Xiongwei Song [Tue, 16 Nov 2021 13:10:33 +0000 (21:10 +0800)]
floppy: Add max size check for user space request
[ Upstream commit
545a32498c536ee152331cd2e7d2416aa0f20e01 ]
We need to check the max request size that is from user space before
allocating pages. If the request size exceeds the limit, return -EINVAL.
This check can avoid the warning below from page allocator.
WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
Modules linked in:
CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
RSP: 0018:
ffffc90023b87850 EFLAGS:
00010246
RAX:
0000000000000000 RBX:
1ffff92004770f0b RCX:
dffffc0000000000
RDX:
0000000000000000 RSI:
0000000000000033 RDI:
0000000000010cc1
RBP:
0000000000000000 R08:
0000000000000000 R09:
0000000000000001
R10:
ffffffff81bb4686 R11:
0000000000000001 R12:
ffffffff902c1960
R13:
0000000000000033 R14:
0000000000000000 R15:
ffff88804cf64a30
FS:
0000000000000000(0000) GS:
ffff88802cd00000(0063) knlGS:
00000000f44b4b40
CS: 0010 DS: 002b ES: 002b CR0:
0000000080050033
CR2:
000000002c921000 CR3:
000000004f507000 CR4:
0000000000150ee0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Call Trace:
<TASK>
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
__get_free_pages+0x8/0x40 mm/page_alloc.c:5418
raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
fd_ioctl drivers/block/floppy.c:3555 [inline]
fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
__do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com
Signed-off-by: Xiongwei Song <sxwjean@gmail.com>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Neal Liu [Fri, 26 Nov 2021 10:00:21 +0000 (18:00 +0800)]
usb: uhci: add aspeed ast2600 uhci support
[ Upstream commit
554abfe2eadec97d12c71d4a69da1518478f69eb ]
Enable ast2600 uhci quirks.
Signed-off-by: Neal Liu <neal_liu@aspeedtech.com>
Link: https://lore.kernel.org/r/20211126100021.2331024-1-neal_liu@aspeedtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kishon Vijay Abraham I [Fri, 26 Nov 2021 08:45:55 +0000 (14:15 +0530)]
arm64: dts: ti: j721e-main: Fix 'dtbs_check' in serdes_ln_ctrl node
[ Upstream commit
3f92a5be6084b77f764a8bbb881ac0d12cb9e863 ]
Fix 'dtbs_check' in serdes_ln_ctrl (mux@4080) node by changing the node
name to mux-controller@4080.
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Link: https://lore.kernel.org/r/20211126084555.17797-3-kishon@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kishon Vijay Abraham I [Fri, 26 Nov 2021 08:45:54 +0000 (14:15 +0530)]
arm64: dts: ti: j7200-main: Fix 'dtbs_check' serdes_ln_ctrl node
[ Upstream commit
4d3984906397581dc0ccb6a02bf16b6ff82c9192 ]
Fix 'dtbs_check' in serdes_ln_ctrl (serdes-ln-ctrl@4080) node by
changing the node name to mux-controller@4080.
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Link: https://lore.kernel.org/r/20211126084555.17797-2-kishon@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Mon, 22 Nov 2021 17:05:33 +0000 (18:05 +0100)]
ACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on the GPD win
[ Upstream commit
57d2dbf710d832841872fb15ebb79429cab90fae ]
The GPD win and its sibling the GPD pocket (99% the same electronics in a
different case) use a PCI wifi card. But the ACPI tables on both variants
contain a bug where the SDIO MMC controller for SDIO wifi cards is enabled
despite this. This SDIO MMC controller has a PCI0.SDHB.BRC1 child-device
which _PS3 method sets a GPIO causing the PCI wifi card to turn off.
At the moment there is a pretty ugly kludge in the sdhci-acpi.c code,
just to work around the bug in the DSDT of this single design. This can
be solved cleaner/simply with a quirk overriding the _STA return of the
broken PCI0.SDHB.BRC1 PCI0.SDHB.BRC1 child with a status value of 0,
so that its power_manageable flag gets cleared, avoiding this problem.
Note that even though it is not used, the _STA method for the MMC
controller is deliberately not overridden. If the status of the MMC
controller were forced to 0 it would never get suspended, which would
cause these mini-laptops to not reach S0i3 level when suspended.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Mon, 22 Nov 2021 17:05:32 +0000 (18:05 +0100)]
ACPI / x86: Allow specifying acpi_device_override_status() quirks by path
[ Upstream commit
ba46e42e925b5d09b4e441f8de3db119cc7df58f ]
Not all ACPI-devices have a HID + UID, allow specifying quirks for
acpi_device_override_status() by path too.
Note this moves the path/HID+UID check to after the CPU + DMI checks
since the path lookup is somewhat costly.
This way this lookup is only done on devices where the other checks
match.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Mon, 22 Nov 2021 17:05:31 +0000 (18:05 +0100)]
ACPI: Change acpi_device_always_present() into acpi_device_override_status()
[ Upstream commit
1a68b346a2c9969c05e80a3b99a9ab160b5655c0 ]
Currently, acpi_bus_get_status() calls acpi_device_always_present() to
allow platform quirks to override the _STA return to report that a
device is present (status = ACPI_STA_DEFAULT) independent of the _STA
return.
In some cases it might also be useful to have the opposite functionality
and have a platform quirk which marks a device as not present (status = 0)
to work around ACPI table bugs.
Change acpi_device_always_present() into a more generic
acpi_device_override_status() function to allow this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Mon, 22 Nov 2021 17:05:30 +0000 (18:05 +0100)]
ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present table
[ Upstream commit
d431dfb764b145369be820fcdfd50f2159b9bbc2 ]
It turns out that there is a WMI object which controls the PWM2 device
used for the keyboard backlight and that WMI object also provides some
other useful functionality.
The upcoming lenovo-yogabook-wmi driver will offer both backlight
control and the other functionality, so there no longer is a need
to have the lpss-pwm driver binding to PWM2 for backlight control;
and this is now actually undesirable because this will cause both
the WMI code and the lpss-pwm driver to poke at the same PWM
controller.
Drop the always-present quirk for the PWM2 ACPI-device, so that the
lpss-pwm controller will no longer bind to it.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zack Rusin [Fri, 5 Nov 2021 19:38:45 +0000 (15:38 -0400)]
drm/vmwgfx: Introduce a new placement for MOB page tables
[ Upstream commit
f6be23264bbac88d1e2bb39658e1b8a397e3f46d ]
For larger (bigger than a page) and noncontiguous mobs we have
to create page tables that allow the host to find the memory.
Those page tables just used regular system memory. Unfortunately
in TTM those BO's are not allowed to be busy thus can't be
fenced and we have to fence those bo's because we don't want
to destroy the page tables while the host is still executing
the command buffers which might be accessing them.
To solve it we introduce a new placement VMW_PL_SYSTEM which
is very similar to TTM_PL_SYSTEM except that it allows
fencing. This fixes kernel oops'es during unloading of the driver
(and pci hot remove/add) which were caused by busy BO's in
TTM_PL_SYSTEM being present in the delayed deletion list in
TTM (TTM_PL_SYSTEM manager is destroyed before the delayed
deletions are executed)
Signed-off-by: Zack Rusin <zackr@vmware.com>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-5-zackr@vmware.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zack Rusin [Fri, 5 Nov 2021 19:38:43 +0000 (15:38 -0400)]
drm/vmwgfx: Release ttm memory if probe fails
[ Upstream commit
28b5f3b6121b7db2a44be499cfca0b6b801588b6 ]
The ttm mem global state was leaking if the vmwgfx driver load failed.
In case of a driver load failure we have to make sure we also release
the ttm mem global state.
Signed-off-by: Zack Rusin <zackr@vmware.com>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-3-zackr@vmware.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Adam Ward [Mon, 29 Nov 2021 22:10:12 +0000 (22:10 +0000)]
regulator: da9121: Prevent current limit change when enabled
[ Upstream commit
24f0853228f3b98f1ef08d5824376c69bb8124d2 ]
Prevent changing current limit when enabled as a precaution against
possibile instability due to tight integration with switching cycle
Signed-off-by: Adam Ward <Adam.Ward.opensource@diasemi.com>
Link: https://lore.kernel.org/r/52ee682476004a1736c1e0293358987319c1c415.1638223185.git.Adam.Ward.opensource@diasemi.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mansur Alisha Shaik [Mon, 8 Nov 2021 05:48:51 +0000 (06:48 +0100)]
media: venus: avoid calling core_clk_setrate() concurrently during concurrent video sessions
[ Upstream commit
91f2b7d269e5c885c38c7ffa261f5276bd42f907 ]
In existing implementation, core_clk_setrate() is getting called
concurrently in concurrent video sessions. Before the previous call to
core_clk_setrate returns, new call to core_clk_setrate is invoked from
another video session running concurrently. This results in latest
calculated frequency being set (higher/lower) instead of actual frequency
required for that video session. It also results in stability crashes
mention below. These resources are specific to video core, hence keeping
under core lock would ensure that they are estimated for all running video
sessions and called once for the video core.
Crash logs:
[ 1.900089] WARNING: CPU: 4 PID: 1 at drivers/opp/debugfs.c:33 opp_debug_remove_one+0x2c/0x48
[ 1.908493] Modules linked in:
[ 1.911524] CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.10.67 #35
f8edb8c30cf2dd6838495dd9ef9be47af7f5f60c
[ 1.921036] Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT)
[ 1.928673] pstate:
60800009 (nZCv daif -PAN +UAO -TCO BTYPE=--)
[ 1.934608] pc : opp_debug_remove_one+0x2c/0x48
[ 1.939080] lr : opp_debug_remove_one+0x2c/0x48
[ 1.943560] sp :
ffffffc011d7b7f0
[ 1.946836] pmr_save:
000000e0
[ 1.949854] x29:
ffffffc011d7b7f0 x28:
ffffffc010733bbc
[ 1.955104] x27:
ffffffc010733ba8 x26:
ffffff8083cedd00
[ 1.960355] x25:
0000000000000001 x24:
0000000000000000
[ 1.965603] x23:
ffffff8083cc2878 x22:
ffffff8083ceb900
[ 1.970852] x21:
ffffff8083ceb910 x20:
ffffff8083cc2800
[ 1.976101] x19:
ffffff8083ceb900 x18:
00000000ffff0a10
[ 1.981352] x17:
ffffff80837a5620 x16:
00000000000000ec
[ 1.986601] x15:
ffffffc010519ad4 x14:
0000000000000003
[ 1.991849] x13:
0000000000000004 x12:
0000000000000001
[ 1.997100] x11:
c0000000ffffdfff x10:
00000000ffffffff
[ 2.002348] x9 :
d2627c580300dc00 x8 :
d2627c580300dc00
[ 2.007596] x7 :
0720072007200720 x6 :
ffffff80802ecf00
[ 2.012845] x5 :
0000000000190004 x4 :
0000000000000000
[ 2.018094] x3 :
ffffffc011d7b478 x2 :
ffffffc011d7b480
[ 2.023343] x1 :
00000000ffffdfff x0 :
0000000000000017
[ 2.028594] Call trace:
[ 2.031022] opp_debug_remove_one+0x2c/0x48
[ 2.035160] dev_pm_opp_put+0x94/0xb0
[ 2.038780] _opp_remove_all+0x7c/0xc8
[ 2.042486] _opp_remove_all_static+0x54/0x7c
[ 2.046796] dev_pm_opp_remove_table+0x74/0x98
[ 2.051183] devm_pm_opp_of_table_release+0x18/0x24
[ 2.056001] devm_action_release+0x1c/0x28
[ 2.060053] release_nodes+0x23c/0x2b8
[ 2.063760] devres_release_group+0xcc/0xd0
[ 2.067900] component_bind+0xac/0x168
[ 2.071608] component_bind_all+0x98/0x124
[ 2.075664] msm_drm_bind+0x1e8/0x678
[ 2.079287] try_to_bring_up_master+0x60/0x134
[ 2.083674] component_master_add_with_match+0xd8/0x120
[ 2.088834] msm_pdev_probe+0x20c/0x2a0
[ 2.092629] platform_drv_probe+0x9c/0xbc
[ 2.096598] really_probe+0x11c/0x46c
[ 2.100217] driver_probe_device+0x8c/0xf0
[ 2.104270] device_driver_attach+0x54/0x78
[ 2.108407] __driver_attach+0x48/0x148
[ 2.112201] bus_for_each_dev+0x88/0xd4
[ 2.115998] driver_attach+0x2c/0x38
[ 2.119534] bus_add_driver+0x10c/0x200
[ 2.123330] driver_register+0x6c/0x104
[ 2.127122] __platform_driver_register+0x4c/0x58
[ 2.131767] msm_drm_register+0x6c/0x70
[ 2.135560] do_one_initcall+0x64/0x23c
[ 2.139357] do_initcall_level+0xac/0x15c
[ 2.143321] do_initcalls+0x5c/0x9c
[ 2.146778] do_basic_setup+0x2c/0x38
[ 2.150401] kernel_init_freeable+0xf8/0x15c
[ 2.154622] kernel_init+0x1c/0x11c
[ 2.158079] ret_from_fork+0x10/0x30
[ 2.161615] ---[ end trace
a2cc45a0f784b212 ]---
[ 2.166272] Removing OPP:
300000000
Signed-off-by: Mansur Alisha Shaik <mansur@codeaurora.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sriram R [Thu, 25 Nov 2021 09:30:14 +0000 (15:00 +0530)]
ath11k: Avoid NULL ptr access during mgmt tx cleanup
[ Upstream commit
a93789ae541c7d5c1c2a4942013adb6bcc5e2848 ]
Currently 'ar' reference is not added in skb_cb during
WMI mgmt tx. Though this is generally not used during tx completion
callbacks, on interface removal the remaining idr cleanup callback
uses the ar ptr from skb_cb from mgmt txmgmt_idr. Hence
fill them during tx call for proper usage.
Also free the skb which is missing currently in these
callbacks.
Crash_info:
[19282.489476] Unable to handle kernel NULL pointer dereference at virtual address
00000000
[19282.489515] pgd =
91eb8000
[19282.496702] [
00000000] *pgd=
00000000
[19282.502524] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[19282.783728] PC is at ath11k_mac_vif_txmgmt_idr_remove+0x28/0xd8 [ath11k]
[19282.789170] LR is at idr_for_each+0xa0/0xc8
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zekun Shen [Fri, 29 Oct 2021 20:19:23 +0000 (16:19 -0400)]
rsi: Fix out-of-bounds read in rsi_read_pkt()
[ Upstream commit
f1cb3476e48b60c450ec3a1d7da0805bffc6e43a ]
rsi_get_* functions rely on an offset variable from usb
input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000),
while 2-byte offset can be up to 0xFFFF. Thus a large offset
can cause out-of-bounds read.
The patch adds a bound checking condition when rcv_pkt_len is 0,
indicating it's USB. It's unclear whether this is triggerable
from other type of bus. The following check might help in that case.
offset > rcv_pkt_len - FRAME_DESC_SZ
The bug is trigerrable with conpromised/malfunctioning USB devices.
