From: Greg Kroah-Hartman Date: Mon, 24 Jul 2023 17:07:58 +0000 (+0200) Subject: drop some 4.19 patches X-Git-Tag: v5.15.122~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95af05916624ab370028cafd4972dafc0efbfbbb;p=thirdparty%2Fkernel%2Fstable-queue.git drop some 4.19 patches --- diff --git a/queue-4.19/add-module_firmware-for-firmware_tg357766.patch b/queue-4.19/add-module_firmware-for-firmware_tg357766.patch deleted file mode 100644 index fef2c046b88..00000000000 --- a/queue-4.19/add-module_firmware-for-firmware_tg357766.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 06b2af89868e7ffc5fbed8aa5384da72c03ce22f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Jun 2023 02:13:32 +0200 -Subject: Add MODULE_FIRMWARE() for FIRMWARE_TG357766. - -From: Tobias Heider - -[ Upstream commit 046f753da6143ee16452966915087ec8b0de3c70 ] - -Fixes a bug where on the M1 mac mini initramfs-tools fails to -include the necessary firmware into the initrd. - -Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware") -Signed-off-by: Tobias Heider -Reviewed-by: Michael Chan -Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/broadcom/tg3.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c -index 2cf144bbef3ee..43b83a3a28049 100644 ---- a/drivers/net/ethernet/broadcom/tg3.c -+++ b/drivers/net/ethernet/broadcom/tg3.c -@@ -235,6 +235,7 @@ MODULE_DESCRIPTION("Broadcom Tigon3 ethernet driver"); - MODULE_LICENSE("GPL"); - MODULE_VERSION(DRV_MODULE_VERSION); - MODULE_FIRMWARE(FIRMWARE_TG3); -+MODULE_FIRMWARE(FIRMWARE_TG357766); - MODULE_FIRMWARE(FIRMWARE_TG3TSO); - MODULE_FIRMWARE(FIRMWARE_TG3TSO5); - --- -2.39.2 - diff --git a/queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch deleted file mode 100644 index 1481eceac82..00000000000 --- a/queue-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch +++ /dev/null @@ -1,42 +0,0 @@ -From ef191039261e6299d0524a779176e2161f7e34a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 10:17:32 +0800 -Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer - -From: Su Hui - -[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ] - -smatch error: -sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error: -we previously assumed 'rac97' could be null (see line 2072) - -remove redundant assignment, return error if rac97 is NULL. - -Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*") -Signed-off-by: Su Hui -Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/pci/ac97/ac97_codec.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c -index a276c4283c7bb..3f13666a01904 100644 ---- a/sound/pci/ac97/ac97_codec.c -+++ b/sound/pci/ac97/ac97_codec.c -@@ -2026,8 +2026,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template, - .dev_disconnect = snd_ac97_dev_disconnect, - }; - -- if (rac97) -- *rac97 = NULL; -+ if (!rac97) -+ return -EINVAL; - if (snd_BUG_ON(!bus || !template)) - return -EINVAL; - if (snd_BUG_ON(template->num >= 4)) --- -2.39.2 - diff --git a/queue-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch b/queue-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch deleted file mode 100644 index ab6baadf7e5..00000000000 --- a/queue-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 95c1235b2f413d5838e5f37cb1b8895436d3505c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 6 Jul 2023 17:53:57 +0200 -Subject: ALSA: jack: Fix mutex call in snd_jack_report() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Takashi Iwai - -[ Upstream commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 ] - -snd_jack_report() is supposed to be callable from an IRQ context, too, -and it's indeed used in that way from virtsnd driver. The fix for -input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev -under mutex"), however, introduced a mutex lock in snd_jack_report(), -and this resulted in a potential sleep-in-atomic. - -For addressing that problem, this patch changes the relevant code to -use the object get/put and removes the mutex usage. That is, -snd_jack_report(), it takes input_get_device() and leaves with -input_put_device() for assuring the input_dev being assigned. - -Although the whole mutex could be reduced, we keep it because it can -be still a protection for potential races between creation and -deletion. - -Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") -Reported-by: Dan Carpenter -Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain -Tested-by: Amadeusz Sławiński -Cc: -Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de -Signed-off-by: Takashi Iwai -Signed-off-by: Sasha Levin ---- - sound/core/jack.c | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/sound/core/jack.c b/sound/core/jack.c -index 074b15fcb0ac4..06e0fc7b64179 100644 ---- a/sound/core/jack.c -+++ b/sound/core/jack.c -@@ -378,6 +378,7 @@ void snd_jack_report(struct snd_jack *jack, int status) - { - struct snd_jack_kctl *jack_kctl; - #ifdef CONFIG_SND_JACK_INPUT_DEV -+ struct input_dev *idev; - int i; - #endif - -@@ -389,30 +390,28 @@ void snd_jack_report(struct snd_jack *jack, int status) - status & jack_kctl->mask_bits); - - #ifdef CONFIG_SND_JACK_INPUT_DEV -- mutex_lock(&jack->input_dev_lock); -- if (!jack->input_dev) { -- mutex_unlock(&jack->input_dev_lock); -+ idev = input_get_device(jack->input_dev); -+ if (!idev) - return; -- } - - for (i = 0; i < ARRAY_SIZE(jack->key); i++) { - int testbit = SND_JACK_BTN_0 >> i; - - if (jack->type & testbit) -- input_report_key(jack->input_dev, jack->key[i], -+ input_report_key(idev, jack->key[i], - status & testbit); - } - - for (i = 0; i < ARRAY_SIZE(jack_switch_types); i++) { - int testbit = 1 << i; - if (jack->type & testbit) -- input_report_switch(jack->input_dev, -+ input_report_switch(idev, - jack_switch_types[i], - status & testbit); - } - -- input_sync(jack->input_dev); -- mutex_unlock(&jack->input_dev_lock); -+ input_sync(idev); -+ input_put_device(idev); - #endif /* CONFIG_SND_JACK_INPUT_DEV */ - } - EXPORT_SYMBOL(snd_jack_report); --- -2.39.2 - diff --git a/queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch deleted file mode 100644 index e31faaea748..00000000000 --- a/queue-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch +++ /dev/null @@ -1,62 +0,0 @@ -From ad8837c42c62766fa3f8dfe3b124485fc46c71a2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 12 Jun 2023 00:50:50 +0900 -Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ - guard - -From: Masahiro Yamada - -[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ] - -ASM_NL is useful not only in *.S files but also in .c files for using -inline assembler in C code. - -On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to -a backquote (`) in *.S files, but a semicolon (;) in *.c files because -arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__, -so the definition for C code falls back to the default value defined in -include/linux/linkage.h. - -If ASM_NL is used in inline assembler in .c files, it will result in -wrong assembly code because a semicolon is not an instruction separator, -but the start of a comment for ARC. - -Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef. - -Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro") -Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC") -Signed-off-by: Masahiro Yamada -Signed-off-by: Sasha Levin ---- - arch/arc/include/asm/linkage.h | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h -index f3d29d4840d58..b89ca8b4d5975 100644 ---- a/arch/arc/include/asm/linkage.h -+++ b/arch/arc/include/asm/linkage.h -@@ -11,6 +11,10 @@ - - #include - -+#define ASM_NL ` /* use '`' to mark new line in macro */ -+#define __ALIGN .align 4 -+#define __ALIGN_STR __stringify(__ALIGN) -+ - #ifdef __ASSEMBLY__ - - .macro ST2 e, o, off -@@ -31,10 +35,6 @@ - #endif - .endm - --#define ASM_NL ` /* use '`' to mark new line in macro */ --#define __ALIGN .align 4 --#define __ALIGN_STR __stringify(__ALIGN) -- - /* annotation for data we want in DCCM - if enabled in .config */ - .macro ARCFP_DATA nm - #ifdef CONFIG_ARC_HAS_DCCM --- -2.39.2 - diff --git a/queue-4.19/arcv2-entry-avoid-a-branch.patch b/queue-4.19/arcv2-entry-avoid-a-branch.patch deleted file mode 100644 index 77768c453b6..00000000000 --- a/queue-4.19/arcv2-entry-avoid-a-branch.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 75acdde2ef23456085ec596574a650610356060a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 10 May 2019 16:24:15 -0700 -Subject: ARCv2: entry: avoid a branch - -From: Vineet Gupta - -[ Upstream commit ab854bfcd310b5872fe12eb8d3f2c30fe427f8f7 ] - -Signed-off-by: Vineet Gupta -Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") -Signed-off-by: Sasha Levin ---- - arch/arc/include/asm/entry-arcv2.h | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h -index 3209a67629606..beaf655666cbd 100644 ---- a/arch/arc/include/asm/entry-arcv2.h -+++ b/arch/arc/include/asm/entry-arcv2.h -@@ -100,12 +100,11 @@ - ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), - ; but on return, restored only if U mode - -+ lr r9, [AUX_USER_SP] ; U mode SP -+ - mov.nz r9, sp - add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP -- bnz 1f - -- lr r9, [AUX_USER_SP] ; U mode SP --1: - PUSH r9 ; SP (pt_regs->sp) - - PUSH fp --- -2.39.2 - diff --git a/queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch b/queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch deleted file mode 100644 index 59f7315a690..00000000000 --- a/queue-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch +++ /dev/null @@ -1,158 +0,0 @@ -From d101114608fd77f1804cd33e13286d0ff46f7084 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 Apr 2019 16:55:15 -0700 -Subject: ARCv2: entry: comments about hardware auto-save on taken interrupts - -From: Vineet Gupta - -[ Upstream commit 45869eb0c0afd72bd5ab2437d4b00915697c044a ] - -Signed-off-by: Vineet Gupta -Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") -Signed-off-by: Sasha Levin ---- - arch/arc/include/asm/entry-arcv2.h | 78 ++++++++++++++++++++++++------ - 1 file changed, 62 insertions(+), 16 deletions(-) - -diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h -index 225e7df2d8ed8..1c3520d1fa420 100644 ---- a/arch/arc/include/asm/entry-arcv2.h -+++ b/arch/arc/include/asm/entry-arcv2.h -@@ -7,15 +7,54 @@ - #include - #include /* For THREAD_SIZE */ - -+/* -+ * Interrupt/Exception stack layout (pt_regs) for ARCv2 -+ * (End of struct aligned to end of page [unless nested]) -+ * -+ * INTERRUPT EXCEPTION -+ * -+ * manual --------------------- manual -+ * | orig_r0 | -+ * | event/ECR | -+ * | bta | -+ * | user_r25 | -+ * | gp | -+ * | fp | -+ * | sp | -+ * | r12 | -+ * | r30 | -+ * | r58 | -+ * | r59 | -+ * hw autosave --------------------- -+ * optional | r0 | -+ * | r1 | -+ * ~ ~ -+ * | r9 | -+ * | r10 | -+ * | r11 | -+ * | blink | -+ * | lpe | -+ * | lps | -+ * | lpc | -+ * | ei base | -+ * | ldi base | -+ * | jli base | -+ * --------------------- -+ * hw autosave | pc / eret | -+ * mandatory | stat32 / erstatus | -+ * --------------------- -+ */ -+ - /*------------------------------------------------------------------------*/ - .macro INTERRUPT_PROLOGUE called_from -- -- ; Before jumping to Interrupt Vector, hardware micro-ops did following: -+ ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following: - ; 1. SP auto-switched to kernel mode stack -- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1, K:0) -- ; 3. Auto saved: r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI, PC, STAT32 -+ ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0) -+ ; 3. Auto save: (mandatory) Push PC and STAT32 on stack -+ ; hardware does even if CONFIG_ARC_IRQ_NO_AUTOSAVE -+ ; 4. Auto save: (optional) r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI - ; -- ; Now manually save: r12, sp, fp, gp, r25 -+ ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair - - #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE - .ifnc \called_from, exception -@@ -57,14 +96,17 @@ - ; - U mode: retrieve it from AUX_USER_SP - ; - K mode: add the offset from current SP where H/w starts auto push - ; -- ; Utilize the fact that Z bit is set if Intr taken in U mode -+ ; 1. Utilize the fact that Z bit is set if Intr taken in U mode -+ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), -+ ; but on return, restored only if U mode -+ - mov.nz r9, sp -- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 -+ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP - bnz 1f - -- lr r9, [AUX_USER_SP] -+ lr r9, [AUX_USER_SP] ; U mode SP - 1: -- PUSH r9 ; SP -+ PUSH r9 ; SP (pt_regs->sp) - - PUSH fp - PUSH gp -@@ -85,6 +127,8 @@ - /*------------------------------------------------------------------------*/ - .macro INTERRUPT_EPILOGUE called_from - -+ ; INPUT: r0 has STAT32 of calling context -+ ; INPUT: Z flag set if returning to K mode - .ifnc \called_from, exception - add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss - .endif -@@ -98,9 +142,10 @@ - POP gp - POP fp - -- ; Don't touch AUX_USER_SP if returning to K mode (Z bit set) -- ; (Z bit set on K mode is inverse of INTERRUPT_PROLOGUE) -- add.z sp, sp, 4 -+ ; Restore SP (into AUX_USER_SP) only if returning to U mode -+ ; - for K mode, it will be implicitly restored as stack is unwound -+ ; - Z flag set on K is inverse of what hardware does on interrupt entry -+ ; but that doesn't really matter - bz 1f - - POPAX AUX_USER_SP -@@ -145,11 +190,11 @@ - /*------------------------------------------------------------------------*/ - .macro EXCEPTION_PROLOGUE - -- ; Before jumping to Exception Vector, hardware micro-ops did following: -+ ; (A) Before jumping to Exception Vector, hardware micro-ops did following: - ; 1. SP auto-switched to kernel mode stack -- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1,K:0) -+ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) - ; -- ; Now manually save the complete reg file -+ ; (B) Manually save the complete reg file below - - PUSH r9 ; freeup a register: slot of erstatus - -@@ -195,12 +240,13 @@ - PUSHAX ecr ; r9 contains ECR, expected by EV_Trap - - PUSH r0 ; orig_r0 -+ ; OUTPUT: r9 has ECR - .endm - - /*------------------------------------------------------------------------*/ - .macro EXCEPTION_EPILOGUE - -- ; Assumes r0 has PT_status32 -+ ; INPUT: r0 has STAT32 of calling context - btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE - - add sp, sp, 8 ; orig_r0/ECR don't need restoring --- -2.39.2 - diff --git a/queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch b/queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch deleted file mode 100644 index 652387be135..00000000000 --- a/queue-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch +++ /dev/null @@ -1,89 +0,0 @@ -From e4c727839b77a24016fb973f42e27538b4d5f0b9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 Apr 2019 19:16:37 -0700 -Subject: ARCv2: entry: push out the Z flag unclobber from common - EXCEPTION_PROLOGUE - -From: Vineet Gupta - -[ Upstream commit 23c0cbd0c75c3b564850294427fd2be2bc2a015b ] - -Upon a taken interrupt/exception from User mode, HS hardware auto sets Z flag. -This helps shave a few instructions from EXCEPTION_PROLOGUE by eliding -re-reading ERSTATUS and some bit fiddling. - -However TLB Miss Exception handler can clobber the CPU flags and still end -up in EXCEPTION_PROLOGUE in the slow path handling TLB handling case: - - EV_TLBMissD - do_slow_path_pf - EV_TLBProtV (aliased to call_do_page_fault) - EXCEPTION_PROLOGUE - -As a result, EXCEPTION_PROLOGUE need to "unclobber" the Z flag which this -patch changes. It is now pushed out to TLB Miss Exception handler. -The reasons beings: - - - The flag restoration is only needed for slowpath TLB Miss Exception - handling, but currently being in EXCEPTION_PROLOGUE penalizes all - exceptions such as ProtV and syscall Trap, where Z flag is already - as expected. - - - Pushing unclobber out to where it was clobbered is much cleaner and - also serves to document the fact. - - - Makes EXCEPTION_PROLGUE similar to INTERRUPT_PROLOGUE so easier to - refactor the common parts which is what this series aims to do - -Signed-off-by: Vineet Gupta -Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") -Signed-off-by: Sasha Levin ---- - arch/arc/include/asm/entry-arcv2.h | 8 -------- - arch/arc/mm/tlbex.S | 11 +++++++++++ - 2 files changed, 11 insertions(+), 8 deletions(-) - -diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h -index 1c3520d1fa420..3209a67629606 100644 ---- a/arch/arc/include/asm/entry-arcv2.h -+++ b/arch/arc/include/asm/entry-arcv2.h -@@ -225,14 +225,6 @@ - - ; -- for interrupts, regs above are auto-saved by h/w in that order -- - ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25) -- ; -- ; Set Z flag if this was from U mode (expected by INTERRUPT_PROLOGUE) -- ; Although H/w exception micro-ops do set Z flag for U mode (just like -- ; for interrupts), it could get clobbered in case we soft land here from -- ; a TLB Miss exception handler (tlbex.S) -- -- and r10, r10, STATUS_U_MASK -- xor.f 0, r10, STATUS_U_MASK - - INTERRUPT_PROLOGUE exception - -diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S -index 0e1e47a67c736..e50cac799a518 100644 ---- a/arch/arc/mm/tlbex.S -+++ b/arch/arc/mm/tlbex.S -@@ -396,6 +396,17 @@ EV_TLBMissD_fast_ret: ; additional label for VDK OS-kit instrumentation - ;-------- Common routine to call Linux Page Fault Handler ----------- - do_slow_path_pf: - -+#ifdef CONFIG_ISA_ARCV2 -+ ; Set Z flag if exception in U mode. Hardware micro-ops do this on any -+ ; taken interrupt/exception, and thus is already the case at the entry -+ ; above, but ensuing code would have already clobbered. -+ ; EXCEPTION_PROLOGUE called in slow path, relies on correct Z flag set -+ -+ lr r2, [erstatus] -+ and r2, r2, STATUS_U_MASK -+ bxor.f 0, r2, STATUS_U_BIT -+#endif -+ - ; Restore the 4-scratch regs saved by fast path miss handler - TLBMISS_RESTORE_REGS - --- -2.39.2 - diff --git a/queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch b/queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch deleted file mode 100644 index 84b7ea115f7..00000000000 --- a/queue-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch +++ /dev/null @@ -1,466 +0,0 @@ -From d0fb99fc001ef3d140785f937db576f9b135eadd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 May 2019 15:36:46 -0700 -Subject: ARCv2: entry: rewrite to enable use of double load/stores LDD/STD - -From: Vineet Gupta - -[ Upstream commit a4880801a72ecc2dcdfa432f81a754f3e7438567 ] - - - the motivation was to be remove blatent copy-paste due to hasty support - of CONFIG_ARC_IRQ_NO_AUTOSAVE support - - - but with refactoring we could use LDD/STD to greatly optimize the code - -Signed-off-by: Vineet Gupta -Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") -Signed-off-by: Sasha Levin ---- - arch/arc/include/asm/entry-arcv2.h | 297 ++++++++++++++--------------- - arch/arc/include/asm/linkage.h | 18 ++ - arch/arc/kernel/asm-offsets.c | 7 + - arch/arc/kernel/entry-arcv2.S | 4 +- - 4 files changed, 167 insertions(+), 159 deletions(-) - -diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h -index beaf655666cbd..0733752ce7fe8 100644 ---- a/arch/arc/include/asm/entry-arcv2.h -+++ b/arch/arc/include/asm/entry-arcv2.h -@@ -46,7 +46,8 @@ - */ - - /*------------------------------------------------------------------------*/ --.macro INTERRUPT_PROLOGUE called_from -+.macro INTERRUPT_PROLOGUE -+ - ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following: - ; 1. SP auto-switched to kernel mode stack - ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0) -@@ -57,39 +58,87 @@ - ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair - - #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE --.ifnc \called_from, exception -- st.as r9, [sp, -10] ; save r9 in it's final stack slot -- sub sp, sp, 12 ; skip JLI, LDI, EI -- -- PUSH lp_count -- PUSHAX lp_start -- PUSHAX lp_end -- PUSH blink -- -- PUSH r11 -- PUSH r10 -- -- sub sp, sp, 4 ; skip r9 -- -- PUSH r8 -- PUSH r7 -- PUSH r6 -- PUSH r5 -- PUSH r4 -- PUSH r3 -- PUSH r2 -- PUSH r1 -- PUSH r0 --.endif --#endif -+ ; carve pt_regs on stack (case #3), PC/STAT32 already on stack -+ sub sp, sp, SZ_PT_REGS - 8 - --#ifdef CONFIG_ARC_HAS_ACCL_REGS -- PUSH r59 -- PUSH r58 -+ __SAVE_REGFILE_HARD -+#else -+ ; carve pt_regs on stack (case #4), which grew partially already -+ sub sp, sp, PT_r0 - #endif - -- PUSH r30 -- PUSH r12 -+ __SAVE_REGFILE_SOFT -+.endm -+ -+/*------------------------------------------------------------------------*/ -+.macro EXCEPTION_PROLOGUE -+ -+ ; (A) Before jumping to Exception Vector, hardware micro-ops did following: -+ ; 1. SP auto-switched to kernel mode stack -+ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) -+ ; -+ ; (B) Manually save the complete reg file below -+ -+ sub sp, sp, SZ_PT_REGS ; carve pt_regs -+ -+ ; _HARD saves r10 clobbered by _SOFT as scratch hence comes first -+ -+ __SAVE_REGFILE_HARD -+ __SAVE_REGFILE_SOFT -+ -+ st r0, [sp] ; orig_r0 -+ -+ lr r10, [eret] -+ lr r11, [erstatus] -+ ST2 r10, r11, PT_ret -+ -+ lr r10, [ecr] -+ lr r11, [erbta] -+ ST2 r10, r11, PT_event -+ mov r9, r10 -+ -+ ; OUTPUT: r9 has ECR -+.endm -+ -+/*------------------------------------------------------------------------ -+ * This macro saves the registers manually which would normally be autosaved -+ * by hardware on taken interrupts. It is used by -+ * - exception handlers (which don't have autosave) -+ * - interrupt autosave disabled due to CONFIG_ARC_IRQ_NO_AUTOSAVE -+ */ -+.macro __SAVE_REGFILE_HARD -+ -+ ST2 r0, r1, PT_r0 -+ ST2 r2, r3, PT_r2 -+ ST2 r4, r5, PT_r4 -+ ST2 r6, r7, PT_r6 -+ ST2 r8, r9, PT_r8 -+ ST2 r10, r11, PT_r10 -+ -+ st blink, [sp, PT_blink] -+ -+ lr r10, [lp_end] -+ lr r11, [lp_start] -+ ST2 r10, r11, PT_lpe -+ -+ st lp_count, [sp, PT_lpc] -+ -+ ; skip JLI, LDI, EI for now -+.endm -+ -+/*------------------------------------------------------------------------ -+ * This macros saves a bunch of other registers which can't be autosaved for -+ * various reasons: -+ * - r12: the last caller saved scratch reg since hardware saves in pairs so r0-r11 -+ * - r30: free reg, used by gcc as scratch -+ * - ACCL/ACCH pair when they exist -+ */ -+.macro __SAVE_REGFILE_SOFT -+ -+ ST2 gp, fp, PT_r26 ; gp (r26), fp (r27) -+ -+ st r12, [sp, PT_sp + 4] -+ st r30, [sp, PT_sp + 8] - - ; Saving pt_regs->sp correctly requires some extra work due to the way - ; Auto stack switch works -@@ -100,46 +149,32 @@ - ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), - ; but on return, restored only if U mode - -- lr r9, [AUX_USER_SP] ; U mode SP -+ lr r10, [AUX_USER_SP] ; U mode SP - -- mov.nz r9, sp -- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP -+ ; ISA requires ADD.nz to have same dest and src reg operands -+ mov.nz r10, sp -+ add.nz r10, r10, SZ_PT_REGS ; K mode SP - -- PUSH r9 ; SP (pt_regs->sp) -- -- PUSH fp -- PUSH gp -+ st r10, [sp, PT_sp] ; SP (pt_regs->sp) - - #ifdef CONFIG_ARC_CURR_IN_REG -- PUSH r25 ; user_r25 -+ st r25, [sp, PT_user_r25] - GET_CURR_TASK_ON_CPU r25 --#else -- sub sp, sp, 4 - #endif - --.ifnc \called_from, exception -- sub sp, sp, 12 ; BTA/ECR/orig_r0 placeholder per pt_regs --.endif -+#ifdef CONFIG_ARC_HAS_ACCL_REGS -+ ST2 r58, r59, PT_sp + 12 -+#endif - - .endm - - /*------------------------------------------------------------------------*/ --.macro INTERRUPT_EPILOGUE called_from -+.macro __RESTORE_REGFILE_SOFT - -- ; INPUT: r0 has STAT32 of calling context -- ; INPUT: Z flag set if returning to K mode --.ifnc \called_from, exception -- add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss --.endif -- --#ifdef CONFIG_ARC_CURR_IN_REG -- POP r25 --#else -- add sp, sp, 4 --#endif -+ LD2 gp, fp, PT_r26 ; gp (r26), fp (r27) - -- POP gp -- POP fp -+ ld r12, [sp, PT_sp + 4] -+ ld r30, [sp, PT_sp + 8] - - ; Restore SP (into AUX_USER_SP) only if returning to U mode - ; - for K mode, it will be implicitly restored as stack is unwound -@@ -147,129 +182,77 @@ - ; but that doesn't really matter - bz 1f - -- POPAX AUX_USER_SP -+ ld r10, [sp, PT_sp] ; SP (pt_regs->sp) -+ sr r10, [AUX_USER_SP] - 1: -- POP r12 -- POP r30 - --#ifdef CONFIG_ARC_HAS_ACCL_REGS -- POP r58 -- POP r59 -+#ifdef CONFIG_ARC_CURR_IN_REG -+ ld r25, [sp, PT_user_r25] - #endif - --#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE --.ifnc \called_from, exception -- POP r0 -- POP r1 -- POP r2 -- POP r3 -- POP r4 -- POP r5 -- POP r6 -- POP r7 -- POP r8 -- POP r9 -- POP r10 -- POP r11 -- -- POP blink -- POPAX lp_end -- POPAX lp_start -- -- POP r9 -- mov lp_count, r9 -- -- add sp, sp, 12 ; skip JLI, LDI, EI -- ld.as r9, [sp, -10] ; reload r9 which got clobbered --.endif -+#ifdef CONFIG_ARC_HAS_ACCL_REGS -+ LD2 r58, r59, PT_sp + 12 - #endif -- - .endm - - /*------------------------------------------------------------------------*/ --.macro EXCEPTION_PROLOGUE -+.macro __RESTORE_REGFILE_HARD - -- ; (A) Before jumping to Exception Vector, hardware micro-ops did following: -- ; 1. SP auto-switched to kernel mode stack -- ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) -- ; -- ; (B) Manually save the complete reg file below -+ ld blink, [sp, PT_blink] - -- PUSH r9 ; freeup a register: slot of erstatus -+ LD2 r10, r11, PT_lpe -+ sr r10, [lp_end] -+ sr r11, [lp_start] - -- PUSHAX eret -- sub sp, sp, 12 ; skip JLI, LDI, EI -- PUSH lp_count -- PUSHAX lp_start -- PUSHAX lp_end -- PUSH blink -+ ld r10, [sp, PT_lpc] ; lp_count can't be target of LD -+ mov lp_count, r10 - -- PUSH r11 -- PUSH r10 -+ LD2 r0, r1, PT_r0 -+ LD2 r2, r3, PT_r2 -+ LD2 r4, r5, PT_r4 -+ LD2 r6, r7, PT_r6 -+ LD2 r8, r9, PT_r8 -+ LD2 r10, r11, PT_r10 -+.endm - -- ld.as r9, [sp, 10] ; load stashed r9 (status32 stack slot) -- lr r10, [erstatus] -- st.as r10, [sp, 10] ; save status32 at it's right stack slot - -- PUSH r9 -- PUSH r8 -- PUSH r7 -- PUSH r6 -- PUSH r5 -- PUSH r4 -- PUSH r3 -- PUSH r2 -- PUSH r1 -- PUSH r0 -+/*------------------------------------------------------------------------*/ -+.macro INTERRUPT_EPILOGUE - -- ; -- for interrupts, regs above are auto-saved by h/w in that order -- -- ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25) -+ ; INPUT: r0 has STAT32 of calling context -+ ; INPUT: Z flag set if returning to K mode - -- INTERRUPT_PROLOGUE exception -+ ; _SOFT clobbers r10 restored by _HARD hence the order - -- PUSHAX erbta -- PUSHAX ecr ; r9 contains ECR, expected by EV_Trap -+ __RESTORE_REGFILE_SOFT -+ -+#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE -+ __RESTORE_REGFILE_HARD -+ add sp, sp, SZ_PT_REGS - 8 -+#else -+ add sp, sp, PT_r0 -+#endif - -- PUSH r0 ; orig_r0 -- ; OUTPUT: r9 has ECR - .endm - - /*------------------------------------------------------------------------*/ - .macro EXCEPTION_EPILOGUE - - ; INPUT: r0 has STAT32 of calling context -- btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE -- -- add sp, sp, 8 ; orig_r0/ECR don't need restoring -- POPAX erbta -- -- INTERRUPT_EPILOGUE exception -- -- POP r0 -- POP r1 -- POP r2 -- POP r3 -- POP r4 -- POP r5 -- POP r6 -- POP r7 -- POP r8 -- POP r9 -- POP r10 -- POP r11 -- -- POP blink -- POPAX lp_end -- POPAX lp_start -- -- POP r9 -- mov lp_count, r9 -- -- add sp, sp, 12 ; skip JLI, LDI, EI -- POPAX eret -- POPAX erstatus -- -- ld.as r9, [sp, -12] ; reload r9 which got clobbered -+ -+ btst r0, STATUS_U_BIT ; Z flag set if K, used in restoring SP -+ -+ ld r10, [sp, PT_event + 4] -+ sr r10, [erbta] -+ -+ LD2 r10, r11, PT_ret -+ sr r10, [eret] -+ sr r11, [erstatus] -+ -+ __RESTORE_REGFILE_SOFT -+ __RESTORE_REGFILE_HARD -+ -+ add sp, sp, SZ_PT_REGS - .endm - - .macro FAKE_RET_FROM_EXCPN -diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h -index 07c8e1a6c56e2..f3d29d4840d58 100644 ---- a/arch/arc/include/asm/linkage.h -+++ b/arch/arc/include/asm/linkage.h -@@ -13,6 +13,24 @@ - - #ifdef __ASSEMBLY__ - -+.macro ST2 e, o, off -+#ifdef CONFIG_ARC_HAS_LL64 -+ std \e, [sp, \off] -+#else -+ st \e, [sp, \off] -+ st \o, [sp, \off+4] -+#endif -+.endm -+ -+.macro LD2 e, o, off -+#ifdef CONFIG_ARC_HAS_LL64 -+ ldd \e, [sp, \off] -+#else -+ ld \e, [sp, \off] -+ ld \o, [sp, \off+4] -+#endif -+.endm -+ - #define ASM_NL ` /* use '`' to mark new line in macro */ - #define __ALIGN .align 4 - #define __ALIGN_STR __stringify(__ALIGN) -diff --git a/arch/arc/kernel/asm-offsets.c b/arch/arc/kernel/asm-offsets.c -index ecaf34e9235c2..e90dccecfd833 100644 ---- a/arch/arc/kernel/asm-offsets.c -+++ b/arch/arc/kernel/asm-offsets.c -@@ -58,7 +58,14 @@ int main(void) - DEFINE(PT_r5, offsetof(struct pt_regs, r5)); - DEFINE(PT_r6, offsetof(struct pt_regs, r6)); - DEFINE(PT_r7, offsetof(struct pt_regs, r7)); -+ DEFINE(PT_r8, offsetof(struct pt_regs, r8)); -+ DEFINE(PT_r10, offsetof(struct pt_regs, r10)); -+ DEFINE(PT_r26, offsetof(struct pt_regs, r26)); - DEFINE(PT_ret, offsetof(struct pt_regs, ret)); -+ DEFINE(PT_blink, offsetof(struct pt_regs, blink)); -+ DEFINE(PT_lpe, offsetof(struct pt_regs, lp_end)); -+ DEFINE(PT_lpc, offsetof(struct pt_regs, lp_count)); -+ DEFINE(PT_user_r25, offsetof(struct pt_regs, user_r25)); - - DEFINE(SZ_CALLEE_REGS, sizeof(struct callee_regs)); - DEFINE(SZ_PT_REGS, sizeof(struct pt_regs)); -diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S -index 562089d62d9d6..6cbf0ee8a20a7 100644 ---- a/arch/arc/kernel/entry-arcv2.S -+++ b/arch/arc/kernel/entry-arcv2.S -@@ -70,7 +70,7 @@ reserved: - - ENTRY(handle_interrupt) - -- INTERRUPT_PROLOGUE irq -+ INTERRUPT_PROLOGUE - - # irq control APIs local_irq_save/restore/disable/enable fiddle with - # global interrupt enable bits in STATUS32 (.IE for 1 prio, .E[] for 2 prio) -@@ -226,7 +226,7 @@ debug_marker_l1: - bset.nz r11, r11, AUX_IRQ_ACT_BIT_U ; NZ means U - sr r11, [AUX_IRQ_ACT] - -- INTERRUPT_EPILOGUE irq -+ INTERRUPT_EPILOGUE - rtie - - ;####### Return from Exception / pure kernel mode ####### --- -2.39.2 - diff --git a/queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch deleted file mode 100644 index eaed1169263..00000000000 --- a/queue-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch +++ /dev/null @@ -1,103 +0,0 @@ -From b648318ddaf8c9c7c7a842d6e3b8fde1d8af0729 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 2 Jun 2023 19:28:42 +0100 -Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings - -From: Arnd Bergmann - -[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ] - -checker_stack_use_t32strd() and kprobe_handler() can be made static since -they are not used from other files, while coverage_start_registers() -and __kprobes_test_case() are used from assembler code, and just need -a declaration to avoid a warning with the global definition. - -arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd' -arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler' -arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers' -arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start' -arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16' -arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32' - -Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions") -Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation") -Acked-by: Masami Hiramatsu (Google) -Reviewed-by: Kees Cook -Signed-off-by: Arnd Bergmann -Signed-off-by: Russell King (Oracle) -Signed-off-by: Sasha Levin ---- - arch/arm/probes/kprobes/checkers-common.c | 2 +- - arch/arm/probes/kprobes/core.c | 2 +- - arch/arm/probes/kprobes/opt-arm.c | 2 -- - arch/arm/probes/kprobes/test-core.c | 2 +- - arch/arm/probes/kprobes/test-core.h | 4 ++++ - 5 files changed, 7 insertions(+), 5 deletions(-) - -diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c -index 971119c294741..aa10e5e46ebb2 100644 ---- a/arch/arm/probes/kprobes/checkers-common.c -+++ b/arch/arm/probes/kprobes/checkers-common.c -@@ -48,7 +48,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn, - * Different from other insn uses imm8, the real addressing offset of - * STRD in T32 encoding should be imm8 * 4. See ARMARM description. - */ --enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, -+static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, - struct arch_probes_insn *asi, - const struct decode_header *h) - { -diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c -index 62da8e2211e4b..0a7090a65bcad 100644 ---- a/arch/arm/probes/kprobes/core.c -+++ b/arch/arm/probes/kprobes/core.c -@@ -239,7 +239,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) - * kprobe, and that level is reserved for user kprobe handlers, so we can't - * risk encountering a new kprobe in an interrupt handler. - */ --void __kprobes kprobe_handler(struct pt_regs *regs) -+static void __kprobes kprobe_handler(struct pt_regs *regs) - { - struct kprobe *p, *cur; - struct kprobe_ctlblk *kcb; -diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c -index cf08cb7267670..1516c340a0766 100644 ---- a/arch/arm/probes/kprobes/opt-arm.c -+++ b/arch/arm/probes/kprobes/opt-arm.c -@@ -158,8 +158,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty) - } - } - --extern void kprobe_handler(struct pt_regs *regs); -- - static void - optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) - { -diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c -index cc237fa9b90fb..1c86c5d980c5b 100644 ---- a/arch/arm/probes/kprobes/test-core.c -+++ b/arch/arm/probes/kprobes/test-core.c -@@ -723,7 +723,7 @@ static const char coverage_register_lookup[16] = { - [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP, - }; - --unsigned coverage_start_registers(const struct decode_header *h) -+static unsigned coverage_start_registers(const struct decode_header *h) - { - unsigned regs = 0; - int i; -diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h -index 94285203e9f74..459ebda077139 100644 ---- a/arch/arm/probes/kprobes/test-core.h -+++ b/arch/arm/probes/kprobes/test-core.h -@@ -456,3 +456,7 @@ void kprobe_thumb32_test_cases(void); - #else - void kprobe_arm_test_cases(void); - #endif -+ -+void __kprobes_test_case_start(void); -+void __kprobes_test_case_end_16(void); -+void __kprobes_test_case_end_32(void); --- -2.39.2 - diff --git a/queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch deleted file mode 100644 index be7310d817f..00000000000 --- a/queue-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 4e52ab7d7ce44846873fd33945aadd2562facd21 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 May 2023 14:28:30 +0200 -Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Rafał Miłecki - -[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ] - -There is no such property in the SPI controller binding documentation. -Also Linux driver doesn't look for it. - -This fixes: -arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected) - From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml - -Signed-off-by: Rafał Miłecki -Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com -Signed-off-by: Florian Fainelli -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/bcm5301x.dtsi | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi -index 6edc4bd1e7eaf..a6406a347690e 100644 ---- a/arch/arm/boot/dts/bcm5301x.dtsi -+++ b/arch/arm/boot/dts/bcm5301x.dtsi -@@ -468,7 +468,6 @@ spi@18029200 { - "spi_lr_session_done", - "spi_lr_overread"; - clocks = <&iprocmed>; -- clock-names = "iprocmed"; - num-cs = <2>; - #address-cells = <1>; - #size-cells = <0>; --- -2.39.2 - diff --git a/queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch b/queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch deleted file mode 100644 index 1c80e49cf00..00000000000 --- a/queue-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d144f3f81fdf6521253b26f80c563d4fd016ec06 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 May 2023 17:30:58 +0200 -Subject: ARM: ep93xx: fix missing-prototype warnings - -From: Arnd Bergmann - -[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ] - -ep93xx_clocksource_read() is only called from the file it is declared in, -while ep93xx_timer_init() is declared in a header that is not included here. - -arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init' -arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read' - -Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS") -Acked-by: Alexander Sverdlin -Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org -Signed-off-by: Arnd Bergmann -Signed-off-by: Sasha Levin ---- - arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c -index de998830f534f..b07956883e165 100644 ---- a/arch/arm/mach-ep93xx/timer-ep93xx.c -+++ b/arch/arm/mach-ep93xx/timer-ep93xx.c -@@ -9,6 +9,7 @@ - #include - #include - #include "soc.h" -+#include "platform.h" - - /************************************************************************* - * Timer handling for EP93xx -@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void) - return ret; - } - --u64 ep93xx_clocksource_read(struct clocksource *c) -+static u64 ep93xx_clocksource_read(struct clocksource *c) - { - u64 ret; - --- -2.39.2 - diff --git a/queue-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch b/queue-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch deleted file mode 100644 index f0266df5c4e..00000000000 --- a/queue-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch +++ /dev/null @@ -1,55 +0,0 @@ -From f8ef1233939495c405a9faa4bd1ae7d3f581bae4 Mon Sep 17 00:00:00 2001 -From: Arnd Bergmann -Date: Tue, 16 May 2023 17:31:05 +0200 -Subject: ARM: orion5x: fix d2net gpio initialization - -From: Arnd Bergmann - -commit f8ef1233939495c405a9faa4bd1ae7d3f581bae4 upstream. - -The DT version of this board has a custom file with the gpio -device. However, it does nothing because the d2net_init() -has no caller or prototype: - -arch/arm/mach-orion5x/board-d2net.c:101:13: error: no previous prototype for 'd2net_init' - -Call it from the board-dt file as intended. - -Fixes: 94b0bd366e36 ("ARM: orion5x: convert d2net to Device Tree") -Reviewed-by: Andrew Lunn -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230516153109.514251-10-arnd@kernel.org -Signed-off-by: Arnd Bergmann -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/mach-orion5x/board-dt.c | 3 +++ - arch/arm/mach-orion5x/common.h | 6 ++++++ - 2 files changed, 9 insertions(+) - ---- a/arch/arm/mach-orion5x/board-dt.c -+++ b/arch/arm/mach-orion5x/board-dt.c -@@ -63,6 +63,9 @@ static void __init orion5x_dt_init(void) - if (of_machine_is_compatible("maxtor,shared-storage-2")) - mss2_init(); - -+ if (of_machine_is_compatible("lacie,d2-network")) -+ d2net_init(); -+ - of_platform_default_populate(NULL, orion5x_auxdata_lookup, NULL); - } - ---- a/arch/arm/mach-orion5x/common.h -+++ b/arch/arm/mach-orion5x/common.h -@@ -75,6 +75,12 @@ extern void mss2_init(void); - static inline void mss2_init(void) {} - #endif - -+#ifdef CONFIG_MACH_D2NET_DT -+void d2net_init(void); -+#else -+static inline void d2net_init(void) {} -+#endif -+ - /***************************************************************************** - * Helpers to access Orion registers - ****************************************************************************/ diff --git a/queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch deleted file mode 100644 index 26ea09779ca..00000000000 --- a/queue-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b47a7c0f977c015c3bb169a6ccbe0fb4704473aa Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 25 May 2023 10:48:22 +0200 -Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 - -From: Wolfram Sang - -[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ] - -The schematics are misleading, the flow control is for HSCIF1. We need -SCIF1 for GNSS/GPS which does not use flow control. - -Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1") -Signed-off-by: Wolfram Sang -Reviewed-by: Geert Uytterhoeven -Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com -Signed-off-by: Geert Uytterhoeven -Signed-off-by: Sasha Levin ---- - arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi -index 8bf3091a899c8..5abffdaf4077e 100644 ---- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi -+++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi -@@ -165,7 +165,7 @@ hscif0_pins: hscif0 { - }; - - scif1_pins: scif1 { -- groups = "scif1_data_b", "scif1_ctrl"; -+ groups = "scif1_data_b"; - function = "scif1"; - }; - -@@ -178,7 +178,6 @@ usb0_pins: usb0 { - &scif1 { - pinctrl-0 = <&scif1_pins>; - pinctrl-names = "default"; -- uart-has-rtscts; - - status = "okay"; - }; --- -2.39.2 - diff --git a/queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch deleted file mode 100644 index 3380105e7d4..00000000000 --- a/queue-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 8f45f8cea8f66aefea559e9624ac96ba2ff58970 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 21:11:38 +0300 -Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume - control - -From: Cristian Ciocaltea - -[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ] - -The following error occurs when trying to restore a previously saved -ALSA mixer state (tested on a Rock 5B board): - - $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog - $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog - alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument - -According to ES8316 datasheet, the register at address 0x2B, which is -related to the above mixer control, contains by default the value 0xB0. -Considering the corresponding ALC target bits (ALCLVL) are 7:4, the -control is initialized with 11, which is one step above the maximum -value allowed by the driver: - - ALCLVL | dB gain - -------+-------- - 0000 | -16.5 - 0001 | -15.0 - 0010 | -13.5 - .... | ..... - 0111 | -6.0 - 1000 | -4.5 - 1001 | -3.0 - 1010 | -1.5 - .... | ..... - 1111 | -1.5 - -The tests performed using the VU meter feature (--vumeter=TYPE) of -arecord/aplay confirm the specs are correct and there is no measured -gain if the 1011-1111 range would have been mapped to 0 dB: - - dB gain | VU meter % - --------+----------- - -6.0 | 30-31 - -4.5 | 35-36 - -3.0 | 42-43 - -1.5 | 50-51 - 0.0 | 50-51 - -Increment the max value allowed for ALC Capture Target Volume control, -so that it matches the hardware default. Additionally, update the -related TLV to prevent an artificial extension of the dB gain range. - -Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") -Signed-off-by: Cristian Ciocaltea -Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/codecs/es8316.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c -index 57130edaf3aba..834e542021fee 100644 ---- a/sound/soc/codecs/es8316.c -+++ b/sound/soc/codecs/es8316.c -@@ -45,7 +45,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1); - static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1); - static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0); - static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0); --static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0); -+ -+static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv, -+ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0), -+ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0), -+); -+ - static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv, - 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0), - 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0), -@@ -107,7 +112,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = { - alc_max_gain_tlv), - SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0, - alc_min_gain_tlv), -- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0, -+ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0, - alc_target_tlv), - SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0), - SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0), --- -2.39.2 - diff --git a/queue-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch b/queue-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch deleted file mode 100644 index 0fd0e40c180..00000000000 --- a/queue-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 028ddcac477b691dd9205c92f991cc15259d033e Mon Sep 17 00:00:00 2001 -From: Zheng Wang -Date: Thu, 15 Jun 2023 20:12:21 +0800 -Subject: bcache: Remove unnecessary NULL point check in node allocations - -From: Zheng Wang - -commit 028ddcac477b691dd9205c92f991cc15259d033e upstream. - -Due to the previous fix of __bch_btree_node_alloc, the return value will -never be a NULL pointer. So IS_ERR is enough to handle the failure -situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check. - -Fixes: cafe56359144 ("bcache: A block layer cache") -Cc: stable@vger.kernel.org -Signed-off-by: Zheng Wang -Signed-off-by: Coly Li -Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/bcache/btree.c | 10 +++++----- - drivers/md/bcache/super.c | 4 ++-- - 2 files changed, 7 insertions(+), 7 deletions(-) - ---- a/drivers/md/bcache/btree.c -+++ b/drivers/md/bcache/btree.c -@@ -1174,7 +1174,7 @@ static struct btree *btree_node_alloc_re - { - struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent); - -- if (!IS_ERR_OR_NULL(n)) { -+ if (!IS_ERR(n)) { - mutex_lock(&n->write_lock); - bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort); - bkey_copy_key(&n->key, &b->key); -@@ -1377,7 +1377,7 @@ static int btree_gc_coalesce(struct btre - memset(new_nodes, 0, sizeof(new_nodes)); - closure_init_stack(&cl); - -- while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b)) -+ while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b)) - keys += r[nodes++].keys; - - blocks = btree_default_blocks(b->c) * 2 / 3; -@@ -1389,7 +1389,7 @@ static int btree_gc_coalesce(struct btre - - for (i = 0; i < nodes; i++) { - new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL); -- if (IS_ERR_OR_NULL(new_nodes[i])) -+ if (IS_ERR(new_nodes[i])) - goto out_nocoalesce; - } - -@@ -1524,7 +1524,7 @@ out_nocoalesce: - atomic_dec(&b->c->prio_blocked); - - for (i = 0; i < nodes; i++) -- if (!IS_ERR_OR_NULL(new_nodes[i])) { -+ if (!IS_ERR(new_nodes[i])) { - btree_node_free(new_nodes[i]); - rw_unlock(true, new_nodes[i]); - } -@@ -1706,7 +1706,7 @@ static int bch_btree_gc_root(struct btre - if (should_rewrite) { - n = btree_node_alloc_replacement(b, NULL); - -- if (!IS_ERR_OR_NULL(n)) { -+ if (!IS_ERR(n)) { - bch_btree_node_write_sync(n); - - bch_btree_set_root(n); ---- a/drivers/md/bcache/super.c -+++ b/drivers/md/bcache/super.c -@@ -1576,7 +1576,7 @@ static void cache_set_flush(struct closu - if (!IS_ERR_OR_NULL(c->gc_thread)) - kthread_stop(c->gc_thread); - -- if (!IS_ERR_OR_NULL(c->root)) -+ if (!IS_ERR(c->root)) - list_add(&c->root->list, &c->btree_cache); - - /* Should skip this if we're unregistering because of an error */ -@@ -1921,7 +1921,7 @@ static int run_cache_set(struct cache_se - - err = "cannot allocate new btree root"; - c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL); -- if (IS_ERR_OR_NULL(c->root)) -+ if (IS_ERR(c->root)) - goto err; - - mutex_lock(&c->root->write_lock); diff --git a/queue-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch b/queue-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch deleted file mode 100644 index ca54e71c9d2..00000000000 --- a/queue-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch +++ /dev/null @@ -1,142 +0,0 @@ -From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001 -From: Michael Schmitz -Date: Wed, 21 Jun 2023 08:17:24 +1200 -Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h - -From: Michael Schmitz - -commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream. - -The Amiga partition parser module uses signed int for partition sector -address and count, which will overflow for disks larger than 1 TB. - -Use u64 as type for sector address and size to allow using disks up to -2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD -format allows to specify disk sizes up to 2^128 bytes (though native -OS limitations reduce this somewhat, to max 2^68 bytes), so check for -u64 overflow carefully to protect against overflowing sector_t. - -This bug was reported originally in 2012, and the fix was created by -the RDB author, Joanne Dow . A patch had been -discussed and reviewed on linux-m68k at that time but never officially -submitted (now resubmitted as patch 1 of this series). - -Patch 3 (this series) adds additional error checking and warning -messages. One of the error checks now makes use of the previously -unused rdb_CylBlocks field, which causes a 'sparse' warning -(cast to restricted __be32). - -Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the -on-disk format of RDB and partition blocks is always big endian. - -Reported-by: Martin Steigerwald -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Message-ID: <201206192146.09327.Martin@lichtvoll.de> -Cc: # 5.2 -Signed-off-by: Michael Schmitz -Reviewed-by: Christoph Hellwig -Reviewed-by: Geert Uytterhoeven -Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com -Signed-off-by: Jens Axboe -Signed-off-by: Greg Kroah-Hartman ---- - include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------ - 1 file changed, 34 insertions(+), 34 deletions(-) - ---- a/include/uapi/linux/affs_hardblocks.h -+++ b/include/uapi/linux/affs_hardblocks.h -@@ -7,42 +7,42 @@ - /* Just the needed definitions for the RDB of an Amiga HD. */ - - struct RigidDiskBlock { -- __u32 rdb_ID; -+ __be32 rdb_ID; - __be32 rdb_SummedLongs; -- __s32 rdb_ChkSum; -- __u32 rdb_HostID; -+ __be32 rdb_ChkSum; -+ __be32 rdb_HostID; - __be32 rdb_BlockBytes; -- __u32 rdb_Flags; -- __u32 rdb_BadBlockList; -+ __be32 rdb_Flags; -+ __be32 rdb_BadBlockList; - __be32 rdb_PartitionList; -- __u32 rdb_FileSysHeaderList; -- __u32 rdb_DriveInit; -- __u32 rdb_Reserved1[6]; -- __u32 rdb_Cylinders; -- __u32 rdb_Sectors; -- __u32 rdb_Heads; -- __u32 rdb_Interleave; -- __u32 rdb_Park; -- __u32 rdb_Reserved2[3]; -- __u32 rdb_WritePreComp; -- __u32 rdb_ReducedWrite; -- __u32 rdb_StepRate; -- __u32 rdb_Reserved3[5]; -- __u32 rdb_RDBBlocksLo; -- __u32 rdb_RDBBlocksHi; -- __u32 rdb_LoCylinder; -- __u32 rdb_HiCylinder; -- __u32 rdb_CylBlocks; -- __u32 rdb_AutoParkSeconds; -- __u32 rdb_HighRDSKBlock; -- __u32 rdb_Reserved4; -+ __be32 rdb_FileSysHeaderList; -+ __be32 rdb_DriveInit; -+ __be32 rdb_Reserved1[6]; -+ __be32 rdb_Cylinders; -+ __be32 rdb_Sectors; -+ __be32 rdb_Heads; -+ __be32 rdb_Interleave; -+ __be32 rdb_Park; -+ __be32 rdb_Reserved2[3]; -+ __be32 rdb_WritePreComp; -+ __be32 rdb_ReducedWrite; -+ __be32 rdb_StepRate; -+ __be32 rdb_Reserved3[5]; -+ __be32 rdb_RDBBlocksLo; -+ __be32 rdb_RDBBlocksHi; -+ __be32 rdb_LoCylinder; -+ __be32 rdb_HiCylinder; -+ __be32 rdb_CylBlocks; -+ __be32 rdb_AutoParkSeconds; -+ __be32 rdb_HighRDSKBlock; -+ __be32 rdb_Reserved4; - char rdb_DiskVendor[8]; - char rdb_DiskProduct[16]; - char rdb_DiskRevision[4]; - char rdb_ControllerVendor[8]; - char rdb_ControllerProduct[16]; - char rdb_ControllerRevision[4]; -- __u32 rdb_Reserved5[10]; -+ __be32 rdb_Reserved5[10]; - }; - - #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */ -@@ -50,16 +50,16 @@ struct RigidDiskBlock { - struct PartitionBlock { - __be32 pb_ID; - __be32 pb_SummedLongs; -- __s32 pb_ChkSum; -- __u32 pb_HostID; -+ __be32 pb_ChkSum; -+ __be32 pb_HostID; - __be32 pb_Next; -- __u32 pb_Flags; -- __u32 pb_Reserved1[2]; -- __u32 pb_DevFlags; -+ __be32 pb_Flags; -+ __be32 pb_Reserved1[2]; -+ __be32 pb_DevFlags; - __u8 pb_DriveName[32]; -- __u32 pb_Reserved2[15]; -+ __be32 pb_Reserved2[15]; - __be32 pb_Environment[17]; -- __u32 pb_EReserved[15]; -+ __be32 pb_EReserved[15]; - }; - - #define IDNAME_PARTITION 0x50415254 /* "PART" */ diff --git a/queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch b/queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch deleted file mode 100644 index 7569c7a2f4a..00000000000 --- a/queue-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch +++ /dev/null @@ -1,177 +0,0 @@ -From 2c488883c37e2823eef1b80cae4edf8e97997e0f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 May 2023 21:37:48 -0700 -Subject: bpf: Address KCSAN report on bpf_lru_list - -From: Martin KaFai Lau - -[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] - -KCSAN reported a data-race when accessing node->ref. -Although node->ref does not have to be accurate, -take this chance to use a more common READ_ONCE() and WRITE_ONCE() -pattern instead of data_race(). - -There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). -This patch also adds bpf_lru_node_clear_ref() to do the -WRITE_ONCE(node->ref, 0) also. - -================================================================== -BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem - -write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: -__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] -__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] -__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 -bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] -bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] -bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 -prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] -__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 -bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 -bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 -generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 -bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 -__sys_bpf+0x338/0x810 -__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] -__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] -__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: -bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] -__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 -bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 -bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 -generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 -bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 -__sys_bpf+0x338/0x810 -__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] -__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] -__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -value changed: 0x01 -> 0x00 - -Reported by Kernel Concurrency Sanitizer on: -CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 -================================================================== - -Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com -Signed-off-by: Martin KaFai Lau -Acked-by: Yonghong Song -Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- - kernel/bpf/bpf_lru_list.h | 7 ++----- - 2 files changed, 15 insertions(+), 13 deletions(-) - -diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c -index 9b5eeff72fd37..39a0e768adc39 100644 ---- a/kernel/bpf/bpf_lru_list.c -+++ b/kernel/bpf/bpf_lru_list.c -@@ -44,7 +44,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) - /* bpf_lru_node helpers */ - static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) - { -- return node->ref; -+ return READ_ONCE(node->ref); -+} -+ -+static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) -+{ -+ WRITE_ONCE(node->ref, 0); - } - - static void bpf_lru_list_count_inc(struct bpf_lru_list *l, -@@ -92,7 +97,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, - - bpf_lru_list_count_inc(l, tgt_type); - node->type = tgt_type; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_move(&node->list, &l->lists[tgt_type]); - } - -@@ -113,7 +118,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, - bpf_lru_list_count_inc(l, tgt_type); - node->type = tgt_type; - } -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - - /* If the moving node is the next_inactive_rotation candidate, - * move the next_inactive_rotation pointer also. -@@ -356,7 +361,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, - *(u32 *)((void *)node + lru->hash_offset) = hash; - node->cpu = cpu; - node->type = BPF_LRU_LOCAL_LIST_T_PENDING; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, local_pending_list(loc_l)); - } - -@@ -422,7 +427,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, - if (!list_empty(free_list)) { - node = list_first_entry(free_list, struct bpf_lru_node, list); - *(u32 *)((void *)node + lru->hash_offset) = hash; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); - } - -@@ -525,7 +530,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, - } - - node->type = BPF_LRU_LOCAL_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_move(&node->list, local_free_list(loc_l)); - - raw_spin_unlock_irqrestore(&loc_l->lock, flags); -@@ -571,7 +576,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, - - node = (struct bpf_lru_node *)(buf + node_offset); - node->type = BPF_LRU_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); - buf += elem_size; - } -@@ -597,7 +602,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, - node = (struct bpf_lru_node *)(buf + node_offset); - node->cpu = cpu; - node->type = BPF_LRU_LIST_T_FREE; -- node->ref = 0; -+ bpf_lru_node_clear_ref(node); - list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); - i++; - buf += elem_size; -diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h -index 7d4f89b7cb841..08da78b59f0b9 100644 ---- a/kernel/bpf/bpf_lru_list.h -+++ b/kernel/bpf/bpf_lru_list.h -@@ -66,11 +66,8 @@ struct bpf_lru { - - static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) - { -- /* ref is an approximation on access frequency. It does not -- * have to be very accurate. Hence, no protection is used. -- */ -- if (!node->ref) -- node->ref = 1; -+ if (!READ_ONCE(node->ref)) -+ WRITE_ONCE(node->ref, 1); - } - - int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, --- -2.39.2 - diff --git a/queue-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch b/queue-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch deleted file mode 100644 index 49404c8f14e..00000000000 --- a/queue-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch +++ /dev/null @@ -1,84 +0,0 @@ -From b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 Mon Sep 17 00:00:00 2001 -From: Filipe Manana -Date: Mon, 19 Jun 2023 17:21:47 +0100 -Subject: btrfs: fix race when deleting quota root from the dirty cow roots list - -From: Filipe Manana - -commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 upstream. - -When disabling quotas we are deleting the quota root from the list -fs_info->dirty_cowonly_roots without taking the lock that protects it, -which is struct btrfs_fs_info::trans_lock. This unsynchronized list -manipulation may cause chaos if there's another concurrent manipulation -of this list, such as when adding a root to it with -ctree.c:add_root_to_dirty_list(). - -This can result in all sorts of weird failures caused by a race, such as -the following crash: - - [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI - [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 - [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 - [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] - [337571.279928] Code: 85 38 06 00 (...) - [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 - [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 - [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 - [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b - [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 - [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 - [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 - [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 - [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - [337571.282874] Call Trace: - [337571.283101] - [337571.283327] ? __die_body+0x1b/0x60 - [337571.283570] ? die_addr+0x39/0x60 - [337571.283796] ? exc_general_protection+0x22e/0x430 - [337571.284022] ? asm_exc_general_protection+0x22/0x30 - [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] - [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] - [337571.284803] ? _raw_spin_unlock+0x15/0x30 - [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] - [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] - [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] - [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 - [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] - [337571.286358] ? mod_objcg_state+0xd2/0x360 - [337571.286577] ? refill_obj_stock+0xb0/0x160 - [337571.286798] ? seq_release+0x25/0x30 - [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 - [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 - [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 - [337571.287675] __x64_sys_ioctl+0x88/0xc0 - [337571.287901] do_syscall_64+0x38/0x90 - [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc - [337571.288352] RIP: 0033:0x7f478aaffe9b - -So fix this by locking struct btrfs_fs_info::trans_lock before deleting -the quota root from that list. - -Fixes: bed92eae26cc ("Btrfs: qgroup implementation and prototypes") -CC: stable@vger.kernel.org # 4.14+ -Signed-off-by: Filipe Manana -Signed-off-by: David Sterba -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/qgroup.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/fs/btrfs/qgroup.c -+++ b/fs/btrfs/qgroup.c -@@ -1115,7 +1115,9 @@ int btrfs_quota_disable(struct btrfs_fs_ - goto end_trans; - } - -+ spin_lock(&fs_info->trans_lock); - list_del("a_root->dirty_list); -+ spin_unlock(&fs_info->trans_lock); - - btrfs_tree_lock(quota_root->node); - clean_tree_block(fs_info, quota_root->node); diff --git a/queue-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch b/queue-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch deleted file mode 100644 index 14dcaf380e3..00000000000 --- a/queue-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 -From: YueHaibing -Date: Sat, 15 Jul 2023 17:25:43 +0800 -Subject: can: bcm: Fix UAF in bcm_proc_show() - -From: YueHaibing - -commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. - -BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 -Read of size 8 at addr ffff888155846230 by task cat/7862 - -CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 -Call Trace: - - dump_stack_lvl+0xd5/0x150 - print_report+0xc1/0x5e0 - kasan_report+0xba/0xf0 - bcm_proc_show+0x969/0xa80 - seq_read_iter+0x4f6/0x1260 - seq_read+0x165/0x210 - proc_reg_read+0x227/0x300 - vfs_read+0x1d5/0x8d0 - ksys_read+0x11e/0x240 - do_syscall_64+0x35/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Allocated by task 7846: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - __kasan_kmalloc+0x9e/0xa0 - bcm_sendmsg+0x264b/0x44e0 - sock_sendmsg+0xda/0x180 - ____sys_sendmsg+0x735/0x920 - ___sys_sendmsg+0x11d/0x1b0 - __sys_sendmsg+0xfa/0x1d0 - do_syscall_64+0x35/0xb0 - entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Freed by task 7846: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - kasan_save_free_info+0x27/0x40 - ____kasan_slab_free+0x161/0x1c0 - slab_free_freelist_hook+0x119/0x220 - __kmem_cache_free+0xb4/0x2e0 - rcu_core+0x809/0x1bd0 - -bcm_op is freed before procfs entry be removed in bcm_release(), -this lead to bcm_proc_show() may read the freed bcm_op. - -Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") -Signed-off-by: YueHaibing -Reviewed-by: Oliver Hartkopp -Acked-by: Oliver Hartkopp -Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com -Cc: stable@vger.kernel.org -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Greg Kroah-Hartman ---- - net/can/bcm.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - ---- a/net/can/bcm.c -+++ b/net/can/bcm.c -@@ -1520,6 +1520,12 @@ static int bcm_release(struct socket *so - - lock_sock(sk); - -+#if IS_ENABLED(CONFIG_PROC_FS) -+ /* remove procfs entry */ -+ if (net->can.bcmproc_dir && bo->bcm_proc_read) -+ remove_proc_entry(bo->procname, net->can.bcmproc_dir); -+#endif /* CONFIG_PROC_FS */ -+ - list_for_each_entry_safe(op, next, &bo->tx_ops, list) - bcm_remove_op(op); - -@@ -1555,12 +1561,6 @@ static int bcm_release(struct socket *so - list_for_each_entry_safe(op, next, &bo->rx_ops, list) - bcm_remove_op(op); - --#if IS_ENABLED(CONFIG_PROC_FS) -- /* remove procfs entry */ -- if (net->can.bcmproc_dir && bo->bcm_proc_read) -- remove_proc_entry(bo->procname, net->can.bcmproc_dir); --#endif /* CONFIG_PROC_FS */ -- - /* remove device reference */ - if (bo->bound) { - bo->bound = 0; diff --git a/queue-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch b/queue-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch deleted file mode 100644 index bdebd6ffa01..00000000000 --- a/queue-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 Mon Sep 17 00:00:00 2001 -From: Xiubo Li -Date: Wed, 28 Jun 2023 07:57:09 +0800 -Subject: ceph: don't let check_caps skip sending responses for revoke msgs - -From: Xiubo Li - -commit 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 upstream. - -If a client sends out a cap update dropping caps with the prior 'seq' -just before an incoming cap revoke request, then the client may drop -the revoke because it believes it's already released the requested -capabilities. - -This causes the MDS to wait indefinitely for the client to respond -to the revoke. It's therefore always a good idea to ack the cap -revoke request with the bumped up 'seq'. - -Cc: stable@vger.kernel.org -Link: https://tracker.ceph.com/issues/61782 -Signed-off-by: Xiubo Li -Reviewed-by: Milind Changire -Reviewed-by: Patrick Donnelly -Signed-off-by: Ilya Dryomov -Signed-off-by: Greg Kroah-Hartman ---- - fs/ceph/caps.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/fs/ceph/caps.c -+++ b/fs/ceph/caps.c -@@ -3285,6 +3285,15 @@ static void handle_cap_grant(struct inod - } - BUG_ON(cap->issued & ~cap->implemented); - -+ /* don't let check_caps skip sending a response to MDS for revoke msgs */ -+ if (le32_to_cpu(grant->op) == CEPH_CAP_OP_REVOKE) { -+ cap->mds_wanted = 0; -+ if (cap == ci->i_auth_cap) -+ check_caps = 1; /* check auth cap only */ -+ else -+ check_caps = 2; /* check all caps */ -+ } -+ - if (extra_info->inline_version > 0 && - extra_info->inline_version >= ci->i_inline_version) { - ci->i_inline_version = extra_info->inline_version; diff --git a/queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch deleted file mode 100644 index 2c4588c7317..00000000000 --- a/queue-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch +++ /dev/null @@ -1,81 +0,0 @@ -From cdce24c230c530209c4401a7acb8c7930aa81309 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 25 Apr 2023 06:56:11 +0000 -Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe - -From: Feng Mingxi - -[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ] - -Smatch reports: -drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() -warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. - -timer_baseaddr may have the problem of not being released after use, -I replaced it with the devm_of_iomap() function and added the clk_put() -function to cleanup the "clk_ce" and "clk_cs". - -Fixes: e932900a3279 ("arm: zynq: Use standard timer binding") -Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") -Signed-off-by: Feng Mingxi -Reviewed-by: Dongliang Mu -Acked-by: Michal Simek -Signed-off-by: Daniel Lezcano -Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn -Signed-off-by: Sasha Levin ---- - drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------ - 1 file changed, 13 insertions(+), 6 deletions(-) - -diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c -index b1df0ded8f521..16b9bfb257564 100644 ---- a/drivers/clocksource/timer-cadence-ttc.c -+++ b/drivers/clocksource/timer-cadence-ttc.c -@@ -494,10 +494,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev) - * and use it. Note that the event timer uses the interrupt and it's the - * 2nd TTC hence the irq_of_parse_and_map(,1) - */ -- timer_baseaddr = of_iomap(timer, 0); -- if (!timer_baseaddr) { -+ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL); -+ if (IS_ERR(timer_baseaddr)) { - pr_err("ERROR: invalid timer base address\n"); -- return -ENXIO; -+ return PTR_ERR(timer_baseaddr); - } - - irq = irq_of_parse_and_map(timer, 1); -@@ -521,20 +521,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev) - clk_ce = of_clk_get(timer, clksel); - if (IS_ERR(clk_ce)) { - pr_err("ERROR: timer input clock not found\n"); -- return PTR_ERR(clk_ce); -+ ret = PTR_ERR(clk_ce); -+ goto put_clk_cs; - } - - ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width); - if (ret) -- return ret; -+ goto put_clk_ce; - - ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq); - if (ret) -- return ret; -+ goto put_clk_ce; - - pr_info("%s #0 at %p, irq=%d\n", timer->name, timer_baseaddr, irq); - - return 0; -+ -+put_clk_ce: -+ clk_put(clk_ce); -+put_clk_cs: -+ clk_put(clk_cs); -+ return ret; - } - - static const struct of_device_id ttc_timer_of_match[] = { --- -2.39.2 - diff --git a/queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch b/queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch deleted file mode 100644 index aefa2443a58..00000000000 --- a/queue-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 86fdffa20ff885a32027563da0692cd00e56eca0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Nov 2019 02:36:28 -0800 -Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver - -From: Rajan Vaja - -[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ] - -Currently TTC driver is TIMER_OF_DECLARE type driver. Because of -that, TTC driver may be initialized before other clock drivers. If -TTC driver is dependent on that clock driver then initialization of -TTC driver will failed. - -So use TTC driver as platform driver instead of using -TIMER_OF_DECLARE. - -Signed-off-by: Rajan Vaja -Tested-by: Michal Simek -Acked-by: Michal Simek -Signed-off-by: Daniel Lezcano -Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com -Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe") -Signed-off-by: Sasha Levin ---- - drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++-------- - 1 file changed, 18 insertions(+), 8 deletions(-) - -diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c -index a7eb858a84a0f..b1df0ded8f521 100644 ---- a/drivers/clocksource/timer-cadence-ttc.c -+++ b/drivers/clocksource/timer-cadence-ttc.c -@@ -23,6 +23,8 @@ - #include - #include - #include -+#include -+#include - - /* - * This driver configures the 2 16/32-bit count-up timers as follows: -@@ -472,13 +474,7 @@ static int __init ttc_setup_clockevent(struct clk *clk, - return err; - } - --/** -- * ttc_timer_init - Initialize the timer -- * -- * Initializes the timer hardware and register the clock source and clock event -- * timers with Linux kernal timer framework -- */ --static int __init ttc_timer_init(struct device_node *timer) -+static int __init ttc_timer_probe(struct platform_device *pdev) - { - unsigned int irq; - void __iomem *timer_baseaddr; -@@ -486,6 +482,7 @@ static int __init ttc_timer_init(struct device_node *timer) - static int initialized; - int clksel, ret; - u32 timer_width = 16; -+ struct device_node *timer = pdev->dev.of_node; - - if (initialized) - return 0; -@@ -540,4 +537,17 @@ static int __init ttc_timer_init(struct device_node *timer) - return 0; - } - --TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init); -+static const struct of_device_id ttc_timer_of_match[] = { -+ {.compatible = "cdns,ttc"}, -+ {}, -+}; -+ -+MODULE_DEVICE_TABLE(of, ttc_timer_of_match); -+ -+static struct platform_driver ttc_timer_driver = { -+ .driver = { -+ .name = "cdns_ttc_timer", -+ .of_match_table = ttc_timer_of_match, -+ }, -+}; -+builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe); --- -2.39.2 - diff --git a/queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch b/queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch deleted file mode 100644 index 46574bac1d9..00000000000 --- a/queue-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch +++ /dev/null @@ -1,219 +0,0 @@ -From ca60c700dea2b20caf43a6b9c00124a3dd36d227 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 24 Sep 2018 05:59:23 +0200 -Subject: clocksource/drivers: Unify the names to timer-* format -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Daniel Lezcano - -[ Upstream commit 9d8d47ea6ec6048abc75ccc4486aff1a7db1ff4b ] - -In order to make some housekeeping in the directory, this patch renames -drivers to the timer-* format in order to unify their names. - -There is no functional changes. - -Acked-by: Uwe Kleine-König -Acked-by: Vladimir Zapolskiy -Acked-by: Liviu Dudau - -Signed-off-by: Daniel Lezcano -Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe") -Signed-off-by: Sasha Levin ---- - MAINTAINERS | 10 +++---- - drivers/clocksource/Makefile | 26 +++++++++---------- - ...-armada-370-xp.c => timer-armada-370-xp.c} | 0 - ...adence_ttc_timer.c => timer-cadence-ttc.c} | 0 - .../{time-efm32.c => timer-efm32.c} | 0 - .../{fsl_ftm_timer.c => timer-fsl-ftm.c} | 0 - .../{time-lpc32xx.c => timer-lpc32xx.c} | 0 - .../{time-orion.c => timer-orion.c} | 0 - .../clocksource/{owl-timer.c => timer-owl.c} | 0 - .../{time-pistachio.c => timer-pistachio.c} | 0 - .../{qcom-timer.c => timer-qcom.c} | 0 - .../{versatile.c => timer-versatile.c} | 0 - .../{vf_pit_timer.c => timer-vf-pit.c} | 0 - .../{vt8500_timer.c => timer-vt8500.c} | 0 - .../{zevio-timer.c => timer-zevio.c} | 0 - 15 files changed, 18 insertions(+), 18 deletions(-) - rename drivers/clocksource/{time-armada-370-xp.c => timer-armada-370-xp.c} (100%) - rename drivers/clocksource/{cadence_ttc_timer.c => timer-cadence-ttc.c} (100%) - rename drivers/clocksource/{time-efm32.c => timer-efm32.c} (100%) - rename drivers/clocksource/{fsl_ftm_timer.c => timer-fsl-ftm.c} (100%) - rename drivers/clocksource/{time-lpc32xx.c => timer-lpc32xx.c} (100%) - rename drivers/clocksource/{time-orion.c => timer-orion.c} (100%) - rename drivers/clocksource/{owl-timer.c => timer-owl.c} (100%) - rename drivers/clocksource/{time-pistachio.c => timer-pistachio.c} (100%) - rename drivers/clocksource/{qcom-timer.c => timer-qcom.c} (100%) - rename drivers/clocksource/{versatile.c => timer-versatile.c} (100%) - rename drivers/clocksource/{vf_pit_timer.c => timer-vf-pit.c} (100%) - rename drivers/clocksource/{vt8500_timer.c => timer-vt8500.c} (100%) - rename drivers/clocksource/{zevio-timer.c => timer-zevio.c} (100%) - -diff --git a/MAINTAINERS b/MAINTAINERS -index 3d3d7f5d1c3f1..59003315a9597 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -1180,7 +1180,7 @@ N: owl - F: arch/arm/mach-actions/ - F: arch/arm/boot/dts/owl-* - F: arch/arm64/boot/dts/actions/ --F: drivers/clocksource/owl-* -+F: drivers/clocksource/timer-owl* - F: drivers/pinctrl/actions/* - F: drivers/soc/actions/ - F: include/dt-bindings/power/owl-* -@@ -1603,7 +1603,7 @@ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers) - S: Maintained - F: arch/arm/boot/dts/lpc43* - F: drivers/clk/nxp/clk-lpc18xx* --F: drivers/clocksource/time-lpc32xx.c -+F: drivers/clocksource/timer-lpc32xx.c - F: drivers/i2c/busses/i2c-lpc2k.c - F: drivers/memory/pl172.c - F: drivers/mtd/spi-nor/nxp-spifi.c -@@ -2219,7 +2219,7 @@ F: arch/arm/mach-vexpress/ - F: */*/vexpress* - F: */*/*/vexpress* - F: drivers/clk/versatile/clk-vexpress-osc.c --F: drivers/clocksource/versatile.c -+F: drivers/clocksource/timer-versatile.c - N: mps2 - - ARM/VFP SUPPORT -@@ -2241,7 +2241,7 @@ M: Tony Prisk - L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers) - S: Maintained - F: arch/arm/mach-vt8500/ --F: drivers/clocksource/vt8500_timer.c -+F: drivers/clocksource/timer-vt8500.c - F: drivers/i2c/busses/i2c-wmt.c - F: drivers/mmc/host/wmt-sdmmc.c - F: drivers/pwm/pwm-vt8500.c -@@ -2306,7 +2306,7 @@ F: drivers/cpuidle/cpuidle-zynq.c - F: drivers/block/xsysace.c - N: zynq - N: xilinx --F: drivers/clocksource/cadence_ttc_timer.c -+F: drivers/clocksource/timer-cadence-ttc.c - F: drivers/i2c/busses/i2c-cadence.c - F: drivers/mmc/host/sdhci-of-arasan.c - F: drivers/edac/synopsys_edac.c -diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile -index db51b2427e8a6..e33b21d3f9d8b 100644 ---- a/drivers/clocksource/Makefile -+++ b/drivers/clocksource/Makefile -@@ -23,8 +23,8 @@ obj-$(CONFIG_FTTMR010_TIMER) += timer-fttmr010.o - obj-$(CONFIG_ROCKCHIP_TIMER) += rockchip_timer.o - obj-$(CONFIG_CLKSRC_NOMADIK_MTU) += nomadik-mtu.o - obj-$(CONFIG_CLKSRC_DBX500_PRCMU) += clksrc-dbx500-prcmu.o --obj-$(CONFIG_ARMADA_370_XP_TIMER) += time-armada-370-xp.o --obj-$(CONFIG_ORION_TIMER) += time-orion.o -+obj-$(CONFIG_ARMADA_370_XP_TIMER) += timer-armada-370-xp.o -+obj-$(CONFIG_ORION_TIMER) += timer-orion.o - obj-$(CONFIG_BCM2835_TIMER) += bcm2835_timer.o - obj-$(CONFIG_CLPS711X_TIMER) += clps711x-timer.o - obj-$(CONFIG_ATLAS7_TIMER) += timer-atlas7.o -@@ -36,25 +36,25 @@ obj-$(CONFIG_SUN4I_TIMER) += sun4i_timer.o - obj-$(CONFIG_SUN5I_HSTIMER) += timer-sun5i.o - obj-$(CONFIG_MESON6_TIMER) += meson6_timer.o - obj-$(CONFIG_TEGRA_TIMER) += tegra20_timer.o --obj-$(CONFIG_VT8500_TIMER) += vt8500_timer.o --obj-$(CONFIG_NSPIRE_TIMER) += zevio-timer.o -+obj-$(CONFIG_VT8500_TIMER) += timer-vt8500.o -+obj-$(CONFIG_NSPIRE_TIMER) += timer-zevio.o - obj-$(CONFIG_BCM_KONA_TIMER) += bcm_kona_timer.o --obj-$(CONFIG_CADENCE_TTC_TIMER) += cadence_ttc_timer.o --obj-$(CONFIG_CLKSRC_EFM32) += time-efm32.o -+obj-$(CONFIG_CADENCE_TTC_TIMER) += timer-cadence-ttc.o -+obj-$(CONFIG_CLKSRC_EFM32) += timer-efm32.o - obj-$(CONFIG_CLKSRC_STM32) += timer-stm32.o - obj-$(CONFIG_CLKSRC_EXYNOS_MCT) += exynos_mct.o --obj-$(CONFIG_CLKSRC_LPC32XX) += time-lpc32xx.o -+obj-$(CONFIG_CLKSRC_LPC32XX) += timer-lpc32xx.o - obj-$(CONFIG_CLKSRC_MPS2) += mps2-timer.o - obj-$(CONFIG_CLKSRC_SAMSUNG_PWM) += samsung_pwm_timer.o --obj-$(CONFIG_FSL_FTM_TIMER) += fsl_ftm_timer.o --obj-$(CONFIG_VF_PIT_TIMER) += vf_pit_timer.o --obj-$(CONFIG_CLKSRC_QCOM) += qcom-timer.o -+obj-$(CONFIG_FSL_FTM_TIMER) += timer-fsl-ftm.o -+obj-$(CONFIG_VF_PIT_TIMER) += timer-vf-pit.o -+obj-$(CONFIG_CLKSRC_QCOM) += timer-qcom.o - obj-$(CONFIG_MTK_TIMER) += timer-mediatek.o --obj-$(CONFIG_CLKSRC_PISTACHIO) += time-pistachio.o -+obj-$(CONFIG_CLKSRC_PISTACHIO) += timer-pistachio.o - obj-$(CONFIG_CLKSRC_TI_32K) += timer-ti-32k.o - obj-$(CONFIG_CLKSRC_NPS) += timer-nps.o - obj-$(CONFIG_OXNAS_RPS_TIMER) += timer-oxnas-rps.o --obj-$(CONFIG_OWL_TIMER) += owl-timer.o -+obj-$(CONFIG_OWL_TIMER) += timer-owl.o - obj-$(CONFIG_SPRD_TIMER) += timer-sprd.o - obj-$(CONFIG_NPCM7XX_TIMER) += timer-npcm7xx.o - -@@ -66,7 +66,7 @@ obj-$(CONFIG_ARM_TIMER_SP804) += timer-sp804.o - obj-$(CONFIG_ARCH_HAS_TICK_BROADCAST) += dummy_timer.o - obj-$(CONFIG_KEYSTONE_TIMER) += timer-keystone.o - obj-$(CONFIG_INTEGRATOR_AP_TIMER) += timer-integrator-ap.o --obj-$(CONFIG_CLKSRC_VERSATILE) += versatile.o -+obj-$(CONFIG_CLKSRC_VERSATILE) += timer-versatile.o - obj-$(CONFIG_CLKSRC_MIPS_GIC) += mips-gic-timer.o - obj-$(CONFIG_CLKSRC_TANGO_XTAL) += tango_xtal.o - obj-$(CONFIG_CLKSRC_IMX_GPT) += timer-imx-gpt.o -diff --git a/drivers/clocksource/time-armada-370-xp.c b/drivers/clocksource/timer-armada-370-xp.c -similarity index 100% -rename from drivers/clocksource/time-armada-370-xp.c -rename to drivers/clocksource/timer-armada-370-xp.c -diff --git a/drivers/clocksource/cadence_ttc_timer.c b/drivers/clocksource/timer-cadence-ttc.c -similarity index 100% -rename from drivers/clocksource/cadence_ttc_timer.c -rename to drivers/clocksource/timer-cadence-ttc.c -diff --git a/drivers/clocksource/time-efm32.c b/drivers/clocksource/timer-efm32.c -similarity index 100% -rename from drivers/clocksource/time-efm32.c -rename to drivers/clocksource/timer-efm32.c -diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/timer-fsl-ftm.c -similarity index 100% -rename from drivers/clocksource/fsl_ftm_timer.c -rename to drivers/clocksource/timer-fsl-ftm.c -diff --git a/drivers/clocksource/time-lpc32xx.c b/drivers/clocksource/timer-lpc32xx.c -similarity index 100% -rename from drivers/clocksource/time-lpc32xx.c -rename to drivers/clocksource/timer-lpc32xx.c -diff --git a/drivers/clocksource/time-orion.c b/drivers/clocksource/timer-orion.c -similarity index 100% -rename from drivers/clocksource/time-orion.c -rename to drivers/clocksource/timer-orion.c -diff --git a/drivers/clocksource/owl-timer.c b/drivers/clocksource/timer-owl.c -similarity index 100% -rename from drivers/clocksource/owl-timer.c -rename to drivers/clocksource/timer-owl.c -diff --git a/drivers/clocksource/time-pistachio.c b/drivers/clocksource/timer-pistachio.c -similarity index 100% -rename from drivers/clocksource/time-pistachio.c -rename to drivers/clocksource/timer-pistachio.c -diff --git a/drivers/clocksource/qcom-timer.c b/drivers/clocksource/timer-qcom.c -similarity index 100% -rename from drivers/clocksource/qcom-timer.c -rename to drivers/clocksource/timer-qcom.c -diff --git a/drivers/clocksource/versatile.c b/drivers/clocksource/timer-versatile.c -similarity index 100% -rename from drivers/clocksource/versatile.c -rename to drivers/clocksource/timer-versatile.c -diff --git a/drivers/clocksource/vf_pit_timer.c b/drivers/clocksource/timer-vf-pit.c -similarity index 100% -rename from drivers/clocksource/vf_pit_timer.c -rename to drivers/clocksource/timer-vf-pit.c -diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/timer-vt8500.c -similarity index 100% -rename from drivers/clocksource/vt8500_timer.c -rename to drivers/clocksource/timer-vt8500.c -diff --git a/drivers/clocksource/zevio-timer.c b/drivers/clocksource/timer-zevio.c -similarity index 100% -rename from drivers/clocksource/zevio-timer.c -rename to drivers/clocksource/timer-zevio.c --- -2.39.2 - diff --git a/queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch deleted file mode 100644 index a6e1f3d77f7..00000000000 --- a/queue-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 0c67a96251f802879d2f45c09aaab210c2981721 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 15:33:34 -0700 -Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Randy Dunlap - -[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ] - -Fix build warnings when DEBUG_FS is not enabled by using an empty -do-while loop instead of a value: - -In file included from ../drivers/crypto/nx/nx.c:27: -../drivers/crypto/nx/nx.c: In function 'nx_register_algs': -../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value] - 173 | #define NX_DEBUGFS_INIT(drv) (0) -../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT' - 573 | NX_DEBUGFS_INIT(&nx_driver); -../drivers/crypto/nx/nx.c: In function 'nx_remove': -../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value] - 174 | #define NX_DEBUGFS_FINI(drv) (0) -../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI' - 793 | NX_DEBUGFS_FINI(&nx_driver); - -Also, there is no need to build nx_debugfs.o when DEBUG_FS is not -enabled, so change the Makefile to accommodate that. - -Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption") -Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver") -Signed-off-by: Randy Dunlap -Cc: Breno Leitão -Cc: Nayna Jain -Cc: Paulo Flabiano Smorigo -Cc: Herbert Xu -Cc: "David S. Miller" -Cc: linux-crypto@vger.kernel.org -Cc: Michael Ellerman -Cc: Nicholas Piggin -Cc: Christophe Leroy -Cc: linuxppc-dev@lists.ozlabs.org -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - drivers/crypto/nx/Makefile | 2 +- - drivers/crypto/nx/nx.h | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile -index 015155da59c29..76139865d7fa1 100644 ---- a/drivers/crypto/nx/Makefile -+++ b/drivers/crypto/nx/Makefile -@@ -1,7 +1,6 @@ - # SPDX-License-Identifier: GPL-2.0 - obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o - nx-crypto-objs := nx.o \ -- nx_debugfs.o \ - nx-aes-cbc.o \ - nx-aes-ecb.o \ - nx-aes-gcm.o \ -@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \ - nx-sha256.o \ - nx-sha512.o - -+nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o - obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o - obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o - nx-compress-objs := nx-842.o -diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h -index c3e54af18645c..ebad937a9545c 100644 ---- a/drivers/crypto/nx/nx.h -+++ b/drivers/crypto/nx/nx.h -@@ -180,8 +180,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int, - int nx_debugfs_init(struct nx_crypto_driver *); - void nx_debugfs_fini(struct nx_crypto_driver *); - #else --#define NX_DEBUGFS_INIT(drv) (0) --#define NX_DEBUGFS_FINI(drv) (0) -+#define NX_DEBUGFS_INIT(drv) do {} while (0) -+#define NX_DEBUGFS_FINI(drv) do {} while (0) - #endif - - #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL) --- -2.39.2 - diff --git a/queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch b/queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch deleted file mode 100644 index e8a1d10593c..00000000000 --- a/queue-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 233f69239c9aa2b9be0322933feb055562d8f437 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 7 Jun 2023 19:19:02 +0900 -Subject: debugobjects: Recheck debug_objects_enabled before reporting - -From: Tetsuo Handa - -[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ] - -syzbot is reporting false a positive ODEBUG message immediately after -ODEBUG was disabled due to OOM. - - [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled - [ 1062.886755][ T5171] ------------[ cut here ]------------ - [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40 - - CPU 0 [ T5171] CPU 1 [T22911] - -------------- -------------- - debug_object_assert_init() { - if (!debug_objects_enabled) - return; - db = get_bucket(addr); - lookup_object_or_alloc() { - debug_objects_enabled = 0; - return NULL; - } - debug_objects_oom() { - pr_warn("Out of memory. ODEBUG disabled\n"); - // all buckets get emptied here, and - } - lookup_object_or_alloc(addr, db, descr, false, true) { - // this bucket is already empty. - return ERR_PTR(-ENOENT); - } - // Emits false positive warning. - debug_print_object(&o, "assert_init"); - } - -Recheck debug_object_enabled in debug_print_object() to avoid that. - -Reported-by: syzbot -Suggested-by: Thomas Gleixner -Signed-off-by: Tetsuo Handa -Signed-off-by: Thomas Gleixner -Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp -Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf -Signed-off-by: Sasha Levin ---- - lib/debugobjects.