2022-06-13 15:27:38

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 000/287] 4.19.247-rc1 review

This is the start of the stable review cycle for the 4.19.247 release.
There are 287 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.247-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 4.19.247-rc1

Tokunori Ikegami <[email protected]>
mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N

Tokunori Ikegami <[email protected]>
mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write

Pascal Hambourg <[email protected]>
md/raid0: Ignore RAID0 layout if the second zone has only one device

Michael Ellerman <[email protected]>
powerpc/32: Fix overread/overwrite of thread_struct via ptrace

Mathias Nyman <[email protected]>
Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag

Olivier Matz <[email protected]>
ixgbe: fix unexpected VLAN Rx in promisc mode on VF

Olivier Matz <[email protected]>
ixgbe: fix bcast packets Rx on VF after promisc removal

Martin Faltesek <[email protected]>
nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling

Martin Faltesek <[email protected]>
nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION

Adrian Hunter <[email protected]>
mmc: block: Fix CQE recovery reset success

Sergey Shtylyov <[email protected]>
ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files

Shyam Prasad N <[email protected]>
cifs: return errors during session setup during reconnects

huangwenhui <[email protected]>
ALSA: hda/conexant - Fix loopback issue with CX20632

Xie Yongji <[email protected]>
vringh: Fix loop descriptors check in the indirect cases

Kees Cook <[email protected]>
nodemask: Fix return values to be unsigned

Yu Kuai <[email protected]>
nbd: fix io hung while disconnecting device

Yu Kuai <[email protected]>
nbd: fix race between nbd_alloc_config() and module removal

Yu Kuai <[email protected]>
nbd: call genl_unregister_family() first in nbd_cleanup()

Masahiro Yamada <[email protected]>
modpost: fix undefined behavior of is_arm_mapping_symbol()

Gong Yuanjun <[email protected]>
drm/radeon: fix a possible null pointer dereference

Venky Shankar <[email protected]>
ceph: allow ceph.dir.rctime xattr to be updatable

Michal Kubecek <[email protected]>
Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"

Guoqing Jiang <[email protected]>
md: protect md_unregister_thread from reentrancy

Hao Luo <[email protected]>
kernfs: Separate kernfs_pr_cont_buf and rename_lock.

John Ogness <[email protected]>
serial: msm_serial: disable interrupts in __msm_console_write()

Wang Cheng <[email protected]>
staging: rtl8712: fix uninit-value in r871xu_drv_init()

Andre Przywara <[email protected]>
clocksource/drivers/sp804: Avoid error on multiple instances

bumwoo lee <[email protected]>
extcon: Modify extcon device to be created after driver data is set

Shuah Khan <[email protected]>
misc: rtsx: set NULL intfdata when probe fails

Marek Szyprowski <[email protected]>
usb: dwc2: gadget: don't reset gadget's driver->bus

Evan Green <[email protected]>
USB: hcd-pci: Fully suspend across freeze/thaw cycle

Duoming Zhou <[email protected]>
drivers: usb: host: Fix deadlock in oxu_bus_suspend()

Duoming Zhou <[email protected]>
drivers: tty: serial: Fix deadlock in sa1100_set_termios()

Zhen Ni <[email protected]>
USB: host: isp116x: check return value after calling platform_get_resource()

Duoming Zhou <[email protected]>
drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()

Duoming Zhou <[email protected]>
drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()

Huang Guobin <[email protected]>
tty: Fix a possible resource leak in icom_probe

Zheyu Ma <[email protected]>
tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()

Kees Cook <[email protected]>
lkdtm/usercopy: Expand size of "out of frame" object

Xiaoke Wang <[email protected]>
iio: dummy: iio_simple_dummy: check the return value of kstrdup()

Linus Torvalds <[email protected]>
drm: imx: fix compiler warning with gcc-12

Miaoqian Lin <[email protected]>
net: altera: Fix refcount leak in altera_tse_mdio_create

Willem de Bruijn <[email protected]>
ip_gre: test csum_start instead of transport header

Feras Daoud <[email protected]>
net/mlx5: Rearm the FW tracer after each tracer event

Masahiro Yamada <[email protected]>
net: ipv6: unexport __init-annotated seg6_hmac_init()

Masahiro Yamada <[email protected]>
net: xfrm: unexport __init-annotated xfrm4_protocol_init()

Masahiro Yamada <[email protected]>
net: mdio: unexport __init-annotated mdio_bus_init()

Chuck Lever <[email protected]>
SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()

Gal Pressman <[email protected]>
net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure

Eric Dumazet <[email protected]>
bpf, arm64: Clear prog->jited_len along prog->jited

Kuniyuki Iwashima <[email protected]>
af_unix: Fix a data-race in unix_dgram_peer_wake_me().

Miaoqian Lin <[email protected]>
ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe

Kinglong Mee <[email protected]>
xprtrdma: treat all calls not a bcall when bc_serv is NULL

Yang Yingliang <[email protected]>
video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()

Trond Myklebust <[email protected]>
NFSv4: Don't hold the layoutget locks across multiple RPC calls

Greg Ungerer <[email protected]>
m68knommu: fix undefined reference to `_init_sp'

Greg Ungerer <[email protected]>
m68knommu: set ZERO_PAGE() to the allocated zeroed page

Lucas Tanure <[email protected]>
i2c: cadence: Increase timeout per message if necessary

Mark-PK Tsai <[email protected]>
tracing: Avoid adding tracer option before update_tracer_options

Jun Miao <[email protected]>
tracing: Fix sleeping function called from invalid context on RT kernel

Gong Yuanjun <[email protected]>
mips: cpc: Fix refcount leak in mips_cpc_default_phys_base

Leo Yan <[email protected]>
perf c2c: Fix sorting in percent_rmt_hitm_cmp()

Hoang Le <[email protected]>
tipc: check attribute length for bearer name

David Howells <[email protected]>
afs: Fix infinite loop found by xfstest generic/676

Eric Dumazet <[email protected]>
tcp: tcp_rtx_synack() can be called from process context

Maxim Mikityanskiy <[email protected]>
net/mlx5e: Update netdev features after changing XDP state

Yu Xiao <[email protected]>
nfp: only report pause frame configuration for physical device

Zhihao Cheng <[email protected]>
ubi: ubi_create_volume: Fix use-after-free when volume creation failed

Baokun Li <[email protected]>
jffs2: fix memory leak in jffs2_do_fill_super

Alexander Lobakin <[email protected]>
modpost: fix removing numeric suffixes

Miaoqian Lin <[email protected]>
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register

Dan Carpenter <[email protected]>
net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()

Jann Horn <[email protected]>
s390/crypto: fix scatterwalk_unmap() callers in AES-GCM

Krzysztof Kozlowski <[email protected]>
clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value

Tony Lindgren <[email protected]>
bus: ti-sysc: Fix warnings for unbind for serial

Miaoqian Lin <[email protected]>
firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle

Ilpo Järvinen <[email protected]>
serial: stm32-usart: Correct CSIZE, bits, and parity

Ilpo Järvinen <[email protected]>
serial: st-asc: Sanitize CSIZE and correct PARENB for CS7

Ilpo Järvinen <[email protected]>
serial: sh-sci: Don't allow CS5-6

Ilpo Järvinen <[email protected]>
serial: txx9: Don't allow CS5-6

Ilpo Järvinen <[email protected]>
serial: digicolor-usart: Don't allow CS5-6

Ilpo Järvinen <[email protected]>
serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485

John Ogness <[email protected]>
serial: meson: acquire port->lock in startup()

Yang Yingliang <[email protected]>
rtc: mt6397: check return value after calling platform_get_resource()

Samuel Holland <[email protected]>
clocksource/drivers/riscv: Events are stopped during CPU suspend

Miaoqian Lin <[email protected]>
soc: rockchip: Fix refcount leak in rockchip_grf_init

Guilherme G. Piccoli <[email protected]>
coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier

Krzysztof Kozlowski <[email protected]>
rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails

Cixi Geng <[email protected]>
iio: adc: sc27xx: fix read big scale voltage not right

Zheng Yongjun <[email protected]>
usb: dwc3: pci: Fix pm_runtime_get_sync() error checking

Krzysztof Kozlowski <[email protected]>
rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value

Uwe Kleine-König <[email protected]>
pwm: lp3943: Fix duty calculation in case period was clamped

Miaoqian Lin <[email protected]>
usb: musb: Fix missing of_node_put() in omap2430_probe

Lin Ma <[email protected]>
USB: storage: karma: fix rio_karma_init return

Niels Dossche <[email protected]>
usb: usbip: add missing device lock on tweak configuration cmd

Hangyu Hua <[email protected]>
usb: usbip: fix a refcount leak in stub_probe()

Wang Weiyang <[email protected]>
tty: goldfish: Use tty_port_destroy() to destroy port

Jakob Koschel <[email protected]>
staging: greybus: codecs: fix type confusion of list iterator variable

Randy Dunlap <[email protected]>
pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards

Jia-Ju Bai <[email protected]>
md: bcache: check the return value of kzalloc() in detached_dev_do_request()

Maciej W. Rozycki <[email protected]>
MIPS: IP27: Remove incorrect `cpu_has_fpu' override

Xiao Yang <[email protected]>
RDMA/rxe: Generate a completion for unsupported/invalid opcode

Johan Hovold <[email protected]>
phy: qcom-qmp: fix reset-controller leak on probe errors

Tejun Heo <[email protected]>
blk-iolatency: Fix inflight count imbalances and IO hangs on offline

Dinh Nguyen <[email protected]>
dt-bindings: gpio: altera: correct interrupt-cells

Akira Yokosawa <[email protected]>
docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0

Johan Hovold <[email protected]>
phy: qcom-qmp: fix struct clk leak on probe errors

Kathiravan T <[email protected]>
arm64: dts: qcom: ipq8074: fix the sleep clock frequency

Xiaomeng Tong <[email protected]>
gma500: fix an incorrect NULL check on list iterator

Xiaomeng Tong <[email protected]>
carl9170: tx: fix an incorrect use of list iterator

Mark Brown <[email protected]>
ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control

Alexander Wetzel <[email protected]>
rtl818x: Prevent using not initialized queues

Mike Kravetz <[email protected]>
hugetlb: fix huge_pmd_unshare address update

Christophe de Dinechin <[email protected]>
nodemask.h: fix compilation error with GCC12

Xiaomeng Tong <[email protected]>
iommu/msm: Fix an incorrect NULL check on list iterator

Vincent Whitchurch <[email protected]>
um: Fix out-of-bounds read in LDT setup

Johannes Berg <[email protected]>
um: chan_user: Fix winch_tramp() return value

Felix Fietkau <[email protected]>
mac80211: upgrade passive scan to active scan on DFS channels after beacon rx

Max Filippov <[email protected]>
irqchip: irq-xtensa-mx: fix initial IRQ affinity

Pali Rohár <[email protected]>
irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x

Dennis Dalessandro <[email protected]>
RDMA/hfi1: Fix potential integer multiplication overflow errors

Nicolas Dufresne <[email protected]>
media: coda: Add more H264 levels for CODA960

Nicolas Dufresne <[email protected]>
media: coda: Fix reported H264 profile

Xiaomeng Tong <[email protected]>
md: fix an incorrect NULL check in md_reload_sb

Xiaomeng Tong <[email protected]>
md: fix an incorrect NULL check in does_sb_need_changing

Brian Norris <[email protected]>
drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX

Xiaomeng Tong <[email protected]>
drm/nouveau/clk: Fix an incorrect NULL check on list iterator

Dave Airlie <[email protected]>
drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.

Manivannan Sadhasivam <[email protected]>
scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled

Xiaomeng Tong <[email protected]>
scsi: dc395x: Fix a missing check on list iterator

Junxiao Bi via Ocfs2-devel <[email protected]>
ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock

Alexander Aring <[email protected]>
dlm: fix missing lkb refcount handling

Alexander Aring <[email protected]>
dlm: fix plock invalid read

Johan Hovold <[email protected]>
PCI: qcom: Fix unbalanced PHY init on probe errors

Johan Hovold <[email protected]>
PCI: qcom: Fix runtime PM imbalance on probe errors

Bjorn Helgaas <[email protected]>
PCI/PM: Fix bridge_d3_blacklist[] Elo i2 overwrite of Gigabyte X299

Keita Suzuki <[email protected]>
tracing: Fix potential double free in create_var_ref()

Jan Kara <[email protected]>
ext4: avoid cycles in directory h-tree

Jan Kara <[email protected]>
ext4: verify dir block before splitting it

Ye Bin <[email protected]>
ext4: fix bug_on in ext4_writepages

Ye Bin <[email protected]>
ext4: fix use-after-free in ext4_rename_dir_prepare

Pablo Neira Ayuso <[email protected]>
netfilter: nf_tables: disallow non-stateful expression in sets earlier

Zhihao Cheng <[email protected]>
fs-writeback: writeback_sb_inodes:Recalculate 'wrote' according skipped pages

Emmanuel Grumbach <[email protected]>
iwlwifi: mvm: fix assert 1F04 upon reconfig

Johannes Berg <[email protected]>
wifi: mac80211: fix use-after-free in chanctx code

Chao Yu <[email protected]>
f2fs: fix deadloop in foreground GC

Zhengjun Xing <[email protected]>
perf jevents: Fix event syntax error caused by ExtSel

Leo Yan <[email protected]>
perf c2c: Use stdio interface if slang is not supported

Joerg Roedel <[email protected]>
iommu/amd: Increase timeout waiting for GA log enablement

Amelie Delaunay <[email protected]>
dmaengine: stm32-mdma: remove GISR1 register

Miaoqian Lin <[email protected]>
video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup

Trond Myklebust <[email protected]>
NFSv4/pNFS: Do not fail I/O when we fail to allocate the pNFS layout

Nathan Chancellor <[email protected]>
i2c: at91: Initialize dma_buf in at91_twi_xfer()

Michael Walle <[email protected]>
i2c: at91: use dma safe buffers

Yong Wu <[email protected]>
iommu/mediatek: Add list_del in mtk_iommu_remove

Jakob Koschel <[email protected]>
f2fs: fix dereference of stale list iterator after loop body

Douglas Miller <[email protected]>
RDMA/hfi1: Prevent use of lock before it is initialized

Björn Ardö <[email protected]>
mailbox: forward the hrtimer if not queued and under a lock

Miaoqian Lin <[email protected]>
powerpc/fsl_rio: Fix refcount leak in fsl_rio_setup

Kajol Jain <[email protected]>
powerpc/perf: Fix the threshold compare group constraint for power9

Miaoqian Lin <[email protected]>
Input: sparcspkr - fix refcount leak in bbc_beep_probe

Qi Zheng <[email protected]>
tty: fix deadlock caused by calling printk() under tty_port->lock

Alexey Dobriyan <[email protected]>
proc: fix dentry/inode overinstantiating under /proc/${pid}/net

Randy Dunlap <[email protected]>
powerpc/4xx/cpm: Fix return value of __setup() handler

Randy Dunlap <[email protected]>
powerpc/idle: Fix return value of __setup() handler

Randy Dunlap <[email protected]>
powerpc/8xx: export 'cpm_setbrg' for modules

Muchun Song <[email protected]>
dax: fix cache flush on PMD-mapped pages

Miaohe Lin <[email protected]>
drivers/base/node.c: fix compaction sysfs file leak

Krzysztof Kozlowski <[email protected]>
pinctrl: mvebu: Fix irq_of_parse_and_map() return value

Cristian Marussi <[email protected]>
firmware: arm_scmi: Fix list protocols enumeration in the base protocol

Gustavo A. R. Silva <[email protected]>
scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac()

Lv Ruyi <[email protected]>
mfd: ipaq-micro: Fix error check return value of platform_get_irq()

