+++ /dev/null
-From 06b2af89868e7ffc5fbed8aa5384da72c03ce22f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 28 Jun 2023 02:13:32 +0200
-Subject: Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
-
-From: Tobias Heider <me@tobhe.de>
-
-[ Upstream commit 046f753da6143ee16452966915087ec8b0de3c70 ]
-
-Fixes a bug where on the M1 mac mini initramfs-tools fails to
-include the necessary firmware into the initrd.
-
-Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware")
-Signed-off-by: Tobias Heider <me@tobhe.de>
-Reviewed-by: Michael Chan <michael.chan@broadcom.com>
-Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ethernet/broadcom/tg3.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
-index 2cf144bbef3ee..43b83a3a28049 100644
---- a/drivers/net/ethernet/broadcom/tg3.c
-+++ b/drivers/net/ethernet/broadcom/tg3.c
-@@ -235,6 +235,7 @@ MODULE_DESCRIPTION("Broadcom Tigon3 ethernet driver");
- MODULE_LICENSE("GPL");
- MODULE_VERSION(DRV_MODULE_VERSION);
- MODULE_FIRMWARE(FIRMWARE_TG3);
-+MODULE_FIRMWARE(FIRMWARE_TG357766);
- MODULE_FIRMWARE(FIRMWARE_TG3TSO);
- MODULE_FIRMWARE(FIRMWARE_TG3TSO5);
-
---
-2.39.2
-
+++ /dev/null
-From ef191039261e6299d0524a779176e2161f7e34a6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 15 Jun 2023 10:17:32 +0800
-Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
-
-From: Su Hui <suhui@nfschina.com>
-
-[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ]
-
-smatch error:
-sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
-we previously assumed 'rac97' could be null (see line 2072)
-
-remove redundant assignment, return error if rac97 is NULL.
-
-Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*")
-Signed-off-by: Su Hui <suhui@nfschina.com>
-Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/ac97/ac97_codec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
-index a276c4283c7bb..3f13666a01904 100644
---- a/sound/pci/ac97/ac97_codec.c
-+++ b/sound/pci/ac97/ac97_codec.c
-@@ -2026,8 +2026,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
- .dev_disconnect = snd_ac97_dev_disconnect,
- };
-
-- if (rac97)
-- *rac97 = NULL;
-+ if (!rac97)
-+ return -EINVAL;
- if (snd_BUG_ON(!bus || !template))
- return -EINVAL;
- if (snd_BUG_ON(template->num >= 4))
---
-2.39.2
-
+++ /dev/null
-From 95c1235b2f413d5838e5f37cb1b8895436d3505c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 6 Jul 2023 17:53:57 +0200
-Subject: ALSA: jack: Fix mutex call in snd_jack_report()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Takashi Iwai <tiwai@suse.de>
-
-[ Upstream commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 ]
-
-snd_jack_report() is supposed to be callable from an IRQ context, too,
-and it's indeed used in that way from virtsnd driver. The fix for
-input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev
-under mutex"), however, introduced a mutex lock in snd_jack_report(),
-and this resulted in a potential sleep-in-atomic.
-
-For addressing that problem, this patch changes the relevant code to
-use the object get/put and removes the mutex usage. That is,
-snd_jack_report(), it takes input_get_device() and leaves with
-input_put_device() for assuring the input_dev being assigned.
-
-Although the whole mutex could be reduced, we keep it because it can
-be still a protection for potential races between creation and
-deletion.
-
-Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex")
-Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
-Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain
-Tested-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/core/jack.c | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/sound/core/jack.c b/sound/core/jack.c
-index 074b15fcb0ac4..06e0fc7b64179 100644
---- a/sound/core/jack.c
-+++ b/sound/core/jack.c
-@@ -378,6 +378,7 @@ void snd_jack_report(struct snd_jack *jack, int status)
- {
- struct snd_jack_kctl *jack_kctl;
- #ifdef CONFIG_SND_JACK_INPUT_DEV
-+ struct input_dev *idev;
- int i;
- #endif
-
-@@ -389,30 +390,28 @@ void snd_jack_report(struct snd_jack *jack, int status)
- status & jack_kctl->mask_bits);
-
- #ifdef CONFIG_SND_JACK_INPUT_DEV
-- mutex_lock(&jack->input_dev_lock);
-- if (!jack->input_dev) {
-- mutex_unlock(&jack->input_dev_lock);
-+ idev = input_get_device(jack->input_dev);
-+ if (!idev)
- return;
-- }
-
- for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
- int testbit = SND_JACK_BTN_0 >> i;
-
- if (jack->type & testbit)
-- input_report_key(jack->input_dev, jack->key[i],
-+ input_report_key(idev, jack->key[i],
- status & testbit);
- }
-
- for (i = 0; i < ARRAY_SIZE(jack_switch_types); i++) {
- int testbit = 1 << i;
- if (jack->type & testbit)
-- input_report_switch(jack->input_dev,
-+ input_report_switch(idev,
- jack_switch_types[i],
- status & testbit);
- }
-
-- input_sync(jack->input_dev);
-- mutex_unlock(&jack->input_dev_lock);
-+ input_sync(idev);
-+ input_put_device(idev);
- #endif /* CONFIG_SND_JACK_INPUT_DEV */
- }
- EXPORT_SYMBOL(snd_jack_report);
---
-2.39.2
-
+++ /dev/null
-From ad8837c42c62766fa3f8dfe3b124485fc46c71a2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 12 Jun 2023 00:50:50 +0900
-Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__
- guard
-
-From: Masahiro Yamada <masahiroy@kernel.org>
-
-[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ]
-
-ASM_NL is useful not only in *.S files but also in .c files for using
-inline assembler in C code.
-
-On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to
-a backquote (`) in *.S files, but a semicolon (;) in *.c files because
-arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__,
-so the definition for C code falls back to the default value defined in
-include/linux/linkage.h.
-
-If ASM_NL is used in inline assembler in .c files, it will result in
-wrong assembly code because a semicolon is not an instruction separator,
-but the start of a comment for ARC.
-
-Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef.
-
-Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro")
-Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC")
-Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arc/include/asm/linkage.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h
-index f3d29d4840d58..b89ca8b4d5975 100644
---- a/arch/arc/include/asm/linkage.h
-+++ b/arch/arc/include/asm/linkage.h
-@@ -11,6 +11,10 @@
-
- #include <asm/dwarf.h>
-
-+#define ASM_NL ` /* use '`' to mark new line in macro */
-+#define __ALIGN .align 4
-+#define __ALIGN_STR __stringify(__ALIGN)
-+
- #ifdef __ASSEMBLY__
-
- .macro ST2 e, o, off
-@@ -31,10 +35,6 @@
- #endif
- .endm
-
--#define ASM_NL ` /* use '`' to mark new line in macro */
--#define __ALIGN .align 4
--#define __ALIGN_STR __stringify(__ALIGN)
--
- /* annotation for data we want in DCCM - if enabled in .config */
- .macro ARCFP_DATA nm
- #ifdef CONFIG_ARC_HAS_DCCM
---
-2.39.2
-
+++ /dev/null
-From 75acdde2ef23456085ec596574a650610356060a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 10 May 2019 16:24:15 -0700
-Subject: ARCv2: entry: avoid a branch
-
-From: Vineet Gupta <vgupta@synopsys.com>
-
-[ Upstream commit ab854bfcd310b5872fe12eb8d3f2c30fe427f8f7 ]
-
-Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arc/include/asm/entry-arcv2.h | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
-index 3209a67629606..beaf655666cbd 100644
---- a/arch/arc/include/asm/entry-arcv2.h
-+++ b/arch/arc/include/asm/entry-arcv2.h
-@@ -100,12 +100,11 @@
- ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
- ; but on return, restored only if U mode
-
-+ lr r9, [AUX_USER_SP] ; U mode SP
-+
- mov.nz r9, sp
- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
-- bnz 1f
-
-- lr r9, [AUX_USER_SP] ; U mode SP
--1:
- PUSH r9 ; SP (pt_regs->sp)
-
- PUSH fp
---
-2.39.2
-
+++ /dev/null
-From d101114608fd77f1804cd33e13286d0ff46f7084 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 9 Apr 2019 16:55:15 -0700
-Subject: ARCv2: entry: comments about hardware auto-save on taken interrupts
-
-From: Vineet Gupta <vgupta@synopsys.com>
-
-[ Upstream commit 45869eb0c0afd72bd5ab2437d4b00915697c044a ]
-
-Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arc/include/asm/entry-arcv2.h | 78 ++++++++++++++++++++++++------
- 1 file changed, 62 insertions(+), 16 deletions(-)
-
-diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
-index 225e7df2d8ed8..1c3520d1fa420 100644
---- a/arch/arc/include/asm/entry-arcv2.h
-+++ b/arch/arc/include/asm/entry-arcv2.h
-@@ -7,15 +7,54 @@
- #include <asm/irqflags-arcv2.h>
- #include <asm/thread_info.h> /* For THREAD_SIZE */
-
-+/*
-+ * Interrupt/Exception stack layout (pt_regs) for ARCv2
-+ * (End of struct aligned to end of page [unless nested])
-+ *
-+ * INTERRUPT EXCEPTION
-+ *
-+ * manual --------------------- manual
-+ * | orig_r0 |
-+ * | event/ECR |
-+ * | bta |
-+ * | user_r25 |
-+ * | gp |
-+ * | fp |
-+ * | sp |
-+ * | r12 |
-+ * | r30 |
-+ * | r58 |
-+ * | r59 |
-+ * hw autosave ---------------------
-+ * optional | r0 |
-+ * | r1 |
-+ * ~ ~
-+ * | r9 |
-+ * | r10 |
-+ * | r11 |
-+ * | blink |
-+ * | lpe |
-+ * | lps |
-+ * | lpc |
-+ * | ei base |
-+ * | ldi base |
-+ * | jli base |
-+ * ---------------------
-+ * hw autosave | pc / eret |
-+ * mandatory | stat32 / erstatus |
-+ * ---------------------
-+ */
-+
- /*------------------------------------------------------------------------*/
- .macro INTERRUPT_PROLOGUE called_from
--
-- ; Before jumping to Interrupt Vector, hardware micro-ops did following:
-+ ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following:
- ; 1. SP auto-switched to kernel mode stack
-- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1, K:0)
-- ; 3. Auto saved: r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI, PC, STAT32
-+ ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0)
-+ ; 3. Auto save: (mandatory) Push PC and STAT32 on stack
-+ ; hardware does even if CONFIG_ARC_IRQ_NO_AUTOSAVE
-+ ; 4. Auto save: (optional) r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI
- ;
-- ; Now manually save: r12, sp, fp, gp, r25
-+ ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair
-
- #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
- .ifnc \called_from, exception
-@@ -57,14 +96,17 @@
- ; - U mode: retrieve it from AUX_USER_SP
- ; - K mode: add the offset from current SP where H/w starts auto push
- ;
-- ; Utilize the fact that Z bit is set if Intr taken in U mode
-+ ; 1. Utilize the fact that Z bit is set if Intr taken in U mode
-+ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
-+ ; but on return, restored only if U mode
-+
- mov.nz r9, sp
-- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4
-+ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
- bnz 1f
-
-- lr r9, [AUX_USER_SP]
-+ lr r9, [AUX_USER_SP] ; U mode SP
- 1:
-- PUSH r9 ; SP
-+ PUSH r9 ; SP (pt_regs->sp)
-
- PUSH fp
- PUSH gp
-@@ -85,6 +127,8 @@
- /*------------------------------------------------------------------------*/
- .macro INTERRUPT_EPILOGUE called_from
-
-+ ; INPUT: r0 has STAT32 of calling context
-+ ; INPUT: Z flag set if returning to K mode
- .ifnc \called_from, exception
- add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss
- .endif
-@@ -98,9 +142,10 @@
- POP gp
- POP fp
-
-- ; Don't touch AUX_USER_SP if returning to K mode (Z bit set)
-- ; (Z bit set on K mode is inverse of INTERRUPT_PROLOGUE)
-- add.z sp, sp, 4
-+ ; Restore SP (into AUX_USER_SP) only if returning to U mode
-+ ; - for K mode, it will be implicitly restored as stack is unwound
-+ ; - Z flag set on K is inverse of what hardware does on interrupt entry
-+ ; but that doesn't really matter
- bz 1f
-
- POPAX AUX_USER_SP
-@@ -145,11 +190,11 @@
- /*------------------------------------------------------------------------*/
- .macro EXCEPTION_PROLOGUE
-
-- ; Before jumping to Exception Vector, hardware micro-ops did following:
-+ ; (A) Before jumping to Exception Vector, hardware micro-ops did following:
- ; 1. SP auto-switched to kernel mode stack
-- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1,K:0)
-+ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0)
- ;
-- ; Now manually save the complete reg file
-+ ; (B) Manually save the complete reg file below
-
- PUSH r9 ; freeup a register: slot of erstatus
-
-@@ -195,12 +240,13 @@
- PUSHAX ecr ; r9 contains ECR, expected by EV_Trap
-
- PUSH r0 ; orig_r0
-+ ; OUTPUT: r9 has ECR
- .endm
-
- /*------------------------------------------------------------------------*/
- .macro EXCEPTION_EPILOGUE
-
-- ; Assumes r0 has PT_status32
-+ ; INPUT: r0 has STAT32 of calling context
- btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE
-
- add sp, sp, 8 ; orig_r0/ECR don't need restoring
---
-2.39.2
-
+++ /dev/null
-From e4c727839b77a24016fb973f42e27538b4d5f0b9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 9 Apr 2019 19:16:37 -0700
-Subject: ARCv2: entry: push out the Z flag unclobber from common
- EXCEPTION_PROLOGUE
-
-From: Vineet Gupta <vgupta@synopsys.com>
-
-[ Upstream commit 23c0cbd0c75c3b564850294427fd2be2bc2a015b ]
-
-Upon a taken interrupt/exception from User mode, HS hardware auto sets Z flag.
-This helps shave a few instructions from EXCEPTION_PROLOGUE by eliding
-re-reading ERSTATUS and some bit fiddling.
-
-However TLB Miss Exception handler can clobber the CPU flags and still end
-up in EXCEPTION_PROLOGUE in the slow path handling TLB handling case:
-
- EV_TLBMissD
- do_slow_path_pf
- EV_TLBProtV (aliased to call_do_page_fault)
- EXCEPTION_PROLOGUE
-
-As a result, EXCEPTION_PROLOGUE need to "unclobber" the Z flag which this
-patch changes. It is now pushed out to TLB Miss Exception handler.
-The reasons beings:
-
- - The flag restoration is only needed for slowpath TLB Miss Exception
- handling, but currently being in EXCEPTION_PROLOGUE penalizes all
- exceptions such as ProtV and syscall Trap, where Z flag is already
- as expected.
-
- - Pushing unclobber out to where it was clobbered is much cleaner and
- also serves to document the fact.
-
- - Makes EXCEPTION_PROLGUE similar to INTERRUPT_PROLOGUE so easier to
- refactor the common parts which is what this series aims to do
-
-Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arc/include/asm/entry-arcv2.h | 8 --------
- arch/arc/mm/tlbex.S | 11 +++++++++++
- 2 files changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
-index 1c3520d1fa420..3209a67629606 100644
---- a/arch/arc/include/asm/entry-arcv2.h
-+++ b/arch/arc/include/asm/entry-arcv2.h
-@@ -225,14 +225,6 @@
-
- ; -- for interrupts, regs above are auto-saved by h/w in that order --
- ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25)
-- ;
-- ; Set Z flag if this was from U mode (expected by INTERRUPT_PROLOGUE)
-- ; Although H/w exception micro-ops do set Z flag for U mode (just like
-- ; for interrupts), it could get clobbered in case we soft land here from
-- ; a TLB Miss exception handler (tlbex.S)
--
-- and r10, r10, STATUS_U_MASK
-- xor.f 0, r10, STATUS_U_MASK
-
- INTERRUPT_PROLOGUE exception
-
-diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S
-index 0e1e47a67c736..e50cac799a518 100644
---- a/arch/arc/mm/tlbex.S
-+++ b/arch/arc/mm/tlbex.S
-@@ -396,6 +396,17 @@ EV_TLBMissD_fast_ret: ; additional label for VDK OS-kit instrumentation
- ;-------- Common routine to call Linux Page Fault Handler -----------
- do_slow_path_pf:
-
-+#ifdef CONFIG_ISA_ARCV2
-+ ; Set Z flag if exception in U mode. Hardware micro-ops do this on any
-+ ; taken interrupt/exception, and thus is already the case at the entry
-+ ; above, but ensuing code would have already clobbered.
-+ ; EXCEPTION_PROLOGUE called in slow path, relies on correct Z flag set
-+
-+ lr r2, [erstatus]
-+ and r2, r2, STATUS_U_MASK
-+ bxor.f 0, r2, STATUS_U_BIT
-+#endif
-+
- ; Restore the 4-scratch regs saved by fast path miss handler
- TLBMISS_RESTORE_REGS
-
---
-2.39.2
-
+++ /dev/null
-From d0fb99fc001ef3d140785f937db576f9b135eadd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 May 2019 15:36:46 -0700
-Subject: ARCv2: entry: rewrite to enable use of double load/stores LDD/STD
-
-From: Vineet Gupta <vgupta@synopsys.com>
-
-[ Upstream commit a4880801a72ecc2dcdfa432f81a754f3e7438567 ]
-
- - the motivation was to be remove blatent copy-paste due to hasty support
- of CONFIG_ARC_IRQ_NO_AUTOSAVE support
-
- - but with refactoring we could use LDD/STD to greatly optimize the code
-
-Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arc/include/asm/entry-arcv2.h | 297 ++++++++++++++---------------
- arch/arc/include/asm/linkage.h | 18 ++
- arch/arc/kernel/asm-offsets.c | 7 +
- arch/arc/kernel/entry-arcv2.S | 4 +-
- 4 files changed, 167 insertions(+), 159 deletions(-)
-
-diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
-index beaf655666cbd..0733752ce7fe8 100644
---- a/arch/arc/include/asm/entry-arcv2.h
-+++ b/arch/arc/include/asm/entry-arcv2.h
-@@ -46,7 +46,8 @@
- */
-
- /*------------------------------------------------------------------------*/
--.macro INTERRUPT_PROLOGUE called_from
-+.macro INTERRUPT_PROLOGUE
-+
- ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following:
- ; 1. SP auto-switched to kernel mode stack
- ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0)
-@@ -57,39 +58,87 @@
- ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair
-
- #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
--.ifnc \called_from, exception
-- st.as r9, [sp, -10] ; save r9 in it's final stack slot
-- sub sp, sp, 12 ; skip JLI, LDI, EI
--
-- PUSH lp_count
-- PUSHAX lp_start
-- PUSHAX lp_end
-- PUSH blink
--
-- PUSH r11
-- PUSH r10
--
-- sub sp, sp, 4 ; skip r9
--
-- PUSH r8
-- PUSH r7
-- PUSH r6
-- PUSH r5
-- PUSH r4
-- PUSH r3
-- PUSH r2
-- PUSH r1
-- PUSH r0
--.endif
--#endif
-+ ; carve pt_regs on stack (case #3), PC/STAT32 already on stack
-+ sub sp, sp, SZ_PT_REGS - 8
-
--#ifdef CONFIG_ARC_HAS_ACCL_REGS
-- PUSH r59
-- PUSH r58
-+ __SAVE_REGFILE_HARD
-+#else
-+ ; carve pt_regs on stack (case #4), which grew partially already
-+ sub sp, sp, PT_r0
- #endif
-
-- PUSH r30
-- PUSH r12
-+ __SAVE_REGFILE_SOFT
-+.endm
-+
-+/*------------------------------------------------------------------------*/
-+.macro EXCEPTION_PROLOGUE
-+
-+ ; (A) Before jumping to Exception Vector, hardware micro-ops did following:
-+ ; 1. SP auto-switched to kernel mode stack
-+ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0)
-+ ;
-+ ; (B) Manually save the complete reg file below
-+
-+ sub sp, sp, SZ_PT_REGS ; carve pt_regs
-+
-+ ; _HARD saves r10 clobbered by _SOFT as scratch hence comes first
-+
-+ __SAVE_REGFILE_HARD
-+ __SAVE_REGFILE_SOFT
-+
-+ st r0, [sp] ; orig_r0
-+
-+ lr r10, [eret]
-+ lr r11, [erstatus]
-+ ST2 r10, r11, PT_ret
-+
-+ lr r10, [ecr]
-+ lr r11, [erbta]
-+ ST2 r10, r11, PT_event
-+ mov r9, r10
-+
-+ ; OUTPUT: r9 has ECR
-+.endm
-+
-+/*------------------------------------------------------------------------
-+ * This macro saves the registers manually which would normally be autosaved
-+ * by hardware on taken interrupts. It is used by
-+ * - exception handlers (which don't have autosave)
-+ * - interrupt autosave disabled due to CONFIG_ARC_IRQ_NO_AUTOSAVE
-+ */
-+.macro __SAVE_REGFILE_HARD
-+
-+ ST2 r0, r1, PT_r0
-+ ST2 r2, r3, PT_r2
-+ ST2 r4, r5, PT_r4
-+ ST2 r6, r7, PT_r6
-+ ST2 r8, r9, PT_r8
-+ ST2 r10, r11, PT_r10
-+
-+ st blink, [sp, PT_blink]
-+
-+ lr r10, [lp_end]
-+ lr r11, [lp_start]
-+ ST2 r10, r11, PT_lpe
-+
-+ st lp_count, [sp, PT_lpc]
-+
-+ ; skip JLI, LDI, EI for now
-+.endm
-+
-+/*------------------------------------------------------------------------
-+ * This macros saves a bunch of other registers which can't be autosaved for
-+ * various reasons:
-+ * - r12: the last caller saved scratch reg since hardware saves in pairs so r0-r11
-+ * - r30: free reg, used by gcc as scratch
-+ * - ACCL/ACCH pair when they exist
-+ */
-+.macro __SAVE_REGFILE_SOFT
-+
-+ ST2 gp, fp, PT_r26 ; gp (r26), fp (r27)
-+
-+ st r12, [sp, PT_sp + 4]
-+ st r30, [sp, PT_sp + 8]
-
- ; Saving pt_regs->sp correctly requires some extra work due to the way
- ; Auto stack switch works
-@@ -100,46 +149,32 @@
- ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
- ; but on return, restored only if U mode
-
-- lr r9, [AUX_USER_SP] ; U mode SP
-+ lr r10, [AUX_USER_SP] ; U mode SP
-
-- mov.nz r9, sp
-- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
-+ ; ISA requires ADD.nz to have same dest and src reg operands
-+ mov.nz r10, sp
-+ add.nz r10, r10, SZ_PT_REGS ; K mode SP
-
-- PUSH r9 ; SP (pt_regs->sp)
--
-- PUSH fp
-- PUSH gp
-+ st r10, [sp, PT_sp] ; SP (pt_regs->sp)
-
- #ifdef CONFIG_ARC_CURR_IN_REG
-- PUSH r25 ; user_r25
-+ st r25, [sp, PT_user_r25]
- GET_CURR_TASK_ON_CPU r25
--#else
-- sub sp, sp, 4
- #endif
-
--.ifnc \called_from, exception
-- sub sp, sp, 12 ; BTA/ECR/orig_r0 placeholder per pt_regs
--.endif
-+#ifdef CONFIG_ARC_HAS_ACCL_REGS
-+ ST2 r58, r59, PT_sp + 12
-+#endif
-
- .endm
-
- /*------------------------------------------------------------------------*/
--.macro INTERRUPT_EPILOGUE called_from
-+.macro __RESTORE_REGFILE_SOFT
-
-- ; INPUT: r0 has STAT32 of calling context
-- ; INPUT: Z flag set if returning to K mode
--.ifnc \called_from, exception
-- add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss
--.endif
--
--#ifdef CONFIG_ARC_CURR_IN_REG
-- POP r25
--#else
-- add sp, sp, 4
--#endif
-+ LD2 gp, fp, PT_r26 ; gp (r26), fp (r27)
-
-- POP gp
-- POP fp
-+ ld r12, [sp, PT_sp + 4]
-+ ld r30, [sp, PT_sp + 8]
-
- ; Restore SP (into AUX_USER_SP) only if returning to U mode
- ; - for K mode, it will be implicitly restored as stack is unwound
-@@ -147,129 +182,77 @@
- ; but that doesn't really matter
- bz 1f
-
-- POPAX AUX_USER_SP
-+ ld r10, [sp, PT_sp] ; SP (pt_regs->sp)
-+ sr r10, [AUX_USER_SP]
- 1:
-- POP r12
-- POP r30
-
--#ifdef CONFIG_ARC_HAS_ACCL_REGS
-- POP r58
-- POP r59
-+#ifdef CONFIG_ARC_CURR_IN_REG
-+ ld r25, [sp, PT_user_r25]
- #endif
-
--#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
--.ifnc \called_from, exception
-- POP r0
-- POP r1
-- POP r2
-- POP r3
-- POP r4
-- POP r5
-- POP r6
-- POP r7
-- POP r8
-- POP r9
-- POP r10
-- POP r11
--
-- POP blink
-- POPAX lp_end
-- POPAX lp_start
--
-- POP r9
-- mov lp_count, r9
--
-- add sp, sp, 12 ; skip JLI, LDI, EI
-- ld.as r9, [sp, -10] ; reload r9 which got clobbered
--.endif
-+#ifdef CONFIG_ARC_HAS_ACCL_REGS
-+ LD2 r58, r59, PT_sp + 12
- #endif
--
- .endm
-
- /*------------------------------------------------------------------------*/
--.macro EXCEPTION_PROLOGUE
-+.macro __RESTORE_REGFILE_HARD
-
-- ; (A) Before jumping to Exception Vector, hardware micro-ops did following:
-- ; 1. SP auto-switched to kernel mode stack
-- ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0)
-- ;
-- ; (B) Manually save the complete reg file below
-+ ld blink, [sp, PT_blink]
-
-- PUSH r9 ; freeup a register: slot of erstatus
-+ LD2 r10, r11, PT_lpe
-+ sr r10, [lp_end]
-+ sr r11, [lp_start]
-
-- PUSHAX eret
-- sub sp, sp, 12 ; skip JLI, LDI, EI
-- PUSH lp_count
-- PUSHAX lp_start
-- PUSHAX lp_end
-- PUSH blink
-+ ld r10, [sp, PT_lpc] ; lp_count can't be target of LD
-+ mov lp_count, r10
-
-- PUSH r11
-- PUSH r10
-+ LD2 r0, r1, PT_r0
-+ LD2 r2, r3, PT_r2
-+ LD2 r4, r5, PT_r4
-+ LD2 r6, r7, PT_r6
-+ LD2 r8, r9, PT_r8
-+ LD2 r10, r11, PT_r10
-+.endm
-
-- ld.as r9, [sp, 10] ; load stashed r9 (status32 stack slot)
-- lr r10, [erstatus]
-- st.as r10, [sp, 10] ; save status32 at it's right stack slot
-
-- PUSH r9
-- PUSH r8
-- PUSH r7
-- PUSH r6
-- PUSH r5
-- PUSH r4
-- PUSH r3
-- PUSH r2
-- PUSH r1
-- PUSH r0
-+/*------------------------------------------------------------------------*/
-+.macro INTERRUPT_EPILOGUE
-
-- ; -- for interrupts, regs above are auto-saved by h/w in that order --
-- ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25)
-+ ; INPUT: r0 has STAT32 of calling context
-+ ; INPUT: Z flag set if returning to K mode
-
-- INTERRUPT_PROLOGUE exception
-+ ; _SOFT clobbers r10 restored by _HARD hence the order
-
-- PUSHAX erbta
-- PUSHAX ecr ; r9 contains ECR, expected by EV_Trap
-+ __RESTORE_REGFILE_SOFT
-+
-+#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
-+ __RESTORE_REGFILE_HARD
-+ add sp, sp, SZ_PT_REGS - 8
-+#else
-+ add sp, sp, PT_r0
-+#endif
-
-- PUSH r0 ; orig_r0
-- ; OUTPUT: r9 has ECR
- .endm
-
- /*------------------------------------------------------------------------*/
- .macro EXCEPTION_EPILOGUE
-
- ; INPUT: r0 has STAT32 of calling context
-- btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE
--
-- add sp, sp, 8 ; orig_r0/ECR don't need restoring
-- POPAX erbta
--
-- INTERRUPT_EPILOGUE exception
--
-- POP r0
-- POP r1
-- POP r2
-- POP r3
-- POP r4
-- POP r5
-- POP r6
-- POP r7
-- POP r8
-- POP r9
-- POP r10
-- POP r11
--
-- POP blink
-- POPAX lp_end
-- POPAX lp_start
--
-- POP r9
-- mov lp_count, r9
--
-- add sp, sp, 12 ; skip JLI, LDI, EI
-- POPAX eret
-- POPAX erstatus
--
-- ld.as r9, [sp, -12] ; reload r9 which got clobbered
-+
-+ btst r0, STATUS_U_BIT ; Z flag set if K, used in restoring SP
-+
-+ ld r10, [sp, PT_event + 4]
-+ sr r10, [erbta]
-+
-+ LD2 r10, r11, PT_ret
-+ sr r10, [eret]
-+ sr r11, [erstatus]
-+
-+ __RESTORE_REGFILE_SOFT
-+ __RESTORE_REGFILE_HARD
-+
-+ add sp, sp, SZ_PT_REGS
- .endm
-
- .macro FAKE_RET_FROM_EXCPN
-diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h
-index 07c8e1a6c56e2..f3d29d4840d58 100644
---- a/arch/arc/include/asm/linkage.h
-+++ b/arch/arc/include/asm/linkage.h
-@@ -13,6 +13,24 @@
-
- #ifdef __ASSEMBLY__
-
-+.macro ST2 e, o, off
-+#ifdef CONFIG_ARC_HAS_LL64
-+ std \e, [sp, \off]
-+#else
-+ st \e, [sp, \off]
-+ st \o, [sp, \off+4]
-+#endif
-+.endm
-+
-+.macro LD2 e, o, off
-+#ifdef CONFIG_ARC_HAS_LL64
-+ ldd \e, [sp, \off]
-+#else
-+ ld \e, [sp, \off]
-+ ld \o, [sp, \off+4]
-+#endif
-+.endm
-+
- #define ASM_NL ` /* use '`' to mark new line in macro */
- #define __ALIGN .align 4
- #define __ALIGN_STR __stringify(__ALIGN)
-diff --git a/arch/arc/kernel/asm-offsets.c b/arch/arc/kernel/asm-offsets.c
-index ecaf34e9235c2..e90dccecfd833 100644
---- a/arch/arc/kernel/asm-offsets.c
-+++ b/arch/arc/kernel/asm-offsets.c
-@@ -58,7 +58,14 @@ int main(void)
- DEFINE(PT_r5, offsetof(struct pt_regs, r5));
- DEFINE(PT_r6, offsetof(struct pt_regs, r6));
- DEFINE(PT_r7, offsetof(struct pt_regs, r7));
-+ DEFINE(PT_r8, offsetof(struct pt_regs, r8));
-+ DEFINE(PT_r10, offsetof(struct pt_regs, r10));
-+ DEFINE(PT_r26, offsetof(struct pt_regs, r26));
- DEFINE(PT_ret, offsetof(struct pt_regs, ret));
-+ DEFINE(PT_blink, offsetof(struct pt_regs, blink));
-+ DEFINE(PT_lpe, offsetof(struct pt_regs, lp_end));
-+ DEFINE(PT_lpc, offsetof(struct pt_regs, lp_count));
-+ DEFINE(PT_user_r25, offsetof(struct pt_regs, user_r25));
-
- DEFINE(SZ_CALLEE_REGS, sizeof(struct callee_regs));
- DEFINE(SZ_PT_REGS, sizeof(struct pt_regs));
-diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S
-index 562089d62d9d6..6cbf0ee8a20a7 100644
---- a/arch/arc/kernel/entry-arcv2.S
-+++ b/arch/arc/kernel/entry-arcv2.S
-@@ -70,7 +70,7 @@ reserved:
-
- ENTRY(handle_interrupt)
-
-- INTERRUPT_PROLOGUE irq
-+ INTERRUPT_PROLOGUE
-
- # irq control APIs local_irq_save/restore/disable/enable fiddle with
- # global interrupt enable bits in STATUS32 (.IE for 1 prio, .E[] for 2 prio)
-@@ -226,7 +226,7 @@ debug_marker_l1:
- bset.nz r11, r11, AUX_IRQ_ACT_BIT_U ; NZ means U
- sr r11, [AUX_IRQ_ACT]
-
-- INTERRUPT_EPILOGUE irq
-+ INTERRUPT_EPILOGUE
- rtie
-
- ;####### Return from Exception / pure kernel mode #######
---
-2.39.2
-
+++ /dev/null
-From b648318ddaf8c9c7c7a842d6e3b8fde1d8af0729 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 2 Jun 2023 19:28:42 +0100
-Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ]
-
-checker_stack_use_t32strd() and kprobe_handler() can be made static since
-they are not used from other files, while coverage_start_registers()
-and __kprobes_test_case() are used from assembler code, and just need
-a declaration to avoid a warning with the global definition.
-
-arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd'
-arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler'
-arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers'
-arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start'
-arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16'
-arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32'
-
-Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions")
-Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation")
-Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/probes/kprobes/checkers-common.c | 2 +-
- arch/arm/probes/kprobes/core.c | 2 +-
- arch/arm/probes/kprobes/opt-arm.c | 2 --
- arch/arm/probes/kprobes/test-core.c | 2 +-
- arch/arm/probes/kprobes/test-core.h | 4 ++++
- 5 files changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c
-index 971119c294741..aa10e5e46ebb2 100644
---- a/arch/arm/probes/kprobes/checkers-common.c
-+++ b/arch/arm/probes/kprobes/checkers-common.c
-@@ -48,7 +48,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn,
- * Different from other insn uses imm8, the real addressing offset of
- * STRD in T32 encoding should be imm8 * 4. See ARMARM description.
- */
--enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
-+static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
- struct arch_probes_insn *asi,
- const struct decode_header *h)
- {
-diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
-index 62da8e2211e4b..0a7090a65bcad 100644
---- a/arch/arm/probes/kprobes/core.c
-+++ b/arch/arm/probes/kprobes/core.c
-@@ -239,7 +239,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
- * kprobe, and that level is reserved for user kprobe handlers, so we can't
- * risk encountering a new kprobe in an interrupt handler.
- */
--void __kprobes kprobe_handler(struct pt_regs *regs)
-+static void __kprobes kprobe_handler(struct pt_regs *regs)
- {
- struct kprobe *p, *cur;
- struct kprobe_ctlblk *kcb;
-diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
-index cf08cb7267670..1516c340a0766 100644
---- a/arch/arm/probes/kprobes/opt-arm.c
-+++ b/arch/arm/probes/kprobes/opt-arm.c
-@@ -158,8 +158,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty)
- }
- }
-
--extern void kprobe_handler(struct pt_regs *regs);
--
- static void
- optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
- {
-diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c
-index cc237fa9b90fb..1c86c5d980c5b 100644
---- a/arch/arm/probes/kprobes/test-core.c
-+++ b/arch/arm/probes/kprobes/test-core.c
-@@ -723,7 +723,7 @@ static const char coverage_register_lookup[16] = {
- [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP,
- };
-
--unsigned coverage_start_registers(const struct decode_header *h)
-+static unsigned coverage_start_registers(const struct decode_header *h)
- {
- unsigned regs = 0;
- int i;
-diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h
-index 94285203e9f74..459ebda077139 100644
---- a/arch/arm/probes/kprobes/test-core.h
-+++ b/arch/arm/probes/kprobes/test-core.h
-@@ -456,3 +456,7 @@ void kprobe_thumb32_test_cases(void);
- #else
- void kprobe_arm_test_cases(void);
- #endif
-+
-+void __kprobes_test_case_start(void);
-+void __kprobes_test_case_end_16(void);
-+void __kprobes_test_case_end_32(void);
---
-2.39.2
-
+++ /dev/null
-From 4e52ab7d7ce44846873fd33945aadd2562facd21 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 May 2023 14:28:30 +0200
-Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Rafał Miłecki <rafal@milecki.pl>
-
-[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ]
-
-There is no such property in the SPI controller binding documentation.
-Also Linux driver doesn't look for it.
-
-This fixes:
-arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected)
- From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml
-
-Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
-Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com
-Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/boot/dts/bcm5301x.dtsi | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
-index 6edc4bd1e7eaf..a6406a347690e 100644
---- a/arch/arm/boot/dts/bcm5301x.dtsi
-+++ b/arch/arm/boot/dts/bcm5301x.dtsi
-@@ -468,7 +468,6 @@ spi@18029200 {
- "spi_lr_session_done",
- "spi_lr_overread";
- clocks = <&iprocmed>;
-- clock-names = "iprocmed";
- num-cs = <2>;
- #address-cells = <1>;
- #size-cells = <0>;
---
-2.39.2
-
+++ /dev/null
-From d144f3f81fdf6521253b26f80c563d4fd016ec06 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 16 May 2023 17:30:58 +0200
-Subject: ARM: ep93xx: fix missing-prototype warnings
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ]
-
-ep93xx_clocksource_read() is only called from the file it is declared in,
-while ep93xx_timer_init() is declared in a header that is not included here.
-
-arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init'
-arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read'
-
-Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS")
-Acked-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
-Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c
-index de998830f534f..b07956883e165 100644
---- a/arch/arm/mach-ep93xx/timer-ep93xx.c
-+++ b/arch/arm/mach-ep93xx/timer-ep93xx.c
-@@ -9,6 +9,7 @@
- #include <linux/io.h>
- #include <asm/mach/time.h>
- #include "soc.h"
-+#include "platform.h"
-
- /*************************************************************************
- * Timer handling for EP93xx
-@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void)
- return ret;
- }
-
--u64 ep93xx_clocksource_read(struct clocksource *c)
-+static u64 ep93xx_clocksource_read(struct clocksource *c)
- {
- u64 ret;
-
---
-2.39.2
-
+++ /dev/null
-From f8ef1233939495c405a9faa4bd1ae7d3f581bae4 Mon Sep 17 00:00:00 2001
-From: Arnd Bergmann <arnd@arndb.de>
-Date: Tue, 16 May 2023 17:31:05 +0200
-Subject: ARM: orion5x: fix d2net gpio initialization
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-commit f8ef1233939495c405a9faa4bd1ae7d3f581bae4 upstream.
-
-The DT version of this board has a custom file with the gpio
-device. However, it does nothing because the d2net_init()
-has no caller or prototype:
-
-arch/arm/mach-orion5x/board-d2net.c:101:13: error: no previous prototype for 'd2net_init'
-
-Call it from the board-dt file as intended.
-
-Fixes: 94b0bd366e36 ("ARM: orion5x: convert d2net to Device Tree")
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230516153109.514251-10-arnd@kernel.org
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/mach-orion5x/board-dt.c | 3 +++
- arch/arm/mach-orion5x/common.h | 6 ++++++
- 2 files changed, 9 insertions(+)
-
---- a/arch/arm/mach-orion5x/board-dt.c
-+++ b/arch/arm/mach-orion5x/board-dt.c
-@@ -63,6 +63,9 @@ static void __init orion5x_dt_init(void)
- if (of_machine_is_compatible("maxtor,shared-storage-2"))
- mss2_init();
-
-+ if (of_machine_is_compatible("lacie,d2-network"))
-+ d2net_init();
-+
- of_platform_default_populate(NULL, orion5x_auxdata_lookup, NULL);
- }
-
---- a/arch/arm/mach-orion5x/common.h
-+++ b/arch/arm/mach-orion5x/common.h
-@@ -75,6 +75,12 @@ extern void mss2_init(void);
- static inline void mss2_init(void) {}
- #endif
-
-+#ifdef CONFIG_MACH_D2NET_DT
-+void d2net_init(void);
-+#else
-+static inline void d2net_init(void) {}
-+#endif
-+
- /*****************************************************************************
- * Helpers to access Orion registers
- ****************************************************************************/
+++ /dev/null
-From b47a7c0f977c015c3bb169a6ccbe0fb4704473aa Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 25 May 2023 10:48:22 +0200
-Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
-
-From: Wolfram Sang <wsa+renesas@sang-engineering.com>
-
-[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ]
-
-The schematics are misleading, the flow control is for HSCIF1. We need
-SCIF1 for GNSS/GPS which does not use flow control.
-
-Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1")
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com
-Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
-index 8bf3091a899c8..5abffdaf4077e 100644
---- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
-+++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
-@@ -165,7 +165,7 @@ hscif0_pins: hscif0 {
- };
-
- scif1_pins: scif1 {
-- groups = "scif1_data_b", "scif1_ctrl";
-+ groups = "scif1_data_b";
- function = "scif1";
- };
-
-@@ -178,7 +178,6 @@ usb0_pins: usb0 {
- &scif1 {
- pinctrl-0 = <&scif1_pins>;
- pinctrl-names = "default";
-- uart-has-rtscts;
-
- status = "okay";
- };
---
-2.39.2
-
+++ /dev/null
-From 8f45f8cea8f66aefea559e9624ac96ba2ff58970 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 May 2023 21:11:38 +0300
-Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume
- control
-
-From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
-
-[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ]
-
-The following error occurs when trying to restore a previously saved
-ALSA mixer state (tested on a Rock 5B board):
-
- $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog
- $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog
- alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument
-
-According to ES8316 datasheet, the register at address 0x2B, which is
-related to the above mixer control, contains by default the value 0xB0.
-Considering the corresponding ALC target bits (ALCLVL) are 7:4, the
-control is initialized with 11, which is one step above the maximum
-value allowed by the driver:
-
- ALCLVL | dB gain
- -------+--------
- 0000 | -16.5
- 0001 | -15.0
- 0010 | -13.5
- .... | .....
- 0111 | -6.0
- 1000 | -4.5
- 1001 | -3.0
- 1010 | -1.5
- .... | .....
- 1111 | -1.5
-
-The tests performed using the VU meter feature (--vumeter=TYPE) of
-arecord/aplay confirm the specs are correct and there is no measured
-gain if the 1011-1111 range would have been mapped to 0 dB:
-
- dB gain | VU meter %
- --------+-----------
- -6.0 | 30-31
- -4.5 | 35-36
- -3.0 | 42-43
- -1.5 | 50-51
- 0.0 | 50-51
-
-Increment the max value allowed for ALC Capture Target Volume control,
-so that it matches the hardware default. Additionally, update the
-related TLV to prevent an artificial extension of the dB gain range.
-
-Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
-Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
-Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/soc/codecs/es8316.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
-index 57130edaf3aba..834e542021fee 100644
---- a/sound/soc/codecs/es8316.c
-+++ b/sound/soc/codecs/es8316.c
-@@ -45,7 +45,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1);
- static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1);
- static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0);
- static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0);
--static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0);
-+
-+static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv,
-+ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0),
-+ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0),
-+);
-+
- static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv,
- 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0),
- 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0),
-@@ -107,7 +112,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = {
- alc_max_gain_tlv),
- SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0,
- alc_min_gain_tlv),
-- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0,
-+ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0,
- alc_target_tlv),
- SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0),
- SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0),
---
-2.39.2
-
+++ /dev/null
-From 028ddcac477b691dd9205c92f991cc15259d033e Mon Sep 17 00:00:00 2001
-From: Zheng Wang <zyytlz.wz@163.com>
-Date: Thu, 15 Jun 2023 20:12:21 +0800
-Subject: bcache: Remove unnecessary NULL point check in node allocations
-
-From: Zheng Wang <zyytlz.wz@163.com>
-
-commit 028ddcac477b691dd9205c92f991cc15259d033e upstream.
-
-Due to the previous fix of __bch_btree_node_alloc, the return value will
-never be a NULL pointer. So IS_ERR is enough to handle the failure
-situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check.
-
-Fixes: cafe56359144 ("bcache: A block layer cache")
-Cc: stable@vger.kernel.org
-Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
-Signed-off-by: Coly Li <colyli@suse.de>
-Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/bcache/btree.c | 10 +++++-----
- drivers/md/bcache/super.c | 4 ++--
- 2 files changed, 7 insertions(+), 7 deletions(-)
-
---- a/drivers/md/bcache/btree.c
-+++ b/drivers/md/bcache/btree.c
-@@ -1174,7 +1174,7 @@ static struct btree *btree_node_alloc_re
- {
- struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent);
-
-- if (!IS_ERR_OR_NULL(n)) {
-+ if (!IS_ERR(n)) {
- mutex_lock(&n->write_lock);
- bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort);
- bkey_copy_key(&n->key, &b->key);
-@@ -1377,7 +1377,7 @@ static int btree_gc_coalesce(struct btre
- memset(new_nodes, 0, sizeof(new_nodes));
- closure_init_stack(&cl);
-
-- while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b))
-+ while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b))
- keys += r[nodes++].keys;
-
- blocks = btree_default_blocks(b->c) * 2 / 3;
-@@ -1389,7 +1389,7 @@ static int btree_gc_coalesce(struct btre
-
- for (i = 0; i < nodes; i++) {
- new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL);
-- if (IS_ERR_OR_NULL(new_nodes[i]))
-+ if (IS_ERR(new_nodes[i]))
- goto out_nocoalesce;
- }
-
-@@ -1524,7 +1524,7 @@ out_nocoalesce:
- atomic_dec(&b->c->prio_blocked);
-
- for (i = 0; i < nodes; i++)
-- if (!IS_ERR_OR_NULL(new_nodes[i])) {
-+ if (!IS_ERR(new_nodes[i])) {
- btree_node_free(new_nodes[i]);
- rw_unlock(true, new_nodes[i]);
- }
-@@ -1706,7 +1706,7 @@ static int bch_btree_gc_root(struct btre
- if (should_rewrite) {
- n = btree_node_alloc_replacement(b, NULL);
-
-- if (!IS_ERR_OR_NULL(n)) {
-+ if (!IS_ERR(n)) {
- bch_btree_node_write_sync(n);
-
- bch_btree_set_root(n);
---- a/drivers/md/bcache/super.c
-+++ b/drivers/md/bcache/super.c
-@@ -1576,7 +1576,7 @@ static void cache_set_flush(struct closu
- if (!IS_ERR_OR_NULL(c->gc_thread))
- kthread_stop(c->gc_thread);
-
-- if (!IS_ERR_OR_NULL(c->root))
-+ if (!IS_ERR(c->root))
- list_add(&c->root->list, &c->btree_cache);
-
- /* Should skip this if we're unregistering because of an error */
-@@ -1921,7 +1921,7 @@ static int run_cache_set(struct cache_se
-
- err = "cannot allocate new btree root";
- c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL);
-- if (IS_ERR_OR_NULL(c->root))
-+ if (IS_ERR(c->root))
- goto err;
-
- mutex_lock(&c->root->write_lock);
+++ /dev/null
-From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001
-From: Michael Schmitz <schmitzmic@gmail.com>
-Date: Wed, 21 Jun 2023 08:17:24 +1200
-Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h
-
-From: Michael Schmitz <schmitzmic@gmail.com>
-
-commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream.
-
-The Amiga partition parser module uses signed int for partition sector
-address and count, which will overflow for disks larger than 1 TB.
-
-Use u64 as type for sector address and size to allow using disks up to
-2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD
-format allows to specify disk sizes up to 2^128 bytes (though native
-OS limitations reduce this somewhat, to max 2^68 bytes), so check for
-u64 overflow carefully to protect against overflowing sector_t.
-
-This bug was reported originally in 2012, and the fix was created by
-the RDB author, Joanne Dow <jdow@earthlink.net>. A patch had been
-discussed and reviewed on linux-m68k at that time but never officially
-submitted (now resubmitted as patch 1 of this series).
-
-Patch 3 (this series) adds additional error checking and warning
-messages. One of the error checks now makes use of the previously
-unused rdb_CylBlocks field, which causes a 'sparse' warning
-(cast to restricted __be32).
-
-Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the
-on-disk format of RDB and partition blocks is always big endian.
-
-Reported-by: Martin Steigerwald <Martin@lichtvoll.de>
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Message-ID: <201206192146.09327.Martin@lichtvoll.de>
-Cc: <stable@vger.kernel.org> # 5.2
-Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
-Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------
- 1 file changed, 34 insertions(+), 34 deletions(-)
-
---- a/include/uapi/linux/affs_hardblocks.h
-+++ b/include/uapi/linux/affs_hardblocks.h
-@@ -7,42 +7,42 @@
- /* Just the needed definitions for the RDB of an Amiga HD. */
-
- struct RigidDiskBlock {
-- __u32 rdb_ID;
-+ __be32 rdb_ID;
- __be32 rdb_SummedLongs;
-- __s32 rdb_ChkSum;
-- __u32 rdb_HostID;
-+ __be32 rdb_ChkSum;
-+ __be32 rdb_HostID;
- __be32 rdb_BlockBytes;
-- __u32 rdb_Flags;
-- __u32 rdb_BadBlockList;
-+ __be32 rdb_Flags;
-+ __be32 rdb_BadBlockList;
- __be32 rdb_PartitionList;
-- __u32 rdb_FileSysHeaderList;
-- __u32 rdb_DriveInit;
-- __u32 rdb_Reserved1[6];
-- __u32 rdb_Cylinders;
-- __u32 rdb_Sectors;
-- __u32 rdb_Heads;
-- __u32 rdb_Interleave;
-- __u32 rdb_Park;
-- __u32 rdb_Reserved2[3];
-- __u32 rdb_WritePreComp;
-- __u32 rdb_ReducedWrite;
-- __u32 rdb_StepRate;
-- __u32 rdb_Reserved3[5];
-- __u32 rdb_RDBBlocksLo;
-- __u32 rdb_RDBBlocksHi;
-- __u32 rdb_LoCylinder;
-- __u32 rdb_HiCylinder;
-- __u32 rdb_CylBlocks;
-- __u32 rdb_AutoParkSeconds;
-- __u32 rdb_HighRDSKBlock;
-- __u32 rdb_Reserved4;
-+ __be32 rdb_FileSysHeaderList;
-+ __be32 rdb_DriveInit;
-+ __be32 rdb_Reserved1[6];
-+ __be32 rdb_Cylinders;
-+ __be32 rdb_Sectors;
-+ __be32 rdb_Heads;
-+ __be32 rdb_Interleave;
-+ __be32 rdb_Park;
-+ __be32 rdb_Reserved2[3];
-+ __be32 rdb_WritePreComp;
-+ __be32 rdb_ReducedWrite;
-+ __be32 rdb_StepRate;
-+ __be32 rdb_Reserved3[5];
-+ __be32 rdb_RDBBlocksLo;
-+ __be32 rdb_RDBBlocksHi;
-+ __be32 rdb_LoCylinder;
-+ __be32 rdb_HiCylinder;
-+ __be32 rdb_CylBlocks;
-+ __be32 rdb_AutoParkSeconds;
-+ __be32 rdb_HighRDSKBlock;
-+ __be32 rdb_Reserved4;
- char rdb_DiskVendor[8];
- char rdb_DiskProduct[16];
- char rdb_DiskRevision[4];
- char rdb_ControllerVendor[8];
- char rdb_ControllerProduct[16];
- char rdb_ControllerRevision[4];
-- __u32 rdb_Reserved5[10];
-+ __be32 rdb_Reserved5[10];
- };
-
- #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */
-@@ -50,16 +50,16 @@ struct RigidDiskBlock {
- struct PartitionBlock {
- __be32 pb_ID;
- __be32 pb_SummedLongs;
-- __s32 pb_ChkSum;
-- __u32 pb_HostID;
-+ __be32 pb_ChkSum;
-+ __be32 pb_HostID;
- __be32 pb_Next;
-- __u32 pb_Flags;
-- __u32 pb_Reserved1[2];
-- __u32 pb_DevFlags;
-+ __be32 pb_Flags;
-+ __be32 pb_Reserved1[2];
-+ __be32 pb_DevFlags;
- __u8 pb_DriveName[32];
-- __u32 pb_Reserved2[15];
-+ __be32 pb_Reserved2[15];
- __be32 pb_Environment[17];
-- __u32 pb_EReserved[15];
-+ __be32 pb_EReserved[15];
- };
-
- #define IDNAME_PARTITION 0x50415254 /* "PART" */
+++ /dev/null
-From 2c488883c37e2823eef1b80cae4edf8e97997e0f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 10 May 2023 21:37:48 -0700
-Subject: bpf: Address KCSAN report on bpf_lru_list
-
-From: Martin KaFai Lau <martin.lau@kernel.org>
-
-[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ]
-
-KCSAN reported a data-race when accessing node->ref.
-Although node->ref does not have to be accurate,
-take this chance to use a more common READ_ONCE() and WRITE_ONCE()
-pattern instead of data_race().
-
-There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref().
-This patch also adds bpf_lru_node_clear_ref() to do the
-WRITE_ONCE(node->ref, 0) also.
-
-==================================================================
-BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem
-
-write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1:
-__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline]
-__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline]
-__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240
-bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline]
-bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
-bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499
-prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline]
-__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316
-bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313
-bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200
-generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687
-bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534
-__sys_bpf+0x338/0x810
-__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]
-__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]
-__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094
-do_syscall_x64 arch/x86/entry/common.c:50 [inline]
-do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
-entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0:
-bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline]
-__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332
-bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313
-bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200
-generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687
-bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534
-__sys_bpf+0x338/0x810
-__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]
-__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]
-__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094
-do_syscall_x64 arch/x86/entry/common.c:50 [inline]
-do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
-entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-value changed: 0x01 -> 0x00
-
-Reported by Kernel Concurrency Sanitizer on:
-CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
-==================================================================
-
-Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com
-Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
-Acked-by: Yonghong Song <yhs@fb.com>
-Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/bpf_lru_list.c | 21 +++++++++++++--------
- kernel/bpf/bpf_lru_list.h | 7 ++-----
- 2 files changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
-index 9b5eeff72fd37..39a0e768adc39 100644
---- a/kernel/bpf/bpf_lru_list.c
-+++ b/kernel/bpf/bpf_lru_list.c
-@@ -44,7 +44,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l)
- /* bpf_lru_node helpers */
- static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node)
- {
-- return node->ref;
-+ return READ_ONCE(node->ref);
-+}
-+
-+static void bpf_lru_node_clear_ref(struct bpf_lru_node *node)
-+{
-+ WRITE_ONCE(node->ref, 0);
- }
-
- static void bpf_lru_list_count_inc(struct bpf_lru_list *l,
-@@ -92,7 +97,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l,
-
- bpf_lru_list_count_inc(l, tgt_type);
- node->type = tgt_type;
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
- list_move(&node->list, &l->lists[tgt_type]);
- }
-
-@@ -113,7 +118,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l,
- bpf_lru_list_count_inc(l, tgt_type);
- node->type = tgt_type;
- }
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
-
- /* If the moving node is the next_inactive_rotation candidate,
- * move the next_inactive_rotation pointer also.
-@@ -356,7 +361,7 @@ static void __local_list_add_pending(struct bpf_lru *lru,
- *(u32 *)((void *)node + lru->hash_offset) = hash;
- node->cpu = cpu;
- node->type = BPF_LRU_LOCAL_LIST_T_PENDING;
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
- list_add(&node->list, local_pending_list(loc_l));
- }
-
-@@ -422,7 +427,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru,
- if (!list_empty(free_list)) {
- node = list_first_entry(free_list, struct bpf_lru_node, list);
- *(u32 *)((void *)node + lru->hash_offset) = hash;
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
- __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE);
- }
-
-@@ -525,7 +530,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru,
- }
-
- node->type = BPF_LRU_LOCAL_LIST_T_FREE;
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
- list_move(&node->list, local_free_list(loc_l));
-
- raw_spin_unlock_irqrestore(&loc_l->lock, flags);
-@@ -571,7 +576,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf,
-
- node = (struct bpf_lru_node *)(buf + node_offset);
- node->type = BPF_LRU_LIST_T_FREE;
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
- list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]);
- buf += elem_size;
- }
-@@ -597,7 +602,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf,
- node = (struct bpf_lru_node *)(buf + node_offset);
- node->cpu = cpu;
- node->type = BPF_LRU_LIST_T_FREE;
-- node->ref = 0;
-+ bpf_lru_node_clear_ref(node);
- list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]);
- i++;
- buf += elem_size;
-diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h
-index 7d4f89b7cb841..08da78b59f0b9 100644
---- a/kernel/bpf/bpf_lru_list.h
-+++ b/kernel/bpf/bpf_lru_list.h
-@@ -66,11 +66,8 @@ struct bpf_lru {
-
- static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node)
- {
-- /* ref is an approximation on access frequency. It does not
-- * have to be very accurate. Hence, no protection is used.
-- */
-- if (!node->ref)
-- node->ref = 1;
-+ if (!READ_ONCE(node->ref))
-+ WRITE_ONCE(node->ref, 1);
- }
-
- int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset,
---
-2.39.2
-
+++ /dev/null
-From b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 Mon Sep 17 00:00:00 2001
-From: Filipe Manana <fdmanana@suse.com>
-Date: Mon, 19 Jun 2023 17:21:47 +0100
-Subject: btrfs: fix race when deleting quota root from the dirty cow roots list
-
-From: Filipe Manana <fdmanana@suse.com>
-
-commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 upstream.
-
-When disabling quotas we are deleting the quota root from the list
-fs_info->dirty_cowonly_roots without taking the lock that protects it,
-which is struct btrfs_fs_info::trans_lock. This unsynchronized list
-manipulation may cause chaos if there's another concurrent manipulation
-of this list, such as when adding a root to it with
-ctree.c:add_root_to_dirty_list().
-
-This can result in all sorts of weird failures caused by a race, such as
-the following crash:
-
- [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
- [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
- [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
- [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
- [337571.279928] Code: 85 38 06 00 (...)
- [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
- [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
- [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
- [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
- [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
- [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
- [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
- [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
- [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
- [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
- [337571.282874] Call Trace:
- [337571.283101] <TASK>
- [337571.283327] ? __die_body+0x1b/0x60
- [337571.283570] ? die_addr+0x39/0x60
- [337571.283796] ? exc_general_protection+0x22e/0x430
- [337571.284022] ? asm_exc_general_protection+0x22/0x30
- [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
- [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
- [337571.284803] ? _raw_spin_unlock+0x15/0x30
- [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
- [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
- [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
- [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
- [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
- [337571.286358] ? mod_objcg_state+0xd2/0x360
- [337571.286577] ? refill_obj_stock+0xb0/0x160
- [337571.286798] ? seq_release+0x25/0x30
- [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
- [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
- [337571.287455] ? __x64_sys_ioctl+0x88/0xc0
- [337571.287675] __x64_sys_ioctl+0x88/0xc0
- [337571.287901] do_syscall_64+0x38/0x90
- [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
- [337571.288352] RIP: 0033:0x7f478aaffe9b
-
-So fix this by locking struct btrfs_fs_info::trans_lock before deleting
-the quota root from that list.
-
-Fixes: bed92eae26cc ("Btrfs: qgroup implementation and prototypes")
-CC: stable@vger.kernel.org # 4.14+
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/qgroup.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/btrfs/qgroup.c
-+++ b/fs/btrfs/qgroup.c
-@@ -1115,7 +1115,9 @@ int btrfs_quota_disable(struct btrfs_fs_
- goto end_trans;
- }
-
-+ spin_lock(&fs_info->trans_lock);
- list_del("a_root->dirty_list);
-+ spin_unlock(&fs_info->trans_lock);
-
- btrfs_tree_lock(quota_root->node);
- clean_tree_block(fs_info, quota_root->node);
+++ /dev/null
-From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001
-From: YueHaibing <yuehaibing@huawei.com>
-Date: Sat, 15 Jul 2023 17:25:43 +0800
-Subject: can: bcm: Fix UAF in bcm_proc_show()
-
-From: YueHaibing <yuehaibing@huawei.com>
-
-commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream.
-
-BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
-Read of size 8 at addr ffff888155846230 by task cat/7862
-
-CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
-Call Trace:
- <TASK>
- dump_stack_lvl+0xd5/0x150
- print_report+0xc1/0x5e0
- kasan_report+0xba/0xf0
- bcm_proc_show+0x969/0xa80
- seq_read_iter+0x4f6/0x1260
- seq_read+0x165/0x210
- proc_reg_read+0x227/0x300
- vfs_read+0x1d5/0x8d0
- ksys_read+0x11e/0x240
- do_syscall_64+0x35/0xb0
- entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-Allocated by task 7846:
- kasan_save_stack+0x1e/0x40
- kasan_set_track+0x21/0x30
- __kasan_kmalloc+0x9e/0xa0
- bcm_sendmsg+0x264b/0x44e0
- sock_sendmsg+0xda/0x180
- ____sys_sendmsg+0x735/0x920
- ___sys_sendmsg+0x11d/0x1b0
- __sys_sendmsg+0xfa/0x1d0
- do_syscall_64+0x35/0xb0
- entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-Freed by task 7846:
- kasan_save_stack+0x1e/0x40
- kasan_set_track+0x21/0x30
- kasan_save_free_info+0x27/0x40
- ____kasan_slab_free+0x161/0x1c0
- slab_free_freelist_hook+0x119/0x220
- __kmem_cache_free+0xb4/0x2e0
- rcu_core+0x809/0x1bd0
-
-bcm_op is freed before procfs entry be removed in bcm_release(),
-this lead to bcm_proc_show() may read the freed bcm_op.
-
-Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
-Signed-off-by: YueHaibing <yuehaibing@huawei.com>
-Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
-Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
-Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com
-Cc: stable@vger.kernel.org
-Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/can/bcm.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
---- a/net/can/bcm.c
-+++ b/net/can/bcm.c
-@@ -1520,6 +1520,12 @@ static int bcm_release(struct socket *so
-
- lock_sock(sk);
-
-+#if IS_ENABLED(CONFIG_PROC_FS)
-+ /* remove procfs entry */
-+ if (net->can.bcmproc_dir && bo->bcm_proc_read)
-+ remove_proc_entry(bo->procname, net->can.bcmproc_dir);
-+#endif /* CONFIG_PROC_FS */
-+
- list_for_each_entry_safe(op, next, &bo->tx_ops, list)
- bcm_remove_op(op);
-
-@@ -1555,12 +1561,6 @@ static int bcm_release(struct socket *so
- list_for_each_entry_safe(op, next, &bo->rx_ops, list)
- bcm_remove_op(op);
-
--#if IS_ENABLED(CONFIG_PROC_FS)
-- /* remove procfs entry */
-- if (net->can.bcmproc_dir && bo->bcm_proc_read)
-- remove_proc_entry(bo->procname, net->can.bcmproc_dir);
--#endif /* CONFIG_PROC_FS */
--
- /* remove device reference */
- if (bo->bound) {
- bo->bound = 0;
+++ /dev/null
-From 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 Mon Sep 17 00:00:00 2001
-From: Xiubo Li <xiubli@redhat.com>
-Date: Wed, 28 Jun 2023 07:57:09 +0800
-Subject: ceph: don't let check_caps skip sending responses for revoke msgs
-
-From: Xiubo Li <xiubli@redhat.com>
-
-commit 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 upstream.
-
-If a client sends out a cap update dropping caps with the prior 'seq'
-just before an incoming cap revoke request, then the client may drop
-the revoke because it believes it's already released the requested
-capabilities.
-
-This causes the MDS to wait indefinitely for the client to respond
-to the revoke. It's therefore always a good idea to ack the cap
-revoke request with the bumped up 'seq'.
-
-Cc: stable@vger.kernel.org
-Link: https://tracker.ceph.com/issues/61782
-Signed-off-by: Xiubo Li <xiubli@redhat.com>
-Reviewed-by: Milind Changire <mchangir@redhat.com>
-Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
-Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ceph/caps.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/fs/ceph/caps.c
-+++ b/fs/ceph/caps.c
-@@ -3285,6 +3285,15 @@ static void handle_cap_grant(struct inod
- }
- BUG_ON(cap->issued & ~cap->implemented);
-
-+ /* don't let check_caps skip sending a response to MDS for revoke msgs */
-+ if (le32_to_cpu(grant->op) == CEPH_CAP_OP_REVOKE) {
-+ cap->mds_wanted = 0;
-+ if (cap == ci->i_auth_cap)
-+ check_caps = 1; /* check auth cap only */
-+ else
-+ check_caps = 2; /* check all caps */
-+ }
-+
- if (extra_info->inline_version > 0 &&
- extra_info->inline_version >= ci->i_inline_version) {
- ci->i_inline_version = extra_info->inline_version;
+++ /dev/null
-From cdce24c230c530209c4401a7acb8c7930aa81309 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 25 Apr 2023 06:56:11 +0000
-Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
-
-From: Feng Mingxi <m202271825@hust.edu.cn>
-
-[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ]
-
-Smatch reports:
-drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()
-warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.
-
-timer_baseaddr may have the problem of not being released after use,
-I replaced it with the devm_of_iomap() function and added the clk_put()
-function to cleanup the "clk_ce" and "clk_cs".
-
-Fixes: e932900a3279 ("arm: zynq: Use standard timer binding")
-Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error")
-Signed-off-by: Feng Mingxi <m202271825@hust.edu.cn>
-Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
-Acked-by: Michal Simek <michal.simek@amd.com>
-Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
-Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------
- 1 file changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
-index b1df0ded8f521..16b9bfb257564 100644
---- a/drivers/clocksource/timer-cadence-ttc.c
-+++ b/drivers/clocksource/timer-cadence-ttc.c
-@@ -494,10 +494,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
- * and use it. Note that the event timer uses the interrupt and it's the
- * 2nd TTC hence the irq_of_parse_and_map(,1)
- */
-- timer_baseaddr = of_iomap(timer, 0);
-- if (!timer_baseaddr) {
-+ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL);
-+ if (IS_ERR(timer_baseaddr)) {
- pr_err("ERROR: invalid timer base address\n");
-- return -ENXIO;
-+ return PTR_ERR(timer_baseaddr);
- }
-
- irq = irq_of_parse_and_map(timer, 1);
-@@ -521,20 +521,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
- clk_ce = of_clk_get(timer, clksel);
- if (IS_ERR(clk_ce)) {
- pr_err("ERROR: timer input clock not found\n");
-- return PTR_ERR(clk_ce);
-+ ret = PTR_ERR(clk_ce);
-+ goto put_clk_cs;
- }
-
- ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width);
- if (ret)
-- return ret;
-+ goto put_clk_ce;
-
- ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq);
- if (ret)
-- return ret;
-+ goto put_clk_ce;
-
- pr_info("%s #0 at %p, irq=%d\n", timer->name, timer_baseaddr, irq);
-
- return 0;
-+
-+put_clk_ce:
-+ clk_put(clk_ce);
-+put_clk_cs:
-+ clk_put(clk_cs);
-+ return ret;
- }
-
- static const struct of_device_id ttc_timer_of_match[] = {
---
-2.39.2
-
+++ /dev/null
-From 86fdffa20ff885a32027563da0692cd00e56eca0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 7 Nov 2019 02:36:28 -0800
-Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
-
-From: Rajan Vaja <rajan.vaja@xilinx.com>
-
-[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ]
-
-Currently TTC driver is TIMER_OF_DECLARE type driver. Because of
-that, TTC driver may be initialized before other clock drivers. If
-TTC driver is dependent on that clock driver then initialization of
-TTC driver will failed.
-
-So use TTC driver as platform driver instead of using
-TIMER_OF_DECLARE.
-
-Signed-off-by: Rajan Vaja <rajan.vaja@xilinx.com>
-Tested-by: Michal Simek <michal.simek@xilinx.com>
-Acked-by: Michal Simek <michal.simek@xilinx.com>
-Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
-Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com
-Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
-index a7eb858a84a0f..b1df0ded8f521 100644
---- a/drivers/clocksource/timer-cadence-ttc.c
-+++ b/drivers/clocksource/timer-cadence-ttc.c
-@@ -23,6 +23,8 @@
- #include <linux/of_irq.h>
- #include <linux/slab.h>
- #include <linux/sched_clock.h>
-+#include <linux/module.h>
-+#include <linux/of_platform.h>
-
- /*
- * This driver configures the 2 16/32-bit count-up timers as follows:
-@@ -472,13 +474,7 @@ static int __init ttc_setup_clockevent(struct clk *clk,
- return err;
- }
-
--/**
-- * ttc_timer_init - Initialize the timer
-- *
-- * Initializes the timer hardware and register the clock source and clock event
-- * timers with Linux kernal timer framework
-- */
--static int __init ttc_timer_init(struct device_node *timer)
-+static int __init ttc_timer_probe(struct platform_device *pdev)
- {
- unsigned int irq;
- void __iomem *timer_baseaddr;
-@@ -486,6 +482,7 @@ static int __init ttc_timer_init(struct device_node *timer)
- static int initialized;
- int clksel, ret;
- u32 timer_width = 16;
-+ struct device_node *timer = pdev->dev.of_node;
-
- if (initialized)
- return 0;
-@@ -540,4 +537,17 @@ static int __init ttc_timer_init(struct device_node *timer)
- return 0;
- }
-
--TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init);
-+static const struct of_device_id ttc_timer_of_match[] = {
-+ {.compatible = "cdns,ttc"},
-+ {},
-+};
-+
-+MODULE_DEVICE_TABLE(of, ttc_timer_of_match);
-+
-+static struct platform_driver ttc_timer_driver = {
-+ .driver = {
-+ .name = "cdns_ttc_timer",
-+ .of_match_table = ttc_timer_of_match,
-+ },
-+};
-+builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe);
---
-2.39.2
-
+++ /dev/null
-From ca60c700dea2b20caf43a6b9c00124a3dd36d227 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 24 Sep 2018 05:59:23 +0200
-Subject: clocksource/drivers: Unify the names to timer-* format
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Daniel Lezcano <daniel.lezcano@linaro.org>
-
-[ Upstream commit 9d8d47ea6ec6048abc75ccc4486aff1a7db1ff4b ]
-
-In order to make some housekeeping in the directory, this patch renames
-drivers to the timer-* format in order to unify their names.
-
-There is no functional changes.
-
-Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
-Acked-by: Vladimir Zapolskiy <vz@mleia.com>
-Acked-by: Liviu Dudau <liviu.dudau@arm.com>
-
-Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
-Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- MAINTAINERS | 10 +++----
- drivers/clocksource/Makefile | 26 +++++++++----------
- ...-armada-370-xp.c => timer-armada-370-xp.c} | 0
- ...adence_ttc_timer.c => timer-cadence-ttc.c} | 0
- .../{time-efm32.c => timer-efm32.c} | 0
- .../{fsl_ftm_timer.c => timer-fsl-ftm.c} | 0
- .../{time-lpc32xx.c => timer-lpc32xx.c} | 0
- .../{time-orion.c => timer-orion.c} | 0
- .../clocksource/{owl-timer.c => timer-owl.c} | 0
- .../{time-pistachio.c => timer-pistachio.c} | 0
- .../{qcom-timer.c => timer-qcom.c} | 0
- .../{versatile.c => timer-versatile.c} | 0
- .../{vf_pit_timer.c => timer-vf-pit.c} | 0
- .../{vt8500_timer.c => timer-vt8500.c} | 0
- .../{zevio-timer.c => timer-zevio.c} | 0
- 15 files changed, 18 insertions(+), 18 deletions(-)
- rename drivers/clocksource/{time-armada-370-xp.c => timer-armada-370-xp.c} (100%)
- rename drivers/clocksource/{cadence_ttc_timer.c => timer-cadence-ttc.c} (100%)
- rename drivers/clocksource/{time-efm32.c => timer-efm32.c} (100%)
- rename drivers/clocksource/{fsl_ftm_timer.c => timer-fsl-ftm.c} (100%)
- rename drivers/clocksource/{time-lpc32xx.c => timer-lpc32xx.c} (100%)
- rename drivers/clocksource/{time-orion.c => timer-orion.c} (100%)
- rename drivers/clocksource/{owl-timer.c => timer-owl.c} (100%)
- rename drivers/clocksource/{time-pistachio.c => timer-pistachio.c} (100%)
- rename drivers/clocksource/{qcom-timer.c => timer-qcom.c} (100%)
- rename drivers/clocksource/{versatile.c => timer-versatile.c} (100%)
- rename drivers/clocksource/{vf_pit_timer.c => timer-vf-pit.c} (100%)
- rename drivers/clocksource/{vt8500_timer.c => timer-vt8500.c} (100%)
- rename drivers/clocksource/{zevio-timer.c => timer-zevio.c} (100%)
-
-diff --git a/MAINTAINERS b/MAINTAINERS
-index 3d3d7f5d1c3f1..59003315a9597 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -1180,7 +1180,7 @@ N: owl
- F: arch/arm/mach-actions/
- F: arch/arm/boot/dts/owl-*
- F: arch/arm64/boot/dts/actions/
--F: drivers/clocksource/owl-*
-+F: drivers/clocksource/timer-owl*
- F: drivers/pinctrl/actions/*
- F: drivers/soc/actions/
- F: include/dt-bindings/power/owl-*
-@@ -1603,7 +1603,7 @@ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
- S: Maintained
- F: arch/arm/boot/dts/lpc43*
- F: drivers/clk/nxp/clk-lpc18xx*
--F: drivers/clocksource/time-lpc32xx.c
-+F: drivers/clocksource/timer-lpc32xx.c
- F: drivers/i2c/busses/i2c-lpc2k.c
- F: drivers/memory/pl172.c
- F: drivers/mtd/spi-nor/nxp-spifi.c
-@@ -2219,7 +2219,7 @@ F: arch/arm/mach-vexpress/
- F: */*/vexpress*
- F: */*/*/vexpress*
- F: drivers/clk/versatile/clk-vexpress-osc.c
--F: drivers/clocksource/versatile.c
-+F: drivers/clocksource/timer-versatile.c
- N: mps2
-
- ARM/VFP SUPPORT
-@@ -2241,7 +2241,7 @@ M: Tony Prisk <linux@prisktech.co.nz>
- L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
- S: Maintained
- F: arch/arm/mach-vt8500/
--F: drivers/clocksource/vt8500_timer.c
-+F: drivers/clocksource/timer-vt8500.c
- F: drivers/i2c/busses/i2c-wmt.c
- F: drivers/mmc/host/wmt-sdmmc.c
- F: drivers/pwm/pwm-vt8500.c
-@@ -2306,7 +2306,7 @@ F: drivers/cpuidle/cpuidle-zynq.c
- F: drivers/block/xsysace.c
- N: zynq
- N: xilinx
--F: drivers/clocksource/cadence_ttc_timer.c
-+F: drivers/clocksource/timer-cadence-ttc.c
- F: drivers/i2c/busses/i2c-cadence.c
- F: drivers/mmc/host/sdhci-of-arasan.c
- F: drivers/edac/synopsys_edac.c
-diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile
-index db51b2427e8a6..e33b21d3f9d8b 100644
---- a/drivers/clocksource/Makefile
-+++ b/drivers/clocksource/Makefile
-@@ -23,8 +23,8 @@ obj-$(CONFIG_FTTMR010_TIMER) += timer-fttmr010.o
- obj-$(CONFIG_ROCKCHIP_TIMER) += rockchip_timer.o
- obj-$(CONFIG_CLKSRC_NOMADIK_MTU) += nomadik-mtu.o
- obj-$(CONFIG_CLKSRC_DBX500_PRCMU) += clksrc-dbx500-prcmu.o
--obj-$(CONFIG_ARMADA_370_XP_TIMER) += time-armada-370-xp.o
--obj-$(CONFIG_ORION_TIMER) += time-orion.o
-+obj-$(CONFIG_ARMADA_370_XP_TIMER) += timer-armada-370-xp.o
-+obj-$(CONFIG_ORION_TIMER) += timer-orion.o
- obj-$(CONFIG_BCM2835_TIMER) += bcm2835_timer.o
- obj-$(CONFIG_CLPS711X_TIMER) += clps711x-timer.o
- obj-$(CONFIG_ATLAS7_TIMER) += timer-atlas7.o
-@@ -36,25 +36,25 @@ obj-$(CONFIG_SUN4I_TIMER) += sun4i_timer.o
- obj-$(CONFIG_SUN5I_HSTIMER) += timer-sun5i.o
- obj-$(CONFIG_MESON6_TIMER) += meson6_timer.o
- obj-$(CONFIG_TEGRA_TIMER) += tegra20_timer.o
--obj-$(CONFIG_VT8500_TIMER) += vt8500_timer.o
--obj-$(CONFIG_NSPIRE_TIMER) += zevio-timer.o
-+obj-$(CONFIG_VT8500_TIMER) += timer-vt8500.o
-+obj-$(CONFIG_NSPIRE_TIMER) += timer-zevio.o
- obj-$(CONFIG_BCM_KONA_TIMER) += bcm_kona_timer.o
--obj-$(CONFIG_CADENCE_TTC_TIMER) += cadence_ttc_timer.o
--obj-$(CONFIG_CLKSRC_EFM32) += time-efm32.o
-+obj-$(CONFIG_CADENCE_TTC_TIMER) += timer-cadence-ttc.o
-+obj-$(CONFIG_CLKSRC_EFM32) += timer-efm32.o
- obj-$(CONFIG_CLKSRC_STM32) += timer-stm32.o
- obj-$(CONFIG_CLKSRC_EXYNOS_MCT) += exynos_mct.o
--obj-$(CONFIG_CLKSRC_LPC32XX) += time-lpc32xx.o
-+obj-$(CONFIG_CLKSRC_LPC32XX) += timer-lpc32xx.o
- obj-$(CONFIG_CLKSRC_MPS2) += mps2-timer.o
- obj-$(CONFIG_CLKSRC_SAMSUNG_PWM) += samsung_pwm_timer.o
--obj-$(CONFIG_FSL_FTM_TIMER) += fsl_ftm_timer.o
--obj-$(CONFIG_VF_PIT_TIMER) += vf_pit_timer.o
--obj-$(CONFIG_CLKSRC_QCOM) += qcom-timer.o
-+obj-$(CONFIG_FSL_FTM_TIMER) += timer-fsl-ftm.o
-+obj-$(CONFIG_VF_PIT_TIMER) += timer-vf-pit.o
-+obj-$(CONFIG_CLKSRC_QCOM) += timer-qcom.o
- obj-$(CONFIG_MTK_TIMER) += timer-mediatek.o
--obj-$(CONFIG_CLKSRC_PISTACHIO) += time-pistachio.o
-+obj-$(CONFIG_CLKSRC_PISTACHIO) += timer-pistachio.o
- obj-$(CONFIG_CLKSRC_TI_32K) += timer-ti-32k.o
- obj-$(CONFIG_CLKSRC_NPS) += timer-nps.o
- obj-$(CONFIG_OXNAS_RPS_TIMER) += timer-oxnas-rps.o
--obj-$(CONFIG_OWL_TIMER) += owl-timer.o
-+obj-$(CONFIG_OWL_TIMER) += timer-owl.o
- obj-$(CONFIG_SPRD_TIMER) += timer-sprd.o
- obj-$(CONFIG_NPCM7XX_TIMER) += timer-npcm7xx.o
-
-@@ -66,7 +66,7 @@ obj-$(CONFIG_ARM_TIMER_SP804) += timer-sp804.o
- obj-$(CONFIG_ARCH_HAS_TICK_BROADCAST) += dummy_timer.o
- obj-$(CONFIG_KEYSTONE_TIMER) += timer-keystone.o
- obj-$(CONFIG_INTEGRATOR_AP_TIMER) += timer-integrator-ap.o
--obj-$(CONFIG_CLKSRC_VERSATILE) += versatile.o
-+obj-$(CONFIG_CLKSRC_VERSATILE) += timer-versatile.o
- obj-$(CONFIG_CLKSRC_MIPS_GIC) += mips-gic-timer.o
- obj-$(CONFIG_CLKSRC_TANGO_XTAL) += tango_xtal.o
- obj-$(CONFIG_CLKSRC_IMX_GPT) += timer-imx-gpt.o
-diff --git a/drivers/clocksource/time-armada-370-xp.c b/drivers/clocksource/timer-armada-370-xp.c
-similarity index 100%
-rename from drivers/clocksource/time-armada-370-xp.c
-rename to drivers/clocksource/timer-armada-370-xp.c
-diff --git a/drivers/clocksource/cadence_ttc_timer.c b/drivers/clocksource/timer-cadence-ttc.c
-similarity index 100%
-rename from drivers/clocksource/cadence_ttc_timer.c
-rename to drivers/clocksource/timer-cadence-ttc.c
-diff --git a/drivers/clocksource/time-efm32.c b/drivers/clocksource/timer-efm32.c
-similarity index 100%
-rename from drivers/clocksource/time-efm32.c
-rename to drivers/clocksource/timer-efm32.c
-diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/timer-fsl-ftm.c
-similarity index 100%
-rename from drivers/clocksource/fsl_ftm_timer.c
-rename to drivers/clocksource/timer-fsl-ftm.c
-diff --git a/drivers/clocksource/time-lpc32xx.c b/drivers/clocksource/timer-lpc32xx.c
-similarity index 100%
-rename from drivers/clocksource/time-lpc32xx.c
-rename to drivers/clocksource/timer-lpc32xx.c
-diff --git a/drivers/clocksource/time-orion.c b/drivers/clocksource/timer-orion.c
-similarity index 100%
-rename from drivers/clocksource/time-orion.c
-rename to drivers/clocksource/timer-orion.c
-diff --git a/drivers/clocksource/owl-timer.c b/drivers/clocksource/timer-owl.c
-similarity index 100%
-rename from drivers/clocksource/owl-timer.c
-rename to drivers/clocksource/timer-owl.c
-diff --git a/drivers/clocksource/time-pistachio.c b/drivers/clocksource/timer-pistachio.c
-similarity index 100%
-rename from drivers/clocksource/time-pistachio.c
-rename to drivers/clocksource/timer-pistachio.c
-diff --git a/drivers/clocksource/qcom-timer.c b/drivers/clocksource/timer-qcom.c
-similarity index 100%
-rename from drivers/clocksource/qcom-timer.c
-rename to drivers/clocksource/timer-qcom.c
-diff --git a/drivers/clocksource/versatile.c b/drivers/clocksource/timer-versatile.c
-similarity index 100%
-rename from drivers/clocksource/versatile.c
-rename to drivers/clocksource/timer-versatile.c
-diff --git a/drivers/clocksource/vf_pit_timer.c b/drivers/clocksource/timer-vf-pit.c
-similarity index 100%
-rename from drivers/clocksource/vf_pit_timer.c
-rename to drivers/clocksource/timer-vf-pit.c
-diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/timer-vt8500.c
-similarity index 100%
-rename from drivers/clocksource/vt8500_timer.c
-rename to drivers/clocksource/timer-vt8500.c
-diff --git a/drivers/clocksource/zevio-timer.c b/drivers/clocksource/timer-zevio.c
-similarity index 100%
-rename from drivers/clocksource/zevio-timer.c
-rename to drivers/clocksource/timer-zevio.c
---
-2.39.2
-
+++ /dev/null
-From 0c67a96251f802879d2f45c09aaab210c2981721 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 19 May 2023 15:33:34 -0700
-Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Randy Dunlap <rdunlap@infradead.org>
-
-[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ]
-
-Fix build warnings when DEBUG_FS is not enabled by using an empty
-do-while loop instead of a value:
-
-In file included from ../drivers/crypto/nx/nx.c:27:
-../drivers/crypto/nx/nx.c: In function 'nx_register_algs':
-../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value]
- 173 | #define NX_DEBUGFS_INIT(drv) (0)
-../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT'
- 573 | NX_DEBUGFS_INIT(&nx_driver);
-../drivers/crypto/nx/nx.c: In function 'nx_remove':
-../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value]
- 174 | #define NX_DEBUGFS_FINI(drv) (0)
-../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI'
- 793 | NX_DEBUGFS_FINI(&nx_driver);
-
-Also, there is no need to build nx_debugfs.o when DEBUG_FS is not
-enabled, so change the Makefile to accommodate that.