I tested the patch with the crashing input and got no more bug report.
Attached is the KASAN report from fuzzing.
BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x]
Read of size 2 at addr
ffff888019439fdb by task RX-Thread/227
CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66
Call Trace:
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? rsi_read_pkt+0x42e/0x500 [rsi_91x]
? rsi_read_pkt+0x42e/0x500 [rsi_91x]
__kasan_report.cold+0x37/0x7c
? rsi_read_pkt+0x42e/0x500 [rsi_91x]
kasan_report+0xe/0x20
rsi_read_pkt+0x42e/0x500 [rsi_91x]
rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb]
? rsi_probe+0x16a0/0x16a0 [rsi_usb]
? _raw_spin_lock_irqsave+0x7b/0xd0
? _raw_spin_trylock_bh+0x120/0x120
? __wake_up_common+0x10b/0x520
? rsi_probe+0x16a0/0x16a0 [rsi_usb]
kthread+0x2b5/0x3b0
? kthread_create_on_node+0xd0/0xd0
ret_from_fork+0x22/0x40
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zekun Shen [Fri, 29 Oct 2021 19:49:03 +0000 (15:49 -0400)]
rsi: Fix use-after-free in rsi_rx_done_handler()
[ Upstream commit
b07e3c6ebc0c20c772c0f54042e430acec2945c3 ]
When freeing rx_cb->rx_skb, the pointer is not set to NULL,
a later rsi_rx_done_handler call will try to read the freed
address.
This bug will very likley lead to double free, although
detected early as use-after-free bug.
The bug is triggerable with a compromised/malfunctional usb
device. After applying the patch, the same input no longer
triggers the use-after-free.
Attached is the kasan report from fuzzing.
BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb]
Read of size 4 at addr
ffff8880188e5930 by task modprobe/231
Call Trace:
<IRQ>
dump_stack+0x76/0xa0
print_address_description.constprop.0+0x16/0x200
? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
__kasan_report.cold+0x37/0x7c
? dma_direct_unmap_page+0x90/0x110
? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
kasan_report+0xe/0x20
rsi_rx_done_handler+0x354/0x430 [rsi_usb]
__usb_hcd_giveback_urb+0x1e4/0x380
usb_giveback_urb_bh+0x241/0x4f0
? __usb_hcd_giveback_urb+0x380/0x380
? apic_timer_interrupt+0xa/0x20
tasklet_action_common.isra.0+0x135/0x330
__do_softirq+0x18c/0x634
? handle_irq_event+0xcd/0x157
? handle_edge_irq+0x1eb/0x7b0
irq_exit+0x114/0x140
do_IRQ+0x91/0x1e0
common_interrupt+0xf/0xf
</IRQ>
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zekun Shen [Sun, 31 Oct 2021 02:42:50 +0000 (22:42 -0400)]
mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
[ Upstream commit
04d80663f67ccef893061b49ec8a42ff7045ae84 ]
Currently, with an unknown recv_type, mwifiex_usb_recv
just return -1 without restoring the skb. Next time
mwifiex_usb_rx_complete is invoked with the same skb,
calling skb_put causes skb_over_panic.
The bug is triggerable with a compromised/malfunctioning
usb device. After applying the patch, skb_over_panic
no longer shows up with the same input.
Attached is the panic report from fuzzing.
skbuff: skb_over_panic: text:
000000003bf1b5fa
len:2048 put:4 head:
00000000dd6a115b data:
000000000a9445d8
tail:0x844 end:0x840 dev:<NULL>
kernel BUG at net/core/skbuff.c:109!
invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60
RIP: 0010:skb_panic+0x15f/0x161
Call Trace:
<IRQ>
? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb]
skb_put.cold+0x24/0x24
mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb]
__usb_hcd_giveback_urb+0x1e4/0x380
usb_giveback_urb_bh+0x241/0x4f0
? __hrtimer_run_queues+0x316/0x740
? __usb_hcd_giveback_urb+0x380/0x380
tasklet_action_common.isra.0+0x135/0x330
__do_softirq+0x18c/0x634
irq_exit+0x114/0x140
smp_apic_timer_interrupt+0xde/0x380
apic_timer_interrupt+0xf/0x20
</IRQ>
Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home
Signed-off-by: Sasha Levin <sashal@kernel.org>
Stephan Müller [Sun, 21 Nov 2021 14:14:20 +0000 (15:14 +0100)]
crypto: jitter - consider 32 LSB for APT
[ Upstream commit
552d03a223eda3df84526ab2c1f4d82e15eaee7a ]
The APT compares the current time stamp with a pre-set value. The
current code only considered the 4 LSB only. Yet, after reviews by
mathematicians of the user space Jitter RNG version >= 3.1.0, it was
concluded that the APT can be calculated on the 32 LSB of the time
delta. Thi change is applied to the kernel.
This fixes a bug where an AMD EPYC fails this test as its RDTSC value
contains zeros in the LSB. The most appropriate fix would have been to
apply a GCD calculation and divide the time stamp by the GCD. Yet, this
is a significant code change that will be considered for a future
update. Note, tests showed that constantly the GCD always was 32 on
these systems, i.e. the 5 LSB were always zero (thus failing the APT
since it only considered the 4 LSB for its calculation).
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Chengfeng Ye [Fri, 5 Nov 2021 13:45:07 +0000 (06:45 -0700)]
HSI: core: Fix return freed object in hsi_new_client
[ Upstream commit
a1ee1c08fcd5af03187dcd41dcab12fd5b379555 ]
cl is freed on error of calling device_register, but this
object is return later, which will cause uaf issue. Fix it
by return NULL on error.
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Thu, 25 Nov 2021 20:30:10 +0000 (21:30 +0100)]
gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
[ Upstream commit
bdfd6ab8fdccd8b138837efff66f4a1911496378 ]
If the IRQ is already in use, then acpi_dev_gpio_irq_get_by() really
should not change the type underneath the current owner.
I specifically hit an issue with this an a Chuwi Hi8 Super (CWI509) Bay
Trail tablet, when the Boot OS selection in the BIOS is set to Android.
In this case _STA for a MAX17047 ACPI I2C device wrongly returns 0xf and
the _CRS resources for this device include a GpioInt pointing to a GPIO
already in use by an _AEI handler, with a different type then specified
in the _CRS for the MAX17047 device. Leading to the acpi_dev_gpio_irq_get()
call done by the i2c-core-acpi.c code changing the type breaking the
_AEI handler.
Now this clearly is a bug in the DSDT of this tablet (in Android mode),
but in general calling irq_set_irq_type() on an IRQ which already is
in use seems like a bad idea.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Fugang Duan [Thu, 25 Nov 2021 02:03:49 +0000 (10:03 +0800)]
tty: serial: imx: disable UCR4_OREN in .stop_rx() instead of .shutdown()
[ Upstream commit
028e083832b06fdeeb290e1e57dc1f6702c4c215 ]
The UCR4_OREN should be disabled before disabling the uart receiver in
.stop_rx() instead of in the .shutdown().
Otherwise, if we have the overrun error during the receiver disable
process, the overrun interrupt will keep trigging until we disable the
OREN interrupt in the .shutdown(), because the ORE status can only be
cleared when read the rx FIFO or reset the controller. Although the
called time between the receiver disable and OREN disable in .shutdown()
is very short, there is still the risk of endless interrupt during this
short period of time. So here change to disable OREN before the receiver
been disabled in .stop_rx().
Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Link: https://lore.kernel.org/r/20211125020349.4980-1-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jiri Slaby [Thu, 18 Nov 2021 07:31:09 +0000 (08:31 +0100)]
mxser: keep only !tty test in ISR
[ Upstream commit
274ab58dc2b460cc474ffc7ccfcede4b2be1a3f5 ]
The others are superfluous with tty refcounting in place now. And they
are racy in fact:
* tty_port_initialized() reports false for a small moment after
interrupts are enabled.
* closing is 1 while the port is still alive.
The queues are flushed later during close anyway. So there is no need
for this special handling. Actually, the ISR should not flush the
queues. It should behave as every other driver, just queue the chars
into tty buffer and go on. But this will be changed later. There is
still a lot code depending on having tty in ISR (and not only tty_port).
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20211118073125.12283-4-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Martyn Welch [Thu, 25 Nov 2021 10:53:02 +0000 (10:53 +0000)]
drm/bridge: megachips: Ensure both bridges are probed before registration
[ Upstream commit
11632d4aa2b3f126790e81a4415d6c23103cf8bb ]
In the configuration used by the b850v3, the STDP2690 is used to read EDID
data whilst it's the STDP4028 which can detect when monitors are connected.
This can result in problems at boot with monitors connected when the
STDP4028 is probed first, a monitor is detected and an attempt is made to
read the EDID data before the STDP2690 has probed:
[ 3.795721] Unable to handle kernel NULL pointer dereference at virtual address
00000018
[ 3.803845] pgd = (ptrval)
[ 3.806581] [
00000018] *pgd=
00000000
[ 3.810180] Internal error: Oops: 5 [#1] SMP ARM
[ 3.814813] Modules linked in:
[ 3.817879] CPU: 0 PID: 64 Comm: kworker/u4:1 Not tainted 5.15.0 #1
[ 3.824161] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[ 3.830705] Workqueue: events_unbound deferred_probe_work_func
[ 3.836565] PC is at stdp2690_get_edid+0x44/0x19c
[ 3.841286] LR is at ge_b850v3_lvds_get_modes+0x2c/0x5c
[ 3.846526] pc : [<
805eae10>] lr : [<
805eb138>] psr:
80000013
[ 3.852802] sp :
81c359d0 ip :
7dbb550b fp :
81c35a1c
[ 3.858037] r10:
81c73840 r9 :
81c73894 r8 :
816d9800
[ 3.863270] r7 :
00000000 r6 :
81c34000 r5 :
00000000 r4 :
810c35f0
[ 3.869808] r3 :
80e3e294 r2 :
00000080 r1 :
00000cc0 r0 :
81401180
[ 3.876349] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 3.883499] Control:
10c5387d Table:
1000404a DAC:
00000051
[ 3.889254] Register r0 information: slab kmem_cache start
81401180 pointer offset 0
[ 3.897034] Register r1 information: non-paged memory
[ 3.902097] Register r2 information: non-paged memory
[ 3.907160] Register r3 information: non-slab/vmalloc memory
[ 3.912832] Register r4 information: non-slab/vmalloc memory
[ 3.918503] Register r5 information: NULL pointer
[ 3.923217] Register r6 information: non-slab/vmalloc memory
[ 3.928887] Register r7 information: NULL pointer
[ 3.933601] Register r8 information: slab kmalloc-1k start
816d9800 pointer offset 0 size 1024
[ 3.942244] Register r9 information: slab kmalloc-2k start
81c73800 pointer offset 148 size 2048
[ 3.951058] Register r10 information: slab kmalloc-2k start
81c73800 pointer offset 64 size 2048
[ 3.959873] Register r11 information: non-slab/vmalloc memory
[ 3.965632] Register r12 information: non-paged memory
[ 3.970781] Process kworker/u4:1 (pid: 64, stack limit = 0x(ptrval))
[ 3.977148] Stack: (0x81c359d0 to 0x81c36000)
[ 3.981517] 59c0:
80b2b668 80b2b5bc 000002e2 0000034e
[ 3.989712] 59e0:
81c35a8c 816d98e8 81c35a14 7dbb550b 805bfcd0 810c35f0 81c73840 824addc0
[ 3.997906] 5a00:
00001000 816d9800 81c73894 81c73840 81c35a34 81c35a20 805eb138 805eadd8
[ 4.006099] 5a20:
810c35f0 00000045 81c35adc 81c35a38 80594188 805eb118 80d7c788 80dd1848
[ 4.014292] 5a40:
00000000 81c35a50 80dca950 811194d3 80dca7c4 80dca944 80dca91c 816d9800
[ 4.022485] 5a60:
81c34000 81c760a8 816d9800 80c58c98 810c35f0 816d98e8 00001000 00001000
[ 4.030678] 5a80:
00000000 00000000 8017712c 81c60000 00000002 00000001 00000000 00000000
[ 4.038870] 5aa0:
816d9900 816d9900 00000000 7dbb550b 805c700c 00000008 826282c8 826282c8
[ 4.047062] 5ac0:
00001000 81e1ce40 00001000 00000002 81c35bf4 81c35ae0 805d9694 80593fc0
[ 4.055255] 5ae0:
8017a970 80179ad8 00000179 00000000 81c35bcc 81c35b00 80177108 8017a950
[ 4.063447] 5b00:
00000000 81c35b10 81c34000 00000000 81004fd8 81010a38 00000000 00000059
[ 4.071639] 5b20:
816d98d4 81fbb718 00000013 826282c8 8017a940 81c35b40 81134448 00000400
[ 4.079831] 5b40:
00000178 00000000 e063b9c1 00000000 c2000049 00000040 00000000 00000008
[ 4.088024] 5b60:
82628300 82628380 00000000 00000000 81c34000 00000000 81fbb700 82628340
[ 4.096216] 5b80:
826283c0 00001000 00000000 00000010 816d9800 826282c0 801766f8 00000000
[ 4.104408] 5ba0:
00000000 81004fd8 00000049 00000000 00000000 00000001 80dcf940 80178de4
[ 4.112601] 5bc0:
81c35c0c 7dbb550b 80178de4 81fbb700 00000010 00000010 810c35f4 81e1ce40