Corentin Labbe <[email protected]>
crypto: marvell/cesa - ECB does not IV

Stefan Wahren <[email protected]>
ARM: dts: bcm2835-rpi-b: Fix GPIO line names

Phil Elwell <[email protected]>
ARM: dts: bcm2835-rpi-zero-w: Fix GPIO line name for Wifi/BT

Dan Carpenter <[email protected]>
PCI: rockchip: Fix find_first_zero_bit() limit

Dan Carpenter <[email protected]>
PCI: cadence: Fix find_first_zero_bit() limit

Miaoqian Lin <[email protected]>
soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc

Miaoqian Lin <[email protected]>
soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc

David Howells <[email protected]>
rxrpc: Don't try to resend the request if we're receiving the reply

David Howells <[email protected]>
rxrpc: Fix listen() setting the bar too high for the prealloc rings

Duoming Zhou <[email protected]>
NFC: hci: fix sleep in atomic context bugs in nfc_hci_hcp_message_tx

Yang Yingliang <[email protected]>
ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition()

Hangyu Hua <[email protected]>
drm: msm: fix possible memory leak in mdp5_crtc_cursor_set()

Eric Biggers <[email protected]>
ext4: reject the 'commit' option on ext2 filesystems

Eric Dumazet <[email protected]>
sctp: read sk->sk_bound_dev_if once in sctp_rcv()

Geert Uytterhoeven <[email protected]>
m68k: math-emu: Fix dependencies of math emulation support

Ying Hsu <[email protected]>
Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout

Michael Rodin <[email protected]>
media: vsp1: Fix offset calculation for plane cropping

Pavel Skripkin <[email protected]>
media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init

Miaoqian Lin <[email protected]>
media: exynos4-is: Change clk_disable to clk_disable_unprepare

Miaoqian Lin <[email protected]>
media: st-delta: Fix PM disable depth imbalance in delta_probe

Josh Poimboeuf <[email protected]>
scripts/faddr2line: Fix overlapping text section failures

Miaoqian Lin <[email protected]>
regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt

Miaoqian Lin <[email protected]>
ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe

Ravi Bangoria <[email protected]>
perf/amd/ibs: Use interrupt regs ip for stack unwinding

Xiaomeng Tong <[email protected]>
media: uvcvideo: Fix missing check to determine if element is found in list

Dan Carpenter <[email protected]>
drm/msm: return an error pointer in msm_gem_prime_get_sg_table()

Jessica Zhang <[email protected]>
drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected

Jessica Zhang <[email protected]>
drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected

Randy Dunlap <[email protected]>
x86/mm: Cleanup the control_va_addr_alignment() __setup handler

Krzysztof Kozlowski <[email protected]>
irqchip/aspeed-i2c-ic: Fix irq_of_parse_and_map() return value

Randy Dunlap <[email protected]>
x86: Fix return value of __setup handlers

Yang Yingliang <[email protected]>
drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()

Yang Yingliang <[email protected]>
drm/msm/hdmi: check return value after calling platform_get_resource_byname()

Dmitry Baryshkov <[email protected]>
drm/msm/dsi: fix error checks and return values for DSI xmit functions

Vinod Polimera <[email protected]>
drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume

Josh Poimboeuf <[email protected]>
x86/speculation: Add missing prototype for unpriv_ebpf_notify()

Matthieu Baerts <[email protected]>
x86/pm: Fix false positive kmemleak report in msr_build_context()

Kiwoong Kim <[email protected]>
scsi: ufs: core: Exclude UECxx from SFR dump list

Nuno Sá <[email protected]>
of: overlay: do not break notify on NOTIFY_{OK|STOP}

Amir Goldstein <[email protected]>
fsnotify: fix wrong lockdep annotations

Amir Goldstein <[email protected]>
inotify: show inotify mask flags in proc fdinfo

Dan Carpenter <[email protected]>
ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix

Zheng Yongjun <[email protected]>
spi: img-spfi: Fix pm_runtime_get_sync() error checking

Miaoqian Lin <[email protected]>
HID: elan: Fix potential double free in elan_input_configured

Jonathan Teh <[email protected]>
HID: hid-led: fix maximum brightness for Dream Cheeky

Jan Kiszka <[email protected]>
efi: Add missing prototype for efi_capsule_setup_info

Lin Ma <[email protected]>
NFC: NULL out the dev->rfkill to prevent UAF

Miaoqian Lin <[email protected]>
spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout

Johannes Berg <[email protected]>
nl80211: show SSID for P2P_GO interfaces

Maxime Ripard <[email protected]>
drm/vc4: txp: Force alpha to be 0xff if it's disabled

Maxime Ripard <[email protected]>
drm/vc4: txp: Don't set TXP_VSTART_AT_EOF

Miles Chen <[email protected]>
drm/mediatek: Fix mtk_cec_mask()

Ammar Faizi <[email protected]>
x86/delay: Fix the wrong asm constraint in delay_loop()

Miaoqian Lin <[email protected]>
ASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe

Miaoqian Lin <[email protected]>
ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe

Lucas Stach <[email protected]>
drm/bridge: adv7511: clean up CEC adapter when probe fails

Jani Nikula <[email protected]>
drm/edid: fix invalid EDID extension block filtering

Wenli Looi <[email protected]>
ath9k: fix ar9003_get_eepmisc

Linus Torvalds <[email protected]>
drm: fix EDID struct for old ARM OABI format

Douglas Miller <[email protected]>
RDMA/hfi1: Prevent panic when SDMA is disabled

Finn Thain <[email protected]>
macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled

Lv Ruyi <[email protected]>
powerpc/xics: fix refcount leak in icp_opal_init()

Vasily Averin <[email protected]>
tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate

Yicong Yang <[email protected]>
PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()

Peng Wu <[email protected]>
ARM: hisi: Add missing of_node_put after of_find_compatible_node

Krzysztof Kozlowski <[email protected]>
ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM

Peng Wu <[email protected]>
ARM: versatile: Add missing of_node_put in dcscb_init

OGAWA Hirofumi <[email protected]>
fat: add ratelimit to fat*_ent_bread()

Janusz Krzysztofik <[email protected]>
ARM: OMAP1: clock: Fix UART rate reporting algorithm

Zixuan Fu <[email protected]>
fs: jfs: fix possible NULL pointer dereference in dbFree()

Brian Norris <[email protected]>
PM / devfreq: rk3399_dmc: Disable edev on remove()

Krzysztof Kozlowski <[email protected]>
ARM: dts: ox820: align interrupt controller node name with dtschema

Jakub Kicinski <[email protected]>
eth: tg3: silence the GCC 12 array-bounds warning

David Howells <[email protected]>
rxrpc: Return an error to sendmsg if call failed

Guenter Roeck <[email protected]>
hwmon: Make chip parameter for with_info API mandatory

Kwanghoon Son <[email protected]>
media: exynos4-is: Fix compile warning

Fabio Estevam <[email protected]>
net: phy: micrel: Allow probing without .driver_data

Lin Ma <[email protected]>
ASoC: rt5645: Fix errorenous cleanup order

Smith, Kyle Miller (Nimble Kernel) <[email protected]>
nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags

Jason A. Donenfeld <[email protected]>
openrisc: start CPU timer early in boot

Hans Verkuil <[email protected]>
media: cec-adap.c: fix is_configuring state

Dongliang Mu <[email protected]>
rtlwifi: Use pr_warn instead of WARN_ONCE

Corey Minyard <[email protected]>
ipmi:ssif: Check for NULL msg when handling events and messages

Mikulas Patocka <[email protected]>
dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC

Heiko Carstens <[email protected]>
s390/preempt: disable __preempt_count_add() optimization for PROFILE_ALL_BRANCHES

Charles Keepax <[email protected]>
ASoC: tscs454: Add endianness flag in snd_soc_component_driver

Petr Machata <[email protected]>
mlxsw: spectrum_dcb: Do not warn about priority changes

Mark Brown <[email protected]>
ASoC: dapm: Don't fold register value changes into notifications

jianghaoran <[email protected]>
ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL

Evan Quan <[email protected]>
drm/amd/pm: fix the compile warning

Steven Price <[email protected]>
drm/plane: Move range check for format_count earlier

Lv Ruyi <[email protected]>
scsi: megaraid: Fix error check return value of register_chrdev()

Heming Zhao <[email protected]>
md/bitmap: don't set sb values if can't pass sanity check

Zheyu Ma <[email protected]>
media: cx25821: Fix the warning when removing the module

Zheyu Ma <[email protected]>
media: pci: cx23885: Fix the error handling in cx23885_initdev()

Luca Weiss <[email protected]>
media: venus: hfi: avoid null dereference in deinit

Thibaut VARÈNE <[email protected]>
ath9k: fix QCA9561 PA bias level

Keita Suzuki <[email protected]>
drm/amd/pm: fix double free in si_parse_power_table()

Amadeusz Sławiński <[email protected]>
ALSA: jack: Access input_dev under mutex

Kirill A. Shutemov <[email protected]>
ACPICA: Avoid cache flush inside virtual machines

Daniel Vetter <[email protected]>
fbcon: Consistently protect deferred_takeover with console_lock()

Niels Dossche <[email protected]>
ipv6: fix locking issues with loops over idev->addr_list

Haowen Bai <[email protected]>
ipw2x00: Fix potential NULL dereference in libipw_xmit()

Haowen Bai <[email protected]>
b43: Fix assigning negative value to unsigned variable

Haowen Bai <[email protected]>
b43legacy: Fix assigning negative value to unsigned variable

Niels Dossche <[email protected]>
mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue

Liu Zixian <[email protected]>
drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes

Qu Wenruo <[email protected]>
btrfs: repair super block num_devices automatically

Qu Wenruo <[email protected]>
btrfs: add "0x" prefix for unsupported optional features

Eric W. Biederman <[email protected]>
ptrace: Reimplement PTRACE_KILL by always sending SIGKILL

Eric W. Biederman <[email protected]>
ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP

Monish Kumar R <[email protected]>
USB: new quirk for Dell Gen 2 devices

Carl Yin(殷张成) <[email protected]>
USB: serial: option: add Quectel BG95 modem

Marios Levogiannis <[email protected]>
ALSA: hda/realtek - Fix microphone noise on ASUS TUF B550M-PLUS

Niklas Cassel <[email protected]>
binfmt_flat: do not stop relocating GOT entries prematurely on riscv


-------------

Diffstat:

