From 683e08ff6ef0a279343ba4383c6e01e4a9143050 Mon Sep 17 00:00:00 2001 From: Willem de Bruijn Date: Sun, 30 Dec 2018 17:24:36 -0500 Subject: [PATCH 001/176] ip: validate header length on virtual device xmit [ Upstream commit cb9f1b783850b14cbd7f87d061d784a666dfba1f ] KMSAN detected read beyond end of buffer in vti and sit devices when passing truncated packets with PF_PACKET. The issue affects additional ip tunnel devices. Extend commit 76c0ddd8c3a6 ("ip6_tunnel: be careful when accessing the inner header") and commit ccfec9e5cb2d ("ip_tunnel: be careful when accessing the inner header"). Move the check to a separate helper and call at the start of each ndo_start_xmit function in net/ipv4 and net/ipv6. Minor changes: - convert dev_kfree_skb to kfree_skb on error path, as dev_kfree_skb calls consume_skb which is not for error paths. - use pskb_network_may_pull even though that is pedantic here, as the same as pskb_may_pull for devices without llheaders. - do not cache ipv6 hdrs if used only once (unsafe across pskb_may_pull, was more relevant to earlier patch) Reported-by: syzbot Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman (cherry picked from commit cde81154f86e36df0fad21c23976cc8b80c01600) [vegard: drop changes to ip6erspan_tunnel_xmit(), which doesn't exist in 4.14 due to missing commit 5a963eb61b7c39e6c422b6e48619d19d04719358 ("ip6_gre: Add ERSPAN native tunnel support") from 4.16] Signed-off-by: Vegard Nossum --- include/linux/netdevice.h | 58 +++++++++++++++++++++++---------------- include/net/dst.h | 5 ++-- include/net/ip_tunnels.h | 20 ++++++++++++++ net/core/dev.c | 14 ++-------- net/ipv4/ip_gre.c | 9 ++++++ net/ipv4/ip_tunnel.c | 9 ------ net/ipv4/ip_vti.c | 12 ++++++-- net/ipv6/ip6_gre.c | 3 ++ net/ipv6/ip6_tunnel.c | 10 ++----- net/ipv6/ip6_vti.c | 8 +++--- net/ipv6/ip6mr.c | 17 ++++++++---- net/ipv6/sit.c | 3 ++ 12 files changed, 102 insertions(+), 66 deletions(-) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 52f526018349..70b66c8a4675 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -160,31 +160,38 @@ static inline bool dev_xmit_complete(int rc) * (unsigned long) so they can be read and written atomically. */ +#define NET_DEV_STAT(FIELD) \ + union { \ + unsigned long FIELD; \ + atomic_long_t __##FIELD; \ + } + struct net_device_stats { - unsigned long rx_packets; - unsigned long tx_packets; - unsigned long rx_bytes; - unsigned long tx_bytes; - unsigned long rx_errors; - unsigned long tx_errors; - unsigned long rx_dropped; - unsigned long tx_dropped; - unsigned long multicast; - unsigned long collisions; - unsigned long rx_length_errors; - unsigned long rx_over_errors; - unsigned long rx_crc_errors; - unsigned long rx_frame_errors; - unsigned long rx_fifo_errors; - unsigned long rx_missed_errors; - unsigned long tx_aborted_errors; - unsigned long tx_carrier_errors; - unsigned long tx_fifo_errors; - unsigned long tx_heartbeat_errors; - unsigned long tx_window_errors; - unsigned long rx_compressed; - unsigned long tx_compressed; + NET_DEV_STAT(rx_packets); + NET_DEV_STAT(tx_packets); + NET_DEV_STAT(rx_bytes); + NET_DEV_STAT(tx_bytes); + NET_DEV_STAT(rx_errors); + NET_DEV_STAT(tx_errors); + NET_DEV_STAT(rx_dropped); + NET_DEV_STAT(tx_dropped); + NET_DEV_STAT(multicast); + NET_DEV_STAT(collisions); + NET_DEV_STAT(rx_length_errors); + NET_DEV_STAT(rx_over_errors); + NET_DEV_STAT(rx_crc_errors); + NET_DEV_STAT(rx_frame_errors); + NET_DEV_STAT(rx_fifo_errors); + NET_DEV_STAT(rx_missed_errors); + NET_DEV_STAT(tx_aborted_errors); + NET_DEV_STAT(tx_carrier_errors); + NET_DEV_STAT(tx_fifo_errors); + NET_DEV_STAT(tx_heartbeat_errors); + NET_DEV_STAT(tx_window_errors); + NET_DEV_STAT(rx_compressed); + NET_DEV_STAT(tx_compressed); }; +#undef NET_DEV_STAT #include @@ -4494,4 +4501,9 @@ do { \ #define PTYPE_HASH_SIZE (16) #define PTYPE_HASH_MASK (PTYPE_HASH_SIZE - 1) +/* Note: Avoid these macros in fast path, prefer per-cpu or per-queue counters. */ +#define DEV_STATS_INC(DEV, FIELD) atomic_long_inc(&(DEV)->stats.__##FIELD) +#define DEV_STATS_ADD(DEV, FIELD, VAL) \ + atomic_long_add((VAL), &(DEV)->stats.__##FIELD) + #endif /* _LINUX_NETDEVICE_H */ diff --git a/include/net/dst.h b/include/net/dst.h index 90bad764bc98..59e1b3d86cc5 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -383,9 +383,8 @@ static inline void __skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev, static inline void skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev, struct net *net) { - /* TODO : stats should be SMP safe */ - dev->stats.rx_packets++; - dev->stats.rx_bytes += skb->len; + DEV_STATS_INC(dev, rx_packets); + DEV_STATS_ADD(dev, rx_bytes, skb->len); __skb_tunnel_rx(skb, dev, net); } diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h index eb2321a13506..8bf17bba7d45 100644 --- a/include/net/ip_tunnels.h +++ b/include/net/ip_tunnels.h @@ -304,6 +304,26 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *op, int ip_tunnel_encap_setup(struct ip_tunnel *t, struct ip_tunnel_encap *ipencap); +static inline bool pskb_inet_may_pull(struct sk_buff *skb) +{ + int nhlen; + + switch (skb->protocol) { +#if IS_ENABLED(CONFIG_IPV6) + case htons(ETH_P_IPV6): + nhlen = sizeof(struct ipv6hdr); + break; +#endif + case htons(ETH_P_IP): + nhlen = sizeof(struct iphdr); + break; + default: + nhlen = 0; + } + + return pskb_network_may_pull(skb, nhlen); +} + static inline int ip_encap_hlen(struct ip_tunnel_encap *e) { const struct ip_tunnel_encap_ops *ops; diff --git a/net/core/dev.c b/net/core/dev.c index a0413f65f98d..a79bdbea19ab 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -7983,24 +7983,16 @@ void netdev_run_todo(void) void netdev_stats_to_stats64(struct rtnl_link_stats64 *stats64, const struct net_device_stats *netdev_stats) { -#if BITS_PER_LONG == 64 - BUILD_BUG_ON(sizeof(*stats64) < sizeof(*netdev_stats)); - memcpy(stats64, netdev_stats, sizeof(*netdev_stats)); - /* zero out counters that only exist in rtnl_link_stats64 */ - memset((char *)stats64 + sizeof(*netdev_stats), 0, - sizeof(*stats64) - sizeof(*netdev_stats)); -#else - size_t i, n = sizeof(*netdev_stats) / sizeof(unsigned long); - const unsigned long *src = (const unsigned long *)netdev_stats; + size_t i, n = sizeof(*netdev_stats) / sizeof(atomic_long_t); + const atomic_long_t *src = (atomic_long_t *)netdev_stats; u64 *dst = (u64 *)stats64; BUILD_BUG_ON(n > sizeof(*stats64) / sizeof(u64)); for (i = 0; i < n; i++) - dst[i] = src[i]; + dst[i] = atomic_long_read(&src[i]); /* zero out counters that only exist in rtnl_link_stats64 */ memset((char *)stats64 + n * sizeof(u64), 0, sizeof(*stats64) - n * sizeof(u64)); -#endif } EXPORT_SYMBOL(netdev_stats_to_stats64); diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index d916accd9783..1b59f748f311 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -639,6 +639,9 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, struct ip_tunnel *tunnel = netdev_priv(dev); const struct iphdr *tnl_params; + if (!pskb_inet_may_pull(skb)) + goto free_skb; + if (tunnel->collect_md) { gre_fb_xmit(skb, dev, skb->protocol); return NETDEV_TX_OK; @@ -728,6 +731,9 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb, struct ip_tunnel *tunnel = netdev_priv(dev); bool truncate = false; + if (!pskb_inet_may_pull(skb)) + goto free_skb; + if (tunnel->collect_md) { erspan_fb_xmit(skb, dev, skb->protocol); return NETDEV_TX_OK; @@ -761,6 +767,9 @@ static netdev_tx_t gre_tap_xmit(struct sk_buff *skb, { struct ip_tunnel *tunnel = netdev_priv(dev); + if (!pskb_inet_may_pull(skb)) + goto free_skb; + if (tunnel->collect_md) { gre_fb_xmit(skb, dev, htons(ETH_P_TEB)); return NETDEV_TX_OK; diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index f0e4b3381258..d2c85371b54e 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -633,7 +633,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, const struct iphdr *tnl_params, u8 protocol) { struct ip_tunnel *tunnel = netdev_priv(dev); - unsigned int inner_nhdr_len = 0; const struct iphdr *inner_iph; struct flowi4 fl4; u8 tos, ttl; @@ -643,14 +642,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, __be32 dst; bool connected; - /* ensure we can access the inner net header, for several users below */ - if (skb->protocol == htons(ETH_P_IP)) - inner_nhdr_len = sizeof(struct iphdr); - else if (skb->protocol == htons(ETH_P_IPV6)) - inner_nhdr_len = sizeof(struct ipv6hdr); - if (unlikely(!pskb_may_pull(skb, inner_nhdr_len))) - goto tx_error; - inner_iph = (const struct iphdr *)skb_inner_network_header(skb); connected = (tunnel->parms.iph.daddr != 0); diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c index d43180dd543e..0d1a10fbdda6 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c @@ -321,6 +321,9 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) struct ip_tunnel *tunnel = netdev_priv(dev); struct flowi fl; + if (!pskb_inet_may_pull(skb)) + goto tx_err; + memset(&fl, 0, sizeof(fl)); switch (skb->protocol) { @@ -333,15 +336,18 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) xfrm_decode_session(skb, &fl, AF_INET6); break; default: - dev->stats.tx_errors++; - dev_kfree_skb(skb); - return NETDEV_TX_OK; + goto tx_err; } /* override mark with tunnel output key */ fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key); return vti_xmit(skb, dev, &fl); + +tx_err: + dev->stats.tx_errors++; + kfree_skb(skb); + return NETDEV_TX_OK; } static int vti4_err(struct sk_buff *skb, u32 info) diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index b393cea79d9c..5ca2ab56901d 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -689,6 +689,9 @@ static netdev_tx_t ip6gre_tunnel_xmit(struct sk_buff *skb, struct net_device_stats *stats = &t->dev->stats; int ret; + if (!pskb_inet_may_pull(skb)) + goto tx_err; + if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr)) goto tx_err; diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c index cfe3a72a1159..7fa0d474d47a 100644 --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c @@ -1244,10 +1244,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) u8 tproto; int err; - /* ensure we can access the full inner ip header */ - if (!pskb_may_pull(skb, sizeof(struct iphdr))) - return -1; - iph = ip_hdr(skb); memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); @@ -1320,9 +1316,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) u8 tproto; int err; - if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h)))) - return -1; - ipv6h = ipv6_hdr(skb); tproto = ACCESS_ONCE(t->parms.proto); if ((tproto != IPPROTO_IPV6 && tproto != 0) || @@ -1402,6 +1395,9 @@ ip6_tnl_start_xmit(struct sk_buff *skb, struct net_device *dev) struct net_device_stats *stats = &t->dev->stats; int ret; + if (!pskb_inet_may_pull(skb)) + goto tx_err; + switch (skb->protocol) { case htons(ETH_P_IP): ret = ip4ip6_tnl_xmit(skb, dev); diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c index 976199055e85..312c80912401 100644 --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -556,18 +556,18 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) { struct ip6_tnl *t = netdev_priv(dev); struct net_device_stats *stats = &t->dev->stats; - struct ipv6hdr *ipv6h; struct flowi fl; int ret; + if (!pskb_inet_may_pull(skb)) + goto tx_err; + memset(&fl, 0, sizeof(fl)); switch (skb->protocol) { case htons(ETH_P_IPV6): - ipv6h = ipv6_hdr(skb); - if ((t->parms.proto != IPPROTO_IPV6 && t->parms.proto != 0) || - vti6_addr_conflict(t, ipv6h)) + vti6_addr_conflict(t, ipv6_hdr(skb))) goto tx_err; memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c index 40dfb9bddb21..fcf6f28406b2 100644 --- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c @@ -53,6 +53,7 @@ #include #include #include +#include struct mr6_table { struct list_head list; @@ -706,13 +707,12 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb, .flowi6_iif = skb->skb_iif ? : LOOPBACK_IFINDEX, .flowi6_mark = skb->mark, }; - int err; - err = ip6mr_fib_lookup(net, &fl6, &mrt); - if (err < 0) { - kfree_skb(skb); - return err; - } + if (!pskb_inet_may_pull(skb)) + goto tx_err; + + if (ip6mr_fib_lookup(net, &fl6, &mrt) < 0) + goto tx_err; read_lock(&mrt_lock); dev->stats.tx_bytes += skb->len; @@ -721,6 +721,11 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb, read_unlock(&mrt_lock); kfree_skb(skb); return NETDEV_TX_OK; + +tx_err: + dev->stats.tx_errors++; + kfree_skb(skb); + return NETDEV_TX_OK; } static int reg_vif_get_iflink(const struct net_device *dev) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index f24a6cd0d15a..a64d292fd4c7 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -1012,6 +1012,9 @@ tx_error: static netdev_tx_t sit_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) { + if (!pskb_inet_may_pull(skb)) + goto tx_err; + switch (skb->protocol) { case htons(ETH_P_IP): sit_tunnel_xmit__(skb, dev, IPPROTO_IPIP); From 60e32c8d4c6bb518863249d1c7c7e1fb7c5a9f96 Mon Sep 17 00:00:00 2001 From: Dave Stevenson Date: Mon, 25 Jun 2018 15:07:12 +0100 Subject: [PATCH 002/176] net: lan78xx: Allow for VLAN headers in timeout calcs The frame abort timeout being set by lan78xx_set_rx_max_frame_length didn't account for any VLAN headers, resulting in very low throughput if used with tagged VLANs. Use VLAN_ETH_HLEN instead of ETH_HLEN to correct for this. Signed-off-by: Dave Stevenson Signed-off-by: David S. Miller (cherry picked from commit 2259b7a64d71f27311a19fd7a5bed47413d75985) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 171accb5ebbf..2134beb4edbe 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -2175,7 +2175,7 @@ static int lan78xx_change_mtu(struct net_device *netdev, int new_mtu) if ((ll_mtu % dev->maxpacket) == 0) return -EDOM; - ret = lan78xx_set_rx_max_frame_length(dev, new_mtu + ETH_HLEN); + ret = lan78xx_set_rx_max_frame_length(dev, new_mtu + VLAN_ETH_HLEN); netdev->mtu = new_mtu; @@ -2469,7 +2469,8 @@ static int lan78xx_reset(struct lan78xx_net *dev) buf |= FCT_TX_CTL_EN_; ret = lan78xx_write_reg(dev, FCT_TX_CTL, buf); - ret = lan78xx_set_rx_max_frame_length(dev, dev->net->mtu + ETH_HLEN); + ret = lan78xx_set_rx_max_frame_length(dev, + dev->net->mtu + VLAN_ETH_HLEN); ret = lan78xx_read_reg(dev, MAC_RX, &buf); buf |= MAC_RX_RXEN_; From b64278fd3d498eeb7a3f9b44cdffd303eaa41ca7 Mon Sep 17 00:00:00 2001 From: Daniel Wagner Date: Fri, 25 Oct 2019 10:04:13 +0200 Subject: [PATCH 003/176] net: usb: lan78xx: Disable interrupts before calling generic_handle_irq() [ Upstream commit 0a29ac5bd3a988dc151c8d26910dec2557421f64 ] lan78xx_status() will run with interrupts enabled due to the change in ed194d136769 ("usb: core: remove local_irq_save() around ->complete() handler"). generic_handle_irq() expects to be run with IRQs disabled. [ 4.886203] 000: irq 79 handler irq_default_primary_handler+0x0/0x8 enabled interrupts [ 4.886243] 000: WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:152 __handle_irq_event_percpu+0x154/0x168 [ 4.896294] 000: Modules linked in: [ 4.896301] 000: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.6 #39 [ 4.896310] 000: Hardware name: Raspberry Pi 3 Model B+ (DT) [ 4.896315] 000: pstate: 60000005 (nZCv daif -PAN -UAO) [ 4.896321] 000: pc : __handle_irq_event_percpu+0x154/0x168 [ 4.896331] 000: lr : __handle_irq_event_percpu+0x154/0x168 [ 4.896339] 000: sp : ffff000010003cc0 [ 4.896346] 000: x29: ffff000010003cc0 x28: 0000000000000060 [ 4.896355] 000: x27: ffff000011021980 x26: ffff00001189c72b [ 4.896364] 000: x25: ffff000011702bc0 x24: ffff800036d6e400 [ 4.896373] 000: x23: 000000000000004f x22: ffff000010003d64 [ 4.896381] 000: x21: 0000000000000000 x20: 0000000000000002 [ 4.896390] 000: x19: ffff8000371c8480 x18: 0000000000000060 [ 4.896398] 000: x17: 0000000000000000 x16: 00000000000000eb [ 4.896406] 000: x15: ffff000011712d18 x14: 7265746e69206465 [ 4.896414] 000: x13: ffff000010003ba0 x12: ffff000011712df0 [ 4.896422] 000: x11: 0000000000000001 x10: ffff000011712e08 [ 4.896430] 000: x9 : 0000000000000001 x8 : 000000000003c920 [ 4.896437] 000: x7 : ffff0000118cc410 x6 : ffff0000118c7f00 [ 4.896445] 000: x5 : 000000000003c920 x4 : 0000000000004510 [ 4.896453] 000: x3 : ffff000011712dc8 x2 : 0000000000000000 [ 4.896461] 000: x1 : 73a3f67df94c1500 x0 : 0000000000000000 [ 4.896466] 000: Call trace: [ 4.896471] 000: __handle_irq_event_percpu+0x154/0x168 [ 4.896481] 000: handle_irq_event_percpu+0x50/0xb0 [ 4.896489] 000: handle_irq_event+0x40/0x98 [ 4.896497] 000: handle_simple_irq+0xa4/0xf0 [ 4.896505] 000: generic_handle_irq+0x24/0x38 [ 4.896513] 000: intr_complete+0xb0/0xe0 [ 4.896525] 000: __usb_hcd_giveback_urb+0x58/0xd8 [ 4.896533] 000: usb_giveback_urb_bh+0xd0/0x170 [ 4.896539] 000: tasklet_action_common.isra.0+0x9c/0x128 [ 4.896549] 000: tasklet_hi_action+0x24/0x30 [ 4.896556] 000: __do_softirq+0x120/0x23c [ 4.896564] 000: irq_exit+0xb8/0xd8 [ 4.896571] 000: __handle_domain_irq+0x64/0xb8 [ 4.896579] 000: bcm2836_arm_irqchip_handle_irq+0x60/0xc0 [ 4.896586] 000: el1_irq+0xb8/0x140 [ 4.896592] 000: arch_cpu_idle+0x10/0x18 [ 4.896601] 000: do_idle+0x200/0x280 [ 4.896608] 000: cpu_startup_entry+0x20/0x28 [ 4.896615] 000: rest_init+0xb4/0xc0 [ 4.896623] 000: arch_call_rest_init+0xc/0x14 [ 4.896632] 000: start_kernel+0x454/0x480 Fixes: ed194d136769 ("usb: core: remove local_irq_save() around ->complete() handler") Cc: Woojung Huh Cc: Marc Zyngier Cc: Andrew Lunn Cc: Stefan Wahren Cc: Jisheng Zhang Cc: Sebastian Andrzej Siewior Cc: Thomas Gleixner Cc: David Miller Signed-off-by: Daniel Wagner Tested-by: Stefan Wahren Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9da271c1cdc14839b694e23889a653c1ed0b5f8f) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 2134beb4edbe..efc3542aa16b 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -1253,8 +1253,11 @@ static void lan78xx_status(struct lan78xx_net *dev, struct urb *urb) netif_dbg(dev, link, dev->net, "PHY INTR: 0x%08x\n", intdata); lan78xx_defer_kevent(dev, EVENT_LINK_RESET); - if (dev->domain_data.phyirq > 0) + if (dev->domain_data.phyirq > 0) { + local_irq_disable(); generic_handle_irq(dev->domain_data.phyirq); + local_irq_enable(); + } } else netdev_warn(dev->net, "unexpected interrupt: 0x%08x\n", intdata); From e2ad089a70e591cf7c886be6f559a0e8503674fc Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Mon, 2 Nov 2020 11:45:06 +0000 Subject: [PATCH 004/176] net: usb: lan78xx: Remove lots of set but unused 'ret' variables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 06cd7c46b3ab3f2252c61bf85b191236cf0254e1 ] Fixes the following W=1 kernel build warning(s): drivers/net/usb/lan78xx.c: In function ‘lan78xx_read_raw_otp’: drivers/net/usb/lan78xx.c:825:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_write_raw_otp’: drivers/net/usb/lan78xx.c:879:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_deferred_multicast_write’: drivers/net/usb/lan78xx.c:1041:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_update_flowcontrol’: drivers/net/usb/lan78xx.c:1127:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_init_mac_address’: drivers/net/usb/lan78xx.c:1666:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_link_status_change’: drivers/net/usb/lan78xx.c:1841:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_irq_bus_sync_unlock’: drivers/net/usb/lan78xx.c:1920:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan8835_fixup’: drivers/net/usb/lan78xx.c:1994:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_set_rx_max_frame_length’: drivers/net/usb/lan78xx.c:2192:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_change_mtu’: drivers/net/usb/lan78xx.c:2270:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_set_mac_addr’: drivers/net/usb/lan78xx.c:2299:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_set_features’: drivers/net/usb/lan78xx.c:2333:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] drivers/net/usb/lan78xx.c: In function ‘lan78xx_set_suspend’: drivers/net/usb/lan78xx.c:3807:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20201102114512.1062724-25-lee.jones@linaro.org Signed-off-by: Jakub Kicinski Stable-dep-of: 1eecc7ab82c4 ("net: lan78xx: fix runtime PM count underflow on link stop") Signed-off-by: Sasha Levin (cherry picked from commit 7585522bf089bfebb7bbd22fddb5495f16f250c9) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 168 ++++++++++++++++++-------------------- 1 file changed, 78 insertions(+), 90 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index efc3542aa16b..77fad49c4303 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -810,20 +810,19 @@ static int lan78xx_read_raw_otp(struct lan78xx_net *dev, u32 offset, u32 length, u8 *data) { int i; - int ret; u32 buf; unsigned long timeout; - ret = lan78xx_read_reg(dev, OTP_PWR_DN, &buf); + lan78xx_read_reg(dev, OTP_PWR_DN, &buf); if (buf & OTP_PWR_DN_PWRDN_N_) { /* clear it and wait to be cleared */ - ret = lan78xx_write_reg(dev, OTP_PWR_DN, 0); + lan78xx_write_reg(dev, OTP_PWR_DN, 0); timeout = jiffies + HZ; do { usleep_range(1, 10); - ret = lan78xx_read_reg(dev, OTP_PWR_DN, &buf); + lan78xx_read_reg(dev, OTP_PWR_DN, &buf); if (time_after(jiffies, timeout)) { netdev_warn(dev->net, "timeout on OTP_PWR_DN"); @@ -833,18 +832,18 @@ static int lan78xx_read_raw_otp(struct lan78xx_net *dev, u32 offset, } for (i = 0; i < length; i++) { - ret = lan78xx_write_reg(dev, OTP_ADDR1, + lan78xx_write_reg(dev, OTP_ADDR1, ((offset + i) >> 8) & OTP_ADDR1_15_11); - ret = lan78xx_write_reg(dev, OTP_ADDR2, + lan78xx_write_reg(dev, OTP_ADDR2, ((offset + i) & OTP_ADDR2_10_3)); - ret = lan78xx_write_reg(dev, OTP_FUNC_CMD, OTP_FUNC_CMD_READ_); - ret = lan78xx_write_reg(dev, OTP_CMD_GO, OTP_CMD_GO_GO_); + lan78xx_write_reg(dev, OTP_FUNC_CMD, OTP_FUNC_CMD_READ_); + lan78xx_write_reg(dev, OTP_CMD_GO, OTP_CMD_GO_GO_); timeout = jiffies + HZ; do { udelay(1); - ret = lan78xx_read_reg(dev, OTP_STATUS, &buf); + lan78xx_read_reg(dev, OTP_STATUS, &buf); if (time_after(jiffies, timeout)) { netdev_warn(dev->net, "timeout on OTP_STATUS"); @@ -852,7 +851,7 @@ static int lan78xx_read_raw_otp(struct lan78xx_net *dev, u32 offset, } } while (buf & OTP_STATUS_BUSY_); - ret = lan78xx_read_reg(dev, OTP_RD_DATA, &buf); + lan78xx_read_reg(dev, OTP_RD_DATA, &buf); data[i] = (u8)(buf & 0xFF); } @@ -864,20 +863,19 @@ static int lan78xx_write_raw_otp(struct lan78xx_net *dev, u32 offset, u32 length, u8 *data) { int i; - int ret; u32 buf; unsigned long timeout; - ret = lan78xx_read_reg(dev, OTP_PWR_DN, &buf); + lan78xx_read_reg(dev, OTP_PWR_DN, &buf); if (buf & OTP_PWR_DN_PWRDN_N_) { /* clear it and wait to be cleared */ - ret = lan78xx_write_reg(dev, OTP_PWR_DN, 0); + lan78xx_write_reg(dev, OTP_PWR_DN, 0); timeout = jiffies + HZ; do { udelay(1); - ret = lan78xx_read_reg(dev, OTP_PWR_DN, &buf); + lan78xx_read_reg(dev, OTP_PWR_DN, &buf); if (time_after(jiffies, timeout)) { netdev_warn(dev->net, "timeout on OTP_PWR_DN completion"); @@ -887,21 +885,21 @@ static int lan78xx_write_raw_otp(struct lan78xx_net *dev, u32 offset, } /* set to BYTE program mode */ - ret = lan78xx_write_reg(dev, OTP_PRGM_MODE, OTP_PRGM_MODE_BYTE_); + lan78xx_write_reg(dev, OTP_PRGM_MODE, OTP_PRGM_MODE_BYTE_); for (i = 0; i < length; i++) { - ret = lan78xx_write_reg(dev, OTP_ADDR1, + lan78xx_write_reg(dev, OTP_ADDR1, ((offset + i) >> 8) & OTP_ADDR1_15_11); - ret = lan78xx_write_reg(dev, OTP_ADDR2, + lan78xx_write_reg(dev, OTP_ADDR2, ((offset + i) & OTP_ADDR2_10_3)); - ret = lan78xx_write_reg(dev, OTP_PRGM_DATA, data[i]); - ret = lan78xx_write_reg(dev, OTP_TST_CMD, OTP_TST_CMD_PRGVRFY_); - ret = lan78xx_write_reg(dev, OTP_CMD_GO, OTP_CMD_GO_GO_); + lan78xx_write_reg(dev, OTP_PRGM_DATA, data[i]); + lan78xx_write_reg(dev, OTP_TST_CMD, OTP_TST_CMD_PRGVRFY_); + lan78xx_write_reg(dev, OTP_CMD_GO, OTP_CMD_GO_GO_); timeout = jiffies + HZ; do { udelay(1); - ret = lan78xx_read_reg(dev, OTP_STATUS, &buf); + lan78xx_read_reg(dev, OTP_STATUS, &buf); if (time_after(jiffies, timeout)) { netdev_warn(dev->net, "Timeout on OTP_STATUS completion"); @@ -1026,7 +1024,6 @@ static void lan78xx_deferred_multicast_write(struct work_struct *param) container_of(param, struct lan78xx_priv, set_multicast); struct lan78xx_net *dev = pdata->dev; int i; - int ret; netif_dbg(dev, drv, dev->net, "deferred multicast write 0x%08x\n", pdata->rfe_ctl); @@ -1035,14 +1032,14 @@ static void lan78xx_deferred_multicast_write(struct work_struct *param) DP_SEL_VHF_HASH_LEN, pdata->mchash_table); for (i = 1; i < NUM_OF_MAF; i++) { - ret = lan78xx_write_reg(dev, MAF_HI(i), 0); - ret = lan78xx_write_reg(dev, MAF_LO(i), + lan78xx_write_reg(dev, MAF_HI(i), 0); + lan78xx_write_reg(dev, MAF_LO(i), pdata->pfilter_table[i][1]); - ret = lan78xx_write_reg(dev, MAF_HI(i), + lan78xx_write_reg(dev, MAF_HI(i), pdata->pfilter_table[i][0]); } - ret = lan78xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); + lan78xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); } static void lan78xx_set_multicast(struct net_device *netdev) @@ -1112,7 +1109,6 @@ static int lan78xx_update_flowcontrol(struct lan78xx_net *dev, u8 duplex, u16 lcladv, u16 rmtadv) { u32 flow = 0, fct_flow = 0; - int ret; u8 cap; if (dev->fc_autoneg) @@ -1135,10 +1131,10 @@ static int lan78xx_update_flowcontrol(struct lan78xx_net *dev, u8 duplex, (cap & FLOW_CTRL_RX ? "enabled" : "disabled"), (cap & FLOW_CTRL_TX ? "enabled" : "disabled")); - ret = lan78xx_write_reg(dev, FCT_FLOW, fct_flow); + lan78xx_write_reg(dev, FCT_FLOW, fct_flow); /* threshold value should be set before enabling flow */ - ret = lan78xx_write_reg(dev, FLOW, flow); + lan78xx_write_reg(dev, FLOW, flow); return 0; } @@ -1640,11 +1636,10 @@ static int lan78xx_ioctl(struct net_device *netdev, struct ifreq *rq, int cmd) static void lan78xx_init_mac_address(struct lan78xx_net *dev) { u32 addr_lo, addr_hi; - int ret; u8 addr[6]; - ret = lan78xx_read_reg(dev, RX_ADDRL, &addr_lo); - ret = lan78xx_read_reg(dev, RX_ADDRH, &addr_hi); + lan78xx_read_reg(dev, RX_ADDRL, &addr_lo); + lan78xx_read_reg(dev, RX_ADDRH, &addr_hi); addr[0] = addr_lo & 0xFF; addr[1] = (addr_lo >> 8) & 0xFF; @@ -1677,12 +1672,12 @@ static void lan78xx_init_mac_address(struct lan78xx_net *dev) (addr[2] << 16) | (addr[3] << 24); addr_hi = addr[4] | (addr[5] << 8); - ret = lan78xx_write_reg(dev, RX_ADDRL, addr_lo); - ret = lan78xx_write_reg(dev, RX_ADDRH, addr_hi); + lan78xx_write_reg(dev, RX_ADDRL, addr_lo); + lan78xx_write_reg(dev, RX_ADDRH, addr_hi); } - ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo); - ret = lan78xx_write_reg(dev, MAF_HI(0), addr_hi | MAF_HI_VALID_); + lan78xx_write_reg(dev, MAF_LO(0), addr_lo); + lan78xx_write_reg(dev, MAF_HI(0), addr_hi | MAF_HI_VALID_); ether_addr_copy(dev->net->dev_addr, addr); } @@ -1812,7 +1807,7 @@ static void lan78xx_remove_mdio(struct lan78xx_net *dev) static void lan78xx_link_status_change(struct net_device *net) { struct phy_device *phydev = net->phydev; - int ret, temp; + int temp; /* At forced 100 F/H mode, chip may fail to set mode correctly * when cable is switched between long(~50+m) and short one. @@ -1823,7 +1818,7 @@ static void lan78xx_link_status_change(struct net_device *net) /* disable phy interrupt */ temp = phy_read(phydev, LAN88XX_INT_MASK); temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_; - ret = phy_write(phydev, LAN88XX_INT_MASK, temp); + phy_write(phydev, LAN88XX_INT_MASK, temp); temp = phy_read(phydev, MII_BMCR); temp &= ~(BMCR_SPEED100 | BMCR_SPEED1000); @@ -1837,7 +1832,7 @@ static void lan78xx_link_status_change(struct net_device *net) /* enable phy interrupt back */ temp = phy_read(phydev, LAN88XX_INT_MASK); temp |= LAN88XX_INT_MASK_MDINTPIN_EN_; - ret = phy_write(phydev, LAN88XX_INT_MASK, temp); + phy_write(phydev, LAN88XX_INT_MASK, temp); } } @@ -1891,14 +1886,13 @@ static void lan78xx_irq_bus_sync_unlock(struct irq_data *irqd) struct lan78xx_net *dev = container_of(data, struct lan78xx_net, domain_data); u32 buf; - int ret; /* call register access here because irq_bus_lock & irq_bus_sync_unlock * are only two callbacks executed in non-atomic contex. */ - ret = lan78xx_read_reg(dev, INT_EP_CTL, &buf); + lan78xx_read_reg(dev, INT_EP_CTL, &buf); if (buf != data->irqenable) - ret = lan78xx_write_reg(dev, INT_EP_CTL, data->irqenable); + lan78xx_write_reg(dev, INT_EP_CTL, data->irqenable); mutex_unlock(&data->irq_lock); } @@ -1965,7 +1959,6 @@ static void lan78xx_remove_irq_domain(struct lan78xx_net *dev) static int lan8835_fixup(struct phy_device *phydev) { int buf; - int ret; struct lan78xx_net *dev = netdev_priv(phydev->attached_dev); /* LED2/PME_N/IRQ_N/RGMII_ID pin to IRQ_N mode */ @@ -1975,11 +1968,11 @@ static int lan8835_fixup(struct phy_device *phydev) phy_write_mmd(phydev, MDIO_MMD_PCS, 0x8010, buf); /* RGMII MAC TXC Delay Enable */ - ret = lan78xx_write_reg(dev, MAC_RGMII_ID, + lan78xx_write_reg(dev, MAC_RGMII_ID, MAC_RGMII_ID_TXC_DELAY_EN_); /* RGMII TX DLL Tune Adjust */ - ret = lan78xx_write_reg(dev, RGMII_TX_BYP_DLL, 0x3D00); + lan78xx_write_reg(dev, RGMII_TX_BYP_DLL, 0x3D00); dev->interface = PHY_INTERFACE_MODE_RGMII_TXID; @@ -2094,28 +2087,27 @@ error: static int lan78xx_set_rx_max_frame_length(struct lan78xx_net *dev, int size) { - int ret = 0; u32 buf; bool rxenabled; - ret = lan78xx_read_reg(dev, MAC_RX, &buf); + lan78xx_read_reg(dev, MAC_RX, &buf); rxenabled = ((buf & MAC_RX_RXEN_) != 0); if (rxenabled) { buf &= ~MAC_RX_RXEN_; - ret = lan78xx_write_reg(dev, MAC_RX, buf); + lan78xx_write_reg(dev, MAC_RX, buf); } /* add 4 to size for FCS */ buf &= ~MAC_RX_MAX_SIZE_MASK_; buf |= (((size + 4) << MAC_RX_MAX_SIZE_SHIFT_) & MAC_RX_MAX_SIZE_MASK_); - ret = lan78xx_write_reg(dev, MAC_RX, buf); + lan78xx_write_reg(dev, MAC_RX, buf); if (rxenabled) { buf |= MAC_RX_RXEN_; - ret = lan78xx_write_reg(dev, MAC_RX, buf); + lan78xx_write_reg(dev, MAC_RX, buf); } return 0; @@ -2172,13 +2164,12 @@ static int lan78xx_change_mtu(struct net_device *netdev, int new_mtu) int ll_mtu = new_mtu + netdev->hard_header_len; int old_hard_mtu = dev->hard_mtu; int old_rx_urb_size = dev->rx_urb_size; - int ret; /* no second zero-length packet read wanted after mtu-sized packets */ if ((ll_mtu % dev->maxpacket) == 0) return -EDOM; - ret = lan78xx_set_rx_max_frame_length(dev, new_mtu + VLAN_ETH_HLEN); + lan78xx_set_rx_max_frame_length(dev, new_mtu + VLAN_ETH_HLEN); netdev->mtu = new_mtu; @@ -2201,7 +2192,6 @@ static int lan78xx_set_mac_addr(struct net_device *netdev, void *p) struct lan78xx_net *dev = netdev_priv(netdev); struct sockaddr *addr = p; u32 addr_lo, addr_hi; - int ret; if (netif_running(netdev)) return -EBUSY; @@ -2218,12 +2208,12 @@ static int lan78xx_set_mac_addr(struct net_device *netdev, void *p) addr_hi = netdev->dev_addr[4] | netdev->dev_addr[5] << 8; - ret = lan78xx_write_reg(dev, RX_ADDRL, addr_lo); - ret = lan78xx_write_reg(dev, RX_ADDRH, addr_hi); + lan78xx_write_reg(dev, RX_ADDRL, addr_lo); + lan78xx_write_reg(dev, RX_ADDRH, addr_hi); /* Added to support MAC address changes */ - ret = lan78xx_write_reg(dev, MAF_LO(0), addr_lo); - ret = lan78xx_write_reg(dev, MAF_HI(0), addr_hi | MAF_HI_VALID_); + lan78xx_write_reg(dev, MAF_LO(0), addr_lo); + lan78xx_write_reg(dev, MAF_HI(0), addr_hi | MAF_HI_VALID_); return 0; } @@ -2235,7 +2225,6 @@ static int lan78xx_set_features(struct net_device *netdev, struct lan78xx_net *dev = netdev_priv(netdev); struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]); unsigned long flags; - int ret; spin_lock_irqsave(&pdata->rfe_ctl_lock, flags); @@ -2254,7 +2243,7 @@ static int lan78xx_set_features(struct net_device *netdev, spin_unlock_irqrestore(&pdata->rfe_ctl_lock, flags); - ret = lan78xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); + lan78xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); return 0; } @@ -3693,7 +3682,6 @@ static u16 lan78xx_wakeframe_crc16(const u8 *buf, int len) static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) { u32 buf; - int ret; int mask_index; u16 crc; u32 temp_wucsr; @@ -3702,26 +3690,26 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) const u8 ipv6_multicast[3] = { 0x33, 0x33 }; const u8 arp_type[2] = { 0x08, 0x06 }; - ret = lan78xx_read_reg(dev, MAC_TX, &buf); + lan78xx_read_reg(dev, MAC_TX, &buf); buf &= ~MAC_TX_TXEN_; - ret = lan78xx_write_reg(dev, MAC_TX, buf); - ret = lan78xx_read_reg(dev, MAC_RX, &buf); + lan78xx_write_reg(dev, MAC_TX, buf); + lan78xx_read_reg(dev, MAC_RX, &buf); buf &= ~MAC_RX_RXEN_; - ret = lan78xx_write_reg(dev, MAC_RX, buf); + lan78xx_write_reg(dev, MAC_RX, buf); - ret = lan78xx_write_reg(dev, WUCSR, 0); - ret = lan78xx_write_reg(dev, WUCSR2, 0); - ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); + lan78xx_write_reg(dev, WUCSR, 0); + lan78xx_write_reg(dev, WUCSR2, 0); + lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); temp_wucsr = 0; temp_pmt_ctl = 0; - ret = lan78xx_read_reg(dev, PMT_CTL, &temp_pmt_ctl); + lan78xx_read_reg(dev, PMT_CTL, &temp_pmt_ctl); temp_pmt_ctl &= ~PMT_CTL_RES_CLR_WKP_EN_; temp_pmt_ctl |= PMT_CTL_RES_CLR_WKP_STS_; for (mask_index = 0; mask_index < NUM_OF_WUF_CFG; mask_index++) - ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), 0); + lan78xx_write_reg(dev, WUF_CFG(mask_index), 0); mask_index = 0; if (wol & WAKE_PHY) { @@ -3750,30 +3738,30 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) /* set WUF_CFG & WUF_MASK for IPv4 Multicast */ crc = lan78xx_wakeframe_crc16(ipv4_multicast, 3); - ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), + lan78xx_write_reg(dev, WUF_CFG(mask_index), WUF_CFGX_EN_ | WUF_CFGX_TYPE_MCAST_ | (0 << WUF_CFGX_OFFSET_SHIFT_) | (crc & WUF_CFGX_CRC16_MASK_)); - ret = lan78xx_write_reg(dev, WUF_MASK0(mask_index), 7); - ret = lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); - ret = lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); - ret = lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK0(mask_index), 7); + lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); mask_index++; /* for IPv6 Multicast */ crc = lan78xx_wakeframe_crc16(ipv6_multicast, 2); - ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), + lan78xx_write_reg(dev, WUF_CFG(mask_index), WUF_CFGX_EN_ | WUF_CFGX_TYPE_MCAST_ | (0 << WUF_CFGX_OFFSET_SHIFT_) | (crc & WUF_CFGX_CRC16_MASK_)); - ret = lan78xx_write_reg(dev, WUF_MASK0(mask_index), 3); - ret = lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); - ret = lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); - ret = lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK0(mask_index), 3); + lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); mask_index++; temp_pmt_ctl |= PMT_CTL_WOL_EN_; @@ -3794,16 +3782,16 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) * for packettype (offset 12,13) = ARP (0x0806) */ crc = lan78xx_wakeframe_crc16(arp_type, 2); - ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), + lan78xx_write_reg(dev, WUF_CFG(mask_index), WUF_CFGX_EN_ | WUF_CFGX_TYPE_ALL_ | (0 << WUF_CFGX_OFFSET_SHIFT_) | (crc & WUF_CFGX_CRC16_MASK_)); - ret = lan78xx_write_reg(dev, WUF_MASK0(mask_index), 0x3000); - ret = lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); - ret = lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); - ret = lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK0(mask_index), 0x3000); + lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); + lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); mask_index++; temp_pmt_ctl |= PMT_CTL_WOL_EN_; @@ -3811,7 +3799,7 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) temp_pmt_ctl |= PMT_CTL_SUS_MODE_0_; } - ret = lan78xx_write_reg(dev, WUCSR, temp_wucsr); + lan78xx_write_reg(dev, WUCSR, temp_wucsr); /* when multiple WOL bits are set */ if (hweight_long((unsigned long)wol) > 1) { @@ -3819,16 +3807,16 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) temp_pmt_ctl &= ~PMT_CTL_SUS_MODE_MASK_; temp_pmt_ctl |= PMT_CTL_SUS_MODE_0_; } - ret = lan78xx_write_reg(dev, PMT_CTL, temp_pmt_ctl); + lan78xx_write_reg(dev, PMT_CTL, temp_pmt_ctl); /* clear WUPS */ - ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + lan78xx_read_reg(dev, PMT_CTL, &buf); buf |= PMT_CTL_WUPS_MASK_; - ret = lan78xx_write_reg(dev, PMT_CTL, buf); + lan78xx_write_reg(dev, PMT_CTL, buf); - ret = lan78xx_read_reg(dev, MAC_RX, &buf); + lan78xx_read_reg(dev, MAC_RX, &buf); buf |= MAC_RX_RXEN_; - ret = lan78xx_write_reg(dev, MAC_RX, buf); + lan78xx_write_reg(dev, MAC_RX, buf); return 0; } From f6cbd3c0c4516263a546a791a9eb985ca5ee04a6 Mon Sep 17 00:00:00 2001 From: John Efstathiades Date: Tue, 24 Aug 2021 19:56:04 +0100 Subject: [PATCH 005/176] lan78xx: Fix white space and style issues [ Upstream commit 9ceec7d33adf9647293f24d2fd9a055b89c63864 ] Fix white space and code style issues identified by checkpatch. Signed-off-by: John Efstathiades Signed-off-by: David S. Miller Stable-dep-of: 1eecc7ab82c4 ("net: lan78xx: fix runtime PM count underflow on link stop") Signed-off-by: Sasha Levin (cherry picked from commit 09a8c3e4e79157bd3358bc9f0fab1517ae8ad884) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 80 ++++++++++++++++++++------------------- 1 file changed, 42 insertions(+), 38 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 77fad49c4303..966fed763641 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -371,7 +371,7 @@ struct lan78xx_net { struct usb_anchor deferred; struct mutex phy_mutex; /* for phy access */ - unsigned pipe_in, pipe_out, pipe_intr; + unsigned int pipe_in, pipe_out, pipe_intr; u32 hard_mtu; /* count any extra framing */ size_t rx_urb_size; /* size for rx urbs */ @@ -381,7 +381,7 @@ struct lan78xx_net { wait_queue_head_t *wait; unsigned char suspend_count; - unsigned maxpacket; + unsigned int maxpacket; struct timer_list delay; struct timer_list stat_monitor; @@ -490,7 +490,7 @@ static int lan78xx_read_stats(struct lan78xx_net *dev, if (likely(ret >= 0)) { src = (u32 *)stats; dst = (u32 *)data; - for (i = 0; i < sizeof(*stats)/sizeof(u32); i++) { + for (i = 0; i < sizeof(*stats) / sizeof(u32); i++) { le32_to_cpus(&src[i]); dst[i] = src[i]; } @@ -504,10 +504,11 @@ static int lan78xx_read_stats(struct lan78xx_net *dev, return ret; } -#define check_counter_rollover(struct1, dev_stats, member) { \ - if (struct1->member < dev_stats.saved.member) \ - dev_stats.rollover_count.member++; \ - } +#define check_counter_rollover(struct1, dev_stats, member) \ + do { \ + if ((struct1)->member < (dev_stats).saved.member) \ + (dev_stats).rollover_count.member++; \ + } while (0) static void lan78xx_check_stat_rollover(struct lan78xx_net *dev, struct lan78xx_statstage *stats) @@ -833,9 +834,9 @@ static int lan78xx_read_raw_otp(struct lan78xx_net *dev, u32 offset, for (i = 0; i < length; i++) { lan78xx_write_reg(dev, OTP_ADDR1, - ((offset + i) >> 8) & OTP_ADDR1_15_11); + ((offset + i) >> 8) & OTP_ADDR1_15_11); lan78xx_write_reg(dev, OTP_ADDR2, - ((offset + i) & OTP_ADDR2_10_3)); + ((offset + i) & OTP_ADDR2_10_3)); lan78xx_write_reg(dev, OTP_FUNC_CMD, OTP_FUNC_CMD_READ_); lan78xx_write_reg(dev, OTP_CMD_GO, OTP_CMD_GO_GO_); @@ -889,9 +890,9 @@ static int lan78xx_write_raw_otp(struct lan78xx_net *dev, u32 offset, for (i = 0; i < length; i++) { lan78xx_write_reg(dev, OTP_ADDR1, - ((offset + i) >> 8) & OTP_ADDR1_15_11); + ((offset + i) >> 8) & OTP_ADDR1_15_11); lan78xx_write_reg(dev, OTP_ADDR2, - ((offset + i) & OTP_ADDR2_10_3)); + ((offset + i) & OTP_ADDR2_10_3)); lan78xx_write_reg(dev, OTP_PRGM_DATA, data[i]); lan78xx_write_reg(dev, OTP_TST_CMD, OTP_TST_CMD_PRGVRFY_); lan78xx_write_reg(dev, OTP_CMD_GO, OTP_CMD_GO_GO_); @@ -948,7 +949,7 @@ static int lan78xx_dataport_wait_not_busy(struct lan78xx_net *dev) usleep_range(40, 100); } - netdev_warn(dev->net, "lan78xx_dataport_wait_not_busy timed out"); + netdev_warn(dev->net, "%s timed out", __func__); return -EIO; } @@ -961,7 +962,7 @@ static int lan78xx_dataport_write(struct lan78xx_net *dev, u32 ram_select, int i, ret; if (usb_autopm_get_interface(dev->intf) < 0) - return 0; + return 0; mutex_lock(&pdata->dataport_mutex); @@ -1034,9 +1035,9 @@ static void lan78xx_deferred_multicast_write(struct work_struct *param) for (i = 1; i < NUM_OF_MAF; i++) { lan78xx_write_reg(dev, MAF_HI(i), 0); lan78xx_write_reg(dev, MAF_LO(i), - pdata->pfilter_table[i][1]); + pdata->pfilter_table[i][1]); lan78xx_write_reg(dev, MAF_HI(i), - pdata->pfilter_table[i][0]); + pdata->pfilter_table[i][0]); } lan78xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); @@ -1055,11 +1056,12 @@ static void lan78xx_set_multicast(struct net_device *netdev) RFE_CTL_DA_PERFECT_ | RFE_CTL_MCAST_HASH_); for (i = 0; i < DP_SEL_VHF_HASH_LEN; i++) - pdata->mchash_table[i] = 0; + pdata->mchash_table[i] = 0; + /* pfilter_table[0] has own HW address */ for (i = 1; i < NUM_OF_MAF; i++) { - pdata->pfilter_table[i][0] = - pdata->pfilter_table[i][1] = 0; + pdata->pfilter_table[i][0] = 0; + pdata->pfilter_table[i][1] = 0; } pdata->rfe_ctl |= RFE_CTL_BCAST_EN_; @@ -1254,9 +1256,10 @@ static void lan78xx_status(struct lan78xx_net *dev, struct urb *urb) generic_handle_irq(dev->domain_data.phyirq); local_irq_enable(); } - } else + } else { netdev_warn(dev->net, "unexpected interrupt: 0x%08x\n", intdata); + } } static int lan78xx_ethtool_get_eeprom_len(struct net_device *netdev) @@ -1345,7 +1348,7 @@ static void lan78xx_get_wol(struct net_device *netdev, struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]); if (usb_autopm_get_interface(dev->intf) < 0) - return; + return; ret = lan78xx_read_reg(dev, USB_CFG0, &buf); if (unlikely(ret < 0)) { @@ -1969,7 +1972,7 @@ static int lan8835_fixup(struct phy_device *phydev) /* RGMII MAC TXC Delay Enable */ lan78xx_write_reg(dev, MAC_RGMII_ID, - MAC_RGMII_ID_TXC_DELAY_EN_); + MAC_RGMII_ID_TXC_DELAY_EN_); /* RGMII TX DLL Tune Adjust */ lan78xx_write_reg(dev, RGMII_TX_BYP_DLL, 0x3D00); @@ -3231,9 +3234,10 @@ drop: if (skb) dev_kfree_skb_any(skb); usb_free_urb(urb); - } else + } else { netif_dbg(dev, tx_queued, dev->net, "> tx, len %d, type 0x%x\n", length, skb->protocol); + } } static void lan78xx_rx_bh(struct lan78xx_net *dev) @@ -3334,7 +3338,7 @@ fail_pipe: unlink_urbs(dev, &dev->rxq); status = usb_autopm_get_interface(dev->intf); if (status < 0) - goto fail_halt; + goto fail_halt; status = usb_clear_halt(dev->udev, dev->pipe_in); usb_autopm_put_interface(dev->intf); if (status < 0 && @@ -3504,8 +3508,8 @@ static int lan78xx_probe(struct usb_interface *intf, struct net_device *netdev; struct usb_device *udev; int ret; - unsigned maxp; - unsigned period; + unsigned int maxp; + unsigned int period; u8 *buf = NULL; udev = interface_to_usbdev(intf); @@ -3739,10 +3743,10 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) /* set WUF_CFG & WUF_MASK for IPv4 Multicast */ crc = lan78xx_wakeframe_crc16(ipv4_multicast, 3); lan78xx_write_reg(dev, WUF_CFG(mask_index), - WUF_CFGX_EN_ | - WUF_CFGX_TYPE_MCAST_ | - (0 << WUF_CFGX_OFFSET_SHIFT_) | - (crc & WUF_CFGX_CRC16_MASK_)); + WUF_CFGX_EN_ | + WUF_CFGX_TYPE_MCAST_ | + (0 << WUF_CFGX_OFFSET_SHIFT_) | + (crc & WUF_CFGX_CRC16_MASK_)); lan78xx_write_reg(dev, WUF_MASK0(mask_index), 7); lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); @@ -3753,10 +3757,10 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) /* for IPv6 Multicast */ crc = lan78xx_wakeframe_crc16(ipv6_multicast, 2); lan78xx_write_reg(dev, WUF_CFG(mask_index), - WUF_CFGX_EN_ | - WUF_CFGX_TYPE_MCAST_ | - (0 << WUF_CFGX_OFFSET_SHIFT_) | - (crc & WUF_CFGX_CRC16_MASK_)); + WUF_CFGX_EN_ | + WUF_CFGX_TYPE_MCAST_ | + (0 << WUF_CFGX_OFFSET_SHIFT_) | + (crc & WUF_CFGX_CRC16_MASK_)); lan78xx_write_reg(dev, WUF_MASK0(mask_index), 3); lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); @@ -3783,10 +3787,10 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) */ crc = lan78xx_wakeframe_crc16(arp_type, 2); lan78xx_write_reg(dev, WUF_CFG(mask_index), - WUF_CFGX_EN_ | - WUF_CFGX_TYPE_ALL_ | - (0 << WUF_CFGX_OFFSET_SHIFT_) | - (crc & WUF_CFGX_CRC16_MASK_)); + WUF_CFGX_EN_ | + WUF_CFGX_TYPE_ALL_ | + (0 << WUF_CFGX_OFFSET_SHIFT_) | + (crc & WUF_CFGX_CRC16_MASK_)); lan78xx_write_reg(dev, WUF_MASK0(mask_index), 0x3000); lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); @@ -3934,7 +3938,7 @@ static int lan78xx_resume(struct usb_interface *intf) if (!--dev->suspend_count) { /* resume interrupt URBs */ if (dev->urb_intr && test_bit(EVENT_DEV_OPEN, &dev->flags)) - usb_submit_urb(dev->urb_intr, GFP_NOIO); + usb_submit_urb(dev->urb_intr, GFP_NOIO); spin_lock_irq(&dev->txq.lock); while ((res = usb_get_from_anchor(&dev->deferred))) { From b70394861f10fc4bb0a53bb4fe54b79f497fdf79 Mon Sep 17 00:00:00 2001 From: John Efstathiades Date: Tue, 24 Aug 2021 19:56:08 +0100 Subject: [PATCH 006/176] lan78xx: Add missing return code checks [ Upstream commit 3415f6baaddb9b39d7112247ab39ef3c700f882e ] There are many places in the driver where the return code from a function call is captured but without a subsequent test of the return code and appropriate action taken. This patch adds the missing return code tests and action. In most cases the action is an early exit from the calling function. The function lan78xx_set_suspend() was also updated to make it consistent with lan78xx_suspend(). Signed-off-by: John Efstathiades Signed-off-by: David S. Miller Stable-dep-of: 1eecc7ab82c4 ("net: lan78xx: fix runtime PM count underflow on link stop") Signed-off-by: Sasha Levin (cherry picked from commit 20ccd52bd3b5e1323e58a1049d7d5285650c6c64) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 395 ++++++++++++++++++++++++++++++++------ 1 file changed, 331 insertions(+), 64 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 966fed763641..51bbb0dc1f28 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -1151,7 +1151,7 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) /* clear LAN78xx interrupt status */ ret = lan78xx_write_reg(dev, INT_STS, INT_STS_PHY_INT_); if (unlikely(ret < 0)) - return -EIO; + return ret; mutex_lock(&phydev->lock); phy_read_status(phydev); @@ -1164,11 +1164,11 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) /* reset MAC */ ret = lan78xx_read_reg(dev, MAC_CR, &buf); if (unlikely(ret < 0)) - return -EIO; + return ret; buf |= MAC_CR_RST_; ret = lan78xx_write_reg(dev, MAC_CR, buf); if (unlikely(ret < 0)) - return -EIO; + return ret; del_timer(&dev->stat_monitor); } else if (link && !dev->link_on) { @@ -1180,18 +1180,30 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) if (ecmd.base.speed == 1000) { /* disable U2 */ ret = lan78xx_read_reg(dev, USB_CFG1, &buf); + if (ret < 0) + return ret; buf &= ~USB_CFG1_DEV_U2_INIT_EN_; ret = lan78xx_write_reg(dev, USB_CFG1, buf); + if (ret < 0) + return ret; /* enable U1 */ ret = lan78xx_read_reg(dev, USB_CFG1, &buf); + if (ret < 0) + return ret; buf |= USB_CFG1_DEV_U1_INIT_EN_; ret = lan78xx_write_reg(dev, USB_CFG1, buf); + if (ret < 0) + return ret; } else { /* enable U1 & U2 */ ret = lan78xx_read_reg(dev, USB_CFG1, &buf); + if (ret < 0) + return ret; buf |= USB_CFG1_DEV_U2_INIT_EN_; buf |= USB_CFG1_DEV_U1_INIT_EN_; ret = lan78xx_write_reg(dev, USB_CFG1, buf); + if (ret < 0) + return ret; } } @@ -1209,6 +1221,8 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) ret = lan78xx_update_flowcontrol(dev, ecmd.base.duplex, ladv, radv); + if (ret < 0) + return ret; if (!timer_pending(&dev->stat_monitor)) { dev->delta = 1; @@ -1219,7 +1233,7 @@ static int lan78xx_link_reset(struct lan78xx_net *dev) tasklet_schedule(&dev->bh); } - return ret; + return 0; } /* some work can't be done in tasklets, so we use keventd @@ -2341,23 +2355,33 @@ static void lan78xx_init_ltm(struct lan78xx_net *dev) static int lan78xx_reset(struct lan78xx_net *dev) { struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]); - u32 buf; - int ret = 0; unsigned long timeout; + int ret; + u32 buf; u8 sig; ret = lan78xx_read_reg(dev, HW_CFG, &buf); + if (ret < 0) + return ret; + buf |= HW_CFG_LRST_; + ret = lan78xx_write_reg(dev, HW_CFG, buf); + if (ret < 0) + return ret; timeout = jiffies + HZ; do { mdelay(1); ret = lan78xx_read_reg(dev, HW_CFG, &buf); + if (ret < 0) + return ret; + if (time_after(jiffies, timeout)) { netdev_warn(dev->net, "timeout on completion of LiteReset"); - return -EIO; + ret = -ETIMEDOUT; + return ret; } } while (buf & HW_CFG_LRST_); @@ -2365,13 +2389,22 @@ static int lan78xx_reset(struct lan78xx_net *dev) /* save DEVID for later usage */ ret = lan78xx_read_reg(dev, ID_REV, &buf); + if (ret < 0) + return ret; + dev->chipid = (buf & ID_REV_CHIP_ID_MASK_) >> 16; dev->chiprev = buf & ID_REV_CHIP_REV_MASK_; /* Respond to the IN token with a NAK */ ret = lan78xx_read_reg(dev, USB_CFG0, &buf); + if (ret < 0) + return ret; + buf |= USB_CFG_BIR_; + ret = lan78xx_write_reg(dev, USB_CFG0, buf); + if (ret < 0) + return ret; /* Init LTM */ lan78xx_init_ltm(dev); @@ -2394,53 +2427,105 @@ static int lan78xx_reset(struct lan78xx_net *dev) } ret = lan78xx_write_reg(dev, BURST_CAP, buf); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, BULK_IN_DLY, DEFAULT_BULK_IN_DELAY); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, HW_CFG, &buf); + if (ret < 0) + return ret; + buf |= HW_CFG_MEF_; + ret = lan78xx_write_reg(dev, HW_CFG, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, USB_CFG0, &buf); + if (ret < 0) + return ret; + buf |= USB_CFG_BCE_; + ret = lan78xx_write_reg(dev, USB_CFG0, buf); + if (ret < 0) + return ret; /* set FIFO sizes */ buf = (MAX_RX_FIFO_SIZE - 512) / 512; + ret = lan78xx_write_reg(dev, FCT_RX_FIFO_END, buf); + if (ret < 0) + return ret; buf = (MAX_TX_FIFO_SIZE - 512) / 512; + ret = lan78xx_write_reg(dev, FCT_TX_FIFO_END, buf); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, INT_STS, INT_STS_CLEAR_ALL_); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, FLOW, 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, FCT_FLOW, 0); + if (ret < 0) + return ret; /* Don't need rfe_ctl_lock during initialisation */ ret = lan78xx_read_reg(dev, RFE_CTL, &pdata->rfe_ctl); + if (ret < 0) + return ret; + pdata->rfe_ctl |= RFE_CTL_BCAST_EN_ | RFE_CTL_DA_PERFECT_; + ret = lan78xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); + if (ret < 0) + return ret; /* Enable or disable checksum offload engines */ - lan78xx_set_features(dev->net, dev->net->features); + ret = lan78xx_set_features(dev->net, dev->net->features); + if (ret < 0) + return ret; lan78xx_set_multicast(dev->net); /* reset PHY */ ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; + buf |= PMT_CTL_PHY_RST_; + ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + return ret; timeout = jiffies + HZ; do { mdelay(1); ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; + if (time_after(jiffies, timeout)) { netdev_warn(dev->net, "timeout waiting for PHY Reset"); - return -EIO; + ret = -ETIMEDOUT; + return ret; } } while ((buf & PMT_CTL_PHY_RST_) || !(buf & PMT_CTL_READY_)); ret = lan78xx_read_reg(dev, MAC_CR, &buf); + if (ret < 0) + return ret; + /* LAN7801 only has RGMII mode */ if (dev->chipid == ID_REV_CHIP_ID_7801_) buf &= ~MAC_CR_GMII_EN_; @@ -2455,25 +2540,53 @@ static int lan78xx_reset(struct lan78xx_net *dev) } } ret = lan78xx_write_reg(dev, MAC_CR, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, MAC_TX, &buf); + if (ret < 0) + return ret; + buf |= MAC_TX_TXEN_; + ret = lan78xx_write_reg(dev, MAC_TX, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, FCT_TX_CTL, &buf); + if (ret < 0) + return ret; + buf |= FCT_TX_CTL_EN_; + ret = lan78xx_write_reg(dev, FCT_TX_CTL, buf); + if (ret < 0) + return ret; ret = lan78xx_set_rx_max_frame_length(dev, dev->net->mtu + VLAN_ETH_HLEN); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, MAC_RX, &buf); + if (ret < 0) + return ret; + buf |= MAC_RX_RXEN_; + ret = lan78xx_write_reg(dev, MAC_RX, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, FCT_RX_CTL, &buf); + if (ret < 0) + return ret; + buf |= FCT_RX_CTL_EN_; + ret = lan78xx_write_reg(dev, FCT_RX_CTL, buf); + if (ret < 0) + return ret; return 0; } @@ -2511,7 +2624,7 @@ static int lan78xx_open(struct net_device *net) ret = usb_autopm_get_interface(dev->intf); if (ret < 0) - goto out; + return ret; phy_start(net->phydev); @@ -2539,7 +2652,6 @@ static int lan78xx_open(struct net_device *net) done: usb_autopm_put_interface(dev->intf); -out: return ret; } @@ -3685,35 +3797,62 @@ static u16 lan78xx_wakeframe_crc16(const u8 *buf, int len) static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) { - u32 buf; - int mask_index; - u16 crc; - u32 temp_wucsr; - u32 temp_pmt_ctl; const u8 ipv4_multicast[3] = { 0x01, 0x00, 0x5E }; const u8 ipv6_multicast[3] = { 0x33, 0x33 }; const u8 arp_type[2] = { 0x08, 0x06 }; + u32 temp_pmt_ctl; + int mask_index; + u32 temp_wucsr; + u32 buf; + u16 crc; + int ret; + + ret = lan78xx_read_reg(dev, MAC_TX, &buf); + if (ret < 0) + return ret; - lan78xx_read_reg(dev, MAC_TX, &buf); buf &= ~MAC_TX_TXEN_; - lan78xx_write_reg(dev, MAC_TX, buf); - lan78xx_read_reg(dev, MAC_RX, &buf); - buf &= ~MAC_RX_RXEN_; - lan78xx_write_reg(dev, MAC_RX, buf); - lan78xx_write_reg(dev, WUCSR, 0); - lan78xx_write_reg(dev, WUCSR2, 0); - lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); + ret = lan78xx_write_reg(dev, MAC_TX, buf); + if (ret < 0) + return ret; + + ret = lan78xx_read_reg(dev, MAC_RX, &buf); + if (ret < 0) + return ret; + + buf &= ~MAC_RX_RXEN_; + + ret = lan78xx_write_reg(dev, MAC_RX, buf); + if (ret < 0) + return ret; + + ret = lan78xx_write_reg(dev, WUCSR, 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUCSR2, 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); + if (ret < 0) + return ret; temp_wucsr = 0; temp_pmt_ctl = 0; - lan78xx_read_reg(dev, PMT_CTL, &temp_pmt_ctl); + + ret = lan78xx_read_reg(dev, PMT_CTL, &temp_pmt_ctl); + if (ret < 0) + return ret; + temp_pmt_ctl &= ~PMT_CTL_RES_CLR_WKP_EN_; temp_pmt_ctl |= PMT_CTL_RES_CLR_WKP_STS_; - for (mask_index = 0; mask_index < NUM_OF_WUF_CFG; mask_index++) - lan78xx_write_reg(dev, WUF_CFG(mask_index), 0); + for (mask_index = 0; mask_index < NUM_OF_WUF_CFG; mask_index++) { + ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), 0); + if (ret < 0) + return ret; + } mask_index = 0; if (wol & WAKE_PHY) { @@ -3742,30 +3881,52 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) /* set WUF_CFG & WUF_MASK for IPv4 Multicast */ crc = lan78xx_wakeframe_crc16(ipv4_multicast, 3); - lan78xx_write_reg(dev, WUF_CFG(mask_index), - WUF_CFGX_EN_ | - WUF_CFGX_TYPE_MCAST_ | - (0 << WUF_CFGX_OFFSET_SHIFT_) | - (crc & WUF_CFGX_CRC16_MASK_)); + ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), + WUF_CFGX_EN_ | + WUF_CFGX_TYPE_MCAST_ | + (0 << WUF_CFGX_OFFSET_SHIFT_) | + (crc & WUF_CFGX_CRC16_MASK_)); + if (ret < 0) + return ret; + + ret = lan78xx_write_reg(dev, WUF_MASK0(mask_index), 7); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); + if (ret < 0) + return ret; - lan78xx_write_reg(dev, WUF_MASK0(mask_index), 7); - lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); - lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); - lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); mask_index++; /* for IPv6 Multicast */ crc = lan78xx_wakeframe_crc16(ipv6_multicast, 2); - lan78xx_write_reg(dev, WUF_CFG(mask_index), - WUF_CFGX_EN_ | - WUF_CFGX_TYPE_MCAST_ | - (0 << WUF_CFGX_OFFSET_SHIFT_) | - (crc & WUF_CFGX_CRC16_MASK_)); + ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), + WUF_CFGX_EN_ | + WUF_CFGX_TYPE_MCAST_ | + (0 << WUF_CFGX_OFFSET_SHIFT_) | + (crc & WUF_CFGX_CRC16_MASK_)); + if (ret < 0) + return ret; + + ret = lan78xx_write_reg(dev, WUF_MASK0(mask_index), 3); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); + if (ret < 0) + return ret; - lan78xx_write_reg(dev, WUF_MASK0(mask_index), 3); - lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); - lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); - lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); mask_index++; temp_pmt_ctl |= PMT_CTL_WOL_EN_; @@ -3786,16 +3947,27 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) * for packettype (offset 12,13) = ARP (0x0806) */ crc = lan78xx_wakeframe_crc16(arp_type, 2); - lan78xx_write_reg(dev, WUF_CFG(mask_index), - WUF_CFGX_EN_ | - WUF_CFGX_TYPE_ALL_ | - (0 << WUF_CFGX_OFFSET_SHIFT_) | - (crc & WUF_CFGX_CRC16_MASK_)); + ret = lan78xx_write_reg(dev, WUF_CFG(mask_index), + WUF_CFGX_EN_ | + WUF_CFGX_TYPE_ALL_ | + (0 << WUF_CFGX_OFFSET_SHIFT_) | + (crc & WUF_CFGX_CRC16_MASK_)); + if (ret < 0) + return ret; + + ret = lan78xx_write_reg(dev, WUF_MASK0(mask_index), 0x3000); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); + if (ret < 0) + return ret; - lan78xx_write_reg(dev, WUF_MASK0(mask_index), 0x3000); - lan78xx_write_reg(dev, WUF_MASK1(mask_index), 0); - lan78xx_write_reg(dev, WUF_MASK2(mask_index), 0); - lan78xx_write_reg(dev, WUF_MASK3(mask_index), 0); mask_index++; temp_pmt_ctl |= PMT_CTL_WOL_EN_; @@ -3803,7 +3975,9 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) temp_pmt_ctl |= PMT_CTL_SUS_MODE_0_; } - lan78xx_write_reg(dev, WUCSR, temp_wucsr); + ret = lan78xx_write_reg(dev, WUCSR, temp_wucsr); + if (ret < 0) + return ret; /* when multiple WOL bits are set */ if (hweight_long((unsigned long)wol) > 1) { @@ -3811,16 +3985,30 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) temp_pmt_ctl &= ~PMT_CTL_SUS_MODE_MASK_; temp_pmt_ctl |= PMT_CTL_SUS_MODE_0_; } - lan78xx_write_reg(dev, PMT_CTL, temp_pmt_ctl); + ret = lan78xx_write_reg(dev, PMT_CTL, temp_pmt_ctl); + if (ret < 0) + return ret; /* clear WUPS */ - lan78xx_read_reg(dev, PMT_CTL, &buf); + ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; + buf |= PMT_CTL_WUPS_MASK_; - lan78xx_write_reg(dev, PMT_CTL, buf); + + ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + return ret; lan78xx_read_reg(dev, MAC_RX, &buf); + if (ret < 0) + return ret; + buf |= MAC_RX_RXEN_; + lan78xx_write_reg(dev, MAC_RX, buf); + if (ret < 0) + return ret; return 0; } @@ -3828,7 +4016,6 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) { struct lan78xx_net *dev = usb_get_intfdata(intf); - struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]); u32 buf; int ret; int event; @@ -3851,11 +4038,24 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) /* stop TX & RX */ ret = lan78xx_read_reg(dev, MAC_TX, &buf); + if (ret < 0) + return ret; + buf &= ~MAC_TX_TXEN_; + ret = lan78xx_write_reg(dev, MAC_TX, buf); + if (ret < 0) + return ret; + ret = lan78xx_read_reg(dev, MAC_RX, &buf); + if (ret < 0) + return ret; + buf &= ~MAC_RX_RXEN_; + ret = lan78xx_write_reg(dev, MAC_RX, buf); + if (ret < 0) + return ret; /* empty out the rx and queues */ netif_device_detach(dev->net); @@ -3872,25 +4072,50 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) if (PMSG_IS_AUTO(message)) { /* auto suspend (selective suspend) */ ret = lan78xx_read_reg(dev, MAC_TX, &buf); + if (ret < 0) + return ret; + buf &= ~MAC_TX_TXEN_; + ret = lan78xx_write_reg(dev, MAC_TX, buf); + if (ret < 0) + return ret; + ret = lan78xx_read_reg(dev, MAC_RX, &buf); + if (ret < 0) + return ret; + buf &= ~MAC_RX_RXEN_; + ret = lan78xx_write_reg(dev, MAC_RX, buf); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WUCSR, 0); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WUCSR2, 0); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); + if (ret < 0) + return ret; /* set goodframe wakeup */ ret = lan78xx_read_reg(dev, WUCSR, &buf); + if (ret < 0) + return ret; buf |= WUCSR_RFE_WAKE_EN_; buf |= WUCSR_STORE_WAKE_; ret = lan78xx_write_reg(dev, WUCSR, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; buf &= ~PMT_CTL_RES_CLR_WKP_EN_; buf |= PMT_CTL_RES_CLR_WKP_STS_; @@ -3901,18 +4126,36 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) buf |= PMT_CTL_SUS_MODE_3_; ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; buf |= PMT_CTL_WUPS_MASK_; ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, MAC_RX, &buf); + if (ret < 0) + return ret; + buf |= MAC_RX_RXEN_; + ret = lan78xx_write_reg(dev, MAC_RX, buf); + if (ret < 0) + return ret; } else { - lan78xx_set_suspend(dev, pdata->wol); + struct lan78xx_priv *pdata; + + pdata = (struct lan78xx_priv *)(dev->data[0]); + + ret = lan78xx_set_suspend(dev, pdata->wol); + if (ret < 0) + return ret; } } @@ -3937,8 +4180,11 @@ static int lan78xx_resume(struct usb_interface *intf) if (!--dev->suspend_count) { /* resume interrupt URBs */ - if (dev->urb_intr && test_bit(EVENT_DEV_OPEN, &dev->flags)) - usb_submit_urb(dev->urb_intr, GFP_NOIO); + if (dev->urb_intr && test_bit(EVENT_DEV_OPEN, &dev->flags)) { + ret = usb_submit_urb(dev->urb_intr, GFP_NOIO); + if (ret < 0) + return ret; + } spin_lock_irq(&dev->txq.lock); while ((res = usb_get_from_anchor(&dev->deferred))) { @@ -3965,13 +4211,21 @@ static int lan78xx_resume(struct usb_interface *intf) } ret = lan78xx_write_reg(dev, WUCSR2, 0); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WUCSR, 0); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WUCSR2, WUCSR2_NS_RCD_ | WUCSR2_ARP_RCD_ | WUCSR2_IPV6_TCPSYN_RCD_ | WUCSR2_IPV4_TCPSYN_RCD_); + if (ret < 0) + return ret; ret = lan78xx_write_reg(dev, WUCSR, WUCSR_EEE_TX_WAKE_ | WUCSR_EEE_RX_WAKE_ | @@ -3980,10 +4234,18 @@ static int lan78xx_resume(struct usb_interface *intf) WUCSR_WUFR_ | WUCSR_MPR_ | WUCSR_BCST_FR_); + if (ret < 0) + return ret; ret = lan78xx_read_reg(dev, MAC_TX, &buf); + if (ret < 0) + return ret; + buf |= MAC_TX_TXEN_; + ret = lan78xx_write_reg(dev, MAC_TX, buf); + if (ret < 0) + return ret; return 0; } @@ -3991,12 +4253,17 @@ static int lan78xx_resume(struct usb_interface *intf) static int lan78xx_reset_resume(struct usb_interface *intf) { struct lan78xx_net *dev = usb_get_intfdata(intf); + int ret; - lan78xx_reset(dev); + ret = lan78xx_reset(dev); + if (ret < 0) + return ret; phy_start(dev->net->phydev); - return lan78xx_resume(intf); + ret = lan78xx_resume(intf); + + return ret; } static const struct usb_device_id products[] = { From c2688f303badea10dd8526d734db642898128e7e Mon Sep 17 00:00:00 2001 From: John Efstathiades Date: Tue, 24 Aug 2021 19:56:10 +0100 Subject: [PATCH 007/176] lan78xx: Fix partial packet errors on suspend/resume [ Upstream commit e1210fe63bf8b080edd0805240e90b81b6b069c1 ] The MAC can get out of step with the internal packet FIFOs if the system goes to sleep when the link is active, especially at high data rates. This can result in partial frames in the packet FIFOs that in result in malformed frames being delivered to the host. This occurs because the driver does not enable/disable the internal packet FIFOs in step with the corresponding MAC data path. The following changes fix this problem. Update code that enables/disables the MAC receiver and transmitter to the more general Rx and Tx data path, where the data path in each direction consists of both the MAC function (Tx or Rx) and the corresponding packet FIFO. In the receive path the packet FIFO must be enabled before the MAC receiver but disabled after the MAC receiver. In the transmit path the opposite is true: the packet FIFO must be enabled after the MAC transmitter but disabled before the MAC transmitter. The packet FIFOs can be flushed safely once the corresponding data path is stopped. Signed-off-by: John Efstathiades Signed-off-by: David S. Miller Stable-dep-of: 1eecc7ab82c4 ("net: lan78xx: fix runtime PM count underflow on link stop") Signed-off-by: Sasha Levin (cherry picked from commit 242c4cd0d906f6f8708c0214b0c926b109f63168) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 303 +++++++++++++++++++++++++------------- 1 file changed, 197 insertions(+), 106 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 51bbb0dc1f28..dee9984ad759 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -100,6 +100,12 @@ /* statistic update interval (mSec) */ #define STAT_UPDATE_TIMER (1 * 1000) +/* time to wait for MAC or FCT to stop (jiffies) */ +#define HW_DISABLE_TIMEOUT (HZ / 10) + +/* time to wait between polling MAC or FCT state (ms) */ +#define HW_DISABLE_DELAY_MS 1 + /* defines interrupts from interrupt EP */ #define MAX_INT_EP (32) #define INT_EP_INTEP (31) @@ -465,6 +471,26 @@ static int lan78xx_write_reg(struct lan78xx_net *dev, u32 index, u32 data) return ret; } +static int lan78xx_update_reg(struct lan78xx_net *dev, u32 reg, u32 mask, + u32 data) +{ + int ret; + u32 buf; + + ret = lan78xx_read_reg(dev, reg, &buf); + if (ret < 0) + return ret; + + buf &= ~mask; + buf |= (mask & data); + + ret = lan78xx_write_reg(dev, reg, buf); + if (ret < 0) + return ret; + + return 0; +} + static int lan78xx_read_stats(struct lan78xx_net *dev, struct lan78xx_statstage *data) { @@ -2352,6 +2378,156 @@ static void lan78xx_init_ltm(struct lan78xx_net *dev) lan78xx_write_reg(dev, LTM_INACTIVE1, regs[5]); } +static int lan78xx_start_hw(struct lan78xx_net *dev, u32 reg, u32 hw_enable) +{ + return lan78xx_update_reg(dev, reg, hw_enable, hw_enable); +} + +static int lan78xx_stop_hw(struct lan78xx_net *dev, u32 reg, u32 hw_enabled, + u32 hw_disabled) +{ + unsigned long timeout; + bool stopped = true; + int ret; + u32 buf; + + /* Stop the h/w block (if not already stopped) */ + + ret = lan78xx_read_reg(dev, reg, &buf); + if (ret < 0) + return ret; + + if (buf & hw_enabled) { + buf &= ~hw_enabled; + + ret = lan78xx_write_reg(dev, reg, buf); + if (ret < 0) + return ret; + + stopped = false; + timeout = jiffies + HW_DISABLE_TIMEOUT; + do { + ret = lan78xx_read_reg(dev, reg, &buf); + if (ret < 0) + return ret; + + if (buf & hw_disabled) + stopped = true; + else + msleep(HW_DISABLE_DELAY_MS); + } while (!stopped && !time_after(jiffies, timeout)); + } + + ret = stopped ? 0 : -ETIME; + + return ret; +} + +static int lan78xx_flush_fifo(struct lan78xx_net *dev, u32 reg, u32 fifo_flush) +{ + return lan78xx_update_reg(dev, reg, fifo_flush, fifo_flush); +} + +static int lan78xx_start_tx_path(struct lan78xx_net *dev) +{ + int ret; + + netif_dbg(dev, drv, dev->net, "start tx path"); + + /* Start the MAC transmitter */ + + ret = lan78xx_start_hw(dev, MAC_TX, MAC_TX_TXEN_); + if (ret < 0) + return ret; + + /* Start the Tx FIFO */ + + ret = lan78xx_start_hw(dev, FCT_TX_CTL, FCT_TX_CTL_EN_); + if (ret < 0) + return ret; + + return 0; +} + +static int lan78xx_stop_tx_path(struct lan78xx_net *dev) +{ + int ret; + + netif_dbg(dev, drv, dev->net, "stop tx path"); + + /* Stop the Tx FIFO */ + + ret = lan78xx_stop_hw(dev, FCT_TX_CTL, FCT_TX_CTL_EN_, FCT_TX_CTL_DIS_); + if (ret < 0) + return ret; + + /* Stop the MAC transmitter */ + + ret = lan78xx_stop_hw(dev, MAC_TX, MAC_TX_TXEN_, MAC_TX_TXD_); + if (ret < 0) + return ret; + + return 0; +} + +/* The caller must ensure the Tx path is stopped before calling + * lan78xx_flush_tx_fifo(). + */ +static int lan78xx_flush_tx_fifo(struct lan78xx_net *dev) +{ + return lan78xx_flush_fifo(dev, FCT_TX_CTL, FCT_TX_CTL_RST_); +} + +static int lan78xx_start_rx_path(struct lan78xx_net *dev) +{ + int ret; + + netif_dbg(dev, drv, dev->net, "start rx path"); + + /* Start the Rx FIFO */ + + ret = lan78xx_start_hw(dev, FCT_RX_CTL, FCT_RX_CTL_EN_); + if (ret < 0) + return ret; + + /* Start the MAC receiver*/ + + ret = lan78xx_start_hw(dev, MAC_RX, MAC_RX_RXEN_); + if (ret < 0) + return ret; + + return 0; +} + +static int lan78xx_stop_rx_path(struct lan78xx_net *dev) +{ + int ret; + + netif_dbg(dev, drv, dev->net, "stop rx path"); + + /* Stop the MAC receiver */ + + ret = lan78xx_stop_hw(dev, MAC_RX, MAC_RX_RXEN_, MAC_RX_RXD_); + if (ret < 0) + return ret; + + /* Stop the Rx FIFO */ + + ret = lan78xx_stop_hw(dev, FCT_RX_CTL, FCT_RX_CTL_EN_, FCT_RX_CTL_DIS_); + if (ret < 0) + return ret; + + return 0; +} + +/* The caller must ensure the Rx path is stopped before calling + * lan78xx_flush_rx_fifo(). + */ +static int lan78xx_flush_rx_fifo(struct lan78xx_net *dev) +{ + return lan78xx_flush_fifo(dev, FCT_RX_CTL, FCT_RX_CTL_RST_); +} + static int lan78xx_reset(struct lan78xx_net *dev) { struct lan78xx_priv *pdata = (struct lan78xx_priv *)(dev->data[0]); @@ -2543,23 +2719,7 @@ static int lan78xx_reset(struct lan78xx_net *dev) if (ret < 0) return ret; - ret = lan78xx_read_reg(dev, MAC_TX, &buf); - if (ret < 0) - return ret; - - buf |= MAC_TX_TXEN_; - - ret = lan78xx_write_reg(dev, MAC_TX, buf); - if (ret < 0) - return ret; - - ret = lan78xx_read_reg(dev, FCT_TX_CTL, &buf); - if (ret < 0) - return ret; - - buf |= FCT_TX_CTL_EN_; - - ret = lan78xx_write_reg(dev, FCT_TX_CTL, buf); + ret = lan78xx_start_tx_path(dev); if (ret < 0) return ret; @@ -2568,27 +2728,9 @@ static int lan78xx_reset(struct lan78xx_net *dev) if (ret < 0) return ret; - ret = lan78xx_read_reg(dev, MAC_RX, &buf); - if (ret < 0) - return ret; + ret = lan78xx_start_rx_path(dev); - buf |= MAC_RX_RXEN_; - - ret = lan78xx_write_reg(dev, MAC_RX, buf); - if (ret < 0) - return ret; - - ret = lan78xx_read_reg(dev, FCT_RX_CTL, &buf); - if (ret < 0) - return ret; - - buf |= FCT_RX_CTL_EN_; - - ret = lan78xx_write_reg(dev, FCT_RX_CTL, buf); - if (ret < 0) - return ret; - - return 0; + return ret; } static void lan78xx_init_stats(struct lan78xx_net *dev) @@ -3807,23 +3949,10 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) u16 crc; int ret; - ret = lan78xx_read_reg(dev, MAC_TX, &buf); + ret = lan78xx_stop_tx_path(dev); if (ret < 0) return ret; - - buf &= ~MAC_TX_TXEN_; - - ret = lan78xx_write_reg(dev, MAC_TX, buf); - if (ret < 0) - return ret; - - ret = lan78xx_read_reg(dev, MAC_RX, &buf); - if (ret < 0) - return ret; - - buf &= ~MAC_RX_RXEN_; - - ret = lan78xx_write_reg(dev, MAC_RX, buf); + ret = lan78xx_stop_rx_path(dev); if (ret < 0) return ret; @@ -4000,17 +4129,9 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) if (ret < 0) return ret; - lan78xx_read_reg(dev, MAC_RX, &buf); - if (ret < 0) - return ret; + ret = lan78xx_start_rx_path(dev); - buf |= MAC_RX_RXEN_; - - lan78xx_write_reg(dev, MAC_RX, buf); - if (ret < 0) - return ret; - - return 0; + return ret; } static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) @@ -4036,24 +4157,17 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) spin_unlock_irq(&dev->txq.lock); } - /* stop TX & RX */ - ret = lan78xx_read_reg(dev, MAC_TX, &buf); + /* stop RX */ + ret = lan78xx_stop_rx_path(dev); if (ret < 0) return ret; - buf &= ~MAC_TX_TXEN_; - - ret = lan78xx_write_reg(dev, MAC_TX, buf); + ret = lan78xx_flush_rx_fifo(dev); if (ret < 0) return ret; - ret = lan78xx_read_reg(dev, MAC_RX, &buf); - if (ret < 0) - return ret; - - buf &= ~MAC_RX_RXEN_; - - ret = lan78xx_write_reg(dev, MAC_RX, buf); + /* stop Tx */ + ret = lan78xx_stop_tx_path(dev); if (ret < 0) return ret; @@ -4071,23 +4185,11 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) if (PMSG_IS_AUTO(message)) { /* auto suspend (selective suspend) */ - ret = lan78xx_read_reg(dev, MAC_TX, &buf); + ret = lan78xx_stop_tx_path(dev); if (ret < 0) return ret; - buf &= ~MAC_TX_TXEN_; - - ret = lan78xx_write_reg(dev, MAC_TX, buf); - if (ret < 0) - return ret; - - ret = lan78xx_read_reg(dev, MAC_RX, &buf); - if (ret < 0) - return ret; - - buf &= ~MAC_RX_RXEN_; - - ret = lan78xx_write_reg(dev, MAC_RX, buf); + ret = lan78xx_stop_rx_path(dev); if (ret < 0) return ret; @@ -4139,13 +4241,7 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) if (ret < 0) return ret; - ret = lan78xx_read_reg(dev, MAC_RX, &buf); - if (ret < 0) - return ret; - - buf |= MAC_RX_RXEN_; - - ret = lan78xx_write_reg(dev, MAC_RX, buf); + ret = lan78xx_start_rx_path(dev); if (ret < 0) return ret; } else { @@ -4170,7 +4266,6 @@ static int lan78xx_resume(struct usb_interface *intf) struct sk_buff *skb; struct urb *res; int ret; - u32 buf; if (!timer_pending(&dev->stat_monitor)) { dev->delta = 1; @@ -4178,6 +4273,10 @@ static int lan78xx_resume(struct usb_interface *intf) jiffies + STAT_UPDATE_TIMER); } + ret = lan78xx_flush_tx_fifo(dev); + if (ret < 0) + return ret; + if (!