-
-Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption")
-Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver")
-Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
-Cc: Breno Leitão <leitao@debian.org>
-Cc: Nayna Jain <nayna@linux.ibm.com>
-Cc: Paulo Flabiano Smorigo <pfsmorigo@gmail.com>
-Cc: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: linux-crypto@vger.kernel.org
-Cc: Michael Ellerman <mpe@ellerman.id.au>
-Cc: Nicholas Piggin <npiggin@gmail.com>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Cc: linuxppc-dev@lists.ozlabs.org
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/crypto/nx/Makefile | 2 +-
- drivers/crypto/nx/nx.h | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile
-index 015155da59c29..76139865d7fa1 100644
---- a/drivers/crypto/nx/Makefile
-+++ b/drivers/crypto/nx/Makefile
-@@ -1,7 +1,6 @@
- # SPDX-License-Identifier: GPL-2.0
- obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o
- nx-crypto-objs := nx.o \
-- nx_debugfs.o \
- nx-aes-cbc.o \
- nx-aes-ecb.o \
- nx-aes-gcm.o \
-@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \
- nx-sha256.o \
- nx-sha512.o
-
-+nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o
- obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o
- obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o
- nx-compress-objs := nx-842.o
-diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h
-index c3e54af18645c..ebad937a9545c 100644
---- a/drivers/crypto/nx/nx.h
-+++ b/drivers/crypto/nx/nx.h
-@@ -180,8 +180,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int,
- int nx_debugfs_init(struct nx_crypto_driver *);
- void nx_debugfs_fini(struct nx_crypto_driver *);
- #else
--#define NX_DEBUGFS_INIT(drv) (0)
--#define NX_DEBUGFS_FINI(drv) (0)
-+#define NX_DEBUGFS_INIT(drv) do {} while (0)
-+#define NX_DEBUGFS_FINI(drv) do {} while (0)
- #endif
-
- #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL)
---
-2.39.2
-
+++ /dev/null
-From 233f69239c9aa2b9be0322933feb055562d8f437 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 7 Jun 2023 19:19:02 +0900
-Subject: debugobjects: Recheck debug_objects_enabled before reporting
-
-From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-
-[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ]
-
-syzbot is reporting false a positive ODEBUG message immediately after
-ODEBUG was disabled due to OOM.
-
- [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled
- [ 1062.886755][ T5171] ------------[ cut here ]------------
- [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40
-
- CPU 0 [ T5171] CPU 1 [T22911]
- -------------- --------------
- debug_object_assert_init() {
- if (!debug_objects_enabled)
- return;
- db = get_bucket(addr);
- lookup_object_or_alloc() {
- debug_objects_enabled = 0;
- return NULL;
- }
- debug_objects_oom() {
- pr_warn("Out of memory. ODEBUG disabled\n");
- // all buckets get emptied here, and
- }
- lookup_object_or_alloc(addr, db, descr, false, true) {
- // this bucket is already empty.
- return ERR_PTR(-ENOENT);
- }
- // Emits false positive warning.
- debug_print_object(&o, "assert_init");
- }
-
-Recheck debug_object_enabled in debug_print_object() to avoid that.
-
-Reported-by: syzbot <syzbot+7937ba6a50bdd00fffdf@syzkaller.appspotmail.com>
-Suggested-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp
-Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- lib/debugobjects.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/lib/debugobjects.c b/lib/debugobjects.c
-index 5f23d896df55a..62d095fd0c52a 100644
---- a/lib/debugobjects.c
-+++ b/lib/debugobjects.c
-@@ -371,6 +371,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg)
- struct debug_obj_descr *descr = obj->descr;
- static int limit;
-
-+ /*
-+ * Don't report if lookup_object_or_alloc() by the current thread
-+ * failed because lookup_object_or_alloc()/debug_objects_oom() by a
-+ * concurrent thread turned off debug_objects_enabled and cleared
-+ * the hash buckets.
-+ */
-+ if (!debug_objects_enabled)
-+ return;
-+
- if (limit < 5 && descr != descr_test) {
- void *hint = descr->debug_hint ?
- descr->debug_hint(obj->object) : NULL;
---
-2.39.2
-
+++ /dev/null
-From a2b308044dcaca8d3e580959a4f867a1d5c37fac Mon Sep 17 00:00:00 2001
-From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
-Date: Sat, 13 May 2023 14:51:00 +0200
-Subject: drm/amdgpu: Validate VM ioctl flags.
-
-From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
-
-commit a2b308044dcaca8d3e580959a4f867a1d5c37fac upstream.
-
-None have been defined yet, so reject anybody setting any. Mesa sets
-it to 0 anyway.
-
-Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
-@@ -2989,6 +2989,10 @@ int amdgpu_vm_ioctl(struct drm_device *d
- struct amdgpu_fpriv *fpriv = filp->driver_priv;
- int r;
-
-+ /* No valid flags defined yet */
-+ if (args->in.flags)
-+ return -EINVAL;
-+
- switch (args->in.op) {
- case AMDGPU_VM_OP_RESERVE_VMID:
- /* current, we only have requirement to reserve vmid from gfxhub */
+++ /dev/null
-From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-Date: Fri, 21 Jul 2023 15:58:38 +0200
-Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
-
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-
-commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
-
-This requires a bit of background. Properly done a modeset driver's
-unload/remove sequence should be
-
- drm_dev_unplug();
- drm_atomic_helper_shutdown();
- drm_dev_put();
-
-The trouble is that the drm_dev_unplugged() checks are by design racy,
-they do not synchronize against all outstanding ioctl. This is because
-those ioctl could block forever (both for modeset and for driver
-specific ioctls), leading to deadlocks in hotunplug. Instead the code
-sections that touch the hardware need to be annotated with
-drm_dev_enter/exit, to avoid accessing hardware resources after the
-unload/remove has finished.
-
-To avoid use-after-free issues all the involved userspace visible
-objects are supposed to hold a reference on the underlying drm_device,
-like drm_file does.
-
-The issue now is that we missed one, the atomic modeset ioctl can be run
-in a nonblocking fashion, and in that case it cannot rely on the implied
-drm_device reference provided by the ioctl calling context. This can
-result in a use-after-free if an nonblocking atomic commit is carefully
-raced against a driver unload.
-
-Fix this by unconditionally grabbing a drm_device reference for any
-drm_atomic_state structures. Strictly speaking this isn't required for
-blocking commits and TEST_ONLY calls, but it's the simpler approach.
-
-Thanks to shanzhulig for the initial idea of grabbing an unconditional
-reference, I just added comments, a condensed commit message and fixed a
-minor potential issue in where exactly we drop the final reference.
-
-Reported-by: shanzhulig <shanzhulig@gmail.com>
-Suggested-by: shanzhulig <shanzhulig@gmail.com>
-Reviewed-by: Maxime Ripard <mripard@kernel.org>
-Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
-Cc: Thomas Zimmermann <tzimmermann@suse.de>
-Cc: David Airlie <airlied@gmail.com>
-Cc: stable@kernel.org
-Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
-Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/drm_atomic.c
-+++ b/drivers/gpu/drm/drm_atomic.c
-@@ -91,6 +91,12 @@ drm_atomic_state_init(struct drm_device
- if (!state->planes)
- goto fail;
-
-+ /*
-+ * Because drm_atomic_state can be committed asynchronously we need our
-+ * own reference and cannot rely on the on implied by drm_file in the
-+ * ioctl call.
-+ */
-+ drm_dev_get(dev);
- state->dev = dev;
-
- DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
-@@ -250,7 +256,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
- void __drm_atomic_state_free(struct kref *ref)
- {
- struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
-- struct drm_mode_config *config = &state->dev->mode_config;
-+ struct drm_device *dev = state->dev;
-+ struct drm_mode_config *config = &dev->mode_config;
-
- drm_atomic_state_clear(state);
-
-@@ -262,6 +269,8 @@ void __drm_atomic_state_free(struct kref
- drm_atomic_state_default_release(state);
- kfree(state);
- }
-+
-+ drm_dev_put(dev);
- }
- EXPORT_SYMBOL(__drm_atomic_state_free);
-
+++ /dev/null
-From 991fcb77f490390bcad89fa67d95763c58cdc04c Mon Sep 17 00:00:00 2001
-From: Lyude Paul <lyude@redhat.com>
-Date: Thu, 5 Nov 2020 18:57:02 -0500
-Subject: drm/edid: Fix uninitialized variable in drm_cvt_modes()
-
-From: Lyude Paul <lyude@redhat.com>
-
-commit 991fcb77f490390bcad89fa67d95763c58cdc04c upstream.
-
-Noticed this when trying to compile with -Wall on a kernel fork. We
-potentially don't set width here, which causes the compiler to complain
-about width potentially being uninitialized in drm_cvt_modes(). So, let's
-fix that.
-
-Changes since v1:
-* Don't emit an error as this code isn't reachable, just mark it as such
-Changes since v2:
-* Remove now unused variable
-
-Fixes: 3f649ab728cd ("treewide: Remove uninitialized_var() usage")
-Signed-off-by: Lyude Paul <lyude@redhat.com>
-Reviewed-by: Ilia Mirkin <imirkin@alum.mit.edu>
-Link: https://patchwork.freedesktop.org/patch/msgid/20201105235703.1328115-1-lyude@redhat.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/drm_edid.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/gpu/drm/drm_edid.c
-+++ b/drivers/gpu/drm/drm_edid.c
-@@ -2798,6 +2798,8 @@ static int drm_cvt_modes(struct drm_conn
- case 0x0c:
- width = height * 15 / 9;
- break;
-+ default:
-+ unreachable();
- }
-
- for (j = 1; j < 5; j++) {
+++ /dev/null
-From e827def04dcba9582598bfa29b10f68ed4108f2d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 16 May 2023 10:50:39 +0200
-Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
-
-From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
-
-[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ]
-
-The previous setting was related to the overall dimension and not to the
-active display area.
-In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the
-following parameters:
-
- ----------------------------------------------------------
-| Item | Specifications | unit |
- ----------------------------------------------------------
-| Display area | 98.7 (W) x 57.5 (H) | mm |
- ----------------------------------------------------------
-| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm |
- ----------------------------------------------------------
-
-Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H")
-Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
-Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
-[narmstrong: fixed Fixes commit id length]
-Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
-Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/panel/panel-simple.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
-index a424afdcc77a1..35771e0e69fa6 100644
---- a/drivers/gpu/drm/panel/panel-simple.c
-+++ b/drivers/gpu/drm/panel/panel-simple.c
-@@ -405,8 +405,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = {
- .num_modes = 1,
- .bpc = 8,
- .size = {
-- .width = 105,
-- .height = 67,
-+ .width = 99,
-+ .height = 58,
- },
- .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
- };
---
-2.39.2
-
+++ /dev/null
-From eeeaa3a9489dc01c08a7ac9ba2b400970310d8f6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 19 May 2023 08:33:27 -0700
-Subject: drm/radeon: fix possible division-by-zero errors
-
-From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
-
-[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ]
-
-Function rv740_get_decoded_reference_divider() may return 0 due to
-unpredictable reference divider value calculated in
-radeon_atom_get_clock_dividers(). This will lead to
-division-by-zero error once that value is used as a divider
-in calculating 'clk_s'.
-While unlikely, this issue should nonetheless be prevented so add a
-sanity check for such cases by testing 'decoded_ref' value against 0.
-
-Found by Linux Verification Center (linuxtesting.org) with static
-analysis tool SVACE.
-
-v2: minor coding style fixes (Alex)
-In practice this should actually happen as the vbios should be
-properly populated.
-
-Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)")
-Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++--
- drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++--
- drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++--
- 3 files changed, 18 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
-index 3eb7899a4035b..2c637e04dfebc 100644
---- a/drivers/gpu/drm/radeon/cypress_dpm.c
-+++ b/drivers/gpu/drm/radeon/cypress_dpm.c
-@@ -558,8 +558,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev,
- ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
- u32 reference_clock = rdev->clock.mpll.reference_freq;
- u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
-- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
-- u32 clk_v = ss.percentage *
-+ u32 clk_s, clk_v;
-+
-+ if (!decoded_ref)
-+ return -EINVAL;
-+ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
-+ clk_v = ss.percentage *
- (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
-
- mpll_ss1 &= ~CLKV_MASK;
-diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c
-index a7273c01de34b..2a9d415400f79 100644
---- a/drivers/gpu/drm/radeon/ni_dpm.c
-+++ b/drivers/gpu/drm/radeon/ni_dpm.c
-@@ -2239,8 +2239,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev,
- ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
- u32 reference_clock = rdev->clock.mpll.reference_freq;
- u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
-- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
-- u32 clk_v = ss.percentage *
-+ u32 clk_s, clk_v;
-+
-+ if (!decoded_ref)
-+ return -EINVAL;
-+ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
-+ clk_v = ss.percentage *
- (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
-
- mpll_ss1 &= ~CLKV_MASK;
-diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c
-index afd597ec50858..50290e93c79dc 100644
---- a/drivers/gpu/drm/radeon/rv740_dpm.c
-+++ b/drivers/gpu/drm/radeon/rv740_dpm.c
-@@ -251,8 +251,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev,
- ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
- u32 reference_clock = rdev->clock.mpll.reference_freq;
- u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
-- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
-- u32 clk_v = 0x40000 * ss.percentage *
-+ u32 clk_s, clk_v;
-+
-+ if (!decoded_ref)
-+ return -EINVAL;
-+ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
-+ clk_v = 0x40000 * ss.percentage *
- (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000);
-
- mpll_ss1 &= ~CLKV_MASK;
---
-2.39.2
-
+++ /dev/null
-From 3ed7461ec41add6315b7cb24e8bdc79b6637250c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 6 Mar 2023 11:40:36 +0100
-Subject: evm: Complete description of evm_inode_setattr()
-
-From: Roberto Sassu <roberto.sassu@huawei.com>
-
-[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ]
-
-Add the description for missing parameters of evm_inode_setattr() to
-avoid the warning arising with W=n compile option.
-
-Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+
-Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+
-Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
-Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- security/integrity/evm/evm_main.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
-index 6d1efe1359f17..9c036a41e7347 100644
---- a/security/integrity/evm/evm_main.c
-+++ b/security/integrity/evm/evm_main.c
-@@ -474,7 +474,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
-
- /**
- * evm_inode_setattr - prevent updating an invalid EVM extended attribute
-+ * @idmap: idmap of the mount
- * @dentry: pointer to the affected dentry
-+ * @attr: iattr structure containing the new file attributes
- *
- * Permit update of file attributes when files have a valid EVM signature,
- * except in the case of them having an immutable portable signature.
---
-2.39.2
-
+++ /dev/null
-From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001
-From: Eric Whitney <enwlinux@gmail.com>
-Date: Mon, 22 May 2023 14:15:20 -0400
-Subject: ext4: correct inline offset when handling xattrs in inode body
-
-From: Eric Whitney <enwlinux@gmail.com>
-
-commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream.
-
-When run on a file system where the inline_data feature has been
-enabled, xfstests generic/269, generic/270, and generic/476 cause ext4
-to emit error messages indicating that inline directory entries are
-corrupted. This occurs because the inline offset used to locate
-inline directory entries in the inode body is not updated when an
-xattr in that shared region is deleted and the region is shifted in
-memory to recover the space it occupied. If the deleted xattr precedes
-the system.data attribute, which points to the inline directory entries,
-that attribute will be moved further up in the region. The inline
-offset continues to point to whatever is located in system.data's former
-location, with unfortunate effects when used to access directory entries
-or (presumably) inline data in the inode body.
-
-Cc: stable@kernel.org
-Signed-off-by: Eric Whitney <enwlinux@gmail.com>
-Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/xattr.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
---- a/fs/ext4/xattr.c
-+++ b/fs/ext4/xattr.c
-@@ -1767,6 +1767,20 @@ static int ext4_xattr_set_entry(struct e
- memmove(here, (void *)here + size,
- (void *)last - (void *)here + sizeof(__u32));
- memset(last, 0, size);
-+
-+ /*
-+ * Update i_inline_off - moved ibody region might contain
-+ * system.data attribute. Handling a failure here won't
-+ * cause other complications for setting an xattr.
-+ */
-+ if (!is_block && ext4_has_inline_data(inode)) {
-+ ret = ext4_find_inline_data_nolock(inode);
-+ if (ret) {
-+ ext4_warning_inode(inode,
-+ "unable to update i_inline_off");
-+ goto out;
-+ }
-+ }
- } else if (s->not_found) {
- /* Insert new name. */
- size_t size = EXT4_XATTR_LEN(name_len);
+++ /dev/null
-From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001
-From: Chao Yu <chao@kernel.org>
-Date: Tue, 6 Jun 2023 15:32:03 +0800
-Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
-
-From: Chao Yu <chao@kernel.org>
-
-commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream.
-
-freeze_bdev() can fail due to a lot of reasons, it needs to check its
-reason before later process.
-
-Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl")
-Cc: stable@kernel.org
-Signed-off-by: Chao Yu <chao@kernel.org>
-Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/ioctl.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/fs/ext4/ioctl.c
-+++ b/fs/ext4/ioctl.c
-@@ -561,6 +561,7 @@ static int ext4_shutdown(struct super_bl
- {
- struct ext4_sb_info *sbi = EXT4_SB(sb);
- __u32 flags;
-+ int ret;
-
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-@@ -579,7 +580,9 @@ static int ext4_shutdown(struct super_bl
-
- switch (flags) {
- case EXT4_GOING_FLAGS_DEFAULT:
-- freeze_bdev(sb->s_bdev);
-+ ret = freeze_bdev(sb->s_bdev);
-+ if (ret)
-+ return ret;
- set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
- thaw_bdev(sb->s_bdev, sb);
- break;
+++ /dev/null
-From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001
-From: Kemeng Shi <shikemeng@huaweicloud.com>
-Date: Sat, 3 Jun 2023 23:03:18 +0800
-Subject: ext4: fix wrong unit use in ext4_mb_clear_bb
-
-From: Kemeng Shi <shikemeng@huaweicloud.com>
-
-commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream.
-
-Function ext4_issue_discard need count in cluster. Pass count_clusters
-instead of count to fix the mismatch.
-
-Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
-Cc: stable@kernel.org
-Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
-Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/mballoc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/mballoc.c
-+++ b/fs/ext4/mballoc.c
-@@ -4948,8 +4948,8 @@ do_more:
- * them with group lock_held
- */
- if (test_opt(sb, DISCARD)) {
-- err = ext4_issue_discard(sb, block_group, bit, count,
-- NULL);
-+ err = ext4_issue_discard(sb, block_group, bit,
-+ count_clusters, NULL);
- if (err && err != -EOPNOTSUPP)
- ext4_msg(sb, KERN_WARNING, "discard request in"
- " group:%d block:%d count:%lu failed"
+++ /dev/null
-From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001
-From: Baokun Li <libaokun1@huawei.com>
-Date: Mon, 24 Apr 2023 11:38:35 +0800
-Subject: ext4: only update i_reserved_data_blocks on successful block allocation
-
-From: Baokun Li <libaokun1@huawei.com>
-
-commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream.
-
-In our fault injection test, we create an ext4 file, migrate it to
-non-extent based file, then punch a hole and finally trigger a WARN_ON
-in the ext4_da_update_reserve_space():
-
-EXT4-fs warning (device sda): ext4_da_update_reserve_space:369:
-ino 14, used 11 with only 10 reserved data blocks
-
-When writing back a non-extent based file, if we enable delalloc, the
-number of reserved blocks will be subtracted from the number of blocks
-mapped by ext4_ind_map_blocks(), and the extent status tree will be
-updated. We update the extent status tree by first removing the old
-extent_status and then inserting the new extent_status. If the block range
-we remove happens to be in an extent, then we need to allocate another
-extent_status with ext4_es_alloc_extent().
-
- use old to remove to add new
- |----------|------------|------------|
- old extent_status
-
-The problem is that the allocation of a new extent_status failed due to a
-fault injection, and __es_shrink() did not get free memory, resulting in
-a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM,
-we map to the same extent again, and the number of reserved blocks is again
-subtracted from the number of blocks in that extent. Since the blocks in
-the same extent are subtracted twice, we end up triggering WARN_ON at
-ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks.
-
-For non-extent based file, we update the number of reserved blocks after
-ext4_ind_map_blocks() is executed, which causes a problem that when we call
-ext4_ind_map_blocks() to create a block, it doesn't always create a block,
-but we always reduce the number of reserved blocks. So we move the logic
-for updating reserved blocks to ext4_ind_map_blocks() to ensure that the
-number of reserved blocks is updated only after we do succeed in allocating
-some new blocks.
-
-Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate")
-Cc: stable@kernel.org
-Signed-off-by: Baokun Li <libaokun1@huawei.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/indirect.c | 8 ++++++++
- fs/ext4/inode.c | 10 ----------
- 2 files changed, 8 insertions(+), 10 deletions(-)
-
---- a/fs/ext4/indirect.c
-+++ b/fs/ext4/indirect.c
-@@ -642,6 +642,14 @@ int ext4_ind_map_blocks(handle_t *handle
-
- ext4_update_inode_fsync_trans(handle, inode, 1);
- count = ar.len;
-+
-+ /*
-+ * Update reserved blocks/metadata blocks after successful block
-+ * allocation which had been deferred till now.
-+ */
-+ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)
-+ ext4_da_update_reserve_space(inode, count, 1);
-+
- got_it:
- map->m_flags |= EXT4_MAP_MAPPED;
- map->m_pblk = le32_to_cpu(chain[depth-1].key);
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -668,16 +668,6 @@ found:
- */
- ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE);
- }
--
-- /*
-- * Update reserved blocks/metadata blocks after successful
-- * block allocation which had been deferred till now. We don't
-- * support fallocate for non extent files. So we can update
-- * reserve space here.
-- */
-- if ((retval > 0) &&
-- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE))
-- ext4_da_update_reserve_space(inode, retval, 1);
- }
-
- if (retval > 0) {
+++ /dev/null
-From cc6bac4f6afd26a471e06f23c295864ecbdeab10 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 22 Mar 2023 16:39:53 +0200
-Subject: extcon: Fix kernel doc of property capability fields to avoid
- warnings
-
-From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-
-[ Upstream commit 73346b9965ebda2feb7fef8629e9b28baee820e3 ]
-
-Kernel documentation has to be synchronized with a code, otherwise
-the validator is not happy:
-
- Function parameter or member 'usb_bits' not described in 'extcon_cable'
- Function parameter or member 'chg_bits' not described in 'extcon_cable'
- Function parameter or member 'jack_bits' not described in 'extcon_cable'
- Function parameter or member 'disp_bits' not described in 'extcon_cable'
-
-Describe the fields added in the past.
-
-Fixes: ceaa98f442cf ("extcon: Add the support for the capability of each property")
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/extcon/extcon.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c
-index 0607806ad46e8..84fc0e48bb0e8 100644
---- a/drivers/extcon/extcon.c
-+++ b/drivers/extcon/extcon.c
-@@ -208,6 +208,10 @@ static const struct __extcon_info {
- * @chg_propval: the array of charger connector properties
- * @jack_propval: the array of jack connector properties
- * @disp_propval: the array of display connector properties
-+ * @usb_bits: the bit array of the USB connector property capabilities
-+ * @chg_bits: the bit array of the charger connector property capabilities
-+ * @jack_bits: the bit array of the jack connector property capabilities
-+ * @disp_bits: the bit array of the display connector property capabilities
- */
- struct extcon_cable {
- struct extcon_dev *edev;
---
-2.39.2
-
+++ /dev/null
-From 707d4d01424345740571236ea3f2ca010fa11d75 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 22 Mar 2023 16:39:52 +0200
-Subject: extcon: Fix kernel doc of property fields to avoid warnings
-
-From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-
-[ Upstream commit 7e77e0b7a9f4cdf91cb0950749b40c840ea63efc ]
-
-Kernel documentation has to be synchronized with a code, otherwise
-the validator is not happy:
-
- Function parameter or member 'usb_propval' not described in 'extcon_cable'
- Function parameter or member 'chg_propval' not described in 'extcon_cable'
- Function parameter or member 'jack_propval' not described in 'extcon_cable'
- Function parameter or member 'disp_propval' not described in 'extcon_cable'
-
-Describe the fields added in the past.
-
-Fixes: 067c1652e7a7 ("extcon: Add the support for extcon property according to extcon type")
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/extcon/extcon.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c
-index 4c70136c7aa3c..0607806ad46e8 100644
---- a/drivers/extcon/extcon.c
-+++ b/drivers/extcon/extcon.c
-@@ -204,6 +204,10 @@ static const struct __extcon_info {
- * @attr_name: "name" sysfs entry
- * @attr_state: "state" sysfs entry
- * @attrs: the array pointing to attr_name and attr_state for attr_g
-+ * @usb_propval: the array of USB connector properties
-+ * @chg_propval: the array of charger connector properties
-+ * @jack_propval: the array of jack connector properties
-+ * @disp_propval: the array of display connector properties
- */
- struct extcon_cable {
- struct extcon_dev *edev;
---
-2.39.2
-
+++ /dev/null
-From 2b0762ff7262e714b210e68c9b732895f8db7f29 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 29 Jun 2023 09:41:02 +0800
-Subject: f2fs: fix error path handling in truncate_dnode()
-
-From: Chao Yu <chao@kernel.org>
-
-[ Upstream commit 0135c482fa97e2fd8245cb462784112a00ed1211 ]
-
-If truncate_node() fails in truncate_dnode(), it missed to call
-f2fs_put_page(), fix it.
-
-Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()")
-Signed-off-by: Chao Yu <chao@kernel.org>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/node.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
-index 2c28f488ac2f0..9911f780e0136 100644
---- a/fs/f2fs/node.c
-+++ b/fs/f2fs/node.c
-@@ -879,8 +879,10 @@ static int truncate_dnode(struct dnode_of_data *dn)
- dn->ofs_in_node = 0;
- f2fs_truncate_data_blocks(dn);
- err = truncate_node(dn);
-- if (err)
-+ if (err) {
-+ f2fs_put_page(page, 1);
- return err;
-+ }
-
- return 1;
- }
---
-2.39.2
-
+++ /dev/null
-From d95706927c87029a0dd3db53f6b360d5e0fc788a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 15 Jul 2023 16:16:56 +0800
-Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
-
-From: Zhang Shurong <zhang_shurong@foxmail.com>
-
-[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ]
-
-This func misses checking for platform_get_irq()'s call and may passes the
-negative error codes to request_irq(), which takes unsigned IRQ #,
-causing it to fail with -EINVAL, overriding an original error code.
-
-Fix this by stop calling request_irq() with invalid IRQ #s.
-
-Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ")
-Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/video/fbdev/au1200fb.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
-index f8e83a9519189..593c390e98629 100644
---- a/drivers/video/fbdev/au1200fb.c
-+++ b/drivers/video/fbdev/au1200fb.c
-@@ -1744,6 +1744,9 @@ static int au1200fb_drv_probe(struct platform_device *dev)
-
- /* Now hook interrupt too */
- irq = platform_get_irq(dev, 0);
-+ if (irq < 0)
-+ return irq;
-+
- ret = request_irq(irq, au1200fb_handle_irq,
- IRQF_SHARED, "lcd", (void *)dev);
- if (ret) {
---
-2.39.2
-
+++ /dev/null
-From c75f5a55061091030a13fef71b9995b89bc86213 Mon Sep 17 00:00:00 2001
-From: Zheng Wang <zyytlz.wz@163.com>
-Date: Thu, 27 Apr 2023 11:08:41 +0800
-Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe
-
-From: Zheng Wang <zyytlz.wz@163.com>
-
-commit c75f5a55061091030a13fef71b9995b89bc86213 upstream.
-
-A use-after-free bug may occur if init_imstt invokes framebuffer_release
-and free the info ptr. The caller, imsttfb_probe didn't notice that and
-still keep the ptr as private data in pdev.
-
-If we remove the driver which will call imsttfb_remove to make cleanup,
-UAF happens.
-
-Fix it by return error code if bad case happens in init_imstt.
-
-Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/video/fbdev/imsttfb.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
---- a/drivers/video/fbdev/imsttfb.c
-+++ b/drivers/video/fbdev/imsttfb.c
-@@ -1348,7 +1348,7 @@ static struct fb_ops imsttfb_ops = {
- .fb_ioctl = imsttfb_ioctl,
- };
-
--static void init_imstt(struct fb_info *info)
-+static int init_imstt(struct fb_info *info)
- {
- struct imstt_par *par = info->par;
- __u32 i, tmp, *ip, *end;
-@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *i
- || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) {
- printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel);
- framebuffer_release(info);
-- return;
-+ return -ENODEV;
- }
-
- sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP");
-@@ -1456,12 +1456,13 @@ static void init_imstt(struct fb_info *i
-
- if (register_framebuffer(info) < 0) {
- framebuffer_release(info);
-- return;
-+ return -ENODEV;
- }
-
- tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8;
- fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n",
- info->fix.id, info->fix.smem_len >> 20, tmp);
-+ return 0;
- }
-
- static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
-@@ -1527,10 +1528,10 @@ static int imsttfb_probe(struct pci_dev
- if (!par->cmap_regs)
- goto error;
- info->pseudo_palette = par->palette;
-- init_imstt(info);
--
-- pci_set_drvdata(pdev, info);
-- return 0;
-+ ret = init_imstt(info);
-+ if (!ret)
-+ pci_set_drvdata(pdev, info);
-+ return ret;
-
- error:
- if (par->dc_regs)
+++ /dev/null
-From 579bc81ba8cb2dd46b633e39130cee0e0828597b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 28 Jun 2023 15:24:37 +0200
-Subject: fbdev: imxfb: warn about invalid left/right margin
-
-From: Martin Kaiser <martin@kaiser.cx>
-
-[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ]
-
-Warn about invalid var->left_margin or var->right_margin. Their values
-are read from the device tree.
-
-We store var->left_margin-3 and var->right_margin-1 in register
-fields. These fields should be >= 0.
-
-Fixes: 7e8549bcee00 ("imxfb: Fix margin settings")
-Signed-off-by: Martin Kaiser <martin@kaiser.cx>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/video/fbdev/imxfb.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
-index c4eb8661f7516..8ec260ed9a6f6 100644
---- a/drivers/video/fbdev/imxfb.c
-+++ b/drivers/video/fbdev/imxfb.c
-@@ -601,10 +601,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf
- if (var->hsync_len < 1 || var->hsync_len > 64)
- printk(KERN_ERR "%s: invalid hsync_len %d\n",
- info->fix.id, var->hsync_len);
-- if (var->left_margin > 255)
-+ if (var->left_margin < 3 || var->left_margin > 255)
- printk(KERN_ERR "%s: invalid left_margin %d\n",
- info->fix.id, var->left_margin);
-- if (var->right_margin > 255)
-+ if (var->right_margin < 1 || var->right_margin > 255)
- printk(KERN_ERR "%s: invalid right_margin %d\n",
- info->fix.id, var->right_margin);
- if (var->yres < 1 || var->yres > ymax_mask)
---
-2.39.2
-
+++ /dev/null
-From 45589c7b202f7e510d68e9201eb4d378e0be55f0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 4 Jun 2023 17:42:28 +0200
-Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in
- mipid_spi_probe()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ]
-
-If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.
-
-Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c
-index e3a85432f9266..5730355ee5986 100644
---- a/drivers/video/fbdev/omap/lcd_mipid.c
-+++ b/drivers/video/fbdev/omap/lcd_mipid.c
-@@ -576,11 +576,15 @@ static int mipid_spi_probe(struct spi_device *spi)
-
- r = mipid_detect(md);
- if (r < 0)
-- return r;
-+ goto free_md;
-
- omapfb_register_panel(&md->panel);
-
- return 0;
-+
-+free_md:
-+ kfree(md);
-+ return r;
- }
-
- static int mipid_spi_remove(struct spi_device *spi)
---
-2.39.2
-
+++ /dev/null
-From 92655fbda5c05950a411eaabc19e025e86e2a291 Mon Sep 17 00:00:00 2001
-From: Alexander Aring <aahringo@redhat.com>
-Date: Fri, 19 May 2023 11:21:24 -0400
-Subject: fs: dlm: return positive pid value for F_GETLK
-
-From: Alexander Aring <aahringo@redhat.com>
-
-commit 92655fbda5c05950a411eaabc19e025e86e2a291 upstream.
-
-The GETLK pid values have all been negated since commit 9d5b86ac13c5
-("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks").
-Revert this for local pids, and leave in place negative pids for remote
-owners.
-
-Cc: stable@vger.kernel.org
-Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks")
-Signed-off-by: Alexander Aring <aahringo@redhat.com>
-Signed-off-by: David Teigland <teigland@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/dlm/plock.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/fs/dlm/plock.c
-+++ b/fs/dlm/plock.c
-@@ -366,7 +366,9 @@ int dlm_posix_get(dlm_lockspace_t *locks
- locks_init_lock(fl);
- fl->fl_type = (op->info.ex) ? F_WRLCK : F_RDLCK;
- fl->fl_flags = FL_POSIX;
-- fl->fl_pid = -op->info.pid;
-+ fl->fl_pid = op->info.pid;
-+ if (op->info.nodeid != dlm_our_nodeid())
-+ fl->fl_pid = -fl->fl_pid;
- fl->fl_start = op->info.start;
- fl->fl_end = op->info.end;
- rv = 0;
+++ /dev/null
-From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi <mszeredi@redhat.com>
-Date: Wed, 7 Jun 2023 17:49:20 +0200
-Subject: fuse: revalidate: don't invalidate if interrupted
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream.
-
-If the LOOKUP request triggered from fuse_dentry_revalidate() is
-interrupted, then the dentry will be invalidated, possibly resulting in
-submounts being unmounted.
-
-Reported-by: Xu Rongbo <xurongbo@baidu.com>
-Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/
-Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/fuse/dir.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -232,7 +232,7 @@ static int fuse_dentry_revalidate(struct
- spin_unlock(&fc->lock);
- }
- kfree(forget);
-- if (ret == -ENOMEM)
-+ if (ret == -ENOMEM || ret == -EINTR)
- goto out;
- if (ret || fuse_invalid_attr(&outarg.attr) ||
- (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
+++ /dev/null
-From 504a10d9e46bc37b23d0a1ae2f28973c8516e636 Mon Sep 17 00:00:00 2001
-From: Bob Peterson <rpeterso@redhat.com>
-Date: Fri, 28 Apr 2023 12:07:46 -0400
-Subject: gfs2: Don't deref jdesc in evict
-
-From: Bob Peterson <rpeterso@redhat.com>
-
-commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 upstream.
-
-On corrupt gfs2 file systems the evict code can try to reference the
-journal descriptor structure, jdesc, after it has been freed and set to
-NULL. The sequence of events is:
-
-init_journal()
-...
-fail_jindex:
- gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
- if (gfs2_holder_initialized(&ji_gh))
- gfs2_glock_dq_uninit(&ji_gh);
-fail:
- iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
- evict()
- gfs2_evict_inode()
- evict_linked_inode()
- ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
-<------references the now freed/zeroed sd_jdesc pointer.
-
-The call to gfs2_trans_begin is done because the truncate_inode_pages
-call can cause gfs2 events that require a transaction, such as removing
-journaled data (jdata) blocks from the journal.
-
-This patch fixes the problem by adding a check for sdp->sd_jdesc to
-function gfs2_evict_inode. In theory, this should only happen to corrupt
-gfs2 file systems, when gfs2 detects the problem, reports it, then tries
-to evict all the system inodes it has read in up to that point.
-
-Reported-by: Yang Lan <lanyang0908@gmail.com>
-Signed-off-by: Bob Peterson <rpeterso@redhat.com>
-Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
-[DP: adjusted context]
-Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/gfs2/super.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/fs/gfs2/super.c
-+++ b/fs/gfs2/super.c
-@@ -1586,6 +1586,14 @@ static void gfs2_evict_inode(struct inod
- if (inode->i_nlink || sb_rdonly(sb))
- goto out;
-
-+ /*
-+ * In case of an incomplete mount, gfs2_evict_inode() may be called for
-+ * system files without having an active journal to write to. In that
-+ * case, skip the filesystem evict.
-+ */
-+ if (!sdp->sd_jdesc)
-+ goto out;
-+
- if (test_bit(GIF_ALLOC_FAILED, &ip->i_flags)) {
- BUG_ON(!gfs2_glock_is_locked_by_me(ip->i_gl));
- gfs2_holder_mark_uninitialized(&gh);
+++ /dev/null
-From f8db8de33b48afe5ae3f57f6e8cba66c1e9aa6a3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 22 Jun 2023 14:32:31 -0700
-Subject: gtp: Fix use-after-free in __gtp_encap_destroy().
-
-From: Kuniyuki Iwashima <kuniyu@amazon.com>
-
-[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ]
-
-syzkaller reported use-after-free in __gtp_encap_destroy(). [0]
-
-It shows the same process freed sk and touched it illegally.
-
-Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
-and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,
-but release_sock() is called after sock_put() releases the last refcnt.
-
-[0]:
-BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
-BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
-BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
-BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
-BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
-BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
-Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401
-
-CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
-Call Trace:
- <TASK>
- __dump_stack lib/dump_stack.c:88 [inline]
- dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
- print_address_description mm/kasan/report.c:351 [inline]
- print_report+0xcc/0x620 mm/kasan/report.c:462
- kasan_report+0xb2/0xe0 mm/kasan/report.c:572
- check_region_inline mm/kasan/generic.c:181 [inline]
- kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
- instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
- atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
- queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
- do_raw_spin_lock include/linux/spinlock.h:186 [inline]
- __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
- _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
- spin_lock_bh include/linux/spinlock.h:355 [inline]
- release_sock+0x1f/0x1a0 net/core/sock.c:3526
- gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
- gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
- gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
- unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
- rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
- rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
- rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
- netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
- netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
- netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
- netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
- sock_sendmsg_nosec net/socket.c:724 [inline]
- sock_sendmsg+0x1b7/0x200 net/socket.c:747
- ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
- ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
- __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
- do_syscall_x64 arch/x86/entry/common.c:50 [inline]
- do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
- entry_SYSCALL_64_after_hwframe+0x72/0xdc
-RIP: 0033:0x7f1168b1fe5d
-Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
-RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
-RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
-RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
-RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
-R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
- </TASK>
-
-Allocated by task 1483:
- kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
- kasan_set_track+0x25/0x30 mm/kasan/common.c:52
- __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328
- kasan_slab_alloc include/linux/kasan.h:186 [inline]
- slab_post_alloc_hook mm/slab.h:711 [inline]
- slab_alloc_node mm/slub.c:3451 [inline]
- slab_alloc mm/slub.c:3459 [inline]
- __kmem_cache_alloc_lru mm/slub.c:3466 [inline]
- kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475
- sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073
- sk_alloc+0x34/0x6c0 net/core/sock.c:2132
- inet6_create net/ipv6/af_inet6.c:192 [inline]
- inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119
- __sock_create+0x2a1/0x530 net/socket.c:1535
- sock_create net/socket.c:1586 [inline]
- __sys_socket_create net/socket.c:1623 [inline]
- __sys_socket_create net/socket.c:1608 [inline]
- __sys_socket+0x137/0x250 net/socket.c:1651
- __do_sys_socket net/socket.c:1664 [inline]
- __se_sys_socket net/socket.c:1662 [inline]
- __x64_sys_socket+0x72/0xb0 net/socket.c:1662
- do_syscall_x64 arch/x86/entry/common.c:50 [inline]
- do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
- entry_SYSCALL_64_after_hwframe+0x72/0xdc
-
-Freed by task 2401:
- kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
- kasan_set_track+0x25/0x30 mm/kasan/common.c:52
- kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521
- ____kasan_slab_free mm/kasan/common.c:236 [inline]
- ____kasan_slab_free mm/kasan/common.c:200 [inline]
- __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244
- kasan_slab_free include/linux/kasan.h:162 [inline]
- slab_free_hook mm/slub.c:1781 [inline]
- slab_free_freelist_hook mm/slub.c:1807 [inline]
- slab_free mm/slub.c:3786 [inline]
- kmem_cache_free+0xb4/0x490 mm/slub.c:3808
- sk_prot_free net/core/sock.c:2113 [inline]
- __sk_destruct+0x500/0x720 net/core/sock.c:2207
- sk_destruct+0xc1/0xe0 net/core/sock.c:2222
- __sk_free+0xed/0x3d0 net/core/sock.c:2233
- sk_free+0x7c/0xa0 net/core/sock.c:2244
- sock_put include/net/sock.h:1981 [inline]
- __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634
- gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
- gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
- gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
- unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
- rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
- rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
- rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
- netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
- netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
- netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
- netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
- sock_sendmsg_nosec net/socket.c:724 [inline]
- sock_sendmsg+0x1b7/0x200 net/socket.c:747
- ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
- ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
- __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
- do_syscall_x64 arch/x86/entry/common.c:50 [inline]
- do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
- entry_SYSCALL_64_after_hwframe+0x72/0xdc
-
-The buggy address belongs to the object at ffff88800dbef300
- which belongs to the cache UDPv6 of size 1344
-The buggy address is located 152 bytes inside of
- freed 1344-byte region [ffff88800dbef300, ffff88800dbef840)
-
-The buggy address belongs to the physical page:
-page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8
-head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
-memcg:ffff888008ee0801
-flags: 0x100000000010200(slab|head|node=0|zone=1)
-page_type: 0xffffffff()
-raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000
-raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801
-page dumped because: kasan: bad access detected
-
-Memory state around the buggy address:
- ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
->ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ^
- ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
- ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-
-Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage")
-Reported-by: syzkaller <syzkaller@googlegroups.com>
-Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
-Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/gtp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
-index e18d06cb2173c..2718b0507f713 100644
---- a/drivers/net/gtp.c
-+++ b/drivers/net/gtp.c
-@@ -301,7 +301,9 @@ static void __gtp_encap_destroy(struct sock *sk)
- gtp->sk1u = NULL;
- udp_sk(sk)->encap_type = 0;
- rcu_assign_sk_user_data(sk, NULL);
-+ release_sock(sk);
- sock_put(sk);
-+ return;
- }
- release_sock(sk);
- }
---
-2.39.2
-
+++ /dev/null
-From d744ae7477190967a3ddc289e2cd4ae59e8b1237 Mon Sep 17 00:00:00 2001
-From: Martin Kaiser <martin@kaiser.cx>
-Date: Thu, 15 Jun 2023 15:49:59 +0100
-Subject: hwrng: imx-rngc - fix the timeout for init and self check
-
-From: Martin Kaiser <martin@kaiser.cx>
-
-commit d744ae7477190967a3ddc289e2cd4ae59e8b1237 upstream.
-
-Fix the timeout that is used for the initialisation and for the self
-test. wait_for_completion_timeout expects a timeout in jiffies, but
-RNGC_TIMEOUT is in milliseconds. Call msecs_to_jiffies to do the
-conversion.
-
-Cc: stable@vger.kernel.org
-Fixes: 1d5449445bd0 ("hwrng: mx-rngc - add a driver for Freescale RNGC")
-Signed-off-by: Martin Kaiser <martin@kaiser.cx>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/char/hw_random/imx-rngc.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
---- a/drivers/char/hw_random/imx-rngc.c
-+++ b/drivers/char/hw_random/imx-rngc.c
-@@ -105,7 +105,7 @@ static int imx_rngc_self_test(struct imx
- cmd = readl(rngc->base + RNGC_COMMAND);
- writel(cmd | RNGC_CMD_SELF_TEST, rngc->base + RNGC_COMMAND);
-
-- ret = wait_for_completion_timeout(&rngc->rng_op_done, RNGC_TIMEOUT);
-+ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT));
- if (!ret) {
- imx_rngc_irq_mask_clear(rngc);
- return -ETIMEDOUT;
-@@ -188,9 +188,7 @@ static int imx_rngc_init(struct hwrng *r
- cmd = readl(rngc->base + RNGC_COMMAND);
- writel(cmd | RNGC_CMD_SEED, rngc->base + RNGC_COMMAND);
-
-- ret = wait_for_completion_timeout(&rngc->rng_op_done,
-- RNGC_TIMEOUT);
--
-+ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT));
- if (!ret) {
- imx_rngc_irq_mask_clear(rngc);
- return -ETIMEDOUT;
+++ /dev/null
-From afa4aa51e6f9ff115b1cefcc5f7274340691a1f6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Oct 2021 12:11:08 +0200
-Subject: hwrng: virtio - add an internal buffer
-
-From: Laurent Vivier <lvivier@redhat.com>
-
-[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ]
-
-hwrng core uses two buffers that can be mixed in the
-virtio-rng queue.
-
-If the buffer is provided with wait=0 it is enqueued in the
-virtio-rng queue but unused by the caller.
-On the next call, core provides another buffer but the
-first one is filled instead and the new one queued.
-And the caller reads the data from the new one that is not
-updated, and the data in the first one are lost.
-
-To avoid this mix, virtio-rng needs to use its own unique
-internal buffer at a cost of a data copy to the caller buffer.
-
-Signed-off-by: Laurent Vivier <lvivier@redhat.com>
-Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++-------
- 1 file changed, 33 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
-index 7abd604e938c2..999f523c80c1e 100644
---- a/drivers/char/hw_random/virtio-rng.c
-+++ b/drivers/char/hw_random/virtio-rng.c
-@@ -30,13 +30,20 @@ static DEFINE_IDA(rng_index_ida);
- struct virtrng_info {
- struct hwrng hwrng;
- struct virtqueue *vq;
-- struct completion have_data;
- char name[25];
-- unsigned int data_avail;
- int index;
- bool busy;
- bool hwrng_register_done;
- bool hwrng_removed;
-+ /* data transfer */
-+ struct completion have_data;
-+ unsigned int data_avail;
-+ /* minimal size returned by rng_buffer_size() */
-+#if SMP_CACHE_BYTES < 32
-+ u8 data[32];
-+#else
-+ u8 data[SMP_CACHE_BYTES];
-+#endif
- };
-
- static void random_recv_done(struct virtqueue *vq)
-@@ -51,14 +58,14 @@ static void random_recv_done(struct virtqueue *vq)
- }
-
- /* The host will fill any buffer we give it with sweet, sweet randomness. */
--static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size)
-+static void register_buffer(struct virtrng_info *vi)
- {
- struct scatterlist sg;
-
-- sg_init_one(&sg, buf, size);
-+ sg_init_one(&sg, vi->data, sizeof(vi->data));
-
- /* There should always be room for one buffer. */
-- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL);
-+ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL);
-
- virtqueue_kick(vi->vq);
- }
-@@ -67,6 +74,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- {
- int ret;
- struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
-+ unsigned int chunk;
-+ size_t read;
-
- if (vi->hwrng_removed)
- return -ENODEV;
-@@ -74,19 +83,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- if (!vi->busy) {
- vi->busy = true;
- reinit_completion(&vi->have_data);
-- register_buffer(vi, buf, size);
-+ register_buffer(vi);
- }
-
- if (!wait)
- return 0;
-
-- ret = wait_for_completion_killable(&vi->have_data);
-- if (ret < 0)
-- return ret;
-+ read = 0;
-+ while (size != 0) {
-+ ret = wait_for_completion_killable(&vi->have_data);
-+ if (ret < 0)
-+ return ret;
-+
-+ chunk = min_t(unsigned int, size, vi->data_avail);
-+ memcpy(buf + read, vi->data, chunk);
-+ read += chunk;
-+ size -= chunk;
-+ vi->data_avail = 0;
-+
-+ if (size != 0) {
-+ reinit_completion(&vi->have_data);
-+ register_buffer(vi);
-+ }
-+ }
-
- vi->busy = false;
-
-- return vi->data_avail;
-+ return read;
- }
-
- static void virtio_cleanup(struct hwrng *rng)
---
-2.39.2
-
+++ /dev/null
-From 7ae21313b4da71d05544089d1fdb20bab025446e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Oct 2021 12:11:11 +0200
-Subject: hwrng: virtio - always add a pending request
-
-From: Laurent Vivier <lvivier@redhat.com>
-
-[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ]
-
-If we ensure we have already some data available by enqueuing
-again the buffer once data are exhausted, we can return what we
-have without waiting for the device answer.
-
-Signed-off-by: Laurent Vivier <lvivier@redhat.com>
-Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++--------------
- 1 file changed, 12 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
-index c88f175e60a4c..a84248c26fd7f 100644
---- a/drivers/char/hw_random/virtio-rng.c
-+++ b/drivers/char/hw_random/virtio-rng.c
-@@ -32,7 +32,6 @@ struct virtrng_info {
- struct virtqueue *vq;
- char name[25];
- int index;
-- bool busy;
- bool hwrng_register_done;
- bool hwrng_removed;
- /* data transfer */
-@@ -56,16 +55,18 @@ static void random_recv_done(struct virtqueue *vq)
- return;
-
- vi->data_idx = 0;
-- vi->busy = false;
-
- complete(&vi->have_data);
- }
-
--/* The host will fill any buffer we give it with sweet, sweet randomness. */
--static void register_buffer(struct virtrng_info *vi)
-+static void request_entropy(struct virtrng_info *vi)
- {
- struct scatterlist sg;
-
-+ reinit_completion(&vi->have_data);
-+ vi->data_avail = 0;
-+ vi->data_idx = 0;
-+
- sg_init_one(&sg, vi->data, sizeof(vi->data));
-
- /* There should always be room for one buffer. */
-@@ -81,6 +82,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf,
- memcpy(buf, vi->data + vi->data_idx, size);
- vi->data_idx += size;
- vi->data_avail -= size;
-+ if (vi->data_avail == 0)
-+ request_entropy(vi);
- return size;
- }
-
-@@ -110,13 +113,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- * so either size is 0 or data_avail is 0
- */
- while (size != 0) {
-- /* data_avail is 0 */
-- if (!vi->busy) {
-- /* no pending request, ask for more */
-- vi->busy = true;
-- reinit_completion(&vi->have_data);
-- register_buffer(vi);
-- }
-+ /* data_avail is 0 but a request is pending */
- ret = wait_for_completion_killable(&vi->have_data);
- if (ret < 0)
- return ret;
-@@ -138,8 +135,7 @@ static void virtio_cleanup(struct hwrng *rng)
- {
- struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
-
-- if (vi->busy)
-- complete(&vi->have_data);
-+ complete(&vi->have_data);
- }
-
- static int probe_common(struct virtio_device *vdev)
-@@ -175,6 +171,9 @@ static int probe_common(struct virtio_device *vdev)
- goto err_find;
- }
-
-+ /* we always have a pending entropy request */
-+ request_entropy(vi);
-+
- return 0;
-
- err_find:
-@@ -193,7 +192,6 @@ static void remove_common(struct virtio_device *vdev)
- vi->data_idx = 0;
- complete(&vi->have_data);
- vdev->config->reset(vdev);
-- vi->busy = false;
- if (vi->hwrng_register_done)
- hwrng_unregister(&vi->hwrng);
- vdev->config->del_vqs(vdev);
---
-2.39.2
-
+++ /dev/null
-From 9c50a382f8e13e6db7abbe15241a4a9c88d4fc4e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Oct 2021 12:11:09 +0200
-Subject: hwrng: virtio - don't wait on cleanup
-
-From: Laurent Vivier <lvivier@redhat.com>
-
-[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ]
-
-When virtio-rng device was dropped by the hwrng core we were forced
-to wait the buffer to come back from the device to not have
-remaining ongoing operation that could spoil the buffer.
-
-But now, as the buffer is internal to the virtio-rng we can release
-the waiting loop immediately, the buffer will be retrieve and use
-when the virtio-rng driver will be selected again.
-
-This avoids to hang on an rng_current write command if the virtio-rng
-device is blocked by a lack of entropy. This allows to select
-another entropy source if the current one is empty.
-
-Signed-off-by: Laurent Vivier <lvivier@redhat.com>
-Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/char/hw_random/virtio-rng.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
-index 999f523c80c1e..9a3fbd2b41107 100644
---- a/drivers/char/hw_random/virtio-rng.c
-+++ b/drivers/char/hw_random/virtio-rng.c
-@@ -94,6 +94,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- ret = wait_for_completion_killable(&vi->have_data);
- if (ret < 0)
- return ret;
-+ /* if vi->data_avail is 0, we have been interrupted
-+ * by a cleanup, but buffer stays in the queue
-+ */
-+ if (vi->data_avail == 0)
-+ return read;
-
- chunk = min_t(unsigned int, size, vi->data_avail);
- memcpy(buf + read, vi->data, chunk);
-@@ -117,7 +122,7 @@ static void virtio_cleanup(struct hwrng *rng)
- struct virtrng_info *vi = (struct virtrng_info *)rng->priv;
-
- if (vi->busy)
-- wait_for_completion(&vi->have_data);
-+ complete(&vi->have_data);
- }
-
- static int probe_common(struct virtio_device *vdev)
---
-2.39.2
-
+++ /dev/null
-From 92b8d417f897b6b2b12a75862caf03ab756af0c4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Oct 2021 12:11:10 +0200
-Subject: hwrng: virtio - don't waste entropy
-
-From: Laurent Vivier <lvivier@redhat.com>
-
-[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ]
-
-if we don't use all the entropy available in the buffer, keep it
-and use it later.
-
-Signed-off-by: Laurent Vivier <lvivier@redhat.com>
-Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++----------
- 1 file changed, 35 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
-index 9a3fbd2b41107..c88f175e60a4c 100644
---- a/drivers/char/hw_random/virtio-rng.c
-+++ b/drivers/char/hw_random/virtio-rng.c
-@@ -38,6 +38,7 @@ struct virtrng_info {
- /* data transfer */
- struct completion have_data;
- unsigned int data_avail;
-+ unsigned int data_idx;
- /* minimal size returned by rng_buffer_size() */
- #if SMP_CACHE_BYTES < 32
- u8 data[32];
-@@ -54,6 +55,9 @@ static void random_recv_done(struct virtqueue *vq)
- if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
- return;
-
-+ vi->data_idx = 0;
-+ vi->busy = false;
-+
- complete(&vi->have_data);
- }
-
-@@ -70,6 +74,16 @@ static void register_buffer(struct virtrng_info *vi)
- virtqueue_kick(vi->vq);
- }
-
-+static unsigned int copy_data(struct virtrng_info *vi, void *buf,
-+ unsigned int size)
-+{
-+ size = min_t(unsigned int, size, vi->data_avail);
-+ memcpy(buf, vi->data + vi->data_idx, size);
-+ vi->data_idx += size;
-+ vi->data_avail -= size;
-+ return size;
-+}
-+
- static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- {
- int ret;
-@@ -80,17 +94,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- if (vi->hwrng_removed)
- return -ENODEV;
-
-- if (!vi->busy) {
-- vi->busy = true;
-- reinit_completion(&vi->have_data);
-- register_buffer(vi);
-+ read = 0;
-+
-+ /* copy available data */
-+ if (vi->data_avail) {
-+ chunk = copy_data(vi, buf, size);
-+ size -= chunk;
-+ read += chunk;
- }
-
- if (!wait)
-- return 0;
-+ return read;
-
-- read = 0;
-+ /* We have already copied available entropy,
-+ * so either size is 0 or data_avail is 0
-+ */
- while (size != 0) {
-+ /* data_avail is 0 */
-+ if (!vi->busy) {
-+ /* no pending request, ask for more */
-+ vi->busy = true;
-+ reinit_completion(&vi->have_data);
-+ register_buffer(vi);
-+ }
- ret = wait_for_completion_killable(&vi->have_data);
- if (ret < 0)
- return ret;
-@@ -100,20 +126,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- if (vi->data_avail == 0)
- return read;
-
-- chunk = min_t(unsigned int, size, vi->data_avail);
-- memcpy(buf + read, vi->data, chunk);
-- read += chunk;
-+ chunk = copy_data(vi, buf + read, size);
- size -= chunk;
-- vi->data_avail = 0;
--
-- if (size != 0) {
-- reinit_completion(&vi->have_data);
-- register_buffer(vi);
-- }
-+ read += chunk;
- }
-
-- vi->busy = false;
--
- return read;
- }
-
-@@ -173,6 +190,7 @@ static void remove_common(struct virtio_device *vdev)
-
- vi->hwrng_removed = true;
- vi->data_avail = 0;
-+ vi->data_idx = 0;
- complete(&vi->have_data);
- vdev->config->reset(vdev);
- vi->busy = false;
---
-2.39.2
-
+++ /dev/null
-From 939a58b0fd48531e7170994e9836b43eb6a96c4e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 4 May 2023 11:59:32 +0800
-Subject: hwrng: virtio - Fix race on data_avail and actual data
-
-From: Herbert Xu <herbert@gondor.apana.org.au>
-
-[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ]
-
-The virtio rng device kicks off a new entropy request whenever the
-data available reaches zero. When a new request occurs at the end
-of a read operation, that is, when the result of that request is
-only needed by the next reader, then there is a race between the
-writing of the new data and the next reader.
-
-This is because there is no synchronisation whatsoever between the
-writer and the reader.
-
-Fix this by writing data_avail with smp_store_release and reading
-it with smp_load_acquire when we first enter read. The subsequent
-reads are safe because they're either protected by the first load
-acquire, or by the completion mechanism.
-
-Also remove the redundant zeroing of data_idx in random_recv_done
-(data_idx must already be zero at this point) and data_avail in
-request_entropy (ditto).
-
-Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com
-Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.")
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Acked-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/char/hw_random/virtio-rng.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c
-index a84248c26fd7f..58884d8752011 100644
---- a/drivers/char/hw_random/virtio-rng.c
-+++ b/drivers/char/hw_random/virtio-rng.c
-@@ -17,6 +17,7 @@
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- */
-
-+#include <asm/barrier.h>
- #include <linux/err.h>
- #include <linux/hw_random.h>
- #include <linux/scatterlist.h>
-@@ -49,13 +50,13 @@ struct virtrng_info {
- static void random_recv_done(struct virtqueue *vq)
- {
- struct virtrng_info *vi = vq->vdev->priv;
-+ unsigned int len;
-
- /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */
-- if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
-+ if (!virtqueue_get_buf(vi->vq, &len))
- return;
-
-- vi->data_idx = 0;
--
-+ smp_store_release(&vi->data_avail, len);
- complete(&vi->have_data);
- }
-
-@@ -64,7 +65,6 @@ static void request_entropy(struct virtrng_info *vi)
- struct scatterlist sg;
-
- reinit_completion(&vi->have_data);
-- vi->data_avail = 0;
- vi->data_idx = 0;
-
- sg_init_one(&sg, vi->data, sizeof(vi->data));
-@@ -100,7 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait)
- read = 0;
-
- /* copy available data */
-- if (vi->data_avail) {
-+ if (smp_load_acquire(&vi->data_avail)) {
- chunk = copy_data(vi, buf, size);
- size -= chunk;
- read += chunk;
---
-2.39.2
-
+++ /dev/null
-From 0a46aee6b7cf29789b550cefcd60aa2427d87866 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 23 Aug 2021 23:41:42 +0200
-Subject: i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in
- xiic_process()
-
-From: Marek Vasut <marex@denx.de>
-
-[ Upstream commit 743e227a895923c37a333eb2ebf3e391f00c406d ]
-
-The __xiic_start_xfer() manipulates the interrupt flags, xiic_wakeup()
-may result in return from xiic_xfer() early. Defer both to the end of
-the xiic_process() interrupt thread, so that they are executed after
-all the other interrupt bits handling completed and once it completely
-safe to perform changes to the interrupt bits in the hardware.
-
-Signed-off-by: Marek Vasut <marex@denx.de>
-Acked-by: Michal Simek <michal.simek@xilinx.com>
-Signed-off-by: Wolfram Sang <wsa@kernel.org>
-Stable-dep-of: cb6e45c9a0ad ("i2c: xiic: Don't try to handle more interrupt events after error")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/busses/i2c-xiic.c | 37 ++++++++++++++++++++++++-----------
- 1 file changed, 26 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
-index 03ce9b7d6456a..c7f74687282ea 100644
---- a/drivers/i2c/busses/i2c-xiic.c
-+++ b/drivers/i2c/busses/i2c-xiic.c
-@@ -362,6 +362,9 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- struct xiic_i2c *i2c = dev_id;
- u32 pend, isr, ier;
- u32 clr = 0;
-+ int xfer_more = 0;
-+ int wakeup_req = 0;
-+ int wakeup_code = 0;
-
- /* Get the interrupt Status from the IPIF. There is no clearing of
- * interrupts in the IPIF. Interrupts must be cleared at the source.
-@@ -398,10 +401,14 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- */
- xiic_reinit(i2c);
-
-- if (i2c->rx_msg)
-- xiic_wakeup(i2c, STATE_ERROR);
-- if (i2c->tx_msg)
-- xiic_wakeup(i2c, STATE_ERROR);
-+ if (i2c->rx_msg) {
-+ wakeup_req = 1;
-+ wakeup_code = STATE_ERROR;
-+ }
-+ if (i2c->tx_msg) {
-+ wakeup_req = 1;
-+ wakeup_code = STATE_ERROR;
-+ }
- }
- if (pend & XIIC_INTR_RX_FULL_MASK) {
- /* Receive register/FIFO is full */
-@@ -435,8 +442,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- i2c->tx_msg++;
- dev_dbg(i2c->adap.dev.parent,
- "%s will start next...\n", __func__);
--
-- __xiic_start_xfer(i2c);
-+ xfer_more = 1;
- }
- }
- }
-@@ -450,11 +456,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- if (!i2c->tx_msg)
- goto out;
-
-- if ((i2c->nmsgs == 1) && !i2c->rx_msg &&
-- xiic_tx_space(i2c) == 0)
-- xiic_wakeup(i2c, STATE_DONE);
-+ wakeup_req = 1;
-+
-+ if (i2c->nmsgs == 1 && !i2c->rx_msg &&
-+ xiic_tx_space(i2c) == 0)
-+ wakeup_code = STATE_DONE;
- else
-- xiic_wakeup(i2c, STATE_ERROR);
-+ wakeup_code = STATE_ERROR;
- }
- if (pend & (XIIC_INTR_TX_EMPTY_MASK | XIIC_INTR_TX_HALF_MASK)) {
- /* Transmit register/FIFO is empty or ½ empty */
-@@ -478,7 +486,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- if (i2c->nmsgs > 1) {
- i2c->nmsgs--;
- i2c->tx_msg++;
-- __xiic_start_xfer(i2c);
-+ xfer_more = 1;
- } else {
- xiic_irq_dis(i2c, XIIC_INTR_TX_HALF_MASK);
-
-@@ -496,6 +504,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- dev_dbg(i2c->adap.dev.parent, "%s clr: 0x%x\n", __func__, clr);
-
- xiic_setreg32(i2c, XIIC_IISR_OFFSET, clr);
-+ if (xfer_more)
-+ __xiic_start_xfer(i2c);
-+ if (wakeup_req)
-+ xiic_wakeup(i2c, wakeup_code);
-+
-+ WARN_ON(xfer_more && wakeup_req);
-+
- mutex_unlock(&i2c->lock);
- return IRQ_HANDLED;
- }
---
-2.39.2
-
+++ /dev/null
-From 54f6886655a814ccc6bedd7924acfb2796ace463 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 6 Jun 2023 12:25:58 -0600
-Subject: i2c: xiic: Don't try to handle more interrupt events after error
-
-From: Robert Hancock <robert.hancock@calian.com>
-
-[ Upstream commit cb6e45c9a0ad9e0f8664fd06db0227d185dc76ab ]
-
-In xiic_process, it is possible that error events such as arbitration
-lost or TX error can be raised in conjunction with other interrupt flags
-such as TX FIFO empty or bus not busy. Error events result in the
-controller being reset and the error returned to the calling request,
-but the function could potentially try to keep handling the other
-events, such as by writing more messages into the TX FIFO. Since the
-transaction has already failed, this is not helpful and will just cause
-issues.
-
-This problem has been present ever since:
-
-commit 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr")
-
-which allowed non-error events to be handled after errors, but became
-more obvious after:
-
-commit 743e227a8959 ("i2c: xiic: Defer xiic_wakeup() and
-__xiic_start_xfer() in xiic_process()")
-
-which reworked the code to add a WARN_ON which triggers if both the
-xfer_more and wakeup_req flags were set, since this combination is
-not supposed to happen, but was occurring in this scenario.
-
-Skip further interrupt handling after error flags are detected to avoid
-this problem.
-
-Fixes: 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr")
-Signed-off-by: Robert Hancock <robert.hancock@calian.com>
-Acked-by: Andi Shyti <andi.shyti@kernel.org>
-Signed-off-by: Wolfram Sang <wsa@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/busses/i2c-xiic.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
-index c7f74687282ea..c1f85114ab812 100644
---- a/drivers/i2c/busses/i2c-xiic.c
-+++ b/drivers/i2c/busses/i2c-xiic.c
-@@ -409,6 +409,8 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
- wakeup_req = 1;
- wakeup_code = STATE_ERROR;
- }
-+ /* don't try to handle other events */
-+ goto out;
- }
- if (pend & XIIC_INTR_RX_FULL_MASK) {
- /* Receive register/FIFO is full */
---
-2.39.2
-
+++ /dev/null
-From 58240f64a0be015e60403b558eac9ea7b1483365 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 16 Feb 2023 11:56:28 -0500
-Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
-
-From: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
-
-[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ]
-
-Fix three sources of error involving struct sdma_txreq.num_descs.
-
-When _extend_sdma_tx_descs() extends the descriptor array, it uses the
-value of tx->num_descs to determine how many existing entries from the
-tx's original, internal descriptor array to copy to the newly allocated
-one. As this value was incremented before the call, the copy loop will
-access one entry past the internal descriptor array, copying its contents
-into the corresponding slot in the new array.
-
-If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then
-invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a
-loop that unmaps all descriptor entries in use. As this value was
-incremented before the call, the unmap loop will invoke sdma_unmap_desc()
-on a descriptor entry whose contents consist of whatever random data was
-copied into it during (1), leading to cascading further calls into the
-kernel and driver using arbitrary data.
-
-_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1.
-
-Fix all of the above by:
-- Only increment .num_descs after .descp is extended.
-- Use .num_descs - 1 instead of .num_descs for last .descp entry.
-
-Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors")
-Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com
-Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>
-Signed-off-by: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
-Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
-Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/hw/hfi1/sdma.c | 4 ++--
- drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++--------
- 2 files changed, 9 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c
-index 33ff9eca28f69..245f9505a9aca 100644
---- a/drivers/infiniband/hw/hfi1/sdma.c
-+++ b/drivers/infiniband/hw/hfi1/sdma.c
-@@ -3202,8 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
- {
- int rval = 0;
-
-- tx->num_desc++;
-- if ((unlikely(tx->num_desc == tx->desc_limit))) {
-+ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) {
- rval = _extend_sdma_tx_descs(dd, tx);
- if (rval) {
- __sdma_txclean(dd, tx);
-@@ -3216,6 +3215,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx)
- SDMA_MAP_NONE,
- dd->sdma_pad_phys,
- sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1)));
-+ tx->num_desc++;
- _sdma_close_tx(dd, tx);
- return rval;
- }
-diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h
-index 46c775f255d14..a3dd2f3d56cca 100644
---- a/drivers/infiniband/hw/hfi1/sdma.h
-+++ b/drivers/infiniband/hw/hfi1/sdma.h
-@@ -680,14 +680,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx)
- static inline void _sdma_close_tx(struct hfi1_devdata *dd,
- struct sdma_txreq *tx)
- {
-- tx->descp[tx->num_desc].qw[0] |=
-- SDMA_DESC0_LAST_DESC_FLAG;
-- tx->descp[tx->num_desc].qw[1] |=
-- dd->default_desc1;
-+ u16 last_desc = tx->num_desc - 1;
-+
-+ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG;
-+ tx->descp[last_desc].qw[1] |= dd->default_desc1;
- if (tx->flags & SDMA_TXREQ_F_URGENT)
-- tx->descp[tx->num_desc].qw[1] |=
-- (SDMA_DESC1_HEAD_TO_HOST_FLAG |
-- SDMA_DESC1_INT_REQ_FLAG);
-+ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG |
-+ SDMA_DESC1_INT_REQ_FLAG);
- }
-
- static inline int _sdma_txadd_daddr(
-@@ -704,6 +703,7 @@ static inline int _sdma_txadd_daddr(
- type,
- addr, len);
- WARN_ON(len > tx->tlen);
-+ tx->num_desc++;
- tx->tlen -= len;
- /* special cases for last */
- if (!tx->tlen) {
-@@ -715,7 +715,6 @@ static inline int _sdma_txadd_daddr(
- _sdma_close_tx(dd, tx);
- }
- }
-- tx->num_desc++;
- return rval;
- }
-
---
-2.39.2
-
+++ /dev/null
-From 46ae827efd8dbae05deb396bf8beb1545f27f411 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 7 Jul 2023 18:43:27 -0700
-Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in
- icmp6_dev().
-
-From: Kuniyuki Iwashima <kuniyu@amazon.com>
-
-[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ]
-
-With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
-has the link-local address as src and dst IP and will be forwarded to
-an external IP in the IPv6 Ext Hdr.
-
-For example, the script below generates a packet whose src IP is the
-link-local address and dst is updated to 11::.
-
- # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
- # python3
- >>> from socket import *
- >>> from scapy.all import *
- >>>
- >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
- >>>
- >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
- >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
- >>>
- >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
- >>> sk.sendto(bytes(pkt), (DST_ADDR, 0))
-
-For such a packet, we call ip6_route_input() to look up a route for the
-next destination in these three functions depending on the header type.
-
- * ipv6_rthdr_rcv()
- * ipv6_rpl_srh_rcv()
- * ipv6_srh_rcv()
-
-If no route is found, ip6_null_entry is set to skb, and the following
-dst_input(skb) calls ip6_pkt_drop().
-
-Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
-as the input device is the loopback interface. Then, we have to check if
-skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
-for ip6_null_entry.
-
-BUG: kernel NULL pointer dereference, address: 0000000000000000
- PF: supervisor read access in kernel mode
- PF: error_code(0x0000) - not-present page
-PGD 0 P4D 0
-Oops: 0000 [#1] PREEMPT SMP PTI
-CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
-RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
-Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
-RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
-RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
-RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
-RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
-R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
-R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
-FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
-PKRU: 55555554
-Call Trace:
- <IRQ>
- ip6_pkt_drop (net/ipv6/route.c:4513)
- ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
- ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
- ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
- __netif_receive_skb_one_core (net/core/dev.c:5455)
- process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
- __napi_poll (net/core/dev.c:6460)
- net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
- __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
- do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
- </IRQ>
- <TASK>
- __local_bh_enable_ip (kernel/softirq.c:381)
- __dev_queue_xmit (net/core/dev.c:4231)
- ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
- rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
- sock_sendmsg (net/socket.c:725 net/socket.c:748)
- __sys_sendto (net/socket.c:2134)
- __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
- do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
- entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
-RIP: 0033:0x7f9dc751baea
-Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
-RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea
-RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003
-RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c
-R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
-R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b
- </TASK>
-Modules linked in:
-CR2: 0000000000000000
- ---[ end trace 0000000000000000 ]---
-RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
-Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
-RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
-RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
-RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
-RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
-R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
-R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
-FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
-PKRU: 55555554
-Kernel panic - not syncing: Fatal exception in interrupt
-Kernel Offset: disabled
-
-Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address")
-Reported-by: Wang Yufen <wangyufen@huawei.com>
-Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/
-Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
-Reviewed-by: David Ahern <dsahern@kernel.org>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/icmp.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
-index 1b86a2e03d049..bfafd7649ccb3 100644
---- a/net/ipv6/icmp.c
-+++ b/net/ipv6/icmp.c
-@@ -407,7 +407,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb)
- if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
- const struct rt6_info *rt6 = skb_rt6_info(skb);
-
-- if (rt6)
-+ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.),
-+ * and ip6_null_entry could be set to skb if no route is found.
-+ */
-+ if (rt6 && rt6->rt6i_idev)
- dev = rt6->rt6i_idev->dev;
- }
-
---
-2.39.2
-
+++ /dev/null
-From d31c957cc8ca0a46d225cbe69724ba5a83276a67 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 20 Jun 2023 10:47:32 -0700
-Subject: igb: Fix igb_down hung on surprise removal
-
-From: Ying Hsu <yinghsu@chromium.org>
-
-[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ]
-
-In a setup where a Thunderbolt hub connects to Ethernet and a display
-through USB Type-C, users may experience a hung task timeout when they
-remove the cable between the PC and the Thunderbolt hub.
-This is because the igb_down function is called multiple times when
-the Thunderbolt hub is unplugged. For example, the igb_io_error_detected
-triggers the first call, and the igb_remove triggers the second call.
-The second call to igb_down will block at napi_synchronize.
-Here's the call trace:
- __schedule+0x3b0/0xddb
- ? __mod_timer+0x164/0x5d3
- schedule+0x44/0xa8
- schedule_timeout+0xb2/0x2a4
- ? run_local_timers+0x4e/0x4e
- msleep+0x31/0x38
- igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4]
- __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4]
- igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4]
- __dev_close_many+0x95/0xec
- dev_close_many+0x6e/0x103
- unregister_netdevice_many+0x105/0x5b1
- unregister_netdevice_queue+0xc2/0x10d
- unregister_netdev+0x1c/0x23
- igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4]
- pci_device_remove+0x3f/0x9c
- device_release_driver_internal+0xfe/0x1b4
- pci_stop_bus_device+0x5b/0x7f
- pci_stop_bus_device+0x30/0x7f
- pci_stop_bus_device+0x30/0x7f
- pci_stop_and_remove_bus_device+0x12/0x19
- pciehp_unconfigure_device+0x76/0xe9
- pciehp_disable_slot+0x6e/0x131
- pciehp_handle_presence_or_link_change+0x7a/0x3f7
- pciehp_ist+0xbe/0x194
- irq_thread_fn+0x22/0x4d
- ? irq_thread+0x1fd/0x1fd
- irq_thread+0x17b/0x1fd
- ? irq_forced_thread_fn+0x5f/0x5f
- kthread+0x142/0x153
- ? __irq_get_irqchip_state+0x46/0x46
- ? kthread_associate_blkcg+0x71/0x71
- ret_from_fork+0x1f/0x30
-
-In this case, igb_io_error_detected detaches the network interface
-and requests a PCIE slot reset, however, the PCIE reset callback is
-not being invoked and thus the Ethernet connection breaks down.
-As the PCIE error in this case is a non-fatal one, requesting a
-slot reset can be avoided.
-This patch fixes the task hung issue and preserves Ethernet
-connection by ignoring non-fatal PCIE errors.
-
-Signed-off-by: Ying Hsu <yinghsu@chromium.org>
-Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
-Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
-index 6f9d563deb6ba..be51179089852 100644
---- a/drivers/net/ethernet/intel/igb/igb_main.c
-+++ b/drivers/net/ethernet/intel/igb/igb_main.c
-@@ -9059,6 +9059,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev,
- struct net_device *netdev = pci_get_drvdata(pdev);
- struct igb_adapter *adapter = netdev_priv(netdev);
-
-+ if (state == pci_channel_io_normal) {
-+ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n");
-+ return PCI_ERS_RESULT_CAN_RECOVER;
-+ }
-+
- netif_device_detach(netdev);
-
- if (state == pci_channel_io_perm_failure)
---
-2.39.2
-
+++ /dev/null
-From 51b90364f500ae4b586dc32e18e61f232983cb55 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 10 May 2023 17:27:55 -0700
-Subject: Input: adxl34x - do not hardcode interrupt trigger type
-
-From: Marek Vasut <marex@denx.de>
-
-[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ]
-
-Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's
-respect the settings specified in the firmware description.
-
-Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
-Signed-off-by: Marek Vasut <marex@denx.de>
-Acked-by: Michael Hennerich <michael.hennerich@analog.com>
-Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/input/misc/adxl34x.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
-index 3695dd7dbb9b4..ec0c91ec52277 100644
---- a/drivers/input/misc/adxl34x.c
-+++ b/drivers/input/misc/adxl34x.c
-@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
- AC_WRITE(ac, POWER_CTL, 0);
-
- err = request_threaded_irq(ac->irq, NULL, adxl34x_irq,
-- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
-- dev_name(dev), ac);
-+ IRQF_ONESHOT, dev_name(dev), ac);
- if (err) {
- dev_err(dev, "irq %d busy?\n", ac->irq);
- goto err_free_mem;
---
-2.39.2
-
+++ /dev/null
-From 569e4104a6ffce321ca0b44f7bcb5c522b3a082f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 1 May 2023 17:01:45 -0700
-Subject: Input: drv260x - sleep between polling GO bit
-
-From: Luca Weiss <luca@z3ntu.xyz>
-
-[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ]
-
-When doing the initial startup there's no need to poll without any
-delay and spam the I2C bus.
-
-Let's sleep 15ms between each attempt, which is the same time as used
-in the vendor driver.
-
-Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver")
-Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
-Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/input/misc/drv260x.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
-index 17eb84ab4c0b7..fe3fbde989be2 100644
---- a/drivers/input/misc/drv260x.c
-+++ b/drivers/input/misc/drv260x.c
-@@ -443,6 +443,7 @@ static int drv260x_init(struct drv260x_data *haptics)
- }
-
- do {
-+ usleep_range(15000, 15500);
- error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf);
- if (error) {
- dev_err(&haptics->client->dev,
---
-2.39.2
-
+++ /dev/null
-From 9df6a4870dc371136e90330cfbbc51464ee66993 Mon Sep 17 00:00:00 2001
-From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
-Date: Thu, 1 Jun 2023 14:42:44 +0800
-Subject: integrity: Fix possible multiple allocation in integrity_inode_get()
-
-From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
-
-commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream.
-
-When integrity_inode_get() is querying and inserting the cache, there
-is a conditional race in the concurrent environment.
-
-The race condition is the result of not properly implementing
-"double-checked locking". In this case, it first checks to see if the
-iint cache record exists before taking the lock, but doesn't check
-again after taking the integrity_iint_lock.
-
-Fixes: bf2276d10ce5 ("ima: allocating iint improvements")
-Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
-Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
-Cc: <stable@vger.kernel.org> # v3.10+
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- security/integrity/iint.c | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
---- a/security/integrity/iint.c
-+++ b/security/integrity/iint.c
-@@ -46,12 +46,10 @@ static struct integrity_iint_cache *__in
- else if (inode > iint->inode)
- n = n->rb_right;
- else
-- break;
-+ return iint;
- }
-- if (!n)
-- return NULL;
-
-- return iint;
-+ return NULL;
- }
-
- /*
-@@ -116,10 +114,15 @@ struct integrity_iint_cache *integrity_i
- parent = *p;
- test_iint = rb_entry(parent, struct integrity_iint_cache,
- rb_node);
-- if (inode < test_iint->inode)
-+ if (inode < test_iint->inode) {
- p = &(*p)->rb_left;
-- else
-+ } else if (inode > test_iint->inode) {
- p = &(*p)->rb_right;
-+ } else {
-+ write_unlock(&integrity_iint_lock);
-+ kmem_cache_free(iint_cache, iint);
-+ return test_iint;
-+ }
- }
-
- iint->inode = inode;
+++ /dev/null
-From b6b485d5880cefb054197d49b212532df8ee9263 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 8 Jul 2023 14:59:10 +0800
-Subject: ipv6/addrconf: fix a potential refcount underflow for idev
-
-From: Ziyang Xuan <william.xuanziyang@huawei.com>
-
-[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ]
-
-Now in addrconf_mod_rs_timer(), reference idev depends on whether
-rs_timer is not pending. Then modify rs_timer timeout.
-
-There is a time gap in [1], during which if the pending rs_timer
-becomes not pending. It will miss to hold idev, but the rs_timer
-is activated. Thus rs_timer callback function addrconf_rs_timer()
-will be executed and put idev later without holding idev. A refcount
-underflow issue for idev can be caused by this.
-
- if (!timer_pending(&idev->rs_timer))
- in6_dev_hold(idev);
- <--------------[1]
- mod_timer(&idev->rs_timer, jiffies + when);
-
-To fix the issue, hold idev if mod_timer() return 0.