[ 4.120793] 5be0:
81c40908 0000000c 81c35c64 81c35bf8 805a7f18 805d94a0 81c35c3c 816d9800
[ 4.128985] 5c00:
00000010 81c34000 81c35c2c 81c35c18 8012fce0 805be90c 81c35c3c 81c35c28
[ 4.137178] 5c20:
805be90c 80173210 81fbb600 81fbb6b4 81c35c5c 7dbb550b 81c35c64 81fbb700
[ 4.145370] 5c40:
816d9800 00000010 810c35f4 81e1ce40 81c40908 0000000c 81c35c84 81c35c68
[ 4.153565] 5c60:
805a8c78 805a7ed0 816d9800 81fbb700 00000010 00000000 81c35cac 81c35c88
[ 4.161758] 5c80:
805a8dc4 805a8b68 816d9800 00000000 816d9800 00000000 8179f810 810c42d0
[ 4.169950] 5ca0:
81c35ccc 81c35cb0 805e47b0 805a8d18 824aa240 81e1ea80 81c40908 81126b60
[ 4.178144] 5cc0:
81c35d14 81c35cd0 8060db1c 805e46cc 81c35d14 81c35ce0 80dd90f8 810c4d58
[ 4.186338] 5ce0:
80dd90dc 81fe9740 fffffffe 81fe9740 81e1ea80 00000000 810c4d6c 80c4b95c
[ 4.194531] 5d00:
80dd9a3c 815c6810 81c35d34 81c35d18 8060dc9c 8060d8fc 8246b440 815c6800
[ 4.202724] 5d20:
815c6810 eefd8e00 81c35d44 81c35d38 8060dd80 8060dbec 81c35d6c 81c35d48
[ 4.210918] 5d40:
805e98a4 8060dd70 00000000 815c6810 810c45b0 81126e90 81126e90 80dd9a3c
[ 4.219112] 5d60:
81c35d8c 81c35d70 80619574 805e9808 815c6810 00000000 810c45b0 81126e90
[ 4.227305] 5d80:
81c35db4 81c35d90 806168dc 80619514 80625df0 80623c80 815c6810 810c45b0
[ 4.235498] 5da0:
81c35e6c 815c6810 81c35dec 81c35db8 80616d04 80616800 81c35de4 81c35dc8
[ 4.243691] 5dc0:
808382b0 80b2f444 8116e310 8116e314 81c35e6c 815c6810 00000003 80dd9a3c
[ 4.251884] 5de0:
81c35e14 81c35df0 80616ec8 80616c60 00000001 810c45b0 81c35e6c 815c6810
[ 4.260076] 5e00:
00000001 80dd9a3c 81c35e34 81c35e18 80617338 80616e90 00000000 81c35e6c
[ 4.268269] 5e20:
80617284 81c34000 81c35e64 81c35e38 80614730 80617290 81c35e64 8171a06c
[ 4.276461] 5e40:
81e220b8 7dbb550b 815c6810 81c34000 815c6854 81126e90 81c35e9c 81c35e68
[ 4.284654] 5e60:
8061673c 806146a8 8060f5e0 815c6810 00000001 7dbb550b 00000000 810c5080
[ 4.292847] 5e80:
810c5320 815c6810 81126e90 00000000 81c35eac 81c35ea0 80617554 80616650
[ 4.301040] 5ea0:
81c35ecc 81c35eb0 80615694 80617544 810c5080 810c5080 810c5094 81126e90
[ 4.309233] 5ec0:
81c35efc 81c35ed0 80615c6c 8061560c 80615bc0 810c50c0 817eeb00 81412800
[ 4.317425] 5ee0:
814c3000 00000000 814c300d 81119a60 81c35f3c 81c35f00 80141488 80615bcc
[ 4.325618] 5f00:
81c60000 81c34000 81c35f24 81c35f18 80143078 817eeb00 81412800 817eeb18
[ 4.333811] 5f20:
81412818 81003d00 00000088 81412800 81c35f74 81c35f40 80141a48 80141298
[ 4.342005] 5f40:
81c35f74 81c34000 801481ac 817efa40 817efc00 801417d8 817eeb00 00000000
[ 4.350199] 5f60:
815a7e7c 81c34000 81c35fac 81c35f78 80149b1c 801417e4 817efc20 817efc20
[ 4.358391] 5f80:
ffffe000 817efa40 801499a8 00000000 00000000 00000000 00000000 00000000
[ 4.366583] 5fa0:
00000000 81c35fb0 80100130 801499b4 00000000 00000000 00000000 00000000
[ 4.374774] 5fc0:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 4.382966] 5fe0:
00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[ 4.391155] Backtrace:
[ 4.393613] [<
805eadcc>] (stdp2690_get_edid) from [<
805eb138>] (ge_b850v3_lvds_get_modes+0x2c/0x5c)
[ 4.402691] r10:
81c73840 r9:
81c73894 r8:
816d9800 r7:
00001000 r6:
824addc0 r5:
81c73840
[ 4.410534] r4:
810c35f0
[ 4.413073] [<
805eb10c>] (ge_b850v3_lvds_get_modes) from [<
80594188>] (drm_helper_probe_single_connector_modes+0x1d4/0x84c)
[ 4.424240] r5:
00000045 r4:
810c35f0
[ 4.427822] [<
80593fb4>] (drm_helper_probe_single_connector_modes) from [<
805d9694>] (drm_client_modeset_probe+0x200/0x1384)
[ 4.439074] r10:
00000002 r9:
00001000 r8:
81e1ce40 r7:
00001000 r6:
826282c8 r5:
826282c8
[ 4.446917] r4:
00000008
[ 4.449455] [<
805d9494>] (drm_client_modeset_probe) from [<
805a7f18>] (__drm_fb_helper_initial_config_and_unlock+0x54/0x5b4)
[ 4.460713] r10:
0000000c r9:
81c40908 r8:
81e1ce40 r7:
810c35f4 r6:
00000010 r5:
00000010
[ 4.468556] r4:
81fbb700
[ 4.471095] [<
805a7ec4>] (__drm_fb_helper_initial_config_and_unlock) from [<
805a8c78>] (drm_fbdev_client_hotplug+0x11c/0x1b0)
[ 4.482434] r10:
0000000c r9:
81c40908 r8:
81e1ce40 r7:
810c35f4 r6:
00000010 r5:
816d9800
[ 4.490276] r4:
81fbb700
[ 4.492814] [<
805a8b5c>] (drm_fbdev_client_hotplug) from [<
805a8dc4>] (drm_fbdev_generic_setup+0xb8/0x1a4)
[ 4.502494] r7:
00000000 r6:
00000010 r5:
81fbb700 r4:
816d9800
[ 4.508160] [<
805a8d0c>] (drm_fbdev_generic_setup) from [<
805e47b0>] (imx_drm_bind+0xf0/0x130)
[ 4.516805] r7:
810c42d0 r6:
8179f810 r5:
00000000 r4:
816d9800
[ 4.522474] [<
805e46c0>] (imx_drm_bind) from [<
8060db1c>] (try_to_bring_up_master+0x22c/0x2f0)
[ 4.531116] r7:
81126b60 r6:
81c40908 r5:
81e1ea80 r4:
824aa240
[ 4.536783] [<
8060d8f0>] (try_to_bring_up_master) from [<
8060dc9c>] (__component_add+0xbc/0x184)
[ 4.545597] r10:
815c6810 r9:
80dd9a3c r8:
80c4b95c r7:
810c4d6c r6:
00000000 r5:
81e1ea80
[ 4.553440] r4:
81fe9740
[ 4.555980] [<
8060dbe0>] (__component_add) from [<
8060dd80>] (component_add+0x1c/0x20)
[ 4.563921] r7:
eefd8e00 r6:
815c6810 r5:
815c6800 r4:
8246b440
[ 4.569589] [<
8060dd64>] (component_add) from [<
805e98a4>] (dw_hdmi_imx_probe+0xa8/0xe8)
[ 4.577702] [<
805e97fc>] (dw_hdmi_imx_probe) from [<
80619574>] (platform_probe+0x6c/0xc8)
[ 4.585908] r9:
80dd9a3c r8:
81126e90 r7:
81126e90 r6:
810c45b0 r5:
815c6810 r4:
00000000
[ 4.593662] [<
80619508>] (platform_probe) from [<
806168dc>] (really_probe+0xe8/0x460)
[ 4.601524] r7:
81126e90 r6:
810c45b0 r5:
00000000 r4:
815c6810
[ 4.607191] [<
806167f4>] (really_probe) from [<
80616d04>] (__driver_probe_device+0xb0/0x230)
[ 4.615658] r7:
815c6810 r6:
81c35e6c r5:
810c45b0 r4:
815c6810
[ 4.621326] [<
80616c54>] (__driver_probe_device) from [<
80616ec8>] (driver_probe_device+0x44/0xe0)
[ 4.630313] r9:
80dd9a3c r8:
00000003 r7:
815c6810 r6:
81c35e6c r5:
8116e314 r4:
8116e310
[ 4.638068] [<
80616e84>] (driver_probe_device) from [<
80617338>] (__device_attach_driver+0xb4/0x12c)
[ 4.647227] r9:
80dd9a3c r8:
00000001 r7:
815c6810 r6:
81c35e6c r5:
810c45b0 r4:
00000001
[ 4.654981] [<
80617284>] (__device_attach_driver) from [<
80614730>] (bus_for_each_drv+0x94/0xd8)
[ 4.663794] r7:
81c34000 r6:
80617284 r5:
81c35e6c r4:
00000000
[ 4.669461] [<
8061469c>] (bus_for_each_drv) from [<
8061673c>] (__device_attach+0xf8/0x190)
[ 4.677753] r7:
81126e90 r6:
815c6854 r5:
81c34000 r4:
815c6810
[ 4.683419] [<
80616644>] (__device_attach) from [<
80617554>] (device_initial_probe+0x1c/0x20)
[ 4.691971] r8:
00000000 r7:
81126e90 r6:
815c6810 r5:
810c5320 r4:
810c5080
[ 4.698681] [<
80617538>] (device_initial_probe) from [<
80615694>] (bus_probe_device+0x94/0x9c)
[ 4.707318] [<
80615600>] (bus_probe_device) from [<
80615c6c>] (deferred_probe_work_func+0xac/0xf0)
[ 4.716305] r7:
81126e90 r6:
810c5094 r5:
810c5080 r4:
810c5080
[ 4.721973] [<
80615bc0>] (deferred_probe_work_func) from [<
80141488>] (process_one_work+0x1fc/0x54c)
[ 4.731139] r10:
81119a60 r9:
814c300d r8:
00000000 r7:
814c3000 r6:
81412800 r5:
817eeb00
[ 4.738981] r4:
810c50c0 r3:
80615bc0
[ 4.742563] [<
8014128c>] (process_one_work) from [<
80141a48>] (worker_thread+0x270/0x570)
[ 4.750765] r10:
81412800 r9:
00000088 r8:
81003d00 r7:
81412818 r6:
817eeb18 r5:
81412800
[ 4.758608] r4:
817eeb00
[ 4.761147] [<
801417d8>] (worker_thread) from [<
80149b1c>] (kthread+0x174/0x190)
[ 4.768574] r10:
81c34000 r9:
815a7e7c r8:
00000000 r7:
817eeb00 r6:
801417d8 r5:
817efc00
[ 4.776417] r4:
817efa40
[ 4.778955] [<
801499a8>] (kthread) from [<
80100130>] (ret_from_fork+0x14/0x24)
[ 4.786201] Exception stack(0x81c35fb0 to 0x81c35ff8)
[ 4.791266] 5fa0:
00000000 00000000 00000000 00000000
[ 4.799459] 5fc0:
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 4.807651] 5fe0:
00000000 00000000 00000000 00000000 00000013 00000000
[ 4.814279] r10:
00000000 r9:
00000000 r8:
00000000 r7:
00000000 r6:
00000000 r5:
801499a8
[ 4.822120] r4:
817efa40
[ 4.824664] Code:
e3a02080 e593001c e3a01d33 e3a05000 (
e5979018)
Split the registration from the STDP4028 probe routine and only perform
registration once both the STDP4028 and STDP2690 have probed.
Signed-off-by: Martyn Welch <martyn.welch@collabora.com>
CC: Peter Senna Tschudin <peter.senna@gmail.com>
CC: Martyn Welch <martyn.welch@collabora.co.uk>
CC: Neil Armstrong <narmstrong@baylibre.com>
CC: Robert Foss <robert.foss@linaro.org>
CC: Laurent Pinchart <Laurent.pinchart@ideasonboard.com>
CC: Jonas Karlman <jonas@kwiboo.se>
CC: Jernej Skrabec <jernej.skrabec@gmail.com>
Signed-off-by: Robert Foss <robert.foss@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/43552c3404e8fdf92d8bc5658fac24e9f03c2c57.1637836606.git.martyn.welch@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Martin Leung [Fri, 12 Nov 2021 22:59:31 +0000 (17:59 -0500)]
drm/amd/display: add else to avoid double destroy clk_mgr
[ Upstream commit
11dff0e871037a6ad978e52f826a2eb7f5fb274a ]
[Why & How]
when changing some code we accidentally
changed else if-> if. reverting that.
Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
Signed-off-by: Martin Leung <Martin.Leung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Danielle Ratson [Tue, 23 Nov 2021 07:54:47 +0000 (09:54 +0200)]
mlxsw: pci: Add shutdown method in PCI driver
[ Upstream commit
c1020d3cf4752f61a6a413f632ea2ce2370e150d ]
On an arm64 platform with the Spectrum ASIC, after loading and executing
a new kernel via kexec, the following trace [1] is observed. This seems
to be caused by the fact that the device is not properly shutdown before
executing the new kernel.
Fix this by implementing a shutdown method which mirrors the remove
method, as recommended by the kexec maintainer [2][3].
[1]
BUG: Bad page state in process devlink pfn:22f73d
page:
fffffe00089dcf40 refcount:-1 mapcount:0 mapping:
0000000000000000 index:0x0
flags: 0x2ffff00000000000()
raw:
2ffff00000000000 0000000000000000 ffffffff089d0201 0000000000000000
raw:
0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000
page dumped because: nonzero _refcount
Modules linked in:
CPU: 1 PID: 16346 Comm: devlink Tainted: G B 5.8.0-rc6-custom-273020-gac6b365b1bf5 #44
Hardware name: Marvell Armada 7040 TX4810M (DT)
Call trace:
dump_backtrace+0x0/0x1d0
show_stack+0x1c/0x28
dump_stack+0xbc/0x118
bad_page+0xcc/0xf8
check_free_page_bad+0x80/0x88
__free_pages_ok+0x3f8/0x418
__free_pages+0x38/0x60
kmem_freepages+0x200/0x2a8
slab_destroy+0x28/0x68
slabs_destroy+0x60/0x90
___cache_free+0x1b4/0x358
kfree+0xc0/0x1d0
skb_free_head+0x2c/0x38
skb_release_data+0x110/0x1a0
skb_release_all+0x2c/0x38
consume_skb+0x38/0x130
__dev_kfree_skb_any+0x44/0x50
mlxsw_pci_rdq_fini+0x8c/0xb0
mlxsw_pci_queue_fini.isra.0+0x28/0x58
mlxsw_pci_queue_group_fini+0x58/0x88
mlxsw_pci_aqs_fini+0x2c/0x60
mlxsw_pci_fini+0x34/0x50
mlxsw_core_bus_device_unregister+0x104/0x1d0
mlxsw_devlink_core_bus_device_reload_down+0x2c/0x48
devlink_reload+0x44/0x158
devlink_nl_cmd_reload+0x270/0x290
genl_rcv_msg+0x188/0x2f0
netlink_rcv_skb+0x5c/0x118
genl_rcv+0x3c/0x50
netlink_unicast+0x1bc/0x278
netlink_sendmsg+0x194/0x390
__sys_sendto+0xe0/0x158
__arm64_sys_sendto+0x2c/0x38
el0_svc_common.constprop.0+0x70/0x168
do_el0_svc+0x28/0x88
el0_sync_handler+0x88/0x190
el0_sync+0x140/0x180
[2]
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1195432.html
[3]
https://patchwork.kernel.org/project/linux-scsi/patch/
20170212214920.28866-1-anton@ozlabs.org/#
20116693
Cc: Eric Biederman <ebiederm@xmission.com>
Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jan Kiszka [Mon, 21 Jun 2021 18:08:28 +0000 (20:08 +0200)]
soc: ti: pruss: fix referenced node in error message
[ Upstream commit
8aa35e0bb5eaa42bac415ad0847985daa7b4890c ]
So far, "(null)" is reported for the node that is missing clocks.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/d6e24953-ea89-fd1c-6e16-7a0142118054@siemens.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alex Deucher [Wed, 10 Nov 2021 15:23:25 +0000 (10:23 -0500)]
drm/amdgpu/display: set vblank_disable_immediate for DC
[ Upstream commit
92020e81ddbeac351ea4a19bcf01743f32b9c800 ]
Disable vblanks immediately to save power. I think this was
missed when we merged DC support.