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/debugobjects.c b/lib/debugobjects.c -index 5f23d896df55a..62d095fd0c52a 100644 ---- a/lib/debugobjects.c -+++ b/lib/debugobjects.c -@@ -371,6 +371,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg) - struct debug_obj_descr *descr = obj->descr; - static int limit; - -+ /* -+ * Don't report if lookup_object_or_alloc() by the current thread -+ * failed because lookup_object_or_alloc()/debug_objects_oom() by a -+ * concurrent thread turned off debug_objects_enabled and cleared -+ * the hash buckets. -+ */ -+ if (!debug_objects_enabled) -+ return; -+ - if (limit < 5 && descr != descr_test) { - void *hint = descr->debug_hint ? - descr->debug_hint(obj->object) : NULL; --- -2.39.2 - diff --git a/queue-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch b/queue-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch deleted file mode 100644 index 79e55af997d..00000000000 --- a/queue-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch +++ /dev/null @@ -1,33 +0,0 @@ -From a2b308044dcaca8d3e580959a4f867a1d5c37fac Mon Sep 17 00:00:00 2001 -From: Bas Nieuwenhuizen -Date: Sat, 13 May 2023 14:51:00 +0200 -Subject: drm/amdgpu: Validate VM ioctl flags. - -From: Bas Nieuwenhuizen - -commit a2b308044dcaca8d3e580959a4f867a1d5c37fac upstream. - -None have been defined yet, so reject anybody setting any. Mesa sets -it to 0 anyway. - -Signed-off-by: Bas Nieuwenhuizen -Signed-off-by: Alex Deucher -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c -+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c -@@ -2989,6 +2989,10 @@ int amdgpu_vm_ioctl(struct drm_device *d - struct amdgpu_fpriv *fpriv = filp->driver_priv; - int r; - -+ /* No valid flags defined yet */ -+ if (args->in.flags) -+ return -EINVAL; -+ - switch (args->in.op) { - case AMDGPU_VM_OP_RESERVE_VMID: - /* current, we only have requirement to reserve vmid from gfxhub */ diff --git a/queue-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch b/queue-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch deleted file mode 100644 index f1faf8d442d..00000000000 --- a/queue-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001 -From: Daniel Vetter -Date: Fri, 21 Jul 2023 15:58:38 +0200 -Subject: drm/atomic: Fix potential use-after-free in nonblocking commits - -From: Daniel Vetter - -commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream. - -This requires a bit of background. Properly done a modeset driver's -unload/remove sequence should be - - drm_dev_unplug(); - drm_atomic_helper_shutdown(); - drm_dev_put(); - -The trouble is that the drm_dev_unplugged() checks are by design racy, -they do not synchronize against all outstanding ioctl. This is because -those ioctl could block forever (both for modeset and for driver -specific ioctls), leading to deadlocks in hotunplug. Instead the code -sections that touch the hardware need to be annotated with -drm_dev_enter/exit, to avoid accessing hardware resources after the -unload/remove has finished. - -To avoid use-after-free issues all the involved userspace visible -objects are supposed to hold a reference on the underlying drm_device, -like drm_file does. - -The issue now is that we missed one, the atomic modeset ioctl can be run -in a nonblocking fashion, and in that case it cannot rely on the implied -drm_device reference provided by the ioctl calling context. This can -result in a use-after-free if an nonblocking atomic commit is carefully -raced against a driver unload. - -Fix this by unconditionally grabbing a drm_device reference for any -drm_atomic_state structures. Strictly speaking this isn't required for -blocking commits and TEST_ONLY calls, but it's the simpler approach. - -Thanks to shanzhulig for the initial idea of grabbing an unconditional -reference, I just added comments, a condensed commit message and fixed a -minor potential issue in where exactly we drop the final reference. - -Reported-by: shanzhulig -Suggested-by: shanzhulig -Reviewed-by: Maxime Ripard -Cc: Maarten Lankhorst -Cc: Thomas Zimmermann -Cc: David Airlie -Cc: stable@kernel.org -Signed-off-by: Daniel Vetter -Signed-off-by: Daniel Vetter -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - ---- a/drivers/gpu/drm/drm_atomic.c -+++ b/drivers/gpu/drm/drm_atomic.c -@@ -91,6 +91,12 @@ drm_atomic_state_init(struct drm_device - if (!state->planes) - goto fail; - -+ /* -+ * Because drm_atomic_state can be committed asynchronously we need our -+ * own reference and cannot rely on the on implied by drm_file in the -+ * ioctl call. -+ */ -+ drm_dev_get(dev); - state->dev = dev; - - DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); -@@ -250,7 +256,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); - void __drm_atomic_state_free(struct kref *ref) - { - struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); -- struct drm_mode_config *config = &state->dev->mode_config; -+ struct drm_device *dev = state->dev; -+ struct drm_mode_config *config = &dev->mode_config; - - drm_atomic_state_clear(state); - -@@ -262,6 +269,8 @@ void __drm_atomic_state_free(struct kref - drm_atomic_state_default_release(state); - kfree(state); - } -+ -+ drm_dev_put(dev); - } - EXPORT_SYMBOL(__drm_atomic_state_free); - diff --git a/queue-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch b/queue-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch deleted file mode 100644 index e383b4f6ec5..00000000000 --- a/queue-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 991fcb77f490390bcad89fa67d95763c58cdc04c Mon Sep 17 00:00:00 2001 -From: Lyude Paul -Date: Thu, 5 Nov 2020 18:57:02 -0500 -Subject: drm/edid: Fix uninitialized variable in drm_cvt_modes() - -From: Lyude Paul - -commit 991fcb77f490390bcad89fa67d95763c58cdc04c upstream. - -Noticed this when trying to compile with -Wall on a kernel fork. We -potentially don't set width here, which causes the compiler to complain -about width potentially being uninitialized in drm_cvt_modes(). So, let's -fix that. - -Changes since v1: -* Don't emit an error as this code isn't reachable, just mark it as such -Changes since v2: -* Remove now unused variable - -Fixes: 3f649ab728cd ("treewide: Remove uninitialized_var() usage") -Signed-off-by: Lyude Paul -Reviewed-by: Ilia Mirkin -Link: https://patchwork.freedesktop.org/patch/msgid/20201105235703.1328115-1-lyude@redhat.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/drm_edid.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/gpu/drm/drm_edid.c -+++ b/drivers/gpu/drm/drm_edid.c -@@ -2798,6 +2798,8 @@ static int drm_cvt_modes(struct drm_conn - case 0x0c: - width = height * 15 / 9; - break; -+ default: -+ unreachable(); - } - - for (j = 1; j < 5; j++) { diff --git a/queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch deleted file mode 100644 index bcc9e6fb210..00000000000 --- a/queue-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch +++ /dev/null @@ -1,51 +0,0 @@ -From e827def04dcba9582598bfa29b10f68ed4108f2d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 May 2023 10:50:39 +0200 -Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H - -From: Dario Binacchi - -[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ] - -The previous setting was related to the overall dimension and not to the -active display area. -In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the -following parameters: - - ---------------------------------------------------------- -| Item | Specifications | unit | - ---------------------------------------------------------- -| Display area | 98.7 (W) x 57.5 (H) | mm | - ---------------------------------------------------------- -| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm | - ---------------------------------------------------------- - -Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H") -Signed-off-by: Dario Binacchi -Reviewed-by: Neil Armstrong -[narmstrong: fixed Fixes commit id length] -Signed-off-by: Neil Armstrong -Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/panel/panel-simple.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c -index a424afdcc77a1..35771e0e69fa6 100644 ---- a/drivers/gpu/drm/panel/panel-simple.c -+++ b/drivers/gpu/drm/panel/panel-simple.c -@@ -405,8 +405,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = { - .num_modes = 1, - .bpc = 8, - .size = { -- .width = 105, -- .height = 67, -+ .width = 99, -+ .height = 58, - }, - .bus_format = MEDIA_BUS_FMT_RGB888_1X24, - }; --- -2.39.2 - diff --git a/queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch b/queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch deleted file mode 100644 index d8ce2e8ca6f..00000000000 --- a/queue-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch +++ /dev/null @@ -1,94 +0,0 @@ -From eeeaa3a9489dc01c08a7ac9ba2b400970310d8f6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 08:33:27 -0700 -Subject: drm/radeon: fix possible division-by-zero errors - -From: Nikita Zhandarovich - -[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ] - -Function rv740_get_decoded_reference_divider() may return 0 due to -unpredictable reference divider value calculated in -radeon_atom_get_clock_dividers(). This will lead to -division-by-zero error once that value is used as a divider -in calculating 'clk_s'. -While unlikely, this issue should nonetheless be prevented so add a -sanity check for such cases by testing 'decoded_ref' value against 0. - -Found by Linux Verification Center (linuxtesting.org) with static -analysis tool SVACE. - -v2: minor coding style fixes (Alex) -In practice this should actually happen as the vbios should be -properly populated. - -Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)") -Signed-off-by: Nikita Zhandarovich -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++-- - drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++-- - drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++-- - 3 files changed, 18 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c -index 3eb7899a4035b..2c637e04dfebc 100644 ---- a/drivers/gpu/drm/radeon/cypress_dpm.c -+++ b/drivers/gpu/drm/radeon/cypress_dpm.c -@@ -558,8 +558,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev, - ASIC_INTERNAL_MEMORY_SS, vco_freq)) { - u32 reference_clock = rdev->clock.mpll.reference_freq; - u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); -- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); -- u32 clk_v = ss.percentage * -+ u32 clk_s, clk_v; -+ -+ if (!decoded_ref) -+ return -EINVAL; -+ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); -+ clk_v = ss.percentage * - (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); - - mpll_ss1 &= ~CLKV_MASK; -diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c -index a7273c01de34b..2a9d415400f79 100644 ---- a/drivers/gpu/drm/radeon/ni_dpm.c -+++ b/drivers/gpu/drm/radeon/ni_dpm.c -@@ -2239,8 +2239,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev, - ASIC_INTERNAL_MEMORY_SS, vco_freq)) { - u32 reference_clock = rdev->clock.mpll.reference_freq; - u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); -- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); -- u32 clk_v = ss.percentage * -+ u32 clk_s, clk_v; -+ -+ if (!decoded_ref) -+ return -EINVAL; -+ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); -+ clk_v = ss.percentage * - (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); - - mpll_ss1 &= ~CLKV_MASK; -diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c -index afd597ec50858..50290e93c79dc 100644 ---- a/drivers/gpu/drm/radeon/rv740_dpm.c -+++ b/drivers/gpu/drm/radeon/rv740_dpm.c -@@ -251,8 +251,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev, - ASIC_INTERNAL_MEMORY_SS, vco_freq)) { - u32 reference_clock = rdev->clock.mpll.reference_freq; - u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); -- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); -- u32 clk_v = 0x40000 * ss.percentage * -+ u32 clk_s, clk_v; -+ -+ if (!decoded_ref) -+ return -EINVAL; -+ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); -+ clk_v = 0x40000 * ss.percentage * - (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000); - - mpll_ss1 &= ~CLKV_MASK; --- -2.39.2 - diff --git a/queue-4.19/evm-complete-description-of-evm_inode_setattr.patch b/queue-4.19/evm-complete-description-of-evm_inode_setattr.patch deleted file mode 100644 index 8860eb8dd28..00000000000 --- a/queue-4.19/evm-complete-description-of-evm_inode_setattr.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 3ed7461ec41add6315b7cb24e8bdc79b6637250c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 Mar 2023 11:40:36 +0100 -Subject: evm: Complete description of evm_inode_setattr() - -From: Roberto Sassu - -[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] - -Add the description for missing parameters of evm_inode_setattr() to -avoid the warning arising with W=n compile option. - -Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ -Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ -Signed-off-by: Roberto Sassu -Reviewed-by: Stefan Berger -Signed-off-by: Mimi Zohar -Signed-off-by: Sasha Levin ---- - security/integrity/evm/evm_main.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c -index 6d1efe1359f17..9c036a41e7347 100644 ---- a/security/integrity/evm/evm_main.c -+++ b/security/integrity/evm/evm_main.c -@@ -474,7 +474,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) - - /** - * evm_inode_setattr - prevent updating an invalid EVM extended attribute -+ * @idmap: idmap of the mount - * @dentry: pointer to the affected dentry -+ * @attr: iattr structure containing the new file attributes - * - * Permit update of file attributes when files have a valid EVM signature, - * except in the case of them having an immutable portable signature. --- -2.39.2 - diff --git a/queue-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/queue-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch deleted file mode 100644 index a63fa3f78be..00000000000 --- a/queue-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 -From: Eric Whitney -Date: Mon, 22 May 2023 14:15:20 -0400 -Subject: ext4: correct inline offset when handling xattrs in inode body - -From: Eric Whitney - -commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. - -When run on a file system where the inline_data feature has been -enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 -to emit error messages indicating that inline directory entries are -corrupted. This occurs because the inline offset used to locate -inline directory entries in the inode body is not updated when an -xattr in that shared region is deleted and the region is shifted in -memory to recover the space it occupied. If the deleted xattr precedes -the system.data attribute, which points to the inline directory entries, -that attribute will be moved further up in the region. The inline -offset continues to point to whatever is located in system.data's former -location, with unfortunate effects when used to access directory entries -or (presumably) inline data in the inode body. - -Cc: stable@kernel.org -Signed-off-by: Eric Whitney -Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/xattr.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1767,6 +1767,20 @@ static int ext4_xattr_set_entry(struct e - memmove(here, (void *)here + size, - (void *)last - (void *)here + sizeof(__u32)); - memset(last, 0, size); -+ -+ /* -+ * Update i_inline_off - moved ibody region might contain -+ * system.data attribute. Handling a failure here won't -+ * cause other complications for setting an xattr. -+ */ -+ if (!is_block && ext4_has_inline_data(inode)) { -+ ret = ext4_find_inline_data_nolock(inode); -+ if (ret) { -+ ext4_warning_inode(inode, -+ "unable to update i_inline_off"); -+ goto out; -+ } -+ } - } else if (s->not_found) { - /* Insert new name. */ - size_t size = EXT4_XATTR_LEN(name_len); diff --git a/queue-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch b/queue-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch deleted file mode 100644 index 2d7511bc7e1..00000000000 --- a/queue-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001 -From: Chao Yu -Date: Tue, 6 Jun 2023 15:32:03 +0800 -Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown() - -From: Chao Yu - -commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream. - -freeze_bdev() can fail due to a lot of reasons, it needs to check its -reason before later process. - -Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl") -Cc: stable@kernel.org -Signed-off-by: Chao Yu -Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/ioctl.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/fs/ext4/ioctl.c -+++ b/fs/ext4/ioctl.c -@@ -561,6 +561,7 @@ static int ext4_shutdown(struct super_bl - { - struct ext4_sb_info *sbi = EXT4_SB(sb); - __u32 flags; -+ int ret; - - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; -@@ -579,7 +580,9 @@ static int ext4_shutdown(struct super_bl - - switch (flags) { - case EXT4_GOING_FLAGS_DEFAULT: -- freeze_bdev(sb->s_bdev); -+ ret = freeze_bdev(sb->s_bdev); -+ if (ret) -+ return ret; - set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); - thaw_bdev(sb->s_bdev, sb); - break; diff --git a/queue-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch b/queue-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch deleted file mode 100644 index e95434c2809..00000000000 --- a/queue-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001 -From: Kemeng Shi -Date: Sat, 3 Jun 2023 23:03:18 +0800 -Subject: ext4: fix wrong unit use in ext4_mb_clear_bb - -From: Kemeng Shi - -commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream. - -Function ext4_issue_discard need count in cluster. Pass count_clusters -instead of count to fix the mismatch. - -Signed-off-by: Kemeng Shi -Cc: stable@kernel.org -Reviewed-by: Ojaswin Mujoo -Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/mballoc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/fs/ext4/mballoc.c -+++ b/fs/ext4/mballoc.c -@@ -4948,8 +4948,8 @@ do_more: - * them with group lock_held - */ - if (test_opt(sb, DISCARD)) { -- err = ext4_issue_discard(sb, block_group, bit, count, -- NULL); -+ err = ext4_issue_discard(sb, block_group, bit, -+ count_clusters, NULL); - if (err && err != -EOPNOTSUPP) - ext4_msg(sb, KERN_WARNING, "discard request in" - " group:%d block:%d count:%lu failed" diff --git a/queue-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch b/queue-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch deleted file mode 100644 index b3c565d8dd9..00000000000 --- a/queue-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch +++ /dev/null @@ -1,92 +0,0 @@ -From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 -From: Baokun Li -Date: Mon, 24 Apr 2023 11:38:35 +0800 -Subject: ext4: only update i_reserved_data_blocks on successful block allocation - -From: Baokun Li - -commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream. - -In our fault injection test, we create an ext4 file, migrate it to -non-extent based file, then punch a hole and finally trigger a WARN_ON -in the ext4_da_update_reserve_space(): - -EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: -ino 14, used 11 with only 10 reserved data blocks - -When writing back a non-extent based file, if we enable delalloc, the -number of reserved blocks will be subtracted from the number of blocks -mapped by ext4_ind_map_blocks(), and the extent status tree will be -updated. We update the extent status tree by first removing the old -extent_status and then inserting the new extent_status. If the block range -we remove happens to be in an extent, then we need to allocate another -extent_status with ext4_es_alloc_extent(). - - use old to remove to add new - |----------|------------|------------| - old extent_status - -The problem is that the allocation of a new extent_status failed due to a -fault injection, and __es_shrink() did not get free memory, resulting in -a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, -we map to the same extent again, and the number of reserved blocks is again -subtracted from the number of blocks in that extent. Since the blocks in -the same extent are subtracted twice, we end up triggering WARN_ON at -ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. - -For non-extent based file, we update the number of reserved blocks after -ext4_ind_map_blocks() is executed, which causes a problem that when we call -ext4_ind_map_blocks() to create a block, it doesn't always create a block, -but we always reduce the number of reserved blocks. So we move the logic -for updating reserved blocks to ext4_ind_map_blocks() to ensure that the -number of reserved blocks is updated only after we do succeed in allocating -some new blocks. - -Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") -Cc: stable@kernel.org -Signed-off-by: Baokun Li -Reviewed-by: Jan Kara -Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/indirect.c | 8 ++++++++ - fs/ext4/inode.c | 10 ---------- - 2 files changed, 8 insertions(+), 10 deletions(-) - ---- a/fs/ext4/indirect.c -+++ b/fs/ext4/indirect.c -@@ -642,6 +642,14 @@ int ext4_ind_map_blocks(handle_t *handle - - ext4_update_inode_fsync_trans(handle, inode, 1); - count = ar.len; -+ -+ /* -+ * Update reserved blocks/metadata blocks after successful block -+ * allocation which had been deferred till now. -+ */ -+ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) -+ ext4_da_update_reserve_space(inode, count, 1); -+ - got_it: - map->m_flags |= EXT4_MAP_MAPPED; - map->m_pblk = le32_to_cpu(chain[depth-1].key); ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -668,16 +668,6 @@ found: - */ - ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); - } -- -- /* -- * Update reserved blocks/metadata blocks after successful -- * block allocation which had been deferred till now. We don't -- * support fallocate for non extent files. So we can update -- * reserve space here. -- */ -- if ((retval > 0) && -- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) -- ext4_da_update_reserve_space(inode, retval, 1); - } - - if (retval > 0) { diff --git a/queue-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch b/queue-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch deleted file mode 100644 index cea1a623c9d..00000000000 --- a/queue-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch +++ /dev/null @@ -1,46 +0,0 @@ -From cc6bac4f6afd26a471e06f23c295864ecbdeab10 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 22 Mar 2023 16:39:53 +0200 -Subject: extcon: Fix kernel doc of property capability fields to avoid - warnings - -From: Andy Shevchenko - -[ Upstream commit 73346b9965ebda2feb7fef8629e9b28baee820e3 ] - -Kernel documentation has to be synchronized with a code, otherwise -the validator is not happy: - - Function parameter or member 'usb_bits' not described in 'extcon_cable' - Function parameter or member 'chg_bits' not described in 'extcon_cable' - Function parameter or member 'jack_bits' not described in 'extcon_cable' - Function parameter or member 'disp_bits' not described in 'extcon_cable' - -Describe the fields added in the past. - -Fixes: ceaa98f442cf ("extcon: Add the support for the capability of each property") -Signed-off-by: Andy Shevchenko -Signed-off-by: Chanwoo Choi -Signed-off-by: Sasha Levin ---- - drivers/extcon/extcon.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c -index 0607806ad46e8..84fc0e48bb0e8 100644 ---- a/drivers/extcon/extcon.c -+++ b/drivers/extcon/extcon.c -@@ -208,6 +208,10 @@ static const struct __extcon_info { - * @chg_propval: the array of charger connector properties - * @jack_propval: the array of jack connector properties - * @disp_propval: the array of display connector properties -+ * @usb_bits: the bit array of the USB connector property capabilities -+ * @chg_bits: the bit array of the charger connector property capabilities -+ * @jack_bits: the bit array of the jack connector property capabilities -+ * @disp_bits: the bit array of the display connector property capabilities - */ - struct extcon_cable { - struct extcon_dev *edev; --- -2.39.2 - diff --git a/queue-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch b/queue-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch deleted file mode 100644 index 1f88a64309b..00000000000 --- a/queue-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 707d4d01424345740571236ea3f2ca010fa11d75 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 22 Mar 2023 16:39:52 +0200 -Subject: extcon: Fix kernel doc of property fields to avoid warnings - -From: Andy Shevchenko - -[ Upstream commit 7e77e0b7a9f4cdf91cb0950749b40c840ea63efc ] - -Kernel documentation has to be synchronized with a code, otherwise -the validator is not happy: - - Function parameter or member 'usb_propval' not described in 'extcon_cable' - Function parameter or member 'chg_propval' not described in 'extcon_cable' - Function parameter or member 'jack_propval' not described in 'extcon_cable' - Function parameter or member 'disp_propval' not described in 'extcon_cable' - -Describe the fields added in the past. - -Fixes: 067c1652e7a7 ("extcon: Add the support for extcon property according to extcon type") -Signed-off-by: Andy Shevchenko -Signed-off-by: Chanwoo Choi -Signed-off-by: Sasha Levin ---- - drivers/extcon/extcon.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c -index 4c70136c7aa3c..0607806ad46e8 100644 ---- a/drivers/extcon/extcon.c -+++ b/drivers/extcon/extcon.c -@@ -204,6 +204,10 @@ static const struct __extcon_info { - * @attr_name: "name" sysfs entry - * @attr_state: "state" sysfs entry - * @attrs: the array pointing to attr_name and attr_state for attr_g -+ * @usb_propval: the array of USB connector properties -+ * @chg_propval: the array of charger connector properties -+ * @jack_propval: the array of jack connector properties -+ * @disp_propval: the array of display connector properties - */ - struct extcon_cable { - struct extcon_dev *edev; --- -2.39.2 - diff --git a/queue-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch b/queue-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch deleted file mode 100644 index ae4b5d7e41c..00000000000 --- a/queue-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 2b0762ff7262e714b210e68c9b732895f8db7f29 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 09:41:02 +0800 -Subject: f2fs: fix error path handling in truncate_dnode() - -From: Chao Yu - -[ Upstream commit 0135c482fa97e2fd8245cb462784112a00ed1211 ] - -If truncate_node() fails in truncate_dnode(), it missed to call -f2fs_put_page(), fix it. - -Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()") -Signed-off-by: Chao Yu -Signed-off-by: Jaegeuk Kim -Signed-off-by: Sasha Levin ---- - fs/f2fs/node.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c -index 2c28f488ac2f0..9911f780e0136 100644 ---- a/fs/f2fs/node.c -+++ b/fs/f2fs/node.c -@@ -879,8 +879,10 @@ static int truncate_dnode(struct dnode_of_data *dn) - dn->ofs_in_node = 0; - f2fs_truncate_data_blocks(dn); - err = truncate_node(dn); -- if (err) -+ if (err) { -+ f2fs_put_page(page, 1); - return err; -+ } - - return 1; - } --- -2.39.2 - diff --git a/queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch deleted file mode 100644 index 5f7e9d8e903..00000000000 --- a/queue-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +++ /dev/null @@ -1,40 +0,0 @@ -From d95706927c87029a0dd3db53f6b360d5e0fc788a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 15 Jul 2023 16:16:56 +0800 -Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe - -From: Zhang Shurong - -[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] - -This func misses checking for platform_get_irq()'s call and may passes the -negative error codes to request_irq(), which takes unsigned IRQ #, -causing it to fail with -EINVAL, overriding an original error code. - -Fix this by stop calling request_irq() with invalid IRQ #s. - -Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") -Signed-off-by: Zhang Shurong -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/au1200fb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c -index f8e83a9519189..593c390e98629 100644 ---- a/drivers/video/fbdev/au1200fb.c -+++ b/drivers/video/fbdev/au1200fb.c -@@ -1744,6 +1744,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) - - /* Now hook interrupt too */ - irq = platform_get_irq(dev, 0); -+ if (irq < 0) -+ return irq; -+ - ret = request_irq(irq, au1200fb_handle_irq, - IRQF_SHARED, "lcd", (void *)dev); - if (ret) { --- -2.39.2 - diff --git a/queue-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch b/queue-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch deleted file mode 100644 index 1b145794a8b..00000000000 --- a/queue-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch +++ /dev/null @@ -1,75 +0,0 @@ -From c75f5a55061091030a13fef71b9995b89bc86213 Mon Sep 17 00:00:00 2001 -From: Zheng Wang -Date: Thu, 27 Apr 2023 11:08:41 +0800 -Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe - -From: Zheng Wang - -commit c75f5a55061091030a13fef71b9995b89bc86213 upstream. - -A use-after-free bug may occur if init_imstt invokes framebuffer_release -and free the info ptr. The caller, imsttfb_probe didn't notice that and -still keep the ptr as private data in pdev. - -If we remove the driver which will call imsttfb_remove to make cleanup, -UAF happens. - -Fix it by return error code if bad case happens in init_imstt. - -Signed-off-by: Zheng Wang -Signed-off-by: Helge Deller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/video/fbdev/imsttfb.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - ---- a/drivers/video/fbdev/imsttfb.c -+++ b/drivers/video/fbdev/imsttfb.c -@@ -1348,7 +1348,7 @@ static struct fb_ops imsttfb_ops = { - .fb_ioctl = imsttfb_ioctl, - }; - --static void init_imstt(struct fb_info *info) -+static int init_imstt(struct fb_info *info) - { - struct imstt_par *par = info->par; - __u32 i, tmp, *ip, *end; -@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *i - || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { - printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel); - framebuffer_release(info); -- return; -+ return -ENODEV; - } - - sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP"); -@@ -1456,12 +1456,13 @@ static void init_imstt(struct fb_info *i - - if (register_framebuffer(info) < 0) { - framebuffer_release(info); -- return; -+ return -ENODEV; - } - - tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8; - fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n", - info->fix.id, info->fix.smem_len >> 20, tmp); -+ return 0; - } - - static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) -@@ -1527,10 +1528,10 @@ static int imsttfb_probe(struct pci_dev - if (!par->cmap_regs) - goto error; - info->pseudo_palette = par->palette; -- init_imstt(info); -- -- pci_set_drvdata(pdev, info); -- return 0; -+ ret = init_imstt(info); -+ if (!ret) -+ pci_set_drvdata(pdev, info); -+ return ret; - - error: - if (par->dc_regs) diff --git a/queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch deleted file mode 100644 index ddfec6a5be9..00000000000 --- a/queue-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 579bc81ba8cb2dd46b633e39130cee0e0828597b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 28 Jun 2023 15:24:37 +0200 -Subject: fbdev: imxfb: warn about invalid left/right margin - -From: Martin Kaiser - -[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] - -Warn about invalid var->left_margin or var->right_margin. Their values -are read from the device tree. - -We store var->left_margin-3 and var->right_margin-1 in register -fields. These fields should be >= 0. - -Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") -Signed-off-by: Martin Kaiser -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/imxfb.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c -index c4eb8661f7516..8ec260ed9a6f6 100644 ---- a/drivers/video/fbdev/imxfb.c -+++ b/drivers/video/fbdev/imxfb.c -@@ -601,10 +601,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf - if (var->hsync_len < 1 || var->hsync_len > 64) - printk(KERN_ERR "%s: invalid hsync_len %d\n", - info->fix.id, var->hsync_len); -- if (var->left_margin > 255) -+ if (var->left_margin < 3 || var->left_margin > 255) - printk(KERN_ERR "%s: invalid left_margin %d\n", - info->fix.id, var->left_margin); -- if (var->right_margin > 255) -+ if (var->right_margin < 1 || var->right_margin > 255) - printk(KERN_ERR "%s: invalid right_margin %d\n", - info->fix.id, var->right_margin); - if (var->yres < 1 || var->yres > ymax_mask) --- -2.39.2 - diff --git a/queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch deleted file mode 100644 index 0fa55d2e7b1..00000000000 --- a/queue-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 45589c7b202f7e510d68e9201eb4d378e0be55f0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 4 Jun 2023 17:42:28 +0200 -Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in - mipid_spi_probe() - -From: Christophe JAILLET - -[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] - -If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. - -Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") -Signed-off-by: Christophe JAILLET -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c -index e3a85432f9266..5730355ee5986 100644 ---- a/drivers/video/fbdev/omap/lcd_mipid.c -+++ b/drivers/video/fbdev/omap/lcd_mipid.c -@@ -576,11 +576,15 @@ static int mipid_spi_probe(struct spi_device *spi) - - r = mipid_detect(md); - if (r < 0) -- return r; -+ goto free_md; - - omapfb_register_panel(&md->panel); - - return 0; -+ -+free_md: -+ kfree(md); -+ return r; - } - - static int mipid_spi_remove(struct spi_device *spi) --- -2.39.2 - diff --git a/queue-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch b/queue-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch deleted file mode 100644 index deaa99d2a2f..00000000000 --- a/queue-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 92655fbda5c05950a411eaabc19e025e86e2a291 Mon Sep 17 00:00:00 2001 -From: Alexander Aring -Date: Fri, 19 May 2023 11:21:24 -0400 -Subject: fs: dlm: return positive pid value for F_GETLK - -From: Alexander Aring - -commit 92655fbda5c05950a411eaabc19e025e86e2a291 upstream. - -The GETLK pid values have all been negated since commit 9d5b86ac13c5 -("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks"). -Revert this for local pids, and leave in place negative pids for remote -owners. - -Cc: stable@vger.kernel.org -Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks") -Signed-off-by: Alexander Aring -Signed-off-by: David Teigland -Signed-off-by: Greg Kroah-Hartman ---- - fs/dlm/plock.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/fs/dlm/plock.c -+++ b/fs/dlm/plock.c -@@ -366,7 +366,9 @@ int dlm_posix_get(dlm_lockspace_t *locks - locks_init_lock(fl); - fl->fl_type = (op->info.ex) ? F_WRLCK : F_RDLCK; - fl->fl_flags = FL_POSIX; -- fl->fl_pid = -op->info.pid; -+ fl->fl_pid = op->info.pid; -+ if (op->info.nodeid != dlm_our_nodeid()) -+ fl->fl_pid = -fl->fl_pid; - fl->fl_start = op->info.start; - fl->fl_end = op->info.end; - rv = 0; diff --git a/queue-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/queue-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch deleted file mode 100644 index c8e0c5efb28..00000000000 --- a/queue-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001 -From: Miklos Szeredi -Date: Wed, 7 Jun 2023 17:49:20 +0200 -Subject: fuse: revalidate: don't invalidate if interrupted - -From: Miklos Szeredi - -commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream. - -If the LOOKUP request triggered from fuse_dentry_revalidate() is -interrupted, then the dentry will be invalidated, possibly resulting in -submounts being unmounted. - -Reported-by: Xu Rongbo -Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/ -Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations") -Cc: -Signed-off-by: Miklos Szeredi -Signed-off-by: Greg Kroah-Hartman ---- - fs/fuse/dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/fuse/dir.c -+++ b/fs/fuse/dir.c -@@ -232,7 +232,7 @@ static int fuse_dentry_revalidate(struct - spin_unlock(&fc->lock); - } - kfree(forget); -- if (ret == -ENOMEM) -+ if (ret == -ENOMEM || ret == -EINTR) - goto out; - if (ret || fuse_invalid_attr(&outarg.attr) || - (outarg.attr.mode ^ inode->i_mode) & S_IFMT) diff --git a/queue-4.19/gfs2-don-t-deref-jdesc-in-evict.patch b/queue-4.19/gfs2-don-t-deref-jdesc-in-evict.patch deleted file mode 100644 index 57ffd085898..00000000000 --- a/queue-4.19/gfs2-don-t-deref-jdesc-in-evict.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 504a10d9e46bc37b23d0a1ae2f28973c8516e636 Mon Sep 17 00:00:00 2001 -From: Bob Peterson -Date: Fri, 28 Apr 2023 12:07:46 -0400 -Subject: gfs2: Don't deref jdesc in evict - -From: Bob Peterson - -commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 upstream. - -On corrupt gfs2 file systems the evict code can try to reference the -journal descriptor structure, jdesc, after it has been freed and set to -NULL. The sequence of events is: - -init_journal() -... -fail_jindex: - gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL - if (gfs2_holder_initialized(&ji_gh)) - gfs2_glock_dq_uninit(&ji_gh); -fail: - iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode - evict() - gfs2_evict_inode() - evict_linked_inode() - ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks); -<------references the now freed/zeroed sd_jdesc pointer. - -The call to gfs2_trans_begin is done because the truncate_inode_pages -call can cause gfs2 events that require a transaction, such as removing -journaled data (jdata) blocks from the journal. - -This patch fixes the problem by adding a check for sdp->sd_jdesc to -function gfs2_evict_inode. In theory, this should only happen to corrupt -gfs2 file systems, when gfs2 detects the problem, reports it, then tries -to evict all the system inodes it has read in up to that point. - -Reported-by: Yang Lan -Signed-off-by: Bob Peterson -Signed-off-by: Andreas Gruenbacher -[DP: adjusted context] -Signed-off-by: Dragos-Marian Panait -Signed-off-by: Greg Kroah-Hartman ---- - fs/gfs2/super.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/fs/gfs2/super.c -+++ b/fs/gfs2/super.c -@@ -1586,6 +1586,14 @@ static void gfs2_evict_inode(struct inod - if (inode->i_nlink || sb_rdonly(sb)) - goto out; - -+ /* -+ * In case of an incomplete mount, gfs2_evict_inode() may be called for -+ * system files without having an active journal to write to. In that -+ * case, skip the filesystem evict. -+ */ -+ if (!sdp->sd_jdesc) -+ goto out; -+ - if (test_bit(GIF_ALLOC_FAILED, &ip->i_flags)) { - BUG_ON(!gfs2_glock_is_locked_by_me(ip->i_gl)); - gfs2_holder_mark_uninitialized(&gh); diff --git a/queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch deleted file mode 100644 index ba0263f58f8..00000000000 --- a/queue-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch +++ /dev/null @@ -1,190 +0,0 @@ -From f8db8de33b48afe5ae3f57f6e8cba66c1e9aa6a3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 22 Jun 2023 14:32:31 -0700 -Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). - -From: Kuniyuki Iwashima - -[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] - -syzkaller reported use-after-free in __gtp_encap_destroy(). [0] - -It shows the same process freed sk and touched it illegally. - -Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() -and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, -but release_sock() is called after sock_put() releases the last refcnt. - -[0]: -BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] -BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] -BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] -BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] -BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] -BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 -Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 - -CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 -Call Trace: - - __dump_stack lib/dump_stack.c:88 [inline] - dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 - print_address_description mm/kasan/report.c:351 [inline] - print_report+0xcc/0x620 mm/kasan/report.c:462 - kasan_report+0xb2/0xe0 mm/kasan/report.c:572 - check_region_inline mm/kasan/generic.c:181 [inline] - kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 - instrument_atomic_read_write include/linux/instrumented.h:96 [inline] - atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] - queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] - do_raw_spin_lock include/linux/spinlock.h:186 [inline] - __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] - _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 - spin_lock_bh include/linux/spinlock.h:355 [inline] - release_sock+0x1f/0x1a0 net/core/sock.c:3526 - gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] - gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 - gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 - unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 - rtnl_delete_link net/core/rtnetlink.c:3216 [inline] - rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 - rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 - netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 - netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] - netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 - netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 - sock_sendmsg_nosec net/socket.c:724 [inline] - sock_sendmsg+0x1b7/0x200 net/socket.c:747 - ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 - ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 - __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x72/0xdc -RIP: 0033:0x7f1168b1fe5d -Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 -RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e -RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d -RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 -RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 -R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 - - -Allocated by task 1483: - kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 - kasan_set_track+0x25/0x30 mm/kasan/common.c:52 - __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 - kasan_slab_alloc include/linux/kasan.h:186 [inline] - slab_post_alloc_hook mm/slab.h:711 [inline] - slab_alloc_node mm/slub.c:3451 [inline] - slab_alloc mm/slub.c:3459 [inline] - __kmem_cache_alloc_lru mm/slub.c:3466 [inline] - kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 - sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 - sk_alloc+0x34/0x6c0 net/core/sock.c:2132 - inet6_create net/ipv6/af_inet6.c:192 [inline] - inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 - __sock_create+0x2a1/0x530 net/socket.c:1535 - sock_create net/socket.c:1586 [inline] - __sys_socket_create net/socket.c:1623 [inline] - __sys_socket_create net/socket.c:1608 [inline] - __sys_socket+0x137/0x250 net/socket.c:1651 - __do_sys_socket net/socket.c:1664 [inline] - __se_sys_socket net/socket.c:1662 [inline] - __x64_sys_socket+0x72/0xb0 net/socket.c:1662 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x72/0xdc - -Freed by task 2401: - kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 - kasan_set_track+0x25/0x30 mm/kasan/common.c:52 - kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 - ____kasan_slab_free mm/kasan/common.c:236 [inline] - ____kasan_slab_free mm/kasan/common.c:200 [inline] - __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 - kasan_slab_free include/linux/kasan.h:162 [inline] - slab_free_hook mm/slub.c:1781 [inline] - slab_free_freelist_hook mm/slub.c:1807 [inline] - slab_free mm/slub.c:3786 [inline] - kmem_cache_free+0xb4/0x490 mm/slub.c:3808 - sk_prot_free net/core/sock.c:2113 [inline] - __sk_destruct+0x500/0x720 net/core/sock.c:2207 - sk_destruct+0xc1/0xe0 net/core/sock.c:2222 - __sk_free+0xed/0x3d0 net/core/sock.c:2233 - sk_free+0x7c/0xa0 net/core/sock.c:2244 - sock_put include/net/sock.h:1981 [inline] - __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 - gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] - gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 - gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 - unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 - rtnl_delete_link net/core/rtnetlink.c:3216 [inline] - rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 - rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 - netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 - netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] - netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 - netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 - sock_sendmsg_nosec net/socket.c:724 [inline] - sock_sendmsg+0x1b7/0x200 net/socket.c:747 - ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 - ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 - __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x72/0xdc - -The buggy address belongs to the object at ffff88800dbef300 - which belongs to the cache UDPv6 of size 1344 -The buggy address is located 152 bytes inside of - freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) - -The buggy address belongs to the physical page: -page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 -head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 -memcg:ffff888008ee0801 -flags: 0x100000000010200(slab|head|node=0|zone=1) -page_type: 0xffffffff() -raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 -raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff88800dbef280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc - ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ->ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - -Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") -Reported-by: syzkaller -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: Pablo Neira Ayuso -Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/gtp.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c -index e18d06cb2173c..2718b0507f713 100644 ---- a/drivers/net/gtp.c -+++ b/drivers/net/gtp.c -@@ -301,7 +301,9 @@ static void __gtp_encap_destroy(struct sock *sk) - gtp->sk1u = NULL; - udp_sk(sk)->encap_type = 0; - rcu_assign_sk_user_data(sk, NULL); -+ release_sock(sk); - sock_put(sk); -+ return; - } - release_sock(sk); - } --- -2.39.2 - diff --git a/queue-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch b/queue-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch deleted file mode 100644 index 4ccb0b31056..00000000000 --- a/queue-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch +++ /dev/null @@ -1,45 +0,0 @@ -From d744ae7477190967a3ddc289e2cd4ae59e8b1237 Mon Sep 17 00:00:00 2001 -From: Martin Kaiser -Date: Thu, 15 Jun 2023 15:49:59 +0100 -Subject: hwrng: imx-rngc - fix the timeout for init and self check - -From: Martin Kaiser - -commit d744ae7477190967a3ddc289e2cd4ae59e8b1237 upstream. - -Fix the timeout that is used for the initialisation and for the self -test. wait_for_completion_timeout expects a timeout in jiffies, but -RNGC_TIMEOUT is in milliseconds. Call msecs_to_jiffies to do the -conversion. - -Cc: stable@vger.kernel.org -Fixes: 1d5449445bd0 ("hwrng: mx-rngc - add a driver for Freescale RNGC") -Signed-off-by: Martin Kaiser -Signed-off-by: Herbert Xu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/hw_random/imx-rngc.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - ---- a/drivers/char/hw_random/imx-rngc.c -+++ b/drivers/char/hw_random/imx-rngc.c -@@ -105,7 +105,7 @@ static int imx_rngc_self_test(struct imx - cmd = readl(rngc->base + RNGC_COMMAND); - writel(cmd | RNGC_CMD_SELF_TEST, rngc->base + RNGC_COMMAND); - -- ret = wait_for_completion_timeout(&rngc->rng_op_done, RNGC_TIMEOUT); -+ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT)); - if (!ret) { - imx_rngc_irq_mask_clear(rngc); - return -ETIMEDOUT; -@@ -188,9 +188,7 @@ static int imx_rngc_init(struct hwrng *r - cmd = readl(rngc->base + RNGC_COMMAND); - writel(cmd | RNGC_CMD_SEED, rngc->base + RNGC_COMMAND); - -- ret = wait_for_completion_timeout(&rngc->rng_op_done, -- RNGC_TIMEOUT); -- -+ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT)); - if (!ret) { - imx_rngc_irq_mask_clear(rngc); - return -ETIMEDOUT; diff --git a/queue-4.19/hwrng-virtio-add-an-internal-buffer.patch b/queue-4.19/hwrng-virtio-add-an-internal-buffer.patch deleted file mode 100644 index 2b441ee2227..00000000000 --- a/queue-4.19/hwrng-virtio-add-an-internal-buffer.patch +++ /dev/null @@ -1,127 +0,0 @@ -From afa4aa51e6f9ff115b1cefcc5f7274340691a1f6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Oct 2021 12:11:08 +0200 -Subject: hwrng: virtio - add an internal buffer - -From: Laurent Vivier - -[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ] - -hwrng core uses two buffers that can be mixed in the -virtio-rng queue. - -If the buffer is provided with wait=0 it is enqueued in the -virtio-rng queue but unused by the caller. -On the next call, core provides another buffer but the -first one is filled instead and the new one queued. -And the caller reads the data from the new one that is not -updated, and the data in the first one are lost. - -To avoid this mix, virtio-rng needs to use its own unique -internal buffer at a cost of a data copy to the caller buffer. - -Signed-off-by: Laurent Vivier -Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com -Signed-off-by: Michael S. Tsirkin -Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") -Signed-off-by: Sasha Levin ---- - drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++------- - 1 file changed, 33 insertions(+), 10 deletions(-) - -diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c -index 7abd604e938c2..999f523c80c1e 100644 ---- a/drivers/char/hw_random/virtio-rng.c -+++ b/drivers/char/hw_random/virtio-rng.c -@@ -30,13 +30,20 @@ static DEFINE_IDA(rng_index_ida); - struct virtrng_info { - struct hwrng hwrng; - struct virtqueue *vq; -- struct completion have_data; - char name[25]; -- unsigned int data_avail; - int index; - bool busy; - bool hwrng_register_done; - bool hwrng_removed; -+ /* data transfer */ -+ struct completion have_data; -+ unsigned int data_avail; -+ /* minimal size returned by rng_buffer_size() */ -+#if SMP_CACHE_BYTES < 32 -+ u8 data[32]; -+#else -+ u8 data[SMP_CACHE_BYTES]; -+#endif - }; - - static void random_recv_done(struct virtqueue *vq) -@@ -51,14 +58,14 @@ static void random_recv_done(struct virtqueue *vq) - } - - /* The host will fill any buffer we give it with sweet, sweet randomness. */ --static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size) -+static void register_buffer(struct virtrng_info *vi) - { - struct scatterlist sg; - -- sg_init_one(&sg, buf, size); -+ sg_init_one(&sg, vi->data, sizeof(vi->data)); - - /* There should always be room for one buffer. */ -- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL); -+ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); - - virtqueue_kick(vi->vq); - } -@@ -67,6 +74,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - { - int ret; - struct virtrng_info *vi = (struct virtrng_info *)rng->priv; -+ unsigned int chunk; -+ size_t read; - - if (vi->hwrng_removed) - return -ENODEV; -@@ -74,19 +83,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - if (!vi->busy) { - vi->busy = true; - reinit_completion(&vi->have_data); -- register_buffer(vi, buf, size); -+ register_buffer(vi); - } - - if (!wait) - return 0; - -- ret = wait_for_completion_killable(&vi->have_data); -- if (ret < 0) -- return ret; -+ read = 0; -+ while (size != 0) { -+ ret = wait_for_completion_killable(&vi->have_data); -+ if (ret < 0) -+ return ret; -+ -+ chunk = min_t(unsigned int, size, vi->data_avail); -+ memcpy(buf + read, vi->data, chunk); -+ read += chunk; -+ size -= chunk; -+ vi->data_avail = 0; -+ -+ if (size != 0) { -+ reinit_completion(&vi->have_data); -+ register_buffer(vi); -+ } -+ } - - vi->busy = false; - -- return vi->data_avail; -+ return read; - } - - static void virtio_cleanup(struct hwrng *rng) --- -2.39.2 - diff --git a/queue-4.19/hwrng-virtio-always-add-a-pending-request.patch b/queue-4.19/hwrng-virtio-always-add-a-pending-request.patch deleted file mode 100644 index 07ef2583852..00000000000 --- a/queue-4.19/hwrng-virtio-always-add-a-pending-request.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 7ae21313b4da71d05544089d1fdb20bab025446e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Oct 2021 12:11:11 +0200 -Subject: hwrng: virtio - always add a pending request - -From: Laurent Vivier - -[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ] - -If we ensure we have already some data available by enqueuing -again the buffer once data are exhausted, we can return what we -have without waiting for the device answer. - -Signed-off-by: Laurent Vivier -Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com -Signed-off-by: Michael S. Tsirkin -Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") -Signed-off-by: Sasha Levin ---- - drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++-------------- - 1 file changed, 12 insertions(+), 14 deletions(-) - -diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c -index c88f175e60a4c..a84248c26fd7f 100644 ---- a/drivers/char/hw_random/virtio-rng.c -+++ b/drivers/char/hw_random/virtio-rng.c -@@ -32,7 +32,6 @@ struct virtrng_info { - struct virtqueue *vq; - char name[25]; - int index; -- bool busy; - bool hwrng_register_done; - bool hwrng_removed; - /* data transfer */ -@@ -56,16 +55,18 @@ static void random_recv_done(struct virtqueue *vq) - return; - - vi->data_idx = 0; -- vi->busy = false; - - complete(&vi->have_data); - } - --/* The host will fill any buffer we give it with sweet, sweet randomness. */ --static void register_buffer(struct virtrng_info *vi) -+static void request_entropy(struct virtrng_info *vi) - { - struct scatterlist sg; - -+ reinit_completion(&vi->have_data); -+ vi->data_avail = 0; -+ vi->data_idx = 0; -+ - sg_init_one(&sg, vi->data, sizeof(vi->data)); - - /* There should always be room for one buffer. */ -@@ -81,6 +82,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf, - memcpy(buf, vi->data + vi->data_idx, size); - vi->data_idx += size; - vi->data_avail -= size; -+ if (vi->data_avail == 0) -+ request_entropy(vi); - return size; - } - -@@ -110,13 +113,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - * so either size is 0 or data_avail is 0 - */ - while (size != 0) { -- /* data_avail is 0 */ -- if (!vi->busy) { -- /* no pending request, ask for more */ -- vi->busy = true; -- reinit_completion(&vi->have_data); -- register_buffer(vi); -- } -+ /* data_avail is 0 but a request is pending */ - ret = wait_for_completion_killable(&vi->have_data); - if (ret < 0) - return ret; -@@ -138,8 +135,7 @@ static void virtio_cleanup(struct hwrng *rng) - { - struct virtrng_info *vi = (struct virtrng_info *)rng->priv; - -- if (vi->busy) -- complete(&vi->have_data); -+ complete(&vi->have_data); - } - - static int probe_common(struct virtio_device *vdev) -@@ -175,6 +171,9 @@ static int probe_common(struct virtio_device *vdev) - goto err_find; - } - -+ /* we always have a pending entropy request */ -+ request_entropy(vi); -+ - return 0; - - err_find: -@@ -193,7 +192,6 @@ static void remove_common(struct virtio_device *vdev) - vi->data_idx = 0; - complete(&vi->have_data); - vdev->config->reset(vdev); -- vi->busy = false; - if (vi->hwrng_register_done) - hwrng_unregister(&vi->hwrng); - vdev->config->del_vqs(vdev); --- -2.39.2 - diff --git a/queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch b/queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch deleted file mode 100644 index f0b00394a59..00000000000 --- a/queue-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 9c50a382f8e13e6db7abbe15241a4a9c88d4fc4e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Oct 2021 12:11:09 +0200 -Subject: hwrng: virtio - don't wait on cleanup - -From: Laurent Vivier - -[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ] - -When virtio-rng device was dropped by the hwrng core we were forced -to wait the buffer to come back from the device to not have -remaining ongoing operation that could spoil the buffer. - -But now, as the buffer is internal to the virtio-rng we can release -the waiting loop immediately, the buffer will be retrieve and use -when the virtio-rng driver will be selected again. - -This avoids to hang on an rng_current write command if the virtio-rng -device is blocked by a lack of entropy. This allows to select -another entropy source if the current one is empty. - -Signed-off-by: Laurent Vivier -Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com -Signed-off-by: Michael S. Tsirkin -Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") -Signed-off-by: Sasha Levin ---- - drivers/char/hw_random/virtio-rng.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c -index 999f523c80c1e..9a3fbd2b41107 100644 ---- a/drivers/char/hw_random/virtio-rng.c -+++ b/drivers/char/hw_random/virtio-rng.c -@@ -94,6 +94,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - ret = wait_for_completion_killable(&vi->have_data); - if (ret < 0) - return ret; -+ /* if vi->data_avail is 0, we have been interrupted -+ * by a cleanup, but buffer stays in the queue -+ */ -+ if (vi->data_avail == 0) -+ return read; - - chunk = min_t(unsigned int, size, vi->data_avail); - memcpy(buf + read, vi->data, chunk); -@@ -117,7 +122,7 @@ static void virtio_cleanup(struct hwrng *rng) - struct virtrng_info *vi = (struct virtrng_info *)rng->priv; - - if (vi->busy) -- wait_for_completion(&vi->have_data); -+ complete(&vi->have_data); - } - - static int probe_common(struct virtio_device *vdev) --- -2.39.2 - diff --git a/queue-4.19/hwrng-virtio-don-t-waste-entropy.patch b/queue-4.19/hwrng-virtio-don-t-waste-entropy.patch deleted file mode 100644 index 37836241dfd..00000000000 --- a/queue-4.19/hwrng-virtio-don-t-waste-entropy.patch +++ /dev/null @@ -1,130 +0,0 @@ -From 92b8d417f897b6b2b12a75862caf03ab756af0c4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 28 Oct 2021 12:11:10 +0200 -Subject: hwrng: virtio - don't waste entropy - -From: Laurent Vivier - -[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ] - -if we don't use all the entropy available in the buffer, keep it -and use it later. - -Signed-off-by: Laurent Vivier -Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com -Signed-off-by: Michael S. Tsirkin -Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") -Signed-off-by: Sasha Levin ---- - drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++---------- - 1 file changed, 35 insertions(+), 17 deletions(-) - -diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c -index 9a3fbd2b41107..c88f175e60a4c 100644 ---- a/drivers/char/hw_random/virtio-rng.c -+++ b/drivers/char/hw_random/virtio-rng.c -@@ -38,6 +38,7 @@ struct virtrng_info { - /* data transfer */ - struct completion have_data; - unsigned int data_avail; -+ unsigned int data_idx; - /* minimal size returned by rng_buffer_size() */ - #if SMP_CACHE_BYTES < 32 - u8 data[32]; -@@ -54,6 +55,9 @@ static void random_recv_done(struct virtqueue *vq) - if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) - return; - -+ vi->data_idx = 0; -+ vi->busy = false; -+ - complete(&vi->have_data); - } - -@@ -70,6 +74,16 @@ static void register_buffer(struct virtrng_info *vi) - virtqueue_kick(vi->vq); - } - -+static unsigned int copy_data(struct virtrng_info *vi, void *buf, -+ unsigned int size) -+{ -+ size = min_t(unsigned int, size, vi->data_avail); -+ memcpy(buf, vi->data + vi->data_idx, size); -+ vi->data_idx += size; -+ vi->data_avail -= size; -+ return size; -+} -+ - static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - { - int ret; -@@ -80,17 +94,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - if (vi->hwrng_removed) - return -ENODEV; - -- if (!vi->busy) { -- vi->busy = true; -- reinit_completion(&vi->have_data); -- register_buffer(vi); -+ read = 0; -+ -+ /* copy available data */ -+ if (vi->data_avail) { -+ chunk = copy_data(vi, buf, size); -+ size -= chunk; -+ read += chunk; - } - - if (!wait) -- return 0; -+ return read; - -- read = 0; -+ /* We have already copied available entropy, -+ * so either size is 0 or data_avail is 0 -+ */ - while (size != 0) { -+ /* data_avail is 0 */ -+ if (!vi->busy) { -+ /* no pending request, ask for more */ -+ vi->busy = true; -+ reinit_completion(&vi->have_data); -+ register_buffer(vi); -+ } - ret = wait_for_completion_killable(&vi->have_data); - if (ret < 0) - return ret; -@@ -100,20 +126,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - if (vi->data_avail == 0) - return read; - -- chunk = min_t(unsigned int, size, vi->data_avail); -- memcpy(buf + read, vi->data, chunk); -- read += chunk; -+ chunk = copy_data(vi, buf + read, size); - size -= chunk; -- vi->data_avail = 0; -- -- if (size != 0) { -- reinit_completion(&vi->have_data); -- register_buffer(vi); -- } -+ read += chunk; - } - -- vi->busy = false; -- - return read; - } - -@@ -173,6 +190,7 @@ static void remove_common(struct virtio_device *vdev) - - vi->hwrng_removed = true; - vi->data_avail = 0; -+ vi->data_idx = 0; - complete(&vi->have_data); - vdev->config->reset(vdev); - vi->busy = false; --- -2.39.2 - diff --git a/queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch deleted file mode 100644 index 76a65769e3d..00000000000 --- a/queue-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 939a58b0fd48531e7170994e9836b43eb6a96c4e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 May 2023 11:59:32 +0800 -Subject: hwrng: virtio - Fix race on data_avail and actual data - -From: Herbert Xu - -[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] - -The virtio rng device kicks off a new entropy request whenever the -data available reaches zero. When a new request occurs at the end -of a read operation, that is, when the result of that request is -only needed by the next reader, then there is a race between the -writing of the new data and the next reader. - -This is because there is no synchronisation whatsoever between the -writer and the reader. - -Fix this by writing data_avail with smp_store_release and reading -it with smp_load_acquire when we first enter read. The subsequent -reads are safe because they're either protected by the first load -acquire, or by the completion mechanism. - -Also remove the redundant zeroing of data_idx in random_recv_done -(data_idx must already be zero at this point) and data_avail in -request_entropy (ditto). - -Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com -Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") -Signed-off-by: Herbert Xu -Acked-by: Michael S. Tsirkin -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - drivers/char/hw_random/virtio-rng.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c -index a84248c26fd7f..58884d8752011 100644 ---- a/drivers/char/hw_random/virtio-rng.c -+++ b/drivers/char/hw_random/virtio-rng.c -@@ -17,6 +17,7 @@ - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - */ - -+#include - #include - #include - #include -@@ -49,13 +50,13 @@ struct virtrng_info { - static void random_recv_done(struct virtqueue *vq) - { - struct virtrng_info *vi = vq->vdev->priv; -+ unsigned int len; - - /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */ -- if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) -+ if (!virtqueue_get_buf(vi->vq, &len)) - return; - -- vi->data_idx = 0; -- -+ smp_store_release(&vi->data_avail, len); - complete(&vi->have_data); - } - -@@ -64,7 +65,6 @@ static void request_entropy(struct virtrng_info *vi) - struct scatterlist sg; - - reinit_completion(&vi->have_data); -- vi->data_avail = 0; - vi->data_idx = 0; - - sg_init_one(&sg, vi->data, sizeof(vi->data)); -@@ -100,7 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) - read = 0; - - /* copy available data */ -- if (vi->data_avail) { -+ if (smp_load_acquire(&vi->data_avail)) { - chunk = copy_data(vi, buf, size); - size -= chunk; - read += chunk; --- -2.39.2 - diff --git a/queue-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch b/queue-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch deleted file mode 100644 index 053c4a62215..00000000000 --- a/queue-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 0a46aee6b7cf29789b550cefcd60aa2427d87866 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 23 Aug 2021 23:41:42 +0200 -Subject: i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in - xiic_process() - -From: Marek Vasut - -[ Upstream commit 743e227a895923c37a333eb2ebf3e391f00c406d ] - -The __xiic_start_xfer() manipulates the interrupt flags, xiic_wakeup() -may result in return from xiic_xfer() early. Defer both to the end of -the xiic_process() interrupt thread, so that they are executed after -all the other interrupt bits handling completed and once it completely -safe to perform changes to the interrupt bits in the hardware. - -Signed-off-by: Marek Vasut -Acked-by: Michal Simek -Signed-off-by: Wolfram Sang -Stable-dep-of: cb6e45c9a0ad ("i2c: xiic: Don't try to handle more interrupt events after error") -Signed-off-by: Sasha Levin ---- - drivers/i2c/busses/i2c-xiic.c | 37 ++++++++++++++++++++++++----------- - 1 file changed, 26 insertions(+), 11 deletions(-) - -diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c -index 03ce9b7d6456a..c7f74687282ea 100644 ---- a/drivers/i2c/busses/i2c-xiic.c -+++ b/drivers/i2c/busses/i2c-xiic.c -@@ -362,6 +362,9 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - struct xiic_i2c *i2c = dev_id; - u32 pend, isr, ier; - u32 clr = 0; -+ int xfer_more = 0; -+ int wakeup_req = 0; -+ int wakeup_code = 0; - - /* Get the interrupt Status from the IPIF. There is no clearing of - * interrupts in the IPIF. Interrupts must be cleared at the source. -@@ -398,10 +401,14 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - */ - xiic_reinit(i2c); - -- if (i2c->rx_msg) -- xiic_wakeup(i2c, STATE_ERROR); -- if (i2c->tx_msg) -- xiic_wakeup(i2c, STATE_ERROR); -+ if (i2c->rx_msg) { -+ wakeup_req = 1; -+ wakeup_code = STATE_ERROR; -+ } -+ if (i2c->tx_msg) { -+ wakeup_req = 1; -+ wakeup_code = STATE_ERROR; -+ } - } - if (pend & XIIC_INTR_RX_FULL_MASK) { - /* Receive register/FIFO is full */ -@@ -435,8 +442,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - i2c->tx_msg++; - dev_dbg(i2c->adap.dev.parent, - "%s will start next...\n", __func__); -- -- __xiic_start_xfer(i2c); -+ xfer_more = 1; - } - } - } -@@ -450,11 +456,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - if (!i2c->tx_msg) - goto out; - -- if ((i2c->nmsgs == 1) && !i2c->rx_msg && -- xiic_tx_space(i2c) == 0) -- xiic_wakeup(i2c, STATE_DONE); -+ wakeup_req = 1; -+ -+ if (i2c->nmsgs == 1 && !i2c->rx_msg && -+ xiic_tx_space(i2c) == 0) -+ wakeup_code = STATE_DONE; - else -- xiic_wakeup(i2c, STATE_ERROR); -+ wakeup_code = STATE_ERROR; - } - if (pend & (XIIC_INTR_TX_EMPTY_MASK | XIIC_INTR_TX_HALF_MASK)) { - /* Transmit register/FIFO is empty or ½ empty */ -@@ -478,7 +486,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - if (i2c->nmsgs > 1) { - i2c->nmsgs--; - i2c->tx_msg++; -- __xiic_start_xfer(i2c); -+ xfer_more = 1; - } else { - xiic_irq_dis(i2c, XIIC_INTR_TX_HALF_MASK); - -@@ -496,6 +504,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - dev_dbg(i2c->adap.dev.parent, "%s clr: 0x%x\n", __func__, clr); - - xiic_setreg32(i2c, XIIC_IISR_OFFSET, clr); -+ if (xfer_more) -+ __xiic_start_xfer(i2c); -+ if (wakeup_req) -+ xiic_wakeup(i2c, wakeup_code); -+ -+ WARN_ON(xfer_more && wakeup_req); -+ - mutex_unlock(&i2c->lock); - return IRQ_HANDLED; - } --- -2.39.2 - diff --git a/queue-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch b/queue-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch deleted file mode 100644 index a3169a5e72b..00000000000 --- a/queue-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 54f6886655a814ccc6bedd7924acfb2796ace463 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Jun 2023 12:25:58 -0600 -Subject: i2c: xiic: Don't try to handle more interrupt events after error - -From: Robert Hancock - -[ Upstream commit cb6e45c9a0ad9e0f8664fd06db0227d185dc76ab ] - -In xiic_process, it is possible that error events such as arbitration -lost or TX error can be raised in conjunction with other interrupt flags -such as TX FIFO empty or bus not busy. Error events result in the -controller being reset and the error returned to the calling request, -but the function could potentially try to keep handling the other -events, such as by writing more messages into the TX FIFO. Since the -transaction has already failed, this is not helpful and will just cause -issues. - -This problem has been present ever since: - -commit 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr") - -which allowed non-error events to be handled after errors, but became -more obvious after: - -commit 743e227a8959 ("i2c: xiic: Defer xiic_wakeup() and -__xiic_start_xfer() in xiic_process()") - -which reworked the code to add a WARN_ON which triggers if both the -xfer_more and wakeup_req flags were set, since this combination is -not supposed to happen, but was occurring in this scenario. - -Skip further interrupt handling after error flags are detected to avoid -this problem. - -Fixes: 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr") -Signed-off-by: Robert Hancock -Acked-by: Andi Shyti -Signed-off-by: Wolfram Sang -Signed-off-by: Sasha Levin ---- - drivers/i2c/busses/i2c-xiic.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c -index c7f74687282ea..c1f85114ab812 100644 ---- a/drivers/i2c/busses/i2c-xiic.c -+++ b/drivers/i2c/busses/i2c-xiic.c -@@ -409,6 +409,8 @@ static irqreturn_t xiic_process(int irq, void *dev_id) - wakeup_req = 1; - wakeup_code = STATE_ERROR; - } -+ /* don't try to handle other events */ -+ goto out; - } - if (pend & XIIC_INTR_RX_FULL_MASK) { - /* Receive register/FIFO is full */ --- -2.39.2 - diff --git a/queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch deleted file mode 100644 index 38793da2e06..00000000000 --- a/queue-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 58240f64a0be015e60403b558eac9ea7b1483365 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 16 Feb 2023 11:56:28 -0500 -Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors - -From: Patrick Kelsey - -[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ] - -Fix three sources of error involving struct sdma_txreq.num_descs. - -When _extend_sdma_tx_descs() extends the descriptor array, it uses the -value of tx->num_descs to determine how many existing entries from the -tx's original, internal descriptor array to copy to the newly allocated -one. As this value was incremented before the call, the copy loop will -access one entry past the internal descriptor array, copying its contents -into the corresponding slot in the new array. - -If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then -invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a -loop that unmaps all descriptor entries in use. As this value was -incremented before the call, the unmap loop will invoke sdma_unmap_desc() -on a descriptor entry whose contents consist of whatever random data was -copied into it during (1), leading to cascading further calls into the -kernel and driver using arbitrary data. - -_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1. - -Fix all of the above by: -- Only increment .num_descs after .descp is extended. -- Use .num_descs - 1 instead of .num_descs for last .descp entry. - -Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors") -Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com -Signed-off-by: Brendan Cunningham -Signed-off-by: Patrick Kelsey -Signed-off-by: Dennis Dalessandro -Signed-off-by: Jason Gunthorpe -Signed-off-by: Sasha Levin ---- - drivers/infiniband/hw/hfi1/sdma.c | 4 ++-- - drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++-------- - 2 files changed, 9 insertions(+), 10 deletions(-) - -diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c -index 33ff9eca28f69..245f9505a9aca 100644 ---- a/drivers/infiniband/hw/hfi1/sdma.c -+++ b/drivers/infiniband/hw/hfi1/sdma.c -@@ -3202,8 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) - { - int rval = 0; - -- tx->num_desc++; -- if ((unlikely(tx->num_desc == tx->desc_limit))) { -+ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { - rval = _extend_sdma_tx_descs(dd, tx); - if (rval) { - __sdma_txclean(dd, tx); -@@ -3216,6 +3215,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) - SDMA_MAP_NONE, - dd->sdma_pad_phys, - sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); -+ tx->num_desc++; - _sdma_close_tx(dd, tx); - return rval; - } -diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h -index 46c775f255d14..a3dd2f3d56cca 100644 ---- a/drivers/infiniband/hw/hfi1/sdma.h -+++ b/drivers/infiniband/hw/hfi1/sdma.h -@@ -680,14 +680,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) - static inline void _sdma_close_tx(struct hfi1_devdata *dd, - struct sdma_txreq *tx) - { -- tx->descp[tx->num_desc].qw[0] |= -- SDMA_DESC0_LAST_DESC_FLAG; -- tx->descp[tx->num_desc].qw[1] |= -- dd->default_desc1; -+ u16 last_desc = tx->num_desc - 1; -+ -+ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; -+ tx->descp[last_desc].qw[1] |= dd->default_desc1; - if (tx->flags & SDMA_TXREQ_F_URGENT) -- tx->descp[tx->num_desc].qw[1] |= -- (SDMA_DESC1_HEAD_TO_HOST_FLAG | -- SDMA_DESC1_INT_REQ_FLAG); -+ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | -+ SDMA_DESC1_INT_REQ_FLAG); - } - - static inline int _sdma_txadd_daddr( -@@ -704,6 +703,7 @@ static inline int _sdma_txadd_daddr( - type, - addr, len); - WARN_ON(len > tx->tlen); -+ tx->num_desc++; - tx->tlen -= len; - /* special cases for last */ - if (!tx->tlen) { -@@ -715,7 +715,6 @@ static inline int _sdma_txadd_daddr( - _sdma_close_tx(dd, tx); - } - } -- tx->num_desc++; - return rval; - } - --- -2.39.2 - diff --git a/queue-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/queue-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch deleted file mode 100644 index 3227658c36f..00000000000 --- a/queue-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch +++ /dev/null @@ -1,145 +0,0 @@ -From 46ae827efd8dbae05deb396bf8beb1545f27f411 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 7 Jul 2023 18:43:27 -0700 -Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in - icmp6_dev(). - -From: Kuniyuki Iwashima - -[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] - -With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that -has the link-local address as src and dst IP and will be forwarded to -an external IP in the IPv6 Ext Hdr. - -For example, the script below generates a packet whose src IP is the -link-local address and dst is updated to 11::. - - # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done - # python3 - >>> from socket import * - >>> from scapy.all import * - >>> - >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" - >>> - >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) - >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) - >>> - >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) - >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) - -For such a packet, we call ip6_route_input() to look up a route for the -next destination in these three functions depending on the header type. - - * ipv6_rthdr_rcv() - * ipv6_rpl_srh_rcv() - * ipv6_srh_rcv() - -If no route is found, ip6_null_entry is set to skb, and the following -dst_input(skb) calls ip6_pkt_drop(). - -Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev -as the input device is the loopback interface. Then, we have to check if -skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref -for ip6_null_entry. - -BUG: kernel NULL pointer dereference, address: 0000000000000000 - PF: supervisor read access in kernel mode - PF: error_code(0x0000) - not-present page -PGD 0 P4D 0 -Oops: 0000 [#1] PREEMPT SMP PTI -CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 -RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) -Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 -RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 -RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 -RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 -RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 -R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 -R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 -FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 -PKRU: 55555554 -Call Trace: - - ip6_pkt_drop (net/ipv6/route.c:4513) - ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) - ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) - ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) - __netif_receive_skb_one_core (net/core/dev.c:5455) - process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) - __napi_poll (net/core/dev.c:6460) - net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) - __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) - do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) - - - __local_bh_enable_ip (kernel/softirq.c:381) - __dev_queue_xmit (net/core/dev.c:4231) - ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) - rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) - sock_sendmsg (net/socket.c:725 net/socket.c:748) - __sys_sendto (net/socket.c:2134) - __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) - do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) - entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) -RIP: 0033:0x7f9dc751baea -Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 -RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea -RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 -RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c -R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 -R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b - -Modules linked in: -CR2: 0000000000000000 - ---[ end trace 0000000000000000 ]--- -RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) -Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 -RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 -RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 -RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 -RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 -R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 -R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 -FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 -PKRU: 55555554 -Kernel panic - not syncing: Fatal exception in interrupt -Kernel Offset: disabled - -Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") -Reported-by: Wang Yufen -Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/ -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: David Ahern -Reviewed-by: Eric Dumazet -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/icmp.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c -index 1b86a2e03d049..bfafd7649ccb3 100644 ---- a/net/ipv6/icmp.c -+++ b/net/ipv6/icmp.c -@@ -407,7 +407,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) - if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { - const struct rt6_info *rt6 = skb_rt6_info(skb); - -- if (rt6) -+ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), -+ * and ip6_null_entry could be set to skb if no route is found. -+ */ -+ if (rt6 && rt6->rt6i_idev) - dev = rt6->rt6i_idev->dev; - } - --- -2.39.2 - diff --git a/queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch b/queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch deleted file mode 100644 index cd1d107835f..00000000000 --- a/queue-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch +++ /dev/null @@ -1,89 +0,0 @@ -From d31c957cc8ca0a46d225cbe69724ba5a83276a67 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 10:47:32 -0700 -Subject: igb: Fix igb_down hung on surprise removal - -From: Ying Hsu - -[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] - -In a setup where a Thunderbolt hub connects to Ethernet and a display -through USB Type-C, users may experience a hung task timeout when they -remove the cable between the PC and the Thunderbolt hub. -This is because the igb_down function is called multiple times when -the Thunderbolt hub is unplugged. For example, the igb_io_error_detected -triggers the first call, and the igb_remove triggers the second call. -The second call to igb_down will block at napi_synchronize. -Here's the call trace: - __schedule+0x3b0/0xddb - ? __mod_timer+0x164/0x5d3 - schedule+0x44/0xa8 - schedule_timeout+0xb2/0x2a4 - ? run_local_timers+0x4e/0x4e - msleep+0x31/0x38 - igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] - __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] - igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] - __dev_close_many+0x95/0xec - dev_close_many+0x6e/0x103 - unregister_netdevice_many+0x105/0x5b1 - unregister_netdevice_queue+0xc2/0x10d - unregister_netdev+0x1c/0x23 - igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] - pci_device_remove+0x3f/0x9c - device_release_driver_internal+0xfe/0x1b4 - pci_stop_bus_device+0x5b/0x7f - pci_stop_bus_device+0x30/0x7f - pci_stop_bus_device+0x30/0x7f - pci_stop_and_remove_bus_device+0x12/0x19 - pciehp_unconfigure_device+0x76/0xe9 - pciehp_disable_slot+0x6e/0x131 - pciehp_handle_presence_or_link_change+0x7a/0x3f7 - pciehp_ist+0xbe/0x194 - irq_thread_fn+0x22/0x4d - ? irq_thread+0x1fd/0x1fd - irq_thread+0x17b/0x1fd - ? irq_forced_thread_fn+0x5f/0x5f - kthread+0x142/0x153 - ? __irq_get_irqchip_state+0x46/0x46 - ? kthread_associate_blkcg+0x71/0x71 - ret_from_fork+0x1f/0x30 - -In this case, igb_io_error_detected detaches the network interface -and requests a PCIE slot reset, however, the PCIE reset callback is -not being invoked and thus the Ethernet connection breaks down. -As the PCIE error in this case is a non-fatal one, requesting a -slot reset can be avoided. -This patch fixes the task hung issue and preserves Ethernet -connection by ignoring non-fatal PCIE errors. - -Signed-off-by: Ying Hsu -Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) -Signed-off-by: Tony Nguyen -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c -index 6f9d563deb6ba..be51179089852 100644 ---- a/drivers/net/ethernet/intel/igb/igb_main.c -+++ b/drivers/net/ethernet/intel/igb/igb_main.c -@@ -9059,6 +9059,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, - struct net_device *netdev = pci_get_drvdata(pdev); - struct igb_adapter *adapter = netdev_priv(netdev); - -+ if (state == pci_channel_io_normal) { -+ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); -+ return PCI_ERS_RESULT_CAN_RECOVER; -+ } -+ - netif_device_detach(netdev); - - if (state == pci_channel_io_perm_failure) --- -2.39.2 - diff --git a/queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch deleted file mode 100644 index 7b8245fb995..00000000000 --- a/queue-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 51b90364f500ae4b586dc32e18e61f232983cb55 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 May 2023 17:27:55 -0700 -Subject: Input: adxl34x - do not hardcode interrupt trigger type - -From: Marek Vasut - -[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ] - -Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's -respect the settings specified in the firmware description. - -Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") -Signed-off-by: Marek Vasut -Acked-by: Michael Hennerich -Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/misc/adxl34x.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c -index 3695dd7dbb9b4..ec0c91ec52277 100644 ---- a/drivers/input/misc/adxl34x.c -+++ b/drivers/input/misc/adxl34x.c -@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq, - AC_WRITE(ac, POWER_CTL, 0); - - err = request_threaded_irq(ac->irq, NULL, adxl34x_irq, -- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, -- dev_name(dev), ac); -+ IRQF_ONESHOT, dev_name(dev), ac); - if (err) { - dev_err(dev, "irq %d busy?\n", ac->irq); - goto err_free_mem; --- -2.39.2 - diff --git a/queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch b/queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch deleted file mode 100644 index 15813280a47..00000000000 --- a/queue-4.19/input-drv260x-sleep-between-polling-go-bit.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 569e4104a6ffce321ca0b44f7bcb5c522b3a082f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 1 May 2023 17:01:45 -0700 -Subject: Input: drv260x - sleep between polling GO bit - -From: Luca Weiss - -[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ] - -When doing the initial startup there's no need to poll without any -delay and spam the I2C bus. - -Let's sleep 15ms between each attempt, which is the same time as used -in the vendor driver. - -Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver") -Signed-off-by: Luca Weiss -Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/misc/drv260x.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c -index 17eb84ab4c0b7..fe3fbde989be2 100644 ---- a/drivers/input/misc/drv260x.c -+++ b/drivers/input/misc/drv260x.c -@@ -443,6 +443,7 @@ static int drv260x_init(struct drv260x_data *haptics) - } - - do { -+ usleep_range(15000, 15500); - error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf); - if (error) { - dev_err(&haptics->client->dev, --- -2.39.2 - diff --git a/queue-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch b/queue-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch deleted file mode 100644 index d9c79567954..00000000000 --- a/queue-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 9df6a4870dc371136e90330cfbbc51464ee66993 Mon Sep 17 00:00:00 2001 -From: Tianjia Zhang -Date: Thu, 1 Jun 2023 14:42:44 +0800 -Subject: integrity: Fix possible multiple allocation in integrity_inode_get() - -From: Tianjia Zhang - -commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream. - -When integrity_inode_get() is querying and inserting the cache, there -is a conditional race in the concurrent environment. - -The race condition is the result of not properly implementing -"double-checked locking". In this case, it first checks to see if the -iint cache record exists before taking the lock, but doesn't check -again after taking the integrity_iint_lock. - -Fixes: bf2276d10ce5 ("ima: allocating iint improvements") -Signed-off-by: Tianjia Zhang -Cc: Dmitry Kasatkin -Cc: # v3.10+ -Signed-off-by: Mimi Zohar -Signed-off-by: Greg Kroah-Hartman ---- - security/integrity/iint.