[PATCH AUTOSEL 5.4 01/27] spi: spi-cadence: Fix SPI CS gets toggling sporadically

List overview All Threads
Download

newer

older

[PATCH AUTOSEL 4.14 01/17] spi:...

Dear Old Friend

Sasha Levin

28 Jun 2022 28 Jun '22

2:23 a.m.

From: Sai Krishna Potthuri lakshmi.sai.krishna.potthuri@xilinx.com

[ Upstream commit 21b511ddee09a78909035ec47a6a594349fe3296 ]

As part of unprepare_transfer_hardware, SPI controller will be disabled which will indirectly deassert the CS line. This will create a problem in some of the devices where message will be transferred with cs_change flag set(CS should not be deasserted). As per SPI controller implementation, if SPI controller is disabled then all output enables are inactive and all pins are set to input mode which means CS will go to default state high(deassert). This leads to an issue when core explicitly ask not to deassert the CS (cs_change = 1). This patch fix the above issue by checking the Slave select status bits from configuration register before disabling the SPI.

Signed-off-by: Sai Krishna Potthuri lakshmi.sai.krishna.potthuri@xilinx.com Signed-off-by: Amit Kumar Mahapatra amit.kumar-mahapatra@xilinx.com Link: https://lore.kernel.org/r/20220606062525.18447-1-amit.kumar-mahapatra@xilinx... Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/spi/spi-cadence.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c index 5ac60d06c674..91cd1578ec70 100644 --- a/drivers/spi/spi-cadence.c +++ b/drivers/spi/spi-cadence.c @@ -69,6 +69,7 @@ #define CDNS_SPI_BAUD_DIV_SHIFT 3 /* Baud rate divisor shift in CR */ #define CDNS_SPI_SS_SHIFT 10 /* Slave Select field shift in CR */ #define CDNS_SPI_SS0 0x1 /* Slave Select zero */ +#define CDNS_SPI_NOSS 0x3C /* No Slave select */

/* * SPI Interrupt Registers bit Masks @@ -449,15 +450,20 @@ static int cdns_prepare_transfer_hardware(struct spi_master *master) * @master: Pointer to the spi_master structure which provides * information about the controller. * - * This function disables the SPI master controller. + * This function disables the SPI master controller when no slave selected. * * Return: 0 always */ static int cdns_unprepare_transfer_hardware(struct spi_master *master) { struct cdns_spi *xspi = spi_master_get_devdata(master); + u32 ctrl_reg;

- cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE); + /* Disable the SPI if slave is deselected */ + ctrl_reg = cdns_spi_read(xspi, CDNS_SPI_CR); + ctrl_reg = (ctrl_reg & CDNS_SPI_CR_SSCTRL) >> CDNS_SPI_SS_SHIFT; + if (ctrl_reg == CDNS_SPI_NOSS) + cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);

return 0; }

-- 2.35.1

Show replies by date

Sasha Levin

28 Jun 28 Jun

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 02/27] spi: cadence: Detect transmit FIFO depth

From: Lars-Peter Clausen lars@metafoo.de

[ Upstream commit 7b40322f7183a92c4303457528ae7cda571c60b9 ]

The depth of the transmit FIFO for the Cadence SPI controller is currently hardcoded to 128. But the depth is a synthesis configuration parameter of the core and can vary between different SoCs.

If the configured FIFO size is less than 128 the driver will busy loop in the cdns_spi_fill_tx_fifo() function waiting for FIFO space to become available.

Depending on the length and speed of the transfer it can spin for a significant amount of time. The cdns_spi_fill_tx_fifo() function is called from the drivers interrupt handler, so it can leave interrupts disabled for a prolonged amount of time.

In addition the read FIFO will also overflow and data will be discarded.

To avoid this detect the actual size of the FIFO and use that rather than the hardcoded value.

To detect the FIFO size the FIFO threshold register is used. The register is sized so that it can hold FIFO size - 1 as its maximum value. Bits that are not needed to hold the threshold value will always read 0. By writing 0xffff to the register and then reading back the value in the register we get the FIFO size.

Signed-off-by: Lars-Peter Clausen lars@metafoo.de Link: https://lore.kernel.org/r/20220527091143.3780378-1-lars@metafoo.de Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/spi/spi-cadence.c | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c index 91cd1578ec70..af47525faefb 100644 --- a/drivers/spi/spi-cadence.c +++ b/drivers/spi/spi-cadence.c @@ -93,9 +93,6 @@ #define CDNS_SPI_ER_ENABLE 0x00000001 /* SPI Enable Bit Mask */ #define CDNS_SPI_ER_DISABLE 0x0 /* SPI Disable Bit Mask */

-/* SPI FIFO depth in bytes */ -#define CDNS_SPI_FIFO_DEPTH 128 - /* Default number of chip select lines */ #define CDNS_SPI_DEFAULT_NUM_CS 4

@@ -111,6 +108,7 @@ * @rx_bytes: Number of bytes requested * @dev_busy: Device busy flag * @is_decoded_cs: Flag for decoder property set or not + * @tx_fifo_depth: Depth of the TX FIFO */ struct cdns_spi { void __iomem *regs; @@ -124,6 +122,7 @@ struct cdns_spi { int rx_bytes; u8 dev_busy; u32 is_decoded_cs; + unsigned int tx_fifo_depth; };

/* Macros for the SPI controller read/write */ @@ -305,7 +304,7 @@ static void cdns_spi_fill_tx_fifo(struct cdns_spi *xspi) { unsigned long trans_cnt = 0;

- while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) && + while ((trans_cnt < xspi->tx_fifo_depth) && (xspi->tx_bytes > 0)) {

/* When xspi in busy condition, bytes may send failed, @@ -468,6 +467,24 @@ static int cdns_unprepare_transfer_hardware(struct spi_master *master) return 0; }

+/** + * cdns_spi_detect_fifo_depth - Detect the FIFO depth of the hardware + * @xspi: Pointer to the cdns_spi structure + * + * The depth of the TX FIFO is a synthesis configuration parameter of the SPI + * IP. The FIFO threshold register is sized so that its maximum value can be the + * FIFO size - 1. This is used to detect the size of the FIFO. + */ +static void cdns_spi_detect_fifo_depth(struct cdns_spi *xspi) +{ + /* The MSBs will get truncated giving us the size of the FIFO */ + cdns_spi_write(xspi, CDNS_SPI_THLD, 0xffff); + xspi->tx_fifo_depth = cdns_spi_read(xspi, CDNS_SPI_THLD) + 1; + + /* Reset to default */ + cdns_spi_write(xspi, CDNS_SPI_THLD, 0x1); +} + /** * cdns_spi_probe - Probe method for the SPI driver * @pdev: Pointer to the platform_device structure @@ -540,6 +557,8 @@ static int cdns_spi_probe(struct platform_device *pdev) if (ret < 0) xspi->is_decoded_cs = 0;