-
-Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer")
-Suggested-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/addrconf.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index f261c6d7f1f28..23edc325f70be 100644
---- a/net/ipv6/addrconf.c
-+++ b/net/ipv6/addrconf.c
-@@ -316,9 +316,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp)
- static void addrconf_mod_rs_timer(struct inet6_dev *idev,
- unsigned long when)
- {
-- if (!timer_pending(&idev->rs_timer))
-+ if (!mod_timer(&idev->rs_timer, jiffies + when))
- in6_dev_hold(idev);
-- mod_timer(&idev->rs_timer, jiffies + when);
- }
-
- static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,
---
-2.39.2
-
+++ /dev/null
-From fb27984c7b464c888b054effdf720e797025a50e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 26 Jun 2023 17:33:47 +0800
-Subject: ipvlan: Fix return value of ipvlan_queue_xmit()
-
-From: Cambda Zhu <cambda@linux.alibaba.com>
-
-[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ]
-
-ipvlan_queue_xmit() should return NET_XMIT_XXX, but
-ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX
-in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED
-in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to
-NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or
-NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase
-both ipvlan and ipvlan->phy_dev drops counter.
-
-The skb to forward can be treated as xmitted successfully. This patch
-makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb.
-
-Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
-Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
-Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ipvlan/ipvlan_core.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
-index eb80d277b56f5..6b6c5a7250a65 100644
---- a/drivers/net/ipvlan/ipvlan_core.c
-+++ b/drivers/net/ipvlan/ipvlan_core.c
-@@ -592,7 +592,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev)
- consume_skb(skb);
- return NET_XMIT_DROP;
- }
-- return ipvlan_rcv_frame(addr, &skb, true);
-+ ipvlan_rcv_frame(addr, &skb, true);
-+ return NET_XMIT_SUCCESS;
- }
- }
- out:
-@@ -618,7 +619,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev)
- consume_skb(skb);
- return NET_XMIT_DROP;
- }
-- return ipvlan_rcv_frame(addr, &skb, true);
-+ ipvlan_rcv_frame(addr, &skb, true);
-+ return NET_XMIT_SUCCESS;
- }
- }
- skb = skb_share_check(skb, GFP_ATOMIC);
-@@ -630,7 +632,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev)
- * the skb for the main-dev. At the RX side we just return
- * RX_PASS for it to be processed further on the stack.
- */
-- return dev_forward_skb(ipvlan->phy_dev, skb);
-+ dev_forward_skb(ipvlan->phy_dev, skb);
-+ return NET_XMIT_SUCCESS;
-
- } else if (is_multicast_ether_addr(eth->h_dest)) {
- skb_reset_mac_header(skb);
---
-2.39.2
-
+++ /dev/null
-From 4ccd3be2ccc9fa9c3b14d259dc5e795c7d90db2d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 10 May 2023 18:33:42 +0200
-Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
-
-From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-
-[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ]
-
-The initialization function for the J-Core AIC aic_irq_of_init() is
-currently missing the call to irq_alloc_descs() which allocates and
-initializes all the IRQ descriptors. Add missing function call and
-return the error code from irq_alloc_descs() in case the allocation
-fails.
-
-Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver")
-Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Tested-by: Rob Landley <rob@landley.net>
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/irqchip/irq-jcore-aic.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
-index 5f47d8ee4ae39..b9dcc8e78c750 100644
---- a/drivers/irqchip/irq-jcore-aic.c
-+++ b/drivers/irqchip/irq-jcore-aic.c
-@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node,
- unsigned min_irq = JCORE_AIC2_MIN_HWIRQ;
- unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1;
- struct irq_domain *domain;
-+ int ret;
-
- pr_info("Initializing J-Core AIC\n");
-
-@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node,
- jcore_aic.irq_unmask = noop;
- jcore_aic.name = "AIC";
-
-+ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq,
-+ of_node_to_nid(node));
-+
-+ if (ret < 0)
-+ return ret;
-+
- domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
- &jcore_aic_irqdomain_ops,
- &jcore_aic);
---
-2.39.2
-
+++ /dev/null
-From a0040d3dcb0b479ed0a896c972942db0a435106b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 6 Apr 2021 10:35:51 +0100
-Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
-
-From: Marc Zyngier <maz@kernel.org>
-
-[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ]
-
-irq_create_strict_mappings() is a poor way to allow the use of
-a linear IRQ domain as a legacy one. Let's be upfront about it.
-
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org
-Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/irqchip/irq-jcore-aic.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
-index 033bccb41455c..5f47d8ee4ae39 100644
---- a/drivers/irqchip/irq-jcore-aic.c
-+++ b/drivers/irqchip/irq-jcore-aic.c
-@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node,
- jcore_aic.irq_unmask = noop;
- jcore_aic.name = "AIC";
-
-- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops,
-+ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
-+ &jcore_aic_irqdomain_ops,
- &jcore_aic);
- if (!domain)
- return -ENOMEM;
-- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq);
-
- return 0;
- }
---
-2.39.2
-
+++ /dev/null
-From 1168f095417643f663caa341211e117db552989f Mon Sep 17 00:00:00 2001
-From: Fabian Frederick <fabf@skynet.be>
-Date: Sat, 6 May 2023 06:56:12 +0200
-Subject: jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
-
-From: Fabian Frederick <fabf@skynet.be>
-
-commit 1168f095417643f663caa341211e117db552989f upstream.
-
-Use kcalloc() for allocation/flush of 128 pointers table to
-reduce stack usage.
-
-Function now returns -ENOMEM or 0 on success.
-
-stackusage
-Before:
-./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208
-dynamic,bounded
-
-After:
-./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192
-dynamic,bounded
-
-Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled
-
-Tested with an MTD mount point and some user set/getfattr.
-
-Many current target on OpenWRT also suffer from a compilation warning
-(that become an error with CONFIG_WERROR) with the following output:
-
-fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem':
-fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
- 887 | }
- | ^
-
-Using dynamic allocation fix this compilation warning.
-
-Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion")
-Reported-by: Tim Gardner <tim.gardner@canonical.com>
-Reported-by: kernel test robot <lkp@intel.com>
-Reported-by: Ron Economos <re@w6rz.net>
-Reported-by: Nathan Chancellor <nathan@kernel.org>
-Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
-Signed-off-by: Fabian Frederick <fabf@skynet.be>
-Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
-Cc: stable@vger.kernel.org
-Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com>
-Signed-off-by: Christian Brauner <brauner@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/jffs2/build.c | 5 ++++-
- fs/jffs2/xattr.c | 13 +++++++++----
- fs/jffs2/xattr.h | 4 ++--
- 3 files changed, 15 insertions(+), 7 deletions(-)
-
---- a/fs/jffs2/build.c
-+++ b/fs/jffs2/build.c
-@@ -211,7 +211,10 @@ static int jffs2_build_filesystem(struct
- ic->scan_dents = NULL;
- cond_resched();
- }
-- jffs2_build_xattr_subsystem(c);
-+ ret = jffs2_build_xattr_subsystem(c);
-+ if (ret)
-+ goto exit;
-+
- c->flags &= ~JFFS2_SB_FLAG_BUILDING;
-
- dbg_fsbuild("FS build complete\n");
---- a/fs/jffs2/xattr.c
-+++ b/fs/jffs2/xattr.c
-@@ -772,10 +772,10 @@ void jffs2_clear_xattr_subsystem(struct
- }
-
- #define XREF_TMPHASH_SIZE (128)
--void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
-+int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
- {
- struct jffs2_xattr_ref *ref, *_ref;
-- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE];
-+ struct jffs2_xattr_ref **xref_tmphash;
- struct jffs2_xattr_datum *xd, *_xd;
- struct jffs2_inode_cache *ic;
- struct jffs2_raw_node_ref *raw;
-@@ -784,9 +784,12 @@ void jffs2_build_xattr_subsystem(struct
-
- BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
-
-+ xref_tmphash = kcalloc(XREF_TMPHASH_SIZE,
-+ sizeof(struct jffs2_xattr_ref *), GFP_KERNEL);
-+ if (!xref_tmphash)
-+ return -ENOMEM;
-+
- /* Phase.1 : Merge same xref */
-- for (i=0; i < XREF_TMPHASH_SIZE; i++)
-- xref_tmphash[i] = NULL;
- for (ref=c->xref_temp; ref; ref=_ref) {
- struct jffs2_xattr_ref *tmp;
-
-@@ -884,6 +887,8 @@ void jffs2_build_xattr_subsystem(struct
- "%u of xref (%u dead, %u orphan) found.\n",
- xdatum_count, xdatum_unchecked_count, xdatum_orphan_count,
- xref_count, xref_dead_count, xref_orphan_count);
-+ kfree(xref_tmphash);
-+ return 0;
- }
-
- struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,
---- a/fs/jffs2/xattr.h
-+++ b/fs/jffs2/xattr.h
-@@ -71,7 +71,7 @@ static inline int is_xattr_ref_dead(stru
- #ifdef CONFIG_JFFS2_FS_XATTR
-
- extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c);
--extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c);
-+extern int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c);
- extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c);
-
- extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,
-@@ -103,7 +103,7 @@ extern ssize_t jffs2_listxattr(struct de
- #else
-
- #define jffs2_init_xattr_subsystem(c)
--#define jffs2_build_xattr_subsystem(c)
-+#define jffs2_build_xattr_subsystem(c) (0)
- #define jffs2_clear_xattr_subsystem(c)
-
- #define jffs2_xattr_do_crccheck_inode(c, ic)
+++ /dev/null
-From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001
-From: Siddh Raman Pant <code@siddh.me>
-Date: Tue, 20 Jun 2023 22:17:00 +0530
-Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting
-
-From: Siddh Raman Pant <code@siddh.me>
-
-commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream.
-
-In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block
-number inside dbFree(). db_l2nbperpage, which is the log2 number of
-blocks per page, is passed as an argument to BLKTODMAP which uses it
-for shifting.
-
-Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is
-too big. This happens because the large value is set without any
-validation in dbMount() at line 181.
-
-Thus, make sure that db_l2nbperpage is correct while mounting.
-
-Max number of blocks per page = Page size / Min block size
-=> log2(Max num_block per page) = log2(Page size / Min block size)
- = log2(Page size) - log2(Min block size)
-
-=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE
-
-Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715
-Cc: stable@vger.kernel.org
-Suggested-by: Dave Kleikamp <dave.kleikamp@oracle.com>
-Signed-off-by: Siddh Raman Pant <code@siddh.me>
-Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/jfs/jfs_dmap.c | 6 ++++++
- fs/jfs/jfs_filsys.h | 2 ++
- 2 files changed, 8 insertions(+)
-
---- a/fs/jfs/jfs_dmap.c
-+++ b/fs/jfs/jfs_dmap.c
-@@ -191,7 +191,13 @@ int dbMount(struct inode *ipbmap)
- dbmp_le = (struct dbmap_disk *) mp->data;
- bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
- bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
-+
- bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
-+ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
-+ err = -EINVAL;
-+ goto err_release_metapage;
-+ }
-+
- bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
- if (!bmp->db_numag) {
- err = -EINVAL;
---- a/fs/jfs/jfs_filsys.h
-+++ b/fs/jfs/jfs_filsys.h
-@@ -135,7 +135,9 @@
- #define NUM_INODE_PER_IAG INOSPERIAG
-
- #define MINBLOCKSIZE 512
-+#define L2MINBLOCKSIZE 9
- #define MAXBLOCKSIZE 4096
-+#define L2MAXBLOCKSIZE 12
- #define MAXFILESIZE ((s64)1 << 52)
-
- #define JFS_LINK_MAX 0xffffffff
+++ /dev/null
-From 8b2db998a10f3e10565a0bcd7135e3b686532fed Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 27 May 2023 20:34:34 +0800
-Subject: kexec: fix a memory leak in crash_shrink_memory()
-
-From: Zhen Lei <thunder.leizhen@huawei.com>
-
-[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ]
-
-Patch series "kexec: enable kexec_crash_size to support two crash kernel
-regions".
-
-When crashkernel=X fails to reserve region under 4G, it will fall back to
-reserve region above 4G and a region of the default size will also be
-reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only
-supports one crash kernel region now, the user cannot sense the low memory
-reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot
-be freed by writing this file.
-
-For example:
-resource_size(crashk_res) = 512M
-resource_size(crashk_low_res) = 256M
-
-The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be
-768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size
-of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB,
-which is incorrect.
-
-Since crashk_res manages the memory with high address and crashk_low_res
-manages the memory with low address, crashk_low_res is shrunken only when
-all crashk_res is shrunken. And because when there is only one crash
-kernel region, crashk_res is always used. Therefore, if all crashk_res is
-shrunken and crashk_low_res still exists, swap them.
-
-This patch (of 6):
-
-If the value of parameter 'new_size' is in the semi-open and semi-closed
-interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the
-calculation result of ram_res is:
-
- ram_res->start = crashk_res.end + 1
- ram_res->end = crashk_res.end
-
-The operation of insert_resource() fails, and ram_res is not added to
-iomem_resource. As a result, the memory of the control block ram_res is
-leaked.
-
-In fact, on all architectures, the start address and size of crashk_res
-are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need
-to round up crashk_res.start again. Instead, we should round up
-'new_size' in advance.
-
-Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com
-Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com
-Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()")
-Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size")
-Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
-Acked-by: Baoquan He <bhe@redhat.com>
-Cc: Cong Wang <amwang@redhat.com>
-Cc: Eric W. Biederman <ebiederm@xmission.com>
-Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/kexec_core.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
-index 6b3d7f7211dd6..3666d434a8f59 100644
---- a/kernel/kexec_core.c
-+++ b/kernel/kexec_core.c
-@@ -1020,6 +1020,7 @@ int crash_shrink_memory(unsigned long new_size)
- start = crashk_res.start;
- end = crashk_res.end;
- old_size = (end == 0) ? 0 : end - start + 1;
-+ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);
- if (new_size >= old_size) {
- ret = (new_size == old_size) ? 0 : -EINVAL;
- goto unlock;
-@@ -1031,9 +1032,7 @@ int crash_shrink_memory(unsigned long new_size)
- goto unlock;
- }
-
-- start = roundup(start, KEXEC_CRASH_MEM_ALIGN);
-- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN);
--
-+ end = start + new_size;
- crash_free_reserved_phys_range(end, crashk_res.end);
-
- if ((start == end) && (crashk_res.parent != NULL))
---
-2.39.2
-
+++ /dev/null
-From 52429ee7c466fa39578a37aba04f8ef0265f1457 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 24 Mar 2023 15:54:23 +0100
-Subject: KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
-
-From: Nico Boehr <nrb@linux.ibm.com>
-
-[ Upstream commit 285cff4c0454340a4dc53f46e67f2cb1c293bd74 ]
-
-The KVM_S390_GET_CMMA_BITS ioctl may return incorrect values when userspace
-specifies a start_gfn outside of memslots.
-
-This can occur when a VM has multiple memslots with a hole in between:
-
-+-----+----------+--------+--------+
-| ... | Slot N-1 | <hole> | Slot N |
-+-----+----------+--------+--------+
- ^ ^ ^ ^
- | | | |
-GFN A A+B | |
- A+B+C |
- A+B+C+D
-
-When userspace specifies a GFN in [A+B, A+B+C), it would expect to get the
-CMMA values of the first dirty page in Slot N. However, userspace may get a
-start_gfn of A+B+C+D with a count of 0, hence completely skipping over any
-dirty pages in slot N.
-
-The error is in kvm_s390_next_dirty_cmma(), which assumes
-gfn_to_memslot_approx() will return the memslot _below_ the specified GFN
-when the specified GFN lies outside a memslot. In reality it may return
-either the memslot below or above the specified GFN.
-
-When a memslot above the specified GFN is returned this happens:
-
-- ofs is calculated, but since the memslot's base_gfn is larger than the
- specified cur_gfn, ofs will underflow to a huge number.
-- ofs is passed to find_next_bit(). Since ofs will exceed the memslot's
- number of pages, the number of pages in the memslot is returned,
- completely skipping over all bits in the memslot userspace would be
- interested in.
-
-Fix this by resetting ofs to zero when a memslot _above_ cur_gfn is
-returned (cur_gfn < ms->base_gfn).
-
-Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots")
-Message-Id: <20230324145424.293889-2-nrb@linux.ibm.com>
-Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/kvm/kvm-s390.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
-index 3aade928c18dd..92041d442d2e6 100644
---- a/arch/s390/kvm/kvm-s390.c
-+++ b/arch/s390/kvm/kvm-s390.c
-@@ -1716,6 +1716,10 @@ static unsigned long kvm_s390_next_dirty_cmma(struct kvm_memslots *slots,
- ms = slots->memslots + slotidx;
- ofs = 0;
- }
-+
-+ if (cur_gfn < ms->base_gfn)
-+ ofs = 0;
-+
- ofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, ofs);
- while ((slotidx > 0) && (ofs >= ms->npages)) {
- slotidx--;
---
-2.39.2
-
+++ /dev/null
-From 87da1904b8c1c4030f88ea104f42f0a2d6b7bce8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 19 Jun 2023 20:06:57 +0100
-Subject: lib/ts_bm: reset initial match offset for every block of text
-
-From: Jeremy Sowden <jeremy@azazel.net>
-
-[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ]
-
-The `shift` variable which indicates the offset in the string at which
-to start matching the pattern is initialized to `bm->patlen - 1`, but it
-is not reset when a new block is retrieved. This means the implemen-
-tation may start looking at later and later positions in each successive
-block and miss occurrences of the pattern at the beginning. E.g.,
-consider a HTTP packet held in a non-linear skb, where the HTTP request
-line occurs in the second block:
-
- [... 52 bytes of packet headers ...]
- GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n
-
-and the pattern is "GET /bmtest".
-
-Once the first block comprising the packet headers has been examined,
-`shift` will be pointing to somewhere near the end of the block, and so
-when the second block is examined the request line at the beginning will
-be missed.
-
-Reinitialize the variable for each new block.
-
-Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2")
-Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390
-Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- lib/ts_bm.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/lib/ts_bm.c b/lib/ts_bm.c
-index 9e66ee4020e90..5de382e79a45a 100644
---- a/lib/ts_bm.c
-+++ b/lib/ts_bm.c
-@@ -64,10 +64,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
- struct ts_bm *bm = ts_config_priv(conf);
- unsigned int i, text_len, consumed = state->offset;
- const u8 *text;
-- int shift = bm->patlen - 1, bs;
-+ int bs;
- const u8 icase = conf->flags & TS_IGNORECASE;
-
- for (;;) {
-+ int shift = bm->patlen - 1;
-+
- text_len = conf->get_next_block(consumed, &text, conf, state);
-
- if (unlikely(text_len == 0))
---
-2.39.2
-
+++ /dev/null
-From 3be5e9a7e94dd56e5d1ec735d5f11d991fd11606 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 18 Jul 2023 10:41:51 -0700
-Subject: llc: Don't drop packet from non-root netns.
-
-From: Kuniyuki Iwashima <kuniyu@amazon.com>
-
-[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ]
-
-Now these upper layer protocol handlers can be called from llc_rcv()
-as sap->rcv_func(), which is registered by llc_sap_open().
-
- * function which is passed to register_8022_client()
- -> no in-kernel user calls register_8022_client().
-
- * snap_rcv()
- `- proto->rcvfunc() : registered by register_snap_client()
- -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
-
- * stp_pdu_rcv()
- `- garp_protos[]->rcv() : registered by stp_proto_register()
- -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
-
-So, we can safely remove the netns restriction in llc_rcv().
-
-Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
-Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/llc/llc_input.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
-index 82cb93f66b9bd..f9e801cc50f5e 100644
---- a/net/llc/llc_input.c
-+++ b/net/llc/llc_input.c
-@@ -162,9 +162,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
- void (*sta_handler)(struct sk_buff *skb);
- void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
-
-- if (!net_eq(dev_net(dev), &init_net))
-- goto drop;
--
- /*
- * When the interface is in promisc. mode, drop all the crap that it
- * receives, do not try to analyse it.
---
-2.39.2
-
+++ /dev/null
-From 9d3c47985bd35b602eb28d2eff0fef510ba3ff20 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 20 Jun 2023 20:00:22 -0500
-Subject: mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
-
-From: Nishanth Menon <nm@ti.com>
-
-[ Upstream commit 1b712f18c461bd75f018033a15cf381e712806b5 ]
-
-Sec proxy/message manager data buffer is 60 bytes with the last of the
-registers indicating transmission completion. This however poses a bit
-of a challenge.
-
-The backing memory for sec_proxy / message manager is regular memory,
-and all sec proxy does is to trigger a burst of all 60 bytes of data
-over to the target thread backing ring accelerator. It doesn't do a
-memory scrub when it moves data out in the burst. When we transmit
-multiple messages, remnants of previous message is also transmitted
-which results in some random data being set in TISCI fields of
-messages that have been expanded forward.
-
-The entire concept of backward compatibility hinges on the fact that
-the unused message fields remain 0x0 allowing for 0x0 value to be
-specially considered when backward compatibility of message extension
-is done.
-
-So, instead of just writing the completion register, we continue
-to fill the message buffer up with 0x0 (note: for partial message
-involving completion, we already do this).
-
-This allows us to scale and introduce ABI changes back also work with
-other boot stages that may have left data in the internal memory.
-
-While at this, be consistent and explicit with the data_reg pointer
-increment.
-
-Fixes: aace66b170ce ("mailbox: Introduce TI message manager driver")
-Signed-off-by: Nishanth Menon <nm@ti.com>
-Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/mailbox/ti-msgmgr.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/mailbox/ti-msgmgr.c b/drivers/mailbox/ti-msgmgr.c
-index 01e9e462512b7..eb1e9771037f2 100644
---- a/drivers/mailbox/ti-msgmgr.c
-+++ b/drivers/mailbox/ti-msgmgr.c
-@@ -385,14 +385,20 @@ static int ti_msgmgr_send_data(struct mbox_chan *chan, void *data)
- /* Ensure all unused data is 0 */
- data_trail &= 0xFFFFFFFF >> (8 * (sizeof(u32) - trail_bytes));
- writel(data_trail, data_reg);
-- data_reg++;
-+ data_reg += sizeof(u32);
- }
-+
- /*
- * 'data_reg' indicates next register to write. If we did not already
- * write on tx complete reg(last reg), we must do so for transmit
-+ * In addition, we also need to make sure all intermediate data
-+ * registers(if any required), are reset to 0 for TISCI backward
-+ * compatibility to be maintained.
- */
-- if (data_reg <= qinst->queue_buff_end)
-- writel(0, qinst->queue_buff_end);
-+ while (data_reg <= qinst->queue_buff_end) {
-+ writel(0, data_reg);
-+ data_reg += sizeof(u32);
-+ }
-
- return 0;
- }
---
-2.39.2
-
+++ /dev/null
-From 8c977d8f9a4252e9b335230eb09b5cc3f52e6db1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 12 May 2023 09:56:07 +0800
-Subject: md: fix data corruption for raid456 when reshape restart while grow
- up
-
-From: Yu Kuai <yukuai3@huawei.com>
-
-[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ]
-
-Currently, if reshape is interrupted, echo "reshape" to sync_action will
-restart reshape from scratch, for example:
-
-echo frozen > sync_action
-echo reshape > sync_action
-
-This will corrupt data before reshape_position if the array is growing,
-fix the problem by continue reshape from reshape_position.
-
-Reported-by: Peter Neuwirth <reddunur@online.de>
-Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/
-Signed-off-by: Yu Kuai <yukuai3@huawei.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/md.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index 2e23a898fc978..6b074c2202d5a 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -4639,11 +4639,21 @@ action_store(struct mddev *mddev, const char *page, size_t len)
- return -EINVAL;
- err = mddev_lock(mddev);
- if (!err) {
-- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
-+ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) {
- err = -EBUSY;
-- else {
-+ } else if (mddev->reshape_position == MaxSector ||
-+ mddev->pers->check_reshape == NULL ||
-+ mddev->pers->check_reshape(mddev)) {
- clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
- err = mddev->pers->start_reshape(mddev);
-+ } else {
-+ /*
-+ * If reshape is still in progress, and
-+ * md_check_recovery() can continue to reshape,
-+ * don't restart reshape because data can be
-+ * corrupted for raid456.
-+ */
-+ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
- }
- mddev_unlock(mddev);
- }
---
-2.39.2
-
+++ /dev/null
-From e836007089ba8fdf24e636ef2b007651fb4582e6 Mon Sep 17 00:00:00 2001
-From: Jason Baron <jbaron@akamai.com>
-Date: Fri, 23 Jun 2023 14:05:23 -0400
-Subject: md/raid0: add discard support for the 'original' layout
-
-From: Jason Baron <jbaron@akamai.com>
-
-commit e836007089ba8fdf24e636ef2b007651fb4582e6 upstream.
-
-We've found that using raid0 with the 'original' layout and discard
-enabled with different disk sizes (such that at least two zones are
-created) can result in data corruption. This is due to the fact that
-the discard handling in 'raid0_handle_discard()' assumes the 'alternate'
-layout. We've seen this corruption using ext4 but other filesystems are
-likely susceptible as well.
-
-More specifically, while multiple zones are necessary to create the
-corruption, the corruption may not occur with multiple zones if they
-layout in such a way the layout matches what the 'alternate' layout
-would have produced. Thus, not all raid0 devices with the 'original'
-layout, different size disks and discard enabled will encounter this
-corruption.
-
-The 3.14 kernel inadvertently changed the raid0 disk layout for different
-size disks. Thus, running a pre-3.14 kernel and post-3.14 kernel on the
-same raid0 array could corrupt data. This lead to the creation of the
-'original' layout (to match the pre-3.14 layout) and the 'alternate' layout
-(to match the post 3.14 layout) in the 5.4 kernel time frame and an option
-to tell the kernel which layout to use (since it couldn't be autodetected).
-However, when the 'original' layout was added back to 5.4 discard support
-for the 'original' layout was not added leading this issue.
-
-I've been able to reliably reproduce the corruption with the following
-test case:
-
-1. create raid0 array with different size disks using original layout
-2. mkfs
-3. mount -o discard
-4. create lots of files
-5. remove 1/2 the files
-6. fstrim -a (or just the mount point for the raid0 array)
-7. umount
-8. fsck -fn /dev/md0 (spews all sorts of corruptions)
-
-Let's fix this by adding proper discard support to the 'original' layout.
-The fix 'maps' the 'original' layout disks to the order in which they are
-read/written such that we can compare the disks in the same way that the
-current 'alternate' layout does. A 'disk_shift' field is added to
-'struct strip_zone'. This could be computed on the fly in
-raid0_handle_discard() but by adding this field, we save some computation
-in the discard path.
-
-Note we could also potentially fix this by re-ordering the disks in the
-zones that follow the first one, and then always read/writing them using
-the 'alternate' layout. However, that is seen as a more substantial change,
-and we are attempting the least invasive fix at this time to remedy the
-corruption.
-
-I've verified the change using the reproducer mentioned above. Typically,
-the corruption is seen after less than 3 iterations, while the patch has
-run 500+ iterations.
-
-Cc: NeilBrown <neilb@suse.de>
-Cc: Song Liu <song@kernel.org>
-Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.")
-Cc: stable@vger.kernel.org
-Signed-off-by: Jason Baron <jbaron@akamai.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230623180523.1901230-1-jbaron@akamai.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/md/raid0.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++-------
- drivers/md/raid0.h | 1
- 2 files changed, 55 insertions(+), 8 deletions(-)
-
---- a/drivers/md/raid0.c
-+++ b/drivers/md/raid0.c
-@@ -296,6 +296,18 @@ static int create_strip_zones(struct mdd
- goto abort;
- }
-
-+ if (conf->layout == RAID0_ORIG_LAYOUT) {
-+ for (i = 1; i < conf->nr_strip_zones; i++) {
-+ sector_t first_sector = conf->strip_zone[i-1].zone_end;
-+
-+ sector_div(first_sector, mddev->chunk_sectors);
-+ zone = conf->strip_zone + i;
-+ /* disk_shift is first disk index used in the zone */
-+ zone->disk_shift = sector_div(first_sector,
-+ zone->nb_dev);
-+ }
-+ }
-+
- pr_debug("md/raid0:%s: done.\n", mdname(mddev));
- *private_conf = conf;
-
-@@ -482,6 +494,20 @@ static inline int is_io_in_chunk_boundar
- }
- }
-
-+/*
-+ * Convert disk_index to the disk order in which it is read/written.
-+ * For example, if we have 4 disks, they are numbered 0,1,2,3. If we
-+ * write the disks starting at disk 3, then the read/write order would
-+ * be disk 3, then 0, then 1, and then disk 2 and we want map_disk_shift()
-+ * to map the disks as follows 0,1,2,3 => 1,2,3,0. So disk 0 would map
-+ * to 1, 1 to 2, 2 to 3, and 3 to 0. That way we can compare disks in
-+ * that 'output' space to understand the read/write disk ordering.
-+ */
-+static int map_disk_shift(int disk_index, int num_disks, int disk_shift)
-+{
-+ return ((disk_index + num_disks - disk_shift) % num_disks);
-+}
-+
- static void raid0_handle_discard(struct mddev *mddev, struct bio *bio)
- {
- struct r0conf *conf = mddev->private;
-@@ -495,7 +521,9 @@ static void raid0_handle_discard(struct
- sector_t end_disk_offset;
- unsigned int end_disk_index;
- unsigned int disk;
-+ sector_t orig_start, orig_end;
-
-+ orig_start = start;
- zone = find_zone(conf, &start);
-
- if (bio_end_sector(bio) > zone->zone_end) {
-@@ -509,6 +537,7 @@ static void raid0_handle_discard(struct
- } else
- end = bio_end_sector(bio);
-
-+ orig_end = end;
- if (zone != conf->strip_zone)
- end = end - zone[-1].zone_end;
-
-@@ -520,13 +549,26 @@ static void raid0_handle_discard(struct
- last_stripe_index = end;
- sector_div(last_stripe_index, stripe_size);
-
-- start_disk_index = (int)(start - first_stripe_index * stripe_size) /
-- mddev->chunk_sectors;
-+ /* In the first zone the original and alternate layouts are the same */
-+ if ((conf->layout == RAID0_ORIG_LAYOUT) && (zone != conf->strip_zone)) {
-+ sector_div(orig_start, mddev->chunk_sectors);
-+ start_disk_index = sector_div(orig_start, zone->nb_dev);
-+ start_disk_index = map_disk_shift(start_disk_index,
-+ zone->nb_dev,
-+ zone->disk_shift);
-+ sector_div(orig_end, mddev->chunk_sectors);
-+ end_disk_index = sector_div(orig_end, zone->nb_dev);
-+ end_disk_index = map_disk_shift(end_disk_index,
-+ zone->nb_dev, zone->disk_shift);
-+ } else {
-+ start_disk_index = (int)(start - first_stripe_index * stripe_size) /
-+ mddev->chunk_sectors;
-+ end_disk_index = (int)(end - last_stripe_index * stripe_size) /
-+ mddev->chunk_sectors;
-+ }
- start_disk_offset = ((int)(start - first_stripe_index * stripe_size) %
- mddev->chunk_sectors) +
- first_stripe_index * mddev->chunk_sectors;
-- end_disk_index = (int)(end - last_stripe_index * stripe_size) /
-- mddev->chunk_sectors;
- end_disk_offset = ((int)(end - last_stripe_index * stripe_size) %
- mddev->chunk_sectors) +
- last_stripe_index * mddev->chunk_sectors;
-@@ -535,18 +577,22 @@ static void raid0_handle_discard(struct
- sector_t dev_start, dev_end;
- struct bio *discard_bio = NULL;
- struct md_rdev *rdev;
-+ int compare_disk;
-+
-+ compare_disk = map_disk_shift(disk, zone->nb_dev,
-+ zone->disk_shift);
-
-- if (disk < start_disk_index)
-+ if (compare_disk < start_disk_index)
- dev_start = (first_stripe_index + 1) *
- mddev->chunk_sectors;
-- else if (disk > start_disk_index)
-+ else if (compare_disk > start_disk_index)
- dev_start = first_stripe_index * mddev->chunk_sectors;
- else
- dev_start = start_disk_offset;
-
-- if (disk < end_disk_index)
-+ if (compare_disk < end_disk_index)
- dev_end = (last_stripe_index + 1) * mddev->chunk_sectors;
-- else if (disk > end_disk_index)
-+ else if (compare_disk > end_disk_index)
- dev_end = last_stripe_index * mddev->chunk_sectors;
- else
- dev_end = end_disk_offset;
---- a/drivers/md/raid0.h
-+++ b/drivers/md/raid0.h
-@@ -6,6 +6,7 @@ struct strip_zone {
- sector_t zone_end; /* Start of the next zone (in sectors) */
- sector_t dev_start; /* Zone offset in real dev (in sectors) */
- int nb_dev; /* # of devices attached to the zone */
-+ int disk_shift; /* start disk for the original layout */
- };
-
- /* Linux 3.14 (20d0189b101) made an unintended change to
+++ /dev/null
-From c42045a300917bf19d72afa28c7485a1e242ad54 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 May 2023 21:48:05 +0800
-Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
-
-From: Li Nan <linan122@huawei.com>
-
-[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ]
-
-If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
-will return -EINVAL because 'page >= bitmap->pages', but the return value
-was not checked immediately in md_bitmap_get_counter() in order to set
-*blocks value and slab-out-of-bounds occurs.
-
-Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and
-return directly if true.
-
-Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
-Signed-off-by: Li Nan <linan122@huawei.com>
-Reviewed-by: Yu Kuai <yukuai3@huawei.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/md-bitmap.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
-index 1c4c462787198..7ca81e917aef4 100644
---- a/drivers/md/md-bitmap.c
-+++ b/drivers/md/md-bitmap.c
-@@ -53,14 +53,7 @@ __acquires(bitmap->lock)
- {
- unsigned char *mappage;
-
-- if (page >= bitmap->pages) {
-- /* This can happen if bitmap_start_sync goes beyond
-- * End-of-device while looking for a whole page.
-- * It is harmless.
-- */
-- return -EINVAL;
-- }
--
-+ WARN_ON_ONCE(page >= bitmap->pages);
- if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */
- return 0;
-
-@@ -1368,6 +1361,14 @@ __acquires(bitmap->lock)
- sector_t csize;
- int err;
-
-+ if (page >= bitmap->pages) {
-+ /*
-+ * This can happen if bitmap_start_sync goes beyond
-+ * End-of-device while looking for a whole page or
-+ * user set a huge number to sysfs bitmap_set_bits.
-+ */
-+ return NULL;
-+ }
- err = md_bitmap_checkpage(bitmap, page, create, 0);
-
- if (bitmap->bp[page].hijacked ||
---
-2.39.2
-
+++ /dev/null
-From 259441acc7d9499e917ec4612b2d9d732e643a53 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 2 Jun 2023 17:18:39 +0800
-Subject: md/raid10: fix io loss while replacement replace rdev
-
-From: Li Nan <linan122@huawei.com>
-
-[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ]
-
-When removing a disk with replacement, the replacement will be used to
-replace rdev. During this process, there is a brief window in which both
-rdev and replacement are read as NULL in raid10_write_request(). This
-will result in io not being submitted but it should be.
-
- //remove //write
- raid10_remove_disk raid10_write_request
- mirror->rdev = NULL
- read rdev -> NULL
- mirror->rdev = mirror->replacement
- mirror->replacement = NULL
- read replacement -> NULL
-
-Fix it by reading replacement first and rdev later, meanwhile, use smp_mb()
-to prevent memory reordering.
-
-Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.")
-Signed-off-by: Li Nan <linan122@huawei.com>
-Reviewed-by: Yu Kuai <yukuai3@huawei.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/raid10.c | 22 ++++++++++++++++++----
- 1 file changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index f6d2be1d23864..d46056b07c079 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -781,8 +781,16 @@ static struct md_rdev *read_balance(struct r10conf *conf,
- disk = r10_bio->devs[slot].devnum;
- rdev = rcu_dereference(conf->mirrors[disk].replacement);
- if (rdev == NULL || test_bit(Faulty, &rdev->flags) ||
-- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset)
-+ r10_bio->devs[slot].addr + sectors >
-+ rdev->recovery_offset) {
-+ /*
-+ * Read replacement first to prevent reading both rdev
-+ * and replacement as NULL during replacement replace
-+ * rdev.
-+ */
-+ smp_mb();
- rdev = rcu_dereference(conf->mirrors[disk].rdev);
-+ }
- if (rdev == NULL ||
- test_bit(Faulty, &rdev->flags))
- continue;
-@@ -1400,9 +1408,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio,
-
- for (i = 0; i < conf->copies; i++) {
- int d = r10_bio->devs[i].devnum;
-- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev);
-- struct md_rdev *rrdev = rcu_dereference(
-- conf->mirrors[d].replacement);
-+ struct md_rdev *rdev, *rrdev;
-+
-+ rrdev = rcu_dereference(conf->mirrors[d].replacement);
-+ /*
-+ * Read replacement first to prevent reading both rdev and
-+ * replacement as NULL during replacement replace rdev.
-+ */
-+ smp_mb();
-+ rdev = rcu_dereference(conf->mirrors[d].rdev);
- if (rdev == rrdev)
- rrdev = NULL;
- if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) {
---
-2.39.2
-
+++ /dev/null
-From 06023f86c6d335ab7cbc42c39fdf4677bddab0d7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 May 2023 15:25:33 +0800
-Subject: md/raid10: fix overflow of md/safe_mode_delay
-
-From: Li Nan <linan122@huawei.com>
-
-[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ]
-
-There is no input check when echo md/safe_mode_delay in safe_delay_store().
-And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by
-checking overflow in safe_delay_store() and use unsigned long conversion in
-safe_delay_show().
-
-Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
-Signed-off-by: Li Nan <linan122@huawei.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/md.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index f8c111b369928..ad3e666b9d735 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -3671,8 +3671,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
- static ssize_t
- safe_delay_show(struct mddev *mddev, char *page)
- {
-- int msec = (mddev->safemode_delay*1000)/HZ;
-- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
-+ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
-+
-+ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
- }
- static ssize_t
- safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
-@@ -3684,7 +3685,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
- return -EINVAL;
- }
-
-- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
-+ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ)
- return -EINVAL;
- if (msec == 0)
- mddev->safemode_delay = 0;
---
-2.39.2
-
+++ /dev/null
-From 3ac2cda1e64e9661ec83abeb47a94e2514a776f6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 May 2023 15:25:34 +0800
-Subject: md/raid10: fix wrong setting of max_corr_read_errors
-
-From: Li Nan <linan122@huawei.com>
-
-[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ]
-
-There is no input check when echo md/max_read_errors and overflow might
-occur. Add check of input number.
-
-Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
-Signed-off-by: Li Nan <linan122@huawei.com>
-Reviewed-by: Yu Kuai <yukuai3@huawei.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/md.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index ad3e666b9d735..2e23a898fc978 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -4337,6 +4337,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len
- rv = kstrtouint(buf, 10, &n);
- if (rv < 0)
- return rv;
-+ if (n > INT_MAX)
-+ return -EINVAL;
- atomic_set(&mddev->max_corr_read_errors, n);
- return len;
- }
---
-2.39.2
-
+++ /dev/null
-From 1028f0b7c80c5262aa6683b18d6334476dd55f25 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 May 2023 21:11:00 +0800
-Subject: md/raid10: prevent soft lockup while flush writes
-
-From: Yu Kuai <yukuai3@huawei.com>
-
-[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ]
-
-Currently, there is no limit for raid1/raid10 plugged bio. While flushing
-writes, raid1 has cond_resched() while raid10 doesn't, and too many
-writes can cause soft lockup.
-
-Follow up soft lockup can be triggered easily with writeback test for
-raid10 with ramdisks:
-
-watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293]
-Call Trace:
- <TASK>
- call_rcu+0x16/0x20
- put_object+0x41/0x80
- __delete_object+0x50/0x90
- delete_object_full+0x2b/0x40
- kmemleak_free+0x46/0xa0
- slab_free_freelist_hook.constprop.0+0xed/0x1a0
- kmem_cache_free+0xfd/0x300
- mempool_free_slab+0x1f/0x30
- mempool_free+0x3a/0x100
- bio_free+0x59/0x80
- bio_put+0xcf/0x2c0
- free_r10bio+0xbf/0xf0
- raid_end_bio_io+0x78/0xb0
- one_write_done+0x8a/0xa0
- raid10_end_write_request+0x1b4/0x430
- bio_endio+0x175/0x320
- brd_submit_bio+0x3b9/0x9b7 [brd]
- __submit_bio+0x69/0xe0
- submit_bio_noacct_nocheck+0x1e6/0x5a0
- submit_bio_noacct+0x38c/0x7e0
- flush_pending_writes+0xf0/0x240
- raid10d+0xac/0x1ed0
-
-Fix the problem by adding cond_resched() to raid10 like what raid1 did.
-
-Note that unlimited plugged bio still need to be optimized, for example,
-in the case of lots of dirty pages writeback, this will take lots of
-memory and io will spend a long time in plug, hence io latency is bad.
-
-Signed-off-by: Yu Kuai <yukuai3@huawei.com>
-Signed-off-by: Song Liu <song@kernel.org>
-Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/raid10.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index d46056b07c079..bee694be20132 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -942,6 +942,7 @@ static void flush_pending_writes(struct r10conf *conf)
- else
- generic_make_request(bio);
- bio = next;
-+ cond_resched();
- }
- blk_finish_plug(&plug);
- } else
-@@ -1127,6 +1128,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule)
- else
- generic_make_request(bio);
- bio = next;
-+ cond_resched();
- }
- kfree(plug);
- }
---
-2.39.2
-
+++ /dev/null
-From d012063f1e944dad67033cc0cd1fde30da0e3268 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Mar 2023 10:04:49 -0700
-Subject: media: usb: Check az6007_read() return value
-
-From: Daniil Dulov <d.dulov@aladdin.ru>
-
-[ Upstream commit fdaca63186f59fc664b346c45b76576624b48e57 ]
-
-If az6007_read() returns error, there is no sence to continue.
-
-Found by Linux Verification Center (linuxtesting.org) with SVACE.
-
-Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter")
-Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
-index 746926364535d..8e914be5b7c5e 100644
---- a/drivers/media/usb/dvb-usb-v2/az6007.c
-+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
-@@ -210,7 +210,8 @@ static int az6007_rc_query(struct dvb_usb_device *d)
- unsigned code;
- enum rc_proto proto;
-
-- az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);
-+ if (az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10) < 0)
-+ return -EIO;
-
- if (st->data[1] == 0x44)
- return 0;
---
-2.39.2
-
+++ /dev/null
-From 0bfc643423d21b0d842787fc278020696fbfc558 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 23 May 2023 07:59:32 +0800
-Subject: media: usb: siano: Fix warning due to null work_func_t function
- pointer
-
-From: Duoming Zhou <duoming@zju.edu.cn>
-
-[ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ]
-
-The previous commit ebad8e731c1c ("media: usb: siano: Fix use after
-free bugs caused by do_submit_urb") adds cancel_work_sync() in
-smsusb_stop_streaming(). But smsusb_stop_streaming() may be called,
-even if the work_struct surb->wq has not been initialized. As a result,
-the warning will occur. One of the processes that could lead to warning
-is shown below:
-
-smsusb_probe()
- smsusb_init_device()
- if (!dev->in_ep || !dev->out_ep || align < 0) {
- smsusb_term_device(intf);
- smsusb_stop_streaming()
- cancel_work_sync(&dev->surbs[i].wq);
- __cancel_work_timer()
- __flush_work()
- if (WARN_ON(!work->func)) // work->func is null
-
-The log reported by syzbot is shown below:
-
-WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
-Modules linked in:
-CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
-RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
-...
-RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246
-RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e
-RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8
-RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f
-R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8
-R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001
-FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- <TASK>
- __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
- smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
- smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
- smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
- smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
-...
-
-This patch adds check before cancel_work_sync(). If surb->wq has not
-been initialized, the cancel_work_sync() will not be executed.
-
-Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com
-Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
-Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/siano/smsusb.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
-index 2df3d730ea768..cd706874899c3 100644
---- a/drivers/media/usb/siano/smsusb.c
-+++ b/drivers/media/usb/siano/smsusb.c
-@@ -190,7 +190,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
-
- for (i = 0; i < MAX_URBS; i++) {
- usb_kill_urb(&dev->surbs[i].urb);
-- cancel_work_sync(&dev->surbs[i].wq);
-+ if (dev->surbs[i].wq.func)
-+ cancel_work_sync(&dev->surbs[i].wq);
-
- if (dev->surbs[i].cb) {
- smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
---
-2.39.2
-
+++ /dev/null
-From e893f0ec9971c9347a2a0414e40093f005b71e03 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 18 May 2023 15:36:49 +0200
-Subject: media: videodev2.h: Fix struct v4l2_input tuner index comment
-
-From: Marek Vasut <marex@denx.de>
-
-[ Upstream commit 26ae58f65e64fa7ba61d64bae752e59e08380c6a ]
-
-VIDIOC_ENUMINPUT documentation describes the tuner field of
-struct v4l2_input as index:
-
-Documentation/userspace-api/media/v4l/vidioc-enuminput.rst
-"
-* - __u32
- - ``tuner``
- - Capture devices can have zero or more tuners (RF demodulators).
- When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an
- RF connector and this field identifies the tuner. It corresponds
- to struct :c:type:`v4l2_tuner` field ``index``. For
- details on tuners see :ref:`tuner`.
-"
-
-Drivers I could find also use the 'tuner' field as an index, e.g.:
-drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input()
-drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input()
-
-However, the UAPI comment claims this field is 'enum v4l2_tuner_type':
-include/uapi/linux/videodev2.h
-
-This field being 'enum v4l2_tuner_type' is unlikely as it seems to be
-never used that way in drivers, and documentation confirms it. It seem
-this comment got in accidentally in the commit which this patch fixes.
-Fix the UAPI comment to stop confusion.
-
-This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT
-support for strace.
-
-Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs")
-Signed-off-by: Marek Vasut <marex@denx.de>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/uapi/linux/videodev2.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
-index ad6a633f5848a..ac22e7f062399 100644
---- a/include/uapi/linux/videodev2.h
-+++ b/include/uapi/linux/videodev2.h
-@@ -1510,7 +1510,7 @@ struct v4l2_input {
- __u8 name[32]; /* Label */
- __u32 type; /* Type of input */
- __u32 audioset; /* Associated audios (bitfield) */
-- __u32 tuner; /* enum v4l2_tuner_type */
-+ __u32 tuner; /* Tuner index */
- v4l2_std_id std;
- __u32 status;
- __u32 capabilities;
---
-2.39.2
-
+++ /dev/null
-From e30b96869547af066175585c4913bfb9bbf5e916 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 16 May 2023 22:27:04 +0200
-Subject: memstick r592: make memstick_debug_get_tpc_name() static
-
-From: Arnd Bergmann <arnd@arndb.de>
-
-[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ]
-
-There are no other files referencing this function, apparently
-it was left global to avoid an 'unused function' warning when
-the only caller is left out. With a 'W=1' build, it causes
-a 'missing prototype' warning though:
-
-drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
-
-Annotate the function as 'static __maybe_unused' to avoid both
-problems.
-
-Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
-Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/memstick/host/r592.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
-index edb1b5588b7a0..6360f5c6d3958 100644
---- a/drivers/memstick/host/r592.c
-+++ b/drivers/memstick/host/r592.c
-@@ -47,12 +47,10 @@ static const char *tpc_names[] = {
- * memstick_debug_get_tpc_name - debug helper that returns string for
- * a TPC number
- */
--const char *memstick_debug_get_tpc_name(int tpc)
-+static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc)
- {
- return tpc_names[tpc-1];
- }
--EXPORT_SYMBOL(memstick_debug_get_tpc_name);
--
-
- /* Read a register*/
- static inline u32 r592_read_reg(struct r592_device *dev, int address)
---
-2.39.2
-
+++ /dev/null
-From c57fa0037024c92c2ca34243e79e857da5d2c0a9 Mon Sep 17 00:00:00 2001
-From: George Stark <gnstark@sberdevices.ru>
-Date: Tue, 6 Jun 2023 19:53:57 +0300
-Subject: meson saradc: fix clock divider mask length
-
-From: George Stark <gnstark@sberdevices.ru>
-
-commit c57fa0037024c92c2ca34243e79e857da5d2c0a9 upstream.
-
-According to the datasheets of supported meson SoCs length of ADC_CLK_DIV
-field is 6-bit. Although all supported SoCs have the register
-with that field documented later SoCs use external clock rather than
-ADC internal clock so this patch affects only meson8 family (S8* SoCs).
-
-Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
-Signed-off-by: George Stark <GNStark@sberdevices.ru>
-Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
-Link: https://lore.kernel.org/r/20230606165357.42417-1-gnstark@sberdevices.ru
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/iio/adc/meson_saradc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/iio/adc/meson_saradc.c
-+++ b/drivers/iio/adc/meson_saradc.c
-@@ -75,7 +75,7 @@
- #define MESON_SAR_ADC_REG3_PANEL_DETECT_COUNT_MASK GENMASK(20, 18)
- #define MESON_SAR_ADC_REG3_PANEL_DETECT_FILTER_TB_MASK GENMASK(17, 16)
- #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_SHIFT 10
-- #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 5
-+ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 6
- #define MESON_SAR_ADC_REG3_BLOCK_DLY_SEL_MASK GENMASK(9, 8)
- #define MESON_SAR_ADC_REG3_BLOCK_DLY_MASK GENMASK(7, 0)
-
+++ /dev/null
-From d3266ffb81d44b80b833b11b52aa251047fa1ba4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 9 Jun 2023 09:48:18 +0800
-Subject: mfd: intel-lpss: Add missing check for platform_get_resource
-
-From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
-
-[ Upstream commit d918e0d5824495a75d00b879118b098fcab36fdb ]
-
-Add the missing check for platform_get_resource and return error
-if it fails.
-
-Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
-Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
-Signed-off-by: Lee Jones <lee@kernel.org>
-Link: https://lore.kernel.org/r/20230609014818.28475-1-jiasheng@iscas.ac.cn
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/mfd/intel-lpss-acpi.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c
-index fc44fb7c595bc..281ef5f52eb55 100644
---- a/drivers/mfd/intel-lpss-acpi.c
-+++ b/drivers/mfd/intel-lpss-acpi.c
-@@ -92,6 +92,9 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
- return -ENOMEM;
-
- info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-+ if (!info->mem)
-+ return -ENODEV;
-+
- info->irq = platform_get_irq(pdev, 0);
-
- ret = intel_lpss_probe(&pdev->dev, info);
---
-2.39.2
-
+++ /dev/null
-From 135ecabb089f9739c90fcfc093e4fca81157e8f9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 May 2023 22:57:10 +0200
-Subject: mfd: rt5033: Drop rt5033-battery sub-device
-
-From: Stephan Gerhold <stephan@gerhold.net>
-
-[ Upstream commit 43db1344e0f8c1eb687a1d6cd5b0de3009ab66cb ]
-
-The fuel gauge in the RT5033 PMIC (rt5033-battery) has its own I2C bus
-and interrupt lines. Therefore, it is not part of the MFD device
-and needs to be specified separately in the device tree.
-
-Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
-Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
-Signed-off-by: Jakob Hauser <jahau@rocketmail.com>
-Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Lee Jones <lee@kernel.org>
-Link: https://lore.kernel.org/r/6a8a19bc67b5be3732882e8131ad2ffcb546ac03.1684182964.git.jahau@rocketmail.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/mfd/rt5033.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c
-index 9bd089c563753..94cdad91c0657 100644
---- a/drivers/mfd/rt5033.c
-+++ b/drivers/mfd/rt5033.c
-@@ -44,9 +44,6 @@ static const struct mfd_cell rt5033_devs[] = {
- {
- .name = "rt5033-charger",
- .of_compatible = "richtek,rt5033-charger",
-- }, {
-- .name = "rt5033-battery",
-- .of_compatible = "richtek,rt5033-battery",
- }, {
- .name = "rt5033-led",
- .of_compatible = "richtek,rt5033-led",
---
-2.39.2
-
+++ /dev/null
-From 85501700b904c3cc48cc73d347156cfc1c525962 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 17 Jun 2023 12:43:16 +0200
-Subject: mfd: stmpe: Only disable the regulators if they are enabled
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 104d32bd81f620bb9f67fbf7d1159c414e89f05f ]
-
-In stmpe_probe(), if some regulator_enable() calls fail, probing continues
-and there is only a dev_warn().
-
-So, if stmpe_probe() is called the regulator may not be enabled. It is
-cleaner to test it before calling regulator_disable() in the remove
-function.
-
-Fixes: 9c9e321455fb ("mfd: stmpe: add optional regulators")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
-Link: https://lore.kernel.org/r/8de3aaf297931d655b9ad6aed548f4de8b85425a.1686998575.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Lee Jones <lee@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/mfd/stmpe.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c
-index 722ad2c368a56..d752c56d60e42 100644
---- a/drivers/mfd/stmpe.c
-+++ b/drivers/mfd/stmpe.c
-@@ -1428,9 +1428,9 @@ int stmpe_probe(struct stmpe_client_info *ci, enum stmpe_partnum partnum)
-
- int stmpe_remove(struct stmpe *stmpe)
- {
-- if (!IS_ERR(stmpe->vio))
-+ if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio))
- regulator_disable(stmpe->vio);
-- if (!IS_ERR(stmpe->vcc))
-+ if (!IS_ERR(stmpe->vcc) && regulator_is_enabled(stmpe->vcc))
- regulator_disable(stmpe->vcc);
-
- mfd_remove_devices(stmpe->dev);
---
-2.39.2
-
+++ /dev/null
-From f61b7634a3249d12b9daa36ffbdb9965b6f24c6c Mon Sep 17 00:00:00 2001
-From: Damien Le Moal <dlemoal@kernel.org>
-Date: Sat, 15 Apr 2023 11:35:39 +0900
-Subject: misc: pci_endpoint_test: Free IRQs before removing the device
-
-From: Damien Le Moal <dlemoal@kernel.org>
-
-commit f61b7634a3249d12b9daa36ffbdb9965b6f24c6c upstream.
-
-In pci_endpoint_test_remove(), freeing the IRQs after removing the device
-creates a small race window for IRQs to be received with the test device
-memory already released, causing the IRQ handler to access invalid memory,
-resulting in an oops.
-
-Free the device IRQs before removing the device to avoid this issue.
-
-Link: https://lore.kernel.org/r/20230415023542.77601-15-dlemoal@kernel.org
-Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
-Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/misc/pci_endpoint_test.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/misc/pci_endpoint_test.c
-+++ b/drivers/misc/pci_endpoint_test.c
-@@ -785,6 +785,9 @@ static void pci_endpoint_test_remove(str
- if (id < 0)
- return;
-
-+ pci_endpoint_test_release_irq(test);
-+ pci_endpoint_test_free_irq_vectors(test);
-+
- misc_deregister(&test->miscdev);
- kfree(misc_device->name);
- ida_simple_remove(&pci_endpoint_test_ida, id);
-@@ -793,9 +796,6 @@ static void pci_endpoint_test_remove(str
- pci_iounmap(pdev, test->bar[bar]);
- }
-
-- pci_endpoint_test_release_irq(test);
-- pci_endpoint_test_free_irq_vectors(test);
--
- pci_release_regions(pdev);
- pci_disable_device(pdev);
- }
+++ /dev/null
-From fb620ae73b70c2f57b9d3e911fc24c024ba2324f Mon Sep 17 00:00:00 2001
-From: Damien Le Moal <dlemoal@kernel.org>
-Date: Sat, 15 Apr 2023 11:35:40 +0900
-Subject: misc: pci_endpoint_test: Re-init completion for every test
-
-From: Damien Le Moal <dlemoal@kernel.org>
-
-commit fb620ae73b70c2f57b9d3e911fc24c024ba2324f upstream.
-
-The irq_raised completion used to detect the end of a test case is
-initialized when the test device is probed, but never reinitialized again
-before a test case. As a result, the irq_raised completion synchronization
-is effective only for the first ioctl test case executed. Any subsequent
-call to wait_for_completion() by another ioctl() call will immediately
-return, potentially too early, leading to false positive failures.
-
-Fix this by reinitializing the irq_raised completion before starting a new
-ioctl() test command.
-
-Link: https://lore.kernel.org/r/20230415023542.77601-16-dlemoal@kernel.org
-Fixes: 2c156ac71c6b ("misc: Add host side PCI driver for PCI test function device")
-Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/misc/pci_endpoint_test.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/misc/pci_endpoint_test.c
-+++ b/drivers/misc/pci_endpoint_test.c
-@@ -601,6 +601,10 @@ static long pci_endpoint_test_ioctl(stru
- struct pci_dev *pdev = test->pdev;
-
- mutex_lock(&test->mutex);
-+
-+ reinit_completion(&test->irq_raised);
-+ test->last_irq = -ENODATA;
-+
- switch (cmd) {
- case PCITEST_BAR:
- bar = arg;
+++ /dev/null
-From f1738a1f816233e6dfc2407f24a31d596643fd90 Mon Sep 17 00:00:00 2001
-From: Robert Marko <robimarko@gmail.com>
-Date: Mon, 19 Jun 2023 21:35:58 +0200
-Subject: mmc: core: disable TRIM on Kingston EMMC04G-M627
-
-From: Robert Marko <robimarko@gmail.com>
-
-commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream.
-
-It seems that Kingston EMMC04G-M627 despite advertising TRIM support does
-not work when the core is trying to use REQ_OP_WRITE_ZEROES.
-
-We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did
-not previously have and tracked it down to REQ_OP_WRITE_ZEROES.
-
-Trying to use fstrim seems to also throw errors like:
-[93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2
-
-Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
-to disable TRIM.
-
-Signed-off-by: Robert Marko <robimarko@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com
-Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/mmc/core/quirks.h | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/mmc/core/quirks.h
-+++ b/drivers/mmc/core/quirks.h
-@@ -91,6 +91,13 @@ static const struct mmc_fixup mmc_blk_fi
- MMC_QUIRK_SEC_ERASE_TRIM_BROKEN),
-
- /*
-+ * Kingston EMMC04G-M627 advertises TRIM but it does not seems to
-+ * support being used to offload WRITE_ZEROES.
-+ */
-+ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
-+ MMC_QUIRK_TRIM_BROKEN),
-+
-+ /*
- * On Some Kingston eMMCs, performing trim can result in
- * unrecoverable data conrruption occasionally due to a firmware bug.
- */
+++ /dev/null
-From dbfbddcddcebc9ce8a08757708d4e4a99d238e44 Mon Sep 17 00:00:00 2001
-From: Robert Marko <robimarko@gmail.com>
-Date: Tue, 30 May 2023 23:32:59 +0200
-Subject: mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
-
-From: Robert Marko <robimarko@gmail.com>
-
-commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream.
-
-It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does
-not work when the core is trying to use REQ_OP_WRITE_ZEROES.
-
-We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W
-that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES:
-[ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2
-
-Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
-to disable TRIM.
-
-Signed-off-by: Robert Marko <robimarko@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com
-Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/mmc/core/quirks.h | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/mmc/core/quirks.h
-+++ b/drivers/mmc/core/quirks.h
-@@ -98,6 +98,13 @@ static const struct mmc_fixup mmc_blk_fi
- MMC_QUIRK_TRIM_BROKEN),
-
- /*
-+ * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to
-+ * support being used to offload WRITE_ZEROES.
-+ */
-+ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc,
-+ MMC_QUIRK_TRIM_BROKEN),
-+
-+ /*
- * On Some Kingston eMMCs, performing trim can result in
- * unrecoverable data conrruption occasionally due to a firmware bug.
- */
+++ /dev/null
-From 900af37b23eddbb3069809f016b46b3a70a539a1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 1 Jun 2023 21:09:56 +0900
-Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
-
-From: Masahiro Yamada <masahiroy@kernel.org>
-
-[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ]
-
-addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a
-wrong way.
-
-Here, test code.
-
-[test code for R_ARM_JUMP24]
-
- .section .init.text,"ax"
- bar:
- bx lr
-
- .section .text,"ax"
- .globl foo
- foo:
- b bar
-
-[test code for R_ARM_CALL]
-
- .section .init.text,"ax"
- bar:
- bx lr
-
- .section .text,"ax"
- .globl foo
- foo:
- push {lr}
- bl bar
- pop {pc}
-
-If you compile it with ARM multi_v7_defconfig, modpost will show the
-symbol name, (unknown).
-
- WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text)
-
-(You need to use GNU linker instead of LLD to reproduce it.)
-
-Fix the code to make modpost show the correct symbol name.
-
-I imported (with adjustment) sign_extend32() from include/linux/bitops.h.
-
-The '+8' is the compensation for pc-relative instruction. It is
-documented in "ELF for the Arm Architecture" [1].
-
- "If the relocation is pc-relative then compensation for the PC bias
- (the PC value is 8 bytes ahead of the executing instruction in Arm
- state and 4 bytes in Thumb state) must be encoded in the relocation
- by the object producer."
-
-[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst
-
-Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
-Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers")
-Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- scripts/mod/modpost.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 41b1791a9463b..2060a3fe9691d 100644
---- a/scripts/mod/modpost.c
-+++ b/scripts/mod/modpost.c
-@@ -1751,12 +1751,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
- #define R_ARM_THM_JUMP19 51
- #endif
-
-+static int32_t sign_extend32(int32_t value, int index)
-+{
-+ uint8_t shift = 31 - index;
-+
-+ return (int32_t)(value << shift) >> shift;
-+}
-+
- static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
- {
- unsigned int r_typ = ELF_R_TYPE(r->r_info);
- Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
- void *loc = reloc_location(elf, sechdr, r);
- uint32_t inst;
-+ int32_t offset;
-
- switch (r_typ) {
- case R_ARM_ABS32:
-@@ -1766,6 +1774,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
- case R_ARM_PC24:
- case R_ARM_CALL:
- case R_ARM_JUMP24:
-+ inst = TO_NATIVE(*(uint32_t *)loc);
-+ offset = sign_extend32((inst & 0x00ffffff) << 2, 25);
-+ r->r_addend = offset + sym->st_value + 8;
-+ break;
- case R_ARM_THM_CALL:
- case R_ARM_THM_JUMP24:
- case R_ARM_THM_JUMP19:
---
-2.39.2
-
+++ /dev/null
-From 0d510b44c12ef373d8102b1be1652f7e485f1bf7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 1 Jun 2023 21:09:55 +0900
-Subject: modpost: fix section mismatch message for R_ARM_ABS32
-
-From: Masahiro Yamada <masahiroy@kernel.org>
-
-[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ]
-
-addend_arm_rel() processes R_ARM_ABS32 in a wrong way.
-
-Here, test code.
-
- [test code 1]
-
- #include <linux/init.h>
-
- int __initdata foo;
- int get_foo(void) { return foo; }
-
-If you compile it with ARM versatile_defconfig, modpost will show the
-symbol name, (unknown).
-
- WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data)
-
-(You need to use GNU linker instead of LLD to reproduce it.)
-
-If you compile it for other architectures, modpost will show the correct
-symbol name.
-
- WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data)
-
-For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value.
-
-I just mimicked the code in arch/arm/kernel/module.c.
-
-However, there is more difficulty for ARM.
-
-Here, test code.
-
- [test code 2]
-
- #include <linux/init.h>
-
- int __initdata foo;
- int get_foo(void) { return foo; }
-
- int __initdata bar;
- int get_bar(void) { return bar; }
-
-With this commit applied, modpost will show the following messages
-for ARM versatile_defconfig:
-
- WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data)
- WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data)
-
-The reference from 'get_bar' to 'foo' seems wrong.
-
-I have no solution for this because it is true in assembly level.
-
-In the following output, relocation at 0x1c is no longer associated
-with 'bar'. The two relocation entries point to the same symbol, and
-the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'.
-
- Disassembly of section .text:
-
- 00000000 <get_foo>:
- 0: e59f3004 ldr r3, [pc, #4] @ c <get_foo+0xc>
- 4: e5930000 ldr r0, [r3]
- 8: e12fff1e bx lr
- c: 00000000 .word 0x00000000
-
- 00000010 <get_bar>:
- 10: e59f3004 ldr r3, [pc, #4] @ 1c <get_bar+0xc>
- 14: e5930004 ldr r0, [r3, #4]
- 18: e12fff1e bx lr
- 1c: 00000000 .word 0x00000000
-
- Relocation section '.rel.text' at offset 0x244 contains 2 entries:
- Offset Info Type Sym.Value Sym. Name
- 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data
- 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data
-
-When find_elf_symbol() gets into a situation where relsym->st_name is
-zero, there is no guarantee to get the symbol name as written in C.
-
-I am keeping the current logic because it is useful in many architectures,
-but the symbol name is not always correct depending on the optimization.
-I left some comments in find_tosym().
-
-Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
-Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- scripts/mod/modpost.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
-index 8c2847ef4e422..41b1791a9463b 100644
---- a/scripts/mod/modpost.c
-+++ b/scripts/mod/modpost.c
-@@ -1260,6 +1260,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
- if (relsym->st_name != 0)
- return relsym;
-
-+ /*
-+ * Strive to find a better symbol name, but the resulting name may not
-+ * match the symbol referenced in the original code.
-+ */
- relsym_secindex = get_secindex(elf, relsym);
- for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) {
- if (get_secindex(elf, sym) != relsym_secindex)
-@@ -1750,12 +1754,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
- static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
- {
- unsigned int r_typ = ELF_R_TYPE(r->r_info);
-+ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
-+ void *loc = reloc_location(elf, sechdr, r);
-+ uint32_t inst;
-
- switch (r_typ) {
- case R_ARM_ABS32:
-- /* From ARM ABI: (S + A) | T */
-- r->r_addend = (int)(long)
-- (elf->symtab_start + ELF_R_SYM(r->r_info));
-+ inst = TO_NATIVE(*(uint32_t *)loc);
-+ r->r_addend = inst + sym->st_value;
- break;
- case R_ARM_PC24:
- case R_ARM_CALL:
---
-2.39.2
-
+++ /dev/null
-From 7acd50017017a72aa1c54911c3e2fd8386dc3c3b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 5 Jun 2023 20:21:59 +0800
-Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add
-
-From: Zhong Jinghua <zhongjinghua@huawei.com>
-
-[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ]
-
-If the index allocated by idr_alloc greater than MINORMASK >> part_shift,
-the device number will overflow, resulting in failure to create a block
-device.
-
-Fix it by imiting the size of the max allocation.
-
-Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/block/nbd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 28024248a7b53..5a07964a1e676 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -1646,7 +1646,8 @@ static int nbd_dev_add(int index)
- if (err == -ENOSPC)
- err = -EEXIST;
- } else {
-- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL);
-+ err = idr_alloc(&nbd_index_idr, nbd, 0,
-+ (MINORMASK >> part_shift) + 1, GFP_KERNEL);
- if (err >= 0)
- index = err;
- }
---
-2.39.2
-
+++ /dev/null
-From 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 Mon Sep 17 00:00:00 2001
-From: Florian Fainelli <florian.fainelli@broadcom.com>
-Date: Thu, 22 Jun 2023 03:31:07 -0700
-Subject: net: bcmgenet: Ensure MDIO unregistration has clocks enabled
-
-From: Florian Fainelli <florian.fainelli@broadcom.com>
-
-commit 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 upstream.
-
-With support for Ethernet PHY LEDs having been added, while
-unregistering a MDIO bus and its child device liks PHYs there may be
-"late" accesses to the MDIO bus. One typical use case is setting the PHY
-LEDs brightness to OFF for instance.
-
-We need to ensure that the MDIO bus controller remains entirely
-functional since it runs off the main GENET adapter clock.
-
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/all/20230617155500.4005881-1-andrew@lunn.ch/
-Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver")
-Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Link: https://lore.kernel.org/r/20230622103107.1760280-1-florian.fainelli@broadcom.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
-+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
-@@ -620,5 +620,7 @@ void bcmgenet_mii_exit(struct net_device
- if (of_phy_is_fixed_link(dn))
- of_phy_deregister_fixed_link(dn);
- of_node_put(priv->phy_dn);
-+ clk_prepare_enable(priv->clk);
- platform_device_unregister(priv->mii_pdev);
-+ clk_disable_unprepare(priv->clk);
- }
+++ /dev/null
-From d66c29881b68da5523baa978e1c93d3e344ead2b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 30 Jun 2023 19:41:18 +0300
-Subject: net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
-
-From: Vladimir Oltean <vladimir.oltean@nxp.com>
-
-[ Upstream commit 6ca3c005d0604e8d2b439366e3923ea58db99641 ]
-
-According to the synchronization rules for .ndo_get_stats() as seen in
-Documentation/networking/netdevices.rst, acquiring a plain spin_lock()
-should not be illegal, but the bridge driver implementation makes it so.
-
-After running these commands, I am being faced with the following
-lockdep splat:
-
-$ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up
-$ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up
-$ ip link set macsec0 master br0 && ip link set macsec0 up
-
- ========================================================
- WARNING: possible irq lock inversion dependency detected
- 6.4.0-04295-g31b577b4bd4a #603 Not tainted
- --------------------------------------------------------
- swapper/1/0 just changed the state of lock:
- ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198
- but this lock took another, SOFTIRQ-unsafe lock in the past:
- (&ocelot->stats_lock){+.+.}-{3:3}
-
- and interrupts could create inverse lock ordering between them.
-
- other info that might help us debug this:
- Chain exists of:
- &br->lock --> &br->hash_lock --> &ocelot->stats_lock
-
- Possible interrupt unsafe locking scenario:
-
- CPU0 CPU1
- ---- ----
- lock(&ocelot->stats_lock);
- local_irq_disable();
- lock(&br->lock);
- lock(&br->hash_lock);
- <Interrupt>
- lock(&br->lock);
-
- *** DEADLOCK ***
-
-(details about the 3 locks skipped)
-
-swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this
-only matters to the extent that its .ndo_get_stats64() method calls
-spin_lock(&ocelot->stats_lock).
-
-Documentation/locking/lockdep-design.rst says:
-
-| A lock is irq-safe means it was ever used in an irq context, while a lock
-| is irq-unsafe means it was ever acquired with irq enabled.
-
-(...)
-
-| Furthermore, the following usage based lock dependencies are not allowed
-| between any two lock-classes::
-|
-| <hardirq-safe> -> <hardirq-unsafe>
-| <softirq-safe> -> <softirq-unsafe>
-
-Lockdep marks br->hash_lock as softirq-safe, because it is sometimes
-taken in softirq context (for example br_fdb_update() which runs in
-NET_RX softirq), and when it's not in softirq context it blocks softirqs
-by using spin_lock_bh().
-
-Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never
-blocks softirqs from running, and it is never taken from softirq
-context. So it can always be interrupted by softirqs.
-
-There is a call path through which a function that holds br->hash_lock:
-fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock:
-ocelot_port_get_stats64(). This can be seen below:
-
-ocelot_port_get_stats64+0x3c/0x1e0
-felix_get_stats64+0x20/0x38
-dsa_slave_get_stats64+0x3c/0x60
-dev_get_stats+0x74/0x2c8
-rtnl_fill_stats+0x4c/0x150
-rtnl_fill_ifinfo+0x5cc/0x7b8
-rtmsg_ifinfo_build_skb+0xe4/0x150
-rtmsg_ifinfo+0x5c/0xb0
-__dev_notify_flags+0x58/0x200
-__dev_set_promiscuity+0xa0/0x1f8
-dev_set_promiscuity+0x30/0x70
-macsec_dev_change_rx_flags+0x68/0x88
-__dev_set_promiscuity+0x1a8/0x1f8
-__dev_set_rx_mode+0x74/0xa8
-dev_uc_add+0x74/0xa0
-fdb_add_hw_addr+0x68/0xd8
-fdb_add_local+0xc4/0x110
-br_fdb_add_local+0x54/0x88
-br_add_if+0x338/0x4a0
-br_add_slave+0x20/0x38
-do_setlink+0x3a4/0xcb8
-rtnl_newlink+0x758/0x9d0
-rtnetlink_rcv_msg+0x2f0/0x550
-netlink_rcv_skb+0x128/0x148
-rtnetlink_rcv+0x24/0x38
-
-the plain English explanation for it is:
-
-The macsec0 bridge port is created without p->flags & BR_PROMISC,
-because it is what br_manage_promisc() decides for a VLAN filtering
-bridge with a single auto port.
-
-As part of the br_add_if() procedure, br_fdb_add_local() is called for
-the MAC address of the device, and this results in a call to
-dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken.
-
-Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up
-calling __dev_set_promiscuity() for macsec0, which is propagated by its
-implementation, macsec_dev_change_rx_flags(), to the lower device: swp0.
-This triggers the call path:
-
-dev_set_promiscuity(swp0)
--> rtmsg_ifinfo()
- -> dev_get_stats()
- -> ocelot_port_get_stats64()
-
-with a calling context that lockdep doesn't like (br->hash_lock held).
-
-Normally we don't see this, because even though many drivers that can be
-bridge ports don't support IFF_UNICAST_FLT, we need a driver that
-
-(a) doesn't support IFF_UNICAST_FLT, *and*
-(b) it forwards the IFF_PROMISC flag to another driver, and
-(c) *that* driver implements ndo_get_stats64() using a softirq-unsafe
- spinlock.
-
-Condition (b) is necessary because the first __dev_set_rx_mode() calls
-__dev_set_promiscuity() with "bool notify=false", and thus, the
-rtmsg_ifinfo() code path won't be entered.
-
-The same criteria also hold true for DSA switches which don't report
-IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its
-ndo_get_stats64() method, the same lockdep splat can be seen.
-
-I think the deadlock possibility is real, even though I didn't reproduce
-it, and I'm thinking of the following situation to support that claim:
-
-fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally
-disabled and br->hash_lock held, and may end up attempting to acquire
-ocelot->stats_lock.
-
-In parallel, ocelot->stats_lock is currently held by a thread B (say,
-ocelot_check_stats_work()), which is interrupted while holding it by a
-softirq which attempts to lock br->hash_lock.
-
-Thread B cannot make progress because br->hash_lock is held by A. Whereas
-thread A cannot make progress because ocelot->stats_lock is held by B.
-
-When taking the issue at face value, the bridge can avoid that problem
-by simply making the ports promiscuous from a code path with a saner
-calling context (br->hash_lock not held). A bridge port without
-IFF_UNICAST_FLT is going to become promiscuous as soon as we call
-dev_uc_add() on it (which we do unconditionally), so why not be
-preemptive and make it promiscuous right from the beginning, so as to
-not be taken by surprise.
-
-With this, we've broken the links between code that holds br->hash_lock
-or br->lock and code that calls into the ndo_change_rx_flags() or
-ndo_get_stats64() ops of the bridge port.
-
-Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.")
-Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
-Reviewed-by: Ido Schimmel <idosch@nvidia.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bridge/br_if.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
-index b5fb2b682e191..ab539551b7d39 100644
---- a/net/bridge/br_if.c
-+++ b/net/bridge/br_if.c
-@@ -161,8 +161,9 @@ void br_manage_promisc(struct net_bridge *br)
- * This lets us disable promiscuous mode and write
- * this config to hw.
- */
-- if (br->auto_cnt == 0 ||
-- (br->auto_cnt == 1 && br_auto_port(p)))
-+ if ((p->dev->priv_flags & IFF_UNICAST_FLT) &&
-+ (br->auto_cnt == 0 ||
-+ (br->auto_cnt == 1 && br_auto_port(p))))
- br_port_clear_promisc(p);
- else
- br_port_set_promisc(p);
---
-2.39.2
-
+++ /dev/null
-From e30a64ceb7b11cf6fcd324236f5de49d836f811d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 2 Sep 2021 11:10:37 -0700
-Subject: net: create netdev->dev_addr assignment helpers
-
-From: Jakub Kicinski <kuba@kernel.org>
-
-[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ]
-
-Recent work on converting address list to a tree made it obvious
-we need an abstraction around writing netdev->dev_addr. Without
-such abstraction updating the main device address is invisible
-to the core.
-
-Introduce a number of helpers which for now just wrap memcpy()
-but in the future can make necessary changes to the address
-tree.
-
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/etherdevice.h | 12 ++++++++++++
- include/linux/netdevice.h | 18 ++++++++++++++++++
- 2 files changed, 30 insertions(+)
-
-diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h
-index e1e9eff096d05..2932a40060c1d 100644
---- a/include/linux/etherdevice.h
-+++ b/include/linux/etherdevice.h
-@@ -291,6 +291,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src)
- #endif
- }
-
-+/**
-+ * eth_hw_addr_set - Assign Ethernet address to a net_device
-+ * @dev: pointer to net_device structure
-+ * @addr: address to assign
-+ *
-+ * Assign given address to the net_device, addr_assign_type is not changed.
-+ */
-+static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr)
-+{
-+ ether_addr_copy(dev->dev_addr, addr);
-+}
-+
- /**
- * eth_hw_addr_inherit - Copy dev_addr from another net_device
- * @dst: pointer to net_device to copy dev_addr to
-diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
-index 90827d85265b0..7e9df3854420a 100644
---- a/include/linux/netdevice.h
-+++ b/include/linux/netdevice.h
-@@ -4079,6 +4079,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list,
- void __hw_addr_init(struct netdev_hw_addr_list *list);
-
- /* Functions used for device addresses handling */
-+static inline void
-+__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len)
-+{
-+ memcpy(dev->dev_addr, addr, len);
-+}
-+
-+static inline void dev_addr_set(struct net_device *dev, const u8 *addr)
-+{
-+ __dev_addr_set(dev, addr, dev->addr_len);
-+}
-+
-+static inline void
-+dev_addr_mod(struct net_device *dev, unsigned int offset,
-+ const u8 *addr, size_t len)
-+{
-+ memcpy(&dev->dev_addr[offset], addr, len);
-+}
-+
- int dev_addr_add(struct net_device *dev, const unsigned char *addr,
- unsigned char addr_type);
- int dev_addr_del(struct net_device *dev, const unsigned char *addr,
---
-2.39.2
-
+++ /dev/null
-From 4b1ceed57aa791f16d3264dae3b1a75703df6675 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 12 Jul 2023 16:36:57 +0530
-Subject: net: ethernet: ti: cpsw_ale: Fix
- cpsw_ale_get_field()/cpsw_ale_set_field()
-
-From: Tanmay Patil <t-patil@ti.com>
-
-[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ]
-
-CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words.
-The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the
-field will be strictly contained within one word. However, this is not
-guaranteed to be the case and it is possible for ALE field entries to span
-across up to two words at the most.
-
-Fix the methods to handle getting/setting fields spanning up to two words.
-
-Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support")
-Signed-off-by: Tanmay Patil <t-patil@ti.com>
-[s-vadapalli@ti.com: rephrased commit message and added Fixes tag]
-Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++-----
- 1 file changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c
-index c245629a38c76..6cb98760bc84e 100644
---- a/drivers/net/ethernet/ti/cpsw_ale.c
-+++ b/drivers/net/ethernet/ti/cpsw_ale.c
-@@ -67,23 +67,37 @@
-
- static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits)
- {
-- int idx;
-+ int idx, idx2;
-+ u32 hi_val = 0;
-
- idx = start / 32;
-+ idx2 = (start + bits - 1) / 32;
-+ /* Check if bits to be fetched exceed a word */
-+ if (idx != idx2) {
-+ idx2 = 2 - idx2; /* flip */
-+ hi_val = ale_entry[idx2] << ((idx2 * 32) - start);
-+ }
- start -= idx * 32;
- idx = 2 - idx; /* flip */
-- return (ale_entry[idx] >> start) & BITMASK(bits);
-+ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits);
- }
-
- static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits,
- u32 value)
- {
-- int idx;
-+ int idx, idx2;
-
- value &= BITMASK(bits);
-- idx = start / 32;
-+ idx = start / 32;
-+ idx2 = (start + bits - 1) / 32;
-+ /* Check if bits to be set exceed a word */
-+ if (idx != idx2) {
-+ idx2 = 2 - idx2; /* flip */
-+ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32)));
-+ ale_entry[idx2] |= (value >> ((idx2 * 32) - start));
-+ }
- start -= idx * 32;
-- idx = 2 - idx; /* flip */
-+ idx = 2 - idx; /* flip */
- ale_entry[idx] &= ~(BITMASK(bits) << start);
- ale_entry[idx] |= (value << start);
- }
---
-2.39.2
-
+++ /dev/null
-From 4f1ea261d5545d222edbe3ee226f6423f76ff7e5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 17 Jul 2023 22:45:19 +0800
-Subject: net:ipv6: check return value of pskb_trim()
-
-From: Yuanjun Gong <ruc_gongyuanjun@163.com>
-
-[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ]
-
-goto tx_err if an unexpected result is returned by pskb_tirm()
-in ip6erspan_tunnel_xmit().
-
-Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support")
-Signed-off-by: Yuanjun Gong <ruc_gongyuanjun@163.com>
-Reviewed-by: David Ahern <dsahern@kernel.org>
-Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/ip6_gre.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index 45c304b51b2b7..aa8ada354a399 100644
---- a/net/ipv6/ip6_gre.c
-+++ b/net/ipv6/ip6_gre.c
-@@ -960,7 +960,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
- goto tx_err;
-
- if (skb->len > dev->mtu + dev->hard_header_len) {
-- pskb_trim(skb, dev->mtu + dev->hard_header_len);
-+ if (pskb_trim(skb, dev->mtu + dev->hard_header_len))
-+ goto tx_err;
- truncate = true;
- }
-
---
-2.39.2
-
+++ /dev/null
-From 7a8227b2e76be506b2ac64d2beac950ca04892a5 Mon Sep 17 00:00:00 2001
-From: Moritz Fischer <moritzf@google.com>
-Date: Tue, 27 Jun 2023 03:50:00 +0000
-Subject: net: lan743x: Don't sleep in atomic context
-
-From: Moritz Fischer <moritzf@google.com>
-
-commit 7a8227b2e76be506b2ac64d2beac950ca04892a5 upstream.
-
-dev_set_rx_mode() grabs a spin_lock, and the lan743x implementation
-proceeds subsequently to go to sleep using readx_poll_timeout().
-
-Introduce a helper wrapping the readx_poll_timeout_atomic() function
-and use it to replace the calls to readx_polL_timeout().
