This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.148-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 5.10.148-rc1
Shunsuke Mie mie@igel.co.jp misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic
Shunsuke Mie mie@igel.co.jp misc: pci_endpoint_test: Aggregate params checking for xfer
Cameron Gutman aicommander@gmail.com Input: xpad - fix wireless 360 controller breaking after suspend
Pavel Rojtberg rojtberg@gmail.com Input: xpad - add supported devices as contributed on github
Johannes Berg johannes.berg@intel.com wifi: cfg80211: update hidden BSSes to avoid WARN_ON
Johannes Berg johannes.berg@intel.com wifi: mac80211: fix crash in beacon protection for P2P-device
Johannes Berg johannes.berg@intel.com wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
Johannes Berg johannes.berg@intel.com wifi: cfg80211: avoid nontransmitted BSS list corruption
Johannes Berg johannes.berg@intel.com wifi: cfg80211: fix BSS refcounting bugs
Johannes Berg johannes.berg@intel.com wifi: cfg80211: ensure length byte is present before access
Johannes Berg johannes.berg@intel.com wifi: cfg80211/mac80211: reject bad MBSSID elements
Johannes Berg johannes.berg@intel.com wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
Jason A. Donenfeld Jason@zx2c4.com random: use expired timer rather than wq for mixing fast pool
Jason A. Donenfeld Jason@zx2c4.com random: avoid reading two cache lines on irq randomness
Frank Wunderlich frank-w@public-files.de USB: serial: qcserial: add new usb-id for Dell branded EM7455
Linus Torvalds torvalds@linux-foundation.org scsi: stex: Properly zero out the passthrough command structure
Orlando Chamberlain redecorating@protonmail.com efi: Correct Macmini DMI match in uefi cert quirk
Takashi Iwai tiwai@suse.de ALSA: hda: Fix position reporting on Poulsbo
Jason A. Donenfeld Jason@zx2c4.com random: clamp credited irq bits to maximum mixed
Jason A. Donenfeld Jason@zx2c4.com random: restore O_NONBLOCK support
Sasha Levin sashal@kernel.org Revert "clk: ti: Stop using legacy clkctrl names for omap4 and 5"
Krzysztof Kozlowski krzysztof.kozlowski@linaro.org rpmsg: qcom: glink: replace strncpy() with strscpy_pad()
Johan Hovold johan@kernel.org USB: serial: ftdi_sio: fix 300 bps rate for SIO
Tadeusz Struk tadeusz.struk@linaro.org usb: mon: make mmapped memory read only
Brian Norris briannorris@chromium.org mmc: core: Terminate infinite loop in SD-UHS voltage switch
ChanWoo Lee cw9316.lee@samsung.com mmc: core: Replace with already defined values for readability
zhikzhai zhikai.zhai@amd.com drm/amd/display: skip audio setup when audio stream is enabled
Hugo Hu hugo.hu@amd.com drm/amd/display: update gamut remap if plane has changed
Jianglei Nie niejianglei2021@163.com net: atlantic: fix potential memory leak in aq_ndev_close()
David Gow davidgow@google.com arch: um: Mark the stack non-executable to fix a binutils warning
Lukas Straub lukasstraub2@web.de um: Cleanup compiler warning in arch/x86/um/tls_32.c
Lukas Straub lukasstraub2@web.de um: Cleanup syscall_handler_t cast in syscalls_32.h
Jaroslav Kysela perex@perex.cz ALSA: hda/hdmi: Fix the converter reuse for the silent stream
Haimin Zhang tcs.kernel@gmail.com net/ieee802154: fix uninit value bug in dgram_sendmsg
Letu Ren fantasquex@gmail.com scsi: qedf: Fix a UAF bug in __qedf_probe()
Sergei Antonov saproj@gmail.com ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer
Swati Agarwal swati.agarwal@xilinx.com dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure
Swati Agarwal swati.agarwal@xilinx.com dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property
Swati Agarwal swati.agarwal@xilinx.com dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling
Cristian Marussi cristian.marussi@arm.com firmware: arm_scmi: Add SCMI PM driver remove routine
Nick Desaulniers ndesaulniers@google.com compiler_attributes.h: move __compiletime_{error|warning}
Dongliang Mu mudongliangabcd@gmail.com fs: fix UAF/GPF bug in nilfs_mdt_destroy
Yang Shi shy828301@gmail.com powerpc/64s/radix: don't need to broadcast IPI for radix pmd collapse flush
Yang Shi shy828301@gmail.com mm: gup: fix the fast GUP race against THP collapse
Takashi Iwai tiwai@suse.de ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
Jalal Mostafa jalal.a.mostapha@gmail.com xsk: Inherit need_wakeup flag for shared sockets
Alexey Dobriyan adobriyan@gmail.com perf tools: Fixup get_current_dir_name() compilation
Shuah Khan skhan@linuxfoundation.org docs: update mediator information in CoC docs
Sami Tolvanen samitolvanen@google.com Makefile.extrawarn: Move -Wcast-function-type-strict to W=1
Hu Weiwen sehuww@mail.scut.edu.cn ceph: don't truncate file in atomic_open
Ryusuke Konishi konishi.ryusuke@gmail.com nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure
Ryusuke Konishi konishi.ryusuke@gmail.com nilfs2: fix leak of nilfs_root in case of writer thread creation failure
Ryusuke Konishi konishi.ryusuke@gmail.com nilfs2: fix use-after-free bug of struct nilfs_root
Ryusuke Konishi konishi.ryusuke@gmail.com nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()
-------------
Diffstat:
.../devicetree/bindings/dma/moxa,moxart-dma.txt | 4 +- .../process/code-of-conduct-interpretation.rst | 2 +- Makefile | 4 +- arch/arm/boot/dts/moxart-uc7112lx.dts | 2 +- arch/arm/boot/dts/moxart.dtsi | 4 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 9 - arch/um/Makefile | 8 + arch/x86/um/shared/sysdep/syscalls_32.h | 5 +- arch/x86/um/tls_32.c | 6 - arch/x86/um/vdso/Makefile | 2 +- drivers/char/mem.c | 4 +- drivers/char/random.c | 25 ++- drivers/clk/ti/clk-44xx.c | 210 ++++++++++----------- drivers/clk/ti/clk-54xx.c | 160 ++++++++-------- drivers/clk/ti/clkctrl.c | 4 + drivers/dma/xilinx/xilinx_dma.c | 21 ++- drivers/firmware/arm_scmi/scmi_pm_domain.c | 20 ++ .../amd/display/dc/dce110/dce110_hw_sequencer.c | 6 +- drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 1 + drivers/input/joystick/xpad.c | 20 +- drivers/misc/pci_endpoint_test.c | 34 +++- drivers/mmc/core/sd.c | 3 +- drivers/net/ethernet/aquantia/atlantic/aq_main.c | 3 - drivers/net/wireless/mac80211_hwsim.c | 2 + drivers/rpmsg/qcom_glink_native.c | 2 +- drivers/rpmsg/qcom_smd.c | 4 +- drivers/scsi/qedf/qedf_main.c | 5 - drivers/scsi/stex.c | 17 +- drivers/usb/mon/mon_bin.c | 5 + drivers/usb/serial/ftdi_sio.c | 3 +- drivers/usb/serial/qcserial.c | 1 + fs/ceph/file.c | 10 +- fs/inode.c | 7 +- fs/nilfs2/inode.c | 19 +- fs/nilfs2/segment.c | 21 ++- include/linux/compiler-gcc.h | 3 - include/linux/compiler_attributes.h | 24 +++ include/linux/compiler_types.h | 6 - include/net/ieee802154_netdev.h | 37 ++++ include/net/xsk_buff_pool.h | 2 +- include/scsi/scsi_cmnd.h | 2 +- mm/gup.c | 34 +++- mm/khugepaged.c | 10 +- net/ieee802154/socket.c | 42 +++-- net/mac80211/rx.c | 12 +- net/mac80211/util.c | 2 + net/wireless/scan.c | 77 +++++--- net/xdp/xsk.c | 4 +- net/xdp/xsk_buff_pool.c | 5 +- scripts/Makefile.extrawarn | 1 + security/integrity/platform_certs/load_uefi.c | 2 +- sound/core/oss/pcm_oss.c | 5 +- sound/pci/hda/hda_intel.c | 3 +- sound/pci/hda/patch_hdmi.c | 1 + tools/perf/util/get_current_dir_name.c | 3 +- 55 files changed, 570 insertions(+), 358 deletions(-)
From: Ryusuke Konishi konishi.ryusuke@gmail.com
commit 21a87d88c2253350e115029f14fe2a10a7e6c856 upstream.
If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level().
This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode.
Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi konishi.ryusuke@gmail.com Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com Reported-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Tested-by: Ryusuke Konishi konishi.ryusuke@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/nilfs2/inode.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -444,6 +444,8 @@ int nilfs_read_inode_common(struct inode inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec); inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); + if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode)) + return -EIO; /* this inode is for metadata and corrupted */ if (inode->i_nlink == 0) return -ESTALE; /* this inode is deleted */
From: Ryusuke Konishi konishi.ryusuke@gmail.com
commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.
If the beginning of the inode bitmap area is corrupted on disk, an inode with the same inode number as the root inode can be allocated and fail soon after. In this case, the subsequent call to nilfs_clear_inode() on that bogus root inode will wrongly decrement the reference counter of struct nilfs_root, and this will erroneously free struct nilfs_root, causing kernel oopses.
This fixes the problem by changing nilfs_new_inode() to skip reserved inode numbers while repairing the inode bitmap.
Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi konishi.ryusuke@gmail.com Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com Reported-by: Khalid Masum khalid.masum.92@gmail.com Tested-by: Ryusuke Konishi konishi.ryusuke@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/nilfs2/inode.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-)
--- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -332,6 +332,7 @@ struct inode *nilfs_new_inode(struct ino struct inode *inode; struct nilfs_inode_info *ii; struct nilfs_root *root; + struct buffer_head *bh; int err = -ENOMEM; ino_t ino;
@@ -347,11 +348,25 @@ struct inode *nilfs_new_inode(struct ino ii->i_state = BIT(NILFS_I_NEW); ii->i_root = root;
- err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); if (unlikely(err)) goto failed_ifile_create_inode; /* reference count of i_bh inherits from nilfs_mdt_read_block() */
+ if (unlikely(ino < NILFS_USER_INO)) { + nilfs_warn(sb, + "inode bitmap is inconsistent for reserved inodes"); + do { + brelse(bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + } while (ino < NILFS_USER_INO); + + nilfs_info(sb, "repaired inode bitmap for reserved inodes"); + } + ii->i_bh = bh; + atomic64_inc(&root->inodes_count); inode_init_owner(inode, dir, mode); inode->i_ino = ino;
From: Ryusuke Konishi konishi.ryusuke@gmail.com
commit d0d51a97063db4704a5ef6bc978dddab1636a306 upstream.
If nilfs_attach_log_writer() failed to create a log writer thread, it frees a data structure of the log writer without any cleanup. After commit e912a5b66837 ("nilfs2: use root object to get ifile"), this causes a leak of struct nilfs_root, which started to leak an ifile metadata inode and a kobject on that struct.
In addition, if the kernel is booted with panic_on_warn, the above ifile metadata inode leak will cause the following panic when the nilfs2 kernel module is removed:
kmem_cache_destroy nilfs2_inode_cache: Slab cache still has objects when called from nilfs_destroy_cachep+0x16/0x3a [nilfs2] WARNING: CPU: 8 PID: 1464 at mm/slab_common.c:494 kmem_cache_destroy+0x138/0x140 ... RIP: 0010:kmem_cache_destroy+0x138/0x140 Code: 00 20 00 00 e8 a9 55 d8 ff e9 76 ff ff ff 48 8b 53 60 48 c7 c6 20 70 65 86 48 c7 c7 d8 69 9c 86 48 8b 4c 24 28 e8 ef 71 c7 00 <0f> 0b e9 53 ff ff ff c3 48 81 ff ff 0f 00 00 77 03 31 c0 c3 53 48 ... Call Trace: <TASK> ? nilfs_palloc_freev.cold.24+0x58/0x58 [nilfs2] nilfs_destroy_cachep+0x16/0x3a [nilfs2] exit_nilfs_fs+0xa/0x1b [nilfs2] __x64_sys_delete_module+0x1d9/0x3a0 ? __sanitizer_cov_trace_pc+0x1a/0x50 ? syscall_trace_enter.isra.19+0x119/0x190 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd ... </TASK> Kernel panic - not syncing: panic_on_warn set ...
This patch fixes these issues by calling nilfs_detach_log_writer() cleanup function if spawning the log writer thread fails.
Link: https://lkml.kernel.org/r/20221007085226.57667-1-konishi.ryusuke@gmail.com Fixes: e912a5b66837 ("nilfs2: use root object to get ifile") Signed-off-by: Ryusuke Konishi konishi.ryusuke@gmail.com Reported-by: syzbot+7381dc4ad60658ca4c05@syzkaller.appspotmail.com Tested-by: Ryusuke Konishi konishi.ryusuke@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/nilfs2/segment.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
--- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2791,10 +2791,9 @@ int nilfs_attach_log_writer(struct super inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL);
err = nilfs_segctor_start_thread(nilfs->ns_writer); - if (err) { - kfree(nilfs->ns_writer); - nilfs->ns_writer = NULL; - } + if (unlikely(err)) + nilfs_detach_log_writer(sb); + return err; }
From: Ryusuke Konishi konishi.ryusuke@gmail.com
commit 723ac751208f6d6540191689cfbf6c77135a7a1b upstream.
If creation or finalization of a checkpoint fails due to anomalies in the checkpoint metadata on disk, a kernel warning is generated.
This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted with panic_on_warn, does not panic. A nilfs_error is appropriate here to handle the abnormal filesystem condition.
This also replaces the detected error codes with an I/O error so that neither of the internal error codes is returned to callers.
Link: https://lkml.kernel.org/r/20220929123330.19658-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi konishi.ryusuke@gmail.com Reported-by: syzbot+fbb3e0b24e8dae5a16ee@syzkaller.appspotmail.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/nilfs2/segment.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
--- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -880,9 +880,11 @@ static int nilfs_segctor_create_checkpoi nilfs_mdt_mark_dirty(nilfs->ns_cpfile); nilfs_cpfile_put_checkpoint( nilfs->ns_cpfile, nilfs->ns_cno, bh_cp); - } else - WARN_ON(err == -EINVAL || err == -ENOENT); - + } else if (err == -EINVAL || err == -ENOENT) { + nilfs_error(sci->sc_super, + "checkpoint creation failed due to metadata corruption."); + err = -EIO; + } return err; }
@@ -896,7 +898,11 @@ static int nilfs_segctor_fill_in_checkpo err = nilfs_cpfile_get_checkpoint(nilfs->ns_cpfile, nilfs->ns_cno, 0, &raw_cp, &bh_cp); if (unlikely(err)) { - WARN_ON(err == -EINVAL || err == -ENOENT); + if (err == -EINVAL || err == -ENOENT) { + nilfs_error(sci->sc_super, + "checkpoint finalization failed due to metadata corruption."); + err = -EIO; + } goto failed_ibh; } raw_cp->cp_snapshot_list.ssl_next = 0;
From: Hu Weiwen sehuww@mail.scut.edu.cn
commit 7cb9994754f8a36ae9e5ec4597c5c4c2d6c03832 upstream.
Clear O_TRUNC from the flags sent in the MDS create request.
`atomic_open' is called before permission check. We should not do any modification to the file here. The caller will do the truncation afterward.
Fixes: 124e68e74099 ("ceph: file operations") Signed-off-by: Hu Weiwen sehuww@mail.scut.edu.cn Reviewed-by: Xiubo Li xiubli@redhat.com Signed-off-by: Ilya Dryomov idryomov@gmail.com [Xiubo: fixed a trivial conflict for 5.10 backport] Signed-off-by: Xiubo Li xiubli@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/ceph/file.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/ceph/file.c +++ b/fs/ceph/file.c @@ -703,6 +703,12 @@ int ceph_atomic_open(struct inode *dir, if (dentry->d_name.len > NAME_MAX) return -ENAMETOOLONG;
+ /* + * Do not truncate the file, since atomic_open is called before the + * permission check. The caller will do the truncation afterward. + */ + flags &= ~O_TRUNC; + if (flags & O_CREAT) { if (ceph_quota_is_max_files_exceeded(dir)) return -EDQUOT; @@ -769,9 +775,7 @@ retry: }
set_bit(CEPH_MDS_R_PARENT_LOCKED, &req->r_req_flags); - err = ceph_mdsc_do_request(mdsc, - (flags & (O_CREAT|O_TRUNC)) ? dir : NULL, - req); + err = ceph_mdsc_do_request(mdsc, (flags & O_CREAT) ? dir : NULL, req); err = ceph_handle_snapdir(req, dentry, err); if (err) goto out_req;
From: Sami Tolvanen samitolvanen@google.com
commit 2120635108b35ecad9c59c8b44f6cbdf4f98214e upstream.
We enable -Wcast-function-type globally in the kernel to warn about mismatching types in function pointer casts. Compilers currently warn only about ABI incompability with this flag, but Clang 16 will enable a stricter version of the check by default that checks for an exact type match. This will be very noisy in the kernel, so disable -Wcast-function-type-strict without W=1 until the new warnings have been addressed.
Cc: stable@vger.kernel.org Link: https://reviews.llvm.org/D134831 Link: https://github.com/ClangBuiltLinux/linux/issues/1724 Suggested-by: Nathan Chancellor nathan@kernel.org Signed-off-by: Sami Tolvanen samitolvanen@google.com Signed-off-by: Kees Cook keescook@chromium.org Link: https://lore.kernel.org/r/20220930203310.4010564-1-samitolvanen@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- scripts/Makefile.extrawarn | 1 + 1 file changed, 1 insertion(+)
--- a/scripts/Makefile.extrawarn +++ b/scripts/Makefile.extrawarn @@ -52,6 +52,7 @@ KBUILD_CFLAGS += -Wno-format-zero-length KBUILD_CFLAGS += $(call cc-disable-warning, pointer-to-enum-cast) KBUILD_CFLAGS += -Wno-tautological-constant-out-of-range-compare KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access) +KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict) endif
endif
From: Shuah Khan skhan@linuxfoundation.org
commit 8bfdfa0d6b929ede7b6189e0e546ceb6a124d05d upstream.
Update mediator information in the CoC interpretation document.
Signed-off-by: Shuah Khan skhan@linuxfoundation.org Link: https://lore.kernel.org/r/20220901212319.56644-1-skhan@linuxfoundation.org Cc: stable@vger.kernel.org Signed-off-by: Jonathan Corbet corbet@lwn.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- Documentation/process/code-of-conduct-interpretation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/process/code-of-conduct-interpretation.rst +++ b/Documentation/process/code-of-conduct-interpretation.rst @@ -51,7 +51,7 @@ the Technical Advisory Board (TAB) or ot uncertain how to handle situations that come up. It will not be considered a violation report unless you want it to be. If you are uncertain about approaching the TAB or any other maintainers, please -reach out to our conflict mediator, Mishi Choudhary mishi@linux.com. +reach out to our conflict mediator, Joanna Lee joanna.lee@gesmer.com.
In the end, "be kind to each other" is really what the end goal is for everybody. We know everyone is human and we all fail at times, but the
From: Alexey Dobriyan adobriyan@gmail.com
commit 128dbd78bd673f9edbc4413072b23efb6657feb0 upstream.
strdup() prototype doesn't live in stdlib.h .
Add limits.h for PATH_MAX definition as well.
This fixes the build on Android.
Signed-off-by: Alexey Dobriyan (SK hynix) adobriyan@gmail.com Acked-by: Namhyung Kim namhyung@kernel.org Link: http://lore.kernel.org/lkml/YRukaQbrgDWhiwGr@localhost.localdomain Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Florian Fainelli f.fainelli@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- tools/perf/util/get_current_dir_name.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/tools/perf/util/get_current_dir_name.c +++ b/tools/perf/util/get_current_dir_name.c @@ -3,8 +3,9 @@ // #ifndef HAVE_GET_CURRENT_DIR_NAME #include "get_current_dir_name.h" +#include <limits.h> +#include <string.h> #include <unistd.h> -#include <stdlib.h>
/* Android's 'bionic' library, for one, doesn't have this */
From: Jalal Mostafa jalal.a.mostapha@gmail.com
commit 60240bc26114543fcbfcd8a28466e67e77b20388 upstream.
The flag for need_wakeup is not set for xsks with `XDP_SHARED_UMEM` flag and of different queue ids and/or devices. They should inherit the flag from the first socket buffer pool since no flags can be specified once `XDP_SHARED_UMEM` is specified.
