December 2022 - Linux-stable-mirror

[PATCH 5.15 5.10 5.4 v2] kbuild: fix Build ID if CONFIG_MODVERSIONS

by Tom Saeger

Backport of: commit 0d362be5b142 ("Makefile: link with -z noexecstack --no-warn-rwx-segments") breaks arm64 Build ID when CONFIG_MODVERSIONS=y for all kernels from: commit e4484a495586 ("Merge tag 'kbuild-fixes-v5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild") until: commit df202b452fe6 ("Merge tag 'kbuild-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild") Linus's tree doesn't have this issue since 0d362be5b142 was merged after df202b452fe6 which included: commit 7b4537199a4a ("kbuild: link symbol CRCs at final link, removing CONFIG_MODULE_REL_CRCS") This kernel's KBUILD CONFIG_MODVERSIONS tooling compiles and links .S targets with relocatable (-r) and now (-z noexecstack) which results in ld adding a .note.GNU-stack section to .o files. Final linking of vmlinux should add a .NOTES segment containing the Build ID, but does NOT (on some architectures like arm64) if a .note.GNU-stack section is found in .o's supplied during link of vmlinux. DISCARD .note.GNU-stack sections of .S targets. Final link of vmlinux then properly adds .NOTES segment containing Build ID that can be read using tools like 'readelf -n'. Fixes: 0d362be5b142 ("Makefile: link with -z noexecstack --no-warn-rwx-segments") Cc: <stable(a)vger.kernel.org> # 5.15, 5.10, 5.4 Cc: <linux-kbuild(a)vger.kernel.org> Cc: Nick Desaulniers <ndesaulniers(a)google.com> Cc: Masahiro Yamada <masahiroy(a)kernel.org> Cc: Nicholas Piggin <npiggin(a)gmail.com> Cc: Michal Marek <michal.lkml(a)markovi.net> Cc: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Tom Saeger <tom.saeger(a)oracle.com> --- v2: - Changed approach to append DISCARD section to generated linker script. - ld no longer emits warning (which was intent of 0d362b35b142) this addresses Nick's v1 feedback. - this is applied to all arches, not just arm64 - added commit refs and notes why this doesn't occur in Linus's tree to address Greg's v1 feedback. - added Fixes: 0d362b35b142 requested by Nick - added note to changelog for 7b4537199a4a requested by Nick - build tested on arm64 and x86 version works(vmlinux contains Build ID) v4.14.302 x86, arm64 v4.14.302.patched x86, arm64 v4.19.269 x86, arm64 v4.19.269.patched x86, arm64 v5.4.227 x86 v5.4.227.patched x86, arm64 v5.10.159 x86 v5.10.159.patched x86, arm64 v5.15.83 x86 v5.15.83.patched x86, arm64 v1: https://lore.kernel.org/all/cover.1670358255.git.tom.saeger@oracle.com/ scripts/Makefile.build | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/Makefile.build b/scripts/Makefile.build index 17aa8ef2d52a..e3939676eeb5 100644 --- a/scripts/Makefile.build +++ b/scripts/Makefile.build @@ -379,6 +379,8 @@ cmd_modversions_S = \ if $(OBJDUMP) -h $@ | grep -q __ksymtab; then \ $(call cmd_gensymtypes_S,$(KBUILD_SYMTYPES),$(@:.o=.symtypes)) \ > $(@D)/.tmp_$(@F:.o=.ver); \ + echo "SECTIONS { /DISCARD/ : { *(.note.GNU-stack) } }" \ + >> $(@D)/.tmp_$(@F:.o=.ver); \ \ $(LD) $(KBUILD_LDFLAGS) -r -o $(@D)/.tmp_$(@F) $@ \ -T $(@D)/.tmp_$(@F:.o=.ver); \ base-commit: fd6d66840b4269da4e90e1ea807ae3197433bc66 -- 2.38.1