Documentation/ABI/testing/sysfs-ata | 11 +-
Documentation/conf.py | 2 +-
.../devicetree/bindings/gpio/gpio-altera.txt | 5 +-
Documentation/hwmon/hwmon-kernel-api.txt | 2 +-
Makefile | 4 +-
arch/arm/boot/dts/bcm2835-rpi-b.dts | 13 +-
arch/arm/boot/dts/bcm2835-rpi-zero-w.dts | 22 +--
arch/arm/boot/dts/exynos5250-smdk5250.dts | 4 +-
arch/arm/boot/dts/ox820.dtsi | 2 +-
arch/arm/mach-hisi/platsmp.c | 4 +
arch/arm/mach-omap1/clock.c | 2 +-
arch/arm/mach-vexpress/dcscb.c | 1 +
arch/arm64/boot/dts/qcom/ipq8074.dtsi | 2 +-
arch/arm64/net/bpf_jit_comp.c | 1 +
arch/m68k/Kconfig.cpu | 2 +-
arch/m68k/Kconfig.machine | 1 +
arch/m68k/include/asm/pgtable_no.h | 3 +-
.../include/asm/mach-ip27/cpu-feature-overrides.h | 1 -
arch/mips/kernel/mips-cpc.c | 1 +
arch/openrisc/include/asm/timex.h | 1 +
arch/openrisc/kernel/head.S | 9 ++
arch/powerpc/kernel/idle.c | 2 +-
arch/powerpc/kernel/ptrace.c | 18 ++-
arch/powerpc/perf/isa207-common.c | 3 +-
arch/powerpc/platforms/4xx/cpm.c | 2 +-
arch/powerpc/sysdev/cpm1.c | 1 +
arch/powerpc/sysdev/fsl_rio.c | 2 +
arch/powerpc/sysdev/xics/icp-opal.c | 1 +
arch/s390/crypto/aes_s390.c | 4 +-
arch/s390/include/asm/preempt.h | 15 ++-
arch/um/drivers/chan_user.c | 9 +-
arch/x86/entry/vdso/vma.c | 2 +-
arch/x86/events/amd/ibs.c | 18 +++
arch/x86/include/asm/acenv.h | 14 +-
arch/x86/include/asm/suspend_32.h | 2 +-
arch/x86/include/asm/suspend_64.h | 12 +-
arch/x86/kernel/apic/apic.c | 2 +-
arch/x86/kernel/cpu/intel.c | 2 +-
arch/x86/kernel/step.c | 3 +-
arch/x86/kernel/sys_x86_64.c | 7 +-
arch/x86/lib/delay.c | 4 +-
arch/x86/mm/pat.c | 2 +-
arch/x86/um/ldt.c | 6 +-
arch/xtensa/kernel/ptrace.c | 4 +-
arch/xtensa/kernel/signal.c | 4 +-
block/blk-iolatency.c | 122 +++++++++--------
drivers/ata/libata-transport.c | 2 +-
drivers/ata/pata_octeon_cf.c | 3 +
drivers/base/node.c | 1 +
drivers/block/nbd.c | 37 +++--
drivers/bus/ti-sysc.c | 4 +-
drivers/char/ipmi/ipmi_ssif.c | 23 ++++
drivers/clocksource/riscv_timer.c | 2 +-
drivers/clocksource/timer-oxnas-rps.c | 2 +-
drivers/clocksource/timer-sp804.c | 10 +-
drivers/crypto/marvell/cipher.c | 1 -
drivers/devfreq/rk3399_dmc.c | 2 +
drivers/dma/stm32-mdma.c | 21 +--
drivers/extcon/extcon.c | 29 ++--
drivers/firmware/arm_scmi/base.c | 2 +-
drivers/firmware/dmi-sysfs.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +-
drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 14 +-
drivers/gpu/drm/amd/amdgpu/si_dpm.c | 8 +-
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 1 +
drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 13 +-
drivers/gpu/drm/drm_edid.c | 6 +-
drivers/gpu/drm/drm_plane.c | 14 +-
drivers/gpu/drm/gma500/psb_intel_display.c | 7 +-
drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
drivers/gpu/drm/mediatek/mtk_cec.c | 2 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 +-
drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 14 +-
drivers/gpu/drm/msm/disp/mdp5/mdp5_mixer.c | 15 ++-
drivers/gpu/drm/msm/disp/mdp5/mdp5_mixer.h | 4 +-
drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.c | 15 ++-
drivers/gpu/drm/msm/disp/mdp5/mdp5_pipe.h | 2 +-
drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 20 ++-
drivers/gpu/drm/msm/dsi/dsi_host.c | 21 ++-
drivers/gpu/drm/msm/hdmi/hdmi.c | 4 +
drivers/gpu/drm/msm/msm_gem_prime.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 6 +-
drivers/gpu/drm/radeon/radeon_connectors.c | 4 +
drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 2 +-
drivers/gpu/drm/vc4/vc4_txp.c | 8 +-
drivers/gpu/drm/virtio/virtgpu_display.c | 2 +
drivers/hid/hid-elan.c | 2 -
drivers/hid/hid-led.c | 2 +-
drivers/hwmon/hwmon.c | 16 +--
drivers/hwtracing/coresight/coresight-cpu-debug.c | 7 +-
drivers/i2c/busses/i2c-at91.c | 11 ++
drivers/i2c/busses/i2c-cadence.c | 12 +-
drivers/iio/adc/sc27xx_adc.c | 4 +-
drivers/iio/dummy/iio_simple_dummy.c | 20 +--
drivers/infiniband/hw/hfi1/file_ops.c | 2 +
drivers/infiniband/hw/hfi1/init.c | 2 +-
drivers/infiniband/hw/hfi1/sdma.c | 12 +-
drivers/infiniband/sw/rxe/rxe_req.c | 2 +-
drivers/input/misc/sparcspkr.c | 1 +
drivers/input/mouse/bcm5974.c | 7 +-
drivers/iommu/amd_iommu_init.c | 2 +-
drivers/iommu/msm_iommu.c | 11 +-
drivers/iommu/mtk_iommu.c | 3 +-
drivers/irqchip/irq-armada-370-xp.c | 11 +-
drivers/irqchip/irq-aspeed-i2c-ic.c | 4 +-
drivers/irqchip/irq-xtensa-mx.c | 18 ++-
drivers/macintosh/Kconfig | 4 +
drivers/macintosh/Makefile | 3 +-
drivers/macintosh/via-pmu.c | 2 +-
drivers/mailbox/mailbox.c | 19 ++-
drivers/md/bcache/request.c | 6 +
drivers/md/md-bitmap.c | 44 +++---
drivers/md/md.c | 33 +++--
drivers/md/raid0.c | 31 ++---
drivers/media/cec/cec-adap.c | 6 +-
drivers/media/pci/cx23885/cx23885-core.c | 6 +-
drivers/media/pci/cx25821/cx25821-core.c | 2 +-
drivers/media/platform/coda/coda-common.c | 15 ++-
drivers/media/platform/exynos4-is/fimc-is.c | 2 +-
drivers/media/platform/exynos4-is/fimc-isp-video.h | 2 +-
drivers/media/platform/qcom/venus/hfi.c | 3 +
drivers/media/platform/sti/delta/delta-v4l2.c | 6 +-
drivers/media/platform/vsp1/vsp1_rpf.c | 6 +-
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 7 +-
drivers/media/usb/uvc/uvc_v4l2.c | 20 +--
drivers/mfd/ipaq-micro.c | 2 +-
drivers/misc/cardreader/rtsx_usb.c | 1 +
drivers/misc/lkdtm/usercopy.c | 17 ++-
drivers/mmc/core/block.c | 3 +-
drivers/mtd/chips/cfi_cmdset_0002.c | 93 +++++++------
drivers/mtd/ubi/vmt.c | 1 -
drivers/net/dsa/mv88e6xxx/chip.c | 1 +
drivers/net/ethernet/altera/altera_tse_main.c | 6 +-
drivers/net/ethernet/broadcom/Makefile | 5 +
drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 8 +-
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +-
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 7 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +
drivers/net/ethernet/mellanox/mlxsw/spectrum_dcb.c | 13 --
.../net/ethernet/netronome/nfp/nfp_net_ethtool.c | 4 +-
drivers/net/phy/mdio_bus.c | 1 -
drivers/net/phy/micrel.c | 11 +-
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
drivers/net/wireless/ath/ath9k/ar9003_phy.h | 2 +-
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++
drivers/net/wireless/ath/carl9170/tx.c | 3 +
drivers/net/wireless/broadcom/b43/phy_n.c | 2 +-
drivers/net/wireless/broadcom/b43legacy/phy.c | 2 +-
drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/power.c | 3 +
drivers/net/wireless/marvell/mwifiex/11h.c | 2 +
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 8 +-
drivers/net/wireless/realtek/rtlwifi/usb.c | 2 +-
drivers/nfc/st21nfca/se.c | 32 ++++-
drivers/nfc/st21nfca/st21nfca.h | 1 +
drivers/nvme/host/pci.c | 1 +
drivers/of/overlay.c | 4 +-
drivers/pci/controller/dwc/pcie-qcom.c | 9 +-
drivers/pci/controller/pcie-cadence-ep.c | 3 +-
drivers/pci/controller/pcie-rockchip-ep.c | 3 +-
drivers/pci/pci.c | 12 +-
drivers/pcmcia/Kconfig | 2 +-
drivers/phy/qualcomm/phy-qcom-qmp.c | 11 +-
drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 2 +-
drivers/pwm/pwm-lp3943.c | 1 +
drivers/regulator/pfuze100-regulator.c | 2 +
drivers/rpmsg/qcom_smd.c | 4 +-
drivers/rtc/rtc-mt6397.c | 2 +
drivers/scsi/dc395x.c | 15 ++-
drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
drivers/scsi/megaraid.c | 2 +-
drivers/scsi/ufs/ufs-qcom.c | 7 +-
drivers/scsi/ufs/ufshcd.c | 7 +-
drivers/soc/qcom/smp2p.c | 1 +
drivers/soc/qcom/smsm.c | 1 +
drivers/soc/rockchip/grf.c | 2 +
drivers/spi/spi-img-spfi.c | 2 +-
drivers/spi/spi-ti-qspi.c | 5 +-
drivers/staging/greybus/audio_codec.c | 4 +-
drivers/staging/rtl8192e/rtllib_softmac.c | 2 +-
.../staging/rtl8192u/ieee80211/ieee80211_softmac.c | 2 +-
drivers/staging/rtl8712/usb_intf.c | 6 +-
drivers/tty/goldfish.c | 2 +
drivers/tty/serial/8250/8250_fintek.c | 8 +-
drivers/tty/serial/digicolor-usart.c | 2 +
drivers/tty/serial/icom.c | 2 +-
drivers/tty/serial/meson_uart.c | 13 ++
drivers/tty/serial/msm_serial.c | 5 +
drivers/tty/serial/sa1100.c | 4 +-
drivers/tty/serial/serial_txx9.c | 2 +
drivers/tty/serial/sh-sci.c | 6 +-
drivers/tty/serial/st-asc.c | 4 +
drivers/tty/serial/stm32-usart.c | 15 ++-
drivers/tty/synclink_gt.c | 2 +
drivers/tty/tty_buffer.c | 3 +-
drivers/usb/core/hcd-pci.c | 4 +-
drivers/usb/core/quirks.c | 3 +
drivers/usb/dwc2/gadget.c | 1 -
drivers/usb/dwc3/dwc3-pci.c | 2 +-
drivers/usb/host/isp116x-hcd.c | 6 +-
drivers/usb/host/oxu210hp-hcd.c | 2 +
drivers/usb/musb/omap2430.c | 1 +
drivers/usb/serial/option.c | 2 +
drivers/usb/storage/karma.c | 15 ++-
drivers/usb/usbip/stub_dev.c | 2 +-
drivers/usb/usbip/stub_rx.c | 2 +
drivers/vhost/vringh.c | 10 +-
drivers/video/fbdev/amba-clcd.c | 5 +-
drivers/video/fbdev/core/fbcon.c | 5 +-
drivers/video/fbdev/pxa3xx-gcu.c | 12 +-
fs/afs/dir.c | 5 +-
fs/binfmt_flat.c | 27 +++-
fs/btrfs/disk-io.c | 4 +-
fs/btrfs/volumes.c | 8 +-
fs/ceph/xattr.c | 10 +-
fs/cifs/smb2pdu.c | 3 +
fs/dax.c | 3 +-
fs/dlm/lock.c | 11 +-
fs/dlm/plock.c | 12 +-
fs/ext4/inline.c | 12 ++
fs/ext4/namei.c | 84 +++++++++---
fs/ext4/super.c | 1 +
fs/f2fs/segment.c | 9 +-
fs/f2fs/segment.h | 32 +++--
fs/fat/fatent.c | 7 +-
fs/fs-writeback.c | 13 +-
fs/jffs2/fs.c | 1 +
fs/jfs/jfs_dmap.c | 3 +-
fs/kernfs/dir.c | 31 +++--
fs/nfs/nfs4proc.c | 4 +
fs/nfs/pnfs.c | 2 +
fs/notify/fdinfo.c | 11 +-
fs/notify/inotify/inotify.h | 12 ++
fs/notify/inotify/inotify_user.c | 2 +-
fs/notify/mark.c | 6 +-
fs/ocfs2/dlmfs/userdlm.c | 16 ++-
fs/proc/generic.c | 3 +
fs/proc/proc_net.c | 3 +
include/drm/drm_edid.h | 6 +-
include/linux/bpf.h | 2 +
include/linux/efi.h | 2 +
include/linux/mailbox_controller.h | 1 +
include/linux/mtd/cfi.h | 1 +
include/linux/nodemask.h | 51 ++++---
include/linux/ptrace.h | 6 -
include/net/if_inet6.h | 8 ++
include/scsi/libfcoe.h | 3 +-
include/sound/jack.h | 1 +
include/trace/events/vmscan.h | 4 +-
kernel/dma/debug.c | 2 +-
kernel/ptrace.c | 5 +-
kernel/trace/trace.c | 13 +-
kernel/trace/trace_events_hist.c | 3 +
lib/nodemask.c | 4 +-
mm/hugetlb.c | 9 +-
net/bluetooth/sco.c | 21 +--
net/ipv4/ip_gre.c | 11 +-
net/ipv4/tcp_output.c | 4 +-
net/ipv4/xfrm4_protocol.c | 1 -
net/ipv6/addrconf.c | 33 ++++-
net/ipv6/seg6_hmac.c | 1 -
net/key/af_key.c | 10 +-
net/mac80211/chan.c | 7 +-
net/mac80211/ieee80211_i.h | 5 +
net/mac80211/scan.c | 20 +++
net/netfilter/nf_tables_api.c | 16 ++-
net/netfilter/nft_dynset.c | 3 -
net/nfc/core.c | 1 +
net/rxrpc/call_event.c | 3 +-
net/rxrpc/sendmsg.c | 6 +
net/rxrpc/sysctl.c | 4 +-
net/sctp/input.c | 4 +-
net/sunrpc/xdr.c | 6 +-
net/sunrpc/xprtrdma/rpc_rdma.c | 5 +
net/tipc/bearer.c | 3 +-
net/unix/af_unix.c | 2 +-
net/wireless/nl80211.c | 1 +
scripts/faddr2line | 150 +++++++++++++--------
scripts/mod/modpost.c | 5 +-
sound/core/jack.c | 34 ++++-
sound/pci/hda/patch_conexant.c | 7 +
sound/pci/hda/patch_realtek.c | 10 ++
sound/soc/codecs/rt5514.c | 2 +-
sound/soc/codecs/rt5645.c | 7 +-
sound/soc/codecs/tscs454.c | 12 +-
sound/soc/codecs/wm2000.c | 6 +-
sound/soc/mediatek/mt2701/mt2701-wm8960.c | 9 +-
sound/soc/mediatek/mt8173/mt8173-max98090.c | 5 +-
sound/soc/mxs/mxs-saif.c | 1 +
sound/soc/soc-dapm.c | 2 -
tools/perf/builtin-c2c.c | 10 +-
tools/perf/pmu-events/jevents.c | 2 +-
293 files changed, 1620 insertions(+), 824 deletions(-)



2022-06-13 15:29:16

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 162/287] drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX

From: Brian Norris <[email protected]>

commit 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f upstream.

If the display is not enable()d, then we aren't holding a runtime PM
reference here. Thus, it's easy to accidentally cause a hang, if user
space is poking around at /dev/drm_dp_aux0 at the "wrong" time.

Let's get a runtime PM reference, and check that we "see" the panel.
Don't force any panel power-up, etc., because that can be intrusive, and
that's not what other drivers do (see
drivers/gpu/drm/bridge/ti-sn65dsi86.c and
drivers/gpu/drm/bridge/parade-ps8640.c.)

Fixes: 0d97ad03f422 ("drm/bridge: analogix_dp: Remove duplicated code")
Cc: <[email protected]>
Cc: Tomeu Vizoso <[email protected]>
Signed-off-by: Brian Norris <[email protected]>
Reviewed-by: Douglas Anderson <[email protected]>
Signed-off-by: Douglas Anderson <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/20220301181107.v4.1.I773a08785666ebb236917b0c8e6c05e3de471e75@changeid
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
+++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
@@ -1514,8 +1514,19 @@ static ssize_t analogix_dpaux_transfer(s
struct drm_dp_aux_msg *msg)
{
struct analogix_dp_device *dp = to_dp(aux);
+ int ret;

- return analogix_dp_transfer(dp, msg);
+ pm_runtime_get_sync(dp->dev);
+
+ ret = analogix_dp_detect_hpd(dp);
+ if (ret)
+ goto out;
+
+ ret = analogix_dp_transfer(dp, msg);
+out:
+ pm_runtime_put(dp->dev);
+
+ return ret;
}

struct analogix_dp_device *


2022-06-13 15:29:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 072/287] HID: elan: Fix potential double free in elan_input_configured

From: Miaoqian Lin <[email protected]>

[ Upstream commit 1af20714fedad238362571620be0bd690ded05b6 ]

'input' is a managed resource allocated with devm_input_allocate_device(),
so there is no need to call input_free_device() explicitly or
there will be a double free.

According to the doc of devm_input_allocate_device():
* Managed input devices do not need to be explicitly unregistered or
* freed as it will be done automatically when owner device unbinds from
* its driver (or binding fails).

Fixes: b7429ea53d6c ("HID: elan: Fix memleak in elan_input_configured")
Fixes: 9a6a4193d65b ("HID: Add driver for USB ELAN Touchpad")
Signed-off-by: Miaoqian Lin <[email protected]>
Acked-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/hid/hid-elan.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/drivers/hid/hid-elan.c b/drivers/hid/hid-elan.c
index 7139227edb28..63077fb23026 100644
--- a/drivers/hid/hid-elan.c
+++ b/drivers/hid/hid-elan.c
@@ -192,7 +192,6 @@ static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
ret = input_mt_init_slots(input, ELAN_MAX_FINGERS, INPUT_MT_POINTER);
if (ret) {
hid_err(hdev, "Failed to init elan MT slots: %d\n", ret);
- input_free_device(input);
return ret;
}

@@ -204,7 +203,6 @@ static int elan_input_configured(struct hid_device *hdev, struct hid_input *hi)
hid_err(hdev, "Failed to register elan input device: %d\n",
ret);
input_mt_destroy_slots(input);
- input_free_device(input);
return ret;
}

--
2.35.1



2022-06-13 15:30:11

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 143/287] wifi: mac80211: fix use-after-free in chanctx code

From: Johannes Berg <[email protected]>

commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e upstream.

In ieee80211_vif_use_reserved_context(), when we have an
old context and the new context's replace_state is set to
IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
in ieee80211_vif_use_reserved_reassign(). Therefore, we
cannot check the old_ctx anymore, so we should set it to
NULL after this point.

However, since the new_ctx replace state is clearly not
IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
anything else in this function and can just return to
avoid accessing the freed old_ctx.

Cc: [email protected]
Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Link: https://lore.kernel.org/r/20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/mac80211/chan.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -1638,12 +1638,9 @@ int ieee80211_vif_use_reserved_context(s

if (new_ctx->replace_state == IEEE80211_CHANCTX_REPLACE_NONE) {
if (old_ctx)
- err = ieee80211_vif_use_reserved_reassign(sdata);
- else
- err = ieee80211_vif_use_reserved_assign(sdata);
+ return ieee80211_vif_use_reserved_reassign(sdata);

- if (err)
- return err;
+ return ieee80211_vif_use_reserved_assign(sdata);
}

/*


2022-06-13 15:30:33

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 073/287] spi: img-spfi: Fix pm_runtime_get_sync() error checking

From: Zheng Yongjun <[email protected]>

[ Upstream commit cc470d55343056d6b2a5c32e10e0aad06f324078 ]

If the device is already in a runtime PM enabled state
pm_runtime_get_sync() will return 1, so a test for negative
value should be used to check for errors.

