January 2024 - Linux-stable-mirror

[PATCH 5/7] ext4: fix slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists()

by Baokun Li

We can trigger a slab-out-of-bounds with the following commands: mkfs.ext4 -F /dev/$disk 10G mount /dev/$disk /tmp/test echo 2147483647 > /sys/fs/ext4/$disk/mb_group_prealloc echo test > /tmp/test/file && sync ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4] Read of size 8 at addr ffff888121b9d0f0 by task kworker/u2:0/11 CPU: 0 PID: 11 Comm: kworker/u2:0 Tainted: GL 6.7.0-next-20240118 #521 Call Trace: dump_stack_lvl+0x2c/0x50 kasan_report+0xb6/0xf0 ext4_mb_find_good_group_avg_frag_lists+0x8a/0x200 [ext4] ext4_mb_regular_allocator+0x19e9/0x2370 [ext4] ext4_mb_new_blocks+0x88a/0x1370 [ext4] ext4_ext_map_blocks+0x14f7/0x2390 [ext4] ext4_map_blocks+0x569/0xea0 [ext4] ext4_do_writepages+0x10f6/0x1bc0 [ext4] [...] ================================================================== The flow of issue triggering is as follows: // Set s_mb_group_prealloc to 2147483647 via sysfs ext4_mb_new_blocks ext4_mb_normalize_request ext4_mb_normalize_group_request ac->ac_g_ex.fe_len = EXT4_SB(sb)->s_mb_group_prealloc ext4_mb_regular_allocator ext4_mb_choose_next_group ext4_mb_choose_next_group_best_avail mb_avg_fragment_size_order order = fls(len) - 2 = 29 ext4_mb_find_good_group_avg_frag_lists frag_list = &sbi->s_mb_avg_fragment_size[order] if (list_empty(frag_list)) // Trigger SOOB! At 4k block size, the length of the s_mb_avg_fragment_size list is 14, but an oversized s_mb_group_prealloc is set, causing slab-out-of-bounds to be triggered by an attempt to access an element at index 29. Therefore it is not allowed to set s_mb_group_prealloc to a value greater than s_clusters_per_group via sysfs, and to avoid returning an order from mb_avg_fragment_size_order() that is greater than MB_NUM_ORDERS(sb). Fixes: 7e170922f06b ("ext4: Add allocation criteria 1.5 (CR1_5)") CC: stable(a)vger.kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/ext4/mballoc.c | 2 ++ fs/ext4/sysfs.c | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index f44f668e407f..1ea6491b6b00 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -832,6 +832,8 @@ static int mb_avg_fragment_size_order(struct super_block *sb, ext4_grpblk_t len) return 0; if (order == MB_NUM_ORDERS(sb)) order--; + if (WARN_ON_ONCE(order > MB_NUM_ORDERS(sb))) + order = MB_NUM_ORDERS(sb) - 1; return order; } diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c index 6f9f96e00f2f..60ca7b2797b2 100644 --- a/fs/ext4/sysfs.c +++ b/fs/ext4/sysfs.c @@ -29,6 +29,7 @@ typedef enum { attr_trigger_test_error, attr_first_error_time, attr_last_error_time, + attr_group_prealloc, attr_feature, attr_pointer_pi, attr_pointer_ui, @@ -211,13 +212,14 @@ EXT4_ATTR_FUNC(sra_exceeded_retry_limit, 0444); EXT4_ATTR_OFFSET(inode_readahead_blks, 0644, inode_readahead, ext4_sb_info, s_inode_readahead_blks); +EXT4_ATTR_OFFSET(mb_group_prealloc, 0644, group_prealloc, + ext4_sb_info, s_mb_group_prealloc); EXT4_RW_ATTR_SBI_UI(inode_goal, s_inode_goal); EXT4_RW_ATTR_SBI_UI(mb_stats, s_mb_stats); EXT4_RW_ATTR_SBI_UI(mb_max_to_scan, s_mb_max_to_scan); EXT4_RW_ATTR_SBI_UI(mb_min_to_scan, s_mb_min_to_scan); EXT4_RW_ATTR_SBI_UI(mb_order2_req, s_mb_order2_reqs); EXT4_RW_ATTR_SBI_UI(mb_stream_req, s_mb_stream_request); -EXT4_RW_ATTR_SBI_PI(mb_group_prealloc, s_mb_group_prealloc); EXT4_RW_ATTR_SBI_UI(mb_max_linear_groups, s_mb_max_linear_groups); EXT4_RW_ATTR_SBI_UI(extent_max_zeroout_kb, s_extent_max_zeroout_kb); EXT4_ATTR(trigger_fs_error, 0200, trigger_test_error); @@ -380,6 +382,7 @@ static ssize_t ext4_generic_attr_show(struct ext4_attr *a, switch (a->attr_id) { case attr_inode_readahead: + case attr_group_prealloc: case attr_pointer_pi: case attr_pointer_ui: if (a->attr_ptr == ptr_ext4_super_block_offset) @@ -453,6 +456,10 @@ static ssize_t ext4_generic_attr_store(struct ext4_attr *a, return ret; switch (a->attr_id) { + case attr_group_prealloc: + if (t > sbi->s_clusters_per_group) + return -EINVAL; + fallthrough; case attr_pointer_pi: if ((int)t < 0) return -EINVAL; -- 2.31.1

1 year, 2 months

4
4
0 0

xfrm: Remove inner/outer modes from input/output path

by Sri Sakthi

Hi, Below 2 xfrm ipsec related commits have already been merged to mainline. From Herbert Xu. Description: Remove inner/outer modes from input/output path. These are not needed anymore. xfrm: Remove inner/outer modes from output path (commit: f4796398f21b9844017a2dac883b1dd6ad6edd60) xfrm: Remove inner/outer modes from input path (commit: 5f24f41e8ea62a6a9095f9bbafb8b3aebe265c68) Reason for backporting – We have transport mode interleaved with tunnel mode support as part of ipsec with compression offering. These commits in v6.1 LTS would help. Requesting to apply these commits to Kernel LTS version 6.1. Thanks, Srisakthi S