1 year, 10 months

4
22
0 0

[PATCH v6 1/6] locking/rwsem: Prevent non-first waiter from spinning in down_write() slowpath

by Waiman Long

A non-first waiter can potentially spin in the for loop of rwsem_down_write_slowpath() without sleeping but fail to acquire the lock even if the rwsem is free if the following sequence happens: Non-first RT waiter First waiter Lock holder ------------------- ------------ ----------- Acquire wait_lock rwsem_try_write_lock(): Set handoff bit if RT or wait too long Set waiter->handoff_set Release wait_lock Acquire wait_lock Inherit waiter->handoff_set Release wait_lock Clear owner Release lock if (waiter.handoff_set) { rwsem_spin_on_owner((); if (OWNER_NULL) goto trylock_again; } trylock_again: Acquire wait_lock rwsem_try_write_lock(): if (first->handoff_set && (waiter != first)) return false; Release wait_lock A non-first waiter cannot really acquire the rwsem even if it mistakenly believes that it can spin on OWNER_NULL value. If that waiter happens to be an RT task running on the same CPU as the first waiter, it can block the first waiter from acquiring the rwsem leading to live lock. Fix this problem by making sure that a non-first waiter cannot spin in the slowpath loop without sleeping. Fixes: d257cc8cb8d5 ("locking/rwsem: Make handoff bit handling more consistent") Reviewed-and-tested-by: Mukesh Ojha <quic_mojha(a)quicinc.com> Signed-off-by: Waiman Long <longman(a)redhat.com> Cc: stable(a)vger.kernel.org --- kernel/locking/rwsem.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c index 44873594de03..be2df9ea7c30 100644 --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -624,18 +624,16 @@ static inline bool rwsem_try_write_lock(struct rw_semaphore *sem, */ if (first->handoff_set && (waiter != first)) return false; - - /* - * First waiter can inherit a previously set handoff - * bit and spin on rwsem if lock acquisition fails. - */ - if (waiter == first) - waiter->handoff_set = true; } new = count; if (count & RWSEM_LOCK_MASK) { + /* + * A waiter (first or not) can set the handoff bit + * if it is an RT task or wait in the wait queue + * for too long. + */ if (has_handoff || (!rt_task(waiter->task) && !time_after(jiffies, waiter->timeout))) return false; @@ -651,11 +649,12 @@ static inline bool rwsem_try_write_lock(struct rw_semaphore *sem, } while (!atomic_long_try_cmpxchg_acquire(&sem->count, &count, new)); /* - * We have either acquired the lock with handoff bit cleared or - * set the handoff bit. + * We have either acquired the lock with handoff bit cleared or set + * the handoff bit. Only the first waiter can have its handoff_set + * set here to enable optimistic spinning in slowpath loop. */ if (new & RWSEM_FLAG_HANDOFF) { - waiter->handoff_set = true; + first->handoff_set = true; lockevent_inc(rwsem_wlock_handoff); return false; } -- 2.31.1

1 year, 10 months

2
2
0 0

[PATCH] HID: multitouch: enable trackstick of Asus ExpertBook B2502

by Benjamin Tissoires

This device has a trackstick that is sent through the same HID device than the touchpad. Unfortunately there are 2 mice attached to that device descriptor, with the first one for the touchpad when the second is for the trackstick. Force all devices to be exported. Cc: stable(a)vger.kernel.org # 5.8+ Link: https://bugzilla.redhat.com/show_bug.cgi?id=2154204 Signed-off-by: Benjamin Tissoires <benjamin.tissoires(a)redhat.com> --- drivers/hid/hid-multitouch.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 91a4d3fc30e0..91ac72b32d45 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -1860,6 +1860,12 @@ static const struct hid_device_id mt_devices[] = { USB_VENDOR_ID_ASUSTEK, USB_DEVICE_ID_ASUSTEK_T304_KEYBOARD) }, + /* Asus ExpertBook with trackstick */ + { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, + HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_ELAN, + 0x3148) }, + /* Atmel panels */ { .driver_data = MT_CLS_SERIAL, MT_USB_DEVICE(USB_VENDOR_ID_ATMEL, -- 2.38.1