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1781
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yang Li [Mon, 15 Nov 2021 08:10:19 +0000 (16:10 +0800)]
drm/amd/display: check top_pipe_to_program pointer
[ Upstream commit
a689e8d1f80012f90384ebac9dcfac4201f9f77e ]
Clang static analysis reports this error
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:2870:7: warning:
Dereference of null pointer [clang-analyzer-core.NullDereference]
if
(top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) {
^
top_pipe_to_program being NULL is caught as an error
But then it is used to report the error.
So add a check before using it.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Lukas Bulwahn [Thu, 28 Oct 2021 14:19:33 +0000 (16:19 +0200)]
ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART
[ Upstream commit
b0100bce4ff82ec1ccd3c1f3d339fd2df6a81784 ]
Since commit
4b563a066611 ("ARM: imx: Remove imx21 support"), the config
DEBUG_IMX21_IMX27_UART is really only debug support for IMX27.
So, rename this option to DEBUG_IMX27_UART and adjust dependencies in
Kconfig and rename the definitions to IMX27 as further clean-up.
This issue was discovered with ./scripts/checkkconfigsymbols.py, which
reported that DEBUG_IMX21_IMX27_UART depends on the non-existing config
SOC_IMX21.
Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Marek Vasut [Sat, 16 Oct 2021 21:05:47 +0000 (23:05 +0200)]
soc: imx: gpcv2: Synchronously suspend MIX domains
[ Upstream commit
f756f435f7dd823f2d4bd593ce1bf3168def1308 ]
In case the following power domain sequence happens, iMX8M Mini always hangs:
gpumix:on -> gpu:on -> gpu:off -> gpu:on
This is likely due to another quirk of the GPC block. This situation can be
prevented by always synchronously powering off both the domain and MIX domain.
Make it so. This turns the aforementioned sequence into:
gpumix:on -> gpu:on -> gpu:off -> gpumix:off -> gpumix:on -> gpu:on
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Frieder Schrempf <frieder.schrempf@kontron.de>
Cc: Lucas Stach <l.stach@pengutronix.de>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Shawn Guo <shawnguo@kernel.org>
Acked-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Konrad Dybcio [Sun, 14 Nov 2021 01:27:45 +0000 (02:27 +0100)]
arm64: dts: qcom: sm8350: Shorten camera-thermal-bottom name
[ Upstream commit
f52dd33943ca5f84ae76890f352f6d9e12512c3f ]
Thermal zone names should not be longer than 20 names, which is indicated by
a message at boot. Change "camera-thermal-bottom" to "cam-thermal-bottom" to
fix it.
Signed-off-by: Konrad Dybcio <konrad.dybcio@somainline.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20211114012755.112226-6-konrad.dybcio@somainline.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dinh Nguyen [Tue, 12 Oct 2021 19:07:06 +0000 (14:07 -0500)]
EDAC/synopsys: Use the quirk for version instead of ddr version
[ Upstream commit
bd1d6da17c296bd005bfa656952710d256e77dd3 ]
Version 2.40a supports DDR_ECC_INTR_SUPPORT for a quirk, so use that
quirk to determine a call to setup_address_map().
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
Link: https://lkml.kernel.org/r/20211012190709.1504152-1-dinguyen@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yang Li [Thu, 18 Nov 2021 09:48:03 +0000 (17:48 +0800)]
ethernet: renesas: Use div64_ul instead of do_div
[ Upstream commit
d9f31aeaa1e5aefa68130878af3c3513d41c1e2d ]
do_div() does a 64-by-32 division. Here the divisor is an
unsigned long which on some platforms is 64 bit wide. So use
div64_ul instead of do_div to avoid a possible truncation.
Eliminate the following coccicheck warning:
./drivers/net/ethernet/renesas/ravb_main.c:2492:1-7: WARNING:
do_div() does a 64-by-32 division, please consider using div64_ul
instead.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Link: https://lore.kernel.org/r/1637228883-100100-1-git-send-email-yang.lee@linux.alibaba.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Andrii Nakryiko [Wed, 17 Nov 2021 19:41:13 +0000 (11:41 -0800)]
libbpf: Accommodate DWARF/compiler bug with duplicated structs
[ Upstream commit
efdd3eb8015e7447095f02a26eaabd164cd18004 ]
According to [0], compilers sometimes might produce duplicate DWARF
definitions for exactly the same struct/union within the same
compilation unit (CU). We've had similar issues with identical arrays
and handled them with a similar workaround in
6b6e6b1d09aa ("libbpf:
Accomodate DWARF/compiler bug with duplicated identical arrays"). Do the
same for struct/union by ensuring that two structs/unions are exactly
the same, down to the integer values of field referenced type IDs.
Solving this more generically (allowing referenced types to be
equivalent, but using different type IDs, all within a single CU)
requires a huge complexity increase to handle many-to-many mappings
between canonidal and candidate type graphs. Before we invest in that,
let's see if this approach handles all the instances of this issue in
practice. Thankfully it's pretty rare, it seems.
[0] https://lore.kernel.org/bpf/YXr2NFlJTAhHdZqq@krava/
Reported-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211117194114.347675-1-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zheyu Ma [Tue, 11 May 2021 09:00:03 +0000 (10:00 +0100)]
media: b2c2: Add missing check in flexcop_pci_isr:
[ Upstream commit
b13203032e679674c7c518f52a7ec0801ca3a829 ]
A out-of-bounds bug can be triggered by an interrupt, the reason for
this bug is the lack of checking of register values.
In flexcop_pci_isr, the driver reads value from a register and uses it as
a dma address. Finally, this address will be passed to the count parameter
of find_next_packet. If this value is larger than the size of dma, the
index of buffer will be out-of-bounds.
Fix this by adding a check after reading the value of the register.
The following KASAN report reveals it:
BUG: KASAN: slab-out-of-bounds in find_next_packet
drivers/media/dvb-core/dvb_demux.c:528 [inline]
BUG: KASAN: slab-out-of-bounds in _dvb_dmx_swfilter
drivers/media/dvb-core/dvb_demux.c:572 [inline]
BUG: KASAN: slab-out-of-bounds in dvb_dmx_swfilter+0x3fa/0x420
drivers/media/dvb-core/dvb_demux.c:603
Read of size 1 at addr
ffff8880608c00a0 by task swapper/2/0
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xec/0x156 lib/dump_stack.c:118
print_address_description+0x78/0x290 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x25b/0x380 mm/kasan/report.c:412
__asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:430
find_next_packet drivers/media/dvb-core/dvb_demux.c:528 [inline]
_dvb_dmx_swfilter drivers/media/dvb-core/dvb_demux.c:572 [inline]
dvb_dmx_swfilter+0x3fa/0x420 drivers/media/dvb-core/dvb_demux.c:603
flexcop_pass_dmx_data+0x2e/0x40 drivers/media/common/b2c2/flexcop.c:167
flexcop_pci_isr+0x3d1/0x5d0 drivers/media/pci/b2c2/flexcop-pci.c:212
__handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149
handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189
handle_irq_event+0xac/0x140 kernel/irq/handle.c:206
handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725
generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87
do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247
common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
</IRQ>
RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61
Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 62 2f 8c 48 89 e5 e8 fb 31
e8 f8 8b 05 75 4f 8e 03 85 c0 7e 07 0f 00 2d 8a 61 66 00 fb f4 <5d> c3
90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41
RSP: 0018:
ffff88806b71fcc8 EFLAGS:
00000246 ORIG_RAX:
ffffffffffffffde
RAX:
0000000000000000 RBX:
ffffffff8bde44c8 RCX:
ffffffff88a11285
RDX:
0000000000000000 RSI:
0000000000000004 RDI:
ffffffff8c2f6200
RBP:
ffff88806b71fcc8 R08:
fffffbfff185ec40 R09:
fffffbfff185ec40
R10:
0000000000000001 R11:
fffffbfff185ec40 R12:
0000000000000002
R13:
ffffffff8be9d6e0 R14:
0000000000000000 R15:
0000000000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
default_idle+0x6f/0x360 arch/x86/kernel/process.c:557
arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548
default_idle_call+0x3b/0x60 kernel/sched/idle.c:93
cpuidle_idle_call kernel/sched/idle.c:153 [inline]
do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263
cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369
start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
Allocated by task 1:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x11/0x20 mm/kasan/kasan.c:490
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slub.c:2741 [inline]
slab_alloc mm/slub.c:2749 [inline]
kmem_cache_alloc+0xeb/0x280 mm/slub.c:2754
kmem_cache_zalloc include/linux/slab.h:699 [inline]
__kernfs_new_node+0xe2/0x6f0 fs/kernfs/dir.c:633
kernfs_new_node+0x9a/0x120 fs/kernfs/dir.c:693
__kernfs_create_file+0x5f/0x340 fs/kernfs/file.c:992
sysfs_add_file_mode_ns+0x22a/0x4e0 fs/sysfs/file.c:306
create_files fs/sysfs/group.c:63 [inline]
internal_create_group+0x34e/0xc30 fs/sysfs/group.c:147
sysfs_create_group fs/sysfs/group.c:173 [inline]
sysfs_create_groups+0x9c/0x140 fs/sysfs/group.c:200
driver_add_groups+0x3e/0x50 drivers/base/driver.c:129
bus_add_driver+0x3a5/0x790 drivers/base/bus.c:684
driver_register+0x1cd/0x410 drivers/base/driver.c:170
__pci_register_driver+0x197/0x200 drivers/pci/pci-driver.c:1411
cx88_audio_pci_driver_init+0x23/0x25 drivers/media/pci/cx88/cx88-alsa.c:
1017
do_one_initcall+0xe0/0x610 init/main.c:884
do_initcall_level init/main.c:952 [inline]
do_initcalls init/main.c:960 [inline]
do_basic_setup init/main.c:978 [inline]
kernel_init_freeable+0x4d0/0x592 init/main.c:1145
kernel_init+0x18/0x190 init/main.c:1062
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at
ffff8880608c0000
which belongs to the cache kernfs_node_cache of size 160
The buggy address is located 0 bytes to the right of
160-byte region [
ffff8880608c0000,
ffff8880608c00a0)
The buggy address belongs to the page:
page:
ffffea0001823000 count:1 mapcount:0 mapping:
ffff88806bed1e00
index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw:
0100000000008100 dead000000000100 dead000000000200 ffff88806bed1e00
raw:
0000000000000000 0000000000240024 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880608bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880608c0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
ffff8880608c0080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
^
ffff8880608c0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880608c0180: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
Link: https://lore.kernel.org/linux-media/1620723603-30912-1-git-send-email-zheyuma97@gmail.com
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
José Expósito [Thu, 18 Nov 2021 07:29:53 +0000 (08:29 +0100)]
HID: apple: Do not reset quirks when the Fn key is not found
[ Upstream commit
a5fe7864d8ada170f19cc47d176bf8260ffb4263 ]
When a keyboard without a function key is detected, instead of removing
all quirks, remove only the APPLE_HAS_FN quirk.
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
José Expósito [Thu, 18 Nov 2021 16:52:08 +0000 (17:52 +0100)]
HID: magicmouse: Report battery level over USB
[ Upstream commit
0b91b4e4dae63cd43871fc2012370b86ee588f91 ]
When connected over USB, the Apple Magic Mouse 2 and the Apple Magic
Trackpad 2 register multiple interfaces, one of them is used to report
the battery level.
However, unlike when connected over Bluetooth, the battery level is not
reported automatically and it is required to fetch it manually.
Fix the battery report descriptor and add a timer to fetch the battery
level.
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Sat, 6 Nov 2021 13:02:27 +0000 (14:02 +0100)]
drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L
[ Upstream commit
bc30c3b0c8a1904d83d5f0d60fb8650a334b207b ]
The Lenovo Yoga Book X91F/L uses a panel which has been mounted
90 degrees rotated. Add a quirk for this.
Cc: Yauhen Kharuzhy <jekhor@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Simon Ser <contact@emersion.fr>
Tested-by: Yauhen Kharuzhy <jekhor@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211106130227.11927-1-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Brian Chen [Wed, 10 Nov 2021 21:33:12 +0000 (21:33 +0000)]
psi: Fix PSI_MEM_FULL state when tasks are in memstall and doing reclaim
[ Upstream commit
cb0e52b7748737b2cf6481fdd9b920ce7e1ebbdf ]
We've noticed cases where tasks in a cgroup are stalled on memory but
there is little memory FULL pressure since tasks stay on the runqueue
in reclaim.
A simple example involves a single threaded program that keeps leaking
and touching large amounts of memory. It runs in a cgroup with swap
enabled, memory.high set at 10M and cpu.max ratio set at 5%. Though
there is significant CPU pressure and memory SOME, there is barely any
memory FULL since the task enters reclaim and stays on the runqueue.
However, this memory-bound task is effectively stalled on memory and
we expect memory FULL to match memory SOME in this scenario.
The code is confused about memstall && running, thinking there is a
stalled task and a productive task when there's only one task: a
reclaimer that's counted as both. To fix this, we redefine the
condition for PSI_MEM_FULL to check that all running tasks are in an
active memstall instead of checking that there are no running tasks.
case PSI_MEM_FULL:
- return unlikely(tasks[NR_MEMSTALL] && !tasks[NR_RUNNING]);
+ return unlikely(tasks[NR_MEMSTALL] &&
+ tasks[NR_RUNNING] == tasks[NR_MEMSTALL_RUNNING]);
This will capture reclaimers. It will also capture tasks that called
psi_memstall_enter() and are about to sleep, but this should be
negligible noise.
Signed-off-by: Brian Chen <brianchen118@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Link: https://lore.kernel.org/r/20211110213312.310243-1-brianchen118@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Pavankumar Kondeti [Fri, 12 Nov 2021 10:24:40 +0000 (15:54 +0530)]
usb: gadget: f_fs: Use stream_open() for endpoint files
[ Upstream commit
c76ef96fc00eb398c8fc836b0eb2f82bcc619dc7 ]
Function fs endpoint file operations are synchronized via an interruptible
mutex wait. However we see threads that do ep file operations concurrently
are getting blocked for the mutex lock in __fdget_pos(). This is an
uninterruptible wait and we see hung task warnings and kernel panic
if hung_task_panic systcl is enabled if host does not send/receive
the data for long time.
The reason for threads getting blocked in __fdget_pos() is due to
the file position protection introduced by the commit
9c225f2655e3
("vfs: atomic f_pos accesses as per POSIX"). Since function fs
endpoint files does not have the notion of the file position, switch
to the stream mode. This will bypass the file position mutex and
threads will be blocked in interruptible state for the function fs
mutex.
