From 8bb6ee62c33b1f281b98b2dd19f1d7249a1ee5ab Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 15 Apr 2024 14:02:23 +0300 Subject: [PATCH 001/182] speakup: Fix sizeof() vs ARRAY_SIZE() bug commit 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b upstream. The "buf" pointer is an array of u16 values. This code should be using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512), otherwise it can the still got out of bounds. Fixes: c8d2f34ea96e ("speakup: Avoid crash on very long word") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Reviewed-by: Samuel Thibault Link: https://lore.kernel.org/r/d16f67d2-fd0a-4d45-adac-75ddd11001aa@moroto.mountain Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358) Signed-off-by: Vegard Nossum --- drivers/staging/speakup/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/speakup/main.c b/drivers/staging/speakup/main.c index 767f362c6e5a..00e9b87cf1c1 100644 --- a/drivers/staging/speakup/main.c +++ b/drivers/staging/speakup/main.c @@ -582,7 +582,7 @@ static u_long get_word(struct vc_data *vc) } attr_ch = get_char(vc, (u_short *)tmp_pos, &spk_attr); buf[cnt++] = attr_ch; - while (tmpx < vc->vc_cols - 1 && cnt < sizeof(buf) - 1) { + while (tmpx < vc->vc_cols - 1 && cnt < ARRAY_SIZE(buf) - 1) { tmp_pos += 2; tmpx++; ch = get_char(vc, (u_short *)tmp_pos, &temp); From a43f1f02b3a93c9a2da8ea92e4d6509d0a61ebd8 Mon Sep 17 00:00:00 2001 From: Petr Pavlu Date: Fri, 17 May 2024 15:40:08 +0200 Subject: [PATCH 002/182] ring-buffer: Fix a race between readers and resize checks commit c2274b908db05529980ec056359fae916939fdaa upstream. The reader code in rb_get_reader_page() swaps a new reader page into the ring buffer by doing cmpxchg on old->list.prev->next to point it to the new page. Following that, if the operation is successful, old->list.next->prev gets updated too. This means the underlying doubly-linked list is temporarily inconsistent, page->prev->next or page->next->prev might not be equal back to page for some page in the ring buffer. The resize operation in ring_buffer_resize() can be invoked in parallel. It calls rb_check_pages() which can detect the described inconsistency and stop further tracing: [ 190.271762] ------------[ cut here ]------------ [ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 [ 190.271789] Modules linked in: [...] [ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 [ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f [ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 [ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 [ 190.272023] Code: [...] [ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 [ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 [ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 [ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 [ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 [ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 [ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 [ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 [ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 190.272077] Call Trace: [ 190.272098] [ 190.272189] ring_buffer_resize+0x2ab/0x460 [ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 [ 190.272206] tracing_resize_ring_buffer+0x65/0x90 [ 190.272216] tracing_entries_write+0x74/0xc0 [ 190.272225] vfs_write+0xf5/0x420 [ 190.272248] ksys_write+0x67/0xe0 [ 190.272256] do_syscall_64+0x82/0x170 [ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 190.272373] RIP: 0033:0x7f1bd657d263 [ 190.272381] Code: [...] [ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 [ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 [ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 [ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 [ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 [ 190.272412] [ 190.272414] ---[ end trace 0000000000000000 ]--- Note that ring_buffer_resize() calls rb_check_pages() only if the parent trace_buffer has recording disabled. Recent commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") causes that it is now always the case which makes it more likely to experience this issue. The window to hit this race is nonetheless very small. To help reproducing it, one can add a delay loop in rb_get_reader_page(): ret = rb_head_page_replace(reader, cpu_buffer->reader_page); if (!ret) goto spin; for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ __asm__ __volatile__ ("" : : : "memory"); rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; .. and then run the following commands on the target system: echo 1 > /sys/kernel/tracing/events/sched/sched_switch/enable while true; do echo 16 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 echo 8 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 done & while true; do for i in /sys/kernel/tracing/per_cpu/*; do timeout 0.1 cat $i/trace_pipe; sleep 0.2 done done To fix the problem, make sure ring_buffer_resize() doesn't invoke rb_check_pages() concurrently with a reader operating on the same ring_buffer_per_cpu by taking its cpu_buffer->reader_lock. Link: https://lore.kernel.org/linux-trace-kernel/20240517134008.24529-3-petr.pavlu@suse.com Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Mathieu Desnoyers Fixes: 659f451ff213 ("ring-buffer: Add integrity check at end of iter read") Signed-off-by: Petr Pavlu [ Fixed whitespace ] Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b50932ea673b5a089a4bb570a8a868d95c72854e) Signed-off-by: Vegard Nossum --- kernel/trace/ring_buffer.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 8c09e8ca1561..1e9045f7a75c 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -1101,6 +1101,11 @@ static int rb_check_list(struct ring_buffer_per_cpu *cpu_buffer, * * As a safety measure we check to make sure the data pages have not * been corrupted. + * + * Callers of this function need to guarantee that the list of pages doesn't get + * modified during the check. In particular, if it's possible that the function + * is invoked with concurrent readers which can swap in a new reader page then + * the caller should take cpu_buffer->reader_lock. */ static int rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) { @@ -1779,8 +1784,12 @@ int ring_buffer_resize(struct ring_buffer *buffer, unsigned long size, */ synchronize_sched(); for_each_buffer_cpu(buffer, cpu) { + unsigned long flags; + cpu_buffer = buffer->buffers[cpu]; + raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); rb_check_pages(cpu_buffer); + raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); } atomic_dec(&buffer->record_disabled); } From 39d470c1d65655756f7bc56eef30977466000040 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Mon, 20 May 2024 22:26:20 +0900 Subject: [PATCH 003/182] nilfs2: fix unexpected freezing of nilfs_segctor_sync() commit 936184eadd82906992ff1f5ab3aada70cce44cee upstream. A potential and reproducible race issue has been identified where nilfs_segctor_sync() would block even after the log writer thread writes a checkpoint, unless there is an interrupt or other trigger to resume log writing. This turned out to be because, depending on the execution timing of the log writer thread running in parallel, the log writer thread may skip responding to nilfs_segctor_sync(), which causes a call to schedule() waiting for completion within nilfs_segctor_sync() to lose the opportunity to wake up. The reason why waking up the task waiting in nilfs_segctor_sync() may be skipped is that updating the request generation issued using a shared sequence counter and adding an wait queue entry to the request wait queue to the log writer, are not done atomically. There is a possibility that log writing and request completion notification by nilfs_segctor_wakeup() may occur between the two operations, and in that case, the wait queue entry is not yet visible to nilfs_segctor_wakeup() and the wake-up of nilfs_segctor_sync() will be carried over until the next request occurs. Fix this issue by performing these two operations simultaneously within the lock section of sc_state_lock. Also, following the memory barrier guidelines for event waiting loops, move the call to set_current_state() in the same location into the event waiting loop to ensure that a memory barrier is inserted just before the event condition determination. Link: https://lkml.kernel.org/r/20240520132621.4054-3-konishi.ryusuke@gmail.com Fixes: 9ff05123e3bf ("nilfs2: segment constructor") Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Cc: Cc: "Bai, Shuangpeng" Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 072980bc50626c4557694ce54e3f6f2bde02b6e0) Signed-off-by: Vegard Nossum --- fs/nilfs2/segment.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index a5b28ca370bb..254404c0e06f 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2220,19 +2220,28 @@ static int nilfs_segctor_sync(struct nilfs_sc_info *sci) struct nilfs_segctor_wait_request wait_req; int err = 0; - spin_lock(&sci->sc_state_lock); init_wait(&wait_req.wq); wait_req.err = 0; atomic_set(&wait_req.done, 0); + init_waitqueue_entry(&wait_req.wq, current); + + /* + * To prevent a race issue where completion notifications from the + * log writer thread are missed, increment the request sequence count + * "sc_seq_request" and insert a wait queue entry using the current + * sequence number into the "sc_wait_request" queue at the same time + * within the lock section of "sc_state_lock". + */ + spin_lock(&sci->sc_state_lock); wait_req.seq = ++sci->sc_seq_request; + add_wait_queue(&sci->sc_wait_request, &wait_req.wq); spin_unlock(&sci->sc_state_lock); - init_waitqueue_entry(&wait_req.wq, current); - add_wait_queue(&sci->sc_wait_request, &wait_req.wq); - set_current_state(TASK_INTERRUPTIBLE); wake_up(&sci->sc_wait_daemon); for (;;) { + set_current_state(TASK_INTERRUPTIBLE); + if (atomic_read(&wait_req.done)) { err = wait_req.err; break; From 6696ef522ef729e48bb88e624f4b450cc48d0008 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Mon, 20 May 2024 22:26:21 +0900 Subject: [PATCH 004/182] nilfs2: fix potential hang in nilfs_detach_log_writer() commit eb85dace897c5986bc2f36b3c783c6abb8a4292e upstream. Syzbot has reported a potential hang in nilfs_detach_log_writer() called during nilfs2 unmount. Analysis revealed that this is because nilfs_segctor_sync(), which synchronizes with the log writer thread, can be called after nilfs_segctor_destroy() terminates that thread, as shown in the call trace below: nilfs_detach_log_writer nilfs_segctor_destroy nilfs_segctor_kill_thread --> Shut down log writer thread flush_work nilfs_iput_work_func nilfs_dispose_list iput nilfs_evict_inode nilfs_transaction_commit nilfs_construct_segment (if inode needs sync) nilfs_segctor_sync --> Attempt to synchronize with log writer thread *** DEADLOCK *** Fix this issue by changing nilfs_segctor_sync() so that the log writer thread returns normally without synchronizing after it terminates, and by forcing tasks that are already waiting to complete once after the thread terminates. The skipped inode metadata flushout will then be processed together in the subsequent cleanup work in nilfs_segctor_destroy(). Link: https://lkml.kernel.org/r/20240520132621.4054-4-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+e3973c409251e136fdd0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=e3973c409251e136fdd0 Tested-by: Ryusuke Konishi Cc: Cc: "Bai, Shuangpeng" Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 911d38be151921a5d152bb55e81fd752384c6830) Signed-off-by: Vegard Nossum --- fs/nilfs2/segment.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 254404c0e06f..d42df457d761 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2242,6 +2242,14 @@ static int nilfs_segctor_sync(struct nilfs_sc_info *sci) for (;;) { set_current_state(TASK_INTERRUPTIBLE); + /* + * Synchronize only while the log writer thread is alive. + * Leave flushing out after the log writer thread exits to + * the cleanup work in nilfs_segctor_destroy(). + */ + if (!sci->sc_task) + break; + if (atomic_read(&wait_req.done)) { err = wait_req.err; break; @@ -2257,7 +2265,7 @@ static int nilfs_segctor_sync(struct nilfs_sc_info *sci) return err; } -static void nilfs_segctor_wakeup(struct nilfs_sc_info *sci, int err) +static void nilfs_segctor_wakeup(struct nilfs_sc_info *sci, int err, bool force) { struct nilfs_segctor_wait_request *wrq, *n; unsigned long flags; @@ -2265,7 +2273,7 @@ static void nilfs_segctor_wakeup(struct nilfs_sc_info *sci, int err) spin_lock_irqsave(&sci->sc_wait_request.lock, flags); list_for_each_entry_safe(wrq, n, &sci->sc_wait_request.head, wq.entry) { if (!atomic_read(&wrq->done) && - nilfs_cnt32_ge(sci->sc_seq_done, wrq->seq)) { + (force || nilfs_cnt32_ge(sci->sc_seq_done, wrq->seq))) { wrq->err = err; atomic_set(&wrq->done, 1); } @@ -2405,7 +2413,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) if (mode == SC_LSEG_SR) { sci->sc_state &= ~NILFS_SEGCTOR_COMMIT; sci->sc_seq_done = sci->sc_seq_accepted; - nilfs_segctor_wakeup(sci, err); + nilfs_segctor_wakeup(sci, err, false); sci->sc_flush_request = 0; } else { if (mode == SC_FLUSH_FILE) @@ -2788,6 +2796,13 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) || sci->sc_seq_request != sci->sc_seq_done); spin_unlock(&sci->sc_state_lock); + /* + * Forcibly wake up tasks waiting in nilfs_segctor_sync(), which can + * be called from delayed iput() via nilfs_evict_inode() and can race + * with the above log writer thread termination. + */ + nilfs_segctor_wakeup(sci, 0, true); + if (flush_work(&sci->sc_iput_work)) flag = true; From 478b032b9b295f6e4d224766b1d74f3f8d8015f5 Mon Sep 17 00:00:00 2001 From: Daniel Starke Date: Wed, 24 Apr 2024 07:48:41 +0200 Subject: [PATCH 005/182] tty: n_gsm: fix possible out-of-bounds in gsm0_receive() commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream. Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: j51569436@gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: j51569436@gmail.com Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable@vger.kernel.org Signed-off-by: Daniel Starke Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9513d4148950b05bc99fa7314dc883cc0e1605e5) Signed-off-by: Vegard Nossum --- drivers/tty/n_gsm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index a60d4b5a6161..f7c8b0fe7192 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -1986,8 +1986,12 @@ static void gsm0_receive(struct gsm_mux *gsm, unsigned char c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { gsm->state = GSM_FCS; + } break; case GSM_FCS: /* FCS follows the packet */ gsm->received_fcs = c; @@ -2067,7 +2071,7 @@ static void gsm1_receive(struct gsm_mux *gsm, unsigned char c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else From 0e454ea0aef962c0bc28aaec416c987c472ee16f Mon Sep 17 00:00:00 2001 From: Igor Artemiev Date: Fri, 5 Apr 2024 18:24:30 +0300 Subject: [PATCH 006/182] wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class [ Upstream commit 9ef369973cd2c97cce3388d2c0c7e3c056656e8a ] The declarations of the tx_rx_evt class and the rdev_set_antenna event use the wrong order of arguments in the TP_ARGS macro. Fix the order of arguments in the TP_ARGS macro. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Igor Artemiev Link: https://msgid.link/20240405152431.270267-1-Igor.A.Artemiev@mcst.ru Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin (cherry picked from commit 5099e30dde0caffa9f0e2c41d7327fc3ed987fd5) Signed-off-by: Vegard Nossum --- net/wireless/trace.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/wireless/trace.h b/net/wireless/trace.h index cd0a1c7c185d..bba3e6197e1d 100644 --- a/net/wireless/trace.h +++ b/net/wireless/trace.h @@ -1591,7 +1591,7 @@ TRACE_EVENT(rdev_return_void_tx_rx, DECLARE_EVENT_CLASS(tx_rx_evt, TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx), - TP_ARGS(wiphy, rx, tx), + TP_ARGS(wiphy, tx, rx), TP_STRUCT__entry( WIPHY_ENTRY __field(u32, tx) @@ -1608,7 +1608,7 @@ DECLARE_EVENT_CLASS(tx_rx_evt, DEFINE_EVENT(tx_rx_evt, rdev_set_antenna, TP_PROTO(struct wiphy *wiphy, u32 tx, u32 rx), - TP_ARGS(wiphy, rx, tx) + TP_ARGS(wiphy, tx, rx) ); DECLARE_EVENT_CLASS(wiphy_netdev_id_evt, From 52bed87bdd7ff234fbf08cffb5805fec3753a574 Mon Sep 17 00:00:00 2001 From: Daniele Palmas Date: Thu, 18 Apr 2024 13:12:07 +0200 Subject: [PATCH 007/182] net: usb: qmi_wwan: add Telit FN920C04 compositions [ Upstream commit 0b8fe5bd73249dc20be2e88a12041f8920797b59 ] Add the following Telit FN920C04 compositions: 0x10a0: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10a0 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN920 S: SerialNumber=92c4c4d8 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10a4: rmnet + tty (AT) + tty (AT) + tty (diag) T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10a4 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN920 S: SerialNumber=92c4c4d8 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10a9: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 9 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10a9 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN920 S: SerialNumber=92c4c4d8 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 25468fffbbd2b0f06b4b12d79ff56cc5c40bfd1f) Signed-off-by: Vegard Nossum --- drivers/net/usb/qmi_wwan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c index 5560c08e44fa..ec09ef974302 100644 --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -1315,6 +1315,9 @@ static const struct usb_device_id products[] = { {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a0, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a4, 0)}, /* Telit FN920C04 */ + {QMI_QUIRK_SET_DTR(0x1bc7, 0x10a9, 0)}, /* Telit FN920C04 */ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */ From 1de2264213019b0e94512027fedda73173da635e Mon Sep 17 00:00:00 2001 From: Derek Fang Date: Mon, 8 Apr 2024 17:10:56 +0800 Subject: [PATCH 008/182] ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating [ Upstream commit 103abab975087e1f01b76fcb54c91dbb65dbc249 ] The codec leaves tie combo jack's sleeve/ring2 to floating status default. It would cause electric noise while connecting the active speaker jack during boot or shutdown. This patch requests a gpio to control the additional jack circuit to tie the contacts to the ground or floating. Signed-off-by: Derek Fang Link: https://msgid.link/r/20240408091057.14165-1-derek.fang@realtek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 5c50d2e998143ce00c0629dcaabd73c3d962545c) [Vegard: fix conflict in context due to missing commit 79223bf190919199652441d9f455cb0deabc75f5 ("ASoC: rt5645/rt5677: replace codec to component").] Signed-off-by: Vegard Nossum --- sound/soc/codecs/rt5645.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c index 536a33820265..6a0865572772 100644 --- a/sound/soc/codecs/rt5645.c +++ b/sound/soc/codecs/rt5645.c @@ -410,6 +410,7 @@ struct rt5645_priv { struct regmap *regmap; struct i2c_client *i2c; struct gpio_desc *gpiod_hp_det; + struct gpio_desc *gpiod_cbj_sleeve; struct snd_soc_jack *hp_jack; struct snd_soc_jack *mic_jack; struct snd_soc_jack *btn_jack; @@ -3148,6 +3149,9 @@ static int rt5645_jack_detect(struct snd_soc_codec *codec, int jack_insert) regmap_update_bits(rt5645->regmap, RT5645_IN1_CTRL2, RT5645_CBJ_MN_JD, 0); + if (rt5645->gpiod_cbj_sleeve) + gpiod_set_value(rt5645->gpiod_cbj_sleeve, 1); + msleep(600); regmap_read(rt5645->regmap, RT5645_IN1_CTRL3, &val); val &= 0x7; @@ -3164,6 +3168,8 @@ static int rt5645_jack_detect(struct snd_soc_codec *codec, int jack_insert) snd_soc_dapm_disable_pin(dapm, "Mic Det Power"); snd_soc_dapm_sync(dapm); rt5645->jack_type = SND_JACK_HEADPHONE; + if (rt5645->gpiod_cbj_sleeve) + gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); } if (rt5645->pdata.level_trigger_irq) regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2, @@ -3189,6 +3195,9 @@ static int rt5645_jack_detect(struct snd_soc_codec *codec, int jack_insert) if (rt5645->pdata.level_trigger_irq) regmap_update_bits(rt5645->regmap, RT5645_IRQ_CTRL2, RT5645_JD_1_1_MASK, RT5645_JD_1_1_INV); + + if (rt5645->gpiod_cbj_sleeve) + gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); } return rt5645->jack_type; @@ -3760,6 +3769,16 @@ static int rt5645_i2c_probe(struct i2c_client *i2c, return ret; } + rt5645->gpiod_cbj_sleeve = devm_gpiod_get_optional(&i2c->dev, "cbj-sleeve", + GPIOD_OUT_LOW); + + if (IS_ERR(rt5645->gpiod_cbj_sleeve)) { + ret = PTR_ERR(rt5645->gpiod_cbj_sleeve); + dev_info(&i2c->dev, "failed to initialize gpiod, ret=%d\n", ret); + if (ret != -ENOENT) + return ret; + } + for (i = 0; i < ARRAY_SIZE(rt5645->supplies); i++) rt5645->supplies[i].supply = rt5645_supply_names[i]; @@ -3992,7 +4011,11 @@ static int rt5645_i2c_remove(struct i2c_client *i2c) cancel_delayed_work_sync(&rt5645->jack_detect_work); cancel_delayed_work_sync(&rt5645->rcclock_work); + if (rt5645->gpiod_cbj_sleeve) + gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); + snd_soc_unregister_codec(&i2c->dev); + regulator_bulk_disable(ARRAY_SIZE(rt5645->supplies), rt5645->supplies); return 0; @@ -4010,6 +4033,9 @@ static void rt5645_i2c_shutdown(struct i2c_client *i2c) 0); msleep(20); regmap_write(rt5645->regmap, RT5645_RESET, 0); + + if (rt5645->gpiod_cbj_sleeve) + gpiod_set_value(rt5645->gpiod_cbj_sleeve, 0); } static struct i2c_driver rt5645_i2c_driver = { From f5822a115c534c96bcde99428ab661088e193a09 Mon Sep 17 00:00:00 2001 From: Derek Fang Date: Mon, 8 Apr 2024 17:10:57 +0800 Subject: [PATCH 009/182] ASoC: dt-bindings: rt5645: add cbj sleeve gpio property [ Upstream commit 306b38e3fa727d22454a148a364123709e356600 ] Add an optional gpio property to control external CBJ circuits to avoid some electric noise caused by sleeve/ring2 contacts floating. Signed-off-by: Derek Fang Link: https://msgid.link/r/20240408091057.14165-2-derek.fang@realtek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 5af06b6c57a9bbfa9bd5421e28bcd5c571c5821e) Signed-off-by: Vegard Nossum --- Documentation/devicetree/bindings/sound/rt5645.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/devicetree/bindings/sound/rt5645.txt b/Documentation/devicetree/bindings/sound/rt5645.txt index 7cee1f518f59..525d36f7f50f 100644 --- a/Documentation/devicetree/bindings/sound/rt5645.txt +++ b/Documentation/devicetree/bindings/sound/rt5645.txt @@ -16,6 +16,11 @@ Optional properties: a GPIO spec for the external headphone detect pin. If jd-mode = 0, we will get the JD status by getting the value of hp-detect-gpios. +- cbj-sleeve-gpios: + a GPIO spec to control the external combo jack circuit to tie the sleeve/ring2 + contacts to the ground or floating. It could avoid some electric noise from the + active speaker jacks. + - realtek,in2-differential Boolean. Indicate MIC2 input are differential, rather than single-ended. @@ -64,6 +69,7 @@ codec: rt5650@1a { compatible = "realtek,rt5650"; reg = <0x1a>; hp-detect-gpios = <&gpio 19 0>; + cbj-sleeve-gpios = <&gpio 20 0>; interrupt-parent = <&gpio>; interrupts = <7 IRQ_TYPE_EDGE_FALLING>; realtek,dmic-en = "true"; From 6c8dd658875782d45f021c5015b9ec9bf5f5ff87 Mon Sep 17 00:00:00 2001 From: Pierre-Louis Bossart Date: Fri, 26 Apr 2024 10:30:33 -0500 Subject: [PATCH 010/182] ASoC: da7219-aad: fix usage of device_get_named_child_node() [ Upstream commit e8a6a5ad73acbafd98e8fd3f0cbf6e379771bb76 ] The documentation for device_get_named_child_node() mentions this important point: " The caller is responsible for calling fwnode_handle_put() on the returned fwnode pointer. " Add fwnode_handle_put() to avoid a leaked reference. Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20240426153033.38500-1-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 6d2d2aaae1faa64c2f803d6f11f4b2df3b3c2cff) [Vegard: fix conflict in context due to missing 4510112217116d97df02121d3e1442858efb4897 ("ASoC: hdac_hdmi/nau8825/rt286/rt298/rt5663/da7219: replace codec to component") which changed devm_kzalloc(dev, ...) to devm_kzalloc(codec->dev, ...).] Signed-off-by: Vegard Nossum --- sound/soc/codecs/da7219-aad.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/sound/soc/codecs/da7219-aad.c b/sound/soc/codecs/da7219-aad.c index 5a31a4db1e23..47576e4feae4 100644 --- a/sound/soc/codecs/da7219-aad.c +++ b/sound/soc/codecs/da7219-aad.c @@ -625,8 +625,10 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct snd_soc_codec *cod return NULL; aad_pdata = devm_kzalloc(codec->dev, sizeof(*aad_pdata), GFP_KERNEL); - if (!aad_pdata) + if (!aad_pdata) { + fwnode_handle_put(aad_np); return NULL; + } aad_pdata->irq = i2c->irq; @@ -701,6 +703,8 @@ static struct da7219_aad_pdata *da7219_aad_fw_to_pdata(struct snd_soc_codec *cod else aad_pdata->adc_1bit_rpt = DA7219_AAD_ADC_1BIT_RPT_1; + fwnode_handle_put(aad_np); + return aad_pdata; } From 8355ba0b459240e847584f780402073b8236df46 Mon Sep 17 00:00:00 2001 From: Aleksandr Mishin Date: Fri, 22 Mar 2024 23:59:15 +0300 Subject: [PATCH 011/182] crypto: bcm - Fix pointer arithmetic [ Upstream commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 ] In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin (cherry picked from commit c256b616067bfd6d274c679c06986b78d2402434) Signed-off-by: Vegard Nossum --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index bf7ac621c591..0f6023347cc8 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -506,7 +506,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { From 09020d6f62421e7fd4240279ff30dde78a0300bc Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Tue, 26 Mar 2024 21:58:06 +0200 Subject: [PATCH 012/182] firmware: raspberrypi: Use correct device for DMA mappings [ Upstream commit df518a0ae1b982a4dcf2235464016c0c4576a34d ] The buffer used to transfer data over the mailbox interface is mapped using the client's device. This is incorrect, as the device performing the DMA transfer is the mailbox itself. Fix it by using the mailbox controller device instead. This requires including the mailbox_controller.h header to dereference the mbox_chan and mbox_controller structures. The header is not meant to be included by clients. This could be fixed by extending the client API with a function to access the controller's device. Fixes: 4e3d60656a72 ("ARM: bcm2835: Add the Raspberry Pi firmware driver") Signed-off-by: Laurent Pinchart Reviewed-by: Stefan Wahren Tested-by: Ivan T. Ivanov Link: https://lore.kernel.org/r/20240326195807.15163-3-laurent.pinchart@ideasonboard.com Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin (cherry picked from commit b7277844e7e367381b2377853afceb58427cf6fb) Signed-off-by: Vegard Nossum --- drivers/firmware/raspberrypi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c index dd506cd3a5b8..a1bb471e4f51 100644 --- a/drivers/firmware/raspberrypi.c +++ b/drivers/firmware/raspberrypi.c @@ -11,6 +11,7 @@ #include #include +#include #include #include #include @@ -88,8 +89,8 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, if (size & 3) return -EINVAL; - buf = dma_alloc_coherent(fw->cl.dev, PAGE_ALIGN(size), &bus_addr, - GFP_ATOMIC); + buf = dma_alloc_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), + &bus_addr, GFP_ATOMIC); if (!buf) return -ENOMEM; @@ -117,7 +118,7 @@ int rpi_firmware_property_list(struct rpi_firmware *fw, ret = -EINVAL; } - dma_free_coherent(fw->cl.dev, PAGE_ALIGN(size), buf, bus_addr); + dma_free_coherent(fw->chan->mbox->dev, PAGE_ALIGN(size), buf, bus_addr); return ret; } From 78f8f3e6cf95446a03837bb11a67c4c2569ced32 Mon Sep 17 00:00:00 2001 From: Brian Kubisiak Date: Sun, 17 Mar 2024 07:46:00 -0700 Subject: [PATCH 013/182] ecryptfs: Fix buffer size for tag 66 packet [ Upstream commit 85a6a1aff08ec9f5b929d345d066e2830e8818e5 ] The 'TAG 66 Packet Format' description is missing the cipher code and checksum fields that are packed into the message packet. As a result, the buffer allocated for the packet is 3 bytes too small and write_tag_66_packet() will write up to 3 bytes past the end of the buffer. Fix this by increasing the size of the allocation so the whole packet will always fit in the buffer. This fixes the below kasan slab-out-of-bounds bug: BUG: KASAN: slab-out-of-bounds in ecryptfs_generate_key_packet_set+0x7d6/0xde0 Write of size 1 at addr ffff88800afbb2a5 by task touch/181 CPU: 0 PID: 181 Comm: touch Not tainted 6.6.13-gnu #1 4c9534092be820851bb687b82d1f92a426598dc6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2/GNU Guix 04/01/2014 Call Trace: dump_stack_lvl+0x4c/0x70 print_report+0xc5/0x610 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? kasan_complete_mode_report_info+0x44/0x210 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 kasan_report+0xc2/0x110 ? ecryptfs_generate_key_packet_set+0x7d6/0xde0 __asan_store1+0x62/0x80 ecryptfs_generate_key_packet_set+0x7d6/0xde0 ? __pfx_ecryptfs_generate_key_packet_set+0x10/0x10 ? __alloc_pages+0x2e2/0x540 ? __pfx_ovl_open+0x10/0x10 [overlay 30837f11141636a8e1793533a02e6e2e885dad1d] ? dentry_open+0x8f/0xd0 ecryptfs_write_metadata+0x30a/0x550 ? __pfx_ecryptfs_write_metadata+0x10/0x10 ? ecryptfs_get_lower_file+0x6b/0x190 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 ? __pfx_path_openat+0x10/0x10 do_filp_open+0x15e/0x290 ? __pfx_do_filp_open+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? _raw_spin_lock+0x86/0xf0 ? __pfx__raw_spin_lock+0x10/0x10 ? __kasan_check_write+0x18/0x30 ? alloc_fd+0xf4/0x330 do_sys_openat2+0x122/0x160 ? __pfx_do_sys_openat2+0x10/0x10 __x64_sys_openat+0xef/0x170 ? __pfx___x64_sys_openat+0x10/0x10 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7f00a703fd67 Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f RSP: 002b:00007ffc088e30b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007ffc088e3368 RCX: 00007f00a703fd67 RDX: 0000000000000941 RSI: 00007ffc088e48d7 RDI: 00000000ffffff9c RBP: 00007ffc088e48d7 R08: 0000000000000001 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 0000000000000000 R14: 00007ffc088e48d7 R15: 00007f00a7180040 Allocated by task 181: kasan_save_stack+0x2f/0x60 kasan_set_track+0x29/0x40 kasan_save_alloc_info+0x25/0x40 __kasan_kmalloc+0xc5/0xd0 __kmalloc+0x66/0x160 ecryptfs_generate_key_packet_set+0x6d2/0xde0 ecryptfs_write_metadata+0x30a/0x550 ecryptfs_initialize_file+0x77/0x150 ecryptfs_create+0x1c2/0x2f0 path_openat+0x17cf/0x1ba0 do_filp_open+0x15e/0x290 do_sys_openat2+0x122/0x160 __x64_sys_openat+0xef/0x170 do_syscall_64+0x60/0xd0 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fixes: dddfa461fc89 ("[PATCH] eCryptfs: Public key; packet management") Signed-off-by: Brian Kubisiak Link: https://lore.kernel.org/r/5j2q56p6qkhezva6b2yuqfrsurmvrrqtxxzrnp3wqu7xrz22i7@hoecdztoplbl Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit 1c125b9287e58f364d82174efb167414b92b11f1) Signed-off-by: Vegard Nossum --- fs/ecryptfs/keystore.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index b134315fb69d..ceb1c1188a7a 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c @@ -314,9 +314,11 @@ write_tag_66_packet(char *signature, u8 cipher_code, * | Key Identifier Size | 1 or 2 bytes | * | Key Identifier | arbitrary | * | File Encryption Key Size | 1 or 2 bytes | + * | Cipher Code | 1 byte | * | File Encryption Key | arbitrary | + * | Checksum | 2 bytes | */ - data_len = (5 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); + data_len = (8 + ECRYPTFS_SIG_SIZE_HEX + crypt_stat->key_size); *packet = kmalloc(data_len, GFP_KERNEL); message = *packet; if (!message) { From 7ee6938a59b80751d7919f67a3c4fb585d3829f6 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 28 Mar 2024 15:30:44 +0100 Subject: [PATCH 014/182] nilfs2: fix out-of-range warning [ Upstream commit c473bcdd80d4ab2ae79a7a509a6712818366e32a ] clang-14 points out that v_size is always smaller than a 64KB page size if that is configured by the CPU architecture: fs/nilfs2/ioctl.c:63:19: error: result of comparison of constant 65536 with expression of type '__u16' (aka 'unsigned short') is always false [-Werror,-Wtautological-constant-out-of-range-compare] if (argv->v_size > PAGE_SIZE) ~~~~~~~~~~~~ ^ ~~~~~~~~~ This is ok, so just shut up that warning with a cast. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240328143051.1069575-7-arnd@kernel.org Fixes: 3358b4aaa84f ("nilfs2: fix problems of memory allocation in ioctl") Acked-by: Ryusuke Konishi Reviewed-by: Justin Stitt Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit 7610fd35b74211ab8def4e124095e600a1ae945b) Signed-off-by: Vegard Nossum --- fs/nilfs2/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 1d63a2953099..f6d887ba09aa 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -68,7 +68,7 @@ static int nilfs_ioctl_wrap_copy(struct the_nilfs *nilfs, if (argv->v_nmembs == 0) return 0; - if (argv->v_size > PAGE_SIZE) + if ((size_t)argv->v_size > PAGE_SIZE) return -EINVAL; /* From 72d5387b60255610eb6fd5c18bb819fc39cc8917 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Mon, 1 Apr 2024 22:35:54 -0400 Subject: [PATCH 015/182] parisc: add missing export of __cmpxchg_u8() [ Upstream commit c57e5dccb06decf3cb6c272ab138c033727149b5 ] __cmpxchg_u8() had been added (initially) for the sake of drivers/phy/ti/phy-tusb1210.c; the thing is, that drivers is modular, so we need an export Fixes: b344d6a83d01 "parisc: add support for cmpxchg on u8 pointers" Signed-off-by: Al Viro Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin (cherry picked from commit 63d5a72afbd1505f180e81bc72e056ceea28b43b) Signed-off-by: Vegard Nossum --- arch/parisc/kernel/parisc_ksyms.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c index 7baa2265d439..e0d4b7d20f67 100644 --- a/arch/parisc/kernel/parisc_ksyms.c +++ b/arch/parisc/kernel/parisc_ksyms.c @@ -34,6 +34,7 @@ EXPORT_SYMBOL(memset); #include EXPORT_SYMBOL(__xchg8); EXPORT_SYMBOL(__xchg32); +EXPORT_SYMBOL(__cmpxchg_u8); EXPORT_SYMBOL(__cmpxchg_u32); EXPORT_SYMBOL(__cmpxchg_u64); #ifdef CONFIG_SMP From 7eb7c75444aa358909836ea7ff4f692a53b199f9 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Mon, 24 Sep 2018 10:26:15 -0700 Subject: [PATCH 016/182] crypto: ccp - Remove forward declaration [ Upstream commit 3512dcb4e6c64733871202c01f0ec6b5d84d32ac ] Clang emits a warning about this construct: drivers/crypto/ccp/sp-platform.c:36:36: warning: tentative array definition assumed to have one element static const struct acpi_device_id sp_acpi_match[]; ^ 1 warning generated. Just remove the forward declarations and move the initializations up so that they can be used in sp_get_of_version and sp_get_acpi_version. Reported-by: Nick Desaulniers Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Acked-by: Gary R Hook Signed-off-by: Herbert Xu Stable-dep-of: 42c2d7d02977 ("crypto: ccp - drop platform ifdef checks") Signed-off-by: Sasha Levin (cherry picked from commit 4b713a1581b17a94a21699165a20d82eb0eca2dc) Signed-off-by: Vegard Nossum --- drivers/crypto/ccp/sp-platform.c | 53 +++++++++++++++----------------- 1 file changed, 25 insertions(+), 28 deletions(-) diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c index 71734f254fd1..b75dc7db2d4a 100644 --- a/drivers/crypto/ccp/sp-platform.c +++ b/drivers/crypto/ccp/sp-platform.c @@ -33,8 +33,31 @@ struct sp_platform { unsigned int irq_count; }; -static const struct acpi_device_id sp_acpi_match[]; -static const struct of_device_id sp_of_match[]; +static const struct sp_dev_vdata dev_vdata[] = { + { + .bar = 0, +#ifdef CONFIG_CRYPTO_DEV_SP_CCP + .ccp_vdata = &ccpv3_platform, +#endif + }, +}; + +#ifdef CONFIG_ACPI +static const struct acpi_device_id sp_acpi_match[] = { + { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, + { }, +}; +MODULE_DEVICE_TABLE(acpi, sp_acpi_match); +#endif + +#ifdef CONFIG_OF +static const struct of_device_id sp_of_match[] = { + { .compatible = "amd,ccp-seattle-v1a", + .data = (const void *)&dev_vdata[0] }, + { }, +}; +MODULE_DEVICE_TABLE(of, sp_of_match); +#endif static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev) { @@ -201,32 +224,6 @@ static int sp_platform_resume(struct platform_device *pdev) } #endif -static const struct sp_dev_vdata dev_vdata[] = { - { - .bar = 0, -#ifdef CONFIG_CRYPTO_DEV_SP_CCP - .ccp_vdata = &ccpv3_platform, -#endif - }, -}; - -#ifdef CONFIG_ACPI -static const struct acpi_device_id sp_acpi_match[] = { - { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, - { }, -}; -MODULE_DEVICE_TABLE(acpi, sp_acpi_match); -#endif - -#ifdef CONFIG_OF -static const struct of_device_id sp_of_match[] = { - { .compatible = "amd,ccp-seattle-v1a", - .data = (const void *)&dev_vdata[0] }, - { }, -}; -MODULE_DEVICE_TABLE(of, sp_of_match); -#endif - static struct platform_driver sp_platform_driver = { .driver = { .name = "ccp", From afb1d97ca2b2cdfa5f46e8eb9fc37934349bc34e Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 3 Apr 2024 10:06:42 +0200 Subject: [PATCH 017/182] crypto: ccp - drop platform ifdef checks [ Upstream commit 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab ] When both ACPI and OF are disabled, the dev_vdata variable is unused: drivers/crypto/ccp/sp-platform.c:33:34: error: unused variable 'dev_vdata' [-Werror,-Wunused-const-variable] This is not a useful configuration, and there is not much point in saving a few bytes when only one of the two is enabled, so just remove all these ifdef checks and rely on of_match_node() and acpi_match_device() returning NULL when these subsystems are disabled. Fixes: 6c5063434098 ("crypto: ccp - Add ACPI support") Signed-off-by: Arnd Bergmann Acked-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin (cherry picked from commit ce8f89223c9552d18b118596a85fd6cc237bc0e9) Signed-off-by: Vegard Nossum --- drivers/crypto/ccp/sp-platform.c | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/drivers/crypto/ccp/sp-platform.c b/drivers/crypto/ccp/sp-platform.c index b75dc7db2d4a..8494f7d8912c 100644 --- a/drivers/crypto/ccp/sp-platform.c +++ b/drivers/crypto/ccp/sp-platform.c @@ -42,44 +42,38 @@ static const struct sp_dev_vdata dev_vdata[] = { }, }; -#ifdef CONFIG_ACPI static const struct acpi_device_id sp_acpi_match[] = { { "AMDI0C00", (kernel_ulong_t)&dev_vdata[0] }, { }, }; MODULE_DEVICE_TABLE(acpi, sp_acpi_match); -#endif -#ifdef CONFIG_OF static const struct of_device_id sp_of_match[] = { { .compatible = "amd,ccp-seattle-v1a", .data = (const void *)&dev_vdata[0] }, { }, }; MODULE_DEVICE_TABLE(of, sp_of_match); -#endif static struct sp_dev_vdata *sp_get_of_version(struct platform_device *pdev) { -#ifdef CONFIG_OF const struct of_device_id *match; match = of_match_node(sp_of_match, pdev->dev.of_node); if (match && match->data) return (struct sp_dev_vdata *)match->data; -#endif + return NULL; } static struct sp_dev_vdata *sp_get_acpi_version(struct platform_device *pdev) { -#ifdef CONFIG_ACPI const struct acpi_device_id *match; match = acpi_match_device(sp_acpi_match, &pdev->dev); if (match && match->driver_data) return (struct sp_dev_vdata *)match->driver_data; -#endif + return NULL; } @@ -227,12 +221,8 @@ static int sp_platform_resume(struct platform_device *pdev) static struct platform_driver sp_platform_driver = { .driver = { .name = "ccp", -#ifdef CONFIG_ACPI .acpi_match_table = sp_acpi_match, -#endif -#ifdef CONFIG_OF .of_match_table = sp_of_match, -#endif }, .probe = sp_platform_probe, .remove = sp_platform_remove, From 7375909839424727552bd0bb2022ca3db5c6ffe8 Mon Sep 17 00:00:00 2001 From: Ilya Denisyev Date: Fri, 12 Apr 2024 18:53:54 +0300 Subject: [PATCH 018/182] jffs2: prevent xattr node from overflowing the eraseblock [ Upstream commit c6854e5a267c28300ff045480b5a7ee7f6f1d913 ] Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)") Signed-off-by: Ilya Denisyev Link: https://lore.kernel.org/r/20240412155357.237803-1-dev@elkcl.ru Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin (cherry picked from commit 2904e1d9b64f72d291095e3cbb31634f08788b11) Signed-off-by: Vegard Nossum --- fs/jffs2/xattr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/jffs2/xattr.c b/fs/jffs2/xattr.c index acb4492f5970..5a31220f96f5 100644 --- a/fs/jffs2/xattr.c +++ b/fs/jffs2/xattr.c @@ -1111,6 +1111,9 @@ int do_jffs2_setxattr(struct inode *inode, int xprefix, const char *xname, return rc; request = PAD(sizeof(struct jffs2_raw_xattr) + strlen(xname) + 1 + size); + if (request > c->sector_size - c->cleanmarker_size) + return -ERANGE; + rc = jffs2_reserve_space(c, request, &length, ALLOC_NORMAL, JFFS2_SUMMARY_XATTR_SIZE); if (rc) { From a28a74b9a53b5b25cde8cfbea4c071f7a1c9beed Mon Sep 17 00:00:00 2001 From: Zhu Yanjun Date: Thu, 25 Apr 2024 19:16:35 +0200 Subject: [PATCH 019/182] null_blk: Fix missing mutex_destroy() at module removal [ Upstream commit 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 ] When a mutex lock is not used any more, the function mutex_destroy should be called to mark the mutex lock uninitialized. Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver") Signed-off-by: Zhu Yanjun Link: https://lore.kernel.org/r/20240425171635.4227-1-yanjun.zhu@linux.dev Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin (cherry picked from commit 54ee1f7e2ea06e5c5341dc54255881fa5d11b312) [Vegard: fix conflict in context due to missing commit 74ede5af27c7fb91b18d8386128486290b8d44be ("null_blk: remove lightnvm support").] Signed-off-by: Vegard Nossum --- drivers/block/null_blk.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c index b499e72b2847..fb748669d8c5 100644 --- a/drivers/block/null_blk.c +++ b/drivers/block/null_blk.c @@ -2053,6 +2053,8 @@ static void __exit null_exit(void) blk_mq_free_tag_set(&tag_set); kmem_cache_destroy(ppa_cache); + + mutex_destroy(&lock); } module_init(null_init); From 520ccb81e3976c1c21d19d43265958faad0aee46 Mon Sep 17 00:00:00 2001 From: NeilBrown Date: Mon, 8 Apr 2024 12:09:18 +1000 Subject: [PATCH 020/182] nfsd: drop st_mutex before calling move_to_close_lru() [ Upstream commit 56c35f43eef013579c76c007ba1f386d8c2cac14 ] move_to_close_lru() is currently called with ->st_mutex held. This can lead to a deadlock as move_to_close_lru() waits for sc_count to drop to 2, and some threads holding a reference might be waiting for the mutex. These references will never be dropped so sc_count will never reach 2. There can be no harm in dropping ->st_mutex before move_to_close_lru() because the only place that takes the mutex is nfsd4_lock_ol_stateid(), and it quickly aborts if sc_type is NFS4_CLOSED_STID, which it will be before move_to_close_lru() is called. See also https://lore.kernel.org/lkml/4dd1fe21e11344e5969bb112e954affb@jd.com/T/ where this problem was raised but not successfully resolved. Reviewed-by: Jeff Layton Signed-off-by: NeilBrown Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin (cherry picked from commit 52d3370e8022ce28cd8cf4d16c09245aa683d7fb) Signed-off-by: Vegard Nossum --- fs/nfsd/nfs4state.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index e2de156849fd..e612b71205a4 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c @@ -5454,7 +5454,7 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp, return status; } -static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) +static bool nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) { struct nfs4_client *clp = s->st_stid.sc_client; bool unhashed; @@ -5468,11 +5468,11 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) put_ol_stateid_locked(s, &reaplist); spin_unlock(&clp->cl_lock); free_ol_stateid_reaplist(&reaplist); + return false; } else { spin_unlock(&clp->cl_lock); free_ol_stateid_reaplist(&reaplist); - if (unhashed) - move_to_close_lru(s, clp->net); + return unhashed; } } @@ -5488,6 +5488,7 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, struct nfs4_ol_stateid *stp; struct net *net = SVC_NET(rqstp); struct nfsd_net *nn = net_generic(net, nfsd_net_id); + bool need_move_to_close_list; dprintk("NFSD: nfsd4_close on file %pd\n", cstate->current_fh.fh_dentry); @@ -5503,8 +5504,10 @@ nfsd4_close(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, stp->st_stid.sc_type = NFS4_CLOSED_STID; nfs4_inc_and_copy_stateid(&close->cl_stateid, &stp->st_stid); - nfsd4_close_open_stateid(stp); + need_move_to_close_list = nfsd4_close_open_stateid(stp); mutex_unlock(&stp->st_mutex); + if (need_move_to_close_list) + move_to_close_lru(stp, net); /* See RFC5661 sectionm 18.2.4 */ if (stp->st_stid.sc_client->cl_minorversion) From 6faa6059493e8a857fe5c3b5e12a3ceec730cda3 Mon Sep 17 00:00:00 2001 From: Baochen Qiang Date: Wed, 6 Mar 2024 07:15:14 +0200 Subject: [PATCH 021/182] wifi: ath10k: poll service ready message before failing [ Upstream commit e57b7d62a1b2f496caf0beba81cec3c90fad80d5 ] Currently host relies on CE interrupts to get notified that the service ready message is ready. This results in timeout issue if the interrupt is not fired, due to some unknown reasons. See below logs: [76321.937866] ath10k_pci 0000:02:00.0: wmi service ready event not received ... [76322.016738] ath10k_pci 0000:02:00.0: Could not init core: -110 And finally it causes WLAN interface bring up failure. Change to give it one more chance here by polling CE rings, before failing directly. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00157-QCARMSWPZ-1 Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices") Reported-by: James Prestwood Tested-By: James Prestwood # on QCA6174 hw3.2 Link: https://lore.kernel.org/linux-wireless/304ce305-fbe6-420e-ac2a-d61ae5e6ca1a@gmail.com/ Signed-off-by: Baochen Qiang Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://msgid.link/20240227030409.89702-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin (cherry picked from commit 54e3970b1848856e49f8cd08751dcb010ac3296b) Signed-off-by: Vegard Nossum --- drivers/net/wireless/ath/ath10k/wmi.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c index 25f51ca06093..a805dcb1f634 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -1680,12 +1680,32 @@ void ath10k_wmi_put_wmi_channel(struct wmi_channel *ch, int ath10k_wmi_wait_for_service_ready(struct ath10k *ar) { - unsigned long time_left; + unsigned long time_left, i; time_left = wait_for_completion_timeout(&ar->wmi.service_ready, WMI_SERVICE_READY_TIMEOUT_HZ); - if (!time_left) - return -ETIMEDOUT; + if (!time_left) { + /* Sometimes the PCI HIF doesn't receive interrupt + * for the service ready message even if the buffer + * was completed. PCIe sniffer shows that it's + * because the corresponding CE ring doesn't fires + * it. Workaround here by polling CE rings once. + */ + ath10k_warn(ar, "failed to receive service ready completion, polling..\n"); + + for (i = 0; i < CE_COUNT; i++) + ath10k_hif_send_complete_check(ar, i, 1); + + time_left = wait_for_completion_timeout(&ar->wmi.service_ready, + WMI_SERVICE_READY_TIMEOUT_HZ); + if (!time_left) { + ath10k_warn(ar, "polling timed out\n"); + return -ETIMEDOUT; + } + + ath10k_warn(ar, "service ready completion received, continuing normally\n"); + } + return 0; } From a2c3254bc18b8f7bea19a00d8e7ea4ec52e941c1 Mon Sep 17 00:00:00 2001 From: Guixiong Wei Date: Sun, 17 Mar 2024 23:05:47 +0800 Subject: [PATCH 022/182] x86/boot: Ignore relocations in .notes sections in walk_relocs() too [ Upstream commit 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 ] Commit: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") ... only started ignoring the .notes sections in print_absolute_relocs(), but the same logic should also by applied in walk_relocs() to avoid such relocations. [ mingo: Fixed various typos in the changelog, removed extra curly braces from the code. ] Fixes: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") Fixes: da1a679cde9b ("Add /sys/kernel/notes") Signed-off-by: Guixiong Wei Signed-off-by: Ingo Molnar Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20240317150547.24910-1-weiguixiong@bytedance.com Signed-off-by: Sasha Levin (cherry picked from commit 2487db16d4b9faead07b7825d33294e9e783791d) Signed-off-by: Vegard Nossum --- arch/x86/tools/relocs.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c index 5bec866043be..ce6b3c999b4c 100644 --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c @@ -671,6 +671,15 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { continue; } + + /* + * Do not perform relocations in .notes sections; any + * values there are meant for pre-boot consumption (e.g. + * startup_xen). + */ + if (sec_applies->shdr.sh_type == SHT_NOTE) + continue; + sh_symtab = sec_symtab->symtab; sym_strtab = sec_symtab->link->strtab; for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { From 5b61b9cefdb45e69ab265050d603cdd30f3d089b Mon Sep 17 00:00:00 2001 From: Andrew Halaney Date: Fri, 29 Mar 2024 15:46:43 -0500 Subject: [PATCH 023/182] scsi: ufs: qcom: Perform read back after writing reset bit [ Upstream commit c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae ] Currently, the reset bit for the UFS provided reset controller (used by its phy) is written to, and then a mb() happens to try and ensure that hit the device. Immediately afterwards a usleep_range() occurs. mb() ensures that the write completes, but completion doesn't mean that it isn't stored in a buffer somewhere. The recommendation for ensuring this bit has taken effect on the device is to perform a read back to force it to make it all the way to the device. This is documented in device-io.rst and a talk by Will Deacon on this can be seen over here: https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 Let's do that to ensure the bit hits the device. By doing so and guaranteeing the ordering against the immediately following usleep_range(), the mb() can safely be removed. Fixes: 81c0fc51b7a7 ("ufs-qcom: add support for Qualcomm Technologies Inc platforms") Reviewed-by: Manivannan Sadhasivam Reviewed-by: Can Guo Signed-off-by: Andrew Halaney Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-1-181252004586@redhat.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit e6bfc88b60f0874a00b22f243a94a5e8601d5039) Signed-off-by: Vegard Nossum --- drivers/scsi/ufs/ufs-qcom.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/ufs/ufs-qcom.h b/drivers/scsi/ufs/ufs-qcom.h index 076f52813a4c..275aa7d48704 100644 --- a/drivers/scsi/ufs/ufs-qcom.h +++ b/drivers/scsi/ufs/ufs-qcom.h @@ -166,10 +166,10 @@ static inline void ufs_qcom_assert_reset(struct ufs_hba *hba) 1 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1); /* - * Make sure assertion of ufs phy reset is written to - * register before returning + * Dummy read to ensure the write takes effect before doing any sort + * of delay */ - mb(); + ufshcd_readl(hba, REG_UFS_CFG1); } static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) @@ -178,10 +178,10 @@ static inline void ufs_qcom_deassert_reset(struct ufs_hba *hba) 0 << OFFSET_UFS_PHY_SOFT_RESET, REG_UFS_CFG1); /* - * Make sure de-assertion of ufs phy reset is written to - * register before returning + * Dummy read to ensure the write takes effect before doing any sort + * of delay */ - mb(); + ufshcd_readl(hba, REG_UFS_CFG1); } struct ufs_qcom_bus_vote { From 936e250e7ec6cb3bad3a8aa3a699a625e62cb5a6 Mon Sep 17 00:00:00 2001 From: Andrew Halaney Date: Fri, 29 Mar 2024 15:46:50 -0500 Subject: [PATCH 024/182] scsi: ufs: core: Perform read back after disabling interrupts [ Upstream commit e4a628877119bd40164a651d20321247b6f94a8b ] Currently, interrupts are cleared and disabled prior to registering the interrupt. An mb() is used to complete the clear/disable writes before the interrupt is registered. mb() ensures that the write completes, but completion doesn't mean that it isn't stored in a buffer somewhere. The recommendation for ensuring these bits have taken effect on the device is to perform a read back to force it to make it all the way to the device. This is documented in device-io.rst and a talk by Will Deacon on this can be seen over here: https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 Let's do that to ensure these bits hit the device. Because the mb()'s purpose wasn't to add extra ordering (on top of the ordering guaranteed by writel()/readl()), it can safely be removed. Fixes: 199ef13cac7d ("scsi: ufs: avoid spurious UFS host controller interrupts") Reviewed-by: Manivannan Sadhasivam Reviewed-by: Bart Van Assche Reviewed-by: Can Guo Signed-off-by: Andrew Halaney Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-8-181252004586@redhat.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit bf144a2e3b5048e5a9e3baf19f54d5e865d578b4) Signed-off-by: Vegard Nossum --- drivers/scsi/ufs/ufshcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index fe7db66ab1f3..9ab17266f180 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -8003,7 +8003,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) * Make sure that UFS interrupts are disabled and any pending interrupt * status is cleared before registering UFS interrupt handler. */ - mb(); + ufshcd_readl(hba, REG_INTERRUPT_ENABLE); /* IRQ registration */ err = devm_request_irq(dev, irq, ufshcd_intr, IRQF_SHARED, UFSHCD, hba); From c5a8d87d1f0792ab4f65cf240309a4effe22de01 Mon Sep 17 00:00:00 2001 From: Andrew Halaney Date: Fri, 29 Mar 2024 15:46:51 -0500 Subject: [PATCH 025/182] scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL [ Upstream commit 4bf3855497b60765ca03b983d064b25e99b97657 ] Currently, the UIC_COMMAND_COMPL interrupt is disabled and a wmb() is used to complete the register write before any following writes. wmb() ensures the writes complete in that order, but completion doesn't mean that it isn't stored in a buffer somewhere. The recommendation for ensuring this bit has taken effect on the device is to perform a read back to force it to make it all the way to the device. This is documented in device-io.rst and a talk by Will Deacon on this can be seen over here: https://youtu.be/i6DayghhA8Q?si=MiyxB5cKJXSaoc01&t=1678 Let's do that to ensure the bit hits the device. Because the wmb()'s purpose wasn't to add extra ordering (on top of the ordering guaranteed by writel()/readl()), it can safely be removed. Fixes: d75f7fe495cf ("scsi: ufs: reduce the interrupts for power mode change requests") Reviewed-by: Bart Van Assche Reviewed-by: Can Guo Reviewed-by: Manivannan Sadhasivam Signed-off-by: Andrew Halaney Link: https://lore.kernel.org/r/20240329-ufs-reset-ensure-effect-before-delay-v5-9-181252004586@redhat.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 8dfd79c1c31660549a03439d42794c138efa5432) Signed-off-by: Vegard Nossum --- drivers/scsi/ufs/ufshcd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 9ab17266f180..e491155781e3 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -3583,7 +3583,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd) * Make sure UIC command completion interrupt is disabled before * issuing UIC command. */ - wmb(); + ufshcd_readl(hba, REG_INTERRUPT_ENABLE); reenable_intr = true; } ret = __ufshcd_send_uic_cmd(hba, cmd, false); From 94707145849c4be8019d4f7b2cce86402f9f9127 Mon Sep 17 00:00:00 2001 From: Zenghui Yu Date: Wed, 27 Mar 2024 22:23:05 +0800 Subject: [PATCH 026/182] irqchip/alpine-msi: Fix off-by-one in allocation error path [ Upstream commit ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 ] When alpine_msix_gic_domain_alloc() fails, there is an off-by-one in the number of interrupts to be freed. Fix it by passing the number of successfully allocated interrupts, instead of the relative index of the last allocated one. Fixes: 3841245e8498 ("irqchip/alpine-msi: Fix freeing of interrupts on allocation error path") Signed-off-by: Zenghui Yu Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20240327142305.1048-1-yuzenghui@huawei.com Signed-off-by: Sasha Levin (cherry picked from commit 4654dfa98682444152aac9bcef50e0d5e114a135) Signed-off-by: Vegard Nossum --- drivers/irqchip/irq-alpine-msi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c index 5e03574e1c5f..2d8177055a0e 100644 --- a/drivers/irqchip/irq-alpine-msi.c +++ b/drivers/irqchip/irq-alpine-msi.c @@ -165,7 +165,7 @@ static int alpine_msix_middle_domain_alloc(struct irq_domain *domain, return 0; err_sgi: - irq_domain_free_irqs_parent(domain, virq, i - 1); + irq_domain_free_irqs_parent(domain, virq, i); alpine_msix_free_sgi(priv, sgi, nr_irqs); return err; } From 96f2e9bb5b58c10a84e2a0064c7dc88cdcfff4d8 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 9 Apr 2024 16:00:55 +0200 Subject: [PATCH 027/182] ACPI: disable -Wstringop-truncation [ Upstream commit a3403d304708f60565582d60af4316289d0316a0 ] gcc -Wstringop-truncation warns about copying a string that results in a missing nul termination: drivers/acpi/acpica/tbfind.c: In function 'acpi_tb_find_table': drivers/acpi/acpica/tbfind.c:60:9: error: 'strncpy' specified bound 6 equals destination size [-Werror=stringop-truncation] 60 | strncpy(header.oem_id, oem_id, ACPI_OEM_ID_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/acpi/acpica/tbfind.c:61:9: error: 'strncpy' specified bound 8 equals destination size [-Werror=stringop-truncation] 61 | strncpy(header.oem_table_id, oem_table_id, ACPI_OEM_TABLE_ID_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The code works as intended, and the warning could be addressed by using a memcpy(), but turning the warning off for this file works equally well and may be easier to merge. Fixes: 47c08729bf1c ("ACPICA: Fix for LoadTable operator, input strings") Link: https://lore.kernel.org/lkml/CAJZ5v0hoUfv54KW7y4223Mn9E7D4xvR7whRFNLTBqCZMUxT50Q@mail.gmail.com/#t Signed-off-by: Arnd Bergmann Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin (cherry picked from commit 2e816914b5ba234c3815ca80bffd2f3b3a7de6b0) Signed-off-by: Vegard Nossum --- drivers/acpi/acpica/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile index 1e8e4e7a29cb..8410d09e0cbc 100644 --- a/drivers/acpi/acpica/Makefile +++ b/drivers/acpi/acpica/Makefile @@ -5,6 +5,7 @@ ccflags-y := -D_LINUX -DBUILDING_ACPICA ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT +CFLAGS_tbfind.o += $(call cc-disable-warning, stringop-truncation) # use acpi.o to put all files here into acpi.o modparam namespace obj-y += acpi.o From 8734c83b6dae36fbe4d97f42409e04459426858c Mon Sep 17 00:00:00 2001 From: Xingui Yang Date: Tue, 12 Mar 2024 14:11:03 +0000 Subject: [PATCH 028/182] scsi: libsas: Fix the failure of adding phy with zero-address to port [ Upstream commit 06036a0a5db34642c5dbe22021a767141f010b7a ] As of commit 7d1d86518118 ("[SCSI] libsas: fix false positive 'device attached' conditions"), reset the phy->entacted_sas_addr address to a zero-address when the link rate is less than 1.5G. Currently we find that when a new device is attached, and the link rate is less than 1.5G, but the device type is not NO_DEVICE, for example: the link rate is SAS_PHY_RESET_IN_PROGRESS and the device type is stp. After setting the phy->entacted_sas_addr address to the zero address, the port will continue to be created for the phy with the zero-address, and other phys with the zero-address will be tried to be added to the new port: [562240.051197] sas: ex 500e004aaaaaaa1f phy19:U:0 attached: 0000000000000000 (no device) // phy19 is deleted but still on the parent port's phy_list [562240.062536] sas: ex 500e004aaaaaaa1f phy0 new device attached [562240.062616] sas: ex 500e004aaaaaaa1f phy00:U:5 attached: 0000000000000000 (stp) [562240.062680] port-7:7:0: trying to add phy phy-7:7:19 fails: it's already part of another port Therefore, it should be the same as sas_get_phy_attached_dev(). Only when device_type is SAS_PHY_UNUSED, sas_address is set to the 0 address. Fixes: 7d1d86518118 ("[SCSI] libsas: fix false positive 'device attached' conditions") Signed-off-by: Xingui Yang Link: https://lore.kernel.org/r/20240312141103.31358-5-yangxingui@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 2d8f31aa03df040c58a2e4a0382b96269c1bf96a) Signed-off-by: Vegard Nossum --- drivers/scsi/libsas/sas_expander.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c index f77d72f01da9..f84679036908 100644 --- a/drivers/scsi/libsas/sas_expander.c +++ b/drivers/scsi/libsas/sas_expander.c @@ -269,8 +269,7 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, void *rsp) /* help some expanders that fail to zero sas_address in the 'no * device' case */ - if (phy->attached_dev_type == SAS_PHY_UNUSED || - phy->linkrate < SAS_LINK_RATE_1_5_GBPS) + if (phy->attached_dev_type == SAS_PHY_UNUSED) memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); else memcpy(phy->attached_sas_addr, dr->attached_sas_addr, SAS_ADDR_SIZE); From 784e2dc0d9be9b2e2ff8e3d05713f4d82895a489 Mon Sep 17 00:00:00 2001 From: Yuri Karpov Date: Tue, 12 Mar 2024 20:04:47 +0300 Subject: [PATCH 029/182] scsi: hpsa: Fix allocation size for Scsi_Host private data [ Upstream commit 504e2bed5d50610c1836046c0c195b0a6dba9c72 ] struct Scsi_Host private data contains pointer to struct ctlr_info. Restore allocation of only 8 bytes to store pointer in struct Scsi_Host private data area. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: bbbd25499100 ("scsi: hpsa: Fix allocation size for scsi_host_alloc()") Signed-off-by: Yuri Karpov Link: https://lore.kernel.org/r/20240312170447.743709-1-YKarpov@ispras.ru Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 9fc44d44b3b8eadd8b797462c733eb6c63598e6f) Signed-off-by: Vegard Nossum --- drivers/scsi/hpsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index 34434b7107ee..f903d21dcdb7 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -5627,7 +5627,7 @@ static int hpsa_scsi_host_alloc(struct ctlr_info *h) { struct Scsi_Host *sh; - sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info)); + sh = scsi_host_alloc(&hpsa_driver_template, sizeof(struct ctlr_info *)); if (sh == NULL) { dev_err(&h->pdev->dev, "scsi_host_alloc failed\n"); return -ENOMEM; From 6541bba29a4584f20a372e98ca07659b1b971c3e Mon Sep 17 00:00:00 2001 From: Su Hui Date: Mon, 22 Apr 2024 11:42:44 +0800 Subject: [PATCH 030/182] wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger() [ Upstream commit c511a9c12674d246916bb16c479d496b76983193 ] Clang Static Checker (scan-build) warns: drivers/net/wireless/ath/ath10k/debugfs_sta.c:line 429, column 3 Value stored to 'ret' is never read. Return 'ret' rather than 'count' when 'ret' stores an error code. Fixes: ee8b08a1be82 ("ath10k: add debugfs support to get per peer tids log via tracing") Signed-off-by: Su Hui Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://msgid.link/20240422034243.938962-1-suhui@nfschina.com Signed-off-by: Sasha Levin (cherry picked from commit 569da482fdec15251ff113462717182d85bd1665) Signed-off-by: Vegard Nossum --- drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c index d59ac6b83340..948c526394f8 100644 --- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c +++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c @@ -358,7 +358,7 @@ ath10k_dbg_sta_write_peer_debug_trigger(struct file *file, } out: mutex_unlock(&ar->conf_mutex); - return count; + return ret ?: count; } static const struct file_operations fops_peer_debug_trigger = { From d85d76f39ef8f74c3ce4b2084bc1d56b90f808ce Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Tue, 11 Sep 2018 20:18:44 -0400 Subject: [PATCH 031/182] macintosh/via-macii: Remove BUG_ON assertions [ Upstream commit 5f93d7081a47e1972031ccf57c4b2779eee162fb ] The BUG_ON assertions I added to the via-macii driver over a decade ago haven't fired AFAIK. Some can never fire (by inspection). One assertion checks for a NULL pointer, but that would merely substitute a BUG crash for an Oops crash. Remove the pointless BUG_ON assertions and replace the others with a WARN_ON and an array bounds check. Tested-by: Stan Johnson Signed-off-by: Finn Thain Signed-off-by: Michael Ellerman Stable-dep-of: d301a71c76ee ("macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"") Signed-off-by: Sasha Levin (cherry picked from commit 880897e8a5ade054a04575e5d8cc2666da415ab4) Signed-off-by: Vegard Nossum --- drivers/macintosh/via-macii.c | 49 +++++------------------------------ 1 file changed, 7 insertions(+), 42 deletions(-) diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c index 4ba06a1695ea..ba0734783ab8 100644 --- a/drivers/macintosh/via-macii.c +++ b/drivers/macintosh/via-macii.c @@ -120,23 +120,6 @@ static int srq_asserted; /* have to poll for the device that asserted it */ static int command_byte; /* the most recent command byte transmitted */ static int autopoll_devs; /* bits set are device addresses to be polled */ -/* Sanity check for request queue. Doesn't check for cycles. */ -static int request_is_queued(struct adb_request *req) { - struct adb_request *cur; - unsigned long flags; - local_irq_save(flags); - cur = current_req; - while (cur) { - if (cur == req) { - local_irq_restore(flags); - return 1; - } - cur = cur->next; - } - local_irq_restore(flags); - return 0; -} - /* Check for MacII style ADB */ static int macii_probe(void) { @@ -213,8 +196,6 @@ static void macii_queue_poll(void) else next_device = ffs(autopoll_devs) - 1; - BUG_ON(request_is_queued(&req)); - adb_request(&req, NULL, ADBREQ_NOSEND, 1, ADB_READREG(next_device, 0)); @@ -237,18 +218,13 @@ static int macii_send_request(struct adb_request *req, int sync) int err; unsigned long flags; - BUG_ON(request_is_queued(req)); - local_irq_save(flags); err = macii_write(req); local_irq_restore(flags); - if (!err && sync) { - while (!req->complete) { + if (!err && sync) + while (!req->complete) macii_poll(); - } - BUG_ON(request_is_queued(req)); - } return err; } @@ -327,9 +303,6 @@ static int macii_reset_bus(void) { static struct adb_request req; - if (request_is_queued(&req)) - return 0; - /* Command = 0, Address = ignored */ adb_request(&req, NULL, 0, 1, ADB_BUSRESET); @@ -346,10 +319,6 @@ static void macii_start(void) req = current_req; - BUG_ON(req == NULL); - - BUG_ON(macii_state != idle); - /* Now send it. Be careful though, that first byte of the request * is actually ADB_PACKET; the real data begins at index 1! * And req->nbytes is the number of bytes of real data plus one. @@ -387,7 +356,6 @@ static void macii_start(void) static irqreturn_t macii_interrupt(int irq, void *arg) { int x; - static int entered; struct adb_request *req; if (!arg) { @@ -398,8 +366,6 @@ static irqreturn_t macii_interrupt(int irq, void *arg) return IRQ_NONE; } - BUG_ON(entered++); - last_status = status; status = via[B] & (ST_MASK|CTLR_IRQ); @@ -408,7 +374,7 @@ static irqreturn_t macii_interrupt(int irq, void *arg) if (reading_reply) { reply_ptr = current_req->reply; } else { - BUG_ON(current_req != NULL); + WARN_ON(current_req); reply_ptr = reply_buf; } @@ -473,8 +439,8 @@ static irqreturn_t macii_interrupt(int irq, void *arg) case reading: x = via[SR]; - BUG_ON((status & ST_MASK) == ST_CMD || - (status & ST_MASK) == ST_IDLE); + WARN_ON((status & ST_MASK) == ST_CMD || + (status & ST_MASK) == ST_IDLE); /* Bus timeout with SRQ sequence: * data is "XX FF" while CTLR_IRQ is "L L" @@ -501,8 +467,8 @@ static irqreturn_t macii_interrupt(int irq, void *arg) } } - if (macii_state == reading) { - BUG_ON(reply_len > 15); + if (macii_state == reading && + reply_len < ARRAY_SIZE(reply_buf)) { reply_ptr++; *reply_ptr = x; reply_len++; @@ -545,6 +511,5 @@ static irqreturn_t macii_interrupt(int irq, void *arg) break; } - entered--; return IRQ_HANDLED; } From cbe81c90b06ebd1a23367c8c594dbddac39d531c Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Thu, 26 Oct 2017 22:45:24 -0400 Subject: [PATCH 032/182] m68k/mac: Add mutual exclusion for IOP interrupt polling The IOP interrupt handler iop_ism_irq() is used by the adb-iop driver to poll for ADB request completion. Unfortunately, it is not re-entrant. Fix the race condition by adding an iop_ism_irq_poll() function with suitable mutual exclusion. Tested-by: Stan Johnson Signed-off-by: Finn Thain Cc: Benjamin Herrenschmidt Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Geert Uytterhoeven (cherry picked from commit 92178fcabbcd39fc9ccd4e58ec4be83dd5323a46) Signed-off-by: Vegard Nossum --- arch/m68k/include/asm/mac_iop.h | 1 + arch/m68k/mac/iop.c | 9 +++++++++ drivers/macintosh/adb-iop.c | 4 +--- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/arch/m68k/include/asm/mac_iop.h b/arch/m68k/include/asm/mac_iop.h index 73dae2abeba3..32f1c79c818f 100644 --- a/arch/m68k/include/asm/mac_iop.h +++ b/arch/m68k/include/asm/mac_iop.h @@ -159,6 +159,7 @@ extern void iop_complete_message(struct iop_msg *); extern void iop_upload_code(uint, __u8 *, uint, __u16); extern void iop_download_code(uint, __u8 *, uint, __u16); extern __u8 *iop_compare_code(uint, __u8 *, uint, __u16); +extern void iop_ism_irq_poll(uint); extern void iop_register_interrupts(void); diff --git a/arch/m68k/mac/iop.c b/arch/m68k/mac/iop.c index 0b94f6672c5f..9c80ed858a1c 100644 --- a/arch/m68k/mac/iop.c +++ b/arch/m68k/mac/iop.c @@ -589,3 +589,12 @@ irqreturn_t iop_ism_irq(int irq, void *dev_id) } return IRQ_HANDLED; } + +void iop_ism_irq_poll(uint iop_num) +{ + unsigned long flags; + + local_irq_save(flags); + iop_ism_irq(0, (void *)iop_num); + local_irq_restore(flags); +} diff --git a/drivers/macintosh/adb-iop.c b/drivers/macintosh/adb-iop.c index dbc4a3e63396..15db69d8ba69 100644 --- a/drivers/macintosh/adb-iop.c +++ b/drivers/macintosh/adb-iop.c @@ -30,8 +30,6 @@ /*#define DEBUG_ADB_IOP*/ -extern void iop_ism_irq(int, void *); - static struct adb_request *current_req; static struct adb_request *last_req; #if 0 @@ -266,7 +264,7 @@ int adb_iop_autopoll(int devs) void adb_iop_poll(void) { if (adb_iop_state == idle) adb_iop_start(); - iop_ism_irq(0, (void *) ADB_IOP); + iop_ism_irq_poll(ADB_IOP); } int adb_iop_reset_bus(void) From fad0ed0dd7bf14e6c89489e1db0486828e45f563 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Tue, 11 Sep 2018 20:18:44 -0400 Subject: [PATCH 033/182] macintosh/via-macii, macintosh/adb-iop: Clean up whitespace [ Upstream commit 47fd2060660e62b169990a6fcd9eb61bc1a85c5c ] Signed-off-by: Finn Thain Signed-off-by: Michael Ellerman Stable-dep-of: d301a71c76ee ("macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"") Signed-off-by: Sasha Levin (cherry picked from commit d0aa752285c9a35ee1ae0f2a4da10c5ceb6c09b6) Signed-off-by: Vegard Nossum --- drivers/macintosh/adb-iop.c | 48 +++--- drivers/macintosh/via-macii.c | 288 +++++++++++++++++----------------- 2 files changed, 175 insertions(+), 161 deletions(-) diff --git a/drivers/macintosh/adb-iop.c b/drivers/macintosh/adb-iop.c index 15db69d8ba69..9febd84e4548 100644 --- a/drivers/macintosh/adb-iop.c +++ b/drivers/macintosh/adb-iop.c @@ -20,13 +20,13 @@ #include #include -#include -#include +#include +#include #include #include #include -#include +#include /*#define DEBUG_ADB_IOP*/ @@ -38,9 +38,9 @@ static unsigned char *reply_ptr; #endif static enum adb_iop_state { - idle, - sending, - awaiting_reply + idle, + sending, + awaiting_reply } adb_iop_state; static void adb_iop_start(void); @@ -66,7 +66,8 @@ static void adb_iop_end_req(struct adb_request *req, int state) { req->complete = 1; current_req = req->next; - if (req->done) (*req->done)(req); + if (req->done) + (*req->done)(req); adb_iop_state = state; } @@ -100,7 +101,7 @@ static void adb_iop_complete(struct iop_msg *msg) static void adb_iop_listen(struct iop_msg *msg) { - struct adb_iopmsg *amsg = (struct adb_iopmsg *) msg->message; + struct adb_iopmsg *amsg = (struct adb_iopmsg *)msg->message; struct adb_request *req; unsigned long flags; #ifdef DEBUG_ADB_IOP @@ -113,9 +114,9 @@ static void adb_iop_listen(struct iop_msg *msg) #ifdef DEBUG_ADB_IOP printk("adb_iop_listen %p: rcvd packet, %d bytes: %02X %02X", req, - (uint) amsg->count + 2, (uint) amsg->flags, (uint) amsg->cmd); + (uint)amsg->count + 2, (uint)amsg->flags, (uint)amsg->cmd); for (i = 0; i < amsg->count; i++) - printk(" %02X", (uint) amsg->data[i]); + printk(" %02X", (uint)amsg->data[i]); printk("\n"); #endif @@ -168,14 +169,15 @@ static void adb_iop_start(void) /* get the packet to send */ req = current_req; - if (!req) return; + if (!req) + return; local_irq_save(flags); #ifdef DEBUG_ADB_IOP printk("adb_iop_start %p: sending packet, %d bytes:", req, req->nbytes); - for (i = 0 ; i < req->nbytes ; i++) - printk(" %02X", (uint) req->data[i]); + for (i = 0; i < req->nbytes; i++) + printk(" %02X", (uint)req->data[i]); printk("\n"); #endif @@ -196,13 +198,14 @@ static void adb_iop_start(void) /* Now send it. The IOP manager will call adb_iop_complete */ /* when the packet has been sent. */ - iop_send_message(ADB_IOP, ADB_CHAN, req, - sizeof(amsg), (__u8 *) &amsg, adb_iop_complete); + iop_send_message(ADB_IOP, ADB_CHAN, req, sizeof(amsg), (__u8 *)&amsg, + adb_iop_complete); } int adb_iop_probe(void) { - if (!iop_ism_present) return -ENODEV; + if (!iop_ism_present) + return -ENODEV; return 0; } @@ -218,10 +221,12 @@ int adb_iop_send_request(struct adb_request *req, int sync) int err; err = adb_iop_write(req); - if (err) return err; + if (err) + return err; if (sync) { - while (!req->complete) adb_iop_poll(); + while (!req->complete) + adb_iop_poll(); } return 0; } @@ -251,7 +256,9 @@ static int adb_iop_write(struct adb_request *req) } local_irq_restore(flags); - if (adb_iop_state == idle) adb_iop_start(); + + if (adb_iop_state == idle) + adb_iop_start(); return 0; } @@ -263,7 +270,8 @@ int adb_iop_autopoll(int devs) void adb_iop_poll(void) { - if (adb_iop_state == idle) adb_iop_start(); + if (adb_iop_state == idle) + adb_iop_start(); iop_ism_irq_poll(ADB_IOP); } diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c index ba0734783ab8..c48478381fa5 100644 --- a/drivers/macintosh/via-macii.c +++ b/drivers/macintosh/via-macii.c @@ -12,7 +12,7 @@ * * 1999-08-02 (jmt) - Initial rewrite for Unified ADB. * 2000-03-29 Tony Mantler - * - Big overhaul, should actually work now. + * - Big overhaul, should actually work now. * 2006-12-31 Finn Thain - Another overhaul. * * Suggested reading: @@ -23,7 +23,7 @@ * Apple's "ADB Analyzer" bus sniffer is invaluable: * ftp://ftp.apple.com/developer/Tool_Chest/Devices_-_Hardware/Apple_Desktop_Bus/ */ - + #include #include #include @@ -77,7 +77,7 @@ static volatile unsigned char *via; #define ST_ODD 0x20 /* ADB state: odd data byte */ #define ST_IDLE 0x30 /* ADB state: idle, nothing to send */ -static int macii_init_via(void); +static int macii_init_via(void); static void macii_start(void); static irqreturn_t macii_interrupt(int irq, void *arg); static void macii_queue_poll(void); @@ -123,7 +123,8 @@ static int autopoll_devs; /* bits set are device addresses to be polled */ /* Check for MacII style ADB */ static int macii_probe(void) { - if (macintosh_config->adb_type != MAC_ADB_II) return -ENODEV; + if (macintosh_config->adb_type != MAC_ADB_II) + return -ENODEV; via = via1; @@ -136,15 +137,17 @@ int macii_init(void) { unsigned long flags; int err; - + local_irq_save(flags); - + err = macii_init_via(); - if (err) goto out; + if (err) + goto out; err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB", macii_interrupt); - if (err) goto out; + if (err) + goto out; macii_state = idle; out: @@ -152,7 +155,7 @@ int macii_init(void) return err; } -/* initialize the hardware */ +/* initialize the hardware */ static int macii_init_via(void) { unsigned char x; @@ -162,7 +165,7 @@ static int macii_init_via(void) /* Set up state: idle */ via[B] |= ST_IDLE; - last_status = via[B] & (ST_MASK|CTLR_IRQ); + last_status = via[B] & (ST_MASK | CTLR_IRQ); /* Shift register on input */ via[ACR] = (via[ACR] & ~SR_CTRL) | SR_EXT; @@ -188,7 +191,8 @@ static void macii_queue_poll(void) int next_device; static struct adb_request req; - if (!autopoll_devs) return; + if (!autopoll_devs) + return; device_mask = (1 << (((command_byte & 0xF0) >> 4) + 1)) - 1; if (autopoll_devs & ~device_mask) @@ -196,8 +200,7 @@ static void macii_queue_poll(void) else next_device = ffs(autopoll_devs) - 1; - adb_request(&req, NULL, ADBREQ_NOSEND, 1, - ADB_READREG(next_device, 0)); + adb_request(&req, NULL, ADBREQ_NOSEND, 1, ADB_READREG(next_device, 0)); req.sent = 0; req.complete = 0; @@ -236,7 +239,7 @@ static int macii_write(struct adb_request *req) req->complete = 1; return -EINVAL; } - + req->next = NULL; req->sent = 0; req->complete = 0; @@ -248,7 +251,8 @@ static int macii_write(struct adb_request *req) } else { current_req = req; last_req = req; - if (macii_state == idle) macii_start(); + if (macii_state == idle) + macii_start(); } return 0; } @@ -263,7 +267,8 @@ static int macii_autopoll(int devs) /* bit 1 == device 1, and so on. */ autopoll_devs = devs & 0xFFFE; - if (!autopoll_devs) return 0; + if (!autopoll_devs) + return 0; local_irq_save(flags); @@ -280,7 +285,8 @@ static int macii_autopoll(int devs) return err; } -static inline int need_autopoll(void) { +static inline int need_autopoll(void) +{ /* Was the last command Talk Reg 0 * and is the target on the autopoll list? */ @@ -302,7 +308,7 @@ static void macii_poll(void) static int macii_reset_bus(void) { static struct adb_request req; - + /* Command = 0, Address = ignored */ adb_request(&req, NULL, 0, 1, ADB_BUSRESET); @@ -344,7 +350,7 @@ static void macii_start(void) * to be activity on the ADB bus. The chip will poll to achieve this. * * The basic ADB state machine was left unchanged from the original MacII code - * by Alan Cox, which was based on the CUDA driver for PowerMac. + * by Alan Cox, which was based on the CUDA driver for PowerMac. * The syntax of the ADB status lines is totally different on MacII, * though. MacII uses the states Command -> Even -> Odd -> Even ->...-> Idle * for sending and Idle -> Even -> Odd -> Even ->...-> Idle for receiving. @@ -367,147 +373,147 @@ static irqreturn_t macii_interrupt(int irq, void *arg) } last_status = status; - status = via[B] & (ST_MASK|CTLR_IRQ); + status = via[B] & (ST_MASK | CTLR_IRQ); switch (macii_state) { - case idle: - if (reading_reply) { - reply_ptr = current_req->reply; - } else { - WARN_ON(current_req); - reply_ptr = reply_buf; - } + case idle: + if (reading_reply) { + reply_ptr = current_req->reply; + } else { + WARN_ON(current_req); + reply_ptr = reply_buf; + } + + x = via[SR]; + + if ((status & CTLR_IRQ) && (x == 0xFF)) { + /* Bus timeout without SRQ sequence: + * data is "FF" while CTLR_IRQ is "H" + */ + reply_len = 0; + srq_asserted = 0; + macii_state = read_done; + } else { + macii_state = reading; + *reply_ptr = x; + reply_len = 1; + } + + /* set ADB state = even for first data byte */ + via[B] = (via[B] & ~ST_MASK) | ST_EVEN; + break; - x = via[SR]; + case sending: + req = current_req; + if (data_index >= req->nbytes) { + req->sent = 1; + macii_state = idle; - if ((status & CTLR_IRQ) && (x == 0xFF)) { - /* Bus timeout without SRQ sequence: - * data is "FF" while CTLR_IRQ is "H" - */ - reply_len = 0; - srq_asserted = 0; - macii_state = read_done; + if (req->reply_expected) { + reading_reply = 1; } else { - macii_state = reading; - *reply_ptr = x; - reply_len = 1; - } + req->complete = 1; + current_req = req->next; + if (req->done) + (*req->done)(req); - /* set ADB state = even for first data byte */ - via[B] = (via[B] & ~ST_MASK) | ST_EVEN; - break; + if (current_req) + macii_start(); + else if (need_autopoll()) + macii_autopoll(autopoll_devs); + } - case sending: - req = current_req; - if (data_index >= req->nbytes) { - req->sent = 1; - macii_state = idle; - - if (req->reply_expected) { - reading_reply = 1; - } else { - req->complete = 1; - current_req = req->next; - if (req->done) (*req->done)(req); - - if (current_req) - macii_start(); - else - if (need_autopoll()) - macii_autopoll(autopoll_devs); - } + if (macii_state == idle) { + /* reset to shift in */ + via[ACR] &= ~SR_OUT; + x = via[SR]; + /* set ADB state idle - might get SRQ */ + via[B] = (via[B] & ~ST_MASK) | ST_IDLE; + } + } else { + via[SR] = req->data[data_index++]; - if (macii_state == idle) { - /* reset to shift in */ - via[ACR] &= ~SR_OUT; - x = via[SR]; - /* set ADB state idle - might get SRQ */ - via[B] = (via[B] & ~ST_MASK) | ST_IDLE; - } + if ((via[B] & ST_MASK) == ST_CMD) { + /* just sent the command byte, set to EVEN */ + via[B] = (via[B] & ~ST_MASK) | ST_EVEN; } else { - via[SR] = req->data[data_index++]; - - if ( (via[B] & ST_MASK) == ST_CMD ) { - /* just sent the command byte, set to EVEN */ - via[B] = (via[B] & ~ST_MASK) | ST_EVEN; - } else { - /* invert state bits, toggle ODD/EVEN */ - via[B] ^= ST_MASK; - } + /* invert state bits, toggle ODD/EVEN */ + via[B] ^= ST_MASK; } - break; - - case reading: - x = via[SR]; - WARN_ON((status & ST_MASK) == ST_CMD || - (status & ST_MASK) == ST_IDLE); - - /* Bus timeout with SRQ sequence: - * data is "XX FF" while CTLR_IRQ is "L L" - * End of packet without SRQ sequence: - * data is "XX...YY 00" while CTLR_IRQ is "L...H L" - * End of packet SRQ sequence: - * data is "XX...YY 00" while CTLR_IRQ is "L...L L" - * (where XX is the first response byte and - * YY is the last byte of valid response data.) - */ + } + break; - srq_asserted = 0; - if (!