-
-Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
-Cc: stable@vger.kernel.org
-Cc: Bryan Whitehead <bryan.whitehead@microchip.com>
-Cc: UNGLinuxDriver@microchip.com
-Signed-off-by: Moritz Fischer <moritzf@google.com>
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Link: https://lore.kernel.org/r/20230627035000.1295254-1-moritzf@google.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/net/ethernet/microchip/lan743x_main.c | 21 +++++++++++++++++----
- 1 file changed, 17 insertions(+), 4 deletions(-)
-
---- a/drivers/net/ethernet/microchip/lan743x_main.c
-+++ b/drivers/net/ethernet/microchip/lan743x_main.c
-@@ -80,6 +80,18 @@ static int lan743x_csr_light_reset(struc
- !(data & HW_CFG_LRST_), 100000, 10000000);
- }
-
-+static int lan743x_csr_wait_for_bit_atomic(struct lan743x_adapter *adapter,
-+ int offset, u32 bit_mask,
-+ int target_value, int udelay_min,
-+ int udelay_max, int count)
-+{
-+ u32 data;
-+
-+ return readx_poll_timeout_atomic(LAN743X_CSR_READ_OP, offset, data,
-+ target_value == !!(data & bit_mask),
-+ udelay_max, udelay_min * count);
-+}
-+
- static int lan743x_csr_wait_for_bit(struct lan743x_adapter *adapter,
- int offset, u32 bit_mask,
- int target_value, int usleep_min,
-@@ -675,8 +687,8 @@ static int lan743x_dp_write(struct lan74
- u32 dp_sel;
- int i;
-
-- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_,
-- 1, 40, 100, 100))
-+ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, DP_SEL_DPRDY_,
-+ 1, 40, 100, 100))
- return -EIO;
- dp_sel = lan743x_csr_read(adapter, DP_SEL);
- dp_sel &= ~DP_SEL_MASK_;
-@@ -687,8 +699,9 @@ static int lan743x_dp_write(struct lan74
- lan743x_csr_write(adapter, DP_ADDR, addr + i);
- lan743x_csr_write(adapter, DP_DATA_0, buf[i]);
- lan743x_csr_write(adapter, DP_CMD, DP_CMD_WRITE_);
-- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_,
-- 1, 40, 100, 100))
-+ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL,
-+ DP_SEL_DPRDY_,
-+ 1, 40, 100, 100))
- return -EIO;
- }
-
+++ /dev/null
-From f9e8a622e20536ae06e72b75b9d71051521991fb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 5 Jul 2023 07:37:12 +0200
-Subject: net: mvneta: fix txq_map in case of txq_number==1
-
-From: Klaus Kudielka <klaus.kudielka@gmail.com>
-
-[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ]
-
-If we boot with mvneta.txq_number=1, the txq_map is set incorrectly:
-MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is
-initialized. Fix this.
-
-Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support")
-Signed-off-by: Klaus Kudielka <klaus.kudielka@gmail.com>
-Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
-Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ethernet/marvell/mvneta.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
-index f1a4b11ce0d19..512f9cd68070a 100644
---- a/drivers/net/ethernet/marvell/mvneta.c
-+++ b/drivers/net/ethernet/marvell/mvneta.c
-@@ -1415,7 +1415,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp)
- */
- if (txq_number == 1)
- txq_map = (cpu == pp->rxq_def) ?
-- MVNETA_CPU_TXQ_ACCESS(1) : 0;
-+ MVNETA_CPU_TXQ_ACCESS(0) : 0;
-
- } else {
- txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK;
-@@ -3665,7 +3665,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
- */
- if (txq_number == 1)
- txq_map = (cpu == elected_cpu) ?
-- MVNETA_CPU_TXQ_ACCESS(1) : 0;
-+ MVNETA_CPU_TXQ_ACCESS(0) : 0;
- else
- txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) &
- MVNETA_CPU_TXQ_ACCESS_ALL_MASK;
---
-2.39.2
-
+++ /dev/null
-From b1ff776eeefc168d9e591f6d3c7d58f3c7ac80f8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 24 Apr 2020 16:06:16 +0800
-Subject: net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX
-
-From: Cambda Zhu <cambda@linux.alibaba.com>
-
-[ Upstream commit f0628c524fd188c3f9418e12478dfdfadacba815 ]
-
-This patch changes the behavior of TCP_LINGER2 about its limit. The
-sysctl_tcp_fin_timeout used to be the limit of TCP_LINGER2 but now it's
-only the default value. A new macro named TCP_FIN_TIMEOUT_MAX is added
-as the limit of TCP_LINGER2, which is 2 minutes.
-
-Since TCP_LINGER2 used sysctl_tcp_fin_timeout as the default value
-and the limit in the past, the system administrator cannot set the
-default value for most of sockets and let some sockets have a greater
-timeout. It might be a mistake that let the sysctl to be the limit of
-the TCP_LINGER2. Maybe we can add a new sysctl to set the max of
-TCP_LINGER2, but FIN-WAIT-2 timeout is usually no need to be too long
-and 2 minutes are legal considering TCP specs.
-
-Changes in v3:
-- Remove the new socket option and change the TCP_LINGER2 behavior so
- that the timeout can be set to value between sysctl_tcp_fin_timeout
- and 2 minutes.
-
-Changes in v2:
-- Add int overflow check for the new socket option.
-
-Changes in v1:
-- Add a new socket option to set timeout greater than
- sysctl_tcp_fin_timeout.
-
-Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Stable-dep-of: 9df5335ca974 ("tcp: annotate data-races around tp->linger2")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/tcp.h | 1 +
- net/ipv4/tcp.c | 4 ++--
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 81300a04b5808..22cca858f2678 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -128,6 +128,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
- * to combine FIN-WAIT-2 timeout with
- * TIME-WAIT timer.
- */
-+#define TCP_FIN_TIMEOUT_MAX (120 * HZ) /* max TCP_LINGER2 value (two minutes) */
-
- #define TCP_DELACK_MAX ((unsigned)(HZ/5)) /* maximal time to delay before sending an ACK */
- #if HZ >= 100
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index cb96775fc86f6..9f3cdcbbb7590 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3001,8 +3001,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
- case TCP_LINGER2:
- if (val < 0)
- tp->linger2 = -1;
-- else if (val > net->ipv4.sysctl_tcp_fin_timeout / HZ)
-- tp->linger2 = 0;
-+ else if (val > TCP_FIN_TIMEOUT_MAX / HZ)
-+ tp->linger2 = TCP_FIN_TIMEOUT_MAX;
- else
- tp->linger2 = val * HZ;
- break;
---
-2.39.2
-
+++ /dev/null
-From df9234bee325290818da8d5735cbfcf37bb2115b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 3 Jul 2023 19:08:42 +0800
-Subject: net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
-
-From: Lin Ma <linma@zju.edu.cn>
-
-[ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ]
-
-The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and
-one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is
-smaller than the intended sizeof(struct tc_pedit). Hence, the
-dereference in tcf_pedit_init() could access dirty heap data.
-
-static int tcf_pedit_init(...)
-{
- // ...
- pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included
- if (!pattr)
- pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not
-
- // ...
- parm = nla_data(pattr);
-
- index = parm->index; // parm is able to be smaller than 4 bytes
- // and this dereference gets dirty skb_buff
- // data created in netlink_sendmsg
-}
-
-This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid
-the above case, just like the TCA_PEDIT_PARMS.
-
-Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
-Signed-off-by: Lin Ma <linma@zju.edu.cn>
-Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
-Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/sched/act_pedit.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
-index aeb8f84cbd9e2..255d4ecf62522 100644
---- a/net/sched/act_pedit.c
-+++ b/net/sched/act_pedit.c
-@@ -29,6 +29,7 @@ static struct tc_action_ops act_pedit_ops;
-
- static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = {
- [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) },
-+ [TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) },
- [TCA_PEDIT_KEYS_EX] = { .type = NLA_NESTED },
- };
-
---
-2.39.2
-
+++ /dev/null
-From 19bfe7281d835cff53c41f2059bbd4222c112960 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 10 Jul 2023 23:16:34 -0300
-Subject: net/sched: make psched_mtu() RTNL-less safe
-
-From: Pedro Tammela <pctammela@mojatatu.com>
-
-[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ]
-
-Eric Dumazet says[1]:
--------
-Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it
-without holding RTNL, so dev->mtu can be changed underneath.
-KCSAN could issue a warning.
--------
-
-Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning.
-
-[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/
-
-v1 -> v2: Fix commit message
-
-Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
-Suggested-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/pkt_sched.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
-index e09ea6917c061..83a16f3bd6e6a 100644
---- a/include/net/pkt_sched.h
-+++ b/include/net/pkt_sched.h
-@@ -131,7 +131,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
- */
- static inline unsigned int psched_mtu(const struct net_device *dev)
- {
-- return dev->mtu + dev->hard_header_len;
-+ return READ_ONCE(dev->mtu) + dev->hard_header_len;
- }
-
- static inline struct net *qdisc_net(struct Qdisc *q)
---
-2.39.2
-
+++ /dev/null
-From pablo@netfilter.org Wed Jul 5 18:55:24 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:10 +0200
-Subject: netfilter: add helper function to set up the nfnetlink header and use it
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-5-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 19c28b1374fb1073a9ec873a6c10bf5f16b10b9d ]
-
-This patch adds a helper function to set up the netlink and nfnetlink headers.
-Update existing codebase to use it.
-
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/netfilter/nfnetlink.h | 27 +++++++++
- net/netfilter/ipset/ip_set_core.c | 17 +----
- net/netfilter/nf_conntrack_netlink.c | 77 +++++++-------------------
- net/netfilter/nf_tables_api.c | 102 +++++++++--------------------------
- net/netfilter/nf_tables_trace.c | 9 ---
- net/netfilter/nfnetlink_acct.c | 11 +--
- net/netfilter/nfnetlink_cthelper.c | 11 +--
- net/netfilter/nfnetlink_cttimeout.c | 22 ++-----
- net/netfilter/nfnetlink_log.c | 11 +--
- net/netfilter/nfnetlink_queue.c | 12 +---
- net/netfilter/nft_compat.c | 11 +--
- 11 files changed, 102 insertions(+), 208 deletions(-)
-
---- a/include/linux/netfilter/nfnetlink.h
-+++ b/include/linux/netfilter/nfnetlink.h
-@@ -49,6 +49,33 @@ static inline u16 nfnl_msg_type(u8 subsy
- return subsys << 8 | msg_type;
- }
-
-+static inline void nfnl_fill_hdr(struct nlmsghdr *nlh, u8 family, u8 version,
-+ __be16 res_id)
-+{
-+ struct nfgenmsg *nfmsg;
-+
-+ nfmsg = nlmsg_data(nlh);
-+ nfmsg->nfgen_family = family;
-+ nfmsg->version = version;
-+ nfmsg->res_id = res_id;
-+}
-+
-+static inline struct nlmsghdr *nfnl_msg_put(struct sk_buff *skb, u32 portid,
-+ u32 seq, int type, int flags,
-+ u8 family, u8 version,
-+ __be16 res_id)
-+{
-+ struct nlmsghdr *nlh;
-+
-+ nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
-+ if (!nlh)
-+ return NULL;
-+
-+ nfnl_fill_hdr(nlh, family, version, res_id);
-+
-+ return nlh;
-+}
-+
- void nfnl_lock(__u8 subsys_id);
- void nfnl_unlock(__u8 subsys_id);
- #ifdef CONFIG_PROVE_LOCKING
---- a/net/netfilter/ipset/ip_set_core.c
-+++ b/net/netfilter/ipset/ip_set_core.c
-@@ -791,20 +791,9 @@ static struct nlmsghdr *
- start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags,
- enum ipset_cmd cmd)
- {
-- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
--
-- nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd),
-- sizeof(*nfmsg), flags);
-- if (!nlh)
-- return NULL;
--
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = NFPROTO_IPV4;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
-- return nlh;
-+ return nfnl_msg_put(skb, portid, seq,
-+ nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), flags,
-+ NFPROTO_IPV4, NFNETLINK_V0, 0);
- }
-
- /* Create a set */
---- a/net/netfilter/nf_conntrack_netlink.c
-+++ b/net/netfilter/nf_conntrack_netlink.c
-@@ -517,20 +517,15 @@ ctnetlink_fill_info(struct sk_buff *skb,
- {
- const struct nf_conntrack_zone *zone;
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- struct nlattr *nest_parms;
- unsigned int flags = portid ? NLM_F_MULTI : 0, event;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct),
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = nf_ct_l3num(ct);
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- zone = nf_ct_zone(ct);
-
- nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
-@@ -687,7 +682,6 @@ ctnetlink_conntrack_event(unsigned int e
- const struct nf_conntrack_zone *zone;
- struct net *net;
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- struct nlattr *nest_parms;
- struct nf_conn *ct = item->ct;
- struct sk_buff *skb;
-@@ -717,15 +711,11 @@ ctnetlink_conntrack_event(unsigned int e
- goto errout;
-
- type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
-- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct),
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = nf_ct_l3num(ct);
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- zone = nf_ct_zone(ct);
-
- nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
-@@ -2170,20 +2160,15 @@ ctnetlink_ct_stat_cpu_fill_info(struct s
- __u16 cpu, const struct ip_conntrack_stat *st)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0, event;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
- IPCTNL_MSG_CT_GET_STATS_CPU);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, htons(cpu));
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(cpu);
--
- if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
- nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
- nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
-@@ -2254,20 +2239,15 @@ ctnetlink_stat_ct_fill_info(struct sk_bu
- struct net *net)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0, event;
- unsigned int nr_conntracks = atomic_read(&net->ct.count);
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
- goto nla_put_failure;
-
-@@ -2780,19 +2760,14 @@ ctnetlink_exp_fill_info(struct sk_buff *
- int event, const struct nf_conntrack_expect *exp)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags,
-+ exp->tuple.src.l3num, NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = exp->tuple.src.l3num;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (ctnetlink_exp_dump_expect(skb, exp) < 0)
- goto nla_put_failure;
-
-@@ -2812,7 +2787,6 @@ ctnetlink_expect_event(unsigned int even
- struct nf_conntrack_expect *exp = item->exp;
- struct net *net = nf_ct_exp_net(exp);
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- struct sk_buff *skb;
- unsigned int type, group;
- int flags = 0;
-@@ -2835,15 +2809,11 @@ ctnetlink_expect_event(unsigned int even
- goto errout;
-
- type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
-- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags,
-+ exp->tuple.src.l3num, NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = exp->tuple.src.l3num;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (ctnetlink_exp_dump_expect(skb, exp) < 0)
- goto nla_put_failure;
-
-@@ -3413,20 +3383,15 @@ ctnetlink_exp_stat_fill_info(struct sk_b
- const struct ip_conntrack_stat *st)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0, event;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
- IPCTNL_MSG_EXP_GET_STATS_CPU);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, htons(cpu));
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(cpu);
--
- if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
- nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
- nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -578,18 +578,13 @@ static int nf_tables_fill_table_info(str
- int family, const struct nft_table *table)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
-+ NFNETLINK_V0, nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
- nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
- nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
-@@ -1213,18 +1208,13 @@ static int nf_tables_fill_chain_info(str
- const struct nft_chain *chain)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
-+ NFNETLINK_V0, nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
- goto nla_put_failure;
- if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
-@@ -2257,21 +2247,16 @@ static int nf_tables_fill_rule_info(stru
- const struct nft_rule *rule)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- const struct nft_expr *expr, *next;
- struct nlattr *list;
- const struct nft_rule *prule;
- u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-
-- nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
-+ nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
- goto nla_put_failure;
- if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
-@@ -3166,23 +3151,17 @@ static __be64 nf_jiffies64_to_msecs(u64
- static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
- const struct nft_set *set, u16 event, u16 flags)
- {
-- struct nfgenmsg *nfmsg;
- struct nlmsghdr *nlh;
- struct nlattr *desc;
- u32 portid = ctx->portid;
- u32 seq = ctx->seq;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
-- flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
-+ NFNETLINK_V0, nft_base_seq(ctx->net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = ctx->family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(ctx->net);
--
- if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
- goto nla_put_failure;
- if (nla_put_string(skb, NFTA_SET_NAME, set->name))
-@@ -3996,7 +3975,6 @@ static int nf_tables_dump_set(struct sk_
- struct nft_set *set;
- struct nft_set_dump_args args;
- bool set_found = false;
-- struct nfgenmsg *nfmsg;
- struct nlmsghdr *nlh;
- struct nlattr *nest;
- u32 portid, seq;
-@@ -4029,16 +4007,11 @@ static int nf_tables_dump_set(struct sk_
- portid = NETLINK_CB(cb->skb).portid;
- seq = cb->nlh->nlmsg_seq;
-
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
-- NLM_F_MULTI);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
-+ table->family, NFNETLINK_V0, nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = table->family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
- goto nla_put_failure;
- if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
-@@ -4095,22 +4068,16 @@ static int nf_tables_fill_setelem_info(s
- const struct nft_set *set,
- const struct nft_set_elem *elem)
- {
-- struct nfgenmsg *nfmsg;
- struct nlmsghdr *nlh;
- struct nlattr *nest;
- int err;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
-- flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
-+ NFNETLINK_V0, nft_base_seq(ctx->net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = ctx->family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(ctx->net);
--
- if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
- goto nla_put_failure;
- if (nla_put_string(skb, NFTA_SET_NAME, set->name))
-@@ -5146,19 +5113,14 @@ static int nf_tables_fill_obj_info(struc
- int family, const struct nft_table *table,
- struct nft_object *obj, bool reset)
- {
-- struct nfgenmsg *nfmsg;
- struct nlmsghdr *nlh;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
-+ NFNETLINK_V0, nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
- nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
- nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
-@@ -5806,20 +5768,15 @@ static int nf_tables_fill_flowtable_info
- struct nft_flowtable *flowtable)
- {
- struct nlattr *nest, *nest_devs;
-- struct nfgenmsg *nfmsg;
- struct nlmsghdr *nlh;
- int i;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
-+ NFNETLINK_V0, nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
- nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
- nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
-@@ -6045,19 +6002,14 @@ static int nf_tables_fill_gen_info(struc
- u32 portid, u32 seq)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- char buf[TASK_COMM_LEN];
- int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
-
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
-+ NFNETLINK_V0, nft_base_seq(net));
-+ if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = nft_base_seq(net);
--
- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
- nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
- nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
---- a/net/netfilter/nf_tables_trace.c
-+++ b/net/netfilter/nf_tables_trace.c
-@@ -186,7 +186,6 @@ static bool nft_trace_have_verdict_chain
- void nft_trace_notify(struct nft_traceinfo *info)
- {
- const struct nft_pktinfo *pkt = info->pkt;
-- struct nfgenmsg *nfmsg;
- struct nlmsghdr *nlh;
- struct sk_buff *skb;
- unsigned int size;
-@@ -222,15 +221,11 @@ void nft_trace_notify(struct nft_tracein
- return;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_TRACE);
-- nlh = nlmsg_put(skb, 0, 0, event, sizeof(struct nfgenmsg), 0);
-+ nlh = nfnl_msg_put(skb, 0, 0, event, 0, info->basechain->type->family,
-+ NFNETLINK_V0, 0);
- if (!nlh)
- goto nla_put_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = info->basechain->type->family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt))))
- goto nla_put_failure;
-
---- a/net/netfilter/nfnetlink_acct.c
-+++ b/net/netfilter/nfnetlink_acct.c
-@@ -135,21 +135,16 @@ nfnl_acct_fill_info(struct sk_buff *skb,
- int event, struct nf_acct *acct)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0;
- u64 pkts, bytes;
- u32 old_flags;
-
- event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_string(skb, NFACCT_NAME, acct->name))
- goto nla_put_failure;
-
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -532,20 +532,15 @@ nfnl_cthelper_fill_info(struct sk_buff *
- int event, struct nf_conntrack_helper *helper)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0;
- int status;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTHELPER, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_string(skb, NFCTH_NAME, helper->name))
- goto nla_put_failure;
-
---- a/net/netfilter/nfnetlink_cttimeout.c
-+++ b/net/netfilter/nfnetlink_cttimeout.c
-@@ -164,20 +164,15 @@ ctnl_timeout_fill_info(struct sk_buff *s
- int event, struct ctnl_timeout *timeout)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0;
- const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) ||
- nla_put_be16(skb, CTA_TIMEOUT_L3PROTO,
- htons(timeout->timeout.l3num)) ||
-@@ -396,19 +391,14 @@ cttimeout_default_fill_info(struct net *
- const unsigned int *timeouts)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0;
-
- event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = AF_UNSPEC;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l4proto->l3proto)) ||
- nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto))
- goto nla_put_failure;
---- a/net/netfilter/nfnetlink_log.c
-+++ b/net/netfilter/nfnetlink_log.c
-@@ -404,20 +404,15 @@ __build_packet_message(struct nfnl_log_n
- {
- struct nfulnl_msg_packet_hdr pmsg;
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- sk_buff_data_t old_tail = inst->skb->tail;
- struct sock *sk;
- const unsigned char *hwhdrp;
-
-- nlh = nlmsg_put(inst->skb, 0, 0,
-- nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET),
-- sizeof(struct nfgenmsg), 0);
-+ nlh = nfnl_msg_put(inst->skb, 0, 0,
-+ nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET),
-+ 0, pf, NFNETLINK_V0, htons(inst->group_num));
- if (!nlh)
- return -1;
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = pf;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(inst->group_num);
-
- memset(&pmsg, 0, sizeof(pmsg));
- pmsg.hw_protocol = skb->protocol;
---- a/net/netfilter/nfnetlink_queue.c
-+++ b/net/netfilter/nfnetlink_queue.c
-@@ -387,7 +387,6 @@ nfqnl_build_packet_message(struct net *n
- struct nlattr *nla;
- struct nfqnl_msg_packet_hdr *pmsg;
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- struct sk_buff *entskb = entry->skb;
- struct net_device *indev;
- struct net_device *outdev;
-@@ -473,18 +472,15 @@ nfqnl_build_packet_message(struct net *n
- goto nlmsg_failure;
- }
-
-- nlh = nlmsg_put(skb, 0, 0,
-- nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET),
-- sizeof(struct nfgenmsg), 0);
-+ nlh = nfnl_msg_put(skb, 0, 0,
-+ nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET),
-+ 0, entry->state.pf, NFNETLINK_V0,
-+ htons(queue->queue_num));
- if (!nlh) {
- skb_tx_error(entskb);
- kfree_skb(skb);
- goto nlmsg_failure;
- }
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = entry->state.pf;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(queue->queue_num);
-
- nla = __nla_reserve(skb, NFQA_PACKET_HDR, sizeof(*pmsg));
- pmsg = nla_data(nla);
---- a/net/netfilter/nft_compat.c
-+++ b/net/netfilter/nft_compat.c
-@@ -575,19 +575,14 @@ nfnl_compat_fill_info(struct sk_buff *sk
- int rev, int target)
- {
- struct nlmsghdr *nlh;
-- struct nfgenmsg *nfmsg;
- unsigned int flags = portid ? NLM_F_MULTI : 0;
-
- event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event);
-- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
-- if (nlh == NULL)
-+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
-+ NFNETLINK_V0, 0);
-+ if (!nlh)
- goto nlmsg_failure;
-
-- nfmsg = nlmsg_data(nlh);
-- nfmsg->nfgen_family = family;
-- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = 0;
--
- if (nla_put_string(skb, NFTA_COMPAT_NAME, name) ||
- nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) ||
- nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target)))
+++ /dev/null
-From 6eef7a2b933885a17679eb8ed0796ddf0ee5309b Mon Sep 17 00:00:00 2001
-From: Florent Revest <revest@chromium.org>
-Date: Mon, 3 Jul 2023 16:52:16 +0200
-Subject: netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
-
-From: Florent Revest <revest@chromium.org>
-
-commit 6eef7a2b933885a17679eb8ed0796ddf0ee5309b upstream.
-
-If nf_conntrack_init_start() fails (for example due to a
-register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
-clean-up path frees the nf_ct_helper_hash map.
-
-When built with NF_CONNTRACK=y, further netfilter modules (e.g:
-netfilter_conntrack_ftp) can still be loaded and call
-nf_conntrack_helpers_register(), independently of whether nf_conntrack
-initialized correctly. This accesses the nf_ct_helper_hash dangling
-pointer and causes a uaf, possibly leading to random memory corruption.
-
-This patch guards nf_conntrack_helper_register() from accessing a freed
-or uninitialized nf_ct_helper_hash pointer and fixes possible
-uses-after-free when loading a conntrack module.
-
-Cc: stable@vger.kernel.org
-Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
-Signed-off-by: Florent Revest <revest@chromium.org>
-Reviewed-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_conntrack_helper.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/netfilter/nf_conntrack_helper.c
-+++ b/net/netfilter/nf_conntrack_helper.c
-@@ -400,6 +400,9 @@ int nf_conntrack_helper_register(struct
- BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
- BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
-
-+ if (!nf_ct_helper_hash)
-+ return -ENOENT;
-+
- if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
- return -EINVAL;
-
-@@ -570,4 +573,5 @@ void nf_conntrack_helper_fini(void)
- {
- nf_ct_extend_unregister(&helper_extend);
- kvfree(nf_ct_helper_hash);
-+ nf_ct_helper_hash = NULL;
- }
+++ /dev/null
-From c40874c71ae6f5e26f1958101a5a7dd1d049899f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 23 Jun 2023 11:23:46 +0000
-Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
- return value.
-
-From: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
-
-[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
-
-ct_sip_parse_numerical_param() returns only 0 or 1 now.
-But process_register_request() and process_register_response() imply
-checking for a negative value if parsing of a numerical header parameter
-failed.
-The invocation in nf_nat_sip() looks correct:
- if (ct_sip_parse_numerical_param(...) > 0 &&
- ...) { ... }
-
-Make the return value of the function ct_sip_parse_numerical_param()
-a tristate to fix all the cases
-a) return 1 if value is found; *val is set
-b) return 0 if value is not found; *val is unchanged
-c) return -1 on error; *val is undefined
-
-Found by InfoTeCS on behalf of Linux Verification Center
-(linuxtesting.org) with SVACE.
-
-Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
-Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Reviewed-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/netfilter/nf_conntrack_sip.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
-index 046f118dea06b..d16aa43ebd4d6 100644
---- a/net/netfilter/nf_conntrack_sip.c
-+++ b/net/netfilter/nf_conntrack_sip.c
-@@ -605,7 +605,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
- start += strlen(name);
- *val = simple_strtoul(start, &end, 0);
- if (start == end)
-- return 0;
-+ return -1;
- if (matchoff && matchlen) {
- *matchoff = start - dptr;
- *matchlen = end - start;
---
-2.39.2
-
+++ /dev/null
-From stable-owner@vger.kernel.org Wed Jul 5 18:55:57 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:13 +0200
-Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-8-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 26b5a5712eb85e253724e56a54c17f8519bd8e4e ]
-
-Add a new state to deal with rule expressions deactivation from the
-newrule error path, otherwise the anonymous set remains in the list in
-inactive state for the next generation. Mark the set/chain transaction
-as unbound so the abort path releases this object, set it as inactive in
-the next generation so it is not reachable anymore from this transaction
-and reference counter is dropped.
-
-Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE")
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/netfilter/nf_tables.h | 1 +
- net/netfilter/nf_tables_api.c | 26 ++++++++++++++++++++++----
- 2 files changed, 23 insertions(+), 4 deletions(-)
-
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -736,6 +736,7 @@ struct nft_expr_type {
-
- enum nft_trans_phase {
- NFT_TRANS_PREPARE,
-+ NFT_TRANS_PREPARE_ERROR,
- NFT_TRANS_ABORT,
- NFT_TRANS_COMMIT,
- NFT_TRANS_RELEASE
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -120,7 +120,8 @@ static void nft_trans_destroy(struct nft
- kfree(trans);
- }
-
--static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
-+static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
-+ bool bind)
- {
- struct nftables_pernet *nft_net;
- struct net *net = ctx->net;
-@@ -134,16 +135,26 @@ static void nft_set_trans_bind(const str
- switch (trans->msg_type) {
- case NFT_MSG_NEWSET:
- if (nft_trans_set(trans) == set)
-- nft_trans_set_bound(trans) = true;
-+ nft_trans_set_bound(trans) = bind;
- break;
- case NFT_MSG_NEWSETELEM:
- if (nft_trans_elem_set(trans) == set)
-- nft_trans_elem_set_bound(trans) = true;
-+ nft_trans_elem_set_bound(trans) = bind;
- break;
- }
- }
- }
-
-+static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
-+{
-+ return __nft_set_trans_bind(ctx, set, true);
-+}
-+
-+static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
-+{
-+ return __nft_set_trans_bind(ctx, set, false);
-+}
-+
- static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
- {
- struct nftables_pernet *nft_net;
-@@ -2784,7 +2795,7 @@ static int nf_tables_newrule(struct net
-
- return 0;
- err2:
-- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
-+ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
- nf_tables_rule_destroy(&ctx, rule);
- err1:
- for (i = 0; i < n; i++) {
-@@ -3809,6 +3820,13 @@ void nf_tables_deactivate_set(const stru
- enum nft_trans_phase phase)
- {
- switch (phase) {
-+ case NFT_TRANS_PREPARE_ERROR:
-+ nft_set_trans_unbind(ctx, set);
-+ if (nft_set_is_anonymous(set))
-+ nft_deactivate_next(ctx->net, set);
-+
-+ set->use--;
-+ break;
- case NFT_TRANS_PREPARE:
- if (nft_set_is_anonymous(set))
- nft_deactivate_next(ctx->net, set);
+++ /dev/null
-From pablo@netfilter.org Wed Jul 5 18:55:22 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:08 +0200
-Subject: netfilter: nf_tables: add rescheduling points during loop detection walks
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-3-pablo@netfilter.org>
-
-From: Florian Westphal <fw@strlen.de>
-
-[ 81ea010667417ef3f218dfd99b69769fe66c2b67 ]
-
-Add explicit rescheduling points during ruleset walk.
-
-Switching to a faster algorithm is possible but this is a much
-smaller change, suitable for nf tree.
-
-Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -2552,6 +2552,8 @@ int nft_chain_validate(const struct nft_
- if (err < 0)
- return err;
- }
-+
-+ cond_resched();
- }
-
- return 0;
-@@ -6956,9 +6958,13 @@ static int nf_tables_check_loops(const s
- break;
- }
- }
-+
-+ cond_resched();
- }
-
- list_for_each_entry(set, &ctx->table->sets, list) {
-+ cond_resched();
-+
- if (!nft_is_active_next(ctx->net, set))
- continue;
- if (!(set->flags & NFT_SET_MAP) ||
+++ /dev/null
-From 519800f3b9e064d6eec3b22116785effa817ba10 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 18 Jul 2023 01:30:33 +0200
-Subject: netfilter: nf_tables: can't schedule in nft_chain_validate
-
-From: Florian Westphal <fw@strlen.de>
-
-[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ]
-
-Can be called via nft set element list iteration, which may acquire
-rcu and/or bh read lock (depends on set type).
-
-BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353
-in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft
-preempt_count: 0, expected: 0
-RCU nest depth: 1, expected: 0
-2 locks held by nft/1232:
- #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
- #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire
-Call Trace:
- nft_chain_validate
- nft_lookup_validate_setelem
- nft_pipapo_walk
- nft_lookup_validate
- nft_chain_validate
- nft_immediate_validate
- nft_chain_validate
- nf_tables_validate
- nf_tables_abort
-
-No choice but to move it to nf_tables_validate().
-
-Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/netfilter/nf_tables_api.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index f25b6337f150a..115bc79ec9055 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -2602,8 +2602,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
- if (err < 0)
- return err;
- }
--
-- cond_resched();
- }
-
- return 0;
-@@ -2627,6 +2625,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
- err = nft_chain_validate(&ctx, chain);
- if (err < 0)
- return err;
-+
-+ cond_resched();
- }
-
- return 0;
---
-2.39.2
-
+++ /dev/null
-From pablo@netfilter.org Wed Jul 5 18:55:22 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:07 +0200
-Subject: netfilter: nf_tables: fix nat hook table deletion
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-2-pablo@netfilter.org>
-
-From: Florian Westphal <fw@strlen.de>
-
-[ 1e9451cbda456a170518b2bfd643e2cb980880bf ]
-
-sybot came up with following transaction:
- add table ip syz0
- add chain ip syz0 syz2 { type nat hook prerouting priority 0; policy accept; }
- add table ip syz0 { flags dormant; }
- delete chain ip syz0 syz2
- delete table ip syz0
-
-which yields:
-hook not found, pf 2 num 0
-WARNING: CPU: 0 PID: 6775 at net/netfilter/core.c:413 __nf_unregister_net_hook+0x3e6/0x4a0 net/netfilter/core.c:413
-[..]
- nft_unregister_basechain_hooks net/netfilter/nf_tables_api.c:206 [inline]
- nft_table_disable net/netfilter/nf_tables_api.c:835 [inline]
- nf_tables_table_disable net/netfilter/nf_tables_api.c:868 [inline]
- nf_tables_commit+0x32d3/0x4d70 net/netfilter/nf_tables_api.c:7550
- nfnetlink_rcv_batch net/netfilter/nfnetlink.c:486 [inline]
- nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:544 [inline]
- nfnetlink_rcv+0x14a5/0x1e50 net/netfilter/nfnetlink.c:562
- netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
-
-Problem is that when I added ability to override base hook registration
-to make nat basechains register with the nat core instead of netfilter
-core, I forgot to update nft_table_disable() to use that instead of
-the 'raw' hook register interface.
-
-In syzbot transaction, the basechain is of 'nat' type. Its registered
-with the nat core. The switch to 'dormant mode' attempts to delete from
-netfilter core instead.
-
-After updating nft_table_disable/enable to use the correct helper,
-nft_(un)register_basechain_hooks can be folded into the only remaining
-caller.
-
-Because nft_trans_table_enable() won't do anything when the DORMANT flag
-is set, remove the flag first, then re-add it in case re-enablement
-fails, else this patch breaks sequence:
-
-add table ip x { flags dormant; }
-/* add base chains */
-add table ip x
-
-The last 'add' will remove the dormant flags, but won't have any other
-effect -- base chains are not registered.
-Then, next 'set dormant flag' will create another 'hook not found'
-splat.
-
-Reported-by: syzbot+2570f2c036e3da5db176@syzkaller.appspotmail.com
-Fixes: 4e25ceb80b58 ("netfilter: nf_tables: allow chain type to override hook register")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 1e9451cbda456a170518b2bfd643e2cb980880bf)
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -743,7 +743,7 @@ static void nft_table_disable(struct net
- if (cnt && i++ == cnt)
- break;
-
-- nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
-+ nf_tables_unregister_hook(net, table, chain);
- }
- }
-
-@@ -758,7 +758,7 @@ static int nf_tables_table_enable(struct
- if (!nft_is_base_chain(chain))
- continue;
-
-- err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
-+ err = nf_tables_register_hook(net, table, chain);
- if (err < 0)
- goto err;
-
-@@ -802,11 +802,12 @@ static int nf_tables_updtable(struct nft
- nft_trans_table_enable(trans) = false;
- } else if (!(flags & NFT_TABLE_F_DORMANT) &&
- ctx->table->flags & NFT_TABLE_F_DORMANT) {
-+ ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
- ret = nf_tables_table_enable(ctx->net, ctx->table);
-- if (ret >= 0) {
-- ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
-+ if (ret >= 0)
- nft_trans_table_enable(trans) = true;
-- }
-+ else
-+ ctx->table->flags |= NFT_TABLE_F_DORMANT;
- }
- if (ret < 0)
- goto err;
+++ /dev/null
-From stable-owner@vger.kernel.org Wed Jul 5 18:56:03 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:16 +0200
-Subject: netfilter: nf_tables: fix scheduling-while-atomic splat
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-11-pablo@netfilter.org>
-
-From: Florian Westphal <fw@strlen.de>
-
-[ 2024439bd5ceb145eeeb428b2a59e9b905153ac3 ]
-
-nf_tables_check_loops() can be called from rhashtable list
-walk so cond_resched() cannot be used here.
-
-Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c | 4 ----
- 1 file changed, 4 deletions(-)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -7021,13 +7021,9 @@ static int nf_tables_check_loops(const s
- break;
- }
- }
--
-- cond_resched();
- }
-
- list_for_each_entry(set, &ctx->table->sets, list) {
-- cond_resched();
--
- if (!nft_is_active_next(ctx->net, set))
- continue;
- if (!(set->flags & NFT_SET_MAP) ||
+++ /dev/null
-From 976b926cc5c9ddd0dd5caf4c7b577052477d78eb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 20 Jul 2023 00:29:58 +0200
-Subject: netfilter: nf_tables: fix spurious set element insertion failure
-
-From: Florian Westphal <fw@strlen.de>
-
-[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
-
-On some platforms there is a padding hole in the nft_verdict
-structure, between the verdict code and the chain pointer.
-
-On element insertion, if the new element clashes with an existing one and
-NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
-the data associated with duplicated element is the same as the existing
-one. The data equality check uses memcmp.
-
-For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
-padding area leads to spurious failure even if the verdict data is the
-same.
-
-This then makes the insertion fail with 'already exists' error, even
-though the new "key : data" matches an existing entry and userspace
-told the kernel that it doesn't want to receive an error indication.
-
-Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/netfilter/nf_tables_api.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index 16405e71a6780..f25b6337f150a 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -7248,6 +7248,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
-
- if (!tb[NFTA_VERDICT_CODE])
- return -EINVAL;
-+
-+ /* zero padding hole for memcmp */
-+ memset(data, 0, sizeof(*data));
- data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
-
- switch (data->verdict.code) {
---
-2.39.2
-
+++ /dev/null
-From stable-owner@vger.kernel.org Wed Jul 5 18:55:56 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:12 +0200
-Subject: netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-7-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 1240eb93f0616b21c675416516ff3d74798fdc97 ]
-
-In case of error when adding a new rule that refers to an anonymous set,
-deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE.
-Thus, the lookup expression marks anonymous sets as inactive in the next
-generation to ensure it is not reachable in this transaction anymore and
-decrement the set refcount as introduced by c1592a89942e ("netfilter:
-nf_tables: deactivate anonymous set from preparation phase"). The abort
-step takes care of undoing the anonymous set.
-
-This is also consistent with rule deletion, where NFT_TRANS_PREPARE is
-used. Note that this error path is exercised in the preparation step of
-the commit protocol. This patch replaces nf_tables_rule_release() by the
-deactivate and destroy calls, this time with NFT_TRANS_PREPARE.
-
-Due to this incorrect error handling, it is possible to access a
-dangling pointer to the anonymous set that remains in the transaction
-list.
-
-[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
-[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
-[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
-[1009.379128] Call Trace:
-[1009.379132] <TASK>
-[1009.379135] dump_stack_lvl+0x33/0x50
-[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
-[1009.379191] print_address_description.constprop.0+0x27/0x300
-[1009.379201] kasan_report+0x107/0x120
-[1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
-[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables]
-[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables]
-[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables]
-[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables]
-[1009.379441] ? kasan_unpoison+0x23/0x50
-[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
-[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
-[1009.379485] ? __alloc_skb+0xb8/0x1e0
-[1009.379493] ? __alloc_skb+0xb8/0x1e0
-[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
-[1009.379509] ? unwind_get_return_address+0x2a/0x40
-[1009.379517] ? write_profile+0xc0/0xc0
-[1009.379524] ? avc_lookup+0x8f/0xc0
-[1009.379532] ? __rcu_read_unlock+0x43/0x60
-
-Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -2784,7 +2784,8 @@ static int nf_tables_newrule(struct net
-
- return 0;
- err2:
-- nf_tables_rule_release(&ctx, rule);
-+ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
-+ nf_tables_rule_destroy(&ctx, rule);
- err1:
- for (i = 0; i < n; i++) {
- if (info[i].ops) {
+++ /dev/null
-From caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd Mon Sep 17 00:00:00 2001
-From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Date: Wed, 5 Jul 2023 18:05:35 -0300
-Subject: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
-
-From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-
-commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream.
-
-When evaluating byteorder expressions with size 2, a union with 32-bit and
-16-bit members is used. Since the 16-bit members are aligned to 32-bit,
-the array accesses will be out-of-bounds.
-
-It may lead to a stack-out-of-bounds access like the one below:
-
-[ 23.095215] ==================================================================
-[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320
-[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115
-[ 23.096358]
-[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413
-[ 23.096770] Call Trace:
-[ 23.096910] <IRQ>
-[ 23.097030] dump_stack_lvl+0x60/0xc0
-[ 23.097218] print_report+0xcf/0x630
-[ 23.097388] ? nft_byteorder_eval+0x13c/0x320
-[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0
-[ 23.097760] ? nft_byteorder_eval+0x13c/0x320
-[ 23.097949] kasan_report+0xc9/0x110
-[ 23.098106] ? nft_byteorder_eval+0x13c/0x320
-[ 23.098298] __asan_load2+0x83/0xd0
-[ 23.098453] nft_byteorder_eval+0x13c/0x320
-[ 23.098659] nft_do_chain+0x1c8/0xc50
-[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10
-[ 23.099078] ? __kasan_check_read+0x11/0x20
-[ 23.099295] ? __pfx___lock_acquire+0x10/0x10
-[ 23.099535] ? __pfx___lock_acquire+0x10/0x10
-[ 23.099745] ? __kasan_check_read+0x11/0x20
-[ 23.099929] nft_do_chain_ipv4+0xfe/0x140
-[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10
-[ 23.100327] ? lock_release+0x204/0x400
-[ 23.100515] ? nf_hook.constprop.0+0x340/0x550
-[ 23.100779] nf_hook_slow+0x6c/0x100
-[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10
-[ 23.101223] nf_hook.constprop.0+0x334/0x550
-[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10
-[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10
-[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10
-[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10
-[ 23.102291] ? rcu_read_lock_held+0x4b/0x70
-[ 23.102481] ip_local_deliver+0xbb/0x110
-[ 23.102665] ? __pfx_ip_rcv+0x10/0x10
-[ 23.102839] ip_rcv+0x199/0x2a0
-[ 23.102980] ? __pfx_ip_rcv+0x10/0x10
-[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150
-[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10
-[ 23.103647] ? mark_held_locks+0x48/0xa0
-[ 23.103819] ? process_backlog+0x36c/0x380
-[ 23.103999] __netif_receive_skb+0x23/0xc0
-[ 23.104179] process_backlog+0x91/0x380
-[ 23.104350] __napi_poll.constprop.0+0x66/0x360
-[ 23.104589] ? net_rx_action+0x1cb/0x610
-[ 23.104811] net_rx_action+0x33e/0x610
-[ 23.105024] ? _raw_spin_unlock+0x23/0x50
-[ 23.105257] ? __pfx_net_rx_action+0x10/0x10
-[ 23.105485] ? mark_held_locks+0x48/0xa0
-[ 23.105741] __do_softirq+0xfa/0x5ab
-[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00
-[ 23.106193] do_softirq.part.0+0x49/0xc0
-[ 23.106423] </IRQ>
-[ 23.106547] <TASK>
-[ 23.106670] __local_bh_enable_ip+0xf5/0x120
-[ 23.106903] __dev_queue_xmit+0x789/0x1c00
-[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10
-[ 23.107381] ? find_held_lock+0x8e/0xb0
-[ 23.107585] ? lock_release+0x204/0x400
-[ 23.107798] ? neigh_resolve_output+0x185/0x350
-[ 23.108049] ? mark_held_locks+0x48/0xa0
-[ 23.108265] ? neigh_resolve_output+0x185/0x350
-[ 23.108514] neigh_resolve_output+0x246/0x350
-[ 23.108753] ? neigh_resolve_output+0x246/0x350
-[ 23.109003] ip_finish_output2+0x3c3/0x10b0
-[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10
-[ 23.109510] ? __pfx_nf_hook+0x10/0x10
-[ 23.109732] __ip_finish_output+0x217/0x390
-[ 23.109978] ip_finish_output+0x2f/0x130
-[ 23.110207] ip_output+0xc9/0x170
-[ 23.110404] ip_push_pending_frames+0x1a0/0x240
-[ 23.110652] raw_sendmsg+0x102e/0x19e0
-[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10
-[ 23.111093] ? lock_release+0x204/0x400
-[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330
-[ 23.111567] ? find_held_lock+0x8e/0xb0
-[ 23.111777] ? find_held_lock+0x8e/0xb0
-[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0
-[ 23.112225] ? aa_sk_perm+0x18a/0x550
-[ 23.112431] ? filemap_map_pages+0x4f1/0x900
-[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10
-[ 23.112880] ? find_held_lock+0x8e/0xb0
-[ 23.113098] inet_sendmsg+0xa0/0xb0
-[ 23.113297] ? inet_sendmsg+0xa0/0xb0
-[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10
-[ 23.113727] sock_sendmsg+0xf4/0x100
-[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0
-[ 23.114190] __sys_sendto+0x1d4/0x290
-[ 23.114391] ? __pfx___sys_sendto+0x10/0x10
-[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10
-[ 23.114869] ? lock_release+0x204/0x400
-[ 23.115076] ? find_held_lock+0x8e/0xb0
-[ 23.115287] ? rcu_is_watching+0x23/0x60
-[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860
-[ 23.115778] ? __kasan_check_write+0x14/0x30
-[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770
-[ 23.116285] ? mark_held_locks+0x28/0xa0
-[ 23.116503] ? do_syscall_64+0x37/0x90
-[ 23.116713] __x64_sys_sendto+0x7f/0xb0
-[ 23.116924] do_syscall_64+0x59/0x90
-[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30
-[ 23.117387] ? irqentry_exit+0x77/0xb0
-[ 23.117593] ? exc_page_fault+0x92/0x140
-[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
-[ 23.118081] RIP: 0033:0x7f744aee2bba
-[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
-[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba
-[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003
-[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010
-[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
-[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0
-[ 23.121617] </TASK>
-[ 23.121749]
-[ 23.121845] The buggy address belongs to the virtual mapping at
-[ 23.121845] [ffffc90000000000, ffffc90000009000) created by:
-[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270
-[ 23.122707]
-[ 23.122803] The buggy address belongs to the physical page:
-[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09
-[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
-[ 23.123998] page_type: 0xffffffff()
-[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000
-[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
-[ 23.125023] page dumped because: kasan: bad access detected
-[ 23.125326]
-[ 23.125421] Memory state around the buggy address:
-[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00
-[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
-[ 23.126840] ^
-[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
-[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
-[ 23.127906] ==================================================================
-[ 23.128324] Disabling lock debugging due to kernel taint
-
-Using simple s16 pointers for the 16-bit accesses fixes the problem. For
-the 32-bit accesses, src and dst can be used directly.
-
-Fixes: 96518518cc41 ("netfilter: add nftables")
-Cc: stable@vger.kernel.org
-Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI
-Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
-Reviewed-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nft_byteorder.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
---- a/net/netfilter/nft_byteorder.c
-+++ b/net/netfilter/nft_byteorder.c
-@@ -33,11 +33,11 @@ static void nft_byteorder_eval(const str
- const struct nft_byteorder *priv = nft_expr_priv(expr);
- u32 *src = ®s->data[priv->sreg];
- u32 *dst = ®s->data[priv->dreg];
-- union { u32 u32; u16 u16; } *s, *d;
-+ u16 *s16, *d16;
- unsigned int i;
-
-- s = (void *)src;
-- d = (void *)dst;
-+ s16 = (void *)src;
-+ d16 = (void *)dst;
-
- switch (priv->size) {
- case 8: {
-@@ -63,11 +63,11 @@ static void nft_byteorder_eval(const str
- switch (priv->op) {
- case NFT_BYTEORDER_NTOH:
- for (i = 0; i < priv->len / 4; i++)
-- d[i].u32 = ntohl((__force __be32)s[i].u32);
-+ dst[i] = ntohl((__force __be32)src[i]);
- break;
- case NFT_BYTEORDER_HTON:
- for (i = 0; i < priv->len / 4; i++)
-- d[i].u32 = (__force __u32)htonl(s[i].u32);
-+ dst[i] = (__force __u32)htonl(src[i]);
- break;
- }
- break;
-@@ -75,11 +75,11 @@ static void nft_byteorder_eval(const str
- switch (priv->op) {
- case NFT_BYTEORDER_NTOH:
- for (i = 0; i < priv->len / 2; i++)
-- d[i].u16 = ntohs((__force __be16)s[i].u16);
-+ d16[i] = ntohs((__force __be16)s16[i]);
- break;
- case NFT_BYTEORDER_HTON:
- for (i = 0; i < priv->len / 2; i++)
-- d[i].u16 = (__force __u16)htons(s[i].u16);
-+ d16[i] = (__force __u16)htons(s16[i]);
- break;
- }
- break;
+++ /dev/null
-From stable-owner@vger.kernel.org Wed Jul 5 18:55:57 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:14 +0200
-Subject: netfilter: nf_tables: reject unbound anonymous set before commit phase
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-9-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 938154b93be8cd611ddfd7bafc1849f3c4355201 ]
-
-Add a new list to track set transaction and to check for unbound
-anonymous sets before entering the commit phase.
-
-Bail out at the end of the transaction handling if an anonymous set
-remains unbound.
-
-Fixes: 96518518cc41 ("netfilter: add nftables")
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/netfilter/nf_tables.h | 3 +++
- net/netfilter/nf_tables_api.c | 33 ++++++++++++++++++++++++++++++---
- 2 files changed, 33 insertions(+), 3 deletions(-)
-
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -1320,12 +1320,14 @@ static inline void nft_set_elem_clear_bu
- * struct nft_trans - nf_tables object update in transaction
- *
- * @list: used internally
-+ * @binding_list: list of objects with possible bindings
- * @msg_type: message type
- * @ctx: transaction context
- * @data: internal information related to the transaction
- */
- struct nft_trans {
- struct list_head list;
-+ struct list_head binding_list;
- int msg_type;
- struct nft_ctx ctx;
- char data[0];
-@@ -1413,6 +1415,7 @@ void nft_chain_filter_fini(void);
- struct nftables_pernet {
- struct list_head tables;
- struct list_head commit_list;
-+ struct list_head binding_list;
- struct list_head module_list;
- struct list_head notify_list;
- struct mutex commit_mutex;
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -102,6 +102,7 @@ static struct nft_trans *nft_trans_alloc
- return NULL;
-
- INIT_LIST_HEAD(&trans->list);
-+ INIT_LIST_HEAD(&trans->binding_list);
- trans->msg_type = msg_type;
- trans->ctx = *ctx;
-
-@@ -114,9 +115,15 @@ static struct nft_trans *nft_trans_alloc
- return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
- }
-
--static void nft_trans_destroy(struct nft_trans *trans)
-+static void nft_trans_list_del(struct nft_trans *trans)
- {
- list_del(&trans->list);
-+ list_del(&trans->binding_list);
-+}
-+
-+static void nft_trans_destroy(struct nft_trans *trans)
-+{
-+ nft_trans_list_del(trans);
- kfree(trans);
- }
-
-@@ -160,6 +167,13 @@ static void nft_trans_commit_list_add_ta
- struct nftables_pernet *nft_net;
-
- nft_net = net_generic(net, nf_tables_net_id);
-+ switch (trans->msg_type) {
-+ case NFT_MSG_NEWSET:
-+ if (nft_set_is_anonymous(nft_trans_set(trans)))
-+ list_add_tail(&trans->binding_list, &nft_net->binding_list);
-+ break;
-+ }
-+
- list_add_tail(&trans->list, &nft_net->commit_list);
- }
-
-@@ -6403,7 +6417,7 @@ static void nf_tables_commit_release(str
- synchronize_rcu();
-
- list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
-- list_del(&trans->list);
-+ nft_trans_list_del(trans);
- nft_commit_release(trans);
- }
- }
-@@ -6542,6 +6556,18 @@ static int nf_tables_commit(struct net *
- struct nft_chain *chain;
- struct nft_table *table;
-
-+ list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
-+ switch (trans->msg_type) {
-+ case NFT_MSG_NEWSET:
-+ if (nft_set_is_anonymous(nft_trans_set(trans)) &&
-+ !nft_trans_set_bound(trans)) {
-+ pr_warn_once("nftables ruleset with unbound set\n");
-+ return -EINVAL;
-+ }
-+ break;
-+ }
-+ }
-+
- /* 0. Validate ruleset, otherwise roll back for error reporting. */
- if (nf_tables_validate(net) < 0)
- return -EAGAIN;
-@@ -6847,7 +6873,7 @@ static int __nf_tables_abort(struct net
-
- list_for_each_entry_safe_reverse(trans, next,
- &nft_net->commit_list, list) {
-- list_del(&trans->list);
-+ nft_trans_list_del(trans);
- nf_tables_abort_release(trans);
- }
-
-@@ -7497,6 +7523,7 @@ static int __net_init nf_tables_init_net
-
- INIT_LIST_HEAD(&nft_net->tables);
- INIT_LIST_HEAD(&nft_net->commit_list);
-+ INIT_LIST_HEAD(&nft_net->binding_list);
- mutex_init(&nft_net->commit_mutex);
- nft_net->base_seq = 1;
- nft_net->validate_state = NFT_VALIDATE_SKIP;
+++ /dev/null
-From stable-owner@vger.kernel.org Wed Jul 5 18:56:29 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:15 +0200
-Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-10-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 3e70489721b6c870252c9082c496703677240f53 ]
-
-Otherwise a dangling reference to a rule object that is gone remains
-in the set binding list.
-
-Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -3838,6 +3838,8 @@ void nf_tables_deactivate_set(const stru
- nft_set_trans_unbind(ctx, set);
- if (nft_set_is_anonymous(set))
- nft_deactivate_next(ctx->net, set);
-+ else
-+ list_del_rcu(&binding->list);
-
- set->use--;
- break;
+++ /dev/null
-From stable-owner@vger.kernel.org Wed Jul 5 18:56:03 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:11 +0200
-Subject: netfilter: nf_tables: use net_generic infra for transaction data
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-6-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 0854db2aaef3fcdd3498a9d299c60adea2aa3dc6 ]
-
-This moves all nf_tables pernet data from struct net to a net_generic
-extension, with the exception of the gencursor.
-
-The latter is used in the data path and also outside of the nf_tables
-core. All others are only used from the configuration plane.
-
-Signed-off-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/net/netfilter/nf_tables.h | 10 +
- include/net/netns/nftables.h | 5
- net/netfilter/nf_tables_api.c | 303 +++++++++++++++++++++++---------------
- net/netfilter/nft_chain_filter.c | 11 +
- net/netfilter/nft_dynset.c | 6
- 5 files changed, 210 insertions(+), 125 deletions(-)
-
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -1409,4 +1409,14 @@ struct nft_trans_flowtable {
- int __init nft_chain_filter_init(void);
- void nft_chain_filter_fini(void);
-
-+struct nftables_pernet {
-+ struct list_head tables;
-+ struct list_head commit_list;
-+ struct list_head module_list;
-+ struct list_head notify_list;
-+ struct mutex commit_mutex;
-+ unsigned int base_seq;
-+ u8 validate_state;
-+};
-+
- #endif /* _NET_NF_TABLES_H */
---- a/include/net/netns/nftables.h
-+++ b/include/net/netns/nftables.h
-@@ -5,12 +5,7 @@
- #include <linux/list.h>
-
- struct netns_nftables {
-- struct list_head tables;
-- struct list_head commit_list;
-- struct mutex commit_mutex;
-- unsigned int base_seq;
- u8 gencursor;
-- u8 validate_state;
- };
-
- #endif
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -22,10 +22,13 @@
- #include <net/netfilter/nf_tables_core.h>
- #include <net/netfilter/nf_tables.h>
- #include <net/net_namespace.h>
-+#include <net/netns/generic.h>
- #include <net/sock.h>
-
- #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
-
-+unsigned int nf_tables_net_id __read_mostly;
-+
- static LIST_HEAD(nf_tables_expressions);
- static LIST_HEAD(nf_tables_objects);
- static LIST_HEAD(nf_tables_flowtables);
-@@ -53,7 +56,9 @@ static const struct rhashtable_params nf
-
- static void nft_validate_state_update(struct net *net, u8 new_validate_state)
- {
-- switch (net->nft.validate_state) {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
-+
-+ switch (nft_net->validate_state) {
- case NFT_VALIDATE_SKIP:
- WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
- break;
-@@ -64,7 +69,7 @@ static void nft_validate_state_update(st
- return;
- }
-
-- net->nft.validate_state = new_validate_state;
-+ nft_net->validate_state = new_validate_state;
- }
-
- static void nft_ctx_init(struct nft_ctx *ctx,
-@@ -117,13 +122,15 @@ static void nft_trans_destroy(struct nft
-
- static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
- {
-+ struct nftables_pernet *nft_net;
- struct net *net = ctx->net;
- struct nft_trans *trans;
-
- if (!nft_set_is_anonymous(set))
- return;
-
-- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
- switch (trans->msg_type) {
- case NFT_MSG_NEWSET:
- if (nft_trans_set(trans) == set)
-@@ -137,6 +144,14 @@ static void nft_set_trans_bind(const str
- }
- }
-
-+static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
-+{
-+ struct nftables_pernet *nft_net;
-+
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ list_add_tail(&trans->list, &nft_net->commit_list);
-+}
-+
- static int nf_tables_register_hook(struct net *net,
- const struct nft_table *table,
- struct nft_chain *chain)
-@@ -187,7 +202,7 @@ static int nft_trans_table_add(struct nf
- if (msg_type == NFT_MSG_NEWTABLE)
- nft_activate_next(ctx->net, ctx->table);
-
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
- }
-
-@@ -214,7 +229,7 @@ static int nft_trans_chain_add(struct nf
- if (msg_type == NFT_MSG_NEWCHAIN)
- nft_activate_next(ctx->net, ctx->chain);
-
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
- }
-
-@@ -287,7 +302,7 @@ static struct nft_trans *nft_trans_rule_
- ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
- }
- nft_trans_rule(trans) = rule;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
-
- return trans;
- }
-@@ -342,7 +357,7 @@ static int nft_trans_set_add(const struc
- nft_activate_next(ctx->net, set);
- }
- nft_trans_set(trans) = set;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
-
- return 0;
- }
-@@ -374,7 +389,7 @@ static int nft_trans_obj_add(struct nft_
- nft_activate_next(ctx->net, obj);
-
- nft_trans_obj(trans) = obj;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
-
- return 0;
- }
-@@ -407,7 +422,7 @@ static int nft_trans_flowtable_add(struc
- nft_activate_next(ctx->net, flowtable);
-
- nft_trans_flowtable(trans) = flowtable;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
-
- return 0;
- }
-@@ -435,12 +450,14 @@ static struct nft_table *nft_table_looku
- const struct nlattr *nla,
- u8 family, u8 genmask)
- {
-+ struct nftables_pernet *nft_net;
- struct nft_table *table;
-
- if (nla == NULL)
- return ERR_PTR(-EINVAL);
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (!nla_strcmp(nla, table->name) &&
- table->family == family &&
- nft_active_genmask(table, genmask))
-@@ -454,9 +471,11 @@ static struct nft_table *nft_table_looku
- const struct nlattr *nla,
- u8 genmask)
- {
-+ struct nftables_pernet *nft_net;
- struct nft_table *table;
-
-- list_for_each_entry(table, &net->nft.tables, list) {
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ list_for_each_entry(table, &nft_net->tables, list) {
- if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
- nft_active_genmask(table, genmask))
- return table;
-@@ -509,11 +528,13 @@ __nf_tables_chain_type_lookup(const stru
- static void nft_request_module(struct net *net, const char *fmt, ...)
- {
- char module_name[MODULE_NAME_LEN];
-+ struct nftables_pernet *nft_net;
- LIST_HEAD(commit_list);
- va_list args;
- int ret;
-
-- list_splice_init(&net->nft.commit_list, &commit_list);
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ list_splice_init(&nft_net->commit_list, &commit_list);
-
- va_start(args, fmt);
- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
-@@ -521,12 +542,12 @@ static void nft_request_module(struct ne
- if (ret >= MODULE_NAME_LEN)
- return;
-
-- mutex_unlock(&net->nft.commit_mutex);
-+ mutex_unlock(&nft_net->commit_mutex);
- request_module("%s", module_name);
-- mutex_lock(&net->nft.commit_mutex);
-+ mutex_lock(&nft_net->commit_mutex);
-
-- WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
-- list_splice(&commit_list, &net->nft.commit_list);
-+ WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
-+ list_splice(&commit_list, &nft_net->commit_list);
- }
- #endif
-
-@@ -563,7 +584,9 @@ nf_tables_chain_type_lookup(struct net *
-
- static __be16 nft_base_seq(const struct net *net)
- {
-- return htons(net->nft.base_seq & 0xffff);
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
-+
-+ return htons(nft_net->base_seq & 0xffff);
- }
-
- static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
-@@ -631,15 +654,17 @@ static int nf_tables_dump_tables(struct
- struct netlink_callback *cb)
- {
- const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
-+ struct nftables_pernet *nft_net;
- const struct nft_table *table;
- unsigned int idx = 0, s_idx = cb->args[0];
- struct net *net = sock_net(skb->sk);
- int family = nfmsg->nfgen_family;
-
- rcu_read_lock();
-- cb->seq = net->nft.base_seq;
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ cb->seq = nft_net->base_seq;
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (family != NFPROTO_UNSPEC && family != table->family)
- continue;
-
-@@ -813,7 +838,7 @@ static int nf_tables_updtable(struct nft
- goto err;
-
- nft_trans_table_update(trans) = true;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
- err:
- nft_trans_destroy(trans);
-@@ -848,6 +873,7 @@ static int nf_tables_newtable(struct net
- const struct nlattr * const nla[],
- struct netlink_ext_ack *extack)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
- u8 genmask = nft_genmask_next(net);
- int family = nfmsg->nfgen_family;
-@@ -857,7 +883,7 @@ static int nf_tables_newtable(struct net
- struct nft_ctx ctx;
- int err;
-
-- lockdep_assert_held(&net->nft.commit_mutex);
-+ lockdep_assert_held(&nft_net->commit_mutex);
- attr = nla[NFTA_TABLE_NAME];
- table = nft_table_lookup(net, attr, family, genmask);
- if (IS_ERR(table)) {
-@@ -907,7 +933,7 @@ static int nf_tables_newtable(struct net
- if (err < 0)
- goto err_trans;
-
-- list_add_tail_rcu(&table->list, &net->nft.tables);
-+ list_add_tail_rcu(&table->list, &nft_net->tables);
- return 0;
- err_trans:
- rhltable_destroy(&table->chains_ht);
-@@ -987,11 +1013,12 @@ out:
-
- static int nft_flush(struct nft_ctx *ctx, int family)
- {
-+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
- struct nft_table *table, *nt;
- const struct nlattr * const *nla = ctx->nla;
- int err = 0;
-
-- list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
-+ list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
- if (family != AF_UNSPEC && table->family != family)
- continue;
-
-@@ -1105,7 +1132,9 @@ nft_chain_lookup_byhandle(const struct n
- static bool lockdep_commit_lock_is_held(struct net *net)
- {
- #ifdef CONFIG_PROVE_LOCKING
-- return lockdep_is_held(&net->nft.commit_mutex);
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
-+
-+ return lockdep_is_held(&nft_net->commit_mutex);
- #else
- return true;
- #endif
-@@ -1302,11 +1331,13 @@ static int nf_tables_dump_chains(struct
- unsigned int idx = 0, s_idx = cb->args[0];
- struct net *net = sock_net(skb->sk);
- int family = nfmsg->nfgen_family;
-+ struct nftables_pernet *nft_net;
-
- rcu_read_lock();
-- cb->seq = net->nft.base_seq;
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ cb->seq = nft_net->base_seq;
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (family != NFPROTO_UNSPEC && family != table->family)
- continue;
-
-@@ -1499,12 +1530,13 @@ static int nft_chain_parse_hook(struct n
- struct nft_chain_hook *hook, u8 family,
- bool autoload)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nlattr *ha[NFTA_HOOK_MAX + 1];
- const struct nft_chain_type *type;
- struct net_device *dev;
- int err;
-
-- lockdep_assert_held(&net->nft.commit_mutex);
-+ lockdep_assert_held(&nft_net->commit_mutex);
- lockdep_nfnl_nft_mutex_not_held();
-
- err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
-@@ -1773,6 +1805,7 @@ static int nf_tables_updchain(struct nft
-
- if (nla[NFTA_CHAIN_HANDLE] &&
- nla[NFTA_CHAIN_NAME]) {
-+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
- struct nft_trans *tmp;
- char *name;
-
-@@ -1782,7 +1815,7 @@ static int nf_tables_updchain(struct nft
- goto err;
-
- err = -EEXIST;
-- list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
-+ list_for_each_entry(tmp, &nft_net->commit_list, list) {
- if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
- tmp->ctx.table == table &&
- nft_trans_chain_update(tmp) &&
-@@ -1795,7 +1828,7 @@ static int nf_tables_updchain(struct nft
-
- nft_trans_chain_name(trans) = name;
- }
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
-
- return 0;
- err:
-@@ -1809,6 +1842,7 @@ static int nf_tables_newchain(struct net
- const struct nlattr * const nla[],
- struct netlink_ext_ack *extack)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
- u8 genmask = nft_genmask_next(net);
- int family = nfmsg->nfgen_family;
-@@ -1819,7 +1853,7 @@ static int nf_tables_newchain(struct net
- struct nft_ctx ctx;
- u64 handle = 0;
-
-- lockdep_assert_held(&net->nft.commit_mutex);
-+ lockdep_assert_held(&nft_net->commit_mutex);
-
- table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
- if (IS_ERR(table)) {
-@@ -2342,11 +2376,13 @@ static int nf_tables_dump_rules(struct s
- unsigned int idx = 0, s_idx = cb->args[0];
- struct net *net = sock_net(skb->sk);
- int family = nfmsg->nfgen_family;
-+ struct nftables_pernet *nft_net;
-
- rcu_read_lock();
-- cb->seq = net->nft.base_seq;
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ cb->seq = nft_net->base_seq;
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (family != NFPROTO_UNSPEC && family != table->family)
- continue;
-
-@@ -2499,7 +2535,6 @@ static void nf_tables_rule_destroy(const
- {
- struct nft_expr *expr, *next;
-
-- lockdep_assert_held(&ctx->net->nft.commit_mutex);
- /*
- * Careful: some expressions might not be initialized in case this
- * is called on error from nf_tables_newrule().
-@@ -2579,6 +2614,7 @@ static int nf_tables_newrule(struct net
- const struct nlattr * const nla[],
- struct netlink_ext_ack *extack)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
- u8 genmask = nft_genmask_next(net);
- struct nft_expr_info *info = NULL;
-@@ -2595,7 +2631,7 @@ static int nf_tables_newrule(struct net
- int err, rem;
- u64 handle, pos_handle;
-
-- lockdep_assert_held(&net->nft.commit_mutex);
-+ lockdep_assert_held(&nft_net->commit_mutex);
-
- table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
- if (IS_ERR(table)) {
-@@ -2743,7 +2779,7 @@ static int nf_tables_newrule(struct net
- kvfree(info);
- chain->use++;
-
-- if (net->nft.validate_state == NFT_VALIDATE_DO)
-+ if (nft_net->validate_state == NFT_VALIDATE_DO)
- return nft_table_validate(net, table);
-
- return 0;
-@@ -2765,10 +2801,11 @@ static struct nft_rule *nft_rule_lookup_
- const struct nft_chain *chain,
- const struct nlattr *nla)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- u32 id = ntohl(nla_get_be32(nla));
- struct nft_trans *trans;
-
-- list_for_each_entry(trans, &net->nft.commit_list, list) {
-+ list_for_each_entry(trans, &nft_net->commit_list, list) {
- struct nft_rule *rule = nft_trans_rule(trans);
-
- if (trans->msg_type == NFT_MSG_NEWRULE &&
-@@ -2887,12 +2924,13 @@ nft_select_set_ops(const struct nft_ctx
- const struct nft_set_desc *desc,
- enum nft_set_policies policy)
- {
-+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
- const struct nft_set_ops *ops, *bops;
- struct nft_set_estimate est, best;
- const struct nft_set_type *type;
- u32 flags = 0;
-
-- lockdep_assert_held(&ctx->net->nft.commit_mutex);
-+ lockdep_assert_held(&nft_net->commit_mutex);
- lockdep_nfnl_nft_mutex_not_held();
- #ifdef CONFIG_MODULES
- if (list_empty(&nf_tables_set_types)) {
-@@ -3038,10 +3076,11 @@ static struct nft_set *nft_set_lookup_by
- const struct nft_table *table,
- const struct nlattr *nla, u8 genmask)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_trans *trans;
- u32 id = ntohl(nla_get_be32(nla));
-
-- list_for_each_entry(trans, &net->nft.commit_list, list) {
-+ list_for_each_entry(trans, &nft_net->commit_list, list) {
- if (trans->msg_type == NFT_MSG_NEWSET) {
- struct nft_set *set = nft_trans_set(trans);
-
-@@ -3257,14 +3296,16 @@ static int nf_tables_dump_sets(struct sk
- struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
- struct net *net = sock_net(skb->sk);
- struct nft_ctx *ctx = cb->data, ctx_set;
-+ struct nftables_pernet *nft_net;
-
- if (cb->args[1])
- return skb->len;
-
- rcu_read_lock();
-- cb->seq = net->nft.base_seq;
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ cb->seq = nft_net->base_seq;
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (ctx->family != NFPROTO_UNSPEC &&
- ctx->family != table->family)
- continue;
-@@ -3971,6 +4012,7 @@ static int nf_tables_dump_set(struct sk_
- {
- struct nft_set_dump_ctx *dump_ctx = cb->data;
- struct net *net = sock_net(skb->sk);
-+ struct nftables_pernet *nft_net;
- struct nft_table *table;
- struct nft_set *set;
- struct nft_set_dump_args args;
-@@ -3981,7 +4023,8 @@ static int nf_tables_dump_set(struct sk_
- int event;
-
- rcu_read_lock();
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
- dump_ctx->ctx.family != table->family)
- continue;
-@@ -4571,7 +4614,7 @@ static int nft_add_set_elem(struct nft_c
- }
-
- nft_trans_elem(trans) = elem;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
-
- err6:
-@@ -4596,6 +4639,7 @@ static int nf_tables_newsetelem(struct n
- const struct nlattr * const nla[],
- struct netlink_ext_ack *extack)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- u8 genmask = nft_genmask_next(net);
- const struct nlattr *attr;
- struct nft_set *set;
-@@ -4625,7 +4669,7 @@ static int nf_tables_newsetelem(struct n
- return err;
- }
-
-- if (net->nft.validate_state == NFT_VALIDATE_DO)
-+ if (nft_net->validate_state == NFT_VALIDATE_DO)
- return nft_table_validate(net, ctx.table);
-
- return 0;
-@@ -4738,7 +4782,7 @@ static int nft_del_setelem(struct nft_ct
- nft_set_elem_deactivate(ctx->net, set, &elem);
-
- nft_trans_elem(trans) = elem;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
- return 0;
-
- fail_ops:
-@@ -4772,7 +4816,7 @@ static int nft_flush_set(const struct nf
- nft_set_elem_deactivate(ctx->net, set, elem);
- nft_trans_elem_set(trans) = set;
- nft_trans_elem(trans) = *elem;
-- list_add_tail(&trans->list, &ctx->net->nft.commit_list);
-+ nft_trans_commit_list_add_tail(ctx->net, trans);
-
- return 0;
- err1:
-@@ -5151,6 +5195,7 @@ static int nf_tables_dump_obj(struct sk_
- struct nft_obj_filter *filter = cb->data;
- struct net *net = sock_net(skb->sk);
- int family = nfmsg->nfgen_family;
-+ struct nftables_pernet *nft_net;
- struct nft_object *obj;
- bool reset = false;
-
-@@ -5158,9 +5203,10 @@ static int nf_tables_dump_obj(struct sk_
- reset = true;
-
- rcu_read_lock();
-- cb->seq = net->nft.base_seq;
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ cb->seq = nft_net->base_seq;
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (family != NFPROTO_UNSPEC && family != table->family)
- continue;
-
-@@ -5826,12 +5872,14 @@ static int nf_tables_dump_flowtable(stru
- struct net *net = sock_net(skb->sk);
- int family = nfmsg->nfgen_family;
- struct nft_flowtable *flowtable;
-+ struct nftables_pernet *nft_net;
- const struct nft_table *table;
-
- rcu_read_lock();
-- cb->seq = net->nft.base_seq;
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ cb->seq = nft_net->base_seq;
-
-- list_for_each_entry_rcu(table, &net->nft.tables, list) {
-+ list_for_each_entry_rcu(table, &nft_net->tables, list) {
- if (family != NFPROTO_UNSPEC && family != table->family)
- continue;
-
-@@ -6001,6 +6049,7 @@ static void nf_tables_flowtable_destroy(
- static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
- u32 portid, u32 seq)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nlmsghdr *nlh;
- char buf[TASK_COMM_LEN];
- int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
-@@ -6010,7 +6059,7 @@ static int nf_tables_fill_gen_info(struc
- if (!nlh)
- goto nla_put_failure;
-
-- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
-+ if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
- nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
- nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
- goto nla_put_failure;
-@@ -6043,6 +6092,7 @@ static int nf_tables_flowtable_event(str
- {
- struct net_device *dev = netdev_notifier_info_to_dev(ptr);
- struct nft_flowtable *flowtable;
-+ struct nftables_pernet *nft_net;
- struct nft_table *table;
- struct net *net;
-
-@@ -6050,13 +6100,14 @@ static int nf_tables_flowtable_event(str
- return 0;
-
- net = dev_net(dev);
-- mutex_lock(&net->nft.commit_mutex);
-- list_for_each_entry(table, &net->nft.tables, list) {
-+ nft_net = net_generic(net, nf_tables_net_id);
-+ mutex_lock(&nft_net->commit_mutex);
-+ list_for_each_entry(table, &nft_net->tables, list) {
- list_for_each_entry(flowtable, &table->flowtables, list) {
- nft_flowtable_event(event, dev, flowtable);
- }
- }
-- mutex_unlock(&net->nft.commit_mutex);
-+ mutex_unlock(&nft_net->commit_mutex);
-
- return NOTIFY_DONE;
- }
-@@ -6237,16 +6288,17 @@ static const struct nfnl_callback nf_tab
-
- static int nf_tables_validate(struct net *net)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_table *table;
-
-- switch (net->nft.validate_state) {
-+ switch (nft_net->validate_state) {
- case NFT_VALIDATE_SKIP:
- break;
- case NFT_VALIDATE_NEED:
- nft_validate_state_update(net, NFT_VALIDATE_DO);
- /* fall through */
- case NFT_VALIDATE_DO:
-- list_for_each_entry(table, &net->nft.tables, list) {
-+ list_for_each_entry(table, &nft_net->tables, list) {
- if (nft_table_validate(net, table) < 0)
- return -EAGAIN;
- }
-@@ -6323,14 +6375,15 @@ static void nft_commit_release(struct nf
-
- static void nf_tables_commit_release(struct net *net)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_trans *trans, *next;
-
-- if (list_empty(&net->nft.commit_list))
-+ if (list_empty(&nft_net->commit_list))
- return;
-
- synchronize_rcu();
-
-- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
- list_del(&trans->list);
- nft_commit_release(trans);
- }
-@@ -6369,9 +6422,10 @@ static int nf_tables_commit_chain_prepar
-
- static void nf_tables_commit_chain_prepare_cancel(struct net *net)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_trans *trans, *next;
-
-- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
- struct nft_chain *chain = trans->ctx.chain;
-
- if (trans->msg_type == NFT_MSG_NEWRULE ||
-@@ -6463,6 +6517,7 @@ static void nft_chain_del(struct nft_cha
-
- static int nf_tables_commit(struct net *net, struct sk_buff *skb)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_trans *trans, *next;
- struct nft_trans_elem *te;
- struct nft_chain *chain;
-@@ -6473,7 +6528,7 @@ static int nf_tables_commit(struct net *
- return -EAGAIN;
-
- /* 1. Allocate space for next generation rules_gen_X[] */
-- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
- int ret;
-
- if (trans->msg_type == NFT_MSG_NEWRULE ||
-@@ -6489,7 +6544,7 @@ static int nf_tables_commit(struct net *
- }
-
- /* step 2. Make rules_gen_X visible to packet path */
-- list_for_each_entry(table, &net->nft.tables, list) {
-+ list_for_each_entry(table, &nft_net->tables, list) {
- list_for_each_entry(chain, &table->chains, list)
- nf_tables_commit_chain(net, chain);
- }
-@@ -6498,12 +6553,13 @@ static int nf_tables_commit(struct net *
- * Bump generation counter, invalidate any dump in progress.
- * Cannot fail after this point.
- */
-- while (++net->nft.base_seq == 0);
-+ while (++nft_net->base_seq == 0)
-+ ;
-
- /* step 3. Start new generation, rules_gen_X now in use. */
- net->nft.gencursor = nft_gencursor_next(net);
-
-- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
- switch (trans->msg_type) {
- case NFT_MSG_NEWTABLE:
- if (nft_trans_table_update(trans)) {
-@@ -6624,7 +6680,7 @@ static int nf_tables_commit(struct net *
-
- nf_tables_commit_release(net);
- nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
-- mutex_unlock(&net->nft.commit_mutex);
-+ mutex_unlock(&nft_net->commit_mutex);
-
- return 0;
- }
-@@ -6660,10 +6716,11 @@ static void nf_tables_abort_release(stru
-
- static int __nf_tables_abort(struct net *net)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- struct nft_trans *trans, *next;
- struct nft_trans_elem *te;
-
-- list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
-+ list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
- list) {
- switch (trans->msg_type) {
- case NFT_MSG_NEWTABLE:
-@@ -6770,7 +6827,7 @@ static int __nf_tables_abort(struct net
- synchronize_rcu();
-
- list_for_each_entry_safe_reverse(trans, next,
-- &net->nft.commit_list, list) {
-+ &nft_net->commit_list, list) {
- list_del(&trans->list);
- nf_tables_abort_release(trans);
- }
-@@ -6780,22 +6837,24 @@ static int __nf_tables_abort(struct net
-
- static int nf_tables_abort(struct net *net, struct sk_buff *skb)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- int ret = __nf_tables_abort(net);
-
-- mutex_unlock(&net->nft.commit_mutex);
-+ mutex_unlock(&nft_net->commit_mutex);
-
- return ret;
- }
-
- static bool nf_tables_valid_genid(struct net *net, u32 genid)
- {
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
- bool genid_ok;
-
-- mutex_lock(&net->nft.commit_mutex);
-+ mutex_lock(&nft_net->commit_mutex);
-
-- genid_ok = genid == 0 || net->nft.base_seq == genid;
-+ genid_ok = genid == 0 || nft_net->base_seq == genid;
- if (!genid_ok)
-- mutex_unlock(&net->nft.commit_mutex);
-+ mutex_unlock(&nft_net->commit_mutex);
-
- /* else, commit mutex has to be released by commit or abort function */
- return genid_ok;
-@@ -7353,10 +7412,9 @@ int __nft_release_basechain(struct nft_c
- }
- EXPORT_SYMBOL_GPL(__nft_release_basechain);
-
--static void __nft_release_tables(struct net *net)
-+static void __nft_release_table(struct net *net, struct nft_table *table)
- {
- struct nft_flowtable *flowtable, *nf;
-- struct nft_table *table, *nt;
- struct nft_chain *chain, *nc;
- struct nft_object *obj, *ne;
- struct nft_rule *rule, *nr;
-@@ -7366,71 +7424,84 @@ static void __nft_release_tables(struct
- .family = NFPROTO_NETDEV,
- };
-
-- list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
-- ctx.family = table->family;
-+ ctx.family = table->family;
-
-- list_for_each_entry(chain, &table->chains, list)
-- nf_tables_unregister_hook(net, table, chain);
-- /* No packets are walking on these chains anymore. */
-- ctx.table = table;
-- list_for_each_entry(chain, &table->chains, list) {
-- ctx.chain = chain;
-- list_for_each_entry_safe(rule, nr, &chain->rules, list) {
-- list_del(&rule->list);
-- chain->use--;
-- nf_tables_rule_release(&ctx, rule);
-- }
-- }
-- list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
-- list_del(&flowtable->list);
-- table->use--;
-- nf_tables_flowtable_destroy(flowtable);
-- }
-- list_for_each_entry_safe(set, ns, &table->sets, list) {
-- list_del(&set->list);
-- table->use--;
-- nft_set_destroy(set);
-- }
-- list_for_each_entry_safe(obj, ne, &table->objects, list) {
-- list_del(&obj->list);
-- table->use--;
-- nft_obj_destroy(&ctx, obj);
-- }
-- list_for_each_entry_safe(chain, nc, &table->chains, list) {
-- ctx.chain = chain;
-- nft_chain_del(chain);
-- table->use--;
-- nf_tables_chain_destroy(&ctx);
-+ list_for_each_entry(chain, &table->chains, list)
-+ nf_tables_unregister_hook(net, table, chain);
-+ /* No packets are walking on these chains anymore. */
-+ ctx.table = table;
-+ list_for_each_entry(chain, &table->chains, list) {
-+ ctx.chain = chain;
-+ list_for_each_entry_safe(rule, nr, &chain->rules, list) {
-+ list_del(&rule->list);
-+ chain->use--;
-+ nf_tables_rule_release(&ctx, rule);
- }
-- list_del(&table->list);
-- nf_tables_table_destroy(&ctx);
- }
-+ list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
-+ list_del(&flowtable->list);
-+ table->use--;
-+ nf_tables_flowtable_destroy(flowtable);
-+ }
-+ list_for_each_entry_safe(set, ns, &table->sets, list) {
-+ list_del(&set->list);
-+ table->use--;
-+ nft_set_destroy(set);
-+ }
-+ list_for_each_entry_safe(obj, ne, &table->objects, list) {
-+ list_del(&obj->list);
-+ table->use--;
-+ nft_obj_destroy(&ctx, obj);
-+ }
-+ list_for_each_entry_safe(chain, nc, &table->chains, list) {
-+ ctx.chain = chain;
-+ nft_chain_del(chain);
-+ table->use--;
-+ nf_tables_chain_destroy(&ctx);
-+ }
-+ list_del(&table->list);
-+ nf_tables_table_destroy(&ctx);
-+}
-+
-+static void __nft_release_tables(struct net *net)
-+{
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
-+ struct nft_table *table, *nt;
-+
-+ list_for_each_entry_safe(table, nt, &nft_net->tables, list)
-+ __nft_release_table(net, table);
- }
-
- static int __net_init nf_tables_init_net(struct net *net)
- {
-- INIT_LIST_HEAD(&net->nft.tables);
-- INIT_LIST_HEAD(&net->nft.commit_list);
-- mutex_init(&net->nft.commit_mutex);
-- net->nft.base_seq = 1;
-- net->nft.validate_state = NFT_VALIDATE_SKIP;
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
-+
-+ INIT_LIST_HEAD(&nft_net->tables);
-+ INIT_LIST_HEAD(&nft_net->commit_list);
-+ mutex_init(&nft_net->commit_mutex);
-+ nft_net->base_seq = 1;
-+ nft_net->validate_state = NFT_VALIDATE_SKIP;
-
- return 0;
- }
-
- static void __net_exit nf_tables_exit_net(struct net *net)
- {
-- mutex_lock(&net->nft.commit_mutex);
-- if (!list_empty(&net->nft.commit_list))
-+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
-+
-+ mutex_lock(&nft_net->commit_mutex);
-+ if (!list_empty(&nft_net->commit_list))
- __nf_tables_abort(net);
- __nft_release_tables(net);
-- mutex_unlock(&net->nft.commit_mutex);
-- WARN_ON_ONCE(!list_empty(&net->nft.tables));
-+ mutex_unlock(&nft_net->commit_mutex);
-+ WARN_ON_ONCE(!list_empty(&nft_net->tables));
- }
-
- static struct pernet_operations nf_tables_net_ops = {
- .init = nf_tables_init_net,
- .exit = nf_tables_exit_net,
-+ .id = &nf_tables_net_id,
-+ .size = sizeof(struct nftables_pernet),
- };
-
- static int __init nf_tables_module_init(void)
---- a/net/netfilter/nft_chain_filter.c
-+++ b/net/netfilter/nft_chain_filter.c
-@@ -2,6 +2,7 @@
- #include <linux/kernel.h>
- #include <linux/netdevice.h>
- #include <net/net_namespace.h>
-+#include <net/netns/generic.h>
- #include <net/netfilter/nf_tables.h>
- #include <linux/netfilter_ipv4.h>
- #include <linux/netfilter_ipv6.h>
-@@ -10,6 +11,8 @@
- #include <net/netfilter/nf_tables_ipv4.h>
- #include <net/netfilter/nf_tables_ipv6.h>
-
-+extern unsigned int nf_tables_net_id;
-+
- #ifdef CONFIG_NF_TABLES_IPV4
- static unsigned int nft_do_chain_ipv4(void *priv,
- struct sk_buff *skb,
-@@ -315,6 +318,7 @@ static int nf_tables_netdev_event(struct
- unsigned long event, void *ptr)
- {
- struct net_device *dev = netdev_notifier_info_to_dev(ptr);
-+ struct nftables_pernet *nft_net;
- struct nft_table *table;
- struct nft_chain *chain, *nr;
- struct nft_ctx ctx = {
-@@ -325,8 +329,9 @@ static int nf_tables_netdev_event(struct
- event != NETDEV_CHANGENAME)
- return NOTIFY_DONE;
-
-- mutex_lock(&ctx.net->nft.commit_mutex);
-- list_for_each_entry(table, &ctx.net->nft.tables, list) {
-+ nft_net = net_generic(ctx.net, nf_tables_net_id);
-+ mutex_lock(&nft_net->commit_mutex);
-+ list_for_each_entry(table, &nft_net->tables, list) {
- if (table->family != NFPROTO_NETDEV)
- continue;
-
-@@ -340,7 +345,7 @@ static int nf_tables_netdev_event(struct
- nft_netdev_event(event, dev, &ctx);
- }
- }
-- mutex_unlock(&ctx.net->nft.commit_mutex);
-+ mutex_unlock(&nft_net->commit_mutex);
-
- return NOTIFY_DONE;
- }
---- a/net/netfilter/nft_dynset.c
-+++ b/net/netfilter/nft_dynset.c
-@@ -15,6 +15,9 @@
- #include <linux/netfilter/nf_tables.h>
- #include <net/netfilter/nf_tables.h>
- #include <net/netfilter/nf_tables_core.h>
-+#include <net/netns/generic.h>
-+
-+extern unsigned int nf_tables_net_id;
-
- struct nft_dynset {
- struct nft_set *set;
-@@ -112,13 +115,14 @@ static int nft_dynset_init(const struct
- const struct nft_expr *expr,
- const struct nlattr * const tb[])
- {
-+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
- struct nft_dynset *priv = nft_expr_priv(expr);
- u8 genmask = nft_genmask_next(ctx->net);
- struct nft_set *set;
- u64 timeout;
- int err;
-
-- lockdep_assert_held(&ctx->net->nft.commit_mutex);
-+ lockdep_assert_held(&nft_net->commit_mutex);
-
- if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
- tb[NFTA_DYNSET_OP] == NULL ||
+++ /dev/null
-From pablo@netfilter.org Wed Jul 5 18:55:23 2023
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed, 5 Jul 2023 18:55:09 +0200
-Subject: netfilter: nftables: add helper function to set the base sequence number
-To: netfilter-devel@vger.kernel.org
-Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
-Message-ID: <20230705165516.50145-4-pablo@netfilter.org>
-
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-
-[ 802b805162a1b7d8391c40ac8a878e9e63287aff ]
-
-This patch adds a helper function to calculate the base sequence number
-field that is stored in the nfnetlink header. Use the helper function
-whenever possible.