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - ---- a/security/integrity/iint.c -+++ b/security/integrity/iint.c -@@ -46,12 +46,10 @@ static struct integrity_iint_cache *__in - else if (inode > iint->inode) - n = n->rb_right; - else -- break; -+ return iint; - } -- if (!n) -- return NULL; - -- return iint; -+ return NULL; - } - - /* -@@ -116,10 +114,15 @@ struct integrity_iint_cache *integrity_i - parent = *p; - test_iint = rb_entry(parent, struct integrity_iint_cache, - rb_node); -- if (inode < test_iint->inode) -+ if (inode < test_iint->inode) { - p = &(*p)->rb_left; -- else -+ } else if (inode > test_iint->inode) { - p = &(*p)->rb_right; -+ } else { -+ write_unlock(&integrity_iint_lock); -+ kmem_cache_free(iint_cache, iint); -+ return test_iint; -+ } - } - - iint->inode = inode; diff --git a/queue-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/queue-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch deleted file mode 100644 index eeacf645c73..00000000000 --- a/queue-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch +++ /dev/null @@ -1,53 +0,0 @@ -From b6b485d5880cefb054197d49b212532df8ee9263 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 8 Jul 2023 14:59:10 +0800 -Subject: ipv6/addrconf: fix a potential refcount underflow for idev - -From: Ziyang Xuan - -[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ] - -Now in addrconf_mod_rs_timer(), reference idev depends on whether -rs_timer is not pending. Then modify rs_timer timeout. - -There is a time gap in [1], during which if the pending rs_timer -becomes not pending. It will miss to hold idev, but the rs_timer -is activated. Thus rs_timer callback function addrconf_rs_timer() -will be executed and put idev later without holding idev. A refcount -underflow issue for idev can be caused by this. - - if (!timer_pending(&idev->rs_timer)) - in6_dev_hold(idev); - <--------------[1] - mod_timer(&idev->rs_timer, jiffies + when); - -To fix the issue, hold idev if mod_timer() return 0. - -Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer") -Suggested-by: Eric Dumazet -Signed-off-by: Ziyang Xuan -Reviewed-by: Eric Dumazet -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/addrconf.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index f261c6d7f1f28..23edc325f70be 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -316,9 +316,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp) - static void addrconf_mod_rs_timer(struct inet6_dev *idev, - unsigned long when) - { -- if (!timer_pending(&idev->rs_timer)) -+ if (!mod_timer(&idev->rs_timer, jiffies + when)) - in6_dev_hold(idev); -- mod_timer(&idev->rs_timer, jiffies + when); - } - - static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, --- -2.39.2 - diff --git a/queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch deleted file mode 100644 index 10fb05e24a0..00000000000 --- a/queue-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch +++ /dev/null @@ -1,66 +0,0 @@ -From fb27984c7b464c888b054effdf720e797025a50e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Jun 2023 17:33:47 +0800 -Subject: ipvlan: Fix return value of ipvlan_queue_xmit() - -From: Cambda Zhu - -[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] - -ipvlan_queue_xmit() should return NET_XMIT_XXX, but -ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX -in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED -in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to -NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or -NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase -both ipvlan and ipvlan->phy_dev drops counter. - -The skb to forward can be treated as xmitted successfully. This patch -makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. - -Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") -Signed-off-by: Cambda Zhu -Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - drivers/net/ipvlan/ipvlan_core.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c -index eb80d277b56f5..6b6c5a7250a65 100644 ---- a/drivers/net/ipvlan/ipvlan_core.c -+++ b/drivers/net/ipvlan/ipvlan_core.c -@@ -592,7 +592,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) - consume_skb(skb); - return NET_XMIT_DROP; - } -- return ipvlan_rcv_frame(addr, &skb, true); -+ ipvlan_rcv_frame(addr, &skb, true); -+ return NET_XMIT_SUCCESS; - } - } - out: -@@ -618,7 +619,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) - consume_skb(skb); - return NET_XMIT_DROP; - } -- return ipvlan_rcv_frame(addr, &skb, true); -+ ipvlan_rcv_frame(addr, &skb, true); -+ return NET_XMIT_SUCCESS; - } - } - skb = skb_share_check(skb, GFP_ATOMIC); -@@ -630,7 +632,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) - * the skb for the main-dev. At the RX side we just return - * RX_PASS for it to be processed further on the stack. - */ -- return dev_forward_skb(ipvlan->phy_dev, skb); -+ dev_forward_skb(ipvlan->phy_dev, skb); -+ return NET_XMIT_SUCCESS; - - } else if (is_multicast_ether_addr(eth->h_dest)) { - skb_reset_mac_header(skb); --- -2.39.2 - diff --git a/queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch deleted file mode 100644 index bb6269bb90b..00000000000 --- a/queue-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 4ccd3be2ccc9fa9c3b14d259dc5e795c7d90db2d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 May 2023 18:33:42 +0200 -Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors - -From: John Paul Adrian Glaubitz - -[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ] - -The initialization function for the J-Core AIC aic_irq_of_init() is -currently missing the call to irq_alloc_descs() which allocates and -initializes all the IRQ descriptors. Add missing function call and -return the error code from irq_alloc_descs() in case the allocation -fails. - -Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver") -Signed-off-by: John Paul Adrian Glaubitz -Tested-by: Rob Landley -Signed-off-by: Marc Zyngier -Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de -Signed-off-by: Sasha Levin ---- - drivers/irqchip/irq-jcore-aic.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c -index 5f47d8ee4ae39..b9dcc8e78c750 100644 ---- a/drivers/irqchip/irq-jcore-aic.c -+++ b/drivers/irqchip/irq-jcore-aic.c -@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node, - unsigned min_irq = JCORE_AIC2_MIN_HWIRQ; - unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1; - struct irq_domain *domain; -+ int ret; - - pr_info("Initializing J-Core AIC\n"); - -@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node, - jcore_aic.irq_unmask = noop; - jcore_aic.name = "AIC"; - -+ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq, -+ of_node_to_nid(node)); -+ -+ if (ret < 0) -+ return ret; -+ - domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, - &jcore_aic_irqdomain_ops, - &jcore_aic); --- -2.39.2 - diff --git a/queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch deleted file mode 100644 index a9ea1fb0971..00000000000 --- a/queue-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch +++ /dev/null @@ -1,41 +0,0 @@ -From a0040d3dcb0b479ed0a896c972942db0a435106b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Apr 2021 10:35:51 +0100 -Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings() - -From: Marc Zyngier - -[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ] - -irq_create_strict_mappings() is a poor way to allow the use of -a linear IRQ domain as a legacy one. Let's be upfront about it. - -Signed-off-by: Marc Zyngier -Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org -Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors") -Signed-off-by: Sasha Levin ---- - drivers/irqchip/irq-jcore-aic.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c -index 033bccb41455c..5f47d8ee4ae39 100644 ---- a/drivers/irqchip/irq-jcore-aic.c -+++ b/drivers/irqchip/irq-jcore-aic.c -@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node, - jcore_aic.irq_unmask = noop; - jcore_aic.name = "AIC"; - -- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops, -+ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, -+ &jcore_aic_irqdomain_ops, - &jcore_aic); - if (!domain) - return -ENOMEM; -- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq); - - return 0; - } --- -2.39.2 - diff --git a/queue-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch b/queue-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch deleted file mode 100644 index 7ffa2036cfa..00000000000 --- a/queue-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 1168f095417643f663caa341211e117db552989f Mon Sep 17 00:00:00 2001 -From: Fabian Frederick -Date: Sat, 6 May 2023 06:56:12 +0200 -Subject: jffs2: reduce stack usage in jffs2_build_xattr_subsystem() - -From: Fabian Frederick - -commit 1168f095417643f663caa341211e117db552989f upstream. - -Use kcalloc() for allocation/flush of 128 pointers table to -reduce stack usage. - -Function now returns -ENOMEM or 0 on success. - -stackusage -Before: -./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208 -dynamic,bounded - -After: -./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192 -dynamic,bounded - -Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled - -Tested with an MTD mount point and some user set/getfattr. - -Many current target on OpenWRT also suffer from a compilation warning -(that become an error with CONFIG_WERROR) with the following output: - -fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem': -fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] - 887 | } - | ^ - -Using dynamic allocation fix this compilation warning. - -Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion") -Reported-by: Tim Gardner -Reported-by: kernel test robot -Reported-by: Ron Economos -Reported-by: Nathan Chancellor -Reviewed-by: Nick Desaulniers -Signed-off-by: Fabian Frederick -Signed-off-by: Christian Marangi -Cc: stable@vger.kernel.org -Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com> -Signed-off-by: Christian Brauner -Signed-off-by: Greg Kroah-Hartman ---- - fs/jffs2/build.c | 5 ++++- - fs/jffs2/xattr.c | 13 +++++++++---- - fs/jffs2/xattr.h | 4 ++-- - 3 files changed, 15 insertions(+), 7 deletions(-) - ---- a/fs/jffs2/build.c -+++ b/fs/jffs2/build.c -@@ -211,7 +211,10 @@ static int jffs2_build_filesystem(struct - ic->scan_dents = NULL; - cond_resched(); - } -- jffs2_build_xattr_subsystem(c); -+ ret = jffs2_build_xattr_subsystem(c); -+ if (ret) -+ goto exit; -+ - c->flags &= ~JFFS2_SB_FLAG_BUILDING; - - dbg_fsbuild("FS build complete\n"); ---- a/fs/jffs2/xattr.c -+++ b/fs/jffs2/xattr.c -@@ -772,10 +772,10 @@ void jffs2_clear_xattr_subsystem(struct - } - - #define XREF_TMPHASH_SIZE (128) --void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) -+int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) - { - struct jffs2_xattr_ref *ref, *_ref; -- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE]; -+ struct jffs2_xattr_ref **xref_tmphash; - struct jffs2_xattr_datum *xd, *_xd; - struct jffs2_inode_cache *ic; - struct jffs2_raw_node_ref *raw; -@@ -784,9 +784,12 @@ void jffs2_build_xattr_subsystem(struct - - BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING)); - -+ xref_tmphash = kcalloc(XREF_TMPHASH_SIZE, -+ sizeof(struct jffs2_xattr_ref *), GFP_KERNEL); -+ if (!xref_tmphash) -+ return -ENOMEM; -+ - /* Phase.1 : Merge same xref */ -- for (i=0; i < XREF_TMPHASH_SIZE; i++) -- xref_tmphash[i] = NULL; - for (ref=c->xref_temp; ref; ref=_ref) { - struct jffs2_xattr_ref *tmp; - -@@ -884,6 +887,8 @@ void jffs2_build_xattr_subsystem(struct - "%u of xref (%u dead, %u orphan) found.\n", - xdatum_count, xdatum_unchecked_count, xdatum_orphan_count, - xref_count, xref_dead_count, xref_orphan_count); -+ kfree(xref_tmphash); -+ return 0; - } - - struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, ---- a/fs/jffs2/xattr.h -+++ b/fs/jffs2/xattr.h -@@ -71,7 +71,7 @@ static inline int is_xattr_ref_dead(stru - #ifdef CONFIG_JFFS2_FS_XATTR - - extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c); --extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); -+extern int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); - extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c); - - extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, -@@ -103,7 +103,7 @@ extern ssize_t jffs2_listxattr(struct de - #else - - #define jffs2_init_xattr_subsystem(c) --#define jffs2_build_xattr_subsystem(c) -+#define jffs2_build_xattr_subsystem(c) (0) - #define jffs2_clear_xattr_subsystem(c) - - #define jffs2_xattr_do_crccheck_inode(c, ic) diff --git a/queue-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch b/queue-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch deleted file mode 100644 index a53faad56d0..00000000000 --- a/queue-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001 -From: Siddh Raman Pant -Date: Tue, 20 Jun 2023 22:17:00 +0530 -Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting - -From: Siddh Raman Pant - -commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream. - -In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block -number inside dbFree(). db_l2nbperpage, which is the log2 number of -blocks per page, is passed as an argument to BLKTODMAP which uses it -for shifting. - -Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is -too big. This happens because the large value is set without any -validation in dbMount() at line 181. - -Thus, make sure that db_l2nbperpage is correct while mounting. - -Max number of blocks per page = Page size / Min block size -=> log2(Max num_block per page) = log2(Page size / Min block size) - = log2(Page size) - log2(Min block size) - -=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE - -Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715 -Cc: stable@vger.kernel.org -Suggested-by: Dave Kleikamp -Signed-off-by: Siddh Raman Pant -Signed-off-by: Dave Kleikamp -Signed-off-by: Greg Kroah-Hartman ---- - fs/jfs/jfs_dmap.c | 6 ++++++ - fs/jfs/jfs_filsys.h | 2 ++ - 2 files changed, 8 insertions(+) - ---- a/fs/jfs/jfs_dmap.c -+++ b/fs/jfs/jfs_dmap.c -@@ -191,7 +191,13 @@ int dbMount(struct inode *ipbmap) - dbmp_le = (struct dbmap_disk *) mp->data; - bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); - bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); -+ - bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); -+ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { -+ err = -EINVAL; -+ goto err_release_metapage; -+ } -+ - bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); - if (!bmp->db_numag) { - err = -EINVAL; ---- a/fs/jfs/jfs_filsys.h -+++ b/fs/jfs/jfs_filsys.h -@@ -135,7 +135,9 @@ - #define NUM_INODE_PER_IAG INOSPERIAG - - #define MINBLOCKSIZE 512 -+#define L2MINBLOCKSIZE 9 - #define MAXBLOCKSIZE 4096 -+#define L2MAXBLOCKSIZE 12 - #define MAXFILESIZE ((s64)1 << 52) - - #define JFS_LINK_MAX 0xffffffff diff --git a/queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch deleted file mode 100644 index 59f26261be7..00000000000 --- a/queue-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 8b2db998a10f3e10565a0bcd7135e3b686532fed Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 May 2023 20:34:34 +0800 -Subject: kexec: fix a memory leak in crash_shrink_memory() - -From: Zhen Lei - -[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] - -Patch series "kexec: enable kexec_crash_size to support two crash kernel -regions". - -When crashkernel=X fails to reserve region under 4G, it will fall back to -reserve region above 4G and a region of the default size will also be -reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only -supports one crash kernel region now, the user cannot sense the low memory -reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot -be freed by writing this file. - -For example: -resource_size(crashk_res) = 512M -resource_size(crashk_low_res) = 256M - -The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be -768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size -of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, -which is incorrect. - -Since crashk_res manages the memory with high address and crashk_low_res -manages the memory with low address, crashk_low_res is shrunken only when -all crashk_res is shrunken. And because when there is only one crash -kernel region, crashk_res is always used. Therefore, if all crashk_res is -shrunken and crashk_low_res still exists, swap them. - -This patch (of 6): - -If the value of parameter 'new_size' is in the semi-open and semi-closed -interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the -calculation result of ram_res is: - - ram_res->start = crashk_res.end + 1 - ram_res->end = crashk_res.end - -The operation of insert_resource() fails, and ram_res is not added to -iomem_resource. As a result, the memory of the control block ram_res is -leaked. - -In fact, on all architectures, the start address and size of crashk_res -are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need -to round up crashk_res.start again. Instead, we should round up -'new_size' in advance. - -Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com -Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com -Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") -Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") -Signed-off-by: Zhen Lei -Acked-by: Baoquan He -Cc: Cong Wang -Cc: Eric W. Biederman -Cc: Michael Holzheu -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/kexec_core.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c -index 6b3d7f7211dd6..3666d434a8f59 100644 ---- a/kernel/kexec_core.c -+++ b/kernel/kexec_core.c -@@ -1020,6 +1020,7 @@ int crash_shrink_memory(unsigned long new_size) - start = crashk_res.start; - end = crashk_res.end; - old_size = (end == 0) ? 0 : end - start + 1; -+ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN); - if (new_size >= old_size) { - ret = (new_size == old_size) ? 0 : -EINVAL; - goto unlock; -@@ -1031,9 +1032,7 @@ int crash_shrink_memory(unsigned long new_size) - goto unlock; - } - -- start = roundup(start, KEXEC_CRASH_MEM_ALIGN); -- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN); -- -+ end = start + new_size; - crash_free_reserved_phys_range(end, crashk_res.end); - - if ((start == end) && (crashk_res.parent != NULL)) --- -2.39.2 - diff --git a/queue-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch b/queue-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch deleted file mode 100644 index cf5b3b1536d..00000000000 --- a/queue-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 52429ee7c466fa39578a37aba04f8ef0265f1457 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 24 Mar 2023 15:54:23 +0100 -Subject: KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes - -From: Nico Boehr - -[ Upstream commit 285cff4c0454340a4dc53f46e67f2cb1c293bd74 ] - -The KVM_S390_GET_CMMA_BITS ioctl may return incorrect values when userspace -specifies a start_gfn outside of memslots. - -This can occur when a VM has multiple memslots with a hole in between: - -+-----+----------+--------+--------+ -| ... | Slot N-1 | | Slot N | -+-----+----------+--------+--------+ - ^ ^ ^ ^ - | | | | -GFN A A+B | | - A+B+C | - A+B+C+D - -When userspace specifies a GFN in [A+B, A+B+C), it would expect to get the -CMMA values of the first dirty page in Slot N. However, userspace may get a -start_gfn of A+B+C+D with a count of 0, hence completely skipping over any -dirty pages in slot N. - -The error is in kvm_s390_next_dirty_cmma(), which assumes -gfn_to_memslot_approx() will return the memslot _below_ the specified GFN -when the specified GFN lies outside a memslot. In reality it may return -either the memslot below or above the specified GFN. - -When a memslot above the specified GFN is returned this happens: - -- ofs is calculated, but since the memslot's base_gfn is larger than the - specified cur_gfn, ofs will underflow to a huge number. -- ofs is passed to find_next_bit(). Since ofs will exceed the memslot's - number of pages, the number of pages in the memslot is returned, - completely skipping over all bits in the memslot userspace would be - interested in. - -Fix this by resetting ofs to zero when a memslot _above_ cur_gfn is -returned (cur_gfn < ms->base_gfn). - -Signed-off-by: Nico Boehr -Reviewed-by: Claudio Imbrenda -Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots") -Message-Id: <20230324145424.293889-2-nrb@linux.ibm.com> -Signed-off-by: Claudio Imbrenda -Signed-off-by: Janosch Frank -Signed-off-by: Sasha Levin ---- - arch/s390/kvm/kvm-s390.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c -index 3aade928c18dd..92041d442d2e6 100644 ---- a/arch/s390/kvm/kvm-s390.c -+++ b/arch/s390/kvm/kvm-s390.c -@@ -1716,6 +1716,10 @@ static unsigned long kvm_s390_next_dirty_cmma(struct kvm_memslots *slots, - ms = slots->memslots + slotidx; - ofs = 0; - } -+ -+ if (cur_gfn < ms->base_gfn) -+ ofs = 0; -+ - ofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, ofs); - while ((slotidx > 0) && (ofs >= ms->npages)) { - slotidx--; --- -2.39.2 - diff --git a/queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch deleted file mode 100644 index 1207b6478c1..00000000000 --- a/queue-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 87da1904b8c1c4030f88ea104f42f0a2d6b7bce8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 19 Jun 2023 20:06:57 +0100 -Subject: lib/ts_bm: reset initial match offset for every block of text - -From: Jeremy Sowden - -[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] - -The `shift` variable which indicates the offset in the string at which -to start matching the pattern is initialized to `bm->patlen - 1`, but it -is not reset when a new block is retrieved. This means the implemen- -tation may start looking at later and later positions in each successive -block and miss occurrences of the pattern at the beginning. E.g., -consider a HTTP packet held in a non-linear skb, where the HTTP request -line occurs in the second block: - - [... 52 bytes of packet headers ...] - GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n - -and the pattern is "GET /bmtest". - -Once the first block comprising the packet headers has been examined, -`shift` will be pointing to somewhere near the end of the block, and so -when the second block is examined the request line at the beginning will -be missed. - -Reinitialize the variable for each new block. - -Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") -Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 -Signed-off-by: Jeremy Sowden -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - lib/ts_bm.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/ts_bm.c b/lib/ts_bm.c -index 9e66ee4020e90..5de382e79a45a 100644 ---- a/lib/ts_bm.c -+++ b/lib/ts_bm.c -@@ -64,10 +64,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) - struct ts_bm *bm = ts_config_priv(conf); - unsigned int i, text_len, consumed = state->offset; - const u8 *text; -- int shift = bm->patlen - 1, bs; -+ int bs; - const u8 icase = conf->flags & TS_IGNORECASE; - - for (;;) { -+ int shift = bm->patlen - 1; -+ - text_len = conf->get_next_block(consumed, &text, conf, state); - - if (unlikely(text_len == 0)) --- -2.39.2 - diff --git a/queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch b/queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch deleted file mode 100644 index 2ae40426913..00000000000 --- a/queue-4.19/llc-don-t-drop-packet-from-non-root-netns.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 3be5e9a7e94dd56e5d1ec735d5f11d991fd11606 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jul 2023 10:41:51 -0700 -Subject: llc: Don't drop packet from non-root netns. - -From: Kuniyuki Iwashima - -[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] - -Now these upper layer protocol handlers can be called from llc_rcv() -as sap->rcv_func(), which is registered by llc_sap_open(). - - * function which is passed to register_8022_client() - -> no in-kernel user calls register_8022_client(). - - * snap_rcv() - `- proto->rcvfunc() : registered by register_snap_client() - -> aarp_rcv() and atalk_rcv() drop packets from non-root netns - - * stp_pdu_rcv() - `- garp_protos[]->rcv() : registered by stp_proto_register() - -> garp_pdu_rcv() and br_stp_rcv() are netns-aware - -So, we can safely remove the netns restriction in llc_rcv(). - -Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") -Signed-off-by: Kuniyuki Iwashima -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/llc/llc_input.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c -index 82cb93f66b9bd..f9e801cc50f5e 100644 ---- a/net/llc/llc_input.c -+++ b/net/llc/llc_input.c -@@ -162,9 +162,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, - void (*sta_handler)(struct sk_buff *skb); - void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); - -- if (!net_eq(dev_net(dev), &init_net)) -- goto drop; -- - /* - * When the interface is in promisc. mode, drop all the crap that it - * receives, do not try to analyse it. --- -2.39.2 - diff --git a/queue-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch b/queue-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch deleted file mode 100644 index eab438beeaa..00000000000 --- a/queue-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 9d3c47985bd35b602eb28d2eff0fef510ba3ff20 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 20:00:22 -0500 -Subject: mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 - -From: Nishanth Menon - -[ Upstream commit 1b712f18c461bd75f018033a15cf381e712806b5 ] - -Sec proxy/message manager data buffer is 60 bytes with the last of the -registers indicating transmission completion. This however poses a bit -of a challenge. - -The backing memory for sec_proxy / message manager is regular memory, -and all sec proxy does is to trigger a burst of all 60 bytes of data -over to the target thread backing ring accelerator. It doesn't do a -memory scrub when it moves data out in the burst. When we transmit -multiple messages, remnants of previous message is also transmitted -which results in some random data being set in TISCI fields of -messages that have been expanded forward. - -The entire concept of backward compatibility hinges on the fact that -the unused message fields remain 0x0 allowing for 0x0 value to be -specially considered when backward compatibility of message extension -is done. - -So, instead of just writing the completion register, we continue -to fill the message buffer up with 0x0 (note: for partial message -involving completion, we already do this). - -This allows us to scale and introduce ABI changes back also work with -other boot stages that may have left data in the internal memory. - -While at this, be consistent and explicit with the data_reg pointer -increment. - -Fixes: aace66b170ce ("mailbox: Introduce TI message manager driver") -Signed-off-by: Nishanth Menon -Signed-off-by: Jassi Brar -Signed-off-by: Sasha Levin ---- - drivers/mailbox/ti-msgmgr.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/drivers/mailbox/ti-msgmgr.c b/drivers/mailbox/ti-msgmgr.c -index 01e9e462512b7..eb1e9771037f2 100644 ---- a/drivers/mailbox/ti-msgmgr.c -+++ b/drivers/mailbox/ti-msgmgr.c -@@ -385,14 +385,20 @@ static int ti_msgmgr_send_data(struct mbox_chan *chan, void *data) - /* Ensure all unused data is 0 */ - data_trail &= 0xFFFFFFFF >> (8 * (sizeof(u32) - trail_bytes)); - writel(data_trail, data_reg); -- data_reg++; -+ data_reg += sizeof(u32); - } -+ - /* - * 'data_reg' indicates next register to write. If we did not already - * write on tx complete reg(last reg), we must do so for transmit -+ * In addition, we also need to make sure all intermediate data -+ * registers(if any required), are reset to 0 for TISCI backward -+ * compatibility to be maintained. - */ -- if (data_reg <= qinst->queue_buff_end) -- writel(0, qinst->queue_buff_end); -+ while (data_reg <= qinst->queue_buff_end) { -+ writel(0, data_reg); -+ data_reg += sizeof(u32); -+ } - - return 0; - } --- -2.39.2 - diff --git a/queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch deleted file mode 100644 index dfb8b2d7957..00000000000 --- a/queue-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 8c977d8f9a4252e9b335230eb09b5cc3f52e6db1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 12 May 2023 09:56:07 +0800 -Subject: md: fix data corruption for raid456 when reshape restart while grow - up - -From: Yu Kuai - -[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] - -Currently, if reshape is interrupted, echo "reshape" to sync_action will -restart reshape from scratch, for example: - -echo frozen > sync_action -echo reshape > sync_action - -This will corrupt data before reshape_position if the array is growing, -fix the problem by continue reshape from reshape_position. - -Reported-by: Peter Neuwirth -Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ -Signed-off-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/md.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index 2e23a898fc978..6b074c2202d5a 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -4639,11 +4639,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) - return -EINVAL; - err = mddev_lock(mddev); - if (!err) { -- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) -+ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { - err = -EBUSY; -- else { -+ } else if (mddev->reshape_position == MaxSector || -+ mddev->pers->check_reshape == NULL || -+ mddev->pers->check_reshape(mddev)) { - clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); - err = mddev->pers->start_reshape(mddev); -+ } else { -+ /* -+ * If reshape is still in progress, and -+ * md_check_recovery() can continue to reshape, -+ * don't restart reshape because data can be -+ * corrupted for raid456. -+ */ -+ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); - } - mddev_unlock(mddev); - } --- -2.39.2 - diff --git a/queue-4.19/md-raid0-add-discard-support-for-the-original-layout.patch b/queue-4.19/md-raid0-add-discard-support-for-the-original-layout.patch deleted file mode 100644 index 8f1c4a01d52..00000000000 --- a/queue-4.19/md-raid0-add-discard-support-for-the-original-layout.patch +++ /dev/null @@ -1,203 +0,0 @@ -From e836007089ba8fdf24e636ef2b007651fb4582e6 Mon Sep 17 00:00:00 2001 -From: Jason Baron -Date: Fri, 23 Jun 2023 14:05:23 -0400 -Subject: md/raid0: add discard support for the 'original' layout - -From: Jason Baron - -commit e836007089ba8fdf24e636ef2b007651fb4582e6 upstream. - -We've found that using raid0 with the 'original' layout and discard -enabled with different disk sizes (such that at least two zones are -created) can result in data corruption. This is due to the fact that -the discard handling in 'raid0_handle_discard()' assumes the 'alternate' -layout. We've seen this corruption using ext4 but other filesystems are -likely susceptible as well. - -More specifically, while multiple zones are necessary to create the -corruption, the corruption may not occur with multiple zones if they -layout in such a way the layout matches what the 'alternate' layout -would have produced. Thus, not all raid0 devices with the 'original' -layout, different size disks and discard enabled will encounter this -corruption. - -The 3.14 kernel inadvertently changed the raid0 disk layout for different -size disks. Thus, running a pre-3.14 kernel and post-3.14 kernel on the -same raid0 array could corrupt data. This lead to the creation of the -'original' layout (to match the pre-3.14 layout) and the 'alternate' layout -(to match the post 3.14 layout) in the 5.4 kernel time frame and an option -to tell the kernel which layout to use (since it couldn't be autodetected). -However, when the 'original' layout was added back to 5.4 discard support -for the 'original' layout was not added leading this issue. - -I've been able to reliably reproduce the corruption with the following -test case: - -1. create raid0 array with different size disks using original layout -2. mkfs -3. mount -o discard -4. create lots of files -5. remove 1/2 the files -6. fstrim -a (or just the mount point for the raid0 array) -7. umount -8. fsck -fn /dev/md0 (spews all sorts of corruptions) - -Let's fix this by adding proper discard support to the 'original' layout. -The fix 'maps' the 'original' layout disks to the order in which they are -read/written such that we can compare the disks in the same way that the -current 'alternate' layout does. A 'disk_shift' field is added to -'struct strip_zone'. This could be computed on the fly in -raid0_handle_discard() but by adding this field, we save some computation -in the discard path. - -Note we could also potentially fix this by re-ordering the disks in the -zones that follow the first one, and then always read/writing them using -the 'alternate' layout. However, that is seen as a more substantial change, -and we are attempting the least invasive fix at this time to remedy the -corruption. - -I've verified the change using the reproducer mentioned above. Typically, -the corruption is seen after less than 3 iterations, while the patch has -run 500+ iterations. - -Cc: NeilBrown -Cc: Song Liu -Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.") -Cc: stable@vger.kernel.org -Signed-off-by: Jason Baron -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230623180523.1901230-1-jbaron@akamai.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/md/raid0.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++------- - drivers/md/raid0.h | 1 - 2 files changed, 55 insertions(+), 8 deletions(-) - ---- a/drivers/md/raid0.c -+++ b/drivers/md/raid0.c -@@ -296,6 +296,18 @@ static int create_strip_zones(struct mdd - goto abort; - } - -+ if (conf->layout == RAID0_ORIG_LAYOUT) { -+ for (i = 1; i < conf->nr_strip_zones; i++) { -+ sector_t first_sector = conf->strip_zone[i-1].zone_end; -+ -+ sector_div(first_sector, mddev->chunk_sectors); -+ zone = conf->strip_zone + i; -+ /* disk_shift is first disk index used in the zone */ -+ zone->disk_shift = sector_div(first_sector, -+ zone->nb_dev); -+ } -+ } -+ - pr_debug("md/raid0:%s: done.\n", mdname(mddev)); - *private_conf = conf; - -@@ -482,6 +494,20 @@ static inline int is_io_in_chunk_boundar - } - } - -+/* -+ * Convert disk_index to the disk order in which it is read/written. -+ * For example, if we have 4 disks, they are numbered 0,1,2,3. If we -+ * write the disks starting at disk 3, then the read/write order would -+ * be disk 3, then 0, then 1, and then disk 2 and we want map_disk_shift() -+ * to map the disks as follows 0,1,2,3 => 1,2,3,0. So disk 0 would map -+ * to 1, 1 to 2, 2 to 3, and 3 to 0. That way we can compare disks in -+ * that 'output' space to understand the read/write disk ordering. -+ */ -+static int map_disk_shift(int disk_index, int num_disks, int disk_shift) -+{ -+ return ((disk_index + num_disks - disk_shift) % num_disks); -+} -+ - static void raid0_handle_discard(struct mddev *mddev, struct bio *bio) - { - struct r0conf *conf = mddev->private; -@@ -495,7 +521,9 @@ static void raid0_handle_discard(struct - sector_t end_disk_offset; - unsigned int end_disk_index; - unsigned int disk; -+ sector_t orig_start, orig_end; - -+ orig_start = start; - zone = find_zone(conf, &start); - - if (bio_end_sector(bio) > zone->zone_end) { -@@ -509,6 +537,7 @@ static void raid0_handle_discard(struct - } else - end = bio_end_sector(bio); - -+ orig_end = end; - if (zone != conf->strip_zone) - end = end - zone[-1].zone_end; - -@@ -520,13 +549,26 @@ static void raid0_handle_discard(struct - last_stripe_index = end; - sector_div(last_stripe_index, stripe_size); - -- start_disk_index = (int)(start - first_stripe_index * stripe_size) / -- mddev->chunk_sectors; -+ /* In the first zone the original and alternate layouts are the same */ -+ if ((conf->layout == RAID0_ORIG_LAYOUT) && (zone != conf->strip_zone)) { -+ sector_div(orig_start, mddev->chunk_sectors); -+ start_disk_index = sector_div(orig_start, zone->nb_dev); -+ start_disk_index = map_disk_shift(start_disk_index, -+ zone->nb_dev, -+ zone->disk_shift); -+ sector_div(orig_end, mddev->chunk_sectors); -+ end_disk_index = sector_div(orig_end, zone->nb_dev); -+ end_disk_index = map_disk_shift(end_disk_index, -+ zone->nb_dev, zone->disk_shift); -+ } else { -+ start_disk_index = (int)(start - first_stripe_index * stripe_size) / -+ mddev->chunk_sectors; -+ end_disk_index = (int)(end - last_stripe_index * stripe_size) / -+ mddev->chunk_sectors; -+ } - start_disk_offset = ((int)(start - first_stripe_index * stripe_size) % - mddev->chunk_sectors) + - first_stripe_index * mddev->chunk_sectors; -- end_disk_index = (int)(end - last_stripe_index * stripe_size) / -- mddev->chunk_sectors; - end_disk_offset = ((int)(end - last_stripe_index * stripe_size) % - mddev->chunk_sectors) + - last_stripe_index * mddev->chunk_sectors; -@@ -535,18 +577,22 @@ static void raid0_handle_discard(struct - sector_t dev_start, dev_end; - struct bio *discard_bio = NULL; - struct md_rdev *rdev; -+ int compare_disk; -+ -+ compare_disk = map_disk_shift(disk, zone->nb_dev, -+ zone->disk_shift); - -- if (disk < start_disk_index) -+ if (compare_disk < start_disk_index) - dev_start = (first_stripe_index + 1) * - mddev->chunk_sectors; -- else if (disk > start_disk_index) -+ else if (compare_disk > start_disk_index) - dev_start = first_stripe_index * mddev->chunk_sectors; - else - dev_start = start_disk_offset; - -- if (disk < end_disk_index) -+ if (compare_disk < end_disk_index) - dev_end = (last_stripe_index + 1) * mddev->chunk_sectors; -- else if (disk > end_disk_index) -+ else if (compare_disk > end_disk_index) - dev_end = last_stripe_index * mddev->chunk_sectors; - else - dev_end = end_disk_offset; ---- a/drivers/md/raid0.h -+++ b/drivers/md/raid0.h -@@ -6,6 +6,7 @@ struct strip_zone { - sector_t zone_end; /* Start of the next zone (in sectors) */ - sector_t dev_start; /* Zone offset in real dev (in sectors) */ - int nb_dev; /* # of devices attached to the zone */ -+ int disk_shift; /* start disk for the original layout */ - }; - - /* Linux 3.14 (20d0189b101) made an unintended change to diff --git a/queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch deleted file mode 100644 index b2d63a56285..00000000000 --- a/queue-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch +++ /dev/null @@ -1,65 +0,0 @@ -From c42045a300917bf19d72afa28c7485a1e242ad54 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 May 2023 21:48:05 +0800 -Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter - -From: Li Nan - -[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] - -If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() -will return -EINVAL because 'page >= bitmap->pages', but the return value -was not checked immediately in md_bitmap_get_counter() in order to set -*blocks value and slab-out-of-bounds occurs. - -Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and -return directly if true. - -Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") -Signed-off-by: Li Nan -Reviewed-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/md-bitmap.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c -index 1c4c462787198..7ca81e917aef4 100644 ---- a/drivers/md/md-bitmap.c -+++ b/drivers/md/md-bitmap.c -@@ -53,14 +53,7 @@ __acquires(bitmap->lock) - { - unsigned char *mappage; - -- if (page >= bitmap->pages) { -- /* This can happen if bitmap_start_sync goes beyond -- * End-of-device while looking for a whole page. -- * It is harmless. -- */ -- return -EINVAL; -- } -- -+ WARN_ON_ONCE(page >= bitmap->pages); - if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */ - return 0; - -@@ -1368,6 +1361,14 @@ __acquires(bitmap->lock) - sector_t csize; - int err; - -+ if (page >= bitmap->pages) { -+ /* -+ * This can happen if bitmap_start_sync goes beyond -+ * End-of-device while looking for a whole page or -+ * user set a huge number to sysfs bitmap_set_bits. -+ */ -+ return NULL; -+ } - err = md_bitmap_checkpage(bitmap, page, create, 0); - - if (bitmap->bp[page].hijacked || --- -2.39.2 - diff --git a/queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch deleted file mode 100644 index 325b0cb9437..00000000000 --- a/queue-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 259441acc7d9499e917ec4612b2d9d732e643a53 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 2 Jun 2023 17:18:39 +0800 -Subject: md/raid10: fix io loss while replacement replace rdev - -From: Li Nan - -[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] - -When removing a disk with replacement, the replacement will be used to -replace rdev. During this process, there is a brief window in which both -rdev and replacement are read as NULL in raid10_write_request(). This -will result in io not being submitted but it should be. - - //remove //write - raid10_remove_disk raid10_write_request - mirror->rdev = NULL - read rdev -> NULL - mirror->rdev = mirror->replacement - mirror->replacement = NULL - read replacement -> NULL - -Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() -to prevent memory reordering. - -Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") -Signed-off-by: Li Nan -Reviewed-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/raid10.c | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index f6d2be1d23864..d46056b07c079 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -781,8 +781,16 @@ static struct md_rdev *read_balance(struct r10conf *conf, - disk = r10_bio->devs[slot].devnum; - rdev = rcu_dereference(conf->mirrors[disk].replacement); - if (rdev == NULL || test_bit(Faulty, &rdev->flags) || -- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset) -+ r10_bio->devs[slot].addr + sectors > -+ rdev->recovery_offset) { -+ /* -+ * Read replacement first to prevent reading both rdev -+ * and replacement as NULL during replacement replace -+ * rdev. -+ */ -+ smp_mb(); - rdev = rcu_dereference(conf->mirrors[disk].rdev); -+ } - if (rdev == NULL || - test_bit(Faulty, &rdev->flags)) - continue; -@@ -1400,9 +1408,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, - - for (i = 0; i < conf->copies; i++) { - int d = r10_bio->devs[i].devnum; -- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev); -- struct md_rdev *rrdev = rcu_dereference( -- conf->mirrors[d].replacement); -+ struct md_rdev *rdev, *rrdev; -+ -+ rrdev = rcu_dereference(conf->mirrors[d].replacement); -+ /* -+ * Read replacement first to prevent reading both rdev and -+ * replacement as NULL during replacement replace rdev. -+ */ -+ smp_mb(); -+ rdev = rcu_dereference(conf->mirrors[d].rdev); - if (rdev == rrdev) - rrdev = NULL; - if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { --- -2.39.2 - diff --git a/queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch deleted file mode 100644 index 68be8949886..00000000000 --- a/queue-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 06023f86c6d335ab7cbc42c39fdf4677bddab0d7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 May 2023 15:25:33 +0800 -Subject: md/raid10: fix overflow of md/safe_mode_delay - -From: Li Nan - -[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] - -There is no input check when echo md/safe_mode_delay in safe_delay_store(). -And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by -checking overflow in safe_delay_store() and use unsigned long conversion in -safe_delay_show(). - -Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers") -Signed-off-by: Li Nan -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/md.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index f8c111b369928..ad3e666b9d735 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -3671,8 +3671,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale) - static ssize_t - safe_delay_show(struct mddev *mddev, char *page) - { -- int msec = (mddev->safemode_delay*1000)/HZ; -- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000); -+ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ; -+ -+ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000); - } - static ssize_t - safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) -@@ -3684,7 +3685,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) - return -EINVAL; - } - -- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0) -+ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ) - return -EINVAL; - if (msec == 0) - mddev->safemode_delay = 0; --- -2.39.2 - diff --git a/queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch deleted file mode 100644 index 92a048b1d02..00000000000 --- a/queue-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 3ac2cda1e64e9661ec83abeb47a94e2514a776f6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 22 May 2023 15:25:34 +0800 -Subject: md/raid10: fix wrong setting of max_corr_read_errors - -From: Li Nan - -[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] - -There is no input check when echo md/max_read_errors and overflow might -occur. Add check of input number. - -Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") -Signed-off-by: Li Nan -Reviewed-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/md.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/md/md.c b/drivers/md/md.c -index ad3e666b9d735..2e23a898fc978 100644 ---- a/drivers/md/md.c -+++ b/drivers/md/md.c -@@ -4337,6 +4337,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len - rv = kstrtouint(buf, 10, &n); - if (rv < 0) - return rv; -+ if (n > INT_MAX) -+ return -EINVAL; - atomic_set(&mddev->max_corr_read_errors, n); - return len; - } --- -2.39.2 - diff --git a/queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch deleted file mode 100644 index f2b33679d76..00000000000 --- a/queue-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 1028f0b7c80c5262aa6683b18d6334476dd55f25 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 May 2023 21:11:00 +0800 -Subject: md/raid10: prevent soft lockup while flush writes - -From: Yu Kuai - -[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] - -Currently, there is no limit for raid1/raid10 plugged bio. While flushing -writes, raid1 has cond_resched() while raid10 doesn't, and too many -writes can cause soft lockup. - -Follow up soft lockup can be triggered easily with writeback test for -raid10 with ramdisks: - -watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] -Call Trace: - - call_rcu+0x16/0x20 - put_object+0x41/0x80 - __delete_object+0x50/0x90 - delete_object_full+0x2b/0x40 - kmemleak_free+0x46/0xa0 - slab_free_freelist_hook.constprop.0+0xed/0x1a0 - kmem_cache_free+0xfd/0x300 - mempool_free_slab+0x1f/0x30 - mempool_free+0x3a/0x100 - bio_free+0x59/0x80 - bio_put+0xcf/0x2c0 - free_r10bio+0xbf/0xf0 - raid_end_bio_io+0x78/0xb0 - one_write_done+0x8a/0xa0 - raid10_end_write_request+0x1b4/0x430 - bio_endio+0x175/0x320 - brd_submit_bio+0x3b9/0x9b7 [brd] - __submit_bio+0x69/0xe0 - submit_bio_noacct_nocheck+0x1e6/0x5a0 - submit_bio_noacct+0x38c/0x7e0 - flush_pending_writes+0xf0/0x240 - raid10d+0xac/0x1ed0 - -Fix the problem by adding cond_resched() to raid10 like what raid1 did. - -Note that unlimited plugged bio still need to be optimized, for example, -in the case of lots of dirty pages writeback, this will take lots of -memory and io will spend a long time in plug, hence io latency is bad. - -Signed-off-by: Yu Kuai -Signed-off-by: Song Liu -Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com -Signed-off-by: Sasha Levin ---- - drivers/md/raid10.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index d46056b07c079..bee694be20132 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -942,6 +942,7 @@ static void flush_pending_writes(struct r10conf *conf) - else - generic_make_request(bio); - bio = next; -+ cond_resched(); - } - blk_finish_plug(&plug); - } else -@@ -1127,6 +1128,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) - else - generic_make_request(bio); - bio = next; -+ cond_resched(); - } - kfree(plug); - } --- -2.39.2 - diff --git a/queue-4.19/media-usb-check-az6007_read-return-value.patch b/queue-4.19/media-usb-check-az6007_read-return-value.patch deleted file mode 100644 index f05565620a3..00000000000 --- a/queue-4.19/media-usb-check-az6007_read-return-value.patch +++ /dev/null @@ -1,38 +0,0 @@ -From d012063f1e944dad67033cc0cd1fde30da0e3268 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Mar 2023 10:04:49 -0700 -Subject: media: usb: Check az6007_read() return value - -From: Daniil Dulov - -[ Upstream commit fdaca63186f59fc664b346c45b76576624b48e57 ] - -If az6007_read() returns error, there is no sence to continue. - -Found by Linux Verification Center (linuxtesting.org) with SVACE. - -Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter") -Signed-off-by: Daniil Dulov -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c -index 746926364535d..8e914be5b7c5e 100644 ---- a/drivers/media/usb/dvb-usb-v2/az6007.c -+++ b/drivers/media/usb/dvb-usb-v2/az6007.c -@@ -210,7 +210,8 @@ static int az6007_rc_query(struct dvb_usb_device *d) - unsigned code; - enum rc_proto proto; - -- az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10); -+ if (az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10) < 0) -+ return -EIO; - - if (st->data[1] == 0x44) - return 0; --- -2.39.2 - diff --git a/queue-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch b/queue-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch deleted file mode 100644 index 1eeacc4c3b3..00000000000 --- a/queue-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 0bfc643423d21b0d842787fc278020696fbfc558 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 23 May 2023 07:59:32 +0800 -Subject: media: usb: siano: Fix warning due to null work_func_t function - pointer - -From: Duoming Zhou - -[ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ] - -The previous commit ebad8e731c1c ("media: usb: siano: Fix use after -free bugs caused by do_submit_urb") adds cancel_work_sync() in -smsusb_stop_streaming(). But smsusb_stop_streaming() may be called, -even if the work_struct surb->wq has not been initialized. As a result, -the warning will occur. One of the processes that could lead to warning -is shown below: - -smsusb_probe() - smsusb_init_device() - if (!dev->in_ep || !dev->out_ep || align < 0) { - smsusb_term_device(intf); - smsusb_stop_streaming() - cancel_work_sync(&dev->surbs[i].wq); - __cancel_work_timer() - __flush_work() - if (WARN_ON(!work->func)) // work->func is null - -The log reported by syzbot is shown below: - -WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063 -Modules linked in: -CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0 -RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066 -... -RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246 -RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e -RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8 -RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f -R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8 -R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001 -FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - - __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160 - smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline] - smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344 - smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419 - smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567 -... - -This patch adds check before cancel_work_sync(). If surb->wq has not -been initialized, the cancel_work_sync() will not be executed. - -Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com -Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") -Signed-off-by: Duoming Zhou -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - drivers/media/usb/siano/smsusb.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c -index 2df3d730ea768..cd706874899c3 100644 ---- a/drivers/media/usb/siano/smsusb.c -+++ b/drivers/media/usb/siano/smsusb.c -@@ -190,7 +190,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) - - for (i = 0; i < MAX_URBS; i++) { - usb_kill_urb(&dev->surbs[i].urb); -- cancel_work_sync(&dev->surbs[i].wq); -+ if (dev->surbs[i].wq.func) -+ cancel_work_sync(&dev->surbs[i].wq); - - if (dev->surbs[i].cb) { - smscore_putbuffer(dev->coredev, dev->surbs[i].cb); --- -2.39.2 - diff --git a/queue-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch b/queue-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch deleted file mode 100644 index bd304440a75..00000000000 --- a/queue-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch +++ /dev/null @@ -1,62 +0,0 @@ -From e893f0ec9971c9347a2a0414e40093f005b71e03 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 18 May 2023 15:36:49 +0200 -Subject: media: videodev2.h: Fix struct v4l2_input tuner index comment - -From: Marek Vasut - -[ Upstream commit 26ae58f65e64fa7ba61d64bae752e59e08380c6a ] - -VIDIOC_ENUMINPUT documentation describes the tuner field of -struct v4l2_input as index: - -Documentation/userspace-api/media/v4l/vidioc-enuminput.rst -" -* - __u32 - - ``tuner`` - - Capture devices can have zero or more tuners (RF demodulators). - When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an - RF connector and this field identifies the tuner. It corresponds - to struct :c:type:`v4l2_tuner` field ``index``. For - details on tuners see :ref:`tuner`. -" - -Drivers I could find also use the 'tuner' field as an index, e.g.: -drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input() -drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input() - -However, the UAPI comment claims this field is 'enum v4l2_tuner_type': -include/uapi/linux/videodev2.h - -This field being 'enum v4l2_tuner_type' is unlikely as it seems to be -never used that way in drivers, and documentation confirms it. It seem -this comment got in accidentally in the commit which this patch fixes. -Fix the UAPI comment to stop confusion. - -This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT -support for strace. - -Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs") -Signed-off-by: Marek Vasut -Signed-off-by: Hans Verkuil -Signed-off-by: Sasha Levin ---- - include/uapi/linux/videodev2.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h -index ad6a633f5848a..ac22e7f062399 100644 ---- a/include/uapi/linux/videodev2.h -+++ b/include/uapi/linux/videodev2.h -@@ -1510,7 +1510,7 @@ struct v4l2_input { - __u8 name[32]; /* Label */ - __u32 type; /* Type of input */ - __u32 audioset; /* Associated audios (bitfield) */ -- __u32 tuner; /* enum v4l2_tuner_type */ -+ __u32 tuner; /* Tuner index */ - v4l2_std_id std; - __u32 status; - __u32 capabilities; --- -2.39.2 - diff --git a/queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch deleted file mode 100644 index f489c149c25..00000000000 --- a/queue-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch +++ /dev/null @@ -1,49 +0,0 @@ -From e30b96869547af066175585c4913bfb9bbf5e916 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 16 May 2023 22:27:04 +0200 -Subject: memstick r592: make memstick_debug_get_tpc_name() static - -From: Arnd Bergmann - -[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ] - -There are no other files referencing this function, apparently -it was left global to avoid an 'unused function' warning when -the only caller is left out. With a 'W=1' build, it causes -a 'missing prototype' warning though: - -drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes] - -Annotate the function as 'static __maybe_unused' to avoid both -problems. - -Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") -Signed-off-by: Arnd Bergmann -Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org -Signed-off-by: Ulf Hansson -Signed-off-by: Sasha Levin ---- - drivers/memstick/host/r592.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c -index edb1b5588b7a0..6360f5c6d3958 100644 ---- a/drivers/memstick/host/r592.c -+++ b/drivers/memstick/host/r592.c -@@ -47,12 +47,10 @@ static const char *tpc_names[] = { - * memstick_debug_get_tpc_name - debug helper that returns string for - * a TPC number - */ --const char *memstick_debug_get_tpc_name(int tpc) -+static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc) - { - return tpc_names[tpc-1]; - } --EXPORT_SYMBOL(memstick_debug_get_tpc_name); -- - - /* Read a register*/ - static inline u32 r592_read_reg(struct r592_device *dev, int address) --- -2.39.2 - diff --git a/queue-4.19/meson-saradc-fix-clock-divider-mask-length.patch b/queue-4.19/meson-saradc-fix-clock-divider-mask-length.patch deleted file mode 100644 index 4d6df65e8d9..00000000000 --- a/queue-4.19/meson-saradc-fix-clock-divider-mask-length.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c57fa0037024c92c2ca34243e79e857da5d2c0a9 Mon Sep 17 00:00:00 2001 -From: George Stark -Date: Tue, 6 Jun 2023 19:53:57 +0300 -Subject: meson saradc: fix clock divider mask length - -From: George Stark - -commit c57fa0037024c92c2ca34243e79e857da5d2c0a9 upstream. - -According to the datasheets of supported meson SoCs length of ADC_CLK_DIV -field is 6-bit. Although all supported SoCs have the register -with that field documented later SoCs use external clock rather than -ADC internal clock so this patch affects only meson8 family (S8* SoCs). - -Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs") -Signed-off-by: George Stark -Reviewed-by: Andy Shevchenko -Reviewed-by: Martin Blumenstingl -Link: https://lore.kernel.org/r/20230606165357.42417-1-gnstark@sberdevices.ru -Cc: -Signed-off-by: Jonathan Cameron -Signed-off-by: Greg Kroah-Hartman ---- - drivers/iio/adc/meson_saradc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/iio/adc/meson_saradc.c -+++ b/drivers/iio/adc/meson_saradc.c -@@ -75,7 +75,7 @@ - #define MESON_SAR_ADC_REG3_PANEL_DETECT_COUNT_MASK GENMASK(20, 18) - #define MESON_SAR_ADC_REG3_PANEL_DETECT_FILTER_TB_MASK GENMASK(17, 16) - #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_SHIFT 10 -- #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 5 -+ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 6 - #define MESON_SAR_ADC_REG3_BLOCK_DLY_SEL_MASK GENMASK(9, 8) - #define MESON_SAR_ADC_REG3_BLOCK_DLY_MASK GENMASK(7, 0) - diff --git a/queue-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch b/queue-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch deleted file mode 100644 index be8b6f28a98..00000000000 --- a/queue-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch +++ /dev/null @@ -1,38 +0,0 @@ -From d3266ffb81d44b80b833b11b52aa251047fa1ba4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 9 Jun 2023 09:48:18 +0800 -Subject: mfd: intel-lpss: Add missing check for platform_get_resource - -From: Jiasheng Jiang - -[ Upstream commit d918e0d5824495a75d00b879118b098fcab36fdb ] - -Add the missing check for platform_get_resource and return error -if it fails. - -Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices") -Signed-off-by: Jiasheng Jiang -Signed-off-by: Lee Jones -Link: https://lore.kernel.org/r/20230609014818.28475-1-jiasheng@iscas.ac.cn -Signed-off-by: Sasha Levin ---- - drivers/mfd/intel-lpss-acpi.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c -index fc44fb7c595bc..281ef5f52eb55 100644 ---- a/drivers/mfd/intel-lpss-acpi.c -+++ b/drivers/mfd/intel-lpss-acpi.c -@@ -92,6 +92,9 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev) - return -ENOMEM; - - info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); -+ if (!info->mem) -+ return -ENODEV; -+ - info->irq = platform_get_irq(pdev, 0); - - ret = intel_lpss_probe(&pdev->dev, info); --- -2.39.2 - diff --git a/queue-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch b/queue-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch deleted file mode 100644 index e8a07f96464..00000000000 --- a/queue-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 135ecabb089f9739c90fcfc093e4fca81157e8f9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 15 May 2023 22:57:10 +0200 -Subject: mfd: rt5033: Drop rt5033-battery sub-device - -From: Stephan Gerhold - -[ Upstream commit 43db1344e0f8c1eb687a1d6cd5b0de3009ab66cb ] - -The fuel gauge in the RT5033 PMIC (rt5033-battery) has its own I2C bus -and interrupt lines. Therefore, it is not part of the MFD device -and needs to be specified separately in the device tree. - -Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.") -Signed-off-by: Stephan Gerhold -Signed-off-by: Jakob Hauser -Reviewed-by: Linus Walleij -Signed-off-by: Lee Jones -Link: https://lore.kernel.org/r/6a8a19bc67b5be3732882e8131ad2ffcb546ac03.1684182964.git.jahau@rocketmail.com -Signed-off-by: Sasha Levin ---- - drivers/mfd/rt5033.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c -index 9bd089c563753..94cdad91c0657 100644 ---- a/drivers/mfd/rt5033.c -+++ b/drivers/mfd/rt5033.c -@@ -44,9 +44,6 @@ static const struct mfd_cell rt5033_devs[] = { - { - .name = "rt5033-charger", - .of_compatible = "richtek,rt5033-charger", -- }, { -- .name = "rt5033-battery", -- .of_compatible = "richtek,rt5033-battery", - }, { - .name = "rt5033-led", - .of_compatible = "richtek,rt5033-led", --- -2.39.2 - diff --git a/queue-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch b/queue-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch deleted file mode 100644 index 2bc8ba83b53..00000000000 --- a/queue-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 85501700b904c3cc48cc73d347156cfc1c525962 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 17 Jun 2023 12:43:16 +0200 -Subject: mfd: stmpe: Only disable the regulators if they are enabled - -From: Christophe JAILLET - -[ Upstream commit 104d32bd81f620bb9f67fbf7d1159c414e89f05f ] - -In stmpe_probe(), if some regulator_enable() calls fail, probing continues -and there is only a dev_warn(). - -So, if stmpe_probe() is called the regulator may not be enabled. It is -cleaner to test it before calling regulator_disable() in the remove -function. - -Fixes: 9c9e321455fb ("mfd: stmpe: add optional regulators") -Signed-off-by: Christophe JAILLET -Reviewed-by: Linus Walleij -Link: https://lore.kernel.org/r/8de3aaf297931d655b9ad6aed548f4de8b85425a.1686998575.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Lee Jones -Signed-off-by: Sasha Levin ---- - drivers/mfd/stmpe.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c -index 722ad2c368a56..d752c56d60e42 100644 ---- a/drivers/mfd/stmpe.c -+++ b/drivers/mfd/stmpe.c -@@ -1428,9 +1428,9 @@ int stmpe_probe(struct stmpe_client_info *ci, enum stmpe_partnum partnum) - - int stmpe_remove(struct stmpe *stmpe) - { -- if (!IS_ERR(stmpe->vio)) -+ if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio)) - regulator_disable(stmpe->vio); -- if (!IS_ERR(stmpe->vcc)) -+ if (!IS_ERR(stmpe->vcc) && regulator_is_enabled(stmpe->vcc)) - regulator_disable(stmpe->vcc); - - mfd_remove_devices(stmpe->dev); --- -2.39.2 - diff --git a/queue-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch b/queue-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch deleted file mode 100644 index 53c0fffe7e8..00000000000 --- a/queue-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f61b7634a3249d12b9daa36ffbdb9965b6f24c6c Mon Sep 17 00:00:00 2001 -From: Damien Le Moal -Date: Sat, 15 Apr 2023 11:35:39 +0900 -Subject: misc: pci_endpoint_test: Free IRQs before removing the device - -From: Damien Le Moal - -commit f61b7634a3249d12b9daa36ffbdb9965b6f24c6c upstream. - -In pci_endpoint_test_remove(), freeing the IRQs after removing the device -creates a small race window for IRQs to be received with the test device -memory already released, causing the IRQ handler to access invalid memory, -resulting in an oops. - -Free the device IRQs before removing the device to avoid this issue. - -Link: https://lore.kernel.org/r/20230415023542.77601-15-dlemoal@kernel.org -Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands") -Signed-off-by: Damien Le Moal -Signed-off-by: Lorenzo Pieralisi -Signed-off-by: Bjorn Helgaas -Reviewed-by: Manivannan Sadhasivam -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/misc/pci_endpoint_test.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/misc/pci_endpoint_test.c -+++ b/drivers/misc/pci_endpoint_test.c -@@ -785,6 +785,9 @@ static void pci_endpoint_test_remove(str - if (id < 0) - return; - -+ pci_endpoint_test_release_irq(test); -+ pci_endpoint_test_free_irq_vectors(test); -+ - misc_deregister(&test->miscdev); - kfree(misc_device->name); - ida_simple_remove(&pci_endpoint_test_ida, id); -@@ -793,9 +796,6 @@ static void pci_endpoint_test_remove(str - pci_iounmap(pdev, test->bar[bar]); - } - -- pci_endpoint_test_release_irq(test); -- pci_endpoint_test_free_irq_vectors(test); -- - pci_release_regions(pdev); - pci_disable_device(pdev); - } diff --git a/queue-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch b/queue-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch deleted file mode 100644 index e61770d6df5..00000000000 --- a/queue-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch +++ /dev/null @@ -1,44 +0,0 @@ -From fb620ae73b70c2f57b9d3e911fc24c024ba2324f Mon Sep 17 00:00:00 2001 -From: Damien Le Moal -Date: Sat, 15 Apr 2023 11:35:40 +0900 -Subject: misc: pci_endpoint_test: Re-init completion for every test - -From: Damien Le Moal - -commit fb620ae73b70c2f57b9d3e911fc24c024ba2324f upstream. - -The irq_raised completion used to detect the end of a test case is -initialized when the test device is probed, but never reinitialized again -before a test case. As a result, the irq_raised completion synchronization -is effective only for the first ioctl test case executed. Any subsequent -call to wait_for_completion() by another ioctl() call will immediately -return, potentially too early, leading to false positive failures. - -Fix this by reinitializing the irq_raised completion before starting a new -ioctl() test command. - -Link: https://lore.kernel.org/r/20230415023542.77601-16-dlemoal@kernel.org -Fixes: 2c156ac71c6b ("misc: Add host side PCI driver for PCI test function device") -Signed-off-by: Damien Le Moal -Signed-off-by: Lorenzo Pieralisi -Signed-off-by: Bjorn Helgaas -Reviewed-by: Manivannan Sadhasivam -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/misc/pci_endpoint_test.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/misc/pci_endpoint_test.c -+++ b/drivers/misc/pci_endpoint_test.c -@@ -601,6 +601,10 @@ static long pci_endpoint_test_ioctl(stru - struct pci_dev *pdev = test->pdev; - - mutex_lock(&test->mutex); -+ -+ reinit_completion(&test->irq_raised); -+ test->last_irq = -ENODATA; -+ - switch (cmd) { - case PCITEST_BAR: - bar = arg; diff --git a/queue-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch b/queue-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch deleted file mode 100644 index c77405ac358..00000000000 --- a/queue-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch +++ /dev/null @@ -1,46 +0,0 @@ -From f1738a1f816233e6dfc2407f24a31d596643fd90 Mon Sep 17 00:00:00 2001 -From: Robert Marko -Date: Mon, 19 Jun 2023 21:35:58 +0200 -Subject: mmc: core: disable TRIM on Kingston EMMC04G-M627 - -From: Robert Marko - -commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream. - -It seems that Kingston EMMC04G-M627 despite advertising TRIM support does -not work when the core is trying to use REQ_OP_WRITE_ZEROES. - -We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did -not previously have and tracked it down to REQ_OP_WRITE_ZEROES. - -Trying to use fstrim seems to also throw errors like: -[93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2 - -Disabling TRIM makes the error go away, so lets add a quirk for this eMMC -to disable TRIM. - -Signed-off-by: Robert Marko -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com -Signed-off-by: Ulf Hansson -Signed-off-by: Greg Kroah-Hartman ---- - drivers/mmc/core/quirks.h | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/mmc/core/quirks.h -+++ b/drivers/mmc/core/quirks.h -@@ -91,6 +91,13 @@ static const struct mmc_fixup mmc_blk_fi - MMC_QUIRK_SEC_ERASE_TRIM_BROKEN), - - /* -+ * Kingston EMMC04G-M627 advertises TRIM but it does not seems to -+ * support being used to offload WRITE_ZEROES. -+ */ -+ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc, -+ MMC_QUIRK_TRIM_BROKEN), -+ -+ /* - * On Some Kingston eMMCs, performing trim can result in - * unrecoverable data conrruption occasionally due to a firmware bug. - */ diff --git a/queue-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch b/queue-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch deleted file mode 100644 index 6730eea968d..00000000000 --- a/queue-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch +++ /dev/null @@ -1,44 +0,0 @@ -From dbfbddcddcebc9ce8a08757708d4e4a99d238e44 Mon Sep 17 00:00:00 2001 -From: Robert Marko -Date: Tue, 30 May 2023 23:32:59 +0200 -Subject: mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M - -From: Robert Marko - -commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream. - -It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does -not work when the core is trying to use REQ_OP_WRITE_ZEROES. - -We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W -that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES: -[ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2 - -Disabling TRIM makes the error go away, so lets add a quirk for this eMMC -to disable TRIM. - -Signed-off-by: Robert Marko -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com -Signed-off-by: Ulf Hansson -Signed-off-by: Greg Kroah-Hartman ---- - drivers/mmc/core/quirks.h | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/mmc/core/quirks.h -+++ b/drivers/mmc/core/quirks.h -@@ -98,6 +98,13 @@ static const struct mmc_fixup mmc_blk_fi - MMC_QUIRK_TRIM_BROKEN), - - /* -+ * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to -+ * support being used to offload WRITE_ZEROES. -+ */ -+ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc, -+ MMC_QUIRK_TRIM_BROKEN), -+ -+ /* - * On Some Kingston eMMCs, performing trim can result in - * unrecoverable data conrruption occasionally due to a firmware bug. - */ diff --git a/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch deleted file mode 100644 index 19ffd3bb20f..00000000000 --- a/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 900af37b23eddbb3069809f016b46b3a70a539a1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 1 Jun 2023 21:09:56 +0900 -Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} - -From: Masahiro Yamada - -[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] - -addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a -wrong way. - -Here, test code. - -[test code for R_ARM_JUMP24] - - .section .init.text,"ax" - bar: - bx lr - - .section .text,"ax" - .globl foo - foo: - b bar - -[test code for R_ARM_CALL] - - .section .init.text,"ax" - bar: - bx lr - - .section .text,"ax" - .globl foo - foo: - push {lr} - bl bar - pop {pc} - -If you compile it with ARM multi_v7_defconfig, modpost will show the -symbol name, (unknown). - - WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) - -(You need to use GNU linker instead of LLD to reproduce it.) - -Fix the code to make modpost show the correct symbol name. - -I imported (with adjustment) sign_extend32() from include/linux/bitops.h. - -The '+8' is the compensation for pc-relative instruction. It is -documented in "ELF for the Arm Architecture" [1]. - - "If the relocation is pc-relative then compensation for the PC bias - (the PC value is 8 bytes ahead of the executing instruction in Arm - state and 4 bytes in Thumb state) must be encoded in the relocation - by the object producer." - -[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst - -Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") -Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") -Signed-off-by: Masahiro Yamada -Signed-off-by: Sasha Levin ---- - scripts/mod/modpost.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c -index 41b1791a9463b..2060a3fe9691d 100644 ---- a/scripts/mod/modpost.c -+++ b/scripts/mod/modpost.c -@@ -1751,12 +1751,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) - #define R_ARM_THM_JUMP19 51 - #endif - -+static int32_t sign_extend32(int32_t value, int index) -+{ -+ uint8_t shift = 31 - index; -+ -+ return (int32_t)(value << shift) >> shift; -+} -+ - static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) - { - unsigned int r_typ = ELF_R_TYPE(r->r_info); - Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); - void *loc = reloc_location(elf, sechdr, r); - uint32_t inst; -+ int32_t offset; - - switch (r_typ) { - case R_ARM_ABS32: -@@ -1766,6 +1774,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) - case R_ARM_PC24: - case R_ARM_CALL: - case R_ARM_JUMP24: -+ inst = TO_NATIVE(*(uint32_t *)loc); -+ offset = sign_extend32((inst & 0x00ffffff) << 2, 25); -+ r->r_addend = offset + sym->st_value + 8; -+ break; - case R_ARM_THM_CALL: - case R_ARM_THM_JUMP24: - case R_ARM_THM_JUMP19: --- -2.39.2 - diff --git a/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch deleted file mode 100644 index 947c7ff4bbe..00000000000 --- a/queue-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 0d510b44c12ef373d8102b1be1652f7e485f1bf7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 1 Jun 2023 21:09:55 +0900 -Subject: modpost: fix section mismatch message for R_ARM_ABS32 - -From: Masahiro Yamada - -[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] - -addend_arm_rel() processes R_ARM_ABS32 in a wrong way. - -Here, test code. - - [test code 1] - - #include - - int __initdata foo; - int get_foo(void) { return foo; } - -If you compile it with ARM versatile_defconfig, modpost will show the -symbol name, (unknown). - - WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) - -(You need to use GNU linker instead of LLD to reproduce it.) - -If you compile it for other architectures, modpost will show the correct -symbol name. - - WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) - -For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. - -I just mimicked the code in arch/arm/kernel/module.c. - -However, there is more difficulty for ARM. - -Here, test code. - - [test code 2] - - #include - - int __initdata foo; - int get_foo(void) { return foo; } - - int __initdata bar; - int get_bar(void) { return bar; } - -With this commit applied, modpost will show the following messages -for ARM versatile_defconfig: - - WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) - WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) - -The reference from 'get_bar' to 'foo' seems wrong. - -I have no solution for this because it is true in assembly level. - -In the following output, relocation at 0x1c is no longer associated -with 'bar'. The two relocation entries point to the same symbol, and -the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. - - Disassembly of section .text: - - 00000000 : - 0: e59f3004 ldr r3, [pc, #4] @ c - 4: e5930000 ldr r0, [r3] - 8: e12fff1e bx lr - c: 00000000 .word 0x00000000 - - 00000010 : - 10: e59f3004 ldr r3, [pc, #4] @ 1c - 14: e5930004 ldr r0, [r3, #4] - 18: e12fff1e bx lr - 1c: 00000000 .word 0x00000000 - - Relocation section '.rel.text' at offset 0x244 contains 2 entries: - Offset Info Type Sym.Value Sym. Name - 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data - 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data - -When find_elf_symbol() gets into a situation where relsym->st_name is -zero, there is no guarantee to get the symbol name as written in C. - -I am keeping the current logic because it is useful in many architectures, -but the symbol name is not always correct depending on the optimization. -I left some comments in find_tosym(). - -Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") -Signed-off-by: Masahiro Yamada -Signed-off-by: Sasha Levin ---- - scripts/mod/modpost.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c -index 8c2847ef4e422..41b1791a9463b 100644 ---- a/scripts/mod/modpost.c -+++ b/scripts/mod/modpost.c -@@ -1260,6 +1260,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, - if (relsym->st_name != 0) - return relsym; - -+ /* -+ * Strive to find a better symbol name, but the resulting name may not -+ * match the symbol referenced in the original code. -+ */ - relsym_secindex = get_secindex(elf, relsym); - for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { - if (get_secindex(elf, sym) != relsym_secindex) -@@ -1750,12 +1754,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) - static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) - { - unsigned int r_typ = ELF_R_TYPE(r->r_info); -+ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); -+ void *loc = reloc_location(elf, sechdr, r); -+ uint32_t inst; - - switch (r_typ) { - case R_ARM_ABS32: -- /* From ARM ABI: (S + A) | T */ -- r->r_addend = (int)(long) -- (elf->symtab_start + ELF_R_SYM(r->r_info)); -+ inst = TO_NATIVE(*(uint32_t *)loc); -+ r->r_addend = inst + sym->st_value; - break; - case R_ARM_PC24: - case R_ARM_CALL: --- -2.39.2 - diff --git a/queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch b/queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch deleted file mode 100644 index 83da249fff2..00000000000 --- a/queue-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 7acd50017017a72aa1c54911c3e2fd8386dc3c3b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 20:21:59 +0800 -Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add - -From: Zhong Jinghua - -[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ] - -If the index allocated by idr_alloc greater than MINORMASK >> part_shift, -the device number will overflow, resulting in failure to create a block -device. - -Fix it by imiting the size of the max allocation. - -Signed-off-by: Zhong Jinghua -Reviewed-by: Christoph Hellwig -Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/block/nbd.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index 28024248a7b53..5a07964a1e676 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -1646,7 +1646,8 @@ static int nbd_dev_add(int index) - if (err == -ENOSPC) - err = -EEXIST; - } else { -- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL); -+ err = idr_alloc(&nbd_index_idr, nbd, 0, -+ (MINORMASK >> part_shift) + 1, GFP_KERNEL); - if (err >= 0) - index = err; - } --- -2.39.2 - diff --git a/queue-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch b/queue-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch deleted file mode 100644 index 733983a5ff2..00000000000 --- a/queue-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 Mon Sep 17 00:00:00 2001 -From: Florian Fainelli -Date: Thu, 22 Jun 2023 03:31:07 -0700 -Subject: net: bcmgenet: Ensure MDIO unregistration has clocks enabled - -From: Florian Fainelli - -commit 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 upstream. - -With support for Ethernet PHY LEDs having been added, while -unregistering a MDIO bus and its child device liks PHYs there may be -"late" accesses to the MDIO bus. One typical use case is setting the PHY -LEDs brightness to OFF for instance. - -We need to ensure that the MDIO bus controller remains entirely -functional since it runs off the main GENET adapter clock. - -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/all/20230617155500.4005881-1-andrew@lunn.ch/ -Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver") -Signed-off-by: Florian Fainelli -Reviewed-by: Andrew Lunn -Link: https://lore.kernel.org/r/20230622103107.1760280-1-florian.fainelli@broadcom.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/net/ethernet/broadcom/genet/bcmmii.c -+++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c -@@ -620,5 +620,7 @@ void bcmgenet_mii_exit(struct net_device - if (of_phy_is_fixed_link(dn)) - of_phy_deregister_fixed_link(dn); - of_node_put(priv->phy_dn); -+ clk_prepare_enable(priv->clk); - platform_device_unregister(priv->mii_pdev); -+ clk_disable_unprepare(priv->clk); - } diff --git a/queue-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch b/queue-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch deleted file mode 100644 index 5dcecec5102..00000000000 --- a/queue-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch +++ /dev/null @@ -1,198 +0,0 @@ -From d66c29881b68da5523baa978e1c93d3e344ead2b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jun 2023 19:41:18 +0300 -Subject: net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode - -From: Vladimir Oltean - -[ Upstream commit 6ca3c005d0604e8d2b439366e3923ea58db99641 ] - -According to the synchronization rules for .ndo_get_stats() as seen in -Documentation/networking/netdevices.rst, acquiring a plain spin_lock() -should not be illegal, but the bridge driver implementation makes it so. - -After running these commands, I am being faced with the following -lockdep splat: - -$ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up -$ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up -$ ip link set macsec0 master br0 && ip link set macsec0 up - - ======================================================== - WARNING: possible irq lock inversion dependency detected - 6.4.0-04295-g31b577b4bd4a #603 Not tainted - -------------------------------------------------------- - swapper/1/0 just changed the state of lock: - ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198 - but this lock took another, SOFTIRQ-unsafe lock in the past: - (&ocelot->stats_lock){+.+.}-{3:3} - - and interrupts could create inverse lock ordering between them. - - other info that might help us debug this: - Chain exists of: - &br->lock --> &br->hash_lock --> &ocelot->stats_lock - - Possible interrupt unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(&ocelot->stats_lock); - local_irq_disable(); - lock(&br->lock); - lock(&br->hash_lock); - - lock(&br->lock); - - *** DEADLOCK *** - -(details about the 3 locks skipped) - -swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this -only matters to the extent that its .ndo_get_stats64() method calls -spin_lock(&ocelot->stats_lock). - -Documentation/locking/lockdep-design.rst says: - -| A lock is irq-safe means it was ever used in an irq context, while a lock -| is irq-unsafe means it was ever acquired with irq enabled. - -(...) - -| Furthermore, the following usage based lock dependencies are not allowed -| between any two lock-classes:: -| -| -> -| -> - -Lockdep marks br->hash_lock as softirq-safe, because it is sometimes -taken in softirq context (for example br_fdb_update() which runs in -NET_RX softirq), and when it's not in softirq context it blocks softirqs -by using spin_lock_bh(). - -Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never -blocks softirqs from running, and it is never taken from softirq -context. So it can always be interrupted by softirqs. - -There is a call path through which a function that holds br->hash_lock: -fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock: -ocelot_port_get_stats64(). This can be seen below: - -ocelot_port_get_stats64+0x3c/0x1e0 -felix_get_stats64+0x20/0x38 -dsa_slave_get_stats64+0x3c/0x60 -dev_get_stats+0x74/0x2c8 -rtnl_fill_stats+0x4c/0x150 -rtnl_fill_ifinfo+0x5cc/0x7b8 -rtmsg_ifinfo_build_skb+0xe4/0x150 -rtmsg_ifinfo+0x5c/0xb0 -__dev_notify_flags+0x58/0x200 -__dev_set_promiscuity+0xa0/0x1f8 -dev_set_promiscuity+0x30/0x70 -macsec_dev_change_rx_flags+0x68/0x88 -__dev_set_promiscuity+0x1a8/0x1f8 -__dev_set_rx_mode+0x74/0xa8 -dev_uc_add+0x74/0xa0 -fdb_add_hw_addr+0x68/0xd8 -fdb_add_local+0xc4/0x110 -br_fdb_add_local+0x54/0x88 -br_add_if+0x338/0x4a0 -br_add_slave+0x20/0x38 -do_setlink+0x3a4/0xcb8 -rtnl_newlink+0x758/0x9d0 -rtnetlink_rcv_msg+0x2f0/0x550 -netlink_rcv_skb+0x128/0x148 -rtnetlink_rcv+0x24/0x38 - -the plain English explanation for it is: - -The macsec0 bridge port is created without p->flags & BR_PROMISC, -because it is what br_manage_promisc() decides for a VLAN filtering -bridge with a single auto port. - -As part of the br_add_if() procedure, br_fdb_add_local() is called for -the MAC address of the device, and this results in a call to -dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken. - -Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up -calling __dev_set_promiscuity() for macsec0, which is propagated by its -implementation, macsec_dev_change_rx_flags(), to the lower device: swp0. -This triggers the call path: - -dev_set_promiscuity(swp0) --> rtmsg_ifinfo() - -> dev_get_stats() - -> ocelot_port_get_stats64() - -with a calling context that lockdep doesn't like (br->hash_lock held). - -Normally we don't see this, because even though many drivers that can be -bridge ports don't support IFF_UNICAST_FLT, we need a driver that - -(a) doesn't support IFF_UNICAST_FLT, *and* -(b) it forwards the IFF_PROMISC flag to another driver, and -(c) *that* driver implements ndo_get_stats64() using a softirq-unsafe - spinlock. - -Condition (b) is necessary because the first __dev_set_rx_mode() calls -__dev_set_promiscuity() with "bool notify=false", and thus, the -rtmsg_ifinfo() code path won't be entered. - -The same criteria also hold true for DSA switches which don't report -IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its -ndo_get_stats64() method, the same lockdep splat can be seen. - -I think the deadlock possibility is real, even though I didn't reproduce -it, and I'm thinking of the following situation to support that claim: - -fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally -disabled and br->hash_lock held, and may end up attempting to acquire -ocelot->stats_lock. - -In parallel, ocelot->stats_lock is currently held by a thread B (say, -ocelot_check_stats_work()), which is interrupted while holding it by a -softirq which attempts to lock br->hash_lock. - -Thread B cannot make progress because br->hash_lock is held by A. Whereas -thread A cannot make progress because ocelot->stats_lock is held by B. - -When taking the issue at face value, the bridge can avoid that problem -by simply making the ports promiscuous from a code path with a saner -calling context (br->hash_lock not held). A bridge port without -IFF_UNICAST_FLT is going to become promiscuous as soon as we call -dev_uc_add() on it (which we do unconditionally), so why not be -preemptive and make it promiscuous right from the beginning, so as to -not be taken by surprise. - -With this, we've broken the links between code that holds br->hash_lock -or br->lock and code that calls into the ndo_change_rx_flags() or -ndo_get_stats64() ops of the bridge port. - -Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.") -Signed-off-by: Vladimir Oltean -Reviewed-by: Ido Schimmel -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/bridge/br_if.