Fixes: b5aea28dca134 ("xsk: Add shared umem support between queue ids") Signed-off-by: Jalal Mostafa jalal.a.mostapha@gmail.com Signed-off-by: Daniel Borkmann daniel@iogearbox.net Acked-by: Magnus Karlsson magnus.karlsson@intel.com Link: https://lore.kernel.org/bpf/20220921135701.10199-1-jalal.a.mostapha@gmail.co... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- include/net/xsk_buff_pool.h | 2 +- net/xdp/xsk.c | 4 ++-- net/xdp/xsk_buff_pool.c | 5 +++-- 3 files changed, 6 insertions(+), 5 deletions(-)
--- a/include/net/xsk_buff_pool.h +++ b/include/net/xsk_buff_pool.h @@ -86,7 +86,7 @@ struct xsk_buff_pool *xp_create_and_assi struct xdp_umem *umem); int xp_assign_dev(struct xsk_buff_pool *pool, struct net_device *dev, u16 queue_id, u16 flags); -int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_umem *umem, +int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs, struct net_device *dev, u16 queue_id); void xp_destroy(struct xsk_buff_pool *pool); void xp_release(struct xdp_buff_xsk *xskb); --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -742,8 +742,8 @@ static int xsk_bind(struct socket *sock, goto out_unlock; }
- err = xp_assign_dev_shared(xs->pool, umem_xs->umem, - dev, qid); + err = xp_assign_dev_shared(xs->pool, umem_xs, dev, + qid); if (err) { xp_destroy(xs->pool); xs->pool = NULL; --- a/net/xdp/xsk_buff_pool.c +++ b/net/xdp/xsk_buff_pool.c @@ -198,17 +198,18 @@ int xp_assign_dev(struct xsk_buff_pool * return __xp_assign_dev(pool, dev, queue_id, flags); }
-int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_umem *umem, +int xp_assign_dev_shared(struct xsk_buff_pool *pool, struct xdp_sock *umem_xs, struct net_device *dev, u16 queue_id) { u16 flags; + struct xdp_umem *umem = umem_xs->umem;
/* One fill and completion ring required for each queue id. */ if (!pool->fq || !pool->cq) return -EINVAL;
flags = umem->zc ? XDP_ZEROCOPY : XDP_COPY; - if (pool->uses_need_wakeup) + if (umem_xs->pool->uses_need_wakeup) flags |= XDP_USE_NEED_WAKEUP;
return __xp_assign_dev(pool, dev, queue_id, flags);
From: Takashi Iwai tiwai@suse.de
commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d upstream.
There is a small race window at snd_pcm_oss_sync() that is called from OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently.
The fix is simply to cover snd_pcm_oss_make_ready() call into the same params_lock mutex with snd_pcm_oss_make_ready_locked() variant.
Reported-and-tested-by: butt3rflyh4ck butterflyhuangxx@gmail.com Reviewed-by: Jaroslav Kysela perex@perex.cz Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZ... Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Zubin Mithra zsm@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- sound/core/oss/pcm_oss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1662,13 +1662,14 @@ static int snd_pcm_oss_sync(struct snd_p runtime = substream->runtime; if (atomic_read(&substream->mmap_count)) goto __direct; - if ((err = snd_pcm_oss_make_ready(substream)) < 0) - return err; atomic_inc(&runtime->oss.rw_ref); if (mutex_lock_interruptible(&runtime->oss.params_lock)) { atomic_dec(&runtime->oss.rw_ref); return -ERESTARTSYS; } + err = snd_pcm_oss_make_ready_locked(substream); + if (err < 0) + goto unlock; format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); if (runtime->oss.buffer_used > 0) {
From: Yang Shi shy828301@gmail.com
commit 70cbc3cc78a997d8247b50389d37c4e1736019da upstream.
Since general RCU GUP fast was introduced in commit 2667f50e8b81 ("mm: introduce a general RCU get_user_pages_fast()"), a TLB flush is no longer sufficient to handle concurrent GUP-fast in all cases, it only handles traditional IPI-based GUP-fast correctly. On architectures that send an IPI broadcast on TLB flush, it works as expected. But on the architectures that do not use IPI to broadcast TLB flush, it may have the below race:
CPU A CPU B THP collapse fast GUP gup_pmd_range() <-- see valid pmd gup_pte_range() <-- work on pte pmdp_collapse_flush() <-- clear pmd and flush __collapse_huge_page_isolate() check page pinned <-- before GUP bump refcount pin the page check PTE <-- no change __collapse_huge_page_copy() copy data to huge page ptep_clear() install huge pmd for the huge page return the stale page discard the stale page
The race can be fixed by checking whether PMD is changed or not after taking the page pin in fast GUP, just like what it does for PTE. If the PMD is changed it means there may be parallel THP collapse, so GUP should back off.
Also update the stale comment about serializing against fast GUP in khugepaged.
Link: https://lkml.kernel.org/r/20220907180144.555485-1-shy828301@gmail.com Fixes: 2667f50e8b81 ("mm: introduce a general RCU get_user_pages_fast()") Acked-by: David Hildenbrand david@redhat.com Acked-by: Peter Xu peterx@redhat.com Signed-off-by: Yang Shi shy828301@gmail.com Reviewed-by: John Hubbard jhubbard@nvidia.com Cc: "Aneesh Kumar K.V" aneesh.kumar@linux.ibm.com Cc: Hugh Dickins hughd@google.com Cc: Jason Gunthorpe jgg@nvidia.com Cc: "Kirill A. Shutemov" kirill.shutemov@linux.intel.com Cc: Michael Ellerman mpe@ellerman.id.au Cc: Nicholas Piggin npiggin@gmail.com Cc: Christophe Leroy christophe.leroy@csgroup.eu Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- mm/gup.c | 34 ++++++++++++++++++++++++++++------ mm/khugepaged.c | 10 ++++++---- 2 files changed, 34 insertions(+), 10 deletions(-)
--- a/mm/gup.c +++ b/mm/gup.c @@ -2128,8 +2128,28 @@ static void __maybe_unused undo_dev_page }
#ifdef CONFIG_ARCH_HAS_PTE_SPECIAL -static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end, - unsigned int flags, struct page **pages, int *nr) +/* + * Fast-gup relies on pte change detection to avoid concurrent pgtable + * operations. + * + * To pin the page, fast-gup needs to do below in order: + * (1) pin the page (by prefetching pte), then (2) check pte not changed. + * + * For the rest of pgtable operations where pgtable updates can be racy + * with fast-gup, we need to do (1) clear pte, then (2) check whether page + * is pinned. + * + * Above will work for all pte-level operations, including THP split. + * + * For THP collapse, it's a bit more complicated because fast-gup may be + * walking a pgtable page that is being freed (pte is still valid but pmd + * can be cleared already). To avoid race in such condition, we need to + * also check pmd here to make sure pmd doesn't change (corresponds to + * pmdp_collapse_flush() in the THP collapse code path). + */ +static int gup_pte_range(pmd_t pmd, pmd_t *pmdp, unsigned long addr, + unsigned long end, unsigned int flags, + struct page **pages, int *nr) { struct dev_pagemap *pgmap = NULL; int nr_start = *nr, ret = 0; @@ -2169,7 +2189,8 @@ static int gup_pte_range(pmd_t pmd, unsi if (!head) goto pte_unmap;
- if (unlikely(pte_val(pte) != pte_val(*ptep))) { + if (unlikely(pmd_val(pmd) != pmd_val(*pmdp)) || + unlikely(pte_val(pte) != pte_val(*ptep))) { put_compound_head(head, 1, flags); goto pte_unmap; } @@ -2214,8 +2235,9 @@ pte_unmap: * get_user_pages_fast_only implementation that can pin pages. Thus it's still * useful to have gup_huge_pmd even if we can't operate on ptes. */ -static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end, - unsigned int flags, struct page **pages, int *nr) +static int gup_pte_range(pmd_t pmd, pmd_t *pmdp, unsigned long addr, + unsigned long end, unsigned int flags, + struct page **pages, int *nr) { return 0; } @@ -2522,7 +2544,7 @@ static int gup_pmd_range(pud_t *pudp, pu if (!gup_huge_pd(__hugepd(pmd_val(pmd)), addr, PMD_SHIFT, next, flags, pages, nr)) return 0; - } else if (!gup_pte_range(pmd, addr, next, flags, pages, nr)) + } else if (!gup_pte_range(pmd, pmdp, addr, next, flags, pages, nr)) return 0; } while (pmdp++, addr = next, addr != end);
--- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1144,10 +1144,12 @@ static void collapse_huge_page(struct mm
pmd_ptl = pmd_lock(mm, pmd); /* probably unnecessary */ /* - * After this gup_fast can't run anymore. This also removes - * any huge TLB entry from the CPU so we won't allow - * huge and small TLB entries for the same virtual address - * to avoid the risk of CPU bugs in that area. + * This removes any huge TLB entry from the CPU so we won't allow + * huge and small TLB entries for the same virtual address to + * avoid the risk of CPU bugs in that area. + * + * Parallel fast GUP is fine since fast GUP will back off when + * it detects PMD is changed. */ _pmd = pmdp_collapse_flush(vma, address, pmd); spin_unlock(pmd_ptl);
From: Yang Shi shy828301@gmail.com
commit bedf03416913d88c796288f9dca109a53608c745 upstream.
The IPI broadcast is used to serialize against fast-GUP, but fast-GUP will move to use RCU instead of disabling local interrupts in fast-GUP. Using an IPI is the old-styled way of serializing against fast-GUP although it still works as expected now.
And fast-GUP now fixed the potential race with THP collapse by checking whether PMD is changed or not. So IPI broadcast in radix pmd collapse flush is not necessary anymore. But it is still needed for hash TLB.
Link: https://lkml.kernel.org/r/20220907180144.555485-2-shy828301@gmail.com Suggested-by: Aneesh Kumar K.V aneesh.kumar@linux.ibm.com Signed-off-by: Yang Shi shy828301@gmail.com Acked-by: David Hildenbrand david@redhat.com Acked-by: Peter Xu peterx@redhat.com Cc: Christophe Leroy christophe.leroy@csgroup.eu Cc: Hugh Dickins hughd@google.com Cc: Jason Gunthorpe jgg@nvidia.com Cc: John Hubbard jhubbard@nvidia.com Cc: "Kirill A. Shutemov" kirill.shutemov@linux.intel.com Cc: Michael Ellerman mpe@ellerman.id.au Cc: Nicholas Piggin npiggin@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- arch/powerpc/mm/book3s64/radix_pgtable.c | 9 --------- 1 file changed, 9 deletions(-)
--- a/arch/powerpc/mm/book3s64/radix_pgtable.c +++ b/arch/powerpc/mm/book3s64/radix_pgtable.c @@ -997,15 +997,6 @@ pmd_t radix__pmdp_collapse_flush(struct pmd = *pmdp; pmd_clear(pmdp);
- /* - * pmdp collapse_flush need to ensure that there are no parallel gup - * walk after this call. This is needed so that we can have stable - * page ref count when collapsing a page. We don't allow a collapse page - * if we have gup taken on the page. We can ensure that by sending IPI - * because gup walk happens with IRQ disabled. - */ - serialize_against_pte_lookup(vma->vm_mm); - radix__flush_tlb_collapsed_pmd(vma->vm_mm, address);
return pmd;
From: Dongliang Mu mudongliangabcd@gmail.com
commit 2e488f13755ffbb60f307e991b27024716a33b29 upstream.
In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF).
Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes)
Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vf... Reported-by: butt3rflyh4ck butterflyhuangxx@gmail.com Reported-by: Hao Sun sunhao.th@gmail.com Reported-by: Jiacheng Xu stitch@zju.edu.cn Reviewed-by: Christian Brauner (Microsoft) brauner@kernel.org Signed-off-by: Dongliang Mu mudongliangabcd@gmail.com Cc: Al Viro viro@zeniv.linux.org.uk Cc: stable@vger.kernel.org Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/inode.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
--- a/fs/inode.c +++ b/fs/inode.c @@ -168,8 +168,6 @@ int inode_init_always(struct super_block inode->i_wb_frn_history = 0; #endif
- if (security_inode_alloc(inode)) - goto out; spin_lock_init(&inode->i_lock); lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
@@ -202,11 +200,12 @@ int inode_init_always(struct super_block inode->i_fsnotify_mask = 0; #endif inode->i_flctx = NULL; + + if (unlikely(security_inode_alloc(inode))) + return -ENOMEM; this_cpu_inc(nr_inodes);
return 0; -out: - return -ENOMEM; } EXPORT_SYMBOL(inode_init_always);
From: Nick Desaulniers ndesaulniers@google.com
commit b83a908498d68fafca931e1276e145b339cac5fb upstream.
Clang 14 will add support for __attribute__((__error__(""))) and __attribute__((__warning__(""))). To make use of these in __compiletime_error and __compiletime_warning (as used by BUILD_BUG and friends) for newer clang and detect/fallback for older versions of clang, move these to compiler_attributes.h and guard them with __has_attribute preprocessor guards.
Link: https://reviews.llvm.org/D106030 Link: https://bugs.llvm.org/show_bug.cgi?id=16428 Link: https://github.com/ClangBuiltLinux/linux/issues/1173 Signed-off-by: Nick Desaulniers ndesaulniers@google.com Reviewed-by: Nathan Chancellor nathan@kernel.org Reviewed-by: Kees Cook keescook@chromium.org [Reworded, landed in Clang 14] Signed-off-by: Miguel Ojeda ojeda@kernel.org Signed-off-by: Bart Van Assche bvanassche@acm.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- include/linux/compiler-gcc.h | 3 --- include/linux/compiler_attributes.h | 24 ++++++++++++++++++++++++ include/linux/compiler_types.h | 6 ------ 3 files changed, 24 insertions(+), 9 deletions(-)
--- a/include/linux/compiler-gcc.h +++ b/include/linux/compiler-gcc.h @@ -54,9 +54,6 @@
#define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
-#define __compiletime_warning(message) __attribute__((__warning__(message))) -#define __compiletime_error(message) __attribute__((__error__(message))) - #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__) #define __latent_entropy __attribute__((latent_entropy)) #endif --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h @@ -30,6 +30,7 @@ # define __GCC4_has_attribute___assume_aligned__ (__GNUC_MINOR__ >= 9) # define __GCC4_has_attribute___copy__ 0 # define __GCC4_has_attribute___designated_init__ 0 +# define __GCC4_has_attribute___error__ 1 # define __GCC4_has_attribute___externally_visible__ 1 # define __GCC4_has_attribute___no_caller_saved_registers__ 0 # define __GCC4_has_attribute___noclone__ 1 @@ -37,6 +38,7 @@ # define __GCC4_has_attribute___no_sanitize_address__ (__GNUC_MINOR__ >= 8) # define __GCC4_has_attribute___no_sanitize_undefined__ (__GNUC_MINOR__ >= 9) # define __GCC4_has_attribute___fallthrough__ 0 +# define __GCC4_has_attribute___warning__ 1 #endif
/* @@ -137,6 +139,17 @@ #endif
/* + * Optional: only supported since clang >= 14.0 + * + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-err... + */ +#if __has_attribute(__error__) +# define __compiletime_error(msg) __attribute__((__error__(msg))) +#else +# define __compiletime_error(msg) +#endif + +/* * Optional: not supported by clang * * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-ext... @@ -273,6 +286,17 @@ #define __used __attribute__((__used__))
/* + * Optional: only supported since clang >= 14.0 + * + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-war... + */ +#if __has_attribute(__warning__) +# define __compiletime_warning(msg) __attribute__((__warning__(msg))) +#else +# define __compiletime_warning(msg) +#endif + +/* * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-wea... * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-wea... */ --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h @@ -281,12 +281,6 @@ struct ftrace_likely_data { #ifndef __compiletime_object_size # define __compiletime_object_size(obj) -1 #endif -#ifndef __compiletime_warning -# define __compiletime_warning(message) -#endif -#ifndef __compiletime_error -# define __compiletime_error(message) -#endif
#ifdef __OPTIMIZE__ # define __compiletime_assert(condition, msg, prefix, suffix) \
From: Cristian Marussi cristian.marussi@arm.com
[ Upstream commit dea796fcab0a219830831c070b8dc367d7e0f708 ]
Currently, when removing the SCMI PM driver not all the resources registered with genpd subsystem are properly de-registered.
As a side effect of this after a driver unload/load cycle you get a splat with a few warnings like this:
| debugfs: Directory 'BIG_CPU0' with parent 'pm_genpd' already present! | debugfs: Directory 'BIG_CPU1' with parent 'pm_genpd' already present! | debugfs: Directory 'LITTLE_CPU0' with parent 'pm_genpd' already present! | debugfs: Directory 'LITTLE_CPU1' with parent 'pm_genpd' already present! | debugfs: Directory 'LITTLE_CPU2' with parent 'pm_genpd' already present! | debugfs: Directory 'LITTLE_CPU3' with parent 'pm_genpd' already present! | debugfs: Directory 'BIG_SSTOP' with parent 'pm_genpd' already present! | debugfs: Directory 'LITTLE_SSTOP' with parent 'pm_genpd' already present! | debugfs: Directory 'DBGSYS' with parent 'pm_genpd' already present! | debugfs: Directory 'GPUTOP' with parent 'pm_genpd' already present!
Add a proper scmi_pm_domain_remove callback to the driver in order to take care of all the needed cleanups not handled by devres framework.
Link: https://lore.kernel.org/r/20220817172731.1185305-7-cristian.marussi@arm.com Signed-off-by: Cristian Marussi cristian.marussi@arm.com Signed-off-by: Sudeep Holla sudeep.holla@arm.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/firmware/arm_scmi/scmi_pm_domain.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)
diff --git a/drivers/firmware/arm_scmi/scmi_pm_domain.c b/drivers/firmware/arm_scmi/scmi_pm_domain.c index a4e4aa9a3542..af74e521f89f 100644 --- a/drivers/firmware/arm_scmi/scmi_pm_domain.c +++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c @@ -106,9 +106,28 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev) scmi_pd_data->domains = domains; scmi_pd_data->num_domains = num_domains;
+ dev_set_drvdata(dev, scmi_pd_data); + return of_genpd_add_provider_onecell(np, scmi_pd_data); }
+static void scmi_pm_domain_remove(struct scmi_device *sdev) +{ + int i; + struct genpd_onecell_data *scmi_pd_data; + struct device *dev = &sdev->dev; + struct device_node *np = dev->of_node; + + of_genpd_del_provider(np); + + scmi_pd_data = dev_get_drvdata(dev); + for (i = 0; i < scmi_pd_data->num_domains; i++) { + if (!scmi_pd_data->domains[i]) + continue; + pm_genpd_remove(scmi_pd_data->domains[i]); + } +} + static const struct scmi_device_id scmi_id_table[] = { { SCMI_PROTOCOL_POWER, "genpd" }, { }, @@ -118,6 +137,7 @@ MODULE_DEVICE_TABLE(scmi, scmi_id_table); static struct scmi_driver scmi_power_domain_driver = { .name = "scmi-power-domain", .probe = scmi_pm_domain_probe, + .remove = scmi_pm_domain_remove, .id_table = scmi_id_table, }; module_scmi_driver(scmi_power_domain_driver);
From: Swati Agarwal swati.agarwal@xilinx.com
[ Upstream commit 91df7751eb890e970afc08f50b8f0fa5ea39e03d ]
Add missing cleanup in devm_platform_ioremap_resource(). When probe fails remove dma channel resources and disable clocks in accordance with the order of resources allocated .
Signed-off-by: Swati Agarwal swati.agarwal@xilinx.com Link: https://lore.kernel.org/r/20220817061125.4720-2-swati.agarwal@xilinx.com Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/dma/xilinx/xilinx_dma.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c index cab4719e4cf9..36801126312e 100644 --- a/drivers/dma/xilinx/xilinx_dma.c +++ b/drivers/dma/xilinx/xilinx_dma.c @@ -3020,9 +3020,10 @@ static int xilinx_dma_probe(struct platform_device *pdev)
/* Request and map I/O memory */ xdev->regs = devm_platform_ioremap_resource(pdev, 0); - if (IS_ERR(xdev->regs)) - return PTR_ERR(xdev->regs); - + if (IS_ERR(xdev->regs)) { + err = PTR_ERR(xdev->regs); + goto disable_clks; + } /* Retrieve the DMA engine properties from the device tree */ xdev->max_buffer_len = GENMASK(XILINX_DMA_MAX_TRANS_LEN_MAX - 1, 0); xdev->s2mm_chan_id = xdev->dma_config->max_channels / 2; @@ -3115,7 +3116,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) for_each_child_of_node(node, child) { err = xilinx_dma_child_probe(xdev, child); if (err < 0) - goto disable_clks; + goto error; }
if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) { @@ -3150,12 +3151,12 @@ static int xilinx_dma_probe(struct platform_device *pdev)
return 0;
-disable_clks: - xdma_disable_allclks(xdev); error: for (i = 0; i < xdev->dma_config->max_channels; i++) if (xdev->chan[i]) xilinx_dma_chan_remove(xdev->chan[i]); +disable_clks: + xdma_disable_allclks(xdev);
return err; }
From: Swati Agarwal swati.agarwal@xilinx.com
[ Upstream commit 462bce790e6a7e68620a4ce260cc38f7ed0255d5 ]
Free the allocated resources for missing xlnx,num-fstores property.