It should not affects user space as we are only changing the task state
changes the task state from UNINTERRUPTIBLE to INTERRUPTIBLE while waiting
for the USB transfers to be finished. However there is a slight change to
the O_NONBLOCK behavior. Earlier threads that are using O_NONBLOCK are also
getting blocked inside fdget_pos(). Now they reach to function fs and error
code is returned. The non blocking behavior is actually honoured now.
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Link: https://lore.kernel.org/r/1636712682-1226-1-git-send-email-quic_pkondeti@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Haimin Zhang [Sat, 13 Nov 2021 16:53:20 +0000 (11:53 -0500)]
USB: ehci_brcm_hub_control: Improve port index sanitizing
[ Upstream commit
9933698f6119886c110750e67c10ac66f12b730f ]
Due to (wIndex & 0xff) - 1 can get an integer greater than 15, this
can cause array index to be out of bounds since the size of array
port_status is 15. This change prevents a possible out-of-bounds
pointer computation by forcing the use of a valid port number.
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20211113165320.GA59686@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Amjad Ouled-Ameur [Fri, 12 Nov 2021 16:28:26 +0000 (17:28 +0100)]
usb: dwc3: meson-g12a: fix shared reset control use
[ Upstream commit
4ce3b45704d5ef46fb4b28083c8aba6716fabf3b ]
reset_control_(de)assert() calls are called on a shared reset line when
reset_control_reset has been used. This is not allowed by the reset
framework.
Use reset_control_rearm() call in suspend() and remove() as a way to state
that the resource is no longer used, hence the shared reset line
may be triggered again by other devices. Use reset_control_rearm() also in
case probe fails after reset() has been called.
reset_control_rearm() keeps use of triggered_count sane in the reset
framework, use of reset_control_reset() on shared reset line should be
balanced with reset_control_rearm().
Signed-off-by: Amjad Ouled-Ameur <aouledameur@baylibre.com>
Reported-by: Jerome Brunet <jbrunet@baylibre.com>
Link: https://lore.kernel.org/r/20211112162827.128319-3-aouledameur@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Baochen Qiang [Tue, 26 Oct 2021 01:16:05 +0000 (09:16 +0800)]
ath11k: Fix crash caused by uninitialized TX ring
[ Upstream commit
273703ebdb01b6c5f1aaf4b98fb57b177609055c ]
Commit
31582373a4a8 ("ath11k: Change number of TCL rings to one for
QCA6390") avoids initializing the other entries of dp->tx_ring cause
the corresponding TX rings on QCA6390/WCN6855 are not used, but leaves
those ring masks in ath11k_hw_ring_mask_qca6390.tx unchanged. Normally
this is OK because we will only get interrupts from the first TX ring
on these chips and thus only the first entry of dp->tx_ring is involved.
In case of one MSI vector, all DP rings share the same IRQ. For each
interrupt, all rings have to be checked, which means the other entries
of dp->tx_ring are involved. However since they are not initialized,
system crashes.
Fix this issue by simply removing those ring masks.
crash stack:
[ 102.907438] BUG: kernel NULL pointer dereference, address:
0000000000000028
[ 102.907447] #PF: supervisor read access in kernel mode
[ 102.907451] #PF: error_code(0x0000) - not-present page
[ 102.907453] PGD
1081f0067 P4D
1081f0067 PUD
1081f1067 PMD 0
[ 102.907460] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 102.907465] CPU: 0 PID: 3511 Comm: apt-check Kdump: loaded Tainted: G E 5.15.0-rc4-wt-ath+ #20
[ 102.907470] Hardware name: AMD Celadon-RN/Celadon-RN, BIOS RCD1005E 10/08/2020
[ 102.907472] RIP: 0010:ath11k_dp_tx_completion_handler+0x201/0x830 [ath11k]
[ 102.907497] Code: 3c 24 4e 8d ac 37 10 04 00 00 4a 8d bc 37 68 04 00 00 48 89 3c 24 48 63 c8 89 83 84 18 00 00 48 c1 e1 05 48 03 8b 78 18 00 00 <8b> 51 08 89 d6 83 e6 07 89 74 24 24 83 fe 03 74 04 85 f6 75 63 41
[ 102.907501] RSP: 0000:
ffff9b7340003e08 EFLAGS:
00010202
[ 102.907505] RAX:
0000000000000001 RBX:
ffff8e21530c0100 RCX:
0000000000000020
[ 102.907508] RDX:
0000000000000000 RSI:
00000000fffffe00 RDI:
ffff8e21530c1938
[ 102.907511] RBP:
ffff8e21530c0000 R08:
0000000000000001 R09:
0000000000000000
[ 102.907513] R10:
ffff8e2145534c10 R11:
0000000000000001 R12:
ffff8e21530c2938
[ 102.907515] R13:
ffff8e21530c18e0 R14:
0000000000000100 R15:
ffff8e21530c2978
[ 102.907518] FS:
00007f5d4297e740(0000) GS:
ffff8e243d600000(0000) knlGS:
0000000000000000
[ 102.907521] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 102.907524] CR2:
0000000000000028 CR3:
00000001034ea000 CR4:
0000000000350ef0
[ 102.907527] Call Trace:
[ 102.907531] <IRQ>
[ 102.907537] ath11k_dp_service_srng+0x5c/0x2f0 [ath11k]
[ 102.907556] ath11k_pci_ext_grp_napi_poll+0x21/0x70 [ath11k_pci]
[ 102.907562] __napi_poll+0x2c/0x160
[ 102.907570] net_rx_action+0x251/0x310
[ 102.907576] __do_softirq+0x107/0x2fc
[ 102.907585] irq_exit_rcu+0x74/0x90
[ 102.907593] common_interrupt+0x83/0xa0
[ 102.907600] </IRQ>
[ 102.907601] asm_common_interrupt+0x1e/0x40
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20211026011605.58615-1-quic_bqiang@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mauro Carvalho Chehab [Thu, 11 Nov 2021 23:04:09 +0000 (23:04 +0000)]
media: atomisp: handle errors at sh_css_create_isp_params()
[ Upstream commit
58043dbf6d1ae9deab4f5aa1e039c70112017682 ]
The succ var tracks memory allocation erros on this function.
Fix it, in order to stop this W=1 Werror in clang:
drivers/staging/media/atomisp/pci/sh_css_params.c:2430:7: error: variable 'succ' set but not used [-Werror,-Wunused-but-set-variable]
bool succ = true;
^
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Linus Lüssing [Sun, 31 Oct 2021 21:30:12 +0000 (22:30 +0100)]
batman-adv: allow netlink usage in unprivileged containers
[ Upstream commit
9057d6c23e7388ee9d037fccc9a7bc8557ce277b ]
Currently, creating a batman-adv interface in an unprivileged LXD
container and attaching secondary interfaces to it with "ip" or "batctl"
works fine. However all batctl debug and configuration commands
fail:
root@container:~# batctl originators
Error received: Operation not permitted
root@container:~# batctl orig_interval
1000
root@container:~# batctl orig_interval 2000
root@container:~# batctl orig_interval
1000
To fix this change the generic netlink permissions from GENL_ADMIN_PERM
to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully
maintainable as root from within a user namespace, from an unprivileged
container.
All except one batman-adv netlink setting are per interface and do not
leak information or change settings from the host system and are
therefore save to retrieve or modify as root from within an unprivileged
container.
"batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only
exception: It provides the batman-adv kernel module wide default routing
algorithm. However it is read-only from netlink and an unprivileged
container is still not allowed to modify
/sys/module/batman_adv/parameters/routing_algo. Instead it is advised to
use the newly introduced "batctl if create routing_algo RA_NAME" /
IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface
creation, which already works fine in an unprivileged container.
Cc: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wan Jiabing [Mon, 18 Oct 2021 01:45:03 +0000 (21:45 -0400)]
ARM: shmobile: rcar-gen2: Add missing of_node_put()
[ Upstream commit
85744f2d938c5f3cfc44cb6533c157469634da93 ]
Fix following coccicheck warning:
./arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c:156:1-33: Function
for_each_matching_node_and_match should have of_node_put() before break
and goto.
Early exits from for_each_matching_node_and_match() should decrement the
node reference counter.
Signed-off-by: Wan Jiabing <wanjiabing@vivo.com>
Link: https://lore.kernel.org/r/20211018014503.7598-1-wanjiabing@vivo.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mauro Carvalho Chehab [Wed, 10 Nov 2021 12:59:11 +0000 (12:59 +0000)]
media: atomisp: check before deference asd variable
[ Upstream commit
71665d816214124d6bc4eb80314ac8f84ecacd78 ]
The asd->isp was referenced before checking if asd is not
NULL.
This fixes this warning:
../drivers/staging/media/atomisp/pci/atomisp_cmd.c:5548 atomisp_set_fmt_to_snr() warn: variable dereferenced before check 'asd' (see line 5540)
While here, avoid getting the pipe pointer twice.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Sun, 7 Nov 2021 17:15:48 +0000 (17:15 +0000)]
media: atomisp-ov2680: Fix ov2680_set_fmt() clobbering the exposure
[ Upstream commit
4492289c31364d28c2680b43b18883385a5d216c ]
Now that we restore the default or last user set exposure setting on
power_up() there is no need for the registers written by ov2680_set_fmt()
to write to the exposure register.
Not doing so fixes the exposure always being reset to the value from
the res->regs array after a set_fmt().
Link: https://lore.kernel.org/linux-media/20211107171549.267583-11-hdegoede@redhat.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mauro Carvalho Chehab [Fri, 29 Oct 2021 07:09:39 +0000 (08:09 +0100)]
media: atomisp: set per-device's default mode
[ Upstream commit
2c45e343c581091835c9047ed5298518aa133163 ]
The atomisp driver originally used the s_parm command to
initialize the run_mode type to the driver. So, before start
setting up the streaming, s_parm should be called.
So, even having 5 "normal" video devices, one meant to be used
for each type, the run_mode was actually selected when
s_parm is called.
Without setting the run mode, applications that don't call
VIDIOC_SET_PARM with a custom atomisp parameters won't work, as
the pipeline won't be set:
atomisp-isp2 0000:00:03.0: can't create streams
atomisp-isp2 0000:00:03.0: __get_frame_info 1600x1200 (padded to 0) returned -22
However, commit
8a7c5594c020 ("media: v4l2-ioctl: clear fields in s_parm")
broke support for it, with a good reason, as drivers shoudn't be
extending the API for their own purposes.
So, as an step to allow generic apps to use this driver, put
the device's run_mode in preview after open.
After this patch, using v4l2grab starts to work on preview
mode (/dev/video2):
$ v4l2grab -f YUYV -x 1600 -y 1200 -d /dev/video2 -n 1 -u
$ feh out000.pnm
So, let's just setup the default run_mode that each video devnode
should assume, setting it at open() time.
Reported-by: Tsuchiya Yuto <kitakar@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mauro Carvalho Chehab [Thu, 4 Nov 2021 11:45:27 +0000 (11:45 +0000)]
media: atomisp: fix try_fmt logic
[ Upstream commit
c9e9094c4e42124af909b2f5f6ded0498e0854ac ]
The internal try_fmt logic is not meant to provide everything
that the V4L2 API should provide. Also, it doesn't decrement
the pads that are used only internally by the driver, but aren't
part of the device's output.
Fix it.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ben Skeggs [Wed, 24 Feb 2021 09:29:52 +0000 (19:29 +1000)]
drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR
[ Upstream commit
1d2271d2fb85e54bfc9630a6c30ac0feb9ffb983 ]
There have been reports of the WFI timing out on some boards, and a
patch was proposed to just remove it. This stuff is rather fragile,
and I believe the WFI might be needed with our FW prior to GM200.
However, we probably should not be touching PMU during init on GPUs
where we depend on NVIDIA FW, outside of limited circumstances, so
this should be a somewhat safer change that achieves the desired
result.
Reported-by: Diego Viola <diego.viola@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Signed-off-by: Karol Herbst <kherbst@redhat.com>
Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/10
Signed-off-by: Sasha Levin <sashal@kernel.org>
Neil Armstrong [Fri, 29 Oct 2021 13:59:47 +0000 (15:59 +0200)]
drm/bridge: dw-hdmi: handle ELD when DRM_BRIDGE_ATTACH_NO_CONNECTOR
[ Upstream commit
3f2532d65a571ca02258b547b5b68ab2e9406fdb ]
The current ELD handling takes the internal connector ELD buffer and
shares it to the I2S and AHB sub-driver.
But with DRM_BRIDGE_ATTACH_NO_CONNECTOR, the connector is created
elsewhere (or not), and an eventual connector is known only
if the bridge chain up to a connector is enabled.
The current dw-hdmi code gets the current connector from
atomic_enable() so use the already stored connector pointer and
replace the buffer pointer with a callback returning the current
connector ELD buffer.
Since a connector is not always available, either pass an empty
ELD to the alsa HDMI driver or don't call snd_pcm_hw_constraint_eld()
in AHB driver.
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
[narmstrong: fixed typo in commit log]
Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211029135947.3022875-1-narmstrong@baylibre.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zekun Shen [Thu, 28 Oct 2021 22:37:49 +0000 (18:37 -0400)]
ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
[ Upstream commit
ae80b6033834342601e99f74f6a62ff5092b1cee ]
Unexpected WDCMSG_TARGET_START replay can lead to null-ptr-deref
when ar->tx_cmd->odata is NULL. The patch adds a null check to
prevent such case.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
ar5523_cmd+0x46a/0x581 [ar5523]
ar5523_probe.cold+0x1b7/0x18da [ar5523]
? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
? __pm_runtime_set_status+0x54a/0x8f0
? _raw_spin_trylock_bh+0x120/0x120
? pm_runtime_barrier+0x220/0x220
? __pm_runtime_resume+0xb1/0xf0
usb_probe_interface+0x25b/0x710
really_probe+0x209/0x5d0
driver_probe_device+0xc6/0x1b0
device_driver_attach+0xe2/0x120
I found the bug using a custome USBFuzz port. It's a research work
to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
providing hand-crafted usb descriptors to QEMU.
After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START,
I got the null-ptr-deref bug. I believe the bug is triggerable whenever
cmd->odata is NULL. After patching, I tested with the same input and no
longer see the KASAN report.
This was NOT tested on a real device.