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c -index b5fb2b682e191..ab539551b7d39 100644 ---- a/net/bridge/br_if.c -+++ b/net/bridge/br_if.c -@@ -161,8 +161,9 @@ void br_manage_promisc(struct net_bridge *br) - * This lets us disable promiscuous mode and write - * this config to hw. - */ -- if (br->auto_cnt == 0 || -- (br->auto_cnt == 1 && br_auto_port(p))) -+ if ((p->dev->priv_flags & IFF_UNICAST_FLT) && -+ (br->auto_cnt == 0 || -+ (br->auto_cnt == 1 && br_auto_port(p)))) - br_port_clear_promisc(p); - else - br_port_set_promisc(p); --- -2.39.2 - diff --git a/queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch b/queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch deleted file mode 100644 index 297db3ad7ca..00000000000 --- a/queue-4.19/net-create-netdev-dev_addr-assignment-helpers.patch +++ /dev/null @@ -1,82 +0,0 @@ -From e30a64ceb7b11cf6fcd324236f5de49d836f811d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 Sep 2021 11:10:37 -0700 -Subject: net: create netdev->dev_addr assignment helpers - -From: Jakub Kicinski - -[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ] - -Recent work on converting address list to a tree made it obvious -we need an abstraction around writing netdev->dev_addr. Without -such abstraction updating the main device address is invisible -to the core. - -Introduce a number of helpers which for now just wrap memcpy() -but in the future can make necessary changes to the address -tree. - -Signed-off-by: Jakub Kicinski -Signed-off-by: David S. Miller -Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") -Signed-off-by: Sasha Levin ---- - include/linux/etherdevice.h | 12 ++++++++++++ - include/linux/netdevice.h | 18 ++++++++++++++++++ - 2 files changed, 30 insertions(+) - -diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h -index e1e9eff096d05..2932a40060c1d 100644 ---- a/include/linux/etherdevice.h -+++ b/include/linux/etherdevice.h -@@ -291,6 +291,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) - #endif - } - -+/** -+ * eth_hw_addr_set - Assign Ethernet address to a net_device -+ * @dev: pointer to net_device structure -+ * @addr: address to assign -+ * -+ * Assign given address to the net_device, addr_assign_type is not changed. -+ */ -+static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) -+{ -+ ether_addr_copy(dev->dev_addr, addr); -+} -+ - /** - * eth_hw_addr_inherit - Copy dev_addr from another net_device - * @dst: pointer to net_device to copy dev_addr to -diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h -index 90827d85265b0..7e9df3854420a 100644 ---- a/include/linux/netdevice.h -+++ b/include/linux/netdevice.h -@@ -4079,6 +4079,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, - void __hw_addr_init(struct netdev_hw_addr_list *list); - - /* Functions used for device addresses handling */ -+static inline void -+__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) -+{ -+ memcpy(dev->dev_addr, addr, len); -+} -+ -+static inline void dev_addr_set(struct net_device *dev, const u8 *addr) -+{ -+ __dev_addr_set(dev, addr, dev->addr_len); -+} -+ -+static inline void -+dev_addr_mod(struct net_device *dev, unsigned int offset, -+ const u8 *addr, size_t len) -+{ -+ memcpy(&dev->dev_addr[offset], addr, len); -+} -+ - int dev_addr_add(struct net_device *dev, const unsigned char *addr, - unsigned char addr_type); - int dev_addr_del(struct net_device *dev, const unsigned char *addr, --- -2.39.2 - diff --git a/queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch deleted file mode 100644 index f22db08d7b4..00000000000 --- a/queue-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 4b1ceed57aa791f16d3264dae3b1a75703df6675 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 12 Jul 2023 16:36:57 +0530 -Subject: net: ethernet: ti: cpsw_ale: Fix - cpsw_ale_get_field()/cpsw_ale_set_field() - -From: Tanmay Patil - -[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] - -CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. -The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the -field will be strictly contained within one word. However, this is not -guaranteed to be the case and it is possible for ALE field entries to span -across up to two words at the most. - -Fix the methods to handle getting/setting fields spanning up to two words. - -Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") -Signed-off-by: Tanmay Patil -[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] -Signed-off-by: Siddharth Vadapalli -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- - 1 file changed, 19 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c -index c245629a38c76..6cb98760bc84e 100644 ---- a/drivers/net/ethernet/ti/cpsw_ale.c -+++ b/drivers/net/ethernet/ti/cpsw_ale.c -@@ -67,23 +67,37 @@ - - static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) - { -- int idx; -+ int idx, idx2; -+ u32 hi_val = 0; - - idx = start / 32; -+ idx2 = (start + bits - 1) / 32; -+ /* Check if bits to be fetched exceed a word */ -+ if (idx != idx2) { -+ idx2 = 2 - idx2; /* flip */ -+ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); -+ } - start -= idx * 32; - idx = 2 - idx; /* flip */ -- return (ale_entry[idx] >> start) & BITMASK(bits); -+ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); - } - - static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, - u32 value) - { -- int idx; -+ int idx, idx2; - - value &= BITMASK(bits); -- idx = start / 32; -+ idx = start / 32; -+ idx2 = (start + bits - 1) / 32; -+ /* Check if bits to be set exceed a word */ -+ if (idx != idx2) { -+ idx2 = 2 - idx2; /* flip */ -+ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); -+ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); -+ } - start -= idx * 32; -- idx = 2 - idx; /* flip */ -+ idx = 2 - idx; /* flip */ - ale_entry[idx] &= ~(BITMASK(bits) << start); - ale_entry[idx] |= (value << start); - } --- -2.39.2 - diff --git a/queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch b/queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch deleted file mode 100644 index 096de135394..00000000000 --- a/queue-4.19/net-ipv6-check-return-value-of-pskb_trim.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 4f1ea261d5545d222edbe3ee226f6423f76ff7e5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 22:45:19 +0800 -Subject: net:ipv6: check return value of pskb_trim() - -From: Yuanjun Gong - -[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] - -goto tx_err if an unexpected result is returned by pskb_tirm() -in ip6erspan_tunnel_xmit(). - -Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") -Signed-off-by: Yuanjun Gong -Reviewed-by: David Ahern -Reviewed-by: Kuniyuki Iwashima -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/ip6_gre.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index 45c304b51b2b7..aa8ada354a399 100644 ---- a/net/ipv6/ip6_gre.c -+++ b/net/ipv6/ip6_gre.c -@@ -960,7 +960,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, - goto tx_err; - - if (skb->len > dev->mtu + dev->hard_header_len) { -- pskb_trim(skb, dev->mtu + dev->hard_header_len); -+ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) -+ goto tx_err; - truncate = true; - } - --- -2.39.2 - diff --git a/queue-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch b/queue-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch deleted file mode 100644 index 90db667a7af..00000000000 --- a/queue-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 7a8227b2e76be506b2ac64d2beac950ca04892a5 Mon Sep 17 00:00:00 2001 -From: Moritz Fischer -Date: Tue, 27 Jun 2023 03:50:00 +0000 -Subject: net: lan743x: Don't sleep in atomic context - -From: Moritz Fischer - -commit 7a8227b2e76be506b2ac64d2beac950ca04892a5 upstream. - -dev_set_rx_mode() grabs a spin_lock, and the lan743x implementation -proceeds subsequently to go to sleep using readx_poll_timeout(). - -Introduce a helper wrapping the readx_poll_timeout_atomic() function -and use it to replace the calls to readx_polL_timeout(). - -Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") -Cc: stable@vger.kernel.org -Cc: Bryan Whitehead -Cc: UNGLinuxDriver@microchip.com -Signed-off-by: Moritz Fischer -Reviewed-by: Andrew Lunn -Link: https://lore.kernel.org/r/20230627035000.1295254-1-moritzf@google.com -Signed-off-by: Paolo Abeni -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/microchip/lan743x_main.c | 21 +++++++++++++++++---- - 1 file changed, 17 insertions(+), 4 deletions(-) - ---- a/drivers/net/ethernet/microchip/lan743x_main.c -+++ b/drivers/net/ethernet/microchip/lan743x_main.c -@@ -80,6 +80,18 @@ static int lan743x_csr_light_reset(struc - !(data & HW_CFG_LRST_), 100000, 10000000); - } - -+static int lan743x_csr_wait_for_bit_atomic(struct lan743x_adapter *adapter, -+ int offset, u32 bit_mask, -+ int target_value, int udelay_min, -+ int udelay_max, int count) -+{ -+ u32 data; -+ -+ return readx_poll_timeout_atomic(LAN743X_CSR_READ_OP, offset, data, -+ target_value == !!(data & bit_mask), -+ udelay_max, udelay_min * count); -+} -+ - static int lan743x_csr_wait_for_bit(struct lan743x_adapter *adapter, - int offset, u32 bit_mask, - int target_value, int usleep_min, -@@ -675,8 +687,8 @@ static int lan743x_dp_write(struct lan74 - u32 dp_sel; - int i; - -- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, -- 1, 40, 100, 100)) -+ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, DP_SEL_DPRDY_, -+ 1, 40, 100, 100)) - return -EIO; - dp_sel = lan743x_csr_read(adapter, DP_SEL); - dp_sel &= ~DP_SEL_MASK_; -@@ -687,8 +699,9 @@ static int lan743x_dp_write(struct lan74 - lan743x_csr_write(adapter, DP_ADDR, addr + i); - lan743x_csr_write(adapter, DP_DATA_0, buf[i]); - lan743x_csr_write(adapter, DP_CMD, DP_CMD_WRITE_); -- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, -- 1, 40, 100, 100)) -+ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, -+ DP_SEL_DPRDY_, -+ 1, 40, 100, 100)) - return -EIO; - } - diff --git a/queue-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/queue-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch deleted file mode 100644 index 987b2a40ed8..00000000000 --- a/queue-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch +++ /dev/null @@ -1,48 +0,0 @@ -From f9e8a622e20536ae06e72b75b9d71051521991fb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 5 Jul 2023 07:37:12 +0200 -Subject: net: mvneta: fix txq_map in case of txq_number==1 - -From: Klaus Kudielka - -[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ] - -If we boot with mvneta.txq_number=1, the txq_map is set incorrectly: -MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is -initialized. Fix this. - -Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support") -Signed-off-by: Klaus Kudielka -Reviewed-by: Michal Kubiak -Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - drivers/net/ethernet/marvell/mvneta.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c -index f1a4b11ce0d19..512f9cd68070a 100644 ---- a/drivers/net/ethernet/marvell/mvneta.c -+++ b/drivers/net/ethernet/marvell/mvneta.c -@@ -1415,7 +1415,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) - */ - if (txq_number == 1) - txq_map = (cpu == pp->rxq_def) ? -- MVNETA_CPU_TXQ_ACCESS(1) : 0; -+ MVNETA_CPU_TXQ_ACCESS(0) : 0; - - } else { - txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK; -@@ -3665,7 +3665,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) - */ - if (txq_number == 1) - txq_map = (cpu == elected_cpu) ? -- MVNETA_CPU_TXQ_ACCESS(1) : 0; -+ MVNETA_CPU_TXQ_ACCESS(0) : 0; - else - txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) & - MVNETA_CPU_TXQ_ACCESS_ALL_MASK; --- -2.39.2 - diff --git a/queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch b/queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch deleted file mode 100644 index fa550b7fb0f..00000000000 --- a/queue-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch +++ /dev/null @@ -1,73 +0,0 @@ -From b1ff776eeefc168d9e591f6d3c7d58f3c7ac80f8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 24 Apr 2020 16:06:16 +0800 -Subject: net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX - -From: Cambda Zhu - -[ Upstream commit f0628c524fd188c3f9418e12478dfdfadacba815 ] - -This patch changes the behavior of TCP_LINGER2 about its limit. The -sysctl_tcp_fin_timeout used to be the limit of TCP_LINGER2 but now it's -only the default value. A new macro named TCP_FIN_TIMEOUT_MAX is added -as the limit of TCP_LINGER2, which is 2 minutes. - -Since TCP_LINGER2 used sysctl_tcp_fin_timeout as the default value -and the limit in the past, the system administrator cannot set the -default value for most of sockets and let some sockets have a greater -timeout. It might be a mistake that let the sysctl to be the limit of -the TCP_LINGER2. Maybe we can add a new sysctl to set the max of -TCP_LINGER2, but FIN-WAIT-2 timeout is usually no need to be too long -and 2 minutes are legal considering TCP specs. - -Changes in v3: -- Remove the new socket option and change the TCP_LINGER2 behavior so - that the timeout can be set to value between sysctl_tcp_fin_timeout - and 2 minutes. - -Changes in v2: -- Add int overflow check for the new socket option. - -Changes in v1: -- Add a new socket option to set timeout greater than - sysctl_tcp_fin_timeout. - -Signed-off-by: Cambda Zhu -Signed-off-by: David S. Miller -Stable-dep-of: 9df5335ca974 ("tcp: annotate data-races around tp->linger2") -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 1 + - net/ipv4/tcp.c | 4 ++-- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 81300a04b5808..22cca858f2678 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -128,6 +128,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo); - * to combine FIN-WAIT-2 timeout with - * TIME-WAIT timer. - */ -+#define TCP_FIN_TIMEOUT_MAX (120 * HZ) /* max TCP_LINGER2 value (two minutes) */ - - #define TCP_DELACK_MAX ((unsigned)(HZ/5)) /* maximal time to delay before sending an ACK */ - #if HZ >= 100 -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index cb96775fc86f6..9f3cdcbbb7590 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3001,8 +3001,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, - case TCP_LINGER2: - if (val < 0) - tp->linger2 = -1; -- else if (val > net->ipv4.sysctl_tcp_fin_timeout / HZ) -- tp->linger2 = 0; -+ else if (val > TCP_FIN_TIMEOUT_MAX / HZ) -+ tp->linger2 = TCP_FIN_TIMEOUT_MAX; - else - tp->linger2 = val * HZ; - break; --- -2.39.2 - diff --git a/queue-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch b/queue-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch deleted file mode 100644 index c8efee46236..00000000000 --- a/queue-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch +++ /dev/null @@ -1,57 +0,0 @@ -From df9234bee325290818da8d5735cbfcf37bb2115b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 3 Jul 2023 19:08:42 +0800 -Subject: net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX - -From: Lin Ma - -[ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ] - -The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and -one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is -smaller than the intended sizeof(struct tc_pedit). Hence, the -dereference in tcf_pedit_init() could access dirty heap data. - -static int tcf_pedit_init(...) -{ - // ... - pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included - if (!pattr) - pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not - - // ... - parm = nla_data(pattr); - - index = parm->index; // parm is able to be smaller than 4 bytes - // and this dereference gets dirty skb_buff - // data created in netlink_sendmsg -} - -This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid -the above case, just like the TCA_PEDIT_PARMS. - -Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers") -Signed-off-by: Lin Ma -Reviewed-by: Pedro Tammela -Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sched/act_pedit.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c -index aeb8f84cbd9e2..255d4ecf62522 100644 ---- a/net/sched/act_pedit.c -+++ b/net/sched/act_pedit.c -@@ -29,6 +29,7 @@ static struct tc_action_ops act_pedit_ops; - - static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = { - [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) }, -+ [TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) }, - [TCA_PEDIT_KEYS_EX] = { .type = NLA_NESTED }, - }; - --- -2.39.2 - diff --git a/queue-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch b/queue-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch deleted file mode 100644 index 0b060652053..00000000000 --- a/queue-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 19bfe7281d835cff53c41f2059bbd4222c112960 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jul 2023 23:16:34 -0300 -Subject: net/sched: make psched_mtu() RTNL-less safe - -From: Pedro Tammela - -[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ] - -Eric Dumazet says[1]: -------- -Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it -without holding RTNL, so dev->mtu can be changed underneath. -KCSAN could issue a warning. -------- - -Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning. - -[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/ - -v1 -> v2: Fix commit message - -Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") -Suggested-by: Eric Dumazet -Signed-off-by: Pedro Tammela -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/pkt_sched.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h -index e09ea6917c061..83a16f3bd6e6a 100644 ---- a/include/net/pkt_sched.h -+++ b/include/net/pkt_sched.h -@@ -131,7 +131,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1]; - */ - static inline unsigned int psched_mtu(const struct net_device *dev) - { -- return dev->mtu + dev->hard_header_len; -+ return READ_ONCE(dev->mtu) + dev->hard_header_len; - } - - static inline struct net *qdisc_net(struct Qdisc *q) --- -2.39.2 - diff --git a/queue-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch b/queue-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch deleted file mode 100644 index df60b163b1a..00000000000 --- a/queue-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch +++ /dev/null @@ -1,704 +0,0 @@ -From pablo@netfilter.org Wed Jul 5 18:55:24 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:10 +0200 -Subject: netfilter: add helper function to set up the nfnetlink header and use it -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-5-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 19c28b1374fb1073a9ec873a6c10bf5f16b10b9d ] - -This patch adds a helper function to set up the netlink and nfnetlink headers. -Update existing codebase to use it. - -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/netfilter/nfnetlink.h | 27 +++++++++ - net/netfilter/ipset/ip_set_core.c | 17 +---- - net/netfilter/nf_conntrack_netlink.c | 77 +++++++------------------- - net/netfilter/nf_tables_api.c | 102 +++++++++-------------------------- - net/netfilter/nf_tables_trace.c | 9 --- - net/netfilter/nfnetlink_acct.c | 11 +-- - net/netfilter/nfnetlink_cthelper.c | 11 +-- - net/netfilter/nfnetlink_cttimeout.c | 22 ++----- - net/netfilter/nfnetlink_log.c | 11 +-- - net/netfilter/nfnetlink_queue.c | 12 +--- - net/netfilter/nft_compat.c | 11 +-- - 11 files changed, 102 insertions(+), 208 deletions(-) - ---- a/include/linux/netfilter/nfnetlink.h -+++ b/include/linux/netfilter/nfnetlink.h -@@ -49,6 +49,33 @@ static inline u16 nfnl_msg_type(u8 subsy - return subsys << 8 | msg_type; - } - -+static inline void nfnl_fill_hdr(struct nlmsghdr *nlh, u8 family, u8 version, -+ __be16 res_id) -+{ -+ struct nfgenmsg *nfmsg; -+ -+ nfmsg = nlmsg_data(nlh); -+ nfmsg->nfgen_family = family; -+ nfmsg->version = version; -+ nfmsg->res_id = res_id; -+} -+ -+static inline struct nlmsghdr *nfnl_msg_put(struct sk_buff *skb, u32 portid, -+ u32 seq, int type, int flags, -+ u8 family, u8 version, -+ __be16 res_id) -+{ -+ struct nlmsghdr *nlh; -+ -+ nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); -+ if (!nlh) -+ return NULL; -+ -+ nfnl_fill_hdr(nlh, family, version, res_id); -+ -+ return nlh; -+} -+ - void nfnl_lock(__u8 subsys_id); - void nfnl_unlock(__u8 subsys_id); - #ifdef CONFIG_PROVE_LOCKING ---- a/net/netfilter/ipset/ip_set_core.c -+++ b/net/netfilter/ipset/ip_set_core.c -@@ -791,20 +791,9 @@ static struct nlmsghdr * - start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags, - enum ipset_cmd cmd) - { -- struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; -- -- nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), -- sizeof(*nfmsg), flags); -- if (!nlh) -- return NULL; -- -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = NFPROTO_IPV4; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- -- return nlh; -+ return nfnl_msg_put(skb, portid, seq, -+ nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), flags, -+ NFPROTO_IPV4, NFNETLINK_V0, 0); - } - - /* Create a set */ ---- a/net/netfilter/nf_conntrack_netlink.c -+++ b/net/netfilter/nf_conntrack_netlink.c -@@ -517,20 +517,15 @@ ctnetlink_fill_info(struct sk_buff *skb, - { - const struct nf_conntrack_zone *zone; - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - struct nlattr *nest_parms; - unsigned int flags = portid ? NLM_F_MULTI : 0, event; - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct), -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = nf_ct_l3num(ct); -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - zone = nf_ct_zone(ct); - - nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); -@@ -687,7 +682,6 @@ ctnetlink_conntrack_event(unsigned int e - const struct nf_conntrack_zone *zone; - struct net *net; - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - struct nlattr *nest_parms; - struct nf_conn *ct = item->ct; - struct sk_buff *skb; -@@ -717,15 +711,11 @@ ctnetlink_conntrack_event(unsigned int e - goto errout; - - type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); -- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct), -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = nf_ct_l3num(ct); -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - zone = nf_ct_zone(ct); - - nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); -@@ -2170,20 +2160,15 @@ ctnetlink_ct_stat_cpu_fill_info(struct s - __u16 cpu, const struct ip_conntrack_stat *st) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0, event; - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, - IPCTNL_MSG_CT_GET_STATS_CPU); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, htons(cpu)); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(cpu); -- - if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || - nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || - nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) || -@@ -2254,20 +2239,15 @@ ctnetlink_stat_ct_fill_info(struct sk_bu - struct net *net) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0, event; - unsigned int nr_conntracks = atomic_read(&net->ct.count); - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) - goto nla_put_failure; - -@@ -2780,19 +2760,14 @@ ctnetlink_exp_fill_info(struct sk_buff * - int event, const struct nf_conntrack_expect *exp) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0; - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, -+ exp->tuple.src.l3num, NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = exp->tuple.src.l3num; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (ctnetlink_exp_dump_expect(skb, exp) < 0) - goto nla_put_failure; - -@@ -2812,7 +2787,6 @@ ctnetlink_expect_event(unsigned int even - struct nf_conntrack_expect *exp = item->exp; - struct net *net = nf_ct_exp_net(exp); - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - struct sk_buff *skb; - unsigned int type, group; - int flags = 0; -@@ -2835,15 +2809,11 @@ ctnetlink_expect_event(unsigned int even - goto errout; - - type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); -- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, -+ exp->tuple.src.l3num, NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = exp->tuple.src.l3num; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (ctnetlink_exp_dump_expect(skb, exp) < 0) - goto nla_put_failure; - -@@ -3413,20 +3383,15 @@ ctnetlink_exp_stat_fill_info(struct sk_b - const struct ip_conntrack_stat *st) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0, event; - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, - IPCTNL_MSG_EXP_GET_STATS_CPU); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, htons(cpu)); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(cpu); -- - if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || - nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || - nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -578,18 +578,13 @@ static int nf_tables_fill_table_info(str - int family, const struct nft_table *table) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, -+ NFNETLINK_V0, nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || - nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || - nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || -@@ -1213,18 +1208,13 @@ static int nf_tables_fill_chain_info(str - const struct nft_chain *chain) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, -+ NFNETLINK_V0, nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) - goto nla_put_failure; - if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), -@@ -2257,21 +2247,16 @@ static int nf_tables_fill_rule_info(stru - const struct nft_rule *rule) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - const struct nft_expr *expr, *next; - struct nlattr *list; - const struct nft_rule *prule; - u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); - -- nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, -+ nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) - goto nla_put_failure; - if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) -@@ -3166,23 +3151,17 @@ static __be64 nf_jiffies64_to_msecs(u64 - static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, - const struct nft_set *set, u16 event, u16 flags) - { -- struct nfgenmsg *nfmsg; - struct nlmsghdr *nlh; - struct nlattr *desc; - u32 portid = ctx->portid; - u32 seq = ctx->seq; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), -- flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, -+ NFNETLINK_V0, nft_base_seq(ctx->net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = ctx->family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(ctx->net); -- - if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) - goto nla_put_failure; - if (nla_put_string(skb, NFTA_SET_NAME, set->name)) -@@ -3996,7 +3975,6 @@ static int nf_tables_dump_set(struct sk_ - struct nft_set *set; - struct nft_set_dump_args args; - bool set_found = false; -- struct nfgenmsg *nfmsg; - struct nlmsghdr *nlh; - struct nlattr *nest; - u32 portid, seq; -@@ -4029,16 +4007,11 @@ static int nf_tables_dump_set(struct sk_ - portid = NETLINK_CB(cb->skb).portid; - seq = cb->nlh->nlmsg_seq; - -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), -- NLM_F_MULTI); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, -+ table->family, NFNETLINK_V0, nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = table->family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) - goto nla_put_failure; - if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) -@@ -4095,22 +4068,16 @@ static int nf_tables_fill_setelem_info(s - const struct nft_set *set, - const struct nft_set_elem *elem) - { -- struct nfgenmsg *nfmsg; - struct nlmsghdr *nlh; - struct nlattr *nest; - int err; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), -- flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, -+ NFNETLINK_V0, nft_base_seq(ctx->net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = ctx->family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(ctx->net); -- - if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) - goto nla_put_failure; - if (nla_put_string(skb, NFTA_SET_NAME, set->name)) -@@ -5146,19 +5113,14 @@ static int nf_tables_fill_obj_info(struc - int family, const struct nft_table *table, - struct nft_object *obj, bool reset) - { -- struct nfgenmsg *nfmsg; - struct nlmsghdr *nlh; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, -+ NFNETLINK_V0, nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || - nla_put_string(skb, NFTA_OBJ_NAME, obj->name) || - nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || -@@ -5806,20 +5768,15 @@ static int nf_tables_fill_flowtable_info - struct nft_flowtable *flowtable) - { - struct nlattr *nest, *nest_devs; -- struct nfgenmsg *nfmsg; - struct nlmsghdr *nlh; - int i; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, -+ NFNETLINK_V0, nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || - nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || - nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || -@@ -6045,19 +6002,14 @@ static int nf_tables_fill_gen_info(struc - u32 portid, u32 seq) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - char buf[TASK_COMM_LEN]; - int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); - -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, -+ NFNETLINK_V0, nft_base_seq(net)); -+ if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = nft_base_seq(net); -- - if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || - nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || - nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) ---- a/net/netfilter/nf_tables_trace.c -+++ b/net/netfilter/nf_tables_trace.c -@@ -186,7 +186,6 @@ static bool nft_trace_have_verdict_chain - void nft_trace_notify(struct nft_traceinfo *info) - { - const struct nft_pktinfo *pkt = info->pkt; -- struct nfgenmsg *nfmsg; - struct nlmsghdr *nlh; - struct sk_buff *skb; - unsigned int size; -@@ -222,15 +221,11 @@ void nft_trace_notify(struct nft_tracein - return; - - event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_TRACE); -- nlh = nlmsg_put(skb, 0, 0, event, sizeof(struct nfgenmsg), 0); -+ nlh = nfnl_msg_put(skb, 0, 0, event, 0, info->basechain->type->family, -+ NFNETLINK_V0, 0); - if (!nlh) - goto nla_put_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = info->basechain->type->family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt)))) - goto nla_put_failure; - ---- a/net/netfilter/nfnetlink_acct.c -+++ b/net/netfilter/nfnetlink_acct.c -@@ -135,21 +135,16 @@ nfnl_acct_fill_info(struct sk_buff *skb, - int event, struct nf_acct *acct) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0; - u64 pkts, bytes; - u32 old_flags; - - event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_string(skb, NFACCT_NAME, acct->name)) - goto nla_put_failure; - ---- a/net/netfilter/nfnetlink_cthelper.c -+++ b/net/netfilter/nfnetlink_cthelper.c -@@ -532,20 +532,15 @@ nfnl_cthelper_fill_info(struct sk_buff * - int event, struct nf_conntrack_helper *helper) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0; - int status; - - event = nfnl_msg_type(NFNL_SUBSYS_CTHELPER, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_string(skb, NFCTH_NAME, helper->name)) - goto nla_put_failure; - ---- a/net/netfilter/nfnetlink_cttimeout.c -+++ b/net/netfilter/nfnetlink_cttimeout.c -@@ -164,20 +164,15 @@ ctnl_timeout_fill_info(struct sk_buff *s - int event, struct ctnl_timeout *timeout) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0; - const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto; - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) || - nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, - htons(timeout->timeout.l3num)) || -@@ -396,19 +391,14 @@ cttimeout_default_fill_info(struct net * - const unsigned int *timeouts) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0; - - event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = AF_UNSPEC; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l4proto->l3proto)) || - nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto)) - goto nla_put_failure; ---- a/net/netfilter/nfnetlink_log.c -+++ b/net/netfilter/nfnetlink_log.c -@@ -404,20 +404,15 @@ __build_packet_message(struct nfnl_log_n - { - struct nfulnl_msg_packet_hdr pmsg; - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - sk_buff_data_t old_tail = inst->skb->tail; - struct sock *sk; - const unsigned char *hwhdrp; - -- nlh = nlmsg_put(inst->skb, 0, 0, -- nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), -- sizeof(struct nfgenmsg), 0); -+ nlh = nfnl_msg_put(inst->skb, 0, 0, -+ nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), -+ 0, pf, NFNETLINK_V0, htons(inst->group_num)); - if (!nlh) - return -1; -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = pf; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(inst->group_num); - - memset(&pmsg, 0, sizeof(pmsg)); - pmsg.hw_protocol = skb->protocol; ---- a/net/netfilter/nfnetlink_queue.c -+++ b/net/netfilter/nfnetlink_queue.c -@@ -387,7 +387,6 @@ nfqnl_build_packet_message(struct net *n - struct nlattr *nla; - struct nfqnl_msg_packet_hdr *pmsg; - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - struct sk_buff *entskb = entry->skb; - struct net_device *indev; - struct net_device *outdev; -@@ -473,18 +472,15 @@ nfqnl_build_packet_message(struct net *n - goto nlmsg_failure; - } - -- nlh = nlmsg_put(skb, 0, 0, -- nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET), -- sizeof(struct nfgenmsg), 0); -+ nlh = nfnl_msg_put(skb, 0, 0, -+ nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET), -+ 0, entry->state.pf, NFNETLINK_V0, -+ htons(queue->queue_num)); - if (!nlh) { - skb_tx_error(entskb); - kfree_skb(skb); - goto nlmsg_failure; - } -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = entry->state.pf; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(queue->queue_num); - - nla = __nla_reserve(skb, NFQA_PACKET_HDR, sizeof(*pmsg)); - pmsg = nla_data(nla); ---- a/net/netfilter/nft_compat.c -+++ b/net/netfilter/nft_compat.c -@@ -575,19 +575,14 @@ nfnl_compat_fill_info(struct sk_buff *sk - int rev, int target) - { - struct nlmsghdr *nlh; -- struct nfgenmsg *nfmsg; - unsigned int flags = portid ? NLM_F_MULTI : 0; - - event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event); -- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); -- if (nlh == NULL) -+ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, -+ NFNETLINK_V0, 0); -+ if (!nlh) - goto nlmsg_failure; - -- nfmsg = nlmsg_data(nlh); -- nfmsg->nfgen_family = family; -- nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = 0; -- - if (nla_put_string(skb, NFTA_COMPAT_NAME, name) || - nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) || - nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target))) diff --git a/queue-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch b/queue-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch deleted file mode 100644 index 2b568387a22..00000000000 --- a/queue-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 6eef7a2b933885a17679eb8ed0796ddf0ee5309b Mon Sep 17 00:00:00 2001 -From: Florent Revest -Date: Mon, 3 Jul 2023 16:52:16 +0200 -Subject: netfilter: conntrack: Avoid nf_ct_helper_hash uses after free - -From: Florent Revest - -commit 6eef7a2b933885a17679eb8ed0796ddf0ee5309b upstream. - -If nf_conntrack_init_start() fails (for example due to a -register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini() -clean-up path frees the nf_ct_helper_hash map. - -When built with NF_CONNTRACK=y, further netfilter modules (e.g: -netfilter_conntrack_ftp) can still be loaded and call -nf_conntrack_helpers_register(), independently of whether nf_conntrack -initialized correctly. This accesses the nf_ct_helper_hash dangling -pointer and causes a uaf, possibly leading to random memory corruption. - -This patch guards nf_conntrack_helper_register() from accessing a freed -or uninitialized nf_ct_helper_hash pointer and fixes possible -uses-after-free when loading a conntrack module. - -Cc: stable@vger.kernel.org -Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") -Signed-off-by: Florent Revest -Reviewed-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_conntrack_helper.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/net/netfilter/nf_conntrack_helper.c -+++ b/net/netfilter/nf_conntrack_helper.c -@@ -400,6 +400,9 @@ int nf_conntrack_helper_register(struct - BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); - BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); - -+ if (!nf_ct_helper_hash) -+ return -ENOENT; -+ - if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT) - return -EINVAL; - -@@ -570,4 +573,5 @@ void nf_conntrack_helper_fini(void) - { - nf_ct_extend_unregister(&helper_extend); - kvfree(nf_ct_helper_hash); -+ nf_ct_helper_hash = NULL; - } diff --git a/queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch deleted file mode 100644 index 92b7e6541a3..00000000000 --- a/queue-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch +++ /dev/null @@ -1,53 +0,0 @@ -From c40874c71ae6f5e26f1958101a5a7dd1d049899f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 23 Jun 2023 11:23:46 +0000 -Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() - return value. - -From: Ilia.Gavrilov - -[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ] - -ct_sip_parse_numerical_param() returns only 0 or 1 now. -But process_register_request() and process_register_response() imply -checking for a negative value if parsing of a numerical header parameter -failed. -The invocation in nf_nat_sip() looks correct: - if (ct_sip_parse_numerical_param(...) > 0 && - ...) { ... } - -Make the return value of the function ct_sip_parse_numerical_param() -a tristate to fix all the cases -a) return 1 if value is found; *val is set -b) return 0 if value is not found; *val is unchanged -c) return -1 on error; *val is undefined - -Found by InfoTeCS on behalf of Linux Verification Center -(linuxtesting.org) with SVACE. - -Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations") -Signed-off-by: Ilia.Gavrilov -Reviewed-by: Simon Horman -Reviewed-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_sip.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c -index 046f118dea06b..d16aa43ebd4d6 100644 ---- a/net/netfilter/nf_conntrack_sip.c -+++ b/net/netfilter/nf_conntrack_sip.c -@@ -605,7 +605,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr, - start += strlen(name); - *val = simple_strtoul(start, &end, 0); - if (start == end) -- return 0; -+ return -1; - if (matchoff && matchlen) { - *matchoff = start - dptr; - *matchlen = end - start; --- -2.39.2 - diff --git a/queue-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch b/queue-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch deleted file mode 100644 index cdbeda5cb43..00000000000 --- a/queue-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch +++ /dev/null @@ -1,101 +0,0 @@ -From stable-owner@vger.kernel.org Wed Jul 5 18:55:57 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:13 +0200 -Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-8-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 26b5a5712eb85e253724e56a54c17f8519bd8e4e ] - -Add a new state to deal with rule expressions deactivation from the -newrule error path, otherwise the anonymous set remains in the list in -inactive state for the next generation. Mark the set/chain transaction -as unbound so the abort path releases this object, set it as inactive in -the next generation so it is not reachable anymore from this transaction -and reference counter is dropped. - -Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE") -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - include/net/netfilter/nf_tables.h | 1 + - net/netfilter/nf_tables_api.c | 26 ++++++++++++++++++++++---- - 2 files changed, 23 insertions(+), 4 deletions(-) - ---- a/include/net/netfilter/nf_tables.h -+++ b/include/net/netfilter/nf_tables.h -@@ -736,6 +736,7 @@ struct nft_expr_type { - - enum nft_trans_phase { - NFT_TRANS_PREPARE, -+ NFT_TRANS_PREPARE_ERROR, - NFT_TRANS_ABORT, - NFT_TRANS_COMMIT, - NFT_TRANS_RELEASE ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -120,7 +120,8 @@ static void nft_trans_destroy(struct nft - kfree(trans); - } - --static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) -+static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, -+ bool bind) - { - struct nftables_pernet *nft_net; - struct net *net = ctx->net; -@@ -134,16 +135,26 @@ static void nft_set_trans_bind(const str - switch (trans->msg_type) { - case NFT_MSG_NEWSET: - if (nft_trans_set(trans) == set) -- nft_trans_set_bound(trans) = true; -+ nft_trans_set_bound(trans) = bind; - break; - case NFT_MSG_NEWSETELEM: - if (nft_trans_elem_set(trans) == set) -- nft_trans_elem_set_bound(trans) = true; -+ nft_trans_elem_set_bound(trans) = bind; - break; - } - } - } - -+static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) -+{ -+ return __nft_set_trans_bind(ctx, set, true); -+} -+ -+static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) -+{ -+ return __nft_set_trans_bind(ctx, set, false); -+} -+ - static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) - { - struct nftables_pernet *nft_net; -@@ -2784,7 +2795,7 @@ static int nf_tables_newrule(struct net - - return 0; - err2: -- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); -+ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); - nf_tables_rule_destroy(&ctx, rule); - err1: - for (i = 0; i < n; i++) { -@@ -3809,6 +3820,13 @@ void nf_tables_deactivate_set(const stru - enum nft_trans_phase phase) - { - switch (phase) { -+ case NFT_TRANS_PREPARE_ERROR: -+ nft_set_trans_unbind(ctx, set); -+ if (nft_set_is_anonymous(set)) -+ nft_deactivate_next(ctx->net, set); -+ -+ set->use--; -+ break; - case NFT_TRANS_PREPARE: - if (nft_set_is_anonymous(set)) - nft_deactivate_next(ctx->net, set); diff --git a/queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch b/queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch deleted file mode 100644 index 9c21fe87b00..00000000000 --- a/queue-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch +++ /dev/null @@ -1,50 +0,0 @@ -From pablo@netfilter.org Wed Jul 5 18:55:22 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:08 +0200 -Subject: netfilter: nf_tables: add rescheduling points during loop detection walks -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-3-pablo@netfilter.org> - -From: Florian Westphal - -[ 81ea010667417ef3f218dfd99b69769fe66c2b67 ] - -Add explicit rescheduling points during ruleset walk. - -Switching to a faster algorithm is possible but this is a much -smaller change, suitable for nf tree. - -Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460 -Signed-off-by: Florian Westphal -Acked-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_tables_api.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -2552,6 +2552,8 @@ int nft_chain_validate(const struct nft_ - if (err < 0) - return err; - } -+ -+ cond_resched(); - } - - return 0; -@@ -6956,9 +6958,13 @@ static int nf_tables_check_loops(const s - break; - } - } -+ -+ cond_resched(); - } - - list_for_each_entry(set, &ctx->table->sets, list) { -+ cond_resched(); -+ - if (!nft_is_active_next(ctx->net, set)) - continue; - if (!(set->flags & NFT_SET_MAP) || diff --git a/queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch deleted file mode 100644 index c27fe0b50ff..00000000000 --- a/queue-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 519800f3b9e064d6eec3b22116785effa817ba10 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Jul 2023 01:30:33 +0200 -Subject: netfilter: nf_tables: can't schedule in nft_chain_validate - -From: Florian Westphal - -[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ] - -Can be called via nft set element list iteration, which may acquire -rcu and/or bh read lock (depends on set type). - -BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353 -in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft -preempt_count: 0, expected: 0 -RCU nest depth: 1, expected: 0 -2 locks held by nft/1232: - #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid - #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire -Call Trace: - nft_chain_validate - nft_lookup_validate_setelem - nft_pipapo_walk - nft_lookup_validate - nft_chain_validate - nft_immediate_validate - nft_chain_validate - nf_tables_validate - nf_tables_abort - -No choice but to move it to nf_tables_validate(). - -Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index f25b6337f150a..115bc79ec9055 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -2602,8 +2602,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) - if (err < 0) - return err; - } -- -- cond_resched(); - } - - return 0; -@@ -2627,6 +2625,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) - err = nft_chain_validate(&ctx, chain); - if (err < 0) - return err; -+ -+ cond_resched(); - } - - return 0; --- -2.39.2 - diff --git a/queue-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch b/queue-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch deleted file mode 100644 index a88acd35192..00000000000 --- a/queue-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch +++ /dev/null @@ -1,104 +0,0 @@ -From pablo@netfilter.org Wed Jul 5 18:55:22 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:07 +0200 -Subject: netfilter: nf_tables: fix nat hook table deletion -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-2-pablo@netfilter.org> - -From: Florian Westphal - -[ 1e9451cbda456a170518b2bfd643e2cb980880bf ] - -sybot came up with following transaction: - add table ip syz0 - add chain ip syz0 syz2 { type nat hook prerouting priority 0; policy accept; } - add table ip syz0 { flags dormant; } - delete chain ip syz0 syz2 - delete table ip syz0 - -which yields: -hook not found, pf 2 num 0 -WARNING: CPU: 0 PID: 6775 at net/netfilter/core.c:413 __nf_unregister_net_hook+0x3e6/0x4a0 net/netfilter/core.c:413 -[..] - nft_unregister_basechain_hooks net/netfilter/nf_tables_api.c:206 [inline] - nft_table_disable net/netfilter/nf_tables_api.c:835 [inline] - nf_tables_table_disable net/netfilter/nf_tables_api.c:868 [inline] - nf_tables_commit+0x32d3/0x4d70 net/netfilter/nf_tables_api.c:7550 - nfnetlink_rcv_batch net/netfilter/nfnetlink.c:486 [inline] - nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:544 [inline] - nfnetlink_rcv+0x14a5/0x1e50 net/netfilter/nfnetlink.c:562 - netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] - -Problem is that when I added ability to override base hook registration -to make nat basechains register with the nat core instead of netfilter -core, I forgot to update nft_table_disable() to use that instead of -the 'raw' hook register interface. - -In syzbot transaction, the basechain is of 'nat' type. Its registered -with the nat core. The switch to 'dormant mode' attempts to delete from -netfilter core instead. - -After updating nft_table_disable/enable to use the correct helper, -nft_(un)register_basechain_hooks can be folded into the only remaining -caller. - -Because nft_trans_table_enable() won't do anything when the DORMANT flag -is set, remove the flag first, then re-add it in case re-enablement -fails, else this patch breaks sequence: - -add table ip x { flags dormant; } -/* add base chains */ -add table ip x - -The last 'add' will remove the dormant flags, but won't have any other -effect -- base chains are not registered. -Then, next 'set dormant flag' will create another 'hook not found' -splat. - -Reported-by: syzbot+2570f2c036e3da5db176@syzkaller.appspotmail.com -Fixes: 4e25ceb80b58 ("netfilter: nf_tables: allow chain type to override hook register") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit 1e9451cbda456a170518b2bfd643e2cb980880bf) -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_tables_api.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -743,7 +743,7 @@ static void nft_table_disable(struct net - if (cnt && i++ == cnt) - break; - -- nf_unregister_net_hook(net, &nft_base_chain(chain)->ops); -+ nf_tables_unregister_hook(net, table, chain); - } - } - -@@ -758,7 +758,7 @@ static int nf_tables_table_enable(struct - if (!nft_is_base_chain(chain)) - continue; - -- err = nf_register_net_hook(net, &nft_base_chain(chain)->ops); -+ err = nf_tables_register_hook(net, table, chain); - if (err < 0) - goto err; - -@@ -802,11 +802,12 @@ static int nf_tables_updtable(struct nft - nft_trans_table_enable(trans) = false; - } else if (!(flags & NFT_TABLE_F_DORMANT) && - ctx->table->flags & NFT_TABLE_F_DORMANT) { -+ ctx->table->flags &= ~NFT_TABLE_F_DORMANT; - ret = nf_tables_table_enable(ctx->net, ctx->table); -- if (ret >= 0) { -- ctx->table->flags &= ~NFT_TABLE_F_DORMANT; -+ if (ret >= 0) - nft_trans_table_enable(trans) = true; -- } -+ else -+ ctx->table->flags |= NFT_TABLE_F_DORMANT; - } - if (ret < 0) - goto err; diff --git a/queue-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch b/queue-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch deleted file mode 100644 index c69f0b54718..00000000000 --- a/queue-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch +++ /dev/null @@ -1,39 +0,0 @@ -From stable-owner@vger.kernel.org Wed Jul 5 18:56:03 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:16 +0200 -Subject: netfilter: nf_tables: fix scheduling-while-atomic splat -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-11-pablo@netfilter.org> - -From: Florian Westphal - -[ 2024439bd5ceb145eeeb428b2a59e9b905153ac3 ] - -nf_tables_check_loops() can be called from rhashtable list -walk so cond_resched() cannot be used here. - -Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_tables_api.c | 4 ---- - 1 file changed, 4 deletions(-) - ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -7021,13 +7021,9 @@ static int nf_tables_check_loops(const s - break; - } - } -- -- cond_resched(); - } - - list_for_each_entry(set, &ctx->table->sets, list) { -- cond_resched(); -- - if (!nft_is_active_next(ctx->net, set)) - continue; - if (!(set->flags & NFT_SET_MAP) || diff --git a/queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch deleted file mode 100644 index 868adf8b9e3..00000000000 --- a/queue-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 976b926cc5c9ddd0dd5caf4c7b577052477d78eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Jul 2023 00:29:58 +0200 -Subject: netfilter: nf_tables: fix spurious set element insertion failure - -From: Florian Westphal - -[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ] - -On some platforms there is a padding hole in the nft_verdict -structure, between the verdict code and the chain pointer. - -On element insertion, if the new element clashes with an existing one and -NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as -the data associated with duplicated element is the same as the existing -one. The data equality check uses memcmp. - -For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT -padding area leads to spurious failure even if the verdict data is the -same. - -This then makes the insertion fail with 'already exists' error, even -though the new "key : data" matches an existing entry and userspace -told the kernel that it doesn't want to receive an error indication. - -Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") -Signed-off-by: Florian Westphal -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_tables_api.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c -index 16405e71a6780..f25b6337f150a 100644 ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -7248,6 +7248,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, - - if (!tb[NFTA_VERDICT_CODE]) - return -EINVAL; -+ -+ /* zero padding hole for memcmp */ -+ memset(data, 0, sizeof(*data)); - data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); - - switch (data->verdict.code) { --- -2.39.2 - diff --git a/queue-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch b/queue-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch deleted file mode 100644 index 4e43421384f..00000000000 --- a/queue-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch +++ /dev/null @@ -1,73 +0,0 @@ -From stable-owner@vger.kernel.org Wed Jul 5 18:55:56 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:12 +0200 -Subject: netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-7-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 1240eb93f0616b21c675416516ff3d74798fdc97 ] - -In case of error when adding a new rule that refers to an anonymous set, -deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. -Thus, the lookup expression marks anonymous sets as inactive in the next -generation to ensure it is not reachable in this transaction anymore and -decrement the set refcount as introduced by c1592a89942e ("netfilter: -nf_tables: deactivate anonymous set from preparation phase"). The abort -step takes care of undoing the anonymous set. - -This is also consistent with rule deletion, where NFT_TRANS_PREPARE is -used. Note that this error path is exercised in the preparation step of -the commit protocol. This patch replaces nf_tables_rule_release() by the -deactivate and destroy calls, this time with NFT_TRANS_PREPARE. - -Due to this incorrect error handling, it is possible to access a -dangling pointer to the anonymous set that remains in the transaction -list. - -[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 -[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 -[1009.379128] Call Trace: -[1009.379132] -[1009.379135] dump_stack_lvl+0x33/0x50 -[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379191] print_address_description.constprop.0+0x27/0x300 -[1009.379201] kasan_report+0x107/0x120 -[1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] -[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] -[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] -[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] -[1009.379441] ? kasan_unpoison+0x23/0x50 -[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] -[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] -[1009.379485] ? __alloc_skb+0xb8/0x1e0 -[1009.379493] ? __alloc_skb+0xb8/0x1e0 -[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 -[1009.379509] ? unwind_get_return_address+0x2a/0x40 -[1009.379517] ? write_profile+0xc0/0xc0 -[1009.379524] ? avc_lookup+0x8f/0xc0 -[1009.379532] ? __rcu_read_unlock+0x43/0x60 - -Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_tables_api.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -2784,7 +2784,8 @@ static int nf_tables_newrule(struct net - - return 0; - err2: -- nf_tables_rule_release(&ctx, rule); -+ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); -+ nf_tables_rule_destroy(&ctx, rule); - err1: - for (i = 0; i < n; i++) { - if (info[i].ops) { diff --git a/queue-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch b/queue-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch deleted file mode 100644 index bca9bf74f78..00000000000 --- a/queue-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch +++ /dev/null @@ -1,211 +0,0 @@ -From caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd Mon Sep 17 00:00:00 2001 -From: Thadeu Lima de Souza Cascardo -Date: Wed, 5 Jul 2023 18:05:35 -0300 -Subject: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval - -From: Thadeu Lima de Souza Cascardo - -commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream. - -When evaluating byteorder expressions with size 2, a union with 32-bit and -16-bit members is used. Since the 16-bit members are aligned to 32-bit, -the array accesses will be out-of-bounds. - -It may lead to a stack-out-of-bounds access like the one below: - -[ 23.095215] ================================================================== -[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 -[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 -[ 23.096358] -[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 -[ 23.096770] Call Trace: -[ 23.096910] -[ 23.097030] dump_stack_lvl+0x60/0xc0 -[ 23.097218] print_report+0xcf/0x630 -[ 23.097388] ? nft_byteorder_eval+0x13c/0x320 -[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 -[ 23.097760] ? nft_byteorder_eval+0x13c/0x320 -[ 23.097949] kasan_report+0xc9/0x110 -[ 23.098106] ? nft_byteorder_eval+0x13c/0x320 -[ 23.098298] __asan_load2+0x83/0xd0 -[ 23.098453] nft_byteorder_eval+0x13c/0x320 -[ 23.098659] nft_do_chain+0x1c8/0xc50 -[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 -[ 23.099078] ? __kasan_check_read+0x11/0x20 -[ 23.099295] ? __pfx___lock_acquire+0x10/0x10 -[ 23.099535] ? __pfx___lock_acquire+0x10/0x10 -[ 23.099745] ? __kasan_check_read+0x11/0x20 -[ 23.099929] nft_do_chain_ipv4+0xfe/0x140 -[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 -[ 23.100327] ? lock_release+0x204/0x400 -[ 23.100515] ? nf_hook.constprop.0+0x340/0x550 -[ 23.100779] nf_hook_slow+0x6c/0x100 -[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 -[ 23.101223] nf_hook.constprop.0+0x334/0x550 -[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 -[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 -[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 -[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 -[ 23.102291] ? rcu_read_lock_held+0x4b/0x70 -[ 23.102481] ip_local_deliver+0xbb/0x110 -[ 23.102665] ? __pfx_ip_rcv+0x10/0x10 -[ 23.102839] ip_rcv+0x199/0x2a0 -[ 23.102980] ? __pfx_ip_rcv+0x10/0x10 -[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 -[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 -[ 23.103647] ? mark_held_locks+0x48/0xa0 -[ 23.103819] ? process_backlog+0x36c/0x380 -[ 23.103999] __netif_receive_skb+0x23/0xc0 -[ 23.104179] process_backlog+0x91/0x380 -[ 23.104350] __napi_poll.constprop.0+0x66/0x360 -[ 23.104589] ? net_rx_action+0x1cb/0x610 -[ 23.104811] net_rx_action+0x33e/0x610 -[ 23.105024] ? _raw_spin_unlock+0x23/0x50 -[ 23.105257] ? __pfx_net_rx_action+0x10/0x10 -[ 23.105485] ? mark_held_locks+0x48/0xa0 -[ 23.105741] __do_softirq+0xfa/0x5ab -[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 -[ 23.106193] do_softirq.part.0+0x49/0xc0 -[ 23.106423] -[ 23.106547] -[ 23.106670] __local_bh_enable_ip+0xf5/0x120 -[ 23.106903] __dev_queue_xmit+0x789/0x1c00 -[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 -[ 23.107381] ? find_held_lock+0x8e/0xb0 -[ 23.107585] ? lock_release+0x204/0x400 -[ 23.107798] ? neigh_resolve_output+0x185/0x350 -[ 23.108049] ? mark_held_locks+0x48/0xa0 -[ 23.108265] ? neigh_resolve_output+0x185/0x350 -[ 23.108514] neigh_resolve_output+0x246/0x350 -[ 23.108753] ? neigh_resolve_output+0x246/0x350 -[ 23.109003] ip_finish_output2+0x3c3/0x10b0 -[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 -[ 23.109510] ? __pfx_nf_hook+0x10/0x10 -[ 23.109732] __ip_finish_output+0x217/0x390 -[ 23.109978] ip_finish_output+0x2f/0x130 -[ 23.110207] ip_output+0xc9/0x170 -[ 23.110404] ip_push_pending_frames+0x1a0/0x240 -[ 23.110652] raw_sendmsg+0x102e/0x19e0 -[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 -[ 23.111093] ? lock_release+0x204/0x400 -[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 -[ 23.111567] ? find_held_lock+0x8e/0xb0 -[ 23.111777] ? find_held_lock+0x8e/0xb0 -[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 -[ 23.112225] ? aa_sk_perm+0x18a/0x550 -[ 23.112431] ? filemap_map_pages+0x4f1/0x900 -[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 -[ 23.112880] ? find_held_lock+0x8e/0xb0 -[ 23.113098] inet_sendmsg+0xa0/0xb0 -[ 23.113297] ? inet_sendmsg+0xa0/0xb0 -[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 -[ 23.113727] sock_sendmsg+0xf4/0x100 -[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 -[ 23.114190] __sys_sendto+0x1d4/0x290 -[ 23.114391] ? __pfx___sys_sendto+0x10/0x10 -[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 -[ 23.114869] ? lock_release+0x204/0x400 -[ 23.115076] ? find_held_lock+0x8e/0xb0 -[ 23.115287] ? rcu_is_watching+0x23/0x60 -[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 -[ 23.115778] ? __kasan_check_write+0x14/0x30 -[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 -[ 23.116285] ? mark_held_locks+0x28/0xa0 -[ 23.116503] ? do_syscall_64+0x37/0x90 -[ 23.116713] __x64_sys_sendto+0x7f/0xb0 -[ 23.116924] do_syscall_64+0x59/0x90 -[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 -[ 23.117387] ? irqentry_exit+0x77/0xb0 -[ 23.117593] ? exc_page_fault+0x92/0x140 -[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 -[ 23.118081] RIP: 0033:0x7f744aee2bba -[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 -[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba -[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 -[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 -[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 -[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 -[ 23.121617] -[ 23.121749] -[ 23.121845] The buggy address belongs to the virtual mapping at -[ 23.121845] [ffffc90000000000, ffffc90000009000) created by: -[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 -[ 23.122707] -[ 23.122803] The buggy address belongs to the physical page: -[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 -[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) -[ 23.123998] page_type: 0xffffffff() -[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 -[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 -[ 23.125023] page dumped because: kasan: bad access detected -[ 23.125326] -[ 23.125421] Memory state around the buggy address: -[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 -[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 -[ 23.126840] ^ -[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 -[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 -[ 23.127906] ================================================================== -[ 23.128324] Disabling lock debugging due to kernel taint - -Using simple s16 pointers for the 16-bit accesses fixes the problem. For -the 32-bit accesses, src and dst can be used directly. - -Fixes: 96518518cc41 ("netfilter: add nftables") -Cc: stable@vger.kernel.org -Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI -Signed-off-by: Thadeu Lima de Souza Cascardo -Reviewed-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nft_byteorder.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - ---- a/net/netfilter/nft_byteorder.c -+++ b/net/netfilter/nft_byteorder.c -@@ -33,11 +33,11 @@ static void nft_byteorder_eval(const str - const struct nft_byteorder *priv = nft_expr_priv(expr); - u32 *src = ®s->data[priv->sreg]; - u32 *dst = ®s->data[priv->dreg]; -- union { u32 u32; u16 u16; } *s, *d; -+ u16 *s16, *d16; - unsigned int i; - -- s = (void *)src; -- d = (void *)dst; -+ s16 = (void *)src; -+ d16 = (void *)dst; - - switch (priv->size) { - case 8: { -@@ -63,11 +63,11 @@ static void nft_byteorder_eval(const str - switch (priv->op) { - case NFT_BYTEORDER_NTOH: - for (i = 0; i < priv->len / 4; i++) -- d[i].u32 = ntohl((__force __be32)s[i].u32); -+ dst[i] = ntohl((__force __be32)src[i]); - break; - case NFT_BYTEORDER_HTON: - for (i = 0; i < priv->len / 4; i++) -- d[i].u32 = (__force __u32)htonl(s[i].u32); -+ dst[i] = (__force __u32)htonl(src[i]); - break; - } - break; -@@ -75,11 +75,11 @@ static void nft_byteorder_eval(const str - switch (priv->op) { - case NFT_BYTEORDER_NTOH: - for (i = 0; i < priv->len / 2; i++) -- d[i].u16 = ntohs((__force __be16)s[i].u16); -+ d16[i] = ntohs((__force __be16)s16[i]); - break; - case NFT_BYTEORDER_HTON: - for (i = 0; i < priv->len / 2; i++) -- d[i].u16 = (__force __u16)htons(s[i].u16); -+ d16[i] = (__force __u16)htons(s16[i]); - break; - } - break; diff --git a/queue-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch b/queue-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch deleted file mode 100644 index 19d00b12cd4..00000000000 --- a/queue-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch +++ /dev/null @@ -1,137 +0,0 @@ -From stable-owner@vger.kernel.org Wed Jul 5 18:55:57 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:14 +0200 -Subject: netfilter: nf_tables: reject unbound anonymous set before commit phase -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-9-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 938154b93be8cd611ddfd7bafc1849f3c4355201 ] - -Add a new list to track set transaction and to check for unbound -anonymous sets before entering the commit phase. - -Bail out at the end of the transaction handling if an anonymous set -remains unbound. - -Fixes: 96518518cc41 ("netfilter: add nftables") -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - include/net/netfilter/nf_tables.h | 3 +++ - net/netfilter/nf_tables_api.c | 33 ++++++++++++++++++++++++++++++--- - 2 files changed, 33 insertions(+), 3 deletions(-) - ---- a/include/net/netfilter/nf_tables.h -+++ b/include/net/netfilter/nf_tables.h -@@ -1320,12 +1320,14 @@ static inline void nft_set_elem_clear_bu - * struct nft_trans - nf_tables object update in transaction - * - * @list: used internally -+ * @binding_list: list of objects with possible bindings - * @msg_type: message type - * @ctx: transaction context - * @data: internal information related to the transaction - */ - struct nft_trans { - struct list_head list; -+ struct list_head binding_list; - int msg_type; - struct nft_ctx ctx; - char data[0]; -@@ -1413,6 +1415,7 @@ void nft_chain_filter_fini(void); - struct nftables_pernet { - struct list_head tables; - struct list_head commit_list; -+ struct list_head binding_list; - struct list_head module_list; - struct list_head notify_list; - struct mutex commit_mutex; ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -102,6 +102,7 @@ static struct nft_trans *nft_trans_alloc - return NULL; - - INIT_LIST_HEAD(&trans->list); -+ INIT_LIST_HEAD(&trans->binding_list); - trans->msg_type = msg_type; - trans->ctx = *ctx; - -@@ -114,9 +115,15 @@ static struct nft_trans *nft_trans_alloc - return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); - } - --static void nft_trans_destroy(struct nft_trans *trans) -+static void nft_trans_list_del(struct nft_trans *trans) - { - list_del(&trans->list); -+ list_del(&trans->binding_list); -+} -+ -+static void nft_trans_destroy(struct nft_trans *trans) -+{ -+ nft_trans_list_del(trans); - kfree(trans); - } - -@@ -160,6 +167,13 @@ static void nft_trans_commit_list_add_ta - struct nftables_pernet *nft_net; - - nft_net = net_generic(net, nf_tables_net_id); -+ switch (trans->msg_type) { -+ case NFT_MSG_NEWSET: -+ if (nft_set_is_anonymous(nft_trans_set(trans))) -+ list_add_tail(&trans->binding_list, &nft_net->binding_list); -+ break; -+ } -+ - list_add_tail(&trans->list, &nft_net->commit_list); - } - -@@ -6403,7 +6417,7 @@ static void nf_tables_commit_release(str - synchronize_rcu(); - - list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { -- list_del(&trans->list); -+ nft_trans_list_del(trans); - nft_commit_release(trans); - } - } -@@ -6542,6 +6556,18 @@ static int nf_tables_commit(struct net * - struct nft_chain *chain; - struct nft_table *table; - -+ list_for_each_entry(trans, &nft_net->binding_list, binding_list) { -+ switch (trans->msg_type) { -+ case NFT_MSG_NEWSET: -+ if (nft_set_is_anonymous(nft_trans_set(trans)) && -+ !nft_trans_set_bound(trans)) { -+ pr_warn_once("nftables ruleset with unbound set\n"); -+ return -EINVAL; -+ } -+ break; -+ } -+ } -+ - /* 0. Validate ruleset, otherwise roll back for error reporting. */ - if (nf_tables_validate(net) < 0) - return -EAGAIN; -@@ -6847,7 +6873,7 @@ static int __nf_tables_abort(struct net - - list_for_each_entry_safe_reverse(trans, next, - &nft_net->commit_list, list) { -- list_del(&trans->list); -+ nft_trans_list_del(trans); - nf_tables_abort_release(trans); - } - -@@ -7497,6 +7523,7 @@ static int __net_init nf_tables_init_net - - INIT_LIST_HEAD(&nft_net->tables); - INIT_LIST_HEAD(&nft_net->commit_list); -+ INIT_LIST_HEAD(&nft_net->binding_list); - mutex_init(&nft_net->commit_mutex); - nft_net->base_seq = 1; - nft_net->validate_state = NFT_VALIDATE_SKIP; diff --git a/queue-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/queue-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch deleted file mode 100644 index 874be6923b5..00000000000 --- a/queue-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch +++ /dev/null @@ -1,33 +0,0 @@ -From stable-owner@vger.kernel.org Wed Jul 5 18:56:29 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:15 +0200 -Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-10-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 3e70489721b6c870252c9082c496703677240f53 ] - -Otherwise a dangling reference to a rule object that is gone remains -in the set binding list. - -Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_tables_api.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -3838,6 +3838,8 @@ void nf_tables_deactivate_set(const stru - nft_set_trans_unbind(ctx, set); - if (nft_set_is_anonymous(set)) - nft_deactivate_next(ctx->net, set); -+ else -+ list_del_rcu(&binding->list); - - set->use--; - break; diff --git a/queue-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch b/queue-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch deleted file mode 100644 index 2938e7b9ca9..00000000000 --- a/queue-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch +++ /dev/null @@ -1,1032 +0,0 @@ -From stable-owner@vger.kernel.org Wed Jul 5 18:56:03 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:11 +0200 -Subject: netfilter: nf_tables: use net_generic infra for transaction data -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-6-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 0854db2aaef3fcdd3498a9d299c60adea2aa3dc6 ] - -This moves all nf_tables pernet data from struct net to a net_generic -extension, with the exception of the gencursor. - -The latter is used in the data path and also outside of the nf_tables -core. All others are only used from the configuration plane. - -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - include/net/netfilter/nf_tables.h | 10 + - include/net/netns/nftables.h | 5 - net/netfilter/nf_tables_api.c | 303 +++++++++++++++++++++++--------------- - net/netfilter/nft_chain_filter.c | 11 + - net/netfilter/nft_dynset.c | 6 - 5 files changed, 210 insertions(+), 125 deletions(-) - ---- a/include/net/netfilter/nf_tables.h -+++ b/include/net/netfilter/nf_tables.h -@@ -1409,4 +1409,14 @@ struct nft_trans_flowtable { - int __init nft_chain_filter_init(void); - void nft_chain_filter_fini(void); - -+struct nftables_pernet { -+ struct list_head tables; -+ struct list_head commit_list; -+ struct list_head module_list; -+ struct list_head notify_list; -+ struct mutex commit_mutex; -+ unsigned int base_seq; -+ u8 validate_state; -+}; -+ - #endif /* _NET_NF_TABLES_H */ ---- a/include/net/netns/nftables.h -+++ b/include/net/netns/nftables.h -@@ -5,12 +5,7 @@ - #include - - struct netns_nftables { -- struct list_head tables; -- struct list_head commit_list; -- struct mutex commit_mutex; -- unsigned int base_seq; - u8 gencursor; -- u8 validate_state; - }; - - #endif ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -22,10 +22,13 @@ - #include - #include - #include -+#include - #include - - #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) - -+unsigned int nf_tables_net_id __read_mostly; -+ - static LIST_HEAD(nf_tables_expressions); - static LIST_HEAD(nf_tables_objects); - static LIST_HEAD(nf_tables_flowtables); -@@ -53,7 +56,9 @@ static const struct rhashtable_params nf - - static void nft_validate_state_update(struct net *net, u8 new_validate_state) - { -- switch (net->nft.validate_state) { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); -+ -+ switch (nft_net->validate_state) { - case NFT_VALIDATE_SKIP: - WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); - break; -@@ -64,7 +69,7 @@ static void nft_validate_state_update(st - return; - } - -- net->nft.validate_state = new_validate_state; -+ nft_net->validate_state = new_validate_state; - } - - static void nft_ctx_init(struct nft_ctx *ctx, -@@ -117,13 +122,15 @@ static void nft_trans_destroy(struct nft - - static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) - { -+ struct nftables_pernet *nft_net; - struct net *net = ctx->net; - struct nft_trans *trans; - - if (!nft_set_is_anonymous(set)) - return; - -- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { -+ nft_net = net_generic(net, nf_tables_net_id); -+ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { - switch (trans->msg_type) { - case NFT_MSG_NEWSET: - if (nft_trans_set(trans) == set) -@@ -137,6 +144,14 @@ static void nft_set_trans_bind(const str - } - } - -+static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) -+{ -+ struct nftables_pernet *nft_net; -+ -+ nft_net = net_generic(net, nf_tables_net_id); -+ list_add_tail(&trans->list, &nft_net->commit_list); -+} -+ - static int nf_tables_register_hook(struct net *net, - const struct nft_table *table, - struct nft_chain *chain) -@@ -187,7 +202,7 @@ static int nft_trans_table_add(struct nf - if (msg_type == NFT_MSG_NEWTABLE) - nft_activate_next(ctx->net, ctx->table); - -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - return 0; - } - -@@ -214,7 +229,7 @@ static int nft_trans_chain_add(struct nf - if (msg_type == NFT_MSG_NEWCHAIN) - nft_activate_next(ctx->net, ctx->chain); - -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - return 0; - } - -@@ -287,7 +302,7 @@ static struct nft_trans *nft_trans_rule_ - ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); - } - nft_trans_rule(trans) = rule; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - - return trans; - } -@@ -342,7 +357,7 @@ static int nft_trans_set_add(const struc - nft_activate_next(ctx->net, set); - } - nft_trans_set(trans) = set; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - - return 0; - } -@@ -374,7 +389,7 @@ static int nft_trans_obj_add(struct nft_ - nft_activate_next(ctx->net, obj); - - nft_trans_obj(trans) = obj; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - - return 0; - } -@@ -407,7 +422,7 @@ static int nft_trans_flowtable_add(struc - nft_activate_next(ctx->net, flowtable); - - nft_trans_flowtable(trans) = flowtable; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - - return 0; - } -@@ -435,12 +450,14 @@ static struct nft_table *nft_table_looku - const struct nlattr *nla, - u8 family, u8 genmask) - { -+ struct nftables_pernet *nft_net; - struct nft_table *table; - - if (nla == NULL) - return ERR_PTR(-EINVAL); - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ nft_net = net_generic(net, nf_tables_net_id); -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (!nla_strcmp(nla, table->name) && - table->family == family && - nft_active_genmask(table, genmask)) -@@ -454,9 +471,11 @@ static struct nft_table *nft_table_looku - const struct nlattr *nla, - u8 genmask) - { -+ struct nftables_pernet *nft_net; - struct nft_table *table; - -- list_for_each_entry(table, &net->nft.tables, list) { -+ nft_net = net_generic(net, nf_tables_net_id); -+ list_for_each_entry(table, &nft_net->tables, list) { - if (be64_to_cpu(nla_get_be64(nla)) == table->handle && - nft_active_genmask(table, genmask)) - return table; -@@ -509,11 +528,13 @@ __nf_tables_chain_type_lookup(const stru - static void nft_request_module(struct net *net, const char *fmt, ...) - { - char module_name[MODULE_NAME_LEN]; -+ struct nftables_pernet *nft_net; - LIST_HEAD(commit_list); - va_list args; - int ret; - -- list_splice_init(&net->nft.commit_list, &commit_list); -+ nft_net = net_generic(net, nf_tables_net_id); -+ list_splice_init(&nft_net->commit_list, &commit_list); - - va_start(args, fmt); - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); -@@ -521,12 +542,12 @@ static void nft_request_module(struct ne - if (ret >= MODULE_NAME_LEN) - return; - -- mutex_unlock(&net->nft.commit_mutex); -+ mutex_unlock(&nft_net->commit_mutex); - request_module("%s", module_name); -- mutex_lock(&net->nft.commit_mutex); -+ mutex_lock(&nft_net->commit_mutex); - -- WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); -- list_splice(&commit_list, &net->nft.commit_list); -+ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); -+ list_splice(&commit_list, &nft_net->commit_list); - } - #endif - -@@ -563,7 +584,9 @@ nf_tables_chain_type_lookup(struct net * - - static __be16 nft_base_seq(const struct net *net) - { -- return htons(net->nft.base_seq & 0xffff); -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); -+ -+ return htons(nft_net->base_seq & 0xffff); - } - - static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { -@@ -631,15 +654,17 @@ static int nf_tables_dump_tables(struct - struct netlink_callback *cb) - { - const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); -+ struct nftables_pernet *nft_net; - const struct nft_table *table; - unsigned int idx = 0, s_idx = cb->args[0]; - struct net *net = sock_net(skb->sk); - int family = nfmsg->nfgen_family; - - rcu_read_lock(); -- cb->seq = net->nft.base_seq; -+ nft_net = net_generic(net, nf_tables_net_id); -+ cb->seq = nft_net->base_seq; - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (family != NFPROTO_UNSPEC && family != table->family) - continue; - -@@ -813,7 +838,7 @@ static int nf_tables_updtable(struct nft - goto err; - - nft_trans_table_update(trans) = true; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - return 0; - err: - nft_trans_destroy(trans); -@@ -848,6 +873,7 @@ static int nf_tables_newtable(struct net - const struct nlattr * const nla[], - struct netlink_ext_ack *extack) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - const struct nfgenmsg *nfmsg = nlmsg_data(nlh); - u8 genmask = nft_genmask_next(net); - int family = nfmsg->nfgen_family; -@@ -857,7 +883,7 @@ static int nf_tables_newtable(struct net - struct nft_ctx ctx; - int err; - -- lockdep_assert_held(&net->nft.commit_mutex); -+ lockdep_assert_held(&nft_net->commit_mutex); - attr = nla[NFTA_TABLE_NAME]; - table = nft_table_lookup(net, attr, family, genmask); - if (IS_ERR(table)) { -@@ -907,7 +933,7 @@ static int nf_tables_newtable(struct net - if (err < 0) - goto err_trans; - -- list_add_tail_rcu(&table->list, &net->nft.tables); -+ list_add_tail_rcu(&table->list, &nft_net->tables); - return 0; - err_trans: - rhltable_destroy(&table->chains_ht); -@@ -987,11 +1013,12 @@ out: - - static int nft_flush(struct nft_ctx *ctx, int family) - { -+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); - struct nft_table *table, *nt; - const struct nlattr * const *nla = ctx->nla; - int err = 0; - -- list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { -+ list_for_each_entry_safe(table, nt, &nft_net->tables, list) { - if (family != AF_UNSPEC && table->family != family) - continue; - -@@ -1105,7 +1132,9 @@ nft_chain_lookup_byhandle(const struct n - static bool lockdep_commit_lock_is_held(struct net *net) - { - #ifdef CONFIG_PROVE_LOCKING -- return lockdep_is_held(&net->nft.commit_mutex); -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); -+ -+ return lockdep_is_held(&nft_net->commit_mutex); - #else - return true; - #endif -@@ -1302,11 +1331,13 @@ static int nf_tables_dump_chains(struct - unsigned int idx = 0, s_idx = cb->args[0]; - struct net *net = sock_net(skb->sk); - int family = nfmsg->nfgen_family; -+ struct nftables_pernet *nft_net; - - rcu_read_lock(); -- cb->seq = net->nft.base_seq; -+ nft_net = net_generic(net, nf_tables_net_id); -+ cb->seq = nft_net->base_seq; - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (family != NFPROTO_UNSPEC && family != table->family) - continue; - -@@ -1499,12 +1530,13 @@ static int nft_chain_parse_hook(struct n - struct nft_chain_hook *hook, u8 family, - bool autoload) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nlattr *ha[NFTA_HOOK_MAX + 1]; - const struct nft_chain_type *type; - struct net_device *dev; - int err; - -- lockdep_assert_held(&net->nft.commit_mutex); -+ lockdep_assert_held(&nft_net->commit_mutex); - lockdep_nfnl_nft_mutex_not_held(); - - err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK], -@@ -1773,6 +1805,7 @@ static int nf_tables_updchain(struct nft - - if (nla[NFTA_CHAIN_HANDLE] && - nla[NFTA_CHAIN_NAME]) { -+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); - struct nft_trans *tmp; - char *name; - -@@ -1782,7 +1815,7 @@ static int nf_tables_updchain(struct nft - goto err; - - err = -EEXIST; -- list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { -+ list_for_each_entry(tmp, &nft_net->commit_list, list) { - if (tmp->msg_type == NFT_MSG_NEWCHAIN && - tmp->ctx.table == table && - nft_trans_chain_update(tmp) && -@@ -1795,7 +1828,7 @@ static int nf_tables_updchain(struct nft - - nft_trans_chain_name(trans) = name; - } -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - - return 0; - err: -@@ -1809,6 +1842,7 @@ static int nf_tables_newchain(struct net - const struct nlattr * const nla[], - struct netlink_ext_ack *extack) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - const struct nfgenmsg *nfmsg = nlmsg_data(nlh); - u8 genmask = nft_genmask_next(net); - int family = nfmsg->nfgen_family; -@@ -1819,7 +1853,7 @@ static int nf_tables_newchain(struct net - struct nft_ctx ctx; - u64 handle = 0; - -- lockdep_assert_held(&net->nft.commit_mutex); -+ lockdep_assert_held(&nft_net->commit_mutex); - - table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); - if (IS_ERR(table)) { -@@ -2342,11 +2376,13 @@ static int nf_tables_dump_rules(struct s - unsigned int idx = 0, s_idx = cb->args[0]; - struct net *net = sock_net(skb->sk); - int family = nfmsg->nfgen_family; -+ struct nftables_pernet *nft_net; - - rcu_read_lock(); -- cb->seq = net->nft.base_seq; -+ nft_net = net_generic(net, nf_tables_net_id); -+ cb->seq = nft_net->base_seq; - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (family != NFPROTO_UNSPEC && family != table->family) - continue; - -@@ -2499,7 +2535,6 @@ static void nf_tables_rule_destroy(const - { - struct nft_expr *expr, *next; - -- lockdep_assert_held(&ctx->net->nft.commit_mutex); - /* - * Careful: some expressions might not be initialized in case this - * is called on error from nf_tables_newrule(). -@@ -2579,6 +2614,7 @@ static int nf_tables_newrule(struct net - const struct nlattr * const nla[], - struct netlink_ext_ack *extack) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - const struct nfgenmsg *nfmsg = nlmsg_data(nlh); - u8 genmask = nft_genmask_next(net); - struct nft_expr_info *info = NULL; -@@ -2595,7 +2631,7 @@ static int nf_tables_newrule(struct net - int err, rem; - u64 handle, pos_handle; - -- lockdep_assert_held(&net->nft.commit_mutex); -+ lockdep_assert_held(&nft_net->commit_mutex); - - table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); - if (IS_ERR(table)) { -@@ -2743,7 +2779,7 @@ static int nf_tables_newrule(struct net - kvfree(info); - chain->use++; - -- if (net->nft.validate_state == NFT_VALIDATE_DO) -+ if (nft_net->validate_state == NFT_VALIDATE_DO) - return nft_table_validate(net, table); - - return 0; -@@ -2765,10 +2801,11 @@ static struct nft_rule *nft_rule_lookup_ - const struct nft_chain *chain, - const struct nlattr *nla) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - u32 id = ntohl(nla_get_be32(nla)); - struct nft_trans *trans; - -- list_for_each_entry(trans, &net->nft.commit_list, list) { -+ list_for_each_entry(trans, &nft_net->commit_list, list) { - struct nft_rule *rule = nft_trans_rule(trans); - - if (trans->msg_type == NFT_MSG_NEWRULE && -@@ -2887,12 +2924,13 @@ nft_select_set_ops(const struct nft_ctx - const struct nft_set_desc *desc, - enum nft_set_policies policy) - { -+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); - const struct nft_set_ops *ops, *bops; - struct nft_set_estimate est, best; - const struct nft_set_type *type; - u32 flags = 0; - -- lockdep_assert_held(&ctx->net->nft.commit_mutex); -+ lockdep_assert_held(&nft_net->commit_mutex); - lockdep_nfnl_nft_mutex_not_held(); - #ifdef CONFIG_MODULES - if (list_empty(&nf_tables_set_types)) { -@@ -3038,10 +3076,11 @@ static struct nft_set *nft_set_lookup_by - const struct nft_table *table, - const struct nlattr *nla, u8 genmask) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nft_trans *trans; - u32 id = ntohl(nla_get_be32(nla)); - -- list_for_each_entry(trans, &net->nft.commit_list, list) { -+ list_for_each_entry(trans, &nft_net->commit_list, list) { - if (trans->msg_type == NFT_MSG_NEWSET) { - struct nft_set *set = nft_trans_set(trans); - -@@ -3257,14 +3296,16 @@ static int nf_tables_dump_sets(struct sk - struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; - struct net *net = sock_net(skb->sk); - struct nft_ctx *ctx = cb->data, ctx_set; -+ struct nftables_pernet *nft_net; - - if (cb->args[1]) - return skb->len; - - rcu_read_lock(); -- cb->seq = net->nft.base_seq; -+ nft_net = net_generic(net, nf_tables_net_id); -+ cb->seq = nft_net->base_seq; - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (ctx->family != NFPROTO_UNSPEC && - ctx->family != table->family) - continue; -@@ -3971,6 +4012,7 @@ static int nf_tables_dump_set(struct sk_ - { - struct nft_set_dump_ctx *dump_ctx = cb->data; - struct net *net = sock_net(skb->sk); -+ struct nftables_pernet *nft_net; - struct nft_table *table; - struct nft_set *set; - struct nft_set_dump_args args; -@@ -3981,7 +4023,8 @@ static int nf_tables_dump_set(struct sk_ - int event; - - rcu_read_lock(); -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ nft_net = net_generic(net, nf_tables_net_id); -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (dump_ctx->ctx.family != NFPROTO_UNSPEC && - dump_ctx->ctx.family != table->family) - continue; -@@ -4571,7 +4614,7 @@ static int nft_add_set_elem(struct nft_c - } - - nft_trans_elem(trans) = elem; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - return 0; - - err6: -@@ -4596,6 +4639,7 @@ static int nf_tables_newsetelem(struct n - const struct nlattr * const nla[], - struct netlink_ext_ack *extack) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - u8 genmask = nft_genmask_next(net); - const struct nlattr *attr; - struct nft_set *set; -@@ -4625,7 +4669,7 @@ static int nf_tables_newsetelem(struct n - return err; - } - -- if (net->nft.validate_state == NFT_VALIDATE_DO) -+ if (nft_net->validate_state == NFT_VALIDATE_DO) - return nft_table_validate(net, ctx.table); - - return 0; -@@ -4738,7 +4782,7 @@ static int nft_del_setelem(struct nft_ct - nft_set_elem_deactivate(ctx->net, set, &elem); - - nft_trans_elem(trans) = elem; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - return 0; - - fail_ops: -@@ -4772,7 +4816,7 @@ static int nft_flush_set(const struct nf - nft_set_elem_deactivate(ctx->net, set, elem); - nft_trans_elem_set(trans) = set; - nft_trans_elem(trans) = *elem; -- list_add_tail(&trans->list, &ctx->net->nft.commit_list); -+ nft_trans_commit_list_add_tail(ctx->net, trans); - - return 0; - err1: -@@ -5151,6 +5195,7 @@ static int nf_tables_dump_obj(struct