1 year, 2 months

2
1
0 0

[PATCH stable] mptcp: introduce explicit flag for first subflow disposal

by Christoph Paasch

From: Paolo Abeni <pabeni(a)redhat.com> This is a partial backport of the upstram commit 39880bd808ad ("mptcp: get rid of msk->subflow"). It's partial to avoid a long a complex dependency chain not suitable for stable. The only bit remaning from the original commit is the introduction of a new field avoid a race at close time causing an UaF: BUG: KASAN: use-after-free in mptcp_subflow_queue_clean+0x2c9/0x390 include/net/mptcp.h:104 Read of size 1 at addr ffff88803bf72884 by task syz-executor.6/23092 CPU: 0 PID: 23092 Comm: syz-executor.6 Not tainted 6.1.65-gc6114c845984 #50 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x125/0x18f lib/dump_stack.c:106 print_report+0x163/0x4f0 mm/kasan/report.c:284 kasan_report+0xc4/0x100 mm/kasan/report.c:495 mptcp_subflow_queue_clean+0x2c9/0x390 include/net/mptcp.h:104 mptcp_check_listen_stop+0x190/0x2a0 net/mptcp/protocol.c:3009 __mptcp_close+0x9a/0x970 net/mptcp/protocol.c:3024 mptcp_close+0x2a/0x130 net/mptcp/protocol.c:3089 inet_release+0x13d/0x190 net/ipv4/af_inet.c:429 sock_close+0xcf/0x230 net/socket.c:652 __fput+0x3a2/0x870 fs/file_table.c:320 task_work_run+0x24e/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xa4/0xc0 kernel/entry/common.c:171 exit_to_user_mode_prepare+0x51/0x90 kernel/entry/common.c:204 syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:286 do_syscall_64+0x53/0xa0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x64/0xce RIP: 0033:0x41d791 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 74 2a 00 00 c3 48 83 ec 08 e8 9a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 e3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00000000008bfb90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 000000000041d791 RDX: 0000001b33920000 RSI: ffffffff8139adff RDI: 0000000000000003 RBP: 000000000079d980 R08: 0000001b33d20000 R09: 0000000000000951 R10: 000000008139a955 R11: 0000000000000293 R12: 00000000000c739b R13: 000000000079bf8c R14: 00007fa301053000 R15: 00000000000c705a </TASK> Allocated by task 22528: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x40/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0xa0/0xb0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:955 [inline] __kmalloc+0xaa/0x1c0 mm/slab_common.c:968 kmalloc include/linux/slab.h:558 [inline] sk_prot_alloc+0xac/0x200 net/core/sock.c:2038 sk_clone_lock+0x56/0x1090 net/core/sock.c:2236 inet_csk_clone_lock+0x26/0x420 net/ipv4/inet_connection_sock.c:1141 tcp_create_openreq_child+0x30/0x1910 net/ipv4/tcp_minisocks.c:474 tcp_v6_syn_recv_sock+0x413/0x1a90 net/ipv6/tcp_ipv6.c:1283 subflow_syn_recv_sock+0x621/0x1300 net/mptcp/subflow.c:730 tcp_get_cookie_sock+0xf0/0x5f0 net/ipv4/syncookies.c:201 cookie_v6_check+0x130f/0x1c50 net/ipv6/syncookies.c:261 tcp_v6_do_rcv+0x7e0/0x12b0 net/ipv6/tcp_ipv6.c:1147 tcp_v6_rcv+0x2494/0x2f50 net/ipv6/tcp_ipv6.c:1743 ip6_protocol_deliver_rcu+0xba3/0x1620 net/ipv6/ip6_input.c:438 ip6_input+0x1bc/0x470 net/ipv6/ip6_input.c:483 ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:302 __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5525 process_backlog+0x353/0x660 net/core/dev.c:5967 __napi_poll+0xc6/0x5a0 net/core/dev.c:6534 net_rx_action+0x652/0xea0 net/core/dev.c:6601 __do_softirq+0x176/0x525 kernel/softirq.c:571 Freed by task 23093: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x40/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:516 ____kasan_slab_free+0x13a/0x1b0 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook mm/slub.c:1750 [inline] slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0x1eb/0x340 mm/slub.c:3674 sk_prot_free net/core/sock.c:2074 [inline] __sk_destruct+0x4ad/0x620 net/core/sock.c:2160 tcp_v6_rcv+0x269c/0x2f50 net/ipv6/tcp_ipv6.c:1761 ip6_protocol_deliver_rcu+0xba3/0x1620 net/ipv6/ip6_input.c:438 ip6_input+0x1bc/0x470 net/ipv6/ip6_input.c:483 ipv6_rcv+0xef/0x2c0 include/linux/netfilter.h:302 __netif_receive_skb+0x1ea/0x6a0 net/core/dev.c:5525 process_backlog+0x353/0x660 net/core/dev.c:5967 __napi_poll+0xc6/0x5a0 net/core/dev.c:6534 net_rx_action+0x652/0xea0 net/core/dev.c:6601 __do_softirq+0x176/0x525 kernel/softirq.c:571 The buggy address belongs to the object at ffff88803bf72000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 2180 bytes inside of 4096-byte region [ffff88803bf72000, ffff88803bf73000) The buggy address belongs to the physical page: page:00000000a72e4e51 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3bf70 head:00000000a72e4e51 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 ffffea0000a0ea00 dead000000000002 ffff888100042140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88803bf72780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88803bf72800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88803bf72880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88803bf72900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88803bf72980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Prevent the MPTCP worker from freeing the first subflow for unaccepted socket when such sockets transition to TCP_CLOSE state, and let that happen at accept() or listener close() time. Fixes: b6985b9b8295 ("mptcp: use the workqueue to destroy unaccepted sockets") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reported-by: Christoph Paasch <cpaasch(a)apple.com> Tested-by: Christoph Paasch <cpaasch(a)apple.com> --- Notes: This patch is targeted only for -stable and specifically v6.1.x The Fixes-tag is from the upstream tree. We can change that to the commit in the v6.1.x-tree if needed. net/mptcp/protocol.c | 9 ++++----- net/mptcp/protocol.h | 3 ++- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 76539d1004eb..db5369b6442d 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2422,7 +2422,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, goto out_release; } - dispose_it = !msk->subflow || ssk != msk->subflow->sk; + dispose_it = msk->free_first || ssk != msk->first; if (dispose_it) list_del(&subflow->node); @@ -2440,7 +2440,6 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk); if (!dispose_it) { __mptcp_subflow_disconnect(ssk, subflow, flags); - msk->subflow->state = SS_UNCONNECTED; release_sock(ssk); goto out; @@ -3341,10 +3340,10 @@ static void mptcp_destroy(struct sock *sk) { struct mptcp_sock *msk = mptcp_sk(sk); - /* clears msk->subflow, allowing the following to close - * even the initial subflow - */ mptcp_dispose_initial_subflow(msk); + + /* allow the following to close even the initial subflow */ + msk->free_first = 1; mptcp_destroy_common(msk, 0); sk_sockets_allocated_dec(sk); } diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 4ec8e0a81b5a..e5d553dfc13f 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -287,7 +287,8 @@ struct mptcp_sock { cork:1, nodelay:1, fastopening:1, - in_accept_queue:1; + in_accept_queue:1, + free_first:1; struct work_struct work; struct sk_buff *ooo_last_skb; struct rb_root out_of_order_queue; -- 2.32.3 (Apple Git-135)

1 year, 2 months

2
1
0 0

[PATCH] i2c: core: Fix atomic xfer check for non-preempt config

by Benjamin Bara

From: Benjamin Bara <benjamin.bara(a)skidata.com> Since commit aa49c90894d0 ("i2c: core: Run atomic i2c xfer when !preemptible"), the whole reboot/power off sequence on non-preempt kernels is using atomic i2c xfer, as !preemptible() always results to 1. During device_shutdown(), the i2c might be used a lot and not all busses have implemented an atomic xfer handler. This results in a lot of avoidable noise, like: [ 12.687169] No atomic I2C transfer handler for 'i2c-0' [ 12.692313] WARNING: CPU: 6 PID: 275 at drivers/i2c/i2c-core.h:40 i2c_smbus_xfer+0x100/0x118 ... Fix this by allowing non-atomic xfer when the interrupts are enabled, as it was before. Fixes: aa49c90894d0 ("i2c: core: Run atomic i2c xfer when !preemptible") Cc: stable(a)vger.kernel.org # v5.2+ Signed-off-by: Benjamin Bara <benjamin.bara(a)skidata.com> --- Hi! As there are a couple of bug reports already about missing atomic i2c xfer handler warnings on non-preemptive configs around [1], this is an attempt to reduce the avoidable noise. thanks & regards Benjamin [1] https://lore.kernel.org/all/20230327-tegra-pmic-reboot-v7-2-18699d5dcd76@sk… --- drivers/i2c/i2c-core.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/i2c-core.h b/drivers/i2c/i2c-core.h index 05b8b8dfa9bd..e48c0cd21438 100644 --- a/drivers/i2c/i2c-core.h +++ b/drivers/i2c/i2c-core.h @@ -3,6 +3,7 @@ * i2c-core.h - interfaces internal to the I2C framework */ +#include <linux/kconfig.h> #include <linux/rwsem.h> struct i2c_devinfo { @@ -29,7 +30,14 @@ int i2c_dev_irq_from_resources(const struct resource *resources, */ static inline bool i2c_in_atomic_xfer_mode(void) { - return system_state > SYSTEM_RUNNING && !preemptible(); + /* + * non-atomic xfers often use wait_for_completion*() calls to wait + * efficiently (schedule out voluntarily) on the completion of the xfer, + * which are then "completed" by an IRQ. If the constraints are not + * satisfied, fall back to an atomic xfer. + */ + return system_state > SYSTEM_RUNNING && + (IS_ENABLED(CONFIG_PREEMPT_COUNT) ? !preemptible() : irqs_disabled()); } static inline int __i2c_lock_bus_helper(struct i2c_adapter *adap) --- base-commit: 610a9b8f49fbcf1100716370d3b5f6f884a2835a change-id: 20240104-i2c-atomic-2435f835b598 Best regards, -- Benjamin Bara <benjamin.bara(a)skidata.com>