+ cdns_spi_detect_fifo_depth(xspi); + /* SPI controller initializations */ cdns_spi_init_hw(xspi);

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 03/27] ALSA: usb-audio: US16x08: Move overflow check before array access

From: Daniil Dementev d.dementev@ispras.ru

[ Upstream commit 3ddbe35d9a2ebd4924d458e0246b4ba6c13bb456 ]

Buffer overflow could occur in the loop "while", due to accessing an array element before checking the index.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Daniil Dementev d.dementev@ispras.ru Reviewed-by: Alexey Khoroshilov khoroshilov@ispras.ru Link: https://lore.kernel.org/r/20220610165732.2904-1-d.dementev@ispras.ru Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/usb/mixer_us16x08.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c index c6c834ac83ac..5e4aa1207c1b 100644 --- a/sound/usb/mixer_us16x08.c +++ b/sound/usb/mixer_us16x08.c @@ -637,10 +637,10 @@ static int snd_get_meter_comp_index(struct snd_us16x08_meter_store *store) } } else { /* skip channels with no compressor active */ - while (!store->comp_store->val[ + while (store->comp_index <= SND_US16X08_MAX_CHANNELS + && !store->comp_store->val[ COMP_STORE_IDX(SND_US16X08_ID_COMP_SWITCH)] - [store->comp_index - 1] - && store->comp_index <= SND_US16X08_MAX_CHANNELS) { + [store->comp_index - 1]) { store->comp_index++; } ret = store->comp_index++;

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 04/27] drm/vc4: crtc: Use an union to store the page flip callback

From: Maxime Ripard maxime@cerno.tech

[ Upstream commit 2523e9dcc3be91bf9fdc0d1e542557ca00bbef42 ]

We'll need to extend the vc4_async_flip_state structure to rely on another callback implementation, so let's move the current one into a union.

Reviewed-by: Melissa Wen mwen@igalia.com Signed-off-by: Maxime Ripard maxime@cerno.tech Link: https://lore.kernel.org/r/20220610115149.964394-10-maxime@cerno.tech Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/vc4/vc4_crtc.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index f1f0a7c87771..c2ff62917c09 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -834,17 +834,17 @@ struct vc4_async_flip_state { struct drm_framebuffer *old_fb; struct drm_pending_vblank_event *event;

- struct vc4_seqno_cb cb; + union { + struct vc4_seqno_cb seqno; + } cb; };

/* Called when the V3D execution for the BO being flipped to is done, so that * we can actually update the plane's address to point to it. */ static void -vc4_async_page_flip_complete(struct vc4_seqno_cb *cb) +vc4_async_page_flip_complete(struct vc4_async_flip_state *flip_state) { - struct vc4_async_flip_state *flip_state = - container_of(cb, struct vc4_async_flip_state, cb); struct drm_crtc *crtc = flip_state->crtc; struct drm_device *dev = crtc->dev; struct vc4_dev *vc4 = to_vc4_dev(dev); @@ -883,6 +883,14 @@ vc4_async_page_flip_complete(struct vc4_seqno_cb *cb) up(&vc4->async_modeset); }

+static void vc4_async_page_flip_seqno_complete(struct vc4_seqno_cb *cb) +{ + struct vc4_async_flip_state *flip_state = + container_of(cb, struct vc4_async_flip_state, cb.seqno); + + vc4_async_page_flip_complete(flip_state); +} + /* Implements async (non-vblank-synced) page flips. * * The page flip ioctl needs to return immediately, so we grab the @@ -953,8 +961,8 @@ static int vc4_async_page_flip(struct drm_crtc *crtc, */ drm_atomic_set_fb_for_plane(plane->state, fb);

- vc4_queue_seqno_cb(dev, &flip_state->cb, bo->seqno, - vc4_async_page_flip_complete); + vc4_queue_seqno_cb(dev, &flip_state->cb.seqno, bo->seqno, + vc4_async_page_flip_seqno_complete);

/* Driver takes ownership of state on successful async commit. */ return 0;

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 05/27] drm/vc4: crtc: Move the BO handling out of common page-flip callback

From: Maxime Ripard maxime@cerno.tech

[ Upstream commit 4d12c36fb73b5c49fe2f95d06515fd9846010fd2 ]

We'll soon introduce another completion callback source that won't need to use the BO reference counting, so let's move it around to create a function we will be able to share between both callbacks.

Reviewed-by: Melissa Wen mwen@igalia.com Signed-off-by: Maxime Ripard maxime@cerno.tech Link: https://lore.kernel.org/r/20220610115149.964394-11-maxime@cerno.tech Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/vc4/vc4_crtc.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index c2ff62917c09..a977172ba26f 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -862,21 +862,8 @@ vc4_async_page_flip_complete(struct vc4_async_flip_state *flip_state) drm_crtc_vblank_put(crtc); drm_framebuffer_put(flip_state->fb);

- /* Decrement the BO usecnt in order to keep the inc/dec calls balanced - * when the planes are updated through the async update path. - * FIXME: we should move to generic async-page-flip when it's - * available, so that we can get rid of this hand-made cleanup_fb() - * logic. - */ - if (flip_state->old_fb) { - struct drm_gem_cma_object *cma_bo; - struct vc4_bo *bo; - - cma_bo = drm_fb_cma_get_gem_obj(flip_state->old_fb, 0); - bo = to_vc4_bo(&cma_bo->base); - vc4_bo_dec_usecnt(bo); + if (flip_state->old_fb) drm_framebuffer_put(flip_state->old_fb); - }

kfree(flip_state);

@@ -887,8 +874,27 @@ static void vc4_async_page_flip_seqno_complete(struct vc4_seqno_cb *cb) { struct vc4_async_flip_state *flip_state = container_of(cb, struct vc4_async_flip_state, cb.seqno); + struct vc4_bo *bo = NULL; + + if (flip_state->old_fb) { + struct drm_gem_cma_object *cma_bo = + drm_fb_cma_get_gem_obj(flip_state->old_fb, 0); + bo = to_vc4_bo(&cma_bo->base); + }

vc4_async_page_flip_complete(flip_state); + + /* + * Decrement the BO usecnt in order to keep the inc/dec + * calls balanced when the planes are updated through + * the async update path. + * + * FIXME: we should move to generic async-page-flip when + * it's available, so that we can get rid of this + * hand-made cleanup_fb() logic. + */ + if (bo) + vc4_bo_dec_usecnt(bo); }

/* Implements async (non-vblank-synced) page flips.