(status & CTLR_IRQ)) { - if (x == 0xFF) { - if (!(last_status & CTLR_IRQ)) { - macii_state = read_done; - reply_len = 0; - srq_asserted = 1; - } - } else if (x == 0x00) { + case reading: + x = via[SR]; + WARN_ON((status & ST_MASK) == ST_CMD || + (status & ST_MASK) == ST_IDLE); + + /* Bus timeout with SRQ sequence: + * data is "XX FF" while CTLR_IRQ is "L L" + * End of packet without SRQ sequence: + * data is "XX...YY 00" while CTLR_IRQ is "L...H L" + * End of packet SRQ sequence: + * data is "XX...YY 00" while CTLR_IRQ is "L...L L" + * (where XX is the first response byte and + * YY is the last byte of valid response data.) + */ + + srq_asserted = 0; + if (!(status & CTLR_IRQ)) { + if (x == 0xFF) { + if (!(last_status & CTLR_IRQ)) { macii_state = read_done; - if (!(last_status & CTLR_IRQ)) - srq_asserted = 1; + reply_len = 0; + srq_asserted = 1; } + } else if (x == 0x00) { + macii_state = read_done; + if (!(last_status & CTLR_IRQ)) + srq_asserted = 1; } + } - if (macii_state == reading && - reply_len < ARRAY_SIZE(reply_buf)) { - reply_ptr++; - *reply_ptr = x; - reply_len++; - } - - /* invert state bits, toggle ODD/EVEN */ - via[B] ^= ST_MASK; - break; + if (macii_state == reading && + reply_len < ARRAY_SIZE(reply_buf)) { + reply_ptr++; + *reply_ptr = x; + reply_len++; + } - case read_done: - x = via[SR]; - - if (reading_reply) { - reading_reply = 0; - req = current_req; - req->reply_len = reply_len; - req->complete = 1; - current_req = req->next; - if (req->done) (*req->done)(req); - } else if (reply_len && autopoll_devs) - adb_input(reply_buf, reply_len, 0); - - macii_state = idle; - - /* SRQ seen before, initiate poll now */ - if (srq_asserted) - macii_queue_poll(); + /* invert state bits, toggle ODD/EVEN */ + via[B] ^= ST_MASK; + break; - if (current_req) - macii_start(); - else - if (need_autopoll()) - macii_autopoll(autopoll_devs); + case read_done: + x = via[SR]; - if (macii_state == idle) - via[B] = (via[B] & ~ST_MASK) | ST_IDLE; - break; + if (reading_reply) { + reading_reply = 0; + req = current_req; + req->reply_len = reply_len; + req->complete = 1; + current_req = req->next; + if (req->done) + (*req->done)(req); + } else if (reply_len && autopoll_devs) + adb_input(reply_buf, reply_len, 0); + + macii_state = idle; + + /* SRQ seen before, initiate poll now */ + if (srq_asserted) + macii_queue_poll(); + + if (current_req) + macii_start(); + else if (need_autopoll()) + macii_autopoll(autopoll_devs); + + if (macii_state == idle) + via[B] = (via[B] & ~ST_MASK) | ST_IDLE; + break; - default: + default: break; } From 82b5124ff8448c3b27d5cf963d835806a4ec8726 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Wed, 13 Mar 2024 13:53:41 +1100 Subject: [PATCH 034/182] macintosh/via-macii: Fix "BUG: sleeping function called from invalid context" [ Upstream commit d301a71c76ee4c384b4e03cdc320a55f5cf1df05 ] The via-macii ADB driver calls request_irq() after disabling hard interrupts. But disabling interrupts isn't necessary here because the VIA shift register interrupt was masked during VIA1 initialization. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/419fcc09d0e563b425c419053d02236b044d86b0.1710298421.git.fthain@linux-m68k.org Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin (cherry picked from commit e4ff8bcfb2841fe4e17e5901578b632adb89036d) Signed-off-by: Vegard Nossum --- drivers/macintosh/via-macii.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/macintosh/via-macii.c b/drivers/macintosh/via-macii.c index c48478381fa5..552d60fd855d 100644 --- a/drivers/macintosh/via-macii.c +++ b/drivers/macintosh/via-macii.c @@ -135,24 +135,19 @@ static int macii_probe(void) /* Initialize the driver */ int macii_init(void) { - unsigned long flags; int err; - local_irq_save(flags); - err = macii_init_via(); if (err) - goto out; + return err; err = request_irq(IRQ_MAC_ADB, macii_interrupt, 0, "ADB", macii_interrupt); if (err) - goto out; + return err; macii_state = idle; -out: - local_irq_restore(flags); - return err; + return 0; } /* initialize the hardware */ From e6c959db704b9f17b53d0d695ac791ddb180649b Mon Sep 17 00:00:00 2001 From: Nikita Zhandarovich Date: Mon, 22 Apr 2024 11:33:55 -0700 Subject: [PATCH 035/182] wifi: carl9170: add a proper sanity check for endpoints [ Upstream commit b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 ] Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB sumbitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. Similar warning is triggered in a couple of other syzbot issues [2]. Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration. [1] Syzkaller report: ... WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline] carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline] carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 [2] Related syzkaller crashes: Link: https://syzkaller.appspot.com/bug?extid=e394db78ae0b0032cb4d Link: https://syzkaller.appspot.com/bug?extid=9468df99cb63a4a4c4e1 Reported-and-tested-by: syzbot+0ae4804973be759fa420@syzkaller.appspotmail.com Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") Signed-off-by: Nikita Zhandarovich Acked-By: Christian Lamparter Signed-off-by: Kalle Valo Link: https://msgid.link/20240422183355.3785-1-n.zhandarovich@fintech.ru Signed-off-by: Sasha Levin (cherry picked from commit eb0f2fc3ff5806cc572cd9055ce7c52a01e97645) Signed-off-by: Vegard Nossum --- drivers/net/wireless/ath/carl9170/usb.c | 32 +++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c index 99f1897a775d..738f43b17e95 100644 --- a/drivers/net/wireless/ath/carl9170/usb.c +++ b/drivers/net/wireless/ath/carl9170/usb.c @@ -1069,6 +1069,38 @@ static int carl9170_usb_probe(struct usb_interface *intf, ar->usb_ep_cmd_is_bulk = true; } + /* Verify that all expected endpoints are present */ + if (ar->usb_ep_cmd_is_bulk) { + u8 bulk_ep_addr[] = { + AR9170_USB_EP_RX | USB_DIR_IN, + AR9170_USB_EP_TX | USB_DIR_OUT, + AR9170_USB_EP_CMD | USB_DIR_OUT, + 0}; + u8 int_ep_addr[] = { + AR9170_USB_EP_IRQ | USB_DIR_IN, + 0}; + if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || + !usb_check_int_endpoints(intf, int_ep_addr)) + err = -ENODEV; + } else { + u8 bulk_ep_addr[] = { + AR9170_USB_EP_RX | USB_DIR_IN, + AR9170_USB_EP_TX | USB_DIR_OUT, + 0}; + u8 int_ep_addr[] = { + AR9170_USB_EP_IRQ | USB_DIR_IN, + AR9170_USB_EP_CMD | USB_DIR_OUT, + 0}; + if (!usb_check_bulk_endpoints(intf, bulk_ep_addr) || + !usb_check_int_endpoints(intf, int_ep_addr)) + err = -ENODEV; + } + + if (err) { + carl9170_free(ar); + return err; + } + usb_set_intfdata(intf, ar); SET_IEEE80211_DEV(ar->hw, &intf->dev); From 0e282a437be278b5a28b5de56553710ca304877a Mon Sep 17 00:00:00 2001 From: Nikita Zhandarovich Date: Mon, 8 Apr 2024 05:14:25 -0700 Subject: [PATCH 036/182] wifi: ar5523: enable proper endpoint verification [ Upstream commit e120b6388d7d88635d67dcae6483f39c37111850 ] Syzkaller reports [1] hitting a warning about an endpoint in use not having an expected type to it. Fix the issue by checking for the existence of all proper endpoints with their according types intact. Sadly, this patch has not been tested on real hardware. [1] Syzkaller report: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 3643 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: ar5523_cmd+0x41b/0x780 drivers/net/wireless/ath/ar5523/ar5523.c:275 ar5523_cmd_read drivers/net/wireless/ath/ar5523/ar5523.c:302 [inline] ar5523_host_available drivers/net/wireless/ath/ar5523/ar5523.c:1376 [inline] ar5523_probe+0x14b0/0x1d10 drivers/net/wireless/ath/ar5523/ar5523.c:1655 usb_probe_interface+0x30f/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_set_configuration+0x101d/0x1900 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xbe/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd8/0x2c0 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:560 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:639 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:778 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:808 __device_attach_driver+0x1d4/0x2e0 drivers/base/dd.c:936 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:1008 bus_probe_device+0x1e8/0x2a0 drivers/base/bus.c:487 device_add+0xbd9/0x1e90 drivers/base/core.c:3517 usb_new_device.cold+0x685/0x10ad drivers/usb/core/hub.c:2573 hub_port_connect drivers/usb/core/hub.c:5353 [inline] hub_port_connect_change drivers/usb/core/hub.c:5497 [inline] port_event drivers/usb/core/hub.c:5653 [inline] hub_event+0x26cb/0x45d0 drivers/usb/core/hub.c:5735 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289 worker_thread+0x669/0x1090 kernel/workqueue.c:2436 kthread+0x2e8/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Reported-and-tested-by: syzbot+1bc2c2afd44f820a669f@syzkaller.appspotmail.com Fixes: b7d572e1871d ("ar5523: Add new driver") Signed-off-by: Nikita Zhandarovich Signed-off-by: Kalle Valo Link: https://msgid.link/20240408121425.29392-1-n.zhandarovich@fintech.ru Signed-off-by: Sasha Levin (cherry picked from commit 79ddf5f2020fd593d50f1363bb5131283d74f78f) Signed-off-by: Vegard Nossum --- drivers/net/wireless/ath/ar5523/ar5523.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c index 74f23e4ded1c..0c1a7f60b84e 100644 --- a/drivers/net/wireless/ath/ar5523/ar5523.c +++ b/drivers/net/wireless/ath/ar5523/ar5523.c @@ -1590,6 +1590,20 @@ static int ar5523_probe(struct usb_interface *intf, struct ar5523 *ar; int error = -ENOMEM; + static const u8 bulk_ep_addr[] = { + AR5523_CMD_TX_PIPE | USB_DIR_OUT, + AR5523_DATA_TX_PIPE | USB_DIR_OUT, + AR5523_CMD_RX_PIPE | USB_DIR_IN, + AR5523_DATA_RX_PIPE | USB_DIR_IN, + 0}; + + if (!usb_check_bulk_endpoints(intf, bulk_ep_addr)) { + dev_err(&dev->dev, + "Could not find all expected endpoints\n"); + error = -ENODEV; + goto out; + } + /* * Load firmware if the device requires it. This will return * -ENXIO on success and we'll get called back afer the usb From 08d55870d721795f5ca9affb641a9d77a5cde478 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Fri, 1 Mar 2024 22:02:30 +0100 Subject: [PATCH 037/182] sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe() [ Upstream commit 1422ae080b66134fe192082d9b721ab7bd93fcc5 ] arch/sh/kernel/kprobes.c:52:16: warning: no previous prototype for 'arch_copy_kprobe' [-Wmissing-prototypes] Although SH kprobes support was only merged in v2.6.28, it missed the earlier removal of the arch_copy_kprobe() callback in v2.6.15. Based on the powerpc part of commit 49a2a1b83ba6fa40 ("[PATCH] kprobes: changed from using spinlock to mutex"). Fixes: d39f5450146ff39f ("sh: Add kprobes support.") Signed-off-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/717d47a19689cc944fae6e981a1ad7cae1642c89.1709326528.git.geert+renesas@glider.be Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Sasha Levin (cherry picked from commit 8ed15460d8bbc517bf54b24c7694e6c0ff174968) Signed-off-by: Vegard Nossum --- arch/sh/kernel/kprobes.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/arch/sh/kernel/kprobes.c b/arch/sh/kernel/kprobes.c index 52a5e11247d1..a65502940b01 100644 --- a/arch/sh/kernel/kprobes.c +++ b/arch/sh/kernel/kprobes.c @@ -47,17 +47,12 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) if (OPCODE_RTE(opcode)) return -EFAULT; /* Bad breakpoint */ + memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); p->opcode = opcode; return 0; } -void __kprobes arch_copy_kprobe(struct kprobe *p) -{ - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t)); - p->opcode = *p->addr; -} - void __kprobes arch_arm_kprobe(struct kprobe *p) { *p->addr = BREAKPOINT_INSTRUCTION; From 3d986276f8b5fa0dc170e1b35f0659b9ba4b2cd0 Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Sun, 24 Mar 2024 16:18:04 -0700 Subject: [PATCH 038/182] Revert "sh: Handle calling csum_partial with misaligned data" [ Upstream commit b5319c96292ff877f6b58d349acf0a9dc8d3b454 ] This reverts commit cadc4e1a2b4d20d0cc0e81f2c6ba0588775e54e5. Commit cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned data") causes bad checksum calculations on unaligned data. Reverting it fixes the problem. # Subtest: checksum # module: checksum_kunit 1..5 # test_csum_fixed_random_inputs: ASSERTION FAILED at lib/checksum_kunit.c:500 Expected ( u64)result == ( u64)expec, but ( u64)result == 53378 (0xd082) ( u64)expec == 33488 (0x82d0) # test_csum_fixed_random_inputs: pass:0 fail:1 skip:0 total:1 not ok 1 test_csum_fixed_random_inputs # test_csum_all_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:525 Expected ( u64)result == ( u64)expec, but ( u64)result == 65281 (0xff01) ( u64)expec == 65280 (0xff00) # test_csum_all_carry_inputs: pass:0 fail:1 skip:0 total:1 not ok 2 test_csum_all_carry_inputs # test_csum_no_carry_inputs: ASSERTION FAILED at lib/checksum_kunit.c:573 Expected ( u64)result == ( u64)expec, but ( u64)result == 65535 (0xffff) ( u64)expec == 65534 (0xfffe) # test_csum_no_carry_inputs: pass:0 fail:1 skip:0 total:1 not ok 3 test_csum_no_carry_inputs # test_ip_fast_csum: pass:1 fail:0 skip:0 total:1 ok 4 test_ip_fast_csum # test_csum_ipv6_magic: pass:1 fail:0 skip:0 total:1 ok 5 test_csum_ipv6_magic # checksum: pass:2 fail:3 skip:0 total:5 # Totals: pass:2 fail:3 skip:0 total:5 not ok 22 checksum Fixes: cadc4e1a2b4d ("sh: Handle calling csum_partial with misaligned data") Signed-off-by: Guenter Roeck Tested-by: Geert Uytterhoeven Reviewed-by: John Paul Adrian Glaubitz Link: https://lore.kernel.org/r/20240324231804.841099-1-linux@roeck-us.net Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Sasha Levin (cherry picked from commit 3c37203af733254154602273a970cfb7400c223e) Signed-off-by: Vegard Nossum --- arch/sh/lib/checksum.S | 67 ++++++++++++------------------------------ 1 file changed, 18 insertions(+), 49 deletions(-) diff --git a/arch/sh/lib/checksum.S b/arch/sh/lib/checksum.S index 356c8ec92893..1fc361b64119 100644 --- a/arch/sh/lib/checksum.S +++ b/arch/sh/lib/checksum.S @@ -36,7 +36,8 @@ */ /* - * asmlinkage __wsum csum_partial(const void *buf, int len, __wsum sum); + * unsigned int csum_partial(const unsigned char *buf, int len, + * unsigned int sum); */ .text @@ -48,31 +49,11 @@ ENTRY(csum_partial) * Fortunately, it is easy to convert 2-byte alignment to 4-byte * alignment for the unrolled loop. */ + mov r5, r1 mov r4, r0 - tst #3, r0 ! Check alignment. - bt/s 2f ! Jump if alignment is ok. - mov r4, r7 ! Keep a copy to check for alignment + tst #2, r0 ! Check alignment. + bt 2f ! Jump if alignment is ok. ! - tst #1, r0 ! Check alignment. - bt 21f ! Jump if alignment is boundary of 2bytes. - - ! buf is odd - tst r5, r5 - add #-1, r5 - bt 9f - mov.b @r4+, r0 - extu.b r0, r0 - addc r0, r6 ! t=0 from previous tst - mov r6, r0 - shll8 r6 - shlr16 r0 - shlr8 r0 - or r0, r6 - mov r4, r0 - tst #2, r0 - bt 2f -21: - ! buf is 2 byte aligned (len could be 0) add #-2, r5 ! Alignment uses up two bytes. cmp/pz r5 ! bt/s 1f ! Jump if we had at least two bytes. @@ -80,17 +61,16 @@ ENTRY(csum_partial) bra 6f add #2, r5 ! r5 was < 2. Deal with it. 1: + mov r5, r1 ! Save new len for later use. mov.w @r4+, r0 extu.w r0, r0 addc r0, r6 bf 2f add #1, r6 2: - ! buf is 4 byte aligned (len could be 0) - mov r5, r1 mov #-5, r0 - shld r0, r1 - tst r1, r1 + shld r0, r5 + tst r5, r5 bt/s 4f ! if it's =0, go to 4f clrt .align 2 @@ -112,31 +92,30 @@ ENTRY(csum_partial) addc r0, r6 addc r2, r6 movt r0 - dt r1 + dt r5 bf/s 3b cmp/eq #1, r0 - ! here, we know r1==0 - addc r1, r6 ! add carry to r6 + ! here, we know r5==0 + addc r5, r6 ! add carry to r6 4: - mov r5, r0 + mov r1, r0 and #0x1c, r0 tst r0, r0 - bt 6f - ! 4 bytes or more remaining - mov r0, r1 - shlr2 r1 + bt/s 6f + mov r0, r5 + shlr2 r5 mov #0, r2 5: addc r2, r6 mov.l @r4+, r2 movt r0 - dt r1 + dt r5 bf/s 5b cmp/eq #1, r0 addc r2, r6 - addc r1, r6 ! r1==0 here, so it means add carry-bit + addc r5, r6 ! r5==0 here, so it means add carry-bit 6: - ! 3 bytes or less remaining + mov r1, r5 mov #3, r0 and r0, r5 tst r5, r5 @@ -162,16 +141,6 @@ ENTRY(csum_partial) mov #0, r0 addc r0, r6 9: - ! Check if the buffer was misaligned, if so realign sum - mov r7, r0 - tst #1, r0 - bt 10f - mov r6, r0 - shll8 r6 - shlr16 r0 - shlr8 r0 - or r0, r6 -10: rts mov r6, r0 From 2461969d18d1b3a8ca40c5203819221813d2fa47 Mon Sep 17 00:00:00 2001 From: Bui Quang Minh Date: Wed, 24 Apr 2024 21:44:20 +0700 Subject: [PATCH 039/182] scsi: bfa: Ensure the copied buf is NUL terminated [ Upstream commit 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 ] Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from userspace to that buffer. Later, we use sscanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using sscanf. Fix this issue by using memdup_user_nul instead of memdup_user. Fixes: 9f30b674759b ("bfa: replace 2 kzalloc/copy_from_user by memdup_user") Signed-off-by: Bui Quang Minh Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-3-f1f1b53a10f4@gmail.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 481fc0c8617304a67649027c4a44723a139a0462) Signed-off-by: Vegard Nossum --- drivers/scsi/bfa/bfad_debugfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/bfa/bfad_debugfs.c b/drivers/scsi/bfa/bfad_debugfs.c index 05f523971348..89b8aa93eda5 100644 --- a/drivers/scsi/bfa/bfad_debugfs.c +++ b/drivers/scsi/bfa/bfad_debugfs.c @@ -262,7 +262,7 @@ bfad_debugfs_write_regrd(struct file *file, const char __user *buf, unsigned long flags; void *kern_buf; - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); @@ -329,7 +329,7 @@ bfad_debugfs_write_regwr(struct file *file, const char __user *buf, unsigned long flags; void *kern_buf; - kern_buf = memdup_user(buf, nbytes); + kern_buf = memdup_user_nul(buf, nbytes); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); From c2d34a41a30021d6947d93dee2373e98416296b8 Mon Sep 17 00:00:00 2001 From: Bui Quang Minh Date: Wed, 24 Apr 2024 21:44:21 +0700 Subject: [PATCH 040/182] scsi: qedf: Ensure the copied buf is NUL terminated [ Upstream commit d0184a375ee797eb657d74861ba0935b6e405c62 ] Currently, we allocate a count-sized kernel buffer and copy count from userspace to that buffer. Later, we use kstrtouint on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using kstrtouint. Fix this issue by using memdup_user_nul instead of memdup_user. Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.") Signed-off-by: Bui Quang Minh Link: https://lore.kernel.org/r/20240424-fix-oob-read-v2-4-f1f1b53a10f4@gmail.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin (cherry picked from commit 1f84a2744ad813be23fc4be99fb74bfb24aadb95) Signed-off-by: Vegard Nossum --- drivers/scsi/qedf/qedf_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/qedf/qedf_debugfs.c b/drivers/scsi/qedf/qedf_debugfs.c index 41fa846f0bdb..2a3a2d456b47 100644 --- a/drivers/scsi/qedf/qedf_debugfs.c +++ b/drivers/scsi/qedf/qedf_debugfs.c @@ -190,7 +190,7 @@ qedf_dbg_debug_cmd_write(struct file *filp, const char __user *buffer, if (!count || *ppos) return 0; - kern_buf = memdup_user(buffer, count); + kern_buf = memdup_user_nul(buffer, count); if (IS_ERR(kern_buf)) return PTR_ERR(kern_buf); From ceee9c23ca78be8cbe0b677623554c14da4a8ffe Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sat, 4 May 2024 14:38:15 +0300 Subject: [PATCH 041/182] wifi: mwl8k: initialize cmd->addr[] properly [ Upstream commit 1d60eabb82694e58543e2b6366dae3e7465892a5 ] This loop is supposed to copy the mac address to cmd->addr but the i++ increment is missing so it copies everything to cmd->addr[0] and only the last address is recorded. Fixes: 22bedad3ce11 ("net: convert multicast list to list_head") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://msgid.link/b788be9a-15f5-4cca-a3fe-79df4c8ce7b2@moroto.mountain Signed-off-by: Sasha Levin (cherry picked from commit 6bc4e51e8d8451d40ec092d01119287af2acffcf) Signed-off-by: Vegard Nossum --- drivers/net/wireless/marvell/mwl8k.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c index d5f766044221..95454eca7a01 100644 --- a/drivers/net/wireless/marvell/mwl8k.c +++ b/drivers/net/wireless/marvell/mwl8k.c @@ -2706,7 +2706,7 @@ __mwl8k_cmd_mac_multicast_adr(struct ieee80211_hw *hw, int allmulti, cmd->action |= cpu_to_le16(MWL8K_ENABLE_RX_MULTICAST); cmd->numaddr = cpu_to_le16(mc_count); netdev_hw_addr_list_for_each(ha, mc_list) { - memcpy(cmd->addr[i], ha->addr, ETH_ALEN); + memcpy(cmd->addr[i++], ha->addr, ETH_ALEN); } } From 2341a1b273189a5673cfbb6a5badecca8e25d24a Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Mon, 6 May 2024 14:39:39 +0000 Subject: [PATCH 042/182] net: usb: sr9700: stop lying about skb->truesize [ Upstream commit 05417aa9c0c038da2464a0c504b9d4f99814a23b ] Some usb drivers set small skb->truesize and break core networking stacks. In this patch, I removed one of the skb->truesize override. I also replaced one skb_clone() by an allocation of a fresh and small skb, to get minimally sized skbs, like we did in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: stop lying about skb->truesize") Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20240506143939.3673865-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit c0aff9978bb6ead0aec382a2645a563a3dd2df38) Signed-off-by: Vegard Nossum --- drivers/net/usb/sr9700.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c index dbdb027abe47..4a723696103b 100644 --- a/drivers/net/usb/sr9700.c +++ b/drivers/net/usb/sr9700.c @@ -418,19 +418,15 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) skb_pull(skb, 3); skb->len = len; skb_set_tail_pointer(skb, len); - skb->truesize = len + sizeof(struct sk_buff); return 2; } - /* skb_clone is used for address align */ - sr_skb = skb_clone(skb, GFP_ATOMIC); + sr_skb = netdev_alloc_skb_ip_align(dev->net, len); if (!sr_skb) return 0; - sr_skb->len = len; - sr_skb->data = skb->data + 3; - skb_set_tail_pointer(sr_skb, len); - sr_skb->truesize = len + sizeof(struct sk_buff); + skb_put(sr_skb, len); + memcpy(sr_skb->data, skb->data + 3, len); usbnet_skb_return(dev, sr_skb); skb_pull(skb, len + SR_RX_OVERHEAD); From 314fdca9aa1eac5417fd9621bf4ebbacfd100e75 Mon Sep 17 00:00:00 2001 From: Michael Schmitz Date: Thu, 11 Apr 2024 15:36:31 +1200 Subject: [PATCH 043/182] m68k: Fix spinlock race in kernel thread creation [ Upstream commit da89ce46f02470ef08f0f580755d14d547da59ed ] Context switching does take care to retain the correct lock owner across the switch from 'prev' to 'next' tasks. This does rely on interrupts remaining disabled for the entire duration of the switch. This condition is guaranteed for normal process creation and context switching between already running processes, because both 'prev' and 'next' already have interrupts disabled in their saved copies of the status register. The situation is different for newly created kernel threads. The status register is set to PS_S in copy_thread(), which does leave the IPL at 0. Upon restoring the 'next' thread's status register in switch_to() aka resume(), interrupts then become enabled prematurely. resume() then returns via ret_from_kernel_thread() and schedule_tail() where run queue lock is released (see finish_task_switch() and finish_lock_switch()). A timer interrupt calling scheduler_tick() before the lock is released in finish_task_switch() will find the lock already taken, with the current task as lock owner. This causes a spinlock recursion warning as reported by Guenter Roeck. As far as I can ascertain, this race has been opened in commit 533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") but I haven't done a detailed study of kernel history so it may well predate that commit. Interrupts cannot be disabled in the saved status register copy for kernel threads (init will complain about interrupts disabled when finally starting user space). Disable interrupts temporarily when switching the tasks' register sets in resume(). Note that a simple oriw 0x700,%sr after restoring sr is not enough here - this leaves enough of a race for the 'spinlock recursion' warning to still be observed. Tested on ARAnyM and qemu (Quadra 800 emulation). Fixes: 533e6903bea0 ("m68k: split ret_from_fork(), simplify kernel_thread()") Reported-by: Guenter Roeck Closes: https://lore.kernel.org/all/07811b26-677c-4d05-aeb4-996cd880b789@roeck-us.net Signed-off-by: Michael Schmitz Tested-by: Guenter Roeck Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20240411033631.16335-1-schmitzmic@gmail.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin (cherry picked from commit 2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14) Signed-off-by: Vegard Nossum --- arch/m68k/kernel/entry.S | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S index 9a66657773be..417d8f0e8962 100644 --- a/arch/m68k/kernel/entry.S +++ b/arch/m68k/kernel/entry.S @@ -425,7 +425,9 @@ resume: movec %a0,%dfc /* restore status register */ - movew %a1@(TASK_THREAD+THREAD_SR),%sr + movew %a1@(TASK_THREAD+THREAD_SR),%d0 + oriw #0x0700,%d0 + movew %d0,%sr rts From 4e23b79c4b130dd3049e3c0001d4926dcfacded5 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Sat, 22 Dec 2018 13:18:01 +1100 Subject: [PATCH 044/182] m68k/mac: Use '030 reset method on SE/30 [ Upstream commit 9c0e91f6b701dce6902408d50c4df9cebe4744f5 ] The comment says that calling the ROM routine doesn't work. But testing shows that the 68030 fall-back reset method does work, so just use that. Tested-by: Stan Johnson Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Stable-dep-of: 265a3b322df9 ("m68k: mac: Fix reboot hang on Mac IIci") Signed-off-by: Sasha Levin (cherry picked from commit c96430d59c71a0e5c641b5267ccf141c501fe15e) Signed-off-by: Vegard Nossum --- arch/m68k/mac/misc.c | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c index 4956edaac926..164ea3a419d1 100644 --- a/arch/m68k/mac/misc.c +++ b/arch/m68k/mac/misc.c @@ -483,9 +483,8 @@ void mac_poweroff(void) void mac_reset(void) { - if (macintosh_config->adb_type == MAC_ADB_II) { - unsigned long flags; - + if (macintosh_config->adb_type == MAC_ADB_II && + macintosh_config->ident != MAC_MODEL_SE30) { /* need ROMBASE in booter */ /* indeed, plus need to MAP THE ROM !! */ @@ -495,17 +494,8 @@ void mac_reset(void) /* works on some */ rom_reset = (void *) (mac_bi_data.rombase + 0xa); - if (macintosh_config->ident == MAC_MODEL_SE30) { - /* - * MSch: Machines known to crash on ROM reset ... - */ - } else { - local_irq_save(flags); - - rom_reset(); - - local_irq_restore(flags); - } + local_irq_disable(); + rom_reset(); #ifdef CONFIG_ADB_CUDA } else if (macintosh_config->adb_type == MAC_ADB_EGRET || macintosh_config->adb_type == MAC_ADB_CUDA) { From 3d47f159d4991609f1a71bb15683f1b8cac8d2a8 Mon Sep 17 00:00:00 2001 From: Finn Thain Date: Sat, 4 May 2024 14:31:12 +1000 Subject: [PATCH 045/182] m68k: mac: Fix reboot hang on Mac IIci [ Upstream commit 265a3b322df9a973ff1fc63da70af456ab6ae1d6 ] Calling mac_reset() on a Mac IIci does reset the system, but what follows is a POST failure that requires a manual reset to resolve. Avoid that by using the 68030 asm implementation instead of the C implementation. Apparently the SE/30 has a similar problem as it has used the asm implementation since before git. This patch extends that solution to other systems with a similar ROM. After this patch, the only systems still using the C implementation are 68040 systems where adb_type is either MAC_ADB_IOP or MAC_ADB_II. This implies a 1 MiB Quadra ROM. This now includes the Quadra 900/950, which previously fell through to the "should never get here" catch-all. Reported-and-tested-by: Stan Johnson Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/480ebd1249d229c6dc1f3f1c6d599b8505483fd8.1714797072.git.fthain@linux-m68k.org Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin (cherry picked from commit 8055e882c57031a5ca7fbf278796c19ded9f9d6f) [Vegard: fix conflicts due to missing commits 6df2afba7a87afa71d4baf9875ec846d3040f9bb ("m68k/mac: Enable RTC for 100-series PowerBooks") and ebd722275f9cfc6752e29d2412fa3816ca05764b ("macintosh/via-pmu: Replace via-pmu68k driver with via-pmu driver").] Signed-off-by: Vegard Nossum --- arch/m68k/mac/misc.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/arch/m68k/mac/misc.c b/arch/m68k/mac/misc.c index 164ea3a419d1..d4cb7b50a6b5 100644 --- a/arch/m68k/mac/misc.c +++ b/arch/m68k/mac/misc.c @@ -483,31 +483,19 @@ void mac_poweroff(void) void mac_reset(void) { - if (macintosh_config->adb_type == MAC_ADB_II && - macintosh_config->ident != MAC_MODEL_SE30) { - /* need ROMBASE in booter */ - /* indeed, plus need to MAP THE ROM !! */ - - if (mac_bi_data.rombase == 0) - mac_bi_data.rombase = 0x40800000; - - /* works on some */ - rom_reset = (void *) (mac_bi_data.rombase + 0xa); - - local_irq_disable(); - rom_reset(); #ifdef CONFIG_ADB_CUDA - } else if (macintosh_config->adb_type == MAC_ADB_EGRET || - macintosh_config->adb_type == MAC_ADB_CUDA) { + if (macintosh_config->adb_type == MAC_ADB_EGRET || + macintosh_config->adb_type == MAC_ADB_CUDA) { cuda_restart(); + } else #endif #ifdef CONFIG_ADB_PMU68K - } else if (macintosh_config->adb_type == MAC_ADB_PB1 - || macintosh_config->adb_type == MAC_ADB_PB2) { + if (macintosh_config->adb_type == MAC_ADB_PB1 || + macintosh_config->adb_type == MAC_ADB_PB2) { pmu_restart(); + } else #endif - } else if (CPU_IS_030) { - + if (CPU_IS_030) { /* 030-specific reset routine. The idea is general, but the * specific registers to reset are '030-specific. Until I * have a non-030 machine, I can't test anything else. @@ -554,6 +542,18 @@ void mac_reset(void) "jmp %/a0@\n\t" /* jump to the reset vector */ ".chip 68k" : : "r" (offset), "a" (rombase) : "a0"); + } else { + /* need ROMBASE in booter */ + /* indeed, plus need to MAP THE ROM !! */ + + if (mac_bi_data.rombase == 0) + mac_bi_data.rombase = 0x40800000; + + /* works on some */ + rom_reset = (void *)(mac_bi_data.rombase + 0xa); + + local_irq_disable(); + rom_reset(); } /* should never get here */ From be1d9f0e9de4ae6b3c0baed5547aa84be06f6548 Mon Sep 17 00:00:00 2001 From: Breno Leitao Date: Thu, 9 May 2024 01:14:46 -0700 Subject: [PATCH 046/182] af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg [ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] A data-race condition has been identified in af_unix. In one data path, the write function unix_release_sock() atomically writes to sk->sk_shutdown using WRITE_ONCE. However, on the reader side, unix_stream_sendmsg() does not read it atomically. Consequently, this issue is causing the following KCSAN splat to occur: BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: unix_release_sock (net/unix/af_unix.c:640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket.c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x01 -> 0x03 The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") addressed a comparable issue in the past regarding sk->sk_shutdown. However, it overlooked resolving this particular data path. This patch only offending unix_stream_sendmsg() function, since the other reads seem to be protected by unix_state_lock() as discussed in Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Breno Leitao Reviewed-by: Kuniyuki Iwashima Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit fca6072e1a7b1e709ada5604b951513b89b4bd0a) Signed-off-by: Vegard Nossum --- net/unix/af_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 36359b6192bc..ca62df6a9eb6 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1899,7 +1899,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, goto out_err; } - if (sk->sk_shutdown & SEND_SHUTDOWN) + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) goto pipe_err; while (sent < len) { From 16d0a15317ccdd42565ee3b0b4414f7134f414ba Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 9 May 2024 08:33:13 +0000 Subject: [PATCH 047/182] net: usb: smsc95xx: stop lying about skb->truesize [ Upstream commit d50729f1d60bca822ef6d9c1a5fb28d486bd7593 ] Some usb drivers try to set small skb->truesize and break core networking stacks. In this patch, I removed one of the skb->truesize override. I also replaced one skb_clone() by an allocation of a fresh and small skb, to get minimally sized skbs, like we did in commit 1e2c61172342 ("net: cdc_ncm: reduce skb truesize in rx path") and 4ce62d5b2f7a ("net: usb: ax88179_178a: stop lying about skb->truesize") v3: also fix a sparse error ( https://lore.kernel.org/oe-kbuild-all/202405091310.KvncIecx-lkp@intel.com/ ) v2: leave the skb_trim() game because smsc95xx_rx_csum_offload() needs the csum part. (Jakub) While we are it, use get_unaligned() in smsc95xx_rx_csum_offload(). Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") Signed-off-by: Eric Dumazet Cc: Steve Glendinning Cc: UNGLinuxDriver@microchip.com Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20240509083313.2113832-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 1010b50b2ebaaa863baeba7572267ac39bbb7adb) Signed-off-by: Vegard Nossum --- drivers/net/usb/smsc95xx.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c index e70eac578f5e..2006f6943290 100644 --- a/drivers/net/usb/smsc95xx.c +++ b/drivers/net/usb/smsc95xx.c @@ -1924,9 +1924,11 @@ static int smsc95xx_reset_resume(struct usb_interface *intf) static void smsc95xx_rx_csum_offload(struct sk_buff *skb) { - skb->csum = *(u16 *)(skb_tail_pointer(skb) - 2); + u16 *csum_ptr = (u16 *)(skb_tail_pointer(skb) - 2); + + skb->csum = (__force __wsum)get_unaligned(csum_ptr); skb->ip_summed = CHECKSUM_COMPLETE; - skb_trim(skb, skb->len - 2); + skb_trim(skb, skb->len - 2); /* remove csum */ } static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) @@ -1985,25 +1987,22 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) if (dev->net->features & NETIF_F_RXCSUM) smsc95xx_rx_csum_offload(skb); skb_trim(skb, skb->len - 4); /* remove fcs */ - skb->truesize = size + sizeof(struct sk_buff); return 1; } - ax_skb = skb_clone(skb, GFP_ATOMIC); + ax_skb = netdev_alloc_skb_ip_align(dev->net, size); if (unlikely(!ax_skb)) { netdev_warn(dev->net, "Error allocating skb\n"); return 0; } - ax_skb->len = size; - ax_skb->data = packet; - skb_set_tail_pointer(ax_skb, size); + skb_put(ax_skb, size); + memcpy(ax_skb->data, packet, size); if (dev->net->features & NETIF_F_RXCSUM) smsc95xx_rx_csum_offload(ax_skb); skb_trim(ax_skb, ax_skb->len - 4); /* remove fcs */ - ax_skb->truesize = size + sizeof(struct sk_buff); usbnet_skb_return(dev, ax_skb); } From d84c07f0a36edfbb017f66723aff19b75408ec6a Mon Sep 17 00:00:00 2001 From: Ilya Maximets Date: Thu, 9 May 2024 11:38:05 +0200 Subject: [PATCH 048/182] net: openvswitch: fix overwriting ct original tuple for ICMPv6 [ Upstream commit 7c988176b6c16c516474f6fceebe0f055af5eb56 ] OVS_PACKET_CMD_EXECUTE has 3 main attributes: - OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. - OVS_PACKET_ATTR_PACKET - Binary packet content. - OVS_PACKET_ATTR_ACTIONS - Actions to execute on the packet. OVS_PACKET_ATTR_KEY is parsed first to populate sw_flow_key structure with the metadata like conntrack state, input port, recirculation id, etc. Then the packet itself gets parsed to populate the rest of the keys from the packet headers. Whenever the packet parsing code starts parsing the ICMPv6 header, it first zeroes out fields in the key corresponding to Neighbor Discovery information even if it is not an ND packet. It is an 'ipv6.nd' field. However, the 'ipv6' is a union that shares the space between 'nd' and 'ct_orig' that holds the original tuple conntrack metadata parsed from the OVS_PACKET_ATTR_KEY. ND packets should not normally have conntrack state, so it's fine to share the space, but normal ICMPv6 Echo packets or maybe other types of ICMPv6 can have the state attached and it should not be overwritten. The issue results in all but the last 4 bytes of the destination address being wiped from the original conntrack tuple leading to incorrect packet matching and potentially executing wrong actions in case this packet recirculates within the datapath or goes back to userspace. ND fields should not be accessed in non-ND packets, so not clearing them should be fine. Executing memset() only for actual ND packets to avoid the issue. Initializing the whole thing before parsing is needed because ND packet may not contain all the options. The issue only affects the OVS_PACKET_CMD_EXECUTE path and doesn't affect packets entering OVS datapath from network interfaces, because in this case CT metadata is populated from skb after the packet is already parsed. Fixes: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") Reported-by: Antonin Bas Closes: https://github.com/openvswitch/ovs-issues/issues/327 Signed-off-by: Ilya Maximets Acked-by: Aaron Conole Acked-by: Eelco Chaudron Link: https://lore.kernel.org/r/20240509094228.1035477-1-i.maximets@ovn.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 6a51ac92bf35d34b4996d6eb67e2fe469f573b11) Signed-off-by: Vegard Nossum --- net/openvswitch/flow.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c index dbe1079a1651..0b269713a71a 100644 --- a/net/openvswitch/flow.c +++ b/net/openvswitch/flow.c @@ -426,7 +426,6 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, */ key->tp.src = htons(icmp->icmp6_type); key->tp.dst = htons(icmp->icmp6_code); - memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); if (icmp->icmp6_code == 0 && (icmp->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION || @@ -435,6 +434,8 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key, struct nd_msg *nd; int offset; + memset(&key->ipv6.nd, 0, sizeof(key->ipv6.nd)); + /* In order to process neighbor discovery options, we need the * entire packet. */ From e990bf08d73df105508439d775a40706fa34e4da Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Thu, 9 May 2024 21:18:10 +0800 Subject: [PATCH 049/182] ipv6: sr: add missing seg6_local_exit [ Upstream commit 3321687e321307629c71b664225b861ebf3e5753 ] Currently, we only call seg6_local_exit() in seg6_init() if seg6_local_init() failed. But forgot to call it in seg6_exit(). Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel") Signed-off-by: Hangbin Liu Reviewed-by: Sabrina Dubroca Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20240509131812.1662197-2-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 9acb7ed4ff0e57b29326768aa8780f2ba2310090) Signed-off-by: Vegard Nossum --- net/ipv6/seg6.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index b785bf569049..5ced629d93e7 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -499,6 +499,7 @@ void seg6_exit(void) seg6_hmac_exit(); #endif #ifdef CONFIG_IPV6_SEG6_LWTUNNEL + seg6_local_exit(); seg6_iptunnel_exit(); #endif unregister_pernet_subsys(&ip6_segments_ops); From 32cc76dc98c3a167b25dfe1548848036fc07d834 Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Thu, 9 May 2024 21:18:11 +0800 Subject: [PATCH 050/182] ipv6: sr: fix incorrect unregister order [ Upstream commit 6e370a771d2985107e82d0f6174381c1acb49c20 ] Commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") changed the register order in seg6_init(). But the unregister order in seg6_exit() is not updated. Fixes: 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") Signed-off-by: Hangbin Liu Reviewed-by: Sabrina Dubroca Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20240509131812.1662197-3-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit d55cf7ced48c5054a79829a0b14203710006a277) Signed-off-by: Vegard Nossum --- net/ipv6/seg6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index 5ced629d93e7..36b4354b022b 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -502,6 +502,6 @@ void seg6_exit(void) seg6_local_exit(); seg6_iptunnel_exit(); #endif - unregister_pernet_subsys(&ip6_segments_ops); genl_unregister_family(&seg6_genl_family); + unregister_pernet_subsys(&ip6_segments_ops); } From a7eb748e89ec4c74a795fd32380019f21ae75895 Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Thu, 9 May 2024 21:18:12 +0800 Subject: [PATCH 051/182] ipv6: sr: fix invalid unregister error path [ Upstream commit 160e9d2752181fcf18c662e74022d77d3164cd45 ] The error path of seg6_init() is wrong in case CONFIG_IPV6_SEG6_LWTUNNEL is not defined. In that case if seg6_hmac_init() fails, the genl_unregister_family() isn't called. This issue exist since commit 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support"), and commit 5559cea2d5aa ("ipv6: sr: fix possible use-after-free and null-ptr-deref") replaced unregister_pernet_subsys() with genl_unregister_family() in this error path. Fixes: 46738b1317e1 ("ipv6: sr: add option to control lwtunnel support") Reported-by: Guillaume Nault Signed-off-by: Hangbin Liu Reviewed-by: Sabrina Dubroca Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20240509131812.1662197-4-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 10610575a3ac2a702bf5c57aa931beaf847949c7) Signed-off-by: Vegard Nossum --- net/ipv6/seg6.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index 36b4354b022b..00d8f7693e8e 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -486,6 +486,8 @@ int __init seg6_init(void) #endif #ifdef CONFIG_IPV6_SEG6_LWTUNNEL out_unregister_genl: +#endif +#if IS_ENABLED(CONFIG_IPV6_SEG6_LWTUNNEL) || IS_ENABLED(CONFIG_IPV6_SEG6_HMAC) genl_unregister_family(&seg6_genl_family); #endif out_unregister_pernet: From 73bc0203a1791e5252c190a016d46502406d53f0 Mon Sep 17 00:00:00 2001 From: Maxim Korotkov Date: Wed, 13 Mar 2024 13:27:20 +0300 Subject: [PATCH 052/182] mtd: rawnand: hynix: fixed typo [ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ] The function hynix_nand_rr_init() should probably return an error code. Judging by the usage, it seems that the return code is passed up the call stack. Right now, it always returns 0 and the function hynix_nand_cleanup() in hynix_nand_init() has never been called. Found by RASU JSC and Linux Verification Center (linuxtesting.org) Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs") Signed-off-by: Maxim Korotkov Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s@gmail.com Signed-off-by: Sasha Levin (cherry picked from commit 80850a39e2548988f4feae26f3fd66286b460278) Signed-off-by: Vegard Nossum --- drivers/mtd/nand/nand_hynix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/nand_hynix.c b/drivers/mtd/nand/nand_hynix.c index 985751eda317..9863701b4c6b 100644 --- a/drivers/mtd/nand/nand_hynix.c +++ b/drivers/mtd/nand/nand_hynix.c @@ -359,7 +359,7 @@ static int hynix_nand_rr_init(struct nand_chip *chip) if (ret) pr_warn("failed to initialize read-retry infrastructure"); - return 0; + return ret; } static void hynix_nand_extract_oobsize(struct nand_chip *chip, From 4ba8a5fa126c85d319a0f1c773a15c04dde7d74c Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 26 Mar 2024 23:38:00 +0100 Subject: [PATCH 053/182] fbdev: shmobile: fix snprintf truncation [ Upstream commit 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 ] The name of the overlay does not fit into the fixed-length field: drivers/video/fbdev/sh_mobile_lcdcfb.c:1577:2: error: 'snprintf' will always be truncated; specified size is 16, but format string expands to at least 25 Make it short enough by changing the string. Fixes: c5deac3c9b22 ("fbdev: sh_mobile_lcdc: Implement overlays support") Signed-off-by: Arnd Bergmann Reviewed-by: Laurent Pinchart Signed-off-by: Helge Deller Signed-off-by: Sasha Levin (cherry picked from commit f6100ea560ed320a397d99aad6ad6918f0f1a70a) Signed-off-by: Vegard Nossum --- drivers/video/fbdev/sh_mobile_lcdcfb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c index c3a46506e47e..f4d1f94ad43d 100644 --- a/drivers/video/fbdev/sh_mobile_lcdcfb.c +++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c @@ -1718,7 +1718,7 @@ sh_mobile_lcdc_overlay_fb_init(struct sh_mobile_lcdc_overlay *ovl) */ info->fix = sh_mobile_lcdc_overlay_fix; snprintf(info->fix.id, sizeof(info->fix.id), - "SH Mobile LCDC Overlay %u", ovl->index); + "SHMobile ovl %u", ovl->index); info->fix.smem_start = ovl->dma_handle; info->fix.smem_len = ovl->fb_size; info->fix.line_length = ovl->pitch; From 43f9acac76b1661328292b13c57936252536a7ee Mon Sep 17 00:00:00 2001 From: Justin Green Date: Thu, 7 Mar 2024 13:00:51 -0500 Subject: [PATCH 054/182] drm/mediatek: Add 0 size check to mtk_drm_gem_obj [ Upstream commit 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 ] Add a check to mtk_drm_gem_init if we attempt to allocate a GEM object of 0 bytes. Currently, no such check exists and the kernel will panic if a userspace application attempts to allocate a 0x0 GBM buffer. Tested by attempting to allocate a 0x0 GBM buffer on an MT8188 and verifying that we now return EINVAL. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Signed-off-by: Justin Green Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: CK Hu Link: https://patchwork.kernel.org/project/dri-devel/patch/20240307180051.4104425-1-greenjustin@chromium.org/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin (cherry picked from commit 79078880795478d551a05acc41f957700030d364) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/mediatek/mtk_drm_gem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c index 1818980dafce..46436e6777b8 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c @@ -26,6 +26,9 @@ static struct mtk_drm_gem_obj *mtk_drm_gem_init(struct drm_device *dev, size = round_up(size, PAGE_SIZE); + if (size == 0) + return ERR_PTR(-EINVAL); + mtk_gem_obj = kzalloc(sizeof(*mtk_gem_obj), GFP_KERNEL); if (!mtk_gem_obj) return ERR_PTR(-ENOMEM); From 27a754ac9d1b146c6690b8cc566be4df02028430 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 3 Apr 2024 10:06:19 +0200 Subject: [PATCH 055/182] powerpc/fsl-soc: hide unused const variable [ Upstream commit 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 ] vmpic_msi_feature is only used conditionally, which triggers a rare -Werror=unused-const-variable= warning with gcc: arch/powerpc/sysdev/fsl_msi.c:567:37: error: 'vmpic_msi_feature' defined but not used [-Werror=unused-const-variable=] 567 | static const struct fsl_msi_feature vmpic_msi_feature = Hide this one in the same #ifdef as the reference so we can turn on the warning by default. Fixes: 305bcf26128e ("powerpc/fsl-soc: use CONFIG_EPAPR_PARAVIRT for hcalls") Signed-off-by: Arnd Bergmann Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/20240403080702.3509288-2-arnd@kernel.org Signed-off-by: Sasha Levin (cherry picked from commit b798cfeea12ebfd74c4bba511deb02956c97789e) Signed-off-by: Vegard Nossum --- arch/powerpc/sysdev/fsl_msi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c index d43d3d1b27ed..6a686e570b1d 100644 --- a/arch/powerpc/sysdev/fsl_msi.c +++ b/arch/powerpc/sysdev/fsl_msi.c @@ -576,10 +576,12 @@ static const struct fsl_msi_feature ipic_msi_feature = { .msiir_offset = 0x38, }; +#ifdef CONFIG_EPAPR_PARAVIRT static const struct fsl_msi_feature vmpic_msi_feature = { .fsl_pic_ip = FSL_PIC_IP_VMPIC, .msiir_offset = 0, }; +#endif static const struct of_device_id fsl_of_msi_ids[] = { { From a36a6656bdcc519ee8206e91a484c9545e41c428 Mon Sep 17 00:00:00 2001 From: Aleksandr Burakov Date: Fri, 1 Mar 2024 14:15:53 +0300 Subject: [PATCH 056/182] media: ngene: Add dvb_ca_en50221_init return value check [ Upstream commit 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 ] The return value of dvb_ca_en50221_init() is not checked here that may cause undefined behavior in case of nonzero value return. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 25aee3debe04 ("[media] Rename media/dvb as media/pci") Signed-off-by: Aleksandr Burakov Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 7394bab35c51cead246ef50d8c2e699e36032aed) Signed-off-by: Vegard Nossum --- drivers/media/pci/ngene/ngene-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/pci/ngene/ngene-core.c b/drivers/media/pci/ngene/ngene-core.c index 96d0cbffa77c..714096b3ea4a 100644 --- a/drivers/media/pci/ngene/ngene-core.c +++ b/drivers/media/pci/ngene/ngene-core.c @@ -1499,7 +1499,9 @@ static int init_channel(struct ngene_channel *chan) } if (dev->ci.en && (io & NGENE_IO_TSOUT)) { - dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); + ret = dvb_ca_en50221_init(adapter, dev->ci.en, 0, 1); + if (ret != 0) + goto err; set_transfer(chan, 1); chan->dev->channel[2].DataFormatFlags = DF_SWAP32; set_transfer(&chan->dev->channel[2], 1); From 83fe7e17269e69bb85c5dcde3543fe69a7d14907 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Mon, 25 Mar 2024 14:50:24 +0000 Subject: [PATCH 057/182] media: radio-shark2: Avoid led_names truncations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 1820e16a3019b6258e6009d34432946a6ddd0a90 ] Increase the size of led_names so it can fit any valid v4l2 device name. Fixes: drivers/media/radio/radio-shark2.c:197:17: warning: ‘%s’ directive output may be truncated writing up to 35 bytes into a region of size 32 [-Wformat-truncation=] Signed-off-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit cbc12c9693fad0545fb0e753d78979026ae0772a) Signed-off-by: Vegard Nossum --- drivers/media/radio/radio-shark2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c index 5356941f54ae..fda988139fa4 100644 --- a/drivers/media/radio/radio-shark2.c +++ b/drivers/media/radio/radio-shark2.c @@ -62,7 +62,7 @@ struct shark_device { #ifdef SHARK_USE_LEDS struct work_struct led_work; struct led_classdev leds[NO_LEDS]; - char led_names[NO_LEDS][32]; + char led_names[NO_LEDS][64]; atomic_t brightness[NO_LEDS]; unsigned long brightness_new; #endif From d1bafe8dbdd69b5b94c648616261b10f89e9e634 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Fri, 9 Feb 2024 21:39:38 -0800 Subject: [PATCH 058/182] fbdev: sh7760fb: allow modular build [ Upstream commit 51084f89d687e14d96278241e5200cde4b0985c7 ] There is no reason to prohibit sh7760fb from being built as a loadable module as suggested by Geert, so change the config symbol from bool to tristate to allow that and change the FB dependency as needed. Fixes: f75f71b2c418 ("fbdev/sh7760fb: Depend on FB=y") Suggested-by: Geert Uytterhoeven Signed-off-by: Randy Dunlap Cc: Thomas Zimmermann Cc: Javier Martinez Canillas Cc: John Paul Adrian Glaubitz Cc: Sam Ravnborg Cc: Helge Deller Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Acked-by: John Paul Adrian Glaubitz Acked-by: Javier Martinez Canillas Signed-off-by: Helge Deller Signed-off-by: Sasha Levin (cherry picked from commit 74bafc897cb6c83b29c66cb39e82936204a5e51f) Signed-off-by: Vegard Nossum --- drivers/video/fbdev/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig index 30654608297f..00a3a9e15a7c 100644 --- a/drivers/video/fbdev/Kconfig +++ b/drivers/video/fbdev/Kconfig @@ -2196,8 +2196,8 @@ config FB_COBALT depends on FB && MIPS_COBALT config FB_SH7760 - bool "SH7760/SH7763/SH7720/SH7721 LCDC support" - depends on FB=y && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ + tristate "SH7760/SH7763/SH7720/SH7721 LCDC support" + depends on FB && (CPU_SUBTYPE_SH7760 || CPU_SUBTYPE_SH7763 \ || CPU_SUBTYPE_SH7720 || CPU_SUBTYPE_SH7721) select FB_CFB_FILLRECT select FB_CFB_COPYAREA From 8b76f73f5124b83712d6cdcb3ef990263e40c5f0 Mon Sep 17 00:00:00 2001 From: Steven Rostedt Date: Tue, 16 Apr 2024 00:03:03 -0400 Subject: [PATCH 059/182] ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value [ Upstream commit 58300f8d6a48e58d1843199be743f819e2791ea3 ] The string SND_SOC_DAPM_DIR_OUT is printed in the snd_soc_dapm_path trace event instead of its value: (((REC->path_dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") User space cannot parse this, as it has no idea what SND_SOC_DAPM_DIR_OUT is. Use TRACE_DEFINE_ENUM() to convert it to its value: (((REC->path_dir) == 1) ? "->" : "<-") So that user space tools, such as perf and trace-cmd, can parse it correctly. Reported-by: Luca Ceresoli Fixes: 6e588a0d839b5 ("ASoC: dapm: Consolidate path trace events") Signed-off-by: Steven Rostedt (Google) Link: https://lore.kernel.org/r/20240416000303.04670cdf@rorschach.local.home Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 60c68092723ea420215e9c3d5530038bc6568739) Signed-off-by: Vegard Nossum --- include/trace/events/asoc.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/trace/events/asoc.h b/include/trace/events/asoc.h index ccd1a3bdff46..e7bfe62c1210 100644 --- a/include/trace/events/asoc.h +++ b/include/trace/events/asoc.h @@ -11,6 +11,8 @@ #define DAPM_DIRECT "(direct)" #define DAPM_ARROW(dir) (((dir) == SND_SOC_DAPM_DIR_OUT) ? "->" : "<-") +TRACE_DEFINE_ENUM(SND_SOC_DAPM_DIR_OUT); + struct snd_soc_jack; struct snd_soc_codec; struct snd_soc_card; From e39747d5b28a334d3aa4a7d53db14f9f30390923 Mon Sep 17 00:00:00 2001 From: Adrian Hunter Date: Thu, 2 May 2024 13:58:45 +0300 Subject: [PATCH 060/182] x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map [ Upstream commit 59162e0c11d7257cde15f907d19fefe26da66692 ] The x86 instruction decoder is used not only for decoding kernel instructions. It is also used by perf uprobes (user space probes) and by perf tools Intel Processor Trace decoding. Consequently, it needs to support instructions executed by user space also. Opcode 0x68 PUSH instruction is currently defined as 64-bit operand size only i.e. (d64). That was based on Intel SDM Opcode Map. However that is contradicted by the Instruction Set Reference section for PUSH in the same manual. Remove 64-bit operand size only annotation from opcode 0x68 PUSH instruction. Example: $ cat pushw.s .global _start .text _start: pushw $0x1234 mov $0x1,%eax # system call number (sys_exit) int $0x80 $ as -o pushw.o pushw.s $ ld -s -o pushw pushw.o $ objdump -d pushw | tail -4 0000000000401000 <.text>: 401000: 66 68 34 12 pushw $0x1234 401004: b8 01 00 00 00 mov $0x1,%eax 401009: cd 80 int $0x80 $ perf record -e intel_pt//u ./pushw [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.014 MB perf.data ] Before: $ perf script --insn-trace=disasm Warning: 1 instruction trace errors pushw 10349 [000] 10586.869237014: 401000 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) pushw $0x1234 pushw 10349 [000] 10586.869237014: 401006 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %al, (%rax) pushw 10349 [000] 10586.869237014: 401008 [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb %cl, %ch pushw 10349 [000] 10586.869237014: 40100a [unknown] (/home/ahunter/git/misc/rtit-tests/pushw) addb $0x2e, (%rax) instruction trace error type 1 time 10586.869237224 cpu 0 pid 10349 tid 10349 ip 0x40100d code 6: Trace doesn't match instruction After: $ perf script --insn-trace=disasm pushw 10349 [000] 10586.869237014: 401000 [unknown] (./pushw) pushw $0x1234 pushw 10349 [000] 10586.869237014: 401004 [unknown] (./pushw) movl $1, %eax Fixes: eb13296cfaf6 ("x86: Instruction decoder API") Signed-off-by: Adrian Hunter Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20240502105853.5338-3-adrian.hunter@intel.com Signed-off-by: Sasha Levin (cherry picked from commit ef10bbdf4d59a98cf57ddf943756f14ef3cdbccd) Signed-off-by: Vegard Nossum --- arch/x86/lib/x86-opcode-map.txt | 2 +- tools/objtool/arch/x86/lib/x86-opcode-map.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/lib/x86-opcode-map.txt b/arch/x86/lib/x86-opcode-map.txt index 5cb9f009f2be..996a3a250026 100644 --- a/arch/x86/lib/x86-opcode-map.txt +++ b/arch/x86/lib/x86-opcode-map.txt @@ -148,7 +148,7 @@ AVXcode: 65: SEG=GS (Prefix) 66: Operand-Size (Prefix) 67: Address-Size (Prefix) -68: PUSH Iz (d64) +68: PUSH Iz 69: IMUL Gv,Ev,Iz 6a: PUSH Ib (d64) 6b: IMUL Gv,Ev,Ib diff --git a/tools/objtool/arch/x86/lib/x86-opcode-map.txt b/tools/objtool/arch/x86/lib/x86-opcode-map.txt index 5cb9f009f2be..996a3a250026 100644 --- a/tools/objtool/arch/x86/lib/x86-opcode-map.txt +++ b/tools/objtool/arch/x86/lib/x86-opcode-map.txt @@ -148,7 +148,7 @@ AVXcode: 65: SEG=GS (Prefix) 66: Operand-Size (Prefix) 67: Address-Size (Prefix) -68: PUSH Iz (d64) +68: PUSH Iz 69: IMUL Gv,Ev,Iz 6a: PUSH Ib (d64) 6b: IMUL Gv,Ev,Ib From 668cfe934e0081e60581269d5afab127489cdfda Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Thu, 7 Mar 2024 12:53:20 +0100 Subject: [PATCH 061/182] ext4: avoid excessive credit estimate in ext4_tmpfile() [ Upstream commit 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 ] A user with minimum journal size (1024 blocks these days) complained about the following error triggered by generic/697 test in ext4_tmpfile(): run fstests generic/697 at 2024-02-28 05:34:46 JBD2: vfstest wants too many credits credits:260 rsv_credits:0 max:256 EXT4-fs error (device loop0) in __ext4_new_inode:1083: error 28 Indeed the credit estimate in ext4_tmpfile() is huge. EXT4_MAXQUOTAS_INIT_BLOCKS() is 219, then 10 credits from ext4_tmpfile() itself and then ext4_xattr_credits_for_new_inode() adds more credits needed for security attributes and ACLs. Now the EXT4_MAXQUOTAS_INIT_BLOCKS() is in fact unnecessary because we've already initialized quotas with dquot_init() shortly before and so EXT4_MAXQUOTAS_TRANS_BLOCKS() is enough (which boils down to 3 credits). Fixes: af51a2ac36d1 ("ext4: ->tmpfile() support") Signed-off-by: Jan Kara Tested-by: Luis Henriques Tested-by: Disha Goel Link: https://lore.kernel.org/r/20240307115320.28949-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin (cherry picked from commit 1f9e32f9ea3454f79d80c8af7fac54843beba7f6) Signed-off-by: Vegard Nossum --- fs/ext4/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index a763216e1c15..76744b42f989 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -2603,7 +2603,7 @@ static int ext4_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode) inode = ext4_new_inode_start_handle(dir, mode, NULL, 0, NULL, EXT4_HT_DIR, - EXT4_MAXQUOTAS_INIT_BLOCKS(dir->i_sb) + + EXT4_MAXQUOTAS_TRANS_BLOCKS(dir->i_sb) + 4 + EXT4_XATTR_TRANS_BLOCKS); handle = ext4_journal_current_handle(); err = PTR_ERR(inode); From 0f0c8dcfaaff549a0397d3e63ec093c2ff6d602d Mon Sep 17 00:00:00 2001 From: Gautam Menghani Date: Thu, 30 Jun 2022 00:58:22 +0530 Subject: [PATCH 062/182] selftests/kcmp: Make the test output consistent and clear [ Upstream commit ff682226a353d88ffa5db9c2a9b945066776311e ] Make the output format of this test consistent. Currently the output is as follows: +TAP version 13 +1..1 +# selftests: kcmp: kcmp_test +# pid1: 45814 pid2: 45815 FD: 1 FILES: 1 VM: 2 FS: 1 SIGHAND: 2 + IO: 0 SYSVSEM: 0 INV: -1 +# PASS: 0 returned as expected +# PASS: 0 returned as expected +# PASS: 0 returned as expected +# # Planned tests != run tests (0 != 3) +# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 +# # Planned tests != run tests (0 != 3) +# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 +# # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:0 +ok 1 selftests: kcmp: kcmp_test With this patch applied the output is as follows: +TAP version 13 +1..1 +# selftests: kcmp: kcmp_test +# TAP version 13 +# 1..3 +# pid1: 46330 pid2: 46331 FD: 1 FILES: 2 VM: 2 FS: 2 SIGHAND: 1 + IO: 0 SYSVSEM: 0 INV: -1 +# PASS: 0 returned as expected +# PASS: 0 returned as expected +# PASS: 0 returned as expected +# # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0 +ok 1 selftests: kcmp: kcmp_test Signed-off-by: Gautam Menghani Signed-off-by: Shuah Khan Stable-dep-of: eb59a5811371 ("selftests/kcmp: remove unused open mode") Signed-off-by: Sasha Levin (cherry picked from commit 32b0469d13ebeb008b39613eb5acf529a10e0bde) Signed-off-by: Vegard Nossum --- tools/testing/selftests/kcmp/kcmp_test.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c index 6ea7b9f37a41..25110c7c0b3e 100644 --- a/tools/testing/selftests/kcmp/kcmp_test.c +++ b/tools/testing/selftests/kcmp/kcmp_test.c @@ -88,6 +88,9 @@ int main(int argc, char **argv) int pid2 = getpid(); int ret; + ksft_print_header(); + ksft_set_plan(3); + fd2 = open(kpath, O_RDWR, 0644); if (fd2 < 0) { perror("Can't open file"); @@ -152,7 +155,6 @@ int main(int argc, char **argv) ksft_inc_pass_cnt(); } - ksft_print_cnts(); if (ret) ksft_exit_fail(); @@ -162,5 +164,5 @@ int main(int argc, char **argv) waitpid(pid2, &status, P_ALL); - return ksft_exit_pass(); + return 0; } From eea262830c62f8856fed4c532b5598f83c2972a9 Mon Sep 17 00:00:00 2001 From: Edward Liaw Date: Mon, 29 Apr 2024 23:46:09 +0000 Subject: [PATCH 063/182] selftests/kcmp: remove unused open mode [ Upstream commit eb59a58113717df04b8a8229befd8ab1e5dbf86e ] Android bionic warns that open modes are ignored if O_CREAT or O_TMPFILE aren't specified. The permissions for the file are set above: fd1 = open(kpath, O_RDWR | O_CREAT | O_TRUNC, 0644); Link: https://lkml.kernel.org/r/20240429234610.191144-1-edliaw@google.com Fixes: d97b46a64674 ("syscalls, x86: add __NR_kcmp syscall") Signed-off-by: Edward Liaw Reviewed-by: Cyrill Gorcunov Cc: Eric Biederman Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin (cherry picked from commit 24331545d6ff749a8dbfb09925af86e8cc50dad5) Signed-off-by: Vegard Nossum --- tools/testing/selftests/kcmp/kcmp_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/kcmp/kcmp_test.c b/tools/testing/selftests/kcmp/kcmp_test.c index 25110c7c0b3e..d7a8e321bb16 100644 --- a/tools/testing/selftests/kcmp/kcmp_test.c +++ b/tools/testing/selftests/kcmp/kcmp_test.c @@ -91,7 +91,7 @@ int main(int argc, char **argv) ksft_print_header(); ksft_set_plan(3); - fd2 = open(kpath, O_RDWR, 0644); + fd2 = open(kpath, O_RDWR); if (fd2 < 0) { perror("Can't open file"); ksft_exit_fail(); From b3ab7172b68826ae894b394561679727af8e970d Mon Sep 17 00:00:00 2001 From: Kamal Heib Date: Thu, 5 Jul 2018 00:52:51 +0300 Subject: [PATCH 064/182] RDMA/ipoib: Fix use of sizeof() Make sure to use sizeof(...) instead of sizeof ... which is more preferred. Signed-off-by: Kamal Heib Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe (cherry picked from commit b1b639708f7431c85df4f70ae0d82c336705d7d4) Signed-off-by: Vegard Nossum --- drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++++++-------- drivers/infiniband/ulp/ipoib/ipoib_fs.c | 6 +++--- drivers/infiniband/ulp/ipoib/ipoib_ib.c | 4 ++-- drivers/infiniband/ulp/ipoib/ipoib_main.c | 10 +++++----- drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 6 +++--- drivers/infiniband/ulp/ipoib/ipoib_verbs.c | 2 +- drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 2 +- 7 files changed, 23 insertions(+), 23 deletions(-) diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c index 0e85b3445c07..945e2096f3b5 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c @@ -362,7 +362,7 @@ static int ipoib_cm_nonsrq_init_rx(struct net_device *dev, struct ib_cm_id *cm_i if (!rx->rx_ring) return -ENOMEM; - t = kmalloc(sizeof *t, GFP_KERNEL); + t = kmalloc(sizeof(*t), GFP_KERNEL); if (!t) { ret = -ENOMEM; goto err_free_1; @@ -431,7 +431,7 @@ static int ipoib_cm_send_rep(struct net_device *dev, struct ib_cm_id *cm_id, data.mtu = cpu_to_be32(IPOIB_CM_BUF_SIZE); rep.private_data = &data; - rep.private_data_len = sizeof data; + rep.private_data_len = sizeof(data); rep.flow_control = 0; rep.rnr_retry_count = req->rnr_retry_count; rep.srq = ipoib_cm_has_srq(dev); @@ -449,7 +449,7 @@ static int ipoib_cm_req_handler(struct ib_cm_id *cm_id, struct ib_cm_event *even int ret; ipoib_dbg(priv, "REQ arrived\n"); - p = kzalloc(sizeof *p, GFP_KERNEL); + p = kzalloc(sizeof(*p), GFP_KERNEL); if (!p) return -ENOMEM; p->dev = dev; @@ -656,7 +656,7 @@ void ipoib_cm_handle_rx_wc(struct net_device *dev, struct ib_wc *wc) } ipoib_cm_dma_unmap_rx(priv, frags, rx_ring[wr_id].mapping); - memcpy(rx_ring[wr_id].mapping, mapping, (frags + 1) * sizeof *mapping); + memcpy(rx_ring[wr_id].mapping, mapping, (frags + 1) * sizeof(*mapping)); ipoib_dbg_data(priv, "received %d bytes, SLID 0x%04x\n", wc->byte_len, wc->slid); @@ -1086,7 +1086,7 @@ static int ipoib_cm_send_req(struct net_device *dev, req.qp_num = qp->qp_num; req.qp_type = qp->qp_type; req.private_data = &data; - req.private_data_len = sizeof data; + req.private_data_len = sizeof(data); req.flow_control = 0; req.starting_psn = 0; /* FIXME */ @@ -1143,7 +1143,7 @@ static int ipoib_cm_tx_init(struct ipoib_cm_tx *p, u32 qpn, ret = -ENOMEM; goto err_tx; } - memset(p->tx_ring, 0, ipoib_sendq_size * sizeof *p->tx_ring); + memset(p->tx_ring, 0, ipoib_sendq_size * sizeof(*p->tx_ring)); p->qp = ipoib_cm_create_tx_qp(p->dev, p); memalloc_noio_restore(noio_flag); @@ -1295,7 +1295,7 @@ struct ipoib_cm_tx *ipoib_cm_create_tx(struct net_device *dev, struct ipoib_path struct ipoib_dev_priv *priv = ipoib_priv(dev); struct ipoib_cm_tx *tx; - tx = kzalloc(sizeof *tx, GFP_ATOMIC); + tx = kzalloc(sizeof(*tx), GFP_ATOMIC); if (!tx) return NULL; @@ -1360,7 +1360,7 @@ static void ipoib_cm_tx_start(struct work_struct *work) neigh->daddr + QPN_AND_OPTIONS_OFFSET); goto free_neigh; } - memcpy(&pathrec, &p->path->pathrec, sizeof pathrec); + memcpy(&pathrec, &p->path->pathrec, sizeof(pathrec)); spin_unlock_irqrestore(&priv->lock, flags); netif_tx_unlock_bh(dev); diff --git a/drivers/infiniband/ulp/ipoib/ipoib_fs.c b/drivers/infiniband/ulp/ipoib/ipoib_fs.c index 11f74cbe6660..23152450ba0a 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c @@ -262,15 +262,15 @@ static const struct file_operations ipoib_path_fops = { void ipoib_create_debug_files(struct net_device *dev) { struct ipoib_dev_priv *priv = ipoib_priv(dev); - char name[IFNAMSIZ + sizeof "_path"]; + char name[IFNAMSIZ + sizeof("_path")]; - snprintf(name, sizeof name, "%s_mcg", dev->name); + snprintf(name, sizeof(name), "%s_mcg", dev->name); priv->mcg_dentry = debugfs_create_file(name, S_IFREG | S_IRUGO, ipoib_root, dev, &ipoib_mcg_fops); if (!priv->mcg_dentry) ipoib_warn(priv, "failed to create mcg debug file\n"); - snprintf(name, sizeof name, "%s_path", dev->name); + snprintf(name, sizeof(name), "%s_path", dev->name); priv->path_dentry = debugfs_create_file(name, S_IFREG | S_IRUGO, ipoib_root, dev, &ipoib_path_fops); if (!priv->path_dentry) diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c index 8e1f48fe6f2e..d30387e32f77 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c @@ -57,7 +57,7 @@ struct ipoib_ah *ipoib_create_ah(struct net_device *dev, struct ipoib_ah *ah; struct ib_ah *vah; - ah = kmalloc(sizeof *ah, GFP_KERNEL); + ah = kmalloc(sizeof(*ah), GFP_KERNEL); if (!ah) return ERR_PTR(-ENOMEM); @@ -202,7 +202,7 @@ static void ipoib_ib_handle_rx_wc(struct net_device *dev, struct ib_wc *wc) } memcpy(mapping, priv->rx_ring[wr_id].mapping, - IPOIB_UD_RX_SG * sizeof *mapping); + IPOIB_UD_RX_SG * sizeof(*mapping)); /* * If we can't allocate a new RX buffer, dump diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c index caae4bfab950..86044aa948ea 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_main.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c @@ -636,7 +636,7 @@ struct ipoib_path_iter *ipoib_path_iter_init(struct net_device *dev) { struct ipoib_path_iter *iter; - iter = kmalloc(sizeof *iter, GFP_KERNEL); + iter = kmalloc(sizeof(*iter), GFP_KERNEL); if (!iter) return NULL; @@ -866,7 +866,7 @@ static struct ipoib_path *path_rec_create(struct net_device *dev, void *gid) if (!priv->broadcast) return NULL; - path = kzalloc(sizeof *path, GFP_ATOMIC); + path = kzalloc(sizeof(*path), GFP_ATOMIC); if (!path) return NULL; @@ -1184,7 +1184,7 @@ static int ipoib_hard_header(struct sk_buff *skb, { struct ipoib_header *header; - header = skb_push(skb, sizeof *header); + header = skb_push(skb, sizeof(*header)); header->proto = htons(type); header->reserved = 0; @@ -1352,7 +1352,7 @@ static struct ipoib_neigh *ipoib_neigh_ctor(u8 *daddr, { struct ipoib_neigh *neigh; - neigh = kzalloc(sizeof *neigh, GFP_ATOMIC); + neigh = kzalloc(sizeof(*neigh), GFP_ATOMIC); if (!neigh) return NULL; @@ -2329,7 +2329,7 @@ static void ipoib_add_one(struct ib_device *device) int p; int count = 0; - dev_list = kmalloc(sizeof *dev_list, GFP_KERNEL); + dev_list = kmalloc(sizeof(*dev_list), GFP_KERNEL); if (!dev_list) return; diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c index 25d7d9219591..d3ecda2931d2 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c @@ -140,7 +140,7 @@ static struct ipoib_mcast *ipoib_mcast_alloc(struct net_device *dev, { struct ipoib_mcast *mcast; - mcast = kzalloc(sizeof *mcast, can_sleep ? GFP_KERNEL : GFP_ATOMIC); + mcast = kzalloc(sizeof(*mcast), can_sleep ? GFP_KERNEL : GFP_ATOMIC); if (!mcast) return NULL; @@ -916,7 +916,7 @@ void ipoib_mcast_restart_task(struct work_struct *work) if (!ipoib_mcast_addr_is_valid(ha->addr, dev->broadcast)) continue; - memcpy(mgid.raw, ha->addr + 4, sizeof mgid); + memcpy(mgid.raw, ha->addr + 4, sizeof(mgid)); mcast = __ipoib_mcast_find(dev, &mgid); if (!mcast || test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags)) { @@ -997,7 +997,7 @@ struct ipoib_mcast_iter *ipoib_mcast_iter_init(struct net_device *dev) { struct ipoib_mcast_iter *iter; - iter = kmalloc(sizeof *iter, GFP_KERNEL); + iter = kmalloc(sizeof(*iter), GFP_KERNEL); if (!iter) return NULL; diff --git a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c index bb64baf25309..0dd6b48d0b90 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_verbs.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_verbs.c @@ -52,7 +52,7 @@ int ipoib_mcast_attach(struct net_device *dev, struct ib_device *hca, if (set_qkey) { ret = -ENOMEM; - qp_attr = kmalloc(sizeof *qp_attr, GFP_KERNEL); + qp_attr = kmalloc(sizeof(*qp_attr), GFP_KERNEL); if (!qp_attr) goto out; diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c index 55a9b71ed05a..b067ad5e4c7e 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c @@ -130,7 +130,7 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) if (test_bit(IPOIB_FLAG_GOING_DOWN, &ppriv->flags)) return -EPERM; - snprintf(intf_name, sizeof intf_name, "%s.%04x", + snprintf(intf_name, sizeof(intf_name), "%s.%04x", ppriv->dev->name, pkey); if (!mutex_trylock(&ppriv->sysfs_mutex)) From 183cb1a936e35c5ae205498945addd70a31a61e0 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky Date: Thu, 9 May 2024 10:39:33 +0300 Subject: [PATCH 065/182] RDMA/IPoIB: Fix format truncation compilation errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 49ca2b2ef3d003402584c68ae7b3055ba72e750a ] Truncate the device name to store IPoIB VLAN name. [leonro@5b4e8fba4ddd kernel]$ make -s -j 20 allmodconfig [leonro@5b4e8fba4ddd kernel]$ make -s -j 20 W=1 drivers/infiniband/ulp/ipoib/ drivers/infiniband/ulp/ipoib/ipoib_vlan.c: In function ‘ipoib_vlan_add’: drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:52: error: ‘%04x’ directive output may be truncated writing 4 bytes into a region of size between 0 and 15 [-Werror=format-truncation=] 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", | ^~~~ drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:48: note: directive argument in the range [0, 65535] 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", | ^~~~~~~~~ drivers/infiniband/ulp/ipoib/ipoib_vlan.c:187:9: note: ‘snprintf’ output between 6 and 21 bytes into a destination of size 16 187 | snprintf(intf_name, sizeof(intf_name), "%s.%04x", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 188 | ppriv->dev->name, pkey); | ~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors make[6]: *** [scripts/Makefile.build:244: drivers/infiniband/ulp/ipoib/ipoib_vlan.o] Error 1 make[6]: *** Waiting for unfinished jobs.... Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") Link: https://lore.kernel.org/r/e9d3e1fef69df4c9beaf402cc3ac342bad680791.1715240029.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin (cherry picked from commit b469345f1fca84bed4dea3cae85faa401cf9bf3e) [Vegard: fix conflict in context due to missing commit 577e07ffbad9960551a6821b74af90a216ac10e2 ("IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN").] Signed-off-by: Vegard Nossum --- drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c index b067ad5e4c7e..248eb734d29d 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c @@ -130,8 +130,12 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey) if (test_bit(IPOIB_FLAG_GOING_DOWN, &ppriv->flags)) return -EPERM; - snprintf(intf_name, sizeof(intf_name), "%s.%04x", - ppriv->dev->name, pkey); + /* If you increase IFNAMSIZ, update snprintf below + * to allow longer names. + */ + BUILD_BUG_ON(IFNAMSIZ != 16); + snprintf(intf_name, sizeof(intf_name), "%.10s.%04x", ppriv->dev->name, + pkey); if (!mutex_trylock(&ppriv->sysfs_mutex)) return restart_syscall(); From 08f41b353c1621f65bd6f61aa5f5aed2fc1feb11 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 15 May 2024 14:29:34 +0000 Subject: [PATCH 066/182] netrom: fix possible dead-lock in nr_rt_ioctl() [ Upstream commit e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 ] syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1] Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node) [1] WARNING: possible circular locking dependency detected 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted ------------------------------------------------------ syz-executor350/5129 is trying to acquire lock: ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline] ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 but task is already holding lock: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (nr_node_list_lock){+...}-{2:2}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_remove_node net/netrom/nr_route.c:299 [inline] nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355 nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&nr_node->node_lock){+...}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_node_lock include/net/netrom.h:152 [inline] nr_dec_obs net/netrom/nr_route.c:464 [inline] nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(nr_node_list_lock); lock(&nr_node->node_lock); lock(nr_node_list_lock); lock(&nr_node->node_lock); *** DEADLOCK *** 1 lock held by syz-executor350/5129: #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697 stack backtrace: CPU: 0 PID: 5129 Comm: syz-executor350 Not tainted 6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_node_lock include/net/netrom.h:152 [inline] nr_dec_obs net/netrom/nr_route.c:464 [inline] nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20240515142934.3708038-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit b9d663fbf74290cb68fbc66ae4367bd56837ad1d) Signed-off-by: Vegard Nossum --- net/netrom/nr_route.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index 879c811892ff..b13eb8047d8c 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -313,22 +313,14 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic, return 0; } -static inline void __nr_remove_node(struct nr_node *nr_node) +static void nr_remove_node_locked(struct nr_node *nr_node) { + lockdep_assert_held(&nr_node_list_lock); + hlist_del_init(&nr_node->node_node); nr_node_put(nr_node); } -#define nr_remove_node_locked(__node) \ - __nr_remove_node(__node) - -static void nr_remove_node(struct nr_node *nr_node) -{ - spin_lock_bh(&nr_node_list_lock); - __nr_remove_node(nr_node); - spin_unlock_bh(&nr_node_list_lock); -} - static inline void __nr_remove_neigh(struct nr_neigh *nr_neigh) { hlist_del_init(&nr_neigh->neigh_node); @@ -367,6 +359,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n return -EINVAL; } + spin_lock_bh(&nr_node_list_lock); nr_node_lock(nr_node); for (i = 0; i < nr_node->count; i++) { if (nr_node->routes[i].neighbour == nr_neigh) { @@ -380,7 +373,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n nr_node->count--; if (nr_node->count == 0) { - nr_remove_node(nr_node); + nr_remove_node_locked(nr_node); } else { switch (i) { case 0: @@ -393,12 +386,14 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n nr_node_put(nr_node); } nr_node_unlock(nr_node); + spin_unlock_bh(&nr_node_list_lock); return 0; } } nr_neigh_put(nr_neigh); nr_node_unlock(nr_node); + spin_unlock_bh(&nr_node_list_lock); nr_node_put(nr_node); return -EINVAL; From 79417a25cb5eb9644fe89e5aae703a6b591669d5 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 15 May 2024 16:33:58 +0000 Subject: [PATCH 067/182] af_packet: do not call packet_read_pending() from tpacket_destruct_skb() [ Upstream commit 581073f626e387d3e7eed55c48c8495584ead7ba ] trafgen performance considerably sank on hosts with many cores after the blamed commit. packet_read_pending() is very expensive, and calling it in af_packet fast path defeats Daniel intent in commit b013840810c2 ("packet: use percpu mmap tx frame pending refcount") tpacket_destruct_skb() makes room for one packet, we can immediately wakeup a producer, no need to completely drain the tx ring. Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET") Signed-off-by: Eric Dumazet Cc: Neil Horman Cc: Daniel Borkmann Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/r/20240515163358.4105915-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 4f3ae7d846b4565c0b80d65ed607c3277bc984d4) Signed-off-by: Vegard Nossum --- net/packet/af_packet.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 6a02cf8d7141..0cc0a0002584 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -2480,8 +2480,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb) ts = __packet_set_timestamp(po, ph, skb); __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts); - if (!packet_read_pending(&po->tx_ring)) - complete(&po->skb_completion); + complete(&po->skb_completion); } sock_wfree(skb); From 03baaba21b3291e6300e4fafb8d2849f0389de3d Mon Sep 17 00:00:00 2001 From: Valentin Schneider Date: Mon, 14 Oct 2019 17:44:08 +0100 Subject: [PATCH 068/182] sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax [ Upstream commit 9ae7ab20b4835dbea0e5fc6a5c70171dc354a72e ] As pointed out in commit 182a85f8a119 ("sched: Disable wakeup balancing") SD_BALANCE_WAKE is a tad too aggressive, and is usually left unset. However, it turns out cpuset domain relaxation will unconditionally set it on domains below the relaxation level. This made sense back when SD_BALANCE_WAKE was set unconditionally, but it no longer is the case. We can improve things slightly by noticing that set_domain_attribute() is always called after sd_init(), so rather than setting flags we can rely on whatever sd_init() is doing and only clear certain flags when above the relaxation level. While at it, slightly clean up the function and flip the relax level check to be more human readable. Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Cc: mingo@kernel.org Cc: vincent.guittot@linaro.org Cc: juri.lelli@redhat.com Cc: seto.hidetoshi@jp.fujitsu.com Cc: qperret@google.com Cc: Dietmar.Eggemann@arm.com Cc: morten.rasmussen@arm.com Link: https://lkml.kernel.org/r/20191014164408.32596-1-valentin.schneider@arm.com Stable-dep-of: a1fd0b9d751f ("sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level") Signed-off-by: Sasha Levin (cherry picked from commit 046daa54c348ccec12ab38b92923060dd09ef00b) Signed-off-by: Vegard Nossum --- kernel/sched/topology.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index 152ffe0c2433..a47d6de1683f 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -987,16 +987,13 @@ static void set_domain_attribute(struct sched_domain *sd, if (!attr || attr->relax_domain_level < 0) { if (default_relax_domain_level < 0) return; - else - request = default_relax_domain_level; + request = default_relax_domain_level; } else request = attr->relax_domain_level; - if (request < sd->level) { + + if (sd->level > request) { /* Turn off idle balance on this domain: */ sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); - } else { - /* Turn on idle balance on this domain: */ - sd->flags |= (SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); } } From cd212b4b364b6efe32441d764cabaef2402c8eba Mon Sep 17 00:00:00 2001 From: Vitalii Bursov Date: Tue, 30 Apr 2024 18:05:23 +0300 Subject: [PATCH 069/182] sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level [ Upstream commit a1fd0b9d751f840df23ef0e75b691fc00cfd4743 ] Change relax_domain_level checks so that it would be possible to include or exclude all domains from newidle balancing. This matches the behavior described in the documentation: -1 no request. use system default or follow request of others. 0 no search. 1 search siblings (hyperthreads in a core). "2" enables levels 0 and 1, level_max excludes the last (level_max) level, and level_max+1 includes all levels. Fixes: 1d3504fcf560 ("sched, cpuset: customize sched domains, core") Signed-off-by: Vitalii Bursov Signed-off-by: Ingo Molnar Tested-by: Dietmar Eggemann Reviewed-by: Vincent Guittot Reviewed-by: Valentin Schneider Link: https://lore.kernel.org/r/bd6de28e80073c79466ec6401cdeae78f0d4423d.1714488502.git.vitaly@bursov.com Signed-off-by: Sasha Levin (cherry picked from commit 454de5ed81766fbbf4777c43392d8b0b35e7e16d) Signed-off-by: Vegard Nossum --- kernel/cgroup/cpuset.c | 2 +- kernel/sched/topology.