1 year, 2 months

5
4
0 0

[PATCH 5.4 000/194] 5.4.268-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.268 release. There are 194 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Jan 2024 23:56:49 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.268-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.268-rc1 Tiezhu Yang <yangtiezhu(a)loongson.cn> perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set Marek Szyprowski <m.szyprowski(a)samsung.com> i2c: s3c24xx: fix transferring more than one message in polling mode Marek Szyprowski <m.szyprowski(a)samsung.com> i2c: s3c24xx: fix read transfers in polling mode Amit Cohen <amcohen(a)nvidia.com> mlxsw: spectrum_acl_erp: Fix error flow of pool allocation failure Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> kdb: Fix a potential buffer overflow in kdb_local() Daniel Thompson <daniel.thompson(a)linaro.org> kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ Fedor Pchelkin <pchelkin(a)ispras.ru> ipvs: avoid stat macros calls from preemptible context Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: skip dead set elements in netlink dump Kunwu Chan <chentao(a)kylinos.cn> net: dsa: vsc73xx: Add null pointer check to vsc73xx_gpio_probe Nikita Yushchenko <nikita.yoush(a)cogentembedded.com> net: ravb: Fix dma_addr_t truncation in error case Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> net: phy: micrel: populate .soft_reset for KSZ9131 Lin Ma <linma(a)zju.edu.cn> net: qualcomm: rmnet: fix global oob in rmnet_policy Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: fix max size calculation in zpci_memcpy_toio() Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: keystone: Fix race condition when initializing PHYs Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: Fix the H2C expected PDU len calculation Christoph Niedermaier <cniedermaier(a)dh-electronics.com> serial: imx: Correct clock error message in function probe() Fedor Pchelkin <pchelkin(a)ispras.ru> apparmor: avoid crash when parsed profile name is empty Ian Rogers <irogers(a)google.com> perf env: Avoid recursively taking env->bpf_progs.lock Arnaldo Carvalho de Melo <acme(a)redhat.com> perf bpf: Decouple creating the evlist from adding the SB event Arnaldo Carvalho de Melo <acme(a)redhat.com> perf top: Move sb_evlist to 'struct perf_top' Arnaldo Carvalho de Melo <acme(a)redhat.com> perf record: Move sb_evlist to 'struct record' Jiri Olsa <jolsa(a)kernel.org> perf env: Add perf_env__numa_node() Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: fix a crash in nvmet_req_complete() Maurizio Lombardi <mlombard(a)redhat.com> nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length Namhyung Kim <namhyung(a)kernel.org> perf genelf: Set ELF program header addresses properly Sakari Ailus <sakari.ailus(a)linux.intel.com> software node: Let args be NULL in software_node_get_reference_args Sakari Ailus <sakari.ailus(a)linux.intel.com> acpi: property: Let args be NULL in __acpi_node_get_property_reference Martijn Coenen <maco(a)android.com> binder: print warnings when detecting oneway spamming. Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() Serge Semin <fancer.lancer(a)gmail.com> mips: Fix incorrect max_low_pfn adjustment Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Correct behavior when processing some confidence == false touches Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/kvm: Do not try to disable kvmclock if it was not enabled David Lin <yu-hao.lin(a)nxp.com> wifi: mwifiex: configure BSSID consistently when starting AP Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code Stefan Berger <stefanb(a)linux.ibm.com> rootfs: Fix support for rootfstype= when root= is given Nam Cao <namcao(a)linutronix.de> fbdev: flush deferred work in fb_deferred_io_fsync() Takashi Iwai <tiwai(a)suse.de> ALSA: oxygen: Fix right channel of capture volume mixer Gui-Dong Han <2045gemini(a)gmail.com> usb: mon: Fix atomicity violation in mon_bin_vma_fault RD Babiera <rdbabiera(a)google.com> usb: typec: class: fix typec_altmode_put_partner to put plugs Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Revert "usb: typec: class: fix typec_altmode_put_partner to put plugs" Xu Yang <xu.yang_2(a)nxp.com> usb: chipidea: wait controller resume finished for wakeup irq Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Revert "usb: dwc3: don't reset device side if dwc3 was configured as host-only" Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Revert "usb: dwc3: Soft reset phy on probe for host" Uttkarsh Aggarwal <quic_uaggarwa(a)quicinc.com> usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart Xu Yang <xu.yang_2(a)nxp.com> usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() Heiko Carstens <hca(a)linux.ibm.com> tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug Carlos Llamas <cmllamas(a)google.com> binder: fix unused alloc->free_async_space Carlos Llamas <cmllamas(a)google.com> binder: fix race between mmput() and do_exit() Jan Beulich <jbeulich(a)suse.com> xen-netback: don't produce zero-size SKB frags Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek" Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - use ab83 as id when skipping the getid command Carlos Llamas <cmllamas(a)google.com> binder: fix use-after-free in shinker's callback Carlos Llamas <cmllamas(a)google.com> binder: fix async space check for 0-sized buffers Geert Uytterhoeven <geert+renesas(a)glider.be> of: unittest: Fix of_count_phandle_with_args() expected value message Christian A. Ehrhardt <lk(a)c--e.de> of: Fix double free in of_parse_phandle_with_args_map Peter Robinson <pbrobinson(a)gmail.com> mmc: sdhci_omap: Fix TI SoC dependencies Su Hui <suhui(a)nfschina.com> clk: si5341: fix an error code problem in si5341_output_clk_set_rate Stefan Wahren <wahrenst(a)gmx.net> watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling Jerry Hoemann <jerry.hoemann(a)hpe.com> watchdog/hpwdt: Only claim UNKNOWN NMI if from iLO Curtis Klein <curtis.klein(a)hpe.com> watchdog: set cdev owner before adding Jay Buddhabhatti <jay.buddhabhatti(a)amd.com> drivers: clk: zynqmp: calculate closest mux rate Zhipeng Lu <alexious(a)zju.edu.cn> gpu/drm/radeon: fix two memleaks in radeon_vm_init Zhipeng Lu <alexious(a)zju.edu.cn> drivers/amd/pm: fix a use-after-free in kv_parse_power_table Zhipeng Lu <alexious(a)zju.edu.cn> drm/amd/pm: fix a double-free in si_dpm_init Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/debugfs: fix error code when smc register accessors are NULL Dan Carpenter <dan.carpenter(a)linaro.org> media: dvbdev: drop refcount on error path in dvb_device_open() Zhipeng Lu <alexious(a)zju.edu.cn> media: cx231xx: fix a memleak in cx231xx_init_isoc Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: tc358767: Fix return value on error case Zhipeng Lu <alexious(a)zju.edu.cn> drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table Zhipeng Lu <alexious(a)zju.edu.cn> drm/radeon/dpm: fix a memleak in sumo_parse_power_table Yang Yingliang <yangyingliang(a)huawei.com> drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/drv: propagate errors from drm_modeset_register_all() Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/dsi: Use pm_runtime_resume_and_get to prevent refcnt leaks Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/mdp4: flush vblank event on disable Linus Walleij <linus.walleij(a)linaro.org> ASoC: cs35l34: Fix GPIO name and drop legacy include Linus Walleij <linus.walleij(a)linaro.org> ASoC: cs35l33: Fix GPIO name and drop legacy include Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: check return value of radeon_ring_lock() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() Chao Yu <chao(a)kernel.org> f2fs: fix to avoid dirent corruption Dario Binacchi <dario.binacchi(a)amarulasolutions.com> drm/bridge: Fix typo in post_disable() description Ricardo B. Marliere <ricardo(a)marliere.net> media: pvrusb2: fix use after free on context disconnection Leon Romanovsky <leonro(a)nvidia.com> RDMA/usnic: Silence uninitialized symbol smatch warnings Arnd Bergmann <arnd(a)arndb.de> ARM: davinci: always select CONFIG_CPU_ARM926T Eric Dumazet <edumazet(a)google.com> ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() Francesco Dolcini <francesco.dolcini(a)toradex.com> Bluetooth: btmtkuart: fix recv_buf() return value Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: Fix bogus check for re-auth no supported with