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 06/27] ALSA: x86: intel_hdmi_audio: enable pm_runtime and set autosuspend delay

From: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com

[ Upstream commit e87c65aeb46ca4f5b7dc08531200bcb8a426c62e ]

The existing code uses pm_runtime_get_sync/put_autosuspend, but pm_runtime was not explicitly enabled. The autosuspend delay was not set either, the value is set to 5s since HDMI is rather painful to resume.

Signed-off-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com Reviewed-by: Bard Liao yung-chuan.liao@linux.intel.com Reviewed-by: Kai Vehmanen kai.vehmanen@linux.intel.com Reviewed-by: Ranjani Sridharan ranjani.sridharan@linux.intel.com Link: https://lore.kernel.org/r/20220616222910.136854-2-pierre-louis.bossart@linux... Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/x86/intel_hdmi_audio.c | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/sound/x86/intel_hdmi_audio.c b/sound/x86/intel_hdmi_audio.c index a314f13e3292..f16e936559c3 100644 --- a/sound/x86/intel_hdmi_audio.c +++ b/sound/x86/intel_hdmi_audio.c @@ -33,6 +33,8 @@ #include <drm/intel_lpe_audio.h> #include "intel_hdmi_audio.h"

+#define INTEL_HDMI_AUDIO_SUSPEND_DELAY_MS 5000 + #define for_each_pipe(card_ctx, pipe) \ for ((pipe) = 0; (pipe) < (card_ctx)->num_pipes; (pipe)++) #define for_each_port(card_ctx, port) \ @@ -1843,8 +1845,11 @@ static int hdmi_lpe_audio_probe(struct platform_device *pdev) pdata->notify_audio_lpe = notify_audio_lpe; spin_unlock_irq(&pdata->lpe_audio_slock);

+ pm_runtime_set_autosuspend_delay(&pdev->dev, INTEL_HDMI_AUDIO_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_enable(&pdev->dev); pm_runtime_mark_last_busy(&pdev->dev); + pm_runtime_idle(&pdev->dev);

dev_dbg(&pdev->dev, "%s: handle pending notification\n", __func__); for_each_port(card_ctx, port) {

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 07/27] ALSA: x86: intel_hdmi_audio: use pm_runtime_resume_and_get()

From: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com

[ Upstream commit bb30b453fedac277d66220431fd7063d9ddc10d8 ]

The current code does not check for errors and does not release the reference on errors.

Signed-off-by: Pierre-Louis Bossart pierre-louis.bossart@linux.intel.com Reviewed-by: Bard Liao yung-chuan.liao@linux.intel.com Reviewed-by: Kai Vehmanen kai.vehmanen@linux.intel.com Reviewed-by: Ranjani Sridharan ranjani.sridharan@linux.intel.com Link: https://lore.kernel.org/r/20220616222910.136854-3-pierre-louis.bossart@linux... Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/x86/intel_hdmi_audio.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sound/x86/intel_hdmi_audio.c b/sound/x86/intel_hdmi_audio.c index f16e936559c3..e6f6a1b59047 100644 --- a/sound/x86/intel_hdmi_audio.c +++ b/sound/x86/intel_hdmi_audio.c @@ -1067,7 +1067,9 @@ static int had_pcm_open(struct snd_pcm_substream *substream) intelhaddata = snd_pcm_substream_chip(substream); runtime = substream->runtime;

- pm_runtime_get_sync(intelhaddata->dev); + retval = pm_runtime_resume_and_get(intelhaddata->dev); + if (retval < 0) + return retval;

/* set the runtime hw parameter with local snd_pcm_hardware struct */ runtime->hw = had_pcm_hardware; @@ -1568,8 +1570,12 @@ static void had_audio_wq(struct work_struct *work) container_of(work, struct snd_intelhad, hdmi_audio_wq); struct intel_hdmi_lpe_audio_pdata *pdata = ctx->dev->platform_data; struct intel_hdmi_lpe_audio_port_pdata *ppdata = &pdata->port[ctx->port]; + int ret; + + ret = pm_runtime_resume_and_get(ctx->dev); + if (ret < 0) + return;

- pm_runtime_get_sync(ctx->dev); mutex_lock(&ctx->mutex); if (ppdata->pipe < 0) { dev_dbg(ctx->dev, "%s: Event: HAD_NOTIFY_HOT_UNPLUG : port = %d\n",

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 08/27] hamradio: 6pack: fix array-index-out-of-bounds in decode_std_command()

From: Xu Jia xujia39@huawei.com

[ Upstream commit 2b04495e21cdb9b45c28c6aeb2da560184de20a3 ]

Hulk Robot reports incorrect sp->rx_count_cooked value in decode_std_command(). This should be caused by the subtracting from sp->rx_count_cooked before. It seems that sp->rx_count_cooked value is changed to 0, which bypassed the previous judgment.

The situation is shown below:

sp->rx_count_cooked is a shared variable but is not protected by a lock. The same applies to sp->rx_count. This patch adds a lock to fix the bug.

The fail log is shown below: ======================================================================= UBSAN: array-index-out-of-bounds in drivers/net/hamradio/6pack.c:925:31 index 400 is out of range for type 'unsigned char [400]' CPU: 3 PID: 7433 Comm: kworker/u10:1 Not tainted 5.18.0-rc5-00163-g4b97bac0756a #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events_unbound flush_to_ldisc Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ubsan_epilogue+0xb/0x50 __ubsan_handle_out_of_bounds.cold+0x62/0x6c sixpack_receive_buf+0xfda/0x1330 tty_ldisc_receive_buf+0x13e/0x180 tty_port_default_receive_buf+0x6d/0xa0 flush_to_ldisc+0x213/0x3f0 process_one_work+0x98f/0x1620 worker_thread+0x665/0x1080 kthread+0x2e9/0x3a0 ret_from_fork+0x1f/0x30 ...

Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Xu Jia xujia39@huawei.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/hamradio/6pack.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c index 83dc1c2c3b84..d92df9bafbbd 100644 --- a/drivers/net/hamradio/6pack.c +++ b/drivers/net/hamradio/6pack.c @@ -99,6 +99,7 @@ struct sixpack {

unsigned int rx_count; unsigned int rx_count_cooked; + spinlock_t rxlock;

int mtu; /* Our mtu (to spot changes!) */ int buffsize; /* Max buffers sizes */ @@ -570,6 +571,7 @@ static int sixpack_open(struct tty_struct *tty) sp->dev = dev;

spin_lock_init(&sp->lock); + spin_lock_init(&sp->rxlock); refcount_set(&sp->refcnt, 1); init_completion(&sp->dead);

@@ -925,6 +927,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd) sp->led_state = 0x60; /* fill trailing bytes with zeroes */ sp->tty->ops->write(sp->tty, &sp->led_state, 1); + spin_lock_bh(&sp->rxlock); rest = sp->rx_count; if (rest != 0) for (i = rest; i <= 3; i++) @@ -942,6 +945,7 @@ static void decode_std_command(struct sixpack *sp, unsigned char cmd) sp_bump(sp, 0); } sp->rx_count_cooked = 0; + spin_unlock_bh(&sp->rxlock); } break; case SIXP_TX_URUN: printk(KERN_DEBUG "6pack: TX underrun\n"); @@ -971,8 +975,11 @@ sixpack_decode(struct sixpack *sp, const unsigned char *pre_rbuff, int count) decode_prio_command(sp, inbyte); else if ((inbyte & SIXP_STD_CMD_MASK) != 0) decode_std_command(sp, inbyte); - else if ((sp->status & SIXP_RX_DCD_MASK) == SIXP_RX_DCD_MASK) + else if ((sp->status & SIXP_RX_DCD_MASK) == SIXP_RX_DCD_MASK) { + spin_lock_bh(&sp->rxlock); decode_data(sp, inbyte); + spin_unlock_bh(&sp->rxlock); + } } }

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 09/27] drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in vxge-main.c

From: Wentao_Liang Wentao_Liang_g@163.com

[ Upstream commit 8fc74d18639a2402ca52b177e990428e26ea881f ]

The pointer vdev points to a memory region adjacent to a net_device structure ndev, which is a field of hldev. At line 4740, the invocation to vxge_device_unregister unregisters device hldev, and it also releases the memory region pointed by vdev->bar0. At line 4743, the freed memory region is referenced (i.e., iounmap(vdev->bar0)), resulting in a use-after-free vulnerability. We can fix the bug by calling iounmap before vxge_device_unregister.

4721. static void vxge_remove(struct pci_dev *pdev) 4722. { 4723. struct __vxge_hw_device *hldev; 4724. struct vxgedev *vdev; … 4731. vdev = netdev_priv(hldev->ndev); … 4740. vxge_device_unregister(hldev); 4741. /* Do not call pci_disable_sriov here, as it will break child devices */ 4742. vxge_hw_device_terminate(hldev); 4743. iounmap(vdev->bar0); … 4749 vxge_debug_init(vdev->level_trace, "%s:%d Device unregistered", 4750 __func__, __LINE__); 4751 vxge_debug_entryexit(vdev->level_trace, "%s:%d Exiting...", __func__, 4752 __LINE__); 4753. }

This is the screenshot when the vulnerability is triggered by using KASAN. We can see that there is a use-after-free reported by KASAN.

/***************************start**************************/

root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove [ 178.296316] vxge_remove [ 182.057081] ================================================================== [ 182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c [ 182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119 [ 182.057983] [ 182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5 [ 182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 182.059463] Call Trace: [ 182.059726] <TASK> [ 182.060017] dump_stack_lvl+0x34/0x44 [ 182.060316] print_report.cold+0xb2/0x6b7 [ 182.060401] ? kfree+0x89/0x290 [ 182.060478] ? vxge_remove+0xe0/0x15c [ 182.060545] kasan_report+0xa9/0x120 [ 182.060629] ? vxge_remove+0xe0/0x15c [ 182.060706] vxge_remove+0xe0/0x15c [ 182.060793] pci_device_remove+0x5d/0xe0 [ 182.060968] device_release_driver_internal+0xf1/0x180 [ 182.061063] pci_stop_bus_device+0xae/0xe0 [ 182.061150] pci_stop_and_remove_bus_device_locked+0x11/0x20 [ 182.061236] remove_store+0xc6/0xe0 [ 182.061297] ? subordinate_bus_number_show+0xc0/0xc0 [ 182.061359] ? __mutex_lock_slowpath+0x10/0x10 [ 182.061438] ? sysfs_kf_write+0x6d/0xa0 [ 182.061525] kernfs_fop_write_iter+0x1b0/0x260 [ 182.061610] ? sysfs_kf_bin_read+0xf0/0xf0 [ 182.061695] new_sync_write+0x209/0x310 [ 182.061789] ? new_sync_read+0x310/0x310 [ 182.061865] ? cgroup_rstat_updated+0x5c/0x170 [ 182.061937] ? preempt_count_sub+0xf/0xb0 [ 182.061995] ? pick_next_entity+0x13a/0x220 [ 182.062063] ? __inode_security_revalidate+0x44/0x80 [ 182.062155] ? security_file_permission+0x46/0x2a0 [ 182.062230] vfs_write+0x33f/0x3e0 [ 182.062303] ksys_write+0xb4/0x150 [ 182.062369] ? __ia32_sys_read+0x40/0x40 [ 182.062451] do_syscall_64+0x3b/0x90 [ 182.062531] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 182.062894] RIP: 0033:0x7f3f37d17274 [ 182.063558] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 48 8d 05 89 54 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53 [ 182.063797] RSP: 002b:00007ffd5ba9e178 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 182.064117] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3f37d17274 [ 182.064219] RDX: 0000000000000002 RSI: 000055bbec327180 RDI: 0000000000000001 [ 182.064315] RBP: 000055bbec327180 R08: 000000000000000a R09: 00007f3f37de7cf0 [ 182.064414] R10: 000000000000000a R11: 0000000000000246 R12: 00007f3f37de8760 [ 182.064513] R13: 0000000000000002 R14: 00007f3f37de3760 R15: 0000000000000002 [ 182.064691] </TASK> [ 182.064916] [ 182.065224] The buggy address belongs to the physical page: [ 182.065804] page:00000000ef31e4f4 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6c76 [ 182.067419] flags: 0x100000000000000(node=0|zone=1) [ 182.068997] raw: 0100000000000000 0000000000000000 ffffea00001b1d88 0000000000000000 [ 182.069118] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 182.069294] page dumped because: kasan: bad access detected [ 182.069331] [ 182.069360] Memory state around the buggy address: [ 182.070006] ffff888006c76480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 182.070136] ffff888006c76500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 182.070230] >ffff888006c76580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 182.070305] ^ [ 182.070456] ffff888006c76600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 182.070505] ffff888006c76680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 182.070606] ================================================================== [ 182.071374] Disabling lock debugging due to kernel taint

/*****************************end*****************************/

After fixing the bug as done in the patch, we can find KASAN do not report the bug and the device(00:03.0) has been successfully removed.