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index 20c1ccc6a0bb..85b16b31269a 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -1273,7 +1273,7 @@ int current_cpuset_is_being_rebound(void) static int update_relax_domain_level(struct cpuset *cs, s64 val) { #ifdef CONFIG_SMP - if (val < -1 || val >= sched_domain_level_max) + if (val < -1 || val > sched_domain_level_max + 1) return -EINVAL; #endif diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index a47d6de1683f..86149060dc41 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -991,7 +991,7 @@ static void set_domain_attribute(struct sched_domain *sd, } else request = attr->relax_domain_level; - if (sd->level > request) { + if (sd->level >= request) { /* Turn off idle balance on this domain: */ sd->flags &= ~(SD_BALANCE_WAKE|SD_BALANCE_NEWIDLE); } From 8d680792eafdefb9e3e547a305a505da085932ff Mon Sep 17 00:00:00 2001 From: Rui Miguel Silva Date: Mon, 25 Mar 2024 22:09:55 +0000 Subject: [PATCH 070/182] greybus: lights: check return of get_channel_from_mode [ Upstream commit a1ba19a1ae7cd1e324685ded4ab563e78fe68648 ] If channel for the given node is not found we return null from get_channel_from_mode. Make sure we validate the return pointer before using it in two of the missing places. This was originally reported in [0]: Found by Linux Verification Center (linuxtesting.org) with SVACE. [0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru Fixes: 2870b52bae4c ("greybus: lights: add lights implementation") Reported-by: Mikhail Lobanov Suggested-by: Mikhail Lobanov Suggested-by: Alex Elder Signed-off-by: Rui Miguel Silva Link: https://lore.kernel.org/r/20240325221549.2185265-1-rmfrfs@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b) Signed-off-by: Vegard Nossum --- drivers/staging/greybus/light.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c index 031a91614552..9744c13baa49 100644 --- a/drivers/staging/greybus/light.c +++ b/drivers/staging/greybus/light.c @@ -150,6 +150,9 @@ static int __gb_lights_flash_brightness_set(struct gb_channel *channel) channel = get_channel_from_mode(channel->light, GB_CHANNEL_MODE_TORCH); + if (!channel) + return -EINVAL; + /* For not flash we need to convert brightness to intensity */ intensity = channel->intensity_uA.min + (channel->intensity_uA.step * channel->led->brightness); @@ -553,7 +556,10 @@ static int gb_lights_light_v4l2_register(struct gb_light *light) } channel_flash = get_channel_from_mode(light, GB_CHANNEL_MODE_FLASH); - WARN_ON(!channel_flash); + if (!channel_flash) { + dev_err(dev, "failed to get flash channel from mode\n"); + return -EINVAL; + } fled = &channel_flash->fled; From 0d0f766835c349005332fd8e7b296660a7d6a65a Mon Sep 17 00:00:00 2001 From: Chen Ni Date: Wed, 3 Apr 2024 02:49:32 +0000 Subject: [PATCH 071/182] dmaengine: idma64: Add check for dma_set_max_seg_size [ Upstream commit 2b1c1cf08a0addb6df42f16b37133dc7a351de29 ] As the possible failure of the dma_set_max_seg_size(), it should be better to check the return value of the dma_set_max_seg_size(). Fixes: e3fdb1894cfa ("dmaengine: idma64: set maximum allowed segment size for DMA") Signed-off-by: Chen Ni Acked-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240403024932.3342606-1-nichen@iscas.ac.cn Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin (cherry picked from commit 12c70cc851b263b8cc9479a23488992eeb4c35e6) Signed-off-by: Vegard Nossum --- drivers/dma/idma64.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/dma/idma64.c b/drivers/dma/idma64.c index 0e0737ce54c8..bd32286a9db3 100644 --- a/drivers/dma/idma64.c +++ b/drivers/dma/idma64.c @@ -595,7 +595,9 @@ static int idma64_probe(struct idma64_chip *chip) idma64->dma.dev = chip->sysdev; - dma_set_max_seg_size(idma64->dma.dev, IDMA64C_CTLH_BLOCK_TS_MASK); + ret = dma_set_max_seg_size(idma64->dma.dev, IDMA64C_CTLH_BLOCK_TS_MASK); + if (ret) + return ret; ret = dma_async_device_register(&idma64->dma); if (ret) From e9c8e448b86118386e2aed7e3bb0e02fdbb68d14 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Mon, 8 Apr 2024 09:34:24 +0200 Subject: [PATCH 072/182] firmware: dmi-id: add a release callback function [ Upstream commit cf770af5645a41a753c55a053fa1237105b0964a ] dmi_class uses kfree() as the .release function, but that now causes a warning with clang-16 as it violates control flow integrity (KCFI) rules: drivers/firmware/dmi-id.c:174:17: error: cast from 'void (*)(const void *)' to 'void (*)(struct device *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 174 | .dev_release = (void(*)(struct device *)) kfree, Add an explicit function to call kfree() instead. Fixes: 4f5c791a850e ("DMI-based module autoloading") Link: https://lore.kernel.org/lkml/20240213100238.456912-1-arnd@kernel.org/ Signed-off-by: Arnd Bergmann Signed-off-by: Jean Delvare Signed-off-by: Sasha Levin (cherry picked from commit 20595142ca22ac2c8357564d9e7d52a0ffa471af) Signed-off-by: Vegard Nossum --- drivers/firmware/dmi-id.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c index 951b6c79f166..13563a97b1f6 100644 --- a/drivers/firmware/dmi-id.c +++ b/drivers/firmware/dmi-id.c @@ -160,9 +160,14 @@ static int dmi_dev_uevent(struct device *dev, struct kobj_uevent_env *env) return 0; } +static void dmi_dev_release(struct device *dev) +{ + kfree(dev); +} + static struct class dmi_class = { .name = "dmi", - .dev_release = (void(*)(struct device *)) kfree, + .dev_release = dmi_dev_release, .dev_uevent = dmi_dev_uevent, }; From bcbacbcfd59ba38747a001592ffb3aae1118e5de Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Tue, 2 Apr 2024 22:50:28 +0300 Subject: [PATCH 073/182] serial: max3100: Lock port->lock when calling uart_handle_cts_change() [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 44b38924135d2093e2ec1812969464845dd66dc9) Signed-off-by: Vegard Nossum --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index ace82645b123..18be55b26dbd 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -218,7 +218,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int ch, flg, status = 0; int ret = 0, cts; @@ -258,6 +258,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); From c6cf8b544d9ca71186322b2ede24e7ded577381a Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Tue, 2 Apr 2024 22:50:29 +0300 Subject: [PATCH 074/182] serial: max3100: Update uart_driver_registered on driver removal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 712a1fcb38dc7cac6da63ee79a88708fbf9c45ec ] The removal of the last MAX3100 device triggers the removal of the driver. However, code doesn't update the respective global variable and after insmod — rmmod — insmod cycle the kernel oopses: max3100 spi-PRP0001:01: max3100_probe: adding port 0 BUG: kernel NULL pointer dereference, address: 0000000000000408 ... RIP: 0010:serial_core_register_port+0xa0/0x840 ... max3100_probe+0x1b6/0x280 [max3100] spi_probe+0x8d/0xb0 Update the actual state so next time UART driver will be registered again. Hugo also noticed, that the error path in the probe also affected by having the variable set, and not cleared. Instead of clearing it move the assignment after the successfull uart_register_driver() call. Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko Reviewed-by: Hugo Villeneuve Link: https://lore.kernel.org/r/20240402195306.269276-3-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b) Signed-off-by: Vegard Nossum --- drivers/tty/serial/max3100.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 18be55b26dbd..8a877270e26a 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -761,13 +761,14 @@ static int max3100_probe(struct spi_device *spi) mutex_lock(&max3100s_lock); if (!uart_driver_registered) { - uart_driver_registered = 1; retval = uart_register_driver(&max3100_uart_driver); if (retval) { printk(KERN_ERR "Couldn't register max3100 uart driver\n"); mutex_unlock(&max3100s_lock); return retval; } + + uart_driver_registered = 1; } for (i = 0; i < MAX_MAX3100; i++) @@ -855,6 +856,7 @@ static int max3100_remove(struct spi_device *spi) } pr_debug("removing max3100 driver\n"); uart_unregister_driver(&max3100_uart_driver); + uart_driver_registered = 0; mutex_unlock(&max3100s_lock); return 0; From 647c442cedd75f319c8ce8dc039c2d7baec68317 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Tue, 2 Apr 2024 22:50:30 +0300 Subject: [PATCH 075/182] serial: max3100: Fix bitwise types [ Upstream commit e60955dbecb97f080848a57524827e2db29c70fd ] Sparse is not happy about misuse of bitwise types: .../max3100.c:194:13: warning: incorrect type in assignment (different base types) .../max3100.c:194:13: expected unsigned short [addressable] [usertype] etx .../max3100.c:194:13: got restricted __be16 [usertype] .../max3100.c:202:15: warning: cast to restricted __be16 Fix this by choosing proper types for the respective variables. Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240402195306.269276-4-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 2ae8d5726526c05452aff0444b0f305fdf89a32d) Signed-off-by: Vegard Nossum --- drivers/tty/serial/max3100.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 8a877270e26a..3584101e3f8a 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -50,6 +50,9 @@ #include #include #include +#include + +#include #include @@ -196,7 +199,7 @@ static void max3100_timeout(unsigned long data) static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) { struct spi_message message; - u16 etx, erx; + __be16 etx, erx; int status; struct spi_transfer tran = { .tx_buf = &etx, From 89f965ae0a3f751235963e2597c63fd9ce035113 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 3 Apr 2024 10:06:35 +0200 Subject: [PATCH 076/182] greybus: arche-ctrl: move device table to its right location [ Upstream commit 6a0b8c0da8d8d418cde6894a104cf74e6098ddfa ] The arche-ctrl has two platform drivers and three of_device_id tables, but one table is only used for the the module loader, while the other two seem to be associated with their drivers. This leads to a W=1 warning when the driver is built-in: drivers/staging/greybus/arche-platform.c:623:34: error: 'arche_combined_id' defined but not used [-Werror=unused-const-variable=] 623 | static const struct of_device_id arche_combined_id[] = { Drop the extra table and register both tables that are actually used as the ones for the module loader instead. Fixes: 7b62b61c752a ("greybus: arche-ctrl: Don't expose driver internals to arche-platform driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240403080702.3509288-18-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 22e65ed6799f2bfd059d633890d6c7ebe46abc9b) Signed-off-by: Vegard Nossum --- drivers/staging/greybus/arche-apb-ctrl.c | 1 + drivers/staging/greybus/arche-platform.c | 9 +-------- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/drivers/staging/greybus/arche-apb-ctrl.c b/drivers/staging/greybus/arche-apb-ctrl.c index 0412f3d06efb..fc723ebfeaea 100644 --- a/drivers/staging/greybus/arche-apb-ctrl.c +++ b/drivers/staging/greybus/arche-apb-ctrl.c @@ -499,6 +499,7 @@ static const struct of_device_id arche_apb_ctrl_of_match[] = { { .compatible = "usbffff,2", }, { }, }; +MODULE_DEVICE_TABLE(of, arche_apb_ctrl_of_match); static struct platform_driver arche_apb_ctrl_device_driver = { .probe = arche_apb_ctrl_probe, diff --git a/drivers/staging/greybus/arche-platform.c b/drivers/staging/greybus/arche-platform.c index 21ac92d0f533..e7351e187606 100644 --- a/drivers/staging/greybus/arche-platform.c +++ b/drivers/staging/greybus/arche-platform.c @@ -663,14 +663,7 @@ static const struct of_device_id arche_platform_of_match[] = { { .compatible = "google,arche-platform", }, { }, }; - -static const struct of_device_id arche_combined_id[] = { - /* Use PID/VID of SVC device */ - { .compatible = "google,arche-platform", }, - { .compatible = "usbffff,2", }, - { }, -}; -MODULE_DEVICE_TABLE(of, arche_combined_id); +MODULE_DEVICE_TABLE(of, arche_platform_of_match); static struct platform_driver arche_platform_device_driver = { .probe = arche_platform_probe, From 0328af15e33a89109f97c8abcce2119896607fb4 Mon Sep 17 00:00:00 2001 From: Chris Wulff Date: Thu, 25 Apr 2024 15:20:20 +0000 Subject: [PATCH 077/182] usb: gadget: u_audio: Clear uac pointer when freed. [ Upstream commit a2cf936ebef291ef7395172b9e2f624779fb6dc0 ] This prevents use of a stale pointer if functions are called after g_cleanup that shouldn't be. This doesn't fix any races, but converts a possibly silent kernel memory corruption into an obvious NULL pointer dereference report. Fixes: eb9fecb9e69b ("usb: gadget: f_uac2: split out audio core") Signed-off-by: Chris Wulff Link: https://lore.kernel.org/stable/CO1PR17MB54194226DA08BFC9EBD8C163E1172%40CO1PR17MB5419.namprd17.prod.outlook.com Link: https://lore.kernel.org/r/CO1PR17MB54194226DA08BFC9EBD8C163E1172@CO1PR17MB5419.namprd17.prod.outlook.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit a646645af00f65db78fe4a60f753f2b07df35b6e) Signed-off-by: Vegard Nossum --- drivers/usb/gadget/function/u_audio.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c index 48661e9a7404..d768065c85c3 100644 --- a/drivers/usb/gadget/function/u_audio.c +++ b/drivers/usb/gadget/function/u_audio.c @@ -633,6 +633,8 @@ void g_audio_cleanup(struct g_audio *g_audio) return; uac = g_audio->uac; + g_audio->uac = NULL; + card = uac->card; if (card) snd_card_free_when_closed(card); From 5bbc7d325cef8fbd593fd8e71f12343c47028be1 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 29 Apr 2024 16:01:05 +0300 Subject: [PATCH 078/182] stm class: Fix a double free in stm_register_device() [ Upstream commit 3df463865ba42b8f88a590326f4c9ea17a1ce459 ] The put_device(&stm->dev) call will trigger stm_device_release() which frees "stm" so the vfree(stm) on the next line is a double free. Fixes: 389b6699a2aa ("stm class: Fix stm device initialization order") Signed-off-by: Dan Carpenter Reviewed-by: Amelie Delaunay Reviewed-by: Andy Shevchenko Signed-off-by: Alexander Shishkin Link: https://lore.kernel.org/r/20240429130119.1518073-2-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 6cc30ef8eb6d8f8d6df43152264bbf8835d99931) Signed-off-by: Vegard Nossum --- drivers/hwtracing/stm/core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c index c592cef4e82c..a5b8e3f9a26e 100644 --- a/drivers/hwtracing/stm/core.c +++ b/drivers/hwtracing/stm/core.c @@ -710,8 +710,11 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, return -ENOMEM; stm->major = register_chrdev(0, stm_data->name, &stm_fops); - if (stm->major < 0) - goto err_free; + if (stm->major < 0) { + err = stm->major; + vfree(stm); + return err; + } device_initialize(&stm->dev); stm->dev.devt = MKDEV(stm->major, 0); @@ -755,10 +758,8 @@ int stm_register_device(struct device *parent, struct stm_data *stm_data, err_device: unregister_chrdev(stm->major, stm_data->name); - /* matches device_initialize() above */ + /* calls stm_device_release() */ put_device(&stm->dev); -err_free: - vfree(stm); return err; } From 4b405ede3c118293dde04b2c6d5822ff071ffc74 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Wed, 10 Jul 2024 11:23:30 +0530 Subject: [PATCH 079/182] arm64: configs: Bump devfreq input boost duration * Set devfreq input boost duration milliseconds to 100 for better real-time response also improves performance. Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- arch/arm64/configs/vendor/sdmsteppe-perf_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig index 1eaf50aa72f4..a1a4f14a9bed 100644 --- a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig @@ -4467,7 +4467,7 @@ CONFIG_QCOM_DEVFREQ_DEVBW=y # CONFIG_DEVFREQ_SPDM is not set CONFIG_DEVFREQ_GOV_CDSPL3=y CONFIG_DEVFREQ_BOOST=y -CONFIG_DEVFREQ_INPUT_BOOST_DURATION_MS=58 +CONFIG_DEVFREQ_INPUT_BOOST_DURATION_MS=100 CONFIG_DEVFREQ_WAKE_BOOST_DURATION_MS=1000 CONFIG_DEVFREQ_CPU_CPU_LLCC_BW_BOOST_FREQ=9155 # CONFIG_PM_DEVFREQ_EVENT is not set From b0fbf2f90bba48bc5a6aaa00144bd7cca5a2daba Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Sat, 13 Jul 2024 16:38:30 +0530 Subject: [PATCH 080/182] Revert "kernel: power: process: decrease task freezing timeout" This reverts commit 5f25219627e91092786ba6ae0c34db0d51bc90bf. --- kernel/power/process.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kernel/power/process.c b/kernel/power/process.c index 25bbfc8d397b..39dbcd767476 100644 --- a/kernel/power/process.c +++ b/kernel/power/process.c @@ -28,8 +28,7 @@ * Timeout for stopping processes * Put a lower value coz we need to freeze stuffs more */ -unsigned int __read_mostly freeze_timeout_msecs = - IS_ENABLED(CONFIG_ANDROID) ? MSEC_PER_SEC : 2 * MSEC_PER_SEC; +unsigned int __read_mostly freeze_timeout_msecs = 2 * MSEC_PER_SEC; static int try_to_freeze_tasks(bool user_only) { From 7c44b26f35f8f31a796fa8e1f9a66483eb411ade Mon Sep 17 00:00:00 2001 From: Sultan Alsawaf Date: Tue, 3 May 2022 23:21:44 -0700 Subject: [PATCH 081/182] PM / freezer: Reduce freeze timeout to 1 second for Android Freezing processes on Android usually takes less than 100 ms, and if it takes longer than that to the point where the 20 second freeze timeout is reached, it's because the remaining processes to be frozen are deadlocked waiting for something from a process which is already frozen. There's no point in burning power trying to freeze for that long, so reduce the freeze timeout to a very generous 1 second for Android and don't let anything mess with it. Signed-off-by: Sultan Alsawaf --- kernel/power/main.c | 3 +++ kernel/power/process.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/power/main.c b/kernel/power/main.c index 2dd7daa1ca5b..0890d27f86f0 100644 --- a/kernel/power/main.c +++ b/kernel/power/main.c @@ -801,6 +801,9 @@ static ssize_t pm_freeze_timeout_store(struct kobject *kobj, { unsigned long val; + if (IS_ENABLED(CONFIG_ANDROID)) + return n; + if (kstrtoul(buf, 10, &val)) return -EINVAL; diff --git a/kernel/power/process.c b/kernel/power/process.c index 39dbcd767476..d86ff9d4e5a2 100644 --- a/kernel/power/process.c +++ b/kernel/power/process.c @@ -28,7 +28,8 @@ * Timeout for stopping processes * Put a lower value coz we need to freeze stuffs more */ -unsigned int __read_mostly freeze_timeout_msecs = 2 * MSEC_PER_SEC; +unsigned int __read_mostly freeze_timeout_msecs = + IS_ENABLED(CONFIG_ANDROID) ? MSEC_PER_SEC : 2 * MSEC_PER_SEC; static int try_to_freeze_tasks(bool user_only) { From 84b806353f52bf136dc3406760e313ca546b7c9b Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Sat, 13 Jul 2024 16:43:24 +0530 Subject: [PATCH 082/182] kernel: power: process: Increase task freezing timeout Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- kernel/power/process.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/process.c b/kernel/power/process.c index d86ff9d4e5a2..5a47e0071af7 100644 --- a/kernel/power/process.c +++ b/kernel/power/process.c @@ -29,7 +29,7 @@ * Put a lower value coz we need to freeze stuffs more */ unsigned int __read_mostly freeze_timeout_msecs = - IS_ENABLED(CONFIG_ANDROID) ? MSEC_PER_SEC : 2 * MSEC_PER_SEC; + IS_ENABLED(CONFIG_ANDROID) ? MSEC_PER_SEC : 5 * MSEC_PER_SEC; static int try_to_freeze_tasks(bool user_only) { From 23310edb37620b4054e550663940bb69fde326f4 Mon Sep 17 00:00:00 2001 From: freak07 Date: Tue, 14 Jan 2020 11:24:43 +0100 Subject: [PATCH 083/182] kernel: use power efficient workingqueues (cherry picked from commit 28e2f86a8aff5ffb74b85f4e373609acd0c85931) (cherry picked from commit 5312bcd3348868f63d88b5d35ff737bda0f47947) Signed-off-by: CloudedQuartz Signed-off-by: Cyber Knight Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- kernel/jump_label.c | 2 +- kernel/power/qos.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/jump_label.c b/kernel/jump_label.c index 2a92e19241f2..b3a4e813b99b 100644 --- a/kernel/jump_label.c +++ b/kernel/jump_label.c @@ -273,7 +273,7 @@ void __static_key_slow_dec_deferred(struct static_key *key, if (static_key_slow_try_dec(key)) return; - schedule_delayed_work(work, timeout); + queue_delayed_work(system_power_efficient_wq, work, timeout); } EXPORT_SYMBOL_GPL(__static_key_slow_dec_deferred); diff --git a/kernel/power/qos.c b/kernel/power/qos.c index 954e4726268d..a6f0d4269bdd 100644 --- a/kernel/power/qos.c +++ b/kernel/power/qos.c @@ -706,7 +706,7 @@ void pm_qos_update_request_timeout(struct pm_qos_request *req, s32 new_value, pm_qos_array[req->pm_qos_class]->constraints, &req->node, PM_QOS_UPDATE_REQ, new_value); - schedule_delayed_work(&req->work, usecs_to_jiffies(timeout_us)); + queue_delayed_work(system_power_efficient_wq, &req->work, usecs_to_jiffies(timeout_us)); } /** From edaf0dbb9c7e0bcd61670926756e2af96bdd97a1 Mon Sep 17 00:00:00 2001 From: Sultan Alsawaf Date: Mon, 11 Jan 2021 23:24:02 -0800 Subject: [PATCH 084/182] PM: sleep: Don't allow s2idle to be used Unfortunately, s2idle is only somewhat functional. Although commit 70441d36af58 ("cpuidle: lpm_levels: add soft watchdog for s2idle") makes s2idle usable, there are still CPU stalls caused by s2idle's buggy behavior, and the aforementioned hack doesn't address them. Therefore, let's stop userspace from enabling s2idle and instead enforce the default deep sleep mode. Signed-off-by: Sultan Alsawaf Signed-off-by: Cyber Knight --- kernel/power/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/power/main.c b/kernel/power/main.c index 0890d27f86f0..99d60a77d7a1 100644 --- a/kernel/power/main.c +++ b/kernel/power/main.c @@ -127,6 +127,8 @@ static ssize_t mem_sleep_store(struct kobject *kobj, struct kobj_attribute *attr suspend_state_t state; int error; + /* Don't allow userspace to select s2idle */ + return n; error = pm_autosleep_lock(); if (error) return error; From 97be6d52816ebef58d95f0a253ecf0fa0ca35806 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Mon, 15 Jul 2024 17:36:32 +0530 Subject: [PATCH 085/182] PM / suspend: Set mem sleep current to deep suspend instead of s2idle * Actually we don't use s2idle because of its buggy behavior. Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- kernel/power/suspend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/suspend.c b/kernel/power/suspend.c index f4b59a40c198..5e2ca3c442c1 100644 --- a/kernel/power/suspend.c +++ b/kernel/power/suspend.c @@ -54,7 +54,7 @@ static const char * const mem_sleep_labels[] = { }; const char *mem_sleep_states[PM_SUSPEND_MAX]; -suspend_state_t mem_sleep_current = PM_SUSPEND_TO_IDLE; +suspend_state_t mem_sleep_current = PM_SUSPEND_MEM; suspend_state_t mem_sleep_default = PM_SUSPEND_MAX; suspend_state_t pm_suspend_target_state; EXPORT_SYMBOL_GPL(pm_suspend_target_state); From 44a8fe644dc2c2d129443d5ea20168c61c0c085d Mon Sep 17 00:00:00 2001 From: Sultan Alsawaf Date: Fri, 3 May 2019 00:34:19 -0700 Subject: [PATCH 086/182] qos: Don't allow userspace to impose restrictions on CPU idle levels Giving userspace intimate control over CPU latency requirements is nonsense. Userspace can't even stop itself from being preempted, so there's no reason for it to have access to a mechanism primarily used to eliminate CPU delays on the order of microseconds. Remove userspace's ability to send pm_qos requests so that it can't hurt power consumption. Signed-off-by: Sultan Alsawaf Signed-off-by: Cyber Knight --- kernel/power/qos.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/power/qos.c b/kernel/power/qos.c index a6f0d4269bdd..f4d1744932a2 100644 --- a/kernel/power/qos.c +++ b/kernel/power/qos.c @@ -870,6 +870,9 @@ static ssize_t pm_qos_power_write(struct file *filp, const char __user *buf, s32 value; struct pm_qos_request *req; + /* Don't let userspace impose restrictions on CPU idle levels */ + return count; + if (count == sizeof(s32)) { if (copy_from_user(&value, buf, sizeof(s32))) return -EFAULT; From 16e15c7fd21ec24f98668e5a7bf28ef5c1a0fcaa Mon Sep 17 00:00:00 2001 From: Huai-Yuan Liu Date: Fri, 12 Apr 2024 16:38:40 +0800 Subject: [PATCH 087/182] ppdev: Add an error check in register_device [ Upstream commit fbf740aeb86a4fe82ad158d26d711f2f3be79b3e ] In register_device, the return value of ida_simple_get is unchecked, in witch ida_simple_get will use an invalid index value. To address this issue, index should be checked after ida_simple_get. When the index value is abnormal, a warning message should be printed, the port should be dropped, and the value should be recorded. Fixes: 9a69645dde11 ("ppdev: fix registering same device name") Signed-off-by: Huai-Yuan Liu Link: https://lore.kernel.org/r/20240412083840.234085-1-qq810974084@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin [Harshit: fix minor conflicts due to missing ida_alloc/free conversion] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- drivers/char/ppdev.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/char/ppdev.c b/drivers/char/ppdev.c index 0023bde4d4ff..a673c727a97d 100644 --- a/drivers/char/ppdev.c +++ b/drivers/char/ppdev.c @@ -300,28 +300,35 @@ static int register_device(int minor, struct pp_struct *pp) if (!port) { pr_warn("%s: no associated port!\n", name); rc = -ENXIO; - goto err; + goto err_free_name; } index = ida_simple_get(&ida_index, 0, 0, GFP_KERNEL); + if (index < 0) { + pr_warn("%s: failed to get index!\n", name); + rc = index; + goto err_put_port; + } + memset(&ppdev_cb, 0, sizeof(ppdev_cb)); ppdev_cb.irq_func = pp_irq; ppdev_cb.flags = (pp->flags & PP_EXCL) ? PARPORT_FLAG_EXCL : 0; ppdev_cb.private = pp; pdev = parport_register_dev_model(port, name, &ppdev_cb, index); - parport_put_port(port); if (!pdev) { pr_warn("%s: failed to register device!\n", name); rc = -ENXIO; ida_simple_remove(&ida_index, index); - goto err; + goto err_put_port; } pp->pdev = pdev; pp->index = index; dev_dbg(&pdev->dev, "registered pardevice\n"); -err: +err_put_port: + parport_put_port(port); +err_free_name: kfree(name); return rc; } From d1e6203d776319b888b57b1176df438ee85e67f7 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Mon, 12 Feb 2024 22:00:28 -0800 Subject: [PATCH 088/182] extcon: max8997: select IRQ_DOMAIN instead of depending on it [ Upstream commit b1781d0a1458070d40134e4f3412ec9d70099bec ] IRQ_DOMAIN is a hidden (not user visible) symbol. Users cannot set it directly thru "make *config", so drivers should select it instead of depending on it if they need it. Relying on it being set for a dependency is risky. Consistently using "select" or "depends on" can also help reduce Kconfig circular dependency issues. Therefore, change EXTCON_MAX8997's use of "depends on" for IRQ_DOMAIN to "select". Link: https://lore.kernel.org/lkml/20240213060028.9744-1-rdunlap@infradead.org/ Fixes: dca1a71e4108 ("extcon: Add support irq domain for MAX8997 muic") Signed-off-by: Randy Dunlap Acked-by: Arnd Bergmann Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin (cherry picked from commit b463819e3725b60c550145df952080b5d0fe85a7) Signed-off-by: Vegard Nossum --- drivers/extcon/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/extcon/Kconfig b/drivers/extcon/Kconfig index a7bca4207f44..a0361073e33e 100644 --- a/drivers/extcon/Kconfig +++ b/drivers/extcon/Kconfig @@ -100,7 +100,8 @@ config EXTCON_MAX77843 config EXTCON_MAX8997 tristate "Maxim MAX8997 EXTCON Support" - depends on MFD_MAX8997 && IRQ_DOMAIN + depends on MFD_MAX8997 + select IRQ_DOMAIN help If you say yes here you get support for the MUIC device of Maxim MAX8997 PMIC. The MAX8997 MUIC is a USB port accessory From 46dc390d5714351d5b798312f8edf666e327a1ef Mon Sep 17 00:00:00 2001 From: Sahitya Tummala Date: Thu, 23 May 2019 09:49:17 +0530 Subject: [PATCH 089/182] f2fs: add error prints for debugging mount failure [ Upstream commit 9227d5227b8db354d386f592f159eaa44db1c0b8 ] Add error prints to get more details on the mount failure. Signed-off-by: Sahitya Tummala Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Stable-dep-of: 0fa4e57c1db2 ("f2fs: fix to release node block count in error path of f2fs_new_node_page()") Signed-off-by: Sasha Levin (cherry picked from commit 3506e1b893b5c2afa96922f36a01f018e4c4bbba) Signed-off-by: Vegard Nossum --- fs/f2fs/segment.c | 6 +++++- fs/f2fs/super.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 4307f8db6c8f..1568e3773073 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -2749,8 +2749,12 @@ static int restore_curseg_summaries(struct f2fs_sb_info *sbi) /* sanity check for summary blocks */ if (nats_in_cursum(nat_j) > NAT_JOURNAL_ENTRIES || - sits_in_cursum(sit_j) > SIT_JOURNAL_ENTRIES) + sits_in_cursum(sit_j) > SIT_JOURNAL_ENTRIES) { + f2fs_msg(sbi->sb, KERN_ERR, + "invalid journal entries nats %u sits %u\n", + nats_in_cursum(nat_j), sits_in_cursum(sit_j)); return -EINVAL; + } return 0; } diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index b2c747f53c0c..126734e1a885 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -2581,13 +2581,13 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) err = build_segment_manager(sbi); if (err) { f2fs_msg(sb, KERN_ERR, - "Failed to initialize F2FS segment manager"); + "Failed to initialize F2FS segment manager (%d)", err); goto free_sm; } err = build_node_manager(sbi); if (err) { f2fs_msg(sb, KERN_ERR, - "Failed to initialize F2FS node manager"); + "Failed to initialize F2FS node manager (%d)", err); goto free_nm; } From 3fa32fd0a2737a59698613854994f72051a6d4bb Mon Sep 17 00:00:00 2001 From: Ian Rogers Date: Wed, 8 May 2024 22:20:15 -0700 Subject: [PATCH 090/182] libsubcmd: Fix parse-options memory leak [ Upstream commit 230a7a71f92212e723fa435d4ca5922de33ec88a ] If a usage string is built in parse_options_subcommand, also free it. Fixes: 901421a5bdf605d2 ("perf tools: Remove subcmd dependencies on strbuf") Signed-off-by: Ian Rogers Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Josh Poimboeuf Cc: Kan Liang Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240509052015.1914670-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin (cherry picked from commit 3625187a973f16a3df59b803297816fe51d32400) Signed-off-by: Vegard Nossum --- tools/lib/subcmd/parse-options.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/lib/subcmd/parse-options.c b/tools/lib/subcmd/parse-options.c index f6a1babcbac4..264db22279e3 100644 --- a/tools/lib/subcmd/parse-options.c +++ b/tools/lib/subcmd/parse-options.c @@ -612,11 +612,10 @@ int parse_options_subcommand(int argc, const char **argv, const struct option *o const char *const subcommands[], const char *usagestr[], int flags) { struct parse_opt_ctx_t ctx; + char *buf = NULL; /* build usage string if it's not provided */ if (subcommands && !usagestr[0]) { - char *buf = NULL; - astrcatf(&buf, "%s %s [] {", subcmd_config.exec_name, argv[0]); for (int i = 0; subcommands[i]; i++) { @@ -658,7 +657,10 @@ int parse_options_subcommand(int argc, const char **argv, const struct option *o astrcatf(&error_buf, "unknown switch `%c'", *ctx.opt); usage_with_options(usagestr, options); } - + if (buf) { + usagestr[0] = NULL; + free(buf); + } return parse_options_end(&ctx); } From 41c0d9061a68f5979e3244c26854cef37d91382b Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 28 Mar 2024 13:28:56 -0700 Subject: [PATCH 091/182] Input: ims-pcu - fix printf string overflow [ Upstream commit bf32bceedd0453c70d9d022e2e29f98e446d7161 ] clang warns about a string overflow in this driver drivers/input/misc/ims-pcu.c:1802:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation] drivers/input/misc/ims-pcu.c:1814:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation] Make the buffer a little longer to ensure it always fits. Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240326223825.4084412-7-arnd@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin (cherry picked from commit 502f295dcccf0ee7c4bddcf1ff2876987aaf89ca) Signed-off-by: Vegard Nossum --- drivers/input/misc/ims-pcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c index ae473123583b..9629cfa71ddd 100644 --- a/drivers/input/misc/ims-pcu.c +++ b/drivers/input/misc/ims-pcu.c @@ -47,8 +47,8 @@ struct ims_pcu_backlight { #define IMS_PCU_PART_NUMBER_LEN 15 #define IMS_PCU_SERIAL_NUMBER_LEN 8 #define IMS_PCU_DOM_LEN 8 -#define IMS_PCU_FW_VERSION_LEN (9 + 1) -#define IMS_PCU_BL_VERSION_LEN (9 + 1) +#define IMS_PCU_FW_VERSION_LEN 16 +#define IMS_PCU_BL_VERSION_LEN 16 #define IMS_PCU_BL_RESET_REASON_LEN (2 + 1) #define IMS_PCU_PCU_B_DEVICE_ID 5 From 7dfc577218ae7aeeadc5bdffe5727d57337904ee Mon Sep 17 00:00:00 2001 From: Fenglin Wu Date: Mon, 15 Apr 2024 16:03:40 -0700 Subject: [PATCH 092/182] Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation [ Upstream commit 48c0687a322d54ac7e7a685c0b6db78d78f593af ] The output voltage is inclusive hence the max level calculation is off-by-one-step. Correct it. iWhile we are at it also add a define for the step size instead of using the magic value. Fixes: 11205bb63e5c ("Input: add support for pm8xxx based vibrator driver") Signed-off-by: Fenglin Wu Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240412-pm8xxx-vibrator-new-design-v10-1-0ec0ad133866@quicinc.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin (cherry picked from commit fd4bb5284d34687c82356f07efe957af89ee51fe) Signed-off-by: Vegard Nossum --- drivers/input/misc/pm8xxx-vibrator.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/input/misc/pm8xxx-vibrator.c b/drivers/input/misc/pm8xxx-vibrator.c index 27b3db154a33..97bf7d94e8c6 100644 --- a/drivers/input/misc/pm8xxx-vibrator.c +++ b/drivers/input/misc/pm8xxx-vibrator.c @@ -22,7 +22,8 @@ #define VIB_MAX_LEVEL_mV (3100) #define VIB_MIN_LEVEL_mV (1200) -#define VIB_MAX_LEVELS (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV) +#define VIB_PER_STEP_mV (100) +#define VIB_MAX_LEVELS (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV + VIB_PER_STEP_mV) #define MAX_FF_SPEED 0xff @@ -126,10 +127,10 @@ static void pm8xxx_work_handler(struct work_struct *work) vib->active = true; vib->level = ((VIB_MAX_LEVELS * vib->speed) / MAX_FF_SPEED) + VIB_MIN_LEVEL_mV; - vib->level /= 100; + vib->level /= VIB_PER_STEP_mV; } else { vib->active = false; - vib->level = VIB_MIN_LEVEL_mV / 100; + vib->level = VIB_MIN_LEVEL_mV / VIB_PER_STEP_mV; } pm8xxx_vib_set(vib, vib->active); From bb75c00bad0d04025b00991fe16db2fc0504ce58 Mon Sep 17 00:00:00 2001 From: Duoming Zhou Date: Wed, 6 Mar 2024 17:12:59 +0800 Subject: [PATCH 093/182] um: Fix return value in ubd_init() [ Upstream commit 31a5990ed253a66712d7ddc29c92d297a991fdf2 ] When kmalloc_array() fails to allocate memory, the ubd_init() should return -ENOMEM instead of -1. So, fix it. Fixes: f88f0bdfc32f ("um: UBD Improvements") Signed-off-by: Duoming Zhou Reviewed-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin (cherry picked from commit d2640251f94078e1dcf0a26b1815601f6dbd5440) Signed-off-by: Vegard Nossum --- arch/um/drivers/ubd_kern.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c index b55fe9bf5d3e..0a16ab92c252 100644 --- a/arch/um/drivers/ubd_kern.c +++ b/arch/um/drivers/ubd_kern.c @@ -1147,7 +1147,7 @@ static int __init ubd_init(void) if (irq_req_buffer == NULL) { printk(KERN_ERR "Failed to initialize ubd buffering\n"); - return -1; + return -ENOMEM; } io_req_buffer = kmalloc( sizeof(struct io_thread_req *) * UBD_REQ_BUFFER_SIZE, @@ -1158,7 +1158,7 @@ static int __init ubd_init(void) if (io_req_buffer == NULL) { printk(KERN_ERR "Failed to initialize ubd buffering\n"); - return -1; + return -ENOMEM; } platform_driver_register(&ubd_driver); mutex_lock(&ubd_lock); From 330646466ce0f4978524457d109ac80ece62c547 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Thu, 7 Mar 2024 11:49:26 +0100 Subject: [PATCH 094/182] um: Add winch to winch_handlers before registering winch IRQ [ Upstream commit a0fbbd36c156b9f7b2276871d499c9943dfe5101 ] Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails. Fixes: 42a359e31a0e ("uml: SIGIO support cleanup") Signed-off-by: Roberto Sassu Reviewed-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin (cherry picked from commit 66ea9a7c6824821476914bed21a476cd20094f33) Signed-off-by: Vegard Nossum --- arch/um/drivers/line.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c index 7e524efed584..71e26488dfde 100644 --- a/arch/um/drivers/line.c +++ b/arch/um/drivers/line.c @@ -683,24 +683,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, struct tty_port *port, goto cleanup; } - *winch = ((struct winch) { .list = LIST_HEAD_INIT(winch->list), - .fd = fd, + *winch = ((struct winch) { .fd = fd, .tty_fd = tty_fd, .pid = pid, .port = port, .stack = stack }); + spin_lock(&winch_handler_lock); + list_add(&winch->list, &winch_handlers); + spin_unlock(&winch_handler_lock); + if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt, IRQF_SHARED, "winch", winch) < 0) { printk(KERN_ERR "register_winch_irq - failed to register " "IRQ\n"); + spin_lock(&winch_handler_lock); + list_del(&winch->list); + spin_unlock(&winch_handler_lock); goto out_free; } - spin_lock(&winch_handler_lock); - list_add(&winch->list, &winch_handlers); - spin_unlock(&winch_handler_lock); - return; out_free: From b7d9420c157cdb207a95dfc4a40edd116dedf355 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 22 Apr 2024 12:32:44 +0300 Subject: [PATCH 095/182] media: stk1160: fix bounds checking in stk1160_copy_video() [ Upstream commit faa4364bef2ec0060de381ff028d1d836600a381 ] The subtract in this condition is reversed. The ->length is the length of the buffer. The ->bytesused is how many bytes we have copied thus far. When the condition is reversed that means the result of the subtraction is always negative but since it's unsigned then the result is a very high positive value. That means the overflow check is never true. Additionally, the ->bytesused doesn't actually work for this purpose because we're not writing to "buf->mem + buf->bytesused". Instead, the math to calculate the destination where we are writing is a bit involved. You calculate the number of full lines already written, multiply by two, skip a line if necessary so that we start on an odd numbered line, and add the offset into the line. To fix this buffer overflow, just take the actual destination where we are writing, if the offset is already out of bounds print an error and return. Otherwise, write up to buf->length bytes. Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)") Signed-off-by: Dan Carpenter Reviewed-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit f6a392266276730bea893b55d12940e32a25f56a) Signed-off-by: Vegard Nossum --- drivers/media/usb/stk1160/stk1160-video.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c index 8a6cdbc36a08..4f16e15ef965 100644 --- a/drivers/media/usb/stk1160/stk1160-video.c +++ b/drivers/media/usb/stk1160/stk1160-video.c @@ -109,7 +109,7 @@ void stk1160_buffer_done(struct stk1160 *dev) static inline void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) { - int linesdone, lineoff, lencopy; + int linesdone, lineoff, lencopy, offset; int bytesperline = dev->width * 2; struct stk1160_buffer *buf = dev->isoc_ctl.buf; u8 *dst = buf->mem; @@ -149,8 +149,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) * Check if we have enough space left in the buffer. * In that case, we force loop exit after copy. */ - if (lencopy > buf->bytesused - buf->length) { - lencopy = buf->bytesused - buf->length; + offset = dst - (u8 *)buf->mem; + if (offset > buf->length) { + dev_warn_ratelimited(dev->dev, "out of bounds offset\n"); + return; + } + if (lencopy > buf->length - offset) { + lencopy = buf->length - offset; remain = lencopy; } @@ -192,8 +197,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len) * Check if we have enough space left in the buffer. * In that case, we force loop exit after copy. */ - if (lencopy > buf->bytesused - buf->length) { - lencopy = buf->bytesused - buf->length; + offset = dst - (u8 *)buf->mem; + if (offset > buf->length) { + dev_warn_ratelimited(dev->dev, "offset out of bounds\n"); + return; + } + if (lencopy > buf->length - offset) { + lencopy = buf->length - offset; remain = lencopy; } From cd05d6e21092d824ec4d37f39f7583310d0442fa Mon Sep 17 00:00:00 2001 From: Shrikanth Hegde Date: Fri, 12 Apr 2024 14:50:47 +0530 Subject: [PATCH 096/182] powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp [ Upstream commit 6d4341638516bf97b9a34947e0bd95035a8230a5 ] Couple of Minor fixes: - hcall return values are long. Fix that for h_get_mpp, h_get_ppp and parse_ppp_data - If hcall fails, values set should be at-least zero. It shouldn't be uninitialized values. Fix that for h_get_mpp and h_get_ppp Signed-off-by: Shrikanth Hegde Signed-off-by: Michael Ellerman Link: https://msgid.link/20240412092047.455483-3-sshegde@linux.ibm.com Signed-off-by: Sasha Levin (cherry picked from commit f0f4cb4cc3f43324bab3b5541b27e79cbd15c8d1) Signed-off-by: Vegard Nossum --- arch/powerpc/include/asm/hvcall.h | 2 +- arch/powerpc/platforms/pseries/lpar.c | 6 +++--- arch/powerpc/platforms/pseries/lparcfg.c | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h index 15cef59092c7..63907b4ae28b 100644 --- a/arch/powerpc/include/asm/hvcall.h +++ b/arch/powerpc/include/asm/hvcall.h @@ -422,7 +422,7 @@ struct hvcall_mpp_data { unsigned long backing_mem; }; -int h_get_mpp(struct hvcall_mpp_data *); +long h_get_mpp(struct hvcall_mpp_data *mpp_data); struct hvcall_mpp_x_data { unsigned long coalesced_bytes; diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c index 215b14a373cb..ae75f53ad15e 100644 --- a/arch/powerpc/platforms/pseries/lpar.c +++ b/arch/powerpc/platforms/pseries/lpar.c @@ -937,10 +937,10 @@ void __trace_hcall_exit(long opcode, unsigned long retval, * h_get_mpp * H_GET_MPP hcall returns info in 7 parms */ -int h_get_mpp(struct hvcall_mpp_data *mpp_data) +long h_get_mpp(struct hvcall_mpp_data *mpp_data) { - int rc; - unsigned long retbuf[PLPAR_HCALL9_BUFSIZE]; + unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; + long rc; rc = plpar_hcall9(H_GET_MPP, retbuf); diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c index f40dabf7d163..9324be19a5e2 100644 --- a/arch/powerpc/platforms/pseries/lparcfg.c +++ b/arch/powerpc/platforms/pseries/lparcfg.c @@ -112,8 +112,8 @@ struct hvcall_ppp_data { */ static unsigned int h_get_ppp(struct hvcall_ppp_data *ppp_data) { - unsigned long rc; - unsigned long retbuf[PLPAR_HCALL9_BUFSIZE]; + unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; + long rc; rc = plpar_hcall9(H_GET_PPP, retbuf); @@ -159,7 +159,7 @@ static void parse_ppp_data(struct seq_file *m) struct hvcall_ppp_data ppp_data; struct device_node *root; const __be32 *perf_level; - int rc; + long rc; rc = h_get_ppp(&ppp_data); if (rc) From d6c506b111a38e5583e5bdd880cc0c04d7ef3948 Mon Sep 17 00:00:00 2001 From: Tiwei Bie Date: Tue, 23 Apr 2024 20:58:53 +0800 Subject: [PATCH 097/182] um: Fix the -Wmissing-prototypes warning for __switch_mm [ Upstream commit 2cbade17b18c0f0fd9963f26c9fc9b057eb1cb3a ] The __switch_mm function is defined in the user code, and is called by the kernel code. It should be declared in a shared header. Fixes: 4dc706c2f292 ("um: take um_mmu.h to asm/mmu.h, clean asm/mmu_context.h a bit") Signed-off-by: Tiwei Bie Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin (cherry picked from commit c08650c13bfc05794855480cc51075fdfcc388e0) Signed-off-by: Vegard Nossum --- arch/um/include/asm/mmu.h | 2 -- arch/um/include/shared/skas/mm_id.h | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/um/include/asm/mmu.h b/arch/um/include/asm/mmu.h index da705448590f..21fbe5454dbd 100644 --- a/arch/um/include/asm/mmu.h +++ b/arch/um/include/asm/mmu.h @@ -15,8 +15,6 @@ typedef struct mm_context { struct page *stub_pages[2]; } mm_context_t; -extern void __switch_mm(struct mm_id * mm_idp); - /* Avoid tangled inclusion with asm/ldt.h */ extern long init_new_ldt(struct mm_context *to_mm, struct mm_context *from_mm); extern void free_ldt(struct mm_context *mm); diff --git a/arch/um/include/shared/skas/mm_id.h b/arch/um/include/shared/skas/mm_id.h index 48dd0989ddaa..169482ec95f9 100644 --- a/arch/um/include/shared/skas/mm_id.h +++ b/arch/um/include/shared/skas/mm_id.h @@ -14,4 +14,6 @@ struct mm_id { unsigned long stack; }; +void __switch_mm(struct mm_id *mm_idp); + #endif From 75fd6535ba80c0726e31004af666d80a0b9c3df8 Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Fri, 23 Feb 2024 12:25:55 +0000 Subject: [PATCH 098/182] media: cec: cec-api: add locking in cec_release() [ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ] When cec_release() uses fh->msgs it has to take fh->lock, otherwise the list can get corrupted. Signed-off-by: Hans Verkuil Reported-by: Yang, Chenyuan Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/ Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)") Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin (cherry picked from commit d2cfbc5298add5e0c6cfe8b343f73dfdf01c8b1c) Signed-off-by: Vegard Nossum --- drivers/media/cec/cec-api.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c index 66ef06f4670c..65297cd32dd1 100644 --- a/drivers/media/cec/cec-api.c +++ b/drivers/media/cec/cec-api.c @@ -645,6 +645,8 @@ static int cec_release(struct inode *inode, struct file *filp) list_del(&data->xfer_list); } mutex_unlock(&adap->lock); + + mutex_lock(&fh->lock); while (!list_empty(&fh->msgs)) { struct cec_msg_entry *entry = list_first_entry(&fh->msgs, struct cec_msg_entry, list); @@ -662,6 +664,7 @@ static int cec_release(struct inode *inode, struct file *filp) kfree(entry); } } + mutex_unlock(&fh->lock); kfree(fh); cec_put_device(devnode); From 9da7f2b727fd54add9890e238847acf82d6807a1 Mon Sep 17 00:00:00 2001 From: Zhu Yanjun Date: Mon, 6 May 2024 09:55:38 +0200 Subject: [PATCH 099/182] null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() [ Upstream commit 9e6727f824edcdb8fdd3e6e8a0862eb49546e1cd ] No functional changes intended. Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver") Signed-off-by: Zhu Yanjun Reviewed-by: Chaitanya Kulkarni Link: https://lore.kernel.org/r/20240506075538.6064-1-yanjun.zhu@linux.dev Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin (cherry picked from commit 7471d0be031ab830a0fa154437601cff98f7068b) Signed-off-by: Vegard Nossum --- drivers/block/null_blk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c index fb748669d8c5..a0ff9ecaf771 100644 --- a/drivers/block/null_blk.c +++ b/drivers/block/null_blk.c @@ -2061,4 +2061,5 @@ module_init(null_init); module_exit(null_exit); MODULE_AUTHOR("Jens Axboe "); +MODULE_DESCRIPTION("multi queue aware block test driver"); MODULE_LICENSE("GPL"); From 4e00769cc5020fde90269bdd1e5c24302b0ba6ce Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Sun, 4 Feb 2024 21:20:03 +0900 Subject: [PATCH 100/182] x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y [ Upstream commit 66ee3636eddcc82ab82b539d08b85fb5ac1dff9b ] It took me some time to understand the purpose of the tricky code at the end of arch/x86/Kconfig.debug. Without it, the following would be shown: WARNING: unmet direct dependencies detected for FRAME_POINTER because 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection") removed 'select ARCH_WANT_FRAME_POINTERS'. The correct and more straightforward approach should have been to move it where 'select FRAME_POINTER' is located. Several architectures properly handle the conditional selection of ARCH_WANT_FRAME_POINTERS. For example, 'config UNWINDER_FRAME_POINTER' in arch/arm/Kconfig.debug. Fixes: 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection") Signed-off-by: Masahiro Yamada Signed-off-by: Borislav Petkov (AMD) Acked-by: Josh Poimboeuf Link: https://lore.kernel.org/r/20240204122003.53795-1-masahiroy@kernel.org Signed-off-by: Sasha Levin (cherry picked from commit 28a7a1f9571068bb2ddc8a11f0afe5dfa9863462) [Vegard: fix trivial conflict in context due to missing commit 06ec64b84c357693e9a5540de8eedfc775dbae12 ("Kconfig: consolidate the "Kernel hacking" menu").] Signed-off-by: Vegard Nossum --- arch/x86/Kconfig.debug | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug index bec0952c5595..46906a01f815 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -384,6 +384,7 @@ config UNWINDER_ORC config UNWINDER_FRAME_POINTER bool "Frame pointer unwinder" + select ARCH_WANT_FRAME_POINTERS select FRAME_POINTER ---help--- This option enables the frame pointer unwinder for unwinding kernel @@ -411,8 +412,4 @@ config UNWINDER_GUESS endchoice -config FRAME_POINTER - depends on !UNWINDER_ORC && !UNWINDER_GUESS - bool - endmenu From 3327ed68607e86e489af26305145830bf3f299a6 Mon Sep 17 00:00:00 2001 From: Ryosuke Yasuoka Date: Sun, 19 May 2024 18:43:03 +0900 Subject: [PATCH 101/182] nfc: nci: Fix uninit-value in nci_rx_work [ Upstream commit e4a87abf588536d1cdfb128595e6e680af5cf3ed ] syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should be validated header size, payload size and total packet size before processing the packet. If an invalid packet is detected, it should be silently discarded. Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1] Signed-off-by: Ryosuke Yasuoka Reviewed-by: Krzysztof Kozlowski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 406cfac9debd4a6d3dc5d9258ee086372a8c08b6) Signed-off-by: Vegard Nossum --- net/nfc/nci/core.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index bed8bbcb632c..db7f6ada4ff7 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1463,6 +1463,19 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode, ndev->ops->n_core_ops); } +static bool nci_valid_size(struct sk_buff *skb) +{ + unsigned int hdr_size = NCI_CTRL_HDR_SIZE; + BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE); + + if (skb->len < hdr_size || + !nci_plen(skb->data) || + skb->len < hdr_size + nci_plen(skb->data)) { + return false; + } + return true; +} + /* ---- NCI TX Data worker thread ---- */ static void nci_tx_work(struct work_struct *work) @@ -1513,7 +1526,7 @@ static void nci_rx_work(struct work_struct *work) nfc_send_to_raw_sock(ndev->nfc_dev, skb, RAW_PAYLOAD_NCI, NFC_DIRECTION_RX); - if (!nci_plen(skb->data)) { + if (!nci_valid_size(skb)) { kfree_skb(skb); break; } From 2d5acfc9e45f4597b931857dd92d2f29d2382ad7 Mon Sep 17 00:00:00 2001 From: Hangbin Liu Date: Fri, 17 May 2024 08:54:35 +0800 Subject: [PATCH 102/182] ipv6: sr: fix memleak in seg6_hmac_init_algo [ Upstream commit efb9f4f19f8e37fde43dfecebc80292d179f56c6 ] seg6_hmac_init_algo returns without cleaning up the previous allocations if one fails, so it's going to leak all that memory and the crypto tfms. Update seg6_hmac_exit to only free the memory when allocated, so we can reuse the code directly. Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") Reported-by: Sabrina Dubroca Closes: https://lore.kernel.org/netdev/Zj3bh-gE7eT6V6aH@hog/ Signed-off-by: Hangbin Liu Reviewed-by: Simon Horman Reviewed-by: Sabrina Dubroca Link: https://lore.kernel.org/r/20240517005435.2600277-1-liuhangbin@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit afd5730969aec960a2fee4e5ee839a6014643976) Signed-off-by: Vegard Nossum --- net/ipv6/seg6_hmac.c | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c index 73ef23dae184..1e609e94c967 100644 --- a/net/ipv6/seg6_hmac.c +++ b/net/ipv6/seg6_hmac.c @@ -360,6 +360,7 @@ static int seg6_hmac_init_algo(void) struct crypto_shash *tfm; struct shash_desc *shash; int i, alg_count, cpu; + int ret = -ENOMEM; alg_count = ARRAY_SIZE(hmac_algos); @@ -370,12 +371,14 @@ static int seg6_hmac_init_algo(void) algo = &hmac_algos[i]; algo->tfms = alloc_percpu(struct crypto_shash *); if (!algo->tfms) - return -ENOMEM; + goto error_out; for_each_possible_cpu(cpu) { tfm = crypto_alloc_shash(algo->name, 0, 0); - if (IS_ERR(tfm)) - return PTR_ERR(tfm); + if (IS_ERR(tfm)) { + ret = PTR_ERR(tfm); + goto error_out; + } p_tfm = per_cpu_ptr(algo->tfms, cpu); *p_tfm = tfm; } @@ -387,18 +390,22 @@ static int seg6_hmac_init_algo(void) algo->shashs = alloc_percpu(struct shash_desc *); if (!algo->shashs) - return -ENOMEM; + goto error_out; for_each_possible_cpu(cpu) { shash = kzalloc_node(shsize, GFP_KERNEL, cpu_to_node(cpu)); if (!shash) - return -ENOMEM; + goto error_out; *per_cpu_ptr(algo->shashs, cpu) = shash; } } return 0; + +error_out: + seg6_hmac_exit(); + return ret; } int __init seg6_hmac_init(void) @@ -418,22 +425,29 @@ int __net_init seg6_hmac_net_init(struct net *net) void seg6_hmac_exit(void) { struct seg6_hmac_algo *algo = NULL; + struct crypto_shash *tfm; + struct shash_desc *shash; int i, alg_count, cpu; alg_count = ARRAY_SIZE(hmac_algos); for (i = 0; i < alg_count; i++) { algo = &hmac_algos[i]; - for_each_possible_cpu(cpu) { - struct crypto_shash *tfm; - struct shash_desc *shash; - shash = *per_cpu_ptr(algo->shashs, cpu); - kfree(shash); - tfm = *per_cpu_ptr(algo->tfms, cpu); - crypto_free_shash(tfm); + if (algo->shashs) { + for_each_possible_cpu(cpu) { + shash = *per_cpu_ptr(algo->shashs, cpu); + kfree(shash); + } + free_percpu(algo->shashs); + } + + if (algo->tfms) { + for_each_possible_cpu(cpu) { + tfm = *per_cpu_ptr(algo->tfms, cpu); + crypto_free_shash(tfm); + } + free_percpu(algo->tfms); } - free_percpu(algo->tfms); - free_percpu(algo->shashs); } } EXPORT_SYMBOL(seg6_hmac_exit); From 45e0b129726564750a58c06f1b4060b23f158960 Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Wed, 16 Jun 2021 14:19:33 -0700 Subject: [PATCH 103/182] params: lift param_set_uint_minmax to common code [ Upstream commit 2a14c9ae15a38148484a128b84bff7e9ffd90d68 ] It is a useful helper hence move it to common code so others can enjoy it. Suggested-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Reviewed-by: Hannes Reinecke Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Stable-dep-of: 3ebc46ca8675 ("tcp: Fix shift-out-of-bounds in dctcp_update_alpha().") Signed-off-by: Sasha Levin (cherry picked from commit 459de98d7a6b3d504b5e8664f32f59a306dd425c) [Harshit: Also lift param_set_uint_minmax from staging lustre driver, it is removed in 4.19.y so this upstream commit didnot try cleaning it up there] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- drivers/staging/lustre/lnet/libcfs/debug.c | 16 ---------------- include/linux/moduleparam.h | 2 ++ kernel/params.c | 18 ++++++++++++++++++ net/sunrpc/xprtsock.c | 18 ------------------ 4 files changed, 20 insertions(+), 34 deletions(-) diff --git a/drivers/staging/lustre/lnet/libcfs/debug.c b/drivers/staging/lustre/lnet/libcfs/debug.c index 1ab394c1fabc..8a36845bee9c 100644 --- a/drivers/staging/lustre/lnet/libcfs/debug.c +++ b/drivers/staging/lustre/lnet/libcfs/debug.c @@ -167,22 +167,6 @@ static const struct kernel_param_ops param_ops_console_min_delay = { module_param(libcfs_console_min_delay, console_min_delay, 0644); MODULE_PARM_DESC(libcfs_console_min_delay, "Lustre kernel debug console min delay (jiffies)"); -static int param_set_uint_minmax(const char *val, - const struct kernel_param *kp, - unsigned int min, unsigned int max) -{ - unsigned int num; - int ret; - - if (!val) - return -EINVAL; - ret = kstrtouint(val, 0, &num); - if (ret < 0 || num < min || num > max) - return -EINVAL; - *((unsigned int *)kp->arg) = num; - return 0; -} - static int param_set_uintpos(const char *val, const struct kernel_param *kp) { return param_set_uint_minmax(val, kp, 1, -1); diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h index 1d7140fef154..a576afbada9d 100644 --- a/include/linux/moduleparam.h +++ b/include/linux/moduleparam.h @@ -369,6 +369,8 @@ extern int param_get_int(char *buffer, const struct kernel_param *kp); extern const struct kernel_param_ops param_ops_uint; extern int param_set_uint(const char *val, const struct kernel_param *kp); extern int param_get_uint(char *buffer, const struct kernel_param *kp); +int param_set_uint_minmax(const char *val, const struct kernel_param *kp, + unsigned int min, unsigned int max); #define param_check_uint(name, p) __param_check(name, p, unsigned int) extern const struct kernel_param_ops param_ops_long; diff --git a/kernel/params.c b/kernel/params.c index cc9108c2a1fd..395cb9753ef9 100644 --- a/kernel/params.c +++ b/kernel/params.c @@ -245,6 +245,24 @@ STANDARD_PARAM_DEF(long, long, "%li", kstrtol); STANDARD_PARAM_DEF(ulong, unsigned long, "%lu", kstrtoul); STANDARD_PARAM_DEF(ullong, unsigned long long, "%llu", kstrtoull); +int param_set_uint_minmax(const char *val, const struct kernel_param *kp, + unsigned int min, unsigned int max) +{ + unsigned int num; + int ret; + + if (!val) + return -EINVAL; + ret = kstrtouint(val, 0, &num); + if (ret) + return ret; + if (num < min || num > max) + return -EINVAL; + *((unsigned int *)kp->arg) = num; + return 0; +} +EXPORT_SYMBOL_GPL(param_set_uint_minmax); + int param_set_charp(const char *val, const struct kernel_param *kp) { if (strlen(val) > 1024) { diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 1fd2939eb05d..aa1850fa1a72 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -3273,24 +3273,6 @@ void cleanup_socket_xprt(void) xprt_unregister_transport(&xs_bc_tcp_transport); } -static int param_set_uint_minmax(const char *val, - const struct kernel_param *kp, - unsigned int min, unsigned int max) -{ - unsigned int num; - int ret; - - if (!val) - return -EINVAL; - ret = kstrtouint(val, 0, &num); - if (ret) - return ret; - if (num < min || num > max) - return -EINVAL; - *((unsigned int *)kp->arg) = num; - return 0; -} - static int param_set_portnr(const char *val, const struct kernel_param *kp) { return param_set_uint_minmax(val, kp, From cf1096a1c8e1905df5e69949153c2598060457f0 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima Date: Fri, 17 May 2024 18:16:26 +0900 Subject: [PATCH 104/182] tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). [ Upstream commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66 ] In dctcp_update_alpha(), we use a module parameter dctcp_shift_g as follows: alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g); ... delivered_ce <<= (10 - dctcp_shift_g); It seems syzkaller started fuzzing module parameters and triggered shift-out-of-bounds [0] by setting 100 to dctcp_shift_g: memcpy((void*)0x20000080, "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul, /*flags=*/2ul, /*mode=*/0ul); memcpy((void*)0x20000000, "100\000", 4); syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul); Let's limit the max value of dctcp_shift_g by param_set_uint_minmax(). With this patch: # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g 10 # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g -bash: echo: write error: Invalid argument [0]: UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12 shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int') CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468 dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143 tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline] tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948 tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711 tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937 sk_backlog_rcv include/net/sock.h:1106 [inline] __release_sock+0x20f/0x350 net/core/sock.c:2983 release_sock+0x61/0x1f0 net/core/sock.c:3549 mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907 mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976 __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072 mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127 inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437 __sock_release net/socket.c:659 [inline] sock_close+0xc0/0x240 net/socket.c:1421 __fput+0x41b/0x890 fs/file_table.c:422 task_work_run+0x23b/0x300 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x9c8/0x2540 kernel/exit.c:878 do_group_exit+0x201/0x2b0 kernel/exit.c:1027 __do_sys_exit_group kernel/exit.c:1038 [inline] __se_sys_exit_group kernel/exit.c:1036 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f6c2b5005b6 Code: Unable to access opcode bytes at 0x7f6c2b50058c. RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6 RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0 R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 Reported-by: syzkaller Reported-by: Yue Sun Reported-by: xingwei lee Closes: https://lore.kernel.org/netdev/CAEkJfYNJM=cw-8x7_Vmj1J6uYVCWMbbvD=EFmDPVBGpTsqOxEA@mail.gmail.com/ Fixes: e3118e8359bb ("net: tcp: add DCTCP congestion control algorithm") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20240517091626.32772-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6) Signed-off-by: Vegard Nossum --- net/ipv4/tcp_dctcp.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c index f0de9fb92f0d..ff720fc6d88f 100644 --- a/net/ipv4/tcp_dctcp.c +++ b/net/ipv4/tcp_dctcp.c @@ -59,7 +59,18 @@ struct dctcp { }; static unsigned int dctcp_shift_g __read_mostly = 4; /* g = 1/2^4 */ -module_param(dctcp_shift_g, uint, 0644); + +static int dctcp_shift_g_set(const char *val, const struct kernel_param *kp) +{ + return param_set_uint_minmax(val, kp, 0, 10); +} + +static const struct kernel_param_ops dctcp_shift_g_ops = { + .set = dctcp_shift_g_set, + .get = param_get_uint, +}; + +module_param_cb(dctcp_shift_g, &dctcp_shift_g_ops, &dctcp_shift_g, 0644); MODULE_PARM_DESC(dctcp_shift_g, "parameter g for updating dctcp_alpha"); static unsigned int dctcp_alpha_on_init __read_mostly = DCTCP_MAX_ALPHA; From a629b0579dee6b041fdcad1859fa9f6a86da4ced Mon Sep 17 00:00:00 2001 From: Aaron Conole Date: Thu, 16 May 2024 16:09:41 -0400 Subject: [PATCH 105/182] openvswitch: Set the skbuff pkt_type for proper pmtud support. [ Upstream commit 30a92c9e3d6b073932762bef2ac66f4ee784c657 ] Open vSwitch is originally intended to switch at layer 2, only dealing with Ethernet frames. With the introduction of l3 tunnels support, it crossed into the realm of needing to care a bit about some routing details when making forwarding decisions. If an oversized packet would need to be fragmented during this forwarding decision, there is a chance for pmtu to get involved and generate a routing exception. This is gated by the skbuff->pkt_type field. When a flow is already loaded into the openvswitch module this field is set up and transitioned properly as a packet moves from one port to another. In the case that a packet execute is invoked after a flow is newly installed this field is not properly initialized. This causes the pmtud mechanism to omit sending the required exception messages across the tunnel boundary and a second attempt needs to be made to make sure that the routing exception is properly setup. To fix this, we set the outgoing packet's pkt_type to PACKET_OUTGOING, since it can only get to the openvswitch module via a port device or packet command. Even for bridge ports as users, the pkt_type needs to be reset when doing the transmit as the packet is truly outgoing and routing needs to get involved post packet transformations, in the case of VXLAN/GENEVE/udp-tunnel packets. In general, the pkt_type on output gets ignored, since we go straight to the driver, but in the case of tunnel ports they go through IP routing layer. This issue is periodically encountered in complex setups, such as large openshift deployments, where multiple sets of tunnel traversal occurs. A way to recreate this is with the ovn-heater project that can setup a networking environment which mimics such large deployments. We need larger environments for this because we need to ensure that flow misses occur. In these environment, without this patch, we can see: ./ovn_cluster.sh start podman exec ovn-chassis-1 ip r a 170.168.0.5/32 dev eth1 mtu 1200 podman exec ovn-chassis-1 ip netns exec sw01p1 ip r flush cache podman exec ovn-chassis-1 ip netns exec sw01p1 \ ping 21.0.0.3 -M do -s 1300 -c2 PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data. From 21.0.0.3 icmp_seq=2 Frag needed and DF set (mtu = 1142) --- 21.0.0.3 ping statistics --- ... Using tcpdump, we can also see the expected ICMP FRAG_NEEDED message is not sent into the server. With this patch, setting the pkt_type, we see the following: podman exec ovn-chassis-1 ip netns exec sw01p1 \ ping 21.0.0.3 -M do -s 1300 -c2 PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data. From 21.0.0.3 icmp_seq=1 Frag needed and DF set (mtu = 1222) ping: local error: message too long, mtu=1222 --- 21.0.0.3 ping statistics --- ... In this case, the first ping request receives the FRAG_NEEDED message and a local routing exception is created. Tested-by: Jaime Caamano Reported-at: https://issues.redhat.com/browse/FDP-164 Fixes: 58264848a5a7 ("openvswitch: Add vxlan tunneling support.") Signed-off-by: Aaron Conole Acked-by: Eelco Chaudron Link: https://lore.kernel.org/r/20240516200941.16152-1-aconole@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 62a95de44a9bc006e01b0afa1b1e8868dc6de9d1) Signed-off-by: Vegard Nossum --- net/openvswitch/actions.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c index 93eb9631e2aa..adc37cdd4968 100644 --- a/net/openvswitch/actions.c +++ b/net/openvswitch/actions.c @@ -890,6 +890,12 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port, pskb_trim(skb, ovs_mac_header_len(key)); } + /* Need to set the pkt_type to involve the routing layer. The + * packet movement through the OVS datapath doesn't generally + * use routing, but this is needed for tunnel cases. + */ + skb->pkt_type = PACKET_OUTGOING; + if (likely(!mru || (skb->len <= mru + vport->dev->hard_header_len))) { ovs_vport_send(vport, skb, ovs_key_mac_proto(key)); From 0374a08aa5206c6200a88e0a122500dfd1d195f0 Mon Sep 17 00:00:00 2001 From: Jiangfeng Xiao Date: Mon, 20 May 2024 21:34:37 +0800 Subject: [PATCH 106/182] arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY [ Upstream commit ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f ] When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes to bug_table entries, and as a result the last entry in a bug table will be ignored, potentially leading to an unexpected panic(). All prior entries in the table will be handled correctly. The arm64 ABI requires that struct fields of up to 8 bytes are naturally-aligned, with padding added within a struct such that struct are suitably aligned within arrays. When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes signed int file_disp; // 4 bytes unsigned short line; // 2 bytes unsigned short flags; // 2 bytes } ... with 12 bytes total, requiring 4-byte alignment. When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is: struct bug_entry { signed int bug_addr_disp; // 4 bytes unsigned short flags; // 2 bytes < implicit padding > // 2 bytes } ... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing padding, requiring 4-byte alginment. When we create a bug_entry in assembly, we align the start of the entry to 4 bytes, which implicitly handles padding for any prior entries. However, we do not align the end of the entry, and so when CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding bytes. For the main kernel image this is not a problem as find_bug() doesn't depend on the trailing padding bytes when searching for entries: for (bug = __start___bug_table; bug < __stop___bug_table; ++bug) if (bugaddr == bug_addr(bug)) return bug; However for modules, module_bug_finalize() depends on the trailing bytes when calculating the number of entries: mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry); ... and as the last bug_entry lacks the necessary padding bytes, this entry will not be counted, e.g. in the case of a single entry: sechdrs[i].sh_size == 6 sizeof(struct bug_entry) == 8; sechdrs[i].sh_size / sizeof(struct bug_entry) == 0; Consequently module_find_bug() will miss the last bug_entry when it does: for (i = 0; i < mod->num_bugs; ++i, ++bug) if (bugaddr == bug_addr(bug)) goto out; ... which can lead to a kenrel panic due to an unhandled bug. This can be demonstrated with the following module: static int __init buginit(void) { WARN(1, "hello\n"); return 0; } static void __exit bugexit(void) { } module_init(buginit); module_exit(bugexit); MODULE_LICENSE("GPL"); ... which will trigger a kernel panic when loaded: ------------[ cut here ]------------ hello Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: hello(O+) CPU: 0 PID: 50 Comm: insmod Tainted: G O 6.9.1 #8 Hardware name: linux,dummy-virt (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : buginit+0x18/0x1000 [hello] lr : buginit+0x18/0x1000 [hello] sp : ffff800080533ae0 x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000 x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58 x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0 x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006 x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720 x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312 x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8 x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000 x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0 Call trace: buginit+0x18/0x1000 [hello] do_one_initcall+0x80/0x1c8 do_init_module+0x60/0x218 load_module+0x1ba4/0x1d70 __do_sys_init_module+0x198/0x1d0 __arm64_sys_init_module+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xd8 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 Code: d0ffffe0 910003fd 91000000 9400000b (d4210000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: BRK handler: Fatal exception Fix this by always aligning the end of a bug_entry to 4 bytes, which is correct regardless of CONFIG_DEBUG_BUGVERBOSE. Fixes: 9fb7410f955f ("arm64/BUG: Use BRK instruction for generic BUG traps") Signed-off-by: Yuanbin Xie Signed-off-by: Jiangfeng Xiao Reviewed-by: Mark Rutland Link: https://lore.kernel.org/r/1716212077-43826-1-git-send-email-xiaojiangfeng@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin (cherry picked from commit f221bd58db0f6ca087ac0392284f6bce21f4f8ea) Signed-off-by: Vegard Nossum --- arch/arm64/include/asm/asm-bug.h | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/include/asm/asm-bug.h b/arch/arm64/include/asm/asm-bug.h index 636e755bcdca..63ea62fbf093 100644 --- a/arch/arm64/include/asm/asm-bug.h +++ b/arch/arm64/include/asm/asm-bug.h @@ -39,6 +39,7 @@ 0: .long 1f - 0b; \ _BUGVERBOSE_LOCATION(__FILE__, __LINE__) \ .short flags; \ + .align 2; \ .popsection; \ 1: #else From 63c5945dbfcb8b6f4c260aef57172893a15ebbb3 Mon Sep 17 00:00:00 2001 From: Jiri Pirko Date: Fri, 26 Apr 2024 17:08:45 +0200 Subject: [PATCH 107/182] virtio: delete vq in vp_find_vqs_msix() when request_irq() fails [ Upstream commit 89875151fccdd024d571aa884ea97a0128b968b6 ] When request_irq() fails, error path calls vp_del_vqs(). There, as vq is present in the list, free_irq() is called for the same vector. That causes following splat: [ 0.414355] Trying to free already-free IRQ 27 [ 0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0 [ 0.414510] Modules linked in: [ 0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27 [ 0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 [ 0.414540] RIP: 0010:free_irq+0x1a1/0x2d0 [ 0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40 [ 0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086 [ 0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000 [ 0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001 [ 0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001 [ 0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760 [ 0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600 [ 0.414540] FS: 0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000 [ 0.414540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0 [ 0.414540] Call Trace: [ 0.414540] [ 0.414540] ? __warn+0x80/0x120 [ 0.414540] ? free_irq+0x1a1/0x2d0 [ 0.414540] ? report_bug+0x164/0x190 [ 0.414540] ? handle_bug+0x3b/0x70 [ 0.414540] ? exc_invalid_op+0x17/0x70 [ 0.414540] ? asm_exc_invalid_op+0x1a/0x20 [ 0.414540] ? free_irq+0x1a1/0x2d0 [ 0.414540] vp_del_vqs+0xc1/0x220 [ 0.414540] vp_find_vqs_msix+0x305/0x470 [ 0.414540] vp_find_vqs+0x3e/0x1a0 [ 0.414540] vp_modern_find_vqs+0x1b/0x70 [ 0.414540] init_vqs+0x387/0x600 [ 0.414540] virtnet_probe+0x50a/0xc80 [ 0.414540] virtio_dev_probe+0x1e0/0x2b0 [ 0.414540] really_probe+0xc0/0x2c0 [ 0.414540] ? __pfx___driver_attach+0x10/0x10 [ 0.414540] __driver_probe_device+0x73/0x120 [ 0.414540] driver_probe_device+0x1f/0xe0 [ 0.414540] __driver_attach+0x88/0x180 [ 0.414540] bus_for_each_dev+0x85/0xd0 [ 0.414540] bus_add_driver+0xec/0x1f0 [ 0.414540] driver_register+0x59/0x100 [ 0.414540] ? __pfx_virtio_net_driver_init+0x10/0x10 [ 0.414540] virtio_net_driver_init+0x90/0xb0 [ 0.414540] do_one_initcall+0x58/0x230 [ 0.414540] kernel_init_freeable+0x1a3/0x2d0 [ 0.414540] ? __pfx_kernel_init+0x10/0x10 [ 0.414540] kernel_init+0x1a/0x1c0 [ 0.414540] ret_from_fork+0x31/0x50 [ 0.414540] ? __pfx_kernel_init+0x10/0x10 [ 0.414540] ret_from_fork_asm+0x1a/0x30 [ 0.414540] Fix this by calling deleting the current vq when request_irq() fails. Fixes: 0b0f9dc52ed0 ("Revert "virtio_pci: use shared interrupts for virtqueues"") Signed-off-by: Jiri Pirko Message-Id: <20240426150845.3999481-1-jiri@resnulli.us> Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin (cherry picked from commit cb7a7c8144b434e06aba99b13b045a7efe859587) Signed-off-by: Vegard Nossum --- drivers/virtio/virtio_pci_common.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c index 924554b7010d..313b6f856c47 100644 --- a/drivers/virtio/virtio_pci_common.c +++ b/drivers/virtio/virtio_pci_common.c @@ -341,8 +341,10 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs, vring_interrupt, 0, vp_dev->msix_names[msix_vec], vqs[i]); - if (err) + if (err) { + vp_del_vq(vqs[i]); goto error_find; + } } return 0; From 273d17ed35348d5e6cabe23d9170c876f95f3946 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Wed, 4 Jul 2018 08:49:43 +0100 Subject: [PATCH 108/182] net: fec: remove redundant variable 'inc' Variable 'inc' is being assigned but is never used hence it is redundant and can be removed. Cleans up clang warning: warning: variable 'inc' set but not used [-Wunused-but-set-variable] Signed-off-by: Colin Ian King Acked-by: Fugang Duan Signed-off-by: David S. Miller (cherry picked from commit f06bd2ed745cdca87ca398e27ef0bbbdf1089b05) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/freescale/fec_ptp.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c index e22a69f02186..e35df657ef3f 100644 --- a/drivers/net/ethernet/freescale/fec_ptp.c +++ b/drivers/net/ethernet/freescale/fec_ptp.c @@ -111,7 +111,6 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable) { unsigned long flags; u32 val, tempval; - int inc; struct timespec64 ts; u64 ns; val = 0; @@ -126,7 +125,6 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable) fep->pps_channel = DEFAULT_PPS_CHANNEL; fep->reload_period = PPS_OUPUT_RELOAD_PERIOD; - inc = fep->ptp_inc; spin_lock_irqsave(&fep->tmreg_lock, flags); From 76ff93a5ccf6378571ba77875039f77752ac8a33 Mon Sep 17 00:00:00 2001 From: Wei Fang Date: Tue, 21 May 2024 10:38:00 +0800 Subject: [PATCH 109/182] net: fec: avoid lock evasion when reading pps_enable [ Upstream commit 3b1c92f8e5371700fada307cc8fd2c51fa7bc8c1 ] The assignment of pps_enable is protected by tmreg_lock, but the read operation of pps_enable is not. So the Coverity tool reports a lock evasion warning which may cause data race to occur when running in a multithread environment. Although this issue is almost impossible to occur, we'd better fix it, at least it seems more logically reasonable, and it also prevents Coverity from continuing to issue warnings. Fixes: 278d24047891 ("net: fec: ptp: Enable PPS output based on ptp clock") Signed-off-by: Wei Fang Link: https://lore.kernel.org/r/20240521023800.17102-1-wei.fang@nxp.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 4e4efb8f1b275e85c5c7f69087e392dbae437a8d) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/freescale/fec_ptp.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c index e35df657ef3f..b42c68833292 100644 --- a/drivers/net/ethernet/freescale/fec_ptp.c +++ b/drivers/net/ethernet/freescale/fec_ptp.c @@ -120,14 +120,13 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable) return -EINVAL; } - if (fep->pps_enable == enable) - return 0; - - fep->pps_channel = DEFAULT_PPS_CHANNEL; - fep->reload_period = PPS_OUPUT_RELOAD_PERIOD; - spin_lock_irqsave(&fep->tmreg_lock, flags); + if (fep->pps_enable == enable) { + spin_unlock_irqrestore(&fep->tmreg_lock, flags); + return 0; + } + if (enable) { /* clear capture or output compare interrupt status if have. */ @@ -460,6 +459,9 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp, int ret = 0; if (rq->type == PTP_CLK_REQ_PPS) { + fep->pps_channel = DEFAULT_PPS_CHANNEL; + fep->reload_period = PPS_OUPUT_RELOAD_PERIOD; + ret = fec_ptp_enable_pps(fep, on); return ret; From 3267e236cb890a2ff6450ba831f3ad66386d6c4b Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 5 May 2024 19:36:49 +0900 Subject: [PATCH 110/182] nfc: nci: Fix kcov check in nci_rx_work() [ Upstream commit 19e35f24750ddf860c51e51c68cf07ea181b4881 ] Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(), with an assumption that kcov_remote_stop() is called upon continue of the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before break of the for loop. Reported-by: syzbot Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2 Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") Suggested-by: Andrey Konovalov Signed-off-by: Tetsuo Handa Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA.ne.jp Signed-off-by: Jakub Kicinski Stable-dep-of: 6671e352497c ("nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()") Signed-off-by: Sasha Levin (cherry picked from commit c6c938ef515733a1c7af2c87dbc23138f402ba97) Signed-off-by: Vegard Nossum --- net/nfc/nci/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index db7f6ada4ff7..bb4c61348362 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1528,6 +1528,7 @@ static void nci_rx_work(struct work_struct *work) if (!nci_valid_size(skb)) { kfree_skb(skb); + kcov_remote_stop(); break; } From 1a7a9cc0bb2c966cb7edee4a47dc81053e9030d8 Mon Sep 17 00:00:00 2001 From: Ryosuke Yasuoka Date: Wed, 22 May 2024 00:34:42 +0900 Subject: [PATCH 111/182] nfc: nci: Fix handling of zero-length payload packets in nci_rx_work() [ Upstream commit 6671e352497ca4bb07a96c48e03907065ff77d8a ] When nci_rx_work() receives a zero-length payload packet, it should not discard the packet and exit the loop. Instead, it should continue processing subsequent packets. Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet") Signed-off-by: Ryosuke Yasuoka Reviewed-by: Simon Horman Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 8f02d494cebae48dbd14c582ad4b36846e211b6a) Signed-off-by: Vegard Nossum --- net/nfc/nci/core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index bb4c61348362..28b46b8fde70 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1528,8 +1528,7 @@ static void nci_rx_work(struct work_struct *work) if (!nci_valid_size(skb)) { kfree_skb(skb); - kcov_remote_stop(); - break; + continue; } /* Process frame */ From ac335a5fe30958ed4c81fac6b76e4b6c77f6f95d Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 15 May 2024 13:23:39 +0000 Subject: [PATCH 112/182] netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() [ Upstream commit dc21c6cc3d6986d938efbf95de62473982c98dec ] syzbot reported that nf_reinject() could be called without rcu_read_lock() : WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 stack backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline] instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 Fixes: 9872bec773c2 ("[NETFILTER]: nfnetlink: use RCU for queue instances hash") Reported-by: syzbot Signed-off-by: Eric Dumazet Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin (cherry picked from commit 8658bd777cbfcb0c13df23d0ea120e70517761b9) Signed-off-by: Vegard Nossum --- net/netfilter/nfnetlink_queue.