+++ /dev/null
-From 14eb61274e33ef7ccdbc22c5a5afca83678ede58 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Jul 2022 17:26:29 -0400
-Subject: __follow_mount_rcu(): verify that mount_lock remains unchanged
-
-From: Al Viro <viro@zeniv.linux.org.uk>
-
-[ Upstream commit 20aac6c60981f5bfacd66661d090d907bf1482f0 ]
-
-Validate mount_lock seqcount as soon as we cross into mount in RCU
-mode. Sure, ->mnt_root is pinned and will remain so until we
-do rcu_read_unlock() anyway, and we will eventually fail to unlazy if
-the mount_lock had been touched, but we might run into a hard error
-(e.g. -ENOENT) before trying to unlazy. And it's possible to end
-up with RCU pathwalk racing with rename() and umount() in a way
-that would fail with -ENOENT while non-RCU pathwalk would've
-succeeded with any timings.
-
-Once upon a time we hadn't needed that, but analysis had been subtle,
-brittle and went out of window as soon as RENAME_EXCHANGE had been
-added.
-
-It's narrow, hard to hit and won't get you anything other than
-stray -ENOENT that could be arranged in much easier way with the
-same priveleges, but it's a bug all the same.
-
-Cc: stable@kernel.org
-X-sky-is-falling: unlikely
-Fixes: da1ce0670c14 "vfs: add cross-rename"
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/namei.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index 1f28d3f463c3..4dbf55b37ec6 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1505,6 +1505,8 @@ static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
- * becoming unpinned.
- */
- flags = dentry->d_flags;
-+ if (read_seqretry(&mount_lock, nd->m_seq))
-+ return false;
- continue;
- }
- if (read_seqretry(&mount_lock, nd->m_seq))
---
-2.35.1
-
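Review bot: the new read_seqretry(&mount_lock, nd->m_seq) check placed just before the continue has no comment, and the context line after the closing brace shows what looks like the same check again, so it reads as redundant. A one-line comment would help: the sequence has to be validated as soon as the walk crosses into the mount, because a hard error such as -ENOENT can be returned before unlazy notices the change. The Fixes: line also quotes the subject without the usual parentheses, i.e. Fixes: da1ce0670c14 ("vfs: add cross-rename").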
+++ /dev/null
-From 9305db9f54d884157d6086c63315de25fc2537bb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Jul 2022 09:05:15 +0800
-Subject: ALSA: bcd2000: Fix a UAF bug on the error path of probing
-
-From: Zheyu Ma <zheyuma97@gmail.com>
-
-[ Upstream commit ffb2759df7efbc00187bfd9d1072434a13a54139 ]
-
-When the driver fails in snd_card_register() at probe time, it will free
-the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.
-
-The following log can reveal it:
-
-[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
-[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
-[ 50.729530] Call Trace:
-[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
-
-Fix this by adding usb_kill_urb() before usb_free_urb().
-
-Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device")
-Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/usb/bcd2000/bcd2000.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c
-index cd4a0bc6d278..7aec0a95c609 100644
---- a/sound/usb/bcd2000/bcd2000.c
-+++ b/sound/usb/bcd2000/bcd2000.c
-@@ -348,7 +348,8 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k)
- static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k,
- struct usb_interface *interface)
- {
-- /* usb_kill_urb not necessary, urb is aborted automatically */
-+ usb_kill_urb(bcd2k->midi_out_urb);
-+ usb_kill_urb(bcd2k->midi_in_urb);
-
- usb_free_urb(bcd2k->midi_out_urb);
- usb_free_urb(bcd2k->midi_in_urb);
---
-2.35.1
-
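Review bot: the comment removed from bcd2000_free_usb_related_resources() claimed the URBs are aborted automatically, and nothing replaces it to say why the explicit usb_kill_urb() calls must now precede usb_free_urb(). A short comment that a completion handler can still run on the snd_card_register() failure path would record the reason. The commit message also names only 'bcd2k->midi_out_urb' while the KASAN trace is in bcd2000_input_complete and the fix kills both URBs, so the description should name the URB whose completion actually touched the freed memory.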
+++ /dev/null
-From ec205a0c7a273c9b18e5866c366403ce72bde318 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 30 Jul 2022 21:22:43 -0600
-Subject: ALSA: hda/realtek: Add quirk for Clevo NV45PZ
-
-From: Tim Crawford <tcrawford@system76.com>
-
-[ Upstream commit be561ffad708f0cee18aee4231f80ffafaf7a419 ]
-
-Fixes headset detection on Clevo NV45PZ.
-
-Signed-off-by: Tim Crawford <tcrawford@system76.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20220731032243.4300-1-tcrawford@system76.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/hda/patch_realtek.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 2f55bc43bfa9..6a65b962e96d 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -9203,6 +9203,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
- SND_PCI_QUIRK(0x1558, 0x4018, "Clevo NV40M[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1558, 0x4019, "Clevo NV40MZ", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1558, 0x4020, "Clevo NV40MB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
-+ SND_PCI_QUIRK(0x1558, 0x4041, "Clevo NV4[15]PZ", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1558, 0x40a1, "Clevo NL40GU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1558, 0x40c1, "Clevo NL40[CZ]U", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
- SND_PCI_QUIRK(0x1558, 0x40d1, "Clevo NL41DU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
---
-2.35.1
-
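Review bot: the subject and message mention only the NV45PZ, but the added entry for SSID 0x1558:0x4041 is named "Clevo NV4[15]PZ" and so claims the NV41PZ as well; the message should say that both models share this subsystem ID. The entry also uses ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE while every neighbouring Clevo entry in the context uses the ALC293 variant, which deserves a word about the codec so it does not read as a typo.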
+++ /dev/null
-From e0d45922b6479d94a947996ea00a627b829dfb4d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Aug 2022 18:40:01 +0200
-Subject: ALSA: hda/realtek: Add quirk for HP Spectre x360 15-eb0xxx
-
-From: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
-
-[ Upstream commit 24df5428ef9d1ca1edd54eca7eb667110f2dfae3 ]
-
-Fixes speaker output on HP Spectre x360 15-eb0xxx
-
-[ re-sorted in SSID order by tiwai ]
-
-Signed-off-by: Ivan Hasenkampf <ivan.hasenkampf@gmail.com>
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20220803164001.290394-1-ivan.hasenkampf@gmail.com
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/pci/hda/patch_realtek.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 6a65b962e96d..93680621c90f 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -9044,6 +9044,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
- SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
- SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
- SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
-+ SND_PCI_QUIRK(0x103c, 0x86e7, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
-+ SND_PCI_QUIRK(0x103c, 0x86e8, "HP Spectre x360 15-eb0xxx", ALC285_FIXUP_HP_SPECTRE_X360_EB1),
- SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
- SND_PCI_QUIRK(0x103c, 0x8720, "HP EliteBook x360 1040 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
- SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
---
-2.35.1
-
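Review bot: both added entries (0x103c:0x86e7 and 0x103c:0x86e8) carry the same name string and point at ALC285_FIXUP_HP_SPECTRE_X360_EB1, a fixup whose name says EB1 while the subject says 15-eb0xxx. The message should say why two subsystem IDs are needed and that reusing the EB1 fixup for this model is intentional.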
+++ /dev/null
-From 03c77c56dcd131bc52f4fee118914a7ca7899ceb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 22 Jul 2022 16:39:48 +0200
-Subject: ALSA: usb-audio: Add quirk for Behringer UMC202HD
-
-From: Takashi Iwai <tiwai@suse.de>
-
-[ Upstream commit e086c37f876fd1f551e2b4f9be97d4a1923cd219 ]
-
-Just like other Behringer models, UMC202HD (USB ID 1397:0507) requires
-the quirk for the stable streaming, too.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215934
-Cc: <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20220722143948.29804-1-tiwai@suse.de
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- sound/usb/quirks.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
-index 968d90caeefa..168fd802d70b 100644
---- a/sound/usb/quirks.c
-+++ b/sound/usb/quirks.c
-@@ -1843,6 +1843,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
- QUIRK_FLAG_SHARE_MEDIA_DEVICE | QUIRK_FLAG_ALIGN_TRANSFER),
- DEVICE_FLG(0x1395, 0x740a, /* Sennheiser DECT */
- QUIRK_FLAG_GET_SAMPLE_RATE),
-+ DEVICE_FLG(0x1397, 0x0507, /* Behringer UMC202HD */
-+ QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
- DEVICE_FLG(0x1397, 0x0508, /* Behringer UMC204HD */
- QUIRK_FLAG_PLAYBACK_FIRST | QUIRK_FLAG_GENERIC_IMPLICIT_FB),
- DEVICE_FLG(0x1397, 0x0509, /* Behringer UMC404HD */
---
-2.35.1
-
+++ /dev/null
-From b4923067cbd4e5d5d7227feb103adcbdacae9b80 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Aug 2022 22:36:25 +0900
-Subject: ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC
-
-From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
-
-[ Upstream commit 9b0dc7abb5cc43a2dbf90690c3c6011dcadc574d ]
-
-An interrupt for USB device are shared with USB host. Set interrupt-names
-property to common "dwc_usb3" instead of "host" and "peripheral".
-
-Cc: stable@vger.kernel.org
-Fixes: 45be1573ad19 ("ARM: dts: uniphier: Add USB3 controller nodes")
-Reported-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
-Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/boot/dts/uniphier-pxs2.dtsi | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arm/boot/dts/uniphier-pxs2.dtsi b/arch/arm/boot/dts/uniphier-pxs2.dtsi
-index e81e5937a60a..03301ddb3403 100644
---- a/arch/arm/boot/dts/uniphier-pxs2.dtsi
-+++ b/arch/arm/boot/dts/uniphier-pxs2.dtsi
-@@ -597,8 +597,8 @@ usb0: usb@65a00000 {
- compatible = "socionext,uniphier-dwc3", "snps,dwc3";
- status = "disabled";
- reg = <0x65a00000 0xcd00>;
-- interrupt-names = "host", "peripheral";
-- interrupts = <0 134 4>, <0 135 4>;
-+ interrupt-names = "dwc_usb3";
-+ interrupts = <0 134 4>;
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>;
- clock-names = "ref", "bus_early", "suspend";
-@@ -693,8 +693,8 @@ usb1: usb@65c00000 {
- compatible = "socionext,uniphier-dwc3", "snps,dwc3";
- status = "disabled";
- reg = <0x65c00000 0xcd00>;
-- interrupt-names = "host", "peripheral";
-- interrupts = <0 137 4>, <0 138 4>;
-+ interrupt-names = "dwc_usb3";
-+ interrupts = <0 137 4>;
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>;
- clock-names = "ref", "bus_early", "suspend";
---
-2.35.1
-
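Review bot: in both the usb0 and usb1 hunks the second interrupt specifier is dropped along with the rename (<0 135 4> and <0 138 4> disappear), but the message only talks about setting interrupt-names to "dwc_usb3". Please state that the separate peripheral interrupt entry is removed and that 134 and 137 are the shared lines, so the reader does not have to infer it from the diff.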
+++ /dev/null
-From 2a0fbcf58cb586a5517846eeb48180483653574a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Aug 2022 22:36:47 +0900
-Subject: arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC
-
-From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
-
-[ Upstream commit fe17b91a7777df140d0f1433991da67ba658796c ]
-
-An interrupt for USB device are shared with USB host. Set interrupt-names
-property to common "dwc_usb3" instead of "host" and "peripheral".
-
-Cc: stable@vger.kernel.org
-Fixes: d7b9beb830d7 ("arm64: dts: uniphier: Add USB3 controller nodes")
-Reported-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
-Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
-Signed-off-by: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
-index be97da132258..ba75adedbf79 100644
---- a/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
-+++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3.dtsi
-@@ -599,8 +599,8 @@ usb0: usb@65a00000 {
- compatible = "socionext,uniphier-dwc3", "snps,dwc3";
- status = "disabled";
- reg = <0x65a00000 0xcd00>;
-- interrupt-names = "host", "peripheral";
-- interrupts = <0 134 4>, <0 135 4>;
-+ interrupt-names = "dwc_usb3";
-+ interrupts = <0 134 4>;
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_usb0>, <&pinctrl_usb2>;
- clock-names = "ref", "bus_early", "suspend";
-@@ -701,8 +701,8 @@ usb1: usb@65c00000 {
- compatible = "socionext,uniphier-dwc3", "snps,dwc3";
- status = "disabled";
- reg = <0x65c00000 0xcd00>;
-- interrupt-names = "host", "peripheral";
-- interrupts = <0 137 4>, <0 138 4>;
-+ interrupt-names = "dwc_usb3";
-+ interrupts = <0 137 4>;
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_usb1>, <&pinctrl_usb3>;
- clock-names = "ref", "bus_early", "suspend";
---
-2.35.1
-
+++ /dev/null
-From 98b8d2386f7e0243a609a693968681f979d159f1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 17 May 2022 11:04:20 -0700
-Subject: bpf: Fix KASAN use-after-free Read in compute_effective_progs
-
-From: Tadeusz Struk <tadeusz.struk@linaro.org>
-
-[ Upstream commit 4c46091ee985ae84c60c5e95055d779fcd291d87 ]
-
-Syzbot found a Use After Free bug in compute_effective_progs().
-The reproducer creates a number of BPF links, and causes a fault
-injected alloc to fail, while calling bpf_link_detach on them.
-Link detach triggers the link to be freed by bpf_link_free(),
-which calls __cgroup_bpf_detach() and update_effective_progs().
-If the memory allocation in this function fails, the function restores
-the pointer to the bpf_cgroup_link on the cgroup list, but the memory
-gets freed just after it returns. After this, every subsequent call to
-update_effective_progs() causes this already deallocated pointer to be
-dereferenced in prog_list_length(), and triggers KASAN UAF error.
-
-To fix this issue don't preserve the pointer to the prog or link in the
-list, but remove it and replace it with a dummy prog without shrinking
-the table. The subsequent call to __cgroup_bpf_detach() or
-__cgroup_bpf_detach() will correct it.
-
-Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
-Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com>
-Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
-Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
-Cc: <stable@vger.kernel.org>
-Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
-Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/cgroup.c | 70 ++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 60 insertions(+), 10 deletions(-)
-
-diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
-index afb414b26d01..7a394f7c205c 100644
---- a/kernel/bpf/cgroup.c
-+++ b/kernel/bpf/cgroup.c
-@@ -720,6 +720,60 @@ static struct bpf_prog_list *find_detach_entry(struct list_head *progs,
- return ERR_PTR(-ENOENT);
- }
-
-+/**
-+ * purge_effective_progs() - After compute_effective_progs fails to alloc new
-+ * cgrp->bpf.inactive table we can recover by
-+ * recomputing the array in place.
-+ *
-+ * @cgrp: The cgroup which descendants to travers
-+ * @prog: A program to detach or NULL
-+ * @link: A link to detach or NULL
-+ * @atype: Type of detach operation
-+ */
-+static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog *prog,
-+ struct bpf_cgroup_link *link,
-+ enum cgroup_bpf_attach_type atype)
-+{
-+ struct cgroup_subsys_state *css;
-+ struct bpf_prog_array *progs;
-+ struct bpf_prog_list *pl;
-+ struct list_head *head;
-+ struct cgroup *cg;
-+ int pos;
-+
-+ /* recompute effective prog array in place */
-+ css_for_each_descendant_pre(css, &cgrp->self) {
-+ struct cgroup *desc = container_of(css, struct cgroup, self);
-+
-+ if (percpu_ref_is_zero(&desc->bpf.refcnt))
-+ continue;
-+
-+ /* find position of link or prog in effective progs array */
-+ for (pos = 0, cg = desc; cg; cg = cgroup_parent(cg)) {
-+ if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))
-+ continue;
-+
-+ head = &cg->bpf.progs[atype];
-+ list_for_each_entry(pl, head, node) {
-+ if (!prog_list_prog(pl))
-+ continue;
-+ if (pl->prog == prog && pl->link == link)
-+ goto found;
-+ pos++;
-+ }
-+ }
-+found:
-+ BUG_ON(!cg);
-+ progs = rcu_dereference_protected(
-+ desc->bpf.effective[atype],
-+ lockdep_is_held(&cgroup_mutex));
-+
-+ /* Remove the program from the array */
-+ WARN_ONCE(bpf_prog_array_delete_safe_at(progs, pos),
-+ "Failed to purge a prog from array at index %d", pos);
-+ }
-+}
-+
- /**
- * __cgroup_bpf_detach() - Detach the program or link from a cgroup, and
- * propagate the change to descendants
-@@ -739,7 +793,6 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
- struct bpf_prog_list *pl;
- struct list_head *progs;
- u32 flags;
-- int err;
-
- atype = to_cgroup_bpf_attach_type(type);
- if (atype < 0)
-@@ -761,9 +814,12 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
- pl->prog = NULL;
- pl->link = NULL;
-
-- err = update_effective_progs(cgrp, atype);
-- if (err)
-- goto cleanup;
-+ if (update_effective_progs(cgrp, atype)) {
-+ /* if update effective array failed replace the prog with a dummy prog*/
-+ pl->prog = old_prog;
-+ pl->link = link;
-+ purge_effective_progs(cgrp, old_prog, link, atype);
-+ }
-
- /* now can actually delete it from this cgroup list */
- list_del(&pl->node);
-@@ -775,12 +831,6 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
- bpf_prog_put(old_prog);
- static_branch_dec(&cgroup_bpf_enabled_key[atype]);
- return 0;
--
--cleanup:
-- /* restore back prog or link */
-- pl->prog = old_prog;
-- pl->link = link;
-- return err;
- }
-
- static int cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
---
-2.35.1
-
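Review bot: purge_effective_progs() ends its search with BUG_ON(!cg) after the found: label, so if the prog/link pair is not matched while walking from desc up through cgroup_parent(), a recovery path that exists only to survive an allocation failure takes the whole kernel down. A WARN_ON_ONCE with a continue to the next descendant would fit the WARN_ONCE already used a few lines later for bpf_prog_array_delete_safe_at(). In __cgroup_bpf_detach() the new comment says the prog is replaced with a dummy prog, yet the lines under it restore pl->prog and pl->link so that the purge can match them; the comment should say that, and also that the function now returns 0 even when update_effective_progs() failed.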
+++ /dev/null
-From ce8a11f5c1af5069d3c52bc8a1d74d83d8775bb8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 Jun 2022 19:48:24 +0800
-Subject: btrfs: reject log replay if there is unsupported RO compat flag
-
-From: Qu Wenruo <wqu@suse.com>
-
-[ Upstream commit dc4d31684974d140250f3ee612c3f0cab13b3146 ]
-
-[BUG]
-If we have a btrfs image with dirty log, along with an unsupported RO
-compatible flag:
-
-log_root 30474240
-...
-compat_flags 0x0
-compat_ro_flags 0x40000003
- ( FREE_SPACE_TREE |
- FREE_SPACE_TREE_VALID |
- unknown flag: 0x40000000 )
-
-Then even if we can only mount it RO, we will still cause metadata
-update for log replay:
-
- BTRFS info (device dm-1): flagging fs with big metadata feature
- BTRFS info (device dm-1): using free space tree
- BTRFS info (device dm-1): has skinny extents
- BTRFS info (device dm-1): start tree-log replay
-
-This is definitely against RO compact flag requirement.
-
-[CAUSE]
-RO compact flag only forces us to do RO mount, but we will still do log
-replay for plain RO mount.
-
-Thus this will result us to do log replay and update metadata.
-
-This can be very problematic for new RO compat flag, for example older
-kernel can not understand v2 cache, and if we allow metadata update on
-RO mount and invalidate/corrupt v2 cache.
-
-[FIX]
-Just reject the mount unless rescue=nologreplay is provided:
-
- BTRFS error (device dm-1): cannot replay dirty log with unsupport optional features (0x40000000), try rescue=nologreplay instead
-
-We don't want to set rescue=nologreply directly, as this would make the
-end user to read the old data, and cause confusion.
-
-Since the such case is really rare, we're mostly fine to just reject the
-mount with an error message, which also includes the proper workaround.
-
-CC: stable@vger.kernel.org #4.9+
-Signed-off-by: Qu Wenruo <wqu@suse.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/btrfs/disk-io.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
-index de440ebf5648..8daa5bb93a4c 100644
---- a/fs/btrfs/disk-io.c
-+++ b/fs/btrfs/disk-io.c
-@@ -3670,6 +3670,20 @@ int __cold open_ctree(struct super_block *sb, struct btrfs_fs_devices *fs_device
- err = -EINVAL;
- goto fail_alloc;
- }
-+ /*
-+ * We have unsupported RO compat features, although RO mounted, we
-+ * should not cause any metadata write, including log replay.
-+ * Or we could screw up whatever the new feature requires.
-+ */
-+ if (unlikely(features && btrfs_super_log_root(disk_super) &&
-+ !btrfs_test_opt(fs_info, NOLOGREPLAY))) {
-+ btrfs_err(fs_info,
-+"cannot replay dirty log with unsupported compat_ro features (0x%llx), try rescue=nologreplay",
-+ features);
-+ err = -EINVAL;
-+ goto fail_alloc;
-+ }
-+
-
- if (sectorsize < PAGE_SIZE) {
- struct btrfs_subpage_info *subpage_info;
---
-2.35.1
-
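Review bot: the error string added in open_ctree() ("cannot replay dirty log with unsupported compat_ro features (0x%llx), try rescue=nologreplay") is not the one quoted in the commit message ("... with unsupport optional features (0x40000000), try rescue=nologreplay instead"), so anyone searching logs for the documented text will not find it; make the two agree. The hunk also leaves two consecutive blank lines after the new block, and the message spells the option rescue=nologreply in one place.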
+++ /dev/null
-From 8eeb51ad2a4674628201ee893e70546808e56fb4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Jun 2022 22:40:24 +0100
-Subject: coresight: Clear the connection field properly
-
-From: Suzuki K Poulose <suzuki.poulose@arm.com>
-
-[ Upstream commit 2af89ebacf299b7fba5f3087d35e8a286ec33706 ]
-
-coresight devices track their connections (output connections) and
-hold a reference to the fwnode. When a device goes away, we walk through
-the devices on the coresight bus and make sure that the references
-are dropped. This happens both ways:
- a) For all output connections from the device, drop the reference to
- the target device via coresight_release_platform_data()
-
-b) Iterate over all the devices on the coresight bus and drop the
- reference to fwnode if *this* device is the target of the output
- connection, via coresight_remove_conns()->coresight_remove_match().
-
-However, the coresight_remove_match() doesn't clear the fwnode field,
-after dropping the reference, this causes use-after-free and
-additional refcount drops on the fwnode.
-
-e.g., if we have two devices, A and B, with a connection, A -> B.
-If we remove B first, B would clear the reference on B, from A
-via coresight_remove_match(). But when A is removed, it still has
-a connection with fwnode still pointing to B. Thus it tries to drops
-the reference in coresight_release_platform_data(), raising the bells
-like :
-
-[ 91.990153] ------------[ cut here ]------------
-[ 91.990163] refcount_t: addition on 0; use-after-free.
-[ 91.990212] WARNING: CPU: 0 PID: 461 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144
-[ 91.990260] Modules linked in: coresight_funnel coresight_replicator coresight_etm4x(-)
- crct10dif_ce coresight ip_tables x_tables ipv6 [last unloaded: coresight_cpu_debug]
-[ 91.990398] CPU: 0 PID: 461 Comm: rmmod Tainted: G W T 5.19.0-rc2+ #53
-[ 91.990418] Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb 1 2019
-[ 91.990434] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
-[ 91.990454] pc : refcount_warn_saturate+0xa0/0x144
-[ 91.990476] lr : refcount_warn_saturate+0xa0/0x144
-[ 91.990496] sp : ffff80000c843640
-[ 91.990509] x29: ffff80000c843640 x28: ffff800009957c28 x27: ffff80000c8439a8
-[ 91.990560] x26: ffff00097eff1990 x25: ffff8000092b6ad8 x24: ffff00097eff19a8
-[ 91.990610] x23: ffff80000c8439a8 x22: 0000000000000000 x21: ffff80000c8439c2
-[ 91.990659] x20: 0000000000000000 x19: ffff00097eff1a10 x18: ffff80000ab99c40
-[ 91.990708] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80000abf6fa0
-[ 91.990756] x14: 000000000000001d x13: 0a2e656572662d72 x12: 657466612d657375
-[ 91.990805] x11: 203b30206e6f206e x10: 6f69746964646120 x9 : ffff8000081aba28
-[ 91.990854] x8 : 206e6f206e6f6974 x7 : 69646461203a745f x6 : 746e756f63666572
-[ 91.990903] x5 : ffff00097648ec58 x4 : 0000000000000000 x3 : 0000000000000027
-[ 91.990952] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00080260ba00
-[ 91.991000] Call trace:
-[ 91.991012] refcount_warn_saturate+0xa0/0x144
-[ 91.991034] kobject_get+0xac/0xb0
-[ 91.991055] of_node_get+0x2c/0x40
-[ 91.991076] of_fwnode_get+0x40/0x60
-[ 91.991094] fwnode_handle_get+0x3c/0x60
-[ 91.991116] fwnode_get_nth_parent+0xf4/0x110
-[ 91.991137] fwnode_full_name_string+0x48/0xc0
-[ 91.991158] device_node_string+0x41c/0x530
-[ 91.991178] pointer+0x320/0x3ec
-[ 91.991198] vsnprintf+0x23c/0x750
-[ 91.991217] vprintk_store+0x104/0x4b0
-[ 91.991238] vprintk_emit+0x8c/0x360
-[ 91.991257] vprintk_default+0x44/0x50
-[ 91.991276] vprintk+0xcc/0xf0
-[ 91.991295] _printk+0x68/0x90
-[ 91.991315] of_node_release+0x13c/0x14c
-[ 91.991334] kobject_put+0x98/0x114
-[ 91.991354] of_node_put+0x24/0x34
-[ 91.991372] of_fwnode_put+0x40/0x5c
-[ 91.991390] fwnode_handle_put+0x38/0x50
-[ 91.991411] coresight_release_platform_data+0x74/0xb0 [coresight]
-[ 91.991472] coresight_unregister+0x64/0xcc [coresight]
-[ 91.991525] etm4_remove_dev+0x64/0x78 [coresight_etm4x]
-[ 91.991563] etm4_remove_amba+0x1c/0x2c [coresight_etm4x]
-[ 91.991598] amba_remove+0x3c/0x19c
-
-Reproducible by: (Build all coresight components as modules):
-
- #!/bin/sh
- while true
- do
- for m in tmc stm cpu_debug etm4x replicator funnel
- do
- modprobe coresight_${m}
- done
-
- for m in tmc stm cpu_debug etm4x replicator funnel
- do
- rmmode coresight_${m}
- done
- done
-
-Cc: stable@vger.kernel.org
-Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
-Cc: Mike Leach <mike.leach@linaro.org>
-Cc: Leo Yan <leo.yan@linaro.org>
-Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
-Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names")
-Link: https://lore.kernel.org/r/20220614214024.3005275-1-suzuki.poulose@arm.com
-Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hwtracing/coresight/coresight-core.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c
-index ee6ce92ab4c3..1edfec1e9d18 100644
---- a/drivers/hwtracing/coresight/coresight-core.c
-+++ b/drivers/hwtracing/coresight/coresight-core.c
-@@ -1424,6 +1424,7 @@ static int coresight_remove_match(struct device *dev, void *data)
- * platform data.
- */
- fwnode_handle_put(conn->child_fwnode);
-+ conn->child_fwnode = NULL;
- /* No need to continue */
- break;
- }
---
-2.35.1
-
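Review bot: setting conn->child_fwnode = NULL after fwnode_handle_put() in coresight_remove_match() only closes the double put if the later fwnode_handle_put() in coresight_release_platform_data() (the frame shown in the trace) is safe on a NULL handle; the message should state that this is relied on. The reproducer script in the message calls 'rmmode' where rmmod is meant, so the unload half of the loop fails as written.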
+++ /dev/null
-From 3d3deb65f4881a79e177b5234f8547c5c212e78e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 18 May 2022 15:31:26 +0000
-Subject: crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel
- memory leak
-
-From: John Allen <john.allen@amd.com>
-
-[ Upstream commit 13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae ]
-
-For some sev ioctl interfaces, input may be passed that is less than or
-equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP
-firmware returns. In this case, kmalloc will allocate memory that is the
-size of the input rather than the size of the data. Since PSP firmware
-doesn't fully overwrite the buffer, the sev ioctl interfaces with the
-issue may return uninitialized slab memory.
-
-Currently, all of the ioctl interfaces in the ccp driver are safe, but
-to prevent future problems, change all ioctl interfaces that allocate
-memory with kmalloc to use kzalloc and memset the data buffer to zero
-in sev_ioctl_do_platform_status.
-
-Fixes: 38103671aad3 ("crypto: ccp: Use the stack and common buffer for status commands")
-Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
-Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
-Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command")
-Cc: stable@vger.kernel.org
-Reported-by: Andy Nguyen <theflow@google.com>
-Suggested-by: David Rientjes <rientjes@google.com>
-Suggested-by: Peter Gonda <pgonda@google.com>
-Signed-off-by: John Allen <john.allen@amd.com>
-Reviewed-by: Peter Gonda <pgonda@google.com>
-Acked-by: David Rientjes <rientjes@google.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/crypto/ccp/sev-dev.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
-index 799b476fc3e8..0c92d940ac4e 100644
---- a/drivers/crypto/ccp/sev-dev.c
-+++ b/drivers/crypto/ccp/sev-dev.c
-@@ -577,6 +577,8 @@ static int sev_ioctl_do_platform_status(struct sev_issue_cmd *argp)
- struct sev_user_data_status data;
- int ret;
-
-+ memset(&data, 0, sizeof(data));
-+
- ret = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, &argp->error);
- if (ret)
- return ret;
-@@ -630,7 +632,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable)
- if (input.length > SEV_FW_BLOB_MAX_SIZE)
- return -EFAULT;
-
-- blob = kmalloc(input.length, GFP_KERNEL);
-+ blob = kzalloc(input.length, GFP_KERNEL);
- if (!blob)
- return -ENOMEM;
-
-@@ -854,7 +856,7 @@ static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp)
- input_address = (void __user *)input.address;
-
- if (input.address && input.length) {
-- id_blob = kmalloc(input.length, GFP_KERNEL);
-+ id_blob = kzalloc(input.length, GFP_KERNEL);
- if (!id_blob)
- return -ENOMEM;
-
-@@ -973,14 +975,14 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable)
- if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE)
- return -EFAULT;
-
-- pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL);
-+ pdh_blob = kzalloc(input.pdh_cert_len, GFP_KERNEL);
- if (!pdh_blob)
- return -ENOMEM;
-
- data.pdh_cert_address = __psp_pa(pdh_blob);
- data.pdh_cert_len = input.pdh_cert_len;
-
-- cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL);
-+ cert_blob = kzalloc(input.cert_chain_len, GFP_KERNEL);
- if (!cert_blob) {
- ret = -ENOMEM;
- goto e_free_pdh;
---
-2.35.1
-
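Review bot: the subject calls this a "kernel memory leak", but what the kmalloc to kzalloc changes in sev_ioctl_do_pek_csr(), sev_ioctl_do_get_id2() and sev_ioctl_do_pdh_export() address is disclosure of uninitialized slab contents to the caller, as the body itself says; "information leak" or "uninitialized memory disclosure" would avoid confusion with unfreed memory. The body also says all ioctl interfaces are currently safe while carrying four Fixes: tags and a stable Cc, so it should say which interfaces were affected and in which versions. Zeroing covers the bytes firmware leaves untouched, but the copy back to userspace is outside these hunks, so it is worth confirming that it uses the length firmware reported rather than input.length.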
+++ /dev/null
-From eea6736378d992206ba2376b2dae701fa4a3fabd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 31 Jul 2022 22:34:24 -0400
-Subject: csky: abiv1: Fixup compile error
-
-From: Guo Ren <guoren@linux.alibaba.com>
-
-[ Upstream commit 45fef4c4b9c94e86d9c13f0b2e7e71bb32254509 ]
-
- LD vmlinux.o
-arch/csky/lib/string.o: In function `memmove':
-string.c:(.text+0x108): multiple definition of `memmove'
-lib/string.o:string.c:(.text+0x7e8): first defined here
-arch/csky/lib/string.o: In function `memset':
-string.c:(.text+0x148): multiple definition of `memset'
-lib/string.o:string.c:(.text+0x2ac): first defined here
-scripts/Makefile.vmlinux_o:68: recipe for target 'vmlinux.o' failed
-make[4]: *** [vmlinux.o] Error 1
-
-Fixes: e4df2d5e852a ("csky: Add C based string functions")
-Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
-Signed-off-by: Guo Ren <guoren@kernel.org>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/csky/abiv1/inc/abi/string.h | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/arch/csky/abiv1/inc/abi/string.h b/arch/csky/abiv1/inc/abi/string.h
-index 9d95594b0feb..de50117b904d 100644
---- a/arch/csky/abiv1/inc/abi/string.h
-+++ b/arch/csky/abiv1/inc/abi/string.h
-@@ -6,4 +6,10 @@
- #define __HAVE_ARCH_MEMCPY
- extern void *memcpy(void *, const void *, __kernel_size_t);
-
-+#define __HAVE_ARCH_MEMMOVE
-+extern void *memmove(void *, const void *, __kernel_size_t);
-+
-+#define __HAVE_ARCH_MEMSET
-+extern void *memset(void *, int, __kernel_size_t);
-+
- #endif /* __ABI_CSKY_STRING_H */
---
-2.35.1
-
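Review bot: the commit message consists only of the linker output and never says what the change does about it. One sentence would do: arch/csky/lib/string.c provides memmove and memset, so abi/string.h has to define __HAVE_ARCH_MEMMOVE and __HAVE_ARCH_MEMSET next to the existing __HAVE_ARCH_MEMCPY to keep lib/string.c from building its own copies.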
+++ /dev/null
-From b1dac98d489b9236a15b491dd955722d3a7e7b20 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Jul 2022 09:49:24 -0400
-Subject: drivers/base: fix userspace break from using bin_attributes for
- cpumap and cpulist
-
-From: Phil Auld <pauld@redhat.com>
-
-[ Upstream commit 7ee951acd31a88f941fd6535fbdee3a1567f1d63 ]
-
-Using bin_attributes with a 0 size causes fstat and friends to return that
-0 size. This breaks userspace code that retrieves the size before reading
-the file. Rather than reverting 75bd50fa841 ("drivers/base/node.c: use
-bin_attribute to break the size limitation of cpumap ABI") let's put in a
-size value at compile time.
-
-For cpulist the maximum size is on the order of
- NR_CPUS * (ceil(log10(NR_CPUS)) + 1)/2
-
-which for 8192 is 20480 (8192 * 5)/2. In order to get near that you'd need
-a system with every other CPU on one node. For example: (0,2,4,8, ... ).
-To simplify the math and support larger NR_CPUS in the future we are using
-(NR_CPUS * 7)/2. We also set it to a min of PAGE_SIZE to retain the older
-behavior for smaller NR_CPUS.
-
-The cpumap file the size works out to be NR_CPUS/4 + NR_CPUS/32 - 1
-(or NR_CPUS * 9/32 - 1) including the ","s.
-
-Add a set of macros for these values to cpumask.h so they can be used in
-multiple places. Apply these to the handful of such files in
-drivers/base/topology.c as well as node.c.
-
-As an example, on an 80 cpu 4-node system (NR_CPUS == 8192):
-
-before:
-
--r--r--r--. 1 root root 0 Jul 12 14:08 system/node/node0/cpulist
--r--r--r--. 1 root root 0 Jul 11 17:25 system/node/node0/cpumap
-
-after:
-
--r--r--r--. 1 root root 28672 Jul 13 11:32 system/node/node0/cpulist
--r--r--r--. 1 root root 4096 Jul 13 11:31 system/node/node0/cpumap
-
-CONFIG_NR_CPUS = 16384
--r--r--r--. 1 root root 57344 Jul 13 14:03 system/node/node0/cpulist
--r--r--r--. 1 root root 4607 Jul 13 14:02 system/node/node0/cpumap
-
-The actual number of cpus doesn't matter for the reported size since they
-are based on NR_CPUS.
-
-Fixes: 75bd50fa841d ("drivers/base/node.c: use bin_attribute to break the size limitation of cpumap ABI")
-Fixes: bb9ec13d156e ("topology: use bin_attribute to break the size limitation of cpumap ABI")
-Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Cc: "Rafael J. Wysocki" <rafael@kernel.org>
-Cc: Yury Norov <yury.norov@gmail.com>
-Cc: stable@vger.kernel.org
-Acked-by: Yury Norov <yury.norov@gmail.com> (for include/linux/cpumask.h)
-Signed-off-by: Phil Auld <pauld@redhat.com>
-Link: https://lore.kernel.org/r/20220715134924.3466194-1-pauld@redhat.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/base/node.c | 4 ++--
- drivers/base/topology.c | 32 ++++++++++++++++----------------
- include/linux/cpumask.h | 18 ++++++++++++++++++
- 3 files changed, 36 insertions(+), 18 deletions(-)
-
-diff --git a/drivers/base/node.c b/drivers/base/node.c
-index 0ac6376ef7a1..eb0f43784c2b 100644
---- a/drivers/base/node.c
-+++ b/drivers/base/node.c
-@@ -45,7 +45,7 @@ static inline ssize_t cpumap_read(struct file *file, struct kobject *kobj,
- return n;
- }
-
--static BIN_ATTR_RO(cpumap, 0);
-+static BIN_ATTR_RO(cpumap, CPUMAP_FILE_MAX_BYTES);
-
- static inline ssize_t cpulist_read(struct file *file, struct kobject *kobj,
- struct bin_attribute *attr, char *buf,
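Review bot: The size passed to BIN_ATTR_RO(cpumap, ...) is a compile-time upper bound, not the length of what cpumap_read() returns, and nothing near the attribute says so. The commit message's own example reports 4096 bytes for cpumap on an 80-CPU system, so a caller that treats st_size as the content length will see a short read. A one-line comment above the attribute, plus a matching sentence in the sysfs ABI documentation, would state that the size is a maximum derived from NR_CPUS and that readers must use the byte count returned by read().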
-@@ -66,7 +66,7 @@ static inline ssize_t cpulist_read(struct file *file, struct kobject *kobj,
- return n;
- }
-
--static BIN_ATTR_RO(cpulist, 0);
-+static BIN_ATTR_RO(cpulist, CPULIST_FILE_MAX_BYTES);
-
- /**
- * struct node_access_nodes - Access class device to hold user visible
-diff --git a/drivers/base/topology.c b/drivers/base/topology.c
-index ac6ad9ab67f9..89f98be5c5b9 100644
---- a/drivers/base/topology.c
-+++ b/drivers/base/topology.c
-@@ -62,47 +62,47 @@ define_id_show_func(ppin, "0x%llx");
- static DEVICE_ATTR_ADMIN_RO(ppin);
-
- define_siblings_read_func(thread_siblings, sibling_cpumask);
--static BIN_ATTR_RO(thread_siblings, 0);
--static BIN_ATTR_RO(thread_siblings_list, 0);
-+static BIN_ATTR_RO(thread_siblings, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(thread_siblings_list, CPULIST_FILE_MAX_BYTES);
-
- define_siblings_read_func(core_cpus, sibling_cpumask);
--static BIN_ATTR_RO(core_cpus, 0);
--static BIN_ATTR_RO(core_cpus_list, 0);
-+static BIN_ATTR_RO(core_cpus, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(core_cpus_list, CPULIST_FILE_MAX_BYTES);
-
- define_siblings_read_func(core_siblings, core_cpumask);
--static BIN_ATTR_RO(core_siblings, 0);
--static BIN_ATTR_RO(core_siblings_list, 0);
-+static BIN_ATTR_RO(core_siblings, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(core_siblings_list, CPULIST_FILE_MAX_BYTES);
-
- #ifdef TOPOLOGY_CLUSTER_SYSFS
- define_siblings_read_func(cluster_cpus, cluster_cpumask);
--static BIN_ATTR_RO(cluster_cpus, 0);
--static BIN_ATTR_RO(cluster_cpus_list, 0);
-+static BIN_ATTR_RO(cluster_cpus, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(cluster_cpus_list, CPULIST_FILE_MAX_BYTES);
- #endif
-
- #ifdef TOPOLOGY_DIE_SYSFS
- define_siblings_read_func(die_cpus, die_cpumask);
--static BIN_ATTR_RO(die_cpus, 0);
--static BIN_ATTR_RO(die_cpus_list, 0);
-+static BIN_ATTR_RO(die_cpus, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(die_cpus_list, CPULIST_FILE_MAX_BYTES);
- #endif
-
- define_siblings_read_func(package_cpus, core_cpumask);
--static BIN_ATTR_RO(package_cpus, 0);
--static BIN_ATTR_RO(package_cpus_list, 0);
-+static BIN_ATTR_RO(package_cpus, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(package_cpus_list, CPULIST_FILE_MAX_BYTES);
-
- #ifdef TOPOLOGY_BOOK_SYSFS
- define_id_show_func(book_id, "%d");
- static DEVICE_ATTR_RO(book_id);
- define_siblings_read_func(book_siblings, book_cpumask);
--static BIN_ATTR_RO(book_siblings, 0);
--static BIN_ATTR_RO(book_siblings_list, 0);
-+static BIN_ATTR_RO(book_siblings, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(book_siblings_list, CPULIST_FILE_MAX_BYTES);
- #endif
-
- #ifdef TOPOLOGY_DRAWER_SYSFS
- define_id_show_func(drawer_id, "%d");
- static DEVICE_ATTR_RO(drawer_id);
- define_siblings_read_func(drawer_siblings, drawer_cpumask);
--static BIN_ATTR_RO(drawer_siblings, 0);
--static BIN_ATTR_RO(drawer_siblings_list, 0);
-+static BIN_ATTR_RO(drawer_siblings, CPUMAP_FILE_MAX_BYTES);
-+static BIN_ATTR_RO(drawer_siblings_list, CPULIST_FILE_MAX_BYTES);
- #endif
-
- static struct bin_attribute *bin_attrs[] = {
-diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
-index fe29ac7cc469..4592d0845941 100644
---- a/include/linux/cpumask.h
-+++ b/include/linux/cpumask.h
-@@ -1071,4 +1071,22 @@ cpumap_print_list_to_buf(char *buf, const struct cpumask *mask,
- [0] = 1UL \
- } }
-
-+/*
-+ * Provide a valid theoretical max size for cpumap and cpulist sysfs files
-+ * to avoid breaking userspace which may allocate a buffer based on the size
-+ * reported by e.g. fstat.
-+ *
-+ * for cpumap NR_CPUS * 9/32 - 1 should be an exact length.
-+ *
-+ * For cpulist 7 is (ceil(log10(NR_CPUS)) + 1) allowing for NR_CPUS to be up
-+ * to 2 orders of magnitude larger than 8192. And then we divide by 2 to
-+ * cover a worst-case of every other cpu being on one of two nodes for a
-+ * very large NR_CPUS.
-+ *
-+ * Use PAGE_SIZE as a minimum for smaller configurations.
-+ */
-+#define CPUMAP_FILE_MAX_BYTES ((((NR_CPUS * 9)/32 - 1) > PAGE_SIZE) \
-+ ? (NR_CPUS * 9)/32 - 1 : PAGE_SIZE)
-+#define CPULIST_FILE_MAX_BYTES (((NR_CPUS * 7)/2 > PAGE_SIZE) ? (NR_CPUS * 7)/2 : PAGE_SIZE)
-+
- #endif /* __LINUX_CPUMASK_H */
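Review bot: In CPUMAP_FILE_MAX_BYTES the expression (NR_CPUS * 9)/32 - 1 evaluates to -1 for NR_CPUS of 1, 2 or 3, since the integer division gives 0. Where PAGE_SIZE is an unsigned long, the comparison converts -1 to a very large unsigned value, the test succeeds, and the macro yields -1 as the file size instead of PAGE_SIZE. Dropping the "- 1" (one spare byte is harmless for an upper bound) or doing the comparison on a value that cannot go negative avoids this. The block comment also calls the cpumap figure "an exact length" without saying whether the trailing newline is counted, which is worth spelling out.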
---
-2.35.1
-
+++ /dev/null
-From 4eac50b82fb2d529a4802828b19b092b0cbf0715 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 12:30:29 -0400
-Subject: drm/amdgpu: Check BO's requested pinning domains against its
- preferred_domains
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Leo Li <sunpeng.li@amd.com>
-
-[ Upstream commit f5ba14043621f4afdf3ad5f92ee2d8dbebbe4340 ]
-
-When pinning a buffer, we should check to see if there are any
-additional restrictions imposed by bo->preferred_domains. This will
-prevent the BO from being moved to an invalid domain when pinning.
-
-For example, this can happen if the user requests to create a BO in GTT
-domain for display scanout. amdgpu_dm will allow pinning to either VRAM
-or GTT domains, since DCN can scanout from either or. However, in
-amdgpu_bo_pin_restricted(), pinning to VRAM is preferred if there is
-adequate carveout. This can lead to pinning to VRAM despite the user
-requesting GTT placement for the BO.
-
-v2: Allow the kernel to override the domain, which can happen when
- exporting a BO to a V4L camera (for example).
-
-Signed-off-by: Leo Li <sunpeng.li@amd.com>
-Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
-Reviewed-by: Christian König <christian.koenig@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
-index 2c82b1d5a0d7..4570ad449390 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
-@@ -882,6 +882,10 @@ int amdgpu_bo_pin_restricted(struct amdgpu_bo *bo, u32 domain,
- if (WARN_ON_ONCE(min_offset > max_offset))
- return -EINVAL;
-
-+ /* Check domain to be pinned to against preferred domains */
-+ if (bo->preferred_domains & domain)
-+ domain = bo->preferred_domains & domain;
-+
- /* A shared bo cannot be migrated to VRAM */
- if (bo->tbo.base.import_attach) {
- if (domain & AMDGPU_GEM_DOMAIN_GTT)
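Review bot: When bo->preferred_domains & domain is zero, the new check falls through and the caller's domain is used unchanged, so the restriction is bypassed without any trace. The commit message (v2) says this is deliberate, to let the kernel override the domain, but the code comment only says "Check domain to be pinned to against preferred domains". The comment should state that an empty intersection intentionally keeps the requested domain. The mask is also computed twice; storing bo->preferred_domains & domain in a local and testing that reads more clearly.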
---
-2.35.1
-
+++ /dev/null
-From 9850d6a91e51f3700fdfd4443f77b459b037e07d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Jun 2022 12:45:37 +0300
-Subject: drm/dp/mst: Read the extended DPCD capabilities during system resume
-
-From: Imre Deak <imre.deak@intel.com>
-
-[ Upstream commit 7a710a8bc909313951eb9252d8419924c771d7c2 ]
-
-The WD22TB4 Thunderbolt dock at least will revert its DP_MAX_LINK_RATE
-from HBR3 to HBR2 after system suspend/resume if the DP_DP13_DPCD_REV
-registers are not read subsequently also as required.
-
-Fix this by reading DP_DP13_DPCD_REV registers as well, matching what is
-done during connector detection. While at it also fix up the same call
-in drm_dp_mst_dump_topology().
-
-Cc: Lyude Paul <lyude@redhat.com>
-Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5292
-Signed-off-by: Imre Deak <imre.deak@intel.com>
-Reviewed-by: Jani Nikula <jani.nikula@intel.com>
-Cc: <stable@vger.kernel.org> # v5.14+
-Reviewed-by: Lyude Paul <lyude@redhat.com>
-Link: https://patchwork.freedesktop.org/patch/msgid/20220614094537.885472-1-imre.deak@intel.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/display/drm_dp_mst_topology.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
-index 67b3b9697da7..18f2b6075b78 100644
---- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
-+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
-@@ -3860,9 +3860,7 @@ int drm_dp_mst_topology_mgr_resume(struct drm_dp_mst_topology_mgr *mgr,
- if (!mgr->mst_primary)
- goto out_fail;
-
-- ret = drm_dp_dpcd_read(mgr->aux, DP_DPCD_REV, mgr->dpcd,
-- DP_RECEIVER_CAP_SIZE);
-- if (ret != DP_RECEIVER_CAP_SIZE) {
-+ if (drm_dp_read_dpcd_caps(mgr->aux, mgr->dpcd) < 0) {
- drm_dbg_kms(mgr->dev, "dpcd read failed - undocked during suspend?\n");
- goto out_fail;
- }
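Review bot: The negative return value of drm_dp_read_dpcd_caps() is discarded at the new check, so the "dpcd read failed - undocked during suspend?" message cannot distinguish a missing sink from another AUX failure. Keeping the result in ret and printing it in the drm_dbg_kms() call would preserve that information. If ret is no longer assigned before the out_fail label, also confirm that the value returned on that path is still initialised.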
-@@ -4911,8 +4909,7 @@ void drm_dp_mst_dump_topology(struct seq_file *m,
- u8 buf[DP_PAYLOAD_TABLE_SIZE];
- int ret;
-
-- ret = drm_dp_dpcd_read(mgr->aux, DP_DPCD_REV, buf, DP_RECEIVER_CAP_SIZE);
-- if (ret) {
-+ if (drm_dp_read_dpcd_caps(mgr->aux, buf) < 0) {
- seq_printf(m, "dpcd read failed\n");
- goto out;
- }
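Review bot: drm_dp_read_dpcd_caps() is handed buf, which the context declares as u8 buf[DP_PAYLOAD_TABLE_SIZE], while the removed call read DP_RECEIVER_CAP_SIZE bytes into it. The bound now depends on DP_PAYLOAD_TABLE_SIZE being at least as large as whatever the helper writes. A dedicated array sized for the receiver caps, or a comment stating the size relation, would make that explicit. The removed "if (ret)" test also treated any non-zero return, including a successful byte count, as a failure. The commit message mentions fixing up this call but does not say that, and it should.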
---
-2.35.1
-
+++ /dev/null
-From 4ba6933086fff9c00b0faa445d6f4e7d4e5ff751 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 21 Jun 2022 12:46:17 +0200
-Subject: drm/fb-helper: Fix out-of-bounds access
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Thomas Zimmermann <tzimmermann@suse.de>
-
-[ Upstream commit ae25885bdf59fde40726863c57fd20e4a0642183 ]
-
-Clip memory range to screen-buffer size to avoid out-of-bounds access
-in fbdev deferred I/O's damage handling.
-
-Fbdev's deferred I/O can only track pages. From the range of pages, the
-damage handler computes the clipping rectangle for the display update.
-If the fbdev screen buffer ends near the beginning of a page, that page
-could contain more scanlines. The damage handler would then track these
-non-existing scanlines as dirty and provoke an out-of-bounds access
-during the screen update. Hence, clip the maximum memory range to the
-size of the screen buffer.
-
-While at it, rename the variables min/max to min_off/max_off in
-drm_fb_helper_deferred_io(). This avoids confusion with the macros of
-the same name.
-
-Reported-by: Nuno Gonçalves <nunojpg@gmail.com>
-Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
-Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
-Tested-by: Nuno Gonçalves <nunojpg@gmail.com>
-Fixes: 67b723f5b742 ("drm/fb-helper: Calculate damaged area in separate helper")
-Cc: Thomas Zimmermann <tzimmermann@suse.de>
-Cc: Javier Martinez Canillas <javierm@redhat.com>
-Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
-Cc: Maxime Ripard <mripard@kernel.org>
-Cc: <stable@vger.kernel.org> # v5.18+
-Link: https://patchwork.freedesktop.org/patch/msgid/20220621104617.8817-1-tzimmermann@suse.de
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/drm_fb_helper.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
-index 5ad2b6a2778c..1705e8d345ab 100644
---- a/drivers/gpu/drm/drm_fb_helper.c
-+++ b/drivers/gpu/drm/drm_fb_helper.c
-@@ -680,7 +680,11 @@ static void drm_fb_helper_damage(struct fb_info *info, u32 x, u32 y,
- schedule_work(&helper->damage_work);
- }
-
--/* Convert memory region into area of scanlines and pixels per scanline */
-+/*
-+ * Convert memory region into area of scanlines and pixels per
-+ * scanline. The parameters off and len must not reach beyond
-+ * the end of the framebuffer.
-+ */
- static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off, size_t len,
- struct drm_rect *clip)
- {
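Review bot: The new comment on drm_fb_helper_memory_range_to_clip() states that off and len must not reach beyond the end of the framebuffer, but the function still has no check that enforces it. Since violating this precondition is exactly what produced the out-of-bounds access described in the commit message, a WARN_ON_ONCE() on off + len exceeding the screen size at the top of the function would catch any future caller that forgets to clip.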
-@@ -715,22 +719,29 @@ static void drm_fb_helper_memory_range_to_clip(struct fb_info *info, off_t off,
- */
- void drm_fb_helper_deferred_io(struct fb_info *info, struct list_head *pagereflist)
- {
-- unsigned long start, end, min, max;
-+ unsigned long start, end, min_off, max_off;
- struct fb_deferred_io_pageref *pageref;
- struct drm_rect damage_area;
-
-- min = ULONG_MAX;
-- max = 0;
-+ min_off = ULONG_MAX;
-+ max_off = 0;
- list_for_each_entry(pageref, pagereflist, list) {
- start = pageref->offset;
- end = start + PAGE_SIZE;
-- min = min(min, start);
-- max = max(max, end);
-+ min_off = min(min_off, start);
-+ max_off = max(max_off, end);
- }
-- if (min >= max)
-+ if (min_off >= max_off)
- return;
-
-- drm_fb_helper_memory_range_to_clip(info, min, max - min, &damage_area);
-+ /*
-+ * As we can only track pages, we might reach beyond the end
-+ * of the screen and account for non-existing scanlines. Hence,
-+ * keep the covered memory area within the screen buffer.
-+ */
-+ max_off = min(max_off, info->screen_size);
-+
-+ drm_fb_helper_memory_range_to_clip(info, min_off, max_off - min_off, &damage_area);
- drm_fb_helper_damage(info, damage_area.x1, damage_area.y1,
- drm_rect_width(&damage_area),
- drm_rect_height(&damage_area));
---
-2.35.1
-
+++ /dev/null
-From c788aef49db3a12b08d26fbbf7fddb8cf92a71ac Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 22 Jun 2022 10:34:13 +0200
-Subject: drm/hyperv-drm: Include framebuffer and EDID headers
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Thomas Zimmermann <tzimmermann@suse.de>
-
-[ Upstream commit 009a3a52791f31c57d755a73f6bc66fbdd8bd76c ]
-
-Fix a number of compile errors by including the correct header
-files. Examples are shown below.
-
- ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_blit_to_vram_rect':
- ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:25:48: error: invalid use of undefined type 'struct drm_framebuffer'
- 25 | struct hyperv_drm_device *hv = to_hv(fb->dev);
- | ^~
-
- ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c: In function 'hyperv_connector_get_modes':
- ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:59:17: error: implicit declaration of function 'drm_add_modes_noedid' [-Werror=implicit-function-declaration]
- 59 | count = drm_add_modes_noedid(connector,
- | ^~~~~~~~~~~~~~~~~~~~
-
- ../drivers/gpu/drm/hyperv/hyperv_drm_modeset.c:62:9: error: implicit declaration of function 'drm_set_preferred_mode'; did you mean 'drm_mm_reserve_node'? [-Werror=implicit-function-declaration]
- 62 | drm_set_preferred_mode(connector, hv->preferred_width,
- | ^~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
-Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
-Fixes: 720cf96d8fec ("drm: Drop drm_framebuffer.h from drm_crtc.h")
-Fixes: 255490f9150d ("drm: Drop drm_edid.h from drm_crtc.h")
-Cc: Deepak Rawat <drawat.floss@gmail.com>
-Cc: Thomas Zimmermann <tzimmermann@suse.de>
-Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
-Cc: Maxime Ripard <mripard@kernel.org>
-Cc: linux-hyperv@vger.kernel.org
-Cc: dri-devel@lists.freedesktop.org
-Cc: <stable@vger.kernel.org> # v5.14+
-Acked-by: Maxime Ripard <maxime@cerno.tech>
-Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Link: https://patchwork.freedesktop.org/patch/msgid/20220622083413.12573-1-tzimmermann@suse.de
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
-index 27f4fcb058f9..b8e64dd8d3a6 100644
---- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
-+++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c
-@@ -7,9 +7,11 @@
-
- #include <drm/drm_damage_helper.h>
- #include <drm/drm_drv.h>
-+#include <drm/drm_edid.h>
- #include <drm/drm_fb_helper.h>
- #include <drm/drm_format_helper.h>
- #include <drm/drm_fourcc.h>
-+#include <drm/drm_framebuffer.h>
- #include <drm/drm_gem_atomic_helper.h>
- #include <drm/drm_gem_framebuffer_helper.h>
- #include <drm/drm_gem_shmem_helper.h>
---
-2.35.1
-
+++ /dev/null
-From ca2b56495ef3523ca282c39439e94ca901512595 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 3 Jul 2022 00:07:27 +0100
-Subject: drm/ingenic: Use the highest possible DMA burst size
-
-From: Paul Cercueil <paul@crapouillou.net>
-
-[ Upstream commit f0dce5c4fdaf9e98dd2755ffb1363822854b6287 ]
-
-Until now, when running at the maximum resolution of 1280x720 at 32bpp
-on the JZ4770 SoC the output was garbled, the X/Y position of the
-top-left corner of the framebuffer warping to a random position with
-the whole image being offset accordingly, every time a new frame was
-being submitted.
-
-This problem can be eliminated by using a bigger burst size for the DMA.
-
-Set in each soc_info structure the maximum burst size supported by the
-corresponding SoC, and use it in the driver.
-
-Set the new value using regmap_update_bits() instead of
-regmap_set_bits(), since we do want to override the old value of the
-burst size. (Note that regmap_set_bits() wasn't really valid before for
-the same reason, but it never seemed to be a problem).
-
-Cc: <stable@vger.kernel.org>
-Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs")
-Signed-off-by: Paul Cercueil <paul@crapouillou.net>
-Link: https://patchwork.freedesktop.org/patch/msgid/20220702230727.66704-1-paul@crapouillou.net
-Acked-by: Sam Ravnborg <sam@ravnborg.org>
-Tested-by: Christophe Branchereau <cbranchereau@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 10 ++++++++--
- drivers/gpu/drm/ingenic/ingenic-drm.h | 3 +++
- 2 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
-index 8eb0ad501a7b..150a973c6001 100644
---- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
-+++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
-@@ -69,6 +69,7 @@ struct jz_soc_info {
- bool map_noncoherent;
- bool use_extended_hwdesc;
- bool plane_f0_not_working;
-+ u32 max_burst;
- unsigned int max_width, max_height;
- const u32 *formats_f0, *formats_f1;
- unsigned int num_formats_f0, num_formats_f1;
-@@ -318,8 +319,9 @@ static void ingenic_drm_crtc_update_timings(struct ingenic_drm *priv,
- regmap_write(priv->map, JZ_REG_LCD_REV, mode->htotal << 16);
- }
-
-- regmap_set_bits(priv->map, JZ_REG_LCD_CTRL,
-- JZ_LCD_CTRL_OFUP | JZ_LCD_CTRL_BURST_16);
-+ regmap_update_bits(priv->map, JZ_REG_LCD_CTRL,
-+ JZ_LCD_CTRL_OFUP | JZ_LCD_CTRL_BURST_MASK,
-+ JZ_LCD_CTRL_OFUP | priv->soc_info->max_burst);
-
- /*
- * IPU restart - specify how much time the LCDC will wait before
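Review bot: regmap_update_bits() now writes priv->soc_info->max_burst into the burst field unconditionally, so any jz_soc_info that does not set .max_burst gets 0, which the header defines as JZ_LCD_CTRL_BURST_4. The patch sets the field for the four structures it touches; please confirm that no other soc_info exists in the driver, or treat a zero value as "keep JZ_LCD_CTRL_BURST_16" so that the previous behaviour is the default.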
-@@ -1518,6 +1520,7 @@ static const struct jz_soc_info jz4740_soc_info = {
- .map_noncoherent = false,
- .max_width = 800,
- .max_height = 600,
-+ .max_burst = JZ_LCD_CTRL_BURST_16,
- .formats_f1 = jz4740_formats,
- .num_formats_f1 = ARRAY_SIZE(jz4740_formats),
- /* JZ4740 has only one plane */
-@@ -1529,6 +1532,7 @@ static const struct jz_soc_info jz4725b_soc_info = {
- .map_noncoherent = false,
- .max_width = 800,
- .max_height = 600,
-+ .max_burst = JZ_LCD_CTRL_BURST_16,
- .formats_f1 = jz4725b_formats_f1,
- .num_formats_f1 = ARRAY_SIZE(jz4725b_formats_f1),
- .formats_f0 = jz4725b_formats_f0,
-@@ -1541,6 +1545,7 @@ static const struct jz_soc_info jz4770_soc_info = {
- .map_noncoherent = true,
- .max_width = 1280,
- .max_height = 720,
-+ .max_burst = JZ_LCD_CTRL_BURST_64,
- .formats_f1 = jz4770_formats_f1,
- .num_formats_f1 = ARRAY_SIZE(jz4770_formats_f1),
- .formats_f0 = jz4770_formats_f0,
-@@ -1555,6 +1560,7 @@ static const struct jz_soc_info jz4780_soc_info = {
- .plane_f0_not_working = true, /* REVISIT */
- .max_width = 4096,
- .max_height = 2048,
-+ .max_burst = JZ_LCD_CTRL_BURST_64,
- .formats_f1 = jz4770_formats_f1,
- .num_formats_f1 = ARRAY_SIZE(jz4770_formats_f1),
- .formats_f0 = jz4770_formats_f0,
-diff --git a/drivers/gpu/drm/ingenic/ingenic-drm.h b/drivers/gpu/drm/ingenic/ingenic-drm.h
-index cb1d09b62588..e5bd007ea93d 100644
---- a/drivers/gpu/drm/ingenic/ingenic-drm.h
-+++ b/drivers/gpu/drm/ingenic/ingenic-drm.h
-@@ -106,6 +106,9 @@
- #define JZ_LCD_CTRL_BURST_4 (0x0 << 28)
- #define JZ_LCD_CTRL_BURST_8 (0x1 << 28)
- #define JZ_LCD_CTRL_BURST_16 (0x2 << 28)
-+#define JZ_LCD_CTRL_BURST_32 (0x3 << 28)
-+#define JZ_LCD_CTRL_BURST_64 (0x4 << 28)
-+#define JZ_LCD_CTRL_BURST_MASK (0x7 << 28)
- #define JZ_LCD_CTRL_RGB555 BIT(27)
- #define JZ_LCD_CTRL_OFUP BIT(26)
- #define JZ_LCD_CTRL_FRC_GRAYSCALE_16 (0x0 << 24)
---
-2.35.1
-
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/gpu/drm/mediatek/mtk_dsi.c | 28 +++++++++++++++++++++-------
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
-diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
-index 966a4729bb41..907d07eda000 100644
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -203,6 +203,7 @@ struct mtk_dsi {
u32 irq_data;
wait_queue_head_t irq_wait_queue;
const struct mtk_dsi_driver_data *driver_data;
-@@ -661,18 +662,11 @@ static int mtk_dsi_poweron(struct mtk_dsi *dsi)
+@@ -661,18 +662,11 @@ static int mtk_dsi_poweron(struct mtk_ds
mtk_dsi_reset_engine(dsi);
mtk_dsi_phy_timconfig(dsi);
return 0;
err_disable_engine_clk:
clk_disable_unprepare(dsi->engine_clk);
-@@ -701,6 +695,23 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi)
+@@ -703,6 +697,23 @@ static void mtk_dsi_poweroff(struct mtk_
clk_disable_unprepare(dsi->digital_clk);
phy_power_off(dsi->phy);
}
static void mtk_output_dsi_enable(struct mtk_dsi *dsi)
-@@ -708,6 +719,7 @@ static void mtk_output_dsi_enable(struct mtk_dsi *dsi)
+@@ -710,6 +721,7 @@ static void mtk_output_dsi_enable(struct
if (dsi->enabled)
return;
mtk_dsi_set_mode(dsi);
mtk_dsi_clk_hs_mode(dsi, 1);
-@@ -1017,6 +1029,8 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
+@@ -1019,6 +1031,8 @@ static ssize_t mtk_dsi_host_transfer(str
if (MTK_DSI_HOST_IS_READ(msg->type))
irq_flag |= LPRX_RD_RDY_INT_FLAG;
ret = mtk_dsi_host_send_cmd(dsi, msg, irq_flag);
if (ret)
goto restore_dsi_mode;
---
-2.35.1
-
+++ /dev/null
-From eee633764249f17bb03e27d0f62b3d3f56f7bf55 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 20 May 2022 10:00:04 +0800
-Subject: drm/mediatek: Modify dsi funcs to atomic operations
-
-From: Xinlei Lee <xinlei.lee@mediatek.com>
-
-[ Upstream commit 7f6335c6a258edf4d5ff1b904bc033188dc7b48b ]
-
-Because .enable & .disable are deprecated.
-Use .atomic_enable & .atomic_disable instead.
-
-Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-2-git-send-email-xinlei.lee@mediatek.com/
-Signed-off-by: Jitao Shi <jitao.shi@mediatek.com>
-Signed-off-by: Xinlei Lee <xinlei.lee@mediatek.com>
-Reviewed-by: Rex-BC Chen <rex-bc.chen@mediatek.com>
-Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/mediatek/mtk_dsi.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
-index d9f10a33e6fa..6e7793f935da 100644
---- a/drivers/gpu/drm/mediatek/mtk_dsi.c
-+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
-@@ -763,14 +763,16 @@ static void mtk_dsi_bridge_mode_set(struct drm_bridge *bridge,
- drm_display_mode_to_videomode(adjusted, &dsi->vm);
- }
-
--static void mtk_dsi_bridge_disable(struct drm_bridge *bridge)
-+static void mtk_dsi_bridge_atomic_disable(struct drm_bridge *bridge,
-+ struct drm_bridge_state *old_bridge_state)
- {
- struct mtk_dsi *dsi = bridge_to_dsi(bridge);
-
- mtk_output_dsi_disable(dsi);
- }
-
--static void mtk_dsi_bridge_enable(struct drm_bridge *bridge)
-+static void mtk_dsi_bridge_atomic_enable(struct drm_bridge *bridge,
-+ struct drm_bridge_state *old_bridge_state)
- {
- struct mtk_dsi *dsi = bridge_to_dsi(bridge);
-
-@@ -779,8 +781,8 @@ static void mtk_dsi_bridge_enable(struct drm_bridge *bridge)
-
- static const struct drm_bridge_funcs mtk_dsi_bridge_funcs = {
- .attach = mtk_dsi_bridge_attach,
-- .disable = mtk_dsi_bridge_disable,
-- .enable = mtk_dsi_bridge_enable,
-+ .atomic_disable = mtk_dsi_bridge_atomic_disable,
-+ .atomic_enable = mtk_dsi_bridge_atomic_enable,
- .mode_set = mtk_dsi_bridge_mode_set,
- };
-
---
-2.35.1
-
+++ /dev/null
-From fdbabb61cb02a8883acbb52d303ced70bd0ec21e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 20 May 2022 10:00:05 +0800
-Subject: drm/mediatek: Separate poweron/poweroff from enable/disable and
- define new funcs
-
-From: Jitao Shi <jitao.shi@mediatek.com>
-
-[ Upstream commit cde7e2e35c2866d22a3a012e72a41052dfcc255d ]
-
-In order to match the changes of "Use the drm_panel_bridge API",
-the poweron/poweroff of dsi is extracted from enable/disable and
-defined as new funcs (atomic_pre_enable/atomic_post_disable).
-
-Since dsi_poweron is moved from dsi_enable to pre_enable function, in
-order to avoid poweron failure, the operation of dsi register fails to
-cause bus hang. Therefore, the protection mechanism is added to the
-dsi_enable function.
-
-Fixes: 2dd8075d2185 ("drm/mediatek: mtk_dsi: Use the drm_panel_bridge API")
-
-Link: https://patchwork.kernel.org/project/linux-mediatek/patch/1653012007-11854-3-git-send-email-xinlei.lee@mediatek.com/
-Signed-off-by: Jitao Shi <jitao.shi@mediatek.com>
-Signed-off-by: Xinlei Lee <xinlei.lee@mediatek.com>
-Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
-Reviewed-by: Rex-BC Chen <rex-bc.chen@mediatek.com>
-Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/mediatek/mtk_dsi.c | 53 +++++++++++++++++++-----------
- 1 file changed, 34 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
-index 6e7793f935da..966a4729bb41 100644
---- a/drivers/gpu/drm/mediatek/mtk_dsi.c
-+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
-@@ -691,16 +691,6 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi)
- if (--dsi->refcount != 0)
- return;
-
-- /*
-- * mtk_dsi_stop() and mtk_dsi_start() is asymmetric, since
-- * mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(),
-- * which needs irq for vblank, and mtk_dsi_stop() will disable irq.
-- * mtk_dsi_start() needs to be called in mtk_output_dsi_enable(),
-- * after dsi is fully set.
-- */
-- mtk_dsi_stop(dsi);
--
-- mtk_dsi_switch_to_cmd_mode(dsi, VM_DONE_INT_FLAG, 500);
- mtk_dsi_reset_engine(dsi);
- mtk_dsi_lane0_ulp_mode_enter(dsi);
- mtk_dsi_clk_ulp_mode_enter(dsi);
-@@ -715,17 +705,9 @@ static void mtk_dsi_poweroff(struct mtk_dsi *dsi)
-
- static void mtk_output_dsi_enable(struct mtk_dsi *dsi)
- {
-- int ret;
--
- if (dsi->enabled)
- return;
-
-- ret = mtk_dsi_poweron(dsi);
-- if (ret < 0) {
-- DRM_ERROR("failed to power on dsi\n");
-- return;
-- }
--
- mtk_dsi_set_mode(dsi);
- mtk_dsi_clk_hs_mode(dsi, 1);
-
-@@ -739,7 +721,16 @@ static void mtk_output_dsi_disable(struct mtk_dsi *dsi)
- if (!dsi->enabled)
- return;
-
-- mtk_dsi_poweroff(dsi);
-+ /*
-+ * mtk_dsi_stop() and mtk_dsi_start() is asymmetric, since
-+ * mtk_dsi_stop() should be called after mtk_drm_crtc_atomic_disable(),
-+ * which needs irq for vblank, and mtk_dsi_stop() will disable irq.
-+ * mtk_dsi_start() needs to be called in mtk_output_dsi_enable(),
-+ * after dsi is fully set.
-+ */
-+ mtk_dsi_stop(dsi);
-+
-+ mtk_dsi_switch_to_cmd_mode(dsi, VM_DONE_INT_FLAG, 500);
-
- dsi->enabled = false;
- }
-@@ -776,13 +767,37 @@ static void mtk_dsi_bridge_atomic_enable(struct drm_bridge *bridge,
- {
- struct mtk_dsi *dsi = bridge_to_dsi(bridge);
-
-+ if (dsi->refcount == 0)
-+ return;
-+
- mtk_output_dsi_enable(dsi);
- }
-
-+static void mtk_dsi_bridge_atomic_pre_enable(struct drm_bridge *bridge,
-+ struct drm_bridge_state *old_bridge_state)
-+{
-+ struct mtk_dsi *dsi = bridge_to_dsi(bridge);
-+ int ret;
-+
-+ ret = mtk_dsi_poweron(dsi);
-+ if (ret < 0)
-+ DRM_ERROR("failed to power on dsi\n");
-+}
-+
-+static void mtk_dsi_bridge_atomic_post_disable(struct drm_bridge *bridge,
-+ struct drm_bridge_state *old_bridge_state)
-+{
-+ struct mtk_dsi *dsi = bridge_to_dsi(bridge);
-+
-+ mtk_dsi_poweroff(dsi);
-+}
-+
- static const struct drm_bridge_funcs mtk_dsi_bridge_funcs = {
- .attach = mtk_dsi_bridge_attach,
- .atomic_disable = mtk_dsi_bridge_atomic_disable,
- .atomic_enable = mtk_dsi_bridge_atomic_enable,
-+ .atomic_pre_enable = mtk_dsi_bridge_atomic_pre_enable,
-+ .atomic_post_disable = mtk_dsi_bridge_atomic_post_disable,
- .mode_set = mtk_dsi_bridge_mode_set,
- };
-
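Review bot: mtk_dsi_bridge_atomic_pre_enable() only logs when mtk_dsi_poweron() fails, and atomic_enable relies on dsi->refcount == 0 to detect that failure, which is an undocumented coupling to how poweron manages the counter. atomic_post_disable then calls mtk_dsi_poweroff() unconditionally, and the first hunk shows that function starting its visible logic with "if (--dsi->refcount != 0)". Unless a guard above that line rejects a zero refcount, a failed power-on followed by post_disable decrements past zero. A comment on the refcount check in atomic_enable, and an explicit zero check before the decrement if one is not already there, would make the failure path safe to read and to run.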
---
-2.35.1
-
+++ /dev/null
-From a3d015c94a8063fa5733033f7e3cb13d9164e73d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Jul 2022 13:42:33 -0400
-Subject: drm/nouveau/acpi: Don't print error when we get -EINPROGRESS from
- pm_runtime
-
-From: Lyude Paul <lyude@redhat.com>
-
-[ Upstream commit 53c26181950ddc3c8ace3c0939c89e9c4d8deeb9 ]
-
-Since this isn't actually a failure.
-
-Signed-off-by: Lyude Paul <lyude@redhat.com>
-Reviewed-by: David Airlie <airlied@linux.ie>
-Fixes: 79e765ad665d ("drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early")
-Cc: <stable@vger.kernel.org> # v4.19+
-Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-2-lyude@redhat.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/nouveau/nouveau_display.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/nouveau/nouveau_display.c b/drivers/gpu/drm/nouveau/nouveau_display.c
-index 2cd0932b3d68..9f5a45f24e5b 100644
---- a/drivers/gpu/drm/nouveau/nouveau_display.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
-@@ -537,7 +537,7 @@ nouveau_display_acpi_ntfy(struct notifier_block *nb, unsigned long val,
- * it's own hotplug events.
- */
- pm_runtime_put_autosuspend(drm->dev->dev);
-- } else if (ret == 0) {
-+ } else if (ret == 0 || ret == -EINPROGRESS) {
- /* We've started resuming the GPU already, so
- * it will handle scheduling a full reprobe
- * itself
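Review bot: The widened condition `ret == 0 || ret == -EINPROGRESS` comes without a comment update; the comment under it still only says the GPU has started resuming. Add one line there saying that -EINPROGRESS is treated as "resume already under way" and not as a failure. The commit message body ("Since this isn't actually a failure.") only makes sense next to the subject line, so the code should carry the reason itself.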
---
-2.35.1
-
+++ /dev/null
-From d4a4ca1be1af412505da2fd5b60858077e313854 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Jul 2022 13:42:34 -0400
-Subject: drm/nouveau: Don't pm_runtime_put_sync(), only
- pm_runtime_put_autosuspend()
-
-From: Lyude Paul <lyude@redhat.com>
-
-[ Upstream commit c96cfaf8fc02d4bb70727dfa7ce7841a3cff9be2 ]
-
-While trying to fix another issue, it occurred to me that I don't actually
-think there is any situation where we want pm_runtime_put() in nouveau to
-be synchronous. In fact, this kind of just seems like it would cause
-issues where we may unexpectedly block a thread we don't expect to be
-blocked.
-
-So, let's only use pm_runtime_put_autosuspend().
-
-Changes since v1:
-* Use pm_runtime_put_autosuspend(), not pm_runtime_put()
-
-Signed-off-by: Lyude Paul <lyude@redhat.com>
-Reviewed-by: David Airlie <airlied@linux.ie>
-Fixes: 3a6536c51d5d ("drm/nouveau: Intercept ACPI_VIDEO_NOTIFY_PROBE")
-Cc: Hans de Goede <hdegoede@redhat.com>
-Cc: <stable@vger.kernel.org> # v4.10+
-Link: https://patchwork.freedesktop.org/patch/msgid/20220714174234.949259-3-lyude@redhat.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/nouveau/nouveau_display.c | 2 +-
- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/nouveau/nouveau_display.c b/drivers/gpu/drm/nouveau/nouveau_display.c
-index 9f5a45f24e5b..a2f5df568ca5 100644
---- a/drivers/gpu/drm/nouveau/nouveau_display.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
-@@ -515,7 +515,7 @@ nouveau_display_hpd_work(struct work_struct *work)
-
- pm_runtime_mark_last_busy(drm->dev->dev);
- noop:
-- pm_runtime_put_sync(drm->dev->dev);
-+ pm_runtime_put_autosuspend(dev->dev);
- }
-
- #ifdef CONFIG_ACPI
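Review bot: The added line in nouveau_display_hpd_work() passes `dev->dev`, while the removed line and the context line just above it (`pm_runtime_mark_last_busy(drm->dev->dev);`) use `drm->dev->dev`. Please confirm that a local `dev` is in scope in this tree and points at the same device. Otherwise use `drm->dev->dev` here, as the nouveau_fbcon.c hunk of the same patch does, so the backport builds and stays consistent.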
-diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
-index 4f9b3aa5deda..20ac1ce2c0f1 100644
---- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
-@@ -466,7 +466,7 @@ nouveau_fbcon_set_suspend_work(struct work_struct *work)
- if (state == FBINFO_STATE_RUNNING) {
- nouveau_fbcon_hotplug_resume(drm->fbcon);
- pm_runtime_mark_last_busy(drm->dev->dev);
-- pm_runtime_put_sync(drm->dev->dev);
-+ pm_runtime_put_autosuspend(drm->dev->dev);
- }
- }
-
---
-2.35.1
-
+++ /dev/null
-From bc0f39623d2a1b3b85f1c5b11f566aaa119ccbb3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 11 May 2022 11:37:16 -0500
-Subject: drm/nouveau: fix another off-by-one in nvbios_addr
-
-From: Timur Tabi <ttabi@nvidia.com>
-
-[ Upstream commit c441d28945fb113220d48d6c86ebc0b090a2b677 ]
-
-This check determines whether a given address is part of
-image 0 or image 1. Image 1 starts at offset image0_size,
-so that address should be included.
-
-Fixes: 4d4e9907ff572 ("drm/nouveau/bios: guard against out-of-bounds accesses to image")
-Cc: <stable@vger.kernel.org> # v4.8+
-Signed-off-by: Timur Tabi <ttabi@nvidia.com>
-Reviewed-by: Karol Herbst <kherbst@redhat.com>
-Signed-off-by: Lyude Paul <lyude@redhat.com>
-Link: https://patchwork.freedesktop.org/patch/msgid/20220511163716.3520591-1-ttabi@nvidia.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
-index 64e423dddd9e..6c318e41bde0 100644
---- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
-+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c
-@@ -33,7 +33,7 @@ nvbios_addr(struct nvkm_bios *bios, u32 *addr, u8 size)
- {
- u32 p = *addr;
-
-- if (*addr > bios->image0_size && bios->imaged_addr) {
-+ if (*addr >= bios->image0_size && bios->imaged_addr) {
- *addr -= bios->image0_size;
- *addr += bios->imaged_addr;
- }
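Review bot: The boundary test in nvbios_addr() looks only at the start address (`*addr >= bios->image0_size`) and never at the `size` argument. A read that begins just below image0_size and extends past it is therefore still treated as lying entirely in image 0 by the visible lines. Please confirm that a later check in the function rejects or splits such a straddling access, and consider a short comment stating that image 1 starts exactly at offset image0_size, since this is the second off-by-one fixed in this function.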
---
-2.35.1
-
+++ /dev/null
-From 06dd7fcf1e1e47ca3ed1e14497e5246821c9ef4c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 26 May 2022 16:43:13 -0400
-Subject: drm/nouveau/kms: Fix failure path for creating DP connectors
-
-From: Lyude Paul <lyude@redhat.com>
-
-[ Upstream commit ca0367ca5d9216644b41f86348d6661f8d9e32d8 ]
-
-It looks like that when we moved nouveau over to using drm_dp_aux_init()
-and registering it's aux bus during late connector registration, we totally
-forgot to fix the failure codepath in nouveau_connector_create() - as it
-still seems to assume that drm_dp_aux_init() can fail (it can't).
-
-So, let's fix that and also add a missing check to ensure that we've
-properly allocated nv_connector->aux.name while we're at it.
-
-Signed-off-by: Lyude Paul <lyude@redhat.com>
-Reviewed-by: David Airlie <airlied@linux.ie>
-Fixes: fd43ad9d47e7 ("drm/nouveau/kms/nv50-: Move AUX adapter reg to connector late register/early unregister")
-Cc: <stable@vger.kernel.org> # v5.14+
-Link: https://patchwork.freedesktop.org/patch/msgid/20220526204313.656473-1-lyude@redhat.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/nouveau/nouveau_connector.c | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
-index 22b83a6577eb..df83c4654e26 100644
---- a/drivers/gpu/drm/nouveau/nouveau_connector.c
-+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
-@@ -1361,13 +1361,11 @@ nouveau_connector_create(struct drm_device *dev,
- snprintf(aux_name, sizeof(aux_name), "sor-%04x-%04x",
- dcbe->hasht, dcbe->hashm);
- nv_connector->aux.name = kstrdup(aux_name, GFP_KERNEL);
-- drm_dp_aux_init(&nv_connector->aux);
-- if (ret) {
-- NV_ERROR(drm, "Failed to init AUX adapter for sor-%04x-%04x: %d\n",
-- dcbe->hasht, dcbe->hashm, ret);
-+ if (!nv_connector->aux.name) {
- kfree(nv_connector);
-- return ERR_PTR(ret);
-+ return ERR_PTR(-ENOMEM);
- }
-+ drm_dp_aux_init(&nv_connector->aux);
- fallthrough;
- default:
- funcs = &nouveau_connector_funcs;
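Review bot: The new `!nv_connector->aux.name` check in nouveau_connector_create() is correct, but the name is still built in two steps: `snprintf(aux_name, ...)` into a stack buffer, then `kstrdup(aux_name, GFP_KERNEL)`. A single kasprintf(GFP_KERNEL, "sor-%04x-%04x", dcbe->hasht, dcbe->hashm) would drop the intermediate buffer and any truncation concern. Also confirm that aux.name is freed on the failure paths after this point and on connector destruction, now that its allocation is an acknowledged failure point.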
---
-2.35.1
-
+++ /dev/null
-From ac0c918731ae633f821d9f30277fb30ec0a05cbd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 29 Jun 2022 01:42:39 +0300
-Subject: drm/tegra: Fix vmapping of prime buffers
-
-From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
-
-[ Upstream commit c7860cbee9989882d2908682526a5ef617523cfe ]
-
-The code assumes that Tegra GEM is permanently vmapped, which is not
-true for the scattered buffers. After converting Tegra video decoder
-driver to V4L API, we're now getting a BUG_ON from dma-buf core on playing
-video using libvdpau-tegra on T30+ because tegra_gem_prime_vmap() sets
-vaddr to NULL. Older pre-V4L video decoder driver wasn't vmapping dma-bufs.
-Fix it by actually vmapping the exported GEMs.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
-Signed-off-by: Thierry Reding <treding@nvidia.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/tegra/gem.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
-index 7c7dd84e6db8..81991090adcc 100644
---- a/drivers/gpu/drm/tegra/gem.c
-+++ b/drivers/gpu/drm/tegra/gem.c
-@@ -704,14 +704,23 @@ static int tegra_gem_prime_vmap(struct dma_buf *buf, struct iosys_map *map)
- {
- struct drm_gem_object *gem = buf->priv;
- struct tegra_bo *bo = to_tegra_bo(gem);
-+ void *vaddr;
-
-- iosys_map_set_vaddr(map, bo->vaddr);
-+ vaddr = tegra_bo_mmap(&bo->base);
-+ if (IS_ERR(vaddr))
-+ return PTR_ERR(vaddr);
-+
-+ iosys_map_set_vaddr(map, vaddr);
-
- return 0;
- }
-
- static void tegra_gem_prime_vunmap(struct dma_buf *buf, struct iosys_map *map)
- {
-+ struct drm_gem_object *gem = buf->priv;
-+ struct tegra_bo *bo = to_tegra_bo(gem);
-+
-+ tegra_bo_munmap(&bo->base, map->vaddr);
- }
-
- static const struct dma_buf_ops tegra_gem_prime_dmabuf_ops = {
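Review bot: tegra_gem_prime_vmap() only tests `IS_ERR(vaddr)`. If tegra_bo_mmap() can return NULL when a mapping fails, NULL would still reach iosys_map_set_vaddr() and the function would return 0, which is the NULL-vaddr condition the commit message says triggers the BUG_ON in the dma-buf core. Either map `!vaddr` to -ENOMEM here or state that tegra_bo_mmap() never returns NULL. The new tegra_gem_prime_vunmap() also trusts `map->vaddr` as handed back by the caller, so a one-line comment on that pairing would help.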
---
-2.35.1
-
+++ /dev/null
-From 78f1cd97e0c8ffa01b96be7ef7893e038cd96508 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 13 Jun 2022 16:47:44 +0200
-Subject: drm/vc4: hdmi: Disable audio if dmas property is present but empty
-
-From: Phil Elwell <phil@raspberrypi.org>
-
-[ Upstream commit db2b927f8668adf3ac765e0921cd2720f5c04172 ]
-
-The dmas property is used to hold the dmaengine channel used for audio
-output.
-
-Older device trees were missing that property, so if it's not there we
-disable the audio output entirely.
-
-However, some overlays have set an empty value to that property, mostly
-to workaround the fact that overlays cannot remove a property. Let's add
-a test for that case and if it's empty, let's disable it as well.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Phil Elwell <phil@raspberrypi.org>
-Link: https://lore.kernel.org/r/20220613144800.326124-18-maxime@cerno.tech
-Signed-off-by: Maxime Ripard <maxime@cerno.tech>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/vc4/vc4_hdmi.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
-index ce9d16666d91..6b4f42332d95 100644
---- a/drivers/gpu/drm/vc4/vc4_hdmi.c
-+++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
-@@ -2035,12 +2035,12 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi)
- struct device *dev = &vc4_hdmi->pdev->dev;
- struct platform_device *codec_pdev;
- const __be32 *addr;
-- int index;
-+ int index, len;
- int ret;
-
-- if (!of_find_property(dev->of_node, "dmas", NULL)) {
-+ if (!of_find_property(dev->of_node, "dmas", &len) || !len) {
- dev_warn(dev,
-- "'dmas' DT property is missing, no HDMI audio\n");
-+ "'dmas' DT property is missing or empty, no HDMI audio\n");
- return 0;
- }
-
---
-2.35.1
-
+++ /dev/null
-From a243ba1c4a932a2513ab0222b5c31d019538b199 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 14:24:23 -0700
-Subject: epoll: autoremove wakers even more aggressively
-
-From: Benjamin Segall <bsegall@google.com>
-
-[ Upstream commit a16ceb13961068f7209e34d7984f8e42d2c06159 ]
-
-If a process is killed or otherwise exits while having active network
-connections and many threads waiting on epoll_wait, the threads will all
-be woken immediately, but not removed from ep->wq. Then when network
-traffic scans ep->wq in wake_up, every wakeup attempt will fail, and will
-not remove the entries from the list.
-
-This means that the cost of the wakeup attempt is far higher than usual,
-does not decrease, and this also competes with the dying threads trying to
-actually make progress and remove themselves from the wq.
-
-Handle this by removing visited epoll wq entries unconditionally, rather
-than only when the wakeup succeeds - the structure of ep_poll means that
-the only potential loss is the timed_out->eavail heuristic, which now can
-race and result in a redundant ep_send_events attempt. (But only when
-incoming data and a timeout actually race, not on every timeout)
-
-Shakeel added:
-
-: We are seeing this issue in production with real workloads and it has
-: caused hard lockups. Particularly network heavy workloads with a lot
-: of threads in epoll_wait() can easily trigger this issue if they get
-: killed (oom-killed in our case).
-
-Link: https://lkml.kernel.org/r/xm26fsjotqda.fsf@google.com
-Signed-off-by: Ben Segall <bsegall@google.com>
-Tested-by: Shakeel Butt <shakeelb@google.com>
-Cc: Alexander Viro <viro@zeniv.linux.org.uk>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Shakeel Butt <shakeelb@google.com>
-Cc: Eric Dumazet <edumazet@google.com>
-Cc: Roman Penyaev <rpenyaev@suse.de>
-Cc: Jason Baron <jbaron@akamai.com>
-Cc: Khazhismel Kumykov <khazhy@google.com>
-Cc: Heiher <r@hev.cc>
-Cc: <stable@kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/eventpoll.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/fs/eventpoll.c b/fs/eventpoll.c
-index e2daa940ebce..8b56b94e2f56 100644
---- a/fs/eventpoll.c
-+++ b/fs/eventpoll.c
-@@ -1747,6 +1747,21 @@ static struct timespec64 *ep_timeout_to_timespec(struct timespec64 *to, long ms)
- return to;
- }
-
-+/*
-+ * autoremove_wake_function, but remove even on failure to wake up, because we
-+ * know that default_wake_function/ttwu will only fail if the thread is already
-+ * woken, and in that case the ep_poll loop will remove the entry anyways, not
-+ * try to reuse it.
-+ */
-+static int ep_autoremove_wake_function(struct wait_queue_entry *wq_entry,
-+ unsigned int mode, int sync, void *key)
-+{
-+ int ret = default_wake_function(wq_entry, mode, sync, key);
-+
-+ list_del_init(&wq_entry->entry);
-+ return ret;
-+}
-+
- /**
- * ep_poll - Retrieves ready events, and delivers them to the caller-supplied
- * event buffer.
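Review bot: ep_autoremove_wake_function() removes the entry with plain list_del_init(), and its comment explains why removal on a failed wakeup is safe but not what serialises the removal against the waiter. If any waiter-side test of wait.entry runs without ep->lock held, this needs list_del_init_careful() paired with list_empty_careful(). If every such test is under ep->lock, say so in the comment so the lock dependency is explicit. The helper also ignores whether default_wake_function() succeeded, so the comment's premise ("will only fail if the thread is already woken") is the whole safety argument and deserves a pointer to where that guarantee comes from.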
-@@ -1828,8 +1843,15 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,
- * normal wakeup path no need to call __remove_wait_queue()
- * explicitly, thus ep->lock is not taken, which halts the
- * event delivery.
-+ *
-+ * In fact, we now use an even more aggressive function that
-+ * unconditionally removes, because we don't reuse the wait
-+ * entry between loop iterations. This lets us also avoid the
-+ * performance issue if a process is killed, causing all of its
-+ * threads to wake up without being removed normally.
- */
- init_wait(&wait);
-+ wait.func = ep_autoremove_wake_function;
-
- write_lock_irq(&ep->lock);
- /*
---
-2.35.1
-
+++ /dev/null
-From b98c086153d76fbbb9ccae4d4416547027db47db Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 2 Jun 2022 22:08:38 +0200
-Subject: fbcon: Fix accelerated fbdev scrolling while logo is still shown
-
-From: Helge Deller <deller@gmx.de>
-
-[ Upstream commit 3866cba87dcd0162fb41e9b3b653d0af68fad5ec ]
-
-There is no need to directly skip over to the SCROLL_REDRAW case while
-the logo is still shown.
-
-When using DRM, this change has no effect because the code will reach
-the SCROLL_REDRAW case immediately anyway.
-
-But if you run an accelerated fbdev driver and have
-FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION enabled, console scrolling is
-slowed down by factors so that it feels as if you use a 9600 baud
-terminal.
-
-So, drop those unnecessary checks and speed up fbdev console
-acceleration during bootup.
-
-Cc: stable@vger.kernel.org # v5.10+
-Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Link: https://patchwork.freedesktop.org/patch/msgid/YpkYxk7wsBPx3po+@p100
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/video/fbdev/core/fbcon.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
-index 1a9aa12cf886..1a1de5b4645c 100644
---- a/drivers/video/fbdev/core/fbcon.c
-+++ b/drivers/video/fbdev/core/fbcon.c
-@@ -1758,8 +1758,6 @@ static bool fbcon_scroll(struct vc_data *vc, unsigned int t, unsigned int b,
- case SM_UP:
- if (count > vc->vc_rows) /* Maximum realistic size */
- count = vc->vc_rows;
-- if (logo_shown >= 0)
-- goto redraw_up;
- switch (fb_scrollmode(p)) {
- case SCROLL_MOVE:
- fbcon_redraw_blit(vc, info, p, t, b - t - count,
-@@ -1848,8 +1846,6 @@ static bool fbcon_scroll(struct vc_data *vc, unsigned int t, unsigned int b,
- case SM_DOWN:
- if (count > vc->vc_rows) /* Maximum realistic size */
- count = vc->vc_rows;
-- if (logo_shown >= 0)
-- goto redraw_down;
- switch (fb_scrollmode(p)) {
- case SCROLL_MOVE:
- fbcon_redraw_blit(vc, info, p, b - 1, b - t - count,
---
-2.35.1
-
+++ /dev/null
-From d9d27d24ba7501f40215af66b500159644245533 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 2 Jun 2022 22:06:28 +0200
-Subject: fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters
-
-From: Helge Deller <deller@gmx.de>
-
-[ Upstream commit cad564ca557f8d3bb3b1fa965d9a2b3f6490ec69 ]
-
-The user may use the fbcon=vc:<n1>-<n2> option to tell fbcon to take
-over the given range (n1...n2) of consoles. The value for n1 and n2
-needs to be a positive number and up to (MAX_NR_CONSOLES - 1).
-The given values were not fully checked against those boundaries yet.
-
-To fix the issue, convert first_fb_vc and last_fb_vc to unsigned
-integers and check them against the upper boundary, and make sure that
-first_fb_vc is smaller than last_fb_vc.
-
-Cc: stable@vger.kernel.org # v4.19+
-Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Link: https://patchwork.freedesktop.org/patch/msgid/YpkYRMojilrtZIgM@p100
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/video/fbdev/core/fbcon.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
-index 1a1de5b4645c..b89075f3b6ab 100644
---- a/drivers/video/fbdev/core/fbcon.c
-+++ b/drivers/video/fbdev/core/fbcon.c
-@@ -125,8 +125,8 @@ static int logo_lines;
- enums. */
- static int logo_shown = FBCON_LOGO_CANSHOW;
- /* console mappings */
--static int first_fb_vc;
--static int last_fb_vc = MAX_NR_CONSOLES - 1;
-+static unsigned int first_fb_vc;
-+static unsigned int last_fb_vc = MAX_NR_CONSOLES - 1;
- static int fbcon_is_default = 1;
- static int primary_device = -1;
- static int fbcon_has_console_bind;
-@@ -440,10 +440,12 @@ static int __init fb_console_setup(char *this_opt)
- options += 3;
- if (*options)
- first_fb_vc = simple_strtoul(options, &options, 10) - 1;
-- if (first_fb_vc < 0)
-+ if (first_fb_vc >= MAX_NR_CONSOLES)
- first_fb_vc = 0;
- if (*options++ == '-')
- last_fb_vc = simple_strtoul(options, &options, 10) - 1;
-+ if (last_fb_vc < first_fb_vc || last_fb_vc >= MAX_NR_CONSOLES)
-+ last_fb_vc = MAX_NR_CONSOLES - 1;
- fbcon_is_default = 0;
- continue;
- }
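Review bot: In fb_console_setup() the range checks now depend on unsigned wraparound without saying so: `simple_strtoul(...) - 1` turns an input of 0 into a huge value that the new `first_fb_vc >= MAX_NR_CONSOLES` test catches. A short comment on that would prevent someone from changing the type back to int. Out-of-range or inverted values are also reset silently (first_fb_vc to 0, last_fb_vc to MAX_NR_CONSOLES - 1), so a mistyped fbcon=vc:n1-n2 takes over every console without any hint. A pr_warn naming the rejected value would make the fallback visible in the boot log.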
---
-2.35.1
-
+++ /dev/null
-From efb1a337a02e06df948da844dc408e0fd50cd258 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 12 Jun 2022 19:50:29 -0400
-Subject: fix short copy handling in copy_mc_pipe_to_iter()
-
-From: Al Viro <viro@zeniv.linux.org.uk>
-
-[ Upstream commit c3497fd009ef2c59eea60d21c3ac22de3585ed7d ]
-
-Unlike other copying operations on ITER_PIPE, copy_mc_to_iter() can
-result in a short copy. In that case we need to trim the unused
-buffers, as well as the length of partially filled one - it's not
-enough to set ->head, ->iov_offset and ->count to reflect how
-much had we copied. Not hard to fix, fortunately...
-
-I'd put a helper (pipe_discard_from(pipe, head)) into pipe_fs_i.h,
-rather than iov_iter.c - it has nothing to do with iov_iter and
-having it will allow us to avoid an ugly kludge in fs/splice.c.
-We could put it into lib/iov_iter.c for now and move it later,
-but I don't see the point going that way...
-
-Cc: stable@kernel.org # 4.19+
-Fixes: ca146f6f091e "lib/iov_iter: Fix pipe handling in _copy_to_iter_mcsafe()"
-Reviewed-by: Jeff Layton <jlayton@kernel.org>
-Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/pipe_fs_i.h | 9 +++++++++
- lib/iov_iter.c | 15 +++++++++++----
- 2 files changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
-index cb0fd633a610..4ea496924106 100644
---- a/include/linux/pipe_fs_i.h
-+++ b/include/linux/pipe_fs_i.h
-@@ -229,6 +229,15 @@ static inline bool pipe_buf_try_steal(struct pipe_inode_info *pipe,
- return buf->ops->try_steal(pipe, buf);
- }
-
-+static inline void pipe_discard_from(struct pipe_inode_info *pipe,
-+ unsigned int old_head)
-+{
-+ unsigned int mask = pipe->ring_size - 1;
-+
-+ while (pipe->head > old_head)
-+ pipe_buf_release(pipe, &pipe->bufs[--pipe->head & mask]);
-+}
-+
- /* Differs from PIPE_BUF in that PIPE_SIZE is the length of the actual
- memory allocation, whereas PIPE_BUF makes atomicity guarantees. */
- #define PIPE_SIZE PAGE_SIZE
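Review bot: The loop condition in pipe_discard_from(), `while (pipe->head > old_head)`, compares the two indices directly. The body indexes with `--pipe->head & mask`, which suggests head is a free-running unsigned counter that is only masked on use. If so, the direct comparison gives the wrong answer once head has wrapped past old_head. A wrap-safe form such as comparing the unsigned difference `pipe->head - old_head` against zero, or documenting that callers guarantee no wrap between the two values, would make the helper safe to reuse from fs/splice.c as the commit message plans.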
-diff --git a/lib/iov_iter.c b/lib/iov_iter.c
-index 0b64695ab632..2bf20b48a04a 100644
---- a/lib/iov_iter.c
-+++ b/lib/iov_iter.c
-@@ -689,6 +689,7 @@ static size_t copy_mc_pipe_to_iter(const void *addr, size_t bytes,
- struct pipe_inode_info *pipe = i->pipe;
- unsigned int p_mask = pipe->ring_size - 1;
- unsigned int i_head;
-+ unsigned int valid = pipe->head;
- size_t n, off, xfer = 0;
-
- if (!sanity(i))
-@@ -702,11 +703,17 @@ static size_t copy_mc_pipe_to_iter(const void *addr, size_t bytes,
- rem = copy_mc_to_kernel(p + off, addr + xfer, chunk);
- chunk -= rem;
- kunmap_local(p);
-- i->head = i_head;
-- i->iov_offset = off + chunk;
-- xfer += chunk;
-- if (rem)
-+ if (chunk) {
-+ i->head = i_head;
-+ i->iov_offset = off + chunk;
-+ xfer += chunk;
-+ valid = i_head + 1;
-+ }
-+ if (rem) {
-+ pipe->bufs[i_head & p_mask].len -= rem;
-+ pipe_discard_from(pipe, valid);
- break;
-+ }
- n -= chunk;
- off = 0;
- i_head++;
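Review bot: The new `valid` variable in copy_mc_pipe_to_iter() carries the whole short-copy invariant (first ring slot that holds no copied data) but has no comment, and it is initialised from pipe->head in the declaration block, so its meaning depends on that line staying ahead of any code that advances the head. Please add a comment at the declaration. In the `if (rem)` branch, `pipe->bufs[i_head & p_mask].len -= rem;` also runs when chunk is 0, in which case the same buffer is released by pipe_discard_from(pipe, valid) immediately afterwards. Trimming only when chunk is non-zero would make the two cases easier to follow.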
---
-2.35.1
-
+++ /dev/null
-From 64fc62d5d534496e9c262c5f45b6053c5d019208 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 26 Jul 2022 10:18:51 -0400
-Subject: ftrace/x86: Add back ftrace_expected assignment
-
-From: Steven Rostedt (Google) <rostedt@goodmis.org>
-
-[ Upstream commit ac6c1b2ca77e722a1e5d651f12f437f2f237e658 ]
-
-When a ftrace_bug happens (where ftrace fails to modify a location) it is
-helpful to have what was at that location as well as what was expected to
-be there.
-
-But with the conversion to text_poke() the variable that assigns the
-expected for debugging was dropped. Unfortunately, I noticed this when I
-needed it. Add it back.
-
-Link: https://lkml.kernel.org/r/20220726101851.069d2e70@gandalf.local.home
-
-Cc: "x86@kernel.org" <x86@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: Ingo Molnar <mingo@kernel.org>
-Cc: Borislav Petkov <bp@alien8.de>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: stable@vger.kernel.org
-Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()")
-Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kernel/ftrace.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
-index 24b9fa89aa27..bd165004776d 100644
---- a/arch/x86/kernel/ftrace.c
-+++ b/arch/x86/kernel/ftrace.c
-@@ -91,6 +91,7 @@ static int ftrace_verify_code(unsigned long ip, const char *old_code)
-
- /* Make sure it is what we expect it to be */
- if (memcmp(cur_code, old_code, MCOUNT_INSN_SIZE) != 0) {
-+ ftrace_expected = old_code;
- WARN_ON(1);
- return -EINVAL;
- }
---
-2.35.1
-
+++ /dev/null
-From 6a8e4273ffe4f780a39f1c0677b80a21e832dc9d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 22 Apr 2022 15:48:53 +0200
-Subject: fuse: fix deadlock between atomic O_TRUNC and page invalidation
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-[ Upstream commit 2fdbb8dd01556e1501132b5ad3826e8f71e24a8b ]
-
-fuse_finish_open() will be called with FUSE_NOWRITE set in case of atomic
-O_TRUNC open(), so commit 76224355db75 ("fuse: truncate pagecache on
-atomic_o_trunc") replaced invalidate_inode_pages2() by truncate_pagecache()
-in such a case to avoid the A-A deadlock. However, we found another A-B-B-A
-deadlock related to the case above, which will cause the xfstests
-generic/464 testcase hung in our virtio-fs test environment.
-
-For example, consider two processes concurrently open one same file, one
-with O_TRUNC and another without O_TRUNC. The deadlock case is described
-below, if open(O_TRUNC) is already set_nowrite(acquired A), and is trying
-to lock a page (acquiring B), open() could have held the page lock
-(acquired B), and waiting on the page writeback (acquiring A). This would
-lead to deadlocks.
-
-open(O_TRUNC)
-----------------------------------------------------------------
-fuse_open_common
- inode_lock [C acquire]
- fuse_set_nowrite [A acquire]
-
- fuse_finish_open
- truncate_pagecache
- lock_page [B acquire]
- truncate_inode_page
- unlock_page [B release]
-
- fuse_release_nowrite [A release]
- inode_unlock [C release]
-----------------------------------------------------------------
-
-open()
-----------------------------------------------------------------
-fuse_open_common
- fuse_finish_open
- invalidate_inode_pages2
- lock_page [B acquire]
- fuse_launder_page
- fuse_wait_on_page_writeback [A acquire & release]
- unlock_page [B release]
-----------------------------------------------------------------
-
-Besides this case, all calls of invalidate_inode_pages2() and
-invalidate_inode_pages2_range() in fuse code also can deadlock with
-open(O_TRUNC).
-
-Fix by moving the truncate_pagecache() call outside the nowrite protected
-region. The nowrite protection is only for delayed writeback
-(writeback_cache) case, where inode lock does not protect against
-truncation racing with writes on the server. Write syscalls racing with
-page cache truncation still get the inode lock protection.
-
-This patch also changes the order of filemap_invalidate_lock()
-vs. fuse_set_nowrite() in fuse_open_common(). This new order matches the
-order found in fuse_file_fallocate() and fuse_do_setattr().
-
-Reported-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
-Tested-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
-Fixes: e4648309b85a ("fuse: truncate pending writes on O_TRUNC")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/fuse/dir.c | 7 ++++++-
- fs/fuse/file.c | 30 +++++++++++++++++-------------
- 2 files changed, 23 insertions(+), 14 deletions(-)
-
-diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
-index 74303d6e987b..a93d675a726a 100644
---- a/fs/fuse/dir.c
-+++ b/fs/fuse/dir.c
-@@ -537,6 +537,7 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
- struct fuse_file *ff;
- void *security_ctx = NULL;
- u32 security_ctxlen;
-+ bool trunc = flags & O_TRUNC;
-
- /* Userspace expects S_IFREG in create mode */
- BUG_ON((mode & S_IFMT) != S_IFREG);
-@@ -561,7 +562,7 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
- inarg.mode = mode;
- inarg.umask = current_umask();
-
-- if (fm->fc->handle_killpriv_v2 && (flags & O_TRUNC) &&
-+ if (fm->fc->handle_killpriv_v2 && trunc &&
- !(flags & O_EXCL) && !capable(CAP_FSETID)) {
- inarg.open_flags |= FUSE_OPEN_KILL_SUIDGID;
- }
-@@ -623,6 +624,10 @@ static int fuse_create_open(struct inode *dir, struct dentry *entry,
- } else {
- file->private_data = ff;
- fuse_finish_open(inode, file);
-+ if (fm->fc->atomic_o_trunc && trunc)
-+ truncate_pagecache(inode, 0);
-+ else if (!(ff->open_flags & FOPEN_KEEP_CACHE))
-+ invalidate_inode_pages2(inode->i_mapping);
- }
- return err;
-
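Review bot: The four lines added after fuse_finish_open() in fuse_create_open() duplicate the block added to fuse_open_common() in fs/fuse/file.c, except that this copy tests the local `trunc` (from `flags & O_TRUNC`) while the other tests `file->f_flags & O_TRUNC`. Moving the truncate-or-invalidate decision into one helper that takes the O_TRUNC state as an argument would keep the two call sites in step. The return value of invalidate_inode_pages2() is also dropped in both places; if that is intentional, a comment would help.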
-diff --git a/fs/fuse/file.c b/fs/fuse/file.c
-index 60885ff9157c..dfee142bca5c 100644
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -210,13 +210,9 @@ void fuse_finish_open(struct inode *inode, struct file *file)
- fi->attr_version = atomic64_inc_return(&fc->attr_version);
- i_size_write(inode, 0);
- spin_unlock(&fi->lock);
-- truncate_pagecache(inode, 0);
- file_update_time(file);
- fuse_invalidate_attr_mask(inode, FUSE_STATX_MODSIZE);
-- } else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) {
-- invalidate_inode_pages2(inode->i_mapping);
- }
--
- if ((file->f_mode & FMODE_WRITE) && fc->writeback_cache)
- fuse_link_write_file(file);
- }
-@@ -239,30 +235,38 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir)
- if (err)
- return err;
-
-- if (is_wb_truncate || dax_truncate) {
-+ if (is_wb_truncate || dax_truncate)
- inode_lock(inode);
-- fuse_set_nowrite(inode);
-- }
-
- if (dax_truncate) {
- filemap_invalidate_lock(inode->i_mapping);
- err = fuse_dax_break_layouts(inode, 0, 0);
- if (err)
-- goto out;
-+ goto out_inode_unlock;
- }
-
-+ if (is_wb_truncate || dax_truncate)
-+ fuse_set_nowrite(inode);
-+
- err = fuse_do_open(fm, get_node_id(inode), file, isdir);
- if (!err)
- fuse_finish_open(inode, file);
-
--out:
-+ if (is_wb_truncate || dax_truncate)
-+ fuse_release_nowrite(inode);
-+ if (!err) {
-+ struct fuse_file *ff = file->private_data;
-+
-+ if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC))
-+ truncate_pagecache(inode, 0);
-+ else if (!(ff->open_flags & FOPEN_KEEP_CACHE))
-+ invalidate_inode_pages2(inode->i_mapping);
-+ }
- if (dax_truncate)
- filemap_invalidate_unlock(inode->i_mapping);
--
-- if (is_wb_truncate | dax_truncate) {
-- fuse_release_nowrite(inode);
-+out_inode_unlock:
-+ if (is_wb_truncate || dax_truncate)
- inode_unlock(inode);
-- }
-
- return err;
- }
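Review bot: The new `goto out_inode_unlock` in fuse_open_common() is taken after `filemap_invalidate_lock(inode->i_mapping)` has been acquired, but the label sits below `if (dax_truncate) filemap_invalidate_unlock(inode->i_mapping);`. When fuse_dax_break_layouts() fails, the invalidate lock is therefore never released. The old `goto out` landed above that unlock. Either drop the lock before the goto or place a label ahead of the filemap_invalidate_unlock() call. The reordering of fuse_set_nowrite() relative to filemap_invalidate_lock() should also get an in-code comment naming the lock order, since the commit message is the only place it is described.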
---
-2.35.1
-
+++ /dev/null
-From 9a76a72661a15caa9ccd7884caa7f17bffb7a9ea Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 21 Jul 2022 16:06:18 +0200
-Subject: fuse: ioctl: translate ENOSYS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-[ Upstream commit 02c0cab8e7345b06f1c0838df444e2902e4138d3 ]
-
-Overlayfs may fail to complete updates when a filesystem lacks
-fileattr/xattr syscall support and responds with an ENOSYS error code,
-resulting in an unexpected "Function not implemented" error.
-
-This bug may occur with FUSE filesystems, such as davfs2.
-
-Steps to reproduce:
-
- # install davfs2, e.g., apk add davfs2
- mkdir /test mkdir /test/lower /test/upper /test/work /test/mnt
- yes '' | mount -t davfs -o ro http://some-web-dav-server/path \
- /test/lower
- mount -t overlay -o upperdir=/test/upper,lowerdir=/test/lower \
- -o workdir=/test/work overlay /test/mnt
-
- # when "some-file" exists in the lowerdir, this fails with "Function
- # not implemented", with dmesg showing "overlayfs: failed to retrieve
- # lower fileattr (/some-file, err=-38)"
- touch /test/mnt/some-file
-
-The underlying cause of this regresion is actually in FUSE, which fails to
-translate the ENOSYS error code returned by userspace filesystem (which
-means that the ioctl operation is not supported) to ENOTTY.
-
-Reported-by: Christian Kohlschütter <christian@kohlschutter.com>
-Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags")
-Fixes: 59efec7b9039 ("fuse: implement ioctl support")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/fuse/ioctl.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/fs/fuse/ioctl.c b/fs/fuse/ioctl.c
-index 33cde4bbccdc..61d8afcb10a3 100644
---- a/fs/fuse/ioctl.c
-+++ b/fs/fuse/ioctl.c
-@@ -9,6 +9,17 @@
- #include <linux/compat.h>
- #include <linux/fileattr.h>
-
-+static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args)
-+{
-+ ssize_t ret = fuse_simple_request(fm, args);
-+
-+ /* Translate ENOSYS, which shouldn't be returned from fs */
-+ if (ret == -ENOSYS)
-+ ret = -ENOTTY;
-+
-+ return ret;
-+}
-+
- /*
- * CUSE servers compiled on 32bit broke on 64bit kernels because the
- * ABI was defined to be 'struct iovec' which is different on 32bit
-@@ -259,7 +270,7 @@ long fuse_do_ioctl(struct file *file, unsigned int cmd, unsigned long arg,
- ap.args.out_pages = true;
- ap.args.out_argvar = true;
-
-- transferred = fuse_simple_request(fm, &ap.args);
-+ transferred = fuse_send_ioctl(fm, &ap.args);
- err = transferred;
- if (transferred < 0)
- goto out;
-@@ -393,7 +404,7 @@ static int fuse_priv_ioctl(struct inode *inode, struct fuse_file *ff,
- args.out_args[1].size = inarg.out_size;
- args.out_args[1].value = ptr;
-
-- err = fuse_simple_request(fm, &args);
-+ err = fuse_send_ioctl(fm, &args);
- if (!err) {
- if (outarg.result < 0)
- err = outarg.result;
---
-2.35.1
-
+++ /dev/null
-From 415837824b69f800cea848df2bc04c46605413db Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 21 Jul 2022 16:06:18 +0200
-Subject: fuse: limit nsec
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-[ Upstream commit 47912eaa061a6a81e4aa790591a1874c650733c0 ]
-
-Limit nanoseconds to 0..999999999.
-
-Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/fuse/inode.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
-index 8c0665c5dff8..7c290089e693 100644
---- a/fs/fuse/inode.c
-+++ b/fs/fuse/inode.c
-@@ -180,6 +180,12 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
- inode->i_uid = make_kuid(fc->user_ns, attr->uid);
- inode->i_gid = make_kgid(fc->user_ns, attr->gid);
- inode->i_blocks = attr->blocks;
-+
-+ /* Sanitize nsecs */
-+ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1);
-+ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1);
-+ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1);
-+
- inode->i_atime.tv_sec = attr->atime;
- inode->i_atime.tv_nsec = attr->atimensec;
- /* mtime from server may be stale due to local buffered write */
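Review bot: The three min_t() lines write the clamped values back into *attr, so a function that reads as copying attributes into the inode now also modifies its input. Clamping at the point of assignment (for example where inode->i_atime.tv_nsec is set) or stating in the "Sanitize nsecs" comment that attr is rewritten in place would make the side effect explicit. The clamp also silently turns any out-of-range value from the server into NSEC_PER_SEC - 1; if coercing is preferred over rejecting the reply, the comment should say so.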
---
-2.35.1
-
+++ /dev/null
-From 8674a3b26deade1bbd04e752246293b72bf6863c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 20 Apr 2022 16:05:41 +0200
-Subject: fuse: write inode in fuse_release()
-
-From: Miklos Szeredi <mszeredi@redhat.com>
-
-[ Upstream commit 035ff33cf4db101250fb980a3941bf078f37a544 ]
-
-A race between write(2) and close(2) allows pages to be dirtied after
-fuse_flush -> write_inode_now(). If these pages are not flushed from
-fuse_release(), then there might not be a writable open file later. So any
-remaining dirty pages must be written back before the file is released.
-
-This is a partial revert of the blamed commit.
-
-Reported-by: syzbot+6e1efbd8efaaa6860e91@syzkaller.appspotmail.com
-Fixes: 36ea23374d1f ("fuse: write inode in fuse_vma_close() instead of fuse_release()")
-Cc: <stable@vger.kernel.org> # v5.16
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/fuse/file.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/fs/fuse/file.c b/fs/fuse/file.c
-index 05caa2b9272e..60885ff9157c 100644
---- a/fs/fuse/file.c
-+++ b/fs/fuse/file.c
-@@ -338,6 +338,15 @@ static int fuse_open(struct inode *inode, struct file *file)
-
- static int fuse_release(struct inode *inode, struct file *file)
- {
-+ struct fuse_conn *fc = get_fuse_conn(inode);
-+
-+ /*
-+ * Dirty pages might remain despite write_inode_now() call from
-+ * fuse_flush() due to writes racing with the close.
-+ */
-+ if (fc->writeback_cache)
-+ write_inode_now(inode, 1);
-+
- fuse_release_common(file, false);
-
- /* return value is ignored by VFS */
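Review bot: write_inode_now(inode, 1) in fuse_release() discards its return value, so a writeback failure on the pages dirtied by the racing write is dropped without a trace. The trailing context notes that the VFS ignores the return value of release, so the error cannot be propagated from here; the new comment should say that explicitly, and the error should be recorded somewhere a later fsync or close can see it.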
---
-2.35.1
-
+++ /dev/null
-From bfb446268f6178e53244ad8b7cc1a6b20435f790 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 26 May 2022 01:08:27 +0200
-Subject: HID: hid-input: add Surface Go battery quirk
-
-From: Maximilian Luz <luzmaximilian@gmail.com>
-
-[ Upstream commit db925d809011c37b246434fdce71209fc2e6c0c2 ]
-
-Similar to the Surface Go (1), the (Elantech) touchscreen/digitizer in
-the Surface Go 2 mistakenly reports the battery of the stylus. Instead
-of over the touchscreen device, battery information is provided via
-bluetooth and the touchscreen device reports an empty battery.
-
-Apply the HID_BATTERY_QUIRK_IGNORE quirk to ignore this battery and
-prevent the erroneous low battery warnings.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hid/hid-ids.h | 1 +
- drivers/hid/hid-input.c | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
-index d9eb676abe96..9c4e92a9c646 100644
---- a/drivers/hid/hid-ids.h
-+++ b/drivers/hid/hid-ids.h
-@@ -413,6 +413,7 @@
- #define USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN 0x2544
- #define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN 0x2706
- #define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN 0x261A
-+#define I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN 0x2A1C
-
- #define USB_VENDOR_ID_ELECOM 0x056e
- #define USB_DEVICE_ID_ELECOM_BM084 0x0061
-diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
-index c6b27aab9041..48c1c02c69f4 100644
---- a/drivers/hid/hid-input.c
-+++ b/drivers/hid/hid-input.c
-@@ -381,6 +381,8 @@ static const struct hid_device_id hid_battery_quirks[] = {
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
-+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN),
-+ HID_BATTERY_QUIRK_IGNORE },
- {}
- };
-
---
-2.35.1
-
+++ /dev/null
-From fda2e32fadf0b81d5d65e6535b400165619be6c8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 15:17:05 -0700
-Subject: HID: nintendo: Add missing array termination
-
-From: Guenter Roeck <linux@roeck-us.net>
-
-[ Upstream commit ab5f3404b7762b88403fbddbdda6b1b464bd6cbc ]
-
-joycon_dpad_inputs_jc[] is unterminated. This may result in odd warnings
-such as
-
-input: input_set_capability: invalid code 3077588140 for type 1
-
-or in kernel crashes in nintendo_hid_probe(). Terminate the array to fix
-the problem.
-
-Fixes: 2af16c1f846bd ("HID: nintendo: add nintendo switch controller driver")
-Cc: Daniel J. Ogorchock <djogorchock@gmail.com>
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hid/hid-nintendo.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c
-index 2204de889739..4b1173957c17 100644
---- a/drivers/hid/hid-nintendo.c
-+++ b/drivers/hid/hid-nintendo.c
-@@ -1586,6 +1586,7 @@ static const unsigned int joycon_button_inputs_r[] = {
- /* We report joy-con d-pad inputs as buttons and pro controller as a hat. */
- static const unsigned int joycon_dpad_inputs_jc[] = {
- BTN_DPAD_UP, BTN_DPAD_DOWN, BTN_DPAD_LEFT, BTN_DPAD_RIGHT,
-+ 0 /* 0 signals end of array */
- };
-
- static int joycon_input_create(struct joycon_ctlr *ctlr)
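Review bot: The added `0 /* 0 signals end of array */` relies on 0 never being a valid entry and on every such table remembering its terminator, which is exactly the mistake being fixed in joycon_dpad_inputs_jc[]. Since these are file-local static arrays, iterating with ARRAY_SIZE() at the consumer would remove the sentinel dependency; if the sentinel stays, a comment at the loop that walks these arrays stating the termination rule would protect the next table added here.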
---
-2.35.1
-
+++ /dev/null
-From 0137a15938b0f57b5698e4493c44ca69b3a208c3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 13 May 2022 14:52:37 -0700
-Subject: HID: wacom: Don't register pad_input for touch switch
-
-From: Ping Cheng <pinglinux@gmail.com>
-
-[ Upstream commit d6b675687a4ab4dba684716d97c8c6f81bf10905 ]
-
-Touch switch state is received through WACOM_PAD_FIELD. However, it
-is reported by touch_input. Don't register pad_input if no other pad
-events require the interface.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
-Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hid/wacom_sys.c | 2 +-
- drivers/hid/wacom_wac.c | 43 ++++++++++++++++++++++++-----------------
- 2 files changed, 26 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
-index 620fe74f5676..98384b911288 100644
---- a/drivers/hid/wacom_sys.c
-+++ b/drivers/hid/wacom_sys.c
-@@ -2121,7 +2121,7 @@ static int wacom_register_inputs(struct wacom *wacom)
-
- error = wacom_setup_pad_input_capabilities(pad_input_dev, wacom_wac);
- if (error) {
-- /* no pad in use on this interface */
-+ /* no pad events using this interface */
- input_free_device(pad_input_dev);
- wacom_wac->pad_input = NULL;
- pad_input_dev = NULL;
-diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
-index 866b484b82de..f8cc4bb3e3a7 100644
---- a/drivers/hid/wacom_wac.c
-+++ b/drivers/hid/wacom_wac.c
-@@ -2019,7 +2019,6 @@ static void wacom_wac_pad_usage_mapping(struct hid_device *hdev,
- wacom_wac->has_mute_touch_switch = true;
- usage->type = EV_SW;
- usage->code = SW_MUTE_DEVICE;
-- features->device_type |= WACOM_DEVICETYPE_PAD;
- break;
- case WACOM_HID_WD_TOUCHSTRIP:
- wacom_map_usage(input, usage, field, EV_ABS, ABS_RX, 0);
-@@ -2099,6 +2098,30 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field
- wacom_wac->hid_data.inrange_state |= value;
- }
-
-+ /* Process touch switch state first since it is reported through touch interface,
-+ * which is indepentent of pad interface. In the case when there are no other pad
-+ * events, the pad interface will not even be created.
-+ */
-+ if ((equivalent_usage == WACOM_HID_WD_MUTE_DEVICE) ||
-+ (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)) {
-+ if (wacom_wac->shared->touch_input) {
-+ bool *is_touch_on = &wacom_wac->shared->is_touch_on;
-+
-+ if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value)
-+ *is_touch_on = !(*is_touch_on);
-+ else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)
-+ *is_touch_on = value;
-+
-+ input_report_switch(wacom_wac->shared->touch_input,
-+ SW_MUTE_DEVICE, !(*is_touch_on));
-+ input_sync(wacom_wac->shared->touch_input);
-+ }
-+ return;
-+ }
-+
-+ if (!input)
-+ return;
-+
- switch (equivalent_usage) {
- case WACOM_HID_WD_TOUCHRING:
- /*
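Review bot: The added `if (!input) return;` is now the only guard between a missing pad device and the switch below, and nothing in the code says so; add a one-line comment that the pad input may not have been registered. The new block comment above the touch switch handling also has a typo ("indepentent") and starts its text on the opening /* line, unlike the multi-line comment that follows in the same function.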
-@@ -2134,22 +2157,6 @@ static void wacom_wac_pad_event(struct hid_device *hdev, struct hid_field *field
- input_event(input, usage->type, usage->code, 0);
- break;
-
-- case WACOM_HID_WD_MUTE_DEVICE:
-- case WACOM_HID_WD_TOUCHONOFF:
-- if (wacom_wac->shared->touch_input) {
-- bool *is_touch_on = &wacom_wac->shared->is_touch_on;
--
-- if (equivalent_usage == WACOM_HID_WD_MUTE_DEVICE && value)
-- *is_touch_on = !(*is_touch_on);
-- else if (equivalent_usage == WACOM_HID_WD_TOUCHONOFF)
-- *is_touch_on = value;
--
-- input_report_switch(wacom_wac->shared->touch_input,
-- SW_MUTE_DEVICE, !(*is_touch_on));
-- input_sync(wacom_wac->shared->touch_input);
-- }
-- break;
--
- case WACOM_HID_WD_MODE_CHANGE:
- if (wacom_wac->is_direct_mode != value) {
- wacom_wac->is_direct_mode = value;
-@@ -2835,7 +2842,7 @@ void wacom_wac_event(struct hid_device *hdev, struct hid_field *field,
- /* usage tests must precede field tests */
- if (WACOM_BATTERY_USAGE(usage))
- wacom_wac_battery_event(hdev, field, usage, value);
-- else if (WACOM_PAD_FIELD(field) && wacom->wacom_wac.pad_input)
-+ else if (WACOM_PAD_FIELD(field))
- wacom_wac_pad_event(hdev, field, usage, value);
- else if (WACOM_PEN_FIELD(field) && wacom->wacom_wac.pen_input)
- wacom_wac_pen_event(hdev, field, usage, value);
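Review bot: After this change the pad branch is dispatched without checking `wacom->wacom_wac.pad_input`, while the pen branch directly below still checks `pen_input`, and the asymmetry is unexplained at this site. A short comment that wacom_wac_pad_event() handles a NULL pad input itself, because touch switch events arrive in pad fields but are reported through touch_input, would keep someone from restoring the check.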
---
-2.35.1
-
+++ /dev/null
-From 45bea7616fc78940408008d1bbb3b8ce92304f93 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 13 May 2022 14:51:56 -0700
-Subject: HID: wacom: Only report rotation for art pen
-
-From: Ping Cheng <pinglinux@gmail.com>
-
-[ Upstream commit 7ccced33a0ba39b0103ae1dfbf7f1dffdc0a1bc2 ]
-
-The generic routine, wacom_wac_pen_event, turns rotation value 90
-degree anti-clockwise before posting the events. This non-zero
-event trggers a non-zero ABS_Z event for non art pen tools. However,
-HID_DG_TWIST is only supported by art pen.
-
-[jkosina@suse.cz: fix build: add missing brace]
-Cc: stable@vger.kernel.org
-Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
-Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
---
-Hi Jiri,
-
-This is kind of a version 2 of the last one I posted two days ago.
-I updated the logic so it has less changed lines: 29 vs 158! Hopefully,
-the logic is easier to follow now. Please ignore the last one.
-
-Thank you!
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hid/wacom_wac.c | 29 +++++++++++++++++++++--------
- 1 file changed, 21 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
-index 9470c2b0b529..866b484b82de 100644
---- a/drivers/hid/wacom_wac.c
-+++ b/drivers/hid/wacom_wac.c
-@@ -638,9 +638,26 @@ static int wacom_intuos_id_mangle(int tool_id)
- return (tool_id & ~0xFFF) << 4 | (tool_id & 0xFFF);
- }
-
-+static bool wacom_is_art_pen(int tool_id)
-+{
-+ bool is_art_pen = false;
-+
-+ switch (tool_id) {
-+ case 0x885: /* Intuos3 Marker Pen */
-+ case 0x804: /* Intuos4/5 13HD/24HD Marker Pen */
-+ case 0x10804: /* Intuos4/5 13HD/24HD Art Pen */
-+ is_art_pen = true;
-+ break;
-+ }
-+ return is_art_pen;
-+}
-+
- static int wacom_intuos_get_tool_type(int tool_id)
- {
-- int tool_type;
-+ int tool_type = BTN_TOOL_PEN;
-+
-+ if (wacom_is_art_pen(tool_id))
-+ return tool_type;
-
- switch (tool_id) {
- case 0x812: /* Inking pen */
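Review bot: wacom_is_art_pen() returns true for 0x885 and 0x804, which its own inline comments label "Marker Pen", so the helper name does not match every ID it accepts; either rename it or add a comment that these tools also report twist. The local `is_art_pen` with `break` can be dropped in favour of `return true;` in the case and `return false;` at the end.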
-@@ -655,12 +672,9 @@ static int wacom_intuos_get_tool_type(int tool_id)
- case 0x852:
- case 0x823: /* Intuos3 Grip Pen */
- case 0x813: /* Intuos3 Classic Pen */
-- case 0x885: /* Intuos3 Marker Pen */
- case 0x802: /* Intuos4/5 13HD/24HD General Pen */
-- case 0x804: /* Intuos4/5 13HD/24HD Marker Pen */
- case 0x8e2: /* IntuosHT2 pen */
- case 0x022:
-- case 0x10804: /* Intuos4/5 13HD/24HD Art Pen */
- case 0x10842: /* MobileStudio Pro Pro Pen slim */
- case 0x14802: /* Intuos4/5 13HD/24HD Classic Pen */
- case 0x16802: /* Cintiq 13HD Pro Pen */
-@@ -718,10 +732,6 @@ static int wacom_intuos_get_tool_type(int tool_id)
- case 0x10902: /* Intuos4/5 13HD/24HD Airbrush */
- tool_type = BTN_TOOL_AIRBRUSH;
- break;
--
-- default: /* Unknown tool */
-- tool_type = BTN_TOOL_PEN;
-- break;
- }
- return tool_type;
- }
-@@ -2336,6 +2346,9 @@ static void wacom_wac_pen_event(struct hid_device *hdev, struct hid_field *field
- }
- return;
- case HID_DG_TWIST:
-+ /* don't modify the value if the pen doesn't support the feature */
-+ if (!wacom_is_art_pen(wacom_wac->id[0])) return;
-+
- /*
- * Userspace expects pen twist to have its zero point when
- * the buttons/finger is on the tablet's left. HID values
---
-2.35.1
-
+++ /dev/null
-From 8d278756aab6ff9b002539a96ddecedc470c5fcc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 24 Jun 2022 14:13:05 +0200
-Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
-
-From: Alexander Lobakin <alexandr.lobakin@intel.com>
-
-[ Upstream commit e5a16a5c4602c119262f350274021f90465f479d ]
-
-test_bit(), as any other bitmap op, takes `unsigned long *` as a
-second argument (pointer to the actual bitmap), as any bitmap
-itself is an array of unsigned longs. However, the ia64_get_irr()
-code passes a ref to `u64` as a second argument.
-This works with the ia64 bitops implementation due to that they
-have `void *` as the second argument and then cast it later on.
-This works with the bitmap API itself due to that `unsigned long`
-has the same size on ia64 as `u64` (`unsigned long long`), but
-from the compiler PoV those two are different.
-Define @irr as `unsigned long` to fix that. That implies no
-functional changes. Has been hidden for 16 years!
-
-Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations")
-Cc: stable@vger.kernel.org # 2.6.16+
-Reported-by: kernel test robot <lkp@intel.com>
-Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
-Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
-Reviewed-by: Yury Norov <yury.norov@gmail.com>
-Signed-off-by: Yury Norov <yury.norov@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/ia64/include/asm/processor.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h
-index 7cbce290f4e5..757c2f6d8d4b 100644
---- a/arch/ia64/include/asm/processor.h
-+++ b/arch/ia64/include/asm/processor.h
-@@ -538,7 +538,7 @@ ia64_get_irr(unsigned int vector)
- {
- unsigned int reg = vector / 64;
- unsigned int bit = vector % 64;
-- u64 irr;
-+ unsigned long irr;
-
- switch (reg) {
- case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break;
---
-2.35.1
-
+++ /dev/null
-From 574bac6c5e4c8f3d6063039b1d9b4d006a170357 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 18 Jul 2022 15:07:06 +0200
-Subject: iio: fix iio_format_avail_range() printing for none IIO_VAL_INT
-
-From: Fawzi Khaber <fawzi.khaber@tdk.com>
-
-[ Upstream commit 5e1f91850365de55ca74945866c002fda8f00331 ]
-
-iio_format_avail_range() should print range as follow [min, step, max], so
-the function was previously calling iio_format_list() with length = 3,
-length variable refers to the array size of values not the number of
-elements. In case of non IIO_VAL_INT values each element has integer part
-and decimal part. With length = 3 this would cause premature end of loop
-and result in printing only one element.
-
-Signed-off-by: Fawzi Khaber <fawzi.khaber@tdk.com>
-Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
-Fixes: eda20ba1e25e ("iio: core: Consolidate iio_format_avail_{list,range}()")
-Link: https://lore.kernel.org/r/20220718130706.32571-1-jmaneyrol@invensense.com
-Cc: <Stable@vger.kernel.org>
-Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/iio/industrialio-core.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
-index adf054c7a75e..299ae3ad2fe5 100644
---- a/drivers/iio/industrialio-core.c
-+++ b/drivers/iio/industrialio-core.c
-@@ -835,7 +835,23 @@ static ssize_t iio_format_avail_list(char *buf, const int *vals,
-
- static ssize_t iio_format_avail_range(char *buf, const int *vals, int type)
- {
-- return iio_format_list(buf, vals, type, 3, "[", "]");
-+ int length;
-+
-+ /*
-+ * length refers to the array size , not the number of elements.
-+ * The purpose is to print the range [min , step ,max] so length should
-+ * be 3 in case of int, and 6 for other types.
-+ */
-+ switch (type) {
-+ case IIO_VAL_INT:
-+ length = 3;
-+ break;
-+ default:
-+ length = 6;
-+ break;
-+ }
-+
-+ return iio_format_list(buf, vals, type, length, "[", "]");
- }
-
- static ssize_t iio_read_channel_info_avail(struct device *dev,
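Review bot: The `default:` branch sets length = 6 for every type other than IIO_VAL_INT, which assumes all remaining value types occupy exactly two ints per element. Listing the two-int types explicitly and rejecting anything else would avoid silently misprinting (or over-reading vals) if a type with a different width is passed. The new comment also has stray spacing ("array size , not", "[min , step ,max]").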
---
-2.35.1
-
+++ /dev/null
-From fccda6e8e53e594d0b4589122144a7b6c4fe3c39 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 17 Jul 2022 08:42:41 +0800
-Subject: iio: light: isl29028: Fix the warning in isl29028_remove()
-
-From: Zheyu Ma <zheyuma97@gmail.com>
-
-[ Upstream commit 06674fc7c003b9d0aa1d37fef7ab2c24802cc6ad ]
-
-The driver use the non-managed form of the register function in
-isl29028_remove(). To keep the release order as mirroring the ordering
-in probe, the driver should use non-managed form in probe, too.
-
-The following log reveals it:
-
-[ 32.374955] isl29028 0-0010: remove
-[ 32.376861] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI
-[ 32.377676] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
-[ 32.379432] RIP: 0010:kernfs_find_and_get_ns+0x28/0xe0
-[ 32.385461] Call Trace:
-[ 32.385807] sysfs_unmerge_group+0x59/0x110
-[ 32.386110] dpm_sysfs_remove+0x58/0xc0
-[ 32.386391] device_del+0x296/0xe50
-[ 32.386959] cdev_device_del+0x1d/0xd0
-[ 32.387231] devm_iio_device_unreg+0x27/0xb0
-[ 32.387542] devres_release_group+0x319/0x3d0
-[ 32.388162] i2c_device_remove+0x93/0x1f0
-
-Fixes: 2db5054ac28d ("staging: iio: isl29028: add runtime power management support")
-Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
-Link: https://lore.kernel.org/r/20220717004241.2281028-1-zheyuma97@gmail.com
-Cc: <Stable@vger.kernel.org>
-Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/iio/light/isl29028.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/iio/light/isl29028.c b/drivers/iio/light/isl29028.c
-index 9de3262aa688..a62787f5d5e7 100644
---- a/drivers/iio/light/isl29028.c
-+++ b/drivers/iio/light/isl29028.c
-@@ -625,7 +625,7 @@ static int isl29028_probe(struct i2c_client *client,
- ISL29028_POWER_OFF_DELAY_MS);
- pm_runtime_use_autosuspend(&client->dev);
-
-- ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev);
-+ ret = iio_device_register(indio_dev);
- if (ret < 0) {
- dev_err(&client->dev,
- "%s(): iio registration failed with error %d\n",
---
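Review bot: With `iio_device_register(indio_dev)` replacing the devm variant, nothing unregisters the device automatically, so the remove path and any failure exit from probe after this call must call iio_device_unregister() exactly once. The hunk shows only the failure branch of the registration itself, which follows the runtime PM setup in the context lines above; check that this branch and any later exit unwind in the reverse order of probe.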
-2.35.1
-
+++ /dev/null
-From 6983dec2f67e9edf159f000438f316aeb7a36614 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Aug 2022 15:20:33 +0800
-Subject: Input: gscps2 - check return value of ioremap() in gscps2_probe()
-
-From: Xie Shaowen <studentxswpy@163.com>
-
-[ Upstream commit e61b3125a4f036b3c6b87ffd656fc1ab00440ae9 ]
-
-The function ioremap() in gscps2_probe() can fail, so
-its return value should be checked.
-
-Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache")
-Cc: <stable@vger.kernel.org> # v5.6+
-Reported-by: Hacash Robot <hacashRobot@santino.com>
-Signed-off-by: Xie Shaowen <studentxswpy@163.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/input/serio/gscps2.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/input/serio/gscps2.c b/drivers/input/serio/gscps2.c
-index a9065c6ab550..da2c67cb8642 100644
---- a/drivers/input/serio/gscps2.c
-+++ b/drivers/input/serio/gscps2.c
-@@ -350,6 +350,10 @@ static int __init gscps2_probe(struct parisc_device *dev)
- ps2port->port = serio;
- ps2port->padev = dev;
- ps2port->addr = ioremap(hpa, GSC_STATUS + 4);
-+ if (!ps2port->addr) {
-+ ret = -ENOMEM;
-+ goto fail_nomem;
-+ }
- spin_lock_init(&ps2port->lock);
-
- gscps2_reset(ps2port);
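Review bot: The new failure branch jumps to fail_nomem after `ps2port->port = serio` and `ps2port->padev = dev` have been assigned, and the body of that label is outside this hunk. Confirm the label releases both ps2port and serio; otherwise the patch replaces a NULL dereference with a leak on the ioremap() failure path.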
---
-2.35.1
-
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/hwtracing/intel_th/pci.c | 5 +++++
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c
-index 7da4f298ed01..f432a772571b 100644
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
-@@ -278,6 +278,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = {
- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x54a6),
+@@ -285,6 +285,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
-+ {
+ {
+ /* Meteor Lake-P */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7e24),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
- {
++ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
---
-2.35.1
-
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/hwtracing/intel_th/pci.c | 5 +++++
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c
-index ff034eac7c7b..2f450e6ce4a8 100644
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
-@@ -288,6 +288,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = {
- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26),
+@@ -295,6 +295,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
-+ {
+ {
+ /* Raptor Lake-S CPU */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa76f),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
- {
++ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
---
-2.35.1
-
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/hwtracing/intel_th/pci.c | 5 +++++
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)
-diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c
-index f432a772571b..ff034eac7c7b 100644
--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
-@@ -283,6 +283,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = {
- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7e24),
+@@ -290,6 +290,11 @@ static const struct pci_device_id intel_
.driver_data = (kernel_ulong_t)&intel_th_2x,
},
-+ {
+ {
+ /* Raptor Lake-S */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26),
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+ },
- {
++ {
/* Alder Lake CPU */
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f),
---
-2.35.1
-
+ .driver_data = (kernel_ulong_t)&intel_th_2x,
+++ /dev/null
-From 9bf4a78ad07955391a1bcea5c8192e58c1385198 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Aug 2022 07:28:51 +0900
-Subject: ksmbd: fix heap-based overflow in set_ntacl_dacl()
-
-From: Namjae Jeon <linkinjeon@kernel.org>
-
-[ Upstream commit 8f0541186e9ad1b62accc9519cc2b7a7240272a7 ]
-
-The testcase use SMB2_SET_INFO_HE command to set a malformed file attribute
-under the label `security.NTACL`. SMB2_QUERY_INFO_HE command in testcase
-trigger the following overflow.
-
-[ 4712.003781] ==================================================================
-[ 4712.003790] BUG: KASAN: slab-out-of-bounds in build_sec_desc+0x842/0x1dd0 [ksmbd]
-[ 4712.003807] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190
-
-[ 4712.003813] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1
-[ 4712.003850] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
-[ 4712.003867] Call Trace:
-[ 4712.003870] <TASK>
-[ 4712.003873] dump_stack_lvl+0x49/0x5f
-[ 4712.003935] print_report.cold+0x5e/0x5cf
-[ 4712.003972] ? ksmbd_vfs_get_sd_xattr+0x16d/0x500 [ksmbd]
-[ 4712.003984] ? cmp_map_id+0x200/0x200
-[ 4712.003988] ? build_sec_desc+0x842/0x1dd0 [ksmbd]
-[ 4712.004000] kasan_report+0xaa/0x120
-[ 4712.004045] ? build_sec_desc+0x842/0x1dd0 [ksmbd]
-[ 4712.004056] kasan_check_range+0x100/0x1e0
-[ 4712.004060] memcpy+0x3c/0x60
-[ 4712.004064] build_sec_desc+0x842/0x1dd0 [ksmbd]
-[ 4712.004076] ? parse_sec_desc+0x580/0x580 [ksmbd]
-[ 4712.004088] ? ksmbd_acls_fattr+0x281/0x410 [ksmbd]
-[ 4712.004099] smb2_query_info+0xa8f/0x6110 [ksmbd]
-[ 4712.004111] ? psi_group_change+0x856/0xd70
-[ 4712.004148] ? update_load_avg+0x1c3/0x1af0
-[ 4712.004152] ? asym_cpu_capacity_scan+0x5d0/0x5d0
-[ 4712.004157] ? xas_load+0x23/0x300
-[ 4712.004162] ? smb2_query_dir+0x1530/0x1530 [ksmbd]
-[ 4712.004173] ? _raw_spin_lock_bh+0xe0/0xe0
-[ 4712.004179] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
-[ 4712.004192] process_one_work+0x778/0x11c0
-[ 4712.004227] ? _raw_spin_lock_irq+0x8e/0xe0
-[ 4712.004231] worker_thread+0x544/0x1180
-[ 4712.004234] ? __cpuidle_text_end+0x4/0x4
-[ 4712.004239] kthread+0x282/0x320
-[ 4712.004243] ? process_one_work+0x11c0/0x11c0
-[ 4712.004246] ? kthread_complete_and_exit+0x30/0x30
-[ 4712.004282] ret_from_fork+0x1f/0x30
-
-This patch add the buffer validation for security descriptor that is
-stored by malformed SMB2_SET_INFO_HE command. and allocate large
-response buffer about SMB2_O_INFO_SECURITY file info class.
-
-Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
-Cc: stable@vger.kernel.org
-Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771
-Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/ksmbd/smb2pdu.c | 39 +++++++++-----
- fs/ksmbd/smbacl.c | 130 ++++++++++++++++++++++++++++++---------------
- fs/ksmbd/smbacl.h | 2 +-
- fs/ksmbd/vfs.c | 5 ++
- 4 files changed, 119 insertions(+), 57 deletions(-)
-
-diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
-index 54aaf9014136..a9c33d15ca1f 100644
---- a/fs/ksmbd/smb2pdu.c
-+++ b/fs/ksmbd/smb2pdu.c
-@@ -535,9 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
- struct smb2_query_info_req *req;
-
- req = smb2_get_msg(work->request_buf);
-- if (req->InfoType == SMB2_O_INFO_FILE &&
-- (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
-- req->FileInfoClass == FILE_ALL_INFORMATION))
-+ if ((req->InfoType == SMB2_O_INFO_FILE &&
-+ (req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
-+ req->FileInfoClass == FILE_ALL_INFORMATION)) ||
-+ req->InfoType == SMB2_O_INFO_SECURITY)
- sz = large_sz;
- }
-
-@@ -2974,7 +2975,7 @@ int smb2_open(struct ksmbd_work *work)
- goto err_out;
-
- rc = build_sec_desc(user_ns,
-- pntsd, NULL,
-+ pntsd, NULL, 0,
- OWNER_SECINFO |
- GROUP_SECINFO |
- DACL_SECINFO,
-@@ -3819,6 +3820,15 @@ static int verify_info_level(int info_level)
- return 0;
- }
-
-+static int smb2_resp_buf_len(struct ksmbd_work *work, unsigned short hdr2_len)
-+{
-+ int free_len;
-+
-+ free_len = (int)(work->response_sz -
-+ (get_rfc1002_len(work->response_buf) + 4)) - hdr2_len;
-+ return free_len;
-+}
-+
- static int smb2_calc_max_out_buf_len(struct ksmbd_work *work,
- unsigned short hdr2_len,
- unsigned int out_buf_len)
-@@ -3828,9 +3838,7 @@ static int smb2_calc_max_out_buf_len(struct ksmbd_work *work,
- if (out_buf_len > work->conn->vals->max_trans_size)
- return -EINVAL;
-
-- free_len = (int)(work->response_sz -
-- (get_rfc1002_len(work->response_buf) + 4)) -
-- hdr2_len;
-+ free_len = smb2_resp_buf_len(work, hdr2_len);
- if (free_len < 0)
- return -EINVAL;
-
-@@ -5093,10 +5101,10 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
- struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL;
- struct smb_fattr fattr = {{0}};
- struct inode *inode;
-- __u32 secdesclen;
-+ __u32 secdesclen = 0;
- unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID;
- int addition_info = le32_to_cpu(req->AdditionalInformation);
-- int rc;
-+ int rc = 0, ppntsd_size = 0;
-
- if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO |
- PROTECTED_DACL_SECINFO |
-@@ -5142,11 +5150,14 @@ static int smb2_get_info_sec(struct ksmbd_work *work,
-
- if (test_share_config_flag(work->tcon->share_conf,
- KSMBD_SHARE_FLAG_ACL_XATTR))
-- ksmbd_vfs_get_sd_xattr(work->conn, user_ns,
-- fp->filp->f_path.dentry, &ppntsd);
--
-- rc = build_sec_desc(user_ns, pntsd, ppntsd, addition_info,
-- &secdesclen, &fattr);
-+ ppntsd_size = ksmbd_vfs_get_sd_xattr(work->conn, user_ns,
-+ fp->filp->f_path.dentry,
-+ &ppntsd);
-+
-+ /* Check if sd buffer size exceeds response buffer size */
-+ if (smb2_resp_buf_len(work, 8) > ppntsd_size)
-+ rc = build_sec_desc(user_ns, pntsd, ppntsd, ppntsd_size,
-+ addition_info, &secdesclen, &fattr);
- posix_acl_release(fattr.cf_acls);
- posix_acl_release(fattr.cf_dacls);
- kfree(ppntsd);
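Review bot: When `smb2_resp_buf_len(work, 8) > ppntsd_size` is false, build_sec_desc() is skipped but rc stays 0 and secdesclen stays 0, so an oversized stored descriptor appears to take the success path with an empty descriptor instead of failing; add an else branch that sets rc to an error. The return value of ksmbd_vfs_get_sd_xattr() is also stored in ppntsd_size without a check for a negative result, and the literal 8 passed as hdr2_len should be a named constant or carry a comment saying which header it accounts for.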
-diff --git a/fs/ksmbd/smbacl.c b/fs/ksmbd/smbacl.c
-index 38f23bf981ac..3781bca2c8fc 100644
---- a/fs/ksmbd/smbacl.c
-+++ b/fs/ksmbd/smbacl.c
-@@ -690,6 +690,7 @@ static void set_posix_acl_entries_dacl(struct user_namespace *user_ns,
- static void set_ntacl_dacl(struct user_namespace *user_ns,
- struct smb_acl *pndacl,
- struct smb_acl *nt_dacl,
-+ unsigned int aces_size,
- const struct smb_sid *pownersid,
- const struct smb_sid *pgrpsid,
- struct smb_fattr *fattr)
-@@ -703,9 +704,19 @@ static void set_ntacl_dacl(struct user_namespace *user_ns,
- if (nt_num_aces) {
- ntace = (struct smb_ace *)((char *)nt_dacl + sizeof(struct smb_acl));
- for (i = 0; i < nt_num_aces; i++) {
-- memcpy((char *)pndace + size, ntace, le16_to_cpu(ntace->size));
-- size += le16_to_cpu(ntace->size);
-- ntace = (struct smb_ace *)((char *)ntace + le16_to_cpu(ntace->size));
-+ unsigned short nt_ace_size;
-+
-+ if (offsetof(struct smb_ace, access_req) > aces_size)
-+ break;
-+
-+ nt_ace_size = le16_to_cpu(ntace->size);
-+ if (nt_ace_size > aces_size)
-+ break;
-+
-+ memcpy((char *)pndace + size, ntace, nt_ace_size);
-+ size += nt_ace_size;
-+ aces_size -= nt_ace_size;
-+ ntace = (struct smb_ace *)((char *)ntace + nt_ace_size);
- num_aces++;
- }
- }
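Review bot: The loop rejects `nt_ace_size > aces_size` but has no lower bound, so an ACE whose size field is 0 passes both checks: memcpy copies nothing, ntace does not advance, and num_aces is incremented for every remaining iteration. Break out when nt_ace_size is smaller than the fixed ACE header (at least `offsetof(struct smb_ace, access_req)`) before the memcpy. The destination side (`pndace + size`) is not bounded in this function either and depends on the caller's response buffer check, which deserves a comment here.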
-@@ -878,7 +889,7 @@ int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd,
- /* Convert permission bits from mode to equivalent CIFS ACL */
- int build_sec_desc(struct user_namespace *user_ns,
- struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd,
-- int addition_info, __u32 *secdesclen,
-+ int ppntsd_size, int addition_info, __u32 *secdesclen,
- struct smb_fattr *fattr)
- {
- int rc = 0;
-@@ -938,15 +949,25 @@ int build_sec_desc(struct user_namespace *user_ns,
-
- if (!ppntsd) {
- set_mode_dacl(user_ns, dacl_ptr, fattr);
-- } else if (!ppntsd->dacloffset) {
-- goto out;
- } else {
- struct smb_acl *ppdacl_ptr;
-+ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset);
-+ int ppdacl_size, ntacl_size = ppntsd_size - dacl_offset;
-+
-+ if (!dacl_offset ||
-+ (dacl_offset + sizeof(struct smb_acl) > ppntsd_size))
-+ goto out;
-+
-+ ppdacl_ptr = (struct smb_acl *)((char *)ppntsd + dacl_offset);
-+ ppdacl_size = le16_to_cpu(ppdacl_ptr->size);
-+ if (ppdacl_size > ntacl_size ||
-+ ppdacl_size < sizeof(struct smb_acl))
-+ goto out;
-
-- ppdacl_ptr = (struct smb_acl *)((char *)ppntsd +
-- le32_to_cpu(ppntsd->dacloffset));
- set_ntacl_dacl(user_ns, dacl_ptr, ppdacl_ptr,
-- nowner_sid_ptr, ngroup_sid_ptr, fattr);
-+ ntacl_size - sizeof(struct smb_acl),
-+ nowner_sid_ptr, ngroup_sid_ptr,
-+ fattr);
- }
- pntsd->dacloffset = cpu_to_le32(offset);
- offset += le16_to_cpu(dacl_ptr->size);
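Review bot: in build_sec_desc() the new bounds test dacl_offset + sizeof(struct smb_acl) > ppntsd_size mixes an unsigned sum with the signed int ppntsd_size, and ntacl_size = ppntsd_size - dacl_offset is computed before dacl_offset has been validated. A negative ppntsd_size is converted to a large unsigned value and passes the test, and on a build where size_t is 32 bits the sum can wrap for a dacl_offset close to UINT_MAX. Check ppntsd_size >= sizeof(struct smb_acl) first, compare as dacl_offset > ppntsd_size - sizeof(struct smb_acl), and compute ntacl_size only after that check.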
-@@ -980,24 +1001,31 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
- struct smb_sid owner_sid, group_sid;
- struct dentry *parent = path->dentry->d_parent;
- struct user_namespace *user_ns = mnt_user_ns(path->mnt);
-- int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0;
-- int rc = 0, num_aces, dacloffset, pntsd_type, acl_len;
-+ int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size;
-+ int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size;
- char *aces_base;
- bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode);
-
-- acl_len = ksmbd_vfs_get_sd_xattr(conn, user_ns,
-- parent, &parent_pntsd);
-- if (acl_len <= 0)
-+ pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns,
-+ parent, &parent_pntsd);
-+ if (pntsd_size <= 0)
- return -ENOENT;
- dacloffset = le32_to_cpu(parent_pntsd->dacloffset);
-- if (!dacloffset) {
-+ if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) {
- rc = -EINVAL;
- goto free_parent_pntsd;
- }
-
- parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset);
-+ acl_len = pntsd_size - dacloffset;
- num_aces = le32_to_cpu(parent_pdacl->num_aces);
- pntsd_type = le16_to_cpu(parent_pntsd->type);
-+ pdacl_size = le16_to_cpu(parent_pdacl->size);
-+
-+ if (pdacl_size > acl_len || pdacl_size < sizeof(struct smb_acl)) {
-+ rc = -EINVAL;
-+ goto free_parent_pntsd;
-+ }
-
- aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL);
- if (!aces_base) {
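Review bot: pdacl_size is now validated in smb_inherit_dacl(), but num_aces still comes straight from parent_pdacl->num_aces and feeds kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL) unchecked. Since the value is read from the stored descriptor, bound it against the space actually available for ACEs (acl_len - sizeof(struct smb_acl)) before allocating, and use an overflow-checked helper such as kmalloc_array() for the multiplication.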
-@@ -1008,11 +1036,23 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
- aces = (struct smb_ace *)aces_base;
- parent_aces = (struct smb_ace *)((char *)parent_pdacl +
- sizeof(struct smb_acl));
-+ aces_size = acl_len - sizeof(struct smb_acl);
-
- if (pntsd_type & DACL_AUTO_INHERITED)
- inherited_flags = INHERITED_ACE;
-
- for (i = 0; i < num_aces; i++) {
-+ int pace_size;
-+
-+ if (offsetof(struct smb_ace, access_req) > aces_size)
-+ break;
-+
-+ pace_size = le16_to_cpu(parent_aces->size);
-+ if (pace_size > aces_size)
-+ break;
-+
-+ aces_size -= pace_size;
-+
- flags = parent_aces->flags;
- if (!smb_inherit_flags(flags, is_dir))
- goto pass;
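Review bot: aces_size is derived from acl_len (the bytes remaining in the xattr buffer after dacloffset), not from the pdacl_size that was just validated, so this loop is bounded by the buffer and not by the DACL's own declared size. That prevents the out-of-bounds read, but ACEs lying beyond parent_pdacl->size are still parsed and inherited. Consider aces_size = pdacl_size - sizeof(struct smb_acl). As in set_ntacl_dacl(), pace_size also has no lower bound.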
-@@ -1057,8 +1097,7 @@ int smb_inherit_dacl(struct ksmbd_conn *conn,
- aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size));
- ace_cnt++;
- pass:
-- parent_aces =
-- (struct smb_ace *)((char *)parent_aces + le16_to_cpu(parent_aces->size));
-+ parent_aces = (struct smb_ace *)((char *)parent_aces + pace_size);
- }
-
- if (nt_size > 0) {
-@@ -1153,7 +1192,7 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
- struct smb_ntsd *pntsd = NULL;
- struct smb_acl *pdacl;
- struct posix_acl *posix_acls;
-- int rc = 0, acl_size;
-+ int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset;
- struct smb_sid sid;
- int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE);
- struct smb_ace *ace;
-@@ -1162,37 +1201,33 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
- struct smb_ace *others_ace = NULL;
- struct posix_acl_entry *pa_entry;
- unsigned int sid_type = SIDOWNER;
-- char *end_of_acl;
-+ unsigned short ace_size;
-
- ksmbd_debug(SMB, "check permission using windows acl\n");
-- acl_size = ksmbd_vfs_get_sd_xattr(conn, user_ns,
-- path->dentry, &pntsd);
-- if (acl_size <= 0 || !pntsd || !pntsd->dacloffset) {
-- kfree(pntsd);
-- return 0;
-- }
-+ pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns,
-+ path->dentry, &pntsd);
-+ if (pntsd_size <= 0 || !pntsd)
-+ goto err_out;
-+
-+ dacl_offset = le32_to_cpu(pntsd->dacloffset);
-+ if (!dacl_offset ||
-+ (dacl_offset + sizeof(struct smb_acl) > pntsd_size))
-+ goto err_out;
-
- pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset));
-- end_of_acl = ((char *)pntsd) + acl_size;
-- if (end_of_acl <= (char *)pdacl) {
-- kfree(pntsd);
-- return 0;
-- }
-+ acl_size = pntsd_size - dacl_offset;
-+ pdacl_size = le16_to_cpu(pdacl->size);
-
-- if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size) ||
-- le16_to_cpu(pdacl->size) < sizeof(struct smb_acl)) {
-- kfree(pntsd);
-- return 0;
-- }
-+ if (pdacl_size > acl_size || pdacl_size < sizeof(struct smb_acl))
-+ goto err_out;
-
- if (!pdacl->num_aces) {
-- if (!(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) &&
-+ if (!(pdacl_size - sizeof(struct smb_acl)) &&
- *pdaccess & ~(FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE)) {
- rc = -EACCES;
- goto err_out;
- }
-- kfree(pntsd);
-- return 0;
-+ goto err_out;
- }
-
- if (*pdaccess & FILE_MAXIMAL_ACCESS_LE) {
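Review bot: after validating the local dacl_offset, the pdacl assignment in smb_check_perm_dacl() still recomputes the address from le32_to_cpu(pntsd->dacloffset). Use dacl_offset there so the value that was checked is the value that is used. It would also help to state in the changelog that the early exits now go through err_out with rc == 0, which keeps the previous "return 0" behaviour for a missing or malformed descriptor.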
-@@ -1200,11 +1235,16 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
- DELETE;
-
- ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
-+ aces_size = acl_size - sizeof(struct smb_acl);
- for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
-+ if (offsetof(struct smb_ace, access_req) > aces_size)
-+ break;
-+ ace_size = le16_to_cpu(ace->size);
-+ if (ace_size > aces_size)
-+ break;
-+ aces_size -= ace_size;
- granted |= le32_to_cpu(ace->access_req);
- ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size));
-- if (end_of_acl < (char *)ace)
-- goto err_out;
- }
-
- if (!pdacl->num_aces)
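Review bot: two points on this loop. The advance still uses le16_to_cpu(ace->size) although the validated value is already in ace_size; use ace_size for the pointer step. And a truncated ACL used to take goto err_out once the walk went past end_of_acl, whereas it now takes break and continues with whatever was accumulated in granted. If that change for malformed descriptors is intentional, it deserves a line in the commit message; otherwise keep the goto err_out.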
-@@ -1216,7 +1256,15 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
- id_to_sid(uid, sid_type, &sid);
-
- ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
-+ aces_size = acl_size - sizeof(struct smb_acl);
- for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
-+ if (offsetof(struct smb_ace, access_req) > aces_size)
-+ break;
-+ ace_size = le16_to_cpu(ace->size);
-+ if (ace_size > aces_size)
-+ break;
-+ aces_size -= ace_size;
-+
- if (!compare_sids(&sid, &ace->sid) ||
- !compare_sids(&sid_unix_NFS_mode, &ace->sid)) {
- found = 1;
-@@ -1226,8 +1274,6 @@ int smb_check_perm_dacl(struct ksmbd_conn *conn, struct path *path,
- others_ace = ace;
-
- ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size));
-- if (end_of_acl < (char *)ace)
-- goto err_out;
- }
-
- if (*pdaccess & FILE_MAXIMAL_ACCESS_LE && found) {
-diff --git a/fs/ksmbd/smbacl.h b/fs/ksmbd/smbacl.h
-index 811af3309429..fcb2c83f2992 100644
---- a/fs/ksmbd/smbacl.h
-+++ b/fs/ksmbd/smbacl.h
-@@ -193,7 +193,7 @@ struct posix_acl_state {
- int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd,
- int acl_len, struct smb_fattr *fattr);
- int build_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd,
-- struct smb_ntsd *ppntsd, int addition_info,
-+ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info,
- __u32 *secdesclen, struct smb_fattr *fattr);
- int init_acl_state(struct posix_acl_state *state, int cnt);
- void free_acl_state(struct posix_acl_state *state);
-diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
-index 05efcdf7a4a7..201962f03772 100644
---- a/fs/ksmbd/vfs.c
-+++ b/fs/ksmbd/vfs.c
-@@ -1540,6 +1540,11 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_conn *conn,
- }
-
- *pntsd = acl.sd_buf;
-+ if (acl.sd_size < sizeof(struct smb_ntsd)) {
-+ pr_err("sd size is invalid\n");
-+ goto out_free;
-+ }
-+
- (*pntsd)->osidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) -
- NDR_NTSD_OFFSETOF);
- (*pntsd)->gsidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) -
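Review bot: *pntsd = acl.sd_buf is assigned before the new acl.sd_size check in ksmbd_vfs_get_sd_xattr(), so on the goto out_free path the caller's pointer still refers to the buffer. If out_free releases acl.sd_buf (the label is outside this hunk), callers that kfree() the returned pointer unconditionally, as the get-info path earlier in this patch does with kfree(ppntsd), would free it a second time. Move the assignment below the check or reset *pntsd to NULL before the goto, and make sure the return code on this path is negative.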
---
-2.35.1
-
+++ /dev/null
-From 1aee2ce6d6f534f164521c98e4804bd102190706 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Jul 2022 21:56:19 +0900
-Subject: ksmbd: fix memory leak in smb2_handle_negotiate
-
-From: Namjae Jeon <linkinjeon@kernel.org>
-
-[ Upstream commit aa7253c2393f6dcd6a1468b0792f6da76edad917 ]
-
-The allocated memory didn't free under an error
-path in smb2_handle_negotiate().
-
-Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
-Cc: stable@vger.kernel.org
-Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/ksmbd/smb2pdu.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
-index 353f047e783c..a06dad0d1bb7 100644
---- a/fs/ksmbd/smb2pdu.c
-+++ b/fs/ksmbd/smb2pdu.c
-@@ -1139,12 +1139,16 @@ int smb2_handle_negotiate(struct ksmbd_work *work)
- status);
- rsp->hdr.Status = status;
- rc = -EINVAL;
-+ kfree(conn->preauth_info);
-+ conn->preauth_info = NULL;
- goto err_out;
- }
-
- rc = init_smb3_11_server(conn);
- if (rc < 0) {
- rsp->hdr.Status = STATUS_INVALID_PARAMETER;
-+ kfree(conn->preauth_info);
-+ conn->preauth_info = NULL;
- goto err_out;
- }
-
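Review bot: the same kfree(conn->preauth_info) / conn->preauth_info = NULL pair is added to both error branches in smb2_handle_negotiate(). Putting the cleanup in one place (for example a dedicated label ahead of err_out) keeps a later error path in this block from reintroducing the leak.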
---
-2.35.1
-
+++ /dev/null
-From 0fd5c7331b0c3cb35bf6512187a54dae4e16631f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Jul 2022 21:57:08 +0900
-Subject: ksmbd: fix use-after-free bug in smb2_tree_disconect
-
-From: Namjae Jeon <linkinjeon@kernel.org>
-
-[ Upstream commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c ]
-
-smb2_tree_disconnect() freed the struct ksmbd_tree_connect,
-but it left the dangling pointer. It can be accessed
-again under compound requests.
-
-This bug can lead an oops looking something link:
-
-[ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
-[ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807
-...
-[ 1685.468130 ] Call Trace:
-[ 1685.468132 ] <TASK>
-[ 1685.468135 ] dump_stack_lvl+0x49/0x5f
-[ 1685.468141 ] print_report.cold+0x5e/0x5cf
-[ 1685.468145 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
-[ 1685.468157 ] kasan_report+0xaa/0x120
-[ 1685.468194 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
-[ 1685.468206 ] __asan_report_load4_noabort+0x14/0x20
-[ 1685.468210 ] ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd]
-[ 1685.468222 ] smb2_tree_disconnect+0x175/0x250 [ksmbd]
-[ 1685.468235 ] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
-[ 1685.468247 ] process_one_work+0x778/0x11c0
-[ 1685.468251 ] ? _raw_spin_lock_irq+0x8e/0xe0
-[ 1685.468289 ] worker_thread+0x544/0x1180
-[ 1685.468293 ] ? __cpuidle_text_end+0x4/0x4
-[ 1685.468297 ] kthread+0x282/0x320
-[ 1685.468301 ] ? process_one_work+0x11c0/0x11c0
-[ 1685.468305 ] ? kthread_complete_and_exit+0x30/0x30
-[ 1685.468309 ] ret_from_fork+0x1f/0x30
-
-Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
-Cc: stable@vger.kernel.org
-Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816
-Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
-Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/ksmbd/smb2pdu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
-index a06dad0d1bb7..b5835e78a325 100644
---- a/fs/ksmbd/smb2pdu.c
-+++ b/fs/ksmbd/smb2pdu.c
-@@ -2043,6 +2043,7 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
-
- ksmbd_close_tree_conn_fds(work);
- ksmbd_tree_conn_disconnect(sess, tcon);
-+ work->tcon = NULL;
- return 0;
- }
-
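Review bot: setting work->tcon = NULL after ksmbd_tree_conn_disconnect() removes the dangling pointer, but later commands in the same compound request then see a NULL tcon. Handlers that dereference work->tcon directly, such as the test_share_config_flag(work->tcon->share_conf, ...) call in smb2pdu.c, need a NULL check or a dispatch-level rejection, otherwise the use-after-free becomes a NULL dereference.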
---
-2.35.1
-
+++ /dev/null
-From 03cee3ff6652e9af63d94336023f871553f60b74 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Jul 2022 21:58:53 +0900
-Subject: ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT
-
-From: Hyunchul Lee <hyc.lee@gmail.com>
-
-[ Upstream commit 824d4f64c20093275f72fc8101394d75ff6a249e ]
-
-if Status is not 0 and PathLength is long,
-smb_strndup_from_utf16 could make out of bound
-read in smb2_tree_connnect.
-
-This bug can lead an oops looking something like:
-
-[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
-[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805
-...
-[ 1553.882095] Call Trace:
-[ 1553.882098] <TASK>
-[ 1553.882101] dump_stack_lvl+0x49/0x5f
-[ 1553.882107] print_report.cold+0x5e/0x5cf
-[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
-[ 1553.882122] kasan_report+0xaa/0x120
-[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
-[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20
-[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd]
-[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd]
-[ 1553.882166] ? __kmalloc_node+0x185/0x430
-[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd]
-[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
-[ 1553.882197] process_one_work+0x778/0x11c0
-[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0
-[ 1553.882206] worker_thread+0x544/0x1180
-[ 1553.882209] ? __cpuidle_text_end+0x4/0x4
-[ 1553.882214] kthread+0x282/0x320
-[ 1553.882218] ? process_one_work+0x11c0/0x11c0
-[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30
-[ 1553.882225] ret_from_fork+0x1f/0x30
-[ 1553.882231] </TASK>
-
-There is no need to check error request validation in server.
-This check allow invalid requests not to validate message.
-
-Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
-Cc: stable@vger.kernel.org
-Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818
-Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
-Acked-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/ksmbd/smb2misc.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
-index aa1e663d9deb..6e25ace36568 100644
---- a/fs/ksmbd/smb2misc.c
-+++ b/fs/ksmbd/smb2misc.c
-@@ -90,11 +90,6 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
- *off = 0;
- *len = 0;
-
-- /* error reqeusts do not have data area */
-- if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
-- (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE)
-- return ret;
--
- /*
- * Following commands have data areas so we have to get the location
- * of the data buffer offset and data buffer length for the particular
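Review bot: the removed early return in smb2_get_data_area_len() applied to every command with a non-zero Status, not only SMB2_TREE_CONNECT as the subject line suggests. The changelog should state that data-area validation is now applied to all requests regardless of the client-supplied Status field, since that is the behavioural change under review.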
---
-2.35.1
-
+++ /dev/null
-From 40b114a8b3385152b4e63c017bc73d910d2556dc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Jul 2022 23:41:51 +0900
-Subject: ksmbd: prevent out of bound read for SMB2_WRITE
-
-From: Hyunchul Lee <hyc.lee@gmail.com>
-
-[ Upstream commit ac60778b87e45576d7bfdbd6f53df902654e6f09 ]
-
-OOB read memory can be written to a file,
-if DataOffset is 0 and Length is too large
-in SMB2_WRITE request of compound request.
-
-To prevent this, when checking the length of
-the data area of SMB2_WRITE in smb2_get_data_area_len(),
-let the minimum of DataOffset be the size of
-SMB2 header + the size of SMB2_WRITE header.
-
-This bug can lead an oops looking something like:
-
-[ 798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0
-[ 798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859
-...
-[ 798.008754] Call Trace:
-[ 798.008756] <TASK>
-[ 798.008759] dump_stack_lvl+0x49/0x5f
-[ 798.008764] print_report.cold+0x5e/0x5cf
-[ 798.008768] ? __filemap_get_folio+0x285/0x6d0
-[ 798.008774] ? copy_page_from_iter_atomic+0xd3d/0x14b0
-[ 798.008777] kasan_report+0xaa/0x120
-[ 798.008781] ? copy_page_from_iter_atomic+0xd3d/0x14b0
-[ 798.008784] kasan_check_range+0x100/0x1e0
-[ 798.008788] memcpy+0x24/0x60
-[ 798.008792] copy_page_from_iter_atomic+0xd3d/0x14b0
-[ 798.008795] ? pagecache_get_page+0x53/0x160
-[ 798.008799] ? iov_iter_get_pages_alloc+0x1590/0x1590
-[ 798.008803] ? ext4_write_begin+0xfc0/0xfc0
-[ 798.008807] ? current_time+0x72/0x210
-[ 798.008811] generic_perform_write+0x2c8/0x530
-[ 798.008816] ? filemap_fdatawrite_wbc+0x180/0x180
-[ 798.008820] ? down_write+0xb4/0x120
-[ 798.008824] ? down_write_killable+0x130/0x130
-[ 798.008829] ext4_buffered_write_iter+0x137/0x2c0
-[ 798.008833] ext4_file_write_iter+0x40b/0x1490
-[ 798.008837] ? __fsnotify_parent+0x275/0xb20
-[ 798.008842] ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0
-[ 798.008846] ? ext4_buffered_write_iter+0x2c0/0x2c0
-[ 798.008851] __kernel_write+0x3a1/0xa70
-[ 798.008855] ? __x64_sys_preadv2+0x160/0x160
-[ 798.008860] ? security_file_permission+0x4a/0xa0
-[ 798.008865] kernel_write+0xbb/0x360
-[ 798.008869] ksmbd_vfs_write+0x27e/0xb90 [ksmbd]
-[ 798.008881] ? ksmbd_vfs_read+0x830/0x830 [ksmbd]
-[ 798.008892] ? _raw_read_unlock+0x2a/0x50
-[ 798.008896] smb2_write+0xb45/0x14e0 [ksmbd]
-[ 798.008909] ? __kasan_check_write+0x14/0x20
-[ 798.008912] ? _raw_spin_lock_bh+0xd0/0xe0
-[ 798.008916] ? smb2_read+0x15e0/0x15e0 [ksmbd]
-[ 798.008927] ? memcpy+0x4e/0x60
-[ 798.008931] ? _raw_spin_unlock+0x19/0x30
-[ 798.008934] ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd]
-[ 798.008946] ? _raw_spin_lock_bh+0xe0/0xe0
-[ 798.008950] handle_ksmbd_work+0x30e/0x1020 [ksmbd]
-[ 798.008962] process_one_work+0x778/0x11c0
-[ 798.008966] ? _raw_spin_lock_irq+0x8e/0xe0
-[ 798.008970] worker_thread+0x544/0x1180
-[ 798.008973] ? __cpuidle_text_end+0x4/0x4
-[ 798.008977] kthread+0x282/0x320
-[ 798.008982] ? process_one_work+0x11c0/0x11c0
-[ 798.008985] ? kthread_complete_and_exit+0x30/0x30
-[ 798.008989] ret_from_fork+0x1f/0x30
-[ 798.008995] </TASK>
-
-Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
-Cc: stable@vger.kernel.org
-Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817
-Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
-Acked-by: Namjae Jeon <linkinjeon@kernel.org>
-Signed-off-by: Steve French <stfrench@microsoft.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/ksmbd/smb2misc.c | 7 +++++--
- fs/ksmbd/smb2pdu.c | 8 +++-----
- 2 files changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/fs/ksmbd/smb2misc.c b/fs/ksmbd/smb2misc.c
-index f8f456377a51..aa1e663d9deb 100644
---- a/fs/ksmbd/smb2misc.c
-+++ b/fs/ksmbd/smb2misc.c
-@@ -136,8 +136,11 @@ static int smb2_get_data_area_len(unsigned int *off, unsigned int *len,
- *len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength);
- break;
- case SMB2_WRITE:
-- if (((struct smb2_write_req *)hdr)->DataOffset) {
-- *off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset);
-+ if (((struct smb2_write_req *)hdr)->DataOffset ||
-+ ((struct smb2_write_req *)hdr)->Length) {
-+ *off = max_t(unsigned int,
-+ le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset),
-+ offsetof(struct smb2_write_req, Buffer));
- *len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length);
- break;
- }
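Review bot: in the SMB2_WRITE case the max_t() silently raises a too-small DataOffset to offsetof(struct smb2_write_req, Buffer) for the length calculation, while smb2_write() in the second file of this patch rejects the same DataOffset with -EINVAL. Validation and handler therefore disagree on what the offset is. Rejecting DataOffset below offsetof(struct smb2_write_req, Buffer) here, when Length is non-zero, would make the request fail in one place.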
-diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
-index b5835e78a325..54aaf9014136 100644
---- a/fs/ksmbd/smb2pdu.c
-+++ b/fs/ksmbd/smb2pdu.c
-@@ -6500,14 +6500,12 @@ int smb2_write(struct ksmbd_work *work)
- writethrough = true;
-
- if (is_rdma_channel == false) {
-- if ((u64)le16_to_cpu(req->DataOffset) + length >
-- get_rfc1002_len(work->request_buf)) {
-- pr_err("invalid write data offset %u, smb_len %u\n",
-- le16_to_cpu(req->DataOffset),
-- get_rfc1002_len(work->request_buf));
-+ if (le16_to_cpu(req->DataOffset) <
-+ offsetof(struct smb2_write_req, Buffer)) {
- err = -EINVAL;
- goto out;
- }
-+
- data_buf = (char *)(((char *)&req->hdr.ProtocolId) +
- le16_to_cpu(req->DataOffset));
-
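Review bot: this hunk drops the upper-bound test (DataOffset + length against get_rfc1002_len(work->request_buf)) from smb2_write() and keeps only the lower bound, so the handler now relies entirely on smb2_get_data_area_len() for the end of the data area. Add a comment at the data_buf computation naming that dependency, and consider keeping a pr_err or ksmbd_debug message on the -EINVAL path so rejected requests remain visible in logs.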
---
-2.35.1
-
+++ /dev/null
-From ea59497b46e7a2ab3f493caa24e211a155376ac1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Apr 2022 21:00:22 +0000
-Subject: KVM: Do not incorporate page offset into gfn=>pfn cache user address
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 3ba2c95ea180740b16281fa43a3ee5f47279c0ed ]
-
-Don't adjust the userspace address in the gfn=>pfn cache by the page
-offset from the gpa. KVM should never use the user address directly, and
-all KVM operations that translate a user address to something else
-require the user address to be page aligned. Ignoring the offset will
-allow the cache to reuse a gfn=>hva translation in the unlikely event
-that the page offset of the gpa changes, but the gfn does not. And more
-importantly, not having to (un)adjust the user address will simplify a
-future bug fix.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220429210025.3293691-6-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- virt/kvm/pfncache.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
-index 40cbe90d52e0..05cb0bcbf662 100644
---- a/virt/kvm/pfncache.c
-+++ b/virt/kvm/pfncache.c
-@@ -179,8 +179,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- ret = -EFAULT;
- goto out;
- }
--
-- gpc->uhva += page_offset;
- }
-
- /*
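Review bot: with gpc->uhva += page_offset removed, nothing in this hunk records that gpc->uhva is now always the page-aligned address. A short comment at this point or on the field would keep a later change from re-adding the offset, given that the commit message relies on every consumer requiring a page-aligned user address.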
---
-2.35.1
-
+++ /dev/null
-From 42a8593225a8bdc485b1f7203bc49cd5b103376f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Apr 2022 21:00:20 +0000
-Subject: KVM: Drop unused @gpa param from gfn=>pfn cache's __release_gpc()
- helper
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 345b0fd6fe5f66dfe841bad0b39dd11a5672df68 ]
-
-Drop the @pga param from __release_gpc() and rename the helper to make it
-more obvious that the cache itself is not being released. The helper
-will be reused by a future commit to release a pfn+khva combination that
-is _never_ associated with the cache, at which point the current name
-would go from slightly misleading to blatantly wrong.
-
-No functional change intended.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220429210025.3293691-4-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- virt/kvm/pfncache.c | 10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
-index dd84676615f1..e05a6a1b8eff 100644
---- a/virt/kvm/pfncache.c
-+++ b/virt/kvm/pfncache.c
-@@ -95,7 +95,7 @@ bool kvm_gfn_to_pfn_cache_check(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- }
- EXPORT_SYMBOL_GPL(kvm_gfn_to_pfn_cache_check);
-
--static void __release_gpc(struct kvm *kvm, kvm_pfn_t pfn, void *khva, gpa_t gpa)
-+static void gpc_release_pfn_and_khva(struct kvm *kvm, kvm_pfn_t pfn, void *khva)
- {
- /* Unmap the old page if it was mapped before, and release it */
- if (!is_error_noslot_pfn(pfn)) {
-@@ -146,7 +146,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- unsigned long page_offset = gpa & ~PAGE_MASK;
- kvm_pfn_t old_pfn, new_pfn;
- unsigned long old_uhva;
-- gpa_t old_gpa;
- void *old_khva;
- bool old_valid;
- int ret = 0;
-@@ -160,7 +159,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
-
- write_lock_irq(&gpc->lock);
-
-- old_gpa = gpc->gpa;
- old_pfn = gpc->pfn;
- old_khva = gpc->khva - offset_in_page(gpc->khva);
- old_uhva = gpc->uhva;
-@@ -244,7 +242,7 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- out:
- write_unlock_irq(&gpc->lock);
-
-- __release_gpc(kvm, old_pfn, old_khva, old_gpa);
-+ gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
-
- return ret;
- }
-@@ -254,14 +252,12 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc)
- {
- void *old_khva;
- kvm_pfn_t old_pfn;
-- gpa_t old_gpa;
-
- write_lock_irq(&gpc->lock);
-
- gpc->valid = false;
-
- old_khva = gpc->khva - offset_in_page(gpc->khva);
-- old_gpa = gpc->gpa;
- old_pfn = gpc->pfn;
-
- /*
-@@ -273,7 +269,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc)
-
- write_unlock_irq(&gpc->lock);
-
-- __release_gpc(kvm, old_pfn, old_khva, old_gpa);
-+ gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
- }
- EXPORT_SYMBOL_GPL(kvm_gfn_to_pfn_cache_unmap);
-
---
-2.35.1
-
+++ /dev/null
-From 2efc1788a4dacd0abc511650fbbbd867149698b7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Apr 2022 21:00:24 +0000
-Subject: KVM: Fix multiple races in gfn=>pfn cache refresh
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 58cd407ca4c6278cf9f9d09a2e663bf645b0c982 ]
-
-Rework the gfn=>pfn cache (gpc) refresh logic to address multiple races
-between the cache itself, and between the cache and mmu_notifier events.
-
-The existing refresh code attempts to guard against races with the
-mmu_notifier by speculatively marking the cache valid, and then marking
-it invalid if a mmu_notifier invalidation occurs. That handles the case
-where an invalidation occurs between dropping and re-acquiring gpc->lock,
-but it doesn't handle the scenario where the cache is refreshed after the
-cache was invalidated by the notifier, but before the notifier elevates
-mmu_notifier_count. The gpc refresh can't use the "retry" helper as its
-invalidation occurs _before_ mmu_notifier_count is elevated and before
-mmu_notifier_range_start is set/updated.
-
- CPU0 CPU1
- ---- ----
-
- gfn_to_pfn_cache_invalidate_start()
- |
- -> gpc->valid = false;
- kvm_gfn_to_pfn_cache_refresh()
- |
- |-> gpc->valid = true;
-
- hva_to_pfn_retry()
- |
- -> acquire kvm->mmu_lock
- kvm->mmu_notifier_count == 0
- mmu_seq == kvm->mmu_notifier_seq
- drop kvm->mmu_lock
- return pfn 'X'
- acquire kvm->mmu_lock
- kvm_inc_notifier_count()
- drop kvm->mmu_lock()
- kernel frees pfn 'X'
- kvm_gfn_to_pfn_cache_check()
- |
- |-> gpc->valid == true
-
- caller accesses freed pfn 'X'
-
-Key off of mn_active_invalidate_count to detect that a pfncache refresh
-needs to wait for an in-progress mmu_notifier invalidation. While
-mn_active_invalidate_count is not guaranteed to be stable, it is
-guaranteed to be elevated prior to an invalidation acquiring gpc->lock,
-so either the refresh will see an active invalidation and wait, or the
-invalidation will run after the refresh completes.
-
-Speculatively marking the cache valid is itself flawed, as a concurrent
-kvm_gfn_to_pfn_cache_check() would see a valid cache with stale pfn/khva
-values. The KVM Xen use case explicitly allows/wants multiple users;
-even though the caches are allocated per vCPU, __kvm_xen_has_interrupt()
-can read a different vCPU (or vCPUs). Address this race by invalidating
-the cache prior to dropping gpc->lock (this is made possible by fixing
-the above mmu_notifier race).
-
-Complicating all of this is the fact that both the hva=>pfn resolution
-and mapping of the kernel address can sleep, i.e. must be done outside
-of gpc->lock.
-
-Fix the above races in one fell swoop, trying to fix each individual race
-is largely pointless and essentially impossible to test, e.g. closing one
-hole just shifts the focus to the other hole.
-
-Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support")
-Cc: stable@vger.kernel.org
-Cc: David Woodhouse <dwmw@amazon.co.uk>
-Cc: Mingwei Zhang <mizhang@google.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220429210025.3293691-8-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- virt/kvm/kvm_main.c | 9 +++
- virt/kvm/pfncache.c | 193 ++++++++++++++++++++++++++++----------------
- 2 files changed, 131 insertions(+), 71 deletions(-)
-
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index a49df8988cd6..28126ee221b5 100644
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -724,6 +724,15 @@ static int kvm_mmu_notifier_invalidate_range_start(struct mmu_notifier *mn,
- kvm->mn_active_invalidate_count++;
- spin_unlock(&kvm->mn_invalidate_lock);
-
-+ /*
-+ * Invalidate pfn caches _before_ invalidating the secondary MMUs, i.e.
-+ * before acquiring mmu_lock, to avoid holding mmu_lock while acquiring
-+ * each cache's lock. There are relatively few caches in existence at
-+ * any given time, and the caches themselves can check for hva overlap,
-+ * i.e. don't need to rely on memslot overlap checks for performance.
-+ * Because this runs without holding mmu_lock, the pfn caches must use
-+ * mn_active_invalidate_count (see above) instead of mmu_notifier_count.
-+ */
- gfn_to_pfn_cache_invalidate_start(kvm, range->start, range->end,
- hva_range.may_block);
-
-diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
-index f610d3945b69..b0b678367376 100644
---- a/virt/kvm/pfncache.c
-+++ b/virt/kvm/pfncache.c
-@@ -112,31 +112,122 @@ static void gpc_release_pfn_and_khva(struct kvm *kvm, kvm_pfn_t pfn, void *khva)
- }
- }
-
--static kvm_pfn_t hva_to_pfn_retry(struct kvm *kvm, unsigned long uhva)
-+static inline bool mmu_notifier_retry_cache(struct kvm *kvm, unsigned long mmu_seq)
- {
-+ /*
-+ * mn_active_invalidate_count acts for all intents and purposes
-+ * like mmu_notifier_count here; but the latter cannot be used
-+ * here because the invalidation of caches in the mmu_notifier
-+ * event occurs _before_ mmu_notifier_count is elevated.
-+ *
-+ * Note, it does not matter that mn_active_invalidate_count
-+ * is not protected by gpc->lock. It is guaranteed to
-+ * be elevated before the mmu_notifier acquires gpc->lock, and
-+ * isn't dropped until after mmu_notifier_seq is updated.
-+ */
-+ if (kvm->mn_active_invalidate_count)
-+ return true;
-+
-+ /*
-+ * Ensure mn_active_invalidate_count is read before
-+ * mmu_notifier_seq. This pairs with the smp_wmb() in
-+ * mmu_notifier_invalidate_range_end() to guarantee either the
-+ * old (non-zero) value of mn_active_invalidate_count or the
-+ * new (incremented) value of mmu_notifier_seq is observed.
-+ */
-+ smp_rmb();
-+ return kvm->mmu_notifier_seq != mmu_seq;
-+}
-+
-+static kvm_pfn_t hva_to_pfn_retry(struct kvm *kvm, struct gfn_to_pfn_cache *gpc)
-+{
-+ /* Note, the new page offset may be different than the old! */
-+ void *old_khva = gpc->khva - offset_in_page(gpc->khva);
-+ kvm_pfn_t new_pfn = KVM_PFN_ERR_FAULT;
-+ void *new_khva = NULL;
- unsigned long mmu_seq;
-- kvm_pfn_t new_pfn;
-- int retry;
-+
-+ lockdep_assert_held(&gpc->refresh_lock);
-+
-+ lockdep_assert_held_write(&gpc->lock);
-+
-+ /*
-+ * Invalidate the cache prior to dropping gpc->lock, the gpa=>uhva
-+ * assets have already been updated and so a concurrent check() from a
-+ * different task may not fail the gpa/uhva/generation checks.
-+ */
-+ gpc->valid = false;
-
- do {
- mmu_seq = kvm->mmu_notifier_seq;
- smp_rmb();
-
-+ write_unlock_irq(&gpc->lock);
-+
-+ /*
-+ * If the previous iteration "failed" due to an mmu_notifier
-+ * event, release the pfn and unmap the kernel virtual address
-+ * from the previous attempt. Unmapping might sleep, so this
-+ * needs to be done after dropping the lock. Opportunistically
-+ * check for resched while the lock isn't held.
-+ */
-+ if (new_pfn != KVM_PFN_ERR_FAULT) {
-+ /*
-+ * Keep the mapping if the previous iteration reused
-+ * the existing mapping and didn't create a new one.
-+ */
-+ if (new_khva == old_khva)
-+ new_khva = NULL;
-+
-+ gpc_release_pfn_and_khva(kvm, new_pfn, new_khva);
-+
-+ cond_resched();
-+ }
-+
- /* We always request a writeable mapping */
-- new_pfn = hva_to_pfn(uhva, false, NULL, true, NULL);
-+ new_pfn = hva_to_pfn(gpc->uhva, false, NULL, true, NULL);
- if (is_error_noslot_pfn(new_pfn))
-- break;
-+ goto out_error;
-+
-+ /*
-+ * Obtain a new kernel mapping if KVM itself will access the
-+ * pfn. Note, kmap() and memremap() can both sleep, so this
-+ * too must be done outside of gpc->lock!
-+ */
-+ if (gpc->usage & KVM_HOST_USES_PFN) {
-+ if (new_pfn == gpc->pfn) {
-+ new_khva = old_khva;
-+ } else if (pfn_valid(new_pfn)) {
-+ new_khva = kmap(pfn_to_page(new_pfn));
-+#ifdef CONFIG_HAS_IOMEM
-+ } else {
-+ new_khva = memremap(pfn_to_hpa(new_pfn), PAGE_SIZE, MEMREMAP_WB);
-+#endif
-+ }
-+ if (!new_khva) {
-+ kvm_release_pfn_clean(new_pfn);
-+ goto out_error;
-+ }
-+ }
-+
-+ write_lock_irq(&gpc->lock);
-
-- KVM_MMU_READ_LOCK(kvm);
-- retry = mmu_notifier_retry_hva(kvm, mmu_seq, uhva);
-- KVM_MMU_READ_UNLOCK(kvm);
-- if (!retry)
-- break;
-+ /*
-+ * Other tasks must wait for _this_ refresh to complete before
-+ * attempting to refresh.
-+ */
-+ WARN_ON_ONCE(gpc->valid);
-+ } while (mmu_notifier_retry_cache(kvm, mmu_seq));
-
-- cond_resched();
-- } while (1);
-+ gpc->valid = true;
-+ gpc->pfn = new_pfn;
-+ gpc->khva = new_khva + (gpc->gpa & ~PAGE_MASK);
-+ return 0;
-+
-+out_error:
-+ write_lock_irq(&gpc->lock);
-
-- return new_pfn;
-+ return -EFAULT;
- }
-
- int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
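Review bot: in the retry loop of hva_to_pfn_retry(), new_khva is not reset after gpc_release_pfn_and_khva() has unmapped it, so a later iteration can pass the `if (!new_khva)` check with a stale pointer. This needs the previous iteration to have created a mapping and the next lookup to return a pfn for which neither branch assigns new_khva, i.e. `!pfn_valid(new_pfn)` in a build without CONFIG_HAS_IOMEM. Setting `new_khva = NULL;` right after the release call would make the error check hold on every iteration.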
-@@ -147,7 +238,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- kvm_pfn_t old_pfn, new_pfn;
- unsigned long old_uhva;
- void *old_khva;
-- bool old_valid;
- int ret = 0;
-
- /*
-@@ -169,7 +259,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- old_pfn = gpc->pfn;
- old_khva = gpc->khva - offset_in_page(gpc->khva);
- old_uhva = gpc->uhva;
-- old_valid = gpc->valid;
-
- /* If the userspace HVA is invalid, refresh that first */
- if (gpc->gpa != gpa || gpc->generation != slots->generation ||
-@@ -182,7 +271,6 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- gpc->uhva = gfn_to_hva_memslot(gpc->memslot, gfn);
-
- if (kvm_is_error_hva(gpc->uhva)) {
-- gpc->pfn = KVM_PFN_ERR_FAULT;
- ret = -EFAULT;
- goto out;
- }
-@@ -192,60 +280,8 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- * If the userspace HVA changed or the PFN was already invalid,
- * drop the lock and do the HVA to PFN lookup again.
- */
-- if (!old_valid || old_uhva != gpc->uhva) {
-- unsigned long uhva = gpc->uhva;
-- void *new_khva = NULL;
--
-- /* Placeholders for "hva is valid but not yet mapped" */
-- gpc->pfn = KVM_PFN_ERR_FAULT;
-- gpc->khva = NULL;
-- gpc->valid = true;
--
-- write_unlock_irq(&gpc->lock);
--
-- new_pfn = hva_to_pfn_retry(kvm, uhva);
-- if (is_error_noslot_pfn(new_pfn)) {
-- ret = -EFAULT;
-- goto map_done;
-- }
--
-- if (gpc->usage & KVM_HOST_USES_PFN) {
-- if (new_pfn == old_pfn) {
-- /*
-- * Reuse the existing pfn and khva, but put the
-- * reference acquired hva_to_pfn_retry(); the
-- * cache still holds a reference to the pfn
-- * from the previous refresh.
-- */
-- gpc_release_pfn_and_khva(kvm, new_pfn, NULL);
--
-- new_khva = old_khva;
-- old_pfn = KVM_PFN_ERR_FAULT;
-- old_khva = NULL;
-- } else if (pfn_valid(new_pfn)) {
-- new_khva = kmap(pfn_to_page(new_pfn));
--#ifdef CONFIG_HAS_IOMEM
-- } else {
-- new_khva = memremap(pfn_to_hpa(new_pfn), PAGE_SIZE, MEMREMAP_WB);
--#endif
-- }
-- if (new_khva)
-- new_khva += page_offset;
-- else
-- ret = -EFAULT;
-- }
--
-- map_done:
-- write_lock_irq(&gpc->lock);
-- if (ret) {
-- gpc->valid = false;
-- gpc->pfn = KVM_PFN_ERR_FAULT;
-- gpc->khva = NULL;
-- } else {
-- /* At this point, gpc->valid may already have been cleared */
-- gpc->pfn = new_pfn;
-- gpc->khva = new_khva;
-- }
-+ if (!gpc->valid || old_uhva != gpc->uhva) {
-+ ret = hva_to_pfn_retry(kvm, gpc);
- } else {
- /* If the HVA→PFN mapping was already valid, don't unmap it. */
- old_pfn = KVM_PFN_ERR_FAULT;
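Review bot: the removed `new_pfn == old_pfn` branch put the extra reference taken by the lookup with `gpc_release_pfn_and_khva(kvm, new_pfn, NULL)`, and nothing visible in the replacement does the same. In the new hva_to_pfn_retry() the `new_pfn == gpc->pfn` case only sets `new_khva = old_khva`, and the caller later skips the release when `old_pfn == new_pfn`. Either put the extra reference on the reuse path or add a comment saying where it is dropped.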
-@@ -253,11 +289,26 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- }
-
- out:
-+ /*
-+ * Invalidate the cache and purge the pfn/khva if the refresh failed.
-+ * Some/all of the uhva, gpa, and memslot generation info may still be
-+ * valid, leave it as is.
-+ */
-+ if (ret) {
-+ gpc->valid = false;
-+ gpc->pfn = KVM_PFN_ERR_FAULT;
-+ gpc->khva = NULL;
-+ }
-+
-+ /* Snapshot the new pfn before dropping the lock! */
-+ new_pfn = gpc->pfn;
-+
- write_unlock_irq(&gpc->lock);
-
- mutex_unlock(&gpc->refresh_lock);
-
-- gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
-+ if (old_pfn != new_pfn)
-+ gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
-
- return ret;
- }
---
-2.35.1
-
+++ /dev/null
-From 52ddf24c3e8dd515588fd249a9c0e59735e9281e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Apr 2022 21:00:23 +0000
-Subject: KVM: Fully serialize gfn=>pfn cache refresh via mutex
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 93984f19e7bce4c18084a6ef3dacafb155b806ed ]
-
-Protect gfn=>pfn cache refresh with a mutex to fully serialize refreshes.
-The refresh logic doesn't protect against
-
-- concurrent unmaps, or refreshes with different GPAs (which may or may not
- happen in practice, for example if a cache is only used under vcpu->mutex;
- but it's allowed in the code)
-
-- a false negative on the memslot generation. If the first refresh sees
- a stale memslot generation, it will refresh the hva and generation before
- moving on to the hva=>pfn translation. If it then drops gpc->lock, a
- different user of the cache can come along, acquire gpc->lock, see that
- the memslot generation is fresh, and skip the hva=>pfn update due to the
- userspace address also matching (because it too was updated).
-
-The refresh path can already sleep during hva=>pfn resolution, so wrap
-the refresh with a mutex to ensure that any given refresh runs to
-completion before other callers can start their refresh.
-
-Cc: stable@vger.kernel.org
-Cc: Lai Jiangshan <jiangshanlai@gmail.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220429210025.3293691-7-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/kvm_types.h | 2 ++
- virt/kvm/pfncache.c | 12 ++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/include/linux/kvm_types.h b/include/linux/kvm_types.h
-index ac1ebb37a0ff..f328a01db4fe 100644
---- a/include/linux/kvm_types.h
-+++ b/include/linux/kvm_types.h
-@@ -19,6 +19,7 @@ struct kvm_memslots;
- enum kvm_mr_change;
-
- #include <linux/bits.h>
-+#include <linux/mutex.h>
- #include <linux/types.h>
- #include <linux/spinlock_types.h>
-
-@@ -69,6 +70,7 @@ struct gfn_to_pfn_cache {
- struct kvm_vcpu *vcpu;
- struct list_head list;
- rwlock_t lock;
-+ struct mutex refresh_lock;
- void *khva;
- kvm_pfn_t pfn;
- enum pfn_cache_usage usage;
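Review bot: the new `refresh_lock` member in struct gfn_to_pfn_cache has no comment saying what it protects or how it nests with `lock`. The later hunks always take the mutex before `write_lock_irq(&gpc->lock)` and drop it after the write unlock, so that ordering should be stated next to the field, along with the fact that it serializes whole refresh and unmap operations rather than individual field accesses.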
-diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
-index 05cb0bcbf662..f610d3945b69 100644
---- a/virt/kvm/pfncache.c
-+++ b/virt/kvm/pfncache.c
-@@ -157,6 +157,13 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- if (page_offset + len > PAGE_SIZE)
- return -EINVAL;
-
-+ /*
-+ * If another task is refreshing the cache, wait for it to complete.
-+ * There is no guarantee that concurrent refreshes will see the same
-+ * gpa, memslots generation, etc..., so they must be fully serialized.
-+ */
-+ mutex_lock(&gpc->refresh_lock);
-+
- write_lock_irq(&gpc->lock);
-
- old_pfn = gpc->pfn;
-@@ -248,6 +255,8 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
- out:
- write_unlock_irq(&gpc->lock);
-
-+ mutex_unlock(&gpc->refresh_lock);
-+
- gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
-
- return ret;
-@@ -259,6 +268,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc)
- void *old_khva;
- kvm_pfn_t old_pfn;
-
-+ mutex_lock(&gpc->refresh_lock);
- write_lock_irq(&gpc->lock);
-
- gpc->valid = false;
-@@ -274,6 +284,7 @@ void kvm_gfn_to_pfn_cache_unmap(struct kvm *kvm, struct gfn_to_pfn_cache *gpc)
- gpc->pfn = KVM_PFN_ERR_FAULT;
-
- write_unlock_irq(&gpc->lock);
-+ mutex_unlock(&gpc->refresh_lock);
-
- gpc_release_pfn_and_khva(kvm, old_pfn, old_khva);
- }
-@@ -288,6 +299,7 @@ int kvm_gfn_to_pfn_cache_init(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
-
- if (!gpc->active) {
- rwlock_init(&gpc->lock);
-+ mutex_init(&gpc->refresh_lock);
-
- gpc->khva = NULL;
- gpc->pfn = KVM_PFN_ERR_FAULT;
---
-2.35.1
-
+++ /dev/null
-From d767abce1471976905ba9734b7e1e3756377d9e8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 Jun 2022 21:35:51 +0000
-Subject: KVM: nVMX: Account for KVM reserved CR4 bits in consistency checks
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit ca58f3aa53d165afe4ab74c755bc2f6d168617ac ]
-
-Check that the guest (L2) and host (L1) CR4 values that would be loaded
-by nested VM-Enter and VM-Exit respectively are valid with respect to
-KVM's (L0 host) allowed CR4 bits. Failure to check KVM reserved bits
-would allow L1 to load an illegal CR4 (or trigger hardware VM-Fail or
-failed VM-Entry) by massaging guest CPUID to allow features that are not
-supported by KVM. Amusingly, KVM itself is an accomplice in its doom, as
-KVM adjusts L1's MSR_IA32_VMX_CR4_FIXED1 to allow L1 to enable bits for
-L2 based on L1's CPUID model.
-
-Note, although nested_{guest,host}_cr4_valid() are _currently_ used if
-and only if the vCPU is post-VMXON (nested.vmxon == true), that may not
-be true in the future, e.g. emulating VMXON has a bug where it doesn't
-check the allowed/required CR0/CR4 bits.
-
-Cc: stable@vger.kernel.org
-Fixes: 3899152ccbf4 ("KVM: nVMX: fix checks on CR{0,4} during virtual VMX operation")
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220607213604.3346000-3-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/vmx/nested.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/vmx/nested.h b/arch/x86/kvm/vmx/nested.h
-index c92cea0b8ccc..129ae4e01f7c 100644
---- a/arch/x86/kvm/vmx/nested.h
-+++ b/arch/x86/kvm/vmx/nested.h
-@@ -281,7 +281,8 @@ static inline bool nested_cr4_valid(struct kvm_vcpu *vcpu, unsigned long val)
- u64 fixed0 = to_vmx(vcpu)->nested.msrs.cr4_fixed0;
- u64 fixed1 = to_vmx(vcpu)->nested.msrs.cr4_fixed1;
-
-- return fixed_bits_valid(val, fixed0, fixed1);
-+ return fixed_bits_valid(val, fixed0, fixed1) &&
-+ __kvm_is_valid_cr4(vcpu, val);
- }
-
- /* No difference in the restrictions on guest and host CR4 in VMX operation. */
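Review bot: nested_cr4_valid() now enforces two separate constraints in its return statement, the nested VMX fixed0/fixed1 MSRs and KVM's own reserved CR4 bits via __kvm_is_valid_cr4(), and the code does not say why both are needed. A short comment above the return, noting that the fixed1 value follows the guest's CPUID and can therefore allow bits KVM does not support, would keep a later cleanup from dropping the second check as redundant.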
---
-2.35.1
-
+++ /dev/null
-From 452c457abb5411372c478172ce17b997bce37923 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 Jun 2022 21:35:52 +0000
-Subject: KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit c7d855c2aff2d511fd60ee2e356134c4fb394799 ]
-
-Inject a #UD if L1 attempts VMXON with a CR0 or CR4 that is disallowed
-per the associated nested VMX MSRs' fixed0/1 settings. KVM cannot rely
-on hardware to perform the checks, even for the few checks that have
-higher priority than VM-Exit, as (a) KVM may have forced CR0/CR4 bits in
-hardware while running the guest, (b) there may incompatible CR0/CR4 bits
-that have lower priority than VM-Exit, e.g. CR0.NE, and (c) userspace may
-have further restricted the allowed CR0/CR4 values by manipulating the
-guest's nested VMX MSRs.
-
-Note, despite a very strong desire to throw shade at Jim, commit
-70f3aac964ae ("kvm: nVMX: Remove superfluous VMX instruction fault checks")
-is not to blame for the buggy behavior (though the comment...). That
-commit only removed the CR0.PE, EFLAGS.VM, and COMPATIBILITY mode checks
-(though it did erroneously drop the CPL check, but that has already been
-remedied). KVM may force CR0.PE=1, but will do so only when also
-forcing EFLAGS.VM=1 to emulate Real Mode, i.e. hardware will still #UD.
-
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=216033
-Fixes: ec378aeef9df ("KVM: nVMX: Implement VMXON and VMXOFF")
-Reported-by: Eric Li <ercli@ucdavis.edu>
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220607213604.3346000-4-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/vmx/nested.c | 23 ++++++++++++++---------
- 1 file changed, 14 insertions(+), 9 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
-index 30babb471ae3..f3b500b8475f 100644
---- a/arch/x86/kvm/vmx/nested.c
-+++ b/arch/x86/kvm/vmx/nested.c
-@@ -4964,20 +4964,25 @@ static int handle_vmon(struct kvm_vcpu *vcpu)
- | FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
-
- /*
-- * The Intel VMX Instruction Reference lists a bunch of bits that are
-- * prerequisite to running VMXON, most notably cr4.VMXE must be set to
-- * 1 (see vmx_is_valid_cr4() for when we allow the guest to set this).
-- * Otherwise, we should fail with #UD. But most faulting conditions
-- * have already been checked by hardware, prior to the VM-exit for
-- * VMXON. We do test guest cr4.VMXE because processor CR4 always has
-- * that bit set to 1 in non-root mode.
-+ * Note, KVM cannot rely on hardware to perform the CR0/CR4 #UD checks
-+ * that have higher priority than VM-Exit (see Intel SDM's pseudocode
-+ * for VMXON), as KVM must load valid CR0/CR4 values into hardware while
-+ * running the guest, i.e. KVM needs to check the _guest_ values.
-+ *
-+ * Rely on hardware for the other two pre-VM-Exit checks, !VM86 and
-+ * !COMPATIBILITY modes. KVM may run the guest in VM86 to emulate Real
-+ * Mode, but KVM will never take the guest out of those modes.
- */
-- if (!kvm_read_cr4_bits(vcpu, X86_CR4_VMXE)) {
-+ if (!nested_host_cr0_valid(vcpu, kvm_read_cr0(vcpu)) ||
-+ !nested_host_cr4_valid(vcpu, kvm_read_cr4(vcpu))) {
- kvm_queue_exception(vcpu, UD_VECTOR);
- return 1;
- }
-
-- /* CPL=0 must be checked manually. */
-+ /*
-+ * CPL=0 and all other checks that are lower priority than VM-Exit must
-+ * be checked manually.
-+ */
- if (vmx_get_cpl(vcpu)) {
- kvm_inject_gp(vcpu, 0);
- return 1;
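Review bot: the explicit `kvm_read_cr4_bits(vcpu, X86_CR4_VMXE)` test is removed and the rewritten comment no longer mentions CR4.VMXE at all. If the bit is now expected to be rejected through the fixed0 value consulted by nested_host_cr4_valid(), the comment should say so, since that was the one prerequisite the old text called out by name.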
---
-2.35.1
-
+++ /dev/null
-From 386e4970d04eb231b4e6fb4a700344e6164b67e8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 Jun 2022 21:35:54 +0000
-Subject: KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit f8ae08f9789ad59d318ea75b570caa454aceda81 ]
-
-Restrict the nVMX MSRs based on KVM's config, not based on the guest's
-current config. Using the guest's config to audit the new config
-prevents userspace from restoring the original config (KVM's config) if
-at any point in the past the guest's config was restricted in any way.
-
-Fixes: 62cc6b9dc61e ("KVM: nVMX: support restore of VMX capability MSRs")
-Cc: stable@vger.kernel.org
-Cc: David Matlack <dmatlack@google.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220607213604.3346000-6-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/vmx/nested.c | 70 +++++++++++++++++++++------------------
- 1 file changed, 37 insertions(+), 33 deletions(-)
-
-diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
-index f3b500b8475f..66735fbb791d 100644
---- a/arch/x86/kvm/vmx/nested.c
-+++ b/arch/x86/kvm/vmx/nested.c
-@@ -1223,7 +1223,7 @@ static int vmx_restore_vmx_basic(struct vcpu_vmx *vmx, u64 data)
- BIT_ULL(49) | BIT_ULL(54) | BIT_ULL(55) |
- /* reserved */
- BIT_ULL(31) | GENMASK_ULL(47, 45) | GENMASK_ULL(63, 56);
-- u64 vmx_basic = vmx->nested.msrs.basic;
-+ u64 vmx_basic = vmcs_config.nested.basic;
-
- if (!is_bitwise_subset(vmx_basic, data, feature_and_reserved))
- return -EINVAL;
-@@ -1246,36 +1246,42 @@ static int vmx_restore_vmx_basic(struct vcpu_vmx *vmx, u64 data)
- return 0;
- }
-
--static int
--vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
-+static void vmx_get_control_msr(struct nested_vmx_msrs *msrs, u32 msr_index,
-+ u32 **low, u32 **high)
- {
-- u64 supported;
-- u32 *lowp, *highp;
--
- switch (msr_index) {
- case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
-- lowp = &vmx->nested.msrs.pinbased_ctls_low;
-- highp = &vmx->nested.msrs.pinbased_ctls_high;
-+ *low = &msrs->pinbased_ctls_low;
-+ *high = &msrs->pinbased_ctls_high;
- break;
- case MSR_IA32_VMX_TRUE_PROCBASED_CTLS:
-- lowp = &vmx->nested.msrs.procbased_ctls_low;
-- highp = &vmx->nested.msrs.procbased_ctls_high;
-+ *low = &msrs->procbased_ctls_low;
-+ *high = &msrs->procbased_ctls_high;
- break;
- case MSR_IA32_VMX_TRUE_EXIT_CTLS:
-- lowp = &vmx->nested.msrs.exit_ctls_low;
-- highp = &vmx->nested.msrs.exit_ctls_high;
-+ *low = &msrs->exit_ctls_low;
-+ *high = &msrs->exit_ctls_high;
- break;
- case MSR_IA32_VMX_TRUE_ENTRY_CTLS:
-- lowp = &vmx->nested.msrs.entry_ctls_low;
-- highp = &vmx->nested.msrs.entry_ctls_high;
-+ *low = &msrs->entry_ctls_low;
-+ *high = &msrs->entry_ctls_high;
- break;
- case MSR_IA32_VMX_PROCBASED_CTLS2:
-- lowp = &vmx->nested.msrs.secondary_ctls_low;
-- highp = &vmx->nested.msrs.secondary_ctls_high;
-+ *low = &msrs->secondary_ctls_low;
-+ *high = &msrs->secondary_ctls_high;
- break;
- default:
- BUG();
- }
-+}
-+
-+static int
-+vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
-+{
-+ u32 *lowp, *highp;
-+ u64 supported;
-+
-+ vmx_get_control_msr(&vmcs_config.nested, msr_index, &lowp, &highp);
-
- supported = vmx_control_msr(*lowp, *highp);
-
-@@ -1287,6 +1293,7 @@ vmx_restore_control_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
- if (!is_bitwise_subset(supported, data, GENMASK_ULL(63, 32)))
- return -EINVAL;
-
-+ vmx_get_control_msr(&vmx->nested.msrs, msr_index, &lowp, &highp);
- *lowp = data;
- *highp = data >> 32;
- return 0;
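Review bot: in vmx_restore_control_msr(), `lowp` and `highp` first point into vmcs_config.nested for validation and are then re-pointed into vmx->nested.msrs by the added vmx_get_control_msr() call just before the store. Reusing the same pair for the read-only source and the write destination is easy to misread. Separate names for the two, or a one-line comment on the second call, would make it obvious that the write never lands in vmcs_config.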
-@@ -1300,10 +1307,8 @@ static int vmx_restore_vmx_misc(struct vcpu_vmx *vmx, u64 data)
- BIT_ULL(28) | BIT_ULL(29) | BIT_ULL(30) |
- /* reserved */
- GENMASK_ULL(13, 9) | BIT_ULL(31);
-- u64 vmx_misc;
--
-- vmx_misc = vmx_control_msr(vmx->nested.msrs.misc_low,
-- vmx->nested.msrs.misc_high);
-+ u64 vmx_misc = vmx_control_msr(vmcs_config.nested.misc_low,
-+ vmcs_config.nested.misc_high);
-
- if (!is_bitwise_subset(vmx_misc, data, feature_and_reserved_bits))
- return -EINVAL;
-@@ -1331,10 +1336,8 @@ static int vmx_restore_vmx_misc(struct vcpu_vmx *vmx, u64 data)
-
- static int vmx_restore_vmx_ept_vpid_cap(struct vcpu_vmx *vmx, u64 data)
- {
-- u64 vmx_ept_vpid_cap;
--
-- vmx_ept_vpid_cap = vmx_control_msr(vmx->nested.msrs.ept_caps,
-- vmx->nested.msrs.vpid_caps);
-+ u64 vmx_ept_vpid_cap = vmx_control_msr(vmcs_config.nested.ept_caps,
-+ vmcs_config.nested.vpid_caps);
-
- /* Every bit is either reserved or a feature bit. */
- if (!is_bitwise_subset(vmx_ept_vpid_cap, data, -1ULL))
-@@ -1345,20 +1348,21 @@ static int vmx_restore_vmx_ept_vpid_cap(struct vcpu_vmx *vmx, u64 data)
- return 0;
- }
-
--static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
-+static u64 *vmx_get_fixed0_msr(struct nested_vmx_msrs *msrs, u32 msr_index)
- {
-- u64 *msr;
--
- switch (msr_index) {
- case MSR_IA32_VMX_CR0_FIXED0:
-- msr = &vmx->nested.msrs.cr0_fixed0;
-- break;
-+ return &msrs->cr0_fixed0;
- case MSR_IA32_VMX_CR4_FIXED0:
-- msr = &vmx->nested.msrs.cr4_fixed0;
-- break;
-+ return &msrs->cr4_fixed0;
- default:
- BUG();
- }
-+}
-+
-+static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
-+{
-+ const u64 *msr = vmx_get_fixed0_msr(&vmcs_config.nested, msr_index);
-
- /*
- * 1 bits (which indicates bits which "must-be-1" during VMX operation)
-@@ -1367,7 +1371,7 @@ static int vmx_restore_fixed0_msr(struct vcpu_vmx *vmx, u32 msr_index, u64 data)
- if (!is_bitwise_subset(data, *msr, -1ULL))
- return -EINVAL;
-
-- *msr = data;
-+ *vmx_get_fixed0_msr(&vmx->nested.msrs, msr_index) = data;
- return 0;
- }
-
-@@ -1428,7 +1432,7 @@ int vmx_set_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 data)
- vmx->nested.msrs.vmcs_enum = data;
- return 0;
- case MSR_IA32_VMX_VMFUNC:
-- if (data & ~vmx->nested.msrs.vmfunc_controls)
-+ if (data & ~vmcs_config.nested.vmfunc_controls)
- return -EINVAL;
- vmx->nested.msrs.vmfunc_controls = data;
- return 0;
---
-2.35.1
-
+++ /dev/null
-From b52bbbb1b583491cdb74bb02fc84bec3ec4dbe2d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Jun 2022 21:58:27 +0000
-Subject: KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit fa578398a0ba2c079fa1170da21fa5baae0cedb2 ]
-
-If a nested run isn't pending, snapshot vmcs01.GUEST_BNDCFGS irrespective
-of whether or not VM_ENTRY_LOAD_BNDCFGS is set in vmcs12. When restoring
-nested state, e.g. after migration, without a nested run pending,
-prepare_vmcs02() will propagate nested.vmcs01_guest_bndcfgs to vmcs02,
-i.e. will load garbage/zeros into vmcs02.GUEST_BNDCFGS.
-
-If userspace restores nested state before MSRs, then loading garbage is a
-non-issue as loading BNDCFGS will also update vmcs02. But if usersepace
-restores MSRs first, then KVM is responsible for propagating L2's value,
-which is actually thrown into vmcs01, into vmcs02.
-
-Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
-is all kinds of bizarre and ideally would not be supported. Sadly, some
-VMMs do exactly that and rely on KVM to make things work.
-
-Note, there's still a lurking SMM bug, as propagating vmcs01.GUEST_BNDFGS
-to vmcs02 across RSM may corrupt L2's BNDCFGS. But KVM's entire VMX+SMM
-emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
-"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.
-
-Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
-Fixes: 62cf9bd8118c ("KVM: nVMX: Fix emulation of VM_ENTRY_LOAD_BNDCFGS")
-Cc: stable@vger.kernel.org
-Cc: Lei Wang <lei4.wang@intel.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220614215831.3762138-2-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/vmx/nested.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
-index ab135f9ef52f..d6cb040966f9 100644
---- a/arch/x86/kvm/vmx/nested.c
-+++ b/arch/x86/kvm/vmx/nested.c
-@@ -3376,7 +3376,8 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu,
- if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
- vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
- if (kvm_mpx_supported() &&
-- !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))
-+ (!vmx->nested.nested_run_pending ||
-+ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS)))
- vmx->nested.vmcs01_guest_bndcfgs = vmcs_read64(GUEST_BNDCFGS);
-
- /*
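Review bot: the added `!vmx->nested.nested_run_pending ||` term in the BNDCFGS condition has no comment, and the reason for it (a nested state restore without a pending run must still snapshot vmcs01 so prepare_vmcs02() does not propagate a stale value) is only in the commit message. A brief comment above the `if` would document that, since the condition now reads as if VM_ENTRY_LOAD_BNDCFGS were being ignored by mistake.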
---
-2.35.1
-
+++ /dev/null
-From b840ad0bc32e8dc61c68c80d5a88dd6f19b2c01e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 14 Jun 2022 21:58:28 +0000
-Subject: KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending
- case
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 764643a6be07445308e492a528197044c801b3ba ]
-
-If a nested run isn't pending, snapshot vmcs01.GUEST_IA32_DEBUGCTL
-irrespective of whether or not VM_ENTRY_LOAD_DEBUG_CONTROLS is set in
-vmcs12. When restoring nested state, e.g. after migration, without a
-nested run pending, prepare_vmcs02() will propagate
-nested.vmcs01_debugctl to vmcs02, i.e. will load garbage/zeros into
-vmcs02.GUEST_IA32_DEBUGCTL.
-
-If userspace restores nested state before MSRs, then loading garbage is a
-non-issue as loading DEBUGCTL will also update vmcs02. But if usersepace
-restores MSRs first, then KVM is responsible for propagating L2's value,
-which is actually thrown into vmcs01, into vmcs02.
-
-Restoring L2 MSRs into vmcs01, i.e. loading all MSRs before nested state
-is all kinds of bizarre and ideally would not be supported. Sadly, some
-VMMs do exactly that and rely on KVM to make things work.
-
-Note, there's still a lurking SMM bug, as propagating vmcs01's DEBUGCTL
-to vmcs02 across RSM may corrupt L2's DEBUGCTL. But KVM's entire VMX+SMM
-emulation is flawed as SMI+RSM should not toouch _any_ VMCS when use the
-"default treatment of SMIs", i.e. when not using an SMI Transfer Monitor.
-
-Link: https://lore.kernel.org/all/Yobt1XwOfb5M6Dfa@google.com
-Fixes: 8fcc4b5923af ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE")
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220614215831.3762138-3-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/vmx/nested.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
-index d6cb040966f9..30babb471ae3 100644
---- a/arch/x86/kvm/vmx/nested.c
-+++ b/arch/x86/kvm/vmx/nested.c
-@@ -3373,7 +3373,8 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu,
- if (likely(!evaluate_pending_interrupts) && kvm_vcpu_apicv_active(vcpu))
- evaluate_pending_interrupts |= vmx_has_apicv_interrupt(vcpu);
-
-- if (!(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
-+ if (!vmx->nested.nested_run_pending ||
-+ !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS))
- vmx->nested.vmcs01_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL);
- if (kvm_mpx_supported() &&
- (!vmx->nested.nested_run_pending ||
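Review bot: after this change the DEBUGCTL and BNDCFGS conditions both open with the same `!vmx->nested.nested_run_pending ||` term on adjacent statements. Hoisting it into a local bool, or restructuring so the two snapshots share one outer test, would keep the pair from drifting apart if one of them is edited later.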
---
-2.35.1
-
+++ /dev/null
-From 4094f6c440d7010664567898b9271e38ef241895 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Apr 2022 21:00:21 +0000
-Subject: KVM: Put the extra pfn reference when reusing a pfn in the gpc cache
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 3dddf65b4f4c451c345d34ae85bdf1791a746e49 ]
-
-Put the struct page reference to pfn acquired by hva_to_pfn() when the
-old and new pfns for a gfn=>pfn cache match. The cache already has a
-reference via the old/current pfn, and will only put one reference when
-the cache is done with the pfn.
-
-Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support")
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220429210025.3293691-5-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- virt/kvm/pfncache.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
-index e05a6a1b8eff..40cbe90d52e0 100644
---- a/virt/kvm/pfncache.c
-+++ b/virt/kvm/pfncache.c
-@@ -206,6 +206,14 @@ int kvm_gfn_to_pfn_cache_refresh(struct kvm *kvm, struct gfn_to_pfn_cache *gpc,
-
- if (gpc->usage & KVM_HOST_USES_PFN) {
- if (new_pfn == old_pfn) {
-+ /*
-+ * Reuse the existing pfn and khva, but put the
-+ * reference acquired hva_to_pfn_retry(); the
-+ * cache still holds a reference to the pfn
-+ * from the previous refresh.
-+ */
-+ gpc_release_pfn_and_khva(kvm, new_pfn, NULL);
-+
- new_khva = old_khva;
- old_pfn = KVM_PFN_ERR_FAULT;
- old_khva = NULL;
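Review bot: the added comment reads "put the reference acquired hva_to_pfn_retry()", which is missing "by". Since the comment is the only explanation of why a release is issued on the reuse path with a NULL khva, it is worth fixing the wording and stating that only the pfn reference is dropped while the existing mapping is kept.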
---
-2.35.1
-
+++ /dev/null
-From 312aee67f8e93778405734e49ade001a9fad4211 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 18 Jul 2022 15:04:34 +0200
-Subject: KVM: s390: pv: don't present the ecall interrupt twice
-
-From: Nico Boehr <nrb@linux.ibm.com>
-
-[ Upstream commit c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8 ]
-
-When the SIGP interpretation facility is present and a VCPU sends an
-ecall to another VCPU in enabled wait, the sending VCPU receives a 56
-intercept (partial execution), so KVM can wake up the receiving CPU.
-Note that the SIGP interpretation facility will take care of the
-interrupt delivery and KVM's only job is to wake the receiving VCPU.
-
-For PV, the sending VCPU will receive a 108 intercept (pv notify) and
-should continue like in the non-PV case, i.e. wake the receiving VCPU.
-
-For PV and non-PV guests the interrupt delivery will occur through the
-SIGP interpretation facility on SIE entry when SIE finds the X bit in
-the status field set.
-
-However, in handle_pv_notification(), there was no special handling for
-SIGP, which leads to interrupt injection being requested by KVM for the
-next SIE entry. This results in the interrupt being delivered twice:
-once by the SIGP interpretation facility and once by KVM through the
-IICTL.
-
-Add the necessary special handling in handle_pv_notification(), similar
-to handle_partial_execution(), which simply wakes the receiving VCPU and
-leave interrupt delivery to the SIGP interpretation facility.
-
-In contrast to external calls, emergency calls are not interpreted but
-also cause a 108 intercept, which is why we still need to call
-handle_instruction() for SIGP orders other than ecall.
-
-Since kvm_s390_handle_sigp_pei() is now called for all SIGP orders which
-cause a 108 intercept - even if they are actually handled by
-handle_instruction() - move the tracepoint in kvm_s390_handle_sigp_pei()
-to avoid possibly confusing trace messages.
-
-Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
-Cc: <stable@vger.kernel.org> # 5.7
-Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation")
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
-Link: https://lore.kernel.org/r/20220718130434.73302-1-nrb@linux.ibm.com
-Message-Id: <20220718130434.73302-1-nrb@linux.ibm.com>
-Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/kvm/intercept.c | 15 +++++++++++++++
- arch/s390/kvm/sigp.c | 4 ++--
- 2 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
-index 8bd42a20d924..88112065d941 100644
---- a/arch/s390/kvm/intercept.c
-+++ b/arch/s390/kvm/intercept.c
-@@ -528,12 +528,27 @@ static int handle_pv_uvc(struct kvm_vcpu *vcpu)
-
- static int handle_pv_notification(struct kvm_vcpu *vcpu)
- {
-+ int ret;
-+
- if (vcpu->arch.sie_block->ipa == 0xb210)
- return handle_pv_spx(vcpu);
- if (vcpu->arch.sie_block->ipa == 0xb220)
- return handle_pv_sclp(vcpu);
- if (vcpu->arch.sie_block->ipa == 0xb9a4)
- return handle_pv_uvc(vcpu);
-+ if (vcpu->arch.sie_block->ipa >> 8 == 0xae) {
-+ /*
-+ * Besides external call, other SIGP orders also cause a
-+ * 108 (pv notify) intercept. In contrast to external call,
-+ * these orders need to be emulated and hence the appropriate
-+ * place to handle them is in handle_instruction().
-+ * So first try kvm_s390_handle_sigp_pei() and if that isn't
-+ * successful, go on with handle_instruction().
-+ */
-+ ret = kvm_s390_handle_sigp_pei(vcpu);
-+ if (!ret)
-+ return ret;
-+ }
-
- return handle_instruction(vcpu);
- }
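Review bot: in the new SIGP branch of handle_pv_notification(), `if (!ret) return ret;` returns a value already known to be zero, and any non-zero result from kvm_s390_handle_sigp_pei() is silently discarded before falling through to handle_instruction(). Writing `return 0;` and declaring `ret` inside the block would make the intent clearer, and the comment should say that every non-zero return is treated as "not an external call" rather than as an error.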
-diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c
-index 8aaee2892ec3..cb747bf6c798 100644
---- a/arch/s390/kvm/sigp.c
-+++ b/arch/s390/kvm/sigp.c
-@@ -480,9 +480,9 @@ int kvm_s390_handle_sigp_pei(struct kvm_vcpu *vcpu)
- struct kvm_vcpu *dest_vcpu;
- u8 order_code = kvm_s390_get_base_disp_rs(vcpu, NULL);
-
-- trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
--
- if (order_code == SIGP_EXTERNAL_CALL) {
-+ trace_kvm_s390_handle_sigp_pei(vcpu, order_code, cpu_addr);
-+
- dest_vcpu = kvm_get_vcpu_by_id(vcpu->kvm, cpu_addr);
- BUG_ON(dest_vcpu == NULL);
-
---
-2.35.1
-
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/x86/kvm/x86.c | 7 +++++--
+ arch/x86/kvm/x86.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index e5fa335a4ea7..b2949f653564 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -3239,10 +3239,13 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+@@ -3245,10 +3245,13 @@ static int set_msr_mce(struct kvm_vcpu *
/* only 0 or all 1s can be written to IA32_MCi_CTL
* some Linux kernels though clear bit 10 in bank 4 to
* workaround a BIOS/GART TBL issue on AMD K8s, ignore
return -1;
/* MCi_STATUS */
---
-2.35.1
-
+++ /dev/null
-From 3f99761427448c41f59799a25942ebf1c92b772e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 2 May 2022 00:07:26 +0200
-Subject: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
-
-From: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
-
-[ Upstream commit f17c31c48e5cde9895a491d91c424eeeada3e134 ]
-
-Don't BUG/WARN on interrupt injection due to GIF being cleared,
-since it's trivial for userspace to force the situation via
-KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
-for KVM internally generated injections).
-
- kernel BUG at arch/x86/kvm/svm/svm.c:3386!
- invalid opcode: 0000 [#1] SMP
- CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
- Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
- RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
- Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
- RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246
- RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006
- RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0
- RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000
- R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
- R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000
- FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000
- CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0
- Call Trace:
- <TASK>
- inject_pending_event+0x2f7/0x4c0 [kvm]
- kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]
- kvm_vcpu_ioctl+0x26d/0x650 [kvm]
- __x64_sys_ioctl+0x82/0xb0
- do_syscall_64+0x3b/0xc0
- entry_SYSCALL_64_after_hwframe+0x44/0xae
- </TASK>
-
-Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection")
-Cc: stable@vger.kernel.org
-Co-developed-by: Sean Christopherson <seanjc@google.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
-Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/svm/svm.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index 44bbf25dfeb9..e9f479acf941 100644
---- a/arch/x86/kvm/svm/svm.c
-+++ b/arch/x86/kvm/svm/svm.c
-@@ -3385,8 +3385,6 @@ static void svm_inject_irq(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- BUG_ON(!(gif_set(svm)));
--
- trace_kvm_inj_virq(vcpu->arch.interrupt.nr);
- ++vcpu->stat.irq_injections;
-
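Review bot: With `BUG_ON(!(gif_set(svm)));` removed, svm_inject_irq() carries no record of why injection with GIF=0 is tolerated. A short comment noting that userspace can reach this state through KVM_SET_VCPU_EVENTS would keep the assertion from being reintroduced. The commit message also says a WARN would still be correct for KVM-generated injections, so it is worth stating whether that case can be distinguished here.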
---
-2.35.1
-
+++ /dev/null
-From 5ef7132f5c1b5e760c2d86b0c56383dc22c9f3fc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 Jul 2022 23:27:48 +0000
-Subject: KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 ]
-
-Wait to mark the TSS as busy during LTR emulation until after all fault
-checks for the LTR have passed. Specifically, don't mark the TSS busy if
-the new TSS base is non-canonical.
-
-Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the
-only reason for the early check was to avoid marking a !PRESENT TSS as
-busy, i.e. the common !PRESENT is now done before setting the busy bit.
-
-Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
-Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com
-Cc: stable@vger.kernel.org
-Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
-Cc: Hou Wenlong <houwenlong.hwl@antgroup.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
-Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/emulate.c | 19 +++++++++----------
- 1 file changed, 9 insertions(+), 10 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index f8382abe22ff..93a969066d5c 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -1687,16 +1687,6 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- case VCPU_SREG_TR:
- if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9))
- goto exception;
-- if (!seg_desc.p) {
-- err_vec = NP_VECTOR;
-- goto exception;
-- }
-- old_desc = seg_desc;
-- seg_desc.type |= 2; /* busy */
-- ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
-- sizeof(seg_desc), &ctxt->exception);
-- if (ret != X86EMUL_CONTINUE)
-- return ret;
- break;
- case VCPU_SREG_LDTR:
- if (seg_desc.s || seg_desc.type != 2)
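Review bot: After this removal the `case VCPU_SREG_TR:` arm checks only `seg_desc.s` and the type before `break`, and the NP_VECTOR fault on `!seg_desc.p` now depends on the common present check further down. A one-line comment in the TR arm saying that the present check and the busy marking happen later would help, since nothing in this arm shows it.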
-@@ -1737,6 +1727,15 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- ((u64)base3 << 32), ctxt))
- return emulate_gp(ctxt, 0);
- }
-+
-+ if (seg == VCPU_SREG_TR) {
-+ old_desc = seg_desc;
-+ seg_desc.type |= 2; /* busy */
-+ ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc,
-+ sizeof(seg_desc), &ctxt->exception);
-+ if (ret != X86EMUL_CONTINUE)
-+ return ret;
-+ }
- load:
- ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
- if (desc)
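Review bot: The new `if (seg == VCPU_SREG_TR)` block sits immediately above the `load:` label, so any path that jumps to `load` bypasses the busy marking. Please confirm that no TR load can take such a jump, and add a comment on the block stating that it must stay after all fault checks, which is the point of the move.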
---
-2.35.1
-
+++ /dev/null
-From 1d4354d553be3fc86438d397274ddf854202ea95 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 23 Jul 2022 01:30:29 +0000
-Subject: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 6c6ab524cfae0799e55c82b2c1d61f1af0156f8d ]
-
-Treat the NX bit as valid when using NPT, as KVM will set the NX bit when
-the NX huge page mitigation is enabled (mindblowing) and trigger the WARN
-that fires on reserved SPTE bits being set.
-
-KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM:
-Refuse to load kvm_amd if NX support is not available") for exactly this
-reason, but apparently it never occurred to anyone to actually test NPT
-with the mitigation enabled.
-
- ------------[ cut here ]------------
- spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000
- WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm]
- Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022
- RIP: 0010:make_spte+0x327/0x340 [kvm]
- Call Trace:
- <TASK>
- tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm]
- kvm_tdp_mmu_map+0x343/0x3b0 [kvm]
- direct_page_fault+0x1ae/0x2a0 [kvm]
- kvm_tdp_page_fault+0x7d/0x90 [kvm]
- kvm_mmu_page_fault+0xfb/0x2e0 [kvm]
- npf_interception+0x55/0x90 [kvm_amd]
- svm_invoke_exit_handler+0x31/0xf0 [kvm_amd]
- svm_handle_exit+0xf6/0x1d0 [kvm_amd]
- vcpu_enter_guest+0xb6d/0xee0 [kvm]
- ? kvm_pmu_trigger_event+0x6d/0x230 [kvm]
- vcpu_run+0x65/0x2c0 [kvm]
- kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm]
- kvm_vcpu_ioctl+0x551/0x610 [kvm]
- __se_sys_ioctl+0x77/0xc0
- __x64_sys_ioctl+0x1d/0x20
- do_syscall_64+0x44/0xa0
- entry_SYSCALL_64_after_hwframe+0x46/0xb0
- </TASK>
- ---[ end trace 0000000000000000 ]---
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220723013029.1753623-1-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/mmu/mmu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
-index 17252f39bd7c..a1d17a826807 100644
---- a/arch/x86/kvm/mmu/mmu.c
-+++ b/arch/x86/kvm/mmu/mmu.c
-@@ -4567,7 +4567,7 @@ reset_tdp_shadow_zero_bits_mask(struct kvm_mmu *context)
-
- if (boot_cpu_is_amd())
- __reset_rsvds_bits_mask(shadow_zero_check, reserved_hpa_bits(),
-- context->root_role.level, false,
-+ context->root_role.level, true,
- boot_cpu_has(X86_FEATURE_GBPAGES),
- false, true);
- else
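Review bot: The fix flips the fourth argument of __reset_rsvds_bits_mask() from `false` to `true`, one of several bare booleans in the call (`true, boot_cpu_has(X86_FEATURE_GBPAGES), false, true`), so the call site does not show that this is the argument the commit message ties to NX. A trailing comment naming the parameter, or a named local, would make the intent visible and guard against the same mistake recurring.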
---
-2.35.1
-
+++ /dev/null
-From a1cc01410606cb8a22afc4b77d94cb1df15fb3ca Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 Jul 2022 23:27:49 +0000
-Subject: KVM: x86: Set error code to segment selector on LLDT/LTR
- non-canonical #GP
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit 2626206963ace9e8bf92b6eea5ff78dd674c555c ]
-
-When injecting a #GP on LLDT/LTR due to a non-canonical LDT/TSS base, set
-the error code to the selector. Intel SDM's says nothing about the #GP,
-but AMD's APM explicitly states that both LLDT and LTR set the error code
-to the selector, not zero.
-
-Note, a non-canonical memory operand on LLDT/LTR does generate a #GP(0),
-but the KVM code in question is specific to the base from the descriptor.
-
-Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR")
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
-Link: https://lore.kernel.org/r/20220711232750.1092012-3-seanjc@google.com
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/emulate.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 93a969066d5c..aa907cec0918 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -1724,8 +1724,8 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
- if (ret != X86EMUL_CONTINUE)
- return ret;
- if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
-- ((u64)base3 << 32), ctxt))
-- return emulate_gp(ctxt, 0);
-+ ((u64)base3 << 32), ctxt))
-+ return emulate_gp(ctxt, err_code);
- }
-
- if (seg == VCPU_SREG_TR) {
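Review bot: `return emulate_gp(ctxt, err_code);` relies on err_code holding the selector at this point, but its assignment is outside the hunk; please confirm that no earlier path leaves it at another value before the non-canonical check. The continuation line `((u64)base3 << 32), ctxt))` is also re-indented, which is unrelated whitespace churn in a two-line fix headed for stable.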
---
-2.35.1
-
Link: https://lore.kernel.org/r/20220512222716.4112548-2-seanjc@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- arch/x86/kvm/x86.c | 4 ++--
+ arch/x86/kvm/x86.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index b2949f653564..68d40cb5709d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
-@@ -3246,13 +3246,13 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+@@ -3252,13 +3252,13 @@ static int set_msr_mce(struct kvm_vcpu *
*/
if ((offset & 0x3) == 0 &&
data != 0 && (data | (1 << 10) | 1) != ~(u64)0)
}
vcpu->arch.mce_banks[offset] = data;
---
-2.35.1
-
+++ /dev/null
-From 38fd254b03ece4442185f4ea788de4316699491a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 Jun 2022 21:35:50 +0000
-Subject: KVM: x86: Split kvm_is_valid_cr4() and export only the non-vendor
- bits
-
-From: Sean Christopherson <seanjc@google.com>
-
-[ Upstream commit c33f6f2228fe8517e38941a508e9f905f99ecba9 ]
-
-Split the common x86 parts of kvm_is_valid_cr4(), i.e. the reserved bits
-checks, into a separate helper, __kvm_is_valid_cr4(), and export only the
-inner helper to vendor code in order to prevent nested VMX from calling
-back into vmx_is_valid_cr4() via kvm_is_valid_cr4().
-
-On SVM, this is a nop as SVM doesn't place any additional restrictions on
-CR4.
-
-On VMX, this is also currently a nop, but only because nested VMX is
-missing checks on reserved CR4 bits for nested VM-Enter. That bug will
-be fixed in a future patch, and could simply use kvm_is_valid_cr4() as-is,
-but nVMX has _another_ bug where VMXON emulation doesn't enforce VMX's
-restrictions on CR0/CR4. The cleanest and most intuitive way to fix the
-VMXON bug is to use nested_host_cr{0,4}_valid(). If the CR4 variant
-routes through kvm_is_valid_cr4(), using nested_host_cr4_valid() won't do
-the right thing for the VMXON case as vmx_is_valid_cr4() enforces VMX's
-restrictions if and only if the vCPU is post-VMXON.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-Id: <20220607213604.3346000-2-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kvm/svm/nested.c | 3 ++-
- arch/x86/kvm/vmx/vmx.c | 4 ++--
- arch/x86/kvm/x86.c | 12 +++++++++---
- arch/x86/kvm/x86.h | 2 +-
- 4 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
-index ba7cd26f438f..1773080976ca 100644
---- a/arch/x86/kvm/svm/nested.c
-+++ b/arch/x86/kvm/svm/nested.c
-@@ -320,7 +320,8 @@ static bool __nested_vmcb_check_save(struct kvm_vcpu *vcpu,
- return false;
- }
-
-- if (CC(!kvm_is_valid_cr4(vcpu, save->cr4)))
-+ /* Note, SVM doesn't have any additional restrictions on CR4. */
-+ if (CC(!__kvm_is_valid_cr4(vcpu, save->cr4)))
- return false;
-
- if (CC(!kvm_valid_efer(vcpu, save->efer)))
-diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
-index be7c19374fdd..0aaea87a1459 100644
---- a/arch/x86/kvm/vmx/vmx.c
-+++ b/arch/x86/kvm/vmx/vmx.c
-@@ -3230,8 +3230,8 @@ static bool vmx_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
- {
- /*
- * We operate under the default treatment of SMM, so VMX cannot be
-- * enabled under SMM. Note, whether or not VMXE is allowed at all is
-- * handled by kvm_is_valid_cr4().
-+ * enabled under SMM. Note, whether or not VMXE is allowed at all,
-+ * i.e. is a reserved bit, is handled by common x86 code.
- */
- if ((cr4 & X86_CR4_VMXE) && is_smm(vcpu))
- return false;
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 68d40cb5709d..9eac0528d584 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -1094,7 +1094,7 @@ int kvm_emulate_xsetbv(struct kvm_vcpu *vcpu)
- }
- EXPORT_SYMBOL_GPL(kvm_emulate_xsetbv);
-
--bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
-+bool __kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
- {
- if (cr4 & cr4_reserved_bits)
- return false;
-@@ -1102,9 +1102,15 @@ bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
- if (cr4 & vcpu->arch.cr4_guest_rsvd_bits)
- return false;
-
-- return static_call(kvm_x86_is_valid_cr4)(vcpu, cr4);
-+ return true;
-+}
-+EXPORT_SYMBOL_GPL(__kvm_is_valid_cr4);
-+
-+static bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
-+{
-+ return __kvm_is_valid_cr4(vcpu, cr4) &&
-+ static_call(kvm_x86_is_valid_cr4)(vcpu, cr4);
- }
--EXPORT_SYMBOL_GPL(kvm_is_valid_cr4);
-
- void kvm_post_set_cr4(struct kvm_vcpu *vcpu, unsigned long old_cr4, unsigned long cr4)
- {
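Review bot: __kvm_is_valid_cr4() is now the exported symbol, while the full check, kvm_is_valid_cr4() with the `static_call(kvm_x86_is_valid_cr4)` vendor hook, becomes static, so vendor code that calls the exported helper skips the vendor restrictions without any indication at the call site. The function needs a comment stating that it validates reserved bits only, so a later caller does not mistake it for the complete check.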
-diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
-index 588792f00334..80417761fe4a 100644
---- a/arch/x86/kvm/x86.h
-+++ b/arch/x86/kvm/x86.h
-@@ -407,7 +407,7 @@ static inline void kvm_machine_check(void)
- void kvm_load_guest_xsave_state(struct kvm_vcpu *vcpu);
- void kvm_load_host_xsave_state(struct kvm_vcpu *vcpu);
- int kvm_spec_ctrl_test_value(u64 value);
--bool kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4);
-+bool __kvm_is_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4);
- int kvm_handle_memory_failure(struct kvm_vcpu *vcpu, int r,
- struct x86_exception *e);
- int kvm_handle_invpcid(struct kvm_vcpu *vcpu, unsigned long type, gva_t gva);
---
-2.35.1
-
+++ /dev/null
-From 5e473ef1c39d9c7a4982900926db3650f9bb71cc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 12:54:21 +0200
-Subject: mbcache: add functions to delete entry if unused
-
-From: Jan Kara <jack@suse.cz>
-
-[ Upstream commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 ]
-
-Add function mb_cache_entry_delete_or_get() to delete mbcache entry if
-it is unused and also add a function to wait for entry to become unused
-- mb_cache_entry_wait_unused(). We do not share code between the two
-deleting function as one of them will go away soon.
-
-CC: stable@vger.kernel.org
-Fixes: 82939d7999df ("ext4: convert to mbcache2")
-Signed-off-by: Jan Kara <jack@suse.cz>
-Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/mbcache.c | 66 +++++++++++++++++++++++++++++++++++++++--
- include/linux/mbcache.h | 10 ++++++-
- 2 files changed, 73 insertions(+), 3 deletions(-)
-
-diff --git a/fs/mbcache.c b/fs/mbcache.c
-index cfc28129fb6f..2010bc80a3f2 100644
---- a/fs/mbcache.c
-+++ b/fs/mbcache.c
-@@ -11,7 +11,7 @@
- /*
- * Mbcache is a simple key-value store. Keys need not be unique, however
- * key-value pairs are expected to be unique (we use this fact in
-- * mb_cache_entry_delete()).
-+ * mb_cache_entry_delete_or_get()).
- *
- * Ext2 and ext4 use this cache for deduplication of extended attribute blocks.
- * Ext4 also uses it for deduplication of xattr values stored in inodes.
-@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cache_entry *entry)
- }
- EXPORT_SYMBOL(__mb_cache_entry_free);
-
-+/*
-+ * mb_cache_entry_wait_unused - wait to be the last user of the entry
-+ *
-+ * @entry - entry to work on
-+ *
-+ * Wait to be the last user of the entry.
-+ */
-+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry)
-+{
-+ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3);
-+}
-+EXPORT_SYMBOL(mb_cache_entry_wait_unused);
-+
- static struct mb_cache_entry *__entry_find(struct mb_cache *cache,
- struct mb_cache_entry *entry,
- u32 key)
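Review bot: The kernel-doc says "wait to be the last user of the entry", but the condition in mb_cache_entry_wait_unused() is `atomic_read(&entry->e_refcnt) <= 3`, and nothing here says which three references are expected to remain. Please document what those references are, or replace the literal with a named constant, since the same threshold has to stay in sync with the `cnt <= 3` wake-up added to mb_cache_entry_put().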
-@@ -217,7 +230,7 @@ struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
- }
- EXPORT_SYMBOL(mb_cache_entry_get);
-
--/* mb_cache_entry_delete - remove a cache entry
-+/* mb_cache_entry_delete - try to remove a cache entry
- * @cache - cache we work with
- * @key - key
- * @value - value
-@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value)
- }
- EXPORT_SYMBOL(mb_cache_entry_delete);
-
-+/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users
-+ * @cache - cache we work with
-+ * @key - key
-+ * @value - value
-+ *
-+ * Remove entry from cache @cache with key @key and value @value. The removal
-+ * happens only if the entry is unused. The function returns NULL in case the
-+ * entry was successfully removed or there's no entry in cache. Otherwise the
-+ * function grabs reference of the entry that we failed to delete because it
-+ * still has users and return it.
-+ */
-+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
-+ u32 key, u64 value)
-+{
-+ struct hlist_bl_node *node;
-+ struct hlist_bl_head *head;
-+ struct mb_cache_entry *entry;
-+
-+ head = mb_cache_entry_head(cache, key);
-+ hlist_bl_lock(head);
-+ hlist_bl_for_each_entry(entry, node, head, e_hash_list) {
-+ if (entry->e_key == key && entry->e_value == value) {
-+ if (atomic_read(&entry->e_refcnt) > 2) {
-+ atomic_inc(&entry->e_refcnt);
-+ hlist_bl_unlock(head);
-+ return entry;
-+ }
-+ /* We keep hash list reference to keep entry alive */
-+ hlist_bl_del_init(&entry->e_hash_list);
-+ hlist_bl_unlock(head);
-+ spin_lock(&cache->c_list_lock);
-+ if (!list_empty(&entry->e_list)) {
-+ list_del_init(&entry->e_list);
-+ if (!WARN_ONCE(cache->c_entry_count == 0,
-+ "mbcache: attempt to decrement c_entry_count past zero"))
-+ cache->c_entry_count--;
-+ atomic_dec(&entry->e_refcnt);
-+ }
-+ spin_unlock(&cache->c_list_lock);
-+ mb_cache_entry_put(cache, entry);
-+ return NULL;
-+ }
-+ }
-+ hlist_bl_unlock(head);
-+
-+ return NULL;
-+}
-+EXPORT_SYMBOL(mb_cache_entry_delete_or_get);
-+
- /* mb_cache_entry_touch - cache entry got used
- * @cache - cache the entry belongs to
- * @entry - entry that got used
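Review bot: In mb_cache_entry_delete_or_get() the in-use test is `atomic_read(&entry->e_refcnt) > 2` followed by a separate `atomic_inc()`; that pair is only safe if every path that takes a new reference also holds hlist_bl_lock(head), and the comment should say so. The literal 2 here and the 3 in mb_cache_entry_wait_unused() would be easier to audit as named constants. In the doc comment, "and return it" should read "and returns it".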
-diff --git a/include/linux/mbcache.h b/include/linux/mbcache.h
-index 20f1e3ff6013..8eca7f25c432 100644
---- a/include/linux/mbcache.h
-+++ b/include/linux/mbcache.h
-@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *cache);
- int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
- u64 value, bool reusable);
- void __mb_cache_entry_free(struct mb_cache_entry *entry);
-+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry);
- static inline int mb_cache_entry_put(struct mb_cache *cache,
- struct mb_cache_entry *entry)
- {
-- if (!atomic_dec_and_test(&entry->e_refcnt))
-+ unsigned int cnt = atomic_dec_return(&entry->e_refcnt);
-+
-+ if (cnt > 0) {
-+ if (cnt <= 3)
-+ wake_up_var(&entry->e_refcnt);
- return 0;
-+ }
- __mb_cache_entry_free(entry);
- return 1;
- }
-
-+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
-+ u32 key, u64 value);
- void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value);
- struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
- u64 value);
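Review bot: `unsigned int cnt = atomic_dec_return(&entry->e_refcnt);` stores a signed return value in an unsigned variable, so a refcount that drops below zero reads as a large positive count and passes `cnt > 0` without any warning. Using `int` and warning on a negative value would make an unbalanced put visible. The `cnt <= 3` wake-up threshold also wants a comment tying it to mb_cache_entry_wait_unused().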
---
-2.35.1
-
+++ /dev/null
-From 7bd38da9abe3f76a78a3a3a79043c0c887d99af3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 12:54:20 +0200
-Subject: mbcache: don't reclaim used entries
-
-From: Jan Kara <jack@suse.cz>
-
-[ Upstream commit 58318914186c157477b978b1739dfe2f1b9dc0fe ]
-
-Do not reclaim entries that are currently used by somebody from a
-shrinker. Firstly, these entries are likely useful. Secondly, we will
-need to keep such entries to protect pending increment of xattr block
-refcount.
-
-CC: stable@vger.kernel.org
-Fixes: 82939d7999df ("ext4: convert to mbcache2")
-Signed-off-by: Jan Kara <jack@suse.cz>
-Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/mbcache.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/fs/mbcache.c b/fs/mbcache.c
-index 97c54d3a2227..cfc28129fb6f 100644
---- a/fs/mbcache.c
-+++ b/fs/mbcache.c
-@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
- while (nr_to_scan-- && !list_empty(&cache->c_list)) {
- entry = list_first_entry(&cache->c_list,
- struct mb_cache_entry, e_list);
-- if (entry->e_referenced) {
-+ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) {
- entry->e_referenced = 0;
- list_move_tail(&entry->e_list, &cache->c_list);
- continue;
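Review bot: The `atomic_read(&entry->e_refcnt) > 2` test added to the first check is only a hint, as the "reliable check" comment in the next hunk implies. A comment here saying so, and naming the two baseline references the literal 2 stands for, would keep readers from treating this check as sufficient.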
-@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
- spin_unlock(&cache->c_list_lock);
- head = mb_cache_entry_head(cache, entry->e_key);
- hlist_bl_lock(head);
-+ /* Now a reliable check if the entry didn't get used... */
-+ if (atomic_read(&entry->e_refcnt) > 2) {
-+ hlist_bl_unlock(head);
-+ spin_lock(&cache->c_list_lock);
-+ list_add_tail(&entry->e_list, &cache->c_list);
-+ cache->c_entry_count++;
-+ continue;
-+ }
- if (!hlist_bl_unhashed(&entry->e_hash_list)) {
- hlist_bl_del_init(&entry->e_hash_list);
- atomic_dec(&entry->e_refcnt);
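Review bot: The new bail-out path re-takes `cache->c_list_lock`, puts the entry back with list_add_tail() and `cache->c_entry_count++`, then reaches `continue` with the lock still held. Those two lines mirror a removal and decrement that happen outside this hunk, so please add a comment that the lock is deliberately held across `continue` and that the re-add undoes the earlier removal; otherwise the accounting is easy to break in a later edit.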
---
-2.35.1
-
+++ /dev/null
-From bbbaa00ff25f7981f951b2a3b98b902494102db6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 24 Jul 2022 14:26:12 -0400
-Subject: md-raid: destroy the bitmap after destroying the thread
-
-From: Mikulas Patocka <mpatocka@redhat.com>
-
-[ Upstream commit e151db8ecfb019b7da31d076130a794574c89f6f ]
-
-When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with
-kasan, we got failure in write_page.
-
-The reason for the failure is that md_bitmap_destroy is called before
-destroying the thread and the thread may be waiting in the function
-write_page for the bio to complete. When the thread finishes waiting, it
-executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which
-triggers the kasan warning.
-
-Note that the commit 48df498daf62 that caused this bug claims that it is
-neede for md-cluster, you should check md-cluster and possibly find
-another bugfix for it.
-
-BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod]
-Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539
-
-CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
-Call Trace:
- <TASK>
- dump_stack_lvl+0x34/0x44
- print_report.cold+0x45/0x57a
- ? __lock_text_start+0x18/0x18
- ? write_page+0x18d/0x680 [md_mod]
- kasan_report+0xa8/0xe0
- ? write_page+0x18d/0x680 [md_mod]
- kasan_check_range+0x13f/0x180
- write_page+0x18d/0x680 [md_mod]
- ? super_sync+0x4d5/0x560 [dm_raid]
- ? md_bitmap_file_kick+0xa0/0xa0 [md_mod]
- ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid]
- ? mutex_trylock+0x120/0x120
- ? preempt_count_add+0x6b/0xc0
- ? preempt_count_sub+0xf/0xc0
- md_update_sb+0x707/0xe40 [md_mod]
- md_reap_sync_thread+0x1b2/0x4a0 [md_mod]
- md_check_recovery+0x533/0x960 [md_mod]
- raid1d+0xc8/0x2a20 [raid1]
- ? var_wake_function+0xe0/0xe0
- ? psi_group_change+0x411/0x500
- ? preempt_count_sub+0xf/0xc0
- ? _raw_spin_lock_irqsave+0x78/0xc0
- ? __lock_text_start+0x18/0x18
- ? raid1_end_read_request+0x2a0/0x2a0 [raid1]
- ? preempt_count_sub+0xf/0xc0
- ? _raw_spin_unlock_irqrestore+0x19/0x40
- ? del_timer_sync+0xa9/0x100
- ? try_to_del_timer_sync+0xc0/0xc0
- ? _raw_spin_lock_irqsave+0x78/0xc0
- ? __lock_text_start+0x18/0x18
- ? __list_del_entry_valid+0x68/0xa0
- ? finish_wait+0xa3/0x100
- md_thread+0x161/0x260 [md_mod]
- ? unregister_md_personality+0xa0/0xa0 [md_mod]
- ? _raw_spin_lock_irqsave+0x78/0xc0
- ? prepare_to_wait_event+0x2c0/0x2c0
- ? unregister_md_personality+0xa0/0xa0 [md_mod]
- kthread+0x148/0x180
- ? kthread_complete_and_exit+0x20/0x20
- ret_from_fork+0x1f/0x30
- </TASK>
-
-Allocated by task 5522:
- kasan_save_stack+0x1e/0x40
- __kasan_kmalloc+0x80/0xa0
- md_bitmap_create+0xa8/0xe80 [md_mod]
- md_run+0x777/0x1300 [md_mod]
- raid_ctr+0x249c/0x4a30 [dm_raid]
- dm_table_add_target+0x2b0/0x620 [dm_mod]
- table_load+0x1c8/0x400 [dm_mod]
- ctl_ioctl+0x29e/0x560 [dm_mod]
- dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
- __do_compat_sys_ioctl+0xfa/0x160
- do_syscall_64+0x90/0xc0
- entry_SYSCALL_64_after_hwframe+0x46/0xb0
-
-Freed by task 5680:
- kasan_save_stack+0x1e/0x40
- kasan_set_track+0x21/0x40
- kasan_set_free_info+0x20/0x40
- __kasan_slab_free+0xf7/0x140
- kfree+0x80/0x240
- md_bitmap_free+0x1c3/0x280 [md_mod]
- __md_stop+0x21/0x120 [md_mod]
- md_stop+0x9/0x40 [md_mod]
- raid_dtr+0x1b/0x40 [dm_raid]
- dm_table_destroy+0x98/0x1e0 [dm_mod]
- __dm_destroy+0x199/0x360 [dm_mod]
- dev_remove+0x10c/0x160 [dm_mod]
- ctl_ioctl+0x29e/0x560 [dm_mod]
- dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
- __do_compat_sys_ioctl+0xfa/0x160
- do_syscall_64+0x90/0xc0
- entry_SYSCALL_64_after_hwframe+0x46/0xb0
-
-Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
-Cc: stable@vger.kernel.org
-Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop")
-Signed-off-by: Song Liu <song@kernel.org>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/md.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index c7ecb0bffda0..660c52d48256 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -6244,11 +6244,11 @@ static void mddev_detach(struct mddev *mddev)
- static void __md_stop(struct mddev *mddev)
- {
- struct md_personality *pers = mddev->pers;
-- md_bitmap_destroy(mddev);
- mddev_detach(mddev);
- /* Ensure ->event_work is done */
- if (mddev->event_work.func)
- flush_workqueue(md_misc_wq);
-+ md_bitmap_destroy(mddev);
- spin_lock(&mddev->lock);
- mddev->pers = NULL;
- spin_unlock(&mddev->lock);
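Review bot: md_bitmap_destroy() now runs after mddev_detach() and the flush_workqueue(md_misc_wq) call, but nothing in __md_stop() explains that ordering, and the commit named in Fixes moved the call the other way on purpose. Add a comment that the bitmap must outlive the md thread, which may still be in write_page(), and record in the changelog what was checked for md-cluster, which the message leaves open.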
---
-2.35.1
-
+++ /dev/null
-From 24f0e8306bf150abac23c3c24598c1bedb55fe12 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 26 Jul 2022 04:33:12 -0400
-Subject: md-raid10: fix KASAN warning
-
-From: Mikulas Patocka <mpatocka@redhat.com>
-
-[ Upstream commit d17f744e883b2f8d13cca252d71cfe8ace346f7d ]
-
-There's a KASAN warning in raid10_remove_disk when running the lvm
-test lvconvert-raid-reshape.sh. We fix this warning by verifying that the
-value "number" is valid.
-
-BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10]
-Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682
-
-CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1
-Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
-Call Trace:
- <TASK>
- dump_stack_lvl+0x34/0x44
- print_report.cold+0x45/0x57a
- ? __lock_text_start+0x18/0x18
- ? raid10_remove_disk+0x61/0x2a0 [raid10]
- kasan_report+0xa8/0xe0
- ? raid10_remove_disk+0x61/0x2a0 [raid10]
- raid10_remove_disk+0x61/0x2a0 [raid10]
-Buffer I/O error on dev dm-76, logical block 15344, async page read
- ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0
- remove_and_add_spares+0x367/0x8a0 [md_mod]
- ? super_written+0x1c0/0x1c0 [md_mod]
- ? mutex_trylock+0xac/0x120
- ? _raw_spin_lock+0x72/0xc0
- ? _raw_spin_lock_bh+0xc0/0xc0
- md_check_recovery+0x848/0x960 [md_mod]
- raid10d+0xcf/0x3360 [raid10]
- ? sched_clock_cpu+0x185/0x1a0
- ? rb_erase+0x4d4/0x620
- ? var_wake_function+0xe0/0xe0
- ? psi_group_change+0x411/0x500
- ? preempt_count_sub+0xf/0xc0
- ? _raw_spin_lock_irqsave+0x78/0xc0
- ? __lock_text_start+0x18/0x18
- ? raid10_sync_request+0x36c0/0x36c0 [raid10]
- ? preempt_count_sub+0xf/0xc0
- ? _raw_spin_unlock_irqrestore+0x19/0x40
- ? del_timer_sync+0xa9/0x100
- ? try_to_del_timer_sync+0xc0/0xc0
- ? _raw_spin_lock_irqsave+0x78/0xc0
- ? __lock_text_start+0x18/0x18
- ? _raw_spin_unlock_irq+0x11/0x24
- ? __list_del_entry_valid+0x68/0xa0
- ? finish_wait+0xa3/0x100
- md_thread+0x161/0x260 [md_mod]
- ? unregister_md_personality+0xa0/0xa0 [md_mod]
- ? _raw_spin_lock_irqsave+0x78/0xc0
- ? prepare_to_wait_event+0x2c0/0x2c0
- ? unregister_md_personality+0xa0/0xa0 [md_mod]
- kthread+0x148/0x180
- ? kthread_complete_and_exit+0x20/0x20
- ret_from_fork+0x1f/0x30
- </TASK>
-
-Allocated by task 124495:
- kasan_save_stack+0x1e/0x40
- __kasan_kmalloc+0x80/0xa0
- setup_conf+0x140/0x5c0 [raid10]
- raid10_run+0x4cd/0x740 [raid10]
- md_run+0x6f9/0x1300 [md_mod]
- raid_ctr+0x2531/0x4ac0 [dm_raid]
- dm_table_add_target+0x2b0/0x620 [dm_mod]
- table_load+0x1c8/0x400 [dm_mod]
- ctl_ioctl+0x29e/0x560 [dm_mod]
- dm_compat_ctl_ioctl+0x7/0x20 [dm_mod]
- __do_compat_sys_ioctl+0xfa/0x160
- do_syscall_64+0x90/0xc0
- entry_SYSCALL_64_after_hwframe+0x46/0xb0
-
-Last potentially related work creation:
- kasan_save_stack+0x1e/0x40
- __kasan_record_aux_stack+0x9e/0xc0
- kvfree_call_rcu+0x84/0x480
- timerfd_release+0x82/0x140
-L __fput+0xfa/0x400
- task_work_run+0x80/0xc0
- exit_to_user_mode_prepare+0x155/0x160
- syscall_exit_to_user_mode+0x12/0x40
- do_syscall_64+0x42/0xc0
- entry_SYSCALL_64_after_hwframe+0x46/0xb0
-
-Second to last potentially related work creation:
- kasan_save_stack+0x1e/0x40
- __kasan_record_aux_stack+0x9e/0xc0
- kvfree_call_rcu+0x84/0x480
- timerfd_release+0x82/0x140
- __fput+0xfa/0x400
- task_work_run+0x80/0xc0
- exit_to_user_mode_prepare+0x155/0x160
- syscall_exit_to_user_mode+0x12/0x40
- do_syscall_64+0x42/0xc0
- entry_SYSCALL_64_after_hwframe+0x46/0xb0
-
-The buggy address belongs to the object at ffff889108f3d200
- which belongs to the cache kmalloc-256 of size 256
-The buggy address is located 0 bytes to the right of
- 256-byte region [ffff889108f3d200, ffff889108f3d300)
-
-The buggy address belongs to the physical page:
-page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c
-head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0
-flags: 0x4000000000010200(slab|head|zone=2)
-raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40
-raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
-page dumped because: kasan: bad access detected
-
-Memory state around the buggy address:
- ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
->ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ^
- ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
- ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-
-Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Song Liu <song@kernel.org>
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/md/raid10.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index d589f823feb1..f1908fe61677 100644
---- a/drivers/md/raid10.c
-+++ b/drivers/md/raid10.c
-@@ -2167,9 +2167,12 @@ static int raid10_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
- int err = 0;
- int number = rdev->raid_disk;
- struct md_rdev **rdevp;
-- struct raid10_info *p = conf->mirrors + number;
-+ struct raid10_info *p;
-
- print_conf(conf);
-+ if (unlikely(number >= mddev->raid_disks))
-+ return 0;
-+ p = conf->mirrors + number;
- if (rdev == p->rdev)
- rdevp = &p->rdev;
- else if (rdev == p->replacement)
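Review bot: the new bounds check in raid10_remove_disk() only covers the upper end: `number` is a signed `int` taken from `rdev->raid_disk`, so a negative value would pass `number >= mddev->raid_disks` and still be used in `conf->mirrors + number`. If a negative raid_disk can reach this function, add `number < 0` to the test; if it cannot, a one-line comment saying so would help. The early `return 0` also reports success for a slot that was never looked at, which deserves a comment explaining why that is the right result for the caller.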
---
-2.35.1
-
+++ /dev/null
-From f2eeacd8cefb521e349a7d6c49d07c065dc84beb Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 30 Mar 2022 02:56:52 +0100
-Subject: media: isl7998x: select V4L2_FWNODE to fix build error
-
-From: Randy Dunlap <rdunlap@infradead.org>
-
-[ Upstream commit 81e005842d0b8167c059553a1c29c36d8a7a9329 ]
-
-Fix build error when VIDEO_ISL7998X=y and V4L2_FWNODE=m
-by selecting V4L2_FWNODE.
-
-microblaze-linux-ld: drivers/media/i2c/isl7998x.o: in function `isl7998x_probe':
-(.text+0x8f4): undefined reference to `v4l2_fwnode_endpoint_parse'
-
-Cc: stable@vger.kernel.org # 5.18 and above
-Fixes: 51ef2be546e2 ("media: i2c: isl7998x: Add driver for Intersil ISL7998x")
-Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
-Reported-by: kernel test robot <lkp@intel.com>
-Cc: Marek Vasut <marex@denx.de>
-Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
-Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
-Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/i2c/Kconfig | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig
-index 2b20aa6c37b1..c926e5d43820 100644
---- a/drivers/media/i2c/Kconfig
-+++ b/drivers/media/i2c/Kconfig
-@@ -1178,6 +1178,7 @@ config VIDEO_ISL7998X
- depends on OF_GPIO
- select MEDIA_CONTROLLER
- select VIDEO_V4L2_SUBDEV_API
-+ select V4L2_FWNODE
- help
- Support for Intersil ISL7998x analog to MIPI-CSI2 or
- BT.656 decoder.
---
-2.35.1
-
+++ /dev/null
-From ad019b312a26390838e88bff7ec653e493796d75 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Apr 2022 05:14:15 +0100
-Subject: media: [PATCH] pci: atomisp_cmd: fix three missing checks on list
- iterator
-
-From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
-
-[ Upstream commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 ]
-
-The three bugs are here:
- __func__, s3a_buf->s3a_data->exp_id);
- __func__, md_buf->metadata->exp_id);
- __func__, dis_buf->dis_data->exp_id);
-
-The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus
-position containing HEAD if the list is empty or no element is found.
-This case must be checked before any use of the iterator, otherwise
-it will lead to a invalid memory access.
-
-To fix this bug, add an check. Use a new variable '*_iter' as the
-list iterator, while use the old variable '*_buf' as a dedicated
-pointer to point to the found element.
-
-Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com
-Cc: stable@vger.kernel.org
-Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"")
-Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- .../staging/media/atomisp/pci/atomisp_cmd.c | 57 ++++++++++++-------
- 1 file changed, 36 insertions(+), 21 deletions(-)
-
-diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
-index 97d5a528969b..0da0b69a4637 100644
---- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
-+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
-@@ -901,9 +901,9 @@ void atomisp_buf_done(struct atomisp_sub_device *asd, int error,
- int err;
- unsigned long irqflags;
- struct ia_css_frame *frame = NULL;
-- struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp;
-- struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp;
-- struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp;
-+ struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp, *s3a_iter;
-+ struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp, *dis_iter;
-+ struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp, *md_iter;
- enum atomisp_metadata_type md_type;
- struct atomisp_device *isp = asd->isp;
- struct v4l2_control ctrl;
-@@ -942,60 +942,75 @@ void atomisp_buf_done(struct atomisp_sub_device *asd, int error,
-
- switch (buf_type) {
- case IA_CSS_BUFFER_TYPE_3A_STATISTICS:
-- list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp,
-+ list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp,
- &asd->s3a_stats_in_css, list) {
-- if (s3a_buf->s3a_data ==
-+ if (s3a_iter->s3a_data ==
- buffer.css_buffer.data.stats_3a) {
-- list_del_init(&s3a_buf->list);
-- list_add_tail(&s3a_buf->list,
-+ list_del_init(&s3a_iter->list);
-+ list_add_tail(&s3a_iter->list,
- &asd->s3a_stats_ready);
-+ s3a_buf = s3a_iter;
- break;
- }
- }
-
- asd->s3a_bufs_in_css[css_pipe_id]--;
- atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id);
-- dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n",
-- __func__, s3a_buf->s3a_data->exp_id);
-+ if (s3a_buf)
-+ dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n",
-+ __func__, s3a_buf->s3a_data->exp_id);
-+ else
-+ dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n",
-+ __func__);
- break;
- case IA_CSS_BUFFER_TYPE_METADATA:
- if (error)
- break;
-
- md_type = atomisp_get_metadata_type(asd, css_pipe_id);
-- list_for_each_entry_safe(md_buf, _md_buf_tmp,
-+ list_for_each_entry_safe(md_iter, _md_buf_tmp,
- &asd->metadata_in_css[md_type], list) {
-- if (md_buf->metadata ==
-+ if (md_iter->metadata ==
- buffer.css_buffer.data.metadata) {
-- list_del_init(&md_buf->list);
-- list_add_tail(&md_buf->list,
-+ list_del_init(&md_iter->list);
-+ list_add_tail(&md_iter->list,
- &asd->metadata_ready[md_type]);
-+ md_buf = md_iter;
- break;
- }
- }
- asd->metadata_bufs_in_css[stream_id][css_pipe_id]--;
- atomisp_metadata_ready_event(asd, md_type);
-- dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n",
-- __func__, md_buf->metadata->exp_id);
-+ if (md_buf)
-+ dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n",
-+ __func__, md_buf->metadata->exp_id);
-+ else
-+ dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n",
-+ __func__);
- break;
- case IA_CSS_BUFFER_TYPE_DIS_STATISTICS:
-- list_for_each_entry_safe(dis_buf, _dis_buf_tmp,
-+ list_for_each_entry_safe(dis_iter, _dis_buf_tmp,
- &asd->dis_stats_in_css, list) {
-- if (dis_buf->dis_data ==
-+ if (dis_iter->dis_data ==
- buffer.css_buffer.data.stats_dvs) {
- spin_lock_irqsave(&asd->dis_stats_lock,
- irqflags);
-- list_del_init(&dis_buf->list);
-- list_add(&dis_buf->list, &asd->dis_stats);
-+ list_del_init(&dis_iter->list);
-+ list_add(&dis_iter->list, &asd->dis_stats);
- asd->params.dis_proj_data_valid = true;
- spin_unlock_irqrestore(&asd->dis_stats_lock,
- irqflags);
-+ dis_buf = dis_iter;
- break;
- }
- }
- asd->dis_bufs_in_css--;
-- dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n",
-- __func__, dis_buf->dis_data->exp_id);
-+ if (dis_buf)
-+ dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n",
-+ __func__, dis_buf->dis_data->exp_id);
-+ else
-+ dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n",
-+ __func__);
- break;
- case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME:
- case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME:
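Review bot: the not-found case is only handled for the dev_dbg() calls; in all three cases of this switch the bookkeeping after the loop (`asd->s3a_bufs_in_css[css_pipe_id]--`, `asd->metadata_bufs_in_css[stream_id][css_pipe_id]--`, `asd->dis_bufs_in_css--`) and the ready events for s3a and metadata still run when no list entry matched. If a miss means the buffer was never on the in-css list, the decrement and the event look wrong for that path; consider moving them under the `if (s3a_buf)` / `if (md_buf)` / `if (dis_buf)` branch, or logging the miss above dev_dbg() level so the inconsistency is visible.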
---
-2.35.1
-
+++ /dev/null
-From 4ec7e9e909329887c2c397938d5deccbe1f97c21 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Jul 2022 16:41:34 +0800
-Subject: MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
-
-From: Huacai Chen <chenhuacai@loongson.cn>
-
-[ Upstream commit e1a534f5d074db45ae5cbac41d8912b98e96a006 ]
-
-When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected,
-cpu_max_bits_warn() generates a runtime warning similar as below while
-we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
-instead of NR_CPUS to iterate CPUs.
-
-[ 3.052463] ------------[ cut here ]------------
-[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
-[ 3.070072] Modules linked in: efivarfs autofs4
-[ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
-[ 3.084034] Hardware name: Loongson Loongson-3A4000-7A1000-1w-V0.1-CRB/Loongson-LS3A4000-7A1000-1w-EVB-V1.21, BIOS Loongson-UDK2018-V2.0.04082-beta7 04/27
-[ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000
-[ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430
-[ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff
-[ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890
-[ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa
-[ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000
-[ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000
-[ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000
-[ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286
-[ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
-[ 3.195868] ...
-[ 3.199917] Call Trace:
-[ 3.203941] [<98000000002086d8>] show_stack+0x38/0x14c
-[ 3.210666] [<9800000000cf846c>] dump_stack_lvl+0x60/0x88
-[ 3.217625] [<980000000023d268>] __warn+0xd0/0x100
-[ 3.223958] [<9800000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
-[ 3.231150] [<9800000000210220>] show_cpuinfo+0x5e8/0x5f0
-[ 3.238080] [<98000000004f578c>] seq_read_iter+0x354/0x4b4
-[ 3.245098] [<98000000004c2e90>] new_sync_read+0x17c/0x1c4
-[ 3.252114] [<98000000004c5174>] vfs_read+0x138/0x1d0
-[ 3.258694] [<98000000004c55f8>] ksys_read+0x70/0x100
-[ 3.265265] [<9800000000cfde9c>] do_syscall+0x7c/0x94
-[ 3.271820] [<9800000000202fe4>] handle_syscall+0xc4/0x160
-[ 3.281824] ---[ end trace 8b484262b4b8c24c ]---
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
-Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/mips/kernel/proc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/mips/kernel/proc.c b/arch/mips/kernel/proc.c
-index bb43bf850314..8eba5a1ed664 100644
---- a/arch/mips/kernel/proc.c
-+++ b/arch/mips/kernel/proc.c
-@@ -311,7 +311,7 @@ static void *c_start(struct seq_file *m, loff_t *pos)
- {
- unsigned long i = *pos;
-
-- return i < NR_CPUS ? (void *) (i + 1) : NULL;
-+ return i < nr_cpu_ids ? (void *) (i + 1) : NULL;
- }
-
- static void *c_next(struct seq_file *m, void *v, loff_t *pos)
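Review bot: only the bound in c_start() changes here, while the warning quoted in the changelog fires in show_cpuinfo(). The changelog should say that c_start() is the sole source of the out-of-range CPU index that show_cpuinfo() ends up testing, and confirm that no other NR_CPUS comparison remains in this file's seq_file callbacks.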
---
-2.35.1
-
+++ /dev/null
-From bbb048ec8a35951f2c60fed8519533208a158421 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jun 2022 21:18:24 +0530
-Subject: mtd: rawnand: arasan: Fix clock rate in NV-DDR
-
-From: Olga Kitaina <okitain@gmail.com>
-
-[ Upstream commit e16eceea863b417fd328588b1be1a79de0bc937f ]
-
-According to the Arasan NAND controller spec, the flash clock rate for SDR
-must be <= 100 MHz, while for NV-DDR it must be the same as the rate of the
-CLK line for the mode. The driver previously always set 100 MHz for NV-DDR,
-which would result in incorrect behavior for NV-DDR modes 0-4.
-
-The appropriate clock rate can be calculated from the NV-DDR timing
-parameters as 1/tCK, or for rates measured in picoseconds,
-10^12 / nand_nvddr_timings->tCK_min.
-
-Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller")
-CC: stable@vger.kernel.org # 5.8+
-Signed-off-by: Olga Kitaina <okitain@gmail.com>
-Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
-Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-3-amit.kumar-mahapatra@xilinx.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/mtd/nand/raw/arasan-nand-controller.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/mtd/nand/raw/arasan-nand-controller.c b/drivers/mtd/nand/raw/arasan-nand-controller.c
-index c5264fa223c4..296fb16c8dc3 100644
---- a/drivers/mtd/nand/raw/arasan-nand-controller.c
-+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c
-@@ -1043,7 +1043,13 @@ static int anfc_setup_interface(struct nand_chip *chip, int target,
- DQS_BUFF_SEL_OUT(dqs_mode);
- }
-
-- anand->clk = ANFC_XLNX_SDR_DFLT_CORE_CLK;
-+ if (nand_interface_is_sdr(conf)) {
-+ anand->clk = ANFC_XLNX_SDR_DFLT_CORE_CLK;
-+ } else {
-+ /* ONFI timings are defined in picoseconds */
-+ anand->clk = div_u64((u64)NSEC_PER_SEC * 1000,
-+ conf->timings.nvddr.tCK_min);
-+ }
-
- /*
- * Due to a hardware bug in the ZynqMP SoC, SDR timing modes 0-1 work
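Review bot: the NV-DDR branch added to anfc_setup_interface() divides by `conf->timings.nvddr.tCK_min` with no guard, so a zero tCK_min becomes a division by zero inside div_u64(). Check for zero and return an error before the division, or note in the comment where tCK_min is guaranteed to be non-zero. `(u64)NSEC_PER_SEC * 1000` would also read better as a named picoseconds-per-second constant next to the "defined in picoseconds" comment.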
---
-2.35.1
-
+++ /dev/null
-From 50be5f20b7d115ecf9abf210cb452dccfbc8cbd1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jun 2022 21:18:23 +0530
-Subject: mtd: rawnand: arasan: Update NAND bus clock instead of system clock
-
-From: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
-
-[ Upstream commit 7499bfeedb47efc1ee4dc793b92c610d46e6d6a6 ]
-
-In current implementation the Arasan NAND driver is updating the
-system clock(i.e., anand->clk) in accordance to the timing modes
-(i.e., SDR or NVDDR). But as per the Arasan NAND controller spec the
-flash clock or the NAND bus clock(i.e., nfc->bus_clk), need to be
-updated instead. This patch keeps the system clock unchanged and updates
-the NAND bus clock as per the timing modes.
-
-Fixes: 197b88fecc50 ("mtd: rawnand: arasan: Add new Arasan NAND controller")
-CC: stable@vger.kernel.org # 5.8+
-Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
-Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
-Link: https://lore.kernel.org/linux-mtd/20220628154824.12222-2-amit.kumar-mahapatra@xilinx.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/mtd/nand/raw/arasan-nand-controller.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/mtd/nand/raw/arasan-nand-controller.c b/drivers/mtd/nand/raw/arasan-nand-controller.c
-index 53bd10738418..c5264fa223c4 100644
---- a/drivers/mtd/nand/raw/arasan-nand-controller.c
-+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c
-@@ -347,17 +347,17 @@ static int anfc_select_target(struct nand_chip *chip, int target)
-
- /* Update clock frequency */
- if (nfc->cur_clk != anand->clk) {
-- clk_disable_unprepare(nfc->controller_clk);
-- ret = clk_set_rate(nfc->controller_clk, anand->clk);
-+ clk_disable_unprepare(nfc->bus_clk);
-+ ret = clk_set_rate(nfc->bus_clk, anand->clk);
- if (ret) {
- dev_err(nfc->dev, "Failed to change clock rate\n");
- return ret;
- }
-
-- ret = clk_prepare_enable(nfc->controller_clk);
-+ ret = clk_prepare_enable(nfc->bus_clk);
- if (ret) {
- dev_err(nfc->dev,
-- "Failed to re-enable the controller clock\n");
-+ "Failed to re-enable the bus clock\n");
- return ret;
- }
-
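Review bot: in anfc_select_target() the error path after `clk_set_rate(nfc->bus_clk, anand->clk)` returns with the bus clock still disabled, because `clk_disable_unprepare(nfc->bus_clk)` has already run and nothing re-enables it. The removed lines had the same shape for controller_clk, but since this hunk rewrites the whole sequence it is a good place to re-enable the clock before returning. The first dev_err() message could also name the bus clock, as the second one now does.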
---
-2.35.1
-
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- net/9p/client.c | 5 +----
+ net/9p/client.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
-diff --git a/net/9p/client.c b/net/9p/client.c
-index 8bba0d9cf975..371519e7b885 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
-@@ -889,16 +889,13 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt)
+@@ -886,16 +886,13 @@ static struct p9_fid *p9_fid_create(stru
struct p9_fid *fid;
p9_debug(P9_DEBUG_FID, "clnt %p\n", clnt);
refcount_set(&fid->count, 1);
idr_preload(GFP_KERNEL);
---
-2.35.1
-
+++ /dev/null
-From ba2c0597b0c1aaf5277e7c02c68e8535863025bc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Jul 2022 19:49:15 +0800
-Subject: ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh()
-
-From: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
-
-[ Upstream commit dd524b7f317de8d31d638cbfdc7be4cf9b770e42 ]
-
-Some code paths cannot guarantee the inode have any dentry alias. So
-WARN_ON() all !dentry may flood the kernel logs.
-
-For example, when an overlayfs inode is watched by inotifywait (1), and
-someone is trying to read the /proc/$(pidof inotifywait)/fdinfo/INOTIFY_FD,
-at that time if the dentry has been reclaimed by kernel (such as
-echo 2 > /proc/sys/vm/drop_caches), there will be a WARN_ON(). The
-printed call stack would be like:
-
- ? show_mark_fhandle+0xf0/0xf0
- show_mark_fhandle+0x4a/0xf0
- ? show_mark_fhandle+0xf0/0xf0
- ? seq_vprintf+0x30/0x50
- ? seq_printf+0x53/0x70
- ? show_mark_fhandle+0xf0/0xf0
- inotify_fdinfo+0x70/0x90
- show_fdinfo.isra.4+0x53/0x70
- seq_show+0x130/0x170
- seq_read+0x153/0x440
- vfs_read+0x94/0x150
- ksys_read+0x5f/0xe0
- do_syscall_64+0x59/0x1e0
- entry_SYSCALL_64_after_hwframe+0x44/0xa9
-
-So let's drop WARN_ON() to avoid kernel log flooding.
-
-Reported-by: Hongbo Yin <yinhongbo@bytedance.com>
-Signed-off-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
-Signed-off-by: Tianci Zhang <zhangtianci.1997@bytedance.com>
-Fixes: 8ed5eec9d6c4 ("ovl: encode pure upper file handles")
-Cc: <stable@vger.kernel.org> # v4.16
-Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/overlayfs/export.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
-index 2eada97bbd23..e065a5b9a442 100644
---- a/fs/overlayfs/export.c
-+++ b/fs/overlayfs/export.c
-@@ -259,7 +259,7 @@ static int ovl_encode_fh(struct inode *inode, u32 *fid, int *max_len,
- return FILEID_INVALID;
-
- dentry = d_find_any_alias(inode);
-- if (WARN_ON(!dentry))
-+ if (!dentry)
- return FILEID_INVALID;
-
- bytes = ovl_dentry_to_fid(ofs, dentry, fid, buflen);
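Review bot: with the WARN_ON() gone from ovl_encode_fh(), the bare `if (!dentry)` test gives no hint that a missing alias is an expected state. A short comment above it (the inode may have no dentry alias once the dcache has been reclaimed, as in the fdinfo case from the changelog) would keep someone from re-adding the warning later.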
---
-2.35.1
-
+++ /dev/null
-From 9a81465effab09f20d63b68e363001be45ebe2c4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 22 Jul 2022 10:57:09 +0800
-Subject: parisc: Check the return value of ioremap() in lba_driver_probe()
-
-From: William Dean <williamsukatube@gmail.com>
-
-[ Upstream commit cf59f34d7f978d14d6520fd80a78a5ad5cb8abf8 ]
-
-The function ioremap() in lba_driver_probe() can fail, so
-its return value should be checked.
-
-Fixes: 4bdc0d676a643 ("remove ioremap_nocache and devm_ioremap_nocache")
-Reported-by: Hacash Robot <hacashRobot@santino.com>
-Signed-off-by: William Dean <williamsukatube@gmail.com>
-Signed-off-by: Helge Deller <deller@gmx.de>
-Cc: <stable@vger.kernel.org> # v5.6+
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/parisc/lba_pci.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c
-index 732b516c7bf8..afc6e66ddc31 100644
---- a/drivers/parisc/lba_pci.c
-+++ b/drivers/parisc/lba_pci.c
-@@ -1476,9 +1476,13 @@ lba_driver_probe(struct parisc_device *dev)
- u32 func_class;
- void *tmp_obj;
- char *version;
-- void __iomem *addr = ioremap(dev->hpa.start, 4096);
-+ void __iomem *addr;
- int max;
-
-+ addr = ioremap(dev->hpa.start, 4096);
-+ if (addr == NULL)
-+ return -ENOMEM;
-+
- /* Read HW Rev First */
- func_class = READ_REG32(addr + LBA_FCLASS);
-
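Review bot: the new failure path in lba_driver_probe() returns -ENOMEM silently; a message naming the device would make a failed ioremap() at probe time diagnosable. Style: kernel code usually writes the test as `if (!addr)` rather than `if (addr == NULL)`.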
---
-2.35.1
-
+++ /dev/null
-From c22343f0a3caf17518da7e6bc969dd3cc55726a1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 Jul 2022 06:19:41 +0200
-Subject: parisc: Drop pa_swapper_pg_lock spinlock
-
-From: Helge Deller <deller@gmx.de>
-
-[ Upstream commit 3fbc9a7de0564c55d8a9584c9cd2c9dfe6bd6d43 ]
-
-This spinlock was dropped with commit b7795074a046 ("parisc: Optimize
-per-pagetable spinlocks") in kernel v5.12.
-
-Remove it to silence a sparse warning.
-
-Signed-off-by: Helge Deller <deller@gmx.de>
-Reported-by: kernel test robot <lkp@intel.com>
-Cc: <stable@vger.kernel.org> # v5.12+
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/parisc/kernel/cache.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
-index a9bc578e4c52..af3d7cdc1541 100644
---- a/arch/parisc/kernel/cache.c
-+++ b/arch/parisc/kernel/cache.c
-@@ -50,9 +50,6 @@ void flush_instruction_cache_local(void); /* flushes local code-cache only */
- */
- DEFINE_SPINLOCK(pa_tlb_flush_lock);
-
--/* Swapper page setup lock. */
--DEFINE_SPINLOCK(pa_swapper_pg_lock);
--
- #if defined(CONFIG_64BIT) && defined(CONFIG_SMP)
- int pa_serialize_tlb_flushes __ro_after_init;
- #endif
---
-2.35.1
-
+++ /dev/null
-From 156a90cb6307af38a8e9e3293999b846a0a84fa0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 18 Jul 2022 17:06:47 +0200
-Subject: parisc: Fix device names in /proc/iomem
-
-From: Helge Deller <deller@gmx.de>
-
-[ Upstream commit cab56b51ec0e69128909cef4650e1907248d821b ]
-
-Fix the output of /proc/iomem to show the real hardware device name
-including the pa_pathname, e.g. "Merlin 160 Core Centronics [8:16:0]".
-Up to now only the pa_pathname ("[8:16.0]") was shown.
-
-Signed-off-by: Helge Deller <deller@gmx.de>
-Cc: <stable@vger.kernel.org> # v4.9+
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/parisc/kernel/drivers.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
-index 776d624a7207..d126e78e101a 100644
---- a/arch/parisc/kernel/drivers.c
-+++ b/arch/parisc/kernel/drivers.c
-@@ -520,7 +520,6 @@ alloc_pa_dev(unsigned long hpa, struct hardware_path *mod_path)
- dev->id.hversion_rev = iodc_data[1] & 0x0f;
- dev->id.sversion = ((iodc_data[4] & 0x0f) << 16) |
- (iodc_data[5] << 8) | iodc_data[6];
-- dev->hpa.name = parisc_pathname(dev);
- dev->hpa.start = hpa;
- /* This is awkward. The STI spec says that gfx devices may occupy
- * 32MB or 64MB. Unfortunately, we don't know how to tell whether
-@@ -534,10 +533,10 @@ alloc_pa_dev(unsigned long hpa, struct hardware_path *mod_path)
- dev->hpa.end = hpa + 0xfff;
- }
- dev->hpa.flags = IORESOURCE_MEM;
-- name = parisc_hardware_description(&dev->id);
-- if (name) {
-- strlcpy(dev->name, name, sizeof(dev->name));
-- }
-+ dev->hpa.name = dev->name;
-+ name = parisc_hardware_description(&dev->id) ? : "unknown";
-+ snprintf(dev->name, sizeof(dev->name), "%s [%s]",
-+ name, parisc_pathname(dev));
-
- /* Silently fail things like mouse ports which are subsumed within
- * the keyboard controller
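Review bot: the snprintf() into `dev->name` in alloc_pa_dev() puts the hardware path last, so when the description is long it is the `[%s]` suffix that gets cut off at `sizeof(dev->name)`, and that suffix is the part that tells devices apart in /proc/iomem. Consider bounding the description with a precision (`%.*s`) so the path always fits, or at least checking the snprintf() return value for truncation.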
---
-2.35.1
-
+++ /dev/null
-From a66c3e5c25c595fb101a1744bda69271cebe8ed3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 1 Aug 2022 17:36:15 +0200
-Subject: parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat
- mode
-
-From: Helge Deller <deller@gmx.de>
-
-[ Upstream commit 6431e92fc827bdd2d28f79150d90415ba9ce0d21 ]
-
-For all syscalls in 32-bit compat mode on 64-bit kernels the upper
-32-bits of the 64-bit registers are zeroed out, so a negative 32-bit
-signed value will show up as positive 64-bit signed value.
-
-This behaviour breaks the io_pgetevents_time64() syscall which expects
-signed 64-bit values for the "min_nr" and "nr" parameters.
-Fix this by switching to the compat_sys_io_pgetevents_time64() syscall,
-which uses "compat_long_t" types for those parameters.
-
-Cc: <stable@vger.kernel.org> # v5.1+
-Signed-off-by: Helge Deller <deller@gmx.de>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
-index 68b46fe2f17c..8a99c998da9b 100644
---- a/arch/parisc/kernel/syscalls/syscall.tbl
-+++ b/arch/parisc/kernel/syscalls/syscall.tbl
-@@ -413,7 +413,7 @@
- 412 32 utimensat_time64 sys_utimensat sys_utimensat
- 413 32 pselect6_time64 sys_pselect6 compat_sys_pselect6_time64
- 414 32 ppoll_time64 sys_ppoll compat_sys_ppoll_time64
--416 32 io_pgetevents_time64 sys_io_pgetevents sys_io_pgetevents
-+416 32 io_pgetevents_time64 sys_io_pgetevents compat_sys_io_pgetevents_time64
- 417 32 recvmmsg_time64 sys_recvmmsg compat_sys_recvmmsg_time64
- 418 32 mq_timedsend_time64 sys_mq_timedsend sys_mq_timedsend
- 419 32 mq_timedreceive_time64 sys_mq_timedreceive sys_mq_timedreceive
---
-2.35.1
-
Cc: stable@vger.kernel.org # v5.11+
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/pci/controller/dwc/pcie-qcom.c | 48 +++++++++++++++-----------
+ drivers/pci/controller/dwc/pcie-qcom.c | 48 +++++++++++++++++++--------------
1 file changed, 28 insertions(+), 20 deletions(-)
-diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
-index 2ea13750b492..3bbe1612a930 100644
--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
-@@ -1038,9 +1038,7 @@ static int qcom_pcie_init_2_3_3(struct qcom_pcie *pcie)
+@@ -1036,9 +1036,7 @@ static int qcom_pcie_init_2_3_3(struct q
struct qcom_pcie_resources_2_3_3 *res = &pcie->res.v2_3_3;
struct dw_pcie *pci = pcie->pci;
struct device *dev = pci->dev;
for (i = 0; i < ARRAY_SIZE(res->rst); i++) {
ret = reset_control_assert(res->rst[i]);
-@@ -1097,6 +1095,33 @@ static int qcom_pcie_init_2_3_3(struct qcom_pcie *pcie)
+@@ -1095,6 +1093,33 @@ static int qcom_pcie_init_2_3_3(struct q
goto err_clk_aux;
}
writel(SLV_ADDR_SPACE_SZ,
pcie->parf + PCIE20_v3_PARF_SLV_ADDR_SPACE_SIZE);
-@@ -1124,24 +1149,6 @@ static int qcom_pcie_init_2_3_3(struct qcom_pcie *pcie)
+@@ -1122,24 +1147,6 @@ static int qcom_pcie_init_2_3_3(struct q
PCI_EXP_DEVCTL2);
return 0;
}
static int qcom_pcie_get_resources_2_7_0(struct qcom_pcie *pcie)
-@@ -1467,6 +1474,7 @@ static const struct qcom_pcie_ops ops_2_4_0 = {
+@@ -1465,6 +1472,7 @@ static const struct qcom_pcie_ops ops_2_
static const struct qcom_pcie_ops ops_2_3_3 = {
.get_resources = qcom_pcie_get_resources_2_3_3,
.init = qcom_pcie_init_2_3_3,
.deinit = qcom_pcie_deinit_2_3_3,
.ltssm_enable = qcom_pcie_2_3_2_ltssm_enable,
};
---
-2.35.1
-
+++ /dev/null
-From b57c15bda53986f1a0827a03ea2444bd6bc5bbbf Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jun 2022 16:48:54 +0200
-Subject: powerpc/64e: Fix early TLB miss with KUAP
-
-From: Christophe Leroy <christophe.leroy@csgroup.eu>
-
-[ Upstream commit 09317643117ade87c03158341e87466413fa8f1a ]
-
-With KUAP, the TLB miss handler bails out when an access to user
-memory is performed with a nul TID.
-
-But the normal TLB miss routine which is only used early during boot
-does the check regardless for all memory areas, not only user memory.
-
-By chance there is no early IO or vmalloc access, but when KASAN
-come we will start having early TLB misses.
-
-Fix it by creating a special branch for user accesses similar to the
-one in the 'bolted' TLB miss handlers. Unfortunately SPRN_MAS1 is
-now read too early and there are no registers available to preserve
-it so it will be read a second time.
-
-Fixes: 57bc963837f5 ("powerpc/kuap: Wire-up KUAP on book3e/64")
-Cc: stable@vger.kernel.org
-Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/8d6c5859a45935d6e1a336da4dc20be421e8cea7.1656427701.git.christophe.leroy@csgroup.eu
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/mm/nohash/tlb_low_64e.S | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/arch/powerpc/mm/nohash/tlb_low_64e.S b/arch/powerpc/mm/nohash/tlb_low_64e.S
-index 8b97c4acfebf..9e9ab3803fb2 100644
---- a/arch/powerpc/mm/nohash/tlb_low_64e.S
-+++ b/arch/powerpc/mm/nohash/tlb_low_64e.S
-@@ -583,7 +583,7 @@ itlb_miss_fault_e6500:
- */
- rlwimi r11,r14,32-19,27,27
- rlwimi r11,r14,32-16,19,19
-- beq normal_tlb_miss
-+ beq normal_tlb_miss_user
- /* XXX replace the RMW cycles with immediate loads + writes */
- 1: mfspr r10,SPRN_MAS1
- cmpldi cr0,r15,8 /* Check for vmalloc region */
-@@ -626,7 +626,7 @@ itlb_miss_fault_e6500:
-
- cmpldi cr0,r15,0 /* Check for user region */
- std r14,EX_TLB_ESR(r12) /* write crazy -1 to frame */
-- beq normal_tlb_miss
-+ beq normal_tlb_miss_user
-
- li r11,_PAGE_PRESENT|_PAGE_BAP_SX /* Base perm */
- oris r11,r11,_PAGE_ACCESSED@h
-@@ -653,6 +653,12 @@ itlb_miss_fault_e6500:
- * r11 = PTE permission mask
- * r10 = crap (free to use)
- */
-+normal_tlb_miss_user:
-+#ifdef CONFIG_PPC_KUAP
-+ mfspr r14,SPRN_MAS1
-+ rlwinm. r14,r14,0,0x3fff0000
-+ beq- normal_tlb_miss_access_fault /* KUAP fault */
-+#endif
- normal_tlb_miss:
- /* So we first construct the page table address. We do that by
- * shifting the bottom of the address (not the region ID) by
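Review bot: the new normal_tlb_miss_user label is inserted between the register-usage comment and normal_tlb_miss, so the comment now sits above the KUAP block rather than the routine it documents, and nothing says the user label falls through. Add a line stating that both labels share those entry conditions and that normal_tlb_miss_user falls through into normal_tlb_miss. The bare `0x3fff0000` mask in the `rlwinm.` would also be clearer as a named constant, given that the changelog describes this test as the TID check.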
-@@ -683,11 +689,6 @@ finish_normal_tlb_miss:
- /* Check if required permissions are met */
- andc. r15,r11,r14
- bne- normal_tlb_miss_access_fault
--#ifdef CONFIG_PPC_KUAP
-- mfspr r11,SPRN_MAS1
-- rlwinm. r10,r11,0,0x3fff0000
-- beq- normal_tlb_miss_access_fault /* KUAP fault */
--#endif
-
- /* Now we build the MAS:
- *
-@@ -709,9 +710,7 @@ finish_normal_tlb_miss:
- rldicl r10,r14,64-8,64-8
- cmpldi cr0,r10,BOOK3E_PAGESZ_4K
- beq- 1f
--#ifndef CONFIG_PPC_KUAP
- mfspr r11,SPRN_MAS1
--#endif
- rlwimi r11,r14,31,21,24
- rlwinm r11,r11,0,21,19
- mtspr SPRN_MAS1,r11
---
-2.35.1
-
+++ /dev/null
-From 786ebb67ed1e8ac601ff8f1dcdfdc3e12e3cb5b5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 6 Jul 2022 12:10:43 +0200
-Subject: powerpc/fsl-pci: Fix Class Code of PCIe Root Port
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Pali Rohár <pali@kernel.org>
-
-[ Upstream commit 0c551abfa004ce154d487d91777bf221c808a64f ]
-
-By default old pre-3.0 Freescale PCIe controllers reports invalid PCI Class
-Code 0x0b20 for PCIe Root Port. It can be seen by lspci -b output on P2020
-board which has this pre-3.0 controller:
-
- $ lspci -bvnn
- 00:00.0 Power PC [0b20]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21)
- !!! Invalid class 0b20 for header type 01
- Capabilities: [4c] Express Root Port (Slot-), MSI 00
-
-Fix this issue by programming correct PCI Class Code 0x0604 for PCIe Root
-Port to the Freescale specific PCIe register 0x474.
-
-With this change lspci -b output is:
-
- $ lspci -bvnn
- 00:00.0 PCI bridge [0604]: Freescale Semiconductor Inc P2020E [1957:0070] (rev 21) (prog-if 00 [Normal decode])
- Capabilities: [4c] Express Root Port (Slot-), MSI 00
-
-Without any "Invalid class" error. So class code was properly reflected
-into standard (read-only) PCI register 0x08.
-
-Same fix is already implemented in U-Boot pcie_fsl.c driver in commit:
-http://source.denx.de/u-boot/u-boot/-/commit/d18d06ac35229345a0af80977a408cfbe1d1015b
-
-Fix activated by U-Boot stay active also after booting Linux kernel.
-But boards which use older U-Boot version without that fix are affected and
-still require this fix.
-
-So implement this class code fix also in kernel fsl_pci.c driver.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Pali Rohár <pali@kernel.org>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/20220706101043.4867-1-pali@kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/sysdev/fsl_pci.c | 8 ++++++++
- arch/powerpc/sysdev/fsl_pci.h | 1 +
- 2 files changed, 9 insertions(+)
-
-diff --git a/arch/powerpc/sysdev/fsl_pci.c b/arch/powerpc/sysdev/fsl_pci.c
-index 1011cfea2e32..bfbb8c8fc9aa 100644
---- a/arch/powerpc/sysdev/fsl_pci.c
-+++ b/arch/powerpc/sysdev/fsl_pci.c
-@@ -521,6 +521,7 @@ int fsl_add_bridge(struct platform_device *pdev, int is_primary)
- struct resource rsrc;
- const int *bus_range;
- u8 hdr_type, progif;
-+ u32 class_code;
- struct device_node *dev;
- struct ccsr_pci __iomem *pci;
- u16 temp;
-@@ -594,6 +595,13 @@ int fsl_add_bridge(struct platform_device *pdev, int is_primary)
- PPC_INDIRECT_TYPE_SURPRESS_PRIMARY_BUS;
- if (fsl_pcie_check_link(hose))
- hose->indirect_type |= PPC_INDIRECT_TYPE_NO_PCIE_LINK;
-+ /* Fix Class Code to PCI_CLASS_BRIDGE_PCI_NORMAL for pre-3.0 controller */
-+ if (in_be32(&pci->block_rev1) < PCIE_IP_REV_3_0) {
-+ early_read_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, &class_code);
-+ class_code &= 0xff;
-+ class_code |= PCI_CLASS_BRIDGE_PCI_NORMAL << 8;
-+ early_write_config_dword(hose, 0, 0, PCIE_FSL_CSR_CLASSCODE, class_code);
-+ }
- } else {
- /*
- * Set PBFR(PCI Bus Function Register)[10] = 1 to
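Review bot: the return value of early_read_config_dword() is ignored in the added block, and class_code is declared without an initializer in the first hunk (u32 class_code;). If the config read fails, the low byte kept by class_code &= 0xff is stack garbage and is then written back to PCIE_FSL_CSR_CLASSCODE. Either initialize class_code to 0 or skip the write when the read fails. A short comment saying what the preserved low byte holds would also help the next reader.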
-diff --git a/arch/powerpc/sysdev/fsl_pci.h b/arch/powerpc/sysdev/fsl_pci.h
-index cdbde2e0c96e..093a875d7d1e 100644
---- a/arch/powerpc/sysdev/fsl_pci.h
-+++ b/arch/powerpc/sysdev/fsl_pci.h
-@@ -18,6 +18,7 @@ struct platform_device;
-
- #define PCIE_LTSSM 0x0404 /* PCIE Link Training and Status */
- #define PCIE_LTSSM_L0 0x16 /* L0 state */
-+#define PCIE_FSL_CSR_CLASSCODE 0x474 /* FSL GPEX CSR */
- #define PCIE_IP_REV_2_2 0x02080202 /* PCIE IP block version Rev2.2 */
- #define PCIE_IP_REV_3_0 0x02080300 /* PCIE IP block version Rev3.0 */
- #define PIWAR_EN 0x80000000 /* Enable */
---
-2.35.1
-
+++ /dev/null
-From a167a432b19b5f7084da36f2a360ff5a55a3a4e2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 28 Jul 2022 00:32:17 +1000
-Subject: powerpc/powernv: Avoid crashing if rng is NULL
-
-From: Michael Ellerman <mpe@ellerman.id.au>
-
-[ Upstream commit 90b5d4fe0b3ba7f589c6723c6bfb559d9e83956a ]
-
-On a bare-metal Power8 system that doesn't have an "ibm,power-rng", a
-malicious QEMU and guest that ignore the absence of the
-KVM_CAP_PPC_HWRNG flag, and calls H_RANDOM anyway, will dereference a
-NULL pointer.
-
-In practice all Power8 machines have an "ibm,power-rng", but let's not
-rely on that, add a NULL check and early return in
-powernv_get_random_real_mode().
-
-Fixes: e928e9cb3601 ("KVM: PPC: Book3S HV: Add fast real-mode H_RANDOM implementation.")
-Cc: stable@vger.kernel.org # v4.1+
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/20220727143219.2684192-1-mpe@ellerman.id.au
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/platforms/powernv/rng.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/powerpc/platforms/powernv/rng.c b/arch/powerpc/platforms/powernv/rng.c
-index 3805ad13b8f3..2287c9cd0cd5 100644
---- a/arch/powerpc/platforms/powernv/rng.c
-+++ b/arch/powerpc/platforms/powernv/rng.c
-@@ -63,6 +63,8 @@ int powernv_get_random_real_mode(unsigned long *v)
- struct powernv_rng *rng;
-
- rng = raw_cpu_read(powernv_rng);
-+ if (!rng)
-+ return 0;
-
- *v = rng_whiten(rng, __raw_rm_readq(rng->regs_real));
-
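Review bot: the new early return in powernv_get_random_real_mode() leaves *v unwritten, and the hunk does not show what the function returns on success, so the meaning of "return 0" is not obvious here. Add a one-line comment at the check stating that 0 means no random data was produced, so it is clear the H_RANDOM caller must not consume *v in that case.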
---
-2.35.1
-
+++ /dev/null
-From 025ddb197f7de58ae9c168a668e11e460880a24f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 28 Jun 2022 16:43:35 +0200
-Subject: powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
-
-From: Christophe Leroy <christophe.leroy@csgroup.eu>
-
-[ Upstream commit dd8de84b57b02ba9c1fe530a6d916c0853f136bd ]
-
-On FSL_BOOK3E, _PAGE_RW is defined with two bits, one for user and one
-for supervisor. As soon as one of the two bits is set, the page has
-to be display as RW. But the way it is implemented today requires both
-bits to be set in order to display it as RW.
-
-Instead of display RW when _PAGE_RW bits are set and R otherwise,
-reverse the logic and display R when _PAGE_RW bits are all 0 and
-RW otherwise.
-
-This change has no impact on other platforms as _PAGE_RW is a single
-bit on all of them.
-
-Fixes: 8eb07b187000 ("powerpc/mm: Dump linux pagetables")
-Cc: stable@vger.kernel.org
-Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/0c33b96317811edf691e81698aaee8fa45ec3449.1656427391.git.christophe.leroy@csgroup.eu
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/mm/ptdump/shared.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/powerpc/mm/ptdump/shared.c b/arch/powerpc/mm/ptdump/shared.c
-index 03607ab90c66..f884760ca5cf 100644
---- a/arch/powerpc/mm/ptdump/shared.c
-+++ b/arch/powerpc/mm/ptdump/shared.c
-@@ -17,9 +17,9 @@ static const struct flag_info flag_array[] = {
- .clear = " ",
- }, {
- .mask = _PAGE_RW,
-- .val = _PAGE_RW,
-- .set = "rw",
-- .clear = "r ",
-+ .val = 0,
-+ .set = "r ",
-+ .clear = "rw",
- }, {
- .mask = _PAGE_EXEC,
- .val = _PAGE_EXEC,
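Review bot: the _PAGE_RW entry in flag_array now reads inverted relative to its neighbours (.val = 0 with .set = "r " and .clear = "rw"), and nothing in the array explains why. Add a comment above the entry saying that _PAGE_RW may cover more than one bit (user and supervisor on FSL_BOOK3E) and that the entry therefore matches the all-zero case, so nobody "fixes" it back to .val = _PAGE_RW later.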
---
-2.35.1
-
+++ /dev/null
-From b7d3d9e06c7ee60503525173d9dbda4c5ced3247 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 11 Jun 2022 08:51:57 +0200
-Subject: powerpc: Restore CONFIG_DEBUG_INFO in defconfigs
-
-From: Christophe Leroy <christophe.leroy@csgroup.eu>
-
-[ Upstream commit 92f89ec1b534b6eca2b81bae97d30a786932f51a ]
-
-Commit f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a
-choice") broke the selection of CONFIG_DEBUG_INFO by powerpc defconfigs.
-
-It is now necessary to select one of the three DEBUG_INFO_DWARF*
-options to get DEBUG_INFO enabled.
-
-Replace DEBUG_INFO=y by DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y in all
-defconfigs using the following command:
-
-sed -i s/DEBUG_INFO=y/DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y/g `git grep -l DEBUG_INFO arch/powerpc/configs/`
-
-Fixes: f9b3cd245784 ("Kconfig.debug: make DEBUG_INFO selectable from a choice")
-Cc: stable@vger.kernel.org
-Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/98a4c2603bf9e4b776e219f5b8541d23aa24e854.1654930308.git.christophe.leroy@csgroup.eu
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/configs/44x/akebono_defconfig | 2 +-
- arch/powerpc/configs/44x/currituck_defconfig | 2 +-
- arch/powerpc/configs/44x/fsp2_defconfig | 2 +-
- arch/powerpc/configs/44x/iss476-smp_defconfig | 2 +-
- arch/powerpc/configs/44x/warp_defconfig | 2 +-
- arch/powerpc/configs/52xx/lite5200b_defconfig | 2 +-
- arch/powerpc/configs/52xx/motionpro_defconfig | 2 +-
- arch/powerpc/configs/52xx/tqm5200_defconfig | 2 +-
- arch/powerpc/configs/adder875_defconfig | 2 +-
- arch/powerpc/configs/ep8248e_defconfig | 2 +-
- arch/powerpc/configs/ep88xc_defconfig | 2 +-
- arch/powerpc/configs/fsl-emb-nonhw.config | 2 +-
- arch/powerpc/configs/mgcoge_defconfig | 2 +-
- arch/powerpc/configs/mpc5200_defconfig | 2 +-
- arch/powerpc/configs/mpc8272_ads_defconfig | 2 +-
- arch/powerpc/configs/mpc885_ads_defconfig | 2 +-
- arch/powerpc/configs/ppc6xx_defconfig | 2 +-
- arch/powerpc/configs/pq2fads_defconfig | 2 +-
- arch/powerpc/configs/ps3_defconfig | 2 +-
- arch/powerpc/configs/tqm8xx_defconfig | 2 +-
- 20 files changed, 20 insertions(+), 20 deletions(-)
-
-diff --git a/arch/powerpc/configs/44x/akebono_defconfig b/arch/powerpc/configs/44x/akebono_defconfig
-index 4bc549c6edc5..fde4824f235e 100644
---- a/arch/powerpc/configs/44x/akebono_defconfig
-+++ b/arch/powerpc/configs/44x/akebono_defconfig
-@@ -118,7 +118,7 @@ CONFIG_CRAMFS=y
- CONFIG_NLS_DEFAULT="n"
- CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ISO8859_1=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
- CONFIG_XMON=y
-diff --git a/arch/powerpc/configs/44x/currituck_defconfig b/arch/powerpc/configs/44x/currituck_defconfig
-index 717827219921..7283b7d4a1a5 100644
---- a/arch/powerpc/configs/44x/currituck_defconfig
-+++ b/arch/powerpc/configs/44x/currituck_defconfig
-@@ -73,7 +73,7 @@ CONFIG_NFS_FS=y
- CONFIG_NFS_V3_ACL=y
- CONFIG_NFS_V4=y
- CONFIG_NLS_DEFAULT="n"
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
- CONFIG_XMON=y
-diff --git a/arch/powerpc/configs/44x/fsp2_defconfig b/arch/powerpc/configs/44x/fsp2_defconfig
-index 8da316e61a08..3fdfbb29b854 100644
---- a/arch/powerpc/configs/44x/fsp2_defconfig
-+++ b/arch/powerpc/configs/44x/fsp2_defconfig
-@@ -110,7 +110,7 @@ CONFIG_XZ_DEC=y
- CONFIG_PRINTK_TIME=y
- CONFIG_MESSAGE_LOGLEVEL_DEFAULT=3
- CONFIG_DYNAMIC_DEBUG=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
- CONFIG_CRYPTO_CBC=y
-diff --git a/arch/powerpc/configs/44x/iss476-smp_defconfig b/arch/powerpc/configs/44x/iss476-smp_defconfig
-index c11e777b2f3d..0f6380e1e612 100644
---- a/arch/powerpc/configs/44x/iss476-smp_defconfig
-+++ b/arch/powerpc/configs/44x/iss476-smp_defconfig
-@@ -56,7 +56,7 @@ CONFIG_PROC_KCORE=y
- CONFIG_TMPFS=y
- CONFIG_CRAMFS=y
- # CONFIG_NETWORK_FILESYSTEMS is not set
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
- CONFIG_PPC_EARLY_DEBUG=y
-diff --git a/arch/powerpc/configs/44x/warp_defconfig b/arch/powerpc/configs/44x/warp_defconfig
-index 47252c2d7669..20891c413149 100644
---- a/arch/powerpc/configs/44x/warp_defconfig
-+++ b/arch/powerpc/configs/44x/warp_defconfig
-@@ -88,7 +88,7 @@ CONFIG_NLS_UTF8=y
- CONFIG_CRC_CCITT=y
- CONFIG_CRC_T10DIF=y
- CONFIG_PRINTK_TIME=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DEBUG_FS=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
-diff --git a/arch/powerpc/configs/52xx/lite5200b_defconfig b/arch/powerpc/configs/52xx/lite5200b_defconfig
-index 63368e677506..7db479dcbc0c 100644
---- a/arch/powerpc/configs/52xx/lite5200b_defconfig
-+++ b/arch/powerpc/configs/52xx/lite5200b_defconfig
-@@ -58,6 +58,6 @@ CONFIG_NFS_FS=y
- CONFIG_NFS_V4=y
- CONFIG_ROOT_NFS=y
- CONFIG_PRINTK_TIME=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DETECT_HUNG_TASK=y
- # CONFIG_DEBUG_BUGVERBOSE is not set
-diff --git a/arch/powerpc/configs/52xx/motionpro_defconfig b/arch/powerpc/configs/52xx/motionpro_defconfig
-index 72762da94846..6186ead1e105 100644
---- a/arch/powerpc/configs/52xx/motionpro_defconfig
-+++ b/arch/powerpc/configs/52xx/motionpro_defconfig
-@@ -84,7 +84,7 @@ CONFIG_ROOT_NFS=y
- CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_PRINTK_TIME=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DETECT_HUNG_TASK=y
- # CONFIG_DEBUG_BUGVERBOSE is not set
- CONFIG_CRYPTO_ECB=y
-diff --git a/arch/powerpc/configs/52xx/tqm5200_defconfig b/arch/powerpc/configs/52xx/tqm5200_defconfig
-index a3c8ca74032c..e6735b945327 100644
---- a/arch/powerpc/configs/52xx/tqm5200_defconfig
-+++ b/arch/powerpc/configs/52xx/tqm5200_defconfig
-@@ -85,7 +85,7 @@ CONFIG_ROOT_NFS=y
- CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_PRINTK_TIME=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DETECT_HUNG_TASK=y
- # CONFIG_DEBUG_BUGVERBOSE is not set
- CONFIG_CRYPTO_ECB=y
-diff --git a/arch/powerpc/configs/adder875_defconfig b/arch/powerpc/configs/adder875_defconfig
-index 5326bc739279..7f35d5bc1229 100644
---- a/arch/powerpc/configs/adder875_defconfig
-+++ b/arch/powerpc/configs/adder875_defconfig
-@@ -45,7 +45,7 @@ CONFIG_CRAMFS=y
- CONFIG_NFS_FS=y
- CONFIG_ROOT_NFS=y
- CONFIG_CRC32_SLICEBY4=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DEBUG_FS=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
-diff --git a/arch/powerpc/configs/ep8248e_defconfig b/arch/powerpc/configs/ep8248e_defconfig
-index 00d69965f898..8df6d3a293e3 100644
---- a/arch/powerpc/configs/ep8248e_defconfig
-+++ b/arch/powerpc/configs/ep8248e_defconfig
-@@ -59,7 +59,7 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- # CONFIG_SCHED_DEBUG is not set
- CONFIG_BDI_SWITCH=y
-diff --git a/arch/powerpc/configs/ep88xc_defconfig b/arch/powerpc/configs/ep88xc_defconfig
-index f5c3e72da719..a98ef6a4abef 100644
---- a/arch/powerpc/configs/ep88xc_defconfig
-+++ b/arch/powerpc/configs/ep88xc_defconfig
-@@ -48,6 +48,6 @@ CONFIG_CRAMFS=y
- CONFIG_NFS_FS=y
- CONFIG_ROOT_NFS=y
- CONFIG_CRC32_SLICEBY4=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
-diff --git a/arch/powerpc/configs/fsl-emb-nonhw.config b/arch/powerpc/configs/fsl-emb-nonhw.config
-index df37efed0aec..f14c6dbd7346 100644
---- a/arch/powerpc/configs/fsl-emb-nonhw.config
-+++ b/arch/powerpc/configs/fsl-emb-nonhw.config
-@@ -24,7 +24,7 @@ CONFIG_CRYPTO_PCBC=m
- CONFIG_CRYPTO_SHA256=y
- CONFIG_CRYPTO_SHA512=y
- CONFIG_DEBUG_FS=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DEBUG_KERNEL=y
- CONFIG_DEBUG_SHIRQ=y
- CONFIG_DETECT_HUNG_TASK=y
-diff --git a/arch/powerpc/configs/mgcoge_defconfig b/arch/powerpc/configs/mgcoge_defconfig
-index dcc8dccf54f3..498d35db7833 100644
---- a/arch/powerpc/configs/mgcoge_defconfig
-+++ b/arch/powerpc/configs/mgcoge_defconfig
-@@ -73,7 +73,7 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DEBUG_FS=y
- CONFIG_MAGIC_SYSRQ=y
- # CONFIG_SCHED_DEBUG is not set
-diff --git a/arch/powerpc/configs/mpc5200_defconfig b/arch/powerpc/configs/mpc5200_defconfig
-index 83d801307178..c0fe5e76604a 100644
---- a/arch/powerpc/configs/mpc5200_defconfig
-+++ b/arch/powerpc/configs/mpc5200_defconfig
-@@ -122,6 +122,6 @@ CONFIG_ROOT_NFS=y
- CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_PRINTK_TIME=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_DEBUG_KERNEL=y
- CONFIG_DETECT_HUNG_TASK=y
-diff --git a/arch/powerpc/configs/mpc8272_ads_defconfig b/arch/powerpc/configs/mpc8272_ads_defconfig
-index 00a4d2bf43b2..4145ef5689ca 100644
---- a/arch/powerpc/configs/mpc8272_ads_defconfig
-+++ b/arch/powerpc/configs/mpc8272_ads_defconfig
-@@ -67,7 +67,7 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
- CONFIG_BDI_SWITCH=y
-diff --git a/arch/powerpc/configs/mpc885_ads_defconfig b/arch/powerpc/configs/mpc885_ads_defconfig
-index c74dc76b1d0d..700115d85d6f 100644
---- a/arch/powerpc/configs/mpc885_ads_defconfig
-+++ b/arch/powerpc/configs/mpc885_ads_defconfig
-@@ -71,7 +71,7 @@ CONFIG_ROOT_NFS=y
- CONFIG_CRYPTO=y
- CONFIG_CRYPTO_DEV_TALITOS=y
- CONFIG_CRC32_SLICEBY4=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DEBUG_FS=y
- CONFIG_DEBUG_VM_PGTABLE=y
-diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig
-index b622ecd73286..91967824272e 100644
---- a/arch/powerpc/configs/ppc6xx_defconfig
-+++ b/arch/powerpc/configs/ppc6xx_defconfig
-@@ -1065,7 +1065,7 @@ CONFIG_NLS_ISO8859_14=m
- CONFIG_NLS_ISO8859_15=m
- CONFIG_NLS_KOI8_R=m
- CONFIG_NLS_KOI8_U=m
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_HEADERS_INSTALL=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DEBUG_KERNEL=y
-diff --git a/arch/powerpc/configs/pq2fads_defconfig b/arch/powerpc/configs/pq2fads_defconfig
-index 9d8a76857c6f..9d63e2e65211 100644
---- a/arch/powerpc/configs/pq2fads_defconfig
-+++ b/arch/powerpc/configs/pq2fads_defconfig
-@@ -68,7 +68,7 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
- # CONFIG_SCHED_DEBUG is not set
-diff --git a/arch/powerpc/configs/ps3_defconfig b/arch/powerpc/configs/ps3_defconfig
-index 7c95fab4b920..2d9ac233da68 100644
---- a/arch/powerpc/configs/ps3_defconfig
-+++ b/arch/powerpc/configs/ps3_defconfig
-@@ -153,7 +153,7 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_CRC_CCITT=m
- CONFIG_CRC_T10DIF=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DEBUG_MEMORY_INIT=y
- CONFIG_DEBUG_STACKOVERFLOW=y
-diff --git a/arch/powerpc/configs/tqm8xx_defconfig b/arch/powerpc/configs/tqm8xx_defconfig
-index 77857d513022..083c2e57520a 100644
---- a/arch/powerpc/configs/tqm8xx_defconfig
-+++ b/arch/powerpc/configs/tqm8xx_defconfig
-@@ -55,6 +55,6 @@ CONFIG_CRAMFS=y
- CONFIG_NFS_FS=y
- CONFIG_ROOT_NFS=y
- CONFIG_CRC32_SLICEBY4=y
--CONFIG_DEBUG_INFO=y
-+CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
- CONFIG_MAGIC_SYSRQ=y
- CONFIG_DETECT_HUNG_TASK=y
---
-2.35.1
-
+++ /dev/null
-From 452a991df03fea2d6438fa8f8da69e1767cab1b8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 1 Jul 2022 14:14:17 -0700
-Subject: scsi: lpfc: Remove extra atomic_inc on cmd_pending in queuecommand
- after VMID
-
-From: James Smart <jsmart2021@gmail.com>
-
-[ Upstream commit 0948a9c5386095baae4012190a6b65aba684a907 ]
-
-VMID introduced an extra increment of cmd_pending, causing double-counting
-of the I/O. The normal increment ios performed in lpfc_get_scsi_buf.
-
-Link: https://lore.kernel.org/r/20220701211425.2708-5-jsmart2021@gmail.com
-Fixes: 33c79741deaf ("scsi: lpfc: vmid: Introduce VMID in I/O path")
-Cc: <stable@vger.kernel.org> # v5.14+
-Co-developed-by: Justin Tee <justin.tee@broadcom.com>
-Signed-off-by: Justin Tee <justin.tee@broadcom.com>
-Signed-off-by: James Smart <jsmart2021@gmail.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/lpfc/lpfc_scsi.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
-index ba5e4016262e..084c0f9fdc3a 100644
---- a/drivers/scsi/lpfc/lpfc_scsi.c
-+++ b/drivers/scsi/lpfc/lpfc_scsi.c
-@@ -5456,7 +5456,6 @@ lpfc_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *cmnd)
- cur_iocbq->cmd_flag |= LPFC_IO_VMID;
- }
- }
-- atomic_inc(&ndlp->cmd_pending);
-
- #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
- if (unlikely(phba->hdwqstat_on & LPFC_CHECK_SCSI_IO))
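Review bot: with atomic_inc(&ndlp->cmd_pending) removed from lpfc_queuecommand(), the hunk no longer shows any increment, and the matching decrement is not visible either. Please confirm that every error exit after this point decrements cmd_pending exactly once, matching the single increment the commit message places in lpfc_get_scsi_buf. A decrement that was paired with the removed increment would now underflow the counter.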
---
-2.35.1
-
+++ /dev/null
-From b9f9bae7f3cc422d1625e07eae230361a3e4e4e5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:40 -0700
-Subject: scsi: qla2xxx: edif: Fix dropped IKE message
-
-From: Quinn Tran <qutran@marvell.com>
-
-[ Upstream commit c019cd656e717349ff22d0c41d6fbfc773f48c52 ]
-
-This patch fixes IKE message being dropped due to error in processing Purex
-IOCB and Continuation IOCBs.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-6-njavali@marvell.com
-Fixes: fac2807946c1 ("scsi: qla2xxx: edif: Add extraction of auth_els from the wire")
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_isr.c | 54 +++++++++++++++-------------------
- 1 file changed, 24 insertions(+), 30 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index 1353a5b61c14..895a8d6a5f0e 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -3710,12 +3710,11 @@ void qla24xx_nvme_ls4_iocb(struct scsi_qla_host *vha,
- * Return: 0 all iocbs has arrived, xx- all iocbs have not arrived.
- */
- static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha,
-- struct rsp_que *rsp, response_t *pkt)
-+ struct rsp_que *rsp, response_t *pkt, u32 rsp_q_in)
- {
-- int start_pkt_ring_index, end_pkt_ring_index, n_ring_index;
-- response_t *end_pkt;
-+ int start_pkt_ring_index;
-+ u32 iocb_cnt = 0;
- int rc = 0;
-- u32 rsp_q_in;
-
- if (pkt->entry_count == 1)
- return rc;
-@@ -3726,34 +3725,18 @@ static int qla_chk_cont_iocb_avail(struct scsi_qla_host *vha,
- else
- start_pkt_ring_index = rsp->ring_index - 1;
-
-- if ((start_pkt_ring_index + pkt->entry_count) >= rsp->length)
-- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count -
-- rsp->length - 1;
-+ if (rsp_q_in < start_pkt_ring_index)
-+ /* q in ptr is wrapped */
-+ iocb_cnt = rsp->length - start_pkt_ring_index + rsp_q_in;
- else
-- end_pkt_ring_index = start_pkt_ring_index + pkt->entry_count - 1;
-+ iocb_cnt = rsp_q_in - start_pkt_ring_index;
-
-- end_pkt = rsp->ring + end_pkt_ring_index;
--
-- /* next pkt = end_pkt + 1 */
-- n_ring_index = end_pkt_ring_index + 1;
-- if (n_ring_index >= rsp->length)
-- n_ring_index = 0;
--
-- rsp_q_in = rsp->qpair->use_shadow_reg ? *rsp->in_ptr :
-- rd_reg_dword(rsp->rsp_q_in);
--
-- /* rsp_q_in is either wrapped or pointing beyond endpkt */
-- if ((rsp_q_in < start_pkt_ring_index && rsp_q_in < n_ring_index) ||
-- rsp_q_in >= n_ring_index)
-- /* all IOCBs arrived. */
-- rc = 0;
-- else
-+ if (iocb_cnt < pkt->entry_count)
- rc = -EIO;
-
-- ql_dbg(ql_dbg_init + ql_dbg_verbose, vha, 0x5091,
-- "%s - ring %p pkt %p end pkt %p entry count %#x rsp_q_in %d rc %d\n",
-- __func__, rsp->ring, pkt, end_pkt, pkt->entry_count,
-- rsp_q_in, rc);
-+ ql_dbg(ql_dbg_init, vha, 0x5091,
-+ "%s - ring %p pkt %p entry count %d iocb_cnt %d rsp_q_in %d rc %d\n",
-+ __func__, rsp->ring, pkt, pkt->entry_count, iocb_cnt, rsp_q_in, rc);
-
- return rc;
- }
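Review bot: in qla_chk_cont_iocb_avail() the new test "if (rsp_q_in < start_pkt_ring_index)" compares a u32 with an int, and the same mix feeds "rsp->length - start_pkt_ring_index + rsp_q_in". Declaring start_pkt_ring_index as u32 would remove the implicit conversion. The ql_dbg format string also prints the u32 values iocb_cnt and rsp_q_in with %d where %u is the matching specifier. Separately, dropping ql_dbg_verbose from the mask means this line now prints for every multi-entry packet whenever ql_dbg_init is enabled; confirm that is intended for a message emitted from the response-queue path.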
-@@ -3770,7 +3753,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- struct qla_hw_data *ha = vha->hw;
- struct purex_entry_24xx *purex_entry;
- struct purex_item *pure_item;
-- u16 rsp_in = 0;
-+ u16 rsp_in = 0, cur_ring_index;
- int follow_inptr, is_shadow_hba;
-
- if (!ha->flags.fw_started)
-@@ -3801,6 +3784,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- (!follow_inptr &&
- rsp->ring_ptr->signature != RESPONSE_PROCESSED)) {
- pkt = (struct sts_entry_24xx *)rsp->ring_ptr;
-+ cur_ring_index = rsp->ring_index;
-
- rsp->ring_index++;
- if (rsp->ring_index == rsp->length) {
-@@ -3921,7 +3905,17 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- break;
-
- case ELS_AUTH_ELS:
-- if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt)) {
-+ if (qla_chk_cont_iocb_avail(vha, rsp, (response_t *)pkt, rsp_in)) {
-+ /*
-+ * ring_ptr and ring_index were
-+ * pre-incremented above. Reset them
-+ * back to current. Wait for next
-+ * interrupt with all IOCBs to arrive
-+ * and re-process.
-+ */
-+ rsp->ring_ptr = (response_t *)pkt;
-+ rsp->ring_index = cur_ring_index;
-+
- ql_dbg(ql_dbg_init, vha, 0x5091,
- "Defer processing ELS opcode %#x...\n",
- purex_entry->els_frame_payload[3]);
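Review bot: the ELS_AUTH_ELS case now passes the caller's rsp_in snapshot, which is a u16 initialized to 0 in an earlier hunk, where the helper previously read the in-pointer itself. The loop condition shown in the earlier context also has a !follow_inptr path; please confirm rsp_in is populated on that path, otherwise iocb_cnt is computed from a stale value and the packet is deferred every time. The hunk also does not show what follows the "Defer processing" message: after ring_ptr and ring_index are reset, the loop has to exit rather than iterate again on the same entry, so it is worth stating that in the new comment.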
---
-2.35.1
-
+++ /dev/null
-From bbf97f698babaae6efec80f94f046833506fccf4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:02 -0700
-Subject: scsi: qla2xxx: Fix crash due to stale SRB access around I/O timeouts
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit c39587bc0abaf16593f7abcdf8aeec3c038c7d52 ]
-
-Ensure SRB is returned during I/O timeout error escalation. If that is not
-possible fail the escalation path.
-
-Following crash stack was seen:
-
-BUG: unable to handle kernel paging request at 0000002f56aa90f8
-IP: qla_chk_edif_rx_sa_delete_pending+0x14/0x30 [qla2xxx]
-Call Trace:
- ? qla2x00_status_entry+0x19f/0x1c50 [qla2xxx]
- ? qla2x00_start_sp+0x116/0x1170 [qla2xxx]
- ? dma_pool_alloc+0x1d6/0x210
- ? mempool_alloc+0x54/0x130
- ? qla24xx_process_response_queue+0x548/0x12b0 [qla2xxx]
- ? qla_do_work+0x2d/0x40 [qla2xxx]
- ? process_one_work+0x14c/0x390
-
-Link: https://lore.kernel.org/r/20220616053508.27186-6-njavali@marvell.com
-Fixes: d74595278f4a ("scsi: qla2xxx: Add multiple queue pair functionality.")
-Cc: stable@vger.kernel.org
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_os.c | 43 +++++++++++++++++++++++++----------
- 1 file changed, 31 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index 6fd5c21ad1f5..66f1723c8583 100644
---- a/drivers/scsi/qla2xxx/qla_os.c
-+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -1342,21 +1342,20 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
- /*
- * Returns: QLA_SUCCESS or QLA_FUNCTION_FAILED.
- */
--int
--qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t,
-- uint64_t l, enum nexus_wait_type type)
-+static int
-+__qla2x00_eh_wait_for_pending_commands(struct qla_qpair *qpair, unsigned int t,
-+ uint64_t l, enum nexus_wait_type type)
- {
- int cnt, match, status;
- unsigned long flags;
-- struct qla_hw_data *ha = vha->hw;
-- struct req_que *req;
-+ scsi_qla_host_t *vha = qpair->vha;
-+ struct req_que *req = qpair->req;
- srb_t *sp;
- struct scsi_cmnd *cmd;
-
- status = QLA_SUCCESS;
-
-- spin_lock_irqsave(&ha->hardware_lock, flags);
-- req = vha->req;
-+ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
- for (cnt = 1; status == QLA_SUCCESS &&
- cnt < req->num_outstanding_cmds; cnt++) {
- sp = req->outstanding_cmds[cnt];
-@@ -1383,12 +1382,32 @@ qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t,
- if (!match)
- continue;
-
-- spin_unlock_irqrestore(&ha->hardware_lock, flags);
-+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
- status = qla2x00_eh_wait_on_command(cmd);
-- spin_lock_irqsave(&ha->hardware_lock, flags);
-+ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
- }
-- spin_unlock_irqrestore(&ha->hardware_lock, flags);
-+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
-+
-+ return status;
-+}
-+
-+int
-+qla2x00_eh_wait_for_pending_commands(scsi_qla_host_t *vha, unsigned int t,
-+ uint64_t l, enum nexus_wait_type type)
-+{
-+ struct qla_qpair *qpair;
-+ struct qla_hw_data *ha = vha->hw;
-+ int i, status = QLA_SUCCESS;
-
-+ status = __qla2x00_eh_wait_for_pending_commands(ha->base_qpair, t, l,
-+ type);
-+ for (i = 0; status == QLA_SUCCESS && i < ha->max_qpairs; i++) {
-+ qpair = ha->queue_pair_map[i];
-+ if (!qpair)
-+ continue;
-+ status = __qla2x00_eh_wait_for_pending_commands(qpair, t, l,
-+ type);
-+ }
- return status;
- }
-
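Review bot: in the new qla2x00_eh_wait_for_pending_commands() wrapper, ha->queue_pair_map[i] is read and passed on with no lock or reference visible in the hunk, and the helper then drops qp_lock_ptr and sleeps in qla2x00_eh_wait_on_command(). If a queue pair can be deleted while error handling runs, the qpair pointer can go stale during that wait. Please document what guarantees the qpair lifetime here, or take the lock that protects queue_pair_map. Minor: "status = QLA_SUCCESS" in the declaration is overwritten immediately by the base_qpair call and can be dropped.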
-@@ -1425,7 +1444,7 @@ qla2xxx_eh_device_reset(struct scsi_cmnd *cmd)
- return err;
-
- if (fcport->deleted)
-- return SUCCESS;
-+ return FAILED;
-
- ql_log(ql_log_info, vha, 0x8009,
- "DEVICE RESET ISSUED nexus=%ld:%d:%llu cmd=%p.\n", vha->host_no,
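Review bot: returning FAILED instead of SUCCESS for fcport->deleted in qla2xxx_eh_device_reset() changes what the SCSI error handler does next (it escalates instead of treating the reset as done), but the code carries no explanation. Add a one-line comment at the return saying why a deleted port must fail the reset, in line with the commit message's "fail the escalation path". The same applies to the identical change in qla2xxx_eh_target_reset() in the next hunk.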
-@@ -1493,7 +1512,7 @@ qla2xxx_eh_target_reset(struct scsi_cmnd *cmd)
- return err;
-
- if (fcport->deleted)
-- return SUCCESS;
-+ return FAILED;
-
- ql_log(ql_log_info, vha, 0x8009,
- "TARGET RESET ISSUED nexus=%ld:%d cmd=%p.\n", vha->host_no,
---
-2.35.1
-
+++ /dev/null
-From 6cfb8ba3f898fc966bba265d8baccb83d66f73f3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:42 -0700
-Subject: scsi: qla2xxx: Fix discovery issues in FC-AL topology
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit 47ccb113cead905bdc236571bf8ac6fed90321b3 ]
-
-A direct attach tape device, when gets swapped with another, was not
-discovered. Fix this by looking at loop map and reinitialize link if there
-are devices present.
-
-Link: https://lore.kernel.org/linux-scsi/baef87c3-5dad-3b47-44c1-6914bfc90108@cybernetics.com/
-Link: https://lore.kernel.org/r/20220713052045.10683-8-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reported-by: Tony Battersby <tonyb@cybernetics.com>
-Tested-by: Tony Battersby <tonyb@cybernetics.com>
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_gbl.h | 3 ++-
- drivers/scsi/qla2xxx/qla_init.c | 29 +++++++++++++++++++++++++++++
- drivers/scsi/qla2xxx/qla_mbx.c | 5 ++++-
- 3 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
-index a211ed18d4e9..1c2c161b4e9f 100644
---- a/drivers/scsi/qla2xxx/qla_gbl.h
-+++ b/drivers/scsi/qla2xxx/qla_gbl.h
-@@ -435,7 +435,8 @@ extern int
- qla2x00_get_resource_cnts(scsi_qla_host_t *);
-
- extern int
--qla2x00_get_fcal_position_map(scsi_qla_host_t *ha, char *pos_map);
-+qla2x00_get_fcal_position_map(scsi_qla_host_t *ha, char *pos_map,
-+ u8 *num_entries);
-
- extern int
- qla2x00_get_link_status(scsi_qla_host_t *, uint16_t, struct link_statistics *,
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index f8a7b6f2541e..7b78d331aabd 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -5505,6 +5505,22 @@ static int qla2x00_configure_n2n_loop(scsi_qla_host_t *vha)
- return QLA_FUNCTION_FAILED;
- }
-
-+static void
-+qla_reinitialize_link(scsi_qla_host_t *vha)
-+{
-+ int rval;
-+
-+ atomic_set(&vha->loop_state, LOOP_DOWN);
-+ atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME);
-+ rval = qla2x00_full_login_lip(vha);
-+ if (rval == QLA_SUCCESS) {
-+ ql_dbg(ql_dbg_disc, vha, 0xd050, "Link reinitialized\n");
-+ } else {
-+ ql_dbg(ql_dbg_disc, vha, 0xd051,
-+ "Link reinitialization failed (%d)\n", rval);
-+ }
-+}
-+
- /*
- * qla2x00_configure_local_loop
- * Updates Fibre Channel Device Database with local loop devices.
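Review bot: qla_reinitialize_link() reports a failed qla2x00_full_login_lip() only through ql_dbg at ql_dbg_disc, and being void it cannot tell its caller. By that point loop_state has already been set to LOOP_DOWN and loop_down_timer armed, so a failed LIP leaves the link marked down with nothing in the default log. Consider logging the failure with ql_log at warning level, or returning rval so the caller can decide.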
-@@ -5556,6 +5572,19 @@ qla2x00_configure_local_loop(scsi_qla_host_t *vha)
- spin_unlock_irqrestore(&vha->work_lock, flags);
-
- if (vha->scan.scan_retry < MAX_SCAN_RETRIES) {
-+ u8 loop_map_entries = 0;
-+ int rc;
-+
-+ rc = qla2x00_get_fcal_position_map(vha, NULL,
-+ &loop_map_entries);
-+ if (rc == QLA_SUCCESS && loop_map_entries > 1) {
-+ /*
-+ * There are devices that are still not logged
-+ * in. Reinitialize to give them a chance.
-+ */
-+ qla_reinitialize_link(vha);
-+ return QLA_FUNCTION_FAILED;
-+ }
- set_bit(LOCAL_LOOP_UPDATE, &vha->dpc_flags);
- set_bit(LOOP_RESYNC_NEEDED, &vha->dpc_flags);
- }
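Review bot: the threshold in "rc == QLA_SUCCESS && loop_map_entries > 1" is unexplained; say in the comment why one entry is ignored. The early "return QLA_FUNCTION_FAILED" also skips the set_bit(LOCAL_LOOP_UPDATE, ...) and set_bit(LOOP_RESYNC_NEEDED, ...) calls that previously ran on every retry below MAX_SCAN_RETRIES, so the rescan now depends entirely on the LIP issued by qla_reinitialize_link() succeeding. Please confirm that a failed LIP still leads to another scan attempt.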
-diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
-index bcade1deb798..86d8c455c07a 100644
---- a/drivers/scsi/qla2xxx/qla_mbx.c
-+++ b/drivers/scsi/qla2xxx/qla_mbx.c
-@@ -3068,7 +3068,8 @@ qla2x00_get_resource_cnts(scsi_qla_host_t *vha)
- * Kernel context.
- */
- int
--qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map)
-+qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map,
-+ u8 *num_entries)
- {
- int rval;
- mbx_cmd_t mc;
-@@ -3108,6 +3109,8 @@ qla2x00_get_fcal_position_map(scsi_qla_host_t *vha, char *pos_map)
-
- if (pos_map)
- memcpy(pos_map, pmap, FCAL_MAP_SIZE);
-+ if (num_entries)
-+ *num_entries = pmap[0];
- }
- dma_pool_free(ha->s_dma_pool, pmap, pmap_dma);
-
---
-2.35.1
-
+++ /dev/null
-From 60e461e5c6fe788bcc728e8b17d25dfb9f1c8be4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:07 -0700
-Subject: scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error
- injection
-
-From: Quinn Tran <qutran@marvell.com>
-
-[ Upstream commit f260694e6463b63ae550aad25ddefe94cb1904da ]
-
-Clear wait for mailbox interrupt flag to prevent stale mailbox:
-
-Feb 22 05:22:56 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-500a:4: LOOP UP detected (16 Gbps).
-Feb 22 05:22:59 ltcden4-lp7 kernel: qla2xxx [0135:90:00.1]-d04c:4: MBX Command timeout for cmd 69, ...
-
-To fix the issue, driver needs to clear the MBX_INTR_WAIT flag on purging
-the mailbox. When the stale mailbox completion does arrive, it will be
-dropped.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-11-njavali@marvell.com
-Fixes: b6faaaf796d7 ("scsi: qla2xxx: Serialize mailbox request")
-Cc: Naresh Bannoth <nbannoth@in.ibm.com>
-Cc: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
-Cc: stable@vger.kernel.org
-Reported-by: Naresh Bannoth <nbannoth@in.ibm.com>
-Tested-by: Naresh Bannoth <nbannoth@in.ibm.com>
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_mbx.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
-index 892caf2475df..1b154ab025bd 100644
---- a/drivers/scsi/qla2xxx/qla_mbx.c
-+++ b/drivers/scsi/qla2xxx/qla_mbx.c
-@@ -274,6 +274,12 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
- atomic_inc(&ha->num_pend_mbx_stage3);
- if (!wait_for_completion_timeout(&ha->mbx_intr_comp,
- mcp->tov * HZ)) {
-+ ql_dbg(ql_dbg_mbx, vha, 0x117a,
-+ "cmd=%x Timeout.\n", command);
-+ spin_lock_irqsave(&ha->hardware_lock, flags);
-+ clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
-+ spin_unlock_irqrestore(&ha->hardware_lock, flags);
-+
- if (chip_reset != ha->chip_reset) {
- eeh_delay = ha->flags.eeh_busy ? 1 : 0;
-
-@@ -286,12 +292,6 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
- rval = QLA_ABORTED;
- goto premature_exit;
- }
-- ql_dbg(ql_dbg_mbx, vha, 0x117a,
-- "cmd=%x Timeout.\n", command);
-- spin_lock_irqsave(&ha->hardware_lock, flags);
-- clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
-- spin_unlock_irqrestore(&ha->hardware_lock, flags);
--
- } else if (ha->flags.purge_mbox ||
- chip_reset != ha->chip_reset) {
- eeh_delay = ha->flags.eeh_busy ? 1 : 0;
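Review bot: `MBX_INTR_WAIT` is now cleared at the top of the timeout branch, but the `else if (ha->flags.purge_mbox || chip_reset != ha->chip_reset)` branch in this hunk's trailing context is unchanged, while the commit message describes clearing the flag when the mailbox is purged. Please either clear the flag on that path too or state in the commit message where it is already cleared there, so a late completion cannot be matched to the next command. Moving the block also means the "cmd=%x Timeout." debug line is now emitted on the `QLA_ABORTED` exit as well, which is worth mentioning.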
---
-2.35.1
-
+++ /dev/null
-From a46bb1ecd095c0bbfe78b1da5476ebd6575afc56 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:34:58 -0700
-Subject: scsi: qla2xxx: Fix excessive I/O error messages by default
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit bff4873c709085e09d0ffae0c25b8e65256e3205 ]
-
-Disable printing I/O error messages by default. The messages will be
-printed only when logging was enabled.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-2-njavali@marvell.com
-Fixes: 8e2d81c6b5be ("scsi: qla2xxx: Fix excessive messages during device logout")
-Cc: stable@vger.kernel.org
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_isr.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index 21b31d6359c8..ae47fc559ae0 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -2639,7 +2639,7 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req,
- }
-
- if (unlikely(logit))
-- ql_log(ql_dbg_io, fcport->vha, 0x5060,
-+ ql_dbg(ql_dbg_io, fcport->vha, 0x5060,
- "NVME-%s ERR Handling - hdl=%x status(%x) tr_len:%x resid=%x ox_id=%x\n",
- sp->name, sp->handle, comp_status,
- fd->transferred_length, le32_to_cpu(sts->residual_len),
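Review bot: the removed call passed the debug mask `ql_dbg_io` as the first argument of `ql_log()`, which elsewhere in this driver is given a level such as `ql_log_warn` or `ql_log_info`; the same mismatch is corrected at message 0x3022 in the next hunk. It would be worth grepping for any remaining `ql_log(ql_dbg_` callers and saying in the commit message that this was an argument mix-up, since "Disable printing I/O error messages by default" reads like a policy change.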
-@@ -3496,7 +3496,7 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
-
- out:
- if (logit)
-- ql_log(ql_dbg_io, fcport->vha, 0x3022,
-+ ql_dbg(ql_dbg_io, fcport->vha, 0x3022,
- "FCP command status: 0x%x-0x%x (0x%x) nexus=%ld:%d:%llu portid=%02x%02x%02x oxid=0x%x cdb=%10phN len=0x%x rsp_info=0x%x resid=0x%x fw_resid=0x%x sp=%p cp=%p.\n",
- comp_status, scsi_status, res, vha->host_no,
- cp->device->id, cp->device->lun, fcport->d_id.b.domain,
---
-2.35.1
-
+++ /dev/null
-From 484e602f833c764c9bb58e8b43c1c64302a8814b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:41 -0700
-Subject: scsi: qla2xxx: Fix imbalance vha->vref_count
-
-From: Quinn Tran <qutran@marvell.com>
-
-[ Upstream commit 63fa7f2644b4b48e1913af33092c044bf48e9321 ]
-
-vref_count took an extra decrement in the task management path. Add an
-extra ref count to compensate the imbalance.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-7-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_init.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index ef6857ad148d..f8a7b6f2541e 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -168,6 +168,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_sp, bool wait)
- struct srb_iocb *abt_iocb;
- srb_t *sp;
- int rval = QLA_FUNCTION_FAILED;
-+ uint8_t bail;
-
- /* ref: INIT for ABTS command */
- sp = qla2xxx_get_qpair_sp(cmd_sp->vha, cmd_sp->qpair, cmd_sp->fcport,
-@@ -175,6 +176,7 @@ int qla24xx_async_abort_cmd(srb_t *cmd_sp, bool wait)
- if (!sp)
- return QLA_MEMORY_ALLOC_FAILED;
-
-+ QLA_VHA_MARK_BUSY(vha, bail);
- abt_iocb = &sp->u.iocb_cmd;
- sp->type = SRB_ABT_CMD;
- sp->name = "abort";
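Review bot: `bail` is filled in by `QLA_VHA_MARK_BUSY(vha, bail);` but never read afterwards in this hunk, so whatever the macro reports through it is ignored and the function carries on. Either test it and release `sp` before returning an error, or add a comment explaining why the result can be ignored on this path.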
-@@ -2011,12 +2013,14 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
- struct srb_iocb *tm_iocb;
- srb_t *sp;
- int rval = QLA_FUNCTION_FAILED;
-+ uint8_t bail;
-
- /* ref: INIT */
- sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL);
- if (!sp)
- goto done;
-
-+ QLA_VHA_MARK_BUSY(vha, bail);
- sp->type = SRB_TM_CMD;
- sp->name = "tmf";
- qla2x00_init_async_sp(sp, qla2x00_get_async_timeout(vha),
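Review bot: the `QLA_VHA_MARK_BUSY(vha, bail);` added to `qla2x00_async_tm_cmd()` is described in the commit message as compensating for an extra decrement, but nothing in the code says where that decrement happens. A one-line comment in the style of the existing `/* ref: INIT */` annotation, naming the matching put, would keep the pairing auditable. The error exits after this point (the function already jumps to `done`) also need to drop the new reference if they do not reach that put.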
---
-2.35.1
-
+++ /dev/null
-From 8624f3a1810a248525365cbad29b1bfc9356ec61 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:37 -0700
-Subject: scsi: qla2xxx: Fix incorrect display of max frame size
-
-From: Bikash Hazarika <bhazarika@marvell.com>
-
-[ Upstream commit cf3b4fb655796674e605268bd4bfb47a47c8bce6 ]
-
-Replace display field with the correct field.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-3-njavali@marvell.com
-Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine")
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_def.h | 1 +
- drivers/scsi/qla2xxx/qla_gs.c | 9 +++------
- drivers/scsi/qla2xxx/qla_init.c | 2 ++
- drivers/scsi/qla2xxx/qla_isr.c | 4 +---
- 4 files changed, 7 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
-index 77ef82df6d4d..5d594c82d14c 100644
---- a/drivers/scsi/qla2xxx/qla_def.h
-+++ b/drivers/scsi/qla2xxx/qla_def.h
-@@ -3975,6 +3975,7 @@ struct qla_hw_data {
- /* SRB cache. */
- #define SRB_MIN_REQ 128
- mempool_t *srb_mempool;
-+ u8 port_name[WWN_SIZE];
-
- volatile struct {
- uint32_t mbox_int :1;
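Review bot: `u8 port_name[WWN_SIZE];` is inserted directly under the `/* SRB cache. */` group next to `srb_mempool`, where it reads as part of the SRB cache. Move it beside the other port identity fields or give it its own comment saying it is the saved copy of `init_cb->port_name`. The commit message only mentions the frame-size display, so this second change deserves a sentence there too.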
-diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
-index f56b578475ba..c999221912e5 100644
---- a/drivers/scsi/qla2xxx/qla_gs.c
-+++ b/drivers/scsi/qla2xxx/qla_gs.c
-@@ -1596,7 +1596,6 @@ qla2x00_hba_attributes(scsi_qla_host_t *vha, void *entries,
- unsigned int callopt)
- {
- struct qla_hw_data *ha = vha->hw;
-- struct init_cb_24xx *icb24 = (void *)ha->init_cb;
- struct new_utsname *p_sysid = utsname();
- struct ct_fdmi_hba_attr *eiter;
- uint16_t alen;
-@@ -1758,8 +1757,8 @@ qla2x00_hba_attributes(scsi_qla_host_t *vha, void *entries,
- /* MAX CT Payload Length */
- eiter = entries + size;
- eiter->type = cpu_to_be16(FDMI_HBA_MAXIMUM_CT_PAYLOAD_LENGTH);
-- eiter->a.max_ct_len = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ?
-- icb24->frame_payload_size : ha->init_cb->frame_payload_size));
-+ eiter->a.max_ct_len = cpu_to_be32(ha->frame_payload_size >> 2);
-+
- alen = sizeof(eiter->a.max_ct_len);
- alen += FDMI_ATTR_TYPELEN(eiter);
- eiter->len = cpu_to_be16(alen);
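Review bot: `ha->frame_payload_size >> 2` changes the advertised MAX CT payload length to a quarter of the frame payload size with no explanation, and the subject line is about max frame size only. Please add a comment stating the unit conversion the shift is meant to perform. The blank line added after the assignment is also inconsistent with the neighbouring attribute blocks.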
-@@ -1851,7 +1850,6 @@ qla2x00_port_attributes(scsi_qla_host_t *vha, void *entries,
- unsigned int callopt)
- {
- struct qla_hw_data *ha = vha->hw;
-- struct init_cb_24xx *icb24 = (void *)ha->init_cb;
- struct new_utsname *p_sysid = utsname();
- char *hostname = p_sysid ?
- p_sysid->nodename : fc_host_system_hostname(vha->host);
-@@ -1903,8 +1901,7 @@ qla2x00_port_attributes(scsi_qla_host_t *vha, void *entries,
- /* Max frame size. */
- eiter = entries + size;
- eiter->type = cpu_to_be16(FDMI_PORT_MAX_FRAME_SIZE);
-- eiter->a.max_frame_size = cpu_to_be32(le16_to_cpu(IS_FWI2_CAPABLE(ha) ?
-- icb24->frame_payload_size : ha->init_cb->frame_payload_size));
-+ eiter->a.max_frame_size = cpu_to_be32(ha->frame_payload_size);
- alen = sizeof(eiter->a.max_frame_size);
- alen += FDMI_ATTR_TYPELEN(eiter);
- eiter->len = cpu_to_be16(alen);
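Review bot: the old expression wrapped the init control block field in `le16_to_cpu()`, while the replacement `cpu_to_be32(ha->frame_payload_size)` assumes the cached value is already in host byte order. Please confirm that is how `ha->frame_payload_size` is stored, otherwise the FDMI attribute will be wrong on big-endian hosts.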
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index ad96bc19ed05..ef6857ad148d 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -4520,6 +4520,8 @@ qla2x00_init_rings(scsi_qla_host_t *vha)
- BIT_6) != 0;
- ql_dbg(ql_dbg_init, vha, 0x00bc, "FA-WWPN Support: %s.\n",
- (ha->flags.fawwpn_enabled) ? "enabled" : "disabled");
-+ /* Init_cb will be reused for other command(s). Save a backup copy of port_name */
-+ memcpy(ha->port_name, ha->init_cb->port_name, WWN_SIZE);
- }
-
- /* ELS pass through payload is limit by frame size. */
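Review bot: the backup `memcpy(ha->port_name, ha->init_cb->port_name, WWN_SIZE);` sits inside the block that closes on the next line, so `ha->port_name` is only populated when that branch runs, yet `qla2x00_async_event()` later copies from it whenever `fawwpn_enabled` and the F-port topology test hold. Please confirm the two conditions always coincide, or take the copy outside the block. The new comment line also runs past 80 columns.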
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index 5f2949e03fc8..fc252dbfb0bf 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -1354,9 +1354,7 @@ qla2x00_async_event(scsi_qla_host_t *vha, struct rsp_que *rsp, uint16_t *mb)
- if (!vha->vp_idx) {
- if (ha->flags.fawwpn_enabled &&
- (ha->current_topology == ISP_CFG_F)) {
-- void *wwpn = ha->init_cb->port_name;
--
-- memcpy(vha->port_name, wwpn, WWN_SIZE);
-+ memcpy(vha->port_name, ha->port_name, WWN_SIZE);
- fc_host_port_name(vha->host) =
- wwn_to_u64(vha->port_name);
- ql_dbg(ql_dbg_init + ql_dbg_verbose,
---
-2.35.1
-
+++ /dev/null
-From 784659d081ede75e363b4ecc62e6719d952efee0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:03 -0700
-Subject: scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation
- tests
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit 58d1c124cd79ea686b512043c5bd515590b2ed95 ]
-
-When a mix of FCP-2 (tape) and non-FCP-2 targets are present, FCP-2 target
-state was incorrectly transitioned when both of the targets were gone. Fix
-this by ignoring state transition for FCP-2 targets.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-7-njavali@marvell.com
-Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target")
-Cc: stable@vger.kernel.org
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_gs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
-index e811de2f6a25..f56b578475ba 100644
---- a/drivers/scsi/qla2xxx/qla_gs.c
-+++ b/drivers/scsi/qla2xxx/qla_gs.c
-@@ -3578,7 +3578,7 @@ void qla24xx_async_gnnft_done(scsi_qla_host_t *vha, srb_t *sp)
- do_delete) {
- if (fcport->loop_id != FC_NO_LOOP_ID) {
- if (fcport->flags & FCF_FCP2_DEVICE)
-- fcport->logout_on_delete = 0;
-+ continue;
-
- ql_log(ql_log_warn, vha, 0x20f0,
- "%s %d %8phC post del sess\n",
---
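Review bot: replacing `fcport->logout_on_delete = 0;` with `continue;` means an FCP-2 port with a valid loop id now skips the "post del sess" warning and everything after it in the loop body without leaving any trace. A `ql_dbg` before the `continue` would make skipped ports visible when debugging discovery, and the commit message should state that `logout_on_delete` is intentionally left at its previous value for these ports.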
-2.35.1
-
+++ /dev/null
-From f71cffc3a88951cfc872dd7ad62e3145f7852d5d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:06 -0700
-Subject: scsi: qla2xxx: Fix losing FCP-2 targets on long port disable with
- I/Os
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit 2416ccd3815ba1613e10a6da0a24ef21acfe5633 ]
-
-FCP-2 devices were not coming back online once they were lost, login
-retries exhausted, and then came back up. Fix this by accepting RSCN when
-the device is not online.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-10-njavali@marvell.com
-Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target")
-Cc: stable@vger.kernel.org
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_init.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index 88ca398be485..b6c3f66c4988 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -1825,7 +1825,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea)
- case RSCN_PORT_ADDR:
- fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1);
- if (fcport) {
-- if (fcport->flags & FCF_FCP2_DEVICE) {
-+ if (fcport->flags & FCF_FCP2_DEVICE &&
-+ atomic_read(&fcport->state) == FCS_ONLINE) {
- ql_dbg(ql_dbg_disc, vha, 0x2115,
- "Delaying session delete for FCP2 portid=%06x %8phC ",
- fcport->d_id.b24, fcport->port_name);
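Review bot: `fcport->flags & FCF_FCP2_DEVICE && atomic_read(&fcport->state) == FCS_ONLINE` relies on `&` binding tighter than `&&`; it parses as intended, but parentheses around the flag test would save the reader the precedence check. The identical predicate is added in all four RSCN cases of this patch, so a small static inline helper taking `fcport` would keep them from drifting apart.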
-@@ -1857,7 +1858,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea)
- break;
- case RSCN_AREA_ADDR:
- list_for_each_entry(fcport, &vha->vp_fcports, list) {
-- if (fcport->flags & FCF_FCP2_DEVICE)
-+ if (fcport->flags & FCF_FCP2_DEVICE &&
-+ atomic_read(&fcport->state) == FCS_ONLINE)
- continue;
-
- if ((ea->id.b24 & 0xffff00) == (fcport->d_id.b24 & 0xffff00)) {
-@@ -1868,7 +1870,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea)
- break;
- case RSCN_DOM_ADDR:
- list_for_each_entry(fcport, &vha->vp_fcports, list) {
-- if (fcport->flags & FCF_FCP2_DEVICE)
-+ if (fcport->flags & FCF_FCP2_DEVICE &&
-+ atomic_read(&fcport->state) == FCS_ONLINE)
- continue;
-
- if ((ea->id.b24 & 0xff0000) == (fcport->d_id.b24 & 0xff0000)) {
-@@ -1880,7 +1883,8 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea)
- case RSCN_FAB_ADDR:
- default:
- list_for_each_entry(fcport, &vha->vp_fcports, list) {
-- if (fcport->flags & FCF_FCP2_DEVICE)
-+ if (fcport->flags & FCF_FCP2_DEVICE &&
-+ atomic_read(&fcport->state) == FCS_ONLINE)
- continue;
-
- fcport->scan_needed = 1;
---
-2.35.1
-
+++ /dev/null
-From ec0466138dab2ba0b7570578a316aef299cf25a8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:04 -0700
-Subject: scsi: qla2xxx: Fix losing target when it reappears during delete
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit 118b0c863c8f5629cc5271fc24d72d926e0715d9 ]
-
-FC target disappeared during port perturbation tests due to a race that
-tramples target state. Fix the issue by adding state checks before
-proceeding.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-8-njavali@marvell.com
-Fixes: 44c57f205876 ("scsi: qla2xxx: Changes to support FCP2 Target")
-Cc: stable@vger.kernel.org
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_attr.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
-index 3b3e4234f37a..412ad888bdc1 100644
---- a/drivers/scsi/qla2xxx/qla_attr.c
-+++ b/drivers/scsi/qla2xxx/qla_attr.c
-@@ -2716,17 +2716,24 @@ qla2x00_dev_loss_tmo_callbk(struct fc_rport *rport)
- if (!fcport)
- return;
-
-- /* Now that the rport has been deleted, set the fcport state to
-- FCS_DEVICE_DEAD */
-- qla2x00_set_fcport_state(fcport, FCS_DEVICE_DEAD);
-+
-+ /*
-+ * Now that the rport has been deleted, set the fcport state to
-+ * FCS_DEVICE_DEAD, if the fcport is still lost.
-+ */
-+ if (fcport->scan_state != QLA_FCPORT_FOUND)
-+ qla2x00_set_fcport_state(fcport, FCS_DEVICE_DEAD);
-
- /*
- * Transport has effectively 'deleted' the rport, clear
- * all local references.
- */
- spin_lock_irqsave(host->host_lock, flags);
-- fcport->rport = fcport->drport = NULL;
-- *((fc_port_t **)rport->dd_data) = NULL;
-+ /* Confirm port has not reappeared before clearing pointers. */
-+ if (rport->port_state != FC_PORTSTATE_ONLINE) {
-+ fcport->rport = fcport->drport = NULL;
-+ *((fc_port_t **)rport->dd_data) = NULL;
-+ }
- spin_unlock_irqrestore(host->host_lock, flags);
-
- if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
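Review bot: the two new guards decide whether the port has come back with different tests and different locking: `fcport->scan_state != QLA_FCPORT_FOUND` is checked before `host->host_lock` is taken, while `rport->port_state != FC_PORTSTATE_ONLINE` is checked under it. If the port reappears between the two, the state can be set to `FCS_DEVICE_DEAD` while the pointers are kept. Consider doing both checks under the lock, or document why that window is harmless. The hunk also leaves two consecutive blank lines before the new comment.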
-@@ -2759,9 +2766,12 @@ qla2x00_terminate_rport_io(struct fc_rport *rport)
- /*
- * At this point all fcport's software-states are cleared. Perform any
- * final cleanup of firmware resources (PCBs and XCBs).
-+ *
-+ * Attempt to cleanup only lost devices.
- */
- if (fcport->loop_id != FC_NO_LOOP_ID) {
-- if (IS_FWI2_CAPABLE(fcport->vha->hw)) {
-+ if (IS_FWI2_CAPABLE(fcport->vha->hw) &&
-+ fcport->scan_state != QLA_FCPORT_FOUND) {
- if (fcport->loop_id != FC_NO_LOOP_ID)
- fcport->logout_on_delete = 1;
-
-@@ -2771,7 +2781,7 @@ qla2x00_terminate_rport_io(struct fc_rport *rport)
- __LINE__);
- qlt_schedule_sess_for_deletion(fcport);
- }
-- } else {
-+ } else if (!IS_FWI2_CAPABLE(fcport->vha->hw)) {
- qla2x00_port_logout(fcport->vha, fcport);
- }
- }
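Review bot: changing the trailing `else` to `else if (!IS_FWI2_CAPABLE(fcport->vha->hw))` is needed only because the `scan_state` test was folded into the outer `if` in the previous hunk; the capability macro is now evaluated twice and the reader has to work out that an FWI2 adapter with a found port does nothing. Nesting the `fcport->scan_state != QLA_FCPORT_FOUND` test inside the original `if (IS_FWI2_CAPABLE(...))` branch would keep the plain `else` and make that case explicit.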
---
-2.35.1
-
+++ /dev/null
-From 3cd334b11de490fefa146ff75313d30f8c9f75a6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:39 -0700
-Subject: scsi: qla2xxx: Fix response queue handler reading stale packets
-
-From: Arun Easi <aeasi@marvell.com>
-
-[ Upstream commit b1f707146923335849fb70237eec27d4d1ae7d62 ]
-
-On some platforms, the current logic of relying on finding new packet
-solely based on signature pattern can lead to driver reading stale
-packets. Though this is a bug in those platforms, reduce such exposures by
-limiting reading packets until the IN pointer.
-
-Two module parameters are introduced:
-
- ql2xrspq_follow_inptr:
-
- When set, on newer adapters that has queue pointer shadowing, look for
- response packets only until response queue in pointer.
-
- When reset, response packets are read based on a signature pattern
- logic (old way).
-
- ql2xrspq_follow_inptr_legacy:
-
- Like ql2xrspq_follow_inptr, but for those adapters where there is no
- queue pointer shadowing.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-5-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Arun Easi <aeasi@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_gbl.h | 2 ++
- drivers/scsi/qla2xxx/qla_isr.c | 24 +++++++++++++++++++++++-
- drivers/scsi/qla2xxx/qla_os.c | 10 ++++++++++
- 3 files changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
-index dac27b5ff0ac..a211ed18d4e9 100644
---- a/drivers/scsi/qla2xxx/qla_gbl.h
-+++ b/drivers/scsi/qla2xxx/qla_gbl.h
-@@ -193,6 +193,8 @@ extern int ql2xsecenable;
- extern int ql2xenforce_iocb_limit;
- extern int ql2xabts_wait_nvme;
- extern u32 ql2xnvme_queues;
-+extern int ql2xrspq_follow_inptr;
-+extern int ql2xrspq_follow_inptr_legacy;
-
- extern int qla2x00_loop_reset(scsi_qla_host_t *);
- extern void qla2x00_abort_all_cmds(scsi_qla_host_t *, int);
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index fc252dbfb0bf..1353a5b61c14 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -3770,6 +3770,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- struct qla_hw_data *ha = vha->hw;
- struct purex_entry_24xx *purex_entry;
- struct purex_item *pure_item;
-+ u16 rsp_in = 0;
-+ int follow_inptr, is_shadow_hba;
-
- if (!ha->flags.fw_started)
- return;
-@@ -3779,7 +3781,25 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- qla_cpu_update(rsp->qpair, smp_processor_id());
- }
-
-- while (rsp->ring_ptr->signature != RESPONSE_PROCESSED) {
-+#define __update_rsp_in(_update, _is_shadow_hba, _rsp, _rsp_in) \
-+ do { \
-+ if (_update) { \
-+ _rsp_in = _is_shadow_hba ? *(_rsp)->in_ptr : \
-+ rd_reg_dword_relaxed((_rsp)->rsp_q_in); \
-+ } \
-+ } while (0)
-+
-+ is_shadow_hba = IS_SHADOW_REG_CAPABLE(ha);
-+ follow_inptr = is_shadow_hba ? ql2xrspq_follow_inptr :
-+ ql2xrspq_follow_inptr_legacy;
-+
-+ __update_rsp_in(follow_inptr, is_shadow_hba, rsp, rsp_in);
-+
-+ while ((likely(follow_inptr &&
-+ rsp->ring_index != rsp_in &&
-+ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) ||
-+ (!follow_inptr &&
-+ rsp->ring_ptr->signature != RESPONSE_PROCESSED)) {
- pkt = (struct sts_entry_24xx *)rsp->ring_ptr;
-
- rsp->ring_index++;
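Review bot: the new `while` condition repeats the signature test in both arms and is equivalent to `(!follow_inptr || rsp->ring_index != rsp_in) && rsp->ring_ptr->signature != RESPONSE_PROCESSED`, which is easier to audit; as written, `likely()` also covers only the first arm. `__update_rsp_in` is defined in the middle of the function body, has no `#undef` in this patch, and uses its arguments unparenthesized, so a static inline helper would be safer. Note too that `rsp_in` is a `u16` assigned from `rd_reg_dword_relaxed()`, so the truncation should be intentional and commented.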
-@@ -3892,6 +3912,8 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- }
- pure_item = qla27xx_copy_fpin_pkt(vha,
- (void **)&pkt, &rsp);
-+ __update_rsp_in(follow_inptr, is_shadow_hba,
-+ rsp, rsp_in);
- if (!pure_item)
- break;
- qla24xx_queue_purex_item(vha, pure_item,
-diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index 66f1723c8583..0bbb48d31441 100644
---- a/drivers/scsi/qla2xxx/qla_os.c
-+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -338,6 +338,16 @@ module_param(ql2xdelay_before_pci_error_handling, uint, 0644);
- MODULE_PARM_DESC(ql2xdelay_before_pci_error_handling,
- "Number of seconds delayed before qla begin PCI error self-handling (default: 5).\n");
-
-+int ql2xrspq_follow_inptr = 1;
-+module_param(ql2xrspq_follow_inptr, int, 0644);
-+MODULE_PARM_DESC(ql2xrspq_follow_inptr,
-+ "Follow RSP IN pointer for RSP updates for HBAs 27xx and newer (default: 1).");
-+
-+int ql2xrspq_follow_inptr_legacy = 1;
-+module_param(ql2xrspq_follow_inptr_legacy, int, 0644);
-+MODULE_PARM_DESC(ql2xrspq_follow_inptr_legacy,
-+ "Follow RSP IN pointer for RSP updates for HBAs older than 27XX. (default: 1).");
-+
- static void qla2x00_clear_drv_active(struct qla_hw_data *);
- static void qla2x00_free_device(scsi_qla_host_t *);
- static int qla2xxx_map_queues(struct Scsi_Host *shost);
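Review bot: the two parameter descriptions are inconsistent with each other ("27xx and newer" against "older than 27XX. (default: 1)", with a stray period) and with the code, which selects between them by `IS_SHADOW_REG_CAPABLE(ha)` rather than by model number. Describe them in terms of queue pointer shadowing, as the commit message does. Both are mode 0644 and so can change at runtime; the handler samples the value once per call, which deserves a short comment.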
---
-2.35.1
-
+++ /dev/null
-From 707c5b307f91b8248188d891e19d58b2f5511157 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:01 -0700
-Subject: scsi: qla2xxx: Turn off multi-queue for 8G adapters
-
-From: Quinn Tran <qutran@marvell.com>
-
-[ Upstream commit 5304673bdb1635e27555bd636fd5d6956f1cd552 ]
-
-For 8G adapters, multi-queue was enabled accidentally. Make sure
-multi-queue is not enabled.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-5-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_def.h | 4 ++--
- drivers/scsi/qla2xxx/qla_isr.c | 16 ++++++----------
- 2 files changed, 8 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
-index b4ff8eea7879..77ef82df6d4d 100644
---- a/drivers/scsi/qla2xxx/qla_def.h
-+++ b/drivers/scsi/qla2xxx/qla_def.h
-@@ -4260,8 +4260,8 @@ struct qla_hw_data {
- #define IS_OEM_001(ha) ((ha)->device_type & DT_OEM_001)
- #define HAS_EXTENDED_IDS(ha) ((ha)->device_type & DT_EXTENDED_IDS)
- #define IS_CT6_SUPPORTED(ha) ((ha)->device_type & DT_CT6_SUPPORTED)
--#define IS_MQUE_CAPABLE(ha) ((ha)->mqenable || IS_QLA83XX(ha) || \
-- IS_QLA27XX(ha) || IS_QLA28XX(ha))
-+#define IS_MQUE_CAPABLE(ha) (IS_QLA83XX(ha) || IS_QLA27XX(ha) || \
-+ IS_QLA28XX(ha))
- #define IS_BIDI_CAPABLE(ha) \
- (IS_QLA25XX(ha) || IS_QLA2031(ha) || IS_QLA27XX(ha) || IS_QLA28XX(ha))
- /* Bit 21 of fw_attributes decides the MCTP capabilities */
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index ae47fc559ae0..5f2949e03fc8 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -4420,16 +4420,12 @@ qla24xx_enable_msix(struct qla_hw_data *ha, struct rsp_que *rsp)
- }
-
- /* Enable MSI-X vector for response queue update for queue 0 */
-- if (IS_QLA83XX(ha) || IS_QLA27XX(ha) || IS_QLA28XX(ha)) {
-- if (ha->msixbase && ha->mqiobase &&
-- (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 ||
-- ql2xmqsupport))
-- ha->mqenable = 1;
-- } else
-- if (ha->mqiobase &&
-- (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 ||
-- ql2xmqsupport))
-- ha->mqenable = 1;
-+ if (IS_MQUE_CAPABLE(ha) &&
-+ (ha->msixbase && ha->mqiobase && ha->max_qpairs))
-+ ha->mqenable = 1;
-+ else
-+ ha->mqenable = 0;
-+
- ql_dbg(ql_dbg_multiq, vha, 0xc005,
- "mqiobase=%p, max_rsp_queues=%d, max_req_queues=%d.\n",
- ha->mqiobase, ha->max_rsp_queues, ha->max_req_queues);
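Review bot: the new test `IS_MQUE_CAPABLE(ha) && (ha->msixbase && ha->mqiobase && ha->max_qpairs)` no longer consults `ql2xmqsupport`, `max_rsp_queues` or `max_req_queues`, all of which the removed code checked, and the commit message does not say whether dropping the `ql2xmqsupport` override is intended. The `ql_dbg` that follows still prints the two queue counts but not `max_qpairs`, which is now the deciding value; add it to the message. The inner parentheses are redundant.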
---
-2.35.1
-
+++ /dev/null
-From 8df583fe738190a8f20b53f8c755ef7fdc1020b2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:44 -0700
-Subject: scsi: qla2xxx: Update manufacturer details
-
-From: Bikash Hazarika <bhazarika@marvell.com>
-
-[ Upstream commit 1ccad27716ecad1fd58c35e579bedb81fa5e1ad5 ]
-
-Update manufacturer details to indicate Marvell Semiconductors.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-10-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_def.h | 2 +-
- drivers/scsi/qla2xxx/qla_gs.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
-index 5d594c82d14c..5a1a2ab7b852 100644
---- a/drivers/scsi/qla2xxx/qla_def.h
-+++ b/drivers/scsi/qla2xxx/qla_def.h
-@@ -78,7 +78,7 @@ typedef union {
- #include "qla_nvme.h"
- #define QLA2XXX_DRIVER_NAME "qla2xxx"
- #define QLA2XXX_APIDEV "ql2xapidev"
--#define QLA2XXX_MANUFACTURER "QLogic Corporation"
-+#define QLA2XXX_MANUFACTURER "Marvell Semiconductor, Inc."
-
- /*
- * We have MAILBOX_REGISTER_COUNT sized arrays in a few places,
-diff --git a/drivers/scsi/qla2xxx/qla_gs.c b/drivers/scsi/qla2xxx/qla_gs.c
-index c999221912e5..0a95816afd0b 100644
---- a/drivers/scsi/qla2xxx/qla_gs.c
-+++ b/drivers/scsi/qla2xxx/qla_gs.c
-@@ -1616,7 +1616,7 @@ qla2x00_hba_attributes(scsi_qla_host_t *vha, void *entries,
- eiter->type = cpu_to_be16(FDMI_HBA_MANUFACTURER);
- alen = scnprintf(
- eiter->a.manufacturer, sizeof(eiter->a.manufacturer),
-- "%s", "QLogic Corporation");
-+ "%s", QLA2XXX_MANUFACTURER);
- alen += FDMI_ATTR_ALIGNMENT(alen);
- alen += FDMI_ATTR_TYPELEN(eiter);
- eiter->len = cpu_to_be16(alen);
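Review bot: switching the literal to `QLA2XXX_MANUFACTURER` is the right cleanup, but the new string "Marvell Semiconductor, Inc." is longer than "QLogic Corporation"; `scnprintf()` bounded by `sizeof(eiter->a.manufacturer)` will truncate rather than overflow, so please confirm the field is large enough to hold the full name. The commit message says "Marvell Semiconductors", which does not match the string in the define.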
---
-2.35.1
-
+++ /dev/null
-From c751cb3aef1515ae098ecbb8829f3aabc5f17cac Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 15 Jun 2022 22:35:00 -0700
-Subject: scsi: qla2xxx: Wind down adapter after PCIe error
-
-From: Quinn Tran <qutran@marvell.com>
-
-[ Upstream commit d3117c83ba316b3200d9f2fe900f2b9a5525a25c ]
-
-Put adapter into a wind down state if OS does not make any attempt to
-recover the adapter after PCIe error.
-
-Link: https://lore.kernel.org/r/20220616053508.27186-4-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_bsg.c | 10 ++++++-
- drivers/scsi/qla2xxx/qla_def.h | 4 +++
- drivers/scsi/qla2xxx/qla_init.c | 20 ++++++++++++++
- drivers/scsi/qla2xxx/qla_os.c | 48 +++++++++++++++++++++++++++++++++
- 4 files changed, 81 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
-index c2f00f076f79..726af9e40572 100644
---- a/drivers/scsi/qla2xxx/qla_bsg.c
-+++ b/drivers/scsi/qla2xxx/qla_bsg.c
-@@ -2975,6 +2975,13 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_job)
-
- ql_log(ql_log_info, vha, 0x708b, "%s CMD timeout. bsg ptr %p.\n",
- __func__, bsg_job);
-+
-+ if (qla2x00_isp_reg_stat(ha)) {
-+ ql_log(ql_log_info, vha, 0x9007,
-+ "PCI/Register disconnect.\n");
-+ qla_pci_set_eeh_busy(vha);
-+ }
-+
- /* find the bsg job from the active list of commands */
- spin_lock_irqsave(&ha->hardware_lock, flags);
- for (que = 0; que < ha->max_req_queues; que++) {
-@@ -2992,7 +2999,8 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_job)
- sp->u.bsg_job == bsg_job) {
- req->outstanding_cmds[cnt] = NULL;
- spin_unlock_irqrestore(&ha->hardware_lock, flags);
-- if (ha->isp_ops->abort_command(sp)) {
-+
-+ if (!ha->flags.eeh_busy && ha->isp_ops->abort_command(sp)) {
- ql_log(ql_log_warn, vha, 0x7089,
- "mbx abort_command failed.\n");
- bsg_reply->result = -EIO;
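Review bot: with `!ha->flags.eeh_busy &&` in front, a timed-out BSG job on an adapter in EEH state skips `abort_command()` and also skips the `-EIO` assignment shown here, taking the other branch of the `if`. Please check what `bsg_reply->result` that job ends up with, since no abort was actually issued, and consider reporting an error explicitly in the `eeh_busy` case.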
-diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
-index e8f69c486be1..b4ff8eea7879 100644
---- a/drivers/scsi/qla2xxx/qla_def.h
-+++ b/drivers/scsi/qla2xxx/qla_def.h
-@@ -4040,6 +4040,9 @@ struct qla_hw_data {
- uint32_t n2n_fw_acc_sec:1;
- uint32_t plogi_template_valid:1;
- uint32_t port_isolated:1;
-+ uint32_t eeh_flush:2;
-+#define EEH_FLUSH_RDY 1
-+#define EEH_FLUSH_DONE 2
- } flags;
-
- uint16_t max_exchg;
-@@ -4074,6 +4077,7 @@ struct qla_hw_data {
- uint32_t rsp_que_len;
- uint32_t req_que_off;
- uint32_t rsp_que_off;
-+ unsigned long eeh_jif;
-
- /* Multi queue data structs */
- device_reg_t *mqiobase;
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index 3f3417a3e891..88ca398be485 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -47,6 +47,7 @@ qla2x00_sp_timeout(struct timer_list *t)
- {
- srb_t *sp = from_timer(sp, t, u.iocb_cmd.timer);
- struct srb_iocb *iocb;
-+ scsi_qla_host_t *vha = sp->vha;
-
- WARN_ON(irqs_disabled());
- iocb = &sp->u.iocb_cmd;
-@@ -54,6 +55,12 @@ qla2x00_sp_timeout(struct timer_list *t)
-
- /* ref: TMR */
- kref_put(&sp->cmd_kref, qla2x00_sp_release);
-+
-+ if (vha && qla2x00_isp_reg_stat(vha->hw)) {
-+ ql_log(ql_log_info, vha, 0x9008,
-+ "PCI/Register disconnect.\n");
-+ qla_pci_set_eeh_busy(vha);
-+ }
- }
-
- void qla2x00_sp_free(srb_t *sp)
-@@ -9657,6 +9664,12 @@ int qla2xxx_disable_port(struct Scsi_Host *host)
-
- vha->hw->flags.port_isolated = 1;
-
-+ if (qla2x00_isp_reg_stat(vha->hw)) {
-+ ql_log(ql_log_info, vha, 0x9006,
-+ "PCI/Register disconnect, exiting.\n");
-+ qla_pci_set_eeh_busy(vha);
-+ return FAILED;
-+ }
- if (qla2x00_chip_is_down(vha))
- return 0;
-
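Review bot: in `qla2xxx_disable_port()` the register-disconnect check is placed after `vha->hw->flags.port_isolated = 1;`, so the function returns `FAILED` with the port already marked isolated, whereas `qla2xxx_enable_port()` in the next hunk checks before touching any state. Move the check above the assignment, or comment why the flag should stay set on failure. The function's other visible exit returns 0, so the meaning of `FAILED` for its callers should be checked as well.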
-@@ -9672,6 +9685,13 @@ int qla2xxx_enable_port(struct Scsi_Host *host)
- {
- scsi_qla_host_t *vha = shost_priv(host);
-
-+ if (qla2x00_isp_reg_stat(vha->hw)) {
-+ ql_log(ql_log_info, vha, 0x9001,
-+ "PCI/Register disconnect, exiting.\n");
-+ qla_pci_set_eeh_busy(vha);
-+ return FAILED;
-+ }
-+
- vha->hw->flags.port_isolated = 0;
- /* Set the flag to 1, so that isp_abort can proceed */
- vha->flags.online = 1;
-diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index 73073fb08369..6fd5c21ad1f5 100644
---- a/drivers/scsi/qla2xxx/qla_os.c
-+++ b/drivers/scsi/qla2xxx/qla_os.c
-@@ -333,6 +333,11 @@ MODULE_PARM_DESC(ql2xabts_wait_nvme,
- "To wait for ABTS response on I/O timeouts for NVMe. (default: 1)");
-
-
-+u32 ql2xdelay_before_pci_error_handling = 5;
-+module_param(ql2xdelay_before_pci_error_handling, uint, 0644);
-+MODULE_PARM_DESC(ql2xdelay_before_pci_error_handling,
-+ "Number of seconds delayed before qla begin PCI error self-handling (default: 5).\n");
-+
- static void qla2x00_clear_drv_active(struct qla_hw_data *);
- static void qla2x00_free_device(scsi_qla_host_t *);
- static int qla2xxx_map_queues(struct Scsi_Host *shost);
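Review bot: `ql2xdelay_before_pci_error_handling` is registered with mode 0644 and no range check, so any value can be written at runtime, and qla_wind_down_chip() later computes `ql2xdelay_before_pci_error_handling * HZ` in 32-bit arithmetic before adding it to `ha->eeh_jif`; a large setting wraps and shortens the delay instead of extending it. Clamp the value where it is used or document the supported range in the description. The description string also ends in "\n", unlike the `ql2xabts_wait_nvme` description just above it, and "before qla begin" should read "before the driver begins".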
-@@ -7238,6 +7243,44 @@ static void qla_heart_beat(struct scsi_qla_host *vha, u16 dpc_started)
- }
- }
-
-+static void qla_wind_down_chip(scsi_qla_host_t *vha)
-+{
-+ struct qla_hw_data *ha = vha->hw;
-+
-+ if (!ha->flags.eeh_busy)
-+ return;
-+ if (ha->pci_error_state)
-+ /* system is trying to recover */
-+ return;
-+
-+ /*
-+ * Current system is not handling PCIE error. At this point, this is
-+ * best effort to wind down the adapter.
-+ */
-+ if (time_after_eq(jiffies, ha->eeh_jif + ql2xdelay_before_pci_error_handling * HZ) &&
-+ !ha->flags.eeh_flush) {
-+ ql_log(ql_log_info, vha, 0x9009,
-+ "PCI Error detected, attempting to reset hardware.\n");
-+
-+ ha->isp_ops->reset_chip(vha);
-+ ha->isp_ops->disable_intrs(ha);
-+
-+ ha->flags.eeh_flush = EEH_FLUSH_RDY;
-+ ha->eeh_jif = jiffies;
-+
-+ } else if (ha->flags.eeh_flush == EEH_FLUSH_RDY &&
-+ time_after_eq(jiffies, ha->eeh_jif + 5 * HZ)) {
-+ pci_clear_master(ha->pdev);
-+
-+ /* flush all command */
-+ qla2x00_abort_isp_cleanup(vha);
-+ ha->flags.eeh_flush = EEH_FLUSH_DONE;
-+
-+ ql_log(ql_log_info, vha, 0x900a,
-+ "PCI Error handling complete, all IOs aborted.\n");
-+ }
-+}
-+
- /**************************************************************************
- * qla2x00_timer
- *
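Review bot: qla_wind_down_chip() stores to `ha->flags.eeh_flush` and `ha->eeh_jif` from the timer without taking a lock, while qla_pci_set_eeh_busy() resets the same two fields under `base_vha->work_lock`; `eeh_flush` is a 2-bit field packed into the shared `flags` word, so each unlocked store is a read-modify-write of bits owned by other paths. Take the same lock around the two state transitions or add a comment explaining why the timer cannot race here. The second stage also waits a hard-coded `5 * HZ` while the first uses the module parameter; a named constant would show the difference is deliberate, and `!ha->flags.eeh_flush` would read better as a comparison against a named idle value beside EEH_FLUSH_RDY and EEH_FLUSH_DONE.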
-@@ -7261,6 +7304,8 @@ qla2x00_timer(struct timer_list *t)
- fc_port_t *fcport = NULL;
-
- if (ha->flags.eeh_busy) {
-+ qla_wind_down_chip(vha);
-+
- ql_dbg(ql_dbg_timer, vha, 0x6000,
- "EEH = %d, restarting timer.\n",
- ha->flags.eeh_busy);
-@@ -7841,6 +7886,9 @@ void qla_pci_set_eeh_busy(struct scsi_qla_host *vha)
-
- spin_lock_irqsave(&base_vha->work_lock, flags);
- if (!ha->flags.eeh_busy) {
-+ ha->eeh_jif = jiffies;
-+ ha->flags.eeh_flush = 0;
-+
- ha->flags.eeh_busy = 1;
- do_cleanup = true;
- }
---
-2.35.1
-
+++ /dev/null
-From 74f0c3d28a9666032ef45b5df22ebf8019605add Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:38 -0700
-Subject: scsi: qla2xxx: Zero undefined mailbox IN registers
-
-From: Bikash Hazarika <bhazarika@marvell.com>
-
-[ Upstream commit 6c96a3c7d49593ef15805f5e497601c87695abc9 ]
-
-While requesting a new mailbox command, driver does not write any data to
-unused registers. Initialize the unused register value to zero while
-requesting a new mailbox command to prevent stale entry access by firmware.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-4-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Bikash Hazarika <bhazarika@marvell.com>
-Signed-off-by: Quinn Tran <qutran@marvell.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_mbx.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
-index 1b154ab025bd..bcade1deb798 100644
---- a/drivers/scsi/qla2xxx/qla_mbx.c
-+++ b/drivers/scsi/qla2xxx/qla_mbx.c
-@@ -238,6 +238,8 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
- ql_dbg(ql_dbg_mbx, vha, 0x1112,
- "mbox[%d]<-0x%04x\n", cnt, *iptr);
- wrt_reg_word(optr, *iptr);
-+ } else {
-+ wrt_reg_word(optr, 0);
- }
-
- mboxes >>= 1;
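Review bot: the new `else` branch writes 0 to every register whose bit is clear in `mboxes`, but it carries no comment, and only the `if` branch logs under ql_dbg_mbx. A short comment above `wrt_reg_word(optr, 0);` giving the reason from the commit message (firmware may read IN registers the command left undefined) would explain the extra register writes on every mailbox command to the next reader.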
---
-2.35.1
-
+++ /dev/null
-From 0c185f582d18580b73851b74739c9ab1501c2fa7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 12 Jul 2022 22:20:36 -0700
-Subject: scsi: Revert "scsi: qla2xxx: Fix disk failure to rediscover"
-
-From: Nilesh Javali <njavali@marvell.com>
-
-[ Upstream commit 5bc7b01c513a4a9b4cfe306e8d1720cfcfd3b8a3 ]
-
-This fixes the regression of NVMe discovery failure during driver load
-time.
-
-This reverts commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99.
-
-Link: https://lore.kernel.org/r/20220713052045.10683-2-njavali@marvell.com
-Cc: stable@vger.kernel.org
-Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
-Signed-off-by: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qla2xxx/qla_init.c | 5 ++---
- drivers/scsi/qla2xxx/qla_nvme.c | 5 -----
- 2 files changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
-index b6c3f66c4988..ad96bc19ed05 100644
---- a/drivers/scsi/qla2xxx/qla_init.c
-+++ b/drivers/scsi/qla2xxx/qla_init.c
-@@ -5778,8 +5778,6 @@ qla2x00_reg_remote_port(scsi_qla_host_t *vha, fc_port_t *fcport)
- if (atomic_read(&fcport->state) == FCS_ONLINE)
- return;
-
-- qla2x00_set_fcport_state(fcport, FCS_ONLINE);
--
- rport_ids.node_name = wwn_to_u64(fcport->node_name);
- rport_ids.port_name = wwn_to_u64(fcport->port_name);
- rport_ids.port_id = fcport->d_id.b.domain << 16 |
-@@ -5880,7 +5878,6 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
- qla2x00_reg_remote_port(vha, fcport);
- break;
- case MODE_TARGET:
-- qla2x00_set_fcport_state(fcport, FCS_ONLINE);
- if (!vha->vha_tgt.qla_tgt->tgt_stop &&
- !vha->vha_tgt.qla_tgt->tgt_stopped)
- qlt_fc_port_added(vha, fcport);
-@@ -5898,6 +5895,8 @@ qla2x00_update_fcport(scsi_qla_host_t *vha, fc_port_t *fcport)
- if (NVME_TARGET(vha->hw, fcport))
- qla_nvme_register_remote(vha, fcport);
-
-+ qla2x00_set_fcport_state(fcport, FCS_ONLINE);
-+
- if (IS_IIDMA_CAPABLE(vha->hw) && vha->hw->flags.gpsc_supported) {
- if (fcport->id_changed) {
- fcport->id_changed = 0;
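Review bot: the ordering this revert restores is undocumented at the `qla2x00_set_fcport_state(fcport, FCS_ONLINE)` call added after `qla_nvme_register_remote()`. The removed lines show why it matters: once qla2x00_reg_remote_port() had set the state, the `atomic_read(&fcport->state) == FCS_ONLINE` test removed from qla_nvme_register_remote() in the next file would return 0 before registering the NVMe remote port. A comment at the call site saying the port goes online only after the FC and NVMe registrations have run would keep those early state changes from being reintroduced.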
-diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
-index 87c9404aa401..7450c3458be7 100644
---- a/drivers/scsi/qla2xxx/qla_nvme.c
-+++ b/drivers/scsi/qla2xxx/qla_nvme.c
-@@ -37,11 +37,6 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport)
- (fcport->nvme_flag & NVME_FLAG_REGISTERED))
- return 0;
-
-- if (atomic_read(&fcport->state) == FCS_ONLINE)
-- return 0;
--
-- qla2x00_set_fcport_state(fcport, FCS_ONLINE);
--
- fcport->nvme_flag &= ~NVME_FLAG_RESETTING;
-
- memset(&req, 0, sizeof(struct nvme_fc_port_info));
---
-2.35.1
-
+++ /dev/null
-From 7180280ffcbdb8a1d9212cc2afab8b3d7b72ce5d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 Jul 2022 10:51:32 -0400
-Subject: scsi: sg: Allow waiting for commands to complete on removed device
-
-From: Tony Battersby <tonyb@cybernetics.com>
-
-[ Upstream commit 3455607fd7be10b449f5135c00dc306b85dc0d21 ]
-
-When a SCSI device is removed while in active use, currently sg will
-immediately return -ENODEV on any attempt to wait for active commands that
-were sent before the removal. This is problematic for commands that use
-SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel
-when userspace frees or reuses it after getting ENODEV, leading to
-corrupted userspace memory (in the case of READ-type commands) or corrupted
-data being sent to the device (in the case of WRITE-type commands). This
-has been seen in practice when logging out of a iscsi_tcp session, where
-the iSCSI driver may still be processing commands after the device has been
-marked for removal.
-
-Change the policy to allow userspace to wait for active sg commands even
-when the device is being removed. Return -ENODEV only when there are no
-more responses to read.
-
-Link: https://lore.kernel.org/r/5ebea46f-fe83-2d0b-233d-d0dcb362dd0a@cybernetics.com
-Cc: <stable@vger.kernel.org>
-Acked-by: Douglas Gilbert <dgilbert@interlog.com>
-Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/sg.c | 53 +++++++++++++++++++++++++++++------------------
- 1 file changed, 33 insertions(+), 20 deletions(-)
-
-diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 118c7b4a8af2..340b050ad28d 100644
---- a/drivers/scsi/sg.c
-+++ b/drivers/scsi/sg.c
-@@ -195,7 +195,7 @@ static void sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size);
- static void sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp);
- static Sg_fd *sg_add_sfp(Sg_device * sdp);
- static void sg_remove_sfp(struct kref *);
--static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id);
-+static Sg_request *sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy);
- static Sg_request *sg_add_request(Sg_fd * sfp);
- static int sg_remove_request(Sg_fd * sfp, Sg_request * srp);
- static Sg_device *sg_get_dev(int dev);
-@@ -444,6 +444,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
- Sg_fd *sfp;
- Sg_request *srp;
- int req_pack_id = -1;
-+ bool busy;
- sg_io_hdr_t *hp;
- struct sg_header *old_hdr;
- int retval;
-@@ -466,20 +467,16 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
- if (retval)
- return retval;
-
-- srp = sg_get_rq_mark(sfp, req_pack_id);
-+ srp = sg_get_rq_mark(sfp, req_pack_id, &busy);
- if (!srp) { /* now wait on packet to arrive */
-- if (atomic_read(&sdp->detaching))
-- return -ENODEV;
- if (filp->f_flags & O_NONBLOCK)
- return -EAGAIN;
- retval = wait_event_interruptible(sfp->read_wait,
-- (atomic_read(&sdp->detaching) ||
-- (srp = sg_get_rq_mark(sfp, req_pack_id))));
-- if (atomic_read(&sdp->detaching))
-- return -ENODEV;
-- if (retval)
-- /* -ERESTARTSYS as signal hit process */
-- return retval;
-+ ((srp = sg_get_rq_mark(sfp, req_pack_id, &busy)) ||
-+ (!busy && atomic_read(&sdp->detaching))));
-+ if (!srp)
-+ /* signal or detaching */
-+ return retval ? retval : -ENODEV;
- }
- if (srp->header.interface_id != '\0')
- return sg_new_read(sfp, buf, count, srp);
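Review bot: with the `atomic_read(&sdp->detaching)` test removed from the top of the `if (!srp)` block, a reader using O_NONBLOCK now gets -EAGAIN on a removed device even when nothing is outstanding, because `filp->f_flags & O_NONBLOCK` returns before the new detaching condition is ever evaluated. `busy` is already valid at that point, so `if (!busy && atomic_read(&sdp->detaching)) return -ENODEV;` ahead of the O_NONBLOCK test would give non-blocking callers the same "no more responses" answer the commit message describes for blocking ones.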
-@@ -940,9 +937,7 @@ sg_ioctl_common(struct file *filp, Sg_device *sdp, Sg_fd *sfp,
- if (result < 0)
- return result;
- result = wait_event_interruptible(sfp->read_wait,
-- (srp_done(sfp, srp) || atomic_read(&sdp->detaching)));
-- if (atomic_read(&sdp->detaching))
-- return -ENODEV;
-+ srp_done(sfp, srp));
- write_lock_irq(&sfp->rq_list_lock);
- if (srp->done) {
- srp->done = 2;
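Review bot: the SG_IO wait now depends on `srp_done(sfp, srp)` alone, so after device removal it ends only when the request completes or a signal arrives. That matches the commit message, but it assumes every in-flight request is completed or failed back during teardown; a comment above the `wait_event_interruptible()` stating that assumption would make the dropped `detaching` check easier to trust.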
-@@ -2079,19 +2074,28 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_request * srp)
- }
-
- static Sg_request *
--sg_get_rq_mark(Sg_fd * sfp, int pack_id)
-+sg_get_rq_mark(Sg_fd * sfp, int pack_id, bool *busy)
- {
- Sg_request *resp;
- unsigned long iflags;
-
-+ *busy = false;
- write_lock_irqsave(&sfp->rq_list_lock, iflags);
- list_for_each_entry(resp, &sfp->rq_list, entry) {
-- /* look for requests that are ready + not SG_IO owned */
-- if ((1 == resp->done) && (!resp->sg_io_owned) &&
-+ /* look for requests that are not SG_IO owned */
-+ if ((!resp->sg_io_owned) &&
- ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
-- resp->done = 2; /* guard against other readers */
-- write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
-- return resp;
-+ switch (resp->done) {
-+ case 0: /* request active */
-+ *busy = true;
-+ break;
-+ case 1: /* request done; response ready to return */
-+ resp->done = 2; /* guard against other readers */
-+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
-+ return resp;
-+ case 2: /* response already being returned */
-+ break;
-+ }
- }
- }
- write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
-@@ -2145,6 +2149,15 @@ sg_remove_request(Sg_fd * sfp, Sg_request * srp)
- res = 1;
- }
- write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
-+
-+ /*
-+ * If the device is detaching, wakeup any readers in case we just
-+ * removed the last response, which would leave nothing for them to
-+ * return other than -ENODEV.
-+ */
-+ if (unlikely(atomic_read(&sfp->parentdp->detaching)))
-+ wake_up_interruptible_all(&sfp->read_wait);
-+
- return res;
- }
-
---
-2.35.1
-
+++ /dev/null
-From 040076f0ab10143dc046c3347c9b3c04d0330d7a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 26 Jul 2022 11:12:21 +0200
-Subject: serial: mvebu-uart: uart2 error bits clearing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Narendra Hadke <nhadke@marvell.com>
-
-[ Upstream commit a7209541239e5dd44d981289e5f9059222d40fd1 ]
-
-For mvebu uart2, error bits are not cleared on buffer read.
-This causes interrupt loop and system hang.
-
-Cc: stable@vger.kernel.org
-Reviewed-by: Yi Guo <yi.guo@cavium.com>
-Reviewed-by: Nadav Haklai <nadavh@marvell.com>
-Signed-off-by: Narendra Hadke <nhadke@marvell.com>
-Signed-off-by: Pali Rohár <pali@kernel.org>
-Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/tty/serial/mvebu-uart.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
-index 93489fe334d0..65eaecd10b7c 100644
---- a/drivers/tty/serial/mvebu-uart.c
-+++ b/drivers/tty/serial/mvebu-uart.c
-@@ -265,6 +265,7 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status)
- struct tty_port *tport = &port->state->port;
- unsigned char ch = 0;
- char flag = 0;
-+ int ret;
-
- do {
- if (status & STAT_RX_RDY(port)) {
-@@ -277,6 +278,16 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status)
- port->icount.parity++;
- }
-
-+ /*
-+ * For UART2, error bits are not cleared on buffer read.
-+ * This causes interrupt loop and system hang.
-+ */
-+ if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) {
-+ ret = readl(port->membase + UART_STAT);
-+ ret |= STAT_BRK_ERR;
-+ writel(ret, port->membase + UART_STAT);
-+ }
-+
- if (status & STAT_BRK_DET) {
- port->icount.brk++;
- status &= ~(STAT_FRM_ERR | STAT_PAR_ERR);
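Review bot: in the new UART2 block the register value is held in `int ret`, a name and type that suggest an error code; an unsigned 32-bit variable named for the status register would match what `readl()` returns. The read-modify-write also writes back every other bit that was set in UART_STAT, and the comment speaks of "error bits" while only STAT_BRK_ERR is handled. The comment should say how the bit is cleared (`ret |= STAT_BRK_ERR` implies writing 1 clears it) and whether writing the remaining status bits back is harmless.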
---
-2.35.1
-
spmi-trace-fix-stack-out-of-bound-access-in-spmi-tracing-functions.patch
csky-abiv1-fixup-compile-error.patch
drivers-base-fix-userspace-break-from-using-bin_attributes-for-cpumap-and-cpulist.patch
-kvm-drop-unused-gpa-param-from-gfn-pfn-cache-s-__rel.patch
-kvm-put-the-extra-pfn-reference-when-reusing-a-pfn-i.patch
-kvm-do-not-incorporate-page-offset-into-gfn-pfn-cach.patch
-kvm-fully-serialize-gfn-pfn-cache-refresh-via-mutex.patch-7350
-kvm-fix-multiple-races-in-gfn-pfn-cache-refresh.patch-19149
-hid-wacom-only-report-rotation-for-art-pen.patch-25074
-hid-wacom-don-t-register-pad_input-for-touch-switch.patch-820
-drm-nouveau-fix-another-off-by-one-in-nvbios_addr.patch-28623
-bpf-fix-kasan-use-after-free-read-in-compute_effecti.patch
-drm-mediatek-modify-dsi-funcs-to-atomic-operations.patch-7159
-drm-mediatek-separate-poweron-poweroff-from-enable-d.patch-3169
drm-mediatek-keep-dsi-as-lp00-before-dcs-cmds-transf.patch
-kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch
-hid-hid-input-add-surface-go-battery-quirk.patch-7851
-crypto-ccp-use-kzalloc-for-sev-ioctl-interfaces-to-p.patch
crypto-blake2s-remove-shash-module.patch
-drm-dp-mst-read-the-extended-dpcd-capabilities-durin.patch
-scsi-qla2xxx-fix-excessive-i-o-error-messages-by-def.patch
-scsi-qla2xxx-wind-down-adapter-after-pcie-error.patch-31117
-scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch-20754
-scsi-qla2xxx-fix-crash-due-to-stale-srb-access-aroun.patch
-scsi-qla2xxx-fix-losing-fcp-2-targets-during-port-pe.patch
-scsi-qla2xxx-fix-losing-target-when-it-reappears-dur.patch
-scsi-qla2xxx-fix-losing-fcp-2-targets-on-long-port-d.patch
-scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci.patch
-fbcon-fix-accelerated-fbdev-scrolling-while-logo-is-.patch
-fbcon-fix-boundary-checks-for-fbcon-vc-n1-n2-paramet.patch
-kvm-nvmx-snapshot-pre-vm-enter-bndcfgs-for-nested_ru.patch
-kvm-nvmx-snapshot-pre-vm-enter-debugctl-for-nested_r.patch
-drm-hyperv-drm-include-framebuffer-and-edid-headers.patch-15144
-coresight-clear-the-connection-field-properly.patch-22500
-usbnet-fix-linkwatch-use-after-free-on-disconnect.patch-30140
-drm-fb-helper-fix-out-of-bounds-access.patch-14074
-drm-vc4-hdmi-disable-audio-if-dmas-property-is-prese.patch
-fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch-23282
-powerpc-restore-config_debug_info-in-defconfigs.patch-27837
-powerpc-ptdump-fix-display-of-rw-pages-on-fsl_book3e.patch-3011
-powerpc-64e-fix-early-tlb-miss-with-kuap.patch-29650
-mtd-rawnand-arasan-update-nand-bus-clock-instead-of-.patch
-mtd-rawnand-arasan-fix-clock-rate-in-nv-ddr.patch-18581
-ia64-processor-fix-wincompatible-pointer-types-in-ia.patch
-usbnet-smsc95xx-fix-deadlock-on-runtime-resume.patch-22908
-drm-ingenic-use-the-highest-possible-dma-burst-size.patch-22931
firmware-arm_scpi-ensure-scpi_info-is-not-assigned-i.patch
-media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch-24025
-__follow_mount_rcu-verify-that-mount_lock-remains-un.patch
-soundwire-qcom-check-device-status-before-reading-de.patch
-scsi-lpfc-remove-extra-atomic_inc-on-cmd_pending-in-.patch
-usb-dwc3-gadget-refactor-dwc3_repare_one_trb.patch-8861
-usb-dwc3-gadget-fix-high-speed-multiplier-setting.patch-13588
intel_th-pci-add-meteor-lake-p-support.patch
intel_th-pci-add-raptor-lake-s-pch-support.patch
intel_th-pci-add-raptor-lake-s-cpu-support.patch
-drm-tegra-fix-vmapping-of-prime-buffers.patch-28390
-media-patch-pci-atomisp_cmd-fix-three-missing-checks.patch
kvm-set_msr_mce-permit-guests-to-ignore-single-bit-e.patch
kvm-x86-signal-gp-not-eperm-on-bad-wrmsr-mci_ctl-sta.patch
iommu-vt-d-avoid-invalid-memory-access-via-node_onli.patch
pci-aer-iterate-over-error-counters-instead-of-error.patch
pci-qcom-power-on-phy-before-ipq8074-dbi-register-ac.patch
-drm-amdgpu-check-bo-s-requested-pinning-domains-agai.patch
-kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch
-kvm-x86-set-error-code-to-segment-selector-on-lldt-l.patch
-mips-cpuinfo-fix-a-warning-for-config_cpumask_offsta.patch
-tty-8250-add-support-for-brainboxes-px-cards.patch-25863
dm-writecache-set-a-default-max_writeback_jobs.patch
-drm-nouveau-kms-fix-failure-path-for-creating-dp-con.patch
-drm-nouveau-acpi-don-t-print-error-when-we-get-einpr.patch
-drm-nouveau-don-t-pm_runtime_put_sync-only-pm_runtim.patch
-alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch
-x86-olpc-fix-logical-not-is-only-applied-to-the-left.patch
-drivers-base-fix-userspace-break-from-using-bin_attr.patch
kexec_file-drop-weak-attribute-from-functions.patch
kexec-clean-up-arch_kexec_kernel_verify_sig.patch
kexec-keys-s390-make-use-of-built-in-and-secondary-k.patch
tracing-events-add-__vstring-and-__assign_vstr-helpe.patch
dm-thin-fix-use-after-free-crash-in-dm_sm_register_t.patch
net-9p-initialize-the-iounit-field-during-fid-creati.patch
-um-remove-straying-parenthesis.patch-5379
-epoll-autoremove-wakers-even-more-aggressively.patch-6975
arm-marvell-update-pcie-fixup.patch
timekeeping-contribute-wall-clock-to-rng-on-time-cha.patch
-um-seed-rng-using-host-os-rng.patch-8415
-scsi-revert-scsi-qla2xxx-fix-disk-failure-to-redisco.patch
-scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch-30577
-scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch-4895
-scsi-qla2xxx-fix-response-queue-handler-reading-stal.patch
-scsi-qla2xxx-edif-fix-dropped-ike-message.patch
-scsi-qla2xxx-fix-imbalance-vha-vref_count.patch-12738
-scsi-qla2xxx-fix-discovery-issues-in-fc-al-topology.patch-25366
-scsi-qla2xxx-update-manufacturer-details.patch
-scsi-sg-allow-waiting-for-commands-to-complete-on-re.patch
-iio-fix-iio_format_avail_range-printing-for-none-iio.patch
-iio-light-isl29028-fix-the-warning-in-isl29028_remov.patch
-tty-vt-initialize-unicode-screen-buffer.patch-8483
-kvm-s390-pv-don-t-present-the-ecall-interrupt-twice.patch-16826
locking-csd_lock-change-csdlock_debug-from-early_par.patch
block-don-t-allow-the-same-type-rq_qos-add-more-than.patch
-hid-nintendo-add-missing-array-termination.patch-24808
-fuse-write-inode-in-fuse_release.patch-28840
-fuse-fix-deadlock-between-atomic-o_trunc-and-page-in.patch
-fuse-limit-nsec.patch-2050
-fuse-ioctl-translate-enosys.patch-17448
-alsa-usb-audio-add-quirk-for-behringer-umc202hd.patch-24063
-spmi-trace-fix-stack-out-of-bound-access-in-spmi-tra.patch
-btrfs-reject-log-replay-if-there-is-unsupported-ro-c.patch
btrfs-tree-log-make-the-return-value-for-log-syncing.patch
btrfs-ensure-pages-are-unlocked-on-cow_file_range-fa.patch
btrfs-fix-error-handling-of-fallback-uncompress-writ.patch
btrfs-join-running-log-transaction-when-logging-new-.patch
intel_idle-make-spr-c1-and-c1e-be-independent.patch
acpi-cppc-do-not-prevent-cppc-from-working-in-the-fu.patch
-powerpc-fsl-pci-fix-class-code-of-pcie-root-port.patch-7836
-usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch-24136
-usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch-12274
-usb-typec-ucsi-acknowledge-the-get_error_status-comm.patch
-powerpc-powernv-avoid-crashing-if-rng-is-null.patch-9536
powerpc-powernv-kvm-use-darn-for-h_random-on-power9.patch
-serial-mvebu-uart-uart2-error-bits-clearing.patch-15528
-ovl-drop-warn_on-dentry-is-null-in-ovl_encode_fh.patch-29266
s390-unwind-fix-fgraph-return-address-recovery.patch
-kvm-x86-split-kvm_is_valid_cr4-and-export-only-the-n.patch
-kvm-nvmx-account-for-kvm-reserved-cr4-bits-in-consis.patch
-kvm-nvmx-inject-ud-if-vmxon-is-attempted-with-incomp.patch
-kvm-nvmx-let-userspace-set-nvmx-msr-to-any-_host_-su.patch
kvm-x86-pmu-introduce-the-ctrl_mask-value-for-fixed-.patch
kvm-vmx-mark-all-perf_global_-ovf-_ctrl-bits-reserve.patch
kvm-x86-pmu-ignore-pmu-global_ctrl-check-if-vpmu-doe.patch
revert-kvm-x86-pmu-accept-0-for-absent-pmu-msrs-when.patch
kvm-vmx-add-helper-to-check-if-the-guest-pmu-has-per.patch
kvm-nvmx-attempt-to-load-perf_global_ctrl-on-nvmx-xf.patch
-kvm-x86-mmu-treat-nx-as-a-valid-spte-bit-for-npt.patch-3797
dm-raid-fix-address-sanitizer-warning-in-raid_status.patch
dm-raid-fix-address-sanitizer-warning-in-raid_resume.patch
dm-fix-dm-raid-crash-if-md_handle_request-splits-bio.patch
mm-damon-reclaim-fix-potential-memory-leak-in-damon_.patch
hugetlb_cgroup-fix-wrong-hugetlb-cgroup-numa-stat.patch
batman-adv-tracing-use-the-new-__vstring-helper.patch
-ftrace-x86-add-back-ftrace_expected-assignment.patch-6434
-alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch-15916
tracing-use-a-struct-alignof-to-determine-trace-even.patch
-csky-abiv1-fixup-compile-error.patch-25803
-ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch-5672
-ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch-30412
-ksmbd-prevent-out-of-bound-read-for-smb2_write.patch-20867
-ksmbd-prevent-out-of-bound-read-for-smb2_tree_connne.patch
-parisc-fix-device-names-in-proc-iomem.patch-18836
-parisc-drop-pa_swapper_pg_lock-spinlock.patch-26906
-parisc-check-the-return-value-of-ioremap-in-lba_driv.patch
-parisc-io_pgetevents_time64-needs-compat-syscall-in-.patch
-input-gscps2-check-return-value-of-ioremap-in-gscps2.patch
-x86-kprobes-update-kcb-status-flag-after-singlestepp.patch
-arm-dts-uniphier-fix-usb-interrupts-for-pxs2-soc.patch-2243
-arm64-dts-uniphier-fix-usb-interrupts-for-pxs3-soc.patch-8226
-md-raid-destroy-the-bitmap-after-destroying-the-thre.patch
-md-raid10-fix-kasan-warning.patch-1758
ext4-fix-reading-leftover-inlined-symlinks.patch
ext4-update-s_overhead_clusters-in-the-superblock-du.patch
ext4-fix-extent-status-tree-race-in-writeback-error-.patch
documentation-ext4-fix-cell-spacing-of-table-heading.patch
ext4-check-if-directory-block-is-within-i_size.patch
ext4-make-sure-ext4_append-always-allocates-new-bloc.patch
-mbcache-don-t-reclaim-used-entries.patch-21676
-mbcache-add-functions-to-delete-entry-if-unused.patch-21045
ext4-remove-ea-inode-entry-from-mbcache-on-inode-evi.patch
ext4-unindent-codeblock-in-ext4_xattr_block_set.patch
ext4-fix-race-when-reusing-xattr-blocks.patch
-thermal-sysfs-fix-cooling_device_stats_setup-error-c.patch
-alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb.patch
keys-asymmetric-enforce-sm2-signature-use-pkey-algo.patch
tpm-eventlog-fix-section-mismatch-for-debug_section_.patch
tpm-add-check-for-failure-mode-for-tpm2-modules.patch
-ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch-15594
-vfs-check-the-truncate-maximum-size-in-inode_newsize.patch
+++ /dev/null
-From 22279f33dd8646f63cc191b62fa6c863d0dd016b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 6 Jul 2022 10:56:44 +0100
-Subject: soundwire: qcom: Check device status before reading devid
-
-From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
-
-[ Upstream commit aa1262ca66957183ea1fb32a067e145b995f3744 ]
-
-As per hardware datasheet its recommended that we check the device
-status before reading devid assigned by auto-enumeration.
-
-Without this patch we see SoundWire devices with invalid enumeration
-addresses on the bus.
-
-Cc: stable@vger.kernel.org
-Fixes: a6e6581942ca ("soundwire: qcom: add auto enumeration support")
-Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
-Link: https://lore.kernel.org/r/20220706095644.5852-1-srinivas.kandagatla@linaro.org
-Signed-off-by: Vinod Koul <vkoul@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/soundwire/qcom.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
-index 22b706350ead..b5ec7726592c 100644
---- a/drivers/soundwire/qcom.c
-+++ b/drivers/soundwire/qcom.c
-@@ -471,6 +471,10 @@ static int qcom_swrm_enumerate(struct sdw_bus *bus)
- char *buf1 = (char *)&val1, *buf2 = (char *)&val2;
-
- for (i = 1; i <= SDW_MAX_DEVICES; i++) {
-+ /* do not continue if the status is Not Present */
-+ if (!ctrl->status[i])
-+ continue;
-+
- /*SCP_Devid5 - Devid 4*/
- ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_1(i), &val1);
-
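Review bot: `if (!ctrl->status[i])` encodes "Not Present" as a bare zero; comparing against the named status value would make the test match its comment and survive a change to the enumeration. The loop runs `i` from 1 through SDW_MAX_DEVICES inclusive, so `ctrl->status[]` needs SDW_MAX_DEVICES + 1 entries; its declaration is not part of this hunk and should be confirmed.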
---
-2.35.1
-
+++ /dev/null
-From 2d56df30d76af97123d66b3f131f270e6d686b5d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Jun 2022 16:55:12 -0700
-Subject: spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
-
-From: David Collins <quic_collinsd@quicinc.com>
-
-[ Upstream commit 2af28b241eea816e6f7668d1954f15894b45d7e3 ]
-
-trace_spmi_write_begin() and trace_spmi_read_end() both call
-memcpy() with a length of "len + 1". This leads to one extra
-byte being read beyond the end of the specified buffer. Fix
-this out-of-bound memory access by using a length of "len"
-instead.
-
-Here is a KASAN log showing the issue:
-
-BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
-Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
-...
-Call trace:
- dump_backtrace+0x0/0x3e8
- show_stack+0x2c/0x3c
- dump_stack_lvl+0xdc/0x11c
- print_address_description+0x74/0x384
- kasan_report+0x188/0x268
- kasan_check_range+0x270/0x2b0
- memcpy+0x90/0xe8
- trace_event_raw_event_spmi_read_end+0x1d0/0x234
- spmi_read_cmd+0x294/0x3ac
- spmi_ext_register_readl+0x84/0x9c
- regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
- _regmap_raw_read+0x40c/0x754
- regmap_raw_read+0x3a0/0x514
- regmap_bulk_read+0x418/0x494
- adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
- ...
- __arm64_sys_read+0x4c/0x60
- invoke_syscall+0x80/0x218
- el0_svc_common+0xec/0x1c8
- ...
-
-addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
- adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]
-
-this frame has 1 object:
- [32, 33) 'status'
-
-Memory state around the buggy address:
- ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
- ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
->ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
- ^
- ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
-==================================================================
-
-Fixes: a9fce374815d ("spmi: add command tracepoints for SPMI")
-Cc: stable@vger.kernel.org
-Reviewed-by: Stephen Boyd <sboyd@kernel.org>
-Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
-Signed-off-by: David Collins <quic_collinsd@quicinc.com>
-Link: https://lore.kernel.org/r/20220627235512.2272783-1-quic_collinsd@quicinc.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/trace/events/spmi.h | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/include/trace/events/spmi.h b/include/trace/events/spmi.h
-index 8b60efe18ba6..a6819fd85cdf 100644
---- a/include/trace/events/spmi.h
-+++ b/include/trace/events/spmi.h
-@@ -21,15 +21,15 @@ TRACE_EVENT(spmi_write_begin,
- __field ( u8, sid )
- __field ( u16, addr )
- __field ( u8, len )
-- __dynamic_array ( u8, buf, len + 1 )
-+ __dynamic_array ( u8, buf, len )
- ),
-
- TP_fast_assign(
- __entry->opcode = opcode;
- __entry->sid = sid;
- __entry->addr = addr;
-- __entry->len = len + 1;
-- memcpy(__get_dynamic_array(buf), buf, len + 1);
-+ __entry->len = len;
-+ memcpy(__get_dynamic_array(buf), buf, len);
- ),
-
- TP_printk("opc=%d sid=%02d addr=0x%04x len=%d buf=0x[%*phD]",
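Review bot: besides shrinking the copy, this hunk changes the recorded `__entry->len` from `len + 1` to `len`, so the `len` value in the trace output for the same transfer is one lower than before. The commit message covers only the out-of-bounds read; it should also state that `len` is the real byte count and that the old value was off by one, since tools parsing these events will see the difference.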
-@@ -92,7 +92,7 @@ TRACE_EVENT(spmi_read_end,
- __field ( u16, addr )
- __field ( int, ret )
- __field ( u8, len )
-- __dynamic_array ( u8, buf, len + 1 )
-+ __dynamic_array ( u8, buf, len )
- ),
-
- TP_fast_assign(
-@@ -100,8 +100,8 @@ TRACE_EVENT(spmi_read_end,
- __entry->sid = sid;
- __entry->addr = addr;
- __entry->ret = ret;
-- __entry->len = len + 1;
-- memcpy(__get_dynamic_array(buf), buf, len + 1);
-+ __entry->len = len;
-+ memcpy(__get_dynamic_array(buf), buf, len);
- ),
-
- TP_printk("opc=%d sid=%02d addr=0x%04x ret=%d len=%02d buf=0x[%*phD]",
---
-2.35.1
-
+++ /dev/null
-From 801cc2015d8cbd8a81277013b3c4ec0b643d3a2a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 29 Jul 2022 17:39:07 +0200
-Subject: thermal: sysfs: Fix cooling_device_stats_setup() error code path
-
-From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
-[ Upstream commit d5a8aa5d7d80d21ab6b266f1bed4194b61746199 ]
-
-If cooling_device_stats_setup() fails to create the stats object, it
-must clear the last slot in cooling_device_attr_groups that was
-initially empty (so as to make it possible to add stats attributes to
-the cooling device attribute groups).
-
-Failing to do so may cause the stats attributes to be created by
-mistake for a device that doesn't have a stats object, because the
-slot in question might be populated previously during the registration
-of another cooling device.
-
-Fixes: 8ea229511e06 ("thermal: Add cooling device's statistics in sysfs")
-Reported-by: Di Shen <di.shen@unisoc.com>
-Tested-by: Di Shen <di.shen@unisoc.com>
-Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/thermal/thermal_sysfs.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
-index 1c4aac8464a7..1e5a78131aba 100644
---- a/drivers/thermal/thermal_sysfs.c
-+++ b/drivers/thermal/thermal_sysfs.c
-@@ -813,12 +813,13 @@ static const struct attribute_group cooling_device_stats_attr_group = {
-
- static void cooling_device_stats_setup(struct thermal_cooling_device *cdev)
- {
-+ const struct attribute_group *stats_attr_group = NULL;
- struct cooling_dev_stats *stats;
- unsigned long states;
- int var;
-
- if (cdev->ops->get_max_state(cdev, &states))
-- return;
-+ goto out;
-
- states++; /* Total number of states is highest state + 1 */
-
-@@ -828,7 +829,7 @@ static void cooling_device_stats_setup(struct thermal_cooling_device *cdev)
-
- stats = kzalloc(var, GFP_KERNEL);
- if (!stats)
-- return;
-+ goto out;
-
- stats->time_in_state = (ktime_t *)(stats + 1);
- stats->trans_table = (unsigned int *)(stats->time_in_state + states);
-@@ -838,9 +839,12 @@ static void cooling_device_stats_setup(struct thermal_cooling_device *cdev)
-
- spin_lock_init(&stats->lock);
-
-+ stats_attr_group = &cooling_device_stats_attr_group;
-+
-+out:
- /* Fill the empty slot left in cooling_device_attr_groups */
- var = ARRAY_SIZE(cooling_device_attr_groups) - 2;
-- cooling_device_attr_groups[var] = &cooling_device_stats_attr_group;
-+ cooling_device_attr_groups[var] = stats_attr_group;
- }
-
- static void cooling_device_stats_destroy(struct thermal_cooling_device *cdev)
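Review bot: the comment kept above the final assignment still says "Fill the empty slot left in cooling_device_attr_groups", but after the new `out:` label the slot is written with `stats_attr_group`, which is still NULL on both `goto out` paths. The same statement therefore fills the slot on success and clears it on failure, and the comment should say so. The commit message describes the slot as possibly populated by the registration of another cooling device, so this is a shared array rewritten on every call; a line stating what serialises those calls would help the next reader.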
---
-2.35.1
-
+++ /dev/null
-From d5a779b3947b0de53727a97e7a50c53e27258d0e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 11 Jul 2022 16:35:10 +0100
-Subject: tty: 8250: Add support for Brainboxes PX cards.
-
-From: Cameron Williams <cang1@live.co.uk>
-
-[ Upstream commit ef5a03a26c87a760bc3d86b5af7b773e82f8b1b7 ]
-
-Add support for some of the Brainboxes PCIe (PX) range of
-serial cards, including the PX-101, PX-235/PX-246,
-PX-203/PX-257, PX-260/PX-701, PX-310, PX-313,
-PX-320/PX-324/PX-376/PX-387, PX-335/PX-346, PX-368, PX-420,
-PX-803 and PX-846.
-
-Signed-off-by: Cameron Williams <cang1@live.co.uk>
-Cc: stable <stable@kernel.org>
-Link: https://lore.kernel.org/r/AM5PR0202MB2564669252BDC59BF55A6E87C4879@AM5PR0202MB2564.eurprd02.prod.outlook.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/tty/serial/8250/8250_pci.c | 109 +++++++++++++++++++++++++++++
- 1 file changed, 109 insertions(+)
-
-diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
-index a17619db7939..f6732c1ed238 100644
---- a/drivers/tty/serial/8250/8250_pci.c
-+++ b/drivers/tty/serial/8250/8250_pci.c
-@@ -5076,6 +5076,115 @@ static const struct pci_device_id serial_pci_tbl[] = {
- PCI_ANY_ID, PCI_ANY_ID,
- 0, 0,
- pbn_b2_4_115200 },
-+ /*
-+ * Brainboxes PX-101
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4005,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_b0_2_115200 },
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4019,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_2_15625000 },
-+ /*
-+ * Brainboxes PX-235/246
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4004,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_b0_1_115200 },
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4016,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_1_15625000 },
-+ /*
-+ * Brainboxes PX-203/PX-257
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4006,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_b0_2_115200 },
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4015,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_4_15625000 },
-+ /*
-+ * Brainboxes PX-260/PX-701
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x400A,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_4_15625000 },
-+ /*
-+ * Brainboxes PX-310
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x400E,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_2_15625000 },
-+ /*
-+ * Brainboxes PX-313
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x400C,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_2_15625000 },
-+ /*
-+ * Brainboxes PX-320/324/PX-376/PX-387
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x400B,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_1_15625000 },
-+ /*
-+ * Brainboxes PX-335/346
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x400F,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_4_15625000 },
-+ /*
-+ * Brainboxes PX-368
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4010,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_4_15625000 },
-+ /*
-+ * Brainboxes PX-420
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4000,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_b0_4_115200 },
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4011,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_4_15625000 },
-+ /*
-+ * Brainboxes PX-803
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4009,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_b0_1_115200 },
-+ { PCI_VENDOR_ID_INTASHIELD, 0x401E,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_1_15625000 },
-+ /*
-+ * Brainboxes PX-846
-+ */
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4008,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_b0_1_115200 },
-+ { PCI_VENDOR_ID_INTASHIELD, 0x4017,
-+ PCI_ANY_ID, PCI_ANY_ID,
-+ 0, 0,
-+ pbn_oxsemi_1_15625000 },
-+
- /*
- * Perle PCI-RAS cards
- */
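Review bot: under the "Brainboxes PX-203/PX-257" comment, device 0x4006 is mapped to `pbn_b0_2_115200` while 0x4015 is mapped to `pbn_oxsemi_4_15625000`, so the two IDs for the same card group get board types whose names indicate different port counts. Every other two-ID group in this hunk pairs matching counts (PX-101 uses `pbn_b0_2_115200` with `pbn_oxsemi_2_15625000`, PX-420 uses `pbn_b0_4_115200` with `pbn_oxsemi_4_15625000`). Please confirm the 0x4015 entry against the hardware, or add a comment explaining the difference. The group comments are also inconsistent in style ("PX-235/246" next to "PX-203/PX-257"); using the full model name each time would make the table easier to grep.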
---
-2.35.1
-
+++ /dev/null
-From 4ba55f6cee68a9d823d68a382f70be58049709e0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 19 Jul 2022 14:49:39 +0900
-Subject: tty: vt: initialize unicode screen buffer
-
-From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-
-[ Upstream commit af77c56aa35325daa2bc2bed5c2ebf169be61b86 ]
-
-syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read
-immediately after resize operation. Initialize buffer using kzalloc().
-
- ----------
- #include <fcntl.h>
- #include <unistd.h>
- #include <sys/ioctl.h>
- #include <linux/fb.h>
-
- int main(int argc, char *argv[])
- {
- struct fb_var_screeninfo var = { };
- const int fb_fd = open("/dev/fb0", 3);
- ioctl(fb_fd, FBIOGET_VSCREENINFO, &var);
- var.yres = 0x21;
- ioctl(fb_fd, FBIOPUT_VSCREENINFO, &var);
- return read(open("/dev/vcsu", O_RDONLY), &var, sizeof(var)) == -1;
- }
- ----------
-
-Link: https://syzkaller.appspot.com/bug?extid=31a641689d43387f05d3 [1]
-Cc: stable <stable@vger.kernel.org>
-Reported-by: syzbot <syzbot+31a641689d43387f05d3@syzkaller.appspotmail.com>
-Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
-Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Link: https://lore.kernel.org/r/4ef053cf-e796-fb5e-58b7-3ae58242a4ad@I-love.SAKURA.ne.jp
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/tty/vt/vt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
-index dfc1f4b445f3..6eaf8eb84661 100644
---- a/drivers/tty/vt/vt.c
-+++ b/drivers/tty/vt/vt.c
-@@ -344,7 +344,7 @@ static struct uni_screen *vc_uniscr_alloc(unsigned int cols, unsigned int rows)
- /* allocate everything in one go */
- memsize = cols * rows * sizeof(char32_t);
- memsize += rows * sizeof(char32_t *);
-- p = vmalloc(memsize);
-+ p = vzalloc(memsize);
- if (!p)
- return NULL;
-
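Review bot: the commit message says the buffer is initialised "using kzalloc()", but the change is from `vmalloc(memsize)` to `vzalloc(memsize)`; the message should name the function actually used. In the context lines above the change, `cols * rows` is a product of two `unsigned int` parameters computed before the multiplication by `sizeof(char32_t)`, so it can wrap unless callers bound both values. Since this allocation is what the message says is read back through vcs_read(), a check_mul_overflow() guard or a comment naming the bound would be worth adding alongside the zeroing.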
---
-2.35.1
-
+++ /dev/null
-From a6a0f18473e1a64bfda2f4a192f3692fd833716c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 31 May 2022 11:17:39 +0000
-Subject: um: Remove straying parenthesis
-
-From: Benjamin Beichler <benjamin.beichler@uni-rostock.de>
-
-[ Upstream commit c6496e0a4a90d8149203c16323cff3fa46e422e7 ]
-
-Commit e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode")
-caused a build regression when CONFIG_XOR_BLOCKS and CONFIG_UML_TIME_TRAVEL_SUPPORT
-are selected.
-Fix it by removing the straying parenthesis.
-
-Cc: stable@vger.kernel.org
-Fixes: e3a33af812c6 ("um: fix and optimize xor select template for CONFIG64 and timetravel mode")
-Signed-off-by: Benjamin Beichler <benjamin.beichler@uni-rostock.de>
-[rw: Added commit message]
-Signed-off-by: Richard Weinberger <richard@nod.at>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/um/include/asm/xor.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/um/include/asm/xor.h b/arch/um/include/asm/xor.h
-index 22b39de73c24..647fae200c5d 100644
---- a/arch/um/include/asm/xor.h
-+++ b/arch/um/include/asm/xor.h
-@@ -18,7 +18,7 @@
- #undef XOR_SELECT_TEMPLATE
- /* pick an arbitrary one - measuring isn't possible with inf-cpu */
- #define XOR_SELECT_TEMPLATE(x) \
-- (time_travel_mode == TT_MODE_INFCPU ? TT_CPU_INF_XOR_DEFAULT : x))
-+ (time_travel_mode == TT_MODE_INFCPU ? TT_CPU_INF_XOR_DEFAULT : x)
- #endif
-
- #endif
---
-2.35.1
-
+++ /dev/null
-From 2e26ddf816692690d73af68c3eb552e320ca3e2b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 13 Jul 2022 01:12:21 +0200
-Subject: um: seed rng using host OS rng
-
-From: Jason A. Donenfeld <Jason@zx2c4.com>
-
-[ Upstream commit 0b9ba6135d7f18b82f3d8bebb55ded725ba88e0e ]
-
-UML generally does not provide access to special CPU instructions like
-RDRAND, and execution tends to be rather deterministic, with no real
-hardware interrupts, making good randomness really very hard, if not
-all together impossible. Not only is this a security eyebrow raiser, but
-it's also quite annoying when trying to do various pieces of UML-based
-automation that takes a long time to boot, if ever.
-
-Fix this by trivially calling getrandom() in the host and using that
-seed as "bootloader randomness", which initializes the rng immediately
-at UML boot.
-
-The old behavior can be restored the same way as on any other arch, by
-way of CONFIG_TRUST_BOOTLOADER_RANDOMNESS=n or
-random.trust_bootloader=0. So seen from that perspective, this just
-makes UML act like other archs, which is positive in its own right.
-
-Additionally, wire up arch_get_random_{int,long}() in the same way, so
-that reseeds can also make use of the host RNG, controllable by
-CONFIG_TRUST_CPU_RANDOMNESS and random.trust_cpu, per usual.
-
-Cc: stable@vger.kernel.org
-Acked-by: Johannes Berg <johannes@sipsolutions.net>
-Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/um/include/asm/archrandom.h | 30 ++++++++++++++++++++++++++++++
- arch/um/include/shared/os.h | 7 +++++++
- arch/um/kernel/um_arch.c | 8 ++++++++
- arch/um/os-Linux/util.c | 6 ++++++
- 4 files changed, 51 insertions(+)
- create mode 100644 arch/um/include/asm/archrandom.h
-
-diff --git a/arch/um/include/asm/archrandom.h b/arch/um/include/asm/archrandom.h
-new file mode 100644
-index 000000000000..2f24cb96391d
---- /dev/null
-+++ b/arch/um/include/asm/archrandom.h
-@@ -0,0 +1,30 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+#ifndef __ASM_UM_ARCHRANDOM_H__
-+#define __ASM_UM_ARCHRANDOM_H__
-+
-+#include <linux/types.h>
-+
-+/* This is from <os.h>, but better not to #include that in a global header here. */
-+ssize_t os_getrandom(void *buf, size_t len, unsigned int flags);
-+
-+static inline bool __must_check arch_get_random_long(unsigned long *v)
-+{
-+ return os_getrandom(v, sizeof(*v), 0) == sizeof(*v);
-+}
-+
-+static inline bool __must_check arch_get_random_int(unsigned int *v)
-+{
-+ return os_getrandom(v, sizeof(*v), 0) == sizeof(*v);
-+}
-+
-+static inline bool __must_check arch_get_random_seed_long(unsigned long *v)
-+{
-+ return false;
-+}
-+
-+static inline bool __must_check arch_get_random_seed_int(unsigned int *v)
-+{
-+ return false;
-+}
-+
-+#endif
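Review bot: arch_get_random_long() and arch_get_random_int() call `os_getrandom(v, sizeof(*v), 0)`, and with flags 0 the host getrandom() blocks until the host's pool is initialised, so a reseed in the guest can stall on the host. Passing GRND_NONBLOCK would make these helpers return false in that situation, which the existing `== sizeof(*v)` comparison already handles. The new header also has no comment saying why the two `arch_get_random_seed_*()` variants unconditionally return false; one line on that would document the intent.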
-diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
-index fafde1d5416e..0df646c6651e 100644
---- a/arch/um/include/shared/os.h
-+++ b/arch/um/include/shared/os.h
-@@ -11,6 +11,12 @@
- #include <irq_user.h>
- #include <longjmp.h>
- #include <mm_id.h>
-+/* This is to get size_t */
-+#ifndef __UM_HOST__
-+#include <linux/types.h>
-+#else
-+#include <sys/types.h>
-+#endif
-
- #define CATCH_EINTR(expr) while ((errno = 0, ((expr) < 0)) && (errno == EINTR))
-
-@@ -243,6 +249,7 @@ extern void stack_protections(unsigned long address);
- extern int raw(int fd);
- extern void setup_machinename(char *machine_out);
- extern void setup_hostinfo(char *buf, int len);
-+extern ssize_t os_getrandom(void *buf, size_t len, unsigned int flags);
- extern void os_dump_core(void) __attribute__ ((noreturn));
- extern void um_early_printk(const char *s, unsigned int n);
- extern void os_fix_helper_signals(void);
-diff --git a/arch/um/kernel/um_arch.c b/arch/um/kernel/um_arch.c
-index 9838967d0b2f..e0de60e503b9 100644
---- a/arch/um/kernel/um_arch.c
-+++ b/arch/um/kernel/um_arch.c
-@@ -16,6 +16,7 @@
- #include <linux/sched/task.h>
- #include <linux/kmsg_dump.h>
- #include <linux/suspend.h>
-+#include <linux/random.h>
-
- #include <asm/processor.h>
- #include <asm/cpufeature.h>
-@@ -406,6 +407,8 @@ int __init __weak read_initrd(void)
-
- void __init setup_arch(char **cmdline_p)
- {
-+ u8 rng_seed[32];
-+
- stack_protections((unsigned long) &init_thread_info);
- setup_physmem(uml_physmem, uml_reserved, physmem_size, highmem);
- mem_total_pages(physmem_size, iomem_size, highmem);
-@@ -416,6 +419,11 @@ void __init setup_arch(char **cmdline_p)
- strlcpy(boot_command_line, command_line, COMMAND_LINE_SIZE);
- *cmdline_p = command_line;
- setup_hostinfo(host_info, sizeof host_info);
-+
-+ if (os_getrandom(rng_seed, sizeof(rng_seed), 0) == sizeof(rng_seed)) {
-+ add_bootloader_randomness(rng_seed, sizeof(rng_seed));
-+ memzero_explicit(rng_seed, sizeof(rng_seed));
-+ }
- }
-
- void __init check_bugs(void)
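Review bot: `memzero_explicit(rng_seed, sizeof(rng_seed))` sits inside the success branch only, so when os_getrandom() returns anything other than `sizeof(rng_seed)` the buffer is left on the stack without being wiped, including any bytes a short read did deliver. Moving the memzero_explicit() call after the `if` block clears the buffer on every path at no cost.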
-diff --git a/arch/um/os-Linux/util.c b/arch/um/os-Linux/util.c
-index 41297ec404bf..fc0f2a9dee5a 100644
---- a/arch/um/os-Linux/util.c
-+++ b/arch/um/os-Linux/util.c
-@@ -14,6 +14,7 @@
- #include <sys/wait.h>
- #include <sys/mman.h>
- #include <sys/utsname.h>
-+#include <sys/random.h>
- #include <init.h>
- #include <os.h>
-
-@@ -96,6 +97,11 @@ static inline void __attribute__ ((noreturn)) uml_abort(void)
- exit(127);
- }
-
-+ssize_t os_getrandom(void *buf, size_t len, unsigned int flags)
-+{
-+ return getrandom(buf, len, flags);
-+}
-+
- /*
- * UML helper threads must not handle SIGWINCH/INT/TERM
- */
---
-2.35.1
-
+++ /dev/null
-From 25eec0f3ea8c7037878dbfa2801f71808bbe3897 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Jul 2022 16:18:12 +0200
-Subject: usb: dwc3: gadget: fix high speed multiplier setting
-
-From: Michael Grzeschik <m.grzeschik@pengutronix.de>
-
-[ Upstream commit 8affe37c525d800a2628c4ecfaed13b77dc5634a ]
-
-For High-Speed Transfers the prepare_one_trb function is calculating the
-multiplier setting for the trb based on the length parameter of the trb
-currently prepared. This assumption is wrong. For trbs with a sg list,
-the length of the actual request has to be taken instead.
-
-Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets")
-Cc: stable <stable@kernel.org>
-Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
-Link: https://lore.kernel.org/r/20220704141812.1532306-3-m.grzeschik@pengutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/dwc3/gadget.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
-index 1b7d73638969..52d5a7c81362 100644
---- a/drivers/usb/dwc3/gadget.c
-+++ b/drivers/usb/dwc3/gadget.c
-@@ -1264,10 +1264,10 @@ static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
- unsigned int mult = 2;
- unsigned int maxp = usb_endpoint_maxp(ep->desc);
-
-- if (trb_length <= (2 * maxp))
-+ if (req->request.length <= (2 * maxp))
- mult--;
-
-- if (trb_length <= maxp)
-+ if (req->request.length <= maxp)
- mult--;
-
- trb->size |= DWC3_TRB_SIZE_PCM1(mult);
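Review bot: missing comment on why the PCM1 multiplier is now taken from `req->request.length` in both comparisons while the rest of the function keeps sizing the TRB from `trb_length`. The commit message gives the reason (for requests with an sg list the length of the whole request is what counts), but nothing at the site says so, and the next reader will see two different lengths in one function. A short comment above `if (req->request.length <= (2 * maxp))` would prevent this from being "fixed" back.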
---
-2.35.1
-
+++ /dev/null
-From a4c08ba674cd5fa59b05d31b34a23c96236de36f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 4 Jul 2022 16:18:11 +0200
-Subject: usb: dwc3: gadget: refactor dwc3_repare_one_trb
-
-From: Michael Grzeschik <m.grzeschik@pengutronix.de>
-
-[ Upstream commit 23385cec5f354794dadced7f28c31da7ae3eb54c ]
-
-The function __dwc3_prepare_one_trb has many parameters. Since it is
-only used in dwc3_prepare_one_trb there is no point in keeping the
-function. We merge both functions and get rid of the big list of
-parameters.
-
-Fixes: 40d829fb2ec6 ("usb: dwc3: gadget: Correct ISOC DATA PIDs for short packets")
-Cc: stable <stable@kernel.org>
-Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
-Link: https://lore.kernel.org/r/20220704141812.1532306-2-m.grzeschik@pengutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/dwc3/gadget.c | 92 +++++++++++++++++----------------------
- 1 file changed, 40 insertions(+), 52 deletions(-)
-
-diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
-index 0d89dfa6eef5..1b7d73638969 100644
---- a/drivers/usb/dwc3/gadget.c
-+++ b/drivers/usb/dwc3/gadget.c
-@@ -1182,17 +1182,49 @@ static u32 dwc3_calc_trbs_left(struct dwc3_ep *dep)
- return trbs_left;
- }
-
--static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
-- dma_addr_t dma, unsigned int length, unsigned int chain,
-- unsigned int node, unsigned int stream_id,
-- unsigned int short_not_ok, unsigned int no_interrupt,
-- unsigned int is_last, bool must_interrupt)
-+/**
-+ * dwc3_prepare_one_trb - setup one TRB from one request
-+ * @dep: endpoint for which this request is prepared
-+ * @req: dwc3_request pointer
-+ * @trb_length: buffer size of the TRB
-+ * @chain: should this TRB be chained to the next?
-+ * @node: only for isochronous endpoints. First TRB needs different type.
-+ * @use_bounce_buffer: set to use bounce buffer
-+ * @must_interrupt: set to interrupt on TRB completion
-+ */
-+static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
-+ struct dwc3_request *req, unsigned int trb_length,
-+ unsigned int chain, unsigned int node, bool use_bounce_buffer,
-+ bool must_interrupt)
- {
-+ struct dwc3_trb *trb;
-+ dma_addr_t dma;
-+ unsigned int stream_id = req->request.stream_id;
-+ unsigned int short_not_ok = req->request.short_not_ok;
-+ unsigned int no_interrupt = req->request.no_interrupt;
-+ unsigned int is_last = req->request.is_last;
- struct dwc3 *dwc = dep->dwc;
- struct usb_gadget *gadget = dwc->gadget;
- enum usb_device_speed speed = gadget->speed;
-
-- trb->size = DWC3_TRB_SIZE_LENGTH(length);
-+ if (use_bounce_buffer)
-+ dma = dep->dwc->bounce_addr;
-+ else if (req->request.num_sgs > 0)
-+ dma = sg_dma_address(req->start_sg);
-+ else
-+ dma = req->request.dma;
-+
-+ trb = &dep->trb_pool[dep->trb_enqueue];
-+
-+ if (!req->trb) {
-+ dwc3_gadget_move_started_request(req);
-+ req->trb = trb;
-+ req->trb_dma = dwc3_trb_dma_offset(dep, trb);
-+ }
-+
-+ req->num_trbs++;
-+
-+ trb->size = DWC3_TRB_SIZE_LENGTH(trb_length);
- trb->bpl = lower_32_bits(dma);
- trb->bph = upper_32_bits(dma);
-
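Review bot: style point in the merged body: `dma = dep->dwc->bounce_addr;` dereferences `dep->dwc` again although the function already declares `struct dwc3 *dwc = dep->dwc;` a few lines above it. Using `dwc->bounce_addr` keeps the merged function consistent with the code that was already here. The Subject line also spells the function "dwc3_repare_one_trb", while the kernel-doc and the definition in this hunk use `dwc3_prepare_one_trb`.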
-@@ -1232,10 +1264,10 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
- unsigned int mult = 2;
- unsigned int maxp = usb_endpoint_maxp(ep->desc);
-
-- if (length <= (2 * maxp))
-+ if (trb_length <= (2 * maxp))
- mult--;
-
-- if (length <= maxp)
-+ if (trb_length <= maxp)
- mult--;
-
- trb->size |= DWC3_TRB_SIZE_PCM1(mult);
-@@ -1309,50 +1341,6 @@ static void __dwc3_prepare_one_trb(struct dwc3_ep *dep, struct dwc3_trb *trb,
- trace_dwc3_prepare_trb(dep, trb);
- }
-
--/**
-- * dwc3_prepare_one_trb - setup one TRB from one request
-- * @dep: endpoint for which this request is prepared
-- * @req: dwc3_request pointer
-- * @trb_length: buffer size of the TRB
-- * @chain: should this TRB be chained to the next?
-- * @node: only for isochronous endpoints. First TRB needs different type.
-- * @use_bounce_buffer: set to use bounce buffer
-- * @must_interrupt: set to interrupt on TRB completion
-- */
--static void dwc3_prepare_one_trb(struct dwc3_ep *dep,
-- struct dwc3_request *req, unsigned int trb_length,
-- unsigned int chain, unsigned int node, bool use_bounce_buffer,
-- bool must_interrupt)
--{
-- struct dwc3_trb *trb;
-- dma_addr_t dma;
-- unsigned int stream_id = req->request.stream_id;
-- unsigned int short_not_ok = req->request.short_not_ok;
-- unsigned int no_interrupt = req->request.no_interrupt;
-- unsigned int is_last = req->request.is_last;
--
-- if (use_bounce_buffer)
-- dma = dep->dwc->bounce_addr;
-- else if (req->request.num_sgs > 0)
-- dma = sg_dma_address(req->start_sg);
-- else
-- dma = req->request.dma;
--
-- trb = &dep->trb_pool[dep->trb_enqueue];
--
-- if (!req->trb) {
-- dwc3_gadget_move_started_request(req);
-- req->trb = trb;
-- req->trb_dma = dwc3_trb_dma_offset(dep, trb);
-- }
--
-- req->num_trbs++;
--
-- __dwc3_prepare_one_trb(dep, trb, dma, trb_length, chain, node,
-- stream_id, short_not_ok, no_interrupt, is_last,
-- must_interrupt);
--}
--
- static bool dwc3_needs_extra_trb(struct dwc3_ep *dep, struct dwc3_request *req)
- {
- unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc);
---
-2.35.1
-
+++ /dev/null
-From 695e00b305c742f7d25e7a4347d0a6f6f3488047 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 21 Jul 2022 11:07:10 -0400
-Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent()
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-[ Upstream commit 2191c00855b03aa59c20e698be713d952d51fc18 ]
-
-The syzbot fuzzer found a race between uevent callbacks and gadget
-driver unregistration that can cause a use-after-free bug:
-
----------------------------------------------------------------
-BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130
-drivers/usb/gadget/udc/core.c:1732
-Read of size 8 at addr ffff888078ce2050 by task udevd/2968
-
-CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
-Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
-06/29/2022
-Call Trace:
- <TASK>
- __dump_stack lib/dump_stack.c:88 [inline]
- dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
- print_address_description mm/kasan/report.c:317 [inline]
- print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
- kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
- usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
- dev_uevent+0x290/0x770 drivers/base/core.c:2424
----------------------------------------------------------------
-
-The bug occurs because usb_udc_uevent() dereferences udc->driver but
-does so without acquiring the udc_lock mutex, which protects this
-field. If the gadget driver is unbound from the udc concurrently with
-uevent processing, the driver structure may be accessed after it has
-been deallocated.
-
-To prevent the race, we make sure that the routine holds the mutex
-around the racing accesses.
-
-Link: <https://lore.kernel.org/all/0000000000004de90405a719c951@google.com>
-CC: stable@vger.kernel.org # fc274c1e9973
-Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/gadget/udc/core.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
-index 7886497253cc..cafcf260394c 100644
---- a/drivers/usb/gadget/udc/core.c
-+++ b/drivers/usb/gadget/udc/core.c
-@@ -1728,13 +1728,14 @@ static int usb_udc_uevent(struct device *dev, struct kobj_uevent_env *env)
- return ret;
- }
-
-- if (udc->driver) {
-+ mutex_lock(&udc_lock);
-+ if (udc->driver)
- ret = add_uevent_var(env, "USB_UDC_DRIVER=%s",
- udc->driver->function);
-- if (ret) {
-- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
-- return ret;
-- }
-+ mutex_unlock(&udc_lock);
-+ if (ret) {
-+ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n");
-+ return ret;
- }
-
- return 0;
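Review bot: the `if (ret)` check now runs outside the `if (udc->driver)` branch, so when `udc->driver` is NULL it tests whatever `ret` holds from the block above. The preceding context returns on a non-zero `ret`, so the value is zero here, but that dependency is implicit. Keeping braces on `if (udc->driver)` and recording the add_uevent_var() result there, or adding a one-line comment, would make the error path self-contained. A short comment that `udc_lock` is taken because it protects `udc->driver` (as the commit message states) would also help, since the lock is only held across two lines.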
---
-2.35.1
-
+++ /dev/null
-From bcd8d6752d2fa9b3d117527f7cd8444380afa4a8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 26 Jul 2022 15:49:18 +0800
-Subject: USB: HCD: Fix URB giveback issue in tasklet function
-
-From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
-
-[ Upstream commit 26c6c2f8a907c9e3a2f24990552a4d77235791e6 ]
-
-Usb core introduce the mechanism of giveback of URB in tasklet context to
-reduce hardware interrupt handling time. On some test situation(such as
-FIO with 4KB block size), when tasklet callback function called to
-giveback URB, interrupt handler add URB node to the bh->head list also.
-If check bh->head list again after finish all URB giveback of local_list,
-then it may introduce a "dynamic balance" between giveback URB and add URB
-to bh->head list. This tasklet callback function may not exit for a long
-time, which will cause other tasklet function calls to be delayed. Some
-real-time applications(such as KB and Mouse) will see noticeable lag.
-
-In order to prevent the tasklet function from occupying the cpu for a long
-time at a time, new URBS will not be added to the local_list even though
-the bh->head list is not empty. But also need to ensure the left URB
-giveback to be processed in time, so add a member high_prio for structure
-giveback_urb_bh to prioritize tasklet and schelule this tasklet again if
-bh->head list is not empty.
-
-At the same time, we are able to prioritize tasklet through structure
-member high_prio. So, replace the local high_prio_bh variable with this
-structure member in usb_hcd_giveback_urb.
-
-Fixes: 94dfd7edfd5c ("USB: HCD: support giveback of URB in tasklet context")
-Cc: stable <stable@kernel.org>
-Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
-Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
-Link: https://lore.kernel.org/r/20220726074918.5114-1-WeitaoWang-oc@zhaoxin.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/core/hcd.c | 26 +++++++++++++++-----------
- include/linux/usb/hcd.h | 1 +
- 2 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 06eea8848ccc..11c8ea0cccc8 100644
---- a/drivers/usb/core/hcd.c
-+++ b/drivers/usb/core/hcd.c
-@@ -1691,7 +1691,6 @@ static void usb_giveback_urb_bh(struct tasklet_struct *t)
-
- spin_lock_irq(&bh->lock);
- bh->running = true;
-- restart:
- list_replace_init(&bh->head, &local_list);
- spin_unlock_irq(&bh->lock);
-
-@@ -1705,10 +1704,17 @@ static void usb_giveback_urb_bh(struct tasklet_struct *t)
- bh->completing_ep = NULL;
- }
-
-- /* check if there are new URBs to giveback */
-+ /*
-+ * giveback new URBs next time to prevent this function
-+ * from not exiting for a long time.
-+ */
- spin_lock_irq(&bh->lock);
-- if (!list_empty(&bh->head))
-- goto restart;
-+ if (!list_empty(&bh->head)) {
-+ if (bh->high_prio)
-+ tasklet_hi_schedule(&bh->bh);
-+ else
-+ tasklet_schedule(&bh->bh);
-+ }
- bh->running = false;
- spin_unlock_irq(&bh->lock);
- }
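Review bot: the `if (bh->high_prio) tasklet_hi_schedule(&bh->bh); else tasklet_schedule(&bh->bh);` selection added here duplicates the one at the end of usb_hcd_giveback_urb() later in this patch. A small helper taking `bh` would keep the two sites from drifting apart. The replacement comment ("giveback new URBs next time to prevent this function from not exiting for a long time") is hard to parse; something like "defer URBs queued meanwhile to the next tasklet run so this one terminates" says the same thing directly.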
-@@ -1737,7 +1743,7 @@ static void usb_giveback_urb_bh(struct tasklet_struct *t)
- void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status)
- {
- struct giveback_urb_bh *bh;
-- bool running, high_prio_bh;
-+ bool running;
-
- /* pass status to tasklet via unlinked */
- if (likely(!urb->unlinked))
-@@ -1748,13 +1754,10 @@ void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status)
- return;
- }
-
-- if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe)) {
-+ if (usb_pipeisoc(urb->pipe) || usb_pipeint(urb->pipe))
- bh = &hcd->high_prio_bh;
-- high_prio_bh = true;
-- } else {
-+ else
- bh = &hcd->low_prio_bh;
-- high_prio_bh = false;
-- }
-
- spin_lock(&bh->lock);
- list_add_tail(&urb->urb_list, &bh->head);
-@@ -1763,7 +1766,7 @@ void usb_hcd_giveback_urb(struct usb_hcd *hcd, struct urb *urb, int status)
-
- if (running)
- ;
-- else if (high_prio_bh)
-+ else if (bh->high_prio)
- tasklet_hi_schedule(&bh->bh);
- else
- tasklet_schedule(&bh->bh);
-@@ -2959,6 +2962,7 @@ int usb_add_hcd(struct usb_hcd *hcd,
-
- /* initialize tasklets */
- init_giveback_urb_bh(&hcd->high_prio_bh);
-+ hcd->high_prio_bh.high_prio = true;
- init_giveback_urb_bh(&hcd->low_prio_bh);
-
- /* enable irqs just before we start the controller,
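Review bot: `hcd->high_prio_bh.high_prio = true;` is set by hand after init_giveback_urb_bh(), and `low_prio_bh.high_prio` is never assigned in this patch, so its value depends on the hcd structure having been zeroed at allocation. Either pass the priority into init_giveback_urb_bh() or set the low-priority field to false explicitly, so both tasklets are initialised in one visible place.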
-diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
-index 2c1fc9212cf2..98d1921f02b1 100644
---- a/include/linux/usb/hcd.h
-+++ b/include/linux/usb/hcd.h
-@@ -66,6 +66,7 @@
-
- struct giveback_urb_bh {
- bool running;
-+ bool high_prio;
- spinlock_t lock;
- struct list_head head;
- struct tasklet_struct bh;
---
-2.35.1
-
+++ /dev/null
-From d6b81f001c2bae43f67f2e757774341def8894be Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 26 Jul 2022 14:45:49 +0800
-Subject: usb: typec: ucsi: Acknowledge the GET_ERROR_STATUS command completion
-
-From: Linyu Yuan <quic_linyyuan@quicinc.com>
-
-[ Upstream commit a7dc438b5e446afcd1b3b6651da28271400722f2 ]
-
-We found PPM will not send any notification after it report error status
-and OPM issue GET_ERROR_STATUS command to read the details about error.
-
-According UCSI spec, PPM may clear the Error Status Data after the OPM
-has acknowledged the command completion.
-
-This change add operation to acknowledge the command completion from PPM.
-
-Fixes: bdc62f2bae8f (usb: typec: ucsi: Simplified registration and I/O API)
-Cc: <stable@vger.kernel.org> # 5.10
-Signed-off-by: Jack Pham <quic_jackp@quicinc.com>
-Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
-Link: https://lore.kernel.org/r/1658817949-4632-1-git-send-email-quic_linyyuan@quicinc.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/typec/ucsi/ucsi.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
-index cbd862f9f2a1..1aea46493b85 100644
---- a/drivers/usb/typec/ucsi/ucsi.c
-+++ b/drivers/usb/typec/ucsi/ucsi.c
-@@ -76,6 +76,10 @@ static int ucsi_read_error(struct ucsi *ucsi)
- if (ret)
- return ret;
-
-+ ret = ucsi_acknowledge_command(ucsi);
-+ if (ret)
-+ return ret;
-+
- switch (error) {
- case UCSI_ERROR_INCOMPATIBLE_PARTNER:
- return -EOPNOTSUPP;
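Review bot: when ucsi_acknowledge_command() fails, the new `if (ret) return ret;` returns before the `switch (error)`, so the error status that was just read is discarded and the caller sees the acknowledge failure instead of the mapped code such as `-EOPNOTSUPP`. If that is intended, a comment should say so; otherwise consider logging the acknowledge failure and still falling through to the switch so the original error is reported.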
---
-2.35.1
-
+++ /dev/null
-From e76a4cdb309afe50d707c3a04df9f64540323d98 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 23 Jun 2022 14:50:59 +0200
-Subject: usbnet: Fix linkwatch use-after-free on disconnect
-
-From: Lukas Wunner <lukas@wunner.de>
-
-[ Upstream commit a69e617e533edddf3fa3123149900f36e0a6dc74 ]
-
-usbnet uses the work usbnet_deferred_kevent() to perform tasks which may
-sleep. On disconnect, completion of the work was originally awaited in
-->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic
-commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock":
-
- https://git.kernel.org/tglx/history/c/0f138bbfd83c
-
-The change was made because back then, the kernel's workqueue
-implementation did not allow waiting for a single work. One had to wait
-for completion of *all* work by calling flush_scheduled_work(), and that
-could deadlock when waiting for usbnet_deferred_kevent() with rtnl_mutex
-held in ->ndo_stop().
-
-The commit solved one problem but created another: It causes a
-use-after-free in USB Ethernet drivers aqc111.c, asix_devices.c,
-ax88179_178a.c, ch9200.c and smsc75xx.c:
-
-* If the drivers receive a link change interrupt immediately before
- disconnect, they raise EVENT_LINK_RESET in their (non-sleepable)
- ->status() callback and schedule usbnet_deferred_kevent().
-* usbnet_deferred_kevent() invokes the driver's ->link_reset() callback,
- which calls netif_carrier_{on,off}().
-* That in turn schedules the work linkwatch_event().
-
-Because usbnet_deferred_kevent() is awaited after unregister_netdev(),
-netif_carrier_{on,off}() may operate on an unregistered netdev and
-linkwatch_event() may run after free_netdev(), causing a use-after-free.
-
-In 2010, usbnet was changed to only wait for a single instance of
-usbnet_deferred_kevent() instead of *all* work by commit 23f333a2bfaf
-("drivers/net: don't use flush_scheduled_work()").
-
-Unfortunately the commit neglected to move the wait back to
-->ndo_stop(). Rectify that omission at long last.
-
-Reported-by: Jann Horn <jannh@google.com>
-Link: https://lore.kernel.org/netdev/CAG48ez0MHBbENX5gCdHAUXZ7h7s20LnepBF-pa5M=7Bi-jZrEA@mail.gmail.com/
-Reported-by: Oleksij Rempel <o.rempel@pengutronix.de>
-Link: https://lore.kernel.org/netdev/20220315113841.GA22337@pengutronix.de/
-Signed-off-by: Lukas Wunner <lukas@wunner.de>
-Cc: stable@vger.kernel.org
-Acked-by: Oliver Neukum <oneukum@suse.com>
-Link: https://lore.kernel.org/r/d1c87ebe9fc502bffcd1576e238d685ad08321e4.1655987888.git.lukas@wunner.de
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/usb/usbnet.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 78a92751ce4c..0ed09bb91c44 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -849,13 +849,11 @@ int usbnet_stop (struct net_device *net)
-
- mpn = !test_and_clear_bit(EVENT_NO_RUNTIME_PM, &dev->flags);
-
-- /* deferred work (task, timer, softirq) must also stop.
-- * can't flush_scheduled_work() until we drop rtnl (later),
-- * else workers could deadlock; so make workers a NOP.
-- */
-+ /* deferred work (timer, softirq, task) must also stop */
- dev->flags = 0;
- del_timer_sync (&dev->delay);
- tasklet_kill (&dev->bh);
-+ cancel_work_sync(&dev->kevent);
- if (!pm)
- usb_autopm_put_interface(dev->intf);
-
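Review bot: The replacement comment above `dev->flags = 0;` drops the rtnl reasoning that the old three-line comment carried, yet `cancel_work_sync(&dev->kevent)` now waits in usbnet_stop(), the very place the old comment said a flush could deadlock. Per the commit message this is safe because only the single kevent work is awaited rather than all scheduled work, so please keep a sentence in the comment saying that, and that the kevent handler must therefore never take rtnl_mutex itself. It would also help to say why the cancel comes after del_timer_sync() and tasklet_kill() rather than before them, in case the work item can re-arm either.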
-@@ -1619,8 +1617,6 @@ void usbnet_disconnect (struct usb_interface *intf)
- net = dev->net;
- unregister_netdev (net);
-
-- cancel_work_sync(&dev->kevent);
--
- usb_scuttle_anchored_urbs(&dev->deferred);
-
- if (dev->driver_info->unbind)
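Review bot: With `cancel_work_sync(&dev->kevent)` removed after `unregister_netdev (net)`, usbnet_disconnect() no longer waits for the kevent work itself and depends entirely on usbnet_stop() having run. That holds only if nothing can schedule kevent while the interface is down or after unregister_netdev() returns; a short comment at this spot stating that assumption would make the dependency visible to whoever next touches the teardown order before `usb_scuttle_anchored_urbs()`.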
---
-2.35.1
-
+++ /dev/null
-From 7660b6340c5f30ea6c98ee7271cefad4f9193d98 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 1 Jul 2022 22:47:51 +0200
-Subject: usbnet: smsc95xx: Fix deadlock on runtime resume
-
-From: Lukas Wunner <lukas@wunner.de>
-
-[ Upstream commit 7b960c967f2aa01ab8f45c5a0bd78e754cffdeee ]
-
-Commit 05b35e7eb9a1 ("smsc95xx: add phylib support") amended
-smsc95xx_resume() to call phy_init_hw(). That function waits for the
-device to runtime resume even though it is placed in the runtime resume
-path, causing a deadlock.
-
-The problem is that phy_init_hw() calls down to smsc95xx_mdiobus_read(),
-which never uses the _nopm variant of usbnet_read_cmd().
-
-Commit b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with
-reset operation") causes a similar deadlock on resume if the device was
-already runtime suspended when entering system sleep:
-
-That's because the commit introduced smsc95xx_reset_resume(), which
-calls down to smsc95xx_reset(), which neglects to use _nopm accessors.
-
-Fix by auto-detecting whether a device access is performed by the
-suspend/resume task_struct and use the _nopm variant if so. This works
-because the PM core guarantees that suspend/resume callbacks are run in
-task context.
-
-Stacktrace for posterity:
-
- INFO: task kworker/2:1:49 blocked for more than 122 seconds.
- Workqueue: usb_hub_wq hub_event
- schedule
- rpm_resume
- __pm_runtime_resume
- usb_autopm_get_interface
- usbnet_read_cmd
- __smsc95xx_read_reg
- __smsc95xx_phy_wait_not_busy
- __smsc95xx_mdio_read
- smsc95xx_mdiobus_read
- __mdiobus_read
- mdiobus_read
- smsc_phy_reset
- phy_init_hw
- smsc95xx_resume
- usb_resume_interface
- usb_resume_both
- usb_runtime_resume
- __rpm_callback
- rpm_callback
- rpm_resume
- __pm_runtime_resume
- usb_autoresume_device
- hub_event
- process_one_work
-
-Fixes: b4df480f68ae ("usbnet: smsc95xx: add reset_resume function with reset operation")
-Signed-off-by: Lukas Wunner <lukas@wunner.de>
-Cc: stable@vger.kernel.org # v3.16+
-Cc: Andre Edich <andre.edich@microchip.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/usb/smsc95xx.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
-index bd03e16f98a1..4dc43929e370 100644
---- a/drivers/net/usb/smsc95xx.c
-+++ b/drivers/net/usb/smsc95xx.c
-@@ -71,6 +71,7 @@ struct smsc95xx_priv {
- struct fwnode_handle *irqfwnode;
- struct mii_bus *mdiobus;
- struct phy_device *phydev;
-+ struct task_struct *pm_task;
- };
-
- static bool turbo_mode = true;
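Review bot: The new `struct task_struct *pm_task;` member has no comment, and it is the one field here whose meaning is not clear from its type: it is compared against `current` in the register accessors, so it is written by the suspend/resume task and read by any other task doing register I/O. Please document that it is non-NULL only while a suspend/resume callback is running, and consider WRITE_ONCE()/READ_ONCE() on the accesses, since no lock is visible around them in this patch.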
-@@ -80,13 +81,14 @@ MODULE_PARM_DESC(turbo_mode, "Enable multiple frames per Rx transaction");
- static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
- u32 *data, int in_pm)
- {
-+ struct smsc95xx_priv *pdata = dev->driver_priv;
- u32 buf;
- int ret;
- int (*fn)(struct usbnet *, u8, u8, u16, u16, void *, u16);
-
- BUG_ON(!dev);
-
-- if (!in_pm)
-+ if (current != pdata->pm_task)
- fn = usbnet_read_cmd;
- else
- fn = usbnet_read_cmd_nopm;
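Review bot: In __smsc95xx_read_reg() the new initializer `struct smsc95xx_priv *pdata = dev->driver_priv;` dereferences `dev` before the existing `BUG_ON(!dev);` a few lines below, so that check can no longer fire ahead of a NULL dereference. Either assign `pdata` after the BUG_ON or drop the BUG_ON; the same applies to __smsc95xx_write_reg() in the next hunk.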
-@@ -110,13 +112,14 @@ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
- static int __must_check __smsc95xx_write_reg(struct usbnet *dev, u32 index,
- u32 data, int in_pm)
- {
-+ struct smsc95xx_priv *pdata = dev->driver_priv;
- u32 buf;
- int ret;
- int (*fn)(struct usbnet *, u8, u8, u16, u16, const void *, u16);
-
- BUG_ON(!dev);
-
-- if (!in_pm)
-+ if (current != pdata->pm_task)
- fn = usbnet_write_cmd;
- else
- fn = usbnet_write_cmd_nopm;
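Review bot: After `if (!in_pm)` becomes `if (current != pdata->pm_task)`, the `int in_pm` parameter of __smsc95xx_write_reg() (and of __smsc95xx_read_reg() in the previous hunk) is no longer consulted in the lines shown. If nothing else in the function uses it, remove the parameter in a follow-up or add a comment that it is deliberately ignored, so callers of the _nopm wrappers are not misled into thinking the flag still selects the accessor.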
-@@ -1490,9 +1493,12 @@ static int smsc95xx_suspend(struct usb_interface *intf, pm_message_t message)
- u32 val, link_up;
- int ret;
-
-+ pdata->pm_task = current;
-+
- ret = usbnet_suspend(intf, message);
- if (ret < 0) {
- netdev_warn(dev->net, "usbnet_suspend error\n");
-+ pdata->pm_task = NULL;
- return ret;
- }
-
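Review bot: In smsc95xx_suspend() `pdata->pm_task` is cleared by hand in the `usbnet_suspend error` branch and again before the final `return ret;`, which means every other return between those two points has to remember it as well. smsc95xx_resume() in this same patch funnels its exits through a `done:` label; doing the same here would keep a stale pm_task from surviving an early return and silently selecting the _nopm accessors for a later caller on that task.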
-@@ -1732,6 +1738,7 @@ static int smsc95xx_suspend(struct usb_interface *intf, pm_message_t message)
- if (ret && PMSG_IS_AUTO(message))
- usbnet_resume(intf);
-
-+ pdata->pm_task = NULL;
- return ret;
- }
-
-@@ -1752,29 +1759,31 @@ static int smsc95xx_resume(struct usb_interface *intf)
- /* do this first to ensure it's cleared even in error case */
- pdata->suspend_flags = 0;
-
-+ pdata->pm_task = current;
-+
- if (suspend_flags & SUSPEND_ALLMODES) {
- /* clear wake-up sources */
- ret = smsc95xx_read_reg_nopm(dev, WUCSR, &val);
- if (ret < 0)
-- return ret;
-+ goto done;
-
- val &= ~(WUCSR_WAKE_EN_ | WUCSR_MPEN_);
-
- ret = smsc95xx_write_reg_nopm(dev, WUCSR, val);
- if (ret < 0)
-- return ret;
-+ goto done;
-
- /* clear wake-up status */
- ret = smsc95xx_read_reg_nopm(dev, PM_CTRL, &val);
- if (ret < 0)
-- return ret;
-+ goto done;
-
- val &= ~PM_CTL_WOL_EN_;
- val |= PM_CTL_WUPS_;
-
- ret = smsc95xx_write_reg_nopm(dev, PM_CTRL, val);
- if (ret < 0)
-- return ret;
-+ goto done;
- }
-
- phy_init_hw(pdata->phydev);
-@@ -1783,15 +1792,20 @@ static int smsc95xx_resume(struct usb_interface *intf)
- if (ret < 0)
- netdev_warn(dev->net, "usbnet_resume error\n");
-
-+done:
-+ pdata->pm_task = NULL;
- return ret;
- }
-
- static int smsc95xx_reset_resume(struct usb_interface *intf)
- {
- struct usbnet *dev = usb_get_intfdata(intf);
-+ struct smsc95xx_priv *pdata = dev->driver_priv;
- int ret;
-
-+ pdata->pm_task = current;
- ret = smsc95xx_reset(dev);
-+ pdata->pm_task = NULL;
- if (ret < 0)
- return ret;
-
---
-2.35.1
-
+++ /dev/null
-From e04fea8cd8ac26f4d38a6c8f8550dc732235ab0c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Aug 2022 09:52:35 +0100
-Subject: vfs: Check the truncate maximum size in inode_newsize_ok()
-
-From: David Howells <dhowells@redhat.com>
-
-[ Upstream commit e2ebff9c57fe4eb104ce4768f6ebcccf76bef849 ]
-
-If something manages to set the maximum file size to MAX_OFFSET+1, this
-can cause the xfs and ext4 filesystems at least to become corrupt.
-
-Ordinarily, the kernel protects against userspace trying this by
-checking the value early in the truncate() and ftruncate() system calls
-calls - but there are at least two places that this check is bypassed:
-
- (1) Cachefiles will round up the EOF of the backing file to DIO block
- size so as to allow DIO on the final block - but this might push
- the offset negative. It then calls notify_change(), but this
- inadvertently bypasses the checking. This can be triggered if
- someone puts an 8EiB-1 file on a server for someone else to try and
- access by, say, nfs.
-
- (2) ksmbd doesn't check the value it is given in set_end_of_file_info()
- and then calls vfs_truncate() directly - which also bypasses the
- check.
-
-In both cases, it is potentially possible for a network filesystem to
-cause a disk filesystem to be corrupted: cachefiles in the client's
-cache filesystem; ksmbd in the server's filesystem.
-
-nfsd is okay as it checks the value, but we can then remove this check
-too.
-
-Fix this by adding a check to inode_newsize_ok(), as called from
-setattr_prepare(), thereby catching the issue as filesystems set up to
-perform the truncate with minimal opportunity for bypassing the new
-check.
-
-Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
-Fixes: f44158485826 ("cifsd: add file operations")
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reported-by: Jeff Layton <jlayton@kernel.org>
-Tested-by: Jeff Layton <jlayton@kernel.org>
-Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
-Cc: stable@kernel.org
-Acked-by: Alexander Viro <viro@zeniv.linux.org.uk>
-cc: Steve French <sfrench@samba.org>
-cc: Hyunchul Lee <hyc.lee@gmail.com>
-cc: Chuck Lever <chuck.lever@oracle.com>
-cc: Dave Wysochanski <dwysocha@redhat.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/attr.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/fs/attr.c b/fs/attr.c
-index dbe996b0dedf..f581c4d00897 100644
---- a/fs/attr.c
-+++ b/fs/attr.c
-@@ -184,6 +184,8 @@ EXPORT_SYMBOL(setattr_prepare);
- */
- int inode_newsize_ok(const struct inode *inode, loff_t offset)
- {
-+ if (offset < 0)
-+ return -EINVAL;
- if (inode->i_size < offset) {
- unsigned long limit;
-
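Review bot: The `if (offset < 0) return -EINVAL;` check is added at the top of inode_newsize_ok(), but the comment block ending just above the function is left untouched by this two-line change, so the documented contract does not mention the new -EINVAL return for negative sizes. Please add that to the comment, and since the commit message says the nfsd check becomes redundant, note whether callers may now rely on this function alone.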
---
-2.35.1
-
+++ /dev/null
-From d71f841a854f95581d4ab63274cd768d8381a44c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Aug 2022 15:04:16 +0900
-Subject: x86/kprobes: Update kcb status flag after singlestepping
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
-
-[ Upstream commit dec8784c9088b131a1523f582c2194cfc8107dc0 ]
-
-Fix kprobes to update kcb (kprobes control block) status flag to
-KPROBE_HIT_SSDONE even if the kp->post_handler is not set.
-
-This bug may cause a kernel panic if another INT3 user runs right
-after kprobes because kprobe_int3_handler() misunderstands the
-INT3 is kprobe's single stepping INT3.
-
-Fixes: 6256e668b7af ("x86/kprobes: Use int3 instead of debug trap for single-step")
-Reported-by: Daniel Müller <deso@posteo.net>
-Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Tested-by: Daniel Müller <deso@posteo.net>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/all/20220727210136.jjgc3lpqeq42yr3m@muellerd-fedora-PC2BDTX9
-Link: https://lore.kernel.org/r/165942025658.342061.12452378391879093249.stgit@devnote2
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/kernel/kprobes/core.c | 18 +++++++++++-------
- 1 file changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
-index 7c4ab8870da4..74167dc5f55e 100644
---- a/arch/x86/kernel/kprobes/core.c
-+++ b/arch/x86/kernel/kprobes/core.c
-@@ -814,16 +814,20 @@ set_current_kprobe(struct kprobe *p, struct pt_regs *regs,
- static void kprobe_post_process(struct kprobe *cur, struct pt_regs *regs,
- struct kprobe_ctlblk *kcb)
- {
-- if ((kcb->kprobe_status != KPROBE_REENTER) && cur->post_handler) {
-- kcb->kprobe_status = KPROBE_HIT_SSDONE;
-- cur->post_handler(cur, regs, 0);
-- }
--
- /* Restore back the original saved kprobes variables and continue. */
-- if (kcb->kprobe_status == KPROBE_REENTER)
-+ if (kcb->kprobe_status == KPROBE_REENTER) {
-+ /* This will restore both kcb and current_kprobe */
- restore_previous_kprobe(kcb);
-- else
-+ } else {
-+ /*
-+ * Always update the kcb status because
-+ * reset_curent_kprobe() doesn't update kcb.
-+ */
-+ kcb->kprobe_status = KPROBE_HIT_SSDONE;
-+ if (cur->post_handler)
-+ cur->post_handler(cur, regs, 0);
- reset_current_kprobe();
-+ }
- }
- NOKPROBE_SYMBOL(kprobe_post_process);
-
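Review bot: The comment added in the `else` branch of kprobe_post_process() misspells the function as `reset_curent_kprobe()`; make it `reset_current_kprobe()` so a search for the name finds the comment. The comment could also say why the status must be KPROBE_HIT_SSDONE even without a post_handler, namely that a following INT3 would otherwise be mistaken for the kprobe single-step INT3, as the commit message explains.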
---
-2.35.1
-
+++ /dev/null
-From 181fac7e1d71b4723e799eb09ab117ee9407108b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Jul 2022 17:15:36 +0200
-Subject: x86/olpc: fix 'logical not is only applied to the left hand side'
-
-From: Alexander Lobakin <alexandr.lobakin@intel.com>
-
-[ Upstream commit 3a2ba42cbd0b669ce3837ba400905f93dd06c79f ]
-
-The bitops compile-time optimization series revealed one more
-problem in olpc-xo1-sci.c:send_ebook_state(), resulted in GCC
-warnings:
-
-arch/x86/platform/olpc/olpc-xo1-sci.c: In function 'send_ebook_state':
-arch/x86/platform/olpc/olpc-xo1-sci.c:83:63: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
- 83 | if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state)
- | ^~
-arch/x86/platform/olpc/olpc-xo1-sci.c:83:13: note: add parentheses around left hand side expression to silence this warning
-
-Despite this code working as intended, this redundant double
-negation of boolean value, together with comparing to `char`
-with no explicit conversion to bool, makes compilers think
-the author made some unintentional logical mistakes here.
-Make it the other way around and negate the char instead
-to silence the warnings.
-
-Fixes: d2aa37411b8e ("x86/olpc/xo1/sci: Produce wakeup events for buttons and switches")
-Cc: stable@vger.kernel.org # 3.5+
-Reported-by: Guenter Roeck <linux@roeck-us.net>
-Reported-by: kernel test robot <lkp@intel.com>
-Reviewed-and-tested-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
-Signed-off-by: Yury Norov <yury.norov@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/x86/platform/olpc/olpc-xo1-sci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/platform/olpc/olpc-xo1-sci.c b/arch/x86/platform/olpc/olpc-xo1-sci.c
-index f03a6883dcc6..89f25af4b3c3 100644
---- a/arch/x86/platform/olpc/olpc-xo1-sci.c
-+++ b/arch/x86/platform/olpc/olpc-xo1-sci.c
-@@ -80,7 +80,7 @@ static void send_ebook_state(void)
- return;
- }
-
-- if (!!test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == state)
-+ if (test_bit(SW_TABLET_MODE, ebook_switch_idev->sw) == !!state)
- return; /* Nothing new to report. */
-
- input_report_switch(ebook_switch_idev, SW_TABLET_MODE, state);
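Review bot: Moving the `!!` from `test_bit(SW_TABLET_MODE, ebook_switch_idev->sw)` to `state` makes the comparison depend on test_bit() yielding exactly 0 or 1, which the old form did not require. That is worth a word in the commit message or a comment next to the test; alternatively normalise both sides, or change `state` to bool so that no `!!` is needed at all.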
---
-2.35.1
-