--dev->suspend_count) { /* resume interrupt URBs */ if (dev->urb_intr && test_bit(EVENT_DEV_OPEN, &dev->flags)) { @@ -4237,17 +4336,9 @@ static int lan78xx_resume(struct usb_interface *intf) if (ret < 0) return ret; - ret = lan78xx_read_reg(dev, MAC_TX, &buf); - if (ret < 0) - return ret; + ret = lan78xx_start_tx_path(dev); - buf |= MAC_TX_TXEN_; - - ret = lan78xx_write_reg(dev, MAC_TX, buf); - if (ret < 0) - return ret; - - return 0; + return ret; } static int lan78xx_reset_resume(struct usb_interface *intf) From cb2fabebb54f6cc12e8d180c40d9ac59076bb666 Mon Sep 17 00:00:00 2001 From: John Efstathiades Date: Tue, 24 Aug 2021 19:56:11 +0100 Subject: [PATCH 008/176] lan78xx: Fix race conditions in suspend/resume handling [ Upstream commit 5f4cc6e25148cc141f97afb41b4dfe9eb1cce613 ] If the interface is given an IP address while the device is suspended (as a result of an auto-suspend event) there is a race between lan78xx_resume() and lan78xx_open() that can result in an exception or failure to handle incoming packets. The following changes fix this problem. Introduce a mutex to serialise operations in the network interface open and stop entry points with respect to the USB driver suspend and resume entry points. Move Tx and Rx data path start/stop to lan78xx_start() and lan78xx_stop() respectively and flush the packet FIFOs before starting the Tx and Rx data paths. This prevents the MAC and FIFOs getting out of step and delivery of malformed packets to the network stack. Stop processing of received packets before disconnecting the PHY from the MAC to prevent a kernel exception caused by handling packets after the PHY device has been removed. Refactor device auto-suspend code to make it consistent with the the system suspend code and make the suspend handler easier to read. Add new code to stop wake-on-lan packets or PHY events resuming the host or device from suspend if the device has not been opened (typically after an IP address is assigned). This patch is dependent on changes to lan78xx_suspend() and lan78xx_resume() introduced in the previous patch of this patch set. Signed-off-by: John Efstathiades Signed-off-by: David S. Miller Stable-dep-of: 1eecc7ab82c4 ("net: lan78xx: fix runtime PM count underflow on link stop") Signed-off-by: Sasha Levin (cherry picked from commit 513cfa1886cd2a06658410b788236522c2a69583) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 433 +++++++++++++++++++++++++------------- 1 file changed, 291 insertions(+), 142 deletions(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index dee9984ad759..23c1d9cd20b5 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -376,6 +376,7 @@ struct lan78xx_net { struct urb *urb_intr; struct usb_anchor deferred; + struct mutex dev_mutex; /* serialise open/stop wrt suspend/resume */ struct mutex phy_mutex; /* for phy access */ unsigned int pipe_in, pipe_out, pipe_intr; @@ -2207,11 +2208,16 @@ static int lan78xx_change_mtu(struct net_device *netdev, int new_mtu) int ll_mtu = new_mtu + netdev->hard_header_len; int old_hard_mtu = dev->hard_mtu; int old_rx_urb_size = dev->rx_urb_size; + int ret; /* no second zero-length packet read wanted after mtu-sized packets */ if ((ll_mtu % dev->maxpacket) == 0) return -EDOM; + ret = usb_autopm_get_interface(dev->intf); + if (ret < 0) + return ret; + lan78xx_set_rx_max_frame_length(dev, new_mtu + VLAN_ETH_HLEN); netdev->mtu = new_mtu; @@ -2227,6 +2233,8 @@ static int lan78xx_change_mtu(struct net_device *netdev, int new_mtu) } } + usb_autopm_put_interface(dev->intf); + return 0; } @@ -2719,16 +2727,8 @@ static int lan78xx_reset(struct lan78xx_net *dev) if (ret < 0) return ret; - ret = lan78xx_start_tx_path(dev); - if (ret < 0) - return ret; - ret = lan78xx_set_rx_max_frame_length(dev, dev->net->mtu + VLAN_ETH_HLEN); - if (ret < 0) - return ret; - - ret = lan78xx_start_rx_path(dev); return ret; } @@ -2764,10 +2764,14 @@ static int lan78xx_open(struct net_device *net) struct lan78xx_net *dev = netdev_priv(net); int ret; + netif_dbg(dev, ifup, dev->net, "open device"); + ret = usb_autopm_get_interface(dev->intf); if (ret < 0) return ret; + mutex_lock(&dev->dev_mutex); + phy_start(net->phydev); netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); @@ -2782,6 +2786,20 @@ static int lan78xx_open(struct net_device *net) } } + ret = lan78xx_flush_rx_fifo(dev); + if (ret < 0) + goto done; + ret = lan78xx_flush_tx_fifo(dev); + if (ret < 0) + goto done; + + ret = lan78xx_start_tx_path(dev); + if (ret < 0) + goto done; + ret = lan78xx_start_rx_path(dev); + if (ret < 0) + goto done; + lan78xx_init_stats(dev); set_bit(EVENT_DEV_OPEN, &dev->flags); @@ -2792,6 +2810,8 @@ static int lan78xx_open(struct net_device *net) lan78xx_defer_kevent(dev, EVENT_LINK_RESET); done: + mutex_unlock(&dev->dev_mutex); + usb_autopm_put_interface(dev->intf); return ret; @@ -2810,38 +2830,56 @@ static void lan78xx_terminate_urbs(struct lan78xx_net *dev) temp = unlink_urbs(dev, &dev->txq) + unlink_urbs(dev, &dev->rxq); /* maybe wait for deletions to finish. */ - while (!skb_queue_empty(&dev->rxq) && - !skb_queue_empty(&dev->txq) && - !skb_queue_empty(&dev->done)) { + while (!skb_queue_empty(&dev->rxq) || + !skb_queue_empty(&dev->txq)) { schedule_timeout(msecs_to_jiffies(UNLINK_TIMEOUT_MS)); set_current_state(TASK_UNINTERRUPTIBLE); netif_dbg(dev, ifdown, dev->net, - "waited for %d urb completions\n", temp); + "waited for %d urb completions", temp); } set_current_state(TASK_RUNNING); dev->wait = NULL; remove_wait_queue(&unlink_wakeup, &wait); + + while (!skb_queue_empty(&dev->done)) { + struct skb_data *entry; + struct sk_buff *skb; + + skb = skb_dequeue(&dev->done); + entry = (struct skb_data *)(skb->cb); + usb_free_urb(entry->urb); + dev_kfree_skb(skb); + } } static int lan78xx_stop(struct net_device *net) { struct lan78xx_net *dev = netdev_priv(net); + netif_dbg(dev, ifup, dev->net, "stop device"); + + mutex_lock(&dev->dev_mutex); + if (timer_pending(&dev->stat_monitor)) del_timer_sync(&dev->stat_monitor); - if (net->phydev) - phy_stop(net->phydev); - clear_bit(EVENT_DEV_OPEN, &dev->flags); netif_stop_queue(net); + tasklet_kill(&dev->bh); + + lan78xx_terminate_urbs(dev); netif_info(dev, ifdown, dev->net, "stop stats: rx/tx %lu/%lu, errs %lu/%lu\n", net->stats.rx_packets, net->stats.tx_packets, net->stats.rx_errors, net->stats.tx_errors); - lan78xx_terminate_urbs(dev); + /* ignore errors that occur stopping the Tx and Rx data paths */ + lan78xx_stop_tx_path(dev); + lan78xx_stop_rx_path(dev); + + if (net->phydev) + phy_stop(net->phydev); usb_kill_urb(dev->urb_intr); @@ -2851,12 +2889,17 @@ static int lan78xx_stop(struct net_device *net) * can't flush_scheduled_work() until we drop rtnl (later), * else workers could deadlock; so make workers a NOP. */ - dev->flags = 0; + clear_bit(EVENT_TX_HALT, &dev->flags); + clear_bit(EVENT_RX_HALT, &dev->flags); + clear_bit(EVENT_LINK_RESET, &dev->flags); + clear_bit(EVENT_STAT_UPDATE, &dev->flags); + cancel_delayed_work_sync(&dev->wq); - tasklet_kill(&dev->bh); usb_autopm_put_interface(dev->intf); + mutex_unlock(&dev->dev_mutex); + return 0; } @@ -2982,6 +3025,9 @@ lan78xx_start_xmit(struct sk_buff *skb, struct net_device *net) struct lan78xx_net *dev = netdev_priv(net); struct sk_buff *skb2 = NULL; + if (test_bit(EVENT_DEV_ASLEEP, &dev->flags)) + schedule_delayed_work(&dev->wq, 0); + if (skb) { skb_tx_timestamp(skb); skb2 = lan78xx_tx_prep(dev, skb, GFP_ATOMIC); @@ -3567,18 +3613,17 @@ static void lan78xx_delayedwork(struct work_struct *work) dev = container_of(work, struct lan78xx_net, wq.work); + if (usb_autopm_get_interface(dev->intf) < 0) + return; + if (test_bit(EVENT_TX_HALT, &dev->flags)) { unlink_urbs(dev, &dev->txq); - status = usb_autopm_get_interface(dev->intf); - if (status < 0) - goto fail_pipe; + status = usb_clear_halt(dev->udev, dev->pipe_out); - usb_autopm_put_interface(dev->intf); if (status < 0 && status != -EPIPE && status != -ESHUTDOWN) { if (netif_msg_tx_err(dev)) -fail_pipe: netdev_err(dev->net, "can't clear tx halt, status %d\n", status); @@ -3588,18 +3633,14 @@ fail_pipe: netif_wake_queue(dev->net); } } + if (test_bit(EVENT_RX_HALT, &dev->flags)) { unlink_urbs(dev, &dev->rxq); - status = usb_autopm_get_interface(dev->intf); - if (status < 0) - goto fail_halt; status = usb_clear_halt(dev->udev, dev->pipe_in); - usb_autopm_put_interface(dev->intf); if (status < 0 && status != -EPIPE && status != -ESHUTDOWN) { if (netif_msg_rx_err(dev)) -fail_halt: netdev_err(dev->net, "can't clear rx halt, status %d\n", status); @@ -3613,16 +3654,9 @@ fail_halt: int ret = 0; clear_bit(EVENT_LINK_RESET, &dev->flags); - status = usb_autopm_get_interface(dev->intf); - if (status < 0) - goto skip_reset; if (lan78xx_link_reset(dev) < 0) { - usb_autopm_put_interface(dev->intf); -skip_reset: netdev_info(dev->net, "link reset failed (%d)\n", ret); - } else { - usb_autopm_put_interface(dev->intf); } } @@ -3636,6 +3670,8 @@ skip_reset: dev->delta = min((dev->delta * 2), 50); } + + usb_autopm_put_interface(dev->intf); } static void intr_complete(struct urb *urb) @@ -3792,6 +3828,7 @@ static int lan78xx_probe(struct usb_interface *intf, skb_queue_head_init(&dev->rxq_pause); skb_queue_head_init(&dev->txq_pend); mutex_init(&dev->phy_mutex); + mutex_init(&dev->dev_mutex); tasklet_init(&dev->bh, lan78xx_bh, (unsigned long)dev); INIT_DELAYED_WORK(&dev->wq, lan78xx_delayedwork); @@ -3937,6 +3974,74 @@ static u16 lan78xx_wakeframe_crc16(const u8 *buf, int len) return crc; } +static int lan78xx_set_auto_suspend(struct lan78xx_net *dev) +{ + u32 buf; + int ret; + + ret = lan78xx_stop_tx_path(dev); + if (ret < 0) + return ret; + + ret = lan78xx_stop_rx_path(dev); + if (ret < 0) + return ret; + + /* auto suspend (selective suspend) */ + + ret = lan78xx_write_reg(dev, WUCSR, 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WUCSR2, 0); + if (ret < 0) + return ret; + ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); + if (ret < 0) + return ret; + + /* set goodframe wakeup */ + + ret = lan78xx_read_reg(dev, WUCSR, &buf); + if (ret < 0) + return ret; + + buf |= WUCSR_RFE_WAKE_EN_; + buf |= WUCSR_STORE_WAKE_; + + ret = lan78xx_write_reg(dev, WUCSR, buf); + if (ret < 0) + return ret; + + ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; + + buf &= ~PMT_CTL_RES_CLR_WKP_EN_; + buf |= PMT_CTL_RES_CLR_WKP_STS_; + buf |= PMT_CTL_PHY_WAKE_EN_; + buf |= PMT_CTL_WOL_EN_; + buf &= ~PMT_CTL_SUS_MODE_MASK_; + buf |= PMT_CTL_SUS_MODE_3_; + + ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + return ret; + + ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + return ret; + + buf |= PMT_CTL_WUPS_MASK_; + + ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + return ret; + + ret = lan78xx_start_rx_path(dev); + + return ret; +} + static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) { const u8 ipv4_multicast[3] = { 0x01, 0x00, 0x5E }; @@ -4137,18 +4242,25 @@ static int lan78xx_set_suspend(struct lan78xx_net *dev, u32 wol) static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) { struct lan78xx_net *dev = usb_get_intfdata(intf); - u32 buf; + bool dev_open; int ret; int event; event = message.event; - if (!dev->suspend_count++) { + mutex_lock(&dev->dev_mutex); + + netif_dbg(dev, ifdown, dev->net, + "suspending: pm event %#x", message.event); + + dev_open = test_bit(EVENT_DEV_OPEN, &dev->flags); + + if (dev_open) { spin_lock_irq(&dev->txq.lock); /* don't autosuspend while transmitting */ if ((skb_queue_len(&dev->txq) || skb_queue_len(&dev->txq_pend)) && - PMSG_IS_AUTO(message)) { + PMSG_IS_AUTO(message)) { spin_unlock_irq(&dev->txq.lock); ret = -EBUSY; goto out; @@ -4160,171 +4272,204 @@ static int lan78xx_suspend(struct usb_interface *intf, pm_message_t message) /* stop RX */ ret = lan78xx_stop_rx_path(dev); if (ret < 0) - return ret; + goto out; ret = lan78xx_flush_rx_fifo(dev); if (ret < 0) - return ret; + goto out; /* stop Tx */ ret = lan78xx_stop_tx_path(dev); if (ret < 0) - return ret; + goto out; - /* empty out the rx and queues */ + /* empty out the Rx and Tx queues */ netif_device_detach(dev->net); lan78xx_terminate_urbs(dev); usb_kill_urb(dev->urb_intr); /* reattach */ netif_device_attach(dev->net); - } - if (test_bit(EVENT_DEV_ASLEEP, &dev->flags)) { del_timer(&dev->stat_monitor); if (PMSG_IS_AUTO(message)) { - /* auto suspend (selective suspend) */ - ret = lan78xx_stop_tx_path(dev); + ret = lan78xx_set_auto_suspend(dev); if (ret < 0) - return ret; - - ret = lan78xx_stop_rx_path(dev); - if (ret < 0) - return ret; - - ret = lan78xx_write_reg(dev, WUCSR, 0); - if (ret < 0) - return ret; - ret = lan78xx_write_reg(dev, WUCSR2, 0); - if (ret < 0) - return ret; - ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); - if (ret < 0) - return ret; - - /* set goodframe wakeup */ - ret = lan78xx_read_reg(dev, WUCSR, &buf); - if (ret < 0) - return ret; - - buf |= WUCSR_RFE_WAKE_EN_; - buf |= WUCSR_STORE_WAKE_; - - ret = lan78xx_write_reg(dev, WUCSR, buf); - if (ret < 0) - return ret; - - ret = lan78xx_read_reg(dev, PMT_CTL, &buf); - if (ret < 0) - return ret; - - buf &= ~PMT_CTL_RES_CLR_WKP_EN_; - buf |= PMT_CTL_RES_CLR_WKP_STS_; - - buf |= PMT_CTL_PHY_WAKE_EN_; - buf |= PMT_CTL_WOL_EN_; - buf &= ~PMT_CTL_SUS_MODE_MASK_; - buf |= PMT_CTL_SUS_MODE_3_; - - ret = lan78xx_write_reg(dev, PMT_CTL, buf); - if (ret < 0) - return ret; - - ret = lan78xx_read_reg(dev, PMT_CTL, &buf); - if (ret < 0) - return ret; - - buf |= PMT_CTL_WUPS_MASK_; - - ret = lan78xx_write_reg(dev, PMT_CTL, buf); - if (ret < 0) - return ret; - - ret = lan78xx_start_rx_path(dev); - if (ret < 0) - return ret; + goto out; } else { struct lan78xx_priv *pdata; pdata = (struct lan78xx_priv *)(dev->data[0]); - + netif_carrier_off(dev->net); ret = lan78xx_set_suspend(dev, pdata->wol); if (ret < 0) - return ret; + goto out; } + } else { + /* Interface is down; don't allow WOL and PHY + * events to wake up the host + */ + u32 buf; + + set_bit(EVENT_DEV_ASLEEP, &dev->flags); + + ret = lan78xx_write_reg(dev, WUCSR, 0); + if (ret < 0) + goto out; + ret = lan78xx_write_reg(dev, WUCSR2, 0); + if (ret < 0) + goto out; + + ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + goto out; + + buf &= ~PMT_CTL_RES_CLR_WKP_EN_; + buf |= PMT_CTL_RES_CLR_WKP_STS_; + buf &= ~PMT_CTL_SUS_MODE_MASK_; + buf |= PMT_CTL_SUS_MODE_3_; + + ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + goto out; + + ret = lan78xx_read_reg(dev, PMT_CTL, &buf); + if (ret < 0) + goto out; + + buf |= PMT_CTL_WUPS_MASK_; + + ret = lan78xx_write_reg(dev, PMT_CTL, buf); + if (ret < 0) + goto out; } ret = 0; out: + mutex_unlock(&dev->dev_mutex); + return ret; } +static bool lan78xx_submit_deferred_urbs(struct lan78xx_net *dev) +{ + bool pipe_halted = false; + struct urb *urb; + + while ((urb = usb_get_from_anchor(&dev->deferred))) { + struct sk_buff *skb = urb->context; + int ret; + + if (!netif_device_present(dev->net) || + !netif_carrier_ok(dev->net) || + pipe_halted) { + usb_free_urb(urb); + dev_kfree_skb(skb); + continue; + } + + ret = usb_submit_urb(urb, GFP_ATOMIC); + + if (ret == 0) { + netif_trans_update(dev->net); + lan78xx_queue_skb(&dev->txq, skb, tx_start); + } else { + usb_free_urb(urb); + dev_kfree_skb(skb); + + if (ret == -EPIPE) { + netif_stop_queue(dev->net); + pipe_halted = true; + } else if (ret == -ENODEV) { + netif_device_detach(dev->net); + } + } + } + + return pipe_halted; +} + static int lan78xx_resume(struct usb_interface *intf) { struct lan78xx_net *dev = usb_get_intfdata(intf); - struct sk_buff *skb; - struct urb *res; + bool dev_open; int ret; - if (!timer_pending(&dev->stat_monitor)) { - dev->delta = 1; - mod_timer(&dev->stat_monitor, - jiffies + STAT_UPDATE_TIMER); - } + mutex_lock(&dev->dev_mutex); - ret = lan78xx_flush_tx_fifo(dev); - if (ret < 0) - return ret; + netif_dbg(dev, ifup, dev->net, "resuming device"); - if (!--dev->suspend_count) { - /* resume interrupt URBs */ - if (dev->urb_intr && test_bit(EVENT_DEV_OPEN, &dev->flags)) { - ret = usb_submit_urb(dev->urb_intr, GFP_NOIO); - if (ret < 0) - return ret; - } + dev_open = test_bit(EVENT_DEV_OPEN, &dev->flags); + + if (dev_open) { + bool pipe_halted = false; + + ret = lan78xx_flush_tx_fifo(dev); + if (ret < 0) + goto out; + + if (dev->urb_intr) { + int ret = usb_submit_urb(dev->urb_intr, GFP_KERNEL); - spin_lock_irq(&dev->txq.lock); - while ((res = usb_get_from_anchor(&dev->deferred))) { - skb = (struct sk_buff *)res->context; - ret = usb_submit_urb(res, GFP_ATOMIC); if (ret < 0) { - dev_kfree_skb_any(skb); - usb_free_urb(res); - usb_autopm_put_interface_async(dev->intf); - } else { - netif_trans_update(dev->net); - lan78xx_queue_skb(&dev->txq, skb, tx_start); + if (ret == -ENODEV) + netif_device_detach(dev->net); + + netdev_warn(dev->net, "Failed to submit intr URB"); } } + spin_lock_irq(&dev->txq.lock); + + if (netif_device_present(dev->net)) { + pipe_halted = lan78xx_submit_deferred_urbs(dev); + + if (pipe_halted) + lan78xx_defer_kevent(dev, EVENT_TX_HALT); + } + clear_bit(EVENT_DEV_ASLEEP, &dev->flags); + spin_unlock_irq(&dev->txq.lock); - if (test_bit(EVENT_DEV_OPEN, &dev->flags)) { - if (!(skb_queue_len(&dev->txq) >= dev->tx_qlen)) - netif_start_queue(dev->net); - tasklet_schedule(&dev->bh); + if (!pipe_halted && + netif_device_present(dev->net) && + (skb_queue_len(&dev->txq) < dev->tx_qlen)) + netif_start_queue(dev->net); + + ret = lan78xx_start_tx_path(dev); + if (ret < 0) + goto out; + + tasklet_schedule(&dev->bh); + + if (!timer_pending(&dev->stat_monitor)) { + dev->delta = 1; + mod_timer(&dev->stat_monitor, + jiffies + STAT_UPDATE_TIMER); } + + } else { + clear_bit(EVENT_DEV_ASLEEP, &dev->flags); } ret = lan78xx_write_reg(dev, WUCSR2, 0); if (ret < 0) - return ret; + goto out; ret = lan78xx_write_reg(dev, WUCSR, 0); if (ret < 0) - return ret; + goto out; ret = lan78xx_write_reg(dev, WK_SRC, 0xFFF1FF1FUL); if (ret < 0) - return ret; + goto out; ret = lan78xx_write_reg(dev, WUCSR2, WUCSR2_NS_RCD_ | WUCSR2_ARP_RCD_ | WUCSR2_IPV6_TCPSYN_RCD_ | WUCSR2_IPV4_TCPSYN_RCD_); if (ret < 0) - return ret; + goto out; ret = lan78xx_write_reg(dev, WUCSR, WUCSR_EEE_TX_WAKE_ | WUCSR_EEE_RX_WAKE_ | @@ -4334,9 +4479,11 @@ static int lan78xx_resume(struct usb_interface *intf) WUCSR_MPR_ | WUCSR_BCST_FR_); if (ret < 0) - return ret; + goto out; - ret = lan78xx_start_tx_path(dev); + ret = 0; +out: + mutex_unlock(&dev->dev_mutex); return ret; } @@ -4346,6 +4493,8 @@ static int lan78xx_reset_resume(struct usb_interface *intf) struct lan78xx_net *dev = usb_get_intfdata(intf); int ret; + netif_dbg(dev, ifup, dev->net, "(reset) resuming device"); + ret = lan78xx_reset(dev); if (ret < 0) return ret; From 30336393906643b4fece662c7c2f1871766222fd Mon Sep 17 00:00:00 2001 From: Oleksij Rempel Date: Wed, 28 Feb 2024 13:45:17 +0100 Subject: [PATCH 009/176] net: lan78xx: fix runtime PM count underflow on link stop [ Upstream commit 1eecc7ab82c42133b748e1895275942a054a7f67 ] Current driver has some asymmetry in the runtime PM calls. On lan78xx_open() it will call usb_autopm_get() and unconditionally usb_autopm_put(). And on lan78xx_stop() it will call only usb_autopm_put(). So far, it was working only because this driver do not activate autosuspend by default, so it was visible only by warning "Runtime PM usage count underflow!". Since, with current driver, we can't use runtime PM with active link, execute lan78xx_open()->usb_autopm_put() only in error case. Otherwise, keep ref counting high as long as interface is open. Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") Signed-off-by: Oleksij Rempel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 575689f40b415299864bf1826d03e71d3d807c73) Signed-off-by: Vegard Nossum --- drivers/net/usb/lan78xx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c index 23c1d9cd20b5..7a5d8f1da113 100644 --- a/drivers/net/usb/lan78xx.c +++ b/drivers/net/usb/lan78xx.c @@ -2812,7 +2812,8 @@ static int lan78xx_open(struct net_device *net) done: mutex_unlock(&dev->dev_mutex); - usb_autopm_put_interface(dev->intf); + if (ret < 0) + usb_autopm_put_interface(dev->intf); return ret; } From de6f8690a982faf789a071b7683e3b26274faf4e Mon Sep 17 00:00:00 2001 From: Li RongQing Date: Fri, 14 Sep 2018 16:00:51 +0800 Subject: [PATCH 010/176] net: move definition of pcpu_lstats to header file [ Upstream commit 52bb6677d530d37055092d86b4eab69dce6c166a ] pcpu_lstats is defined in several files, so unify them as one and move to header file Signed-off-by: Zhang Yu Signed-off-by: Li RongQing Signed-off-by: David S. Miller Stable-dep-of: 1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()") Signed-off-by: Sasha Levin (cherry picked from commit 6463ace2a35d22642c90147ebced20ef6145eac6) Signed-off-by: Vegard Nossum --- drivers/net/loopback.c | 6 ------ drivers/net/nlmon.c | 6 ------ drivers/net/vsockmon.c | 14 ++++---------- include/linux/netdevice.h | 6 ++++++ 4 files changed, 10 insertions(+), 22 deletions(-) diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c index daef41ce2349..92997f0ffcb3 100644 --- a/drivers/net/loopback.c +++ b/drivers/net/loopback.c @@ -59,12 +59,6 @@ #include #include -struct pcpu_lstats { - u64 packets; - u64 bytes; - struct u64_stats_sync syncp; -}; - /* The higher levels take care of making this non-reentrant (it's * called with bh's disabled). */ diff --git a/drivers/net/nlmon.c b/drivers/net/nlmon.c index 4b22955de191..dd0db7534cb3 100644 --- a/drivers/net/nlmon.c +++ b/drivers/net/nlmon.c @@ -6,12 +6,6 @@ #include #include -struct pcpu_lstats { - u64 packets; - u64 bytes; - struct u64_stats_sync syncp; -}; - static netdev_tx_t nlmon_xmit(struct sk_buff *skb, struct net_device *dev) { int len = skb->len; diff --git a/drivers/net/vsockmon.c b/drivers/net/vsockmon.c index c28bdce14fd5..7bad5c95551f 100644 --- a/drivers/net/vsockmon.c +++ b/drivers/net/vsockmon.c @@ -11,12 +11,6 @@ #define DEFAULT_MTU (VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + \ sizeof(struct af_vsockmon_hdr)) -struct pcpu_lstats { - u64 rx_packets; - u64 rx_bytes; - struct u64_stats_sync syncp; -}; - static int vsockmon_dev_init(struct net_device *dev) { dev->lstats = netdev_alloc_pcpu_stats(struct pcpu_lstats); @@ -56,8 +50,8 @@ static netdev_tx_t vsockmon_xmit(struct sk_buff *skb, struct net_device *dev) struct pcpu_lstats *stats = this_cpu_ptr(dev->lstats); u64_stats_update_begin(&stats->syncp); - stats->rx_bytes += len; - stats->rx_packets++; + stats->bytes += len; + stats->packets++; u64_stats_update_end(&stats->syncp); dev_kfree_skb(skb); @@ -80,8 +74,8 @@ vsockmon_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats) do { start = u64_stats_fetch_begin_irq(&vstats->syncp); - tbytes = vstats->rx_bytes; - tpackets = vstats->rx_packets; + tbytes = vstats->bytes; + tpackets = vstats->packets; } while (u64_stats_fetch_retry_irq(&vstats->syncp, start)); packets += tpackets; diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 70b66c8a4675..bdde6d1b6325 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -2245,6 +2245,12 @@ struct pcpu_sw_netstats { struct u64_stats_sync syncp; }; +struct pcpu_lstats { + u64 packets; + u64 bytes; + struct u64_stats_sync syncp; +}; + #define __netdev_alloc_pcpu_stats(type, gfp) \ ({ \ typeof(type) __percpu *pcpu_stats = alloc_percpu_gfp(type, gfp);\ From 46ae53df59e8bb5f52d184011ff4db8582b47874 Mon Sep 17 00:00:00 2001 From: Phillip Potter Date: Fri, 23 Apr 2021 00:49:45 +0100 Subject: [PATCH 011/176] net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb [ Upstream commit d13f048dd40e8577260cd43faea8ec9b77520197 ] Modify the header size check in geneve6_xmit_skb and geneve_xmit_skb to use pskb_inet_may_pull rather than pskb_network_may_pull. This fixes two kernel selftest failures introduced by the commit introducing the checks: IPv4 over geneve6: PMTU exceptions IPv4 over geneve6: PMTU exceptions - nexthop objects It does this by correctly accounting for the fact that IPv4 packets may transit over geneve IPv6 tunnels (and vice versa), and still fixes the uninit-value bug fixed by the original commit. Reported-by: kernel test robot Fixes: 6628ddfec758 ("net: geneve: check skb is large enough for IPv4/IPv6 header") Suggested-by: Sabrina Dubroca Signed-off-by: Phillip Potter Acked-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 35385daa8db320d2d9664930c28e732578b0d7de) Signed-off-by: Vegard Nossum --- drivers/net/geneve.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index d87ec8d0f152..a8995d178ed2 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c @@ -834,7 +834,7 @@ static int geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, __be16 df; int err; - if (!pskb_network_may_pull(skb, sizeof(struct iphdr))) + if (!pskb_inet_may_pull(skb)) return -EINVAL; sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); @@ -884,7 +884,7 @@ static int geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, __be16 sport; int err; - if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) + if (!pskb_inet_may_pull(skb)) return -EINVAL; sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); From 3b1e13eb6c7bcbc71e0766dc21ccb55f8d15ab50 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 29 Feb 2024 13:11:52 +0000 Subject: [PATCH 012/176] geneve: make sure to pull inner header in geneve_rx() [ Upstream commit 1ca1ba465e55b9460e4e75dec9fff31e708fec74 ] syzbot triggered a bug in geneve_rx() [1] Issue is similar to the one I fixed in commit 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. [1] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline] BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] geneve_rx drivers/net/geneve.c:279 [inline] geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391 udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108 udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186 udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346 __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422 udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:461 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 process_backlog+0x480/0x8b0 net/core/dev.c:5976 __napi_poll+0xe3/0x980 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x8b8/0x1870 net/core/dev.c:6778 __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553 do_softirq+0x9a/0xf0 kernel/softirq.c:454 __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline] __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378 dev_queue_xmit include/linux/netdevice.h:3171 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook mm/slub.c:3819 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x352/0x790 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1296 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels") Reported-and-tested-by: syzbot+6a1423ff3f97159aae64@syzkaller.appspotmail.com Signed-off-by: Eric Dumazet Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit e431c3227864b5646601c97f5f898d99472f2914) Signed-off-by: Vegard Nossum --- drivers/net/geneve.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index a8995d178ed2..b2aad1ae549d 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c @@ -215,7 +215,7 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs, struct metadata_dst *tun_dst = NULL; struct pcpu_sw_netstats *stats; unsigned int len; - int err = 0; + int nh, err = 0; void *oiph; if (ip_tunnel_collect_metadata() || gs->collect_md) { @@ -259,9 +259,23 @@ static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs, goto drop; } - oiph = skb_network_header(skb); + /* Save offset of outer header relative to skb->head, + * because we are going to reset the network header to the inner header + * and might change skb->head. + */ + nh = skb_network_header(skb) - skb->head; + skb_reset_network_header(skb); + if (!pskb_inet_may_pull(skb)) { + DEV_STATS_INC(geneve->dev, rx_length_errors); + DEV_STATS_INC(geneve->dev, rx_errors); + goto drop; + } + + /* Get the outer header. */ + oiph = skb->head + nh; + if (geneve_get_sk_family(gs) == AF_INET) err = IP_ECN_decapsulate(oiph, skb); #if IS_ENABLED(CONFIG_IPV6) From 08230f3ca93b03add21ae1e8ddf08bd283daab23 Mon Sep 17 00:00:00 2001 From: Harsha Sharma Date: Fri, 13 Oct 2017 04:23:57 +0530 Subject: [PATCH 013/176] netfilter: nf_conntrack_h323: Remove typedef struct Remove typedef from struct as linux-kernel coding style tends to avoid using typedefs. Done using following coccinelle semantic patch @r1@ type T; @@ typedef struct { ... } T; @script:python c1@ T2; T << r1.T; @@ if T[-2:] =="_t" or T[-2:] == "_T": coccinelle.T2 = T[:-2]; else: coccinelle.T2 = T; print T, coccinelle.T2 @r2@ type r1.T; identifier c1.T2; @@ -typedef struct + T2 { ... } -T ; @r3@ type r1.T; identifier c1.T2; @@ -T +struct T2 Signed-off-by: Harsha Sharma Signed-off-by: Pablo Neira Ayuso (cherry picked from commit 67704c2a05860edf8529c8271550148348737a8f) Signed-off-by: Vegard Nossum --- net/netfilter/nf_conntrack_h323_asn1.c | 80 +++++++++++++------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index 89b2e46925c4..7831aa1effc9 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -91,41 +91,41 @@ typedef struct field_t { } field_t; /* Bit Stream */ -typedef struct { +struct bitstr { unsigned char *buf; unsigned char *beg; unsigned char *end; unsigned char *cur; unsigned int bit; -} bitstr_t; +}; /* Tool Functions */ #define INC_BIT(bs) if((++(bs)->bit)>7){(bs)->cur++;(bs)->bit=0;} #define INC_BITS(bs,b) if(((bs)->bit+=(b))>7){(bs)->cur+=(bs)->bit>>3;(bs)->bit&=7;} #define BYTE_ALIGN(bs) if((bs)->bit){(bs)->cur++;(bs)->bit=0;} #define CHECK_BOUND(bs,n) if((bs)->cur+(n)>(bs)->end)return(H323_ERROR_BOUND) -static unsigned int get_len(bitstr_t *bs); -static unsigned int get_bit(bitstr_t *bs); -static unsigned int get_bits(bitstr_t *bs, unsigned int b); -static unsigned int get_bitmap(bitstr_t *bs, unsigned int b); -static unsigned int get_uint(bitstr_t *bs, int b); +static unsigned int get_len(struct bitstr *bs); +static unsigned int get_bit(struct bitstr *bs); +static unsigned int get_bits(struct bitstr *bs, unsigned int b); +static unsigned int get_bitmap(struct bitstr *bs, unsigned int b); +static unsigned int get_uint(struct bitstr *bs, int b); /* Decoder Functions */ -static int decode_nul(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_bool(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_oid(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_int(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_enum(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_bitstr(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_numstr(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_octstr(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_bmpstr(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_seq(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_seqof(bitstr_t *bs, const struct field_t *f, char *base, int level); -static int decode_choice(bitstr_t *bs, const struct field_t *f, char *base, int level); +static int decode_nul(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_bool(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_oid(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_int(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_enum(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_bitstr(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_numstr(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_octstr(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_bmpstr(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_seq(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_seqof(struct bitstr *bs, const struct field_t *f, char *base, int level); +static int decode_choice(struct bitstr *bs, const struct field_t *f, char *base, int level); /* Decoder Functions Vector */ -typedef int (*decoder_t)(bitstr_t *, const struct field_t *, char *, int); +typedef int (*decoder_t)(struct bitstr *, const struct field_t *, char *, int); static const decoder_t Decoders[] = { decode_nul, decode_bool, @@ -150,7 +150,7 @@ static const decoder_t Decoders[] = { * Functions ****************************************************************************/ /* Assume bs is aligned && v < 16384 */ -static unsigned int get_len(bitstr_t *bs) +static unsigned int get_len(struct bitstr *bs) { unsigned int v; @@ -166,7 +166,7 @@ static unsigned int get_len(bitstr_t *bs) } /****************************************************************************/ -static unsigned int get_bit(bitstr_t *bs) +static unsigned int get_bit(struct bitstr *bs) { unsigned int b = (*bs->cur) & (0x80 >> bs->bit); @@ -177,7 +177,7 @@ static unsigned int get_bit(bitstr_t *bs) /****************************************************************************/ /* Assume b <= 8 */ -static unsigned int get_bits(bitstr_t *bs, unsigned int b) +static unsigned int get_bits(struct bitstr *bs, unsigned int b) { unsigned int v, l; @@ -203,7 +203,7 @@ static unsigned int get_bits(bitstr_t *bs, unsigned int b) /****************************************************************************/ /* Assume b <= 32 */ -static unsigned int get_bitmap(bitstr_t *bs, unsigned int b) +static unsigned int get_bitmap(struct bitstr *bs, unsigned int b) { unsigned int v, l, shift, bytes; @@ -242,7 +242,7 @@ static unsigned int get_bitmap(bitstr_t *bs, unsigned int b) /**************************************************************************** * Assume bs is aligned and sizeof(unsigned int) == 4 ****************************************************************************/ -static unsigned int get_uint(bitstr_t *bs, int b) +static unsigned int get_uint(struct bitstr *bs, int b) { unsigned int v = 0; @@ -264,7 +264,7 @@ static unsigned int get_uint(bitstr_t *bs, int b) } /****************************************************************************/ -static int decode_nul(bitstr_t *bs, const struct field_t *f, +static int decode_nul(struct bitstr *bs, const struct field_t *f, char *base, int level) { PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); @@ -273,7 +273,7 @@ static int decode_nul(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_bool(bitstr_t *bs, const struct field_t *f, +static int decode_bool(struct bitstr *bs, const struct field_t *f, char *base, int level) { PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); @@ -285,7 +285,7 @@ static int decode_bool(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_oid(bitstr_t *bs, const struct field_t *f, +static int decode_oid(struct bitstr *bs, const struct field_t *f, char *base, int level) { int len; @@ -302,7 +302,7 @@ static int decode_oid(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_int(bitstr_t *bs, const struct field_t *f, +static int decode_int(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int len; @@ -346,7 +346,7 @@ static int decode_int(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_enum(bitstr_t *bs, const struct field_t *f, +static int decode_enum(struct bitstr *bs, const struct field_t *f, char *base, int level) { PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); @@ -362,7 +362,7 @@ static int decode_enum(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_bitstr(bitstr_t *bs, const struct field_t *f, +static int decode_bitstr(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int len; @@ -396,7 +396,7 @@ static int decode_bitstr(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_numstr(bitstr_t *bs, const struct field_t *f, +static int decode_numstr(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int len; @@ -414,7 +414,7 @@ static int decode_numstr(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_octstr(bitstr_t *bs, const struct field_t *f, +static int decode_octstr(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int len; @@ -463,7 +463,7 @@ static int decode_octstr(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_bmpstr(bitstr_t *bs, const struct field_t *f, +static int decode_bmpstr(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int len; @@ -489,7 +489,7 @@ static int decode_bmpstr(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_seq(bitstr_t *bs, const struct field_t *f, +static int decode_seq(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int ext, bmp, i, opt, len = 0, bmp2, bmp2_len; @@ -606,7 +606,7 @@ static int decode_seq(bitstr_t *bs, const struct field_t *f, } /****************************************************************************/ -static int decode_seqof(bitstr_t *bs, const struct field_t *f, +static int decode_seqof(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int count, effective_count = 0, i, len = 0; @@ -696,7 +696,7 @@ static int decode_seqof(bitstr_t *bs, const struct field_t *f, /****************************************************************************/ -static int decode_choice(bitstr_t *bs, const struct field_t *f, +static int decode_choice(struct bitstr *bs, const struct field_t *f, char *base, int level) { unsigned int type, ext, len = 0; @@ -772,7 +772,7 @@ int DecodeRasMessage(unsigned char *buf, size_t sz, RasMessage *ras) FNAME("RasMessage") CHOICE, 5, 24, 32, DECODE | EXT, 0, _RasMessage }; - bitstr_t bs; + struct bitstr bs; bs.buf = bs.beg = bs.cur = buf; bs.end = buf + sz; @@ -789,7 +789,7 @@ static int DecodeH323_UserInformation(unsigned char *buf, unsigned char *beg, FNAME("H323-UserInformation") SEQ, 1, 2, 2, DECODE | EXT, 0, _H323_UserInformation }; - bitstr_t bs; + struct bitstr bs; bs.buf = buf; bs.beg = bs.cur = beg; @@ -808,7 +808,7 @@ int DecodeMultimediaSystemControlMessage(unsigned char *buf, size_t sz, FNAME("MultimediaSystemControlMessage") CHOICE, 2, 4, 4, DECODE | EXT, 0, _MultimediaSystemControlMessage }; - bitstr_t bs; + struct bitstr bs; bs.buf = bs.beg = bs.cur = buf; bs.end = buf + sz; From 0025d996dd7b719a14f477ad3fa810abdf406585 Mon Sep 17 00:00:00 2001 From: Eric Sesterhenn Date: Mon, 9 Oct 2017 07:01:14 +0200 Subject: [PATCH 014/176] netfilter: nf_ct_h323: Out Of Bound Read in Netfilter Conntrack Add missing counter decrement to prevent out of bounds memory read. Signed-off-by: Eric Sesterhenn Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso (cherry picked from commit e8daf27c2fea38e16a791780952aa5dff1c409fe) Signed-off-by: Vegard Nossum --- net/netfilter/nf_conntrack_h323_asn1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index 7831aa1effc9..cf1bf2605c10 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -877,6 +877,7 @@ int DecodeQ931(unsigned char *buf, size_t sz, Q931 *q931) if (sz < 1) break; len = *p++; + sz--; if (sz < len) break; p += len; From 5ee983c52f6ca4fa4f15d9ff3b82634237b49e4f Mon Sep 17 00:00:00 2001 From: Eric Sesterhenn Date: Mon, 13 Nov 2017 09:09:40 +0100 Subject: [PATCH 015/176] netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function It is bad practive to return in a macro, this patch moves the check into a function. Signed-off-by: Eric Sesterhenn Signed-off-by: Pablo Neira Ayuso (cherry picked from commit bc7d811ace4ad39a3941089ca871633366878719) Signed-off-by: Vegard Nossum --- net/netfilter/nf_conntrack_h323_asn1.c | 94 ++++++++++++++++++-------- 1 file changed, 65 insertions(+), 29 deletions(-) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index cf1bf2605c10..3d9a009ac147 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -103,7 +103,6 @@ struct bitstr { #define INC_BIT(bs) if((++(bs)->bit)>7){(bs)->cur++;(bs)->bit=0;} #define INC_BITS(bs,b) if(((bs)->bit+=(b))>7){(bs)->cur+=(bs)->bit>>3;(bs)->bit&=7;} #define BYTE_ALIGN(bs) if((bs)->bit){(bs)->cur++;(bs)->bit=0;} -#define CHECK_BOUND(bs,n) if((bs)->cur+(n)>(bs)->end)return(H323_ERROR_BOUND) static unsigned int get_len(struct bitstr *bs); static unsigned int get_bit(struct bitstr *bs); static unsigned int get_bits(struct bitstr *bs, unsigned int b); @@ -165,6 +164,14 @@ static unsigned int get_len(struct bitstr *bs) return v; } +static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes) +{ + if (*bs->cur + bytes > *bs->end) + return 1; + + return 0; +} + /****************************************************************************/ static unsigned int get_bit(struct bitstr *bs) { @@ -280,7 +287,8 @@ static int decode_bool(struct bitstr *bs, const struct field_t *f, INC_BIT(bs); - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -293,11 +301,14 @@ static int decode_oid(struct bitstr *bs, const struct field_t *f, PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); BYTE_ALIGN(bs); - CHECK_BOUND(bs, 1); + if (nf_h323_error_boundary(bs, 1)) + return H323_ERROR_BOUND; + len = *bs->cur++; bs->cur += len; + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; - CHECK_BOUND(bs, 0); return H323_ERROR_NONE; } @@ -330,7 +341,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, break; case UNCO: BYTE_ALIGN(bs); - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = get_len(bs); bs->cur += len; break; @@ -341,7 +353,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, PRINT("\n"); - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -357,7 +370,8 @@ static int decode_enum(struct bitstr *bs, const struct field_t *f, INC_BITS(bs, f->sz); } - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -375,12 +389,14 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f, len = f->lb; break; case WORD: /* 2-byte length */ - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = (*bs->cur++) << 8; len += (*bs->cur++) + f->lb; break; case SEMI: - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = get_len(bs); break; default: @@ -391,7 +407,8 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f, bs->cur += len >> 3; bs->bit = len & 7; - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -409,7 +426,8 @@ static int decode_numstr(struct bitstr *bs, const struct field_t *f, BYTE_ALIGN(bs); INC_BITS(bs, (len << 2)); - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -440,12 +458,14 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f, break; case BYTE: /* Range == 256 */ BYTE_ALIGN(bs); - CHECK_BOUND(bs, 1); + if (nf_h323_error_boundary(bs, 1)) + return H323_ERROR_BOUND; len = (*bs->cur++) + f->lb; break; case SEMI: BYTE_ALIGN(bs); - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = get_len(bs) + f->lb; break; default: /* 2 <= Range <= 255 */ @@ -458,7 +478,8 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f, PRINT("\n"); - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -473,7 +494,8 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f, switch (f->sz) { case BYTE: /* Range == 256 */ BYTE_ALIGN(bs); - CHECK_BOUND(bs, 1); + if (nf_h323_error_boundary(bs, 1)) + return H323_ERROR_BOUND; len = (*bs->cur++) + f->lb; break; default: /* 2 <= Range <= 255 */ @@ -484,7 +506,8 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f, bs->cur += len << 1; - CHECK_BOUND(bs, 0); + if (nf_h323_error_boundary(bs, 0)) + return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -525,9 +548,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Decode */ if (son->attr & OPEN) { /* Open field */ - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = get_len(bs); - CHECK_BOUND(bs, len); + if (nf_h323_error_boundary(bs, len)) + return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name); @@ -556,7 +581,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Get the extension bitmap */ bmp2_len = get_bits(bs, 7) + 1; - CHECK_BOUND(bs, (bmp2_len + 7) >> 3); + if (nf_h323_error_boundary(bs, (bmp2_len + 7) >> 3)) + return H323_ERROR_BOUND; bmp2 = get_bitmap(bs, bmp2_len); bmp |= bmp2 >> f->sz; if (base) @@ -567,9 +593,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, for (opt = 0; opt < bmp2_len; opt++, i++, son++) { /* Check Range */ if (i >= f->ub) { /* Newer Version? */ - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = get_len(bs); - CHECK_BOUND(bs, len); + if (nf_h323_error_boundary(bs, len)) + return H323_ERROR_BOUND; bs->cur += len; continue; } @@ -583,9 +611,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, if (!((0x80000000 >> opt) & bmp2)) /* Not present */ continue; - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; len = get_len(bs); - CHECK_BOUND(bs, len); + if (nf_h323_error_boundary(bs, len)) + return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name); @@ -623,19 +653,22 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f, switch (f->sz) { case BYTE: BYTE_ALIGN(bs); - CHECK_BOUND(bs, 1); + if (nf_h323_error_boundary(bs, 1)) + return H323_ERROR_BOUND; count = *bs->cur++; break; case WORD: BYTE_ALIGN(bs); - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; count = *bs->cur++; count <<= 8; count += *bs->cur++; break; case SEMI: BYTE_ALIGN(bs); - CHECK_BOUND(bs, 2); + if (nf_h323_error_boundary(bs, 2)) + return H323_ERROR_BOUND; count = get_len(bs); break; default: @@ -659,7 +692,8 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f, if (son->attr & OPEN) { BYTE_ALIGN(bs); len = get_len(bs); - CHECK_BOUND(bs, len); + if (nf_h323_error_boundary(bs, len)) + return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name); @@ -728,7 +762,8 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f, if (type >= f->ub) { /* Newer version? */ BYTE_ALIGN(bs); len = get_len(bs); - CHECK_BOUND(bs, len); + if (nf_h323_error_boundary(bs, len)) + return H323_ERROR_BOUND; bs->cur += len; return H323_ERROR_NONE; } @@ -743,7 +778,8 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f, if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); len = get_len(bs); - CHECK_BOUND(bs, len); + if (nf_h323_error_boundary(bs, len)) + return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name); From 74a4c76141e79f28621987d7a5d1233528717105 Mon Sep 17 00:00:00 2001 From: Eric Sesterhenn Date: Mon, 13 Nov 2017 09:09:41 +0100 Subject: [PATCH 016/176] netfilter: nf_ct_h323: Extend nf_h323_error_boundary to work on bits as well This patch fixes several out of bounds memory reads by extending the nf_h323_error_boundary() function to work on bits as well an check the affected parts. Signed-off-by: Eric Sesterhenn Signed-off-by: Pablo Neira Ayuso (cherry picked from commit ec8a8f3c31ddef0a7d9626c4b8a4baa30f3b80aa) Signed-off-by: Vegard Nossum --- net/netfilter/nf_conntrack_h323_asn1.c | 92 +++++++++++++++++--------- 1 file changed, 62 insertions(+), 30 deletions(-) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index 3d9a009ac147..dc6347342e34 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -164,8 +164,13 @@ static unsigned int get_len(struct bitstr *bs) return v; } -static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes) +static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t bits) { + bits += bs->bit; + bytes += bits / BITS_PER_BYTE; + if (bits % BITS_PER_BYTE > 0) + bytes++; + if (*bs->cur + bytes > *bs->end) return 1; @@ -286,8 +291,7 @@ static int decode_bool(struct bitstr *bs, const struct field_t *f, PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); INC_BIT(bs); - - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -301,12 +305,12 @@ static int decode_oid(struct bitstr *bs, const struct field_t *f, PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 1)) + if (nf_h323_error_boundary(bs, 1, 0)) return H323_ERROR_BOUND; len = *bs->cur++; bs->cur += len; - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; @@ -330,6 +334,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, bs->cur += 2; break; case CONS: /* 64K < Range < 4G */ + if (nf_h323_error_boundary(bs, 0, 2)) + return H323_ERROR_BOUND; len = get_bits(bs, 2) + 1; BYTE_ALIGN(bs); if (base && (f->attr & DECODE)) { /* timeToLive */ @@ -341,7 +347,7 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, break; case UNCO: BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = get_len(bs); bs->cur += len; @@ -353,7 +359,7 @@ static int decode_int(struct bitstr *bs, const struct field_t *f, PRINT("\n"); - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -370,7 +376,7 @@ static int decode_enum(struct bitstr *bs, const struct field_t *f, INC_BITS(bs, f->sz); } - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -389,13 +395,13 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f, len = f->lb; break; case WORD: /* 2-byte length */ - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = (*bs->cur++) << 8; len += (*bs->cur++) + f->lb; break; case SEMI: - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = get_len(bs); break; @@ -407,7 +413,7 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f, bs->cur += len >> 3; bs->bit = len & 7; - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -421,12 +427,14 @@ static int decode_numstr(struct bitstr *bs, const struct field_t *f, PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); /* 2 <= Range <= 255 */ + if (nf_h323_error_boundary(bs, 0, f->sz)) + return H323_ERROR_BOUND; len = get_bits(bs, f->sz) + f->lb; BYTE_ALIGN(bs); INC_BITS(bs, (len << 2)); - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -458,17 +466,19 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f, break; case BYTE: /* Range == 256 */ BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 1)) + if (nf_h323_error_boundary(bs, 1, 0)) return H323_ERROR_BOUND; len = (*bs->cur++) + f->lb; break; case SEMI: BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = get_len(bs) + f->lb; break; default: /* 2 <= Range <= 255 */ + if (nf_h323_error_boundary(bs, 0, f->sz)) + return H323_ERROR_BOUND; len = get_bits(bs, f->sz) + f->lb; BYTE_ALIGN(bs); break; @@ -478,7 +488,7 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f, PRINT("\n"); - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -494,11 +504,13 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f, switch (f->sz) { case BYTE: /* Range == 256 */ BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 1)) + if (nf_h323_error_boundary(bs, 1, 0)) return H323_ERROR_BOUND; len = (*bs->cur++) + f->lb; break; default: /* 2 <= Range <= 255 */ + if (nf_h323_error_boundary(bs, 0, f->sz)) + return H323_ERROR_BOUND; len = get_bits(bs, f->sz) + f->lb; BYTE_ALIGN(bs); break; @@ -506,7 +518,7 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f, bs->cur += len << 1; - if (nf_h323_error_boundary(bs, 0)) + if (nf_h323_error_boundary(bs, 0, 0)) return H323_ERROR_BOUND; return H323_ERROR_NONE; } @@ -526,9 +538,13 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, base = (base && (f->attr & DECODE)) ? base + f->offset : NULL; /* Extensible? */ + if (nf_h323_error_boundary(bs, 0, 1)) + return H323_ERROR_BOUND; ext = (f->attr & EXT) ? get_bit(bs) : 0; /* Get fields bitmap */ + if (nf_h323_error_boundary(bs, 0, f->sz)) + return H323_ERROR_BOUND; bmp = get_bitmap(bs, f->sz); if (base) *(unsigned int *)base = bmp; @@ -548,10 +564,10 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Decode */ if (son->attr & OPEN) { /* Open field */ - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = get_len(bs); - if (nf_h323_error_boundary(bs, len)) + if (nf_h323_error_boundary(bs, len, 0)) return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, @@ -580,8 +596,10 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, return H323_ERROR_NONE; /* Get the extension bitmap */ + if (nf_h323_error_boundary(bs, 0, 7)) + return H323_ERROR_BOUND; bmp2_len = get_bits(bs, 7) + 1; - if (nf_h323_error_boundary(bs, (bmp2_len + 7) >> 3)) + if (nf_h323_error_boundary(bs, 0, bmp2_len)) return H323_ERROR_BOUND; bmp2 = get_bitmap(bs, bmp2_len); bmp |= bmp2 >> f->sz; @@ -593,10 +611,10 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, for (opt = 0; opt < bmp2_len; opt++, i++, son++) { /* Check Range */ if (i >= f->ub) { /* Newer Version? */ - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = get_len(bs); - if (nf_h323_error_boundary(bs, len)) + if (nf_h323_error_boundary(bs, len, 0)) return H323_ERROR_BOUND; bs->cur += len; continue; @@ -611,10 +629,10 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, if (!((0x80000000 >> opt) & bmp2)) /* Not present */ continue; - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; len = get_len(bs); - if (nf_h323_error_boundary(bs, len)) + if (nf_h323_error_boundary(bs, len, 0)) return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", @@ -653,13 +671,13 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f, switch (f->sz) { case BYTE: BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 1)) + if (nf_h323_error_boundary(bs, 1, 0)) return H323_ERROR_BOUND; count = *bs->cur++; break; case WORD: BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; count = *bs->cur++; count <<= 8; @@ -667,11 +685,13 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f, break; case SEMI: BYTE_ALIGN(bs); - if (nf_h323_error_boundary(bs, 2)) + if (nf_h323_error_boundary(bs, 2, 0)) return H323_ERROR_BOUND; count = get_len(bs); break; default: + if (nf_h323_error_boundary(bs, 0, f->sz)) + return H323_ERROR_BOUND; count = get_bits(bs, f->sz); break; } @@ -691,8 +711,10 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f, for (i = 0; i < count; i++) { if (son->attr & OPEN) { BYTE_ALIGN(bs); + if (nf_h323_error_boundary(bs, 2, 0)) + return H323_ERROR_BOUND; len = get_len(bs); - if (nf_h323_error_boundary(bs, len)) + if (nf_h323_error_boundary(bs, len, 0)) return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, @@ -744,11 +766,17 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f, base = (base && (f->attr & DECODE)) ? base + f->offset : NULL; /* Decode the choice index number */ + if (nf_h323_error_boundary(bs, 0, 1)) + return H323_ERROR_BOUND; if ((f->attr & EXT) && get_bit(bs)) { ext = 1; + if (nf_h323_error_boundary(bs, 0, 7)) + return H323_ERROR_BOUND; type = get_bits(bs, 7) + f->lb; } else { ext = 0; + if (nf_h323_error_boundary(bs, 0, f->sz)) + return H323_ERROR_BOUND; type = get_bits(bs, f->sz); if (type >= f->lb) return H323_ERROR_RANGE; @@ -761,8 +789,10 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f, /* Check Range */ if (type >= f->ub) { /* Newer version? */ BYTE_ALIGN(bs); + if (nf_h323_error_boundary(bs, 2, 0)) + return H323_ERROR_BOUND; len = get_len(bs); - if (nf_h323_error_boundary(bs, len)) + if (nf_h323_error_boundary(bs, len, 0)) return H323_ERROR_BOUND; bs->cur += len; return H323_ERROR_NONE; @@ -777,8 +807,10 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f, if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); + if (nf_h323_error_boundary(bs, len, 0)) + return H323_ERROR_BOUND; len = get_len(bs); - if (nf_h323_error_boundary(bs, len)) + if (nf_h323_error_boundary(bs, len, 0)) return H323_ERROR_BOUND; if (!base || !(son->attr & DECODE)) { PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", From 1c31b4059c9416af2dfb42f087f64edd607eb35f Mon Sep 17 00:00:00 2001 From: Lena Wang Date: Tue, 5 Mar 2024 11:38:55 +0000 Subject: [PATCH 017/176] netfilter: nf_conntrack_h323: Add protection for bmp length out of range [ Upstream commit 767146637efc528b5e3d31297df115e85a2fd362 ] UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts that are out of bounds for their data type. vmlinux get_bitmap(b=75) + 712 vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956 vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216 vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812 vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216 vmlinux DecodeRasMessage() + 304 vmlinux ras_help() + 684 vmlinux nf_confirm() + 188 Due to abnormal data in skb->data, the extension bitmap length exceeds 32 when decoding ras message then uses the length to make a shift operation. It will change into negative after several loop. UBSAN load could detect a negative shift as an undefined behaviour and reports exception. So we add the protection to avoid the length exceeding 32. Or else it will return out of range error and stop decoding. Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper") Signed-off-by: Lena Wang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin (cherry picked from commit 98db42191329c679f4ca52bec0b319689e1ad8cb) Signed-off-by: Vegard Nossum --- net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index dc6347342e34..9ed1b5a825d0 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -545,6 +545,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Get fields bitmap */ if (nf_h323_error_boundary(bs, 0, f->sz)) return H323_ERROR_BOUND; + if (f->sz > 32) + return H323_ERROR_RANGE; bmp = get_bitmap(bs, f->sz); if (base) *(unsigned int *)base = bmp; @@ -601,6 +603,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, bmp2_len = get_bits(bs, 7) + 1; if (nf_h323_error_boundary(bs, 0, bmp2_len)) return H323_ERROR_BOUND; + if (bmp2_len > 32) + return H323_ERROR_RANGE; bmp2 = get_bitmap(bs, bmp2_len); bmp |= bmp2 >> f->sz; if (base) From 7bab6671e4d56af53eaa19b4e61d349ce3b1cee7 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:35 +0800 Subject: [PATCH 018/176] netrom: Fix a data-race around sysctl_netrom_default_path_quality [ Upstream commit 958d6145a6d9ba9e075c921aead8753fb91c9101 ] We need to protect the reader reading sysctl_netrom_default_path_quality because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 7644df766006d4878a556e427e3ecc78c2d5606b) Signed-off-by: Vegard Nossum --- net/netrom/nr_route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index d098bb8d53aa..7f089638c535 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -144,7 +144,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic, nr_neigh->digipeat = NULL; nr_neigh->ax25 = NULL; nr_neigh->dev = dev; - nr_neigh->quality = sysctl_netrom_default_path_quality; + nr_neigh->quality = READ_ONCE(sysctl_netrom_default_path_quality); nr_neigh->locked = 0; nr_neigh->count = 0; nr_neigh->number = nr_neigh_no++; From 5993b06357724c9656435dcd39ef3f731bb68719 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:36 +0800 Subject: [PATCH 019/176] netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser [ Upstream commit cfd9f4a740f772298308b2e6070d2c744fb5cf79 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit e3a3718b1723253d4f068e88e81d880d71f1a1e9) Signed-off-by: Vegard Nossum --- net/netrom/nr_route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index 7f089638c535..53f2d371a928 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -790,7 +790,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) if (ax25 != NULL) { ret = nr_add_node(nr_src, "", &ax25->dest_addr, ax25->digipeat, ax25->ax25_dev->dev, 0, - sysctl_netrom_obsolescence_count_initialiser); + READ_ONCE(sysctl_netrom_obsolescence_count_initialiser)); if (ret) return ret; } From 3babe0b373c89f4557d880edfaee1269e0565619 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:37 +0800 Subject: [PATCH 020/176] netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser [ Upstream commit 119cae5ea3f9e35cdada8e572cc067f072fa825a ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit acc653e8a3aaab1b7103f98645f2cce7be89e3d3) Signed-off-by: Vegard Nossum --- net/netrom/nr_dev.c | 2 +- net/netrom/nr_out.c | 2 +- net/netrom/nr_subr.c | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/net/netrom/nr_dev.c b/net/netrom/nr_dev.c index 988f542481a8..fa845edad7bf 100644 --- a/net/netrom/nr_dev.c +++ b/net/netrom/nr_dev.c @@ -84,7 +84,7 @@ static int nr_header(struct sk_buff *skb, struct net_device *dev, buff[6] |= AX25_SSSID_SPARE; buff += AX25_ADDR_LEN; - *buff++ = sysctl_netrom_network_ttl_initialiser; + *buff++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser); *buff++ = NR_PROTO_IP; *buff++ = NR_PROTO_IP; diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c index 00fbf1419ec6..213bddab6e74 100644 --- a/net/netrom/nr_out.c +++ b/net/netrom/nr_out.c @@ -207,7 +207,7 @@ void nr_transmit_buffer(struct sock *sk, struct sk_buff *skb) dptr[6] |= AX25_SSSID_SPARE; dptr += AX25_ADDR_LEN; - *dptr++ = sysctl_netrom_network_ttl_initialiser; + *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser); if (!nr_route_frame(skb, NULL)) { kfree_skb(skb); diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c index a7d3a265befb..b5cee72b8c98 100644 --- a/net/netrom/nr_subr.c +++ b/net/netrom/nr_subr.c @@ -185,7 +185,8 @@ void nr_write_internal(struct sock *sk, int frametype) *dptr++ = nr->my_id; *dptr++ = frametype; *dptr++ = nr->window; - if (nr->bpqext) *dptr++ = sysctl_netrom_network_ttl_initialiser; + if (nr->bpqext) + *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser); break; case NR_DISCREQ: @@ -239,7 +240,7 @@ void __nr_transmit_reply(struct sk_buff *skb, int mine, unsigned char cmdflags) dptr[6] |= AX25_SSSID_SPARE; dptr += AX25_ADDR_LEN; - *dptr++ = sysctl_netrom_network_ttl_initialiser; + *dptr++ = READ_ONCE(sysctl_netrom_network_ttl_initialiser); if (mine) { *dptr++ = 0; From 75af2f874a607d406075ebee8872267e7610cc9c Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:38 +0800 Subject: [PATCH 021/176] netrom: Fix a data-race around sysctl_netrom_transport_timeout [ Upstream commit 60a7a152abd494ed4f69098cf0f322e6bb140612 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 500936692ccca8617a955652d1929f079b17a201) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 4480d0d8394b..ac594ce94092 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -456,7 +456,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol, nr_init_timers(sk); nr->t1 = - msecs_to_jiffies(sysctl_netrom_transport_timeout); + msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout)); nr->t2 = msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay); nr->n2 = From 6e9e490c1c0f727effa44d696b29b363b9ddf216 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:39 +0800 Subject: [PATCH 022/176] netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries [ Upstream commit e799299aafed417cc1f32adccb2a0e5268b3f6d5 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 84b8486e9cedc93875f251ba31abcf73bd586a3a) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index ac594ce94092..555f6249a668 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -460,7 +460,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol, nr->t2 = msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay); nr->n2 = - msecs_to_jiffies(sysctl_netrom_transport_maximum_tries); + msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries)); nr->t4 = msecs_to_jiffies(sysctl_netrom_transport_busy_delay); nr->idle = From 9da1d2a1e6687d4009eff99367df4bf7dee17f6c Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:40 +0800 Subject: [PATCH 023/176] netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay [ Upstream commit 806f462ba9029d41aadf8ec93f2f99c5305deada ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 6133a71c75dacea12fcc85838b4455c2055b0f14) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 555f6249a668..c84ac6603766 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -458,7 +458,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol, nr->t1 = msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_timeout)); nr->t2 = - msecs_to_jiffies(sysctl_netrom_transport_acknowledge_delay); + msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_acknowledge_delay)); nr->n2 = msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries)); nr->t4 = From 943942802104ff9dcb435d85456b08967878b40d Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:41 +0800 Subject: [PATCH 024/176] netrom: Fix a data-race around sysctl_netrom_transport_busy_delay [ Upstream commit 43547d8699439a67b78d6bb39015113f7aa360fd ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 7782e5e7047cae6b9255ee727c99fc73d77cf773) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index c84ac6603766..fd01ca1d074b 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -462,7 +462,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol, nr->n2 = msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_maximum_tries)); nr->t4 = - msecs_to_jiffies(sysctl_netrom_transport_busy_delay); + msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay)); nr->idle = msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout); nr->window = sysctl_netrom_transport_requested_window_size; From 3f661371119e40c7307cff48dfaa28ba19ec6a20 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:42 +0800 Subject: [PATCH 025/176] netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size [ Upstream commit a2e706841488f474c06e9b33f71afc947fb3bf56 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 4f2efa17c3ec5e4be0567b47439b9713c0dc6550) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index fd01ca1d074b..b824e42a94e8 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -465,7 +465,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol, msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay)); nr->idle = msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout); - nr->window = sysctl_netrom_transport_requested_window_size; + nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size); nr->bpqext = 1; nr->state = NR_STATE_0; From 0a8e233837a214086305549c6cc3c10505960a18 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:43 +0800 Subject: [PATCH 026/176] netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout [ Upstream commit f99b494b40431f0ca416859f2345746199398e2b ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 73426c32e259c767d40613b956d5b80d0c28a9a9) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index b824e42a94e8..a0b89764c95c 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -464,7 +464,7 @@ static int nr_create(struct net *net, struct socket *sock, int protocol, nr->t4 = msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_busy_delay)); nr->idle = - msecs_to_jiffies(sysctl_netrom_transport_no_activity_timeout); + msecs_to_jiffies(READ_ONCE(sysctl_netrom_transport_no_activity_timeout)); nr->window = READ_ONCE(sysctl_netrom_transport_requested_window_size); nr->bpqext = 1; From 4851e4321fdf86f860623d8541f46916cbd9b8e7 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:44 +0800 Subject: [PATCH 027/176] netrom: Fix a data-race around sysctl_netrom_routing_control [ Upstream commit b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit c13fbb5902bce848759385986d4833f5b90782c1) Signed-off-by: Vegard Nossum --- net/netrom/nr_route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index 53f2d371a928..ad210933896f 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -804,7 +804,7 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) return ret; } - if (!sysctl_netrom_routing_control && ax25 != NULL) + if (!READ_ONCE(sysctl_netrom_routing_control) && ax25 != NULL) return 0; /* Its Time-To-Live has expired */ From 3c574b4ac9511dee909385868739d64de9abf892 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:45 +0800 Subject: [PATCH 028/176] netrom: Fix a data-race around sysctl_netrom_link_fails_count [ Upstream commit bc76645ebdd01be9b9994dac39685a3d0f6f7985 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 97a4d8b9f67cc7efe9a0c137e12f6d9e40795bf1) Signed-off-by: Vegard Nossum --- net/netrom/nr_route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index ad210933896f..879c811892ff 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -752,7 +752,7 @@ void nr_link_failed(ax25_cb *ax25, int reason) nr_neigh->ax25 = NULL; ax25_cb_put(ax25); - if (++nr_neigh->failed < sysctl_netrom_link_fails_count) { + if (++nr_neigh->failed < READ_ONCE(sysctl_netrom_link_fails_count)) { nr_neigh_put(nr_neigh); return; } From daa941d9ed63191c6d3e13d640ecd55a07d449a3 Mon Sep 17 00:00:00 2001 From: Jason Xing Date: Mon, 4 Mar 2024 16:20:46 +0800 Subject: [PATCH 029/176] netrom: Fix data-races around sysctl_net_busy_read [ Upstream commit d380ce70058a4ccddc3e5f5c2063165dc07672c6 ] We need to protect the reader reading the sysctl value because the value can be changed concurrently. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jason Xing Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit d623fd5298d95b65d27ef5a618ebf39541074856) Signed-off-by: Vegard Nossum --- net/netrom/af_netrom.c | 2 +- net/netrom/nr_in.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index a0b89764c95c..8c61dc9ce779 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -956,7 +956,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) * G8PZT's Xrouter which is sending packets with command type 7 * as an extension of the protocol. */ - if (sysctl_netrom_reset_circuit && + if (READ_ONCE(sysctl_netrom_reset_circuit) && (frametype != NR_RESET || flags != 0)) nr_transmit_reset(skb, 1); diff --git a/net/netrom/nr_in.c b/net/netrom/nr_in.c index 80dbd0beb516..0449c6ead50e 100644 --- a/net/netrom/nr_in.c +++ b/net/netrom/nr_in.c @@ -100,7 +100,7 @@ static int nr_state1_machine(struct sock *sk, struct sk_buff *skb, break; case NR_RESET: - if (sysctl_netrom_reset_circuit) + if (READ_ONCE(sysctl_netrom_reset_circuit)) nr_disconnect(sk, ECONNRESET); break; @@ -131,7 +131,7 @@ static int nr_state2_machine(struct sock *sk, struct sk_buff *skb, break; case NR_RESET: - if (sysctl_netrom_reset_circuit) + if (READ_ONCE(sysctl_netrom_reset_circuit)) nr_disconnect(sk, ECONNRESET); break; @@ -266,7 +266,7 @@ static int nr_state3_machine(struct sock *sk, struct sk_buff *skb, int frametype break; case NR_RESET: - if (sysctl_netrom_reset_circuit) + if (READ_ONCE(sysctl_netrom_reset_circuit)) nr_disconnect(sk, ECONNRESET); break; From 0e37e77f60fe5fe48b7010deb499d284c92003c6 Mon Sep 17 00:00:00 2001 From: Christophe Leroy Date: Fri, 8 Feb 2019 15:02:55 +0000 Subject: [PATCH 030/176] tools/selftest/vm: allow choosing mem size and page size in map_hugetlb [ Upstream commit fa7b9a805c797b729022029aaa3a2b7c35fff4c6 ] map_hugetlb maps 256Mbytes of memory with default hugepage size. This patch allows the user to pass the size and page shift as an argument in order to use different size and page size. Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Stable-dep-of: 91b80cc5b39f ("selftests: mm: fix map_hugetlb failure on 64K page size systems") Signed-off-by: Sasha Levin (cherry picked from commit becbfcabedfe3ceb9bd6184c172fad00c0a8feb0) Signed-off-by: Vegard Nossum --- tools/testing/selftests/vm/map_hugetlb.c | 29 ++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/vm/map_hugetlb.c b/tools/testing/selftests/vm/map_hugetlb.c index 9b777fa95f09..5a2d7b8efc40 100644 --- a/tools/testing/selftests/vm/map_hugetlb.c +++ b/tools/testing/selftests/vm/map_hugetlb.c @@ -23,6 +23,14 @@ #define MAP_HUGETLB 0x40000 /* arch specific */ #endif +#ifndef MAP_HUGE_SHIFT +#define MAP_HUGE_SHIFT 26 +#endif + +#ifndef MAP_HUGE_MASK +#define MAP_HUGE_MASK 0x3f +#endif + /* Only ia64 requires this */ #ifdef __ia64__ #define ADDR (void *)(0x8000000000000000UL) @@ -58,12 +66,29 @@ static int read_bytes(char *addr) return 0; } -int main(void) +int main(int argc, char **argv) { void *addr; int ret; + size_t length = LENGTH; + int flags = FLAGS; + int shift = 0; - addr = mmap(ADDR, LENGTH, PROTECTION, FLAGS, -1, 0); + if (argc > 1) + length = atol(argv[1]) << 20; + if (argc > 2) { + shift = atoi(argv[2]); + if (shift) + flags |= (shift & MAP_HUGE_MASK) << MAP_HUGE_SHIFT; + } + + if (shift) + printf("%u kB hugepages\n", 1 << shift); + else + printf("Default size hugepages\n"); + printf("Mapping %lu Mbytes\n", (unsigned long)length >> 20); + + addr = mmap(ADDR, length, PROTECTION, flags, -1, 0); if (addr == MAP_FAILED) { perror("mmap"); exit(1); From b37d2d9d10c65fabe5b9b53ec84d9388202f4bf2 Mon Sep 17 00:00:00 2001 From: Nico Pache Date: Fri, 19 Jan 2024 06:14:29 -0700 Subject: [PATCH 031/176] selftests: mm: fix map_hugetlb failure on 64K page size systems [ Upstream commit 91b80cc5b39f00399e8e2d17527cad2c7fa535e2 ] On systems with 64k page size and 512M huge page sizes, the allocation and test succeeds but errors out at the munmap. As the comment states, munmap will failure if its not HUGEPAGE aligned. This is due to the length of the mapping being 1/2 the size of the hugepage causing the munmap to not be hugepage aligned. Fix this by making the mapping length the full hugepage if the hugepage is larger than the length of the mapping. Link: https://lkml.kernel.org/r/20240119131429.172448-1-npache@redhat.com Signed-off-by: Nico Pache Cc: Donet Tom Cc: Shuah Khan Cc: Christophe Leroy Cc: Michael Ellerman Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin (cherry picked from commit abdbd5f3e8c504d864fdc032dd5a4eb481cb12bf) Signed-off-by: Vegard Nossum --- tools/testing/selftests/vm/map_hugetlb.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/testing/selftests/vm/map_hugetlb.c b/tools/testing/selftests/vm/map_hugetlb.c index 5a2d7b8efc40..ab349c6db00d 100644 --- a/tools/testing/selftests/vm/map_hugetlb.c +++ b/tools/testing/selftests/vm/map_hugetlb.c @@ -15,6 +15,7 @@ #include #include #include +#include "vm_util.h" #define LENGTH (256UL*1024*1024) #define PROTECTION (PROT_READ | PROT_WRITE) @@ -70,10 +71,16 @@ int main(int argc, char **argv) { void *addr; int ret; + size_t hugepage_size; size_t length = LENGTH; int flags = FLAGS; int shift = 0; + hugepage_size = default_huge_page_size(); + /* munmap with fail if the length is not page aligned */ + if (hugepage_size > length) + length = hugepage_size; + if (argc > 1) length = atol(argv[1]) << 20; if (argc > 2) { From fb847632d0d888521c17c0f1109ca827316281a4 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 8 Mar 2021 14:02:37 +0100 Subject: [PATCH 032/176] um: allow not setting extra rpaths in the linux binary [ Upstream commit 386093c68ba3e8bcfe7f46deba901e0e80713c29 ] There doesn't seem to be any reason for the rpath being set in the binaries, at on systems that I tested on. On the other hand, setting rpath is actually harming binaries in some cases, e.g. if using nix-based compilation environments where /lib & /lib64 are not part of the actual environment. Add a new Kconfig option (under EXPERT, for less user confusion) that allows disabling the rpath additions. Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Stable-dep-of: 846cfbeed09b ("um: Fix adding '-no-pie' for clang") Signed-off-by: Sasha Levin (cherry picked from commit 90091bdf5df0195de0d2d8e3e4d43aaaee122d34) [vegard: fix trivial conflict due to missing commit 1572497cb0e6d2016078bc9d5a95786bb878389f ("kconfig: include common Kconfig files from top-level Kconfig")] Signed-off-by: Vegard Nossum --- arch/um/Kconfig.um | 13 +++++++++++++ arch/um/Makefile | 3 ++- arch/x86/Makefile.um | 2 +- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/arch/um/Kconfig.um b/arch/um/Kconfig.um index 3e7f228b22e1..bea5c96b9cff 100644 --- a/arch/um/Kconfig.um +++ b/arch/um/Kconfig.um @@ -25,6 +25,19 @@ config LD_SCRIPT_DYN source "fs/Kconfig.binfmt" +config LD_SCRIPT_DYN_RPATH + bool "set rpath in the binary" if EXPERT + default y + depends on LD_SCRIPT_DYN + help + Add /lib (and /lib64 for 64-bit) to the linux binary's rpath + explicitly. + + You may need to turn this off if compiling for nix systems + that have their libraries in random /nix directories and + might otherwise unexpected use libraries from /lib or /lib64 + instead of the desired ones. + config HOSTFS tristate "Host filesystem" help diff --git a/arch/um/Makefile b/arch/um/Makefile index b76fcce397a1..80f6caadf325 100644 --- a/arch/um/Makefile +++ b/arch/um/Makefile @@ -121,7 +121,8 @@ archheaders: archprepare: include/generated/user_constants.h LINK-$(CONFIG_LD_SCRIPT_STATIC) += -static -LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib $(call cc-option, -no-pie) +LINK-$(CONFIG_LD_SCRIPT_DYN) += $(call cc-option, -no-pie) +LINK-$(CONFIG_LD_SCRIPT_DYN_RPATH) += -Wl,-rpath,/lib CFLAGS_NO_HARDENING := $(call cc-option, -fno-PIC,) $(call cc-option, -fno-pic,) \ $(call cc-option, -fno-stack-protector,) \ diff --git a/arch/x86/Makefile.um b/arch/x86/Makefile.um index 45af19921ebd..f1809d892618 100644 --- a/arch/x86/Makefile.um +++ b/arch/x86/Makefile.um @@ -53,7 +53,7 @@ ELF_FORMAT := elf64-x86-64 # Not on all 64-bit distros /lib is a symlink to /lib64. PLD is an example. -LINK-$(CONFIG_LD_SCRIPT_DYN) += -Wl,-rpath,/lib64 +LINK-$(CONFIG_LD_SCRIPT_DYN_RPATH) += -Wl,-rpath,/lib64 LINK-y += -m64 # Do unit-at-a-time unconditionally on x86_64, following the host From 8ddca3d65f8a45b7a4e8d844441b30f990e0b015 Mon Sep 17 00:00:00 2001 From: Juhee Kang Date: Sun, 10 Oct 2021 13:03:28 +0900 Subject: [PATCH 033/176] hv_netvsc: use netif_is_bond_master() instead of open code [ Upstream commit c60882a4566a0a62dc3a40c85131103aad83dcb3 ] Use netif_is_bond_master() function instead of open code, which is ((event_dev->priv_flags & IFF_BONDING) && (event_dev->flags & IFF_MASTER)). This patch doesn't change logic. Signed-off-by: Juhee Kang Signed-off-by: David S. Miller Stable-dep-of: 9cae43da9867 ("hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed") Signed-off-by: Sasha Levin (cherry picked from commit a2577793ff166cc18fe4192a8b1bca2d37253e6a) Signed-off-by: Vegard Nossum --- drivers/net/hyperv/netvsc_drv.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 17a7ef679bab..44aa9810259e 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -2232,8 +2232,7 @@ static int netvsc_netdev_event(struct notifier_block *this, return NOTIFY_DONE; /* Avoid Bonding master dev with same MAC registering as VF */ - if ((event_dev->priv_flags & IFF_BONDING) && - (event_dev->flags & IFF_MASTER)) + if (netif_is_bond_master(event_dev)) return NOTIFY_DONE; switch (event) { From f2348ee837cee8604c0502b6ef9d806ce1cc13ec Mon Sep 17 00:00:00 2001 From: Oleg Nesterov Date: Sat, 9 Sep 2023 19:25:54 +0200 Subject: [PATCH 034/176] getrusage: add the "signal_struct *sig" local variable [ Upstream commit c7ac8231ace9b07306d0299969e42073b189c70a ] No functional changes, cleanup/preparation. Link: https://lkml.kernel.org/r/20230909172554.GA20441@redhat.com Signed-off-by: Oleg Nesterov Cc: Eric W. Biederman Signed-off-by: Andrew Morton Stable-dep-of: daa694e41375 ("getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand()") Signed-off-by: Sasha Levin (cherry picked from commit e904c9a4834888cb2b37607d9571f49964f4603f) Signed-off-by: Vegard Nossum --- kernel/sys.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 6adb0691f63c..fef7942bb938 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1660,6 +1660,7 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) unsigned long flags; u64 tgutime, tgstime, utime, stime; unsigned long maxrss = 0; + struct signal_struct *sig = p->signal; memset((char *)r, 0, sizeof (*r)); utime = stime = 0; @@ -1667,7 +1668,7 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) if (who == RUSAGE_THREAD) { task_cputime_adjusted(current, &utime, &stime); accumulate_thread_rusage(p, r); - maxrss = p->signal->maxrss; + maxrss = sig->maxrss; goto out; } @@ -1677,15 +1678,15 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) switch (who) { case RUSAGE_BOTH: case RUSAGE_CHILDREN: - utime = p->signal->cutime; - stime = p->signal->cstime; - r->ru_nvcsw = p->signal->cnvcsw; - r->ru_nivcsw = p->signal->cnivcsw; - r->ru_minflt = p->signal->cmin_flt; - r->ru_majflt = p->signal->cmaj_flt; - r->ru_inblock = p->signal->cinblock; - r->ru_oublock = p->signal->coublock; - maxrss = p->signal->cmaxrss; + utime = sig->cutime; + stime = sig->cstime; + r->ru_nvcsw = sig->cnvcsw; + r->ru_nivcsw = sig->cnivcsw; + r->ru_minflt = sig->cmin_flt; + r->ru_majflt = sig->cmaj_flt; + r->ru_inblock = sig->cinblock; + r->ru_oublock = sig->coublock; + maxrss = sig->cmaxrss; if (who == RUSAGE_CHILDREN) break; @@ -1694,14 +1695,14 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) thread_group_cputime_adjusted(p, &tgutime, &tgstime); utime += tgutime; stime += tgstime; - r->ru_nvcsw += p->signal->nvcsw; - r->ru_nivcsw += p->signal->nivcsw; - r->ru_minflt += p->signal->min_flt; - r->ru_majflt += p->signal->maj_flt; - r->ru_inblock += p->signal->inblock; - r->ru_oublock += p->signal->oublock; - if (maxrss < p->signal->maxrss) - maxrss = p->signal->maxrss; + r->ru_nvcsw += sig->nvcsw; + r->ru_nivcsw += sig->nivcsw; + r->ru_minflt += sig->min_flt; + r->ru_majflt += sig->maj_flt; + r->ru_inblock += sig->inblock; + r->ru_oublock += sig->oublock; + if (maxrss < sig->maxrss) + maxrss = sig->maxrss; t = p; do { accumulate_thread_rusage(t, r); From c048d8254a03786c76d3e0f7b687c98f951c7957 Mon Sep 17 00:00:00 2001 From: Oleg Nesterov Date: Mon, 22 Jan 2024 16:50:50 +0100 Subject: [PATCH 035/176] getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() [ Upstream commit daa694e4137571b4ebec330f9a9b4d54aa8b8089 ] Patch series "getrusage: use sig->stats_lock", v2. This patch (of 2): thread_group_cputime() does its own locking, we can safely shift thread_group_cputime_adjusted() which does another for_each_thread loop outside of ->siglock protected section. This is also preparation for the next patch which changes getrusage() to use stats_lock instead of siglock, thread_group_cputime() takes the same lock. With the current implementation recursive read_seqbegin_or_lock() is fine, thread_group_cputime() can't enter the slow mode if the caller holds stats_lock, yet this looks more safe and better performance-wise. Link: https://lkml.kernel.org/r/20240122155023.GA26169@redhat.com Link: https://lkml.kernel.org/r/20240122155050.GA26205@redhat.com Signed-off-by: Oleg Nesterov Reported-by: Dylan Hatch Tested-by: Dylan Hatch Cc: Eric W. Biederman Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin (cherry picked from commit 33ec341e3e9588962ff3cf49f642da140d3ecfc0) [Harshit: conflicts resolved due to missing commit: d5e38d6b84d6 ("y2038: rusage: use __kernel_old_timeval") in 4.14.y, also I used ns_to_timeval() instead of ns_to_kernel_old_timeval()] Signed-off-by: Harshit Mogalapalli --- kernel/sys.c | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index fef7942bb938..a81e190735f0 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1659,17 +1659,19 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) struct task_struct *t; unsigned long flags; u64 tgutime, tgstime, utime, stime; - unsigned long maxrss = 0; + unsigned long maxrss; + struct mm_struct *mm; struct signal_struct *sig = p->signal; - memset((char *)r, 0, sizeof (*r)); + memset(r, 0, sizeof(*r)); utime = stime = 0; + maxrss = 0; if (who == RUSAGE_THREAD) { task_cputime_adjusted(current, &utime, &stime); accumulate_thread_rusage(p, r); maxrss = sig->maxrss; - goto out; + goto out_thread; } if (!lock_task_sighand(p, &flags)) @@ -1692,9 +1694,6 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) break; case RUSAGE_SELF: - thread_group_cputime_adjusted(p, &tgutime, &tgstime); - utime += tgutime; - stime += tgstime; r->ru_nvcsw += sig->nvcsw; r->ru_nivcsw += sig->nivcsw; r->ru_minflt += sig->min_flt; @@ -1714,19 +1713,24 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) } unlock_task_sighand(p, &flags); -out: + if (who == RUSAGE_CHILDREN) + goto out_children; + + thread_group_cputime_adjusted(p, &tgutime, &tgstime); + utime += tgutime; + stime += tgstime; + +out_thread: + mm = get_task_mm(p); + if (mm) { + setmax_mm_hiwater_rss(&maxrss, mm); + mmput(mm); + } + +out_children: + r->ru_maxrss = maxrss * (PAGE_SIZE / 1024); /* convert pages to KBs */ r->ru_utime = ns_to_timeval(utime); r->ru_stime = ns_to_timeval(stime); - - if (who != RUSAGE_CHILDREN) { - struct mm_struct *mm = get_task_mm(p); - - if (mm) { - setmax_mm_hiwater_rss(&maxrss, mm); - mmput(mm); - } - } - r->ru_maxrss = maxrss * (PAGE_SIZE / 1024); /* convert pages to KBs */ } SYSCALL_DEFINE2(getrusage, int, who, struct rusage __user *, ru) From 82f1e0dc48d7753fa960bfc2cec672a0aaf69e01 Mon Sep 17 00:00:00 2001 From: Oleg Nesterov Date: Sat, 9 Sep 2023 19:26:29 +0200 Subject: [PATCH 036/176] getrusage: use __for_each_thread() [ Upstream commit 13b7bc60b5353371460a203df6c38ccd38ad7a3a ] do/while_each_thread should be avoided when possible. Plus this change allows to avoid lock_task_sighand(), we can use rcu and/or sig->stats_lock instead. Link: https://lkml.kernel.org/r/20230909172629.GA20454@redhat.com Signed-off-by: Oleg Nesterov Cc: Eric W. Biederman Signed-off-by: Andrew Morton Stable-dep-of: f7ec1cd5cc7e ("getrusage: use sig->stats_lock rather than lock_task_sighand()") Signed-off-by: Sasha Levin (cherry picked from commit e24772adaaf4b81ac0855cceb17080352526f765) Signed-off-by: Vegard Nossum --- kernel/sys.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index a81e190735f0..648b92b1321e 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1702,10 +1702,8 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) r->ru_oublock += sig->oublock; if (maxrss < sig->maxrss) maxrss = sig->maxrss; - t = p; - do { + __for_each_thread(sig, t) accumulate_thread_rusage(t, r); - } while_each_thread(p, t); break; default: From 8d11949c478109b80f65d7b3da4927407e61c10a Mon Sep 17 00:00:00 2001 From: Oleg Nesterov Date: Mon, 22 Jan 2024 16:50:53 +0100 Subject: [PATCH 037/176] getrusage: use sig->stats_lock rather than lock_task_sighand() [ Upstream commit f7ec1cd5cc7ef3ad964b677ba82b8b77f1c93009 ] lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call getrusage() at the same time and the process has NR_THREADS, spin_lock_irq will spin with irqs disabled O(NR_CPUS * NR_THREADS) time. Change getrusage() to use sig->stats_lock, it was specifically designed for this type of use. This way it runs lockless in the likely case. TODO: - Change do_task_stat() to use sig->stats_lock too, then we can remove spin_lock_irq(siglock) in wait_task_zombie(). - Turn sig->stats_lock into seqcount_rwlock_t, this way the readers in the slow mode won't exclude each other. See https://lore.kernel.org/all/20230913154907.GA26210@redhat.com/ - stats_lock has to disable irqs because ->siglock can be taken in irq context, it would be very nice to change __exit_signal() to avoid the siglock->stats_lock dependency. Link: https://lkml.kernel.org/r/20240122155053.GA26214@redhat.com Signed-off-by: Oleg Nesterov Reported-by: Dylan Hatch Tested-by: Dylan Hatch Cc: Eric W. Biederman Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin (cherry picked from commit c96f49d3a741f6693feecdb067c442b609903d03) Signed-off-by: Vegard Nossum --- kernel/sys.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 648b92b1321e..c94b9f74a923 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1662,7 +1662,9 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) unsigned long maxrss; struct mm_struct *mm; struct signal_struct *sig = p->signal; + unsigned int seq = 0; +retry: memset(r, 0, sizeof(*r)); utime = stime = 0; maxrss = 0; @@ -1674,8 +1676,7 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) goto out_thread; } - if (!lock_task_sighand(p, &flags)) - return; + flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq); switch (who) { case RUSAGE_BOTH: @@ -1702,14 +1703,23 @@ void getrusage(struct task_struct *p, int who, struct rusage *r) r->ru_oublock += sig->oublock; if (maxrss < sig->maxrss) maxrss = sig->maxrss; + + rcu_read_lock(); __for_each_thread(sig, t) accumulate_thread_rusage(t, r); + rcu_read_unlock(); + break; default: BUG(); } - unlock_task_sighand(p, &flags); + + if (need_seqretry(&sig->stats_lock, seq)) { + seq = 1; + goto retry; + } + done_seqretry_irqrestore(&sig->stats_lock, seq, flags); if (who == RUSAGE_CHILDREN) goto out_children; From fee13d620a067a56d35582ad3bae29e9fd6dd1f8 Mon Sep 17 00:00:00 2001 From: Christophe Leroy Date: Fri, 18 Sep 2020 21:20:28 -0700 Subject: [PATCH 038/176] selftests/vm: fix display of page size in map_hugetlb [ Upstream commit 1ec882fc81e3177faf055877310dbdb0c68eb7db ] The displayed size is in bytes while the text says it is in kB. Shift it by 10 to really display kBytes. Fixes: fa7b9a805c79 ("tools/selftest/vm: allow choosing mem size and page size in map_hugetlb") Signed-off-by: Christophe Leroy Signed-off-by: Andrew Morton Cc: Link: https://lkml.kernel.org/r/e27481224564a93d14106e750de31189deaa8bc8.1598861977.git.christophe.leroy@csgroup.eu Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin (cherry picked from commit 71317d703c550c819b5465c3a49ce98650089865) Signed-off-by: Vegard Nossum --- tools/testing/selftests/vm/map_hugetlb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/vm/map_hugetlb.c b/tools/testing/selftests/vm/map_hugetlb.c index ab349c6db00d..7b41cc6ecb0b 100644 --- a/tools/testing/selftests/vm/map_hugetlb.c +++ b/tools/testing/selftests/vm/map_hugetlb.c @@ -90,7 +90,7 @@ int main(int argc, char **argv) } if (shift) - printf("%u kB hugepages\n", 1 << shift); + printf("%u kB hugepages\n", 1 << (shift - 10)); else printf("Default size hugepages\n"); printf("Mapping %lu Mbytes\n", (unsigned long)length >> 20); From f19d6a15935beb1be8aee2845912d846e5649981 Mon Sep 17 00:00:00 2001 From: Christophe Leroy Date: Wed, 1 Apr 2020 21:11:51 -0700 Subject: [PATCH 039/176] selftests/vm: fix map_hugetlb length used for testing read and write [ Upstream commit cabc30da10e677c67ab9a136b1478175734715c5 ] Commit fa7b9a805c79 ("tools/selftest/vm: allow choosing mem size and page size in map_hugetlb") added the possibility to change the size of memory mapped for the test, but left the read and write test using the default value. This is unnoticed when mapping a length greater than the default one, but segfaults otherwise. Fix read_bytes() and write_bytes() by giving them the real length. Also fix the call to munmap(). Fixes: fa7b9a805c79 ("tools/selftest/vm: allow choosing mem size and page size in map_hugetlb") Signed-off-by: Christophe Leroy Signed-off-by: Andrew Morton Reviewed-by: Leonardo Bras Cc: Michael Ellerman Cc: Shuah Khan Cc: Link: http://lkml.kernel.org/r/9a404a13c871c4bd0ba9ede68f69a1225180dd7e.1580978385.git.christophe.leroy@c-s.fr Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin (cherry picked from commit af289249ec5c79200c4ec4ec7f4902378956c4d7) Signed-off-by: Vegard Nossum --- tools/testing/selftests/vm/map_hugetlb.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/vm/map_hugetlb.c b/tools/testing/selftests/vm/map_hugetlb.c index 7b41cc6ecb0b..c65c55b7a789 100644 --- a/tools/testing/selftests/vm/map_hugetlb.c +++ b/tools/testing/selftests/vm/map_hugetlb.c @@ -46,20 +46,20 @@ static void check_bytes(char *addr) printf("First hex is %x\n", *((unsigned int *)addr)); } -static void write_bytes(char *addr) +static void write_bytes(char *addr, size_t length) { unsigned long i; - for (i = 0; i < LENGTH; i++) + for (i = 0; i < length; i++) *(addr + i) = (char)i; } -static int read_bytes(char *addr) +static int read_bytes(char *addr, size_t length) { unsigned long i; check_bytes(addr); - for (i = 0; i < LENGTH; i++) + for (i = 0; i < length; i++) if (*(addr + i) != (char)i) { printf("Mismatch at %lu\n", i); return 1; @@ -103,11 +103,11 @@ int main(int argc, char **argv) printf("Returned address is %p\n", addr); check_bytes(addr); - write_bytes(addr); - ret = read_bytes(addr); + write_bytes(addr, length); + ret = read_bytes(addr, length); /* munmap() length of MAP_HUGETLB memory must be hugepage aligned */ - if (munmap(addr, LENGTH)) { + if (munmap(addr, length)) { perror("munmap"); exit(1); } From 9f461ae2ce069e993c27b6e1d7961ef19529327e Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Mon, 15 Apr 2024 09:36:26 +0000 Subject: [PATCH 040/176] LTS: Update to 4.14.342 This corresponds to 4.19.310 upstream (v4.19.309..v4.19.310). Signed-off-by: Vegard Nossum --- .elts/config.yaml | 4 +- .elts/meta/4.14.342.yaml | 143 ++++++++++++++++++++++++++++++++ .elts/upstream/4.19.310.yaml | 152 +++++++++++++++++++++++++++++++++++ Makefile | 2 +- 4 files changed, 298 insertions(+), 3 deletions(-) create mode 100644 .elts/meta/4.14.342.yaml create mode 100644 .elts/upstream/4.19.310.yaml diff --git a/.elts/config.yaml b/.elts/config.yaml index e90aa78c9461..016e524b9214 100644 --- a/.elts/config.yaml +++ b/.elts/config.yaml @@ -1,5 +1,5 @@ upstream_repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git upstream_base: 4.19.304 base: 4.14.336 -upstream_version: 4.19.309 -version: 4.14.341 +upstream_version: 4.19.310 +version: 4.14.342 diff --git a/.elts/meta/4.14.342.yaml b/.elts/meta/4.14.342.yaml new file mode 100644 index 000000000000..447e87ca1926 --- /dev/null +++ b/.elts/meta/4.14.342.yaml @@ -0,0 +1,143 @@ +683e08ff6ef0a279343ba4383c6e01e4a9143050: + title: 'ip: validate header length on virtual device xmit' + mainline: cb9f1b783850b14cbd7f87d061d784a666dfba1f +60e32c8d4c6bb518863249d1c7c7e1fb7c5a9f96: + title: 'net: lan78xx: Allow for VLAN headers in timeout calcs' +b64278fd3d498eeb7a3f9b44cdffd303eaa41ca7: + title: 'net: usb: lan78xx: Disable interrupts before calling generic_handle_irq()' + mainline: 0a29ac5bd3a988dc151c8d26910dec2557421f64 +e2ad089a70e591cf7c886be6f559a0e8503674fc: + title: 'net: usb: lan78xx: Remove lots of set but unused ''ret'' variables' + mainline: 06cd7c46b3ab3f2252c61bf85b191236cf0254e1 + upstream: 7585522bf089bfebb7bbd22fddb5495f16f250c9 +f6cbd3c0c4516263a546a791a9eb985ca5ee04a6: + title: 'lan78xx: Fix white space and style issues' + mainline: 9ceec7d33adf9647293f24d2fd9a055b89c63864 + upstream: 09a8c3e4e79157bd3358bc9f0fab1517ae8ad884 +b70394861f10fc4bb0a53bb4fe54b79f497fdf79: + title: 'lan78xx: Add missing return code checks' + mainline: 3415f6baaddb9b39d7112247ab39ef3c700f882e + upstream: 20ccd52bd3b5e1323e58a1049d7d5285650c6c64 +c2688f303badea10dd8526d734db642898128e7e: + title: 'lan78xx: Fix partial packet errors on suspend/resume' + mainline: e1210fe63bf8b080edd0805240e90b81b6b069c1 + upstream: 242c4cd0d906f6f8708c0214b0c926b109f63168 +cb2fabebb54f6cc12e8d180c40d9ac59076bb666: + title: 'lan78xx: Fix race conditions in suspend/resume handling' + mainline: 5f4cc6e25148cc141f97afb41b4dfe9eb1cce613 + upstream: 513cfa1886cd2a06658410b788236522c2a69583 +30336393906643b4fece662c7c2f1871766222fd: + title: 'net: lan78xx: fix runtime PM count underflow on link stop' + mainline: 1eecc7ab82c42133b748e1895275942a054a7f67 + upstream: 575689f40b415299864bf1826d03e71d3d807c73 +de6f8690a982faf789a071b7683e3b26274faf4e: + title: 'net: move definition of pcpu_lstats to header file' + mainline: 52bb6677d530d37055092d86b4eab69dce6c166a + upstream: 6463ace2a35d22642c90147ebced20ef6145eac6 +46ae53df59e8bb5f52d184011ff4db8582b47874: + title: 'net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb' + mainline: d13f048dd40e8577260cd43faea8ec9b77520197 +3b1e13eb6c7bcbc71e0766dc21ccb55f8d15ab50: + title: 'geneve: make sure to pull inner header in geneve_rx()' + mainline: 1ca1ba465e55b9460e4e75dec9fff31e708fec74 + upstream: e431c3227864b5646601c97f5f898d99472f2914 +08230f3ca93b03add21ae1e8ddf08bd283daab23: + title: 'netfilter: nf_conntrack_h323: Remove typedef struct' +0025d996dd7b719a14f477ad3fa810abdf406585: + title: 'netfilter: nf_ct_h323: Out Of Bound Read in Netfilter Conntrack' +5ee983c52f6ca4fa4f15d9ff3b82634237b49e4f: + title: 'netfilter: nf_ct_h323: Convert CHECK_BOUND macro to function' +74a4c76141e79f28621987d7a5d1233528717105: + title: 'netfilter: nf_ct_h323: Extend nf_h323_error_boundary to work on bits as well' +1c31b4059c9416af2dfb42f087f64edd607eb35f: + title: 'netfilter: nf_conntrack_h323: Add protection for bmp length out of range' + mainline: 767146637efc528b5e3d31297df115e85a2fd362 + upstream: 98db42191329c679f4ca52bec0b319689e1ad8cb +7bab6671e4d56af53eaa19b4e61d349ce3b1cee7: + title: 'netrom: Fix a data-race around sysctl_netrom_default_path_quality' + mainline: 958d6145a6d9ba9e075c921aead8753fb91c9101 + upstream: 7644df766006d4878a556e427e3ecc78c2d5606b +5993b06357724c9656435dcd39ef3f731bb68719: + title: 'netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser' + mainline: cfd9f4a740f772298308b2e6070d2c744fb5cf79 + upstream: e3a3718b1723253d4f068e88e81d880d71f1a1e9 +3babe0b373c89f4557d880edfaee1269e0565619: + title: 'netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser' + mainline: 119cae5ea3f9e35cdada8e572cc067f072fa825a + upstream: acc653e8a3aaab1b7103f98645f2cce7be89e3d3 +75af2f874a607d406075ebee8872267e7610cc9c: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_timeout' + mainline: 60a7a152abd494ed4f69098cf0f322e6bb140612 + upstream: 500936692ccca8617a955652d1929f079b17a201 +6e9e490c1c0f727effa44d696b29b363b9ddf216: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries' + mainline: e799299aafed417cc1f32adccb2a0e5268b3f6d5 + upstream: 84b8486e9cedc93875f251ba31abcf73bd586a3a +9da1d2a1e6687d4009eff99367df4bf7dee17f6c: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay' + mainline: 806f462ba9029d41aadf8ec93f2f99c5305deada + upstream: 6133a71c75dacea12fcc85838b4455c2055b0f14 +943942802104ff9dcb435d85456b08967878b40d: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_busy_delay' + mainline: 43547d8699439a67b78d6bb39015113f7aa360fd + upstream: 7782e5e7047cae6b9255ee727c99fc73d77cf773 +3f661371119e40c7307cff48dfaa28ba19ec6a20: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size' + mainline: a2e706841488f474c06e9b33f71afc947fb3bf56 + upstream: 4f2efa17c3ec5e4be0567b47439b9713c0dc6550 +0a8e233837a214086305549c6cc3c10505960a18: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout' + mainline: f99b494b40431f0ca416859f2345746199398e2b + upstream: 73426c32e259c767d40613b956d5b80d0c28a9a9 +4851e4321fdf86f860623d8541f46916cbd9b8e7: + title: 'netrom: Fix a data-race around sysctl_netrom_routing_control' + mainline: b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76 + upstream: c13fbb5902bce848759385986d4833f5b90782c1 +3c574b4ac9511dee909385868739d64de9abf892: + title: 'netrom: Fix a data-race around sysctl_netrom_link_fails_count' + mainline: bc76645ebdd01be9b9994dac39685a3d0f6f7985 + upstream: 97a4d8b9f67cc7efe9a0c137e12f6d9e40795bf1 +daa941d9ed63191c6d3e13d640ecd55a07d449a3: + title: 'netrom: Fix data-races around sysctl_net_busy_read' + mainline: d380ce70058a4ccddc3e5f5c2063165dc07672c6 + upstream: d623fd5298d95b65d27ef5a618ebf39541074856 +0e37e77f60fe5fe48b7010deb499d284c92003c6: + title: 'tools/selftest/vm: allow choosing mem size and page size in map_hugetlb' + mainline: fa7b9a805c797b729022029aaa3a2b7c35fff4c6 + upstream: becbfcabedfe3ceb9bd6184c172fad00c0a8feb0 +b37d2d9d10c65fabe5b9b53ec84d9388202f4bf2: + title: 'selftests: mm: fix map_hugetlb failure on 64K page size systems' + mainline: 91b80cc5b39f00399e8e2d17527cad2c7fa535e2 + upstream: abdbd5f3e8c504d864fdc032dd5a4eb481cb12bf +fb847632d0d888521c17c0f1109ca827316281a4: + title: 'um: allow not setting extra rpaths in the linux binary' + mainline: 386093c68ba3e8bcfe7f46deba901e0e80713c29 + upstream: 90091bdf5df0195de0d2d8e3e4d43aaaee122d34 +8ddca3d65f8a45b7a4e8d844441b30f990e0b015: + title: 'hv_netvsc: use netif_is_bond_master() instead of open code' + mainline: c60882a4566a0a62dc3a40c85131103aad83dcb3 + upstream: a2577793ff166cc18fe4192a8b1bca2d37253e6a +f2348ee837cee8604c0502b6ef9d806ce1cc13ec: + title: 'getrusage: add the "signal_struct *sig" local variable' + mainline: c7ac8231ace9b07306d0299969e42073b189c70a + upstream: e904c9a4834888cb2b37607d9571f49964f4603f +c048d8254a03786c76d3e0f7b687c98f951c7957: + title: 'getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand()' + mainline: daa694e4137571b4ebec330f9a9b4d54aa8b8089 + upstream: 33ec341e3e9588962ff3cf49f642da140d3ecfc0 +82f1e0dc48d7753fa960bfc2cec672a0aaf69e01: + title: 'getrusage: use __for_each_thread()' + mainline: 13b7bc60b5353371460a203df6c38ccd38ad7a3a + upstream: e24772adaaf4b81ac0855cceb17080352526f765 +8d11949c478109b80f65d7b3da4927407e61c10a: + title: 'getrusage: use sig->stats_lock rather than lock_task_sighand()' + mainline: f7ec1cd5cc7ef3ad964b677ba82b8b77f1c93009 + upstream: c96f49d3a741f6693feecdb067c442b609903d03 +fee13d620a067a56d35582ad3bae29e9fd6dd1f8: + title: 'selftests/vm: fix display of page size in map_hugetlb' + mainline: 1ec882fc81e3177faf055877310dbdb0c68eb7db + upstream: 71317d703c550c819b5465c3a49ce98650089865 +f19d6a15935beb1be8aee2845912d846e5649981: + title: 'selftests/vm: fix map_hugetlb length used for testing read and write' + mainline: cabc30da10e677c67ab9a136b1478175734715c5 + upstream: af289249ec5c79200c4ec4ec7f4902378956c4d7 diff --git a/.elts/upstream/4.19.310.yaml b/.elts/upstream/4.19.310.yaml new file mode 100644 index 000000000000..aa7ef7f60b20 --- /dev/null +++ b/.elts/upstream/4.19.310.yaml @@ -0,0 +1,152 @@ +7585522bf089bfebb7bbd22fddb5495f16f250c9: + title: 'net: usb: lan78xx: Remove lots of set but unused ''ret'' variables' + mainline: 06cd7c46b3ab3f2252c61bf85b191236cf0254e1 + backport: e2ad089a70e591cf7c886be6f559a0e8503674fc +09a8c3e4e79157bd3358bc9f0fab1517ae8ad884: + title: 'lan78xx: Fix white space and style issues' + mainline: 9ceec7d33adf9647293f24d2fd9a055b89c63864 + backport: f6cbd3c0c4516263a546a791a9eb985ca5ee04a6 +20ccd52bd3b5e1323e58a1049d7d5285650c6c64: + title: 'lan78xx: Add missing return code checks' + mainline: 3415f6baaddb9b39d7112247ab39ef3c700f882e + backport: b70394861f10fc4bb0a53bb4fe54b79f497fdf79 +242c4cd0d906f6f8708c0214b0c926b109f63168: + title: 'lan78xx: Fix partial packet errors on suspend/resume' + mainline: e1210fe63bf8b080edd0805240e90b81b6b069c1 + backport: c2688f303badea10dd8526d734db642898128e7e +513cfa1886cd2a06658410b788236522c2a69583: + title: 'lan78xx: Fix race conditions in suspend/resume handling' + mainline: 5f4cc6e25148cc141f97afb41b4dfe9eb1cce613 + backport: cb2fabebb54f6cc12e8d180c40d9ac59076bb666 +575689f40b415299864bf1826d03e71d3d807c73: + title: 'net: lan78xx: fix runtime PM count underflow on link stop' + mainline: 1eecc7ab82c42133b748e1895275942a054a7f67 + backport: 30336393906643b4fece662c7c2f1871766222fd +6463ace2a35d22642c90147ebced20ef6145eac6: + title: 'net: move definition of pcpu_lstats to header file' + mainline: 52bb6677d530d37055092d86b4eab69dce6c166a + backport: de6f8690a982faf789a071b7683e3b26274faf4e +e431c3227864b5646601c97f5f898d99472f2914: + title: 'geneve: make sure to pull inner header in geneve_rx()' + mainline: 1ca1ba465e55b9460e4e75dec9fff31e708fec74 + backport: 3b1e13eb6c7bcbc71e0766dc21ccb55f8d15ab50 +31ea5bcc7d4cd1423de6be327a2c034725704136: + title: 'net/ipv6: avoid possible UAF in ip6_route_mpath_notify()' + mainline: 685f7d531264599b3f167f1e94bbd22f120e5fab + skipped: commit 93531c6743157d7e8c5792f8ed1a5 is not present; backport is too risky +786854141057751bc08eb26f1b02e97c1631c8f4: + title: 'net/rds: fix WARNING in rds_conn_connect_if_down' + mainline: c055fc00c07be1f0df7375ab0036cebd1106ed38 + skipped: backport is too risky +98db42191329c679f4ca52bec0b319689e1ad8cb: + title: 'netfilter: nf_conntrack_h323: Add protection for bmp length out of range' + mainline: 767146637efc528b5e3d31297df115e85a2fd362 + backport: 1c31b4059c9416af2dfb42f087f64edd607eb35f +7644df766006d4878a556e427e3ecc78c2d5606b: + title: 'netrom: Fix a data-race around sysctl_netrom_default_path_quality' + mainline: 958d6145a6d9ba9e075c921aead8753fb91c9101 + backport: 7bab6671e4d56af53eaa19b4e61d349ce3b1cee7 +e3a3718b1723253d4f068e88e81d880d71f1a1e9: + title: 'netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser' + mainline: cfd9f4a740f772298308b2e6070d2c744fb5cf79 + backport: 5993b06357724c9656435dcd39ef3f731bb68719 +acc653e8a3aaab1b7103f98645f2cce7be89e3d3: + title: 'netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser' + mainline: 119cae5ea3f9e35cdada8e572cc067f072fa825a + backport: 3babe0b373c89f4557d880edfaee1269e0565619 +500936692ccca8617a955652d1929f079b17a201: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_timeout' + mainline: 60a7a152abd494ed4f69098cf0f322e6bb140612 + backport: 75af2f874a607d406075ebee8872267e7610cc9c +84b8486e9cedc93875f251ba31abcf73bd586a3a: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries' + mainline: e799299aafed417cc1f32adccb2a0e5268b3f6d5 + backport: 6e9e490c1c0f727effa44d696b29b363b9ddf216 +6133a71c75dacea12fcc85838b4455c2055b0f14: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay' + mainline: 806f462ba9029d41aadf8ec93f2f99c5305deada + backport: 9da1d2a1e6687d4009eff99367df4bf7dee17f6c +7782e5e7047cae6b9255ee727c99fc73d77cf773: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_busy_delay' + mainline: 43547d8699439a67b78d6bb39015113f7aa360fd + backport: 943942802104ff9dcb435d85456b08967878b40d +4f2efa17c3ec5e4be0567b47439b9713c0dc6550: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size' + mainline: a2e706841488f474c06e9b33f71afc947fb3bf56 + backport: 3f661371119e40c7307cff48dfaa28ba19ec6a20 +73426c32e259c767d40613b956d5b80d0c28a9a9: + title: 'netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout' + mainline: f99b494b40431f0ca416859f2345746199398e2b + backport: 0a8e233837a214086305549c6cc3c10505960a18 +c13fbb5902bce848759385986d4833f5b90782c1: + title: 'netrom: Fix a data-race around sysctl_netrom_routing_control' + mainline: b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76 + backport: 4851e4321fdf86f860623d8541f46916cbd9b8e7 +97a4d8b9f67cc7efe9a0c137e12f6d9e40795bf1: + title: 'netrom: Fix a data-race around sysctl_netrom_link_fails_count' + mainline: bc76645ebdd01be9b9994dac39685a3d0f6f7985 + backport: 3c574b4ac9511dee909385868739d64de9abf892 +d623fd5298d95b65d27ef5a618ebf39541074856: + title: 'netrom: Fix data-races around sysctl_net_busy_read' + mainline: d380ce70058a4ccddc3e5f5c2063165dc07672c6 + backport: daa941d9ed63191c6d3e13d640ecd55a07d449a3 +40011850de6d613e982c84c854018aeca2c6bb19: + title: 'btrfs: ref-verify: free ref cache before clearing mount opt' + mainline: f03e274a8b29d1d1c1bbd7f764766cb5ca537ab7 + skipped: fixes patch not in branch +becbfcabedfe3ceb9bd6184c172fad00c0a8feb0: + title: 'tools/selftest/vm: allow choosing mem size and page size in map_hugetlb' + mainline: fa7b9a805c797b729022029aaa3a2b7c35fff4c6 + backport: 0e37e77f60fe5fe48b7010deb499d284c92003c6 +abdbd5f3e8c504d864fdc032dd5a4eb481cb12bf: + title: 'selftests: mm: fix map_hugetlb failure on 64K page size systems' + mainline: 91b80cc5b39f00399e8e2d17527cad2c7fa535e2 + backport: b37d2d9d10c65fabe5b9b53ec84d9388202f4bf2 +90091bdf5df0195de0d2d8e3e4d43aaaee122d34: + title: 'um: allow not setting extra rpaths in the linux binary' + mainline: 386093c68ba3e8bcfe7f46deba901e0e80713c29 + backport: fb847632d0d888521c17c0f1109ca827316281a4 +39807e3985ffa2714e46362fdded274a2d768578: + title: 'Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU' + mainline: a60e6c3918d20848906ffcdfcf72ca6a8cfbcf2e + skipped: commit 32863a2d5db62c4fa401ced61388d680421002d6 is not present (unsupported hardware) +61acc4c4a3c33905b124dc4af206df92c1426500: + title: 'hv_netvsc: Make netvsc/VF binding check both MAC and serial number' + mainline: 64ff412ad41fe3a5bf759ff4844dc1382176485c + skipped: commit 00d7ddba1143623b31bc2c15d18216e2da031b14 is not present +a2577793ff166cc18fe4192a8b1bca2d37253e6a: + title: 'hv_netvsc: use netif_is_bond_master() instead of open code' + mainline: c60882a4566a0a62dc3a40c85131103aad83dcb3 + backport: 8ddca3d65f8a45b7a4e8d844441b30f990e0b015 +bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d: + title: 'hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed' + mainline: 9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2 + skipped: fixes patch not in branch +d5e38d6b84d6d21a4f8a4f555a0908b6d9ffe224: + title: 'y2038: rusage: use __kernel_old_timeval' + mainline: bdd565f817a74b9e30edec108f7cb1dbc762b8a6 + skipped: 4.14 does not have struct __kernel_old_timeval and backporting would be too risky +e904c9a4834888cb2b37607d9571f49964f4603f: + title: 'getrusage: add the "signal_struct *sig" local variable' + mainline: c7ac8231ace9b07306d0299969e42073b189c70a + backport: f2348ee837cee8604c0502b6ef9d806ce1cc13ec +33ec341e3e9588962ff3cf49f642da140d3ecfc0: + title: 'getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand()' + mainline: daa694e4137571b4ebec330f9a9b4d54aa8b8089 + backport: c048d8254a03786c76d3e0f7b687c98f951c7957 +e24772adaaf4b81ac0855cceb17080352526f765: + title: 'getrusage: use __for_each_thread()' + mainline: 13b7bc60b5353371460a203df6c38ccd38ad7a3a + backport: 82f1e0dc48d7753fa960bfc2cec672a0aaf69e01 +c96f49d3a741f6693feecdb067c442b609903d03: + title: 'getrusage: use sig->stats_lock rather than lock_task_sighand()' + mainline: f7ec1cd5cc7ef3ad964b677ba82b8b77f1c93009 + backport: 8d11949c478109b80f65d7b3da4927407e61c10a +71317d703c550c819b5465c3a49ce98650089865: + title: 'selftests/vm: fix display of page size in map_hugetlb' + mainline: 1ec882fc81e3177faf055877310dbdb0c68eb7db + backport: fee13d620a067a56d35582ad3bae29e9fd6dd1f8 +af289249ec5c79200c4ec4ec7f4902378956c4d7: + title: 'selftests/vm: fix map_hugetlb length used for testing read and write' + mainline: cabc30da10e677c67ab9a136b1478175734715c5 + backport: f19d6a15935beb1be8aee2845912d846e5649981 diff --git a/Makefile b/Makefile index 0a53d6d980f7..750ef287bebb 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 341 +SUBLEVEL = 342 EXTRAVERSION = -openela NAME = Petit Gorille From 3300a318344fb9cee9d92161549c7cfef5ac1413 Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Thu, 22 Oct 2020 11:49:05 +0200 Subject: [PATCH 041/176] xen/events: only register debug interrupt for 2-level events [ Upstream commit d04b1ae5a9b0c868dda8b4b34175ef08f3cb9e93 ] xen_debug_interrupt() is specific to 2-level event handling. So don't register it with fifo event handling being active. Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Link: https://lore.kernel.org/r/20201022094907.28560-4-jgross@suse.com Signed-off-by: Boris Ostrovsky Stable-dep-of: 69143f60868b ("x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()") Signed-off-by: Sasha Levin (cherry picked from commit 475a13f3d41e422370420882ccf9dbb3f960d33c) Signed-off-by: Harshit Mogalapalli --- arch/x86/xen/smp.c | 19 +++++++++++-------- arch/x86/xen/xen-ops.h | 2 ++ drivers/xen/events/events_base.c | 10 ++++++---- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c index 77c959cf81e7..bcf2305213c6 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c @@ -88,14 +88,17 @@ int xen_smp_intr_init(unsigned int cpu) per_cpu(xen_callfunc_irq, cpu).irq = rc; per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; - debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); - rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, xen_debug_interrupt, - IRQF_PERCPU | IRQF_NOBALANCING, - debug_name, NULL); - if (rc < 0) - goto fail; - per_cpu(xen_debug_irq, cpu).irq = rc; - per_cpu(xen_debug_irq, cpu).name = debug_name; + if (!xen_fifo_events) { + debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); + rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, + xen_debug_interrupt, + IRQF_PERCPU | IRQF_NOBALANCING, + debug_name, NULL); + if (rc < 0) + goto fail; + per_cpu(xen_debug_irq, cpu).irq = rc; + per_cpu(xen_debug_irq, cpu).name = debug_name; + } callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu); rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR, diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h index 75011b80660f..852f649ba504 100644 --- a/arch/x86/xen/xen-ops.h +++ b/arch/x86/xen/xen-ops.h @@ -30,6 +30,8 @@ extern struct start_info *xen_start_info; extern struct shared_info xen_dummy_shared_info; extern struct shared_info *HYPERVISOR_shared_info; +extern bool xen_fifo_events; + void xen_setup_mfn_list_list(void); void xen_setup_shared_info(void); void xen_build_mfn_list_list(void); diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index de6d3029f589..074a4eededc4 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -2110,8 +2110,8 @@ void xen_callback_vector(void) void xen_callback_vector(void) {} #endif -static bool fifo_events = true; -module_param(fifo_events, bool, 0); +bool xen_fifo_events = true; +module_param_named(fifo_events, xen_fifo_events, bool, 0); static int xen_evtchn_cpu_prepare(unsigned int cpu) { @@ -2140,10 +2140,12 @@ void __init xen_init_IRQ(void) int ret = -EINVAL; unsigned int evtchn; - if (fifo_events) + if (xen_fifo_events) ret = xen_evtchn_fifo_init(); - if (ret < 0) + if (ret < 0) { xen_evtchn_2l_init(); + xen_fifo_events = false; + } xen_cpu_init_eoi(smp_processor_id()); From 5ee8a0e79d4147dd41e7e4e420d91e2f16eb4bb6 Mon Sep 17 00:00:00 2001 From: Xiu Jianfeng Date: Wed, 23 Nov 2022 23:58:57 +0800 Subject: [PATCH 042/176] x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() [ Upstream commit 69143f60868b3939ddc89289b29db593b647295e ] These local variables @{resched|pmu|callfunc...}_name saves the new string allocated by kasprintf(), and when bind_{v}ipi_to_irqhandler() fails, it goes to the @fail tag, and calls xen_smp_intr_free{_pv}() to free resource, however the new string is not saved, which cause a memory leak issue. fix it. Fixes: 9702785a747a ("i386: move xen") Signed-off-by: Xiu Jianfeng Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20221123155858.11382-2-xiujianfeng@huawei.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin (cherry picked from commit 9209d2cbf5845b8bf8e722015d86f65a9d2bc76a) Signed-off-by: Harshit Mogalapalli --- arch/x86/xen/smp.c | 24 ++++++++++++------------ arch/x86/xen/smp_pv.c | 12 ++++++------ 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c index bcf2305213c6..3c5d44241577 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c @@ -32,30 +32,30 @@ static irqreturn_t xen_reschedule_interrupt(int irq, void *dev_id) void xen_smp_intr_free(unsigned int cpu) { + kfree(per_cpu(xen_resched_irq, cpu).name); + per_cpu(xen_resched_irq, cpu).name = NULL; if (per_cpu(xen_resched_irq, cpu).irq >= 0) { unbind_from_irqhandler(per_cpu(xen_resched_irq, cpu).irq, NULL); per_cpu(xen_resched_irq, cpu).irq = -1; - kfree(per_cpu(xen_resched_irq, cpu).name); - per_cpu(xen_resched_irq, cpu).name = NULL; } + kfree(per_cpu(xen_callfunc_irq, cpu).name); + per_cpu(xen_callfunc_irq, cpu).name = NULL; if (per_cpu(xen_callfunc_irq, cpu).irq >= 0) { unbind_from_irqhandler(per_cpu(xen_callfunc_irq, cpu).irq, NULL); per_cpu(xen_callfunc_irq, cpu).irq = -1; - kfree(per_cpu(xen_callfunc_irq, cpu).name); - per_cpu(xen_callfunc_irq, cpu).name = NULL; } + kfree(per_cpu(xen_debug_irq, cpu).name); + per_cpu(xen_debug_irq, cpu).name = NULL; if (per_cpu(xen_debug_irq, cpu).irq >= 0) { unbind_from_irqhandler(per_cpu(xen_debug_irq, cpu).irq, NULL); per_cpu(xen_debug_irq, cpu).irq = -1; - kfree(per_cpu(xen_debug_irq, cpu).name); - per_cpu(xen_debug_irq, cpu).name = NULL; } + kfree(per_cpu(xen_callfuncsingle_irq, cpu).name); + per_cpu(xen_callfuncsingle_irq, cpu).name = NULL; if (per_cpu(xen_callfuncsingle_irq, cpu).irq >= 0) { unbind_from_irqhandler(per_cpu(xen_callfuncsingle_irq, cpu).irq, NULL); per_cpu(xen_callfuncsingle_irq, cpu).irq = -1; - kfree(per_cpu(xen_callfuncsingle_irq, cpu).name); - per_cpu(xen_callfuncsingle_irq, cpu).name = NULL; } } @@ -65,6 +65,7 @@ int xen_smp_intr_init(unsigned int cpu) char *resched_name, *callfunc_name, *debug_name; resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu); + per_cpu(xen_resched_irq, cpu).name = resched_name; rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR, cpu, xen_reschedule_interrupt, @@ -74,9 +75,9 @@ int xen_smp_intr_init(unsigned int cpu) if (rc < 0) goto fail; per_cpu(xen_resched_irq, cpu).irq = rc; - per_cpu(xen_resched_irq, cpu).name = resched_name; callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu); + per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR, cpu, xen_call_function_interrupt, @@ -86,10 +87,10 @@ int xen_smp_intr_init(unsigned int cpu) if (rc < 0) goto fail; per_cpu(xen_callfunc_irq, cpu).irq = rc; - per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; if (!xen_fifo_events) { debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); + per_cpu(xen_debug_irq, cpu).name = debug_name; rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, xen_debug_interrupt, IRQF_PERCPU | IRQF_NOBALANCING, @@ -97,10 +98,10 @@ int xen_smp_intr_init(unsigned int cpu) if (rc < 0) goto fail; per_cpu(xen_debug_irq, cpu).irq = rc; - per_cpu(xen_debug_irq, cpu).name = debug_name; } callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu); + per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name; rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR, cpu, xen_call_function_single_interrupt, @@ -110,7 +111,6 @@ int xen_smp_intr_init(unsigned int cpu) if (rc < 0) goto fail; per_cpu(xen_callfuncsingle_irq, cpu).irq = rc; - per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name; return 0; diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c index 691831813bba..3be524b69581 100644 --- a/arch/x86/xen/smp_pv.c +++ b/arch/x86/xen/smp_pv.c @@ -96,18 +96,18 @@ asmlinkage __visible void cpu_bringup_and_idle(void) void xen_smp_intr_free_pv(unsigned int cpu) { + kfree(per_cpu(xen_irq_work, cpu).name); + per_cpu(xen_irq_work, cpu).name = NULL; if (per_cpu(xen_irq_work, cpu).irq >= 0) { unbind_from_irqhandler(per_cpu(xen_irq_work, cpu).irq, NULL); per_cpu(xen_irq_work, cpu).irq = -1; - kfree(per_cpu(xen_irq_work, cpu).name); - per_cpu(xen_irq_work, cpu).name = NULL; } + kfree(per_cpu(xen_pmu_irq, cpu).name); + per_cpu(xen_pmu_irq, cpu).name = NULL; if (per_cpu(xen_pmu_irq, cpu).irq >= 0) { unbind_from_irqhandler(per_cpu(xen_pmu_irq, cpu).irq, NULL); per_cpu(xen_pmu_irq, cpu).irq = -1; - kfree(per_cpu(xen_pmu_irq, cpu).name); - per_cpu(xen_pmu_irq, cpu).name = NULL; } } @@ -117,6 +117,7 @@ int xen_smp_intr_init_pv(unsigned int cpu) char *callfunc_name, *pmu_name; callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu); + per_cpu(xen_irq_work, cpu).name = callfunc_name; rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR, cpu, xen_irq_work_interrupt, @@ -126,10 +127,10 @@ int xen_smp_intr_init_pv(unsigned int cpu) if (rc < 0) goto fail; per_cpu(xen_irq_work, cpu).irq = rc; - per_cpu(xen_irq_work, cpu).name = callfunc_name; if (is_xen_pmu) { pmu_name = kasprintf(GFP_KERNEL, "pmu%d", cpu); + per_cpu(xen_pmu_irq, cpu).name = pmu_name; rc = bind_virq_to_irqhandler(VIRQ_XENPMU, cpu, xen_pmu_irq_handler, IRQF_PERCPU|IRQF_NOBALANCING, @@ -137,7 +138,6 @@ int xen_smp_intr_init_pv(unsigned int cpu) if (rc < 0) goto fail; per_cpu(xen_pmu_irq, cpu).irq = rc; - per_cpu(xen_pmu_irq, cpu).name = pmu_name; } return 0; From f2645f10d789c047bcaf11a573ed337bad4f0707 Mon Sep 17 00:00:00 2001 From: Kunwu Chan Date: Fri, 19 Jan 2024 17:49:48 +0800 Subject: [PATCH 043/176] x86/xen: Add some null pointer checking to smp.c [ Upstream commit 3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2 ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. Signed-off-by: Kunwu Chan Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202401161119.iof6BQsf-lkp@intel.com/ Suggested-by: Markus Elfring Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20240119094948.275390-1-chentao@kylinos.cn Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin (cherry picked from commit 70a33a629090130d731fc1e1ad498bb672eea165) Signed-off-by: Harshit Mogalapalli --- arch/x86/xen/smp.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c index 3c5d44241577..615bc8800a09 100644 --- a/arch/x86/xen/smp.c +++ b/arch/x86/xen/smp.c @@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu) char *resched_name, *callfunc_name, *debug_name; resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu); + if (!resched_name) + goto fail_mem; per_cpu(xen_resched_irq, cpu).name = resched_name; rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR, cpu, @@ -77,6 +79,8 @@ int xen_smp_intr_init(unsigned int cpu) per_cpu(xen_resched_irq, cpu).irq = rc; callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu); + if (!callfunc_name) + goto fail_mem; per_cpu(xen_callfunc_irq, cpu).name = callfunc_name; rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR, cpu, @@ -90,6 +94,9 @@ int xen_smp_intr_init(unsigned int cpu) if (!xen_fifo_events) { debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu); + if (!debug_name) + goto fail_mem; + per_cpu(xen_debug_irq, cpu).name = debug_name; rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu, xen_debug_interrupt, @@ -101,6 +108,9 @@ int xen_smp_intr_init(unsigned int cpu) } callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu); + if (!callfunc_name) + goto fail_mem; + per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name; rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR, cpu, @@ -114,6 +124,8 @@ int xen_smp_intr_init(unsigned int cpu) return 0; + fail_mem: + rc = -ENOMEM; fail: xen_smp_intr_free(cpu); return rc; From 96405638c5c2567f6c27cfd84ada8a5a5311b231 Mon Sep 17 00:00:00 2001 From: Jiaxun Yang Date: Fri, 2 Feb 2024 12:30:27 +0000 Subject: [PATCH 044/176] MIPS: Clear Cause.BD in instruction_pointer_set [ Upstream commit 9d6e21ddf20293b3880ae55b9d14de91c5891c59 ] Clear Cause.BD after we use instruction_pointer_set to override EPC. This can prevent exception_epc check against instruction code at new return address. It won't be considered as "in delay slot" after epc being overridden anyway. Signed-off-by: Jiaxun Yang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin (cherry picked from commit b0b3373993a5b445eeb410d7c74a87710aad9d6e) Signed-off-by: Harshit Mogalapalli --- arch/mips/include/asm/ptrace.h | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h index b6578611dddb..e45c082e1231 100644 --- a/arch/mips/include/asm/ptrace.h +++ b/arch/mips/include/asm/ptrace.h @@ -65,6 +65,7 @@ static inline void instruction_pointer_set(struct pt_regs *regs, unsigned long val) { regs->cp0_epc = val; + regs->cp0_cause &= ~CAUSEF_BD; } /* Query offset/name of register from its name/offset */ From 3ded98fc3b9716997438f60daf0452b7c3e6d360 Mon Sep 17 00:00:00 2001 From: Alexander Gordeev Date: Wed, 14 Feb 2024 17:32:40 +0100 Subject: [PATCH 045/176] net/iucv: fix the allocation size of iucv_path_table array [ Upstream commit b4ea9b6a18ebf7f9f3a7a60f82e925186978cfcf ] iucv_path_table is a dynamically allocated array of pointers to struct iucv_path items. Yet, its size is calculated as if it was an array of struct iucv_path items. Signed-off-by: Alexander Gordeev Reviewed-by: Alexandra Winter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 13f5b64a584b5554f81e7e493dcbafaddd06557d) Signed-off-by: Harshit Mogalapalli --- net/iucv/iucv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c index 255a716fa395..7d670ec17a7e 100644 --- a/net/iucv/iucv.c +++ b/net/iucv/iucv.c @@ -192,7 +192,7 @@ static char iucv_error_pathid[16] = "INVALID PATHID"; static LIST_HEAD(iucv_handler_list); /* - * iucv_path_table: an array of iucv_path structures. + * iucv_path_table: array of pointers to iucv_path structures. */ static struct iucv_path **iucv_path_table; static unsigned long iucv_max_pathid; @@ -603,7 +603,7 @@ static int iucv_enable(void) get_online_cpus(); rc = -ENOMEM; - alloc_size = iucv_max_pathid * sizeof(struct iucv_path); + alloc_size = iucv_max_pathid * sizeof(*iucv_path_table); iucv_path_table = kzalloc(alloc_size, GFP_KERNEL); if (!iucv_path_table) goto out; From e9f9eb0c2d8c5c96fc354cf8ede84f4ba6f38d19 Mon Sep 17 00:00:00 2001 From: Greg Joyce Date: Fri, 16 Feb 2024 15:04:17 -0600 Subject: [PATCH 046/176] block: sed-opal: handle empty atoms when parsing response [ Upstream commit 5429c8de56f6b2bd8f537df3a1e04e67b9c04282 ] The SED Opal response parsing function response_parse() does not handle the case of an empty atom in the response. This causes the entry count to be too high and the response fails to be parsed. Recognizing, but ignoring, empty atoms allows response handling to succeed. Signed-off-by: Greg Joyce Link: https://lore.kernel.org/r/20240216210417.3526064-2-gjoyce@linux.ibm.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin (cherry picked from commit 72da7347f460b2ecc5e934bcbef312e0fa5ebf2b) Signed-off-by: Harshit Mogalapalli --- block/opal_proto.h | 1 + block/sed-opal.c | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/block/opal_proto.h b/block/opal_proto.h index e20be8258854..2456b8adc457 100644 --- a/block/opal_proto.h +++ b/block/opal_proto.h @@ -73,6 +73,7 @@ enum opal_response_token { #define SHORT_ATOM_BYTE 0xBF #define MEDIUM_ATOM_BYTE 0xDF #define LONG_ATOM_BYTE 0xE3 +#define EMPTY_ATOM_BYTE 0xFF #define OPAL_INVAL_PARAM 12 #define OPAL_MANUFACTURED_INACTIVE 0x08 diff --git a/block/sed-opal.c b/block/sed-opal.c index ae902077cd9d..ec81a70f70e0 100644 --- a/block/sed-opal.c +++ b/block/sed-opal.c @@ -847,16 +847,20 @@ static int response_parse(const u8 *buf, size_t length, token_length = response_parse_medium(iter, pos); else if (pos[0] <= LONG_ATOM_BYTE) /* long atom */ token_length = response_parse_long(iter, pos); + else if (pos[0] == EMPTY_ATOM_BYTE) /* empty atom */ + token_length = 1; else /* TOKEN */ token_length = response_parse_token(iter, pos); if (token_length < 0) return token_length; + if (pos[0] != EMPTY_ATOM_BYTE) + num_entries++; + pos += token_length; total -= token_length; iter++; - num_entries++; } if (num_entries == 0) { From e6d8df74f2692f4e83306e293a8c503112d32aa8 Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Tue, 20 Feb 2024 19:11:51 +0100 Subject: [PATCH 047/176] dm-verity, dm-crypt: align "struct bvec_iter" correctly [ Upstream commit 787f1b2800464aa277236a66eb3c279535edd460 ] "struct bvec_iter" is defined with the __packed attribute, so it is aligned on a single byte. On X86 (and on other architectures that support unaligned addresses in hardware), "struct bvec_iter" is accessed using the 8-byte and 4-byte memory instructions, however these instructions are less efficient if they operate on unaligned addresses. (on RISC machines that don't have unaligned access in hardware, GCC generates byte-by-byte accesses that are very inefficient - see [1]) This commit reorders the entries in "struct dm_verity_io" and "struct convert_context", so that "struct bvec_iter" is aligned on 8 bytes. [1] https://lore.kernel.org/all/ZcLuWUNRZadJr0tQ@fedora/T/ Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin (cherry picked from commit 8338d971f919256b312f28a9a320f552a499dc8e) Signed-off-by: Harshit Mogalapalli --- drivers/md/dm-crypt.c | 4 ++-- drivers/md/dm-verity.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index 966fb898f4b8..35602b5b8667 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -46,11 +46,11 @@ struct convert_context { struct completion restart; struct bio *bio_in; - struct bio *bio_out; struct bvec_iter iter_in; + struct bio *bio_out; struct bvec_iter iter_out; - u64 cc_sector; atomic_t cc_pending; + u64 cc_sector; union { struct skcipher_request *req; struct aead_request *req_aead; diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h index 5509d69fd29f..82466acec04a 100644 --- a/drivers/md/dm-verity.h +++ b/drivers/md/dm-verity.h @@ -71,11 +71,11 @@ struct dm_verity_io { /* original value of bio->bi_end_io */ bio_end_io_t *orig_bi_end_io; + struct bvec_iter iter; + sector_t block; unsigned n_blocks; - struct bvec_iter iter; - struct work_struct work; /* From 70928e45cbbe230a8fde12a6bb7bbbfb77139e7f Mon Sep 17 00:00:00 2001 From: Ranjan Kumar Date: Wed, 21 Feb 2024 12:47:24 +0530 Subject: [PATCH 048/176] scsi: mpt3sas: Prevent sending diag_reset when the controller is ready [ Upstream commit ee0017c3ed8a8abfa4d40e42f908fb38c31e7515 ] If the driver detects that the controller is not ready before sending the first IOC facts command, it will wait for a maximum of 10 seconds for it to become ready. However, even if the controller becomes ready within 10 seconds, the driver will still issue a diagnostic reset. Modify the driver to avoid sending a diag reset if the controller becomes ready within the 10-second wait time. Signed-off-by: Ranjan Kumar Link: https://lore.kernel.org/r/20240221071724.14986-1-ranjan.kumar@broadcom.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 6cc96148d26afbf1e3b8167ee68dc9eec387804d) Signed-off-by: Harshit Mogalapalli --- drivers/scsi/mpt3sas/mpt3sas_base.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 9e400def0d04..fc21ae077b92 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -4392,7 +4392,9 @@ _base_wait_for_iocstate(struct MPT3SAS_ADAPTER *ioc, int timeout) return -EFAULT; } - issue_diag_reset: + return 0; + +issue_diag_reset: rc = _base_diag_reset(ioc); return rc; } From b79150eddce93e7bf87f005c9c996abd90d4655e Mon Sep 17 00:00:00 2001 From: Yuxuan Hu <20373622@buaa.edu.cn> Date: Wed, 3 Jan 2024 17:10:43 +0800 Subject: [PATCH 049/176] Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security [ Upstream commit 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 ] During our fuzz testing of the connection and disconnection process at the RFCOMM layer, we discovered this bug. By comparing the packets from a normal connection and disconnection process with the testcase that triggered a KASAN report. We analyzed the cause of this bug as follows: 1. In the packets captured during a normal connection, the host sends a `Read Encryption Key Size` type of `HCI_CMD` packet (Command Opcode: 0x1408) to the controller to inquire the length of encryption key.After receiving this packet, the controller immediately replies with a Command Completepacket (Event Code: 0x0e) to return the Encryption Key Size. 2. In our fuzz test case, the timing of the controller's response to this packet was delayed to an unexpected point: after the RFCOMM and L2CAP layers had disconnected but before the HCI layer had disconnected. 3. After receiving the Encryption Key Size Response at the time described in point 2, the host still called the rfcomm_check_security function. However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;` had already been released, and when the function executed `return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`, specifically when accessing `conn->hcon`, a null-ptr-deref error occurred. To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling rfcomm_recv_frame in rfcomm_process_rx. Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn> Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin (cherry picked from commit 369f419c097e82407dd429a202cde9a73d3ae29b) Signed-off-by: Harshit Mogalapalli --- net/bluetooth/rfcomm/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c index 3d1287d02fdd..2927e7d18acf 100644 --- a/net/bluetooth/rfcomm/core.c +++ b/net/bluetooth/rfcomm/core.c @@ -1939,7 +1939,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s) /* Get data directly from socket receive queue without copying it. */ while ((skb = skb_dequeue(&sk->sk_receive_queue))) { skb_orphan(skb); - if (!skb_linearize(skb)) { + if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) { s = rfcomm_recv_frame(s, skb); if (!s) break; From 51ec1ed43d0b4ab1228eb55189fa939ad579c4c2 Mon Sep 17 00:00:00 2001 From: Takashi Sakamoto Date: Thu, 29 Feb 2024 22:17:37 +0900 Subject: [PATCH 050/176] firewire: core: use long bus reset on gap count error [ Upstream commit d0b06dc48fb15902d7da09c5c0861e7f042a9381 ] When resetting the bus after a gap count error, use a long rather than short bus reset. IEEE 1394-1995 uses only long bus resets. IEEE 1394a adds the option of short bus resets. When video or audio transmission is in progress and a device is hot-plugged elsewhere on the bus, the resulting bus reset can cause video frame drops or audio dropouts. Short bus resets reduce or eliminate this problem. Accordingly, short bus resets are almost always preferred. However, on a mixed 1394/1394a bus, a short bus reset can trigger an immediate additional bus reset. This double bus reset can be interpreted differently by different nodes on the bus, resulting in an inconsistent gap count after the bus reset. An inconsistent gap count will cause another bus reset, leading to a neverending bus reset loop. This only happens for some bus topologies, not for all mixed 1394/1394a buses. By instead sending a long bus reset after a gap count inconsistency, we avoid the doubled bus reset, restoring the bus to normal operation. Signed-off-by: Adam Goldman Link: https://sourceforge.net/p/linux1394/mailman/message/58741624/ Signed-off-by: Takashi Sakamoto Signed-off-by: Sasha Levin (cherry picked from commit b89198d02d0149f22149675766c47883de923106) Signed-off-by: Harshit Mogalapalli --- drivers/firewire/core-card.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c index 0e6f96c0e395..6c464c75ac9d 100644 --- a/drivers/firewire/core-card.c +++ b/drivers/firewire/core-card.c @@ -513,7 +513,19 @@ static void bm_work(struct work_struct *work) fw_notice(card, "phy config: new root=%x, gap_count=%d\n", new_root_id, gap_count); fw_send_phy_config(card, new_root_id, generation, gap_count); - reset_bus(card, true); + /* + * Where possible, use a short bus reset to minimize + * disruption to isochronous transfers. But in the event + * of a gap count inconsistency, use a long bus reset. + * + * As noted in 1394a 8.4.6.2, nodes on a mixed 1394/1394a bus + * may set different gap counts after a bus reset. On a mixed + * 1394/1394a bus, a short bus reset can get doubled. Some + * nodes may treat the double reset as one bus reset and others + * may treat it as two, causing a gap count inconsistency + * again. Using a long bus reset prevents this. + */ + reset_bus(card, card->gap_count != 0); /* Will allocate broadcast channel after the reset. */ goto out; } From 243004088d2707ad353b4ee4dd6b96f76daca68d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Tue, 5 Mar 2024 11:10:42 +0100 Subject: [PATCH 051/176] Input: gpio_keys_polled - suppress deferred probe error for gpio MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 963465a33141d0d52338e77f80fe543d2c9dc053 ] On a PC Engines APU our admins are faced with: $ dmesg | grep -c "gpio-keys-polled gpio-keys-polled: unable to claim gpio 0, err=-517" 261 Such a message always appears when e.g. a new USB device is plugged in. Suppress this message which considerably clutters the kernel log for EPROBE_DEFER (i.e. -517). Signed-off-by: Uwe Kleine-König Reviewed-by: Linus Walleij Link: https://lore.kernel.org/r/20240305101042.10953-2-u.kleine-koenig@pengutronix.de Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin (cherry picked from commit a215f042a7f57346fd5430e84f81f822e84975b5) Signed-off-by: Harshit Mogalapalli --- drivers/input/keyboard/gpio_keys_polled.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/input/keyboard/gpio_keys_polled.c b/drivers/input/keyboard/gpio_keys_polled.c index edc7262103b9..96e47b240149 100644 --- a/drivers/input/keyboard/gpio_keys_polled.c +++ b/drivers/input/keyboard/gpio_keys_polled.c @@ -328,12 +328,10 @@ static int gpio_keys_polled_probe(struct platform_device *pdev) error = devm_gpio_request_one(dev, button->gpio, flags, button->desc ? : DRV_NAME); - if (error) { - dev_err(dev, - "unable to claim gpio %u, err=%d\n", - button->gpio, error); - return error; - } + if (error) + return dev_err_probe(dev, error, + "unable to claim gpio %u\n", + button->gpio); bdata->gpiod = gpio_to_desc(button->gpio); if (!bdata->gpiod) { From 6895f6831861ceceb98e7b6604ec9050a37c8173 Mon Sep 17 00:00:00 2001 From: Stuart Henderson Date: Wed, 6 Mar 2024 16:14:35 +0000 Subject: [PATCH 052/176] ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC [ Upstream commit 03c7874106ca5032a312626b927b1c35f07b1f35 ] Signed-off-by: Stuart Henderson Link: https://msgid.link/r/20240306161439.1385643-1-stuarth@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit c2a85fd64160fcf4185669d4db299fbb2df76986) [Harshit: Use snd_soc_update_bits(codec, ...) instead of component versioni due to missing commit: f4ee271709f0 ("ASoC: wm8962: replace codec to component") in 4.14.y] Signed-off-by: Harshit Mogalapalli --- sound/soc/codecs/wm8962.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c index d46881f96c16..f8d71f6ca8af 100644 --- a/sound/soc/codecs/wm8962.c +++ b/sound/soc/codecs/wm8962.c @@ -2847,8 +2847,12 @@ static int wm8962_set_fll(struct snd_soc_codec *codec, int fll_id, int source, switch (fll_id) { case WM8962_FLL_MCLK: case WM8962_FLL_BCLK: + fll1 |= (fll_id - 1) << WM8962_FLL_REFCLK_SRC_SHIFT; + break; case WM8962_FLL_OSC: fll1 |= (fll_id - 1) << WM8962_FLL_REFCLK_SRC_SHIFT; + snd_soc_update_bits(codec, WM8962_PLL2, + WM8962_OSC_ENA, WM8962_OSC_ENA); break; case WM8962_FLL_INT: snd_soc_update_bits(codec, WM8962_FLL_CONTROL_1, From 2a2f4e8dfe12971fd6b78ec6e05179151bea4a88 Mon Sep 17 00:00:00 2001 From: Stuart Henderson Date: Wed, 6 Mar 2024 16:14:36 +0000 Subject: [PATCH 053/176] ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode [ Upstream commit 6fa849e4d78b880e878138bf238e4fd2bac3c4fa ] Signed-off-by: Stuart Henderson Link: https://msgid.link/r/20240306161439.1385643-2-stuarth@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 2f87e22ea1b42b89435bf98a768eb8227797d819) Signed-off-by: Harshit Mogalapalli --- sound/soc/codecs/wm8962.