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 0c40438c5b6f..c236860c4ecb 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -168,7 +168,9 @@ instance_destroy_rcu(struct rcu_head *head) struct nfqnl_instance *inst = container_of(head, struct nfqnl_instance, rcu); + rcu_read_lock(); nfqnl_flush(inst, NULL, 0); + rcu_read_unlock(); kfree(inst); module_put(THIS_MODULE); } From 0a359294f4d22e037ff38999b1fdaa688aab6e5f Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Wed, 22 May 2024 20:09:49 +0300 Subject: [PATCH 113/182] spi: Don't mark message DMA mapped when no transfer in it is [ Upstream commit 9f788ba457b45b0ce422943fcec9fa35c4587764 ] There is no need to set the DMA mapped flag of the message if it has no mapped transfers. Moreover, it may give the code a chance to take the wrong paths, i.e. to exercise DMA related APIs on unmapped data. Make __spi_map_msg() to bail earlier on the above mentioned cases. Fixes: 99adef310f68 ("spi: Provide core support for DMA mapping transfers") Signed-off-by: Andy Shevchenko Link: https://msgid.link/r/20240522171018.3362521-2-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit c7893975764ba3b7a58a186f63dae188f7eddb18) Signed-off-by: Vegard Nossum --- drivers/spi/spi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 1031c8e38144..f51fa1d0ec1b 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -861,6 +861,7 @@ static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg) else rx_dev = ctlr->dev.parent; + ret = -ENOMSG; list_for_each_entry(xfer, &msg->transfers, transfer_list) { if (!ctlr->can_dma(ctlr, msg->spi, xfer)) continue; @@ -884,6 +885,9 @@ static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg) } } } + /* No transfer has been mapped, bail out with success */ + if (ret) + return 0; ctlr->cur_msg_mapped = true; From 5584ee5ae01187bdcb286738c27d8cecf7c2b92d Mon Sep 17 00:00:00 2001 From: Sagi Grimberg Date: Tue, 21 May 2024 23:20:28 +0300 Subject: [PATCH 114/182] nvmet: fix ns enable/disable possible hang [ Upstream commit f97914e35fd98b2b18fb8a092e0a0799f73afdfe ] When disabling an nvmet namespace, there is a period where the subsys->lock is released, as the ns disable waits for backend IO to complete, and the ns percpu ref to be properly killed. The original intent was to avoid taking the subsystem lock for a prolong period as other processes may need to acquire it (for example new incoming connections). However, it opens up a window where another process may come in and enable the ns, (re)intiailizing the ns percpu_ref, causing the disable sequence to hang. Solve this by taking the global nvmet_config_sem over the entire configfs enable/disable sequence. Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch Signed-off-by: Sasha Levin (cherry picked from commit 36a935c8785a9ca95b094440a0450cd56b90e70c) Signed-off-by: Vegard Nossum --- drivers/nvme/target/configfs.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c index b6aeb1d70951..3635a38f1f12 100644 --- a/drivers/nvme/target/configfs.c +++ b/drivers/nvme/target/configfs.c @@ -396,10 +396,18 @@ static ssize_t nvmet_ns_enable_store(struct config_item *item, if (strtobool(page, &enable)) return -EINVAL; + /* + * take a global nvmet_config_sem because the disable routine has a + * window where it releases the subsys-lock, giving a chance to + * a parallel enable to concurrently execute causing the disable to + * have a misaccounting of the ns percpu_ref. + */ + down_write(&nvmet_config_sem); if (enable) ret = nvmet_ns_enable(ns); else nvmet_ns_disable(ns); + up_write(&nvmet_config_sem); return ret ? ret : count; } From d6e67757cebbeb5857838f51e2c514a3c9fc5557 Mon Sep 17 00:00:00 2001 From: Carolina Jubran Date: Wed, 22 May 2024 22:26:58 +0300 Subject: [PATCH 115/182] net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion [ Upstream commit 5c74195d5dd977e97556e6fa76909b831c241230 ] Previously, the driver incorrectly used rx_dropped to report device buffer exhaustion. According to the documentation, rx_dropped should not be used to count packets dropped due to buffer exhaustion, which is the purpose of rx_missed_errors. Use rx_missed_errors as intended for counting packets dropped due to buffer exhaustion. Fixes: 269e6b3af3bf ("net/mlx5e: Report additional error statistics in get stats ndo") Signed-off-by: Carolina Jubran Signed-off-by: Tariq Toukan Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 19f9b6cb94eebb4ef2a4a6bca0ef595039d73e04) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c index 14bab8a5550d..75c491ab6127 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -3152,7 +3152,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats) stats->tx_dropped = sstats->tx_queue_dropped; } - stats->rx_dropped = priv->stats.qcnt.rx_out_of_buffer; + stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer; stats->rx_length_errors = PPORT_802_3_GET(pstats, a_in_range_length_errors) + From 5beeab6917b9b59ab2c15744b190b3ad93c58687 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 5 May 2024 23:08:31 +0900 Subject: [PATCH 116/182] dma-buf/sw-sync: don't enable IRQ from sync_print_obj() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit b794918961516f667b0c745aebdfebbb8a98df39 ] Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") by error replaced spin_unlock_irqrestore() with spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite sync_print_obj() is called from sync_debugfs_show(), lockdep complains inconsistent lock state warning. Use plain spin_{lock,unlock}() for sync_print_obj(), for sync_debugfs_show() is already using spin_{lock,unlock}_irq(). Reported-by: syzbot Closes: https://syzkaller.appspot.com/bug?extid=a225ee3df7e7f9372dbe Fixes: a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") Signed-off-by: Tetsuo Handa Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/c2e46020-aaa6-4e06-bf73-f05823f913f0@I-love.SAKURA.ne.jp Signed-off-by: Christian König Signed-off-by: Sasha Levin (cherry picked from commit 1ff116f68560a25656933d5a18e7619cb6773d8a) Signed-off-by: Vegard Nossum --- drivers/dma-buf/sync_debug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma-buf/sync_debug.c b/drivers/dma-buf/sync_debug.c index c4c8ecb24aa9..cfe31e52d78d 100644 --- a/drivers/dma-buf/sync_debug.c +++ b/drivers/dma-buf/sync_debug.c @@ -119,12 +119,12 @@ static void sync_print_obj(struct seq_file *s, struct sync_timeline *obj) seq_printf(s, "%s: %d\n", obj->name, obj->value); - spin_lock_irq(&obj->lock); + spin_lock(&obj->lock); /* Caller already disabled IRQ. */ list_for_each(pos, &obj->pt_list) { struct sync_pt *pt = container_of(pos, struct sync_pt, link); sync_print_fence(s, &pt->base, false); } - spin_unlock_irq(&obj->lock); + spin_unlock(&obj->lock); } static void sync_print_sync_file(struct seq_file *s, From 3d00c58ac6d7f0fa0882aafb5b1ca2c3c22838eb Mon Sep 17 00:00:00 2001 From: Roded Zats Date: Wed, 22 May 2024 10:30:44 +0300 Subject: [PATCH 117/182] enic: Validate length of nl attributes in enic_set_vf_port [ Upstream commit e8021b94b0412c37bcc79027c2e382086b6ce449 ] enic_set_vf_port assumes that the nl attribute IFLA_PORT_PROFILE is of length PORT_PROFILE_MAX and that the nl attributes IFLA_PORT_INSTANCE_UUID, IFLA_PORT_HOST_UUID are of length PORT_UUID_MAX. These attributes are validated (in the function do_setlink in rtnetlink.c) using the nla_policy ifla_port_policy. The policy defines IFLA_PORT_PROFILE as NLA_STRING, IFLA_PORT_INSTANCE_UUID as NLA_BINARY and IFLA_PORT_HOST_UUID as NLA_STRING. That means that the length validation using the policy is for the max size of the attributes and not on exact size so the length of these attributes might be less than the sizes that enic_set_vf_port expects. This might cause an out of bands read access in the memcpys of the data of these attributes in enic_set_vf_port. Fixes: f8bd909183ac ("net: Add ndo_{set|get}_vf_port support for enic dynamic vnics") Signed-off-by: Roded Zats Link: https://lore.kernel.org/r/20240522073044.33519-1-rzats@paloaltonetworks.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 2b649d7e0cb42a660f0260ef25fd55fdc9c6c600) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/cisco/enic/enic_main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c index f0bbc0fdeddc..fa882e973a51 100644 --- a/drivers/net/ethernet/cisco/enic/enic_main.c +++ b/drivers/net/ethernet/cisco/enic/enic_main.c @@ -1108,18 +1108,30 @@ static int enic_set_vf_port(struct net_device *netdev, int vf, pp->request = nla_get_u8(port[IFLA_PORT_REQUEST]); if (port[IFLA_PORT_PROFILE]) { + if (nla_len(port[IFLA_PORT_PROFILE]) != PORT_PROFILE_MAX) { + memcpy(pp, &prev_pp, sizeof(*pp)); + return -EINVAL; + } pp->set |= ENIC_SET_NAME; memcpy(pp->name, nla_data(port[IFLA_PORT_PROFILE]), PORT_PROFILE_MAX); } if (port[IFLA_PORT_INSTANCE_UUID]) { + if (nla_len(port[IFLA_PORT_INSTANCE_UUID]) != PORT_UUID_MAX) { + memcpy(pp, &prev_pp, sizeof(*pp)); + return -EINVAL; + } pp->set |= ENIC_SET_INSTANCE; memcpy(pp->instance_uuid, nla_data(port[IFLA_PORT_INSTANCE_UUID]), PORT_UUID_MAX); } if (port[IFLA_PORT_HOST_UUID]) { + if (nla_len(port[IFLA_PORT_HOST_UUID]) != PORT_UUID_MAX) { + memcpy(pp, &prev_pp, sizeof(*pp)); + return -EINVAL; + } pp->set |= ENIC_SET_HOST; memcpy(pp->host_uuid, nla_data(port[IFLA_PORT_HOST_UUID]), PORT_UUID_MAX); From d7936abfc24afa29d587b2bdd0829092dc478ebf Mon Sep 17 00:00:00 2001 From: Andre Edich Date: Wed, 26 Aug 2020 13:17:15 +0200 Subject: [PATCH 118/182] smsc95xx: remove redundant function arguments [ Upstream commit 368be1ca28f66deba16627e2a02e78adedd023a6 ] This patch removes arguments netdev and phy_id from the functions smsc95xx_mdio_read_nopm and smsc95xx_mdio_write_nopm. Both removed arguments are recovered from a new argument `struct usbnet *dev`. Signed-off-by: Andre Edich Signed-off-by: David S. Miller Stable-dep-of: 52a2f0608366 ("net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM") Signed-off-by: Sasha Levin (cherry picked from commit eced17c8715d43ce16f61c5a6a49299fbf37c0a0) Signed-off-by: Vegard Nossum --- drivers/net/usb/smsc95xx.c | 35 +++++++++++++++++------------------ 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c index 2006f6943290..d33d98447d8e 100644 --- a/drivers/net/usb/smsc95xx.c +++ b/drivers/net/usb/smsc95xx.c @@ -273,16 +273,18 @@ static void __smsc95xx_mdio_write(struct net_device *netdev, int phy_id, mutex_unlock(&dev->phy_mutex); } -static int smsc95xx_mdio_read_nopm(struct net_device *netdev, int phy_id, - int idx) +static int smsc95xx_mdio_read_nopm(struct usbnet *dev, int idx) { - return __smsc95xx_mdio_read(netdev, phy_id, idx, 1); + struct mii_if_info *mii = &dev->mii; + + return __smsc95xx_mdio_read(dev->net, mii->phy_id, idx, 1); } -static void smsc95xx_mdio_write_nopm(struct net_device *netdev, int phy_id, - int idx, int regval) +static void smsc95xx_mdio_write_nopm(struct usbnet *dev, int idx, int regval) { - __smsc95xx_mdio_write(netdev, phy_id, idx, regval, 1); + struct mii_if_info *mii = &dev->mii; + + __smsc95xx_mdio_write(dev->net, mii->phy_id, idx, regval, 1); } static int smsc95xx_mdio_read(struct net_device *netdev, int phy_id, int idx) @@ -1361,39 +1363,37 @@ static u32 smsc_crc(const u8 *buffer, size_t len, int filter) static int smsc95xx_enable_phy_wakeup_interrupts(struct usbnet *dev, u16 mask) { - struct mii_if_info *mii = &dev->mii; int ret; netdev_dbg(dev->net, "enabling PHY wakeup interrupts\n"); /* read to clear */ - ret = smsc95xx_mdio_read_nopm(dev->net, mii->phy_id, PHY_INT_SRC); + ret = smsc95xx_mdio_read_nopm(dev, PHY_INT_SRC); if (ret < 0) return ret; /* enable interrupt source */ - ret = smsc95xx_mdio_read_nopm(dev->net, mii->phy_id, PHY_INT_MASK); + ret = smsc95xx_mdio_read_nopm(dev, PHY_INT_MASK); if (ret < 0) return ret; ret |= mask; - smsc95xx_mdio_write_nopm(dev->net, mii->phy_id, PHY_INT_MASK, ret); + smsc95xx_mdio_write_nopm(dev, PHY_INT_MASK, ret); return 0; } static int smsc95xx_link_ok_nopm(struct usbnet *dev) { - struct mii_if_info *mii = &dev->mii; int ret; /* first, a dummy read, needed to latch some MII phys */ - ret = smsc95xx_mdio_read_nopm(dev->net, mii->phy_id, MII_BMSR); + ret = smsc95xx_mdio_read_nopm(dev, MII_BMSR); if (ret < 0) return ret; - ret = smsc95xx_mdio_read_nopm(dev->net, mii->phy_id, MII_BMSR); + ret = smsc95xx_mdio_read_nopm(dev, MII_BMSR); if (ret < 0) return ret; @@ -1442,7 +1442,6 @@ static int smsc95xx_enter_suspend0(struct usbnet *dev) static int smsc95xx_enter_suspend1(struct usbnet *dev) { struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); - struct mii_if_info *mii = &dev->mii; u32 val; int ret; @@ -1450,17 +1449,17 @@ static int smsc95xx_enter_suspend1(struct usbnet *dev) * compatibility with non-standard link partners */ if (pdata->features & FEATURE_PHY_NLP_CROSSOVER) - smsc95xx_mdio_write_nopm(dev->net, mii->phy_id, PHY_EDPD_CONFIG, - PHY_EDPD_CONFIG_DEFAULT); + smsc95xx_mdio_write_nopm(dev, PHY_EDPD_CONFIG, + PHY_EDPD_CONFIG_DEFAULT); /* enable energy detect power-down mode */ - ret = smsc95xx_mdio_read_nopm(dev->net, mii->phy_id, PHY_MODE_CTRL_STS); + ret = smsc95xx_mdio_read_nopm(dev, PHY_MODE_CTRL_STS); if (ret < 0) return ret; ret |= MODE_CTRL_STS_EDPWRDOWN_; - smsc95xx_mdio_write_nopm(dev->net, mii->phy_id, PHY_MODE_CTRL_STS, ret); + smsc95xx_mdio_write_nopm(dev, PHY_MODE_CTRL_STS, ret); /* enter SUSPEND1 mode */ ret = smsc95xx_read_reg_nopm(dev, PM_CTRL, &val); From 17ddb0fdf87c7f3f7c07e2721f688301411d2792 Mon Sep 17 00:00:00 2001 From: Andre Edich Date: Wed, 26 Aug 2020 13:17:16 +0200 Subject: [PATCH 119/182] smsc95xx: use usbnet->driver_priv [ Upstream commit ad90a73f0236c41f7a2dedc2e75c7b5a364eb93e ] Using `void *driver_priv` instead of `unsigned long data[]` is more straightforward way to recover the `struct smsc95xx_priv *` from the `struct net_device *`. Signed-off-by: Andre Edich Signed-off-by: David S. Miller Stable-dep-of: 52a2f0608366 ("net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM") Signed-off-by: Sasha Levin (cherry picked from commit bcc526fec891dee22162082b1beeb9068b9eabb0) Signed-off-by: Vegard Nossum --- drivers/net/usb/smsc95xx.c | 61 +++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 33 deletions(-) diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c index d33d98447d8e..e35bdd8fdf62 100644 --- a/drivers/net/usb/smsc95xx.c +++ b/drivers/net/usb/smsc95xx.c @@ -469,7 +469,7 @@ static unsigned int smsc95xx_hash(char addr[ETH_ALEN]) static void smsc95xx_set_multicast(struct net_device *netdev) { struct usbnet *dev = netdev_priv(netdev); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; unsigned long flags; int ret; @@ -564,7 +564,7 @@ static int smsc95xx_phy_update_flowcontrol(struct usbnet *dev, u8 duplex, static int smsc95xx_link_reset(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; struct mii_if_info *mii = &dev->mii; struct ethtool_cmd ecmd = { .cmd = ETHTOOL_GSET }; unsigned long flags; @@ -634,7 +634,7 @@ static void smsc95xx_status(struct usbnet *dev, struct urb *urb) static void set_carrier(struct usbnet *dev, bool link) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; if (pdata->link_ok == link) return; @@ -763,7 +763,7 @@ static void smsc95xx_ethtool_get_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) { struct usbnet *dev = netdev_priv(net); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; wolinfo->supported = SUPPORTED_WAKE; wolinfo->wolopts = pdata->wolopts; @@ -773,7 +773,7 @@ static int smsc95xx_ethtool_set_wol(struct net_device *net, struct ethtool_wolinfo *wolinfo) { struct usbnet *dev = netdev_priv(net); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; int ret; if (wolinfo->wolopts & ~SUPPORTED_WAKE) @@ -812,7 +812,7 @@ static int get_mdix_status(struct net_device *net) static void set_mdix_status(struct net_device *net, __u8 mdix_ctrl) { struct usbnet *dev = netdev_priv(net); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; int buf; if ((pdata->chip_id == ID_REV_CHIP_ID_9500A_) || @@ -861,7 +861,7 @@ static int smsc95xx_get_link_ksettings(struct net_device *net, struct ethtool_link_ksettings *cmd) { struct usbnet *dev = netdev_priv(net); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; int retval; retval = usbnet_get_link_ksettings(net, cmd); @@ -876,7 +876,7 @@ static int smsc95xx_set_link_ksettings(struct net_device *net, const struct ethtool_link_ksettings *cmd) { struct usbnet *dev = netdev_priv(net); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; int retval; if (pdata->mdix_ctrl != cmd->base.eth_tp_mdix_ctrl) @@ -958,7 +958,7 @@ static int smsc95xx_set_mac_address(struct usbnet *dev) /* starts the TX path */ static int smsc95xx_start_tx_path(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; unsigned long flags; int ret; @@ -978,7 +978,7 @@ static int smsc95xx_start_tx_path(struct usbnet *dev) /* Starts the Receive path */ static int smsc95xx_start_rx_path(struct usbnet *dev, int in_pm) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; unsigned long flags; spin_lock_irqsave(&pdata->mac_cr_lock, flags); @@ -1035,7 +1035,7 @@ static int smsc95xx_phy_initialize(struct usbnet *dev) static int smsc95xx_reset(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; u32 read_buf, write_buf, burst_cap; int ret = 0, timeout; @@ -1263,7 +1263,7 @@ static const struct net_device_ops smsc95xx_netdev_ops = { static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) { - struct smsc95xx_priv *pdata = NULL; + struct smsc95xx_priv *pdata; u32 val; int ret; @@ -1275,13 +1275,12 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) return ret; } - dev->data[0] = (unsigned long)kzalloc(sizeof(struct smsc95xx_priv), - GFP_KERNEL); - - pdata = (struct smsc95xx_priv *)(dev->data[0]); + pdata = kzalloc(sizeof(*pdata), GFP_KERNEL); if (!pdata) return -ENOMEM; + dev->driver_priv = pdata; + spin_lock_init(&pdata->mac_cr_lock); /* LAN95xx devices do not alter the computed checksum of 0 to 0xffff. @@ -1344,15 +1343,11 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf) static void smsc95xx_unbind(struct usbnet *dev, struct usb_interface *intf) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); - - if (pdata) { - cancel_delayed_work_sync(&pdata->carrier_check); - netif_dbg(dev, ifdown, dev->net, "free pdata\n"); - kfree(pdata); - pdata = NULL; - dev->data[0] = 0; - } + struct smsc95xx_priv *pdata = dev->driver_priv; + + cancel_delayed_work_sync(&pdata->carrier_check); + netif_dbg(dev, ifdown, dev->net, "free pdata\n"); + kfree(pdata); } static u32 smsc_crc(const u8 *buffer, size_t len, int filter) @@ -1402,7 +1397,7 @@ static int smsc95xx_link_ok_nopm(struct usbnet *dev) static int smsc95xx_enter_suspend0(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; u32 val; int ret; @@ -1441,7 +1436,7 @@ static int smsc95xx_enter_suspend0(struct usbnet *dev) static int smsc95xx_enter_suspend1(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; u32 val; int ret; @@ -1488,7 +1483,7 @@ static int smsc95xx_enter_suspend1(struct usbnet *dev) static int smsc95xx_enter_suspend2(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; u32 val; int ret; @@ -1510,7 +1505,7 @@ static int smsc95xx_enter_suspend2(struct usbnet *dev) static int smsc95xx_enter_suspend3(struct usbnet *dev) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; u32 val; int ret; @@ -1549,7 +1544,7 @@ static int smsc95xx_enter_suspend3(struct usbnet *dev) static int smsc95xx_autosuspend(struct usbnet *dev, u32 link_up) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; int ret; if (!netif_running(dev->net)) { @@ -1597,7 +1592,7 @@ static int smsc95xx_autosuspend(struct usbnet *dev, u32 link_up) static int smsc95xx_suspend(struct usb_interface *intf, pm_message_t message) { struct usbnet *dev = usb_get_intfdata(intf); - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; u32 val, link_up; int ret; @@ -1868,7 +1863,7 @@ static int smsc95xx_resume(struct usb_interface *intf) u32 val; BUG_ON(!dev); - pdata = (struct smsc95xx_priv *)(dev->data[0]); + pdata = dev->driver_priv; suspend_flags = pdata->suspend_flags; netdev_dbg(dev->net, "resume suspend_flags=0x%02x\n", suspend_flags); @@ -2079,7 +2074,7 @@ static struct sk_buff *smsc95xx_tx_fixup(struct usbnet *dev, static int smsc95xx_manage_power(struct usbnet *dev, int on) { - struct smsc95xx_priv *pdata = (struct smsc95xx_priv *)(dev->data[0]); + struct smsc95xx_priv *pdata = dev->driver_priv; dev->intf->needs_remote_wakeup = on; From e0bd5cab3be56a1437e713a5411c458b80fa039c Mon Sep 17 00:00:00 2001 From: Parthiban Veerasooran Date: Thu, 23 May 2024 14:23:14 +0530 Subject: [PATCH 120/182] net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM [ Upstream commit 52a2f0608366a629d43dacd3191039c95fef74ba ] LED Select (LED_SEL) bit in the LED General Purpose IO Configuration register is used to determine the functionality of external LED pins (Speed Indicator, Link and Activity Indicator, Full Duplex Link Indicator). The default value for this bit is 0 when no EEPROM is present. If a EEPROM is present, the default value is the value of the LED Select bit in the Configuration Flags of the EEPROM. A USB Reset or Lite Reset (LRST) will cause this bit to be restored to the image value last loaded from EEPROM, or to be set to 0 if no EEPROM is present. While configuring the dual purpose GPIO/LED pins to LED outputs in the LED General Purpose IO Configuration register, the LED_SEL bit is changed as 0 and resulting the configured value from the EEPROM is cleared. The issue is fixed by using read-modify-write approach. Fixes: f293501c61c5 ("smsc95xx: configure LED outputs") Signed-off-by: Parthiban Veerasooran Reviewed-by: Simon Horman Reviewed-by: Woojung Huh Link: https://lore.kernel.org/r/20240523085314.167650-1-Parthiban.Veerasooran@microchip.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 85b6bcf9d5e332aa9c4b7820cb3aa748c3df6a80) Signed-off-by: Vegard Nossum --- drivers/net/usb/smsc95xx.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c index e35bdd8fdf62..038a221e4acc 100644 --- a/drivers/net/usb/smsc95xx.c +++ b/drivers/net/usb/smsc95xx.c @@ -1036,7 +1036,7 @@ static int smsc95xx_phy_initialize(struct usbnet *dev) static int smsc95xx_reset(struct usbnet *dev) { struct smsc95xx_priv *pdata = dev->driver_priv; - u32 read_buf, write_buf, burst_cap; + u32 read_buf, burst_cap; int ret = 0, timeout; netif_dbg(dev, ifup, dev->net, "entering smsc95xx_reset\n"); @@ -1178,10 +1178,13 @@ static int smsc95xx_reset(struct usbnet *dev) return ret; netif_dbg(dev, ifup, dev->net, "ID_REV = 0x%08x\n", read_buf); + ret = smsc95xx_read_reg(dev, LED_GPIO_CFG, &read_buf); + if (ret < 0) + return ret; /* Configure GPIO pins as LED outputs */ - write_buf = LED_GPIO_CFG_SPD_LED | LED_GPIO_CFG_LNK_LED | - LED_GPIO_CFG_FDX_LED; - ret = smsc95xx_write_reg(dev, LED_GPIO_CFG, write_buf); + read_buf |= LED_GPIO_CFG_SPD_LED | LED_GPIO_CFG_LNK_LED | + LED_GPIO_CFG_FDX_LED; + ret = smsc95xx_write_reg(dev, LED_GPIO_CFG, read_buf); if (ret < 0) return ret; From 4c2d953d579bbc6018f916d7474ca42a0ea2471f Mon Sep 17 00:00:00 2001 From: Xiaolei Wang Date: Fri, 24 May 2024 13:05:28 +0800 Subject: [PATCH 121/182] net:fec: Add fec_enet_deinit() [ Upstream commit bf0497f53c8535f99b72041529d3f7708a6e2c0d ] When fec_probe() fails or fec_drv_remove() needs to release the fec queue and remove a NAPI context, therefore add a function corresponding to fec_enet_init() and call fec_enet_deinit() which does the opposite to release memory and remove a NAPI context. Fixes: 59d0f7465644 ("net: fec: init multi queue date structure") Signed-off-by: Xiaolei Wang Reviewed-by: Wei Fang Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20240524050528.4115581-1-xiaolei.wang@windriver.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 416b0756721dcee2bb6227a4403e694011c32874) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/freescale/fec_main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index 4b169890d301..22cec349dead 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -3224,6 +3224,14 @@ static int fec_enet_init(struct net_device *ndev) return 0; } +static void fec_enet_deinit(struct net_device *ndev) +{ + struct fec_enet_private *fep = netdev_priv(ndev); + + netif_napi_del(&fep->napi); + fec_enet_free_queue(ndev); +} + #ifdef CONFIG_OF static int fec_reset_phy(struct platform_device *pdev) { @@ -3536,6 +3544,7 @@ fec_probe(struct platform_device *pdev) fec_enet_mii_remove(fep); failed_mii_init: failed_irq: + fec_enet_deinit(ndev); failed_init: fec_ptp_stop(pdev); failed_reset: @@ -3596,6 +3605,7 @@ fec_drv_remove(struct platform_device *pdev) pm_runtime_put_noidle(&pdev->dev); pm_runtime_disable(&pdev->dev); + fec_enet_deinit(ndev); free_netdev(ndev); return 0; } From c00f30ffce7c99732b9610771908b84af2f7e95a Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Sun, 19 May 2024 18:22:27 +0900 Subject: [PATCH 122/182] kconfig: fix comparison to constant symbols, 'm', 'n' [ Upstream commit aabdc960a283ba78086b0bf66ee74326f49e218e ] Currently, comparisons to 'm' or 'n' result in incorrect output. [Test Code] config MODULES def_bool y modules config A def_tristate m config B def_bool A > n CONFIG_B is unset, while CONFIG_B=y is expected. The reason for the issue is because Kconfig compares the tristate values as strings. Currently, the .type fields in the constant symbol definitions, symbol_{yes,mod,no} are unspecified, i.e., S_UNKNOWN. When expr_calc_value() evaluates 'A > n', it checks the types of 'A' and 'n' to determine how to compare them. The left-hand side, 'A', is a tristate symbol with a value of 'm', which corresponds to a numeric value of 1. (Internally, 'y', 'm', and 'n' are represented as 2, 1, and 0, respectively.) The right-hand side, 'n', has an unknown type, so it is treated as the string "n" during the comparison. expr_calc_value() compares two values numerically only when both can have numeric values. Otherwise, they are compared as strings. symbol numeric value ASCII code ------------------------------------- y 2 0x79 m 1 0x6d n 0 0x6e 'm' is greater than 'n' if compared numerically (since 1 is greater than 0), but smaller than 'n' if compared as strings (since the ASCII code 0x6d is smaller than 0x6e). Specifying .type=S_TRISTATE for symbol_{yes,mod,no} fixes the above test code. Doing so, however, would cause a regression to the following test code. [Test Code 2] config MODULES def_bool n modules config A def_tristate n config B def_bool A = m You would get CONFIG_B=y, while CONFIG_B should not be set. The reason is because sym_get_string_value() turns 'm' into 'n' when the module feature is disabled. Consequently, expr_calc_value() evaluates 'A = n' instead of 'A = m'. This oddity has been hidden because the type of 'm' was previously S_UNKNOWN instead of S_TRISTATE. sym_get_string_value() should not tweak the string because the tristate value has already been correctly calculated. There is no reason to return the string "n" where its tristate value is mod. Fixes: 31847b67bec0 ("kconfig: allow use of relations other than (in)equality") Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin (cherry picked from commit 6bfda3ef7f6a2c1de30e70d67e901aa966f40c17) Signed-off-by: Vegard Nossum --- scripts/kconfig/symbol.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/kconfig/symbol.c b/scripts/kconfig/symbol.c index 2956d1556cc3..d0c26d19a9e1 100644 --- a/scripts/kconfig/symbol.c +++ b/scripts/kconfig/symbol.c @@ -13,14 +13,17 @@ struct symbol symbol_yes = { .name = "y", + .type = S_TRISTATE, .curr = { "y", yes }, .flags = SYMBOL_CONST|SYMBOL_VALID, }, symbol_mod = { .name = "m", + .type = S_TRISTATE, .curr = { "m", mod }, .flags = SYMBOL_CONST|SYMBOL_VALID, }, symbol_no = { .name = "n", + .type = S_TRISTATE, .curr = { "n", no }, .flags = SYMBOL_CONST|SYMBOL_VALID, }, symbol_empty = { @@ -802,8 +805,7 @@ const char *sym_get_string_value(struct symbol *sym) case no: return "n"; case mod: - sym_calc_value(modules_sym); - return (modules_sym->curr.tri == no) ? "n" : "m"; + return "m"; case yes: return "y"; } From 59e5a44b8b298cec43305d8ba650673094448b28 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 21 Sep 2023 08:52:16 +0000 Subject: [PATCH 123/182] net: add DEV_STATS_READ() helper [ Upstream commit 0b068c714ca9479d2783cc333fff5bc2d4a6d45c ] Companion of DEV_STATS_INC() & DEV_STATS_ADD(). This is going to be used in the series. Use it in macsec_get_stats64(). Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Stable-dep-of: ff672b9ffeb3 ("ipvlan: properly track tx_errors") Signed-off-by: Sasha Levin (cherry picked from commit 1d5224e02a1c0be7da369ffac531c392f262b162) Signed-off-by: Vegard Nossum --- drivers/net/macsec.c | 4 ++-- include/linux/netdevice.h | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 577b7804ed66..893f542d44ec 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -2945,8 +2945,8 @@ static void macsec_get_stats64(struct net_device *dev, s->tx_bytes += tmp.tx_bytes; } - s->rx_dropped = dev->stats.rx_dropped; - s->tx_dropped = dev->stats.tx_dropped; + s->rx_dropped = DEV_STATS_READ(dev, rx_dropped); + s->tx_dropped = DEV_STATS_READ(dev, tx_dropped); } static int macsec_get_iflink(const struct net_device *dev) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index c10b2ede20e0..ec8f06bc4fed 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -4529,5 +4529,6 @@ do { \ #define DEV_STATS_INC(DEV, FIELD) atomic_long_inc(&(DEV)->stats.__##FIELD) #define DEV_STATS_ADD(DEV, FIELD, VAL) \ atomic_long_add((VAL), &(DEV)->stats.__##FIELD) +#define DEV_STATS_READ(DEV, FIELD) atomic_long_read(&(DEV)->stats.__##FIELD) #endif /* _LINUX_NETDEVICE_H */ From f18d1f1dd0f85682cce01581ea7c2596d0d35ead Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 26 Oct 2023 13:14:46 +0000 Subject: [PATCH 124/182] ipvlan: properly track tx_errors [ Upstream commit ff672b9ffeb3f82135488ac16c5c5eb4b992999b ] Both ipvlan_process_v4_outbound() and ipvlan_process_v6_outbound() increment dev->stats.tx_errors in case of errors. Unfortunately there are two issues : 1) ipvlan_get_stats64() does not propagate dev->stats.tx_errors to user. 2) Increments are not atomic. KCSAN would complain eventually. Use DEV_STATS_INC() to not miss an update, and change ipvlan_get_stats64() to copy the value back to user. Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Signed-off-by: Eric Dumazet Cc: Mahesh Bandewar Link: https://lore.kernel.org/r/20231026131446.3933175-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit c373feafd7058501d149c1d832d24a9a8319c7b7) Signed-off-by: Vegard Nossum --- drivers/net/ipvlan/ipvlan_core.c | 8 ++++---- drivers/net/ipvlan/ipvlan_main.c | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index 6283cbc9f6ed..40f3715c0f5c 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -399,12 +399,12 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) err = ip_local_out(net, skb->sk, skb); if (unlikely(net_xmit_eval(err))) - dev->stats.tx_errors++; + DEV_STATS_INC(dev, tx_errors); else ret = NET_XMIT_SUCCESS; goto out; err: - dev->stats.tx_errors++; + DEV_STATS_INC(dev, tx_errors); kfree_skb(skb); out: return ret; @@ -439,12 +439,12 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) err = ip6_local_out(net, skb->sk, skb); if (unlikely(net_xmit_eval(err))) - dev->stats.tx_errors++; + DEV_STATS_INC(dev, tx_errors); else ret = NET_XMIT_SUCCESS; goto out; err: - dev->stats.tx_errors++; + DEV_STATS_INC(dev, tx_errors); kfree_skb(skb); out: return ret; diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c index 11b7006142ce..70131c4f1aae 100644 --- a/drivers/net/ipvlan/ipvlan_main.c +++ b/drivers/net/ipvlan/ipvlan_main.c @@ -388,6 +388,7 @@ static void ipvlan_get_stats64(struct net_device *dev, s->rx_dropped = rx_errs; s->tx_dropped = tx_drps; } + s->tx_errors = DEV_STATS_READ(dev, tx_errors); } static int ipvlan_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid) From 41e5da22e02a94825b061ad86f10c9d6955727fd Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 9 Nov 2023 15:22:41 +0000 Subject: [PATCH 125/182] ipvlan: add ipvlan_route_v6_outbound() helper [ Upstream commit 18f039428c7df183b09c69ebf10ffd4e521035d2 ] Inspired by syzbot reports using a stack of multiple ipvlan devices. Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed. Also make sure ipvlan_process_v4_outbound() is not inlined. We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices. BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> [] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [] instrument_atomic_read include/linux/instrumented.h:72 [inline] [] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [] cpu_online include/linux/cpumask.h:1092 [inline] [] trace_lock_acquire include/trace/events/lock.h:24 [inline] [] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [] rcu_read_lock include/linux/rcupdate.h:747 [inline] [] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [] pol_lookup_func include/net/ip6_fib.h:584 [inline] [] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [] ip6_route_output include/net/ip6_route.h:100 [inline] [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [] xmit_one net/core/dev.c:3644 [inline] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [] neigh_hh_output include/net/neighbour.h:529 [inline] [] neigh_output include/net/neighbour.h:543 [inline] [] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [] dst_output include/net/dst.h:444 [inline] [] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [] xmit_one net/core/dev.c:3644 [inline] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [] neigh_hh_output include/net/neighbour.h:529 [inline] [] neigh_output include/net/neighbour.h:543 [inline] [] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [] dst_output include/net/dst.h:444 [inline] [] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [] xmit_one net/core/dev.c:3644 [inline] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [] neigh_hh_output include/net/neighbour.h:529 [inline] [] neigh_output include/net/neighbour.h:543 [inline] [] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [] dst_output include/net/dst.h:444 [inline] [] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [] xmit_one net/core/dev.c:3644 [inline] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [] neigh_hh_output include/net/neighbour.h:529 [inline] [] neigh_output include/net/neighbour.h:543 [inline] [] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [] dst_output include/net/dst.h:444 [inline] [] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [] xmit_one net/core/dev.c:3644 [inline] [] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560 [] neigh_output include/net/neighbour.h:545 [inline] [] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139 [] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [] dst_output include/net/dst.h:444 [inline] [] NF_HOOK include/linux/netfilter.h:309 [inline] [] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352 [] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250 [] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653 [] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783 [] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] [] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212 [] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764 [] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] [] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170 [] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73 [] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839 [] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029 [] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849 [] sock_sendmsg_nosec net/socket.c:716 [inline] [] sock_sendmsg net/socket.c:736 [inline] [] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504 [] ___sys_sendmsg net/socket.c:2558 [inline] [] __sys_sendmsg+0x271/0x360 net/socket.c:2587 [] __do_sys_sendmsg net/socket.c:2596 [inline] [] __se_sys_sendmsg net/socket.c:2594 [inline] [] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594 [] do_syscall_x64 arch/x86/entry/common.c:51 [inline] [] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Mahesh Bandewar Cc: Willem de Bruijn Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 4f7f850611aa27aaaf1bf5687702ad2240ae442a) [Vegard: fix trivial IS_ENABLED(CONFIG_IPV6) conflict due to missing commit 94333fac44d1da19ebdf41704780c1af3cabea61 ("ipvlan: drop ipv6 dependency").] Signed-off-by: Vegard Nossum --- drivers/net/ipvlan/ipvlan_core.c | 40 +++++++++++++++++++------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index 40f3715c0f5c..f0037debe4ee 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -369,7 +369,7 @@ static struct ipvl_addr *ipvlan_addr_lookup(struct ipvl_port *port, return addr; } -static int ipvlan_process_v4_outbound(struct sk_buff *skb) +static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb) { const struct iphdr *ip4h = ip_hdr(skb); struct net_device *dev = skb->dev; @@ -410,13 +410,10 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) return ret; } -static int ipvlan_process_v6_outbound(struct sk_buff *skb) +static noinline_for_stack int +ipvlan_route_v6_outbound(struct net_device *dev, struct sk_buff *skb) { const struct ipv6hdr *ip6h = ipv6_hdr(skb); - struct net_device *dev = skb->dev; - struct net *net = dev_net(dev); - struct dst_entry *dst; - int err, ret = NET_XMIT_DROP; struct flowi6 fl6 = { .flowi6_oif = dev->ifindex, .daddr = ip6h->daddr, @@ -426,27 +423,38 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) .flowi6_mark = skb->mark, .flowi6_proto = ip6h->nexthdr, }; + struct dst_entry *dst; + int err; - dst = ip6_route_output(net, NULL, &fl6); - if (dst->error) { - ret = dst->error; + dst = ip6_route_output(dev_net(dev), NULL, &fl6); + err = dst->error; + if (err) { dst_release(dst); - goto err; + return err; } skb_dst_set(skb, dst); + return 0; +} + +static int ipvlan_process_v6_outbound(struct sk_buff *skb) +{ + struct net_device *dev = skb->dev; + int err, ret = NET_XMIT_DROP; + + err = ipvlan_route_v6_outbound(dev, skb); + if (unlikely(err)) { + DEV_STATS_INC(dev, tx_errors); + kfree_skb(skb); + return err; + } memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); - err = ip6_local_out(net, skb->sk, skb); + err = ip6_local_out(dev_net(dev), skb->sk, skb); if (unlikely(net_xmit_eval(err))) DEV_STATS_INC(dev, tx_errors); else ret = NET_XMIT_SUCCESS; - goto out; -err: - DEV_STATS_INC(dev, tx_errors); - kfree_skb(skb); -out: return ret; } From 3a016fed8503f04152b170bc324fd7fbbfb155e4 Mon Sep 17 00:00:00 2001 From: Yue Haibing Date: Wed, 29 May 2024 17:56:33 +0800 Subject: [PATCH 126/182] ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound [ Upstream commit b3dc6e8003b500861fa307e9a3400c52e78e4d3a ] Raw packet from PF_PACKET socket ontop of an IPv6-backed ipvlan device will hit WARN_ON_ONCE() in sk_mc_loop() through sch_direct_xmit() path. WARNING: CPU: 2 PID: 0 at net/core/sock.c:775 sk_mc_loop+0x2d/0x70 Modules linked in: sch_netem ipvlan rfkill cirrus drm_shmem_helper sg drm_kms_helper CPU: 2 PID: 0 Comm: swapper/2 Kdump: loaded Not tainted 6.9.0+ #279 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:sk_mc_loop+0x2d/0x70 Code: fa 0f 1f 44 00 00 65 0f b7 15 f7 96 a3 4f 31 c0 66 85 d2 75 26 48 85 ff 74 1c RSP: 0018:ffffa9584015cd78 EFLAGS: 00010212 RAX: 0000000000000011 RBX: ffff91e585793e00 RCX: 0000000002c6a001 RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffff91e589c0f000 RBP: ffff91e5855bd100 R08: 0000000000000000 R09: 3d00545216f43d00 R10: ffff91e584fdcc50 R11: 00000060dd8616f4 R12: ffff91e58132d000 R13: ffff91e584fdcc68 R14: ffff91e5869ce800 R15: ffff91e589c0f000 FS: 0000000000000000(0000) GS:ffff91e898100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f788f7c44c0 CR3: 0000000008e1a000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __warn (kernel/panic.c:693) ? sk_mc_loop (net/core/sock.c:760) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:239) ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? sk_mc_loop (net/core/sock.c:760) ip6_finish_output2 (net/ipv6/ip6_output.c:83 (discriminator 1)) ? nf_hook_slow (net/netfilter/core.c:626) ip6_finish_output (net/ipv6/ip6_output.c:222) ? __pfx_ip6_finish_output (net/ipv6/ip6_output.c:215) ipvlan_xmit_mode_l3 (drivers/net/ipvlan/ipvlan_core.c:602) ipvlan ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:226) ipvlan dev_hard_start_xmit (net/core/dev.c:3594) sch_direct_xmit (net/sched/sch_generic.c:343) __qdisc_run (net/sched/sch_generic.c:416) net_tx_action (net/core/dev.c:5286) handle_softirqs (kernel/softirq.c:555) __irq_exit_rcu (kernel/softirq.c:589) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1043) The warning triggers as this: packet_sendmsg packet_snd //skb->sk is packet sk __dev_queue_xmit __dev_xmit_skb //q->enqueue is not NULL __qdisc_run sch_direct_xmit dev_hard_start_xmit ipvlan_start_xmit ipvlan_xmit_mode_l3 //l3 mode ipvlan_process_outbound //vepa flag ipvlan_process_v6_outbound ip6_local_out __ip6_finish_output ip6_finish_output2 //multicast packet sk_mc_loop //sk->sk_family is AF_PACKET Call ip{6}_local_out() with NULL sk in ipvlan as other tunnels to fix this. Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Suggested-by: Eric Dumazet Signed-off-by: Yue Haibing Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20240529095633.613103-1-yuehaibing@huawei.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 0049a623dfbbb49888de7f0c2f33a582b5ead989) --- drivers/net/ipvlan/ipvlan_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index f0037debe4ee..ab9beca09ca5 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -397,7 +397,7 @@ static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb) memset(IPCB(skb), 0, sizeof(*IPCB(skb))); - err = ip_local_out(net, skb->sk, skb); + err = ip_local_out(net, NULL, skb); if (unlikely(net_xmit_eval(err))) DEV_STATS_INC(dev, tx_errors); else @@ -450,7 +450,7 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); - err = ip6_local_out(dev_net(dev), skb->sk, skb); + err = ip6_local_out(dev_net(dev), NULL, skb); if (unlikely(net_xmit_eval(err))) DEV_STATS_INC(dev, tx_errors); else From 24212e46bb2a25ec7c7ef9c45a40670608a3a0f8 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 16 May 2018 23:45:33 +0200 Subject: [PATCH 127/182] ALSA: timer: Simplify timer hw resolution calls There multiple open-codes to get the hardware timer resolution. Make a local helper function snd_timer_hw_resolution() and call it from all relevant places. There is no functional change by this, just a preliminary work for the following timer resolution hardening patch. Signed-off-by: Takashi Iwai Signed-off-by: Vegard Nossum --- sound/core/timer.c | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/sound/core/timer.c b/sound/core/timer.c index 720d63574bfb..5b898e7b752d 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -448,6 +448,14 @@ int snd_timer_close(struct snd_timer_instance *timeri) } EXPORT_SYMBOL(snd_timer_close); +static unsigned long snd_timer_hw_resolution(struct snd_timer *timer) +{ + if (timer->hw.c_resolution) + return timer->hw.c_resolution(timer); + else + return timer->hw.resolution; +} + unsigned long snd_timer_resolution(struct snd_timer_instance *timeri) { struct snd_timer * timer; @@ -455,11 +463,8 @@ unsigned long snd_timer_resolution(struct snd_timer_instance *timeri) if (timeri == NULL) return 0; timer = timeri->timer; - if (timer) { - if (timer->hw.c_resolution) - return timer->hw.c_resolution(timer); - return timer->hw.resolution; - } + if (timer) + return snd_timer_hw_resolution(timer); return 0; } EXPORT_SYMBOL(snd_timer_resolution); @@ -792,10 +797,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) spin_lock_irqsave(&timer->lock, flags); /* remember the current resolution */ - if (timer->hw.c_resolution) - resolution = timer->hw.c_resolution(timer); - else - resolution = timer->hw.resolution; + resolution = snd_timer_hw_resolution(timer); /* loop for all active instances * Here we cannot use list_for_each_entry because the active_list of a @@ -1035,12 +1037,8 @@ void snd_timer_notify(struct snd_timer *timer, int event, struct timespec *tstam spin_lock_irqsave(&timer->lock, flags); if (event == SNDRV_TIMER_EVENT_MSTART || event == SNDRV_TIMER_EVENT_MCONTINUE || - event == SNDRV_TIMER_EVENT_MRESUME) { - if (timer->hw.c_resolution) - resolution = timer->hw.c_resolution(timer); - else - resolution = timer->hw.resolution; - } + event == SNDRV_TIMER_EVENT_MRESUME) + resolution = snd_timer_hw_resolution(timer); list_for_each_entry(ti, &timer->active_list_head, active_list) { if (ti->ccallback) ti->ccallback(ti, event, tstamp, resolution); @@ -1675,10 +1673,7 @@ static int snd_timer_user_gstatus(struct file *file, mutex_lock(®ister_mutex); t = snd_timer_find(&tid); if (t != NULL) { - if (t->hw.c_resolution) - gstatus.resolution = t->hw.c_resolution(t); - else - gstatus.resolution = t->hw.resolution; + gstatus.resolution = snd_timer_hw_resolution(t); if (t->hw.precise_resolution) { t->hw.precise_resolution(t, &gstatus.resolution_num, &gstatus.resolution_den); From 804b59ac965568b4ac7b1788ba8b3b324e362693 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Tue, 14 May 2024 20:27:36 +0200 Subject: [PATCH 128/182] ALSA: timer: Set lower bound of start tick time commit 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e upstream. Currently ALSA timer doesn't have the lower limit of the start tick time, and it allows a very small size, e.g. 1 tick with 1ns resolution for hrtimer. Such a situation may lead to an unexpected RCU stall, where the callback repeatedly queuing the expire update, as reported by fuzzer. This patch introduces a sanity check of the timer start tick time, so that the system returns an error when a too small start size is set. As of this patch, the lower limit is hard-coded to 100us, which is small enough but can still work somehow. Reported-by: syzbot+43120c2af6ca2938cc38@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/000000000000fa00a1061740ab6d@google.com Cc: Link: https://lore.kernel.org/r/20240514182745.4015-1-tiwai@suse.de Signed-off-by: Takashi Iwai [ backport note: the error handling is changed, as the original commit is based on the recent cleanup with guard() in commit beb45974dd49 -- tiwai ] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 68396c825c43664b20a3a1ba546844deb2b4e48f) Signed-off-by: Vegard Nossum --- sound/core/timer.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sound/core/timer.c b/sound/core/timer.c index 5b898e7b752d..15aa82dee7c8 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -524,6 +524,16 @@ static int snd_timer_start1(struct snd_timer_instance *timeri, goto unlock; } + /* check the actual time for the start tick; + * bail out as error if it's way too low (< 100us) + */ + if (start) { + if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) { + result = -EINVAL; + goto unlock; + } + } + if (start) timeri->ticks = timeri->cticks = ticks; else if (!timeri->cticks) From f642f364e2b4e4302e6b41f1583603a9be83baef Mon Sep 17 00:00:00 2001 From: Carlos Llamas Date: Sun, 21 Apr 2024 17:37:49 +0000 Subject: [PATCH 129/182] binder: fix max_thread type inconsistency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 42316941335644a98335f209daafa4c122f28983 upstream. The type defined for the BINDER_SET_MAX_THREADS ioctl was changed from size_t to __u32 in order to avoid incompatibility issues between 32 and 64-bit kernels. However, the internal types used to copy from user and store the value were never updated. Use u32 to fix the inconsistency. Fixes: a9350fc859ae ("staging: android: binder: fix BINDER_SET_MAX_THREADS declaration") Reported-by: Arve HjønnevÃ¥g Cc: stable@vger.kernel.org Signed-off-by: Carlos Llamas Reviewed-by: Alice Ryhl Link: https://lore.kernel.org/r/20240421173750.3117808-1-cmllamas@google.com [cmllamas: resolve minor conflicts due to missing commit 421518a2740f] Signed-off-by: Carlos Llamas Signed-off-by: Greg Kroah-Hartman (cherry picked from commit c437184be3c16f7123e5c59b4c85c1101f4dc96b) Signed-off-by: Vegard Nossum --- drivers/android/binder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 71c0441c1271..e85a1fe2039d 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -544,7 +544,7 @@ struct binder_proc { wait_queue_head_t wait; struct binder_stats stats; struct list_head delivered_death; - int max_threads; + u32 max_threads; int requested_threads; int requested_threads_started; int tmp_ref; @@ -4641,7 +4641,7 @@ static long binder_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) goto err; break; case BINDER_SET_MAX_THREADS: { - int max_threads; + u32 max_threads; if (copy_from_user(&max_threads, ubuf, sizeof(max_threads))) { From 5584cc5bd6c850f9738f7b249be3d298f0012a16 Mon Sep 17 00:00:00 2001 From: Jorge Ramirez-Ortiz Date: Wed, 3 Jan 2024 12:29:11 +0100 Subject: [PATCH 130/182] mmc: core: Do not force a retune before RPMB switch commit 67380251e8bbd3302c64fea07f95c31971b91c22 upstream. Requesting a retune before switching to the RPMB partition has been observed to cause CRC errors on the RPMB reads (-EILSEQ). Since RPMB reads can not be retried, the clients would be directly affected by the errors. This commit disables the retune request prior to switching to the RPMB partition: mmc_retune_pause() no longer triggers a retune before the pause period begins. This was verified with the sdhci-of-arasan driver (ZynqMP) configured for HS200 using two separate eMMC cards (DG4064 and 064GB2). In both cases, the error was easy to reproduce triggering every few tenths of reads. With this commit, systems that were utilizing OP-TEE to access RPMB variables will experience an enhanced performance. Specifically, when OP-TEE is configured to employ RPMB as a secure storage solution, it not only writes the data but also the secure filesystem within the partition. As a result, retrieving any variable involves multiple RPMB reads, typically around five. For context, on ZynqMP, each retune request consumed approximately 8ms. Consequently, reading any RPMB variable used to take at the very minimum 40ms. After droping the need to retune before switching to the RPMB partition, this is no longer the case. Signed-off-by: Jorge Ramirez-Ortiz Acked-by: Avri Altman Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20240103112911.2954632-1-jorge@foundries.io Signed-off-by: Ulf Hansson Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman (cherry picked from commit bda1d354bef71be32aaf2c5e6b96eef854b3dd4e) Signed-off-by: Vegard Nossum --- drivers/mmc/core/host.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/mmc/core/host.c b/drivers/mmc/core/host.c index 7d7114d0fa25..975771489c8f 100644 --- a/drivers/mmc/core/host.c +++ b/drivers/mmc/core/host.c @@ -68,13 +68,12 @@ void mmc_retune_enable(struct mmc_host *host) /* * Pause re-tuning for a small set of operations. The pause begins after the - * next command and after first doing re-tuning. + * next command. */ void mmc_retune_pause(struct mmc_host *host) { if (!host->retune_paused) { host->retune_paused = 1; - mmc_retune_needed(host); mmc_retune_hold(host); } } From 042d63a09767b3d6d006fc867d77cf610bfcdebf Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 17 Nov 2017 15:29:32 -0800 Subject: [PATCH 131/182] fs/nilfs2: convert timers to use timer_setup() In preparation for unconditionally passing the struct timer_list pointer to all timer callbacks, switch to using the new timer_setup() and from_timer() to pass the timer pointer explicitly. This requires adding a pointer to hold the timer's target task, as the lifetime of sc_task doesn't appear to match the timer's task. Link: http://lkml.kernel.org/r/20171016235900.GA102729@beast Signed-off-by: Kees Cook Acked-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds (cherry picked from commit 7554e9c4cfa208acf3164a86c05aaa967b043425) Signed-off-by: Vegard Nossum --- fs/nilfs2/segment.c | 11 +++++------ fs/nilfs2/segment.h | 1 + 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index d42df457d761..fbf62cc05f86 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2469,11 +2469,11 @@ static int nilfs_segctor_construct(struct nilfs_sc_info *sci, int mode) return err; } -static void nilfs_construction_timeout(unsigned long data) +static void nilfs_construction_timeout(struct timer_list *t) { - struct task_struct *p = (struct task_struct *)data; + struct nilfs_sc_info *sci = from_timer(sci, t, sc_timer); - wake_up_process(p); + wake_up_process(sci->sc_timer_task); } static void @@ -2611,8 +2611,7 @@ static int nilfs_segctor_thread(void *arg) struct the_nilfs *nilfs = sci->sc_super->s_fs_info; int timeout = 0; - sci->sc_timer.data = (unsigned long)current; - sci->sc_timer.function = nilfs_construction_timeout; + sci->sc_timer_task = current; /* start sync. */ sci->sc_task = current; @@ -2742,7 +2741,7 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - init_timer(&sci->sc_timer); + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; diff --git a/fs/nilfs2/segment.h b/fs/nilfs2/segment.h index 1060949d7dd2..84084a4d9b3e 100644 --- a/fs/nilfs2/segment.h +++ b/fs/nilfs2/segment.h @@ -180,6 +180,7 @@ struct nilfs_sc_info { unsigned long sc_watermark; struct timer_list sc_timer; + struct task_struct *sc_timer_task; struct task_struct *sc_task; }; From 705fabd9032429d644eee84edc1d45f740edcc81 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Mon, 20 May 2024 22:26:19 +0900 Subject: [PATCH 132/182] nilfs2: fix use-after-free of timer for log writer thread commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream. Patch series "nilfs2: fix log writer related issues". This bug fix series covers three nilfs2 log writer-related issues, including a timer use-after-free issue and potential deadlock issue on unmount, and a potential freeze issue in event synchronization found during their analysis. Details are described in each commit log. This patch (of 3): A use-after-free issue has been reported regarding the timer sc_timer on the nilfs_sc_info structure. The problem is that even though it is used to wake up a sleeping log writer thread, sc_timer is not shut down until the nilfs_sc_info structure is about to be freed, and is used regardless of the thread's lifetime. Fix this issue by limiting the use of sc_timer only while the log writer thread is alive. Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info") Signed-off-by: Ryusuke Konishi Reported-by: "Bai, Shuangpeng" Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 822ae5a8eac30478578a75f7e064f0584931bf2d) Signed-off-by: Vegard Nossum --- fs/nilfs2/segment.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index fbf62cc05f86..371bc336c4b0 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2172,8 +2172,10 @@ static void nilfs_segctor_start_timer(struct nilfs_sc_info *sci) { spin_lock(&sci->sc_state_lock); if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) { - sci->sc_timer.expires = jiffies + sci->sc_interval; - add_timer(&sci->sc_timer); + if (sci->sc_task) { + sci->sc_timer.expires = jiffies + sci->sc_interval; + add_timer(&sci->sc_timer); + } sci->sc_state |= NILFS_SEGCTOR_COMMIT; } spin_unlock(&sci->sc_state_lock); @@ -2393,10 +2395,21 @@ int nilfs_construct_dsync_segment(struct super_block *sb, struct inode *inode, */ static void nilfs_segctor_accept(struct nilfs_sc_info *sci) { + bool thread_is_alive; + spin_lock(&sci->sc_state_lock); sci->sc_seq_accepted = sci->sc_seq_request; + thread_is_alive = (bool)sci->sc_task; spin_unlock(&sci->sc_state_lock); - del_timer_sync(&sci->sc_timer); + + /* + * This function does not race with the log writer thread's + * termination. Therefore, deleting sc_timer, which should not be + * done after the log writer thread exits, can be done safely outside + * the area protected by sc_state_lock. + */ + if (thread_is_alive) + del_timer_sync(&sci->sc_timer); } /** @@ -2422,7 +2435,7 @@ static void nilfs_segctor_notify(struct nilfs_sc_info *sci, int mode, int err) sci->sc_flush_request &= ~FLUSH_DAT_BIT; /* re-enable timer if checkpoint creation was not done */ - if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && + if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task && time_before(jiffies, sci->sc_timer.expires)) add_timer(&sci->sc_timer); } @@ -2612,6 +2625,7 @@ static int nilfs_segctor_thread(void *arg) int timeout = 0; sci->sc_timer_task = current; + timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); /* start sync. */ sci->sc_task = current; @@ -2678,6 +2692,7 @@ static int nilfs_segctor_thread(void *arg) end_thread: /* end sync. */ sci->sc_task = NULL; + del_timer_sync(&sci->sc_timer); wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */ spin_unlock(&sci->sc_state_lock); return 0; @@ -2741,7 +2756,6 @@ static struct nilfs_sc_info *nilfs_segctor_new(struct super_block *sb, INIT_LIST_HEAD(&sci->sc_gc_inodes); INIT_LIST_HEAD(&sci->sc_iput_queue); INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func); - timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0); sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT; sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ; @@ -2827,7 +2841,6 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci) down_write(&nilfs->ns_segctor_sem); - del_timer_sync(&sci->sc_timer); kfree(sci); } From 7e6f3eaf97955faec6cf408b6404a35cf2c82ea0 Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Mon, 3 Jun 2024 10:59:26 +0200 Subject: [PATCH 133/182] vxlan: Fix regression when dropping packets due to invalid src addresses commit 1cd4bc987abb2823836cbb8f887026011ccddc8a upstream. Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") has recently been added to vxlan mainly in the context of source address snooping/learning so that when it is enabled, an entry in the FDB is not being created for an invalid address for the corresponding tunnel endpoint. Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in that it passed through whichever macs were set in the L2 header. It turns out that this change in behavior breaks setups, for example, Cilium with netkit in L3 mode for Pods as well as tunnel mode has been passing before the change in f58f45c1e5b9 for both vxlan and geneve. After mentioned change it is only passing for geneve as in case of vxlan packets are dropped due to vxlan_set_mac() returning false as source and destination macs are zero which for E/W traffic via tunnel is totally fine. Fix it by only opting into the is_valid_ether_addr() check in vxlan_set_mac() when in fact source address snooping/learning is actually enabled in vxlan. This is done by moving the check into vxlan_snoop(). With this change, the Cilium connectivity test suite passes again for both tunnel flavors. Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") Signed-off-by: Daniel Borkmann Cc: David Bauer Cc: Ido Schimmel Cc: Nikolay Aleksandrov Cc: Martin KaFai Lau Reviewed-by: Ido Schimmel Reviewed-by: Nikolay Aleksandrov Reviewed-by: David Bauer Signed-off-by: David S. Miller [ Backport note: vxlan snooping/learning not supported in 6.8 or older, so commit is simply a revert. ] Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f6141cbc2b5af521b1711e95363302b858a38729) Signed-off-by: Vegard Nossum --- drivers/net/vxlan.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c index 1c0e0694c7e7..31657f15eb07 100644 --- a/drivers/net/vxlan.c +++ b/drivers/net/vxlan.c @@ -1322,10 +1322,6 @@ static bool vxlan_set_mac(struct vxlan_dev *vxlan, if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) return false; - /* Ignore packets from invalid src-address */ - if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) - return false; - /* Get address from the outer IP header */ if (vxlan_get_sk_family(vs) == AF_INET) { saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr; From 34358bf261de42b079db6cbd5ae3b074282cd00f Mon Sep 17 00:00:00 2001 From: Qingfang DENG Date: Thu, 1 Jun 2023 09:54:32 +0800 Subject: [PATCH 134/182] neighbour: fix unaligned access to pneigh_entry commit ed779fe4c9b5a20b4ab4fd6f3e19807445bb78c7 upstream. After the blamed commit, the member key is longer 4-byte aligned. On platforms that do not support unaligned access, e.g., MIPS32R2 with unaligned_action set to 1, this will trigger a crash when accessing an IPv6 pneigh_entry, as the key is cast to an in6_addr pointer. Change the type of the key to u32 to make it aligned. Fixes: 62dd93181aaa ("[IPV6] NDISC: Set per-entry is_router flag in Proxy NA.") Signed-off-by: Qingfang DENG Link: https://lore.kernel.org/r/20230601015432.159066-1-dqfext@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f451d1a013fd585cbf70a65ca6b9cf3548bb039f) Signed-off-by: Vegard Nossum --- include/net/neighbour.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/neighbour.h b/include/net/neighbour.h index cb4c3133be56..240d08f9412d 100644 --- a/include/net/neighbour.h +++ b/include/net/neighbour.h @@ -172,7 +172,7 @@ struct pneigh_entry { possible_net_t net; struct net_device *dev; u8 flags; - u8 key[0]; + u32 key[0]; }; /* From 792524d8e1b344cedcb40983a8756d4793a22e9e Mon Sep 17 00:00:00 2001 From: Sergey Shtylyov Date: Sat, 4 May 2024 23:27:25 +0300 Subject: [PATCH 135/182] ata: pata_legacy: make legacy_exit() work again commit d4a89339f17c87c4990070e9116462d16e75894f upstream. Commit defc9cd826e4 ("pata_legacy: resychronize with upstream changes and resubmit") missed to update legacy_exit(), so that it now fails to do any cleanup -- the loop body there can never be entered. Fix that and finally remove now useless nr_legacy_host variable... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: defc9cd826e4 ("pata_legacy: resychronize with upstream changes and resubmit") Cc: stable@vger.kernel.org Signed-off-by: Sergey Shtylyov Reviewed-by: Niklas Cassel Signed-off-by: Damien Le Moal Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 21604179f67bd484790c296565bdc38f7a40fe35) Signed-off-by: Vegard Nossum --- drivers/ata/pata_legacy.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/ata/pata_legacy.c b/drivers/ata/pata_legacy.c index c72d3cf903f1..9d898fc8e3a7 100644 --- a/drivers/ata/pata_legacy.c +++ b/drivers/ata/pata_legacy.c @@ -128,8 +128,6 @@ static int legacy_port[NR_HOST] = { 0x1f0, 0x170, 0x1e8, 0x168, 0x1e0, 0x160 }; static struct legacy_probe probe_list[NR_HOST]; static struct legacy_data legacy_data[NR_HOST]; static struct ata_host *legacy_host[NR_HOST]; -static int nr_legacy_host; - static int probe_all; /* Set to check all ISA port ranges */ static int ht6560a; /* HT 6560A on primary 1, second 2, both 3 */ @@ -1253,9 +1251,11 @@ static __exit void legacy_exit(void) { int i; - for (i = 0; i < nr_legacy_host; i++) { + for (i = 0; i < NR_HOST; i++) { struct legacy_data *ld = &legacy_data[i]; - ata_host_detach(legacy_host[i]); + + if (legacy_host[i]) + ata_host_detach(legacy_host[i]); platform_device_unregister(ld->platform_dev); } } From aa9c43942fc69f5e652d6b4f68e0e2bf75868c7e Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski Date: Mon, 1 Apr 2024 16:08:54 +0200 Subject: [PATCH 136/182] arm64: tegra: Correct Tegra132 I2C alias commit 2633c58e1354d7de2c8e7be8bdb6f68a0a01bad7 upstream. There is no such device as "as3722@40", because its name is "pmic". Use phandles for aliases to fix relying on full node path. This corrects aliases for RTC devices and also fixes dtc W=1 warning: tegra132-norrin.dts:12.3-36: Warning (alias_paths): /aliases:rtc0: aliases property is not a valid node (/i2c@7000d000/as3722@40) Fixes: 0f279ebdf3ce ("arm64: tegra: Add NVIDIA Tegra132 Norrin support") Cc: stable@vger.kernel.org Signed-off-by: Krzysztof Kozlowski Reviewed-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 40f76e72ec0ebe27dcff9bfd5de8e65e1a2b8939) Signed-off-by: Vegard Nossum --- arch/arm64/boot/dts/nvidia/tegra132-norrin.dts | 4 ++-- arch/arm64/boot/dts/nvidia/tegra132.dtsi | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/boot/dts/nvidia/tegra132-norrin.dts b/arch/arm64/boot/dts/nvidia/tegra132-norrin.dts index a0385a386a3f..dc7bfc90d4c2 100644 --- a/arch/arm64/boot/dts/nvidia/tegra132-norrin.dts +++ b/arch/arm64/boot/dts/nvidia/tegra132-norrin.dts @@ -9,8 +9,8 @@ compatible = "nvidia,norrin", "nvidia,tegra132", "nvidia,tegra124"; aliases { - rtc0 = "/i2c@7000d000/as3722@40"; - rtc1 = "/rtc@7000e000"; + rtc0 = &as3722; + rtc1 = &tegra_rtc; serial0 = &uarta; }; diff --git a/arch/arm64/boot/dts/nvidia/tegra132.dtsi b/arch/arm64/boot/dts/nvidia/tegra132.dtsi index fa5a7c4bc807..d99ffa4acd58 100644 --- a/arch/arm64/boot/dts/nvidia/tegra132.dtsi +++ b/arch/arm64/boot/dts/nvidia/tegra132.dtsi @@ -569,7 +569,7 @@ status = "disabled"; }; - rtc@7000e000 { + tegra_rtc: rtc@7000e000 { compatible = "nvidia,tegra124-rtc", "nvidia,tegra20-rtc"; reg = <0x0 0x7000e000 0x0 0x100>; interrupts = ; From d7263704edf4ee2783b116f64f407752d5b2f2bf Mon Sep 17 00:00:00 2001 From: Yu Kuai Date: Fri, 22 Mar 2024 16:10:05 +0800 Subject: [PATCH 137/182] md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING commit 151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa upstream. Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"") However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can't issue from raid5d(). Current implementation in raid5d() has a weird dependence: 1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear MD_SB_CHANGE_PENDING; 2) raid5d() handles IO in a deadloop, until all IO are issued; 3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared; This behaviour is introduce before v2.6, and for consequence, if other context hold 'reconfig_mutex', and md_check_recovery() can't update super_block, then raid5d() will waste one cpu 100% by the deadloop, until 'reconfig_mutex' is released. Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex' is released. Meanwhile, the hang problem will be fixed as well. Fixes: 5e2cf333b7bd ("md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d") Cc: stable@vger.kernel.org # v5.19+ Reported-and-tested-by: Dan Moulding Closes: https://lore.kernel.org/all/20240123005700.9302-1-dan@danm.net/ Investigated-by: Junxiao Bi Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240322081005.1112401-1-yukuai1@huaweicloud.com Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b32aa95843cac6b12c2c014d40fca18aef24a347) Signed-off-by: Vegard Nossum --- drivers/md/raid5.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index d2ac3d189410..a8b3beb0aa3a 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -44,7 +44,6 @@ */ #include -#include #include #include #include @@ -6273,6 +6272,9 @@ static void raid5d(struct md_thread *thread) int batch_size, released; unsigned int offset; + if (test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags)) + break; + released = release_stripe_list(conf, conf->temp_inactive_list); if (released) clear_bit(R5_DID_ALLOC, &conf->cache_state); @@ -6309,18 +6311,7 @@ static void raid5d(struct md_thread *thread) spin_unlock_irq(&conf->device_lock); md_check_recovery(mddev); spin_lock_irq(&conf->device_lock); - - /* - * Waiting on MD_SB_CHANGE_PENDING below may deadlock - * seeing md_check_recovery() is needed to clear - * the flag when using mdmon. - */ - continue; } - - wait_event_lock_irq(mddev->sb_wait, - !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags), - conf->device_lock); } pr_debug("%d stripes handled\n", handled); From 964fdd7feb56e40a55b89328877b0a7103bb4084 Mon Sep 17 00:00:00 2001 From: Yang Xiwen Date: Mon, 19 Feb 2024 23:05:26 +0800 Subject: [PATCH 138/182] arm64: dts: hi3798cv200: fix the size of GICR commit 428a575dc9038846ad259466d5ba109858c0a023 upstream. During boot, Linux kernel complains: [ 0.000000] GIC: GICv2 detected, but range too small and irqchip.gicv2_force_probe not set This SoC is using a regular GIC-400 and the GICR space size should be 8KB rather than 256B. With this patch: [ 0.000000] GIC: Using split EOI/Deactivate mode So this should be the correct fix. Fixes: 2f20182ed670 ("arm64: dts: hisilicon: add dts files for hi3798cv200-poplar board") Signed-off-by: Yang Xiwen Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240219-cache-v3-1-a33c57534ae9@outlook.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 26e62b983a31b304733fb21f4b576a4a1e171297) Signed-off-by: Vegard Nossum --- arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi b/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi index 75865f8a862a..0ffdc9256502 100644 --- a/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi +++ b/arch/arm64/boot/dts/hisilicon/hi3798cv200.dtsi @@ -58,7 +58,7 @@ gic: interrupt-controller@f1001000 { compatible = "arm,gic-400"; reg = <0x0 0xf1001000 0x0 0x1000>, /* GICD */ - <0x0 0xf1002000 0x0 0x100>; /* GICC */ + <0x0 0xf1002000 0x0 0x2000>; /* GICC */ #address-cells = <0>; #interrupt-cells = <3>; interrupt-controller; From 35d3fa1859980a84c64c51b04a2ac57ffe5af109 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Fri, 12 Jan 2024 00:40:36 +0000 Subject: [PATCH 139/182] media: mxl5xx: Move xpt structures off stack commit 526f4527545b2d4ce0733733929fac7b6da09ac6 upstream. When building for LoongArch with clang 18.0.0, the stack usage of probe() is larger than the allowed 2048 bytes: drivers/media/dvb-frontends/mxl5xx.c:1698:12: warning: stack frame size (2368) exceeds limit (2048) in 'probe' [-Wframe-larger-than] 1698 | static int probe(struct mxl *state, struct mxl5xx_cfg *cfg) | ^ 1 warning generated. This is the result of the linked LLVM commit, which changes how the arrays of structures in config_ts() get handled with CONFIG_INIT_STACK_ZERO and CONFIG_INIT_STACK_PATTERN, which causes the above warning in combination with inlining, as config_ts() gets inlined into probe(). This warning can be easily fixed by moving the array of structures off of the stackvia 'static const', which is a better location for these variables anyways because they are static data that is only ever read from, never modified, so allocating the stack space is wasteful. This drops the stack usage from 2368 bytes to 256 bytes with the same compiler and configuration. Link: https://lore.kernel.org/linux-media/20240111-dvb-mxl5xx-move-structs-off-stack-v1-1-ca4230e67c11@kernel.org Cc: stable@vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/1977 Link: https://github.com/llvm/llvm-project/commit/afe8b93ffdfef5d8879e1894b9d7dda40dee2b8d Signed-off-by: Nathan Chancellor Reviewed-by: Miguel Ojeda Tested-by: Miguel Ojeda Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 772f5e31ed2d6bc5e8698394e4d13b298060c74a) Signed-off-by: Vegard Nossum --- drivers/media/dvb-frontends/mxl5xx.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/media/dvb-frontends/mxl5xx.c b/drivers/media/dvb-frontends/mxl5xx.c index 676c96c216c3..802d402d546e 100644 --- a/drivers/media/dvb-frontends/mxl5xx.c +++ b/drivers/media/dvb-frontends/mxl5xx.c @@ -1367,57 +1367,57 @@ static int config_ts(struct mxl *state, enum MXL_HYDRA_DEMOD_ID_E demod_id, u32 nco_count_min = 0; u32 clk_type = 0; - struct MXL_REG_FIELD_T xpt_sync_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_sync_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 8, 1}, {0x90700010, 9, 1}, {0x90700010, 10, 1}, {0x90700010, 11, 1}, {0x90700010, 12, 1}, {0x90700010, 13, 1}, {0x90700010, 14, 1}, {0x90700010, 15, 1} }; - struct MXL_REG_FIELD_T xpt_clock_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_clock_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 16, 1}, {0x90700010, 17, 1}, {0x90700010, 18, 1}, {0x90700010, 19, 1}, {0x90700010, 20, 1}, {0x90700010, 21, 1}, {0x90700010, 22, 1}, {0x90700010, 23, 1} }; - struct MXL_REG_FIELD_T xpt_valid_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_valid_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700014, 0, 1}, {0x90700014, 1, 1}, {0x90700014, 2, 1}, {0x90700014, 3, 1}, {0x90700014, 4, 1}, {0x90700014, 5, 1}, {0x90700014, 6, 1}, {0x90700014, 7, 1} }; - struct MXL_REG_FIELD_T xpt_ts_clock_phase[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_ts_clock_phase[MXL_HYDRA_DEMOD_MAX] = { {0x90700018, 0, 3}, {0x90700018, 4, 3}, {0x90700018, 8, 3}, {0x90700018, 12, 3}, {0x90700018, 16, 3}, {0x90700018, 20, 3}, {0x90700018, 24, 3}, {0x90700018, 28, 3} }; - struct MXL_REG_FIELD_T xpt_lsb_first[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_lsb_first[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 16, 1}, {0x9070000C, 17, 1}, {0x9070000C, 18, 1}, {0x9070000C, 19, 1}, {0x9070000C, 20, 1}, {0x9070000C, 21, 1}, {0x9070000C, 22, 1}, {0x9070000C, 23, 1} }; - struct MXL_REG_FIELD_T xpt_sync_byte[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_sync_byte[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 0, 1}, {0x90700010, 1, 1}, {0x90700010, 2, 1}, {0x90700010, 3, 1}, {0x90700010, 4, 1}, {0x90700010, 5, 1}, {0x90700010, 6, 1}, {0x90700010, 7, 1} }; - struct MXL_REG_FIELD_T xpt_enable_output[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_enable_output[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 0, 1}, {0x9070000C, 1, 1}, {0x9070000C, 2, 1}, {0x9070000C, 3, 1}, {0x9070000C, 4, 1}, {0x9070000C, 5, 1}, {0x9070000C, 6, 1}, {0x9070000C, 7, 1} }; - struct MXL_REG_FIELD_T xpt_err_replace_sync[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_err_replace_sync[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 24, 1}, {0x9070000C, 25, 1}, {0x9070000C, 26, 1}, {0x9070000C, 27, 1}, {0x9070000C, 28, 1}, {0x9070000C, 29, 1}, {0x9070000C, 30, 1}, {0x9070000C, 31, 1} }; - struct MXL_REG_FIELD_T xpt_err_replace_valid[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_err_replace_valid[MXL_HYDRA_DEMOD_MAX] = { {0x90700014, 8, 1}, {0x90700014, 9, 1}, {0x90700014, 10, 1}, {0x90700014, 11, 1}, {0x90700014, 12, 1}, {0x90700014, 13, 1}, {0x90700014, 14, 1}, {0x90700014, 15, 1} }; - struct MXL_REG_FIELD_T xpt_continuous_clock[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_continuous_clock[MXL_HYDRA_DEMOD_MAX] = { {0x907001D4, 0, 1}, {0x907001D4, 1, 1}, {0x907001D4, 2, 1}, {0x907001D4, 3, 1}, {0x907001D4, 4, 1}, {0x907001D4, 5, 1}, {0x907001D4, 6, 1}, {0x907001D4, 7, 1} }; - struct MXL_REG_FIELD_T xpt_nco_clock_rate[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_nco_clock_rate[MXL_HYDRA_DEMOD_MAX] = { {0x90700044, 16, 80}, {0x90700044, 16, 81}, {0x90700044, 16, 82}, {0x90700044, 16, 83}, {0x90700044, 16, 84}, {0x90700044, 16, 85}, From 2046df24d6472a520a62d52a72d84d180b3e363c Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Fri, 23 Feb 2024 09:45:36 +0100 Subject: [PATCH 140/182] media: v4l2-core: hold videodev_lock until dev reg, finishes commit 1ed4477f2ea4743e7c5e1f9f3722152d14e6eeb1 upstream. After the new V4L2 device node was registered, some additional initialization was done before the device node was marked as 'registered'. During the time between creating the device node and marking it as 'registered' it was possible to open the device node, which would return -ENODEV since the 'registered' flag was not yet set. Hold the videodev_lock mutex from just before the device node is registered until the 'registered' flag is set. Since v4l2_open will take the same lock, it will wait until this registration process is finished. This resolves this race condition. Signed-off-by: Hans Verkuil Reviewed-by: Sakari Ailus Cc: # for vi4.18 and up Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 1ea3de272f5cc7603610b96316f9ed07bec6c2d0) [Vegard: fix conflict due to missing commit baa057e29b5824b3727e2eb643e513ba5e35aea0 ("media: v4l2-dev: use pr_foo() for printing messages")] Signed-off-by: Vegard Nossum --- drivers/media/v4l2-core/v4l2-dev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c index c647ba648805..13754460f5a0 100644 --- a/drivers/media/v4l2-core/v4l2-dev.c +++ b/drivers/media/v4l2-core/v4l2-dev.c @@ -969,8 +969,10 @@ int __video_register_device(struct video_device *vdev, int type, int nr, vdev->dev.devt = MKDEV(VIDEO_MAJOR, vdev->minor); vdev->dev.parent = vdev->dev_parent; dev_set_name(&vdev->dev, "%s%d", name_base, vdev->num); + mutex_lock(&videodev_lock); ret = device_register(&vdev->dev); if (ret < 0) { + mutex_unlock(&videodev_lock); printk(KERN_ERR "%s: device_register failed\n", __func__); goto cleanup; } @@ -990,6 +992,7 @@ int __video_register_device(struct video_device *vdev, int type, int nr, /* Part 6: Activate this minor. The char device can now be used. */ set_bit(V4L2_FL_REGISTERED, &vdev->flags); + mutex_unlock(&videodev_lock); return 0; From 293140832f7230044b5f6888d0110714f51b554f Mon Sep 17 00:00:00 2001 From: Cai Xinchen Date: Tue, 16 Apr 2024 06:51:37 +0000 Subject: [PATCH 141/182] fbdev: savage: Handle err return when savagefb_check_var failed commit 6ad959b6703e2c4c5d7af03b4cfd5ff608036339 upstream. The commit 04e5eac8f3ab("fbdev: savage: Error out if pixclock equals zero") checks the value of pixclock to avoid divide-by-zero error. However the function savagefb_probe doesn't handle the error return of savagefb_check_var. When pixclock is 0, it will cause divide-by-zero error. Fixes: 04e5eac8f3ab ("fbdev: savage: Error out if pixclock equals zero") Signed-off-by: Cai Xinchen Cc: stable@vger.kernel.org Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman (cherry picked from commit be754cbd77eaf2932408a4e18532e4945274a5c7) Signed-off-by: Vegard Nossum --- drivers/video/fbdev/savage/savagefb_driver.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/video/fbdev/savage/savagefb_driver.c b/drivers/video/fbdev/savage/savagefb_driver.c index a4f15b9de2b6..13e9d70017cf 100644 --- a/drivers/video/fbdev/savage/savagefb_driver.c +++ b/drivers/video/fbdev/savage/savagefb_driver.c @@ -2271,7 +2271,10 @@ static int savagefb_probe(struct pci_dev *dev, const struct pci_device_id *id) if (info->var.xres_virtual > 0x1000) info->var.xres_virtual = 0x1000; #endif - savagefb_check_var(&info->var, info); + err = savagefb_check_var(&info->var, info); + if (err) + goto failed; + savagefb_set_fix(info); /* From 832e81e147209b23bc09678738383b7bc258b448 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 24 Nov 2017 13:39:57 +0100 Subject: [PATCH 142/182] netfilter: nf_tables: add nft_set_is_anonymous() helper Add helper function to test for the NFT_SET_ANONYMOUS flag. Signed-off-by: Pablo Neira Ayuso (cherry picked from commit 408070d6ee3490da63430bc8ce13348cf2eb47ea) [Harshit: Adding this helper commit as it would help for future commit backports, fix conlfict reoslution due to missing commit: af26f3e2903b ("netfilter: nf_tables: unbind set in rule from commit path") which is a later commit but applied to 4.14.y already and I have considered using nft_is_anonymous() helper at couple of other places where the previous backports avoided to use it as the helper wasn't present] Signed-off-by: Harshit Mogalapalli --- include/net/netfilter/nf_tables.h | 5 +++++ net/netfilter/nf_tables_api.c | 18 +++++++++--------- net/netfilter/nft_dynset.c | 2 +- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index e71e155f3b88..4a0ddfd5ea4f 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -429,6 +429,11 @@ struct nft_set { __attribute__((aligned(__alignof__(u64)))); }; +static inline bool nft_set_is_anonymous(const struct nft_set *set) +{ + return set->flags & NFT_SET_ANONYMOUS; +} + static inline void *nft_set_priv(const struct nft_set *set) { return (void *)set->data; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 17ba662aadcf..427d3ebaca69 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -148,7 +148,7 @@ static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, struct net *net = ctx->net; struct nft_trans *trans; - if (!(set->flags & NFT_SET_ANONYMOUS)) + if (!nft_set_is_anonymous(set)) return; list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { @@ -870,7 +870,7 @@ static int nft_flush_table(struct nft_ctx *ctx) if (!nft_is_active_next(ctx->net, set)) continue; - if (set->flags & NFT_SET_ANONYMOUS && + if (nft_set_is_anonymous(set) && !list_empty(&set->bindings)) continue; @@ -3460,7 +3460,7 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_binding *i; struct nft_set_iter iter; - if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) + if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) return -EBUSY; if (binding->flags & NFT_SET_MAP) { @@ -3500,7 +3500,7 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, { list_del_rcu(&binding->list); - if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) { + if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { list_del_rcu(&set->list); if (event) nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, @@ -3511,7 +3511,7 @@ EXPORT_SYMBOL_GPL(nf_tables_unbind_set); void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) { - if (set->flags & NFT_SET_ANONYMOUS) + if (nft_set_is_anonymous(set)) nft_clear(ctx->net, set); nft_use_inc_restore(&set->use); @@ -3525,7 +3525,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, switch (phase) { case NFT_TRANS_PREPARE_ERROR: nft_set_trans_unbind(ctx, set); - if (set->flags & NFT_SET_ANONYMOUS) + if (nft_set_is_anonymous(set)) nft_deactivate_next(ctx->net, set); else list_del_rcu(&binding->list); @@ -3533,7 +3533,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, nft_use_dec(&set->use); break; case NFT_TRANS_PREPARE: - if (set->flags & NFT_SET_ANONYMOUS) + if (nft_set_is_anonymous(set)) nft_deactivate_next(ctx->net, set); nft_use_dec(&set->use); @@ -3551,7 +3551,7 @@ EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) { - if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS) + if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) nft_set_destroy(set); } EXPORT_SYMBOL_GPL(nf_tables_destroy_set); @@ -5386,7 +5386,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) /* This avoids hitting -EBUSY when deleting the table * from the transaction. */ - if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS && + if (nft_set_is_anonymous(nft_trans_set(trans)) && !list_empty(&nft_trans_set(trans)->bindings)) nft_use_dec(&trans->ctx.table->use); diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index 461bdecbe7fc..4165e894791a 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -187,7 +187,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx, if (tb[NFTA_DYNSET_EXPR] != NULL) { if (!