Signed-off-by: Swati Agarwal swati.agarwal@xilinx.com Link: https://lore.kernel.org/r/20220817061125.4720-3-swati.agarwal@xilinx.com Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/dma/xilinx/xilinx_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c index 36801126312e..b91378fb891c 100644 --- a/drivers/dma/xilinx/xilinx_dma.c +++ b/drivers/dma/xilinx/xilinx_dma.c @@ -3051,7 +3051,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) if (err < 0) { dev_err(xdev->dev, "missing xlnx,num-fstores property\n"); - return err; + goto disable_clks; }
err = of_property_read_u32(node, "xlnx,flush-fsync",
From: Swati Agarwal swati.agarwal@xilinx.com
[ Upstream commit 8f2b6bc79c32f0fa60df000ae387a790ec80eae9 ]
The driver does not handle the failure case while calling dma_set_mask_and_coherent API.
In case of failure, capture the return value of API and then report an error.
Addresses-coverity: Unchecked return value (CHECKED_RETURN)
Signed-off-by: Swati Agarwal swati.agarwal@xilinx.com Reviewed-by: Radhey Shyam Pandey radhey.shyam.pandey@xilinx.com Link: https://lore.kernel.org/r/20220817061125.4720-4-swati.agarwal@xilinx.com Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/dma/xilinx/xilinx_dma.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c index b91378fb891c..e76adc31ab66 100644 --- a/drivers/dma/xilinx/xilinx_dma.c +++ b/drivers/dma/xilinx/xilinx_dma.c @@ -3071,7 +3071,11 @@ static int xilinx_dma_probe(struct platform_device *pdev) xdev->ext_addr = false;
/* Set the dma mask bits */ - dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width)); + err = dma_set_mask_and_coherent(xdev->dev, DMA_BIT_MASK(addr_width)); + if (err < 0) { + dev_err(xdev->dev, "DMA mask error %d\n", err); + goto disable_clks; + }
/* Initialize the DMA engine */ xdev->common.dev = &pdev->dev;
From: Sergei Antonov saproj@gmail.com
[ Upstream commit 02181e68275d28cab3c3f755852770367f1bc229 ]
Driver moxart-mmc.c has .compatible = "moxa,moxart-mmc".
But moxart .dts/.dtsi and the documentation file moxa,moxart-dma.txt contain compatible = "moxa,moxart-sdhci".
Change moxart .dts/.dtsi files and moxa,moxart-dma.txt to match the driver.
Replace 'sdhci' with 'mmc' in names too, since SDHCI is a different controller from FTSDC010.
Suggested-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Sergei Antonov saproj@gmail.com Cc: Jonas Jensen jonas.jensen@gmail.com Link: https://lore.kernel.org/r/20220907175341.1477383-1-saproj@gmail.com' Signed-off-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Sasha Levin sashal@kernel.org --- Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt | 4 ++-- arch/arm/boot/dts/moxart-uc7112lx.dts | 2 +- arch/arm/boot/dts/moxart.dtsi | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt b/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt index 8a9f3559335b..7e14e26676ec 100644 --- a/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt +++ b/Documentation/devicetree/bindings/dma/moxa,moxart-dma.txt @@ -34,8 +34,8 @@ Example: Use specific request line passing from dma For example, MMC request line is 5
- sdhci: sdhci@98e00000 { - compatible = "moxa,moxart-sdhci"; + mmc: mmc@98e00000 { + compatible = "moxa,moxart-mmc"; reg = <0x98e00000 0x5C>; interrupts = <5 0>; clocks = <&clk_apb>; diff --git a/arch/arm/boot/dts/moxart-uc7112lx.dts b/arch/arm/boot/dts/moxart-uc7112lx.dts index eb5291b0ee3a..e07b807b4cec 100644 --- a/arch/arm/boot/dts/moxart-uc7112lx.dts +++ b/arch/arm/boot/dts/moxart-uc7112lx.dts @@ -79,7 +79,7 @@ &clk_pll { clocks = <&ref12>; };
-&sdhci { +&mmc { status = "okay"; };
diff --git a/arch/arm/boot/dts/moxart.dtsi b/arch/arm/boot/dts/moxart.dtsi index f5f070a87482..764832ddfa78 100644 --- a/arch/arm/boot/dts/moxart.dtsi +++ b/arch/arm/boot/dts/moxart.dtsi @@ -93,8 +93,8 @@ watchdog: watchdog@98500000 { clock-names = "PCLK"; };
- sdhci: sdhci@98e00000 { - compatible = "moxa,moxart-sdhci"; + mmc: mmc@98e00000 { + compatible = "moxa,moxart-mmc"; reg = <0x98e00000 0x5C>; interrupts = <5 IRQ_TYPE_LEVEL_HIGH>; clocks = <&clk_apb>;
From: Letu Ren fantasquex@gmail.com
[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]
In __qedf_probe(), if qedf->cdev is NULL which means qed_ops->common->probe() failed, then the program will goto label err1, and scsi_host_put() will free lport->host pointer. Because the memory qedf points to is allocated by libfc_host_alloc(), it will be freed by scsi_host_put(). However, the if statement below label err0 only checks whether qedf is NULL but doesn't check whether the memory has been freed. So a UAF bug can occur.
There are two ways to reach the statements below err0. The first one is described as before, "qedf" should be set to NULL. The second one is goto "err0" directly. In the latter scenario qedf hasn't been changed and it has the initial value NULL. As a result the if statement is not reachable in any situation.
The KASAN logs are as follows:
[ 2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0 [ 2.312969] [ 2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 [ 2.312969] Call Trace: [ 2.312969] dump_stack_lvl+0x59/0x7b [ 2.312969] print_address_description+0x7c/0x3b0 [ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0 [ 2.312969] __kasan_report+0x160/0x1c0 [ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0 [ 2.312969] kasan_report+0x4b/0x70 [ 2.312969] ? kobject_put+0x25d/0x290 [ 2.312969] kasan_check_range+0x2ca/0x310 [ 2.312969] __qedf_probe+0x5dcf/0x6bc0 [ 2.312969] ? selinux_kernfs_init_security+0xdc/0x5f0 [ 2.312969] ? trace_rpm_return_int_rcuidle+0x18/0x120 [ 2.312969] ? rpm_resume+0xa5c/0x16e0 [ 2.312969] ? qedf_get_generic_tlv_data+0x160/0x160 [ 2.312969] local_pci_probe+0x13c/0x1f0 [ 2.312969] pci_device_probe+0x37e/0x6c0
Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com Reported-by: Zheyu Ma zheyuma97@gmail.com Acked-by: Saurav Kashyap skashyap@marvell.com Co-developed-by: Wende Tan twd2.me@gmail.com Signed-off-by: Wende Tan twd2.me@gmail.com Signed-off-by: Letu Ren fantasquex@gmail.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/scsi/qedf/qedf_main.c | 5 ----- 1 file changed, 5 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c index e64457f53da8..de5b6453827c 100644 --- a/drivers/scsi/qedf/qedf_main.c +++ b/drivers/scsi/qedf/qedf_main.c @@ -3671,11 +3671,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) err1: scsi_host_put(lport->host); err0: - if (qedf) { - QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n"); - - clear_bit(QEDF_PROBING, &qedf->flags); - } return rc; }
From: Haimin Zhang tcs.kernel@gmail.com
[ Upstream commit 94160108a70c8af17fa1484a37e05181c0e094af ]
There is uninit value bug in dgram_sendmsg function in net/ieee802154/socket.c when the length of valid data pointed by the msg->msg_name isn't verified.
We introducing a helper function ieee802154_sockaddr_check_size to check namelen. First we check there is addr_type in ieee802154_addr_sa. Then, we check namelen according to addr_type.
Also fixed in raw_bind, dgram_bind, dgram_connect.
Signed-off-by: Haimin Zhang tcs_kernel@tencent.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- include/net/ieee802154_netdev.h | 37 +++++++++++++++++++++++++++++ net/ieee802154/socket.c | 42 ++++++++++++++++++--------------- 2 files changed, 60 insertions(+), 19 deletions(-)
diff --git a/include/net/ieee802154_netdev.h b/include/net/ieee802154_netdev.h index d0d188c3294b..a8994f307fc3 100644 --- a/include/net/ieee802154_netdev.h +++ b/include/net/ieee802154_netdev.h @@ -15,6 +15,22 @@ #ifndef IEEE802154_NETDEVICE_H #define IEEE802154_NETDEVICE_H
+#define IEEE802154_REQUIRED_SIZE(struct_type, member) \ + (offsetof(typeof(struct_type), member) + \ + sizeof(((typeof(struct_type) *)(NULL))->member)) + +#define IEEE802154_ADDR_OFFSET \ + offsetof(typeof(struct sockaddr_ieee802154), addr) + +#define IEEE802154_MIN_NAMELEN (IEEE802154_ADDR_OFFSET + \ + IEEE802154_REQUIRED_SIZE(struct ieee802154_addr_sa, addr_type)) + +#define IEEE802154_NAMELEN_SHORT (IEEE802154_ADDR_OFFSET + \ + IEEE802154_REQUIRED_SIZE(struct ieee802154_addr_sa, short_addr)) + +#define IEEE802154_NAMELEN_LONG (IEEE802154_ADDR_OFFSET + \ + IEEE802154_REQUIRED_SIZE(struct ieee802154_addr_sa, hwaddr)) + #include <net/af_ieee802154.h> #include <linux/netdevice.h> #include <linux/skbuff.h> @@ -165,6 +181,27 @@ static inline void ieee802154_devaddr_to_raw(void *raw, __le64 addr) memcpy(raw, &temp, IEEE802154_ADDR_LEN); }
+static inline int +ieee802154_sockaddr_check_size(struct sockaddr_ieee802154 *daddr, int len) +{ + struct ieee802154_addr_sa *sa; + + sa = &daddr->addr; + if (len < IEEE802154_MIN_NAMELEN) + return -EINVAL; + switch (sa->addr_type) { + case IEEE802154_ADDR_SHORT: + if (len < IEEE802154_NAMELEN_SHORT) + return -EINVAL; + break; + case IEEE802154_ADDR_LONG: + if (len < IEEE802154_NAMELEN_LONG) + return -EINVAL; + break; + } + return 0; +} + static inline void ieee802154_addr_from_sa(struct ieee802154_addr *a, const struct ieee802154_addr_sa *sa) { diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c index c25f7617770c..7edec210780a 100644 --- a/net/ieee802154/socket.c +++ b/net/ieee802154/socket.c @@ -201,8 +201,9 @@ static int raw_bind(struct sock *sk, struct sockaddr *_uaddr, int len) int err = 0; struct net_device *dev = NULL;
- if (len < sizeof(*uaddr)) - return -EINVAL; + err = ieee802154_sockaddr_check_size(uaddr, len); + if (err < 0) + return err;
uaddr = (struct sockaddr_ieee802154 *)_uaddr; if (uaddr->family != AF_IEEE802154) @@ -494,7 +495,8 @@ static int dgram_bind(struct sock *sk, struct sockaddr *uaddr, int len)
ro->bound = 0;
- if (len < sizeof(*addr)) + err = ieee802154_sockaddr_check_size(addr, len); + if (err < 0) goto out;
if (addr->family != AF_IEEE802154) @@ -565,8 +567,9 @@ static int dgram_connect(struct sock *sk, struct sockaddr *uaddr, struct dgram_sock *ro = dgram_sk(sk); int err = 0;
- if (len < sizeof(*addr)) - return -EINVAL; + err = ieee802154_sockaddr_check_size(addr, len); + if (err < 0) + return err;
if (addr->family != AF_IEEE802154) return -EINVAL; @@ -605,6 +608,7 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) struct ieee802154_mac_cb *cb; struct dgram_sock *ro = dgram_sk(sk); struct ieee802154_addr dst_addr; + DECLARE_SOCKADDR(struct sockaddr_ieee802154*, daddr, msg->msg_name); int hlen, tlen; int err;
@@ -613,10 +617,20 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) return -EOPNOTSUPP; }
- if (!ro->connected && !msg->msg_name) - return -EDESTADDRREQ; - else if (ro->connected && msg->msg_name) - return -EISCONN; + if (msg->msg_name) { + if (ro->connected) + return -EISCONN; + if (msg->msg_namelen < IEEE802154_MIN_NAMELEN) + return -EINVAL; + err = ieee802154_sockaddr_check_size(daddr, msg->msg_namelen); + if (err < 0) + return err; + ieee802154_addr_from_sa(&dst_addr, &daddr->addr); + } else { + if (!ro->connected) + return -EDESTADDRREQ; + dst_addr = ro->dst_addr; + }
if (!ro->bound) dev = dev_getfirstbyhwtype(sock_net(sk), ARPHRD_IEEE802154); @@ -652,16 +666,6 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) cb = mac_cb_init(skb); cb->type = IEEE802154_FC_TYPE_DATA; cb->ackreq = ro->want_ack; - - if (msg->msg_name) { - DECLARE_SOCKADDR(struct sockaddr_ieee802154*, - daddr, msg->msg_name); - - ieee802154_addr_from_sa(&dst_addr, &daddr->addr); - } else { - dst_addr = ro->dst_addr; - } - cb->secen = ro->secen; cb->secen_override = ro->secen_override; cb->seclevel = ro->seclevel;
From: Jaroslav Kysela perex@perex.cz
[ Upstream commit 5f80d6bd2b01de4cafac3302f58456bf860322fc ]
When the user space pcm stream uses the silent stream converter, it is no longer allocated for the silent stream. Clear the appropriate flag in the hdmi_pcm_open() function. The silent stream setup may be applied in hdmi_pcm_close() (and the error path - open fcn) again.
If the flag is not cleared, the reuse conditions for the silent stream converter in hdmi_choose_cvt() may improperly share this converter.
Cc: Kai Vehmanen kai.vehmanen@linux.intel.com Signed-off-by: Jaroslav Kysela perex@perex.cz Link: https://lore.kernel.org/r/20220913070216.3233974-1-perex@perex.cz Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/pci/hda/patch_hdmi.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index e6f261e8c5ae..c3fcf478037f 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -1269,6 +1269,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo, set_bit(pcm_idx, &spec->pcm_in_use); per_pin = get_pin(spec, pin_idx); per_pin->cvt_nid = per_cvt->cvt_nid; + per_pin->silent_stream = false; hinfo->nid = per_cvt->cvt_nid;
/* flip stripe flag for the assigned stream if supported */
From: Lukas Straub lukasstraub2@web.de
[ Upstream commit 61670b4d270c71219def1fbc9441debc2ac2e6e9 ]
Like in f4f03f299a56ce4d73c5431e0327b3b6cb55ebb9 "um: Cleanup syscall_handler_t definition/cast, fix warning", remove the cast to to fix the compiler warning.
Signed-off-by: Lukas Straub lukasstraub2@web.de Acked-by: Randy Dunlap rdunlap@infradead.org # build-tested Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin sashal@kernel.org --- arch/x86/um/shared/sysdep/syscalls_32.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/x86/um/shared/sysdep/syscalls_32.h b/arch/x86/um/shared/sysdep/syscalls_32.h index 68fd2cf526fd..f6e9f84397e7 100644 --- a/arch/x86/um/shared/sysdep/syscalls_32.h +++ b/arch/x86/um/shared/sysdep/syscalls_32.h @@ -6,10 +6,9 @@ #include <asm/unistd.h> #include <sysdep/ptrace.h>
-typedef long syscall_handler_t(struct pt_regs); +typedef long syscall_handler_t(struct syscall_args);
extern syscall_handler_t *sys_call_table[];
#define EXECUTE_SYSCALL(syscall, regs) \ - ((long (*)(struct syscall_args)) \ - (*sys_call_table[syscall]))(SYSCALL_ARGS(®s->regs)) + ((*sys_call_table[syscall]))(SYSCALL_ARGS(®s->regs))
From: Lukas Straub lukasstraub2@web.de
[ Upstream commit d27fff3499671dc23a08efd01cdb8b3764a391c4 ]
arch.tls_array is statically allocated so checking for NULL doesn't make sense. This causes the compiler warning below.
Remove the checks to silence these warnings.
../arch/x86/um/tls_32.c: In function 'get_free_idx': ../arch/x86/um/tls_32.c:68:13: warning: the comparison will always evaluate as 'true' for the address of 'tls_array' will never be NULL [-Waddress] 68 | if (!t->arch.tls_array) | ^ In file included from ../arch/x86/um/asm/processor.h:10, from ../include/linux/rcupdate.h:30, from ../include/linux/rculist.h:11, from ../include/linux/pid.h:5, from ../include/linux/sched.h:14, from ../arch/x86/um/tls_32.c:7: ../arch/x86/um/asm/processor_32.h:22:31: note: 'tls_array' declared here 22 | struct uml_tls_struct tls_array[GDT_ENTRY_TLS_ENTRIES]; | ^~~~~~~~~ ../arch/x86/um/tls_32.c: In function 'get_tls_entry': ../arch/x86/um/tls_32.c:243:13: warning: the comparison will always evaluate as 'true' for the address of 'tls_array' will never be NULL [-Waddress] 243 | if (!t->arch.tls_array) | ^ ../arch/x86/um/asm/processor_32.h:22:31: note: 'tls_array' declared here 22 | struct uml_tls_struct tls_array[GDT_ENTRY_TLS_ENTRIES]; | ^~~~~~~~~
Signed-off-by: Lukas Straub lukasstraub2@web.de Acked-by: Randy Dunlap rdunlap@infradead.org # build-tested Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin sashal@kernel.org --- arch/x86/um/tls_32.c | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c index ac8eee093f9c..66162eafd8e8 100644 --- a/arch/x86/um/tls_32.c +++ b/arch/x86/um/tls_32.c @@ -65,9 +65,6 @@ static int get_free_idx(struct task_struct* task) struct thread_struct *t = &task->thread; int idx;
- if (!t->arch.tls_array) - return GDT_ENTRY_TLS_MIN; - for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++) if (!t->arch.tls_array[idx].present) return idx + GDT_ENTRY_TLS_MIN; @@ -240,9 +237,6 @@ static int get_tls_entry(struct task_struct *task, struct user_desc *info, { struct thread_struct *t = &task->thread;
- if (!t->arch.tls_array) - goto clear; - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL;
From: David Gow davidgow@google.com
[ Upstream commit bd71558d585ac61cfd799db7f25e78dca404dd7a ]
Since binutils 2.39, ld will print a warning if any stack section is executable, which is the default for stack sections on files without a .note.GNU-stack section.
This was fixed for x86 in commit ffcf9c5700e4 ("x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments"), but remained broken for UML, resulting in several warnings:
/usr/bin/ld: warning: arch/x86/um/vdso/vdso.o: missing .note.GNU-stack section implies executable stack /usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker /usr/bin/ld: warning: .tmp_vmlinux.kallsyms1 has a LOAD segment with RWX permissions /usr/bin/ld: warning: .tmp_vmlinux.kallsyms1.o: missing .note.GNU-stack section implies executable stack /usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker /usr/bin/ld: warning: .tmp_vmlinux.kallsyms2 has a LOAD segment with RWX permissions /usr/bin/ld: warning: .tmp_vmlinux.kallsyms2.o: missing .note.GNU-stack section implies executable stack /usr/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker /usr/bin/ld: warning: vmlinux has a LOAD segment with RWX permissions
Link both the VDSO and vmlinux with -z noexecstack, fixing the warnings about .note.GNU-stack sections. In addition, pass --no-warn-rwx-segments to dodge the remaining warnings about LOAD segments with RWX permissions in the kallsyms objects. (Note that this flag is apparently not available on lld, so hide it behind a test for BFD, which is what the x86 patch does.)
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... Link: https://sourceware.org/git/?p=binutils-gdb.git%3Ba=commit%3Bh=ba951afb99912d... Signed-off-by: David Gow davidgow@google.com Reviewed-by: Lukas Straub lukasstraub2@web.de Tested-by: Lukas Straub lukasstraub2@web.de Acked-by: Randy Dunlap rdunlap@infradead.org # build-tested Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin sashal@kernel.org --- arch/um/Makefile | 8 ++++++++ arch/x86/um/vdso/Makefile | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/um/Makefile b/arch/um/Makefile index 1cea46ff9bb7..775615141339 100644 --- a/arch/um/Makefile +++ b/arch/um/Makefile @@ -131,10 +131,18 @@ export LDS_ELF_FORMAT := $(ELF_FORMAT) # The wrappers will select whether using "malloc" or the kernel allocator. LINK_WRAPS = -Wl,--wrap,malloc -Wl,--wrap,free -Wl,--wrap,calloc
+# Avoid binutils 2.39+ warnings by marking the stack non-executable and +# ignorning warnings for the kallsyms sections. +LDFLAGS_EXECSTACK = -z noexecstack +ifeq ($(CONFIG_LD_IS_BFD),y) +LDFLAGS_EXECSTACK += $(call ld-option,--no-warn-rwx-segments) +endif + LD_FLAGS_CMDLINE = $(foreach opt,$(KBUILD_LDFLAGS),-Wl,$(opt))
# Used by link-vmlinux.sh which has special support for um link export CFLAGS_vmlinux := $(LINK-y) $(LINK_WRAPS) $(LD_FLAGS_CMDLINE) +export LDFLAGS_vmlinux := $(LDFLAGS_EXECSTACK)
# When cleaning we don't include .config, so we don't include # TT or skas makefiles and don't clean skas_ptregs.h. diff --git a/arch/x86/um/vdso/Makefile b/arch/x86/um/vdso/Makefile index 5943387e3f35..5ca366e15c76 100644 --- a/arch/x86/um/vdso/Makefile +++ b/arch/x86/um/vdso/Makefile @@ -62,7 +62,7 @@ quiet_cmd_vdso = VDSO $@ -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \ sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
-VDSO_LDFLAGS = -fPIC -shared -Wl,--hash-style=sysv +VDSO_LDFLAGS = -fPIC -shared -Wl,--hash-style=sysv -z noexecstack GCOV_PROFILE := n
#
From: Jianglei Nie niejianglei2021@163.com
[ Upstream commit 65e5d27df61283e5390f04b09dc79cd832f95607 ]
If aq_nic_stop() fails, aq_ndev_close() returns err without calling aq_nic_deinit() to release the relevant memory and resource, which will lead to a memory leak.