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c index f8d71f6ca8af..b554f714e586 100644 --- a/sound/soc/codecs/wm8962.c +++ b/sound/soc/codecs/wm8962.c @@ -2177,6 +2177,9 @@ SND_SOC_DAPM_PGA_E("HPOUT", SND_SOC_NOPM, 0, 0, NULL, 0, hp_event, SND_SOC_DAPM_OUTPUT("HPOUTL"), SND_SOC_DAPM_OUTPUT("HPOUTR"), + +SND_SOC_DAPM_PGA("SPKOUTL Output", WM8962_CLASS_D_CONTROL_1, 6, 0, NULL, 0), +SND_SOC_DAPM_PGA("SPKOUTR Output", WM8962_CLASS_D_CONTROL_1, 7, 0, NULL, 0), }; static const struct snd_soc_dapm_widget wm8962_dapm_spk_mono_widgets[] = { @@ -2184,7 +2187,6 @@ SND_SOC_DAPM_MIXER("Speaker Mixer", WM8962_MIXER_ENABLES, 1, 0, spkmixl, ARRAY_SIZE(spkmixl)), SND_SOC_DAPM_MUX_E("Speaker PGA", WM8962_PWR_MGMT_2, 4, 0, &spkoutl_mux, out_pga_event, SND_SOC_DAPM_POST_PMU), -SND_SOC_DAPM_PGA("Speaker Output", WM8962_CLASS_D_CONTROL_1, 7, 0, NULL, 0), SND_SOC_DAPM_OUTPUT("SPKOUT"), }; @@ -2199,9 +2201,6 @@ SND_SOC_DAPM_MUX_E("SPKOUTL PGA", WM8962_PWR_MGMT_2, 4, 0, &spkoutl_mux, SND_SOC_DAPM_MUX_E("SPKOUTR PGA", WM8962_PWR_MGMT_2, 3, 0, &spkoutr_mux, out_pga_event, SND_SOC_DAPM_POST_PMU), -SND_SOC_DAPM_PGA("SPKOUTR Output", WM8962_CLASS_D_CONTROL_1, 7, 0, NULL, 0), -SND_SOC_DAPM_PGA("SPKOUTL Output", WM8962_CLASS_D_CONTROL_1, 6, 0, NULL, 0), - SND_SOC_DAPM_OUTPUT("SPKOUTL"), SND_SOC_DAPM_OUTPUT("SPKOUTR"), }; @@ -2311,12 +2310,18 @@ static const struct snd_soc_dapm_route wm8962_spk_mono_intercon[] = { { "Speaker PGA", "Mixer", "Speaker Mixer" }, { "Speaker PGA", "DAC", "DACL" }, - { "Speaker Output", NULL, "Speaker PGA" }, - { "Speaker Output", NULL, "SYSCLK" }, - { "Speaker Output", NULL, "TOCLK" }, - { "Speaker Output", NULL, "TEMP_SPK" }, + { "SPKOUTL Output", NULL, "Speaker PGA" }, + { "SPKOUTL Output", NULL, "SYSCLK" }, + { "SPKOUTL Output", NULL, "TOCLK" }, + { "SPKOUTL Output", NULL, "TEMP_SPK" }, - { "SPKOUT", NULL, "Speaker Output" }, + { "SPKOUTR Output", NULL, "Speaker PGA" }, + { "SPKOUTR Output", NULL, "SYSCLK" }, + { "SPKOUTR Output", NULL, "TOCLK" }, + { "SPKOUTR Output", NULL, "TEMP_SPK" }, + + { "SPKOUT", NULL, "SPKOUTL Output" }, + { "SPKOUT", NULL, "SPKOUTR Output" }, }; static const struct snd_soc_dapm_route wm8962_spk_stereo_intercon[] = { From cacf64e0af45cb788a70941441fc6423149b1d9f Mon Sep 17 00:00:00 2001 From: Stuart Henderson Date: Wed, 6 Mar 2024 16:14:39 +0000 Subject: [PATCH 054/176] ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll [ Upstream commit 96e202f8c52ac49452f83317cf3b34cd1ad81e18 ] Use source instead of ret, which seems to be unrelated and will always be zero. Signed-off-by: Stuart Henderson Link: https://msgid.link/r/20240306161439.1385643-5-stuarth@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit d619f175ff50582c05858cb96d05391f77c7c7aa) [Harshit: Fix minor conflict due to missing commit: f4ee271709f0 ("ASoC: wm8962: replace codec to component") in 4.14.y] Signed-off-by: Harshit Mogalapalli --- sound/soc/codecs/wm8962.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c index b554f714e586..db076f3b5133 100644 --- a/sound/soc/codecs/wm8962.c +++ b/sound/soc/codecs/wm8962.c @@ -2866,7 +2866,7 @@ static int wm8962_set_fll(struct snd_soc_codec *codec, int fll_id, int source, WM8962_FLL_FRC_NCO, WM8962_FLL_FRC_NCO); break; default: - dev_err(codec->dev, "Unknown FLL source %d\n", ret); + dev_err(codec->dev, "Unknown FLL source %d\n", source); return -EINVAL; } From ed2edd721e156046bb4dc4587f06af360f875581 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Thu, 10 Jan 2019 12:18:00 -0800 Subject: [PATCH 055/176] crypto: af_alg - make some functions static [ Upstream commit 466e0759269d31485074126700574230bfff3b1c ] Some exported functions in af_alg.c aren't used outside of that file. Therefore, un-export them and make them 'static'. Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Stable-dep-of: f3c802a1f300 ("crypto: algif_aead - Only wake up when ctx->more is zero") Signed-off-by: Sasha Levin (cherry picked from commit 0ca02d4beebb7b47ea0cbdceac891465cbb966c6) Signed-off-by: Harshit Mogalapalli --- crypto/af_alg.c | 20 +++++++------------- include/crypto/if_alg.h | 7 ------- 2 files changed, 7 insertions(+), 20 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 24de37ac9d27..90e9892ae0e3 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -430,12 +430,12 @@ int af_alg_make_sg(struct af_alg_sgl *sgl, struct iov_iter *iter, int len) } EXPORT_SYMBOL_GPL(af_alg_make_sg); -void af_alg_link_sg(struct af_alg_sgl *sgl_prev, struct af_alg_sgl *sgl_new) +static void af_alg_link_sg(struct af_alg_sgl *sgl_prev, + struct af_alg_sgl *sgl_new) { sg_unmark_end(sgl_prev->sg + sgl_prev->npages - 1); sg_chain(sgl_prev->sg, sgl_prev->npages + 1, sgl_new->sg); } -EXPORT_SYMBOL_GPL(af_alg_link_sg); void af_alg_free_sg(struct af_alg_sgl *sgl) { @@ -446,7 +446,7 @@ void af_alg_free_sg(struct af_alg_sgl *sgl) } EXPORT_SYMBOL_GPL(af_alg_free_sg); -int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con) +static int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con) { struct cmsghdr *cmsg; @@ -485,7 +485,6 @@ int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con) return 0; } -EXPORT_SYMBOL_GPL(af_alg_cmsg_send); int af_alg_wait_for_completion(int err, struct af_alg_completion *completion) { @@ -520,7 +519,7 @@ EXPORT_SYMBOL_GPL(af_alg_complete); * @sk socket of connection to user space * @return: 0 upon success, < 0 upon error */ -int af_alg_alloc_tsgl(struct sock *sk) +static int af_alg_alloc_tsgl(struct sock *sk) { struct alg_sock *ask = alg_sk(sk); struct af_alg_ctx *ctx = ask->private; @@ -549,7 +548,6 @@ int af_alg_alloc_tsgl(struct sock *sk) return 0; } -EXPORT_SYMBOL_GPL(af_alg_alloc_tsgl); /** * aead_count_tsgl - Count number of TX SG entries @@ -686,7 +684,7 @@ EXPORT_SYMBOL_GPL(af_alg_pull_tsgl); * * @areq Request holding the TX and RX SGL */ -void af_alg_free_areq_sgls(struct af_alg_async_req *areq) +static void af_alg_free_areq_sgls(struct af_alg_async_req *areq) { struct sock *sk = areq->sk; struct alg_sock *ask = alg_sk(sk); @@ -715,7 +713,6 @@ void af_alg_free_areq_sgls(struct af_alg_async_req *areq) sock_kfree_s(sk, tsgl, areq->tsgl_entries * sizeof(*tsgl)); } } -EXPORT_SYMBOL_GPL(af_alg_free_areq_sgls); /** * af_alg_wait_for_wmem - wait for availability of writable memory @@ -724,7 +721,7 @@ EXPORT_SYMBOL_GPL(af_alg_free_areq_sgls); * @flags If MSG_DONTWAIT is set, then only report if function would sleep * @return 0 when writable memory is available, < 0 upon error */ -int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags) +static int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags) { DEFINE_WAIT_FUNC(wait, woken_wake_function); int err = -ERESTARTSYS; @@ -749,7 +746,6 @@ int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags) return err; } -EXPORT_SYMBOL_GPL(af_alg_wait_for_wmem); /** * af_alg_wmem_wakeup - wakeup caller when writable memory is available @@ -818,8 +814,7 @@ EXPORT_SYMBOL_GPL(af_alg_wait_for_data); * * @sk socket of connection to user space */ - -void af_alg_data_wakeup(struct sock *sk) +static void af_alg_data_wakeup(struct sock *sk) { struct alg_sock *ask = alg_sk(sk); struct af_alg_ctx *ctx = ask->private; @@ -837,7 +832,6 @@ void af_alg_data_wakeup(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); rcu_read_unlock(); } -EXPORT_SYMBOL_GPL(af_alg_data_wakeup); /** * af_alg_sendmsg - implementation of sendmsg system call handler diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f803dc8c45ad..8afead143af6 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -177,9 +177,6 @@ int af_alg_accept(struct sock *sk, struct socket *newsock, bool kern); int af_alg_make_sg(struct af_alg_sgl *sgl, struct iov_iter *iter, int len); void af_alg_free_sg(struct af_alg_sgl *sgl); -void af_alg_link_sg(struct af_alg_sgl *sgl_prev, struct af_alg_sgl *sgl_new); - -int af_alg_cmsg_send(struct msghdr *msg, struct af_alg_control *con); int af_alg_wait_for_completion(int err, struct af_alg_completion *completion); void af_alg_complete(struct crypto_async_request *req, int err); @@ -246,15 +243,11 @@ static inline bool af_alg_readable(struct sock *sk) return PAGE_SIZE <= af_alg_rcvbuf(sk); } -int af_alg_alloc_tsgl(struct sock *sk); unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset); void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, size_t dst_offset); -void af_alg_free_areq_sgls(struct af_alg_async_req *areq); -int af_alg_wait_for_wmem(struct sock *sk, unsigned int flags); void af_alg_wmem_wakeup(struct sock *sk); int af_alg_wait_for_data(struct sock *sk, unsigned flags); -void af_alg_data_wakeup(struct sock *sk); int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unsigned int ivsize); ssize_t af_alg_sendpage(struct socket *sock, struct page *page, From f63a7bf2dcf7e05021785b64b184795f6b6a6ccd Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Sat, 30 May 2020 00:23:49 +1000 Subject: [PATCH 056/176] crypto: algif_aead - Only wake up when ctx->more is zero [ Upstream commit f3c802a1f30013f8f723b62d7fa49eb9e991da23 ] AEAD does not support partial requests so we must not wake up while ctx->more is set. In order to distinguish between the case of no data sent yet and a zero-length request, a new init flag has been added to ctx. SKCIPHER has also been modified to ensure that at least a block of data is available if there is more data to come. Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of...") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin (cherry picked from commit de564b59755dfb080ef237dd4fbd02cb0c3e58a1) Signed-off-by: Harshit Mogalapalli --- crypto/af_alg.c | 11 ++++++++--- crypto/algif_aead.c | 4 ++-- crypto/algif_skcipher.c | 4 ++-- include/crypto/if_alg.h | 4 +++- 4 files changed, 15 insertions(+), 8 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 90e9892ae0e3..3ebf20c5f30b 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -676,6 +676,7 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, if (!ctx->used) ctx->merge = 0; + ctx->init = ctx->more; } EXPORT_SYMBOL_GPL(af_alg_pull_tsgl); @@ -775,9 +776,10 @@ EXPORT_SYMBOL_GPL(af_alg_wmem_wakeup); * * @sk socket of connection to user space * @flags If MSG_DONTWAIT is set, then only report if function would sleep + * @min Set to minimum request size if partial requests are allowed. * @return 0 when writable memory is available, < 0 upon error */ -int af_alg_wait_for_data(struct sock *sk, unsigned flags) +int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min) { DEFINE_WAIT_FUNC(wait, woken_wake_function); struct alg_sock *ask = alg_sk(sk); @@ -795,7 +797,9 @@ int af_alg_wait_for_data(struct sock *sk, unsigned flags) if (signal_pending(current)) break; timeout = MAX_SCHEDULE_TIMEOUT; - if (sk_wait_event(sk, &timeout, (ctx->used || !ctx->more), + if (sk_wait_event(sk, &timeout, + ctx->init && (!ctx->more || + (min && ctx->used >= min)), &wait)) { err = 0; break; @@ -884,7 +888,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); - if (!ctx->more && ctx->used) { + if (ctx->init && (init || !ctx->more)) { err = -EINVAL; goto unlock; } @@ -895,6 +899,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, memcpy(ctx->iv, con.iv->iv, ivsize); ctx->aead_assoclen = con.aead_assoclen; + ctx->init = true; } while (size) { diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index d2638a2289cd..eea987f5a429 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -111,8 +111,8 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, size_t usedpages = 0; /* [in] RX bufs to be used from user */ size_t processed = 0; /* [in] TX bufs to be consumed */ - if (!ctx->used) { - err = af_alg_wait_for_data(sk, flags); + if (!ctx->init || ctx->more) { + err = af_alg_wait_for_data(sk, flags, 0); if (err) return err; } diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index a9dc4eeddcd5..8ce6f8cee0d0 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -72,8 +72,8 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, int err = 0; size_t len = 0; - if (!ctx->used) { - err = af_alg_wait_for_data(sk, flags); + if (!ctx->init || (ctx->more && ctx->used < bs)) { + err = af_alg_wait_for_data(sk, flags, bs); if (err) return err; } diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 8afead143af6..e752e4828a5a 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -145,6 +145,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. */ @@ -162,6 +163,7 @@ struct af_alg_ctx { bool more; bool merge; bool enc; + bool init; unsigned int len; @@ -247,7 +249,7 @@ unsigned int af_alg_count_tsgl(struct sock *sk, size_t bytes, size_t offset); void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst, size_t dst_offset); void af_alg_wmem_wakeup(struct sock *sk); -int af_alg_wait_for_data(struct sock *sk, unsigned flags); +int af_alg_wait_for_data(struct sock *sk, unsigned flags, unsigned min); int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unsigned int ivsize); ssize_t af_alg_sendpage(struct socket *sock, struct page *page, From ce3317e4a96642984d3e7fbaf33a086176052bf8 Mon Sep 17 00:00:00 2001 From: Nikita Zhandarovich Date: Fri, 19 Jan 2024 07:39:06 -0800 Subject: [PATCH 057/176] do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak [ Upstream commit 3948abaa4e2be938ccdfc289385a27342fb13d43 ] syzbot identified a kernel information leak vulnerability in do_sys_name_to_handle() and issued the following report [1]. [1] "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] do_sys_name_to_handle fs/fhandle.c:73 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] do_sys_name_to_handle fs/fhandle.c:39 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Bytes 18-19 of 20 are uninitialized Memory access of size 20 starts at ffff888128a46380 Data copied to user address 0000000020000240" Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to solve the problem. Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support") Suggested-by: Chuck Lever III Reported-and-tested-by: Signed-off-by: Nikita Zhandarovich Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@fintech.ru Reviewed-by: Jan Kara Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit 4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1) Signed-off-by: Harshit Mogalapalli --- fs/fhandle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fhandle.c b/fs/fhandle.c index 474adc8d2a3a..3f6149998782 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c @@ -37,7 +37,7 @@ static long do_sys_name_to_handle(struct path *path, if (f_handle.handle_bytes > MAX_HANDLE_SZ) return -EINVAL; - handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes, + handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes, GFP_KERNEL); if (!handle) return -ENOMEM; From 70137872f87a2e47239cf7ea0d9b295f173f6c27 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Fri, 16 Feb 2024 21:23:34 +0100 Subject: [PATCH 058/176] fs/select: rework stack allocation hack for clang [ Upstream commit ddb9fd7a544088ed70eccbb9f85e9cc9952131c1 ] A while ago, we changed the way that select() and poll() preallocate a temporary buffer just under the size of the static warning limit of 1024 bytes, as clang was frequently going slightly above that limit. The warnings have recently returned and I took another look. As it turns out, clang is not actually inherently worse at reserving stack space, it just happens to inline do_select() into core_sys_select(), while gcc never inlines it. Annotate do_select() to never be inlined and in turn remove the special case for the allocation size. This should give the same behavior for both clang and gcc all the time and once more avoids those warnings. Fixes: ad312f95d41c ("fs/select: avoid clang stack usage warning") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240216202352.2492798-1-arnd@kernel.org Reviewed-by: Kees Cook Reviewed-by: Andi Kleen Reviewed-by: Jan Kara Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit b86af4d77a5a2487020794845c1a2e948699630c) Signed-off-by: Harshit Mogalapalli --- fs/select.c | 2 +- include/linux/poll.h | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/fs/select.c b/fs/select.c index b752dabb3131..6d6367012bc9 100644 --- a/fs/select.c +++ b/fs/select.c @@ -449,7 +449,7 @@ static inline void wait_key_set(poll_table *wait, unsigned long in, wait->_key |= POLLOUT_SET; } -static int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) +static noinline_for_stack int do_select(int n, fd_set_bits *fds, struct timespec64 *end_time) { ktime_t expire, *to = NULL; struct poll_wqueues table; diff --git a/include/linux/poll.h b/include/linux/poll.h index c7acd7c09747..d384f12abdd5 100644 --- a/include/linux/poll.h +++ b/include/linux/poll.h @@ -15,11 +15,7 @@ extern struct ctl_table epoll_table[]; /* for sysctl */ /* ~832 bytes of stack space used max in sys_select/sys_poll before allocating additional memory. */ -#ifdef __clang__ -#define MAX_STACK_ALLOC 768 -#else #define MAX_STACK_ALLOC 832 -#endif #define FRONTEND_STACK_ALLOC 256 #define SELECT_STACK_ALLOC FRONTEND_STACK_ALLOC #define POLL_STACK_ALLOC FRONTEND_STACK_ALLOC From 644ef6ff144cf72b7c0170ade4a8a449f01d9e63 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Wed, 8 Jul 2020 14:25:41 +0200 Subject: [PATCH 059/176] md: switch to ->check_events for media change notifications [ Upstream commit a564e23f0f99759f453dbefcb9160dec6d99df96 ] md is the last driver using the legacy media_changed method. Switch it over to (not so) new ->clear_events approach, which also removes the need for the ->revalidate_disk method. Signed-off-by: Christoph Hellwig [axboe: remove unused 'bdops' variable in disk_clear_events()] Signed-off-by: Jens Axboe Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") Signed-off-by: Sasha Levin (cherry picked from commit dc51c01a3d5a796e18520a186f56e13f8e70749f) Signed-off-by: Harshit Mogalapalli --- Documentation/filesystems/Locking | 4 +--- block/genhd.c | 8 +------- drivers/md/md.c | 19 ++++++++----------- include/linux/blkdev.h | 2 -- 4 files changed, 10 insertions(+), 23 deletions(-) diff --git a/Documentation/filesystems/Locking b/Documentation/filesystems/Locking index 75d2d57e2c44..a39e9311d5ae 100644 --- a/Documentation/filesystems/Locking +++ b/Documentation/filesystems/Locking @@ -405,7 +405,6 @@ prototypes: int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long); int (*direct_access) (struct block_device *, sector_t, void **, unsigned long *); - int (*media_changed) (struct gendisk *); void (*unlock_native_capacity) (struct gendisk *); int (*revalidate_disk) (struct gendisk *); int (*getgeo)(struct block_device *, struct hd_geometry *); @@ -418,13 +417,12 @@ release: yes ioctl: no compat_ioctl: no direct_access: no -media_changed: no unlock_native_capacity: no revalidate_disk: no getgeo: no swap_slot_free_notify: no (see below) -media_changed, unlock_native_capacity and revalidate_disk are called only from +unlock_native_capacity and revalidate_disk are called only from check_disk_change(). swap_slot_free_notify is called with swap_lock and sometimes the page lock diff --git a/block/genhd.c b/block/genhd.c index 3958ae39daeb..3cc6c58a9821 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -1688,18 +1688,12 @@ void disk_flush_events(struct gendisk *disk, unsigned int mask) */ unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask) { - const struct block_device_operations *bdops = disk->fops; struct disk_events *ev = disk->ev; unsigned int pending; unsigned int clearing = mask; - if (!ev) { - /* for drivers still using the old ->media_changed method */ - if ((mask & DISK_EVENT_MEDIA_CHANGE) && - bdops->media_changed && bdops->media_changed(disk)) - return DISK_EVENT_MEDIA_CHANGE; + if (!ev) return 0; - } disk_block_events(disk); diff --git a/drivers/md/md.c b/drivers/md/md.c index 07da8d7569b5..25112c207f4b 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5429,6 +5429,7 @@ static int md_alloc(dev_t dev, char *name) * remove it now. */ disk->flags |= GENHD_FL_EXT_DEVT; + disk->events |= DISK_EVENT_MEDIA_CHANGE; mddev->gendisk = disk; add_disk(disk); @@ -7535,20 +7536,17 @@ static void md_release(struct gendisk *disk, fmode_t mode) mddev_put(mddev); } -static int md_media_changed(struct gendisk *disk) -{ - struct mddev *mddev = disk->private_data; - - return mddev->changed; -} - -static int md_revalidate(struct gendisk *disk) +static unsigned int md_check_events(struct gendisk *disk, unsigned int clearing) { struct mddev *mddev = disk->private_data; + unsigned int ret = 0; + if (mddev->changed) + ret = DISK_EVENT_MEDIA_CHANGE; mddev->changed = 0; - return 0; + return ret; } + static const struct block_device_operations md_fops = { .owner = THIS_MODULE, @@ -7559,8 +7557,7 @@ static const struct block_device_operations md_fops = .compat_ioctl = md_compat_ioctl, #endif .getgeo = md_getgeo, - .media_changed = md_media_changed, - .revalidate_disk= md_revalidate, + .check_events = md_check_events, }; static int md_thread(void *arg) diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index afbe2fcc476a..c724c43976d2 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -1985,8 +1985,6 @@ struct block_device_operations { int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long); unsigned int (*check_events) (struct gendisk *disk, unsigned int clearing); - /* ->media_changed() is DEPRECATED, use ->check_events() instead */ - int (*media_changed) (struct gendisk *); void (*unlock_native_capacity) (struct gendisk *); int (*revalidate_disk) (struct gendisk *); int (*getgeo)(struct block_device *, struct hd_geometry *); From 5621bcf7c79c834e98f01dfea929a7bbf7d600ab Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Tue, 3 Nov 2020 11:00:11 +0100 Subject: [PATCH 060/176] block: add a new set_read_only method [ Upstream commit e00adcadf3af7a8335026d71ab9f0e0a922191ac ] Add a new method to allow for driver-specific processing when setting or clearing the block device read-only state. This allows to replace the cumbersome and error-prone override of the whole ioctl implementation. Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") Signed-off-by: Sasha Levin (cherry picked from commit f28658bc8a7faa03578dc2588b5b3b56b09575a6) Signed-off-by: Harshit Mogalapalli --- block/ioctl.c | 5 +++++ include/linux/blkdev.h | 1 + 2 files changed, 6 insertions(+) diff --git a/block/ioctl.c b/block/ioctl.c index 0de02ee67eed..463b63c6f282 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -444,6 +444,11 @@ static int blkdev_roset(struct block_device *bdev, fmode_t mode, return -EACCES; if (get_user(n, (int __user *)arg)) return -EFAULT; + if (bdev->bd_disk->fops->set_read_only) { + ret = bdev->bd_disk->fops->set_read_only(bdev, n); + if (ret) + return ret; + } set_device_ro(bdev, n); return 0; } diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index c724c43976d2..1416634a6c5c 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -1988,6 +1988,7 @@ struct block_device_operations { void (*unlock_native_capacity) (struct gendisk *); int (*revalidate_disk) (struct gendisk *); int (*getgeo)(struct block_device *, struct hd_geometry *); + int (*set_read_only)(struct block_device *bdev, bool ro); /* this callback is with swap_lock and sometimes page table lock held */ void (*swap_slot_free_notify) (struct block_device *, unsigned long); struct module *owner; From 1d018bd5617e06f3c7bd6df7cacaf79a35cd4da3 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig Date: Tue, 3 Nov 2020 11:00:13 +0100 Subject: [PATCH 061/176] md: implement ->set_read_only to hook into BLKROSET processing [ Upstream commit 118cf084adb3964d06e1667cf7d702e56e5cd2c5 ] Implement the ->set_read_only method instead of parsing the actual ioctl command. Signed-off-by: Christoph Hellwig Acked-by: Song Liu Signed-off-by: Jens Axboe Stable-dep-of: 9674f54e41ff ("md: Don't clear MD_CLOSING when the raid is about to stop") Signed-off-by: Sasha Levin (cherry picked from commit bde70d747f81f7f014b7c63d6a7b2dd6c8356f43) Signed-off-by: Harshit Mogalapalli --- drivers/md/md.c | 62 ++++++++++++++++++++++++------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/drivers/md/md.c b/drivers/md/md.c index 25112c207f4b..d37cb273d755 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -7142,7 +7142,6 @@ static inline bool md_ioctl_valid(unsigned int cmd) { switch (cmd) { case ADD_NEW_DISK: - case BLKROSET: case GET_ARRAY_INFO: case GET_BITMAP_FILE: case GET_DISK_INFO: @@ -7170,7 +7169,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, int err = 0; void __user *argp = (void __user *)arg; struct mddev *mddev = NULL; - int ro; bool did_set_md_closing = false; if (!md_ioctl_valid(cmd)) @@ -7361,35 +7359,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, goto unlock; } break; - - case BLKROSET: - if (get_user(ro, (int __user *)(arg))) { - err = -EFAULT; - goto unlock; - } - err = -EINVAL; - - /* if the bdev is going readonly the value of mddev->ro - * does not matter, no writes are coming - */ - if (ro) - goto unlock; - - /* are we are already prepared for writes? */ - if (mddev->ro != 1) - goto unlock; - - /* transitioning to readauto need only happen for - * arrays that call md_write_start - */ - if (mddev->pers) { - err = restart_array(mddev); - if (err == 0) { - mddev->ro = 2; - set_disk_ro(mddev->gendisk, 0); - } - } - goto unlock; } /* @@ -7483,6 +7452,36 @@ static int md_compat_ioctl(struct block_device *bdev, fmode_t mode, } #endif /* CONFIG_COMPAT */ +static int md_set_read_only(struct block_device *bdev, bool ro) +{ + struct mddev *mddev = bdev->bd_disk->private_data; + int err; + + err = mddev_lock(mddev); + if (err) + return err; + + if (!mddev->raid_disks && !mddev->external) { + err = -ENODEV; + goto out_unlock; + } + + /* + * Transitioning to read-auto need only happen for arrays that call + * md_write_start and which are not ready for writes yet. + */ + if (!ro && mddev->ro == 1 && mddev->pers) { + err = restart_array(mddev); + if (err) + goto out_unlock; + mddev->ro = 2; + } + +out_unlock: + mddev_unlock(mddev); + return err; +} + static int md_open(struct block_device *bdev, fmode_t mode) { /* @@ -7558,6 +7557,7 @@ static const struct block_device_operations md_fops = #endif .getgeo = md_getgeo, .check_events = md_check_events, + .set_read_only = md_set_read_only, }; static int md_thread(void *arg) From fe9ee4210de1a9816e6e99a791894f87a62c2fb3 Mon Sep 17 00:00:00 2001 From: Li Nan Date: Mon, 26 Feb 2024 11:14:40 +0800 Subject: [PATCH 062/176] md: Don't clear MD_CLOSING when the raid is about to stop [ Upstream commit 9674f54e41fffaf06f6a60202e1fa4cc13de3cf5 ] The raid should not be opened anymore when it is about to be stopped. However, other processes can open it again if the flag MD_CLOSING is cleared before exiting. From now on, this flag will not be cleared when the raid will be stopped. Fixes: 065e519e71b2 ("md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop") Signed-off-by: Li Nan Reviewed-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20240226031444.3606764-6-linan666@huaweicloud.com Signed-off-by: Sasha Levin (cherry picked from commit 8eea2ea62b459cebffd20d5d5121becbec838291) Signed-off-by: Harshit Mogalapalli --- drivers/md/md.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/md/md.c b/drivers/md/md.c index d37cb273d755..122730037770 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5857,7 +5857,15 @@ static void md_clean(struct mddev *mddev) mddev->persistent = 0; mddev->level = LEVEL_NONE; mddev->clevel[0] = 0; - mddev->flags = 0; + /* + * Don't clear MD_CLOSING, or mddev can be opened again. + * 'hold_active != 0' means mddev is still in the creation + * process and will be used later. + */ + if (mddev->hold_active) + mddev->flags = 0; + else + mddev->flags &= BIT_ULL_MASK(MD_CLOSING); mddev->sb_flags = 0; mddev->ro = 0; mddev->metadata_type[0] = 0; @@ -7169,7 +7177,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, int err = 0; void __user *argp = (void __user *)arg; struct mddev *mddev = NULL; - bool did_set_md_closing = false; if (!md_ioctl_valid(cmd)) return -ENOTTY; @@ -7264,7 +7271,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode, err = -EBUSY; goto out; } - did_set_md_closing = true; mutex_unlock(&mddev->open_mutex); sync_blockdev(bdev); } @@ -7428,7 +7434,7 @@ unlock: mddev->hold_active = 0; mddev_unlock(mddev); out: - if(did_set_md_closing) + if (cmd == STOP_ARRAY_RO || (err && cmd == STOP_ARRAY)) clear_bit(MD_CLOSING, &mddev->flags); return err; } From 67f0ca2ac39c5b06d90c7bbb3f4dbd01a96fd1fa Mon Sep 17 00:00:00 2001 From: Chun-Yi Lee Date: Tue, 5 Mar 2024 16:20:48 +0800 Subject: [PATCH 063/176] aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts [ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ] This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. Which means that the dev_put(ifp) should NOT be called in the success path of skb initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into use-after-free because the net_device is freed. This patch removed the dev_put(ifp) in the success path in aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx(). Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)") Signed-off-by: Chun-Yi Lee Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin (cherry picked from commit ad80c34944d7175fa1f5c7a55066020002921a99) Signed-off-by: Harshit Mogalapalli --- drivers/block/aoe/aoecmd.c | 12 ++++++------ drivers/block/aoe/aoenet.c | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c index dc43254e05a4..681c9e31c5c5 100644 --- a/drivers/block/aoe/aoecmd.c +++ b/drivers/block/aoe/aoecmd.c @@ -421,13 +421,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu rcu_read_lock(); for_each_netdev_rcu(&init_net, ifp) { dev_hold(ifp); - if (!is_aoe_netif(ifp)) - goto cont; + if (!is_aoe_netif(ifp)) { + dev_put(ifp); + continue; + } skb = new_skb(sizeof *h + sizeof *ch); if (skb == NULL) { printk(KERN_INFO "aoe: skb alloc failure\n"); - goto cont; + dev_put(ifp); + continue; } skb_put(skb, sizeof *h + sizeof *ch); skb->dev = ifp; @@ -442,9 +445,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu h->major = cpu_to_be16(aoemajor); h->minor = aoeminor; h->cmd = AOECMD_CFG; - -cont: - dev_put(ifp); } rcu_read_unlock(); } diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c index 63773a90581d..1e66c7a188a1 100644 --- a/drivers/block/aoe/aoenet.c +++ b/drivers/block/aoe/aoenet.c @@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock) pr_warn("aoe: packet could not be sent on %s. %s\n", ifp ? ifp->name : "netif", "consider increasing tx_queue_len"); + dev_put(ifp); spin_lock_irq(&txlock); } return 0; From 44b1502cbcf6899a21c9d4ec8c61f5bcfaee0d03 Mon Sep 17 00:00:00 2001 From: Peter Hilber Date: Mon, 18 Dec 2023 08:38:39 +0100 Subject: [PATCH 064/176] timekeeping: Fix cross-timestamp interpolation on counter wrap [ Upstream commit 84dccadd3e2a3f1a373826ad71e5ced5e76b0c00 ] cycle_between() decides whether get_device_system_crosststamp() will interpolate for older counter readings. cycle_between() yields wrong results for a counter wrap-around where after < before < test, and for the case after < test < before. Fix the comparison logic. Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") Signed-off-by: Peter Hilber Signed-off-by: Thomas Gleixner Acked-by: John Stultz Link: https://lore.kernel.org/r/20231218073849.35294-2-peter.hilber@opensynergy.com Signed-off-by: Sasha Levin (cherry picked from commit 3c22ef22761ab15b1c32ea5997859c0719fdc14d) Signed-off-by: Harshit Mogalapalli --- kernel/time/timekeeping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index 1d6a476fdfba..a29bbdd4dfc1 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -1081,7 +1081,7 @@ static bool cycle_between(u64 before, u64 test, u64 after) { if (test > before && test < after) return true; - if (test < before && before > after) + if (before > after && (test > before || test < after)) return true; return false; } From ed6452adf4a6e0b9641fc065d63ddc6075238c23 Mon Sep 17 00:00:00 2001 From: Peter Hilber Date: Mon, 18 Dec 2023 08:38:40 +0100 Subject: [PATCH 065/176] timekeeping: Fix cross-timestamp interpolation corner case decision [ Upstream commit 87a41130881995f82f7adbafbfeddaebfb35f0ef ] The cycle_between() helper checks if parameter test is in the open interval (before, after). Colloquially speaking, this also applies to the counter wrap-around special case before > after. get_device_system_crosststamp() currently uses cycle_between() at the first call site to decide whether to interpolate for older counter readings. get_device_system_crosststamp() has the following problem with cycle_between() testing against an open interval: Assume that, by chance, cycles == tk->tkr_mono.cycle_last (in the following, "cycle_last" for brevity). Then, cycle_between() at the first call site, with effective argument values cycle_between(cycle_last, cycles, now), returns false, enabling interpolation. During interpolation, get_device_system_crosststamp() will then call cycle_between() at the second call site (if a history_begin was supplied). The effective argument values are cycle_between(history_begin->cycles, cycles, cycles), since system_counterval.cycles == interval_start == cycles, per the assumption. Due to the test against the open interval, cycle_between() returns false again. This causes get_device_system_crosststamp() to return -EINVAL. This failure should be avoided, since get_device_system_crosststamp() works both when cycles follows cycle_last (no interpolation), and when cycles precedes cycle_last (interpolation). For the case cycles == cycle_last, interpolation is actually unneeded. Fix this by changing cycle_between() into timestamp_in_interval(), which now checks against the closed interval, rather than the open interval. This changes the get_device_system_crosststamp() behavior for three corner cases: 1. Bypass interpolation in the case cycles == tk->tkr_mono.cycle_last, fixing the problem described above. 2. At the first timestamp_in_interval() call site, cycles == now no longer causes failure. 3. At the second timestamp_in_interval() call site, history_begin->cycles == system_counterval.cycles no longer causes failure. adjust_historical_crosststamp() also works for this corner case, where partial_history_cycles == total_history_cycles. These behavioral changes should not cause any problems. Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") Signed-off-by: Peter Hilber Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20231218073849.35294-3-peter.hilber@opensynergy.com Signed-off-by: Sasha Levin (cherry picked from commit 86c7cc07eef558e9986a17ac5b6d5f44c8b493bd) Signed-off-by: Harshit Mogalapalli --- kernel/time/timekeeping.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index a29bbdd4dfc1..e7603bd5e050 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -1075,13 +1075,15 @@ static int adjust_historical_crosststamp(struct system_time_snapshot *history, } /* - * cycle_between - true if test occurs chronologically between before and after + * timestamp_in_interval - true if ts is chronologically in [start, end] + * + * True if ts occurs chronologically at or after start, and before or at end. */ -static bool cycle_between(u64 before, u64 test, u64 after) +static bool timestamp_in_interval(u64 start, u64 end, u64 ts) { - if (test > before && test < after) + if (ts >= start && ts <= end) return true; - if (before > after && (test > before || test < after)) + if (start > end && (ts >= start || ts <= end)) return true; return false; } @@ -1141,7 +1143,7 @@ int get_device_system_crosststamp(int (*get_time_fn) */ now = tk_clock_read(&tk->tkr_mono); interval_start = tk->tkr_mono.cycle_last; - if (!cycle_between(interval_start, cycles, now)) { + if (!timestamp_in_interval(interval_start, now, cycles)) { clock_was_set_seq = tk->clock_was_set_seq; cs_was_changed_seq = tk->cs_was_changed_seq; cycles = interval_start; @@ -1172,13 +1174,13 @@ int get_device_system_crosststamp(int (*get_time_fn) bool discontinuity; /* - * Check that the counter value occurs after the provided + * Check that the counter value is not before the provided * history reference and that the history doesn't cross a * clocksource change */ if (!history_begin || - !cycle_between(history_begin->cycles, - system_counterval.cycles, cycles) || + !timestamp_in_interval(history_begin->cycles, + cycles, system_counterval.cycles) || history_begin->cs_was_changed_seq != cs_was_changed_seq) return -EINVAL; partial_history_cycles = cycles - system_counterval.cycles; From fabbb78782e6dd484cc0e036e1e0dbbb8c70b8da Mon Sep 17 00:00:00 2001 From: Peter Hilber Date: Mon, 18 Dec 2023 08:38:41 +0100 Subject: [PATCH 066/176] timekeeping: Fix cross-timestamp interpolation for non-x86 [ Upstream commit 14274d0bd31b4debf28284604589f596ad2e99f2 ] So far, get_device_system_crosststamp() unconditionally passes system_counterval.cycles to timekeeping_cycles_to_ns(). But when interpolating system time (do_interp == true), system_counterval.cycles is before tkr_mono.cycle_last, contrary to the timekeeping_cycles_to_ns() expectations. On x86, CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE will mitigate on interpolating, setting delta to 0. With delta == 0, xtstamp->sys_monoraw and xtstamp->sys_realtime are then set to the last update time, as implicitly expected by adjust_historical_crosststamp(). On other architectures, the resulting nonsense xtstamp->sys_monoraw and xtstamp->sys_realtime corrupt the xtstamp (ts) adjustment in adjust_historical_crosststamp(). Fix this by deriving xtstamp->sys_monoraw and xtstamp->sys_realtime from the last update time when interpolating, by using the local variable "cycles". The local variable already has the right value when interpolating, unlike system_counterval.cycles. Fixes: 2c756feb18d9 ("time: Add history to cross timestamp interface supporting slower devices") Signed-off-by: Peter Hilber Signed-off-by: Thomas Gleixner Acked-by: John Stultz Link: https://lore.kernel.org/r/20231218073849.35294-4-peter.hilber@opensynergy.com Signed-off-by: Sasha Levin (cherry picked from commit 20880812b2f8fad4cf269f83bd5266eed31f0208) Signed-off-by: Harshit Mogalapalli --- kernel/time/timekeeping.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c index e7603bd5e050..3091c72f8933 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -1156,10 +1156,8 @@ int get_device_system_crosststamp(int (*get_time_fn) tk_core.timekeeper.offs_real); base_raw = tk->tkr_raw.base; - nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, - system_counterval.cycles); - nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, - system_counterval.cycles); + nsec_real = timekeeping_cycles_to_ns(&tk->tkr_mono, cycles); + nsec_raw = timekeeping_cycles_to_ns(&tk->tkr_raw, cycles); } while (read_seqcount_retry(&tk_core.seq, seq)); xtstamp->sys_realtime = ktime_add_ns(base_real, nsec_real); From 0e7ba895f0ec865043f09e88cbfc750869e3d81a Mon Sep 17 00:00:00 2001 From: Saurav Girepunje Date: Tue, 29 Oct 2019 00:42:59 +0530 Subject: [PATCH 067/176] b43: dma: Fix use true/false for bool type variable [ Upstream commit a9160bb35ad9ada8428a4d48426f7fc128db40cc ] use true/false for bool type variables assignment. Signed-off-by: Saurav Girepunje Signed-off-by: Kalle Valo Stable-dep-of: 9636951e4468 ("wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled") Signed-off-by: Sasha Levin (cherry picked from commit eb014286140dd5bd4f82417bb186edbbb2f1d3a4) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/broadcom/b43/dma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c index e0cf2a974121..2dc998d1bcb5 100644 --- a/drivers/net/wireless/broadcom/b43/dma.c +++ b/drivers/net/wireless/broadcom/b43/dma.c @@ -1462,7 +1462,7 @@ int b43_dma_tx(struct b43_wldev *dev, struct sk_buff *skb) /* This TX ring is full. */ unsigned int skb_mapping = skb_get_queue_mapping(skb); ieee80211_stop_queue(dev->wl->hw, skb_mapping); - dev->wl->tx_queue_stopped[skb_mapping] = 1; + dev->wl->tx_queue_stopped[skb_mapping] = true; ring->stopped = true; if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { b43dbg(dev->wl, "Stopped TX ring %d\n", ring->index); @@ -1626,7 +1626,7 @@ void b43_dma_handle_txstatus(struct b43_wldev *dev, } if (dev->wl->tx_queue_stopped[ring->queue_prio]) { - dev->wl->tx_queue_stopped[ring->queue_prio] = 0; + dev->wl->tx_queue_stopped[ring->queue_prio] = false; } else { /* If the driver queue is running wake the corresponding * mac80211 queue. */ From c6fa41a3cb1d5f9fff1b455d779df5a47c44f254 Mon Sep 17 00:00:00 2001 From: Rahul Rameshbabu Date: Sun, 31 Dec 2023 05:03:33 +0000 Subject: [PATCH 068/176] wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled [ Upstream commit 9636951e4468f02c72cc75a82dc65d003077edbc ] When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS is disabled to prevent trying to stop/wake a non-existent queue and failing to stop/wake the actual queue instantiated. Log of issue before change (with kernel parameter qos=0): [ +5.112651] ------------[ cut here ]------------ [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)] [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00 [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097 [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900 [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0 [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000 [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40 [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000 [ +0.000001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000001] CR2: 00007fafda7ae008 CR3: 000000046d220005 CR4: 00000000000606e0 [ +0.000002] Call Trace: [ +0.000003] [ +0.000001] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000044] ? __warn+0x81/0x130 [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000045] ? report_bug+0x171/0x1a0 [ +0.000004] ? handle_bug+0x41/0x70 [ +0.000004] ? exc_invalid_op+0x17/0x70 [ +0.000003] ? asm_exc_invalid_op+0x1a/0x20 [ +0.000005] ? __ieee80211_wake_queue+0xd5/0x180 [mac80211] [ +0.000043] ieee80211_wake_queue+0x4a/0x80 [mac80211] [ +0.000044] b43_dma_handle_txstatus+0x29c/0x3a0 [b43] [ +0.000016] ? __pfx_irq_thread_fn+0x10/0x10 [ +0.000002] b43_handle_txstatus+0x61/0x80 [b43] [ +0.000012] b43_interrupt_thread_handler+0x3f9/0x6b0 [b43] [ +0.000011] irq_thread_fn+0x23/0x60 [ +0.000002] irq_thread+0xfe/0x1c0 [ +0.000002] ? __pfx_irq_thread_dtor+0x10/0x10 [ +0.000001] ? __pfx_irq_thread+0x10/0x10 [ +0.000001] kthread+0xe8/0x120 [ +0.000003] ? __pfx_kthread+0x10/0x10 [ +0.000003] ret_from_fork+0x34/0x50 [ +0.000002] ? __pfx_kthread+0x10/0x10 [ +0.000002] ret_from_fork_asm+0x1b/0x30 [ +0.000004] [ +0.000001] ---[ end trace 0000000000000000 ]--- [ +0.000065] ------------[ cut here ]------------ [ +0.000001] WARNING: CPU: 0 PID: 56077 at net/mac80211/util.c:514 __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000077] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3 [ +0.000073] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common [ +0.000084] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43] [ +0.000012] CPU: 0 PID: 56077 Comm: kworker/u16:17 Tainted: G W O 6.6.7 #1-NixOS [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019 [ +0.000001] Workqueue: phy7 b43_tx_work [b43] [ +0.000019] RIP: 0010:__ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000076] Code: 74 11 48 8b 78 08 0f b7 d6 89 e9 4c 89 e6 e8 ab f4 00 00 65 ff 0d 9c b7 34 3f 0f 85 55 ff ff ff 0f 1f 44 00 00 e9 4b ff ff ff <0f> 0b 5b 5d 41 5c 41 5d c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 [ +0.000002] RSP: 0000:ffffc90004157d50 EFLAGS: 00010097 [ +0.000002] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000 [ +0.000002] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8882d65d0900 [ +0.000002] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 [ +0.000001] R10: 00000000000000ff R11: ffff88814d0155a0 R12: ffff8882d65d0900 [ +0.000002] R13: 0000000000000000 R14: ffff8881002d2800 R15: 00000000000000d0 [ +0.000002] FS: 0000000000000000(0000) GS:ffff88846f800000(0000) knlGS:0000000000000000 [ +0.000003] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000002] CR2: 00007f2e8c10c880 CR3: 0000000385b66005 CR4: 00000000000606f0 [ +0.000002] Call Trace: [ +0.000001] [ +0.000001] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000075] ? __warn+0x81/0x130 [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000075] ? report_bug+0x171/0x1a0 [ +0.000005] ? handle_bug+0x41/0x70 [ +0.000003] ? exc_invalid_op+0x17/0x70 [ +0.000004] ? asm_exc_invalid_op+0x1a/0x20 [ +0.000004] ? __ieee80211_stop_queue+0xcc/0xe0 [mac80211] [ +0.000076] ieee80211_stop_queue+0x36/0x50 [mac80211] [ +0.000077] b43_dma_tx+0x550/0x780 [b43] [ +0.000023] b43_tx_work+0x90/0x130 [b43] [ +0.000018] process_one_work+0x174/0x340 [ +0.000003] worker_thread+0x27b/0x3a0 [ +0.000004] ? __pfx_worker_thread+0x10/0x10 [ +0.000002] kthread+0xe8/0x120 [ +0.000003] ? __pfx_kthread+0x10/0x10 [ +0.000004] ret_from_fork+0x34/0x50 [ +0.000002] ? __pfx_kthread+0x10/0x10 [ +0.000003] ret_from_fork_asm+0x1b/0x30 [ +0.000006] [ +0.000001] ---[ end trace 0000000000000000 ]--- Fixes: e6f5b934fba8 ("b43: Add QOS support") Signed-off-by: Rahul Rameshbabu Reviewed-by: Julian Calaby Signed-off-by: Kalle Valo Link: https://msgid.link/20231231050300.122806-2-sergeantsagara@protonmail.com Signed-off-by: Sasha Levin (cherry picked from commit 1824f942527f784a19e01eac2d9679a21623d010) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/broadcom/b43/b43.h | 16 ++++++++++++++++ drivers/net/wireless/broadcom/b43/dma.c | 4 ++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h index a449561fccf2..f6bf07dfb748 100644 --- a/drivers/net/wireless/broadcom/b43/b43.h +++ b/drivers/net/wireless/broadcom/b43/b43.h @@ -1082,6 +1082,22 @@ static inline bool b43_using_pio_transfers(struct b43_wldev *dev) return dev->__using_pio_transfers; } +static inline void b43_wake_queue(struct b43_wldev *dev, int queue_prio) +{ + if (dev->qos_enabled) + ieee80211_wake_queue(dev->wl->hw, queue_prio); + else + ieee80211_wake_queue(dev->wl->hw, 0); +} + +static inline void b43_stop_queue(struct b43_wldev *dev, int queue_prio) +{ + if (dev->qos_enabled) + ieee80211_stop_queue(dev->wl->hw, queue_prio); + else + ieee80211_stop_queue(dev->wl->hw, 0); +} + /* Message printing */ __printf(2, 3) void b43info(struct b43_wl *wl, const char *fmt, ...); __printf(2, 3) void b43err(struct b43_wl *wl, const char *fmt, ...); diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c index 2dc998d1bcb5..0372b9755033 100644 --- a/drivers/net/wireless/broadcom/b43/dma.c +++ b/drivers/net/wireless/broadcom/b43/dma.c @@ -1461,7 +1461,7 @@ int b43_dma_tx(struct b43_wldev *dev, struct sk_buff *skb) should_inject_overflow(ring)) { /* This TX ring is full. */ unsigned int skb_mapping = skb_get_queue_mapping(skb); - ieee80211_stop_queue(dev->wl->hw, skb_mapping); + b43_stop_queue(dev, skb_mapping); dev->wl->tx_queue_stopped[skb_mapping] = true; ring->stopped = true; if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { @@ -1630,7 +1630,7 @@ void b43_dma_handle_txstatus(struct b43_wldev *dev, } else { /* If the driver queue is running wake the corresponding * mac80211 queue. */ - ieee80211_wake_queue(dev->wl->hw, ring->queue_prio); + b43_wake_queue(dev, ring->queue_prio); if (b43_debug(dev, B43_DBG_DMAVERBOSE)) { b43dbg(dev->wl, "Woke up TX ring %d\n", ring->index); } From 947b5e0d7e03173f242ce6c5871cb82e357529f9 Mon Sep 17 00:00:00 2001 From: Rahul Rameshbabu Date: Sun, 31 Dec 2023 05:03:45 +0000 Subject: [PATCH 069/176] wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled [ Upstream commit 77135a38f6c2f950d2306ac3d37cbb407e6243f2 ] When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS is disabled to prevent trying to stop/wake a non-existent queue and failing to stop/wake the actual queue instantiated. Fixes: 5100d5ac81b9 ("b43: Add PIO support for PCMCIA devices") Signed-off-by: Rahul Rameshbabu Reviewed-by: Julian Calaby Signed-off-by: Kalle Valo Link: https://msgid.link/20231231050300.122806-3-sergeantsagara@protonmail.com Signed-off-by: Sasha Levin (cherry picked from commit 5175e6256f5ad36ceea6ad5aa44f6ce87764e653) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/broadcom/b43/pio.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/broadcom/b43/pio.c b/drivers/net/wireless/broadcom/b43/pio.c index a4ff5e2a42b9..b5126edcdc80 100644 --- a/drivers/net/wireless/broadcom/b43/pio.c +++ b/drivers/net/wireless/broadcom/b43/pio.c @@ -538,7 +538,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb) if (total_len > (q->buffer_size - q->buffer_used)) { /* Not enough memory on the queue. */ err = -EBUSY; - ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb)); + b43_stop_queue(dev, skb_get_queue_mapping(skb)); q->stopped = true; goto out; } @@ -565,7 +565,7 @@ int b43_pio_tx(struct b43_wldev *dev, struct sk_buff *skb) if (((q->buffer_size - q->buffer_used) < roundup(2 + 2 + 6, 4)) || (q->free_packet_slots == 0)) { /* The queue is full. */ - ieee80211_stop_queue(dev->wl->hw, skb_get_queue_mapping(skb)); + b43_stop_queue(dev, skb_get_queue_mapping(skb)); q->stopped = true; } @@ -600,7 +600,7 @@ void b43_pio_handle_txstatus(struct b43_wldev *dev, list_add(&pack->list, &q->packets_list); if (q->stopped) { - ieee80211_wake_queue(dev->wl->hw, q->queue_prio); + b43_wake_queue(dev, q->queue_prio); q->stopped = false; } } From 73a69fcb66db7b037de6c521e49ba54ee21e5e3c Mon Sep 17 00:00:00 2001 From: Saurav Girepunje Date: Tue, 29 Oct 2019 00:32:04 +0530 Subject: [PATCH 070/176] b43: main: Fix use true/false for bool type [ Upstream commit 6db774c1725059f98e4fce97f878688248584be5 ] use true/false on bool type variable assignment. Signed-off-by: Saurav Girepunje Signed-off-by: Kalle Valo Stable-dep-of: 581c8967d66c ("wifi: b43: Stop correct queue in DMA worker when QoS is disabled") Signed-off-by: Sasha Levin (cherry picked from commit ddd8aa7d4959a42786c3e2c2491c33e91e032f88) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/broadcom/b43/main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c index 8a226a9d755e..9a3563de60a7 100644 --- a/drivers/net/wireless/broadcom/b43/main.c +++ b/drivers/net/wireless/broadcom/b43/main.c @@ -3625,7 +3625,7 @@ static void b43_tx_work(struct work_struct *work) else err = b43_dma_tx(dev, skb); if (err == -ENOSPC) { - wl->tx_queue_stopped[queue_num] = 1; + wl->tx_queue_stopped[queue_num] = true; ieee80211_stop_queue(wl->hw, queue_num); skb_queue_head(&wl->tx_queue[queue_num], skb); break; @@ -3636,7 +3636,7 @@ static void b43_tx_work(struct work_struct *work) } if (!err) - wl->tx_queue_stopped[queue_num] = 0; + wl->tx_queue_stopped[queue_num] = false; } #if B43_DEBUG @@ -5630,7 +5630,7 @@ static struct b43_wl *b43_wireless_init(struct b43_bus_dev *dev) /* Initialize queues and flags. */ for (queue_num = 0; queue_num < B43_QOS_QUEUE_NUM; queue_num++) { skb_queue_head_init(&wl->tx_queue[queue_num]); - wl->tx_queue_stopped[queue_num] = 0; + wl->tx_queue_stopped[queue_num] = false; } snprintf(chip_name, ARRAY_SIZE(chip_name), From 13876838c450d766f468452a940c14e7f16ce55b Mon Sep 17 00:00:00 2001 From: Rahul Rameshbabu Date: Sun, 31 Dec 2023 05:03:51 +0000 Subject: [PATCH 071/176] wifi: b43: Stop correct queue in DMA worker when QoS is disabled [ Upstream commit 581c8967d66c4961076dbbee356834e9c6777184 ] When QoS is disabled, the queue priority value will not map to the correct ieee80211 queue since there is only one queue. Stop queue 0 when QoS is disabled to prevent trying to stop a non-existent queue and failing to stop the actual queue instantiated. Fixes: bad691946966 ("b43: avoid packet losses in the dma worker code.") Signed-off-by: Rahul Rameshbabu Reviewed-by: Julian Calaby Signed-off-by: Kalle Valo Link: https://msgid.link/20231231050300.122806-4-sergeantsagara@protonmail.com Signed-off-by: Sasha Levin (cherry picked from commit 0191ff009dce9740494e37a8616b3f0a3b38d884) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/broadcom/b43/main.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c index 9a3563de60a7..8d50ebdbeb1e 100644 --- a/drivers/net/wireless/broadcom/b43/main.c +++ b/drivers/net/wireless/broadcom/b43/main.c @@ -3626,7 +3626,7 @@ static void b43_tx_work(struct work_struct *work) err = b43_dma_tx(dev, skb); if (err == -ENOSPC) { wl->tx_queue_stopped[queue_num] = true; - ieee80211_stop_queue(wl->hw, queue_num); + b43_stop_queue(dev, queue_num); skb_queue_head(&wl->tx_queue[queue_num], skb); break; } @@ -3650,6 +3650,7 @@ static void b43_op_tx(struct ieee80211_hw *hw, struct sk_buff *skb) { struct b43_wl *wl = hw_to_b43_wl(hw); + u16 skb_queue_mapping; if (unlikely(skb->len < 2 + 2 + 6)) { /* Too short, this can't be a valid frame. */ @@ -3658,12 +3659,12 @@ static void b43_op_tx(struct ieee80211_hw *hw, } B43_WARN_ON(skb_shinfo(skb)->nr_frags); - skb_queue_tail(&wl->tx_queue[skb->queue_mapping], skb); - if (!wl->tx_queue_stopped[skb->queue_mapping]) { + skb_queue_mapping = skb_get_queue_mapping(skb); + skb_queue_tail(&wl->tx_queue[skb_queue_mapping], skb); + if (!wl->tx_queue_stopped[skb_queue_mapping]) ieee80211_queue_work(wl->hw, &wl->tx_work); - } else { - ieee80211_stop_queue(wl->hw, skb->queue_mapping); - } + else + b43_stop_queue(wl->current_dev, skb_queue_mapping); } static void b43_qos_params_upload(struct b43_wldev *dev, From 14ee0973eab90a53de93ef3bd02f73ef9cb54622 Mon Sep 17 00:00:00 2001 From: Rahul Rameshbabu Date: Sun, 31 Dec 2023 05:03:58 +0000 Subject: [PATCH 072/176] wifi: b43: Disable QoS for bcm4331 [ Upstream commit 09795bded2e725443fe4a4803cae2079cdaf7b26 ] bcm4331 seems to not function correctly with QoS support. This may be due to issues with currently available firmware or potentially a device specific issue. When queues that are not of the default "best effort" priority are selected, traffic appears to not transmit out of the hardware while no errors are returned. This behavior is present among all the other priority queues: video, voice, and background. While this can be worked around by setting a kernel parameter, the default behavior is problematic for most users and may be difficult to debug. This patch offers a working out-of-box experience for bcm4331 users. Log of the issue (using ssh low-priority traffic as an example): ssh -T -vvvv git@github.com OpenSSH_9.6p1, OpenSSL 3.0.12 24 Oct 2023 debug1: Reading configuration data /etc/ssh/ssh_config debug2: checking match for 'host * exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1'"' host github.com originally github.com debug3: /etc/ssh/ssh_config line 5: matched 'host "github.com"' debug1: Executing command: '/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0rypm7sh1i8js8w-gnupg-2.4.1/bin/gpg-connect-agent --quiet updatestartuptty /bye >/dev/null 2>&1'' debug3: command returned status 0 debug3: /etc/ssh/ssh_config line 5: matched 'exec "/nix/store/q1c2flcykgr4wwg5a6h450hxbk4ch589-bash-5.2-p15/bin/bash -c '/nix/store/c015armnkhr6v18za0r"' debug2: match found debug1: /etc/ssh/ssh_config line 9: Applying options for * debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/binary-eater/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/binary-eater/.ssh/known_hosts2' debug2: resolving "github.com" port 22 debug3: resolve_host: lookup github.com:22 debug3: channel_clear_timeouts: clearing debug3: ssh_connect_direct: entering debug1: Connecting to github.com [192.30.255.113] port 22. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 Fixes: e6f5b934fba8 ("b43: Add QOS support") Signed-off-by: Rahul Rameshbabu Reviewed-by: Julian Calaby Signed-off-by: Kalle Valo Link: https://msgid.link/20231231050300.122806-5-sergeantsagara@protonmail.com Signed-off-by: Sasha Levin (cherry picked from commit 4828567fd9625926c07fe711a096d5374f5f42d5) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/broadcom/b43/main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c index 8d50ebdbeb1e..6d18c01b18dd 100644 --- a/drivers/net/wireless/broadcom/b43/main.c +++ b/drivers/net/wireless/broadcom/b43/main.c @@ -2605,7 +2605,8 @@ static void b43_request_firmware(struct work_struct *work) start_ieee80211: wl->hw->queues = B43_QOS_QUEUE_NUM; - if (!modparam_qos || dev->fw.opensource) + if (!modparam_qos || dev->fw.opensource || + dev->dev->chip_id == BCMA_CHIP_ID_BCM4331) wl->hw->queues = 1; err = ieee80211_register_hw(wl->hw); From 4b8198ce7bd031846776dc60a66402697e2d3f9b Mon Sep 17 00:00:00 2001 From: Jinjie Ruan Date: Sun, 3 Sep 2023 11:02:15 +0800 Subject: [PATCH 073/176] wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir() [ Upstream commit 50180c7f8e3de7c2d87f619131776598fcb1478d ] debugfs_create_dir() returns ERR_PTR and never return NULL. As Russell suggested, this patch removes the error checking for debugfs_create_dir(). This is because the DebugFS kernel API is developed in a way that the caller can safely ignore the errors that occur during the creation of DebugFS nodes. The debugfs APIs have a IS_ERR() judge in start_creating() which can handle it gracefully. So these checks are unnecessary. Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Jinjie Ruan Suggested-by: Russell King (Oracle) Signed-off-by: Kalle Valo Link: https://msgid.link/20230903030216.1509013-3-ruanjinjie@huawei.com Signed-off-by: Sasha Levin (cherry picked from commit 1e68b5319090ee3f810580c059a202ec8b24bdbe) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/marvell/mwifiex/debugfs.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c index b843be87112c..727fc3ae27b5 100644 --- a/drivers/net/wireless/marvell/mwifiex/debugfs.c +++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c @@ -1001,9 +1001,6 @@ mwifiex_dev_debugfs_init(struct mwifiex_private *priv) priv->dfs_dev_dir = debugfs_create_dir(priv->netdev->name, mwifiex_dfs_dir); - if (!priv->dfs_dev_dir) - return; - MWIFIEX_DFS_ADD_FILE(info); MWIFIEX_DFS_ADD_FILE(debug); MWIFIEX_DFS_ADD_FILE(getlog); From c4d2af79e42344f14a2826b617fbe57e263c8e36 Mon Sep 17 00:00:00 2001 From: Xin Long Date: Sat, 10 Mar 2018 18:57:50 +0800 Subject: [PATCH 074/176] sock_diag: request _diag module only when the family or proto has been registered Now when using 'ss' in iproute, kernel would try to load all _diag modules, which also causes corresponding family and proto modules to be loaded as well due to module dependencies. Like after running 'ss', sctp, dccp, af_packet (if it works as a module) would be loaded. For example: $ lsmod|grep sctp $ ss $ lsmod|grep sctp sctp_diag 16384 0 sctp 323584 5 sctp_diag inet_diag 24576 4 raw_diag,tcp_diag,sctp_diag,udp_diag libcrc32c 16384 3 nf_conntrack,nf_nat,sctp As these family and proto modules are loaded unintentionally, it could cause some problems, like: - Some debug tools use 'ss' to collect the socket info, which loads all those diag and family and protocol modules. It's noisy for identifying issues. - Users usually expect to drop sctp init packet silently when they have no sense of sctp protocol instead of sending abort back. - It wastes resources (especially with multiple netns), and SCTP module can't be unloaded once it's loaded. ... In short, it's really inappropriate to have these family and proto modules loaded unexpectedly when just doing debugging with inet_diag. This patch is to introduce sock_load_diag_module() where it loads the _diag module only when it's corresponding family or proto has been already registered. Note that we can't just load _diag module without the family or proto loaded, as some symbols used in _diag module are from the family or proto module. v1->v2: - move inet proto check to inet_diag to avoid a compiling err. v2->v3: - define sock_load_diag_module in sock.c and export one symbol only. - improve the changelog. Reported-by: Sabrina Dubroca Acked-by: Marcelo Ricardo Leitner Acked-by: Phil Sutter Acked-by: Sabrina Dubroca Signed-off-by: Xin Long Signed-off-by: David S. Miller (cherry picked from commit bf2ae2e4bf9360e07c0cdfa166bcdc0afd92f4ce) Signed-off-by: Harshit Mogalapalli --- include/linux/net.h | 1 + include/net/sock.h | 1 + net/core/sock.c | 21 +++++++++++++++++++++ net/core/sock_diag.c | 12 ++++-------- net/ipv4/inet_diag.c | 3 +-- net/socket.c | 5 +++++ 6 files changed, 33 insertions(+), 10 deletions(-) diff --git a/include/linux/net.h b/include/linux/net.h index caeb159abda5..d8d5f2c7b776 100644 --- a/include/linux/net.h +++ b/include/linux/net.h @@ -222,6 +222,7 @@ enum { int sock_wake_async(struct socket_wq *sk_wq, int how, int band); int sock_register(const struct net_proto_family *fam); void sock_unregister(int family); +bool sock_is_registered(int family); int __sock_create(struct net *net, int family, int type, int proto, struct socket **res, int kern); int sock_create(int family, int type, int proto, struct socket **res); diff --git a/include/net/sock.h b/include/net/sock.h index f974b548e119..e9d4e486403b 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -1155,6 +1155,7 @@ struct proto { int proto_register(struct proto *prot, int alloc_slab); void proto_unregister(struct proto *prot); +int sock_load_diag_module(int family, int protocol); #ifdef SOCK_REFCNT_DEBUG static inline void sk_refcnt_debug_inc(struct sock *sk) diff --git a/net/core/sock.c b/net/core/sock.c index e8b5742d9149..8816cb661e81 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3296,6 +3296,27 @@ void proto_unregister(struct proto *prot) } EXPORT_SYMBOL(proto_unregister); +int sock_load_diag_module(int family, int protocol) +{ + if (!protocol) { + if (!sock_is_registered(family)) + return -ENOENT; + + return request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, + NETLINK_SOCK_DIAG, family); + } + +#ifdef CONFIG_INET + if (family == AF_INET && + !rcu_access_pointer(inet_protos[protocol])) + return -ENOENT; +#endif + + return request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK, + NETLINK_SOCK_DIAG, family, protocol); +} +EXPORT_SYMBOL(sock_load_diag_module); + #ifdef CONFIG_PROC_FS static void *proto_seq_start(struct seq_file *seq, loff_t *pos) __acquires(proto_list_mutex) diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index 146b50e30659..c37b5be7c5e4 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -220,8 +220,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh) return -EINVAL; if (sock_diag_handlers[req->sdiag_family] == NULL) - request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, - NETLINK_SOCK_DIAG, req->sdiag_family); + sock_load_diag_module(req->sdiag_family, 0); mutex_lock(&sock_diag_table_mutex); hndl = sock_diag_handlers[req->sdiag_family]; @@ -247,8 +246,7 @@ static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, case TCPDIAG_GETSOCK: case DCCPDIAG_GETSOCK: if (inet_rcv_compat == NULL) - request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, - NETLINK_SOCK_DIAG, AF_INET); + sock_load_diag_module(AF_INET, 0); mutex_lock(&sock_diag_table_mutex); if (inet_rcv_compat != NULL) @@ -281,14 +279,12 @@ static int sock_diag_bind(struct net *net, int group) case SKNLGRP_INET_TCP_DESTROY: case SKNLGRP_INET_UDP_DESTROY: if (!sock_diag_handlers[AF_INET]) - request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, - NETLINK_SOCK_DIAG, AF_INET); + sock_load_diag_module(AF_INET, 0); break; case SKNLGRP_INET6_TCP_DESTROY: case SKNLGRP_INET6_UDP_DESTROY: if (!sock_diag_handlers[AF_INET6]) - request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK, - NETLINK_SOCK_DIAG, AF_INET6); + sock_load_diag_module(AF_INET6, 0); break; } return 0; diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c index 5fac8d776391..a3335815e981 100644 --- a/net/ipv4/inet_diag.c +++ b/net/ipv4/inet_diag.c @@ -53,8 +53,7 @@ static DEFINE_MUTEX(inet_diag_table_mutex); static const struct inet_diag_handler *inet_diag_lock_handler(int proto) { if (!inet_diag_table[proto]) - request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK, - NETLINK_SOCK_DIAG, AF_INET, proto); + sock_load_diag_module(AF_INET, proto); mutex_lock(&inet_diag_table_mutex); if (!inet_diag_table[proto]) diff --git a/net/socket.c b/net/socket.c index e59b114e16ba..1e2f271bc7d5 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2604,6 +2604,11 @@ void sock_unregister(int family) } EXPORT_SYMBOL(sock_unregister); +bool sock_is_registered(int family) +{ + return family < NPROTO && rcu_access_pointer(net_families[family]); +} + static int __init sock_init(void) { int err; From 7e6bdf38024904a26cf237968d6f476d3060ea8c Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Mon, 22 Jan 2024 11:25:55 +0000 Subject: [PATCH 075/176] sock_diag: annotate data-races around sock_diag_handlers[family] [ Upstream commit efd402537673f9951992aea4ef0f5ff51d858f4b ] __sock_diag_cmd() and sock_diag_bind() read sock_diag_handlers[family] without a lock held. Use READ_ONCE()/WRITE_ONCE() annotations to avoid potential issues. Fixes: 8ef874bfc729 ("sock_diag: Move the sock_ code to net/core/") Signed-off-by: Eric Dumazet Reviewed-by: Guillaume Nault Reviewed-by: Kuniyuki Iwashima Reviewed-by: Willem de Bruijn Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit cffd4a7c975848e2bb7c577e5c814a0d2bc9efd4) Signed-off-by: Harshit Mogalapalli --- net/core/sock_diag.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index c37b5be7c5e4..f0560b3a6c54 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -186,7 +186,7 @@ int sock_diag_register(const struct sock_diag_handler *hndl) if (sock_diag_handlers[hndl->family]) err = -EBUSY; else - sock_diag_handlers[hndl->family] = hndl; + WRITE_ONCE(sock_diag_handlers[hndl->family], hndl); mutex_unlock(&sock_diag_table_mutex); return err; @@ -202,7 +202,7 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld) mutex_lock(&sock_diag_table_mutex); BUG_ON(sock_diag_handlers[family] != hnld); - sock_diag_handlers[family] = NULL; + WRITE_ONCE(sock_diag_handlers[family], NULL); mutex_unlock(&sock_diag_table_mutex); } EXPORT_SYMBOL_GPL(sock_diag_unregister); @@ -219,7 +219,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh) if (req->sdiag_family >= AF_MAX) return -EINVAL; - if (sock_diag_handlers[req->sdiag_family] == NULL) + if (READ_ONCE(sock_diag_handlers[req->sdiag_family]) == NULL) sock_load_diag_module(req->sdiag_family, 0); mutex_lock(&sock_diag_table_mutex); @@ -278,12 +278,12 @@ static int sock_diag_bind(struct net *net, int group) switch (group) { case SKNLGRP_INET_TCP_DESTROY: case SKNLGRP_INET_UDP_DESTROY: - if (!sock_diag_handlers[AF_INET]) + if (!READ_ONCE(sock_diag_handlers[AF_INET])) sock_load_diag_module(AF_INET, 0); break; case SKNLGRP_INET6_TCP_DESTROY: case SKNLGRP_INET6_UDP_DESTROY: - if (!sock_diag_handlers[AF_INET6]) + if (!READ_ONCE(sock_diag_handlers[AF_INET6])) sock_load_diag_module(AF_INET6, 0); break; } From d4a666252ef7cc7e3c6c126564e8f8e3ac751196 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima Date: Tue, 23 Jan 2024 09:08:52 -0800 Subject: [PATCH 076/176] af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc(). [ Upstream commit 31e03207119a535d0b0e3b3a7f91983aeb2cb14d ] gc_in_progress is changed under spin_lock(&unix_gc_lock), but wait_for_unix_gc() reads it locklessly. Let's use READ_ONCE(). Fixes: 5f23b734963e ("net: Fix soft lockups/OOM issues w/ unix garbage collector") Signed-off-by: Kuniyuki Iwashima Link: https://lore.kernel.org/r/20240123170856.41348-2-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 0c41412330b8804ec9829ecb929a21d8cc2e06c5) Signed-off-by: Harshit Mogalapalli --- net/unix/garbage.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/garbage.c b/net/unix/garbage.c index 4d283e26d816..0a212422b513 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c @@ -203,7 +203,7 @@ void wait_for_unix_gc(void) if (READ_ONCE(unix_tot_inflight) > UNIX_INFLIGHT_TRIGGER_GC && !READ_ONCE(gc_in_progress)) unix_gc(); - wait_event(unix_gc_wait, gc_in_progress == false); + wait_event(unix_gc_wait, !READ_ONCE(gc_in_progress)); } /* The external entry point: unix_gc() */ From 7dbbfcf6db50dd29b7040c06826c2f26b8813b6a Mon Sep 17 00:00:00 2001 From: Zhipeng Lu Date: Fri, 26 Jan 2024 15:53:34 +0800 Subject: [PATCH 077/176] wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer() [ Upstream commit 5f0e4aede01cb01fa633171f0533affd25328c3a ] In the for statement of lbs_allocate_cmd_buffer(), if the allocation of cmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to be freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer(). Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver") Signed-off-by: Zhipeng Lu Signed-off-by: Kalle Valo Link: https://msgid.link/20240126075336.2825608-1-alexious@zju.edu.cn Signed-off-by: Sasha Levin (cherry picked from commit 96481624fb5a6319079fb5059e46dbce43a90186) Signed-off-by: Harshit Mogalapalli --- drivers/net/wireless/marvell/libertas/cmd.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/cmd.c b/drivers/net/wireless/marvell/libertas/cmd.c index c1f422918737..d1984f03fdfc 100644 --- a/drivers/net/wireless/marvell/libertas/cmd.c +++ b/drivers/net/wireless/marvell/libertas/cmd.c @@ -1132,7 +1132,7 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv) if (!cmdarray[i].cmdbuf) { lbs_deb_host("ALLOC_CMD_BUF: ptempvirtualaddr is NULL\n"); ret = -1; - goto done; + goto free_cmd_array; } } @@ -1140,8 +1140,17 @@ int lbs_allocate_cmd_buffer(struct lbs_private *priv) init_waitqueue_head(&cmdarray[i].cmdwait_q); lbs_cleanup_and_insert_cmd(priv, &cmdarray[i]); } - ret = 0; + return 0; +free_cmd_array: + for (i = 0; i < LBS_NUM_CMD_BUFFERS; i++) { + if (cmdarray[i].cmdbuf) { + kfree(cmdarray[i].cmdbuf); + cmdarray[i].cmdbuf = NULL; + } + } + kfree(priv->cmd_array); + priv->cmd_array = NULL; done: return ret; } From d39f836a2b9e34610d3c1b6800adda8b1b98b6b6 Mon Sep 17 00:00:00 2001 From: Armin Wolf Date: Tue, 13 Feb 2024 01:41:58 +0100 Subject: [PATCH 078/176] ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() [ Upstream commit e18afcb7b2a12b635ac10081f943fcf84ddacc51 ] After unregistering the CPU idle device, the memory associated with it is not freed, leading to a memory leak: unreferenced object 0xffff896282f6c000 (size 1024): comm "swapper/0", pid 1, jiffies 4294893170 hex dump (first 32 bytes): 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 8836a742): [] kmalloc_trace+0x29d/0x340 [] acpi_processor_power_init+0xf3/0x1c0 [] __acpi_processor_start+0xd3/0xf0 [] acpi_processor_start+0x2c/0x50 [] really_probe+0xe2/0x480 [] __driver_probe_device+0x78/0x160 [] driver_probe_device+0x1f/0x90 [] __driver_attach+0xce/0x1c0 [] bus_for_each_dev+0x70/0xc0 [] bus_add_driver+0x112/0x210 [] driver_register+0x55/0x100 [] acpi_processor_driver_init+0x3b/0xc0 [] do_one_initcall+0x41/0x300 [] kernel_init_freeable+0x320/0x470 [] kernel_init+0x16/0x1b0 [] ret_from_fork+0x2d/0x50 Fix this by freeing the CPU idle device after unregistering it. Fixes: 3d339dcbb56d ("cpuidle / ACPI : move cpuidle_device field out of the acpi_processor_power structure") Signed-off-by: Armin Wolf Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin (cherry picked from commit d351bcadab6caa6d8ce7159ff4b77e2da35c09fa) Signed-off-by: Harshit Mogalapalli --- drivers/acpi/processor_idle.