(set->flags & NFT_SET_EVAL)) return -EINVAL; - if (!(set->flags & NFT_SET_ANONYMOUS)) + if (!nft_set_is_anonymous(set)) return -EOPNOTSUPP; priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]); From 05084047e524051c0ea37f6b3183017d783e6e20 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 8 Mar 2019 00:58:53 +0100 Subject: [PATCH 143/182] netfilter: nf_tables: fix set double-free in abort path [ Upstream commit 40ba1d9b4d19796afc9b7ece872f5f3e8f5e2c13 ] The abort path can cause a double-free of an anonymous set. Added-and-to-be-aborted rule looks like this: udp dport { 137, 138 } drop The to-be-aborted transaction list looks like this: newset newsetelem newsetelem rule This gets walked in reverse order, so first pass disables the rule, the set elements, then the set. After synchronize_rcu(), we then destroy those in same order: rule, set element, set element, newset. Problem is that the anonymous set has already been bound to the rule, so the rule (lookup expression destructor) already frees the set, when then cause use-after-free when trying to delete the elements from this set, then try to free the set again when handling the newset expression. Rule releases the bound set in first place from the abort path, this causes the use-after-free on set element removal when undoing the new element transactions. To handle this, skip new element transaction if set is bound from the abort path. This is still causes the use-after-free on set element removal. To handle this, remove transaction from the list when the set is already bound. Joint work with Florian Westphal. Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path") Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325 Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin (cherry picked from commit 25ddad73070c8fd15528fe804db90f0bda0dc6ad) [Vegard: fix conflicts due to commit 59c38c80769a5528a617ea8857049b94a4b67041 ("netfilter: nf_tables: use-after-free in failing rule with bound set") which included extra code for the NFT_MSG_NEWSETELEM case that was added upstream in commit 40ba1d9b4d19796afc9b7ece872f5f3e8f5e2c13 ("netfilter: nf_tables: fix set double-free in abort path") and conflicts due to commit 63d921c3e52a14125f293efea5f78508c36668c1 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") for the bind/true differences.] Signed-off-by: Vegard Nossum --- include/net/netfilter/nf_tables.h | 6 ++---- net/netfilter/nf_tables_api.c | 12 +++++------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 4a0ddfd5ea4f..272554e04905 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -421,7 +421,8 @@ struct nft_set { unsigned char *udata; /* runtime data below here */ const struct nft_set_ops *ops ____cacheline_aligned; - u16 flags:14, + u16 flags:13, + bound:1, genmask:2; u8 klen; u8 dlen; @@ -1337,15 +1338,12 @@ struct nft_trans_rule { struct nft_trans_set { struct nft_set *set; u32 set_id; - bool bound; }; #define nft_trans_set(trans) \ (((struct nft_trans_set *)trans->data)->set) #define nft_trans_set_id(trans) \ (((struct nft_trans_set *)trans->data)->set_id) -#define nft_trans_set_bound(trans) \ - (((struct nft_trans_set *)trans->data)->bound) struct nft_trans_chain { bool update; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 427d3ebaca69..7c1c24926625 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -155,11 +155,11 @@ static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, switch (trans->msg_type) { case NFT_MSG_NEWSET: if (nft_trans_set(trans) == set) - nft_trans_set_bound(trans) = bind; + set->bound = true; break; case NFT_MSG_NEWSETELEM: if (nft_trans_elem_set(trans) == set) - nft_trans_elem_set_bound(trans) = bind; + set->bound = true; break; } } @@ -5457,8 +5457,7 @@ static void nf_tables_abort_release(struct nft_trans *trans) nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); break; case NFT_MSG_NEWSET: - if (!nft_trans_set_bound(trans)) - nft_set_destroy(nft_trans_set(trans)); + nft_set_destroy(nft_trans_set(trans)); break; case NFT_MSG_NEWSETELEM: nft_set_elem_destroy(nft_trans_elem_set(trans), @@ -5530,7 +5529,7 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb) break; case NFT_MSG_NEWSET: nft_use_dec_restore(&trans->ctx.table->use); - if (nft_trans_set_bound(trans)) { + if (nft_trans_set(trans)->bound) { nft_trans_destroy(trans); break; } @@ -5542,12 +5541,11 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb) nft_trans_destroy(trans); break; case NFT_MSG_NEWSETELEM: - if (nft_trans_elem_set_bound(trans)) { + if (nft_trans_elem_set(trans)->bound) { nft_trans_destroy(trans); break; } te = (struct nft_trans_elem *)trans->data; - te->set->ops->remove(net, te->set, &te->elem); atomic_dec(&te->set->nelems); break; From c4af59f2d8336214168c4e0778a1a0a62afcbdc4 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Jun 2024 03:01:30 +0200 Subject: [PATCH 144/182] netfilter: nf_tables: pass context to nft_set_destroy() commit 0c2a85edd143162b3a698f31e94bf8cdc041da87 upstream. The patch that adds support for stateful expressions in set definitions require this. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 525561faa075cb49905783fd3e4e16b66b218846) [Harshit: Fixed conflicts due to missing commit: dd4cbef72351 ("netfilter: nf_tables: get rid of pernet families") and missing commit: 25ddad73070c ("netfilter: nf_tables: fix set double-free in abort path and commit: 88bae77d6606 ("netfilter: nf_tables: use net_generic infra for transaction data") in 4.14.y"] Signed-off-by: Harshit Mogalapalli --- net/netfilter/nf_tables_api.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 7c1c24926625..7a69328746b1 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3391,7 +3391,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, return err; } -static void nft_set_destroy(struct nft_set *set) +static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) { if (WARN_ON(set->use > 0)) return; @@ -3552,7 +3552,7 @@ EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) { if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) - nft_set_destroy(set); + nft_set_destroy(ctx, set); } EXPORT_SYMBOL_GPL(nf_tables_destroy_set); @@ -5297,7 +5297,7 @@ static void nf_tables_commit_release(struct nft_trans *trans) nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); break; case NFT_MSG_DELSET: - nft_set_destroy(nft_trans_set(trans)); + nft_set_destroy(&trans->ctx, nft_trans_set(trans)); break; case NFT_MSG_DELSETELEM: nf_tables_set_elem_destroy(nft_trans_elem_set(trans), @@ -5457,7 +5457,7 @@ static void nf_tables_abort_release(struct nft_trans *trans) nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); break; case NFT_MSG_NEWSET: - nft_set_destroy(nft_trans_set(trans)); + nft_set_destroy(&trans->ctx, nft_trans_set(trans)); break; case NFT_MSG_NEWSETELEM: nft_set_elem_destroy(nft_trans_elem_set(trans), @@ -6182,7 +6182,7 @@ static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi) list_for_each_entry_safe(set, ns, &table->sets, list) { list_del(&set->list); nft_use_dec(&table->use); - nft_set_destroy(set); + nft_set_destroy(&ctx, set); } list_for_each_entry_safe(obj, ne, &table->objects, list) { list_del(&obj->list); From b42c75cd69307b546b719cc59fb421a7c80a980f Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Jun 2024 03:01:31 +0200 Subject: [PATCH 145/182] netfilter: nftables: rename set element data activation/deactivation functions commit f8bb7889af58d8e74d2d61c76b1418230f1610fa upstream. Rename: - nft_set_elem_activate() to nft_set_elem_data_activate(). - nft_set_elem_deactivate() to nft_set_elem_data_deactivate(). To prepare for updates in the set element infrastructure to add support for the special catch-all element. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 68b10f33a37e942bdc06b9cb313ad4e1b1f612e8) Signed-off-by: Vegard Nossum --- net/netfilter/nf_tables_api.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 7a69328746b1..197e471500e4 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4018,8 +4018,8 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem, } EXPORT_SYMBOL_GPL(nft_set_elem_destroy); -/* Only called from commit path, nft_set_elem_deactivate() already deals with - * the refcounting from the preparation phase. +/* Only called from commit path, nft_setelem_data_deactivate() already deals + * with the refcounting from the preparation phase. */ static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem) { @@ -4352,9 +4352,9 @@ void nft_data_hold(const struct nft_data *data, enum nft_data_types type) } } -static void nft_set_elem_activate(const struct net *net, - const struct nft_set *set, - struct nft_set_elem *elem) +static void nft_setelem_data_activate(const struct net *net, + const struct nft_set *set, + struct nft_set_elem *elem) { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); @@ -4364,9 +4364,9 @@ static void nft_set_elem_activate(const struct net *net, nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); } -static void nft_set_elem_deactivate(const struct net *net, - const struct nft_set *set, - struct nft_set_elem *elem) +static void nft_setelem_data_deactivate(const struct net *net, + const struct nft_set *set, + struct nft_set_elem *elem) { const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); @@ -4433,7 +4433,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, kfree(elem.priv); elem.priv = priv; - nft_set_elem_deactivate(ctx->net, set, &elem); + nft_setelem_data_deactivate(ctx->net, set, &elem); nft_trans_elem(trans) = elem; list_add_tail(&trans->list, &ctx->net->nft.commit_list); @@ -4467,7 +4467,7 @@ static int nft_flush_set(const struct nft_ctx *ctx, } set->ndeact++; - nft_set_elem_deactivate(ctx->net, set, elem); + nft_setelem_data_deactivate(ctx->net, set, elem); nft_trans_elem_set(trans) = set; nft_trans_elem(trans) = *elem; list_add_tail(&trans->list, &ctx->net->nft.commit_list); @@ -5552,7 +5552,7 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb) case NFT_MSG_DELSETELEM: te = (struct nft_trans_elem *)trans->data; - nft_set_elem_activate(net, te->set, &te->elem); + nft_setelem_data_activate(net, te->set, &te->elem); te->set->ops->activate(net, te->set, &te->elem); te->set->ndeact--; From e4382ad0d81a0f37c3d430a3009f597568a949a4 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 2 Jun 2018 23:38:48 +0200 Subject: [PATCH 146/182] netfilter: nf_tables: pass ctx to nf_tables_expr_destroy() nft_set_elem_destroy() can be called from call_rcu context. Annotate netns and table in set object so we can populate the context object. Moreover, pass context object to nf_tables_set_elem_destroy() from the commit phase, since it is already available from there. Signed-off-by: Pablo Neira Ayuso (cherry picked from commit 3453c92731884bad7c4c3a0667228b964747f3d5) [Harshit: 4.14.y had backport commit: 4e0dbab570de ("netfilter: nf_tables: do not allow SET_ID to refer to another table") which does add couple of things which this commit is supposed to add] Signed-off-by: Harshit Mogalapalli [Vegard: removed .family = set->table->family assignment in nft_set_elem_destroy() as we're missing commit 36596dadf54a920d26286cf9f421fb4ef648b51f ("netfilter: nf_tables: add single table list for all families").] Signed-off-by: Vegard Nossum --- include/net/netfilter/nf_tables.h | 2 ++ net/netfilter/nf_tables_api.c | 14 ++++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 272554e04905..327fc3fecf34 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -382,6 +382,7 @@ void nft_unregister_set(struct nft_set_type *type); * @list: table set list node * @bindings: list of set bindings * @table: table this set belongs to + * @net: netnamespace this set belongs to * @name: name of the set * @ktype: key type (numeric type defined by userspace, not used in the kernel) * @dtype: data type (verdict or numeric type defined by userspace) @@ -406,6 +407,7 @@ struct nft_set { struct list_head list; struct list_head bindings; struct nft_table *table; + possible_net_t net; char *name; u32 ktype; u32 dtype; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 197e471500e4..f0eec5f75deb 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3352,6 +3352,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, INIT_LIST_HEAD(&set->bindings); set->table = table; + write_pnet(&set->net, net); set->ops = ops; set->ktype = ktype; set->klen = desc.klen; @@ -4006,12 +4007,15 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem, bool destroy_expr) { struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + struct nft_ctx ctx = { + .net = read_pnet(&set->net), + }; nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) nft_data_release(nft_set_ext_data(ext), set->dtype); if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) - nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext)); + nf_tables_expr_destroy(&ctx, nft_set_ext_expr(ext)); if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) nft_use_dec(&(*nft_set_ext_obj(ext))->use); kfree(elem); @@ -4021,12 +4025,13 @@ EXPORT_SYMBOL_GPL(nft_set_elem_destroy); /* Only called from commit path, nft_setelem_data_deactivate() already deals * with the refcounting from the preparation phase. */ -static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem) +static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, + const struct nft_set *set, void *elem) { struct nft_set_ext *ext = nft_set_elem_ext(set, elem); if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) - nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext)); + nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext)); kfree(elem); } @@ -5300,7 +5305,8 @@ static void nf_tables_commit_release(struct nft_trans *trans) nft_set_destroy(&trans->ctx, nft_trans_set(trans)); break; case NFT_MSG_DELSETELEM: - nf_tables_set_elem_destroy(nft_trans_elem_set(trans), + nf_tables_set_elem_destroy(&trans->ctx, + nft_trans_elem_set(trans), nft_trans_elem(trans).priv); break; case NFT_MSG_DELOBJ: From 50bfcb0af95ae860d93c151604451b9a10af6e06 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Jun 2024 03:01:32 +0200 Subject: [PATCH 147/182] netfilter: nf_tables: drop map element references from preparation phase [ Upstream commit 628bd3e49cba1c066228e23d71a852c23e26da73 ] set .destroy callback releases the references to other objects in maps. This is very late and it results in spurious EBUSY errors. Drop refcount from the preparation phase instead, update set backend not to drop reference counter from set .destroy path. Exceptions: NFT_TRANS_PREPARE_ERROR does not require to drop the reference counter because the transaction abort path releases the map references for each element since the set is unbound. The abort path also deals with releasing reference counter for new elements added to unbound sets. Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman (cherry picked from commit bc9f791d2593f17e39f87c6e2b3a36549a3705b1) [Harshit: Fixed 3 different conflicts due to missing commit: 71cc0873e0e0 ("netfilter: nf_tables: Simplify set backend selection") and commit: 79b174ade16d ("netfilter: nf_tables: garbage collection for stateful expressions") and commit: 88bae77d6606 ("netfilter: nf_tables: use net_generic infra for transaction data") and these can't be backported to 4.14.y] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- include/net/netfilter/nf_tables.h | 5 +- net/netfilter/nf_tables_api.c | 89 +++++++++++++++++++++++++++---- net/netfilter/nft_set_bitmap.c | 5 +- net/netfilter/nft_set_hash.c | 23 ++++++-- net/netfilter/nft_set_rbtree.c | 5 +- 5 files changed, 108 insertions(+), 19 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 327fc3fecf34..55c5717e0857 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -366,7 +366,8 @@ struct nft_set_ops { int (*init)(const struct nft_set *set, const struct nft_set_desc *desc, const struct nlattr * const nla[]); - void (*destroy)(const struct nft_set *set); + void (*destroy)(const struct nft_ctx *ctx, + const struct nft_set *set); unsigned int elemsize; u32 features; @@ -646,6 +647,8 @@ void *nft_set_elem_init(const struct nft_set *set, u64 timeout, gfp_t gfp); void nft_set_elem_destroy(const struct nft_set *set, void *elem, bool destroy_expr); +void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, + const struct nft_set *set, void *elem); /** * struct nft_set_gc_batch_head - nf_tables set garbage collection batch diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f0eec5f75deb..8e3531de9d58 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -371,6 +371,31 @@ static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, return 0; } +static void nft_setelem_data_deactivate(const struct net *net, + const struct nft_set *set, + struct nft_set_elem *elem); + +static int nft_mapelem_deactivate(const struct nft_ctx *ctx, + struct nft_set *set, + const struct nft_set_iter *iter, + struct nft_set_elem *elem) +{ + nft_setelem_data_deactivate(ctx->net, set, elem); + + return 0; +} + +static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) +{ + struct nft_set_iter iter = { + .genmask = nft_genmask_next(ctx->net), + .fn = nft_mapelem_deactivate, + }; + + set->ops->walk(ctx, set, &iter); + WARN_ON_ONCE(iter.err); +} + static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) { int err; @@ -379,6 +404,9 @@ static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) if (err < 0) return err; + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) + nft_map_deactivate(ctx, set); + nft_deactivate_next(ctx->net, set); nft_use_dec(&ctx->table->use); @@ -3380,7 +3408,7 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, return 0; err4: - ops->destroy(set); + ops->destroy(&ctx, set); err3: kfree(set->name); err2: @@ -3397,7 +3425,7 @@ static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) if (WARN_ON(set->use > 0)) return; - set->ops->destroy(set); + set->ops->destroy(ctx, set); module_put(set->ops->type->owner); kfree(set->name); kvfree(set); @@ -3510,10 +3538,39 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, } EXPORT_SYMBOL_GPL(nf_tables_unbind_set); +static void nft_setelem_data_activate(const struct net *net, + const struct nft_set *set, + struct nft_set_elem *elem); + +static int nft_mapelem_activate(const struct nft_ctx *ctx, + struct nft_set *set, + const struct nft_set_iter *iter, + struct nft_set_elem *elem) +{ + nft_setelem_data_activate(ctx->net, set, elem); + + return 0; +} + +static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) +{ + struct nft_set_iter iter = { + .genmask = nft_genmask_next(ctx->net), + .fn = nft_mapelem_activate, + }; + + set->ops->walk(ctx, set, &iter); + WARN_ON_ONCE(iter.err); +} + void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) { - if (nft_set_is_anonymous(set)) + if (nft_set_is_anonymous(set)) { + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) + nft_map_activate(ctx, set); + nft_clear(ctx->net, set); + } nft_use_inc_restore(&set->use); } @@ -3534,13 +3591,20 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, nft_use_dec(&set->use); break; case NFT_TRANS_PREPARE: - if (nft_set_is_anonymous(set)) - nft_deactivate_next(ctx->net, set); + if (nft_set_is_anonymous(set)) { + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) + nft_map_deactivate(ctx, set); + nft_deactivate_next(ctx->net, set); + } nft_use_dec(&set->use); return; case NFT_TRANS_ABORT: case NFT_TRANS_RELEASE: + if (nft_set_is_anonymous(set) && + set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) + nft_map_deactivate(ctx, set); + nft_use_dec(&set->use); /* fall through */ default: @@ -4003,6 +4067,7 @@ void *nft_set_elem_init(const struct nft_set *set, return elem; } +/* Drop references and destroy. Called from gc, dynset and abort path. */ void nft_set_elem_destroy(const struct nft_set *set, void *elem, bool destroy_expr) { @@ -4022,11 +4087,11 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem, } EXPORT_SYMBOL_GPL(nft_set_elem_destroy); -/* Only called from commit path, nft_setelem_data_deactivate() already deals - * with the refcounting from the preparation phase. +/* Destroy element. References have been already dropped in the preparation + * path via nft_setelem_data_deactivate(). */ -static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, - const struct nft_set *set, void *elem) +void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, + const struct nft_set *set, void *elem) { struct nft_set_ext *ext = nft_set_elem_ext(set, elem); @@ -4034,6 +4099,7 @@ static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext)); kfree(elem); } +EXPORT_SYMBOL_GPL(nf_tables_set_elem_destroy); static int nft_setelem_parse_flags(const struct nft_set *set, const struct nlattr *attr, u32 *flags) @@ -5544,6 +5610,8 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb) case NFT_MSG_DELSET: nft_use_inc_restore(&trans->ctx.table->use); nft_clear(trans->ctx.net, nft_trans_set(trans)); + if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) + nft_map_activate(&trans->ctx, nft_trans_set(trans)); nft_trans_destroy(trans); break; case NFT_MSG_NEWSETELEM: @@ -6188,6 +6256,9 @@ static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi) list_for_each_entry_safe(set, ns, &table->sets, list) { list_del(&set->list); nft_use_dec(&table->use); + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) + nft_map_deactivate(&ctx, set); + nft_set_destroy(&ctx, set); } list_for_each_entry_safe(obj, ne, &table->objects, list) { diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c index 734989c40579..d50daba3fd09 100644 --- a/net/netfilter/nft_set_bitmap.c +++ b/net/netfilter/nft_set_bitmap.c @@ -256,13 +256,14 @@ static int nft_bitmap_init(const struct nft_set *set, return 0; } -static void nft_bitmap_destroy(const struct nft_set *set) +static void nft_bitmap_destroy(const struct nft_ctx *ctx, + const struct nft_set *set) { struct nft_bitmap *priv = nft_set_priv(set); struct nft_bitmap_elem *be, *n; list_for_each_entry_safe(be, n, &priv->list, head) - nft_set_elem_destroy(set, be, true); + nf_tables_set_elem_destroy(ctx, set, be); } static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features, diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index eb7db31dd173..066a346e5adf 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -351,19 +351,31 @@ static int nft_rhash_init(const struct nft_set *set, return 0; } +struct nft_rhash_ctx { + const struct nft_ctx ctx; + const struct nft_set *set; +}; + static void nft_rhash_elem_destroy(void *ptr, void *arg) { - nft_set_elem_destroy(arg, ptr, true); + struct nft_rhash_ctx *rhash_ctx = arg; + + nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, ptr); } -static void nft_rhash_destroy(const struct nft_set *set) +static void nft_rhash_destroy(const struct nft_ctx *ctx, + const struct nft_set *set) { struct nft_rhash *priv = nft_set_priv(set); + struct nft_rhash_ctx rhash_ctx = { + .ctx = *ctx, + .set = set, + }; cancel_delayed_work_sync(&priv->gc_work); rcu_barrier(); rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy, - (void *)set); + (void *)&rhash_ctx); } /* Number of buckets is stored in u32, so cap our result to 1U<<31 */ @@ -583,7 +595,8 @@ static int nft_hash_init(const struct nft_set *set, return 0; } -static void nft_hash_destroy(const struct nft_set *set) +static void nft_hash_destroy(const struct nft_ctx *ctx, + const struct nft_set *set) { struct nft_hash *priv = nft_set_priv(set); struct nft_hash_elem *he; @@ -593,7 +606,7 @@ static void nft_hash_destroy(const struct nft_set *set) for (i = 0; i < priv->buckets; i++) { hlist_for_each_entry_safe(he, next, &priv->table[i], node) { hlist_del_rcu(&he->node); - nft_set_elem_destroy(set, he, true); + nf_tables_set_elem_destroy(ctx, set, he); } } } diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 6f3205de887f..40fe16519a00 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -292,7 +292,8 @@ static int nft_rbtree_init(const struct nft_set *set, return 0; } -static void nft_rbtree_destroy(const struct nft_set *set) +static void nft_rbtree_destroy(const struct nft_ctx *ctx, + const struct nft_set *set) { struct nft_rbtree *priv = nft_set_priv(set); struct nft_rbtree_elem *rbe; @@ -301,7 +302,7 @@ static void nft_rbtree_destroy(const struct nft_set *set) while ((node = priv->root.rb_node) != NULL) { rb_erase(node, &priv->root); rbe = rb_entry(node, struct nft_rbtree_elem, node); - nft_set_elem_destroy(set, rbe, true); + nf_tables_set_elem_destroy(ctx, set, rbe); } } From 4538b02484e4c2d0c016ca190c5219fd97f932fb Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Jun 2024 03:01:38 +0200 Subject: [PATCH 148/182] netfilter: nf_tables: don't skip expired elements during walk commit 24138933b97b055d486e8064b4a1721702442a9b upstream. There is an asymmetry between commit/abort and preparation phase if the following conditions are met: 1. set is a verdict map ("1.2.3.4 : jump foo") 2. timeouts are enabled In this case, following sequence is problematic: 1. element E in set S refers to chain C 2. userspace requests removal of set S 3. kernel does a set walk to decrement chain->use count for all elements from preparation phase 4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase) If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed. Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure. Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors. Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 94313a196b44184b5b52c1876da6a537701b425a) Signed-off-by: Vegard Nossum --- net/netfilter/nf_tables_api.c | 4 ++++ net/netfilter/nft_set_hash.c | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 8e3531de9d58..92d02a4611ac 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3787,8 +3787,12 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx, const struct nft_set_iter *iter, struct nft_set_elem *elem) { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); struct nft_set_dump_args *args; + if (nft_set_elem_expired(ext)) + return 0; + args = container_of(iter, struct nft_set_dump_args, iter); return nf_tables_fill_setelem(args->skb, set, elem); } diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 066a346e5adf..37f0ecdbbd09 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -254,8 +254,6 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set, if (iter->count < iter->skip) goto cont; - if (nft_set_elem_expired(&he->ext)) - goto cont; if (!nft_set_elem_active(&he->ext, iter->genmask)) goto cont; From ea71b10a3d18e5589f44b836a83003a6e741d6bb Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Jun 2024 03:01:58 +0200 Subject: [PATCH 149/182] netfilter: nft_dynset: report EOPNOTSUPP on missing set feature commit 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 upstream. If userspace requests a feature which is not available the original set definition, then bail out with EOPNOTSUPP. If userspace sends unsupported dynset flags (new feature not supported by this kernel), then report EOPNOTSUPP to userspace. EINVAL should be only used to report malformed netlink messages from userspace. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman (cherry picked from commit c5c4746c8cd6d049dcbf39c811172c917ea6fb6e) [Vegard: fix conflicts due to missing commits 8e1102d5a1596dca10f51e3de800809944f8816d ("netfilter: nf_tables: support timeouts larger than 23 days") and b13468dc577498002cf4e62978359ff97ffcd187 ("netfilter: nft_dynset: fix timeout updates on 32bit").] Signed-off-by: Vegard Nossum --- net/netfilter/nft_dynset.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index 4165e894791a..b4680cdfdfda 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -127,7 +127,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx, u32 flags = ntohl(nla_get_be32(tb[NFTA_DYNSET_FLAGS])); if (flags & ~NFT_DYNSET_F_INV) - return -EINVAL; + return -EOPNOTSUPP; if (flags & NFT_DYNSET_F_INV) priv->invert = true; } @@ -161,7 +161,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx, timeout = 0; if (tb[NFTA_DYNSET_TIMEOUT] != NULL) { if (!(set->flags & NFT_SET_TIMEOUT)) - return -EINVAL; + return -EOPNOTSUPP; timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64( tb[NFTA_DYNSET_TIMEOUT]))); } @@ -173,7 +173,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx, if (tb[NFTA_DYNSET_SREG_DATA] != NULL) { if (!(set->flags & NFT_SET_MAP)) - return -EINVAL; + return -EOPNOTSUPP; if (set->dtype == NFT_DATA_VERDICT) return -EOPNOTSUPP; From fa8b9918795f9be7f4ca95f5440acff86fe946db Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 13 Jun 2024 03:01:59 +0200 Subject: [PATCH 150/182] netfilter: nft_dynset: relax superfluous check on set updates commit 7b1394892de8d95748d05e3ee41e85edb4abbfa1 upstream. Relax this condition to make add and update commands idempotent for sets with no timeout. The eval function already checks if the set element timeout is available and updates it if the update command is used. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 79e98cd78610560a6a6cf85200eb31331602f9a9) Signed-off-by: Vegard Nossum --- net/netfilter/nft_dynset.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index b4680cdfdfda..af027310da56 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -147,16 +147,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx, return -EBUSY; priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP])); - switch (priv->op) { - case NFT_DYNSET_OP_ADD: - break; - case NFT_DYNSET_OP_UPDATE: - if (!(set->flags & NFT_SET_TIMEOUT)) - return -EOPNOTSUPP; - break; - default: + if (priv->op > NFT_DYNSET_OP_UPDATE) return -EOPNOTSUPP; - } timeout = 0; if (tb[NFTA_DYNSET_TIMEOUT] != NULL) { From 6658c1ef0cb35d3d594507db800cb44a54db4f75 Mon Sep 17 00:00:00 2001 From: Marc Zyngier Date: Fri, 24 May 2024 15:19:55 +0100 Subject: [PATCH 151/182] KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode commit dfe6d190f38fc5df5ff2614b463a5195a399c885 upstream. It appears that we don't allow a vcpu to be restored in AArch32 System mode, as we *never* included it in the list of valid modes. Just add it to the list of allowed modes. Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu") Cc: stable@vger.kernel.org Acked-by: Oliver Upton Link: https://lore.kernel.org/r/20240524141956.1450304-3-maz@kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3c9ee8294728633e707c25fe0a321eeac1cc7515) [Vegard: fix conflicts due to missing commit 256c0960b7b6453dc90a4e879da52ab76b4037f9 ("kvm/arm: use PSR_AA32 definitions").] Signed-off-by: Vegard Nossum --- arch/arm64/kvm/guest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c index 8ae0f408b89c..fdc98b9f8ac6 100644 --- a/arch/arm64/kvm/guest.c +++ b/arch/arm64/kvm/guest.c @@ -175,6 +175,7 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) case COMPAT_PSR_MODE_SVC: case COMPAT_PSR_MODE_ABT: case COMPAT_PSR_MODE_UND: + case COMPAT_PSR_MODE_SYS: if (!vcpu_el1_is_32bit(vcpu)) return -EINVAL; break; From 9d5b95ce1488266fd3dc3951da6c8ce25c366ada Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Wed, 8 May 2024 16:39:51 +0800 Subject: [PATCH 152/182] crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak commit d3b17c6d9dddc2db3670bc9be628b122416a3d26 upstream. Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely. Fixes: 7d42e097607c ("crypto: qat - resolve race condition during AER recovery") Cc: #6.8+ Signed-off-by: Herbert Xu Reviewed-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 0ce5964b82f212f4df6a9813f09a0b5de15bd9c8) Signed-off-by: Vegard Nossum --- drivers/crypto/qat/qat_common/adf_aer.c | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/drivers/crypto/qat/qat_common/adf_aer.c b/drivers/crypto/qat/qat_common/adf_aer.c index b41c29abb140..e3f85e037153 100644 --- a/drivers/crypto/qat/qat_common/adf_aer.c +++ b/drivers/crypto/qat/qat_common/adf_aer.c @@ -139,8 +139,7 @@ static void adf_device_reset_worker(struct work_struct *work) if (adf_dev_init(accel_dev) || adf_dev_start(accel_dev)) { /* The device hanged and we can't restart it so stop here */ dev_err(&GET_DEV(accel_dev), "Restart device failed\n"); - if (reset_data->mode == ADF_DEV_RESET_ASYNC || - completion_done(&reset_data->compl)) + if (reset_data->mode == ADF_DEV_RESET_ASYNC) kfree(reset_data); WARN(1, "QAT: device restart failed. Device is unusable\n"); return; @@ -148,16 +147,8 @@ static void adf_device_reset_worker(struct work_struct *work) adf_dev_restarted_notify(accel_dev); clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status); - /* - * The dev is back alive. Notify the caller if in sync mode - * - * If device restart will take a more time than expected, - * the schedule_reset() function can timeout and exit. This can be - * detected by calling the completion_done() function. In this case - * the reset_data structure needs to be freed here. - */ - if (reset_data->mode == ADF_DEV_RESET_ASYNC || - completion_done(&reset_data->compl)) + /* The dev is back alive. Notify the caller if in sync mode */ + if (reset_data->mode == ADF_DEV_RESET_ASYNC) kfree(reset_data); else complete(&reset_data->compl); @@ -192,10 +183,10 @@ static int adf_dev_aer_schedule_reset(struct adf_accel_dev *accel_dev, if (!timeout) { dev_err(&GET_DEV(accel_dev), "Reset device timeout expired\n"); + cancel_work_sync(&reset_data->reset_work); ret = -EFAULT; - } else { - kfree(reset_data); } + kfree(reset_data); return ret; } return 0; From 9a9a74f4cdb1295a5a854d2ca6cb87fc19048ef3 Mon Sep 17 00:00:00 2001 From: Nikita Zhandarovich Date: Mon, 8 Apr 2024 07:10:39 -0700 Subject: [PATCH 153/182] net/9p: fix uninit-value in p9_client_rpc() commit 25460d6f39024cc3b8241b14c7ccf0d6f11a736a upstream. Syzbot with the help of KMSAN reported the following error: BUG: KMSAN: uninit-value in trace_9p_client_res include/trace/events/9p.h:146 [inline] BUG: KMSAN: uninit-value in p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 trace_9p_client_res include/trace/events/9p.h:146 [inline] p9_client_rpc+0x1314/0x1340 net/9p/client.c:754 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: __alloc_pages+0x9d6/0xe70 mm/page_alloc.c:4598 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2175 [inline] allocate_slab mm/slub.c:2338 [inline] new_slab+0x2de/0x1400 mm/slub.c:2391 ___slab_alloc+0x1184/0x33d0 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc+0x6d3/0xbe0 mm/slub.c:3852 p9_tag_alloc net/9p/client.c:278 [inline] p9_client_prepare_req+0x20a/0x1770 net/9p/client.c:641 p9_client_rpc+0x27e/0x1340 net/9p/client.c:688 p9_client_create+0x1551/0x1ff0 net/9p/client.c:1031 v9fs_session_init+0x1b9/0x28e0 fs/9p/v9fs.c:410 v9fs_mount+0xe2/0x12b0 fs/9p/vfs_super.c:122 legacy_get_tree+0x114/0x290 fs/fs_context.c:662 vfs_get_tree+0xa7/0x570 fs/super.c:1797 do_new_mount+0x71f/0x15e0 fs/namespace.c:3352 path_mount+0x742/0x1f20 fs/namespace.c:3679 do_mount fs/namespace.c:3692 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x725/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x150 fs/namespace.c:3875 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 If p9_check_errors() fails early in p9_client_rpc(), req->rc.tag will not be properly initialized. However, trace_9p_client_res() ends up trying to print it out anyway before p9_client_rpc() finishes. Fix this issue by assigning default values to p9_fcall fields such as 'tag' and (just in case KMSAN unearths something new) 'id' during the tag allocation stage. Reported-and-tested-by: syzbot+ff14db38f56329ef68df@syzkaller.appspotmail.com Fixes: 348b59012e5c ("net/9p: Convert net/9p protocol dumps to tracepoints") Signed-off-by: Nikita Zhandarovich Reviewed-by: Christian Schoenebeck Cc: stable@vger.kernel.org Message-ID: <20240408141039.30428-1-n.zhandarovich@fintech.ru> Signed-off-by: Dominique Martinet Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 72c5d8e416ecc46af370a1340b3db5ff0b0cc867) [Vegard: fix conflicts due to missing commits 1555583b63b344c634bbaaf6d966923d3fe96d44 ("9p: embed fcall in req to round down buffer allocs") and be87f21e6b25e3b09eb913dd4f8e416a2a81a3a0 ("9p: add a per-client fcall kmem_cache").] Signed-off-by: Vegard Nossum --- net/9p/client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/9p/client.c b/net/9p/client.c index 8b1ec2f61b5c..09f7ddb5fd77 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -243,6 +243,8 @@ static struct p9_fcall *p9_fcall_alloc(int alloc_msize) if (!fc) return NULL; fc->capacity = alloc_msize; + fc->id = 0; + fc->tag = P9_NOTAG; fc->sdata = (char *) fc + sizeof(struct p9_fcall); return fc; } From 471ea347bb7d4b16dd62a6642efb111fa36f2da7 Mon Sep 17 00:00:00 2001 From: Alexander Shishkin Date: Mon, 29 Apr 2024 16:01:18 +0300 Subject: [PATCH 154/182] intel_th: pci: Add Meteor Lake-S CPU support commit a4f813c3ec9d1c32bc402becd1f011b3904dd699 upstream. Add support for the Trace Hub in Meteor Lake-S CPU. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@kernel.org Link: https://lore.kernel.org/r/20240429130119.1518073-15-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 58c0309c73fe1e9c477ed4cc5d02fc9015336979) Signed-off-by: Vegard Nossum --- drivers/hwtracing/intel_th/pci.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c index 3c5eba924e3b..625e6dc4e3f4 100644 --- a/drivers/hwtracing/intel_th/pci.c +++ b/drivers/hwtracing/intel_th/pci.c @@ -258,6 +258,11 @@ static const struct pci_device_id intel_th_pci_id_table[] = { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa76f), .driver_data = (kernel_ulong_t)&intel_th_2x, }, + { + /* Meteor Lake-S CPU */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xae24), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, { /* Raptor Lake-S */ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x7a26), From 9f2edbc910b189e46e7ca3d17680e36fde63276d Mon Sep 17 00:00:00 2001 From: Sam Ravnborg Date: Sat, 30 Mar 2024 10:57:45 +0100 Subject: [PATCH 155/182] sparc64: Fix number of online CPUs commit 98937707fea8375e8acea0aaa0b68a956dd52719 upstream. Nick Bowler reported: When using newer kernels on my Ultra 60 with dual 450MHz UltraSPARC-II CPUs, I noticed that only CPU 0 comes up, while older kernels (including 4.7) are working fine with both CPUs. I bisected the failure to this commit: 9b2f753ec23710aa32c0d837d2499db92fe9115b is the first bad commit commit 9b2f753ec23710aa32c0d837d2499db92fe9115b Author: Atish Patra Date: Thu Sep 15 14:54:40 2016 -0600 sparc64: Fix cpu_possible_mask if nr_cpus is set This is a small change that reverts very easily on top of 5.18: there is just one trivial conflict. Once reverted, both CPUs work again. Maybe this is related to the fact that the CPUs on this system are numbered CPU0 and CPU2 (there is no CPU1)? The current code that adjust cpu_possible based on nr_cpu_ids do not take into account that CPU's may not come one after each other. Move the chech to the function that setup the cpu_possible mask so there is no need to adjust it later. Signed-off-by: Sam Ravnborg Fixes: 9b2f753ec237 ("sparc64: Fix cpu_possible_mask if nr_cpus is set") Reported-by: Nick Bowler Tested-by: Nick Bowler Link: https://lore.kernel.org/sparclinux/20201009161924.c8f031c079dd852941307870@gmx.de/ Link: https://lore.kernel.org/all/CADyTPEwt=ZNams+1bpMB1F9w_vUdPsGCt92DBQxxq_VtaLoTdw@mail.gmail.com/ Cc: stable@vger.kernel.org # v4.8+ Cc: Andreas Larsson Cc: David S. Miller Cc: Atish Patra Cc: Bob Picco Cc: Vijay Kumar Cc: David S. Miller Reviewed-by: Andreas Larsson Acked-by: Arnd Bergmann Link: https://lore.kernel.org/r/20240330-sparc64-warnings-v1-9-37201023ee2f@ravnborg.org Signed-off-by: Andreas Larsson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 180b2e4c1ba4f6e3e4c52d6664cb019f6eac02f8) Signed-off-by: Vegard Nossum --- arch/sparc/include/asm/smp_64.h | 2 -- arch/sparc/kernel/prom_64.c | 4 +++- arch/sparc/kernel/setup_64.c | 1 - arch/sparc/kernel/smp_64.c | 14 -------------- 4 files changed, 3 insertions(+), 18 deletions(-) diff --git a/arch/sparc/include/asm/smp_64.h b/arch/sparc/include/asm/smp_64.h index e75783b6abc4..16ab904616a0 100644 --- a/arch/sparc/include/asm/smp_64.h +++ b/arch/sparc/include/asm/smp_64.h @@ -47,7 +47,6 @@ void arch_send_call_function_ipi_mask(const struct cpumask *mask); int hard_smp_processor_id(void); #define raw_smp_processor_id() (current_thread_info()->cpu) -void smp_fill_in_cpu_possible_map(void); void smp_fill_in_sib_core_maps(void); void cpu_play_dead(void); @@ -77,7 +76,6 @@ void __cpu_die(unsigned int cpu); #define smp_fill_in_sib_core_maps() do { } while (0) #define smp_fetch_global_regs() do { } while (0) #define smp_fetch_global_pmu() do { } while (0) -#define smp_fill_in_cpu_possible_map() do { } while (0) #define smp_init_cpu_poke() do { } while (0) #define scheduler_poke() do { } while (0) diff --git a/arch/sparc/kernel/prom_64.c b/arch/sparc/kernel/prom_64.c index baeaeed64993..4bc082187b0e 100644 --- a/arch/sparc/kernel/prom_64.c +++ b/arch/sparc/kernel/prom_64.c @@ -479,7 +479,9 @@ static void *record_one_cpu(struct device_node *dp, int cpuid, int arg) ncpus_probed++; #ifdef CONFIG_SMP set_cpu_present(cpuid, true); - set_cpu_possible(cpuid, true); + + if (num_possible_cpus() < nr_cpu_ids) + set_cpu_possible(cpuid, true); #endif return NULL; } diff --git a/arch/sparc/kernel/setup_64.c b/arch/sparc/kernel/setup_64.c index 34f7a533a74f..8210b499f42d 100644 --- a/arch/sparc/kernel/setup_64.c +++ b/arch/sparc/kernel/setup_64.c @@ -688,7 +688,6 @@ void __init setup_arch(char **cmdline_p) paging_init(); init_sparc64_elf_hwcap(); - smp_fill_in_cpu_possible_map(); /* * Once the OF device tree and MDESC have been setup and nr_cpus has * been parsed, we know the list of possible cpus. Therefore we can diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c index 98825058e1df..4d8ffc11d05f 100644 --- a/arch/sparc/kernel/smp_64.c +++ b/arch/sparc/kernel/smp_64.c @@ -1213,20 +1213,6 @@ void __init smp_setup_processor_id(void) xcall_deliver_impl = hypervisor_xcall_deliver; } -void __init smp_fill_in_cpu_possible_map(void) -{ - int possible_cpus = num_possible_cpus(); - int i; - - if (possible_cpus > nr_cpu_ids) - possible_cpus = nr_cpu_ids; - - for (i = 0; i < possible_cpus; i++) - set_cpu_possible(i, true); - for (; i < NR_CPUS; i++) - set_cpu_possible(i, false); -} - void smp_fill_in_sib_core_maps(void) { unsigned int i; From f751d9a9f3d6c01908cf9bc9d966a35ecc1a2f64 Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Wed, 24 Apr 2024 15:03:34 +0100 Subject: [PATCH 156/182] kdb: Fix buffer overflow during tab-complete commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziUJLpw@mail.gmail.com/ Cc: stable@vger.kernel.org Reviewed-by: Douglas Anderson Reviewed-by: Justin Stitt Tested-by: Justin Stitt Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@linaro.org Signed-off-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit fb824a99e148ff272a53d71d84122728b5f00992) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index b45576ca3b0d..e7d1a7462edd 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -364,14 +364,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; From f990953b6d8d752849e6f682628d4632f051b7de Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Wed, 24 Apr 2024 15:03:35 +0100 Subject: [PATCH 157/182] kdb: Use format-strings rather than '\0' injection in kdb_read() commit 09b35989421dfd5573f0b4683c7700a7483c71f9 upstream. Currently when kdb_read() needs to reposition the cursor it uses copy and paste code that works by injecting an '\0' at the cursor position before delivering a carriage-return and reprinting the line (which stops at the '\0'). Tidy up the code by hoisting the copy and paste code into an appropriately named function. Additionally let's replace the '\0' injection with a proper field width parameter so that the string will be abridged during formatting instead. Cc: stable@vger.kernel.org # Not a bug fix but it is needed for later bug fixes Tested-by: Justin Stitt Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-2-f236dbe9828d@linaro.org Signed-off-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 4edfbbaca46491b06af14e49dcb79ac661d0bbdc) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 55 ++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 21 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index e7d1a7462edd..ccffc6979544 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -170,6 +170,33 @@ static int kdb_read_get_key(char *buffer, size_t bufsize) return key; } +/** + * kdb_position_cursor() - Place cursor in the correct horizontal position + * @prompt: Nil-terminated string containing the prompt string + * @buffer: Nil-terminated string containing the entire command line + * @cp: Cursor position, pointer the character in buffer where the cursor + * should be positioned. + * + * The cursor is positioned by sending a carriage-return and then printing + * the content of the line until we reach the correct cursor position. + * + * There is some additional fine detail here. + * + * Firstly, even though kdb_printf() will correctly format zero-width fields + * we want the second call to kdb_printf() to be conditional. That keeps things + * a little cleaner when LOGGING=1. + * + * Secondly, we can't combine everything into one call to kdb_printf() since + * that renders into a fixed length buffer and the combined print could result + * in unwanted truncation. + */ +static void kdb_position_cursor(char *prompt, char *buffer, char *cp) +{ + kdb_printf("\r%s", kdb_prompt_str); + if (cp > buffer) + kdb_printf("%.*s", (int)(cp - buffer), buffer); +} + /* * kdb_read * @@ -208,7 +235,6 @@ static char *kdb_read(char *buffer, size_t bufsize) * and null byte */ char *lastchar; char *p_tmp; - char tmp; static char tmpbuffer[CMD_BUFLEN]; int len = strlen(buffer); int len_tmp; @@ -247,12 +273,8 @@ static char *kdb_read(char *buffer, size_t bufsize) } *(--lastchar) = '\0'; --cp; - kdb_printf("\b%s \r", cp); - tmp = *cp; - *cp = '\0'; - kdb_printf(kdb_prompt_str); - kdb_printf("%s", buffer); - *cp = tmp; + kdb_printf("\b%s ", cp); + kdb_position_cursor(kdb_prompt_str, buffer, cp); } break; case 13: /* enter */ @@ -269,19 +291,14 @@ static char *kdb_read(char *buffer, size_t bufsize) memcpy(tmpbuffer, cp+1, lastchar - cp - 1); memcpy(cp, tmpbuffer, lastchar - cp - 1); *(--lastchar) = '\0'; - kdb_printf("%s \r", cp); - tmp = *cp; - *cp = '\0'; - kdb_printf(kdb_prompt_str); - kdb_printf("%s", buffer); - *cp = tmp; + kdb_printf("%s ", cp); + kdb_position_cursor(kdb_prompt_str, buffer, cp); } break; case 1: /* Home */ if (cp > buffer) { - kdb_printf("\r"); - kdb_printf(kdb_prompt_str); cp = buffer; + kdb_position_cursor(kdb_prompt_str, buffer, cp); } break; case 5: /* End */ @@ -387,13 +404,9 @@ static char *kdb_read(char *buffer, size_t bufsize) memcpy(cp+1, tmpbuffer, lastchar - cp); *++lastchar = '\0'; *cp = key; - kdb_printf("%s\r", cp); + kdb_printf("%s", cp); ++cp; - tmp = *cp; - *cp = '\0'; - kdb_printf(kdb_prompt_str); - kdb_printf("%s", buffer); - *cp = tmp; + kdb_position_cursor(kdb_prompt_str, buffer, cp); } else { *++lastchar = '\0'; *cp++ = key; From fc2a098bc09c4f9968c93222902d72f518ec6953 Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Wed, 24 Apr 2024 15:03:36 +0100 Subject: [PATCH 158/182] kdb: Fix console handling when editing and tab-completing commands commit db2f9c7dc29114f531df4a425d0867d01e1f1e28 upstream. Currently, if the cursor position is not at the end of the command buffer and the user uses the Tab-complete functions, then the console does not leave the cursor in the correct position. For example consider the following buffer with the cursor positioned at the ^: md kdb_pro 10 ^ Pressing tab should result in: md kdb_prompt_str 10 ^ However this does not happen. Instead the cursor is placed at the end (after then 10) and further cursor movement redraws incorrectly. The same problem exists when we double-Tab but in a different part of the code. Fix this by sending a carriage return and then redisplaying the text to the left of the cursor. Cc: stable@vger.kernel.org Reviewed-by: Douglas Anderson Tested-by: Justin Stitt Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-3-f236dbe9828d@linaro.org Signed-off-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 21c068c1bbb4c336741749596d004b1965faab2c) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index ccffc6979544..960a057197b9 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -380,6 +380,8 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf("\n"); kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); + if (cp != lastchar) + kdb_position_cursor(kdb_prompt_str, buffer, cp); } else if (tab != 2 && count > 0) { /* How many new characters do we want from tmpbuffer? */ len_tmp = strlen(p_tmp) - len; @@ -393,6 +395,9 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf("%s", cp); cp += len_tmp; lastchar += len_tmp; + if (cp != lastchar) + kdb_position_cursor(kdb_prompt_str, + buffer, cp); } } kdb_nextline = 1; /* reset output line number */ From 201f3d45deb9bcf1046483d72642d8457976c7a9 Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Wed, 24 Apr 2024 15:03:37 +0100 Subject: [PATCH 159/182] kdb: Merge identical case statements in kdb_read() commit 6244917f377bf64719551b58592a02a0336a7439 upstream. The code that handles case 14 (down) and case 16 (up) has been copy and pasted despite being byte-for-byte identical. Combine them. Cc: stable@vger.kernel.org # Not a bug fix but it is needed for later bug fixes Reviewed-by: Douglas Anderson Tested-by: Justin Stitt Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-4-f236dbe9828d@linaro.org Signed-off-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 4a89182788f9af9a290c19098382fb972ebe2783) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 960a057197b9..b72a0120b07b 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -314,6 +314,7 @@ static char *kdb_read(char *buffer, size_t bufsize) } break; case 14: /* Down */ + case 16: /* Up */ memset(tmpbuffer, ' ', strlen(kdb_prompt_str) + (lastchar-buffer)); *(tmpbuffer+strlen(kdb_prompt_str) + @@ -328,15 +329,6 @@ static char *kdb_read(char *buffer, size_t bufsize) ++cp; } break; - case 16: /* Up */ - memset(tmpbuffer, ' ', - strlen(kdb_prompt_str) + (lastchar-buffer)); - *(tmpbuffer+strlen(kdb_prompt_str) + - (lastchar-buffer)) = '\0'; - kdb_printf("\r%s\r", tmpbuffer); - *lastchar = (char)key; - *(lastchar+1) = '\0'; - return lastchar; case 9: /* Tab */ if (tab < 2) ++tab; From c89fb4fb7559ec8e3f74ecbc29ef856a47cc85d4 Mon Sep 17 00:00:00 2001 From: Daniel Thompson Date: Wed, 24 Apr 2024 15:03:38 +0100 Subject: [PATCH 160/182] kdb: Use format-specifiers rather than memset() for padding in kdb_read() commit c9b51ddb66b1d96e4d364c088da0f1dfb004c574 upstream. Currently when the current line should be removed from the display kdb_read() uses memset() to fill a temporary buffer with spaces. The problem is not that this could be trivially implemented using a format string rather than open coding it. The real problem is that it is possible, on systems with a long kdb_prompt_str, to write past the end of the tmpbuffer. Happily, as mentioned above, this can be trivially implemented using a format string. Make it so! Cc: stable@vger.kernel.org Reviewed-by: Douglas Anderson Tested-by: Justin Stitt Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-5-f236dbe9828d@linaro.org Signed-off-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 2467f3f182eb35627534effd4956fceb2504c127) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index b72a0120b07b..acc8e13b823b 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -315,11 +315,9 @@ static char *kdb_read(char *buffer, size_t bufsize) break; case 14: /* Down */ case 16: /* Up */ - memset(tmpbuffer, ' ', - strlen(kdb_prompt_str) + (lastchar-buffer)); - *(tmpbuffer+strlen(kdb_prompt_str) + - (lastchar-buffer)) = '\0'; - kdb_printf("\r%s\r", tmpbuffer); + kdb_printf("\r%*c\r", + (int)(strlen(kdb_prompt_str) + (lastchar - buffer)), + ' '); *lastchar = (char)key; *(lastchar+1) = '\0'; return lastchar; From 212ca5dd4286a76808254db293bd898a062b56e3 Mon Sep 17 00:00:00 2001 From: Mike Gilbert Date: Wed, 6 Mar 2024 12:11:47 -0500 Subject: [PATCH 161/182] sparc: move struct termio to asm/termios.h commit c32d18e7942d7589b62e301eb426b32623366565 upstream. Every other arch declares struct termio in asm/termios.h, so make sparc match them. Resolves a build failure in the PPP software package, which includes both bits/ioctl-types.h via sys/ioctl.h (glibc) and asm/termbits.h. Closes: https://bugs.gentoo.org/918992 Signed-off-by: Mike Gilbert Cc: stable@vger.kernel.org Reviewed-by: Andreas Larsson Tested-by: Andreas Larsson Link: https://lore.kernel.org/r/20240306171149.3843481-1-floppym@gentoo.org Signed-off-by: Andreas Larsson Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 980a1cd6e092eab9398a78f517809a7dacaa0468) Signed-off-by: Vegard Nossum --- arch/sparc/include/uapi/asm/termbits.h | 10 ---------- arch/sparc/include/uapi/asm/termios.h | 9 +++++++++ 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/arch/sparc/include/uapi/asm/termbits.h b/arch/sparc/include/uapi/asm/termbits.h index ce5ad5d0f105..0614e179bccc 100644 --- a/arch/sparc/include/uapi/asm/termbits.h +++ b/arch/sparc/include/uapi/asm/termbits.h @@ -13,16 +13,6 @@ typedef unsigned int tcflag_t; typedef unsigned long tcflag_t; #endif -#define NCC 8 -struct termio { - unsigned short c_iflag; /* input mode flags */ - unsigned short c_oflag; /* output mode flags */ - unsigned short c_cflag; /* control mode flags */ - unsigned short c_lflag; /* local mode flags */ - unsigned char c_line; /* line discipline */ - unsigned char c_cc[NCC]; /* control characters */ -}; - #define NCCS 17 struct termios { tcflag_t c_iflag; /* input mode flags */ diff --git a/arch/sparc/include/uapi/asm/termios.h b/arch/sparc/include/uapi/asm/termios.h index ee86f4093d83..cceb32260881 100644 --- a/arch/sparc/include/uapi/asm/termios.h +++ b/arch/sparc/include/uapi/asm/termios.h @@ -40,5 +40,14 @@ struct winsize { unsigned short ws_ypixel; }; +#define NCC 8 +struct termio { + unsigned short c_iflag; /* input mode flags */ + unsigned short c_oflag; /* output mode flags */ + unsigned short c_cflag; /* control mode flags */ + unsigned short c_lflag; /* local mode flags */ + unsigned char c_line; /* line discipline */ + unsigned char c_cc[NCC]; /* control characters */ +}; #endif /* _UAPI_SPARC_TERMIOS_H */ From 199f7d837409f78087fde12a33c486d4d866c16e Mon Sep 17 00:00:00 2001 From: Baokun Li Date: Sat, 4 May 2024 15:55:25 +0800 Subject: [PATCH 162/182] ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() commit 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 upstream. Syzbot reports a warning as follows: ============================================ WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290 Modules linked in: CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7 RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419 Call Trace: ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375 generic_shutdown_super+0x136/0x2d0 fs/super.c:641 kill_block_super+0x44/0x90 fs/super.c:1675 ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327 [...] ============================================ This is because when finding an entry in ext4_xattr_block_cache_find(), if ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown in the __entry_find(), won't be put away, and eventually trigger the above issue in mb_cache_destroy() due to reference count leakage. So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix. Reported-by: syzbot+dd43bd0f7474512edc47@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=dd43bd0f7474512edc47 Fixes: fb265c9cb49e ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases") Cc: stable@kernel.org Signed-off-by: Baokun Li Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20240504075526.2254349-2-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9ad75e78747b5a50dc5a52f0f8e92e920a653f16) Signed-off-by: Vegard Nossum --- fs/ext4/xattr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index 11b7b8b89f5e..f529ced0b692 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -3090,8 +3090,10 @@ ext4_xattr_block_cache_find(struct inode *inode, bh = ext4_sb_bread(inode->i_sb, ce->e_value, REQ_PRIO); if (IS_ERR(bh)) { - if (PTR_ERR(bh) == -ENOMEM) + if (PTR_ERR(bh) == -ENOMEM) { + mb_cache_entry_put(ea_block_cache, ce); return NULL; + } bh = NULL; EXT4_ERROR_INODE(inode, "block %lu read error", (unsigned long)ce->e_value); From 593e234893f02097b207840c7c31b4d91b64ca14 Mon Sep 17 00:00:00 2001 From: Sergey Shtylyov Date: Fri, 10 May 2024 23:24:04 +0300 Subject: [PATCH 163/182] nfs: fix undefined behavior in nfs_block_bits() commit 3c0a2e0b0ae661457c8505fecc7be5501aa7a715 upstream. Shifting *signed int* typed constant 1 left by 31 bits causes undefined behavior. Specify the correct *unsigned long* type by using 1UL instead. Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Cc: stable@vger.kernel.org Signed-off-by: Sergey Shtylyov Reviewed-by: Benjamin Coddington Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 74ea538aa24490d7d259c881189bb58dbf1f692c) Signed-off-by: Vegard Nossum --- fs/nfs/internal.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h index 6f3dc6a5cc7f..5a4fc865ca7b 100644 --- a/fs/nfs/internal.h +++ b/fs/nfs/internal.h @@ -615,9 +615,9 @@ unsigned long nfs_block_bits(unsigned long bsize, unsigned char *nrbitsp) if ((bsize & (bsize - 1)) || nrbitsp) { unsigned char nrbits; - for (nrbits = 31; nrbits && !(bsize & (1 << nrbits)); nrbits--) + for (nrbits = 31; nrbits && !(bsize & (1UL << nrbits)); nrbits--) ; - bsize = 1 << nrbits; + bsize = 1UL << nrbits; if (nrbitsp) *nrbitsp = nrbits; } From aa4a1101113a8425c065d44e33c636cad583327d Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Wed, 12 Aug 2020 14:58:25 +0200 Subject: [PATCH 164/182] crypto: algif_aead - fix uninitialized ctx->init commit 21dfbcd1f5cbff9cf2f9e7e43475aed8d072b0dd upstram. In skcipher_accept_parent_nokey() the whole af_alg_ctx structure is cleared by memset() after allocation, so add such memset() also to aead_accept_parent_nokey() so that the new "init" field is also initialized to zero. Without that the initial ctx->init checks might randomly return true and cause errors. While there, also remove the redundant zero assignments in both functions. Found via libkcapi testsuite. Cc: Stephan Mueller Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when ctx->more is zero") Suggested-by: Herbert Xu Signed-off-by: Ondrej Mosnacek Signed-off-by: Herbert Xu Signed-off-by: Suraj Jitindar Singh Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- crypto/algif_aead.c | 6 ------ crypto/algif_skcipher.c | 7 +------ 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index eea987f5a429..0c9db7ec5331 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -568,12 +568,6 @@ static int aead_accept_parent_nokey(void *private, struct sock *sk) INIT_LIST_HEAD(&ctx->tsgl_list); ctx->len = len; - ctx->used = 0; - atomic_set(&ctx->rcvused, 0); - ctx->more = 0; - ctx->merge = 0; - ctx->enc = 0; - ctx->aead_assoclen = 0; af_alg_init_completion(&ctx->completion); ask->private = ctx; diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c index 8ce6f8cee0d0..0c5d64d205f9 100644 --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -371,6 +371,7 @@ static int skcipher_accept_parent_nokey(void *private, struct sock *sk) ctx = sock_kmalloc(sk, len, GFP_KERNEL); if (!ctx) return -ENOMEM; + memset(ctx, 0, len); ctx->iv = sock_kmalloc(sk, crypto_skcipher_ivsize(skcipher), GFP_KERNEL); @@ -378,16 +379,10 @@ static int skcipher_accept_parent_nokey(void *private, struct sock *sk) sock_kfree_s(sk, ctx, len); return -ENOMEM; } - memset(ctx->iv, 0, crypto_skcipher_ivsize(skcipher)); INIT_LIST_HEAD(&ctx->tsgl_list); ctx->len = len; - ctx->used = 0; - atomic_set(&ctx->rcvused, 0); - ctx->more = 0; - ctx->merge = 0; - ctx->enc = 0; af_alg_init_completion(&ctx->completion); ask->private = ctx; From 8949bc46fedc763c195c9a72f69abb9405cac9dc Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Mon, 31 May 2021 16:03:45 +0200 Subject: [PATCH 165/182] x86/kvm: Teardown PV features on boot CPU as well commit 8b79feffeca28c5459458fe78676b081e87c93a4 upstream. Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from hibernation we must properly teardown all these features to make sure hypervisor doesn't write to stale locations after we jump to the previously hibernated kernel (which can try to place anything there). For secondary CPUs the job is already done by kvm_cpu_down_prepare(), register syscore ops to do the same for boot CPU. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210414123544.1060604-3-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Mahmoud Adam Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- arch/x86/kernel/kvm.c | 49 ++++++++++++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c index 5853eb50138e..9182475c5d81 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -426,14 +427,6 @@ void kvm_disable_steal_time(void) wrmsr(MSR_KVM_STEAL_TIME, 0, 0); } -#ifdef CONFIG_SMP -static void __init kvm_smp_prepare_boot_cpu(void) -{ - kvm_guest_cpu_init(); - native_smp_prepare_boot_cpu(); - kvm_spinlock_init(); -} - static void kvm_guest_cpu_offline(void) { kvm_disable_steal_time(); @@ -445,21 +438,51 @@ static void kvm_guest_cpu_offline(void) static int kvm_cpu_online(unsigned int cpu) { - local_irq_disable(); + unsigned long flags; + + local_irq_save(flags); kvm_guest_cpu_init(); - local_irq_enable(); + local_irq_restore(flags); return 0; } +#ifdef CONFIG_SMP +static void __init kvm_smp_prepare_boot_cpu(void) +{ + kvm_guest_cpu_init(); + native_smp_prepare_boot_cpu(); + kvm_spinlock_init(); +} + static int kvm_cpu_down_prepare(unsigned int cpu) { - local_irq_disable(); + unsigned long flags; + + local_irq_save(flags); kvm_guest_cpu_offline(); - local_irq_enable(); + local_irq_restore(flags); return 0; } + #endif +static int kvm_suspend(void) +{ + kvm_guest_cpu_offline(); + + return 0; +} + +static void kvm_resume(void) +{ + kvm_cpu_online(raw_smp_processor_id()); +} + +static struct syscore_ops kvm_syscore_ops = { + .suspend = kvm_suspend, + .resume = kvm_resume, +}; + static void __init kvm_apf_trap_init(void) { update_intr_gate(X86_TRAP_PF, async_page_fault); @@ -499,6 +522,8 @@ void __init kvm_guest_init(void) kvm_guest_cpu_init(); #endif + register_syscore_ops(&kvm_syscore_ops); + /* * Hard lockup detection is enabled by default. Disable it, as guests * can get false positives too easily, for example if the host is From 227178f3eba56c465bdd554e9786a0699bbf40d4 Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Mon, 31 May 2021 16:03:46 +0200 Subject: [PATCH 166/182] x86/kvm: Disable kvmclock on all CPUs on shutdown commit c02027b5742b5aa804ef08a4a9db433295533046 upstream. Currenly, we disable kvmclock from machine_shutdown() hook and this only happens for boot CPU. We need to disable it for all CPUs to guard against memory corruption e.g. on restore from hibernate. Note, writing '0' to kvmclock MSR doesn't clear memory location, it just prevents hypervisor from updating the location so for the short while after write and while CPU is still alive, the clock remains usable and correct so we don't need to switch to some other clocksource. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210414123544.1060604-4-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Mahmoud Adam Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- arch/x86/include/asm/kvm_para.h | 3 ++- arch/x86/kernel/kvm.c | 1 + arch/x86/kernel/kvmclock.c | 5 +---- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h index c373e44049b1..6dddd06ba94f 100644 --- a/arch/x86/include/asm/kvm_para.h +++ b/arch/x86/include/asm/kvm_para.h @@ -6,7 +6,6 @@ #include #include -extern void kvmclock_init(void); extern int kvm_register_clock(char *txt); #ifdef CONFIG_KVM_GUEST @@ -86,6 +85,8 @@ static inline long kvm_hypercall4(unsigned int nr, unsigned long p1, } #ifdef CONFIG_KVM_GUEST +void kvmclock_init(void); +void kvmclock_disable(void); bool kvm_para_available(void); unsigned int kvm_arch_para_features(void); void __init kvm_guest_init(void); diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c index 9182475c5d81..05ce85e910da 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -434,6 +434,7 @@ static void kvm_guest_cpu_offline(void) wrmsrl(MSR_KVM_PV_EOI_EN, 0); kvm_pv_disable_apf(); apf_task_wake_all(); + kvmclock_disable(); } static int kvm_cpu_online(unsigned int cpu) diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c index 08806d64eacd..7d00a55177e0 100644 --- a/arch/x86/kernel/kvmclock.c +++ b/arch/x86/kernel/kvmclock.c @@ -237,11 +237,9 @@ static void kvm_crash_shutdown(struct pt_regs *regs) } #endif -static void kvm_shutdown(void) +void kvmclock_disable(void) { native_write_msr(msr_kvm_system_time, 0, 0); - kvm_disable_steal_time(); - native_machine_shutdown(); } void __init kvmclock_init(void) @@ -297,7 +295,6 @@ void __init kvmclock_init(void) #endif x86_platform.save_sched_clock_state = kvm_save_sched_clock_state; x86_platform.restore_sched_clock_state = kvm_restore_sched_clock_state; - machine_ops.shutdown = kvm_shutdown; #ifdef CONFIG_KEXEC_CORE machine_ops.crash_shutdown = kvm_crash_shutdown; #endif From f07e26ece43c2b61389d2a56226ea19d3bd40c57 Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov Date: Wed, 14 Apr 2021 14:35:43 +0200 Subject: [PATCH 167/182] x86/kvm: Disable all PV features on crash commit 3d6b84132d2a57b5a74100f6923a8feb679ac2ce upstream. Crash shutdown handler only disables kvmclock and steal time, other PV features remain active so we risk corrupting memory or getting some side-effects in kdump kernel. Move crash handler to kvm.c and unify with CPU offline. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210414123544.1060604-5-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Mahmoud Adam Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- arch/x86/include/asm/kvm_para.h | 5 ---- arch/x86/kernel/kvm.c | 44 ++++++++++++++++++++++++--------- arch/x86/kernel/kvmclock.c | 21 ---------------- 3 files changed, 32 insertions(+), 38 deletions(-) diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h index 6dddd06ba94f..ec51eee2fe3f 100644 --- a/arch/x86/include/asm/kvm_para.h +++ b/arch/x86/include/asm/kvm_para.h @@ -93,7 +93,6 @@ void __init kvm_guest_init(void); void kvm_async_pf_task_wait(u32 token, int interrupt_kernel); void kvm_async_pf_task_wake(u32 token); u32 kvm_read_and_reset_pf_reason(void); -extern void kvm_disable_steal_time(void); #ifdef CONFIG_PARAVIRT_SPINLOCKS void __init kvm_spinlock_init(void); @@ -123,10 +122,6 @@ static inline u32 kvm_read_and_reset_pf_reason(void) return 0; } -static inline void kvm_disable_steal_time(void) -{ - return; -} #endif #endif /* _ASM_X86_KVM_PARA_H */ diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c index 05ce85e910da..c4c885b172d0 100644 --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -47,6 +47,7 @@ #include #include #include +#include static int kvmapf = 1; @@ -377,6 +378,14 @@ static void kvm_pv_disable_apf(void) smp_processor_id()); } +static void kvm_disable_steal_time(void) +{ + if (!has_steal_clock) + return; + + wrmsr(MSR_KVM_STEAL_TIME, 0, 0); +} + static void kvm_pv_guest_cpu_reboot(void *unused) { /* @@ -419,21 +428,14 @@ static u64 kvm_steal_clock(int cpu) return steal; } -void kvm_disable_steal_time(void) -{ - if (!has_steal_clock) - return; - - wrmsr(MSR_KVM_STEAL_TIME, 0, 0); -} - -static void kvm_guest_cpu_offline(void) +static void kvm_guest_cpu_offline(bool shutdown) { kvm_disable_steal_time(); if (kvm_para_has_feature(KVM_FEATURE_PV_EOI)) wrmsrl(MSR_KVM_PV_EOI_EN, 0); kvm_pv_disable_apf(); - apf_task_wake_all(); + if (!shutdown) + apf_task_wake_all(); kvmclock_disable(); } @@ -460,7 +462,7 @@ static int kvm_cpu_down_prepare(unsigned int cpu) unsigned long flags; local_irq_save(flags); - kvm_guest_cpu_offline(); + kvm_guest_cpu_offline(false); local_irq_restore(flags); return 0; } @@ -469,7 +471,7 @@ static int kvm_cpu_down_prepare(unsigned int cpu) static int kvm_suspend(void) { - kvm_guest_cpu_offline(); + kvm_guest_cpu_offline(false); return 0; } @@ -489,6 +491,20 @@ static void __init kvm_apf_trap_init(void) update_intr_gate(X86_TRAP_PF, async_page_fault); } +/* + * After a PV feature is registered, the host will keep writing to the + * registered memory location. If the guest happens to shutdown, this memory + * won't be valid. In cases like kexec, in which you install a new kernel, this + * means a random memory location will be kept being written. + */ +#ifdef CONFIG_KEXEC_CORE +static void kvm_crash_shutdown(struct pt_regs *regs) +{ + kvm_guest_cpu_offline(true); + native_machine_crash_shutdown(regs); +} +#endif + void __init kvm_guest_init(void) { int i; @@ -523,6 +539,10 @@ void __init kvm_guest_init(void) kvm_guest_cpu_init(); #endif +#ifdef CONFIG_KEXEC_CORE + machine_ops.crash_shutdown = kvm_crash_shutdown; +#endif + register_syscore_ops(&kvm_syscore_ops); /* diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c index 7d00a55177e0..9b8524cb0346 100644 --- a/arch/x86/kernel/kvmclock.c +++ b/arch/x86/kernel/kvmclock.c @@ -28,7 +28,6 @@ #include #include -#include #include static int kvmclock __ro_after_init = 1; @@ -220,23 +219,6 @@ static void kvm_setup_secondary_clock(void) } #endif -/* - * After the clock is registered, the host will keep writing to the - * registered memory location. If the guest happens to shutdown, this memory - * won't be valid. In cases like kexec, in which you install a new kernel, this - * means a random memory location will be kept being written. So before any - * kind of shutdown from our side, we unregister the clock by writing anything - * that does not have the 'enable' bit set in the msr - */ -#ifdef CONFIG_KEXEC_CORE -static void kvm_crash_shutdown(struct pt_regs *regs) -{ - native_write_msr(msr_kvm_system_time, 0, 0); - kvm_disable_steal_time(); - native_machine_crash_shutdown(regs); -} -#endif - void kvmclock_disable(void) { native_write_msr(msr_kvm_system_time, 0, 0); @@ -295,9 +277,6 @@ void __init kvmclock_init(void) #endif x86_platform.save_sched_clock_state = kvm_save_sched_clock_state; x86_platform.restore_sched_clock_state = kvm_restore_sched_clock_state; -#ifdef CONFIG_KEXEC_CORE - machine_ops.crash_shutdown = kvm_crash_shutdown; -#endif kvm_get_preset_lpj(); clocksource_register_hz(&kvm_clock, NSEC_PER_SEC); pv_info.name = "KVM"; From e4913de9177c1394c3b2b73c86f5e7d9d9614388 Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Wed, 17 Jul 2024 21:00:04 +0000 Subject: [PATCH 168/182] LTS: Update to 4.14.349 This corresponds to 4.19.316 upstream (v4.19.315..v4.19.316). Signed-off-by: Vegard Nossum --- .elts/config.yaml | 4 +- .elts/meta/4.14.349.yaml | 613 ++++++++++++++++++++++++++ .elts/upstream/4.19.316.yaml | 830 +++++++++++++++++++++++++++++++++++ Makefile | 2 +- 4 files changed, 1446 insertions(+), 3 deletions(-) create mode 100644 .elts/meta/4.14.349.yaml create mode 100644 .elts/upstream/4.19.316.yaml diff --git a/.elts/config.yaml b/.elts/config.yaml index d253bca5c62d..2bb1b0280ccb 100644 --- a/.elts/config.yaml +++ b/.elts/config.yaml @@ -1,5 +1,5 @@ upstream_repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git upstream_base: 4.19.304 base: 4.14.336 -upstream_version: 4.19.315 -version: 4.14.348 +upstream_version: 4.19.316 +version: 4.14.349 diff --git a/.elts/meta/4.14.349.yaml b/.elts/meta/4.14.349.yaml new file mode 100644 index 000000000000..1266db87a0b5 --- /dev/null +++ b/.elts/meta/4.14.349.yaml @@ -0,0 +1,613 @@ +8bb6ee62c33b1f281b98b2dd19f1d7249a1ee5ab: + title: 'speakup: Fix sizeof() vs ARRAY_SIZE() bug' + mainline: 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b + upstream: 42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358 +a43f1f02b3a93c9a2da8ea92e4d6509d0a61ebd8: + title: 'ring-buffer: Fix a race between readers and resize checks' + mainline: c2274b908db05529980ec056359fae916939fdaa + upstream: b50932ea673b5a089a4bb570a8a868d95c72854e +39d470c1d65655756f7bc56eef30977466000040: + title: 'nilfs2: fix unexpected freezing of nilfs_segctor_sync()' + mainline: 936184eadd82906992ff1f5ab3aada70cce44cee + upstream: 072980bc50626c4557694ce54e3f6f2bde02b6e0 +6696ef522ef729e48bb88e624f4b450cc48d0008: + title: 'nilfs2: fix potential hang in nilfs_detach_log_writer()' + mainline: eb85dace897c5986bc2f36b3c783c6abb8a4292e + upstream: 911d38be151921a5d152bb55e81fd752384c6830 +478b032b9b295f6e4d224766b1d74f3f8d8015f5: + title: 'tty: n_gsm: fix possible out-of-bounds in gsm0_receive()' + mainline: 47388e807f85948eefc403a8a5fdc5b406a65d5a + upstream: 9513d4148950b05bc99fa7314dc883cc0e1605e5 +0e454ea0aef962c0bc28aaec416c987c472ee16f: + title: 'wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class' + mainline: 9ef369973cd2c97cce3388d2c0c7e3c056656e8a + upstream: 5099e30dde0caffa9f0e2c41d7327fc3ed987fd5 +52bed87bdd7ff234fbf08cffb5805fec3753a574: + title: 'net: usb: qmi_wwan: add Telit FN920C04 compositions' + mainline: 0b8fe5bd73249dc20be2e88a12041f8920797b59 + upstream: 25468fffbbd2b0f06b4b12d79ff56cc5c40bfd1f +1de2264213019b0e94512027fedda73173da635e: + title: 'ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating' + mainline: 103abab975087e1f01b76fcb54c91dbb65dbc249 + upstream: 5c50d2e998143ce00c0629dcaabd73c3d962545c +f5822a115c534c96bcde99428ab661088e193a09: + title: 'ASoC: dt-bindings: rt5645: add cbj sleeve gpio property' + mainline: 306b38e3fa727d22454a148a364123709e356600 + upstream: 5af06b6c57a9bbfa9bd5421e28bcd5c571c5821e +6c8dd658875782d45f021c5015b9ec9bf5f5ff87: + title: 'ASoC: da7219-aad: fix usage of device_get_named_child_node()' + mainline: e8a6a5ad73acbafd98e8fd3f0cbf6e379771bb76 + upstream: 6d2d2aaae1faa64c2f803d6f11f4b2df3b3c2cff +8355ba0b459240e847584f780402073b8236df46: + title: 'crypto: bcm - Fix pointer arithmetic' + mainline: 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 + upstream: c256b616067bfd6d274c679c06986b78d2402434 +09020d6f62421e7fd4240279ff30dde78a0300bc: + title: 'firmware: raspberrypi: Use correct device for DMA mappings' + mainline: df518a0ae1b982a4dcf2235464016c0c4576a34d + upstream: b7277844e7e367381b2377853afceb58427cf6fb +78f8f3e6cf95446a03837bb11a67c4c2569ced32: + title: 'ecryptfs: Fix buffer size for tag 66 packet' + mainline: 85a6a1aff08ec9f5b929d345d066e2830e8818e5 + upstream: 1c125b9287e58f364d82174efb167414b92b11f1 +7ee6938a59b80751d7919f67a3c4fb585d3829f6: + title: 'nilfs2: fix out-of-range warning' + mainline: c473bcdd80d4ab2ae79a7a509a6712818366e32a + upstream: 7610fd35b74211ab8def4e124095e600a1ae945b +72d5387b60255610eb6fd5c18bb819fc39cc8917: + title: 'parisc: add missing export of __cmpxchg_u8()' + mainline: c57e5dccb06decf3cb6c272ab138c033727149b5 + upstream: 63d5a72afbd1505f180e81bc72e056ceea28b43b +7eb7c75444aa358909836ea7ff4f692a53b199f9: + title: 'crypto: ccp - Remove forward declaration' + mainline: 3512dcb4e6c64733871202c01f0ec6b5d84d32ac + upstream: 4b713a1581b17a94a21699165a20d82eb0eca2dc +afb1d97ca2b2cdfa5f46e8eb9fc37934349bc34e: + title: 'crypto: ccp - drop platform ifdef checks' + mainline: 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab + upstream: ce8f89223c9552d18b118596a85fd6cc237bc0e9 +7375909839424727552bd0bb2022ca3db5c6ffe8: + title: 'jffs2: prevent xattr node from overflowing the eraseblock' + mainline: c6854e5a267c28300ff045480b5a7ee7f6f1d913 + upstream: 2904e1d9b64f72d291095e3cbb31634f08788b11 +a28a74b9a53b5b25cde8cfbea4c071f7a1c9beed: + title: 'null_blk: Fix missing mutex_destroy() at module removal' + mainline: 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 + upstream: 54ee1f7e2ea06e5c5341dc54255881fa5d11b312 +520ccb81e3976c1c21d19d43265958faad0aee46: + title: 'nfsd: drop st_mutex before calling move_to_close_lru()' + mainline: 56c35f43eef013579c76c007ba1f386d8c2cac14 + upstream: 52d3370e8022ce28cd8cf4d16c09245aa683d7fb +6faa6059493e8a857fe5c3b5e12a3ceec730cda3: + title: 'wifi: ath10k: poll service ready message before failing' + mainline: e57b7d62a1b2f496caf0beba81cec3c90fad80d5 + upstream: 54e3970b1848856e49f8cd08751dcb010ac3296b +a2c3254bc18b8f7bea19a00d8e7ea4ec52e941c1: + title: 'x86/boot: Ignore relocations in .notes sections in walk_relocs() too' + mainline: 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 + upstream: 2487db16d4b9faead07b7825d33294e9e783791d +5b61b9cefdb45e69ab265050d603cdd30f3d089b: + title: 'scsi: ufs: qcom: Perform read back after writing reset bit' + mainline: c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae + upstream: e6bfc88b60f0874a00b22f243a94a5e8601d5039 +936e250e7ec6cb3bad3a8aa3a699a625e62cb5a6: + title: 'scsi: ufs: core: Perform read back after disabling interrupts' + mainline: e4a628877119bd40164a651d20321247b6f94a8b + upstream: bf144a2e3b5048e5a9e3baf19f54d5e865d578b4 +c5a8d87d1f0792ab4f65cf240309a4effe22de01: + title: 'scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL' + mainline: 4bf3855497b60765ca03b983d064b25e99b97657 + upstream: 8dfd79c1c31660549a03439d42794c138efa5432 +94707145849c4be8019d4f7b2cce86402f9f9127: + title: 'irqchip/alpine-msi: Fix off-by-one in allocation error path' + mainline: ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 + upstream: 4654dfa98682444152aac9bcef50e0d5e114a135 +96f2e9bb5b58c10a84e2a0064c7dc88cdcfff4d8: + title: 'ACPI: disable -Wstringop-truncation' + mainline: a3403d304708f60565582d60af4316289d0316a0 + upstream: 2e816914b5ba234c3815ca80bffd2f3b3a7de6b0 +8734c83b6dae36fbe4d97f42409e04459426858c: + title: 'scsi: libsas: Fix the failure of adding phy with zero-address to port' + mainline: 06036a0a5db34642c5dbe22021a767141f010b7a + upstream: 2d8f31aa03df040c58a2e4a0382b96269c1bf96a +784e2dc0d9be9b2e2ff8e3d05713f4d82895a489: + title: 'scsi: hpsa: Fix allocation size for Scsi_Host private data' + mainline: 504e2bed5d50610c1836046c0c195b0a6dba9c72 + upstream: 9fc44d44b3b8eadd8b797462c733eb6c63598e6f +6541bba29a4584f20a372e98ca07659b1b971c3e: + title: 'wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()' + mainline: c511a9c12674d246916bb16c479d496b76983193 + upstream: 569da482fdec15251ff113462717182d85bd1665 +d85d76f39ef8f74c3ce4b2084bc1d56b90f808ce: + title: 'macintosh/via-macii: Remove BUG_ON assertions' + mainline: 5f93d7081a47e1972031ccf57c4b2779eee162fb + upstream: 880897e8a5ade054a04575e5d8cc2666da415ab4 +cbe81c90b06ebd1a23367c8c594dbddac39d531c: + title: 'm68k/mac: Add mutual exclusion for IOP interrupt polling' +fad0ed0dd7bf14e6c89489e1db0486828e45f563: + title: 'macintosh/via-macii, macintosh/adb-iop: Clean up whitespace' + mainline: 47fd2060660e62b169990a6fcd9eb61bc1a85c5c + upstream: d0aa752285c9a35ee1ae0f2a4da10c5ceb6c09b6 +82b5124ff8448c3b27d5cf963d835806a4ec8726: + title: 'macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"' + mainline: d301a71c76ee4c384b4e03cdc320a55f5cf1df05 + upstream: e4ff8bcfb2841fe4e17e5901578b632adb89036d +e6c959db704b9f17b53d0d695ac791ddb180649b: + title: 'wifi: carl9170: add a proper sanity check for endpoints' + mainline: b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 + upstream: eb0f2fc3ff5806cc572cd9055ce7c52a01e97645 +0e282a437be278b5a28b5de56553710ca304877a: + title: 'wifi: ar5523: enable proper endpoint verification' + mainline: e120b6388d7d88635d67dcae6483f39c37111850 + upstream: 79ddf5f2020fd593d50f1363bb5131283d74f78f +08d55870d721795f5ca9affb641a9d77a5cde478: + title: 'sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()' + mainline: 1422ae080b66134fe192082d9b721ab7bd93fcc5 + upstream: 8ed15460d8bbc517bf54b24c7694e6c0ff174968 +3d986276f8b5fa0dc170e1b35f0659b9ba4b2cd0: + title: 'Revert "sh: Handle calling csum_partial with misaligned data"' + mainline: b5319c96292ff877f6b58d349acf0a9dc8d3b454 + upstream: 3c37203af733254154602273a970cfb7400c223e +2461969d18d1b3a8ca40c5203819221813d2fa47: + title: 'scsi: bfa: Ensure the copied buf is NUL terminated' + mainline: 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 + upstream: 481fc0c8617304a67649027c4a44723a139a0462 +c2d34a41a30021d6947d93dee2373e98416296b8: + title: 'scsi: qedf: Ensure the copied buf is NUL terminated' + mainline: d0184a375ee797eb657d74861ba0935b6e405c62 + upstream: 1f84a2744ad813be23fc4be99fb74bfb24aadb95 +ceee9c23ca78be8cbe0b677623554c14da4a8ffe: + title: 'wifi: mwl8k: initialize cmd->addr[] properly' + mainline: 1d60eabb82694e58543e2b6366dae3e7465892a5 + upstream: 6bc4e51e8d8451d40ec092d01119287af2acffcf +2341a1b273189a5673cfbb6a5badecca8e25d24a: + title: 'net: usb: sr9700: stop lying about skb->truesize' + mainline: 05417aa9c0c038da2464a0c504b9d4f99814a23b + upstream: c0aff9978bb6ead0aec382a2645a563a3dd2df38 +314fdca9aa1eac5417fd9621bf4ebbacfd100e75: + title: 'm68k: Fix spinlock race in kernel thread creation' + mainline: da89ce46f02470ef08f0f580755d14d547da59ed + upstream: 2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14 +4e23b79c4b130dd3049e3c0001d4926dcfacded5: + title: 'm68k/mac: Use ''030 reset method on SE/30' + mainline: 9c0e91f6b701dce6902408d50c4df9cebe4744f5 + upstream: c96430d59c71a0e5c641b5267ccf141c501fe15e +3d47f159d4991609f1a71bb15683f1b8cac8d2a8: + title: 'm68k: mac: Fix reboot hang on Mac IIci' + mainline: 265a3b322df9a973ff1fc63da70af456ab6ae1d6 + upstream: 8055e882c57031a5ca7fbf278796c19ded9f9d6f +be1d9f0e9de4ae6b3c0baed5547aa84be06f6548: + title: 'af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg' + mainline: 540bf24fba16b88c1b3b9353927204b4f1074e25 + upstream: fca6072e1a7b1e709ada5604b951513b89b4bd0a +16d0a15317ccdd42565ee3b0b4414f7134f414ba: + title: 'net: usb: smsc95xx: stop lying about skb->truesize' + mainline: d50729f1d60bca822ef6d9c1a5fb28d486bd7593 + upstream: 1010b50b2ebaaa863baeba7572267ac39bbb7adb +d84c07f0a36edfbb017f66723aff19b75408ec6a: + title: 'net: openvswitch: fix overwriting ct original tuple for ICMPv6' + mainline: 7c988176b6c16c516474f6fceebe0f055af5eb56 + upstream: 6a51ac92bf35d34b4996d6eb67e2fe469f573b11 +e990bf08d73df105508439d775a40706fa34e4da: + title: 'ipv6: sr: add missing seg6_local_exit' + mainline: 3321687e321307629c71b664225b861ebf3e5753 + upstream: 9acb7ed4ff0e57b29326768aa8780f2ba2310090 +32cc76dc98c3a167b25dfe1548848036fc07d834: + title: 'ipv6: sr: fix incorrect unregister order' + mainline: 6e370a771d2985107e82d0f6174381c1acb49c20 + upstream: d55cf7ced48c5054a79829a0b14203710006a277 +a7eb748e89ec4c74a795fd32380019f21ae75895: + title: 'ipv6: sr: fix invalid unregister error path' + mainline: 160e9d2752181fcf18c662e74022d77d3164cd45 + upstream: 10610575a3ac2a702bf5c57aa931beaf847949c7 +73bc0203a1791e5252c190a016d46502406d53f0: + title: 'mtd: rawnand: hynix: fixed typo' + mainline: 6819db94e1cd3ce24a432f3616cd563ed0c4eaba + upstream: 80850a39e2548988f4feae26f3fd66286b460278 +4ba8a5fa126c85d319a0f1c773a15c04dde7d74c: + title: 'fbdev: shmobile: fix snprintf truncation' + mainline: 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 + upstream: f6100ea560ed320a397d99aad6ad6918f0f1a70a +43f9acac76b1661328292b13c57936252536a7ee: + title: 'drm/mediatek: Add 0 size check to mtk_drm_gem_obj' + mainline: 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 + upstream: 79078880795478d551a05acc41f957700030d364 +27a754ac9d1b146c6690b8cc566be4df02028430: + title: 'powerpc/fsl-soc: hide unused const variable' + mainline: 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 + upstream: b798cfeea12ebfd74c4bba511deb02956c97789e +a36a6656bdcc519ee8206e91a484c9545e41c428: + title: 'media: ngene: Add dvb_ca_en50221_init return value check' + mainline: 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 + upstream: 7394bab35c51cead246ef50d8c2e699e36032aed +83fe7e17269e69bb85c5dcde3543fe69a7d14907: + title: 'media: radio-shark2: Avoid led_names truncations' + mainline: 1820e16a3019b6258e6009d34432946a6ddd0a90 + upstream: cbc12c9693fad0545fb0e753d78979026ae0772a +d1bafe8dbdd69b5b94c648616261b10f89e9e634: + title: 'fbdev: sh7760fb: allow modular build' + mainline: 51084f89d687e14d96278241e5200cde4b0985c7 + upstream: 74bafc897cb6c83b29c66cb39e82936204a5e51f +8b76f73f5124b83712d6cdcb3ef990263e40c5f0: + title: 'ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value' + mainline: 58300f8d6a48e58d1843199be743f819e2791ea3 + upstream: 60c68092723ea420215e9c3d5530038bc6568739 +e39747d5b28a334d3aa4a7d53db14f9f30390923: + title: 'x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map' + mainline: 59162e0c11d7257cde15f907d19fefe26da66692 + upstream: ef10bbdf4d59a98cf57ddf943756f14ef3cdbccd +668cfe934e0081e60581269d5afab127489cdfda: + title: 'ext4: avoid excessive credit estimate in ext4_tmpfile()' + mainline: 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 + upstream: 1f9e32f9ea3454f79d80c8af7fac54843beba7f6 +0f0c8dcfaaff549a0397d3e63ec093c2ff6d602d: + title: 'selftests/kcmp: Make the test output consistent and clear' + mainline: ff682226a353d88ffa5db9c2a9b945066776311e + upstream: 32b0469d13ebeb008b39613eb5acf529a10e0bde +eea262830c62f8856fed4c532b5598f83c2972a9: + title: 'selftests/kcmp: remove unused open mode' + mainline: eb59a58113717df04b8a8229befd8ab1e5dbf86e + upstream: 24331545d6ff749a8dbfb09925af86e8cc50dad5 +b3ab7172b68826ae894b394561679727af8e970d: + title: 'RDMA/ipoib: Fix use of sizeof()' +183cb1a936e35c5ae205498945addd70a31a61e0: + title: 'RDMA/IPoIB: Fix format truncation compilation errors' + mainline: 49ca2b2ef3d003402584c68ae7b3055ba72e750a + upstream: b469345f1fca84bed4dea3cae85faa401cf9bf3e +08f41b353c1621f65bd6f61aa5f5aed2fc1feb11: + title: 'netrom: fix possible dead-lock in nr_rt_ioctl()' + mainline: e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 + upstream: b9d663fbf74290cb68fbc66ae4367bd56837ad1d +79417a25cb5eb9644fe89e5aae703a6b591669d5: + title: 'af_packet: do not call packet_read_pending() from tpacket_destruct_skb()' + mainline: 581073f626e387d3e7eed55c48c8495584ead7ba + upstream: 4f3ae7d846b4565c0b80d65ed607c3277bc984d4 +03baaba21b3291e6300e4fafb8d2849f0389de3d: + title: 'sched/topology: Don''t set SD_BALANCE_WAKE on cpuset domain relax' + mainline: 9ae7ab20b4835dbea0e5fc6a5c70171dc354a72e + upstream: 046daa54c348ccec12ab38b92923060dd09ef00b +cd212b4b364b6efe32441d764cabaef2402c8eba: + title: 'sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level' + mainline: a1fd0b9d751f840df23ef0e75b691fc00cfd4743 + upstream: 454de5ed81766fbbf4777c43392d8b0b35e7e16d +8d680792eafdefb9e3e547a305a505da085932ff: + title: 'greybus: lights: check return of get_channel_from_mode' + mainline: a1ba19a1ae7cd1e324685ded4ab563e78fe68648 + upstream: 8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b +0d0f766835c349005332fd8e7b296660a7d6a65a: + title: 'dmaengine: idma64: Add check for dma_set_max_seg_size' + mainline: 2b1c1cf08a0addb6df42f16b37133dc7a351de29 + upstream: 12c70cc851b263b8cc9479a23488992eeb4c35e6 +e9c8e448b86118386e2aed7e3bb0e02fdbb68d14: + title: 'firmware: dmi-id: add a release callback function' + mainline: cf770af5645a41a753c55a053fa1237105b0964a + upstream: 20595142ca22ac2c8357564d9e7d52a0ffa471af +bcbacbcfd59ba38747a001592ffb3aae1118e5de: + title: 'serial: max3100: Lock port->lock when calling uart_handle_cts_change()' + mainline: 77ab53371a2066fdf9b895246505f5ef5a4b5d47 + upstream: 44b38924135d2093e2ec1812969464845dd66dc9 +c6cf8b544d9ca71186322b2ede24e7ded577381a: + title: 'serial: max3100: Update uart_driver_registered on driver removal' + mainline: 712a1fcb38dc7cac6da63ee79a88708fbf9c45ec + upstream: 21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b +647c442cedd75f319c8ce8dc039c2d7baec68317: + title: 'serial: max3100: Fix bitwise types' + mainline: e60955dbecb97f080848a57524827e2db29c70fd + upstream: 2ae8d5726526c05452aff0444b0f305fdf89a32d +89f965ae0a3f751235963e2597c63fd9ce035113: + title: 'greybus: arche-ctrl: move device table to its right location' + mainline: 6a0b8c0da8d8d418cde6894a104cf74e6098ddfa + upstream: 22e65ed6799f2bfd059d633890d6c7ebe46abc9b +0328af15e33a89109f97c8abcce2119896607fb4: + title: 'usb: gadget: u_audio: Clear uac pointer when freed.' + mainline: a2cf936ebef291ef7395172b9e2f624779fb6dc0 + upstream: a646645af00f65db78fe4a60f753f2b07df35b6e +5bbc7d325cef8fbd593fd8e71f12343c47028be1: + title: 'stm class: Fix a double free in stm_register_device()' + mainline: 3df463865ba42b8f88a590326f4c9ea17a1ce459 + upstream: 6cc30ef8eb6d8f8d6df43152264bbf8835d99931 +16e15c7fd21ec24f98668e5a7bf28ef5c1a0fcaa: + title: 'ppdev: Add an error check in register_device' + mainline: fbf740aeb86a4fe82ad158d26d711f2f3be79b3e + upstream: 65cd017d43f4319a56747d38308b0a24cf57299e +d1e6203d776319b888b57b1176df438ee85e67f7: + title: 'extcon: max8997: select IRQ_DOMAIN instead of depending on it' + mainline: b1781d0a1458070d40134e4f3412ec9d70099bec + upstream: b463819e3725b60c550145df952080b5d0fe85a7 +46dc390d5714351d5b798312f8edf666e327a1ef: + title: 'f2fs: add error prints for debugging mount failure' + mainline: 9227d5227b8db354d386f592f159eaa44db1c0b8 + upstream: 3506e1b893b5c2afa96922f36a01f018e4c4bbba +3fa32fd0a2737a59698613854994f72051a6d4bb: + title: 'libsubcmd: Fix parse-options memory leak' + mainline: 230a7a71f92212e723fa435d4ca5922de33ec88a + upstream: 3625187a973f16a3df59b803297816fe51d32400 +41c0d9061a68f5979e3244c26854cef37d91382b: + title: 'Input: ims-pcu - fix printf string overflow' + mainline: bf32bceedd0453c70d9d022e2e29f98e446d7161 + upstream: 502f295dcccf0ee7c4bddcf1ff2876987aaf89ca +7dfc577218ae7aeeadc5bdffe5727d57337904ee: + title: 'Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation' + mainline: 48c0687a322d54ac7e7a685c0b6db78d78f593af + upstream: fd4bb5284d34687c82356f07efe957af89ee51fe +bb75c00bad0d04025b00991fe16db2fc0504ce58: + title: 'um: Fix return value in ubd_init()' + mainline: 31a5990ed253a66712d7ddc29c92d297a991fdf2 + upstream: d2640251f94078e1dcf0a26b1815601f6dbd5440 +330646466ce0f4978524457d109ac80ece62c547: + title: 'um: Add winch to winch_handlers before registering winch IRQ' + mainline: a0fbbd36c156b9f7b2276871d499c9943dfe5101 + upstream: 66ea9a7c6824821476914bed21a476cd20094f33 +b7d9420c157cdb207a95dfc4a40edd116dedf355: + title: 'media: stk1160: fix bounds checking in stk1160_copy_video()' + mainline: faa4364bef2ec0060de381ff028d1d836600a381 + upstream: f6a392266276730bea893b55d12940e32a25f56a +cd05d6e21092d824ec4d37f39f7583310d0442fa: + title: 'powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp' + mainline: 6d4341638516bf97b9a34947e0bd95035a8230a5 + upstream: f0f4cb4cc3f43324bab3b5541b27e79cbd15c8d1 +d6c506b111a38e5583e5bdd880cc0c04d7ef3948: + title: 'um: Fix the -Wmissing-prototypes warning for __switch_mm' + mainline: 2cbade17b18c0f0fd9963f26c9fc9b057eb1cb3a + upstream: c08650c13bfc05794855480cc51075fdfcc388e0 +75fd6535ba80c0726e31004af666d80a0b9c3df8: + title: 'media: cec: cec-api: add locking in cec_release()' + mainline: 42bcaacae924bf18ae387c3f78c202df0b739292 + upstream: d2cfbc5298add5e0c6cfe8b343f73dfdf01c8b1c +9da7f2b727fd54add9890e238847acf82d6807a1: + title: 'null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()' + mainline: 9e6727f824edcdb8fdd3e6e8a0862eb49546e1cd + upstream: 7471d0be031ab830a0fa154437601cff98f7068b +4e00769cc5020fde90269bdd1e5c24302b0ba6ce: + title: 'x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y' + mainline: 66ee3636eddcc82ab82b539d08b85fb5ac1dff9b + upstream: 28a7a1f9571068bb2ddc8a11f0afe5dfa9863462 +3327ed68607e86e489af26305145830bf3f299a6: + title: 'nfc: nci: Fix uninit-value in nci_rx_work' + mainline: e4a87abf588536d1cdfb128595e6e680af5cf3ed + upstream: 406cfac9debd4a6d3dc5d9258ee086372a8c08b6 +2d5acfc9e45f4597b931857dd92d2f29d2382ad7: + title: 'ipv6: sr: fix memleak in seg6_hmac_init_algo' + mainline: efb9f4f19f8e37fde43dfecebc80292d179f56c6 + upstream: afd5730969aec960a2fee4e5ee839a6014643976 +45e0b129726564750a58c06f1b4060b23f158960: + title: 'params: lift param_set_uint_minmax to common code' + mainline: 2a14c9ae15a38148484a128b84bff7e9ffd90d68 + upstream: 459de98d7a6b3d504b5e8664f32f59a306dd425c +cf1096a1c8e1905df5e69949153c2598060457f0: + title: 'tcp: Fix shift-out-of-bounds in dctcp_update_alpha().' + mainline: 3ebc46ca8675de6378e3f8f40768e180bb8afa66 + upstream: 06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6 +a629b0579dee6b041fdcad1859fa9f6a86da4ced: + title: 'openvswitch: Set the skbuff pkt_type for proper pmtud support.' + mainline: 30a92c9e3d6b073932762bef2ac66f4ee784c657 + upstream: 62a95de44a9bc006e01b0afa1b1e8868dc6de9d1 +0374a08aa5206c6200a88e0a122500dfd1d195f0: + title: 'arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY' + mainline: ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f + upstream: f221bd58db0f6ca087ac0392284f6bce21f4f8ea +63c5945dbfcb8b6f4c260aef57172893a15ebbb3: + title: 'virtio: delete vq in vp_find_vqs_msix() when request_irq() fails' + mainline: 89875151fccdd024d571aa884ea97a0128b968b6 + upstream: cb7a7c8144b434e06aba99b13b045a7efe859587 +273d17ed35348d5e6cabe23d9170c876f95f3946: + title: 'net: fec: remove redundant variable ''inc''' +76ff93a5ccf6378571ba77875039f77752ac8a33: + title: 'net: fec: avoid lock evasion when reading pps_enable' + mainline: 3b1c92f8e5371700fada307cc8fd2c51fa7bc8c1 + upstream: 4e4efb8f1b275e85c5c7f69087e392dbae437a8d +3267e236cb890a2ff6450ba831f3ad66386d6c4b: + title: 'nfc: nci: Fix kcov check in nci_rx_work()' + mainline: 19e35f24750ddf860c51e51c68cf07ea181b4881 + upstream: c6c938ef515733a1c7af2c87dbc23138f402ba97 +1a7a9cc0bb2c966cb7edee4a47dc81053e9030d8: + title: 'nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()' + mainline: 6671e352497ca4bb07a96c48e03907065ff77d8a + upstream: 8f02d494cebae48dbd14c582ad4b36846e211b6a +ac335a5fe30958ed4c81fac6b76e4b6c77f6f95d: + title: 'netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()' + mainline: dc21c6cc3d6986d938efbf95de62473982c98dec + upstream: 8658bd777cbfcb0c13df23d0ea120e70517761b9 +0a359294f4d22e037ff38999b1fdaa688aab6e5f: + title: 'spi: Don''t mark message DMA mapped when no transfer in it is' + mainline: 9f788ba457b45b0ce422943fcec9fa35c4587764 + upstream: c7893975764ba3b7a58a186f63dae188f7eddb18 +5584ee5ae01187bdcb286738c27d8cecf7c2b92d: + title: 'nvmet: fix ns enable/disable possible hang' + mainline: f97914e35fd98b2b18fb8a092e0a0799f73afdfe + upstream: 36a935c8785a9ca95b094440a0450cd56b90e70c +d6e67757cebbeb5857838f51e2c514a3c9fc5557: + title: 'net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion' + mainline: 5c74195d5dd977e97556e6fa76909b831c241230 + upstream: 19f9b6cb94eebb4ef2a4a6bca0ef595039d73e04 +5beeab6917b9b59ab2c15744b190b3ad93c58687: + title: 'dma-buf/sw-sync: don''t enable IRQ from sync_print_obj()' + mainline: b794918961516f667b0c745aebdfebbb8a98df39 + upstream: 1ff116f68560a25656933d5a18e7619cb6773d8a +3d00c58ac6d7f0fa0882aafb5b1ca2c3c22838eb: + title: 'enic: Validate length of nl attributes in enic_set_vf_port' + mainline: e8021b94b0412c37bcc79027c2e382086b6ce449 + upstream: 2b649d7e0cb42a660f0260ef25fd55fdc9c6c600 +d7936abfc24afa29d587b2bdd0829092dc478ebf: + title: 'smsc95xx: remove redundant function arguments' + mainline: 368be1ca28f66deba16627e2a02e78adedd023a6 + upstream: eced17c8715d43ce16f61c5a6a49299fbf37c0a0 +17ddb0fdf87c7f3f7c07e2721f688301411d2792: + title: 'smsc95xx: use usbnet->driver_priv' + mainline: ad90a73f0236c41f7a2dedc2e75c7b5a364eb93e + upstream: bcc526fec891dee22162082b1beeb9068b9eabb0 +e0bd5cab3be56a1437e713a5411c458b80fa039c: + title: 'net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM' + mainline: 52a2f0608366a629d43dacd3191039c95fef74ba + upstream: 85b6bcf9d5e332aa9c4b7820cb3aa748c3df6a80 +4c2d953d579bbc6018f916d7474ca42a0ea2471f: + title: 'net:fec: Add fec_enet_deinit()' + mainline: bf0497f53c8535f99b72041529d3f7708a6e2c0d + upstream: 416b0756721dcee2bb6227a4403e694011c32874 +c00f30ffce7c99732b9610771908b84af2f7e95a: + title: 'kconfig: fix comparison to constant symbols, ''m'', ''n''' + mainline: aabdc960a283ba78086b0bf66ee74326f49e218e + upstream: 6bfda3ef7f6a2c1de30e70d67e901aa966f40c17 +59e5a44b8b298cec43305d8ba650673094448b28: + title: 'net: add DEV_STATS_READ() helper' + mainline: 0b068c714ca9479d2783cc333fff5bc2d4a6d45c +f18d1f1dd0f85682cce01581ea7c2596d0d35ead: + title: 'ipvlan: properly track tx_errors' + mainline: ff672b9ffeb3f82135488ac16c5c5eb4b992999b +41e5da22e02a94825b061ad86f10c9d6955727fd: + title: 'ipvlan: add ipvlan_route_v6_outbound() helper' + mainline: 18f039428c7df183b09c69ebf10ffd4e521035d2 +3a016fed8503f04152b170bc324fd7fbbfb155e4: + title: 'ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound' + mainline: b3dc6e8003b500861fa307e9a3400c52e78e4d3a + upstream: 0049a623dfbbb49888de7f0c2f33a582b5ead989 +24212e46bb2a25ec7c7ef9c45a40670608a3a0f8: + title: 'ALSA: timer: Simplify timer hw resolution calls' +804b59ac965568b4ac7b1788ba8b3b324e362693: + title: 'ALSA: timer: Set lower bound of start tick time' + mainline: 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e + upstream: 68396c825c43664b20a3a1ba546844deb2b4e48f +f642f364e2b4e4302e6b41f1583603a9be83baef: + title: 'binder: fix max_thread type inconsistency' + mainline: 42316941335644a98335f209daafa4c122f28983 + upstream: c437184be3c16f7123e5c59b4c85c1101f4dc96b +5584cc5bd6c850f9738f7b249be3d298f0012a16: + title: 'mmc: core: Do not force a retune before RPMB switch' + mainline: 67380251e8bbd3302c64fea07f95c31971b91c22 + upstream: bda1d354bef71be32aaf2c5e6b96eef854b3dd4e +042d63a09767b3d6d006fc867d77cf610bfcdebf: + title: 'fs/nilfs2: convert timers to use timer_setup()' +705fabd9032429d644eee84edc1d45f740edcc81: + title: 'nilfs2: fix use-after-free of timer for log writer thread' + mainline: f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 + upstream: 822ae5a8eac30478578a75f7e064f0584931bf2d +7e6f3eaf97955faec6cf408b6404a35cf2c82ea0: + title: 'vxlan: Fix regression when dropping packets due to invalid src addresses' + mainline: 1cd4bc987abb2823836cbb8f887026011ccddc8a + upstream: f6141cbc2b5af521b1711e95363302b858a38729 +34358bf261de42b079db6cbd5ae3b074282cd00f: + title: 'neighbour: fix unaligned access to pneigh_entry' + mainline: ed779fe4c9b5a20b4ab4fd6f3e19807445bb78c7 + upstream: f451d1a013fd585cbf70a65ca6b9cf3548bb039f +792524d8e1b344cedcb40983a8756d4793a22e9e: + title: 'ata: pata_legacy: make legacy_exit() work again' + mainline: d4a89339f17c87c4990070e9116462d16e75894f + upstream: 21604179f67bd484790c296565bdc38f7a40fe35 +aa9c43942fc69f5e652d6b4f68e0e2bf75868c7e: + title: 'arm64: tegra: Correct Tegra132 I2C alias' + mainline: 2633c58e1354d7de2c8e7be8bdb6f68a0a01bad7 + upstream: 40f76e72ec0ebe27dcff9bfd5de8e65e1a2b8939 +d7263704edf4ee2783b116f64f407752d5b2f2bf: + title: 'md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING' + mainline: 151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa + upstream: b32aa95843cac6b12c2c014d40fca18aef24a347 +964fdd7feb56e40a55b89328877b0a7103bb4084: + title: 'arm64: dts: hi3798cv200: fix the size of GICR' + mainline: 428a575dc9038846ad259466d5ba109858c0a023 + upstream: 26e62b983a31b304733fb21f4b576a4a1e171297 +35d3fa1859980a84c64c51b04a2ac57ffe5af109: + title: 'media: mxl5xx: Move xpt structures off stack' + mainline: 526f4527545b2d4ce0733733929fac7b6da09ac6 + upstream: 772f5e31ed2d6bc5e8698394e4d13b298060c74a +2046df24d6472a520a62d52a72d84d180b3e363c: + title: 'media: v4l2-core: hold videodev_lock until dev reg, finishes' + mainline: 1ed4477f2ea4743e7c5e1f9f3722152d14e6eeb1 + upstream: 1ea3de272f5cc7603610b96316f9ed07bec6c2d0 +293140832f7230044b5f6888d0110714f51b554f: + title: 'fbdev: savage: Handle err return when savagefb_check_var failed' + mainline: 6ad959b6703e2c4c5d7af03b4cfd5ff608036339 + upstream: be754cbd77eaf2932408a4e18532e4945274a5c7 +832e81e147209b23bc09678738383b7bc258b448: + title: 'netfilter: nf_tables: add nft_set_is_anonymous() helper' +05084047e524051c0ea37f6b3183017d783e6e20: + title: 'netfilter: nf_tables: fix set double-free in abort path' + mainline: 40ba1d9b4d19796afc9b7ece872f5f3e8f5e2c13 +c4af59f2d8336214168c4e0778a1a0a62afcbdc4: + title: 'netfilter: nf_tables: pass context to nft_set_destroy()' + mainline: 0c2a85edd143162b3a698f31e94bf8cdc041da87 + upstream: 525561faa075cb49905783fd3e4e16b66b218846 +b42c75cd69307b546b719cc59fb421a7c80a980f: + title: 'netfilter: nftables: rename set element data activation/deactivation functions' + mainline: f8bb7889af58d8e74d2d61c76b1418230f1610fa + upstream: 68b10f33a37e942bdc06b9cb313ad4e1b1f612e8 +e4382ad0d81a0f37c3d430a3009f597568a949a4: + title: 'netfilter: nf_tables: pass ctx to nf_tables_expr_destroy()' +50bfcb0af95ae860d93c151604451b9a10af6e06: + title: 'netfilter: nf_tables: drop map element references from preparation phase' + mainline: 628bd3e49cba1c066228e23d71a852c23e26da73 + upstream: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 +4538b02484e4c2d0c016ca190c5219fd97f932fb: + title: 'netfilter: nf_tables: don''t skip expired elements during walk' + mainline: 24138933b97b055d486e8064b4a1721702442a9b + upstream: 94313a196b44184b5b52c1876da6a537701b425a +ea71b10a3d18e5589f44b836a83003a6e741d6bb: + title: 'netfilter: nft_dynset: report EOPNOTSUPP on missing set feature' + mainline: 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 + upstream: c5c4746c8cd6d049dcbf39c811172c917ea6fb6e +fa8b9918795f9be7f4ca95f5440acff86fe946db: + title: 'netfilter: nft_dynset: relax superfluous check on set updates' + mainline: 7b1394892de8d95748d05e3ee41e85edb4abbfa1 + upstream: 79e98cd78610560a6a6cf85200eb31331602f9a9 +6658c1ef0cb35d3d594507db800cb44a54db4f75: + title: 'KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode' + mainline: dfe6d190f38fc5df5ff2614b463a5195a399c885 + upstream: 3c9ee8294728633e707c25fe0a321eeac1cc7515 +9d5b95ce1488266fd3dc3951da6c8ce25c366ada: + title: 'crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak' + mainline: d3b17c6d9dddc2db3670bc9be628b122416a3d26 + upstream: 0ce5964b82f212f4df6a9813f09a0b5de15bd9c8 +9a9a74f4cdb1295a5a854d2ca6cb87fc19048ef3: + title: 'net/9p: fix uninit-value in p9_client_rpc()' + mainline: 25460d6f39024cc3b8241b14c7ccf0d6f11a736a + upstream: 72c5d8e416ecc46af370a1340b3db5ff0b0cc867 +471ea347bb7d4b16dd62a6642efb111fa36f2da7: + title: 'intel_th: pci: Add Meteor Lake-S CPU support' + mainline: a4f813c3ec9d1c32bc402becd1f011b3904dd699 + upstream: 58c0309c73fe1e9c477ed4cc5d02fc9015336979 +9f2edbc910b189e46e7ca3d17680e36fde63276d: + title: 'sparc64: Fix number of online CPUs' + mainline: 98937707fea8375e8acea0aaa0b68a956dd52719 + upstream: 180b2e4c1ba4f6e3e4c52d6664cb019f6eac02f8 +f751d9a9f3d6c01908cf9bc9d966a35ecc1a2f64: + title: 'kdb: Fix buffer overflow during tab-complete' + mainline: e9730744bf3af04cda23799029342aa3cddbc454 + upstream: fb824a99e148ff272a53d71d84122728b5f00992 +f990953b6d8d752849e6f682628d4632f051b7de: + title: 'kdb: Use format-strings rather than ''\0'' injection in kdb_read()' + mainline: 09b35989421dfd5573f0b4683c7700a7483c71f9 + upstream: 4edfbbaca46491b06af14e49dcb79ac661d0bbdc +fc2a098bc09c4f9968c93222902d72f518ec6953: + title: 'kdb: Fix console handling when editing and tab-completing commands' + mainline: db2f9c7dc29114f531df4a425d0867d01e1f1e28 + upstream: 21c068c1bbb4c336741749596d004b1965faab2c +201f3d45deb9bcf1046483d72642d8457976c7a9: + title: 'kdb: Merge identical case statements in kdb_read()' + mainline: 6244917f377bf64719551b58592a02a0336a7439 + upstream: 4a89182788f9af9a290c19098382fb972ebe2783 +c89fb4fb7559ec8e3f74ecbc29ef856a47cc85d4: + title: 'kdb: Use format-specifiers rather than memset() for padding in kdb_read()' + mainline: c9b51ddb66b1d96e4d364c088da0f1dfb004c574 + upstream: 2467f3f182eb35627534effd4956fceb2504c127 +212ca5dd4286a76808254db293bd898a062b56e3: + title: 'sparc: move struct termio to asm/termios.h' + mainline: c32d18e7942d7589b62e301eb426b32623366565 + upstream: 980a1cd6e092eab9398a78f517809a7dacaa0468 +199f7d837409f78087fde12a33c486d4d866c16e: + title: 'ext4: fix mb_cache_entry''s e_refcnt leak in ext4_xattr_block_cache_find()' + mainline: 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 + upstream: 9ad75e78747b5a50dc5a52f0f8e92e920a653f16 +593e234893f02097b207840c7c31b4d91b64ca14: + title: 'nfs: fix undefined behavior in nfs_block_bits()' + mainline: 3c0a2e0b0ae661457c8505fecc7be5501aa7a715 + upstream: 74ea538aa24490d7d259c881189bb58dbf1f692c +aa4a1101113a8425c065d44e33c636cad583327d: + title: 'crypto: algif_aead - fix uninitialized ctx->init' +8949bc46fedc763c195c9a72f69abb9405cac9dc: + title: 'x86/kvm: Teardown PV features on boot CPU as well' + mainline: 8b79feffeca28c5459458fe78676b081e87c93a4 +227178f3eba56c465bdd554e9786a0699bbf40d4: + title: 'x86/kvm: Disable kvmclock on all CPUs on shutdown' + mainline: c02027b5742b5aa804ef08a4a9db433295533046 +f07e26ece43c2b61389d2a56226ea19d3bd40c57: + title: 'x86/kvm: Disable all PV features on crash' + mainline: 3d6b84132d2a57b5a74100f6923a8feb679ac2ce diff --git a/.elts/upstream/4.19.316.yaml b/.elts/upstream/4.19.316.yaml new file mode 100644 index 000000000000..a74d962d5a80 --- /dev/null +++ b/.elts/upstream/4.19.316.yaml @@ -0,0 +1,830 @@ +bfaadbda9b75e4726783f8ca55ceac1fedbf2deb: + title: 'x86/tsc: Trust initial offset in architectural TSC-adjust MSRs' + mainline: 455f9075f14484f358b3c1d6845b4a438de198a7 + skipped: commit did not cherry-pick cleanly +42f0a3f67158ed6b2908d2b9ffbf7e96d23fd358: + title: 'speakup: Fix sizeof() vs ARRAY_SIZE() bug' + mainline: 008ab3c53bc4f0b2f20013c8f6c204a3203d0b8b + backport: 8bb6ee62c33b1f281b98b2dd19f1d7249a1ee5ab +b50932ea673b5a089a4bb570a8a868d95c72854e: + title: 'ring-buffer: Fix a race between readers and resize checks' + mainline: c2274b908db05529980ec056359fae916939fdaa + backport: a43f1f02b3a93c9a2da8ea92e4d6509d0a61ebd8 +0ca720bd1834c4577426d1fb5a75faa19aa089bf: + title: 'net: smc91x: Fix m68k kernel compilation for ColdFire CPU' + mainline: 5eefb477d21a26183bc3499aeefa991198315a2d + skipped: fixes patch not in branch +072980bc50626c4557694ce54e3f6f2bde02b6e0: + title: 'nilfs2: fix unexpected freezing of nilfs_segctor_sync()' + mainline: 936184eadd82906992ff1f5ab3aada70cce44cee + backport: 39d470c1d65655756f7bc56eef30977466000040 +911d38be151921a5d152bb55e81fd752384c6830: + title: 'nilfs2: fix potential hang in nilfs_detach_log_writer()' + mainline: eb85dace897c5986bc2f36b3c783c6abb8a4292e + backport: 6696ef522ef729e48bb88e624f4b450cc48d0008 +9513d4148950b05bc99fa7314dc883cc0e1605e5: + title: 'tty: n_gsm: fix possible out-of-bounds in gsm0_receive()' + mainline: 47388e807f85948eefc403a8a5fdc5b406a65d5a + backport: 478b032b9b295f6e4d224766b1d74f3f8d8015f5 +5099e30dde0caffa9f0e2c41d7327fc3ed987fd5: + title: 'wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class' + mainline: 9ef369973cd2c97cce3388d2c0c7e3c056656e8a + backport: 0e454ea0aef962c0bc28aaec416c987c472ee16f +25468fffbbd2b0f06b4b12d79ff56cc5c40bfd1f: + title: 'net: usb: qmi_wwan: add Telit FN920C04 compositions' + mainline: 0b8fe5bd73249dc20be2e88a12041f8920797b59 + backport: 52bed87bdd7ff234fbf08cffb5805fec3753a574 +074218a00cf59abff526b79dcd34d461ce81ae4c: + title: 'drm/amd/display: Set color_mgmt_changed to true on unsuspend' + mainline: 2eb9dd497a698dc384c0dd3e0311d541eb2e13dd + skipped: file is not in 4.14.y +5c50d2e998143ce00c0629dcaabd73c3d962545c: + title: 'ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating' + mainline: 103abab975087e1f01b76fcb54c91dbb65dbc249 + backport: 1de2264213019b0e94512027fedda73173da635e +5af06b6c57a9bbfa9bd5421e28bcd5c571c5821e: + title: 'ASoC: dt-bindings: rt5645: add cbj sleeve gpio property' + mainline: 306b38e3fa727d22454a148a364123709e356600 + backport: f5822a115c534c96bcde99428ab661088e193a09 +6d2d2aaae1faa64c2f803d6f11f4b2df3b3c2cff: + title: 'ASoC: da7219-aad: fix usage of device_get_named_child_node()' + mainline: e8a6a5ad73acbafd98e8fd3f0cbf6e379771bb76 + backport: 6c8dd658875782d45f021c5015b9ec9bf5f5ff87 +c256b616067bfd6d274c679c06986b78d2402434: + title: 'crypto: bcm - Fix pointer arithmetic' + mainline: 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 + backport: 8355ba0b459240e847584f780402073b8236df46 +b7277844e7e367381b2377853afceb58427cf6fb: + title: 'firmware: raspberrypi: Use correct device for DMA mappings' + mainline: df518a0ae1b982a4dcf2235464016c0c4576a34d + backport: 09020d6f62421e7fd4240279ff30dde78a0300bc +1c125b9287e58f364d82174efb167414b92b11f1: + title: 'ecryptfs: Fix buffer size for tag 66 packet' + mainline: 85a6a1aff08ec9f5b929d345d066e2830e8818e5 + backport: 78f8f3e6cf95446a03837bb11a67c4c2569ced32 +7610fd35b74211ab8def4e124095e600a1ae945b: + title: 'nilfs2: fix out-of-range warning' + mainline: c473bcdd80d4ab2ae79a7a509a6712818366e32a + backport: 7ee6938a59b80751d7919f67a3c4fb585d3829f6 +63d5a72afbd1505f180e81bc72e056ceea28b43b: + title: 'parisc: add missing export of __cmpxchg_u8()' + mainline: c57e5dccb06decf3cb6c272ab138c033727149b5 + backport: 72d5387b60255610eb6fd5c18bb819fc39cc8917 +4b713a1581b17a94a21699165a20d82eb0eca2dc: + title: 'crypto: ccp - Remove forward declaration' + mainline: 3512dcb4e6c64733871202c01f0ec6b5d84d32ac + backport: 7eb7c75444aa358909836ea7ff4f692a53b199f9 +ce8f89223c9552d18b118596a85fd6cc237bc0e9: + title: 'crypto: ccp - drop platform ifdef checks' + mainline: 42c2d7d02977ef09d434b1f5b354f5bc6c1027ab + backport: afb1d97ca2b2cdfa5f46e8eb9fc37934349bc34e +77edda3c53d696fa30fa0352e18aad485716ffad: + title: 's390/cio: fix tracepoint subchannel type field' + mainline: 8692a24d0fae19f674d51726d179ad04ba95d958 + skipped: fixes patch not in branch +2904e1d9b64f72d291095e3cbb31634f08788b11: + title: 'jffs2: prevent xattr node from overflowing the eraseblock' + mainline: c6854e5a267c28300ff045480b5a7ee7f6f1d913 + backport: 7375909839424727552bd0bb2022ca3db5c6ffe8 +54ee1f7e2ea06e5c5341dc54255881fa5d11b312: + title: 'null_blk: Fix missing mutex_destroy() at module removal' + mainline: 07d1b99825f40f9c0d93e6b99d79a08d0717bac1 + backport: a28a74b9a53b5b25cde8cfbea4c071f7a1c9beed +d4b9c764d48fa41caa24cfb4275f3aa9fb4bd798: + title: 'md: fix resync softlockup when bitmap size is less than array size' + mainline: f0e729af2eb6bee9eb58c4df1087f14ebaefe26b + skipped: fixes patch not in branch +eb984e08100e42c20f05e425590ee1e78e092b9d: + title: 'power: supply: cros_usbpd: provide ID table for avoiding fallback match' + mainline: 0f8678c34cbfdc63569a9b0ede1fe235ec6ec693 + skipped: file is not in 4.14.y +52d3370e8022ce28cd8cf4d16c09245aa683d7fb: + title: 'nfsd: drop st_mutex before calling move_to_close_lru()' + mainline: 56c35f43eef013579c76c007ba1f386d8c2cac14 + backport: 520ccb81e3976c1c21d19d43265958faad0aee46 +54e3970b1848856e49f8cd08751dcb010ac3296b: + title: 'wifi: ath10k: poll service ready message before failing' + mainline: e57b7d62a1b2f496caf0beba81cec3c90fad80d5 + backport: 6faa6059493e8a857fe5c3b5e12a3ceec730cda3 +2487db16d4b9faead07b7825d33294e9e783791d: + title: 'x86/boot: Ignore relocations in .notes sections in walk_relocs() too' + mainline: 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 + backport: a2c3254bc18b8f7bea19a00d8e7ea4ec52e941c1 +6780fe28e415c84f81ee7fc30027e57105f0b136: + title: 'qed: avoid truncating work queue length' + mainline: 954fd908f177604d4cce77e2a88cc50b29bad5ff + skipped: fixes patch not in branch +e6bfc88b60f0874a00b22f243a94a5e8601d5039: + title: 'scsi: ufs: qcom: Perform read back after writing reset bit' + mainline: c4d28e06b0c94636f6e35d003fa9ebac0a94e1ae + backport: 5b61b9cefdb45e69ab265050d603cdd30f3d089b +ea2cebd3b66bffa2630e413553776a4dbdca641a: + title: 'scsi: ufs: cleanup struct utp_task_req_desc' + mainline: 391e388f853dad5d1d7462a31bb50ff2446e37f0 + skipped: commit did not cherry-pick cleanly +359975cbf2551e40130cc604e2753f65585b68d0: + title: 'scsi: ufs: add a low-level __ufshcd_issue_tm_cmd helper' + mainline: c6049cd98212dfe39f67fb411d18d53df0ad9436 + skipped: commit did not cherry-pick cleanly +bf144a2e3b5048e5a9e3baf19f54d5e865d578b4: + title: 'scsi: ufs: core: Perform read back after disabling interrupts' + mainline: e4a628877119bd40164a651d20321247b6f94a8b + backport: 936e250e7ec6cb3bad3a8aa3a699a625e62cb5a6 +8dfd79c1c31660549a03439d42794c138efa5432: + title: 'scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL' + mainline: 4bf3855497b60765ca03b983d064b25e99b97657 + backport: c5a8d87d1f0792ab4f65cf240309a4effe22de01 +4654dfa98682444152aac9bcef50e0d5e114a135: + title: 'irqchip/alpine-msi: Fix off-by-one in allocation error path' + mainline: ff3669a71afa06208de58d6bea1cc49d5e3fcbd1 + backport: 94707145849c4be8019d4f7b2cce86402f9f9127 +2e816914b5ba234c3815ca80bffd2f3b3a7de6b0: + title: 'ACPI: disable -Wstringop-truncation' + mainline: a3403d304708f60565582d60af4316289d0316a0 + backport: 96f2e9bb5b58c10a84e2a0064c7dc88cdcfff4d8 +2d8f31aa03df040c58a2e4a0382b96269c1bf96a: + title: 'scsi: libsas: Fix the failure of adding phy with zero-address to port' + mainline: 06036a0a5db34642c5dbe22021a767141f010b7a + backport: 8734c83b6dae36fbe4d97f42409e04459426858c +9fc44d44b3b8eadd8b797462c733eb6c63598e6f: + title: 'scsi: hpsa: Fix allocation size for Scsi_Host private data' + mainline: 504e2bed5d50610c1836046c0c195b0a6dba9c72 + backport: 784e2dc0d9be9b2e2ff8e3d05713f4d82895a489 +8b434681a6e7b2cae1452f1932d59c069236e9d2: + title: 'x86/purgatory: Switch to the position-independent small code model' + mainline: cba786af84a0f9716204e09f518ce3b7ada8555e + skipped: fixes patch not in branch +569da482fdec15251ff113462717182d85bd1665: + title: 'wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()' + mainline: c511a9c12674d246916bb16c479d496b76983193 + backport: 6541bba29a4584f20a372e98ca07659b1b971c3e +7020f6ad57cfd532a106542c2015710170270d21: + title: 'wifi: ath10k: populate board data for WCN3990' + mainline: f1f1b5b055c9f27a2f90fd0f0521f5920e9b3c18 + skipped: fixes patch not in branch +880897e8a5ade054a04575e5d8cc2666da415ab4: + title: 'macintosh/via-macii: Remove BUG_ON assertions' + mainline: 5f93d7081a47e1972031ccf57c4b2779eee162fb + backport: d85d76f39ef8f74c3ce4b2084bc1d56b90f808ce +d0aa752285c9a35ee1ae0f2a4da10c5ceb6c09b6: + title: 'macintosh/via-macii, macintosh/adb-iop: Clean up whitespace' + mainline: 47fd2060660e62b169990a6fcd9eb61bc1a85c5c + backport: fad0ed0dd7bf14e6c89489e1db0486828e45f563 +e4ff8bcfb2841fe4e17e5901578b632adb89036d: + title: 'macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"' + mainline: d301a71c76ee4c384b4e03cdc320a55f5cf1df05 + backport: 82b5124ff8448c3b27d5cf963d835806a4ec8726 +eb0f2fc3ff5806cc572cd9055ce7c52a01e97645: + title: 'wifi: carl9170: add a proper sanity check for endpoints' + mainline: b6dd09b3dac89b45d1ea3e3bd035a3859c0369a0 + backport: e6c959db704b9f17b53d0d695ac791ddb180649b +79ddf5f2020fd593d50f1363bb5131283d74f78f: + title: 'wifi: ar5523: enable proper endpoint verification' + mainline: e120b6388d7d88635d67dcae6483f39c37111850 + backport: 0e282a437be278b5a28b5de56553710ca304877a +8ed15460d8bbc517bf54b24c7694e6c0ff174968: + title: 'sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()' + mainline: 1422ae080b66134fe192082d9b721ab7bd93fcc5 + backport: 08d55870d721795f5ca9affb641a9d77a5cde478 +3c37203af733254154602273a970cfb7400c223e: + title: 'Revert "sh: Handle calling csum_partial with misaligned data"' + mainline: b5319c96292ff877f6b58d349acf0a9dc8d3b454 + backport: 3d986276f8b5fa0dc170e1b35f0659b9ba4b2cd0 +481fc0c8617304a67649027c4a44723a139a0462: + title: 'scsi: bfa: Ensure the copied buf is NUL terminated' + mainline: 13d0cecb4626fae67c00c84d3c7851f6b62f7df3 + backport: 2461969d18d1b3a8ca40c5203819221813d2fa47 +1f84a2744ad813be23fc4be99fb74bfb24aadb95: + title: 'scsi: qedf: Ensure the copied buf is NUL terminated' + mainline: d0184a375ee797eb657d74861ba0935b6e405c62 + backport: c2d34a41a30021d6947d93dee2373e98416296b8 +6bc4e51e8d8451d40ec092d01119287af2acffcf: + title: 'wifi: mwl8k: initialize cmd->addr[] properly' + mainline: 1d60eabb82694e58543e2b6366dae3e7465892a5 + backport: ceee9c23ca78be8cbe0b677623554c14da4a8ffe +c0aff9978bb6ead0aec382a2645a563a3dd2df38: + title: 'net: usb: sr9700: stop lying about skb->truesize' + mainline: 05417aa9c0c038da2464a0c504b9d4f99814a23b + backport: 2341a1b273189a5673cfbb6a5badecca8e25d24a +2a8d1d95302c7d52c6ac8fa5cb4a6948ae0d3a14: + title: 'm68k: Fix spinlock race in kernel thread creation' + mainline: da89ce46f02470ef08f0f580755d14d547da59ed + backport: 314fdca9aa1eac5417fd9621bf4ebbacfd100e75 +c96430d59c71a0e5c641b5267ccf141c501fe15e: + title: 'm68k/mac: Use ''030 reset method on SE/30' + mainline: 9c0e91f6b701dce6902408d50c4df9cebe4744f5 + backport: 4e23b79c4b130dd3049e3c0001d4926dcfacded5 +8055e882c57031a5ca7fbf278796c19ded9f9d6f: + title: 'm68k: mac: Fix reboot hang on Mac IIci' + mainline: 265a3b322df9a973ff1fc63da70af456ab6ae1d6 + backport: 3d47f159d4991609f1a71bb15683f1b8cac8d2a8 +0a60bdd5ac8a51ac9c04bd19fee30c1c4f178dc3: + title: 'net: ethernet: cortina: Locking fixes' + mainline: 812552808f7ff71133fc59768cdc253c5b8ca1bf + skipped: fixes patch not in branch +fca6072e1a7b1e709ada5604b951513b89b4bd0a: + title: 'af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg' + mainline: 540bf24fba16b88c1b3b9353927204b4f1074e25 + backport: be1d9f0e9de4ae6b3c0baed5547aa84be06f6548 +1010b50b2ebaaa863baeba7572267ac39bbb7adb: + title: 'net: usb: smsc95xx: stop lying about skb->truesize' + mainline: d50729f1d60bca822ef6d9c1a5fb28d486bd7593 + backport: 16d0a15317ccdd42565ee3b0b4414f7134f414ba +6a51ac92bf35d34b4996d6eb67e2fe469f573b11: + title: 'net: openvswitch: fix overwriting ct original tuple for ICMPv6' + mainline: 7c988176b6c16c516474f6fceebe0f055af5eb56 + backport: d84c07f0a36edfbb017f66723aff19b75408ec6a +9acb7ed4ff0e57b29326768aa8780f2ba2310090: + title: 'ipv6: sr: add missing seg6_local_exit' + mainline: 3321687e321307629c71b664225b861ebf3e5753 + backport: e990bf08d73df105508439d775a40706fa34e4da +d55cf7ced48c5054a79829a0b14203710006a277: + title: 'ipv6: sr: fix incorrect unregister order' + mainline: 6e370a771d2985107e82d0f6174381c1acb49c20 + backport: 32cc76dc98c3a167b25dfe1548848036fc07d834 +10610575a3ac2a702bf5c57aa931beaf847949c7: + title: 'ipv6: sr: fix invalid unregister error path' + mainline: 160e9d2752181fcf18c662e74022d77d3164cd45 + backport: a7eb748e89ec4c74a795fd32380019f21ae75895 +604c506ca43fce52bb882cff9c1fdf2ec3b4029c: + title: 'drm/amd/display: Fix potential index out of bounds in color transformation function' + mainline: 63ae548f1054a0b71678d0349c7dc9628ddd42ca + skipped: fixes patch not in branch +80850a39e2548988f4feae26f3fd66286b460278: + title: 'mtd: rawnand: hynix: fixed typo' + mainline: 6819db94e1cd3ce24a432f3616cd563ed0c4eaba + backport: 73bc0203a1791e5252c190a016d46502406d53f0 +f6100ea560ed320a397d99aad6ad6918f0f1a70a: + title: 'fbdev: shmobile: fix snprintf truncation' + mainline: 26c8cfb9d1e4b252336d23dd5127a8cbed414a32 + backport: 4ba8a5fa126c85d319a0f1c773a15c04dde7d74c +79078880795478d551a05acc41f957700030d364: + title: 'drm/mediatek: Add 0 size check to mtk_drm_gem_obj' + mainline: 1e4350095e8ab2577ee05f8c3b044e661b5af9a0 + backport: 43f9acac76b1661328292b13c57936252536a7ee +b798cfeea12ebfd74c4bba511deb02956c97789e: + title: 'powerpc/fsl-soc: hide unused const variable' + mainline: 01acaf3aa75e1641442cc23d8fe0a7bb4226efb1 + backport: 27a754ac9d1b146c6690b8cc566be4df02028430 +6891334b1458739701885fef2909daef754654fa: + title: 'fbdev: sisfb: hide unused variables' + mainline: 688cf598665851b9e8cb5083ff1d208ce43d10ff + skipped: fixes patch not in branch +7394bab35c51cead246ef50d8c2e699e36032aed: + title: 'media: ngene: Add dvb_ca_en50221_init return value check' + mainline: 9bb1fd7eddcab2d28cfc11eb20f1029154dac718 + backport: a36a6656bdcc519ee8206e91a484c9545e41c428 +cbc12c9693fad0545fb0e753d78979026ae0772a: + title: 'media: radio-shark2: Avoid led_names truncations' + mainline: 1820e16a3019b6258e6009d34432946a6ddd0a90 + backport: 83fe7e17269e69bb85c5dcde3543fe69a7d14907 +74bafc897cb6c83b29c66cb39e82936204a5e51f: + title: 'fbdev: sh7760fb: allow modular build' + mainline: 51084f89d687e14d96278241e5200cde4b0985c7 + backport: d1bafe8dbdd69b5b94c648616261b10f89e9e634 +b6cc5dd06336ed8bb3a7a1fc5aaf7d5e88bc0818: + title: 'drm/arm/malidp: fix a possible null pointer dereference' + mainline: a1f95aede6285dba6dd036d907196f35ae3a11ea + skipped: fixes patch not in branch +60c68092723ea420215e9c3d5530038bc6568739: + title: 'ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value' + mainline: 58300f8d6a48e58d1843199be743f819e2791ea3 + backport: 8b76f73f5124b83712d6cdcb3ef990263e40c5f0 +9b7b7f640f078cfe90319190b59efcde3acc1952: + title: 'RDMA/hns: Use complete parentheses in macros' + mainline: 4125269bb9b22e1d8cdf4412c81be8074dbc61ca + skipped: fixes patch not in branch +ef10bbdf4d59a98cf57ddf943756f14ef3cdbccd: + title: 'x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map' + mainline: 59162e0c11d7257cde15f907d19fefe26da66692 + backport: e39747d5b28a334d3aa4a7d53db14f9f30390923 +1f9e32f9ea3454f79d80c8af7fac54843beba7f6: + title: 'ext4: avoid excessive credit estimate in ext4_tmpfile()' + mainline: 35a1f12f0ca857fee1d7a04ef52cbd5f1f84de13 + backport: 668cfe934e0081e60581269d5afab127489cdfda +ab8466d4e26806a4ae82c282762c4545eecf45ef: + title: 'SUNRPC: Fix gss_free_in_token_pages()' + mainline: bafa6b4d95d97877baa61883ff90f7e374427fae + skipped: fixes patch not in branch +32b0469d13ebeb008b39613eb5acf529a10e0bde: + title: 'selftests/kcmp: Make the test output consistent and clear' + mainline: ff682226a353d88ffa5db9c2a9b945066776311e + backport: 0f0c8dcfaaff549a0397d3e63ec093c2ff6d602d +24331545d6ff749a8dbfb09925af86e8cc50dad5: + title: 'selftests/kcmp: remove unused open mode' + mainline: eb59a58113717df04b8a8229befd8ab1e5dbf86e + backport: eea262830c62f8856fed4c532b5598f83c2972a9 +b469345f1fca84bed4dea3cae85faa401cf9bf3e: + title: 'RDMA/IPoIB: Fix format truncation compilation errors' + mainline: 49ca2b2ef3d003402584c68ae7b3055ba72e750a + backport: 183cb1a936e35c5ae205498945addd70a31a61e0 +b9d663fbf74290cb68fbc66ae4367bd56837ad1d: + title: 'netrom: fix possible dead-lock in nr_rt_ioctl()' + mainline: e03e7f20ebf7e1611d40d1fdc1bde900fd3335f6 + backport: 08f41b353c1621f65bd6f61aa5f5aed2fc1feb11 +4f3ae7d846b4565c0b80d65ed607c3277bc984d4: + title: 'af_packet: do not call packet_read_pending() from tpacket_destruct_skb()' + mainline: 581073f626e387d3e7eed55c48c8495584ead7ba + backport: 79417a25cb5eb9644fe89e5aae703a6b591669d5 +046daa54c348ccec12ab38b92923060dd09ef00b: + title: 'sched/topology: Don''t set SD_BALANCE_WAKE on cpuset domain relax' + mainline: 9ae7ab20b4835dbea0e5fc6a5c70171dc354a72e + backport: 03baaba21b3291e6300e4fafb8d2849f0389de3d +454de5ed81766fbbf4777c43392d8b0b35e7e16d: + title: 'sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level' + mainline: a1fd0b9d751f840df23ef0e75b691fc00cfd4743 + backport: cd212b4b364b6efe32441d764cabaef2402c8eba +8f4a76d477f0cc3c54d512f07f6f88c8e1c1e07b: + title: 'greybus: lights: check return of get_channel_from_mode' + mainline: a1ba19a1ae7cd1e324685ded4ab563e78fe68648 + backport: 8d680792eafdefb9e3e547a305a505da085932ff +12c70cc851b263b8cc9479a23488992eeb4c35e6: + title: 'dmaengine: idma64: Add check for dma_set_max_seg_size' + mainline: 2b1c1cf08a0addb6df42f16b37133dc7a351de29 + backport: 0d0f766835c349005332fd8e7b296660a7d6a65a +20595142ca22ac2c8357564d9e7d52a0ffa471af: + title: 'firmware: dmi-id: add a release callback function' + mainline: cf770af5645a41a753c55a053fa1237105b0964a + backport: e9c8e448b86118386e2aed7e3bb0e02fdbb68d14 +44b38924135d2093e2ec1812969464845dd66dc9: + title: 'serial: max3100: Lock port->lock when calling uart_handle_cts_change()' + mainline: 77ab53371a2066fdf9b895246505f5ef5a4b5d47 + backport: bcbacbcfd59ba38747a001592ffb3aae1118e5de +21a61a7fbcfdd3493cede43ebc7c4dfae2147a8b: + title: 'serial: max3100: Update uart_driver_registered on driver removal' + mainline: 712a1fcb38dc7cac6da63ee79a88708fbf9c45ec + backport: c6cf8b544d9ca71186322b2ede24e7ded577381a +2ae8d5726526c05452aff0444b0f305fdf89a32d: + title: 'serial: max3100: Fix bitwise types' + mainline: e60955dbecb97f080848a57524827e2db29c70fd + backport: 647c442cedd75f319c8ce8dc039c2d7baec68317 +22e65ed6799f2bfd059d633890d6c7ebe46abc9b: + title: 'greybus: arche-ctrl: move device table to its right location' + mainline: 6a0b8c0da8d8d418cde6894a104cf74e6098ddfa + backport: 89f965ae0a3f751235963e2597c63fd9ce035113 +2822594f2dac6e493379885cef54fd179d8de8c5: + title: 'microblaze: Remove gcc flag for non existing early_printk.c file' + mainline: edc66cf0c4164aa3daf6cc55e970bb94383a6a57 + skipped: fixes patch not in branch +d481ddb83d2d92c31479cdfaa7fdd97a73697992: + title: 'microblaze: Remove early printk call from cpuinfo-static.c' + mainline: 58d647506c92ccd3cfa0c453c68ddd14f40bf06f + skipped: fixes patch not in branch +a646645af00f65db78fe4a60f753f2b07df35b6e: + title: 'usb: gadget: u_audio: Clear uac pointer when freed.' + mainline: a2cf936ebef291ef7395172b9e2f624779fb6dc0 + backport: 0328af15e33a89109f97c8abcce2119896607fb4 +6cc30ef8eb6d8f8d6df43152264bbf8835d99931: + title: 'stm class: Fix a double free in stm_register_device()' + mainline: 3df463865ba42b8f88a590326f4c9ea17a1ce459 + backport: 5bbc7d325cef8fbd593fd8e71f12343c47028be1 +1e4805ba1b7800f2acfdd0b2e6588e4b64d6c493: + title: 'ppdev: Remove usage of the deprecated ida_simple_xx() API' + mainline: d8407f71ebeaeb6f50bd89791837873e44609708 + skipped: new API does not exist in 4.14 +65cd017d43f4319a56747d38308b0a24cf57299e: + title: 'ppdev: Add an error check in register_device' + mainline: fbf740aeb86a4fe82ad158d26d711f2f3be79b3e + backport: 16e15c7fd21ec24f98668e5a7bf28ef5c1a0fcaa +b463819e3725b60c550145df952080b5d0fe85a7: + title: 'extcon: max8997: select IRQ_DOMAIN instead of depending on it' + mainline: b1781d0a1458070d40134e4f3412ec9d70099bec + backport: d1e6203d776319b888b57b1176df438ee85e67f7 +3506e1b893b5c2afa96922f36a01f018e4c4bbba: + title: 'f2fs: add error prints for debugging mount failure' + mainline: 9227d5227b8db354d386f592f159eaa44db1c0b8 + backport: 46dc390d5714351d5b798312f8edf666e327a1ef +bc14bb3ef307947fc3110bca8a34a85a63300b6c: + title: 'f2fs: fix to release node block count in error path of f2fs_new_node_page()' + mainline: 0fa4e57c1db263effd72d2149d4e21da0055c316 + skipped: fixes patch not in branch +82b6263b330a2b94a0b1d5c5d5543db7e24340ec: + title: 'serial: sh-sci: Extract sci_dma_rx_chan_invalidate()' + mainline: 11b3770d54b28dcd905155a6d4aa551187ff00eb + skipped: dependency for a patch not needed for 4.14.y +03023fd058fab714309a8d91ccdf1b3c5bb816d3: + title: 'serial: sh-sci: protect invalidating RXDMA on shutdown' + mainline: aae20f6e34cd0cbd67a1d0e5877561c40109a81b + skipped: fixes patch not in branch +3625187a973f16a3df59b803297816fe51d32400: + title: 'libsubcmd: Fix parse-options memory leak' + mainline: 230a7a71f92212e723fa435d4ca5922de33ec88a + backport: 3fa32fd0a2737a59698613854994f72051a6d4bb +502f295dcccf0ee7c4bddcf1ff2876987aaf89ca: + title: 'Input: ims-pcu - fix printf string overflow' + mainline: bf32bceedd0453c70d9d022e2e29f98e446d7161 + backport: 41c0d9061a68f5979e3244c26854cef37d91382b +fd4bb5284d34687c82356f07efe957af89ee51fe: + title: 'Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation' + mainline: 48c0687a322d54ac7e7a685c0b6db78d78f593af + backport: 7dfc577218ae7aeeadc5bdffe5727d57337904ee +732e700a1689fbdb8ac94faeb7765e81456b0a95: + title: 'drm/msm/dpu: use kms stored hw mdp block' + mainline: 57250ca5433306774e7f83b11503609ed1bf28cf + skipped: file is not in 4.14.y +d2640251f94078e1dcf0a26b1815601f6dbd5440: + title: 'um: Fix return value in ubd_init()' + mainline: 31a5990ed253a66712d7ddc29c92d297a991fdf2 + backport: bb75c00bad0d04025b00991fe16db2fc0504ce58 +66ea9a7c6824821476914bed21a476cd20094f33: + title: 'um: Add winch to winch_handlers before registering winch IRQ' + mainline: a0fbbd36c156b9f7b2276871d499c9943dfe5101 + backport: 330646466ce0f4978524457d109ac80ece62c547 +f6a392266276730bea893b55d12940e32a25f56a: + title: 'media: stk1160: fix bounds checking in stk1160_copy_video()' + mainline: faa4364bef2ec0060de381ff028d1d836600a381 + backport: b7d9420c157cdb207a95dfc4a40edd116dedf355 +f0f4cb4cc3f43324bab3b5541b27e79cbd15c8d1: + title: 'powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp' + mainline: 6d4341638516bf97b9a34947e0bd95035a8230a5 + backport: cd05d6e21092d824ec4d37f39f7583310d0442fa +c08650c13bfc05794855480cc51075fdfcc388e0: + title: 'um: Fix the -Wmissing-prototypes warning for __switch_mm' + mainline: 2cbade17b18c0f0fd9963f26c9fc9b057eb1cb3a + backport: d6c506b111a38e5583e5bdd880cc0c04d7ef3948 +896dfd4d74f84c854d3a24d889e54a44329d313e: + title: 'media: cec: cec-adap: always cancel work in cec_transmit_msg_fh' + mainline: 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce + skipped: fixes patch not in branch +d2cfbc5298add5e0c6cfe8b343f73dfdf01c8b1c: + title: 'media: cec: cec-api: add locking in cec_release()' + mainline: 42bcaacae924bf18ae387c3f78c202df0b739292 + backport: 75fd6535ba80c0726e31004af666d80a0b9c3df8 +7471d0be031ab830a0fa154437601cff98f7068b: + title: 'null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()' + mainline: 9e6727f824edcdb8fdd3e6e8a0862eb49546e1cd + backport: 9da7f2b727fd54add9890e238847acf82d6807a1 +28a7a1f9571068bb2ddc8a11f0afe5dfa9863462: + title: 'x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y' + mainline: 66ee3636eddcc82ab82b539d08b85fb5ac1dff9b + backport: 4e00769cc5020fde90269bdd1e5c24302b0ba6ce +406cfac9debd4a6d3dc5d9258ee086372a8c08b6: + title: 'nfc: nci: Fix uninit-value in nci_rx_work' + mainline: e4a87abf588536d1cdfb128595e6e680af5cf3ed + backport: 3327ed68607e86e489af26305145830bf3f299a6 +afd5730969aec960a2fee4e5ee839a6014643976: + title: 'ipv6: sr: fix memleak in seg6_hmac_init_algo' + mainline: efb9f4f19f8e37fde43dfecebc80292d179f56c6 + backport: 2d5acfc9e45f4597b931857dd92d2f29d2382ad7 +459de98d7a6b3d504b5e8664f32f59a306dd425c: + title: 'params: lift param_set_uint_minmax to common code' + mainline: 2a14c9ae15a38148484a128b84bff7e9ffd90d68 + backport: 45e0b129726564750a58c06f1b4060b23f158960 +06d0fe049b51b0a92a70df8333fd85c4ba3eb2c6: + title: 'tcp: Fix shift-out-of-bounds in dctcp_update_alpha().' + mainline: 3ebc46ca8675de6378e3f8f40768e180bb8afa66 + backport: cf1096a1c8e1905df5e69949153c2598060457f0 +62a95de44a9bc006e01b0afa1b1e8868dc6de9d1: + title: 'openvswitch: Set the skbuff pkt_type for proper pmtud support.' + mainline: 30a92c9e3d6b073932762bef2ac66f4ee784c657 + backport: a629b0579dee6b041fdcad1859fa9f6a86da4ced +f221bd58db0f6ca087ac0392284f6bce21f4f8ea: + title: 'arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY' + mainline: ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f + backport: 0374a08aa5206c6200a88e0a122500dfd1d195f0 +cb7a7c8144b434e06aba99b13b045a7efe859587: + title: 'virtio: delete vq in vp_find_vqs_msix() when request_irq() fails' + mainline: 89875151fccdd024d571aa884ea97a0128b968b6 + backport: 63c5945dbfcb8b6f4c260aef57172893a15ebbb3 +4e4efb8f1b275e85c5c7f69087e392dbae437a8d: + title: 'net: fec: avoid lock evasion when reading pps_enable' + mainline: 3b1c92f8e5371700fada307cc8fd2c51fa7bc8c1 + backport: 76ff93a5ccf6378571ba77875039f77752ac8a33 +c6c938ef515733a1c7af2c87dbc23138f402ba97: + title: 'nfc: nci: Fix kcov check in nci_rx_work()' + mainline: 19e35f24750ddf860c51e51c68cf07ea181b4881 + backport: 3267e236cb890a2ff6450ba831f3ad66386d6c4b +8f02d494cebae48dbd14c582ad4b36846e211b6a: + title: 'nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()' + mainline: 6671e352497ca4bb07a96c48e03907065ff77d8a + backport: 1a7a9cc0bb2c966cb7edee4a47dc81053e9030d8 +8658bd777cbfcb0c13df23d0ea120e70517761b9: + title: 'netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()' + mainline: dc21c6cc3d6986d938efbf95de62473982c98dec + backport: ac335a5fe30958ed4c81fac6b76e4b6c77f6f95d +c7893975764ba3b7a58a186f63dae188f7eddb18: + title: 'spi: Don''t mark message DMA mapped when no transfer in it is' + mainline: 9f788ba457b45b0ce422943fcec9fa35c4587764 + backport: 0a359294f4d22e037ff38999b1fdaa688aab6e5f +36a935c8785a9ca95b094440a0450cd56b90e70c: + title: 'nvmet: fix ns enable/disable possible hang' + mainline: f97914e35fd98b2b18fb8a092e0a0799f73afdfe + backport: 5584ee5ae01187bdcb286738c27d8cecf7c2b92d +19f9b6cb94eebb4ef2a4a6bca0ef595039d73e04: + title: 'net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion' + mainline: 5c74195d5dd977e97556e6fa76909b831c241230 + backport: d6e67757cebbeb5857838f51e2c514a3c9fc5557 +1ff116f68560a25656933d5a18e7619cb6773d8a: + title: 'dma-buf/sw-sync: don''t enable IRQ from sync_print_obj()' + mainline: b794918961516f667b0c745aebdfebbb8a98df39 + backport: 5beeab6917b9b59ab2c15744b190b3ad93c58687 +2b649d7e0cb42a660f0260ef25fd55fdc9c6c600: + title: 'enic: Validate length of nl attributes in enic_set_vf_port' + mainline: e8021b94b0412c37bcc79027c2e382086b6ce449 + backport: 3d00c58ac6d7f0fa0882aafb5b1ca2c3c22838eb +eced17c8715d43ce16f61c5a6a49299fbf37c0a0: + title: 'smsc95xx: remove redundant function arguments' + mainline: 368be1ca28f66deba16627e2a02e78adedd023a6 + backport: d7936abfc24afa29d587b2bdd0829092dc478ebf +bcc526fec891dee22162082b1beeb9068b9eabb0: + title: 'smsc95xx: use usbnet->driver_priv' + mainline: ad90a73f0236c41f7a2dedc2e75c7b5a364eb93e + backport: 17ddb0fdf87c7f3f7c07e2721f688301411d2792 +85b6bcf9d5e332aa9c4b7820cb3aa748c3df6a80: + title: 'net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM' + mainline: 52a2f0608366a629d43dacd3191039c95fef74ba + backport: e0bd5cab3be56a1437e713a5411c458b80fa039c +416b0756721dcee2bb6227a4403e694011c32874: + title: 'net:fec: Add fec_enet_deinit()' + mainline: bf0497f53c8535f99b72041529d3f7708a6e2c0d + backport: 4c2d953d579bbc6018f916d7474ca42a0ea2471f +6bfda3ef7f6a2c1de30e70d67e901aa966f40c17: + title: 'kconfig: fix comparison to constant symbols, ''m'', ''n''' + mainline: aabdc960a283ba78086b0bf66ee74326f49e218e + backport: c00f30ffce7c99732b9610771908b84af2f7e95a +0049a623dfbbb49888de7f0c2f33a582b5ead989: + title: 'ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound' + mainline: b3dc6e8003b500861fa307e9a3400c52e78e4d3a + backport: 3a016fed8503f04152b170bc324fd7fbbfb155e4 +68396c825c43664b20a3a1ba546844deb2b4e48f: + title: 'ALSA: timer: Set lower bound of start tick time' + mainline: 4a63bd179fa8d3fcc44a0d9d71d941ddd62f0c4e + backport: 804b59ac965568b4ac7b1788ba8b3b324e362693 +a40209d355afe4ed6d533507838c9e5cd70a76d8: + title: 'genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline' + mainline: a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32 + skipped: too risky to backport +57ff6c0a175930856213b2aa39f8c845a53e5b1c: + title: 'SUNRPC: Fix loop termination condition in gss_free_in_token_pages()' + mainline: 4a77c3dead97339478c7422eb07bf4bf63577008 + skipped: fixes patch not in branch +c437184be3c16f7123e5c59b4c85c1101f4dc96b: + title: 'binder: fix max_thread type inconsistency' + mainline: 42316941335644a98335f209daafa4c122f28983 + backport: f642f364e2b4e4302e6b41f1583603a9be83baef +bda1d354bef71be32aaf2c5e6b96eef854b3dd4e: + title: 'mmc: core: Do not force a retune before RPMB switch' + mainline: 67380251e8bbd3302c64fea07f95c31971b91c22 + backport: 5584cc5bd6c850f9738f7b249be3d298f0012a16 +822ae5a8eac30478578a75f7e064f0584931bf2d: + title: 'nilfs2: fix use-after-free of timer for log writer thread' + mainline: f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 + backport: 705fabd9032429d644eee84edc1d45f740edcc81 +f6141cbc2b5af521b1711e95363302b858a38729: + title: 'vxlan: Fix regression when dropping packets due to invalid src addresses' + mainline: 1cd4bc987abb2823836cbb8f887026011ccddc8a + backport: 7e6f3eaf97955faec6cf408b6404a35cf2c82ea0 +f451d1a013fd585cbf70a65ca6b9cf3548bb039f: + title: 'neighbour: fix unaligned access to pneigh_entry' + mainline: ed779fe4c9b5a20b4ab4fd6f3e19807445bb78c7 + backport: 34358bf261de42b079db6cbd5ae3b074282cd00f +21604179f67bd484790c296565bdc38f7a40fe35: + title: 'ata: pata_legacy: make legacy_exit() work again' + mainline: d4a89339f17c87c4990070e9116462d16e75894f + backport: 792524d8e1b344cedcb40983a8756d4793a22e9e +40f76e72ec0ebe27dcff9bfd5de8e65e1a2b8939: + title: 'arm64: tegra: Correct Tegra132 I2C alias' + mainline: 2633c58e1354d7de2c8e7be8bdb6f68a0a01bad7 + backport: aa9c43942fc69f5e652d6b4f68e0e2bf75868c7e +b32aa95843cac6b12c2c014d40fca18aef24a347: + title: 'md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING' + mainline: 151f66bb618d1fd0eeb84acb61b4a9fa5d8bb0fa + backport: d7263704edf4ee2783b116f64f407752d5b2f2bf +e9b77b537a198235a518f71a274348afd1288467: + title: 'wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU' + mainline: 08b5d052d17a89bb8706b2888277d0b682dc1610 + skipped: u32_get_bits() does not build +26e62b983a31b304733fb21f4b576a4a1e171297: + title: 'arm64: dts: hi3798cv200: fix the size of GICR' + mainline: 428a575dc9038846ad259466d5ba109858c0a023 + backport: 964fdd7feb56e40a55b89328877b0a7103bb4084 +772f5e31ed2d6bc5e8698394e4d13b298060c74a: + title: 'media: mxl5xx: Move xpt structures off stack' + mainline: 526f4527545b2d4ce0733733929fac7b6da09ac6 + backport: 35d3fa1859980a84c64c51b04a2ac57ffe5af109 +1ea3de272f5cc7603610b96316f9ed07bec6c2d0: + title: 'media: v4l2-core: hold videodev_lock until dev reg, finishes' + mainline: 1ed4477f2ea4743e7c5e1f9f3722152d14e6eeb1 + backport: 2046df24d6472a520a62d52a72d84d180b3e363c +be754cbd77eaf2932408a4e18532e4945274a5c7: + title: 'fbdev: savage: Handle err return when savagefb_check_var failed' + mainline: 6ad959b6703e2c4c5d7af03b4cfd5ff608036339 + backport: 293140832f7230044b5f6888d0110714f51b554f +525561faa075cb49905783fd3e4e16b66b218846: + title: 'netfilter: nf_tables: pass context to nft_set_destroy()' + mainline: 0c2a85edd143162b3a698f31e94bf8cdc041da87 + backport: c4af59f2d8336214168c4e0778a1a0a62afcbdc4 +68b10f33a37e942bdc06b9cb313ad4e1b1f612e8: + title: 'netfilter: nftables: rename set element data activation/deactivation functions' + mainline: f8bb7889af58d8e74d2d61c76b1418230f1610fa + backport: b42c75cd69307b546b719cc59fb421a7c80a980f +bc9f791d2593f17e39f87c6e2b3a36549a3705b1: + title: 'netfilter: nf_tables: drop map element references from preparation phase' + mainline: 628bd3e49cba1c066228e23d71a852c23e26da73 + backport: 50bfcb0af95ae860d93c151604451b9a10af6e06 +c6d5477753caa9ab0c5c043bf5d0fad29d1e596d: + title: 'netfilter: nft_set_rbtree: allow loose matching of closing element in interval' + mainline: 3b18d5eba491b2328b31efa4235724a2354af010 + skipped: fixes patch not in branch +1302ba27fdc84ba0786301575dbcd2e1eddbcdc0: + title: 'netfilter: nft_set_rbtree: Add missing expired checks' + mainline: 340eaff651160234bdbce07ef34b92a8e45cd540 + skipped: fixes patch not in branch +7ab87a326f20c52ff4d9972052d085be951c704b: + title: 'netfilter: nft_set_rbtree: Switch to node list walk for overlap detection' + mainline: c9e6978e2725a7d4b6cd23b2facd3f11422c0643 + skipped: fixes patch not in branch +b76db53ee8802ee5683f8cb401d7e2ec6f9b3d56: + title: 'netfilter: nft_set_rbtree: fix null deref on element insertion' + mainline: 61ae320a29b0540c16931816299eb86bf2b66c08 + skipped: fixes patch not in branch +8284a79136c384059e85e278da2210b809730287: + title: 'netfilter: nft_set_rbtree: fix overlap expiration walk' + mainline: f718863aca469a109895cb855e6b81fff4827d71 + skipped: fixes patch not in branch +94313a196b44184b5b52c1876da6a537701b425a: + title: 'netfilter: nf_tables: don''t skip expired elements during walk' + mainline: 24138933b97b055d486e8064b4a1721702442a9b + backport: 4538b02484e4c2d0c016ca190c5219fd97f932fb +8da1b048f9a501d3d7d38c188ba09d7d0d5b8c27: + title: 'netfilter: nf_tables: GC transaction API to avoid race with control plane' + mainline: 5f68718b34a531a556f2f50300ead2862278da26 + skipped: too risky to backport +cb4d00b563675ba8ff6ef94b077f58d816f68ba3: + title: 'netfilter: nf_tables: adapt set backend to use GC transaction API' + mainline: f6c383b8c31a93752a52697f8430a71dcbc46adf + skipped: too risky to backport +a35a20e083be2b507c30cc216b59d1a57f381d9b: + title: 'netfilter: nf_tables: remove busy mark and gc batch API' + mainline: a2dd0233cbc4d8a0abb5f64487487ffc9265beb5 + skipped: too risky to backport +e7b86599fa945f3ce2bcbb95b4bbf1febbd3b087: + title: 'netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path' + mainline: 6a33d8b73dfac0a41f3877894b38082bd0c9a5bc + skipped: too risky to backport +9a3f450ed90c72b6b80fd6e8974cbe8683c7365f: + title: 'netfilter: nf_tables: GC transaction race with netns dismantle' + mainline: 02c6c24402bf1c1e986899c14ba22a10b510916b + skipped: too risky to backport +f85ca36090cbb252bcbc95fc74c2853fc792694f: + title: 'netfilter: nf_tables: GC transaction race with abort path' + mainline: 720344340fb9be2765bbaab7b292ece0a4570eae + skipped: too risky to backport +9c22bd1ab442c552e9481f1157589362887a7f47: + title: 'netfilter: nf_tables: defer gc run if previous batch is still pending' + mainline: 8e51830e29e12670b4c10df070a4ea4c9593e961 + skipped: too risky to backport +9db9feb841f7449772f9393c16b9ef4536d8c127: + title: 'netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction' + mainline: 2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4 + skipped: too risky to backport +b3558703731028be2aee61baf341e53a3734e2a9: + title: 'netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention' + mainline: 96b33300fba880ec0eafcf3d82486f3463b4b6da + skipped: too risky to backport +b6a744ba74f2388034c422f57568451bb6111d00: + title: 'netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration' + mainline: b079155faae94e9b3ab9337e82100a914ebb4e8d + skipped: too risky to backport +7cf055b43756b10aa2b851c927c940f5ed652125: + title: 'netfilter: nf_tables: fix memleak when more than 255 elements expired' + mainline: cf5000a7787cbc10341091d37245a42c119d26c5 + skipped: too risky to backport +88c795491bf45a8c08a0f94c9ca4f13722e51013: + title: 'netfilter: nf_tables: unregister flowtable hooks on netns exit' + mainline: 6069da443bf65f513bb507bb21e2f87cfb1ad0b6 + skipped: fixes patch not in branch +c73955a09408e7374d9abfd0e78ce3de9cda0635: + title: 'netfilter: nf_tables: double hook unregistration in netns path' + mainline: f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 + skipped: fixes patch not in branch +2565d90ab654f775d8865512f2a6aa3940182038: + title: 'netfilter: nftables: update table flags from the commit phase' + mainline: 0ce7cf4127f14078ca598ba9700d813178a59409 + skipped: too risky to backport +bf8083bbf8fa202e6e5316bbd99759ab82bfe7a3: + title: 'netfilter: nf_tables: fix table flag updates' + mainline: 179d9ba5559a756f4322583388b3213fe4e391b0 + skipped: too risky to backport +746523b4a3927fb922c82a6e997c4d1ba74c7f13: + title: 'netfilter: nf_tables: disable toggling dormant table state more than once' + mainline: c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 + skipped: too risky to backport +a118e0d82bb4b7760db8f704c05e2b8713b9bcc1: + title: 'netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19)' +6a67f972de8994ee1c3092b19b6f5569b66b9904: + title: 'netfilter: nft_dynset: fix timeouts later than 23 days' + mainline: 917d80d376ffbaa9725fde9e3c0282f63643f278 + skipped: too risky to backport +28a97c43c9e32f437ebb8d6126f9bb7f3ca9521a: + title: 'netfilter: nftables: exthdr: fix 4-byte stack OOB write' + mainline: fd94d9dadee58e09b49075240fe83423eb1dcd36 + skipped: commit is already present in branch +c5c4746c8cd6d049dcbf39c811172c917ea6fb6e: + title: 'netfilter: nft_dynset: report EOPNOTSUPP on missing set feature' + mainline: 95cd4bca7b1f4a25810f3ddfc5e767fb46931789 + backport: ea71b10a3d18e5589f44b836a83003a6e741d6bb +79e98cd78610560a6a6cf85200eb31331602f9a9: + title: 'netfilter: nft_dynset: relax superfluous check on set updates' + mainline: 7b1394892de8d95748d05e3ee41e85edb4abbfa1 + backport: fa8b9918795f9be7f4ca95f5440acff86fe946db +451dc4678c1342fc5c3a2d23e1d8e120e58f6304: + title: 'netfilter: nf_tables: mark newset as dead on transaction abort' + mainline: 08e4c8c5919fd405a4d709b4ba43d836894a26eb + skipped: too risky to backport +18f1f50558e1736d34597fdf08554aee94f59405: + title: 'netfilter: nf_tables: skip dead set elements in netlink dump' + mainline: 6b1ca88e4bb63673dc9f9c7f23c899f22c3cb17a + skipped: too risky to backport +a5bbd579c81ffb9f65cb280fa89be9ec9c01029b: + title: 'netfilter: nf_tables: validate NFPROTO_* family' + mainline: d0009effa8862c20a13af4cb7475d9771b905693 + skipped: too risky to backport +c60d252949caf9aba537525195edae6bbabc35eb: + title: 'netfilter: nft_set_rbtree: skip end interval element from gc' + mainline: 60c0c230c6f046da536d3df8b39a20b9a9fd6af0 + skipped: fixes patch not in branch +a6411f3c48f991c19aaf9a24fce36865fbba28d7: + title: 'netfilter: nf_tables: set dormant flag on hook register failure' + mainline: bccebf64701735533c8db37773eeacc6566cc8ec + skipped: fixes issue not in 4.14 +d8853cfe273c181b2e45528db7300536e860b758: + title: 'netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()' + mainline: 7e0f122c65912740327e4c54472acaa5f85868cb + skipped: too risky to backport +845083249d6a392f3a88804e1669bdb936ee129f: + title: 'netfilter: nf_tables: do not compare internal table flags on updates' + mainline: 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139 + skipped: too risky to backport +d75a589bb92af1abf3b779cfcd1977ca11b27033: + title: 'netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout' + mainline: 552705a3650bbf46a22b1adedc1b04181490fc36 + skipped: too risky to backport +6d12f21f8bbe23fde25b77c2bf5973c136b8bef8: + title: 'netfilter: nf_tables: reject new basechain after table flag update' + mainline: 994209ddf4f430946f6247616b2e33d179243769 + skipped: too risky to backport +e75faf01e22ec7dc671640fa0e0968964fafd2fc: + title: 'netfilter: nf_tables: discard table flag update with pending basechain deletion' + mainline: 1bc83a019bbe268be3526406245ec28c2458a518 + skipped: too risky to backport +3c9ee8294728633e707c25fe0a321eeac1cc7515: + title: 'KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode' + mainline: dfe6d190f38fc5df5ff2614b463a5195a399c885 + backport: 6658c1ef0cb35d3d594507db800cb44a54db4f75 +0ce5964b82f212f4df6a9813f09a0b5de15bd9c8: + title: 'crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak' + mainline: d3b17c6d9dddc2db3670bc9be628b122416a3d26 + backport: 9d5b95ce1488266fd3dc3951da6c8ce25c366ada +72c5d8e416ecc46af370a1340b3db5ff0b0cc867: + title: 'net/9p: fix uninit-value in p9_client_rpc()' + mainline: 25460d6f39024cc3b8241b14c7ccf0d6f11a736a + backport: 9a9a74f4cdb1295a5a854d2ca6cb87fc19048ef3 +58c0309c73fe1e9c477ed4cc5d02fc9015336979: + title: 'intel_th: pci: Add Meteor Lake-S CPU support' + mainline: a4f813c3ec9d1c32bc402becd1f011b3904dd699 + backport: 471ea347bb7d4b16dd62a6642efb111fa36f2da7 +180b2e4c1ba4f6e3e4c52d6664cb019f6eac02f8: + title: 'sparc64: Fix number of online CPUs' + mainline: 98937707fea8375e8acea0aaa0b68a956dd52719 + backport: 9f2edbc910b189e46e7ca3d17680e36fde63276d +fb824a99e148ff272a53d71d84122728b5f00992: + title: 'kdb: Fix buffer overflow during tab-complete' + mainline: e9730744bf3af04cda23799029342aa3cddbc454 + backport: f751d9a9f3d6c01908cf9bc9d966a35ecc1a2f64 +4edfbbaca46491b06af14e49dcb79ac661d0bbdc: + title: 'kdb: Use format-strings rather than ''\0'' injection in kdb_read()' + mainline: 09b35989421dfd5573f0b4683c7700a7483c71f9 + backport: f990953b6d8d752849e6f682628d4632f051b7de +21c068c1bbb4c336741749596d004b1965faab2c: + title: 'kdb: Fix console handling when editing and tab-completing commands' + mainline: db2f9c7dc29114f531df4a425d0867d01e1f1e28 + backport: fc2a098bc09c4f9968c93222902d72f518ec6953 +4a89182788f9af9a290c19098382fb972ebe2783: + title: 'kdb: Merge identical case statements in kdb_read()' + mainline: 6244917f377bf64719551b58592a02a0336a7439 + backport: 201f3d45deb9bcf1046483d72642d8457976c7a9 +2467f3f182eb35627534effd4956fceb2504c127: + title: 'kdb: Use format-specifiers rather than memset() for padding in kdb_read()' + mainline: c9b51ddb66b1d96e4d364c088da0f1dfb004c574 + backport: c89fb4fb7559ec8e3f74ecbc29ef856a47cc85d4 +051c0bde9f0450a2ec3d62a86d2a0d2fad117f13: + title: 'net: fix __dst_negative_advice() race' + mainline: 92f1655aa2b2294d0b49925f3b875a634bd3b59e + skipped: fixes patch not in branch +980a1cd6e092eab9398a78f517809a7dacaa0468: + title: 'sparc: move struct termio to asm/termios.h' + mainline: c32d18e7942d7589b62e301eb426b32623366565 + backport: 212ca5dd4286a76808254db293bd898a062b56e3 +9ad75e78747b5a50dc5a52f0f8e92e920a653f16: + title: 'ext4: fix mb_cache_entry''s e_refcnt leak in ext4_xattr_block_cache_find()' + mainline: 0c0b4a49d3e7f49690a6827a41faeffad5df7e21 + backport: 199f7d837409f78087fde12a33c486d4d866c16e +2062e3f1f2374102f8014d7ca286b9aa527bd558: + title: 's390/ap: Fix crash in AP internal function modify_bitmap()' + mainline: d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9 + skipped: depends on missing commit 3d8f60d38e249f989a7fca9c2370c31c3d5487e1 +74ea538aa24490d7d259c881189bb58dbf1f692c: + title: 'nfs: fix undefined behavior in nfs_block_bits()' + mainline: 3c0a2e0b0ae661457c8505fecc7be5501aa7a715 + backport: 593e234893f02097b207840c7c31b4d91b64ca14 diff --git a/Makefile b/Makefile index 37cb5088dfeb..f958d4d3b7f3 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 348 +SUBLEVEL = 349 EXTRAVERSION = -openela NAME = Petit Gorille From 601388a509114e93cba730306078a68b08795ab1 Mon Sep 17 00:00:00 2001 From: Shashank Patil <9945shashank@gmail.com> Date: Thu, 11 Jul 2024 23:51:33 +0530 Subject: [PATCH 169/182] power: supply: ti & qcom: Import smblib USB reverse charging workr * imported from sweet-ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/qpnp-smb5.c | 2 + drivers/power/supply/qcom/smb5-lib.c | 73 +++++++++++++++++++++++++++ drivers/power/supply/qcom/smb5-lib.h | 9 ++++ drivers/power/supply/qcom/smb5-reg.h | 6 +++ drivers/power/supply/ti/cp_qc30.c | 27 +++++++++- 5 files changed, 115 insertions(+), 2 deletions(-) diff --git a/drivers/power/supply/qcom/qpnp-smb5.c b/drivers/power/supply/qcom/qpnp-smb5.c index f89e77cf35e9..f1db84d509cd 100644 --- a/drivers/power/supply/qcom/qpnp-smb5.c +++ b/drivers/power/supply/qcom/qpnp-smb5.c @@ -944,6 +944,8 @@ static int smb5_parse_dt(struct smb5 *chip) } } + chg->reverse_boost_wa = of_property_read_bool(node, "mi,reverse_boost-wa"); + chg->uart_en_gpio = of_get_named_gpio(node, "uart-en-gpio", 0); if (!gpio_is_valid(chg->uart_en_gpio)) pr_err("failed to get uart_en_gpio\n"); diff --git a/drivers/power/supply/qcom/smb5-lib.c b/drivers/power/supply/qcom/smb5-lib.c index 79aba09ad1ca..cc1afd24d234 100644 --- a/drivers/power/supply/qcom/smb5-lib.c +++ b/drivers/power/supply/qcom/smb5-lib.c @@ -3997,6 +3997,69 @@ static int smblib_set_sw_conn_therm_regulation(struct smb_charger *chg, return rc; } +static void smblib_reverse_boost_work(struct work_struct *work) +{ + struct smb_charger *chg = container_of(work, struct smb_charger, reverse_boost_work.work); + union power_supply_propval pval = {0, }; + int rc = 0; + u8 reg = 0; + + if (!chg->reverse_boost_wa) + return; + + if (chg->real_charger_type == POWER_SUPPLY_TYPE_USB_CDP || chg->real_charger_type == POWER_SUPPLY_TYPE_USB) + return; + else if (chg->real_charger_type != POWER_SUPPLY_TYPE_USB_HVDCP_3 && chg->real_charger_type != POWER_SUPPLY_TYPE_USB_HVDCP_3P5 && chg->pd_active != POWER_SUPPLY_PD_PPS_ACTIVE) + goto clear_count; + + rc = smblib_read(chg, AICL_STATUS_REG, ®); + if (rc < 0 || !(reg & ICL_MIN_BIT)) + goto clear_count; + + rc = smblib_read(chg, TYPE_C_SENSOR_SM_STATUS_REG, ®); + if (rc < 0 || (reg & VBUS_VSAFE5V_BIT)) + goto clear_count; + + rc = smblib_read(chg, INT_RT_STS_REG, ®); + if (rc < 0 || !(reg & USBIN_PLUGIN_RT_STS_BIT)) + goto clear_count; + + if (!chg->cp_psy) + chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); + + if (!chg->bms_psy || !chg->cp_psy || !chg->usb_psy) + goto clear_count; + + rc = power_supply_get_property(chg->cp_psy, POWER_SUPPLY_PROP_CHARGING_ENABLED, &pval); + if (pval.intval) + goto clear_count; + + rc = power_supply_get_property(chg->bms_psy, POWER_SUPPLY_PROP_CURRENT_NOW, &pval); + if ((pval.intval / 1000) <= REVERSE_BOOST_MIN_IBAT_MA) + goto clear_count; + + rc = power_supply_get_property(chg->usb_psy, POWER_SUPPLY_PROP_INPUT_CURRENT_NOW, &pval); + if ((pval.intval / 1000) >= REVERSE_BOOST_MAX_IBUS_MA) + goto clear_count; + + chg->reverse_count++; + goto recheck; + +clear_count: + chg->reverse_count = 0; + +recheck: + if (chg->reverse_count >= 2) { + smblib_masked_write(chg, USBIN_CMD_IL_REG, USBIN_SUSPEND_BIT, USBIN_SUSPEND_BIT); + msleep(250); + smblib_masked_write(chg, USBIN_CMD_IL_REG, USBIN_SUSPEND_BIT, 0); + } else { + schedule_delayed_work(&chg->reverse_boost_work, msecs_to_jiffies(REVERSE_BOOST_WORK_RECHECK_DELAY_MS)); + } + + return; +} + #define CHG_DETECT_CONN_THERM_US 120000000 /* 120sec */ static void smblib_conn_therm_work(struct work_struct *work) { @@ -6748,6 +6811,8 @@ void smblib_usb_plugin_hard_reset_locked(struct smb_charger *chg) vbus_rising = (bool)(stat & USBIN_PLUGIN_RT_STS_BIT); if (vbus_rising) { + chg->reverse_count = 0; + schedule_delayed_work(&chg->reverse_boost_work, msecs_to_jiffies(REVERSE_BOOST_WORK_START_DELAY_MS)); /* hold chg_awake wakeup source when charger is present */ vote(chg->awake_votable, CHG_AWAKE_VOTER, true, 0); /* Remove FCC_STEPPER 1.5A init vote to allow FCC ramp up */ @@ -6769,6 +6834,8 @@ void smblib_usb_plugin_hard_reset_locked(struct smb_charger *chg) } } + chg->reverse_count = 0; + cancel_delayed_work_sync(&chg->reverse_boost_work); cancel_delayed_work_sync(&chg->charger_type_recheck); chg->hvdcp_recheck_status = false; chg->recheck_charger = false; @@ -6848,11 +6915,15 @@ void smblib_usb_plugin_locked(struct smb_charger *chg) msecs_to_jiffies(CHARGER_RECHECK_DELAY_MS)); schedule_delayed_work(&chg->cc_un_compliant_charge_work, msecs_to_jiffies(CC_UN_COMPLIANT_START_DELAY_MS)); + chg->reverse_count = 0; + schedule_delayed_work(&chg->reverse_boost_work, msecs_to_jiffies(REVERSE_BOOST_WORK_START_DELAY_MS)); if (chg->use_bq_pump) schedule_delayed_work(&chg->reduce_fcc_work, msecs_to_jiffies(ESR_WORK_TIME_180S)); } else { cancel_delayed_work_sync(&chg->charger_type_recheck); + chg->reverse_count = 0; + cancel_delayed_work_sync(&chg->reverse_boost_work); if (chg->use_bq_pump) { cancel_delayed_work_sync(&chg->reduce_fcc_work); vote(chg->fcc_votable, ESR_WORK_VOTER, false, 0); @@ -10028,6 +10099,7 @@ int smblib_init(struct smb_charger *chg) } INIT_DELAYED_WORK(&chg->pr_lock_clear_work, smblib_pr_lock_clear_work); + INIT_DELAYED_WORK(&chg->reverse_boost_work, smblib_reverse_boost_work); if (chg->dcin_uusb_over_gpio_en) INIT_DELAYED_WORK(&chg->micro_usb_switch_work, smblib_micro_usb_switch_work); @@ -10203,6 +10275,7 @@ int smblib_deinit(struct smb_charger *chg) cancel_delayed_work_sync(&chg->six_pin_batt_step_chg_work); cancel_delayed_work_sync(&chg->role_reversal_check); cancel_delayed_work_sync(&chg->pr_swap_detach_work); + cancel_delayed_work_sync(&chg->reverse_boost_work); power_supply_unreg_notifier(&chg->nb); smblib_destroy_votables(chg); qcom_step_chg_deinit(); diff --git a/drivers/power/supply/qcom/smb5-lib.h b/drivers/power/supply/qcom/smb5-lib.h index 6457dffc02c5..ef55a86b5876 100644 --- a/drivers/power/supply/qcom/smb5-lib.h +++ b/drivers/power/supply/qcom/smb5-lib.h @@ -168,6 +168,11 @@ enum print_reason { /* defined for un_compliant Type-C cable */ #define CC_UN_COMPLIANT_START_DELAY_MS 700 +#define REVERSE_BOOST_WORK_RECHECK_DELAY_MS 100 +#define REVERSE_BOOST_WORK_START_DELAY_MS 300 +#define REVERSE_BOOST_MIN_IBAT_MA 100 +#define REVERSE_BOOST_MAX_IBUS_MA 200 + #define VBAT_TO_VRAW_ADC(v) div_u64((u64)v * 1000000UL, 194637UL) #define ITERM_LIMITS_PMI632_MA 5000 @@ -638,6 +643,7 @@ struct smb_charger { struct delayed_work reduce_fcc_work; struct delayed_work status_report_work; struct delayed_work thermal_setting_work; + struct delayed_work reverse_boost_work; struct alarm lpd_recheck_timer; struct alarm moisture_protection_alarm; @@ -880,6 +886,9 @@ struct smb_charger { int qc3p5_power_limit_w; bool pps_fcc_therm_work_disabled; + + bool reverse_boost_wa; + int reverse_count; }; enum quick_charge_type { diff --git a/drivers/power/supply/qcom/smb5-reg.h b/drivers/power/supply/qcom/smb5-reg.h index 8b4de0d4fdf0..e685700826b0 100644 --- a/drivers/power/supply/qcom/smb5-reg.h +++ b/drivers/power/supply/qcom/smb5-reg.h @@ -138,6 +138,7 @@ enum { #define AICL_STATUS_REG (DCDC_BASE + 0x0A) #define SOFT_ILIMIT_BIT BIT(6) +#define ICL_MIN_BIT BIT(2) #define AICL_DONE_BIT BIT(0) #define POWER_PATH_STATUS_REG (DCDC_BASE + 0x0B) @@ -233,6 +234,8 @@ enum { #define QC_5V_BIT BIT(0) #define QC_2P0_STATUS_MASK GENMASK(2, 0) +#define INT_RT_STS_REG (USBIN_BASE + 0x10) + /* USBIN Interrupt Bits */ #define USBIN_ICL_CHANGE_RT_STS_BIT BIT(7) #define USBIN_SOURCE_CHANGE_RT_STS_BIT BIT(6) @@ -386,6 +389,9 @@ enum { #define TYPE_C_STATE_MACHINE_STATUS_REG (TYPEC_BASE + 0x09) #define TYPEC_ATTACH_DETACH_STATE_BIT BIT(5) +#define TYPE_C_SENSOR_SM_STATUS_REG (TYPEC_BASE + 0x0A) +#define VBUS_VSAFE5V_BIT BIT(5) + #define TYPE_C_MISC_STATUS_REG (TYPEC_BASE + 0x0B) #define TYPEC_WATER_DETECTION_STATUS_BIT BIT(7) #define SNK_SRC_MODE_BIT BIT(6) diff --git a/drivers/power/supply/ti/cp_qc30.c b/drivers/power/supply/ti/cp_qc30.c index 60562a34e4e5..5cb4357d29b6 100644 --- a/drivers/power/supply/ti/cp_qc30.c +++ b/drivers/power/supply/ti/cp_qc30.c @@ -135,6 +135,7 @@ static pm_t pm_state; static int fc2_taper_timer; static int ibus_lmt_change_timer; +static int reverse_count = 0; static struct power_supply *cp_get_sw_psy(void) { @@ -1109,7 +1110,13 @@ void cp_statemachine(unsigned int port) } else { pr_err("vvbus:%d, tuned above expected voltage, retry_times:%d\n", pm_state.bq2597x.vbus_volt, tune_vbus_retry); - cp_move_state(CP_STATE_FLASH2_ENTRY_3); + if (pm_state.usb_type == POWER_SUPPLY_TYPE_USB_HVDCP_3 && pm_state.bq2597x.vbus_volt > 11000) { + cp_move_state(CP_STATE_SW_ENTRY); + cp_limit_sw(false); + cp_set_fake_hvdcp3(true); + } else { + cp_move_state(CP_STATE_FLASH2_ENTRY_3); + } break; } #else @@ -1147,12 +1154,21 @@ void cp_statemachine(unsigned int port) case CP_STATE_FLASH2_ENTRY_3: #ifdef CONFIG_K6_CHARGE if (pm_state.bq2597x.bus_error_status == VBUS_ERROR_HIGH) { + reverse_count = 0; pr_err("vvbus=%d, too high to open cp switcher, decrease it.\n", pm_state.bq2597x.vbus_volt); cp_tune_vbus_volt(VOLT_DOWN); } else if (pm_state.bq2597x.bus_error_status == VBUS_ERROR_LOW) { pr_err("vvbus=%d, too low to open cp switcher, increase it.