non-ssp Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: mark newset as dead on transaction abort Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192se: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192de: using calculate_bit_shift() Colin Ian King <colin.king(a)canonical.com> rtlwifi: rtl8192de: make arrays static const, makes object smaller Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8192c: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: add calculate_bit_shift() Joakim Zhang <joakim.zhang(a)cixtech.com> dma-mapping: clear dev->dma_mem to NULL after freeing it Arseniy Krasnov <avkrasnov(a)salutedevices.com> virtio/vsock: fix logic which reduces credit update messages Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: fix grep checking for fib_nexthop_multiprefix Yihang Li <liyihang9(a)huawei.com> scsi: hisi_sas: Replace with standard error code return value Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sdm845-db845c: correct LED panic indicator Artem Chernyshev <artem.chernyshev(a)red-soft.ru> scsi: fnic: Return error if vmalloc() failed Su Hui <suhui(a)nfschina.com> wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior Joe Perches <joe(a)perches.com> rtlwifi: Use ffs in <foo>_phy_calculate_bit_shift Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() Peter Delevoryas <peter(a)pjd.dev> net/ncsi: Fix netlink major/minor version numbers Bhaskar Chowdhury <unixbhaskar(a)gmail.com> ncsi: internal.h: Fix a spello Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> ARM: dts: qcom: apq8064: correct XOADC register address Arnd Bergmann <arnd(a)arndb.de> wifi: libertas: stop selecting wext Florian Lehner <dev(a)der-flo.net> bpf, lpm: Fix check prefixlen before walking trie Chih-Kang Chang <gary.chang(a)realtek.com> wifi: rtw88: fix RX filter in FIF_ALLMULTI flag Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT Benjamin Coddington <bcodding(a)redhat.com> blocklayoutdriver: Fix reference leak of pnfs_device_node Chengming Zhou <zhouchengming(a)bytedance.com> crypto: scomp - fix req->dst buffer overflow Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - do not resize req->src when doing hash operations Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix processing hash requests with req->nbytes < sg->length Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - improve error handling in sahara_sha_process() Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix wait_for_completion_timeout() error handling Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix ahash reqsize wangyangxin <wangyangxin1(a)huawei.com> crypto: virtio - Wait for tasklet to complete on device remove Osama Muhammad <osmtendev(a)gmail.com> gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Sergey Shtylyov <s.shtylyov(a)omp.ru> pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix error handling in sahara_hw_descriptor_create() Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix processing requests with cryptlen < sg->length Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - fix ahash selftest failure Ovidiu Panait <ovidiu.panait(a)windriver.com> crypto: sahara - remove FLAGS_NEW_KEY logic Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow multiple in-flight AIO requests Dinghao Liu <dinghao.liu(a)zju.edu.cn> crypto: ccp - fix memleak in ccp_init_dm_workarea zhenwei pi <pizhenwei(a)bytedance.com> virtio_crypto: Introduce VIRTIO_CRYPTO_NOSPC Ram Muthiah <rammuthiah(a)google.com> crypto: virtio - don't use 'default m' Gonglei (Arei) <arei.gonglei(a)huawei.com> crypto: virtio - Handle dataq logic with tasklet Mickaël Salaün <mic(a)digikod.net> selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket ZhaoLong Wang <wangzhaolong1(a)huawei.com> mtd: Fix gluebi NULL pointer dereference caused by ftl notifier Wolfram Sang <wsa+renesas(a)sang-engineering.com> spi: sh-msiof: Enforce fixed DTDL for R-Car H3 Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> calipso: fix memory leak in netlbl_calipso_add_pass() Zheng Yejian <zhengyejian1(a)huawei.com> netlabel: remove unused parameter in netlbl_netlink_auditinfo() Andrew Lunn <andrew(a)lunn.ch> net: netlabel: Fix kerneldoc warnings Nikita Kiryushin <kiryushin(a)ancud.ru> ACPI: LPIT: Avoid u32 multiplication overflow Nikita Kiryushin <kiryushin(a)ancud.ru> ACPI: video: check for error while searching for backlight device parent Ronald Monthero <debug.penguin32(a)gmail.com> mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response Kunwu Chan <chentao(a)kylinos.cn> powerpc/imc-pmu: Add a null pointer check in update_events_in_group() Kunwu Chan <chentao(a)kylinos.cn> powerpc/powernv: Add a null pointer check in opal_powercap_init() Kunwu Chan <chentao(a)kylinos.cn> powerpc/powernv: Add a null pointer check in opal_event_init() Kunwu Chan <chentao(a)kylinos.cn> powerpc/powernv: Add a null pointer check to scom_debug_init_one() Michael Ellerman <mpe(a)ellerman.id.au> selftests/powerpc: Fix error handling in FPU/VMX preemption tests Nathan Lynch <nathanl(a)linux.ibm.com> powerpc/pseries/memhp: Fix access beyond end of drmem array Laurent Dufour <ldufour(a)linux.ibm.com> powerpc/pseries/memhotplug: Quieten some DLPAR operations Randy Dunlap <rdunlap(a)infradead.org> powerpc/44x: select I2C for CURRITUCK Masahiro Yamada <masahiroy(a)kernel.org> powerpc: add crtsavres.o to always-y instead of extra-y Arnd Bergmann <arnd(a)arndb.de> EDAC/thunderx: Fix possible out-of-bounds string access Colin Ian King <colin.i.king(a)gmail.com> x86/lib: Fix overflow when counting digits James Clark <james.clark(a)arm.com> coresight: etm4x: Fix width of CCITMIN field Cameron Williams <cang1(a)live.co.uk> parport: parport_serial: Add Brainboxes device IDs and geometry Cameron Williams <cang1(a)live.co.uk> parport: parport_serial: Add Brainboxes BAR details Guanghui Feng <guanghuifeng(a)linux.alibaba.com> uio: Fix use-after-free in uio_open Carlos Llamas <cmllamas(a)google.com> binder: fix comment on binder_alloc_new_buf() return value Carlos Llamas <cmllamas(a)google.com> binder: fix trivial typo of binder_free_buf_locked() Carlos Llamas <cmllamas(a)google.com> binder: use EPOLLERR from eventpoll.h Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add another DMI match for the TongFang GMxXGxx Jani Nikula <jani.nikula(a)intel.com> drm/crtc: fix uninitialized variable use Stefan Wahren <wahrenst(a)gmx.net> ARM: sun9i: smp: fix return code check of of_property_match_string Matthew Wilcox (Oracle) <willy(a)infradead.org> ida: Fix crash in ida_free when the bitmap is empty Luca Weiss <luca(a)z3ntu.xyz> Input: xpad - add Razer Wolverine V2 support Vineet Gupta <vgupta(a)kernel.org> ARC: fix spare error Vineeth Vijayan <vneethv(a)linux.ibm.com> s390/scm: fix virtual vs physical address confusion Esther Shimanovich <eshimanovich(a)chromium.org> Input: i8042 - add nomux quirk for Acer P459-G2-M Hans de Goede <hdegoede(a)redhat.com> Input: atkbd - skip ATKBD_CMD_GETID in translated mode Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning Steven Rostedt (Google) <rostedt(a)goodmis.org> ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Add size check when printing trace_marker output Steven Rostedt (Google) <rostedt(a)goodmis.org> tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing Judy Hsiao <judyhsiao(a)chromium.org> neighbour: Don't let neigh_forced_gc() disable preemption for long Ziqi Zhao <astrajoan(a)yahoo.com> drm/crtc: Fix uninit-value bug in drm_mode_setcrtc Zhang Yi <yi.zhang(a)huawei.com> jbd2: correct the printing of write_flags in jbd2_write_superblock() Weihao Li <cn.liweihao(a)gmail.com> clk: rockchip: rk3128: Fix HCLK_OTG gate register Inki Dae <inki.dae(a)samsung.com> drm/exynos: fix a wrong error checking Xiang Yang <xiangyang3(a)huawei.com> drm/exynos: fix a potential error pointer dereference Keith Busch <kbusch(a)kernel.org> nvme: introduce helper function to get ctrl state David Rau <David.Rau.opensource(a)dm.renesas.com> ASoC: da7219: Support low DC impedance headset Thinh Tran <thinhtr(a)linux.vnet.ibm.com> net/tg3: fix race condition in tg3_reset_task() Dave Airlie <airlied(a)redhat.com> nouveau/tu102: flush all pdbs on vmm flush Shuming Fan <shumingf(a)realtek.com> ASoC: rt5650: add mutex to avoid the jack detection failure Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: cs43130: Fix incorrect frame delay configuration Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: cs43130: Fix the