Fixes: deba25800a12b ("spi: Add driver for IMG SPFI controller")
Signed-off-by: Zheng Yongjun <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/spi/spi-img-spfi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-img-spfi.c b/drivers/spi/spi-img-spfi.c
index 25a545c985d4..c63cceec6312 100644
--- a/drivers/spi/spi-img-spfi.c
+++ b/drivers/spi/spi-img-spfi.c
@@ -774,7 +774,7 @@ static int img_spfi_resume(struct device *dev)
int ret;

ret = pm_runtime_get_sync(dev);
- if (ret) {
+ if (ret < 0) {
pm_runtime_put_noidle(dev);
return ret;
}
--
2.35.1



2022-06-13 15:34:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 144/287] iwlwifi: mvm: fix assert 1F04 upon reconfig

From: Emmanuel Grumbach <[email protected]>

commit 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 upstream.

When we reconfig we must not send the MAC_POWER command that relates to
a MAC that was not yet added to the firmware.

Ignore those in the iterator.

Cc: [email protected]
Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Gregory Greenman <[email protected]>
Link: https://lore.kernel.org/r/20220517120044.ed2ffc8ce732.If786e19512d0da4334a6382ea6148703422c7d7b@changeid
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/net/wireless/intel/iwlwifi/mvm/power.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c
@@ -611,6 +611,9 @@ static void iwl_mvm_power_get_vifs_itera
struct iwl_power_vifs *power_iterator = _data;
bool active = mvmvif->phy_ctxt && mvmvif->phy_ctxt->id < NUM_PHY_CTX;

+ if (!mvmvif->uploaded)
+ return;
+
switch (ieee80211_vif_type_p2p(vif)) {
case NL80211_IFTYPE_P2P_DEVICE:
break;


2022-06-13 15:34:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 126/287] tty: fix deadlock caused by calling printk() under tty_port->lock

From: Qi Zheng <[email protected]>

[ Upstream commit 6b9dbedbe3499fef862c4dff5217cf91f34e43b3 ]

pty_write() invokes kmalloc() which may invoke a normal printk() to print
failure message. This can cause a deadlock in the scenario reported by
syz-bot below:

CPU0 CPU1 CPU2
---- ---- ----
lock(console_owner);
lock(&port_lock_key);
lock(&port->lock);
lock(&port_lock_key);
lock(&port->lock);
lock(console_owner);

As commit dbdda842fe96 ("printk: Add console owner and waiter logic to
load balance console writes") said, such deadlock can be prevented by
using printk_deferred() in kmalloc() (which is invoked in the section
guarded by the port->lock). But there are too many printk() on the
kmalloc() path, and kmalloc() can be called from anywhere, so changing
printk() to printk_deferred() is too complicated and inelegant.

Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so
that printk() will not be called, and this deadlock problem can be
avoided.

Syzbot reported the following lockdep error:

======================================================
WARNING: possible circular locking dependency detected
5.4.143-00237-g08ccc19a-dirty #10 Not tainted
------------------------------------------------------
syz-executor.4/29420 is trying to acquire lock:
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]
ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023

but task is already holding lock:
ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&port->lock){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
tty_port_tty_get drivers/tty/tty_port.c:288 [inline] <-- lock(&port->lock);
tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47
serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767
serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854
serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] <-- lock(&port_lock_key);
serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870
serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126
__handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156
[...]

-> #1 (&port_lock_key){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198
<-- lock(&port_lock_key);
call_console_drivers kernel/printk/printk.c:1819 [inline]
console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504
vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024 <-- lock(console_owner);
vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
printk+0xba/0xed kernel/printk/printk.c:2084
register_console+0x8b3/0xc10 kernel/printk/printk.c:2829
univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
console_init+0x49d/0x6d3 kernel/printk/printk.c:2915
start_kernel+0x5e9/0x879 init/main.c:713
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241

-> #0 (console_owner){....}-{0:0}:
[...]
lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734
console_trylock_spinning kernel/printk/printk.c:1773 [inline] <-- lock(console_owner);
vprintk_emit+0x307/0x470 kernel/printk/printk.c:2023
vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
printk+0xba/0xed kernel/printk/printk.c:2084
fail_dump lib/fault-inject.c:45 [inline]
should_fail+0x67b/0x7c0 lib/fault-inject.c:144
__should_failslab+0x152/0x1c0 mm/failslab.c:33
should_failslab+0x5/0x10 mm/slab_common.c:1224
slab_pre_alloc_hook mm/slab.h:468 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2807 [inline]
__kmalloc+0x72/0x300 mm/slub.c:3871
kmalloc include/linux/slab.h:582 [inline]
tty_buffer_alloc+0x23f/0x2a0 drivers/tty/tty_buffer.c:175
__tty_buffer_request_room+0x156/0x2a0 drivers/tty/tty_buffer.c:273
tty_insert_flip_string_fixed_flag+0x93/0x250 drivers/tty/tty_buffer.c:318
tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
pty_write+0x126/0x1f0 drivers/tty/pty.c:122 <-- lock(&port->lock);
n_tty_write+0xa7a/0xfc0 drivers/tty/n_tty.c:2356
do_tty_write drivers/tty/tty_io.c:961 [inline]
tty_write+0x512/0x930 drivers/tty/tty_io.c:1045
__vfs_write+0x76/0x100 fs/read_write.c:494
[...]

other info that might help us debug this:

Chain exists of:
console_owner --> &port_lock_key --> &port->lock

Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag")
Signed-off-by: Qi Zheng <[email protected]>
Acked-by: Jiri Slaby <[email protected]>
Acked-by: Greg Kroah-Hartman <[email protected]>
Cc: Akinobu Mita <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Cc: Steven Rostedt (Google) <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/tty/tty_buffer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
index 6b0cb633679d..dfe0c8c22cd3 100644
--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -167,7 +167,8 @@ static struct tty_buffer *tty_buffer_alloc(struct tty_port *port, size_t size)
have queued and recycle that ? */
if (atomic_read(&port->buf.mem_used) > port->buf.mem_limit)
return NULL;
- p = kmalloc(sizeof(struct tty_buffer) + 2 * size, GFP_ATOMIC);
+ p = kmalloc(sizeof(struct tty_buffer) + 2 * size,
+ GFP_ATOMIC | __GFP_NOWARN);
if (p == NULL)
return NULL;

--
2.35.1



2022-06-13 15:35:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 187/287] MIPS: IP27: Remove incorrect `cpu_has_fpu override

From: Maciej W. Rozycki <[email protected]>

commit 424c3781dd1cb401857585331eaaa425a13f2429 upstream.

Remove unsupported forcing of `cpu_has_fpu' to 1, which makes the `nofpu'
kernel parameter non-functional, and also causes a link error:

ld: arch/mips/kernel/traps.o: in function `trap_init':
./arch/mips/include/asm/msa.h:(.init.text+0x348): undefined reference to `handle_fpe'
ld: ./arch/mips/include/asm/msa.h:(.init.text+0x354): undefined reference to `handle_fpe'
ld: ./arch/mips/include/asm/msa.h:(.init.text+0x360): undefined reference to `handle_fpe'

where the CONFIG_MIPS_FP_SUPPORT configuration option has been disabled.

Signed-off-by: Maciej W. Rozycki <[email protected]>
Reported-by: Stephen Zhang <[email protected]>
Fixes: 0ebb2f4159af ("MIPS: IP27: Update/restructure CPU overrides")
Cc: [email protected] # v4.2+
Signed-off-by: Thomas Bogendoerfer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h | 1 -
1 file changed, 1 deletion(-)

--- a/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h
+++ b/arch/mips/include/asm/mach-ip27/cpu-feature-overrides.h
@@ -28,7 +28,6 @@
#define cpu_has_6k_cache 0
#define cpu_has_8k_cache 0
#define cpu_has_tx39_cache 0
-#define cpu_has_fpu 1
#define cpu_has_nofpuex 0
#define cpu_has_32fpr 1
#define cpu_has_counter 1


2022-06-13 15:35:42

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 118/287] firmware: arm_scmi: Fix list protocols enumeration in the base protocol

From: Cristian Marussi <[email protected]>

[ Upstream commit 8009120e0354a67068e920eb10dce532391361d0 ]

While enumerating protocols implemented by the SCMI platform using
BASE_DISCOVER_LIST_PROTOCOLS, the number of returned protocols is
currently validated in an improper way since the check employs a sum
between unsigned integers that could overflow and cause the check itself
to be silently bypassed if the returned value 'loop_num_ret' is big
enough.

Fix the validation avoiding the addition.

Link: https://lore.kernel.org/r/[email protected]
Fixes: b6f20ff8bd94 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
Signed-off-by: Cristian Marussi <[email protected]>
Signed-off-by: Sudeep Holla <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/firmware/arm_scmi/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
index 204390297f4b..95d892db0dff 100644
--- a/drivers/firmware/arm_scmi/base.c
+++ b/drivers/firmware/arm_scmi/base.c
@@ -164,7 +164,7 @@ static int scmi_base_implementation_list_get(const struct scmi_handle *handle,
break;

loop_num_ret = le32_to_cpu(*num_ret);
- if (tot_num_ret + loop_num_ret > MAX_PROTOCOLS_IMP) {
+ if (loop_num_ret > MAX_PROTOCOLS_IMP - tot_num_ret) {
dev_err(dev, "No. of Protocol > MAX_PROTOCOLS_IMP");
break;
}
--
2.35.1



2022-06-13 15:35:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 075/287] inotify: show inotify mask flags in proc fdinfo

From: Amir Goldstein <[email protected]>

[ Upstream commit a32e697cda27679a0327ae2cafdad8c7170f548f ]

The inotify mask flags IN_ONESHOT and IN_EXCL_UNLINK are not "internal
to kernel" and should be exposed in procfs fdinfo so CRIU can restore
them.

Fixes: 6933599697c9 ("inotify: hide internal kernel bits from fdinfo")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Amir Goldstein <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/notify/fdinfo.c | 11 ++---------
fs/notify/inotify/inotify.h | 12 ++++++++++++
fs/notify/inotify/inotify_user.c | 2 +-
3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/fs/notify/fdinfo.c b/fs/notify/fdinfo.c
index 86fcf5814279..74aeabbf0ea4 100644
--- a/fs/notify/fdinfo.c
+++ b/fs/notify/fdinfo.c
@@ -83,16 +83,9 @@ static void inotify_fdinfo(struct seq_file *m, struct fsnotify_mark *mark)
inode_mark = container_of(mark, struct inotify_inode_mark, fsn_mark);
inode = igrab(fsnotify_conn_inode(mark->connector));
if (inode) {
- /*
- * IN_ALL_EVENTS represents all of the mask bits
- * that we expose to userspace. There is at
- * least one bit (FS_EVENT_ON_CHILD) which is
- * used only internally to the kernel.
- */
- u32 mask = mark->mask & IN_ALL_EVENTS;
- seq_printf(m, "inotify wd:%x ino:%lx sdev:%x mask:%x ignored_mask:%x ",
+ seq_printf(m, "inotify wd:%x ino:%lx sdev:%x mask:%x ignored_mask:0 ",
inode_mark->wd, inode->i_ino, inode->i_sb->s_dev,
- mask, mark->ignored_mask);
+ inotify_mark_user_mask(mark));
show_mark_fhandle(m, inode);
seq_putc(m, '\n');
iput(inode);
diff --git a/fs/notify/inotify/inotify.h b/fs/notify/inotify/inotify.h
index 7e4578d35b61..5d94c00b1233 100644
--- a/fs/notify/inotify/inotify.h
+++ b/fs/notify/inotify/inotify.h
@@ -21,6 +21,18 @@ static inline struct inotify_event_info *INOTIFY_E(struct fsnotify_event *fse)
return container_of(fse, struct inotify_event_info, fse);
}

+/*
+ * INOTIFY_USER_FLAGS represents all of the mask bits that we expose to
+ * userspace. There is at least one bit (FS_EVENT_ON_CHILD) which is
+ * used only internally to the kernel.
+ */
+#define INOTIFY_USER_MASK (IN_ALL_EVENTS | IN_ONESHOT | IN_EXCL_UNLINK)
+
+static inline __u32 inotify_mark_user_mask(struct fsnotify_mark *fsn_mark)
+{
+ return fsn_mark->mask & INOTIFY_USER_MASK;
+}
+
extern void inotify_ignored_and_remove_idr(struct fsnotify_mark *fsn_mark,
struct fsnotify_group *group);
extern int inotify_handle_event(struct fsnotify_group *group,
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
index 97a51690338e..83d0b9356844 100644
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -96,7 +96,7 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);

/* mask off the flags used to open the fd */
- mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT | IN_EXCL_UNLINK));
+ mask |= (arg & INOTIFY_USER_MASK);

return mask;
}
--
2.35.1



2022-06-13 15:36:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 210/287] serial: st-asc: Sanitize CSIZE and correct PARENB for CS7

From: Ilpo Järvinen <[email protected]>

[ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ]

Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or
CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has
to have parity, thus add PARENB.

Incorrect CSIZE results in miscalculation of the frame bits in
tty_get_char_size() or in its predecessor where the roughly the same
code is directly within uart_update_timeout().

Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.)
Cc: Srinivas Kandagatla <[email protected]>
Signed-off-by: Ilpo Järvinen <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/tty/serial/st-asc.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/st-asc.c b/drivers/tty/serial/st-asc.c
index 7971997cdead..ce35e3a131b1 100644
--- a/drivers/tty/serial/st-asc.c
+++ b/drivers/tty/serial/st-asc.c
@@ -540,10 +540,14 @@ static void asc_set_termios(struct uart_port *port, struct ktermios *termios,
/* set character length */
if ((cflag & CSIZE) == CS7) {
ctrl_val |= ASC_CTL_MODE_7BIT_PAR;
+ cflag |= PARENB;
} else {
ctrl_val |= (cflag & PARENB) ? ASC_CTL_MODE_8BIT_PAR :
ASC_CTL_MODE_8BIT;
+ cflag &= ~CSIZE;
+ cflag |= CS8;
}
+ termios->c_cflag = cflag;

/* set stop bit */
ctrl_val |= (cflag & CSTOPB) ? ASC_CTL_STOP_2BIT : ASC_CTL_STOP_1BIT;
--
2.35.1



2022-06-13 15:36:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 082/287] drm/msm/dsi: fix error checks and return values for DSI xmit functions

From: Dmitry Baryshkov <[email protected]>

[ Upstream commit f0e7e9ed379c012c4d6b09a09b868accc426223c ]

As noticed by Dan ([1] an the followup thread) there are multiple issues
with the return values for MSM DSI command transmission callback. In
the error case it can easily return a positive value when it should
have returned a proper error code.

This commits attempts to fix these issues both in TX and in RX paths.