\n", pm_state.bq2597x.vbus_volt); + if (pm_state.bq2597x.vbus_volt <= 4500) + reverse_count++; + if (reverse_count >= 3) { + pr_err("cp enable cause reverse boost, turn off cp\n"); + reverse_count = 0; + cp_enable_fc(false); + cp_move_state(CP_STATE_DISCONNECT); + } cp_tune_vbus_volt(VOLT_UP); #else if (pm_state.bq2597x.vbus_volt > @@ -1161,6 +1177,7 @@ void cp_statemachine(unsigned int port) /* voltage is too high, wait for voltage down, keep charge disabled to discharge */ #endif } else { + reverse_count = 0; pr_err("vbat volt is ok, enable flash charging\n"); if (!pm_state.bq2597x.charge_enabled) { cp_enable_fc(true); @@ -1252,12 +1269,18 @@ static void cp_workfunc(struct work_struct *work) if (pm_state.usb_present == 0) { cp_set_qc_bus_protections(HVDCP3_NONE); cp_set_fake_hvdcp3(false); +#ifdef CONFIG_K6_CHARGE + pm_state.state = CP_STATE_DISCONNECT; +#endif return; } if (pm_state.usb_type == POWER_SUPPLY_TYPE_USB_HVDCP_3) { #ifdef CONFIG_K6_CHARGE - schedule_delayed_work(&pm_state.qc3_pm_work, msecs_to_jiffies(300)); + if (reverse_count) + schedule_delayed_work(&pm_state.qc3_pm_work, msecs_to_jiffies(100)); + else + schedule_delayed_work(&pm_state.qc3_pm_work, msecs_to_jiffies(300)); #else schedule_delayed_work(&pm_state.qc3_pm_work, HZ); #endif From 1ef7390fdcee2cb285487972cefd7319aa9777e5 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Fri, 12 Jul 2024 00:30:28 +0530 Subject: [PATCH 170/182] arm64: dts: sweet: Enable smblib USB reverse charging workr Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi b/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi index d0bd9c26a094..a079faf20b2d 100755 --- a/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi +++ b/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi @@ -466,6 +466,7 @@ And public attribution of xiaomi platforms(like F3 and so and) mi,support-qc3p5-without-smb; mi,ffc-low-tbat = <150>; mi,ffc-high-tbat = <480>; + mi,reverse_boost-wa; }; &pm6150_pdphy { From 5e82aeadde8328c4c5b544afcf27b3cace168df6 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Fri, 12 Jul 2024 00:42:04 +0530 Subject: [PATCH 171/182] power: supply: qcom: Import bq2597x charge voter * imported from nabu-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/smb5-lib.c | 51 ++++++++++++++++++++++++++++ drivers/power/supply/qcom/smb5-lib.h | 4 +++ 2 files changed, 55 insertions(+) diff --git a/drivers/power/supply/qcom/smb5-lib.c b/drivers/power/supply/qcom/smb5-lib.c index cc1afd24d234..d662470b595e 100644 --- a/drivers/power/supply/qcom/smb5-lib.c +++ b/drivers/power/supply/qcom/smb5-lib.c @@ -6670,6 +6670,50 @@ static void smblib_cc_un_compliant_charge_work(struct work_struct *work) } } +static int fv_over_limit_times; +#define OVER_FV_MAX_TIMES 10 +static void smblib_check_vbat_work(struct work_struct *work) +{ + int rc; + int effective_fv_uv; + union power_supply_propval val; + + struct smb_charger *chg = container_of(work, struct smb_charger, + check_vbat_work.work); + if (!chg->cp_psy) { + chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); + if (!chg->cp_psy) + pr_err("cp_psy not found\n"); + return; + } + + rc = power_supply_get_property(chg->cp_psy, + POWER_SUPPLY_PROP_MODEL_NAME, &val); + if (rc < 0) { + pr_err("Error in getting charge IC name, rc=%d\n", rc); + return; + } + + if (strcmp(val.strval, "bq2597x-standalone") == 0) { + rc = power_supply_get_property(chg->cp_psy, + POWER_SUPPLY_PROP_TI_BATTERY_VOLTAGE, &val); + pr_err("getting ti battery voltage = %d\n", val.intval); + if (rc < 0) { + pr_err("Error in getting ti battery voltage, rc=%d\n", rc); + return; + } + if (val.intval > 4800) { + if (fv_over_limit_times++ > OVER_FV_MAX_TIMES) { + fv_over_limit_times = 0; + effective_fv_uv = get_effective_result_locked(chg->fv_votable); + vote(chg->fv_votable, BATT_BQ2597X_VOTER, true, effective_fv_uv - 10000); + } + } + } + schedule_delayed_work(&chg->check_vbat_work, msecs_to_jiffies(200)); + +} + #define REDUCED_CURRENT 500000 static int smblib_get_effective_fcc_val(struct smb_charger *chg) { @@ -6915,6 +6959,7 @@ void smblib_usb_plugin_locked(struct smb_charger *chg) msecs_to_jiffies(CHARGER_RECHECK_DELAY_MS)); schedule_delayed_work(&chg->cc_un_compliant_charge_work, msecs_to_jiffies(CC_UN_COMPLIANT_START_DELAY_MS)); + schedule_delayed_work(&chg->check_vbat_work, msecs_to_jiffies(200)); chg->reverse_count = 0; schedule_delayed_work(&chg->reverse_boost_work, msecs_to_jiffies(REVERSE_BOOST_WORK_START_DELAY_MS)); if (chg->use_bq_pump) @@ -7929,6 +7974,7 @@ static void typec_src_removal(struct smb_charger *chg) cancel_delayed_work_sync(&chg->pl_enable_work); cancel_delayed_work_sync(&chg->raise_qc3_vbus_work); + cancel_delayed_work_sync(&chg->check_vbat_work); /* reset input current limit voters */ vote(chg->usb_icl_votable, SW_ICL_MAX_VOTER, true, @@ -8000,6 +8046,9 @@ static void typec_src_removal(struct smb_charger *chg) cancel_delayed_work_sync(&chg->six_pin_batt_step_chg_work); } + /* BQ2597X votes */ + vote(chg->fv_votable, BATT_BQ2597X_VOTER, false, 0); + /* Reset CC mode votes */ vote(chg->fcc_main_votable, MAIN_FCC_VOTER, false, 0); vote(chg->fcc_votable, FCC_MAX_QC3P5_VOTER, false, 0); @@ -10093,6 +10142,7 @@ int smblib_init(struct smb_charger *chg) smblib_dual_role_check_work); INIT_DELAYED_WORK(&chg->pr_swap_detach_work, smblib_pr_swap_detach_work); + INIT_DELAYED_WORK(&chg->check_vbat_work, smblib_check_vbat_work); if (chg->use_bq_pump) { INIT_DELAYED_WORK(&chg->reduce_fcc_work, reduce_fcc_work); INIT_DELAYED_WORK(&chg->thermal_setting_work, smblib_thermal_setting_work); @@ -10275,6 +10325,7 @@ int smblib_deinit(struct smb_charger *chg) cancel_delayed_work_sync(&chg->six_pin_batt_step_chg_work); cancel_delayed_work_sync(&chg->role_reversal_check); cancel_delayed_work_sync(&chg->pr_swap_detach_work); + cancel_delayed_work_sync(&chg->check_vbat_work); cancel_delayed_work_sync(&chg->reverse_boost_work); power_supply_unreg_notifier(&chg->nb); smblib_destroy_votables(chg); diff --git a/drivers/power/supply/qcom/smb5-lib.h b/drivers/power/supply/qcom/smb5-lib.h index ef55a86b5876..95bdcf0ce2ce 100644 --- a/drivers/power/supply/qcom/smb5-lib.h +++ b/drivers/power/supply/qcom/smb5-lib.h @@ -117,6 +117,9 @@ enum print_reason { #define QC3P5_VOTER "QC3P5_VOTER" #define FCC_MAX_QC3P5_VOTER "FCC_MAX_QC3P5_VOTER" +/* use for BQ2597X */ +#define BATT_BQ2597X_VOTER "BATT_BQ2597X_VOTER" + #define BOOST_BACK_STORM_COUNT 3 #define WEAK_CHG_STORM_COUNT 8 @@ -643,6 +646,7 @@ struct smb_charger { struct delayed_work reduce_fcc_work; struct delayed_work status_report_work; struct delayed_work thermal_setting_work; + struct delayed_work check_vbat_work; struct delayed_work reverse_boost_work; struct alarm lpd_recheck_timer; From 9e8e9aff4fe7e9053eeb4ced78609d3c692a03c6 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Fri, 12 Jul 2024 00:59:41 +0530 Subject: [PATCH 172/182] power: supply: ti & qcom: Import lionsemi ln8000 charge pump driver * imported from nabu-r-oss & sweet-ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/smb5-lib.c | 56 +- drivers/power/supply/qcom/smb5-lib.h | 3 + drivers/power/supply/qcom/step-chg-jeita.c | 3 + drivers/power/supply/ti/Kconfig | 7 + drivers/power/supply/ti/Makefile | 1 + drivers/power/supply/ti/cp_qc30.c | 6 + drivers/power/supply/ti/ln8000_charger.c | 1759 +++++++++++++++++++ drivers/power/supply/ti/ln8000_charger.h | 339 ++++ drivers/power/supply/ti/pd_policy_manager.c | 8 +- 9 files changed, 2174 insertions(+), 8 deletions(-) create mode 100644 drivers/power/supply/ti/ln8000_charger.c create mode 100644 drivers/power/supply/ti/ln8000_charger.h diff --git a/drivers/power/supply/qcom/smb5-lib.c b/drivers/power/supply/qcom/smb5-lib.c index d662470b595e..a94836d1a148 100644 --- a/drivers/power/supply/qcom/smb5-lib.c +++ b/drivers/power/supply/qcom/smb5-lib.c @@ -879,6 +879,35 @@ int smb5_config_iterm(struct smb_charger *chg, int hi_thresh, int low_thresh) return 0; } +static int set_ln8000_fv(struct smb_charger *chg) +{ + int rc; + union power_supply_propval val; + + if (!chg->cp_psy) { + chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); + if (!chg->cp_psy) { + chg->cp_psy = power_supply_get_by_name("ln8000"); + if (!chg->cp_psy) { + pr_err("cp_psy not found\n"); + return 0; + } + } + } + + rc = power_supply_get_property(chg->cp_psy, + POWER_SUPPLY_PROP_MODEL_NAME, &val); + if (rc < 0) { + pr_err("Error in getting charge IC name, rc=%d\n", rc); + return 0; + } + + if (strcmp(val.strval, "ln8000") == 0) { + vote(chg->fv_votable, BATT_LN8000_VOTER, true, 4470000); + } + return 0; +} + int smblib_get_fastcharge_mode(struct smb_charger *chg) { union power_supply_propval pval = {0,}; @@ -963,6 +992,7 @@ int smblib_set_fastcharge_mode(struct smb_charger *chg, bool enable) if (enable) { /* ffc need clear 4.4V non_fcc_vfloat_voter first */ vote(chg->fv_votable, NON_FFC_VFLOAT_VOTER, false, 0); + set_ln8000_fv(chg); rc = power_supply_get_property(chg->bms_psy, POWER_SUPPLY_PROP_FFC_CHG_TERMINATION_CURRENT, &pval); if (rc < 0) { @@ -2670,6 +2700,9 @@ static bool is_bq25970_available(struct smb_charger *chg) if (!chg->cp_psy) chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); + if (!chg->cp_psy) + chg->cp_psy = power_supply_get_by_name("ln8000"); + if (!chg->cp_psy) return false; @@ -4027,6 +4060,9 @@ static void smblib_reverse_boost_work(struct work_struct *work) if (!chg->cp_psy) chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); + if (!chg->cp_psy) + chg->cp_psy = power_supply_get_by_name("ln8000"); + if (!chg->bms_psy || !chg->cp_psy || !chg->usb_psy) goto clear_count; @@ -6682,9 +6718,13 @@ static void smblib_check_vbat_work(struct work_struct *work) check_vbat_work.work); if (!chg->cp_psy) { chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); - if (!chg->cp_psy) - pr_err("cp_psy not found\n"); - return; + if (!chg->cp_psy) { + chg->cp_psy = power_supply_get_by_name("ln8000"); + if (!chg->cp_psy) { + pr_err("cp_psy not found\n"); + return; + } + } } rc = power_supply_get_property(chg->cp_psy, @@ -6731,9 +6771,13 @@ static int check_reduce_fcc_condition(struct smb_charger *chg) if (!chg->cp_psy) { chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); - if (!chg->cp_psy) - pr_err("cp_psy not found\n"); - return 0; + if (!chg->cp_psy) { + chg->cp_psy = power_supply_get_by_name("ln8000"); + if (!chg->cp_psy) { + pr_err("cp_psy not found\n"); + return 0; + } + } } rc = power_supply_get_property(chg->cp_psy, diff --git a/drivers/power/supply/qcom/smb5-lib.h b/drivers/power/supply/qcom/smb5-lib.h index 95bdcf0ce2ce..38bb038742e0 100644 --- a/drivers/power/supply/qcom/smb5-lib.h +++ b/drivers/power/supply/qcom/smb5-lib.h @@ -120,6 +120,9 @@ enum print_reason { /* use for BQ2597X */ #define BATT_BQ2597X_VOTER "BATT_BQ2597X_VOTER" +/* use for LN8000 */ +#define BATT_LN8000_VOTER "BATT_LN8000_VOTER" + #define BOOST_BACK_STORM_COUNT 3 #define WEAK_CHG_STORM_COUNT 8 diff --git a/drivers/power/supply/qcom/step-chg-jeita.c b/drivers/power/supply/qcom/step-chg-jeita.c index ff45e3bda74a..ec9f508b66e0 100644 --- a/drivers/power/supply/qcom/step-chg-jeita.c +++ b/drivers/power/supply/qcom/step-chg-jeita.c @@ -146,6 +146,9 @@ static bool is_bq25970_available(struct step_chg_info *chip) if (!chip->bq_psy) chip->bq_psy = power_supply_get_by_name("bq2597x-standalone"); + if (!chip->bq_psy) + chip->bq_psy = power_supply_get_by_name("ln8000"); + if (!chip->bq_psy) return false; diff --git a/drivers/power/supply/ti/Kconfig b/drivers/power/supply/ti/Kconfig index c9d810c20d45..4c6e195b232b 100644 --- a/drivers/power/supply/ti/Kconfig +++ b/drivers/power/supply/ti/Kconfig @@ -9,6 +9,13 @@ config BQ2597X_CHARGE_PUMP BQ2597X is a div2 charge pump capable of delivering 8A charge current with very high efficiency. +config CHARGER_LN8000 + tristate "LionSemi LN8000 Battery Charger" + depends on I2C + select REGMAP_I2C + help + Say Y to enable support for the LN8000 charger. + config K9A_CHARGE bool prompt "K9A special modify." diff --git a/drivers/power/supply/ti/Makefile b/drivers/power/supply/ti/Makefile index a911e6a00da0..5a5c9ab3f220 100644 --- a/drivers/power/supply/ti/Makefile +++ b/drivers/power/supply/ti/Makefile @@ -1,4 +1,5 @@ obj-$(CONFIG_BQ2597X_CHARGE_PUMP) += bq2597x_charger.o pd_policy_manager.o cp_qc30.o +obj-$(CONFIG_CHARGER_LN8000) += ln8000_charger.o pd_policy_manager.o cp_qc30.o CFLAGS_REMOVE_bq2597x_charger.o += -mgeneral-regs-only CFLAGS_bq2597x_charger.o += -mno-implicit-float diff --git a/drivers/power/supply/ti/cp_qc30.c b/drivers/power/supply/ti/cp_qc30.c index 5cb4357d29b6..daf356bf05c2 100644 --- a/drivers/power/supply/ti/cp_qc30.c +++ b/drivers/power/supply/ti/cp_qc30.c @@ -186,6 +186,12 @@ static struct power_supply *cp_get_fc_psy(void) pm_state.fc_psy = power_supply_get_by_name("bq2597x-master"); else pm_state.fc_psy = power_supply_get_by_name("bq2597x-standalone"); + if (!pm_state.fc_psy) { + pm_state.fc_psy = power_supply_get_by_name("ln8000"); + if (!pm_state.fc_psy) { + pr_err("cp_psy not found\n"); + } + } } return pm_state.fc_psy; diff --git a/drivers/power/supply/ti/ln8000_charger.c b/drivers/power/supply/ti/ln8000_charger.c new file mode 100644 index 000000000000..5dc67f40c477 --- /dev/null +++ b/drivers/power/supply/ti/ln8000_charger.c @@ -0,0 +1,1759 @@ +/* + * ln8000-charger.c - Charger driver for LIONSEMI LN8000 + * + * Copyright (C) 2021 Lion Semiconductor Inc. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +//#include +#include "ln8000_charger.h" +#include "cp_qc30.h" + +#define ln_err(fmt, ...) \ +do { \ + if (info->dev_role == LN_PRIMARY) \ + printk(KERN_ERR "ln8000@pri: %s: " fmt, __func__, ##__VA_ARGS__); \ + else \ + printk(KERN_ERR "ln8000@sec: %s: " fmt, __func__, ##__VA_ARGS__); \ +} while (0); + +#define ln_info(fmt, ...) \ +do { \ + if (info->dev_role == LN_PRIMARY) \ + printk(KERN_INFO "ln8000@pri: %s: " fmt, __func__, ##__VA_ARGS__); \ + else \ + printk(KERN_INFO "ln8000@sec: %s: " fmt, __func__, ##__VA_ARGS__); \ +} while (0); + +#define ln_dbg(fmt, ...) \ +do { \ + if (info->dev_role == LN_PRIMARY) \ + printk(KERN_DEBUG "ln8000@pri: %s: " fmt, __func__, ##__VA_ARGS__); \ + else \ + printk(KERN_DEBUG "ln8000@sec: %s: " fmt, __func__, ##__VA_ARGS__); \ +} while (0); + +#define LN8000_REG_PRINT(reg_addr, val) \ +do { \ + ln_info(" --> [%-20s] 0x%02X : 0x%02X\n", \ + #reg_addr, LN8000_REG_##reg_addr, (val) & 0xFF); \ +} while (0); + +#define LN8000_PARSE_PROP(ret, pdata, field, prop, default_prop) \ +do { \ + if (ret) { \ + ln_info("%s = %d (set to default)\n", #field, default_prop); \ + pdata->field = default_prop; \ + } else { \ + ln_info("%s = %d\n", #field, prop); \ + pdata->field = prop; \ + } \ +} while (0); + +#define LN8000_BIT_CHECK(val, idx, desc) if(val & (1< %s\n", desc) +#define LN8000_IS_PRIMARY(info) (info->dev_role==LN_PRIMARY) +#define LN8000_ROLE(info) (LN8000_IS_PRIMARY(info) ? "prim" : "sec ") +#define LN8000_USE_GPIO(pdata) ((pdata != NULL) && (!IS_ERR_OR_NULL(pdata->irq_gpio))) +#define LN8000_STATUS(val, mask) ((val & mask) ? true : false) + +/** + * I2C control functions : when occurred I2C tranfer fault, we + * will retry to it. (default count:3) + */ +#define I2C_RETRY_CNT 3 +static int ln8000_read_reg(struct ln8000_info *info, u8 addr, void *data) +{ + int i, ret = 0; + + mutex_lock(&info->i2c_lock); + for (i=0; i < I2C_RETRY_CNT; ++i) { + ret = regmap_read(info->regmap, addr, data); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_info("failed-read, reg(0x%02X), ret(%d)\n", addr, ret); + } else { + break; + } + } + mutex_unlock(&info->i2c_lock); + return ret; +} + +static int ln8000_bulk_read_reg(struct ln8000_info *info, u8 addr, void *data, int count) +{ + int i, ret = 0; + + mutex_lock(&info->i2c_lock); + for (i=0; i < I2C_RETRY_CNT; ++i) { + ret = regmap_bulk_read(info->regmap, addr, data, count); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_info("failed-bulk-read, reg(0x%02X, %d bytes), ret(%d)\n", addr, count, ret); + } else { + break; + } + } + mutex_unlock(&info->i2c_lock); + return ret; +} + +static int ln8000_write_reg(struct ln8000_info *info, u8 addr, u8 data) +{ + int i, ret = 0; + + mutex_lock(&info->i2c_lock); + for (i=0; i < I2C_RETRY_CNT; ++i) { + ret = regmap_write(info->regmap, addr, data); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_info("failed-write, reg(0x%02X), ret(%d)\n", addr, ret); + } else { + break; + } + } + mutex_unlock(&info->i2c_lock); + return ret; +} + +static int ln8000_update_reg(struct ln8000_info *info, u8 addr, u8 mask, u8 data) +{ + int i, ret = 0; + + mutex_lock(&info->i2c_lock); + for (i=0; i < I2C_RETRY_CNT; ++i) { + ret = regmap_update_bits(info->regmap, addr, mask, data); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_info("failed-update, reg(0x%02X), ret(%d)\n", addr, ret); + } else { + break; + } + } + mutex_unlock(&info->i2c_lock); + return ret; +} + +/** + * Register control functions + */ +#if 0 +static int ln8000_set_sw_freq(struct ln8000_info *info, unsigned int cfg) +{ + return ln8000_update_reg(info, LN8000_REG_SYS_CTRL, 0xF << 4, cfg << 4); +} +#endif + +static int ln8000_set_vac_ovp(struct ln8000_info *info, unsigned int ovp_th) +{ + u8 cfg; + + if (ovp_th <= 6500000) { + cfg = LN8000_VAC_OVP_6P5V; + } else if (ovp_th <= 11000000) { + cfg = LN8000_VAC_OVP_11V; + } else if (ovp_th <= 12000000) { + cfg = LN8000_VAC_OVP_12V; + } else { + cfg = LN8000_VAC_OVP_13V; + } + + return ln8000_update_reg(info, LN8000_REG_GLITCH_CTRL, 0x3 << 2, cfg << 2); +} + +/* battery float voltage */ +static int ln8000_set_vbat_float(struct ln8000_info *info, unsigned int cfg) +{ + u8 val; + + if (cfg < LN8000_VBAT_FLOAT_MIN) + val = 0x00; + else if (cfg > LN8000_VBAT_FLOAT_MAX) + val = 0xFF; + else + val = (cfg - LN8000_VBAT_FLOAT_MIN) / LN8000_VBAT_FLOAT_LSB; + + return ln8000_write_reg(info, LN8000_REG_V_FLOAT_CTRL, val); +} + +static int ln8000_set_iin_limit(struct ln8000_info *info, unsigned int cfg) +{ + u8 val = cfg / LN8000_IIN_CFG_LSB; + + ln_info("iin_limit=%dmV(iin_ctrl=0x%x)\n", cfg / 1000, val); + + return ln8000_update_reg(info, LN8000_REG_IIN_CTRL, 0x7F, val); +} + +static int ln8000_set_ntc_alarm(struct ln8000_info *info, unsigned int cfg) +{ + int ret; + + /* update lower bits */ + ret = ln8000_write_reg(info, LN8000_REG_NTC_CTRL, (cfg & 0xFF)); + if (ret < 0) + return ret; + + /* update upper bits */ + ret = ln8000_update_reg(info, LN8000_REG_ADC_CTRL, 0x3, (cfg >> 8)); + return ret; +} + +/* battery voltage OV protection */ +static int ln8000_enable_vbat_ovp(struct ln8000_info *info, bool enable) +{ + u8 val; + + val = (enable) ? 0 : 1;//disable + val <<= LN8000_BIT_DISABLE_VBAT_OV; + + return ln8000_update_reg(info, LN8000_REG_FAULT_CTRL, BIT(LN8000_BIT_DISABLE_VBAT_OV), val); +} + +static int ln8000_enable_vbat_regulation(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, + 0x1 << LN8000_BIT_DISABLE_VFLOAT_LOOP, + !(enable) << LN8000_BIT_DISABLE_VFLOAT_LOOP); +} + +static int ln8000_enable_vbat_loop_int(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, + 0x1 << LN8000_BIT_ENABLE_VFLOAT_LOOP_INT, + enable << LN8000_BIT_ENABLE_VFLOAT_LOOP_INT); +} + +/* input current OC protection */ +static int ln8000_enable_iin_ocp(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_FAULT_CTRL, + 0x1 << LN8000_BIT_DISABLE_IIN_OCP, + !(enable) << LN8000_BIT_DISABLE_IIN_OCP); +} + +static int ln8000_enable_iin_regulation(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, + 0x1 << LN8000_BIT_DISABLE_IIN_LOOP, + !(enable) << LN8000_BIT_DISABLE_IIN_LOOP); +} + +static int ln8000_enable_iin_loop_int(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, + 0x1 << LN8000_BIT_ENABLE_IIN_LOOP_INT, + enable << LN8000_BIT_ENABLE_IIN_LOOP_INT); +} + +static int ln8000_enable_vac_ov(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_FAULT_CTRL, + 0x1 << LN8000_BIT_DISABLE_VAC_OV, + !(enable) << LN8000_BIT_DISABLE_VAC_OV); +} + +static int ln8000_enable_tdie_prot(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, + 0x1 << LN8000_BIT_TEMP_MAX_EN, enable << LN8000_BIT_TEMP_MAX_EN); +} + +static int ln8000_enable_tdie_regulation(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, + 0x1 << LN8000_BIT_TEMP_REG_EN, enable << LN8000_BIT_TEMP_REG_EN); +} + +/* ADC channel enable */ +static int ln8000_set_adc_ch(struct ln8000_info *info, unsigned int ch, bool enable) +{ + u8 mask; + u8 val; + int ret; + + if ((ch > LN8000_ADC_CH_ALL) || (ch < 1)) + return -EINVAL; + + if (ch == LN8000_ADC_CH_ALL) { + // update all channels + val = (enable) ? 0x3E : 0x00; + ret = ln8000_write_reg(info, LN8000_REG_ADC_CFG, val); + } else { + // update selected channel + mask = 1<<(ch-1); + val = (enable) ? 1 : 0; + val <<= (ch-1); + ret = ln8000_update_reg(info, LN8000_REG_ADC_CFG, mask, val); + } + + return ret; +} + +/* BUS temperature monitoring (protection+alarm) */ +static int ln8000_enable_tbus_monitor(struct ln8000_info *info, bool enable) +{ + int ret; + + /* enable BUS monitoring */ + ret = ln8000_update_reg(info, LN8000_REG_RECOVERY_CTRL, 0x1 << 1, enable << 1); + if (ret < 0) + return ret; + + /* enable BUS ADC channel */ + if (enable) { + ret = ln8000_set_adc_ch(info, LN8000_ADC_CH_TSBUS, true); + } + return ret; +} + +/* BAT temperature monitoring (protection+alarm) */ +static int ln8000_enable_tbat_monitor(struct ln8000_info *info, bool enable) +{ + int ret; + + /* enable BAT monitoring */ + ret = ln8000_update_reg(info, LN8000_REG_RECOVERY_CTRL, 0x1 << 0, enable << 0); + if (ret < 0) + return ret; + + /* enable BAT ADC channel */ + if (enable) { + ret = ln8000_set_adc_ch(info, LN8000_ADC_CH_TSBAT, true); + } + return ret; +} + +/* watchdog timer */ +static int ln8000_enable_wdt(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1 << 7, enable << 7); +} + +#if 0 +static int ln8000_set_wdt(struct ln8000_info *info, unsigned int cfg) +{ + if (cfg >= LN8000_WATCHDOG_MAX) { + cfg = LN8000_WATCHDOG_40SEC; + } + + return ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x3 << 5, cfg << 5); +} +#endif + +/* unplug / reverse-current detection */ +static int ln8000_enable_rcp(struct ln8000_info *info, bool enable) +{ + info->rcp_en = enable; + + return ln8000_update_reg(info, LN8000_REG_SYS_CTRL, + BIT(LN8000_BIT_REV_IIN_DET), + enable << LN8000_BIT_REV_IIN_DET); +} + +/* auto-recovery */ +static int ln8000_enable_auto_recovery(struct ln8000_info *info, bool enable) +{ + return ln8000_update_reg(info, LN8000_REG_RECOVERY_CTRL, 0xF << 4, ((0xF << 4) * enable)); +} + +static int ln8000_set_adc_mode(struct ln8000_info *info, unsigned int cfg) +{ + return ln8000_update_reg(info, LN8000_REG_ADC_CTRL, 0x7 << 5, cfg << 5); +} + +static int ln8000_set_adc_hib_delay(struct ln8000_info *info, unsigned int cfg) +{ + return ln8000_update_reg(info, LN8000_REG_ADC_CTRL, 0x3 << 3, cfg << 3); +} + +/* check if device has been initialized (by SW) */ +#if defined(LN8000_DUAL_CONFIG) +static bool ln8000_is_sw_init(struct ln8000_info *info) +{ + u32 val; + + ln8000_read_reg(info, LN8000_REG_CHARGE_CTRL, &val); + + return (val >> 7); +} +#endif + +/* grab programmed battery float voltage (uV) */ +static int ln8000_get_vbat_float(struct ln8000_info *info) +{ + int ret, val; + + ret = ln8000_read_reg(info, LN8000_REG_V_FLOAT_CTRL, &val); + if (ret < 0) + return ret; + + return ((val & 0xFF) * LN8000_VBAT_FLOAT_LSB + LN8000_VBAT_FLOAT_MIN);//uV +} + +/* grab programmed input current limit (uA) */ +static int ln8000_get_iin_limit(struct ln8000_info *info) +{ + int ret, val; + int iin; + + ret = ln8000_read_reg(info, LN8000_REG_IIN_CTRL, &val); + if (ret < 0) + return ret; + + iin = ((val & 0x7F) * LN8000_IIN_CFG_LSB); + + if (iin < LN8000_IIN_CFG_MIN) { + iin = LN8000_IIN_CFG_MIN; + } + + return iin; +} + +/* enable/disable STANDBY */ +static inline void ln8000_sw_standby(struct ln8000_info *info, bool standby) +{ + u8 val = (standby) ? BIT(LN8000_BIT_STANDBY_EN) : 0x00; + ln8000_update_reg(info, LN8000_REG_SYS_CTRL, BIT(LN8000_BIT_STANDBY_EN), val); +} + +/* Convert Raw ADC Code */ +static void ln8000_convert_adc_code(struct ln8000_info *info, unsigned int ch, u8 *sts, int *result) +{ + int adc_raw; // raw ADC value + int adc_final; // final (converted) ADC value + + switch (ch) { + case LN8000_ADC_CH_VOUT: + adc_raw = ((sts[1] & 0xFF)<<2) | ((sts[0] & 0xC0)>>6); + adc_final = adc_raw * LN8000_ADC_VOUT_STEP;//uV + break; + case LN8000_ADC_CH_VIN: + adc_raw = ((sts[1] & 0x3F)<<4) | ((sts[0] & 0xF0)>>4); + adc_final = adc_raw * LN8000_ADC_VIN_STEP;//uV + break; + case LN8000_ADC_CH_VBAT: + adc_raw = ((sts[1] & 0x03)<<8) | (sts[0] & 0xFF); + adc_final = adc_raw * LN8000_ADC_VBAT_STEP;//uV + break; + case LN8000_ADC_CH_VAC: + adc_raw = (((sts[1] & 0x0F)<<6) | ((sts[0] & 0xFC)>>2)) + LN8000_ADC_VAC_OS; + adc_final = adc_raw * LN8000_ADC_VAC_STEP;//uV + break; + case LN8000_ADC_CH_IIN: + adc_raw = ((sts[1] & 0x03)<<8) | (sts[0] & 0xFF); + adc_final = adc_raw * LN8000_ADC_IIN_STEP;//uA + break; + case LN8000_ADC_CH_DIETEMP: + adc_raw = ((sts[1] & 0x0F)<<6) | ((sts[0] & 0xFC)>>2); + adc_final = (935 - adc_raw) * LN8000_ADC_DIETEMP_STEP / LN8000_ADC_DIETEMP_DENOM;//dC + if (adc_final > LN8000_ADC_DIETEMP_MAX) + adc_final = LN8000_ADC_DIETEMP_MAX; + else if (adc_final < LN8000_ADC_DIETEMP_MIN) + adc_final = LN8000_ADC_DIETEMP_MIN; + break; + case LN8000_ADC_CH_TSBAT: + adc_raw = ((sts[1] & 0x3F)<<4) | ((sts[0] & 0xF0)>>4); + adc_final = adc_raw * LN8000_ADC_NTCV_STEP;//(NTC) uV + break; + case LN8000_ADC_CH_TSBUS: + adc_raw = ((sts[1] & 0xFF)<<2) | ((sts[0] & 0xC0)>>6); + adc_final = adc_raw * LN8000_ADC_NTCV_STEP;//(NTC) uV + break; + default: + adc_raw = -EINVAL; + adc_final = -EINVAL; + break; + } + + *result = adc_final; + return; +} + +static void ln8000_print_regmap(struct ln8000_info *info) +{ + const u8 print_reg_num = (LN8000_REG_CHARGE_CTRL - LN8000_REG_INT1_MSK) + 1; + u32 regs[64] = {0x0, }; + char temp_buf[128] = {0,}; + int i, ret; + + for (i = 0; i < print_reg_num; ++i) { + ret = ln8000_read_reg(info, LN8000_REG_INT1_MSK + i, ®s[i]); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_err("fail to read reg for print_regmap[%d]\n", i); + regs[i] = 0xFF; + } + sprintf(temp_buf + strlen(temp_buf), "0x%02X[0x%02X],", LN8000_REG_INT1_MSK + i, regs[i]); + if (((i+1) % 10 == 0) || ((i+1) == print_reg_num)) { + ln_info("%s\n", temp_buf); + memset(temp_buf, 0x0, sizeof(temp_buf)); + } + } +} + +/** + * LN8000 device driver control routines + */ +static int ln8000_check_status(struct ln8000_info *info) +{ + u8 val[4]; + + if (ln8000_bulk_read_reg(info, LN8000_REG_SYS_STS, val, 4) < 0) { + return -EINVAL; + } + + mutex_lock(&info->data_lock); + + info->vbat_regulated = LN8000_STATUS(val[0], LN8000_MASK_VFLOAT_LOOP_STS); + info->iin_regulated = LN8000_STATUS(val[0], LN8000_MASK_IIN_LOOP_STS); + info->pwr_status = val[0] & (LN8000_MASK_BYPASS_ENABLED | LN8000_MASK_SWITCHING_ENABLED | \ + LN8000_MASK_STANDBY_STS | LN8000_MASK_SHUTDOWN_STS); + info->tdie_fault = LN8000_STATUS(val[1], LN8000_MASK_TEMP_MAX_STS); + info->tdie_alarm = LN8000_STATUS(val[1], LN8000_MASK_TEMP_REGULATION_STS); + if (!info->pdata->tbat_mon_disable || !info->pdata->tbus_mon_disable) { + info->tbus_tbat_fault = LN8000_STATUS(val[1], LN8000_MASK_NTC_SHUTDOWN_STS); //tbus or tbat + info->tbus_tbat_alarm = LN8000_STATUS(val[1], LN8000_MASK_NTC_ALARM_STS);//tbus or tbat + } + info->iin_rc = LN8000_STATUS(val[1], LN8000_MASK_REV_IIN_STS); + + info->wdt_fault = LN8000_STATUS(val[2], LN8000_MASK_WATCHDOG_TIMER_STS); + info->vbat_ov = LN8000_STATUS(val[2], LN8000_MASK_VBAT_OV_STS); + info->vac_unplug = LN8000_STATUS(val[2], LN8000_MASK_VAC_UNPLUG_STS); + info->vac_ov = LN8000_STATUS(val[2], LN8000_MASK_VAC_OV_STS); + info->vbus_ov = LN8000_STATUS(val[2], LN8000_MASK_VIN_OV_STS); + info->volt_qual = !(LN8000_STATUS(val[2], 0x7F)); + if (info->volt_qual == 1 && info->chg_en == 1) { + info->volt_qual = !(LN8000_STATUS(val[3], 1 << 5)); + if (info->volt_qual == 0) { + ln_info("volt_fault_detected (volt_qual=%d)\n", info->volt_qual); + /* clear latched status */ + ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1 << 2, 0x1 << 2); + ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1 << 2, 0x0 << 2); + } + } + info->iin_oc = LN8000_STATUS(val[3], LN8000_MASK_IIN_OC_DETECTED); + + mutex_unlock(&info->data_lock); + + return 0; +} + +static void ln8000_irq_sleep(struct ln8000_info *info, int suspend) +{ + if (info->client->irq <= 0) + return; + + if (suspend) { + ln_info("disable/suspend IRQ\n"); + disable_irq(info->client->irq); + } else { + ln_info("enable/resume IRQ\n"); + enable_irq(info->client->irq); + } +} + +static void ln8000_soft_reset(struct ln8000_info *info) +{ + ln8000_write_reg(info, LN8000_REG_LION_CTRL, 0xC6); + + ln8000_irq_sleep(info, 1); + + ln_info("Trigger soft-reset\n"); + ln8000_update_reg(info, LN8000_REG_BC_OP_2, 0x1 << 0, 0x1 << 0); + msleep(5 * 2); /* ln8000 min wait time 5ms (after POR) */ + + ln8000_irq_sleep(info, 0); +} + +static void ln8000_update_opmode(struct ln8000_info *info) +{ + unsigned int op_mode; + u32 val; + + /* chack mode status */ + ln8000_read_reg(info, LN8000_REG_SYS_STS, &val); + + if (val & LN8000_MASK_SHUTDOWN_STS) { + op_mode = LN8000_OPMODE_STANDBY; + } else if (val & LN8000_MASK_STANDBY_STS) { + op_mode = LN8000_OPMODE_STANDBY; + } else if (val & LN8000_MASK_SWITCHING_ENABLED) { + op_mode = LN8000_OPMODE_SWITCHING; + } else if (val & LN8000_MASK_BYPASS_ENABLED) { + op_mode = LN8000_OPMODE_BYPASS; + } else { + op_mode = LN8000_OPMODE_UNKNOWN; + } + + if (op_mode != info->op_mode) { + /* IC already has been entered standby_mode, need to trigger standbt_en bit */ + if (op_mode == LN8000_OPMODE_STANDBY) { + ln8000_update_reg(info, LN8000_REG_SYS_CTRL, 1 << LN8000_BIT_STANDBY_EN, 1 << LN8000_BIT_STANDBY_EN); + ln_info("forced trigger standby_en\n"); + info->chg_en = 0; + } + ln_info("op_mode has been changed [%d]->[%d] (sys_st=0x%x)\n", info->op_mode, op_mode, val); + info->op_mode = op_mode; + } + + return; +} + +static int ln8000_change_opmode(struct ln8000_info *info, unsigned int target_mode) +{ + int ret = 0; + u8 val, msk = (0x1 << LN8000_BIT_STANDBY_EN | 0x1 << LN8000_BIT_EN_1TO1); + + switch(target_mode) { + case LN8000_OPMODE_STANDBY: + val = (1 << LN8000_BIT_STANDBY_EN); + break; + case LN8000_OPMODE_BYPASS: + val = (0 << LN8000_BIT_STANDBY_EN) | (1 << LN8000_BIT_EN_1TO1); + break; + case LN8000_OPMODE_SWITCHING: + val = (0 << LN8000_BIT_STANDBY_EN) | (0 << LN8000_BIT_EN_1TO1); + break; + default: + ln_err("invalid index (target_mode=%d)\n", target_mode); + return -EINVAL; + } + ret = ln8000_update_reg(info, LN8000_REG_SYS_CTRL, msk, val); + if (IS_ERR_VALUE((unsigned long)ret)) { + return -EINVAL; + } + ln_info("changed opmode [%d] -> [%d]\n", info->op_mode, target_mode); + info->op_mode = target_mode; + + return 0; +} + +static int ln8000_init_device(struct ln8000_info *info) +{ + unsigned int vbat_float; + + /* config default charging paramter by dt */ + vbat_float = info->pdata->bat_ovp_th * 100 / 102; /* ovp thershold = v_float x 1.02 */ + vbat_float = (vbat_float /1000) * 1000; + ln_info("bat_ovp_th=%d, vbat_float=%d\n", info->pdata->bat_ovp_th, vbat_float); + ln8000_set_vbat_float(info, vbat_float); + info->vbat_ovp_alarm_th = info->pdata->bat_ovp_alarm_th; + ln8000_set_vac_ovp(info, info->pdata->bus_ovp_th); + info->vin_ovp_alarm_th = info->pdata->bus_ovp_alarm_th; + ln8000_set_iin_limit(info, info->pdata->bus_ocp_th - 700000); + info->iin_ocp_alarm_th = info->pdata->bus_ocp_alarm_th; + ln8000_set_ntc_alarm(info, info->pdata->ntc_alarm_cfg); + + ln8000_update_reg(info, LN8000_REG_REGULATION_CTRL, 0x3 << 2, LN8000_NTC_SHUTDOWN_CFG); + ln8000_enable_auto_recovery(info, 0); + + /* config charging protection */ + ln8000_enable_vbat_ovp(info, !info->pdata->vbat_ovp_disable); + ln8000_enable_vbat_regulation(info, !info->pdata->vbat_reg_disable); + ln8000_enable_vbat_loop_int(info, !info->pdata->vbat_reg_disable); + ln8000_enable_iin_ocp(info, !info->pdata->iin_ocp_disable); + ln8000_enable_iin_regulation(info, !info->pdata->iin_reg_disable); + ln8000_enable_iin_loop_int(info, !info->pdata->iin_reg_disable); + ln8000_enable_tdie_regulation(info, !info->pdata->tdie_reg_disable); + ln8000_enable_tdie_prot(info, !info->pdata->tdie_prot_disable); + ln8000_enable_rcp(info, 0); + ln8000_change_opmode(info, LN8000_OPMODE_STANDBY); + ln8000_enable_vac_ov(info, 1); + + /* wdt : disable, adc : shutdown mode */ + ln8000_enable_wdt(info, false); + ln8000_set_adc_mode(info, ADC_SHUTDOWN_MODE);//disable before updating + ln8000_set_adc_hib_delay(info, ADC_HIBERNATE_4S); + ln8000_set_adc_ch(info, LN8000_ADC_CH_ALL, true); + ln8000_enable_tbus_monitor(info, !info->pdata->tbus_mon_disable);//+enables ADC ch + ln8000_enable_tbat_monitor(info, !info->pdata->tbat_mon_disable);//+enables ADC ch + ln8000_set_adc_mode(info, ADC_AUTO_HIB_MODE); + + /* mark sw initialized (used CHARGE_CTRL bit:7) */ + ln8000_update_reg(info, LN8000_REG_CHARGE_CTRL, 0x1 << 7, 0x1 << 7); + ln8000_write_reg(info, LN8000_REG_THRESHOLD_CTRL, 0x0E); + + ln8000_print_regmap(info); + + ln_info(" done.\n"); + + return 0; +} + +/** + * Support power_supply platform for charger block. + * propertis are compatible by Xiaomi platform + */ +static int ln8000_get_adc_data(struct ln8000_info *info, unsigned int ch, int *result) +{ + int ret; + u8 sts[2]; + + /* pause adc update */ + ret = ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1 << 1, 0x1 << 1); + if (ret < 0) { + ln_err("fail to update bit PAUSE_ADC_UPDATE:1 (ret=%d)\n", ret); + return ret; + } + + switch (ch) { + case LN8000_ADC_CH_VOUT: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC04_STS, sts, 2); + break; + case LN8000_ADC_CH_VIN: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC03_STS, sts, 2); + break; + case LN8000_ADC_CH_VBAT: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC06_STS, sts, 2); + break; + case LN8000_ADC_CH_VAC: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC02_STS, sts, 2); + break; + case LN8000_ADC_CH_IIN: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC01_STS, sts, 2); + break; + case LN8000_ADC_CH_DIETEMP: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC07_STS, sts, 2); + break; + case LN8000_ADC_CH_TSBAT: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC08_STS, sts, 2); + break; + case LN8000_ADC_CH_TSBUS: + ret = ln8000_bulk_read_reg(info, LN8000_REG_ADC09_STS, sts, 2); + break; + default: + ln_err("invalid ch(%d)\n", ch); + ret = -EINVAL; + break; + } + + /* resume adc update */ + ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1 << 1, 0x0 << 1); + + if (IS_ERR_VALUE((unsigned long)ret) == false) { + ln8000_convert_adc_code(info, ch, sts, result); + } + + return ret; +} + +static int psy_chg_get_charging_enabled(struct ln8000_info *info) +{ + int enabled = 0; /* disabled */ + + if (info->chg_en) { + ln8000_update_opmode(info); + if (info->op_mode >= LN8000_OPMODE_BYPASS) { + enabled = 1; + } + } + + return enabled; +} + +static int psy_chg_get_ti_alarm_status(struct ln8000_info *info) +{ + int alarm; + unsigned int v_offset; + bool bus_ovp, bus_ocp, bat_ovp; + u8 val[4]; + + ln8000_check_status(info); + ln8000_get_adc_data(info, LN8000_ADC_CH_VIN, &info->vbus_uV); + ln8000_get_adc_data(info, LN8000_ADC_CH_IIN, &info->iin_uA); + ln8000_get_adc_data(info, LN8000_ADC_CH_VBAT, &info->vbat_uV); + + bus_ovp = (info->vbus_uV > info->vin_ovp_alarm_th) ? 1 : 0; + bus_ocp = (info->iin_uA > info->iin_ocp_alarm_th) ? 1 : 0; + bat_ovp = (info->vbat_uV > info->vbat_ovp_alarm_th) ? 1 : 0; + + /* BAT alarm status not support (ovp/ocp/ucp) */ + alarm = ((bus_ovp << BUS_OVP_ALARM_SHIFT) | + (bus_ocp << BUS_OCP_ALARM_SHIFT) | + (bat_ovp << BAT_OVP_ALARM_SHIFT) | + (info->tbus_tbat_alarm << BAT_THERM_ALARM_SHIFT) | + (info->tbus_tbat_alarm << BUS_THERM_ALARM_SHIFT) | + (info->tdie_alarm << DIE_THERM_ALARM_SHIFT)); + + if (info->vbus_uV < (info->vbat_uV * 2)) { + v_offset = 0; + } else { + v_offset = info->vbus_uV - (info->vbat_uV * 2); + } + + /* after charging-enabled, When the input current rises above rcp_th(over 200mA), it activates rcp. */ + if (info->chg_en && !(info->rcp_en)) { + /* v_offset > 300mV will be impossible sometimes */ + /* Considering the accuracy of ADC, iin > 400mA better than before */ + if (info->iin_uA > 400000) { + ln8000_enable_rcp(info, 1); + ln_info("enabled rcp\n"); + } + } + /* If an unplug event occurs when vbus voltage lower then vin_start_up_th, switch to standby mode. */ + if (info->chg_en && !(info->rcp_en)) { + /* v_offset can be lower then 100mV, because VBAT and VBUS will be closed proceed charging */ + /* Therefore we need to check ibus current. confirm to charging status */ + if (info->iin_uA < 70000 && v_offset < 100000) { + ln8000_change_opmode(info, LN8000_OPMODE_STANDBY); + ln_info("forced change standby_mode for prevent reverse current\n"); + info->chg_en = 0; + } + } + + ln8000_bulk_read_reg(info, LN8000_REG_SYS_STS, val, 4); + ln_info("adc_vin=%d(th=%d), adc_iin=%d(th=%d), adc_vbat=%d(th=%d), v_offset=%d\n", + info->vbus_uV / 1000, info->vin_ovp_alarm_th / 1000, + info->iin_uA / 1000, info->iin_ocp_alarm_th / 1000, + info->vbat_uV / 1000, info->vbat_ovp_alarm_th / 1000, + v_offset / 1000); + ln_info("st:0x%x:0x%x:0x%x:0x%x alarm=0x%x\n", val[0], val[1], val[2], val[3], alarm); + + return alarm; +} + +static int psy_chg_get_ti_fault_status(struct ln8000_info *info) +{ + int fault; + + ln8000_check_status(info); + + /* BAT ocp fault status not suppport */ + fault = ((info->vbat_ov << BAT_OVP_FAULT_SHIFT) | + (info->vbus_ov << BUS_OVP_FAULT_SHIFT) | + (info->iin_oc << BUS_OCP_FAULT_SHIFT) | + (info->tbus_tbat_fault << BAT_THERM_FAULT_SHIFT) | + (info->tbus_tbat_fault << BUS_THERM_FAULT_SHIFT) | + (info->tdie_fault << DIE_THERM_FAULT_SHIFT)); + + if (info->volt_qual == 0) { + fault |= ((1 << BAT_OVP_FAULT_SHIFT) | + (1 << BUS_OVP_FAULT_SHIFT)); + } + + if (fault) { + ln_info("fault=0x%x\n", fault); + } + + return fault; +} + +static int ln8000_charger_get_property(struct power_supply *psy, + enum power_supply_property prop, + union power_supply_propval *val) +{ + struct ln8000_info *info = power_supply_get_drvdata(psy); + + switch (prop) { + case POWER_SUPPLY_PROP_CHARGING_ENABLED: + val->intval = psy_chg_get_charging_enabled(info); + break; + case POWER_SUPPLY_PROP_STATUS: + val->intval = 0; + break; + case POWER_SUPPLY_PROP_PRESENT: + val->intval = info->usb_present; + break; + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE: + val->intval = ln8000_get_vbat_float(info); + break; + case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT: + val->intval = ln8000_get_iin_limit(info); + break; + case POWER_SUPPLY_PROP_TI_BATTERY_PRESENT: + ln8000_get_adc_data(info, LN8000_ADC_CH_VBAT, &info->vbat_uV); + if (info->vbat_uV > LN8000_ADC_VBAT_MIN) { + val->intval = 1; /* detected battery */ + } else { + val->intval = 0; /* non-detected battery */ + } + break; + case POWER_SUPPLY_PROP_TI_VBUS_PRESENT: + ln8000_check_status(info); + val->intval = !(info->vac_unplug); + break; + case POWER_SUPPLY_PROP_TI_BATTERY_VOLTAGE: + ln8000_get_adc_data(info, LN8000_ADC_CH_VBAT, &info->vbat_uV); + val->intval = info->vbat_uV/1000; + break; + case POWER_SUPPLY_PROP_TI_BATTERY_CURRENT: /* ln8000 not support IBAT_ADC */ + ln8000_get_adc_data(info, LN8000_ADC_CH_IIN, &info->iin_uA); + val->intval = (info->iin_uA * 2)/1000; /* return to IBUS_ADC x 2 */ + break; + case POWER_SUPPLY_PROP_TI_BATTERY_TEMPERATURE: + if (info->pdata->tbat_mon_disable) { + val->intval = 0; + } else { + ln8000_get_adc_data(info, LN8000_ADC_CH_TSBAT, &info->tbat_uV); + val->intval = info->tbat_uV; + ln_info("ti_battery_temperature: adc_tbat=%d\n", val->intval); + } + break; + case POWER_SUPPLY_PROP_TI_BUS_VOLTAGE: + ln8000_get_adc_data(info, LN8000_ADC_CH_VIN, &info->vbus_uV); + val->intval = info->vbus_uV/1000; + break; + case POWER_SUPPLY_PROP_TI_BUS_CURRENT: + ln8000_get_adc_data(info, LN8000_ADC_CH_IIN, &info->iin_uA); + val->intval = info->iin_uA/1000; + break; + case POWER_SUPPLY_PROP_TI_BUS_TEMPERATURE: + if (info->pdata->tbus_mon_disable) { + val->intval = 0; + } else { + ln8000_get_adc_data(info, LN8000_ADC_CH_TSBUS, &info->tbus_uV); + val->intval = info->tbus_uV; + ln_info("ti_bus_temperature: adc_tbus=%d\n", val->intval); + } + break; + case POWER_SUPPLY_PROP_TI_DIE_TEMPERATURE: + ln8000_get_adc_data(info, LN8000_ADC_CH_DIETEMP, &info->tdie_dC); + val->intval = info->tdie_dC; + ln_info("ti_die_temperature: adc_tdie=%d\n", val->intval); + break; + case POWER_SUPPLY_PROP_TI_ALARM_STATUS: + val->intval = psy_chg_get_ti_alarm_status(info); + break; + case POWER_SUPPLY_PROP_TI_FAULT_STATUS: + val->intval = psy_chg_get_ti_fault_status(info); + break; + case POWER_SUPPLY_PROP_TI_REG_STATUS: + ln8000_check_status(info); + val->intval = ((info->vbat_regulated << VBAT_REG_STATUS_SHIFT) | + /* ln8000 not support ibat_reg, we are can be ibus_reg */ + (info->iin_regulated << IBAT_REG_STATUS_SHIFT)); + if (val->intval) { + ln_info("ti_reg_status: intavl=0x%x\n", val->intval); + } + break; + case POWER_SUPPLY_PROP_MODEL_NAME: + val->strval = "bq2597x-master"; + break; + default: + return -EINVAL; + } + + return 0; +} + +static int psy_chg_set_charging_enable(struct ln8000_info *info, int val) +{ + int op_mode; + + if (val) { + ln_info("start charging\n"); + op_mode = LN8000_OPMODE_SWITCHING; + } else { + ln_info("stop charging\n"); + op_mode = LN8000_OPMODE_STANDBY; + } + + /* when the start-up to charging, we need to disabled rcp. */ + ln8000_enable_rcp(info, 0); + + ln8000_change_opmode(info, op_mode); + msleep(10); + ln8000_update_opmode(info); + + ln8000_print_regmap(info); + info->chg_en = val; + + ln_info("op_mode=%d\n", info->op_mode); + + return 0; +} + +static int psy_chg_set_present(struct ln8000_info *info, int val) +{ + bool usb_present = (bool)val; + + if (usb_present != info->usb_present) { + ln_info("changed usb_present [%d] -> [%d]\n", info->usb_present, usb_present); + if (usb_present) { + ln8000_init_device(info); + } + info->usb_present = usb_present; + } + + return 0; +} + +static int psy_chg_set_bus_protection_for_qc3(struct ln8000_info *info, int hvdcp3_type) +{ + ln_info("hvdcp3_type: %d\n", hvdcp3_type); + + if (hvdcp3_type == HVDCP3_CLASSA_18W) { + ln8000_set_vac_ovp(info, BUS_OVP_FOR_QC); + info->vin_ovp_alarm_th = BUS_OVP_ALARM_FOR_QC; + ln8000_set_iin_limit(info, BUS_OCP_FOR_QC_CLASS_A - 700000); + info->iin_ocp_alarm_th = BUS_OCP_ALARM_FOR_QC_CLASS_A; + } else if (hvdcp3_type == HVDCP3_CLASSB_27W) { + ln8000_set_vac_ovp(info, BUS_OVP_FOR_QC); + info->vin_ovp_alarm_th = BUS_OVP_ALARM_FOR_QC; + ln8000_set_iin_limit(info, BUS_OCP_FOR_QC_CLASS_B - 700000); + info->iin_ocp_alarm_th = BUS_OCP_ALARM_FOR_QC_CLASS_B; + } else if (hvdcp3_type == HVDCP3P5_CLASSA_18W) { + ln8000_set_vac_ovp(info, BUS_OVP_FOR_QC); + info->vin_ovp_alarm_th = BUS_OVP_ALARM_FOR_QC; + ln8000_set_iin_limit(info, BUS_OCP_FOR_QC3P5_CLASS_A - 700000); + info->iin_ocp_alarm_th = BUS_OCP_ALARM_FOR_QC3P5_CLASS_A; + } else if (hvdcp3_type == HVDCP3P5_CLASSB_27W) { + ln8000_set_vac_ovp(info, BUS_OVP_FOR_QC); + info->vin_ovp_alarm_th = BUS_OVP_ALARM_FOR_QC; + ln8000_set_iin_limit(info, BUS_OCP_FOR_QC3P5_CLASS_B - 700000); + info->iin_ocp_alarm_th = BUS_OCP_ALARM_FOR_QC3P5_CLASS_B; + } else { + ln8000_set_vac_ovp(info, info->pdata->bus_ovp_th); + info->vin_ovp_alarm_th = info->pdata->bus_ovp_alarm_th; + ln8000_set_iin_limit(info, info->pdata->bus_ocp_th - 700000); + info->iin_ocp_alarm_th = info->pdata->bus_ocp_alarm_th; + } + + ln8000_print_regmap(info); + + return 0; +} + +static int ln8000_charger_set_property(struct power_supply *psy, + enum power_supply_property prop, + const union power_supply_propval *val) +{ + struct ln8000_info *info = power_supply_get_drvdata(psy); + int ret = 0; + + switch (prop) { + case POWER_SUPPLY_PROP_CHARGING_ENABLED: + ret = psy_chg_set_charging_enable(info, val->intval); + break; + case POWER_SUPPLY_PROP_PRESENT: + ret = psy_chg_set_present(info, val->intval); + break; + case POWER_SUPPLY_PROP_TI_SET_BUS_PROTECTION_FOR_QC3: + ret = psy_chg_set_bus_protection_for_qc3(info, val->intval); + break; + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE: + ret = ln8000_set_vbat_float(info, val->intval); + break; + case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT: + ret = ln8000_set_iin_limit(info, val->intval); + break; + default: + ret = -EINVAL; + break; + } + + return ret; +} + +static int ln8000_charger_is_writeable(struct power_supply *psy, + enum power_supply_property prop) { + int ret; + + switch (prop) { + case POWER_SUPPLY_PROP_PRESENT: + case POWER_SUPPLY_PROP_CHARGING_ENABLED: + case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE: + case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT: + case POWER_SUPPLY_PROP_TI_SET_BUS_PROTECTION_FOR_QC3: + ret = 1; + break; + default: + ret = 0; + break; + } + + return ret; +} + +static enum power_supply_property ln8000_charger_props[] = { + POWER_SUPPLY_PROP_PRESENT, + POWER_SUPPLY_PROP_CHARGING_ENABLED, + POWER_SUPPLY_PROP_STATUS, + POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE, + POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT, + /* support TI extended propertis */ + POWER_SUPPLY_PROP_TI_BATTERY_PRESENT, + POWER_SUPPLY_PROP_TI_VBUS_PRESENT, + POWER_SUPPLY_PROP_TI_BATTERY_VOLTAGE, + POWER_SUPPLY_PROP_TI_BATTERY_CURRENT, + POWER_SUPPLY_PROP_TI_BATTERY_TEMPERATURE, + POWER_SUPPLY_PROP_TI_BUS_VOLTAGE, + POWER_SUPPLY_PROP_TI_BUS_CURRENT, + POWER_SUPPLY_PROP_TI_BUS_TEMPERATURE, + POWER_SUPPLY_PROP_TI_DIE_TEMPERATURE, + POWER_SUPPLY_PROP_TI_ALARM_STATUS, + POWER_SUPPLY_PROP_TI_FAULT_STATUS, + POWER_SUPPLY_PROP_TI_REG_STATUS, + POWER_SUPPLY_PROP_TI_SET_BUS_PROTECTION_FOR_QC3, + POWER_SUPPLY_PROP_MODEL_NAME, +}; + +static int read_reg(void *data, u64 *val) +{ + struct ln8000_info *info = data; + int ret; + unsigned int temp; + + ret = regmap_read(info->regmap, info->debug_address, &temp); + if (ret) { + ln_err("Unable to read reg(0x%02X), ret=%d\n", info->debug_address, ret); + return -EAGAIN; + } + *val = temp; + return 0; +} + +static int write_reg(void *data, u64 val) +{ + struct ln8000_info *info = data; + int ret; + u8 temp = (u8) val; + + ret = regmap_write(info->regmap, info->debug_address, temp); + if (ret) { + ln_err("Unable to write reg(0x%02X), data(0x%02X), ret=%d\n", + info->debug_address, temp, ret); + return -EAGAIN; + } + return 0; +} + +DEFINE_SIMPLE_ATTRIBUTE(register_debug_ops, read_reg, write_reg, "0x%02llX\n"); + +static int ln8000_create_debugfs_entries(struct ln8000_info *info) +{ + struct dentry *ent; + + info->debug_root = debugfs_create_dir((LN8000_IS_PRIMARY(info) ? "ln8000" : "ln8000-secondary"), NULL); + if (!info->debug_root) { + ln_err("unable to create debug dir\n"); + return -ENOENT; + } else { + ent = debugfs_create_x32("address", S_IFREG | S_IWUSR | S_IRUGO, info->debug_root, &(info->debug_address)); + if (!ent) { + ln_err("unable to create address debug file\n"); + return -ENOENT; + } + ent = debugfs_create_file("data", S_IFREG | S_IWUSR | S_IRUGO, info->debug_root, info, ®ister_debug_ops); + if (!ent) { + ln_err("unable to create data debug file\n"); + return -ENOENT; + } + } + + return 0; +} + +/** + * Support IRQ interface + */ +static int ln8000_read_int_value(struct ln8000_info *info, u32 *reg_val) +{ + int ret; + + /* pause INT updates */ + ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1, 0x1); + mdelay(1); + + ret = ln8000_read_reg(info, LN8000_REG_INT1, reg_val); + + /* resume INT updates */ + ln8000_update_reg(info, LN8000_REG_TIMER_CTRL, 0x1, 0x0); + + return ret; +} + +static void vac_ov_control_work(struct work_struct *work) +{ + struct ln8000_info *info = container_of(work, struct ln8000_info, vac_ov_work.work); + int i, cnt, ta_detached, delay = 50; + u32 sys_st; + bool enable_vac_ov = 1; + + ta_detached = 0; + cnt = 5000 / delay; + for (i = 0; i < cnt; ++i) { + ln8000_get_adc_data(info, LN8000_ADC_CH_VIN, &info->vbus_uV); + ln8000_read_reg(info, LN8000_REG_SYS_STS, &sys_st); + + if (enable_vac_ov) { + /* Check ADC_VIN during the 5sec, if vin higher then 10V, disable to vac_ov */ + if (info->vbus_uV > 10000000) { + enable_vac_ov = 0; + ln8000_enable_vac_ov(info, enable_vac_ov); + ln_info("vac_ov=disable, vin=%dmV, i=%d, cnt=%d, delay=%d\n", info->vbus_uV/1000, i, cnt, delay); + } + } else { + /* After disabled vac_ov, if ADC_VIN lower then 7V goto the terminate work */ + if (info->vbus_uV < 7000000) { + enable_vac_ov = 1; + ln_info("vac_ov=enable, vin=%dmV, i=%d, cnt=%d, delay=%d\n", info->vbus_uV/1000, i, cnt, delay); + goto teminate_work; + } + } + /* If judged 3 times by TA disconnected, goto the terminate work */ + if (sys_st == 0x1) { /* it's means entered shutdown mode */ + ta_detached += 1; + ln_info("sys_st=0x%x, ta_detached=%d\n", sys_st, ta_detached); + if (ta_detached > 2) { + goto teminate_work; + } + } + + msleep(delay); + } + +teminate_work: + ln8000_enable_vac_ov(info, 1); + info->vac_ov_work_on = 0; +} + +static void check_vac_ov_work(struct ln8000_info *info) +{ + u32 sys_st, fault1_st; + + ln8000_read_reg(info, LN8000_REG_SYS_STS, &sys_st); + ln8000_read_reg(info, LN8000_REG_FAULT1_STS, &fault1_st); + + if (sys_st == 0x02 && fault1_st == 0x00) { /* connected valid VBUS */ + if (info->vac_ov_work_on == 0) { /* vac_ov_work not worked */ + schedule_delayed_work(&info->vac_ov_work, msecs_to_jiffies(0)); + info->vac_ov_work_on = 1; + ln_info("schedule_work : vac_ov_work\n"); + } + } +} + +static irqreturn_t ln8000_interrupt_handler(int irq, void *data) +{ + struct ln8000_info *info = data; + u32 int_reg, int_msk; + u8 masked_int; + int ret; + ln_err("ln8000_interrupt_handler enter!\n"); + ret = ln8000_read_int_value(info, &int_reg); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_err("fail to read INT reg (ret=%d)\n", ret); + return IRQ_NONE; + } + ln8000_read_reg(info, LN8000_REG_INT1_MSK, &int_msk); + masked_int = int_reg & ~int_msk; + + ln_info("int_reg=0x%x, int_msk=0x%x, masked_int=0x%x\n", int_reg, int_msk, masked_int); + + ln8000_print_regmap(info); + LN8000_BIT_CHECK(masked_int, 7, "(INT) FAULT_INT"); + LN8000_BIT_CHECK(masked_int, 6, "(INT) NTC_PROT_INT"); + LN8000_BIT_CHECK(masked_int, 5, "(INT) CHARGE_PHASE_INT"); + LN8000_BIT_CHECK(masked_int, 4, "(INT) MODE_INT"); + LN8000_BIT_CHECK(masked_int, 3, "(INT) REV_CURR_INT"); + LN8000_BIT_CHECK(masked_int, 2, "(INT) TEMP_INT"); + LN8000_BIT_CHECK(masked_int, 1, "(INT) ADC_DONE_INT"); + LN8000_BIT_CHECK(masked_int, 0, "(INT) TIMER_INT"); + ln8000_check_status(info); + + if (masked_int & LN8000_MASK_FAULT_INT) { /* FAULT_INT */ + if (info->volt_qual) { + ln_info("connected to power_supplier\n"); + } else { + ln_info("FAULT_INT has occurred\n"); + } + } + if (masked_int & LN8000_MASK_NTC_PROT_INT) { /* NTC_PROT_INT */ + ln_info("NTC_PROT_INT has occurred(ntc_fault=%d, ntc_alarm=%d)\n", + info->tbus_tbat_fault, info->tbus_tbat_alarm); + } + if (masked_int & LN8000_MASK_CHARGE_PHASE_INT) { /* CHARGE_PHASE_INT */ + if (info->vbat_regulated) { + ln_info("CHARGE_PHASE_INT: VFLOAT regulated\n"); + } else if (info->iin_regulated) { + ln_info("CHARGE_PHASE_INT: IIN regulated\n"); + } + } + if (masked_int & LN8000_MASK_MODE_INT) { /* MODE_INT */ + switch(info->pwr_status) { + case LN8000_MASK_BYPASS_ENABLED: + ln_info("MODE_INT: device in BYPASS mode\n"); + break; + case LN8000_MASK_SWITCHING_ENABLED: + ln_info("MODE_INT: device in SWITCHING mode\n"); + break; + case LN8000_MASK_STANDBY_STS: + ln_info("MODE_INT: device in STANDBY mode\n"); + break; + case LN8000_MASK_SHUTDOWN_STS: + ln_info("MODE_INT: device in SHUTDOWN mode\n"); + break; + default: + ln_info("MODE_INT: device in unknown mode\n"); + break; + } + } + if (masked_int & LN8000_MASK_TEMP_INT) { /* TEMP_INT */ + ln_info("TEMP_INT has occurred(tdie_fault=%d, tdie_alarm=%d)\n", + info->tdie_fault, info->tdie_alarm); + } + if (masked_int & LN8000_MASK_TIMER_INT) { /* TIMER_INT */ + ln_info("Watchdog timer has expired(wdt_fault=%d)\n", info->wdt_fault); + } + + check_vac_ov_work(info); + + return IRQ_HANDLED; +} + +static int ln8000_irq_init(struct ln8000_info *info) +{ + const struct ln8000_platform_data *pdata = info->pdata; + int ret; + u8 mask; + u32 int_reg; + + if (LN8000_IS_PRIMARY(info)) { + if (info->pdata->irq_gpio) { + info->client->irq = gpiod_to_irq(pdata->irq_gpio); + if (info->client->irq < 0) { + ln_err("fail to get irq from gpio(irq_gpio=%p)\n", pdata->irq_gpio) + info->client->irq = 0; + return -EINVAL; + } + ln_info("mapped GPIO to irq (%d)\n", info->client->irq); + } + } else { + /* grab IRQ from primary device */ + ln_info("mapped shared GPIO to (primary dev) irq (%d)\n", info->client->irq); + } + /* interrupt mask setting */ + mask = LN8000_MASK_ADC_DONE_INT | LN8000_MASK_TIMER_INT | LN8000_MASK_MODE_INT | LN8000_MASK_REV_CURR_INT; + if (info->pdata->tdie_prot_disable && info->pdata->tdie_reg_disable) + mask |= LN8000_MASK_TEMP_INT; + if (info->pdata->iin_reg_disable && info->pdata->vbat_reg_disable) + mask |= LN8000_MASK_CHARGE_PHASE_INT; + if (info->pdata->tbat_mon_disable && info->pdata->tbus_mon_disable) + mask |= LN8000_MASK_NTC_PROT_INT; + ln8000_write_reg(info, LN8000_REG_INT1_MSK, mask); + /* read clear int_reg */ + ret = ln8000_read_int_value(info, &int_reg); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_err("fail to read INT reg (ret=%d)\n", ret); + return IRQ_NONE; + } + ln_info("int1_msk=0x%x\n", mask); + + return 0; +} + +static void determine_initial_status(struct ln8000_info *info) +{ + if (info->client->irq) + ln8000_interrupt_handler(info->client->irq, info); +} + + +static const struct of_device_id ln8000_dt_match[] = { + { .compatible = "lionsemi,ln8000", + .data = (void *) LN_PRIMARY + }, + { .compatible = "lionsemi,ln8000-secondary", + .data = (void *) LN_SECONDARY + }, + { }, +}; +MODULE_DEVICE_TABLE(of, ln8000_dt_match); + +static const struct i2c_device_id ln8000_id[] = { + { "ln8000", LN_PRIMARY }, + { "ln8000-secondary", LN_SECONDARY }, + { } +}; + +static const struct regmap_config ln8000_regmap_config = { + .reg_bits = 8, + .val_bits = 8, + .max_register = LN8000_REG_MAX, +}; + +static int try_to_find_i2c_regess(struct ln8000_info *info) +{ + uint8_t reg_set[] = {0x51, 0x55, 0x5b, 0x5f}; + uint8_t ori_reg = info->client->addr; + int i, ret = 0; + + for (i = 0; i < 4; i++) { + info->client->addr = reg_set[i]; + info->regmap = devm_regmap_init_i2c(info->client, &ln8000_regmap_config); + ret = i2c_smbus_read_byte_data(info->client, LN8000_REG_DEVICE_ID); + if (ret == 0x42) { + ln_info("find to can be access regess(0x%02x)(ori=0x%02x).\n", + info->client->addr, ori_reg); + ln8000_soft_reset(info); + return ret; + } else { + ln_err("can't access regess(0x%02x)(ori=0x%02x).\n", + info->client->addr, ori_reg); + } + } + + info->client->addr = ori_reg; + ln_info("retry (0x%02x).\n", info->client->addr); + info->regmap = devm_regmap_init_i2c(info->client, &ln8000_regmap_config); + ret = i2c_smbus_read_byte_data(info->client, LN8000_REG_DEVICE_ID); + if (ret == 0x42) { + ln_info("retry (0x%02x) can be access regess.\n", info->client->addr); + ln8000_soft_reset(info); + return ret; + } + + return ret; +} + +static int ln8000_get_dev_role(struct i2c_client *client) +{ + const struct of_device_id *of_id; + + of_id = of_match_device(of_match_ptr(ln8000_dt_match), &client->dev); + if (of_id == NULL) { + dev_err(&client->dev,"%s: fail to matched of_device_id\n", __func__); + return -EINVAL; + } + + dev_info(&client->dev,"%s: matched to %s\n", __func__, of_id->compatible); + + return (long)of_id->data; +} + +static int ln8000_parse_dt(struct ln8000_info *info) +{ + struct device *dev = info->dev; + struct ln8000_platform_data *pdata = info->pdata; + struct device_node *np = dev->of_node; + u32 prop; + int ret; + + if (np == NULL) + return -EINVAL; + + /* first we try to used client->irq */ + if (info->client->irq == 0) { + /* sencond we try to used irq_index info */ + ret = of_property_read_u32(np, "ln8000_charger,irq_index", &prop); + if (ret < 0) { + ln_err("can't get irq_index(ret=%d)\n", ret); + prop = 0; + } + info->client->irq = prop; + } + ln_info("info->client->irq=%d\n", info->client->irq); + + if (!info->client->irq) { + pdata->irq_gpio = gpiod_get(dev, "irqb", GPIOD_IN); + if (LN8000_USE_GPIO(pdata)) { + ln_info("[gpio] found valid GPIO/IRQ descriptor\n"); + } else { + ln_info("[gpio] unspecified or invalid GPIO descriptor\n"); + pdata->irq_gpio = 0; + } + } + + /* device configuration */ + ret = of_property_read_u32(np, "ln8000_charger,bat-ovp-threshold", &prop); + LN8000_PARSE_PROP(ret, pdata, bat_ovp_th, (prop*1000/*uV*/), LN8000_BAT_OVP_DEFAULT); + ret = of_property_read_u32(np, "ln8000_charger,bat-ovp-alarm-threshold", &prop); + LN8000_PARSE_PROP(ret, pdata, bat_ovp_alarm_th, (prop*1000/*uV*/), 0); + ret = of_property_read_u32(np, "ln8000_charger,bus-ovp-threshold", &prop); + LN8000_PARSE_PROP(ret, pdata, bus_ovp_th, (prop*1000/*uV*/), LN8000_BUS_OVP_DEFAULT); + ret = of_property_read_u32(np, "ln8000_charger,bus-ovp-alarm-threshold", &prop); + LN8000_PARSE_PROP(ret, pdata, bus_ovp_alarm_th, (prop*1000/*uA*/), 0); + ret = of_property_read_u32(np, "ln8000_charger,bus-ocp-threshold", &prop); + LN8000_PARSE_PROP(ret, pdata, bus_ocp_th, (prop*1000/*uA*/), LN8000_BUS_OCP_DEFAULT); + ret = of_property_read_u32(np, "ln8000_charger,bus-ocp-alarm-threshold", &prop); + LN8000_PARSE_PROP(ret, pdata, bus_ocp_alarm_th, (prop*1000/*uA*/), 0); + ret = of_property_read_u32(np, "ln8000_charger,ntc-alarm-cfg", &prop); + LN8000_PARSE_PROP(ret, pdata, ntc_alarm_cfg, prop, LN8000_NTC_ALARM_CFG_DEFAULT); + + /* protection/alarm disable (defaults to enable) */ + pdata->vbat_ovp_disable = of_property_read_bool(np, "ln8000_charger,vbat-ovp-disable"); + pdata->vbat_reg_disable = of_property_read_bool(np, "ln8000_charger,vbat-reg-disable"); + pdata->iin_ocp_disable = of_property_read_bool(np, "ln8000_charger,iin-ocp-disable"); + pdata->iin_reg_disable = of_property_read_bool(np, "ln8000_charger,iin-reg-disable"); + pdata->tbus_mon_disable = of_property_read_bool(np, "ln8000_charger,tbus-mon-disable"); + pdata->tbat_mon_disable = of_property_read_bool(np, "ln8000_charger,tbat-mon-disable"); + pdata->tdie_prot_disable = of_property_read_bool(np, "ln8000_charger,tdie-prot-disable"); + pdata->tdie_reg_disable = of_property_read_bool(np, "ln8000_charger,tdie-reg-disable"); + pdata->revcurr_prot_disable = of_property_read_bool(np, "ln8000_charger,revcurr-prot-disable"); + +#ifdef LN8000_DUAL_CONFIG + /* override device tree */ + if (info->dev_role == LN_PRIMARY) { + ln_info("disable TS_BAT monitor for primary device on dual-mode\n"); + pdata->tbat_mon_disable = true; + } else { + ln_info("disable VBAT_OVP and TS_BAT for secondary device on dual-mode\n"); + pdata->vbat_ovp_disable = true; + pdata->tbat_mon_disable = true; + } +#endif + ln_info("vbat_ovp_disable = %d\n", pdata->vbat_ovp_disable); + ln_info("vbat_reg_disable = %d\n", pdata->vbat_reg_disable); + ln_info("iin_ocp_disable = %d\n", pdata->iin_ocp_disable); + ln_info("iin_reg_disable = %d\n", pdata->iin_reg_disable); + ln_info("tbus_mon_disable = %d\n", pdata->tbus_mon_disable); + ln_info("tbat_mon_disable = %d\n", pdata->tbat_mon_disable); + ln_info("tdie_prot_disable = %d\n", pdata->tdie_prot_disable); + ln_info("tdie_reg_disable = %d\n", pdata->tdie_reg_disable); + ln_info("revcurr_prot_disable = %d\n", pdata->revcurr_prot_disable); + + return 0; +} + +static int ln8000_psy_register(struct ln8000_info *info) +{ + info->psy_cfg.drv_data = info; + info->psy_cfg.of_node = info->client->dev.of_node; + info->psy_desc.name = "bq2597x-standalone"; + info->psy_desc.type = POWER_SUPPLY_TYPE_MAINS; + info->psy_desc.properties = ln8000_charger_props; + info->psy_desc.num_properties = ARRAY_SIZE(ln8000_charger_props); + info->psy_desc.get_property = ln8000_charger_get_property; + info->psy_desc.set_property = ln8000_charger_set_property; + info->psy_desc.property_is_writeable = ln8000_charger_is_writeable; + info->psy_chg = devm_power_supply_register(&info->client->dev, &info->psy_desc, &info->psy_cfg); + if (IS_ERR(info->psy_chg)) { + ln_err("(%s) failed to register power supply\n", LN8000_ROLE(info)); + return PTR_ERR(info->psy_chg); + } + + ln_info("(%s) successfully registered power supply\n", LN8000_ROLE(info)); + + return 0; +} + +static int ln8000_probe(struct i2c_client *client, const struct i2c_device_id *id) +{ + struct ln8000_info *info; + int ret = 0; + + info = devm_kzalloc(&client->dev, sizeof(struct ln8000_info), GFP_KERNEL); + if (info == NULL) { + dev_err(&client->dev, "%s: fail to alloc devm for ln8000_info\n", __func__); + return -ENOMEM; + } + + info->dev = &client->dev; + info->client = client; + + /* detect device on connected i2c bus */ + ret = i2c_smbus_read_byte_data(client, LN8000_REG_DEVICE_ID); + if (IS_ERR_VALUE((unsigned long)ret)) { + ret = try_to_find_i2c_regess(info); + if (ret != 0x42) { + dev_err(&client->dev, "fail to detect ln8000 on i2c_bus(addr=0x%x)\n", client->addr); + return -ENODEV; + } + } + dev_info(&client->dev, "device id=0x%x\n", ret); + + info->dev_role = ln8000_get_dev_role(client); + if (IS_ERR_VALUE((unsigned long)info->dev_role)) { + kfree(info); + return -EINVAL; + } + + info->pdata = devm_kzalloc(&client->dev, sizeof(struct ln8000_platform_data), GFP_KERNEL); + if (info->pdata == NULL) { + ln_err("fail to alloc devm for ln8000_platform_data\n"); + kfree(info); + return -ENOMEM; + } + + ret = ln8000_parse_dt(info); + if (IS_ERR_VALUE((unsigned long)ret)) { + ln_err("fail to parsed dt\n"); + goto err_devmem; + } + + info->regmap = devm_regmap_init_i2c(client, &ln8000_regmap_config); + if (IS_ERR(info->regmap)) { + ln_err("fail to initialize regmap\n"); + ret = PTR_ERR(info->regmap); + goto err_devmem; + } + + mutex_init(&info->data_lock); + mutex_init(&info->i2c_lock); + mutex_init(&info->irq_lock); + i2c_set_clientdata(client, info); + + ln8000_soft_reset(info); + ln8000_init_device(info); + + ret = ln8000_psy_register(info); + if (ret) { + goto err_cleanup; + } + + ret = ln8000_irq_init(info); + if (ret < 0) { + goto err_psy; + } + + if (client->irq) { + ret = devm_request_threaded_irq(&client->dev, client->irq, + NULL, ln8000_interrupt_handler, + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "ln8000-charger-irq", info); + if (ret < 0) { + ln_err("request irq for irq=%d failed, ret =%d\n", + client->irq, ret); + goto err_wakeup; + } + enable_irq_wake(client->irq); + INIT_DELAYED_WORK(&info->vac_ov_work, vac_ov_control_work); + } else { + ln_info("don't support isr(irq=%d)\n", info->client->irq); + } + + device_init_wakeup(info->dev, 1); + + ret = ln8000_create_debugfs_entries(info); + if (IS_ERR_VALUE((unsigned long)ret)) { + goto err_wakeup; + } + + determine_initial_status(info); + + return 0; + +err_wakeup: + if (LN8000_IS_PRIMARY(info) && client->irq) { + free_irq(client->irq, info); + if (info->pdata->irq_gpio) { + gpiod_put(info->pdata->irq_gpio); + } + } +err_psy: + power_supply_unregister(info->psy_chg); + +err_cleanup: + i2c_set_clientdata(client, NULL); + mutex_destroy(&info->data_lock); + mutex_destroy(&info->i2c_lock); + mutex_destroy(&info->irq_lock); +err_devmem: + kfree(info->pdata); + kfree(info); + + return ret; +} + +static int ln8000_remove(struct i2c_client *client) +{ + struct ln8000_info *info = i2c_get_clientdata(client); + + ln8000_change_opmode(info, LN8000_OPMODE_STANDBY); + + debugfs_remove_recursive(info->debug_root); + + if (LN8000_IS_PRIMARY(info) && client->irq) { + free_irq(client->irq, info); + if (info->pdata->irq_gpio) { + gpiod_put(info->pdata->irq_gpio); + } + } + + power_supply_unregister(info->psy_chg); + i2c_set_clientdata(info->client, NULL); + + mutex_destroy(&info->data_lock); + mutex_destroy(&info->i2c_lock); + mutex_destroy(&info->irq_lock); + + kfree(info->pdata); + kfree(info); + + return 0; +} + +static void ln8000_shutdown(struct i2c_client *client) +{ + struct ln8000_info *info = i2c_get_clientdata(client); + + ln8000_change_opmode(info, LN8000_OPMODE_STANDBY); +} + +#if defined(CONFIG_PM) +static int ln8000_suspend(struct device *dev) +{ + struct ln8000_info *info = dev_get_drvdata(dev); + + if (device_may_wakeup(dev) && info->client->irq) + enable_irq_wake(info->client->irq); + + ln8000_irq_sleep(info, 1); + + return 0; +} + +static int ln8000_resume(struct device *dev) +{ + struct ln8000_info *info = dev_get_drvdata(dev); + + if (device_may_wakeup(dev) && info->client->irq) + disable_irq_wake(info->client->irq); + + ln8000_irq_sleep(info, 0); + + return 0; +} + +static const struct dev_pm_ops ln8000_pm_ops = { + .suspend = ln8000_suspend, + .resume = ln8000_resume, +}; +#endif + +static struct i2c_driver ln8000_driver = { + .driver = { + .name = "ln8000_charger", + .owner = THIS_MODULE, + .of_match_table = of_match_ptr(ln8000_dt_match), +#if defined(CONFIG_PM) + .pm = &ln8000_pm_ops, +#endif + }, + .probe = ln8000_probe, + .remove = ln8000_remove, + .shutdown = ln8000_shutdown, + .id_table = ln8000_id, +}; +module_i2c_driver(ln8000_driver); + +MODULE_AUTHOR("sungdae choi"); +MODULE_DESCRIPTION("LIONSEMI LN8000 charger driver"); +MODULE_LICENSE("GPL v2"); +MODULE_VERSION("0.3.0"); diff --git a/drivers/power/supply/ti/ln8000_charger.h b/drivers/power/supply/ti/ln8000_charger.h new file mode 100644 index 000000000000..44b797992298 --- /dev/null +++ b/drivers/power/supply/ti/ln8000_charger.h @@ -0,0 +1,339 @@ +/* + * ln8000-charger.h - Charger driver for LIONSEMI LN8000 + * + * Copyright (C) 2021 Lion Semiconductor Inc. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + */ + +#ifndef __LN8000_CHARGER_H__ +#define __LN8000_CHARGER_H__ + +//#define LN8000_DUAL_CONFIG /* uncomment to enable DUAL chip operation */ +//#define LN8000_DEBUG_SUPPORT + +/** + * ln8000 device descripion definition + */ +#define ASSIGNED_BITS(_end, _start) ((BIT(_end) - BIT(_start)) + BIT(_end)) + +/* register map description */ +enum ln8000_int1_desc { + LN8000_MASK_FAULT_INT = BIT(7), + LN8000_MASK_NTC_PROT_INT = BIT(6), + LN8000_MASK_CHARGE_PHASE_INT = BIT(5), + LN8000_MASK_MODE_INT = BIT(4), + LN8000_MASK_REV_CURR_INT = BIT(3), + LN8000_MASK_TEMP_INT = BIT(2), + LN8000_MASK_ADC_DONE_INT = BIT(1), + LN8000_MASK_TIMER_INT = BIT(0), +}; + +enum ln8000_sys_sts_desc { + LN8000_MASK_IIN_LOOP_STS = BIT(7), + LN8000_MASK_VFLOAT_LOOP_STS = BIT(6), + LN8000_MASK_BYPASS_ENABLED = BIT(3), + LN8000_MASK_SWITCHING_ENABLED = BIT(2), + LN8000_MASK_STANDBY_STS = BIT(1), + LN8000_MASK_SHUTDOWN_STS = BIT(0), +}; + +enum ln8000_safety_sts_desc { + LN8000_MASK_TEMP_MAX_STS = BIT(6), + LN8000_MASK_TEMP_REGULATION_STS = BIT(5), + LN8000_MASK_NTC_ALARM_STS = BIT(4), + LN8000_MASK_NTC_SHUTDOWN_STS = BIT(3), + LN8000_MASK_REV_IIN_STS = BIT(2), +}; + +enum ln8000_fault1_sts_desc { + LN8000_MASK_WATCHDOG_TIMER_STS = BIT(7), + LN8000_MASK_VBAT_OV_STS = BIT(6), + LN8000_MASK_VAC_UNPLUG_STS = BIT(4), + LN8000_MASK_VAC_OV_STS = BIT(3), + LN8000_MASK_VIN_OV_STS = BIT(1), + LN8000_MASK_VFAULTS = ASSIGNED_BITS(6,0), +}; + +enum ln8000_fault2_sts_desc { + LN8000_MASK_IIN_OC_DETECTED = BIT(7), +}; + +enum ln8000_ldo_sts_desc { + LN8000_MASK_VBAT_MIN_OK_STS = BIT(7), + LN8000_MASK_CHARGE_TERM_STS = BIT(5), + LN8000_MASK_RECHARGE_STS = BIT(4), +}; + +enum ln8000_regulation_ctrl_desc { + LN8000_BIT_ENABLE_VFLOAT_LOOP_INT = 7, + LN8000_BIT_ENABLE_IIN_LOOP_INT = 6, + LN8000_BIT_DISABLE_VFLOAT_LOOP = 5, + LN8000_BIT_DISABLE_IIN_LOOP = 4, + LN8000_BIT_TEMP_MAX_EN = 2, + LN8000_BIT_TEMP_REG_EN = 1, +}; + +enum ln8000_sys_ctrl_desc { + LN8000_BIT_STANDBY_EN = 3, + LN8000_BIT_REV_IIN_DET = 2, + LN8000_BIT_EN_1TO1 = 0, +}; + +enum ln8000_fault_ctrl_desc { + LN8000_BIT_DISABLE_IIN_OCP = 6, + LN8000_BIT_DISABLE_VBAT_OV = 5, + LN8000_BIT_DISABLE_VAC_OV = 4, + LN8000_BIT_DISABLE_VAC_UV = 3, + LN8000_BIT_DISABLE_VIN_OV = 2, +}; + +enum ln8000_bc_op1_desc { + LN8000_BIT_DUAL_FUNCTION_EN = 2, + LN8000_BIT_DUAL_CFG = 1, + LN8000_BIT_DUAL_LOCKOUT_EN = 0, +}; + +enum ln8000_reg_addr { + LN8000_REG_DEVICE_ID = 0x00, + LN8000_REG_INT1 = 0x01, + LN8000_REG_INT1_MSK = 0x02, + LN8000_REG_SYS_STS = 0x03, + LN8000_REG_SAFETY_STS = 0x04, + LN8000_REG_FAULT1_STS = 0x05, + LN8000_REG_FAULT2_STS = 0x06, + LN8000_REG_CURR1_STS = 0x07, + LN8000_REG_LDO_STS = 0x08, + LN8000_REG_ADC01_STS = 0x09, + LN8000_REG_ADC02_STS = 0x0A, + LN8000_REG_ADC03_STS = 0x0B, + LN8000_REG_ADC04_STS = 0x0C, + LN8000_REG_ADC05_STS = 0x0D, + LN8000_REG_ADC06_STS = 0x0E, + LN8000_REG_ADC07_STS = 0x0F, + LN8000_REG_ADC08_STS = 0x10, + LN8000_REG_ADC09_STS = 0x11, + LN8000_REG_ADC10_STS = 0x12, + LN8000_REG_IIN_CTRL = 0x1B, + LN8000_REG_REGULATION_CTRL = 0x1C, + LN8000_REG_PWR_CTRL = 0x1D, + LN8000_REG_SYS_CTRL = 0x1E, + LN8000_REG_LDO_CTRL = 0x1F, + LN8000_REG_GLITCH_CTRL = 0x20, + LN8000_REG_FAULT_CTRL = 0x21, + LN8000_REG_NTC_CTRL = 0x22, + LN8000_REG_ADC_CTRL = 0x23, + LN8000_REG_ADC_CFG = 0x24, + LN8000_REG_RECOVERY_CTRL = 0x25, + LN8000_REG_TIMER_CTRL = 0x26, + LN8000_REG_THRESHOLD_CTRL = 0x27, + LN8000_REG_V_FLOAT_CTRL = 0x28, + LN8000_REG_CHARGE_CTRL = 0x29, + LN8000_REG_LION_CTRL = 0x30, + LN8000_REG_BC_OP_1 = 0x41, + LN8000_REG_BC_OP_2 = 0x42, + LN8000_REG_BC_STS_A = 0x49, + LN8000_REG_BC_STS_B = 0x4A, + LN8000_REG_BC_STS_C = 0x4B, + LN8000_REG_BC_STS_D = 0x4C, + LN8000_REG_BC_STS_E = 0x4D, + LN8000_REG_MAX, +}; + +/* device feature configuration desc */ +#define LN8000_DEVICE_ID 0x42 + +enum ln8000_role { + LN_PRIMARY = 0x0, + LN_SECONDARY = 0x1, +}; + +enum ln8000_opmode_{ + LN8000_OPMODE_UNKNOWN = 0x0, + LN8000_OPMODE_STANDBY = 0x1, + LN8000_OPMODE_BYPASS = 0x2, + LN8000_OPMODE_SWITCHING = 0x3, +}; + +enum ln8000_vac_ov_cfg_desc { + LN8000_VAC_OVP_6P5V = 0x0, + LN8000_VAC_OVP_11V = 0x1, + LN8000_VAC_OVP_12V = 0x2, + LN8000_VAC_OVP_13V = 0x3, +}; + +enum ln8000_watchdpg_cfg_desc { + LN8000_WATCHDOG_5SEC = 0x0, + LN8000_WATCHDOG_10SEC = 0x1, + LN8000_WATCHDOG_20SEC = 0x2, + LN8000_WATCHDOG_40SEC = 0x3, + LN8000_WATCHDOG_MAX +}; + +enum ln8000_adc_channel_index { + LN8000_ADC_CH_VOUT = 1, + LN8000_ADC_CH_VIN, + LN8000_ADC_CH_VBAT, + LN8000_ADC_CH_VAC, + LN8000_ADC_CH_IIN, + LN8000_ADC_CH_DIETEMP, + LN8000_ADC_CH_TSBAT, + LN8000_ADC_CH_TSBUS, + LN8000_ADC_CH_ALL +}; + +enum ln8000_adc_mode_desc { /* used FORCE_ADC_MODE + ADC_SHUTDOWN_CFG */ + ADC_AUTO_HIB_MODE = 0x0, + ADC_AUTO_SHD_MODE = 0x1, + ADC_SHUTDOWN_MODE = 0x2, + ADC_HIBERNATE_MODE = 0x4, + ADC_NORMAL_MODE = 0x6, +}; + +enum ln8000_adc_hibernate_delay_desc { + ADC_HIBERNATE_500MS = 0x0, + ADC_HIBERNATE_1S = 0x1, + ADC_HIBERNATE_2S = 0x2, + ADC_HIBERNATE_4S = 0x3, +}; + +/* electrical numeric calculation unit description */ +#define LN8000_VBAT_FLOAT_MIN 3725000 /* unit = uV */ +#define LN8000_VBAT_FLOAT_MAX 5000000 +#define LN8000_VBAT_FLOAT_LSB 5000 +#define LN8000_ADC_VOUT_STEP 5000 /* 5mV= 5000uV LSB (0V ~ 5.115V) */ +#define LN8000_ADC_VIN_STEP 16000 /* 16mV=16000uV LSB (0V ~ 16.386V) */ +#define LN8000_ADC_VBAT_STEP 5000 /* 5mV= 5000uV LSB (0V ~ 5.115V) */ +#define LN8000_ADC_VBAT_MIN 1000000 /* 1V */ +#define LN8000_ADC_VAC_STEP 16000 /* 16mV=16000uV LSB (0V ~ 16.386V) */ +#define LN8000_ADC_VAC_OS 5 +#define LN8000_ADC_IIN_STEP 4890 /* 4.89mA=4890uA LSB (0A ~ 5A) */ +#define LN8000_ADC_DIETEMP_STEP 4350 /* 0.435C LSB = 4350dC/1000 (-25C ~ 160C) */ +#define LN8000_ADC_DIETEMP_DENOM 1000 /* 1000 */ +#define LN8000_ADC_DIETEMP_MIN (-250) /* -25C = -250dC */ +#define LN8000_ADC_DIETEMP_MAX 1600 /* 160C = 1600dC */ +#define LN8000_ADC_NTCV_STEP 2933 /* 2.933mV=2933uV LSB (0V ~ 3V) */ +#define LN8000_IIN_CFG_MIN 500000 /* 500mA=500,000uA */ +#define LN8000_IIN_CFG_LSB 50000 /* 50mA=50,000uA */ + +/* device default values */ +#define LN8000_BAT_OVP_DEFAULT 4440000 +#define LN8000_BUS_OVP_DEFAULT 9500000 +#define LN8000_BUS_OCP_DEFAULT 2000000 + +#define LN8000_NTC_ALARM_CFG_DEFAULT 226 /* NTC alarm threshold (~40C) */ +#define LN8000_NTC_SHUTDOWN_CFG 2 /* NTC shutdown config (-16LSB ~ 4.3C) */ +#define LN8000_DEFAULT_FSW_CFG 8 /* 8=440kHz, switching freq */ +#define LN8000_IIN_CFG_DEFAULT 2000000 /* 2A=2,000,000uA, input current limit */ + +/* bus protection values for QC */ +#define BUS_OVP_FOR_QC 13000000 /* ln8000 didn't used 10V, (support tot 6.5V, 11V, 12V, 13V) */ +#define BUS_OVP_ALARM_FOR_QC 9500000 +#define BUS_OCP_FOR_QC_CLASS_A 3250000 +#define BUS_OCP_ALARM_FOR_QC_CLASS_A 2000000 +#define BUS_OCP_FOR_QC_CLASS_B 3750000 +#define BUS_OCP_ALARM_FOR_QC_CLASS_B 2800000 +#define BUS_OCP_FOR_QC3P5_CLASS_A 3000000 +#define BUS_OCP_ALARM_FOR_QC3P5_CLASS_A 2500000 +#define BUS_OCP_FOR_QC3P5_CLASS_B 3500000 +#define BUS_OCP_ALARM_FOR_QC3P5_CLASS_B 3200000 + +/** + * driver instance structure definition + */ +struct ln8000_platform_data { + struct gpio_desc *irq_gpio; /* GPIO pin for (generic/power-on) interrupt */ + + /* feature configuration */ + unsigned int bat_ovp_th; /* battery ovp threshold (mV) */ + unsigned int bat_ovp_alarm_th; /* battery ovp alarm threshold (mV) */ + unsigned int bus_ovp_th; /* IIN ovp threshold (mV) */ + unsigned int bus_ovp_alarm_th; /* IIN ovp alarm threshold (mV) */ + unsigned int bus_ocp_th; /* IIN ocp threshold (mA) */ + unsigned int bus_ocp_alarm_th; /* IIN ocp alarm threshold */ + unsigned int ntc_alarm_cfg; /* input/battery NTC voltage threshold code: 0~1023 */ + + /* protection enable/disable */ + bool vbat_ovp_disable; /* disable battery voltage OVP */ + bool vbat_reg_disable; /* disable battery voltage (float) regulation */ + bool iin_ocp_disable; /* disable input current OCP */ + bool iin_reg_disable; /* disable input current regulation */ + bool tbus_mon_disable; /* disable BUS temperature monitor (prot/alarm) */ + bool tbat_mon_disable; /* disable BAT temperature monitor (prot/alarm) */ + bool tdie_prot_disable; /* disable die temperature protection */ + bool tdie_reg_disable; /* disable die temperature regulation */ + bool revcurr_prot_disable; /* disable reverse current protection */ +}; + +struct ln8000_info { + struct device *dev; + struct i2c_client *client; + struct ln8000_platform_data *pdata; + struct power_supply *psy_chg; + + struct mutex data_lock; + struct mutex i2c_lock; + struct mutex irq_lock; + struct regmap *regmap; + struct power_supply_config psy_cfg; + struct power_supply_desc psy_desc; + + unsigned int op_mode; /* target operation mode */ + unsigned int pwr_status; /* current device status */ + unsigned int dev_role; /* device role */ + + /* system/device status */ + bool vbat_regulated; /* vbat loop is active (+ OV alarm) */ + bool iin_regulated; /* iin loop is active (+ OC alarm) */ + bool tdie_fault; /* die temperature fault */ + bool tbus_tbat_fault; /* BUS/BAT temperature fault */ + bool tdie_alarm; /* die temperature alarm (regulated) */ + bool tbus_tbat_alarm; /* BUS/BAT temperature alarm */ + bool wdt_fault; /* watchdog timer expiration */ + bool vbat_ov; /* vbat OV fault */ + bool vac_ov; /* vac OV fault */ + bool vbus_ov; /* vbus OV fault */ + bool iin_oc; /* iin OC fault */ + bool vac_unplug; /* vac unplugged */ + bool iin_rc; /* iin reverse current detected */ + bool volt_qual; /* all voltages are qualified */ + bool usb_present; /* usb plugged (present) */ + bool chg_en; /* charging enavbled */ + bool rcp_en; /* reverse current protection enabled */ + int vbat_ovp_alarm_th; /* vbat ovp alarm threshold */ + int vin_ovp_alarm_th; /* vin ovp alarm threshold */ + int iin_ocp_alarm_th; /* iin ocp alarm threshold */ + + /* ADC readings */ + int tbat_uV; /* BAT temperature (NTC, uV) */ + int tbus_uV; /* BUS temperature (NTC, uV) */ + int tdie_dC; /* die temperature (deci-Celsius) */ + int vbat_uV; /* battery voltage (uV) */ + int vbus_uV; /* input voltage (uV) */ + int iin_uA; /* input current (uV) */ + + /* VAC_OV control for QC3 */ + struct delayed_work vac_ov_work; + bool vac_ov_work_on; + +#ifdef LN8000_ROLE_MASTER + bool ibat_term; /* battery current below termination threshold */ + bool vbat_rechg; /* battery voltage below recharge threshold */ + bool vbat_min; /* battery voltage above min. threshold */ +#endif + + /* debugfs */ + struct dentry *debug_root; + u32 debug_address; +}; + +#endif /* __LN8000_CHARGER_H__ */ diff --git a/drivers/power/supply/ti/pd_policy_manager.c b/drivers/power/supply/ti/pd_policy_manager.c index 729b11249934..bfcb4fad3238 100644 --- a/drivers/power/supply/ti/pd_policy_manager.c +++ b/drivers/power/supply/ti/pd_policy_manager.c @@ -337,8 +337,12 @@ static void usbpd_check_cp_psy(struct usbpd_pm *pdpm) pdpm->cp_psy = power_supply_get_by_name("bq2597x-master"); else pdpm->cp_psy = power_supply_get_by_name("bq2597x-standalone"); - if (!pdpm->cp_psy) - pr_err("cp_psy not found\n"); + if (!pdpm->cp_psy) { + pdpm->cp_psy = power_supply_get_by_name("ln8000"); + if (!pdpm->cp_psy) { + pr_err("cp_psy not found\n"); + } + } } } From 8b33842bb15a8998dc7eac69fc76154aed3e23f4 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Sat, 25 May 2024 01:11:32 +0530 Subject: [PATCH 173/182] arm64: dts: sweet: Import ln8000 charge pump dts changes * imported from sweet-ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- .../qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi b/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi index a079faf20b2d..8ebf7ba55f12 100755 --- a/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi +++ b/arch/arm64/boot/dts/qcom/xiaomi/sweet/sweet-sdmmagpie.dtsi @@ -215,6 +215,46 @@ And public attribution of xiaomi platforms(like F3 and so and) ti,bq2597x,ac-ovp-threshold = <14>; //ti,bq2597x,sense-resistor-mohm = <2>; }; + + ln8000_charger@51 { + compatible = "lionsemi,ln8000"; + reg = <0x51>; + /* bank */ + //irq-gpios = <&tlmm 55 0x2002>; + + //interrupt-parent = <&tlmm>; + //interrupts = <55 0x2002>; + //pinctrl-names = "default"; + //pinctrl-0 = <&bq2597x_int_default &bq2597x_int_suspend>; + ln8000_charger,irq_index = <296>; + /* device configuration */ + ln8000_charger,bat-ovp-threshold = <4560>; + ln8000_charger,bat-ovp-alarm-threshold = <4525>; + ln8000_charger,bus-ovp-threshold = <13000>; + ln8000_charger,bus-ovp-alarm-threshold = <11000>; + ln8000_charger,bus-ocp-threshold = <3750>; + ln8000_charger,bus-ocp-alarm-threshold = <3500>; + ln8000_charger,ntc-alarm-cfg = <226>; + /* protection enable/disable flags + * vbat-ovp-disable + * vbat-reg-disable + * iin-ocp-disable + * iin-reg-disable + * tbus-mon-disable + * tbat-mon-disable + * tdie-prot-disable + * tdie-reg-disable + * revcurr-prot-disable + */ + ln8000_charger,tdie-prot-disable; + ln8000_charger,tbus-mon-disable; + ln8000_charger,tbat-mon-disable; + ln8000_charger,iin-ocp-disable; + ln8000_charger,iin-reg-disable; + ln8000_charger,tdie-reg-disable; + ln8000_charger,vbat-reg-disable; + }; + aw8624_haptic@5A { compatible = "awinic,aw8624_haptic"; reg = <0x5A>; From 016ae669f997e621c876545156b47a1de95e7038 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Thu, 18 Jul 2024 05:47:50 +0530 Subject: [PATCH 174/182] power: supply: qcom: Add usbpd power supply prop online detection when charger is connected. * imported from sweet-ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/qpnp-smb5.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/power/supply/qcom/qpnp-smb5.c b/drivers/power/supply/qcom/qpnp-smb5.c index f1db84d509cd..5e469fec0a66 100644 --- a/drivers/power/supply/qcom/qpnp-smb5.c +++ b/drivers/power/supply/qcom/qpnp-smb5.c @@ -1186,7 +1186,8 @@ static int smb5_usb_get_prop(struct power_supply *psy, break; case POWER_SUPPLY_PROP_ONLINE: rc = smblib_get_prop_usb_online(chg, val); - if (!val->intval) + if ((!val->intval) && + (!chg->pd_hard_reset && chg->pd_active == POWER_SUPPLY_PD_INACTIVE)) break; if (((chg->typec_mode == POWER_SUPPLY_TYPEC_SOURCE_DEFAULT) || From 0ce2c8126d7efea92a35cd84988bc4bbf708e6b4 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Thu, 18 Jul 2024 05:18:25 +0530 Subject: [PATCH 175/182] power: supply: qcom: Add ffc battery current data for K6 * imported from nabu-r-oss & sweet-ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/qpnp-qg.