/*****************************start***************************/

root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove root@kernel:~#

/******************************end****************************/

Signed-off-by: Wentao_Liang Wentao_Liang_g@163.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/neterion/vxge/vxge-main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c index 607e2ff272dc..b734347ca0d7 100644 --- a/drivers/net/ethernet/neterion/vxge/vxge-main.c +++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c @@ -4775,10 +4775,10 @@ static void vxge_remove(struct pci_dev *pdev) for (i = 0; i < vdev->no_of_vpath; i++) vxge_free_mac_add_list(&vdev->vpaths[i]);

+ iounmap(vdev->bar0); vxge_device_unregister(hldev); /* Do not call pci_disable_sriov here, as it will break child devices */ vxge_hw_device_terminate(hldev); - iounmap(vdev->bar0); pci_release_region(pdev, 0); pci_disable_device(pdev); driver_config->config_dev_cnt--;

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 10/27] powerpc/prom_init: Fix build failure with GCC_PLUGIN_STRUCTLEAK_BYREF_ALL and KASAN

From: Christophe Leroy christophe.leroy@csgroup.eu

[ Upstream commit ca5dabcff1df6bc8c413922b5fa63cc602858803 ]

When CONFIG_KASAN is selected, we expect prom_init to use __memset() because it is too early to use memset().

But with CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL, the compiler adds calls to memset() to clear objects on stack, hence the following failure:

PROMCHK arch/powerpc/kernel/prom_init_check Error: External symbol 'memset' referenced from prom_init.c make[2]: *** [arch/powerpc/kernel/Makefile:204 : arch/powerpc/kernel/prom_init_check] Erreur 1

prom_find_machine_type() is called from prom_init() and is called only once, so lets put compat[] in BSS instead of stack to avoid that.

Signed-off-by: Christophe Leroy christophe.leroy@csgroup.eu Signed-off-by: Michael Ellerman mpe@ellerman.id.au Link: https://lore.kernel.org/r/3802811f7cf94f730be44688539c01bba3a3b5c0.165487580... Signed-off-by: Sasha Levin sashal@kernel.org --- arch/powerpc/kernel/prom_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c index 7f4e2c031a9a..0391b3225970 100644 --- a/arch/powerpc/kernel/prom_init.c +++ b/arch/powerpc/kernel/prom_init.c @@ -2237,7 +2237,7 @@ static void __init prom_init_stdout(void)

static int __init prom_find_machine_type(void) { - char compat[256]; + static char compat[256] __prombss; int len, i = 0; #ifdef CONFIG_PPC64 phandle rtas;

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 11/27] video: fbdev: skeletonfb: Fix syntax errors in comments

From: Xiang wangx wangxiang@cdjrlc.com

[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]

Delete the redundant word 'its'.

Signed-off-by: Xiang wangx wangxiang@cdjrlc.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/skeletonfb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/skeletonfb.c b/drivers/video/fbdev/skeletonfb.c index 812a36cb60c3..ac354909aecf 100644 --- a/drivers/video/fbdev/skeletonfb.c +++ b/drivers/video/fbdev/skeletonfb.c @@ -96,7 +96,7 @@ static const struct fb_fix_screeninfo xxxfb_fix = {

/* * Modern graphical hardware not only supports pipelines but some - * also support multiple monitors where each display can have its + * also support multiple monitors where each display can have * its own unique data. In this case each display could be * represented by a separate framebuffer device thus a separate * struct fb_info. Now the struct xxx_par represents the graphics

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 12/27] video: fbdev: intelfb: Use aperture size from pci_resource_len

From: Petr Cvek petrcvekcz@gmail.com

[ Upstream commit 25c9a15fb7bbfafb94dd3b4e3165c18b8e1bd039 ]

Aperture size for i9x5 variants is determined from PCI base address.

if (pci_resource_start(pdev, 2) & 0x08000000) *aperture_size = MB(128); ...

This condition is incorrect as 128 MiB address can have the address set as 0x?8000000 or 0x?0000000. Also the code can be simplified to just use pci_resource_len().

The true settings of the aperture size is in the MSAC register, which could be used instead. However the value is used only as an info message, so it doesn't matter.

Signed-off-by: Petr Cvek petrcvekcz@gmail.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/intelfb/intelfbhw.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/drivers/video/fbdev/intelfb/intelfbhw.c b/drivers/video/fbdev/intelfb/intelfbhw.c index 57aff7450bce..2086e06532ee 100644 --- a/drivers/video/fbdev/intelfb/intelfbhw.c +++ b/drivers/video/fbdev/intelfb/intelfbhw.c @@ -201,13 +201,11 @@ int intelfbhw_get_memory(struct pci_dev *pdev, int *aperture_size, case PCI_DEVICE_ID_INTEL_945GME: case PCI_DEVICE_ID_INTEL_965G: case PCI_DEVICE_ID_INTEL_965GM: - /* 915, 945 and 965 chipsets support a 256MB aperture. - Aperture size is determined by inspected the - base address of the aperture. */ - if (pci_resource_start(pdev, 2) & 0x08000000) - *aperture_size = MB(128); - else - *aperture_size = MB(256); + /* + * 915, 945 and 965 chipsets support 64MB, 128MB or 256MB + * aperture. Determine size from PCI resource length. + */ + *aperture_size = pci_resource_len(pdev, 2); break; default: if ((tmp & INTEL_GMCH_MEM_MASK) == INTEL_GMCH_MEM_64M)

-- 2.35.1

Sasha Levin

2:23 a.m.

New subject: [PATCH AUTOSEL 5.4 13/27] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write

From: Hyunwoo Kim imv4bel@gmail.com

[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]

In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user() may cause a heap overflow because it is used as the third argument of copy_from_user().

Signed-off-by: Hyunwoo Kim imv4bel@gmail.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/pxa3xx-gcu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c index 7c4694d70dac..15162b37f302 100644 --- a/drivers/video/fbdev/pxa3xx-gcu.c +++ b/drivers/video/fbdev/pxa3xx-gcu.c @@ -382,7 +382,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, struct pxa3xx_gcu_batch *buffer; struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);

- int words = count / 4; + size_t words = count / 4;

/* Does not need to be atomic. There's a lock in user space, * but anyhow, this is just for statistics. */

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 14/27] video: fbdev: simplefb: Check before clk_put() not needed

From: Yihao Han hanyihao@vivo.com

[ Upstream commit 5491424d17bdeb7b7852a59367858251783f8398 ]

clk_put() already checks the clk ptr using !clk and IS_ERR() so there is no need to check it again before calling it.