We can fix it by deleting the if condition judgment and goto statement to call aq_nic_deinit() directly after aq_nic_stop() to fix the memory leak.
Signed-off-by: Jianglei Nie niejianglei2021@163.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/aquantia/atlantic/aq_main.c | 3 --- 1 file changed, 3 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c index 4af0cd9530de..ff245f75fa3d 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c @@ -89,11 +89,8 @@ static int aq_ndev_close(struct net_device *ndev) int err = 0;
err = aq_nic_stop(aq_nic); - if (err < 0) - goto err_exit; aq_nic_deinit(aq_nic, true);
-err_exit: return err; }
From: Hugo Hu hugo.hu@amd.com
[ Upstream commit 52bb21499cf54fa65b56d97cd0d68579c90207dd ]
[Why] The desktop plane and full-screen game plane may have different gamut remap coefficients, if switching between desktop and full-screen game without updating the gamut remap will cause incorrect color.
[How] Update gamut remap if planes change.
Reviewed-by: Dmytro Laktyushkin Dmytro.Laktyushkin@amd.com Acked-by: Wayne Lin wayne.lin@amd.com Signed-off-by: Hugo Hu hugo.hu@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c index 3d778760a3b5..8f66eef0c683 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c @@ -1481,6 +1481,7 @@ static void dcn20_update_dchubp_dpp( /* Any updates are handled in dc interface, just need * to apply existing for plane enable / opp change */ if (pipe_ctx->update_flags.bits.enable || pipe_ctx->update_flags.bits.opp_changed + || pipe_ctx->update_flags.bits.plane_changed || pipe_ctx->stream->update_flags.bits.gamut_remap || pipe_ctx->stream->update_flags.bits.out_csc) { #if defined(CONFIG_DRM_AMD_DC_DCN3_0)
From: zhikzhai zhikai.zhai@amd.com
[ Upstream commit 65fbfb02c2734cacffec5e3f492e1b4f1dabcf98 ]
[why] We have minimal pipe split transition method to avoid pipe allocation outage.However, this method will invoke audio setup which cause audio output stuck once pipe reallocate.
[how] skip audio setup for pipelines which audio stream has been enabled
Reviewed-by: Charlene Liu Charlene.Liu@amd.com Acked-by: Wayne Lin wayne.lin@amd.com Signed-off-by: zhikzhai zhikai.zhai@amd.com Tested-by: Daniel Wheeler daniel.wheeler@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c index 3ac6c7b65a45..e33fe0207b9e 100644 --- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c +++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c @@ -2047,7 +2047,8 @@ static void dce110_setup_audio_dto( continue; if (pipe_ctx->stream->signal != SIGNAL_TYPE_HDMI_TYPE_A) continue; - if (pipe_ctx->stream_res.audio != NULL) { + if (pipe_ctx->stream_res.audio != NULL && + pipe_ctx->stream_res.audio->enabled == false) { struct audio_output audio_output;
build_audio_output(context, pipe_ctx, &audio_output); @@ -2075,7 +2076,8 @@ static void dce110_setup_audio_dto( if (!dc_is_dp_signal(pipe_ctx->stream->signal)) continue;
- if (pipe_ctx->stream_res.audio != NULL) { + if (pipe_ctx->stream_res.audio != NULL && + pipe_ctx->stream_res.audio->enabled == false) { struct audio_output audio_output;
build_audio_output(context, pipe_ctx, &audio_output);
From: ChanWoo Lee cw9316.lee@samsung.com
[ Upstream commit e427266460826bea21b70f9b2bb29decfb2c2620 ]
SD_ROCR_S18A is already defined and is used to check the rocr value, so let's replace with already defined values for readability.
Signed-off-by: ChanWoo Lee cw9316.lee@samsung.com Reviewed-by: Linus Walleij linus.walleij@linaro.org Link: https://lore.kernel.org/r/20220706004840.24812-1-cw9316.lee@samsung.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Stable-dep-of: e9233917a7e5 ("mmc: core: Terminate infinite loop in SD-UHS voltage switch") Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/mmc/core/sd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c index 899768ed1688..e2c34aa390f1 100644 --- a/drivers/mmc/core/sd.c +++ b/drivers/mmc/core/sd.c @@ -853,7 +853,7 @@ int mmc_sd_get_cid(struct mmc_host *host, u32 ocr, u32 *cid, u32 *rocr) * the CCS bit is set as well. We deliberately deviate from the spec in * regards to this, which allows UHS-I to be supported for SDSC cards. */ - if (!mmc_host_is_spi(host) && rocr && (*rocr & 0x01000000)) { + if (!mmc_host_is_spi(host) && rocr && (*rocr & SD_ROCR_S18A)) { err = mmc_set_uhs_voltage(host, pocr); if (err == -EAGAIN) { retries--;
From: Brian Norris briannorris@chromium.org
[ Upstream commit e9233917a7e53980664efbc565888163c0a33c3f ]
This loop intends to retry a max of 10 times, with some implicit termination based on the SD_{R,}OCR_S18A bit. Unfortunately, the termination condition depends on the value reported by the SD card (*rocr), which may or may not correctly reflect what we asked it to do.
Needless to say, it's not wise to rely on the card doing what we expect; we should at least terminate the loop regardless. So, check both the input and output values, so we ensure we will terminate regardless of the SD card behavior.
Note that SDIO learned a similar retry loop in commit 0797e5f1453b ("mmc: core: Fixup signal voltage switch"), but that used the 'ocr' result, and so the current pre-terminating condition looks like:
rocr & ocr & R4_18V_PRESENT
(i.e., it doesn't have the same bug.)
This addresses a number of crash reports seen on ChromeOS that look like the following:
... // lots of repeated: ... <4>[13142.846061] mmc1: Skipping voltage switch <4>[13143.406087] mmc1: Skipping voltage switch <4>[13143.964724] mmc1: Skipping voltage switch <4>[13144.526089] mmc1: Skipping voltage switch <4>[13145.086088] mmc1: Skipping voltage switch <4>[13145.645941] mmc1: Skipping voltage switch <3>[13146.153969] INFO: task halt:30352 blocked for more than 122 seconds. ...
Fixes: f2119df6b764 ("mmc: sd: add support for signal voltage switch procedure") Cc: stable@vger.kernel.org Signed-off-by: Brian Norris briannorris@chromium.org Reviewed-by: Guenter Roeck linux@roeck-us.net Link: https://lore.kernel.org/r/20220914014010.2076169-1-briannorris@chromium.org Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/mmc/core/sd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c index e2c34aa390f1..868b121ce4f3 100644 --- a/drivers/mmc/core/sd.c +++ b/drivers/mmc/core/sd.c @@ -853,7 +853,8 @@ int mmc_sd_get_cid(struct mmc_host *host, u32 ocr, u32 *cid, u32 *rocr) * the CCS bit is set as well. We deliberately deviate from the spec in * regards to this, which allows UHS-I to be supported for SDSC cards. */ - if (!mmc_host_is_spi(host) && rocr && (*rocr & SD_ROCR_S18A)) { + if (!mmc_host_is_spi(host) && (ocr & SD_OCR_S18R) && + rocr && (*rocr & SD_ROCR_S18A)) { err = mmc_set_uhs_voltage(host, pocr); if (err == -EAGAIN) { retries--;
From: Tadeusz Struk tadeusz.struk@linaro.org
commit a659daf63d16aa883be42f3f34ff84235c302198 upstream.
Syzbot found an issue in usbmon module, where the user space client can corrupt the monitor's internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc.
The reproducer mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which causes all kinds of issues.
Return an -EPERM error from mon_bin_mmap() if the flag VM_WRTIE is set. Also clear VM_MAYWRITE to make it impossible to change it to writable later.
Cc: "Dmitry Vyukov" dvyukov@google.com Cc: stable stable@kernel.org Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon") Suggested-by: PaX Team pageexec@freemail.hu # for the VM_MAYRITE portion Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95... Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk tadeusz.struk@linaro.org Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/usb/mon/mon_bin.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/drivers/usb/mon/mon_bin.c +++ b/drivers/usb/mon/mon_bin.c @@ -1268,6 +1268,11 @@ static int mon_bin_mmap(struct file *fil { /* don't do anything here: "fault" will set up page table entries */ vma->vm_ops = &mon_bin_vm_ops; + + if (vma->vm_flags & VM_WRITE) + return -EPERM; + + vma->vm_flags &= ~VM_MAYWRITE; vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; vma->vm_private_data = filp->private_data; mon_bin_vma_open(vma);
From: Johan Hovold johan@kernel.org
commit 7bd7ad3c310cd6766f170927381eea0aa6f46c69 upstream.
The 300 bps rate of SIO devices has been mapped to 9600 bps since 2003... Let's fix the regression.
Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/usb/serial/ftdi_sio.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -1320,8 +1320,7 @@ static u32 get_ftdi_divisor(struct tty_s case 38400: div_value = ftdi_sio_b38400; break; case 57600: div_value = ftdi_sio_b57600; break; case 115200: div_value = ftdi_sio_b115200; break; - } /* baud */ - if (div_value == 0) { + default: dev_dbg(dev, "%s - Baudrate (%d) requested is not supported\n", __func__, baud); div_value = ftdi_sio_b9600;
From: Krzysztof Kozlowski krzysztof.kozlowski@linaro.org
commit 766279a8f85df32345dbda03b102ca1ee3d5ddea upstream.
The use of strncpy() is considered deprecated for NUL-terminated strings[1]. Replace strncpy() with strscpy_pad(), to keep existing pad-behavior of strncpy, similarly to commit 08de420a8014 ("rpmsg: glink: Replace strncpy() with strscpy_pad()"). This fixes W=1 warning:
In function ‘qcom_glink_rx_close’, inlined from ‘qcom_glink_work’ at ../drivers/rpmsg/qcom_glink_native.c:1638:4: drivers/rpmsg/qcom_glink_native.c:1549:17: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] 1549 | strncpy(chinfo.name, channel->name, sizeof(chinfo.name));
[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nu...
Signed-off-by: Krzysztof Kozlowski krzysztof.kozlowski@linaro.org Reviewed-by: Stephen Boyd sboyd@kernel.org Signed-off-by: Bjorn Andersson bjorn.andersson@linaro.org Link: https://lore.kernel.org/r/20220519073330.7187-1-krzysztof.kozlowski@linaro.o... Signed-off-by: Andrew Chernyakov acherniakov@astralinux.ru Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/rpmsg/qcom_glink_native.c | 2 +- drivers/rpmsg/qcom_smd.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -1472,7 +1472,7 @@ static void qcom_glink_rx_close(struct q cancel_work_sync(&channel->intent_work);
if (channel->rpdev) { - strncpy(chinfo.name, channel->name, sizeof(chinfo.name)); + strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name)); chinfo.src = RPMSG_ADDR_ANY; chinfo.dst = RPMSG_ADDR_ANY;
--- a/drivers/rpmsg/qcom_smd.c +++ b/drivers/rpmsg/qcom_smd.c @@ -1073,7 +1073,7 @@ static int qcom_smd_create_device(struct
/* Assign public information to the rpmsg_device */ rpdev = &qsdev->rpdev; - strncpy(rpdev->id.name, channel->name, RPMSG_NAME_SIZE); + strscpy_pad(rpdev->id.name, channel->name, RPMSG_NAME_SIZE); rpdev->src = RPMSG_ADDR_ANY; rpdev->dst = RPMSG_ADDR_ANY;
@@ -1304,7 +1304,7 @@ static void qcom_channel_state_worker(st
spin_unlock_irqrestore(&edge->channels_lock, flags);
- strncpy(chinfo.name, channel->name, sizeof(chinfo.name)); + strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name)); chinfo.src = RPMSG_ADDR_ANY; chinfo.dst = RPMSG_ADDR_ANY; rpmsg_unregister_device(&edge->dev, &chinfo);
This reverts commit 67c830a6de835a36b4e19fe4d968dbaf8dc4e9c6.
Which was upstream commit 255584b138343d4a28c6d25bd82d04b09460d672.
Reported as causing boot failures.
Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/clk/ti/clk-44xx.c | 210 +++++++++++++++++++++++----------------------- drivers/clk/ti/clk-54xx.c | 160 +++++++++++++++++------------------ drivers/clk/ti/clkctrl.c | 4 3 files changed, 189 insertions(+), 185 deletions(-)
--- a/drivers/clk/ti/clk-44xx.c +++ b/drivers/clk/ti/clk-44xx.c @@ -56,7 +56,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_func_dmic_abe_gfclk_parents[] __initconst = { - "abe-clkctrl:0018:26", + "abe_cm:clk:0018:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -76,7 +76,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_func_mcasp_abe_gfclk_parents[] __initconst = { - "abe-clkctrl:0020:26", + "abe_cm:clk:0020:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -89,7 +89,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_func_mcbsp1_gfclk_parents[] __initconst = { - "abe-clkctrl:0028:26", + "abe_cm:clk:0028:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -102,7 +102,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_func_mcbsp2_gfclk_parents[] __initconst = { - "abe-clkctrl:0030:26", + "abe_cm:clk:0030:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -115,7 +115,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_func_mcbsp3_gfclk_parents[] __initconst = { - "abe-clkctrl:0038:26", + "abe_cm:clk:0038:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -183,18 +183,18 @@ static const struct omap_clkctrl_bit_dat
static const struct omap_clkctrl_reg_data omap4_abe_clkctrl_regs[] __initconst = { { OMAP4_L4_ABE_CLKCTRL, NULL, 0, "ocp_abe_iclk" }, - { OMAP4_AESS_CLKCTRL, omap4_aess_bit_data, CLKF_SW_SUP, "abe-clkctrl:0008:24" }, + { OMAP4_AESS_CLKCTRL, omap4_aess_bit_data, CLKF_SW_SUP, "abe_cm:clk:0008:24" }, { OMAP4_MCPDM_CLKCTRL, NULL, CLKF_SW_SUP, "pad_clks_ck" }, - { OMAP4_DMIC_CLKCTRL, omap4_dmic_bit_data, CLKF_SW_SUP, "abe-clkctrl:0018:24" }, - { OMAP4_MCASP_CLKCTRL, omap4_mcasp_bit_data, CLKF_SW_SUP, "abe-clkctrl:0020:24" }, - { OMAP4_MCBSP1_CLKCTRL, omap4_mcbsp1_bit_data, CLKF_SW_SUP, "abe-clkctrl:0028:24" }, - { OMAP4_MCBSP2_CLKCTRL, omap4_mcbsp2_bit_data, CLKF_SW_SUP, "abe-clkctrl:0030:24" }, - { OMAP4_MCBSP3_CLKCTRL, omap4_mcbsp3_bit_data, CLKF_SW_SUP, "abe-clkctrl:0038:24" }, - { OMAP4_SLIMBUS1_CLKCTRL, omap4_slimbus1_bit_data, CLKF_SW_SUP, "abe-clkctrl:0040:8" }, - { OMAP4_TIMER5_CLKCTRL, omap4_timer5_bit_data, CLKF_SW_SUP, "abe-clkctrl:0048:24" }, - { OMAP4_TIMER6_CLKCTRL, omap4_timer6_bit_data, CLKF_SW_SUP, "abe-clkctrl:0050:24" }, - { OMAP4_TIMER7_CLKCTRL, omap4_timer7_bit_data, CLKF_SW_SUP, "abe-clkctrl:0058:24" }, - { OMAP4_TIMER8_CLKCTRL, omap4_timer8_bit_data, CLKF_SW_SUP, "abe-clkctrl:0060:24" }, + { OMAP4_DMIC_CLKCTRL, omap4_dmic_bit_data, CLKF_SW_SUP, "abe_cm:clk:0018:24" }, + { OMAP4_MCASP_CLKCTRL, omap4_mcasp_bit_data, CLKF_SW_SUP, "abe_cm:clk:0020:24" }, + { OMAP4_MCBSP1_CLKCTRL, omap4_mcbsp1_bit_data, CLKF_SW_SUP, "abe_cm:clk:0028:24" }, + { OMAP4_MCBSP2_CLKCTRL, omap4_mcbsp2_bit_data, CLKF_SW_SUP, "abe_cm:clk:0030:24" }, + { OMAP4_MCBSP3_CLKCTRL, omap4_mcbsp3_bit_data, CLKF_SW_SUP, "abe_cm:clk:0038:24" }, + { OMAP4_SLIMBUS1_CLKCTRL, omap4_slimbus1_bit_data, CLKF_SW_SUP, "abe_cm:clk:0040:8" }, + { OMAP4_TIMER5_CLKCTRL, omap4_timer5_bit_data, CLKF_SW_SUP, "abe_cm:clk:0048:24" }, + { OMAP4_TIMER6_CLKCTRL, omap4_timer6_bit_data, CLKF_SW_SUP, "abe_cm:clk:0050:24" }, + { OMAP4_TIMER7_CLKCTRL, omap4_timer7_bit_data, CLKF_SW_SUP, "abe_cm:clk:0058:24" }, + { OMAP4_TIMER8_CLKCTRL, omap4_timer8_bit_data, CLKF_SW_SUP, "abe_cm:clk:0060:24" }, { OMAP4_WD_TIMER3_CLKCTRL, NULL, CLKF_SW_SUP, "sys_32k_ck" }, { 0 }, }; @@ -287,7 +287,7 @@ static const struct omap_clkctrl_bit_dat