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/power/supply/qcom/qpnp-qg.c b/drivers/power/supply/qcom/qpnp-qg.c index 1f19d475305b..c50e06ae0ad4 100644 --- a/drivers/power/supply/qcom/qpnp-qg.c +++ b/drivers/power/supply/qcom/qpnp-qg.c @@ -2098,6 +2098,8 @@ static int qg_reset(struct qpnp_qg *chip) #ifdef CONFIG_K6_CHARGE #define FFC_CHG_TERM_SWD_CURRENT -600 #define FFC_CHG_TERM_NVT_CURRENT -550 +#define FFC_BATT_FULL_NVT_CURRENT 925000 +#define FFC_BATT_FULL_SWD_CURRENT 880000 #define FFC_BATT_FULL_CURRENT 920000 #else #define FFC_CHG_TERM_CURRENT -830 @@ -2147,7 +2149,17 @@ static int qg_get_ffc_iterm_for_qg(struct qpnp_qg *chip) ffc_full_current = LOW_TEMP_FFC_BATT_FULL_CURRENT; } } else { +#ifdef CONFIG_K6_CHARGE + if (is_batt_vendor_nvt){ + ffc_full_current = FFC_BATT_FULL_NVT_CURRENT; + pr_err("ffc_FULL_current nvt is 925\n", rc); + }else{ + ffc_full_current = FFC_BATT_FULL_SWD_CURRENT; + pr_err("ffc_FULL_current swd is 880\n", rc); + } +#else ffc_full_current = FFC_BATT_FULL_CURRENT; +#endif } pr_info("ffc_full_current = %d\n", ffc_full_current); From 87fbbe3cbe9aa171d3093a4a9c3f21446e1897ff Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Wed, 22 May 2024 02:03:11 +0530 Subject: [PATCH 176/182] arm64: dts: sweet: Update K6 sunwoda battery data * imported from sweet_ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- .../sweet/batterydata-K6-sunwoda-5020mah.dtsi | 1570 ++++++++--------- 1 file changed, 785 insertions(+), 785 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/xiaomi/sweet/batterydata-K6-sunwoda-5020mah.dtsi b/arch/arm64/boot/dts/qcom/xiaomi/sweet/batterydata-K6-sunwoda-5020mah.dtsi index 857c7fb32a41..fb1b608b33cc 100644 --- a/arch/arm64/boot/dts/qcom/xiaomi/sweet/batterydata-K6-sunwoda-5020mah.dtsi +++ b/arch/arm64/boot/dts/qcom/xiaomi/sweet/batterydata-K6-sunwoda-5020mah.dtsi @@ -45,12 +45,12 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { qcom,fcc1-temp-lut { qcom,lut-col-legend = <0 10 25 40 50>; - qcom,lut-data = <4757 4891 4997 5055 5078>; + qcom,lut-data = <4776 4878 4999 5042 5055>; }; qcom,fcc2-temp-lut { qcom,lut-col-legend = <(-10) 0 10 25 40 50>; - qcom,lut-data = <4968 4967 5004 5018 5018 5015>; + qcom,lut-data = <4966 4968 4980 5017 5005 4998>; }; qcom,pc-temp-v1-lut { @@ -67,61 +67,61 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <44123 44255 44335 44363 44372>, - <43931 44073 44168 44204 44214>, - <43728 43883 43990 44030 44042>, - <43515 43686 43802 43846 43859>, - <43289 43478 43604 43651 43667>, - <43055 43250 43393 43444 43463>, - <42819 43012 43164 43222 43245>, - <42578 42773 42925 42984 43012>, - <42339 42529 42684 42743 42771>, - <42102 42287 42438 42498 42528>, - <41870 42049 42194 42253 42282>, - <41643 41813 41951 42011 42040>, - <41421 41583 41713 41772 41800>, - <41206 41357 41480 41537 41564>, - <41001 41137 41253 41305 41332>, - <40803 40929 41033 41079 41105>, - <40600 40727 40819 40860 40885>, - <40386 40528 40611 40649 40671>, - <40177 40340 40414 40446 40465>, - <39990 40138 40230 40258 40274>, - <39824 39879 40021 40062 40082>, - <39642 39574 39731 39812 39844>, - <39397 39337 39435 39523 39560>, - <39137 39172 39244 39303 39330>, - <38966 39038 39106 39150 39172>, - <38857 38927 38982 39018 39038>, - <38771 38834 38865 38887 38902>, - <38696 38747 38756 38763 38771>, - <38633 38661 38652 38650 38654>, - <38573 38578 38551 38547 38553>, - <38513 38500 38459 38453 38460>, - <38456 38426 38377 38369 38372>, - <38404 38359 38302 38293 38289>, - <38355 38303 38234 38220 38209>, - <38310 38254 38172 38149 38132>, - <38268 38205 38115 38079 38056>, - <38229 38161 38063 38014 37979>, - <38177 38111 38011 37949 37901>, - <38096 38034 37937 37867 37810>, - <37993 37930 37833 37759 37699>, - <37877 37813 37715 37637 37573>, - <37737 37677 37586 37501 37429>, - <37579 37525 37445 37354 37274>, - <37404 37345 37280 37195 37114>, - <37310 37215 37153 37077 37010>, - <37223 37142 37078 37015 36950>, - <37190 37123 37057 36994 36929>, - <37160 37097 37042 36977 36914>, - <37123 37067 37012 36942 36865>, - <37016 36929 36885 36758 36651>, - <36677 36555 36525 36382 36267>, - <36194 36059 36046 35890 35773>, - <35582 35420 35428 35255 35133>, - <34752 34540 34583 34385 34252>, - <33439 33113 33256 32985 32824>, + qcom,lut-data = <44153 44259 44339 44362 44369>, + <43956 44102 44168 44187 44189>, + <43747 43908 43984 44002 44006>, + <43529 43687 43788 43810 43816>, + <43300 43462 43580 43608 43617>, + <43065 43231 43359 43396 43409>, + <42826 42996 43121 43171 43186>, + <42584 42759 42876 42934 42948>, + <42342 42520 42631 42693 42707>, + <42104 42279 42384 42447 42462>, + <41870 42034 42141 42200 42216>, + <41641 41791 41901 41957 41975>, + <41417 41557 41664 41714 41736>, + <41200 41329 41429 41476 41500>, + <40990 41113 41197 41244 41267>, + <40788 40917 40974 41019 41040>, + <40586 40728 40763 40805 40821>, + <40378 40530 40560 40600 40609>, + <40174 40327 40368 40403 40408>, + <39984 40117 40188 40220 40227>, + <39815 39889 39984 40025 40039>, + <39640 39643 39704 39773 39796>, + <39422 39417 39417 39489 39514>, + <39180 39206 39224 39275 39291>, + <38993 39028 39081 39121 39126>, + <38861 38904 38954 38987 38985>, + <38755 38808 38835 38854 38856>, + <38670 38720 38727 38729 38741>, + <38599 38632 38623 38619 38632>, + <38536 38550 38522 38522 38530>, + <38477 38474 38432 38434 38435>, + <38423 38402 38355 38351 38347>, + <38374 38337 38285 38274 38265>, + <38330 38282 38222 38202 38189>, + <38289 38234 38167 38135 38118>, + <38251 38188 38113 38070 38046>, + <38214 38150 38063 38007 37971>, + <38167 38105 38010 37944 37892>, + <38094 38031 37938 37862 37800>, + <37998 37929 37839 37757 37690>, + <37889 37816 37726 37638 37569>, + <37752 37687 37600 37509 37436>, + <37600 37542 37458 37369 37292>, + <37428 37367 37290 37208 37133>, + <37288 37227 37159 37089 37015>, + <37224 37147 37083 37017 36953>, + <37189 37120 37065 36996 36934>, + <37162 37101 37045 36981 36915>, + <37126 37077 37017 36942 36867>, + <37018 36974 36867 36754 36655>, + <36672 36639 36494 36377 36275>, + <36182 36163 36006 35886 35783>, + <35556 35553 35374 35252 35147>, + <34698 34721 34506 34372 34265>, + <33313 33404 33107 32955 32841>, <30000 30000 30000 30000 30000>; }; @@ -137,62 +137,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <44365 44345 44335 44330 44290 44270>, - <44073 44080 44114 44124 44081 44062>, - <43806 43830 43898 43919 43873 43855>, - <43569 43600 43687 43715 43668 43650>, - <43363 43390 43485 43514 43465 43448>, - <43153 43176 43274 43304 43255 43238>, - <42920 42937 43041 43076 43028 43012>, - <42676 42687 42796 42836 42791 42777>, - <42428 42434 42551 42595 42552 42539>, - <42172 42175 42303 42349 42307 42294>, - <41922 41925 42057 42103 42064 42051>, - <41689 41696 41814 41861 41823 41810>, - <41466 41478 41575 41620 41584 41573>, - <41248 41258 41341 41385 41351 41340>, - <41041 41035 41111 41156 41123 41112>, - <40815 40815 40890 40932 40901 40890>, - <40509 40604 40686 40715 40685 40676>, - <40151 40395 40485 40503 40474 40467>, - <39863 40158 40257 40297 40272 40267>, - <39643 39870 39993 40100 40082 40078>, - <39440 39583 39731 39886 39876 39874>, - <39231 39336 39487 39617 39611 39613>, - <39025 39111 39256 39334 39330 39335>, - <38833 38912 39062 39121 39119 39126>, - <38649 38737 38896 38952 38954 38962>, - <38484 38577 38748 38806 38809 38817>, - <38343 38414 38613 38676 38680 38685>, - <38217 38256 38490 38561 38564 38566>, - <38125 38136 38377 38450 38456 38457>, - <38062 38045 38273 38345 38355 38357>, - <38009 37975 38176 38248 38263 38264>, - <37955 37928 38082 38159 38180 38179>, - <37903 37893 37995 38078 38102 38099>, - <37847 37858 37917 38003 38017 38009>, - <37789 37821 37846 37934 37929 37911>, - <37727 37780 37784 37861 37833 37807>, - <37661 37727 37733 37770 37726 37689>, - <37591 37659 37688 37672 37613 37564>, - <37512 37580 37625 37578 37510 37456>, - <37414 37485 37536 37488 37416 37362>, - <37309 37376 37430 37390 37316 37262>, - <37211 37256 37302 37276 37200 37143>, - <37115 37122 37160 37152 37077 37017>, - <37028 37010 37026 37014 36942 36878>, - <36947 36911 36924 36926 36865 36806>, - <36859 36810 36861 36887 36838 36781>, - <36807 36748 36830 36873 36826 36768>, - <36742 36670 36791 36851 36802 36742>, - <36646 36565 36715 36802 36737 36655>, - <36481 36407 36531 36631 36462 36340>, - <36210 36170 36160 36217 36014 35882>, - <35788 35773 35605 35676 35440 35296>, - <35176 35186 34846 34962 34686 34517>, - <34277 34354 33804 33970 33604 33420>, - <32804 32994 31968 32363 31950 31600>, - <28324 29464 26656 28793 27050 26674>; + qcom,lut-data = <44365 44350 44340 44335 44280 44260>, + <44091 44084 44113 44115 44064 44045>, + <43836 43832 43889 43898 43850 43831>, + <43606 43599 43672 43685 43638 43621>, + <43401 43386 43464 43478 43431 43413>, + <43190 43167 43248 43263 43216 43199>, + <42953 42926 43011 43029 42984 42969>, + <42704 42674 42766 42786 42742 42730>, + <42454 42422 42520 42541 42499 42489>, + <42199 42168 42273 42293 42253 42244>, + <41953 41920 42028 42046 42009 41999>, + <41731 41683 41787 41803 41767 41758>, + <41520 41454 41549 41562 41529 41520>, + <41291 41228 41315 41327 41295 41287>, + <41040 41008 41086 41098 41068 41058>, + <40780 40791 40863 40874 40847 40836>, + <40516 40580 40655 40658 40632 40624>, + <40247 40370 40452 40448 40423 40419>, + <39988 40134 40227 40243 40223 40221>, + <39732 39850 39970 40047 40035 40035>, + <39492 39571 39713 39835 39834 39835>, + <39284 39336 39473 39571 39578 39583>, + <39096 39125 39246 39294 39302 39309>, + <38920 38936 39053 39084 39091 39097>, + <38754 38767 38888 38917 38924 38933>, + <38597 38612 38740 38771 38780 38789>, + <38438 38465 38607 38640 38650 38659>, + <38283 38326 38486 38523 38534 38541>, + <38169 38203 38375 38415 38428 38433>, + <38089 38088 38272 38315 38330 38331>, + <38025 37994 38177 38223 38240 38238>, + <37966 37937 38085 38136 38160 38156>, + <37914 37897 37998 38056 38085 38080>, + <37860 37860 37920 37981 38005 37996>, + <37806 37828 37851 37914 37920 37902>, + <37750 37792 37790 37843 37829 37802>, + <37686 37744 37738 37755 37726 37688>, + <37617 37679 37693 37660 37615 37566>, + <37539 37601 37634 37570 37513 37458>, + <37450 37504 37553 37485 37421 37366>, + <37353 37390 37452 37392 37326 37272>, + <37255 37268 37332 37280 37215 37157>, + <37155 37135 37190 37156 37094 37030>, + <37063 37017 37053 37016 36957 36894>, + <36976 36913 36942 36927 36873 36813>, + <36885 36816 36875 36889 36844 36787>, + <36833 36752 36843 36873 36832 36774>, + <36768 36676 36809 36850 36809 36750>, + <36678 36565 36744 36792 36741 36659>, + <36518 36406 36589 36581 36480 36377>, + <36230 36128 36251 36150 36040 35920>, + <35778 35700 35732 35586 35470 35345>, + <35131 35080 35027 34844 34723 34586>, + <34161 34182 34058 33789 33664 33532>, + <32544 32618 32490 32094 32024 31689>, + <26757 28288 28401 26924 26615 26574>; }; qcom,pc-temp-z1-lut { @@ -209,62 +209,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <12324 11754 11200 10935 10845>, - <12334 11788 11232 10974 10885>, - <12340 11798 11251 10987 10898>, - <12343 11797 11254 10990 10904>, - <12344 11792 11250 10989 10904>, - <12343 11780 11245 10986 10902>, - <12341 11764 11238 10982 10900>, - <12339 11751 11228 10978 10897>, - <12334 11738 11220 10975 10895>, - <12302 11726 11211 10973 10895>, - <12260 11713 11206 10971 10895>, - <12243 11700 11203 10970 10894>, - <12236 11696 11201 10969 10894>, - <12229 11694 11200 10968 10893>, - <12215 11693 11199 10968 10893>, - <12198 11691 11199 10968 10894>, - <12185 11689 11198 10969 10894>, - <12171 11687 11198 10969 10896>, - <12160 11680 11198 10969 10897>, - <12158 11673 11199 10970 10898>, - <12158 11673 11199 10970 10899>, - <12159 11675 11199 10971 10900>, - <12160 11677 11200 10971 10900>, - <12164 11683 11201 10972 10901>, - <12166 11689 11203 10973 10903>, - <12164 11689 11205 10975 10906>, - <12164 11687 11208 10978 10908>, - <12171 11685 11211 10981 10911>, - <12180 11688 11215 10984 10914>, - <12186 11692 11219 10987 10916>, - <12186 11694 11223 10991 10919>, - <12186 11696 11227 10994 10922>, - <12188 11699 11231 10997 10926>, - <12199 11703 11236 11001 10930>, - <12210 11708 11242 11006 10933>, - <12215 11713 11247 11010 10937>, - <12217 11717 11251 11014 10941>, - <12218 11723 11254 11018 10944>, - <12235 11733 11259 11021 10948>, - <12256 11750 11267 11025 10951>, - <12261 11762 11273 11029 10953>, - <12266 11769 11278 11032 10956>, - <12275 11780 11282 11034 10958>, - <12297 11806 11288 11037 10960>, - <12318 11806 11299 11042 10963>, - <12300 11798 11304 11045 10965>, - <12309 11804 11304 11045 10965>, - <12302 11800 11302 11046 10967>, - <12292 11794 11304 11048 10969>, - <12315 11799 11316 11054 10973>, - <12330 11819 11321 11058 10977>, - <12351 11835 11328 11065 10983>, - <12575 11865 11334 11071 10989>, - <12356 11859 11348 11083 11000>, - <12356 11859 11348 11083 11000>, - <12356 11859 11348 11083 11000>; + qcom,lut-data = <12217 11691 11165 10905 10821>, + <12221 11712 11190 10950 10868>, + <12230 11721 11205 10962 10881>, + <12232 11727 11204 10965 10884>, + <12320 11724 11197 10962 10884>, + <12454 11707 11191 10958 10882>, + <12465 11687 11182 10954 10880>, + <12322 11671 11173 10948 10878>, + <12195 11656 11166 10945 10876>, + <12172 11643 11160 10943 10875>, + <12155 11632 11157 10942 10874>, + <12140 11624 11155 10941 10874>, + <12120 11621 11155 10940 10873>, + <12101 11618 11153 10939 10873>, + <12091 11616 11151 10939 10873>, + <12083 11611 11150 10939 10874>, + <12079 11606 11150 10939 10874>, + <12074 11604 11151 10940 10876>, + <12066 11602 11152 10941 10877>, + <12063 11600 11153 10942 10879>, + <12062 11601 11154 10943 10881>, + <12061 11603 11154 10944 10882>, + <12065 11606 11154 10944 10882>, + <12072 11610 11155 10944 10883>, + <12075 11614 11157 10946 10884>, + <12078 11619 11160 10949 10886>, + <12083 11626 11163 10951 10888>, + <12084 11630 11166 10954 10891>, + <12080 11626 11170 10957 10893>, + <12078 11621 11174 10960 10896>, + <12084 11621 11179 10963 10899>, + <12092 11626 11183 10967 10902>, + <12096 11632 11188 10970 10905>, + <12102 11639 11193 10974 10909>, + <12106 11647 11198 10979 10913>, + <12108 11655 11203 10983 10917>, + <12116 11662 11208 10987 10920>, + <12122 11669 11214 10991 10923>, + <12129 11679 11218 10995 10926>, + <12139 11690 11223 10999 10929>, + <12158 11696 11228 11002 10932>, + <12198 11698 11237 11005 10935>, + <12205 11704 11243 11007 10937>, + <12168 11738 11245 11010 10939>, + <12191 11741 11254 11014 10941>, + <12190 11725 11260 11017 10942>, + <12209 11725 11258 11016 10942>, + <12196 11726 11260 11018 10944>, + <12207 11736 11264 11023 10947>, + <12207 11741 11271 11025 10950>, + <12207 11742 11279 11029 10954>, + <12214 11751 11285 11036 10960>, + <12220 11776 11293 11043 10968>, + <12266 11945 11310 11054 10977>, + <12266 11945 11310 11054 10977>, + <12266 11945 11310 11054 10977>; }; qcom,pc-temp-z2-lut { @@ -281,62 +281,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <11147 10298 10813 10403 10266>, - <10909 10780 10834 10509 10460>, - <10730 10802 10841 10581 10424>, - <10641 10776 10830 10608 10395>, - <10587 10745 10783 10583 10386>, - <10546 10700 10731 10541 10371>, - <10512 10653 10678 10508 10361>, - <10483 10620 10628 10477 10344>, - <10468 10592 10591 10453 10329>, - <10462 10580 10560 10436 10325>, - <10458 10581 10549 10422 10322>, - <10460 10583 10571 10410 10296>, - <10477 10592 10604 10400 10201>, - <10501 10637 10622 10389 10144>, - <10532 10684 10634 10364 10148>, - <10574 10707 10648 10342 10156>, - <10614 10726 10669 10328 10168>, - <10655 10745 10693 10294 10193>, - <10690 10771 10714 10288 10221>, - <10715 10788 10733 10312 10250>, - <10735 10788 10758 10353 10280>, - <10744 10784 10810 10461 10315>, - <10729 10776 10861 10650 10353>, - <10700 10745 10850 10706 10389>, - <10688 10713 10779 10587 10416>, - <10685 10721 10740 10473 10444>, - <10683 10768 10820 10562 10491>, - <10688 10808 10927 10785 10555>, - <10706 10831 10937 10848 10572>, - <10723 10847 10906 10706 10420>, - <10736 10845 10868 10550 10242>, - <10747 10823 10810 10486 10188>, - <10757 10805 10755 10442 10151>, - <10765 10802 10749 10420 10147>, - <10774 10800 10761 10433 10194>, - <10786 10802 10779 10463 10264>, - <10801 10817 10820 10539 10334>, - <10820 10841 10879 10671 10414>, - <10853 10875 10938 10754 10475>, - <10893 10921 11007 10816 10516>, - <10932 10955 11045 10862 10563>, - <10970 10972 11050 10890 10673>, - <11044 10998 11054 10907 10788>, - <11164 11062 11066 10897 10808>, - <11003 11393 11124 10779 10686>, - <10822 11490 11148 10618 10471>, - <10770 11534 11095 10612 10452>, - <10764 11519 11081 10613 10484>, - <10775 11621 11133 10758 10636>, - <10709 11763 11195 10695 10552>, - <10682 11824 11088 10412 10256>, - <10511 11686 10933 10331 10191>, - <10398 11512 10852 10258 10146>, - <10181 11221 10771 10226 10062>, - <10181 11221 10771 10226 10062>, - <10181 11221 10771 10226 10062>; + qcom,lut-data = <11314 10842 10620 10364 10301>, + <10850 13703 11269 10365 10259>, + <10646 13021 11622 10394 10271>, + <10562 11330 11590 10407 10275>, + <10524 10654 11353 10415 10260>, + <10497 10599 11098 10433 10239>, + <10466 10574 10805 10584 10222>, + <10434 10634 10570 10923 10207>, + <10411 10826 10595 11006 10200>, + <10399 10921 10800 10632 10157>, + <10392 10758 10906 10268 10108>, + <10390 10538 11072 10219 10109>, + <10396 10501 11282 10196 10130>, + <10405 10525 11195 10192 10146>, + <10421 10587 10772 10228 10154>, + <10451 11968 10556 10292 10163>, + <10478 13823 10940 10512 10180>, + <10498 13798 11480 10927 10204>, + <10515 11966 11663 11139 10223>, + <10522 10668 11754 11236 10234>, + <10526 10643 11781 11294 10248>, + <10528 10641 11390 11146 10293>, + <10529 10641 10848 10778 10395>, + <10529 10629 10708 10608 10515>, + <10529 10614 10661 10493 10736>, + <10527 10618 10646 10416 10907>, + <10526 10641 10689 10476 10798>, + <10527 10661 10747 10604 10495>, + <10535 10674 10754 10629 10302>, + <10544 10683 10740 10511 10190>, + <10552 10683 10721 10378 10130>, + <10562 10676 10677 10296 10128>, + <10570 10671 10629 10231 10136>, + <10577 10674 10625 10221 10150>, + <10584 10681 10644 10255 10192>, + <10593 10688 10670 10305 10247>, + <10603 10696 10708 10366 10309>, + <10616 10708 10754 10446 10377>, + <10639 10733 10792 10535 10429>, + <10668 10771 10827 10655 10476>, + <10691 10792 10850 10725 10500>, + <10709 10798 10858 10714 10484>, + <10742 10809 10865 10695 10453>, + <10820 10852 10873 10671 10429>, + <11215 11072 10903 10592 10410>, + <11037 11156 10909 10540 10398>, + <10956 11147 10845 10525 10421>, + <10937 11187 10867 10543 10432>, + <10969 11413 10897 10641 10540>, + <10946 11531 10947 10576 10502>, + <10828 11628 10814 10336 10225>, + <10659 11691 10704 10284 10164>, + <10473 11569 10641 10239 10117>, + <10270 11359 10687 10174 10033>, + <10270 11359 10687 10174 10033>, + <10270 11359 10687 10174 10033>; }; qcom,pc-temp-z3-lut { @@ -353,62 +353,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <19535 19404 19340 19325 19325>, - <19607 19476 19387 19345 19335>, - <19665 19515 19422 19374 19358>, - <19702 19542 19439 19394 19380>, - <19729 19562 19450 19404 19389>, - <19749 19579 19457 19412 19395>, - <19764 19590 19464 19420 19402>, - <19777 19591 19469 19428 19409>, - <19784 19590 19469 19431 19412>, - <19789 19588 19468 19428 19411>, - <19793 19585 19466 19422 19407>, - <19792 19579 19459 19416 19403>, - <19787 19572 19450 19408 19396>, - <19780 19561 19441 19401 19390>, - <19771 19551 19432 19396 19386>, - <19759 19546 19425 19392 19382>, - <19749 19542 19421 19388 19379>, - <19741 19537 19418 19384 19376>, - <19733 19528 19415 19380 19373>, - <19728 19522 19411 19375 19368>, - <19724 19536 19409 19372 19364>, - <19722 19577 19424 19374 19363>, - <19737 19593 19444 19379 19364>, - <19762 19574 19440 19380 19364>, - <19768 19546 19411 19363 19359>, - <19757 19530 19395 19347 19353>, - <19742 19517 19395 19366 19366>, - <19730 19511 19395 19412 19408>, - <19717 19518 19402 19428 19426>, - <19710 19530 19428 19426 19416>, - <19707 19540 19444 19422 19402>, - <19705 19550 19445 19415 19393>, - <19703 19556 19445 19403 19386>, - <19701 19553 19442 19392 19378>, - <19698 19548 19435 19384 19369>, - <19694 19544 19428 19377 19361>, - <19689 19540 19420 19373 19358>, - <19683 19536 19413 19369 19355>, - <19675 19531 19411 19367 19354>, - <19665 19524 19409 19366 19353>, - <19655 19517 19409 19365 19353>, - <19644 19512 19410 19374 19363>, - <19627 19505 19410 19385 19379>, - <19596 19494 19405 19383 19380>, - <19344 19446 19384 19371 19369>, - <19305 19424 19374 19344 19344>, - <19298 19410 19373 19342 19340>, - <19295 19410 19362 19340 19330>, - <19294 19367 19355 19325 19322>, - <19293 19383 19349 19341 19334>, - <19297 19306 19356 19364 19360>, - <19297 19301 19346 19367 19360>, - <19299 19297 19343 19369 19362>, - <19304 19290 19344 19357 19360>, - <19304 19290 19344 19357 19360>, - <19304 19290 19344 19357 19360>; + qcom,lut-data = <19605 19378 19326 19339 19334>, + <19566 19355 19357 19348 19343>, + <19623 19402 19385 19369 19359>, + <19662 19499 19410 19385 19372>, + <19677 19542 19436 19393 19379>, + <19688 19546 19449 19401 19385>, + <19694 19550 19451 19412 19392>, + <19700 19560 19453 19425 19398>, + <19702 19580 19458 19429 19400>, + <19702 19590 19470 19414 19397>, + <19700 19575 19475 19397 19393>, + <19699 19550 19477 19393 19389>, + <19694 19536 19477 19391 19385>, + <19689 19528 19463 19389 19382>, + <19682 19519 19432 19387 19380>, + <19673 19482 19417 19385 19378>, + <19665 19440 19431 19385 19375>, + <19656 19442 19449 19388 19372>, + <19648 19473 19450 19387 19368>, + <19647 19498 19444 19382 19360>, + <19652 19513 19438 19376 19354>, + <19659 19535 19434 19376 19355>, + <19671 19543 19429 19378 19361>, + <19688 19533 19418 19375 19370>, + <19695 19520 19396 19361 19390>, + <19690 19510 19384 19350 19407>, + <19682 19501 19387 19370 19408>, + <19675 19498 19394 19412 19407>, + <19667 19501 19406 19423 19405>, + <19660 19508 19428 19415 19398>, + <19655 19514 19440 19404 19390>, + <19651 19520 19437 19396 19384>, + <19647 19524 19432 19390 19379>, + <19644 19523 19427 19383 19372>, + <19641 19520 19420 19375 19360>, + <19638 19517 19414 19369 19352>, + <19636 19513 19409 19364 19351>, + <19633 19509 19406 19360 19351>, + <19627 19506 19402 19359 19350>, + <19619 19502 19400 19360 19351>, + <19612 19498 19398 19361 19352>, + <19604 19493 19397 19366 19357>, + <19592 19486 19396 19370 19362>, + <19569 19477 19395 19370 19363>, + <19507 19444 19382 19360 19360>, + <19315 19423 19372 19346 19346>, + <19303 19422 19361 19344 19334>, + <19294 19408 19362 19334 19329>, + <19291 19358 19347 19326 19323>, + <19292 19350 19356 19344 19336>, + <19299 19316 19365 19363 19354>, + <19295 19310 19364 19364 19356>, + <19297 19302 19364 19356 19351>, + <19303 19299 19341 19358 19355>, + <19303 19299 19341 19358 19355>, + <19303 19299 19341 19358 19355>; }; qcom,pc-temp-z4-lut { @@ -425,62 +425,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <15538 15236 14999 14882 14826>, - <15517 15308 14998 14890 14847>, - <15484 15289 14996 14881 14843>, - <15436 15206 14982 14869 14836>, - <15341 15127 14939 14848 14822>, - <15239 15065 14898 14822 14799>, - <15164 15009 14867 14799 14779>, - <15098 14964 14840 14776 14761>, - <15042 14927 14817 14758 14745>, - <14993 14895 14796 14741 14730>, - <14951 14867 14779 14729 14719>, - <14918 14843 14765 14725 14715>, - <14891 14822 14754 14723 14714>, - <14868 14803 14748 14720 14713>, - <14845 14789 14745 14716 14709>, - <14825 14778 14741 14711 14705>, - <14815 14771 14734 14707 14700>, - <14812 14769 14726 14702 14695>, - <14809 14772 14723 14698 14691>, - <14808 14779 14721 14696 14690>, - <14806 14793 14721 14695 14689>, - <14806 14823 14756 14717 14706>, - <14832 14852 14810 14779 14771>, - <14879 14886 14842 14816 14803>, - <14897 14911 14866 14833 14803>, - <14901 14913 14875 14842 14802>, - <14902 14909 14868 14817 14782>, - <14899 14902 14853 14753 14724>, - <14885 14881 14830 14721 14698>, - <14869 14851 14790 14711 14697>, - <14853 14826 14760 14705 14696>, - <14836 14803 14744 14702 14694>, - <14821 14787 14733 14700 14689>, - <14809 14780 14729 14699 14687>, - <14799 14775 14728 14701 14689>, - <14790 14772 14727 14702 14690>, - <14782 14769 14728 14702 14691>, - <14776 14768 14729 14702 14691>, - <14773 14769 14732 14704 14693>, - <14770 14772 14741 14715 14703>, - <14763 14772 14746 14724 14711>, - <14750 14760 14738 14714 14703>, - <14738 14745 14727 14701 14690>, - <14728 14734 14724 14701 14691>, - <14864 14704 14707 14694 14686>, - <14886 14685 14679 14684 14671>, - <14885 14685 14667 14672 14662>, - <14879 14674 14658 14656 14651>, - <14877 14714 14653 14651 14640>, - <14876 14700 14669 14659 14663>, - <14885 14807 14691 14662 14662>, - <14891 14815 14704 14663 14666>, - <14894 14824 14710 14664 14666>, - <14902 14834 14711 14676 14668>, - <14902 14834 14711 14676 14668>, - <14902 14834 14711 14676 14668>; + qcom,lut-data = <15243 15203 14965 14853 14824>, + <15443 15207 14957 14864 14829>, + <15409 15176 14942 14855 14824>, + <15361 15106 14916 14842 14817>, + <15270 15042 14868 14822 14801>, + <15166 14989 14832 14797 14780>, + <15092 14938 14812 14767 14762>, + <15031 14875 14795 14731 14745>, + <14980 14803 14768 14716 14732>, + <14937 14773 14727 14720 14722>, + <14902 14776 14701 14724 14714>, + <14873 14780 14681 14720 14709>, + <14849 14778 14663 14715 14706>, + <14829 14766 14669 14709 14702>, + <14808 14756 14698 14704 14697>, + <14788 14778 14713 14697 14692>, + <14780 14807 14683 14684 14688>, + <14786 14800 14644 14667 14685>, + <14794 14762 14639 14660 14682>, + <14793 14743 14640 14658 14679>, + <14777 14753 14641 14657 14677>, + <14765 14763 14697 14687 14699>, + <14778 14778 14780 14756 14756>, + <14813 14821 14815 14790 14775>, + <14834 14857 14836 14804 14753>, + <14842 14859 14843 14810 14726>, + <14847 14852 14832 14783 14712>, + <14846 14842 14810 14725 14702>, + <14837 14826 14785 14704 14696>, + <14827 14805 14751 14700 14692>, + <14817 14787 14729 14698 14689>, + <14806 14772 14721 14695 14685>, + <14796 14761 14716 14691 14680>, + <14788 14756 14714 14691 14678>, + <14780 14752 14712 14691 14679>, + <14773 14749 14712 14691 14680>, + <14766 14745 14712 14691 14680>, + <14760 14742 14713 14691 14680>, + <14756 14743 14715 14693 14682>, + <14752 14744 14723 14702 14691>, + <14746 14744 14728 14709 14697>, + <14736 14733 14721 14702 14693>, + <14726 14721 14711 14694 14688>, + <14718 14712 14707 14695 14689>, + <14697 14683 14690 14688 14677>, + <14860 14670 14669 14670 14660>, + <14869 14663 14665 14660 14657>, + <14871 14667 14649 14650 14642>, + <14868 14714 14651 14641 14631>, + <14865 14723 14654 14647 14652>, + <14870 14777 14667 14652 14657>, + <14879 14786 14671 14655 14659>, + <14886 14799 14673 14664 14666>, + <14891 14806 14700 14663 14662>, + <14891 14806 14700 14663 14662>, + <14891 14806 14700 14663 14662>; }; qcom,pc-temp-z5-lut { @@ -497,62 +497,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <13138 12985 13500 13875 14350>, - <14188 14730 15281 14900 14974>, - <15064 15622 16528 16568 16703>, - <15704 16188 17034 17785 18361>, - <16151 16719 17308 18333 19126>, - <16599 17280 17596 18800 19710>, - <17197 17811 17962 19612 20554>, - <17922 18291 18343 20794 21826>, - <18741 18718 18705 21684 23014>, - <19782 19193 19061 22330 24035>, - <20934 19779 19446 22747 24854>, - <22002 20452 19999 22594 24857>, - <23080 21208 20452 21982 24146>, - <24181 22098 20426 21619 23693>, - <25218 22983 20150 21870 23812>, - <26272 23907 20016 22240 24088>, - <27706 24767 20581 22501 24565>, - <30434 24946 21453 23140 25628>, - <32812 24360 21919 23653 26449>, - <33106 23805 22184 24222 26902>, - <32880 30080 22714 24723 27195>, - <32794 47031 27829 24897 26789>, - <39083 53991 34105 24895 24828>, - <49798 43999 32902 24375 22514>, - <52398 30996 24374 20036 19181>, - <46447 25969 18921 16014 16396>, - <39443 23023 17913 17572 18649>, - <35950 21945 17369 22105 26398>, - <33330 22522 17830 24992 29633>, - <32327 23813 20369 26763 28113>, - <33013 25771 23079 27725 26472>, - <34396 29549 25391 27389 26462>, - <35900 32929 27534 26549 26917>, - <37880 34851 29079 26204 26999>, - <39817 36306 30405 26632 26536>, - <41246 37130 30963 27048 26135>, - <42463 37698 30497 27095 26369>, - <43547 37989 29631 27053 26949>, - <44647 37400 28840 26492 26904>, - <45538 35880 27818 24714 24564>, - <45911 34979 27295 23458 22578>, - <45946 34505 27348 25800 26567>, - <45435 34328 27397 28818 32474>, - <42949 34226 26145 27919 32544>, - <17074 33443 25068 25279 28665>, - <13468 31192 25892 19940 20952>, - <13204 26073 27431 20700 21130>, - <13137 27849 26089 23250 21487>, - <13108 22125 25989 21722 23386>, - <13164 21237 21541 25221 24234>, - <13244 13620 18391 23514 24384>, - <13066 13274 16300 22702 22231>, - <12952 12953 15517 21271 20649>, - <12790 12581 15188 17110 17819>, - <12790 12581 15188 17110 17819>, - <12790 12581 15188 17110 17819>; + qcom,lut-data = <14358 13042 13174 14799 15044>, + <14164 12590 14225 15336 15919>, + <15320 13713 15286 17048 17568>, + <16177 16338 16360 18355 18930>, + <16544 17771 17616 19017 19745>, + <16877 18096 18605 19700 20486>, + <17321 18407 19159 21411 21591>, + <17943 19477 19725 24101 23047>, + <18647 21748 21729 24894 24024>, + <19374 22939 26370 23063 24668>, + <20161 22585 28894 21311 25096>, + <20977 22002 31296 21370 25064>, + <21812 22033 33783 21840 24858>, + <22709 22749 31868 22418 24797>, + <23875 23393 25439 23255 25630>, + <25236 22295 22278 24230 26875>, + <25897 21100 30543 26677 27906>, + <25910 21505 41203 30900 28916>, + <25866 22342 42609 32258 29192>, + <26237 23800 42344 32463 28152>, + <28185 30288 41895 32746 26960>, + <31273 42506 40002 31744 26603>, + <37948 47069 36541 28646 26393>, + <48221 41039 31426 25570 26246>, + <52119 32878 23107 20159 25738>, + <48330 28592 18786 16252 25286>, + <42732 25303 18518 19274 25520>, + <39305 24132 18384 25765 26213>, + <36519 24617 19235 27556 26725>, + <35052 25687 23311 26834 27004>, + <34935 27459 26938 26246 27324>, + <35131 31009 28884 26481 28151>, + <35495 34195 30359 26992 29305>, + <36183 36217 31371 27213 29416>, + <37086 37796 32198 27299 27395>, + <38162 38512 32539 27338 25709>, + <39513 38911 32479 27307 26604>, + <40603 39114 32324 27203 28480>, + <41458 39085 31755 26945 28749>, + <42093 38892 29800 26140 26785>, + <42161 38542 28359 25586 25249>, + <41800 37479 27946 26263 26560>, + <41052 36367 27733 27084 28415>, + <38846 35410 27565 26853 28650>, + <34185 36237 27021 24518 28713>, + <13282 32634 27317 21940 23606>, + <12868 32053 24217 22646 20328>, + <12599 28592 27343 22129 22395>, + <12554 19252 22954 23464 26381>, + <12644 17563 24085 29261 28352>, + <12820 13714 21021 26234 25155>, + <12557 13313 19734 24012 23062>, + <12430 12834 18965 19294 19072>, + <12355 12596 15023 18255 18082>, + <12355 12596 15023 18255 18082>, + <12355 12596 15023 18255 18082>; }; qcom,pc-temp-z6-lut { @@ -569,62 +569,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1000 900 800 700 600>, <500 400 300 200 100>, <0>; - qcom,lut-data = <15508 14992 14667 14556 14518>, - <15504 15059 14699 14580 14542>, - <15492 15056 14716 14594 14556>, - <15471 15027 14714 14598 14563>, - <15422 14997 14702 14594 14561>, - <15366 14969 14688 14588 14556>, - <15324 14942 14677 14582 14552>, - <15286 14916 14667 14577 14548>, - <15252 14892 14656 14571 14544>, - <15221 14871 14645 14562 14538>, - <15193 14852 14635 14554 14531>, - <15168 14835 14625 14547 14525>, - <15146 14819 14615 14542 14521>, - <15125 14803 14608 14537 14517>, - <15103 14790 14601 14532 14513>, - <15082 14782 14595 14528 14509>, - <15067 14775 14589 14523 14505>, - <15055 14771 14584 14518 14501>, - <15047 14769 14581 14514 14497>, - <15044 14767 14578 14511 14494>, - <15042 14780 14577 14509 14491>, - <15041 14816 14603 14521 14498>, - <15061 14833 14637 14552 14527>, - <15095 14834 14641 14563 14540>, - <15105 14835 14640 14562 14539>, - <15101 14833 14637 14560 14536>, - <15096 14826 14633 14558 14534>, - <15089 14818 14629 14556 14533>, - <15078 14813 14625 14553 14531>, - <15068 14808 14621 14549 14526>, - <15060 14804 14617 14544 14519>, - <15053 14800 14612 14538 14514>, - <15047 14797 14608 14532 14509>, - <15043 14794 14604 14527 14504>, - <15039 14791 14601 14524 14500>, - <15036 14790 14598 14522 14497>, - <15033 14788 14595 14519 14495>, - <15032 14788 14593 14516 14493>, - <15034 14789 14593 14516 14493>, - <15036 14791 14598 14520 14496>, - <15036 14791 14600 14524 14500>, - <15034 14787 14598 14525 14503>, - <15031 14782 14595 14526 14506>, - <15023 14777 14592 14525 14507>, - <14967 14749 14576 14516 14499>, - <14956 14731 14559 14498 14480>, - <14952 14724 14554 14492 14475>, - <14950 14721 14545 14484 14464>, - <14953 14719 14539 14473 14455>, - <14958 14727 14545 14486 14471>, - <14970 14737 14560 14502 14488>, - <14979 14742 14563 14506 14492>, - <14989 14750 14567 14510 14496>, - <15008 14760 14572 14512 14499>, - <15008 14760 14572 14512 14499>, - <15008 14760 14572 14512 14499>; + qcom,lut-data = <15380 14956 14639 14545 14518>, + <15419 14940 14657 14564 14534>, + <15400 14939 14667 14574 14543>, + <15374 14940 14666 14576 14546>, + <15323 14936 14657 14571 14543>, + <15262 14908 14647 14565 14539>, + <15216 14872 14638 14559 14535>, + <15175 14845 14629 14552 14531>, + <15140 14820 14619 14546 14527>, + <15110 14801 14608 14538 14521>, + <15083 14786 14598 14531 14515>, + <15060 14773 14589 14526 14510>, + <15040 14762 14582 14523 14506>, + <15022 14751 14577 14519 14503>, + <15003 14742 14573 14515 14500>, + <14984 14732 14568 14511 14496>, + <14973 14724 14563 14506 14493>, + <14970 14722 14559 14501 14490>, + <14968 14722 14555 14497 14486>, + <14967 14723 14552 14493 14481>, + <14965 14731 14551 14490 14476>, + <14964 14749 14575 14504 14487>, + <14975 14763 14607 14535 14515>, + <15001 14776 14611 14544 14526>, + <15014 14785 14610 14543 14526>, + <15016 14784 14609 14542 14526>, + <15017 14777 14606 14541 14524>, + <15014 14771 14601 14539 14519>, + <15007 14766 14598 14536 14515>, + <15000 14762 14595 14531 14510>, + <14994 14759 14592 14525 14506>, + <14989 14756 14589 14520 14501>, + <14985 14755 14585 14516 14497>, + <14982 14754 14582 14512 14492>, + <14980 14753 14579 14509 14487>, + <14979 14752 14576 14506 14483>, + <14979 14751 14575 14503 14482>, + <14979 14750 14574 14501 14482>, + <14981 14751 14574 14502 14482>, + <14983 14754 14577 14507 14486>, + <14984 14754 14579 14510 14490>, + <14984 14751 14577 14510 14491>, + <14982 14747 14573 14509 14491>, + <14979 14744 14572 14510 14493>, + <14948 14724 14560 14502 14487>, + <14929 14709 14546 14488 14472>, + <14926 14706 14539 14482 14465>, + <14925 14703 14534 14473 14456>, + <14927 14701 14528 14465 14447>, + <14933 14705 14535 14477 14463>, + <14945 14715 14547 14492 14478>, + <14952 14721 14551 14496 14482>, + <14965 14728 14555 14498 14485>, + <14985 14738 14559 14501 14489>, + <14985 14738 14559 14501 14489>, + <14985 14738 14559 14501 14489>; }; qcom,pc-temp-y1-lut { @@ -639,62 +639,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <5992 5573 5288 5013 4864 4813>, - <5980 5573 5297 5013 4863 4813>, - <5967 5573 5304 5012 4862 4812>, - <5955 5574 5308 5010 4861 4812>, - <5945 5575 5310 5009 4860 4811>, - <5941 5576 5311 5007 4859 4810>, - <5943 5579 5308 5004 4859 4810>, - <5946 5583 5303 5002 4858 4809>, - <5949 5584 5299 5000 4857 4809>, - <5954 5578 5294 4998 4856 4808>, - <5958 5573 5290 4997 4855 4808>, - <5957 5573 5287 4996 4854 4807>, - <5954 5574 5284 4996 4853 4807>, - <5954 5573 5284 4995 4852 4806>, - <5960 5567 5284 4993 4852 4806>, - <5969 5562 5285 4992 4852 4806>, - <5979 5572 5284 4992 4852 4805>, - <5990 5591 5283 4992 4852 4805>, - <5993 5597 5283 4993 4852 4805>, - <5988 5586 5285 4994 4852 4806>, - <5983 5577 5287 4995 4852 4807>, - <5979 5577 5285 4996 4854 4808>, - <5968 5579 5282 4996 4856 4808>, - <5964 5579 5282 4997 4857 4809>, - <5964 5581 5286 4999 4857 4811>, - <5962 5583 5289 5002 4858 4812>, - <5958 5582 5288 5003 4858 4813>, - <5950 5577 5285 5005 4860 4815>, - <5945 5572 5286 5007 4861 4816>, - <5941 5573 5292 5009 4863 4818>, - <5937 5575 5296 5012 4865 4820>, - <5935 5573 5297 5013 4867 4821>, - <5934 5568 5296 5014 4868 4822>, - <5933 5566 5297 5016 4870 4823>, - <5929 5569 5303 5018 4872 4824>, - <5924 5572 5307 5020 4873 4826>, - <5921 5569 5305 5021 4874 4827>, - <5916 5560 5300 5021 4875 4828>, - <5912 5553 5299 5022 4876 4829>, - <5905 5548 5301 5025 4877 4831>, - <5899 5543 5304 5027 4878 4832>, - <5899 5542 5309 5029 4879 4833>, - <5899 5544 5315 5032 4882 4835>, - <5896 5546 5323 5035 4884 4837>, - <5904 5549 5324 5040 4888 4839>, - <5979 5564 5333 5045 4888 4840>, - <5951 5571 5341 5044 4888 4840>, - <5952 5581 5332 5048 4888 4840>, - <5945 5587 5481 5042 4888 4841>, - <5965 5588 5369 5042 4889 4841>, - <5969 5590 5336 5048 4890 4843>, - <5957 5583 5350 5052 4894 4847>, - <5945 5585 5346 5059 4899 4851>, - <6007 5593 5348 5069 4907 4859>, - <6007 5593 5348 5069 4907 4859>, - <6007 5593 5348 5069 4907 4859>; + qcom,lut-data = <5797 5542 5294 4995 4852 4806>, + <5824 5545 5290 4994 4851 4805>, + <5847 5544 5283 4992 4849 4804>, + <5865 5541 5276 4989 4848 4803>, + <5877 5536 5270 4985 4846 4801>, + <5881 5531 5266 4983 4845 4800>, + <5875 5525 5265 4981 4843 4800>, + <5865 5518 5263 4979 4842 4799>, + <5862 5516 5262 4977 4840 4798>, + <5860 5520 5257 4975 4839 4797>, + <5859 5523 5253 4973 4838 4796>, + <5863 5523 5256 4971 4837 4795>, + <5869 5521 5260 4968 4837 4794>, + <5873 5534 5260 4967 4836 4794>, + <5876 5639 5252 4966 4835 4793>, + <5880 5727 5245 4965 4835 4793>, + <5970 5681 5244 4965 4835 4794>, + <6154 5575 5244 4965 4835 4794>, + <6198 5540 5244 4965 4835 4795>, + <6027 5536 5246 4965 4836 4795>, + <5869 5534 5248 4966 4836 4795>, + <5863 5535 5249 4968 4837 4796>, + <5865 5539 5251 4970 4838 4798>, + <5867 5540 5253 4972 4839 4799>, + <5868 5537 5255 4974 4841 4800>, + <5867 5534 5256 4976 4842 4800>, + <5862 5534 5256 4977 4843 4801>, + <5850 5534 5255 4979 4844 4803>, + <5845 5533 5254 4981 4846 4804>, + <5846 5536 5257 4983 4848 4806>, + <5848 5538 5260 4985 4850 4808>, + <5849 5536 5261 4988 4852 4809>, + <5848 5531 5262 4991 4854 4811>, + <5849 5529 5264 4994 4856 4813>, + <5851 5527 5266 4996 4858 4814>, + <5853 5526 5268 4998 4860 4816>, + <5851 5524 5268 4999 4862 4817>, + <5840 5520 5268 5001 4863 4819>, + <5831 5518 5269 5003 4864 4820>, + <5824 5519 5270 5006 4865 4821>, + <5817 5520 5273 5009 4866 4822>, + <5814 5517 5278 5010 4868 4824>, + <5816 5505 5285 5012 4869 4825>, + <5811 5504 5288 5017 4873 4829>, + <5805 5508 5293 5023 4876 4830>, + <5842 5520 5295 5026 4877 4830>, + <5867 5538 5303 5029 4877 4831>, + <5871 5541 5302 5029 4877 4831>, + <5853 5544 5308 5029 4876 4832>, + <5852 5542 5306 5028 4878 4833>, + <5853 5536 5315 5032 4883 4835>, + <5868 5537 5312 5043 4884 4837>, + <5902 5540 5316 5045 4888 4842>, + <5928 5557 5320 5060 4896 4849>, + <5928 5557 5320 5060 4896 4849>, + <5928 5557 5320 5060 4896 4849>; }; qcom,pc-temp-y2-lut { @@ -709,62 +709,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <10597 10766 11398 11596 11200 11128>, - <10630 10803 11387 11536 11142 11076>, - <10709 10871 11372 11472 11082 11014>, - <10803 10947 11354 11411 11024 10951>, - <10883 11010 11334 11358 10973 10897>, - <10919 11037 11311 11321 10933 10860>, - <10919 11035 11280 11296 10899 10838>, - <10919 11030 11250 11277 10872 10820>, - <10919 11031 11241 11258 10859 10802>, - <10921 11044 11237 11237 10852 10777>, - <10925 11057 11236 11226 10847 10760>, - <10957 11056 11250 11233 10843 10756>, - <11022 11048 11282 11249 10838 10755>, - <11076 11062 11315 11266 10852 10756>, - <11140 11154 11351 11291 10929 10758>, - <11187 11244 11394 11325 10989 10760>, - <11200 11291 11463 11378 11001 10762>, - <11209 11345 11537 11452 11010 10765>, - <11221 11362 11565 11545 11063 10804>, - <11246 11371 11576 11682 11262 10990>, - <11274 11382 11581 11757 11389 11112>, - <11295 11394 11586 11702 11342 11102>, - <11313 11411 11598 11615 11262 11086>, - <11317 11427 11610 11603 11237 11083>, - <11287 11451 11634 11639 11235 11086>, - <11238 11470 11657 11679 11248 11090>, - <11075 11448 11672 11709 11310 11113>, - <10719 11382 11687 11739 11397 11159>, - <10527 11345 11710 11771 11426 11221>, - <10189 11352 11752 11808 11422 11330>, - <9834 11357 11779 11840 11431 11423>, - <9767 11313 11757 11864 11522 11480>, - <9741 11200 11712 11882 11641 11524>, - <9721 11056 11692 11890 11671 11546>, - <9703 10726 11686 11894 11675 11576>, - <9690 10374 11678 11891 11673 11580>, - <9683 10177 11641 11844 11569 11503>, - <9679 9874 11565 11766 11411 11383>, - <9675 9716 11486 11728 11385 11311>, - <9672 9693 11401 11709 11413 11262>, - <9670 9680 11303 11690 11431 11227>, - <9668 9673 11180 11664 11403 11208>, - <9667 9669 11041 11627 11342 11185>, - <9666 9666 10901 11523 11174 11068>, - <9664 9664 10767 11404 11005 10901>, - <9663 9663 10778 11336 10983 10832>, - <9662 9663 10771 11319 11048 10840>, - <9662 9662 10738 11314 11086 10887>, - <9661 9661 10723 11320 11144 10873>, - <9659 9660 10708 11349 11003 10834>, - <9658 9659 10638 11299 10876 10763>, - <9656 9658 10491 11190 10825 10710>, - <9653 9657 9948 11078 10781 10622>, - <9650 9655 9722 10982 10651 10446>, - <9650 9655 9722 10982 10651 10446>, - <9650 9655 9722 10982 10651 10446>; + qcom,lut-data = <10683 10820 11351 11507 11147 11061>, + <10709 10856 11341 11454 11098 11021>, + <10767 10914 11326 11395 11042 10983>, + <10835 10976 11308 11337 10988 10947>, + <10893 11027 11288 11287 10942 10914>, + <10919 11049 11269 11253 10912 10883>, + <10919 11045 11245 11232 10898 10855>, + <10918 11038 11221 11215 10888 10830>, + <10920 11037 11208 11197 10869 10810>, + <10936 11042 11198 11176 10835 10795>, + <10949 11045 11194 11163 10815 10783>, + <10940 11030 11202 11160 10818 10773>, + <10922 11000 11223 11160 10826 10763>, + <10937 11012 11245 11167 10845 10761>, + <11110 11186 11270 11194 10909 10761>, + <11257 11332 11302 11230 10952 10760>, + <11219 11319 11373 11268 10946 10761>, + <11130 11283 11465 11317 10936 10763>, + <11106 11274 11489 11393 10957 10780>, + <11159 11301 11484 11524 11107 10865>, + <11219 11333 11478 11599 11214 10959>, + <11248 11353 11483 11561 11196 11027>, + <11270 11371 11495 11501 11163 11085>, + <11276 11380 11506 11490 11156 11108>, + <11268 11383 11518 11503 11162 11107>, + <11260 11382 11532 11522 11173 11105>, + <11261 11360 11551 11548 11198 11115>, + <11263 11314 11576 11580 11237 11129>, + <11262 11297 11593 11607 11274 11150>, + <11250 11343 11607 11630 11310 11188>, + <11224 11393 11614 11654 11354 11227>, + <11072 11372 11611 11687 11439 11262>, + <10658 11282 11598 11718 11540 11295>, + <10378 11192 11585 11723 11570 11306>, + <10071 11124 11573 11719 11538 11308>, + <9772 11044 11558 11712 11503 11307>, + <9715 10862 11530 11670 11471 11294>, + <9697 10504 11483 11604 11415 11264>, + <9687 10267 11429 11577 11357 11235>, + <9680 10008 11363 11566 11284 11195>, + <9675 9738 11283 11553 11233 11160>, + <9672 9687 11186 11529 11241 11149>, + <9669 9676 11067 11492 11255 11139>, + <9667 9670 10938 11437 11181 11053>, + <9665 9666 10819 11324 11033 10905>, + <9664 9664 10743 11268 10931 10829>, + <9663 9664 10765 11258 10966 10822>, + <9662 9662 10733 11266 11022 10831>, + <9660 9661 10710 11275 11019 10849>, + <9659 9660 10685 11254 10967 10821>, + <9657 9659 10592 11201 10882 10767>, + <9654 9657 10447 11106 10803 10700>, + <9650 9656 9941 10985 10705 10601>, + <9648 9653 9703 10883 10566 10418>, + <9648 9653 9703 10883 10566 10418>, + <9648 9653 9703 10883 10566 10418>; }; qcom,pc-temp-y3-lut { @@ -779,62 +779,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <13439 13416 13326 13287 13280 13279>, - <13446 13419 13330 13289 13281 13279>, - <13458 13422 13334 13291 13281 13280>, - <13473 13425 13337 13292 13282 13280>, - <13485 13427 13340 13294 13282 13281>, - <13491 13429 13343 13295 13283 13282>, - <13492 13430 13344 13295 13284 13283>, - <13493 13431 13345 13296 13285 13284>, - <13492 13432 13347 13297 13287 13285>, - <13487 13432 13349 13298 13288 13285>, - <13483 13432 13350 13298 13288 13285>, - <13495 13439 13350 13298 13289 13286>, - <13517 13451 13349 13298 13289 13287>, - <13519 13450 13348 13299 13290 13288>, - <13474 13410 13346 13303 13294 13289>, - <13437 13377 13343 13305 13297 13290>, - <13440 13385 13339 13304 13296 13291>, - <13448 13405 13335 13303 13294 13292>, - <13450 13411 13333 13304 13294 13293>, - <13439 13398 13332 13306 13298 13295>, - <13425 13383 13331 13308 13300 13296>, - <13415 13375 13328 13304 13295 13291>, - <13407 13369 13323 13296 13286 13284>, - <13399 13362 13321 13292 13282 13282>, - <13392 13356 13319 13289 13281 13281>, - <13385 13350 13318 13288 13280 13281>, - <13369 13346 13317 13289 13281 13280>, - <13344 13343 13317 13290 13281 13280>, - <13335 13339 13316 13290 13281 13281>, - <13343 13328 13314 13289 13280 13282>, - <13355 13320 13313 13289 13279 13282>, - <13369 13321 13313 13289 13280 13282>, - <13386 13331 13312 13289 13281 13281>, - <13406 13340 13312 13289 13281 13282>, - <13428 13348 13312 13290 13282 13282>, - <13454 13357 13312 13290 13282 13283>, - <13485 13372 13313 13290 13281 13282>, - <13522 13395 13317 13289 13280 13280>, - <13560 13422 13320 13289 13280 13280>, - <13599 13454 13322 13289 13282 13281>, - <13638 13493 13324 13289 13284 13282>, - <13680 13537 13326 13289 13284 13282>, - <13724 13588 13328 13289 13284 13282>, - <13779 13649 13333 13289 13282 13279>, - <13848 13724 13340 13292 13283 13280>, - <13923 13794 13345 13297 13291 13288>, - <13898 13747 13349 13302 13294 13290>, - <13964 13799 13359 13306 13296 13291>, - <14050 13848 13371 13309 13296 13290>, - <14155 13908 13378 13308 13289 13285>, - <14305 13965 13380 13301 13288 13285>, - <14563 14041 13388 13305 13290 13288>, - <15250 14208 13413 13308 13297 13294>, - <17272 14524 13522 13319 13305 13303>, - <17272 14524 13522 13319 13305 13303>, - <17272 14524 13522 13319 13305 13303>; + qcom,lut-data = <13415 13396 13327 13288 13277 13277>, + <13423 13398 13329 13289 13278 13278>, + <13433 13400 13330 13290 13280 13279>, + <13444 13402 13332 13291 13282 13280>, + <13453 13404 13333 13292 13283 13281>, + <13457 13405 13335 13293 13284 13282>, + <13456 13405 13335 13294 13284 13282>, + <13454 13406 13336 13294 13285 13283>, + <13453 13406 13337 13295 13285 13283>, + <13453 13406 13339 13296 13286 13284>, + <13452 13407 13340 13297 13287 13284>, + <13460 13408 13340 13297 13287 13285>, + <13476 13410 13340 13297 13288 13286>, + <13477 13407 13339 13298 13289 13286>, + <13445 13390 13337 13301 13292 13286>, + <13418 13377 13333 13303 13294 13286>, + <13419 13380 13332 13303 13293 13288>, + <13422 13387 13331 13303 13292 13290>, + <13422 13389 13330 13303 13292 13291>, + <13413 13379 13328 13303 13294 13291>, + <13403 13367 13326 13304 13295 13291>, + <13397 13360 13323 13300 13292 13288>, + <13393 13356 13319 13294 13285 13282>, + <13388 13351 13316 13291 13282 13280>, + <13384 13347 13314 13289 13281 13279>, + <13378 13344 13313 13288 13280 13279>, + <13367 13341 13313 13288 13280 13279>, + <13348 13338 13312 13287 13279 13280>, + <13338 13334 13312 13287 13279 13280>, + <13335 13326 13311 13288 13280 13279>, + <13334 13318 13310 13288 13280 13278>, + <13336 13318 13309 13288 13280 13278>, + <13341 13323 13309 13287 13281 13278>, + <13348 13328 13308 13287 13281 13279>, + <13363 13336 13307 13287 13281 13280>, + <13383 13344 13307 13288 13281 13281>, + <13403 13352 13308 13287 13281 13280>, + <13425 13359 13311 13286 13280 13279>, + <13448 13369 13313 13286 13280 13278>, + <13475 13387 13316 13287 13281 13280>, + <13505 13412 13318 13287 13282 13281>, + <13540 13441 13320 13288 13283 13281>, + <13583 13479 13322 13289 13284 13281>, + <13638 13533 13324 13289 13282 13279>, + <13709 13611 13329 13291 13282 13279>, + <13788 13703 13338 13294 13288 13286>, + <13772 13679 13338 13299 13291 13287>, + <13844 13743 13347 13302 13293 13288>, + <13944 13800 13358 13305 13292 13286>, + <14073 13873 13365 13303 13288 13283>, + <14280 13953 13369 13301 13286 13284>, + <14740 14091 13378 13303 13288 13287>, + <16468 14342 13411 13309 13294 13292>, + <20884 14990 13540 13319 13301 13299>, + <20884 14990 13540 13319 13301 13299>, + <20884 14990 13540 13319 13301 13299>; }; qcom,pc-temp-y4-lut { @@ -849,62 +849,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <16736 16675 16565 16490 16464 16461>, - <16778 16733 16596 16491 16465 16463>, - <16855 16825 16632 16492 16468 16465>, - <16942 16923 16665 16494 16470 16466>, - <17015 17003 16689 16496 16472 16467>, - <17051 17038 16699 16498 16473 16468>, - <17056 17034 16695 16501 16474 16467>, - <17058 17024 16686 16504 16475 16467>, - <17061 17013 16680 16507 16476 16467>, - <17065 16999 16676 16511 16478 16470>, - <17068 16989 16674 16516 16481 16472>, - <17052 16983 16678 16523 16485 16474>, - <17023 16979 16687 16531 16490 16476>, - <17027 16991 16698 16537 16493 16479>, - <17139 17097 16716 16542 16494 16483>, - <17232 17185 16739 16548 16495 16487>, - <17145 17164 16779 16564 16504 16492>, - <16946 17099 16822 16586 16519 16498>, - <16864 17030 16823 16604 16535 16510>, - <16848 16946 16768 16624 16557 16530>, - <16834 16866 16706 16633 16568 16542>, - <16811 16812 16657 16592 16542 16522>, - <16778 16769 16615 16525 16499 16488>, - <16744 16735 16594 16505 16483 16475>, - <16699 16710 16582 16498 16478 16470>, - <16668 16685 16576 16496 16476 16467>, - <16678 16643 16574 16498 16478 16469>, - <16712 16589 16573 16504 16482 16472>, - <16736 16570 16573 16509 16488 16476>, - <16750 16581 16575 16516 16498 16482>, - <16763 16598 16576 16523 16509 16488>, - <16774 16611 16571 16530 16518 16498>, - <16784 16623 16560 16537 16526 16509>, - <16795 16641 16553 16541 16526 16511>, - <16808 16677 16546 16545 16523 16508>, - <16819 16717 16542 16547 16518 16504>, - <16824 16743 16549 16531 16506 16495>, - <16827 16771 16565 16504 16490 16484>, - <16828 16783 16579 16495 16483 16482>, - <16824 16784 16589 16492 16479 16484>, - <16819 16783 16599 16491 16477 16485>, - <16819 16778 16610 16495 16476 16483>, - <16823 16763 16620 16499 16476 16479>, - <16832 16764 16625 16491 16462 16458>, - <16857 16779 16636 16491 16462 16457>, - <16886 16822 16626 16498 16486 16500>, - <16851 16807 16636 16511 16516 16535>, - <16868 16847 16669 16536 16549 16565>, - <16885 16901 16707 16568 16566 16569>, - <16896 16932 16730 16553 16495 16483>, - <16896 16960 16715 16498 16475 16475>, - <16887 16959 16712 16502 16479 16475>, - <16948 16952 16773 16513 16479 16475>, - <17582 16950 16862 16542 16507 16521>, - <17582 16950 16862 16542 16507 16521>, - <17582 16950 16862 16542 16507 16521>; + qcom,lut-data = <16708 16647 16550 16482 16463 16459>, + <16738 16704 16581 16483 16463 16459>, + <16802 16782 16611 16484 16463 16460>, + <16877 16861 16636 16485 16462 16460>, + <16939 16923 16653 16486 16462 16461>, + <16967 16950 16660 16487 16462 16461>, + <16966 16944 16654 16488 16463 16461>, + <16965 16931 16644 16489 16465 16461>, + <16962 16920 16638 16490 16466 16462>, + <16960 16908 16635 16492 16468 16462>, + <16957 16900 16633 16495 16470 16463>, + <16955 16901 16635 16501 16473 16465>, + <16952 16904 16642 16508 16477 16467>, + <16959 16915 16651 16514 16479 16469>, + <17015 16979 16668 16518 16481 16474>, + <17063 17031 16691 16525 16483 16478>, + <17031 17021 16723 16539 16490 16483>, + <16947 16990 16758 16558 16503 16487>, + <16879 16950 16763 16579 16519 16497>, + <16824 16873 16721 16605 16545 16520>, + <16779 16794 16667 16618 16560 16535>, + <16753 16750 16625 16580 16537 16519>, + <16734 16716 16585 16515 16494 16485>, + <16713 16690 16565 16492 16476 16471>, + <16686 16669 16555 16484 16469 16465>, + <16663 16649 16548 16480 16466 16462>, + <16649 16622 16546 16482 16467 16462>, + <16637 16590 16544 16487 16472 16464>, + <16634 16570 16544 16492 16476 16466>, + <16640 16558 16545 16497 16483 16472>, + <16650 16550 16546 16503 16490 16480>, + <16661 16552 16542 16509 16499 16489>, + <16681 16564 16532 16516 16509 16499>, + <16697 16578 16525 16520 16511 16502>, + <16713 16593 16521 16523 16509 16500>, + <16728 16611 16518 16525 16505 16497>, + <16737 16635 16522 16511 16494 16489>, + <16745 16667 16536 16488 16479 16478>, + <16748 16687 16548 16481 16474 16476>, + <16748 16700 16557 16480 16473 16479>, + <16748 16710 16565 16480 16473 16482>, + <16749 16708 16572 16483 16472 16480>, + <16753 16700 16580 16486 16472 16476>, + <16761 16703 16586 16478 16457 16456>, + <16781 16725 16594 16480 16452 16449>, + <16806 16770 16607 16489 16481 16494>, + <16785 16764 16602 16506 16509 16526>, + <16806 16811 16635 16532 16542 16559>, + <16824 16859 16680 16562 16555 16555>, + <16834 16906 16709 16536 16491 16492>, + <16828 16926 16707 16496 16472 16471>, + <16817 16927 16703 16502 16473 16470>, + <17054 16924 16757 16519 16476 16471>, + <18206 16987 16856 16560 16509 16513>, + <18206 16987 16856 16560 16509 16513>, + <18206 16987 16856 16560 16509 16513>; }; qcom,pc-temp-y5-lut { @@ -919,62 +919,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <12502 15656 18668 18954 18632 19508>, - <13631 16121 18502 18462 18254 19032>, - <14991 16578 18303 17976 17670 18585>, - <16356 17005 18096 17495 17032 18200>, - <17504 17377 17908 17020 16489 17911>, - <18207 17670 17764 16551 16194 17752>, - <18547 17919 17661 16063 16094 17758>, - <18765 18111 17559 15597 16008 17811>, - <18752 18125 17423 15241 15891 17631>, - <18390 17959 17215 14955 15709 16880>, - <18111 17831 16985 14673 15483 16241>, - <19283 18413 16586 14288 15118 15985>, - <21540 19536 16034 13942 14749 15804>, - <21946 19592 15608 13932 14809 15694>, - <20039 17364 15203 14194 15477 15759>, - <18440 15491 14999 14365 15913 15835>, - <19712 17553 15277 14164 15317 15660>, - <22546 22098 15984 13848 14383 15419>, - <23437 23491 17055 14204 14428 15561>, - <22716 22807 19180 16540 15733 16095>, - <21993 22180 20753 18489 16959 16753>, - <21845 22271 21153 19194 17668 17668>, - <21628 22581 21397 19638 18191 18574>, - <21358 22773 21527 19498 18114 18691>, - <20904 22886 21622 18386 17213 18376>, - <20211 22970 21704 17648 16449 17948>, - <18121 22813 21778 17989 16268 17191>, - <14128 22145 21846 18526 16252 16350>, - <12546 21161 21920 18543 16131 16216>, - <12537 17691 22017 18056 15502 16352>, - <12571 14339 22145 17734 15093 16461>, - <12668 14259 22745 17876 15461 16449>, - <12877 14920 23708 18230 16229 16469>, - <13072 15387 23773 18827 16964 16928>, - <13212 15397 22387 20119 17767 18559>, - <13359 15269 21056 21138 18498 19638>, - <13616 15102 20628 21582 19042 19597>, - <14005 14585 20318 21869 19538 19480>, - <14174 14305 19796 21649 20172 19692>, - <13942 14291 18785 20119 20992 20937>, - <13573 14279 17742 18727 21671 22391>, - <13309 14210 16866 18099 22207 23927>, - <13091 14060 16260 17700 22500 24925>, - <13065 14011 16226 17497 19716 19136>, - <13078 13961 16075 17255 16976 16903>, - <13094 13588 16658 17197 17836 16776>, - <13296 13796 16791 18041 17796 16271>, - <13442 14017 17249 18525 17289 15973>, - <13712 14337 18424 18759 17436 15758>, - <13869 15426 19566 19371 17037 16788>, - <14001 16296 19205 19446 16958 16357>, - <13804 15589 17860 19866 16511 16385>, - <12888 14114 14461 19649 19958 18394>, - <10792 13215 13585 22446 24524 26331>, - <10792 13215 13585 22446 24524 26331>, - <10792 13215 13585 22446 24524 26331>; + qcom,lut-data = <13821 15640 19630 19951 16167 19599>, + <14393 16036 19292 19545 17446 19635>, + <15310 16431 18894 19048 18223 19652>, + <16314 16801 18497 18513 18624 19653>, + <17145 17121 18164 17995 18773 19639>, + <17544 17365 17958 17545 18793 19612>, + <17570 17562 17872 17109 18228 19438>, + <17548 17710 17814 16686 17233 19088>, + <17513 17732 17730 16397 16788 18705>, + <17437 17675 17612 16183 16604 18208>, + <17383 17605 17442 15937 16417 17777>, + <18484 17721 17099 15485 16066 17417>, + <20615 17964 16587 15027 15713 17012>, + <20941 17780 16095 14988 15757 16614>, + <18550 16588 15515 15223 16427 16005>, + <16533 15638 15169 15377 16898 15638>, + <18247 17563 15518 15125 16268 15808>, + <22070 21736 16495 14728 15198 16120>, + <23191 22998 17735 14972 15031 16205>, + <21959 22303 19834 16858 15601 16170>, + <20823 21669 21417 18737 16413 16150>, + <21037 21808 21717 19975 17678 16855>, + <21710 22269 21872 20904 19085 18187>, + <22045 22637 21927 20928 19321 18741>, + <22167 22869 21903 20170 18788 18927>, + <22234 23101 21917 19427 18115 18913>, + <20728 23475 22156 18958 17320 18559>, + <16512 23939 22576 18604 16479 17933>, + <14337 23913 22871 18632 16281 17247>, + <13801 19984 23106 19112 16317 16293>, + <13500 15766 23372 19432 16391 15690>, + <13419 15487 23962 19351 16607 15765>, + <13312 15799 24849 19222 17051 16037>, + <13286 16220 25015 19481 17656 16600>, + <13414 17450 23477 21046 18731 18517>, + <13583 18744 21896 22087 19805 20160>, + <13722 18684 21589 22023 20679 20453>, + <13923 17576 21461 21855 21479 20600>, + <14012 16980 21240 21560 21839 20942>, + <13901 16137 20624 20877 21959 21997>, + <13695 15033 19824 20257 22125 23334>, + <13451 14751 18995 19902 23343 24876>, + <13156 14500 18128 19648 24757 26156>, + <13134 14222 17610 19418 22056 21835>, + <13211 13958 17383 18731 18454 17875>, + <13258 13880 17394 18195 17877 16921>, + <13327 14002 17498 18625 17679 16301>, + <13461 14493 17938 18927 17332 15951>, + <13926 15135 18830 19028 16902 15355>, + <14277 16366 19500 19642 17574 16232>, + <14178 16736 19282 21190 17281 16622>, + <13647 15905 18071 20937 16977 16687>, + <11789 14189 15316 21396 19300 19378>, + <10005 12727 13780 22830 25054 25011>, + <10005 12727 13780 22830 25054 25011>, + <10005 12727 13780 22830 25054 25011>; }; qcom,pc-temp-y6-lut { @@ -989,62 +989,62 @@ qcom,04890898_xiaomi_K6_SWBN53_5020mah_FG { <1600 1400 1200 1000 900 800>, <700 600 500 400 300 200>, <100 0>; - qcom,lut-data = <5609 5384 5142 5017 4986 4979>, - <5621 5404 5153 5018 4987 4980>, - <5636 5424 5163 5019 4988 4982>, - <5651 5442 5171 5021 4989 4983>, - <5662 5454 5176 5022 4990 4984>, - <5667 5459 5178 5023 4992 4985>, - <5666 5456 5176 5024 4993 4986>, - <5663 5450 5172 5025 4994 4986>, - <5660 5443 5169 5026 4995 4987>, - <5655 5436 5167 5028 4996 4988>, - <5652 5432 5166 5029 4997 4989>, - <5654 5433 5167 5031 4999 4990>, - <5657 5436 5167 5033 5000 4991>, - <5661 5439 5168 5036 5002 4993>, - <5667 5442 5171 5039 5004 4994>, - <5671 5444 5174 5043 5007 4996>, - <5653 5443 5182 5047 5010 4998>, - <5610 5439 5191 5052 5012 5001>, - <5589 5431 5191 5057 5017 5005>, - <5581 5400 5175 5064 5025 5012>, - <5574 5367 5156 5068 5030 5016>, - <5566 5348 5140 5053 5018 5006>, - <5557 5333 5125 5029 4999 4991>, - <5549 5322 5118 5020 4992 4985>, - <5540 5315 5114 5017 4990 4983>, - <5534 5308 5112 5016 4989 4982>, - <5533 5298 5112 5017 4989 4983>, - <5536 5288 5112 5019 4991 4984>, - <5540 5284 5113 5021 4993 4985>, - <5556 5289 5114 5023 4995 4987>, - <5581 5298 5114 5025 4998 4990>, - <5605 5312 5113 5027 5001 4993>, - <5632 5339 5112 5029 5004 4996>, - <5663 5370 5111 5031 5005 4996>, - <5697 5406 5111 5033 5004 4996>, - <5735 5447 5111 5034 5003 4995>, - <5774 5492 5116 5029 4999 4992>, - <5817 5541 5127 5022 4993 4988>, - <5858 5591 5137 5019 4993 4987>, - <5895 5641 5148 5019 4993 4989>, - <5932 5692 5160 5019 4993 4990>, - <5973 5743 5175 5020 4994 4990>, - <6016 5796 5194 5022 4994 4988>, - <6070 5859 5217 5021 4989 4981>, - <6140 5937 5247 5024 4990 4982>, - <6220 6020 5246 5030 5003 5000>, - <6210 5983 5253 5038 5014 5012>, - <6272 6041 5279 5048 5024 5021>, - <6351 6102 5307 5059 5030 5021>, - <6449 6162 5325 5054 5004 4994>, - <6582 6224 5334 5034 4998 4992>, - <6805 6294 5371 5039 5002 4995>, - <7419 6435 5466 5047 5008 5000>, - <9235 6696 5634 5065 5023 5022>, - <9235 6696 5634 5065 5023 5022>, - <9235 6696 5634 5065 5023 5022>; + qcom,lut-data = <5532 5340 5131 5013 4982 4976>, + <5551 5362 5144 5014 4983 4977>, + <5567 5379 5152 5014 4984 4979>, + <5580 5391 5156 5015 4985 4980>, + <5588 5399 5158 5015 4986 4980>, + <5591 5401 5158 5016 4987 4981>, + <5587 5398 5155 5016 4988 4982>, + <5581 5390 5150 5017 4988 4982>, + <5575 5383 5147 5017 4989 4983>, + <5570 5376 5145 5018 4990 4983>, + <5568 5372 5144 5019 4991 4984>, + <5571 5370 5144 5021 4992 4985>, + <5577 5369 5144 5023 4993 4986>, + <5578 5370 5144 5025 4995 4987>, + <5575 5375 5146 5028 4997 4988>, + <5569 5380 5150 5031 4999 4989>, + <5560 5379 5157 5035 5002 4991>, + <5545 5376 5166 5040 5004 4994>, + <5530 5369 5167 5046 5008 4998>, + <5513 5342 5153 5053 5017 5004>, + <5498 5311 5137 5057 5022 5009>, + <5491 5296 5122 5044 5012 5001>, + <5486 5284 5108 5021 4996 4987>, + <5481 5277 5101 5013 4988 4981>, + <5477 5272 5097 5009 4985 4979>, + <5473 5267 5095 5008 4984 4978>, + <5467 5261 5095 5008 4984 4978>, + <5461 5255 5096 5010 4985 4979>, + <5460 5251 5096 5011 4986 4980>, + <5469 5250 5097 5013 4988 4981>, + <5484 5250 5098 5016 4991 4983>, + <5500 5256 5098 5018 4994 4986>, + <5521 5275 5096 5019 4997 4989>, + <5544 5297 5095 5021 4998 4990>, + <5571 5324 5095 5023 4998 4990>, + <5601 5356 5096 5024 4997 4990>, + <5633 5391 5100 5019 4994 4988>, + <5669 5430 5109 5013 4989 4984>, + <5706 5470 5119 5011 4988 4983>, + <5743 5513 5128 5012 4988 4985>, + <5781 5558 5139 5013 4989 4987>, + <5822 5607 5152 5015 4990 4987>, + <5867 5661 5169 5017 4991 4986>, + <5923 5729 5188 5016 4986 4979>, + <5996 5816 5215 5019 4985 4978>, + <6082 5920 5239 5025 4998 4996>, + <6079 5904 5231 5033 5008 5006>, + <6149 5976 5259 5043 5019 5017>, + <6240 6042 5289 5053 5022 5014>, + <6360 6121 5313 5044 5001 4994>, + <6544 6202 5329 5033 4995 4989>, + <6950 6325 5369 5038 4997 4991>, + <8464 6544 5473 5050 5003 4996>, + <12069 7113 5666 5073 5019 5016>, + <12069 7113 5666 5073 5019 5016>, + <12069 7113 5666 5073 5019 5016>; }; }; From d38b21ab6cb04110a5617e8f303d52f3392919e5 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Fri, 12 Jul 2024 01:13:33 +0530 Subject: [PATCH 177/182] power: supply: qcom: Add K6 sunwoda batterydata profile * imported from sweet-ka6a-r-oss Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/qpnp-qg.c | 6 ++++++ drivers/power/supply/qcom/step-chg-jeita.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/drivers/power/supply/qcom/qpnp-qg.c b/drivers/power/supply/qcom/qpnp-qg.c index c50e06ae0ad4..5652fc1e2726 100644 --- a/drivers/power/supply/qcom/qpnp-qg.c +++ b/drivers/power/supply/qcom/qpnp-qg.c @@ -3623,6 +3623,12 @@ static int qg_load_battery_profile(struct qpnp_qg *chip) } #endif +#ifdef CONFIG_K6_CHARGE + pr_err("is_batt_vendor_swd is %d\n", is_batt_vendor_swd); + profile_node = of_batterydata_get_best_profile(chip->batt_node, + chip->batt_id_ohm / 1000, "K6_sunwoda_5020mah"); +#endif + rc = of_property_read_string(profile_node, "qcom,battery-type", &chip->bp.batt_type_str); if (rc < 0) { diff --git a/drivers/power/supply/qcom/step-chg-jeita.c b/drivers/power/supply/qcom/step-chg-jeita.c index ec9f508b66e0..b8034784e908 100644 --- a/drivers/power/supply/qcom/step-chg-jeita.c +++ b/drivers/power/supply/qcom/step-chg-jeita.c @@ -294,8 +294,14 @@ static int get_step_chg_jeita_setting_from_profile(struct step_chg_info *chip) if (batt_id_ohms < 0) return -EBUSY; +#ifdef CONFIG_K6_CHARGE + profile_node = of_batterydata_get_best_profile(batt_node, + batt_id_ohms / 1000, "K6_sunwoda_5020mah"); +#else profile_node = of_batterydata_get_best_profile(batt_node, batt_id_ohms / 1000, NULL); +#endif + if (IS_ERR(profile_node)) return PTR_ERR(profile_node); From 17def3587c68e5fcf52ae5e48b45762d2e68c3f2 Mon Sep 17 00:00:00 2001 From: basamaryan Date: Tue, 16 Jul 2024 05:01:07 +0530 Subject: [PATCH 178/182] power: supply: ti: Get proper battery capacity from battery power supply * imported from nabu-r-oss Co-authored-by: Shashank Patil <9945shashank@gmail.com> Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/ti/pd_policy_manager.c | 31 +++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/drivers/power/supply/ti/pd_policy_manager.c b/drivers/power/supply/ti/pd_policy_manager.c index bfcb4fad3238..f9d65e4e6993 100644 --- a/drivers/power/supply/ti/pd_policy_manager.c +++ b/drivers/power/supply/ti/pd_policy_manager.c @@ -143,6 +143,30 @@ static int pd_get_batt_current_thermal_level(struct usbpd_pm *pdpm, int *level) return rc; } +/* get capacity from battery power supply property */ +static int pd_get_batt_capacity(struct usbpd_pm *pdpm, int *capacity) +{ + union power_supply_propval pval = {0,}; + int rc = 0; + + usbpd_check_batt_psy(pdpm); + + if (!pdpm->sw_psy) + return -ENODEV; + + rc = power_supply_get_property(pdpm->sw_psy, + POWER_SUPPLY_PROP_CAPACITY, &pval); + if (rc < 0) { + pr_info("Couldn't get battery capacity:%d\n", rc); + return rc; + } + + pr_info("battery capacity is : %d\n", pval.intval); + + *capacity = pval.intval; + return rc; +} + /* determine whether to disable cp according to jeita status */ static bool pd_disable_cp_by_jeita_status(struct usbpd_pm *pdpm) { @@ -1138,6 +1162,7 @@ static int usbpd_pm_sm(struct usbpd_pm *pdpm) static bool recover; int effective_fcc_val = 0; int thermal_level = 0; + int capacity = 0; static int curr_fcc_lmt, curr_ibus_lmt, retry_count; static int request_fail_count = 0; @@ -1152,6 +1177,8 @@ static int usbpd_pm_sm(struct usbpd_pm *pdpm) pdpm->is_temp_out_fc2_range = pd_disable_cp_by_jeita_status(pdpm); pr_info("is_temp_out_fc2_range:%d\n", pdpm->is_temp_out_fc2_range); + pd_get_batt_capacity(pdpm, &capacity); + effective_fcc_val = usbpd_get_effective_fcc_val(pdpm); if (effective_fcc_val > 0) { @@ -1165,8 +1192,8 @@ static int usbpd_pm_sm(struct usbpd_pm *pdpm) if (pdpm->cp.vbat_volt < pm_config.min_vbat_for_cp) { pr_info("batt_volt %d, waiting...\n", pdpm->cp.vbat_volt); - } else if (pdpm->cp.vbat_volt > pm_config.bat_volt_lp_lmt - 50) { - pr_info("batt_volt %d is too high for cp, charging with switch charger\n", + } else if (pdpm->cp.vbat_volt > pm_config.bat_volt_lp_lmt - 50 || capacity > 95) { + pr_info("batt_volt %d or capacity is too high for cp, charging with switch charger\n", pdpm->cp.vbat_volt); usbpd_pm_move_state(pdpm, PD_PM_STATE_FC2_EXIT); if (pm_config.bat_volt_lp_lmt < BAT_VOLT_LOOP_LMT) From bee93bb3d75e595aa1ce2d727746967a28d54711 Mon Sep 17 00:00:00 2001 From: basamaryan Date: Fri, 19 Jul 2024 18:36:07 +0530 Subject: [PATCH 179/182] power: supply: ti: Increase usbpd taper & ibus timeout * Increase battery max charge volt. * This fixes Charging disconnect after Adding ln8000 charge pump driver. * imported from nabu-r-oss Co-authored-by: Shashank Patil <9945shashank@gmail.com> Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/ti/pd_policy_manager.c | 22 +++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/drivers/power/supply/ti/pd_policy_manager.c b/drivers/power/supply/ti/pd_policy_manager.c index f9d65e4e6993..c13e3cb32e9c 100644 --- a/drivers/power/supply/ti/pd_policy_manager.c +++ b/drivers/power/supply/ti/pd_policy_manager.c @@ -32,7 +32,7 @@ #define PD_SRC_PDO_TYPE_VARIABLE 2 #define PD_SRC_PDO_TYPE_AUGMENTED 3 -#define BATT_MAX_CHG_VOLT 4400 +#define BATT_MAX_CHG_VOLT 4450 #define BATT_FAST_CHG_CURR 6000 #define BUS_OVP_THRESHOLD 12000 #define BUS_OVP_ALARM_THRESHOLD 9500 @@ -44,7 +44,9 @@ #define BAT_CURR_LOOP_LMT BATT_FAST_CHG_CURR #define BUS_VOLT_LOOP_LMT BUS_OVP_THRESHOLD -#define PM_WORK_RUN_INTERVAL 100 +#define PM_WORK_RUN_NORMAL_INTERVAL 500 +#define PM_WORK_RUN_QUICK_INTERVAL 200 +#define PM_WORK_RUN_CRITICAL_INTERVAL 100 enum { PM_ALGO_RET_OK, @@ -933,8 +935,8 @@ static void usbpd_update_pps_status(struct usbpd_pm *pdpm) } } -#define TAPER_TIMEOUT (5000 / PM_WORK_RUN_INTERVAL) -#define IBUS_CHANGE_TIMEOUT (500 / PM_WORK_RUN_INTERVAL) +#define TAPER_TIMEOUT (25000 / PM_WORK_RUN_NORMAL_INTERVAL) +#define IBUS_CHANGE_TIMEOUT (2500 / PM_WORK_RUN_NORMAL_INTERVAL) static int usbpd_pm_fc2_charge_algo(struct usbpd_pm *pdpm) { int ret = 0; @@ -1441,6 +1443,8 @@ static void usbpd_pm_workfunc(struct work_struct *work) struct usbpd_pm *pdpm = container_of(work, struct usbpd_pm, pm_work.work); + int internal = PM_WORK_RUN_NORMAL_INTERVAL; + usbpd_pm_update_sw_status(pdpm); usbpd_pm_update_cp_status(pdpm); usbpd_pm_update_cp_sec_status(pdpm); @@ -1449,9 +1453,15 @@ static void usbpd_pm_workfunc(struct work_struct *work) pr_info("%s:pd_bat_volt_lp_lmt=%d, vbatt_now=%d\n", __func__, pm_config.bat_volt_lp_lmt, pdpm->cp.vbat_volt); - if (!usbpd_pm_sm(pdpm) && pdpm->pd_active) + if (!usbpd_pm_sm(pdpm) && pdpm->pd_active) { + if (pdpm->state == PD_PM_STATE_FC2_ENTRY_2) + internal = PM_WORK_RUN_QUICK_INTERVAL; + else + internal = PM_WORK_RUN_NORMAL_INTERVAL; + schedule_delayed_work(&pdpm->pm_work, - msecs_to_jiffies(PM_WORK_RUN_INTERVAL)); + msecs_to_jiffies(internal)); + } } static void usbpd_pm_disconnect(struct usbpd_pm *pdpm) From b0744b0e492e74d1ddfae18c0bfaf1e6feec6499 Mon Sep 17 00:00:00 2001 From: Pranav Vashi Date: Sun, 9 Apr 2023 20:13:41 +0530 Subject: [PATCH 180/182] power: supply: Use bq2597x & ln8000 charge pump only when they available * This fixes charging speed with all chargers. Signed-off-by: Pranav Vashi Co-authored-by: Shashank Patil <9945shashank@gmail.com> Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- drivers/power/supply/qcom/smb5-lib.c | 84 +++++++++++----------- drivers/power/supply/qcom/step-chg-jeita.c | 2 +- 2 files changed, 43 insertions(+), 43 deletions(-) diff --git a/drivers/power/supply/qcom/smb5-lib.c b/drivers/power/supply/qcom/smb5-lib.c index a94836d1a148..e2ebff4c8693 100644 --- a/drivers/power/supply/qcom/smb5-lib.c +++ b/drivers/power/supply/qcom/smb5-lib.c @@ -908,6 +908,20 @@ static int set_ln8000_fv(struct smb_charger *chg) return 0; } +static bool is_bq25970_available(struct smb_charger *chg) +{ + if (!chg->cp_psy) + chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); + + if (!chg->cp_psy) + chg->cp_psy = power_supply_get_by_name("ln8000"); + + if (!chg->cp_psy) + return false; + + return true; +} + int smblib_get_fastcharge_mode(struct smb_charger *chg) { union power_supply_propval pval = {0,}; @@ -954,7 +968,7 @@ int smblib_set_fastcharge_mode(struct smb_charger *chg, bool enable) return rc; } - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) #ifdef CONFIG_K6_CHARGE fastcharge_soc_thr = 85; #else @@ -2498,7 +2512,7 @@ int smblib_get_prop_batt_status(struct smb_charger *chg, u8 stat; int rc, suspend = 0; - if (chg->use_bq_pump && (get_client_vote_locked(chg->usb_icl_votable, + if ((chg->use_bq_pump && is_bq25970_available(chg)) && (get_client_vote_locked(chg->usb_icl_votable, MAIN_CHG_VOTER) == MAIN_CHARGER_STOP_ICL)) { val->intval = POWER_SUPPLY_STATUS_CHARGING; return 0; @@ -2695,20 +2709,6 @@ int smblib_get_prop_batt_charge_type(struct smb_charger *chg, return rc; } -static bool is_bq25970_available(struct smb_charger *chg) -{ - if (!chg->cp_psy) - chg->cp_psy = power_supply_get_by_name("bq2597x-standalone"); - - if (!chg->cp_psy) - chg->cp_psy = power_supply_get_by_name("ln8000"); - - if (!chg->cp_psy) - return false; - - return true; -} - int smblib_get_prop_batt_health(struct smb_charger *chg, union power_supply_propval *val) { @@ -2976,7 +2976,7 @@ int smblib_set_prop_input_suspend(struct smb_charger *chg, return rc; } - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) chg->bq_input_suspend = !!(val->intval); power_supply_changed(chg->batt_psy); @@ -3133,7 +3133,7 @@ static int smblib_therm_charging(struct smb_charger *chg) thermal_icl_ua = chg->thermal_mitigation_qc2[chg->system_temp_level]; break; case POWER_SUPPLY_TYPE_USB_HVDCP_3: - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { thermal_fcc_ua = chg->thermal_fcc_qc3_cp[chg->system_temp_level]; } else { @@ -3159,7 +3159,7 @@ static int smblib_therm_charging(struct smb_charger *chg) chg->thermal_fcc_qc3_cp[chg->system_temp_level]; break; case POWER_SUPPLY_TYPE_USB_PD: - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { if (chg->pps_thermal_level < 0) chg->pps_thermal_level = chg->system_temp_level; pr_err("chg->pps_thermal_level=%d,chg->system_temp_level=%d\n", chg->pps_thermal_level, chg->system_temp_level); @@ -3222,7 +3222,7 @@ static int smblib_therm_charging(struct smb_charger *chg) if (chg->real_charger_type == POWER_SUPPLY_TYPE_USB_HVDCP_3 || chg->real_charger_type == POWER_SUPPLY_TYPE_USB_HVDCP_3P5 - || ((chg->cp_reason == POWER_SUPPLY_CP_PPS || chg->use_bq_pump) + || ((chg->cp_reason == POWER_SUPPLY_CP_PPS || (chg->use_bq_pump && is_bq25970_available(chg))) && chg->real_charger_type == POWER_SUPPLY_TYPE_USB_PD)) { /* if use qc3 or pps charge with cp, also limit icl when high level */ if (chg->system_temp_level >= ICL_LIMIT_LEVEL_THR) @@ -3318,7 +3318,7 @@ int smblib_set_prop_system_temp_level(struct smb_charger *chg, chg->system_temp_level = val->intval; - if (!chg->use_bq_pump) { + if (!(chg->use_bq_pump && is_bq25970_available(chg))) { if (chg->system_temp_level >= (chg->thermal_levels - 1)) { if (!chg->cp_disable_votable) chg->cp_disable_votable = find_votable("CP_DISABLE"); @@ -3331,11 +3331,11 @@ int smblib_set_prop_system_temp_level(struct smb_charger *chg, vote(chg->chg_disable_votable, THERMAL_DAEMON_VOTER, false, 0); - if (!chg->use_bq_pump && chg->cp_disable_votable) + if (!(chg->use_bq_pump && is_bq25970_available(chg)) && chg->cp_disable_votable) vote(chg->cp_disable_votable, THERMAL_DAEMON_VOTER, false, 0); #ifdef CONFIG_THERMAL - if (chg->use_bq_pump + if ((chg->use_bq_pump && is_bq25970_available(chg)) && chg->real_charger_type == POWER_SUPPLY_TYPE_USB_PD) { if (chg->pps_fcc_therm_work_disabled) { chg->pps_thermal_level = chg->system_temp_level; @@ -3536,7 +3536,7 @@ int smblib_dp_dm(struct smb_charger *chg, int val) union power_supply_propval pval; u8 stat; - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { pr_info("dp_dm is controled by our self\n"); return rc; } @@ -3788,7 +3788,7 @@ int smblib_dp_dm_bq(struct smb_charger *chg, int val) * maxium icl to 1.9A, as VBUS will raise to about 9V to 9.8V, * so we set icl to 1.9A when vbus raise above 7.4V */ - if (chg->is_qc_class_a && chg->use_bq_pump) { + if (chg->is_qc_class_a && (chg->use_bq_pump && is_bq25970_available(chg))) { if (chg->pulse_cnt >= HIGH_NUM_PULSE_THR && !chg->high_vbus_detected) { vote(chg->usb_icl_votable, QC_A_CP_ICL_MAX_VOTER, true, @@ -3808,7 +3808,7 @@ int smblib_dp_dm_bq(struct smb_charger *chg, int val) * if use class_a qc, and slave ic is charge pump, should restore * icl to 2.4A when charge pump is not working for class_a qc */ - if (chg->is_qc_class_a && chg->use_bq_pump) { + if (chg->is_qc_class_a && (chg->use_bq_pump && is_bq25970_available(chg))) { if (chg->pulse_cnt < HIGH_NUM_PULSE_THR && chg->high_vbus_detected) { vote(chg->usb_icl_votable, QC_A_CP_ICL_MAX_VOTER, false, @@ -4144,7 +4144,7 @@ static void smblib_conn_therm_work(struct work_struct *work) smblib_set_vbus_disable(chg, true); } else { smblib_masked_write(chg, DCDC_CMD_OTG_REG, OTG_EN_BIT, 0); - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) chg->bq_input_suspend = true; } } else { @@ -4153,7 +4153,7 @@ static void smblib_conn_therm_work(struct work_struct *work) if (gpio_is_valid(chg->vbus_disable_gpio)) { smblib_set_vbus_disable(chg, false); } else { - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) chg->bq_input_suspend = false; } } @@ -4279,7 +4279,7 @@ static int smblib_process_thermal_readings(struct smb_charger *chg) */ if (chg->thermal_status == TEMP_SHUT_DOWN_SMB) goto exit; - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) chg->bq_input_suspend = !!suspend_input; /* Suspend input if SHDN threshold reached */ @@ -4573,7 +4573,7 @@ int smblib_get_prop_usb_online(struct smb_charger *chg, return rc; } - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { rc = smblib_get_prop_usb_present(chg, &pval); if (rc < 0) { smblib_err(chg, "Couldn't get usb present rc = %d\n", rc); @@ -4582,7 +4582,7 @@ int smblib_get_prop_usb_online(struct smb_charger *chg, usb_present = pval.intval; - if (usb_present && chg->use_bq_pump + if (usb_present && (chg->use_bq_pump && is_bq25970_available(chg)) && (get_client_vote_locked(chg->usb_icl_votable, MAIN_CHG_VOTER) == MAIN_CHARGER_STOP_ICL)) { val->intval = true; @@ -5892,7 +5892,7 @@ int smblib_set_prop_pd_active(struct smb_charger *chg, smblib_apsd_enable(chg, !chg->pd_active); - if (!chg->pd && chg->use_bq_pump) { + if (!chg->pd && (chg->use_bq_pump && is_bq25970_available(chg))) { chg->pd = devm_usbpd_get_by_phandle(chg->dev, "qcom,usbpd-phandle"); if (IS_ERR_OR_NULL(chg->pd)) @@ -7006,14 +7006,14 @@ void smblib_usb_plugin_locked(struct smb_charger *chg) schedule_delayed_work(&chg->check_vbat_work, msecs_to_jiffies(200)); chg->reverse_count = 0; schedule_delayed_work(&chg->reverse_boost_work, msecs_to_jiffies(REVERSE_BOOST_WORK_START_DELAY_MS)); - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) schedule_delayed_work(&chg->reduce_fcc_work, msecs_to_jiffies(ESR_WORK_TIME_180S)); } else { cancel_delayed_work_sync(&chg->charger_type_recheck); chg->reverse_count = 0; cancel_delayed_work_sync(&chg->reverse_boost_work); - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { cancel_delayed_work_sync(&chg->reduce_fcc_work); vote(chg->fcc_votable, ESR_WORK_VOTER, false, 0); } @@ -7318,7 +7318,7 @@ static void smblib_raise_qc3_vbus_work(struct work_struct *work) if (chg->pd_hard_reset) { if (chg->detect_low_power_qc3_charger) chg->detect_low_power_qc3_charger = false; - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) vote(chg->usb_icl_votable, HVDCP3_START_ICL_VOTER, false, 0); pr_info("pd hard reset, no need to raise vbus now\n"); return; @@ -7389,10 +7389,10 @@ static void smblib_raise_qc3_vbus_work(struct work_struct *work) } } - if (chg->use_bq_pump) + if (chg->use_bq_pump && is_bq25970_available(chg)) vote(chg->usb_icl_votable, HVDCP3_START_ICL_VOTER, false, 0); - if (!chg->use_bq_pump) { + if (!(chg->use_bq_pump && is_bq25970_available(chg))) { /* select charge pump as second charger */ rc = smblib_select_sec_charger(chg, POWER_SUPPLY_CHARGER_SEC_CP, POWER_SUPPLY_CP_HVDCP3, false); @@ -7500,7 +7500,7 @@ static void smblib_handle_hvdcp_3p0_auth_done(struct smb_charger *chg, /* for QC3, switch to CP if present */ if ((apsd_result->bit & QC_3P0_BIT) - && (chg->sec_cp_present || chg->use_bq_pump)) { + && (chg->sec_cp_present || (chg->use_bq_pump && is_bq25970_available(chg)))) { if (!chg->qc_class_ab) { rc = smblib_select_sec_charger(chg, POWER_SUPPLY_CHARGER_SEC_CP, POWER_SUPPLY_CP_HVDCP3, false); @@ -7510,7 +7510,7 @@ static void smblib_handle_hvdcp_3p0_auth_done(struct smb_charger *chg, } else { if (!chg->detect_low_power_qc3_charger && (!chg->qc3p5_supported || !chg->qc3p5_authenticated)) { - if (!chg->use_bq_pump) + if (!(chg->use_bq_pump && is_bq25970_available(chg))) vote(chg->usb_icl_votable, SW_ICL_MAX_VOTER, true, HVDCP_START_CURRENT_UA); else { @@ -7564,7 +7564,7 @@ static void smblib_handle_hvdcp_check_timeout(struct smb_charger *chg, vote(chg->usb_icl_votable, SW_ICL_MAX_VOTER, true, HVDCP2_CURRENT_UA); } else { - if (chg->six_pin_step_charge_enable || chg->use_bq_pump) + if (chg->six_pin_step_charge_enable || (chg->use_bq_pump && is_bq25970_available(chg))) vote(chg->usb_icl_votable, SW_ICL_MAX_VOTER, true, HVDCP_CLASS_B_CURRENT_UA); else @@ -8054,7 +8054,7 @@ static void typec_src_removal(struct smb_charger *chg) vote(chg->fcc_votable, PD_VERIFED_VOTER, true, PD_UNVERIFED_CURRENT); vote(chg->usb_icl_votable, QC_A_CP_ICL_MAX_VOTER, false, 0); vote(chg->usb_icl_votable, QC2_UNSUPPORTED_VOTER, false, 0); - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { vote(chg->usb_icl_votable, HVDCP3_START_ICL_VOTER, false, 0); vote(chg->usb_icl_votable, MAIN_CHG_VOTER, false, 0); vote(chg->fcc_votable, SLOWLY_CHARGING_VOTER, false, 0); @@ -10187,7 +10187,7 @@ int smblib_init(struct smb_charger *chg) INIT_DELAYED_WORK(&chg->pr_swap_detach_work, smblib_pr_swap_detach_work); INIT_DELAYED_WORK(&chg->check_vbat_work, smblib_check_vbat_work); - if (chg->use_bq_pump) { + if (chg->use_bq_pump && is_bq25970_available(chg)) { INIT_DELAYED_WORK(&chg->reduce_fcc_work, reduce_fcc_work); INIT_DELAYED_WORK(&chg->thermal_setting_work, smblib_thermal_setting_work); } diff --git a/drivers/power/supply/qcom/step-chg-jeita.c b/drivers/power/supply/qcom/step-chg-jeita.c index b8034784e908..574ed96df80b 100644 --- a/drivers/power/supply/qcom/step-chg-jeita.c +++ b/drivers/power/supply/qcom/step-chg-jeita.c @@ -834,7 +834,7 @@ static int handle_jeita(struct step_chg_info *chip) temp = pval.intval; /* should disable/enable cp(smb1390) when soft jeita trigger and clear */ - if (chip->six_pin_battery && !chip->use_bq_pump) { + if (chip->six_pin_battery && !(chip->use_bq_pump && is_bq25970_available(chip))) { if (!chip->cp_disable_votable) chip->cp_disable_votable = find_votable("CP_DISABLE"); From a2c57b4113e851ba41c9cdcdd386a5ee43a332f9 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Tue, 23 Apr 2024 01:39:35 +0530 Subject: [PATCH 181/182] arm64: configs: sweet: Enable ln8000 charge pump driver Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- arch/arm64/configs/vendor/sdmsteppe-perf_defconfig | 1 + arch/arm64/configs/vendor/sweet.config | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig index a1a4f14a9bed..11b289088263 100644 --- a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig @@ -2473,6 +2473,7 @@ CONFIG_SMB1390_CHARGE_PUMP_PSY=y # TI Technologies, Inc. Charger support # # CONFIG_BQ2597X_CHARGE_PUMP is not set +# CONFIG_CHARGER_LN8000 is not set # CONFIG_K9A_CHARGE is not set CONFIG_HWMON=y # CONFIG_HWMON_VID is not set diff --git a/arch/arm64/configs/vendor/sweet.config b/arch/arm64/configs/vendor/sweet.config index 96b27e1b9b2b..cc658755b40e 100644 --- a/arch/arm64/configs/vendor/sweet.config +++ b/arch/arm64/configs/vendor/sweet.config @@ -60,6 +60,7 @@ CONFIG_NFC_NQ_PN80T=y # Power CONFIG_BATT_VERIFY_BY_DS28E16=y CONFIG_BQ2597X_CHARGE_PUMP=y +CONFIG_CHARGER_LN8000=y CONFIG_K6_CHARGE=y CONFIG_ONEWIRE_GPIO=y # CONFIG_SMB1355_SLAVE_CHARGER is not set From 3985a9b1db4fa6eb81b07bb77b1f1f558510e737 Mon Sep 17 00:00:00 2001 From: itsshashanksp <9945shashank@gmail.com> Date: Thu, 18 Jul 2024 14:55:39 +0530 Subject: [PATCH 182/182] arm64: configs: Bump devfreq input boost duration * Set devfreq input boost duration milliseconds to 200 for better real-time response also improves performance. Signed-off-by: Shashank Patil <9945shashank@gmail.com> --- arch/arm64/configs/vendor/sdmsteppe-perf_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig index 11b289088263..85af3acf393e 100644 --- a/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig +++ b/arch/arm64/configs/vendor/sdmsteppe-perf_defconfig @@ -4468,7 +4468,7 @@ CONFIG_QCOM_DEVFREQ_DEVBW=y # CONFIG_DEVFREQ_SPDM is not set CONFIG_DEVFREQ_GOV_CDSPL3=y CONFIG_DEVFREQ_BOOST=y -CONFIG_DEVFREQ_INPUT_BOOST_DURATION_MS=100 +CONFIG_DEVFREQ_INPUT_BOOST_DURATION_MS=200 CONFIG_DEVFREQ_WAKE_BOOST_DURATION_MS=1000 CONFIG_DEVFREQ_CPU_CPU_LLCC_BW_BOOST_FREQ=9155 # CONFIG_PM_DEVFREQ_EVENT is not set