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index 590eeca2419f..5580e506838e 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -1526,6 +1526,8 @@ int acpi_processor_power_exit(struct acpi_processor *pr) acpi_processor_registered--; if (acpi_processor_registered == 0) cpuidle_unregister_driver(&acpi_idle_driver); + + kfree(dev); } pr->flags.power_setup_done = 0; From 3ecc2213610561a98f56332417ce1cd445addd80 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 16 Feb 2024 10:02:37 +0000 Subject: [PATCH 079/176] bus: tegra-aconnect: Update dependency to ARCH_TEGRA [ Upstream commit 4acd21a45c1446277e2abaece97d7fa7c2e692a9 ] Update the architecture dependency to be the generic Tegra because the driver works on the four latest Tegra generations not just Tegra210, if you build a kernel with a specific ARCH_TEGRA_xxx_SOC option that excludes Tegra210 you don't get this driver. Fixes: 46a88534afb59 ("bus: Add support for Tegra ACONNECT") Signed-off-by: Peter Robinson Cc: Jon Hunter Cc: Thierry Reding Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin (cherry picked from commit dfd9078eecdac8d45badc029d0a1afb9b887d089) Signed-off-by: Harshit Mogalapalli --- drivers/bus/Kconfig | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/bus/Kconfig b/drivers/bus/Kconfig index 3e66f4cc1a59..3443f4669885 100644 --- a/drivers/bus/Kconfig +++ b/drivers/bus/Kconfig @@ -144,12 +144,13 @@ config SUNXI_RSB config TEGRA_ACONNECT tristate "Tegra ACONNECT Bus Driver" - depends on ARCH_TEGRA_210_SOC + depends on ARCH_TEGRA depends on OF && PM select PM_CLK help Driver for the Tegra ACONNECT bus which is used to interface with - the devices inside the Audio Processing Engine (APE) for Tegra210. + the devices inside the Audio Processing Engine (APE) for + Tegra210 and later. config TEGRA_GMI tristate "Tegra Generic Memory Interface bus driver" From cff340eed43a60e8352306c2d0daa936e2609d55 Mon Sep 17 00:00:00 2001 From: Mario Limonciello Date: Mon, 22 Jan 2024 17:34:00 -0600 Subject: [PATCH 080/176] iommu/amd: Mark interrupt as managed [ Upstream commit 0feda94c868d396fac3b3cb14089d2d989a07c72 ] On many systems that have an AMD IOMMU the following sequence of warnings is observed during bootup. ``` pci 0000:00:00.2 can't derive routing for PCI INT A pci 0000:00:00.2: PCI INT A: not connected ``` This series of events happens because of the IOMMU initialization sequence order and the lack of _PRT entries for the IOMMU. During initialization the IOMMU driver first enables the PCI device using pci_enable_device(). This will call acpi_pci_irq_enable() which will check if the interrupt is declared in a PCI routing table (_PRT) entry. According to the PCI spec [1] these routing entries are only required under PCI root bridges: The _PRT object is required under all PCI root bridges The IOMMU is directly connected to the root complex, so there is no parent bridge to look for a _PRT entry. The first warning is emitted since no entry could be found in the hierarchy. The second warning is then emitted because the interrupt hasn't yet been configured to any value. The pin was configured in pci_read_irq() but the byte in PCI_INTERRUPT_LINE return 0xff which means "Unknown". After that sequence of events pci_enable_msi() is called and this will allocate an interrupt. That is both of these warnings are totally harmless because the IOMMU uses MSI for interrupts. To avoid even trying to probe for a _PRT entry mark the IOMMU as IRQ managed. This avoids both warnings. Link: https://uefi.org/htmlspecs/ACPI_Spec_6_4_html/06_Device_Configuration/Device_Configuration.html?highlight=_prt#prt-pci-routing-table [1] Signed-off-by: Mario Limonciello Fixes: cffe0a2b5a34 ("x86, irq: Keep balance of IOAPIC pin reference count") Reviewed-by: Vasant Hegde Link: https://lore.kernel.org/r/20240122233400.1802-1-mario.limonciello@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin (cherry picked from commit 46b9f2480b5bd3793340754eb52aa887fcbeb2f1) Signed-off-by: Harshit Mogalapalli --- drivers/iommu/amd_iommu_init.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c index 8b7702553fa4..2cbf32172b88 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c @@ -1712,6 +1712,9 @@ static int __init iommu_init_pci(struct amd_iommu *iommu) /* Prevent binding other PCI device drivers to IOMMU devices */ iommu->dev->match_driver = false; + /* ACPI _PRT won't have an IRQ for IOMMU */ + iommu->dev->irq_managed = 1; + pci_read_config_dword(iommu->dev, cap_ptr + MMIO_CAP_HDR_OFFSET, &iommu->cap); pci_read_config_dword(iommu->dev, cap_ptr + MMIO_RANGE_OFFSET, From 7f3fb7d44b2c90cb14e6bdc2be5058669186d725 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 13 Feb 2024 11:05:37 +0100 Subject: [PATCH 081/176] wifi: brcmsmac: avoid function pointer casts [ Upstream commit e1ea6db35fc3ba5ff063f097385e9f7a88c25356 ] An old cleanup went a little too far and causes a warning with clang-16 and higher as it breaks control flow integrity (KCFI) rules: drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c:64:34: error: cast from 'void (*)(struct brcms_phy *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 64 | brcms_init_timer(physhim->wl, (void (*)(void *))fn, | ^~~~~~~~~~~~~~~~~~~~ Change this one instance back to passing a void pointer so it can be used with the timer callback interface. Fixes: d89a4c80601d ("staging: brcm80211: removed void * from softmac phy") Signed-off-by: Arnd Bergmann Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://msgid.link/20240213100548.457854-1-arnd@kernel.org Signed-off-by: Sasha Levin (cherry picked from commit 523bd0437c687d0b4edf7548b95217993746c64c) Signed-off-by: Harshit Mogalapalli --- .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c | 3 ++- drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c | 5 ++--- drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c index 1c4e9dd57960..508ebbbda6b6 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_cmn.c @@ -394,8 +394,9 @@ struct shared_phy *wlc_phy_shared_attach(struct shared_phy_params *shp) return sh; } -static void wlc_phy_timercb_phycal(struct brcms_phy *pi) +static void wlc_phy_timercb_phycal(void *ptr) { + struct brcms_phy *pi = ptr; uint delay = 5; if (PHY_PERICAL_MPHASE_PENDING(pi)) { diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c index a0de5db0cd64..b72381791536 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.c @@ -57,12 +57,11 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim) } struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim, - void (*fn)(struct brcms_phy *pi), + void (*fn)(void *pi), void *arg, const char *name) { return (struct wlapi_timer *) - brcms_init_timer(physhim->wl, (void (*)(void *))fn, - arg, name); + brcms_init_timer(physhim->wl, fn, arg, name); } void wlapi_free_timer(struct wlapi_timer *t) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h index dd8774717ade..27d0934e600e 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy_shim.h @@ -131,7 +131,7 @@ void wlc_phy_shim_detach(struct phy_shim_info *physhim); /* PHY to WL utility functions */ struct wlapi_timer *wlapi_init_timer(struct phy_shim_info *physhim, - void (*fn)(struct brcms_phy *pi), + void (*fn)(void *pi), void *arg, const char *name); void wlapi_free_timer(struct wlapi_timer *t); void wlapi_add_timer(struct wlapi_timer *t, uint ms, int periodic); From a8674f8f32d3ce9502633eec64d5f1240d7ab031 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Wed, 30 Aug 2023 17:03:04 +0200 Subject: [PATCH 082/176] ARM: dts: arm: realview: Fix development chip ROM compatible value [ Upstream commit 3baa4c5143d65ebab2de0d99a395e5f4f1f46608 ] When the development chip ROM was added, the "direct-mapped" compatible value was already obsolete. In addition, the device node lacked the accompanying "probe-type" property, causing the old physmap_of_core driver to fall back to trying all available probe types. Unfortunately this fallback was lost when the DT and pdata cases were merged. Fix this by using the modern "mtd-rom" compatible value instead. Fixes: 5c3f5edbe0a1dff3 ("ARM: realview: add flash devices to the PB1176 DTS") Fixes: 642b1e8dbed7bbbf ("mtd: maps: Merge physmap_of.c into physmap-core.c") Signed-off-by: Geert Uytterhoeven Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin (cherry picked from commit d6a0ddacb07986dbd08d97b8c8b0928778e318b4) Signed-off-by: Harshit Mogalapalli --- arch/arm/boot/dts/arm-realview-pb1176.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/arm-realview-pb1176.dts b/arch/arm/boot/dts/arm-realview-pb1176.dts index 939c108c24a6..092285fc7ffe 100644 --- a/arch/arm/boot/dts/arm-realview-pb1176.dts +++ b/arch/arm/boot/dts/arm-realview-pb1176.dts @@ -390,7 +390,7 @@ /* Direct-mapped development chip ROM */ pb1176_rom@10200000 { - compatible = "direct-mapped"; + compatible = "mtd-rom"; reg = <0x10200000 0x4000>; bank-width = <1>; }; From ff060748955642dd9eb032bb32bf8d3c8b0c809c Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" Date: Mon, 26 Feb 2024 17:35:27 +0100 Subject: [PATCH 083/176] ACPI: scan: Fix device check notification handling [ Upstream commit 793551c965116d9dfaf0550dacae1396a20efa69 ] It is generally invalid to fail a Device Check notification if the scan handler has not been attached to the given device after a bus rescan, because there may be valid reasons for the scan handler to refuse attaching to the device (for example, the device is not ready). For this reason, modify acpi_scan_device_check() to return 0 in that case without printing a warning. While at it, reduce the log level of the "already enumerated" message in the same function, because it is only interesting when debugging notification handling Fixes: 443fc8202272 ("ACPI / hotplug: Rework generic code to handle suprise removals") Signed-off-by: Rafael J. Wysocki Reviewed-by: Jonathan Cameron Signed-off-by: Sasha Levin (cherry picked from commit 3dd8bfb5f23fa1605f2a7b62c91258a7d778ccb1) Signed-off-by: Harshit Mogalapalli --- drivers/acpi/scan.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c index 11f07f525b13..d015c1f8c872 100644 --- a/drivers/acpi/scan.c +++ b/drivers/acpi/scan.c @@ -320,18 +320,14 @@ static int acpi_scan_device_check(struct acpi_device *adev) * again). */ if (adev->handler) { - dev_warn(&adev->dev, "Already enumerated\n"); - return -EALREADY; + dev_dbg(&adev->dev, "Already enumerated\n"); + return 0; } error = acpi_bus_scan(adev->handle); if (error) { dev_warn(&adev->dev, "Namespace scan failure\n"); return error; } - if (!adev->handler) { - dev_warn(&adev->dev, "Enumeration failure\n"); - error = -ENODEV; - } } else { error = acpi_scan_device_not_present(adev); } From f1a4dbde435665ebd50419198f51995a86722489 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 27 Feb 2024 09:51:12 -0800 Subject: [PATCH 084/176] x86, relocs: Ignore relocations in .notes section [ Upstream commit aaa8736370db1a78f0e8434344a484f9fd20be3b ] When building with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the "startup_xen" entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable. To avoid leaking the KASLR base without breaking unprivileged tools that are expecting to read /sys/kernel/notes, skip performing relocations in the .notes section. The values readable in .notes are then identical to those found in System.map. Reported-by: Guixiong Wei Closes: https://lore.kernel.org/all/20240218073501.54555-1-guixiongwei@gmail.com/ Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") Fixes: da1a679cde9b ("Add /sys/kernel/notes") Reviewed-by: Juergen Gross Signed-off-by: Kees Cook Signed-off-by: Sasha Levin (cherry picked from commit 13edb509abc91c72152a11baaf0e7c060a312e03) Signed-off-by: Harshit Mogalapalli --- arch/x86/tools/relocs.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c index c58b63178123..5bec866043be 100644 --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c @@ -578,6 +578,14 @@ static void print_absolute_relocs(void) if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { continue; } + /* + * Do not perform relocations in .notes section; any + * values there are meant for pre-boot consumption (e.g. + * startup_xen). + */ + if (sec_applies->shdr.sh_type == SHT_NOTE) { + continue; + } sh_symtab = sec_symtab->symtab; sym_strtab = sec_symtab->link->strtab; for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { From 98dd836d4d90f8c75583cdb77e51e43416145bf2 Mon Sep 17 00:00:00 2001 From: Zhipeng Lu Date: Tue, 2 Jan 2024 13:38:13 +0800 Subject: [PATCH 085/176] SUNRPC: fix some memleaks in gssx_dec_option_array [ Upstream commit 3cfcfc102a5e57b021b786a755a38935e357797d ] The creds and oa->data need to be freed in the error-handling paths after their allocation. So this patch add these deallocations in the corresponding paths. Fixes: 1d658336b05f ("SUNRPC: Add RPC based upcall mechanism for RPCGSS auth") Signed-off-by: Zhipeng Lu Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin (cherry picked from commit b97c37978ca825557d331c9012e0c1ddc0e42364) Signed-off-by: Harshit Mogalapalli --- net/sunrpc/auth_gss/gss_rpc_xdr.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c index 444380f968f1..730a9c4dc993 100644 --- a/net/sunrpc/auth_gss/gss_rpc_xdr.c +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c @@ -263,8 +263,8 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, creds = kzalloc(sizeof(struct svc_cred), GFP_KERNEL); if (!creds) { - kfree(oa->data); - return -ENOMEM; + err = -ENOMEM; + goto free_oa; } oa->data[0].option.data = CREDS_VALUE; @@ -278,29 +278,40 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, /* option buffer */ p = xdr_inline_decode(xdr, 4); - if (unlikely(p == NULL)) - return -ENOSPC; + if (unlikely(p == NULL)) { + err = -ENOSPC; + goto free_creds; + } length = be32_to_cpup(p); p = xdr_inline_decode(xdr, length); - if (unlikely(p == NULL)) - return -ENOSPC; + if (unlikely(p == NULL)) { + err = -ENOSPC; + goto free_creds; + } if (length == sizeof(CREDS_VALUE) && memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) { /* We have creds here. parse them */ err = gssx_dec_linux_creds(xdr, creds); if (err) - return err; + goto free_creds; oa->data[0].value.len = 1; /* presence */ } else { /* consume uninteresting buffer */ err = gssx_dec_buffer(xdr, &dummy); if (err) - return err; + goto free_creds; } } return 0; + +free_creds: + kfree(creds); +free_oa: + kfree(oa->data); + oa->data = NULL; + return err; } static int gssx_dec_status(struct xdr_stream *xdr, From 4cb02a03a5ed3ea326f92cb72cc6d96019ea43f4 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Mon, 26 Feb 2024 22:37:39 +0100 Subject: [PATCH 086/176] mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function [ Upstream commit ae5004a40a262d329039b99b62bd3fe7645b66ad ] This looks strange to call release_mem_region() in a remove function without any request_mem_region() in the probe or "struct resource" somewhere. So remove the corresponding code. Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/bb0bb1ed1e18de55e8c0547625bde271e64b8c31.1708983064.git.christophe.jaillet@wanadoo.fr Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin (cherry picked from commit f10426db32e7712fcc72154e2fa288f7127094ad) Signed-off-by: Harshit Mogalapalli --- drivers/mmc/host/wmt-sdmmc.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c index 627b7d487461..5be752ce5a9a 100644 --- a/drivers/mmc/host/wmt-sdmmc.c +++ b/drivers/mmc/host/wmt-sdmmc.c @@ -893,7 +893,6 @@ static int wmt_mci_remove(struct platform_device *pdev) { struct mmc_host *mmc; struct wmt_mci_priv *priv; - struct resource *res; u32 reg_tmp; mmc = platform_get_drvdata(pdev); @@ -921,9 +920,6 @@ static int wmt_mci_remove(struct platform_device *pdev) clk_disable_unprepare(priv->clk_sdmmc); clk_put(priv->clk_sdmmc); - res = platform_get_resource(pdev, IORESOURCE_MEM, 0); - release_mem_region(res->start, resource_size(res)); - mmc_free_host(mmc); dev_info(&pdev->dev, "WMT MCI device removed\n"); From 7344a5ae74cc4e62b079a877d20b2570e2f235ef Mon Sep 17 00:00:00 2001 From: Ruud Bos Date: Thu, 28 Oct 2021 16:34:57 +0200 Subject: [PATCH 087/176] igb: move PEROUT and EXTTS isr logic to separate functions [ Upstream commit cf99c1dd7b7729091043374b90807c7a5f9fd9b1 ] Remove code duplication in the tsync interrupt handler function by moving this logic to separate functions. This keeps the interrupt handler readable and allows the new functions to be extended for adapter types other than i210. Signed-off-by: Ruud Bos Tested-by: Gurucharan G Signed-off-by: Tony Nguyen Stable-dep-of: ee14cc9ea19b ("igb: Fix missing time sync events") Signed-off-by: Sasha Levin (cherry picked from commit d686b4537ead6bdd1a636040c00af51e9e0a1bc5) Signed-off-by: Harshit Mogalapalli --- drivers/net/ethernet/intel/igb/igb_main.c | 81 +++++++++++++---------- 1 file changed, 46 insertions(+), 35 deletions(-) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index d679b31c9a13..4c51d7648524 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -5771,12 +5771,52 @@ void igb_update_stats(struct igb_adapter *adapter) } } +static void igb_perout(struct igb_adapter *adapter, int tsintr_tt) +{ + int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_PEROUT, tsintr_tt); + struct e1000_hw *hw = &adapter->hw; + struct timespec64 ts; + u32 tsauxc; + + if (pin < 0 || pin >= IGB_N_PEROUT) + return; + + spin_lock(&adapter->tmreg_lock); + ts = timespec64_add(adapter->perout[pin].start, + adapter->perout[pin].period); + /* u32 conversion of tv_sec is safe until y2106 */ + wr32((tsintr_tt == 1) ? E1000_TRGTTIML1 : E1000_TRGTTIML0, ts.tv_nsec); + wr32((tsintr_tt == 1) ? E1000_TRGTTIMH1 : E1000_TRGTTIMH0, (u32)ts.tv_sec); + tsauxc = rd32(E1000_TSAUXC); + tsauxc |= TSAUXC_EN_TT0; + wr32(E1000_TSAUXC, tsauxc); + adapter->perout[pin].start = ts; + spin_unlock(&adapter->tmreg_lock); +} + +static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) +{ + int pin = ptp_find_pin(adapter->ptp_clock, PTP_PF_EXTTS, tsintr_tt); + struct e1000_hw *hw = &adapter->hw; + struct ptp_clock_event event; + u32 sec, nsec; + + if (pin < 0 || pin >= IGB_N_EXTTS) + return; + + nsec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPL1 : E1000_AUXSTMPL0); + sec = rd32((tsintr_tt == 1) ? E1000_AUXSTMPH1 : E1000_AUXSTMPH0); + event.type = PTP_CLOCK_EXTTS; + event.index = tsintr_tt; + event.timestamp = sec * 1000000000ULL + nsec; + ptp_clock_event(adapter->ptp_clock, &event); +} + static void igb_tsync_interrupt(struct igb_adapter *adapter) { struct e1000_hw *hw = &adapter->hw; + u32 ack = 0, tsicr = rd32(E1000_TSICR); struct ptp_clock_event event; - struct timespec64 ts; - u32 ack = 0, tsauxc, sec, nsec, tsicr = rd32(E1000_TSICR); if (tsicr & TSINTR_SYS_WRAP) { event.type = PTP_CLOCK_PPS; @@ -5792,51 +5832,22 @@ static void igb_tsync_interrupt(struct igb_adapter *adapter) } if (tsicr & TSINTR_TT0) { - spin_lock(&adapter->tmreg_lock); - ts = timespec64_add(adapter->perout[0].start, - adapter->perout[0].period); - /* u32 conversion of tv_sec is safe until y2106 */ - wr32(E1000_TRGTTIML0, ts.tv_nsec); - wr32(E1000_TRGTTIMH0, (u32)ts.tv_sec); - tsauxc = rd32(E1000_TSAUXC); - tsauxc |= TSAUXC_EN_TT0; - wr32(E1000_TSAUXC, tsauxc); - adapter->perout[0].start = ts; - spin_unlock(&adapter->tmreg_lock); + igb_perout(adapter, 0); ack |= TSINTR_TT0; } if (tsicr & TSINTR_TT1) { - spin_lock(&adapter->tmreg_lock); - ts = timespec64_add(adapter->perout[1].start, - adapter->perout[1].period); - wr32(E1000_TRGTTIML1, ts.tv_nsec); - wr32(E1000_TRGTTIMH1, (u32)ts.tv_sec); - tsauxc = rd32(E1000_TSAUXC); - tsauxc |= TSAUXC_EN_TT1; - wr32(E1000_TSAUXC, tsauxc); - adapter->perout[1].start = ts; - spin_unlock(&adapter->tmreg_lock); + igb_perout(adapter, 1); ack |= TSINTR_TT1; } if (tsicr & TSINTR_AUTT0) { - nsec = rd32(E1000_AUXSTMPL0); - sec = rd32(E1000_AUXSTMPH0); - event.type = PTP_CLOCK_EXTTS; - event.index = 0; - event.timestamp = sec * 1000000000ULL + nsec; - ptp_clock_event(adapter->ptp_clock, &event); + igb_extts(adapter, 0); ack |= TSINTR_AUTT0; } if (tsicr & TSINTR_AUTT1) { - nsec = rd32(E1000_AUXSTMPL1); - sec = rd32(E1000_AUXSTMPH1); - event.type = PTP_CLOCK_EXTTS; - event.index = 1; - event.timestamp = sec * 1000000000ULL + nsec; - ptp_clock_event(adapter->ptp_clock, &event); + igb_extts(adapter, 1); ack |= TSINTR_AUTT1; } From 2fe7a8cde6d1b03ecb4fed3f7cf6e5427463cfda Mon Sep 17 00:00:00 2001 From: Vinicius Costa Gomes Date: Tue, 20 Feb 2024 15:57:11 -0800 Subject: [PATCH 088/176] igb: Fix missing time sync events [ Upstream commit ee14cc9ea19ba9678177e2224a9c58cce5937c73 ] Fix "double" clearing of interrupts, which can cause external events or timestamps to be missed. The E1000_TSIRC Time Sync Interrupt Cause register can be cleared in two ways, by either reading it or by writing '1' into the specific cause bit. This is documented in section 8.16.1. The following flow was used: 1. read E1000_TSIRC into 'tsicr'; 2. handle the interrupts present into 'tsirc' and mark them in 'ack'; 3. write 'ack' into E1000_TSICR; As both (1) and (3) will clear the interrupt cause, if the same interrupt happens again between (1) and (3) it will be ignored, causing events to be missed. Remove the extra clear in (3). Fixes: 00c65578b47b ("igb: enable internal PPS for the i210") Acked-by: Richard Cochran Signed-off-by: Vinicius Costa Gomes Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin (cherry picked from commit f346bf4db1ebaad9c8ca5aae6397c7867b8ac4f3) Signed-off-by: Harshit Mogalapalli --- drivers/net/ethernet/intel/igb/igb_main.c | 23 +++++------------------ 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 4c51d7648524..555fb9f7edc7 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -5815,44 +5815,31 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt) static void igb_tsync_interrupt(struct igb_adapter *adapter) { struct e1000_hw *hw = &adapter->hw; - u32 ack = 0, tsicr = rd32(E1000_TSICR); + u32 tsicr = rd32(E1000_TSICR); struct ptp_clock_event event; if (tsicr & TSINTR_SYS_WRAP) { event.type = PTP_CLOCK_PPS; if (adapter->ptp_caps.pps) ptp_clock_event(adapter->ptp_clock, &event); - ack |= TSINTR_SYS_WRAP; } if (tsicr & E1000_TSICR_TXTS) { /* retrieve hardware timestamp */ schedule_work(&adapter->ptp_tx_work); - ack |= E1000_TSICR_TXTS; } - if (tsicr & TSINTR_TT0) { + if (tsicr & TSINTR_TT0) igb_perout(adapter, 0); - ack |= TSINTR_TT0; - } - if (tsicr & TSINTR_TT1) { + if (tsicr & TSINTR_TT1) igb_perout(adapter, 1); - ack |= TSINTR_TT1; - } - if (tsicr & TSINTR_AUTT0) { + if (tsicr & TSINTR_AUTT0) igb_extts(adapter, 0); - ack |= TSINTR_AUTT0; - } - if (tsicr & TSINTR_AUTT1) { + if (tsicr & TSINTR_AUTT1) igb_extts(adapter, 1); - ack |= TSINTR_AUTT1; - } - - /* acknowledge the interrupts */ - wr32(E1000_TSICR, ack); } static irqreturn_t igb_msix_other(int irq, void *data) From e63d5f1f3f5f918a0a94e7d4facccfa6342239cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?= Date: Mon, 8 Jan 2024 23:46:06 +0100 Subject: [PATCH 089/176] Bluetooth: Remove superfluous call to hci_conn_check_pending() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 78e3639fc8031275010c3287ac548c0bc8de83b1 ] The "pending connections" feature was originally introduced with commit 4c67bc74f016 ("[Bluetooth] Support concurrent connect requests") and 6bd57416127e ("[Bluetooth] Handling pending connect attempts after inquiry") to handle controllers supporting only a single connection request at a time. Later things were extended to also cancel ongoing inquiries on connect() with commit 89e65975fea5 ("Bluetooth: Cancel Inquiry before Create Connection"). With commit a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes"), hci_conn_check_pending() was introduced as a helper to consolidate a few places where we check for pending connections (indicated by the BT_CONNECT2 flag) and then try to connect. This refactoring commit also snuck in two more calls to hci_conn_check_pending(): - One is in the failure callback of hci_cs_inquiry(), this one probably makes sense: If we send an "HCI Inquiry" command and then immediately after a "Create Connection" command, the "Create Connection" command might fail before the "HCI Inquiry" command, and then we want to retry the "Create Connection" on failure of the "HCI Inquiry". - The other added call to hci_conn_check_pending() is in the event handler for the "Remote Name" event, this seems unrelated and is possibly a copy-paste error, so remove that one. Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes") Signed-off-by: Jonas Dreßler Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin (cherry picked from commit 6e960390709966929a29eaec8bca710237a54f24) Signed-off-by: Harshit Mogalapalli --- net/bluetooth/hci_event.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 987ba33375c9..c6daea873d53 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -2514,8 +2514,6 @@ static void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb) BT_DBG("%s", hdev->name); - hci_conn_check_pending(hdev); - hci_dev_lock(hdev); conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr); From 224f6971eb2b4457331804d194017c1524f8157f Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Wed, 28 Feb 2024 10:49:26 -0500 Subject: [PATCH 090/176] Bluetooth: hci_core: Fix possible buffer overflow [ Upstream commit 81137162bfaa7278785b24c1fd2e9e74f082e8e4 ] struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin (cherry picked from commit 6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac) Signed-off-by: Harshit Mogalapalli --- net/bluetooth/hci_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 8faecd94bf5a..5a6bef003eba 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2024,7 +2024,7 @@ int hci_get_dev_info(void __user *arg) else flags = hdev->flags; - strcpy(di.name, hdev->name); + strscpy(di.name, hdev->name, sizeof(di.name)); di.bdaddr = hdev->bdaddr; di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4); di.flags = flags; From aca6a0b117cfb0701cc2bea02db1e8c6372b08b0 Mon Sep 17 00:00:00 2001 From: Chen Ni Date: Tue, 5 Mar 2024 07:59:27 +0000 Subject: [PATCH 091/176] sr9800: Add check for usbnet_get_endpoints [ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ] Add check for usbnet_get_endpoints() and return the error if it fails in order to transfer the error. Signed-off-by: Chen Ni Reviewed-by: Simon Horman Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support") Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 424eba06ed405d557077339edb19ce0ebe39e7c7) Signed-off-by: Harshit Mogalapalli --- drivers/net/usb/sr9800.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c index 8f8c9ede88c2..a5ff7df10505 100644 --- a/drivers/net/usb/sr9800.c +++ b/drivers/net/usb/sr9800.c @@ -737,7 +737,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf) data->eeprom_len = SR9800_EEPROM_LEN; - usbnet_get_endpoints(dev, intf); + ret = usbnet_get_endpoints(dev, intf); + if (ret) + goto out; /* LED Setting Rule : * AABB:CCDD From 5b157b57a27deae00138ebbf9abe793d85b80d12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= Date: Thu, 7 Mar 2024 13:03:36 +0100 Subject: [PATCH 092/176] bpf: Fix hashtab overflow check on 32-bit arches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 ] The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup. Fixes: daaf427c6ab3 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks") Signed-off-by: Toke Høiland-Jørgensen Message-ID: <20240307120340.99577-3-toke@redhat.com> Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin (cherry picked from commit 33ec04cadb77605b71d9298311919303d390c4d5) [Harshit: fix conflitc due to missing commit: daffc5a2e6f4 ("bpf: hashtab: move attribute validation before allocation") in 4.14.y] Signed-off-by: Harshit Mogalapalli --- kernel/bpf/hashtab.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index db2c3e019daf..c46bbccfdcc0 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -298,7 +298,13 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) num_possible_cpus()); } - /* hash table size must be power of 2 */ + /* hash table size must be power of 2; roundup_pow_of_two() can overflow + * into UB on 32-bit arches, so check that first + */ + err = -E2BIG; + if (htab->map.max_entries > 1UL << 31) + goto free_htab; + htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); err = -E2BIG; @@ -324,9 +330,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr) else htab->elem_size += round_up(htab->map.value_size, 8); - /* prevent zero size kmalloc and check for u32 overflow */ - if (htab->n_buckets == 0 || - htab->n_buckets > U32_MAX / sizeof(struct bucket)) + /* check for u32 overflow */ + if (htab->n_buckets > U32_MAX / sizeof(struct bucket)) goto free_htab; cost = (u64) htab->n_buckets * sizeof(struct bucket) + From c7eb664d0ae8b3da9621816bfe11ad862c24e342 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= Date: Thu, 7 Mar 2024 13:03:37 +0100 Subject: [PATCH 093/176] bpf: Fix stackmap overflow check on 32-bit arches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 7a4b21250bf79eef26543d35bd390448646c536b ] The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem. Fixes: 6183f4d3a0a2 ("bpf: Check for integer overflow when using roundup_pow_of_two()") Signed-off-by: Toke Høiland-Jørgensen Reviewed-by: Bui Quang Minh Message-ID: <20240307120340.99577-4-toke@redhat.com> Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin (cherry picked from commit d0e214acc59145ce25113f617311aa79dda39cb3) Signed-off-by: Harshit Mogalapalli --- kernel/bpf/stackmap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c index 099dc780a92f..ce24b2010dc7 100644 --- a/kernel/bpf/stackmap.c +++ b/kernel/bpf/stackmap.c @@ -70,11 +70,14 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) value_size / 8 > sysctl_perf_event_max_stack) return ERR_PTR(-EINVAL); - /* hash table size must be power of 2 */ - n_buckets = roundup_pow_of_two(attr->max_entries); - if (!n_buckets) + /* hash table size must be power of 2; roundup_pow_of_two() can overflow + * into UB on 32-bit arches, so check that first + */ + if (attr->max_entries > 1UL << 31) return ERR_PTR(-E2BIG); + n_buckets = roundup_pow_of_two(attr->max_entries); + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); if (cost >= U32_MAX - PAGE_SIZE) return ERR_PTR(-E2BIG); From efa596b077451aef0f8bb760ad3975264a046ee4 Mon Sep 17 00:00:00 2001 From: Shiming Cheng Date: Thu, 7 Mar 2024 18:01:57 +0800 Subject: [PATCH 094/176] ipv6: fib6_rules: flush route cache when rule is changed [ Upstream commit c4386ab4f6c600f75fdfd21143f89bac3e625d0d ] When rule policy is changed, ipv6 socket cache is not refreshed. The sock's skb still uses a outdated route cache and was sent to a wrong interface. To avoid this error we should update fib node's version when rule is changed. Then skb's route will be reroute checked as route cache version is already different with fib node version. The route cache is refreshed to match the latest rule. Fixes: 101367c2f8c4 ("[IPV6]: Policy Routing Rules") Signed-off-by: Shiming Cheng Signed-off-by: Lena Wang Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 95db6e62a2d920abf43c169e51046adb9f394ef0) Signed-off-by: Harshit Mogalapalli --- net/ipv6/fib6_rules.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index b240f24a6e52..5ecec10374ca 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -315,6 +315,11 @@ static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule) + nla_total_size(16); /* src */ } +static void fib6_rule_flush_cache(struct fib_rules_ops *ops) +{ + rt_genid_bump_ipv6(ops->fro_net); +} + static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { .family = AF_INET6, .rule_size = sizeof(struct fib6_rule), @@ -326,6 +331,7 @@ static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { .compare = fib6_rule_compare, .fill = fib6_rule_fill, .nlmsg_payload = fib6_rule_nlmsg_payload, + .flush_cache = fib6_rule_flush_cache, .nlgroup = RTNLGRP_IPV6_RULE, .policy = fib6_rule_policy, .owner = THIS_MODULE, From 9676e9447d12a404638bbee6bd43852440c7c137 Mon Sep 17 00:00:00 2001 From: Gavrilov Ilia Date: Thu, 7 Mar 2024 14:23:49 +0000 Subject: [PATCH 095/176] tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function [ Upstream commit 716edc9706deb3bb2ff56e2eeb83559cea8f22db ] The 'len' variable can't be negative when assigned the result of 'min_t' because all 'min_t' parameters are cast to unsigned int, and then the minimum one is chosen. To fix the logic, check 'len' as read from 'optlen', where the types of relevant variables are (signed) int. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Gavrilov Ilia Reviewed-by: Jason Xing Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit d909b53ff5b8f005b474b4417ee271f5a4adca94) Signed-off-by: Harshit Mogalapalli --- net/ipv4/tcp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index eb5458cbdc1c..7c4c871208e0 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3030,11 +3030,11 @@ static int do_tcp_getsockopt(struct sock *sk, int level, if (get_user(len, optlen)) return -EFAULT; - len = min_t(unsigned int, len, sizeof(int)); - if (len < 0) return -EINVAL; + len = min_t(unsigned int, len, sizeof(int)); + switch (optname) { case TCP_MAXSEG: val = tp->mss_cache; From a0e4e51da39f5a7fc9d9e1f5fc14640701887d90 Mon Sep 17 00:00:00 2001 From: Gavrilov Ilia Date: Thu, 7 Mar 2024 14:23:50 +0000 Subject: [PATCH 096/176] l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function [ Upstream commit 955e9876ba4ee26eeaab1b13517f5b2c88e73d55 ] The 'len' variable can't be negative when assigned the result of 'min_t' because all 'min_t' parameters are cast to unsigned int, and then the minimum one is chosen. To fix the logic, check 'len' as read from 'optlen', where the types of relevant variables are (signed) int. Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") Reviewed-by: Tom Parkin Signed-off-by: Gavrilov Ilia Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 51a7e05fbca612ae1f09f62dfe21957380b8546d) Signed-off-by: Harshit Mogalapalli --- net/l2tp/l2tp_ppp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c index 332fa7ec8a3d..74f842a305b9 100644 --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -1535,11 +1535,11 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname, if (get_user(len, optlen)) return -EFAULT; - len = min_t(unsigned int, len, sizeof(int)); - if (len < 0) return -EINVAL; + len = min_t(unsigned int, len, sizeof(int)); + err = -ENOTCONN; if (sk->sk_user_data == NULL) goto end; From 5cfa0a58e61d01c690063af3623d0a53b76951a6 Mon Sep 17 00:00:00 2001 From: Gavrilov Ilia Date: Thu, 7 Mar 2024 14:23:50 +0000 Subject: [PATCH 097/176] udp: fix incorrect parameter validation in the udp_lib_getsockopt() function [ Upstream commit 4bb3ba7b74fceec6f558745b25a43c6521cf5506 ] The 'len' variable can't be negative when assigned the result of 'min_t' because all 'min_t' parameters are cast to unsigned int, and then the minimum one is chosen. To fix the logic, check 'len' as read from 'optlen', where the types of relevant variables are (signed) int. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Willem de Bruijn Signed-off-by: Gavrilov Ilia Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit f21612ee652c08b4a5a0bb11528035f57935fae1) Signed-off-by: Harshit Mogalapalli --- net/ipv4/udp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 21429419abb5..aa998d598ce1 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -2478,11 +2478,11 @@ int udp_lib_getsockopt(struct sock *sk, int level, int optname, if (get_user(len, optlen)) return -EFAULT; - len = min_t(unsigned int, len, sizeof(int)); - if (len < 0) return -EINVAL; + len = min_t(unsigned int, len, sizeof(int)); + switch (optname) { case UDP_CORK: val = READ_ONCE(up->corkflag); From 59a4e1ed1e12998b6ee449091fe2ae36597b223b Mon Sep 17 00:00:00 2001 From: Gavrilov Ilia Date: Thu, 7 Mar 2024 14:23:50 +0000 Subject: [PATCH 098/176] net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function [ Upstream commit 3ed5f415133f9b7518fbe55ba9ae9a3f5e700929 ] The 'len' variable can't be negative when assigned the result of 'min_t' because all 'min_t' parameters are cast to unsigned int, and then the minimum one is chosen. To fix the logic, check 'len' as read from 'optlen', where the types of relevant variables are (signed) int. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Signed-off-by: Gavrilov Ilia Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 867608c0abcbdc86e62925604ac2d3f0c7ca678a) Signed-off-by: Harshit Mogalapalli --- net/kcm/kcmsock.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c index e0fe70b55629..5e6949ef15fd 100644 --- a/net/kcm/kcmsock.c +++ b/net/kcm/kcmsock.c @@ -1276,10 +1276,11 @@ static int kcm_getsockopt(struct socket *sock, int level, int optname, if (get_user(len, optlen)) return -EFAULT; - len = min_t(unsigned int, len, sizeof(int)); if (len < 0) return -EINVAL; + len = min_t(unsigned int, len, sizeof(int)); + switch (optname) { case KCM_RECV_DISABLE: val = kcm->rx_disabled; From fa19944cf14ae594b5b1353f881e80f4d83016b5 Mon Sep 17 00:00:00 2001 From: Gavrilov Ilia Date: Thu, 7 Mar 2024 14:23:50 +0000 Subject: [PATCH 099/176] net/x25: fix incorrect parameter validation in the x25_getsockopt() function [ Upstream commit d6eb8de2015f0c24822e47356f839167ebde2945 ] The 'len' variable can't be negative when assigned the result of 'min_t' because all 'min_t' parameters are cast to unsigned int, and then the minimum one is chosen. To fix the logic, check 'len' as read from 'optlen', where the types of relevant variables are (signed) int. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Gavrilov Ilia Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 7089428a1a4e28efa0c36877d80639a8306fdbf4) Signed-off-by: Harshit Mogalapalli --- net/x25/af_x25.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c index 73e293c3f2fb..973bac8b2b8b 100644 --- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -474,12 +474,12 @@ static int x25_getsockopt(struct socket *sock, int level, int optname, if (get_user(len, optlen)) goto out; - len = min_t(unsigned int, len, sizeof(int)); - rc = -EINVAL; if (len < 0) goto out; + len = min_t(unsigned int, len, sizeof(int)); + rc = -EFAULT; if (put_user(len, optlen)) goto out; From 3d651f489f213a8688c49fdb9c5af4e94aaefe08 Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Mon, 11 Mar 2024 13:42:55 -0400 Subject: [PATCH 100/176] dm raid: fix false positive for requeue needed during reshape [ Upstream commit b25b8f4b8ecef0f48c05f0c3572daeabefe16526 ] An empty flush doesn't have a payload, so it should never be looked at when considering to possibly requeue a bio for the case when a reshape is in progress. Fixes: 9dbd1aa3a81c ("dm raid: add reshaping support to the target") Reported-by: Patrick Plenefisch Signed-off-by: Ming Lei Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin (cherry picked from commit 52a35f5551c6c63f2c50c24117377faa47b2395c) Signed-off-by: Harshit Mogalapalli --- drivers/md/dm-raid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c index b818cc982e62..54b99fc10aa2 100644 --- a/drivers/md/dm-raid.c +++ b/drivers/md/dm-raid.c @@ -3248,14 +3248,14 @@ static int raid_map(struct dm_target *ti, struct bio *bio) struct mddev *mddev = &rs->md; /* - * If we're reshaping to add disk(s)), ti->len and + * If we're reshaping to add disk(s), ti->len and * mddev->array_sectors will differ during the process * (ti->len > mddev->array_sectors), so we have to requeue * bios with addresses > mddev->array_sectors here or * there will occur accesses past EOD of the component * data images thus erroring the raid set. */ - if (unlikely(bio_end_sector(bio) > mddev->array_sectors)) + if (unlikely(bio_has_data(bio) && bio_end_sector(bio) > mddev->array_sectors)) return DM_MAPIO_REQUEUE; md_handle_request(mddev, bio); From d8348562b9ba5d57db7ff9c39b40c326d81fec2d Mon Sep 17 00:00:00 2001 From: Mikulas Patocka Date: Mon, 11 Mar 2024 15:06:39 +0100 Subject: [PATCH 101/176] dm: call the resume method on internal suspend [ Upstream commit 65e8fbde64520001abf1c8d0e573561b4746ef38 ] There is this reported crash when experimenting with the lvm2 testsuite. The list corruption is caused by the fact that the postsuspend and resume methods were not paired correctly; there were two consecutive calls to the origin_postsuspend function. The second call attempts to remove the "hash_list" entry from a list, while it was already removed by the first call. Fix __dm_internal_resume so that it calls the preresume and resume methods of the table's targets. If a preresume method of some target fails, we are in a tricky situation. We can't return an error because dm_internal_resume isn't supposed to return errors. We can't return success, because then the "resume" and "postsuspend" methods would not be paired correctly. So, we set the DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace tools, but it won't cause a kernel crash. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0 RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058 R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001 R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0 FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0 Call Trace: ? die+0x2d/0x80 ? do_trap+0xeb/0xf0 ? __list_del_entry_valid_or_report+0x77/0xc0 ? do_error_trap+0x60/0x80 ? __list_del_entry_valid_or_report+0x77/0xc0 ? exc_invalid_op+0x49/0x60 ? __list_del_entry_valid_or_report+0x77/0xc0 ? asm_exc_invalid_op+0x16/0x20 ? table_deps+0x1b0/0x1b0 [dm_mod] ? __list_del_entry_valid_or_report+0x77/0xc0 origin_postsuspend+0x1a/0x50 [dm_snapshot] dm_table_postsuspend_targets+0x34/0x50 [dm_mod] dm_suspend+0xd8/0xf0 [dm_mod] dev_suspend+0x1f2/0x2f0 [dm_mod] ? table_deps+0x1b0/0x1b0 [dm_mod] ctl_ioctl+0x300/0x5f0 [dm_mod] dm_compat_ctl_ioctl+0x7/0x10 [dm_mod] __x64_compat_sys_ioctl+0x104/0x170 do_syscall_64+0x184/0x1b0 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0xf7e6aead ---[ end trace 0000000000000000 ]--- Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface") Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin (cherry picked from commit 69836d9329f0b4c58faaf3d886a7748ddb5bf718) Signed-off-by: Harshit Mogalapalli --- drivers/md/dm.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 92f92ea417b9..6467ea5c987d 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2600,6 +2600,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla static void __dm_internal_resume(struct mapped_device *md) { + int r; + struct dm_table *map; + BUG_ON(!md->internal_suspend_count); if (--md->internal_suspend_count) @@ -2608,12 +2611,23 @@ static void __dm_internal_resume(struct mapped_device *md) if (dm_suspended_md(md)) goto done; /* resume from nested suspend */ - /* - * NOTE: existing callers don't need to call dm_table_resume_targets - * (which may fail -- so best to avoid it for now by passing NULL map) - */ - (void) __dm_resume(md, NULL); - + map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + r = __dm_resume(md, map); + if (r) { + /* + * If a preresume method of some target failed, we are in a + * tricky situation. We can't return an error to the caller. We + * can't fake success because then the "resume" and + * "postsuspend" methods would not be paired correctly, and it + * would break various targets, for example it would cause list + * corruption in the "origin" target. + * + * So, we fake normal suspend here, to make sure that the + * "resume" and "postsuspend" methods will be paired correctly. + */ + DMERR("Preresume method failed: %d", r); + set_bit(DMF_SUSPENDED, &md->flags); + } done: clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); smp_mb__after_atomic(); From c5b100db7c774d0770809952834e65c00da6aed8 Mon Sep 17 00:00:00 2001 From: Chen Ni Date: Tue, 24 Oct 2023 08:07:38 +0000 Subject: [PATCH 102/176] drm/tegra: dsi: Add missing check for of_find_device_by_node [ Upstream commit afe6fcb9775882230cd29b529203eabd5d2a638d ] Add check for the return value of of_find_device_by_node() and return the error if it fails in order to avoid NULL pointer dereference. Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") Signed-off-by: Chen Ni Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20231024080738.825553-1-nichen@iscas.ac.cn Signed-off-by: Sasha Levin (cherry picked from commit 47a13d0b9d8527518639ab5c39667f69d6203e80) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/tegra/dsi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index 4e06af34c048..9f51cee6d9d0 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -1476,9 +1476,11 @@ static int tegra_dsi_ganged_probe(struct tegra_dsi *dsi) np = of_parse_phandle(dsi->dev->of_node, "nvidia,ganged-mode", 0); if (np) { struct platform_device *gangster = of_find_device_by_node(np); + of_node_put(np); + if (!gangster) + return -EPROBE_DEFER; dsi->slave = platform_get_drvdata(gangster); - of_node_put(np); if (!dsi->slave) { put_device(&gangster->dev); From a1d6e2d545ae60e3c0f14afc655960a12a1836ce Mon Sep 17 00:00:00 2001 From: Sowjanya Komatineni Date: Tue, 14 Jul 2020 21:20:51 -0700 Subject: [PATCH 103/176] gpu: host1x: mipi: Update tegra_mipi_request() to be node based [ Upstream commit 767598d447aa46411289c5808b0e45e20a1823b4 ] Tegra CSI driver need a separate MIPI device for each channel as calibration of corresponding MIPI pads for each channel should happen independently. So, this patch updates tegra_mipi_request() API to add a device_node pointer argument to allow creating mipi device for specific device node rather than a device. Signed-off-by: Sowjanya Komatineni Signed-off-by: Thierry Reding Stable-dep-of: 830c1ded3563 ("drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()") Signed-off-by: Sasha Levin (cherry picked from commit aaa5ef6db779a2ffdac6e2c4e27a042fc85af425) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/tegra/dsi.c | 2 +- drivers/gpu/host1x/mipi.c | 4 ++-- include/linux/host1x.h | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index 9f51cee6d9d0..421f70494d40 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -1567,7 +1567,7 @@ static int tegra_dsi_probe(struct platform_device *pdev) if (IS_ERR(dsi->regs)) return PTR_ERR(dsi->regs); - dsi->mipi = tegra_mipi_request(&pdev->dev); + dsi->mipi = tegra_mipi_request(&pdev->dev, pdev->dev.of_node); if (IS_ERR(dsi->mipi)) return PTR_ERR(dsi->mipi); diff --git a/drivers/gpu/host1x/mipi.c b/drivers/gpu/host1x/mipi.c index e00809d996a2..762d349ad00f 100644 --- a/drivers/gpu/host1x/mipi.c +++ b/drivers/gpu/host1x/mipi.c @@ -206,9 +206,9 @@ static int tegra_mipi_power_down(struct tegra_mipi *mipi) return 0; } -struct tegra_mipi_device *tegra_mipi_request(struct device *device) +struct tegra_mipi_device *tegra_mipi_request(struct device *device, + struct device_node *np) { - struct device_node *np = device->of_node; struct tegra_mipi_device *dev; struct of_phandle_args args; int err; diff --git a/include/linux/host1x.h b/include/linux/host1x.h index 630b1a98ab58..96594c30097e 100644 --- a/include/linux/host1x.h +++ b/include/linux/host1x.h @@ -337,7 +337,8 @@ int host1x_client_unregister(struct host1x_client *client); struct tegra_mipi_device; -struct tegra_mipi_device *tegra_mipi_request(struct device *device); +struct tegra_mipi_device *tegra_mipi_request(struct device *device, + struct device_node *np); void tegra_mipi_free(struct tegra_mipi_device *device); int tegra_mipi_enable(struct tegra_mipi_device *device); int tegra_mipi_disable(struct tegra_mipi_device *device); From a7f31893877bed52efc884b8151f7bd211643115 Mon Sep 17 00:00:00 2001 From: Cai Huoqing Date: Thu, 16 Sep 2021 18:56:40 +0800 Subject: [PATCH 104/176] drm/tegra: dsi: Make use of the helper function dev_err_probe() [ Upstream commit fc75e4fcbd1e4252a0481ebb23cd4516c127a8e2 ] When possible use dev_err_probe help to properly deal with the PROBE_DEFER error, the benefit is that DEFER issue will be logged in the devices_deferred debugfs file. And using dev_err_probe() can reduce code size, the error value gets printed. Signed-off-by: Cai Huoqing Signed-off-by: Thierry Reding Stable-dep-of: 830c1ded3563 ("drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()") Signed-off-by: Sasha Levin (cherry picked from commit 4003d399dd34bd9a80fcf78a3feb3140eb82b2b8) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/tegra/dsi.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index 421f70494d40..5af5f9871093 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -1533,28 +1533,24 @@ static int tegra_dsi_probe(struct platform_device *pdev) } dsi->clk = devm_clk_get(&pdev->dev, NULL); - if (IS_ERR(dsi->clk)) { - dev_err(&pdev->dev, "cannot get DSI clock\n"); - return PTR_ERR(dsi->clk); - } + if (IS_ERR(dsi->clk)) + return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), + "cannot get DSI clock\n"); dsi->clk_lp = devm_clk_get(&pdev->dev, "lp"); - if (IS_ERR(dsi->clk_lp)) { - dev_err(&pdev->dev, "cannot get low-power clock\n"); - return PTR_ERR(dsi->clk_lp); - } + if (IS_ERR(dsi->clk_lp)) + return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), + "cannot get low-power clock\n"); dsi->clk_parent = devm_clk_get(&pdev->dev, "parent"); - if (IS_ERR(dsi->clk_parent)) { - dev_err(&pdev->dev, "cannot get parent clock\n"); - return PTR_ERR(dsi->clk_parent); - } + if (IS_ERR(dsi->clk_parent)) + return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), + "cannot get parent clock\n"); dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi"); - if (IS_ERR(dsi->vdd)) { - dev_err(&pdev->dev, "cannot get VDD supply\n"); - return PTR_ERR(dsi->vdd); - } + if (IS_ERR(dsi->vdd)) + return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), + "cannot get VDD supply\n"); err = tegra_dsi_setup_clocks(dsi); if (err < 0) { From beef7ea1764bd7497ea4a76932b5b57bb6d1147d Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sat, 2 Sep 2023 17:22:08 +0200 Subject: [PATCH 105/176] drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe() [ Upstream commit 830c1ded356369cd1303e8bb87ce3fea6e744de8 ] If an error occurs after calling tegra_output_probe(), tegra_output_remove() should be called as already done in the remove function. Fixes: dec727399a4b ("drm/tegra: Add DSI support") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/16820073278d031f6c474a08d5f22a255158585e.1693667005.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin (cherry picked from commit 0cb8749a621cdd291dc8976bbc245029124d402a) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/tegra/dsi.c | 54 ++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index 5af5f9871093..15734335d28e 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -1528,44 +1528,58 @@ static int tegra_dsi_probe(struct platform_device *pdev) if (!pdev->dev.pm_domain) { dsi->rst = devm_reset_control_get(&pdev->dev, "dsi"); - if (IS_ERR(dsi->rst)) - return PTR_ERR(dsi->rst); + if (IS_ERR(dsi->rst)) { + err = PTR_ERR(dsi->rst); + goto remove; + } } dsi->clk = devm_clk_get(&pdev->dev, NULL); - if (IS_ERR(dsi->clk)) - return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), - "cannot get DSI clock\n"); + if (IS_ERR(dsi->clk)) { + err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk), + "cannot get DSI clock\n"); + goto remove; + } dsi->clk_lp = devm_clk_get(&pdev->dev, "lp"); - if (IS_ERR(dsi->clk_lp)) - return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), - "cannot get low-power clock\n"); + if (IS_ERR(dsi->clk_lp)) { + err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_lp), + "cannot get low-power clock\n"); + goto remove; + } dsi->clk_parent = devm_clk_get(&pdev->dev, "parent"); - if (IS_ERR(dsi->clk_parent)) - return dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), - "cannot get parent clock\n"); + if (IS_ERR(dsi->clk_parent)) { + err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->clk_parent), + "cannot get parent clock\n"); + goto remove; + } dsi->vdd = devm_regulator_get(&pdev->dev, "avdd-dsi-csi"); - if (IS_ERR(dsi->vdd)) - return dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), - "cannot get VDD supply\n"); + if (IS_ERR(dsi->vdd)) { + err = dev_err_probe(&pdev->dev, PTR_ERR(dsi->vdd), + "cannot get VDD supply\n"); + goto remove; + } err = tegra_dsi_setup_clocks(dsi); if (err < 0) { dev_err(&pdev->dev, "cannot setup clocks\n"); - return err; + goto remove; } regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); dsi->regs = devm_ioremap_resource(&pdev->dev, regs); - if (IS_ERR(dsi->regs)) - return PTR_ERR(dsi->regs); + if (IS_ERR(dsi->regs)) { + err = PTR_ERR(dsi->regs); + goto remove; + } dsi->mipi = tegra_mipi_request(&pdev->dev, pdev->dev.of_node); - if (IS_ERR(dsi->mipi)) - return PTR_ERR(dsi->mipi); + if (IS_ERR(dsi->mipi)) { + err = PTR_ERR(dsi->mipi); + goto remove; + } dsi->host.ops = &tegra_dsi_host_ops; dsi->host.dev = &pdev->dev; @@ -1596,6 +1610,8 @@ unregister: mipi_dsi_host_unregister(&dsi->host); mipi_free: tegra_mipi_free(dsi->mipi); +remove: + tegra_output_remove(&dsi->output); return err; } From 8f0f744ebf00a199144bb821d0d1b186de6be782 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sat, 2 Sep 2023 17:22:09 +0200 Subject: [PATCH 106/176] drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe() [ Upstream commit 5286a9fc280c45b6b307ee1b07f7a997e042252c ] If an error occurs after calling pm_runtime_enable(), pm_runtime_disable() should be called as already done in the remove function. Fixes: ef8187d75265 ("drm/tegra: dsi: Implement runtime PM") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/ee4a15c9cd4b574a55cd67c30d2411239ba2cee9.1693667005.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin (cherry picked from commit d7e898d13a867014352f0daf98f8a0155c67a3c9) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/tegra/dsi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c index 15734335d28e..8b9456272aaa 100644 --- a/drivers/gpu/drm/tegra/dsi.c +++ b/drivers/gpu/drm/tegra/dsi.c @@ -1607,6 +1607,7 @@ static int tegra_dsi_probe(struct platform_device *pdev) return 0; unregister: + pm_runtime_disable(&pdev->dev); mipi_dsi_host_unregister(&dsi->host); mipi_free: tegra_mipi_free(dsi->mipi); From 9514fc65463c56256c0fbb075a6e414d2c440e9c Mon Sep 17 00:00:00 2001 From: Alex Bee Date: Fri, 22 Dec 2023 18:41:54 +0100 Subject: [PATCH 107/176] drm/rockchip: inno_hdmi: Fix video timing [ Upstream commit 47a145c03484d33e65d773169d5ca1b9fe2a492e ] The controller wants the difference between *total and *sync_start in the HDMI_VIDEO_EXT_*DELAY registers. Otherwise the signal is very unstable for certain non-VIC modes. See downstream commit [0]. [0] https://github.com/rockchip-linux/kernel/commit/8eb559f2502c Fixes: 412d4ae6b7a5 ("drm/rockchip: hdmi: add Innosilicon HDMI support") Co-developed-by: Zheng Yang Signed-off-by: Zheng Yang Signed-off-by: Alex Bee Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20231222174220.55249-4-knaerzche@gmail.com Signed-off-by: Sasha Levin (cherry picked from commit c031022829a91114cb2bd531c38de99184957b6d) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/rockchip/inno_hdmi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c index 7a251a54e792..ed12b6ba59fa 100644 --- a/drivers/gpu/drm/rockchip/inno_hdmi.c +++ b/drivers/gpu/drm/rockchip/inno_hdmi.c @@ -407,7 +407,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi, hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_L, value & 0xFF); hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HBLANK_H, (value >> 8) & 0xFF); - value = mode->hsync_start - mode->hdisplay; + value = mode->htotal - mode->hsync_start; hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_L, value & 0xFF); hdmi_writeb(hdmi, HDMI_VIDEO_EXT_HDELAY_H, (value >> 8) & 0xFF); @@ -422,7 +422,7 @@ static int inno_hdmi_config_video_timing(struct inno_hdmi *hdmi, value = mode->vtotal - mode->vdisplay; hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VBLANK, value & 0xFF); - value = mode->vsync_start - mode->vdisplay; + value = mode->vtotal - mode->vsync_start; hdmi_writeb(hdmi, HDMI_VIDEO_EXT_VDELAY, value & 0xFF); value = mode->vsync_end - mode->vsync_start; From 36ac37d23799588aa1f243c55a9958bac40ce8be Mon Sep 17 00:00:00 2001 From: Harry Wentland Date: Wed, 8 Nov 2023 11:36:20 -0500 Subject: [PATCH 108/176] drm: Don't treat 0 as -1 in drm_fixp2int_ceil [ Upstream commit cf8837d7204481026335461629b84ac7f4538fa5 ] Unit testing this in VKMS shows that passing 0 into this function returns -1, which is highly counter- intuitive. Fix it by checking whether the input is >= 0 instead of > 0. Fixes: 64566b5e767f ("drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil") Signed-off-by: Harry Wentland Reviewed-by: Simon Ser Reviewed-by: Melissa Wen Signed-off-by: Melissa Wen Link: https://patchwork.freedesktop.org/patch/msgid/20231108163647.106853-2-harry.wentland@amd.com Signed-off-by: Sasha Levin (cherry picked from commit e3271a9f1432472bfd1aec82a5086d6b10e0dfec) Signed-off-by: Harshit Mogalapalli --- include/drm/drm_fixed.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/drm/drm_fixed.h b/include/drm/drm_fixed.h index 553210c02ee0..627efa56e59f 100644 --- a/include/drm/drm_fixed.h +++ b/include/drm/drm_fixed.h @@ -88,7 +88,7 @@ static inline int drm_fixp2int(s64 a) static inline int drm_fixp2int_ceil(s64 a) { - if (a > 0) + if (a >= 0) return drm_fixp2int(a + DRM_FIXED_ALMOST_ONE); else return drm_fixp2int(a - DRM_FIXED_ALMOST_ONE); From f37d112202ea81abf2af9a552cd3657f8b042342 Mon Sep 17 00:00:00 2001 From: Alexander Stein Date: Wed, 10 Jan 2024 10:01:11 +0100 Subject: [PATCH 109/176] media: tc358743: register v4l2 async device only after successful setup [ Upstream commit 87399f1ff92203d65f1febf5919429f4bb613a02 ] Ensure the device has been setup correctly before registering the v4l2 async device, thus allowing userspace to access. Signed-off-by: Alexander Stein Reviewed-by: Robert Foss Fixes: 4c5211a10039 ("[media] tc358743: register v4l2 asynchronous subdevice") Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20240110090111.458115-1-alexander.stein@ew.tq-group.com Signed-off-by: Sasha Levin (cherry picked from commit 17c2650de14842c25c569cbb2126c421489a3a24) Signed-off-by: Harshit Mogalapalli --- drivers/media/i2c/tc358743.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index b294433c8345..8ffbb9b9b04e 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -1937,9 +1937,6 @@ static int tc358743_probe(struct i2c_client *client, state->mbus_fmt_code = MEDIA_BUS_FMT_RGB888_1X24; sd->dev = &client->dev; - err = v4l2_async_register_subdev(sd); - if (err < 0) - goto err_hdl; mutex_init(&state->confctl_mutex); @@ -1979,6 +1976,10 @@ static int tc358743_probe(struct i2c_client *client, if (err) goto err_work_queues; + err = v4l2_async_register_subdev(sd); + if (err < 0) + goto err_work_queues; + v4l2_info(sd, "%s found @ 0x%x (%s)\n", client->name, client->addr << 1, client->adapter->name); From e2bc2e2b68b321dfd3fb2c66691014a66ee074a6 Mon Sep 17 00:00:00 2001 From: Nikita Zhandarovich Date: Fri, 12 Jan 2024 05:42:26 -0800 Subject: [PATCH 110/176] media: em28xx: annotate unchecked call to media_device_register() [ Upstream commit fd61d77a3d28444b2635f0c8b5a2ecd6a4d94026 ] Static analyzers generate alerts for an unchecked call to `media_device_register()`. However, in this case, the device will work reliably without the media controller API. Add a comment above the call to prevent future unnecessary changes. Suggested-by: Mauro Carvalho Chehab Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support") Signed-off-by: Nikita Zhandarovich Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 8b3c5d95bcc85f4333b6968ae7710ee2a1b28f0a) Signed-off-by: Harshit Mogalapalli --- drivers/media/usb/em28xx/em28xx-cards.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c index 23a9fe8d9d1e..8e53307f2677 100644 --- a/drivers/media/usb/em28xx/em28xx-cards.c +++ b/drivers/media/usb/em28xx/em28xx-cards.c @@ -3740,6 +3740,10 @@ static int em28xx_usb_probe(struct usb_interface *interface, * topology will likely change after the load of the em28xx subdrivers. */ #ifdef CONFIG_MEDIA_CONTROLLER + /* + * No need to check the return value, the device will still be + * usable without media controller API. + */ retval = media_device_register(dev->media_dev); #endif From fdec9e17f52ea90aa40441a258d62ad3f0d6707d Mon Sep 17 00:00:00 2001 From: Zhipeng Lu Date: Thu, 1 Feb 2024 20:47:53 +0800 Subject: [PATCH 111/176] media: v4l2-tpg: fix some memleaks in tpg_alloc [ Upstream commit 8cf9c5051076e0eb958f4361d50d8b0c3ee6691c ] In tpg_alloc, resources should be deallocated in each and every error-handling paths, since they are allocated in for statements. Otherwise there would be memleaks because tpg_free is called only when tpg_alloc return 0. Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator") Signed-off-by: Zhipeng Lu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 0de691ff547d86dd54c24b40a81f9c925df8dd77) [Harshit: fix conflict due to missing commit: fad953ce0b22 ("treewide: Use array_size() in vzalloc()") in 4.14.y] Signed-off-by: Harshit Mogalapalli --- drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 52 +++++++++++++++---- 1 file changed, 42 insertions(+), 10 deletions(-) diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c index 664c4b8b1a6d..13fd0dbb075e 100644 --- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c @@ -125,6 +125,7 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) { unsigned pat; unsigned plane; + int ret = 0; tpg->max_line_width = max_w; for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) { @@ -132,29 +133,60 @@ int tpg_alloc(struct tpg_data *tpg, unsigned max_w) unsigned pixelsz = plane ? 2 : 4; tpg->lines[pat][plane] = vzalloc(max_w * 2 * pixelsz); - if (!tpg->lines[pat][plane]) - return -ENOMEM; + if (!tpg->lines[pat][plane]) { + ret = -ENOMEM; + goto free_lines; + } if (plane == 0) continue; tpg->downsampled_lines[pat][plane] = vzalloc(max_w * 2 * pixelsz); - if (!tpg->downsampled_lines[pat][plane]) - return -ENOMEM; + if (!tpg->downsampled_lines[pat][plane]) { + ret = -ENOMEM; + goto free_lines; + } } } for (plane = 0; plane < TPG_MAX_PLANES; plane++) { unsigned pixelsz = plane ? 