sk_ - struct nft_obj_filter *filter = cb->data; - struct net *net = sock_net(skb->sk); - int family = nfmsg->nfgen_family; -+ struct nftables_pernet *nft_net; - struct nft_object *obj; - bool reset = false; - -@@ -5158,9 +5203,10 @@ static int nf_tables_dump_obj(struct sk_ - reset = true; - - rcu_read_lock(); -- cb->seq = net->nft.base_seq; -+ nft_net = net_generic(net, nf_tables_net_id); -+ cb->seq = nft_net->base_seq; - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (family != NFPROTO_UNSPEC && family != table->family) - continue; - -@@ -5826,12 +5872,14 @@ static int nf_tables_dump_flowtable(stru - struct net *net = sock_net(skb->sk); - int family = nfmsg->nfgen_family; - struct nft_flowtable *flowtable; -+ struct nftables_pernet *nft_net; - const struct nft_table *table; - - rcu_read_lock(); -- cb->seq = net->nft.base_seq; -+ nft_net = net_generic(net, nf_tables_net_id); -+ cb->seq = nft_net->base_seq; - -- list_for_each_entry_rcu(table, &net->nft.tables, list) { -+ list_for_each_entry_rcu(table, &nft_net->tables, list) { - if (family != NFPROTO_UNSPEC && family != table->family) - continue; - -@@ -6001,6 +6049,7 @@ static void nf_tables_flowtable_destroy( - static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, - u32 portid, u32 seq) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nlmsghdr *nlh; - char buf[TASK_COMM_LEN]; - int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); -@@ -6010,7 +6059,7 @@ static int nf_tables_fill_gen_info(struc - if (!nlh) - goto nla_put_failure; - -- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || -+ if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || - nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || - nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) - goto nla_put_failure; -@@ -6043,6 +6092,7 @@ static int nf_tables_flowtable_event(str - { - struct net_device *dev = netdev_notifier_info_to_dev(ptr); - struct nft_flowtable *flowtable; -+ struct nftables_pernet *nft_net; - struct nft_table *table; - struct net *net; - -@@ -6050,13 +6100,14 @@ static int nf_tables_flowtable_event(str - return 0; - - net = dev_net(dev); -- mutex_lock(&net->nft.commit_mutex); -- list_for_each_entry(table, &net->nft.tables, list) { -+ nft_net = net_generic(net, nf_tables_net_id); -+ mutex_lock(&nft_net->commit_mutex); -+ list_for_each_entry(table, &nft_net->tables, list) { - list_for_each_entry(flowtable, &table->flowtables, list) { - nft_flowtable_event(event, dev, flowtable); - } - } -- mutex_unlock(&net->nft.commit_mutex); -+ mutex_unlock(&nft_net->commit_mutex); - - return NOTIFY_DONE; - } -@@ -6237,16 +6288,17 @@ static const struct nfnl_callback nf_tab - - static int nf_tables_validate(struct net *net) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nft_table *table; - -- switch (net->nft.validate_state) { -+ switch (nft_net->validate_state) { - case NFT_VALIDATE_SKIP: - break; - case NFT_VALIDATE_NEED: - nft_validate_state_update(net, NFT_VALIDATE_DO); - /* fall through */ - case NFT_VALIDATE_DO: -- list_for_each_entry(table, &net->nft.tables, list) { -+ list_for_each_entry(table, &nft_net->tables, list) { - if (nft_table_validate(net, table) < 0) - return -EAGAIN; - } -@@ -6323,14 +6375,15 @@ static void nft_commit_release(struct nf - - static void nf_tables_commit_release(struct net *net) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nft_trans *trans, *next; - -- if (list_empty(&net->nft.commit_list)) -+ if (list_empty(&nft_net->commit_list)) - return; - - synchronize_rcu(); - -- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { -+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { - list_del(&trans->list); - nft_commit_release(trans); - } -@@ -6369,9 +6422,10 @@ static int nf_tables_commit_chain_prepar - - static void nf_tables_commit_chain_prepare_cancel(struct net *net) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nft_trans *trans, *next; - -- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { -+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { - struct nft_chain *chain = trans->ctx.chain; - - if (trans->msg_type == NFT_MSG_NEWRULE || -@@ -6463,6 +6517,7 @@ static void nft_chain_del(struct nft_cha - - static int nf_tables_commit(struct net *net, struct sk_buff *skb) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nft_trans *trans, *next; - struct nft_trans_elem *te; - struct nft_chain *chain; -@@ -6473,7 +6528,7 @@ static int nf_tables_commit(struct net * - return -EAGAIN; - - /* 1. Allocate space for next generation rules_gen_X[] */ -- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { -+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { - int ret; - - if (trans->msg_type == NFT_MSG_NEWRULE || -@@ -6489,7 +6544,7 @@ static int nf_tables_commit(struct net * - } - - /* step 2. Make rules_gen_X visible to packet path */ -- list_for_each_entry(table, &net->nft.tables, list) { -+ list_for_each_entry(table, &nft_net->tables, list) { - list_for_each_entry(chain, &table->chains, list) - nf_tables_commit_chain(net, chain); - } -@@ -6498,12 +6553,13 @@ static int nf_tables_commit(struct net * - * Bump generation counter, invalidate any dump in progress. - * Cannot fail after this point. - */ -- while (++net->nft.base_seq == 0); -+ while (++nft_net->base_seq == 0) -+ ; - - /* step 3. Start new generation, rules_gen_X now in use. */ - net->nft.gencursor = nft_gencursor_next(net); - -- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { -+ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { - switch (trans->msg_type) { - case NFT_MSG_NEWTABLE: - if (nft_trans_table_update(trans)) { -@@ -6624,7 +6680,7 @@ static int nf_tables_commit(struct net * - - nf_tables_commit_release(net); - nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); -- mutex_unlock(&net->nft.commit_mutex); -+ mutex_unlock(&nft_net->commit_mutex); - - return 0; - } -@@ -6660,10 +6716,11 @@ static void nf_tables_abort_release(stru - - static int __nf_tables_abort(struct net *net) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - struct nft_trans *trans, *next; - struct nft_trans_elem *te; - -- list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, -+ list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, - list) { - switch (trans->msg_type) { - case NFT_MSG_NEWTABLE: -@@ -6770,7 +6827,7 @@ static int __nf_tables_abort(struct net - synchronize_rcu(); - - list_for_each_entry_safe_reverse(trans, next, -- &net->nft.commit_list, list) { -+ &nft_net->commit_list, list) { - list_del(&trans->list); - nf_tables_abort_release(trans); - } -@@ -6780,22 +6837,24 @@ static int __nf_tables_abort(struct net - - static int nf_tables_abort(struct net *net, struct sk_buff *skb) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - int ret = __nf_tables_abort(net); - -- mutex_unlock(&net->nft.commit_mutex); -+ mutex_unlock(&nft_net->commit_mutex); - - return ret; - } - - static bool nf_tables_valid_genid(struct net *net, u32 genid) - { -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); - bool genid_ok; - -- mutex_lock(&net->nft.commit_mutex); -+ mutex_lock(&nft_net->commit_mutex); - -- genid_ok = genid == 0 || net->nft.base_seq == genid; -+ genid_ok = genid == 0 || nft_net->base_seq == genid; - if (!genid_ok) -- mutex_unlock(&net->nft.commit_mutex); -+ mutex_unlock(&nft_net->commit_mutex); - - /* else, commit mutex has to be released by commit or abort function */ - return genid_ok; -@@ -7353,10 +7412,9 @@ int __nft_release_basechain(struct nft_c - } - EXPORT_SYMBOL_GPL(__nft_release_basechain); - --static void __nft_release_tables(struct net *net) -+static void __nft_release_table(struct net *net, struct nft_table *table) - { - struct nft_flowtable *flowtable, *nf; -- struct nft_table *table, *nt; - struct nft_chain *chain, *nc; - struct nft_object *obj, *ne; - struct nft_rule *rule, *nr; -@@ -7366,71 +7424,84 @@ static void __nft_release_tables(struct - .family = NFPROTO_NETDEV, - }; - -- list_for_each_entry_safe(table, nt, &net->nft.tables, list) { -- ctx.family = table->family; -+ ctx.family = table->family; - -- list_for_each_entry(chain, &table->chains, list) -- nf_tables_unregister_hook(net, table, chain); -- /* No packets are walking on these chains anymore. */ -- ctx.table = table; -- list_for_each_entry(chain, &table->chains, list) { -- ctx.chain = chain; -- list_for_each_entry_safe(rule, nr, &chain->rules, list) { -- list_del(&rule->list); -- chain->use--; -- nf_tables_rule_release(&ctx, rule); -- } -- } -- list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { -- list_del(&flowtable->list); -- table->use--; -- nf_tables_flowtable_destroy(flowtable); -- } -- list_for_each_entry_safe(set, ns, &table->sets, list) { -- list_del(&set->list); -- table->use--; -- nft_set_destroy(set); -- } -- list_for_each_entry_safe(obj, ne, &table->objects, list) { -- list_del(&obj->list); -- table->use--; -- nft_obj_destroy(&ctx, obj); -- } -- list_for_each_entry_safe(chain, nc, &table->chains, list) { -- ctx.chain = chain; -- nft_chain_del(chain); -- table->use--; -- nf_tables_chain_destroy(&ctx); -+ list_for_each_entry(chain, &table->chains, list) -+ nf_tables_unregister_hook(net, table, chain); -+ /* No packets are walking on these chains anymore. */ -+ ctx.table = table; -+ list_for_each_entry(chain, &table->chains, list) { -+ ctx.chain = chain; -+ list_for_each_entry_safe(rule, nr, &chain->rules, list) { -+ list_del(&rule->list); -+ chain->use--; -+ nf_tables_rule_release(&ctx, rule); - } -- list_del(&table->list); -- nf_tables_table_destroy(&ctx); - } -+ list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { -+ list_del(&flowtable->list); -+ table->use--; -+ nf_tables_flowtable_destroy(flowtable); -+ } -+ list_for_each_entry_safe(set, ns, &table->sets, list) { -+ list_del(&set->list); -+ table->use--; -+ nft_set_destroy(set); -+ } -+ list_for_each_entry_safe(obj, ne, &table->objects, list) { -+ list_del(&obj->list); -+ table->use--; -+ nft_obj_destroy(&ctx, obj); -+ } -+ list_for_each_entry_safe(chain, nc, &table->chains, list) { -+ ctx.chain = chain; -+ nft_chain_del(chain); -+ table->use--; -+ nf_tables_chain_destroy(&ctx); -+ } -+ list_del(&table->list); -+ nf_tables_table_destroy(&ctx); -+} -+ -+static void __nft_release_tables(struct net *net) -+{ -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); -+ struct nft_table *table, *nt; -+ -+ list_for_each_entry_safe(table, nt, &nft_net->tables, list) -+ __nft_release_table(net, table); - } - - static int __net_init nf_tables_init_net(struct net *net) - { -- INIT_LIST_HEAD(&net->nft.tables); -- INIT_LIST_HEAD(&net->nft.commit_list); -- mutex_init(&net->nft.commit_mutex); -- net->nft.base_seq = 1; -- net->nft.validate_state = NFT_VALIDATE_SKIP; -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); -+ -+ INIT_LIST_HEAD(&nft_net->tables); -+ INIT_LIST_HEAD(&nft_net->commit_list); -+ mutex_init(&nft_net->commit_mutex); -+ nft_net->base_seq = 1; -+ nft_net->validate_state = NFT_VALIDATE_SKIP; - - return 0; - } - - static void __net_exit nf_tables_exit_net(struct net *net) - { -- mutex_lock(&net->nft.commit_mutex); -- if (!list_empty(&net->nft.commit_list)) -+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); -+ -+ mutex_lock(&nft_net->commit_mutex); -+ if (!list_empty(&nft_net->commit_list)) - __nf_tables_abort(net); - __nft_release_tables(net); -- mutex_unlock(&net->nft.commit_mutex); -- WARN_ON_ONCE(!list_empty(&net->nft.tables)); -+ mutex_unlock(&nft_net->commit_mutex); -+ WARN_ON_ONCE(!list_empty(&nft_net->tables)); - } - - static struct pernet_operations nf_tables_net_ops = { - .init = nf_tables_init_net, - .exit = nf_tables_exit_net, -+ .id = &nf_tables_net_id, -+ .size = sizeof(struct nftables_pernet), - }; - - static int __init nf_tables_module_init(void) ---- a/net/netfilter/nft_chain_filter.c -+++ b/net/netfilter/nft_chain_filter.c -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -10,6 +11,8 @@ - #include - #include - -+extern unsigned int nf_tables_net_id; -+ - #ifdef CONFIG_NF_TABLES_IPV4 - static unsigned int nft_do_chain_ipv4(void *priv, - struct sk_buff *skb, -@@ -315,6 +318,7 @@ static int nf_tables_netdev_event(struct - unsigned long event, void *ptr) - { - struct net_device *dev = netdev_notifier_info_to_dev(ptr); -+ struct nftables_pernet *nft_net; - struct nft_table *table; - struct nft_chain *chain, *nr; - struct nft_ctx ctx = { -@@ -325,8 +329,9 @@ static int nf_tables_netdev_event(struct - event != NETDEV_CHANGENAME) - return NOTIFY_DONE; - -- mutex_lock(&ctx.net->nft.commit_mutex); -- list_for_each_entry(table, &ctx.net->nft.tables, list) { -+ nft_net = net_generic(ctx.net, nf_tables_net_id); -+ mutex_lock(&nft_net->commit_mutex); -+ list_for_each_entry(table, &nft_net->tables, list) { - if (table->family != NFPROTO_NETDEV) - continue; - -@@ -340,7 +345,7 @@ static int nf_tables_netdev_event(struct - nft_netdev_event(event, dev, &ctx); - } - } -- mutex_unlock(&ctx.net->nft.commit_mutex); -+ mutex_unlock(&nft_net->commit_mutex); - - return NOTIFY_DONE; - } ---- a/net/netfilter/nft_dynset.c -+++ b/net/netfilter/nft_dynset.c -@@ -15,6 +15,9 @@ - #include - #include - #include -+#include -+ -+extern unsigned int nf_tables_net_id; - - struct nft_dynset { - struct nft_set *set; -@@ -112,13 +115,14 @@ static int nft_dynset_init(const struct - const struct nft_expr *expr, - const struct nlattr * const tb[]) - { -+ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); - struct nft_dynset *priv = nft_expr_priv(expr); - u8 genmask = nft_genmask_next(ctx->net); - struct nft_set *set; - u64 timeout; - int err; - -- lockdep_assert_held(&ctx->net->nft.commit_mutex); -+ lockdep_assert_held(&nft_net->commit_mutex); - - if (tb[NFTA_DYNSET_SET_NAME] == NULL || - tb[NFTA_DYNSET_OP] == NULL || diff --git a/queue-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch b/queue-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch deleted file mode 100644 index e15f9a44432..00000000000 --- a/queue-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch +++ /dev/null @@ -1,117 +0,0 @@ -From pablo@netfilter.org Wed Jul 5 18:55:23 2023 -From: Pablo Neira Ayuso -Date: Wed, 5 Jul 2023 18:55:09 +0200 -Subject: netfilter: nftables: add helper function to set the base sequence number -To: netfilter-devel@vger.kernel.org -Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org -Message-ID: <20230705165516.50145-4-pablo@netfilter.org> - -From: Pablo Neira Ayuso - -[ 802b805162a1b7d8391c40ac8a878e9e63287aff ] - -This patch adds a helper function to calculate the base sequence number -field that is stored in the nfnetlink header. Use the helper function -whenever possible. - -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Greg Kroah-Hartman ---- - net/netfilter/nf_tables_api.c | 23 ++++++++++++++--------- - 1 file changed, 14 insertions(+), 9 deletions(-) - ---- a/net/netfilter/nf_tables_api.c -+++ b/net/netfilter/nf_tables_api.c -@@ -561,6 +561,11 @@ nf_tables_chain_type_lookup(struct net * - return ERR_PTR(-ENOENT); - } - -+static __be16 nft_base_seq(const struct net *net) -+{ -+ return htons(net->nft.base_seq & 0xffff); -+} -+ - static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { - [NFTA_TABLE_NAME] = { .type = NLA_STRING, - .len = NFT_TABLE_MAXNAMELEN - 1 }, -@@ -583,7 +588,7 @@ static int nf_tables_fill_table_info(str - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || - nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || -@@ -1218,7 +1223,7 @@ static int nf_tables_fill_chain_info(str - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) - goto nla_put_failure; -@@ -2265,7 +2270,7 @@ static int nf_tables_fill_rule_info(stru - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) - goto nla_put_failure; -@@ -3176,7 +3181,7 @@ static int nf_tables_fill_set(struct sk_ - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = ctx->family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(ctx->net); - - if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) - goto nla_put_failure; -@@ -4032,7 +4037,7 @@ static int nf_tables_dump_set(struct sk_ - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = table->family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) - goto nla_put_failure; -@@ -4104,7 +4109,7 @@ static int nf_tables_fill_setelem_info(s - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = ctx->family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(ctx->net); - - if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) - goto nla_put_failure; -@@ -5152,7 +5157,7 @@ static int nf_tables_fill_obj_info(struc - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || - nla_put_string(skb, NFTA_OBJ_NAME, obj->name) || -@@ -5813,7 +5818,7 @@ static int nf_tables_fill_flowtable_info - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = family; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || - nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || -@@ -6051,7 +6056,7 @@ static int nf_tables_fill_gen_info(struc - nfmsg = nlmsg_data(nlh); - nfmsg->nfgen_family = AF_UNSPEC; - nfmsg->version = NFNETLINK_V0; -- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); -+ nfmsg->res_id = nft_base_seq(net); - - if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || - nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || diff --git a/queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch deleted file mode 100644 index 6e8e545f52f..00000000000 --- a/queue-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch +++ /dev/null @@ -1,152 +0,0 @@ -From 3a75a252bcf5592f5b27882ccbb7d44ddafb7763 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 26 Jun 2023 09:43:13 -0700 -Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump(). - -From: Kuniyuki Iwashima - -[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] - -syzbot reported a warning in __local_bh_enable_ip(). [0] - -Commit 8d61f926d420 ("netlink: fix potential deadlock in -netlink_set_err()") converted read_lock(&nl_table_lock) to -read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. - -However, __netlink_diag_dump() calls sock_i_ino() that uses -read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, -read_unlock_bh() finally enables IRQ even though it should stay -disabled until the following read_unlock_irqrestore(). - -Using read_lock() in sock_i_ino() would trigger a lockdep splat -in another place that was fixed in commit f064af1e500a ("net: fix -a lockdep splat"), so let's add __sock_i_ino() that would be safe -to use under BH disabled. - -[0]: -WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 -Modules linked in: -CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 -RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 -Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f -RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 -RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 -RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 -RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 -R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 -R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 -FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 -Call Trace: - - sock_i_ino+0x83/0xa0 net/core/sock.c:2559 - __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 - netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 - netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 - __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 - netlink_dump_start include/linux/netlink.h:329 [inline] - netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 - __sock_diag_cmd net/core/sock_diag.c:238 [inline] - sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 - netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 - sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 - netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] - netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 - netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 - sock_sendmsg_nosec net/socket.c:724 [inline] - sock_sendmsg+0xde/0x190 net/socket.c:747 - ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 - ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 - __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 - do_syscall_x64 arch/x86/entry/common.c:50 [inline] - do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 - entry_SYSCALL_64_after_hwframe+0x63/0xcd -RIP: 0033:0x7f5303aaabb9 -Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 -RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e -RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 -RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 -RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 -R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 - - -Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") -Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com -Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 -Suggested-by: Eric Dumazet -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/sock.h | 1 + - net/core/sock.c | 17 ++++++++++++++--- - net/netlink/diag.c | 2 +- - 3 files changed, 16 insertions(+), 4 deletions(-) - -diff --git a/include/net/sock.h b/include/net/sock.h -index 616e84d1670df..72739f72e4b90 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -1840,6 +1840,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) - } - - kuid_t sock_i_uid(struct sock *sk); -+unsigned long __sock_i_ino(struct sock *sk); - unsigned long sock_i_ino(struct sock *sk); - - static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) -diff --git a/net/core/sock.c b/net/core/sock.c -index 347a55519d0a5..5b31f3446fc7a 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -1939,13 +1939,24 @@ kuid_t sock_i_uid(struct sock *sk) - } - EXPORT_SYMBOL(sock_i_uid); - --unsigned long sock_i_ino(struct sock *sk) -+unsigned long __sock_i_ino(struct sock *sk) - { - unsigned long ino; - -- read_lock_bh(&sk->sk_callback_lock); -+ read_lock(&sk->sk_callback_lock); - ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; -- read_unlock_bh(&sk->sk_callback_lock); -+ read_unlock(&sk->sk_callback_lock); -+ return ino; -+} -+EXPORT_SYMBOL(__sock_i_ino); -+ -+unsigned long sock_i_ino(struct sock *sk) -+{ -+ unsigned long ino; -+ -+ local_bh_disable(); -+ ino = __sock_i_ino(sk); -+ local_bh_enable(); - return ino; - } - EXPORT_SYMBOL(sock_i_ino); -diff --git a/net/netlink/diag.c b/net/netlink/diag.c -index 83a0429805e9d..85ee4891c2c7f 100644 ---- a/net/netlink/diag.c -+++ b/net/netlink/diag.c -@@ -167,7 +167,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, - NETLINK_CB(cb->skb).portid, - cb->nlh->nlmsg_seq, - NLM_F_MULTI, -- sock_i_ino(sk)) < 0) { -+ __sock_i_ino(sk)) < 0) { - ret = 1; - break; - } --- -2.39.2 - diff --git a/queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch deleted file mode 100644 index d17adc884c3..00000000000 --- a/queue-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch +++ /dev/null @@ -1,157 +0,0 @@ -From 459b47414fc29c8475bd27d3af1b1a4f95fb993f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 17:47:20 +0000 -Subject: netlink: do not hard code device address lenth in fdb dumps - -From: Eric Dumazet - -[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] - -syzbot reports that some netdev devices do not have a six bytes -address [1] - -Replace ETH_ALEN by dev->addr_len. - -[1] (Case of a device where dev->addr_len = 4) - -BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] -BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 -instrument_copy_to_user include/linux/instrumented.h:114 [inline] -copyout+0xb8/0x100 lib/iov_iter.c:169 -_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 -copy_to_iter include/linux/uio.h:206 [inline] -simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 -__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 -skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 -skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] -netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 -sock_recvmsg_nosec net/socket.c:1019 [inline] -sock_recvmsg net/socket.c:1040 [inline] -____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 -___sys_recvmsg+0x223/0x840 net/socket.c:2764 -do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 -__sys_recvmmsg net/socket.c:2937 [inline] -__do_sys_recvmmsg net/socket.c:2960 [inline] -__se_sys_recvmmsg net/socket.c:2953 [inline] -__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Uninit was stored to memory at: -__nla_put lib/nlattr.c:1009 [inline] -nla_put+0x1c6/0x230 lib/nlattr.c:1067 -nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 -nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] -ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 -rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 -netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 -netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 -sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 -____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 -___sys_recvmsg+0x223/0x840 net/socket.c:2764 -do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 -__sys_recvmmsg net/socket.c:2937 [inline] -__do_sys_recvmmsg net/socket.c:2960 [inline] -__se_sys_recvmmsg net/socket.c:2953 [inline] -__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Uninit was created at: -slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 -slab_alloc_node mm/slub.c:3451 [inline] -__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 -kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 -kmalloc include/linux/slab.h:559 [inline] -__hw_addr_create net/core/dev_addr_lists.c:60 [inline] -__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 -__dev_mc_add net/core/dev_addr_lists.c:867 [inline] -dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 -igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 -ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 -ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 -addrconf_type_change net/ipv6/addrconf.c:3731 [inline] -addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 -notifier_call_chain kernel/notifier.c:93 [inline] -raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 -call_netdevice_notifiers_info net/core/dev.c:1935 [inline] -call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] -call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 -bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 -do_set_master net/core/rtnetlink.c:2626 [inline] -rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] -__rtnl_newlink net/core/rtnetlink.c:3660 [inline] -rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 -rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 -netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 -rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 -netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] -netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 -netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 -sock_sendmsg_nosec net/socket.c:724 [inline] -sock_sendmsg net/socket.c:747 [inline] -____sys_sendmsg+0x999/0xd50 net/socket.c:2503 -___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 -__sys_sendmsg net/socket.c:2586 [inline] -__do_sys_sendmsg net/socket.c:2595 [inline] -__se_sys_sendmsg net/socket.c:2593 [inline] -__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 -do_syscall_x64 arch/x86/entry/common.c:50 [inline] -do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 -entry_SYSCALL_64_after_hwframe+0x63/0xcd - -Bytes 2856-2857 of 3500 are uninitialized -Memory access of size 3500 starts at ffff888018d99104 -Data copied to user address 0000000020000480 - -Fixes: d83b06036048 ("net: add fdb generic dump routine") -Reported-by: syzbot -Signed-off-by: Eric Dumazet -Reviewed-by: Jiri Pirko -Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/core/rtnetlink.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c -index 2837cc03f69e2..79f62517e24a5 100644 ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -3436,7 +3436,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, - ndm->ndm_ifindex = dev->ifindex; - ndm->ndm_state = ndm_state; - -- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr)) -+ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr)) - goto nla_put_failure; - if (vid) - if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid)) -@@ -3450,10 +3450,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, - return -EMSGSIZE; - } - --static inline size_t rtnl_fdb_nlmsg_size(void) -+static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev) - { - return NLMSG_ALIGN(sizeof(struct ndmsg)) + -- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */ -+ nla_total_size(dev->addr_len) + /* NDA_LLADDR */ - nla_total_size(sizeof(u16)) + /* NDA_VLAN */ - 0; - } -@@ -3465,7 +3465,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type, - struct sk_buff *skb; - int err = -ENOBUFS; - -- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC); -+ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC); - if (!skb) - goto errout; - --- -2.39.2 - diff --git a/queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch deleted file mode 100644 index ed4e1963a67..00000000000 --- a/queue-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 6845ece794e1aeaadab2f5f1b10d1d35bc668d1c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 21 Jun 2023 15:43:37 +0000 -Subject: netlink: fix potential deadlock in netlink_set_err() - -From: Eric Dumazet - -[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] - -syzbot reported a possible deadlock in netlink_set_err() [1] - -A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs -for netlink_lock_table()") in netlink_lock_table() - -This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() -which were not covered by cited commit. - -[1] - -WARNING: possible irq lock inversion dependency detected -6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted - -syz-executor.2/23011 just changed the state of lock: -ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 -but this lock was taken by another, SOFTIRQ-safe lock in the past: - (&local->queue_stop_reason_lock){..-.}-{2:2} - -and interrupts could create inverse lock ordering between them. - -other info that might help us debug this: - Possible interrupt unsafe locking scenario: - - CPU0 CPU1 - ---- ---- - lock(nl_table_lock); - local_irq_disable(); - lock(&local->queue_stop_reason_lock); - lock(nl_table_lock); - - lock(&local->queue_stop_reason_lock); - - *** DEADLOCK *** - -Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") -Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com -Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c -Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u -Signed-off-by: Eric Dumazet -Cc: Johannes Berg -Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/netlink/af_netlink.c | 5 +++-- - net/netlink/diag.c | 5 +++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 57fd9b7cfc75f..35ecaa93f213a 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -1603,6 +1603,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) - int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) - { - struct netlink_set_err_data info; -+ unsigned long flags; - struct sock *sk; - int ret = 0; - -@@ -1612,12 +1613,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) - /* sk->sk_err wants a positive error value */ - info.code = -code; - -- read_lock(&nl_table_lock); -+ read_lock_irqsave(&nl_table_lock, flags); - - sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list) - ret += do_one_set_err(sk, &info); - -- read_unlock(&nl_table_lock); -+ read_unlock_irqrestore(&nl_table_lock, flags); - return ret; - } - EXPORT_SYMBOL(netlink_set_err); -diff --git a/net/netlink/diag.c b/net/netlink/diag.c -index 7dda33b9b7849..83a0429805e9d 100644 ---- a/net/netlink/diag.c -+++ b/net/netlink/diag.c -@@ -93,6 +93,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, - struct net *net = sock_net(skb->sk); - struct netlink_diag_req *req; - struct netlink_sock *nlsk; -+ unsigned long flags; - struct sock *sk; - int num = 2; - int ret = 0; -@@ -151,7 +152,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, - num++; - - mc_list: -- read_lock(&nl_table_lock); -+ read_lock_irqsave(&nl_table_lock, flags); - sk_for_each_bound(sk, &tbl->mc_list) { - if (sk_hashed(sk)) - continue; -@@ -172,7 +173,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, - } - num++; - } -- read_unlock(&nl_table_lock); -+ read_unlock_irqrestore(&nl_table_lock, flags); - - done: - cb->args[0] = num; --- -2.39.2 - diff --git a/queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch deleted file mode 100644 index e9f0509bfca..00000000000 --- a/queue-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch +++ /dev/null @@ -1,465 +0,0 @@ -From f2fd3340eff76d7c5d0b33c8a89cb746bb836c1a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jul 2021 16:41:59 +0200 -Subject: nfc: constify several pointers to u8, char and sk_buff - -From: Krzysztof Kozlowski - -[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ] - -Several functions receive pointers to u8, char or sk_buff but do not -modify the contents so make them const. This allows doing the same for -local variables and in total makes the code a little bit safer. - -Signed-off-by: Krzysztof Kozlowski -Signed-off-by: Jakub Kicinski -Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()") -Signed-off-by: Sasha Levin ---- - include/net/nfc/nfc.h | 4 ++-- - net/nfc/core.c | 4 ++-- - net/nfc/hci/llc_shdlc.c | 10 ++++----- - net/nfc/llcp.h | 8 +++---- - net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++------------------- - net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------ - net/nfc/nfc.h | 2 +- - 7 files changed, 63 insertions(+), 55 deletions(-) - -diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h -index bbdc73a3239df..8b86560b5cfb1 100644 ---- a/include/net/nfc/nfc.h -+++ b/include/net/nfc/nfc.h -@@ -278,7 +278,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk, - struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp); - - int nfc_set_remote_general_bytes(struct nfc_dev *dev, -- u8 *gt, u8 gt_len); -+ const u8 *gt, u8 gt_len); - u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len); - - int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name, -@@ -292,7 +292,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx, - u8 comm_mode, u8 rf_mode); - - int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, -- u8 *gb, size_t gb_len); -+ const u8 *gb, size_t gb_len); - int nfc_tm_deactivated(struct nfc_dev *dev); - int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb); - -diff --git a/net/nfc/core.c b/net/nfc/core.c -index a84f824da051d..dd12ee46ac730 100644 ---- a/net/nfc/core.c -+++ b/net/nfc/core.c -@@ -646,7 +646,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx) - return rc; - } - --int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len) -+int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len) - { - pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len); - -@@ -675,7 +675,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb) - EXPORT_SYMBOL(nfc_tm_data_received); - - int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, -- u8 *gb, size_t gb_len) -+ const u8 *gb, size_t gb_len) - { - int rc; - -diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c -index fe988936ad923..e6863c71f566d 100644 ---- a/net/nfc/hci/llc_shdlc.c -+++ b/net/nfc/hci/llc_shdlc.c -@@ -134,7 +134,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z) - return ((y >= x) || (y < z)) ? true : false; - } - --static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, -+static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc, - int payload_len) - { - struct sk_buff *skb; -@@ -148,7 +148,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, - } - - /* immediately sends an S frame. */ --static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, -+static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc, - enum sframe_type sframe_type, int nr) - { - int r; -@@ -170,7 +170,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, - } - - /* immediately sends an U frame. skb may contain optional payload */ --static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc, -+static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc, - struct sk_buff *skb, - enum uframe_modifier uframe_modifier) - { -@@ -372,7 +372,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r) - wake_up(shdlc->connect_wq); - } - --static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) -+static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc) - { - struct sk_buff *skb; - -@@ -388,7 +388,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) - return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET); - } - --static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc) -+static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc) - { - struct sk_buff *skb; - -diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h -index 1f68724d44d3b..a070a57fc1516 100644 ---- a/net/nfc/llcp.h -+++ b/net/nfc/llcp.h -@@ -233,15 +233,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock); - - /* TLV API */ - int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, -- u8 *tlv_array, u16 tlv_array_len); -+ const u8 *tlv_array, u16 tlv_array_len); - int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, -- u8 *tlv_array, u16 tlv_array_len); -+ const u8 *tlv_array, u16 tlv_array_len); - - /* Commands API */ - void nfc_llcp_recv(void *data, struct sk_buff *skb, int err); --u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length); -+u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length); - struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap); --struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, -+struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, - size_t uri_len); - void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); - void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head); -diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c -index d1fc019e932e0..6dcad7bcf20bb 100644 ---- a/net/nfc/llcp_commands.c -+++ b/net/nfc/llcp_commands.c -@@ -27,7 +27,7 @@ - #include "nfc.h" - #include "llcp.h" - --static u8 llcp_tlv_length[LLCP_TLV_MAX] = { -+static const u8 llcp_tlv_length[LLCP_TLV_MAX] = { - 0, - 1, /* VERSION */ - 2, /* MIUX */ -@@ -41,7 +41,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = { - - }; - --static u8 llcp_tlv8(u8 *tlv, u8 type) -+static u8 llcp_tlv8(const u8 *tlv, u8 type) - { - if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) - return 0; -@@ -49,7 +49,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type) - return tlv[2]; - } - --static u16 llcp_tlv16(u8 *tlv, u8 type) -+static u16 llcp_tlv16(const u8 *tlv, u8 type) - { - if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) - return 0; -@@ -58,37 +58,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type) - } - - --static u8 llcp_tlv_version(u8 *tlv) -+static u8 llcp_tlv_version(const u8 *tlv) - { - return llcp_tlv8(tlv, LLCP_TLV_VERSION); - } - --static u16 llcp_tlv_miux(u8 *tlv) -+static u16 llcp_tlv_miux(const u8 *tlv) - { - return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff; - } - --static u16 llcp_tlv_wks(u8 *tlv) -+static u16 llcp_tlv_wks(const u8 *tlv) - { - return llcp_tlv16(tlv, LLCP_TLV_WKS); - } - --static u16 llcp_tlv_lto(u8 *tlv) -+static u16 llcp_tlv_lto(const u8 *tlv) - { - return llcp_tlv8(tlv, LLCP_TLV_LTO); - } - --static u8 llcp_tlv_opt(u8 *tlv) -+static u8 llcp_tlv_opt(const u8 *tlv) - { - return llcp_tlv8(tlv, LLCP_TLV_OPT); - } - --static u8 llcp_tlv_rw(u8 *tlv) -+static u8 llcp_tlv_rw(const u8 *tlv) - { - return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf; - } - --u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length) -+u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length) - { - u8 *tlv, length; - -@@ -142,7 +142,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap) - return sdres; - } - --struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, -+struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, - size_t uri_len) - { - struct nfc_llcp_sdp_tlv *sdreq; -@@ -202,9 +202,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head) - } - - int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, -- u8 *tlv_array, u16 tlv_array_len) -+ const u8 *tlv_array, u16 tlv_array_len) - { -- u8 *tlv = tlv_array, type, length, offset = 0; -+ const u8 *tlv = tlv_array; -+ u8 type, length, offset = 0; - - pr_debug("TLV array length %d\n", tlv_array_len); - -@@ -251,9 +252,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, - } - - int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, -- u8 *tlv_array, u16 tlv_array_len) -+ const u8 *tlv_array, u16 tlv_array_len) - { -- u8 *tlv = tlv_array, type, length, offset = 0; -+ const u8 *tlv = tlv_array; -+ u8 type, length, offset = 0; - - pr_debug("TLV array length %d\n", tlv_array_len); - -@@ -307,7 +309,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu, - return pdu; - } - --static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv, -+static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv, - u8 tlv_length) - { - /* XXX Add an skb length check */ -@@ -401,9 +403,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) - { - struct nfc_llcp_local *local; - struct sk_buff *skb; -- u8 *service_name_tlv = NULL, service_name_tlv_length; -- u8 *miux_tlv = NULL, miux_tlv_length; -- u8 *rw_tlv = NULL, rw_tlv_length, rw; -+ const u8 *service_name_tlv = NULL; -+ const u8 *miux_tlv = NULL; -+ const u8 *rw_tlv = NULL; -+ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; - int err; - u16 size = 0; - __be16 miux; -@@ -477,8 +480,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) - { - struct nfc_llcp_local *local; - struct sk_buff *skb; -- u8 *miux_tlv = NULL, miux_tlv_length; -- u8 *rw_tlv = NULL, rw_tlv_length, rw; -+ const u8 *miux_tlv = NULL; -+ const u8 *rw_tlv = NULL; -+ u8 miux_tlv_length, rw_tlv_length, rw; - int err; - u16 size = 0; - __be16 miux; -diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c -index 3290f2275b857..bdc1a9d0965af 100644 ---- a/net/nfc/llcp_core.c -+++ b/net/nfc/llcp_core.c -@@ -314,7 +314,7 @@ static char *wks[] = { - "urn:nfc:sn:snep", - }; - --static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) -+static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) - { - int sap, num_wks; - -@@ -338,7 +338,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) - - static - struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, -- u8 *sn, size_t sn_len) -+ const u8 *sn, size_t sn_len) - { - struct sock *sk; - struct nfc_llcp_sock *llcp_sock, *tmp_sock; -@@ -535,7 +535,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) - { - u8 *gb_cur, version, version_length; - u8 lto_length, wks_length, miux_length; -- u8 *version_tlv = NULL, *lto_tlv = NULL, -+ const u8 *version_tlv = NULL, *lto_tlv = NULL, - *wks_tlv = NULL, *miux_tlv = NULL; - __be16 wks = cpu_to_be16(local->local_wks); - u8 gb_len = 0; -@@ -625,7 +625,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) - return local->gb; - } - --int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) -+int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) - { - struct nfc_llcp_local *local; - -@@ -652,27 +652,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) - local->remote_gb_len - 3); - } - --static u8 nfc_llcp_dsap(struct sk_buff *pdu) -+static u8 nfc_llcp_dsap(const struct sk_buff *pdu) - { - return (pdu->data[0] & 0xfc) >> 2; - } - --static u8 nfc_llcp_ptype(struct sk_buff *pdu) -+static u8 nfc_llcp_ptype(const struct sk_buff *pdu) - { - return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6); - } - --static u8 nfc_llcp_ssap(struct sk_buff *pdu) -+static u8 nfc_llcp_ssap(const struct sk_buff *pdu) - { - return pdu->data[1] & 0x3f; - } - --static u8 nfc_llcp_ns(struct sk_buff *pdu) -+static u8 nfc_llcp_ns(const struct sk_buff *pdu) - { - return pdu->data[2] >> 4; - } - --static u8 nfc_llcp_nr(struct sk_buff *pdu) -+static u8 nfc_llcp_nr(const struct sk_buff *pdu) - { - return pdu->data[2] & 0xf; - } -@@ -814,7 +814,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local - } - - static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, -- u8 *sn, size_t sn_len) -+ const u8 *sn, size_t sn_len) - { - struct nfc_llcp_sock *llcp_sock; - -@@ -828,9 +828,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, - return llcp_sock; - } - --static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len) -+static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) - { -- u8 *tlv = &skb->data[2], type, length; -+ u8 type, length; -+ const u8 *tlv = &skb->data[2]; - size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0; - - while (offset < tlv_array_len) { -@@ -888,7 +889,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local, - } - - static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, -- struct sk_buff *skb) -+ const struct sk_buff *skb) - { - struct sock *new_sk, *parent; - struct nfc_llcp_sock *sock, *new_sock; -@@ -906,7 +907,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, - goto fail; - } - } else { -- u8 *sn; -+ const u8 *sn; - size_t sn_len; - - sn = nfc_llcp_connect_sn(skb, &sn_len); -@@ -1125,7 +1126,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, - } - - static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, -- struct sk_buff *skb) -+ const struct sk_buff *skb) - { - struct nfc_llcp_sock *llcp_sock; - struct sock *sk; -@@ -1168,7 +1169,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, - nfc_llcp_sock_put(llcp_sock); - } - --static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) -+static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, -+ const struct sk_buff *skb) - { - struct nfc_llcp_sock *llcp_sock; - struct sock *sk; -@@ -1201,7 +1203,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) - nfc_llcp_sock_put(llcp_sock); - } - --static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) -+static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, -+ const struct sk_buff *skb) - { - struct nfc_llcp_sock *llcp_sock; - struct sock *sk; -@@ -1239,12 +1242,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) - } - - static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, -- struct sk_buff *skb) -+ const struct sk_buff *skb) - { - struct nfc_llcp_sock *llcp_sock; -- u8 dsap, ssap, *tlv, type, length, tid, sap; -+ u8 dsap, ssap, type, length, tid, sap; -+ const u8 *tlv; - u16 tlv_len, offset; -- char *service_name; -+ const char *service_name; - size_t service_name_len; - struct nfc_llcp_sdp_tlv *sdp; - HLIST_HEAD(llc_sdres_list); -diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h -index 6c6f76b370b1e..c792165f523f1 100644 ---- a/net/nfc/nfc.h -+++ b/net/nfc/nfc.h -@@ -60,7 +60,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, - u8 comm_mode, u8 rf_mode); - int nfc_llcp_register_device(struct nfc_dev *dev); - void nfc_llcp_unregister_device(struct nfc_dev *dev); --int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len); -+int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); - u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); - int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); - struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); --- -2.39.2 - diff --git a/queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch deleted file mode 100644 index 11ed79bf3e6..00000000000 --- a/queue-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 994bdd8700413b10cf79b929542fa04709405edc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 13 May 2023 13:52:04 +0200 -Subject: nfc: llcp: fix possible use of uninitialized variable in - nfc_llcp_send_connect() - -From: Krzysztof Kozlowski - -[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ] - -If sock->service_name is NULL, the local variable -service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(), -later leading to using value frmo the stack. Smatch warning: - - net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'. - -Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()") -Signed-off-by: Krzysztof Kozlowski -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/nfc/llcp_commands.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c -index 6dcad7bcf20bb..737c7aa384f44 100644 ---- a/net/nfc/llcp_commands.c -+++ b/net/nfc/llcp_commands.c -@@ -406,7 +406,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) - const u8 *service_name_tlv = NULL; - const u8 *miux_tlv = NULL; - const u8 *rw_tlv = NULL; -- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; -+ u8 service_name_tlv_length = 0; -+ u8 miux_tlv_length, rw_tlv_length, rw; - int err; - u16 size = 0; - __be16 miux; --- -2.39.2 - diff --git a/queue-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch b/queue-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch deleted file mode 100644 index 2b26b53577f..00000000000 --- a/queue-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 58f5d894006d82ed7335e1c37182fbc5f08c2f51 Mon Sep 17 00:00:00 2001 -From: Dai Ngo -Date: Tue, 6 Jun 2023 16:41:02 -0700 -Subject: NFSD: add encoding of op_recall flag for write delegation - -From: Dai Ngo - -commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream. - -Modified nfsd4_encode_open to encode the op_recall flag properly -for OPEN result with write delegation granted. - -Signed-off-by: Dai Ngo -Reviewed-by: Jeff Layton -Signed-off-by: Chuck Lever -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - fs/nfsd/nfs4xdr.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/fs/nfsd/nfs4xdr.c -+++ b/fs/nfsd/nfs4xdr.c -@@ -3403,7 +3403,7 @@ nfsd4_encode_open(struct nfsd4_compoundr - p = xdr_reserve_space(xdr, 32); - if (!p) - return nfserr_resource; -- *p++ = cpu_to_be32(0); -+ *p++ = cpu_to_be32(open->op_recall); - - /* - * TODO: space_limit's in delegations diff --git a/queue-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/queue-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch deleted file mode 100644 index 50404b9a780..00000000000 --- a/queue-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 5d7e064f00a219bea355726f35ad8949bc616514 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 5 Nov 2022 09:43:09 +0000 -Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init() - -From: Yuan Can - -[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ] - -A problem about ntb_hw_amd create debugfs failed is triggered with the -following log given: - - [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 - [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! - -The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() -directly without checking its return value, if pci_register_driver() -failed, it returns without destroy the newly created debugfs, resulting -the debugfs of ntb_hw_amd can never be created later. - - amd_ntb_pci_driver_init() - debugfs_create_dir() # create debugfs directory - pci_register_driver() - driver_register() - bus_add_driver() - priv = kzalloc(...) # OOM happened - # return without destroy debugfs directory - -Fix by removing debugfs when pci_register_driver() returns error. - -Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") -Signed-off-by: Yuan Can -Signed-off-by: Jon Mason -Signed-off-by: Sasha Levin ---- - drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c -index 0b1fbb5dba9b6..7de7616803935 100644 ---- a/drivers/ntb/hw/amd/ntb_hw_amd.c -+++ b/drivers/ntb/hw/amd/ntb_hw_amd.c -@@ -1139,12 +1139,17 @@ static struct pci_driver amd_ntb_pci_driver = { - - static int __init amd_ntb_pci_driver_init(void) - { -+ int ret; - pr_info("%s %s\n", NTB_DESC, NTB_VER); - - if (debugfs_initialized()) - debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); - -- return pci_register_driver(&amd_ntb_pci_driver); -+ ret = pci_register_driver(&amd_ntb_pci_driver); -+ if (ret) -+ debugfs_remove_recursive(debugfs_dir); -+ -+ return ret; - } - module_init(amd_ntb_pci_driver_init); - --- -2.39.2 - diff --git a/queue-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/queue-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch deleted file mode 100644 index 2613d7d0cfa..00000000000 --- a/queue-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 6c414abbd187488cca9dedbfb323305e19628e74 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 5 Nov 2022 09:43:01 +0000 -Subject: ntb: idt: Fix error handling in idt_pci_driver_init() - -From: Yuan Can - -[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ] - -A problem about ntb_hw_idt create debugfs failed is triggered with the -following log given: - - [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 - [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! - -The reason is that idt_pci_driver_init() returns pci_register_driver() -directly without checking its return value, if pci_register_driver() -failed, it returns without destroy the newly created debugfs, resulting -the debugfs of ntb_hw_idt can never be created later. - - idt_pci_driver_init() - debugfs_create_dir() # create debugfs directory - pci_register_driver() - driver_register() - bus_add_driver() - priv = kzalloc(...) # OOM happened - # return without destroy debugfs directory - -Fix by removing debugfs when pci_register_driver() returns error. - -Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") -Signed-off-by: Yuan Can -Signed-off-by: Jon Mason -Signed-off-by: Sasha Levin ---- - drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c -index a67ef23e81bca..82e08f583980b 100644 ---- a/drivers/ntb/hw/idt/ntb_hw_idt.c -+++ b/drivers/ntb/hw/idt/ntb_hw_idt.c -@@ -2692,6 +2692,7 @@ static struct pci_driver idt_pci_driver = { - - static int __init idt_pci_driver_init(void) - { -+ int ret; - pr_info("%s %s\n", NTB_DESC, NTB_VER); - - /* Create the top DebugFS directory if the FS is initialized */ -@@ -2699,7 +2700,11 @@ static int __init idt_pci_driver_init(void) - dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); - - /* Register the NTB hardware driver to handle the PCI device */ -- return pci_register_driver(&idt_pci_driver); -+ ret = pci_register_driver(&idt_pci_driver); -+ if (ret) -+ debugfs_remove_recursive(dbgfs_topdir); -+ -+ return ret; - } - module_init(idt_pci_driver_init); - --- -2.39.2 - diff --git a/queue-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/queue-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch deleted file mode 100644 index e1e8747c123..00000000000 --- a/queue-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 358aa040c10230eb3cb6ebcf84c9dfe99ded0948 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 5 Nov 2022 09:43:22 +0000 -Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init() - -From: Yuan Can - -[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ] - -A problem about ntb_hw_intel create debugfs failed is triggered with the -following log given: - - [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 - [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! - -The reason is that intel_ntb_pci_driver_init() returns -pci_register_driver() directly without checking its return value, if -pci_register_driver() failed, it returns without destroy the newly created -debugfs, resulting the debugfs of ntb_hw_intel can never be created later. - - intel_ntb_pci_driver_init() - debugfs_create_dir() # create debugfs directory - pci_register_driver() - driver_register() - bus_add_driver() - priv = kzalloc(...) # OOM happened - # return without destroy debugfs directory - -Fix by removing debugfs when pci_register_driver() returns error. - -Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") -Signed-off-by: Yuan Can -Acked-by: Dave Jiang -Signed-off-by: Jon Mason -Signed-off-by: Sasha Levin ---- - drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c -index 2ad263f708da7..084bd1d1ac1dc 100644 ---- a/drivers/ntb/hw/intel/ntb_hw_gen1.c -+++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c -@@ -2052,12 +2052,17 @@ static struct pci_driver intel_ntb_pci_driver = { - - static int __init intel_ntb_pci_driver_init(void) - { -+ int ret; - pr_info("%s %s\n", NTB_DESC, NTB_VER); - - if (debugfs_initialized()) - debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); - -- return pci_register_driver(&intel_ntb_pci_driver); -+ ret = pci_register_driver(&intel_ntb_pci_driver); -+ if (ret) -+ debugfs_remove_recursive(debugfs_dir); -+ -+ return ret; - } - module_init(intel_ntb_pci_driver_init); - --- -2.39.2 - diff --git a/queue-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/queue-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch deleted file mode 100644 index eb80d5ff7cf..00000000000 --- a/queue-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f72bc20308a55f4ea33714c839246367d246b89d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 22 Nov 2022 11:32:44 +0800 -Subject: NTB: ntb_tool: Add check for devm_kcalloc - -From: Jiasheng Jiang - -[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ] - -As the devm_kcalloc may return NULL pointer, -it should be better to add check for the return -value, as same as the others. - -Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") -Signed-off-by: Jiasheng Jiang -Reviewed-by: Serge Semin -Reviewed-by: Dave Jiang -Signed-off-by: Jon Mason -Signed-off-by: Sasha Levin ---- - drivers/ntb/test/ntb_tool.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c -index 6301aa413c3b8..1f64146546221 100644 ---- a/drivers/ntb/test/ntb_tool.c -+++ b/drivers/ntb/test/ntb_tool.c -@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) - tc->peers[pidx].outmws = - devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, - sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); -+ if (tc->peers[pidx].outmws == NULL) -+ return -ENOMEM; - - for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { - tc->peers[pidx].outmws[widx].pidx = pidx; --- -2.39.2 - diff --git a/queue-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/queue-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch deleted file mode 100644 index 8fd7c5128b6..00000000000 --- a/queue-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 7b07412afefa9dcd30ba063fc844a1f2104b6fae Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 10 Nov 2022 23:19:17 +0800 -Subject: NTB: ntb_transport: fix possible memory leak while device_register() - fails - -From: Yang Yingliang - -[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ] - -If device_register() returns error, the name allocated by -dev_set_name() need be freed. As comment of device_register() -says, it should use put_device() to give up the reference in -the error path. So fix this by calling put_device(), then the -name can be freed in kobject_cleanup(), and client_dev is freed -in ntb_transport_client_release(). - -Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") -Signed-off-by: Yang Yingliang -Reviewed-by: Dave Jiang -Signed-off-by: Jon Mason -Signed-off-by: Sasha Levin ---- - drivers/ntb/ntb_transport.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c -index 9398959664769..2d647a1cd0ee5 100644 ---- a/drivers/ntb/ntb_transport.c -+++ b/drivers/ntb/ntb_transport.c -@@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name) - - rc = device_register(dev); - if (rc) { -- kfree(client_dev); -+ put_device(dev); - goto err; - } - --- -2.39.2 - diff --git a/queue-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch b/queue-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch deleted file mode 100644 index 31ae4684215..00000000000 --- a/queue-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001 -From: Robin Murphy -Date: Wed, 7 Jun 2023 18:18:47 +0100 -Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 - -From: Robin Murphy - -commit 88d341716b83abd355558523186ca488918627ee upstream. - -Marvell's own product brief implies the 92xx series are a closely related -family, and sure enough it turns out that 9235 seems to need the same quirk -as the other three, although possibly only when certain ports are used. - -Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/ -Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com -Reported-by: Jason Adriaanse -Signed-off-by: Robin Murphy -Signed-off-by: Bjorn Helgaas -Reviewed-by: Christoph Hellwig -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/quirks.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -4074,6 +4074,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M - /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, - quirk_dma_func1_alias); -+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235, -+ quirk_dma_func1_alias); - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642, - quirk_dma_func1_alias); - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645, diff --git a/queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch deleted file mode 100644 index d1f2b4cef8e..00000000000 --- a/queue-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 6c18e9d066dee0688410a364ac9344b0379068e1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 31 May 2023 18:27:44 +0800 -Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI - -From: Sui Jingfeng - -[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ] - -Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that -support both PCI and platform devices don't need #ifdefs or extra Kconfig -symbols for the PCI parts. - -[bhelgaas: commit log] -Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()") -Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn -Signed-off-by: Sui Jingfeng -Signed-off-by: Bjorn Helgaas -Reviewed-by: Geert Uytterhoeven -Signed-off-by: Sasha Levin ---- - include/linux/pci.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/linux/pci.h b/include/linux/pci.h -index 3e06e9790c255..1d1b0bfd51968 100644 ---- a/include/linux/pci.h -+++ b/include/linux/pci.h -@@ -1643,6 +1643,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class, - #define pci_dev_put(dev) do { } while (0) - - static inline void pci_set_master(struct pci_dev *dev) { } -+static inline void pci_clear_master(struct pci_dev *dev) { } - static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; } - static inline void pci_disable_device(struct pci_dev *dev) { } - static inline int pci_assign_resource(struct pci_dev *dev, int i) --- -2.39.2 - diff --git a/queue-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch b/queue-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch deleted file mode 100644 index 2a67c529051..00000000000 --- a/queue-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 Mon Sep 17 00:00:00 2001 -From: Ondrej Zary -Date: Wed, 14 Jun 2023 09:42:53 +0200 -Subject: PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold - -From: Ondrej Zary - -commit 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 upstream. - -The quirk for Elo i2 introduced in commit 92597f97a40b ("PCI/PM: Avoid -putting Elo i2 PCIe Ports in D3cold") is also needed by EloPOS E2/S2/H2 -which uses the same Continental Z2 board. - -Change the quirk to match the board instead of system. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=215715 -Link: https://lore.kernel.org/r/20230614074253.22318-1-linux@zary.sk -Signed-off-by: Ondrej Zary -Signed-off-by: Bjorn Helgaas -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/pci.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - ---- a/drivers/pci/pci.c -+++ b/drivers/pci/pci.c -@@ -2521,13 +2521,13 @@ static const struct dmi_system_id bridge - { - /* - * Downstream device is not accessible after putting a root port -- * into D3cold and back into D0 on Elo i2. -+ * into D3cold and back into D0 on Elo Continental Z2 board - */ -- .ident = "Elo i2", -+ .ident = "Elo Continental Z2", - .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Elo Touch Solutions"), -- DMI_MATCH(DMI_PRODUCT_NAME, "Elo i2"), -- DMI_MATCH(DMI_PRODUCT_VERSION, "RevB"), -+ DMI_MATCH(DMI_BOARD_VENDOR, "Elo Touch Solutions"), -+ DMI_MATCH(DMI_BOARD_NAME, "Geminilake"), -+ DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"), - }, - }, - #endif diff --git a/queue-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch b/queue-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch deleted file mode 100644 index 5279a396ce6..00000000000 --- a/queue-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a33d700e8eea76c62120cb3dbf5e01328f18319a Mon Sep 17 00:00:00 2001 -From: Manivannan Sadhasivam -Date: Mon, 19 Jun 2023 20:34:00 +0530 -Subject: PCI: qcom: Disable write access to read only registers for IP v2.3.3 - -From: Manivannan Sadhasivam - -commit a33d700e8eea76c62120cb3dbf5e01328f18319a upstream. - -In the post init sequence of v2.9.0, write access to read only registers -are not disabled after updating the registers. Fix it by disabling the -access after register update. - -Link: https://lore.kernel.org/r/20230619150408.8468-2-manivannan.sadhasivam@linaro.org -Fixes: 5d76117f070d ("PCI: qcom: Add support for IPQ8074 PCIe controller") -Signed-off-by: Manivannan Sadhasivam -Signed-off-by: Lorenzo Pieralisi -Cc: -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/controller/dwc/pcie-qcom.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/pci/controller/dwc/pcie-qcom.c -+++ b/drivers/pci/controller/dwc/pcie-qcom.c -@@ -758,6 +758,8 @@ static int qcom_pcie_get_resources_2_4_0 - if (IS_ERR(res->phy_ahb_reset)) - return PTR_ERR(res->phy_ahb_reset); - -+ dw_pcie_dbi_ro_wr_dis(pci); -+ - return 0; - } - diff --git a/queue-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch b/queue-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch deleted file mode 100644 index 4dfcd00274a..00000000000 --- a/queue-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 Mon Sep 17 00:00:00 2001 -From: Rick Wertenbroek -Date: Tue, 18 Apr 2023 09:46:51 +0200 -Subject: PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked - -From: Rick Wertenbroek - -commit 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 upstream. - -The RK3399 PCIe controller should wait until the PHY PLLs are locked. -Add poll and timeout to wait for PHY PLLs to be locked. If they cannot -be locked generate error message and jump to error handler. Accessing -registers in the PHY clock domain when PLLs are not locked causes hang -The PHY PLLs status is checked through a side channel register. -This is documented in the TRM section 17.5.8.1 "PCIe Initialization -Sequence". - -Link: https://lore.kernel.org/r/20230418074700.1083505-5-rick.wertenbroek@gmail.com -Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") -Tested-by: Damien Le Moal -Signed-off-by: Rick Wertenbroek -Signed-off-by: Lorenzo Pieralisi -Reviewed-by: Damien Le Moal -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/controller/pcie-rockchip.c | 17 +++++++++++++++++ - drivers/pci/controller/pcie-rockchip.h | 2 ++ - 2 files changed, 19 insertions(+) - ---- a/drivers/pci/controller/pcie-rockchip.c -+++ b/drivers/pci/controller/pcie-rockchip.c -@@ -14,6 +14,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -154,6 +155,12 @@ int rockchip_pcie_parse_dt(struct rockch - } - EXPORT_SYMBOL_GPL(rockchip_pcie_parse_dt); - -+#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr) -+/* 100 ms max wait time for PHY PLLs to lock */ -+#define RK_PHY_PLL_LOCK_TIMEOUT_US 100000 -+/* Sleep should be less than 20ms */ -+#define RK_PHY_PLL_LOCK_SLEEP_US 1000 -+ - int rockchip_pcie_init_port(struct rockchip_pcie *rockchip) - { - struct device *dev = rockchip->dev; -@@ -255,6 +262,16 @@ int rockchip_pcie_init_port(struct rockc - } - } - -+ err = readx_poll_timeout(rockchip_pcie_read_addr, -+ PCIE_CLIENT_SIDE_BAND_STATUS, -+ regs, !(regs & PCIE_CLIENT_PHY_ST), -+ RK_PHY_PLL_LOCK_SLEEP_US, -+ RK_PHY_PLL_LOCK_TIMEOUT_US); -+ if (err) { -+ dev_err(dev, "PHY PLLs could not lock, %d\n", err); -+ goto err_power_off_phy; -+ } -+ - /* - * Please don't reorder the deassert sequence of the following - * four reset pins. ---- a/drivers/pci/controller/pcie-rockchip.h -+++ b/drivers/pci/controller/pcie-rockchip.h -@@ -37,6 +37,8 @@ - #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) - #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) - #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) -+#define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) -+#define PCIE_CLIENT_PHY_ST BIT(12) - #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) - #define PCIE_CLIENT_DEBUG_LTSSM_MASK GENMASK(5, 0) - #define PCIE_CLIENT_DEBUG_LTSSM_L1 0x18 diff --git a/queue-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch b/queue-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch deleted file mode 100644 index 40b24130c7a..00000000000 --- a/queue-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch +++ /dev/null @@ -1,40 +0,0 @@ -From f397fd4ac1fa3afcabd8cee030f953ccaed2a364 Mon Sep 17 00:00:00 2001 -From: Rick Wertenbroek -Date: Tue, 18 Apr 2023 09:46:50 +0200 -Subject: PCI: rockchip: Assert PCI Configuration Enable bit after probe - -From: Rick Wertenbroek - -commit f397fd4ac1fa3afcabd8cee030f953ccaed2a364 upstream. - -Assert PCI Configuration Enable bit after probe. When this bit is left to -0 in the endpoint mode, the RK3399 PCIe endpoint core will generate -configuration request retry status (CRS) messages back to the root complex. -Assert this bit after probe to allow the RK3399 PCIe endpoint core to reply -to configuration requests from the root complex. -This is documented in section 17.5.8.1.2 of the RK3399 TRM. - -Link: https://lore.kernel.org/r/20230418074700.1083505-4-rick.wertenbroek@gmail.com -Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") -Tested-by: Damien Le Moal -Signed-off-by: Rick Wertenbroek -Signed-off-by: Lorenzo Pieralisi -Reviewed-by: Damien Le Moal -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/controller/pcie-rockchip-ep.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/pci/controller/pcie-rockchip-ep.c -+++ b/drivers/pci/controller/pcie-rockchip-ep.c -@@ -620,6 +620,9 @@ static int rockchip_pcie_ep_probe(struct - - ep->irq_pci_addr = ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR; - -+ rockchip_pcie_write(rockchip, PCIE_CLIENT_CONF_ENABLE, -+ PCIE_CLIENT_CONFIG); -+ - return 0; - err_epc_mem_exit: - pci_epc_mem_exit(epc); diff --git a/queue-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch b/queue-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch deleted file mode 100644 index 91128349f15..00000000000 --- a/queue-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 166e89d99dd85a856343cca51eee781b793801f2 Mon Sep 17 00:00:00 2001 -From: Rick Wertenbroek -Date: Tue, 18 Apr 2023 09:46:54 +0200 -Subject: PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core - -From: Rick Wertenbroek - -commit 166e89d99dd85a856343cca51eee781b793801f2 upstream. - -Fix legacy IRQ generation for RK3399 PCIe endpoint core according to -the technical reference manual (TRM). Assert and deassert legacy -interrupt (INTx) through the legacy interrupt control register -("PCIE_CLIENT_LEGACY_INT_CTRL") instead of manually generating a PCIe -message. The generation of the legacy interrupt was tested and validated -with the PCIe endpoint test driver. - -Link: https://lore.kernel.org/r/20230418074700.1083505-8-rick.wertenbroek@gmail.com -Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") -Tested-by: Damien Le Moal -Signed-off-by: Rick Wertenbroek -Signed-off-by: Lorenzo Pieralisi -Reviewed-by: Damien Le Moal -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/controller/pcie-rockchip-ep.c | 45 +++++++----------------------- - drivers/pci/controller/pcie-rockchip.h | 6 +++- - 2 files changed, 16 insertions(+), 35 deletions(-) - ---- a/drivers/pci/controller/pcie-rockchip-ep.c -+++ b/drivers/pci/controller/pcie-rockchip-ep.c -@@ -346,48 +346,25 @@ static int rockchip_pcie_ep_get_msi(stru - } - - static void rockchip_pcie_ep_assert_intx(struct rockchip_pcie_ep *ep, u8 fn, -- u8 intx, bool is_asserted) -+ u8 intx, bool do_assert) - { - struct rockchip_pcie *rockchip = &ep->rockchip; -- u32 r = ep->max_regions - 1; -- u32 offset; -- u32 status; -- u8 msg_code; -- -- if (unlikely(ep->irq_pci_addr != ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR || -- ep->irq_pci_fn != fn)) { -- rockchip_pcie_prog_ep_ob_atu(rockchip, fn, r, -- AXI_WRAPPER_NOR_MSG, -- ep->irq_phys_addr, 0, 0); -- ep->irq_pci_addr = ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR; -- ep->irq_pci_fn = fn; -- } - - intx &= 3; -- if (is_asserted) { -+ -+ if (do_assert) { - ep->irq_pending |= BIT(intx); -- msg_code = ROCKCHIP_PCIE_MSG_CODE_ASSERT_INTA + intx; -+ rockchip_pcie_write(rockchip, -+ PCIE_CLIENT_INT_IN_ASSERT | -+ PCIE_CLIENT_INT_PEND_ST_PEND, -+ PCIE_CLIENT_LEGACY_INT_CTRL); - } else { - ep->irq_pending &= ~BIT(intx); -- msg_code = ROCKCHIP_PCIE_MSG_CODE_DEASSERT_INTA + intx; -+ rockchip_pcie_write(rockchip, -+ PCIE_CLIENT_INT_IN_DEASSERT | -+ PCIE_CLIENT_INT_PEND_ST_NORMAL, -+ PCIE_CLIENT_LEGACY_INT_CTRL); - } -- -- status = rockchip_pcie_read(rockchip, -- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + -- ROCKCHIP_PCIE_EP_CMD_STATUS); -- status &= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; -- -- if ((status != 0) ^ (ep->irq_pending != 0)) { -- status ^= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; -- rockchip_pcie_write(rockchip, status, -- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + -- ROCKCHIP_PCIE_EP_CMD_STATUS); -- } -- -- offset = -- ROCKCHIP_PCIE_MSG_ROUTING(ROCKCHIP_PCIE_MSG_ROUTING_LOCAL_INTX) | -- ROCKCHIP_PCIE_MSG_CODE(msg_code) | ROCKCHIP_PCIE_MSG_NO_DATA; -- writel(0, ep->irq_cpu_addr + offset); - } - - static int rockchip_pcie_ep_send_legacy_irq(struct rockchip_pcie_ep *ep, u8 fn, ---- a/drivers/pci/controller/pcie-rockchip.h -+++ b/drivers/pci/controller/pcie-rockchip.h -@@ -37,6 +37,11 @@ - #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) - #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) - #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) -+#define PCIE_CLIENT_LEGACY_INT_CTRL (PCIE_CLIENT_BASE + 0x0c) -+#define PCIE_CLIENT_INT_IN_ASSERT HIWORD_UPDATE_BIT(0x0002) -+#define PCIE_CLIENT_INT_IN_DEASSERT HIWORD_UPDATE(0x0002, 0) -+#define PCIE_CLIENT_INT_PEND_ST_PEND HIWORD_UPDATE_BIT(0x0001) -+#define PCIE_CLIENT_INT_PEND_ST_NORMAL HIWORD_UPDATE(0x0001, 0) - #define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) - #define PCIE_CLIENT_PHY_ST BIT(12) - #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) -@@ -234,7 +239,6 @@ - #define ROCKCHIP_PCIE_EP_MSI_CTRL_ME BIT(16) - #define ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24) - #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1 --#define ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR 0x3 - #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12)) - #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \ - (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008) diff --git a/queue-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch b/queue-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch deleted file mode 100644 index 8efd0dcdc05..00000000000 --- a/queue-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 8962b2cb39119cbda4fc69a1f83957824f102f81 Mon Sep 17 00:00:00 2001 -From: Rick Wertenbroek -Date: Tue, 18 Apr 2023 09:46:56 +0200 -Subject: PCI: rockchip: Use u32 variable to access 32-bit registers - -From: Rick Wertenbroek - -commit 8962b2cb39119cbda4fc69a1f83957824f102f81 upstream. - -Previously u16 variables were used to access 32-bit registers, this -resulted in not all of the data being read from the registers. Also -the left shift of more than 16-bits would result in moving data out -of the variable. Use u32 variables to access 32-bit registers - -Link: https://lore.kernel.org/r/20230418074700.1083505-10-rick.wertenbroek@gmail.com -Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") -Tested-by: Damien Le Moal -Signed-off-by: Rick Wertenbroek -Signed-off-by: Lorenzo Pieralisi -Reviewed-by: Damien Le Moal -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/controller/pcie-rockchip-ep.c | 10 +++++----- - drivers/pci/controller/pcie-rockchip.h | 1 + - 2 files changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/pci/controller/pcie-rockchip-ep.c -+++ b/drivers/pci/controller/pcie-rockchip-ep.c -@@ -313,15 +313,15 @@ static int rockchip_pcie_ep_set_msi(stru - { - struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); - struct rockchip_pcie *rockchip = &ep->rockchip; -- u16 flags; -+ u32 flags; - - flags = rockchip_pcie_read(rockchip, - ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + - ROCKCHIP_PCIE_EP_MSI_CTRL_REG); - flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK; - flags |= -- ((multi_msg_cap << 1) << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | -- PCI_MSI_FLAGS_64BIT; -+ (multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | -+ (PCI_MSI_FLAGS_64BIT << ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET); - flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP; - rockchip_pcie_write(rockchip, flags, - ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + -@@ -333,7 +333,7 @@ static int rockchip_pcie_ep_get_msi(stru - { - struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); - struct rockchip_pcie *rockchip = &ep->rockchip; -- u16 flags; -+ u32 flags; - - flags = rockchip_pcie_read(rockchip, - ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + -@@ -394,7 +394,7 @@ static int rockchip_pcie_ep_send_msi_irq - u8 interrupt_num) - { - struct rockchip_pcie *rockchip = &ep->rockchip; -- u16 flags, mme, data, data_mask; -+ u32 flags, mme, data, data_mask; - u8 msi_count; - u64 pci_addr, pci_addr_mask = 0xff; - ---- a/drivers/pci/controller/pcie-rockchip.h -+++ b/drivers/pci/controller/pcie-rockchip.h -@@ -232,6 +232,7 @@ - #define ROCKCHIP_PCIE_EP_CMD_STATUS 0x4 - #define ROCKCHIP_PCIE_EP_CMD_STATUS_IS BIT(19) - #define ROCKCHIP_PCIE_EP_MSI_CTRL_REG 0x90 -+#define ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET 16 - #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET 17 - #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK GENMASK(19, 17) - #define ROCKCHIP_PCIE_EP_MSI_CTRL_MME_OFFSET 20 diff --git a/queue-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch b/queue-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch deleted file mode 100644 index e0393daa2ca..00000000000 --- a/queue-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 1f1c42ece18de365c976a060f3c8eb481b038e3a Mon Sep 17 00:00:00 2001 -From: Rick Wertenbroek -Date: Tue, 18 Apr 2023 09:46:49 +0200 -Subject: PCI: rockchip: Write PCI Device ID to correct register - -From: Rick Wertenbroek - -commit 1f1c42ece18de365c976a060f3c8eb481b038e3a upstream. - -Write PCI Device ID (DID) to the correct register. The Device ID was not -updated through the correct register. Device ID was written to a read-only -register and therefore did not work. The Device ID is now set through the -correct register. This is documented in the RK3399 TRM section 17.6.6.1.1 - -Link: https://lore.kernel.org/r/20230418074700.1083505-3-rick.wertenbroek@gmail.com -Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") -Tested-by: Damien Le Moal -Signed-off-by: Rick Wertenbroek -Signed-off-by: Lorenzo Pieralisi -Reviewed-by: Damien Le Moal -Cc: stable@vger.kernel.org -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pci/controller/pcie-rockchip-ep.c | 6 ++++-- - drivers/pci/controller/pcie-rockchip.h | 2 ++ - 2 files changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/pci/controller/pcie-rockchip-ep.c -+++ b/drivers/pci/controller/pcie-rockchip-ep.c -@@ -124,6 +124,7 @@ static void rockchip_pcie_prog_ep_ob_atu - static int rockchip_pcie_ep_write_header(struct pci_epc *epc, u8 fn, - struct pci_epf_header *hdr) - { -+ u32 reg; - struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); - struct rockchip_pcie *rockchip = &ep->rockchip; - -@@ -136,8 +137,9 @@ static int rockchip_pcie_ep_write_header - PCIE_CORE_CONFIG_VENDOR); - } - -- rockchip_pcie_write(rockchip, hdr->deviceid << 16, -- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + PCI_VENDOR_ID); -+ reg = rockchip_pcie_read(rockchip, PCIE_EP_CONFIG_DID_VID); -+ reg = (reg & 0xFFFF) | (hdr->deviceid << 16); -+ rockchip_pcie_write(rockchip, reg, PCIE_EP_CONFIG_DID_VID); - - rockchip_pcie_write(rockchip, - hdr->revid | ---- a/drivers/pci/controller/pcie-rockchip.h -+++ b/drivers/pci/controller/pcie-rockchip.h -@@ -132,6 +132,8 @@ - #define PCIE_RC_RP_ATS_BASE 0x400000 - #define PCIE_RC_CONFIG_NORMAL_BASE 0x800000 - #define PCIE_RC_CONFIG_BASE 0xa00000 -+#define PCIE_EP_CONFIG_BASE 0xa00000 -+#define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00) - #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08) - #define PCIE_RC_CONFIG_SCC_SHIFT 16 - #define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4) diff --git a/queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch deleted file mode 100644 index 8e17d476da1..00000000000 --- a/queue-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 1305047881df831eb992b45f8488e5dbc824694f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 12 Jun 2023 16:41:01 -0700 -Subject: perf dwarf-aux: Fix off-by-one in die_get_varname() - -From: Namhyung Kim - -[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ] - -The die_get_varname() returns "(unknown_type)" string if it failed to -find a type for the variable. But it had a space before the opening -parenthesis and it made the closing parenthesis cut off due to the -off-by-one in the string length (14). - -Signed-off-by: Namhyung Kim -Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method") -Cc: Adrian Hunter -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Masami Hiramatsu -Cc: Peter Zijlstra -Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/util/dwarf-aux.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c -index 6de57d9ee7cc2..db099dc20a682 100644 ---- a/tools/perf/util/dwarf-aux.c -+++ b/tools/perf/util/dwarf-aux.c -@@ -1020,7 +1020,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf) - ret = die_get_typename(vr_die, buf); - if (ret < 0) { - pr_debug("Failed to get type, make it unknown.\n"); -- ret = strbuf_add(buf, " (unknown_type)", 14); -+ ret = strbuf_add(buf, "(unknown_type)", 14); - } - - return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die)); --- -2.39.2 - diff --git a/queue-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch b/queue-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch deleted file mode 100644 index 5170066b0de..00000000000 --- a/queue-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 430635a0ef1ce958b7b4311f172694ece2c692b8 Mon Sep 17 00:00:00 2001 -From: Adrian Hunter -Date: Mon, 3 Apr 2023 18:48:31 +0300 -Subject: perf intel-pt: Fix CYC timestamps after standalone CBR - -From: Adrian Hunter - -commit 430635a0ef1ce958b7b4311f172694ece2c692b8 upstream. - -After a standalone CBR (not associated with TSC), update the cycles -reference timestamp and reset the cycle count, so that CYC timestamps -are calculated relative to that point with the new frequency. - -Fixes: cc33618619cefc6d ("perf tools: Add Intel PT support for decoding CYC packets") -Signed-off-by: Adrian Hunter -Cc: Adrian Hunter -Cc: Ian Rogers -Cc: Jiri Olsa -Cc: Namhyung Kim -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230403154831.8651-2-adrian.hunter@intel.com -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Adrian Hunter -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c -+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c -@@ -1499,6 +1499,8 @@ static void intel_pt_calc_cbr(struct int - - decoder->cbr = cbr; - decoder->cbr_cyc_to_tsc = decoder->max_non_turbo_ratio_fp / cbr; -+ decoder->cyc_ref_timestamp = decoder->timestamp; -+ decoder->cycle_cnt = 0; - } - - static void intel_pt_calc_cyc_timestamp(struct intel_pt_decoder *decoder) diff --git a/queue-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/queue-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch deleted file mode 100644 index ac282bd2634..00000000000 --- a/queue-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Georg=20M=C3=BCller?= -Date: Wed, 28 Jun 2023 10:45:50 +0200 -Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Georg Müller - -commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. - -This patch adds a test to validate that 'perf probe' works for binaries -where DWARF info is split into multiple CUs - -Signed-off-by: Georg Müller -Acked-by: Masami Hiramatsu (Google) -Cc: Adrian Hunter -Cc: Alexander Shishkin -Cc: Ian Rogers -Cc: Ingo Molnar -Cc: Jiri Olsa -Cc: Mark Rutland -Cc: Namhyung Kim -Cc: Peter Zijlstra -Cc: regressions@lists.linux.dev -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Greg Kroah-Hartman ---- - tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ - 1 file changed, 77 insertions(+) - create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh - ---- /dev/null -+++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh -@@ -0,0 +1,77 @@ -+#!/bin/bash -+# test perf probe of function from different CU -+# SPDX-License-Identifier: GPL-2.0 -+ -+set -e -+ -+temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) -+ -+cleanup() -+{ -+ trap - EXIT TERM INT -+ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then -+ echo "--- Cleaning up ---" -+ perf probe -x ${temp_dir}/testfile -d foo -+ rm -f "${temp_dir}/"* -+ rmdir "${temp_dir}" -+ fi -+} -+ -+trap_cleanup() -+{ -+ cleanup -+ exit 1 -+} -+ -+trap trap_cleanup EXIT TERM INT -+ -+cat > ${temp_dir}/testfile-foo.h << EOF -+struct t -+{ -+ int *p; -+ int c; -+}; -+ -+extern int foo (int i, struct t *t); -+EOF -+ -+cat > ${temp_dir}/testfile-foo.c << EOF -+#include "testfile-foo.h" -+ -+int -+foo (int i, struct t *t) -+{ -+ int j, res = 0; -+ for (j = 0; j < i && j < t->c; j++) -+ res += t->p[j]; -+ -+ return res; -+} -+EOF -+ -+cat > ${temp_dir}/testfile-main.c << EOF -+#include "testfile-foo.h" -+ -+static struct t g; -+ -+int -+main (int argc, char **argv) -+{ -+ int i; -+ int j[argc]; -+ g.c = argc; -+ g.p = j; -+ for (i = 0; i < argc; i++) -+ j[i] = (int) argv[i][0]; -+ return foo (3, &g); -+} -+EOF -+ -+gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o -+gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o -+gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o -+ -+perf probe -x ${temp_dir}/testfile --funcs foo -+perf probe -x ${temp_dir}/testfile foo -+ -+cleanup diff --git a/queue-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch b/queue-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch deleted file mode 100644 index 00a6ce430b2..00000000000 --- a/queue-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 968ab9261627fa305307e3935ca1a32fcddd36cb Mon Sep 17 00:00:00 2001 -From: Mario Limonciello -Date: Fri, 21 Apr 2023 07:06:21 -0500 -Subject: pinctrl: amd: Detect internal GPIO0 debounce handling - -From: Mario Limonciello - -commit 968ab9261627fa305307e3935ca1a32fcddd36cb upstream. - -commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") -had a mistake in loop iteration 63 that it would clear offset 0xFC instead -of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was -clearing bits 13 and 15 from the register which significantly changed the -expected handling for some platforms for GPIO0. - -commit b26cd9325be4 ("pinctrl: amd: Disable and mask interrupts on resume") -actually fixed this bug, but lead to regressions on Lenovo Z13 and some -other systems. This is because there was no handling in the driver for bit -15 debounce behavior. - -Quoting a public BKDG: -``` -EnWinBlueBtn. Read-write. Reset: 0. 