-
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/netfilter/nf_tables_api.c | 23 ++++++++++++++---------
- 1 file changed, 14 insertions(+), 9 deletions(-)
-
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -561,6 +561,11 @@ nf_tables_chain_type_lookup(struct net *
- return ERR_PTR(-ENOENT);
- }
-
-+static __be16 nft_base_seq(const struct net *net)
-+{
-+ return htons(net->nft.base_seq & 0xffff);
-+}
-+
- static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
- [NFTA_TABLE_NAME] = { .type = NLA_STRING,
- .len = NFT_TABLE_MAXNAMELEN - 1 },
-@@ -583,7 +588,7 @@ static int nf_tables_fill_table_info(str
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
- nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
-@@ -1218,7 +1223,7 @@ static int nf_tables_fill_chain_info(str
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
- goto nla_put_failure;
-@@ -2265,7 +2270,7 @@ static int nf_tables_fill_rule_info(stru
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
- goto nla_put_failure;
-@@ -3176,7 +3181,7 @@ static int nf_tables_fill_set(struct sk_
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = ctx->family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(ctx->net);
-
- if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
- goto nla_put_failure;
-@@ -4032,7 +4037,7 @@ static int nf_tables_dump_set(struct sk_
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = table->family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
- goto nla_put_failure;
-@@ -4104,7 +4109,7 @@ static int nf_tables_fill_setelem_info(s
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = ctx->family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(ctx->net);
-
- if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
- goto nla_put_failure;
-@@ -5152,7 +5157,7 @@ static int nf_tables_fill_obj_info(struc
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
- nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
-@@ -5813,7 +5818,7 @@ static int nf_tables_fill_flowtable_info
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = family;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
- nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
-@@ -6051,7 +6056,7 @@ static int nf_tables_fill_gen_info(struc
- nfmsg = nlmsg_data(nlh);
- nfmsg->nfgen_family = AF_UNSPEC;
- nfmsg->version = NFNETLINK_V0;
-- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
-+ nfmsg->res_id = nft_base_seq(net);
-
- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
- nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
+++ /dev/null
-From 3a75a252bcf5592f5b27882ccbb7d44ddafb7763 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 26 Jun 2023 09:43:13 -0700
-Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump().
-
-From: Kuniyuki Iwashima <kuniyu@amazon.com>
-
-[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ]
-
-syzbot reported a warning in __local_bh_enable_ip(). [0]
-
-Commit 8d61f926d420 ("netlink: fix potential deadlock in
-netlink_set_err()") converted read_lock(&nl_table_lock) to
-read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock.
-
-However, __netlink_diag_dump() calls sock_i_ino() that uses
-read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y,
-read_unlock_bh() finally enables IRQ even though it should stay
-disabled until the following read_unlock_irqrestore().
-
-Using read_lock() in sock_i_ino() would trigger a lockdep splat
-in another place that was fixed in commit f064af1e500a ("net: fix
-a lockdep splat"), so let's add __sock_i_ino() that would be safe
-to use under BH disabled.
-
-[0]:
-WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
-Modules linked in:
-CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
-RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
-Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f
-RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046
-RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996
-RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3
-RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3
-R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4
-R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000
-FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
-CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0
-DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-Call Trace:
- <TASK>
- sock_i_ino+0x83/0xa0 net/core/sock.c:2559
- __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171
- netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207
- netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269
- __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374
- netlink_dump_start include/linux/netlink.h:329 [inline]
- netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238
- __sock_diag_cmd net/core/sock_diag.c:238 [inline]
- sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269
- netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547
- sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
- netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
- netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
- netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914
- sock_sendmsg_nosec net/socket.c:724 [inline]
- sock_sendmsg+0xde/0x190 net/socket.c:747
- ____sys_sendmsg+0x71c/0x900 net/socket.c:2503
- ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557
- __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586
- do_syscall_x64 arch/x86/entry/common.c:50 [inline]
- do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
- entry_SYSCALL_64_after_hwframe+0x63/0xcd
-RIP: 0033:0x7f5303aaabb9
-Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
-RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
-RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9
-RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
-RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0
-R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
- </TASK>
-
-Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()")
-Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com
-Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422
-Suggested-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/sock.h | 1 +
- net/core/sock.c | 17 ++++++++++++++---
- net/netlink/diag.c | 2 +-
- 3 files changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/include/net/sock.h b/include/net/sock.h
-index 616e84d1670df..72739f72e4b90 100644
---- a/include/net/sock.h
-+++ b/include/net/sock.h
-@@ -1840,6 +1840,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
- }
-
- kuid_t sock_i_uid(struct sock *sk);
-+unsigned long __sock_i_ino(struct sock *sk);
- unsigned long sock_i_ino(struct sock *sk);
-
- static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
-diff --git a/net/core/sock.c b/net/core/sock.c
-index 347a55519d0a5..5b31f3446fc7a 100644
---- a/net/core/sock.c
-+++ b/net/core/sock.c
-@@ -1939,13 +1939,24 @@ kuid_t sock_i_uid(struct sock *sk)
- }
- EXPORT_SYMBOL(sock_i_uid);
-
--unsigned long sock_i_ino(struct sock *sk)
-+unsigned long __sock_i_ino(struct sock *sk)
- {
- unsigned long ino;
-
-- read_lock_bh(&sk->sk_callback_lock);
-+ read_lock(&sk->sk_callback_lock);
- ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0;
-- read_unlock_bh(&sk->sk_callback_lock);
-+ read_unlock(&sk->sk_callback_lock);
-+ return ino;
-+}
-+EXPORT_SYMBOL(__sock_i_ino);
-+
-+unsigned long sock_i_ino(struct sock *sk)
-+{
-+ unsigned long ino;
-+
-+ local_bh_disable();
-+ ino = __sock_i_ino(sk);
-+ local_bh_enable();
- return ino;
- }
- EXPORT_SYMBOL(sock_i_ino);
-diff --git a/net/netlink/diag.c b/net/netlink/diag.c
-index 83a0429805e9d..85ee4891c2c7f 100644
---- a/net/netlink/diag.c
-+++ b/net/netlink/diag.c
-@@ -167,7 +167,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
- NETLINK_CB(cb->skb).portid,
- cb->nlh->nlmsg_seq,
- NLM_F_MULTI,
-- sock_i_ino(sk)) < 0) {
-+ __sock_i_ino(sk)) < 0) {
- ret = 1;
- break;
- }
---
-2.39.2
-
+++ /dev/null
-From 459b47414fc29c8475bd27d3af1b1a4f95fb993f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 21 Jun 2023 17:47:20 +0000
-Subject: netlink: do not hard code device address lenth in fdb dumps
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ]
-
-syzbot reports that some netdev devices do not have a six bytes
-address [1]
-
-Replace ETH_ALEN by dev->addr_len.
-
-[1] (Case of a device where dev->addr_len = 4)
-
-BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
-BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
-instrument_copy_to_user include/linux/instrumented.h:114 [inline]
-copyout+0xb8/0x100 lib/iov_iter.c:169
-_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
-copy_to_iter include/linux/uio.h:206 [inline]
-simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
-__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
-skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
-skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
-netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
-sock_recvmsg_nosec net/socket.c:1019 [inline]
-sock_recvmsg net/socket.c:1040 [inline]
-____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
-___sys_recvmsg+0x223/0x840 net/socket.c:2764
-do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
-__sys_recvmmsg net/socket.c:2937 [inline]
-__do_sys_recvmmsg net/socket.c:2960 [inline]
-__se_sys_recvmmsg net/socket.c:2953 [inline]
-__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
-do_syscall_x64 arch/x86/entry/common.c:50 [inline]
-do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
-entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-Uninit was stored to memory at:
-__nla_put lib/nlattr.c:1009 [inline]
-nla_put+0x1c6/0x230 lib/nlattr.c:1067
-nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
-nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
-ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
-rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
-netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
-netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
-sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
-____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
-___sys_recvmsg+0x223/0x840 net/socket.c:2764
-do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
-__sys_recvmmsg net/socket.c:2937 [inline]
-__do_sys_recvmmsg net/socket.c:2960 [inline]
-__se_sys_recvmmsg net/socket.c:2953 [inline]
-__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
-do_syscall_x64 arch/x86/entry/common.c:50 [inline]
-do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
-entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-Uninit was created at:
-slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
-slab_alloc_node mm/slub.c:3451 [inline]
-__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
-kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
-kmalloc include/linux/slab.h:559 [inline]
-__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
-__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
-__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
-dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
-igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
-ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
-ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
-addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
-addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
-notifier_call_chain kernel/notifier.c:93 [inline]
-raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
-call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
-call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
-call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
-bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
-do_set_master net/core/rtnetlink.c:2626 [inline]
-rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
-__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
-rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
-rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
-netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
-rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
-netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
-netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
-netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
-sock_sendmsg_nosec net/socket.c:724 [inline]
-sock_sendmsg net/socket.c:747 [inline]
-____sys_sendmsg+0x999/0xd50 net/socket.c:2503
-___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
-__sys_sendmsg net/socket.c:2586 [inline]
-__do_sys_sendmsg net/socket.c:2595 [inline]
-__se_sys_sendmsg net/socket.c:2593 [inline]
-__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
-do_syscall_x64 arch/x86/entry/common.c:50 [inline]
-do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
-entry_SYSCALL_64_after_hwframe+0x63/0xcd
-
-Bytes 2856-2857 of 3500 are uninitialized
-Memory access of size 3500 starts at ffff888018d99104
-Data copied to user address 0000000020000480
-
-Fixes: d83b06036048 ("net: add fdb generic dump routine")
-Reported-by: syzbot <syzkaller@googlegroups.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiri Pirko <jiri@nvidia.com>
-Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/core/rtnetlink.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
-index 2837cc03f69e2..79f62517e24a5 100644
---- a/net/core/rtnetlink.c
-+++ b/net/core/rtnetlink.c
-@@ -3436,7 +3436,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
- ndm->ndm_ifindex = dev->ifindex;
- ndm->ndm_state = ndm_state;
-
-- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr))
-+ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr))
- goto nla_put_failure;
- if (vid)
- if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid))
-@@ -3450,10 +3450,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
- return -EMSGSIZE;
- }
-
--static inline size_t rtnl_fdb_nlmsg_size(void)
-+static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev)
- {
- return NLMSG_ALIGN(sizeof(struct ndmsg)) +
-- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */
-+ nla_total_size(dev->addr_len) + /* NDA_LLADDR */
- nla_total_size(sizeof(u16)) + /* NDA_VLAN */
- 0;
- }
-@@ -3465,7 +3465,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
- struct sk_buff *skb;
- int err = -ENOBUFS;
-
-- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC);
-+ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC);
- if (!skb)
- goto errout;
-
---
-2.39.2
-
+++ /dev/null
-From 6845ece794e1aeaadab2f5f1b10d1d35bc668d1c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 21 Jun 2023 15:43:37 +0000
-Subject: netlink: fix potential deadlock in netlink_set_err()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ]
-
-syzbot reported a possible deadlock in netlink_set_err() [1]
-
-A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs
-for netlink_lock_table()") in netlink_lock_table()
-
-This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()
-which were not covered by cited commit.
-
-[1]
-
-WARNING: possible irq lock inversion dependency detected
-6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted
-
-syz-executor.2/23011 just changed the state of lock:
-ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612
-but this lock was taken by another, SOFTIRQ-safe lock in the past:
- (&local->queue_stop_reason_lock){..-.}-{2:2}
-
-and interrupts could create inverse lock ordering between them.
-
-other info that might help us debug this:
- Possible interrupt unsafe locking scenario:
-
- CPU0 CPU1
- ---- ----
- lock(nl_table_lock);
- local_irq_disable();
- lock(&local->queue_stop_reason_lock);
- lock(nl_table_lock);
- <Interrupt>
- lock(&local->queue_stop_reason_lock);
-
- *** DEADLOCK ***
-
-Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()")
-Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com
-Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c
-Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Johannes Berg <johannes.berg@intel.com>
-Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/netlink/af_netlink.c | 5 +++--
- net/netlink/diag.c | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 57fd9b7cfc75f..35ecaa93f213a 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -1603,6 +1603,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p)
- int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
- {
- struct netlink_set_err_data info;
-+ unsigned long flags;
- struct sock *sk;
- int ret = 0;
-
-@@ -1612,12 +1613,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
- /* sk->sk_err wants a positive error value */
- info.code = -code;
-
-- read_lock(&nl_table_lock);
-+ read_lock_irqsave(&nl_table_lock, flags);
-
- sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list)
- ret += do_one_set_err(sk, &info);
-
-- read_unlock(&nl_table_lock);
-+ read_unlock_irqrestore(&nl_table_lock, flags);
- return ret;
- }
- EXPORT_SYMBOL(netlink_set_err);
-diff --git a/net/netlink/diag.c b/net/netlink/diag.c
-index 7dda33b9b7849..83a0429805e9d 100644
---- a/net/netlink/diag.c
-+++ b/net/netlink/diag.c
-@@ -93,6 +93,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
- struct net *net = sock_net(skb->sk);
- struct netlink_diag_req *req;
- struct netlink_sock *nlsk;
-+ unsigned long flags;
- struct sock *sk;
- int num = 2;
- int ret = 0;
-@@ -151,7 +152,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
- num++;
-
- mc_list:
-- read_lock(&nl_table_lock);
-+ read_lock_irqsave(&nl_table_lock, flags);
- sk_for_each_bound(sk, &tbl->mc_list) {
- if (sk_hashed(sk))
- continue;
-@@ -172,7 +173,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
- }
- num++;
- }
-- read_unlock(&nl_table_lock);
-+ read_unlock_irqrestore(&nl_table_lock, flags);
-
- done:
- cb->args[0] = num;
---
-2.39.2
-
+++ /dev/null
-From f2fd3340eff76d7c5d0b33c8a89cb746bb836c1a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 30 Jul 2021 16:41:59 +0200
-Subject: nfc: constify several pointers to u8, char and sk_buff
-
-From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
-
-[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ]
-
-Several functions receive pointers to u8, char or sk_buff but do not
-modify the contents so make them const. This allows doing the same for
-local variables and in total makes the code a little bit safer.
-
-Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/nfc/nfc.h | 4 ++--
- net/nfc/core.c | 4 ++--
- net/nfc/hci/llc_shdlc.c | 10 ++++-----
- net/nfc/llcp.h | 8 +++----
- net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++-------------------
- net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------
- net/nfc/nfc.h | 2 +-
- 7 files changed, 63 insertions(+), 55 deletions(-)
-
-diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
-index bbdc73a3239df..8b86560b5cfb1 100644
---- a/include/net/nfc/nfc.h
-+++ b/include/net/nfc/nfc.h
-@@ -278,7 +278,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk,
- struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp);
-
- int nfc_set_remote_general_bytes(struct nfc_dev *dev,
-- u8 *gt, u8 gt_len);
-+ const u8 *gt, u8 gt_len);
- u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len);
-
- int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name,
-@@ -292,7 +292,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx,
- u8 comm_mode, u8 rf_mode);
-
- int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode,
-- u8 *gb, size_t gb_len);
-+ const u8 *gb, size_t gb_len);
- int nfc_tm_deactivated(struct nfc_dev *dev);
- int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb);
-
-diff --git a/net/nfc/core.c b/net/nfc/core.c
-index a84f824da051d..dd12ee46ac730 100644
---- a/net/nfc/core.c
-+++ b/net/nfc/core.c
-@@ -646,7 +646,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx)
- return rc;
- }
-
--int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len)
-+int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
- {
- pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len);
-
-@@ -675,7 +675,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb)
- EXPORT_SYMBOL(nfc_tm_data_received);
-
- int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode,
-- u8 *gb, size_t gb_len)
-+ const u8 *gb, size_t gb_len)
- {
- int rc;
-
-diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c
-index fe988936ad923..e6863c71f566d 100644
---- a/net/nfc/hci/llc_shdlc.c
-+++ b/net/nfc/hci/llc_shdlc.c
-@@ -134,7 +134,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z)
- return ((y >= x) || (y < z)) ? true : false;
- }
-
--static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc,
-+static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc,
- int payload_len)
- {
- struct sk_buff *skb;
-@@ -148,7 +148,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc,
- }
-
- /* immediately sends an S frame. */
--static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc,
-+static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc,
- enum sframe_type sframe_type, int nr)
- {
- int r;
-@@ -170,7 +170,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc,
- }
-
- /* immediately sends an U frame. skb may contain optional payload */
--static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc,
-+static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc,
- struct sk_buff *skb,
- enum uframe_modifier uframe_modifier)
- {
-@@ -372,7 +372,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r)
- wake_up(shdlc->connect_wq);
- }
-
--static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc)
-+static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc)
- {
- struct sk_buff *skb;
-
-@@ -388,7 +388,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc)
- return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET);
- }
-
--static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc)
-+static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc)
- {
- struct sk_buff *skb;
-
-diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h
-index 1f68724d44d3b..a070a57fc1516 100644
---- a/net/nfc/llcp.h
-+++ b/net/nfc/llcp.h
-@@ -233,15 +233,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock);
-
- /* TLV API */
- int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
-- u8 *tlv_array, u16 tlv_array_len);
-+ const u8 *tlv_array, u16 tlv_array_len);
- int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
-- u8 *tlv_array, u16 tlv_array_len);
-+ const u8 *tlv_array, u16 tlv_array_len);
-
- /* Commands API */
- void nfc_llcp_recv(void *data, struct sk_buff *skb, int err);
--u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length);
-+u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length);
- struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap);
--struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
-+struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri,
- size_t uri_len);
- void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp);
- void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head);
-diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
-index d1fc019e932e0..6dcad7bcf20bb 100644
---- a/net/nfc/llcp_commands.c
-+++ b/net/nfc/llcp_commands.c
-@@ -27,7 +27,7 @@
- #include "nfc.h"
- #include "llcp.h"
-
--static u8 llcp_tlv_length[LLCP_TLV_MAX] = {
-+static const u8 llcp_tlv_length[LLCP_TLV_MAX] = {
- 0,
- 1, /* VERSION */
- 2, /* MIUX */
-@@ -41,7 +41,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = {
-
- };
-
--static u8 llcp_tlv8(u8 *tlv, u8 type)
-+static u8 llcp_tlv8(const u8 *tlv, u8 type)
- {
- if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]])
- return 0;
-@@ -49,7 +49,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type)
- return tlv[2];
- }
-
--static u16 llcp_tlv16(u8 *tlv, u8 type)
-+static u16 llcp_tlv16(const u8 *tlv, u8 type)
- {
- if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]])
- return 0;
-@@ -58,37 +58,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type)
- }
-
-
--static u8 llcp_tlv_version(u8 *tlv)
-+static u8 llcp_tlv_version(const u8 *tlv)
- {
- return llcp_tlv8(tlv, LLCP_TLV_VERSION);
- }
-
--static u16 llcp_tlv_miux(u8 *tlv)
-+static u16 llcp_tlv_miux(const u8 *tlv)
- {
- return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff;
- }
-
--static u16 llcp_tlv_wks(u8 *tlv)
-+static u16 llcp_tlv_wks(const u8 *tlv)
- {
- return llcp_tlv16(tlv, LLCP_TLV_WKS);
- }
-
--static u16 llcp_tlv_lto(u8 *tlv)
-+static u16 llcp_tlv_lto(const u8 *tlv)
- {
- return llcp_tlv8(tlv, LLCP_TLV_LTO);
- }
-
--static u8 llcp_tlv_opt(u8 *tlv)
-+static u8 llcp_tlv_opt(const u8 *tlv)
- {
- return llcp_tlv8(tlv, LLCP_TLV_OPT);
- }
-
--static u8 llcp_tlv_rw(u8 *tlv)
-+static u8 llcp_tlv_rw(const u8 *tlv)
- {
- return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf;
- }
-
--u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length)
-+u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length)
- {
- u8 *tlv, length;
-
-@@ -142,7 +142,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap)
- return sdres;
- }
-
--struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
-+struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri,
- size_t uri_len)
- {
- struct nfc_llcp_sdp_tlv *sdreq;
-@@ -202,9 +202,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head)
- }
-
- int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
-- u8 *tlv_array, u16 tlv_array_len)
-+ const u8 *tlv_array, u16 tlv_array_len)
- {
-- u8 *tlv = tlv_array, type, length, offset = 0;
-+ const u8 *tlv = tlv_array;
-+ u8 type, length, offset = 0;
-
- pr_debug("TLV array length %d\n", tlv_array_len);
-
-@@ -251,9 +252,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local,
- }
-
- int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock,
-- u8 *tlv_array, u16 tlv_array_len)
-+ const u8 *tlv_array, u16 tlv_array_len)
- {
-- u8 *tlv = tlv_array, type, length, offset = 0;
-+ const u8 *tlv = tlv_array;
-+ u8 type, length, offset = 0;
-
- pr_debug("TLV array length %d\n", tlv_array_len);
-
-@@ -307,7 +309,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu,
- return pdu;
- }
-
--static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv,
-+static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv,
- u8 tlv_length)
- {
- /* XXX Add an skb length check */
-@@ -401,9 +403,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
- {
- struct nfc_llcp_local *local;
- struct sk_buff *skb;
-- u8 *service_name_tlv = NULL, service_name_tlv_length;
-- u8 *miux_tlv = NULL, miux_tlv_length;
-- u8 *rw_tlv = NULL, rw_tlv_length, rw;
-+ const u8 *service_name_tlv = NULL;
-+ const u8 *miux_tlv = NULL;
-+ const u8 *rw_tlv = NULL;
-+ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw;
- int err;
- u16 size = 0;
- __be16 miux;
-@@ -477,8 +480,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock)
- {
- struct nfc_llcp_local *local;
- struct sk_buff *skb;
-- u8 *miux_tlv = NULL, miux_tlv_length;
-- u8 *rw_tlv = NULL, rw_tlv_length, rw;
-+ const u8 *miux_tlv = NULL;
-+ const u8 *rw_tlv = NULL;
-+ u8 miux_tlv_length, rw_tlv_length, rw;
- int err;
- u16 size = 0;
- __be16 miux;
-diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
-index 3290f2275b857..bdc1a9d0965af 100644
---- a/net/nfc/llcp_core.c
-+++ b/net/nfc/llcp_core.c
-@@ -314,7 +314,7 @@ static char *wks[] = {
- "urn:nfc:sn:snep",
- };
-
--static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len)
-+static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
- {
- int sap, num_wks;
-
-@@ -338,7 +338,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len)
-
- static
- struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
-- u8 *sn, size_t sn_len)
-+ const u8 *sn, size_t sn_len)
- {
- struct sock *sk;
- struct nfc_llcp_sock *llcp_sock, *tmp_sock;
-@@ -535,7 +535,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
- {
- u8 *gb_cur, version, version_length;
- u8 lto_length, wks_length, miux_length;
-- u8 *version_tlv = NULL, *lto_tlv = NULL,
-+ const u8 *version_tlv = NULL, *lto_tlv = NULL,
- *wks_tlv = NULL, *miux_tlv = NULL;
- __be16 wks = cpu_to_be16(local->local_wks);
- u8 gb_len = 0;
-@@ -625,7 +625,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len)
- return local->gb;
- }
-
--int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
-+int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len)
- {
- struct nfc_llcp_local *local;
-
-@@ -652,27 +652,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len)
- local->remote_gb_len - 3);
- }
-
--static u8 nfc_llcp_dsap(struct sk_buff *pdu)
-+static u8 nfc_llcp_dsap(const struct sk_buff *pdu)
- {
- return (pdu->data[0] & 0xfc) >> 2;
- }
-
--static u8 nfc_llcp_ptype(struct sk_buff *pdu)
-+static u8 nfc_llcp_ptype(const struct sk_buff *pdu)
- {
- return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6);
- }
-
--static u8 nfc_llcp_ssap(struct sk_buff *pdu)
-+static u8 nfc_llcp_ssap(const struct sk_buff *pdu)
- {
- return pdu->data[1] & 0x3f;
- }
-
--static u8 nfc_llcp_ns(struct sk_buff *pdu)
-+static u8 nfc_llcp_ns(const struct sk_buff *pdu)
- {
- return pdu->data[2] >> 4;
- }
-
--static u8 nfc_llcp_nr(struct sk_buff *pdu)
-+static u8 nfc_llcp_nr(const struct sk_buff *pdu)
- {
- return pdu->data[2] & 0xf;
- }
-@@ -814,7 +814,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local
- }
-
- static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
-- u8 *sn, size_t sn_len)
-+ const u8 *sn, size_t sn_len)
- {
- struct nfc_llcp_sock *llcp_sock;
-
-@@ -828,9 +828,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
- return llcp_sock;
- }
-
--static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len)
-+static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
- {
-- u8 *tlv = &skb->data[2], type, length;
-+ u8 type, length;
-+ const u8 *tlv = &skb->data[2];
- size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0;
-
- while (offset < tlv_array_len) {
-@@ -888,7 +889,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
- }
-
- static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
-- struct sk_buff *skb)
-+ const struct sk_buff *skb)
- {
- struct sock *new_sk, *parent;
- struct nfc_llcp_sock *sock, *new_sock;
-@@ -906,7 +907,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local,
- goto fail;
- }
- } else {
-- u8 *sn;
-+ const u8 *sn;
- size_t sn_len;
-
- sn = nfc_llcp_connect_sn(skb, &sn_len);
-@@ -1125,7 +1126,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
- }
-
- static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
-- struct sk_buff *skb)
-+ const struct sk_buff *skb)
- {
- struct nfc_llcp_sock *llcp_sock;
- struct sock *sk;
-@@ -1168,7 +1169,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
- nfc_llcp_sock_put(llcp_sock);
- }
-
--static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb)
-+static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
-+ const struct sk_buff *skb)
- {
- struct nfc_llcp_sock *llcp_sock;
- struct sock *sk;
-@@ -1201,7 +1203,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb)
- nfc_llcp_sock_put(llcp_sock);
- }
-
--static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
-+static void nfc_llcp_recv_dm(struct nfc_llcp_local *local,
-+ const struct sk_buff *skb)
- {
- struct nfc_llcp_sock *llcp_sock;
- struct sock *sk;
-@@ -1239,12 +1242,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb)
- }
-
- static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
-- struct sk_buff *skb)
-+ const struct sk_buff *skb)
- {
- struct nfc_llcp_sock *llcp_sock;
-- u8 dsap, ssap, *tlv, type, length, tid, sap;
-+ u8 dsap, ssap, type, length, tid, sap;
-+ const u8 *tlv;
- u16 tlv_len, offset;
-- char *service_name;
-+ const char *service_name;
- size_t service_name_len;
- struct nfc_llcp_sdp_tlv *sdp;
- HLIST_HEAD(llc_sdres_list);
-diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h
-index 6c6f76b370b1e..c792165f523f1 100644
---- a/net/nfc/nfc.h
-+++ b/net/nfc/nfc.h
-@@ -60,7 +60,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
- u8 comm_mode, u8 rf_mode);
- int nfc_llcp_register_device(struct nfc_dev *dev);
- void nfc_llcp_unregister_device(struct nfc_dev *dev);
--int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len);
-+int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len);
- u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len);
- int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb);
- struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev);
---
-2.39.2
-
+++ /dev/null
-From 994bdd8700413b10cf79b929542fa04709405edc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 13 May 2023 13:52:04 +0200
-Subject: nfc: llcp: fix possible use of uninitialized variable in
- nfc_llcp_send_connect()
-
-From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
-
-[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ]
-
-If sock->service_name is NULL, the local variable
-service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(),
-later leading to using value frmo the stack. Smatch warning:
-
- net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'.
-
-Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()")
-Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/nfc/llcp_commands.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
-index 6dcad7bcf20bb..737c7aa384f44 100644
---- a/net/nfc/llcp_commands.c
-+++ b/net/nfc/llcp_commands.c
-@@ -406,7 +406,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
- const u8 *service_name_tlv = NULL;
- const u8 *miux_tlv = NULL;
- const u8 *rw_tlv = NULL;
-- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw;
-+ u8 service_name_tlv_length = 0;
-+ u8 miux_tlv_length, rw_tlv_length, rw;
- int err;
- u16 size = 0;
- __be16 miux;
---
-2.39.2
-
+++ /dev/null
-From 58f5d894006d82ed7335e1c37182fbc5f08c2f51 Mon Sep 17 00:00:00 2001
-From: Dai Ngo <dai.ngo@oracle.com>
-Date: Tue, 6 Jun 2023 16:41:02 -0700
-Subject: NFSD: add encoding of op_recall flag for write delegation
-
-From: Dai Ngo <dai.ngo@oracle.com>
-
-commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream.
-
-Modified nfsd4_encode_open to encode the op_recall flag properly
-for OPEN result with write delegation granted.
-
-Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/nfsd/nfs4xdr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/fs/nfsd/nfs4xdr.c
-+++ b/fs/nfsd/nfs4xdr.c
-@@ -3403,7 +3403,7 @@ nfsd4_encode_open(struct nfsd4_compoundr
- p = xdr_reserve_space(xdr, 32);
- if (!p)
- return nfserr_resource;
-- *p++ = cpu_to_be32(0);
-+ *p++ = cpu_to_be32(open->op_recall);
-
- /*
- * TODO: space_limit's in delegations
+++ /dev/null
-From 5d7e064f00a219bea355726f35ad8949bc616514 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 5 Nov 2022 09:43:09 +0000
-Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
-
-From: Yuan Can <yuancan@huawei.com>
-
-[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ]
-
-A problem about ntb_hw_amd create debugfs failed is triggered with the
-following log given:
-
- [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0
- [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present!
-
-The reason is that amd_ntb_pci_driver_init() returns pci_register_driver()
-directly without checking its return value, if pci_register_driver()
-failed, it returns without destroy the newly created debugfs, resulting
-the debugfs of ntb_hw_amd can never be created later.
-
- amd_ntb_pci_driver_init()
- debugfs_create_dir() # create debugfs directory
- pci_register_driver()
- driver_register()
- bus_add_driver()
- priv = kzalloc(...) # OOM happened
- # return without destroy debugfs directory
-
-Fix by removing debugfs when pci_register_driver() returns error.
-
-Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge")
-Signed-off-by: Yuan Can <yuancan@huawei.com>
-Signed-off-by: Jon Mason <jdmason@kudzu.us>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c
-index 0b1fbb5dba9b6..7de7616803935 100644
---- a/drivers/ntb/hw/amd/ntb_hw_amd.c
-+++ b/drivers/ntb/hw/amd/ntb_hw_amd.c
-@@ -1139,12 +1139,17 @@ static struct pci_driver amd_ntb_pci_driver = {
-
- static int __init amd_ntb_pci_driver_init(void)
- {
-+ int ret;
- pr_info("%s %s\n", NTB_DESC, NTB_VER);
-
- if (debugfs_initialized())
- debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
-
-- return pci_register_driver(&amd_ntb_pci_driver);
-+ ret = pci_register_driver(&amd_ntb_pci_driver);
-+ if (ret)
-+ debugfs_remove_recursive(debugfs_dir);
-+
-+ return ret;
- }
- module_init(amd_ntb_pci_driver_init);
-
---
-2.39.2
-
+++ /dev/null
-From 6c414abbd187488cca9dedbfb323305e19628e74 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 5 Nov 2022 09:43:01 +0000
-Subject: ntb: idt: Fix error handling in idt_pci_driver_init()
-
-From: Yuan Can <yuancan@huawei.com>
-
-[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ]
-
-A problem about ntb_hw_idt create debugfs failed is triggered with the
-following log given:
-
- [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0
- [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present!
-
-The reason is that idt_pci_driver_init() returns pci_register_driver()
-directly without checking its return value, if pci_register_driver()
-failed, it returns without destroy the newly created debugfs, resulting
-the debugfs of ntb_hw_idt can never be created later.
-
- idt_pci_driver_init()
- debugfs_create_dir() # create debugfs directory
- pci_register_driver()
- driver_register()
- bus_add_driver()
- priv = kzalloc(...) # OOM happened
- # return without destroy debugfs directory
-
-Fix by removing debugfs when pci_register_driver() returns error.
-
-Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support")
-Signed-off-by: Yuan Can <yuancan@huawei.com>
-Signed-off-by: Jon Mason <jdmason@kudzu.us>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c
-index a67ef23e81bca..82e08f583980b 100644
---- a/drivers/ntb/hw/idt/ntb_hw_idt.c
-+++ b/drivers/ntb/hw/idt/ntb_hw_idt.c
-@@ -2692,6 +2692,7 @@ static struct pci_driver idt_pci_driver = {
-
- static int __init idt_pci_driver_init(void)
- {
-+ int ret;
- pr_info("%s %s\n", NTB_DESC, NTB_VER);
-
- /* Create the top DebugFS directory if the FS is initialized */
-@@ -2699,7 +2700,11 @@ static int __init idt_pci_driver_init(void)
- dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL);
-
- /* Register the NTB hardware driver to handle the PCI device */
-- return pci_register_driver(&idt_pci_driver);
-+ ret = pci_register_driver(&idt_pci_driver);
-+ if (ret)
-+ debugfs_remove_recursive(dbgfs_topdir);
-+
-+ return ret;
- }
- module_init(idt_pci_driver_init);
-
---
-2.39.2
-
+++ /dev/null
-From 358aa040c10230eb3cb6ebcf84c9dfe99ded0948 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 5 Nov 2022 09:43:22 +0000
-Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
-
-From: Yuan Can <yuancan@huawei.com>
-
-[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ]
-
-A problem about ntb_hw_intel create debugfs failed is triggered with the
-following log given:
-
- [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0
- [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present!
-
-The reason is that intel_ntb_pci_driver_init() returns
-pci_register_driver() directly without checking its return value, if
-pci_register_driver() failed, it returns without destroy the newly created
-debugfs, resulting the debugfs of ntb_hw_intel can never be created later.
-
- intel_ntb_pci_driver_init()
- debugfs_create_dir() # create debugfs directory
- pci_register_driver()
- driver_register()
- bus_add_driver()
- priv = kzalloc(...) # OOM happened
- # return without destroy debugfs directory
-
-Fix by removing debugfs when pci_register_driver() returns error.
-
-Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
-Signed-off-by: Yuan Can <yuancan@huawei.com>
-Acked-by: Dave Jiang <dave.jiang@intel.com>
-Signed-off-by: Jon Mason <jdmason@kudzu.us>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
-index 2ad263f708da7..084bd1d1ac1dc 100644
---- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
-+++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
-@@ -2052,12 +2052,17 @@ static struct pci_driver intel_ntb_pci_driver = {
-
- static int __init intel_ntb_pci_driver_init(void)
- {
-+ int ret;
- pr_info("%s %s\n", NTB_DESC, NTB_VER);
-
- if (debugfs_initialized())
- debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
-
-- return pci_register_driver(&intel_ntb_pci_driver);
-+ ret = pci_register_driver(&intel_ntb_pci_driver);
-+ if (ret)
-+ debugfs_remove_recursive(debugfs_dir);
-+
-+ return ret;
- }
- module_init(intel_ntb_pci_driver_init);
-
---
-2.39.2
-
+++ /dev/null
-From f72bc20308a55f4ea33714c839246367d246b89d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 22 Nov 2022 11:32:44 +0800
-Subject: NTB: ntb_tool: Add check for devm_kcalloc
-
-From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
-
-[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ]
-
-As the devm_kcalloc may return NULL pointer,
-it should be better to add check for the return
-value, as same as the others.
-
-Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support")
-Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
-Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
-Reviewed-by: Dave Jiang <dave.jiang@intel.com>
-Signed-off-by: Jon Mason <jdmason@kudzu.us>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/ntb/test/ntb_tool.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
-index 6301aa413c3b8..1f64146546221 100644
---- a/drivers/ntb/test/ntb_tool.c
-+++ b/drivers/ntb/test/ntb_tool.c
-@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc)
- tc->peers[pidx].outmws =
- devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt,
- sizeof(*tc->peers[pidx].outmws), GFP_KERNEL);
-+ if (tc->peers[pidx].outmws == NULL)
-+ return -ENOMEM;
-
- for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) {
- tc->peers[pidx].outmws[widx].pidx = pidx;
---
-2.39.2
-
+++ /dev/null
-From 7b07412afefa9dcd30ba063fc844a1f2104b6fae Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 10 Nov 2022 23:19:17 +0800
-Subject: NTB: ntb_transport: fix possible memory leak while device_register()
- fails
-
-From: Yang Yingliang <yangyingliang@huawei.com>
-
-[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ]
-
-If device_register() returns error, the name allocated by
-dev_set_name() need be freed. As comment of device_register()
-says, it should use put_device() to give up the reference in
-the error path. So fix this by calling put_device(), then the
-name can be freed in kobject_cleanup(), and client_dev is freed
-in ntb_transport_client_release().
-
-Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support")
-Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
-Reviewed-by: Dave Jiang <dave.jiang@intel.com>
-Signed-off-by: Jon Mason <jdmason@kudzu.us>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/ntb/ntb_transport.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
-index 9398959664769..2d647a1cd0ee5 100644
---- a/drivers/ntb/ntb_transport.c
-+++ b/drivers/ntb/ntb_transport.c
-@@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name)
-
- rc = device_register(dev);
- if (rc) {
-- kfree(client_dev);
-+ put_device(dev);
- goto err;
- }
-
---
-2.39.2
-
+++ /dev/null
-From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001
-From: Robin Murphy <robin.murphy@arm.com>
-Date: Wed, 7 Jun 2023 18:18:47 +0100
-Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
-
-From: Robin Murphy <robin.murphy@arm.com>
-
-commit 88d341716b83abd355558523186ca488918627ee upstream.
-
-Marvell's own product brief implies the 92xx series are a closely related
-family, and sure enough it turns out that 9235 seems to need the same quirk
-as the other three, although possibly only when certain ports are used.
-
-Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/
-Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com
-Reported-by: Jason Adriaanse <jason_a69@yahoo.co.uk>
-Signed-off-by: Robin Murphy <robin.murphy@arm.com>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/quirks.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/pci/quirks.c
-+++ b/drivers/pci/quirks.c
-@@ -4074,6 +4074,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
- /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
- quirk_dma_func1_alias);
-+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235,
-+ quirk_dma_func1_alias);
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
- quirk_dma_func1_alias);
- DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
+++ /dev/null
-From 6c18e9d066dee0688410a364ac9344b0379068e1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 31 May 2023 18:27:44 +0800
-Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI
-
-From: Sui Jingfeng <suijingfeng@loongson.cn>
-
-[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ]
-
-Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that
-support both PCI and platform devices don't need #ifdefs or extra Kconfig
-symbols for the PCI parts.
-
-[bhelgaas: commit log]
-Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()")
-Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn
-Signed-off-by: Sui Jingfeng <suijingfeng@loongson.cn>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/pci.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/include/linux/pci.h b/include/linux/pci.h
-index 3e06e9790c255..1d1b0bfd51968 100644
---- a/include/linux/pci.h
-+++ b/include/linux/pci.h
-@@ -1643,6 +1643,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class,
- #define pci_dev_put(dev) do { } while (0)
-
- static inline void pci_set_master(struct pci_dev *dev) { }
-+static inline void pci_clear_master(struct pci_dev *dev) { }
- static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; }
- static inline void pci_disable_device(struct pci_dev *dev) { }
- static inline int pci_assign_resource(struct pci_dev *dev, int i)
---
-2.39.2
-
+++ /dev/null
-From 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 Mon Sep 17 00:00:00 2001
-From: Ondrej Zary <linux@zary.sk>
-Date: Wed, 14 Jun 2023 09:42:53 +0200
-Subject: PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
-
-From: Ondrej Zary <linux@zary.sk>
-
-commit 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 upstream.
-
-The quirk for Elo i2 introduced in commit 92597f97a40b ("PCI/PM: Avoid
-putting Elo i2 PCIe Ports in D3cold") is also needed by EloPOS E2/S2/H2
-which uses the same Continental Z2 board.
-
-Change the quirk to match the board instead of system.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=215715
-Link: https://lore.kernel.org/r/20230614074253.22318-1-linux@zary.sk
-Signed-off-by: Ondrej Zary <linux@zary.sk>
-Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/pci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
---- a/drivers/pci/pci.c
-+++ b/drivers/pci/pci.c
-@@ -2521,13 +2521,13 @@ static const struct dmi_system_id bridge
- {
- /*
- * Downstream device is not accessible after putting a root port
-- * into D3cold and back into D0 on Elo i2.
-+ * into D3cold and back into D0 on Elo Continental Z2 board
- */
-- .ident = "Elo i2",
-+ .ident = "Elo Continental Z2",
- .matches = {
-- DMI_MATCH(DMI_SYS_VENDOR, "Elo Touch Solutions"),
-- DMI_MATCH(DMI_PRODUCT_NAME, "Elo i2"),
-- DMI_MATCH(DMI_PRODUCT_VERSION, "RevB"),
-+ DMI_MATCH(DMI_BOARD_VENDOR, "Elo Touch Solutions"),
-+ DMI_MATCH(DMI_BOARD_NAME, "Geminilake"),
-+ DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"),
- },
- },
- #endif
+++ /dev/null
-From a33d700e8eea76c62120cb3dbf5e01328f18319a Mon Sep 17 00:00:00 2001
-From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
-Date: Mon, 19 Jun 2023 20:34:00 +0530
-Subject: PCI: qcom: Disable write access to read only registers for IP v2.3.3
-
-From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
-
-commit a33d700e8eea76c62120cb3dbf5e01328f18319a upstream.
-
-In the post init sequence of v2.9.0, write access to read only registers
-are not disabled after updating the registers. Fix it by disabling the
-access after register update.
-
-Link: https://lore.kernel.org/r/20230619150408.8468-2-manivannan.sadhasivam@linaro.org
-Fixes: 5d76117f070d ("PCI: qcom: Add support for IPQ8074 PCIe controller")
-Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/controller/dwc/pcie-qcom.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/pci/controller/dwc/pcie-qcom.c
-+++ b/drivers/pci/controller/dwc/pcie-qcom.c
-@@ -758,6 +758,8 @@ static int qcom_pcie_get_resources_2_4_0
- if (IS_ERR(res->phy_ahb_reset))
- return PTR_ERR(res->phy_ahb_reset);
-
-+ dw_pcie_dbi_ro_wr_dis(pci);
-+
- return 0;
- }
-
+++ /dev/null
-From 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 Mon Sep 17 00:00:00 2001
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Date: Tue, 18 Apr 2023 09:46:51 +0200
-Subject: PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
-
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-
-commit 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 upstream.
-
-The RK3399 PCIe controller should wait until the PHY PLLs are locked.
-Add poll and timeout to wait for PHY PLLs to be locked. If they cannot
-be locked generate error message and jump to error handler. Accessing
-registers in the PHY clock domain when PLLs are not locked causes hang
-The PHY PLLs status is checked through a side channel register.
-This is documented in the TRM section 17.5.8.1 "PCIe Initialization
-Sequence".
-
-Link: https://lore.kernel.org/r/20230418074700.1083505-5-rick.wertenbroek@gmail.com
-Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
-Tested-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/controller/pcie-rockchip.c | 17 +++++++++++++++++
- drivers/pci/controller/pcie-rockchip.h | 2 ++
- 2 files changed, 19 insertions(+)
-
---- a/drivers/pci/controller/pcie-rockchip.c
-+++ b/drivers/pci/controller/pcie-rockchip.c
-@@ -14,6 +14,7 @@
- #include <linux/clk.h>
- #include <linux/delay.h>
- #include <linux/gpio/consumer.h>
-+#include <linux/iopoll.h>
- #include <linux/of_pci.h>
- #include <linux/phy/phy.h>
- #include <linux/platform_device.h>
-@@ -154,6 +155,12 @@ int rockchip_pcie_parse_dt(struct rockch
- }
- EXPORT_SYMBOL_GPL(rockchip_pcie_parse_dt);
-
-+#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr)
-+/* 100 ms max wait time for PHY PLLs to lock */
-+#define RK_PHY_PLL_LOCK_TIMEOUT_US 100000
-+/* Sleep should be less than 20ms */
-+#define RK_PHY_PLL_LOCK_SLEEP_US 1000
-+
- int rockchip_pcie_init_port(struct rockchip_pcie *rockchip)
- {
- struct device *dev = rockchip->dev;
-@@ -255,6 +262,16 @@ int rockchip_pcie_init_port(struct rockc
- }
- }
-
-+ err = readx_poll_timeout(rockchip_pcie_read_addr,
-+ PCIE_CLIENT_SIDE_BAND_STATUS,
-+ regs, !(regs & PCIE_CLIENT_PHY_ST),
-+ RK_PHY_PLL_LOCK_SLEEP_US,
-+ RK_PHY_PLL_LOCK_TIMEOUT_US);
-+ if (err) {
-+ dev_err(dev, "PHY PLLs could not lock, %d\n", err);
-+ goto err_power_off_phy;
-+ }
-+
- /*
- * Please don't reorder the deassert sequence of the following
- * four reset pins.
---- a/drivers/pci/controller/pcie-rockchip.h
-+++ b/drivers/pci/controller/pcie-rockchip.h
-@@ -37,6 +37,8 @@
- #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0)
- #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0)
- #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080)
-+#define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20)
-+#define PCIE_CLIENT_PHY_ST BIT(12)
- #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c)
- #define PCIE_CLIENT_DEBUG_LTSSM_MASK GENMASK(5, 0)
- #define PCIE_CLIENT_DEBUG_LTSSM_L1 0x18
+++ /dev/null
-From f397fd4ac1fa3afcabd8cee030f953ccaed2a364 Mon Sep 17 00:00:00 2001
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Date: Tue, 18 Apr 2023 09:46:50 +0200
-Subject: PCI: rockchip: Assert PCI Configuration Enable bit after probe
-
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-
-commit f397fd4ac1fa3afcabd8cee030f953ccaed2a364 upstream.
-
-Assert PCI Configuration Enable bit after probe. When this bit is left to
-0 in the endpoint mode, the RK3399 PCIe endpoint core will generate
-configuration request retry status (CRS) messages back to the root complex.
-Assert this bit after probe to allow the RK3399 PCIe endpoint core to reply
-to configuration requests from the root complex.
-This is documented in section 17.5.8.1.2 of the RK3399 TRM.
-
-Link: https://lore.kernel.org/r/20230418074700.1083505-4-rick.wertenbroek@gmail.com
-Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
-Tested-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/controller/pcie-rockchip-ep.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/drivers/pci/controller/pcie-rockchip-ep.c
-+++ b/drivers/pci/controller/pcie-rockchip-ep.c
-@@ -620,6 +620,9 @@ static int rockchip_pcie_ep_probe(struct
-
- ep->irq_pci_addr = ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR;
-
-+ rockchip_pcie_write(rockchip, PCIE_CLIENT_CONF_ENABLE,
-+ PCIE_CLIENT_CONFIG);
-+
- return 0;
- err_epc_mem_exit:
- pci_epc_mem_exit(epc);
+++ /dev/null
-From 166e89d99dd85a856343cca51eee781b793801f2 Mon Sep 17 00:00:00 2001
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Date: Tue, 18 Apr 2023 09:46:54 +0200
-Subject: PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core
-
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-
-commit 166e89d99dd85a856343cca51eee781b793801f2 upstream.
-
-Fix legacy IRQ generation for RK3399 PCIe endpoint core according to
-the technical reference manual (TRM). Assert and deassert legacy
-interrupt (INTx) through the legacy interrupt control register
-("PCIE_CLIENT_LEGACY_INT_CTRL") instead of manually generating a PCIe
-message. The generation of the legacy interrupt was tested and validated
-with the PCIe endpoint test driver.
-
-Link: https://lore.kernel.org/r/20230418074700.1083505-8-rick.wertenbroek@gmail.com
-Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
-Tested-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/controller/pcie-rockchip-ep.c | 45 +++++++-----------------------
- drivers/pci/controller/pcie-rockchip.h | 6 +++-
- 2 files changed, 16 insertions(+), 35 deletions(-)
-
---- a/drivers/pci/controller/pcie-rockchip-ep.c
-+++ b/drivers/pci/controller/pcie-rockchip-ep.c
-@@ -346,48 +346,25 @@ static int rockchip_pcie_ep_get_msi(stru
- }
-
- static void rockchip_pcie_ep_assert_intx(struct rockchip_pcie_ep *ep, u8 fn,
-- u8 intx, bool is_asserted)
-+ u8 intx, bool do_assert)
- {
- struct rockchip_pcie *rockchip = &ep->rockchip;
-- u32 r = ep->max_regions - 1;
-- u32 offset;
-- u32 status;
-- u8 msg_code;
--
-- if (unlikely(ep->irq_pci_addr != ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR ||
-- ep->irq_pci_fn != fn)) {
-- rockchip_pcie_prog_ep_ob_atu(rockchip, fn, r,
-- AXI_WRAPPER_NOR_MSG,
-- ep->irq_phys_addr, 0, 0);
-- ep->irq_pci_addr = ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR;
-- ep->irq_pci_fn = fn;
-- }
-
- intx &= 3;
-- if (is_asserted) {
-+
-+ if (do_assert) {
- ep->irq_pending |= BIT(intx);
-- msg_code = ROCKCHIP_PCIE_MSG_CODE_ASSERT_INTA + intx;
-+ rockchip_pcie_write(rockchip,
-+ PCIE_CLIENT_INT_IN_ASSERT |
-+ PCIE_CLIENT_INT_PEND_ST_PEND,
-+ PCIE_CLIENT_LEGACY_INT_CTRL);
- } else {
- ep->irq_pending &= ~BIT(intx);
-- msg_code = ROCKCHIP_PCIE_MSG_CODE_DEASSERT_INTA + intx;
-+ rockchip_pcie_write(rockchip,
-+ PCIE_CLIENT_INT_IN_DEASSERT |
-+ PCIE_CLIENT_INT_PEND_ST_NORMAL,
-+ PCIE_CLIENT_LEGACY_INT_CTRL);
- }
--
-- status = rockchip_pcie_read(rockchip,
-- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) +
-- ROCKCHIP_PCIE_EP_CMD_STATUS);
-- status &= ROCKCHIP_PCIE_EP_CMD_STATUS_IS;
--
-- if ((status != 0) ^ (ep->irq_pending != 0)) {
-- status ^= ROCKCHIP_PCIE_EP_CMD_STATUS_IS;
-- rockchip_pcie_write(rockchip, status,
-- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) +
-- ROCKCHIP_PCIE_EP_CMD_STATUS);
-- }
--
-- offset =
-- ROCKCHIP_PCIE_MSG_ROUTING(ROCKCHIP_PCIE_MSG_ROUTING_LOCAL_INTX) |
-- ROCKCHIP_PCIE_MSG_CODE(msg_code) | ROCKCHIP_PCIE_MSG_NO_DATA;
-- writel(0, ep->irq_cpu_addr + offset);
- }
-
- static int rockchip_pcie_ep_send_legacy_irq(struct rockchip_pcie_ep *ep, u8 fn,
---- a/drivers/pci/controller/pcie-rockchip.h
-+++ b/drivers/pci/controller/pcie-rockchip.h
-@@ -37,6 +37,11 @@
- #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0)
- #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0)
- #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080)
-+#define PCIE_CLIENT_LEGACY_INT_CTRL (PCIE_CLIENT_BASE + 0x0c)
-+#define PCIE_CLIENT_INT_IN_ASSERT HIWORD_UPDATE_BIT(0x0002)
-+#define PCIE_CLIENT_INT_IN_DEASSERT HIWORD_UPDATE(0x0002, 0)
-+#define PCIE_CLIENT_INT_PEND_ST_PEND HIWORD_UPDATE_BIT(0x0001)
-+#define PCIE_CLIENT_INT_PEND_ST_NORMAL HIWORD_UPDATE(0x0001, 0)
- #define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20)
- #define PCIE_CLIENT_PHY_ST BIT(12)
- #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c)
-@@ -234,7 +239,6 @@
- #define ROCKCHIP_PCIE_EP_MSI_CTRL_ME BIT(16)
- #define ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24)
- #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1
--#define ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR 0x3
- #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12))
- #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \
- (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008)
+++ /dev/null
-From 8962b2cb39119cbda4fc69a1f83957824f102f81 Mon Sep 17 00:00:00 2001
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Date: Tue, 18 Apr 2023 09:46:56 +0200
-Subject: PCI: rockchip: Use u32 variable to access 32-bit registers
-
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-
-commit 8962b2cb39119cbda4fc69a1f83957824f102f81 upstream.
-
-Previously u16 variables were used to access 32-bit registers, this
-resulted in not all of the data being read from the registers. Also
-the left shift of more than 16-bits would result in moving data out
-of the variable. Use u32 variables to access 32-bit registers
-
-Link: https://lore.kernel.org/r/20230418074700.1083505-10-rick.wertenbroek@gmail.com
-Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
-Tested-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/controller/pcie-rockchip-ep.c | 10 +++++-----
- drivers/pci/controller/pcie-rockchip.h | 1 +
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
---- a/drivers/pci/controller/pcie-rockchip-ep.c
-+++ b/drivers/pci/controller/pcie-rockchip-ep.c
-@@ -313,15 +313,15 @@ static int rockchip_pcie_ep_set_msi(stru
- {
- struct rockchip_pcie_ep *ep = epc_get_drvdata(epc);
- struct rockchip_pcie *rockchip = &ep->rockchip;
-- u16 flags;
-+ u32 flags;
-
- flags = rockchip_pcie_read(rockchip,
- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) +
- ROCKCHIP_PCIE_EP_MSI_CTRL_REG);
- flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK;
- flags |=
-- ((multi_msg_cap << 1) << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) |
-- PCI_MSI_FLAGS_64BIT;
-+ (multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) |
-+ (PCI_MSI_FLAGS_64BIT << ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET);
- flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP;
- rockchip_pcie_write(rockchip, flags,
- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) +
-@@ -333,7 +333,7 @@ static int rockchip_pcie_ep_get_msi(stru
- {
- struct rockchip_pcie_ep *ep = epc_get_drvdata(epc);
- struct rockchip_pcie *rockchip = &ep->rockchip;
-- u16 flags;
-+ u32 flags;
-
- flags = rockchip_pcie_read(rockchip,
- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) +
-@@ -394,7 +394,7 @@ static int rockchip_pcie_ep_send_msi_irq
- u8 interrupt_num)
- {
- struct rockchip_pcie *rockchip = &ep->rockchip;
-- u16 flags, mme, data, data_mask;
-+ u32 flags, mme, data, data_mask;
- u8 msi_count;
- u64 pci_addr, pci_addr_mask = 0xff;
-
---- a/drivers/pci/controller/pcie-rockchip.h
-+++ b/drivers/pci/controller/pcie-rockchip.h
-@@ -232,6 +232,7 @@
- #define ROCKCHIP_PCIE_EP_CMD_STATUS 0x4
- #define ROCKCHIP_PCIE_EP_CMD_STATUS_IS BIT(19)
- #define ROCKCHIP_PCIE_EP_MSI_CTRL_REG 0x90
-+#define ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET 16
- #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET 17
- #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK GENMASK(19, 17)
- #define ROCKCHIP_PCIE_EP_MSI_CTRL_MME_OFFSET 20
+++ /dev/null
-From 1f1c42ece18de365c976a060f3c8eb481b038e3a Mon Sep 17 00:00:00 2001
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Date: Tue, 18 Apr 2023 09:46:49 +0200
-Subject: PCI: rockchip: Write PCI Device ID to correct register
-
-From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-
-commit 1f1c42ece18de365c976a060f3c8eb481b038e3a upstream.
-
-Write PCI Device ID (DID) to the correct register. The Device ID was not
-updated through the correct register. Device ID was written to a read-only
-register and therefore did not work. The Device ID is now set through the
-correct register. This is documented in the RK3399 TRM section 17.6.6.1.1
-
-Link: https://lore.kernel.org/r/20230418074700.1083505-3-rick.wertenbroek@gmail.com
-Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
-Tested-by: Damien Le Moal <dlemoal@kernel.org>
-Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
-Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
-Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pci/controller/pcie-rockchip-ep.c | 6 ++++--
- drivers/pci/controller/pcie-rockchip.h | 2 ++
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/pci/controller/pcie-rockchip-ep.c
-+++ b/drivers/pci/controller/pcie-rockchip-ep.c
-@@ -124,6 +124,7 @@ static void rockchip_pcie_prog_ep_ob_atu
- static int rockchip_pcie_ep_write_header(struct pci_epc *epc, u8 fn,
- struct pci_epf_header *hdr)
- {
-+ u32 reg;
- struct rockchip_pcie_ep *ep = epc_get_drvdata(epc);
- struct rockchip_pcie *rockchip = &ep->rockchip;
-
-@@ -136,8 +137,9 @@ static int rockchip_pcie_ep_write_header
- PCIE_CORE_CONFIG_VENDOR);
- }
-
-- rockchip_pcie_write(rockchip, hdr->deviceid << 16,
-- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + PCI_VENDOR_ID);
-+ reg = rockchip_pcie_read(rockchip, PCIE_EP_CONFIG_DID_VID);
-+ reg = (reg & 0xFFFF) | (hdr->deviceid << 16);
-+ rockchip_pcie_write(rockchip, reg, PCIE_EP_CONFIG_DID_VID);
-
- rockchip_pcie_write(rockchip,
- hdr->revid |
---- a/drivers/pci/controller/pcie-rockchip.h
-+++ b/drivers/pci/controller/pcie-rockchip.h
-@@ -132,6 +132,8 @@
- #define PCIE_RC_RP_ATS_BASE 0x400000
- #define PCIE_RC_CONFIG_NORMAL_BASE 0x800000
- #define PCIE_RC_CONFIG_BASE 0xa00000
-+#define PCIE_EP_CONFIG_BASE 0xa00000
-+#define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00)
- #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08)
- #define PCIE_RC_CONFIG_SCC_SHIFT 16
- #define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4)
+++ /dev/null
-From 1305047881df831eb992b45f8488e5dbc824694f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 12 Jun 2023 16:41:01 -0700
-Subject: perf dwarf-aux: Fix off-by-one in die_get_varname()
-
-From: Namhyung Kim <namhyung@kernel.org>
-
-[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ]
-
-The die_get_varname() returns "(unknown_type)" string if it failed to
-find a type for the variable. But it had a space before the opening
-parenthesis and it made the closing parenthesis cut off due to the
-off-by-one in the string length (14).
-
-Signed-off-by: Namhyung Kim <namhyung@kernel.org>
-Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method")
-Cc: Adrian Hunter <adrian.hunter@intel.com>
-Cc: Ian Rogers <irogers@google.com>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Jiri Olsa <jolsa@kernel.org>
-Cc: Masami Hiramatsu <mhiramat@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- tools/perf/util/dwarf-aux.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
-index 6de57d9ee7cc2..db099dc20a682 100644
---- a/tools/perf/util/dwarf-aux.c
-+++ b/tools/perf/util/dwarf-aux.c
-@@ -1020,7 +1020,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf)
- ret = die_get_typename(vr_die, buf);
- if (ret < 0) {
- pr_debug("Failed to get type, make it unknown.\n");
-- ret = strbuf_add(buf, " (unknown_type)", 14);
-+ ret = strbuf_add(buf, "(unknown_type)", 14);
- }
-
- return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die));
---
-2.39.2
-
+++ /dev/null
-From 430635a0ef1ce958b7b4311f172694ece2c692b8 Mon Sep 17 00:00:00 2001
-From: Adrian Hunter <adrian.hunter@intel.com>
-Date: Mon, 3 Apr 2023 18:48:31 +0300
-Subject: perf intel-pt: Fix CYC timestamps after standalone CBR
-
-From: Adrian Hunter <adrian.hunter@intel.com>
-
-commit 430635a0ef1ce958b7b4311f172694ece2c692b8 upstream.
-
-After a standalone CBR (not associated with TSC), update the cycles
-reference timestamp and reset the cycle count, so that CYC timestamps
-are calculated relative to that point with the new frequency.
-
-Fixes: cc33618619cefc6d ("perf tools: Add Intel PT support for decoding CYC packets")
-Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
-Cc: Adrian Hunter <adrian.hunter@intel.com>
-Cc: Ian Rogers <irogers@google.com>
-Cc: Jiri Olsa <jolsa@kernel.org>
-Cc: Namhyung Kim <namhyung@kernel.org>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230403154831.8651-2-adrian.hunter@intel.com
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
-+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
-@@ -1499,6 +1499,8 @@ static void intel_pt_calc_cbr(struct int
-
- decoder->cbr = cbr;
- decoder->cbr_cyc_to_tsc = decoder->max_non_turbo_ratio_fp / cbr;
-+ decoder->cyc_ref_timestamp = decoder->timestamp;
-+ decoder->cycle_cnt = 0;
- }
-
- static void intel_pt_calc_cyc_timestamp(struct intel_pt_decoder *decoder)
+++ /dev/null
-From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Georg=20M=C3=BCller?= <georgmueller@gmx.net>
-Date: Wed, 28 Jun 2023 10:45:50 +0200
-Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Georg Müller <georgmueller@gmx.net>
-
-commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream.
-
-This patch adds a test to validate that 'perf probe' works for binaries
-where DWARF info is split into multiple CUs
-
-Signed-off-by: Georg Müller <georgmueller@gmx.net>
-Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
-Cc: Adrian Hunter <adrian.hunter@intel.com>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Ian Rogers <irogers@google.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Jiri Olsa <jolsa@kernel.org>
-Cc: Mark Rutland <mark.rutland@arm.com>
-Cc: Namhyung Kim <namhyung@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: regressions@lists.linux.dev
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++
- 1 file changed, 77 insertions(+)
- create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh
-
---- /dev/null
-+++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh
-@@ -0,0 +1,77 @@
-+#!/bin/bash
-+# test perf probe of function from different CU
-+# SPDX-License-Identifier: GPL-2.0
-+
-+set -e
-+
-+temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX)
-+
-+cleanup()
-+{
-+ trap - EXIT TERM INT
-+ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then
-+ echo "--- Cleaning up ---"
-+ perf probe -x ${temp_dir}/testfile -d foo
-+ rm -f "${temp_dir}/"*
-+ rmdir "${temp_dir}"
-+ fi
-+}
-+
-+trap_cleanup()
-+{
-+ cleanup
-+ exit 1
-+}
-+
-+trap trap_cleanup EXIT TERM INT
-+
-+cat > ${temp_dir}/testfile-foo.h << EOF
-+struct t
-+{
-+ int *p;
-+ int c;
-+};
-+
-+extern int foo (int i, struct t *t);
-+EOF
-+
-+cat > ${temp_dir}/testfile-foo.c << EOF
-+#include "testfile-foo.h"
-+
-+int
-+foo (int i, struct t *t)
-+{
-+ int j, res = 0;
-+ for (j = 0; j < i && j < t->c; j++)
-+ res += t->p[j];
-+
-+ return res;
-+}
-+EOF
-+
-+cat > ${temp_dir}/testfile-main.c << EOF
-+#include "testfile-foo.h"
-+
-+static struct t g;
-+
-+int
-+main (int argc, char **argv)
-+{
-+ int i;
-+ int j[argc];
-+ g.c = argc;
-+ g.p = j;
-+ for (i = 0; i < argc; i++)
-+ j[i] = (int) argv[i][0];
-+ return foo (3, &g);
-+}
-+EOF
-+
-+gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o
-+gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o
-+gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o
-+
-+perf probe -x ${temp_dir}/testfile --funcs foo
-+perf probe -x ${temp_dir}/testfile foo
-+
-+cleanup
+++ /dev/null
-From 968ab9261627fa305307e3935ca1a32fcddd36cb Mon Sep 17 00:00:00 2001
-From: Mario Limonciello <mario.limonciello@amd.com>
-Date: Fri, 21 Apr 2023 07:06:21 -0500
-Subject: pinctrl: amd: Detect internal GPIO0 debounce handling
-
-From: Mario Limonciello <mario.limonciello@amd.com>
-
-commit 968ab9261627fa305307e3935ca1a32fcddd36cb upstream.
-
-commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe")
-had a mistake in loop iteration 63 that it would clear offset 0xFC instead
-of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was
-clearing bits 13 and 15 from the register which significantly changed the
-expected handling for some platforms for GPIO0.
-
-commit b26cd9325be4 ("pinctrl: amd: Disable and mask interrupts on resume")
-actually fixed this bug, but lead to regressions on Lenovo Z13 and some
-other systems. This is because there was no handling in the driver for bit
-15 debounce behavior.
-
-Quoting a public BKDG:
-```
-EnWinBlueBtn. Read-write. Reset: 0. 0=GPIO0 detect debounced power button;
-Power button override is 4 seconds. 1=GPIO0 detect debounced power button
-in S3/S5/S0i3, and detect "pressed less than 2 seconds" and "pressed 2~10
-seconds" in S0; Power button override is 10 seconds
-```
-
-Cross referencing the same master register in Windows it's obvious that
-Windows doesn't use debounce values in this configuration. So align the
-Linux driver to do this as well. This fixes wake on lid when
-WAKE_INT_MASTER_REG is properly programmed.
-
-Cc: stable@vger.kernel.org
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315
-Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
-Link: https://lore.kernel.org/r/20230421120625.3366-2-mario.limonciello@amd.com
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pinctrl/pinctrl-amd.c | 7 +++++++
- drivers/pinctrl/pinctrl-amd.h | 1 +
- 2 files changed, 8 insertions(+)
-
---- a/drivers/pinctrl/pinctrl-amd.c
-+++ b/drivers/pinctrl/pinctrl-amd.c
-@@ -127,6 +127,12 @@ static int amd_gpio_set_debounce(struct
- struct amd_gpio *gpio_dev = gpiochip_get_data(gc);
-
- raw_spin_lock_irqsave(&gpio_dev->lock, flags);
-+
-+ /* Use special handling for Pin0 debounce */
-+ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG);
-+ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE)
-+ debounce = 0;
-+
- pin_reg = readl(gpio_dev->base + offset * 4);
-
- if (debounce) {
-@@ -216,6 +222,7 @@ static void amd_gpio_dbg_show(struct seq
- char *output_value;
- char *output_enable;
-
-+ seq_printf(s, "WAKE_INT_MASTER_REG: 0x%08x\n", readl(gpio_dev->base + WAKE_INT_MASTER_REG));
- for (bank = 0; bank < gpio_dev->hwbank_num; bank++) {
- seq_printf(s, "GPIO bank%d\t", bank);
-
---- a/drivers/pinctrl/pinctrl-amd.h
-+++ b/drivers/pinctrl/pinctrl-amd.h
-@@ -21,6 +21,7 @@
- #define AMD_GPIO_PINS_BANK3 32
-
- #define WAKE_INT_MASTER_REG 0xfc
-+#define INTERNAL_GPIO0_DEBOUNCE (1 << 15)
- #define EOI_MASK (1 << 29)
-
- #define WAKE_INT_STATUS_REG0 0x2f8
+++ /dev/null
-From a855724dc08b8cb0c13ab1e065a4922f1e5a7552 Mon Sep 17 00:00:00 2001
-From: Mario Limonciello <mario.limonciello@amd.com>
-Date: Fri, 21 Apr 2023 07:06:22 -0500
-Subject: pinctrl: amd: Fix mistake in handling clearing pins at startup
-
-From: Mario Limonciello <mario.limonciello@amd.com>
-
-commit a855724dc08b8cb0c13ab1e065a4922f1e5a7552 upstream.
-
-commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe")
-had a mistake in loop iteration 63 that it would clear offset 0xFC instead
-of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was
-clearing bits 13 and 15 from the register which significantly changed the
-expected handling for some platforms for GPIO0.
-
-Cc: stable@vger.kernel.org
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315
-Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
-Link: https://lore.kernel.org/r/20230421120625.3366-3-mario.limonciello@amd.com
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pinctrl/pinctrl-amd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/pinctrl/pinctrl-amd.c
-+++ b/drivers/pinctrl/pinctrl-amd.c
-@@ -794,9 +794,9 @@ static void amd_gpio_irq_init(struct amd
-
- raw_spin_lock_irqsave(&gpio_dev->lock, flags);
-
-- pin_reg = readl(gpio_dev->base + i * 4);
-+ pin_reg = readl(gpio_dev->base + pin * 4);
- pin_reg &= ~mask;
-- writel(pin_reg, gpio_dev->base + i * 4);
-+ writel(pin_reg, gpio_dev->base + pin * 4);
-
- raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
- }
+++ /dev/null
-From 0d5ace1a07f7e846d0f6d972af60d05515599d0b Mon Sep 17 00:00:00 2001
-From: Mario Limonciello <mario.limonciello@amd.com>
-Date: Wed, 5 Jul 2023 08:30:02 -0500
-Subject: pinctrl: amd: Only use special debounce behavior for GPIO 0
-
-From: Mario Limonciello <mario.limonciello@amd.com>
-
-commit 0d5ace1a07f7e846d0f6d972af60d05515599d0b upstream.
-
-It's uncommon to use debounce on any other pin, but technically
-we should only set debounce to 0 when working off GPIO0.
-
-Cc: stable@vger.kernel.org
-Tested-by: Jan Visser <starquake@linuxeverywhere.org>
-Fixes: 968ab9261627 ("pinctrl: amd: Detect internal GPIO0 debounce handling")
-Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
-Link: https://lore.kernel.org/r/20230705133005.577-2-mario.limonciello@amd.com
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pinctrl/pinctrl-amd.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
---- a/drivers/pinctrl/pinctrl-amd.c
-+++ b/drivers/pinctrl/pinctrl-amd.c
-@@ -129,9 +129,11 @@ static int amd_gpio_set_debounce(struct
- raw_spin_lock_irqsave(&gpio_dev->lock, flags);
-
- /* Use special handling for Pin0 debounce */
-- pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG);
-- if (pin_reg & INTERNAL_GPIO0_DEBOUNCE)
-- debounce = 0;
-+ if (offset == 0) {
-+ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG);
-+ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE)
-+ debounce = 0;
-+ }
-
- pin_reg = readl(gpio_dev->base + offset * 4);
-
+++ /dev/null
-From c6a53f20f6bffc5450fcb9e1b763e8c839407eb2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 5 Jul 2023 08:30:03 -0500
-Subject: pinctrl: amd: Use amd_pinconf_set() for all config options
-
-From: Mario Limonciello <mario.limonciello@amd.com>
-
-[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ]
-
-On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to
-GPIO 7 is causing an interrupt storm. This issue doesn't happen on
-Windows.
-
-Comparing the GPIO register configuration between Windows and Linux
-bit 20 has been configured as a pull up on Windows, but not on Linux.
-Checking GPIO declaration from the firmware it is clear it *should* have
-been a pull up on Linux as well.
-
-```
-GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000,
- "\\_SB.GPIO", 0x00, ResourceConsumer, ,)
-{ // Pin list
-0x0007
-}
-```
-
-On Linux amd_gpio_set_config() is currently only used for programming
-the debounce. Actually the GPIO core calls it with all the arguments
-that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`.
-
-To solve this issue expand amd_gpio_set_config() to support the other
-arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`,
-`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`.
-
-Reported-by: Nik P <npliashechnikov@gmail.com>
-Reported-by: Nathan Schulte <nmschulte@gmail.com>
-Reported-by: Friedrich Vock <friedrich.vock@gmx.de>
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336
-Reported-by: dridri85@gmail.com
-Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493
-Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/
-Tested-by: Jan Visser <starquake@linuxeverywhere.org>
-Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips")
-Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
-Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c
-index d5f5661de13c6..c140ee16fe7c8 100644
---- a/drivers/pinctrl/pinctrl-amd.c
-+++ b/drivers/pinctrl/pinctrl-amd.c
-@@ -190,18 +190,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset,
- return ret;
- }
-
--static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset,
-- unsigned long config)
--{
-- u32 debounce;
--
-- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE)
-- return -ENOTSUPP;
--
-- debounce = pinconf_to_config_argument(config);
-- return amd_gpio_set_debounce(gc, offset, debounce);
--}
--
- #ifdef CONFIG_DEBUG_FS
- static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc)
- {
-@@ -686,7 +674,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev,
- }
-
- static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin,
-- unsigned long *configs, unsigned num_configs)
-+ unsigned long *configs, unsigned int num_configs)
- {
- int i;
- u32 arg;
-@@ -776,6 +764,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev,
- return 0;
- }
-
-+static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin,
-+ unsigned long config)
-+{
-+ struct amd_gpio *gpio_dev = gpiochip_get_data(gc);
-+
-+ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) {
-+ u32 debounce = pinconf_to_config_argument(config);
-+
-+ return amd_gpio_set_debounce(gc, pin, debounce);
-+ }
-+
-+ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1);
-+}
-+
- static const struct pinconf_ops amd_pinconf_ops = {
- .pin_config_get = amd_pinconf_get,
- .pin_config_set = amd_pinconf_set,
---
-2.39.2
-
+++ /dev/null
-From 8cc3629d359b1617fe9c7a963a43fb802602ce1f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 15 Jun 2023 13:53:33 +0300
-Subject: pinctrl: at91-pio4: check return value of devm_kasprintf()
-
-From: Claudiu Beznea <claudiu.beznea@microchip.com>
-
-[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ]
-
-devm_kasprintf() returns a pointer to dynamically allocated memory.
-Pointer could be NULL in case allocation fails. Check pointer validity.
-Identified with coccinelle (kmerr.cocci script).
-
-Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
-Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
-Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
-Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
-Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
-index 5b883eb49ce92..cbbda24bf6a80 100644
---- a/drivers/pinctrl/pinctrl-at91-pio4.c
-+++ b/drivers/pinctrl/pinctrl-at91-pio4.c
-@@ -1024,6 +1024,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev)
- /* Pin naming convention: P(bank_name)(bank_pin_number). */
- pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d",
- bank + 'A', line);
-+ if (!pin_desc[i].name)
-+ return -ENOMEM;
-
- group->name = group_names[i] = pin_desc[i].name;
- group->pin = pin_desc[i].number;
---
-2.39.2
-
+++ /dev/null
-From 1dab81b0371c72df1a682c0bb10383010b482841 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 5 Jun 2023 17:37:34 +0300
-Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode
-
-From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-
-[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ]
-
-Currently the getter returns ENOTSUPP on pin configured in
-the push-pull mode. Fix this by adding the missed switch case.
-
-Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config")
-Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support")
-Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
-index 25932d2a71547..ef8eb42e4d383 100644
---- a/drivers/pinctrl/intel/pinctrl-cherryview.c
-+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
-@@ -1032,11 +1032,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
-
- break;
-
-- case PIN_CONFIG_DRIVE_OPEN_DRAIN:
-- if (!(ctrl1 & CHV_PADCTRL1_ODEN))
-- return -EINVAL;
-- break;
--
- case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {
- u32 cfg;
-
-@@ -1046,6 +1041,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
- return -EINVAL;
-
- break;
-+
-+ case PIN_CONFIG_DRIVE_PUSH_PULL:
-+ if (ctrl1 & CHV_PADCTRL1_ODEN)
-+ return -EINVAL;
-+ break;
-+
-+ case PIN_CONFIG_DRIVE_OPEN_DRAIN:
-+ if (!(ctrl1 & CHV_PADCTRL1_ODEN))
-+ return -EINVAL;
-+ break;
- }
-
- default:
---
-2.39.2
-
+++ /dev/null
-From ef15279e88446b0b4c31771ab1aca4bdc6714705 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 18 Apr 2023 06:07:43 -0700
-Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
-
-From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
-
-[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
-
-Currently, while calculating residency and latency values, right
-operands may overflow if resulting values are big enough.
-
-To prevent this, albeit unlikely case, play it safe and convert
-right operands to left ones' type s64.
-
-Found by Linux Verification Center (linuxtesting.org) with static
-analysis tool SVACE.
-
-Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
-Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
-Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/base/power/domain.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
-index e865aa4b25047..b32d3cf4f670d 100644
---- a/drivers/base/power/domain.c
-+++ b/drivers/base/power/domain.c
-@@ -2433,10 +2433,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
-
- err = of_property_read_u32(state_node, "min-residency-us", &residency);
- if (!err)
-- genpd_state->residency_ns = 1000 * residency;
-+ genpd_state->residency_ns = 1000LL * residency;
-
-- genpd_state->power_on_latency_ns = 1000 * exit_latency;
-- genpd_state->power_off_latency_ns = 1000 * entry_latency;
-+ genpd_state->power_on_latency_ns = 1000LL * exit_latency;
-+ genpd_state->power_off_latency_ns = 1000LL * entry_latency;
- genpd_state->fwnode = &state_node->fwnode;
-
- return 0;
---
-2.39.2
-
+++ /dev/null
-From deabead3b46d4d115d9fd90afe2b7dbebe10919a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 1 Jun 2023 20:58:47 +0200
-Subject: posix-timers: Ensure timer ID search-loop limit is valid
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ]
-
-posix_timer_add() tries to allocate a posix timer ID by starting from the
-cached ID which was stored by the last successful allocation.
-
-This is done in a loop searching the ID space for a free slot one by
-one. The loop has to terminate when the search wrapped around to the
-starting point.