position of const qualifier Kamil Duljas <kamil.duljas(a)gmail.com> ASoC: Intel: Skylake: mem leak in skl register function David Lin <CTLIN0(a)nuvoton.com> ASoC: nau8822: Fix incorrect type in assignment and cast to restricted __be16 Kamil Duljas <kamil.duljas(a)gmail.com> ASoC: Intel: Skylake: Fix mem leak in few functions Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro Charles Keepax <ckeepax(a)opensource.cirrus.com> pinctrl: lochnagar: Don't build on MIPS Eric Biggers <ebiggers(a)google.com> f2fs: explicitly null-terminate the xattr list ------------- Diffstat: Makefile | 4 +- arch/arc/kernel/signal.c | 6 +- arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +- arch/arm/mach-davinci/Kconfig | 1 + arch/arm/mach-sunxi/mc_smp.c | 4 +- arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 2 +- arch/mips/alchemy/devboards/db1200.c | 2 +- arch/mips/alchemy/devboards/db1550.c | 2 +- arch/mips/kernel/setup.c | 4 +- arch/powerpc/lib/Makefile | 2 +- arch/powerpc/perf/imc-pmu.c | 6 + arch/powerpc/platforms/44x/Kconfig | 1 + arch/powerpc/platforms/powernv/opal-irqchip.c | 2 + arch/powerpc/platforms/powernv/opal-powercap.c | 6 + arch/powerpc/platforms/powernv/opal-xscom.c | 5 + arch/powerpc/platforms/pseries/hotplug-memory.c | 21 ++-- arch/s390/include/asm/pci_io.h | 32 +++--- arch/s390/pci/pci_mmio.c | 12 +- arch/x86/kernel/kvmclock.c | 12 +- arch/x86/lib/misc.c | 2 +- crypto/af_alg.c | 14 ++- crypto/scompress.c | 6 + drivers/acpi/acpi_lpit.c | 2 +- drivers/acpi/acpi_video.c | 12 +- drivers/acpi/property.c | 4 + drivers/acpi/resource.c | 7 ++ drivers/android/binder.c | 4 +- drivers/android/binder_alloc.c | 84 +++++++++++--- drivers/android/binder_alloc.h | 5 +- drivers/android/binder_alloc_selftest.c | 2 +- drivers/base/swnode.c | 3 + drivers/bluetooth/btmtkuart.c | 11 +- drivers/clk/clk-si5341.c | 4 +- drivers/clk/rockchip/clk-rk3128.c | 2 +- drivers/clk/zynqmp/clk-mux-zynqmp.c | 2 +- drivers/crypto/ccp/ccp-ops.c | 5 +- drivers/crypto/sahara.c | 127 ++++++++------------- drivers/crypto/virtio/Kconfig | 1 - drivers/crypto/virtio/virtio_crypto_common.h | 2 + drivers/crypto/virtio/virtio_crypto_core.c | 26 +++-- drivers/edac/thunderx_edac.c | 10 +- drivers/firmware/ti_sci.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 4 +- drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 4 +- drivers/gpu/drm/amd/amdgpu/si_dpm.c | 5 +- drivers/gpu/drm/bridge/tc358767.c | 2 +- drivers/gpu/drm/drm_crtc.c | 8 +- drivers/gpu/drm/drm_drv.c | 10 +- drivers/gpu/drm/exynos/exynos_drm_dma.c | 8 +- drivers/gpu/drm/exynos/exynos_hdmi.c | 2 + drivers/gpu/drm/msm/disp/mdp4/mdp4_crtc.c | 9 ++ drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmtu102.c | 2 +- drivers/gpu/drm/radeon/r100.c | 4 +- drivers/gpu/drm/radeon/r600_cs.c | 4 +- drivers/gpu/drm/radeon/radeon_display.c | 7 +- drivers/gpu/drm/radeon/radeon_vm.c | 8 +- drivers/gpu/drm/radeon/si.c | 4 + drivers/gpu/drm/radeon/sumo_dpm.c | 4 +- drivers/gpu/drm/radeon/trinity_dpm.c | 4 +- drivers/hid/wacom_wac.c | 32 +----- drivers/hwtracing/coresight/coresight-etm4x.h | 2 +- drivers/i2c/busses/i2c-s3c2410.c | 40 ++++--- drivers/infiniband/hw/mthca/mthca_cmd.c | 4 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/input/joystick/xpad.c | 1 + drivers/input/keyboard/atkbd.c | 50 +++++++- drivers/input/serio/i8042-x86ia64io.h | 8 ++ drivers/media/dvb-core/dvbdev.c | 2 + drivers/media/usb/cx231xx/cx231xx-core.c | 2 + drivers/media/usb/pvrusb2/pvrusb2-context.c | 3 +- drivers/mmc/host/Kconfig | 5 +- drivers/mtd/mtd_blkdevs.c | 4 +- drivers/mtd/nand/raw/fsl_ifc_nand.c | 2 +- drivers/net/dsa/vitesse-vsc73xx-core.c | 2 + drivers/net/ethernet/broadcom/tg3.c | 11 +- .../net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c | 8 +- drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 +- drivers/net/ethernet/renesas/ravb_main.c | 2 +- drivers/net/phy/micrel.c | 1 + drivers/net/wireless/marvell/libertas/Kconfig | 2 - drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 + drivers/net/wireless/marvell/mwifiex/fw.h | 1 + drivers/net/wireless/marvell/mwifiex/ioctl.h | 1 + drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 8 ++ drivers/net/wireless/realtek/rtlwifi/pci.c | 79 +++---------- drivers/net/wireless/realtek/rtlwifi/pci.h | 5 - .../net/wireless/realtek/rtlwifi/rtl8188ee/phy.c | 20 +--- .../wireless/realtek/rtlwifi/rtl8192c/phy_common.c | 16 +-- .../wireless/realtek/rtlwifi/rtl8192c/phy_common.h | 1 - .../net/wireless/realtek/rtlwifi/rtl8192ce/phy.c | 6 +- .../net/wireless/realtek/rtlwifi/rtl8192ce/phy.h | 1 - .../net/wireless/realtek/rtlwifi/rtl8192cu/phy.c | 6 +- .../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 66 ++++------- .../net/wireless/realtek/rtlwifi/rtl8192ee/phy.c | 20 +--- .../net/wireless/realtek/rtlwifi/rtl8192se/phy.c | 20 +--- .../realtek/rtlwifi/rtl8723com/phy_common.c | 8 +- .../net/wireless/realtek/rtlwifi/rtl8821ae/phy.c | 19 ++- drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 ++ drivers/net/wireless/realtek/rtw88/mac80211.c | 4 +- drivers/net/xen-netback/netback.c | 44 ++++++- drivers/nvme/host/nvme.h | 5 + drivers/nvme/target/tcp.c | 20 +++- drivers/of/base.c | 1 + drivers/of/unittest-data/tests-phandle.dtsi | 10 +- drivers/of/unittest.c | 74 +++++++----- drivers/parport/parport_serial.c | 64 +++++++++++ drivers/pci/controller/dwc/pci-keystone.c | 9 ++ drivers/pinctrl/cirrus/Kconfig | 3 +- drivers/reset/hisilicon/hi6220_reset.c | 2 +- drivers/s390/block/scm_blk.c | 7 +- drivers/scsi/fnic/fnic_debugfs.c | 3 +- drivers/scsi/hisi_sas/hisi_sas_main.c | 4 +- drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 2 +- drivers/spi/spi-sh-msiof.c | 17 +++ drivers/tty/serial/8250/8250_omap.c | 2 +- drivers/tty/serial/imx.c | 2 +- drivers/uio/uio.c | 7 +- drivers/usb/chipidea/core.c | 7 ++ drivers/usb/dwc3/core.c | 39 +------ drivers/usb/dwc3/ep0.c | 5 +- drivers/usb/mon/mon_bin.c | 7 +- drivers/usb/phy/phy-mxs-usb.c | 3 +- drivers/usb/typec/class.c | 4 +- drivers/video/fbdev/core/fb_defio.c | 6 +- drivers/watchdog/bcm2835_wdt.c | 3 +- drivers/watchdog/hpwdt.c | 2 +- drivers/watchdog/watchdog_dev.c | 3 +- fs/f2fs/namei.c | 2 +- fs/f2fs/xattr.c | 6 + fs/gfs2/rgrp.c | 2 +- fs/jbd2/journal.c | 4 +- fs/nfs/blocklayout/blocklayout.c | 2 + fs/nfs/nfs4proc.c | 3 + fs/pstore/ram_core.c | 2 +- include/crypto/if_alg.h | 3 + include/drm/drm_bridge.h | 2 +- include/net/bluetooth/hci_core.h | 1 - include/uapi/linux/virtio_crypto.h | 1 + init/do_mounts.c | 9 +- kernel/bpf/lpm_trie.c | 3 + kernel/debug/kdb/kdb_main.c | 14 ++- kernel/dma/coherent.c | 4 +- kernel/time/tick-sched.c | 5 + kernel/trace/ring_buffer.c | 6 + kernel/trace/trace.c | 6 +- kernel/trace/trace_output.c | 6 +- lib/idr.c | 2 +- lib/test_ida.c | 40 +++++++ net/bluetooth/hci_conn.c | 8 +- net/bluetooth/hci_event.c | 11 +- net/core/neighbour.c | 9 +- net/ipv6/ip6_tunnel.c | 26 ++--- net/ncsi/internal.h | 9 +- net/ncsi/ncsi-netlink.c | 4 +- net/ncsi/ncsi-pkt.h | 7 +- net/ncsi/ncsi-rsp.c | 26 ++++- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_tables_api.c | 3 +- net/netlabel/netlabel_calipso.c | 52 +++++---- net/netlabel/netlabel_cipso_v4.c | 4 +- net/netlabel/netlabel_mgmt.c | 8 +- net/netlabel/netlabel_unlabeled.c | 10 +- net/netlabel/netlabel_user.h | 4 +- net/vmw_vsock/virtio_transport_common.c | 13 ++- security/apparmor/policy_unpack.c | 4 + security/selinux/hooks.c | 7 ++ sound/pci/hda/patch_realtek.c | 10 ++ sound/pci/oxygen/oxygen_mixer.c | 2 +- sound/soc/atmel/sam9g20_wm8731.c | 61 ++++++++++ sound/soc/codecs/cs35l33.c | 4 +- sound/soc/codecs/cs35l34.c | 4 +- sound/soc/codecs/cs43130.c | 6 +- sound/soc/codecs/da7219-aad.c | 2 +- sound/soc/codecs/nau8822.c | 9 +- sound/soc/codecs/rt5645.c | 10 +- sound/soc/intel/skylake/skl-pcm.c | 9 +- sound/soc/intel/skylake/skl-sst-ipc.c | 4 +- tools/perf/builtin-record.c | 23 +++- tools/perf/builtin-top.c | 22 +++- tools/perf/util/bpf-event.c | 11 +- tools/perf/util/bpf-event.h | 19 ++- tools/perf/util/env.c | 90 ++++++++++++--- tools/perf/util/env.h | 10 ++ tools/perf/util/evlist.c | 21 +--- tools/perf/util/evlist.h | 2 +- tools/perf/util/genelf.c | 6 +- tools/perf/util/header.c | 8 +- tools/perf/util/top.h | 2 +- .../drivers/net/mlxsw/spectrum-2/tc_flower.sh | 52 ++++++++- .../selftests/net/fib_nexthop_multiprefix.sh | 4 +- tools/testing/selftests/powerpc/math/fpu_preempt.c | 9 +- tools/testing/selftests/powerpc/math/vmx_preempt.c | 10 +- 193 files changed, 1335 insertions(+), 801 deletions(-)