Signed-off-by: Yihao Han hanyihao@vivo.com Reviewed-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/video/fbdev/simplefb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c index 7dc0105f700d..f03705666983 100644 --- a/drivers/video/fbdev/simplefb.c +++ b/drivers/video/fbdev/simplefb.c @@ -225,8 +225,7 @@ static int simplefb_clocks_get(struct simplefb_par *par, if (IS_ERR(clock)) { if (PTR_ERR(clock) == -EPROBE_DEFER) { while (--i >= 0) { - if (par->clks[i]) - clk_put(par->clks[i]); + clk_put(par->clks[i]); } kfree(par->clks); return -EPROBE_DEFER;

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 15/27] btrfs: do not BUG_ON() on failure to migrate space when replacing extents

From: Filipe Manana fdmanana@suse.com

[ Upstream commit 650c9caba32a0167a018cca0fab32a2965d23513 ]

At btrfs_replace_file_extents(), if we fail to migrate reserved metadata space from the transaction block reserve into the local block reserve, we trigger a BUG_ON(). This is because it should not be possible to have a failure here, as we reserved more space when we started the transaction than the space we want to migrate. However having a BUG_ON() is way too drastic, we can perfectly handle the failure and return the error to the caller. So just do that instead, and add a WARN_ON() to make it easier to notice the failure if it ever happens (which is particularly useful for fstests, and the warning will trigger a failure of a test case).

Reviewed-by: Boris Burkov boris@bur.io Signed-off-by: Filipe Manana fdmanana@suse.com Signed-off-by: David Sterba dsterba@suse.com Signed-off-by: Sasha Levin sashal@kernel.org --- fs/btrfs/file.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index 1279359ed172..db29bd901eef 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -2583,7 +2583,8 @@ int btrfs_punch_hole_range(struct inode *inode, struct btrfs_path *path,

ret = btrfs_block_rsv_migrate(&fs_info->trans_block_rsv, rsv, min_size, false); - BUG_ON(ret); + if (WARN_ON(ret)) + goto out_trans; trans->block_rsv = rsv;

cur_offset = start; @@ -2654,7 +2655,8 @@ int btrfs_punch_hole_range(struct inode *inode, struct btrfs_path *path,

ret = btrfs_block_rsv_migrate(&fs_info->trans_block_rsv, rsv, min_size, false); - BUG_ON(ret); /* shouldn't happen */ + if (WARN_ON(ret)) + break; trans->block_rsv = rsv;

if (!clone_info) {

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 16/27] arch: mips: generic: Add missing of_node_put() in board-ranchu.c

From: Liang He windhl@126.com

[ Upstream commit 4becf6417bbdc293734a590fe4ed38437bbcea2c ]

In ranchu_measure_hpt_freq(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_put_node() when it is not used anymore.

Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/generic/board-ranchu.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/arch/mips/generic/board-ranchu.c b/arch/mips/generic/board-ranchu.c index a89aaad59cb1..930c45041882 100644 --- a/arch/mips/generic/board-ranchu.c +++ b/arch/mips/generic/board-ranchu.c @@ -44,6 +44,7 @@ static __init unsigned int ranchu_measure_hpt_freq(void) __func__);

rtc_base = of_iomap(np, 0); + of_node_put(np); if (!rtc_base) panic("%s(): Failed to ioremap Goldfish RTC base!", __func__);

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 17/27] mips: mti-malta: Fix refcount leak in malta-time.c

From: Liang He windhl@126.com

[ Upstream commit 608d94cb84c42585058d692f2fe5d327f8868cdb ]

In update_gic_frequency_dt(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/mti-malta/malta-time.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/arch/mips/mti-malta/malta-time.c b/arch/mips/mti-malta/malta-time.c index 7efcfe0c9cd4..7ac06bc8a86e 100644 --- a/arch/mips/mti-malta/malta-time.c +++ b/arch/mips/mti-malta/malta-time.c @@ -219,6 +219,8 @@ static void update_gic_frequency_dt(void)

if (of_update_property(node, &gic_frequency_prop) < 0) pr_err("error updating gic frequency property\n"); + + of_node_put(node); }

#endif

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 18/27] mips: ralink: Fix refcount leak in of.c

From: Liang He windhl@126.com

[ Upstream commit 48ca54e39173d1ed4c4dc8cf045484014bb26eaf ]

In plat_of_remap_node(), plat_of_remap_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/ralink/of.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/arch/mips/ralink/of.c b/arch/mips/ralink/of.c index e2c71c6c667d..a5ebc376ff11 100644 --- a/arch/mips/ralink/of.c +++ b/arch/mips/ralink/of.c @@ -40,6 +40,8 @@ __iomem void *plat_of_remap_node(const char *node) if (of_address_to_resource(np, 0, &res)) panic("Failed to get resource for %s", node);

+ of_node_put(np); + if (!request_mem_region(res.start, resource_size(&res), res.name))

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 19/27] mips: lantiq: falcon: Fix refcount leak bug in sysctrl

From: Liang He windhl@126.com

[ Upstream commit 72a2af539fff975caadd9a4db3f99963569bd9c9 ]

In ltq_soc_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/lantiq/falcon/sysctrl.c | 6 ++++++ 1 file changed, 6 insertions(+)

diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c index a2837a54d972..07a33bc891a9 100644 --- a/arch/mips/lantiq/falcon/sysctrl.c +++ b/arch/mips/lantiq/falcon/sysctrl.c @@ -208,6 +208,12 @@ void __init ltq_soc_init(void) of_address_to_resource(np_sysgpe, 0, &res_sys[2])) panic("Failed to get core resources");

+ of_node_put(np_status); + of_node_put(np_ebu); + of_node_put(np_sys1); + of_node_put(np_syseth); + of_node_put(np_sysgpe); + if ((request_mem_region(res_status.start, resource_size(&res_status), res_status.name) < 0) || (request_mem_region(res_ebu.start, resource_size(&res_ebu),

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 20/27] mips: lantiq: xway: Fix refcount leak bug in sysctrl

From: Liang He windhl@126.com

[ Upstream commit 76695592711ef1e215cc24ed3e1cd857d7fc3098 ]

In ltq_soc_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/lantiq/xway/sysctrl.c | 4 ++++ 1 file changed, 4 insertions(+)

diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c index 6c2d9779ac72..c5eb7830bab1 100644 --- a/arch/mips/lantiq/xway/sysctrl.c +++ b/arch/mips/lantiq/xway/sysctrl.c @@ -437,6 +437,10 @@ void __init ltq_soc_init(void) of_address_to_resource(np_ebu, 0, &res_ebu)) panic("Failed to get core resources");

+ of_node_put(np_pmu); + of_node_put(np_cgu); + of_node_put(np_ebu); + if (!request_mem_region(res_pmu.start, resource_size(&res_pmu), res_pmu.name) || !request_mem_region(res_cgu.start, resource_size(&res_cgu),

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 21/27] mips/pic32/pic32mzda: Fix refcount leak bugs

From: Liang He windhl@126.com

[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]

of_find_matching_node(), of_find_compatible_node() and of_find_node_by_path() will return node pointers with refcout incremented. We should call of_node_put() when they are not used anymore.