[1]: https://lore.kernel.org/linux-arm-msm/20211001123617.GH2283@kili/

Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Dmitry Baryshkov <[email protected]>
Reviewed-by: Abhinav Kumar <[email protected]>
Tested-by: Marijn Suijten <[email protected]>
Patchwork: https://patchwork.freedesktop.org/patch/480501/
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Dmitry Baryshkov <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/msm/dsi/dsi_host.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
index 9abfb19ea7ed..56cfa0a03fd5 100644
--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
+++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
@@ -1354,10 +1354,10 @@ static int dsi_cmds2buf_tx(struct msm_dsi_host *msm_host,
dsi_get_bpp(msm_host->format) / 8;

len = dsi_cmd_dma_add(msm_host, msg);
- if (!len) {
+ if (len < 0) {
pr_err("%s: failed to add cmd type = 0x%x\n",
__func__, msg->type);
- return -EINVAL;
+ return len;
}

/* for video mode, do not send cmds more than
@@ -1376,10 +1376,14 @@ static int dsi_cmds2buf_tx(struct msm_dsi_host *msm_host,
}

ret = dsi_cmd_dma_tx(msm_host, len);
- if (ret < len) {
- pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, len=%d\n",
- __func__, msg->type, (*(u8 *)(msg->tx_buf)), len);
- return -ECOMM;
+ if (ret < 0) {
+ pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, len=%d, ret=%d\n",
+ __func__, msg->type, (*(u8 *)(msg->tx_buf)), len, ret);
+ return ret;
+ } else if (ret < len) {
+ pr_err("%s: cmd dma tx failed, type=0x%x, data0=0x%x, ret=%d len=%d\n",
+ __func__, msg->type, (*(u8 *)(msg->tx_buf)), ret, len);
+ return -EIO;
}

return len;
@@ -2105,9 +2109,12 @@ int msm_dsi_host_cmd_rx(struct mipi_dsi_host *host,
}

ret = dsi_cmds2buf_tx(msm_host, msg);
- if (ret < msg->tx_len) {
+ if (ret < 0) {
pr_err("%s: Read cmd Tx failed, %d\n", __func__, ret);
return ret;
+ } else if (ret < msg->tx_len) {
+ pr_err("%s: Read cmd Tx failed, too short: %d\n", __func__, ret);
+ return -ECOMM;
}

/*
--
2.35.1



2022-06-13 15:37:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 056/287] RDMA/hfi1: Prevent panic when SDMA is disabled

From: Douglas Miller <[email protected]>

[ Upstream commit 629e052d0c98e46dde9f0824f0aa437f678d9b8f ]

If the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to
hfi1_write_iter() will dereference a NULL pointer and panic. A typical
stack frame is:

sdma_select_user_engine [hfi1]
hfi1_user_sdma_process_request [hfi1]
hfi1_write_iter [hfi1]
do_iter_readv_writev
do_iter_write
vfs_writev
do_writev
do_syscall_64

The fix is to test for SDMA in hfi1_write_iter() and fail the I/O with
EINVAL.

Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Douglas Miller <[email protected]>
Signed-off-by: Dennis Dalessandro <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/infiniband/hw/hfi1/file_ops.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c
index adeb259458de..64ee11542a56 100644
--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -308,6 +308,8 @@ static ssize_t hfi1_write_iter(struct kiocb *kiocb, struct iov_iter *from)
unsigned long dim = from->nr_segs;
int idx;

+ if (!HFI1_CAP_IS_KSET(SDMA))
+ return -EINVAL;
idx = srcu_read_lock(&fd->pq_srcu);
pq = srcu_dereference(fd->pq, &fd->pq_srcu);
if (!cq || !pq) {
--
2.35.1



2022-06-13 15:38:58

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 106/287] NFC: hci: fix sleep in atomic context bugs in nfc_hci_hcp_message_tx

From: Duoming Zhou <[email protected]>

[ Upstream commit b413b0cb008646e9f24ce5253cb3cf7ee217aff6 ]

There are sleep in atomic context bugs when the request to secure
element of st21nfca is timeout. The root cause is that kzalloc and
alloc_skb with GFP_KERNEL parameter and mutex_lock are called in
st21nfca_se_wt_timeout which is a timer handler. The call tree shows
the execution paths that could lead to bugs:

(Interrupt context)
st21nfca_se_wt_timeout
nfc_hci_send_event
nfc_hci_hcp_message_tx
kzalloc(..., GFP_KERNEL) //may sleep
alloc_skb(..., GFP_KERNEL) //may sleep
mutex_lock() //may sleep

This patch moves the operations that may sleep into a work item.
The work item will run in another kernel thread which is in
process context to execute the bottom half of the interrupt.
So it could prevent atomic context from sleeping.

Fixes: 2130fb97fecf ("NFC: st21nfca: Adding support for secure element")
Signed-off-by: Duoming Zhou <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/nfc/st21nfca/se.c | 17 ++++++++++++++---
drivers/nfc/st21nfca/st21nfca.h | 1 +
2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/nfc/st21nfca/se.c b/drivers/nfc/st21nfca/se.c
index ced3c20d6453..f69d2ed5a3e2 100644
--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -252,7 +252,7 @@ int st21nfca_hci_se_io(struct nfc_hci_dev *hdev, u32 se_idx,
}
EXPORT_SYMBOL(st21nfca_hci_se_io);

-static void st21nfca_se_wt_timeout(struct timer_list *t)
+static void st21nfca_se_wt_work(struct work_struct *work)
{
/*
* No answer from the secure element
@@ -265,8 +265,9 @@ static void st21nfca_se_wt_timeout(struct timer_list *t)
*/
/* hardware reset managed through VCC_UICC_OUT power supply */
u8 param = 0x01;
- struct st21nfca_hci_info *info = from_timer(info, t,
- se_info.bwi_timer);
+ struct st21nfca_hci_info *info = container_of(work,
+ struct st21nfca_hci_info,
+ se_info.timeout_work);

pr_debug("\n");

@@ -284,6 +285,13 @@ static void st21nfca_se_wt_timeout(struct timer_list *t)
info->se_info.cb(info->se_info.cb_context, NULL, 0, -ETIME);
}

+static void st21nfca_se_wt_timeout(struct timer_list *t)
+{
+ struct st21nfca_hci_info *info = from_timer(info, t, se_info.bwi_timer);
+
+ schedule_work(&info->se_info.timeout_work);
+}
+
static void st21nfca_se_activation_timeout(struct timer_list *t)
{
struct st21nfca_hci_info *info = from_timer(info, t,
@@ -376,6 +384,7 @@ int st21nfca_apdu_reader_event_received(struct nfc_hci_dev *hdev,
switch (event) {
case ST21NFCA_EVT_TRANSMIT_DATA:
del_timer_sync(&info->se_info.bwi_timer);
+ cancel_work_sync(&info->se_info.timeout_work);
info->se_info.bwi_active = false;
r = nfc_hci_send_event(hdev, ST21NFCA_DEVICE_MGNT_GATE,
ST21NFCA_EVT_SE_END_OF_APDU_TRANSFER, NULL, 0);
@@ -405,6 +414,7 @@ void st21nfca_se_init(struct nfc_hci_dev *hdev)
struct st21nfca_hci_info *info = nfc_hci_get_clientdata(hdev);

init_completion(&info->se_info.req_completion);
+ INIT_WORK(&info->se_info.timeout_work, st21nfca_se_wt_work);
/* initialize timers */
timer_setup(&info->se_info.bwi_timer, st21nfca_se_wt_timeout, 0);
info->se_info.bwi_active = false;
@@ -432,6 +442,7 @@ void st21nfca_se_deinit(struct nfc_hci_dev *hdev)
if (info->se_info.se_active)
del_timer_sync(&info->se_info.se_active_timer);

+ cancel_work_sync(&info->se_info.timeout_work);
info->se_info.bwi_active = false;
info->se_info.se_active = false;
}
diff --git a/drivers/nfc/st21nfca/st21nfca.h b/drivers/nfc/st21nfca/st21nfca.h
index 94ffb0501e87..7e2923ac9263 100644
--- a/drivers/nfc/st21nfca/st21nfca.h
+++ b/drivers/nfc/st21nfca/st21nfca.h
@@ -152,6 +152,7 @@ struct st21nfca_se_info {

se_io_cb_t cb;
void *cb_context;
+ struct work_struct timeout_work;
};

struct st21nfca_hci_info {
--
2.35.1



2022-06-13 15:42:26

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 153/287] PCI: qcom: Fix runtime PM imbalance on probe errors

From: Johan Hovold <[email protected]>

commit 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 upstream.

Drop the leftover pm_runtime_disable() calls from the late probe error
paths that would, for example, prevent runtime PM from being reenabled
after a probe deferral.

Link: https://lore.kernel.org/r/[email protected]
Fixes: 6e5da6f7d824 ("PCI: qcom: Fix error handling in runtime PM support")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Lorenzo Pieralisi <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Reviewed-by: Manivannan Sadhasivam <[email protected]>
Acked-by: Stanimir Varbanov <[email protected]>
Cc: [email protected] # 4.20
Cc: Bjorn Andersson <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/pci/controller/dwc/pcie-qcom.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
@@ -1331,17 +1331,14 @@ static int qcom_pcie_probe(struct platfo
}

ret = phy_init(pcie->phy);
- if (ret) {
- pm_runtime_disable(&pdev->dev);
+ if (ret)
goto err_pm_runtime_put;
- }

platform_set_drvdata(pdev, pcie);

ret = dw_pcie_host_init(pp);
if (ret) {
dev_err(dev, "cannot initialize host\n");
- pm_runtime_disable(&pdev->dev);
goto err_pm_runtime_put;
}



2022-06-13 15:42:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 131/287] RDMA/hfi1: Prevent use of lock before it is initialized

From: Douglas Miller <[email protected]>

[ Upstream commit 05c03dfd09c069c4ffd783b47b2da5dcc9421f2c ]

If there is a failure during probe of hfi1 before the sdma_map_lock is
initialized, the call to hfi1_free_devdata() will attempt to use a lock
that has not been initialized. If the locking correctness validator is on
then an INFO message and stack trace resembling the following may be seen:

INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
Call Trace:
register_lock_class+0x11b/0x880
__lock_acquire+0xf3/0x7930
lock_acquire+0xff/0x2d0
_raw_spin_lock_irq+0x46/0x60
sdma_clean+0x42a/0x660 [hfi1]
hfi1_free_devdata+0x3a7/0x420 [hfi1]
init_one+0x867/0x11a0 [hfi1]
pci_device_probe+0x40e/0x8d0

The use of sdma_map_lock in sdma_clean() is for freeing the sdma_map
memory, and sdma_map is not allocated/initialized until after
sdma_map_lock has been initialized. This code only needs to be run if
sdma_map is not NULL, and so checking for that condition will avoid trying
to use the lock before it is initialized.

Fixes: 473291b3ea0e ("IB/hfi1: Fix for early release of sdma context")
Fixes: 7724105686e7 ("IB/hfi1: add driver files")
Link: https://lore.kernel.org/r/[email protected]
Reported-by: Zheyu Ma <[email protected]>
Signed-off-by: Douglas Miller <[email protected]>
Signed-off-by: Dennis Dalessandro <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/infiniband/hw/hfi1/sdma.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
index 38258de75a94..33ff9eca28f6 100644
--- a/drivers/infiniband/hw/hfi1/sdma.c
+++ b/drivers/infiniband/hw/hfi1/sdma.c
@@ -1313,11 +1313,13 @@ void sdma_clean(struct hfi1_devdata *dd, size_t num_engines)
kvfree(sde->tx_ring);
sde->tx_ring = NULL;
}
- spin_lock_irq(&dd->sde_map_lock);
- sdma_map_free(rcu_access_pointer(dd->sdma_map));
- RCU_INIT_POINTER(dd->sdma_map, NULL);
- spin_unlock_irq(&dd->sde_map_lock);
- synchronize_rcu();
+ if (rcu_access_pointer(dd->sdma_map)) {
+ spin_lock_irq(&dd->sde_map_lock);
+ sdma_map_free(rcu_access_pointer(dd->sdma_map));
+ RCU_INIT_POINTER(dd->sdma_map, NULL);
+ spin_unlock_irq(&dd->sde_map_lock);
+ synchronize_rcu();
+ }
kfree(dd->per_sdma);
dd->per_sdma = NULL;

--
2.35.1



2022-06-13 15:43:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 197/287] rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value

From: Krzysztof Kozlowski <[email protected]>

[ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ]

The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.

Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Bjorn Andersson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/rpmsg/qcom_smd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
index aa008fa11002..6e09fccd2e87 100644
--- a/drivers/rpmsg/qcom_smd.c
+++ b/drivers/rpmsg/qcom_smd.c
@@ -1388,7 +1388,7 @@ static int qcom_smd_parse_edge(struct device *dev,
edge->name = node->name;

irq = irq_of_parse_and_map(node, 0);
- if (irq < 0) {
+ if (!irq) {
dev_err(dev, "required smd interrupt missing\n");
ret = irq;
goto put_node;
--
2.35.1



2022-06-13 15:45:13

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 241/287] net: mdio: unexport __init-annotated mdio_bus_init()

From: Masahiro Yamada <[email protected]>

[ Upstream commit 35b42dce619701f1300fb8498dae82c9bb1f0263 ]

EXPORT_SYMBOL and __init is a bad combination because the .init.text
section is freed up after the initialization. Hence, modules cannot
use symbols annotated __init. The access to a freed symbol may end up
with kernel panic.

modpost used to detect it, but it has been broken for a decade.

Recently, I fixed modpost so it started to warn it again, then this
showed up in linux-next builds.

There are two ways to fix it:

- Remove __init
- Remove EXPORT_SYMBOL

I chose the latter for this case because the only in-tree call-site,
drivers/net/phy/phy_device.c is never compiled as modular.
(CONFIG_PHYLIB is boolean)

Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs")
Reported-by: Stephen Rothwell <[email protected]>
Signed-off-by: Masahiro Yamada <[email protected]>
Reviewed-by: Florian Fainelli <[email protected]>
Reviewed-by: Russell King (Oracle) <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/phy/mdio_bus.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
index eaa890a6a5d2..efdac68da7f4 100644
--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -746,7 +746,6 @@ int __init mdio_bus_init(void)

return ret;
}
-EXPORT_SYMBOL_GPL(mdio_bus_init);

#if IS_ENABLED(CONFIG_PHYLIB)
void mdio_bus_exit(void)
--
2.35.1



2022-06-13 15:45:15

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 247/287] drm: imx: fix compiler warning with gcc-12

From: Linus Torvalds <[email protected]>

[ Upstream commit 7aefd8b53815274f3ef398d370a3c9b27dd9f00c ]

Gcc-12 correctly warned about this code using a non-NULL pointer as a
truth value:

drivers/gpu/drm/imx/ipuv3-crtc.c: In function ‘ipu_crtc_disable_planes’:
drivers/gpu/drm/imx/ipuv3-crtc.c:72:21: error: the comparison will always evaluate as ‘true’ for the address of ‘plane’ will never be NULL [-Werror=address]
72 | if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base)
| ^

due to the extraneous '&' address-of operator.

Philipp Zabel points out that The mistake had no adverse effect since
the following condition doesn't actually dereference the NULL pointer,
but the intent of the code was obviously to check for it, not to take
the address of the member.

Fixes: eb8c88808c83 ("drm/imx: add deferred plane disabling")
Acked-by: Philipp Zabel <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/imx/ipuv3-crtc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/imx/ipuv3-crtc.c b/drivers/gpu/drm/imx/ipuv3-crtc.c
index ff34f9bb55a1..824c90dca730 100644
--- a/drivers/gpu/drm/imx/ipuv3-crtc.c
+++ b/drivers/gpu/drm/imx/ipuv3-crtc.c
@@ -71,7 +71,7 @@ static void ipu_crtc_disable_planes(struct ipu_crtc *ipu_crtc,
drm_atomic_crtc_state_for_each_plane(plane, old_crtc_state) {
if (plane == &ipu_crtc->plane[0]->base)
disable_full = true;
- if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base)
+ if (ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base)
disable_partial = true;
}

--
2.35.1



2022-06-13 15:45:22

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 067/287] nl80211: show SSID for P2P_GO interfaces

From: Johannes Berg <[email protected]>

[ Upstream commit a75971bc2b8453630e9f85e0beaa4da8db8277a3 ]

There's no real reason not to send the SSID to userspace
when it requests information about P2P_GO, it is, in that
respect, exactly the same as AP interfaces. Fix that.