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
Andrii Nakryiko [Sun, 7 Nov 2021 16:55:21 +0000 (08:55 -0800)]
selftests/bpf: Fix bpf_object leak in skb_ctx selftest
[ Upstream commit
8c7a95520184b6677ca6075e12df9c208d57d088 ]
skb_ctx selftest didn't close bpf_object implicitly allocated by
bpf_prog_test_load() helper. Fix the problem by explicitly calling
bpf_object__close() at the end of the test.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
Link: https://lore.kernel.org/bpf/20211107165521.9240-10-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Andrii Nakryiko [Sun, 7 Nov 2021 16:55:20 +0000 (08:55 -0800)]
selftests/bpf: Destroy XDP link correctly
[ Upstream commit
f91231eeeed752119f49eb6620cae44ec745a007 ]
bpf_link__detach() was confused with bpf_link__destroy() and leaves
leaked FD in the process. Fix the problem.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
Link: https://lore.kernel.org/bpf/20211107165521.9240-9-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Andrii Nakryiko [Sun, 7 Nov 2021 16:55:15 +0000 (08:55 -0800)]
selftests/bpf: Fix memory leaks in btf_type_c_dump() helper
[ Upstream commit
8ba285874913da21ca39a46376e9cc5ce0f45f94 ]
Free up memory and resources used by temporary allocated memstream and
btf_dump instance.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
Link: https://lore.kernel.org/bpf/20211107165521.9240-4-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Qiang Yu [Sun, 31 Oct 2021 04:16:04 +0000 (12:16 +0800)]
drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y
[ Upstream commit
89636a06fa2ee7826a19c39c19a9bc99ab9340a9 ]
Otherwise get following warning:
DMA-API: lima 1c40000.gpu: mapping sg segment longer than device claims to support [len=4149248] [max=65536]
See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/5496
Reviewed-by: Vasily Khoruzhick <anarsoul@gmail.com>
Reported-by: Roman Stratiienko <r.stratiienko@gmail.com>
Signed-off-by: Qiang Yu <yuq825@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211031041604.187216-1-yuq825@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alexander Aring [Tue, 2 Nov 2021 19:17:24 +0000 (15:17 -0400)]
fs: dlm: filter user dlm messages for kernel locks
[ Upstream commit
6c2e3bf68f3e5e5a647aa52be246d5f552d7496d ]
This patch fixes the following crash by receiving a invalid message:
[ 160.672220] ==================================================================
[ 160.676206] BUG: KASAN: user-memory-access in dlm_user_add_ast+0xc3/0x370
[ 160.679659] Read of size 8 at addr
00000000deadbeef by task kworker/u32:13/319
[ 160.681447]
[ 160.681824] CPU: 10 PID: 319 Comm: kworker/u32:13 Not tainted 5.14.0-rc2+ #399
[ 160.683472] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.14.0-1.module+el8.6.0+12648+
6ede71a5 04/01/2014
[ 160.685574] Workqueue: dlm_recv process_recv_sockets
[ 160.686721] Call Trace:
[ 160.687310] dump_stack_lvl+0x56/0x6f
[ 160.688169] ? dlm_user_add_ast+0xc3/0x370
[ 160.689116] kasan_report.cold.14+0x116/0x11b
[ 160.690138] ? dlm_user_add_ast+0xc3/0x370
[ 160.690832] dlm_user_add_ast+0xc3/0x370
[ 160.691502] _receive_unlock_reply+0x103/0x170
[ 160.692241] _receive_message+0x11df/0x1ec0
[ 160.692926] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 160.693700] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 160.694427] ? lock_acquire+0x175/0x400
[ 160.695058] ? do_purge.isra.51+0x200/0x200
[ 160.695744] ? lock_acquired+0x360/0x5d0
[ 160.696400] ? lock_contended+0x6a0/0x6a0
[ 160.697055] ? lock_release+0x21d/0x5e0
[ 160.697686] ? lock_is_held_type+0xe0/0x110
[ 160.698352] ? lock_is_held_type+0xe0/0x110
[ 160.699026] ? ___might_sleep+0x1cc/0x1e0
[ 160.699698] ? dlm_wait_requestqueue+0x94/0x140
[ 160.700451] ? dlm_process_requestqueue+0x240/0x240
[ 160.701249] ? down_write_killable+0x2b0/0x2b0
[ 160.701988] ? do_raw_spin_unlock+0xa2/0x130
[ 160.702690] dlm_receive_buffer+0x1a5/0x210
[ 160.703385] dlm_process_incoming_buffer+0x726/0x9f0
[ 160.704210] receive_from_sock+0x1c0/0x3b0
[ 160.704886] ? dlm_tcp_shutdown+0x30/0x30
[ 160.705561] ? lock_acquire+0x175/0x400
[ 160.706197] ? rcu_read_lock_sched_held+0xa1/0xd0
[ 160.706941] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 160.707681] process_recv_sockets+0x32/0x40
[ 160.708366] process_one_work+0x55e/0xad0
[ 160.709045] ? pwq_dec_nr_in_flight+0x110/0x110
[ 160.709820] worker_thread+0x65/0x5e0
[ 160.710423] ? process_one_work+0xad0/0xad0
[ 160.711087] kthread+0x1ed/0x220
[ 160.711628] ? set_kthread_struct+0x80/0x80
[ 160.712314] ret_from_fork+0x22/0x30
The issue is that we received a DLM message for a user lock but the
destination lock is a kernel lock. Note that the address which is trying
to derefence is
00000000deadbeef, which is in a kernel lock
lkb->lkb_astparam, this field should never be derefenced by the DLM
kernel stack. In case of a user lock lkb->lkb_astparam is lkb->lkb_ua
(memory is shared by a union field). The struct lkb_ua will be handled
by the DLM kernel stack but on a kernel lock it will contain invalid
data and ends in most likely crashing the kernel.
It can be reproduced with two cluster nodes.
node 2:
dlm_tool join test
echo "862 fooobaar 1 2 1" > /sys/kernel/debug/dlm/test_locks
echo "862 3 1" > /sys/kernel/debug/dlm/test_waiters
node 1:
dlm_tool join test
python:
foo = DLM(h_cmd=3, o_nextcmd=1, h_nodeid=1, h_lockspace=0x77222027, \
m_type=7, m_flags=0x1, m_remid=0x862, m_result=0xFFFEFFFE)
newFile = open("/sys/kernel/debug/dlm/comms/2/rawmsg", "wb")
newFile.write(bytes(foo))
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Archie Pusaka [Thu, 28 Oct 2021 11:17:25 +0000 (19:17 +0800)]
Bluetooth: Fix removing adv when processing cmd complete
[ Upstream commit
2128939fe2e771645dd88e1938c27fdf96bd1cd0 ]
If we remove one instance of adv using Set Extended Adv Enable, there
is a possibility of issue occurs when processing the Command Complete
event. Especially, the adv_info might not be found since we already
remove it in hci_req_clear_adv_instance() -> hci_remove_adv_instance().
If that's the case, we will mistakenly proceed to remove all adv
instances instead of just one single instance.
This patch fixes the issue by checking the content of the HCI command
instead of checking whether the adv_info is found.
Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Brian Norris [Fri, 24 Sep 2021 00:33:55 +0000 (17:33 -0700)]
drm/panel: Delete panel on mipi_dsi_attach() failure
[ Upstream commit
9bf7123bb07f98dc76acb5daa91248e6f95713cb ]
Many DSI panel drivers fail to clean up their panel references on
mipi_dsi_attach() failure, so we're leaving a dangling drm_panel
reference to freed memory. Clean that up on failure.
Noticed by inspection, after seeing similar problems on other drivers.
Therefore, I'm not marking Fixes/stable.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.3.If9e74fa9b1d6eaa9e0e5b95b2b957b992740251c@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wei Yongjun [Wed, 13 Oct 2021 08:55:01 +0000 (16:55 +0800)]
Bluetooth: Fix memory leak of hci device
[ Upstream commit
75d9b8559ac36e059238ee4f8e33cd86086586ba ]
Fault injection test reported memory leak of hci device as follows:
unreferenced object 0xffff88800b858000 (size 8192):
comm "kworker/0:2", pid 167, jiffies
4294955747 (age 557.148s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N..
backtrace:
[<
0000000070eb1059>] kmem_cache_alloc_trace mm/slub.c:3208
[<
00000000015eb521>] hci_alloc_dev_priv include/linux/slab.h:591
[<
00000000dcfc1e21>] bpa10x_probe include/net/bluetooth/hci_core.h:1240
[<
000000005d3028c7>] usb_probe_interface drivers/usb/core/driver.c:397
[<
00000000cbac9243>] really_probe drivers/base/dd.c:517
[<
0000000024cab3f0>] __driver_probe_device drivers/base/dd.c:751
[<
00000000202135cb>] driver_probe_device drivers/base/dd.c:782
[<
000000000761f2bc>] __device_attach_driver drivers/base/dd.c:899
[<
00000000f7d63134>] bus_for_each_drv drivers/base/bus.c:427
[<
00000000c9551f0b>] __device_attach drivers/base/dd.c:971
[<
000000007f79bd16>] bus_probe_device drivers/base/bus.c:487
[<
000000007bb8b95a>] device_add drivers/base/core.c:3364
[<
000000009564d9ea>] usb_set_configuration drivers/usb/core/message.c:2171
[<
00000000e4657087>] usb_generic_driver_probe drivers/usb/core/generic.c:239
[<
0000000071ede518>] usb_probe_device drivers/usb/core/driver.c:294
[<
00000000cbac9243>] really_probe drivers/base/dd.c:517
hci_alloc_dev() do not init the device's flag. And hci_free_dev()
using put_device() to free the memory allocated for this device,
but it calls just put_device(dev) only in case of HCI_UNREGISTER
flag is set, So any error handing before hci_register_dev() success
will cause memory leak.
To avoid this behaviour we can using kfree() to release dev before
hci_register_dev() success.
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wei Yongjun [Wed, 13 Oct 2021 08:55:46 +0000 (16:55 +0800)]
Bluetooth: Fix debugfs entry leak in hci_register_dev()
[ Upstream commit
5a4bb6a8e981d3d0d492aa38412ee80b21033177 ]
Fault injection test report debugfs entry leak as follows:
debugfs: Directory 'hci0' with parent 'bluetooth' already present!
When register_pm_notifier() failed in hci_register_dev(), the debugfs
create by debugfs_create_dir() do not removed in the error handing path.
Add the remove debugfs code to fix it.
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Merlijn Wajer [Sun, 12 Dec 2021 22:40:07 +0000 (23:40 +0100)]
leds: lp55xx: initialise output direction from dts
[ Upstream commit
9e87a8da747bf72365abb79e6f64fcca955b4f56 ]
Commit
a5d3d1adc95f ("leds: lp55xx: Initialize enable GPIO direction to
output") attempts to fix this, but the fix did not work since at least
for the Nokia N900 the value needs to be set to HIGH, per the device
tree. So rather than hardcoding the value to a potentially invalid value
for some devices, let's set direction in lp55xx_init_device.
Fixes:
a5d3d1adc95f ("leds: lp55xx: Initialize enable GPIO direction to output")
Fixes:
92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
Fixes:
ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors")
Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sicelo A. Mhlongo [Sun, 12 Dec 2021 22:40:06 +0000 (23:40 +0100)]
ARM: dts: omap3-n900: Fix lp5523 for multi color
[ Upstream commit
e9af026a3b24f59d7af4609f73e0ef60a4d6d516 ]
Since the LED multicolor framework support was added in commit
92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
LEDs on this platform stopped working.
Fixes:
92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
Fixes:
ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors")
Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
Signed-off-by: Sicelo A. Mhlongo <absicsz@gmail.com>
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
jason-jh.lin [Thu, 23 Dec 2021 14:51:55 +0000 (22:51 +0800)]
mailbox: fix gce_num of mt8192 driver data
[ Upstream commit
35ca43710f792ce183312fdc7e4b2bb0b721a173 ]
Because mt8192 only have 1 gce, the gce_num should be 1.
Fixes:
85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for mt8195")
Signed-off-by: jason-jh.lin <jason-jh.lin@mediatek.com>
Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Paul Cercueil [Fri, 7 Jan 2022 18:57:22 +0000 (18:57 +0000)]
MIPS: compressed: Fix build with ZSTD compression
[ Upstream commit
c5c7440fe7f74645940d5c9e2c49cd7efb706a4f ]
Fix the following build issues:
mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_buildDTable_internal':
decompress.c:(.text.FSE_buildDTable_internal+0x2cc): undefined reference to `__clzdi2'
mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `BIT_initDStream':
decompress.c:(.text.BIT_initDStream+0x7c): undefined reference to `__clzdi2'
mips64el-linux-ld: decompress.c:(.text.BIT_initDStream+0x158): undefined reference to `__clzdi2'
mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_buildFSETable_body_default.constprop.0':
decompress.c:(.text.ZSTD_buildFSETable_body_default.constprop.0+0x2a8): undefined reference to `__clzdi2'
mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_readNCount_body_default':
decompress.c:(.text.FSE_readNCount_body_default+0x130): undefined reference to `__ctzdi2'
mips64el-linux-ld: decompress.c:(.text.FSE_readNCount_body_default+0x1a4): undefined reference to `__ctzdi2'
mips64el-linux-ld: decompress.c:(.text.FSE_readNCount_body_default+0x2e4): undefined reference to `__clzdi2'
mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `HUF_readStats_body_default':
decompress.c:(.text.HUF_readStats_body_default+0x184): undefined reference to `__clzdi2'
mips64el-linux-ld: decompress.c:(.text.HUF_readStats_body_default+0x1b4): undefined reference to `__clzdi2'
mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_DCtx_getParameter':
decompress.c:(.text.ZSTD_DCtx_getParameter+0x60): undefined reference to `__clzdi2'
Fixes:
a510b616131f ("MIPS: Add support for ZSTD-compressed kernels")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Nick Terrell <terrelln@fb.com>
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Paul Cercueil [Fri, 19 Nov 2021 17:50:52 +0000 (17:50 +0000)]
MIPS: boot/compressed/: add __ashldi3 to target for ZSTD compression
[ Upstream commit
fbf3bce458214bb971d3d571515b3b129eac290b ]
Just like before with __bswapdi2(), for MIPS pre-boot when
CONFIG_KERNEL_ZSTD=y the decompressor function will use __ashldi3(), so
the object file should be added to the target object file.
Fixes these build errors:
mipsel-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_buildDTable_internal':
decompress.c:(.text.FSE_buildDTable_internal+0x48): undefined reference to `__ashldi3'
mipsel-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_decompress_wksp_body_default':
decompress.c:(.text.FSE_decompress_wksp_body_default+0xa8): undefined reference to `__ashldi3'
mipsel-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_getFrameHeader_advanced':
decompress.c:(.text.ZSTD_getFrameHeader_advanced+0x134): undefined reference to `__ashldi3'
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Stephen Boyd [Fri, 7 Jan 2022 19:42:32 +0000 (11:42 -0800)]
of/fdt: Don't worry about non-memory region overlap for no-map
[ Upstream commit
da17d6905d29ddcdc04b2fdc37ed8cf1e8437cc8 ]
In commit
8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove
already reserved regions") we returned -EBUSY when trying to mark
regions as no-map when they intersect with reserved memory. The goal was
to find bad no-map reserved memory DT nodes that would unmap the kernel
text/data sections.
The problem is the reserved memory check will still trigger if the DT
has a /memreserve/ that completely subsumes the no-map memory carveouts
in the reserved memory node _and_ that region is also not part of the
memory reg property. For example in sc7180.dtsi we have the following
reserved-memory and memory node:
memory@
80000000 {
/* We expect the bootloader to fill in the size */
reg = <0 0x80000000 0 0>;
};
smem_mem: memory@
80900000 {
reg = <0x0 0x80900000 0x0 0x200000>;
no-map;
};
and the memreserve filled in by the bootloader is
/memreserve/ 0x80800000 0x400000;
while the /memory node is transformed into
memory@
80000000 {
/* The bootloader fills in the size, and adds another region */
reg = <0 0x80000000 0 0x00800000>,
<0 0x80c00000 0 0x7f200000>;
};
The smem region is doubly reserved via /memreserve/ and by not being
part of the /memory reg property. This leads to the following warning
printed at boot.