1 year, 10 months

1
1
0 0

[PATCH 1/5] pwm: jz4740: Fix pin level of disabled TCU2 channels, part 1

by Paul Cercueil

The "duty > cycle" trick to force the pin level of a disabled TCU2 channel would only work when the channel had been enabled previously. Address this issue by enabling the PWM mode in jz4740_pwm_disable (I know, right) so that the "duty > cycle" trick works before disabling the PWM channel right after. This issue went unnoticed, as the PWM pins on the majority of the boards tested would default to the inactive level once the corresponding TCU clock was enabled, so the first call to jz4740_pwm_disable() would not actually change the pin levels. On the GCW Zero however, the PWM pin for the backlight (PWM1, which is a TCU2 channel) goes active as soon as the timer1 clock is enabled. Since the jz4740_pwm_disable() function did not work on channels not previously enabled, the backlight would shine at full brightness from the moment the backlight driver would probe, until the backlight driver tried to *enable* the PWM output. With this fix, the PWM pins will be forced inactive as soon as jz4740_pwm_apply() is called (and might be reconfigured to active if dictated by the pwm_state). This means that there is still a tiny time frame between the .request() and .apply() callbacks where the PWM pin might be active. Sadly, there is no way to fix this issue: it is impossible to write a PWM channel's registers if the corresponding clock is not enabled, and enabling the clock is what causes the PWM pin to go active. There is a workaround, though, which complements this fix: simply starting the backlight driver (or any PWM client driver) with a "init" pinctrl state that sets the pin as an inactive GPIO. Once the driver is probed and the pinctrl state switches to "default", the regular PWM pin configuration can be used as it will be properly driven. Fixes: c2693514a0a1 ("pwm: jz4740: Obtain regmap from parent node") Signed-off-by: Paul Cercueil <paul(a)crapouillou.net> Cc: stable(a)vger.kernel.org --- drivers/pwm/pwm-jz4740.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/pwm/pwm-jz4740.c b/drivers/pwm/pwm-jz4740.c index a5fdf97c0d2e..228eb104bf1e 100644 --- a/drivers/pwm/pwm-jz4740.c +++ b/drivers/pwm/pwm-jz4740.c @@ -102,11 +102,14 @@ static void jz4740_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm) struct jz4740_pwm_chip *jz = to_jz4740(chip); /* - * Set duty > period. This trick allows the TCU channels in TCU2 mode to - * properly return to their init level. + * Set duty > period, then enable PWM mode and start the counter. + * This trick allows to force the inactive pin level for the TCU2 + * channels. */ regmap_write(jz->map, TCU_REG_TDHRc(pwm->hwpwm), 0xffff); regmap_write(jz->map, TCU_REG_TDFRc(pwm->hwpwm), 0x0); + regmap_set_bits(jz->map, TCU_REG_TCSRc(pwm->hwpwm), TCU_TCSR_PWM_EN); + regmap_write(jz->map, TCU_REG_TESR, BIT(pwm->hwpwm)); /* * Disable PWM output. -- 2.35.1