1 year, 2 months

7
202
0 0

[PATCH v3] usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend

by Uttkarsh Aggarwal

In current scenario if Plug-out and Plug-In performed continuously there could be a chance while checking for dwc->gadget_driver in dwc3_gadget_suspend, a NULL pointer dereference may occur. Call Stack: CPU1: CPU2: gadget_unbind_driver dwc3_suspend_common dwc3_gadget_stop dwc3_gadget_suspend dwc3_disconnect_gadget CPU1 basically clears the variable and CPU2 checks the variable. Consider CPU1 is running and right before gadget_driver is cleared and in parallel CPU2 executes dwc3_gadget_suspend where it finds dwc->gadget_driver which is not NULL and resumes execution and then CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where it checks dwc->gadget_driver is already NULL because of which the NULL pointer deference occur. Cc: <stable(a)vger.kernel.org> Fixes: 9772b47a4c29 ("usb: dwc3: gadget: Fix suspend/resume during device mode") Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Uttkarsh Aggarwal <quic_uaggarwa(a)quicinc.com> --- changes in v3: Corrected fixes tag and typo mistake in commit message dw3_gadget_stop -> dwc3_gadget_stop. Link to v2: https://lore.kernel.org/linux-usb/CAKzKK0r8RUqgXy1o5dndU21KuTKtyZ5rn5Fb9sZq… Changes in v2: Added cc and fixes tag missing in v1. Link to v1: https://lore.kernel.org/linux-usb/20240110095532.4776-1-quic_uaggarwa@quici… drivers/usb/dwc3/gadget.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 019368f8e9c4..564976b3e2b9 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -4709,15 +4709,13 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) unsigned long flags; int ret; - if (!dwc->gadget_driver) - return 0; - ret = dwc3_gadget_soft_disconnect(dwc); if (ret) goto err; spin_lock_irqsave(&dwc->lock, flags); - dwc3_disconnect_gadget(dwc); + if (dwc->gadget_driver) + dwc3_disconnect_gadget(dwc); spin_unlock_irqrestore(&dwc->lock, flags); return 0; -- 2.17.1

1 year, 3 months

3
4
0 0

[PATCH 5.10.y] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)

by kovalev＠altlinux.org

From: Peter Zijlstra <peterz(a)infradead.org> [ Upstream commit c86df29d11dfba27c0a1f5039cd6fe387fbf4239 ] The dispatcher function is currently abusing the ftrace __fentry__ call location for its own purposes -- this obviously gives trouble when the dispatcher and ftrace are both in use. A previous solution tried using __attribute__((patchable_function_entry())) which works, except it is GCC-8+ only, breaking the build on the earlier still supported compilers. Instead use static_call() -- which has its own annotations and does not conflict with ftrace -- to rewrite the dispatch function. By using: return static_call()(ctx, insni, bpf_func) you get a perfect forwarding tail call as function body (iow a single jmp instruction). By having the default static_call() target be bpf_dispatcher_nop_func() it retains the default behaviour (an indirect call to the argument function). Only once a dispatcher program is attached is the target rewritten to directly call the JIT'ed image. Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Tested-by: Björn Töpel <bjorn(a)kernel.org> Tested-by: Jiri Olsa <jolsa(a)kernel.org> Acked-by: Björn Töpel <bjorn(a)kernel.org> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lkml.kernel.org/r/Y1/oBlK0yFk5c/Im@hirez.programming.kicks-ass.net Link: https://lore.kernel.org/bpf/20221103120647.796772565@infradead.org Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- include/linux/bpf.h | 39 ++++++++++++++++++++++++++++++++++++++- kernel/bpf/dispatcher.c | 22 ++++++++-------------- 2 files changed, 46 insertions(+), 15 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 8f4379e93ad49b..2c8c7515609a07 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -21,6 +21,7 @@ #include <linux/kallsyms.h> #include <linux/capability.h> #include <linux/percpu-refcount.h> +#include <linux/static_call.h> struct bpf_verifier_env; struct bpf_verifier_log; @@ -650,6 +651,10 @@ struct bpf_dispatcher { void *image; u32 image_off; struct bpf_ksym ksym; +#ifdef CONFIG_HAVE_STATIC_CALL + struct static_call_key *sc_key; + void *sc_tramp; +#endif }; static __always_inline unsigned int bpf_dispatcher_nop_func( @@ -667,6 +672,34 @@ struct bpf_trampoline *bpf_trampoline_get(u64 key, struct bpf_attach_target_info *tgt_info); void bpf_trampoline_put(struct bpf_trampoline *tr); int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); + +/* + * When the architecture supports STATIC_CALL replace the bpf_dispatcher_fn + * indirection with a direct call to the bpf program. If the architecture does + * not have STATIC_CALL, avoid a double-indirection. + */ +#ifdef CONFIG_HAVE_STATIC_CALL + +#define __BPF_DISPATCHER_SC_INIT(_name) \ + .sc_key = &STATIC_CALL_KEY(_name), \ + .sc_tramp = STATIC_CALL_TRAMP_ADDR(_name), + +#define __BPF_DISPATCHER_SC(name) \ + DEFINE_STATIC_CALL(bpf_dispatcher_##name##_call, bpf_dispatcher_nop_func) + +#define __BPF_DISPATCHER_CALL(name) \ + static_call(bpf_dispatcher_##name##_call)(ctx, insnsi, bpf_func) + +#define __BPF_DISPATCHER_UPDATE(_d, _new) \ + __static_call_update((_d)->sc_key, (_d)->sc_tramp, (_new)) + +#else +#define __BPF_DISPATCHER_SC_INIT(name) +#define __BPF_DISPATCHER_SC(name) +#define __BPF_DISPATCHER_CALL(name) bpf_func(ctx, insnsi) +#define __BPF_DISPATCHER_UPDATE(_d, _new) +#endif + #define BPF_DISPATCHER_INIT(_name) { \ .mutex = __MUTEX_INITIALIZER(_name.mutex), \ .func = &_name##_func, \ @@ -678,20 +711,23 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); .name = #_name, \ .lnode = LIST_HEAD_INIT(_name.ksym.lnode), \ }, \ + __BPF_DISPATCHER_SC_INIT(_name##_call) \ } #define DEFINE_BPF_DISPATCHER(name) \ + __BPF_DISPATCHER_SC(name); \ noinline unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ const struct bpf_insn *insnsi, \ unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)) \ { \ - return bpf_func(ctx, insnsi); \ + return __BPF_DISPATCHER_CALL(name); \ } \ EXPORT_SYMBOL(bpf_dispatcher_##name##_func); \ struct bpf_dispatcher bpf_dispatcher_##name = \ BPF_DISPATCHER_INIT(bpf_dispatcher_##name); + #define DECLARE_BPF_DISPATCHER(name) \ unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ @@ -699,6 +735,7 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)); \ extern struct bpf_dispatcher bpf_dispatcher_##name; + #define BPF_DISPATCHER_FUNC(name) bpf_dispatcher_##name##_func #define BPF_DISPATCHER_PTR(name) (&bpf_dispatcher_##name) void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c index 2444bd15cc2d03..4c6c2e3ac56459 100644 --- a/kernel/bpf/dispatcher.c +++ b/kernel/bpf/dispatcher.c @@ -4,6 +4,7 @@ #include <linux/hash.h> #include <linux/bpf.h> #include <linux/filter.h> +#include <linux/static_call.h> /* The BPF dispatcher is a multiway branch code generator. The * dispatcher is a mechanism to avoid the performance penalty of an @@ -104,17 +105,11 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image) static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) { - void *old, *new; - u32 noff; - int err; - - if (!prev_num_progs) { - old = NULL; - noff = 0; - } else { - old = d->image + d->image_off; + void *new; + u32 noff = 0; + + if (prev_num_progs) noff = d->image_off ^ (PAGE_SIZE / 2); - } new = d->num_progs ? d->image + noff : NULL; if (new) { @@ -122,11 +117,10 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) return; } - err = bpf_arch_text_poke(d->func, BPF_MOD_JUMP, old, new); - if (err || !new) - return; + __BPF_DISPATCHER_UPDATE(d, new ?: &bpf_dispatcher_nop_func); - d->image_off = noff; + if (new) + d->image_off = noff; } void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, -- 2.33.8