0=GPIO0 detect debounced power button; -Power button override is 4 seconds. 1=GPIO0 detect debounced power button -in S3/S5/S0i3, and detect "pressed less than 2 seconds" and "pressed 2~10 -seconds" in S0; Power button override is 10 seconds -``` - -Cross referencing the same master register in Windows it's obvious that -Windows doesn't use debounce values in this configuration. So align the -Linux driver to do this as well. This fixes wake on lid when -WAKE_INT_MASTER_REG is properly programmed. - -Cc: stable@vger.kernel.org -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 -Signed-off-by: Mario Limonciello -Link: https://lore.kernel.org/r/20230421120625.3366-2-mario.limonciello@amd.com -Signed-off-by: Linus Walleij -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pinctrl/pinctrl-amd.c | 7 +++++++ - drivers/pinctrl/pinctrl-amd.h | 1 + - 2 files changed, 8 insertions(+) - ---- a/drivers/pinctrl/pinctrl-amd.c -+++ b/drivers/pinctrl/pinctrl-amd.c -@@ -127,6 +127,12 @@ static int amd_gpio_set_debounce(struct - struct amd_gpio *gpio_dev = gpiochip_get_data(gc); - - raw_spin_lock_irqsave(&gpio_dev->lock, flags); -+ -+ /* Use special handling for Pin0 debounce */ -+ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); -+ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) -+ debounce = 0; -+ - pin_reg = readl(gpio_dev->base + offset * 4); - - if (debounce) { -@@ -216,6 +222,7 @@ static void amd_gpio_dbg_show(struct seq - char *output_value; - char *output_enable; - -+ seq_printf(s, "WAKE_INT_MASTER_REG: 0x%08x\n", readl(gpio_dev->base + WAKE_INT_MASTER_REG)); - for (bank = 0; bank < gpio_dev->hwbank_num; bank++) { - seq_printf(s, "GPIO bank%d\t", bank); - ---- a/drivers/pinctrl/pinctrl-amd.h -+++ b/drivers/pinctrl/pinctrl-amd.h -@@ -21,6 +21,7 @@ - #define AMD_GPIO_PINS_BANK3 32 - - #define WAKE_INT_MASTER_REG 0xfc -+#define INTERNAL_GPIO0_DEBOUNCE (1 << 15) - #define EOI_MASK (1 << 29) - - #define WAKE_INT_STATUS_REG0 0x2f8 diff --git a/queue-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch b/queue-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch deleted file mode 100644 index 1e30bf1de1c..00000000000 --- a/queue-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch +++ /dev/null @@ -1,39 +0,0 @@ -From a855724dc08b8cb0c13ab1e065a4922f1e5a7552 Mon Sep 17 00:00:00 2001 -From: Mario Limonciello -Date: Fri, 21 Apr 2023 07:06:22 -0500 -Subject: pinctrl: amd: Fix mistake in handling clearing pins at startup - -From: Mario Limonciello - -commit a855724dc08b8cb0c13ab1e065a4922f1e5a7552 upstream. - -commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") -had a mistake in loop iteration 63 that it would clear offset 0xFC instead -of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was -clearing bits 13 and 15 from the register which significantly changed the -expected handling for some platforms for GPIO0. - -Cc: stable@vger.kernel.org -Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 -Signed-off-by: Mario Limonciello -Link: https://lore.kernel.org/r/20230421120625.3366-3-mario.limonciello@amd.com -Signed-off-by: Linus Walleij -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pinctrl/pinctrl-amd.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/pinctrl/pinctrl-amd.c -+++ b/drivers/pinctrl/pinctrl-amd.c -@@ -794,9 +794,9 @@ static void amd_gpio_irq_init(struct amd - - raw_spin_lock_irqsave(&gpio_dev->lock, flags); - -- pin_reg = readl(gpio_dev->base + i * 4); -+ pin_reg = readl(gpio_dev->base + pin * 4); - pin_reg &= ~mask; -- writel(pin_reg, gpio_dev->base + i * 4); -+ writel(pin_reg, gpio_dev->base + pin * 4); - - raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); - } diff --git a/queue-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch b/queue-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch deleted file mode 100644 index c45deee6c66..00000000000 --- a/queue-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 0d5ace1a07f7e846d0f6d972af60d05515599d0b Mon Sep 17 00:00:00 2001 -From: Mario Limonciello -Date: Wed, 5 Jul 2023 08:30:02 -0500 -Subject: pinctrl: amd: Only use special debounce behavior for GPIO 0 - -From: Mario Limonciello - -commit 0d5ace1a07f7e846d0f6d972af60d05515599d0b upstream. - -It's uncommon to use debounce on any other pin, but technically -we should only set debounce to 0 when working off GPIO0. - -Cc: stable@vger.kernel.org -Tested-by: Jan Visser -Fixes: 968ab9261627 ("pinctrl: amd: Detect internal GPIO0 debounce handling") -Signed-off-by: Mario Limonciello -Link: https://lore.kernel.org/r/20230705133005.577-2-mario.limonciello@amd.com -Signed-off-by: Linus Walleij -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pinctrl/pinctrl-amd.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/drivers/pinctrl/pinctrl-amd.c -+++ b/drivers/pinctrl/pinctrl-amd.c -@@ -129,9 +129,11 @@ static int amd_gpio_set_debounce(struct - raw_spin_lock_irqsave(&gpio_dev->lock, flags); - - /* Use special handling for Pin0 debounce */ -- pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); -- if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) -- debounce = 0; -+ if (offset == 0) { -+ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); -+ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) -+ debounce = 0; -+ } - - pin_reg = readl(gpio_dev->base + offset * 4); - diff --git a/queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch deleted file mode 100644 index 9b216e957f3..00000000000 --- a/queue-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch +++ /dev/null @@ -1,108 +0,0 @@ -From c6a53f20f6bffc5450fcb9e1b763e8c839407eb2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 5 Jul 2023 08:30:03 -0500 -Subject: pinctrl: amd: Use amd_pinconf_set() for all config options - -From: Mario Limonciello - -[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] - -On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to -GPIO 7 is causing an interrupt storm. This issue doesn't happen on -Windows. - -Comparing the GPIO register configuration between Windows and Linux -bit 20 has been configured as a pull up on Windows, but not on Linux. -Checking GPIO declaration from the firmware it is clear it *should* have -been a pull up on Linux as well. - -``` -GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, - "\\_SB.GPIO", 0x00, ResourceConsumer, ,) -{ // Pin list -0x0007 -} -``` - -On Linux amd_gpio_set_config() is currently only used for programming -the debounce. Actually the GPIO core calls it with all the arguments -that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. - -To solve this issue expand amd_gpio_set_config() to support the other -arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, -`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. - -Reported-by: Nik P -Reported-by: Nathan Schulte -Reported-by: Friedrich Vock -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 -Reported-by: dridri85@gmail.com -Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 -Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ -Tested-by: Jan Visser -Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") -Signed-off-by: Mario Limonciello -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com -Signed-off-by: Linus Walleij -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- - 1 file changed, 15 insertions(+), 13 deletions(-) - -diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c -index d5f5661de13c6..c140ee16fe7c8 100644 ---- a/drivers/pinctrl/pinctrl-amd.c -+++ b/drivers/pinctrl/pinctrl-amd.c -@@ -190,18 +190,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, - return ret; - } - --static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, -- unsigned long config) --{ -- u32 debounce; -- -- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) -- return -ENOTSUPP; -- -- debounce = pinconf_to_config_argument(config); -- return amd_gpio_set_debounce(gc, offset, debounce); --} -- - #ifdef CONFIG_DEBUG_FS - static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) - { -@@ -686,7 +674,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, - } - - static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, -- unsigned long *configs, unsigned num_configs) -+ unsigned long *configs, unsigned int num_configs) - { - int i; - u32 arg; -@@ -776,6 +764,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, - return 0; - } - -+static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, -+ unsigned long config) -+{ -+ struct amd_gpio *gpio_dev = gpiochip_get_data(gc); -+ -+ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { -+ u32 debounce = pinconf_to_config_argument(config); -+ -+ return amd_gpio_set_debounce(gc, pin, debounce); -+ } -+ -+ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); -+} -+ - static const struct pinconf_ops amd_pinconf_ops = { - .pin_config_get = amd_pinconf_get, - .pin_config_set = amd_pinconf_set, --- -2.39.2 - diff --git a/queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch deleted file mode 100644 index f887cbf1584..00000000000 --- a/queue-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 8cc3629d359b1617fe9c7a963a43fb802602ce1f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 13:53:33 +0300 -Subject: pinctrl: at91-pio4: check return value of devm_kasprintf() - -From: Claudiu Beznea - -[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ] - -devm_kasprintf() returns a pointer to dynamically allocated memory. -Pointer could be NULL in case allocation fails. Check pointer validity. -Identified with coccinelle (kmerr.cocci script). - -Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") -Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") -Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") -Signed-off-by: Claudiu Beznea -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com -Signed-off-by: Linus Walleij -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c -index 5b883eb49ce92..cbbda24bf6a80 100644 ---- a/drivers/pinctrl/pinctrl-at91-pio4.c -+++ b/drivers/pinctrl/pinctrl-at91-pio4.c -@@ -1024,6 +1024,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) - /* Pin naming convention: P(bank_name)(bank_pin_number). */ - pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", - bank + 'A', line); -+ if (!pin_desc[i].name) -+ return -ENOMEM; - - group->name = group_names[i] = pin_desc[i].name; - group->pin = pin_desc[i].number; --- -2.39.2 - diff --git a/queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch deleted file mode 100644 index 297f675b95f..00000000000 --- a/queue-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 1dab81b0371c72df1a682c0bb10383010b482841 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 5 Jun 2023 17:37:34 +0300 -Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode - -From: Andy Shevchenko - -[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ] - -Currently the getter returns ENOTSUPP on pin configured in -the push-pull mode. Fix this by adding the missed switch case. - -Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config") -Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support") -Acked-by: Mika Westerberg -Signed-off-by: Andy Shevchenko -Signed-off-by: Sasha Levin ---- - drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c -index 25932d2a71547..ef8eb42e4d383 100644 ---- a/drivers/pinctrl/intel/pinctrl-cherryview.c -+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c -@@ -1032,11 +1032,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin, - - break; - -- case PIN_CONFIG_DRIVE_OPEN_DRAIN: -- if (!(ctrl1 & CHV_PADCTRL1_ODEN)) -- return -EINVAL; -- break; -- - case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: { - u32 cfg; - -@@ -1046,6 +1041,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin, - return -EINVAL; - - break; -+ -+ case PIN_CONFIG_DRIVE_PUSH_PULL: -+ if (ctrl1 & CHV_PADCTRL1_ODEN) -+ return -EINVAL; -+ break; -+ -+ case PIN_CONFIG_DRIVE_OPEN_DRAIN: -+ if (!(ctrl1 & CHV_PADCTRL1_ODEN)) -+ return -EINVAL; -+ break; - } - - default: --- -2.39.2 - diff --git a/queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch deleted file mode 100644 index fd4ada2152b..00000000000 --- a/queue-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch +++ /dev/null @@ -1,48 +0,0 @@ -From ef15279e88446b0b4c31771ab1aca4bdc6714705 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 18 Apr 2023 06:07:43 -0700 -Subject: PM: domains: fix integer overflow issues in genpd_parse_state() - -From: Nikita Zhandarovich - -[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ] - -Currently, while calculating residency and latency values, right -operands may overflow if resulting values are big enough. - -To prevent this, albeit unlikely case, play it safe and convert -right operands to left ones' type s64. - -Found by Linux Verification Center (linuxtesting.org) with static -analysis tool SVACE. - -Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT") -Signed-off-by: Nikita Zhandarovich -Acked-by: Ulf Hansson -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/base/power/domain.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c -index e865aa4b25047..b32d3cf4f670d 100644 ---- a/drivers/base/power/domain.c -+++ b/drivers/base/power/domain.c -@@ -2433,10 +2433,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state, - - err = of_property_read_u32(state_node, "min-residency-us", &residency); - if (!err) -- genpd_state->residency_ns = 1000 * residency; -+ genpd_state->residency_ns = 1000LL * residency; - -- genpd_state->power_on_latency_ns = 1000 * exit_latency; -- genpd_state->power_off_latency_ns = 1000 * entry_latency; -+ genpd_state->power_on_latency_ns = 1000LL * exit_latency; -+ genpd_state->power_off_latency_ns = 1000LL * entry_latency; - genpd_state->fwnode = &state_node->fwnode; - - return 0; --- -2.39.2 - diff --git a/queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch deleted file mode 100644 index 1d7b8e95a2c..00000000000 --- a/queue-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch +++ /dev/null @@ -1,115 +0,0 @@ -From deabead3b46d4d115d9fd90afe2b7dbebe10919a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 1 Jun 2023 20:58:47 +0200 -Subject: posix-timers: Ensure timer ID search-loop limit is valid - -From: Thomas Gleixner - -[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] - -posix_timer_add() tries to allocate a posix timer ID by starting from the -cached ID which was stored by the last successful allocation. - -This is done in a loop searching the ID space for a free slot one by -one. The loop has to terminate when the search wrapped around to the -starting point. - -But that's racy vs. establishing the starting point. That is read out -lockless, which leads to the following problem: - -CPU0 CPU1 -posix_timer_add() - start = sig->posix_timer_id; - lock(hash_lock); - ... posix_timer_add() - if (++sig->posix_timer_id < 0) - start = sig->posix_timer_id; - sig->posix_timer_id = 0; - -So CPU1 can observe a negative start value, i.e. -1, and the loop break -never happens because the condition can never be true: - - if (sig->posix_timer_id == start) - break; - -While this is unlikely to ever turn into an endless loop as the ID space is -huge (INT_MAX), the racy read of the start value caught the attention of -KCSAN and Dmitry unearthed that incorrectness. - -Rewrite it so that all id operations are under the hash lock. - -Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com -Reported-by: Dmitry Vyukov -Signed-off-by: Thomas Gleixner -Reviewed-by: Frederic Weisbecker -Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx -Signed-off-by: Sasha Levin ---- - include/linux/sched/signal.h | 2 +- - kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- - 2 files changed, 19 insertions(+), 14 deletions(-) - -diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h -index 660d78c9af6c8..6a55b30ae742b 100644 ---- a/include/linux/sched/signal.h -+++ b/include/linux/sched/signal.h -@@ -127,7 +127,7 @@ struct signal_struct { - #ifdef CONFIG_POSIX_TIMERS - - /* POSIX.1b Interval Timers */ -- int posix_timer_id; -+ unsigned int next_posix_timer_id; - struct list_head posix_timers; - - /* ITIMER_REAL timer for the process */ -diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c -index 1234868b3b03e..8768ce2c4bf52 100644 ---- a/kernel/time/posix-timers.c -+++ b/kernel/time/posix-timers.c -@@ -159,25 +159,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) - static int posix_timer_add(struct k_itimer *timer) - { - struct signal_struct *sig = current->signal; -- int first_free_id = sig->posix_timer_id; - struct hlist_head *head; -- int ret = -ENOENT; -+ unsigned int cnt, id; - -- do { -+ /* -+ * FIXME: Replace this by a per signal struct xarray once there is -+ * a plan to handle the resulting CRIU regression gracefully. -+ */ -+ for (cnt = 0; cnt <= INT_MAX; cnt++) { - spin_lock(&hash_lock); -- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; -- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { -+ id = sig->next_posix_timer_id; -+ -+ /* Write the next ID back. Clamp it to the positive space */ -+ sig->next_posix_timer_id = (id + 1) & INT_MAX; -+ -+ head = &posix_timers_hashtable[hash(sig, id)]; -+ if (!__posix_timers_find(head, sig, id)) { - hlist_add_head_rcu(&timer->t_hash, head); -- ret = sig->posix_timer_id; -+ spin_unlock(&hash_lock); -+ return id; - } -- if (++sig->posix_timer_id < 0) -- sig->posix_timer_id = 0; -- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) -- /* Loop over all possible ids completed */ -- ret = -EAGAIN; - spin_unlock(&hash_lock); -- } while (ret == -ENOENT); -- return ret; -+ } -+ /* POSIX return code when no timer ID could be allocated */ -+ return -EAGAIN; - } - - static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) --- -2.39.2 - diff --git a/queue-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch b/queue-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch deleted file mode 100644 index edb29963600..00000000000 --- a/queue-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch +++ /dev/null @@ -1,46 +0,0 @@ -From a91683b99e01be25196c16b35ce56179ca1665f2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 30 Jun 2023 22:47:12 -0700 -Subject: powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Randy Dunlap - -[ Upstream commit 39f49684036d24af800ff194c33c7b2653c591d7 ] - -In a randconfig with CONFIG_SERIAL_CPM=m and -CONFIG_PPC_EARLY_DEBUG_CPM=y, there is a build error: -ERROR: modpost: "udbg_putc" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined! - -Prevent the build error by allowing PPC_EARLY_DEBUG_CPM only when -SERIAL_CPM=y. - -Fixes: c374e00e17f1 ("[POWERPC] Add early debug console for CPM serial ports.") -Signed-off-by: Randy Dunlap -Reviewed-by: Pali Rohár -Reviewed-by: Christophe Leroy -Signed-off-by: Michael Ellerman -Link: https://msgid.link/20230701054714.30512-1-rdunlap@infradead.org -Signed-off-by: Sasha Levin ---- - arch/powerpc/Kconfig.debug | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug -index ffe0cf0f0bea2..923b3b794d13f 100644 ---- a/arch/powerpc/Kconfig.debug -+++ b/arch/powerpc/Kconfig.debug -@@ -232,7 +232,7 @@ config PPC_EARLY_DEBUG_40x - - config PPC_EARLY_DEBUG_CPM - bool "Early serial debugging for Freescale CPM-based serial ports" -- depends on SERIAL_CPM -+ depends on SERIAL_CPM=y - help - Select this to enable early debugging for Freescale chips - using a CPM-based serial port. This assumes that the bootwrapper --- -2.39.2 - diff --git a/queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch b/queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch deleted file mode 100644 index 6c81cb6efdb..00000000000 --- a/queue-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 538cb4b674cd354c9bbdaaf06670cfdf71f72bca Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 13 Apr 2023 08:12:28 -0700 -Subject: radeon: avoid double free in ci_dpm_init() - -From: Nikita Zhandarovich - -[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] - -Several calls to ci_dpm_fini() will attempt to free resources that -either have been freed before or haven't been allocated yet. This -may lead to undefined or dangerous behaviour. - -For instance, if r600_parse_extended_power_table() fails, it might -call r600_free_extended_power_table() as will ci_dpm_fini() later -during error handling. - -Fix this by only freeing pointers to objects previously allocated. - -Found by Linux Verification Center (linuxtesting.org) with static -analysis tool SVACE. - -Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") -Co-developed-by: Natalia Petrova -Signed-off-by: Nikita Zhandarovich -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++-------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c -index 90c1afe498bea..ce8b14592b69b 100644 ---- a/drivers/gpu/drm/radeon/ci_dpm.c -+++ b/drivers/gpu/drm/radeon/ci_dpm.c -@@ -5552,6 +5552,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) - u8 frev, crev; - u8 *power_state_offset; - struct ci_ps *ps; -+ int ret; - - if (!atom_parse_data_header(mode_info->atom_context, index, NULL, - &frev, &crev, &data_offset)) -@@ -5581,11 +5582,15 @@ static int ci_parse_power_table(struct radeon_device *rdev) - non_clock_array_index = power_state->v2.nonClockInfoIndex; - non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) - &non_clock_info_array->nonClockInfo[non_clock_array_index]; -- if (!rdev->pm.power_state[i].clock_info) -- return -EINVAL; -+ if (!rdev->pm.power_state[i].clock_info) { -+ ret = -EINVAL; -+ goto err_free_ps; -+ } - ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); -- if (ps == NULL) -- return -ENOMEM; -+ if (ps == NULL) { -+ ret = -ENOMEM; -+ goto err_free_ps; -+ } - rdev->pm.dpm.ps[i].ps_priv = ps; - ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], - non_clock_info, -@@ -5625,6 +5630,12 @@ static int ci_parse_power_table(struct radeon_device *rdev) - } - - return 0; -+ -+err_free_ps: -+ for (i = 0; i < rdev->pm.dpm.num_ps; i++) -+ kfree(rdev->pm.dpm.ps[i].ps_priv); -+ kfree(rdev->pm.dpm.ps); -+ return ret; - } - - static int ci_get_vbios_boot_values(struct radeon_device *rdev, -@@ -5713,25 +5724,26 @@ int ci_dpm_init(struct radeon_device *rdev) - - ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state); - if (ret) { -- ci_dpm_fini(rdev); -+ kfree(rdev->pm.dpm.priv); - return ret; - } - - ret = r600_get_platform_caps(rdev); - if (ret) { -- ci_dpm_fini(rdev); -+ kfree(rdev->pm.dpm.priv); - return ret; - } - - ret = r600_parse_extended_power_table(rdev); - if (ret) { -- ci_dpm_fini(rdev); -+ kfree(rdev->pm.dpm.priv); - return ret; - } - - ret = ci_parse_power_table(rdev); - if (ret) { -- ci_dpm_fini(rdev); -+ kfree(rdev->pm.dpm.priv); -+ r600_free_extended_power_table(rdev); - return ret; - } - --- -2.39.2 - diff --git a/queue-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch b/queue-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch deleted file mode 100644 index 26cabe77651..00000000000 --- a/queue-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch +++ /dev/null @@ -1,139 +0,0 @@ -From a82d62f708545d22859584e0e0620da8e3759bbc Mon Sep 17 00:00:00 2001 -From: Jiaqing Zhao -Date: Mon, 19 Jun 2023 15:57:44 +0000 -Subject: Revert "8250: add support for ASIX devices with a FIFO bug" - -From: Jiaqing Zhao - -commit a82d62f708545d22859584e0e0620da8e3759bbc upstream. - -This reverts commit eb26dfe8aa7eeb5a5aa0b7574550125f8aa4c3b3. - -Commit eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO -bug") merged on Jul 13, 2012 adds a quirk for PCI_VENDOR_ID_ASIX -(0x9710). But that ID is the same as PCI_VENDOR_ID_NETMOS defined in -1f8b061050c7 ("[PATCH] Netmos parallel/serial/combo support") merged -on Mar 28, 2005. In pci_serial_quirks array, the NetMos entry always -takes precedence over the ASIX entry even since it was initially -merged, code in that commit is always unreachable. - -In my tests, adding the FIFO workaround to pci_netmos_init() makes no -difference, and the vendor driver also does not have such workaround. -Given that the code was never used for over a decade, it's safe to -revert it. - -Also, the real PCI_VENDOR_ID_ASIX should be 0x125b, which is used on -their newer AX99100 PCIe serial controllers released on 2016. The FIFO -workaround should not be intended for these newer controllers, and it -was never implemented in vendor driver. - -Fixes: eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO bug") -Cc: stable -Signed-off-by: Jiaqing Zhao -Reviewed-by: Andy Shevchenko -Link: https://lore.kernel.org/r/20230619155743.827859-1-jiaqing.zhao@linux.intel.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/8250/8250.h | 1 - - drivers/tty/serial/8250/8250_pci.c | 19 ------------------- - drivers/tty/serial/8250/8250_port.c | 11 +++-------- - include/linux/serial_8250.h | 1 - - 4 files changed, 3 insertions(+), 29 deletions(-) - ---- a/drivers/tty/serial/8250/8250.h -+++ b/drivers/tty/serial/8250/8250.h -@@ -85,7 +85,6 @@ struct serial8250_config { - #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */ - #define UART_BUG_NOMSR (1 << 2) /* UART has buggy MSR status bits (Au1x00) */ - #define UART_BUG_THRE (1 << 3) /* UART has buggy THRE reassertion */ --#define UART_BUG_PARITY (1 << 4) /* UART mishandles parity if FIFO enabled */ - - - #ifdef CONFIG_SERIAL_8250_SHARE_IRQ ---- a/drivers/tty/serial/8250/8250_pci.c -+++ b/drivers/tty/serial/8250/8250_pci.c -@@ -1049,14 +1049,6 @@ static int pci_oxsemi_tornado_init(struc - return number_uarts; - } - --static int pci_asix_setup(struct serial_private *priv, -- const struct pciserial_board *board, -- struct uart_8250_port *port, int idx) --{ -- port->bugs |= UART_BUG_PARITY; -- return pci_default_setup(priv, board, port, idx); --} -- - /* Quatech devices have their own extra interface features */ - - struct quatech_feature { -@@ -1683,7 +1675,6 @@ pci_wch_ch38x_setup(struct serial_privat - #define PCI_DEVICE_ID_WCH_CH355_4S 0x7173 - #define PCI_VENDOR_ID_AGESTAR 0x5372 - #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 --#define PCI_VENDOR_ID_ASIX 0x9710 - #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a - #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e - -@@ -2455,16 +2446,6 @@ static struct pci_serial_quirk pci_seria - .setup = pci_wch_ch38x_setup, - }, - /* -- * ASIX devices with FIFO bug -- */ -- { -- .vendor = PCI_VENDOR_ID_ASIX, -- .device = PCI_ANY_ID, -- .subvendor = PCI_ANY_ID, -- .subdevice = PCI_ANY_ID, -- .setup = pci_asix_setup, -- }, -- /* - * Broadcom TruManage (NetXtreme) - */ - { ---- a/drivers/tty/serial/8250/8250_port.c -+++ b/drivers/tty/serial/8250/8250_port.c -@@ -2617,11 +2617,8 @@ static unsigned char serial8250_compute_ - - if (c_cflag & CSTOPB) - cval |= UART_LCR_STOP; -- if (c_cflag & PARENB) { -+ if (c_cflag & PARENB) - cval |= UART_LCR_PARITY; -- if (up->bugs & UART_BUG_PARITY) -- up->fifo_bug = true; -- } - if (!(c_cflag & PARODD)) - cval |= UART_LCR_EPAR; - #ifdef CMSPAR -@@ -2735,8 +2732,7 @@ serial8250_do_set_termios(struct uart_po - up->lcr = cval; /* Save computed LCR */ - - if (up->capabilities & UART_CAP_FIFO && port->fifosize > 1) { -- /* NOTE: If fifo_bug is not set, a user can set RX_trigger. */ -- if ((baud < 2400 && !up->dma) || up->fifo_bug) { -+ if (baud < 2400 && !up->dma) { - up->fcr &= ~UART_FCR_TRIGGER_MASK; - up->fcr |= UART_FCR_TRIGGER_1; - } -@@ -3072,8 +3068,7 @@ static int do_set_rxtrig(struct tty_port - struct uart_8250_port *up = up_to_u8250p(uport); - int rxtrig; - -- if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1 || -- up->fifo_bug) -+ if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1) - return -EINVAL; - - rxtrig = bytes_to_fcr_rxtrig(up, bytes); ---- a/include/linux/serial_8250.h -+++ b/include/linux/serial_8250.h -@@ -99,7 +99,6 @@ struct uart_8250_port { - struct list_head list; /* ports on this IRQ */ - u32 capabilities; /* port capabilities */ - unsigned short bugs; /* port bugs */ -- bool fifo_bug; /* min RX trigger if enabled */ - unsigned int tx_loadsz; /* transmit fifo load size */ - unsigned char acr; - unsigned char fcr; diff --git a/queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch deleted file mode 100644 index 75611e500a9..00000000000 --- a/queue-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 0891c3b57a9ceed9c4e331ce92a2edea7581fc11 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 17 Jul 2023 14:59:18 -0700 -Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash - table" - -From: Kuniyuki Iwashima - -[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] - -This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. - -Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in -ehash table") reversed the order in how a socket is inserted into ehash -to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are -swapped. However, it introduced another lookup failure. - -The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU -and does not have SOCK_RCU_FREE, so the socket could be reused even while -it is being referenced on another CPU doing RCU lookup. - -Let's say a socket is reused and inserted into the same hash bucket during -lookup. After the blamed commit, a new socket is inserted at the end of -the list. If that happens, we will skip sockets placed after the previous -position of the reused socket, resulting in ehash lookup failure. - -As described in Documentation/RCU/rculist_nulls.rst, we should insert a -new socket at the head of the list to avoid such an issue. - -This issue, the swap-lookup-failure, and another variant reported in [0] -can all be handled properly by adding a locked ehash lookup suggested by -Eric Dumazet [1]. - -However, this issue could occur for every packet, thus more likely than -the other two races, so let's revert the change for now. - -Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] -Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] -Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") -Signed-off-by: Kuniyuki Iwashima -Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/inet_hashtables.c | 17 ++--------------- - net/ipv4/inet_timewait_sock.c | 8 ++++---- - 2 files changed, 6 insertions(+), 19 deletions(-) - -diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c -index 5a272d09b8248..c6d670cd872f0 100644 ---- a/net/ipv4/inet_hashtables.c -+++ b/net/ipv4/inet_hashtables.c -@@ -579,20 +579,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) - spin_lock(lock); - if (osk) { - WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); -- ret = sk_hashed(osk); -- if (ret) { -- /* Before deleting the node, we insert a new one to make -- * sure that the look-up-sk process would not miss either -- * of them and that at least one node would exist in ehash -- * table all the time. Otherwise there's a tiny chance -- * that lookup process could find nothing in ehash table. -- */ -- __sk_nulls_add_node_tail_rcu(sk, list); -- sk_nulls_del_node_init_rcu(osk); -- } -- goto unlock; -- } -- if (found_dup_sk) { -+ ret = sk_nulls_del_node_init_rcu(osk); -+ } else if (found_dup_sk) { - *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); - if (*found_dup_sk) - ret = false; -@@ -601,7 +589,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) - if (ret) - __sk_nulls_add_node_rcu(sk, list); - --unlock: - spin_unlock(lock); - - return ret; -diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c -index fedd19c22b392..88c5069b5d20c 100644 ---- a/net/ipv4/inet_timewait_sock.c -+++ b/net/ipv4/inet_timewait_sock.c -@@ -80,10 +80,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) - } - EXPORT_SYMBOL_GPL(inet_twsk_put); - --static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, -- struct hlist_nulls_head *list) -+static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, -+ struct hlist_nulls_head *list) - { -- hlist_nulls_add_tail_rcu(&tw->tw_node, list); -+ hlist_nulls_add_head_rcu(&tw->tw_node, list); - } - - static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, -@@ -119,7 +119,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, - - spin_lock(lock); - -- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); -+ inet_twsk_add_node_rcu(tw, &ehead->chain); - - /* Step 3: Remove SK from hash chain */ - if (__sk_nulls_del_node_init_rcu(sk)) --- -2.39.2 - diff --git a/queue-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch b/queue-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch deleted file mode 100644 index 63a5a49ea1e..00000000000 --- a/queue-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 Mon Sep 17 00:00:00 2001 -From: Zheng Yejian -Date: Sun, 9 Jul 2023 06:51:44 +0800 -Subject: ring-buffer: Fix deadloop issue on reading trace_pipe - -From: Zheng Yejian - -commit 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 upstream. - -Soft lockup occurs when reading file 'trace_pipe': - - watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488] - [...] - RIP: 0010:ring_buffer_empty_cpu+0xed/0x170 - RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246 - RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb - RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218 - RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f - R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901 - R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000 - [...] - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0 - DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 - DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 - Call Trace: - __find_next_entry+0x1a8/0x4b0 - ? peek_next_entry+0x250/0x250 - ? down_write+0xa5/0x120 - ? down_write_killable+0x130/0x130 - trace_find_next_entry_inc+0x3b/0x1d0 - tracing_read_pipe+0x423/0xae0 - ? tracing_splice_read_pipe+0xcb0/0xcb0 - vfs_read+0x16b/0x490 - ksys_read+0x105/0x210 - ? __ia32_sys_pwrite64+0x200/0x200 - ? switch_fpu_return+0x108/0x220 - do_syscall_64+0x33/0x40 - entry_SYSCALL_64_after_hwframe+0x61/0xc6 - -Through the vmcore, I found it's because in tracing_read_pipe(), -ring_buffer_empty_cpu() found some buffer is not empty but then it -cannot read anything due to "rb_num_of_entries() == 0" always true, -Then it infinitely loop the procedure due to user buffer not been -filled, see following code path: - - tracing_read_pipe() { - ... ... - waitagain: - tracing_wait_pipe() // 1. find non-empty buffer here - trace_find_next_entry_inc() // 2. loop here try to find an entry - __find_next_entry() - ring_buffer_empty_cpu(); // 3. find non-empty buffer - peek_next_entry() // 4. but peek always return NULL - ring_buffer_peek() - rb_buffer_peek() - rb_get_reader_page() - // 5. because rb_num_of_entries() == 0 always true here - // then return NULL - // 6. user buffer not been filled so goto 'waitgain' - // and eventually leads to an deadloop in kernel!!! - } - -By some analyzing, I found that when resetting ringbuffer, the 'entries' -of its pages are not all cleared (see rb_reset_cpu()). Then when reducing -the ringbuffer, and if some reduced pages exist dirty 'entries' data, they -will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which -cause wrong 'overrun' count and eventually cause the deadloop issue. - -To fix it, we need to clear every pages in rb_reset_cpu(). - -Link: https://lore.kernel.org/linux-trace-kernel/20230708225144.3785600-1-zhengyejian1@huawei.com - -Cc: stable@vger.kernel.org -Fixes: a5fb833172eca ("ring-buffer: Fix uninitialized read_stamp") -Signed-off-by: Zheng Yejian -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/ring_buffer.c | 24 +++++++++++++++--------- - 1 file changed, 15 insertions(+), 9 deletions(-) - ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -4408,28 +4408,34 @@ unsigned long ring_buffer_size(struct ri - } - EXPORT_SYMBOL_GPL(ring_buffer_size); - -+static void rb_clear_buffer_page(struct buffer_page *page) -+{ -+ local_set(&page->write, 0); -+ local_set(&page->entries, 0); -+ rb_init_page(page->page); -+ page->read = 0; -+} -+ - static void - rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) - { -+ struct buffer_page *page; -+ - rb_head_page_deactivate(cpu_buffer); - - cpu_buffer->head_page - = list_entry(cpu_buffer->pages, struct buffer_page, list); -- local_set(&cpu_buffer->head_page->write, 0); -- local_set(&cpu_buffer->head_page->entries, 0); -- local_set(&cpu_buffer->head_page->page->commit, 0); -- -- cpu_buffer->head_page->read = 0; -+ rb_clear_buffer_page(cpu_buffer->head_page); -+ list_for_each_entry(page, cpu_buffer->pages, list) { -+ rb_clear_buffer_page(page); -+ } - - cpu_buffer->tail_page = cpu_buffer->head_page; - cpu_buffer->commit_page = cpu_buffer->head_page; - - INIT_LIST_HEAD(&cpu_buffer->reader_page->list); - INIT_LIST_HEAD(&cpu_buffer->new_pages); -- local_set(&cpu_buffer->reader_page->write, 0); -- local_set(&cpu_buffer->reader_page->entries, 0); -- local_set(&cpu_buffer->reader_page->page->commit, 0); -- cpu_buffer->reader_page->read = 0; -+ rb_clear_buffer_page(cpu_buffer->reader_page); - - local_set(&cpu_buffer->entries_bytes, 0); - local_set(&cpu_buffer->overrun, 0); diff --git a/queue-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch b/queue-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch deleted file mode 100644 index d0194733391..00000000000 --- a/queue-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch +++ /dev/null @@ -1,40 +0,0 @@ -From d374daa9cdec916607584105f5d15a6cd42696a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 8 Jun 2023 21:11:42 +0200 -Subject: rtc: st-lpc: Release some resources in st_rtc_probe() in case of - error - -From: Christophe JAILLET - -[ Upstream commit 06c6e1b01d9261f03629cefd1f3553503291e6cf ] - -If an error occurs after clk_get(), the corresponding resources should be -released. - -Use devm_clk_get() to fix it. - -Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") -Signed-off-by: Christophe JAILLET -Link: https://lore.kernel.org/r/866af6adbc7454a7b4505eb6c28fbdc86ccff39e.1686251455.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Alexandre Belloni -Signed-off-by: Sasha Levin ---- - drivers/rtc/rtc-st-lpc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c -index e66439b6247a4..e8a8ca3545f00 100644 ---- a/drivers/rtc/rtc-st-lpc.c -+++ b/drivers/rtc/rtc-st-lpc.c -@@ -239,7 +239,7 @@ static int st_rtc_probe(struct platform_device *pdev) - enable_irq_wake(rtc->irq); - disable_irq(rtc->irq); - -- rtc->clk = clk_get(&pdev->dev, NULL); -+ rtc->clk = devm_clk_get(&pdev->dev, NULL); - if (IS_ERR(rtc->clk)) { - dev_err(&pdev->dev, "Unable to request clock\n"); - return PTR_ERR(rtc->clk); --- -2.39.2 - diff --git a/queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch deleted file mode 100644 index 109b15337ed..00000000000 --- a/queue-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 1bc2f94406b03808f08a0f4b770a725753a34849 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 5 May 2023 16:50:58 +0800 -Subject: samples/bpf: Fix buffer overflow in tcp_basertt - -From: Pengcheng Yang - -[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ] - -Using sizeof(nv) or strlen(nv)+1 is correct. - -Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program") -Signed-off-by: Pengcheng Yang -Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com -Signed-off-by: Alexei Starovoitov -Signed-off-by: Sasha Levin ---- - samples/bpf/tcp_basertt_kern.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c -index 4bf4fc597db9a..653d233714ad0 100644 ---- a/samples/bpf/tcp_basertt_kern.c -+++ b/samples/bpf/tcp_basertt_kern.c -@@ -54,7 +54,7 @@ int bpf_basertt(struct bpf_sock_ops *skops) - case BPF_SOCK_OPS_BASE_RTT: - n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION, - cong, sizeof(cong)); -- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) { -+ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) { - /* Set base_rtt to 80us */ - rv = 80; - } else if (n) { --- -2.39.2 - diff --git a/queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch b/queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch deleted file mode 100644 index 10c3af2ae82..00000000000 --- a/queue-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 29445fe25db278af2e1f337c9529eeae5d380b35 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 30 May 2023 16:25:07 +0800 -Subject: sched/fair: Don't balance task to its current running CPU - -From: Yicong Yang - -[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] - -We've run into the case that the balancer tries to balance a migration -disabled task and trigger the warning in set_task_cpu() like below: - - ------------[ cut here ]------------ - WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 - Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> - CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 - Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 - pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) - pc : set_task_cpu+0x188/0x240 - lr : load_balance+0x5d0/0xc60 - sp : ffff80000803bc70 - x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 - x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 - x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 - x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 - x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 - x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 - x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 - x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e - x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a - x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 - Call trace: - set_task_cpu+0x188/0x240 - load_balance+0x5d0/0xc60 - rebalance_domains+0x26c/0x380 - _nohz_idle_balance.isra.0+0x1e0/0x370 - run_rebalance_domains+0x6c/0x80 - __do_softirq+0x128/0x3d8 - ____do_softirq+0x18/0x24 - call_on_irq_stack+0x2c/0x38 - do_softirq_own_stack+0x24/0x3c - __irq_exit_rcu+0xcc/0xf4 - irq_exit_rcu+0x18/0x24 - el1_interrupt+0x4c/0xe4 - el1h_64_irq_handler+0x18/0x2c - el1h_64_irq+0x74/0x78 - arch_cpu_idle+0x18/0x4c - default_idle_call+0x58/0x194 - do_idle+0x244/0x2b0 - cpu_startup_entry+0x30/0x3c - secondary_start_kernel+0x14c/0x190 - __secondary_switched+0xb0/0xb4 - ---[ end trace 0000000000000000 ]--- - -Further investigation shows that the warning is superfluous, the migration -disabled task is just going to be migrated to its current running CPU. -This is because that on load balance if the dst_cpu is not allowed by the -task, we'll re-select a new_dst_cpu as a candidate. If no task can be -balanced to dst_cpu we'll try to balance the task to the new_dst_cpu -instead. In this case when the migration disabled task is not on CPU it -only allows to run on its current CPU, load balance will select its -current CPU as new_dst_cpu and later triggers the warning above. - -The new_dst_cpu is chosen from the env->dst_grpmask. Currently it -contains CPUs in sched_group_span() and if we have overlapped groups it's -possible to run into this case. This patch makes env->dst_grpmask of -group_balance_mask() which exclude any CPUs from the busiest group and -solve the issue. For balancing in a domain with no overlapped groups -the behaviour keeps same as before. - -Suggested-by: Vincent Guittot -Signed-off-by: Yicong Yang -Signed-off-by: Peter Zijlstra (Intel) -Reviewed-by: Vincent Guittot -Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com -Signed-off-by: Sasha Levin ---- - kernel/sched/fair.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index eb67f42fb96ba..09f82c84474b8 100644 ---- a/kernel/sched/fair.c -+++ b/kernel/sched/fair.c -@@ -8721,7 +8721,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, - .sd = sd, - .dst_cpu = this_cpu, - .dst_rq = this_rq, -- .dst_grpmask = sched_group_span(sd->groups), -+ .dst_grpmask = group_balance_mask(sd->groups), - .idle = idle, - .loop_break = sched_nr_migrate_break, - .cpus = cpus, --- -2.39.2 - diff --git a/queue-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch b/queue-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch deleted file mode 100644 index 051af99d720..00000000000 --- a/queue-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch +++ /dev/null @@ -1,65 +0,0 @@ -From e1b37563caffc410bb4b55f153ccb14dede66815 Mon Sep 17 00:00:00 2001 -From: "Ahmed S. Darwish" -Date: Mon, 15 May 2023 19:32:16 +0200 -Subject: scripts/tags.sh: Resolve gtags empty index generation - -From: Ahmed S. Darwish - -commit e1b37563caffc410bb4b55f153ccb14dede66815 upstream. - -gtags considers any file outside of its current working directory -"outside the source tree" and refuses to index it. For O= kernel builds, -or when "make" is invoked from a directory other then the kernel source -tree, gtags ignores the entire kernel source and generates an empty -index. - -Force-set gtags current working directory to the kernel source tree. - -Due to commit 9da0763bdd82 ("kbuild: Use relative path when building in -a subdir of the source tree"), if the kernel build is done in a -sub-directory of the kernel source tree, the kernel Makefile will set -the kernel's $srctree to ".." for shorter compile-time and run-time -warnings. Consequently, the list of files to be indexed will be in the -"../*" form, rendering all such paths invalid once gtags switches to the -kernel source tree as its current working directory. - -If gtags indexing is requested and the build directory is not the kernel -source tree, index all files in absolute-path form. - -Note, indexing in absolute-path form will not affect the generated -index, as paths in gtags indices are always relative to the gtags "root -directory" anyway (as evidenced by "gtags --dump"). - -Signed-off-by: Ahmed S. Darwish -Cc: -Signed-off-by: Masahiro Yamada -Signed-off-by: Greg Kroah-Hartman ---- - scripts/tags.sh | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - ---- a/scripts/tags.sh -+++ b/scripts/tags.sh -@@ -28,6 +28,13 @@ fi - # ignore userspace tools - ignore="$ignore ( -path ${tree}tools ) -prune -o" - -+# gtags(1) refuses to index any file outside of its current working dir. -+# If gtags indexing is requested and the build output directory is not -+# the kernel source tree, index all files in absolute-path form. -+if [[ "$1" == "gtags" && -n "${tree}" ]]; then -+ tree=$(realpath "$tree")/ -+fi -+ - # Detect if ALLSOURCE_ARCHS is set. If not, we assume SRCARCH - if [ "${ALLSOURCE_ARCHS}" = "" ]; then - ALLSOURCE_ARCHS=${SRCARCH} -@@ -136,7 +143,7 @@ docscope() - - dogtags() - { -- all_target_sources | gtags -i -f - -+ all_target_sources | gtags -i -C "${tree:-.}" -f - "$PWD" - } - - # Basic regular expressions with an optional /kind-spec/ for ctags and diff --git a/queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch deleted file mode 100644 index bb38bc4df30..00000000000 --- a/queue-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch +++ /dev/null @@ -1,47 +0,0 @@ -From a2a994777eca5a7c0463e65c84a199840479c744 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 5 May 2023 22:12:55 +0800 -Subject: scsi: 3w-xxxx: Add error handling for initialization failure in - tw_probe() - -From: Yuchen Yang - -[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ] - -Smatch complains that: - -tw_probe() warn: missing error code 'retval' - -This patch adds error checking to tw_probe() to handle initialization -failure. If tw_reset_sequence() function returns a non-zero value, the -function will return -EINVAL to indicate initialization failure. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Yuchen Yang -Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn -Reviewed-by: Dan Carpenter -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/3w-xxxx.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c -index 471366945bd4f..8a61e832607eb 100644 ---- a/drivers/scsi/3w-xxxx.c -+++ b/drivers/scsi/3w-xxxx.c -@@ -2303,8 +2303,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id) - TW_DISABLE_INTERRUPTS(tw_dev); - - /* Initialize the card */ -- if (tw_reset_sequence(tw_dev)) -+ if (tw_reset_sequence(tw_dev)) { -+ retval = -EINVAL; - goto out_release_mem_region; -+ } - - /* Set host specific parameters */ - host->max_id = TW_MAX_UNITS; --- -2.39.2 - diff --git a/queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch deleted file mode 100644 index 5f6202254b3..00000000000 --- a/queue-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch +++ /dev/null @@ -1,37 +0,0 @@ -From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001 -From: Nilesh Javali -Date: Wed, 7 Jun 2023 17:08:39 +0530 -Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() - -From: Nilesh Javali - -commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream. - -Klocwork reported warning of rport maybe NULL and will be dereferenced. -rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. - -Check valid rport returned by fc_bsg_to_rport(). - -Cc: stable@vger.kernel.org -Signed-off-by: Nilesh Javali -Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com -Reviewed-by: Himanshu Madhani -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/scsi/qla2xxx/qla_bsg.c -+++ b/drivers/scsi/qla2xxx/qla_bsg.c -@@ -264,6 +264,10 @@ qla2x00_process_els(struct bsg_job *bsg_ - - if (bsg_request->msgcode == FC_BSG_RPT_ELS) { - rport = fc_bsg_to_rport(bsg_job); -+ if (!rport) { -+ rval = -ENOMEM; -+ goto done; -+ } - fcport = *(fc_port_t **) rport->dd_data; - host = rport_to_shost(rport); - vha = shost_priv(host); diff --git a/queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch deleted file mode 100644 index fc83ca5c714..00000000000 --- a/queue-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001 -From: Bikash Hazarika -Date: Wed, 7 Jun 2023 17:08:37 +0530 -Subject: scsi: qla2xxx: Fix potential NULL pointer dereference - -From: Bikash Hazarika - -commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream. - -Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate -pointer before dereferencing the pointer. - -Cc: stable@vger.kernel.org -Signed-off-by: Bikash Hazarika -Signed-off-by: Nilesh Javali -Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com -Reviewed-by: Himanshu Madhani -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_iocb.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/drivers/scsi/qla2xxx/qla_iocb.c -+++ b/drivers/scsi/qla2xxx/qla_iocb.c -@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s - *((uint32_t *)(&cmd_pkt->entry_type)) = cpu_to_le32(COMMAND_TYPE_6); - - /* No data transfer */ -- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) { -+ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE || -+ tot_dsds == 0) { - cmd_pkt->byte_count = cpu_to_le32(0); - return 0; - } diff --git a/queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch deleted file mode 100644 index bac98cf9cbc..00000000000 --- a/queue-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001 -From: Shreyas Deodhar -Date: Wed, 7 Jun 2023 17:08:41 +0530 -Subject: scsi: qla2xxx: Pointer may be dereferenced - -From: Shreyas Deodhar - -commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream. - -Klocwork tool reported pointer 'rport' returned from call to function -fc_bsg_to_rport() may be NULL and will be dereferenced. - -Add a fix to validate rport before dereferencing. - -Cc: stable@vger.kernel.org -Signed-off-by: Shreyas Deodhar -Signed-off-by: Nilesh Javali -Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com -Reviewed-by: Himanshu Madhani -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_bsg.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/drivers/scsi/qla2xxx/qla_bsg.c -+++ b/drivers/scsi/qla2xxx/qla_bsg.c -@@ -2488,6 +2488,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_ - - if (bsg_request->msgcode == FC_BSG_RPT_ELS) { - rport = fc_bsg_to_rport(bsg_job); -+ if (!rport) -+ return ret; - host = rport_to_shost(rport); - vha = shost_priv(host); - } else { diff --git a/queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch deleted file mode 100644 index 045198311f1..00000000000 --- a/queue-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch +++ /dev/null @@ -1,71 +0,0 @@ -From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001 -From: Quinn Tran -Date: Fri, 28 Apr 2023 00:53:38 -0700 -Subject: scsi: qla2xxx: Wait for io return on terminate rport - -From: Quinn Tran - -commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream. - -System crash due to use after free. -Current code allows terminate_rport_io to exit before making -sure all IOs has returned. For FCP-2 device, IO's can hang -on in HW because driver has not tear down the session in FW at -first sign of cable pull. When dev_loss_tmo timer pops, -terminate_rport_io is called and upper layer is about to -free various resources. Terminate_rport_io trigger qla to do -the final cleanup, but the cleanup might not be fast enough where it -leave qla still holding on to the same resource. - -Wait for IO's to return to upper layer before resources are freed. - -Cc: stable@vger.kernel.org -Signed-off-by: Quinn Tran -Signed-off-by: Nilesh Javali -Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com -Reviewed-by: Himanshu Madhani -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - ---- a/drivers/scsi/qla2xxx/qla_attr.c -+++ b/drivers/scsi/qla2xxx/qla_attr.c -@@ -1800,6 +1800,7 @@ static void - qla2x00_terminate_rport_io(struct fc_rport *rport) - { - fc_port_t *fcport = *(fc_port_t **)rport->dd_data; -+ scsi_qla_host_t *vha; - - if (!fcport) - return; -@@ -1809,9 +1810,12 @@ qla2x00_terminate_rport_io(struct fc_rpo - - if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags)) - return; -+ vha = fcport->vha; - - if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) { - qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16); -+ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, -+ 0, WAIT_TARGET); - return; - } - /* -@@ -1826,6 +1830,15 @@ qla2x00_terminate_rport_io(struct fc_rpo - else - qla2x00_port_logout(fcport->vha, fcport); - } -+ -+ /* check for any straggling io left behind */ -+ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) { -+ ql_log(ql_log_warn, vha, 0x300b, -+ "IO not return. Resetting. \n"); -+ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); -+ qla2xxx_wake_dpc(vha); -+ qla2x00_wait_for_chip_reset(vha); -+ } - } - - static int diff --git a/queue-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch b/queue-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch deleted file mode 100644 index 520d8f9c9d2..00000000000 --- a/queue-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 046a3289610ded808adcf4dea37c0170b26f779e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Jun 2023 12:03:40 +0000 -Subject: sctp: fix potential deadlock on &net->sctp.addr_wq_lock - -From: Chengfeng Ye - -[ Upstream commit 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a ] - -As &net->sctp.addr_wq_lock is also acquired by the timer -sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition -at sctp_auto_asconf_init() seems should disable irq since it is called -from sctp_accept() under process context. - -Possible deadlock scenario: -sctp_accept() - -> sctp_sock_migrate() - -> sctp_auto_asconf_init() - -> spin_lock(&net->sctp.addr_wq_lock) - - -> sctp_addr_wq_timeout_handler() - -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here) - -This flaw was found using an experimental static analysis tool we are -developing for irq-related deadlock. - -The tentative patch fix the potential deadlock by spin_lock_bh(). - -Signed-off-by: Chengfeng Ye -Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr") -Acked-by: Xin Long -Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sctp/socket.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/sctp/socket.c b/net/sctp/socket.c -index a68f3d6b72335..baa825751c393 100644 ---- a/net/sctp/socket.c -+++ b/net/sctp/socket.c -@@ -380,9 +380,9 @@ static void sctp_auto_asconf_init(struct sctp_sock *sp) - struct net *net = sock_net(&sp->inet.sk); - - if (net->sctp.default_auto_asconf) { -- spin_lock(&net->sctp.addr_wq_lock); -+ spin_lock_bh(&net->sctp.addr_wq_lock); - list_add_tail(&sp->auto_asconf_list, &net->sctp.auto_asconf_splist); -- spin_unlock(&net->sctp.addr_wq_lock); -+ spin_unlock_bh(&net->sctp.addr_wq_lock); - sp->do_auto_asconf = 1; - } - } --- -2.39.2 - diff --git a/queue-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch b/queue-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch deleted file mode 100644 index 039f8368a29..00000000000 --- a/queue-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Mon, 19 Jun 2023 12:45:17 +0300 -Subject: serial: atmel: don't enable IRQs prematurely - -From: Dan Carpenter - -commit 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 upstream. - -The atmel_complete_tx_dma() function disables IRQs at the start -of the function by calling spin_lock_irqsave(&port->lock, flags); -There is no need to disable them a second time using the -spin_lock_irq() function and, in fact, doing so is a bug because -it will enable IRQs prematurely when we call spin_unlock_irq(). - -Just use spin_lock/unlock() instead without disabling or enabling -IRQs. - -Fixes: 08f738be88bb ("serial: at91: add tx dma support") -Signed-off-by: Dan Carpenter -Reviewed-by: Jiri Slaby -Acked-by: Richard Genoud -Link: https://lore.kernel.org/r/cb7c39a9-c004-4673-92e1-be4e34b85368@moroto.mountain -Cc: stable -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/atmel_serial.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/tty/serial/atmel_serial.c -+++ b/drivers/tty/serial/atmel_serial.c -@@ -791,11 +791,11 @@ static void atmel_complete_tx_dma(void * - - port->icount.tx += atmel_port->tx_len; - -- spin_lock_irq(&atmel_port->lock_tx); -+ spin_lock(&atmel_port->lock_tx); - async_tx_ack(atmel_port->desc_tx); - atmel_port->cookie_tx = -EINVAL; - atmel_port->desc_tx = NULL; -- spin_unlock_irq(&atmel_port->lock_tx); -+ spin_unlock(&atmel_port->lock_tx); - - if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS) - uart_write_wakeup(port); diff --git a/queue-4.19/series b/queue-4.19/series index 1227dca86ae..4c68ef4f295 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,220 +1,3 @@ -gfs2-don-t-deref-jdesc-in-evict.patch x86-microcode-amd-load-late-on-both-threads-too.patch -x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch -video-imsttfb-check-for-ioremap-failures.patch -fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch -drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch -scripts-tags.sh-resolve-gtags-empty-index-generation.patch -drm-amdgpu-validate-vm-ioctl-flags.patch -treewide-remove-uninitialized_var-usage.patch -md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch -md-raid10-fix-overflow-of-md-safe_mode_delay.patch -md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch -md-raid10-fix-io-loss-while-replacement-replace-rdev.patch -irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch -irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch -clocksource-drivers-unify-the-names-to-timer-format.patch -clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch -clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch -pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch -arm-9303-1-kprobes-avoid-missing-declaration-warning.patch -evm-complete-description-of-evm_inode_setattr.patch -wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch -wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch -samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch -wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch -nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch -nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch -wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch -wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch -wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch -wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch -wl3501_cs-remove-unnecessary-null-check.patch -wl3501_cs-fix-misspelling-and-provide-missing-docume.patch -net-create-netdev-dev_addr-assignment-helpers.patch -wl3501_cs-use-eth_hw_addr_set.patch -wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch -wifi-ray_cs-utilize-strnlen-in-parse_addr.patch -wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch -wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch -wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch -wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch -watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch -watchdog-perf-more-properly-prevent-false-positives-.patch -kexec-fix-a-memory-leak-in-crash_shrink_memory.patch -memstick-r592-make-memstick_debug_get_tpc_name-stati.patch -wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch -wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch -netlink-fix-potential-deadlock-in-netlink_set_err.patch -netlink-do-not-hard-code-device-address-lenth-in-fdb.patch -gtp-fix-use-after-free-in-__gtp_encap_destroy.patch -lib-ts_bm-reset-initial-match-offset-for-every-block.patch -netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch -ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch -netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch -radeon-avoid-double-free-in-ci_dpm_init.patch -input-drv260x-sleep-between-polling-go-bit.patch -arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch -input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch -drm-panel-simple-fix-active-size-for-ampire-am-48027.patch -arm-ep93xx-fix-missing-prototype-warnings.patch -asoc-es8316-increment-max-value-for-alc-capture-targ.patch -soc-fsl-qe-fix-usb.c-build-errors.patch -ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch -arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch -fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch -drm-radeon-fix-possible-division-by-zero-errors.patch -alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch -scsi-3w-xxxx-add-error-handling-for-initialization-f.patch -pci-add-pci_clear_master-stub-for-non-config_pci.patch -pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch -perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch -pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch -hwrng-virtio-add-an-internal-buffer.patch -hwrng-virtio-don-t-wait-on-cleanup.patch -hwrng-virtio-don-t-waste-entropy.patch -hwrng-virtio-always-add-a-pending-request.patch -hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch -crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch -modpost-fix-section-mismatch-message-for-r_arm_abs32.patch -modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch -arcv2-entry-comments-about-hardware-auto-save-on-tak.patch -arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch -arcv2-entry-avoid-a-branch.patch -arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch -arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch -usb-serial-option-add-lara-r6-01b-pids.patch -block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch -w1-fix-loop-in-w1_fini.patch -sh-j2-use-ioremap-to-translate-device-tree-address-i.patch -media-usb-check-az6007_read-return-value.patch -media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch -media-usb-siano-fix-warning-due-to-null-work_func_t-.patch -extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch -extcon-fix-kernel-doc-of-property-capability-fields-.patch -usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch -mfd-rt5033-drop-rt5033-battery-sub-device.patch -kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch -mfd-intel-lpss-add-missing-check-for-platform_get_re.patch -mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch -rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch -sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch -add-module_firmware-for-firmware_tg357766.patch -spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch -mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch -f2fs-fix-error-path-handling-in-truncate_dnode.patch -powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch -net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch -tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch -net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch -sh-dma-fix-dma-channel-offset-calculation.patch -i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch -i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch -alsa-jack-fix-mutex-call-in-snd_jack_report.patch -nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch -mmc-core-disable-trim-on-kingston-emmc04g-m627.patch -mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch -bcache-remove-unnecessary-null-point-check-in-node-allocations.patch -integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch -jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch -btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch -arm-orion5x-fix-d2net-gpio-initialization.patch -spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch -spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch -spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch -netfilter-nf_tables-fix-nat-hook-table-deletion.patch -netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch -netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch -netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch -netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch -netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch -netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch -netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch -netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch -netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch -netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch -netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch -net-lan743x-don-t-sleep-in-atomic-context.patch -workqueue-clean-up-work_-constant-types-clarify-masking.patch -net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch -vrf-increment-icmp6inmsgs-on-the-original-netdev.patch -icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch -udp6-fix-udp6_ehashfn-typo.patch -ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch -ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch -ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch -ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch -ntb-ntb_tool-add-check-for-devm_kcalloc.patch -ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch -wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch -net-sched-make-psched_mtu-rtnl-less-safe.patch -pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch -pinctrl-amd-detect-internal-gpio0-debounce-handling.patch -pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch -tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch -net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch -sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch -perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch -ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch -ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch -ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch -jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch -pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch -pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch -pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch -pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch -pci-rockchip-write-pci-device-id-to-correct-register.patch -pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch -pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch -pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch -misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch -misc-pci_endpoint_test-re-init-completion-for-every-test.patch -md-raid0-add-discard-support-for-the-original-layout.patch -fs-dlm-return-positive-pid-value-for-f_getlk.patch -serial-atmel-don-t-enable-irqs-prematurely.patch -hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch -ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch -meson-saradc-fix-clock-divider-mask-length.patch -revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch -tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch -tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch -ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch -xtensa-iss-fix-call-to-split_if_spec.patch -scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch -scsi-qla2xxx-fix-potential-null-pointer-dereference.patch -scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch -scsi-qla2xxx-pointer-may-be-dereferenced.patch -drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch -tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch -perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch -fuse-revalidate-don-t-invalidate-if-interrupted.patch -can-bcm-fix-uaf-in-bcm_proc_show.patch -ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch -debugobjects-recheck-debug_objects_enabled-before-re.patch -nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch -md-fix-data-corruption-for-raid456-when-reshape-rest.patch -md-raid10-prevent-soft-lockup-while-flush-writes.patch -posix-timers-ensure-timer-id-search-loop-limit-is-va.patch -sched-fair-don-t-balance-task-to-its-current-running.patch -bpf-address-kcsan-report-on-bpf_lru_list.patch -wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch -wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch -igb-fix-igb_down-hung-on-surprise-removal.patch -spi-bcm63xx-fix-max-prepend-length.patch -fbdev-imxfb-warn-about-invalid-left-right-margin.patch -pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch -net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch -net-ipv6-check-return-value-of-pskb_trim.patch -revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch -fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch -llc-don-t-drop-packet-from-non-root-netns.patch -netfilter-nf_tables-fix-spurious-set-element-inserti.patch -netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch -net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch -tcp-annotate-data-races-around-tp-linger2.patch -tcp-annotate-data-races-around-rskq_defer_accept.patch -tcp-annotate-data-races-around-tp-notsent_lowat.patch -tcp-annotate-data-races-around-fastopenq.max_qlen.patch -tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch x86-cpu-amd-move-the-errata-checking-functionality-up.patch x86-cpu-amd-add-a-zenbleed-fix.patch diff --git a/queue-4.19/sh-dma-fix-dma-channel-offset-calculation.patch b/queue-4.19/sh-dma-fix-dma-channel-offset-calculation.patch deleted file mode 100644 index 4bbc56d6a09..00000000000 --- a/queue-4.19/sh-dma-fix-dma-channel-offset-calculation.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 19649fbbfd10504ba897ed154b1459a13e5128e6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 27 May 2023 18:44:50 +0200 -Subject: sh: dma: Fix DMA channel offset calculation - -From: Artur Rojek - -[ Upstream commit e82e47584847129a20b8c9f4a1dcde09374fb0e0 ] - -Various SoCs of the SH3, SH4 and SH4A family, which use this driver, -feature a differing number of DMA channels, which can be distributed -between up to two DMAC modules. The existing implementation fails to -correctly accommodate for all those variations, resulting in wrong -channel offset calculations and leading to kernel panics. - -Rewrite dma_base_addr() in order to properly calculate channel offsets -in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that -the correct DMAC module base is selected for the DMAOR register. - -Fixes: 7f47c7189b3e8f19 ("sh: dma: More legacy cpu dma chainsawing.") -Signed-off-by: Artur Rojek -Reviewed-by: Geert Uytterhoeven -Reviewed-by: John Paul Adrian Glaubitz -Link: https://lore.kernel.org/r/20230527164452.64797-2-contact@artur-rojek.eu -Signed-off-by: John Paul Adrian Glaubitz -Signed-off-by: Sasha Levin ---- - arch/sh/drivers/dma/dma-sh.c | 37 +++++++++++++++++++++++------------- - 1 file changed, 24 insertions(+), 13 deletions(-) - -diff --git a/arch/sh/drivers/dma/dma-sh.c b/arch/sh/drivers/dma/dma-sh.c -index afde2a7d3eb35..e0679d8a9b34b 100644 ---- a/arch/sh/drivers/dma/dma-sh.c -+++ b/arch/sh/drivers/dma/dma-sh.c -@@ -21,6 +21,18 @@ - #include - #include - -+/* -+ * Some of the SoCs feature two DMAC modules. In such a case, the channels are -+ * distributed equally among them. -+ */ -+#ifdef SH_DMAC_BASE1 -+#define SH_DMAC_NR_MD_CH (CONFIG_NR_ONCHIP_DMA_CHANNELS / 2) -+#else -+#define SH_DMAC_NR_MD_CH CONFIG_NR_ONCHIP_DMA_CHANNELS -+#endif -+ -+#define SH_DMAC_CH_SZ 0x10 -+ - /* - * Define the default configuration for dual address memory-memory transfer. - * The 0x400 value represents auto-request, external->external. -@@ -32,7 +44,7 @@ static unsigned long dma_find_base(unsigned int chan) - unsigned long base = SH_DMAC_BASE0; - - #ifdef SH_DMAC_BASE1 -- if (chan >= 6) -+ if (chan >= SH_DMAC_NR_MD_CH) - base = SH_DMAC_BASE1; - #endif - -@@ -43,13 +55,13 @@ static unsigned long dma_base_addr(unsigned int chan) - { - unsigned long base = dma_find_base(chan); - -- /* Normalize offset calculation */ -- if (chan >= 9) -- chan -= 6; -- if (chan >= 4) -- base += 0x10; -+ chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ; -+ -+ /* DMAOR is placed inside the channel register space. Step over it. */ -+ if (chan >= DMAOR) -+ base += SH_DMAC_CH_SZ; - -- return base + (chan * 0x10); -+ return base + chan; - } - - #ifdef CONFIG_SH_DMA_IRQ_MULTI -@@ -253,12 +265,11 @@ static int sh_dmac_get_dma_residue(struct dma_channel *chan) - #define NR_DMAOR 1 - #endif - --/* -- * DMAOR bases are broken out amongst channel groups. DMAOR0 manages -- * channels 0 - 5, DMAOR1 6 - 11 (optional). -- */ --#define dmaor_read_reg(n) __raw_readw(dma_find_base((n)*6)) --#define dmaor_write_reg(n, data) __raw_writew(data, dma_find_base(n)*6) -+#define dmaor_read_reg(n) __raw_readw(dma_find_base((n) * \ -+ SH_DMAC_NR_MD_CH) + DMAOR) -+#define dmaor_write_reg(n, data) __raw_writew(data, \ -+ dma_find_base((n) * \ -+ SH_DMAC_NR_MD_CH) + DMAOR) - - static inline int dmaor_reset(int no) - { --- -2.39.2 - diff --git a/queue-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch b/queue-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch deleted file mode 100644 index e74e4ba7c97..00000000000 --- a/queue-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 92844b02e3e40efbd969ec03d51cd1bfd9530cdc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 May 2023 14:57:41 +0200 -Subject: sh: j2: Use ioremap() to translate device tree address into kernel - memory - -From: John Paul Adrian Glaubitz - -[ Upstream commit bc9d1f0cecd2407cfb2364a7d4be2f52d1d46a9d ] - -Addresses the following warning when building j2_defconfig: - -arch/sh/kernel/cpu/sh2/probe.c: In function 'scan_cache': -arch/sh/kernel/cpu/sh2/probe.c:24:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] - 24 | j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node); - | - -Fixes: 5a846abad07f ("sh: add support for J-Core J2 processor") -Reviewed-by: Geert Uytterhoeven -Tested-by: Rob Landley -Signed-off-by: John Paul Adrian Glaubitz -Link: https://lore.kernel.org/r/20230503125746.331835-1-glaubitz@physik.fu-berlin.de -Signed-off-by: John Paul Adrian Glaubitz -Signed-off-by: Sasha Levin ---- - arch/sh/kernel/cpu/sh2/probe.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/sh/kernel/cpu/sh2/probe.c b/arch/sh/kernel/cpu/sh2/probe.c -index a5bd036426789..75dcb1d6bc62f 100644 ---- a/arch/sh/kernel/cpu/sh2/probe.c -+++ b/arch/sh/kernel/cpu/sh2/probe.c -@@ -24,7 +24,7 @@ static int __init scan_cache(unsigned long node, const char *uname, - if (!of_flat_dt_is_compatible(node, "jcore,cache")) - return 0; - -- j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node); -+ j2_ccr_base = ioremap(of_flat_dt_translate_address(node), 4); - - return 1; - } --- -2.39.2 - diff --git a/queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch b/queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch deleted file mode 100644 index 05a3eb69638..00000000000 --- a/queue-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 71e654502cd063aaefe7768e183dbd8e7732fa18 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 21 May 2023 15:52:16 -0700 -Subject: soc/fsl/qe: fix usb.c build errors - -From: Randy Dunlap - -[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ] - -Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set. -This happens when PPC_EP88XC is set, which selects CPM1 & CPM. -When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE -being set. When USB_FSL_QE is set, QE_USB deafults to y, which -causes build errors when QUICC_ENGINE is not set. Making -QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y. - -Fixes these build errors: - -drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set': -usb.c:(.text+0x1e): undefined reference to `qe_immr' -powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr' -powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg' -powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock' -powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock' - -Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing") -Signed-off-by: Randy Dunlap -Reported-by: kernel test robot -Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/ -Suggested-by: Michael Ellerman -Cc: Christophe Leroy -Cc: Leo Li -Cc: Masahiro Yamada -Cc: Nicolas Schier -Cc: Qiang Zhao -Cc: linuxppc-dev -Cc: linux-arm-kernel@lists.infradead.org -Cc: Kumar Gala -Acked-by: Nicolas Schier -Signed-off-by: Li Yang -Signed-off-by: Sasha Levin ---- - drivers/soc/fsl/qe/Kconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig -index fabba17e9d65b..7ec158e2acf91 100644 ---- a/drivers/soc/fsl/qe/Kconfig -+++ b/drivers/soc/fsl/qe/Kconfig -@@ -37,6 +37,7 @@ config QE_TDM - - config QE_USB - bool -+ depends on QUICC_ENGINE - default y if USB_FSL_QE - help - QE USB Controller support --- -2.39.2 - diff --git a/queue-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch b/queue-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch deleted file mode 100644 index 4fa4b5a78a2..00000000000 --- a/queue-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 9edf06e0871337e5889ae663fcedb3b34c2e4225 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 15:43:05 +0200 -Subject: spi: bcm-qspi: return error if neither hif_mspi nor mspi is available - -From: Jonas Gorski - -[ Upstream commit 7c1f23ad34fcdace50275a6aa1e1969b41c6233f ] - -If neither a "hif_mspi" nor "mspi" resource is present, the driver will -just early exit in probe but still return success. Apart from not doing -anything meaningful, this would then also lead to a null pointer access -on removal, as platform_get_drvdata() would return NULL, which it would -then try to dereference when trying to unregister the spi master. - -Fix this by unconditionally calling devm_ioremap_resource(), as it can -handle a NULL res and will then return a viable ERR_PTR() if we get one. - -The "return 0;" was previously a "goto qspi_resource_err;" where then -ret was returned, but since ret was still initialized to 0 at this place -this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix -use-after-free on unbind"). The issue was not introduced by this commit, -only made more obvious. - -Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") -Signed-off-by: Jonas Gorski -Reviewed-by: Kamal Dasu -Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-bcm-qspi.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - -diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c -index 3f291db7b39a0..e3c69b6237708 100644 ---- a/drivers/spi/spi-bcm-qspi.c -+++ b/drivers/spi/spi-bcm-qspi.c -@@ -1255,13 +1255,9 @@ int bcm_qspi_probe(struct platform_device *pdev, - res = platform_get_resource_byname(pdev, IORESOURCE_MEM, - "mspi"); - -- if (res) { -- qspi->base[MSPI] = devm_ioremap_resource(dev, res); -- if (IS_ERR(qspi->base[MSPI])) -- return PTR_ERR(qspi->base[MSPI]); -- } else { -- return 0; -- } -+ qspi->base[MSPI] = devm_ioremap_resource(dev, res); -+ if (IS_ERR(qspi->base[MSPI])) -+ return PTR_ERR(qspi->base[MSPI]); - - res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); - if (res) { --- -2.39.2 - diff --git a/queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch b/queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch deleted file mode 100644 index 6138009c47d..00000000000 --- a/queue-4.19/spi-bcm63xx-fix-max-prepend-length.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 05d73b5b40011e55975b3dbf8e12a4af4bc43847 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 09:14:52 +0200 -Subject: spi: bcm63xx: fix max prepend length - -From: Jonas Gorski - -[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] - -The command word is defined as following: - - /* Command */ - #define SPI_CMD_COMMAND_SHIFT 0 - #define SPI_CMD_DEVICE_ID_SHIFT 4 - #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 - #define SPI_CMD_ONE_BYTE_SHIFT 11 - #define SPI_CMD_ONE_WIRE_SHIFT 12 - -If the prepend byte count field starts at bit 8, and the next defined -bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and -thus the max value is 7, not 15. - -Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") -Signed-off-by: Jonas Gorski -Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/spi/spi-bcm63xx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c -index bfe5754768f97..cc6ec3fb5bfdf 100644 ---- a/drivers/spi/spi-bcm63xx.c -+++ b/drivers/spi/spi-bcm63xx.c -@@ -134,7 +134,7 @@ enum bcm63xx_regs_spi { - SPI_MSG_DATA_SIZE, - }; - --#define BCM63XX_SPI_MAX_PREPEND 15 -+#define BCM63XX_SPI_MAX_PREPEND 7 - - #define BCM63XX_SPI_MAX_CS 8 - #define BCM63XX_SPI_BUS_NUM 0 --- -2.39.2 - diff --git a/queue-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch b/queue-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch deleted file mode 100644 index e408cdd52bc..00000000000 --- a/queue-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch +++ /dev/null @@ -1,72 +0,0 @@ -From a798a7086c38d91d304132c194cff9f02197f5cd Mon Sep 17 00:00:00 2001 -From: Rasmus Villemoes -Date: Wed, 27 Mar 2019 14:30:51 +0000 -Subject: spi: spi-fsl-spi: allow changing bits_per_word while CS is still active - -From: Rasmus Villemoes - -commit a798a7086c38d91d304132c194cff9f02197f5cd upstream. - -Commit c9bfcb315104 (spi_mpc83xx: much improved driver) introduced -logic to ensure bits_per_word and speed_hz stay the same for a series -of spi_transfers with CS active, arguing that - - The current driver may cause glitches on SPI CLK line since one - must disable the SPI controller before changing any HW settings. - -This sounds quite reasonable. So this is a quite naive attempt at -relaxing this sanity checking to only ensure that speed_hz is -constant - in the faint hope that if we do not causes changes to the -clock-related fields of the SPMODE register (DIV16 and PM), those -glitches won't appear. - -The purpose of this change is to allow automatically optimizing large -transfers to use 32 bits-per-word; taking one interrupt for every byte -is extremely slow. - -Signed-off-by: Rasmus Villemoes -Signed-off-by: Mark Brown -Cc: Christophe Leroy -Signed-off-by: Greg Kroah-Hartman ---- - drivers/spi/spi-fsl-spi.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/drivers/spi/spi-fsl-spi.c -+++ b/drivers/spi/spi-fsl-spi.c -@@ -339,7 +339,7 @@ static int fsl_spi_do_one_msg(struct spi - struct spi_transfer *t, *first; - unsigned int cs_change; - const int nsecs = 50; -- int status; -+ int status, last_bpw; - - /* - * In CPU mode, optimize large byte transfers to use larger -@@ -378,21 +378,22 @@ static int fsl_spi_do_one_msg(struct spi - if (cs_change) - first = t; - cs_change = t->cs_change; -- if ((first->bits_per_word != t->bits_per_word) || -- (first->speed_hz != t->speed_hz)) { -+ if (first->speed_hz != t->speed_hz) { - dev_err(&spi->dev, -- "bits_per_word/speed_hz cannot change while CS is active\n"); -+ "speed_hz cannot change while CS is active\n"); - return -EINVAL; - } - } - -+ last_bpw = -1; - cs_change = 1; - status = -EINVAL; - list_for_each_entry(t, &m->transfers, transfer_list) { -- if (cs_change) -+ if (cs_change || last_bpw != t->bits_per_word) - status = fsl_spi_setup_transfer(spi, t); - if (status < 0) - break; -+ last_bpw = t->bits_per_word; - - if (cs_change) { - fsl_spi_chipselect(spi, BITBANG_CS_ACTIVE); diff --git a/queue-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch b/queue-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch deleted file mode 100644 index 0b001f6556d..00000000000 --- a/queue-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 17ecffa289489e8442306bbc62ebb964e235cdad Mon Sep 17 00:00:00 2001 -From: Rasmus Villemoes -Date: Wed, 27 Mar 2019 14:30:51 +0000 -Subject: spi: spi-fsl-spi: relax message sanity checking a little - -From: Rasmus Villemoes - -commit 17ecffa289489e8442306bbc62ebb964e235cdad upstream. - -The comment says that we should not allow changes (to -bits_per_word/speed_hz) while CS is active, and indeed the code below -does fsl_spi_setup_transfer() when the ->cs_change of the previous -spi_transfer was set (and for the very first transfer). - -So the sanity checking is a bit too strict - we can change it to -follow the same logic as is used by the actual transfer loop. - -Signed-off-by: Rasmus Villemoes -Signed-off-by: Mark Brown -Cc: Christophe Leroy -Signed-off-by: Greg Kroah-Hartman ---- - drivers/spi/spi-fsl-spi.