-
-But that's racy vs. establishing the starting point. That is read out
-lockless, which leads to the following problem:
-
-CPU0 CPU1
-posix_timer_add()
- start = sig->posix_timer_id;
- lock(hash_lock);
- ... posix_timer_add()
- if (++sig->posix_timer_id < 0)
- start = sig->posix_timer_id;
- sig->posix_timer_id = 0;
-
-So CPU1 can observe a negative start value, i.e. -1, and the loop break
-never happens because the condition can never be true:
-
- if (sig->posix_timer_id == start)
- break;
-
-While this is unlikely to ever turn into an endless loop as the ID space is
-huge (INT_MAX), the racy read of the start value caught the attention of
-KCSAN and Dmitry unearthed that incorrectness.
-
-Rewrite it so that all id operations are under the hash lock.
-
-Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
-Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/sched/signal.h | 2 +-
- kernel/time/posix-timers.c | 31 ++++++++++++++++++-------------
- 2 files changed, 19 insertions(+), 14 deletions(-)
-
-diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
-index 660d78c9af6c8..6a55b30ae742b 100644
---- a/include/linux/sched/signal.h
-+++ b/include/linux/sched/signal.h
-@@ -127,7 +127,7 @@ struct signal_struct {
- #ifdef CONFIG_POSIX_TIMERS
-
- /* POSIX.1b Interval Timers */
-- int posix_timer_id;
-+ unsigned int next_posix_timer_id;
- struct list_head posix_timers;
-
- /* ITIMER_REAL timer for the process */
-diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
-index 1234868b3b03e..8768ce2c4bf52 100644
---- a/kernel/time/posix-timers.c
-+++ b/kernel/time/posix-timers.c
-@@ -159,25 +159,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id)
- static int posix_timer_add(struct k_itimer *timer)
- {
- struct signal_struct *sig = current->signal;
-- int first_free_id = sig->posix_timer_id;
- struct hlist_head *head;
-- int ret = -ENOENT;
-+ unsigned int cnt, id;
-
-- do {
-+ /*
-+ * FIXME: Replace this by a per signal struct xarray once there is
-+ * a plan to handle the resulting CRIU regression gracefully.
-+ */
-+ for (cnt = 0; cnt <= INT_MAX; cnt++) {
- spin_lock(&hash_lock);
-- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)];
-- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) {
-+ id = sig->next_posix_timer_id;
-+
-+ /* Write the next ID back. Clamp it to the positive space */
-+ sig->next_posix_timer_id = (id + 1) & INT_MAX;
-+
-+ head = &posix_timers_hashtable[hash(sig, id)];
-+ if (!__posix_timers_find(head, sig, id)) {
- hlist_add_head_rcu(&timer->t_hash, head);
-- ret = sig->posix_timer_id;
-+ spin_unlock(&hash_lock);
-+ return id;
- }
-- if (++sig->posix_timer_id < 0)
-- sig->posix_timer_id = 0;
-- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT))
-- /* Loop over all possible ids completed */
-- ret = -EAGAIN;
- spin_unlock(&hash_lock);
-- } while (ret == -ENOENT);
-- return ret;
-+ }
-+ /* POSIX return code when no timer ID could be allocated */
-+ return -EAGAIN;
- }
-
- static inline void unlock_timer(struct k_itimer *timr, unsigned long flags)
---
-2.39.2
-
+++ /dev/null
-From a91683b99e01be25196c16b35ce56179ca1665f2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 30 Jun 2023 22:47:12 -0700
-Subject: powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Randy Dunlap <rdunlap@infradead.org>
-
-[ Upstream commit 39f49684036d24af800ff194c33c7b2653c591d7 ]
-
-In a randconfig with CONFIG_SERIAL_CPM=m and
-CONFIG_PPC_EARLY_DEBUG_CPM=y, there is a build error:
-ERROR: modpost: "udbg_putc" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!
-
-Prevent the build error by allowing PPC_EARLY_DEBUG_CPM only when
-SERIAL_CPM=y.
-
-Fixes: c374e00e17f1 ("[POWERPC] Add early debug console for CPM serial ports.")
-Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
-Reviewed-by: Pali Rohár <pali@kernel.org>
-Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/20230701054714.30512-1-rdunlap@infradead.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/Kconfig.debug | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
-index ffe0cf0f0bea2..923b3b794d13f 100644
---- a/arch/powerpc/Kconfig.debug
-+++ b/arch/powerpc/Kconfig.debug
-@@ -232,7 +232,7 @@ config PPC_EARLY_DEBUG_40x
-
- config PPC_EARLY_DEBUG_CPM
- bool "Early serial debugging for Freescale CPM-based serial ports"
-- depends on SERIAL_CPM
-+ depends on SERIAL_CPM=y
- help
- Select this to enable early debugging for Freescale chips
- using a CPM-based serial port. This assumes that the bootwrapper
---
-2.39.2
-
+++ /dev/null
-From 538cb4b674cd354c9bbdaaf06670cfdf71f72bca Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 13 Apr 2023 08:12:28 -0700
-Subject: radeon: avoid double free in ci_dpm_init()
-
-From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
-
-[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ]
-
-Several calls to ci_dpm_fini() will attempt to free resources that
-either have been freed before or haven't been allocated yet. This
-may lead to undefined or dangerous behaviour.
-
-For instance, if r600_parse_extended_power_table() fails, it might
-call r600_free_extended_power_table() as will ci_dpm_fini() later
-during error handling.
-
-Fix this by only freeing pointers to objects previously allocated.
-
-Found by Linux Verification Center (linuxtesting.org) with static
-analysis tool SVACE.
-
-Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)")
-Co-developed-by: Natalia Petrova <n.petrova@fintech.ru>
-Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++--------
- 1 file changed, 20 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c
-index 90c1afe498bea..ce8b14592b69b 100644
---- a/drivers/gpu/drm/radeon/ci_dpm.c
-+++ b/drivers/gpu/drm/radeon/ci_dpm.c
-@@ -5552,6 +5552,7 @@ static int ci_parse_power_table(struct radeon_device *rdev)
- u8 frev, crev;
- u8 *power_state_offset;
- struct ci_ps *ps;
-+ int ret;
-
- if (!atom_parse_data_header(mode_info->atom_context, index, NULL,
- &frev, &crev, &data_offset))
-@@ -5581,11 +5582,15 @@ static int ci_parse_power_table(struct radeon_device *rdev)
- non_clock_array_index = power_state->v2.nonClockInfoIndex;
- non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *)
- &non_clock_info_array->nonClockInfo[non_clock_array_index];
-- if (!rdev->pm.power_state[i].clock_info)
-- return -EINVAL;
-+ if (!rdev->pm.power_state[i].clock_info) {
-+ ret = -EINVAL;
-+ goto err_free_ps;
-+ }
- ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL);
-- if (ps == NULL)
-- return -ENOMEM;
-+ if (ps == NULL) {
-+ ret = -ENOMEM;
-+ goto err_free_ps;
-+ }
- rdev->pm.dpm.ps[i].ps_priv = ps;
- ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i],
- non_clock_info,
-@@ -5625,6 +5630,12 @@ static int ci_parse_power_table(struct radeon_device *rdev)
- }
-
- return 0;
-+
-+err_free_ps:
-+ for (i = 0; i < rdev->pm.dpm.num_ps; i++)
-+ kfree(rdev->pm.dpm.ps[i].ps_priv);
-+ kfree(rdev->pm.dpm.ps);
-+ return ret;
- }
-
- static int ci_get_vbios_boot_values(struct radeon_device *rdev,
-@@ -5713,25 +5724,26 @@ int ci_dpm_init(struct radeon_device *rdev)
-
- ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state);
- if (ret) {
-- ci_dpm_fini(rdev);
-+ kfree(rdev->pm.dpm.priv);
- return ret;
- }
-
- ret = r600_get_platform_caps(rdev);
- if (ret) {
-- ci_dpm_fini(rdev);
-+ kfree(rdev->pm.dpm.priv);
- return ret;
- }
-
- ret = r600_parse_extended_power_table(rdev);
- if (ret) {
-- ci_dpm_fini(rdev);
-+ kfree(rdev->pm.dpm.priv);
- return ret;
- }
-
- ret = ci_parse_power_table(rdev);
- if (ret) {
-- ci_dpm_fini(rdev);
-+ kfree(rdev->pm.dpm.priv);
-+ r600_free_extended_power_table(rdev);
- return ret;
- }
-
---
-2.39.2
-
+++ /dev/null
-From a82d62f708545d22859584e0e0620da8e3759bbc Mon Sep 17 00:00:00 2001
-From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
-Date: Mon, 19 Jun 2023 15:57:44 +0000
-Subject: Revert "8250: add support for ASIX devices with a FIFO bug"
-
-From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
-
-commit a82d62f708545d22859584e0e0620da8e3759bbc upstream.
-
-This reverts commit eb26dfe8aa7eeb5a5aa0b7574550125f8aa4c3b3.
-
-Commit eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO
-bug") merged on Jul 13, 2012 adds a quirk for PCI_VENDOR_ID_ASIX
-(0x9710). But that ID is the same as PCI_VENDOR_ID_NETMOS defined in
-1f8b061050c7 ("[PATCH] Netmos parallel/serial/combo support") merged
-on Mar 28, 2005. In pci_serial_quirks array, the NetMos entry always
-takes precedence over the ASIX entry even since it was initially
-merged, code in that commit is always unreachable.
-
-In my tests, adding the FIFO workaround to pci_netmos_init() makes no
-difference, and the vendor driver also does not have such workaround.
-Given that the code was never used for over a decade, it's safe to
-revert it.
-
-Also, the real PCI_VENDOR_ID_ASIX should be 0x125b, which is used on
-their newer AX99100 PCIe serial controllers released on 2016. The FIFO
-workaround should not be intended for these newer controllers, and it
-was never implemented in vendor driver.
-
-Fixes: eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO bug")
-Cc: stable <stable@kernel.org>
-Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
-Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Link: https://lore.kernel.org/r/20230619155743.827859-1-jiaqing.zhao@linux.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/8250/8250.h | 1 -
- drivers/tty/serial/8250/8250_pci.c | 19 -------------------
- drivers/tty/serial/8250/8250_port.c | 11 +++--------
- include/linux/serial_8250.h | 1 -
- 4 files changed, 3 insertions(+), 29 deletions(-)
-
---- a/drivers/tty/serial/8250/8250.h
-+++ b/drivers/tty/serial/8250/8250.h
-@@ -85,7 +85,6 @@ struct serial8250_config {
- #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */
- #define UART_BUG_NOMSR (1 << 2) /* UART has buggy MSR status bits (Au1x00) */
- #define UART_BUG_THRE (1 << 3) /* UART has buggy THRE reassertion */
--#define UART_BUG_PARITY (1 << 4) /* UART mishandles parity if FIFO enabled */
-
-
- #ifdef CONFIG_SERIAL_8250_SHARE_IRQ
---- a/drivers/tty/serial/8250/8250_pci.c
-+++ b/drivers/tty/serial/8250/8250_pci.c
-@@ -1049,14 +1049,6 @@ static int pci_oxsemi_tornado_init(struc
- return number_uarts;
- }
-
--static int pci_asix_setup(struct serial_private *priv,
-- const struct pciserial_board *board,
-- struct uart_8250_port *port, int idx)
--{
-- port->bugs |= UART_BUG_PARITY;
-- return pci_default_setup(priv, board, port, idx);
--}
--
- /* Quatech devices have their own extra interface features */
-
- struct quatech_feature {
-@@ -1683,7 +1675,6 @@ pci_wch_ch38x_setup(struct serial_privat
- #define PCI_DEVICE_ID_WCH_CH355_4S 0x7173
- #define PCI_VENDOR_ID_AGESTAR 0x5372
- #define PCI_DEVICE_ID_AGESTAR_9375 0x6872
--#define PCI_VENDOR_ID_ASIX 0x9710
- #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a
- #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e
-
-@@ -2455,16 +2446,6 @@ static struct pci_serial_quirk pci_seria
- .setup = pci_wch_ch38x_setup,
- },
- /*
-- * ASIX devices with FIFO bug
-- */
-- {
-- .vendor = PCI_VENDOR_ID_ASIX,
-- .device = PCI_ANY_ID,
-- .subvendor = PCI_ANY_ID,
-- .subdevice = PCI_ANY_ID,
-- .setup = pci_asix_setup,
-- },
-- /*
- * Broadcom TruManage (NetXtreme)
- */
- {
---- a/drivers/tty/serial/8250/8250_port.c
-+++ b/drivers/tty/serial/8250/8250_port.c
-@@ -2617,11 +2617,8 @@ static unsigned char serial8250_compute_
-
- if (c_cflag & CSTOPB)
- cval |= UART_LCR_STOP;
-- if (c_cflag & PARENB) {
-+ if (c_cflag & PARENB)
- cval |= UART_LCR_PARITY;
-- if (up->bugs & UART_BUG_PARITY)
-- up->fifo_bug = true;
-- }
- if (!(c_cflag & PARODD))
- cval |= UART_LCR_EPAR;
- #ifdef CMSPAR
-@@ -2735,8 +2732,7 @@ serial8250_do_set_termios(struct uart_po
- up->lcr = cval; /* Save computed LCR */
-
- if (up->capabilities & UART_CAP_FIFO && port->fifosize > 1) {
-- /* NOTE: If fifo_bug is not set, a user can set RX_trigger. */
-- if ((baud < 2400 && !up->dma) || up->fifo_bug) {
-+ if (baud < 2400 && !up->dma) {
- up->fcr &= ~UART_FCR_TRIGGER_MASK;
- up->fcr |= UART_FCR_TRIGGER_1;
- }
-@@ -3072,8 +3068,7 @@ static int do_set_rxtrig(struct tty_port
- struct uart_8250_port *up = up_to_u8250p(uport);
- int rxtrig;
-
-- if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1 ||
-- up->fifo_bug)
-+ if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1)
- return -EINVAL;
-
- rxtrig = bytes_to_fcr_rxtrig(up, bytes);
---- a/include/linux/serial_8250.h
-+++ b/include/linux/serial_8250.h
-@@ -99,7 +99,6 @@ struct uart_8250_port {
- struct list_head list; /* ports on this IRQ */
- u32 capabilities; /* port capabilities */
- unsigned short bugs; /* port bugs */
-- bool fifo_bug; /* min RX trigger if enabled */
- unsigned int tx_loadsz; /* transmit fifo load size */
- unsigned char acr;
- unsigned char fcr;
+++ /dev/null
-From 0891c3b57a9ceed9c4e331ce92a2edea7581fc11 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 17 Jul 2023 14:59:18 -0700
-Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash
- table"
-
-From: Kuniyuki Iwashima <kuniyu@amazon.com>
-
-[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ]
-
-This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043.
-
-Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in
-ehash table") reversed the order in how a socket is inserted into ehash
-to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are
-swapped. However, it introduced another lookup failure.
-
-The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU
-and does not have SOCK_RCU_FREE, so the socket could be reused even while
-it is being referenced on another CPU doing RCU lookup.
-
-Let's say a socket is reused and inserted into the same hash bucket during
-lookup. After the blamed commit, a new socket is inserted at the end of
-the list. If that happens, we will skip sockets placed after the previous
-position of the reused socket, resulting in ehash lookup failure.
-
-As described in Documentation/RCU/rculist_nulls.rst, we should insert a
-new socket at the head of the list to avoid such an issue.
-
-This issue, the swap-lookup-failure, and another variant reported in [0]
-can all be handled properly by adding a locked ehash lookup suggested by
-Eric Dumazet [1].
-
-However, this issue could occur for every packet, thus more likely than
-the other two races, so let's revert the change for now.
-
-Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0]
-Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1]
-Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table")
-Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
-Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/inet_hashtables.c | 17 ++---------------
- net/ipv4/inet_timewait_sock.c | 8 ++++----
- 2 files changed, 6 insertions(+), 19 deletions(-)
-
-diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
-index 5a272d09b8248..c6d670cd872f0 100644
---- a/net/ipv4/inet_hashtables.c
-+++ b/net/ipv4/inet_hashtables.c
-@@ -579,20 +579,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
- spin_lock(lock);
- if (osk) {
- WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
-- ret = sk_hashed(osk);
-- if (ret) {
-- /* Before deleting the node, we insert a new one to make
-- * sure that the look-up-sk process would not miss either
-- * of them and that at least one node would exist in ehash
-- * table all the time. Otherwise there's a tiny chance
-- * that lookup process could find nothing in ehash table.
-- */
-- __sk_nulls_add_node_tail_rcu(sk, list);
-- sk_nulls_del_node_init_rcu(osk);
-- }
-- goto unlock;
-- }
-- if (found_dup_sk) {
-+ ret = sk_nulls_del_node_init_rcu(osk);
-+ } else if (found_dup_sk) {
- *found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
- if (*found_dup_sk)
- ret = false;
-@@ -601,7 +589,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
- if (ret)
- __sk_nulls_add_node_rcu(sk, list);
-
--unlock:
- spin_unlock(lock);
-
- return ret;
-diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
-index fedd19c22b392..88c5069b5d20c 100644
---- a/net/ipv4/inet_timewait_sock.c
-+++ b/net/ipv4/inet_timewait_sock.c
-@@ -80,10 +80,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw)
- }
- EXPORT_SYMBOL_GPL(inet_twsk_put);
-
--static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw,
-- struct hlist_nulls_head *list)
-+static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw,
-+ struct hlist_nulls_head *list)
- {
-- hlist_nulls_add_tail_rcu(&tw->tw_node, list);
-+ hlist_nulls_add_head_rcu(&tw->tw_node, list);
- }
-
- static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw,
-@@ -119,7 +119,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
-
- spin_lock(lock);
-
-- inet_twsk_add_node_tail_rcu(tw, &ehead->chain);
-+ inet_twsk_add_node_rcu(tw, &ehead->chain);
-
- /* Step 3: Remove SK from hash chain */
- if (__sk_nulls_del_node_init_rcu(sk))
---
-2.39.2
-
+++ /dev/null
-From 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 Mon Sep 17 00:00:00 2001
-From: Zheng Yejian <zhengyejian1@huawei.com>
-Date: Sun, 9 Jul 2023 06:51:44 +0800
-Subject: ring-buffer: Fix deadloop issue on reading trace_pipe
-
-From: Zheng Yejian <zhengyejian1@huawei.com>
-
-commit 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 upstream.
-
-Soft lockup occurs when reading file 'trace_pipe':
-
- watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488]
- [...]
- RIP: 0010:ring_buffer_empty_cpu+0xed/0x170
- RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246
- RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb
- RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218
- RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f
- R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901
- R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000
- [...]
- CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0
- DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
- DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
- Call Trace:
- __find_next_entry+0x1a8/0x4b0
- ? peek_next_entry+0x250/0x250
- ? down_write+0xa5/0x120
- ? down_write_killable+0x130/0x130
- trace_find_next_entry_inc+0x3b/0x1d0
- tracing_read_pipe+0x423/0xae0
- ? tracing_splice_read_pipe+0xcb0/0xcb0
- vfs_read+0x16b/0x490
- ksys_read+0x105/0x210
- ? __ia32_sys_pwrite64+0x200/0x200
- ? switch_fpu_return+0x108/0x220
- do_syscall_64+0x33/0x40
- entry_SYSCALL_64_after_hwframe+0x61/0xc6
-
-Through the vmcore, I found it's because in tracing_read_pipe(),
-ring_buffer_empty_cpu() found some buffer is not empty but then it
-cannot read anything due to "rb_num_of_entries() == 0" always true,
-Then it infinitely loop the procedure due to user buffer not been
-filled, see following code path:
-
- tracing_read_pipe() {
- ... ...
- waitagain:
- tracing_wait_pipe() // 1. find non-empty buffer here
- trace_find_next_entry_inc() // 2. loop here try to find an entry
- __find_next_entry()
- ring_buffer_empty_cpu(); // 3. find non-empty buffer
- peek_next_entry() // 4. but peek always return NULL
- ring_buffer_peek()
- rb_buffer_peek()
- rb_get_reader_page()
- // 5. because rb_num_of_entries() == 0 always true here
- // then return NULL
- // 6. user buffer not been filled so goto 'waitgain'
- // and eventually leads to an deadloop in kernel!!!
- }
-
-By some analyzing, I found that when resetting ringbuffer, the 'entries'
-of its pages are not all cleared (see rb_reset_cpu()). Then when reducing
-the ringbuffer, and if some reduced pages exist dirty 'entries' data, they
-will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which
-cause wrong 'overrun' count and eventually cause the deadloop issue.
-
-To fix it, we need to clear every pages in rb_reset_cpu().
-
-Link: https://lore.kernel.org/linux-trace-kernel/20230708225144.3785600-1-zhengyejian1@huawei.com
-
-Cc: stable@vger.kernel.org
-Fixes: a5fb833172eca ("ring-buffer: Fix uninitialized read_stamp")
-Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
-Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/trace/ring_buffer.c | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
-
---- a/kernel/trace/ring_buffer.c
-+++ b/kernel/trace/ring_buffer.c
-@@ -4408,28 +4408,34 @@ unsigned long ring_buffer_size(struct ri
- }
- EXPORT_SYMBOL_GPL(ring_buffer_size);
-
-+static void rb_clear_buffer_page(struct buffer_page *page)
-+{
-+ local_set(&page->write, 0);
-+ local_set(&page->entries, 0);
-+ rb_init_page(page->page);
-+ page->read = 0;
-+}
-+
- static void
- rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
- {
-+ struct buffer_page *page;
-+
- rb_head_page_deactivate(cpu_buffer);
-
- cpu_buffer->head_page
- = list_entry(cpu_buffer->pages, struct buffer_page, list);
-- local_set(&cpu_buffer->head_page->write, 0);
-- local_set(&cpu_buffer->head_page->entries, 0);
-- local_set(&cpu_buffer->head_page->page->commit, 0);
--
-- cpu_buffer->head_page->read = 0;
-+ rb_clear_buffer_page(cpu_buffer->head_page);
-+ list_for_each_entry(page, cpu_buffer->pages, list) {
-+ rb_clear_buffer_page(page);
-+ }
-
- cpu_buffer->tail_page = cpu_buffer->head_page;
- cpu_buffer->commit_page = cpu_buffer->head_page;
-
- INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
- INIT_LIST_HEAD(&cpu_buffer->new_pages);
-- local_set(&cpu_buffer->reader_page->write, 0);
-- local_set(&cpu_buffer->reader_page->entries, 0);
-- local_set(&cpu_buffer->reader_page->page->commit, 0);
-- cpu_buffer->reader_page->read = 0;
-+ rb_clear_buffer_page(cpu_buffer->reader_page);
-
- local_set(&cpu_buffer->entries_bytes, 0);
- local_set(&cpu_buffer->overrun, 0);
+++ /dev/null
-From d374daa9cdec916607584105f5d15a6cd42696a6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 8 Jun 2023 21:11:42 +0200
-Subject: rtc: st-lpc: Release some resources in st_rtc_probe() in case of
- error
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 06c6e1b01d9261f03629cefd1f3553503291e6cf ]
-
-If an error occurs after clk_get(), the corresponding resources should be
-released.
-
-Use devm_clk_get() to fix it.
-
-Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Link: https://lore.kernel.org/r/866af6adbc7454a7b4505eb6c28fbdc86ccff39e.1686251455.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/rtc/rtc-st-lpc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c
-index e66439b6247a4..e8a8ca3545f00 100644
---- a/drivers/rtc/rtc-st-lpc.c
-+++ b/drivers/rtc/rtc-st-lpc.c
-@@ -239,7 +239,7 @@ static int st_rtc_probe(struct platform_device *pdev)
- enable_irq_wake(rtc->irq);
- disable_irq(rtc->irq);
-
-- rtc->clk = clk_get(&pdev->dev, NULL);
-+ rtc->clk = devm_clk_get(&pdev->dev, NULL);
- if (IS_ERR(rtc->clk)) {
- dev_err(&pdev->dev, "Unable to request clock\n");
- return PTR_ERR(rtc->clk);
---
-2.39.2
-
+++ /dev/null
-From 1bc2f94406b03808f08a0f4b770a725753a34849 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 5 May 2023 16:50:58 +0800
-Subject: samples/bpf: Fix buffer overflow in tcp_basertt
-
-From: Pengcheng Yang <yangpc@wangsu.com>
-
-[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ]
-
-Using sizeof(nv) or strlen(nv)+1 is correct.
-
-Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program")
-Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
-Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- samples/bpf/tcp_basertt_kern.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c
-index 4bf4fc597db9a..653d233714ad0 100644
---- a/samples/bpf/tcp_basertt_kern.c
-+++ b/samples/bpf/tcp_basertt_kern.c
-@@ -54,7 +54,7 @@ int bpf_basertt(struct bpf_sock_ops *skops)
- case BPF_SOCK_OPS_BASE_RTT:
- n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION,
- cong, sizeof(cong));
-- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) {
-+ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) {
- /* Set base_rtt to 80us */
- rv = 80;
- } else if (n) {
---
-2.39.2
-
+++ /dev/null
-From 29445fe25db278af2e1f337c9529eeae5d380b35 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 May 2023 16:25:07 +0800
-Subject: sched/fair: Don't balance task to its current running CPU
-
-From: Yicong Yang <yangyicong@hisilicon.com>
-
-[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ]
-
-We've run into the case that the balancer tries to balance a migration
-disabled task and trigger the warning in set_task_cpu() like below:
-
- ------------[ cut here ]------------
- WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
- Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>
- CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1
- Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
- pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
- pc : set_task_cpu+0x188/0x240
- lr : load_balance+0x5d0/0xc60
- sp : ffff80000803bc70
- x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
- x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
- x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
- x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
- x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
- x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
- x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
- x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
- x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
- x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
- Call trace:
- set_task_cpu+0x188/0x240
- load_balance+0x5d0/0xc60
- rebalance_domains+0x26c/0x380
- _nohz_idle_balance.isra.0+0x1e0/0x370
- run_rebalance_domains+0x6c/0x80
- __do_softirq+0x128/0x3d8
- ____do_softirq+0x18/0x24
- call_on_irq_stack+0x2c/0x38
- do_softirq_own_stack+0x24/0x3c
- __irq_exit_rcu+0xcc/0xf4
- irq_exit_rcu+0x18/0x24
- el1_interrupt+0x4c/0xe4
- el1h_64_irq_handler+0x18/0x2c
- el1h_64_irq+0x74/0x78
- arch_cpu_idle+0x18/0x4c
- default_idle_call+0x58/0x194
- do_idle+0x244/0x2b0
- cpu_startup_entry+0x30/0x3c
- secondary_start_kernel+0x14c/0x190
- __secondary_switched+0xb0/0xb4
- ---[ end trace 0000000000000000 ]---
-
-Further investigation shows that the warning is superfluous, the migration
-disabled task is just going to be migrated to its current running CPU.
-This is because that on load balance if the dst_cpu is not allowed by the
-task, we'll re-select a new_dst_cpu as a candidate. If no task can be
-balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
-instead. In this case when the migration disabled task is not on CPU it
-only allows to run on its current CPU, load balance will select its
-current CPU as new_dst_cpu and later triggers the warning above.
-
-The new_dst_cpu is chosen from the env->dst_grpmask. Currently it
-contains CPUs in sched_group_span() and if we have overlapped groups it's
-possible to run into this case. This patch makes env->dst_grpmask of
-group_balance_mask() which exclude any CPUs from the busiest group and
-solve the issue. For balancing in a domain with no overlapped groups
-the behaviour keeps same as before.
-
-Suggested-by: Vincent Guittot <vincent.guittot@linaro.org>
-Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
-Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/sched/fair.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index eb67f42fb96ba..09f82c84474b8 100644
---- a/kernel/sched/fair.c
-+++ b/kernel/sched/fair.c
-@@ -8721,7 +8721,7 @@ static int load_balance(int this_cpu, struct rq *this_rq,
- .sd = sd,
- .dst_cpu = this_cpu,
- .dst_rq = this_rq,
-- .dst_grpmask = sched_group_span(sd->groups),
-+ .dst_grpmask = group_balance_mask(sd->groups),
- .idle = idle,
- .loop_break = sched_nr_migrate_break,
- .cpus = cpus,
---
-2.39.2
-
+++ /dev/null
-From e1b37563caffc410bb4b55f153ccb14dede66815 Mon Sep 17 00:00:00 2001
-From: "Ahmed S. Darwish" <darwi@linutronix.de>
-Date: Mon, 15 May 2023 19:32:16 +0200
-Subject: scripts/tags.sh: Resolve gtags empty index generation
-
-From: Ahmed S. Darwish <darwi@linutronix.de>
-
-commit e1b37563caffc410bb4b55f153ccb14dede66815 upstream.
-
-gtags considers any file outside of its current working directory
-"outside the source tree" and refuses to index it. For O= kernel builds,
-or when "make" is invoked from a directory other then the kernel source
-tree, gtags ignores the entire kernel source and generates an empty
-index.
-
-Force-set gtags current working directory to the kernel source tree.
-
-Due to commit 9da0763bdd82 ("kbuild: Use relative path when building in
-a subdir of the source tree"), if the kernel build is done in a
-sub-directory of the kernel source tree, the kernel Makefile will set
-the kernel's $srctree to ".." for shorter compile-time and run-time
-warnings. Consequently, the list of files to be indexed will be in the
-"../*" form, rendering all such paths invalid once gtags switches to the
-kernel source tree as its current working directory.
-
-If gtags indexing is requested and the build directory is not the kernel
-source tree, index all files in absolute-path form.
-
-Note, indexing in absolute-path form will not affect the generated
-index, as paths in gtags indices are always relative to the gtags "root
-directory" anyway (as evidenced by "gtags --dump").
-
-Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- scripts/tags.sh | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
---- a/scripts/tags.sh
-+++ b/scripts/tags.sh
-@@ -28,6 +28,13 @@ fi
- # ignore userspace tools
- ignore="$ignore ( -path ${tree}tools ) -prune -o"
-
-+# gtags(1) refuses to index any file outside of its current working dir.
-+# If gtags indexing is requested and the build output directory is not
-+# the kernel source tree, index all files in absolute-path form.
-+if [[ "$1" == "gtags" && -n "${tree}" ]]; then
-+ tree=$(realpath "$tree")/
-+fi
-+
- # Detect if ALLSOURCE_ARCHS is set. If not, we assume SRCARCH
- if [ "${ALLSOURCE_ARCHS}" = "" ]; then
- ALLSOURCE_ARCHS=${SRCARCH}
-@@ -136,7 +143,7 @@ docscope()
-
- dogtags()
- {
-- all_target_sources | gtags -i -f -
-+ all_target_sources | gtags -i -C "${tree:-.}" -f - "$PWD"
- }
-
- # Basic regular expressions with an optional /kind-spec/ for ctags and
+++ /dev/null
-From a2a994777eca5a7c0463e65c84a199840479c744 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 5 May 2023 22:12:55 +0800
-Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
- tw_probe()
-
-From: Yuchen Yang <u202114568@hust.edu.cn>
-
-[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
-
-Smatch complains that:
-
-tw_probe() warn: missing error code 'retval'
-
-This patch adds error checking to tw_probe() to handle initialization
-failure. If tw_reset_sequence() function returns a non-zero value, the
-function will return -EINVAL to indicate initialization failure.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Yuchen Yang <u202114568@hust.edu.cn>
-Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
-Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/3w-xxxx.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
-index 471366945bd4f..8a61e832607eb 100644
---- a/drivers/scsi/3w-xxxx.c
-+++ b/drivers/scsi/3w-xxxx.c
-@@ -2303,8 +2303,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
- TW_DISABLE_INTERRUPTS(tw_dev);
-
- /* Initialize the card */
-- if (tw_reset_sequence(tw_dev))
-+ if (tw_reset_sequence(tw_dev)) {
-+ retval = -EINVAL;
- goto out_release_mem_region;
-+ }
-
- /* Set host specific parameters */
- host->max_id = TW_MAX_UNITS;
---
-2.39.2
-
+++ /dev/null
-From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
-From: Nilesh Javali <njavali@marvell.com>
-Date: Wed, 7 Jun 2023 17:08:39 +0530
-Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
-
-From: Nilesh Javali <njavali@marvell.com>
-
-commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
-
-Klocwork reported warning of rport maybe NULL and will be dereferenced.
-rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
-
-Check valid rport returned by fc_bsg_to_rport().
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/scsi/qla2xxx/qla_bsg.c
-+++ b/drivers/scsi/qla2xxx/qla_bsg.c
-@@ -264,6 +264,10 @@ qla2x00_process_els(struct bsg_job *bsg_
-
- if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
- rport = fc_bsg_to_rport(bsg_job);
-+ if (!rport) {
-+ rval = -ENOMEM;
-+ goto done;
-+ }
- fcport = *(fc_port_t **) rport->dd_data;
- host = rport_to_shost(rport);
- vha = shost_priv(host);
+++ /dev/null
-From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
-From: Bikash Hazarika <bhazarika@marvell.com>
-Date: Wed, 7 Jun 2023 17:08:37 +0530
-Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
-
-From: Bikash Hazarika <bhazarika@marvell.com>
-
-commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
-
-Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
-pointer before dereferencing the pointer.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/qla2xxx/qla_iocb.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/qla2xxx/qla_iocb.c
-+++ b/drivers/scsi/qla2xxx/qla_iocb.c
-@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
- *((uint32_t *)(&cmd_pkt->entry_type)) = cpu_to_le32(COMMAND_TYPE_6);
-
- /* No data transfer */
-- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
-+ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
-+ tot_dsds == 0) {
- cmd_pkt->byte_count = cpu_to_le32(0);
- return 0;
- }
+++ /dev/null
-From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
-From: Shreyas Deodhar <sdeodhar@marvell.com>
-Date: Wed, 7 Jun 2023 17:08:41 +0530
-Subject: scsi: qla2xxx: Pointer may be dereferenced
-
-From: Shreyas Deodhar <sdeodhar@marvell.com>
-
-commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
-
-Klocwork tool reported pointer 'rport' returned from call to function
-fc_bsg_to_rport() may be NULL and will be dereferenced.
-
-Add a fix to validate rport before dereferencing.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Shreyas Deodhar <sdeodhar@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/scsi/qla2xxx/qla_bsg.c
-+++ b/drivers/scsi/qla2xxx/qla_bsg.c
-@@ -2488,6 +2488,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
-
- if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
- rport = fc_bsg_to_rport(bsg_job);
-+ if (!rport)
-+ return ret;
- host = rport_to_shost(rport);
- vha = shost_priv(host);
- } else {
+++ /dev/null
-From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
-From: Quinn Tran <qutran@marvell.com>
-Date: Fri, 28 Apr 2023 00:53:38 -0700
-Subject: scsi: qla2xxx: Wait for io return on terminate rport
-
-From: Quinn Tran <qutran@marvell.com>
-
-commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
-
-System crash due to use after free.
-Current code allows terminate_rport_io to exit before making
-sure all IOs has returned. For FCP-2 device, IO's can hang
-on in HW because driver has not tear down the session in FW at
-first sign of cable pull. When dev_loss_tmo timer pops,
-terminate_rport_io is called and upper layer is about to
-free various resources. Terminate_rport_io trigger qla to do
-the final cleanup, but the cleanup might not be fast enough where it
-leave qla still holding on to the same resource.
-
-Wait for IO's to return to upper layer before resources are freed.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
---- a/drivers/scsi/qla2xxx/qla_attr.c
-+++ b/drivers/scsi/qla2xxx/qla_attr.c
-@@ -1800,6 +1800,7 @@ static void
- qla2x00_terminate_rport_io(struct fc_rport *rport)
- {
- fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
-+ scsi_qla_host_t *vha;
-
- if (!fcport)
- return;
-@@ -1809,9 +1810,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
-
- if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
- return;
-+ vha = fcport->vha;
-
- if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
- qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
-+ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
-+ 0, WAIT_TARGET);
- return;
- }
- /*
-@@ -1826,6 +1830,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
- else
- qla2x00_port_logout(fcport->vha, fcport);
- }
-+
-+ /* check for any straggling io left behind */
-+ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
-+ ql_log(ql_log_warn, vha, 0x300b,
-+ "IO not return. Resetting. \n");
-+ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
-+ qla2xxx_wake_dpc(vha);
-+ qla2x00_wait_for_chip_reset(vha);
-+ }
- }
-
- static int
+++ /dev/null
-From 046a3289610ded808adcf4dea37c0170b26f779e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 27 Jun 2023 12:03:40 +0000
-Subject: sctp: fix potential deadlock on &net->sctp.addr_wq_lock
-
-From: Chengfeng Ye <dg573847474@gmail.com>
-
-[ Upstream commit 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a ]
-
-As &net->sctp.addr_wq_lock is also acquired by the timer
-sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition
-at sctp_auto_asconf_init() seems should disable irq since it is called
-from sctp_accept() under process context.
-
-Possible deadlock scenario:
-sctp_accept()
- -> sctp_sock_migrate()
- -> sctp_auto_asconf_init()
- -> spin_lock(&net->sctp.addr_wq_lock)
- <timer interrupt>
- -> sctp_addr_wq_timeout_handler()
- -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here)
-
-This flaw was found using an experimental static analysis tool we are
-developing for irq-related deadlock.
-
-The tentative patch fix the potential deadlock by spin_lock_bh().
-
-Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
-Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr")
-Acked-by: Xin Long <lucien.xin@gmail.com>
-Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/sctp/socket.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index a68f3d6b72335..baa825751c393 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -380,9 +380,9 @@ static void sctp_auto_asconf_init(struct sctp_sock *sp)
- struct net *net = sock_net(&sp->inet.sk);
-
- if (net->sctp.default_auto_asconf) {
-- spin_lock(&net->sctp.addr_wq_lock);
-+ spin_lock_bh(&net->sctp.addr_wq_lock);
- list_add_tail(&sp->auto_asconf_list, &net->sctp.auto_asconf_splist);
-- spin_unlock(&net->sctp.addr_wq_lock);
-+ spin_unlock_bh(&net->sctp.addr_wq_lock);
- sp->do_auto_asconf = 1;
- }
- }
---
-2.39.2
-
+++ /dev/null
-From 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@linaro.org>
-Date: Mon, 19 Jun 2023 12:45:17 +0300
-Subject: serial: atmel: don't enable IRQs prematurely
-
-From: Dan Carpenter <dan.carpenter@linaro.org>
-
-commit 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 upstream.
-
-The atmel_complete_tx_dma() function disables IRQs at the start
-of the function by calling spin_lock_irqsave(&port->lock, flags);
-There is no need to disable them a second time using the
-spin_lock_irq() function and, in fact, doing so is a bug because
-it will enable IRQs prematurely when we call spin_unlock_irq().
-
-Just use spin_lock/unlock() instead without disabling or enabling
-IRQs.
-
-Fixes: 08f738be88bb ("serial: at91: add tx dma support")
-Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
-Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
-Acked-by: Richard Genoud <richard.genoud@gmail.com>
-Link: https://lore.kernel.org/r/cb7c39a9-c004-4673-92e1-be4e34b85368@moroto.mountain
-Cc: stable <stable@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/atmel_serial.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/tty/serial/atmel_serial.c
-+++ b/drivers/tty/serial/atmel_serial.c
-@@ -791,11 +791,11 @@ static void atmel_complete_tx_dma(void *
-
- port->icount.tx += atmel_port->tx_len;
-
-- spin_lock_irq(&atmel_port->lock_tx);
-+ spin_lock(&atmel_port->lock_tx);
- async_tx_ack(atmel_port->desc_tx);
- atmel_port->cookie_tx = -EINVAL;
- atmel_port->desc_tx = NULL;
-- spin_unlock_irq(&atmel_port->lock_tx);
-+ spin_unlock(&atmel_port->lock_tx);
-
- if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
- uart_write_wakeup(port);
-gfs2-don-t-deref-jdesc-in-evict.patch
x86-microcode-amd-load-late-on-both-threads-too.patch
-x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch
-video-imsttfb-check-for-ioremap-failures.patch
-fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
-drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch
-scripts-tags.sh-resolve-gtags-empty-index-generation.patch
-drm-amdgpu-validate-vm-ioctl-flags.patch
-treewide-remove-uninitialized_var-usage.patch
-md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
-md-raid10-fix-overflow-of-md-safe_mode_delay.patch
-md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
-md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
-irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch
-irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch
-clocksource-drivers-unify-the-names-to-timer-format.patch
-clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
-clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
-pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
-arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
-evm-complete-description-of-evm_inode_setattr.patch
-wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
-wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
-samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
-wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
-nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
-nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
-wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
-wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
-wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
-wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
-wl3501_cs-remove-unnecessary-null-check.patch
-wl3501_cs-fix-misspelling-and-provide-missing-docume.patch
-net-create-netdev-dev_addr-assignment-helpers.patch
-wl3501_cs-use-eth_hw_addr_set.patch
-wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
-wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
-wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch
-wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
-wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
-wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch
-watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
-watchdog-perf-more-properly-prevent-false-positives-.patch
-kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
-memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
-wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
-wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
-netlink-fix-potential-deadlock-in-netlink_set_err.patch
-netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
-gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
-lib-ts_bm-reset-initial-match-offset-for-every-block.patch
-netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
-ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
-netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
-radeon-avoid-double-free-in-ci_dpm_init.patch
-input-drv260x-sleep-between-polling-go-bit.patch
-arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
-input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
-drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
-arm-ep93xx-fix-missing-prototype-warnings.patch
-asoc-es8316-increment-max-value-for-alc-capture-targ.patch
-soc-fsl-qe-fix-usb.c-build-errors.patch
-ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
-arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
-fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
-drm-radeon-fix-possible-division-by-zero-errors.patch
-alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
-scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
-pci-add-pci_clear_master-stub-for-non-config_pci.patch
-pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
-perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
-pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
-hwrng-virtio-add-an-internal-buffer.patch
-hwrng-virtio-don-t-wait-on-cleanup.patch
-hwrng-virtio-don-t-waste-entropy.patch
-hwrng-virtio-always-add-a-pending-request.patch
-hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch
-crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
-modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
-modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
-arcv2-entry-comments-about-hardware-auto-save-on-tak.patch
-arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch
-arcv2-entry-avoid-a-branch.patch
-arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch
-arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
-usb-serial-option-add-lara-r6-01b-pids.patch
-block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch
-w1-fix-loop-in-w1_fini.patch
-sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
-media-usb-check-az6007_read-return-value.patch
-media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
-media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
-extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch
-extcon-fix-kernel-doc-of-property-capability-fields-.patch
-usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
-mfd-rt5033-drop-rt5033-battery-sub-device.patch
-kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch
-mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
-mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
-rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch
-sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
-add-module_firmware-for-firmware_tg357766.patch
-spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
-mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch
-f2fs-fix-error-path-handling-in-truncate_dnode.patch
-powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch
-net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch
-tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
-net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch
-sh-dma-fix-dma-channel-offset-calculation.patch
-i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch
-i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
-alsa-jack-fix-mutex-call-in-snd_jack_report.patch
-nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch
-mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
-mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
-bcache-remove-unnecessary-null-point-check-in-node-allocations.patch
-integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
-jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch
-btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
-arm-orion5x-fix-d2net-gpio-initialization.patch
-spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch
-spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch
-spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch
-netfilter-nf_tables-fix-nat-hook-table-deletion.patch
-netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch
-netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch
-netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch
-netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
-netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
-netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
-netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch
-netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
-netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
-netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch
-netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch
-net-lan743x-don-t-sleep-in-atomic-context.patch
-workqueue-clean-up-work_-constant-types-clarify-masking.patch
-net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
-vrf-increment-icmp6inmsgs-on-the-original-netdev.patch
-icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
-udp6-fix-udp6_ehashfn-typo.patch
-ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
-ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
-ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
-ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
-ntb-ntb_tool-add-check-for-devm_kcalloc.patch
-ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
-wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
-net-sched-make-psched_mtu-rtnl-less-safe.patch
-pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch
-pinctrl-amd-detect-internal-gpio0-debounce-handling.patch
-pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch
-tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
-net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch
-sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
-perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch
-ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
-ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch
-ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
-jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch
-pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
-pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
-pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
-pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch
-pci-rockchip-write-pci-device-id-to-correct-register.patch
-pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
-pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
-pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
-misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
-misc-pci_endpoint_test-re-init-completion-for-every-test.patch
-md-raid0-add-discard-support-for-the-original-layout.patch
-fs-dlm-return-positive-pid-value-for-f_getlk.patch
-serial-atmel-don-t-enable-irqs-prematurely.patch
-hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch
-ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
-meson-saradc-fix-clock-divider-mask-length.patch
-revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch
-tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
-tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
-ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
-xtensa-iss-fix-call-to-split_if_spec.patch
-scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
-scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
-scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
-scsi-qla2xxx-pointer-may-be-dereferenced.patch
-drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
-tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
-perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
-fuse-revalidate-don-t-invalidate-if-interrupted.patch
-can-bcm-fix-uaf-in-bcm_proc_show.patch
-ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
-debugobjects-recheck-debug_objects_enabled-before-re.patch
-nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch
-md-fix-data-corruption-for-raid456-when-reshape-rest.patch
-md-raid10-prevent-soft-lockup-while-flush-writes.patch
-posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
-sched-fair-don-t-balance-task-to-its-current-running.patch
-bpf-address-kcsan-report-on-bpf_lru_list.patch
-wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
-wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
-igb-fix-igb_down-hung-on-surprise-removal.patch
-spi-bcm63xx-fix-max-prepend-length.patch
-fbdev-imxfb-warn-about-invalid-left-right-margin.patch
-pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
-net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
-net-ipv6-check-return-value-of-pskb_trim.patch
-revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
-fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
-llc-don-t-drop-packet-from-non-root-netns.patch
-netfilter-nf_tables-fix-spurious-set-element-inserti.patch
-netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
-net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch
-tcp-annotate-data-races-around-tp-linger2.patch
-tcp-annotate-data-races-around-rskq_defer_accept.patch
-tcp-annotate-data-races-around-tp-notsent_lowat.patch
-tcp-annotate-data-races-around-fastopenq.max_qlen.patch
-tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
x86-cpu-amd-move-the-errata-checking-functionality-up.patch
x86-cpu-amd-add-a-zenbleed-fix.patch
+++ /dev/null
-From 19649fbbfd10504ba897ed154b1459a13e5128e6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 27 May 2023 18:44:50 +0200
-Subject: sh: dma: Fix DMA channel offset calculation
-
-From: Artur Rojek <contact@artur-rojek.eu>
-
-[ Upstream commit e82e47584847129a20b8c9f4a1dcde09374fb0e0 ]
-
-Various SoCs of the SH3, SH4 and SH4A family, which use this driver,
-feature a differing number of DMA channels, which can be distributed
-between up to two DMAC modules. The existing implementation fails to
-correctly accommodate for all those variations, resulting in wrong
-channel offset calculations and leading to kernel panics.
-
-Rewrite dma_base_addr() in order to properly calculate channel offsets
-in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that
-the correct DMAC module base is selected for the DMAOR register.
-
-Fixes: 7f47c7189b3e8f19 ("sh: dma: More legacy cpu dma chainsawing.")
-Signed-off-by: Artur Rojek <contact@artur-rojek.eu>
-Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Link: https://lore.kernel.org/r/20230527164452.64797-2-contact@artur-rojek.eu
-Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/sh/drivers/dma/dma-sh.c | 37 +++++++++++++++++++++++-------------
- 1 file changed, 24 insertions(+), 13 deletions(-)
-
-diff --git a/arch/sh/drivers/dma/dma-sh.c b/arch/sh/drivers/dma/dma-sh.c
-index afde2a7d3eb35..e0679d8a9b34b 100644
---- a/arch/sh/drivers/dma/dma-sh.c
-+++ b/arch/sh/drivers/dma/dma-sh.c
-@@ -21,6 +21,18 @@
- #include <cpu/dma-register.h>
- #include <cpu/dma.h>
-
-+/*
-+ * Some of the SoCs feature two DMAC modules. In such a case, the channels are
-+ * distributed equally among them.
-+ */
-+#ifdef SH_DMAC_BASE1
-+#define SH_DMAC_NR_MD_CH (CONFIG_NR_ONCHIP_DMA_CHANNELS / 2)
-+#else
-+#define SH_DMAC_NR_MD_CH CONFIG_NR_ONCHIP_DMA_CHANNELS
-+#endif
-+
-+#define SH_DMAC_CH_SZ 0x10
-+
- /*
- * Define the default configuration for dual address memory-memory transfer.
- * The 0x400 value represents auto-request, external->external.
-@@ -32,7 +44,7 @@ static unsigned long dma_find_base(unsigned int chan)
- unsigned long base = SH_DMAC_BASE0;
-
- #ifdef SH_DMAC_BASE1
-- if (chan >= 6)
-+ if (chan >= SH_DMAC_NR_MD_CH)
- base = SH_DMAC_BASE1;
- #endif
-
-@@ -43,13 +55,13 @@ static unsigned long dma_base_addr(unsigned int chan)
- {
- unsigned long base = dma_find_base(chan);
-
-- /* Normalize offset calculation */
-- if (chan >= 9)
-- chan -= 6;
-- if (chan >= 4)
-- base += 0x10;
-+ chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;
-+
-+ /* DMAOR is placed inside the channel register space. Step over it. */
-+ if (chan >= DMAOR)
-+ base += SH_DMAC_CH_SZ;
-
-- return base + (chan * 0x10);
-+ return base + chan;
- }
-
- #ifdef CONFIG_SH_DMA_IRQ_MULTI
-@@ -253,12 +265,11 @@ static int sh_dmac_get_dma_residue(struct dma_channel *chan)
- #define NR_DMAOR 1
- #endif
-
--/*
-- * DMAOR bases are broken out amongst channel groups. DMAOR0 manages
-- * channels 0 - 5, DMAOR1 6 - 11 (optional).
-- */
--#define dmaor_read_reg(n) __raw_readw(dma_find_base((n)*6))
--#define dmaor_write_reg(n, data) __raw_writew(data, dma_find_base(n)*6)
-+#define dmaor_read_reg(n) __raw_readw(dma_find_base((n) * \
-+ SH_DMAC_NR_MD_CH) + DMAOR)
-+#define dmaor_write_reg(n, data) __raw_writew(data, \
-+ dma_find_base((n) * \
-+ SH_DMAC_NR_MD_CH) + DMAOR)
-
- static inline int dmaor_reset(int no)
- {
---
-2.39.2
-
+++ /dev/null
-From 92844b02e3e40efbd969ec03d51cd1bfd9530cdc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 May 2023 14:57:41 +0200
-Subject: sh: j2: Use ioremap() to translate device tree address into kernel
- memory
-
-From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-
-[ Upstream commit bc9d1f0cecd2407cfb2364a7d4be2f52d1d46a9d ]
-
-Addresses the following warning when building j2_defconfig:
-
-arch/sh/kernel/cpu/sh2/probe.c: In function 'scan_cache':
-arch/sh/kernel/cpu/sh2/probe.c:24:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
- 24 | j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node);
- |
-
-Fixes: 5a846abad07f ("sh: add support for J-Core J2 processor")
-Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
-Tested-by: Rob Landley <rob@landley.net>
-Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Link: https://lore.kernel.org/r/20230503125746.331835-1-glaubitz@physik.fu-berlin.de
-Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/sh/kernel/cpu/sh2/probe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/sh/kernel/cpu/sh2/probe.c b/arch/sh/kernel/cpu/sh2/probe.c
-index a5bd036426789..75dcb1d6bc62f 100644
---- a/arch/sh/kernel/cpu/sh2/probe.c
-+++ b/arch/sh/kernel/cpu/sh2/probe.c
-@@ -24,7 +24,7 @@ static int __init scan_cache(unsigned long node, const char *uname,
- if (!of_flat_dt_is_compatible(node, "jcore,cache"))
- return 0;
-
-- j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node);
-+ j2_ccr_base = ioremap(of_flat_dt_translate_address(node), 4);
-
- return 1;
- }
---
-2.39.2
-
+++ /dev/null
-From 71e654502cd063aaefe7768e183dbd8e7732fa18 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 21 May 2023 15:52:16 -0700
-Subject: soc/fsl/qe: fix usb.c build errors
-
-From: Randy Dunlap <rdunlap@infradead.org>
-
-[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ]
-
-Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set.
-This happens when PPC_EP88XC is set, which selects CPM1 & CPM.
-When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE
-being set. When USB_FSL_QE is set, QE_USB deafults to y, which
-causes build errors when QUICC_ENGINE is not set. Making
-QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y.
-
-Fixes these build errors:
-
-drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set':
-usb.c:(.text+0x1e): undefined reference to `qe_immr'
-powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr'
-powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg'
-powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock'
-powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock'
-
-Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing")
-Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
-Reported-by: kernel test robot <lkp@intel.com>
-Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/
-Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Cc: Leo Li <leoyang.li@nxp.com>
-Cc: Masahiro Yamada <masahiroy@kernel.org>
-Cc: Nicolas Schier <nicolas@fjasle.eu>
-Cc: Qiang Zhao <qiang.zhao@nxp.com>
-Cc: linuxppc-dev <linuxppc-dev@lists.ozlabs.org>
-Cc: linux-arm-kernel@lists.infradead.org
-Cc: Kumar Gala <galak@kernel.crashing.org>
-Acked-by: Nicolas Schier <nicolas@jasle.eu>
-Signed-off-by: Li Yang <leoyang.li@nxp.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/soc/fsl/qe/Kconfig | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig
-index fabba17e9d65b..7ec158e2acf91 100644
---- a/drivers/soc/fsl/qe/Kconfig
-+++ b/drivers/soc/fsl/qe/Kconfig
-@@ -37,6 +37,7 @@ config QE_TDM
-
- config QE_USB
- bool
-+ depends on QUICC_ENGINE
- default y if USB_FSL_QE
- help
- QE USB Controller support
---
-2.39.2
-
+++ /dev/null
-From 9edf06e0871337e5889ae663fcedb3b34c2e4225 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 29 Jun 2023 15:43:05 +0200
-Subject: spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
-
-From: Jonas Gorski <jonas.gorski@gmail.com>
-
-[ Upstream commit 7c1f23ad34fcdace50275a6aa1e1969b41c6233f ]
-
-If neither a "hif_mspi" nor "mspi" resource is present, the driver will
-just early exit in probe but still return success. Apart from not doing
-anything meaningful, this would then also lead to a null pointer access
-on removal, as platform_get_drvdata() would return NULL, which it would
-then try to dereference when trying to unregister the spi master.
-
-Fix this by unconditionally calling devm_ioremap_resource(), as it can
-handle a NULL res and will then return a viable ERR_PTR() if we get one.
-
-The "return 0;" was previously a "goto qspi_resource_err;" where then
-ret was returned, but since ret was still initialized to 0 at this place
-this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix
-use-after-free on unbind"). The issue was not introduced by this commit,
-only made more obvious.
-
-Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
-Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
-Reviewed-by: Kamal Dasu <kamal.dasu@broadcom.com>
-Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/spi/spi-bcm-qspi.c | 10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
-index 3f291db7b39a0..e3c69b6237708 100644
---- a/drivers/spi/spi-bcm-qspi.c
-+++ b/drivers/spi/spi-bcm-qspi.c
-@@ -1255,13 +1255,9 @@ int bcm_qspi_probe(struct platform_device *pdev,
- res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
- "mspi");
-
-- if (res) {
-- qspi->base[MSPI] = devm_ioremap_resource(dev, res);
-- if (IS_ERR(qspi->base[MSPI]))
-- return PTR_ERR(qspi->base[MSPI]);
-- } else {
-- return 0;
-- }
-+ qspi->base[MSPI] = devm_ioremap_resource(dev, res);
-+ if (IS_ERR(qspi->base[MSPI]))
-+ return PTR_ERR(qspi->base[MSPI]);
-
- res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi");
- if (res) {
---
-2.39.2
-
+++ /dev/null
-From 05d73b5b40011e55975b3dbf8e12a4af4bc43847 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 29 Jun 2023 09:14:52 +0200
-Subject: spi: bcm63xx: fix max prepend length
-
-From: Jonas Gorski <jonas.gorski@gmail.com>
-
-[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ]
-
-The command word is defined as following:
-
- /* Command */
- #define SPI_CMD_COMMAND_SHIFT 0
- #define SPI_CMD_DEVICE_ID_SHIFT 4
- #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8
- #define SPI_CMD_ONE_BYTE_SHIFT 11
- #define SPI_CMD_ONE_WIRE_SHIFT 12
-
-If the prepend byte count field starts at bit 8, and the next defined
-bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and
-thus the max value is 7, not 15.
-
-Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
-Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
-Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/spi/spi-bcm63xx.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
-index bfe5754768f97..cc6ec3fb5bfdf 100644
---- a/drivers/spi/spi-bcm63xx.c
-+++ b/drivers/spi/spi-bcm63xx.c
-@@ -134,7 +134,7 @@ enum bcm63xx_regs_spi {
- SPI_MSG_DATA_SIZE,
- };
-
--#define BCM63XX_SPI_MAX_PREPEND 15
-+#define BCM63XX_SPI_MAX_PREPEND 7
-
- #define BCM63XX_SPI_MAX_CS 8
- #define BCM63XX_SPI_BUS_NUM 0
---
-2.39.2
-
+++ /dev/null
-From a798a7086c38d91d304132c194cff9f02197f5cd Mon Sep 17 00:00:00 2001
-From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-Date: Wed, 27 Mar 2019 14:30:51 +0000
-Subject: spi: spi-fsl-spi: allow changing bits_per_word while CS is still active
-
-From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-
-commit a798a7086c38d91d304132c194cff9f02197f5cd upstream.
-
-Commit c9bfcb315104 (spi_mpc83xx: much improved driver) introduced
-logic to ensure bits_per_word and speed_hz stay the same for a series
-of spi_transfers with CS active, arguing that
-
- The current driver may cause glitches on SPI CLK line since one
- must disable the SPI controller before changing any HW settings.
-
-This sounds quite reasonable. So this is a quite naive attempt at
-relaxing this sanity checking to only ensure that speed_hz is
-constant - in the faint hope that if we do not causes changes to the
-clock-related fields of the SPMODE register (DIV16 and PM), those
-glitches won't appear.
-
-The purpose of this change is to allow automatically optimizing large
-transfers to use 32 bits-per-word; taking one interrupt for every byte
-is extremely slow.
-
-Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/spi/spi-fsl-spi.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/drivers/spi/spi-fsl-spi.c
-+++ b/drivers/spi/spi-fsl-spi.c
-@@ -339,7 +339,7 @@ static int fsl_spi_do_one_msg(struct spi
- struct spi_transfer *t, *first;
- unsigned int cs_change;
- const int nsecs = 50;
-- int status;
-+ int status, last_bpw;
-
- /*
- * In CPU mode, optimize large byte transfers to use larger
-@@ -378,21 +378,22 @@ static int fsl_spi_do_one_msg(struct spi
- if (cs_change)
- first = t;
- cs_change = t->cs_change;
-- if ((first->bits_per_word != t->bits_per_word) ||
-- (first->speed_hz != t->speed_hz)) {
-+ if (first->speed_hz != t->speed_hz) {
- dev_err(&spi->dev,
-- "bits_per_word/speed_hz cannot change while CS is active\n");
-+ "speed_hz cannot change while CS is active\n");
- return -EINVAL;
- }
- }
-
-+ last_bpw = -1;
- cs_change = 1;
- status = -EINVAL;
- list_for_each_entry(t, &m->transfers, transfer_list) {
-- if (cs_change)
-+ if (cs_change || last_bpw != t->bits_per_word)
- status = fsl_spi_setup_transfer(spi, t);
- if (status < 0)
- break;
-+ last_bpw = t->bits_per_word;
-
- if (cs_change) {
- fsl_spi_chipselect(spi, BITBANG_CS_ACTIVE);
+++ /dev/null
-From 17ecffa289489e8442306bbc62ebb964e235cdad Mon Sep 17 00:00:00 2001
-From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-Date: Wed, 27 Mar 2019 14:30:51 +0000
-Subject: spi: spi-fsl-spi: relax message sanity checking a little
-
-From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-
-commit 17ecffa289489e8442306bbc62ebb964e235cdad upstream.
-
-The comment says that we should not allow changes (to
-bits_per_word/speed_hz) while CS is active, and indeed the code below
-does fsl_spi_setup_transfer() when the ->cs_change of the previous
-spi_transfer was set (and for the very first transfer).
-
-So the sanity checking is a bit too strict - we can change it to
-follow the same logic as is used by the actual transfer loop.
-
-Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/spi/spi-fsl-spi.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
---- a/drivers/spi/spi-fsl-spi.c
-+++ b/drivers/spi/spi-fsl-spi.c
-@@ -373,13 +373,15 @@ static int fsl_spi_do_one_msg(struct spi
- }
-
- /* Don't allow changes if CS is active */
-- first = list_first_entry(&m->transfers, struct spi_transfer,
-- transfer_list);
-+ cs_change = 1;
- list_for_each_entry(t, &m->transfers, transfer_list) {
-+ if (cs_change)
-+ first = t;
-+ cs_change = t->cs_change;
- if ((first->bits_per_word != t->bits_per_word) ||
- (first->speed_hz != t->speed_hz)) {
- dev_err(&spi->dev,
-- "bits_per_word/speed_hz should be same for the same SPI transfer\n");
-+ "bits_per_word/speed_hz cannot change while CS is active\n");
- return -EINVAL;
- }
- }
+++ /dev/null
-From 24c363623361b430fb79459ca922e816e6f48603 Mon Sep 17 00:00:00 2001
-From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-Date: Wed, 27 Mar 2019 14:30:50 +0000
-Subject: spi: spi-fsl-spi: remove always-true conditional in fsl_spi_do_one_msg
-
-From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-
-commit 24c363623361b430fb79459ca922e816e6f48603 upstream.
-
-__spi_validate() in the generic SPI code sets ->speed_hz and
-->bits_per_word to non-zero values, so this condition is always true.
-
-Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/spi/spi-fsl-spi.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
---- a/drivers/spi/spi-fsl-spi.c
-+++ b/drivers/spi/spi-fsl-spi.c
-@@ -387,12 +387,10 @@ static int fsl_spi_do_one_msg(struct spi
- cs_change = 1;
- status = -EINVAL;
- list_for_each_entry(t, &m->transfers, transfer_list) {
-- if (t->bits_per_word || t->speed_hz) {
-- if (cs_change)
-- status = fsl_spi_setup_transfer(spi, t);
-- if (status < 0)
-- break;
-- }
-+ if (cs_change)
-+ status = fsl_spi_setup_transfer(spi, t);
-+ if (status < 0)
-+ break;
-
- if (cs_change) {
- fsl_spi_chipselect(spi, BITBANG_CS_ACTIVE);
+++ /dev/null
-From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001
-From: Ding Hui <dinghui@sangfor.com.cn>
-Date: Mon, 15 May 2023 10:13:07 +0800
-Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
-
-From: Ding Hui <dinghui@sangfor.com.cn>
-
-commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream.
-
-After the listener svc_sock is freed, and before invoking svc_tcp_accept()
-for the established child sock, there is a window that the newsock
-retaining a freed listener svc_sock in sk_user_data which cloning from
-parent. In the race window, if data is received on the newsock, we will
-observe use-after-free report in svc_tcp_listen_data_ready().
-
-Reproduce by two tasks:
-
-1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
-2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
-
-KASAN report:
-
- ==================================================================
- BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
- Read of size 8 at addr ffff888139d96228 by task nc/102553
- CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
- Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
- Call Trace:
- <IRQ>
- dump_stack_lvl+0x33/0x50
- print_address_description.constprop.0+0x27/0x310
- print_report+0x3e/0x70
- kasan_report+0xae/0xe0
- svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
- tcp_data_queue+0x9f4/0x20e0
- tcp_rcv_established+0x666/0x1f60
- tcp_v4_do_rcv+0x51c/0x850
- tcp_v4_rcv+0x23fc/0x2e80
- ip_protocol_deliver_rcu+0x62/0x300
- ip_local_deliver_finish+0x267/0x350
- ip_local_deliver+0x18b/0x2d0
- ip_rcv+0x2fb/0x370
- __netif_receive_skb_one_core+0x166/0x1b0
- process_backlog+0x24c/0x5e0
- __napi_poll+0xa2/0x500
- net_rx_action+0x854/0xc90
- __do_softirq+0x1bb/0x5de
- do_softirq+0xcb/0x100
- </IRQ>
- <TASK>
- ...
- </TASK>
-
- Allocated by task 102371:
- kasan_save_stack+0x1e/0x40
- kasan_set_track+0x21/0x30
- __kasan_kmalloc+0x7b/0x90
- svc_setup_socket+0x52/0x4f0 [sunrpc]
- svc_addsock+0x20d/0x400 [sunrpc]
- __write_ports_addfd+0x209/0x390 [nfsd]
- write_ports+0x239/0x2c0 [nfsd]
- nfsctl_transaction_write+0xac/0x110 [nfsd]
- vfs_write+0x1c3/0xae0
- ksys_write+0xed/0x1c0
- do_syscall_64+0x38/0x90
- entry_SYSCALL_64_after_hwframe+0x72/0xdc
-
- Freed by task 102551:
- kasan_save_stack+0x1e/0x40
- kasan_set_track+0x21/0x30
- kasan_save_free_info+0x2a/0x50
- __kasan_slab_free+0x106/0x190
- __kmem_cache_free+0x133/0x270
- svc_xprt_free+0x1e2/0x350 [sunrpc]
- svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
- nfsd_put+0x125/0x240 [nfsd]
- nfsd_svc+0x2cb/0x3c0 [nfsd]
- write_threads+0x1ac/0x2a0 [nfsd]
- nfsctl_transaction_write+0xac/0x110 [nfsd]
- vfs_write+0x1c3/0xae0
- ksys_write+0xed/0x1c0
- do_syscall_64+0x38/0x90
- entry_SYSCALL_64_after_hwframe+0x72/0xdc
-
-Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
-if state != TCP_LISTEN, that will avoid dereferencing svsk for all
-child socket.
-
-Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/
-Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding")
-Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/sunrpc/svcsock.c | 27 +++++++++++++--------------
- 1 file changed, 13 insertions(+), 14 deletions(-)
-
---- a/net/sunrpc/svcsock.c
-+++ b/net/sunrpc/svcsock.c
-@@ -757,12 +757,6 @@ static void svc_tcp_listen_data_ready(st
- dprintk("svc: socket %p TCP (listen) state change %d\n",
- sk, sk->sk_state);
-
-- if (svsk) {
-- /* Refer to svc_setup_socket() for details. */
-- rmb();
-- svsk->sk_odata(sk);
-- }
--
- /*
- * This callback may called twice when a new connection
- * is established as a child socket inherits everything
-@@ -771,15 +765,20 @@ static void svc_tcp_listen_data_ready(st
- * when one of child sockets become ESTABLISHED.
- * 2) data_ready method of the child socket may be called
- * when it receives data before the socket is accepted.
-- * In case of 2, we should ignore it silently.
-+ * In case of 2, we should ignore it silently and DO NOT
-+ * dereference svsk.
- */
-- if (sk->sk_state == TCP_LISTEN) {
-- if (svsk) {
-- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
-- svc_xprt_enqueue(&svsk->sk_xprt);
-- } else
-- printk("svc: socket %p: no user data\n", sk);
-- }
-+ if (sk->sk_state != TCP_LISTEN)
-+ return;
-+
-+ if (svsk) {
-+ /* Refer to svc_setup_socket() for details. */
-+ rmb();
-+ svsk->sk_odata(sk);
-+ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
-+ svc_xprt_enqueue(&svsk->sk_xprt);
-+ } else
-+ printk("svc: socket %p: no user data\n", sk);
- }
-
- /*
+++ /dev/null
-From c6189e65ece39fd095d8e0458ccd06c8f3fde811 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 19 Jul 2023 21:28:57 +0000
-Subject: tcp: annotate data-races around fastopenq.max_qlen
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ]
-
-This field can be read locklessly.
-
-Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/tcp.h | 2 +-
- net/ipv4/tcp.c | 2 +-
- net/ipv4/tcp_fastopen.c | 6 ++++--
- 3 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/include/linux/tcp.h b/include/linux/tcp.h
-index 621ab5a7fb8fa..0d63a428e6f9c 100644
---- a/include/linux/tcp.h
-+++ b/include/linux/tcp.h
-@@ -460,7 +460,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)
- struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
- int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn);
-
-- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);
-+ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn));
- }
-
- static inline void tcp_move_syn(struct tcp_sock *tp,
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 373bf3d3be592..00648a478c6a5 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3554,7 +3554,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
- break;
-
- case TCP_FASTOPEN:
-- val = icsk->icsk_accept_queue.fastopenq.max_qlen;
-+ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen);
- break;
-
- case TCP_FASTOPEN_CONNECT:
-diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
-index f726591de7c7a..f7bb78b443fa9 100644
---- a/net/ipv4/tcp_fastopen.c
-+++ b/net/ipv4/tcp_fastopen.c
-@@ -276,6 +276,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
- static bool tcp_fastopen_queue_check(struct sock *sk)
- {
- struct fastopen_queue *fastopenq;
-+ int max_qlen;
-
- /* Make sure the listener has enabled fastopen, and we don't
- * exceed the max # of pending TFO requests allowed before trying
-@@ -288,10 +289,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
- * temporarily vs a server not supporting Fast Open at all.
- */
- fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
-- if (fastopenq->max_qlen == 0)
-+ max_qlen = READ_ONCE(fastopenq->max_qlen);
-+ if (max_qlen == 0)
- return false;
-
-- if (fastopenq->qlen >= fastopenq->max_qlen) {
-+ if (fastopenq->qlen >= max_qlen) {
- struct request_sock *req1;
- spin_lock(&fastopenq->lock);
- req1 = fastopenq->rskq_rst_head;
---
-2.39.2
-
+++ /dev/null
-From d86223ba68246e87777a5988576f296dc862d1ff Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 19 Jul 2023 21:28:54 +0000
-Subject: tcp: annotate data-races around rskq_defer_accept
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ]
-
-do_tcp_getsockopt() reads rskq_defer_accept while another cpu
-might change its value.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/tcp.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 4711963413a49..853a33bf8863e 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3009,9 +3009,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
-
- case TCP_DEFER_ACCEPT:
- /* Translate value in seconds to number of retransmits */
-- icsk->icsk_accept_queue.rskq_defer_accept =
-- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
-- TCP_RTO_MAX / HZ);
-+ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept,
-+ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
-+ TCP_RTO_MAX / HZ));
- break;
-
- case TCP_WINDOW_CLAMP:
-@@ -3406,8 +3406,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
- val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
- break;
- case TCP_DEFER_ACCEPT:
-- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
-- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
-+ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept);
-+ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ,
-+ TCP_RTO_MAX / HZ);
- break;
- case TCP_WINDOW_CLAMP:
- val = tp->window_clamp;
---
-2.39.2
-
+++ /dev/null
-From e94e0409f44504d34b6f41dc533d8c1ae777761e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 19 Jul 2023 21:28:53 +0000
-Subject: tcp: annotate data-races around tp->linger2
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ]
-
-do_tcp_getsockopt() reads tp->linger2 while another cpu
-might change its value.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/tcp.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 9f3cdcbbb7590..4711963413a49 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3000,11 +3000,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
-
- case TCP_LINGER2:
- if (val < 0)
-- tp->linger2 = -1;
-+ WRITE_ONCE(tp->linger2, -1);
- else if (val > TCP_FIN_TIMEOUT_MAX / HZ)
-- tp->linger2 = TCP_FIN_TIMEOUT_MAX;
-+ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX);
- else
-- tp->linger2 = val * HZ;
-+ WRITE_ONCE(tp->linger2, val * HZ);
- break;
-
- case TCP_DEFER_ACCEPT:
-@@ -3401,7 +3401,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
- val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
- break;
- case TCP_LINGER2:
-- val = tp->linger2;
-+ val = READ_ONCE(tp->linger2);
- if (val >= 0)
- val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
- break;
---
-2.39.2
-
+++ /dev/null
-From f3ce1b988ff336ba962b41f0b9a23603d714b5de Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 19 Jul 2023 21:28:55 +0000
-Subject: tcp: annotate data-races around tp->notsent_lowat
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ]
-
-tp->notsent_lowat can be read locklessly from do_tcp_getsockopt()
-and tcp_poll().
-
-Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/tcp.h | 6 +++++-
- net/ipv4/tcp.c | 4 ++--
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 22cca858f2678..c6c48409e7b42 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -1883,7 +1883,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr);
- static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp)
- {
- struct net *net = sock_net((struct sock *)tp);
-- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
-+ u32 val;
-+
-+ val = READ_ONCE(tp->notsent_lowat);
-+
-+ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
- }
-
- /* @wake is one when sk_stream_write_space() calls us.
-diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
-index 853a33bf8863e..373bf3d3be592 100644
---- a/net/ipv4/tcp.c
-+++ b/net/ipv4/tcp.c
-@@ -3099,7 +3099,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
- err = tcp_repair_set_window(tp, optval, optlen);
- break;
- case TCP_NOTSENT_LOWAT:
-- tp->notsent_lowat = val;
-+ WRITE_ONCE(tp->notsent_lowat, val);
- sk->sk_write_space(sk);
- break;
- case TCP_INQ:
-@@ -3569,7 +3569,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
- val = tcp_time_stamp_raw() + tp->tsoffset;
- break;
- case TCP_NOTSENT_LOWAT:
-- val = tp->notsent_lowat;
-+ val = READ_ONCE(tp->notsent_lowat);
- break;
- case TCP_INQ:
- val = tp->recvmsg_inq;
---
-2.39.2
-
+++ /dev/null
-From 36d7bf742ab5800923fe42f090516a1a2792401c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 29 Jun 2023 16:41:50 +0000
-Subject: tcp: annotate data races in __tcp_oow_rate_limited()
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 998127cdb4699b9d470a9348ffe9f1154346be5f ]
-
-request sockets are lockless, __tcp_oow_rate_limited() could be called
-on the same object from different cpus. This is harmless.
-
-Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report.
-
-Fixes: 4ce7e93cb3fe ("tcp: rate limit ACK sent by SYN_RECV request sockets")
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/tcp_input.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index bd921fa7b9ab4..281f7799aeafc 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3429,8 +3429,11 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
- static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
- u32 *last_oow_ack_time)
- {
-- if (*last_oow_ack_time) {
-- s32 elapsed = (s32)(tcp_jiffies32 - *last_oow_ack_time);
-+ /* Paired with the WRITE_ONCE() in this function. */
-+ u32 val = READ_ONCE(*last_oow_ack_time);
-+
-+ if (val) {
-+ s32 elapsed = (s32)(tcp_jiffies32 - val);
-
- if (0 <= elapsed &&
- elapsed < READ_ONCE(net->ipv4.sysctl_tcp_invalid_ratelimit)) {
-@@ -3439,7 +3442,10 @@ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
- }
- }
-
-- *last_oow_ack_time = tcp_jiffies32;
-+ /* Paired with the prior READ_ONCE() and with itself,
-+ * as we might be lockless.
-+ */
-+ WRITE_ONCE(*last_oow_ack_time, tcp_jiffies32);
-
- return false; /* not rate-limited: go ahead, send dupack now! */
- }
---
-2.39.2
-
+++ /dev/null
-From f4032d615f90970d6c3ac1d9c0bce3351eb4445c Mon Sep 17 00:00:00 2001
-From: Jarkko Sakkinen <jarkko.sakkinen@tuni.fi>
-Date: Tue, 16 May 2023 01:25:54 +0300
-Subject: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
-
-From: Jarkko Sakkinen <jarkko.sakkinen@tuni.fi>
-
-commit f4032d615f90970d6c3ac1d9c0bce3351eb4445c upstream.
-
-/dev/vtpmx is made visible before 'workqueue' is initialized, which can
-lead to a memory corruption in the worst case scenario.
-
-Address this by initializing 'workqueue' as the very first step of the
-driver initialization.
-
-Cc: stable@vger.kernel.org
-Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs")
-Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
-Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@tuni.fi>
-Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/char/tpm/tpm_vtpm_proxy.c | 30 +++++++-----------------------
- 1 file changed, 7 insertions(+), 23 deletions(-)
-
---- a/drivers/char/tpm/tpm_vtpm_proxy.c
-+++ b/drivers/char/tpm/tpm_vtpm_proxy.c
-@@ -700,37 +700,21 @@ static struct miscdevice vtpmx_miscdev =
- .fops = &vtpmx_fops,
- };
-
--static int vtpmx_init(void)
--{
-- return misc_register(&vtpmx_miscdev);
--}
--
--static void vtpmx_cleanup(void)
--{
-- misc_deregister(&vtpmx_miscdev);
--}
--
- static int __init vtpm_module_init(void)
- {
- int rc;
-
-- rc = vtpmx_init();
-- if (rc) {
-- pr_err("couldn't create vtpmx device\n");
-- return rc;
-- }
--
- workqueue = create_workqueue("tpm-vtpm");
- if (!workqueue) {
- pr_err("couldn't create workqueue\n");
-- rc = -ENOMEM;
-- goto err_vtpmx_cleanup;
-+ return -ENOMEM;
- }
-
-- return 0;
--
--err_vtpmx_cleanup:
-- vtpmx_cleanup();
-+ rc = misc_register(&vtpmx_miscdev);
-+ if (rc) {
-+ pr_err("couldn't create vtpmx device\n");
-+ destroy_workqueue(workqueue);
-+ }
-
- return rc;
- }
-@@ -738,7 +722,7 @@ err_vtpmx_cleanup:
- static void __exit vtpm_module_exit(void)
- {
- destroy_workqueue(workqueue);
-- vtpmx_cleanup();
-+ misc_deregister(&vtpmx_miscdev);
- }
-
- module_init(vtpm_module_init);
+++ /dev/null
-From 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 Mon Sep 17 00:00:00 2001
-From: Mohamed Khalfella <mkhalfella@purestorage.com>
-Date: Wed, 12 Jul 2023 22:30:21 +0000
-Subject: tracing/histograms: Add histograms to hist_vars if they have referenced variables
-
-From: Mohamed Khalfella <mkhalfella@purestorage.com>
-
-commit 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 upstream.
-
-Hist triggers can have referenced variables without having direct
-variables fields. This can be the case if referenced variables are added
-for trigger actions. In this case the newly added references will not
-have field variables. Not taking such referenced variables into
-consideration can result in a bug where it would be possible to remove
-hist trigger with variables being refenced. This will result in a bug
-that is easily reproducable like so
-
-$ cd /sys/kernel/tracing
-$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events
-$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
-$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger
-$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
-
-[ 100.263533] ==================================================================
-[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180
-[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439
-[ 100.266320]
-[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4
-[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
-[ 100.268561] Call Trace:
-[ 100.268902] <TASK>
-[ 100.269189] dump_stack_lvl+0x4c/0x70
-[ 100.269680] print_report+0xc5/0x600
-[ 100.270165] ? resolve_var_refs+0xc7/0x180
-[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0
-[ 100.271389] ? resolve_var_refs+0xc7/0x180
-[ 100.271913] kasan_report+0xbd/0x100
-[ 100.272380] ? resolve_var_refs+0xc7/0x180
-[ 100.272920] __asan_load8+0x71/0xa0
-[ 100.273377] resolve_var_refs+0xc7/0x180
-[ 100.273888] event_hist_trigger+0x749/0x860
-[ 100.274505] ? kasan_save_stack+0x2a/0x50
-[ 100.275024] ? kasan_set_track+0x29/0x40
-[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10
-[ 100.276138] ? ksys_write+0xd1/0x170
-[ 100.276607] ? do_syscall_64+0x3c/0x90
-[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
-[ 100.277771] ? destroy_hist_data+0x446/0x470
-[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860
-[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10
-[ 100.279627] ? __kasan_check_write+0x18/0x20
-[ 100.280177] ? mutex_unlock+0x85/0xd0
-[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10
-[ 100.281200] ? kfree+0x7b/0x120
-[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0
-[ 100.282197] ? event_trigger_write+0xac/0x100
-[ 100.282764] ? __kasan_slab_free+0x16/0x20
-[ 100.283293] ? __kmem_cache_free+0x153/0x2f0
-[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250
-[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10
-[ 100.285221] ? event_trigger_write+0xbc/0x100
-[ 100.285781] ? __kasan_check_read+0x15/0x20
-[ 100.286321] ? __bitmap_weight+0x66/0xa0
-[ 100.286833] ? _find_next_bit+0x46/0xe0
-[ 100.287334] ? task_mm_cid_work+0x37f/0x450
-[ 100.287872] event_triggers_call+0x84/0x150
-[ 100.288408] trace_event_buffer_commit+0x339/0x430
-[ 100.289073] ? ring_buffer_event_data+0x3f/0x60
-[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0
-[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0
-[ 100.298653] syscall_enter_from_user_mode+0x32/0x40
-[ 100.301808] do_syscall_64+0x1a/0x90
-[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
-[ 100.307775] RIP: 0033:0x7f686c75c1cb
-[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48
-[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021
-[ 100.321200] RAX: ffffffffffffffda RBX: 000055f566469ea0 RCX: 00007f686c75c1cb
-[ 100.324631] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 000000000000000a
-[ 100.328104] RBP: 00007ffc60137ac0 R08: 00007f686c818460 R09: 000000000000000a
-[ 100.331509] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
-[ 100.334992] R13: 0000000000000007 R14: 000000000000000a R15: 0000000000000007
-[ 100.338381] </TASK>
-
-We hit the bug because when second hist trigger has was created
-has_hist_vars() returned false because hist trigger did not have
-variables. As a result of that save_hist_vars() was not called to add
-the trigger to trace_array->hist_vars. Later on when we attempted to
-remove the first histogram find_any_var_ref() failed to detect it is
-being used because it did not find the second trigger in hist_vars list.
-
-With this change we wait until trigger actions are created so we can take
-into consideration if hist trigger has variable references. Also, now we
-check the return value of save_hist_vars() and fail trigger creation if
-save_hist_vars() fails.