OF: fdt: Reserved memory: failed to reserve memory for node 'memory@
80900000': base 0x0000000080900000, size 2 MiB
Otherwise nothing really goes wrong because the smem region is not going
to be mapped by the kernel's direct linear mapping given that it isn't
part of the memory node. Therefore, let's only consider this to be a
problem if we're trying to mark a region as no-map and it is actually
memory that we're intending to keep out of the kernel's direct mapping
but it's already been reserved.
Acked-by: Mike Rapoport <rppt@kernel.org>
Cc: Douglas Anderson <dianders@chromium.org>
Cc: Nicolas Boichat <drinkcat@chromium.org>
Cc: Quentin Perret <qperret@google.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Fixes:
8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove already reserved regions")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20220107194233.2793146-1-swboyd@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Baruch Siach [Thu, 30 Dec 2021 16:31:52 +0000 (18:31 +0200)]
of: base: Fix phandle argument length mismatch error message
[ Upstream commit
94a4950a4acff39b5847cc1fee4f65e160813493 ]
The cell_count field of of_phandle_iterator is the number of cells we
expect in the phandle arguments list when cells_name is missing. The
error message should show the number of cells we actually see.
Fixes:
af3be70a3211 ("of: Improve of_phandle_iterator_next() error message")
Cc: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/96519ac55be90a63fa44afe01480c30d08535465.1640881913.git.baruch@tkos.co.il
Signed-off-by: Sasha Levin <sashal@kernel.org>
Conor Dooley [Thu, 23 Dec 2021 15:42:44 +0000 (15:42 +0000)]
clk: bm1880: remove kfrees on static allocations
[ Upstream commit
c861c1be3897845313a0df47804b1db37c7052e1 ]
bm1880_clk_unregister_pll & bm1880_clk_unregister_div both try to
free statically allocated variables, so remove those kfrees.
For example, if we take L703 kfree(div_hw):
- div_hw is a bm1880_div_hw_clock pointer
- in bm1880_clk_register_plls this is pointed to an element of arg1:
struct bm1880_div_hw_clock *clks
- in the probe, where bm1880_clk_register_plls is called arg1 is
bm1880_div_clks, defined on L371:
static struct bm1880_div_hw_clock bm1880_div_clks[]
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Fixes:
1ab4601da55b ("clk: Add common clock driver for BM1880 SoC")
Link: https://lore.kernel.org/r/20211223154244.1024062-1-conor.dooley@microchip.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Shengjiu Wang [Wed, 5 Jan 2022 11:08:03 +0000 (19:08 +0800)]
ASoC: fsl_asrc: refine the check of available clock divider
[ Upstream commit
320386343451ab6a3577e0ee200dac56a6182944 ]
According to RM, the clock divider range is from 1 to 8, clock
prescaling ratio may be any power of 2 from 1 to 128.
So the supported divider is not all the value between
1 and 1024, just limited value in that range.
Create table for the supported divder and add function to
check the clock divider is available by comparing with
the table.
Fixes:
d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1641380883-20709-1-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Shengjiu Wang [Tue, 4 Jan 2022 10:40:35 +0000 (18:40 +0800)]
ASoC: imx-card: improve the sound quality for low rate
[ Upstream commit
3969341813eb56d2dfc39bb64229359a6ae3c195 ]
According to RM, on auto mode:
For codec AK4458 and AK4497, the lowest ratio of MLCK/FS is 256
if sample rate is 8kHz-48kHz,
For codec AK5558, the lowest ratio of MLCK/FS is 512 if sample
rate is 8kHz-48kHz.
With these setting the sound quality for 8kHz-48kHz can be improved.
Fixes:
aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1641292835-19085-4-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Shengjiu Wang [Tue, 4 Jan 2022 10:40:34 +0000 (18:40 +0800)]
ASoC: imx-card: Fix mclk calculation issue for akcodec
[ Upstream commit
f331ae5fa59fbfb748317b290648fc3f1a50d932 ]
Transfer the refined slots and slot_width to akcodec_get_mclk_rate()
for mclk calculation, otherwise the mclk frequency does not match
with the slots and slot_width for S16_LE format, because the default
slot_width is 32.
Fixes:
aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1641292835-19085-3-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Shengjiu Wang [Tue, 4 Jan 2022 10:40:33 +0000 (18:40 +0800)]
ASoC: imx-card: Need special setting for ak4497 on i.MX8MQ
[ Upstream commit
3349b3d0c63b8b6fcca58156d72407f0b2e101ac ]
The SAI on i.MX8MQ don't support one2one ratio for mclk:bclk, so
the mclk frequency exceeds the supported range of codec for
the case that sample rate is larger than 705kHZ and format is
S32_LE. Update the supported width for such case.
Fixes:
aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1641292835-19085-2-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Taniya Das [Mon, 20 Dec 2021 16:43:56 +0000 (22:13 +0530)]
clk: qcom: gcc-sc7280: Mark gcc_cfg_noc_lpass_clk always enabled
[ Upstream commit
9c337073d9d81a145434b22f42dc3128ecd17730 ]
The gcc cfg noc lpass clock is required to be always enabled for the
LPASS core and audio drivers to be functional.
Fixes:
a3cc092196ef ("clk: qcom: Add Global Clock controller (GCC) driver for SC7280")
Signed-off-by: Taniya Das <tdas@codeaurora.org>
Link: https://lore.kernel.org/r/1640018638-19436-4-git-send-email-tdas@codeaurora.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kamal Heib [Mon, 20 Dec 2021 15:25:30 +0000 (17:25 +0200)]
RDMA/cxgb4: Set queue pair state when being queried
[ Upstream commit
e375b9c92985e409c4bb95dd43d34915ea7f5e28 ]
The API for ib_query_qp requires the driver to set cur_qp_state on return,
add the missing set.
Fixes:
67bbc05512d8 ("RDMA/cxgb4: Add query_qp support")
Link: https://lore.kernel.org/r/20211220152530.60399-1-kamalheib1@gmail.com
Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christian A. Ehrhardt [Fri, 31 Dec 2021 13:44:32 +0000 (14:44 +0100)]
ALSA: hda/cs8409: Fix Jack detection after resume
[ Upstream commit
57f234248ff925d88caedf4019ec84e6ecb83909 ]
The suspend code unconditionally sets ->hp_jack_in and ->mic_jack_in
to zero but without reporting this status change to the HDA core.
To compensate for this, always assume a status change on the
first unsol event after boot or resume.
Fixes:
424e531b47f8 ("ALSA: hda/cs8409: Ensure Type Detection is only run on startup when necessary")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Link: https://lore.kernel.org/r/20211231134432.atwmuzeceqiklcoa@cae.in-ulm.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christian A. Ehrhardt [Fri, 31 Dec 2021 13:12:21 +0000 (14:12 +0100)]
ALSA: hda/cs8409: Increase delay during jack detection
[ Upstream commit
8cd07657177006b67cc1610e4466cc75ad781c05 ]
Commit
c8b4f0865e82 reduced delays related to cs42l42 jack
detection. However, the change was too aggressive. As a result
internal speakers on DELL Inspirion 3501 are not detected.
Increase the delay in cs42l42_run_jack_detect() a bit.
Fixes:
c8b4f0865e82 ("ALSA: hda/cs8409: Remove unnecessary delays")
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Link: https://lore.kernel.org/r/20211231131221.itwotyfk5qomn7n6@cae.in-ulm.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alyssa Ross [Tue, 4 Jan 2022 13:22:16 +0000 (13:22 +0000)]
ASoC: fsl_mqs: fix MODULE_ALIAS
[ Upstream commit
9f3d45318dd9e739ed62e4218839a7a824d3cced ]
modprobe can't handle spaces in aliases.
Fixes:
9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Link: https://lore.kernel.org/r/20220104132218.1690103-1-hi@alyssa.is
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ammar Faizi [Sun, 26 Dec 2021 13:54:02 +0000 (20:54 +0700)]
powerpc/xive: Add missing null check after calling kmalloc
[ Upstream commit
18dbfcdedc802f9500b2c29794f22a31d27639c0 ]
Commit
930914b7d528fc ("powerpc/xive: Add a debugfs file to dump
internal XIVE state") forgot to add a null check.
Add it.
Fixes:
930914b7d528fc6b0249bffc00564100bcf6ef75 ("powerpc/xive: Add a debugfs file to dump internal XIVE state")
Signed-off-by: Ammar Faizi <ammarfaizi2@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211226135314.251221-1-ammar.faizi@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Randy Dunlap [Wed, 29 Dec 2021 00:05:53 +0000 (16:05 -0800)]
mips: bcm63xx: add support for clk_set_parent()
[ Upstream commit
6f03055d508ff4feb8db02ba3df9303a1db8d381 ]
The MIPS BMC63XX subarch does not provide/support clk_set_parent().
This causes build errors in a few drivers, so add a simple implementation
of that function so that callers of it will build without errors.
Fixes these build errors:
ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined!
ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined!
Fixes:
e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs." )
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Randy Dunlap [Wed, 29 Dec 2021 00:03:45 +0000 (16:03 -0800)]
mips: lantiq: add support for clk_set_parent()
[ Upstream commit
76f66dfd60dc5d2f9dec22d99091fea1035c5d03 ]
Provide a simple implementation of clk_set_parent() in the lantiq
subarch so that callers of it will build without errors.
Fixes these build errors:
ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined!
ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined!
Fixes:
171bb2f19ed6 ("MIPS: Lantiq: Add initial support for Lantiq SoCs")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
--to=linux-mips@vger.kernel.org --cc="John Crispin <john@phrozen.org>" --cc="Jonathan Cameron <jic23@kernel.org>" --cc="Russell King <linux@armlinux.org.uk>" --cc="Andy Shevchenko <andy.shevchenko@gmail.com>" --cc=alsa-devel@alsa-project.org --to="Thomas Bogendoerfer <tsbogend@alpha.franken.de>"
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sameer Pujar [Thu, 23 Dec 2021 11:53:51 +0000 (17:23 +0530)]
arm64: tegra: Remove non existent Tegra194 reset
[ Upstream commit
146b3a77af8091cabbd1decc51d67799e69682d2 ]
Tegra194 does not really have "hda2codec_2x" related reset. Hence drop
this entry to reflect actual HW.
Fixes:
4878cc0c9fab ("arm64: tegra: Add HDA controller on Tegra194")
Signed-off-by: Sameer Pujar <spujar@nvidia.com>
Link: https://lore.kernel.org/r/1640260431-11613-4-git-send-email-spujar@nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Trevor Wu [Thu, 30 Dec 2021 08:47:30 +0000 (16:47 +0800)]
ASoC: mediatek: mt8195: correct pcmif BE dai control flow
[ Upstream commit
2355028c0c54c03afb66c589347f1dc9f6fe2e38 ]
Originally, the conditions for preventing reentry are not correct.
dai->component->active is not the state specifically for pcmif dai, so it
is not a correct condition to indicate the status of pcmif dai.
On the other hand, snd_soc_dai_stream_actvie() in prepare ops for both
playback and capture possibly return true at the first entry when these
two streams are opened at the same time.
In the patch, I refer to the implementation in mt8192-dai-pcm.c.
Clock and enabling bit for PCMIF are managed by DAPM, and the condition
for prepare ops is replaced by the status of dai widget.
Fixes:
1f95c019115c ("ASoC: mediatek: mt8195: support pcm in platform driver")
Signed-off-by: Trevor Wu <trevor.wu@mediatek.com>
Link: https://lore.kernel.org/r/20211230084731.31372-2-trevor.wu@mediatek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wei Yongjun [Tue, 28 Dec 2021 12:55:22 +0000 (12:55 +0000)]
misc: lattice-ecp3-config: Fix task hung when firmware load failed
[ Upstream commit
fcee5ce50bdb21116711e38635e3865594af907e ]
When firmware load failed, kernel report task hung as follows:
INFO: task xrun:5191 blocked for more than 147 seconds.
Tainted: G W 5.16.0-rc5-next-
20211220+ #11
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:xrun state:D stack: 0 pid: 5191 ppid: 270 flags:0x00000004
Call Trace:
__schedule+0xc12/0x4b50 kernel/sched/core.c:4986
schedule+0xd7/0x260 kernel/sched/core.c:6369 (discriminator 1)
schedule_timeout+0x7aa/0xa80 kernel/time/timer.c:1857
wait_for_completion+0x181/0x290 kernel/sched/completion.c:85
lattice_ecp3_remove+0x32/0x40 drivers/misc/lattice-ecp3-config.c:221
spi_remove+0x72/0xb0 drivers/spi/spi.c:409
lattice_ecp3_remove() wait for signals from firmware loading, but when
load failed, firmware_load() does not send this signal. This cause
device remove hung. Fix it by sending signal even if load failed.
Fixes:
781551df57c7 ("misc: Add Lattice ECP3 FPGA configuration via SPI")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Link: https://lore.kernel.org/r/20211228125522.3122284-1-weiyongjun1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jiasheng Jiang [Tue, 28 Dec 2021 03:40:26 +0000 (11:40 +0800)]
ASoC: samsung: idma: Check of ioremap return value
[ Upstream commit
3ecb46755eb85456b459a1a9f952c52986bce8ec ]
Because of the potential failure of the ioremap(), the buf->area could
be NULL.
Therefore, we need to check it and return -ENOMEM in order to transfer
the error.
Fixes:
f09aecd50f39 ("ASoC: SAMSUNG: Add I2S0 internal dma driver")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20211228034026.1659385-1-jiasheng@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Swapnil Jakhade [Thu, 23 Dec 2021 06:01:33 +0000 (07:01 +0100)]
phy: cadence: Sierra: Fix to get correct parent for mux clocks
[ Upstream commit
da08aab940092a050a4fb2857ed9479d2b0e03c4 ]
Fix get_parent() callback to return the correct index of the parent for
PLL_CMNLC1 clock. Add a separate table of register values corresponding
to the parent index for PLL_CMNLC1. Update set_parent() callback
accordingly.
Fixes:
28081b72859f ("phy: cadence: Sierra: Model PLL_CMNLC and PLL_CMNLC1 as clocks (mux clocks)")
Signed-off-by: Swapnil Jakhade <sjakhade@cadence.com>
Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
Link: https://lore.kernel.org/r/20211223060137.9252-12-sjakhade@cadence.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Michael Ellerman [Tue, 21 Dec 2021 13:51:00 +0000 (00:51 +1100)]
powerpc/64s: Use EMIT_WARN_ENTRY for SRR debug warnings
[ Upstream commit
fd1eaaaaa6864b5fb8f99880fcefb49760b8fe4e ]
When CONFIG_PPC_RFI_SRR_DEBUG=y we check the SRR values before returning
from interrupts. This is done in asm using EMIT_BUG_ENTRY, and passing
BUGFLAG_WARNING.