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/drivers/spi/spi-fsl-spi.c -+++ b/drivers/spi/spi-fsl-spi.c -@@ -373,13 +373,15 @@ static int fsl_spi_do_one_msg(struct spi - } - - /* Don't allow changes if CS is active */ -- first = list_first_entry(&m->transfers, struct spi_transfer, -- transfer_list); -+ cs_change = 1; - list_for_each_entry(t, &m->transfers, transfer_list) { -+ if (cs_change) -+ first = t; -+ cs_change = t->cs_change; - if ((first->bits_per_word != t->bits_per_word) || - (first->speed_hz != t->speed_hz)) { - dev_err(&spi->dev, -- "bits_per_word/speed_hz should be same for the same SPI transfer\n"); -+ "bits_per_word/speed_hz cannot change while CS is active\n"); - return -EINVAL; - } - } diff --git a/queue-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch b/queue-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch deleted file mode 100644 index 92a1a73ed6e..00000000000 --- a/queue-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 24c363623361b430fb79459ca922e816e6f48603 Mon Sep 17 00:00:00 2001 -From: Rasmus Villemoes -Date: Wed, 27 Mar 2019 14:30:50 +0000 -Subject: spi: spi-fsl-spi: remove always-true conditional in fsl_spi_do_one_msg - -From: Rasmus Villemoes - -commit 24c363623361b430fb79459ca922e816e6f48603 upstream. - -__spi_validate() in the generic SPI code sets ->speed_hz and -->bits_per_word to non-zero values, so this condition is always true. - -Signed-off-by: Rasmus Villemoes -Signed-off-by: Mark Brown -Cc: Christophe Leroy -Signed-off-by: Greg Kroah-Hartman ---- - drivers/spi/spi-fsl-spi.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - ---- a/drivers/spi/spi-fsl-spi.c -+++ b/drivers/spi/spi-fsl-spi.c -@@ -387,12 +387,10 @@ static int fsl_spi_do_one_msg(struct spi - cs_change = 1; - status = -EINVAL; - list_for_each_entry(t, &m->transfers, transfer_list) { -- if (t->bits_per_word || t->speed_hz) { -- if (cs_change) -- status = fsl_spi_setup_transfer(spi, t); -- if (status < 0) -- break; -- } -+ if (cs_change) -+ status = fsl_spi_setup_transfer(spi, t); -+ if (status < 0) -+ break; - - if (cs_change) { - fsl_spi_chipselect(spi, BITBANG_CS_ACTIVE); diff --git a/queue-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/queue-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch deleted file mode 100644 index 7f0f03aa824..00000000000 --- a/queue-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch +++ /dev/null @@ -1,142 +0,0 @@ -From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001 -From: Ding Hui -Date: Mon, 15 May 2023 10:13:07 +0800 -Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() - -From: Ding Hui - -commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. - -After the listener svc_sock is freed, and before invoking svc_tcp_accept() -for the established child sock, there is a window that the newsock -retaining a freed listener svc_sock in sk_user_data which cloning from -parent. In the race window, if data is received on the newsock, we will -observe use-after-free report in svc_tcp_listen_data_ready(). - -Reproduce by two tasks: - -1. while :; do rpc.nfsd 0 ; rpc.nfsd; done -2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done - -KASAN report: - - ================================================================== - BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] - Read of size 8 at addr ffff888139d96228 by task nc/102553 - CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 - Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 - Call Trace: - - dump_stack_lvl+0x33/0x50 - print_address_description.constprop.0+0x27/0x310 - print_report+0x3e/0x70 - kasan_report+0xae/0xe0 - svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] - tcp_data_queue+0x9f4/0x20e0 - tcp_rcv_established+0x666/0x1f60 - tcp_v4_do_rcv+0x51c/0x850 - tcp_v4_rcv+0x23fc/0x2e80 - ip_protocol_deliver_rcu+0x62/0x300 - ip_local_deliver_finish+0x267/0x350 - ip_local_deliver+0x18b/0x2d0 - ip_rcv+0x2fb/0x370 - __netif_receive_skb_one_core+0x166/0x1b0 - process_backlog+0x24c/0x5e0 - __napi_poll+0xa2/0x500 - net_rx_action+0x854/0xc90 - __do_softirq+0x1bb/0x5de - do_softirq+0xcb/0x100 - - - ... - - - Allocated by task 102371: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - __kasan_kmalloc+0x7b/0x90 - svc_setup_socket+0x52/0x4f0 [sunrpc] - svc_addsock+0x20d/0x400 [sunrpc] - __write_ports_addfd+0x209/0x390 [nfsd] - write_ports+0x239/0x2c0 [nfsd] - nfsctl_transaction_write+0xac/0x110 [nfsd] - vfs_write+0x1c3/0xae0 - ksys_write+0xed/0x1c0 - do_syscall_64+0x38/0x90 - entry_SYSCALL_64_after_hwframe+0x72/0xdc - - Freed by task 102551: - kasan_save_stack+0x1e/0x40 - kasan_set_track+0x21/0x30 - kasan_save_free_info+0x2a/0x50 - __kasan_slab_free+0x106/0x190 - __kmem_cache_free+0x133/0x270 - svc_xprt_free+0x1e2/0x350 [sunrpc] - svc_xprt_destroy_all+0x25a/0x440 [sunrpc] - nfsd_put+0x125/0x240 [nfsd] - nfsd_svc+0x2cb/0x3c0 [nfsd] - write_threads+0x1ac/0x2a0 [nfsd] - nfsctl_transaction_write+0xac/0x110 [nfsd] - vfs_write+0x1c3/0xae0 - ksys_write+0xed/0x1c0 - do_syscall_64+0x38/0x90 - entry_SYSCALL_64_after_hwframe+0x72/0xdc - -Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() -if state != TCP_LISTEN, that will avoid dereferencing svsk for all -child socket. - -Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ -Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding") -Signed-off-by: Ding Hui -Cc: -Signed-off-by: Chuck Lever -Signed-off-by: Greg Kroah-Hartman ---- - net/sunrpc/svcsock.c | 27 +++++++++++++-------------- - 1 file changed, 13 insertions(+), 14 deletions(-) - ---- a/net/sunrpc/svcsock.c -+++ b/net/sunrpc/svcsock.c -@@ -757,12 +757,6 @@ static void svc_tcp_listen_data_ready(st - dprintk("svc: socket %p TCP (listen) state change %d\n", - sk, sk->sk_state); - -- if (svsk) { -- /* Refer to svc_setup_socket() for details. */ -- rmb(); -- svsk->sk_odata(sk); -- } -- - /* - * This callback may called twice when a new connection - * is established as a child socket inherits everything -@@ -771,15 +765,20 @@ static void svc_tcp_listen_data_ready(st - * when one of child sockets become ESTABLISHED. - * 2) data_ready method of the child socket may be called - * when it receives data before the socket is accepted. -- * In case of 2, we should ignore it silently. -+ * In case of 2, we should ignore it silently and DO NOT -+ * dereference svsk. - */ -- if (sk->sk_state == TCP_LISTEN) { -- if (svsk) { -- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); -- svc_xprt_enqueue(&svsk->sk_xprt); -- } else -- printk("svc: socket %p: no user data\n", sk); -- } -+ if (sk->sk_state != TCP_LISTEN) -+ return; -+ -+ if (svsk) { -+ /* Refer to svc_setup_socket() for details. */ -+ rmb(); -+ svsk->sk_odata(sk); -+ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); -+ svc_xprt_enqueue(&svsk->sk_xprt); -+ } else -+ printk("svc: socket %p: no user data\n", sk); - } - - /* diff --git a/queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch deleted file mode 100644 index a4b0f0d61b7..00000000000 --- a/queue-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch +++ /dev/null @@ -1,77 +0,0 @@ -From c6189e65ece39fd095d8e0458ccd06c8f3fde811 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:57 +0000 -Subject: tcp: annotate data-races around fastopenq.max_qlen - -From: Eric Dumazet - -[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] - -This field can be read locklessly. - -Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/linux/tcp.h | 2 +- - net/ipv4/tcp.c | 2 +- - net/ipv4/tcp_fastopen.c | 6 ++++-- - 3 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/include/linux/tcp.h b/include/linux/tcp.h -index 621ab5a7fb8fa..0d63a428e6f9c 100644 ---- a/include/linux/tcp.h -+++ b/include/linux/tcp.h -@@ -460,7 +460,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) - struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; - int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); - -- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); -+ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); - } - - static inline void tcp_move_syn(struct tcp_sock *tp, -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 373bf3d3be592..00648a478c6a5 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3554,7 +3554,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, - break; - - case TCP_FASTOPEN: -- val = icsk->icsk_accept_queue.fastopenq.max_qlen; -+ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); - break; - - case TCP_FASTOPEN_CONNECT: -diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c -index f726591de7c7a..f7bb78b443fa9 100644 ---- a/net/ipv4/tcp_fastopen.c -+++ b/net/ipv4/tcp_fastopen.c -@@ -276,6 +276,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk, - static bool tcp_fastopen_queue_check(struct sock *sk) - { - struct fastopen_queue *fastopenq; -+ int max_qlen; - - /* Make sure the listener has enabled fastopen, and we don't - * exceed the max # of pending TFO requests allowed before trying -@@ -288,10 +289,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) - * temporarily vs a server not supporting Fast Open at all. - */ - fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; -- if (fastopenq->max_qlen == 0) -+ max_qlen = READ_ONCE(fastopenq->max_qlen); -+ if (max_qlen == 0) - return false; - -- if (fastopenq->qlen >= fastopenq->max_qlen) { -+ if (fastopenq->qlen >= max_qlen) { - struct request_sock *req1; - spin_lock(&fastopenq->lock); - req1 = fastopenq->rskq_rst_head; --- -2.39.2 - diff --git a/queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch b/queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch deleted file mode 100644 index 1961d19d871..00000000000 --- a/queue-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch +++ /dev/null @@ -1,53 +0,0 @@ -From d86223ba68246e87777a5988576f296dc862d1ff Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:54 +0000 -Subject: tcp: annotate data-races around rskq_defer_accept - -From: Eric Dumazet - -[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] - -do_tcp_getsockopt() reads rskq_defer_accept while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 4711963413a49..853a33bf8863e 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3009,9 +3009,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, - - case TCP_DEFER_ACCEPT: - /* Translate value in seconds to number of retransmits */ -- icsk->icsk_accept_queue.rskq_defer_accept = -- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, -- TCP_RTO_MAX / HZ); -+ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, -+ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, -+ TCP_RTO_MAX / HZ)); - break; - - case TCP_WINDOW_CLAMP: -@@ -3406,8 +3406,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level, - val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; - break; - case TCP_DEFER_ACCEPT: -- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, -- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); -+ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); -+ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, -+ TCP_RTO_MAX / HZ); - break; - case TCP_WINDOW_CLAMP: - val = tp->window_clamp; --- -2.39.2 - diff --git a/queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch b/queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch deleted file mode 100644 index 1e8d8c4071d..00000000000 --- a/queue-4.19/tcp-annotate-data-races-around-tp-linger2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From e94e0409f44504d34b6f41dc533d8c1ae777761e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:53 +0000 -Subject: tcp: annotate data-races around tp->linger2 - -From: Eric Dumazet - -[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] - -do_tcp_getsockopt() reads tp->linger2 while another cpu -might change its value. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 9f3cdcbbb7590..4711963413a49 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3000,11 +3000,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, - - case TCP_LINGER2: - if (val < 0) -- tp->linger2 = -1; -+ WRITE_ONCE(tp->linger2, -1); - else if (val > TCP_FIN_TIMEOUT_MAX / HZ) -- tp->linger2 = TCP_FIN_TIMEOUT_MAX; -+ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); - else -- tp->linger2 = val * HZ; -+ WRITE_ONCE(tp->linger2, val * HZ); - break; - - case TCP_DEFER_ACCEPT: -@@ -3401,7 +3401,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, - val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; - break; - case TCP_LINGER2: -- val = tp->linger2; -+ val = READ_ONCE(tp->linger2); - if (val >= 0) - val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; - break; --- -2.39.2 - diff --git a/queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch deleted file mode 100644 index fb325041f30..00000000000 --- a/queue-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch +++ /dev/null @@ -1,64 +0,0 @@ -From f3ce1b988ff336ba962b41f0b9a23603d714b5de Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 Jul 2023 21:28:55 +0000 -Subject: tcp: annotate data-races around tp->notsent_lowat - -From: Eric Dumazet - -[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] - -tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() -and tcp_poll(). - -Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - include/net/tcp.h | 6 +++++- - net/ipv4/tcp.c | 4 ++-- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/include/net/tcp.h b/include/net/tcp.h -index 22cca858f2678..c6c48409e7b42 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -1883,7 +1883,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); - static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) - { - struct net *net = sock_net((struct sock *)tp); -- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); -+ u32 val; -+ -+ val = READ_ONCE(tp->notsent_lowat); -+ -+ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); - } - - /* @wake is one when sk_stream_write_space() calls us. -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 853a33bf8863e..373bf3d3be592 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3099,7 +3099,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, - err = tcp_repair_set_window(tp, optval, optlen); - break; - case TCP_NOTSENT_LOWAT: -- tp->notsent_lowat = val; -+ WRITE_ONCE(tp->notsent_lowat, val); - sk->sk_write_space(sk); - break; - case TCP_INQ: -@@ -3569,7 +3569,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, - val = tcp_time_stamp_raw() + tp->tsoffset; - break; - case TCP_NOTSENT_LOWAT: -- val = tp->notsent_lowat; -+ val = READ_ONCE(tp->notsent_lowat); - break; - case TCP_INQ: - val = tp->recvmsg_inq; --- -2.39.2 - diff --git a/queue-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch b/queue-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch deleted file mode 100644 index 138e434ac20..00000000000 --- a/queue-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 36d7bf742ab5800923fe42f090516a1a2792401c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Jun 2023 16:41:50 +0000 -Subject: tcp: annotate data races in __tcp_oow_rate_limited() - -From: Eric Dumazet - -[ Upstream commit 998127cdb4699b9d470a9348ffe9f1154346be5f ] - -request sockets are lockless, __tcp_oow_rate_limited() could be called -on the same object from different cpus. This is harmless. - -Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report. - -Fixes: 4ce7e93cb3fe ("tcp: rate limit ACK sent by SYN_RECV request sockets") -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_input.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index bd921fa7b9ab4..281f7799aeafc 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -3429,8 +3429,11 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32 - static bool __tcp_oow_rate_limited(struct net *net, int mib_idx, - u32 *last_oow_ack_time) - { -- if (*last_oow_ack_time) { -- s32 elapsed = (s32)(tcp_jiffies32 - *last_oow_ack_time); -+ /* Paired with the WRITE_ONCE() in this function. */ -+ u32 val = READ_ONCE(*last_oow_ack_time); -+ -+ if (val) { -+ s32 elapsed = (s32)(tcp_jiffies32 - val); - - if (0 <= elapsed && - elapsed < READ_ONCE(net->ipv4.sysctl_tcp_invalid_ratelimit)) { -@@ -3439,7 +3442,10 @@ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx, - } - } - -- *last_oow_ack_time = tcp_jiffies32; -+ /* Paired with the prior READ_ONCE() and with itself, -+ * as we might be lockless. -+ */ -+ WRITE_ONCE(*last_oow_ack_time, tcp_jiffies32); - - return false; /* not rate-limited: go ahead, send dupack now! */ - } --- -2.39.2 - diff --git a/queue-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch b/queue-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch deleted file mode 100644 index 8174771d615..00000000000 --- a/queue-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch +++ /dev/null @@ -1,80 +0,0 @@ -From f4032d615f90970d6c3ac1d9c0bce3351eb4445c Mon Sep 17 00:00:00 2001 -From: Jarkko Sakkinen -Date: Tue, 16 May 2023 01:25:54 +0300 -Subject: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation - -From: Jarkko Sakkinen - -commit f4032d615f90970d6c3ac1d9c0bce3351eb4445c upstream. - -/dev/vtpmx is made visible before 'workqueue' is initialized, which can -lead to a memory corruption in the worst case scenario. - -Address this by initializing 'workqueue' as the very first step of the -driver initialization. - -Cc: stable@vger.kernel.org -Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs") -Reviewed-by: Stefan Berger -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Jarkko Sakkinen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/char/tpm/tpm_vtpm_proxy.c | 30 +++++++----------------------- - 1 file changed, 7 insertions(+), 23 deletions(-) - ---- a/drivers/char/tpm/tpm_vtpm_proxy.c -+++ b/drivers/char/tpm/tpm_vtpm_proxy.c -@@ -700,37 +700,21 @@ static struct miscdevice vtpmx_miscdev = - .fops = &vtpmx_fops, - }; - --static int vtpmx_init(void) --{ -- return misc_register(&vtpmx_miscdev); --} -- --static void vtpmx_cleanup(void) --{ -- misc_deregister(&vtpmx_miscdev); --} -- - static int __init vtpm_module_init(void) - { - int rc; - -- rc = vtpmx_init(); -- if (rc) { -- pr_err("couldn't create vtpmx device\n"); -- return rc; -- } -- - workqueue = create_workqueue("tpm-vtpm"); - if (!workqueue) { - pr_err("couldn't create workqueue\n"); -- rc = -ENOMEM; -- goto err_vtpmx_cleanup; -+ return -ENOMEM; - } - -- return 0; -- --err_vtpmx_cleanup: -- vtpmx_cleanup(); -+ rc = misc_register(&vtpmx_miscdev); -+ if (rc) { -+ pr_err("couldn't create vtpmx device\n"); -+ destroy_workqueue(workqueue); -+ } - - return rc; - } -@@ -738,7 +722,7 @@ err_vtpmx_cleanup: - static void __exit vtpm_module_exit(void) - { - destroy_workqueue(workqueue); -- vtpmx_cleanup(); -+ misc_deregister(&vtpmx_miscdev); - } - - module_init(vtpm_module_init); diff --git a/queue-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch b/queue-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch deleted file mode 100644 index e236b4b7a49..00000000000 --- a/queue-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 Mon Sep 17 00:00:00 2001 -From: Mohamed Khalfella -Date: Wed, 12 Jul 2023 22:30:21 +0000 -Subject: tracing/histograms: Add histograms to hist_vars if they have referenced variables - -From: Mohamed Khalfella - -commit 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 upstream. - -Hist triggers can have referenced variables without having direct -variables fields. This can be the case if referenced variables are added -for trigger actions. In this case the newly added references will not -have field variables. Not taking such referenced variables into -consideration can result in a bug where it would be possible to remove -hist trigger with variables being refenced. This will result in a bug -that is easily reproducable like so - -$ cd /sys/kernel/tracing -$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events -$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger -$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger -$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger - -[ 100.263533] ================================================================== -[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180 -[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439 -[ 100.266320] -[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4 -[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 -[ 100.268561] Call Trace: -[ 100.268902] -[ 100.269189] dump_stack_lvl+0x4c/0x70 -[ 100.269680] print_report+0xc5/0x600 -[ 100.270165] ? resolve_var_refs+0xc7/0x180 -[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0 -[ 100.271389] ? resolve_var_refs+0xc7/0x180 -[ 100.271913] kasan_report+0xbd/0x100 -[ 100.272380] ? resolve_var_refs+0xc7/0x180 -[ 100.272920] __asan_load8+0x71/0xa0 -[ 100.273377] resolve_var_refs+0xc7/0x180 -[ 100.273888] event_hist_trigger+0x749/0x860 -[ 100.274505] ? kasan_save_stack+0x2a/0x50 -[ 100.275024] ? kasan_set_track+0x29/0x40 -[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10 -[ 100.276138] ? ksys_write+0xd1/0x170 -[ 100.276607] ? do_syscall_64+0x3c/0x90 -[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 -[ 100.277771] ? destroy_hist_data+0x446/0x470 -[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860 -[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10 -[ 100.279627] ? __kasan_check_write+0x18/0x20 -[ 100.280177] ? mutex_unlock+0x85/0xd0 -[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10 -[ 100.281200] ? kfree+0x7b/0x120 -[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0 -[ 100.282197] ? event_trigger_write+0xac/0x100 -[ 100.282764] ? __kasan_slab_free+0x16/0x20 -[ 100.283293] ? __kmem_cache_free+0x153/0x2f0 -[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250 -[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10 -[ 100.285221] ? event_trigger_write+0xbc/0x100 -[ 100.285781] ? __kasan_check_read+0x15/0x20 -[ 100.286321] ? __bitmap_weight+0x66/0xa0 -[ 100.286833] ? _find_next_bit+0x46/0xe0 -[ 100.287334] ? task_mm_cid_work+0x37f/0x450 -[ 100.287872] event_triggers_call+0x84/0x150 -[ 100.288408] trace_event_buffer_commit+0x339/0x430 -[ 100.289073] ? ring_buffer_event_data+0x3f/0x60 -[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0 -[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0 -[ 100.298653] syscall_enter_from_user_mode+0x32/0x40 -[ 100.301808] do_syscall_64+0x1a/0x90 -[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 -[ 100.307775] RIP: 0033:0x7f686c75c1cb -[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48 -[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021 -[ 100.321200] RAX: ffffffffffffffda RBX: 000055f566469ea0 RCX: 00007f686c75c1cb -[ 100.324631] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 000000000000000a -[ 100.328104] RBP: 00007ffc60137ac0 R08: 00007f686c818460 R09: 000000000000000a -[ 100.331509] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009 -[ 100.334992] R13: 0000000000000007 R14: 000000000000000a R15: 0000000000000007 -[ 100.338381] - -We hit the bug because when second hist trigger has was created -has_hist_vars() returned false because hist trigger did not have -variables. As a result of that save_hist_vars() was not called to add -the trigger to trace_array->hist_vars. Later on when we attempted to -remove the first histogram find_any_var_ref() failed to detect it is -being used because it did not find the second trigger in hist_vars list. - -With this change we wait until trigger actions are created so we can take -into consideration if hist trigger has variable references. Also, now we -check the return value of save_hist_vars() and fail trigger creation if -save_hist_vars() fails. - -Link: https://lore.kernel.org/linux-trace-kernel/20230712223021.636335-1-mkhalfella@purestorage.com - -Cc: stable@vger.kernel.org -Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers") -Signed-off-by: Mohamed Khalfella -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_events_hist.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - ---- a/kernel/trace/trace_events_hist.c -+++ b/kernel/trace/trace_events_hist.c -@@ -5787,13 +5787,15 @@ static int event_hist_trigger_func(struc - if (get_named_trigger_data(trigger_data)) - goto enable; - -- if (has_hist_vars(hist_data)) -- save_hist_vars(hist_data); -- - ret = create_actions(hist_data, file); - if (ret) - goto out_unreg; - -+ if (has_hist_vars(hist_data) || hist_data->n_var_refs) { -+ if (save_hist_vars(hist_data)) -+ goto out_unreg; -+ } -+ - ret = tracing_map_init(hist_data->map); - if (ret) - goto out_unreg; diff --git a/queue-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/queue-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch deleted file mode 100644 index 515fff4633c..00000000000 --- a/queue-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001 -From: Mohamed Khalfella -Date: Fri, 14 Jul 2023 20:33:41 +0000 -Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list - -From: Mohamed Khalfella - -commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream. - -Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if -they have referenced variables") added a check to fail histogram creation -if save_hist_vars() failed to add histogram to hist_vars list. But the -commit failed to set ret to failed return code before jumping to -unregister histogram, fix it. - -Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com - -Cc: stable@vger.kernel.org -Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables") -Signed-off-by: Mohamed Khalfella -Signed-off-by: Steven Rostedt (Google) -Signed-off-by: Greg Kroah-Hartman ---- - kernel/trace/trace_events_hist.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/kernel/trace/trace_events_hist.c -+++ b/kernel/trace/trace_events_hist.c -@@ -5792,7 +5792,8 @@ static int event_hist_trigger_func(struc - goto out_unreg; - - if (has_hist_vars(hist_data) || hist_data->n_var_refs) { -- if (save_hist_vars(hist_data)) -+ ret = save_hist_vars(hist_data); -+ if (ret) - goto out_unreg; - } - diff --git a/queue-4.19/treewide-remove-uninitialized_var-usage.patch b/queue-4.19/treewide-remove-uninitialized_var-usage.patch deleted file mode 100644 index 46b33c4fa46..00000000000 --- a/queue-4.19/treewide-remove-uninitialized_var-usage.patch +++ /dev/null @@ -1,2204 +0,0 @@ -From 0638dcc7e75fbb766761e7b4694d0f0f141bbbd1 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 3 Jun 2020 13:09:38 -0700 -Subject: treewide: Remove uninitialized_var() usage - -From: Kees Cook - -commit 3f649ab728cda8038259d8f14492fe400fbab911 upstream. - -Using uninitialized_var() is dangerous as it papers over real bugs[1] -(or can in the future), and suppresses unrelated compiler warnings -(e.g. "unused variable"). If the compiler thinks it is uninitialized, -either simply initialize the variable or make compiler changes. - -In preparation for removing[2] the[3] macro[4], remove all remaining -needless uses with the following script: - -git grep '\buninitialized_var\b' | cut -d: -f1 | sort -u | \ - xargs perl -pi -e \ - 's/\buninitialized_var\(([^\)]+)\)/\1/g; - s:\s*/\* (GCC be quiet|to make compiler happy) \*/$::g;' - -drivers/video/fbdev/riva/riva_hw.c was manually tweaked to avoid -pathological white-space. - -No outstanding warnings were found building allmodconfig with GCC 9.3.0 -for x86_64, i386, arm64, arm, powerpc, powerpc64le, s390x, mips, sparc64, -alpha, and m68k. - -[1] https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/ -[2] https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/ -[3] https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/ -[4] https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/ - -Reviewed-by: Leon Romanovsky # drivers/infiniband and mlx4/mlx5 -Acked-by: Jason Gunthorpe # IB -Acked-by: Kalle Valo # wireless drivers -Reviewed-by: Chao Yu # erofs -Signed-off-by: Kees Cook -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/mach-sa1100/assabet.c | 2 +- - arch/ia64/kernel/process.c | 2 +- - arch/ia64/mm/discontig.c | 2 +- - arch/ia64/mm/tlb.c | 2 +- - arch/powerpc/platforms/52xx/mpc52xx_pic.c | 2 +- - arch/s390/kernel/smp.c | 2 +- - arch/x86/kernel/quirks.c | 10 +++++----- - drivers/acpi/acpi_pad.c | 2 +- - drivers/ata/libata-scsi.c | 2 +- - drivers/atm/zatm.c | 2 +- - drivers/block/drbd/drbd_nl.c | 6 +++--- - drivers/clk/clk-gate.c | 2 +- - drivers/firewire/ohci.c | 14 +++++++------- - drivers/gpu/drm/bridge/sil-sii8620.c | 2 +- - drivers/gpu/drm/drm_edid.c | 2 +- - drivers/gpu/drm/exynos/exynos_drm_dsi.c | 6 +++--- - drivers/i2c/busses/i2c-rk3x.c | 2 +- - drivers/ide/ide-acpi.c | 2 +- - drivers/ide/ide-atapi.c | 2 +- - drivers/ide/ide-io-std.c | 4 ++-- - drivers/ide/ide-io.c | 8 ++++---- - drivers/ide/ide-sysfs.c | 2 +- - drivers/ide/umc8672.c | 2 +- - drivers/infiniband/core/uverbs_cmd.c | 4 ++-- - drivers/infiniband/hw/cxgb4/cm.c | 2 +- - drivers/infiniband/hw/cxgb4/cq.c | 2 +- - drivers/infiniband/hw/mlx4/qp.c | 6 +++--- - drivers/infiniband/hw/mlx5/cq.c | 2 +- - drivers/infiniband/hw/mthca/mthca_qp.c | 10 +++++----- - drivers/input/serio/serio_raw.c | 2 +- - drivers/md/dm-io.c | 2 +- - drivers/md/dm-ioctl.c | 2 +- - drivers/md/dm-snap-persistent.c | 2 +- - drivers/md/dm-table.c | 2 +- - drivers/md/raid5.c | 2 +- - drivers/media/dvb-frontends/rtl2832.c | 2 +- - drivers/media/tuners/qt1010.c | 4 ++-- - drivers/media/usb/gspca/vicam.c | 2 +- - drivers/media/usb/uvc/uvc_video.c | 8 ++++---- - drivers/memstick/host/jmb38x_ms.c | 2 +- - drivers/memstick/host/tifm_ms.c | 2 +- - drivers/mmc/host/sdhci.c | 2 +- - drivers/mtd/nand/raw/nand_ecc.c | 2 +- - drivers/mtd/nand/raw/s3c2410.c | 2 +- - drivers/mtd/ubi/eba.c | 2 +- - drivers/net/can/janz-ican3.c | 2 +- - drivers/net/ethernet/broadcom/bnx2.c | 4 ++-- - drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 4 ++-- - drivers/net/ethernet/neterion/s2io.c | 2 +- - drivers/net/ethernet/qlogic/qla3xxx.c | 2 +- - drivers/net/ethernet/sun/cassini.c | 2 +- - drivers/net/ethernet/sun/niu.c | 6 +++--- - drivers/net/wan/z85230.c | 2 +- - drivers/net/wireless/ath/ath10k/core.c | 2 +- - drivers/net/wireless/ath/ath6kl/init.c | 2 +- - drivers/net/wireless/ath/ath9k/init.c | 2 +- - drivers/net/wireless/broadcom/b43/debugfs.c | 2 +- - drivers/net/wireless/broadcom/b43/dma.c | 2 +- - drivers/net/wireless/broadcom/b43/lo.c | 2 +- - drivers/net/wireless/broadcom/b43/phy_n.c | 2 +- - drivers/net/wireless/broadcom/b43/xmit.c | 12 ++++++------ - drivers/net/wireless/broadcom/b43legacy/debugfs.c | 2 +- - drivers/net/wireless/broadcom/b43legacy/main.c | 2 +- - drivers/net/wireless/intel/iwlegacy/3945.c | 2 +- - drivers/net/wireless/intel/iwlegacy/4965-mac.c | 2 +- - drivers/platform/x86/hdaps.c | 4 ++-- - drivers/scsi/dc395x.c | 2 +- - drivers/scsi/pm8001/pm8001_hwi.c | 2 +- - drivers/scsi/pm8001/pm80xx_hwi.c | 2 +- - drivers/ssb/driver_chipcommon.c | 4 ++-- - drivers/tty/cyclades.c | 2 +- - drivers/tty/isicom.c | 2 +- - drivers/usb/musb/cppi_dma.c | 2 +- - drivers/usb/storage/sddr55.c | 4 ++-- - drivers/vhost/net.c | 4 ++-- - drivers/video/fbdev/matrox/matroxfb_maven.c | 6 +++--- - drivers/video/fbdev/pm3fb.c | 6 +++--- - drivers/video/fbdev/riva/riva_hw.c | 3 +-- - drivers/virtio/virtio_ring.c | 2 +- - fs/afs/dir.c | 2 +- - fs/afs/security.c | 2 +- - fs/dlm/netlink.c | 2 +- - fs/fat/dir.c | 2 +- - fs/fuse/control.c | 2 +- - fs/fuse/cuse.c | 2 +- - fs/fuse/file.c | 2 +- - fs/gfs2/aops.c | 2 +- - fs/gfs2/bmap.c | 2 +- - fs/hfsplus/unicode.c | 2 +- - fs/isofs/namei.c | 4 ++-- - fs/jffs2/erase.c | 2 +- - fs/nfsd/nfsctl.c | 2 +- - fs/ocfs2/alloc.c | 4 ++-- - fs/ocfs2/dir.c | 14 +++++++------- - fs/ocfs2/extent_map.c | 4 ++-- - fs/ocfs2/namei.c | 2 +- - fs/ocfs2/refcounttree.c | 2 +- - fs/ocfs2/xattr.c | 2 +- - fs/omfs/file.c | 2 +- - fs/overlayfs/copy_up.c | 2 +- - fs/ubifs/commit.c | 6 +++--- - fs/ubifs/dir.c | 2 +- - fs/ubifs/file.c | 4 ++-- - fs/ubifs/journal.c | 2 +- - fs/ubifs/lpt.c | 2 +- - fs/ubifs/tnc.c | 6 +++--- - fs/ubifs/tnc_misc.c | 4 ++-- - fs/udf/balloc.c | 2 +- - fs/xfs/xfs_bmap_util.c | 2 +- - kernel/async.c | 4 ++-- - kernel/audit.c | 2 +- - kernel/dma/debug.c | 2 +- - kernel/events/core.c | 2 +- - kernel/events/uprobes.c | 2 +- - kernel/exit.c | 2 +- - kernel/futex.c | 12 ++++++------ - kernel/locking/lockdep.c | 6 +++--- - kernel/trace/ring_buffer.c | 2 +- - lib/radix-tree.c | 2 +- - mm/frontswap.c | 2 +- - mm/ksm.c | 2 +- - mm/memcontrol.c | 2 +- - mm/mempolicy.c | 4 ++-- - mm/percpu.c | 2 +- - mm/slub.c | 4 ++-- - mm/swap.c | 4 ++-- - net/dccp/options.c | 2 +- - net/ipv4/netfilter/nf_socket_ipv4.c | 6 +++--- - net/ipv6/ip6_flowlabel.c | 2 +- - net/ipv6/netfilter/nf_socket_ipv6.c | 2 +- - net/netfilter/nf_conntrack_ftp.c | 2 +- - net/netfilter/nfnetlink_log.c | 2 +- - net/netfilter/nfnetlink_queue.c | 4 ++-- - net/sched/cls_flow.c | 2 +- - net/sched/sch_cake.c | 2 +- - net/sched/sch_cbq.c | 2 +- - net/sched/sch_fq_codel.c | 2 +- - net/sched/sch_sfq.c | 2 +- - sound/core/control_compat.c | 2 +- - sound/isa/sb/sb16_csp.c | 2 +- - sound/usb/endpoint.c | 2 +- - 141 files changed, 216 insertions(+), 217 deletions(-) - ---- a/arch/arm/mach-sa1100/assabet.c -+++ b/arch/arm/mach-sa1100/assabet.c -@@ -570,7 +570,7 @@ static void __init map_sa1100_gpio_regs( - */ - static void __init get_assabet_scr(void) - { -- unsigned long uninitialized_var(scr), i; -+ unsigned long scr, i; - - GPDR |= 0x3fc; /* Configure GPIO 9:2 as outputs */ - GPSR = 0x3fc; /* Write 0xFF to GPIO 9:2 */ ---- a/arch/ia64/kernel/process.c -+++ b/arch/ia64/kernel/process.c -@@ -444,7 +444,7 @@ static void - do_copy_task_regs (struct task_struct *task, struct unw_frame_info *info, void *arg) - { - unsigned long mask, sp, nat_bits = 0, ar_rnat, urbs_end, cfm; -- unsigned long uninitialized_var(ip); /* GCC be quiet */ -+ unsigned long ip; - elf_greg_t *dst = arg; - struct pt_regs *pt; - char nat; ---- a/arch/ia64/mm/discontig.c -+++ b/arch/ia64/mm/discontig.c -@@ -181,7 +181,7 @@ static void *per_cpu_node_setup(void *cp - void __init setup_per_cpu_areas(void) - { - struct pcpu_alloc_info *ai; -- struct pcpu_group_info *uninitialized_var(gi); -+ struct pcpu_group_info *gi; - unsigned int *cpu_map; - void *base; - unsigned long base_offset; ---- a/arch/ia64/mm/tlb.c -+++ b/arch/ia64/mm/tlb.c -@@ -339,7 +339,7 @@ EXPORT_SYMBOL(flush_tlb_range); - - void ia64_tlb_init(void) - { -- ia64_ptce_info_t uninitialized_var(ptce_info); /* GCC be quiet */ -+ ia64_ptce_info_t ptce_info; - u64 tr_pgbits; - long status; - pal_vm_info_1_u_t vm_info_1; ---- a/arch/powerpc/platforms/52xx/mpc52xx_pic.c -+++ b/arch/powerpc/platforms/52xx/mpc52xx_pic.c -@@ -340,7 +340,7 @@ static int mpc52xx_irqhost_map(struct ir - { - int l1irq; - int l2irq; -- struct irq_chip *uninitialized_var(irqchip); -+ struct irq_chip *irqchip; - void *hndlr; - int type; - u32 reg; ---- a/arch/s390/kernel/smp.c -+++ b/arch/s390/kernel/smp.c -@@ -145,7 +145,7 @@ static int pcpu_sigp_retry(struct pcpu * - - static inline int pcpu_stopped(struct pcpu *pcpu) - { -- u32 uninitialized_var(status); -+ u32 status; - - if (__pcpu_sigp(pcpu->address, SIGP_SENSE, - 0, &status) != SIGP_CC_STATUS_STORED) ---- a/arch/x86/kernel/quirks.c -+++ b/arch/x86/kernel/quirks.c -@@ -96,7 +96,7 @@ static void ich_force_hpet_resume(void) - static void ich_force_enable_hpet(struct pci_dev *dev) - { - u32 val; -- u32 uninitialized_var(rcba); -+ u32 rcba; - int err = 0; - - if (hpet_address || force_hpet_address) -@@ -186,7 +186,7 @@ static void hpet_print_force_info(void) - static void old_ich_force_hpet_resume(void) - { - u32 val; -- u32 uninitialized_var(gen_cntl); -+ u32 gen_cntl; - - if (!force_hpet_address || !cached_dev) - return; -@@ -208,7 +208,7 @@ static void old_ich_force_hpet_resume(vo - static void old_ich_force_enable_hpet(struct pci_dev *dev) - { - u32 val; -- u32 uninitialized_var(gen_cntl); -+ u32 gen_cntl; - - if (hpet_address || force_hpet_address) - return; -@@ -299,7 +299,7 @@ static void vt8237_force_hpet_resume(voi - - static void vt8237_force_enable_hpet(struct pci_dev *dev) - { -- u32 uninitialized_var(val); -+ u32 val; - - if (hpet_address || force_hpet_address) - return; -@@ -430,7 +430,7 @@ static void nvidia_force_hpet_resume(voi - - static void nvidia_force_enable_hpet(struct pci_dev *dev) - { -- u32 uninitialized_var(val); -+ u32 val; - - if (hpet_address || force_hpet_address) - return; ---- a/drivers/acpi/acpi_pad.c -+++ b/drivers/acpi/acpi_pad.c -@@ -95,7 +95,7 @@ static void round_robin_cpu(unsigned int - cpumask_var_t tmp; - int cpu; - unsigned long min_weight = -1; -- unsigned long uninitialized_var(preferred_cpu); -+ unsigned long preferred_cpu; - - if (!alloc_cpumask_var(&tmp, GFP_KERNEL)) - return; ---- a/drivers/ata/libata-scsi.c -+++ b/drivers/ata/libata-scsi.c -@@ -178,7 +178,7 @@ static ssize_t ata_scsi_park_show(struct - struct ata_link *link; - struct ata_device *dev; - unsigned long now; -- unsigned int uninitialized_var(msecs); -+ unsigned int msecs; - int rc = 0; - - ap = ata_shost_to_port(sdev->host); ---- a/drivers/atm/zatm.c -+++ b/drivers/atm/zatm.c -@@ -939,7 +939,7 @@ static int open_tx_first(struct atm_vcc - vcc->qos.txtp.max_pcr >= ATM_OC3_PCR); - if (unlimited && zatm_dev->ubr != -1) zatm_vcc->shaper = zatm_dev->ubr; - else { -- int uninitialized_var(pcr); -+ int pcr; - - if (unlimited) vcc->qos.txtp.max_sdu = ATM_MAX_AAL5_PDU; - if ((zatm_vcc->shaper = alloc_shaper(vcc->dev,&pcr, ---- a/drivers/block/drbd/drbd_nl.c -+++ b/drivers/block/drbd/drbd_nl.c -@@ -3394,7 +3394,7 @@ int drbd_adm_dump_devices(struct sk_buff - { - struct nlattr *resource_filter; - struct drbd_resource *resource; -- struct drbd_device *uninitialized_var(device); -+ struct drbd_device *device; - int minor, err, retcode; - struct drbd_genlmsghdr *dh; - struct device_info device_info; -@@ -3483,7 +3483,7 @@ int drbd_adm_dump_connections(struct sk_ - { - struct nlattr *resource_filter; - struct drbd_resource *resource = NULL, *next_resource; -- struct drbd_connection *uninitialized_var(connection); -+ struct drbd_connection *connection; - int err = 0, retcode; - struct drbd_genlmsghdr *dh; - struct connection_info connection_info; -@@ -3645,7 +3645,7 @@ int drbd_adm_dump_peer_devices(struct sk - { - struct nlattr *resource_filter; - struct drbd_resource *resource; -- struct drbd_device *uninitialized_var(device); -+ struct drbd_device *device; - struct drbd_peer_device *peer_device = NULL; - int minor, err, retcode; - struct drbd_genlmsghdr *dh; ---- a/drivers/clk/clk-gate.c -+++ b/drivers/clk/clk-gate.c -@@ -43,7 +43,7 @@ static void clk_gate_endisable(struct cl - { - struct clk_gate *gate = to_clk_gate(hw); - int set = gate->flags & CLK_GATE_SET_TO_DISABLE ? 1 : 0; -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - u32 reg; - - set ^= enable; ---- a/drivers/firewire/ohci.c -+++ b/drivers/firewire/ohci.c -@@ -1112,7 +1112,7 @@ static void context_tasklet(unsigned lon - static int context_add_buffer(struct context *ctx) - { - struct descriptor_buffer *desc; -- dma_addr_t uninitialized_var(bus_addr); -+ dma_addr_t bus_addr; - int offset; - - /* -@@ -1302,7 +1302,7 @@ static int at_context_queue_packet(struc - struct fw_packet *packet) - { - struct fw_ohci *ohci = ctx->ohci; -- dma_addr_t d_bus, uninitialized_var(payload_bus); -+ dma_addr_t d_bus, payload_bus; - struct driver_data *driver_data; - struct descriptor *d, *last; - __le32 *header; -@@ -2458,7 +2458,7 @@ static int ohci_set_config_rom(struct fw - { - struct fw_ohci *ohci; - __be32 *next_config_rom; -- dma_addr_t uninitialized_var(next_config_rom_bus); -+ dma_addr_t next_config_rom_bus; - - ohci = fw_ohci(card); - -@@ -2947,10 +2947,10 @@ static struct fw_iso_context *ohci_alloc - int type, int channel, size_t header_size) - { - struct fw_ohci *ohci = fw_ohci(card); -- struct iso_context *uninitialized_var(ctx); -- descriptor_callback_t uninitialized_var(callback); -- u64 *uninitialized_var(channels); -- u32 *uninitialized_var(mask), uninitialized_var(regs); -+ struct iso_context *ctx; -+ descriptor_callback_t callback; -+ u64 *channels; -+ u32 *mask, regs; - int index, ret = -EBUSY; - - spin_lock_irq(&ohci->lock); ---- a/drivers/gpu/drm/bridge/sil-sii8620.c -+++ b/drivers/gpu/drm/bridge/sil-sii8620.c -@@ -988,7 +988,7 @@ static void sii8620_set_auto_zone(struct - - static void sii8620_stop_video(struct sii8620 *ctx) - { -- u8 uninitialized_var(val); -+ u8 val; - - sii8620_write_seq_static(ctx, - REG_TPI_INTR_EN, 0, ---- a/drivers/gpu/drm/drm_edid.c -+++ b/drivers/gpu/drm/drm_edid.c -@@ -2778,7 +2778,7 @@ static int drm_cvt_modes(struct drm_conn - const u8 empty[3] = { 0, 0, 0 }; - - for (i = 0; i < 4; i++) { -- int uninitialized_var(width), height; -+ int width, height; - cvt = &(timing->data.other_data.data.cvt[i]); - - if (!memcmp(cvt->code, empty, 3)) ---- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c -+++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c -@@ -544,9 +544,9 @@ static unsigned long exynos_dsi_pll_find - unsigned long best_freq = 0; - u32 min_delta = 0xffffffff; - u8 p_min, p_max; -- u8 _p, uninitialized_var(best_p); -- u16 _m, uninitialized_var(best_m); -- u8 _s, uninitialized_var(best_s); -+ u8 _p, best_p; -+ u16 _m, best_m; -+ u8 _s, best_s; - - p_min = DIV_ROUND_UP(fin, (12 * MHZ)); - p_max = fin / (6 * MHZ); ---- a/drivers/i2c/busses/i2c-rk3x.c -+++ b/drivers/i2c/busses/i2c-rk3x.c -@@ -421,7 +421,7 @@ static void rk3x_i2c_handle_read(struct - { - unsigned int i; - unsigned int len = i2c->msg->len - i2c->processed; -- u32 uninitialized_var(val); -+ u32 val; - u8 byte; - - /* we only care for MBRF here. */ ---- a/drivers/ide/ide-acpi.c -+++ b/drivers/ide/ide-acpi.c -@@ -180,7 +180,7 @@ err: - static acpi_handle ide_acpi_hwif_get_handle(ide_hwif_t *hwif) - { - struct device *dev = hwif->gendev.parent; -- acpi_handle uninitialized_var(dev_handle); -+ acpi_handle dev_handle; - u64 pcidevfn; - acpi_handle chan_handle; - int err; ---- a/drivers/ide/ide-atapi.c -+++ b/drivers/ide/ide-atapi.c -@@ -591,7 +591,7 @@ static int ide_delayed_transfer_pc(ide_d - - static ide_startstop_t ide_transfer_pc(ide_drive_t *drive) - { -- struct ide_atapi_pc *uninitialized_var(pc); -+ struct ide_atapi_pc *pc; - ide_hwif_t *hwif = drive->hwif; - struct request *rq = hwif->rq; - ide_expiry_t *expiry; ---- a/drivers/ide/ide-io-std.c -+++ b/drivers/ide/ide-io-std.c -@@ -172,7 +172,7 @@ void ide_input_data(ide_drive_t *drive, - u8 mmio = (hwif->host_flags & IDE_HFLAG_MMIO) ? 1 : 0; - - if (io_32bit) { -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - - if ((io_32bit & 2) && !mmio) { - local_irq_save(flags); -@@ -216,7 +216,7 @@ void ide_output_data(ide_drive_t *drive, - u8 mmio = (hwif->host_flags & IDE_HFLAG_MMIO) ? 1 : 0; - - if (io_32bit) { -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - - if ((io_32bit & 2) && !mmio) { - local_irq_save(flags); ---- a/drivers/ide/ide-io.c -+++ b/drivers/ide/ide-io.c -@@ -605,12 +605,12 @@ static int drive_is_ready(ide_drive_t *d - void ide_timer_expiry (struct timer_list *t) - { - ide_hwif_t *hwif = from_timer(hwif, t, timer); -- ide_drive_t *uninitialized_var(drive); -+ ide_drive_t *drive; - ide_handler_t *handler; - unsigned long flags; - int wait = -1; - int plug_device = 0; -- struct request *uninitialized_var(rq_in_flight); -+ struct request *rq_in_flight; - - spin_lock_irqsave(&hwif->lock, flags); - -@@ -763,13 +763,13 @@ irqreturn_t ide_intr (int irq, void *dev - { - ide_hwif_t *hwif = (ide_hwif_t *)dev_id; - struct ide_host *host = hwif->host; -- ide_drive_t *uninitialized_var(drive); -+ ide_drive_t *drive; - ide_handler_t *handler; - unsigned long flags; - ide_startstop_t startstop; - irqreturn_t irq_ret = IRQ_NONE; - int plug_device = 0; -- struct request *uninitialized_var(rq_in_flight); -+ struct request *rq_in_flight; - - if (host->host_flags & IDE_HFLAG_SERIALIZE) { - if (hwif != host->cur_port) ---- a/drivers/ide/ide-sysfs.c -+++ b/drivers/ide/ide-sysfs.c -@@ -131,7 +131,7 @@ static struct device_attribute *ide_port - - int ide_sysfs_register_port(ide_hwif_t *hwif) - { -- int i, uninitialized_var(rc); -+ int i, rc; - - for (i = 0; ide_port_attrs[i]; i++) { - rc = device_create_file(hwif->portdev, ide_port_attrs[i]); ---- a/drivers/ide/umc8672.c -+++ b/drivers/ide/umc8672.c -@@ -107,7 +107,7 @@ static void umc_set_speeds(u8 speeds[]) - static void umc_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive) - { - ide_hwif_t *mate = hwif->mate; -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - const u8 pio = drive->pio_mode - XFER_PIO_0; - - printk("%s: setting umc8672 to PIO mode%d (speed %d)\n", ---- a/drivers/infiniband/core/uverbs_cmd.c -+++ b/drivers/infiniband/core/uverbs_cmd.c -@@ -1726,7 +1726,7 @@ ssize_t ib_uverbs_open_qp(struct ib_uver - struct ib_udata udata; - struct ib_uqp_object *obj; - struct ib_xrcd *xrcd; -- struct ib_uobject *uninitialized_var(xrcd_uobj); -+ struct ib_uobject *xrcd_uobj; - struct ib_qp *qp; - struct ib_qp_open_attr attr; - int ret; -@@ -3694,7 +3694,7 @@ static int __uverbs_create_xsrq(struct i - struct ib_usrq_object *obj; - struct ib_pd *pd; - struct ib_srq *srq; -- struct ib_uobject *uninitialized_var(xrcd_uobj); -+ struct ib_uobject *xrcd_uobj; - struct ib_srq_init_attr attr; - int ret; - struct ib_device *ib_dev; ---- a/drivers/infiniband/hw/cxgb4/cm.c -+++ b/drivers/infiniband/hw/cxgb4/cm.c -@@ -3195,7 +3195,7 @@ static int get_lladdr(struct net_device - - static int pick_local_ip6addrs(struct c4iw_dev *dev, struct iw_cm_id *cm_id) - { -- struct in6_addr uninitialized_var(addr); -+ struct in6_addr addr; - struct sockaddr_in6 *la6 = (struct sockaddr_in6 *)&cm_id->m_local_addr; - struct sockaddr_in6 *ra6 = (struct sockaddr_in6 *)&cm_id->m_remote_addr; - ---- a/drivers/infiniband/hw/cxgb4/cq.c -+++ b/drivers/infiniband/hw/cxgb4/cq.c -@@ -755,7 +755,7 @@ skip_cqe: - static int __c4iw_poll_cq_one(struct c4iw_cq *chp, struct c4iw_qp *qhp, - struct ib_wc *wc, struct c4iw_srq *srq) - { -- struct t4_cqe uninitialized_var(cqe); -+ struct t4_cqe cqe; - struct t4_wq *wq = qhp ? &qhp->wq : NULL; - u32 credit = 0; - u8 cqe_flushed; ---- a/drivers/infiniband/hw/mlx4/qp.c -+++ b/drivers/infiniband/hw/mlx4/qp.c -@@ -3463,11 +3463,11 @@ static int _mlx4_ib_post_send(struct ib_ - int nreq; - int err = 0; - unsigned ind; -- int uninitialized_var(size); -- unsigned uninitialized_var(seglen); -+ int size; -+ unsigned seglen; - __be32 dummy; - __be32 *lso_wqe; -- __be32 uninitialized_var(lso_hdr_sz); -+ __be32 lso_hdr_sz; - __be32 blh; - int i; - struct mlx4_ib_dev *mdev = to_mdev(ibqp->device); ---- a/drivers/infiniband/hw/mlx5/cq.c -+++ b/drivers/infiniband/hw/mlx5/cq.c -@@ -1333,7 +1333,7 @@ int mlx5_ib_resize_cq(struct ib_cq *ibcq - __be64 *pas; - int page_shift; - int inlen; -- int uninitialized_var(cqe_size); -+ int cqe_size; - unsigned long flags; - - if (!MLX5_CAP_GEN(dev->mdev, cq_resize)) { ---- a/drivers/infiniband/hw/mthca/mthca_qp.c -+++ b/drivers/infiniband/hw/mthca/mthca_qp.c -@@ -1630,8 +1630,8 @@ int mthca_tavor_post_send(struct ib_qp * - * without initializing f0 and size0, and they are in fact - * never used uninitialized. - */ -- int uninitialized_var(size0); -- u32 uninitialized_var(f0); -+ int size0; -+ u32 f0; - int ind; - u8 op0 = 0; - -@@ -1831,7 +1831,7 @@ int mthca_tavor_post_receive(struct ib_q - * without initializing size0, and it is in fact never used - * uninitialized. - */ -- int uninitialized_var(size0); -+ int size0; - int ind; - void *wqe; - void *prev_wqe; -@@ -1945,8 +1945,8 @@ int mthca_arbel_post_send(struct ib_qp * - * without initializing f0 and size0, and they are in fact - * never used uninitialized. - */ -- int uninitialized_var(size0); -- u32 uninitialized_var(f0); -+ int size0; -+ u32 f0; - int ind; - u8 op0 = 0; - ---- a/drivers/input/serio/serio_raw.c -+++ b/drivers/input/serio/serio_raw.c -@@ -162,7 +162,7 @@ static ssize_t serio_raw_read(struct fil - { - struct serio_raw_client *client = file->private_data; - struct serio_raw *serio_raw = client->serio_raw; -- char uninitialized_var(c); -+ char c; - ssize_t read = 0; - int error; - ---- a/drivers/md/dm-io.c -+++ b/drivers/md/dm-io.c -@@ -306,7 +306,7 @@ static void do_region(int op, int op_fla - struct request_queue *q = bdev_get_queue(where->bdev); - unsigned short logical_block_size = queue_logical_block_size(q); - sector_t num_sectors; -- unsigned int uninitialized_var(special_cmd_max_sectors); -+ unsigned int special_cmd_max_sectors; - - /* - * Reject unsupported discard and write same requests. ---- a/drivers/md/dm-ioctl.c -+++ b/drivers/md/dm-ioctl.c -@@ -1822,7 +1822,7 @@ static int ctl_ioctl(struct file *file, - int ioctl_flags; - int param_flags; - unsigned int cmd; -- struct dm_ioctl *uninitialized_var(param); -+ struct dm_ioctl *param; - ioctl_fn fn = NULL; - size_t input_param_size; - struct dm_ioctl param_kernel; ---- a/drivers/md/dm-snap-persistent.c -+++ b/drivers/md/dm-snap-persistent.c -@@ -613,7 +613,7 @@ static int persistent_read_metadata(stru - chunk_t old, chunk_t new), - void *callback_context) - { -- int r, uninitialized_var(new_snapshot); -+ int r, new_snapshot; - struct pstore *ps = get_info(store); - - /* ---- a/drivers/md/dm-table.c -+++ b/drivers/md/dm-table.c -@@ -671,7 +671,7 @@ static int validate_hardware_logical_blo - */ - unsigned short remaining = 0; - -- struct dm_target *uninitialized_var(ti); -+ struct dm_target *ti; - struct queue_limits ti_limits; - unsigned i; - ---- a/drivers/md/raid5.c -+++ b/drivers/md/raid5.c -@@ -2603,7 +2603,7 @@ static void raid5_end_write_request(stru - struct stripe_head *sh = bi->bi_private; - struct r5conf *conf = sh->raid_conf; - int disks = sh->disks, i; -- struct md_rdev *uninitialized_var(rdev); -+ struct md_rdev *rdev; - sector_t first_bad; - int bad_sectors; - int replacement = 0; ---- a/drivers/media/dvb-frontends/rtl2832.c -+++ b/drivers/media/dvb-frontends/rtl2832.c -@@ -653,7 +653,7 @@ static int rtl2832_read_status(struct dv - struct i2c_client *client = dev->client; - struct dtv_frontend_properties *c = &fe->dtv_property_cache; - int ret; -- u32 uninitialized_var(tmp); -+ u32 tmp; - u8 u8tmp, buf[2]; - u16 u16tmp; - ---- a/drivers/media/tuners/qt1010.c -+++ b/drivers/media/tuners/qt1010.c -@@ -224,7 +224,7 @@ static int qt1010_set_params(struct dvb_ - static int qt1010_init_meas1(struct qt1010_priv *priv, - u8 oper, u8 reg, u8 reg_init_val, u8 *retval) - { -- u8 i, val1, uninitialized_var(val2); -+ u8 i, val1, val2; - int err; - - qt1010_i2c_oper_t i2c_data[] = { -@@ -259,7 +259,7 @@ static int qt1010_init_meas1(struct qt10 - static int qt1010_init_meas2(struct qt1010_priv *priv, - u8 reg_init_val, u8 *retval) - { -- u8 i, uninitialized_var(val); -+ u8 i, val; - int err; - qt1010_i2c_oper_t i2c_data[] = { - { QT1010_WR, 0x07, reg_init_val }, ---- a/drivers/media/usb/gspca/vicam.c -+++ b/drivers/media/usb/gspca/vicam.c -@@ -234,7 +234,7 @@ static int sd_init(struct gspca_dev *gsp - { - int ret; - const struct ihex_binrec *rec; -- const struct firmware *uninitialized_var(fw); -+ const struct firmware *fw; - u8 *firmware_buf; - - ret = request_ihex_firmware(&fw, VICAM_FIRMWARE, ---- a/drivers/media/usb/uvc/uvc_video.c -+++ b/drivers/media/usb/uvc/uvc_video.c -@@ -802,9 +802,9 @@ static void uvc_video_stats_decode(struc - unsigned int header_size; - bool has_pts = false; - bool has_scr = false; -- u16 uninitialized_var(scr_sof); -- u32 uninitialized_var(scr_stc); -- u32 uninitialized_var(pts); -+ u16 scr_sof; -+ u32 scr_stc; -+ u32 pts; - - if (stream->stats.stream.nb_frames == 0 && - stream->stats.frame.nb_packets == 0) -@@ -1801,7 +1801,7 @@ static int uvc_init_video(struct uvc_str - struct usb_host_endpoint *best_ep = NULL; - unsigned int best_psize = UINT_MAX; - unsigned int bandwidth; -- unsigned int uninitialized_var(altsetting); -+ unsigned int altsetting; - int intfnum = stream->intfnum; - - /* Isochronous endpoint, select the alternate setting. */ ---- a/drivers/memstick/host/jmb38x_ms.c -+++ b/drivers/memstick/host/jmb38x_ms.c -@@ -316,7 +316,7 @@ static int jmb38x_ms_transfer_data(struc - } - - while (length) { -- unsigned int uninitialized_var(p_off); -+ unsigned int p_off; - - if (host->req->long_data) { - pg = nth_page(sg_page(&host->req->sg), ---- a/drivers/memstick/host/tifm_ms.c -+++ b/drivers/memstick/host/tifm_ms.c -@@ -200,7 +200,7 @@ static unsigned int tifm_ms_transfer_dat - host->block_pos); - - while (length) { -- unsigned int uninitialized_var(p_off); -+ unsigned int p_off; - - if (host->req->long_data) { - pg = nth_page(sg_page(&host->req->sg), ---- a/drivers/mmc/host/sdhci.c -+++ b/drivers/mmc/host/sdhci.c -@@ -374,7 +374,7 @@ static void sdhci_read_block_pio(struct - { - unsigned long flags; - size_t blksize, len, chunk; -- u32 uninitialized_var(scratch); -+ u32 scratch; - u8 *buf; - - DBG("PIO reading\n"); ---- a/drivers/mtd/nand/raw/nand_ecc.c -+++ b/drivers/mtd/nand/raw/nand_ecc.c -@@ -144,7 +144,7 @@ void __nand_calculate_ecc(const unsigned - /* rp0..rp15..rp17 are the various accumulated parities (per byte) */ - uint32_t rp0, rp1, rp2, rp3, rp4, rp5, rp6, rp7; - uint32_t rp8, rp9, rp10, rp11, rp12, rp13, rp14, rp15, rp16; -- uint32_t uninitialized_var(rp17); /* to make compiler happy */ -+ uint32_t rp17; - uint32_t par; /* the cumulative parity for all data */ - uint32_t tmppar; /* the cumulative parity for this iteration; - for rp12, rp14 and rp16 at the end of the ---- a/drivers/mtd/nand/raw/s3c2410.c -+++ b/drivers/mtd/nand/raw/s3c2410.c -@@ -304,7 +304,7 @@ static int s3c2410_nand_setrate(struct s - int tacls_max = (info->cpu_type == TYPE_S3C2412) ? 8 : 4; - int tacls, twrph0, twrph1; - unsigned long clkrate = clk_get_rate(info->clk); -- unsigned long uninitialized_var(set), cfg, uninitialized_var(mask); -+ unsigned long set, cfg, mask; - unsigned long flags; - - /* calculate the timing information for the controller */ ---- a/drivers/mtd/ubi/eba.c -+++ b/drivers/mtd/ubi/eba.c -@@ -612,7 +612,7 @@ int ubi_eba_read_leb(struct ubi_device * - int err, pnum, scrub = 0, vol_id = vol->vol_id; - struct ubi_vid_io_buf *vidb; - struct ubi_vid_hdr *vid_hdr; -- uint32_t uninitialized_var(crc); -+ uint32_t crc; - - err = leb_read_lock(ubi, vol_id, lnum); - if (err) ---- a/drivers/net/can/janz-ican3.c -+++ b/drivers/net/can/janz-ican3.c -@@ -1455,7 +1455,7 @@ static int ican3_napi(struct napi_struct - - /* process all communication messages */ - while (true) { -- struct ican3_msg uninitialized_var(msg); -+ struct ican3_msg msg; - ret = ican3_recv_msg(mod, &msg); - if (ret) - break; ---- a/drivers/net/ethernet/broadcom/bnx2.c -+++ b/drivers/net/ethernet/broadcom/bnx2.c -@@ -1461,7 +1461,7 @@ bnx2_test_and_disable_2g5(struct bnx2 *b - static void - bnx2_enable_forced_2g5(struct bnx2 *bp) - { -- u32 uninitialized_var(bmcr); -+ u32 bmcr; - int err; - - if (!(bp->phy_flags & BNX2_PHY_FLAG_2_5G_CAPABLE)) -@@ -1505,7 +1505,7 @@ bnx2_enable_forced_2g5(struct bnx2 *bp) - static void - bnx2_disable_forced_2g5(struct bnx2 *bp) - { -- u32 uninitialized_var(bmcr); -+ u32 bmcr; - int err; - - if (!(bp->phy_flags & BNX2_PHY_FLAG_2_5G_CAPABLE)) ---- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c -+++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c -@@ -471,8 +471,8 @@ void mlx5_core_req_pages_handler(struct - - int mlx5_satisfy_startup_pages(struct mlx5_core_dev *dev, int boot) - { -- u16 uninitialized_var(func_id); -- s32 uninitialized_var(npages); -+ u16 func_id; -+ s32 npages; - int err; - - err = mlx5_cmd_query_pages(dev, &func_id, &npages, boot); ---- a/drivers/net/ethernet/neterion/s2io.c -+++ b/drivers/net/ethernet/neterion/s2io.c -@@ -7291,7 +7291,7 @@ static int rx_osm_handler(struct ring_in - int ring_no = ring_data->ring_no; - u16 l3_csum, l4_csum; - unsigned long long err = rxdp->Control_1 & RXD_T_CODE; -- struct lro *uninitialized_var(lro); -+ struct lro *lro; - u8 err_mask; - struct swStat *swstats = &sp->mac_control.stats_info->sw_stat; - ---- a/drivers/net/ethernet/qlogic/qla3xxx.c -+++ b/drivers/net/ethernet/qlogic/qla3xxx.c -@@ -3771,7 +3771,7 @@ static int ql3xxx_probe(struct pci_dev * - struct net_device *ndev = NULL; - struct ql3_adapter *qdev = NULL; - static int cards_found; -- int uninitialized_var(pci_using_dac), err; -+ int pci_using_dac, err; - - err = pci_enable_device(pdev); - if (err) { ---- a/drivers/net/ethernet/sun/cassini.c -+++ b/drivers/net/ethernet/sun/cassini.c -@@ -2291,7 +2291,7 @@ static int cas_rx_ringN(struct cas *cp, - drops = 0; - while (1) { - struct cas_rx_comp *rxc = rxcs + entry; -- struct sk_buff *uninitialized_var(skb); -+ struct sk_buff *skb; - int type, len; - u64 words[4]; - int i, dring; ---- a/drivers/net/ethernet/sun/niu.c -+++ b/drivers/net/ethernet/sun/niu.c -@@ -429,7 +429,7 @@ static int serdes_init_niu_1g_serdes(str - struct niu_link_config *lp = &np->link_config; - u16 pll_cfg, pll_sts; - int max_retry = 100; -- u64 uninitialized_var(sig), mask, val; -+ u64 sig, mask, val; - u32 tx_cfg, rx_cfg; - unsigned long i; - int err; -@@ -526,7 +526,7 @@ static int serdes_init_niu_10g_serdes(st - struct niu_link_config *lp = &np->link_config; - u32 tx_cfg, rx_cfg, pll_cfg, pll_sts; - int max_retry = 100; -- u64 uninitialized_var(sig), mask, val; -+ u64 sig, mask, val; - unsigned long i; - int err; - -@@ -714,7 +714,7 @@ static int esr_write_glue0(struct niu *n - - static int esr_reset(struct niu *np) - { -- u32 uninitialized_var(reset); -+ u32 reset; - int err; - - err = mdio_write(np, np->port, NIU_ESR_DEV_ADDR, ---- a/drivers/net/wan/z85230.c -+++ b/drivers/net/wan/z85230.c -@@ -705,7 +705,7 @@ EXPORT_SYMBOL(z8530_nop); - irqreturn_t z8530_interrupt(int irq, void *dev_id) - { - struct z8530_dev *dev=dev_id; -- u8 uninitialized_var(intr); -+ u8 intr; - static volatile int locker=0; - int work=0; - struct z8530_irqhandler *irqs; ---- a/drivers/net/wireless/ath/ath10k/core.c -+++ b/drivers/net/wireless/ath/ath10k/core.c -@@ -1891,7 +1891,7 @@ static int ath10k_init_uart(struct ath10 - - static int ath10k_init_hw_params(struct ath10k *ar) - { -- const struct ath10k_hw_params *uninitialized_var(hw_params); -+ const struct ath10k_hw_params *hw_params; - int i; - - for (i = 0; i < ARRAY_SIZE(ath10k_hw_params_list); i++) { ---- a/drivers/net/wireless/ath/ath6kl/init.c -+++ b/drivers/net/wireless/ath/ath6kl/init.c -@@ -1575,7 +1575,7 @@ static int ath6kl_init_upload(struct ath - - int ath6kl_init_hw_params(struct ath6kl *ar) - { -- const struct ath6kl_hw *uninitialized_var(hw); -+ const struct ath6kl_hw *hw; - int i; - - for (i = 0; i < ARRAY_SIZE(hw_list); i++) { ---- a/drivers/net/wireless/ath/ath9k/init.c -+++ b/drivers/net/wireless/ath/ath9k/init.c -@@ -230,7 +230,7 @@ static unsigned int ath9k_reg_rmw(void * - struct ath_hw *ah = hw_priv; - struct ath_common *common = ath9k_hw_common(ah); - struct ath_softc *sc = (struct ath_softc *) common->priv; -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - u32 val; - - if (NR_CPUS > 1 && ah->config.serialize_regmode == SER_REG_MODE_ON) { ---- a/drivers/net/wireless/broadcom/b43/debugfs.c -+++ b/drivers/net/wireless/broadcom/b43/debugfs.c -@@ -506,7 +506,7 @@ static ssize_t b43_debugfs_read(struct f - struct b43_wldev *dev; - struct b43_debugfs_fops *dfops; - struct b43_dfs_file *dfile; -- ssize_t uninitialized_var(ret); -+ ssize_t ret; - char *buf; - const size_t bufsize = 1024 * 16; /* 16 kiB buffer */ - const size_t buforder = get_order(bufsize); ---- a/drivers/net/wireless/broadcom/b43/dma.c -+++ b/drivers/net/wireless/broadcom/b43/dma.c -@@ -50,7 +50,7 @@ - static u32 b43_dma_address(struct b43_dma *dma, dma_addr_t dmaaddr, - enum b43_addrtype addrtype) - { -- u32 uninitialized_var(addr); -+ u32 addr; - - switch (addrtype) { - case B43_DMA_ADDR_LOW: ---- a/drivers/net/wireless/broadcom/b43/lo.c -+++ b/drivers/net/wireless/broadcom/b43/lo.c -@@ -742,7 +742,7 @@ struct b43_lo_calib *b43_calibrate_lo_se - }; - int max_rx_gain; - struct b43_lo_calib *cal; -- struct lo_g_saved_values uninitialized_var(saved_regs); -+ struct lo_g_saved_values saved_regs; - /* Values from the "TXCTL Register and Value Table" */ - u16 txctl_reg; - u16 txctl_value; ---- a/drivers/net/wireless/broadcom/b43/phy_n.c -+++ b/drivers/net/wireless/broadcom/b43/phy_n.c -@@ -5655,7 +5655,7 @@ static int b43_nphy_rev2_cal_rx_iq(struc - u8 rfctl[2]; - u8 afectl_core; - u16 tmp[6]; -- u16 uninitialized_var(cur_hpf1), uninitialized_var(cur_hpf2), cur_lna; -+ u16 cur_hpf1, cur_hpf2, cur_lna; - u32 real, imag; - enum nl80211_band band; - ---- a/drivers/net/wireless/broadcom/b43/xmit.c -+++ b/drivers/net/wireless/broadcom/b43/xmit.c -@@ -435,10 +435,10 @@ int b43_generate_txhdr(struct b43_wldev - if ((rates[0].flags & IEEE80211_TX_RC_USE_RTS_CTS) || - (rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT)) { - unsigned int len; -- struct ieee80211_hdr *uninitialized_var(hdr); -+ struct ieee80211_hdr *hdr; - int rts_rate, rts_rate_fb; - int rts_rate_ofdm, rts_rate_fb_ofdm; -- struct b43_plcp_hdr6 *uninitialized_var(plcp); -+ struct b43_plcp_hdr6 *plcp; - struct ieee80211_rate *rts_cts_rate; - - rts_cts_rate = ieee80211_get_rts_cts_rate(dev->wl->hw, info); -@@ -449,7 +449,7 @@ int b43_generate_txhdr(struct b43_wldev - rts_rate_fb_ofdm = b43_is_ofdm_rate(rts_rate_fb); - - if (rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT) { -- struct ieee80211_cts *uninitialized_var(cts); -+ struct ieee80211_cts *cts; - - switch (dev->fw.hdr_format) { - case B43_FW_HDR_598: -@@ -471,7 +471,7 @@ int b43_generate_txhdr(struct b43_wldev - mac_ctl |= B43_TXH_MAC_SENDCTS; - len = sizeof(struct ieee80211_cts); - } else { -- struct ieee80211_rts *uninitialized_var(rts); -+ struct ieee80211_rts *rts; - - switch (dev->fw.hdr_format) { - case B43_FW_HDR_598: -@@ -663,8 +663,8 @@ void b43_rx(struct b43_wldev *dev, struc - const struct b43_rxhdr_fw4 *rxhdr = _rxhdr; - __le16 fctl; - u16 phystat0, phystat3; -- u16 uninitialized_var(chanstat), uninitialized_var(mactime); -- u32 uninitialized_var(macstat); -+ u16 chanstat, mactime; -+ u32 macstat; - u16 chanid; - int padding, rate_idx; - ---- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c -+++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c -@@ -203,7 +203,7 @@ static ssize_t b43legacy_debugfs_read(st - struct b43legacy_wldev *dev; - struct b43legacy_debugfs_fops *dfops; - struct b43legacy_dfs_file *dfile; -- ssize_t uninitialized_var(ret); -+ ssize_t ret; - char *buf; - const size_t bufsize = 1024 * 16; /* 16 KiB buffer */ - const size_t buforder = get_order(bufsize); ---- a/drivers/net/wireless/broadcom/b43legacy/main.c -+++ b/drivers/net/wireless/broadcom/b43legacy/main.c -@@ -2612,7 +2612,7 @@ static void b43legacy_put_phy_into_reset - static int b43legacy_switch_phymode(struct b43legacy_wl *wl, - unsigned int new_mode) - { -- struct b43legacy_wldev *uninitialized_var(up_dev); -+ struct b43legacy_wldev *up_dev; - struct b43legacy_wldev *down_dev; - int err; - bool gmode = false; ---- a/drivers/net/wireless/intel/iwlegacy/3945.c -+++ b/drivers/net/wireless/intel/iwlegacy/3945.c -@@ -2115,7 +2115,7 @@ il3945_txpower_set_from_eeprom(struct il - - /* set tx power value for all OFDM rates */ - for (rate_idx = 0; rate_idx < IL_OFDM_RATES; rate_idx++) { -- s32 uninitialized_var(power_idx); -+ s32 power_idx; - int rc; - - /* use channel group's clip-power table, ---- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c -+++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c -@@ -2784,7 +2784,7 @@ il4965_hdl_tx(struct il_priv *il, struct - struct ieee80211_tx_info *info; - struct il4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0]; - u32 status = le32_to_cpu(tx_resp->u.status); -- int uninitialized_var(tid); -+ int tid; - int sta_id; - int freed; - u8 *qc = NULL; ---- a/drivers/platform/x86/hdaps.c -+++ b/drivers/platform/x86/hdaps.c -@@ -378,7 +378,7 @@ static ssize_t hdaps_variance_show(struc - static ssize_t hdaps_temp1_show(struct device *dev, - struct device_attribute *attr, char *buf) - { -- u8 uninitialized_var(temp); -+ u8 temp; - int ret; - - ret = hdaps_readb_one(HDAPS_PORT_TEMP1, &temp); -@@ -391,7 +391,7 @@ static ssize_t hdaps_temp1_show(struct d - static ssize_t hdaps_temp2_show(struct device *dev, - struct device_attribute *attr, char *buf) - { -- u8 uninitialized_var(temp); -+ u8 temp; - int ret; - - ret = hdaps_readb_one(HDAPS_PORT_TEMP2, &temp); ---- a/drivers/scsi/dc395x.c -+++ b/drivers/scsi/dc395x.c -@@ -4275,7 +4275,7 @@ static int adapter_sg_tables_alloc(struc - const unsigned srbs_per_page = PAGE_SIZE/SEGMENTX_LEN; - int srb_idx = 0; - unsigned i = 0; -- struct SGentry *uninitialized_var(ptr); -+ struct SGentry *ptr; - - for (i = 0; i < DC395x_MAX_SRB_CNT; i++) - acb->srb_array[i].segment_x = NULL; ---- a/drivers/scsi/pm8001/pm8001_hwi.c -+++ b/drivers/scsi/pm8001/pm8001_hwi.c -@@ -4174,7 +4174,7 @@ static int process_oq(struct pm8001_hba_ - { - struct outbound_queue_table *circularQ; - void *pMsg1 = NULL; -- u8 uninitialized_var(bc); -+ u8 bc; - u32 ret = MPI_IO_STATUS_FAIL; - unsigned long flags; - ---- a/drivers/scsi/pm8001/pm80xx_hwi.c -+++ b/drivers/scsi/pm8001/pm80xx_hwi.c -@@ -3811,7 +3811,7 @@ static int process_oq(struct pm8001_hba_ - { - struct outbound_queue_table *circularQ; - void *pMsg1 = NULL; -- u8 uninitialized_var(bc); -+ u8 bc; - u32 ret = MPI_IO_STATUS_FAIL; - unsigned long flags; - u32 regval; ---- a/drivers/ssb/driver_chipcommon.c -+++ b/drivers/ssb/driver_chipcommon.c -@@ -119,7 +119,7 @@ void ssb_chipco_set_clockmode(struct ssb - static enum ssb_clksrc chipco_pctl_get_slowclksrc(struct ssb_chipcommon *cc) - { - struct ssb_bus *bus = cc->dev->bus; -- u32 uninitialized_var(tmp); -+ u32 tmp; - - if (cc->dev->id.revision < 6) { - if (bus->bustype == SSB_BUSTYPE_SSB || -@@ -149,7 +149,7 @@ static enum ssb_clksrc chipco_pctl_get_s - /* Get maximum or minimum (depending on get_max flag) slowclock frequency. */ - static int chipco_pctl_clockfreqlimit(struct ssb_chipcommon *cc, int get_max) - { -- int uninitialized_var(limit); -+ int limit; - enum ssb_clksrc clocksrc; - int divisor = 1; - u32 tmp; ---- a/drivers/tty/cyclades.c -+++ b/drivers/tty/cyclades.c -@@ -3648,7 +3648,7 @@ static int cy_pci_probe(struct pci_dev * - struct cyclades_card *card; - void __iomem *addr0 = NULL, *addr2 = NULL; - char *card_name = NULL; -- u32 uninitialized_var(mailbox); -+ u32 mailbox; - unsigned int device_id, nchan = 0, card_no, i, j; - unsigned char plx_ver; - int retval, irq; ---- a/drivers/tty/isicom.c -+++ b/drivers/tty/isicom.c -@@ -1537,7 +1537,7 @@ static unsigned int card_count; - static int isicom_probe(struct pci_dev *pdev, - const struct pci_device_id *ent) - { -- unsigned int uninitialized_var(signature), index; -+ unsigned int signature, index; - int retval = -EPERM; - struct isi_board *board = NULL; - ---- a/drivers/usb/musb/cppi_dma.c -+++ b/drivers/usb/musb/cppi_dma.c -@@ -1146,7 +1146,7 @@ irqreturn_t cppi_interrupt(int irq, void - struct musb_hw_ep *hw_ep = NULL; - u32 rx, tx; - int i, index; -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - - cppi = container_of(musb->dma_controller, struct cppi, controller); - if (cppi->irq) ---- a/drivers/usb/storage/sddr55.c -+++ b/drivers/usb/storage/sddr55.c -@@ -553,8 +553,8 @@ static int sddr55_reset(struct us_data * - - static unsigned long sddr55_get_capacity(struct us_data *us) { - -- unsigned char uninitialized_var(manufacturerID); -- unsigned char uninitialized_var(deviceID); -+ unsigned char manufacturerID; -+ unsigned char deviceID; - int result; - struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra; - ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -828,7 +828,7 @@ static int get_rx_bufs(struct vhost_virt - /* len is always initialized before use since we are always called with - * datalen > 0. - */ -- u32 uninitialized_var(len); -+ u32 len; - - while (datalen > 0 && headcount < quota) { - if (unlikely(seg >= UIO_MAXIOV)) { -@@ -885,7 +885,7 @@ static void handle_rx(struct vhost_net * - { - struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX]; - struct vhost_virtqueue *vq = &nvq->vq; -- unsigned uninitialized_var(in), log; -+ unsigned in, log; - struct vhost_log *vq_log; - struct msghdr msg = { - .msg_name = NULL, ---- a/drivers/video/fbdev/matrox/matroxfb_maven.c -+++ b/drivers/video/fbdev/matrox/matroxfb_maven.c -@@ -299,7 +299,7 @@ static int matroxfb_mavenclock(const str - unsigned int* in, unsigned int* feed, unsigned int* post, - unsigned int* htotal2) { - unsigned int fvco; -- unsigned int uninitialized_var(p); -+ unsigned int p; - - fvco = matroxfb_PLL_mavenclock(&maven1000_pll, ctl, htotal, vtotal, in, feed, &p, htotal2); - if (!fvco) -@@ -731,8 +731,8 @@ static int maven_find_exact_clocks(unsig - - for (x = 0; x < 8; x++) { - unsigned int c; -- unsigned int uninitialized_var(a), uninitialized_var(b), -- uninitialized_var(h2); -+ unsigned int a, b, -+ h2; - unsigned int h = ht + 2 + x; - - if (!matroxfb_mavenclock((m->mode == MATROXFB_OUTPUT_MODE_PAL) ? &maven_PAL : &maven_NTSC, h, vt, &a, &b, &c, &h2)) { ---- a/drivers/video/fbdev/pm3fb.c -+++ b/drivers/video/fbdev/pm3fb.c -@@ -821,9 +821,9 @@ static void pm3fb_write_mode(struct fb_i - - wmb(); - { -- unsigned char uninitialized_var(m); /* ClkPreScale */ -- unsigned char uninitialized_var(n); /* ClkFeedBackScale */ -- unsigned char uninitialized_var(p); /* ClkPostScale */ -+ unsigned char m; /* ClkPreScale */ -+ unsigned char n; /* ClkFeedBackScale */ -+ unsigned char p; /* ClkPostScale */ - unsigned long pixclock = PICOS2KHZ(info->var.pixclock); - - (void)pm3fb_calculate_clock(pixclock, &m, &n, &p); ---- a/drivers/video/fbdev/riva/riva_hw.c -+++ b/drivers/video/fbdev/riva/riva_hw.c -@@ -1245,8 +1245,7 @@ int CalcStateExt - ) - { - int pixelDepth; -- int uninitialized_var(VClk),uninitialized_var(m), -- uninitialized_var(n), uninitialized_var(p); -+ int VClk, m, n, p; - - /* - * Save mode parameters. ---- a/drivers/virtio/virtio_ring.c -+++ b/drivers/virtio/virtio_ring.c -@@ -268,7 +268,7 @@ static inline int virtqueue_add(struct v - struct vring_virtqueue *vq = to_vvq(_vq); - struct scatterlist *sg; - struct vring_desc *desc; -- unsigned int i, n, avail, descs_used, uninitialized_var(prev), err_idx; -+ unsigned int i, n, avail, descs_used, prev, err_idx; - int head; - bool indirect; - ---- a/fs/afs/dir.c -+++ b/fs/afs/dir.c -@@ -887,7 +887,7 @@ static struct dentry *afs_lookup(struct - static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) - { - struct afs_vnode *vnode, *dir; -- struct afs_fid uninitialized_var(fid); -+ struct afs_fid fid; - struct dentry *parent; - struct inode *inode; - struct key *key; ---- a/fs/afs/security.c -+++ b/fs/afs/security.c -@@ -340,7 +340,7 @@ int afs_check_permit(struct afs_vnode *v - int afs_permission(struct inode *inode, int mask) - { - struct afs_vnode *vnode = AFS_FS_I(inode); -- afs_access_t uninitialized_var(access); -+ afs_access_t access; - struct key *key; - int ret; - ---- a/fs/dlm/netlink.c -+++ b/fs/dlm/netlink.c -@@ -115,7 +115,7 @@ static void fill_data(struct dlm_lock_da - - void dlm_timeout_warn(struct dlm_lkb *lkb) - { -- struct sk_buff *uninitialized_var(send_skb); -+ struct sk_buff *send_skb; - struct dlm_lock_data *data; - size_t size; - int rv; ---- a/fs/fat/dir.c -+++ b/fs/fat/dir.c -@@ -1287,7 +1287,7 @@ int fat_add_entries(struct inode *dir, v - struct super_block *sb = dir->i_sb; - struct msdos_sb_info *sbi = MSDOS_SB(sb); - struct buffer_head *bh, *prev, *bhs[3]; /* 32*slots (672bytes) */ -- struct msdos_dir_entry *uninitialized_var(de); -+ struct msdos_dir_entry *de; - int err, free_slots, i, nr_bhs; - loff_t pos, i_pos; - ---- a/fs/fuse/control.c -+++ b/fs/fuse/control.c -@@ -117,7 +117,7 @@ static ssize_t fuse_conn_max_background_ - const char __user *buf, - size_t count, loff_t *ppos) - { -- unsigned uninitialized_var(val); -+ unsigned val; - ssize_t ret; - - ret = fuse_conn_limit_write(file, buf, count, ppos, &val, ---- a/fs/fuse/cuse.c -+++ b/fs/fuse/cuse.c -@@ -269,7 +269,7 @@ static int cuse_parse_one(char **pp, cha - static int cuse_parse_devinfo(char *p, size_t len, struct cuse_devinfo *devinfo) - { - char *end = p + len; -- char *uninitialized_var(key), *uninitialized_var(val); -+ char *key, *val; - int rc; - - while (true) { ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -2774,7 +2774,7 @@ static void fuse_register_polled_file(st - { - spin_lock(&fc->lock); - if (RB_EMPTY_NODE(&ff->polled_node)) { -- struct rb_node **link, *uninitialized_var(parent); -+ struct rb_node **link, *parent; - - link = fuse_find_polled_node(fc, ff->kh, &parent); - BUG_ON(*link); ---- a/fs/gfs2/aops.c -+++ b/fs/gfs2/aops.c -@@ -359,7 +359,7 @@ static int gfs2_write_cache_jdata(struct - int done = 0; - struct pagevec pvec; - int nr_pages; -- pgoff_t uninitialized_var(writeback_index); -+ pgoff_t writeback_index; - pgoff_t index; - pgoff_t end; - pgoff_t done_index; ---- a/fs/gfs2/bmap.c -+++ b/fs/gfs2/bmap.c -@@ -1754,7 +1754,7 @@ static int punch_hole(struct gfs2_inode - u64 lblock = (offset + (1 << bsize_shift) - 1) >> bsize_shift; - __u16 start_list[GFS2_MAX_META_HEIGHT]; - __u16 __end_list[GFS2_MAX_META_HEIGHT], *end_list = NULL; -- unsigned int start_aligned, uninitialized_var(end_aligned); -+ unsigned int start_aligned, end_aligned; - unsigned int strip_h = ip->i_height - 1; - u32 btotal = 0; - int ret, state; ---- a/fs/hfsplus/unicode.c -+++ b/fs/hfsplus/unicode.c -@@ -398,7 +398,7 @@ int hfsplus_hash_dentry(const struct den - astr = str->name; - len = str->len; - while (len > 0) { -- int uninitialized_var(dsize); -+ int dsize; - size = asc2unichar(sb, astr, len, &c); - astr += size; - len -= size; ---- a/fs/isofs/namei.c -+++ b/fs/isofs/namei.c -@@ -153,8 +153,8 @@ isofs_find_entry(struct inode *dir, stru - struct dentry *isofs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) - { - int found; -- unsigned long uninitialized_var(block); -- unsigned long uninitialized_var(offset); -+ unsigned long block; -+ unsigned long offset; - struct inode *inode; - struct page *page; - ---- a/fs/jffs2/erase.c -+++ b/fs/jffs2/erase.c -@@ -401,7 +401,7 @@ static void jffs2_mark_erased_block(stru - { - size_t retlen; - int ret; -- uint32_t uninitialized_var(bad_offset); -+ uint32_t bad_offset; - - switch (jffs2_block_check_erase(c, jeb, &bad_offset)) { - case -EAGAIN: goto refile; ---- a/fs/nfsd/nfsctl.c -+++ b/fs/nfsd/nfsctl.c -@@ -347,7 +347,7 @@ static ssize_t write_unlock_fs(struct fi - static ssize_t write_filehandle(struct file *file, char *buf, size_t size) - { - char *dname, *path; -- int uninitialized_var(maxsize); -+ int maxsize; - char *mesg = buf; - int len; - struct auth_domain *dom; ---- a/fs/ocfs2/alloc.c -+++ b/fs/ocfs2/alloc.c -@@ -4722,7 +4722,7 @@ int ocfs2_insert_extent(handle_t *handle - struct ocfs2_alloc_context *meta_ac) - { - int status; -- int uninitialized_var(free_records); -+ int free_records; - struct buffer_head *last_eb_bh = NULL; - struct ocfs2_insert_type insert = {0, }; - struct ocfs2_extent_rec rec; -@@ -7052,7 +7052,7 @@ int ocfs2_convert_inline_data_to_extents - int need_free = 0; - u32 bit_off, num; - handle_t *handle; -- u64 uninitialized_var(block); -+ u64 block; - struct ocfs2_inode_info *oi = OCFS2_I(inode); - struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); - struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; ---- a/fs/ocfs2/dir.c -+++ b/fs/ocfs2/dir.c -@@ -866,9 +866,9 @@ static int ocfs2_dx_dir_lookup(struct in - u64 *ret_phys_blkno) - { - int ret = 0; -- unsigned int cend, uninitialized_var(clen); -- u32 uninitialized_var(cpos); -- u64 uninitialized_var(blkno); -+ unsigned int cend, clen; -+ u32 cpos; -+ u64 blkno; - u32 name_hash = hinfo->major_hash; - - ret = ocfs2_dx_dir_lookup_rec(inode, el, name_hash, &cpos, &blkno, -@@ -912,7 +912,7 @@ static int ocfs2_dx_dir_search(const cha - struct ocfs2_dir_lookup_result *res) - { - int ret, i, found; -- u64 uninitialized_var(phys); -+ u64 phys; - struct buffer_head *dx_leaf_bh = NULL; - struct ocfs2_dx_leaf *dx_leaf; - struct ocfs2_dx_entry *dx_entry = NULL; -@@ -4420,9 +4420,9 @@ out: - int ocfs2_dx_dir_truncate(struct inode *dir, struct buffer_head *di_bh) - { - int ret; -- unsigned int uninitialized_var(clen); -- u32 major_hash = UINT_MAX, p_cpos, uninitialized_var(cpos); -- u64 uninitialized_var(blkno); -+ unsigned int clen; -+ u32 major_hash = UINT_MAX, p_cpos, cpos; -+ u64 blkno; - struct ocfs2_super *osb = OCFS2_SB(dir->i_sb); - struct buffer_head *dx_root_bh = NULL; - struct ocfs2_dx_root_block *dx_root; ---- a/fs/ocfs2/extent_map.c -+++ b/fs/ocfs2/extent_map.c -@@ -416,7 +416,7 @@ static int ocfs2_get_clusters_nocache(st - { - int i, ret, tree_height, len; - struct ocfs2_dinode *di; -- struct ocfs2_extent_block *uninitialized_var(eb); -+ struct ocfs2_extent_block *eb; - struct ocfs2_extent_list *el; - struct ocfs2_extent_rec *rec; - struct buffer_head *eb_bh = NULL; -@@ -613,7 +613,7 @@ int ocfs2_get_clusters(struct inode *ino - unsigned int *extent_flags) - { - int ret; -- unsigned int uninitialized_var(hole_len), flags = 0; -+ unsigned int hole_len, flags = 0; - struct buffer_head *di_bh = NULL; - struct ocfs2_extent_rec rec; - ---- a/fs/ocfs2/namei.c -+++ b/fs/ocfs2/namei.c -@@ -2506,7 +2506,7 @@ int ocfs2_create_inode_in_orphan(struct - struct buffer_head *new_di_bh = NULL; - struct ocfs2_alloc_context *inode_ac = NULL; - struct ocfs2_dir_lookup_result orphan_insert = { NULL, }; -- u64 uninitialized_var(di_blkno), suballoc_loc; -+ u64 di_blkno, suballoc_loc; - u16 suballoc_bit; - - status = ocfs2_inode_lock(dir, &parent_di_bh, 1); ---- a/fs/ocfs2/refcounttree.c -+++ b/fs/ocfs2/refcounttree.c -@@ -1069,7 +1069,7 @@ static int ocfs2_get_refcount_rec(struct - struct buffer_head **ret_bh) - { - int ret = 0, i, found; -- u32 low_cpos, uninitialized_var(cpos_end); -+ u32 low_cpos, cpos_end; - struct ocfs2_extent_list *el; - struct ocfs2_extent_rec *rec = NULL; - struct ocfs2_extent_block *eb = NULL; ---- a/fs/ocfs2/xattr.c -+++ b/fs/ocfs2/xattr.c -@@ -1219,7 +1219,7 @@ static int ocfs2_xattr_block_get(struct - struct ocfs2_xattr_value_root *xv; - size_t size; - int ret = -ENODATA, name_offset, name_len, i; -- int uninitialized_var(block_off); -+ int block_off; - - xs->bucket = ocfs2_xattr_bucket_new(inode); - if (!xs->bucket) { ---- a/fs/omfs/file.c -+++ b/fs/omfs/file.c -@@ -220,7 +220,7 @@ static int omfs_get_block(struct inode * - struct buffer_head *bh; - sector_t next, offset; - int ret; -- u64 uninitialized_var(new_block); -+ u64 new_block; - u32 max_extents; - int extent_count; - struct omfs_extent *oe; ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -713,7 +713,7 @@ static int ovl_copy_up_meta_inode_data(s - struct path upperpath, datapath; - int err; - char *capability = NULL; -- ssize_t uninitialized_var(cap_size); -+ ssize_t cap_size; - - ovl_path_upper(c->dentry, &upperpath); - if (WARN_ON(upperpath.dentry == NULL)) ---- a/fs/ubifs/commit.c -+++ b/fs/ubifs/commit.c -@@ -564,11 +564,11 @@ out: - */ - int dbg_check_old_index(struct ubifs_info *c, struct ubifs_zbranch *zroot) - { -- int lnum, offs, len, err = 0, uninitialized_var(last_level), child_cnt; -+ int lnum, offs, len, err = 0, last_level, child_cnt; - int first = 1, iip; - struct ubifs_debug_info *d = c->dbg; -- union ubifs_key uninitialized_var(lower_key), upper_key, l_key, u_key; -- unsigned long long uninitialized_var(last_sqnum); -+ union ubifs_key lower_key, upper_key, l_key, u_key; -+ unsigned long long last_sqnum; - struct ubifs_idx_node *idx; - struct list_head list; - struct idx_node *i; ---- a/fs/ubifs/dir.c -+++ b/fs/ubifs/dir.c -@@ -1294,7 +1294,7 @@ static int do_rename(struct inode *old_d - struct ubifs_budget_req ino_req = { .dirtied_ino = 1, - .dirtied_ino_d = ALIGN(old_inode_ui->data_len, 8) }; - struct timespec64 time; -- unsigned int uninitialized_var(saved_nlink); -+ unsigned int saved_nlink; - struct fscrypt_name old_nm, new_nm; - - /* ---- a/fs/ubifs/file.c -+++ b/fs/ubifs/file.c -@@ -234,7 +234,7 @@ static int write_begin_slow(struct addre - struct ubifs_info *c = inode->i_sb->s_fs_info; - pgoff_t index = pos >> PAGE_SHIFT; - struct ubifs_budget_req req = { .new_page = 1 }; -- int uninitialized_var(err), appending = !!(pos + len > inode->i_size); -+ int err, appending = !!(pos + len > inode->i_size); - struct page *page; - - dbg_gen("ino %lu, pos %llu, len %u, i_size %lld", -@@ -438,7 +438,7 @@ static int ubifs_write_begin(struct file - struct ubifs_info *c = inode->i_sb->s_fs_info; - struct ubifs_inode *ui = ubifs_inode(inode); - pgoff_t index = pos >> PAGE_SHIFT; -- int uninitialized_var(err), appending = !!(pos + len > inode->i_size); -+ int err, appending = !!