1 year, 3 months

1
1
0 0

[PATCH 5.15.y] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)

by kovalev＠altlinux.org

From: Peter Zijlstra <peterz(a)infradead.org> [ Upstream commit c86df29d11dfba27c0a1f5039cd6fe387fbf4239 ] The dispatcher function is currently abusing the ftrace __fentry__ call location for its own purposes -- this obviously gives trouble when the dispatcher and ftrace are both in use. A previous solution tried using __attribute__((patchable_function_entry())) which works, except it is GCC-8+ only, breaking the build on the earlier still supported compilers. Instead use static_call() -- which has its own annotations and does not conflict with ftrace -- to rewrite the dispatch function. By using: return static_call()(ctx, insni, bpf_func) you get a perfect forwarding tail call as function body (iow a single jmp instruction). By having the default static_call() target be bpf_dispatcher_nop_func() it retains the default behaviour (an indirect call to the argument function). Only once a dispatcher program is attached is the target rewritten to directly call the JIT'ed image. Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Tested-by: Björn Töpel <bjorn(a)kernel.org> Tested-by: Jiri Olsa <jolsa(a)kernel.org> Acked-by: Björn Töpel <bjorn(a)kernel.org> Acked-by: Jiri Olsa <jolsa(a)kernel.org> Link: https://lkml.kernel.org/r/Y1/oBlK0yFk5c/Im@hirez.programming.kicks-ass.net Link: https://lore.kernel.org/bpf/20221103120647.796772565@infradead.org Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- include/linux/bpf.h | 39 ++++++++++++++++++++++++++++++++++++++- kernel/bpf/dispatcher.c | 22 ++++++++-------------- 2 files changed, 46 insertions(+), 15 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 00c615fc8ec3c3..633b8842e617e8 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -23,6 +23,7 @@ #include <linux/slab.h> #include <linux/percpu-refcount.h> #include <linux/bpfptr.h> +#include <linux/static_call.h> struct bpf_verifier_env; struct bpf_verifier_log; @@ -765,6 +766,10 @@ struct bpf_dispatcher { void *image; u32 image_off; struct bpf_ksym ksym; +#ifdef CONFIG_HAVE_STATIC_CALL + struct static_call_key *sc_key; + void *sc_tramp; +#endif }; static __always_inline __nocfi unsigned int bpf_dispatcher_nop_func( @@ -782,6 +787,34 @@ struct bpf_trampoline *bpf_trampoline_get(u64 key, struct bpf_attach_target_info *tgt_info); void bpf_trampoline_put(struct bpf_trampoline *tr); int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); + +/* + * When the architecture supports STATIC_CALL replace the bpf_dispatcher_fn + * indirection with a direct call to the bpf program. If the architecture does + * not have STATIC_CALL, avoid a double-indirection. + */ +#ifdef CONFIG_HAVE_STATIC_CALL + +#define __BPF_DISPATCHER_SC_INIT(_name) \ + .sc_key = &STATIC_CALL_KEY(_name), \ + .sc_tramp = STATIC_CALL_TRAMP_ADDR(_name), + +#define __BPF_DISPATCHER_SC(name) \ + DEFINE_STATIC_CALL(bpf_dispatcher_##name##_call, bpf_dispatcher_nop_func) + +#define __BPF_DISPATCHER_CALL(name) \ + static_call(bpf_dispatcher_##name##_call)(ctx, insnsi, bpf_func) + +#define __BPF_DISPATCHER_UPDATE(_d, _new) \ + __static_call_update((_d)->sc_key, (_d)->sc_tramp, (_new)) + +#else +#define __BPF_DISPATCHER_SC_INIT(name) +#define __BPF_DISPATCHER_SC(name) +#define __BPF_DISPATCHER_CALL(name) bpf_func(ctx, insnsi) +#define __BPF_DISPATCHER_UPDATE(_d, _new) +#endif + #define BPF_DISPATCHER_INIT(_name) { \ .mutex = __MUTEX_INITIALIZER(_name.mutex), \ .func = &_name##_func, \ @@ -793,20 +826,23 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); .name = #_name, \ .lnode = LIST_HEAD_INIT(_name.ksym.lnode), \ }, \ + __BPF_DISPATCHER_SC_INIT(_name##_call) \ } #define DEFINE_BPF_DISPATCHER(name) \ + __BPF_DISPATCHER_SC(name); \ noinline __nocfi unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ const struct bpf_insn *insnsi, \ unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)) \ { \ - return bpf_func(ctx, insnsi); \ + return __BPF_DISPATCHER_CALL(name); \ } \ EXPORT_SYMBOL(bpf_dispatcher_##name##_func); \ struct bpf_dispatcher bpf_dispatcher_##name = \ BPF_DISPATCHER_INIT(bpf_dispatcher_##name); + #define DECLARE_BPF_DISPATCHER(name) \ unsigned int bpf_dispatcher_##name##_func( \ const void *ctx, \ @@ -814,6 +850,7 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); unsigned int (*bpf_func)(const void *, \ const struct bpf_insn *)); \ extern struct bpf_dispatcher bpf_dispatcher_##name; + #define BPF_DISPATCHER_FUNC(name) bpf_dispatcher_##name##_func #define BPF_DISPATCHER_PTR(name) (&bpf_dispatcher_##name) void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c index 2444bd15cc2d03..23042cfb5e809b 100644 --- a/kernel/bpf/dispatcher.c +++ b/kernel/bpf/dispatcher.c @@ -4,6 +4,7 @@ #include <linux/hash.h> #include <linux/bpf.h> #include <linux/filter.h> +#include <linux/static_call.h> /* The BPF dispatcher is a multiway branch code generator. The * dispatcher is a mechanism to avoid the performance penalty of an @@ -104,17 +105,11 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image) static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) { - void *old, *new; - u32 noff; - int err; - - if (!prev_num_progs) { - old = NULL; - noff = 0; - } else { - old = d->image + d->image_off; + void *new; + u32 noff = 0; + + if (prev_num_progs) noff = d->image_off ^ (PAGE_SIZE / 2); - } new = d->num_progs ? d->image + noff : NULL; if (new) { @@ -122,11 +117,10 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) return; } - err = bpf_arch_text_poke(d->func, BPF_MOD_JUMP, old, new); - if (err || !new) - return; + __BPF_DISPATCHER_UPDATE(d, new ?: &bpf_dispatcher_nop_func); - d->image_off = noff; + if (new) + d->image_off = noff; } void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, -- 2.33.8