static const struct omap_clkctrl_reg_data omap4_iss_clkctrl_regs[] __initconst = { { OMAP4_ISS_CLKCTRL, omap4_iss_bit_data, CLKF_SW_SUP, "ducati_clk_mux_ck" }, - { OMAP4_FDIF_CLKCTRL, omap4_fdif_bit_data, CLKF_SW_SUP, "iss-clkctrl:0008:24" }, + { OMAP4_FDIF_CLKCTRL, omap4_fdif_bit_data, CLKF_SW_SUP, "iss_cm:clk:0008:24" }, { 0 }, };
@@ -320,7 +320,7 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap4_l3_dss_clkctrl_regs[] __initconst = { - { OMAP4_DSS_CORE_CLKCTRL, omap4_dss_core_bit_data, CLKF_SW_SUP, "l3-dss-clkctrl:0000:8" }, + { OMAP4_DSS_CORE_CLKCTRL, omap4_dss_core_bit_data, CLKF_SW_SUP, "l3_dss_cm:clk:0000:8" }, { 0 }, };
@@ -336,7 +336,7 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap4_l3_gfx_clkctrl_regs[] __initconst = { - { OMAP4_GPU_CLKCTRL, omap4_gpu_bit_data, CLKF_SW_SUP, "l3-gfx-clkctrl:0000:24" }, + { OMAP4_GPU_CLKCTRL, omap4_gpu_bit_data, CLKF_SW_SUP, "l3_gfx_cm:clk:0000:24" }, { 0 }, };
@@ -372,12 +372,12 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_usb_host_hs_utmi_p1_clk_parents[] __initconst = { - "l3-init-clkctrl:0038:24", + "l3_init_cm:clk:0038:24", NULL, };
static const char * const omap4_usb_host_hs_utmi_p2_clk_parents[] __initconst = { - "l3-init-clkctrl:0038:25", + "l3_init_cm:clk:0038:25", NULL, };
@@ -418,7 +418,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_usb_otg_hs_xclk_parents[] __initconst = { - "l3-init-clkctrl:0040:24", + "l3_init_cm:clk:0040:24", NULL, };
@@ -452,14 +452,14 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap4_l3_init_clkctrl_regs[] __initconst = { - { OMAP4_MMC1_CLKCTRL, omap4_mmc1_bit_data, CLKF_SW_SUP, "l3-init-clkctrl:0008:24" }, - { OMAP4_MMC2_CLKCTRL, omap4_mmc2_bit_data, CLKF_SW_SUP, "l3-init-clkctrl:0010:24" }, - { OMAP4_HSI_CLKCTRL, omap4_hsi_bit_data, CLKF_HW_SUP, "l3-init-clkctrl:0018:24" }, + { OMAP4_MMC1_CLKCTRL, omap4_mmc1_bit_data, CLKF_SW_SUP, "l3_init_cm:clk:0008:24" }, + { OMAP4_MMC2_CLKCTRL, omap4_mmc2_bit_data, CLKF_SW_SUP, "l3_init_cm:clk:0010:24" }, + { OMAP4_HSI_CLKCTRL, omap4_hsi_bit_data, CLKF_HW_SUP, "l3_init_cm:clk:0018:24" }, { OMAP4_USB_HOST_HS_CLKCTRL, omap4_usb_host_hs_bit_data, CLKF_SW_SUP, "init_60m_fclk" }, { OMAP4_USB_OTG_HS_CLKCTRL, omap4_usb_otg_hs_bit_data, CLKF_HW_SUP, "l3_div_ck" }, { OMAP4_USB_TLL_HS_CLKCTRL, omap4_usb_tll_hs_bit_data, CLKF_HW_SUP, "l4_div_ck" }, { OMAP4_USB_HOST_FS_CLKCTRL, NULL, CLKF_SW_SUP, "func_48mc_fclk" }, - { OMAP4_OCP2SCP_USB_PHY_CLKCTRL, omap4_ocp2scp_usb_phy_bit_data, CLKF_HW_SUP, "l3-init-clkctrl:00c0:8" }, + { OMAP4_OCP2SCP_USB_PHY_CLKCTRL, omap4_ocp2scp_usb_phy_bit_data, CLKF_HW_SUP, "l3_init_cm:clk:00c0:8" }, { 0 }, };
@@ -530,7 +530,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap4_per_mcbsp4_gfclk_parents[] __initconst = { - "l4-per-clkctrl:00c0:26", + "l4_per_cm:clk:00c0:26", "pad_clks_ck", NULL, }; @@ -570,12 +570,12 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap4_l4_per_clkctrl_regs[] __initconst = { - { OMAP4_TIMER10_CLKCTRL, omap4_timer10_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0008:24" }, - { OMAP4_TIMER11_CLKCTRL, omap4_timer11_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0010:24" }, - { OMAP4_TIMER2_CLKCTRL, omap4_timer2_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0018:24" }, - { OMAP4_TIMER3_CLKCTRL, omap4_timer3_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0020:24" }, - { OMAP4_TIMER4_CLKCTRL, omap4_timer4_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0028:24" }, - { OMAP4_TIMER9_CLKCTRL, omap4_timer9_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0030:24" }, + { OMAP4_TIMER10_CLKCTRL, omap4_timer10_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0008:24" }, + { OMAP4_TIMER11_CLKCTRL, omap4_timer11_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0010:24" }, + { OMAP4_TIMER2_CLKCTRL, omap4_timer2_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0018:24" }, + { OMAP4_TIMER3_CLKCTRL, omap4_timer3_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0020:24" }, + { OMAP4_TIMER4_CLKCTRL, omap4_timer4_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0028:24" }, + { OMAP4_TIMER9_CLKCTRL, omap4_timer9_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0030:24" }, { OMAP4_ELM_CLKCTRL, NULL, 0, "l4_div_ck" }, { OMAP4_GPIO2_CLKCTRL, omap4_gpio2_bit_data, CLKF_HW_SUP, "l4_div_ck" }, { OMAP4_GPIO3_CLKCTRL, omap4_gpio3_bit_data, CLKF_HW_SUP, "l4_div_ck" }, @@ -588,14 +588,14 @@ static const struct omap_clkctrl_reg_dat { OMAP4_I2C3_CLKCTRL, NULL, CLKF_SW_SUP, "func_96m_fclk" }, { OMAP4_I2C4_CLKCTRL, NULL, CLKF_SW_SUP, "func_96m_fclk" }, { OMAP4_L4_PER_CLKCTRL, NULL, 0, "l4_div_ck" }, - { OMAP4_MCBSP4_CLKCTRL, omap4_mcbsp4_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:00c0:24" }, + { OMAP4_MCBSP4_CLKCTRL, omap4_mcbsp4_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:00c0:24" }, { OMAP4_MCSPI1_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_MCSPI2_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_MCSPI3_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_MCSPI4_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_MMC3_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_MMC4_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, - { OMAP4_SLIMBUS2_CLKCTRL, omap4_slimbus2_bit_data, CLKF_SW_SUP, "l4-per-clkctrl:0118:8" }, + { OMAP4_SLIMBUS2_CLKCTRL, omap4_slimbus2_bit_data, CLKF_SW_SUP, "l4_per_cm:clk:0118:8" }, { OMAP4_UART1_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_UART2_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, { OMAP4_UART3_CLKCTRL, NULL, CLKF_SW_SUP, "func_48m_fclk" }, @@ -630,7 +630,7 @@ static const struct omap_clkctrl_reg_dat { OMAP4_L4_WKUP_CLKCTRL, NULL, 0, "l4_wkup_clk_mux_ck" }, { OMAP4_WD_TIMER2_CLKCTRL, NULL, CLKF_SW_SUP, "sys_32k_ck" }, { OMAP4_GPIO1_CLKCTRL, omap4_gpio1_bit_data, CLKF_HW_SUP, "l4_wkup_clk_mux_ck" }, - { OMAP4_TIMER1_CLKCTRL, omap4_timer1_bit_data, CLKF_SW_SUP, "l4-wkup-clkctrl:0020:24" }, + { OMAP4_TIMER1_CLKCTRL, omap4_timer1_bit_data, CLKF_SW_SUP, "l4_wkup_cm:clk:0020:24" }, { OMAP4_COUNTER_32K_CLKCTRL, NULL, 0, "sys_32k_ck" }, { OMAP4_KBD_CLKCTRL, NULL, CLKF_SW_SUP, "sys_32k_ck" }, { 0 }, @@ -644,7 +644,7 @@ static const char * const omap4_pmd_stm_ };
static const char * const omap4_trace_clk_div_div_ck_parents[] __initconst = { - "emu-sys-clkctrl:0000:22", + "emu_sys_cm:clk:0000:22", NULL, };
@@ -662,7 +662,7 @@ static const struct omap_clkctrl_div_dat };
static const char * const omap4_stm_clk_div_ck_parents[] __initconst = { - "emu-sys-clkctrl:0000:20", + "emu_sys_cm:clk:0000:20", NULL, };
@@ -716,73 +716,73 @@ static struct ti_dt_clk omap44xx_clks[] * hwmod support. Once hwmod is removed, these can be removed * also. */ - DT_CLK(NULL, "aess_fclk", "abe-clkctrl:0008:24"), - DT_CLK(NULL, "cm2_dm10_mux", "l4-per-clkctrl:0008:24"), - DT_CLK(NULL, "cm2_dm11_mux", "l4-per-clkctrl:0010:24"), - DT_CLK(NULL, "cm2_dm2_mux", "l4-per-clkctrl:0018:24"), - DT_CLK(NULL, "cm2_dm3_mux", "l4-per-clkctrl:0020:24"), - DT_CLK(NULL, "cm2_dm4_mux", "l4-per-clkctrl:0028:24"), - DT_CLK(NULL, "cm2_dm9_mux", "l4-per-clkctrl:0030:24"), - DT_CLK(NULL, "dmic_sync_mux_ck", "abe-clkctrl:0018:26"), - DT_CLK(NULL, "dmt1_clk_mux", "l4-wkup-clkctrl:0020:24"), - DT_CLK(NULL, "dss_48mhz_clk", "l3-dss-clkctrl:0000:9"), - DT_CLK(NULL, "dss_dss_clk", "l3-dss-clkctrl:0000:8"), - DT_CLK(NULL, "dss_sys_clk", "l3-dss-clkctrl:0000:10"), - DT_CLK(NULL, "dss_tv_clk", "l3-dss-clkctrl:0000:11"), - DT_CLK(NULL, "fdif_fck", "iss-clkctrl:0008:24"), - DT_CLK(NULL, "func_dmic_abe_gfclk", "abe-clkctrl:0018:24"), - DT_CLK(NULL, "func_mcasp_abe_gfclk", "abe-clkctrl:0020:24"), - DT_CLK(NULL, "func_mcbsp1_gfclk", "abe-clkctrl:0028:24"), - DT_CLK(NULL, "func_mcbsp2_gfclk", "abe-clkctrl:0030:24"), - DT_CLK(NULL, "func_mcbsp3_gfclk", "abe-clkctrl:0038:24"), - DT_CLK(NULL, "gpio1_dbclk", "l4-wkup-clkctrl:0018:8"), - DT_CLK(NULL, "gpio2_dbclk", "l4-per-clkctrl:0040:8"), - DT_CLK(NULL, "gpio3_dbclk", "l4-per-clkctrl:0048:8"), - DT_CLK(NULL, "gpio4_dbclk", "l4-per-clkctrl:0050:8"), - DT_CLK(NULL, "gpio5_dbclk", "l4-per-clkctrl:0058:8"), - DT_CLK(NULL, "gpio6_dbclk", "l4-per-clkctrl:0060:8"), - DT_CLK(NULL, "hsi_fck", "l3-init-clkctrl:0018:24"), - DT_CLK(NULL, "hsmmc1_fclk", "l3-init-clkctrl:0008:24"), - DT_CLK(NULL, "hsmmc2_fclk", "l3-init-clkctrl:0010:24"), - DT_CLK(NULL, "iss_ctrlclk", "iss-clkctrl:0000:8"), - DT_CLK(NULL, "mcasp_sync_mux_ck", "abe-clkctrl:0020:26"), - DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"), - DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"), - DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"), - DT_CLK(NULL, "mcbsp4_sync_mux_ck", "l4-per-clkctrl:00c0:26"), - DT_CLK(NULL, "ocp2scp_usb_phy_phy_48m", "l3-init-clkctrl:00c0:8"), - DT_CLK(NULL, "otg_60m_gfclk", "l3-init-clkctrl:0040:24"), - DT_CLK(NULL, "per_mcbsp4_gfclk", "l4-per-clkctrl:00c0:24"), - DT_CLK(NULL, "pmd_stm_clock_mux_ck", "emu-sys-clkctrl:0000:20"), - DT_CLK(NULL, "pmd_trace_clk_mux_ck", "emu-sys-clkctrl:0000:22"), - DT_CLK(NULL, "sgx_clk_mux", "l3-gfx-clkctrl:0000:24"), - DT_CLK(NULL, "slimbus1_fclk_0", "abe-clkctrl:0040:8"), - DT_CLK(NULL, "slimbus1_fclk_1", "abe-clkctrl:0040:9"), - DT_CLK(NULL, "slimbus1_fclk_2", "abe-clkctrl:0040:10"), - DT_CLK(NULL, "slimbus1_slimbus_clk", "abe-clkctrl:0040:11"), - DT_CLK(NULL, "slimbus2_fclk_0", "l4-per-clkctrl:0118:8"), - DT_CLK(NULL, "slimbus2_fclk_1", "l4-per-clkctrl:0118:9"), - DT_CLK(NULL, "slimbus2_slimbus_clk", "l4-per-clkctrl:0118:10"), - DT_CLK(NULL, "stm_clk_div_ck", "emu-sys-clkctrl:0000:27"), - DT_CLK(NULL, "timer5_sync_mux", "abe-clkctrl:0048:24"), - DT_CLK(NULL, "timer6_sync_mux", "abe-clkctrl:0050:24"), - DT_CLK(NULL, "timer7_sync_mux", "abe-clkctrl:0058:24"), - DT_CLK(NULL, "timer8_sync_mux", "abe-clkctrl:0060:24"), - DT_CLK(NULL, "trace_clk_div_div_ck", "emu-sys-clkctrl:0000:24"), - DT_CLK(NULL, "usb_host_hs_func48mclk", "l3-init-clkctrl:0038:15"), - DT_CLK(NULL, "usb_host_hs_hsic480m_p1_clk", "l3-init-clkctrl:0038:13"), - DT_CLK(NULL, "usb_host_hs_hsic480m_p2_clk", "l3-init-clkctrl:0038:14"), - DT_CLK(NULL, "usb_host_hs_hsic60m_p1_clk", "l3-init-clkctrl:0038:11"), - DT_CLK(NULL, "usb_host_hs_hsic60m_p2_clk", "l3-init-clkctrl:0038:12"), - DT_CLK(NULL, "usb_host_hs_utmi_p1_clk", "l3-init-clkctrl:0038:8"), - DT_CLK(NULL, "usb_host_hs_utmi_p2_clk", "l3-init-clkctrl:0038:9"), - DT_CLK(NULL, "usb_host_hs_utmi_p3_clk", "l3_init-clkctrl:0038:10"), - DT_CLK(NULL, "usb_otg_hs_xclk", "l3-init-clkctrl:0040:8"), - DT_CLK(NULL, "usb_tll_hs_usb_ch0_clk", "l3-init-clkctrl:0048:8"), - DT_CLK(NULL, "usb_tll_hs_usb_ch1_clk", "l3-init-clkctrl:0048:9"), - DT_CLK(NULL, "usb_tll_hs_usb_ch2_clk", "l3-init-clkctrl:0048:10"), - DT_CLK(NULL, "utmi_p1_gfclk", "l3-init-clkctrl:0038:24"), - DT_CLK(NULL, "utmi_p2_gfclk", "l3-init-clkctrl:0038:25"), + DT_CLK(NULL, "aess_fclk", "abe_cm:0008:24"), + DT_CLK(NULL, "cm2_dm10_mux", "l4_per_cm:0008:24"), + DT_CLK(NULL, "cm2_dm11_mux", "l4_per_cm:0010:24"), + DT_CLK(NULL, "cm2_dm2_mux", "l4_per_cm:0018:24"), + DT_CLK(NULL, "cm2_dm3_mux", "l4_per_cm:0020:24"), + DT_CLK(NULL, "cm2_dm4_mux", "l4_per_cm:0028:24"), + DT_CLK(NULL, "cm2_dm9_mux", "l4_per_cm:0030:24"), + DT_CLK(NULL, "dmic_sync_mux_ck", "abe_cm:0018:26"), + DT_CLK(NULL, "dmt1_clk_mux", "l4_wkup_cm:0020:24"), + DT_CLK(NULL, "dss_48mhz_clk", "l3_dss_cm:0000:9"), + DT_CLK(NULL, "dss_dss_clk", "l3_dss_cm:0000:8"), + DT_CLK(NULL, "dss_sys_clk", "l3_dss_cm:0000:10"), + DT_CLK(NULL, "dss_tv_clk", "l3_dss_cm:0000:11"), + DT_CLK(NULL, "fdif_fck", "iss_cm:0008:24"), + DT_CLK(NULL, "func_dmic_abe_gfclk", "abe_cm:0018:24"), + DT_CLK(NULL, "func_mcasp_abe_gfclk", "abe_cm:0020:24"), + DT_CLK(NULL, "func_mcbsp1_gfclk", "abe_cm:0028:24"), + DT_CLK(NULL, "func_mcbsp2_gfclk", "abe_cm:0030:24"), + DT_CLK(NULL, "func_mcbsp3_gfclk", "abe_cm:0038:24"), + DT_CLK(NULL, "gpio1_dbclk", "l4_wkup_cm:0018:8"), + DT_CLK(NULL, "gpio2_dbclk", "l4_per_cm:0040:8"), + DT_CLK(NULL, "gpio3_dbclk", "l4_per_cm:0048:8"), + DT_CLK(NULL, "gpio4_dbclk", "l4_per_cm:0050:8"), + DT_CLK(NULL, "gpio5_dbclk", "l4_per_cm:0058:8"), + DT_CLK(NULL, "gpio6_dbclk", "l4_per_cm:0060:8"), + DT_CLK(NULL, "hsi_fck", "l3_init_cm:0018:24"), + DT_CLK(NULL, "hsmmc1_fclk", "l3_init_cm:0008:24"), + DT_CLK(NULL, "hsmmc2_fclk", "l3_init_cm:0010:24"), + DT_CLK(NULL, "iss_ctrlclk", "iss_cm:0000:8"), + DT_CLK(NULL, "mcasp_sync_mux_ck", "abe_cm:0020:26"), + DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe_cm:0028:26"), + DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe_cm:0030:26"), + DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe_cm:0038:26"), + DT_CLK(NULL, "mcbsp4_sync_mux_ck", "l4_per_cm:00c0:26"), + DT_CLK(NULL, "ocp2scp_usb_phy_phy_48m", "l3_init_cm:00c0:8"), + DT_CLK(NULL, "otg_60m_gfclk", "l3_init_cm:0040:24"), + DT_CLK(NULL, "per_mcbsp4_gfclk", "l4_per_cm:00c0:24"), + DT_CLK(NULL, "pmd_stm_clock_mux_ck", "emu_sys_cm:0000:20"), + DT_CLK(NULL, "pmd_trace_clk_mux_ck", "emu_sys_cm:0000:22"), + DT_CLK(NULL, "sgx_clk_mux", "l3_gfx_cm:0000:24"), + DT_CLK(NULL, "slimbus1_fclk_0", "abe_cm:0040:8"), + DT_CLK(NULL, "slimbus1_fclk_1", "abe_cm:0040:9"), + DT_CLK(NULL, "slimbus1_fclk_2", "abe_cm:0040:10"), + DT_CLK(NULL, "slimbus1_slimbus_clk", "abe_cm:0040:11"), + DT_CLK(NULL, "slimbus2_fclk_0", "l4_per_cm:0118:8"), + DT_CLK(NULL, "slimbus2_fclk_1", "l4_per_cm:0118:9"), + DT_CLK(NULL, "slimbus2_slimbus_clk", "l4_per_cm:0118:10"), + DT_CLK(NULL, "stm_clk_div_ck", "emu_sys_cm:0000:27"), + DT_CLK(NULL, "timer5_sync_mux", "abe_cm:0048:24"), + DT_CLK(NULL, "timer6_sync_mux", "abe_cm:0050:24"), + DT_CLK(NULL, "timer7_sync_mux", "abe_cm:0058:24"), + DT_CLK(NULL, "timer8_sync_mux", "abe_cm:0060:24"), + DT_CLK(NULL, "trace_clk_div_div_ck", "emu_sys_cm:0000:24"), + DT_CLK(NULL, "usb_host_hs_func48mclk", "l3_init_cm:0038:15"), + DT_CLK(NULL, "usb_host_hs_hsic480m_p1_clk", "l3_init_cm:0038:13"), + DT_CLK(NULL, "usb_host_hs_hsic480m_p2_clk", "l3_init_cm:0038:14"), + DT_CLK(NULL, "usb_host_hs_hsic60m_p1_clk", "l3_init_cm:0038:11"), + DT_CLK(NULL, "usb_host_hs_hsic60m_p2_clk", "l3_init_cm:0038:12"), + DT_CLK(NULL, "usb_host_hs_utmi_p1_clk", "l3_init_cm:0038:8"), + DT_CLK(NULL, "usb_host_hs_utmi_p2_clk", "l3_init_cm:0038:9"), + DT_CLK(NULL, "usb_host_hs_utmi_p3_clk", "l3_init_cm:0038:10"), + DT_CLK(NULL, "usb_otg_hs_xclk", "l3_init_cm:0040:8"), + DT_CLK(NULL, "usb_tll_hs_usb_ch0_clk", "l3_init_cm:0048:8"), + DT_CLK(NULL, "usb_tll_hs_usb_ch1_clk", "l3_init_cm:0048:9"), + DT_CLK(NULL, "usb_tll_hs_usb_ch2_clk", "l3_init_cm:0048:10"), + DT_CLK(NULL, "utmi_p1_gfclk", "l3_init_cm:0038:24"), + DT_CLK(NULL, "utmi_p2_gfclk", "l3_init_cm:0038:25"), { .node_name = NULL }, };