Signed-off-by: Liang He windhl@126.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/pic32/pic32mzda/init.c | 7 ++++++- arch/mips/pic32/pic32mzda/time.c | 3 +++ 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c index f232c77ff526..0b2cd87b33d3 100644 --- a/arch/mips/pic32/pic32mzda/init.c +++ b/arch/mips/pic32/pic32mzda/init.c @@ -123,13 +123,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup) np = of_find_compatible_node(NULL, NULL, lookup->compatible); if (np) { lookup->name = (char *)np->name; - if (lookup->phys_addr) + if (lookup->phys_addr) { + of_node_put(np); continue; + } if (!of_address_to_resource(np, 0, &res)) lookup->phys_addr = res.start; + of_node_put(np); } }

+ of_node_put(root); + return 0; }

diff --git a/arch/mips/pic32/pic32mzda/time.c b/arch/mips/pic32/pic32mzda/time.c index 905ec1d86928..f4b533c2e94c 100644 --- a/arch/mips/pic32/pic32mzda/time.c +++ b/arch/mips/pic32/pic32mzda/time.c @@ -32,6 +32,9 @@ static unsigned int pic32_xlate_core_timer_irq(void) goto default_map;

irq = irq_of_parse_and_map(node, 0); + + of_node_put(node); + if (!irq) goto default_map;

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 22/27] mips: lantiq: Add missing of_node_put() in irq.c

From: Liang He windhl@126.com

[ Upstream commit 3748d2185ac4c2c6f80989672253aad909ecaf95 ]

In icu_of_init(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore.

diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c index 9fcc118312cb..d179e37f8881 100644 --- a/arch/mips/lantiq/irq.c +++ b/arch/mips/lantiq/irq.c @@ -407,6 +407,7 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent) if (!ltq_eiu_membase) panic("Failed to remap eiu memory"); } + of_node_put(eiu_node);

return 0; }

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 23/27] drm/sun4i: Add DMA mask and segment size

From: Jernej Skrabec jernej.skrabec@gmail.com

[ Upstream commit f5aa16807aa4f99293044944590dde81364f434f ]

Kernel occasionally complains that there is mismatch in segment size when trying to render HW decoded videos and rendering them directly with sun4i DRM driver. Following message can be observed on H6 SoC:

[ 184.298308] ------------[ cut here ]------------ [ 184.298326] DMA-API: sun4i-drm display-engine: mapping sg segment longer than device claims to support [len=6144000] [max=65536] [ 184.298364] WARNING: CPU: 1 PID: 382 at kernel/dma/debug.c:1162 debug_dma_map_sg+0x2b0/0x350 [ 184.322997] CPU: 1 PID: 382 Comm: ffmpeg Not tainted 5.19.0-rc1+ #1331 [ 184.329533] Hardware name: Tanix TX6 (DT) [ 184.333544] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 184.340512] pc : debug_dma_map_sg+0x2b0/0x350 [ 184.344882] lr : debug_dma_map_sg+0x2b0/0x350 [ 184.349250] sp : ffff800009f33a50 [ 184.352567] x29: ffff800009f33a50 x28: 0000000000010000 x27: ffff000001b86c00 [ 184.359725] x26: ffffffffffffffff x25: ffff000005d8cc80 x24: 0000000000000000 [ 184.366879] x23: ffff80000939ab18 x22: 0000000000000001 x21: 0000000000000001 [ 184.374031] x20: 0000000000000000 x19: ffff0000018a7410 x18: ffffffffffffffff [ 184.381186] x17: 0000000000000000 x16: 0000000000000000 x15: ffffffffffffffff [ 184.388338] x14: 0000000000000001 x13: ffff800009534e86 x12: 6f70707573206f74 [ 184.395493] x11: 20736d69616c6320 x10: 000000000000000a x9 : 0000000000010000 [ 184.402647] x8 : ffff8000093b6d40 x7 : ffff800009f33850 x6 : 000000000000000c [ 184.409800] x5 : ffff0000bf997940 x4 : 0000000000000000 x3 : 0000000000000027 [ 184.416953] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000003960e80 [ 184.424106] Call trace: [ 184.426556] debug_dma_map_sg+0x2b0/0x350 [ 184.430580] __dma_map_sg_attrs+0xa0/0x110 [ 184.434687] dma_map_sgtable+0x28/0x4c [ 184.438447] vb2_dc_dmabuf_ops_map+0x60/0xcc [ 184.442729] __map_dma_buf+0x2c/0xd4 [ 184.446321] dma_buf_map_attachment+0xa0/0x130 [ 184.450777] drm_gem_prime_import_dev+0x7c/0x18c [ 184.455410] drm_gem_prime_fd_to_handle+0x1b8/0x214 [ 184.460300] drm_prime_fd_to_handle_ioctl+0x2c/0x40 [ 184.465190] drm_ioctl_kernel+0xc4/0x174 [ 184.469123] drm_ioctl+0x204/0x420 [ 184.472534] __arm64_sys_ioctl+0xac/0xf0 [ 184.476474] invoke_syscall+0x48/0x114 [ 184.480240] el0_svc_common.constprop.0+0x44/0xec [ 184.484956] do_el0_svc+0x2c/0xc0 [ 184.488283] el0_svc+0x2c/0x84 [ 184.491354] el0t_64_sync_handler+0x11c/0x150 [ 184.495723] el0t_64_sync+0x18c/0x190 [ 184.499397] ---[ end trace 0000000000000000 ]---

Fix that by setting DMA mask and segment size.