2 : 4; tpg->contrast_line[plane] = vzalloc(max_w * pixelsz); - if (!tpg->contrast_line[plane]) - return -ENOMEM; + if (!tpg->contrast_line[plane]) { + ret = -ENOMEM; + goto free_contrast_line; + } tpg->black_line[plane] = vzalloc(max_w * pixelsz); - if (!tpg->black_line[plane]) - return -ENOMEM; + if (!tpg->black_line[plane]) { + ret = -ENOMEM; + goto free_contrast_line; + } tpg->random_line[plane] = vzalloc(max_w * 2 * pixelsz); - if (!tpg->random_line[plane]) - return -ENOMEM; + if (!tpg->random_line[plane]) { + ret = -ENOMEM; + goto free_contrast_line; + } } return 0; + +free_contrast_line: + for (plane = 0; plane < TPG_MAX_PLANES; plane++) { + vfree(tpg->contrast_line[plane]); + vfree(tpg->black_line[plane]); + vfree(tpg->random_line[plane]); + tpg->contrast_line[plane] = NULL; + tpg->black_line[plane] = NULL; + tpg->random_line[plane] = NULL; + } +free_lines: + for (pat = 0; pat < TPG_MAX_PAT_LINES; pat++) + for (plane = 0; plane < TPG_MAX_PLANES; plane++) { + vfree(tpg->lines[pat][plane]); + tpg->lines[pat][plane] = NULL; + if (plane == 0) + continue; + vfree(tpg->downsampled_lines[pat][plane]); + tpg->downsampled_lines[pat][plane] = NULL; + } + return ret; } EXPORT_SYMBOL_GPL(tpg_alloc); From 08af260a5bc1b71c1278dccb64a7866ea0687ef3 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Thu, 28 Mar 2019 14:36:14 -0400 Subject: [PATCH 112/176] media: dvbdev: remove double-unlock [ Upstream commit 122d0e8dd050cc5dc3fb9e9b5f2dee3c5276ce35 ] As warned by smatch: drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:529 dvb_register_device() error: double unlock 'sem:&minor_rwsem' Reported-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") Signed-off-by: Sasha Levin (cherry picked from commit cfa5ffc57e54fb8b864d23b6992cb37d706f6a87) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 0506179a7c86..a30ab33f8484 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -511,7 +511,6 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvb_media_device_free(dvbdev); kfree(dvbdevfops); kfree(dvbdev); - up_write(&minor_rwsem); mutex_unlock(&dvbdev_register_lock); return ret; } From 88b9134f0e55fe9a7162ee90e5324e2fd91b0ad9 Mon Sep 17 00:00:00 2001 From: Fuqian Huang Date: Wed, 3 Jul 2019 13:28:37 -0300 Subject: [PATCH 113/176] media: media/dvb: Use kmemdup rather than duplicating its implementation [ Upstream commit f6af820ef1be58c2e4b81aa479b9f109eb6344ce ] kmemdup is introduced to duplicate a region of memory in a neat way. Rather than kmalloc/kzalloc + memcpy, which the programmer needs to write the size twice (sometimes lead to mistakes), kmemdup improves readability, leads to smaller code and also reduce the chances of mistakes. Suggestion to use kmemdup rather than using kmalloc/kzalloc + memcpy. Signed-off-by: Fuqian Huang Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") Signed-off-by: Sasha Levin (cherry picked from commit 6e4129f8163460c79bb99887bc6f791196fcbda2) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 3 +-- drivers/media/dvb-frontends/drx39xyj/drxj.c | 5 ++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index a30ab33f8484..8153b213d066 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -460,7 +460,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, return -ENOMEM; } - dvbdevfops = kzalloc(sizeof(struct file_operations), GFP_KERNEL); + dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); if (!dvbdevfops){ kfree (dvbdev); @@ -477,7 +477,6 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvbdev->fops = dvbdevfops; init_waitqueue_head (&dvbdev->wait_queue); - memcpy(dvbdevfops, template->fops, sizeof(struct file_operations)); dvbdevfops->owner = adap->module; list_add_tail (&dvbdev->list_head, &adap->device_list); diff --git a/drivers/media/dvb-frontends/drx39xyj/drxj.c b/drivers/media/dvb-frontends/drx39xyj/drxj.c index 6f057ac1becc..3f3e69b9ee5e 100644 --- a/drivers/media/dvb-frontends/drx39xyj/drxj.c +++ b/drivers/media/dvb-frontends/drx39xyj/drxj.c @@ -12284,7 +12284,8 @@ struct dvb_frontend *drx39xxj_attach(struct i2c_adapter *i2c) if (state == NULL) goto error; - demod = kmalloc(sizeof(struct drx_demod_instance), GFP_KERNEL); + demod = kmemdup(&drxj_default_demod_g, + sizeof(struct drx_demod_instance), GFP_KERNEL); if (demod == NULL) goto error; @@ -12308,8 +12309,6 @@ struct dvb_frontend *drx39xxj_attach(struct i2c_adapter *i2c) state->demod = demod; /* setup the demod data */ - memcpy(demod, &drxj_default_demod_g, sizeof(struct drx_demod_instance)); - demod->my_i2c_dev_addr = demod_addr; demod->my_common_attr = demod_comm_attr; demod->my_i2c_dev_addr->user_data = state; From 5ace531d9048d5957c275071f8e55d5b3261e03e Mon Sep 17 00:00:00 2001 From: Dinghao Liu Date: Mon, 24 Aug 2020 14:27:46 +0200 Subject: [PATCH 114/176] media: dvbdev: Fix memleak in dvb_register_device [ Upstream commit 167faadfcf9339088910e9e85a1b711fcbbef8e9 ] When device_create() fails, dvbdev and dvbdevfops should be freed just like when dvb_register_media_device() fails. Signed-off-by: Dinghao Liu Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") Signed-off-by: Sasha Levin (cherry picked from commit 085f36c317cba8b8955c5da5f59c7486345d2bbb) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 8153b213d066..4b05136e3662 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -522,6 +522,9 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, if (IS_ERR(clsdev)) { pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); + dvb_media_device_free(dvbdev); + kfree(dvbdevfops); + kfree(dvbdev); return PTR_ERR(clsdev); } dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", From 83a32ee58edae39a2e9bb7d71f36d0317ebf39d2 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Wed, 9 Jun 2021 14:32:29 +0200 Subject: [PATCH 115/176] media: dvbdev: fix error logic at dvb_register_device() [ Upstream commit 1fec2ecc252301110e4149e6183fa70460d29674 ] As reported by smatch: drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:510 dvb_register_device() warn: '&dvbdev->list_head' not removed from list drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:530 dvb_register_device() warn: '&dvbdev->list_head' not removed from list drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:545 dvb_register_device() warn: '&dvbdev->list_head' not removed from list The error logic inside dvb_register_device() doesn't remove devices from the dvb_adapter_list in case of errors. Signed-off-by: Mauro Carvalho Chehab Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") Signed-off-by: Sasha Levin (cherry picked from commit a30cf94eaf5dd3ffd8d13c3a8c303d04357b01c1) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 4b05136e3662..ade61ae347e1 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -488,6 +488,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, break; if (minor == MAX_DVB_MINORS) { + list_del (&dvbdev->list_head); kfree(dvbdevfops); kfree(dvbdev); up_write(&minor_rwsem); @@ -508,6 +509,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, __func__); dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); kfree(dvbdevfops); kfree(dvbdev); mutex_unlock(&dvbdev_register_lock); @@ -523,6 +525,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); kfree(dvbdevfops); kfree(dvbdev); return PTR_ERR(clsdev); From 0ae7184adc0e7116a0bc81eded303fc031db1812 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Tue, 19 Sep 2017 14:22:19 -0400 Subject: [PATCH 116/176] media: dvbdev: convert DVB device types into an enum Enums can be documented via kernel-doc. So, convert the DVB_DEVICE_* macros to an enum. Signed-off-by: Mauro Carvalho Chehab (cherry picked from commit 6bbf7a855d200ddd83494a9ceb95f9465f953f59) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 34 ++++++++++++++++++---- drivers/media/dvb-core/dvbdev.h | 51 ++++++++++++++++++++++----------- 2 files changed, 64 insertions(+), 21 deletions(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index ade61ae347e1..5c2491739b62 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -51,8 +51,15 @@ static LIST_HEAD(dvb_adapter_list); static DEFINE_MUTEX(dvbdev_register_lock); static const char * const dnames[] = { - "video", "audio", "sec", "frontend", "demux", "dvr", "ca", - "net", "osd" + [DVB_DEVICE_VIDEO] = "video", + [DVB_DEVICE_AUDIO] = "audio", + [DVB_DEVICE_SEC] = "sec", + [DVB_DEVICE_FRONTEND] = "frontend", + [DVB_DEVICE_DEMUX] = "demux", + [DVB_DEVICE_DVR] = "dvr", + [DVB_DEVICE_CA] = "ca", + [DVB_DEVICE_NET] = "net", + [DVB_DEVICE_OSD] = "osd" }; #ifdef CONFIG_DVB_DYNAMIC_MINORS @@ -60,7 +67,24 @@ static const char * const dnames[] = { #define DVB_MAX_IDS MAX_DVB_MINORS #else #define DVB_MAX_IDS 4 -#define nums2minor(num, type, id) ((num << 6) | (id << 4) | type) + +static int nums2minor(int num, enum dvb_device_type type, int id) +{ + int n = (num << 6) | (id << 4); + + switch (type) { + case DVB_DEVICE_VIDEO: return n; + case DVB_DEVICE_AUDIO: return n | 1; + case DVB_DEVICE_SEC: return n | 2; + case DVB_DEVICE_FRONTEND: return n | 3; + case DVB_DEVICE_DEMUX: return n | 4; + case DVB_DEVICE_DVR: return n | 5; + case DVB_DEVICE_CA: return n | 6; + case DVB_DEVICE_NET: return n | 7; + case DVB_DEVICE_OSD: return n | 8; + } +} + #define MAX_DVB_MINORS (DVB_MAX_ADAPTERS*64) #endif @@ -435,8 +459,8 @@ static int dvb_register_media_device(struct dvb_device *dvbdev, } int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, - const struct dvb_device *template, void *priv, int type, - int demux_sink_pads) + const struct dvb_device *template, void *priv, + enum dvb_device_type type, int demux_sink_pads) { struct dvb_device *dvbdev; struct file_operations *dvbdevfops; diff --git a/drivers/media/dvb-core/dvbdev.h b/drivers/media/dvb-core/dvbdev.h index 5f6a6e7cda61..e35cb9469bc3 100644 --- a/drivers/media/dvb-core/dvbdev.h +++ b/drivers/media/dvb-core/dvbdev.h @@ -35,15 +35,37 @@ #define DVB_UNSET (-1) -#define DVB_DEVICE_VIDEO 0 -#define DVB_DEVICE_AUDIO 1 -#define DVB_DEVICE_SEC 2 -#define DVB_DEVICE_FRONTEND 3 -#define DVB_DEVICE_DEMUX 4 -#define DVB_DEVICE_DVR 5 -#define DVB_DEVICE_CA 6 -#define DVB_DEVICE_NET 7 -#define DVB_DEVICE_OSD 8 +/* List of DVB device types */ + +/** + * enum dvb_device_type - type of the Digital TV device + * + * @DVB_DEVICE_SEC: Digital TV standalone Common Interface (CI) + * @DVB_DEVICE_FRONTEND: Digital TV frontend. + * @DVB_DEVICE_DEMUX: Digital TV demux. + * @DVB_DEVICE_DVR: Digital TV digital video record (DVR). + * @DVB_DEVICE_CA: Digital TV Conditional Access (CA). + * @DVB_DEVICE_NET: Digital TV network. + * + * @DVB_DEVICE_VIDEO: Digital TV video decoder. + * Deprecated. Used only on av7110-av. + * @DVB_DEVICE_AUDIO: Digital TV audio decoder. + * Deprecated. Used only on av7110-av. + * @DVB_DEVICE_OSD: Digital TV On Screen Display (OSD). + * Deprecated. Used only on av7110. + */ +enum dvb_device_type { + DVB_DEVICE_SEC, + DVB_DEVICE_FRONTEND, + DVB_DEVICE_DEMUX, + DVB_DEVICE_DVR, + DVB_DEVICE_CA, + DVB_DEVICE_NET, + + DVB_DEVICE_VIDEO, + DVB_DEVICE_AUDIO, + DVB_DEVICE_OSD, +}; #define DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr) \ static short adapter_nr[] = \ @@ -104,8 +126,7 @@ struct dvb_adapter { * @list_head: List head with all DVB devices * @fops: pointer to struct file_operations * @adapter: pointer to the adapter that holds this device node - * @type: type of the device: DVB_DEVICE_SEC, DVB_DEVICE_FRONTEND, - * DVB_DEVICE_DEMUX, DVB_DEVICE_DVR, DVB_DEVICE_CA, DVB_DEVICE_NET + * @type: type of the device, as defined by &enum dvb_device_type. * @minor: devnode minor number. Major number is always DVB_MAJOR. * @id: device ID number, inside the adapter * @readers: Initialized by the caller. Each call to open() in Read Only mode @@ -136,7 +157,7 @@ struct dvb_device { struct kref ref; const struct file_operations *fops; struct dvb_adapter *adapter; - int type; + enum dvb_device_type type; int minor; u32 id; @@ -209,9 +230,7 @@ int dvb_unregister_adapter(struct dvb_adapter *adap); * stored * @template: Template used to create &pdvbdev; * @priv: private data - * @type: type of the device: %DVB_DEVICE_SEC, %DVB_DEVICE_FRONTEND, - * %DVB_DEVICE_DEMUX, %DVB_DEVICE_DVR, %DVB_DEVICE_CA, - * %DVB_DEVICE_NET + * @type: type of the device, as defined by &enum dvb_device_type. * @demux_sink_pads: Number of demux outputs, to be used to create the TS * outputs via the Media Controller. */ @@ -219,7 +238,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, const struct dvb_device *template, void *priv, - int type, + enum dvb_device_type type, int demux_sink_pads); /** From 8f649cb42cc0154445a0319a3ec9e0f6f37737b5 Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Thu, 17 Nov 2022 04:59:24 +0000 Subject: [PATCH 117/176] media: dvb-core: Fix use-after-free due to race at dvb_register_device() [ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ] dvb_register_device() dynamically allocates fops with kmemdup() to set the fops->owner. And these fops are registered in 'file->f_ops' using replace_fops() in the dvb_device_open() process, and kfree()d in dvb_free_device(). However, it is not common to use dynamically allocated fops instead of 'static const' fops as an argument of replace_fops(), and UAF may occur. These UAFs can occur on any dvb type using dvb_register_device(), such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. So, instead of kfree() the fops dynamically allocated in dvb_register_device() in dvb_free_device() called during the .disconnect() process, kfree() it collectively in exit_dvbdev() called when the dvbdev.c module is removed. Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com Signed-off-by: Hyunwoo Kim Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab Stable-dep-of: 8c64f4cdf4e6 ("media: edia: dvbdev: fix a use-after-free") Signed-off-by: Sasha Levin (cherry picked from commit dc04ff778b4f8ff4560f1c42993417359e74d36a) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++--------- drivers/media/dvb-core/dvbdev.h | 15 ++++++ 2 files changed, 78 insertions(+), 21 deletions(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 5c2491739b62..614fbabd5097 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -36,6 +36,7 @@ #include static DEFINE_MUTEX(dvbdev_mutex); +static LIST_HEAD(dvbdevfops_list); static int dvbdev_debug; module_param(dvbdev_debug, int, 0644); @@ -463,14 +464,15 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, enum dvb_device_type type, int demux_sink_pads) { struct dvb_device *dvbdev; - struct file_operations *dvbdevfops; + struct file_operations *dvbdevfops = NULL; + struct dvbdevfops_node *node = NULL, *new_node = NULL; struct device *clsdev; int minor; int id, ret; mutex_lock(&dvbdev_register_lock); - if ((id = dvbdev_get_free_id (adap, type)) < 0){ + if ((id = dvbdev_get_free_id (adap, type)) < 0) { mutex_unlock(&dvbdev_register_lock); *pdvbdev = NULL; pr_err("%s: couldn't find free device id\n", __func__); @@ -478,18 +480,45 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, } *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL); - if (!dvbdev){ mutex_unlock(&dvbdev_register_lock); return -ENOMEM; } - dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + /* + * When a device of the same type is probe()d more than once, + * the first allocated fops are used. This prevents memory leaks + * that can occur when the same device is probe()d repeatedly. + */ + list_for_each_entry(node, &dvbdevfops_list, list_head) { + if (node->fops->owner == adap->module && + node->type == type && + node->template == template) { + dvbdevfops = node->fops; + break; + } + } - if (!dvbdevfops){ - kfree (dvbdev); - mutex_unlock(&dvbdev_register_lock); - return -ENOMEM; + if (dvbdevfops == NULL) { + dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + if (!dvbdevfops) { + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + + new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL); + if (!new_node) { + kfree(dvbdevfops); + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + + new_node->fops = dvbdevfops; + new_node->type = type; + new_node->template = template; + list_add_tail (&new_node->list_head, &dvbdevfops_list); } memcpy(dvbdev, template, sizeof(struct dvb_device)); @@ -500,20 +529,20 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvbdev->priv = priv; dvbdev->fops = dvbdevfops; init_waitqueue_head (&dvbdev->wait_queue); - dvbdevfops->owner = adap->module; - list_add_tail (&dvbdev->list_head, &adap->device_list); - down_write(&minor_rwsem); #ifdef CONFIG_DVB_DYNAMIC_MINORS for (minor = 0; minor < MAX_DVB_MINORS; minor++) if (dvb_minors[minor] == NULL) break; - if (minor == MAX_DVB_MINORS) { + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); + kfree(new_node); + } list_del (&dvbdev->list_head); - kfree(dvbdevfops); kfree(dvbdev); up_write(&minor_rwsem); mutex_unlock(&dvbdev_register_lock); @@ -522,41 +551,47 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, #else minor = nums2minor(adap->num, type, id); #endif - dvbdev->minor = minor; dvb_minors[minor] = dvb_device_get(dvbdev); up_write(&minor_rwsem); - ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads); if (ret) { pr_err("%s: dvb_register_media_device failed to create the mediagraph\n", __func__); - + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); + kfree(new_node); + } dvb_media_device_free(dvbdev); list_del (&dvbdev->list_head); - kfree(dvbdevfops); kfree(dvbdev); mutex_unlock(&dvbdev_register_lock); return ret; } - mutex_unlock(&dvbdev_register_lock); - clsdev = device_create(dvb_class, adap->device, MKDEV(DVB_MAJOR, minor), dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id); if (IS_ERR(clsdev)) { pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); + kfree(new_node); + } dvb_media_device_free(dvbdev); list_del (&dvbdev->list_head); - kfree(dvbdevfops); kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); return PTR_ERR(clsdev); } + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", adap->num, dnames[type], id, minor, minor); + mutex_unlock(&dvbdev_register_lock); return 0; } EXPORT_SYMBOL(dvb_register_device); @@ -585,7 +620,6 @@ static void dvb_free_device(struct kref *ref) { struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref); - kfree (dvbdev->fops); kfree (dvbdev); } @@ -1024,9 +1058,17 @@ error: static void __exit exit_dvbdev(void) { + struct dvbdevfops_node *node, *next; + class_destroy(dvb_class); cdev_del(&dvb_device_cdev); unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS); + + list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) { + list_del (&node->list_head); + kfree(node->fops); + kfree(node); + } } subsys_initcall(init_dvbdev); diff --git a/drivers/media/dvb-core/dvbdev.h b/drivers/media/dvb-core/dvbdev.h index e35cb9469bc3..e5d575851224 100644 --- a/drivers/media/dvb-core/dvbdev.h +++ b/drivers/media/dvb-core/dvbdev.h @@ -186,6 +186,21 @@ struct dvb_device { void *priv; }; +/** + * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list + * + * @fops: Dynamically allocated fops for ->owner registration + * @type: type of dvb_device + * @template: dvb_device used for registration + * @list_head: list_head for dvbdevfops_list + */ +struct dvbdevfops_node { + struct file_operations *fops; + enum dvb_device_type type; + const struct dvb_device *template; + struct list_head list_head; +}; + /** * dvb_device_get - Increase dvb_device reference * From dec38a328d1cb93913450eab8c0b2b52ca6d96b7 Mon Sep 17 00:00:00 2001 From: Zhipeng Lu Date: Sat, 3 Feb 2024 14:40:43 +0100 Subject: [PATCH 118/176] media: edia: dvbdev: fix a use-after-free [ Upstream commit 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 ] In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggering a use-after-free. Link: https://lore.kernel.org/linux-media/20240203134046.3120099-1-alexious@zju.edu.cn Fixes: b61901024776 ("V4L/DVB (5244): Dvbdev: fix illegal re-usage of fileoperations struct") Signed-off-by: Zhipeng Lu Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin (cherry picked from commit d0f5c28333822f9baa5280d813124920720fd856) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-core/dvbdev.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 614fbabd5097..6e3c0234a674 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -503,6 +503,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); if (!dvbdevfops) { kfree(dvbdev); + *pdvbdev = NULL; mutex_unlock(&dvbdev_register_lock); return -ENOMEM; } @@ -511,6 +512,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, if (!new_node) { kfree(dvbdevfops); kfree(dvbdev); + *pdvbdev = NULL; mutex_unlock(&dvbdev_register_lock); return -ENOMEM; } @@ -544,6 +546,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, } list_del (&dvbdev->list_head); kfree(dvbdev); + *pdvbdev = NULL; up_write(&minor_rwsem); mutex_unlock(&dvbdev_register_lock); return -EINVAL; @@ -566,6 +569,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvb_media_device_free(dvbdev); list_del (&dvbdev->list_head); kfree(dvbdev); + *pdvbdev = NULL; mutex_unlock(&dvbdev_register_lock); return ret; } @@ -584,6 +588,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvb_media_device_free(dvbdev); list_del (&dvbdev->list_head); kfree(dvbdev); + *pdvbdev = NULL; mutex_unlock(&dvbdev_register_lock); return PTR_ERR(clsdev); } From a9c53a71d5103df700ba1022bd793c2e7da2e4b3 Mon Sep 17 00:00:00 2001 From: Stephan Gerhold Date: Wed, 6 Jul 2022 15:41:29 +0200 Subject: [PATCH 119/176] clk: qcom: reset: Allow specifying custom reset delay [ Upstream commit 2cb8a39b6781ea23accd1fa93b3ad000d0948aec ] The amount of time required between asserting and deasserting the reset signal can vary depending on the involved hardware component. Sometimes 1 us might not be enough and a larger delay is necessary to conform to the specifications. Usually this is worked around in the consuming drivers, by replacing reset_control_reset() with a sequence of reset_control_assert(), waiting for a custom delay, followed by reset_control_deassert(). However, in some cases the driver making use of the reset is generic and can be used with different reset controllers. In this case the reset time requirement is better handled directly by the reset controller driver. Make this possible by adding an "udelay" field to the qcom_reset_map that allows setting a different reset delay (in microseconds). Signed-off-by: Stephan Gerhold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220706134132.3623415-4-stephan.gerhold@kernkonzept.com Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion") Signed-off-by: Sasha Levin (cherry picked from commit 5f0a066e0ece83eb4c72c6672539bcdbfeb39a4e) Signed-off-by: Harshit Mogalapalli --- drivers/clk/qcom/reset.c | 4 +++- drivers/clk/qcom/reset.h | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c index 0324d8daab9b..fc68c8fa30ac 100644 --- a/drivers/clk/qcom/reset.c +++ b/drivers/clk/qcom/reset.c @@ -21,8 +21,10 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id) { + struct qcom_reset_controller *rst = to_qcom_reset_controller(rcdev); + rcdev->ops->assert(rcdev, id); - udelay(1); + udelay(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */ rcdev->ops->deassert(rcdev, id); return 0; } diff --git a/drivers/clk/qcom/reset.h b/drivers/clk/qcom/reset.h index cda877927d43..3e30f6724c7a 100644 --- a/drivers/clk/qcom/reset.h +++ b/drivers/clk/qcom/reset.h @@ -19,6 +19,7 @@ struct qcom_reset_map { unsigned int reg; u8 bit; + u8 udelay; }; struct regmap; From 7091467f8cf4ffb05762766872608822fba862a6 Mon Sep 17 00:00:00 2001 From: Robert Marko Date: Mon, 7 Nov 2022 14:28:59 +0100 Subject: [PATCH 120/176] clk: qcom: reset: support resetting multiple bits [ Upstream commit 4a5210893625f89723ea210d7c630b730abb37ad ] This patch adds the support for giving the complete bitmask in reset structure and reset operation will use this bitmask for all reset operations. Currently, reset structure only takes a single bit for each reset and then calculates the bitmask by using the BIT() macro. However, this is not sufficient anymore for newer SoC-s like IPQ8074, IPQ6018 and more, since their networking resets require multiple bits to be asserted in order to properly reset the HW block completely. So, in order to allow asserting multiple bits add "bitmask" field to qcom_reset_map, and then use that bitmask value if its populated in the driver, if its not populated, then we just default to existing behaviour and calculate the bitmask on the fly. Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221107132901.489240-1-robimarko@gmail.com Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion") Signed-off-by: Sasha Levin (cherry picked from commit 38dd93f87da08876edf8df89a5992ce46da920ea) Signed-off-by: Harshit Mogalapalli --- drivers/clk/qcom/reset.c | 4 ++-- drivers/clk/qcom/reset.h | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c index fc68c8fa30ac..60b60631c344 100644 --- a/drivers/clk/qcom/reset.c +++ b/drivers/clk/qcom/reset.c @@ -38,7 +38,7 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) rst = to_qcom_reset_controller(rcdev); map = &rst->reset_map[id]; - mask = BIT(map->bit); + mask = map->bitmask ? map->bitmask : BIT(map->bit); return regmap_update_bits(rst->regmap, map->reg, mask, mask); } @@ -52,7 +52,7 @@ qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) rst = to_qcom_reset_controller(rcdev); map = &rst->reset_map[id]; - mask = BIT(map->bit); + mask = map->bitmask ? map->bitmask : BIT(map->bit); return regmap_update_bits(rst->regmap, map->reg, mask, 0); } diff --git a/drivers/clk/qcom/reset.h b/drivers/clk/qcom/reset.h index 3e30f6724c7a..a118311503d4 100644 --- a/drivers/clk/qcom/reset.h +++ b/drivers/clk/qcom/reset.h @@ -20,6 +20,7 @@ struct qcom_reset_map { unsigned int reg; u8 bit; u8 udelay; + u32 bitmask; }; struct regmap; From fb58c616f8d5d230746a6e834a13daaf9616432d Mon Sep 17 00:00:00 2001 From: Konrad Dybcio Date: Tue, 6 Feb 2024 19:43:35 +0100 Subject: [PATCH 121/176] clk: qcom: reset: Commonize the de/assert functions [ Upstream commit eda40d9c583e95e0b6ac69d2950eec10f802e0e8 ] They do the same thing, except the last argument of the last function call differs. Commonize them. Reviewed-by: Bryan O'Donoghue Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-2-c37eba13b5ce@linaro.org Signed-off-by: Bjorn Andersson Stable-dep-of: 2f8cf2c3f3e3 ("clk: qcom: reset: Ensure write completion on reset de/assertion") Signed-off-by: Sasha Levin (cherry picked from commit 823c46950d9a96e94db8f565013f4f2f528c2bbe) Signed-off-by: Harshit Mogalapalli --- drivers/clk/qcom/reset.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c index 60b60631c344..252d7abf577e 100644 --- a/drivers/clk/qcom/reset.c +++ b/drivers/clk/qcom/reset.c @@ -29,8 +29,8 @@ static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id) return 0; } -static int -qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) +static int qcom_reset_set_assert(struct reset_controller_dev *rcdev, + unsigned long id, bool assert) { struct qcom_reset_controller *rst; const struct qcom_reset_map *map; @@ -40,21 +40,17 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) map = &rst->reset_map[id]; mask = map->bitmask ? map->bitmask : BIT(map->bit); - return regmap_update_bits(rst->regmap, map->reg, mask, mask); + return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0); } -static int -qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) +static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) { - struct qcom_reset_controller *rst; - const struct qcom_reset_map *map; - u32 mask; + return qcom_reset_set_assert(rcdev, id, true); +} - rst = to_qcom_reset_controller(rcdev); - map = &rst->reset_map[id]; - mask = map->bitmask ? map->bitmask : BIT(map->bit); - - return regmap_update_bits(rst->regmap, map->reg, mask, 0); +static int qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) +{ + return qcom_reset_set_assert(rcdev, id, false); } const struct reset_control_ops qcom_reset_ops = { From 3acb0bf9b01663735e38d8647655c4c2dc81aa80 Mon Sep 17 00:00:00 2001 From: Konrad Dybcio Date: Tue, 6 Feb 2024 19:43:36 +0100 Subject: [PATCH 122/176] clk: qcom: reset: Ensure write completion on reset de/assertion [ Upstream commit 2f8cf2c3f3e3f7ef61bd19abb4b0bb797ad50aaf ] Trying to toggle the resets in a rapid fashion can lead to the changes not actually arriving at the clock controller block when we expect them to. This was observed at least on SM8250. Read back the value after regmap_update_bits to ensure write completion. Fixes: b36ba30c8ac6 ("clk: qcom: Add reset controller support") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240105-topic-venus_reset-v2-3-c37eba13b5ce@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin (cherry picked from commit d258d124f435adb3cac491e4b0274e75597f3a02) Signed-off-by: Harshit Mogalapalli --- drivers/clk/qcom/reset.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c index 252d7abf577e..3a1cfc2dd94c 100644 --- a/drivers/clk/qcom/reset.c +++ b/drivers/clk/qcom/reset.c @@ -40,7 +40,12 @@ static int qcom_reset_set_assert(struct reset_controller_dev *rcdev, map = &rst->reset_map[id]; mask = map->bitmask ? map->bitmask : BIT(map->bit); - return regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0); + regmap_update_bits(rst->regmap, map->reg, mask, assert ? mask : 0); + + /* Read back the register to ensure write completion, ignore the value */ + regmap_read(rst->regmap, map->reg, &mask); + + return 0; } static int qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) From 045db5c9471c0d3662193af5123c40c459442c29 Mon Sep 17 00:00:00 2001 From: Chengguang Xu Date: Wed, 20 Mar 2019 13:03:59 +0800 Subject: [PATCH 123/176] quota: code cleanup for __dquot_alloc_space() [ Upstream commit df15a2a59d0b29d86e17140b83ed231adaded12f ] Replace (flags & DQUOT_SPACE_RESERVE) with variable reserve. Signed-off-by: Chengguang Xu Signed-off-by: Jan Kara Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") Signed-off-by: Sasha Levin (cherry picked from commit d9e4ab12b60a49204435102f8120c0d3e62583f1) Signed-off-by: Harshit Mogalapalli --- fs/quota/dquot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 1629d50782bf..9d8ed856166f 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -1666,7 +1666,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) for (cnt = 0; cnt < MAXQUOTAS; cnt++) { if (!dquots[cnt]) continue; - if (flags & DQUOT_SPACE_RESERVE) { + if (reserve) { ret = dquot_add_space(dquots[cnt], 0, number, flags, &warn[cnt]); } else { @@ -1679,7 +1679,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) if (!dquots[cnt]) continue; spin_lock(&dquots[cnt]->dq_dqb_lock); - if (flags & DQUOT_SPACE_RESERVE) { + if (reserve) { dquots[cnt]->dq_dqb.dqb_rsvspace -= number; } else { From 34b20f6e467fcd6dcd4352a429263beca0cc46fc Mon Sep 17 00:00:00 2001 From: Jiang Biao Date: Wed, 24 Apr 2019 08:58:57 +0800 Subject: [PATCH 124/176] fs/quota: erase unused but set variable warning [ Upstream commit 78bc3334a69ff289dbc973a9db7c52a2d7757e5b ] Local variable *reserved* of remove_dquot_ref() is only used if define CONFIG_QUOTA_DEBUG, but not ebraced in CONFIG_QUOTA_DEBUG macro, which leads to unused-but-set-variable warning when compiling. This patch ebrace it into CONFIG_QUOTA_DEBUG macro like what is done in add_dquot_ref(). Signed-off-by: Jiang Biao Signed-off-by: Jan Kara Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") Signed-off-by: Sasha Levin (cherry picked from commit 1974c13019b97140149690cd622a9c6732c32124) Signed-off-by: Harshit Mogalapalli --- fs/quota/dquot.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 9d8ed856166f..28b6d3f56301 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -1052,7 +1052,9 @@ static void remove_dquot_ref(struct super_block *sb, int type, struct list_head *tofree_head) { struct inode *inode; +#ifdef CONFIG_QUOTA_DEBUG int reserved = 0; +#endif spin_lock(&sb->s_inode_list_lock); list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { @@ -1064,8 +1066,10 @@ static void remove_dquot_ref(struct super_block *sb, int type, */ spin_lock(&dq_data_lock); if (!IS_NOQUOTA(inode)) { +#ifdef CONFIG_QUOTA_DEBUG if (unlikely(inode_get_rsv_space(inode) > 0)) reserved = 1; +#endif remove_inode_dquot_ref(inode, type, tofree_head); } spin_unlock(&dq_data_lock); From 92b446b2b7dfe86c8955bf914789754b2d44ec81 Mon Sep 17 00:00:00 2001 From: Chengguang Xu Date: Tue, 30 Apr 2019 14:40:10 +0800 Subject: [PATCH 125/176] quota: check time limit when back out space/inode change [ Upstream commit 632a9f3acd6687376cbb0b178df6048e19cbacc9 ] When we fail from allocating inode/space, we back out the change we already did. In a special case which has exceeded soft limit by the change, we should also check time limit and reset it properly. Signed-off-by: Chengguang Xu Signed-off-by: Jan Kara Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") Signed-off-by: Sasha Levin (cherry picked from commit e87ed533e7a6167f4a5e1b0fdbf21784acf115cc) Signed-off-by: Harshit Mogalapalli --- fs/quota/dquot.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 28b6d3f56301..271927d91ff3 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -1683,13 +1683,11 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) if (!dquots[cnt]) continue; spin_lock(&dquots[cnt]->dq_dqb_lock); - if (reserve) { - dquots[cnt]->dq_dqb.dqb_rsvspace -= - number; - } else { - dquots[cnt]->dq_dqb.dqb_curspace -= - number; - } + if (reserve) + dquot_free_reserved_space(dquots[cnt], + number); + else + dquot_decr_space(dquots[cnt], number); spin_unlock(&dquots[cnt]->dq_dqb_lock); } spin_unlock(&inode->i_lock); @@ -1740,7 +1738,7 @@ int dquot_alloc_inode(struct inode *inode) continue; /* Back out changes we already did */ spin_lock(&dquots[cnt]->dq_dqb_lock); - dquots[cnt]->dq_dqb.dqb_curinodes--; + dquot_decr_inodes(dquots[cnt], 1); spin_unlock(&dquots[cnt]->dq_dqb_lock); } goto warn_put_all; From ba23e07d50c32bf3e5c651e29fe526f53652b28b Mon Sep 17 00:00:00 2001 From: Baokun Li Date: Fri, 30 Jun 2023 19:08:22 +0800 Subject: [PATCH 126/176] quota: simplify drop_dquot_ref() [ Upstream commit 7bce48f0fec602b3b6c335963b26d9eefa417788 ] As Honza said, remove_inode_dquot_ref() currently does not release the last dquot reference but instead adds the dquot to tofree_head list. This is because dqput() can sleep while dropping of the last dquot reference (writing back the dquot and calling ->release_dquot()) and that must not happen under dq_list_lock. Now that dqput() queues the final dquot cleanup into a workqueue, remove_inode_dquot_ref() can call dqput() unconditionally and we can significantly simplify it. Here we open code the simplified code of remove_inode_dquot_ref() into remove_dquot_ref() and remove the function put_dquot_list() which is no longer used. Signed-off-by: Baokun Li Signed-off-by: Jan Kara Message-Id: <20230630110822.3881712-6-libaokun1@huawei.com> Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") Signed-off-by: Sasha Levin (cherry picked from commit 248699a705f31211c0d7cc9e0d79cbbabbc9c791) Signed-off-by: Harshit Mogalapalli --- fs/quota/dquot.c | 70 +++++++----------------------------------------- 1 file changed, 9 insertions(+), 61 deletions(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 271927d91ff3..82218bda4b0c 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -997,59 +997,7 @@ out: return err; } -/* - * Remove references to dquots from inode and add dquot to list for freeing - * if we have the last reference to dquot - */ -static void remove_inode_dquot_ref(struct inode *inode, int type, - struct list_head *tofree_head) -{ - struct dquot **dquots = i_dquot(inode); - struct dquot *dquot = dquots[type]; - - if (!dquot) - return; - - dquots[type] = NULL; - if (list_empty(&dquot->dq_free)) { - /* - * The inode still has reference to dquot so it can't be in the - * free list - */ - spin_lock(&dq_list_lock); - list_add(&dquot->dq_free, tofree_head); - spin_unlock(&dq_list_lock); - } else { - /* - * Dquot is already in a list to put so we won't drop the last - * reference here. - */ - dqput(dquot); - } -} - -/* - * Free list of dquots - * Dquots are removed from inodes and no new references can be got so we are - * the only ones holding reference - */ -static void put_dquot_list(struct list_head *tofree_head) -{ - struct list_head *act_head; - struct dquot *dquot; - - act_head = tofree_head->next; - while (act_head != tofree_head) { - dquot = list_entry(act_head, struct dquot, dq_free); - act_head = act_head->next; - /* Remove dquot from the list so we won't have problems... */ - list_del_init(&dquot->dq_free); - dqput(dquot); - } -} - -static void remove_dquot_ref(struct super_block *sb, int type, - struct list_head *tofree_head) +static void remove_dquot_ref(struct super_block *sb, int type) { struct inode *inode; #ifdef CONFIG_QUOTA_DEBUG @@ -1066,11 +1014,16 @@ static void remove_dquot_ref(struct super_block *sb, int type, */ spin_lock(&dq_data_lock); if (!IS_NOQUOTA(inode)) { + struct dquot **dquots = i_dquot(inode); + struct dquot *dquot = dquots[type]; + #ifdef CONFIG_QUOTA_DEBUG if (unlikely(inode_get_rsv_space(inode) > 0)) reserved = 1; #endif - remove_inode_dquot_ref(inode, type, tofree_head); + dquots[type] = NULL; + if (dquot) + dqput(dquot); } spin_unlock(&dq_data_lock); } @@ -1087,13 +1040,8 @@ static void remove_dquot_ref(struct super_block *sb, int type, /* Gather all references from inodes and drop them */ static void drop_dquot_ref(struct super_block *sb, int type) { - LIST_HEAD(tofree_head); - - if (sb->dq_op) { - remove_dquot_ref(sb, type, &tofree_head); - synchronize_srcu(&dquot_srcu); - put_dquot_list(&tofree_head); - } + if (sb->dq_op) + remove_dquot_ref(sb, type); } static inline From b2b5f36baf4785d586642aab144412e5961b7955 Mon Sep 17 00:00:00 2001 From: Wang Jianjian Date: Fri, 2 Feb 2024 16:18:52 +0800 Subject: [PATCH 127/176] quota: Fix potential NULL pointer dereference [ Upstream commit d0aa72604fbd80c8aabb46eda00535ed35570f1f ] Below race may cause NULL pointer dereference P1 P2 dquot_free_inode quota_off drop_dquot_ref remove_dquot_ref dquots = i_dquot(inode) dquots = i_dquot(inode) srcu_read_lock dquots[cnt]) != NULL (1) dquots[type] = NULL (2) spin_lock(&dquots[cnt]->dq_dqb_lock) (3) .... If dquot_free_inode(or other routines) checks inode's quota pointers (1) before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer dereference will be triggered. So let's fix it by using a temporary pointer to avoid this issue. Signed-off-by: Wang Jianjian Signed-off-by: Jan Kara Message-Id: <20240202081852.2514092-1-wangjianjian3@huawei.com> Stable-dep-of: 179b8c97ebf6 ("quota: Fix rcu annotations of inode dquot pointers") Signed-off-by: Sasha Levin (cherry picked from commit 8514899c1a4edf802f03c408db901063aa3f05a1) Signed-off-by: Harshit Mogalapalli --- fs/quota/dquot.c | 98 ++++++++++++++++++++++++++++-------------------- 1 file changed, 57 insertions(+), 41 deletions(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 82218bda4b0c..3e987b961cbc 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -368,15 +368,17 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) EXPORT_SYMBOL(dquot_mark_dquot_dirty); /* Dirtify all the dquots - this can block when journalling */ -static inline int mark_all_dquot_dirty(struct dquot * const *dquot) +static inline int mark_all_dquot_dirty(struct dquot * const *dquots) { int ret, err, cnt; + struct dquot *dquot; ret = err = 0; for (cnt = 0; cnt < MAXQUOTAS; cnt++) { - if (dquot[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (dquot) /* Even in case of error we have to continue */ - ret = mark_dquot_dirty(dquot[cnt]); + ret = mark_dquot_dirty(dquot); if (!err) err = ret; } @@ -1597,6 +1599,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) struct dquot_warn warn[MAXQUOTAS]; int reserve = flags & DQUOT_SPACE_RESERVE; struct dquot **dquots; + struct dquot *dquot; if (!dquot_active(inode)) { if (reserve) { @@ -1616,27 +1619,26 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) index = srcu_read_lock(&dquot_srcu); spin_lock(&inode->i_lock); for (cnt = 0; cnt < MAXQUOTAS; cnt++) { - if (!dquots[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (!dquot) continue; if (reserve) { - ret = dquot_add_space(dquots[cnt], 0, number, flags, - &warn[cnt]); + ret = dquot_add_space(dquot, 0, number, flags, &warn[cnt]); } else { - ret = dquot_add_space(dquots[cnt], number, 0, flags, - &warn[cnt]); + ret = dquot_add_space(dquot, number, 0, flags, &warn[cnt]); } if (ret) { /* Back out changes we already did */ for (cnt--; cnt >= 0; cnt--) { - if (!dquots[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (!dquot) continue; - spin_lock(&dquots[cnt]->dq_dqb_lock); + spin_lock(&dquot->dq_dqb_lock); if (reserve) - dquot_free_reserved_space(dquots[cnt], - number); + dquot_free_reserved_space(dquot, number); else - dquot_decr_space(dquots[cnt], number); - spin_unlock(&dquots[cnt]->dq_dqb_lock); + dquot_decr_space(dquot, number); + spin_unlock(&dquot->dq_dqb_lock); } spin_unlock(&inode->i_lock); goto out_flush_warn; @@ -1667,6 +1669,7 @@ int dquot_alloc_inode(struct inode *inode) int cnt, ret = 0, index; struct dquot_warn warn[MAXQUOTAS]; struct dquot * const *dquots; + struct dquot *dquot; if (!dquot_active(inode)) return 0; @@ -1677,17 +1680,19 @@ int dquot_alloc_inode(struct inode *inode) index = srcu_read_lock(&dquot_srcu); spin_lock(&inode->i_lock); for (cnt = 0; cnt < MAXQUOTAS; cnt++) { - if (!dquots[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (!dquot) continue; - ret = dquot_add_inodes(dquots[cnt], 1, &warn[cnt]); + ret = dquot_add_inodes(dquot, 1, &warn[cnt]); if (ret) { for (cnt--; cnt >= 0; cnt--) { - if (!dquots[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (!dquot) continue; /* Back out changes we already did */ - spin_lock(&dquots[cnt]->dq_dqb_lock); - dquot_decr_inodes(dquots[cnt], 1); - spin_unlock(&dquots[cnt]->dq_dqb_lock); + spin_lock(&dquot->dq_dqb_lock); + dquot_decr_inodes(dquot, 1); + spin_unlock(&dquot->dq_dqb_lock); } goto warn_put_all; } @@ -1709,6 +1714,7 @@ EXPORT_SYMBOL(dquot_alloc_inode); int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) { struct dquot **dquots; + struct dquot *dquot; int cnt, index; if (!dquot_active(inode)) { @@ -1724,9 +1730,8 @@ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) spin_lock(&inode->i_lock); /* Claim reserved quotas to allocated quotas */ for (cnt = 0; cnt < MAXQUOTAS; cnt++) { - if (dquots[cnt]) { - struct dquot *dquot = dquots[cnt]; - + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (dquot) { spin_lock(&dquot->dq_dqb_lock); if (WARN_ON_ONCE(dquot->dq_dqb.dqb_rsvspace < number)) number = dquot->dq_dqb.dqb_rsvspace; @@ -1751,6 +1756,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty); void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) { struct dquot **dquots; + struct dquot *dquot; int cnt, index; if (!dquot_active(inode)) { @@ -1766,9 +1772,8 @@ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) spin_lock(&inode->i_lock); /* Claim reserved quotas to allocated quotas */ for (cnt = 0; cnt < MAXQUOTAS; cnt++) { - if (dquots[cnt]) { - struct dquot *dquot = dquots[cnt]; - + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (dquot) { spin_lock(&dquot->dq_dqb_lock); if (WARN_ON_ONCE(dquot->dq_dqb.dqb_curspace < number)) number = dquot->dq_dqb.dqb_curspace; @@ -1795,6 +1800,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) unsigned int cnt; struct dquot_warn warn[MAXQUOTAS]; struct dquot **dquots; + struct dquot *dquot; int reserve = flags & DQUOT_SPACE_RESERVE, index; if (!dquot_active(inode)) { @@ -1815,17 +1821,18 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) int wtype; warn[cnt].w_type = QUOTA_NL_NOWARN; - if (!dquots[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (!dquot) continue; - spin_lock(&dquots[cnt]->dq_dqb_lock); - wtype = info_bdq_free(dquots[cnt], number); + spin_lock(&dquot->dq_dqb_lock); + wtype = info_bdq_free(dquot, number); if (wtype != QUOTA_NL_NOWARN) - prepare_warning(&warn[cnt], dquots[cnt], wtype); + prepare_warning(&warn[cnt], dquot, wtype); if (reserve) - dquot_free_reserved_space(dquots[cnt], number); + dquot_free_reserved_space(dquot, number); else - dquot_decr_space(dquots[cnt], number); - spin_unlock(&dquots[cnt]->dq_dqb_lock); + dquot_decr_space(dquot, number); + spin_unlock(&dquot->dq_dqb_lock); } if (reserve) *inode_reserved_space(inode) -= number; @@ -1850,6 +1857,7 @@ void dquot_free_inode(struct inode *inode) unsigned int cnt; struct dquot_warn warn[MAXQUOTAS]; struct dquot * const *dquots; + struct dquot *dquot; int index; if (!dquot_active(inode)) @@ -1860,16 +1868,16 @@ void dquot_free_inode(struct inode *inode) spin_lock(&inode->i_lock); for (cnt = 0; cnt < MAXQUOTAS; cnt++) { int wtype; - warn[cnt].w_type = QUOTA_NL_NOWARN; - if (!dquots[cnt]) + dquot = srcu_dereference(dquots[cnt], &dquot_srcu); + if (!dquot) continue; - spin_lock(&dquots[cnt]->dq_dqb_lock); - wtype = info_idq_free(dquots[cnt], 1); + spin_lock(&dquot->dq_dqb_lock); + wtype = info_idq_free(dquot, 1); if (wtype != QUOTA_NL_NOWARN) - prepare_warning(&warn[cnt], dquots[cnt], wtype); - dquot_decr_inodes(dquots[cnt], 1); - spin_unlock(&dquots[cnt]->dq_dqb_lock); + prepare_warning(&warn[cnt], dquot, wtype); + dquot_decr_inodes(dquot, 1); + spin_unlock(&dquot->dq_dqb_lock); } spin_unlock(&inode->i_lock); mark_all_dquot_dirty(dquots); @@ -1896,7 +1904,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) qsize_t rsv_space = 0; qsize_t inode_usage = 1; struct dquot *transfer_from[MAXQUOTAS] = {}; - int cnt, ret = 0; + int cnt, index, ret = 0; char is_valid[MAXQUOTAS] = {}; struct dquot_warn warn_to[MAXQUOTAS]; struct dquot_warn warn_from_inodes[MAXQUOTAS]; @@ -1985,8 +1993,16 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) spin_unlock(&inode->i_lock); spin_unlock(&dq_data_lock); + /* + * These arrays are local and we hold dquot references so we don't need + * the srcu protection but still take dquot_srcu to avoid warning in + * mark_all_dquot_dirty(). + */ + index = srcu_read_lock(&dquot_srcu); mark_all_dquot_dirty(transfer_from); mark_all_dquot_dirty(transfer_to); + srcu_read_unlock(&dquot_srcu, index); + flush_warnings(warn_to); flush_warnings(warn_from_inodes); flush_warnings(warn_from_space); From 9b7a96f32e377542671c0cc2c43a1ab5cfa84723 Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Tue, 6 Feb 2024 15:32:09 +0100 Subject: [PATCH 128/176] quota: Fix rcu annotations of inode dquot pointers [ Upstream commit 179b8c97ebf63429589f5afeba59a181fe70603e ] Dquot pointers in i_dquot array in the inode are protected by dquot_srcu. Annotate the array pointers with __rcu, perform the locked dereferences with srcu_dereference_check() instead of plain reads, and set the array elements with rcu_assign_pointer(). Fixes: b9ba6f94b238 ("quota: remove dqptr_sem") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202402061900.rTuYDlo6-lkp@intel.com/ Signed-off-by: Jan Kara Signed-off-by: Sasha Levin (cherry picked from commit 06172dff9a47e76dfce9b60d44ef21131b417803) Signed-off-by: Harshit Mogalapalli --- fs/quota/dquot.c | 66 ++++++++++++++++++++++++++++-------------------- 1 file changed, 39 insertions(+), 27 deletions(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index 3e987b961cbc..403da8387fcb 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -368,7 +368,7 @@ int dquot_mark_dquot_dirty(struct dquot *dquot) EXPORT_SYMBOL(dquot_mark_dquot_dirty); /* Dirtify all the dquots - this can block when journalling */ -static inline int mark_all_dquot_dirty(struct dquot * const *dquots) +static inline int mark_all_dquot_dirty(struct dquot __rcu * const *dquots) { int ret, err, cnt; struct dquot *dquot; @@ -919,14 +919,15 @@ out: } EXPORT_SYMBOL(dqget); -static inline struct dquot **i_dquot(struct inode *inode) +static inline struct dquot __rcu **i_dquot(struct inode *inode) { - return inode->i_sb->s_op->get_dquots(inode); + /* Force __rcu for now until filesystems are fixed */ + return (struct dquot __rcu **)inode->i_sb->s_op->get_dquots(inode); } static int dqinit_needed(struct inode *inode, int type) { - struct dquot * const *dquots; + struct dquot __rcu * const *dquots; int cnt; if (IS_NOQUOTA(inode)) @@ -1016,14 +1017,16 @@ static void remove_dquot_ref(struct super_block *sb, int type) */ spin_lock(&dq_data_lock); if (!IS_NOQUOTA(inode)) { - struct dquot **dquots = i_dquot(inode); - struct dquot *dquot = dquots[type]; + struct dquot __rcu **dquots = i_dquot(inode); + struct dquot *dquot = srcu_dereference_check( + dquots[type], &dquot_srcu, + lockdep_is_held(&dq_data_lock)); #ifdef CONFIG_QUOTA_DEBUG if (unlikely(inode_get_rsv_space(inode) > 0)) reserved = 1; #endif - dquots[type] = NULL; + rcu_assign_pointer(dquots[type], NULL); if (dquot) dqput(dquot); } @@ -1376,7 +1379,8 @@ static int dquot_active(const struct inode *inode) static int __dquot_initialize(struct inode *inode, int type) { int cnt, init_needed = 0; - struct dquot **dquots, *got[MAXQUOTAS] = {}; + struct dquot __rcu **dquots; + struct dquot *got[MAXQUOTAS] = {}; struct super_block *sb = inode->i_sb; qsize_t rsv; int ret = 0; @@ -1451,7 +1455,7 @@ static int __dquot_initialize(struct inode *inode, int type) if (!got[cnt]) continue; if (!dquots[cnt]) { - dquots[cnt] = got[cnt]; + rcu_assign_pointer(dquots[cnt], got[cnt]); got[cnt] = NULL; /* * Make quota reservation system happy if someone @@ -1459,12 +1463,16 @@ static int __dquot_initialize(struct inode *inode, int type) */ rsv = inode_get_rsv_space(inode); if (unlikely(rsv)) { + struct dquot *dquot = srcu_dereference_check( + dquots[cnt], &dquot_srcu, + lockdep_is_held(&dq_data_lock)); + spin_lock(&inode->i_lock); /* Get reservation again under proper lock */ rsv = __inode_get_rsv_space(inode); - spin_lock(&dquots[cnt]->dq_dqb_lock); - dquots[cnt]->dq_dqb.dqb_rsvspace += rsv; - spin_unlock(&dquots[cnt]->dq_dqb_lock); + spin_lock(&dquot->dq_dqb_lock); + dquot->dq_dqb.dqb_rsvspace += rsv; + spin_unlock(&dquot->dq_dqb_lock); spin_unlock(&inode->i_lock); } } @@ -1486,7 +1494,7 @@ EXPORT_SYMBOL(dquot_initialize); bool dquot_initialize_needed(struct inode *inode) { - struct dquot **dquots; + struct dquot __rcu **dquots; int i; if (!dquot_active(inode)) @@ -1511,13 +1519,14 @@ EXPORT_SYMBOL(dquot_initialize_needed); static void __dquot_drop(struct inode *inode) { int cnt; - struct dquot **dquots = i_dquot(inode); + struct dquot __rcu **dquots = i_dquot(inode); struct dquot *put[MAXQUOTAS]; spin_lock(&dq_data_lock); for (cnt = 0; cnt < MAXQUOTAS; cnt++) { - put[cnt] = dquots[cnt]; - dquots[cnt] = NULL; + put[cnt] = srcu_dereference_check(dquots[cnt], &dquot_srcu, + lockdep_is_held(&dq_data_lock)); + rcu_assign_pointer(dquots[cnt], NULL); } spin_unlock(&dq_data_lock); dqput_all(put); @@ -1525,7 +1534,7 @@ static void __dquot_drop(struct inode *inode) void dquot_drop(struct inode *inode) { - struct dquot * const *dquots; + struct dquot __rcu * const *dquots; int cnt; if (IS_NOQUOTA(inode)) @@ -1598,7 +1607,7 @@ int __dquot_alloc_space(struct inode *inode, qsize_t number, int flags) int cnt, ret = 0, index; struct dquot_warn warn[MAXQUOTAS]; int reserve = flags & DQUOT_SPACE_RESERVE; - struct dquot **dquots; + struct dquot __rcu **dquots; struct dquot *dquot; if (!dquot_active(inode)) { @@ -1668,7 +1677,7 @@ int dquot_alloc_inode(struct inode *inode) { int cnt, ret = 0, index; struct dquot_warn warn[MAXQUOTAS]; - struct dquot * const *dquots; + struct dquot __rcu * const *dquots; struct dquot *dquot; if (!dquot_active(inode)) @@ -1713,7 +1722,7 @@ EXPORT_SYMBOL(dquot_alloc_inode); */ int dquot_claim_space_nodirty(struct inode *inode, qsize_t number) { - struct dquot **dquots; + struct dquot __rcu **dquots; struct dquot *dquot; int cnt, index; @@ -1755,7 +1764,7 @@ EXPORT_SYMBOL(dquot_claim_space_nodirty); */ void dquot_reclaim_space_nodirty(struct inode *inode, qsize_t number) { - struct dquot **dquots; + struct dquot __rcu **dquots; struct dquot *dquot; int cnt, index; @@ -1799,7 +1808,7 @@ void __dquot_free_space(struct inode *inode, qsize_t number, int flags) { unsigned int cnt; struct dquot_warn warn[MAXQUOTAS]; - struct dquot **dquots; + struct dquot __rcu **dquots; struct dquot *dquot; int reserve = flags & DQUOT_SPACE_RESERVE, index; @@ -1856,7 +1865,7 @@ void dquot_free_inode(struct inode *inode) { unsigned int cnt; struct dquot_warn warn[MAXQUOTAS]; - struct dquot * const *dquots; + struct dquot __rcu * const *dquots; struct dquot *dquot; int index; @@ -1903,6 +1912,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) qsize_t cur_space; qsize_t rsv_space = 0; qsize_t inode_usage = 1; + struct dquot __rcu **dquots; struct dquot *transfer_from[MAXQUOTAS] = {}; int cnt, index, ret = 0; char is_valid[MAXQUOTAS] = {}; @@ -1935,6 +1945,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) } cur_space = __inode_get_bytes(inode); rsv_space = __inode_get_rsv_space(inode); + dquots = i_dquot(inode); /* * Build the transfer_from list, check limits, and update usage in * the target structures. @@ -1949,7 +1960,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) if (!sb_has_quota_active(inode->i_sb, cnt)) continue; is_valid[cnt] = 1; - transfer_from[cnt] = i_dquot(inode)[cnt]; + transfer_from[cnt] = srcu_dereference_check(dquots[cnt], + &dquot_srcu, lockdep_is_held(&dq_data_lock)); ret = dquot_add_inodes(transfer_to[cnt], inode_usage, &warn_to[cnt]); if (ret) @@ -1988,7 +2000,7 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) rsv_space); spin_unlock(&transfer_from[cnt]->dq_dqb_lock); } - i_dquot(inode)[cnt] = transfer_to[cnt]; + rcu_assign_pointer(dquots[cnt], transfer_to[cnt]); } spin_unlock(&inode->i_lock); spin_unlock(&dq_data_lock); @@ -1999,8 +2011,8 @@ int __dquot_transfer(struct inode *inode, struct dquot **transfer_to) * mark_all_dquot_dirty(). */ index = srcu_read_lock(&dquot_srcu); - mark_all_dquot_dirty(transfer_from); - mark_all_dquot_dirty(transfer_to); + mark_all_dquot_dirty((struct dquot __rcu **)transfer_from); + mark_all_dquot_dirty((struct dquot __rcu **)transfer_to); srcu_read_unlock(&dquot_srcu, index); flush_warnings(warn_to); From d85a1e5fdc93c04aad783ac5134fe266a0a372b7 Mon Sep 17 00:00:00 2001 From: Yang Jihong Date: Tue, 6 Feb 2024 08:32:28 +0000 Subject: [PATCH 129/176] perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str() [ Upstream commit 1eb3d924e3c0b8c27388b0583a989d757866efb6 ] slist needs to be freed in both error path and normal path in thread_map__new_by_tid_str(). Fixes: b52956c961be3a04 ("perf tools: Allow multiple threads or processes in record, stat, top") Reviewed-by: Arnaldo Carvalho de Melo Signed-off-by: Yang Jihong Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240206083228.172607-6-yangjihong1@huawei.com Signed-off-by: Sasha Levin (cherry picked from commit f9e92ad5eb0901cacac8f1cc4e5ea12514f7934b) Signed-off-by: Harshit Mogalapalli --- tools/perf/util/thread_map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/util/thread_map.c b/tools/perf/util/thread_map.c index be0d5a736dea..073e021040f9 100644 --- a/tools/perf/util/thread_map.c +++ b/tools/perf/util/thread_map.c @@ -302,13 +302,13 @@ struct thread_map *thread_map__new_by_tid_str(const char *tid_str) threads->nr = ntasks; } out: + strlist__delete(slist); if (threads) refcount_set(&threads->refcnt, 1); return threads; out_free_threads: zfree(&threads); - strlist__delete(slist); goto out; } From 38f97031f0e5fad4f2a081d34cd1a1365cca5e05 Mon Sep 17 00:00:00 2001 From: Nikita Zhandarovich Date: Tue, 6 Feb 2024 08:48:14 -0800 Subject: [PATCH 130/176] drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode() [ Upstream commit c4891d979c7668b195a0a75787967ec95a24ecef ] Clean up a typo in pr_err() erroneously printing NI MC 'rdev->mc_fw->size' during SMC firmware load. Log 'rdev->smc_fw->size' instead. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 6596afd48af4 ("drm/radeon/kms: add dpm support for btc (v3)") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin (cherry picked from commit 1c35795b90f4dce0605ace7eef9ae1bd1282ebf2) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/radeon/ni.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c index 9eccd0c81d88..6cd000590d7f 100644 --- a/drivers/gpu/drm/radeon/ni.c +++ b/drivers/gpu/drm/radeon/ni.c @@ -823,7 +823,7 @@ int ni_init_microcode(struct radeon_device *rdev) err = 0; } else if (rdev->smc_fw->size != smc_req_size) { pr_err("ni_mc: Bogus length %zu in firmware \"%s\"\n", - rdev->mc_fw->size, fw_name); + rdev->smc_fw->size, fw_name); err = -EINVAL; } } From 9075faa224b8911050442a04a83e7156df94f0b7 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 13 Feb 2024 14:53:43 +0100 Subject: [PATCH 131/176] ALSA: seq: fix function cast warnings [ Upstream commit d7bf73809849463f76de42aad62c850305dd6c5d ] clang-16 points out a control flow integrity (kcfi) issue when event callbacks get converted to incompatible types: sound/core/seq/seq_midi.c:135:30: error: cast from 'int (*)(struct snd_rawmidi_substream *, const char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 135 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ sound/core/seq/seq_virmidi.c:83:31: error: cast from 'int (*)(struct snd_rawmidi_substream *, const unsigned char *, int)' to 'snd_seq_dump_func_t' (aka 'int (*)(void *, void *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 83 | snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For addressing those errors, introduce wrapper functions that are used for callbacks and bridge to the actual function call with pointer cast. The code was originally added with the initial ALSA merge in linux-2.5.4. [ the patch description shamelessly copied from Arnd's original patch -- tiwai ] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240213101020.459183-1-arnd@kernel.org Link: https://lore.kernel.org/r/20240213135343.16411-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin (cherry picked from commit 9f9254f8927d9f4e4185ec18d8ee648dfcb5ed62) Signed-off-by: Harshit Mogalapalli --- sound/core/seq/seq_midi.c | 8 +++++++- sound/core/seq/seq_virmidi.c | 9 ++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/sound/core/seq/seq_midi.c b/sound/core/seq/seq_midi.c index 5dd0ee258359..a5e1e21ece3d 100644 --- a/sound/core/seq/seq_midi.c +++ b/sound/core/seq/seq_midi.c @@ -129,6 +129,12 @@ static int dump_midi(struct snd_rawmidi_substream *substream, const char *buf, i return 0; } +/* callback for snd_seq_dump_var_event(), bridging to dump_midi() */ +static int __dump_midi(void *ptr, void *buf, int count) +{ + return dump_midi(ptr, buf, count); +} + static int event_process_midi(struct snd_seq_event *ev, int direct, void *private_data, int atomic, int hop) { @@ -148,7 +154,7 @@ static int event_process_midi(struct snd_seq_event *ev, int direct, pr_debug("ALSA: seq_midi: invalid sysex event flags = 0x%x\n", ev->flags); return 0; } - snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)dump_midi, substream); + snd_seq_dump_var_event(ev, __dump_midi, substream); snd_midi_event_reset_decode(msynth->parser); } else { if (msynth->parser == NULL) diff --git a/sound/core/seq/seq_virmidi.c b/sound/core/seq/seq_virmidi.c index dd958d76ca5d..adfca2a709e9 100644 --- a/sound/core/seq/seq_virmidi.c +++ b/sound/core/seq/seq_virmidi.c @@ -76,6 +76,13 @@ static void snd_virmidi_init_event(struct snd_virmidi *vmidi, /* * decode input event and put to read buffer of each opened file */ + +/* callback for snd_seq_dump_var_event(), bridging to snd_rawmidi_receive() */ +static int dump_to_rawmidi(void *ptr, void *buf, int count) +{ + return snd_rawmidi_receive(ptr, buf, count); +} + static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, struct snd_seq_event *ev, bool atomic) @@ -94,7 +101,7 @@ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, if (ev->type == SNDRV_SEQ_EVENT_SYSEX) { if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE) continue; - snd_seq_dump_var_event(ev, (snd_seq_dump_func_t)snd_rawmidi_receive, vmidi->substream); + snd_seq_dump_var_event(ev, dump_to_rawmidi, vmidi->substream); snd_midi_event_reset_decode(vmidi->parser); } else { len = snd_midi_event_decode(vmidi->parser, msg, sizeof(msg), ev); From 0203c9b23b47d5e2f6d817b69d592ccc88d9a1f5 Mon Sep 17 00:00:00 2001 From: Daniil Dulov Date: Sun, 11 Feb 2024 07:07:05 -0800 Subject: [PATCH 132/176] media: go7007: add check of return value of go7007_read_addr() [ Upstream commit 0b70530ee740861f4776ff724fcc25023df1799a ] If go7007_read_addr() returns error channel is not assigned a value. In this case go to allocfail. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 866b8695d67e ("Staging: add the go7007 video driver") Signed-off-by: Daniil Dulov Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit ff13e3ce6aa4c0dfdbc6438fe3c03118afe3ee8c) Signed-off-by: Harshit Mogalapalli --- drivers/media/usb/go7007/go7007-usb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c index ddfaabd4c081..d36cac861ca3 100644 --- a/drivers/media/usb/go7007/go7007-usb.c +++ b/drivers/media/usb/go7007/go7007-usb.c @@ -1205,7 +1205,9 @@ static int go7007_usb_probe(struct usb_interface *intf, u16 channel; /* read channel number from GPIO[1:0] */ - go7007_read_addr(go, 0x3c81, &channel); + if (go7007_read_addr(go, 0x3c81, &channel)) + goto allocfail; + channel &= 0x3; go->board_id = GO7007_BOARDID_ADLINK_MPG24; usb->board = board = &board_adlink_mpg24; From ef1a77adc95fea554698fbbe7530b7e7da5ef4a6 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 13 Feb 2024 11:04:27 +0100 Subject: [PATCH 133/176] media: pvrusb2: fix pvr2_stream_callback casts [ Upstream commit 30baa4a96b23add91a87305baaeba82c4e109e1f ] clang-16 complains about a control flow integrity (KCFI) issue in pvrusb2, which casts three different prototypes into pvr2_stream_callback: drivers/media/usb/pvrusb2/pvrusb2-v4l2.c:1070:30: error: cast from 'void (*)(struct pvr2_v4l2_fh *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1070 | pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/media/usb/pvrusb2/pvrusb2-context.c:110:6: error: cast from 'void (*)(struct pvr2_context *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 110 | (void (*)(void *))pvr2_context_notify, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/media/usb/pvrusb2/pvrusb2-dvb.c:152:6: error: cast from 'void (*)(struct pvr2_dvb_adapter *)' to 'pvr2_stream_callback' (aka 'void (*)(void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 152 | (pvr2_stream_callback) pvr2_dvb_notify, adap); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Change the functions to actually take a void* argument so the cast is no longer needed. Fixes: bb8ce9d9143c ("V4L/DVB (7682): pvrusb2-dvb: finish up stream & buffer handling") Signed-off-by: Arnd Bergmann Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 4e93392ae27eb5f8ad4efd31cf8f1ecd5fdabe15) Signed-off-by: Harshit Mogalapalli --- drivers/media/usb/pvrusb2/pvrusb2-context.c | 8 ++++---- drivers/media/usb/pvrusb2/pvrusb2-dvb.c | 6 ++++-- drivers/media/usb/pvrusb2/pvrusb2-v4l2.c | 6 ++++-- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c index 9236463ba269..28a9cfef8f9f 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-context.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c @@ -99,8 +99,10 @@ static void pvr2_context_destroy(struct pvr2_context *mp) } -static void pvr2_context_notify(struct pvr2_context *mp) +static void pvr2_context_notify(void *ptr) { + struct pvr2_context *mp = ptr; + pvr2_context_set_notify(mp,!0); } @@ -115,9 +117,7 @@ static void pvr2_context_check(struct pvr2_context *mp) pvr2_trace(PVR2_TRACE_CTXT, "pvr2_context %p (initialize)", mp); /* Finish hardware initialization */ - if (pvr2_hdw_initialize(mp->hdw, - (void (*)(void *))pvr2_context_notify, - mp)) { + if (pvr2_hdw_initialize(mp->hdw, pvr2_context_notify, mp)) { mp->video_stream.stream = pvr2_hdw_get_video_stream(mp->hdw); /* Trigger interface initialization. By doing this diff --git a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c index 56c750535ee7..716d59112e93 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-dvb.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-dvb.c @@ -97,8 +97,10 @@ static int pvr2_dvb_feed_thread(void *data) return stat; } -static void pvr2_dvb_notify(struct pvr2_dvb_adapter *adap) +static void pvr2_dvb_notify(void *ptr) { + struct pvr2_dvb_adapter *adap = ptr; + wake_up(&adap->buffer_wait_data); } @@ -158,7 +160,7 @@ static int pvr2_dvb_stream_do_start(struct pvr2_dvb_adapter *adap) } pvr2_stream_set_callback(pvr->video_stream.stream, - (pvr2_stream_callback) pvr2_dvb_notify, adap); + pvr2_dvb_notify, adap); ret = pvr2_stream_set_buffer_count(stream, PVR2_DVB_BUFFER_COUNT); if (ret < 0) return ret; diff --git a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c index e0413db26781..b2ffdadeb593 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-v4l2.c @@ -1092,8 +1092,10 @@ static int pvr2_v4l2_open(struct file *file) } -static void pvr2_v4l2_notify(struct pvr2_v4l2_fh *fhp) +static void pvr2_v4l2_notify(void *ptr) { + struct pvr2_v4l2_fh *fhp = ptr; + wake_up(&fhp->wait_data); } @@ -1126,7 +1128,7 @@ static int pvr2_v4l2_iosetup(struct pvr2_v4l2_fh *fh) hdw = fh->channel.mc_head->hdw; sp = fh->pdi->stream->stream; - pvr2_stream_set_callback(sp,(pvr2_stream_callback)pvr2_v4l2_notify,fh); + pvr2_stream_set_callback(sp, pvr2_v4l2_notify, fh); pvr2_hdw_set_stream_type(hdw,fh->pdi->config); if ((ret = pvr2_hdw_set_streaming(hdw,!0)) < 0) return ret; return pvr2_ioread_set_enabled(fh->rhp,!0); From bbb93685c7c6f27816955df2d599ca30a5ff2dbb Mon Sep 17 00:00:00 2001 From: AngeloGioacchino Del Regno Date: Thu, 15 Feb 2024 09:53:09 +0100 Subject: [PATCH 134/176] drm/mediatek: dsi: Fix DSI RGB666 formats and definitions [ Upstream commit fae6f815505301b92d9113764f4d76d0bfe45607 ] The register bits definitions for RGB666 formats are wrong in multiple ways: first, in the DSI_PS_SEL bits region, the Packed 18-bits RGB666 format is selected with bit 1, while the Loosely Packed one is bit 2, and second - the definition name "LOOSELY_PS_18BIT_RGB666" is wrong because the loosely packed format is 24 bits instead! Either way, functions mtk_dsi_ps_control_vact() and mtk_dsi_ps_control() do not even agree on the DSI_PS_SEL bit to set in DSI_PSCTRL: one sets loosely packed (24) on RGB666, the other sets packed (18), and the other way around for RGB666_PACKED. Fixing this entire stack of issues is done in one go: - Use the correct bit for the Loosely Packed RGB666 definition - Rename LOOSELY_PS_18BIT_RGB666 to LOOSELY_PS_24BIT_RGB666 - Change ps_bpp_mode in mtk_dsi_ps_control_vact() to set: - Loosely Packed, 24-bits for MIPI_DSI_FMT_RGB666 - Packed, 18-bits for MIPI_DSI_FMT_RGB666_PACKED Fixes: 2e54c14e310f ("drm/mediatek: Add DSI sub driver") Reviewed-by: Alexandre Mergnat Reviewed-by: CK Hu Signed-off-by: AngeloGioacchino Del Regno Link: https://patchwork.kernel.org/project/dri-devel/patch/20240215085316.56835-3-angelogioacchino.delregno@collabora.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin (cherry picked from commit a5e660dba9ff73531053664e20dd858d880adbdb) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/mediatek/mtk_dsi.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c index 7ae243122f68..66100be1c3bf 100644 --- a/drivers/gpu/drm/mediatek/mtk_dsi.c +++ b/drivers/gpu/drm/mediatek/mtk_dsi.c @@ -70,8 +70,8 @@ #define DSI_PS_WC 0x3fff #define DSI_PS_SEL (3 << 16) #define PACKED_PS_16BIT_RGB565 (0 << 16) -#define LOOSELY_PS_18BIT_RGB666 (1 << 16) -#define PACKED_PS_18BIT_RGB666 (2 << 16) +#define PACKED_PS_18BIT_RGB666 (1 << 16) +#define LOOSELY_PS_24BIT_RGB666 (2 << 16) #define PACKED_PS_24BIT_RGB888 (3 << 16) #define DSI_VSA_NL 0x20 @@ -327,10 +327,10 @@ static void mtk_dsi_ps_control_vact(struct mtk_dsi *dsi) ps_bpp_mode |= PACKED_PS_24BIT_RGB888; break; case MIPI_DSI_FMT_RGB666: - ps_bpp_mode |= PACKED_PS_18BIT_RGB666; + ps_bpp_mode |= LOOSELY_PS_24BIT_RGB666; break; case MIPI_DSI_FMT_RGB666_PACKED: - ps_bpp_mode |= LOOSELY_PS_18BIT_RGB666; + ps_bpp_mode |= PACKED_PS_18BIT_RGB666; break; case MIPI_DSI_FMT_RGB565: ps_bpp_mode |= PACKED_PS_16BIT_RGB565; @@ -381,7 +381,7 @@ static void mtk_dsi_ps_control(struct mtk_dsi *dsi) dsi_tmp_buf_bpp = 3; break; case MIPI_DSI_FMT_RGB666: - tmp_reg = LOOSELY_PS_18BIT_RGB666; + tmp_reg = LOOSELY_PS_24BIT_RGB666; dsi_tmp_buf_bpp = 3; break; case MIPI_DSI_FMT_RGB666_PACKED: From 8bfb9ffc388bc45abfcbf77b8b2c0715c4a950f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wedekind?= Date: Mon, 19 Feb 2024 14:28:11 +0100 Subject: [PATCH 135/176] PCI: Mark 3ware-9650SE Root Port Extended Tags as broken MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit baf67aefbe7d7deafa59ca49612d163f8889934c ] Per PCIe r6.1, sec 2.2.6.2 and 7.5.3.4, a Requester may not use 8-bit Tags unless its Extended Tag Field Enable is set, but all Receivers/Completers must handle 8-bit Tags correctly regardless of their Extended Tag Field Enable. Some devices do not handle 8-bit Tags as Completers, so add a quirk for them. If we find such a device, we disable Extended Tags for the entire hierarchy to make peer-to-peer DMA possible. The 3ware 9650SE seems to have issues with handling 8-bit tags. Mark it as broken. This fixes PCI Parity Errors like : 3w-9xxx: scsi0: ERROR: (0x06:0x000C): PCI Parity Error: clearing. 3w-9xxx: scsi0: ERROR: (0x06:0x000D): PCI Abort: clearing. 3w-9xxx: scsi0: ERROR: (0x06:0x000E): Controller Queue Error: clearing. 3w-9xxx: scsi0: ERROR: (0x06:0x0010): Microcontroller Error: clearing. Link: https://lore.kernel.org/r/20240219132811.8351-1-joerg@wedekind.de Fixes: 60db3a4d8cc9 ("PCI: Enable PCIe Extended Tags if supported") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=202425 Signed-off-by: Jörg Wedekind Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin (cherry picked from commit 8443ceba0a8e5960e134ef26346266cb2d3a251d) Signed-off-by: Harshit Mogalapalli --- drivers/pci/quirks.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index ef9303547484..764fcb521a75 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -5101,6 +5101,7 @@ static void quirk_no_ext_tags(struct pci_dev *pdev) pci_walk_bus(bridge->bus, pci_configure_extended_tags, NULL); } +DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_3WARE, 0x1004, quirk_no_ext_tags); DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0132, quirk_no_ext_tags); DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0140, quirk_no_ext_tags); DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0141, quirk_no_ext_tags); From 2c4e4f364fc917492491e7e801a11aa3d021eaba Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Wed, 10 Jan 2024 19:58:21 +0100 Subject: [PATCH 136/176] clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister() [ Upstream commit 74e39f526d95c0c119ada1874871ee328c59fbee ] The gates are stored in 'hi3519_gate_clks', not 'hi3519_mux_clks'. This is also in line with how hisi_clk_register_gate() is called in the probe. Fixes: 224b3b262c52 ("clk: hisilicon: hi3519: add driver remove path and fix some issues") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/c3f1877c9a0886fa35c949c8f0ef25547f284f18.1704912510.git.christophe.jaillet@wanadoo.fr Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin (cherry picked from commit 907370aacf216e3a662d44e88d204413488444b3) Signed-off-by: Harshit Mogalapalli --- drivers/clk/hisilicon/clk-hi3519.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/hisilicon/clk-hi3519.c b/drivers/clk/hisilicon/clk-hi3519.c index 51b173ef1dda..d789735160a2 100644 --- a/drivers/clk/hisilicon/clk-hi3519.c +++ b/drivers/clk/hisilicon/clk-hi3519.c @@ -142,7 +142,7 @@ static void hi3519_clk_unregister(struct platform_device *pdev) of_clk_del_provider(pdev->dev.of_node); hisi_clk_unregister_gate(hi3519_gate_clks, - ARRAY_SIZE(hi3519_mux_clks), + ARRAY_SIZE(hi3519_gate_clks), crg->clk_data); hisi_clk_unregister_mux(hi3519_mux_clks, ARRAY_SIZE(hi3519_mux_clks), From 964b1a6dfa9591962a88502cbce73e0d5a39f12c Mon Sep 17 00:00:00 2001 From: Fedor Pchelkin Date: Fri, 15 Dec 2023 12:33:55 +0300 Subject: [PATCH 137/176] drm/tegra: put drm_gem_object ref on error in tegra_fb_create [ Upstream commit 32e5a120a5105bce01561978ee55aee8e40ac0dc ] Inside tegra_fb_create(), drm_gem_object_lookup() increments ref count of the found object. But if the following size check fails then the last found object's ref count should be put there as the unreferencing loop can't detect this situation. Found by Linux Verification Center (linuxtesting.org). Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb") Signed-off-by: Fedor Pchelkin Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20231215093356.12067-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin (cherry picked from commit d674e78da934afd2ce5935eff08cf5361a9a27ac) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/tegra/fb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/tegra/fb.c b/drivers/gpu/drm/tegra/fb.c index 80540c1c66dc..4fe3c74c370e 100644 --- a/drivers/gpu/drm/tegra/fb.c +++ b/drivers/gpu/drm/tegra/fb.c @@ -179,6 +179,7 @@ struct drm_framebuffer *tegra_fb_create(struct drm_device *drm, if (gem->size < size) { err = -EINVAL; + drm_gem_object_put(gem); goto unreference; } From cc17862516e0adc1504c13f2bcf8e6e660af3912 Mon Sep 17 00:00:00 2001 From: Peter Griffin Date: Tue, 20 Feb 2024 11:50:10 +0000 Subject: [PATCH 138/176] mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref [ Upstream commit d2b0680cf3b05490b579e71b0df6e07451977745 ] of_parse_phandle() returns a device_node with refcount incremented, which the callee needs to call of_node_put() on when done. We should only call of_node_put() when the property argument is provided though as otherwise nothing has taken a reference on the node. Fixes: 45330bb43421 ("mfd: syscon: Allow property as NULL in syscon_regmap_lookup_by_phandle") Signed-off-by: Peter Griffin Link: https://lore.kernel.org/r/20240220115012.471689-2-peter.griffin@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin (cherry picked from commit 5d16d3dc28a95915c1f7a41f68f2a069ced4b578) Signed-off-by: Harshit Mogalapalli --- drivers/mfd/syscon.