However that fails to create an exception table entry for the warning,
and so do_program_check() fails the exception table search and proceeds
to call _exception(), resulting in an oops like:
Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in:
CPU: 2 PID: 1204 Comm: sigreturn_unali Tainted: P 5.16.0-rc2-00194-g91ca3d4f77c5 #12
NIP:
c00000000000c5b0 LR:
0000000000000000 CTR:
0000000000000000
...
NIP [
c00000000000c5b0] system_call_common+0x150/0x268
LR [
0000000000000000] 0x0
Call Trace:
[
c00000000db73e10] [
c00000000000c558] system_call_common+0xf8/0x268 (unreliable)
...
Instruction dump:
7cc803a6 888d0931 2c240000 4082001c 38800000 988d0931 e8810170 e8a10178
7c9a03a6 7cbb03a6 7d7a02a6 e9810170 <
7f0b6088>
7d7b02a6 e9810178 7f0b6088
We should instead use EMIT_WARN_ENTRY, which creates an exception table
entry for the warning, allowing the warning to be correctly recognised,
and the code to resume after printing the warning.
Note however that because this warning is buried deep in the interrupt
return path, we are not able to recover from it (due to MSR_RI being
clear), so we still end up in die() with an unrecoverable exception.
Fixes:
59dc5bfca0cb ("powerpc/64s: avoid reloading (H)SRR registers if they are still valid")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211221135101.2085547-2-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
Michael Ellerman [Tue, 21 Dec 2021 13:50:59 +0000 (00:50 +1100)]
powerpc/64s: Mask NIP before checking against SRR0
[ Upstream commit
314f6c23dd8d417281eb9e8a516dd98036f2e7b3 ]
When CONFIG_PPC_RFI_SRR_DEBUG=y we check that NIP and SRR0 match when
returning from interrupts. This can trigger falsely if NIP has either of
its two low bits set via sigreturn or ptrace, while SRR0 has its low two
bits masked in hardware.
As a quick fix make sure to mask the low bits before doing the check.
Fixes:
59dc5bfca0cb ("powerpc/64s: avoid reloading (H)SRR registers if they are still valid")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Link: https://lore.kernel.org/r/20211221135101.2085547-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jiasheng Jiang [Wed, 22 Dec 2021 01:51:57 +0000 (09:51 +0800)]
ASoC: mediatek: Check for error clk pointer
[ Upstream commit
9de2b9286a6dd16966959b3cb34fc2ddfd39213e ]
Yes, you are right and now the return code depending on the
init_clks().
Fixes:
6078c651947a ("soc: mediatek: Refine scpsys to support multiple platform")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20211222015157.1025853-1-jiasheng@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ryuta NAKANISHI [Wed, 22 Dec 2021 05:19:29 +0000 (14:19 +0900)]
phy: uniphier-usb3ss: fix unintended writing zeros to PHY register
[ Upstream commit
898c7a9ec81620125f2463714a0f4dea18ad6e54 ]
Similar to commit
4a90bbb478db ("phy: uniphier-pcie: Fix updating phy
parameters"), in function uniphier_u3ssphy_set_param(), unintentionally
write zeros to other fields when writing PHY registers.
Fixes:
5ab43d0f8697 ("phy: socionext: add USB3 PHY driver for UniPhier SoC")
Signed-off-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/1640150369-4134-1-git-send-email-hayashi.kunihiko@socionext.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alan Stern [Mon, 20 Dec 2021 11:21:26 +0000 (19:21 +0800)]
scsi: block: pm: Always set request queue runtime active in blk_post_runtime_resume()
[ Upstream commit
6e1fcab00a23f7fe9f4fe9704905a790efa1eeab ]
John Garry reported a deadlock that occurs when trying to access a
runtime-suspended SATA device. For obscure reasons, the rescan procedure
causes the link to be hard-reset, which disconnects the device.
The rescan tries to carry out a runtime resume when accessing the device.
scsi_rescan_device() holds the SCSI device lock and won't release it until
it can put commands onto the device's block queue. This can't happen until
the queue is successfully runtime-resumed or the device is unregistered.
But the runtime resume fails because the device is disconnected, and
__scsi_remove_device() can't do the unregistration because it can't get the
device lock.
The best way to resolve this deadlock appears to be to allow the block
queue to start running again even after an unsuccessful runtime resume.
The idea is that the driver or the SCSI error handler will need to be able
to use the queue to resolve the runtime resume failure.
This patch removes the err argument to blk_post_runtime_resume() and makes
the routine act as though the resume was successful always. This fixes the
deadlock.
Link: https://lore.kernel.org/r/1639999298-244569-4-git-send-email-chenxiang66@hisilicon.com
Fixes:
e27829dc92e5 ("scsi: serialize ->rescan against ->remove")
Reported-and-tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Pingfan Liu [Wed, 15 Dec 2021 02:13:48 +0000 (10:13 +0800)]
efi: apply memblock cap after memblock_add()
[ Upstream commit
b398123bff3bcbc1facb0f29bf6e7b9f1bc55931 ]
On arm64, during kdump kernel saves vmcore, it runs into the following bug:
...
[ 15.148919] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmem_cache_node' (offset 0, size 4096)!
[ 15.159707] ------------[ cut here ]------------
[ 15.164311] kernel BUG at mm/usercopy.c:99!
[ 15.168482] Internal error: Oops - BUG: 0 [#1] SMP
[ 15.173261] Modules linked in: xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce sbsa_gwdt ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm nvme nvme_core xgene_hwmon i2c_designware_platform i2c_designware_core dm_mirror dm_region_hash dm_log dm_mod overlay squashfs zstd_decompress loop
[ 15.206186] CPU: 0 PID: 542 Comm: cp Not tainted 5.16.0-rc4 #1
[ 15.212006] Hardware name: GIGABYTE R272-P30-JG/MP32-AR0-JG, BIOS F12 (SCP: 1.5.
20210426) 05/13/2021
[ 15.221125] pstate:
60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 15.228073] pc : usercopy_abort+0x9c/0xa0
[ 15.232074] lr : usercopy_abort+0x9c/0xa0
[ 15.236070] sp :
ffff8000121abba0
[ 15.239371] x29:
ffff8000121abbb0 x28:
0000000000003000 x27:
0000000000000000
[ 15.246494] x26:
0000000080000400 x25:
0000ffff885c7000 x24:
0000000000000000
[ 15.253617] x23:
000007ff80400000 x22:
ffff07ff80401000 x21:
0000000000000001
[ 15.260739] x20:
0000000000001000 x19:
ffff07ff80400000 x18:
ffffffffffffffff
[ 15.267861] x17:
656a626f2042554c x16:
53206d6f72662064 x15:
6574636574656420
[ 15.274983] x14:
74706d6574746120 x13:
2129363930342065 x12:
7a6973202c302074
[ 15.282105] x11:
ffffc8b041d1b148 x10:
00000000ffff8000 x9 :
ffffc8b04012812c
[ 15.289228] x8 :
00000000ffff7fff x7 :
ffffc8b041d1b148 x6 :
0000000000000000
[ 15.296349] x5 :
0000000000000000 x4 :
0000000000007fff x3 :
0000000000000000
[ 15.303471] x2 :
0000000000000000 x1 :
ffff07ff8c064800 x0 :
000000000000006b
[ 15.310593] Call trace:
[ 15.313027] usercopy_abort+0x9c/0xa0
[ 15.316677] __check_heap_object+0xd4/0xf0
[ 15.320762] __check_object_size.part.0+0x160/0x1e0
[ 15.325628] __check_object_size+0x2c/0x40
[ 15.329711] copy_oldmem_page+0x7c/0x140
[ 15.333623] read_from_oldmem.part.0+0xfc/0x1c0
[ 15.338142] __read_vmcore.constprop.0+0x23c/0x350
[ 15.342920] read_vmcore+0x28/0x34
[ 15.346309] proc_reg_read+0xb4/0xf0
[ 15.349871] vfs_read+0xb8/0x1f0
[ 15.353088] ksys_read+0x74/0x100
[ 15.356390] __arm64_sys_read+0x28/0x34
...
This bug introduced by commit
b261dba2fdb2 ("arm64: kdump: Remove custom
linux,usable-memory-range handling"), which moves
memblock_cap_memory_range() to fdt, but it breaches the rules that
memblock_cap_memory_range() should come after memblock_add() etc as said
in commit
e888fa7bb882 ("memblock: Check memory add/cap ordering").
As a consequence, the virtual address set up by copy_oldmem_page() does
not bail out from the test of virt_addr_valid() in check_heap_object(),
and finally hits the BUG_ON().
Since memblock allocator has no idea about when the memblock is fully
populated, while efi_init() is aware, so tackling this issue by calling the
interface early_init_dt_check_for_usable_mem_range() exposed by of/fdt.
Fixes:
b261dba2fdb2 ("arm64: kdump: Remove custom linux,usable-memory-range handling")
Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
Cc: Rob Herring <robh+dt@kernel.org>
Cc: Zhen Lei <thunder.leizhen@huawei.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Frank Rowand <frowand.list@gmail.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Nick Terrell <terrelln@fb.com>
Cc: linux-arm-kernel@lists.infradead.org
To: devicetree@vger.kernel.org
To: linux-efi@vger.kernel.org
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20211215021348.8766-1-kernelfans@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zhen Lei [Tue, 14 Dec 2021 04:01:56 +0000 (12:01 +0800)]
of: fdt: Aggregate the processing of "linux,usable-memory-range"
[ Upstream commit
8347b41748c3019157312fbe7f8a6792ae396eb7 ]
Currently, we parse the "linux,usable-memory-range" property in
early_init_dt_scan_chosen(), to obtain the specified memory range of the
crash kernel. We then reserve the required memory after
early_init_dt_scan_memory() has identified all available physical memory.
Because the two pieces of code are separated far, the readability and
maintainability are reduced. So bring them together.
Suggested-by: Rob Herring <robh@kernel.org>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
(change the prototype of early_init_dt_check_for_usable_mem_range(), in
order to use it outside)
Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
Tested-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Acked-by: John Donnelly <john.p.donnelly@oracle.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
To: devicetree@vger.kernel.org
To: linux-efi@vger.kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Trevor Wu [Thu, 16 Dec 2021 02:24:24 +0000 (10:24 +0800)]
ASoC: mediatek: mt8195: correct default value
[ Upstream commit
30e693ee82d20361f2caacca3b68c79e1a7cb16c ]
mt8195_cg_patch is used to reset the default value of audio cg, so the
register value could be consistent with CCF reference count.
Nevertheless, AUDIO_TOP_CON1[1:0] is used to control an internal mux,
and it's expected to keep the default value 0.
This patch corrects the default value in case an unexpected behavior
happens in the future.
Fixes:
6746cc8582599 ("ASoC: mediatek: mt8195: add platform driver")
Signed-off-by: Trevor Wu <trevor.wu@mediatek.com>
Link: https://lore.kernel.org/r/20211216022424.28470-1-trevor.wu@mediatek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Xiongfeng Wang [Fri, 17 Dec 2021 15:30:55 +0000 (15:30 +0000)]
iommu/iova: Fix race between FQ timeout and teardown
[ Upstream commit
d7061627d701c90e1cac1e1e60c45292f64f3470 ]
It turns out to be possible for hotplugging out a device to reach the
stage of tearing down the device's group and default domain before the
domain's flush queue has drained naturally. At this point, it is then
possible for the timeout to expire just before the del_timer() call
in free_iova_flush_queue(), such that we then proceed to free the FQ
resources while fq_flush_timeout() is still accessing them on another
CPU. Crashes due to this have been observed in the wild while removing
NVMe devices.
Close the race window by using del_timer_sync() to safely wait for any
active timeout handler to finish before we start to free things. We
already avoid any locking in free_iova_flush_queue() since the FQ is
supposed to be inactive anyway, so the potential deadlock scenario does
not apply.
Fixes:
9a005a800ae8 ("iommu/iova: Add flush timer")
Reviewed-by: John Garry <john.garry@huawei.com>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ rm: rewrite commit message ]
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Link: https://lore.kernel.org/r/0a365e5b07f14b7344677ad6a9a734966a8422ce.1639753638.git.robin.murphy@arm.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Cezary Rojewski [Thu, 16 Dec 2021 11:57:39 +0000 (12:57 +0100)]
ASoC: Intel: catpt: Test dmaengine_submit() result before moving on
[ Upstream commit
2a9a72e290d4a4741e673f86b9fba9bfb319786d ]
After calling dmaengine_submit(), the submitted transfer descriptor
belongs to the DMA engine. Pointer to that descriptor may no longer be
valid after the call and should be tested before awaiting transfer
completion.
Reported-by: Kevin Tian <kevin.tian@intel.com>
Suggested-by: Dave Jiang <dave.jiang@intel.com>
Fixes:
4fac9b31d0b9 ("ASoC: Intel: Add catpt base members")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20211216115743.2130622-2-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Maxim Levitsky [Tue, 23 Nov 2021 16:10:38 +0000 (18:10 +0200)]
iommu/amd: Remove useless irq affinity notifier
[ Upstream commit
575f5cfb13c84f324f9898383fa4a5694e53c9ef ]
iommu->intcapxt_notify field is no longer used
after a switch to a separate domain was done
Fixes:
d1adcfbb520c ("iommu/amd: Fix IOMMU interrupt generation in X2APIC mode")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20211123161038.48009-6-mlevitsk@redhat.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Maxim Levitsky [Tue, 23 Nov 2021 16:10:37 +0000 (18:10 +0200)]
iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume
[ Upstream commit
1980105e3cfc2215c75b4f6b172661d675c467d1 ]
Use IRQCHIP_MASK_ON_SUSPEND to make the core irq code to
mask the iommu interrupt on suspend and unmask it on the resume.
Since now the unmask function updates the INTX settings,
that will restore them on resume from s3/s4.
Since IRQCHIP_MASK_ON_SUSPEND is only effective for interrupts
which are not wakeup sources, remove IRQCHIP_SKIP_SET_WAKE flag
and instead implement a dummy .irq_set_wake which doesn't allow
the interrupt to become a wakeup source.
Fixes:
66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20211123161038.48009-5-mlevitsk@redhat.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Maxim Levitsky [Tue, 23 Nov 2021 16:10:36 +0000 (18:10 +0200)]
iommu/amd: X2apic mode: setup the INTX registers on mask/unmask
[ Upstream commit
4691f79d62a637958f7b5f55c232a65399500b7a ]
This is more logically correct and will also allow us to
to use mask/unmask logic to restore INTX setttings after
the resume from s3/s4.
Fixes:
66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20211123161038.48009-4-mlevitsk@redhat.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Maxim Levitsky [Tue, 23 Nov 2021 16:10:35 +0000 (18:10 +0200)]
iommu/amd: X2apic mode: re-enable after resume
[ Upstream commit
01b297a48a26bcb96769505ac948db4603b72bd1 ]
Otherwise it is guaranteed to not work after the resume...
Fixes:
66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20211123161038.48009-3-mlevitsk@redhat.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
projects / platform / kernel / linux-rpi.git / log