Signed-off-by: Jernej Skrabec jernej.skrabec@gmail.com Reviewed-by: Samuel Holland samuel@sholland.org Signed-off-by: Maxime Ripard maxime@cerno.tech Link: https://patchwork.freedesktop.org/patch/msgid/20220620181333.650301-1-jernej... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/sun4i/sun4i_drv.c | 8 ++++++++ 1 file changed, 8 insertions(+)

diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c index 5b54eff12cc0..4ae8a33b4479 100644 --- a/drivers/gpu/drm/sun4i/sun4i_drv.c +++ b/drivers/gpu/drm/sun4i/sun4i_drv.c @@ -7,6 +7,7 @@ */

#include <linux/component.h> +#include <linux/dma-mapping.h> #include <linux/kfifo.h> #include <linux/module.h> #include <linux/of_graph.h> @@ -354,6 +355,13 @@ static int sun4i_drv_probe(struct platform_device *pdev)

INIT_KFIFO(list.fifo);

+ /* + * DE2 and DE3 cores actually supports 40-bit addresses, but + * driver does not. + */ + dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(32)); + dma_set_max_seg_size(&pdev->dev, UINT_MAX); + for (i = 0;; i++) { struct device_node *pipeline = of_parse_phandle(np, "allwinner,pipelines",

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 24/27] drm/sun4i: Return if frontend is not present

From: Saud Farooqui farooqui_saud@hotmail.com

[ Upstream commit 85016f66af8506cb601fd4f4fde23ed327a266be ]

Added return statement in sun4i_layer_format_mod_supported() in case frontend is not present.

Signed-off-by: Saud Farooqui farooqui_saud@hotmail.com Signed-off-by: Maxime Ripard maxime@cerno.tech Link: https://patchwork.freedesktop.org/patch/msgid/PA4P189MB1421E93EF5F8E8E00E71B... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/sun4i/sun4i_layer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/sun4i/sun4i_layer.c b/drivers/gpu/drm/sun4i/sun4i_layer.c index c04f4ba0d69d..3104a2290b43 100644 --- a/drivers/gpu/drm/sun4i/sun4i_layer.c +++ b/drivers/gpu/drm/sun4i/sun4i_layer.c @@ -115,7 +115,7 @@ static bool sun4i_layer_format_mod_supported(struct drm_plane *plane, struct sun4i_layer *layer = plane_to_sun4i_layer(plane);

if (IS_ERR_OR_NULL(layer->backend->frontend)) - sun4i_backend_format_is_supported(format, modifier); + return sun4i_backend_format_is_supported(format, modifier);

return sun4i_backend_format_is_supported(format, modifier) || sun4i_frontend_format_is_supported(format, modifier);

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 25/27] drm/amdgpu: Adjust logic around GTT size (v3)

From: Alex Deucher alexander.deucher@amd.com

[ Upstream commit f15345a377c6ea9c7cc74f079616af8856aff37f ]

Certain GL unit tests for large textures can cause problems with the OOM killer since there is no way to link this memory to a process. This was originally mitigated (but not necessarily eliminated) by limiting the GTT size. The problem is this limit is often too low for many modern games so just make the limit 1/2 of system memory. The OOM accounting needs to be addressed, but we shouldn't prevent common 3D applications from being usable just to potentially mitigate that corner case.

Set default GTT size to max(3G, 1/2 of system ram) by default.

v2: drop previous logic and default to 3/4 of ram v3: default to half of ram to align with ttm v4: fix spelling in comment (Kent)

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1942 Reviewed-by: Marek Olšák marek.olsak@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 870dd78d5a21..e70b33f3f363 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -1749,18 +1749,26 @@ int amdgpu_ttm_init(struct amdgpu_device *adev) DRM_INFO("amdgpu: %uM of VRAM memory ready\n", (unsigned) (adev->gmc.real_vram_size / (1024 * 1024)));

- /* Compute GTT size, either bsaed on 3/4th the size of RAM size + /* Compute GTT size, either based on 1/2 the size of RAM size * or whatever the user passed on module init */ if (amdgpu_gtt_size == -1) { struct sysinfo si;

si_meminfo(&si); - gtt_size = min(max((AMDGPU_DEFAULT_GTT_SIZE_MB << 20), - adev->gmc.mc_vram_size), - ((uint64_t)si.totalram * si.mem_unit * 3/4)); - } - else + /* Certain GL unit tests for large textures can cause problems + * with the OOM killer since there is no way to link this memory + * to a process. This was originally mitigated (but not necessarily + * eliminated) by limiting the GTT size. The problem is this limit + * is often too low for many modern games so just make the limit 1/2 + * of system memory which aligns with TTM. The OOM accounting needs + * to be addressed, but we shouldn't prevent common 3D applications + * from being usable just to potentially mitigate that corner case. + */ + gtt_size = max((AMDGPU_DEFAULT_GTT_SIZE_MB << 20), + (u64)si.totalram * si.mem_unit / 2); + } else { gtt_size = (uint64_t)amdgpu_gtt_size << 20; + }

/* Initialize GTT memory pool */ r = ttm_bo_init_mm(&adev->mman.bdev, TTM_PL_TT, gtt_size >> PAGE_SHIFT);

-- 2.35.1

Sasha Levin

2:24 a.m.

New subject: [PATCH AUTOSEL 5.4 26/27] nvme: add a bogus subsystem NQN quirk for Micron MTFDKBA2T0TFH

From: Leo Savernik l.savernik@aon.at

[ Upstream commit 41f38043f884c66af4114a7109cf540d6222f450 ]

The Micron MTFDKBA2T0TFH device reports the same subsysem NQN for all devices. Add a quick to ignore it.

Signed-off-by: Leo Savernik l.savernik@aon.at Reviewed-by: Keith Busch kbusch@kernel.org Signed-off-by: Christoph Hellwig hch@lst.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/nvme/host/pci.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index 10fe7a7a2163..0dfb60a8037e 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -3196,6 +3196,8 @@ static const struct pci_device_id nvme_id_table[] = { { PCI_DEVICE(0x1cc1, 0x8201), /* ADATA SX8200PNP 512GB */ .driver_data = NVME_QUIRK_NO_DEEPEST_PS | NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x1344, 0x5407), /* Micron Technology Inc NVMe SSD */ + .driver_data = NVME_QUIRK_IGNORE_DEV_SUBNQN }, { PCI_DEVICE(0x1c5c, 0x1504), /* SK Hynix PC400 */ .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },

-- 2.35.1

914

days inactive

914

days old

linux-stable-mirror@lists.linaro.org

25 comments

participants

tags (0)

participants (1)

Sasha Levin