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c index b93fe4c4957a..3a4ba3bd44c6 100644 --- a/drivers/mfd/syscon.c +++ b/drivers/mfd/syscon.c @@ -190,7 +190,9 @@ struct regmap *syscon_regmap_lookup_by_phandle(struct device_node *np, return ERR_PTR(-ENODEV); regmap = syscon_node_to_regmap(syscon_np); - of_node_put(syscon_np); + + if (property) + of_node_put(syscon_np); return regmap; } From 7fc8137190a1cebb8826d8ed71480d2653801e3f Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Sun, 1 Sep 2019 22:35:24 +0200 Subject: [PATCH 139/176] crypto: arm - Rename functions to avoid conflict with crypto/sha256.h [ Upstream commit e4dcc1be15268b6d34de3968f906577591521bd5 ] Rename static / file-local functions so that they do not conflict with the functions declared in crypto/sha256.h. This is a preparation patch for folding crypto/sha256.h into crypto/sha.h. Signed-off-by: Hans de Goede Signed-off-by: Herbert Xu Stable-dep-of: 53cc9baeb9bc ("crypto: arm/sha - fix function cast warnings") Signed-off-by: Sasha Levin (cherry picked from commit bdb1db7115d9b2a9d10c101dfc67386485fad00d) Signed-off-by: Harshit Mogalapalli --- arch/arm/crypto/sha256_glue.c | 8 ++++---- arch/arm/crypto/sha256_neon_glue.c | 24 ++++++++++++------------ 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c index a84e869ef900..36d422ffa9b0 100644 --- a/arch/arm/crypto/sha256_glue.c +++ b/arch/arm/crypto/sha256_glue.c @@ -44,7 +44,7 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data, } EXPORT_SYMBOL(crypto_sha256_arm_update); -static int sha256_final(struct shash_desc *desc, u8 *out) +static int crypto_sha256_arm_final(struct shash_desc *desc, u8 *out) { sha256_base_do_finalize(desc, (sha256_block_fn *)sha256_block_data_order); @@ -56,7 +56,7 @@ int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data, { sha256_base_do_update(desc, data, len, (sha256_block_fn *)sha256_block_data_order); - return sha256_final(desc, out); + return crypto_sha256_arm_final(desc, out); } EXPORT_SYMBOL(crypto_sha256_arm_finup); @@ -64,7 +64,7 @@ static struct shash_alg algs[] = { { .digestsize = SHA256_DIGEST_SIZE, .init = sha256_base_init, .update = crypto_sha256_arm_update, - .final = sha256_final, + .final = crypto_sha256_arm_final, .finup = crypto_sha256_arm_finup, .descsize = sizeof(struct sha256_state), .base = { @@ -79,7 +79,7 @@ static struct shash_alg algs[] = { { .digestsize = SHA224_DIGEST_SIZE, .init = sha224_base_init, .update = crypto_sha256_arm_update, - .final = sha256_final, + .final = crypto_sha256_arm_final, .finup = crypto_sha256_arm_finup, .descsize = sizeof(struct sha256_state), .base = { diff --git a/arch/arm/crypto/sha256_neon_glue.c b/arch/arm/crypto/sha256_neon_glue.c index 39ccd658817e..d4d6ecde9ff1 100644 --- a/arch/arm/crypto/sha256_neon_glue.c +++ b/arch/arm/crypto/sha256_neon_glue.c @@ -29,8 +29,8 @@ asmlinkage void sha256_block_data_order_neon(u32 *digest, const void *data, unsigned int num_blks); -static int sha256_update(struct shash_desc *desc, const u8 *data, - unsigned int len) +static int crypto_sha256_neon_update(struct shash_desc *desc, const u8 *data, + unsigned int len) { struct sha256_state *sctx = shash_desc_ctx(desc); @@ -46,8 +46,8 @@ static int sha256_update(struct shash_desc *desc, const u8 *data, return 0; } -static int sha256_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) +static int crypto_sha256_neon_finup(struct shash_desc *desc, const u8 *data, + unsigned int len, u8 *out) { if (!may_use_simd()) return crypto_sha256_arm_finup(desc, data, len, out); @@ -63,17 +63,17 @@ static int sha256_finup(struct shash_desc *desc, const u8 *data, return sha256_base_finish(desc, out); } -static int sha256_final(struct shash_desc *desc, u8 *out) +static int crypto_sha256_neon_final(struct shash_desc *desc, u8 *out) { - return sha256_finup(desc, NULL, 0, out); + return crypto_sha256_neon_finup(desc, NULL, 0, out); } struct shash_alg sha256_neon_algs[] = { { .digestsize = SHA256_DIGEST_SIZE, .init = sha256_base_init, - .update = sha256_update, - .final = sha256_final, - .finup = sha256_finup, + .update = crypto_sha256_neon_update, + .final = crypto_sha256_neon_final, + .finup = crypto_sha256_neon_finup, .descsize = sizeof(struct sha256_state), .base = { .cra_name = "sha256", @@ -86,9 +86,9 @@ struct shash_alg sha256_neon_algs[] = { { }, { .digestsize = SHA224_DIGEST_SIZE, .init = sha224_base_init, - .update = sha256_update, - .final = sha256_final, - .finup = sha256_finup, + .update = crypto_sha256_neon_update, + .final = crypto_sha256_neon_final, + .finup = crypto_sha256_neon_finup, .descsize = sizeof(struct sha256_state), .base = { .cra_name = "sha224", From 0147d403e14fcf04d14e54c8db8c92e0b9e895c1 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 13 Feb 2024 14:49:46 +0100 Subject: [PATCH 140/176] crypto: arm/sha - fix function cast warnings [ Upstream commit 53cc9baeb9bc2a187eb9c9790d30995148852b12 ] clang-16 warns about casting between incompatible function types: arch/arm/crypto/sha256_glue.c:37:5: error: cast from 'void (*)(u32 *, const void *, unsigned int)' (aka 'void (*)(unsigned int *, const void *, unsigned int)') to 'sha256_block_fn *' (aka 'void (*)(struct sha256_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 37 | (sha256_block_fn *)sha256_block_data_order); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ arch/arm/crypto/sha512-glue.c:34:3: error: cast from 'void (*)(u64 *, const u8 *, int)' (aka 'void (*)(unsigned long long *, const unsigned char *, int)') to 'sha512_block_fn *' (aka 'void (*)(struct sha512_state *, const unsigned char *, int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 34 | (sha512_block_fn *)sha512_block_data_order); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix the prototypes for the assembler functions to match the typedef. The code already relies on the digest being the first part of the state structure, so there is no change in behavior. Fixes: c80ae7ca3726 ("crypto: arm/sha512 - accelerated SHA-512 using ARM generic ASM and NEON") Fixes: b59e2ae3690c ("crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer") Signed-off-by: Arnd Bergmann Reviewed-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin (cherry picked from commit 8d27d1b155c26bae2bd76b0c3e78cc4f1f1e21c5) Signed-off-by: Harshit Mogalapalli --- arch/arm/crypto/sha256_glue.c | 13 +++++-------- arch/arm/crypto/sha512-glue.c | 12 +++++------- 2 files changed, 10 insertions(+), 15 deletions(-) diff --git a/arch/arm/crypto/sha256_glue.c b/arch/arm/crypto/sha256_glue.c index 36d422ffa9b0..6fcaadcc0c57 100644 --- a/arch/arm/crypto/sha256_glue.c +++ b/arch/arm/crypto/sha256_glue.c @@ -30,8 +30,8 @@ #include "sha256_glue.h" -asmlinkage void sha256_block_data_order(u32 *digest, const void *data, - unsigned int num_blks); +asmlinkage void sha256_block_data_order(struct sha256_state *state, + const u8 *data, int num_blks); int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data, unsigned int len) @@ -39,23 +39,20 @@ int crypto_sha256_arm_update(struct shash_desc *desc, const u8 *data, /* make sure casting to sha256_block_fn() is safe */ BUILD_BUG_ON(offsetof(struct sha256_state, state) != 0); - return sha256_base_do_update(desc, data, len, - (sha256_block_fn *)sha256_block_data_order); + return sha256_base_do_update(desc, data, len, sha256_block_data_order); } EXPORT_SYMBOL(crypto_sha256_arm_update); static int crypto_sha256_arm_final(struct shash_desc *desc, u8 *out) { - sha256_base_do_finalize(desc, - (sha256_block_fn *)sha256_block_data_order); + sha256_base_do_finalize(desc, sha256_block_data_order); return sha256_base_finish(desc, out); } int crypto_sha256_arm_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { - sha256_base_do_update(desc, data, len, - (sha256_block_fn *)sha256_block_data_order); + sha256_base_do_update(desc, data, len, sha256_block_data_order); return crypto_sha256_arm_final(desc, out); } EXPORT_SYMBOL(crypto_sha256_arm_finup); diff --git a/arch/arm/crypto/sha512-glue.c b/arch/arm/crypto/sha512-glue.c index 269a394e4a53..dec4e1f5bc43 100644 --- a/arch/arm/crypto/sha512-glue.c +++ b/arch/arm/crypto/sha512-glue.c @@ -28,27 +28,25 @@ MODULE_ALIAS_CRYPTO("sha512"); MODULE_ALIAS_CRYPTO("sha384-arm"); MODULE_ALIAS_CRYPTO("sha512-arm"); -asmlinkage void sha512_block_data_order(u64 *state, u8 const *src, int blocks); +asmlinkage void sha512_block_data_order(struct sha512_state *state, + u8 const *src, int blocks); int sha512_arm_update(struct shash_desc *desc, const u8 *data, unsigned int len) { - return sha512_base_do_update(desc, data, len, - (sha512_block_fn *)sha512_block_data_order); + return sha512_base_do_update(desc, data, len, sha512_block_data_order); } int sha512_arm_final(struct shash_desc *desc, u8 *out) { - sha512_base_do_finalize(desc, - (sha512_block_fn *)sha512_block_data_order); + sha512_base_do_finalize(desc, sha512_block_data_order); return sha512_base_finish(desc, out); } int sha512_arm_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { - sha512_base_do_update(desc, data, len, - (sha512_block_fn *)sha512_block_data_order); + sha512_base_do_update(desc, data, len, sha512_block_data_order); return sha512_arm_final(desc, out); } From 1b84c12ebaccfd96af1d200d69bad289842962a9 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 13 Feb 2024 11:00:09 +0100 Subject: [PATCH 141/176] mtd: rawnand: lpc32xx_mlc: fix irq handler prototype [ Upstream commit 347b828882e6334690e7003ce5e2fe5f233dc508 ] clang-16 warns about mismatched function prototypes: drivers/mtd/nand/raw/lpc32xx_mlc.c:783:29: error: cast from 'irqreturn_t (*)(int, struct lpc32xx_nand_host *)' (aka 'enum irqreturn (*)(int, struct lpc32xx_nand_host *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] Change the interrupt handler to the normal way of just passing a void* pointer and converting it inside the function.. Fixes: 70f7cb78ec53 ("mtd: add LPC32xx MLC NAND driver") Signed-off-by: Arnd Bergmann Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240213100146.455811-1-arnd@kernel.org Signed-off-by: Sasha Levin (cherry picked from commit 9fc05d7953b0d71372b632e1d62abf78c6ac9d64) Signed-off-by: Harshit Mogalapalli --- drivers/mtd/nand/lpc32xx_mlc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/nand/lpc32xx_mlc.c b/drivers/mtd/nand/lpc32xx_mlc.c index d19d07931c2b..24dd74a10a3d 100644 --- a/drivers/mtd/nand/lpc32xx_mlc.c +++ b/drivers/mtd/nand/lpc32xx_mlc.c @@ -315,8 +315,9 @@ static int lpc32xx_nand_device_ready(struct mtd_info *mtd) return 0; } -static irqreturn_t lpc3xxx_nand_irq(int irq, struct lpc32xx_nand_host *host) +static irqreturn_t lpc3xxx_nand_irq(int irq, void *data) { + struct lpc32xx_nand_host *host = data; uint8_t sr; /* Clear interrupt flag by reading status */ @@ -783,7 +784,7 @@ static int lpc32xx_nand_probe(struct platform_device *pdev) goto err_exit3; } - if (request_irq(host->irq, (irq_handler_t)&lpc3xxx_nand_irq, + if (request_irq(host->irq, &lpc3xxx_nand_irq, IRQF_TRIGGER_HIGH, DRV_NAME, host)) { dev_err(&pdev->dev, "Error requesting NAND IRQ\n"); res = -ENXIO; From d7fb1c3d480ad75315a420879665772dd588cd44 Mon Sep 17 00:00:00 2001 From: Srinivasan Shanmugam Date: Sat, 24 Feb 2024 07:48:52 +0530 Subject: [PATCH 142/176] drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 7cf1ad2fe10634238b38442a851d89514cb14ea2 ] Missing break statement in the ATOM_ARG_IMM case of a switch statement, adds the missing break statement, ensuring that the program's control flow is as intended. Fixes the below: drivers/gpu/drm/amd/amdgpu/atom.c:323 atom_get_src_int() warn: ignoring unreachable code. Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Cc: Jammy Zhou Cc: Christian König Cc: Alex Deucher Signed-off-by: Srinivasan Shanmugam Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin (cherry picked from commit 5a2b18dbec88b972d570994483f188cb59586609) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/amd/amdgpu/atom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c index e4874cc209ef..52c56b24ac2a 100644 --- a/drivers/gpu/drm/amd/amdgpu/atom.c +++ b/drivers/gpu/drm/amd/amdgpu/atom.c @@ -306,7 +306,7 @@ static uint32_t atom_get_src_int(atom_exec_context *ctx, uint8_t attr, DEBUG("IMM 0x%02X\n", val); return val; } - return 0; + break; case ATOM_ARG_PLL: idx = U8(*ptr); (*ptr)++; From 6251ccc9fe18868635199a6e3dcd17ac5732060a Mon Sep 17 00:00:00 2001 From: Edward Adam Davis Date: Fri, 16 Feb 2024 15:30:47 +0800 Subject: [PATCH 143/176] media: pvrusb2: fix uaf in pvr2_context_set_notify [ Upstream commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee ] [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 Freed by task 906: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x105/0x340 mm/slub.c:4409 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 [Analyze] Task A set disconnect_flag = !0, which resulted in Task B's condition being met and releasing mp, leading to this issue. [Fix] Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() to avoid this issue. Reported-and-tested-by: syzbot+ce750e124675d4599449@syzkaller.appspotmail.com Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Edward Adam Davis Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit ed8000e1e8e9684ab6c30cf2b526c0cea039929c) Signed-off-by: Harshit Mogalapalli --- drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c index 28a9cfef8f9f..698b2cf65526 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-context.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c @@ -276,9 +276,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) void pvr2_context_disconnect(struct pvr2_context *mp) { pvr2_hdw_disconnect(mp->hdw); - mp->disconnect_flag = !0; if (!pvr2_context_shutok()) pvr2_context_notify(mp); + mp->disconnect_flag = !0; } From 810b8a9fe3e1bc6bc357b08882289aab5be3909e Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Fri, 16 Feb 2024 17:31:44 +0100 Subject: [PATCH 144/176] media: dvb-frontends: avoid stack overflow warnings with clang [ Upstream commit 7a4cf27d1f0538f779bf31b8c99eda394e277119 ] A previous patch worked around a KASAN issue in stv0367, now a similar problem showed up with clang: drivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than] 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe) Rework the stv0367_writereg() function to be simpler and mark both register access functions as noinline_for_stack so the temporary i2c_msg structures do not get duplicated on the stack when KASAN_STACK is enabled. Fixes: 3cd890dbe2a4 ("media: dvb-frontends: fix i2c access helpers for KASAN") Signed-off-by: Arnd Bergmann Reviewed-by: Justin Stitt Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit c073c8cede5abd3836e83d70d72606d11d0759d4) Signed-off-by: Harshit Mogalapalli --- drivers/media/dvb-frontends/stv0367.c | 34 +++++++-------------------- 1 file changed, 8 insertions(+), 26 deletions(-) diff --git a/drivers/media/dvb-frontends/stv0367.c b/drivers/media/dvb-frontends/stv0367.c index 02abe485f18f..c52e3529c62a 100644 --- a/drivers/media/dvb-frontends/stv0367.c +++ b/drivers/media/dvb-frontends/stv0367.c @@ -128,50 +128,32 @@ static const s32 stv0367cab_RF_LookUp2[RF_LOOKUP_TABLE2_SIZE][RF_LOOKUP_TABLE2_S } }; -static -int stv0367_writeregs(struct stv0367_state *state, u16 reg, u8 *data, int len) +static noinline_for_stack +int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data) { - u8 buf[MAX_XFER_SIZE]; + u8 buf[3] = { MSB(reg), LSB(reg), data }; struct i2c_msg msg = { .addr = state->config->demod_address, .flags = 0, .buf = buf, - .len = len + 2 + .len = 3, }; int ret; - if (2 + len > sizeof(buf)) { - printk(KERN_WARNING - "%s: i2c wr reg=%04x: len=%d is too big!\n", - KBUILD_MODNAME, reg, len); - return -EINVAL; - } - - - buf[0] = MSB(reg); - buf[1] = LSB(reg); - memcpy(buf + 2, data, len); - if (i2cdebug) printk(KERN_DEBUG "%s: [%02x] %02x: %02x\n", __func__, - state->config->demod_address, reg, buf[2]); + state->config->demod_address, reg, data); ret = i2c_transfer(state->i2c, &msg, 1); if (ret != 1) printk(KERN_ERR "%s: i2c write error! ([%02x] %02x: %02x)\n", - __func__, state->config->demod_address, reg, buf[2]); + __func__, state->config->demod_address, reg, data); return (ret != 1) ? -EREMOTEIO : 0; } -static int stv0367_writereg(struct stv0367_state *state, u16 reg, u8 data) -{ - u8 tmp = data; /* see gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 */ - - return stv0367_writeregs(state, reg, &tmp, 1); -} - -static u8 stv0367_readreg(struct stv0367_state *state, u16 reg) +static noinline_for_stack +u8 stv0367_readreg(struct stv0367_state *state, u16 reg) { u8 b0[] = { 0, 0 }; u8 b1[] = { 0 }; From d692197c4290038026cd849e964cbc0963b8baf7 Mon Sep 17 00:00:00 2001 From: Zhipeng Lu Date: Wed, 21 Feb 2024 12:37:13 +0800 Subject: [PATCH 145/176] media: go7007: fix a memleak in go7007_load_encoder [ Upstream commit b9b683844b01d171a72b9c0419a2d760d946ee12 ] In go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without a deallocation thereafter. After the following call chain: saa7134_go7007_init |-> go7007_boot_encoder |-> go7007_load_encoder |-> kfree(go) go is freed and thus bounce is leaked. Fixes: 95ef39403f89 ("[media] go7007: remember boot firmware") Signed-off-by: Zhipeng Lu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 7f11dd3d165b178e738fe73dfeea513e383bedb5) Signed-off-by: Harshit Mogalapalli --- drivers/media/usb/go7007/go7007-driver.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c index d861d7225f49..ecb19e1ed0f1 100644 --- a/drivers/media/usb/go7007/go7007-driver.c +++ b/drivers/media/usb/go7007/go7007-driver.c @@ -88,7 +88,7 @@ static int go7007_load_encoder(struct go7007 *go) const struct firmware *fw_entry; char fw_name[] = "go7007/go7007fw.bin"; void *bounce; - int fw_len, rv = 0; + int fw_len; u16 intr_val, intr_data; if (go->boot_fw == NULL) { @@ -117,9 +117,11 @@ static int go7007_load_encoder(struct go7007 *go) go7007_read_interrupt(go, &intr_val, &intr_data) < 0 || (intr_val & ~0x1) != 0x5a5a) { v4l2_err(go, "error transferring firmware\n"); - rv = -1; + kfree(go->boot_fw); + go->boot_fw = NULL; + return -1; } - return rv; + return 0; } MODULE_FIRMWARE("go7007/go7007fw.bin"); From f754e826a42f26ce110d8c22ac3efcd5b8f714a8 Mon Sep 17 00:00:00 2001 From: Hsin-Yi Wang Date: Fri, 23 Feb 2024 13:23:29 -0800 Subject: [PATCH 146/176] drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip [ Upstream commit c958e86e9cc1b48cac004a6e245154dfba8e163b ] It's possible that mtk_crtc->event is NULL in mtk_drm_crtc_finish_page_flip(). pending_needs_vblank value is set by mtk_crtc->event, but in mtk_drm_crtc_atomic_flush(), it's is not guarded by the same lock in mtk_drm_finish_page_flip(), thus a race condition happens. Consider the following case: CPU1 CPU2 step 1: mtk_drm_crtc_atomic_begin() mtk_crtc->event is not null, step 1: mtk_drm_crtc_atomic_flush: mtk_drm_crtc_update_config( !!mtk_crtc->event) step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip: lock mtk_crtc->event set to null, pending_needs_vblank set to false unlock pending_needs_vblank set to true, step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip called again, pending_needs_vblank is still true //null pointer Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more efficient to just check if mtk_crtc->event is null before use. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Signed-off-by: Hsin-Yi Wang Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20240223212404.3709690-1-hsinyi@chromium.org/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin (cherry picked from commit accdac6b71d5a2b84040c3d2234f53a60edc398e) Signed-off-by: Harshit Mogalapalli --- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c index 3ea311d32fa9..880b19312b41 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c @@ -78,11 +78,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) struct drm_crtc *crtc = &mtk_crtc->base; unsigned long flags; - spin_lock_irqsave(&crtc->dev->event_lock, flags); - drm_crtc_send_vblank_event(crtc, mtk_crtc->event); - drm_crtc_vblank_put(crtc); - mtk_crtc->event = NULL; - spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + if (mtk_crtc->event) { + spin_lock_irqsave(&crtc->dev->event_lock, flags); + drm_crtc_send_vblank_event(crtc, mtk_crtc->event); + drm_crtc_vblank_put(crtc); + mtk_crtc->event = NULL; + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + } } static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) From 1785997d8b483b47a511d6d61e2e8cc20095ec5d Mon Sep 17 00:00:00 2001 From: Kajol Jain Date: Thu, 29 Feb 2024 17:58:47 +0530 Subject: [PATCH 147/176] powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks [ Upstream commit ad86d7ee43b22aa2ed60fb982ae94b285c1be671 ] Running event hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ in one of the system throws below error: ---Logs--- # perf list | grep hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=?/[Kernel PMU event] # perf stat -v -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 Using CPUID 00800200 Control descriptor is not initialized Warning: hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event is not supported by the kernel. failed to read counter hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ Performance counter stats for 'system wide': hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ 2.000700771 seconds time elapsed The above error is because of the hcall failure as required permission "Enable Performance Information Collection" is not set. Based on current code, single_gpci_request function did not check the error type incase hcall fails and by default returns EINVAL. But we can have other reasons for hcall failures like H_AUTHORITY/H_PARAMETER with detail_rc as GEN_BUF_TOO_SMALL, for which we need to act accordingly. Fix this issue by adding new checks in the single_gpci_request and h_gpci_event_init functions. Result after fix patch changes: # perf stat -e hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ sleep 2 Error: No permission to enable hv_gpci/dispatch_timebase_by_processor_processor_time_in_timebase_cycles,phys_processor_idx=0/ event. Fixes: 220a0c609ad1 ("powerpc/perf: Add support for the hv gpci (get performance counter info) interface") Reported-by: Akanksha J N Signed-off-by: Kajol Jain Signed-off-by: Michael Ellerman Link: https://msgid.link/20240229122847.101162-1-kjain@linux.ibm.com Signed-off-by: Sasha Levin (cherry picked from commit 0a1754ba8d537e054b01f0c2dc6b653a5a1b685d) Signed-off-by: Harshit Mogalapalli --- arch/powerpc/perf/hv-gpci.c | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c index 126409bb5626..8ae70b5952a5 100644 --- a/arch/powerpc/perf/hv-gpci.c +++ b/arch/powerpc/perf/hv-gpci.c @@ -157,6 +157,20 @@ static unsigned long single_gpci_request(u32 req, u32 starting_index, ret = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO, virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE); + + /* + * ret value as 'H_PARAMETER' with detail_rc as 'GEN_BUF_TOO_SMALL', + * specifies that the current buffer size cannot accommodate + * all the information and a partial buffer returned. + * Since in this function we are only accessing data for a given starting index, + * we don't need to accommodate whole data and can get required count by + * accessing first entry data. + * Hence hcall fails only incase the ret value is other than H_SUCCESS or + * H_PARAMETER with detail_rc value as GEN_BUF_TOO_SMALL(0x1B). + */ + if (ret == H_PARAMETER && be32_to_cpu(arg->params.detail_rc) == 0x1B) + ret = 0; + if (ret) { pr_devel("hcall failed: 0x%lx\n", ret); goto out; @@ -221,6 +235,7 @@ static int h_gpci_event_init(struct perf_event *event) { u64 count; u8 length; + unsigned long ret; /* Not our event */ if (event->attr.type != event->pmu->type) @@ -260,13 +275,23 @@ static int h_gpci_event_init(struct perf_event *event) } /* check if the request works... */ - if (single_gpci_request(event_get_request(event), + ret = single_gpci_request(event_get_request(event), event_get_starting_index(event), event_get_secondary_index(event), event_get_counter_info_version(event), event_get_offset(event), length, - &count)) { + &count); + + /* + * ret value as H_AUTHORITY implies that partition is not permitted to retrieve + * performance information, and required to set + * "Enable Performance Information Collection" option. + */ + if (ret == H_AUTHORITY) + return -EPERM; + + if (ret) { pr_devel("gpci hcall failed\n"); return -EINVAL; } From 138ea96e89f7b2bccb7b3fee18b0a4430e6b2f5c Mon Sep 17 00:00:00 2001 From: Michael Ellerman Date: Tue, 5 Mar 2024 23:34:08 +1100 Subject: [PATCH 148/176] powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc. [ Upstream commit 20933531be0577cdd782216858c26150dbc7936f ] Move the prototypes into mpc10x.h which is included by all the relevant C files, fixes: arch/powerpc/platforms/embedded6xx/ls_uart.c:59:6: error: no previous prototype for 'avr_uart_configure' arch/powerpc/platforms/embedded6xx/ls_uart.c:82:6: error: no previous prototype for 'avr_uart_send' Signed-off-by: Michael Ellerman Link: https://msgid.link/20240305123410.3306253-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin (cherry picked from commit 131dffef3a81e9c6f4a9e278ffd66f3eb5ae8c3e) Signed-off-by: Harshit Mogalapalli --- arch/powerpc/platforms/embedded6xx/linkstation.c | 3 --- arch/powerpc/platforms/embedded6xx/mpc10x.h | 3 +++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/platforms/embedded6xx/linkstation.c b/arch/powerpc/platforms/embedded6xx/linkstation.c index f514d5d28cd4..3f3821eb4c36 100644 --- a/arch/powerpc/platforms/embedded6xx/linkstation.c +++ b/arch/powerpc/platforms/embedded6xx/linkstation.c @@ -97,9 +97,6 @@ static void __init linkstation_init_IRQ(void) mpic_init(mpic); } -extern void avr_uart_configure(void); -extern void avr_uart_send(const char); - static void __noreturn linkstation_restart(char *cmd) { local_irq_disable(); diff --git a/arch/powerpc/platforms/embedded6xx/mpc10x.h b/arch/powerpc/platforms/embedded6xx/mpc10x.h index 5ad12023e562..ebc258fa4858 100644 --- a/arch/powerpc/platforms/embedded6xx/mpc10x.h +++ b/arch/powerpc/platforms/embedded6xx/mpc10x.h @@ -156,4 +156,7 @@ int mpc10x_disable_store_gathering(struct pci_controller *hose); /* For MPC107 boards that use the built-in openpic */ void mpc10x_set_openpic(void); +void avr_uart_configure(void); +void avr_uart_send(const char c); + #endif /* __PPC_KERNEL_MPC10X_H */ From e50c0ec386b601a2161ecf3ce4d8bb64dc0226bd Mon Sep 17 00:00:00 2001 From: Luca Weiss Date: Tue, 20 Feb 2024 00:11:19 +0100 Subject: [PATCH 149/176] backlight: lm3630a: Initialize backlight_properties on init [ Upstream commit ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 ] The backlight_properties struct should be initialized to zero before using, otherwise there will be some random values in the struct. Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") Signed-off-by: Luca Weiss Reviewed-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-1-9ca62f7e4a33@z3ntu.xyz Signed-off-by: Lee Jones Signed-off-by: Sasha Levin (cherry picked from commit 063b294747b47f7bdaad3953542e73552bf7fe65) Signed-off-by: Harshit Mogalapalli --- drivers/video/backlight/lm3630a_bl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c index f17e5a8860fa..70f5ea5f210c 100644 --- a/drivers/video/backlight/lm3630a_bl.c +++ b/drivers/video/backlight/lm3630a_bl.c @@ -332,6 +332,7 @@ static int lm3630a_backlight_register(struct lm3630a_chip *pchip) struct backlight_properties props; struct lm3630a_platform_data *pdata = pchip->pdata; + memset(&props, 0, sizeof(struct backlight_properties)); props.type = BACKLIGHT_RAW; if (pdata->leda_ctrl != LM3630A_LEDA_DISABLE) { props.brightness = pdata->leda_init_brt; From d0ca047e07a3357a1cfa5de925311b5496e1b233 Mon Sep 17 00:00:00 2001 From: Luca Weiss Date: Tue, 20 Feb 2024 00:11:20 +0100 Subject: [PATCH 150/176] backlight: lm3630a: Don't set bl->props.brightness in get_brightness [ Upstream commit 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 ] There's no need to set bl->props.brightness, the get_brightness function is just supposed to return the current brightness and not touch the struct. With that done we can also remove the 'goto out' and just return the value. Fixes: 0c2a665a648e ("backlight: add Backlight driver for lm3630 chip") Signed-off-by: Luca Weiss Reviewed-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220-lm3630a-fixups-v1-2-9ca62f7e4a33@z3ntu.xyz Signed-off-by: Lee Jones Signed-off-by: Sasha Levin (cherry picked from commit 85360e411bd2239ef184178352fab6582a0fcb85) Signed-off-by: Harshit Mogalapalli --- drivers/video/backlight/lm3630a_bl.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c index 70f5ea5f210c..874040c465f2 100644 --- a/drivers/video/backlight/lm3630a_bl.c +++ b/drivers/video/backlight/lm3630a_bl.c @@ -223,7 +223,7 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) if (rval < 0) goto out_i2c_err; brightness |= rval; - goto out; + return brightness; } /* disable sleep */ @@ -234,11 +234,8 @@ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl) rval = lm3630a_read(pchip, REG_BRT_A); if (rval < 0) goto out_i2c_err; - brightness = rval; + return rval; -out: - bl->props.brightness = brightness; - return bl->props.brightness; out_i2c_err: dev_err(pchip->dev, "i2c failed to access register\n"); return 0; @@ -300,7 +297,7 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl) if (rval < 0) goto out_i2c_err; brightness |= rval; - goto out; + return brightness; } /* disable sleep */ @@ -311,11 +308,8 @@ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl) rval = lm3630a_read(pchip, REG_BRT_B); if (rval < 0) goto out_i2c_err; - brightness = rval; + return rval; -out: - bl->props.brightness = brightness; - return bl->props.brightness; out_i2c_err: dev_err(pchip->dev, "i2c failed to access register\n"); return 0; From 80b386048fb42668966e1afc0ae2c4d6e6dfd1fa Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Tue, 20 Feb 2024 15:35:24 +0000 Subject: [PATCH 151/176] backlight: da9052: Fully initialize backlight_properties during probe [ Upstream commit 0285e9efaee8276305db5c52a59baf84e9731556 ] props is stack allocated and the fields that are not explcitly set by the probe function need to be zeroed or we'll get undefined behaviour (especially so power/blank states)! Fixes: 6ede3d832aaa ("backlight: add driver for DA9052/53 PMIC v1") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220153532.76613-2-daniel.thompson@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin (cherry picked from commit ba9f50fa0edd4d45bc9840ba05efa9b526a30b53) Signed-off-by: Harshit Mogalapalli --- drivers/video/backlight/da9052_bl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/backlight/da9052_bl.c b/drivers/video/backlight/da9052_bl.c index 49035c12739a..d48513eb3bc5 100644 --- a/drivers/video/backlight/da9052_bl.c +++ b/drivers/video/backlight/da9052_bl.c @@ -122,6 +122,7 @@ static int da9052_backlight_probe(struct platform_device *pdev) wleds->led_reg = platform_get_device_id(pdev)->driver_data; wleds->state = DA9052_WLEDS_OFF; + memset(&props, 0, sizeof(struct backlight_properties)); props.type = BACKLIGHT_RAW; props.max_brightness = DA9052_MAX_BRIGHTNESS; From 2f286fb34ca716ba08e7f4cb0f020ce20cb9d219 Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Tue, 20 Feb 2024 15:35:25 +0000 Subject: [PATCH 152/176] backlight: lm3639: Fully initialize backlight_properties during probe [ Upstream commit abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 ] props is stack allocated and the fields that are not explcitly set by the probe function need to be zeroed or we'll get undefined behaviour (especially so power/blank states)! Fixes: 0f59858d5119 ("backlight: add new lm3639 backlight driver") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220153532.76613-3-daniel.thompson@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin (cherry picked from commit 9d0aaf425cc5aec627ee7cae0990e6c5b7d2adb9) Signed-off-by: Harshit Mogalapalli --- drivers/video/backlight/lm3639_bl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/backlight/lm3639_bl.c b/drivers/video/backlight/lm3639_bl.c index 086611c7bc03..a1ef6f23156d 100644 --- a/drivers/video/backlight/lm3639_bl.c +++ b/drivers/video/backlight/lm3639_bl.c @@ -343,6 +343,7 @@ static int lm3639_probe(struct i2c_client *client, } /* backlight */ + memset(&props, 0, sizeof(struct backlight_properties)); props.type = BACKLIGHT_RAW; props.brightness = pdata->init_brt_led; props.max_brightness = pdata->max_brt_led; From 3f2fe45a95a3f6a3cd5f7c17d8c53a41b1800d75 Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Tue, 20 Feb 2024 15:35:26 +0000 Subject: [PATCH 153/176] backlight: lp8788: Fully initialize backlight_properties during probe [ Upstream commit 392346827fbe8a7fd573dfb145170d7949f639a6 ] props is stack allocated and the fields that are not explcitly set by the probe function need to be zeroed or we'll get undefined behaviour (especially so power/blank states)! Fixes: c5a51053cf3b ("backlight: add new lp8788 backlight driver") Signed-off-by: Daniel Thompson Link: https://lore.kernel.org/r/20240220153532.76613-4-daniel.thompson@linaro.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin (cherry picked from commit 3301f60ab7ebc14ec7242f1ad62dc151e11cd308) Signed-off-by: Harshit Mogalapalli --- drivers/video/backlight/lp8788_bl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/backlight/lp8788_bl.c b/drivers/video/backlight/lp8788_bl.c index cf869ec90cce..a324423f3047 100644 --- a/drivers/video/backlight/lp8788_bl.c +++ b/drivers/video/backlight/lp8788_bl.c @@ -195,6 +195,7 @@ static int lp8788_backlight_register(struct lp8788_bl *bl) int init_brt; char *name; + memset(&props, 0, sizeof(struct backlight_properties)); props.type = BACKLIGHT_PLATFORM; props.max_brightness = MAX_BRIGHTNESS; From 1455216df91812ea6d3e0fcf0ce4be142ba39cbc Mon Sep 17 00:00:00 2001 From: Sam Ravnborg Date: Sat, 24 Feb 2024 18:42:28 +0100 Subject: [PATCH 154/176] sparc32: Fix section mismatch in leon_pci_grpci [ Upstream commit 24338a6ae13cb743ced77da1b3a12c83f08a0c96 ] Passing a datastructre marked _initconst to platform_driver_register() is wrong. Drop the __initconst notation. This fixes the following warnings: WARNING: modpost: vmlinux: section mismatch in reference: grpci1_of_driver+0x30 (section: .data) -> grpci1_of_match (section: .init.rodata) WARNING: modpost: vmlinux: section mismatch in reference: grpci2_of_driver+0x30 (section: .data) -> grpci2_of_match (section: .init.rodata) Signed-off-by: Sam Ravnborg Cc: "David S. Miller" Cc: Andreas Larsson Fixes: 4154bb821f0b ("sparc: leon: grpci1: constify of_device_id") Fixes: 03949b1cb9f1 ("sparc: leon: grpci2: constify of_device_id") Tested-by: Randy Dunlap # build-tested Reviewed-by: Andreas Larsson Tested-by: Andreas Larsson Signed-off-by: Andreas Larsson Link: https://lore.kernel.org/r/20240224-sam-fix-sparc32-all-builds-v2-7-1f186603c5c4@ravnborg.org Signed-off-by: Sasha Levin (cherry picked from commit 6bf3c3508c839c4457058686fbd59d9c55e5e598) Signed-off-by: Harshit Mogalapalli --- arch/sparc/kernel/leon_pci_grpci1.c | 2 +- arch/sparc/kernel/leon_pci_grpci2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/sparc/kernel/leon_pci_grpci1.c b/arch/sparc/kernel/leon_pci_grpci1.c index e6935d0ac1ec..c32590bdd312 100644 --- a/arch/sparc/kernel/leon_pci_grpci1.c +++ b/arch/sparc/kernel/leon_pci_grpci1.c @@ -696,7 +696,7 @@ err1: return err; } -static const struct of_device_id grpci1_of_match[] __initconst = { +static const struct of_device_id grpci1_of_match[] = { { .name = "GAISLER_PCIFBRG", }, diff --git a/arch/sparc/kernel/leon_pci_grpci2.c b/arch/sparc/kernel/leon_pci_grpci2.c index ca22f93d9045..dd06abc61657 100644 --- a/arch/sparc/kernel/leon_pci_grpci2.c +++ b/arch/sparc/kernel/leon_pci_grpci2.c @@ -887,7 +887,7 @@ err1: return err; } -static const struct of_device_id grpci2_of_match[] __initconst = { +static const struct of_device_id grpci2_of_match[] = { { .name = "GAISLER_GRPCI2", }, From 684d0dfc0167a62bb2fc9c3c2d97e421a6f8f1d7 Mon Sep 17 00:00:00 2001 From: Johan Carlsson Date: Wed, 13 Mar 2024 09:15:09 +0100 Subject: [PATCH 155/176] ALSA: usb-audio: Stop parsing channels bits when all channels are found. [ Upstream commit a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 ] If a usb audio device sets more bits than the amount of channels it could write outside of the map array. Signed-off-by: Johan Carlsson Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") Message-ID: <20240313081509.9801-1-johan.carlsson@teenage.engineering> Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin (cherry picked from commit 7e2c1b0f6dd9abde9e60f0f9730026714468770f) Signed-off-by: Harshit Mogalapalli --- sound/usb/stream.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sound/usb/stream.c b/sound/usb/stream.c index 133a66a7f90e..ccaead5319ed 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -293,9 +293,12 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, c = 0; if (bits) { - for (; bits && *maps; maps++, bits >>= 1) + for (; bits && *maps; maps++, bits >>= 1) { if (bits & 1) chmap->map[c++] = *maps; + if (c == chmap->channels) + break; + } } else { /* If we're missing wChannelConfig, then guess something to make sure the channel map is not skipped entirely */ From ee504736ec7911bfb90382f7f3222faa7982dc0f Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 13 Feb 2024 11:05:00 +0100 Subject: [PATCH 156/176] scsi: csiostor: Avoid function pointer casts [ Upstream commit 9f3dbcb5632d6876226031d552ef6163bb3ad215 ] csiostor uses function pointer casts to keep the csio_ln_ev state machine hidden, but this causes warnings about control flow integrity (KCFI) violations in clang-16 and higher: drivers/scsi/csiostor/csio_lnode.c:1098:33: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1098 | return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/csiostor/csio_lnode.c:1369:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1369 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/csiostor/csio_lnode.c:1373:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1373 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/scsi/csiostor/csio_lnode.c:1377:29: error: cast from 'void (*)(struct csio_lnode *, enum csio_ln_ev)' to 'csio_sm_state_t' (aka 'void (*)(void *, unsigned int)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] 1377 | if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Move the enum into a shared header so the correct types can be used without the need for casts. Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240213100518.457623-1-arnd@kernel.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 77d9c6364756ec8986b8d7f801bcb2295cfa036a) Signed-off-by: Harshit Mogalapalli --- drivers/scsi/csiostor/csio_defs.h | 18 ++++++++++++++++-- drivers/scsi/csiostor/csio_lnode.c | 8 ++++---- drivers/scsi/csiostor/csio_lnode.h | 13 ------------- 3 files changed, 20 insertions(+), 19 deletions(-) diff --git a/drivers/scsi/csiostor/csio_defs.h b/drivers/scsi/csiostor/csio_defs.h index c38017b4af98..e50e93e7fe5a 100644 --- a/drivers/scsi/csiostor/csio_defs.h +++ b/drivers/scsi/csiostor/csio_defs.h @@ -73,7 +73,21 @@ csio_list_deleted(struct list_head *list) #define csio_list_prev(elem) (((struct list_head *)(elem))->prev) /* State machine */ -typedef void (*csio_sm_state_t)(void *, uint32_t); +struct csio_lnode; + +/* State machine evets */ +enum csio_ln_ev { + CSIO_LNE_NONE = (uint32_t)0, + CSIO_LNE_LINKUP, + CSIO_LNE_FAB_INIT_DONE, + CSIO_LNE_LINK_DOWN, + CSIO_LNE_DOWN_LINK, + CSIO_LNE_LOGO, + CSIO_LNE_CLOSE, + CSIO_LNE_MAX_EVENT, +}; + +typedef void (*csio_sm_state_t)(struct csio_lnode *ln, enum csio_ln_ev evt); struct csio_sm { struct list_head sm_list; @@ -83,7 +97,7 @@ struct csio_sm { static inline void csio_set_state(void *smp, void *state) { - ((struct csio_sm *)smp)->sm_state = (csio_sm_state_t)state; + ((struct csio_sm *)smp)->sm_state = state; } static inline void diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c index d1df694d9ed0..1dd1859d5bcb 100644 --- a/drivers/scsi/csiostor/csio_lnode.c +++ b/drivers/scsi/csiostor/csio_lnode.c @@ -1087,7 +1087,7 @@ csio_handle_link_down(struct csio_hw *hw, uint8_t portid, uint32_t fcfi, int csio_is_lnode_ready(struct csio_lnode *ln) { - return (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)); + return (csio_get_state(ln) == csio_lns_ready); } /*****************************************************************************/ @@ -1359,15 +1359,15 @@ csio_free_fcfinfo(struct kref *kref) void csio_lnode_state_to_str(struct csio_lnode *ln, int8_t *str) { - if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_uninit)) { + if (csio_get_state(ln) == csio_lns_uninit) { strcpy(str, "UNINIT"); return; } - if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_ready)) { + if (csio_get_state(ln) == csio_lns_ready) { strcpy(str, "READY"); return; } - if (csio_get_state(ln) == ((csio_sm_state_t)csio_lns_offline)) { + if (csio_get_state(ln) == csio_lns_offline) { strcpy(str, "OFFLINE"); return; } diff --git a/drivers/scsi/csiostor/csio_lnode.h b/drivers/scsi/csiostor/csio_lnode.h index 372a67d122d3..607698a0f063 100644 --- a/drivers/scsi/csiostor/csio_lnode.h +++ b/drivers/scsi/csiostor/csio_lnode.h @@ -53,19 +53,6 @@ extern int csio_fcoe_rnodes; extern int csio_fdmi_enable; -/* State machine evets */ -enum csio_ln_ev { - CSIO_LNE_NONE = (uint32_t)0, - CSIO_LNE_LINKUP, - CSIO_LNE_FAB_INIT_DONE, - CSIO_LNE_LINK_DOWN, - CSIO_LNE_DOWN_LINK, - CSIO_LNE_LOGO, - CSIO_LNE_CLOSE, - CSIO_LNE_MAX_EVENT, -}; - - struct csio_fcf_info { struct list_head list; uint8_t priority; From 826d2a5f4af824bc5457e9ca919e6d0e0da677c5 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 22 Feb 2024 13:44:06 +0100 Subject: [PATCH 157/176] scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn [ Upstream commit b69600231f751304db914c63b937f7098ed2895c ] Some callback functions used here take a boolean argument, others take a status argument. This breaks KCFI type checking, so clang now warns about the function pointer cast: drivers/scsi/bfa/bfad_bsg.c:2138:29: error: cast from 'void (*)(void *, enum bfa_status)' to 'bfa_cb_cbfn_t' (aka 'void (*)(void *, enum bfa_boolean)') converts to incompatible function type [-Werror,-Wcast-function-type-strict] Assuming the code is actually correct here and the callers always match the argument types of the callee, rework this to replace the explicit cast with a union of the two pointer types. This does not change the behavior of the code, so if something is actually broken here, a larger rework may be necessary. Fixes: 37ea0558b87a ("[SCSI] bfa: Added support to collect and reset fcport stats") Fixes: 3ec4f2c8bff2 ("[SCSI] bfa: Added support to configure QOS and collect stats.") Reviewed-by: Kees Cook Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240222124433.2046570-1-arnd@kernel.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 8413fc5ef952b5ddd606a42b2be1e15694e2f526) Signed-off-by: Harshit Mogalapalli --- drivers/scsi/bfa/bfa.h | 9 ++++++++- drivers/scsi/bfa/bfa_core.c | 4 +--- drivers/scsi/bfa/bfa_ioc.h | 8 ++++++-- drivers/scsi/bfa/bfad_bsg.c | 11 ++++------- 4 files changed, 19 insertions(+), 13 deletions(-) diff --git a/drivers/scsi/bfa/bfa.h b/drivers/scsi/bfa/bfa.h index 0e119d838e1b..f312c356ffc4 100644 --- a/drivers/scsi/bfa/bfa.h +++ b/drivers/scsi/bfa/bfa.h @@ -28,7 +28,6 @@ struct bfa_s; typedef void (*bfa_isr_func_t) (struct bfa_s *bfa, struct bfi_msg_s *m); -typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status); /* * Interrupt message handlers @@ -446,4 +445,12 @@ struct bfa_cb_pending_q_s { (__qe)->data = (__data); \ } while (0) +#define bfa_pending_q_init_status(__qe, __cbfn, __cbarg, __data) do { \ + bfa_q_qe_init(&((__qe)->hcb_qe.qe)); \ + (__qe)->hcb_qe.cbfn_status = (__cbfn); \ + (__qe)->hcb_qe.cbarg = (__cbarg); \ + (__qe)->hcb_qe.pre_rmv = BFA_TRUE; \ + (__qe)->data = (__data); \ +} while (0) + #endif /* __BFA_H__ */ diff --git a/drivers/scsi/bfa/bfa_core.c b/drivers/scsi/bfa/bfa_core.c index 3e1caec82554..adb1fba9466c 100644 --- a/drivers/scsi/bfa/bfa_core.c +++ b/drivers/scsi/bfa/bfa_core.c @@ -1915,15 +1915,13 @@ bfa_comp_process(struct bfa_s *bfa, struct list_head *comp_q) struct list_head *qe; struct list_head *qen; struct bfa_cb_qe_s *hcb_qe; - bfa_cb_cbfn_status_t cbfn; list_for_each_safe(qe, qen, comp_q) { hcb_qe = (struct bfa_cb_qe_s *) qe; if (hcb_qe->pre_rmv) { /* qe is invalid after return, dequeue before cbfn() */ list_del(qe); - cbfn = (bfa_cb_cbfn_status_t)(hcb_qe->cbfn); - cbfn(hcb_qe->cbarg, hcb_qe->fw_status); + hcb_qe->cbfn_status(hcb_qe->cbarg, hcb_qe->fw_status); } else hcb_qe->cbfn(hcb_qe->cbarg, BFA_TRUE); } diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h index 0f9fab770339..179dd0416979 100644 --- a/drivers/scsi/bfa/bfa_ioc.h +++ b/drivers/scsi/bfa/bfa_ioc.h @@ -369,14 +369,18 @@ struct bfa_reqq_wait_s { void *cbarg; }; -typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete); +typedef void (*bfa_cb_cbfn_t) (void *cbarg, bfa_boolean_t complete); +typedef void (*bfa_cb_cbfn_status_t) (void *cbarg, bfa_status_t status); /* * Generic BFA callback element. */ struct bfa_cb_qe_s { struct list_head qe; - bfa_cb_cbfn_t cbfn; + union { + bfa_cb_cbfn_status_t cbfn_status; + bfa_cb_cbfn_t cbfn; + }; bfa_boolean_t once; bfa_boolean_t pre_rmv; /* set for stack based qe(s) */ bfa_status_t fw_status; /* to access fw status in comp proc */ diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c index 9081a5f93aae..7cada202a53b 100644 --- a/drivers/scsi/bfa/bfad_bsg.c +++ b/drivers/scsi/bfa/bfad_bsg.c @@ -2145,8 +2145,7 @@ bfad_iocmd_fcport_get_stats(struct bfad_s *bfad, void *cmd) struct bfa_cb_pending_q_s cb_qe; init_completion(&fcomp.comp); - bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, - &fcomp, &iocmd->stats); + bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats); spin_lock_irqsave(&bfad->bfad_lock, flags); iocmd->status = bfa_fcport_get_stats(&bfad->bfa, &cb_qe); spin_unlock_irqrestore(&bfad->bfad_lock, flags); @@ -2169,7 +2168,7 @@ bfad_iocmd_fcport_reset_stats(struct bfad_s *bfad, void *cmd) struct bfa_cb_pending_q_s cb_qe; init_completion(&fcomp.comp); - bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, &fcomp, NULL); + bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL); spin_lock_irqsave(&bfad->bfad_lock, flags); iocmd->status = bfa_fcport_clear_stats(&bfad->bfa, &cb_qe); @@ -2453,8 +2452,7 @@ bfad_iocmd_qos_get_stats(struct bfad_s *bfad, void *cmd) struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa); init_completion(&fcomp.comp); - bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, - &fcomp, &iocmd->stats); + bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, &iocmd->stats); spin_lock_irqsave(&bfad->bfad_lock, flags); WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc)); @@ -2484,8 +2482,7 @@ bfad_iocmd_qos_reset_stats(struct bfad_s *bfad, void *cmd) struct bfa_fcport_s *fcport = BFA_FCPORT_MOD(&bfad->bfa); init_completion(&fcomp.comp); - bfa_pending_q_init(&cb_qe, (bfa_cb_cbfn_t)bfad_hcb_comp, - &fcomp, NULL); + bfa_pending_q_init_status(&cb_qe, bfad_hcb_comp, &fcomp, NULL); spin_lock_irqsave(&bfad->bfad_lock, flags); WARN_ON(!bfa_ioc_get_fcmode(&bfad->bfa.ioc)); From dd5627de25e1b9b306a735e52a9be0189c50681e Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Tue, 24 Oct 2023 23:58:20 +0200 Subject: [PATCH 158/176] net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() [ Upstream commit d6f4de70f73a106986ee315d7d512539f2f3303a ] The intent is to check if the strings' are truncated or not. So, >= should be used instead of >, because strlcat() and snprintf() return the length of the output, excluding the trailing NULL. Fixes: a02d69261134 ("SUNRPC: Provide functions for managing universal addresses") Signed-off-by: Christophe JAILLET Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin (cherry picked from commit 867a6a6899a68323d6ef8995ea3765611d67ba1e) Signed-off-by: Harshit Mogalapalli --- net/sunrpc/addr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c index 7404f02702a1..eba3b6f4d4ac 100644 --- a/net/sunrpc/addr.c +++ b/net/sunrpc/addr.c @@ -287,10 +287,10 @@ char *rpc_sockaddr2uaddr(const struct sockaddr *sap, gfp_t gfp_flags) } if (snprintf(portbuf, sizeof(portbuf), - ".%u.%u", port >> 8, port & 0xff) > (int)sizeof(portbuf)) + ".%u.%u", port >> 8, port & 0xff) >= (int)sizeof(portbuf)) return NULL; - if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) > sizeof(addrbuf)) + if (strlcat(addrbuf, portbuf, sizeof(addrbuf)) >= sizeof(addrbuf)) return NULL; return kstrdup(addrbuf, gfp_flags); From 43e88e13e5e89dabaa722dcbe424df93ff3fa50b Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sun, 18 Feb 2024 22:16:53 +0100 Subject: [PATCH 159/176] NFS: Fix an off by one in root_nfs_cat() [ Upstream commit 698ad1a538da0b6bf969cfee630b4e3a026afb87 ] The intent is to check if 'dest' is truncated or not. So, >= should be used instead of >, because strlcat() returns the length of 'dest' and 'src' excluding the trailing NULL. Fixes: 56463e50d1fc ("NFS: Use super.c for NFSROOT mount option parsing") Signed-off-by: Christophe JAILLET Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin (cherry picked from commit 9bb320c5cea50e7fa82a477743a6a0546eaa37b3) Signed-off-by: Harshit Mogalapalli --- fs/nfs/nfsroot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/nfs/nfsroot.c b/fs/nfs/nfsroot.c index effaa4247b91..c0f2e1751c33 100644 --- a/fs/nfs/nfsroot.c +++ b/fs/nfs/nfsroot.c @@ -169,10 +169,10 @@ static int __init root_nfs_cat(char *dest, const char *src, size_t len = strlen(dest); if (len && dest[len - 1] != ',') - if (strlcat(dest, ",", destlen) > destlen) + if (strlcat(dest, ",", destlen) >= destlen) return -1; - if (strlcat(dest, src, destlen) > destlen) + if (strlcat(dest, src, destlen) >= destlen) return -1; return 0; } From ac71f4414591935d0d42f189b92234f8475c8e26 Mon Sep 17 00:00:00 2001 From: Taniya Das Date: Thu, 24 Feb 2022 00:26:05 +0530 Subject: [PATCH 160/176] clk: qcom: gdsc: Add support to update GDSC transition delay [ Upstream commit 4e7c4d3652f96f41179aab3ff53025c7a550d689 ] GDSCs have multiple transition delays which are used for the GDSC FSM states. Older targets/designs required these values to be updated from gdsc code to certain default values for the FSM state to work as expected. But on the newer targets/designs the values updated from the GDSC driver can hamper the FSM state to not work as expected. On SC7180 we observe black screens because the gdsc is being enabled/disabled very rapidly and the GDSC FSM state does not work as expected. This is due to the fact that the GDSC reset value is being updated from SW. Thus add support to update the transition delay from the clock controller gdscs as required. Fixes: 45dd0e55317cc ("clk: qcom: Add support for GDSCs) Signed-off-by: Taniya Das Link: https://lore.kernel.org/r/20220223185606.3941-1-tdas@codeaurora.org Reviewed-by: Bjorn Andersson Signed-off-by: Stephen Boyd Stable-dep-of: 117e7dc697c2 ("clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times") Signed-off-by: Sasha Levin (cherry picked from commit 13c921e83ef2f8c2d7f6d79272e7760de605ca3c) [Harshit: Fix conflicts near copy right section due to missing commit: 44dbeebf1445 ("clk: qcom: gdsc: Add support to reset AON and block reset logic") in 4.14.y] Signed-off-by: Harshit Mogalapalli --- drivers/clk/qcom/gdsc.c | 26 +++++++++++++++++++++----- drivers/clk/qcom/gdsc.h | 8 +++++++- 2 files changed, 28 insertions(+), 6 deletions(-) diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c index a4f3580587b7..a34f7b9a83f5 100644 --- a/drivers/clk/qcom/gdsc.c +++ b/drivers/clk/qcom/gdsc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, The Linux Foundation. All rights reserved. + * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -33,9 +33,14 @@ #define GMEM_CLAMP_IO_MASK BIT(0) /* Wait 2^n CXO cycles between all states. Here, n=2 (4 cycles). */ -#define EN_REST_WAIT_VAL (0x2 << 20) -#define EN_FEW_WAIT_VAL (0x8 << 16) -#define CLK_DIS_WAIT_VAL (0x2 << 12) +#define EN_REST_WAIT_VAL 0x2 +#define EN_FEW_WAIT_VAL 0x8 +#define CLK_DIS_WAIT_VAL 0x2 + +/* Transition delay shifts */ +#define EN_REST_WAIT_SHIFT 20 +#define EN_FEW_WAIT_SHIFT 16 +#define CLK_DIS_WAIT_SHIFT 12 #define RETAIN_MEM BIT(14) #define RETAIN_PERIPH BIT(13) @@ -267,7 +272,18 @@ static int gdsc_init(struct gdsc *sc) */ mask = HW_CONTROL_MASK | SW_OVERRIDE_MASK | EN_REST_WAIT_MASK | EN_FEW_WAIT_MASK | CLK_DIS_WAIT_MASK; - val = EN_REST_WAIT_VAL | EN_FEW_WAIT_VAL | CLK_DIS_WAIT_VAL; + + if (!sc->en_rest_wait_val) + sc->en_rest_wait_val = EN_REST_WAIT_VAL; + if (!sc->en_few_wait_val) + sc->en_few_wait_val = EN_FEW_WAIT_VAL; + if (!sc->clk_dis_wait_val) + sc->clk_dis_wait_val = CLK_DIS_WAIT_VAL; + + val = sc->en_rest_wait_val << EN_REST_WAIT_SHIFT | + sc->en_few_wait_val << EN_FEW_WAIT_SHIFT | + sc->clk_dis_wait_val << CLK_DIS_WAIT_SHIFT; + ret = regmap_update_bits(sc->regmap, sc->gdscr, mask, val); if (ret) return ret; diff --git a/drivers/clk/qcom/gdsc.h b/drivers/clk/qcom/gdsc.h index 39648348e5ec..73c263656078 100644 --- a/drivers/clk/qcom/gdsc.h +++ b/drivers/clk/qcom/gdsc.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, The Linux Foundation. All rights reserved. + * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -29,6 +29,9 @@ struct reset_controller_dev; * @cxcs: offsets of branch registers to toggle mem/periph bits in * @cxc_count: number of @cxcs * @pwrsts: Possible powerdomain power states + * @en_rest_wait_val: transition delay value for receiving enr ack signal + * @en_few_wait_val: transition delay value for receiving enf ack signal + * @clk_dis_wait_val: transition delay value for halting clock * @resets: ids of resets associated with this gdsc * @reset_count: number of @resets * @rcdev: reset controller @@ -42,6 +45,9 @@ struct gdsc { unsigned int clamp_io_ctrl; unsigned int *cxcs; unsigned int cxc_count; + unsigned int en_rest_wait_val; + unsigned int en_few_wait_val; + unsigned int clk_dis_wait_val; const u8 pwrsts; /* Powerdomain allowable state bitfields */ #define PWRSTS_OFF BIT(0) From 5f8e15a6c9782fe17177f6adbed2605e2626ec1a Mon Sep 17 00:00:00 2001 From: Hugo Villeneuve Date: Thu, 18 Jan 2024 10:22:01 -0500 Subject: [PATCH 161/176] serial: max310x: fix syntax error in IRQ error message [ Upstream commit 8ede8c6f474255b2213cccd7997b993272a8e2f9 ] Replace g with q. Helpful when grepping thru source code or logs for "request" keyword. Fixes: f65444187a66 ("serial: New serial driver MAX310X") Reviewed-by: Andy Shevchenko Signed-off-by: Hugo Villeneuve Link: https://lore.kernel.org/r/20240118152213.2644269-6-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit e75ae3225cd1e1648c5140abf21d8c76b4b5e10a) Signed-off-by: Harshit Mogalapalli --- drivers/tty/serial/max310x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c index 454659544d35..4a030eceba7b 100644 --- a/drivers/tty/serial/max310x.c +++ b/drivers/tty/serial/max310x.c @@ -1255,7 +1255,7 @@ static int max310x_probe(struct device *dev, struct max310x_devtype *devtype, if (!ret) return 0; - dev_err(dev, "Unable to reguest IRQ %i\n", irq); + dev_err(dev, "Unable to request IRQ %i\n", irq); out_uart: for (i = 0; i < devtype->nr; i++) { From 2ba503c76ed0e3fb44574c56c207662044701968 Mon Sep 17 00:00:00 2001 From: Tudor Ambarus Date: Fri, 19 Jan 2024 10:45:08 +0000 Subject: [PATCH 162/176] tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT [ Upstream commit 314c2b399288f0058a8c5b6683292cbde5f1531b ] The core expects for tx_empty() either TIOCSER_TEMT when the tx is empty or 0 otherwise. s3c24xx_serial_txempty_nofifo() might return 0x4, and at least uart_get_lsr_info() tries to clear exactly TIOCSER_TEMT (BIT(1)). Fix tx_empty() to return TIOCSER_TEMT. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Tudor Ambarus Reviewed-by: Sam Protsenko Link: https://lore.kernel.org/r/20240119104526.1221243-2-tudor.ambarus@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 6e839e4153c9881d79f94263fa352db35aa82b20) Signed-off-by: Harshit Mogalapalli --- drivers/tty/serial/samsung.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c index a50e80fde223..408478f0fce1 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -803,11 +803,10 @@ static unsigned int s3c24xx_serial_tx_empty(struct uart_port *port) if ((ufstat & info->tx_fifomask) != 0 || (ufstat & info->tx_fifofull)) return 0; - - return 1; + return TIOCSER_TEMT; } - return s3c24xx_serial_txempty_nofifo(port); + return s3c24xx_serial_txempty_nofifo(port) ? TIOCSER_TEMT : 0; } /* no modem control lines */ From 5fa039f25b048a293240318f643539862f51a239 Mon Sep 17 00:00:00 2001 From: Sean Wang Date: Mon, 23 Oct 2017 15:16:46 +0800 Subject: [PATCH 163/176] rtc: mediatek: enhance the description for MediaTek PMIC based RTC Give a better description for original MediaTek RTC driver as PMIC based RTC in order to distinguish SoC based RTC. Also turning all words with Mediatek to MediaTek here. Cc: Eddie Huang Signed-off-by: Sean Wang Acked-by: Eddie Huang Signed-off-by: Alexandre Belloni (cherry picked from commit d00a7ed288e7943fcf253c6402abb09f0f9689d0) Signed-off-by: Harshit Mogalapalli --- drivers/rtc/Kconfig | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig index 7129442f0dfe..d2740a28fb3c 100644 --- a/drivers/rtc/Kconfig +++ b/drivers/rtc/Kconfig @@ -1708,14 +1708,14 @@ config RTC_DRV_MOXART will be called rtc-moxart config RTC_DRV_MT6397 - tristate "Mediatek Real Time Clock driver" + tristate "MediaTek PMIC based RTC" depends on MFD_MT6397 || (COMPILE_TEST && IRQ_DOMAIN) help - This selects the Mediatek(R) RTC driver. RTC is part of Mediatek + This selects the MediaTek(R) RTC driver. RTC is part of MediaTek MT6397 PMIC. You should enable MT6397 PMIC MFD before select - Mediatek(R) RTC driver. + MediaTek(R) RTC driver. - If you want to use Mediatek(R) RTC interface, select Y or M here. + If you want to use MediaTek(R) RTC interface, select Y or M here. config RTC_DRV_XGENE tristate "APM X-Gene RTC" From 251fdf12a591f6f0393c9a074493372ee677d5ef Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Mon, 12 Feb 2024 21:02:58 -0800 Subject: [PATCH 164/176] rtc: mt6397: select IRQ_DOMAIN instead of depending on it [ Upstream commit 544c42f798e1651dcb04fb0395219bf0f1c2607e ] IRQ_DOMAIN is a hidden (not user visible) symbol. Users cannot set it directly thru "make *config", so drivers should select it instead of depending on it if they need it. Relying on it being set for a dependency is risky. Consistently using "select" or "depends on" can also help reduce Kconfig circular dependency issues. Therefore, change the use of "depends on" for IRQ_DOMAIN to "select" for RTC_DRV_MT6397. Fixes: 04d3ba70a3c9 ("rtc: mt6397: add IRQ domain dependency") Cc: Arnd Bergmann Cc: Eddie Huang Cc: Sean Wang Cc: Matthias Brugger Cc: linux-arm-kernel@lists.infradead.org Cc: linux-mediatek@lists.infradead.org Cc: Alessandro Zummo Cc: Alexandre Belloni Cc: linux-rtc@vger.kernel.org Cc: Marc Zyngier Cc: Philipp Zabel Cc: Peter Rosin Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20240213050258.6167-1-rdunlap@infradead.org Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin (cherry picked from commit 575fe3cc7fe2f80e9f45e1d36a4526ea43fbf280) Signed-off-by: Harshit Mogalapalli --- drivers/rtc/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig index d2740a28fb3c..9a8bb800cb2c 100644 --- a/drivers/rtc/Kconfig +++ b/drivers/rtc/Kconfig @@ -1709,7 +1709,8 @@ config RTC_DRV_MOXART config RTC_DRV_MT6397 tristate "MediaTek PMIC based RTC" - depends on MFD_MT6397 || (COMPILE_TEST && IRQ_DOMAIN) + depends on MFD_MT6397 || COMPILE_TEST + select IRQ_DOMAIN help This selects the MediaTek(R) RTC driver. RTC is part of MediaTek MT6397 PMIC. You should enable MT6397 PMIC MFD before select From 05809dc60c6107cc2d59fc9e5c6ab7880415cce8 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Mon, 19 Feb 2024 17:04:57 +0200 Subject: [PATCH 165/176] serial: 8250_exar: Don't remove GPIO device on suspend [ Upstream commit 73b5a5c00be39e23b194bad10e1ea8bb73eee176 ] It seems a copy&paste mistake that suspend callback removes the GPIO device. There is no counterpart of this action, means once suspended there is no more GPIO device available untile full unbind-bind cycle is performed. Remove suspicious GPIO device removal in suspend. Fixes: d0aeaa83f0b0 ("serial: exar: split out the exar code from 8250_pci") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240219150627.2101198-2-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 787e2620d1574196f10193a7c3693d95958254cb) Signed-off-by: Harshit Mogalapalli --- drivers/tty/serial/8250/8250_exar.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c index fd7d9aa1de9a..bab5bd24d7b1 100644 --- a/drivers/tty/serial/8250/8250_exar.c +++ b/drivers/tty/serial/8250/8250_exar.c @@ -544,6 +544,7 @@ static void exar_pci_remove(struct pci_dev *pcidev) for (i = 0; i < priv->nr; i++) serial8250_unregister_port(priv->line[i]); + /* Ensure that every init quirk is properly torn down */ if (priv->board->exit) priv->board->exit(pcidev); } @@ -558,10 +559,6 @@ static int __maybe_unused exar_suspend(struct device *dev) if (priv->line[i] >= 0) serial8250_suspend_port(priv->line[i]); - /* Ensure that every init quirk is properly torn down */ - if (priv->board->exit) - priv->board->exit(pcidev); - return 0; } From 5bc6fb9dd8654ad945d2ab614de42276880ed458 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 4 Mar 2024 10:04:48 +0300 Subject: [PATCH 166/176] staging: greybus: fix get_channel_from_mode() failure path [ Upstream commit 34164202a5827f60a203ca9acaf2d9f7d432aac8 ] The get_channel_from_mode() function is supposed to return the channel which matches the mode. But it has a bug where if it doesn't find a matching channel then it returns the last channel. It should return NULL instead. Also remove an unnecessary NULL check on "channel". Fixes: 2870b52bae4c ("greybus: lights: add lights implementation") Signed-off-by: Dan Carpenter Reviewed-by: Rui Miguel Silva Reviewed-by: Alex Elder Link: https://lore.kernel.org/r/379c0cb4-39e0-4293-8a18-c7b1298e5420@moroto.mountain Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 40bbb7e4e83a53b5ae2c4b79c675618159571d83) Signed-off-by: Harshit Mogalapalli --- drivers/staging/greybus/light.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c index 9fab0e2751aa..031a91614552 100644 --- a/drivers/staging/greybus/light.c +++ b/drivers/staging/greybus/light.c @@ -103,15 +103,15 @@ static struct led_classdev *get_channel_cdev(struct gb_channel *channel) static struct gb_channel *get_channel_from_mode(struct gb_light *light, u32 mode) { - struct gb_channel *channel = NULL; + struct gb_channel *channel; int i; for (i = 0; i < light->channels_count; i++) { channel = &light->channels[i]; - if (channel && channel->mode == mode) - break; + if (channel->mode == mode) + return channel; } - return channel; + return NULL; } static int __gb_lights_flash_intensity_set(struct gb_channel *channel, From f950312d06f35a0dcf0d89eedd046d78ecaacb57 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Thu, 7 Mar 2024 18:17:34 +0000 Subject: [PATCH 167/176] usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 600556809f04eb3bbccd05218215dcd7b285a9a9 ] Currently the variable irqflags is being set but is not being used, it appears it should be used in the call to net2272_probe_fin rather than IRQF_TRIGGER_LOW being used. Kudos to Uwe Kleine-König for suggesting the fix. Cleans up clang scan build warning: drivers/usb/gadget/udc/net2272.c:2610:15: warning: variable 'irqflags' set but not used [-Wunused-but-set-variable] Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller") Signed-off-by: Colin Ian King Acked-by: Alan Stern Link: https://lore.kernel.org/r/20240307181734.2034407-1-colin.i.king@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 4371549533b124e1693a7771303e44ed827af2e0) Signed-off-by: Harshit Mogalapalli --- drivers/usb/gadget/udc/net2272.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c index 89476090c179..ac691df6481c 100644 --- a/drivers/usb/gadget/udc/net2272.c +++ b/drivers/usb/gadget/udc/net2272.c @@ -2651,7 +2651,7 @@ net2272_plat_probe(struct platform_device *pdev) goto err_req; } - ret = net2272_probe_fin(dev, IRQF_TRIGGER_LOW); + ret = net2272_probe_fin(dev, irqflags); if (ret) goto err_io; From c412392d4e52ac3f871a4b94dcd97886f61f1c68 Mon Sep 17 00:00:00 2001 From: Murali Karicheri Date: Fri, 5 Apr 2019 13:31:30 -0400 Subject: [PATCH 168/176] net: hsr: fix placement of logical operator in a multi-line statement [ Upstream commit 059477830022e1886f55a9641702461c249fa864 ] In a multi-line statement exceeding 80 characters, logical operator should be at the end of a line instead of being at the start. This is seen when ran checkpatch.pl -f on files under net/hsr. The change is per suggestion from checkpatch. Signed-off-by: Murali Karicheri Signed-off-by: David S. Miller Stable-dep-of: ddbec99f5857 ("hsr: Fix uninit-value access in hsr_get_node()") Signed-off-by: Sasha Levin (cherry picked from commit 9706929ab421a6f68ed72fc0e6371e4fca8e698a) Signed-off-by: Harshit Mogalapalli --- net/hsr/hsr_forward.c | 8 ++++---- net/hsr/hsr_framereg.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c index adfb49760678..886fad5922b3 100644 --- a/net/hsr/hsr_forward.c +++ b/net/hsr/hsr_forward.c @@ -63,8 +63,8 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb) return false; /* Correct ether type?. */ - if (!(ethHdr->h_proto == htons(ETH_P_PRP) - || ethHdr->h_proto == htons(ETH_P_HSR))) + if (!(ethHdr->h_proto == htons(ETH_P_PRP) || + ethHdr->h_proto == htons(ETH_P_HSR))) return false; /* Get the supervision header from correct location. */ @@ -336,8 +336,8 @@ static int hsr_fill_frame_info(struct hsr_frame_info *frame, /* FIXME: */ WARN_ONCE(1, "HSR: VLAN not yet supported"); } - if (ethhdr->h_proto == htons(ETH_P_PRP) - || ethhdr->h_proto == htons(ETH_P_HSR)) { + if (ethhdr->h_proto == htons(ETH_P_PRP) || + ethhdr->h_proto == htons(ETH_P_HSR)) { frame->skb_std = NULL; frame->skb_hsr = skb; frame->sequence_nr = hsr_get_skb_sequence_nr(skb); diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c index 336cffd93293..416e107d75a0 100644 --- a/net/hsr/hsr_framereg.c +++ b/net/hsr/hsr_framereg.c @@ -192,8 +192,8 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, /* Everyone may create a node entry, connected node to a HSR device. */ - if (ethhdr->h_proto == htons(ETH_P_PRP) - || ethhdr->h_proto == htons(ETH_P_HSR)) { + if (ethhdr->h_proto == htons(ETH_P_PRP) || + ethhdr->h_proto == htons(ETH_P_HSR)) { /* Use the existing sequence_nr from the tag as starting point * for filtering duplicate frames. */ From f185d5434353871c54ffa351ed5647bc974a29f9 Mon Sep 17 00:00:00 2001 From: Shigeru Yoshida Date: Wed, 13 Mar 2024 00:27:19 +0900 Subject: [PATCH 169/176] hsr: Fix uninit-value access in hsr_get_node() [ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ] KMSAN reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 fill_frame_info net/hsr/hsr_forward.c:577 [inline] hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 __alloc_skb+0x318/0x740 net/core/skbuff.c:651 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 packet_alloc_skb net/packet/af_packet.c:2936 [inline] packet_snd net/packet/af_packet.c:3030 [inline] packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] __sys_sendto+0x735/0xa10 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 ===================================================== If the packet type ID field in the Ethernet header is either ETH_P_PRP or ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() reads an invalid value as a sequence number. This causes the above issue. This patch fixes the issue by returning NULL if the Ethernet header is not followed by an HSR tag. Fixes: f266a683a480 ("net/hsr: Better frame dispatch") Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1] Signed-off-by: Shigeru Yoshida Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit e3b2bfb8ff1810a537b2aa55ba906a6743ed120c) Signed-off-by: Harshit Mogalapalli --- net/hsr/hsr_framereg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c index 416e107d75a0..74481af83d95 100644 --- a/net/hsr/hsr_framereg.c +++ b/net/hsr/hsr_framereg.c @@ -194,6 +194,10 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, if (ethhdr->h_proto == htons(ETH_P_PRP) || ethhdr->h_proto == htons(ETH_P_HSR)) { + /* Check if skb contains hsr_ethhdr */ + if (skb->mac_len < sizeof(struct hsr_ethhdr)) + return NULL; + /* Use the existing sequence_nr from the tag as starting point * for filtering duplicate frames. */ From e2ef56dd89fdb684f70940c3a13aeacaa5551b2f Mon Sep 17 00:00:00 2001 From: Yewon Choi Date: Fri, 15 Mar 2024 18:28:38 +0900 Subject: [PATCH 170/176] rds: introduce acquire/release ordering in acquire/release_in_xmit() [ Upstream commit 1422f28826d2a0c11e5240b3e951c9e214d8656e ] acquire/release_in_xmit() work as bit lock in rds_send_xmit(), so they are expected to ensure acquire/release memory ordering semantics. However, test_and_set_bit/clear_bit() don't imply such semantics, on top of this, following smp_mb__after_atomic() does not guarantee release ordering (memory barrier actually should be placed before clear_bit()). Instead, we use clear_bit_unlock/test_and_set_bit_lock() here. Fixes: 0f4b1c7e89e6 ("rds: fix rds_send_xmit() serialization") Fixes: 1f9ecd7eacfd ("RDS: Pass rds_conn_path to rds_send_xmit()") Signed-off-by: Yewon Choi Reviewed-by: Michal Kubiak Link: https://lore.kernel.org/r/ZfQUxnNTO9AJmzwc@libra05 Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit bec6c4ce1169a565c58c347d5d0ac22e46d507d6) Signed-off-by: Harshit Mogalapalli --- net/rds/send.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/net/rds/send.c b/net/rds/send.c index 23f2d81e7967..f43ee9c7e3c1 100644 --- a/net/rds/send.c +++ b/net/rds/send.c @@ -103,13 +103,12 @@ EXPORT_SYMBOL_GPL(rds_send_path_reset); static int acquire_in_xmit(struct rds_conn_path *cp) { - return test_and_set_bit(RDS_IN_XMIT, &cp->cp_flags) == 0; + return test_and_set_bit_lock(RDS_IN_XMIT, &cp->cp_flags) == 0; } static void release_in_xmit(struct rds_conn_path *cp) { - clear_bit(RDS_IN_XMIT, &cp->cp_flags); - smp_mb__after_atomic(); + clear_bit_unlock(RDS_IN_XMIT, &cp->cp_flags); /* * We don't use wait_on_bit()/wake_up_bit() because our waking is in a * hot path and finding waiters is very rare. We don't want to walk From b3f50f65706d8c16fc23b4c2d67622da15dbf2f2 Mon Sep 17 00:00:00 2001 From: Felix Maurer Date: Fri, 15 Mar 2024 13:04:52 +0100 Subject: [PATCH 171/176] hsr: Handle failures in module init [ Upstream commit 3cf28cd492308e5f63ed00b29ea03ca016264376 ] A failure during registration of the netdev notifier was not handled at all. A failure during netlink initialization did not unregister the netdev notifier. Handle failures of netdev notifier registration and netlink initialization. Both functions should only return negative values on failure and thereby lead to the hsr module not being loaded. Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: Felix Maurer Reviewed-by: Shigeru Yoshida Reviewed-by: Breno Leitao Link: https://lore.kernel.org/r/3ce097c15e3f7ace98fc7fd9bcbf299f092e63d1.1710504184.git.fmaurer@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 9a4e0ec0624c5b3e07fb042b307b98c3543de2f4) Signed-off-by: Harshit Mogalapalli --- net/hsr/hsr_main.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c index cd37d0011b42..c22013ff4479 100644 --- a/net/hsr/hsr_main.c +++ b/net/hsr/hsr_main.c @@ -115,14 +115,21 @@ static struct notifier_block hsr_nb = { static int __init hsr_init(void) { - int res; + int err; BUILD_BUG_ON(sizeof(struct hsr_tag) != HSR_HLEN); - register_netdevice_notifier(&hsr_nb); - res = hsr_netlink_init(); + err = register_netdevice_notifier(&hsr_nb); + if (err) + return err; - return res; + err = hsr_netlink_init(); + if (err) { + unregister_netdevice_notifier(&hsr_nb); + return err; + } + + return 0; } static void __exit hsr_exit(void) From ac6c533f13a4ec9071d6548a8be5467ab238c6aa Mon Sep 17 00:00:00 2001 From: Thinh Tran Date: Fri, 15 Mar 2024 15:55:35 -0500 Subject: [PATCH 172/176] net/bnx2x: Prevent access to a freed page in page_pool [ Upstream commit d27e2da94a42655861ca4baea30c8cd65546f25d ] Fix race condition leading to system crash during EEH error handling During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge() 799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, 800 struct bnx2x_fastpath *fp, u16 index) 801 { 802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; 803 struct page *page = sw_buf->page; .... where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread. EEH: Beginning: 'slot_reset' PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... bnx2x 0011:01:00.0: enabling device (0140 -> 0142) bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000025065fc Oops: Kernel access of bad area, sig: 11 [#1] ..... Call Trace: [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 To solve this issue, we need to verify page pool allocations before freeing. Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element") Signed-off-by: Thinh Tran Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20240315205535.1321-1-thinhtr@linux.ibm.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 7bcc090c81116c66936a7415f2c6b1483a4bcfd9) Signed-off-by: Harshit Mogalapalli --- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h index 52bce009d096..ee44ef0c8980 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h @@ -1007,9 +1007,6 @@ static inline void bnx2x_set_fw_mac_addr(__le16 *fw_hi, __le16 *fw_mid, static inline void bnx2x_free_rx_mem_pool(struct bnx2x *bp, struct bnx2x_alloc_pool *pool) { - if (!pool->page) - return; - put_page(pool->page); pool->page = NULL; @@ -1020,6 +1017,9 @@ static inline void bnx2x_free_rx_sge_range(struct bnx2x *bp, { int i; + if (!fp->page_pool.page) + return; + if (fp->mode == TPA_MODE_DISABLED) return; From d49e4f3714a9208ee47e19da264ef74eab869b2e Mon Sep 17 00:00:00 2001 From: Fei Shao Date: Thu, 21 Mar 2024 15:08:57 +0800 Subject: [PATCH 173/176] spi: spi-mt65xx: Fix NULL pointer access in interrupt handler [ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ] The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes. Add a check to trans->tx_buf before using it. Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers") Signed-off-by: Fei Shao Reviewed-by: AngeloGioacchino Del Regno Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 2342b05ec5342a519e00524a507f7a6ea6791a38) Signed-off-by: Harshit Mogalapalli --- drivers/spi/spi-mt65xx.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index faca2ab75899..89ec11921537 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c @@ -524,17 +524,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(master); - cnt = mdata->xfer_len / 4; - iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + if (trans->tx_buf) { + cnt = mdata->xfer_len / 4; + iowrite32_rep(mdata->base + SPI_TX_DATA_REG, + trans->tx_buf + mdata->num_xfered, cnt); - remainder = mdata->xfer_len % 4; - if (remainder > 0) { - reg_val = 0; - memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, - remainder); - writel(reg_val, mdata->base + SPI_TX_DATA_REG); + remainder = mdata->xfer_len % 4; + if (remainder > 0) { + reg_val = 0; + memcpy(®_val, + trans->tx_buf + (cnt * 4) + mdata->num_xfered, + remainder); + writel(reg_val, mdata->base + SPI_TX_DATA_REG); + } } mtk_spi_enable_transfer(master); From 2939b898498d9da54f5ea4c0b3d698a7644843fa Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 2 Jul 2020 13:32:21 +1000 Subject: [PATCH 174/176] crypto: af_alg - Fix regression on empty requests commit 662bb52f50bca16a74fe92b487a14d7dccb85e1a upstream. Some user-space programs rely on crypto requests that have no control metadata. This broke when a check was added to require the presence of control metadata with the ctx->init flag. This patch fixes the regression by setting ctx->init as long as one sendmsg(2) has been made, with or without a control message. Reported-by: Sachin Sant Reported-by: Naresh Kamboju Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when...") Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 546e3961b5d4c6db82cfb441fabb4353940c8f95) Signed-off-by: Harshit Mogalapalli --- crypto/af_alg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 3ebf20c5f30b..d15f1dd4fb99 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -892,6 +892,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, err = -EINVAL; goto unlock; } + ctx->init = true; if (init) { ctx->enc = enc; @@ -899,7 +900,6 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, memcpy(ctx->iv, con.iv->iv, ivsize); ctx->aead_assoclen = con.aead_assoclen; - ctx->init = true; } while (size) { From 3f81c30ae458bf0f8cc2f421f3254ffa59dd95df Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 27 Aug 2020 17:14:36 +1000 Subject: [PATCH 175/176] crypto: af_alg - Work around empty control messages without MSG_MORE commit c195d66a8a75c60515819b101975f38b7ec6577f upstream. The iwd daemon uses libell which sets up the skcipher operation with two separate control messages. As the first control message is sent without MSG_MORE, it is interpreted as an empty request. While libell should be fixed to use MSG_MORE where appropriate, this patch works around the bug in the kernel so that existing binaries continue to work. We will print a warning however. A separate issue is that the new kernel code no longer allows the control message to be sent twice within the same request. This restriction is obviously incompatible with what iwd was doing (first setting an IV and then sending the real control message). This patch changes the kernel so that this is explicitly allowed. Reported-by: Caleb Jorden Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when...") Cc: Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit ba1f292491c011fa11d80b152f15ef97e4519891) Signed-off-by: Harshit Mogalapalli --- crypto/af_alg.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index d15f1dd4fb99..d8ad27a7a45c 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -888,9 +889,15 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); - if (ctx->init && (init || !ctx->more)) { - err = -EINVAL; - goto unlock; + if (ctx->init && !ctx->more) { + if (ctx->used) { + err = -EINVAL; + goto unlock; + } + + pr_info_once( + "%s sent an empty control message without MSG_MORE.\n", + current->comm); } ctx->init = true; From c33c221f22480e9971f9416b7cedcb41ae5d393a Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Wed, 17 Apr 2024 11:28:54 +0000 Subject: [PATCH 176/176] LTS: Update to 4.14.343 This corresponds to 4.19.311 upstream (v4.19.310..v4.19.311). Signed-off-by: Vegard Nossum --- .elts/config.yaml | 4 +- .elts/meta/4.14.343.yaml | 532 ++++++++++++++++++++++++++++++++ .elts/upstream/4.19.311.yaml | 576 +++++++++++++++++++++++++++++++++++ Makefile | 2 +- 4 files changed, 1111 insertions(+), 3 deletions(-) create mode 100644 .elts/meta/4.14.343.yaml create mode 100644 .elts/upstream/4.19.311.yaml diff --git a/.elts/config.yaml b/.elts/config.yaml index 016e524b9214..24548749de93 100644 --- a/.elts/config.yaml +++ b/.elts/config.yaml @@ -1,5 +1,5 @@ upstream_repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git upstream_base: 4.19.304 base: 4.14.336 -upstream_version: 4.19.310 -version: 4.14.342 +upstream_version: 4.19.311 +version: 4.14.343 diff --git a/.elts/meta/4.14.343.yaml b/.elts/meta/4.14.343.yaml new file mode 100644 index 000000000000..d553dcb50333 --- /dev/null +++ b/.elts/meta/4.14.343.yaml @@ -0,0 +1,532 @@ +3300a318344fb9cee9d92161549c7cfef5ac1413: + title: 'xen/events: only register debug interrupt for 2-level events' + mainline: d04b1ae5a9b0c868dda8b4b34175ef08f3cb9e93 +5ee8a0e79d4147dd41e7e4e420d91e2f16eb4bb6: + title: 'x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()' + mainline: 69143f60868b3939ddc89289b29db593b647295e +f2645f10d789c047bcaf11a573ed337bad4f0707: + title: 'x86/xen: Add some null pointer checking to smp.c' + mainline: 3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2 + upstream: 70a33a629090130d731fc1e1ad498bb672eea165 +96405638c5c2567f6c27cfd84ada8a5a5311b231: + title: 'MIPS: Clear Cause.BD in instruction_pointer_set' + mainline: 9d6e21ddf20293b3880ae55b9d14de91c5891c59 + upstream: b0b3373993a5b445eeb410d7c74a87710aad9d6e +3ded98fc3b9716997438f60daf0452b7c3e6d360: + title: 'net/iucv: fix the allocation size of iucv_path_table array' + mainline: b4ea9b6a18ebf7f9f3a7a60f82e925186978cfcf + upstream: 13f5b64a584b5554f81e7e493dcbafaddd06557d +e9f9eb0c2d8c5c96fc354cf8ede84f4ba6f38d19: + title: 'block: sed-opal: handle empty atoms when parsing response' + mainline: 5429c8de56f6b2bd8f537df3a1e04e67b9c04282 + upstream: 72da7347f460b2ecc5e934bcbef312e0fa5ebf2b +e6d8df74f2692f4e83306e293a8c503112d32aa8: + title: 'dm-verity, dm-crypt: align "struct bvec_iter" correctly' + mainline: 787f1b2800464aa277236a66eb3c279535edd460 + upstream: 8338d971f919256b312f28a9a320f552a499dc8e +70928e45cbbe230a8fde12a6bb7bbbfb77139e7f: + title: 'scsi: mpt3sas: Prevent sending diag_reset when the controller is ready' + mainline: ee0017c3ed8a8abfa4d40e42f908fb38c31e7515 + upstream: 6cc96148d26afbf1e3b8167ee68dc9eec387804d +b79150eddce93e7bf87f005c9c996abd90d4655e: + title: 'Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security' + mainline: 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 + upstream: 369f419c097e82407dd429a202cde9a73d3ae29b +51ec1ed43d0b4ab1228eb55189fa939ad579c4c2: + title: 'firewire: core: use long bus reset on gap count error' + mainline: d0b06dc48fb15902d7da09c5c0861e7f042a9381 + upstream: b89198d02d0149f22149675766c47883de923106 +243004088d2707ad353b4ee4dd6b96f76daca68d: + title: 'Input: gpio_keys_polled - suppress deferred probe error for gpio' + mainline: 963465a33141d0d52338e77f80fe543d2c9dc053 + upstream: a215f042a7f57346fd5430e84f81f822e84975b5 +6895f6831861ceceb98e7b6604ec9050a37c8173: + title: 'ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC' + mainline: 03c7874106ca5032a312626b927b1c35f07b1f35 + upstream: c2a85fd64160fcf4185669d4db299fbb2df76986 +2a2f4e8dfe12971fd6b78ec6e05179151bea4a88: + title: 'ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode' + mainline: 6fa849e4d78b880e878138bf238e4fd2bac3c4fa + upstream: 2f87e22ea1b42b89435bf98a768eb8227797d819 +cacf64e0af45cb788a70941441fc6423149b1d9f: + title: 'ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll' + mainline: 96e202f8c52ac49452f83317cf3b34cd1ad81e18 + upstream: d619f175ff50582c05858cb96d05391f77c7c7aa +ed2edd721e156046bb4dc4587f06af360f875581: + title: 'crypto: af_alg - make some functions static' + mainline: 466e0759269d31485074126700574230bfff3b1c + upstream: 0ca02d4beebb7b47ea0cbdceac891465cbb966c6 +f63a7bf2dcf7e05021785b64b184795f6b6a6ccd: + title: 'crypto: algif_aead - Only wake up when ctx->more is zero' + mainline: f3c802a1f30013f8f723b62d7fa49eb9e991da23 + upstream: de564b59755dfb080ef237dd4fbd02cb0c3e58a1 +ce3317e4a96642984d3e7fbaf33a086176052bf8: + title: 'do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak' + mainline: 3948abaa4e2be938ccdfc289385a27342fb13d43 + upstream: 4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1 +70137872f87a2e47239cf7ea0d9b295f173f6c27: + title: 'fs/select: rework stack allocation hack for clang' + mainline: ddb9fd7a544088ed70eccbb9f85e9cc9952131c1 + upstream: b86af4d77a5a2487020794845c1a2e948699630c +644ef6ff144cf72b7c0170ade4a8a449f01d9e63: + title: 'md: switch to ->check_events for media change notifications' + mainline: a564e23f0f99759f453dbefcb9160dec6d99df96 + upstream: dc51c01a3d5a796e18520a186f56e13f8e70749f +5621bcf7c79c834e98f01dfea929a7bbf7d600ab: + title: 'block: add a new set_read_only method' + mainline: e00adcadf3af7a8335026d71ab9f0e0a922191ac + upstream: f28658bc8a7faa03578dc2588b5b3b56b09575a6 +1d018bd5617e06f3c7bd6df7cacaf79a35cd4da3: + title: 'md: implement ->set_read_only to hook into BLKROSET processing' + mainline: 118cf084adb3964d06e1667cf7d702e56e5cd2c5 + upstream: bde70d747f81f7f014b7c63d6a7b2dd6c8356f43 +fe9ee4210de1a9816e6e99a791894f87a62c2fb3: + title: 'md: Don''t clear MD_CLOSING when the raid is about to stop' + mainline: 9674f54e41fffaf06f6a60202e1fa4cc13de3cf5 + upstream: 8eea2ea62b459cebffd20d5d5121becbec838291 +67f0ca2ac39c5b06d90c7bbb3f4dbd01a96fd1fa: + title: 'aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts' + mainline: f98364e926626c678fb4b9004b75cacf92ff0662 + upstream: ad80c34944d7175fa1f5c7a55066020002921a99 +44b1502cbcf6899a21c9d4ec8c61f5bcfaee0d03: + title: 'timekeeping: Fix cross-timestamp interpolation on counter wrap' + mainline: 84dccadd3e2a3f1a373826ad71e5ced5e76b0c00 + upstream: 3c22ef22761ab15b1c32ea5997859c0719fdc14d +ed6452adf4a6e0b9641fc065d63ddc6075238c23: + title: 'timekeeping: Fix cross-timestamp interpolation corner case decision' + mainline: 87a41130881995f82f7adbafbfeddaebfb35f0ef + upstream: 86c7cc07eef558e9986a17ac5b6d5f44c8b493bd +fabbb78782e6dd484cc0e036e1e0dbbb8c70b8da: + title: 'timekeeping: Fix cross-timestamp interpolation for non-x86' + mainline: 14274d0bd31b4debf28284604589f596ad2e99f2 + upstream: 20880812b2f8fad4cf269f83bd5266eed31f0208 +0e7ba895f0ec865043f09e88cbfc750869e3d81a: + title: 'b43: dma: Fix use true/false for bool type variable' + mainline: a9160bb35ad9ada8428a4d48426f7fc128db40cc + upstream: eb014286140dd5bd4f82417bb186edbbb2f1d3a4 +c6fa41a3cb1d5f9fff1b455d779df5a47c44f254: + title: 'wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled' + mainline: 9636951e4468f02c72cc75a82dc65d003077edbc + upstream: 1824f942527f784a19e01eac2d9679a21623d010 +947b5e0d7e03173f242ce6c5871cb82e357529f9: + title: 'wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled' + mainline: 77135a38f6c2f950d2306ac3d37cbb407e6243f2 + upstream: 5175e6256f5ad36ceea6ad5aa44f6ce87764e653 +73a69fcb66db7b037de6c521e49ba54ee21e5e3c: + title: 'b43: main: Fix use true/false for bool type' + mainline: 6db774c1725059f98e4fce97f878688248584be5 + upstream: ddd8aa7d4959a42786c3e2c2491c33e91e032f88 +13876838c450d766f468452a940c14e7f16ce55b: + title: 'wifi: b43: Stop correct queue in DMA worker when QoS is disabled' + mainline: 581c8967d66c4961076dbbee356834e9c6777184 + upstream: 0191ff009dce9740494e37a8616b3f0a3b38d884 +14ee0973eab90a53de93ef3bd02f73ef9cb54622: + title: 'wifi: b43: Disable QoS for bcm4331' + mainline: 09795bded2e725443fe4a4803cae2079cdaf7b26 + upstream: 4828567fd9625926c07fe711a096d5374f5f42d5 +4b8198ce7bd031846776dc60a66402697e2d3f9b: + title: 'wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir()' + mainline: 50180c7f8e3de7c2d87f619131776598fcb1478d + upstream: 1e68b5319090ee3f810580c059a202ec8b24bdbe +c4d2af79e42344f14a2826b617fbe57e263c8e36: + title: 'sock_diag: request _diag module only when the family or proto has been registered' +7e6bdf38024904a26cf237968d6f476d3060ea8c: + title: 'sock_diag: annotate data-races around sock_diag_handlers[family]' + mainline: efd402537673f9951992aea4ef0f5ff51d858f4b + upstream: cffd4a7c975848e2bb7c577e5c814a0d2bc9efd4 +d4a666252ef7cc7e3c6c126564e8f8e3ac751196: + title: 'af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().' + mainline: 31e03207119a535d0b0e3b3a7f91983aeb2cb14d + upstream: 0c41412330b8804ec9829ecb929a21d8cc2e06c5 +7dbbfcf6db50dd29b7040c06826c2f26b8813b6a: + title: 'wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()' + mainline: 5f0e4aede01cb01fa633171f0533affd25328c3a + upstream: 96481624fb5a6319079fb5059e46dbce43a90186 +d39f836a2b9e34610d3c1b6800adda8b1b98b6b6: + title: 'ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()' + mainline: e18afcb7b2a12b635ac10081f943fcf84ddacc51 + upstream: d351bcadab6caa6d8ce7159ff4b77e2da35c09fa +3ecc2213610561a98f56332417ce1cd445addd80: + title: 'bus: tegra-aconnect: Update dependency to ARCH_TEGRA' + mainline: 4acd21a45c1446277e2abaece97d7fa7c2e692a9 + upstream: dfd9078eecdac8d45badc029d0a1afb9b887d089 +cff340eed43a60e8352306c2d0daa936e2609d55: + title: 'iommu/amd: Mark interrupt as managed' + mainline: 0feda94c868d396fac3b3cb14089d2d989a07c72 + upstream: 46b9f2480b5bd3793340754eb52aa887fcbeb2f1 +7f3fb7d44b2c90cb14e6bdc2be5058669186d725: + title: 'wifi: brcmsmac: avoid function pointer casts' + mainline: e1ea6db35fc3ba5ff063f097385e9f7a88c25356 + upstream: 523bd0437c687d0b4edf7548b95217993746c64c +a8674f8f32d3ce9502633eec64d5f1240d7ab031: + title: 'ARM: dts: arm: realview: Fix development chip ROM compatible value' + mainline: 3baa4c5143d65ebab2de0d99a395e5f4f1f46608 + upstream: d6a0ddacb07986dbd08d97b8c8b0928778e318b4 +ff060748955642dd9eb032bb32bf8d3c8b0c809c: + title: 'ACPI: scan: Fix device check notification handling' + mainline: 793551c965116d9dfaf0550dacae1396a20efa69 + upstream: 3dd8bfb5f23fa1605f2a7b62c91258a7d778ccb1 +f1a4dbde435665ebd50419198f51995a86722489: + title: 'x86, relocs: Ignore relocations in .notes section' + mainline: aaa8736370db1a78f0e8434344a484f9fd20be3b + upstream: 13edb509abc91c72152a11baaf0e7c060a312e03 +98dd836d4d90f8c75583cdb77e51e43416145bf2: + title: 'SUNRPC: fix some memleaks in gssx_dec_option_array' + mainline: 3cfcfc102a5e57b021b786a755a38935e357797d + upstream: b97c37978ca825557d331c9012e0c1ddc0e42364 +4cb02a03a5ed3ea326f92cb72cc6d96019ea43f4: + title: 'mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function' + mainline: ae5004a40a262d329039b99b62bd3fe7645b66ad + upstream: f10426db32e7712fcc72154e2fa288f7127094ad +7344a5ae74cc4e62b079a877d20b2570e2f235ef: + title: 'igb: move PEROUT and EXTTS isr logic to separate functions' + mainline: cf99c1dd7b7729091043374b90807c7a5f9fd9b1 + upstream: d686b4537ead6bdd1a636040c00af51e9e0a1bc5 +2fe7a8cde6d1b03ecb4fed3f7cf6e5427463cfda: + title: 'igb: Fix missing time sync events' + mainline: ee14cc9ea19ba9678177e2224a9c58cce5937c73 + upstream: f346bf4db1ebaad9c8ca5aae6397c7867b8ac4f3 +e63d5f1f3f5f918a0a94e7d4facccfa6342239cc: + title: 'Bluetooth: Remove superfluous call to hci_conn_check_pending()' + mainline: 78e3639fc8031275010c3287ac548c0bc8de83b1 + upstream: 6e960390709966929a29eaec8bca710237a54f24 +224f6971eb2b4457331804d194017c1524f8157f: + title: 'Bluetooth: hci_core: Fix possible buffer overflow' + mainline: 81137162bfaa7278785b24c1fd2e9e74f082e8e4 + upstream: 6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac +aca6a0b117cfb0701cc2bea02db1e8c6372b08b0: + title: 'sr9800: Add check for usbnet_get_endpoints' + mainline: 07161b2416f740a2cb87faa5566873f401440a61 + upstream: 424eba06ed405d557077339edb19ce0ebe39e7c7 +5b157b57a27deae00138ebbf9abe793d85b80d12: + title: 'bpf: Fix hashtab overflow check on 32-bit arches' + mainline: 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 + upstream: 33ec04cadb77605b71d9298311919303d390c4d5 +c7eb664d0ae8b3da9621816bfe11ad862c24e342: + title: 'bpf: Fix stackmap overflow check on 32-bit arches' + mainline: 7a4b21250bf79eef26543d35bd390448646c536b + upstream: d0e214acc59145ce25113f617311aa79dda39cb3 +efa596b077451aef0f8bb760ad3975264a046ee4: + title: 'ipv6: fib6_rules: flush route cache when rule is changed' + mainline: c4386ab4f6c600f75fdfd21143f89bac3e625d0d + upstream: 95db6e62a2d920abf43c169e51046adb9f394ef0 +9676e9447d12a404638bbee6bd43852440c7c137: + title: 'tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function' + mainline: 716edc9706deb3bb2ff56e2eeb83559cea8f22db + upstream: d909b53ff5b8f005b474b4417ee271f5a4adca94 +a0e4e51da39f5a7fc9d9e1f5fc14640701887d90: + title: 'l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function' + mainline: 955e9876ba4ee26eeaab1b13517f5b2c88e73d55 + upstream: 51a7e05fbca612ae1f09f62dfe21957380b8546d +5cfa0a58e61d01c690063af3623d0a53b76951a6: + title: 'udp: fix incorrect parameter validation in the udp_lib_getsockopt() function' + mainline: 4bb3ba7b74fceec6f558745b25a43c6521cf5506 + upstream: f21612ee652c08b4a5a0bb11528035f57935fae1 +59a4e1ed1e12998b6ee449091fe2ae36597b223b: + title: 'net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function' + mainline: 3ed5f415133f9b7518fbe55ba9ae9a3f5e700929 + upstream: 867608c0abcbdc86e62925604ac2d3f0c7ca678a +fa19944cf14ae594b5b1353f881e80f4d83016b5: + title: 'net/x25: fix incorrect parameter validation in the x25_getsockopt() function' + mainline: d6eb8de2015f0c24822e47356f839167ebde2945 + upstream: 7089428a1a4e28efa0c36877d80639a8306fdbf4 +3d651f489f213a8688c49fdb9c5af4e94aaefe08: + title: 'dm raid: fix false positive for requeue needed during reshape' + mainline: b25b8f4b8ecef0f48c05f0c3572daeabefe16526 + upstream: 52a35f5551c6c63f2c50c24117377faa47b2395c +d8348562b9ba5d57db7ff9c39b40c326d81fec2d: + title: 'dm: call the resume method on internal suspend' + mainline: 65e8fbde64520001abf1c8d0e573561b4746ef38 + upstream: 69836d9329f0b4c58faaf3d886a7748ddb5bf718 +c5b100db7c774d0770809952834e65c00da6aed8: + title: 'drm/tegra: dsi: Add missing check for of_find_device_by_node' + mainline: afe6fcb9775882230cd29b529203eabd5d2a638d + upstream: 47a13d0b9d8527518639ab5c39667f69d6203e80 +a1d6e2d545ae60e3c0f14afc655960a12a1836ce: + title: 'gpu: host1x: mipi: Update tegra_mipi_request() to be node based' + mainline: 767598d447aa46411289c5808b0e45e20a1823b4 + upstream: aaa5ef6db779a2ffdac6e2c4e27a042fc85af425 +a7f31893877bed52efc884b8151f7bd211643115: + title: 'drm/tegra: dsi: Make use of the helper function dev_err_probe()' + mainline: fc75e4fcbd1e4252a0481ebb23cd4516c127a8e2 + upstream: 4003d399dd34bd9a80fcf78a3feb3140eb82b2b8 +beef7ea1764bd7497ea4a76932b5b57bb6d1147d: + title: 'drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()' + mainline: 830c1ded356369cd1303e8bb87ce3fea6e744de8 + upstream: 0cb8749a621cdd291dc8976bbc245029124d402a +8f0f744ebf00a199144bb821d0d1b186de6be782: + title: 'drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe()' + mainline: 5286a9fc280c45b6b307ee1b07f7a997e042252c + upstream: d7e898d13a867014352f0daf98f8a0155c67a3c9 +9514fc65463c56256c0fbb075a6e414d2c440e9c: + title: 'drm/rockchip: inno_hdmi: Fix video timing' + mainline: 47a145c03484d33e65d773169d5ca1b9fe2a492e + upstream: c031022829a91114cb2bd531c38de99184957b6d +36ac37d23799588aa1f243c55a9958bac40ce8be: + title: 'drm: Don''t treat 0 as -1 in drm_fixp2int_ceil' + mainline: cf8837d7204481026335461629b84ac7f4538fa5 + upstream: e3271a9f1432472bfd1aec82a5086d6b10e0dfec +f37d112202ea81abf2af9a552cd3657f8b042342: + title: 'media: tc358743: register v4l2 async device only after successful setup' + mainline: 87399f1ff92203d65f1febf5919429f4bb613a02 + upstream: 17c2650de14842c25c569cbb2126c421489a3a24 +e2bc2e2b68b321dfd3fb2c66691014a66ee074a6: + title: 'media: em28xx: annotate unchecked call to media_device_register()' + mainline: fd61d77a3d28444b2635f0c8b5a2ecd6a4d94026 + upstream: 8b3c5d95bcc85f4333b6968ae7710ee2a1b28f0a +fdec9e17f52ea90aa40441a258d62ad3f0d6707d: + title: 'media: v4l2-tpg: fix some memleaks in tpg_alloc' + mainline: 8cf9c5051076e0eb958f4361d50d8b0c3ee6691c + upstream: 0de691ff547d86dd54c24b40a81f9c925df8dd77 +08af260a5bc1b71c1278dccb64a7866ea0687ef3: + title: 'media: dvbdev: remove double-unlock' + mainline: 122d0e8dd050cc5dc3fb9e9b5f2dee3c5276ce35 + upstream: cfa5ffc57e54fb8b864d23b6992cb37d706f6a87 +88b9134f0e55fe9a7162ee90e5324e2fd91b0ad9: + title: 'media: media/dvb: Use kmemdup rather than duplicating its implementation' + mainline: f6af820ef1be58c2e4b81aa479b9f109eb6344ce + upstream: 6e4129f8163460c79bb99887bc6f791196fcbda2 +5ace531d9048d5957c275071f8e55d5b3261e03e: + title: 'media: dvbdev: Fix memleak in dvb_register_device' + mainline: 167faadfcf9339088910e9e85a1b711fcbbef8e9 + upstream: 085f36c317cba8b8955c5da5f59c7486345d2bbb +83a32ee58edae39a2e9bb7d71f36d0317ebf39d2: + title: 'media: dvbdev: fix error logic at dvb_register_device()' + mainline: 1fec2ecc252301110e4149e6183fa70460d29674 + upstream: a30cf94eaf5dd3ffd8d13c3a8c303d04357b01c1 +0ae7184adc0e7116a0bc81eded303fc031db1812: + title: 'media: dvbdev: convert DVB device types into an enum' +8f649cb42cc0154445a0319a3ec9e0f6f37737b5: + title: 'media: dvb-core: Fix use-after-free due to race at dvb_register_device()' + mainline: 627bb528b086b4136315c25d6a447a98ea9448d3 + upstream: dc04ff778b4f8ff4560f1c42993417359e74d36a +dec38a328d1cb93913450eab8c0b2b52ca6d96b7: + title: 'media: edia: dvbdev: fix a use-after-free' + mainline: 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 + upstream: d0f5c28333822f9baa5280d813124920720fd856 +a9c53a71d5103df700ba1022bd793c2e7da2e4b3: + title: 'clk: qcom: reset: Allow specifying custom reset delay' + mainline: 2cb8a39b6781ea23accd1fa93b3ad000d0948aec + upstream: 5f0a066e0ece83eb4c72c6672539bcdbfeb39a4e +7091467f8cf4ffb05762766872608822fba862a6: + title: 'clk: qcom: reset: support resetting multiple bits' + mainline: 4a5210893625f89723ea210d7c630b730abb37ad + upstream: 38dd93f87da08876edf8df89a5992ce46da920ea +fb58c616f8d5d230746a6e834a13daaf9616432d: + title: 'clk: qcom: reset: Commonize the de/assert functions' + mainline: eda40d9c583e95e0b6ac69d2950eec10f802e0e8 + upstream: 823c46950d9a96e94db8f565013f4f2f528c2bbe +3acb0bf9b01663735e38d8647655c4c2dc81aa80: + title: 'clk: qcom: reset: Ensure write completion on reset de/assertion' + mainline: 2f8cf2c3f3e3f7ef61bd19abb4b0bb797ad50aaf + upstream: d258d124f435adb3cac491e4b0274e75597f3a02 +045db5c9471c0d3662193af5123c40c459442c29: + title: 'quota: code cleanup for __dquot_alloc_space()' + mainline: df15a2a59d0b29d86e17140b83ed231adaded12f + upstream: d9e4ab12b60a49204435102f8120c0d3e62583f1 +34b20f6e467fcd6dcd4352a429263beca0cc46fc: + title: 'fs/quota: erase unused but set variable warning' + mainline: 78bc3334a69ff289dbc973a9db7c52a2d7757e5b + upstream: 1974c13019b97140149690cd622a9c6732c32124 +92b446b2b7dfe86c8955bf914789754b2d44ec81: + title: 'quota: check time limit when back out space/inode change' + mainline: 632a9f3acd6687376cbb0b178df6048e19cbacc9 + upstream: e87ed533e7a6167f4a5e1b0fdbf21784acf115cc +ba23e07d50c32bf3e5c651e29fe526f53652b28b: + title: 'quota: simplify drop_dquot_ref()' + mainline: 7bce48f0fec602b3b6c335963b26d9eefa417788 + upstream: 248699a705f31211c0d7cc9e0d79cbbabbc9c791 +b2b5f36baf4785d586642aab144412e5961b7955: + title: 'quota: Fix potential NULL pointer dereference' + mainline: d0aa72604fbd80c8aabb46eda00535ed35570f1f + upstream: 8514899c1a4edf802f03c408db901063aa3f05a1 +9b7a96f32e377542671c0cc2c43a1ab5cfa84723: + title: 'quota: Fix rcu annotations of inode dquot pointers' + mainline: 179b8c97ebf63429589f5afeba59a181fe70603e + upstream: 06172dff9a47e76dfce9b60d44ef21131b417803 +d85a1e5fdc93c04aad783ac5134fe266a0a372b7: + title: 'perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()' + mainline: 1eb3d924e3c0b8c27388b0583a989d757866efb6 + upstream: f9e92ad5eb0901cacac8f1cc4e5ea12514f7934b +38f97031f0e5fad4f2a081d34cd1a1365cca5e05: + title: 'drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()' + mainline: c4891d979c7668b195a0a75787967ec95a24ecef + upstream: 1c35795b90f4dce0605ace7eef9ae1bd1282ebf2 +9075faa224b8911050442a04a83e7156df94f0b7: + title: 'ALSA: seq: fix function cast warnings' + mainline: d7bf73809849463f76de42aad62c850305dd6c5d + upstream: 9f9254f8927d9f4e4185ec18d8ee648dfcb5ed62 +0203c9b23b47d5e2f6d817b69d592ccc88d9a1f5: + title: 'media: go7007: add check of return value of go7007_read_addr()' + mainline: 0b70530ee740861f4776ff724fcc25023df1799a + upstream: ff13e3ce6aa4c0dfdbc6438fe3c03118afe3ee8c +ef1a77adc95fea554698fbbe7530b7e7da5ef4a6: + title: 'media: pvrusb2: fix pvr2_stream_callback casts' + mainline: 30baa4a96b23add91a87305baaeba82c4e109e1f + upstream: 4e93392ae27eb5f8ad4efd31cf8f1ecd5fdabe15 +bbb93685c7c6f27816955df2d599ca30a5ff2dbb: + title: 'drm/mediatek: dsi: Fix DSI RGB666 formats and definitions' + mainline: fae6f815505301b92d9113764f4d76d0bfe45607 + upstream: a5e660dba9ff73531053664e20dd858d880adbdb +8bfb9ffc388bc45abfcbf77b8b2c0715c4a950f6: + title: 'PCI: Mark 3ware-9650SE Root Port Extended Tags as broken' + mainline: baf67aefbe7d7deafa59ca49612d163f8889934c + upstream: 8443ceba0a8e5960e134ef26346266cb2d3a251d +2c4e4f364fc917492491e7e801a11aa3d021eaba: + title: 'clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister()' + mainline: 74e39f526d95c0c119ada1874871ee328c59fbee + upstream: 907370aacf216e3a662d44e88d204413488444b3 +964b1a6dfa9591962a88502cbce73e0d5a39f12c: + title: 'drm/tegra: put drm_gem_object ref on error in tegra_fb_create' + mainline: 32e5a120a5105bce01561978ee55aee8e40ac0dc + upstream: d674e78da934afd2ce5935eff08cf5361a9a27ac +cc17862516e0adc1504c13f2bcf8e6e660af3912: + title: 'mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref' + mainline: d2b0680cf3b05490b579e71b0df6e07451977745 + upstream: 5d16d3dc28a95915c1f7a41f68f2a069ced4b578 +7fc8137190a1cebb8826d8ed71480d2653801e3f: + title: 'crypto: arm - Rename functions to avoid conflict with crypto/sha256.h' + mainline: e4dcc1be15268b6d34de3968f906577591521bd5 + upstream: bdb1db7115d9b2a9d10c101dfc67386485fad00d +0147d403e14fcf04d14e54c8db8c92e0b9e895c1: + title: 'crypto: arm/sha - fix function cast warnings' + mainline: 53cc9baeb9bc2a187eb9c9790d30995148852b12 + upstream: 8d27d1b155c26bae2bd76b0c3e78cc4f1f1e21c5 +1b84c12ebaccfd96af1d200d69bad289842962a9: + title: 'mtd: rawnand: lpc32xx_mlc: fix irq handler prototype' + mainline: 347b828882e6334690e7003ce5e2fe5f233dc508 + upstream: 9fc05d7953b0d71372b632e1d62abf78c6ac9d64 +d7fb1c3d480ad75315a420879665772dd588cd44: + title: 'drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()' + mainline: 7cf1ad2fe10634238b38442a851d89514cb14ea2 + upstream: 5a2b18dbec88b972d570994483f188cb59586609 +6251ccc9fe18868635199a6e3dcd17ac5732060a: + title: 'media: pvrusb2: fix uaf in pvr2_context_set_notify' + mainline: 0a0b79ea55de8514e1750884e5fec77f9fdd01ee + upstream: ed8000e1e8e9684ab6c30cf2b526c0cea039929c +810b8a9fe3e1bc6bc357b08882289aab5be3909e: + title: 'media: dvb-frontends: avoid stack overflow warnings with clang' + mainline: 7a4cf27d1f0538f779bf31b8c99eda394e277119 + upstream: c073c8cede5abd3836e83d70d72606d11d0759d4 +d692197c4290038026cd849e964cbc0963b8baf7: + title: 'media: go7007: fix a memleak in go7007_load_encoder' + mainline: b9b683844b01d171a72b9c0419a2d760d946ee12 + upstream: 7f11dd3d165b178e738fe73dfeea513e383bedb5 +f754e826a42f26ce110d8c22ac3efcd5b8f714a8: + title: 'drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip' + mainline: c958e86e9cc1b48cac004a6e245154dfba8e163b + upstream: accdac6b71d5a2b84040c3d2234f53a60edc398e +1785997d8b483b47a511d6d61e2e8cc20095ec5d: + title: 'powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks' + mainline: ad86d7ee43b22aa2ed60fb982ae94b285c1be671 + upstream: 0a1754ba8d537e054b01f0c2dc6b653a5a1b685d +138ea96e89f7b2bccb7b3fee18b0a4430e6b2f5c: + title: 'powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.' + mainline: 20933531be0577cdd782216858c26150dbc7936f + upstream: 131dffef3a81e9c6f4a9e278ffd66f3eb5ae8c3e +e50c0ec386b601a2161ecf3ce4d8bb64dc0226bd: + title: 'backlight: lm3630a: Initialize backlight_properties on init' + mainline: ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 + upstream: 063b294747b47f7bdaad3953542e73552bf7fe65 +d0ca047e07a3357a1cfa5de925311b5496e1b233: + title: 'backlight: lm3630a: Don''t set bl->props.brightness in get_brightness' + mainline: 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 + upstream: 85360e411bd2239ef184178352fab6582a0fcb85 +80b386048fb42668966e1afc0ae2c4d6e6dfd1fa: + title: 'backlight: da9052: Fully initialize backlight_properties during probe' + mainline: 0285e9efaee8276305db5c52a59baf84e9731556 + upstream: ba9f50fa0edd4d45bc9840ba05efa9b526a30b53 +2f286fb34ca716ba08e7f4cb0f020ce20cb9d219: + title: 'backlight: lm3639: Fully initialize backlight_properties during probe' + mainline: abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 + upstream: 9d0aaf425cc5aec627ee7cae0990e6c5b7d2adb9 +3f2fe45a95a3f6a3cd5f7c17d8c53a41b1800d75: + title: 'backlight: lp8788: Fully initialize backlight_properties during probe' + mainline: 392346827fbe8a7fd573dfb145170d7949f639a6 + upstream: 3301f60ab7ebc14ec7242f1ad62dc151e11cd308 +1455216df91812ea6d3e0fcf0ce4be142ba39cbc: + title: 'sparc32: Fix section mismatch in leon_pci_grpci' + mainline: 24338a6ae13cb743ced77da1b3a12c83f08a0c96 + upstream: 6bf3c3508c839c4457058686fbd59d9c55e5e598 +684d0dfc0167a62bb2fc9c3c2d97e421a6f8f1d7: + title: 'ALSA: usb-audio: Stop parsing channels bits when all channels are found.' + mainline: a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 + upstream: 7e2c1b0f6dd9abde9e60f0f9730026714468770f +ee504736ec7911bfb90382f7f3222faa7982dc0f: + title: 'scsi: csiostor: Avoid function pointer casts' + mainline: 9f3dbcb5632d6876226031d552ef6163bb3ad215 + upstream: 77d9c6364756ec8986b8d7f801bcb2295cfa036a +826d2a5f4af824bc5457e9ca919e6d0e0da677c5: + title: 'scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn' + mainline: b69600231f751304db914c63b937f7098ed2895c + upstream: 8413fc5ef952b5ddd606a42b2be1e15694e2f526 +dd5627de25e1b9b306a735e52a9be0189c50681e: + title: 'net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()' + mainline: d6f4de70f73a106986ee315d7d512539f2f3303a + upstream: 867a6a6899a68323d6ef8995ea3765611d67ba1e +43e88e13e5e89dabaa722dcbe424df93ff3fa50b: + title: 'NFS: Fix an off by one in root_nfs_cat()' + mainline: 698ad1a538da0b6bf969cfee630b4e3a026afb87 + upstream: 9bb320c5cea50e7fa82a477743a6a0546eaa37b3 +ac71f4414591935d0d42f189b92234f8475c8e26: + title: 'clk: qcom: gdsc: Add support to update GDSC transition delay' + mainline: 4e7c4d3652f96f41179aab3ff53025c7a550d689 + upstream: 13c921e83ef2f8c2d7f6d79272e7760de605ca3c +5f8e15a6c9782fe17177f6adbed2605e2626ec1a: + title: 'serial: max310x: fix syntax error in IRQ error message' + mainline: 8ede8c6f474255b2213cccd7997b993272a8e2f9 + upstream: e75ae3225cd1e1648c5140abf21d8c76b4b5e10a +2ba503c76ed0e3fb44574c56c207662044701968: + title: 'tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT' + mainline: 314c2b399288f0058a8c5b6683292cbde5f1531b + upstream: 6e839e4153c9881d79f94263fa352db35aa82b20 +5fa039f25b048a293240318f643539862f51a239: + title: 'rtc: mediatek: enhance the description for MediaTek PMIC based RTC' +251fdf12a591f6f0393c9a074493372ee677d5ef: + title: 'rtc: mt6397: select IRQ_DOMAIN instead of depending on it' + mainline: 544c42f798e1651dcb04fb0395219bf0f1c2607e + upstream: 575fe3cc7fe2f80e9f45e1d36a4526ea43fbf280 +05809dc60c6107cc2d59fc9e5c6ab7880415cce8: + title: 'serial: 8250_exar: Don''t remove GPIO device on suspend' + mainline: 73b5a5c00be39e23b194bad10e1ea8bb73eee176 + upstream: 787e2620d1574196f10193a7c3693d95958254cb +5bc6fb9dd8654ad945d2ab614de42276880ed458: + title: 'staging: greybus: fix get_channel_from_mode() failure path' + mainline: 34164202a5827f60a203ca9acaf2d9f7d432aac8 + upstream: 40bbb7e4e83a53b5ae2c4b79c675618159571d83 +f950312d06f35a0dcf0d89eedd046d78ecaacb57: + title: 'usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin' + mainline: 600556809f04eb3bbccd05218215dcd7b285a9a9 + upstream: 4371549533b124e1693a7771303e44ed827af2e0 +c412392d4e52ac3f871a4b94dcd97886f61f1c68: + title: 'net: hsr: fix placement of logical operator in a multi-line statement' + mainline: 059477830022e1886f55a9641702461c249fa864 + upstream: 9706929ab421a6f68ed72fc0e6371e4fca8e698a +f185d5434353871c54ffa351ed5647bc974a29f9: + title: 'hsr: Fix uninit-value access in hsr_get_node()' + mainline: ddbec99f58571301679addbc022256970ca3eac6 + upstream: e3b2bfb8ff1810a537b2aa55ba906a6743ed120c +e2ef56dd89fdb684f70940c3a13aeacaa5551b2f: + title: 'rds: introduce acquire/release ordering in acquire/release_in_xmit()' + mainline: 1422f28826d2a0c11e5240b3e951c9e214d8656e + upstream: bec6c4ce1169a565c58c347d5d0ac22e46d507d6 +b3f50f65706d8c16fc23b4c2d67622da15dbf2f2: + title: 'hsr: Handle failures in module init' + mainline: 3cf28cd492308e5f63ed00b29ea03ca016264376 + upstream: 9a4e0ec0624c5b3e07fb042b307b98c3543de2f4 +ac6c533f13a4ec9071d6548a8be5467ab238c6aa: + title: 'net/bnx2x: Prevent access to a freed page in page_pool' + mainline: d27e2da94a42655861ca4baea30c8cd65546f25d + upstream: 7bcc090c81116c66936a7415f2c6b1483a4bcfd9 +d49e4f3714a9208ee47e19da264ef74eab869b2e: + title: 'spi: spi-mt65xx: Fix NULL pointer access in interrupt handler' + mainline: a20ad45008a7c82f1184dc6dee280096009ece55 + upstream: 2342b05ec5342a519e00524a507f7a6ea6791a38 +2939b898498d9da54f5ea4c0b3d698a7644843fa: + title: 'crypto: af_alg - Fix regression on empty requests' + mainline: 662bb52f50bca16a74fe92b487a14d7dccb85e1a + upstream: 546e3961b5d4c6db82cfb441fabb4353940c8f95 +3f81c30ae458bf0f8cc2f421f3254ffa59dd95df: + title: 'crypto: af_alg - Work around empty control messages without MSG_MORE' + mainline: c195d66a8a75c60515819b101975f38b7ec6577f + upstream: ba1f292491c011fa11d80b152f15ef97e4519891 diff --git a/.elts/upstream/4.19.311.yaml b/.elts/upstream/4.19.311.yaml new file mode 100644 index 000000000000..e09ae43dd3ae --- /dev/null +++ b/.elts/upstream/4.19.311.yaml @@ -0,0 +1,576 @@ +53b523420981228674aabbc3d27d3461db19f499: + title: 'ASoC: rt5645: Make LattePanda board DMI match more precise' + mainline: 551539a8606e28cb2a130f8ef3e9834235b456c4 + skipped: too many upstream changes; not worth the risk +70a33a629090130d731fc1e1ad498bb672eea165: + title: 'x86/xen: Add some null pointer checking to smp.c' + mainline: 3693bb4465e6e32a204a5b86d3ec7e6b9f7e67c2 + backport: f2645f10d789c047bcaf11a573ed337bad4f0707 +b0b3373993a5b445eeb410d7c74a87710aad9d6e: + title: 'MIPS: Clear Cause.BD in instruction_pointer_set' + mainline: 9d6e21ddf20293b3880ae55b9d14de91c5891c59 + backport: 96405638c5c2567f6c27cfd84ada8a5a5311b231 +13f5b64a584b5554f81e7e493dcbafaddd06557d: + title: 'net/iucv: fix the allocation size of iucv_path_table array' + mainline: b4ea9b6a18ebf7f9f3a7a60f82e925186978cfcf + backport: 3ded98fc3b9716997438f60daf0452b7c3e6d360 +72da7347f460b2ecc5e934bcbef312e0fa5ebf2b: + title: 'block: sed-opal: handle empty atoms when parsing response' + mainline: 5429c8de56f6b2bd8f537df3a1e04e67b9c04282 + backport: e9f9eb0c2d8c5c96fc354cf8ede84f4ba6f38d19 +8338d971f919256b312f28a9a320f552a499dc8e: + title: 'dm-verity, dm-crypt: align "struct bvec_iter" correctly' + mainline: 787f1b2800464aa277236a66eb3c279535edd460 + backport: e6d8df74f2692f4e83306e293a8c503112d32aa8 +6cc96148d26afbf1e3b8167ee68dc9eec387804d: + title: 'scsi: mpt3sas: Prevent sending diag_reset when the controller is ready' + mainline: ee0017c3ed8a8abfa4d40e42f908fb38c31e7515 + backport: 70928e45cbbe230a8fde12a6bb7bbbfb77139e7f +369f419c097e82407dd429a202cde9a73d3ae29b: + title: 'Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security' + mainline: 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 + backport: b79150eddce93e7bf87f005c9c996abd90d4655e +b89198d02d0149f22149675766c47883de923106: + title: 'firewire: core: use long bus reset on gap count error' + mainline: d0b06dc48fb15902d7da09c5c0861e7f042a9381 + backport: 51ec1ed43d0b4ab1228eb55189fa939ad579c4c2 +2d400317217470b2dc28bb776efeb9c3d53e0340: + title: 'ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet' + mainline: f8b0127aca8c60826e7354e504a12d4a46b1c3bb + skipped: causes build failure; not security issue +a215f042a7f57346fd5430e84f81f822e84975b5: + title: 'Input: gpio_keys_polled - suppress deferred probe error for gpio' + mainline: 963465a33141d0d52338e77f80fe543d2c9dc053 + backport: 243004088d2707ad353b4ee4dd6b96f76daca68d +c2a85fd64160fcf4185669d4db299fbb2df76986: + title: 'ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC' + mainline: 03c7874106ca5032a312626b927b1c35f07b1f35 + backport: 6895f6831861ceceb98e7b6604ec9050a37c8173 +2f87e22ea1b42b89435bf98a768eb8227797d819: + title: 'ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode' + mainline: 6fa849e4d78b880e878138bf238e4fd2bac3c4fa + backport: 2a2f4e8dfe12971fd6b78ec6e05179151bea4a88 +d619f175ff50582c05858cb96d05391f77c7c7aa: + title: 'ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll' + mainline: 96e202f8c52ac49452f83317cf3b34cd1ad81e18 + backport: cacf64e0af45cb788a70941441fc6423149b1d9f +17a1144baa54edb9c97014ad441a03b93e50ab75: + title: 'crypto: algif_aead - fix uninitialized ctx->init' + mainline: 21dfbcd1f5cbff9cf2f9e7e43475aed8d072b0dd + skipped: fixes patch not in branch +0ca02d4beebb7b47ea0cbdceac891465cbb966c6: + title: 'crypto: af_alg - make some functions static' + mainline: 466e0759269d31485074126700574230bfff3b1c + backport: ed2edd721e156046bb4dc4587f06af360f875581 +de564b59755dfb080ef237dd4fbd02cb0c3e58a1: + title: 'crypto: algif_aead - Only wake up when ctx->more is zero' + mainline: f3c802a1f30013f8f723b62d7fa49eb9e991da23 + backport: f63a7bf2dcf7e05021785b64b184795f6b6a6ccd +4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1: + title: 'do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak' + mainline: 3948abaa4e2be938ccdfc289385a27342fb13d43 + backport: ce3317e4a96642984d3e7fbaf33a086176052bf8 +b86af4d77a5a2487020794845c1a2e948699630c: + title: 'fs/select: rework stack allocation hack for clang' + mainline: ddb9fd7a544088ed70eccbb9f85e9cc9952131c1 + backport: 70137872f87a2e47239cf7ea0d9b295f173f6c27 +dc51c01a3d5a796e18520a186f56e13f8e70749f: + title: 'md: switch to ->check_events for media change notifications' + mainline: a564e23f0f99759f453dbefcb9160dec6d99df96 + backport: 644ef6ff144cf72b7c0170ade4a8a449f01d9e63 +f28658bc8a7faa03578dc2588b5b3b56b09575a6: + title: 'block: add a new set_read_only method' + mainline: e00adcadf3af7a8335026d71ab9f0e0a922191ac + backport: 5621bcf7c79c834e98f01dfea929a7bbf7d600ab +bde70d747f81f7f014b7c63d6a7b2dd6c8356f43: + title: 'md: implement ->set_read_only to hook into BLKROSET processing' + mainline: 118cf084adb3964d06e1667cf7d702e56e5cd2c5 + backport: 1d018bd5617e06f3c7bd6df7cacaf79a35cd4da3 +8eea2ea62b459cebffd20d5d5121becbec838291: + title: 'md: Don''t clear MD_CLOSING when the raid is about to stop' + mainline: 9674f54e41fffaf06f6a60202e1fa4cc13de3cf5 + backport: fe9ee4210de1a9816e6e99a791894f87a62c2fb3 +ad80c34944d7175fa1f5c7a55066020002921a99: + title: 'aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts' + mainline: f98364e926626c678fb4b9004b75cacf92ff0662 + backport: 67f0ca2ac39c5b06d90c7bbb3f4dbd01a96fd1fa +3c22ef22761ab15b1c32ea5997859c0719fdc14d: + title: 'timekeeping: Fix cross-timestamp interpolation on counter wrap' + mainline: 84dccadd3e2a3f1a373826ad71e5ced5e76b0c00 + backport: 44b1502cbcf6899a21c9d4ec8c61f5bcfaee0d03 +86c7cc07eef558e9986a17ac5b6d5f44c8b493bd: + title: 'timekeeping: Fix cross-timestamp interpolation corner case decision' + mainline: 87a41130881995f82f7adbafbfeddaebfb35f0ef + backport: ed6452adf4a6e0b9641fc065d63ddc6075238c23 +20880812b2f8fad4cf269f83bd5266eed31f0208: + title: 'timekeeping: Fix cross-timestamp interpolation for non-x86' + mainline: 14274d0bd31b4debf28284604589f596ad2e99f2 + backport: fabbb78782e6dd484cc0e036e1e0dbbb8c70b8da +0cd3b0a1dc987697cba1fe93c784365aa1f8a230: + title: 'wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()' + mainline: ad25ee36f00172f7d53242dc77c69fff7ced0755 + skipped: fixes patch not in branch +eb014286140dd5bd4f82417bb186edbbb2f1d3a4: + title: 'b43: dma: Fix use true/false for bool type variable' + mainline: a9160bb35ad9ada8428a4d48426f7fc128db40cc + backport: 0e7ba895f0ec865043f09e88cbfc750869e3d81a +1824f942527f784a19e01eac2d9679a21623d010: + title: 'wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled' + mainline: 9636951e4468f02c72cc75a82dc65d003077edbc + backport: c6fa41a3cb1d5f9fff1b455d779df5a47c44f254 +5175e6256f5ad36ceea6ad5aa44f6ce87764e653: + title: 'wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled' + mainline: 77135a38f6c2f950d2306ac3d37cbb407e6243f2 + backport: 947b5e0d7e03173f242ce6c5871cb82e357529f9 +ddd8aa7d4959a42786c3e2c2491c33e91e032f88: + title: 'b43: main: Fix use true/false for bool type' + mainline: 6db774c1725059f98e4fce97f878688248584be5 + backport: 73a69fcb66db7b037de6c521e49ba54ee21e5e3c +0191ff009dce9740494e37a8616b3f0a3b38d884: + title: 'wifi: b43: Stop correct queue in DMA worker when QoS is disabled' + mainline: 581c8967d66c4961076dbbee356834e9c6777184 + backport: 13876838c450d766f468452a940c14e7f16ce55b +4828567fd9625926c07fe711a096d5374f5f42d5: + title: 'wifi: b43: Disable QoS for bcm4331' + mainline: 09795bded2e725443fe4a4803cae2079cdaf7b26 + backport: 14ee0973eab90a53de93ef3bd02f73ef9cb54622 +1e68b5319090ee3f810580c059a202ec8b24bdbe: + title: 'wifi: mwifiex: debugfs: Drop unnecessary error check for debugfs_create_dir()' + mainline: 50180c7f8e3de7c2d87f619131776598fcb1478d + backport: 4b8198ce7bd031846776dc60a66402697e2d3f9b +cffd4a7c975848e2bb7c577e5c814a0d2bc9efd4: + title: 'sock_diag: annotate data-races around sock_diag_handlers[family]' + mainline: efd402537673f9951992aea4ef0f5ff51d858f4b + backport: 7e6bdf38024904a26cf237968d6f476d3060ea8c +0c41412330b8804ec9829ecb929a21d8cc2e06c5: + title: 'af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().' + mainline: 31e03207119a535d0b0e3b3a7f91983aeb2cb14d + backport: d4a666252ef7cc7e3c6c126564e8f8e3ac751196 +96481624fb5a6319079fb5059e46dbce43a90186: + title: 'wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()' + mainline: 5f0e4aede01cb01fa633171f0533affd25328c3a + backport: 7dbbfcf6db50dd29b7040c06826c2f26b8813b6a +d351bcadab6caa6d8ce7159ff4b77e2da35c09fa: + title: 'ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()' + mainline: e18afcb7b2a12b635ac10081f943fcf84ddacc51 + backport: d39f836a2b9e34610d3c1b6800adda8b1b98b6b6 +dfd9078eecdac8d45badc029d0a1afb9b887d089: + title: 'bus: tegra-aconnect: Update dependency to ARCH_TEGRA' + mainline: 4acd21a45c1446277e2abaece97d7fa7c2e692a9 + backport: 3ecc2213610561a98f56332417ce1cd445addd80 +46b9f2480b5bd3793340754eb52aa887fcbeb2f1: + title: 'iommu/amd: Mark interrupt as managed' + mainline: 0feda94c868d396fac3b3cb14089d2d989a07c72 + backport: cff340eed43a60e8352306c2d0daa936e2609d55 +523bd0437c687d0b4edf7548b95217993746c64c: + title: 'wifi: brcmsmac: avoid function pointer casts' + mainline: e1ea6db35fc3ba5ff063f097385e9f7a88c25356 + backport: 7f3fb7d44b2c90cb14e6bdc2be5058669186d725 +d6a0ddacb07986dbd08d97b8c8b0928778e318b4: + title: 'ARM: dts: arm: realview: Fix development chip ROM compatible value' + mainline: 3baa4c5143d65ebab2de0d99a395e5f4f1f46608 + backport: a8674f8f32d3ce9502633eec64d5f1240d7ab031 +3dd8bfb5f23fa1605f2a7b62c91258a7d778ccb1: + title: 'ACPI: scan: Fix device check notification handling' + mainline: 793551c965116d9dfaf0550dacae1396a20efa69 + backport: ff060748955642dd9eb032bb32bf8d3c8b0c809c +13edb509abc91c72152a11baaf0e7c060a312e03: + title: 'x86, relocs: Ignore relocations in .notes section' + mainline: aaa8736370db1a78f0e8434344a484f9fd20be3b + backport: f1a4dbde435665ebd50419198f51995a86722489 +b97c37978ca825557d331c9012e0c1ddc0e42364: + title: 'SUNRPC: fix some memleaks in gssx_dec_option_array' + mainline: 3cfcfc102a5e57b021b786a755a38935e357797d + backport: 98dd836d4d90f8c75583cdb77e51e43416145bf2 +f10426db32e7712fcc72154e2fa288f7127094ad: + title: 'mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function' + mainline: ae5004a40a262d329039b99b62bd3fe7645b66ad + backport: 4cb02a03a5ed3ea326f92cb72cc6d96019ea43f4 +d686b4537ead6bdd1a636040c00af51e9e0a1bc5: + title: 'igb: move PEROUT and EXTTS isr logic to separate functions' + mainline: cf99c1dd7b7729091043374b90807c7a5f9fd9b1 + backport: 7344a5ae74cc4e62b079a877d20b2570e2f235ef +f346bf4db1ebaad9c8ca5aae6397c7867b8ac4f3: + title: 'igb: Fix missing time sync events' + mainline: ee14cc9ea19ba9678177e2224a9c58cce5937c73 + backport: 2fe7a8cde6d1b03ecb4fed3f7cf6e5427463cfda +6e960390709966929a29eaec8bca710237a54f24: + title: 'Bluetooth: Remove superfluous call to hci_conn_check_pending()' + mainline: 78e3639fc8031275010c3287ac548c0bc8de83b1 + backport: e63d5f1f3f5f918a0a94e7d4facccfa6342239cc +6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac: + title: 'Bluetooth: hci_core: Fix possible buffer overflow' + mainline: 81137162bfaa7278785b24c1fd2e9e74f082e8e4 + backport: 224f6971eb2b4457331804d194017c1524f8157f +424eba06ed405d557077339edb19ce0ebe39e7c7: + title: 'sr9800: Add check for usbnet_get_endpoints' + mainline: 07161b2416f740a2cb87faa5566873f401440a61 + backport: aca6a0b117cfb0701cc2bea02db1e8c6372b08b0 +33ec04cadb77605b71d9298311919303d390c4d5: + title: 'bpf: Fix hashtab overflow check on 32-bit arches' + mainline: 6787d916c2cf9850c97a0a3f73e08c43e7d973b1 + backport: 5b157b57a27deae00138ebbf9abe793d85b80d12 +d0e214acc59145ce25113f617311aa79dda39cb3: + title: 'bpf: Fix stackmap overflow check on 32-bit arches' + mainline: 7a4b21250bf79eef26543d35bd390448646c536b + backport: c7eb664d0ae8b3da9621816bfe11ad862c24e342 +95db6e62a2d920abf43c169e51046adb9f394ef0: + title: 'ipv6: fib6_rules: flush route cache when rule is changed' + mainline: c4386ab4f6c600f75fdfd21143f89bac3e625d0d + backport: efa596b077451aef0f8bb760ad3975264a046ee4 +d909b53ff5b8f005b474b4417ee271f5a4adca94: + title: 'tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function' + mainline: 716edc9706deb3bb2ff56e2eeb83559cea8f22db + backport: 9676e9447d12a404638bbee6bd43852440c7c137 +51a7e05fbca612ae1f09f62dfe21957380b8546d: + title: 'l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt() function' + mainline: 955e9876ba4ee26eeaab1b13517f5b2c88e73d55 + backport: a0e4e51da39f5a7fc9d9e1f5fc14640701887d90 +f21612ee652c08b4a5a0bb11528035f57935fae1: + title: 'udp: fix incorrect parameter validation in the udp_lib_getsockopt() function' + mainline: 4bb3ba7b74fceec6f558745b25a43c6521cf5506 + backport: 5cfa0a58e61d01c690063af3623d0a53b76951a6 +867608c0abcbdc86e62925604ac2d3f0c7ca678a: + title: 'net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function' + mainline: 3ed5f415133f9b7518fbe55ba9ae9a3f5e700929 + backport: 59a4e1ed1e12998b6ee449091fe2ae36597b223b +7089428a1a4e28efa0c36877d80639a8306fdbf4: + title: 'net/x25: fix incorrect parameter validation in the x25_getsockopt() function' + mainline: d6eb8de2015f0c24822e47356f839167ebde2945 + backport: fa19944cf14ae594b5b1353f881e80f4d83016b5 +d746889db75a76aeee95fb705b8e1ac28c684a2e: + title: 'nfp: flower: handle acti_netdevs allocation failure' + mainline: 84e95149bd341705f0eca6a7fcb955c548805002 + skipped: fixes patch not in branch +52a35f5551c6c63f2c50c24117377faa47b2395c: + title: 'dm raid: fix false positive for requeue needed during reshape' + mainline: b25b8f4b8ecef0f48c05f0c3572daeabefe16526 + backport: 3d651f489f213a8688c49fdb9c5af4e94aaefe08 +69836d9329f0b4c58faaf3d886a7748ddb5bf718: + title: 'dm: call the resume method on internal suspend' + mainline: 65e8fbde64520001abf1c8d0e573561b4746ef38 + backport: d8348562b9ba5d57db7ff9c39b40c326d81fec2d +47a13d0b9d8527518639ab5c39667f69d6203e80: + title: 'drm/tegra: dsi: Add missing check for of_find_device_by_node' + mainline: afe6fcb9775882230cd29b529203eabd5d2a638d + backport: c5b100db7c774d0770809952834e65c00da6aed8 +aaa5ef6db779a2ffdac6e2c4e27a042fc85af425: + title: 'gpu: host1x: mipi: Update tegra_mipi_request() to be node based' + mainline: 767598d447aa46411289c5808b0e45e20a1823b4 + backport: a1d6e2d545ae60e3c0f14afc655960a12a1836ce +4003d399dd34bd9a80fcf78a3feb3140eb82b2b8: + title: 'drm/tegra: dsi: Make use of the helper function dev_err_probe()' + mainline: fc75e4fcbd1e4252a0481ebb23cd4516c127a8e2 + backport: a7f31893877bed52efc884b8151f7bd211643115 +0cb8749a621cdd291dc8976bbc245029124d402a: + title: 'drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()' + mainline: 830c1ded356369cd1303e8bb87ce3fea6e744de8 + backport: beef7ea1764bd7497ea4a76932b5b57bb6d1147d +d7e898d13a867014352f0daf98f8a0155c67a3c9: + title: 'drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path of tegra_dsi_probe()' + mainline: 5286a9fc280c45b6b307ee1b07f7a997e042252c + backport: 8f0f744ebf00a199144bb821d0d1b186de6be782 +c031022829a91114cb2bd531c38de99184957b6d: + title: 'drm/rockchip: inno_hdmi: Fix video timing' + mainline: 47a145c03484d33e65d773169d5ca1b9fe2a492e + backport: 9514fc65463c56256c0fbb075a6e414d2c440e9c +e3271a9f1432472bfd1aec82a5086d6b10e0dfec: + title: 'drm: Don''t treat 0 as -1 in drm_fixp2int_ceil' + mainline: cf8837d7204481026335461629b84ac7f4538fa5 + backport: 36ac37d23799588aa1f243c55a9958bac40ce8be +2a1a4409d162a2a7e116ce87695ff6a7f8c7988c: + title: 'drm/rockchip: lvds: do not overwrite error code' + mainline: 79b09453c4e369ca81cfb670d0136d089e3b92f0 + skipped: fixes patch not in branch +7775f620adbfcf3e65f32cb0f1bfa2c5f3786469: + title: 'drm/rockchip: lvds: do not print scary message when probing defer' + mainline: 52d11c863ac92e36a0365249f7f6d27ac48c78bc + skipped: fixes patch not in branch +17c2650de14842c25c569cbb2126c421489a3a24: + title: 'media: tc358743: register v4l2 async device only after successful setup' + mainline: 87399f1ff92203d65f1febf5919429f4bb613a02 + backport: f37d112202ea81abf2af9a552cd3657f8b042342 +35ad0b464f8c1d8414b9eb9ef8da070aa06bd693: + title: 'perf evsel: Fix duplicate initialization of data->id in evsel__parse_sample()' + mainline: 4962aec0d684c8edb14574ccd0da53e4926ff834 + skipped: fixes patch not in branch +def6f2347cc5534daffd513a5a33637fdfc8d1a6: + title: 'ABI: sysfs-bus-pci-devices-aer_stats uses an invalid tag' + mainline: abf313b5a8b72302062dd407ed7e470d67d389bb + skipped: missing commit 81aa5206f9a7c9793e2f7971400351664e40b04f +8b3c5d95bcc85f4333b6968ae7710ee2a1b28f0a: + title: 'media: em28xx: annotate unchecked call to media_device_register()' + mainline: fd61d77a3d28444b2635f0c8b5a2ecd6a4d94026 + backport: e2bc2e2b68b321dfd3fb2c66691014a66ee074a6 +0de691ff547d86dd54c24b40a81f9c925df8dd77: + title: 'media: v4l2-tpg: fix some memleaks in tpg_alloc' + mainline: 8cf9c5051076e0eb958f4361d50d8b0c3ee6691c + backport: fdec9e17f52ea90aa40441a258d62ad3f0d6707d +3dd8abb0ed0e0a7c66d6d677c86ccb188cc39333: + title: 'media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity' + mainline: 8f94b49a5b5d386c038e355bef6347298aabd211 + skipped: fixes patch not in branch +cfa5ffc57e54fb8b864d23b6992cb37d706f6a87: + title: 'media: dvbdev: remove double-unlock' + mainline: 122d0e8dd050cc5dc3fb9e9b5f2dee3c5276ce35 + backport: 08af260a5bc1b71c1278dccb64a7866ea0687ef3 +6e4129f8163460c79bb99887bc6f791196fcbda2: + title: 'media: media/dvb: Use kmemdup rather than duplicating its implementation' + mainline: f6af820ef1be58c2e4b81aa479b9f109eb6344ce + backport: 88b9134f0e55fe9a7162ee90e5324e2fd91b0ad9 +085f36c317cba8b8955c5da5f59c7486345d2bbb: + title: 'media: dvbdev: Fix memleak in dvb_register_device' + mainline: 167faadfcf9339088910e9e85a1b711fcbbef8e9 + backport: 5ace531d9048d5957c275071f8e55d5b3261e03e +a30cf94eaf5dd3ffd8d13c3a8c303d04357b01c1: + title: 'media: dvbdev: fix error logic at dvb_register_device()' + mainline: 1fec2ecc252301110e4149e6183fa70460d29674 + backport: 83a32ee58edae39a2e9bb7d71f36d0317ebf39d2 +dc04ff778b4f8ff4560f1c42993417359e74d36a: + title: 'media: dvb-core: Fix use-after-free due to race at dvb_register_device()' + mainline: 627bb528b086b4136315c25d6a447a98ea9448d3 + backport: 8f649cb42cc0154445a0319a3ec9e0f6f37737b5 +d0f5c28333822f9baa5280d813124920720fd856: + title: 'media: edia: dvbdev: fix a use-after-free' + mainline: 8c64f4cdf4e6cc5682c52523713af8c39c94e6d5 + backport: dec38a328d1cb93913450eab8c0b2b52ca6d96b7 +5f0a066e0ece83eb4c72c6672539bcdbfeb39a4e: + title: 'clk: qcom: reset: Allow specifying custom reset delay' + mainline: 2cb8a39b6781ea23accd1fa93b3ad000d0948aec + backport: a9c53a71d5103df700ba1022bd793c2e7da2e4b3 +38dd93f87da08876edf8df89a5992ce46da920ea: + title: 'clk: qcom: reset: support resetting multiple bits' + mainline: 4a5210893625f89723ea210d7c630b730abb37ad + backport: 7091467f8cf4ffb05762766872608822fba862a6 +823c46950d9a96e94db8f565013f4f2f528c2bbe: + title: 'clk: qcom: reset: Commonize the de/assert functions' + mainline: eda40d9c583e95e0b6ac69d2950eec10f802e0e8 + backport: fb58c616f8d5d230746a6e834a13daaf9616432d +d258d124f435adb3cac491e4b0274e75597f3a02: + title: 'clk: qcom: reset: Ensure write completion on reset de/assertion' + mainline: 2f8cf2c3f3e3f7ef61bd19abb4b0bb797ad50aaf + backport: 3acb0bf9b01663735e38d8647655c4c2dc81aa80 +d9e4ab12b60a49204435102f8120c0d3e62583f1: + title: 'quota: code cleanup for __dquot_alloc_space()' + mainline: df15a2a59d0b29d86e17140b83ed231adaded12f + backport: 045db5c9471c0d3662193af5123c40c459442c29 +1974c13019b97140149690cd622a9c6732c32124: + title: 'fs/quota: erase unused but set variable warning' + mainline: 78bc3334a69ff289dbc973a9db7c52a2d7757e5b + backport: 34b20f6e467fcd6dcd4352a429263beca0cc46fc +e87ed533e7a6167f4a5e1b0fdbf21784acf115cc: + title: 'quota: check time limit when back out space/inode change' + mainline: 632a9f3acd6687376cbb0b178df6048e19cbacc9 + backport: 92b446b2b7dfe86c8955bf914789754b2d44ec81 +248699a705f31211c0d7cc9e0d79cbbabbc9c791: + title: 'quota: simplify drop_dquot_ref()' + mainline: 7bce48f0fec602b3b6c335963b26d9eefa417788 + backport: ba23e07d50c32bf3e5c651e29fe526f53652b28b +8514899c1a4edf802f03c408db901063aa3f05a1: + title: 'quota: Fix potential NULL pointer dereference' + mainline: d0aa72604fbd80c8aabb46eda00535ed35570f1f + backport: b2b5f36baf4785d586642aab144412e5961b7955 +06172dff9a47e76dfce9b60d44ef21131b417803: + title: 'quota: Fix rcu annotations of inode dquot pointers' + mainline: 179b8c97ebf63429589f5afeba59a181fe70603e + backport: 9b7a96f32e377542671c0cc2c43a1ab5cfa84723 +f9e92ad5eb0901cacac8f1cc4e5ea12514f7934b: + title: 'perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()' + mainline: 1eb3d924e3c0b8c27388b0583a989d757866efb6 + backport: d85a1e5fdc93c04aad783ac5134fe266a0a372b7 +1c35795b90f4dce0605ace7eef9ae1bd1282ebf2: + title: 'drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()' + mainline: c4891d979c7668b195a0a75787967ec95a24ecef + backport: 38f97031f0e5fad4f2a081d34cd1a1365cca5e05 +9f9254f8927d9f4e4185ec18d8ee648dfcb5ed62: + title: 'ALSA: seq: fix function cast warnings' + mainline: d7bf73809849463f76de42aad62c850305dd6c5d + backport: 9075faa224b8911050442a04a83e7156df94f0b7 +ff13e3ce6aa4c0dfdbc6438fe3c03118afe3ee8c: + title: 'media: go7007: add check of return value of go7007_read_addr()' + mainline: 0b70530ee740861f4776ff724fcc25023df1799a + backport: 0203c9b23b47d5e2f6d817b69d592ccc88d9a1f5 +4e93392ae27eb5f8ad4efd31cf8f1ecd5fdabe15: + title: 'media: pvrusb2: fix pvr2_stream_callback casts' + mainline: 30baa4a96b23add91a87305baaeba82c4e109e1f + backport: ef1a77adc95fea554698fbbe7530b7e7da5ef4a6 +1cb169229f8e6a29bd4ec4baf7a095a91ed6c729: + title: 'firmware: qcom: scm: Add WLAN VMID for Qualcomm SCM interface' + mainline: cc53aabcc283c36274d3f3ce9adc4b40c21d4838 + skipped: commit did not cherry-pick cleanly +c7544fd16bf8656791548ab3b0845b6ed2411496: + title: 'clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times' + mainline: 117e7dc697c2739d754db8fe0c1e2d4f1f5d5f82 + skipped: fixes patch not in branch +a5e660dba9ff73531053664e20dd858d880adbdb: + title: 'drm/mediatek: dsi: Fix DSI RGB666 formats and definitions' + mainline: fae6f815505301b92d9113764f4d76d0bfe45607 + backport: bbb93685c7c6f27816955df2d599ca30a5ff2dbb +8443ceba0a8e5960e134ef26346266cb2d3a251d: + title: 'PCI: Mark 3ware-9650SE Root Port Extended Tags as broken' + mainline: baf67aefbe7d7deafa59ca49612d163f8889934c + backport: 8bfb9ffc388bc45abfcbf77b8b2c0715c4a950f6 +907370aacf216e3a662d44e88d204413488444b3: + title: 'clk: hisilicon: hi3519: Release the correct number of gates in hi3519_clk_unregister()' + mainline: 74e39f526d95c0c119ada1874871ee328c59fbee + backport: 2c4e4f364fc917492491e7e801a11aa3d021eaba +d674e78da934afd2ce5935eff08cf5361a9a27ac: + title: 'drm/tegra: put drm_gem_object ref on error in tegra_fb_create' + mainline: 32e5a120a5105bce01561978ee55aee8e40ac0dc + backport: 964b1a6dfa9591962a88502cbce73e0d5a39f12c +5d16d3dc28a95915c1f7a41f68f2a069ced4b578: + title: 'mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref' + mainline: d2b0680cf3b05490b579e71b0df6e07451977745 + backport: cc17862516e0adc1504c13f2bcf8e6e660af3912 +bdb1db7115d9b2a9d10c101dfc67386485fad00d: + title: 'crypto: arm - Rename functions to avoid conflict with crypto/sha256.h' + mainline: e4dcc1be15268b6d34de3968f906577591521bd5 + backport: 7fc8137190a1cebb8826d8ed71480d2653801e3f +8d27d1b155c26bae2bd76b0c3e78cc4f1f1e21c5: + title: 'crypto: arm/sha - fix function cast warnings' + mainline: 53cc9baeb9bc2a187eb9c9790d30995148852b12 + backport: 0147d403e14fcf04d14e54c8db8c92e0b9e895c1 +9fc05d7953b0d71372b632e1d62abf78c6ac9d64: + title: 'mtd: rawnand: lpc32xx_mlc: fix irq handler prototype' + mainline: 347b828882e6334690e7003ce5e2fe5f233dc508 + backport: 1b84c12ebaccfd96af1d200d69bad289842962a9 +e7221531b9f477f596c432846c57581d0312a02c: + title: 'ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs' + mainline: e3741a8d28a1137f8b19ae6f3d6e3be69a454a0a + skipped: fixes patch not in branch +5a2b18dbec88b972d570994483f188cb59586609: + title: 'drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()' + mainline: 7cf1ad2fe10634238b38442a851d89514cb14ea2 + backport: d7fb1c3d480ad75315a420879665772dd588cd44 +ed8000e1e8e9684ab6c30cf2b526c0cea039929c: + title: 'media: pvrusb2: fix uaf in pvr2_context_set_notify' + mainline: 0a0b79ea55de8514e1750884e5fec77f9fdd01ee + backport: 6251ccc9fe18868635199a6e3dcd17ac5732060a +c073c8cede5abd3836e83d70d72606d11d0759d4: + title: 'media: dvb-frontends: avoid stack overflow warnings with clang' + mainline: 7a4cf27d1f0538f779bf31b8c99eda394e277119 + backport: 810b8a9fe3e1bc6bc357b08882289aab5be3909e +7f11dd3d165b178e738fe73dfeea513e383bedb5: + title: 'media: go7007: fix a memleak in go7007_load_encoder' + mainline: b9b683844b01d171a72b9c0419a2d760d946ee12 + backport: d692197c4290038026cd849e964cbc0963b8baf7 +accdac6b71d5a2b84040c3d2234f53a60edc398e: + title: 'drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip' + mainline: c958e86e9cc1b48cac004a6e245154dfba8e163b + backport: f754e826a42f26ce110d8c22ac3efcd5b8f714a8 +0a1754ba8d537e054b01f0c2dc6b653a5a1b685d: + title: 'powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks' + mainline: ad86d7ee43b22aa2ed60fb982ae94b285c1be671 + backport: 1785997d8b483b47a511d6d61e2e8cc20095ec5d +131dffef3a81e9c6f4a9e278ffd66f3eb5ae8c3e: + title: 'powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.' + mainline: 20933531be0577cdd782216858c26150dbc7936f + backport: 138ea96e89f7b2bccb7b3fee18b0a4430e6b2f5c +063b294747b47f7bdaad3953542e73552bf7fe65: + title: 'backlight: lm3630a: Initialize backlight_properties on init' + mainline: ad9aeb0e3aa90ebdad5fabf9c21783740eb95907 + backport: e50c0ec386b601a2161ecf3ce4d8bb64dc0226bd +85360e411bd2239ef184178352fab6582a0fcb85: + title: 'backlight: lm3630a: Don''t set bl->props.brightness in get_brightness' + mainline: 4bf7ddd2d2f0f8826f25f74c7eba4e2c323a1446 + backport: d0ca047e07a3357a1cfa5de925311b5496e1b233 +ba9f50fa0edd4d45bc9840ba05efa9b526a30b53: + title: 'backlight: da9052: Fully initialize backlight_properties during probe' + mainline: 0285e9efaee8276305db5c52a59baf84e9731556 + backport: 80b386048fb42668966e1afc0ae2c4d6e6dfd1fa +9d0aaf425cc5aec627ee7cae0990e6c5b7d2adb9: + title: 'backlight: lm3639: Fully initialize backlight_properties during probe' + mainline: abb5a5d951fbea3feb5c4ba179b89bb96a1d3462 + backport: 2f286fb34ca716ba08e7f4cb0f020ce20cb9d219 +3301f60ab7ebc14ec7242f1ad62dc151e11cd308: + title: 'backlight: lp8788: Fully initialize backlight_properties during probe' + mainline: 392346827fbe8a7fd573dfb145170d7949f639a6 + backport: 3f2fe45a95a3f6a3cd5f7c17d8c53a41b1800d75 +6bf3c3508c839c4457058686fbd59d9c55e5e598: + title: 'sparc32: Fix section mismatch in leon_pci_grpci' + mainline: 24338a6ae13cb743ced77da1b3a12c83f08a0c96 + backport: 1455216df91812ea6d3e0fcf0ce4be142ba39cbc +7e2c1b0f6dd9abde9e60f0f9730026714468770f: + title: 'ALSA: usb-audio: Stop parsing channels bits when all channels are found.' + mainline: a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7 + backport: 684d0dfc0167a62bb2fc9c3c2d97e421a6f8f1d7 +77d9c6364756ec8986b8d7f801bcb2295cfa036a: + title: 'scsi: csiostor: Avoid function pointer casts' + mainline: 9f3dbcb5632d6876226031d552ef6163bb3ad215 + backport: ee504736ec7911bfb90382f7f3222faa7982dc0f +8413fc5ef952b5ddd606a42b2be1e15694e2f526: + title: 'scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn' + mainline: b69600231f751304db914c63b937f7098ed2895c + backport: 826d2a5f4af824bc5457e9ca919e6d0e0da677c5 +867a6a6899a68323d6ef8995ea3765611d67ba1e: + title: 'net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()' + mainline: d6f4de70f73a106986ee315d7d512539f2f3303a + backport: dd5627de25e1b9b306a735e52a9be0189c50681e +9bb320c5cea50e7fa82a477743a6a0546eaa37b3: + title: 'NFS: Fix an off by one in root_nfs_cat()' + mainline: 698ad1a538da0b6bf969cfee630b4e3a026afb87 + backport: 43e88e13e5e89dabaa722dcbe424df93ff3fa50b +13c921e83ef2f8c2d7f6d79272e7760de605ca3c: + title: 'clk: qcom: gdsc: Add support to update GDSC transition delay' + mainline: 4e7c4d3652f96f41179aab3ff53025c7a550d689 + backport: ac71f4414591935d0d42f189b92234f8475c8e26 +e75ae3225cd1e1648c5140abf21d8c76b4b5e10a: + title: 'serial: max310x: fix syntax error in IRQ error message' + mainline: 8ede8c6f474255b2213cccd7997b993272a8e2f9 + backport: 5f8e15a6c9782fe17177f6adbed2605e2626ec1a +6e839e4153c9881d79f94263fa352db35aa82b20: + title: 'tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT' + mainline: 314c2b399288f0058a8c5b6683292cbde5f1531b + backport: 2ba503c76ed0e3fb44574c56c207662044701968 +d0687545f89d410b42ed84a8cb089bd670e0a5cf: + title: 'kconfig: fix infinite loop when expanding a macro at the end of file' + mainline: af8bbce92044dc58e4cc039ab94ee5d470a621f5 + skipped: fixes patch not in branch +575fe3cc7fe2f80e9f45e1d36a4526ea43fbf280: + title: 'rtc: mt6397: select IRQ_DOMAIN instead of depending on it' + mainline: 544c42f798e1651dcb04fb0395219bf0f1c2607e + backport: 251fdf12a591f6f0393c9a074493372ee677d5ef +787e2620d1574196f10193a7c3693d95958254cb: + title: 'serial: 8250_exar: Don''t remove GPIO device on suspend' + mainline: 73b5a5c00be39e23b194bad10e1ea8bb73eee176 + backport: 05809dc60c6107cc2d59fc9e5c6ab7880415cce8 +40bbb7e4e83a53b5ae2c4b79c675618159571d83: + title: 'staging: greybus: fix get_channel_from_mode() failure path' + mainline: 34164202a5827f60a203ca9acaf2d9f7d432aac8 + backport: 5bc6fb9dd8654ad945d2ab614de42276880ed458 +4371549533b124e1693a7771303e44ed827af2e0: + title: 'usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin' + mainline: 600556809f04eb3bbccd05218215dcd7b285a9a9 + backport: f950312d06f35a0dcf0d89eedd046d78ecaacb57 +9706929ab421a6f68ed72fc0e6371e4fca8e698a: + title: 'net: hsr: fix placement of logical operator in a multi-line statement' + mainline: 059477830022e1886f55a9641702461c249fa864 + backport: c412392d4e52ac3f871a4b94dcd97886f61f1c68 +e3b2bfb8ff1810a537b2aa55ba906a6743ed120c: + title: 'hsr: Fix uninit-value access in hsr_get_node()' + mainline: ddbec99f58571301679addbc022256970ca3eac6 + backport: f185d5434353871c54ffa351ed5647bc974a29f9 +bec6c4ce1169a565c58c347d5d0ac22e46d507d6: + title: 'rds: introduce acquire/release ordering in acquire/release_in_xmit()' + mainline: 1422f28826d2a0c11e5240b3e951c9e214d8656e + backport: e2ef56dd89fdb684f70940c3a13aeacaa5551b2f +9a4e0ec0624c5b3e07fb042b307b98c3543de2f4: + title: 'hsr: Handle failures in module init' + mainline: 3cf28cd492308e5f63ed00b29ea03ca016264376 + backport: b3f50f65706d8c16fc23b4c2d67622da15dbf2f2 +7bcc090c81116c66936a7415f2c6b1483a4bcfd9: + title: 'net/bnx2x: Prevent access to a freed page in page_pool' + mainline: d27e2da94a42655861ca4baea30c8cd65546f25d + backport: ac6c533f13a4ec9071d6548a8be5467ab238c6aa +2342b05ec5342a519e00524a507f7a6ea6791a38: + title: 'spi: spi-mt65xx: Fix NULL pointer access in interrupt handler' + mainline: a20ad45008a7c82f1184dc6dee280096009ece55 + backport: d49e4f3714a9208ee47e19da264ef74eab869b2e +546e3961b5d4c6db82cfb441fabb4353940c8f95: + title: 'crypto: af_alg - Fix regression on empty requests' + mainline: 662bb52f50bca16a74fe92b487a14d7dccb85e1a + backport: 2939b898498d9da54f5ea4c0b3d698a7644843fa +ba1f292491c011fa11d80b152f15ef97e4519891: + title: 'crypto: af_alg - Work around empty control messages without MSG_MORE' + mainline: c195d66a8a75c60515819b101975f38b7ec6577f + backport: 3f81c30ae458bf0f8cc2f421f3254ffa59dd95df diff --git a/Makefile b/Makefile index 750ef287bebb..0d1906b8b360 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 342 +SUBLEVEL = 343 EXTRAVERSION = -openela NAME = Petit Gorille