--- a/drivers/clk/ti/clk-54xx.c +++ b/drivers/clk/ti/clk-54xx.c @@ -50,7 +50,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap5_dmic_gfclk_parents[] __initconst = { - "abe-clkctrl:0018:26", + "abe_cm:clk:0018:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -70,7 +70,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap5_mcbsp1_gfclk_parents[] __initconst = { - "abe-clkctrl:0028:26", + "abe_cm:clk:0028:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -83,7 +83,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap5_mcbsp2_gfclk_parents[] __initconst = { - "abe-clkctrl:0030:26", + "abe_cm:clk:0030:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -96,7 +96,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap5_mcbsp3_gfclk_parents[] __initconst = { - "abe-clkctrl:0038:26", + "abe_cm:clk:0038:26", "pad_clks_ck", "slimbus_clk", NULL, @@ -136,16 +136,16 @@ static const struct omap_clkctrl_bit_dat
static const struct omap_clkctrl_reg_data omap5_abe_clkctrl_regs[] __initconst = { { OMAP5_L4_ABE_CLKCTRL, NULL, 0, "abe_iclk" }, - { OMAP5_AESS_CLKCTRL, omap5_aess_bit_data, CLKF_SW_SUP, "abe-clkctrl:0008:24" }, + { OMAP5_AESS_CLKCTRL, omap5_aess_bit_data, CLKF_SW_SUP, "abe_cm:clk:0008:24" }, { OMAP5_MCPDM_CLKCTRL, NULL, CLKF_SW_SUP, "pad_clks_ck" }, - { OMAP5_DMIC_CLKCTRL, omap5_dmic_bit_data, CLKF_SW_SUP, "abe-clkctrl:0018:24" }, - { OMAP5_MCBSP1_CLKCTRL, omap5_mcbsp1_bit_data, CLKF_SW_SUP, "abe-clkctrl:0028:24" }, - { OMAP5_MCBSP2_CLKCTRL, omap5_mcbsp2_bit_data, CLKF_SW_SUP, "abe-clkctrl:0030:24" }, - { OMAP5_MCBSP3_CLKCTRL, omap5_mcbsp3_bit_data, CLKF_SW_SUP, "abe-clkctrl:0038:24" }, - { OMAP5_TIMER5_CLKCTRL, omap5_timer5_bit_data, CLKF_SW_SUP, "abe-clkctrl:0048:24" }, - { OMAP5_TIMER6_CLKCTRL, omap5_timer6_bit_data, CLKF_SW_SUP, "abe-clkctrl:0050:24" }, - { OMAP5_TIMER7_CLKCTRL, omap5_timer7_bit_data, CLKF_SW_SUP, "abe-clkctrl:0058:24" }, - { OMAP5_TIMER8_CLKCTRL, omap5_timer8_bit_data, CLKF_SW_SUP, "abe-clkctrl:0060:24" }, + { OMAP5_DMIC_CLKCTRL, omap5_dmic_bit_data, CLKF_SW_SUP, "abe_cm:clk:0018:24" }, + { OMAP5_MCBSP1_CLKCTRL, omap5_mcbsp1_bit_data, CLKF_SW_SUP, "abe_cm:clk:0028:24" }, + { OMAP5_MCBSP2_CLKCTRL, omap5_mcbsp2_bit_data, CLKF_SW_SUP, "abe_cm:clk:0030:24" }, + { OMAP5_MCBSP3_CLKCTRL, omap5_mcbsp3_bit_data, CLKF_SW_SUP, "abe_cm:clk:0038:24" }, + { OMAP5_TIMER5_CLKCTRL, omap5_timer5_bit_data, CLKF_SW_SUP, "abe_cm:clk:0048:24" }, + { OMAP5_TIMER6_CLKCTRL, omap5_timer6_bit_data, CLKF_SW_SUP, "abe_cm:clk:0050:24" }, + { OMAP5_TIMER7_CLKCTRL, omap5_timer7_bit_data, CLKF_SW_SUP, "abe_cm:clk:0058:24" }, + { OMAP5_TIMER8_CLKCTRL, omap5_timer8_bit_data, CLKF_SW_SUP, "abe_cm:clk:0060:24" }, { 0 }, };
@@ -266,12 +266,12 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap5_l4per_clkctrl_regs[] __initconst = { - { OMAP5_TIMER10_CLKCTRL, omap5_timer10_bit_data, CLKF_SW_SUP, "l4per-clkctrl:0008:24" }, - { OMAP5_TIMER11_CLKCTRL, omap5_timer11_bit_data, CLKF_SW_SUP, "l4per-clkctrl:0010:24" }, - { OMAP5_TIMER2_CLKCTRL, omap5_timer2_bit_data, CLKF_SW_SUP, "l4per-clkctrl:0018:24" }, - { OMAP5_TIMER3_CLKCTRL, omap5_timer3_bit_data, CLKF_SW_SUP, "l4per-clkctrl:0020:24" }, - { OMAP5_TIMER4_CLKCTRL, omap5_timer4_bit_data, CLKF_SW_SUP, "l4per-clkctrl:0028:24" }, - { OMAP5_TIMER9_CLKCTRL, omap5_timer9_bit_data, CLKF_SW_SUP, "l4per-clkctrl:0030:24" }, + { OMAP5_TIMER10_CLKCTRL, omap5_timer10_bit_data, CLKF_SW_SUP, "l4per_cm:clk:0008:24" }, + { OMAP5_TIMER11_CLKCTRL, omap5_timer11_bit_data, CLKF_SW_SUP, "l4per_cm:clk:0010:24" }, + { OMAP5_TIMER2_CLKCTRL, omap5_timer2_bit_data, CLKF_SW_SUP, "l4per_cm:clk:0018:24" }, + { OMAP5_TIMER3_CLKCTRL, omap5_timer3_bit_data, CLKF_SW_SUP, "l4per_cm:clk:0020:24" }, + { OMAP5_TIMER4_CLKCTRL, omap5_timer4_bit_data, CLKF_SW_SUP, "l4per_cm:clk:0028:24" }, + { OMAP5_TIMER9_CLKCTRL, omap5_timer9_bit_data, CLKF_SW_SUP, "l4per_cm:clk:0030:24" }, { OMAP5_GPIO2_CLKCTRL, omap5_gpio2_bit_data, CLKF_HW_SUP, "l4_root_clk_div" }, { OMAP5_GPIO3_CLKCTRL, omap5_gpio3_bit_data, CLKF_HW_SUP, "l4_root_clk_div" }, { OMAP5_GPIO4_CLKCTRL, omap5_gpio4_bit_data, CLKF_HW_SUP, "l4_root_clk_div" }, @@ -343,7 +343,7 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap5_dss_clkctrl_regs[] __initconst = { - { OMAP5_DSS_CORE_CLKCTRL, omap5_dss_core_bit_data, CLKF_SW_SUP, "dss-clkctrl:0000:8" }, + { OMAP5_DSS_CORE_CLKCTRL, omap5_dss_core_bit_data, CLKF_SW_SUP, "dss_cm:clk:0000:8" }, { 0 }, };
@@ -376,7 +376,7 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap5_gpu_clkctrl_regs[] __initconst = { - { OMAP5_GPU_CLKCTRL, omap5_gpu_core_bit_data, CLKF_SW_SUP, "gpu-clkctrl:0000:24" }, + { OMAP5_GPU_CLKCTRL, omap5_gpu_core_bit_data, CLKF_SW_SUP, "gpu_cm:clk:0000:24" }, { 0 }, };
@@ -387,7 +387,7 @@ static const char * const omap5_mmc1_fcl };
static const char * const omap5_mmc1_fclk_parents[] __initconst = { - "l3init-clkctrl:0008:24", + "l3init_cm:clk:0008:24", NULL, };
@@ -403,7 +403,7 @@ static const struct omap_clkctrl_bit_dat };
static const char * const omap5_mmc2_fclk_parents[] __initconst = { - "l3init-clkctrl:0010:24", + "l3init_cm:clk:0010:24", NULL, };
@@ -428,12 +428,12 @@ static const char * const omap5_usb_host };
static const char * const omap5_usb_host_hs_utmi_p1_clk_parents[] __initconst = { - "l3init-clkctrl:0038:24", + "l3init_cm:clk:0038:24", NULL, };
static const char * const omap5_usb_host_hs_utmi_p2_clk_parents[] __initconst = { - "l3init-clkctrl:0038:25", + "l3init_cm:clk:0038:25", NULL, };
@@ -492,8 +492,8 @@ static const struct omap_clkctrl_bit_dat };
static const struct omap_clkctrl_reg_data omap5_l3init_clkctrl_regs[] __initconst = { - { OMAP5_MMC1_CLKCTRL, omap5_mmc1_bit_data, CLKF_SW_SUP, "l3init-clkctrl:0008:25" }, - { OMAP5_MMC2_CLKCTRL, omap5_mmc2_bit_data, CLKF_SW_SUP, "l3init-clkctrl:0010:25" }, + { OMAP5_MMC1_CLKCTRL, omap5_mmc1_bit_data, CLKF_SW_SUP, "l3init_cm:clk:0008:25" }, + { OMAP5_MMC2_CLKCTRL, omap5_mmc2_bit_data, CLKF_SW_SUP, "l3init_cm:clk:0010:25" }, { OMAP5_USB_HOST_HS_CLKCTRL, omap5_usb_host_hs_bit_data, CLKF_SW_SUP, "l3init_60m_fclk" }, { OMAP5_USB_TLL_HS_CLKCTRL, omap5_usb_tll_hs_bit_data, CLKF_HW_SUP, "l4_root_clk_div" }, { OMAP5_SATA_CLKCTRL, omap5_sata_bit_data, CLKF_SW_SUP, "func_48m_fclk" }, @@ -517,7 +517,7 @@ static const struct omap_clkctrl_reg_dat { OMAP5_L4_WKUP_CLKCTRL, NULL, 0, "wkupaon_iclk_mux" }, { OMAP5_WD_TIMER2_CLKCTRL, NULL, CLKF_SW_SUP, "sys_32k_ck" }, { OMAP5_GPIO1_CLKCTRL, omap5_gpio1_bit_data, CLKF_HW_SUP, "wkupaon_iclk_mux" }, - { OMAP5_TIMER1_CLKCTRL, omap5_timer1_bit_data, CLKF_SW_SUP, "wkupaon-clkctrl:0020:24" }, + { OMAP5_TIMER1_CLKCTRL, omap5_timer1_bit_data, CLKF_SW_SUP, "wkupaon_cm:clk:0020:24" }, { OMAP5_COUNTER_32K_CLKCTRL, NULL, 0, "wkupaon_iclk_mux" }, { OMAP5_KBD_CLKCTRL, NULL, CLKF_SW_SUP, "sys_32k_ck" }, { 0 }, @@ -547,58 +547,58 @@ const struct omap_clkctrl_data omap5_clk static struct ti_dt_clk omap54xx_clks[] = { DT_CLK(NULL, "timer_32k_ck", "sys_32k_ck"), DT_CLK(NULL, "sys_clkin_ck", "sys_clkin"), - DT_CLK(NULL, "dmic_gfclk", "abe-clkctrl:0018:24"), - DT_CLK(NULL, "dmic_sync_mux_ck", "abe-clkctrl:0018:26"), - DT_CLK(NULL, "dss_32khz_clk", "dss-clkctrl:0000:11"), - DT_CLK(NULL, "dss_48mhz_clk", "dss-clkctrl:0000:9"), - DT_CLK(NULL, "dss_dss_clk", "dss-clkctrl:0000:8"), - DT_CLK(NULL, "dss_sys_clk", "dss-clkctrl:0000:10"), - DT_CLK(NULL, "gpio1_dbclk", "wkupaon-clkctrl:0018:8"), - DT_CLK(NULL, "gpio2_dbclk", "l4per-clkctrl:0040:8"), - DT_CLK(NULL, "gpio3_dbclk", "l4per-clkctrl:0048:8"), - DT_CLK(NULL, "gpio4_dbclk", "l4per-clkctrl:0050:8"), - DT_CLK(NULL, "gpio5_dbclk", "l4per-clkctrl:0058:8"), - DT_CLK(NULL, "gpio6_dbclk", "l4per-clkctrl:0060:8"), - DT_CLK(NULL, "gpio7_dbclk", "l4per-clkctrl:00f0:8"), - DT_CLK(NULL, "gpio8_dbclk", "l4per-clkctrl:00f8:8"), - DT_CLK(NULL, "mcbsp1_gfclk", "abe-clkctrl:0028:24"), - DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"), - DT_CLK(NULL, "mcbsp2_gfclk", "abe-clkctrl:0030:24"), - DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"), - DT_CLK(NULL, "mcbsp3_gfclk", "abe-clkctrl:0038:24"), - DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"), - DT_CLK(NULL, "mmc1_32khz_clk", "l3init-clkctrl:0008:8"), - DT_CLK(NULL, "mmc1_fclk", "l3init-clkctrl:0008:25"), - DT_CLK(NULL, "mmc1_fclk_mux", "l3init-clkctrl:0008:24"), - DT_CLK(NULL, "mmc2_fclk", "l3init-clkctrl:0010:25"), - DT_CLK(NULL, "mmc2_fclk_mux", "l3init-clkctrl:0010:24"), - DT_CLK(NULL, "sata_ref_clk", "l3init-clkctrl:0068:8"), - DT_CLK(NULL, "timer10_gfclk_mux", "l4per-clkctrl:0008:24"), - DT_CLK(NULL, "timer11_gfclk_mux", "l4per-clkctrl:0010:24"), - DT_CLK(NULL, "timer1_gfclk_mux", "wkupaon-clkctrl:0020:24"), - DT_CLK(NULL, "timer2_gfclk_mux", "l4per-clkctrl:0018:24"), - DT_CLK(NULL, "timer3_gfclk_mux", "l4per-clkctrl:0020:24"), - DT_CLK(NULL, "timer4_gfclk_mux", "l4per-clkctrl:0028:24"), - DT_CLK(NULL, "timer5_gfclk_mux", "abe-clkctrl:0048:24"), - DT_CLK(NULL, "timer6_gfclk_mux", "abe-clkctrl:0050:24"), - DT_CLK(NULL, "timer7_gfclk_mux", "abe-clkctrl:0058:24"), - DT_CLK(NULL, "timer8_gfclk_mux", "abe-clkctrl:0060:24"), - DT_CLK(NULL, "timer9_gfclk_mux", "l4per-clkctrl:0030:24"), - DT_CLK(NULL, "usb_host_hs_hsic480m_p1_clk", "l3init-clkctrl:0038:13"), - DT_CLK(NULL, "usb_host_hs_hsic480m_p2_clk", "l3init-clkctrl:0038:14"), - DT_CLK(NULL, "usb_host_hs_hsic480m_p3_clk", "l3init-clkctrl:0038:7"), - DT_CLK(NULL, "usb_host_hs_hsic60m_p1_clk", "l3init-clkctrl:0038:11"), - DT_CLK(NULL, "usb_host_hs_hsic60m_p2_clk", "l3init-clkctrl:0038:12"), - DT_CLK(NULL, "usb_host_hs_hsic60m_p3_clk", "l3init-clkctrl:0038:6"), - DT_CLK(NULL, "usb_host_hs_utmi_p1_clk", "l3init-clkctrl:0038:8"), - DT_CLK(NULL, "usb_host_hs_utmi_p2_clk", "l3init-clkctrl:0038:9"), - DT_CLK(NULL, "usb_host_hs_utmi_p3_clk", "l3init-clkctrl:0038:10"), - DT_CLK(NULL, "usb_otg_ss_refclk960m", "l3init-clkctrl:00d0:8"), - DT_CLK(NULL, "usb_tll_hs_usb_ch0_clk", "l3init-clkctrl:0048:8"), - DT_CLK(NULL, "usb_tll_hs_usb_ch1_clk", "l3init-clkctrl:0048:9"), - DT_CLK(NULL, "usb_tll_hs_usb_ch2_clk", "l3init-clkctrl:0048:10"), - DT_CLK(NULL, "utmi_p1_gfclk", "l3init-clkctrl:0038:24"), - DT_CLK(NULL, "utmi_p2_gfclk", "l3init-clkctrl:0038:25"), + DT_CLK(NULL, "dmic_gfclk", "abe_cm:0018:24"), + DT_CLK(NULL, "dmic_sync_mux_ck", "abe_cm:0018:26"), + DT_CLK(NULL, "dss_32khz_clk", "dss_cm:0000:11"), + DT_CLK(NULL, "dss_48mhz_clk", "dss_cm:0000:9"), + DT_CLK(NULL, "dss_dss_clk", "dss_cm:0000:8"), + DT_CLK(NULL, "dss_sys_clk", "dss_cm:0000:10"), + DT_CLK(NULL, "gpio1_dbclk", "wkupaon_cm:0018:8"), + DT_CLK(NULL, "gpio2_dbclk", "l4per_cm:0040:8"), + DT_CLK(NULL, "gpio3_dbclk", "l4per_cm:0048:8"), + DT_CLK(NULL, "gpio4_dbclk", "l4per_cm:0050:8"), + DT_CLK(NULL, "gpio5_dbclk", "l4per_cm:0058:8"), + DT_CLK(NULL, "gpio6_dbclk", "l4per_cm:0060:8"), + DT_CLK(NULL, "gpio7_dbclk", "l4per_cm:00f0:8"), + DT_CLK(NULL, "gpio8_dbclk", "l4per_cm:00f8:8"), + DT_CLK(NULL, "mcbsp1_gfclk", "abe_cm:0028:24"), + DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe_cm:0028:26"), + DT_CLK(NULL, "mcbsp2_gfclk", "abe_cm:0030:24"), + DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe_cm:0030:26"), + DT_CLK(NULL, "mcbsp3_gfclk", "abe_cm:0038:24"), + DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe_cm:0038:26"), + DT_CLK(NULL, "mmc1_32khz_clk", "l3init_cm:0008:8"), + DT_CLK(NULL, "mmc1_fclk", "l3init_cm:0008:25"), + DT_CLK(NULL, "mmc1_fclk_mux", "l3init_cm:0008:24"), + DT_CLK(NULL, "mmc2_fclk", "l3init_cm:0010:25"), + DT_CLK(NULL, "mmc2_fclk_mux", "l3init_cm:0010:24"), + DT_CLK(NULL, "sata_ref_clk", "l3init_cm:0068:8"), + DT_CLK(NULL, "timer10_gfclk_mux", "l4per_cm:0008:24"), + DT_CLK(NULL, "timer11_gfclk_mux", "l4per_cm:0010:24"), + DT_CLK(NULL, "timer1_gfclk_mux", "wkupaon_cm:0020:24"), + DT_CLK(NULL, "timer2_gfclk_mux", "l4per_cm:0018:24"), + DT_CLK(NULL, "timer3_gfclk_mux", "l4per_cm:0020:24"), + DT_CLK(NULL, "timer4_gfclk_mux", "l4per_cm:0028:24"), + DT_CLK(NULL, "timer5_gfclk_mux", "abe_cm:0048:24"), + DT_CLK(NULL, "timer6_gfclk_mux", "abe_cm:0050:24"), + DT_CLK(NULL, "timer7_gfclk_mux", "abe_cm:0058:24"), + DT_CLK(NULL, "timer8_gfclk_mux", "abe_cm:0060:24"), + DT_CLK(NULL, "timer9_gfclk_mux", "l4per_cm:0030:24"), + DT_CLK(NULL, "usb_host_hs_hsic480m_p1_clk", "l3init_cm:0038:13"), + DT_CLK(NULL, "usb_host_hs_hsic480m_p2_clk", "l3init_cm:0038:14"), + DT_CLK(NULL, "usb_host_hs_hsic480m_p3_clk", "l3init_cm:0038:7"), + DT_CLK(NULL, "usb_host_hs_hsic60m_p1_clk", "l3init_cm:0038:11"), + DT_CLK(NULL, "usb_host_hs_hsic60m_p2_clk", "l3init_cm:0038:12"), + DT_CLK(NULL, "usb_host_hs_hsic60m_p3_clk", "l3init_cm:0038:6"), + DT_CLK(NULL, "usb_host_hs_utmi_p1_clk", "l3init_cm:0038:8"), + DT_CLK(NULL, "usb_host_hs_utmi_p2_clk", "l3init_cm:0038:9"), + DT_CLK(NULL, "usb_host_hs_utmi_p3_clk", "l3init_cm:0038:10"), + DT_CLK(NULL, "usb_otg_ss_refclk960m", "l3init_cm:00d0:8"), + DT_CLK(NULL, "usb_tll_hs_usb_ch0_clk", "l3init_cm:0048:8"), + DT_CLK(NULL, "usb_tll_hs_usb_ch1_clk", "l3init_cm:0048:9"), + DT_CLK(NULL, "usb_tll_hs_usb_ch2_clk", "l3init_cm:0048:10"), + DT_CLK(NULL, "utmi_p1_gfclk", "l3init_cm:0038:24"), + DT_CLK(NULL, "utmi_p2_gfclk", "l3init_cm:0038:25"), { .node_name = NULL }, };
--- a/drivers/clk/ti/clkctrl.c +++ b/drivers/clk/ti/clkctrl.c @@ -511,6 +511,10 @@ static void __init _ti_omap4_clkctrl_set char *c; u16 soc_mask = 0;
+ if (!(ti_clk_get_features()->flags & TI_CLK_CLKCTRL_COMPAT) && + of_node_name_eq(node, "clk")) + ti_clk_features.flags |= TI_CLK_CLKCTRL_COMPAT; + addrp = of_get_address(node, 0, NULL, NULL); addr = (u32)of_translate_address(node, addrp);
From: Jason A. Donenfeld Jason@zx2c4.com
commit cd4f24ae9404fd31fc461066e57889be3b68641b upstream.
Prior to 5.6, when /dev/random was opened with O_NONBLOCK, it would return -EAGAIN if there was no entropy. When the pools were unified in 5.6, this was lost. The post 5.6 behavior of blocking until the pool is initialized, and ignoring O_NONBLOCK in the process, went unnoticed, with no reports about the regression received for two and a half years. However, eventually this indeed did break somebody's userspace.
So we restore the old behavior, by returning -EAGAIN if the pool is not initialized. Unlike the old /dev/random, this can only occur during early boot, after which it never blocks again.
In order to make this O_NONBLOCK behavior consistent with other expectations, also respect users reading with preadv2(RWF_NOWAIT) and similar.