1 year, 3 months

1
1
0 0

[PATCH] media: mxl5xx: Move xpt structures off stack

by Nathan Chancellor

When building for LoongArch with clang 18.0.0, the stack usage of probe() is larger than the allowed 2048 bytes: drivers/media/dvb-frontends/mxl5xx.c:1698:12: warning: stack frame size (2368) exceeds limit (2048) in 'probe' [-Wframe-larger-than] 1698 | static int probe(struct mxl *state, struct mxl5xx_cfg *cfg) | ^ 1 warning generated. This is the result of the linked LLVM commit, which changes how the arrays of structures in config_ts() get handled with CONFIG_INIT_STACK_ZERO and CONFIG_INIT_STACK_PATTERN, which causes the above warning in combination with inlining, as config_ts() gets inlined into probe(). This warning can be easily fixed by moving the array of structures off of the stackvia 'static const', which is a better location for these variables anyways because they are static data that is only ever read from, never modified, so allocating the stack space is wasteful. This drops the stack usage from 2368 bytes to 256 bytes with the same compiler and configuration. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/1977 Link: https://github.com/llvm/llvm-project/commit/afe8b93ffdfef5d8879e1894b9d7dda… Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/media/dvb-frontends/mxl5xx.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/media/dvb-frontends/mxl5xx.c b/drivers/media/dvb-frontends/mxl5xx.c index 4ebbcf05cc09..91e9c378397c 100644 --- a/drivers/media/dvb-frontends/mxl5xx.c +++ b/drivers/media/dvb-frontends/mxl5xx.c @@ -1381,57 +1381,57 @@ static int config_ts(struct mxl *state, enum MXL_HYDRA_DEMOD_ID_E demod_id, u32 nco_count_min = 0; u32 clk_type = 0; - struct MXL_REG_FIELD_T xpt_sync_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_sync_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 8, 1}, {0x90700010, 9, 1}, {0x90700010, 10, 1}, {0x90700010, 11, 1}, {0x90700010, 12, 1}, {0x90700010, 13, 1}, {0x90700010, 14, 1}, {0x90700010, 15, 1} }; - struct MXL_REG_FIELD_T xpt_clock_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_clock_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 16, 1}, {0x90700010, 17, 1}, {0x90700010, 18, 1}, {0x90700010, 19, 1}, {0x90700010, 20, 1}, {0x90700010, 21, 1}, {0x90700010, 22, 1}, {0x90700010, 23, 1} }; - struct MXL_REG_FIELD_T xpt_valid_polarity[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_valid_polarity[MXL_HYDRA_DEMOD_MAX] = { {0x90700014, 0, 1}, {0x90700014, 1, 1}, {0x90700014, 2, 1}, {0x90700014, 3, 1}, {0x90700014, 4, 1}, {0x90700014, 5, 1}, {0x90700014, 6, 1}, {0x90700014, 7, 1} }; - struct MXL_REG_FIELD_T xpt_ts_clock_phase[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_ts_clock_phase[MXL_HYDRA_DEMOD_MAX] = { {0x90700018, 0, 3}, {0x90700018, 4, 3}, {0x90700018, 8, 3}, {0x90700018, 12, 3}, {0x90700018, 16, 3}, {0x90700018, 20, 3}, {0x90700018, 24, 3}, {0x90700018, 28, 3} }; - struct MXL_REG_FIELD_T xpt_lsb_first[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_lsb_first[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 16, 1}, {0x9070000C, 17, 1}, {0x9070000C, 18, 1}, {0x9070000C, 19, 1}, {0x9070000C, 20, 1}, {0x9070000C, 21, 1}, {0x9070000C, 22, 1}, {0x9070000C, 23, 1} }; - struct MXL_REG_FIELD_T xpt_sync_byte[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_sync_byte[MXL_HYDRA_DEMOD_MAX] = { {0x90700010, 0, 1}, {0x90700010, 1, 1}, {0x90700010, 2, 1}, {0x90700010, 3, 1}, {0x90700010, 4, 1}, {0x90700010, 5, 1}, {0x90700010, 6, 1}, {0x90700010, 7, 1} }; - struct MXL_REG_FIELD_T xpt_enable_output[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_enable_output[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 0, 1}, {0x9070000C, 1, 1}, {0x9070000C, 2, 1}, {0x9070000C, 3, 1}, {0x9070000C, 4, 1}, {0x9070000C, 5, 1}, {0x9070000C, 6, 1}, {0x9070000C, 7, 1} }; - struct MXL_REG_FIELD_T xpt_err_replace_sync[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_err_replace_sync[MXL_HYDRA_DEMOD_MAX] = { {0x9070000C, 24, 1}, {0x9070000C, 25, 1}, {0x9070000C, 26, 1}, {0x9070000C, 27, 1}, {0x9070000C, 28, 1}, {0x9070000C, 29, 1}, {0x9070000C, 30, 1}, {0x9070000C, 31, 1} }; - struct MXL_REG_FIELD_T xpt_err_replace_valid[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_err_replace_valid[MXL_HYDRA_DEMOD_MAX] = { {0x90700014, 8, 1}, {0x90700014, 9, 1}, {0x90700014, 10, 1}, {0x90700014, 11, 1}, {0x90700014, 12, 1}, {0x90700014, 13, 1}, {0x90700014, 14, 1}, {0x90700014, 15, 1} }; - struct MXL_REG_FIELD_T xpt_continuous_clock[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_continuous_clock[MXL_HYDRA_DEMOD_MAX] = { {0x907001D4, 0, 1}, {0x907001D4, 1, 1}, {0x907001D4, 2, 1}, {0x907001D4, 3, 1}, {0x907001D4, 4, 1}, {0x907001D4, 5, 1}, {0x907001D4, 6, 1}, {0x907001D4, 7, 1} }; - struct MXL_REG_FIELD_T xpt_nco_clock_rate[MXL_HYDRA_DEMOD_MAX] = { + static const struct MXL_REG_FIELD_T xpt_nco_clock_rate[MXL_HYDRA_DEMOD_MAX] = { {0x90700044, 16, 80}, {0x90700044, 16, 81}, {0x90700044, 16, 82}, {0x90700044, 16, 83}, {0x90700044, 16, 84}, {0x90700044, 16, 85}, --- base-commit: 02d4e62ae2452c83e4a3e279b8e4cb4dcbad4b31 change-id: 20240111-dvb-mxl5xx-move-structs-off-stack-e12172b1ef02 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

1 year, 3 months

3
3
0 0

[PATCH] Bluetooth: qca: fix device-address endianness

by Johan Hovold

The WCN6855 firmware on the Lenovo ThinkPad X13s expects the Bluetooth device address in MSB order when setting it using the EDL_WRITE_BD_ADDR_OPCODE command. Presumably, this is the case for all non-ROME devices which all use the EDL_WRITE_BD_ADDR_OPCODE command for this (unlike the ROME devices which use a different command and expect the address in LSB order). Reverse the little-endian address before setting it to make sure that the address can be configured using tools like btmgmt or using the 'local-bd-address' devicetree property. Note that this can potentially break systems with boot firmware which has started relying on the broken behaviour and is incorrectly passing the address via devicetree in MSB order. Fixes: 5c0a1001c8be ("Bluetooth: hci_qca: Add helper to set device address") Cc: stable(a)vger.kernel.org # 5.1 Cc: Balakrishna Godavarthi <quic_bgodavar(a)quicinc.com> Cc: Matthias Kaehlcke <mka(a)chromium.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- Hi Qualcomm people, Could you please verify with your documentation that all non-ROME devices expect the address provided in the EDL_WRITE_BD_ADDR_OPCODE command in MSB order? I assume this is not something that anyone would change between firmware revisions, but if that turns out to be the case, we'd need to reverse the address based on firmware revision or similar. Johan drivers/bluetooth/btqca.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index fdb0fae88d1c..29035daf21bc 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -826,11 +826,15 @@ EXPORT_SYMBOL_GPL(qca_uart_setup); int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) { + bdaddr_t bdaddr_swapped; struct sk_buff *skb; int err; - skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, bdaddr, - HCI_EV_VENDOR, HCI_INIT_TIMEOUT); + baswap(&bdaddr_swapped, bdaddr); + + skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, + &bdaddr_swapped, HCI_EV_VENDOR, + HCI_INIT_TIMEOUT); if (IS_ERR(skb)) { err = PTR_ERR(skb); bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err); -- 2.41.0

1 year, 3 months

6
15
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2024