(pos + len > inode->i_size); - int skipped_read = 0; - struct page *page; - ---- a/fs/ubifs/journal.c -+++ b/fs/ubifs/journal.c -@@ -1355,7 +1355,7 @@ int ubifs_jnl_truncate(struct ubifs_info - union ubifs_key key, to_key; - struct ubifs_ino_node *ino; - struct ubifs_trun_node *trun; -- struct ubifs_data_node *uninitialized_var(dn); -+ struct ubifs_data_node *dn; - int err, dlen, len, lnum, offs, bit, sz, sync = IS_SYNC(inode); - struct ubifs_inode *ui = ubifs_inode(inode); - ino_t inum = inode->i_ino; ---- a/fs/ubifs/lpt.c -+++ b/fs/ubifs/lpt.c -@@ -287,7 +287,7 @@ uint32_t ubifs_unpack_bits(const struct - const int k = 32 - nrbits; - uint8_t *p = *addr; - int b = *pos; -- uint32_t uninitialized_var(val); -+ uint32_t val; - const int bytes = (nrbits + b + 7) >> 3; - - ubifs_assert(c, nrbits > 0); ---- a/fs/ubifs/tnc.c -+++ b/fs/ubifs/tnc.c -@@ -936,7 +936,7 @@ static int fallible_resolve_collision(st - int adding) - { - struct ubifs_znode *o_znode = NULL, *znode = *zn; -- int uninitialized_var(o_n), err, cmp, unsure = 0, nn = *n; -+ int o_n, err, cmp, unsure = 0, nn = *n; - - cmp = fallible_matches_name(c, &znode->zbranch[nn], nm); - if (unlikely(cmp < 0)) -@@ -1558,8 +1558,8 @@ out: - */ - int ubifs_tnc_get_bu_keys(struct ubifs_info *c, struct bu_info *bu) - { -- int n, err = 0, lnum = -1, uninitialized_var(offs); -- int uninitialized_var(len); -+ int n, err = 0, lnum = -1, offs; -+ int len; - unsigned int block = key_block(c, &bu->key); - struct ubifs_znode *znode; - ---- a/fs/ubifs/tnc_misc.c -+++ b/fs/ubifs/tnc_misc.c -@@ -138,8 +138,8 @@ int ubifs_search_zbranch(const struct ub - const struct ubifs_znode *znode, - const union ubifs_key *key, int *n) - { -- int beg = 0, end = znode->child_cnt, uninitialized_var(mid); -- int uninitialized_var(cmp); -+ int beg = 0, end = znode->child_cnt, mid; -+ int cmp; - const struct ubifs_zbranch *zbr = &znode->zbranch[0]; - - ubifs_assert(c, end > beg); ---- a/fs/udf/balloc.c -+++ b/fs/udf/balloc.c -@@ -555,7 +555,7 @@ static udf_pblk_t udf_table_new_block(st - udf_pblk_t newblock = 0; - uint32_t adsize; - uint32_t elen, goal_elen = 0; -- struct kernel_lb_addr eloc, uninitialized_var(goal_eloc); -+ struct kernel_lb_addr eloc, goal_eloc; - struct extent_position epos, goal_epos; - int8_t etype; - struct udf_inode_info *iinfo = UDF_I(table); ---- a/fs/xfs/xfs_bmap_util.c -+++ b/fs/xfs/xfs_bmap_util.c -@@ -130,7 +130,7 @@ xfs_bmap_rtalloc( - * pick an extent that will space things out in the rt area. - */ - if (ap->eof && ap->offset == 0) { -- xfs_rtblock_t uninitialized_var(rtx); /* realtime extent no */ -+ xfs_rtblock_t rtx; /* realtime extent no */ - - error = xfs_rtpick_extent(mp, ap->tp, ralen, &rtx); - if (error) ---- a/kernel/async.c -+++ b/kernel/async.c -@@ -115,7 +115,7 @@ static void async_run_entry_fn(struct wo - struct async_entry *entry = - container_of(work, struct async_entry, work); - unsigned long flags; -- ktime_t uninitialized_var(calltime), delta, rettime; -+ ktime_t calltime, delta, rettime; - - /* 1) run (and print duration) */ - if (initcall_debug && system_state < SYSTEM_RUNNING) { -@@ -283,7 +283,7 @@ EXPORT_SYMBOL_GPL(async_synchronize_full - */ - void async_synchronize_cookie_domain(async_cookie_t cookie, struct async_domain *domain) - { -- ktime_t uninitialized_var(starttime), delta, endtime; -+ ktime_t starttime, delta, endtime; - - if (initcall_debug && system_state < SYSTEM_RUNNING) { - pr_debug("async_waiting @ %i\n", task_pid_nr(current)); ---- a/kernel/audit.c -+++ b/kernel/audit.c -@@ -1796,7 +1796,7 @@ struct audit_buffer *audit_log_start(str - { - struct audit_buffer *ab; - struct timespec64 t; -- unsigned int uninitialized_var(serial); -+ unsigned int serial; - - if (audit_initialized != AUDIT_INITIALIZED) - return NULL; ---- a/kernel/dma/debug.c -+++ b/kernel/dma/debug.c -@@ -963,7 +963,7 @@ static int device_dma_allocations(struct - static int dma_debug_device_change(struct notifier_block *nb, unsigned long action, void *data) - { - struct device *dev = data; -- struct dma_debug_entry *uninitialized_var(entry); -+ struct dma_debug_entry *entry; - int count; - - if (dma_debug_disabled()) ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -10575,7 +10575,7 @@ SYSCALL_DEFINE5(perf_event_open, - struct perf_event *group_leader = NULL, *output_event = NULL; - struct perf_event *event, *sibling; - struct perf_event_attr attr; -- struct perf_event_context *ctx, *uninitialized_var(gctx); -+ struct perf_event_context *ctx, *gctx; - struct file *event_file = NULL; - struct fd group = {NULL, 0}; - struct task_struct *task = NULL; ---- a/kernel/events/uprobes.c -+++ b/kernel/events/uprobes.c -@@ -1887,7 +1887,7 @@ static void handle_swbp(struct pt_regs * - { - struct uprobe *uprobe; - unsigned long bp_vaddr; -- int uninitialized_var(is_swbp); -+ int is_swbp; - - bp_vaddr = uprobe_get_swbp_addr(regs); - if (bp_vaddr == get_trampoline_vaddr()) ---- a/kernel/exit.c -+++ b/kernel/exit.c -@@ -140,7 +140,7 @@ static void __exit_signal(struct task_st - struct signal_struct *sig = tsk->signal; - bool group_dead = thread_group_leader(tsk); - struct sighand_struct *sighand; -- struct tty_struct *uninitialized_var(tty); -+ struct tty_struct *tty; - u64 utime, stime; - - sighand = rcu_dereference_check(tsk->sighand, ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -1398,7 +1398,7 @@ static int lookup_pi_state(u32 __user *u - static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) - { - int err; -- u32 uninitialized_var(curval); -+ u32 curval; - - if (unlikely(should_fail_futex(true))) - return -EFAULT; -@@ -1569,7 +1569,7 @@ static void mark_wake_futex(struct wake_ - */ - static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_state) - { -- u32 uninitialized_var(curval), newval; -+ u32 curval, newval; - struct task_struct *new_owner; - bool postunlock = false; - DEFINE_WAKE_Q(wake_q); -@@ -3083,7 +3083,7 @@ uaddr_faulted: - */ - static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags) - { -- u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current); -+ u32 curval, uval, vpid = task_pid_vnr(current); - union futex_key key = FUTEX_KEY_INIT; - struct futex_hash_bucket *hb; - struct futex_q *top_waiter; -@@ -3558,7 +3558,7 @@ err_unlock: - static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, - bool pi, bool pending_op) - { -- u32 uval, uninitialized_var(nval), mval; -+ u32 uval, nval, mval; - int err; - - /* Futex address must be 32bit aligned */ -@@ -3688,7 +3688,7 @@ static void exit_robust_list(struct task - struct robust_list_head __user *head = curr->robust_list; - struct robust_list __user *entry, *next_entry, *pending; - unsigned int limit = ROBUST_LIST_LIMIT, pi, pip; -- unsigned int uninitialized_var(next_pi); -+ unsigned int next_pi; - unsigned long futex_offset; - int rc; - -@@ -3987,7 +3987,7 @@ static void compat_exit_robust_list(stru - struct compat_robust_list_head __user *head = curr->compat_robust_list; - struct robust_list __user *entry, *next_entry, *pending; - unsigned int limit = ROBUST_LIST_LIMIT, pi, pip; -- unsigned int uninitialized_var(next_pi); -+ unsigned int next_pi; - compat_uptr_t uentry, next_uentry, upending; - compat_long_t futex_offset; - int rc; ---- a/kernel/locking/lockdep.c -+++ b/kernel/locking/lockdep.c -@@ -1246,7 +1246,7 @@ static int noop_count(struct lock_list * - static unsigned long __lockdep_count_forward_deps(struct lock_list *this) - { - unsigned long count = 0; -- struct lock_list *uninitialized_var(target_entry); -+ struct lock_list *target_entry; - - __bfs_forwards(this, (void *)&count, noop_count, &target_entry); - -@@ -1274,7 +1274,7 @@ unsigned long lockdep_count_forward_deps - static unsigned long __lockdep_count_backward_deps(struct lock_list *this) - { - unsigned long count = 0; -- struct lock_list *uninitialized_var(target_entry); -+ struct lock_list *target_entry; - - __bfs_backwards(this, (void *)&count, noop_count, &target_entry); - -@@ -2662,7 +2662,7 @@ check_usage_backwards(struct task_struct - { - int ret; - struct lock_list root; -- struct lock_list *uninitialized_var(target_entry); -+ struct lock_list *target_entry; - - root.parent = NULL; - root.class = hlock_class(this); ---- a/kernel/trace/ring_buffer.c -+++ b/kernel/trace/ring_buffer.c -@@ -561,7 +561,7 @@ static void rb_wake_up_waiters(struct ir - */ - int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full) - { -- struct ring_buffer_per_cpu *uninitialized_var(cpu_buffer); -+ struct ring_buffer_per_cpu *cpu_buffer; - DEFINE_WAIT(wait); - struct rb_irq_work *work; - int ret = 0; ---- a/lib/radix-tree.c -+++ b/lib/radix-tree.c -@@ -1498,7 +1498,7 @@ void *radix_tree_tag_clear(struct radix_ - { - struct radix_tree_node *node, *parent; - unsigned long maxindex; -- int uninitialized_var(offset); -+ int offset; - - radix_tree_load_root(root, &node, &maxindex); - if (index > maxindex) ---- a/mm/frontswap.c -+++ b/mm/frontswap.c -@@ -447,7 +447,7 @@ static int __frontswap_shrink(unsigned l - void frontswap_shrink(unsigned long target_pages) - { - unsigned long pages_to_unuse = 0; -- int uninitialized_var(type), ret; -+ int type, ret; - - /* - * we don't want to hold swap_lock while doing a very ---- a/mm/ksm.c -+++ b/mm/ksm.c -@@ -2381,7 +2381,7 @@ next_mm: - static void ksm_do_scan(unsigned int scan_npages) - { - struct rmap_item *rmap_item; -- struct page *uninitialized_var(page); -+ struct page *page; - - while (scan_npages-- && likely(!freezing(current))) { - cond_resched(); ---- a/mm/memcontrol.c -+++ b/mm/memcontrol.c -@@ -919,7 +919,7 @@ struct mem_cgroup *mem_cgroup_iter(struc - struct mem_cgroup *prev, - struct mem_cgroup_reclaim_cookie *reclaim) - { -- struct mem_cgroup_reclaim_iter *uninitialized_var(iter); -+ struct mem_cgroup_reclaim_iter *iter; - struct cgroup_subsys_state *css = NULL; - struct mem_cgroup *memcg = NULL; - struct mem_cgroup *pos = NULL; ---- a/mm/mempolicy.c -+++ b/mm/mempolicy.c -@@ -1147,7 +1147,7 @@ int do_migrate_pages(struct mm_struct *m - static struct page *new_page(struct page *page, unsigned long start) - { - struct vm_area_struct *vma; -- unsigned long uninitialized_var(address); -+ unsigned long address; - - vma = find_vma(current->mm, start); - while (vma) { -@@ -1545,7 +1545,7 @@ static int kernel_get_mempolicy(int __us - unsigned long flags) - { - int err; -- int uninitialized_var(pval); -+ int pval; - nodemask_t nodes; - - if (nmask != NULL && maxnode < nr_node_ids) ---- a/mm/percpu.c -+++ b/mm/percpu.c -@@ -2283,7 +2283,7 @@ static struct pcpu_alloc_info * __init p - const size_t static_size = __per_cpu_end - __per_cpu_start; - int nr_groups = 1, nr_units = 0; - size_t size_sum, min_unit_size, alloc_size; -- int upa, max_upa, uninitialized_var(best_upa); /* units_per_alloc */ -+ int upa, max_upa, best_upa; /* units_per_alloc */ - int last_allocs, group, unit; - unsigned int cpu, tcpu; - struct pcpu_alloc_info *ai; ---- a/mm/slub.c -+++ b/mm/slub.c -@@ -1179,7 +1179,7 @@ static noinline int free_debug_processin - struct kmem_cache_node *n = get_node(s, page_to_nid(page)); - void *object = head; - int cnt = 0; -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - int ret = 0; - - spin_lock_irqsave(&n->list_lock, flags); -@@ -2826,7 +2826,7 @@ static void __slab_free(struct kmem_cach - struct page new; - unsigned long counters; - struct kmem_cache_node *n = NULL; -- unsigned long uninitialized_var(flags); -+ unsigned long flags; - - stat(s, FREE_SLOWPATH); - ---- a/mm/swap.c -+++ b/mm/swap.c -@@ -721,8 +721,8 @@ void release_pages(struct page **pages, - LIST_HEAD(pages_to_free); - struct pglist_data *locked_pgdat = NULL; - struct lruvec *lruvec; -- unsigned long uninitialized_var(flags); -- unsigned int uninitialized_var(lock_batch); -+ unsigned long flags; -+ unsigned int lock_batch; - - for (i = 0; i < nr; i++) { - struct page *page = pages[i]; ---- a/net/dccp/options.c -+++ b/net/dccp/options.c -@@ -60,7 +60,7 @@ int dccp_parse_options(struct sock *sk, - (dh->dccph_doff * 4); - struct dccp_options_received *opt_recv = &dp->dccps_options_received; - unsigned char opt, len; -- unsigned char *uninitialized_var(value); -+ unsigned char *value; - u32 elapsed_time; - __be32 opt_val; - int rc; ---- a/net/ipv4/netfilter/nf_socket_ipv4.c -+++ b/net/ipv4/netfilter/nf_socket_ipv4.c -@@ -96,11 +96,11 @@ nf_socket_get_sock_v4(struct net *net, s - struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb, - const struct net_device *indev) - { -- __be32 uninitialized_var(daddr), uninitialized_var(saddr); -- __be16 uninitialized_var(dport), uninitialized_var(sport); -+ __be32 daddr, saddr; -+ __be16 dport, sport; - const struct iphdr *iph = ip_hdr(skb); - struct sk_buff *data_skb = NULL; -- u8 uninitialized_var(protocol); -+ u8 protocol; - #if IS_ENABLED(CONFIG_NF_CONNTRACK) - enum ip_conntrack_info ctinfo; - struct nf_conn const *ct; ---- a/net/ipv6/ip6_flowlabel.c -+++ b/net/ipv6/ip6_flowlabel.c -@@ -518,7 +518,7 @@ int ipv6_flowlabel_opt_get(struct sock * - - int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen) - { -- int uninitialized_var(err); -+ int err; - struct net *net = sock_net(sk); - struct ipv6_pinfo *np = inet6_sk(sk); - struct in6_flowlabel_req freq; ---- a/net/ipv6/netfilter/nf_socket_ipv6.c -+++ b/net/ipv6/netfilter/nf_socket_ipv6.c -@@ -102,7 +102,7 @@ nf_socket_get_sock_v6(struct net *net, s - struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb, - const struct net_device *indev) - { -- __be16 uninitialized_var(dport), uninitialized_var(sport); -+ __be16 dport, sport; - const struct in6_addr *daddr = NULL, *saddr = NULL; - struct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var; - struct sk_buff *data_skb = NULL; ---- a/net/netfilter/nf_conntrack_ftp.c -+++ b/net/netfilter/nf_conntrack_ftp.c -@@ -383,7 +383,7 @@ static int help(struct sk_buff *skb, - int ret; - u32 seq; - int dir = CTINFO2DIR(ctinfo); -- unsigned int uninitialized_var(matchlen), uninitialized_var(matchoff); -+ unsigned int matchlen, matchoff; - struct nf_ct_ftp_master *ct_ftp_info = nfct_help_data(ct); - struct nf_conntrack_expect *exp; - union nf_inet_addr *daddr; ---- a/net/netfilter/nfnetlink_log.c -+++ b/net/netfilter/nfnetlink_log.c -@@ -637,7 +637,7 @@ nfulnl_log_packet(struct net *net, - struct nfnl_log_net *log = nfnl_log_pernet(net); - const struct nfnl_ct_hook *nfnl_ct = NULL; - struct nf_conn *ct = NULL; -- enum ip_conntrack_info uninitialized_var(ctinfo); -+ enum ip_conntrack_info ctinfo; - - if (li_user && li_user->type == NF_LOG_TYPE_ULOG) - li = li_user; ---- a/net/netfilter/nfnetlink_queue.c -+++ b/net/netfilter/nfnetlink_queue.c -@@ -392,7 +392,7 @@ nfqnl_build_packet_message(struct net *n - struct net_device *indev; - struct net_device *outdev; - struct nf_conn *ct = NULL; -- enum ip_conntrack_info uninitialized_var(ctinfo); -+ enum ip_conntrack_info ctinfo; - struct nfnl_ct_hook *nfnl_ct; - bool csum_verify; - char *secdata = NULL; -@@ -1191,7 +1191,7 @@ static int nfqnl_recv_verdict(struct net - struct nfqnl_instance *queue; - unsigned int verdict; - struct nf_queue_entry *entry; -- enum ip_conntrack_info uninitialized_var(ctinfo); -+ enum ip_conntrack_info ctinfo; - struct nfnl_ct_hook *nfnl_ct; - struct nf_conn *ct = NULL; - struct nfnl_queue_net *q = nfnl_queue_pernet(net); ---- a/net/sched/cls_flow.c -+++ b/net/sched/cls_flow.c -@@ -229,7 +229,7 @@ static u32 flow_get_skgid(const struct s - - static u32 flow_get_vlan_tag(const struct sk_buff *skb) - { -- u16 uninitialized_var(tag); -+ u16 tag; - - if (vlan_get_tag(skb, &tag) < 0) - return 0; ---- a/net/sched/sch_cake.c -+++ b/net/sched/sch_cake.c -@@ -1649,7 +1649,7 @@ static s32 cake_enqueue(struct sk_buff * - { - struct cake_sched_data *q = qdisc_priv(sch); - int len = qdisc_pkt_len(skb); -- int uninitialized_var(ret); -+ int ret; - struct sk_buff *ack = NULL; - ktime_t now = ktime_get(); - struct cake_tin_data *b; ---- a/net/sched/sch_cbq.c -+++ b/net/sched/sch_cbq.c -@@ -365,7 +365,7 @@ cbq_enqueue(struct sk_buff *skb, struct - struct sk_buff **to_free) - { - struct cbq_sched_data *q = qdisc_priv(sch); -- int uninitialized_var(ret); -+ int ret; - struct cbq_class *cl = cbq_classify(skb, sch, &ret); - - #ifdef CONFIG_NET_CLS_ACT ---- a/net/sched/sch_fq_codel.c -+++ b/net/sched/sch_fq_codel.c -@@ -192,7 +192,7 @@ static int fq_codel_enqueue(struct sk_bu - struct fq_codel_sched_data *q = qdisc_priv(sch); - unsigned int idx, prev_backlog, prev_qlen; - struct fq_codel_flow *flow; -- int uninitialized_var(ret); -+ int ret; - unsigned int pkt_len; - bool memory_limited; - ---- a/net/sched/sch_sfq.c -+++ b/net/sched/sch_sfq.c -@@ -353,7 +353,7 @@ sfq_enqueue(struct sk_buff *skb, struct - unsigned int hash, dropped; - sfq_index x, qlen; - struct sfq_slot *slot; -- int uninitialized_var(ret); -+ int ret; - struct sk_buff *head; - int delta; - ---- a/sound/core/control_compat.c -+++ b/sound/core/control_compat.c -@@ -236,7 +236,7 @@ static int copy_ctl_value_from_user(stru - { - struct snd_ctl_elem_value32 __user *data32 = userdata; - int i, type, size; -- int uninitialized_var(count); -+ int count; - unsigned int indirect; - - if (copy_from_user(&data->id, &data32->id, sizeof(data->id))) ---- a/sound/isa/sb/sb16_csp.c -+++ b/sound/isa/sb/sb16_csp.c -@@ -116,7 +116,7 @@ static void info_read(struct snd_info_en - int snd_sb_csp_new(struct snd_sb *chip, int device, struct snd_hwdep ** rhwdep) - { - struct snd_sb_csp *p; -- int uninitialized_var(version); -+ int version; - int err; - struct snd_hwdep *hw; - ---- a/sound/usb/endpoint.c -+++ b/sound/usb/endpoint.c -@@ -324,7 +324,7 @@ static void queue_pending_output_urbs(st - while (test_bit(EP_FLAG_RUNNING, &ep->flags)) { - - unsigned long flags; -- struct snd_usb_packet_info *uninitialized_var(packet); -+ struct snd_usb_packet_info *packet; - struct snd_urb_ctx *ctx = NULL; - int err, i; - diff --git a/queue-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch b/queue-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch deleted file mode 100644 index c25ee1b0cf2..00000000000 --- a/queue-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch +++ /dev/null @@ -1,40 +0,0 @@ -From a9c09546e903f1068acfa38e1ee18bded7114b37 Mon Sep 17 00:00:00 2001 -From: Christophe JAILLET -Date: Sat, 10 Jun 2023 17:59:25 +0200 -Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error - -From: Christophe JAILLET - -commit a9c09546e903f1068acfa38e1ee18bded7114b37 upstream. - -If clk_get_rate() fails, the clk that has just been allocated needs to be -freed. - -Cc: # v3.3+ -Reviewed-by: Krzysztof Kozlowski -Reviewed-by: Andi Shyti -Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup") -Signed-off-by: Christophe JAILLET -Reviewed-by: Jiri Slaby -Message-ID: -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/samsung.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/tty/serial/samsung.c -+++ b/drivers/tty/serial/samsung.c -@@ -1199,8 +1199,12 @@ static unsigned int s3c24xx_serial_getcl - continue; - - rate = clk_get_rate(clk); -- if (!rate) -+ if (!rate) { -+ dev_err(ourport->port.dev, -+ "Failed to get clock rate for %s.\n", clkname); -+ clk_put(clk); - continue; -+ } - - if (ourport->info->has_divslot) { - unsigned long div = rate / req_baud; diff --git a/queue-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch b/queue-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch deleted file mode 100644 index 7c7198883ca..00000000000 --- a/queue-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 832e231cff476102e8204a9e7bddfe5c6154a375 Mon Sep 17 00:00:00 2001 -From: Christophe JAILLET -Date: Sat, 10 Jun 2023 17:59:26 +0200 -Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk - -From: Christophe JAILLET - -commit 832e231cff476102e8204a9e7bddfe5c6154a375 upstream. - -When the best clk is searched, we iterate over all possible clk. - -If we find a better match, the previous one, if any, needs to be freed. -If a better match has already been found, we still need to free the new -one, otherwise it leaks. - -Cc: # v3.3+ -Reviewed-by: Krzysztof Kozlowski -Reviewed-by: Andi Shyti -Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup") -Signed-off-by: Christophe JAILLET -Reviewed-by: Jiri Slaby -Message-ID: -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/serial/samsung.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/tty/serial/samsung.c -+++ b/drivers/tty/serial/samsung.c -@@ -1230,10 +1230,18 @@ static unsigned int s3c24xx_serial_getcl - calc_deviation = -calc_deviation; - - if (calc_deviation < deviation) { -+ /* -+ * If we find a better clk, release the previous one, if -+ * any. -+ */ -+ if (!IS_ERR(*best_clk)) -+ clk_put(*best_clk); - *best_clk = clk; - best_quot = quot; - *clk_num = cnt; - deviation = calc_deviation; -+ } else { -+ clk_put(clk); - } - } - diff --git a/queue-4.19/udp6-fix-udp6_ehashfn-typo.patch b/queue-4.19/udp6-fix-udp6_ehashfn-typo.patch deleted file mode 100644 index 83cd000c763..00000000000 --- a/queue-4.19/udp6-fix-udp6_ehashfn-typo.patch +++ /dev/null @@ -1,40 +0,0 @@ -From dd4780f2e582e32ee8f5c8c08d03b8b73e369d5c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 8 Jul 2023 08:29:58 +0000 -Subject: udp6: fix udp6_ehashfn() typo - -From: Eric Dumazet - -[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ] - -Amit Klein reported that udp6_ehash_secret was initialized but never used. - -Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once") -Reported-by: Amit Klein -Signed-off-by: Eric Dumazet -Cc: Willy Tarreau -Cc: Willem de Bruijn -Cc: David Ahern -Cc: Hannes Frederic Sowa -Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin ---- - net/ipv6/udp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 9274603514e54..cf0bbe2e3a79f 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -99,7 +99,7 @@ static u32 udp6_ehashfn(const struct net *net, - fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret); - - return __inet6_ehashfn(lhash, lport, fhash, fport, -- udp_ipv6_hash_secret + net_hash_mix(net)); -+ udp6_ehash_secret + net_hash_mix(net)); - } - - int udp_v6_get_port(struct sock *sk, unsigned short snum) --- -2.39.2 - diff --git a/queue-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch b/queue-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch deleted file mode 100644 index d4f38580ba4..00000000000 --- a/queue-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch +++ /dev/null @@ -1,43 +0,0 @@ -From a73ed729a0242b99c1c9a5c6e71a75e01fff18e8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Apr 2023 22:08:31 +0800 -Subject: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() - -From: Li Yang - -[ Upstream commit 342161c11403ea00e9febc16baab1d883d589d04 ] - -Smatch reports: -drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe() -warn: missing unwind goto? - -After geting irq, if ret < 0, it will return without error handling to -free memory. -Just add error handling to fix this problem. - -Fixes: 0d45a1373e66 ("usb: phy: tahvo: add IRQ check") -Signed-off-by: Li Yang -Reviewed-by: Dongliang Mu -Link: https://lore.kernel.org/r/20230420140832.9110-1-lidaxian@hust.edu.cn -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/phy/phy-tahvo.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c -index 60d390e28289f..2923a7f6952dc 100644 ---- a/drivers/usb/phy/phy-tahvo.c -+++ b/drivers/usb/phy/phy-tahvo.c -@@ -398,7 +398,7 @@ static int tahvo_usb_probe(struct platform_device *pdev) - - tu->irq = ret = platform_get_irq(pdev, 0); - if (ret < 0) -- return ret; -+ goto err_remove_phy; - ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt, - IRQF_ONESHOT, - "tahvo-vbus", tu); --- -2.39.2 - diff --git a/queue-4.19/usb-serial-option-add-lara-r6-01b-pids.patch b/queue-4.19/usb-serial-option-add-lara-r6-01b-pids.patch deleted file mode 100644 index 2e014e97597..00000000000 --- a/queue-4.19/usb-serial-option-add-lara-r6-01b-pids.patch +++ /dev/null @@ -1,65 +0,0 @@ -From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001 -From: Davide Tronchin -Date: Thu, 22 Jun 2023 11:29:21 +0200 -Subject: USB: serial: option: add LARA-R6 01B PIDs - -From: Davide Tronchin - -commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream. - -The new LARA-R6 product variant identified by the "01B" string can be -configured (by AT interface) in three different USB modes: - -* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial -interfaces - -* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial -interfaces and 1 RmNet virtual network interface - -* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial -interface and 1 CDC-ECM virtual network interface -The first 4 interfaces of all the 3 USB configurations (default, RmNet, -CDC-ECM) are the same. - -In default mode LARA-R6 01B exposes the following interfaces: -If 0: Diagnostic -If 1: AT parser -If 2: AT parser -If 3: AT parser/alternative functions - -In RmNet mode LARA-R6 01B exposes the following interfaces: -If 0: Diagnostic -If 1: AT parser -If 2: AT parser -If 3: AT parser/alternative functions -If 4: RMNET interface - -In CDC-ECM mode LARA-R6 01B exposes the following interfaces: -If 0: Diagnostic -If 1: AT parser -If 2: AT parser -If 3: AT parser/alternative functions -If 4: CDC-ECM interface - -Signed-off-by: Davide Tronchin -Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com -Cc: stable@vger.kernel.org -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/serial/option.c | 4 ++++ - 1 file changed, 4 insertions(+) - ---- a/drivers/usb/serial/option.c -+++ b/drivers/usb/serial/option.c -@@ -1151,6 +1151,10 @@ static const struct usb_device_id option - { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), - .driver_info = RSVD(3) }, - /* u-blox products */ -+ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */ -+ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox LARA-R6 01B (RMNET) */ -+ .driver_info = RSVD(4) }, -+ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */ - { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ - { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ - .driver_info = RSVD(4) }, diff --git a/queue-4.19/video-imsttfb-check-for-ioremap-failures.patch b/queue-4.19/video-imsttfb-check-for-ioremap-failures.patch deleted file mode 100644 index 89a1c7cc0f3..00000000000 --- a/queue-4.19/video-imsttfb-check-for-ioremap-failures.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 13b7c0390a5d3840e1e2cda8f44a310fdbb982de Mon Sep 17 00:00:00 2001 -From: Greg Kroah-Hartman -Date: Mon, 3 May 2021 13:57:34 +0200 -Subject: video: imsttfb: check for ioremap() failures - -From: Greg Kroah-Hartman - -commit 13b7c0390a5d3840e1e2cda8f44a310fdbb982de upstream. - -We should check if ioremap() were to somehow fail in imsttfb_probe() and -handle the unwinding of the resources allocated here properly. - -Ideally if anyone cares about this driver (it's for a PowerMac era PCI -display card), they wouldn't even be using fbdev anymore. Or the devm_* -apis could be used, but that's just extra work for diminishing -returns... - -Cc: Finn Thain -Cc: Bartlomiej Zolnierkiewicz -Reviewed-by: Rob Herring -Link: https://lore.kernel.org/r/20210503115736.2104747-68-gregkh@linuxfoundation.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman ---- - drivers/video/fbdev/imsttfb.c | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - ---- a/drivers/video/fbdev/imsttfb.c -+++ b/drivers/video/fbdev/imsttfb.c -@@ -1470,6 +1470,7 @@ static int imsttfb_probe(struct pci_dev - struct imstt_par *par; - struct fb_info *info; - struct device_node *dp; -+ int ret = -ENOMEM; - - dp = pci_device_to_OF_node(pdev); - if(dp) -@@ -1508,23 +1509,37 @@ static int imsttfb_probe(struct pci_dev - default: - printk(KERN_INFO "imsttfb: Device 0x%x unknown, " - "contact maintainer.\n", pdev->device); -- release_mem_region(addr, size); -- framebuffer_release(info); -- return -ENODEV; -+ ret = -ENODEV; -+ goto error; - } - - info->fix.smem_start = addr; - info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ? - 0x400000 : 0x800000); -+ if (!info->screen_base) -+ goto error; - info->fix.mmio_start = addr + 0x800000; - par->dc_regs = ioremap(addr + 0x800000, 0x1000); -+ if (!par->dc_regs) -+ goto error; - par->cmap_regs_phys = addr + 0x840000; - par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000); -+ if (!par->cmap_regs) -+ goto error; - info->pseudo_palette = par->palette; - init_imstt(info); - - pci_set_drvdata(pdev, info); - return 0; -+ -+error: -+ if (par->dc_regs) -+ iounmap(par->dc_regs); -+ if (info->screen_base) -+ iounmap(info->screen_base); -+ release_mem_region(addr, size); -+ framebuffer_release(info); -+ return ret; - } - - static void imsttfb_remove(struct pci_dev *pdev) diff --git a/queue-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch b/queue-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch deleted file mode 100644 index fd7f5edd549..00000000000 --- a/queue-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch +++ /dev/null @@ -1,127 +0,0 @@ -From ca9b3ac6d3bbb8860c544487324e18a6481a20d7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Jun 2019 10:32:50 -0400 -Subject: vrf: Increment Icmp6InMsgs on the original netdev - -From: Stephen Suryaputra - -[ Upstream commit e1ae5c2ea4783b1fd87be250f9fcc9d9e1a6ba3f ] - -Get the ingress interface and increment ICMP counters based on that -instead of skb->dev when the the dev is a VRF device. - -This is a follow up on the following message: -https://www.spinics.net/lists/netdev/msg560268.html - -v2: Avoid changing skb->dev since it has unintended effect for local - delivery (David Ahern). -Signed-off-by: Stephen Suryaputra -Reviewed-by: David Ahern -Signed-off-by: David S. Miller -Stable-dep-of: 2aaa8a15de73 ("icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().") -Signed-off-by: Sasha Levin ---- - include/net/addrconf.h | 16 ++++++++++++++++ - net/ipv6/icmp.c | 17 +++++++++++------ - net/ipv6/reassembly.c | 4 ++-- - 3 files changed, 29 insertions(+), 8 deletions(-) - -diff --git a/include/net/addrconf.h b/include/net/addrconf.h -index db2a87981dd46..9583d3bbab039 100644 ---- a/include/net/addrconf.h -+++ b/include/net/addrconf.h -@@ -340,6 +340,22 @@ static inline struct inet6_dev *__in6_dev_get(const struct net_device *dev) - return rcu_dereference_rtnl(dev->ip6_ptr); - } - -+/** -+ * __in6_dev_stats_get - get inet6_dev pointer for stats -+ * @dev: network device -+ * @skb: skb for original incoming interface if neeeded -+ * -+ * Caller must hold rcu_read_lock or RTNL, because this function -+ * does not take a reference on the inet6_dev. -+ */ -+static inline struct inet6_dev *__in6_dev_stats_get(const struct net_device *dev, -+ const struct sk_buff *skb) -+{ -+ if (netif_is_l3_master(dev)) -+ dev = dev_get_by_index_rcu(dev_net(dev), inet6_iif(skb)); -+ return __in6_dev_get(dev); -+} -+ - /** - * __in6_dev_get_safely - get inet6_dev pointer from netdevice - * @dev: network device -diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c -index fbc8746371b6d..1b86a2e03d049 100644 ---- a/net/ipv6/icmp.c -+++ b/net/ipv6/icmp.c -@@ -395,23 +395,28 @@ static struct dst_entry *icmpv6_route_lookup(struct net *net, - return ERR_PTR(err); - } - --static int icmp6_iif(const struct sk_buff *skb) -+static struct net_device *icmp6_dev(const struct sk_buff *skb) - { -- int iif = skb->dev->ifindex; -+ struct net_device *dev = skb->dev; - - /* for local traffic to local address, skb dev is the loopback - * device. Check if there is a dst attached to the skb and if so - * get the real device index. Same is needed for replies to a link - * local address on a device enslaved to an L3 master device - */ -- if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { -+ if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { - const struct rt6_info *rt6 = skb_rt6_info(skb); - - if (rt6) -- iif = rt6->rt6i_idev->dev->ifindex; -+ dev = rt6->rt6i_idev->dev; - } - -- return iif; -+ return dev; -+} -+ -+static int icmp6_iif(const struct sk_buff *skb) -+{ -+ return icmp6_dev(skb)->ifindex; - } - - /* -@@ -800,7 +805,7 @@ void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info) - static int icmpv6_rcv(struct sk_buff *skb) - { - struct net *net = dev_net(skb->dev); -- struct net_device *dev = skb->dev; -+ struct net_device *dev = icmp6_dev(skb); - struct inet6_dev *idev = __in6_dev_get(dev); - const struct in6_addr *saddr, *daddr; - struct icmp6hdr *hdr; -diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c -index 60dfd0d118512..b596727f04978 100644 ---- a/net/ipv6/reassembly.c -+++ b/net/ipv6/reassembly.c -@@ -302,7 +302,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, - skb_network_header_len(skb)); - - rcu_read_lock(); -- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); -+ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMOKS); - rcu_read_unlock(); - fq->q.fragments = NULL; - fq->q.rb_fragments = RB_ROOT; -@@ -317,7 +317,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, - net_dbg_ratelimited("ip6_frag_reasm: no memory for reassembly\n"); - out_fail: - rcu_read_lock(); -- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); -+ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMFAILS); - rcu_read_unlock(); - inet_frag_kill(&fq->q); - return -1; --- -2.39.2 - diff --git a/queue-4.19/w1-fix-loop-in-w1_fini.patch b/queue-4.19/w1-fix-loop-in-w1_fini.patch deleted file mode 100644 index eee3b608e92..00000000000 --- a/queue-4.19/w1-fix-loop-in-w1_fini.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7fab2a6bde29ee9a8cf5b2eea008b078d8e3aac2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 19 May 2021 17:17:45 +0300 -Subject: w1: fix loop in w1_fini() - -From: Dan Carpenter - -[ Upstream commit 83f3fcf96fcc7e5405b37d9424c7ef26bfa203f8 ] - -The __w1_remove_master_device() function calls: - - list_del(&dev->w1_master_entry); - -So presumably this can cause an endless loop. - -Fixes: 7785925dd8e0 ("[PATCH] w1: cleanups.") -Signed-off-by: Dan Carpenter -Signed-off-by: Krzysztof Kozlowski -Signed-off-by: Sasha Levin ---- - drivers/w1/w1.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c -index cb3650efc29cd..8db9ca241d99c 100644 ---- a/drivers/w1/w1.c -+++ b/drivers/w1/w1.c -@@ -1237,10 +1237,10 @@ static int __init w1_init(void) - - static void __exit w1_fini(void) - { -- struct w1_master *dev; -+ struct w1_master *dev, *n; - - /* Set netlink removal messages and some cleanup */ -- list_for_each_entry(dev, &w1_masters, w1_master_entry) -+ list_for_each_entry_safe(dev, n, &w1_masters, w1_master_entry) - __w1_remove_master_device(dev); - - w1_fini_netlink(); --- -2.39.2 - diff --git a/queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch deleted file mode 100644 index dc4e15c9859..00000000000 --- a/queue-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 0c282f6c0842390de9ae2a22490760732c735d15 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 10:18:25 -0700 -Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on - correct config - -From: Douglas Anderson - -[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ] - -Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5. - -This patch series adds the "buddy" hardlockup detector. In brief, the -buddy hardlockup detector can detect hardlockups without arch-level -support by having CPUs checkup on a "buddy" CPU periodically. - -Given the new design of this patch series, testing all combinations is -fairly difficult. I've attempted to make sure that all combinations of -CONFIG_ options are good, but it wouldn't surprise me if I missed -something. I apologize in advance and I'll do my best to fix any -problems that are found. - -This patch (of 18): - -The real watchdog_update_hrtimer_threshold() is defined in -kernel/watchdog_hld.c. That file is included if -CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file -if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP. - -The dummy version of the function in "nmi.h" didn't get that quite right. -While this doesn't appear to be a huge deal, it's nice to make it -consistent. - -It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so -others don't get a double definition, and x86 uses perf lockup detector, -so it gets the out of line version. - -Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid -Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid -Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") -Signed-off-by: Douglas Anderson -Reviewed-by: Nicholas Piggin -Reviewed-by: Petr Mladek -Cc: Andi Kleen -Cc: Catalin Marinas -Cc: Chen-Yu Tsai -Cc: Christophe Leroy -Cc: Daniel Thompson -Cc: "David S. Miller" -Cc: Guenter Roeck -Cc: Ian Rogers -Cc: Lecopzer Chen -Cc: Marc Zyngier -Cc: Mark Rutland -Cc: Masayoshi Mizuma -Cc: Matthias Kaehlcke -Cc: Michael Ellerman -Cc: Pingfan Liu -Cc: Randy Dunlap -Cc: "Ravi V. Shankar" -Cc: Ricardo Neri -Cc: Stephane Eranian -Cc: Stephen Boyd -Cc: Sumit Garg -Cc: Tzung-Bi Shih -Cc: Will Deacon -Cc: Colin Cross -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - include/linux/nmi.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/linux/nmi.h b/include/linux/nmi.h -index e972d1ae1ee63..6cb593d9ed08a 100644 ---- a/include/linux/nmi.h -+++ b/include/linux/nmi.h -@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh); - #endif - - #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \ -- defined(CONFIG_HARDLOCKUP_DETECTOR) -+ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF) - void watchdog_update_hrtimer_threshold(u64 period); - #else - static inline void watchdog_update_hrtimer_threshold(u64 period) { } --- -2.39.2 - diff --git a/queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch b/queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch deleted file mode 100644 index 58fc7eac1b9..00000000000 --- a/queue-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 3c6dc6af3bc7f2705b7a426759a9837e74c2a453 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 19 May 2023 10:18:26 -0700 -Subject: watchdog/perf: more properly prevent false positives with turbo modes - -From: Douglas Anderson - -[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ] - -Currently, in the watchdog_overflow_callback() we first check to see if -the watchdog had been touched and _then_ we handle the workaround for -turbo mode. This order should be reversed. - -Specifically, "touching" the hardlockup detector's watchdog should avoid -lockups being detected for one period that should be roughly the same -regardless of whether we're running turbo or not. That means that we -should do the extra accounting for turbo _before_ we look at (and clear) -the global indicating that we've been touched. - -NOTE: this fix is made based on code inspection. I am not aware of any -reports where the old code would have generated false positives. That -being said, this order seems more correct and also makes it easier down -the line to share code with the "buddy" hardlockup detector. - -Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid -Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") -Signed-off-by: Douglas Anderson -Cc: Andi Kleen -Cc: Catalin Marinas -Cc: Chen-Yu Tsai -Cc: Christophe Leroy -Cc: Colin Cross -Cc: Daniel Thompson -Cc: "David S. Miller" -Cc: Guenter Roeck -Cc: Ian Rogers -Cc: Lecopzer Chen -Cc: Marc Zyngier -Cc: Mark Rutland -Cc: Masayoshi Mizuma -Cc: Matthias Kaehlcke -Cc: Michael Ellerman -Cc: Nicholas Piggin -Cc: Petr Mladek -Cc: Pingfan Liu -Cc: Randy Dunlap -Cc: "Ravi V. Shankar" -Cc: Ricardo Neri -Cc: Stephane Eranian -Cc: Stephen Boyd -Cc: Sumit Garg -Cc: Tzung-Bi Shih -Cc: Will Deacon -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/watchdog_hld.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c -index 71381168dedef..f8e460b4a59d5 100644 ---- a/kernel/watchdog_hld.c -+++ b/kernel/watchdog_hld.c -@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event, - /* Ensure the watchdog never gets throttled */ - event->hw.interrupts = 0; - -+ if (!watchdog_check_timestamp()) -+ return; -+ - if (__this_cpu_read(watchdog_nmi_touch) == true) { - __this_cpu_write(watchdog_nmi_touch, false); - return; - } - -- if (!watchdog_check_timestamp()) -- return; -- - /* check for a hardlockup - * This is done by making sure our timer interrupt - * is incrementing. The timer interrupt should have --- -2.39.2 - diff --git a/queue-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/queue-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch deleted file mode 100644 index e6a83160c61..00000000000 --- a/queue-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 5f65296a9458994473a1830d34aed8a66606adf3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 9 Jul 2023 06:31:54 -0700 -Subject: wifi: airo: avoid uninitialized warning in airo_get_rate() - -From: Randy Dunlap - -[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ] - -Quieten a gcc (11.3.0) build error or warning by checking the function -call status and returning -EBUSY if the function call failed. -This is similar to what several other wireless drivers do for the -SIOCGIWRATE ioctl call when there is a locking problem. - -drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized] - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Randy Dunlap -Reported-by: Geert Uytterhoeven -Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org -Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/cisco/airo.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c -index 5a6ee0b014da0..a01b42c7c07ac 100644 ---- a/drivers/net/wireless/cisco/airo.c -+++ b/drivers/net/wireless/cisco/airo.c -@@ -6100,8 +6100,11 @@ static int airo_get_rate(struct net_device *dev, - { - struct airo_info *local = dev->ml_priv; - StatusRid status_rid; /* Card status info */ -+ int ret; - -- readStatusRid(local, &status_rid, 1); -+ ret = readStatusRid(local, &status_rid, 1); -+ if (ret) -+ return -EBUSY; - - vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000; - /* If more than one rate, set auto */ --- -2.39.2 - diff --git a/queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch deleted file mode 100644 index 12eb40f6c19..00000000000 --- a/queue-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch +++ /dev/null @@ -1,58 +0,0 @@ -From cf65e68abf8e7ab7b1fbd232bbdf201720676629 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 26 Apr 2023 17:35:01 +0300 -Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Fedor Pchelkin - -[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ] - -For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid -uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should -validate pkt_len before accessing the SKB. - -For example, the obtained SKB may have been badly constructed with -pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr -but after being processed in ath9k_htc_rx_msg() and passed to -ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI -command header which should be located inside its data payload. - -Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit -memory can be referenced. - -Tested on Qualcomm Atheros Communications AR9271 802.11n . - -Found by Linux Verification Center (linuxtesting.org) with Syzkaller. - -Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") -Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com -Signed-off-by: Fedor Pchelkin -Acked-by: Toke Høiland-Jørgensen -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c -index e4ea6f5cc78ab..5e2a610df61cf 100644 ---- a/drivers/net/wireless/ath/ath9k/wmi.c -+++ b/drivers/net/wireless/ath/ath9k/wmi.c -@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, - if (unlikely(wmi->stopped)) - goto free_skb; - -+ /* Validate the obtained SKB. */ -+ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr))) -+ goto free_skb; -+ - hdr = (struct wmi_cmd_hdr *) skb->data; - cmd_id = be16_to_cpu(hdr->command_id); - --- -2.39.2 - diff --git a/queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch deleted file mode 100644 index 62f1c572c60..00000000000 --- a/queue-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch +++ /dev/null @@ -1,51 +0,0 @@ -From bbf82c3def2c11aee88ff24f3b0c8cf9599e0071 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 13 Jun 2023 16:46:55 +0300 -Subject: wifi: ath9k: convert msecs to jiffies where needed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Dmitry Antipov - -[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ] - -Since 'ieee80211_queue_delayed_work()' expects timeout in -jiffies and not milliseconds, 'msecs_to_jiffies()' should -be used in 'ath_restart_work()' and '__ath9k_flush()'. - -Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work") -Signed-off-by: Dmitry Antipov -Acked-by: Toke Høiland-Jørgensen -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath9k/main.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c -index e8e297a04d360..2fdf9858a73d9 100644 ---- a/drivers/net/wireless/ath/ath9k/main.c -+++ b/drivers/net/wireless/ath/ath9k/main.c -@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc) - void ath_restart_work(struct ath_softc *sc) - { - ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work, -- ATH_HW_CHECK_POLL_INT); -+ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); - - if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah)) - ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work, -@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop, - } - - ieee80211_queue_delayed_work(hw, &sc->hw_check_work, -- ATH_HW_CHECK_POLL_INT); -+ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); - } - - static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw) --- -2.39.2 - diff --git a/queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch deleted file mode 100644 index 39849183e97..00000000000 --- a/queue-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch +++ /dev/null @@ -1,54 +0,0 @@ -From cbdd7ba95d47d114975b51072b4265f8344abe37 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 17 May 2023 18:03:17 +0300 -Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Fedor Pchelkin - -[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ] - -A bad USB device is able to construct a service connection response -message with target endpoint being ENDPOINT0 which is reserved for -HTC_CTRL_RSVD_SVC and should not be modified to be used for any other -services. - -Reject such service connection responses. - -Found by Linux Verification Center (linuxtesting.org) with Syzkaller. - -Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") -Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com -Signed-off-by: Fedor Pchelkin -Acked-by: Toke Høiland-Jørgensen -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c -index 6331c98088e03..d5e5f9cf4ca86 100644 ---- a/drivers/net/wireless/ath/ath9k/htc_hst.c -+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c -@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target, - - if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { - epid = svc_rspmsg->endpoint_id; -- if (epid < 0 || epid >= ENDPOINT_MAX) -+ -+ /* Check that the received epid for the endpoint to attach -+ * a new service is valid. ENDPOINT0 can't be used here as it -+ * is already reserved for HTC_CTRL_RSVD_SVC service and thus -+ * should not be modified. -+ */ -+ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX) - return; - - service_id = be16_to_cpu(svc_rspmsg->service_id); --- -2.39.2 - diff --git a/queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch deleted file mode 100644 index 49302b4acf5..00000000000 --- a/queue-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 16cb131de7a54b775ccf43c5fa130d76ee3a1901 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 26 Apr 2023 17:35:00 +0300 -Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset - calculation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Peter Seiderer - -[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ] - -Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset -calculation (do not overflow the shift for the second register/queues -above five, use the register layout described in the comments above -ath9k_hw_verify_hang() instead). - -Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003") - -Reported-by: Gregg Wonderly -Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/ -Signed-off-by: Peter Seiderer -Acked-by: Toke Høiland-Jørgensen -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++-------- - 1 file changed, 18 insertions(+), 9 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c -index 2fe12b0de5b4f..dea8a998fb622 100644 ---- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c -+++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c -@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue) - { - u32 dma_dbg_chain, dma_dbg_complete; - u8 dcu_chain_state, dcu_complete_state; -+ unsigned int dbg_reg, reg_offset; - int i; - -- for (i = 0; i < NUM_STATUS_READS; i++) { -- if (queue < 6) -- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4); -- else -- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5); -+ if (queue < 6) { -+ dbg_reg = AR_DMADBG_4; -+ reg_offset = queue * 5; -+ } else { -+ dbg_reg = AR_DMADBG_5; -+ reg_offset = (queue - 6) * 5; -+ } - -+ for (i = 0; i < NUM_STATUS_READS; i++) { -+ dma_dbg_chain = REG_READ(ah, dbg_reg); - dma_dbg_complete = REG_READ(ah, AR_DMADBG_6); - -- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f; -+ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f; - dcu_complete_state = dma_dbg_complete & 0x3; - - if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1)) -@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) - u8 dcu_chain_state, dcu_complete_state; - bool dcu_wait_frdone = false; - unsigned long chk_dcu = 0; -+ unsigned int reg_offset; - unsigned int i = 0; - - dma_dbg_4 = REG_READ(ah, AR_DMADBG_4); -@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) - goto exit; - - for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { -- if (i < 6) -+ if (i < 6) { - chk_dbg = dma_dbg_4; -- else -+ reg_offset = i * 5; -+ } else { - chk_dbg = dma_dbg_5; -+ reg_offset = (i - 6) * 5; -+ } - -- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f; -+ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f; - if (dcu_chain_state == 0x6) { - dcu_wait_frdone = true; - chk_dcu |= BIT(i); --- -2.39.2 - diff --git a/queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch deleted file mode 100644 index 60b7d4e55bd..00000000000 --- a/queue-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch +++ /dev/null @@ -1,111 +0,0 @@ -From 43e3a8b56606fdc140f08245ff49796f93f86e88 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 9 Jun 2023 11:37:44 +0200 -Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Remi Pommarel - -[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ] - -On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite -loop if it is called while all txq_fifos have packets that use different -key that the one we are looking for. Fix it by exiting the loop if all -txq_fifos have been checked already. - -Because this loop is called under spin_lock_bh() (see ath_txq_lock) it -causes the following rcu stall: - -rcu: INFO: rcu_sched self-detected stall on CPU -ath10k_pci 0000:01:00.0: failed to read temperature -11 -rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579 - (t=5257 jiffies g=17983297 q=334) -Task dump for CPU 1: -task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a -Call trace: - dump_backtrace+0x0/0x170 - show_stack+0x1c/0x24 - sched_show_task+0x140/0x170 - dump_cpu_task+0x48/0x54 - rcu_dump_cpu_stacks+0xf0/0x134 - rcu_sched_clock_irq+0x8d8/0x9fc - update_process_times+0xa0/0xec - tick_sched_timer+0x5c/0xd0 - __hrtimer_run_queues+0x154/0x320 - hrtimer_interrupt+0x120/0x2f0 - arch_timer_handler_virt+0x38/0x44 - handle_percpu_devid_irq+0x9c/0x1e0 - handle_domain_irq+0x64/0x90 - gic_handle_irq+0x78/0xb0 - call_on_irq_stack+0x28/0x38 - do_interrupt_handler+0x54/0x5c - el1_interrupt+0x2c/0x4c - el1h_64_irq_handler+0x14/0x1c - el1h_64_irq+0x74/0x78 - ath9k_txq_has_key+0x1bc/0x250 [ath9k] - ath9k_set_key+0x1cc/0x3dc [ath9k] - drv_set_key+0x78/0x170 - ieee80211_key_replace+0x564/0x6cc - ieee80211_key_link+0x174/0x220 - ieee80211_add_key+0x11c/0x300 - nl80211_new_key+0x12c/0x330 - genl_family_rcv_msg_doit+0xbc/0x11c - genl_rcv_msg+0xd8/0x1c4 - netlink_rcv_skb+0x40/0x100 - genl_rcv+0x3c/0x50 - netlink_unicast+0x1ec/0x2c0 - netlink_sendmsg+0x198/0x3c0 - ____sys_sendmsg+0x210/0x250 - ___sys_sendmsg+0x78/0xc4 - __sys_sendmsg+0x4c/0x90 - __arm64_sys_sendmsg+0x28/0x30 - invoke_syscall.constprop.0+0x60/0x100 - do_el0_svc+0x48/0xd0 - el0_svc+0x14/0x50 - el0t_64_sync_handler+0xa8/0xb0 - el0t_64_sync+0x158/0x15c - -This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH -from 8 to 2 makes it reasonably easy to reproduce. - -Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it") -Signed-off-by: Remi Pommarel -Tested-by: Nicolas Escande -Acked-by: Toke Høiland-Jørgensen -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath9k/main.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c -index ee1b9c39bad7a..e8e297a04d360 100644 ---- a/drivers/net/wireless/ath/ath9k/main.c -+++ b/drivers/net/wireless/ath/ath9k/main.c -@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix) - static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) - { - struct ath_hw *ah = sc->sc_ah; -- int i; -+ int i, j; - struct ath_txq *txq; - bool key_in_use = false; - -@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) - if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { - int idx = txq->txq_tailidx; - -- while (!key_in_use && -- !list_empty(&txq->txq_fifo[idx])) { -+ for (j = 0; !key_in_use && -+ !list_empty(&txq->txq_fifo[idx]) && -+ j < ATH_TXFIFO_DEPTH; j++) { - key_in_use = ath9k_txq_list_has_key( - &txq->txq_fifo[idx], keyix); - INCR(idx, ATH_TXFIFO_DEPTH); --- -2.39.2 - diff --git a/queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch deleted file mode 100644 index c4c2160eea1..00000000000 --- a/queue-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch +++ /dev/null @@ -1,59 +0,0 @@ -From c11669e78c6279d4eb42e332fdcbd353a753cffd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 May 2023 09:53:14 +0200 -Subject: wifi: atmel: Fix an error handling path in atmel_probe() - -From: Christophe JAILLET - -[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] - -Should atmel_config() fail, some resources need to be released as already -done in the remove function. - -While at it, remove a useless and erroneous comment. The probe is -atmel_probe(), not atmel_attach(). - -Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") -Signed-off-by: Christophe JAILLET -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c -index 7afc9c5329fb1..f5fa1a95b0c15 100644 ---- a/drivers/net/wireless/atmel/atmel_cs.c -+++ b/drivers/net/wireless/atmel/atmel_cs.c -@@ -73,6 +73,7 @@ struct local_info { - static int atmel_probe(struct pcmcia_device *p_dev) - { - struct local_info *local; -+ int ret; - - dev_dbg(&p_dev->dev, "atmel_attach()\n"); - -@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev) - - p_dev->priv = local; - -- return atmel_config(p_dev); --} /* atmel_attach */ -+ ret = atmel_config(p_dev); -+ if (ret) -+ goto err_free_priv; -+ -+ return 0; -+ -+err_free_priv: -+ kfree(p_dev->priv); -+ return ret; -+} - - static void atmel_detach(struct pcmcia_device *link) - { --- -2.39.2 - diff --git a/queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch deleted file mode 100644 index 3e182aa876b..00000000000 --- a/queue-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 7fa7b97844f258140628a39210c44fd2dd1b7c21 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 20 Jun 2023 13:04:02 +0300 -Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow - -From: Johannes Berg - -[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] - -Roee reported various hard-to-debug crashes with pings in -EHT aggregation scenarios. Enabling KASAN showed that we -access the BAID allocation out of bounds, and looking at -the code a bit shows that since the reorder buffer entry -(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug -such as lockdep is enabled, then staring from an agg size -512 we overflow the size calculation, and allocate a much -smaller structure than we should, causing slab corruption -once we initialize this. - -Fix this by simply using u32 instead of u16. - -Reported-by: Roee Goldfiner -Signed-off-by: Johannes Berg -Signed-off-by: Gregory Greenman -Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -index 373ace38edab7..83883ce7f55dc 100644 ---- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c -@@ -2237,7 +2237,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, - } - - if (iwl_mvm_has_new_rx_api(mvm) && start) { -- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); -+ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); - - /* sparse doesn't like the __align() so don't check */ - #ifndef __CHECKER__ --- -2.39.2 - diff --git a/queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch deleted file mode 100644 index 8f183f74d19..00000000000 --- a/queue-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d6fb7a006f008102f2c65907ae4ba8fed02b5d0b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 6 May 2023 15:53:15 +0200 -Subject: wifi: mwifiex: Fix the size of a memory allocation in - mwifiex_ret_802_11_scan() - -From: Christophe JAILLET - -[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] - -The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", -not "struct cfg80211_wowlan_nd_match". - -Use struct_size() to ease the computation of the needed size. - -The current code over-allocates some memory, so is safe. -But it wastes 32 bytes. - -Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") -Signed-off-by: Christophe JAILLET -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c -index c9f6cd2919699..4f0e78ae3dbd0 100644 ---- a/drivers/net/wireless/marvell/mwifiex/scan.c -+++ b/drivers/net/wireless/marvell/mwifiex/scan.c -@@ -2208,9 +2208,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, - - if (nd_config) { - adapter->nd_info = -- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) + -- sizeof(struct cfg80211_wowlan_nd_match *) * -- scan_rsp->number_of_sets, GFP_ATOMIC); -+ kzalloc(struct_size(adapter->nd_info, matches, -+ scan_rsp->number_of_sets), -+ GFP_ATOMIC); - - if (adapter->nd_info) - adapter->nd_info->n_matches = scan_rsp->number_of_sets; --- -2.39.2 - diff --git a/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch deleted file mode 100644 index 5f229dd40a4..00000000000 --- a/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch +++ /dev/null @@ -1,58 +0,0 @@ -From fdea8bce372ab31562ece0fb8bf706052166a8c9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 May 2023 09:38:22 +0200 -Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe() - -From: Christophe JAILLET - -[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] - -Should orinoco_cs_config() fail, some resources need to be released as -already done in the remove function. - -While at it, remove a useless and erroneous comment. The probe is -orinoco_cs_probe(), not orinoco_cs_attach(). - -Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") -Signed-off-by: Christophe JAILLET -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c -index a956f965a1e5e..03bfd2482656c 100644 ---- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c -+++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c -@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link) - { - struct orinoco_private *priv; - struct orinoco_pccard *card; -+ int ret; - - priv = alloc_orinocodev(sizeof(*card), &link->dev, - orinoco_cs_hard_reset, NULL); -@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link) - card->p_dev = link; - link->priv = priv; - -- return orinoco_cs_config(link); --} /* orinoco_cs_attach */ -+ ret = orinoco_cs_config(link); -+ if (ret) -+ goto err_free_orinocodev; -+ -+ return 0; -+ -+err_free_orinocodev: -+ free_orinocodev(priv); -+ return ret; -+} - - static void orinoco_cs_detach(struct pcmcia_device *link) - { --- -2.39.2 - diff --git a/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch deleted file mode 100644 index 83af7fbc629..00000000000 --- a/queue-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 7a359d8680a5bf516024b7d91b9bde70a5f1ef76 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 May 2023 09:29:46 +0200 -Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe() - -From: Christophe JAILLET - -[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ] - -Should spectrum_cs_config() fail, some resources need to be released as -already done in the remove function. - -While at it, remove a useless and erroneous comment. The probe is -spectrum_cs_probe(), not spectrum_cs_attach(). - -Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") -Signed-off-by: Christophe JAILLET -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c -index b60048c95e0a8..011c86e55923e 100644 ---- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c -+++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c -@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link) - { - struct orinoco_private *priv; - struct orinoco_pccard *card; -+ int ret; - - priv = alloc_orinocodev(sizeof(*card), &link->dev, - spectrum_cs_hard_reset, -@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link) - card->p_dev = link; - link->priv = priv; - -- return spectrum_cs_config(link); --} /* spectrum_cs_attach */ -+ ret = spectrum_cs_config(link); -+ if (ret) -+ goto err_free_orinocodev; -+ -+ return 0; -+ -+err_free_orinocodev: -+ free_orinocodev(priv); -+ return ret; -+} - - static void spectrum_cs_detach(struct pcmcia_device *link) - { --- -2.39.2 - diff --git a/queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch deleted file mode 100644 index 4f8adcf5954..00000000000 --- a/queue-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 7d705b4ddd98b5603dec26cc74030feea2eebf60 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 Jun 2022 19:44:14 +0300 -Subject: wifi: ray_cs: Drop useless status variable in parse_addr() - -From: Andy Shevchenko - -[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ] - -The status variable assigned only once and used also only once. -Replace it's usage by actual value. - -Signed-off-by: Andy Shevchenko -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com -Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ray_cs.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c -index f15714f19d0ff..e5cdcee04615f 100644 ---- a/drivers/net/wireless/ray_cs.c -+++ b/drivers/net/wireless/ray_cs.c -@@ -1653,7 +1653,6 @@ static int parse_addr(char *in_str, UCHAR *out) - { - int i, k; - int len; -- int status; - - if (in_str == NULL) - return 0; -@@ -1662,7 +1661,6 @@ static int parse_addr(char *in_str, UCHAR *out) - return 0; - memset(out, 0, ADDRLEN); - -- status = 1; - i = 5; - - while (len > 0) { -@@ -1680,7 +1678,7 @@ static int parse_addr(char *in_str, UCHAR *out) - if (!i--) - break; - } -- return status; -+ return 1; - } - - /*===========================================================================*/ --- -2.39.2 - diff --git a/queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch deleted file mode 100644 index a6ad78e58ad..00000000000 --- a/queue-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch +++ /dev/null @@ -1,69 +0,0 @@ -From c56ebaf56992bd5ad91919e1bdb623475a1bc379 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 May 2023 10:13:22 +0200 -Subject: wifi: ray_cs: Fix an error handling path in ray_probe() - -From: Christophe JAILLET - -[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ] - -Should ray_config() fail, some resources need to be released as already -done in the remove function. - -While at it, remove a useless and erroneous comment. The probe is -ray_probe(), not ray_attach(). - -Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") -Signed-off-by: Christophe JAILLET -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ray_cs.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c -index e5cdcee04615f..edc990d099789 100644 ---- a/drivers/net/wireless/ray_cs.c -+++ b/drivers/net/wireless/ray_cs.c -@@ -282,13 +282,14 @@ static int ray_probe(struct pcmcia_device *p_dev) - { - ray_dev_t *local; - struct net_device *dev; -+ int ret; - - dev_dbg(&p_dev->dev, "ray_attach()\n"); - - /* Allocate space for private device-specific data */ - dev = alloc_etherdev(sizeof(ray_dev_t)); - if (!dev) -- goto fail_alloc_dev; -+ return -ENOMEM; - - local = netdev_priv(dev); - local->finder = p_dev; -@@ -325,11 +326,16 @@ static int ray_probe(struct pcmcia_device *p_dev) - timer_setup(&local->timer, NULL, 0); - - this_device = p_dev; -- return ray_config(p_dev); -+ ret = ray_config(p_dev); -+ if (ret) -+ goto err_free_dev; -+ -+ return 0; - --fail_alloc_dev: -- return -ENOMEM; --} /* ray_attach */ -+err_free_dev: -+ free_netdev(dev); -+ return ret; -+} - - static void ray_detach(struct pcmcia_device *link) - { --- -2.39.2 - diff --git a/queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch deleted file mode 100644 index df7e1dad046..00000000000 --- a/queue-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 39183f28dd2fa490bf43101f1f9693db74661545 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 Jun 2022 19:44:13 +0300 -Subject: wifi: ray_cs: Utilize strnlen() in parse_addr() - -From: Andy Shevchenko - -[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ] - -Instead of doing simple operations and using an additional variable on stack, -utilize strnlen() and reuse len variable. - -Signed-off-by: Andy Shevchenko -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com -Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ray_cs.c | 16 +++++++--------- - 1 file changed, 7 insertions(+), 9 deletions(-) - -diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c -index 8704bae39e1bf..f15714f19d0ff 100644 ---- a/drivers/net/wireless/ray_cs.c -+++ b/drivers/net/wireless/ray_cs.c -@@ -1651,31 +1651,29 @@ static void authenticate_timeout(struct timer_list *t) - /*===========================================================================*/ - static int parse_addr(char *in_str, UCHAR *out) - { -+ int i, k; - int len; -- int i, j, k; - int status; - - if (in_str == NULL) - return 0; -- if ((len = strlen(in_str)) < 2) -+ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1; -+ if (len < 1) - return 0; - memset(out, 0, ADDRLEN); - - status = 1; -- j = len - 1; -- if (j > 12) -- j = 12; - i = 5; - -- while (j > 0) { -- if ((k = hex_to_bin(in_str[j--])) != -1) -+ while (len > 0) { -+ if ((k = hex_to_bin(in_str[len--])) != -1) - out[i] = k; - else - return 0; - -- if (j == 0) -+ if (len == 0) - break; -- if ((k = hex_to_bin(in_str[j--])) != -1) -+ if ((k = hex_to_bin(in_str[len--])) != -1) - out[i] += k << 4; - else - return 0; --- -2.39.2 - diff --git a/queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch deleted file mode 100644 index 4ff8e9f0d4c..00000000000 --- a/queue-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 2a7df1bf66097f12bf14a803010334fd8c7d3260 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 28 May 2023 00:28:59 +0200 -Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown - -From: Marek Vasut - -[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] - -It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag -indicates to the MMC subsystem to keep the slot powered on during -suspend, but in shutdown the slot should actually be powered off. -Drop this call. - -Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") -Signed-off-by: Marek Vasut -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c -index 48efe83c58d89..409a3e8305763 100644 ---- a/drivers/net/wireless/rsi/rsi_91x_sdio.c -+++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c -@@ -1368,9 +1368,6 @@ static void rsi_shutdown(struct device *dev) - if (sdev->write_fail) - rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n"); - -- if (rsi_set_sdio_pm_caps(adapter)) -- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n"); -- - rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n"); - } - --- -2.39.2 - diff --git a/queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch deleted file mode 100644 index 42aaf2a63a3..00000000000 --- a/queue-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch +++ /dev/null @@ -1,71 +0,0 @@ -From eec6c0631c177e946a67d88280585b6f80934407 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 15 Jun 2023 12:04:07 -0600 -Subject: wifi: wext-core: Fix -Wstringop-overflow warning in - ioctl_standard_iw_point() - -From: Gustavo A. R. Silva - -[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] - --Wstringop-overflow is legitimately warning us about extra_size -pontentially being zero at some point, hence potenially ending -up _allocating_ zero bytes of memory for extra pointer and then -trying to access such object in a call to copy_from_user(). - -Fix this by adding a sanity check to ensure we never end up -trying to allocate zero bytes of data for extra pointer, before -continue executing the rest of the code in the function. - -Address the following -Wstringop-overflow warning seen when built -m68k architecture with allyesconfig configuration: - from net/wireless/wext-core.c:11: -In function '_copy_from_user', - inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, - inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: -arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] - 48 | #define memset(d, c, n) __builtin_memset(d, c, n) - | ^~~~~~~~~~~~~~~~~~~~~~~~~ -include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' - 153 | memset(to + (n - res), 0, res); - | ^~~~~~ -In function 'kmalloc', - inlined from 'kzalloc' at include/linux/slab.h:694:9, - inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: -include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' - 577 | return __kmalloc(size, flags); - | ^~~~~~~~~~~~~~~~~~~~~~ - -This help with the ongoing efforts to globally enable --Wstringop-overflow. - -Link: https://github.com/KSPP/linux/issues/315 -Signed-off-by: Gustavo A. R. Silva -Reviewed-by: Simon Horman -Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/wext-core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c -index 76a80a41615be..a57f54bc0e1a7 100644 ---- a/net/wireless/wext-core.c -+++ b/net/wireless/wext-core.c -@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, - } - } - -+ /* Sanity-check to ensure we never end up _allocating_ zero -+ * bytes of data for extra. -+ */ -+ if (extra_size <= 0) -+ return -EFAULT; -+ - /* kzalloc() ensures NULL-termination for essid_compat. */ - extra = kzalloc(extra_size, GFP_KERNEL); - if (!extra) --- -2.39.2 - diff --git a/queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch deleted file mode 100644 index a1abfa639d1..00000000000 --- a/queue-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 0ca96611eabb69439dd098fe35b02e57573d5f13 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 20 May 2023 10:05:08 +0200 -Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe() - -From: Christophe JAILLET - -[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] - -Should wl3501_config() fail, some resources need to be released as already -done in the remove function. - -Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") -Signed-off-by: Christophe JAILLET -Reviewed-by: Simon Horman -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/wl3501_cs.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c -index 46188a83d8be8..4380c5d8fdd27 100644 ---- a/drivers/net/wireless/wl3501_cs.c -+++ b/drivers/net/wireless/wl3501_cs.c -@@ -1863,6 +1863,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) - { - struct net_device *dev; - struct wl3501_card *this; -+ int ret; - - /* The io structure describes IO port mapping */ - p_dev->resource[0]->end = 16; -@@ -1874,8 +1875,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) - - dev = alloc_etherdev(sizeof(struct wl3501_card)); - if (!dev) -- goto out_link; -- -+ return -ENOMEM; - - dev->netdev_ops = &wl3501_netdev_ops; - dev->watchdog_timeo = 5 * HZ; -@@ -1888,9 +1888,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev) - netif_stop_queue(dev); - p_dev->priv = dev; - -- return wl3501_config(p_dev); --out_link: -- return -ENOMEM; -+ ret = wl3501_config(p_dev); -+ if (ret) -+ goto out_free_etherdev; -+ -+ return 0; -+ -+out_free_etherdev: -+ free_netdev(dev); -+ return ret; - } - - static int wl3501_config(struct pcmcia_device *link) --- -2.39.2 - diff --git a/queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch b/queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch deleted file mode 100644 index 6c04e488320..00000000000 --- a/queue-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 547b7019051a368a9dc01f5544d6bb44912e690b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 26 Aug 2020 10:33:51 +0100 -Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs - -From: Lee Jones - -[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ] - -Fixes the following W=1 kernel build warning(s): - - In file included from drivers/net/wireless/wl3501_cs.c:57: - drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' - drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel' - drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel' - drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla' - drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla' - drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt' - drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' - drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' - drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt' - drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt' - drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt' - drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt' - drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not described in 'wl3501_reset' - drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach' - -Cc: Kalle Valo -Cc: "David S. Miller" -Cc: Jakub Kicinski -Cc: Fox Chen -Cc: de Melo -Cc: Gustavo Niemeyer -Cc: linux-wireless@vger.kernel.org -Cc: netdev@vger.kernel.org -Signed-off-by: Lee Jones -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org -Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++---------- - 1 file changed, 12 insertions(+), 10 deletions(-) - -diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c -index cfde9b94b4b60..78c89e6421f97 100644 ---- a/drivers/net/wireless/wl3501_cs.c -+++ b/drivers/net/wireless/wl3501_cs.c -@@ -133,8 +133,8 @@ static const struct { - - /** - * iw_valid_channel - validate channel in regulatory domain -- * @reg_comain - regulatory domain -- * @channel - channel to validate -+ * @reg_comain: regulatory domain -+ * @channel: channel to validate - * - * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. - */ -@@ -153,7 +153,7 @@ static int iw_valid_channel(int reg_domain, int channel) - - /** - * iw_default_channel - get default channel for a regulatory domain -- * @reg_comain - regulatory domain -+ * @reg_domain: regulatory domain - * - * Returns the default channel for a regulatory domain - */ -@@ -236,6 +236,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this) - - /** - * wl3501_set_to_wla - Move 'size' bytes from PC to card -+ * @this: Card - * @dest: Card addressing space - * @src: PC addressing space - * @size: Bytes to move -@@ -258,6 +259,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src, - - /** - * wl3501_get_from_wla - Move 'size' bytes from card to PC -+ * @this: Card - * @src: Card addressing space - * @dest: PC addressing space - * @size: Bytes to move -@@ -454,7 +456,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) - - /** - * wl3501_send_pkt - Send a packet. -- * @this - card -+ * @this: Card - * - * Send a packet. - * -@@ -722,7 +724,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr) - - /** - * wl3501_block_interrupt - Mask interrupt from SUTRO -- * @this - card -+ * @this: Card - * - * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST) - * Return: 1 if interrupt is originally enabled -@@ -739,7 +741,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this) - - /** - * wl3501_unblock_interrupt - Enable interrupt from SUTRO -- * @this - card -+ * @this: Card - * - * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST) - * Return: 1 if interrupt is originally enabled -@@ -1113,8 +1115,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this) - - /** - * wl3501_interrupt - Hardware interrupt from card. -- * @irq - Interrupt number -- * @dev_id - net_device -+ * @irq: Interrupt number -+ * @dev_id: net_device - * - * We must acknowledge the interrupt as soon as possible, and block the - * interrupt from the same card immediately to prevent re-entry. -@@ -1252,7 +1254,7 @@ static int wl3501_close(struct net_device *dev) - - /** - * wl3501_reset - Reset the SUTRO. -- * @dev - network device -+ * @dev: network device - * - * It is almost the same as wl3501_open(). In fact, we may just wl3501_close() - * and wl3501_open() again, but I wouldn't like to free_irq() when the driver -@@ -1415,7 +1417,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev) - - /** - * wl3501_detach - deletes a driver "instance" -- * @link - FILL_IN -+ * @link: FILL_IN - * - * This deletes a driver "instance". The device is de-registered with Card - * Services. If it has been released, all local data structures are freed. --- -2.39.2 - diff --git a/queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch deleted file mode 100644 index 56f0c147769..00000000000 --- a/queue-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 95fa0eae9a65ac7aa9641b6c3e2e2baa5a405801 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 2 Nov 2020 11:23:53 +0000 -Subject: wl3501_cs: Fix misspelling and provide missing documentation - -From: Lee Jones - -[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ] - -Fixes the following W=1 kernel build warning(s): - - In file included from drivers/net/wireless/wl3501_cs.c:57: - drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' - drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel' - drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' - drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' - -Cc: Kalle Valo -Cc: "David S. Miller" -Cc: Jakub Kicinski -Cc: Fox Chen -Cc: de Melo -Cc: Gustavo Niemeyer -Cc: linux-wireless@vger.kernel.org -Cc: netdev@vger.kernel.org -Signed-off-by: Lee Jones -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org -Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/wl3501_cs.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c -index 5b2383270627c..c6d1a320e244f 100644 ---- a/drivers/net/wireless/wl3501_cs.c -+++ b/drivers/net/wireless/wl3501_cs.c -@@ -133,7 +133,7 @@ static const struct { - - /** - * iw_valid_channel - validate channel in regulatory domain -- * @reg_comain: regulatory domain -+ * @reg_domain: regulatory domain - * @channel: channel to validate - * - * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. -@@ -457,11 +457,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) - /** - * wl3501_send_pkt - Send a packet. - * @this: Card -- * -- * Send a packet. -- * -- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, -+ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, - * data[6] - data[11] is Src MAC Addr) -+ * @len: Packet length - * Ref: IEEE 802.11 - */ - static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) --- -2.39.2 - diff --git a/queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch b/queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch deleted file mode 100644 index dcbf81babcd..00000000000 --- a/queue-4.19/wl3501_cs-remove-unnecessary-null-check.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 21a78f971fc1457d7cca18d3b669df8c9ebe7e89 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 26 Sep 2020 18:45:58 +0100 -Subject: wl3501_cs: Remove unnecessary NULL check - -From: Alex Dewar - -[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ] - -In wl3501_detach(), link->priv is checked for a NULL value before being -passed to free_netdev(). However, it cannot be NULL at this point as it -has already been passed to other functions, so just remove the check. - -Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL) -Signed-off-by: Alex Dewar -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com -Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/wl3501_cs.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c -index 78c89e6421f97..5b2383270627c 100644 ---- a/drivers/net/wireless/wl3501_cs.c -+++ b/drivers/net/wireless/wl3501_cs.c -@@ -1438,9 +1438,7 @@ static void wl3501_detach(struct pcmcia_device *link) - wl3501_release(link); - - unregister_netdev(dev); -- -- if (link->priv) -- free_netdev(link->priv); -+ free_netdev(dev); - } - - static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info, --- -2.39.2 - diff --git a/queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch b/queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch deleted file mode 100644 index 9e978595232..00000000000 --- a/queue-4.19/wl3501_cs-use-eth_hw_addr_set.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 377134b648d92ee9684576ff1522558cbf0c7a5e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 18 Oct 2021 16:50:20 -0700 -Subject: wl3501_cs: use eth_hw_addr_set() - -From: Jakub Kicinski - -[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ] - -Commit 406f42fa0d3c ("net-next: When a bond have a massive amount -of VLANs...") introduced a rbtree for faster Ethernet address look -up. To maintain netdev->dev_addr in this tree we need to make all -the writes to it got through appropriate helpers. - -Signed-off-by: Jakub Kicinski -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org -Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/wl3501_cs.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c -index c6d1a320e244f..46188a83d8be8 100644 ---- a/drivers/net/wireless/wl3501_cs.c -+++ b/drivers/net/wireless/wl3501_cs.c -@@ -1946,8 +1946,7 @@ static int wl3501_config(struct pcmcia_device *link) - goto failed; - } - -- for (i = 0; i < 6; i++) -- dev->dev_addr[i] = ((char *)&this->mac_addr)[i]; -+ eth_hw_addr_set(dev, this->mac_addr); - - /* print probe information */ - printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, " --- -2.39.2 - diff --git a/queue-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch b/queue-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch deleted file mode 100644 index 3d6a67fa0d2..00000000000 --- a/queue-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch +++ /dev/null @@ -1,140 +0,0 @@ -From afa4bb778e48d79e4a642ed41e3b4e0de7489a6c Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Fri, 23 Jun 2023 12:08:14 -0700 -Subject: workqueue: clean up WORK_* constant types, clarify masking -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Linus Torvalds - -commit afa4bb778e48d79e4a642ed41e3b4e0de7489a6c upstream. - -Dave Airlie reports that gcc-13.1.1 has started complaining about some -of the workqueue code in 32-bit arm builds: - - kernel/workqueue.c: In function ‘get_work_pwq’: - kernel/workqueue.c:713:24: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] - 713 | return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); - | ^ - [ ... a couple of other cases ... ] - -and while it's not immediately clear exactly why gcc started complaining -about it now, I suspect it's some C23-induced enum type handlign fixup in -gcc-13 is the cause. - -Whatever the reason for starting to complain, the code and data types -are indeed disgusting enough that the complaint is warranted. - -The wq code ends up creating various "helper constants" (like that -WORK_STRUCT_WQ_DATA_MASK) using an enum type, which is all kinds of -confused. The mask needs to be 'unsigned long', not some unspecified -enum type. - -To make matters worse, the actual "mask and cast to a pointer" is -repeated a couple of times, and the cast isn't even always done to the -right pointer, but - as the error case above - to a 'void *' with then -the compiler finishing the job. - -That's now how we roll in the kernel. - -So create the masks using the proper types rather than some ambiguous -enumeration, and use a nice helper that actually does the type -conversion in one well-defined place. - -Incidentally, this magically makes clang generate better code. That, -admittedly, is really just a sign of clang having been seriously -confused before, and cleaning up the typing unconfuses the compiler too. - -Reported-by: Dave Airlie -Link: https://lore.kernel.org/lkml/CAPM=9twNnV4zMCvrPkw3H-ajZOH-01JVh_kDrxdPYQErz8ZTdA@mail.gmail.com/ -Cc: Arnd Bergmann -Cc: Tejun Heo -Cc: Nick Desaulniers -Cc: Nathan Chancellor -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/workqueue.h | 15 ++++++++------- - kernel/workqueue.c | 13 ++++++++----- - 2 files changed, 16 insertions(+), 12 deletions(-) - ---- a/include/linux/workqueue.h -+++ b/include/linux/workqueue.h -@@ -73,7 +73,6 @@ enum { - WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT, - - __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE, -- WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING), - - /* - * When a work item is off queue, its high bits point to the last -@@ -84,12 +83,6 @@ enum { - WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_BASE + WORK_OFFQ_FLAG_BITS, - WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT, - WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31, -- WORK_OFFQ_POOL_NONE = (1LU << WORK_OFFQ_POOL_BITS) - 1, -- -- /* convenience constants */ -- WORK_STRUCT_FLAG_MASK = (1UL << WORK_STRUCT_FLAG_BITS) - 1, -- WORK_STRUCT_WQ_DATA_MASK = ~WORK_STRUCT_FLAG_MASK, -- WORK_STRUCT_NO_POOL = (unsigned long)WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT, - - /* bit mask for work_busy() return values */ - WORK_BUSY_PENDING = 1 << 0, -@@ -99,6 +92,14 @@ enum { - WORKER_DESC_LEN = 24, - }; - -+/* Convenience constants - of type 'unsigned long', not 'enum'! */ -+#define WORK_OFFQ_CANCELING (1ul << __WORK_OFFQ_CANCELING) -+#define WORK_OFFQ_POOL_NONE ((1ul << WORK_OFFQ_POOL_BITS) - 1) -+#define WORK_STRUCT_NO_POOL (WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT) -+ -+#define WORK_STRUCT_FLAG_MASK ((1ul << WORK_STRUCT_FLAG_BITS) - 1) -+#define WORK_STRUCT_WQ_DATA_MASK (~WORK_STRUCT_FLAG_MASK) -+ - struct work_struct { - atomic_long_t data; - struct list_head entry; ---- a/kernel/workqueue.c -+++ b/kernel/workqueue.c -@@ -680,12 +680,17 @@ static void clear_work_data(struct work_ - set_work_data(work, WORK_STRUCT_NO_POOL, 0); - } - -+static inline struct pool_workqueue *work_struct_pwq(unsigned long data) -+{ -+ return (struct pool_workqueue *)(data & WORK_STRUCT_WQ_DATA_MASK); -+} -+ - static struct pool_workqueue *get_work_pwq(struct work_struct *work) - { - unsigned long data = atomic_long_read(&work->data); - - if (data & WORK_STRUCT_PWQ) -- return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); -+ return work_struct_pwq(data); - else - return NULL; - } -@@ -713,8 +718,7 @@ static struct worker_pool *get_work_pool - assert_rcu_or_pool_mutex(); - - if (data & WORK_STRUCT_PWQ) -- return ((struct pool_workqueue *) -- (data & WORK_STRUCT_WQ_DATA_MASK))->pool; -+ return work_struct_pwq(data)->pool; - - pool_id = data >> WORK_OFFQ_POOL_SHIFT; - if (pool_id == WORK_OFFQ_POOL_NONE) -@@ -735,8 +739,7 @@ static int get_work_pool_id(struct work_ - unsigned long data = atomic_long_read(&work->data); - - if (data & WORK_STRUCT_PWQ) -- return ((struct pool_workqueue *) -- (data & WORK_STRUCT_WQ_DATA_MASK))->pool->id; -+ return work_struct_pwq(data)->pool->id; - - return data >> WORK_OFFQ_POOL_SHIFT; - } diff --git a/queue-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch b/queue-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch deleted file mode 100644 index 631b2772a18..00000000000 --- a/queue-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch +++ /dev/null @@ -1,91 +0,0 @@ -From f9c9987bf52f4e42e940ae217333ebb5a4c3b506 Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Thu, 15 Jun 2023 22:33:55 +0200 -Subject: x86/smp: Use dedicated cache-line for mwait_play_dead() - -From: Thomas Gleixner - -commit f9c9987bf52f4e42e940ae217333ebb5a4c3b506 upstream. - -Monitoring idletask::thread_info::flags in mwait_play_dead() has been an -obvious choice as all what is needed is a cache line which is not written -by other CPUs. - -But there is a use case where a "dead" CPU needs to be brought out of -MWAIT: kexec(). - -This is required as kexec() can overwrite text, pagetables, stacks and the -monitored cacheline of the original kernel. The latter causes MWAIT to -resume execution which obviously causes havoc on the kexec kernel which -results usually in triple faults. - -Use a dedicated per CPU storage to prepare for that. - -Signed-off-by: Thomas Gleixner -Reviewed-by: Ashok Raj -Reviewed-by: Borislav Petkov (AMD) -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/r/20230615193330.434553750@linutronix.de -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/smpboot.c | 24 ++++++++++++++---------- - 1 file changed, 14 insertions(+), 10 deletions(-) - ---- a/arch/x86/kernel/smpboot.c -+++ b/arch/x86/kernel/smpboot.c -@@ -96,6 +96,17 @@ DEFINE_PER_CPU_READ_MOSTLY(cpumask_var_t - DEFINE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info); - EXPORT_PER_CPU_SYMBOL(cpu_info); - -+struct mwait_cpu_dead { -+ unsigned int control; -+ unsigned int status; -+}; -+ -+/* -+ * Cache line aligned data for mwait_play_dead(). Separate on purpose so -+ * that it's unlikely to be touched by other CPUs. -+ */ -+static DEFINE_PER_CPU_ALIGNED(struct mwait_cpu_dead, mwait_cpu_dead); -+ - /* Logical package management. We might want to allocate that dynamically */ - unsigned int __max_logical_packages __read_mostly; - EXPORT_SYMBOL(__max_logical_packages); -@@ -1594,10 +1605,10 @@ static bool wakeup_cpu0(void) - */ - static inline void mwait_play_dead(void) - { -+ struct mwait_cpu_dead *md = this_cpu_ptr(&mwait_cpu_dead); - unsigned int eax, ebx, ecx, edx; - unsigned int highest_cstate = 0; - unsigned int highest_subcstate = 0; -- void *mwait_ptr; - int i; - - if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) -@@ -1631,13 +1642,6 @@ static inline void mwait_play_dead(void) - (highest_subcstate - 1); - } - -- /* -- * This should be a memory location in a cache line which is -- * unlikely to be touched by other processors. The actual -- * content is immaterial as it is not actually modified in any way. -- */ -- mwait_ptr = ¤t_thread_info()->flags; -- - wbinvd(); - - while (1) { -@@ -1649,9 +1653,9 @@ static inline void mwait_play_dead(void) - * case where we return around the loop. - */ - mb(); -- clflush(mwait_ptr); -+ clflush(md); - mb(); -- __monitor(mwait_ptr, 0, 0); -+ __monitor(md, 0, 0); - mb(); - __mwait(eax, 0); - /* diff --git a/queue-4.19/xtensa-iss-fix-call-to-split_if_spec.patch b/queue-4.19/xtensa-iss-fix-call-to-split_if_spec.patch deleted file mode 100644 index 6eb37bc12de..00000000000 --- a/queue-4.19/xtensa-iss-fix-call-to-split_if_spec.patch +++ /dev/null @@ -1,34 +0,0 @@ -From bc8d5916541fa19ca5bc598eb51a5f78eb891a36 Mon Sep 17 00:00:00 2001 -From: Max Filippov -Date: Mon, 3 Jul 2023 11:01:42 -0700 -Subject: xtensa: ISS: fix call to split_if_spec - -From: Max Filippov - -commit bc8d5916541fa19ca5bc598eb51a5f78eb891a36 upstream. - -split_if_spec expects a NULL-pointer as an end marker for the argument -list, but tuntap_probe never supplied that terminating NULL. As a result -incorrectly formatted interface specification string may cause a crash -because of the random memory access. Fix that by adding NULL terminator -to the split_if_spec argument list. - -Cc: stable@vger.kernel.org -Fixes: 7282bee78798 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 8") -Signed-off-by: Max Filippov -Signed-off-by: Greg Kroah-Hartman ---- - arch/xtensa/platforms/iss/network.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/arch/xtensa/platforms/iss/network.c -+++ b/arch/xtensa/platforms/iss/network.c -@@ -236,7 +236,7 @@ static int tuntap_probe(struct iss_net_p - - init += sizeof(TRANSPORT_TUNTAP_NAME) - 1; - if (*init == ',') { -- rem = split_if_spec(init + 1, &mac_str, &dev_name); -+ rem = split_if_spec(init + 1, &mac_str, &dev_name, NULL); - if (rem != NULL) { - pr_err("%s: extra garbage on specification : '%s'\n", - dev->name, rem);