Fixes: 30c08efec888 ("random: make /dev/random be almost like /dev/urandom") Reported-by: Guozihua guozihua@huawei.com Reported-by: Zhongguohua zhongguohua1@huawei.com Cc: Al Viro viro@zeniv.linux.org.uk Cc: Theodore Ts'o tytso@mit.edu Cc: Andrew Lutomirski luto@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld Jason@zx2c4.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/char/mem.c | 4 ++-- drivers/char/random.c | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -981,8 +981,8 @@ static const struct memdev { #endif [5] = { "zero", 0666, &zero_fops, 0 }, [7] = { "full", 0666, &full_fops, 0 }, - [8] = { "random", 0666, &random_fops, 0 }, - [9] = { "urandom", 0666, &urandom_fops, 0 }, + [8] = { "random", 0666, &random_fops, FMODE_NOWAIT }, + [9] = { "urandom", 0666, &urandom_fops, FMODE_NOWAIT }, #ifdef CONFIG_PRINTK [11] = { "kmsg", 0644, &kmsg_fops, 0 }, #endif --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1299,6 +1299,11 @@ static ssize_t random_read_iter(struct k { int ret;
+ if (!crng_ready() && + ((kiocb->ki_flags & (IOCB_NOWAIT | IOCB_NOIO)) || + (kiocb->ki_filp->f_flags & O_NONBLOCK))) + return -EAGAIN; + ret = wait_for_random_bytes(); if (ret != 0) return ret;
From: Jason A. Donenfeld Jason@zx2c4.com
commit e78a802a7b4febf53f2a92842f494b01062d85a8 upstream.
Since the most that's mixed into the pool is sizeof(long)*2, don't credit more than that many bytes of entropy.
Fixes: e3e33fc2ea7f ("random: do not use input pool from hard IRQs") Cc: stable@vger.kernel.org Signed-off-by: Jason A. Donenfeld Jason@zx2c4.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -981,7 +981,7 @@ static void mix_interrupt_randomness(str local_irq_enable();
mix_pool_bytes(pool, sizeof(pool)); - credit_init_bits(max(1u, (count & U16_MAX) / 64)); + credit_init_bits(clamp_t(unsigned int, (count & U16_MAX) / 64, 1, sizeof(pool) * 8));
memzero_explicit(pool, sizeof(pool)); }
From: Takashi Iwai tiwai@suse.de
commit 56e696c0f0c71b77fff921fc94b58a02f0445b2c upstream.
Hans reported that his Sony VAIO VPX11S1E showed the broken sound behavior at the start of the stream for a couple of seconds, and it turned out that the position_fix=1 option fixes the issue. It implies that the position reporting is inaccurate, and very likely hitting on all Poulsbo devices.
The patch applies the workaround for Poulsbo generically to switch to LPIB mode instead of the default position buffer.
Reported-and-tested-by: Hans de Goede hdegoede@redhat.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/3e8697e1-87c6-7a7b-d2e8-b21f1d2f181b@redhat.com Link: https://lore.kernel.org/r/20221001142124.7241-1-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- sound/pci/hda/hda_intel.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -2588,7 +2588,8 @@ static const struct pci_device_id azx_id .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_NOPM }, /* Poulsbo */ { PCI_DEVICE(0x8086, 0x811b), - .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE }, + .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE | + AZX_DCAPS_POSFIX_LPIB }, /* Oaktrail */ { PCI_DEVICE(0x8086, 0x080a), .driver_data = AZX_DRIVER_SCH | AZX_DCAPS_INTEL_PCH_BASE },
From: Orlando Chamberlain redecorating@protonmail.com
commit bab715bdaa9ebf28d99a6d1efb2704a30125e96d upstream.
It turns out Apple doesn't capitalise the "mini" in "Macmini" in DMI, which is inconsistent with other model line names.
Correct the capitalisation of Macmini in the quirk for skipping loading platform certs on T2 Macs.
Currently users get:
------------[ cut here ]------------ [Firmware Bug]: Page fault caused by firmware at PA: 0xffffa30640054000 WARNING: CPU: 1 PID: 8 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x55/0xe0 Modules linked in: CPU: 1 PID: 8 Comm: kworker/u12:0 Not tainted 5.18.14-arch1-2-t2 #1 4535eb3fc40fd08edab32a509fbf4c9bc52d111e Hardware name: Apple Inc. Macmini8,1/Mac-7BA5B2DFE22DDD8C, BIOS 1731.120.10.0.0 (iBridge: 19.16.15071.0.0,0) 04/24/2022 Workqueue: efi_rts_wq efi_call_rts ... ---[ end trace 0000000000000000 ]--- efi: Froze efi_rts_wq and disabled EFI Runtime Services integrity: Couldn't get size: 0x8000000000000015 integrity: MODSIGN: Couldn't get UEFI db list efi: EFI Runtime Services are disabled! integrity: Couldn't get size: 0x8000000000000015 integrity: Couldn't get UEFI dbx list
Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot for T2 Macs") Cc: stable@vger.kernel.org Cc: Aditya Garg gargaditya08@live.com Tested-by: Samuel Jiang chyishian.jiang@gmail.com Signed-off-by: Orlando Chamberlain redecorating@protonmail.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/integrity/platform_certs/load_uefi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -30,7 +30,7 @@ static const struct dmi_system_id uefi_s { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") }, - { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") }, + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "Macmini8,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") }, { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
From: Linus Torvalds torvalds@linux-foundation.org
commit 6022f210461fef67e6e676fd8544ca02d1bcfa7a upstream.
The passthrough structure is declared off of the stack, so it needs to be set to zero before copied back to userspace to prevent any unintentional data leakage. Switch things to be statically allocated which will fill the unused fields with 0 automatically.
Link: https://lore.kernel.org/r/YxrjN3OOw2HHl9tx@kroah.com Cc: stable@kernel.org Cc: "James E.J. Bottomley" jejb@linux.ibm.com Cc: "Martin K. Petersen" martin.petersen@oracle.com Cc: Dan Carpenter dan.carpenter@oracle.com Reported-by: hdthky hdthky0@gmail.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/scsi/stex.c | 17 +++++++++-------- include/scsi/scsi_cmnd.h | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-)
--- a/drivers/scsi/stex.c +++ b/drivers/scsi/stex.c @@ -668,16 +668,17 @@ stex_queuecommand_lck(struct scsi_cmnd * return 0; case PASSTHRU_CMD: if (cmd->cmnd[1] == PASSTHRU_GET_DRVVER) { - struct st_drvver ver; + const struct st_drvver ver = { + .major = ST_VER_MAJOR, + .minor = ST_VER_MINOR, + .oem = ST_OEM, + .build = ST_BUILD_VER, + .signature[0] = PASSTHRU_SIGNATURE, + .console_id = host->max_id - 1, + .host_no = hba->host->host_no, + }; size_t cp_len = sizeof(ver);
- ver.major = ST_VER_MAJOR; - ver.minor = ST_VER_MINOR; - ver.oem = ST_OEM; - ver.build = ST_BUILD_VER; - ver.signature[0] = PASSTHRU_SIGNATURE; - ver.console_id = host->max_id - 1; - ver.host_no = hba->host->host_no; cp_len = scsi_sg_copy_from_buffer(cmd, &ver, cp_len); cmd->result = sizeof(ver) == cp_len ? DID_OK << 16 | COMMAND_COMPLETE << 8 : --- a/include/scsi/scsi_cmnd.h +++ b/include/scsi/scsi_cmnd.h @@ -205,7 +205,7 @@ static inline unsigned int scsi_get_resi for_each_sg(scsi_sglist(cmd), sg, nseg, __i)
static inline int scsi_sg_copy_from_buffer(struct scsi_cmnd *cmd, - void *buf, int buflen) + const void *buf, int buflen) { return sg_copy_from_buffer(scsi_sglist(cmd), scsi_sg_count(cmd), buf, buflen);
From: Frank Wunderlich frank-w@public-files.de
commit eee48781ea199e32c1d0c4732641c494833788ca upstream.
Add support for Dell 5811e (EM7455) with USB-id 0x413c:0x81c2.
Signed-off-by: Frank Wunderlich frank-w@public-files.de Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/usb/serial/qcserial.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/qcserial.c +++ b/drivers/usb/serial/qcserial.c @@ -177,6 +177,7 @@ static const struct usb_device_id id_tab {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ + {DEVICE_SWI(0x413c, 0x81c2)}, /* Dell Wireless 5811e */ {DEVICE_SWI(0x413c, 0x81cb)}, /* Dell Wireless 5816e QDL */ {DEVICE_SWI(0x413c, 0x81cc)}, /* Dell Wireless 5816e */ {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */
From: Jason A. Donenfeld Jason@zx2c4.com
commit 9ee0507e896b45af6d65408c77815800bce30008 upstream.
In order to avoid reading and dirtying two cache lines on every IRQ, move the work_struct to the bottom of the fast_pool struct. add_ interrupt_randomness() always touches .pool and .count, which are currently split, because .mix pushes everything down. Instead, move .mix to the bottom, so that .pool and .count are always in the first cache line, since .mix is only accessed when the pool is full.
Fixes: 58340f8e952b ("random: defer fast pool mixing to worker") Reviewed-by: Sebastian Andrzej Siewior bigeasy@linutronix.de Signed-off-by: Jason A. Donenfeld Jason@zx2c4.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/char/random.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -895,10 +895,10 @@ void __cold add_bootloader_randomness(co EXPORT_SYMBOL_GPL(add_bootloader_randomness);
struct fast_pool { - struct work_struct mix; unsigned long pool[4]; unsigned long last; unsigned int count; + struct work_struct mix; };
static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = {
From: Jason A. Donenfeld Jason@zx2c4.com
commit 748bc4dd9e663f23448d8ad7e58c011a67ea1eca upstream.
Previously, the fast pool was dumped into the main pool periodically in the fast pool's hard IRQ handler. This worked fine and there weren't problems with it, until RT came around. Since RT converts spinlocks into sleeping locks, problems cropped up. Rather than switching to raw spinlocks, the RT developers preferred we make the transformation from originally doing:
do_some_stuff() spin_lock() do_some_other_stuff() spin_unlock()
to doing:
do_some_stuff() queue_work_on(some_other_stuff_worker)
This is an ordinary pattern done all over the kernel. However, Sherry noticed a 10% performance regression in qperf TCP over a 40gbps InfiniBand card. Quoting her message:
MT27500 Family [ConnectX-3] cards: Infiniband device 'mlx4_0' port 1 status: default gid: fe80:0000:0000:0000:0010:e000:0178:9eb1 base lid: 0x6 sm lid: 0x1 state: 4: ACTIVE phys state: 5: LinkUp rate: 40 Gb/sec (4X QDR) link_layer: InfiniBand
Cards are configured with IP addresses on private subnet for IPoIB performance testing. Regression identified in this bug is in TCP latency in this stack as reported by qperf tcp_lat metric:
We have one system listen as a qperf server: [root@yourQperfServer ~]# qperf
Have the other system connect to qperf server as a client (in this case, it’s X7 server with Mellanox card): [root@yourQperfClient ~]# numactl -m0 -N0 qperf 20.20.20.101 -v -uu -ub --time 60 --wait_server 20 -oo msg_size:4K:1024K:*2 tcp_lat
Rather than incur the scheduling latency from queue_work_on, we can instead switch to running on the next timer tick, on the same core. This also batches things a bit more -- once per jiffy -- which is okay now that mix_interrupt_randomness() can credit multiple bits at once.
Reported-by: Sherry Yang sherry.yang@oracle.com Tested-by: Paul Webb paul.x.webb@oracle.com Cc: Sherry Yang sherry.yang@oracle.com Cc: Phillip Goerl phillip.goerl@oracle.com Cc: Jack Vogel jack.vogel@oracle.com Cc: Nicky Veitch nicky.veitch@oracle.com Cc: Colm Harrington colm.harrington@oracle.com Cc: Ramanan Govindarajan ramanan.govindarajan@oracle.com Cc: Sebastian Andrzej Siewior bigeasy@linutronix.de Cc: Dominik Brodowski linux@dominikbrodowski.net Cc: Tejun Heo tj@kernel.org Cc: Sultan Alsawaf sultan@kerneltoast.com Cc: stable@vger.kernel.org Fixes: 58340f8e952b ("random: defer fast pool mixing to worker") Signed-off-by: Jason A. Donenfeld Jason@zx2c4.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/char/random.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)
--- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -898,17 +898,20 @@ struct fast_pool { unsigned long pool[4]; unsigned long last; unsigned int count; - struct work_struct mix; + struct timer_list mix; };
+static void mix_interrupt_randomness(struct timer_list *work); + static DEFINE_PER_CPU(struct fast_pool, irq_randomness) = { #ifdef CONFIG_64BIT #define FASTMIX_PERM SIPHASH_PERMUTATION - .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 } + .pool = { SIPHASH_CONST_0, SIPHASH_CONST_1, SIPHASH_CONST_2, SIPHASH_CONST_3 }, #else #define FASTMIX_PERM HSIPHASH_PERMUTATION - .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 } + .pool = { HSIPHASH_CONST_0, HSIPHASH_CONST_1, HSIPHASH_CONST_2, HSIPHASH_CONST_3 }, #endif + .mix = __TIMER_INITIALIZER(mix_interrupt_randomness, 0) };
/* @@ -950,7 +953,7 @@ int __cold random_online_cpu(unsigned in } #endif
-static void mix_interrupt_randomness(struct work_struct *work) +static void mix_interrupt_randomness(struct timer_list *work) { struct fast_pool *fast_pool = container_of(work, struct fast_pool, mix); /* @@ -1004,10 +1007,11 @@ void add_interrupt_randomness(int irq) if (new_count < 1024 && !time_is_before_jiffies(fast_pool->last + HZ)) return;
- if (unlikely(!fast_pool->mix.func)) - INIT_WORK(&fast_pool->mix, mix_interrupt_randomness); fast_pool->count |= MIX_INFLIGHT; - queue_work_on(raw_smp_processor_id(), system_highpri_wq, &fast_pool->mix); + if (!timer_pending(&fast_pool->mix)) { + fast_pool->mix.expires = jiffies; + add_timer_on(&fast_pool->mix, raw_smp_processor_id()); + } } EXPORT_SYMBOL_GPL(add_interrupt_randomness);
From: Johannes Berg johannes.berg@intel.com
commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element:
/* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2;
This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated.
Fix this by using size_t for the cpy_len variable.
This fixes CVE-2022-41674.
Reported-by: Soenke Huster shuster@seemoo.tu-darmstadt.de Tested-by: Soenke Huster shuster@seemoo.tu-darmstadt.de Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: Kees Cook keescook@chromium.org Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/wireless/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2228,7 +2228,7 @@ cfg80211_update_notlisted_nontrans(struc size_t new_ie_len; struct cfg80211_bss_ies *new_ies; const struct cfg80211_bss_ies *old; - u8 cpy_len; + size_t cpy_len;
lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
From: Johannes Berg johannes.berg@intel.com
commit 8f033d2becc24aa6bfd2a5c104407963560caabc upstream.
Per spec, the maximum value for the MaxBSSID ('n') indicator is 8, and the minimum is 1 since a multiple BSSID set with just one BSSID doesn't make sense (the # of BSSIDs is limited by 2^n).
Limit this in the parsing in both cfg80211 and mac80211, rejecting any elements with an invalid value.
This fixes potentially bad shifts in the processing of these inside the cfg80211_gen_new_bssid() function later.
I found this during the investigation of CVE-2022-41674 fixed by the previous patch.
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Fixes: 78ac51f81532 ("mac80211: support multi-bssid") Reviewed-by: Kees Cook keescook@chromium.org Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/mac80211/util.c | 2 ++ net/wireless/scan.c | 2 ++ 2 files changed, 4 insertions(+)
--- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1409,6 +1409,8 @@ static size_t ieee802_11_find_bssid_prof for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { if (elem->datalen < 2) continue; + if (elem->data[0] < 1 || elem->data[0] > 8) + continue;
for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 new_bssid[ETH_ALEN]; --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2093,6 +2093,8 @@ static void cfg80211_parse_mbssid_data(s for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) { if (elem->datalen < 4) continue; + if (elem->data[0] < 1 || (int)elem->data[0] > 8) + continue; for_each_element(sub, elem->data + 1, elem->datalen - 1) { u8 profile_len;
From: Johannes Berg johannes.berg@intel.com
commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
When iterating the elements here, ensure the length byte is present before checking it to see if the entire element will fit into the buffer.
Longer term, we should rewrite this code using the type-safe element iteration macros that check all of this.
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reported-by: Soenke Huster shuster@seemoo.tu-darmstadt.de Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/wireless/scan.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
- while (tmp_old + tmp_old[1] + 2 - ie <= ielen) { + while (tmp_old + 2 - ie <= ielen && + tmp_old + tmp_old[1] + 2 - ie <= ielen) { if (tmp_old[0] == 0) { tmp_old++; continue; @@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const * copied to new ie, skip ssid, capability, bssid-index ie */ tmp_new = sub_copy; - while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { + while (tmp_new + 2 - sub_copy <= subie_len && + tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || tmp_new[0] == WLAN_EID_SSID)) { memcpy(pos, tmp_new, tmp_new[1] + 2);
From: Johannes Berg johannes.berg@intel.com
commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f upstream.
There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro.
- In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data.
- In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there.
This fixes CVE-2022-42720.
Reported-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Tested-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/wireless/scan.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -143,18 +143,12 @@ static inline void bss_ref_get(struct cf lockdep_assert_held(&rdev->bss_lock);
bss->refcount++; - if (bss->pub.hidden_beacon_bss) { - bss = container_of(bss->pub.hidden_beacon_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } - if (bss->pub.transmitted_bss) { - bss = container_of(bss->pub.transmitted_bss, - struct cfg80211_internal_bss, - pub); - bss->refcount++; - } + + if (bss->pub.hidden_beacon_bss) + bss_from_pub(bss->pub.hidden_beacon_bss)->refcount++; + + if (bss->pub.transmitted_bss) + bss_from_pub(bss->pub.transmitted_bss)->refcount++; }
static inline void bss_ref_put(struct cfg80211_registered_device *rdev, @@ -1736,6 +1730,8 @@ cfg80211_bss_update(struct cfg80211_regi new->refcount = 1; INIT_LIST_HEAD(&new->hidden_list); INIT_LIST_HEAD(&new->pub.nontrans_list); + /* we'll set this later if it was non-NULL */ + new->pub.transmitted_bss = NULL;
if (rcu_access_pointer(tmp->pub.proberesp_ies)) { hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN); @@ -1973,10 +1969,15 @@ cfg80211_inform_single_bss_data(struct w spin_lock_bh(&rdev->bss_lock); if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, &res->pub)) { - if (__cfg80211_unlink_bss(rdev, res)) + if (__cfg80211_unlink_bss(rdev, res)) { rdev->bss_generation++; + res = NULL; + } } spin_unlock_bh(&rdev->bss_lock); + + if (!res) + return NULL; }
trace_cfg80211_return_bss(&res->pub);
From: Johannes Berg johannes.berg@intel.com
commit bcca852027e5878aec911a347407ecc88d6fff7f upstream.
If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted.
Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS.
This fixes CVE-2022-42721.
Reported-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Tested-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/wireless/scan.c | 9 +++++++++ 1 file changed, 9 insertions(+)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -425,6 +425,15 @@ cfg80211_add_nontrans_list(struct cfg802
rcu_read_unlock();
+ /* + * This is a bit weird - it's not on the list, but already on another + * one! The only way that could happen is if there's some BSSID/SSID + * shared by multiple APs in their multi-BSSID profiles, potentially + * with hidden SSID mixed in ... ignore it. + */ + if (!list_empty(&nontrans_bss->nontrans_list)) + return -EINVAL; + /* add to the list */ list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list); return 0;
From: Johannes Berg johannes.berg@intel.com
commit 1833b6f46d7e2830251a063935ab464256defe22 upstream.
If the tool on the other side (e.g. wmediumd) gets confused about the rate, we hit a warning in mac80211. Silence that by effectively duplicating the check here and dropping the frame silently (in mac80211 it's dropped with the warning).
Reported-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Tested-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/wireless/mac80211_hwsim.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -3675,6 +3675,8 @@ static int hwsim_cloned_frame_received_n
rx_status.band = channel->band; rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]); + if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates) + goto out; rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
hdr = (void *)skb->data;
From: Johannes Berg johannes.berg@intel.com
commit b2d03cabe2b2e150ff5a381731ea0355459be09f upstream.
If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device.
This fixes CVE-2022-42722.
Reported-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Fixes: 9eaf183af741 ("mac80211: Report beacon protection failures to user space") Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/mac80211/rx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)
--- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1975,10 +1975,11 @@ ieee80211_rx_h_decrypt(struct ieee80211_
if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS || mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS + - NUM_DEFAULT_BEACON_KEYS) { - cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, - skb->data, - skb->len); + NUM_DEFAULT_BEACON_KEYS) { + if (rx->sdata->dev) + cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, + skb->data, + skb->len); return RX_DROP_MONITOR; /* unexpected BIP keyidx */ }
@@ -2126,7 +2127,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_ /* either the frame has been decrypted or will be dropped */ status->flag |= RX_FLAG_DECRYPTED;
- if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE)) + if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && + rx->sdata->dev)) cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, skb->data, skb->len);
From: Johannes Berg johannes.berg@intel.com
commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream.