Fixes: 44905265bc15 ("nl80211: don't expose wdev->ssid for most interfaces")
Signed-off-by: Johannes Berg <[email protected]>
Link: https://lore.kernel.org/r/20220318134656.14354ae223f0.Ia25e85a512281b92e1645d4160766a4b1a471597@changeid
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
net/wireless/nl80211.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 2799ff117f5a..534f57363f4a 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2885,6 +2885,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
wdev_lock(wdev);
switch (wdev->iftype) {
case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
if (wdev->ssid_len &&
nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
goto nla_put_failure_locked;
--
2.35.1



2022-06-13 15:45:47

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 215/287] s390/crypto: fix scatterwalk_unmap() callers in AES-GCM

From: Jann Horn <[email protected]>

[ Upstream commit bd52cd5e23f134019b23f0c389db0f9a436e4576 ]

The argument of scatterwalk_unmap() is supposed to be the void* that was
returned by the previous scatterwalk_map() call.
The s390 AES-GCM implementation was instead passing the pointer to the
struct scatter_walk.

This doesn't actually break anything because scatterwalk_unmap() only uses
its argument under CONFIG_HIGHMEM and ARCH_HAS_FLUSH_ON_KUNMAP.

Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.")
Signed-off-by: Jann Horn <[email protected]>
Acked-by: Harald Freudenberger <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Heiko Carstens <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/s390/crypto/aes_s390.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
index 2bc189187ed4..c663caf37ba4 100644
--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -861,7 +861,7 @@ static inline void _gcm_sg_unmap_and_advance(struct gcm_sg_walk *gw,
unsigned int nbytes)
{
gw->walk_bytes_remain -= nbytes;
- scatterwalk_unmap(&gw->walk);
+ scatterwalk_unmap(gw->walk_ptr);
scatterwalk_advance(&gw->walk, nbytes);
scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain);
gw->walk_ptr = NULL;
@@ -936,7 +936,7 @@ static int gcm_out_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded)
goto out;
}

- scatterwalk_unmap(&gw->walk);
+ scatterwalk_unmap(gw->walk_ptr);
gw->walk_ptr = NULL;

gw->ptr = gw->buf;
--
2.35.1



2022-06-13 15:45:55

by Pavel Machek

[permalink] [raw]
Subject: Re: [PATCH 4.19 000/287] 4.19.247-rc1 review

Hi!

> This is the start of the stable review cycle for the 4.19.247 release.
> There are 287 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.19.y

Tested-by: Pavel Machek (CIP) <[email protected]>

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany


Attachments:
(No filename) (662.00 B)
signature.asc (201.00 B)
Download all attachments

2022-06-13 15:51:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 022/287] media: cx25821: Fix the warning when removing the module

From: Zheyu Ma <[email protected]>

[ Upstream commit 2203436a4d24302871617373a7eb21bc17e38762 ]

When removing the module, we will get the following warning:

[ 14.746697] remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'cx25821[1]'
[ 14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0
[ 14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0
[ 14.759589] Call Trace:
[ 14.759792] <TASK>
[ 14.759975] unregister_irq_proc+0x14c/0x170
[ 14.760340] irq_free_descs+0x94/0xe0
[ 14.760640] mp_unmap_irq+0xb6/0x100
[ 14.760937] acpi_unregister_gsi_ioapic+0x27/0x40
[ 14.761334] acpi_pci_irq_disable+0x1d3/0x320
[ 14.761688] pci_disable_device+0x1ad/0x380
[ 14.762027] ? _raw_spin_unlock_irqrestore+0x2d/0x60
[ 14.762442] ? cx25821_shutdown+0x20/0x9f0 [cx25821]
[ 14.762848] cx25821_finidev+0x48/0xc0 [cx25821]
[ 14.763242] pci_device_remove+0x92/0x240

Fix this by freeing the irq before call pci_disable_device().

Signed-off-by: Zheyu Ma <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/pci/cx25821/cx25821-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/pci/cx25821/cx25821-core.c b/drivers/media/pci/cx25821/cx25821-core.c
index e04fe9f17b7a..99359eaf8cdc 100644
--- a/drivers/media/pci/cx25821/cx25821-core.c
+++ b/drivers/media/pci/cx25821/cx25821-core.c
@@ -1350,11 +1350,11 @@ static void cx25821_finidev(struct pci_dev *pci_dev)
struct cx25821_dev *dev = get_cx25821(v4l2_dev);

cx25821_shutdown(dev);
- pci_disable_device(pci_dev);

/* unregister stuff */
if (pci_dev->irq)
free_irq(pci_dev->irq, dev);
+ pci_disable_device(pci_dev);

cx25821_dev_unregister(dev);
v4l2_device_unregister(v4l2_dev);
--
2.35.1



2022-06-13 15:52:12

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 013/287] ipw2x00: Fix potential NULL dereference in libipw_xmit()

From: Haowen Bai <[email protected]>

[ Upstream commit e8366bbabe1d207cf7c5b11ae50e223ae6fc278b ]

crypt and crypt->ops could be null, so we need to checking null
before dereference

Signed-off-by: Haowen Bai <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index 84205aa508df..daa4f9eb08ff 100644
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -397,7 +397,7 @@ netdev_tx_t libipw_xmit(struct sk_buff *skb, struct net_device *dev)

/* Each fragment may need to have room for encryption
* pre/postfix */
- if (host_encrypt)
+ if (host_encrypt && crypt && crypt->ops)
bytes_per_frag -= crypt->ops->extra_mpdu_prefix_len +
crypt->ops->extra_mpdu_postfix_len;

--
2.35.1



2022-06-13 15:52:23

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 165/287] media: coda: Fix reported H264 profile

From: Nicolas Dufresne <[email protected]>

commit 7110c08ea71953a7fc342f0b76046f72442cf26c upstream.

The CODA960 manual states that ASO/FMO features of baseline are not
supported, so for this reason this driver should only report
constrained baseline support.

This fixes negotiation issue with constrained baseline content
on GStreamer 1.17.1.

ASO/FMO features are unsupported for the encoder and untested for the
decoder because there is currently no userspace support. Neither GStreamer
parsers nor FFMPEG parsers support ASO/FMO.

Cc: [email protected]
Fixes: 42a68012e67c2 ("media: coda: add read-only h.264 decoder profile/level controls")
Signed-off-by: Nicolas Dufresne <[email protected]>
Signed-off-by: Ezequiel Garcia <[email protected]>
Tested-by: Pascal Speck <[email protected]>
Signed-off-by: Fabio Estevam <[email protected]>
Reviewed-by: Philipp Zabel <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/media/platform/coda/coda-common.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/media/platform/coda/coda-common.c
+++ b/drivers/media/platform/coda/coda-common.c
@@ -1894,8 +1894,8 @@ static void coda_encode_ctrls(struct cod
0x0, V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_ENABLED);
v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
V4L2_CID_MPEG_VIDEO_H264_PROFILE,
- V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE, 0x0,
- V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE);
+ V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE, 0x0,
+ V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE);
if (ctx->dev->devtype->product == CODA_HX4 ||
ctx->dev->devtype->product == CODA_7541) {
v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
@@ -1977,7 +1977,7 @@ static void coda_decode_ctrls(struct cod
ctx->h264_profile_ctrl = v4l2_ctrl_new_std_menu(&ctx->ctrls,
&coda_ctrl_ops, V4L2_CID_MPEG_VIDEO_H264_PROFILE,
V4L2_MPEG_VIDEO_H264_PROFILE_HIGH,
- ~((1 << V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE) |
+ ~((1 << V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE) |
(1 << V4L2_MPEG_VIDEO_H264_PROFILE_MAIN) |
(1 << V4L2_MPEG_VIDEO_H264_PROFILE_HIGH)),
V4L2_MPEG_VIDEO_H264_PROFILE_HIGH);


2022-06-13 16:02:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 037/287] nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags

From: Smith, Kyle Miller (Nimble Kernel) <[email protected]>

[ Upstream commit da42761181627e9bdc37d18368b827948a583929 ]

In nvme_alloc_admin_tags, the admin_q can be set to an error (typically
-ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which
is checked immediately after the call. However, when we return the error
message up the stack, to nvme_reset_work the error takes us to
nvme_remove_dead_ctrl()
nvme_dev_disable()
nvme_suspend_queue(&dev->queues[0]).

Here, we only check that the admin_q is non-NULL, rather than not
an error or NULL, and begin quiescing a queue that never existed, leading
to bad / NULL pointer dereference.

Signed-off-by: Kyle Smith <[email protected]>
Reviewed-by: Chaitanya Kulkarni <[email protected]>
Reviewed-by: Hannes Reinecke <[email protected]>
Signed-off-by: Christoph Hellwig <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/nvme/host/pci.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index d7cf3202cdd3..b06d2b6bd3fe 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1522,6 +1522,7 @@ static int nvme_alloc_admin_tags(struct nvme_dev *dev)
dev->ctrl.admin_q = blk_mq_init_queue(&dev->admin_tagset);
if (IS_ERR(dev->ctrl.admin_q)) {
blk_mq_free_tag_set(&dev->admin_tagset);
+ dev->ctrl.admin_q = NULL;
return -ENOMEM;
}
if (!blk_get_queue(dev->ctrl.admin_q)) {
--
2.35.1



2022-06-13 16:05:52

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 280/287] nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling

From: Martin Faltesek <[email protected]>

commit 996419e0594abb311fb958553809f24f38e7abbe upstream.

Error paths do not free previously allocated memory. Add devm_kfree() to
those failure paths.

Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
Cc: [email protected]
Signed-off-by: Martin Faltesek <[email protected]>
Reviewed-by: Guenter Roeck <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/nfc/st21nfca/se.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/nfc/st21nfca/se.c
+++ b/drivers/nfc/st21nfca/se.c
@@ -342,22 +342,29 @@ int st21nfca_connectivity_event_received
transaction->aid_len = skb->data[1];

/* Checking if the length of the AID is valid */
- if (transaction->aid_len > sizeof(transaction->aid))
+ if (transaction->aid_len > sizeof(transaction->aid)) {
+ devm_kfree(dev, transaction);
return -EINVAL;
+ }

memcpy(transaction->aid, &skb->data[2],
transaction->aid_len);

/* Check next byte is PARAMETERS tag (82) */
if (skb->data[transaction->aid_len + 2] !=
- NFC_EVT_TRANSACTION_PARAMS_TAG)
+ NFC_EVT_TRANSACTION_PARAMS_TAG) {
+ devm_kfree(dev, transaction);
return -EPROTO;
+ }

transaction->params_len = skb->data[transaction->aid_len + 3];

/* Total size is allocated (skb->len - 2) minus fixed array members */
- if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
+ if (transaction->params_len > ((skb->len - 2) -
+ sizeof(struct nfc_evt_transaction))) {
+ devm_kfree(dev, transaction);
return -EINVAL;
+ }

memcpy(transaction->params, skb->data +
transaction->aid_len + 4, transaction->params_len);


2022-06-13 16:10:19

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 011/287] b43legacy: Fix assigning negative value to unsigned variable

From: Haowen Bai <[email protected]>

[ Upstream commit 3f6b867559b3d43a7ce1b4799b755e812fc0d503 ]

fix warning reported by smatch:
drivers/net/wireless/broadcom/b43legacy/phy.c:1181 b43legacy_phy_lo_b_measure()
warn: assigning (-772) to unsigned variable 'fval'

Signed-off-by: Haowen Bai <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/wireless/broadcom/b43legacy/phy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43legacy/phy.c b/drivers/net/wireless/broadcom/b43legacy/phy.c
index 995c7d0c212a..11ee5ee48976 100644
--- a/drivers/net/wireless/broadcom/b43legacy/phy.c
+++ b/drivers/net/wireless/broadcom/b43legacy/phy.c
@@ -1148,7 +1148,7 @@ void b43legacy_phy_lo_b_measure(struct b43legacy_wldev *dev)
struct b43legacy_phy *phy = &dev->phy;
u16 regstack[12] = { 0 };
u16 mls;
- u16 fval;
+ s16 fval;
int i;
int j;

--
2.35.1



2022-06-13 16:12:52

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 077/287] of: overlay: do not break notify on NOTIFY_{OK|STOP}

From: Nuno Sá <[email protected]>

[ Upstream commit 5f756a2eaa4436d7d3dc1e040147f5e992ae34b5 ]

We should not break overlay notifications on NOTIFY_{OK|STOP}
otherwise we might break on the first fragment. We should only stop
notifications if a *real* errno is returned by one of the listeners.

Fixes: a1d19bd4cf1fe ("of: overlay: pr_err from return NOTIFY_OK to overlay apply/remove")
Signed-off-by: Nuno Sá <[email protected]>
Signed-off-by: Rob Herring <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/of/overlay.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
index a77bfeac867d..fef5b6c2fae2 100644
--- a/drivers/of/overlay.c
+++ b/drivers/of/overlay.c
@@ -170,9 +170,7 @@ static int overlay_notify(struct overlay_changeset *ovcs,

ret = blocking_notifier_call_chain(&overlay_notify_chain,
action, &nd);
- if (ret == NOTIFY_OK || ret == NOTIFY_STOP)
- return 0;
- if (ret) {
+ if (notifier_to_errno(ret)) {
ret = notifier_to_errno(ret);
pr_err("overlay changeset %s notifier error %d, target: %pOF\n",
of_overlay_action_name[action], ret, nd.target);
--
2.35.1



2022-06-13 16:13:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 286/287] mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write

From: Tokunori Ikegami <[email protected]>

commit 083084df578a8bdb18334f69e7b32d690aaa3247 upstream.

This is a preparation patch for the S29GL064N buffer writes fix. There
is no functional change.

Link: https://lore.kernel.org/r/[email protected]/
Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
Signed-off-by: Tokunori Ikegami <[email protected]>
Cc: [email protected]
Acked-by: Vignesh Raghavendra <[email protected]>
Signed-off-by: Miquel Raynal <[email protected]>
Link: https://lore.kernel.org/linux-mtd/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/mtd/chips/cfi_cmdset_0002.c | 77 ++++++++++++++----------------------
1 file changed, 32 insertions(+), 45 deletions(-)

--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -731,50 +731,34 @@ static struct mtd_info *cfi_amdstd_setup
}

/*
- * Return true if the chip is ready.
+ * Return true if the chip is ready and has the correct value.
*
* Ready is one of: read mode, query mode, erase-suspend-read mode (in any
* non-suspended sector) and is indicated by no toggle bits toggling.
*
+ * Error are indicated by toggling bits or bits held with the wrong value,
+ * or with bits toggling.
+ *
* Note that anything more complicated than checking if no bits are toggling
* (including checking DQ5 for an error status) is tricky to get working
* correctly and is therefore not done (particularly with interleaved chips
* as each chip must be checked independently of the others).
*/
-static int __xipram chip_ready(struct map_info *map, unsigned long addr)
+static int __xipram chip_ready(struct map_info *map, unsigned long addr,
+ map_word *expected)
{
map_word d, t;
+ int ret;

d = map_read(map, addr);
t = map_read(map, addr);

- return map_word_equal(map, d, t);
-}
+ ret = map_word_equal(map, d, t);

-/*
- * Return true if the chip is ready and has the correct value.
- *
- * Ready is one of: read mode, query mode, erase-suspend-read mode (in any
- * non-suspended sector) and it is indicated by no bits toggling.
- *
- * Error are indicated by toggling bits or bits held with the wrong value,
- * or with bits toggling.
- *
- * Note that anything more complicated than checking if no bits are toggling
- * (including checking DQ5 for an error status) is tricky to get working
- * correctly and is therefore not done (particularly with interleaved chips
- * as each chip must be checked independently of the others).
- *
- */
-static int __xipram chip_good(struct map_info *map, unsigned long addr, map_word expected)
-{
- map_word oldd, curd;
-
- oldd = map_read(map, addr);
- curd = map_read(map, addr);
+ if (!ret || !expected)
+ return ret;