-
-Link: https://lore.kernel.org/linux-trace-kernel/20230712223021.636335-1-mkhalfella@purestorage.com
-
-Cc: stable@vger.kernel.org
-Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers")
-Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
-Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/trace/trace_events_hist.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
---- a/kernel/trace/trace_events_hist.c
-+++ b/kernel/trace/trace_events_hist.c
-@@ -5787,13 +5787,15 @@ static int event_hist_trigger_func(struc
- if (get_named_trigger_data(trigger_data))
- goto enable;
-
-- if (has_hist_vars(hist_data))
-- save_hist_vars(hist_data);
--
- ret = create_actions(hist_data, file);
- if (ret)
- goto out_unreg;
-
-+ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
-+ if (save_hist_vars(hist_data))
-+ goto out_unreg;
-+ }
-+
- ret = tracing_map_init(hist_data->map);
- if (ret)
- goto out_unreg;
+++ /dev/null
-From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001
-From: Mohamed Khalfella <mkhalfella@purestorage.com>
-Date: Fri, 14 Jul 2023 20:33:41 +0000
-Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list
-
-From: Mohamed Khalfella <mkhalfella@purestorage.com>
-
-commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream.
-
-Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if
-they have referenced variables") added a check to fail histogram creation
-if save_hist_vars() failed to add histogram to hist_vars list. But the
-commit failed to set ret to failed return code before jumping to
-unregister histogram, fix it.
-
-Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com
-
-Cc: stable@vger.kernel.org
-Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables")
-Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
-Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/trace/trace_events_hist.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/kernel/trace/trace_events_hist.c
-+++ b/kernel/trace/trace_events_hist.c
-@@ -5792,7 +5792,8 @@ static int event_hist_trigger_func(struc
- goto out_unreg;
-
- if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
-- if (save_hist_vars(hist_data))
-+ ret = save_hist_vars(hist_data);
-+ if (ret)
- goto out_unreg;
- }
-
+++ /dev/null
-From 0638dcc7e75fbb766761e7b4694d0f0f141bbbd1 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 3 Jun 2020 13:09:38 -0700
-Subject: treewide: Remove uninitialized_var() usage
-
-From: Kees Cook <keescook@chromium.org>
-
-commit 3f649ab728cda8038259d8f14492fe400fbab911 upstream.
-
-Using uninitialized_var() is dangerous as it papers over real bugs[1]
-(or can in the future), and suppresses unrelated compiler warnings
-(e.g. "unused variable"). If the compiler thinks it is uninitialized,
-either simply initialize the variable or make compiler changes.
-
-In preparation for removing[2] the[3] macro[4], remove all remaining
-needless uses with the following script:
-
-git grep '\buninitialized_var\b' | cut -d: -f1 | sort -u | \
- xargs perl -pi -e \
- 's/\buninitialized_var\(([^\)]+)\)/\1/g;
- s:\s*/\* (GCC be quiet|to make compiler happy) \*/$::g;'
-
-drivers/video/fbdev/riva/riva_hw.c was manually tweaked to avoid
-pathological white-space.
-
-No outstanding warnings were found building allmodconfig with GCC 9.3.0
-for x86_64, i386, arm64, arm, powerpc, powerpc64le, s390x, mips, sparc64,
-alpha, and m68k.
-
-[1] https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/
-[2] https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/
-[3] https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/
-[4] https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/
-
-Reviewed-by: Leon Romanovsky <leonro@mellanox.com> # drivers/infiniband and mlx4/mlx5
-Acked-by: Jason Gunthorpe <jgg@mellanox.com> # IB
-Acked-by: Kalle Valo <kvalo@codeaurora.org> # wireless drivers
-Reviewed-by: Chao Yu <yuchao0@huawei.com> # erofs
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/mach-sa1100/assabet.c | 2 +-
- arch/ia64/kernel/process.c | 2 +-
- arch/ia64/mm/discontig.c | 2 +-
- arch/ia64/mm/tlb.c | 2 +-
- arch/powerpc/platforms/52xx/mpc52xx_pic.c | 2 +-
- arch/s390/kernel/smp.c | 2 +-
- arch/x86/kernel/quirks.c | 10 +++++-----
- drivers/acpi/acpi_pad.c | 2 +-
- drivers/ata/libata-scsi.c | 2 +-
- drivers/atm/zatm.c | 2 +-
- drivers/block/drbd/drbd_nl.c | 6 +++---
- drivers/clk/clk-gate.c | 2 +-
- drivers/firewire/ohci.c | 14 +++++++-------
- drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
- drivers/gpu/drm/drm_edid.c | 2 +-
- drivers/gpu/drm/exynos/exynos_drm_dsi.c | 6 +++---
- drivers/i2c/busses/i2c-rk3x.c | 2 +-
- drivers/ide/ide-acpi.c | 2 +-
- drivers/ide/ide-atapi.c | 2 +-
- drivers/ide/ide-io-std.c | 4 ++--
- drivers/ide/ide-io.c | 8 ++++----
- drivers/ide/ide-sysfs.c | 2 +-
- drivers/ide/umc8672.c | 2 +-
- drivers/infiniband/core/uverbs_cmd.c | 4 ++--
- drivers/infiniband/hw/cxgb4/cm.c | 2 +-
- drivers/infiniband/hw/cxgb4/cq.c | 2 +-
- drivers/infiniband/hw/mlx4/qp.c | 6 +++---
- drivers/infiniband/hw/mlx5/cq.c | 2 +-
- drivers/infiniband/hw/mthca/mthca_qp.c | 10 +++++-----
- drivers/input/serio/serio_raw.c | 2 +-
- drivers/md/dm-io.c | 2 +-
- drivers/md/dm-ioctl.c | 2 +-
- drivers/md/dm-snap-persistent.c | 2 +-
- drivers/md/dm-table.c | 2 +-
- drivers/md/raid5.c | 2 +-
- drivers/media/dvb-frontends/rtl2832.c | 2 +-
- drivers/media/tuners/qt1010.c | 4 ++--
- drivers/media/usb/gspca/vicam.c | 2 +-
- drivers/media/usb/uvc/uvc_video.c | 8 ++++----
- drivers/memstick/host/jmb38x_ms.c | 2 +-
- drivers/memstick/host/tifm_ms.c | 2 +-
- drivers/mmc/host/sdhci.c | 2 +-
- drivers/mtd/nand/raw/nand_ecc.c | 2 +-
- drivers/mtd/nand/raw/s3c2410.c | 2 +-
- drivers/mtd/ubi/eba.c | 2 +-
- drivers/net/can/janz-ican3.c | 2 +-
- drivers/net/ethernet/broadcom/bnx2.c | 4 ++--
- drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 4 ++--
- drivers/net/ethernet/neterion/s2io.c | 2 +-
- drivers/net/ethernet/qlogic/qla3xxx.c | 2 +-
- drivers/net/ethernet/sun/cassini.c | 2 +-
- drivers/net/ethernet/sun/niu.c | 6 +++---
- drivers/net/wan/z85230.c | 2 +-
- drivers/net/wireless/ath/ath10k/core.c | 2 +-
- drivers/net/wireless/ath/ath6kl/init.c | 2 +-
- drivers/net/wireless/ath/ath9k/init.c | 2 +-
- drivers/net/wireless/broadcom/b43/debugfs.c | 2 +-
- drivers/net/wireless/broadcom/b43/dma.c | 2 +-
- drivers/net/wireless/broadcom/b43/lo.c | 2 +-
- drivers/net/wireless/broadcom/b43/phy_n.c | 2 +-
- drivers/net/wireless/broadcom/b43/xmit.c | 12 ++++++------
- drivers/net/wireless/broadcom/b43legacy/debugfs.c | 2 +-
- drivers/net/wireless/broadcom/b43legacy/main.c | 2 +-
- drivers/net/wireless/intel/iwlegacy/3945.c | 2 +-
- drivers/net/wireless/intel/iwlegacy/4965-mac.c | 2 +-
- drivers/platform/x86/hdaps.c | 4 ++--
- drivers/scsi/dc395x.c | 2 +-
- drivers/scsi/pm8001/pm8001_hwi.c | 2 +-
- drivers/scsi/pm8001/pm80xx_hwi.c | 2 +-
- drivers/ssb/driver_chipcommon.c | 4 ++--
- drivers/tty/cyclades.c | 2 +-
- drivers/tty/isicom.c | 2 +-
- drivers/usb/musb/cppi_dma.c | 2 +-
- drivers/usb/storage/sddr55.c | 4 ++--
- drivers/vhost/net.c | 4 ++--
- drivers/video/fbdev/matrox/matroxfb_maven.c | 6 +++---
- drivers/video/fbdev/pm3fb.c | 6 +++---
- drivers/video/fbdev/riva/riva_hw.c | 3 +--
- drivers/virtio/virtio_ring.c | 2 +-
- fs/afs/dir.c | 2 +-
- fs/afs/security.c | 2 +-
- fs/dlm/netlink.c | 2 +-
- fs/fat/dir.c | 2 +-
- fs/fuse/control.c | 2 +-
- fs/fuse/cuse.c | 2 +-
- fs/fuse/file.c | 2 +-
- fs/gfs2/aops.c | 2 +-
- fs/gfs2/bmap.c | 2 +-
- fs/hfsplus/unicode.c | 2 +-
- fs/isofs/namei.c | 4 ++--
- fs/jffs2/erase.c | 2 +-
- fs/nfsd/nfsctl.c | 2 +-
- fs/ocfs2/alloc.c | 4 ++--
- fs/ocfs2/dir.c | 14 +++++++-------
- fs/ocfs2/extent_map.c | 4 ++--
- fs/ocfs2/namei.c | 2 +-
- fs/ocfs2/refcounttree.c | 2 +-
- fs/ocfs2/xattr.c | 2 +-
- fs/omfs/file.c | 2 +-
- fs/overlayfs/copy_up.c | 2 +-
- fs/ubifs/commit.c | 6 +++---
- fs/ubifs/dir.c | 2 +-
- fs/ubifs/file.c | 4 ++--
- fs/ubifs/journal.c | 2 +-
- fs/ubifs/lpt.c | 2 +-
- fs/ubifs/tnc.c | 6 +++---
- fs/ubifs/tnc_misc.c | 4 ++--
- fs/udf/balloc.c | 2 +-
- fs/xfs/xfs_bmap_util.c | 2 +-
- kernel/async.c | 4 ++--
- kernel/audit.c | 2 +-
- kernel/dma/debug.c | 2 +-
- kernel/events/core.c | 2 +-
- kernel/events/uprobes.c | 2 +-
- kernel/exit.c | 2 +-
- kernel/futex.c | 12 ++++++------
- kernel/locking/lockdep.c | 6 +++---
- kernel/trace/ring_buffer.c | 2 +-
- lib/radix-tree.c | 2 +-
- mm/frontswap.c | 2 +-
- mm/ksm.c | 2 +-
- mm/memcontrol.c | 2 +-
- mm/mempolicy.c | 4 ++--
- mm/percpu.c | 2 +-
- mm/slub.c | 4 ++--
- mm/swap.c | 4 ++--
- net/dccp/options.c | 2 +-
- net/ipv4/netfilter/nf_socket_ipv4.c | 6 +++---
- net/ipv6/ip6_flowlabel.c | 2 +-
- net/ipv6/netfilter/nf_socket_ipv6.c | 2 +-
- net/netfilter/nf_conntrack_ftp.c | 2 +-
- net/netfilter/nfnetlink_log.c | 2 +-
- net/netfilter/nfnetlink_queue.c | 4 ++--
- net/sched/cls_flow.c | 2 +-
- net/sched/sch_cake.c | 2 +-
- net/sched/sch_cbq.c | 2 +-
- net/sched/sch_fq_codel.c | 2 +-
- net/sched/sch_sfq.c | 2 +-
- sound/core/control_compat.c | 2 +-
- sound/isa/sb/sb16_csp.c | 2 +-
- sound/usb/endpoint.c | 2 +-
- 141 files changed, 216 insertions(+), 217 deletions(-)
-
---- a/arch/arm/mach-sa1100/assabet.c
-+++ b/arch/arm/mach-sa1100/assabet.c
-@@ -570,7 +570,7 @@ static void __init map_sa1100_gpio_regs(
- */
- static void __init get_assabet_scr(void)
- {
-- unsigned long uninitialized_var(scr), i;
-+ unsigned long scr, i;
-
- GPDR |= 0x3fc; /* Configure GPIO 9:2 as outputs */
- GPSR = 0x3fc; /* Write 0xFF to GPIO 9:2 */
---- a/arch/ia64/kernel/process.c
-+++ b/arch/ia64/kernel/process.c
-@@ -444,7 +444,7 @@ static void
- do_copy_task_regs (struct task_struct *task, struct unw_frame_info *info, void *arg)
- {
- unsigned long mask, sp, nat_bits = 0, ar_rnat, urbs_end, cfm;
-- unsigned long uninitialized_var(ip); /* GCC be quiet */
-+ unsigned long ip;
- elf_greg_t *dst = arg;
- struct pt_regs *pt;
- char nat;
---- a/arch/ia64/mm/discontig.c
-+++ b/arch/ia64/mm/discontig.c
-@@ -181,7 +181,7 @@ static void *per_cpu_node_setup(void *cp
- void __init setup_per_cpu_areas(void)
- {
- struct pcpu_alloc_info *ai;
-- struct pcpu_group_info *uninitialized_var(gi);
-+ struct pcpu_group_info *gi;
- unsigned int *cpu_map;
- void *base;
- unsigned long base_offset;
---- a/arch/ia64/mm/tlb.c
-+++ b/arch/ia64/mm/tlb.c
-@@ -339,7 +339,7 @@ EXPORT_SYMBOL(flush_tlb_range);
-
- void ia64_tlb_init(void)
- {
-- ia64_ptce_info_t uninitialized_var(ptce_info); /* GCC be quiet */
-+ ia64_ptce_info_t ptce_info;
- u64 tr_pgbits;
- long status;
- pal_vm_info_1_u_t vm_info_1;
---- a/arch/powerpc/platforms/52xx/mpc52xx_pic.c
-+++ b/arch/powerpc/platforms/52xx/mpc52xx_pic.c
-@@ -340,7 +340,7 @@ static int mpc52xx_irqhost_map(struct ir
- {
- int l1irq;
- int l2irq;
-- struct irq_chip *uninitialized_var(irqchip);
-+ struct irq_chip *irqchip;
- void *hndlr;
- int type;
- u32 reg;
---- a/arch/s390/kernel/smp.c
-+++ b/arch/s390/kernel/smp.c
-@@ -145,7 +145,7 @@ static int pcpu_sigp_retry(struct pcpu *
-
- static inline int pcpu_stopped(struct pcpu *pcpu)
- {
-- u32 uninitialized_var(status);
-+ u32 status;
-
- if (__pcpu_sigp(pcpu->address, SIGP_SENSE,
- 0, &status) != SIGP_CC_STATUS_STORED)
---- a/arch/x86/kernel/quirks.c
-+++ b/arch/x86/kernel/quirks.c
-@@ -96,7 +96,7 @@ static void ich_force_hpet_resume(void)
- static void ich_force_enable_hpet(struct pci_dev *dev)
- {
- u32 val;
-- u32 uninitialized_var(rcba);
-+ u32 rcba;
- int err = 0;
-
- if (hpet_address || force_hpet_address)
-@@ -186,7 +186,7 @@ static void hpet_print_force_info(void)
- static void old_ich_force_hpet_resume(void)
- {
- u32 val;
-- u32 uninitialized_var(gen_cntl);
-+ u32 gen_cntl;
-
- if (!force_hpet_address || !cached_dev)
- return;
-@@ -208,7 +208,7 @@ static void old_ich_force_hpet_resume(vo
- static void old_ich_force_enable_hpet(struct pci_dev *dev)
- {
- u32 val;
-- u32 uninitialized_var(gen_cntl);
-+ u32 gen_cntl;
-
- if (hpet_address || force_hpet_address)
- return;
-@@ -299,7 +299,7 @@ static void vt8237_force_hpet_resume(voi
-
- static void vt8237_force_enable_hpet(struct pci_dev *dev)
- {
-- u32 uninitialized_var(val);
-+ u32 val;
-
- if (hpet_address || force_hpet_address)
- return;
-@@ -430,7 +430,7 @@ static void nvidia_force_hpet_resume(voi
-
- static void nvidia_force_enable_hpet(struct pci_dev *dev)
- {
-- u32 uninitialized_var(val);
-+ u32 val;
-
- if (hpet_address || force_hpet_address)
- return;
---- a/drivers/acpi/acpi_pad.c
-+++ b/drivers/acpi/acpi_pad.c
-@@ -95,7 +95,7 @@ static void round_robin_cpu(unsigned int
- cpumask_var_t tmp;
- int cpu;
- unsigned long min_weight = -1;
-- unsigned long uninitialized_var(preferred_cpu);
-+ unsigned long preferred_cpu;
-
- if (!alloc_cpumask_var(&tmp, GFP_KERNEL))
- return;
---- a/drivers/ata/libata-scsi.c
-+++ b/drivers/ata/libata-scsi.c
-@@ -178,7 +178,7 @@ static ssize_t ata_scsi_park_show(struct
- struct ata_link *link;
- struct ata_device *dev;
- unsigned long now;
-- unsigned int uninitialized_var(msecs);
-+ unsigned int msecs;
- int rc = 0;
-
- ap = ata_shost_to_port(sdev->host);
---- a/drivers/atm/zatm.c
-+++ b/drivers/atm/zatm.c
-@@ -939,7 +939,7 @@ static int open_tx_first(struct atm_vcc
- vcc->qos.txtp.max_pcr >= ATM_OC3_PCR);
- if (unlimited && zatm_dev->ubr != -1) zatm_vcc->shaper = zatm_dev->ubr;
- else {
-- int uninitialized_var(pcr);
-+ int pcr;
-
- if (unlimited) vcc->qos.txtp.max_sdu = ATM_MAX_AAL5_PDU;
- if ((zatm_vcc->shaper = alloc_shaper(vcc->dev,&pcr,
---- a/drivers/block/drbd/drbd_nl.c
-+++ b/drivers/block/drbd/drbd_nl.c
-@@ -3394,7 +3394,7 @@ int drbd_adm_dump_devices(struct sk_buff
- {
- struct nlattr *resource_filter;
- struct drbd_resource *resource;
-- struct drbd_device *uninitialized_var(device);
-+ struct drbd_device *device;
- int minor, err, retcode;
- struct drbd_genlmsghdr *dh;
- struct device_info device_info;
-@@ -3483,7 +3483,7 @@ int drbd_adm_dump_connections(struct sk_
- {
- struct nlattr *resource_filter;
- struct drbd_resource *resource = NULL, *next_resource;
-- struct drbd_connection *uninitialized_var(connection);
-+ struct drbd_connection *connection;
- int err = 0, retcode;
- struct drbd_genlmsghdr *dh;
- struct connection_info connection_info;
-@@ -3645,7 +3645,7 @@ int drbd_adm_dump_peer_devices(struct sk
- {
- struct nlattr *resource_filter;
- struct drbd_resource *resource;
-- struct drbd_device *uninitialized_var(device);
-+ struct drbd_device *device;
- struct drbd_peer_device *peer_device = NULL;
- int minor, err, retcode;
- struct drbd_genlmsghdr *dh;
---- a/drivers/clk/clk-gate.c
-+++ b/drivers/clk/clk-gate.c
-@@ -43,7 +43,7 @@ static void clk_gate_endisable(struct cl
- {
- struct clk_gate *gate = to_clk_gate(hw);
- int set = gate->flags & CLK_GATE_SET_TO_DISABLE ? 1 : 0;
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
- u32 reg;
-
- set ^= enable;
---- a/drivers/firewire/ohci.c
-+++ b/drivers/firewire/ohci.c
-@@ -1112,7 +1112,7 @@ static void context_tasklet(unsigned lon
- static int context_add_buffer(struct context *ctx)
- {
- struct descriptor_buffer *desc;
-- dma_addr_t uninitialized_var(bus_addr);
-+ dma_addr_t bus_addr;
- int offset;
-
- /*
-@@ -1302,7 +1302,7 @@ static int at_context_queue_packet(struc
- struct fw_packet *packet)
- {
- struct fw_ohci *ohci = ctx->ohci;
-- dma_addr_t d_bus, uninitialized_var(payload_bus);
-+ dma_addr_t d_bus, payload_bus;
- struct driver_data *driver_data;
- struct descriptor *d, *last;
- __le32 *header;
-@@ -2458,7 +2458,7 @@ static int ohci_set_config_rom(struct fw
- {
- struct fw_ohci *ohci;
- __be32 *next_config_rom;
-- dma_addr_t uninitialized_var(next_config_rom_bus);
-+ dma_addr_t next_config_rom_bus;
-
- ohci = fw_ohci(card);
-
-@@ -2947,10 +2947,10 @@ static struct fw_iso_context *ohci_alloc
- int type, int channel, size_t header_size)
- {
- struct fw_ohci *ohci = fw_ohci(card);
-- struct iso_context *uninitialized_var(ctx);
-- descriptor_callback_t uninitialized_var(callback);
-- u64 *uninitialized_var(channels);
-- u32 *uninitialized_var(mask), uninitialized_var(regs);
-+ struct iso_context *ctx;
-+ descriptor_callback_t callback;
-+ u64 *channels;
-+ u32 *mask, regs;
- int index, ret = -EBUSY;
-
- spin_lock_irq(&ohci->lock);
---- a/drivers/gpu/drm/bridge/sil-sii8620.c
-+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
-@@ -988,7 +988,7 @@ static void sii8620_set_auto_zone(struct
-
- static void sii8620_stop_video(struct sii8620 *ctx)
- {
-- u8 uninitialized_var(val);
-+ u8 val;
-
- sii8620_write_seq_static(ctx,
- REG_TPI_INTR_EN, 0,
---- a/drivers/gpu/drm/drm_edid.c
-+++ b/drivers/gpu/drm/drm_edid.c
-@@ -2778,7 +2778,7 @@ static int drm_cvt_modes(struct drm_conn
- const u8 empty[3] = { 0, 0, 0 };
-
- for (i = 0; i < 4; i++) {
-- int uninitialized_var(width), height;
-+ int width, height;
- cvt = &(timing->data.other_data.data.cvt[i]);
-
- if (!memcmp(cvt->code, empty, 3))
---- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c
-+++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c
-@@ -544,9 +544,9 @@ static unsigned long exynos_dsi_pll_find
- unsigned long best_freq = 0;
- u32 min_delta = 0xffffffff;
- u8 p_min, p_max;
-- u8 _p, uninitialized_var(best_p);
-- u16 _m, uninitialized_var(best_m);
-- u8 _s, uninitialized_var(best_s);
-+ u8 _p, best_p;
-+ u16 _m, best_m;
-+ u8 _s, best_s;
-
- p_min = DIV_ROUND_UP(fin, (12 * MHZ));
- p_max = fin / (6 * MHZ);
---- a/drivers/i2c/busses/i2c-rk3x.c
-+++ b/drivers/i2c/busses/i2c-rk3x.c
-@@ -421,7 +421,7 @@ static void rk3x_i2c_handle_read(struct
- {
- unsigned int i;
- unsigned int len = i2c->msg->len - i2c->processed;
-- u32 uninitialized_var(val);
-+ u32 val;
- u8 byte;
-
- /* we only care for MBRF here. */
---- a/drivers/ide/ide-acpi.c
-+++ b/drivers/ide/ide-acpi.c
-@@ -180,7 +180,7 @@ err:
- static acpi_handle ide_acpi_hwif_get_handle(ide_hwif_t *hwif)
- {
- struct device *dev = hwif->gendev.parent;
-- acpi_handle uninitialized_var(dev_handle);
-+ acpi_handle dev_handle;
- u64 pcidevfn;
- acpi_handle chan_handle;
- int err;
---- a/drivers/ide/ide-atapi.c
-+++ b/drivers/ide/ide-atapi.c
-@@ -591,7 +591,7 @@ static int ide_delayed_transfer_pc(ide_d
-
- static ide_startstop_t ide_transfer_pc(ide_drive_t *drive)
- {
-- struct ide_atapi_pc *uninitialized_var(pc);
-+ struct ide_atapi_pc *pc;
- ide_hwif_t *hwif = drive->hwif;
- struct request *rq = hwif->rq;
- ide_expiry_t *expiry;
---- a/drivers/ide/ide-io-std.c
-+++ b/drivers/ide/ide-io-std.c
-@@ -172,7 +172,7 @@ void ide_input_data(ide_drive_t *drive,
- u8 mmio = (hwif->host_flags & IDE_HFLAG_MMIO) ? 1 : 0;
-
- if (io_32bit) {
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
-
- if ((io_32bit & 2) && !mmio) {
- local_irq_save(flags);
-@@ -216,7 +216,7 @@ void ide_output_data(ide_drive_t *drive,
- u8 mmio = (hwif->host_flags & IDE_HFLAG_MMIO) ? 1 : 0;
-
- if (io_32bit) {
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
-
- if ((io_32bit & 2) && !mmio) {
- local_irq_save(flags);
---- a/drivers/ide/ide-io.c
-+++ b/drivers/ide/ide-io.c
-@@ -605,12 +605,12 @@ static int drive_is_ready(ide_drive_t *d
- void ide_timer_expiry (struct timer_list *t)
- {
- ide_hwif_t *hwif = from_timer(hwif, t, timer);
-- ide_drive_t *uninitialized_var(drive);
-+ ide_drive_t *drive;
- ide_handler_t *handler;
- unsigned long flags;
- int wait = -1;
- int plug_device = 0;
-- struct request *uninitialized_var(rq_in_flight);
-+ struct request *rq_in_flight;
-
- spin_lock_irqsave(&hwif->lock, flags);
-
-@@ -763,13 +763,13 @@ irqreturn_t ide_intr (int irq, void *dev
- {
- ide_hwif_t *hwif = (ide_hwif_t *)dev_id;
- struct ide_host *host = hwif->host;
-- ide_drive_t *uninitialized_var(drive);
-+ ide_drive_t *drive;
- ide_handler_t *handler;
- unsigned long flags;
- ide_startstop_t startstop;
- irqreturn_t irq_ret = IRQ_NONE;
- int plug_device = 0;
-- struct request *uninitialized_var(rq_in_flight);
-+ struct request *rq_in_flight;
-
- if (host->host_flags & IDE_HFLAG_SERIALIZE) {
- if (hwif != host->cur_port)
---- a/drivers/ide/ide-sysfs.c
-+++ b/drivers/ide/ide-sysfs.c
-@@ -131,7 +131,7 @@ static struct device_attribute *ide_port
-
- int ide_sysfs_register_port(ide_hwif_t *hwif)
- {
-- int i, uninitialized_var(rc);
-+ int i, rc;
-
- for (i = 0; ide_port_attrs[i]; i++) {
- rc = device_create_file(hwif->portdev, ide_port_attrs[i]);
---- a/drivers/ide/umc8672.c
-+++ b/drivers/ide/umc8672.c
-@@ -107,7 +107,7 @@ static void umc_set_speeds(u8 speeds[])
- static void umc_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive)
- {
- ide_hwif_t *mate = hwif->mate;
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
- const u8 pio = drive->pio_mode - XFER_PIO_0;
-
- printk("%s: setting umc8672 to PIO mode%d (speed %d)\n",
---- a/drivers/infiniband/core/uverbs_cmd.c
-+++ b/drivers/infiniband/core/uverbs_cmd.c
-@@ -1726,7 +1726,7 @@ ssize_t ib_uverbs_open_qp(struct ib_uver
- struct ib_udata udata;
- struct ib_uqp_object *obj;
- struct ib_xrcd *xrcd;
-- struct ib_uobject *uninitialized_var(xrcd_uobj);
-+ struct ib_uobject *xrcd_uobj;
- struct ib_qp *qp;
- struct ib_qp_open_attr attr;
- int ret;
-@@ -3694,7 +3694,7 @@ static int __uverbs_create_xsrq(struct i
- struct ib_usrq_object *obj;
- struct ib_pd *pd;
- struct ib_srq *srq;
-- struct ib_uobject *uninitialized_var(xrcd_uobj);
-+ struct ib_uobject *xrcd_uobj;
- struct ib_srq_init_attr attr;
- int ret;
- struct ib_device *ib_dev;
---- a/drivers/infiniband/hw/cxgb4/cm.c
-+++ b/drivers/infiniband/hw/cxgb4/cm.c
-@@ -3195,7 +3195,7 @@ static int get_lladdr(struct net_device
-
- static int pick_local_ip6addrs(struct c4iw_dev *dev, struct iw_cm_id *cm_id)
- {
-- struct in6_addr uninitialized_var(addr);
-+ struct in6_addr addr;
- struct sockaddr_in6 *la6 = (struct sockaddr_in6 *)&cm_id->m_local_addr;
- struct sockaddr_in6 *ra6 = (struct sockaddr_in6 *)&cm_id->m_remote_addr;
-
---- a/drivers/infiniband/hw/cxgb4/cq.c
-+++ b/drivers/infiniband/hw/cxgb4/cq.c
-@@ -755,7 +755,7 @@ skip_cqe:
- static int __c4iw_poll_cq_one(struct c4iw_cq *chp, struct c4iw_qp *qhp,
- struct ib_wc *wc, struct c4iw_srq *srq)
- {
-- struct t4_cqe uninitialized_var(cqe);
-+ struct t4_cqe cqe;
- struct t4_wq *wq = qhp ? &qhp->wq : NULL;
- u32 credit = 0;
- u8 cqe_flushed;
---- a/drivers/infiniband/hw/mlx4/qp.c
-+++ b/drivers/infiniband/hw/mlx4/qp.c
-@@ -3463,11 +3463,11 @@ static int _mlx4_ib_post_send(struct ib_
- int nreq;
- int err = 0;
- unsigned ind;
-- int uninitialized_var(size);
-- unsigned uninitialized_var(seglen);
-+ int size;
-+ unsigned seglen;
- __be32 dummy;
- __be32 *lso_wqe;
-- __be32 uninitialized_var(lso_hdr_sz);
-+ __be32 lso_hdr_sz;
- __be32 blh;
- int i;
- struct mlx4_ib_dev *mdev = to_mdev(ibqp->device);
---- a/drivers/infiniband/hw/mlx5/cq.c
-+++ b/drivers/infiniband/hw/mlx5/cq.c
-@@ -1333,7 +1333,7 @@ int mlx5_ib_resize_cq(struct ib_cq *ibcq
- __be64 *pas;
- int page_shift;
- int inlen;
-- int uninitialized_var(cqe_size);
-+ int cqe_size;
- unsigned long flags;
-
- if (!MLX5_CAP_GEN(dev->mdev, cq_resize)) {
---- a/drivers/infiniband/hw/mthca/mthca_qp.c
-+++ b/drivers/infiniband/hw/mthca/mthca_qp.c
-@@ -1630,8 +1630,8 @@ int mthca_tavor_post_send(struct ib_qp *
- * without initializing f0 and size0, and they are in fact
- * never used uninitialized.
- */
-- int uninitialized_var(size0);
-- u32 uninitialized_var(f0);
-+ int size0;
-+ u32 f0;
- int ind;
- u8 op0 = 0;
-
-@@ -1831,7 +1831,7 @@ int mthca_tavor_post_receive(struct ib_q
- * without initializing size0, and it is in fact never used
- * uninitialized.
- */
-- int uninitialized_var(size0);
-+ int size0;
- int ind;
- void *wqe;
- void *prev_wqe;
-@@ -1945,8 +1945,8 @@ int mthca_arbel_post_send(struct ib_qp *
- * without initializing f0 and size0, and they are in fact
- * never used uninitialized.
- */
-- int uninitialized_var(size0);
-- u32 uninitialized_var(f0);
-+ int size0;
-+ u32 f0;
- int ind;
- u8 op0 = 0;
-
---- a/drivers/input/serio/serio_raw.c
-+++ b/drivers/input/serio/serio_raw.c
-@@ -162,7 +162,7 @@ static ssize_t serio_raw_read(struct fil
- {
- struct serio_raw_client *client = file->private_data;
- struct serio_raw *serio_raw = client->serio_raw;
-- char uninitialized_var(c);
-+ char c;
- ssize_t read = 0;
- int error;
-
---- a/drivers/md/dm-io.c
-+++ b/drivers/md/dm-io.c
-@@ -306,7 +306,7 @@ static void do_region(int op, int op_fla
- struct request_queue *q = bdev_get_queue(where->bdev);
- unsigned short logical_block_size = queue_logical_block_size(q);
- sector_t num_sectors;
-- unsigned int uninitialized_var(special_cmd_max_sectors);
-+ unsigned int special_cmd_max_sectors;
-
- /*
- * Reject unsupported discard and write same requests.
---- a/drivers/md/dm-ioctl.c
-+++ b/drivers/md/dm-ioctl.c
-@@ -1822,7 +1822,7 @@ static int ctl_ioctl(struct file *file,
- int ioctl_flags;
- int param_flags;
- unsigned int cmd;
-- struct dm_ioctl *uninitialized_var(param);
-+ struct dm_ioctl *param;
- ioctl_fn fn = NULL;
- size_t input_param_size;
- struct dm_ioctl param_kernel;
---- a/drivers/md/dm-snap-persistent.c
-+++ b/drivers/md/dm-snap-persistent.c
-@@ -613,7 +613,7 @@ static int persistent_read_metadata(stru
- chunk_t old, chunk_t new),
- void *callback_context)
- {
-- int r, uninitialized_var(new_snapshot);
-+ int r, new_snapshot;
- struct pstore *ps = get_info(store);
-
- /*
---- a/drivers/md/dm-table.c
-+++ b/drivers/md/dm-table.c
-@@ -671,7 +671,7 @@ static int validate_hardware_logical_blo
- */
- unsigned short remaining = 0;
-
-- struct dm_target *uninitialized_var(ti);
-+ struct dm_target *ti;
- struct queue_limits ti_limits;
- unsigned i;
-
---- a/drivers/md/raid5.c
-+++ b/drivers/md/raid5.c
-@@ -2603,7 +2603,7 @@ static void raid5_end_write_request(stru
- struct stripe_head *sh = bi->bi_private;
- struct r5conf *conf = sh->raid_conf;
- int disks = sh->disks, i;
-- struct md_rdev *uninitialized_var(rdev);
-+ struct md_rdev *rdev;
- sector_t first_bad;
- int bad_sectors;
- int replacement = 0;
---- a/drivers/media/dvb-frontends/rtl2832.c
-+++ b/drivers/media/dvb-frontends/rtl2832.c
-@@ -653,7 +653,7 @@ static int rtl2832_read_status(struct dv
- struct i2c_client *client = dev->client;
- struct dtv_frontend_properties *c = &fe->dtv_property_cache;
- int ret;
-- u32 uninitialized_var(tmp);
-+ u32 tmp;
- u8 u8tmp, buf[2];
- u16 u16tmp;
-
---- a/drivers/media/tuners/qt1010.c
-+++ b/drivers/media/tuners/qt1010.c
-@@ -224,7 +224,7 @@ static int qt1010_set_params(struct dvb_
- static int qt1010_init_meas1(struct qt1010_priv *priv,
- u8 oper, u8 reg, u8 reg_init_val, u8 *retval)
- {
-- u8 i, val1, uninitialized_var(val2);
-+ u8 i, val1, val2;
- int err;
-
- qt1010_i2c_oper_t i2c_data[] = {
-@@ -259,7 +259,7 @@ static int qt1010_init_meas1(struct qt10
- static int qt1010_init_meas2(struct qt1010_priv *priv,
- u8 reg_init_val, u8 *retval)
- {
-- u8 i, uninitialized_var(val);
-+ u8 i, val;
- int err;
- qt1010_i2c_oper_t i2c_data[] = {
- { QT1010_WR, 0x07, reg_init_val },
---- a/drivers/media/usb/gspca/vicam.c
-+++ b/drivers/media/usb/gspca/vicam.c
-@@ -234,7 +234,7 @@ static int sd_init(struct gspca_dev *gsp
- {
- int ret;
- const struct ihex_binrec *rec;
-- const struct firmware *uninitialized_var(fw);
-+ const struct firmware *fw;
- u8 *firmware_buf;
-
- ret = request_ihex_firmware(&fw, VICAM_FIRMWARE,
---- a/drivers/media/usb/uvc/uvc_video.c
-+++ b/drivers/media/usb/uvc/uvc_video.c
-@@ -802,9 +802,9 @@ static void uvc_video_stats_decode(struc
- unsigned int header_size;
- bool has_pts = false;
- bool has_scr = false;
-- u16 uninitialized_var(scr_sof);
-- u32 uninitialized_var(scr_stc);
-- u32 uninitialized_var(pts);
-+ u16 scr_sof;
-+ u32 scr_stc;
-+ u32 pts;
-
- if (stream->stats.stream.nb_frames == 0 &&
- stream->stats.frame.nb_packets == 0)
-@@ -1801,7 +1801,7 @@ static int uvc_init_video(struct uvc_str
- struct usb_host_endpoint *best_ep = NULL;
- unsigned int best_psize = UINT_MAX;
- unsigned int bandwidth;
-- unsigned int uninitialized_var(altsetting);
-+ unsigned int altsetting;
- int intfnum = stream->intfnum;
-
- /* Isochronous endpoint, select the alternate setting. */
---- a/drivers/memstick/host/jmb38x_ms.c
-+++ b/drivers/memstick/host/jmb38x_ms.c
-@@ -316,7 +316,7 @@ static int jmb38x_ms_transfer_data(struc
- }
-
- while (length) {
-- unsigned int uninitialized_var(p_off);
-+ unsigned int p_off;
-
- if (host->req->long_data) {
- pg = nth_page(sg_page(&host->req->sg),
---- a/drivers/memstick/host/tifm_ms.c
-+++ b/drivers/memstick/host/tifm_ms.c
-@@ -200,7 +200,7 @@ static unsigned int tifm_ms_transfer_dat
- host->block_pos);
-
- while (length) {
-- unsigned int uninitialized_var(p_off);
-+ unsigned int p_off;
-
- if (host->req->long_data) {
- pg = nth_page(sg_page(&host->req->sg),
---- a/drivers/mmc/host/sdhci.c
-+++ b/drivers/mmc/host/sdhci.c
-@@ -374,7 +374,7 @@ static void sdhci_read_block_pio(struct
- {
- unsigned long flags;
- size_t blksize, len, chunk;
-- u32 uninitialized_var(scratch);
-+ u32 scratch;
- u8 *buf;
-
- DBG("PIO reading\n");
---- a/drivers/mtd/nand/raw/nand_ecc.c
-+++ b/drivers/mtd/nand/raw/nand_ecc.c
-@@ -144,7 +144,7 @@ void __nand_calculate_ecc(const unsigned
- /* rp0..rp15..rp17 are the various accumulated parities (per byte) */
- uint32_t rp0, rp1, rp2, rp3, rp4, rp5, rp6, rp7;
- uint32_t rp8, rp9, rp10, rp11, rp12, rp13, rp14, rp15, rp16;
-- uint32_t uninitialized_var(rp17); /* to make compiler happy */
-+ uint32_t rp17;
- uint32_t par; /* the cumulative parity for all data */
- uint32_t tmppar; /* the cumulative parity for this iteration;
- for rp12, rp14 and rp16 at the end of the
---- a/drivers/mtd/nand/raw/s3c2410.c
-+++ b/drivers/mtd/nand/raw/s3c2410.c
-@@ -304,7 +304,7 @@ static int s3c2410_nand_setrate(struct s
- int tacls_max = (info->cpu_type == TYPE_S3C2412) ? 8 : 4;
- int tacls, twrph0, twrph1;
- unsigned long clkrate = clk_get_rate(info->clk);
-- unsigned long uninitialized_var(set), cfg, uninitialized_var(mask);
-+ unsigned long set, cfg, mask;
- unsigned long flags;
-
- /* calculate the timing information for the controller */
---- a/drivers/mtd/ubi/eba.c
-+++ b/drivers/mtd/ubi/eba.c
-@@ -612,7 +612,7 @@ int ubi_eba_read_leb(struct ubi_device *
- int err, pnum, scrub = 0, vol_id = vol->vol_id;
- struct ubi_vid_io_buf *vidb;
- struct ubi_vid_hdr *vid_hdr;
-- uint32_t uninitialized_var(crc);
-+ uint32_t crc;
-
- err = leb_read_lock(ubi, vol_id, lnum);
- if (err)
---- a/drivers/net/can/janz-ican3.c
-+++ b/drivers/net/can/janz-ican3.c
-@@ -1455,7 +1455,7 @@ static int ican3_napi(struct napi_struct
-
- /* process all communication messages */
- while (true) {
-- struct ican3_msg uninitialized_var(msg);
-+ struct ican3_msg msg;
- ret = ican3_recv_msg(mod, &msg);
- if (ret)
- break;
---- a/drivers/net/ethernet/broadcom/bnx2.c
-+++ b/drivers/net/ethernet/broadcom/bnx2.c
-@@ -1461,7 +1461,7 @@ bnx2_test_and_disable_2g5(struct bnx2 *b
- static void
- bnx2_enable_forced_2g5(struct bnx2 *bp)
- {
-- u32 uninitialized_var(bmcr);
-+ u32 bmcr;
- int err;
-
- if (!(bp->phy_flags & BNX2_PHY_FLAG_2_5G_CAPABLE))
-@@ -1505,7 +1505,7 @@ bnx2_enable_forced_2g5(struct bnx2 *bp)
- static void
- bnx2_disable_forced_2g5(struct bnx2 *bp)
- {
-- u32 uninitialized_var(bmcr);
-+ u32 bmcr;
- int err;
-
- if (!(bp->phy_flags & BNX2_PHY_FLAG_2_5G_CAPABLE))
---- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
-+++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
-@@ -471,8 +471,8 @@ void mlx5_core_req_pages_handler(struct
-
- int mlx5_satisfy_startup_pages(struct mlx5_core_dev *dev, int boot)
- {
-- u16 uninitialized_var(func_id);
-- s32 uninitialized_var(npages);
-+ u16 func_id;
-+ s32 npages;
- int err;
-
- err = mlx5_cmd_query_pages(dev, &func_id, &npages, boot);
---- a/drivers/net/ethernet/neterion/s2io.c
-+++ b/drivers/net/ethernet/neterion/s2io.c
-@@ -7291,7 +7291,7 @@ static int rx_osm_handler(struct ring_in
- int ring_no = ring_data->ring_no;
- u16 l3_csum, l4_csum;
- unsigned long long err = rxdp->Control_1 & RXD_T_CODE;
-- struct lro *uninitialized_var(lro);
-+ struct lro *lro;
- u8 err_mask;
- struct swStat *swstats = &sp->mac_control.stats_info->sw_stat;
-
---- a/drivers/net/ethernet/qlogic/qla3xxx.c
-+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
-@@ -3771,7 +3771,7 @@ static int ql3xxx_probe(struct pci_dev *
- struct net_device *ndev = NULL;
- struct ql3_adapter *qdev = NULL;
- static int cards_found;
-- int uninitialized_var(pci_using_dac), err;
-+ int pci_using_dac, err;
-
- err = pci_enable_device(pdev);
- if (err) {
---- a/drivers/net/ethernet/sun/cassini.c
-+++ b/drivers/net/ethernet/sun/cassini.c
-@@ -2291,7 +2291,7 @@ static int cas_rx_ringN(struct cas *cp,
- drops = 0;
- while (1) {
- struct cas_rx_comp *rxc = rxcs + entry;
-- struct sk_buff *uninitialized_var(skb);
-+ struct sk_buff *skb;
- int type, len;
- u64 words[4];
- int i, dring;
---- a/drivers/net/ethernet/sun/niu.c
-+++ b/drivers/net/ethernet/sun/niu.c
-@@ -429,7 +429,7 @@ static int serdes_init_niu_1g_serdes(str
- struct niu_link_config *lp = &np->link_config;
- u16 pll_cfg, pll_sts;
- int max_retry = 100;
-- u64 uninitialized_var(sig), mask, val;
-+ u64 sig, mask, val;
- u32 tx_cfg, rx_cfg;
- unsigned long i;
- int err;
-@@ -526,7 +526,7 @@ static int serdes_init_niu_10g_serdes(st
- struct niu_link_config *lp = &np->link_config;
- u32 tx_cfg, rx_cfg, pll_cfg, pll_sts;
- int max_retry = 100;
-- u64 uninitialized_var(sig), mask, val;
-+ u64 sig, mask, val;
- unsigned long i;
- int err;
-
-@@ -714,7 +714,7 @@ static int esr_write_glue0(struct niu *n
-
- static int esr_reset(struct niu *np)
- {
-- u32 uninitialized_var(reset);
-+ u32 reset;
- int err;
-
- err = mdio_write(np, np->port, NIU_ESR_DEV_ADDR,
---- a/drivers/net/wan/z85230.c
-+++ b/drivers/net/wan/z85230.c
-@@ -705,7 +705,7 @@ EXPORT_SYMBOL(z8530_nop);
- irqreturn_t z8530_interrupt(int irq, void *dev_id)
- {
- struct z8530_dev *dev=dev_id;
-- u8 uninitialized_var(intr);
-+ u8 intr;
- static volatile int locker=0;
- int work=0;
- struct z8530_irqhandler *irqs;
---- a/drivers/net/wireless/ath/ath10k/core.c
-+++ b/drivers/net/wireless/ath/ath10k/core.c
-@@ -1891,7 +1891,7 @@ static int ath10k_init_uart(struct ath10
-
- static int ath10k_init_hw_params(struct ath10k *ar)
- {
-- const struct ath10k_hw_params *uninitialized_var(hw_params);
-+ const struct ath10k_hw_params *hw_params;
- int i;
-
- for (i = 0; i < ARRAY_SIZE(ath10k_hw_params_list); i++) {
---- a/drivers/net/wireless/ath/ath6kl/init.c
-+++ b/drivers/net/wireless/ath/ath6kl/init.c
-@@ -1575,7 +1575,7 @@ static int ath6kl_init_upload(struct ath
-
- int ath6kl_init_hw_params(struct ath6kl *ar)
- {
-- const struct ath6kl_hw *uninitialized_var(hw);
-+ const struct ath6kl_hw *hw;
- int i;
-
- for (i = 0; i < ARRAY_SIZE(hw_list); i++) {
---- a/drivers/net/wireless/ath/ath9k/init.c
-+++ b/drivers/net/wireless/ath/ath9k/init.c
-@@ -230,7 +230,7 @@ static unsigned int ath9k_reg_rmw(void *
- struct ath_hw *ah = hw_priv;
- struct ath_common *common = ath9k_hw_common(ah);
- struct ath_softc *sc = (struct ath_softc *) common->priv;
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
- u32 val;
-
- if (NR_CPUS > 1 && ah->config.serialize_regmode == SER_REG_MODE_ON) {
---- a/drivers/net/wireless/broadcom/b43/debugfs.c
-+++ b/drivers/net/wireless/broadcom/b43/debugfs.c
-@@ -506,7 +506,7 @@ static ssize_t b43_debugfs_read(struct f
- struct b43_wldev *dev;
- struct b43_debugfs_fops *dfops;
- struct b43_dfs_file *dfile;
-- ssize_t uninitialized_var(ret);
-+ ssize_t ret;
- char *buf;
- const size_t bufsize = 1024 * 16; /* 16 kiB buffer */
- const size_t buforder = get_order(bufsize);
---- a/drivers/net/wireless/broadcom/b43/dma.c
-+++ b/drivers/net/wireless/broadcom/b43/dma.c
-@@ -50,7 +50,7 @@
- static u32 b43_dma_address(struct b43_dma *dma, dma_addr_t dmaaddr,
- enum b43_addrtype addrtype)
- {
-- u32 uninitialized_var(addr);
-+ u32 addr;
-
- switch (addrtype) {
- case B43_DMA_ADDR_LOW:
---- a/drivers/net/wireless/broadcom/b43/lo.c
-+++ b/drivers/net/wireless/broadcom/b43/lo.c
-@@ -742,7 +742,7 @@ struct b43_lo_calib *b43_calibrate_lo_se
- };
- int max_rx_gain;
- struct b43_lo_calib *cal;
-- struct lo_g_saved_values uninitialized_var(saved_regs);
-+ struct lo_g_saved_values saved_regs;
- /* Values from the "TXCTL Register and Value Table" */
- u16 txctl_reg;
- u16 txctl_value;
---- a/drivers/net/wireless/broadcom/b43/phy_n.c
-+++ b/drivers/net/wireless/broadcom/b43/phy_n.c
-@@ -5655,7 +5655,7 @@ static int b43_nphy_rev2_cal_rx_iq(struc
- u8 rfctl[2];
- u8 afectl_core;
- u16 tmp[6];
-- u16 uninitialized_var(cur_hpf1), uninitialized_var(cur_hpf2), cur_lna;
-+ u16 cur_hpf1, cur_hpf2, cur_lna;
- u32 real, imag;
- enum nl80211_band band;
-
---- a/drivers/net/wireless/broadcom/b43/xmit.c
-+++ b/drivers/net/wireless/broadcom/b43/xmit.c
-@@ -435,10 +435,10 @@ int b43_generate_txhdr(struct b43_wldev
- if ((rates[0].flags & IEEE80211_TX_RC_USE_RTS_CTS) ||
- (rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT)) {
- unsigned int len;
-- struct ieee80211_hdr *uninitialized_var(hdr);
-+ struct ieee80211_hdr *hdr;
- int rts_rate, rts_rate_fb;
- int rts_rate_ofdm, rts_rate_fb_ofdm;
-- struct b43_plcp_hdr6 *uninitialized_var(plcp);
-+ struct b43_plcp_hdr6 *plcp;
- struct ieee80211_rate *rts_cts_rate;
-
- rts_cts_rate = ieee80211_get_rts_cts_rate(dev->wl->hw, info);
-@@ -449,7 +449,7 @@ int b43_generate_txhdr(struct b43_wldev
- rts_rate_fb_ofdm = b43_is_ofdm_rate(rts_rate_fb);
-
- if (rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT) {
-- struct ieee80211_cts *uninitialized_var(cts);
-+ struct ieee80211_cts *cts;
-
- switch (dev->fw.hdr_format) {
- case B43_FW_HDR_598:
-@@ -471,7 +471,7 @@ int b43_generate_txhdr(struct b43_wldev
- mac_ctl |= B43_TXH_MAC_SENDCTS;
- len = sizeof(struct ieee80211_cts);
- } else {
-- struct ieee80211_rts *uninitialized_var(rts);
-+ struct ieee80211_rts *rts;
-
- switch (dev->fw.hdr_format) {
- case B43_FW_HDR_598:
-@@ -663,8 +663,8 @@ void b43_rx(struct b43_wldev *dev, struc
- const struct b43_rxhdr_fw4 *rxhdr = _rxhdr;
- __le16 fctl;
- u16 phystat0, phystat3;
-- u16 uninitialized_var(chanstat), uninitialized_var(mactime);
-- u32 uninitialized_var(macstat);
-+ u16 chanstat, mactime;
-+ u32 macstat;
- u16 chanid;
- int padding, rate_idx;
-
---- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c
-+++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c
-@@ -203,7 +203,7 @@ static ssize_t b43legacy_debugfs_read(st
- struct b43legacy_wldev *dev;
- struct b43legacy_debugfs_fops *dfops;
- struct b43legacy_dfs_file *dfile;
-- ssize_t uninitialized_var(ret);
-+ ssize_t ret;
- char *buf;
- const size_t bufsize = 1024 * 16; /* 16 KiB buffer */
- const size_t buforder = get_order(bufsize);
---- a/drivers/net/wireless/broadcom/b43legacy/main.c
-+++ b/drivers/net/wireless/broadcom/b43legacy/main.c
-@@ -2612,7 +2612,7 @@ static void b43legacy_put_phy_into_reset
- static int b43legacy_switch_phymode(struct b43legacy_wl *wl,
- unsigned int new_mode)
- {
-- struct b43legacy_wldev *uninitialized_var(up_dev);
-+ struct b43legacy_wldev *up_dev;
- struct b43legacy_wldev *down_dev;
- int err;
- bool gmode = false;
---- a/drivers/net/wireless/intel/iwlegacy/3945.c
-+++ b/drivers/net/wireless/intel/iwlegacy/3945.c
-@@ -2115,7 +2115,7 @@ il3945_txpower_set_from_eeprom(struct il
-
- /* set tx power value for all OFDM rates */
- for (rate_idx = 0; rate_idx < IL_OFDM_RATES; rate_idx++) {
-- s32 uninitialized_var(power_idx);
-+ s32 power_idx;
- int rc;
-
- /* use channel group's clip-power table,
---- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
-+++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
-@@ -2784,7 +2784,7 @@ il4965_hdl_tx(struct il_priv *il, struct
- struct ieee80211_tx_info *info;
- struct il4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0];
- u32 status = le32_to_cpu(tx_resp->u.status);
-- int uninitialized_var(tid);
-+ int tid;
- int sta_id;
- int freed;
- u8 *qc = NULL;
---- a/drivers/platform/x86/hdaps.c
-+++ b/drivers/platform/x86/hdaps.c
-@@ -378,7 +378,7 @@ static ssize_t hdaps_variance_show(struc
- static ssize_t hdaps_temp1_show(struct device *dev,
- struct device_attribute *attr, char *buf)
- {
-- u8 uninitialized_var(temp);
-+ u8 temp;
- int ret;
-
- ret = hdaps_readb_one(HDAPS_PORT_TEMP1, &temp);
-@@ -391,7 +391,7 @@ static ssize_t hdaps_temp1_show(struct d
- static ssize_t hdaps_temp2_show(struct device *dev,
- struct device_attribute *attr, char *buf)
- {
-- u8 uninitialized_var(temp);
-+ u8 temp;
- int ret;
-
- ret = hdaps_readb_one(HDAPS_PORT_TEMP2, &temp);
---- a/drivers/scsi/dc395x.c
-+++ b/drivers/scsi/dc395x.c
-@@ -4275,7 +4275,7 @@ static int adapter_sg_tables_alloc(struc
- const unsigned srbs_per_page = PAGE_SIZE/SEGMENTX_LEN;
- int srb_idx = 0;
- unsigned i = 0;
-- struct SGentry *uninitialized_var(ptr);
-+ struct SGentry *ptr;
-
- for (i = 0; i < DC395x_MAX_SRB_CNT; i++)
- acb->srb_array[i].segment_x = NULL;
---- a/drivers/scsi/pm8001/pm8001_hwi.c
-+++ b/drivers/scsi/pm8001/pm8001_hwi.c
-@@ -4174,7 +4174,7 @@ static int process_oq(struct pm8001_hba_
- {
- struct outbound_queue_table *circularQ;
- void *pMsg1 = NULL;
-- u8 uninitialized_var(bc);
-+ u8 bc;
- u32 ret = MPI_IO_STATUS_FAIL;
- unsigned long flags;
-
---- a/drivers/scsi/pm8001/pm80xx_hwi.c
-+++ b/drivers/scsi/pm8001/pm80xx_hwi.c
-@@ -3811,7 +3811,7 @@ static int process_oq(struct pm8001_hba_
- {
- struct outbound_queue_table *circularQ;
- void *pMsg1 = NULL;
-- u8 uninitialized_var(bc);
-+ u8 bc;
- u32 ret = MPI_IO_STATUS_FAIL;
- unsigned long flags;
- u32 regval;
---- a/drivers/ssb/driver_chipcommon.c
-+++ b/drivers/ssb/driver_chipcommon.c
-@@ -119,7 +119,7 @@ void ssb_chipco_set_clockmode(struct ssb
- static enum ssb_clksrc chipco_pctl_get_slowclksrc(struct ssb_chipcommon *cc)
- {
- struct ssb_bus *bus = cc->dev->bus;
-- u32 uninitialized_var(tmp);
-+ u32 tmp;
-
- if (cc->dev->id.revision < 6) {
- if (bus->bustype == SSB_BUSTYPE_SSB ||
-@@ -149,7 +149,7 @@ static enum ssb_clksrc chipco_pctl_get_s
- /* Get maximum or minimum (depending on get_max flag) slowclock frequency. */
- static int chipco_pctl_clockfreqlimit(struct ssb_chipcommon *cc, int get_max)
- {
-- int uninitialized_var(limit);
-+ int limit;
- enum ssb_clksrc clocksrc;
- int divisor = 1;
- u32 tmp;
---- a/drivers/tty/cyclades.c
-+++ b/drivers/tty/cyclades.c
-@@ -3648,7 +3648,7 @@ static int cy_pci_probe(struct pci_dev *
- struct cyclades_card *card;
- void __iomem *addr0 = NULL, *addr2 = NULL;
- char *card_name = NULL;
-- u32 uninitialized_var(mailbox);
-+ u32 mailbox;
- unsigned int device_id, nchan = 0, card_no, i, j;
- unsigned char plx_ver;
- int retval, irq;
---- a/drivers/tty/isicom.c
-+++ b/drivers/tty/isicom.c
-@@ -1537,7 +1537,7 @@ static unsigned int card_count;
- static int isicom_probe(struct pci_dev *pdev,
- const struct pci_device_id *ent)
- {
-- unsigned int uninitialized_var(signature), index;
-+ unsigned int signature, index;
- int retval = -EPERM;
- struct isi_board *board = NULL;
-
---- a/drivers/usb/musb/cppi_dma.c
-+++ b/drivers/usb/musb/cppi_dma.c
-@@ -1146,7 +1146,7 @@ irqreturn_t cppi_interrupt(int irq, void
- struct musb_hw_ep *hw_ep = NULL;
- u32 rx, tx;
- int i, index;
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
-
- cppi = container_of(musb->dma_controller, struct cppi, controller);
- if (cppi->irq)
---- a/drivers/usb/storage/sddr55.c
-+++ b/drivers/usb/storage/sddr55.c
-@@ -553,8 +553,8 @@ static int sddr55_reset(struct us_data *
-
- static unsigned long sddr55_get_capacity(struct us_data *us) {
-
-- unsigned char uninitialized_var(manufacturerID);
-- unsigned char uninitialized_var(deviceID);
-+ unsigned char manufacturerID;
-+ unsigned char deviceID;
- int result;
- struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra;
-
---- a/drivers/vhost/net.c
-+++ b/drivers/vhost/net.c
-@@ -828,7 +828,7 @@ static int get_rx_bufs(struct vhost_virt
- /* len is always initialized before use since we are always called with
- * datalen > 0.
- */
-- u32 uninitialized_var(len);
-+ u32 len;
-
- while (datalen > 0 && headcount < quota) {
- if (unlikely(seg >= UIO_MAXIOV)) {
-@@ -885,7 +885,7 @@ static void handle_rx(struct vhost_net *
- {
- struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX];
- struct vhost_virtqueue *vq = &nvq->vq;
-- unsigned uninitialized_var(in), log;
-+ unsigned in, log;
- struct vhost_log *vq_log;
- struct msghdr msg = {
- .msg_name = NULL,
---- a/drivers/video/fbdev/matrox/matroxfb_maven.c
-+++ b/drivers/video/fbdev/matrox/matroxfb_maven.c
-@@ -299,7 +299,7 @@ static int matroxfb_mavenclock(const str
- unsigned int* in, unsigned int* feed, unsigned int* post,
- unsigned int* htotal2) {
- unsigned int fvco;
-- unsigned int uninitialized_var(p);
-+ unsigned int p;
-
- fvco = matroxfb_PLL_mavenclock(&maven1000_pll, ctl, htotal, vtotal, in, feed, &p, htotal2);
- if (!fvco)
-@@ -731,8 +731,8 @@ static int maven_find_exact_clocks(unsig
-
- for (x = 0; x < 8; x++) {
- unsigned int c;
-- unsigned int uninitialized_var(a), uninitialized_var(b),
-- uninitialized_var(h2);
-+ unsigned int a, b,
-+ h2;
- unsigned int h = ht + 2 + x;
-
- if (!matroxfb_mavenclock((m->mode == MATROXFB_OUTPUT_MODE_PAL) ? &maven_PAL : &maven_NTSC, h, vt, &a, &b, &c, &h2)) {
---- a/drivers/video/fbdev/pm3fb.c
-+++ b/drivers/video/fbdev/pm3fb.c
-@@ -821,9 +821,9 @@ static void pm3fb_write_mode(struct fb_i
-
- wmb();
- {
-- unsigned char uninitialized_var(m); /* ClkPreScale */
-- unsigned char uninitialized_var(n); /* ClkFeedBackScale */
-- unsigned char uninitialized_var(p); /* ClkPostScale */
-+ unsigned char m; /* ClkPreScale */
-+ unsigned char n; /* ClkFeedBackScale */
-+ unsigned char p; /* ClkPostScale */
- unsigned long pixclock = PICOS2KHZ(info->var.pixclock);
-
- (void)pm3fb_calculate_clock(pixclock, &m, &n, &p);
---- a/drivers/video/fbdev/riva/riva_hw.c
-+++ b/drivers/video/fbdev/riva/riva_hw.c
-@@ -1245,8 +1245,7 @@ int CalcStateExt
- )
- {
- int pixelDepth;
-- int uninitialized_var(VClk),uninitialized_var(m),
-- uninitialized_var(n), uninitialized_var(p);
-+ int VClk, m, n, p;
-
- /*
- * Save mode parameters.
---- a/drivers/virtio/virtio_ring.c
-+++ b/drivers/virtio/virtio_ring.c
-@@ -268,7 +268,7 @@ static inline int virtqueue_add(struct v
- struct vring_virtqueue *vq = to_vvq(_vq);
- struct scatterlist *sg;
- struct vring_desc *desc;
-- unsigned int i, n, avail, descs_used, uninitialized_var(prev), err_idx;
-+ unsigned int i, n, avail, descs_used, prev, err_idx;
- int head;
- bool indirect;
-
---- a/fs/afs/dir.c
-+++ b/fs/afs/dir.c
-@@ -887,7 +887,7 @@ static struct dentry *afs_lookup(struct
- static int afs_d_revalidate(struct dentry *dentry, unsigned int flags)
- {
- struct afs_vnode *vnode, *dir;
-- struct afs_fid uninitialized_var(fid);
-+ struct afs_fid fid;
- struct dentry *parent;
- struct inode *inode;
- struct key *key;
---- a/fs/afs/security.c
-+++ b/fs/afs/security.c
-@@ -340,7 +340,7 @@ int afs_check_permit(struct afs_vnode *v
- int afs_permission(struct inode *inode, int mask)
- {
- struct afs_vnode *vnode = AFS_FS_I(inode);
-- afs_access_t uninitialized_var(access);
-+ afs_access_t access;
- struct key *key;
- int ret;
-
---- a/fs/dlm/netlink.c
-+++ b/fs/dlm/netlink.c
-@@ -115,7 +115,7 @@ static void fill_data(struct dlm_lock_da
-
- void dlm_timeout_warn(struct dlm_lkb *lkb)
- {
-- struct sk_buff *uninitialized_var(send_skb);
-+ struct sk_buff *send_skb;
- struct dlm_lock_data *data;
- size_t size;
- int rv;
---- a/fs/fat/dir.c
-+++ b/fs/fat/dir.c
-@@ -1287,7 +1287,7 @@ int fat_add_entries(struct inode *dir, v
- struct super_block *sb = dir->i_sb;
- struct msdos_sb_info *sbi = MSDOS_SB(sb);
- struct buffer_head *bh, *prev, *bhs[3]; /* 32*slots (672bytes) */
-- struct msdos_dir_entry *uninitialized_var(de);
-+ struct msdos_dir_entry *de;
- int err, free_slots, i, nr_bhs;
- loff_t pos, i_pos;
-
---- a/fs/fuse/control.c
-+++ b/fs/fuse/control.c
-@@ -117,7 +117,7 @@ static ssize_t fuse_conn_max_background_
- const char __user *buf,
- size_t count, loff_t *ppos)
- {
-- unsigned uninitialized_var(val);
-+ unsigned val;
- ssize_t ret;
-
- ret = fuse_conn_limit_write(file, buf, count, ppos, &val,
---- a/fs/fuse/cuse.c
-+++ b/fs/fuse/cuse.c
-@@ -269,7 +269,7 @@ static int cuse_parse_one(char **pp, cha
- static int cuse_parse_devinfo(char *p, size_t len, struct cuse_devinfo *devinfo)
- {
- char *end = p + len;
-- char *uninitialized_var(key), *uninitialized_var(val);
-+ char *key, *val;
- int rc;
-
- while (true) {
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -2774,7 +2774,7 @@ static void fuse_register_polled_file(st
- {
- spin_lock(&fc->lock);
- if (RB_EMPTY_NODE(&ff->polled_node)) {
-- struct rb_node **link, *uninitialized_var(parent);
-+ struct rb_node **link, *parent;
-
- link = fuse_find_polled_node(fc, ff->kh, &parent);
- BUG_ON(*link);
---- a/fs/gfs2/aops.c
-+++ b/fs/gfs2/aops.c
-@@ -359,7 +359,7 @@ static int gfs2_write_cache_jdata(struct
- int done = 0;
- struct pagevec pvec;
- int nr_pages;
-- pgoff_t uninitialized_var(writeback_index);
-+ pgoff_t writeback_index;
- pgoff_t index;
- pgoff_t end;
- pgoff_t done_index;
---- a/fs/gfs2/bmap.c
-+++ b/fs/gfs2/bmap.c
-@@ -1754,7 +1754,7 @@ static int punch_hole(struct gfs2_inode
- u64 lblock = (offset + (1 << bsize_shift) - 1) >> bsize_shift;
- __u16 start_list[GFS2_MAX_META_HEIGHT];
- __u16 __end_list[GFS2_MAX_META_HEIGHT], *end_list = NULL;
-- unsigned int start_aligned, uninitialized_var(end_aligned);
-+ unsigned int start_aligned, end_aligned;
- unsigned int strip_h = ip->i_height - 1;
- u32 btotal = 0;
- int ret, state;
---- a/fs/hfsplus/unicode.c
-+++ b/fs/hfsplus/unicode.c
-@@ -398,7 +398,7 @@ int hfsplus_hash_dentry(const struct den
- astr = str->name;
- len = str->len;
- while (len > 0) {
-- int uninitialized_var(dsize);
-+ int dsize;
- size = asc2unichar(sb, astr, len, &c);
- astr += size;
- len -= size;
---- a/fs/isofs/namei.c
-+++ b/fs/isofs/namei.c
-@@ -153,8 +153,8 @@ isofs_find_entry(struct inode *dir, stru
- struct dentry *isofs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
- {
- int found;
-- unsigned long uninitialized_var(block);
-- unsigned long uninitialized_var(offset);
-+ unsigned long block;
-+ unsigned long offset;
- struct inode *inode;
- struct page *page;
-
---- a/fs/jffs2/erase.c
-+++ b/fs/jffs2/erase.c
-@@ -401,7 +401,7 @@ static void jffs2_mark_erased_block(stru
- {
- size_t retlen;
- int ret;
-- uint32_t uninitialized_var(bad_offset);
-+ uint32_t bad_offset;
-
- switch (jffs2_block_check_erase(c, jeb, &bad_offset)) {
- case -EAGAIN: goto refile;
---- a/fs/nfsd/nfsctl.c
-+++ b/fs/nfsd/nfsctl.c
-@@ -347,7 +347,7 @@ static ssize_t write_unlock_fs(struct fi
- static ssize_t write_filehandle(struct file *file, char *buf, size_t size)
- {
- char *dname, *path;
-- int uninitialized_var(maxsize);
-+ int maxsize;
- char *mesg = buf;
- int len;
- struct auth_domain *dom;
---- a/fs/ocfs2/alloc.c
-+++ b/fs/ocfs2/alloc.c
-@@ -4722,7 +4722,7 @@ int ocfs2_insert_extent(handle_t *handle
- struct ocfs2_alloc_context *meta_ac)
- {
- int status;
-- int uninitialized_var(free_records);
-+ int free_records;
- struct buffer_head *last_eb_bh = NULL;
- struct ocfs2_insert_type insert = {0, };
- struct ocfs2_extent_rec rec;
-@@ -7052,7 +7052,7 @@ int ocfs2_convert_inline_data_to_extents
- int need_free = 0;
- u32 bit_off, num;
- handle_t *handle;
-- u64 uninitialized_var(block);
-+ u64 block;
- struct ocfs2_inode_info *oi = OCFS2_I(inode);
- struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
- struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
---- a/fs/ocfs2/dir.c
-+++ b/fs/ocfs2/dir.c
-@@ -866,9 +866,9 @@ static int ocfs2_dx_dir_lookup(struct in
- u64 *ret_phys_blkno)
- {
- int ret = 0;
-- unsigned int cend, uninitialized_var(clen);
-- u32 uninitialized_var(cpos);
-- u64 uninitialized_var(blkno);
-+ unsigned int cend, clen;
-+ u32 cpos;
-+ u64 blkno;
- u32 name_hash = hinfo->major_hash;
-
- ret = ocfs2_dx_dir_lookup_rec(inode, el, name_hash, &cpos, &blkno,
-@@ -912,7 +912,7 @@ static int ocfs2_dx_dir_search(const cha
- struct ocfs2_dir_lookup_result *res)
- {
- int ret, i, found;
-- u64 uninitialized_var(phys);
-+ u64 phys;
- struct buffer_head *dx_leaf_bh = NULL;
- struct ocfs2_dx_leaf *dx_leaf;
- struct ocfs2_dx_entry *dx_entry = NULL;
-@@ -4420,9 +4420,9 @@ out:
- int ocfs2_dx_dir_truncate(struct inode *dir, struct buffer_head *di_bh)
- {
- int ret;
-- unsigned int uninitialized_var(clen);
-- u32 major_hash = UINT_MAX, p_cpos, uninitialized_var(cpos);
-- u64 uninitialized_var(blkno);
-+ unsigned int clen;
-+ u32 major_hash = UINT_MAX, p_cpos, cpos;
-+ u64 blkno;
- struct ocfs2_super *osb = OCFS2_SB(dir->i_sb);
- struct buffer_head *dx_root_bh = NULL;
- struct ocfs2_dx_root_block *dx_root;
---- a/fs/ocfs2/extent_map.c
-+++ b/fs/ocfs2/extent_map.c
-@@ -416,7 +416,7 @@ static int ocfs2_get_clusters_nocache(st
- {
- int i, ret, tree_height, len;
- struct ocfs2_dinode *di;
-- struct ocfs2_extent_block *uninitialized_var(eb);
-+ struct ocfs2_extent_block *eb;
- struct ocfs2_extent_list *el;
- struct ocfs2_extent_rec *rec;
- struct buffer_head *eb_bh = NULL;
-@@ -613,7 +613,7 @@ int ocfs2_get_clusters(struct inode *ino
- unsigned int *extent_flags)
- {
- int ret;
-- unsigned int uninitialized_var(hole_len), flags = 0;
-+ unsigned int hole_len, flags = 0;
- struct buffer_head *di_bh = NULL;
- struct ocfs2_extent_rec rec;
-
---- a/fs/ocfs2/namei.c
-+++ b/fs/ocfs2/namei.c
-@@ -2506,7 +2506,7 @@ int ocfs2_create_inode_in_orphan(struct
- struct buffer_head *new_di_bh = NULL;
- struct ocfs2_alloc_context *inode_ac = NULL;
- struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
-- u64 uninitialized_var(di_blkno), suballoc_loc;
-+ u64 di_blkno, suballoc_loc;
- u16 suballoc_bit;
-
- status = ocfs2_inode_lock(dir, &parent_di_bh, 1);
---- a/fs/ocfs2/refcounttree.c
-+++ b/fs/ocfs2/refcounttree.c
-@@ -1069,7 +1069,7 @@ static int ocfs2_get_refcount_rec(struct
- struct buffer_head **ret_bh)
- {
- int ret = 0, i, found;
-- u32 low_cpos, uninitialized_var(cpos_end);
-+ u32 low_cpos, cpos_end;
- struct ocfs2_extent_list *el;
- struct ocfs2_extent_rec *rec = NULL;
- struct ocfs2_extent_block *eb = NULL;
---- a/fs/ocfs2/xattr.c
-+++ b/fs/ocfs2/xattr.c
-@@ -1219,7 +1219,7 @@ static int ocfs2_xattr_block_get(struct
- struct ocfs2_xattr_value_root *xv;
- size_t size;
- int ret = -ENODATA, name_offset, name_len, i;
-- int uninitialized_var(block_off);
-+ int block_off;
-
- xs->bucket = ocfs2_xattr_bucket_new(inode);
- if (!xs->bucket) {
---- a/fs/omfs/file.c
-+++ b/fs/omfs/file.c
-@@ -220,7 +220,7 @@ static int omfs_get_block(struct inode *
- struct buffer_head *bh;
- sector_t next, offset;
- int ret;
-- u64 uninitialized_var(new_block);
-+ u64 new_block;
- u32 max_extents;
- int extent_count;
- struct omfs_extent *oe;
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -713,7 +713,7 @@ static int ovl_copy_up_meta_inode_data(s
- struct path upperpath, datapath;
- int err;
- char *capability = NULL;
-- ssize_t uninitialized_var(cap_size);
-+ ssize_t cap_size;
-
- ovl_path_upper(c->dentry, &upperpath);
- if (WARN_ON(upperpath.dentry == NULL))
---- a/fs/ubifs/commit.c
-+++ b/fs/ubifs/commit.c
-@@ -564,11 +564,11 @@ out:
- */
- int dbg_check_old_index(struct ubifs_info *c, struct ubifs_zbranch *zroot)
- {
-- int lnum, offs, len, err = 0, uninitialized_var(last_level), child_cnt;
-+ int lnum, offs, len, err = 0, last_level, child_cnt;
- int first = 1, iip;
- struct ubifs_debug_info *d = c->dbg;
-- union ubifs_key uninitialized_var(lower_key), upper_key, l_key, u_key;
-- unsigned long long uninitialized_var(last_sqnum);
-+ union ubifs_key lower_key, upper_key, l_key, u_key;
-+ unsigned long long last_sqnum;
- struct ubifs_idx_node *idx;
- struct list_head list;
- struct idx_node *i;
---- a/fs/ubifs/dir.c
-+++ b/fs/ubifs/dir.c
-@@ -1294,7 +1294,7 @@ static int do_rename(struct inode *old_d
- struct ubifs_budget_req ino_req = { .dirtied_ino = 1,
- .dirtied_ino_d = ALIGN(old_inode_ui->data_len, 8) };
- struct timespec64 time;
-- unsigned int uninitialized_var(saved_nlink);
-+ unsigned int saved_nlink;
- struct fscrypt_name old_nm, new_nm;
-
- /*
---- a/fs/ubifs/file.c
-+++ b/fs/ubifs/file.c
-@@ -234,7 +234,7 @@ static int write_begin_slow(struct addre
- struct ubifs_info *c = inode->i_sb->s_fs_info;
- pgoff_t index = pos >> PAGE_SHIFT;
- struct ubifs_budget_req req = { .new_page = 1 };
-- int uninitialized_var(err), appending = !!(pos + len > inode->i_size);
-+ int err, appending = !!(pos + len > inode->i_size);
- struct page *page;
-
- dbg_gen("ino %lu, pos %llu, len %u, i_size %lld",
-@@ -438,7 +438,7 @@ static int ubifs_write_begin(struct file
- struct ubifs_info *c = inode->i_sb->s_fs_info;
- struct ubifs_inode *ui = ubifs_inode(inode);
- pgoff_t index = pos >> PAGE_SHIFT;
-- int uninitialized_var(err), appending = !!(pos + len > inode->i_size);
-+ int err, appending = !!(pos + len > inode->i_size);
- int skipped_read = 0;
- struct page *page;
-
---- a/fs/ubifs/journal.c
-+++ b/fs/ubifs/journal.c
-@@ -1355,7 +1355,7 @@ int ubifs_jnl_truncate(struct ubifs_info
- union ubifs_key key, to_key;
- struct ubifs_ino_node *ino;
- struct ubifs_trun_node *trun;
-- struct ubifs_data_node *uninitialized_var(dn);
-+ struct ubifs_data_node *dn;
- int err, dlen, len, lnum, offs, bit, sz, sync = IS_SYNC(inode);
- struct ubifs_inode *ui = ubifs_inode(inode);
- ino_t inum = inode->i_ino;
---- a/fs/ubifs/lpt.c
-+++ b/fs/ubifs/lpt.c
-@@ -287,7 +287,7 @@ uint32_t ubifs_unpack_bits(const struct
- const int k = 32 - nrbits;
- uint8_t *p = *addr;
- int b = *pos;
-- uint32_t uninitialized_var(val);
-+ uint32_t val;
- const int bytes = (nrbits + b + 7) >> 3;
-
- ubifs_assert(c, nrbits > 0);
---- a/fs/ubifs/tnc.c
-+++ b/fs/ubifs/tnc.c
-@@ -936,7 +936,7 @@ static int fallible_resolve_collision(st
- int adding)
- {
- struct ubifs_znode *o_znode = NULL, *znode = *zn;
-- int uninitialized_var(o_n), err, cmp, unsure = 0, nn = *n;
-+ int o_n, err, cmp, unsure = 0, nn = *n;
-
- cmp = fallible_matches_name(c, &znode->zbranch[nn], nm);
- if (unlikely(cmp < 0))
-@@ -1558,8 +1558,8 @@ out:
- */
- int ubifs_tnc_get_bu_keys(struct ubifs_info *c, struct bu_info *bu)
- {
-- int n, err = 0, lnum = -1, uninitialized_var(offs);
-- int uninitialized_var(len);
-+ int n, err = 0, lnum = -1, offs;
-+ int len;
- unsigned int block = key_block(c, &bu->key);
- struct ubifs_znode *znode;
-
---- a/fs/ubifs/tnc_misc.c
-+++ b/fs/ubifs/tnc_misc.c
-@@ -138,8 +138,8 @@ int ubifs_search_zbranch(const struct ub
- const struct ubifs_znode *znode,
- const union ubifs_key *key, int *n)
- {
-- int beg = 0, end = znode->child_cnt, uninitialized_var(mid);
-- int uninitialized_var(cmp);
-+ int beg = 0, end = znode->child_cnt, mid;
-+ int cmp;
- const struct ubifs_zbranch *zbr = &znode->zbranch[0];
-
- ubifs_assert(c, end > beg);
---- a/fs/udf/balloc.c
-+++ b/fs/udf/balloc.c
-@@ -555,7 +555,7 @@ static udf_pblk_t udf_table_new_block(st
- udf_pblk_t newblock = 0;
- uint32_t adsize;
- uint32_t elen, goal_elen = 0;
-- struct kernel_lb_addr eloc, uninitialized_var(goal_eloc);
-+ struct kernel_lb_addr eloc, goal_eloc;
- struct extent_position epos, goal_epos;
- int8_t etype;
- struct udf_inode_info *iinfo = UDF_I(table);
---- a/fs/xfs/xfs_bmap_util.c
-+++ b/fs/xfs/xfs_bmap_util.c
-@@ -130,7 +130,7 @@ xfs_bmap_rtalloc(
- * pick an extent that will space things out in the rt area.