When updating beacon elements in a non-transmitted BSS, also update the hidden sub-entries to the same beacon elements, so that a future update through other paths won't trigger a WARN_ON().
The warning is triggered because the beacon elements in the hidden BSSes that are children of the BSS should always be the same as in the parent.
Reported-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Tested-by: Sönke Huster shuster@seemoo.tu-darmstadt.de Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/wireless/scan.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1602,6 +1602,23 @@ struct cfg80211_non_tx_bss { u8 bssid_index; };
+static void cfg80211_update_hidden_bsses(struct cfg80211_internal_bss *known, + const struct cfg80211_bss_ies *new_ies, + const struct cfg80211_bss_ies *old_ies) +{ + struct cfg80211_internal_bss *bss; + + /* Assign beacon IEs to all sub entries */ + list_for_each_entry(bss, &known->hidden_list, hidden_list) { + const struct cfg80211_bss_ies *ies; + + ies = rcu_access_pointer(bss->pub.beacon_ies); + WARN_ON(ies != old_ies); + + rcu_assign_pointer(bss->pub.beacon_ies, new_ies); + } +} + static bool cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, struct cfg80211_internal_bss *known, @@ -1625,7 +1642,6 @@ cfg80211_update_known_bss(struct cfg8021 kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); } else if (rcu_access_pointer(new->pub.beacon_ies)) { const struct cfg80211_bss_ies *old; - struct cfg80211_internal_bss *bss;
if (known->pub.hidden_beacon_bss && !list_empty(&known->hidden_list)) { @@ -1653,16 +1669,7 @@ cfg80211_update_known_bss(struct cfg8021 if (old == rcu_access_pointer(known->pub.ies)) rcu_assign_pointer(known->pub.ies, new->pub.beacon_ies);
- /* Assign beacon IEs to all sub entries */ - list_for_each_entry(bss, &known->hidden_list, hidden_list) { - const struct cfg80211_bss_ies *ies; - - ies = rcu_access_pointer(bss->pub.beacon_ies); - WARN_ON(ies != old); - - rcu_assign_pointer(bss->pub.beacon_ies, - new->pub.beacon_ies); - } + cfg80211_update_hidden_bsses(known, new->pub.beacon_ies, old);
if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head); @@ -2309,6 +2316,8 @@ cfg80211_update_notlisted_nontrans(struc } else { old = rcu_access_pointer(nontrans_bss->beacon_ies); rcu_assign_pointer(nontrans_bss->beacon_ies, new_ies); + cfg80211_update_hidden_bsses(bss_from_pub(nontrans_bss), + new_ies, old); rcu_assign_pointer(nontrans_bss->ies, new_ies); if (old) kfree_rcu((struct cfg80211_bss_ies *)old, rcu_head);
From: Pavel Rojtberg rojtberg@gmail.com
commit b382c5e37344883dc97525d05f1f6b788f549985 upstream.
This is based on multiple commits at https://github.com/paroj/xpad
Cc: stable@vger.kernel.org Signed-off-by: Jasper Poppe jgpoppe@gmail.com Signed-off-by: Jeremy Palmer jpalmer@linz.govt.nz Signed-off-by: Ruineka ruinairas1992@gmail.com Signed-off-by: Cleber de Mattos Casali clebercasali@gmail.com Signed-off-by: Kyle Gospodnetich me@kylegospodneti.ch Signed-off-by: Pavel Rojtberg rojtberg@gmail.com Link: https://lore.kernel.org/r/20220818154411.510308-2-rojtberg@gmail.com Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/input/joystick/xpad.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+)
--- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -112,6 +112,8 @@ static const struct xpad_device { u8 xtype; } xpad_device[] = { { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff01, "Wooting One (Legacy)", 0, XTYPE_XBOX360 }, + { 0x03eb, 0xff02, "Wooting Two (Legacy)", 0, XTYPE_XBOX360 }, { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX }, { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX }, { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, @@ -242,6 +244,7 @@ static const struct xpad_device { { 0x0f0d, 0x0063, "Hori Real Arcade Pro Hayabusa (USA) Xbox One", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, { 0x0f0d, 0x0067, "HORIPAD ONE", 0, XTYPE_XBOXONE }, { 0x0f0d, 0x0078, "Hori Real Arcade Pro V Kai Xbox One", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, + { 0x0f0d, 0x00c5, "Hori Fighting Commander ONE", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, { 0x0f30, 0x010b, "Philips Recoil", 0, XTYPE_XBOX }, { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, @@ -258,6 +261,7 @@ static const struct xpad_device { { 0x1430, 0x8888, "TX6500+ Dance Pad (first generation)", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX }, { 0x1430, 0xf801, "RedOctane Controller", 0, XTYPE_XBOX360 }, { 0x146b, 0x0601, "BigBen Interactive XBOX 360 Controller", 0, XTYPE_XBOX360 }, + { 0x146b, 0x0604, "Bigben Interactive DAIJA Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, { 0x1532, 0x0037, "Razer Sabertooth", 0, XTYPE_XBOX360 }, { 0x1532, 0x0a00, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOXONE }, { 0x1532, 0x0a03, "Razer Wildcat", 0, XTYPE_XBOXONE }, @@ -322,6 +326,7 @@ static const struct xpad_device { { 0x24c6, 0x5502, "Hori Fighting Stick VX Alt", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, { 0x24c6, 0x5503, "Hori Fighting Edge", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, { 0x24c6, 0x5506, "Hori SOULCALIBUR V Stick", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x5510, "Hori Fighting Commander ONE (Xbox 360/PC Mode)", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, { 0x24c6, 0x550d, "Hori GEM Xbox controller", 0, XTYPE_XBOX360 }, { 0x24c6, 0x550e, "Hori Real Arcade Pro V Kai 360", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, { 0x24c6, 0x551a, "PowerA FUSION Pro Controller", 0, XTYPE_XBOXONE }, @@ -331,6 +336,14 @@ static const struct xpad_device { { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 }, { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 }, { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 }, + { 0x2563, 0x058d, "OneXPlayer Gamepad", 0, XTYPE_XBOX360 }, + { 0x2dc8, 0x2000, "8BitDo Pro 2 Wired Controller fox Xbox", 0, XTYPE_XBOXONE }, + { 0x31e3, 0x1100, "Wooting One", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1210, "Wooting Lekker", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1220, "Wooting Two HE", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1300, "Wooting 60HE (AVR)", 0, XTYPE_XBOX360 }, + { 0x31e3, 0x1310, "Wooting 60HE (ARM)", 0, XTYPE_XBOX360 }, { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 }, { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX }, @@ -416,6 +429,7 @@ static const signed short xpad_abs_trigg static const struct usb_device_id xpad_table[] = { { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */ + XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ @@ -426,6 +440,7 @@ static const struct usb_device_id xpad_t { USB_DEVICE(0x0738, 0x4540) }, /* Mad Catz Beat Pad */ XPAD_XBOXONE_VENDOR(0x0738), /* Mad Catz FightStick TE 2 */ XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz GamePad */ + XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */ XPAD_XBOX360_VENDOR(0x0e6f), /* 0x0e6f X-Box 360 controllers */ XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ @@ -446,8 +461,12 @@ static const struct usb_device_id xpad_t XPAD_XBOXONE_VENDOR(0x20d6), /* PowerA Controllers */ XPAD_XBOX360_VENDOR(0x24c6), /* PowerA Controllers */ XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */ + XPAD_XBOX360_VENDOR(0x2563), /* OneXPlayer Gamepad */ + XPAD_XBOX360_VENDOR(0x260d), /* Dareu H101 */ + XPAD_XBOXONE_VENDOR(0x2dc8), /* 8BitDo Pro 2 Wired Controller for Xbox */ XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */ XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */ + XPAD_XBOX360_VENDOR(0x31e3), /* Wooting Keyboards */ XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */ { } };
From: Cameron Gutman aicommander@gmail.com
commit a17b9841152e7f4621619902b347e2cc39c32996 upstream.
Suspending and resuming the system can sometimes cause the out URB to get hung after a reset_resume. This causes LED setting and force feedback to break on resume. To avoid this, just drop the reset_resume callback so the USB core rebinds xpad to the wireless pads on resume if a reset happened.
A nice side effect of this change is the LED ring on wireless controllers is now set correctly on system resume.
Cc: stable@vger.kernel.org Fixes: 4220f7db1e42 ("Input: xpad - workaround dead irq_out after suspend/ resume") Signed-off-by: Cameron Gutman aicommander@gmail.com Signed-off-by: Pavel Rojtberg rojtberg@gmail.com Link: https://lore.kernel.org/r/20220818154411.510308-3-rojtberg@gmail.com Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/input/joystick/xpad.c | 1 - 1 file changed, 1 deletion(-)
--- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -1983,7 +1983,6 @@ static struct usb_driver xpad_driver = { .disconnect = xpad_disconnect, .suspend = xpad_suspend, .resume = xpad_resume, - .reset_resume = xpad_resume, .id_table = xpad_table, };
From: Shunsuke Mie mie@igel.co.jp
commit 3e42deaac06567c7e86d287c305ccda24db4ae3d upstream.
Each transfer test functions have same parameter checking code. This patch unites those to an introduced function.
Signed-off-by: Shunsuke Mie mie@igel.co.jp Cc: stable stable@kernel.org Link: https://lore.kernel.org/r/20220907020100.122588-1-mie@igel.co.jp Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/misc/pci_endpoint_test.c | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-)
--- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -331,6 +331,17 @@ static bool pci_endpoint_test_msi_irq(st return false; }
+static int pci_endpoint_test_validate_xfer_params(struct device *dev, + struct pci_endpoint_test_xfer_param *param, size_t alignment) +{ + if (param->size > SIZE_MAX - alignment) { + dev_dbg(dev, "Maximum transfer data size exceeded\n"); + return -EINVAL; + } + + return 0; +} + static bool pci_endpoint_test_copy(struct pci_endpoint_test *test, unsigned long arg) { @@ -362,9 +373,11 @@ static bool pci_endpoint_test_copy(struc return false; }
+ err = pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); + if (err) + return false; + size = param.size; - if (size > SIZE_MAX - alignment) - goto err;
use_dma = !!(param.flags & PCITEST_FLAGS_USE_DMA); if (use_dma) @@ -496,9 +509,11 @@ static bool pci_endpoint_test_write(stru return false; }
+ err = pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); + if (err) + return false; + size = param.size; - if (size > SIZE_MAX - alignment) - goto err;
use_dma = !!(param.flags & PCITEST_FLAGS_USE_DMA); if (use_dma) @@ -594,9 +609,11 @@ static bool pci_endpoint_test_read(struc return false; }
+ err = pci_endpoint_test_validate_xfer_params(dev, ¶m, alignment); + if (err) + return false; + size = param.size; - if (size > SIZE_MAX - alignment) - goto err;
use_dma = !!(param.flags & PCITEST_FLAGS_USE_DMA); if (use_dma)
From: Shunsuke Mie mie@igel.co.jp
commit 8e30538eca016de8e252bef174beadecd64239f0 upstream.
The dma_map_single() doesn't permit zero length mapping. It causes a follow panic.
A panic was reported on arm64:
[ 60.137988] ------------[ cut here ]------------ [ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624! [ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l 2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn c videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl [ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237 [ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) [ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590 [ 60.213149] lr : swiotlb_map+0x88/0x1f0 [ 60.216982] sp : ffff80000a883bc0 [ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000 [ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0 [ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000 [ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000 [ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180 [ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000 [ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000 [ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001 [ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010 [ 60.291658] Call trace: [ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590 [ 60.298629] swiotlb_map+0x88/0x1f0 [ 60.302115] dma_map_page_attrs+0x188/0x230 [ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test] [ 60.312660] __arm64_sys_ioctl+0xa8/0xf0 [ 60.316583] invoke_syscall+0x44/0x108 [ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0 [ 60.325038] do_el0_svc+0x2c/0xb8 [ 60.328351] el0_svc+0x2c/0x88 [ 60.331406] el0t_64_sync_handler+0xb8/0xc0 [ 60.335587] el0t_64_sync+0x18c/0x190 [ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000) [ 60.345344] ---[ end trace 0000000000000000 ]---
To fix it, this patch adds a checking the payload length if it is zero.
Fixes: 343dc693f7b7 ("misc: pci_endpoint_test: Prevent some integer overflows") Cc: stable stable@kernel.org Signed-off-by: Shunsuke Mie mie@igel.co.jp Link: https://lore.kernel.org/r/20220907020100.122588-2-mie@igel.co.jp Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/misc/pci_endpoint_test.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -334,6 +334,11 @@ static bool pci_endpoint_test_msi_irq(st static int pci_endpoint_test_validate_xfer_params(struct device *dev, struct pci_endpoint_test_xfer_param *param, size_t alignment) { + if (!param->size) { + dev_dbg(dev, "Data size is zero\n"); + return -EINVAL; + } + if (param->size > SIZE_MAX - alignment) { dev_dbg(dev, "Maximum transfer data size exceeded\n"); return -EINVAL;
Hi!
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5...
Tested-by: Pavel Machek (CIP) pavel@denx.de
Best regards, Pavel
On 10/13/22 10:51, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.148-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below.
thanks,
greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on BMIPS_GENERIC:
Tested-by: Florian Fainelli f.fainelli@gmail.com
On Thu, 13 Oct 2022 at 23:25, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.148-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below.
thanks,
greg k-h
Results from Linaro's test farm. No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing lkft@linaro.org
## Build * kernel: 5.10.148-rc1 * git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc * git branch: linux-5.10.y * git commit: 4ff6e9bba3ff6321ee46a6d40266296a615fe9b9 * git describe: v5.10.147-55-g4ff6e9bba3ff * test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.10.y/build/v5.10....
## No Test Regressions (compared to v5.10.147)
## No Metric Regressions (compared to v5.10.147)
## No Test Fixes (compared to v5.10.147)
## No Metric Fixes (compared to v5.10.147)
## No Test result summary
total: 107457, pass: 92929, fail: 1326, skip: 12843, xfail: 359
## Build Summary * arc: 10 total, 10 passed, 0 failed * arm: 332 total, 332 passed, 0 failed * arm64: 65 total, 63 passed, 2 failed * i386: 55 total, 53 passed, 2 failed * mips: 56 total, 56 passed, 0 failed * parisc: 12 total, 12 passed, 0 failed * powerpc: 60 total, 55 passed, 5 failed * riscv: 27 total, 27 passed, 0 failed * s390: 24 total, 24 passed, 0 failed * sh: 24 total, 24 passed, 0 failed * sparc: 12 total, 12 passed, 0 failed * x86_64: 58 total, 56 passed, 2 failed
## Test suites summary * fwts * igt-gpu-tools * kselftest-android * kselftest-arm64 * kselftest-arm64/arm64.btitest.bti_c_func * kselftest-arm64/arm64.btitest.bti_j_func * kselftest-arm64/arm64.btitest.bti_jc_func * kselftest-arm64/arm64.btitest.bti_none_func * kselftest-arm64/arm64.btitest.nohint_func * kselftest-arm64/arm64.btitest.paciasp_func * kselftest-arm64/arm64.nobtitest.bti_c_func * kselftest-arm64/arm64.nobtitest.bti_j_func * kselftest-arm64/arm64.nobtitest.bti_jc_func * kselftest-arm64/arm64.nobtitest.bti_none_func * kselftest-arm64/arm64.nobtitest.nohint_func * kselftest-arm64/arm64.nobtitest.paciasp_func * kselftest-breakpoints * kselftest-capabilities * kselftest-drivers-dma-buf * kselftest-efivarfs * kselftest-filesystems * kselftest-filesystems-binderfs * kselftest-firmware * kselftest-fpu * kselftest-futex * kselftest-gpio * kselftest-intel_pstate * kselftest-ipc * kselftest-ir * kselftest-kcmp * kselftest-kexec * kselftest-kvm * kselftest-lib * kselftest-livepatch * kselftest-membarrier * kselftest-memfd * kselftest-memory-hotplug * kselftest-mincore * kselftest-mount * kselftest-mqueue * kselftest-net * kselftest-net-forwarding * kselftest-netfilter * kselftest-nsfs * kselftest-openat2 * kselftest-pid_namespace * kselftest-pidfd * kselftest-proc * kselftest-pstore * kselftest-ptrace * kselftest-rseq * kselftest-rtc * kselftest-tc-testing * kselftest-timens * kselftest-timers * kselftest-tmpfs * kselftest-tpm2 * kselftest-user * kselftest-vm * kselftest-x86 * kselftest-zram * kunit * kvm-unit-tests * libgpiod * libhugetlbfs * log-parser-boot * log-parser-test * ltp-cap_bounds * ltp-commands * ltp-containers * ltp-controllers * ltp-cpuhotplug * ltp-crypto * ltp-cve * ltp-dio * ltp-fcntl-locktests * ltp-filecaps * ltp-fs * ltp-fs_bind * ltp-fs_perms_simple * ltp-fsx * ltp-hugetlb * ltp-io * ltp-ipc * ltp-math * ltp-mm * ltp-nptl * ltp-open-posix-tests * ltp-pty * ltp-sched * ltp-securebits * ltp-syscalls * ltp-tracing * network-basic-tests * packetdrill * perf * perf/Zstd-perf.data-compression * rcutorture * v4l2-compliance * vdso
-- Linaro LKFT https://lkft.linaro.org
Hi Greg,
On Thu, Oct 13, 2022 at 07:51:54PM +0200, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
Build test (gcc version 11.3.1 20220925): mips: 63 configs -> no failure arm: 104 configs -> no failure arm64: 3 configs -> no failure x86_64: 4 configs -> no failure alpha allmodconfig -> no failure powerpc allmodconfig -> no failure riscv allmodconfig -> no failure s390 allmodconfig -> no failure xtensa allmodconfig -> no failure
Boot test: x86_64: Booted on my test laptop. No regression. x86_64: Booted on qemu. No regression. [1] arm64: Booted on rpi4b (4GB model). No regression. [2]
[1]. https://openqa.qa.codethink.co.uk/tests/1988 [2]. https://openqa.qa.codethink.co.uk/tests/1993
Tested-by: Sudip Mukherjee sudip.mukherjee@codethink.co.uk
On Thu, 13 Oct 2022 19:51:54 +0200, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.148-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below.
thanks,
greg k-h
All tests passing for Tegra ...
Test results for stable-v5.10: 10 builds: 10 pass, 0 fail 28 boots: 28 pass, 0 fail 75 tests: 75 pass, 0 fail
Linux version: 5.10.148-rc1-g4ff6e9bba3ff Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000, tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000, tegra20-ventana, tegra210-p2371-2180, tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter jonathanh@nvidia.com
Jon
On 10/13/22 11:51, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.148-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan skhan@linuxfoundation.org
Just a note: I am debugging drm issue from a previous rc (5.10.146) and I will let you know once I bisect and figure the offending patch.
This is not related to this rc - doesn't stop from releasing this one.
thanks, -- Shuah
On Thu, Oct 13, 2022 at 1:55 PM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
5.10.148-rc1 compiled and booted on my x86_64 test system. No errors or regressions.
Tested-by: Slade Watkins srw@sladewatkins.net
Thanks, -srw
On Thu, Oct 13, 2022 at 07:51:54PM +0200, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
Build results: total: 163 pass: 163 fail: 0 Qemu test results: total: 475 pass: 475 fail: 0
Tested-by: Guenter Roeck linux@roeck-us.net
Guenter
On Thu, Oct 13, 2022 at 07:51:54PM +0200, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
Hi Greg,
5.10.148-rc1 tested.
Run tested on: - Intel Skylake x86_64 (nuc6 i5-6260U)
In addition - build tested for: - Allwinner A64 - Allwinner H3 - Allwinner H5 - Allwinner H6 - Rockchip RK3288 - Rockchip RK3328 - Rockchip RK3399pro
Tested-by: Rudi Heitbaum rudi@heitbaum.com -- Rudi
On 2022/10/14 1:51, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.10.148 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sat, 15 Oct 2022 17:51:33 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.148-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below.
thanks,
greg k-h
Tested on arm64 and x86 for 5.10.148-rc1,
Kernel repo:https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git Branch: linux-5.10.y Version: 5.10.148-rc1 Commit: 1a3141006d41369149bdab31a4f17d65a4e8e819 Compiler: gcc version 7.3.0 (GCC)
arm64: -------------------------------------------------------------------- Testcase Result Summary: total: 9023 passed: 9023 failed: 0 timeout: 0 --------------------------------------------------------------------
x86: -------------------------------------------------------------------- Testcase Result Summary: total: 9023 passed: 9023 failed: 0 timeout: 0 -------------------------------------------------------------------- Tested-by: Hulk Robot hulkrobot@huawei.com
linux-stable-mirror@lists.linaro.org
-
Florian Fainelli -
Greg Kroah-Hartman -
Guenter Roeck -
Jon Hunter -
Naresh Kamboju -
Pavel Machek -
Rudi Heitbaum -
Shuah Khan -
Slade Watkins -
Sudip Mukherjee (Codethink) -
zhouzhixiu