- return map_word_equal(map, oldd, curd) &&
- map_word_equal(map, curd, expected);
+ return map_word_equal(map, t, *expected);
}

static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr, int mode)
@@ -791,7 +775,7 @@ static int get_chip(struct map_info *map

case FL_STATUS:
for (;;) {
- if (chip_ready(map, adr))
+ if (chip_ready(map, adr, NULL))
break;

if (time_after(jiffies, timeo)) {
@@ -829,7 +813,7 @@ static int get_chip(struct map_info *map
chip->state = FL_ERASE_SUSPENDING;
chip->erase_suspended = 1;
for (;;) {
- if (chip_ready(map, adr))
+ if (chip_ready(map, adr, NULL))
break;

if (time_after(jiffies, timeo)) {
@@ -1360,7 +1344,7 @@ static int do_otp_lock(struct map_info *
/* wait for chip to become ready */
timeo = jiffies + msecs_to_jiffies(2);
for (;;) {
- if (chip_ready(map, adr))
+ if (chip_ready(map, adr, NULL))
break;

if (time_after(jiffies, timeo)) {
@@ -1627,10 +1611,11 @@ static int __xipram do_write_oneword(str
}

/*
- * We check "time_after" and "!chip_good" before checking
- * "chip_good" to avoid the failure due to scheduling.
+ * We check "time_after" and "!chip_ready" before checking
+ * "chip_ready" to avoid the failure due to scheduling.
*/
- if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) {
+ if (time_after(jiffies, timeo) &&
+ !chip_ready(map, adr, &datum)) {
xip_enable(map, chip, adr);
printk(KERN_WARNING "MTD %s(): software timeout\n", __func__);
xip_disable(map, chip, adr);
@@ -1638,7 +1623,7 @@ static int __xipram do_write_oneword(str
break;
}

- if (chip_good(map, adr, datum))
+ if (chip_ready(map, adr, &datum))
break;

/* Latency issues. Drop the lock, wait a while and retry */
@@ -1882,13 +1867,13 @@ static int __xipram do_write_buffer(stru
}

/*
- * We check "time_after" and "!chip_good" before checking "chip_good" to avoid
- * the failure due to scheduling.
+ * We check "time_after" and "!chip_ready" before checking
+ * "chip_ready" to avoid the failure due to scheduling.
*/
- if (time_after(jiffies, timeo) && !chip_good(map, adr, datum))
+ if (time_after(jiffies, timeo) && !chip_ready(map, adr, &datum))
break;

- if (chip_good(map, adr, datum)) {
+ if (chip_ready(map, adr, &datum)) {
xip_enable(map, chip, adr);
goto op_done;
}
@@ -2022,7 +2007,7 @@ static int cfi_amdstd_panic_wait(struct
* If the driver thinks the chip is idle, and no toggle bits
* are changing, then the chip is actually idle for sure.
*/
- if (chip->state == FL_READY && chip_ready(map, adr))
+ if (chip->state == FL_READY && chip_ready(map, adr, NULL))
return 0;

/*
@@ -2039,7 +2024,7 @@ static int cfi_amdstd_panic_wait(struct

/* wait for the chip to become ready */
for (i = 0; i < jiffies_to_usecs(timeo); i++) {
- if (chip_ready(map, adr))
+ if (chip_ready(map, adr, NULL))
return 0;

udelay(1);
@@ -2103,13 +2088,13 @@ retry:
map_write(map, datum, adr);

for (i = 0; i < jiffies_to_usecs(uWriteTimeout); i++) {
- if (chip_ready(map, adr))
+ if (chip_ready(map, adr, NULL))
break;

udelay(1);
}

- if (!chip_good(map, adr, datum)) {
+ if (!chip_ready(map, adr, &datum)) {
/* reset on all failures. */
map_write(map, CMD(0xF0), chip->start);
/* FIXME - should have reset delay before continuing */
@@ -2250,6 +2235,7 @@ static int __xipram do_erase_chip(struct
DECLARE_WAITQUEUE(wait, current);
int ret = 0;
int retry_cnt = 0;
+ map_word datum = map_word_ff(map);

adr = cfi->addr_unlock1;

@@ -2304,7 +2290,7 @@ static int __xipram do_erase_chip(struct
chip->erase_suspended = 0;
}

- if (chip_good(map, adr, map_word_ff(map)))
+ if (chip_ready(map, adr, &datum))
break;

if (time_after(jiffies, timeo)) {
@@ -2346,6 +2332,7 @@ static int __xipram do_erase_oneblock(st
DECLARE_WAITQUEUE(wait, current);
int ret = 0;
int retry_cnt = 0;
+ map_word datum = map_word_ff(map);

adr += chip->start;

@@ -2400,7 +2387,7 @@ static int __xipram do_erase_oneblock(st
chip->erase_suspended = 0;
}

- if (chip_good(map, adr, map_word_ff(map)))
+ if (chip_ready(map, adr, &datum))
break;

if (time_after(jiffies, timeo)) {
@@ -2593,7 +2580,7 @@ static int __maybe_unused do_ppb_xxlock(
*/
timeo = jiffies + msecs_to_jiffies(2000); /* 2s max (un)locking */
for (;;) {
- if (chip_ready(map, adr))
+ if (chip_ready(map, adr, NULL))
break;

if (time_after(jiffies, timeo)) {


2022-06-13 16:14:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 192/287] usb: usbip: fix a refcount leak in stub_probe()

From: Hangyu Hua <[email protected]>

[ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ]

usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
after that, usb_put_dev() needs to be called to release the reference.

Fix this by moving usb_put_dev() to sdev_free error path handling.

Find this by code review.

Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
Reviewed-by: Shuah Khan <[email protected]>
Signed-off-by: Hangyu Hua <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/usb/usbip/stub_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
index 0081c1073b08..c64964c32cc9 100644
--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -427,7 +427,6 @@ static int stub_probe(struct usb_device *udev)
(struct usb_dev_state *) udev);
err_port:
dev_set_drvdata(&udev->dev, NULL);
- usb_put_dev(udev);

/* we already have busid_priv, just lock busid_lock */
spin_lock(&busid_priv->busid_lock);
@@ -442,6 +441,7 @@ static int stub_probe(struct usb_device *udev)
put_busid_priv(busid_priv);

sdev_free:
+ usb_put_dev(udev);
stub_device_free(sdev);

return rc;
--
2.35.1



2022-06-13 16:15:18

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 002/287] ALSA: hda/realtek - Fix microphone noise on ASUS TUF B550M-PLUS

From: Marios Levogiannis <[email protected]>

commit 9bfa7b36343c7d84370bc61c9ed774635b05e4eb upstream.

Set microphone pins 0x18 (rear) and 0x19 (front) to VREF_50 to fix the
microphone noise on ASUS TUF B550M-PLUS which uses the ALCS1200A codec.
The initial value was VREF_80.

The same issue is also present on Windows using both the default Windows
driver and all tested Realtek drivers before version 6.0.9049.1. Comparing
Realtek driver 6.0.9049.1 (the first one without the microphone noise) to
Realtek driver 6.0.9047.1 (the last one with the microphone noise)
revealed that the fix is the result of setting pins 0x18 and 0x19 to
VREF_50.

This fix may also work for other boards that have been reported to have
the same microphone issue and use the ALC1150 and ALCS1200A codecs, since
these codecs are similar and the fix in the Realtek driver on Windows is
common for both. However, it is currently enabled only for ASUS TUF
B550M-PLUS as this is the only board that could be tested.

Signed-off-by: Marios Levogiannis <[email protected]>
Cc: <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
sound/pci/hda/patch_realtek.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -1916,6 +1916,7 @@ enum {
ALC1220_FIXUP_CLEVO_PB51ED_PINS,
ALC887_FIXUP_ASUS_AUDIO,
ALC887_FIXUP_ASUS_HMIC,
+ ALCS1200A_FIXUP_MIC_VREF,
};

static void alc889_fixup_coef(struct hda_codec *codec,
@@ -2461,6 +2462,14 @@ static const struct hda_fixup alc882_fix
.chained = true,
.chain_id = ALC887_FIXUP_ASUS_AUDIO,
},
+ [ALCS1200A_FIXUP_MIC_VREF] = {
+ .type = HDA_FIXUP_PINCTLS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x18, PIN_VREF50 }, /* rear mic */
+ { 0x19, PIN_VREF50 }, /* front mic */
+ {}
+ }
+ },
};

static const struct snd_pci_quirk alc882_fixup_tbl[] = {
@@ -2498,6 +2507,7 @@ static const struct snd_pci_quirk alc882
SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
+ SND_PCI_QUIRK(0x1043, 0x8797, "ASUS TUF B550M-PLUS", ALCS1200A_FIXUP_MIC_VREF),
SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP),
SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP),
SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT),


2022-06-13 16:16:05

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 264/287] kernfs: Separate kernfs_pr_cont_buf and rename_lock.

From: Hao Luo <[email protected]>

[ Upstream commit 1a702dc88e150487c9c173a249b3d236498b9183 ]

Previously the protection of kernfs_pr_cont_buf was piggy backed by
rename_lock, which means that pr_cont() needs to be protected under
rename_lock. This can cause potential circular lock dependencies.

If there is an OOM, we have the following call hierarchy:

-> cpuset_print_current_mems_allowed()
-> pr_cont_cgroup_name()
-> pr_cont_kernfs_name()

pr_cont_kernfs_name() will grab rename_lock and call printk. So we have
the following lock dependencies:

kernfs_rename_lock -> console_sem

Sometimes, printk does a wakeup before releasing console_sem, which has
the dependence chain:

console_sem -> p->pi_lock -> rq->lock

Now, imagine one wants to read cgroup_name under rq->lock, for example,
printing cgroup_name in a tracepoint in the scheduler code. They will
be holding rq->lock and take rename_lock:

rq->lock -> kernfs_rename_lock

Now they will deadlock.

A prevention to this circular lock dependency is to separate the
protection of pr_cont_buf from rename_lock. In principle, rename_lock
is to protect the integrity of cgroup name when copying to buf. Once
pr_cont_buf has got its content, rename_lock can be dropped. So it's
safe to drop rename_lock after kernfs_name_locked (and
kernfs_path_from_node_locked) and rely on a dedicated pr_cont_lock
to protect pr_cont_buf.

Acked-by: Tejun Heo <[email protected]>
Signed-off-by: Hao Luo <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/kernfs/dir.c | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index a4a538abcaf9..99627d3438e5 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -20,7 +20,15 @@

DEFINE_MUTEX(kernfs_mutex);
static DEFINE_SPINLOCK(kernfs_rename_lock); /* kn->parent and ->name */
-static char kernfs_pr_cont_buf[PATH_MAX]; /* protected by rename_lock */
+/*
+ * Don't use rename_lock to piggy back on pr_cont_buf. We don't want to
+ * call pr_cont() while holding rename_lock. Because sometimes pr_cont()
+ * will perform wakeups when releasing console_sem. Holding rename_lock
+ * will introduce deadlock if the scheduler reads the kernfs_name in the
+ * wakeup path.
+ */
+static DEFINE_SPINLOCK(kernfs_pr_cont_lock);
+static char kernfs_pr_cont_buf[PATH_MAX]; /* protected by pr_cont_lock */
static DEFINE_SPINLOCK(kernfs_idr_lock); /* root->ino_idr */

#define rb_to_kn(X) rb_entry((X), struct kernfs_node, rb)
@@ -229,12 +237,12 @@ void pr_cont_kernfs_name(struct kernfs_node *kn)
{
unsigned long flags;

- spin_lock_irqsave(&kernfs_rename_lock, flags);
+ spin_lock_irqsave(&kernfs_pr_cont_lock, flags);

- kernfs_name_locked(kn, kernfs_pr_cont_buf, sizeof(kernfs_pr_cont_buf));
+ kernfs_name(kn, kernfs_pr_cont_buf, sizeof(kernfs_pr_cont_buf));
pr_cont("%s", kernfs_pr_cont_buf);

- spin_unlock_irqrestore(&kernfs_rename_lock, flags);
+ spin_unlock_irqrestore(&kernfs_pr_cont_lock, flags);
}

/**
@@ -248,10 +256,10 @@ void pr_cont_kernfs_path(struct kernfs_node *kn)
unsigned long flags;
int sz;

- spin_lock_irqsave(&kernfs_rename_lock, flags);
+ spin_lock_irqsave(&kernfs_pr_cont_lock, flags);

- sz = kernfs_path_from_node_locked(kn, NULL, kernfs_pr_cont_buf,
- sizeof(kernfs_pr_cont_buf));
+ sz = kernfs_path_from_node(kn, NULL, kernfs_pr_cont_buf,
+ sizeof(kernfs_pr_cont_buf));
if (sz < 0) {
pr_cont("(error)");
goto out;
@@ -265,7 +273,7 @@ void pr_cont_kernfs_path(struct kernfs_node *kn)
pr_cont("%s", kernfs_pr_cont_buf);

out:
- spin_unlock_irqrestore(&kernfs_rename_lock, flags);
+ spin_unlock_irqrestore(&kernfs_pr_cont_lock, flags);
}

/**
@@ -867,13 +875,12 @@ static struct kernfs_node *kernfs_walk_ns(struct kernfs_node *parent,

lockdep_assert_held(&kernfs_mutex);

- /* grab kernfs_rename_lock to piggy back on kernfs_pr_cont_buf */
- spin_lock_irq(&kernfs_rename_lock);
+ spin_lock_irq(&kernfs_pr_cont_lock);

len = strlcpy(kernfs_pr_cont_buf, path, sizeof(kernfs_pr_cont_buf));

if (len >= sizeof(kernfs_pr_cont_buf)) {
- spin_unlock_irq(&kernfs_rename_lock);
+ spin_unlock_irq(&kernfs_pr_cont_lock);
return NULL;
}

@@ -885,7 +892,7 @@ static struct kernfs_node *kernfs_walk_ns(struct kernfs_node *parent,
parent = kernfs_find_ns(parent, name, ns);
}

- spin_unlock_irq(&kernfs_rename_lock);
+ spin_unlock_irq(&kernfs_pr_cont_lock);

return parent;
}
--
2.35.1



2022-06-13 16:22:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 114/287] ARM: dts: bcm2835-rpi-b: Fix GPIO line names

From: Stefan Wahren <[email protected]>

[ Upstream commit 97bd8659c1c46c23e4daea7e040befca30939950 ]

Recently this has been fixed in the vendor tree, so upstream this.

Fixes: 731b26a6ac17 ("ARM: bcm2835: Add names for the Raspberry Pi GPIO lines")
Signed-off-by: Phil Elwell <[email protected]>
Signed-off-by: Stefan Wahren <[email protected]>
Signed-off-by: Florian Fainelli <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/arm/boot/dts/bcm2835-rpi-b.dts | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/arch/arm/boot/dts/bcm2835-rpi-b.dts b/arch/arm/boot/dts/bcm2835-rpi-b.dts
index 31ff602e2cd3..6bac18d7c070 100644
--- a/arch/arm/boot/dts/bcm2835-rpi-b.dts
+++ b/arch/arm/boot/dts/bcm2835-rpi-b.dts
@@ -48,18 +48,17 @@
"GPIO18",
"NC", /* GPIO19 */
"NC", /* GPIO20 */
- "GPIO21",
+ "CAM_GPIO0",
"GPIO22",
"GPIO23",
"GPIO24",
"GPIO25",
"NC", /* GPIO26 */
- "CAM_GPIO0",
- /* Binary number representing build/revision */
- "CONFIG0",
- "CONFIG1",
- "CONFIG2",
- "CONFIG3",
+ "GPIO27",
+ "GPIO28",
+ "GPIO29",
+ "GPIO30",
+ "GPIO31",
"NC", /* GPIO32 */
"NC", /* GPIO33 */
"NC", /* GPIO34 */
--
2.35.1



2022-06-13 16:26:57

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 040/287] media: exynos4-is: Fix compile warning

From: Kwanghoon Son <[email protected]>

[ Upstream commit e080f5c1f2b6d02c02ee5d674e0e392ccf63bbaf ]

Declare static on function 'fimc_isp_video_device_unregister'.