- */
- if (ap->eof && ap->offset == 0) {
-- xfs_rtblock_t uninitialized_var(rtx); /* realtime extent no */
-+ xfs_rtblock_t rtx; /* realtime extent no */
-
- error = xfs_rtpick_extent(mp, ap->tp, ralen, &rtx);
- if (error)
---- a/kernel/async.c
-+++ b/kernel/async.c
-@@ -115,7 +115,7 @@ static void async_run_entry_fn(struct wo
- struct async_entry *entry =
- container_of(work, struct async_entry, work);
- unsigned long flags;
-- ktime_t uninitialized_var(calltime), delta, rettime;
-+ ktime_t calltime, delta, rettime;
-
- /* 1) run (and print duration) */
- if (initcall_debug && system_state < SYSTEM_RUNNING) {
-@@ -283,7 +283,7 @@ EXPORT_SYMBOL_GPL(async_synchronize_full
- */
- void async_synchronize_cookie_domain(async_cookie_t cookie, struct async_domain *domain)
- {
-- ktime_t uninitialized_var(starttime), delta, endtime;
-+ ktime_t starttime, delta, endtime;
-
- if (initcall_debug && system_state < SYSTEM_RUNNING) {
- pr_debug("async_waiting @ %i\n", task_pid_nr(current));
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -1796,7 +1796,7 @@ struct audit_buffer *audit_log_start(str
- {
- struct audit_buffer *ab;
- struct timespec64 t;
-- unsigned int uninitialized_var(serial);
-+ unsigned int serial;
-
- if (audit_initialized != AUDIT_INITIALIZED)
- return NULL;
---- a/kernel/dma/debug.c
-+++ b/kernel/dma/debug.c
-@@ -963,7 +963,7 @@ static int device_dma_allocations(struct
- static int dma_debug_device_change(struct notifier_block *nb, unsigned long action, void *data)
- {
- struct device *dev = data;
-- struct dma_debug_entry *uninitialized_var(entry);
-+ struct dma_debug_entry *entry;
- int count;
-
- if (dma_debug_disabled())
---- a/kernel/events/core.c
-+++ b/kernel/events/core.c
-@@ -10575,7 +10575,7 @@ SYSCALL_DEFINE5(perf_event_open,
- struct perf_event *group_leader = NULL, *output_event = NULL;
- struct perf_event *event, *sibling;
- struct perf_event_attr attr;
-- struct perf_event_context *ctx, *uninitialized_var(gctx);
-+ struct perf_event_context *ctx, *gctx;
- struct file *event_file = NULL;
- struct fd group = {NULL, 0};
- struct task_struct *task = NULL;
---- a/kernel/events/uprobes.c
-+++ b/kernel/events/uprobes.c
-@@ -1887,7 +1887,7 @@ static void handle_swbp(struct pt_regs *
- {
- struct uprobe *uprobe;
- unsigned long bp_vaddr;
-- int uninitialized_var(is_swbp);
-+ int is_swbp;
-
- bp_vaddr = uprobe_get_swbp_addr(regs);
- if (bp_vaddr == get_trampoline_vaddr())
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -140,7 +140,7 @@ static void __exit_signal(struct task_st
- struct signal_struct *sig = tsk->signal;
- bool group_dead = thread_group_leader(tsk);
- struct sighand_struct *sighand;
-- struct tty_struct *uninitialized_var(tty);
-+ struct tty_struct *tty;
- u64 utime, stime;
-
- sighand = rcu_dereference_check(tsk->sighand,
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -1398,7 +1398,7 @@ static int lookup_pi_state(u32 __user *u
- static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval)
- {
- int err;
-- u32 uninitialized_var(curval);
-+ u32 curval;
-
- if (unlikely(should_fail_futex(true)))
- return -EFAULT;
-@@ -1569,7 +1569,7 @@ static void mark_wake_futex(struct wake_
- */
- static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_state)
- {
-- u32 uninitialized_var(curval), newval;
-+ u32 curval, newval;
- struct task_struct *new_owner;
- bool postunlock = false;
- DEFINE_WAKE_Q(wake_q);
-@@ -3083,7 +3083,7 @@ uaddr_faulted:
- */
- static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags)
- {
-- u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current);
-+ u32 curval, uval, vpid = task_pid_vnr(current);
- union futex_key key = FUTEX_KEY_INIT;
- struct futex_hash_bucket *hb;
- struct futex_q *top_waiter;
-@@ -3558,7 +3558,7 @@ err_unlock:
- static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
- bool pi, bool pending_op)
- {
-- u32 uval, uninitialized_var(nval), mval;
-+ u32 uval, nval, mval;
- int err;
-
- /* Futex address must be 32bit aligned */
-@@ -3688,7 +3688,7 @@ static void exit_robust_list(struct task
- struct robust_list_head __user *head = curr->robust_list;
- struct robust_list __user *entry, *next_entry, *pending;
- unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
-- unsigned int uninitialized_var(next_pi);
-+ unsigned int next_pi;
- unsigned long futex_offset;
- int rc;
-
-@@ -3987,7 +3987,7 @@ static void compat_exit_robust_list(stru
- struct compat_robust_list_head __user *head = curr->compat_robust_list;
- struct robust_list __user *entry, *next_entry, *pending;
- unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
-- unsigned int uninitialized_var(next_pi);
-+ unsigned int next_pi;
- compat_uptr_t uentry, next_uentry, upending;
- compat_long_t futex_offset;
- int rc;
---- a/kernel/locking/lockdep.c
-+++ b/kernel/locking/lockdep.c
-@@ -1246,7 +1246,7 @@ static int noop_count(struct lock_list *
- static unsigned long __lockdep_count_forward_deps(struct lock_list *this)
- {
- unsigned long count = 0;
-- struct lock_list *uninitialized_var(target_entry);
-+ struct lock_list *target_entry;
-
- __bfs_forwards(this, (void *)&count, noop_count, &target_entry);
-
-@@ -1274,7 +1274,7 @@ unsigned long lockdep_count_forward_deps
- static unsigned long __lockdep_count_backward_deps(struct lock_list *this)
- {
- unsigned long count = 0;
-- struct lock_list *uninitialized_var(target_entry);
-+ struct lock_list *target_entry;
-
- __bfs_backwards(this, (void *)&count, noop_count, &target_entry);
-
-@@ -2662,7 +2662,7 @@ check_usage_backwards(struct task_struct
- {
- int ret;
- struct lock_list root;
-- struct lock_list *uninitialized_var(target_entry);
-+ struct lock_list *target_entry;
-
- root.parent = NULL;
- root.class = hlock_class(this);
---- a/kernel/trace/ring_buffer.c
-+++ b/kernel/trace/ring_buffer.c
-@@ -561,7 +561,7 @@ static void rb_wake_up_waiters(struct ir
- */
- int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full)
- {
-- struct ring_buffer_per_cpu *uninitialized_var(cpu_buffer);
-+ struct ring_buffer_per_cpu *cpu_buffer;
- DEFINE_WAIT(wait);
- struct rb_irq_work *work;
- int ret = 0;
---- a/lib/radix-tree.c
-+++ b/lib/radix-tree.c
-@@ -1498,7 +1498,7 @@ void *radix_tree_tag_clear(struct radix_
- {
- struct radix_tree_node *node, *parent;
- unsigned long maxindex;
-- int uninitialized_var(offset);
-+ int offset;
-
- radix_tree_load_root(root, &node, &maxindex);
- if (index > maxindex)
---- a/mm/frontswap.c
-+++ b/mm/frontswap.c
-@@ -447,7 +447,7 @@ static int __frontswap_shrink(unsigned l
- void frontswap_shrink(unsigned long target_pages)
- {
- unsigned long pages_to_unuse = 0;
-- int uninitialized_var(type), ret;
-+ int type, ret;
-
- /*
- * we don't want to hold swap_lock while doing a very
---- a/mm/ksm.c
-+++ b/mm/ksm.c
-@@ -2381,7 +2381,7 @@ next_mm:
- static void ksm_do_scan(unsigned int scan_npages)
- {
- struct rmap_item *rmap_item;
-- struct page *uninitialized_var(page);
-+ struct page *page;
-
- while (scan_npages-- && likely(!freezing(current))) {
- cond_resched();
---- a/mm/memcontrol.c
-+++ b/mm/memcontrol.c
-@@ -919,7 +919,7 @@ struct mem_cgroup *mem_cgroup_iter(struc
- struct mem_cgroup *prev,
- struct mem_cgroup_reclaim_cookie *reclaim)
- {
-- struct mem_cgroup_reclaim_iter *uninitialized_var(iter);
-+ struct mem_cgroup_reclaim_iter *iter;
- struct cgroup_subsys_state *css = NULL;
- struct mem_cgroup *memcg = NULL;
- struct mem_cgroup *pos = NULL;
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1147,7 +1147,7 @@ int do_migrate_pages(struct mm_struct *m
- static struct page *new_page(struct page *page, unsigned long start)
- {
- struct vm_area_struct *vma;
-- unsigned long uninitialized_var(address);
-+ unsigned long address;
-
- vma = find_vma(current->mm, start);
- while (vma) {
-@@ -1545,7 +1545,7 @@ static int kernel_get_mempolicy(int __us
- unsigned long flags)
- {
- int err;
-- int uninitialized_var(pval);
-+ int pval;
- nodemask_t nodes;
-
- if (nmask != NULL && maxnode < nr_node_ids)
---- a/mm/percpu.c
-+++ b/mm/percpu.c
-@@ -2283,7 +2283,7 @@ static struct pcpu_alloc_info * __init p
- const size_t static_size = __per_cpu_end - __per_cpu_start;
- int nr_groups = 1, nr_units = 0;
- size_t size_sum, min_unit_size, alloc_size;
-- int upa, max_upa, uninitialized_var(best_upa); /* units_per_alloc */
-+ int upa, max_upa, best_upa; /* units_per_alloc */
- int last_allocs, group, unit;
- unsigned int cpu, tcpu;
- struct pcpu_alloc_info *ai;
---- a/mm/slub.c
-+++ b/mm/slub.c
-@@ -1179,7 +1179,7 @@ static noinline int free_debug_processin
- struct kmem_cache_node *n = get_node(s, page_to_nid(page));
- void *object = head;
- int cnt = 0;
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
- int ret = 0;
-
- spin_lock_irqsave(&n->list_lock, flags);
-@@ -2826,7 +2826,7 @@ static void __slab_free(struct kmem_cach
- struct page new;
- unsigned long counters;
- struct kmem_cache_node *n = NULL;
-- unsigned long uninitialized_var(flags);
-+ unsigned long flags;
-
- stat(s, FREE_SLOWPATH);
-
---- a/mm/swap.c
-+++ b/mm/swap.c
-@@ -721,8 +721,8 @@ void release_pages(struct page **pages,
- LIST_HEAD(pages_to_free);
- struct pglist_data *locked_pgdat = NULL;
- struct lruvec *lruvec;
-- unsigned long uninitialized_var(flags);
-- unsigned int uninitialized_var(lock_batch);
-+ unsigned long flags;
-+ unsigned int lock_batch;
-
- for (i = 0; i < nr; i++) {
- struct page *page = pages[i];
---- a/net/dccp/options.c
-+++ b/net/dccp/options.c
-@@ -60,7 +60,7 @@ int dccp_parse_options(struct sock *sk,
- (dh->dccph_doff * 4);
- struct dccp_options_received *opt_recv = &dp->dccps_options_received;
- unsigned char opt, len;
-- unsigned char *uninitialized_var(value);
-+ unsigned char *value;
- u32 elapsed_time;
- __be32 opt_val;
- int rc;
---- a/net/ipv4/netfilter/nf_socket_ipv4.c
-+++ b/net/ipv4/netfilter/nf_socket_ipv4.c
-@@ -96,11 +96,11 @@ nf_socket_get_sock_v4(struct net *net, s
- struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,
- const struct net_device *indev)
- {
-- __be32 uninitialized_var(daddr), uninitialized_var(saddr);
-- __be16 uninitialized_var(dport), uninitialized_var(sport);
-+ __be32 daddr, saddr;
-+ __be16 dport, sport;
- const struct iphdr *iph = ip_hdr(skb);
- struct sk_buff *data_skb = NULL;
-- u8 uninitialized_var(protocol);
-+ u8 protocol;
- #if IS_ENABLED(CONFIG_NF_CONNTRACK)
- enum ip_conntrack_info ctinfo;
- struct nf_conn const *ct;
---- a/net/ipv6/ip6_flowlabel.c
-+++ b/net/ipv6/ip6_flowlabel.c
-@@ -518,7 +518,7 @@ int ipv6_flowlabel_opt_get(struct sock *
-
- int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
- {
-- int uninitialized_var(err);
-+ int err;
- struct net *net = sock_net(sk);
- struct ipv6_pinfo *np = inet6_sk(sk);
- struct in6_flowlabel_req freq;
---- a/net/ipv6/netfilter/nf_socket_ipv6.c
-+++ b/net/ipv6/netfilter/nf_socket_ipv6.c
-@@ -102,7 +102,7 @@ nf_socket_get_sock_v6(struct net *net, s
- struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,
- const struct net_device *indev)
- {
-- __be16 uninitialized_var(dport), uninitialized_var(sport);
-+ __be16 dport, sport;
- const struct in6_addr *daddr = NULL, *saddr = NULL;
- struct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var;
- struct sk_buff *data_skb = NULL;
---- a/net/netfilter/nf_conntrack_ftp.c
-+++ b/net/netfilter/nf_conntrack_ftp.c
-@@ -383,7 +383,7 @@ static int help(struct sk_buff *skb,
- int ret;
- u32 seq;
- int dir = CTINFO2DIR(ctinfo);
-- unsigned int uninitialized_var(matchlen), uninitialized_var(matchoff);
-+ unsigned int matchlen, matchoff;
- struct nf_ct_ftp_master *ct_ftp_info = nfct_help_data(ct);
- struct nf_conntrack_expect *exp;
- union nf_inet_addr *daddr;
---- a/net/netfilter/nfnetlink_log.c
-+++ b/net/netfilter/nfnetlink_log.c
-@@ -637,7 +637,7 @@ nfulnl_log_packet(struct net *net,
- struct nfnl_log_net *log = nfnl_log_pernet(net);
- const struct nfnl_ct_hook *nfnl_ct = NULL;
- struct nf_conn *ct = NULL;
-- enum ip_conntrack_info uninitialized_var(ctinfo);
-+ enum ip_conntrack_info ctinfo;
-
- if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
- li = li_user;
---- a/net/netfilter/nfnetlink_queue.c
-+++ b/net/netfilter/nfnetlink_queue.c
-@@ -392,7 +392,7 @@ nfqnl_build_packet_message(struct net *n
- struct net_device *indev;
- struct net_device *outdev;
- struct nf_conn *ct = NULL;
-- enum ip_conntrack_info uninitialized_var(ctinfo);
-+ enum ip_conntrack_info ctinfo;
- struct nfnl_ct_hook *nfnl_ct;
- bool csum_verify;
- char *secdata = NULL;
-@@ -1191,7 +1191,7 @@ static int nfqnl_recv_verdict(struct net
- struct nfqnl_instance *queue;
- unsigned int verdict;
- struct nf_queue_entry *entry;
-- enum ip_conntrack_info uninitialized_var(ctinfo);
-+ enum ip_conntrack_info ctinfo;
- struct nfnl_ct_hook *nfnl_ct;
- struct nf_conn *ct = NULL;
- struct nfnl_queue_net *q = nfnl_queue_pernet(net);
---- a/net/sched/cls_flow.c
-+++ b/net/sched/cls_flow.c
-@@ -229,7 +229,7 @@ static u32 flow_get_skgid(const struct s
-
- static u32 flow_get_vlan_tag(const struct sk_buff *skb)
- {
-- u16 uninitialized_var(tag);
-+ u16 tag;
-
- if (vlan_get_tag(skb, &tag) < 0)
- return 0;
---- a/net/sched/sch_cake.c
-+++ b/net/sched/sch_cake.c
-@@ -1649,7 +1649,7 @@ static s32 cake_enqueue(struct sk_buff *
- {
- struct cake_sched_data *q = qdisc_priv(sch);
- int len = qdisc_pkt_len(skb);
-- int uninitialized_var(ret);
-+ int ret;
- struct sk_buff *ack = NULL;
- ktime_t now = ktime_get();
- struct cake_tin_data *b;
---- a/net/sched/sch_cbq.c
-+++ b/net/sched/sch_cbq.c
-@@ -365,7 +365,7 @@ cbq_enqueue(struct sk_buff *skb, struct
- struct sk_buff **to_free)
- {
- struct cbq_sched_data *q = qdisc_priv(sch);
-- int uninitialized_var(ret);
-+ int ret;
- struct cbq_class *cl = cbq_classify(skb, sch, &ret);
-
- #ifdef CONFIG_NET_CLS_ACT
---- a/net/sched/sch_fq_codel.c
-+++ b/net/sched/sch_fq_codel.c
-@@ -192,7 +192,7 @@ static int fq_codel_enqueue(struct sk_bu
- struct fq_codel_sched_data *q = qdisc_priv(sch);
- unsigned int idx, prev_backlog, prev_qlen;
- struct fq_codel_flow *flow;
-- int uninitialized_var(ret);
-+ int ret;
- unsigned int pkt_len;
- bool memory_limited;
-
---- a/net/sched/sch_sfq.c
-+++ b/net/sched/sch_sfq.c
-@@ -353,7 +353,7 @@ sfq_enqueue(struct sk_buff *skb, struct
- unsigned int hash, dropped;
- sfq_index x, qlen;
- struct sfq_slot *slot;
-- int uninitialized_var(ret);
-+ int ret;
- struct sk_buff *head;
- int delta;
-
---- a/sound/core/control_compat.c
-+++ b/sound/core/control_compat.c
-@@ -236,7 +236,7 @@ static int copy_ctl_value_from_user(stru
- {
- struct snd_ctl_elem_value32 __user *data32 = userdata;
- int i, type, size;
-- int uninitialized_var(count);
-+ int count;
- unsigned int indirect;
-
- if (copy_from_user(&data->id, &data32->id, sizeof(data->id)))
---- a/sound/isa/sb/sb16_csp.c
-+++ b/sound/isa/sb/sb16_csp.c
-@@ -116,7 +116,7 @@ static void info_read(struct snd_info_en
- int snd_sb_csp_new(struct snd_sb *chip, int device, struct snd_hwdep ** rhwdep)
- {
- struct snd_sb_csp *p;
-- int uninitialized_var(version);
-+ int version;
- int err;
- struct snd_hwdep *hw;
-
---- a/sound/usb/endpoint.c
-+++ b/sound/usb/endpoint.c
-@@ -324,7 +324,7 @@ static void queue_pending_output_urbs(st
- while (test_bit(EP_FLAG_RUNNING, &ep->flags)) {
-
- unsigned long flags;
-- struct snd_usb_packet_info *uninitialized_var(packet);
-+ struct snd_usb_packet_info *packet;
- struct snd_urb_ctx *ctx = NULL;
- int err, i;
-
+++ /dev/null
-From a9c09546e903f1068acfa38e1ee18bded7114b37 Mon Sep 17 00:00:00 2001
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Date: Sat, 10 Jun 2023 17:59:25 +0200
-Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-commit a9c09546e903f1068acfa38e1ee18bded7114b37 upstream.
-
-If clk_get_rate() fails, the clk that has just been allocated needs to be
-freed.
-
-Cc: <stable@vger.kernel.org> # v3.3+
-Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
-Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
-Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
-Message-ID: <e4baf6039368f52e5a5453982ddcb9a330fc689e.1686412569.git.christophe.jaillet@wanadoo.fr>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/samsung.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/drivers/tty/serial/samsung.c
-+++ b/drivers/tty/serial/samsung.c
-@@ -1199,8 +1199,12 @@ static unsigned int s3c24xx_serial_getcl
- continue;
-
- rate = clk_get_rate(clk);
-- if (!rate)
-+ if (!rate) {
-+ dev_err(ourport->port.dev,
-+ "Failed to get clock rate for %s.\n", clkname);
-+ clk_put(clk);
- continue;
-+ }
-
- if (ourport->info->has_divslot) {
- unsigned long div = rate / req_baud;
+++ /dev/null
-From 832e231cff476102e8204a9e7bddfe5c6154a375 Mon Sep 17 00:00:00 2001
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Date: Sat, 10 Jun 2023 17:59:26 +0200
-Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-commit 832e231cff476102e8204a9e7bddfe5c6154a375 upstream.
-
-When the best clk is searched, we iterate over all possible clk.
-
-If we find a better match, the previous one, if any, needs to be freed.
-If a better match has already been found, we still need to free the new
-one, otherwise it leaks.
-
-Cc: <stable@vger.kernel.org> # v3.3+
-Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
-Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
-Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
-Message-ID: <cf3e0053d2fc7391b2d906a86cd01a5ef15fb9dc.1686412569.git.christophe.jaillet@wanadoo.fr>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/serial/samsung.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/tty/serial/samsung.c
-+++ b/drivers/tty/serial/samsung.c
-@@ -1230,10 +1230,18 @@ static unsigned int s3c24xx_serial_getcl
- calc_deviation = -calc_deviation;
-
- if (calc_deviation < deviation) {
-+ /*
-+ * If we find a better clk, release the previous one, if
-+ * any.
-+ */
-+ if (!IS_ERR(*best_clk))
-+ clk_put(*best_clk);
- *best_clk = clk;
- best_quot = quot;
- *clk_num = cnt;
- deviation = calc_deviation;
-+ } else {
-+ clk_put(clk);
- }
- }
-
+++ /dev/null
-From dd4780f2e582e32ee8f5c8c08d03b8b73e369d5c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 8 Jul 2023 08:29:58 +0000
-Subject: udp6: fix udp6_ehashfn() typo
-
-From: Eric Dumazet <edumazet@google.com>
-
-[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ]
-
-Amit Klein reported that udp6_ehash_secret was initialized but never used.
-
-Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once")
-Reported-by: Amit Klein <aksecurity@gmail.com>
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Cc: Willy Tarreau <w@1wt.eu>
-Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
-Cc: David Ahern <dsahern@kernel.org>
-Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/udp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
-index 9274603514e54..cf0bbe2e3a79f 100644
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -99,7 +99,7 @@ static u32 udp6_ehashfn(const struct net *net,
- fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret);
-
- return __inet6_ehashfn(lhash, lport, fhash, fport,
-- udp_ipv6_hash_secret + net_hash_mix(net));
-+ udp6_ehash_secret + net_hash_mix(net));
- }
-
- int udp_v6_get_port(struct sock *sk, unsigned short snum)
---
-2.39.2
-
+++ /dev/null
-From a73ed729a0242b99c1c9a5c6e71a75e01fff18e8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 20 Apr 2023 22:08:31 +0800
-Subject: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
-
-From: Li Yang <lidaxian@hust.edu.cn>
-
-[ Upstream commit 342161c11403ea00e9febc16baab1d883d589d04 ]
-
-Smatch reports:
-drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()
-warn: missing unwind goto?
-
-After geting irq, if ret < 0, it will return without error handling to
-free memory.
-Just add error handling to fix this problem.
-
-Fixes: 0d45a1373e66 ("usb: phy: tahvo: add IRQ check")
-Signed-off-by: Li Yang <lidaxian@hust.edu.cn>
-Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
-Link: https://lore.kernel.org/r/20230420140832.9110-1-lidaxian@hust.edu.cn
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/phy/phy-tahvo.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c
-index 60d390e28289f..2923a7f6952dc 100644
---- a/drivers/usb/phy/phy-tahvo.c
-+++ b/drivers/usb/phy/phy-tahvo.c
-@@ -398,7 +398,7 @@ static int tahvo_usb_probe(struct platform_device *pdev)
-
- tu->irq = ret = platform_get_irq(pdev, 0);
- if (ret < 0)
-- return ret;
-+ goto err_remove_phy;
- ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt,
- IRQF_ONESHOT,
- "tahvo-vbus", tu);
---
-2.39.2
-
+++ /dev/null
-From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001
-From: Davide Tronchin <davide.tronchin.94@gmail.com>
-Date: Thu, 22 Jun 2023 11:29:21 +0200
-Subject: USB: serial: option: add LARA-R6 01B PIDs
-
-From: Davide Tronchin <davide.tronchin.94@gmail.com>
-
-commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream.
-
-The new LARA-R6 product variant identified by the "01B" string can be
-configured (by AT interface) in three different USB modes:
-
-* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial
-interfaces
-
-* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial
-interfaces and 1 RmNet virtual network interface
-
-* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial
-interface and 1 CDC-ECM virtual network interface
-The first 4 interfaces of all the 3 USB configurations (default, RmNet,
-CDC-ECM) are the same.
-
-In default mode LARA-R6 01B exposes the following interfaces:
-If 0: Diagnostic
-If 1: AT parser
-If 2: AT parser
-If 3: AT parser/alternative functions
-
-In RmNet mode LARA-R6 01B exposes the following interfaces:
-If 0: Diagnostic
-If 1: AT parser
-If 2: AT parser
-If 3: AT parser/alternative functions
-If 4: RMNET interface
-
-In CDC-ECM mode LARA-R6 01B exposes the following interfaces:
-If 0: Diagnostic
-If 1: AT parser
-If 2: AT parser
-If 3: AT parser/alternative functions
-If 4: CDC-ECM interface
-
-Signed-off-by: Davide Tronchin <davide.tronchin.94@gmail.com>
-Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com
-Cc: stable@vger.kernel.org
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/serial/option.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/usb/serial/option.c
-+++ b/drivers/usb/serial/option.c
-@@ -1151,6 +1151,10 @@ static const struct usb_device_id option
- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa),
- .driver_info = RSVD(3) },
- /* u-blox products */
-+ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */
-+ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox LARA-R6 01B (RMNET) */
-+ .driver_info = RSVD(4) },
-+ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */
- { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */
- { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */
- .driver_info = RSVD(4) },
+++ /dev/null
-From 13b7c0390a5d3840e1e2cda8f44a310fdbb982de Mon Sep 17 00:00:00 2001
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Date: Mon, 3 May 2021 13:57:34 +0200
-Subject: video: imsttfb: check for ioremap() failures
-
-From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-commit 13b7c0390a5d3840e1e2cda8f44a310fdbb982de upstream.
-
-We should check if ioremap() were to somehow fail in imsttfb_probe() and
-handle the unwinding of the resources allocated here properly.
-
-Ideally if anyone cares about this driver (it's for a PowerMac era PCI
-display card), they wouldn't even be using fbdev anymore. Or the devm_*
-apis could be used, but that's just extra work for diminishing
-returns...
-
-Cc: Finn Thain <fthain@telegraphics.com.au>
-Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
-Reviewed-by: Rob Herring <robh@kernel.org>
-Link: https://lore.kernel.org/r/20210503115736.2104747-68-gregkh@linuxfoundation.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/video/fbdev/imsttfb.c | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
---- a/drivers/video/fbdev/imsttfb.c
-+++ b/drivers/video/fbdev/imsttfb.c
-@@ -1470,6 +1470,7 @@ static int imsttfb_probe(struct pci_dev
- struct imstt_par *par;
- struct fb_info *info;
- struct device_node *dp;
-+ int ret = -ENOMEM;
-
- dp = pci_device_to_OF_node(pdev);
- if(dp)
-@@ -1508,23 +1509,37 @@ static int imsttfb_probe(struct pci_dev
- default:
- printk(KERN_INFO "imsttfb: Device 0x%x unknown, "
- "contact maintainer.\n", pdev->device);
-- release_mem_region(addr, size);
-- framebuffer_release(info);
-- return -ENODEV;
-+ ret = -ENODEV;
-+ goto error;
- }
-
- info->fix.smem_start = addr;
- info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ?
- 0x400000 : 0x800000);
-+ if (!info->screen_base)
-+ goto error;
- info->fix.mmio_start = addr + 0x800000;
- par->dc_regs = ioremap(addr + 0x800000, 0x1000);
-+ if (!par->dc_regs)
-+ goto error;
- par->cmap_regs_phys = addr + 0x840000;
- par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000);
-+ if (!par->cmap_regs)
-+ goto error;
- info->pseudo_palette = par->palette;
- init_imstt(info);
-
- pci_set_drvdata(pdev, info);
- return 0;
-+
-+error:
-+ if (par->dc_regs)
-+ iounmap(par->dc_regs);
-+ if (info->screen_base)
-+ iounmap(info->screen_base);
-+ release_mem_region(addr, size);
-+ framebuffer_release(info);
-+ return ret;
- }
-
- static void imsttfb_remove(struct pci_dev *pdev)
+++ /dev/null
-From ca9b3ac6d3bbb8860c544487324e18a6481a20d7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 10 Jun 2019 10:32:50 -0400
-Subject: vrf: Increment Icmp6InMsgs on the original netdev
-
-From: Stephen Suryaputra <ssuryaextr@gmail.com>
-
-[ Upstream commit e1ae5c2ea4783b1fd87be250f9fcc9d9e1a6ba3f ]
-
-Get the ingress interface and increment ICMP counters based on that
-instead of skb->dev when the the dev is a VRF device.
-
-This is a follow up on the following message:
-https://www.spinics.net/lists/netdev/msg560268.html
-
-v2: Avoid changing skb->dev since it has unintended effect for local
- delivery (David Ahern).
-Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
-Reviewed-by: David Ahern <dsahern@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Stable-dep-of: 2aaa8a15de73 ("icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/net/addrconf.h | 16 ++++++++++++++++
- net/ipv6/icmp.c | 17 +++++++++++------
- net/ipv6/reassembly.c | 4 ++--
- 3 files changed, 29 insertions(+), 8 deletions(-)
-
-diff --git a/include/net/addrconf.h b/include/net/addrconf.h
-index db2a87981dd46..9583d3bbab039 100644
---- a/include/net/addrconf.h
-+++ b/include/net/addrconf.h
-@@ -340,6 +340,22 @@ static inline struct inet6_dev *__in6_dev_get(const struct net_device *dev)
- return rcu_dereference_rtnl(dev->ip6_ptr);
- }
-
-+/**
-+ * __in6_dev_stats_get - get inet6_dev pointer for stats
-+ * @dev: network device
-+ * @skb: skb for original incoming interface if neeeded
-+ *
-+ * Caller must hold rcu_read_lock or RTNL, because this function
-+ * does not take a reference on the inet6_dev.
-+ */
-+static inline struct inet6_dev *__in6_dev_stats_get(const struct net_device *dev,
-+ const struct sk_buff *skb)
-+{
-+ if (netif_is_l3_master(dev))
-+ dev = dev_get_by_index_rcu(dev_net(dev), inet6_iif(skb));
-+ return __in6_dev_get(dev);
-+}
-+
- /**
- * __in6_dev_get_safely - get inet6_dev pointer from netdevice
- * @dev: network device
-diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
-index fbc8746371b6d..1b86a2e03d049 100644
---- a/net/ipv6/icmp.c
-+++ b/net/ipv6/icmp.c
-@@ -395,23 +395,28 @@ static struct dst_entry *icmpv6_route_lookup(struct net *net,
- return ERR_PTR(err);
- }
-
--static int icmp6_iif(const struct sk_buff *skb)
-+static struct net_device *icmp6_dev(const struct sk_buff *skb)
- {
-- int iif = skb->dev->ifindex;
-+ struct net_device *dev = skb->dev;
-
- /* for local traffic to local address, skb dev is the loopback
- * device. Check if there is a dst attached to the skb and if so
- * get the real device index. Same is needed for replies to a link
- * local address on a device enslaved to an L3 master device
- */
-- if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
-+ if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
- const struct rt6_info *rt6 = skb_rt6_info(skb);
-
- if (rt6)
-- iif = rt6->rt6i_idev->dev->ifindex;
-+ dev = rt6->rt6i_idev->dev;
- }
-
-- return iif;
-+ return dev;
-+}
-+
-+static int icmp6_iif(const struct sk_buff *skb)
-+{
-+ return icmp6_dev(skb)->ifindex;
- }
-
- /*
-@@ -800,7 +805,7 @@ void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info)
- static int icmpv6_rcv(struct sk_buff *skb)
- {
- struct net *net = dev_net(skb->dev);
-- struct net_device *dev = skb->dev;
-+ struct net_device *dev = icmp6_dev(skb);
- struct inet6_dev *idev = __in6_dev_get(dev);
- const struct in6_addr *saddr, *daddr;
- struct icmp6hdr *hdr;
-diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
-index 60dfd0d118512..b596727f04978 100644
---- a/net/ipv6/reassembly.c
-+++ b/net/ipv6/reassembly.c
-@@ -302,7 +302,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
- skb_network_header_len(skb));
-
- rcu_read_lock();
-- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS);
-+ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMOKS);
- rcu_read_unlock();
- fq->q.fragments = NULL;
- fq->q.rb_fragments = RB_ROOT;
-@@ -317,7 +317,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb,
- net_dbg_ratelimited("ip6_frag_reasm: no memory for reassembly\n");
- out_fail:
- rcu_read_lock();
-- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS);
-+ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMFAILS);
- rcu_read_unlock();
- inet_frag_kill(&fq->q);
- return -1;
---
-2.39.2
-
+++ /dev/null
-From 7fab2a6bde29ee9a8cf5b2eea008b078d8e3aac2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 19 May 2021 17:17:45 +0300
-Subject: w1: fix loop in w1_fini()
-
-From: Dan Carpenter <dan.carpenter@oracle.com>
-
-[ Upstream commit 83f3fcf96fcc7e5405b37d9424c7ef26bfa203f8 ]
-
-The __w1_remove_master_device() function calls:
-
- list_del(&dev->w1_master_entry);
-
-So presumably this can cause an endless loop.
-
-Fixes: 7785925dd8e0 ("[PATCH] w1: cleanups.")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/w1/w1.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
-index cb3650efc29cd..8db9ca241d99c 100644
---- a/drivers/w1/w1.c
-+++ b/drivers/w1/w1.c
-@@ -1237,10 +1237,10 @@ static int __init w1_init(void)
-
- static void __exit w1_fini(void)
- {
-- struct w1_master *dev;
-+ struct w1_master *dev, *n;
-
- /* Set netlink removal messages and some cleanup */
-- list_for_each_entry(dev, &w1_masters, w1_master_entry)
-+ list_for_each_entry_safe(dev, n, &w1_masters, w1_master_entry)
- __w1_remove_master_device(dev);
-
- w1_fini_netlink();
---
-2.39.2
-
+++ /dev/null
-From 0c282f6c0842390de9ae2a22490760732c735d15 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 19 May 2023 10:18:25 -0700
-Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on
- correct config
-
-From: Douglas Anderson <dianders@chromium.org>
-
-[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ]
-
-Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5.
-
-This patch series adds the "buddy" hardlockup detector. In brief, the
-buddy hardlockup detector can detect hardlockups without arch-level
-support by having CPUs checkup on a "buddy" CPU periodically.
-
-Given the new design of this patch series, testing all combinations is
-fairly difficult. I've attempted to make sure that all combinations of
-CONFIG_ options are good, but it wouldn't surprise me if I missed
-something. I apologize in advance and I'll do my best to fix any
-problems that are found.
-
-This patch (of 18):
-
-The real watchdog_update_hrtimer_threshold() is defined in
-kernel/watchdog_hld.c. That file is included if
-CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file
-if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP.
-
-The dummy version of the function in "nmi.h" didn't get that quite right.
-While this doesn't appear to be a huge deal, it's nice to make it
-consistent.
-
-It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so
-others don't get a double definition, and x86 uses perf lockup detector,
-so it gets the out of line version.
-
-Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid
-Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid
-Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
-Signed-off-by: Douglas Anderson <dianders@chromium.org>
-Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
-Reviewed-by: Petr Mladek <pmladek@suse.com>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Catalin Marinas <catalin.marinas@arm.com>
-Cc: Chen-Yu Tsai <wens@csie.org>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Cc: Daniel Thompson <daniel.thompson@linaro.org>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Guenter Roeck <groeck@chromium.org>
-Cc: Ian Rogers <irogers@google.com>
-Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
-Cc: Marc Zyngier <maz@kernel.org>
-Cc: Mark Rutland <mark.rutland@arm.com>
-Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
-Cc: Matthias Kaehlcke <mka@chromium.org>
-Cc: Michael Ellerman <mpe@ellerman.id.au>
-Cc: Pingfan Liu <kernelfans@gmail.com>
-Cc: Randy Dunlap <rdunlap@infradead.org>
-Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
-Cc: Ricardo Neri <ricardo.neri@intel.com>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Stephen Boyd <swboyd@chromium.org>
-Cc: Sumit Garg <sumit.garg@linaro.org>
-Cc: Tzung-Bi Shih <tzungbi@chromium.org>
-Cc: Will Deacon <will@kernel.org>
-Cc: Colin Cross <ccross@android.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/nmi.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/linux/nmi.h b/include/linux/nmi.h
-index e972d1ae1ee63..6cb593d9ed08a 100644
---- a/include/linux/nmi.h
-+++ b/include/linux/nmi.h
-@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh);
- #endif
-
- #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \
-- defined(CONFIG_HARDLOCKUP_DETECTOR)
-+ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF)
- void watchdog_update_hrtimer_threshold(u64 period);
- #else
- static inline void watchdog_update_hrtimer_threshold(u64 period) { }
---
-2.39.2
-
+++ /dev/null
-From 3c6dc6af3bc7f2705b7a426759a9837e74c2a453 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 19 May 2023 10:18:26 -0700
-Subject: watchdog/perf: more properly prevent false positives with turbo modes
-
-From: Douglas Anderson <dianders@chromium.org>
-
-[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ]
-
-Currently, in the watchdog_overflow_callback() we first check to see if
-the watchdog had been touched and _then_ we handle the workaround for
-turbo mode. This order should be reversed.
-
-Specifically, "touching" the hardlockup detector's watchdog should avoid
-lockups being detected for one period that should be roughly the same
-regardless of whether we're running turbo or not. That means that we
-should do the extra accounting for turbo _before_ we look at (and clear)
-the global indicating that we've been touched.
-
-NOTE: this fix is made based on code inspection. I am not aware of any
-reports where the old code would have generated false positives. That
-being said, this order seems more correct and also makes it easier down
-the line to share code with the "buddy" hardlockup detector.
-
-Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid
-Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
-Signed-off-by: Douglas Anderson <dianders@chromium.org>
-Cc: Andi Kleen <ak@linux.intel.com>
-Cc: Catalin Marinas <catalin.marinas@arm.com>
-Cc: Chen-Yu Tsai <wens@csie.org>
-Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
-Cc: Colin Cross <ccross@android.com>
-Cc: Daniel Thompson <daniel.thompson@linaro.org>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Guenter Roeck <groeck@chromium.org>
-Cc: Ian Rogers <irogers@google.com>
-Cc: Lecopzer Chen <lecopzer.chen@mediatek.com>
-Cc: Marc Zyngier <maz@kernel.org>
-Cc: Mark Rutland <mark.rutland@arm.com>
-Cc: Masayoshi Mizuma <msys.mizuma@gmail.com>
-Cc: Matthias Kaehlcke <mka@chromium.org>
-Cc: Michael Ellerman <mpe@ellerman.id.au>
-Cc: Nicholas Piggin <npiggin@gmail.com>
-Cc: Petr Mladek <pmladek@suse.com>
-Cc: Pingfan Liu <kernelfans@gmail.com>
-Cc: Randy Dunlap <rdunlap@infradead.org>
-Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
-Cc: Ricardo Neri <ricardo.neri@intel.com>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Stephen Boyd <swboyd@chromium.org>
-Cc: Sumit Garg <sumit.garg@linaro.org>
-Cc: Tzung-Bi Shih <tzungbi@chromium.org>
-Cc: Will Deacon <will@kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/watchdog_hld.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c
-index 71381168dedef..f8e460b4a59d5 100644
---- a/kernel/watchdog_hld.c
-+++ b/kernel/watchdog_hld.c
-@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event,
- /* Ensure the watchdog never gets throttled */
- event->hw.interrupts = 0;
-
-+ if (!watchdog_check_timestamp())
-+ return;
-+
- if (__this_cpu_read(watchdog_nmi_touch) == true) {
- __this_cpu_write(watchdog_nmi_touch, false);
- return;
- }
-
-- if (!watchdog_check_timestamp())
-- return;
--
- /* check for a hardlockup
- * This is done by making sure our timer interrupt
- * is incrementing. The timer interrupt should have
---
-2.39.2
-
+++ /dev/null
-From 5f65296a9458994473a1830d34aed8a66606adf3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 9 Jul 2023 06:31:54 -0700
-Subject: wifi: airo: avoid uninitialized warning in airo_get_rate()
-
-From: Randy Dunlap <rdunlap@infradead.org>
-
-[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ]
-
-Quieten a gcc (11.3.0) build error or warning by checking the function
-call status and returning -EBUSY if the function call failed.
-This is similar to what several other wireless drivers do for the
-SIOCGIWRATE ioctl call when there is a locking problem.
-
-drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized]
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
-Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
-Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org
-Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/cisco/airo.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
-index 5a6ee0b014da0..a01b42c7c07ac 100644
---- a/drivers/net/wireless/cisco/airo.c
-+++ b/drivers/net/wireless/cisco/airo.c
-@@ -6100,8 +6100,11 @@ static int airo_get_rate(struct net_device *dev,
- {
- struct airo_info *local = dev->ml_priv;
- StatusRid status_rid; /* Card status info */
-+ int ret;
-
-- readStatusRid(local, &status_rid, 1);
-+ ret = readStatusRid(local, &status_rid, 1);
-+ if (ret)
-+ return -EBUSY;
-
- vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000;
- /* If more than one rate, set auto */
---
-2.39.2
-
+++ /dev/null
-From cf65e68abf8e7ab7b1fbd232bbdf201720676629 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 26 Apr 2023 17:35:01 +0300
-Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Fedor Pchelkin <pchelkin@ispras.ru>
-
-[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ]
-
-For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
-uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
-validate pkt_len before accessing the SKB.
-
-For example, the obtained SKB may have been badly constructed with
-pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
-but after being processed in ath9k_htc_rx_msg() and passed to
-ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
-command header which should be located inside its data payload.
-
-Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
-memory can be referenced.
-
-Tested on Qualcomm Atheros Communications AR9271 802.11n .
-
-Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
-
-Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
-Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com
-Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
-Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
-index e4ea6f5cc78ab..5e2a610df61cf 100644
---- a/drivers/net/wireless/ath/ath9k/wmi.c
-+++ b/drivers/net/wireless/ath/ath9k/wmi.c
-@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
- if (unlikely(wmi->stopped))
- goto free_skb;
-
-+ /* Validate the obtained SKB. */
-+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
-+ goto free_skb;
-+
- hdr = (struct wmi_cmd_hdr *) skb->data;
- cmd_id = be16_to_cpu(hdr->command_id);
-
---
-2.39.2
-
+++ /dev/null
-From bbf82c3def2c11aee88ff24f3b0c8cf9599e0071 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 13 Jun 2023 16:46:55 +0300
-Subject: wifi: ath9k: convert msecs to jiffies where needed
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Dmitry Antipov <dmantipov@yandex.ru>
-
-[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ]
-
-Since 'ieee80211_queue_delayed_work()' expects timeout in
-jiffies and not milliseconds, 'msecs_to_jiffies()' should
-be used in 'ath_restart_work()' and '__ath9k_flush()'.
-
-Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work")
-Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
-Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath9k/main.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
-index e8e297a04d360..2fdf9858a73d9 100644
---- a/drivers/net/wireless/ath/ath9k/main.c
-+++ b/drivers/net/wireless/ath/ath9k/main.c
-@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc)
- void ath_restart_work(struct ath_softc *sc)
- {
- ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work,
-- ATH_HW_CHECK_POLL_INT);
-+ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
-
- if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
- ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
-@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop,
- }
-
- ieee80211_queue_delayed_work(hw, &sc->hw_check_work,
-- ATH_HW_CHECK_POLL_INT);
-+ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
- }
-
- static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw)
---
-2.39.2
-
+++ /dev/null
-From cbdd7ba95d47d114975b51072b4265f8344abe37 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 17 May 2023 18:03:17 +0300
-Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Fedor Pchelkin <pchelkin@ispras.ru>
-
-[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ]
-
-A bad USB device is able to construct a service connection response
-message with target endpoint being ENDPOINT0 which is reserved for
-HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
-services.
-
-Reject such service connection responses.
-
-Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
-
-Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
-Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
-Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
-Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
-index 6331c98088e03..d5e5f9cf4ca86 100644
---- a/drivers/net/wireless/ath/ath9k/htc_hst.c
-+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
-@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
-
- if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
- epid = svc_rspmsg->endpoint_id;
-- if (epid < 0 || epid >= ENDPOINT_MAX)
-+
-+ /* Check that the received epid for the endpoint to attach
-+ * a new service is valid. ENDPOINT0 can't be used here as it
-+ * is already reserved for HTC_CTRL_RSVD_SVC service and thus
-+ * should not be modified.
-+ */
-+ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
- return;
-
- service_id = be16_to_cpu(svc_rspmsg->service_id);
---
-2.39.2
-
+++ /dev/null
-From 16cb131de7a54b775ccf43c5fa130d76ee3a1901 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 26 Apr 2023 17:35:00 +0300
-Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset
- calculation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Peter Seiderer <ps.report@gmx.net>
-
-[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ]
-
-Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset
-calculation (do not overflow the shift for the second register/queues
-above five, use the register layout described in the comments above
-ath9k_hw_verify_hang() instead).
-
-Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003")
-
-Reported-by: Gregg Wonderly <greggwonderly@seqtechllc.com>
-Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/
-Signed-off-by: Peter Seiderer <ps.report@gmx.net>
-Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++--------
- 1 file changed, 18 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
-index 2fe12b0de5b4f..dea8a998fb622 100644
---- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
-+++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
-@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue)
- {
- u32 dma_dbg_chain, dma_dbg_complete;
- u8 dcu_chain_state, dcu_complete_state;
-+ unsigned int dbg_reg, reg_offset;
- int i;
-
-- for (i = 0; i < NUM_STATUS_READS; i++) {
-- if (queue < 6)
-- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4);
-- else
-- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5);
-+ if (queue < 6) {
-+ dbg_reg = AR_DMADBG_4;
-+ reg_offset = queue * 5;
-+ } else {
-+ dbg_reg = AR_DMADBG_5;
-+ reg_offset = (queue - 6) * 5;
-+ }
-
-+ for (i = 0; i < NUM_STATUS_READS; i++) {
-+ dma_dbg_chain = REG_READ(ah, dbg_reg);
- dma_dbg_complete = REG_READ(ah, AR_DMADBG_6);
-
-- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f;
-+ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f;
- dcu_complete_state = dma_dbg_complete & 0x3;
-
- if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1))
-@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
- u8 dcu_chain_state, dcu_complete_state;
- bool dcu_wait_frdone = false;
- unsigned long chk_dcu = 0;
-+ unsigned int reg_offset;
- unsigned int i = 0;
-
- dma_dbg_4 = REG_READ(ah, AR_DMADBG_4);
-@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
- goto exit;
-
- for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
-- if (i < 6)
-+ if (i < 6) {
- chk_dbg = dma_dbg_4;
-- else
-+ reg_offset = i * 5;
-+ } else {
- chk_dbg = dma_dbg_5;
-+ reg_offset = (i - 6) * 5;
-+ }
-
-- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f;
-+ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f;
- if (dcu_chain_state == 0x6) {
- dcu_wait_frdone = true;
- chk_dcu |= BIT(i);
---
-2.39.2
-
+++ /dev/null
-From 43e3a8b56606fdc140f08245ff49796f93f86e88 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 9 Jun 2023 11:37:44 +0200
-Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Remi Pommarel <repk@triplefau.lt>
-
-[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ]
-
-On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite
-loop if it is called while all txq_fifos have packets that use different
-key that the one we are looking for. Fix it by exiting the loop if all
-txq_fifos have been checked already.
-
-Because this loop is called under spin_lock_bh() (see ath_txq_lock) it
-causes the following rcu stall:
-
-rcu: INFO: rcu_sched self-detected stall on CPU
-ath10k_pci 0000:01:00.0: failed to read temperature -11
-rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579
- (t=5257 jiffies g=17983297 q=334)
-Task dump for CPU 1:
-task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a
-Call trace:
- dump_backtrace+0x0/0x170
- show_stack+0x1c/0x24
- sched_show_task+0x140/0x170
- dump_cpu_task+0x48/0x54
- rcu_dump_cpu_stacks+0xf0/0x134
- rcu_sched_clock_irq+0x8d8/0x9fc
- update_process_times+0xa0/0xec
- tick_sched_timer+0x5c/0xd0
- __hrtimer_run_queues+0x154/0x320
- hrtimer_interrupt+0x120/0x2f0
- arch_timer_handler_virt+0x38/0x44
- handle_percpu_devid_irq+0x9c/0x1e0
- handle_domain_irq+0x64/0x90
- gic_handle_irq+0x78/0xb0
- call_on_irq_stack+0x28/0x38
- do_interrupt_handler+0x54/0x5c
- el1_interrupt+0x2c/0x4c
- el1h_64_irq_handler+0x14/0x1c
- el1h_64_irq+0x74/0x78
- ath9k_txq_has_key+0x1bc/0x250 [ath9k]
- ath9k_set_key+0x1cc/0x3dc [ath9k]
- drv_set_key+0x78/0x170
- ieee80211_key_replace+0x564/0x6cc
- ieee80211_key_link+0x174/0x220
- ieee80211_add_key+0x11c/0x300
- nl80211_new_key+0x12c/0x330
- genl_family_rcv_msg_doit+0xbc/0x11c
- genl_rcv_msg+0xd8/0x1c4
- netlink_rcv_skb+0x40/0x100
- genl_rcv+0x3c/0x50
- netlink_unicast+0x1ec/0x2c0
- netlink_sendmsg+0x198/0x3c0
- ____sys_sendmsg+0x210/0x250
- ___sys_sendmsg+0x78/0xc4
- __sys_sendmsg+0x4c/0x90
- __arm64_sys_sendmsg+0x28/0x30
- invoke_syscall.constprop.0+0x60/0x100
- do_el0_svc+0x48/0xd0
- el0_svc+0x14/0x50
- el0t_64_sync_handler+0xa8/0xb0
- el0t_64_sync+0x158/0x15c
-
-This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH
-from 8 to 2 makes it reasonably easy to reproduce.
-
-Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it")
-Signed-off-by: Remi Pommarel <repk@triplefau.lt>
-Tested-by: Nicolas Escande <nico.escande@gmail.com>
-Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath9k/main.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
-index ee1b9c39bad7a..e8e297a04d360 100644
---- a/drivers/net/wireless/ath/ath9k/main.c
-+++ b/drivers/net/wireless/ath/ath9k/main.c
-@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix)
- static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
- {
- struct ath_hw *ah = sc->sc_ah;
-- int i;
-+ int i, j;
- struct ath_txq *txq;
- bool key_in_use = false;
-
-@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
- if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
- int idx = txq->txq_tailidx;
-
-- while (!key_in_use &&
-- !list_empty(&txq->txq_fifo[idx])) {
-+ for (j = 0; !key_in_use &&
-+ !list_empty(&txq->txq_fifo[idx]) &&
-+ j < ATH_TXFIFO_DEPTH; j++) {
- key_in_use = ath9k_txq_list_has_key(
- &txq->txq_fifo[idx], keyix);
- INCR(idx, ATH_TXFIFO_DEPTH);
---
-2.39.2
-
+++ /dev/null
-From c11669e78c6279d4eb42e332fdcbd353a753cffd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 20 May 2023 09:53:14 +0200
-Subject: wifi: atmel: Fix an error handling path in atmel_probe()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ]
-
-Should atmel_config() fail, some resources need to be released as already
-done in the remove function.
-
-While at it, remove a useless and erroneous comment. The probe is
-atmel_probe(), not atmel_attach().
-
-Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c
-index 7afc9c5329fb1..f5fa1a95b0c15 100644
---- a/drivers/net/wireless/atmel/atmel_cs.c
-+++ b/drivers/net/wireless/atmel/atmel_cs.c
-@@ -73,6 +73,7 @@ struct local_info {
- static int atmel_probe(struct pcmcia_device *p_dev)
- {
- struct local_info *local;
-+ int ret;
-
- dev_dbg(&p_dev->dev, "atmel_attach()\n");
-
-@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev)
-
- p_dev->priv = local;
-
-- return atmel_config(p_dev);
--} /* atmel_attach */
-+ ret = atmel_config(p_dev);
-+ if (ret)
-+ goto err_free_priv;
-+
-+ return 0;
-+
-+err_free_priv:
-+ kfree(p_dev->priv);
-+ return ret;
-+}
-
- static void atmel_detach(struct pcmcia_device *link)
- {
---
-2.39.2
-
+++ /dev/null
-From 7fa7b97844f258140628a39210c44fd2dd1b7c21 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 20 Jun 2023 13:04:02 +0300
-Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ]
-
-Roee reported various hard-to-debug crashes with pings in
-EHT aggregation scenarios. Enabling KASAN showed that we
-access the BAID allocation out of bounds, and looking at
-the code a bit shows that since the reorder buffer entry
-(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug
-such as lockdep is enabled, then staring from an agg size
-512 we overflow the size calculation, and allocate a much
-smaller structure than we should, causing slab corruption
-once we initialize this.
-
-Fix this by simply using u32 instead of u16.
-
-Reported-by: Roee Goldfiner <roee.h.goldfiner@intel.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
-Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
-index 373ace38edab7..83883ce7f55dc 100644
---- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
-@@ -2237,7 +2237,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
- }
-
- if (iwl_mvm_has_new_rx_api(mvm) && start) {
-- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
-+ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
-
- /* sparse doesn't like the __align() so don't check */
- #ifndef __CHECKER__
---
-2.39.2
-
+++ /dev/null
-From d6fb7a006f008102f2c65907ae4ba8fed02b5d0b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 6 May 2023 15:53:15 +0200
-Subject: wifi: mwifiex: Fix the size of a memory allocation in
- mwifiex_ret_802_11_scan()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ]
-
-The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info",
-not "struct cfg80211_wowlan_nd_match".
-
-Use struct_size() to ease the computation of the needed size.
-
-The current code over-allocates some memory, so is safe.
-But it wastes 32 bytes.
-
-Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
-index c9f6cd2919699..4f0e78ae3dbd0 100644
---- a/drivers/net/wireless/marvell/mwifiex/scan.c
-+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
-@@ -2208,9 +2208,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
-
- if (nd_config) {
- adapter->nd_info =
-- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) +
-- sizeof(struct cfg80211_wowlan_nd_match *) *
-- scan_rsp->number_of_sets, GFP_ATOMIC);
-+ kzalloc(struct_size(adapter->nd_info, matches,
-+ scan_rsp->number_of_sets),
-+ GFP_ATOMIC);
-
- if (adapter->nd_info)
- adapter->nd_info->n_matches = scan_rsp->number_of_sets;
---
-2.39.2
-
+++ /dev/null
-From fdea8bce372ab31562ece0fb8bf706052166a8c9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 20 May 2023 09:38:22 +0200
-Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ]
-
-Should orinoco_cs_config() fail, some resources need to be released as
-already done in the remove function.
-
-While at it, remove a useless and erroneous comment. The probe is
-orinoco_cs_probe(), not orinoco_cs_attach().
-
-Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
-index a956f965a1e5e..03bfd2482656c 100644
---- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
-+++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c
-@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link)
- {
- struct orinoco_private *priv;
- struct orinoco_pccard *card;
-+ int ret;
-
- priv = alloc_orinocodev(sizeof(*card), &link->dev,
- orinoco_cs_hard_reset, NULL);
-@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link)
- card->p_dev = link;
- link->priv = priv;
-
-- return orinoco_cs_config(link);
--} /* orinoco_cs_attach */
-+ ret = orinoco_cs_config(link);
-+ if (ret)
-+ goto err_free_orinocodev;
-+
-+ return 0;
-+
-+err_free_orinocodev:
-+ free_orinocodev(priv);
-+ return ret;
-+}
-
- static void orinoco_cs_detach(struct pcmcia_device *link)
- {
---
-2.39.2
-
+++ /dev/null
-From 7a359d8680a5bf516024b7d91b9bde70a5f1ef76 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 20 May 2023 09:29:46 +0200
-Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ]
-
-Should spectrum_cs_config() fail, some resources need to be released as
-already done in the remove function.
-
-While at it, remove a useless and erroneous comment. The probe is
-spectrum_cs_probe(), not spectrum_cs_attach().
-
-Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
-index b60048c95e0a8..011c86e55923e 100644
---- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
-+++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
-@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link)
- {
- struct orinoco_private *priv;
- struct orinoco_pccard *card;
-+ int ret;
-
- priv = alloc_orinocodev(sizeof(*card), &link->dev,
- spectrum_cs_hard_reset,
-@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link)
- card->p_dev = link;
- link->priv = priv;
-
-- return spectrum_cs_config(link);
--} /* spectrum_cs_attach */
-+ ret = spectrum_cs_config(link);
-+ if (ret)
-+ goto err_free_orinocodev;
-+
-+ return 0;
-+
-+err_free_orinocodev:
-+ free_orinocodev(priv);
-+ return ret;
-+}
-
- static void spectrum_cs_detach(struct pcmcia_device *link)
- {
---
-2.39.2
-
+++ /dev/null
-From 7d705b4ddd98b5603dec26cc74030feea2eebf60 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 3 Jun 2022 19:44:14 +0300
-Subject: wifi: ray_cs: Drop useless status variable in parse_addr()
-
-From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-
-[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ]
-
-The status variable assigned only once and used also only once.
-Replace it's usage by actual value.
-
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com
-Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ray_cs.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
-index f15714f19d0ff..e5cdcee04615f 100644
---- a/drivers/net/wireless/ray_cs.c
-+++ b/drivers/net/wireless/ray_cs.c
-@@ -1653,7 +1653,6 @@ static int parse_addr(char *in_str, UCHAR *out)
- {
- int i, k;
- int len;
-- int status;
-
- if (in_str == NULL)
- return 0;
-@@ -1662,7 +1661,6 @@ static int parse_addr(char *in_str, UCHAR *out)
- return 0;
- memset(out, 0, ADDRLEN);
-
-- status = 1;
- i = 5;
-
- while (len > 0) {
-@@ -1680,7 +1678,7 @@ static int parse_addr(char *in_str, UCHAR *out)
- if (!i--)
- break;
- }
-- return status;
-+ return 1;
- }
-
- /*===========================================================================*/
---
-2.39.2
-
+++ /dev/null
-From c56ebaf56992bd5ad91919e1bdb623475a1bc379 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 20 May 2023 10:13:22 +0200
-Subject: wifi: ray_cs: Fix an error handling path in ray_probe()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ]
-
-Should ray_config() fail, some resources need to be released as already
-done in the remove function.
-
-While at it, remove a useless and erroneous comment. The probe is
-ray_probe(), not ray_attach().
-
-Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ray_cs.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
-index e5cdcee04615f..edc990d099789 100644
---- a/drivers/net/wireless/ray_cs.c
-+++ b/drivers/net/wireless/ray_cs.c
-@@ -282,13 +282,14 @@ static int ray_probe(struct pcmcia_device *p_dev)
- {
- ray_dev_t *local;
- struct net_device *dev;
-+ int ret;
-
- dev_dbg(&p_dev->dev, "ray_attach()\n");
-
- /* Allocate space for private device-specific data */
- dev = alloc_etherdev(sizeof(ray_dev_t));
- if (!dev)
-- goto fail_alloc_dev;
-+ return -ENOMEM;
-
- local = netdev_priv(dev);
- local->finder = p_dev;
-@@ -325,11 +326,16 @@ static int ray_probe(struct pcmcia_device *p_dev)
- timer_setup(&local->timer, NULL, 0);
-
- this_device = p_dev;
-- return ray_config(p_dev);
-+ ret = ray_config(p_dev);
-+ if (ret)
-+ goto err_free_dev;
-+
-+ return 0;
-
--fail_alloc_dev:
-- return -ENOMEM;
--} /* ray_attach */
-+err_free_dev:
-+ free_netdev(dev);
-+ return ret;
-+}
-
- static void ray_detach(struct pcmcia_device *link)
- {
---
-2.39.2
-
+++ /dev/null
-From 39183f28dd2fa490bf43101f1f9693db74661545 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 3 Jun 2022 19:44:13 +0300
-Subject: wifi: ray_cs: Utilize strnlen() in parse_addr()
-
-From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-
-[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ]
-
-Instead of doing simple operations and using an additional variable on stack,
-utilize strnlen() and reuse len variable.
-
-Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com
-Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ray_cs.c | 16 +++++++---------
- 1 file changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
-index 8704bae39e1bf..f15714f19d0ff 100644
---- a/drivers/net/wireless/ray_cs.c
-+++ b/drivers/net/wireless/ray_cs.c
-@@ -1651,31 +1651,29 @@ static void authenticate_timeout(struct timer_list *t)
- /*===========================================================================*/
- static int parse_addr(char *in_str, UCHAR *out)
- {
-+ int i, k;
- int len;
-- int i, j, k;
- int status;
-
- if (in_str == NULL)
- return 0;
-- if ((len = strlen(in_str)) < 2)
-+ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;
-+ if (len < 1)
- return 0;
- memset(out, 0, ADDRLEN);
-
- status = 1;
-- j = len - 1;
-- if (j > 12)
-- j = 12;
- i = 5;
-
-- while (j > 0) {
-- if ((k = hex_to_bin(in_str[j--])) != -1)
-+ while (len > 0) {
-+ if ((k = hex_to_bin(in_str[len--])) != -1)
- out[i] = k;
- else
- return 0;
-
-- if (j == 0)
-+ if (len == 0)
- break;
-- if ((k = hex_to_bin(in_str[j--])) != -1)
-+ if ((k = hex_to_bin(in_str[len--])) != -1)
- out[i] += k << 4;
- else
- return 0;
---
-2.39.2
-
+++ /dev/null
-From 2a7df1bf66097f12bf14a803010334fd8c7d3260 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 28 May 2023 00:28:59 +0200
-Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
-
-From: Marek Vasut <marex@denx.de>
-
-[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ]
-
-It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag
-indicates to the MMC subsystem to keep the slot powered on during
-suspend, but in shutdown the slot should actually be powered off.
-Drop this call.
-
-Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state")
-Signed-off-by: Marek Vasut <marex@denx.de>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c
-index 48efe83c58d89..409a3e8305763 100644
---- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
-+++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
-@@ -1368,9 +1368,6 @@ static void rsi_shutdown(struct device *dev)
- if (sdev->write_fail)
- rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n");
-
-- if (rsi_set_sdio_pm_caps(adapter))
-- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n");
--
- rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n");
- }
-
---
-2.39.2
-
+++ /dev/null
-From eec6c0631c177e946a67d88280585b6f80934407 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 15 Jun 2023 12:04:07 -0600
-Subject: wifi: wext-core: Fix -Wstringop-overflow warning in
- ioctl_standard_iw_point()
-
-From: Gustavo A. R. Silva <gustavoars@kernel.org>
-
-[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ]
-
--Wstringop-overflow is legitimately warning us about extra_size
-pontentially being zero at some point, hence potenially ending
-up _allocating_ zero bytes of memory for extra pointer and then
-trying to access such object in a call to copy_from_user().
-
-Fix this by adding a sanity check to ensure we never end up
-trying to allocate zero bytes of data for extra pointer, before
-continue executing the rest of the code in the function.
-
-Address the following -Wstringop-overflow warning seen when built
-m68k architecture with allyesconfig configuration:
- from net/wireless/wext-core.c:11:
-In function '_copy_from_user',
- inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
- inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
-arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
- 48 | #define memset(d, c, n) __builtin_memset(d, c, n)
- | ^~~~~~~~~~~~~~~~~~~~~~~~~
-include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
- 153 | memset(to + (n - res), 0, res);
- | ^~~~~~
-In function 'kmalloc',
- inlined from 'kzalloc' at include/linux/slab.h:694:9,
- inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
-include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
- 577 | return __kmalloc(size, flags);
- | ^~~~~~~~~~~~~~~~~~~~~~
-
-This help with the ongoing efforts to globally enable
--Wstringop-overflow.
-
-Link: https://github.com/KSPP/linux/issues/315
-Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/wireless/wext-core.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
-index 76a80a41615be..a57f54bc0e1a7 100644
---- a/net/wireless/wext-core.c
-+++ b/net/wireless/wext-core.c
-@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
- }
- }
-
-+ /* Sanity-check to ensure we never end up _allocating_ zero
-+ * bytes of data for extra.
-+ */
-+ if (extra_size <= 0)
-+ return -EFAULT;
-+
- /* kzalloc() ensures NULL-termination for essid_compat. */
- extra = kzalloc(extra_size, GFP_KERNEL);
- if (!extra)
---
-2.39.2
-
+++ /dev/null
-From 0ca96611eabb69439dd098fe35b02e57573d5f13 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 20 May 2023 10:05:08 +0200
-Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
-
-From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-
-[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ]
-
-Should wl3501_config() fail, some resources need to be released as already
-done in the remove function.
-
-Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
-Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
-Reviewed-by: Simon Horman <simon.horman@corigine.com>
-Signed-off-by: Kalle Valo <kvalo@kernel.org>
-Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/wl3501_cs.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
-index 46188a83d8be8..4380c5d8fdd27 100644
---- a/drivers/net/wireless/wl3501_cs.c
-+++ b/drivers/net/wireless/wl3501_cs.c
-@@ -1863,6 +1863,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
- {
- struct net_device *dev;
- struct wl3501_card *this;
-+ int ret;
-
- /* The io structure describes IO port mapping */
- p_dev->resource[0]->end = 16;
-@@ -1874,8 +1875,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
-
- dev = alloc_etherdev(sizeof(struct wl3501_card));
- if (!dev)
-- goto out_link;
--
-+ return -ENOMEM;
-
- dev->netdev_ops = &wl3501_netdev_ops;
- dev->watchdog_timeo = 5 * HZ;
-@@ -1888,9 +1888,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev)
- netif_stop_queue(dev);
- p_dev->priv = dev;
-
-- return wl3501_config(p_dev);
--out_link:
-- return -ENOMEM;
-+ ret = wl3501_config(p_dev);
-+ if (ret)
-+ goto out_free_etherdev;
-+
-+ return 0;
-+
-+out_free_etherdev:
-+ free_netdev(dev);
-+ return ret;
- }
-
- static int wl3501_config(struct pcmcia_device *link)
---
-2.39.2
-
+++ /dev/null
-From 547b7019051a368a9dc01f5544d6bb44912e690b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 26 Aug 2020 10:33:51 +0100
-Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs
-
-From: Lee Jones <lee.jones@linaro.org>
-
-[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ]
-
-Fixes the following W=1 kernel build warning(s):
-
- In file included from drivers/net/wireless/wl3501_cs.c:57:
- drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel'
- drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel'
- drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel'
- drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla'
- drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla'
- drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt'
- drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt'
- drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt'
- drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt'
- drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt'
- drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt'
- drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt'
- drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not described in 'wl3501_reset'
- drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach'
-
-Cc: Kalle Valo <kvalo@codeaurora.org>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Jakub Kicinski <kuba@kernel.org>
-Cc: Fox Chen <mhchen@golf.ccl.itri.org.tw>
-Cc: de Melo <acme@conectiva.com.br>
-Cc: Gustavo Niemeyer <niemeyer@conectiva.com>
-Cc: linux-wireless@vger.kernel.org
-Cc: netdev@vger.kernel.org
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org
-Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++----------
- 1 file changed, 12 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
-index cfde9b94b4b60..78c89e6421f97 100644
---- a/drivers/net/wireless/wl3501_cs.c
-+++ b/drivers/net/wireless/wl3501_cs.c
-@@ -133,8 +133,8 @@ static const struct {
-
- /**
- * iw_valid_channel - validate channel in regulatory domain
-- * @reg_comain - regulatory domain
-- * @channel - channel to validate
-+ * @reg_comain: regulatory domain
-+ * @channel: channel to validate
- *
- * Returns 0 if invalid in the specified regulatory domain, non-zero if valid.
- */
-@@ -153,7 +153,7 @@ static int iw_valid_channel(int reg_domain, int channel)
-
- /**
- * iw_default_channel - get default channel for a regulatory domain
-- * @reg_comain - regulatory domain
-+ * @reg_domain: regulatory domain
- *
- * Returns the default channel for a regulatory domain
- */
-@@ -236,6 +236,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this)
-
- /**
- * wl3501_set_to_wla - Move 'size' bytes from PC to card
-+ * @this: Card
- * @dest: Card addressing space
- * @src: PC addressing space
- * @size: Bytes to move
-@@ -258,6 +259,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src,
-
- /**
- * wl3501_get_from_wla - Move 'size' bytes from card to PC
-+ * @this: Card
- * @src: Card addressing space
- * @dest: PC addressing space
- * @size: Bytes to move
-@@ -454,7 +456,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend)
-
- /**
- * wl3501_send_pkt - Send a packet.
-- * @this - card
-+ * @this: Card
- *
- * Send a packet.
- *
-@@ -722,7 +724,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
-
- /**
- * wl3501_block_interrupt - Mask interrupt from SUTRO
-- * @this - card
-+ * @this: Card
- *
- * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST)
- * Return: 1 if interrupt is originally enabled
-@@ -739,7 +741,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this)
-
- /**
- * wl3501_unblock_interrupt - Enable interrupt from SUTRO
-- * @this - card
-+ * @this: Card
- *
- * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST)
- * Return: 1 if interrupt is originally enabled
-@@ -1113,8 +1115,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this)
-
- /**
- * wl3501_interrupt - Hardware interrupt from card.
-- * @irq - Interrupt number
-- * @dev_id - net_device
-+ * @irq: Interrupt number
-+ * @dev_id: net_device
- *
- * We must acknowledge the interrupt as soon as possible, and block the
- * interrupt from the same card immediately to prevent re-entry.
-@@ -1252,7 +1254,7 @@ static int wl3501_close(struct net_device *dev)
-
- /**
- * wl3501_reset - Reset the SUTRO.
-- * @dev - network device
-+ * @dev: network device
- *
- * It is almost the same as wl3501_open(). In fact, we may just wl3501_close()
- * and wl3501_open() again, but I wouldn't like to free_irq() when the driver
-@@ -1415,7 +1417,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev)
-
- /**
- * wl3501_detach - deletes a driver "instance"
-- * @link - FILL_IN
-+ * @link: FILL_IN
- *
- * This deletes a driver "instance". The device is de-registered with Card
- * Services. If it has been released, all local data structures are freed.
---
-2.39.2
-
+++ /dev/null
-From 95fa0eae9a65ac7aa9641b6c3e2e2baa5a405801 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 2 Nov 2020 11:23:53 +0000
-Subject: wl3501_cs: Fix misspelling and provide missing documentation
-
-From: Lee Jones <lee.jones@linaro.org>
-
-[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ]
-
-Fixes the following W=1 kernel build warning(s):
-
- In file included from drivers/net/wireless/wl3501_cs.c:57:
- drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel'
- drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel'
- drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt'
- drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt'
-
-Cc: Kalle Valo <kvalo@codeaurora.org>
-Cc: "David S. Miller" <davem@davemloft.net>
-Cc: Jakub Kicinski <kuba@kernel.org>
-Cc: Fox Chen <mhchen@golf.ccl.itri.org.tw>
-Cc: de Melo <acme@conectiva.com.br>
-Cc: Gustavo Niemeyer <niemeyer@conectiva.com>
-Cc: linux-wireless@vger.kernel.org
-Cc: netdev@vger.kernel.org
-Signed-off-by: Lee Jones <lee.jones@linaro.org>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org
-Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/wl3501_cs.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
-index 5b2383270627c..c6d1a320e244f 100644
---- a/drivers/net/wireless/wl3501_cs.c
-+++ b/drivers/net/wireless/wl3501_cs.c
-@@ -133,7 +133,7 @@ static const struct {
-
- /**
- * iw_valid_channel - validate channel in regulatory domain
-- * @reg_comain: regulatory domain
-+ * @reg_domain: regulatory domain
- * @channel: channel to validate
- *
- * Returns 0 if invalid in the specified regulatory domain, non-zero if valid.
-@@ -457,11 +457,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend)
- /**
- * wl3501_send_pkt - Send a packet.
- * @this: Card
-- *
-- * Send a packet.
-- *
-- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr,
-+ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr,
- * data[6] - data[11] is Src MAC Addr)
-+ * @len: Packet length
- * Ref: IEEE 802.11
- */
- static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
---
-2.39.2
-
+++ /dev/null
-From 21a78f971fc1457d7cca18d3b669df8c9ebe7e89 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 26 Sep 2020 18:45:58 +0100
-Subject: wl3501_cs: Remove unnecessary NULL check
-
-From: Alex Dewar <alex.dewar90@gmail.com>
-
-[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ]
-
-In wl3501_detach(), link->priv is checked for a NULL value before being
-passed to free_netdev(). However, it cannot be NULL at this point as it
-has already been passed to other functions, so just remove the check.
-
-Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL)
-Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com
-Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/wl3501_cs.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
-index 78c89e6421f97..5b2383270627c 100644
---- a/drivers/net/wireless/wl3501_cs.c
-+++ b/drivers/net/wireless/wl3501_cs.c
-@@ -1438,9 +1438,7 @@ static void wl3501_detach(struct pcmcia_device *link)
- wl3501_release(link);
-
- unregister_netdev(dev);
--
-- if (link->priv)
-- free_netdev(link->priv);
-+ free_netdev(dev);
- }
-
- static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info,
---
-2.39.2
-
+++ /dev/null
-From 377134b648d92ee9684576ff1522558cbf0c7a5e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 18 Oct 2021 16:50:20 -0700
-Subject: wl3501_cs: use eth_hw_addr_set()
-
-From: Jakub Kicinski <kuba@kernel.org>
-
-[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ]
-
-Commit 406f42fa0d3c ("net-next: When a bond have a massive amount
-of VLANs...") introduced a rbtree for faster Ethernet address look
-up. To maintain netdev->dev_addr in this tree we need to make all
-the writes to it got through appropriate helpers.
-
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org
-Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/wl3501_cs.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
-index c6d1a320e244f..46188a83d8be8 100644
---- a/drivers/net/wireless/wl3501_cs.c
-+++ b/drivers/net/wireless/wl3501_cs.c
-@@ -1946,8 +1946,7 @@ static int wl3501_config(struct pcmcia_device *link)
- goto failed;
- }
-
-- for (i = 0; i < 6; i++)
-- dev->dev_addr[i] = ((char *)&this->mac_addr)[i];
-+ eth_hw_addr_set(dev, this->mac_addr);
-
- /* print probe information */
- printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, "
---
-2.39.2
-
+++ /dev/null
-From afa4bb778e48d79e4a642ed41e3b4e0de7489a6c Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Fri, 23 Jun 2023 12:08:14 -0700
-Subject: workqueue: clean up WORK_* constant types, clarify masking
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit afa4bb778e48d79e4a642ed41e3b4e0de7489a6c upstream.
-
-Dave Airlie reports that gcc-13.1.1 has started complaining about some
-of the workqueue code in 32-bit arm builds:
-
- kernel/workqueue.c: In function ‘get_work_pwq’:
- kernel/workqueue.c:713:24: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
- 713 | return (void *)(data & WORK_STRUCT_WQ_DATA_MASK);
- | ^
- [ ... a couple of other cases ... ]
-
-and while it's not immediately clear exactly why gcc started complaining
-about it now, I suspect it's some C23-induced enum type handlign fixup in
-gcc-13 is the cause.
-
-Whatever the reason for starting to complain, the code and data types
-are indeed disgusting enough that the complaint is warranted.
-
-The wq code ends up creating various "helper constants" (like that
-WORK_STRUCT_WQ_DATA_MASK) using an enum type, which is all kinds of
-confused. The mask needs to be 'unsigned long', not some unspecified
-enum type.
-
-To make matters worse, the actual "mask and cast to a pointer" is
-repeated a couple of times, and the cast isn't even always done to the
-right pointer, but - as the error case above - to a 'void *' with then
-the compiler finishing the job.
-
-That's now how we roll in the kernel.
-
-So create the masks using the proper types rather than some ambiguous
-enumeration, and use a nice helper that actually does the type
-conversion in one well-defined place.
-
-Incidentally, this magically makes clang generate better code. That,
-admittedly, is really just a sign of clang having been seriously
-confused before, and cleaning up the typing unconfuses the compiler too.
-
-Reported-by: Dave Airlie <airlied@gmail.com>
-Link: https://lore.kernel.org/lkml/CAPM=9twNnV4zMCvrPkw3H-ajZOH-01JVh_kDrxdPYQErz8ZTdA@mail.gmail.com/
-Cc: Arnd Bergmann <arnd@arndb.de>
-Cc: Tejun Heo <tj@kernel.org>
-Cc: Nick Desaulniers <ndesaulniers@google.com>
-Cc: Nathan Chancellor <nathan@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/workqueue.h | 15 ++++++++-------
- kernel/workqueue.c | 13 ++++++++-----
- 2 files changed, 16 insertions(+), 12 deletions(-)
-
---- a/include/linux/workqueue.h
-+++ b/include/linux/workqueue.h
-@@ -73,7 +73,6 @@ enum {
- WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT,
-
- __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE,
-- WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING),
-
- /*
- * When a work item is off queue, its high bits point to the last
-@@ -84,12 +83,6 @@ enum {
- WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_BASE + WORK_OFFQ_FLAG_BITS,
- WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT,
- WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31,
-- WORK_OFFQ_POOL_NONE = (1LU << WORK_OFFQ_POOL_BITS) - 1,
--
-- /* convenience constants */
-- WORK_STRUCT_FLAG_MASK = (1UL << WORK_STRUCT_FLAG_BITS) - 1,
-- WORK_STRUCT_WQ_DATA_MASK = ~WORK_STRUCT_FLAG_MASK,
-- WORK_STRUCT_NO_POOL = (unsigned long)WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT,
-
- /* bit mask for work_busy() return values */
- WORK_BUSY_PENDING = 1 << 0,
-@@ -99,6 +92,14 @@ enum {
- WORKER_DESC_LEN = 24,
- };
-
-+/* Convenience constants - of type 'unsigned long', not 'enum'! */
-+#define WORK_OFFQ_CANCELING (1ul << __WORK_OFFQ_CANCELING)
-+#define WORK_OFFQ_POOL_NONE ((1ul << WORK_OFFQ_POOL_BITS) - 1)
-+#define WORK_STRUCT_NO_POOL (WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT)
-+
-+#define WORK_STRUCT_FLAG_MASK ((1ul << WORK_STRUCT_FLAG_BITS) - 1)
-+#define WORK_STRUCT_WQ_DATA_MASK (~WORK_STRUCT_FLAG_MASK)
-+
- struct work_struct {
- atomic_long_t data;
- struct list_head entry;
---- a/kernel/workqueue.c
-+++ b/kernel/workqueue.c
-@@ -680,12 +680,17 @@ static void clear_work_data(struct work_
- set_work_data(work, WORK_STRUCT_NO_POOL, 0);
- }
-
-+static inline struct pool_workqueue *work_struct_pwq(unsigned long data)
-+{
-+ return (struct pool_workqueue *)(data & WORK_STRUCT_WQ_DATA_MASK);
-+}
-+
- static struct pool_workqueue *get_work_pwq(struct work_struct *work)
- {
- unsigned long data = atomic_long_read(&work->data);
-
- if (data & WORK_STRUCT_PWQ)
-- return (void *)(data & WORK_STRUCT_WQ_DATA_MASK);
-+ return work_struct_pwq(data);
- else
- return NULL;
- }
-@@ -713,8 +718,7 @@ static struct worker_pool *get_work_pool
- assert_rcu_or_pool_mutex();
-
- if (data & WORK_STRUCT_PWQ)
-- return ((struct pool_workqueue *)
-- (data & WORK_STRUCT_WQ_DATA_MASK))->pool;
-+ return work_struct_pwq(data)->pool;
-
- pool_id = data >> WORK_OFFQ_POOL_SHIFT;
- if (pool_id == WORK_OFFQ_POOL_NONE)
-@@ -735,8 +739,7 @@ static int get_work_pool_id(struct work_
- unsigned long data = atomic_long_read(&work->data);
-
- if (data & WORK_STRUCT_PWQ)
-- return ((struct pool_workqueue *)
-- (data & WORK_STRUCT_WQ_DATA_MASK))->pool->id;
-+ return work_struct_pwq(data)->pool->id;
-
- return data >> WORK_OFFQ_POOL_SHIFT;
- }
+++ /dev/null
-From f9c9987bf52f4e42e940ae217333ebb5a4c3b506 Mon Sep 17 00:00:00 2001
-From: Thomas Gleixner <tglx@linutronix.de>
-Date: Thu, 15 Jun 2023 22:33:55 +0200
-Subject: x86/smp: Use dedicated cache-line for mwait_play_dead()
-
-From: Thomas Gleixner <tglx@linutronix.de>
-
-commit f9c9987bf52f4e42e940ae217333ebb5a4c3b506 upstream.
-
-Monitoring idletask::thread_info::flags in mwait_play_dead() has been an
-obvious choice as all what is needed is a cache line which is not written
-by other CPUs.
-
-But there is a use case where a "dead" CPU needs to be brought out of
-MWAIT: kexec().
-
-This is required as kexec() can overwrite text, pagetables, stacks and the
-monitored cacheline of the original kernel. The latter causes MWAIT to
-resume execution which obviously causes havoc on the kexec kernel which
-results usually in triple faults.
-
-Use a dedicated per CPU storage to prepare for that.
-
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Ashok Raj <ashok.raj@intel.com>
-Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230615193330.434553750@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/smpboot.c | 24 ++++++++++++++----------
- 1 file changed, 14 insertions(+), 10 deletions(-)
-
---- a/arch/x86/kernel/smpboot.c
-+++ b/arch/x86/kernel/smpboot.c
-@@ -96,6 +96,17 @@ DEFINE_PER_CPU_READ_MOSTLY(cpumask_var_t
- DEFINE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info);
- EXPORT_PER_CPU_SYMBOL(cpu_info);
-
-+struct mwait_cpu_dead {
-+ unsigned int control;
-+ unsigned int status;
-+};
-+
-+/*
-+ * Cache line aligned data for mwait_play_dead(). Separate on purpose so
-+ * that it's unlikely to be touched by other CPUs.
-+ */
-+static DEFINE_PER_CPU_ALIGNED(struct mwait_cpu_dead, mwait_cpu_dead);
-+
- /* Logical package management. We might want to allocate that dynamically */
- unsigned int __max_logical_packages __read_mostly;
- EXPORT_SYMBOL(__max_logical_packages);
-@@ -1594,10 +1605,10 @@ static bool wakeup_cpu0(void)
- */
- static inline void mwait_play_dead(void)
- {
-+ struct mwait_cpu_dead *md = this_cpu_ptr(&mwait_cpu_dead);
- unsigned int eax, ebx, ecx, edx;
- unsigned int highest_cstate = 0;
- unsigned int highest_subcstate = 0;
-- void *mwait_ptr;
- int i;
-
- if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
-@@ -1631,13 +1642,6 @@ static inline void mwait_play_dead(void)
- (highest_subcstate - 1);
- }
-
-- /*
-- * This should be a memory location in a cache line which is
-- * unlikely to be touched by other processors. The actual
-- * content is immaterial as it is not actually modified in any way.
-- */
-- mwait_ptr = ¤t_thread_info()->flags;
--
- wbinvd();
-
- while (1) {
-@@ -1649,9 +1653,9 @@ static inline void mwait_play_dead(void)
- * case where we return around the loop.
- */
- mb();
-- clflush(mwait_ptr);
-+ clflush(md);
- mb();
-- __monitor(mwait_ptr, 0, 0);
-+ __monitor(md, 0, 0);
- mb();
- __mwait(eax, 0);
- /*
+++ /dev/null
-From bc8d5916541fa19ca5bc598eb51a5f78eb891a36 Mon Sep 17 00:00:00 2001
-From: Max Filippov <jcmvbkbc@gmail.com>
-Date: Mon, 3 Jul 2023 11:01:42 -0700
-Subject: xtensa: ISS: fix call to split_if_spec
-
-From: Max Filippov <jcmvbkbc@gmail.com>
-
-commit bc8d5916541fa19ca5bc598eb51a5f78eb891a36 upstream.
-
-split_if_spec expects a NULL-pointer as an end marker for the argument
-list, but tuntap_probe never supplied that terminating NULL. As a result
-incorrectly formatted interface specification string may cause a crash
-because of the random memory access. Fix that by adding NULL terminator
-to the split_if_spec argument list.
-
-Cc: stable@vger.kernel.org
-Fixes: 7282bee78798 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 8")
-Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/xtensa/platforms/iss/network.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/arch/xtensa/platforms/iss/network.c
-+++ b/arch/xtensa/platforms/iss/network.c
-@@ -236,7 +236,7 @@ static int tuntap_probe(struct iss_net_p
-
- init += sizeof(TRANSPORT_TUNTAP_NAME) - 1;
- if (*init == ',') {
-- rem = split_if_spec(init + 1, &mac_str, &dev_name);
-+ rem = split_if_spec(init + 1, &mac_str, &dev_name, NULL);
- if (rem != NULL) {
- pr_err("%s: extra garbage on specification : '%s'\n",
- dev->name, rem);
projects / thirdparty / kernel / stable-queue.git / commitdiff