When VIDEO_EXYNOS4_ISP_DMA_CAPTURE=n, compiler warns about
warning: no previous prototype for function [-Wmissing-prototypes]

Reported-by: kernel test robot <[email protected]>
Signed-off-by: Kwanghoon Son <[email protected]>
Signed-off-by: Sakari Ailus <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/platform/exynos4-is/fimc-isp-video.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.h b/drivers/media/platform/exynos4-is/fimc-isp-video.h
index f79a1b348aa6..67ef85249912 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp-video.h
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.h
@@ -35,7 +35,7 @@ static inline int fimc_isp_video_device_register(struct fimc_isp *isp,
return 0;
}

-void fimc_isp_video_device_unregister(struct fimc_isp *isp,
+static inline void fimc_isp_video_device_unregister(struct fimc_isp *isp,
enum v4l2_buf_type type)
{
}
--
2.35.1



2022-06-13 16:27:54

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 057/287] drm: fix EDID struct for old ARM OABI format

From: Linus Torvalds <[email protected]>

[ Upstream commit 47f15561b69e226bfc034e94ff6dbec51a4662af ]

When building the kernel for arm with the "-mabi=apcs-gnu" option, gcc
will force alignment of all structures and unions to a word boundary
(see also STRUCTURE_SIZE_BOUNDARY and the "-mstructure-size-boundary=XX"
option if you're a gcc person), even when the members of said structures
do not want or need said alignment.

This completely messes up the structure alignment of 'struct edid' on
those targets, because even though all the embedded structures are
marked with "__attribute__((packed))", the unions that contain them are
not.

This was exposed by commit f1e4c916f97f ("drm/edid: add EDID block count
and size helpers"), but the bug is pre-existing. That commit just made
the structure layout problem cause a build failure due to the addition
of the

BUILD_BUG_ON(sizeof(*edid) != EDID_LENGTH);

sanity check in drivers/gpu/drm/drm_edid.c:edid_block_data().

This legacy union alignment should probably not be used in the first
place, but we can fix the layout by adding the packed attribute to the
union entries even when each member is already packed and it shouldn't
matter in a sane build environment.

You can see this issue with a trivial test program:

union {
struct {
char c[5];
};
struct {
char d;
unsigned e;
} __attribute__((packed));
} a = { "1234" };

where building this with a normal "gcc -S" will result in the expected
5-byte size of said union:

.type a, @object
.size a, 5

but with an ARM compiler and the old ABI:

arm-linux-gnu-gcc -mabi=apcs-gnu -mfloat-abi=soft -S t.c

you get

.type a, %object
.size a, 8

instead, because even though each member of the union is packed, the
union itself still gets aligned.

This was reported by Sudip for the spear3xx_defconfig target.

Link: https://lore.kernel.org/lkml/YpCUzStDnSgQLNFN@debian/
Reported-by: Sudip Mukherjee <[email protected]>
Acked-by: Arnd Bergmann <[email protected]>
Cc: Maarten Lankhorst <[email protected]>
Cc: Maxime Ripard <[email protected]>
Cc: Thomas Zimmermann <[email protected]>
Cc: David Airlie <[email protected]>
Cc: Daniel Vetter <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
include/drm/drm_edid.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/drm/drm_edid.h b/include/drm/drm_edid.h
index 53be104aab5c..8b9678bffe7b 100644
--- a/include/drm/drm_edid.h
+++ b/include/drm/drm_edid.h
@@ -115,7 +115,7 @@ struct detailed_data_monitor_range {
u8 supported_scalings;
u8 preferred_refresh;
} __attribute__((packed)) cvt;
- } formula;
+ } __attribute__((packed)) formula;
} __attribute__((packed));

struct detailed_data_wpindex {
@@ -148,7 +148,7 @@ struct detailed_non_pixel {
struct detailed_data_wpindex color;
struct std_timing timings[6];
struct cvt_timing cvt[4];
- } data;
+ } __attribute__((packed)) data;
} __attribute__((packed));

#define EDID_DETAIL_EST_TIMINGS 0xf7
@@ -166,7 +166,7 @@ struct detailed_timing {
union {
struct detailed_pixel_timing pixel_data;
struct detailed_non_pixel other_data;
- } data;
+ } __attribute__((packed)) data;
} __attribute__((packed));

#define DRM_EDID_INPUT_SERRATION_VSYNC (1 << 0)
--
2.35.1



2022-06-13 16:31:24

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 139/287] iommu/amd: Increase timeout waiting for GA log enablement

From: Joerg Roedel <[email protected]>

[ Upstream commit 42bb5aa043382f09bef2cc33b8431be867c70f8e ]

On some systems it can take a long time for the hardware to enable the
GA log of the AMD IOMMU. The current wait time is only 0.1ms, but
testing showed that it can take up to 14ms for the GA log to enter
running state after it has been enabled.

Sometimes the long delay happens when booting the system, sometimes
only on resume. Adjust the timeout accordingly to not print a warning
when hardware takes a longer than usual.

There has already been an attempt to fix this with commit

9b45a7738eec ("iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()")

But that commit was based on some wrong math and did not fix the issue
in all cases.

Cc: "D. Ziegfeld" <[email protected]>
Cc: Jörg-Volker Peetz <[email protected]>
Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log")
Signed-off-by: Joerg Roedel <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/iommu/amd_iommu_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
index 76ae6968801e..1c61cd0b1d55 100644
--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -90,7 +90,7 @@
#define ACPI_DEVFLAG_LINT1 0x80
#define ACPI_DEVFLAG_ATSDIS 0x10000000

-#define LOOP_TIMEOUT 100000
+#define LOOP_TIMEOUT 2000000
/*
* ACPI table definitions
*
--
2.35.1



2022-06-13 16:32:26

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 198/287] usb: dwc3: pci: Fix pm_runtime_get_sync() error checking

From: Zheng Yongjun <[email protected]>

[ Upstream commit a03e2ddab8e735e2cc315609b297b300e9cc60d2 ]

If the device is already in a runtime PM enabled state
pm_runtime_get_sync() will return 1, so a test for negative
value should be used to check for errors.

Fixes: 8eed00b237a28 ("usb: dwc3: pci: Runtime resume child device from wq")
Signed-off-by: Zheng Yongjun <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/usb/dwc3/dwc3-pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index ad2cb08b440f..527938eee846 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -205,7 +205,7 @@ static void dwc3_pci_resume_work(struct work_struct *work)
int ret;

ret = pm_runtime_get_sync(&dwc3->dev);
- if (ret) {
+ if (ret < 0) {
pm_runtime_put_sync_autosuspend(&dwc3->dev);
return;
}
--
2.35.1



2022-06-13 16:33:05

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 250/287] tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()

From: Zheyu Ma <[email protected]>

[ Upstream commit 689ca31c542687709ba21ec2195c1fbce34fd029 ]

When the driver fails at alloc_hdlcdev(), and then we remove the driver
module, we will get the following splat:

[ 25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI
[ 25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]
[ 25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0
[ 25.077709] Call Trace:
[ 25.077924] <TASK>
[ 25.078108] unregister_hdlc_device+0x16/0x30
[ 25.078481] slgt_cleanup+0x157/0x9f0 [synclink_gt]

Fix this by checking whether the 'info->netdev' is a null pointer first.

Reviewed-by: Jiri Slaby <[email protected]>
Signed-off-by: Zheyu Ma <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/tty/synclink_gt.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
index afe34beec720..11c62fcd67f2 100644
--- a/drivers/tty/synclink_gt.c
+++ b/drivers/tty/synclink_gt.c
@@ -1753,6 +1753,8 @@ static int hdlcdev_init(struct slgt_info *info)
*/
static void hdlcdev_exit(struct slgt_info *info)
{
+ if (!info->netdev)
+ return;
unregister_hdlc_device(info->netdev);
free_netdev(info->netdev);
info->netdev = NULL;
--
2.35.1



2022-06-13 16:33:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 092/287] perf/amd/ibs: Use interrupt regs ip for stack unwinding

From: Ravi Bangoria <[email protected]>

[ Upstream commit 3d47083b9ff46863e8374ad3bb5edb5e464c75f8 ]

IbsOpRip is recorded when IBS interrupt is triggered. But there is
a skid from the time IBS interrupt gets triggered to the time the
interrupt is presented to the core. Meanwhile processor would have
moved ahead and thus IbsOpRip will be inconsistent with rsp and rbp
recorded as part of the interrupt regs. This causes issues while
unwinding stack using the ORC unwinder as it needs consistent rip,
rsp and rbp. Fix this by using rip from interrupt regs instead of
IbsOpRip for stack unwinding.

Fixes: ee9f8fce99640 ("x86/unwind: Add the ORC unwinder")
Reported-by: Dmitry Monakhov <[email protected]>
Suggested-by: Peter Zijlstra <[email protected]>
Signed-off-by: Ravi Bangoria <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/events/amd/ibs.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index 2d9e1372b070..d157d0adef06 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -324,6 +324,16 @@ static int perf_ibs_init(struct perf_event *event)
hwc->config_base = perf_ibs->msr;
hwc->config = config;

+ /*
+ * rip recorded by IbsOpRip will not be consistent with rsp and rbp
+ * recorded as part of interrupt regs. Thus we need to use rip from
+ * interrupt regs while unwinding call stack. Setting _EARLY flag
+ * makes sure we unwind call-stack before perf sample rip is set to
+ * IbsOpRip.
+ */
+ if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN)
+ event->attr.sample_type |= __PERF_SAMPLE_CALLCHAIN_EARLY;
+
return 0;
}

@@ -693,6 +703,14 @@ static int perf_ibs_handle_irq(struct perf_ibs *perf_ibs, struct pt_regs *iregs)
data.raw = &raw;
}

+ /*
+ * rip recorded by IbsOpRip will not be consistent with rsp and rbp
+ * recorded as part of interrupt regs. Thus we need to use rip from
+ * interrupt regs while unwinding call stack.
+ */
+ if (event->attr.sample_type & PERF_SAMPLE_CALLCHAIN)
+ data.callchain = perf_callchain(event, iregs);
+
throttle = perf_event_overflow(event, &data, &regs);
out:
if (throttle) {
--
2.35.1



2022-06-13 16:35:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 4.19 201/287] coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier

From: Guilherme G. Piccoli <[email protected]>

[ Upstream commit 1adff542d67a2ed1120955cb219bfff8a9c53f59 ]

The panic notifier infrastructure executes registered callbacks when
a panic event happens - such callbacks are executed in atomic context,
with interrupts and preemption disabled in the running CPU and all other
CPUs disabled. That said, mutexes in such context are not a good idea.

This patch replaces a regular mutex with a mutex_trylock safer approach;
given the nature of the mutex used in the driver, it should be pretty
uncommon being unable to acquire such mutex in the panic path, hence
no functional change should be observed (and if it is, that would be
likely a deadlock with the regular mutex).

Fixes: 2227b7c74634 ("coresight: add support for CPU debug module")
Cc: Leo Yan <[email protected]>
Cc: Mathieu Poirier <[email protected]>
Cc: Mike Leach <[email protected]>
Cc: Suzuki K Poulose <[email protected]>
Signed-off-by: Guilherme G. Piccoli <[email protected]>
Reviewed-by: Suzuki K Poulose <[email protected]>
Signed-off-by: Suzuki K Poulose <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/hwtracing/coresight/coresight-cpu-debug.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
index e8819d750938..a4eba09691b4 100644
--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
+++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
@@ -379,9 +379,10 @@ static int debug_notifier_call(struct notifier_block *self,
int cpu;
struct debug_drvdata *drvdata;

- mutex_lock(&debug_lock);
+ /* Bail out if we can't acquire the mutex or the functionality is off */
+ if (!mutex_trylock(&debug_lock))
+ return NOTIFY_DONE;

- /* Bail out if the functionality is disabled */
if (!debug_enable)
goto skip_dump;

@@ -400,7 +401,7 @@ static int debug_notifier_call(struct notifier_block *self,

skip_dump:
mutex_unlock(&debug_lock);
- return 0;
+ return NOTIFY_DONE;
}

static struct notifier_block debug_notifier = {
--
2.35.1



2022-06-14 00:12:49

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 4.19 000/287] 4.19.247-rc1 review

On Mon, Jun 13, 2022 at 12:07:04PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.247 release.
> There are 287 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 425 pass: 425 fail: 0

Tested-by: Guenter Roeck <[email protected]>

Guenter

2022-06-14 03:48:30

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH 4.19 000/287] 4.19.247-rc1 review

On 6/13/22 4:07 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.247 release.
> There are 287 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.247-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2022-06-14 06:47:20

by Naresh Kamboju

[permalink] [raw]
Subject: Re: [PATCH 4.19 000/287] 4.19.247-rc1 review

On Mon, 13 Jun 2022 at 16:17, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 4.19.247 release.
> There are 287 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.247-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <[email protected]>

## Build
* kernel: 4.19.247-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-4.19.y
* git commit: cbdd85f3a5c93a3948c77f3d3016506b65276ca5
* git describe: v4.19.246-288-gcbdd85f3a5c9
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.19.y/build/v4.19.246-288-gcbdd85f3a5c9

## Test Regressions (compared to v4.19.245-31-gfb313cec37d7)
No test regressions found.

## Metric Regressions (compared to v4.19.245-31-gfb313cec37d7)
No metric regressions found.

## Test Fixes (compared to v4.19.245-31-gfb313cec37d7)
No test fixes found.

## Metric Fixes (compared to v4.19.245-31-gfb313cec37d7)
No metric fixes found.

## Test result summary
total: 104198, pass: 92268, fail: 261, skip: 10762, xfail: 907

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 298 total, 292 passed, 6 failed
* arm64: 56 total, 54 passed, 2 failed
* i386: 27 total, 23 passed, 4 failed
* mips: 27 total, 27 passed, 0 failed
* parisc: 12 total, 12 passed, 0 failed
* powerpc: 55 total, 54 passed, 1 failed
* s390: 12 total, 12 passed, 0 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 53 total, 51 passed, 2 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kunit
* kvm-unit-tests
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-cap_bounds-tests
* ltp-commands
* ltp-commands-tests
* ltp-containers
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests
* ltp-fcntl-locktests-tests
* ltp-filecaps
* ltp-filecaps-tests
* ltp-fs
* ltp-fs-tests
* ltp-fs_bind
* ltp-fs_bind-tests
* ltp-fs_perms_simple
* ltp-fs_perms_simple-tests
* ltp-fsx
* ltp-fsx-tests
* ltp-hugetlb
* ltp-hugetlb-tests
* ltp-io
* ltp-io-tests
* ltp-ipc
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty
* ltp-pty-tests
* ltp-sched
* ltp-sched-tests
* ltp-securebits
* ltp-securebits-tests
* ltp-smoke
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* rcutorture
* ssuite
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org

2022-06-14 10:54:06

by Sudip Mukherjee

[permalink] [raw]
Subject: Re: [PATCH 4.19 000/287] 4.19.247-rc1 review

Hi Greg,

On Mon, Jun 13, 2022 at 12:07:04PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.247 release.
> There are 287 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 15 Jun 2022 09:47:08 +0000.
> Anything received after that time might be too late.

Build test (gcc version 11.3.1 20220612):
mips: 63 configs -> no failure
arm: 115 configs -> no failure
arm64: 2 configs -> no failure
x86_64: 4 configs -> no failure
alpha allmodconfig -> no failure
s390 allmodconfig -> no failure
xtensa allmodconfig -> no failure

powerpc allmodconfig and riscv allmodconfig failed to build.
backported patches sent separately.

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]

[1]. https://openqa.qa.codethink.co.uk/tests/1315


Tested-by: Sudip Mukherjee <[email protected]>

--
Regards
Sudip