1 year, 10 months

2
7
0 0

[PATCH] scsi: ufs: core: fix devfreq deadlocks

by Johan Hovold

There is a lock inversion and rwsem read-lock recursion in the devfreq target callback which can lead to deadlocks. Specifically, ufshcd_devfreq_scale() already holds a clk_scaling_lock read lock when toggling the write booster, which involves taking the dev_cmd mutex before taking another clk_scaling_lock read lock. This can lead to a deadlock if another thread: 1) tries to acquire the dev_cmd and clk_scaling locks in the correct order, or 2) takes a clk_scaling write lock before the attempt to take the clk_scaling read lock a second time. Fix this by dropping the clk_scaling_lock before toggling the write booster as was done before commit 0e9d4ca43ba8 ("scsi: ufs: Protect some contexts from unexpected clock scaling"). While the devfreq callbacks are already serialised, add a second serialising mutex to handle the unlikely case where a callback triggered through the devfreq sysfs interface is racing with a request to disable clock scaling through the UFS controller 'clkscale_enable' sysfs attribute. This could otherwise lead to the write booster being left disabled after having disabled clock scaling. Also take the new mutex in ufshcd_clk_scaling_allow() to make sure that any pending write booster update has completed on return. Note that this currently only affects Qualcomm platforms since commit 87bd05016a64 ("scsi: ufs: core: Allow host driver to disable wb toggling during clock scaling"). The lock inversion (i.e. 1 above) was reported by lockdep as: ====================================================== WARNING: possible circular locking dependency detected 6.1.0-next-20221216 #211 Not tainted ------------------------------------------------------ kworker/u16:2/71 is trying to acquire lock: ffff076280ba98a0 (&hba->dev_cmd.lock){+.+.}-{3:3}, at: ufshcd_query_flag+0x50/0x1c0 but task is already holding lock: ffff076280ba9cf0 (&hba->clk_scaling_lock){++++}-{3:3}, at: ufshcd_devfreq_scale+0x2b8/0x380 which lock already depends on the new lock. [ +0.011606] the existing dependency chain (in reverse order) is: -> #1 (&hba->clk_scaling_lock){++++}-{3:3}: lock_acquire+0x68/0x90 down_read+0x58/0x80 ufshcd_exec_dev_cmd+0x70/0x2c0 ufshcd_verify_dev_init+0x68/0x170 ufshcd_probe_hba+0x398/0x1180 ufshcd_async_scan+0x30/0x320 async_run_entry_fn+0x34/0x150 process_one_work+0x288/0x6c0 worker_thread+0x74/0x450 kthread+0x118/0x120 ret_from_fork+0x10/0x20 -> #0 (&hba->dev_cmd.lock){+.+.}-{3:3}: __lock_acquire+0x12a0/0x2240 lock_acquire.part.0+0xcc/0x220 lock_acquire+0x68/0x90 __mutex_lock+0x98/0x430 mutex_lock_nested+0x2c/0x40 ufshcd_query_flag+0x50/0x1c0 ufshcd_query_flag_retry+0x64/0x100 ufshcd_wb_toggle+0x5c/0x120 ufshcd_devfreq_scale+0x2c4/0x380 ufshcd_devfreq_target+0xf4/0x230 devfreq_set_target+0x84/0x2f0 devfreq_update_target+0xc4/0xf0 devfreq_monitor+0x38/0x1f0 process_one_work+0x288/0x6c0 worker_thread+0x74/0x450 kthread+0x118/0x120 ret_from_fork+0x10/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&hba->clk_scaling_lock); lock(&hba->dev_cmd.lock); lock(&hba->clk_scaling_lock); lock(&hba->dev_cmd.lock); *** DEADLOCK *** Fixes: 0e9d4ca43ba8 ("scsi: ufs: Protect some contexts from unexpected clock scaling") Cc: stable(a)vger.kernel.org # 5.12 Cc: Can Guo <quic_cang(a)quicinc.com> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- This issue has apparently been known for over a year [1] without anyone bothering to fix it. Aside from the potential deadlocks, this also leads to developers using Qualcomm platforms not being able to use lockdep to prevent further issues like this from being introduced in other places. Johan [1] https://lore.kernel.org/lkml/1631843521-2863-1-git-send-email-cang@codeauro… drivers/ufs/core/ufshcd.c | 29 +++++++++++++++-------------- include/ufs/ufshcd.h | 2 ++ 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index bda61be5f035..5c3821b2fcf8 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -1234,12 +1234,14 @@ static int ufshcd_clock_scaling_prepare(struct ufs_hba *hba) * clock scaling is in progress */ ufshcd_scsi_block_requests(hba); + mutex_lock(&hba->wb_mutex); down_write(&hba->clk_scaling_lock); if (!hba->clk_scaling.is_allowed || ufshcd_wait_for_doorbell_clr(hba, DOORBELL_CLR_TOUT_US)) { ret = -EBUSY; up_write(&hba->clk_scaling_lock); + mutex_unlock(&hba->wb_mutex); ufshcd_scsi_unblock_requests(hba); goto out; } @@ -1251,12 +1253,16 @@ static int ufshcd_clock_scaling_prepare(struct ufs_hba *hba) return ret; } -static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, bool writelock) +static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, bool scale_up) { - if (writelock) - up_write(&hba->clk_scaling_lock); - else - up_read(&hba->clk_scaling_lock); + up_write(&hba->clk_scaling_lock); + + /* Enable Write Booster if we have scaled up else disable it */ + if (ufshcd_enable_wb_if_scaling_up(hba)) + ufshcd_wb_toggle(hba, scale_up); + + mutex_unlock(&hba->wb_mutex); + ufshcd_scsi_unblock_requests(hba); ufshcd_release(hba); } @@ -1273,7 +1279,6 @@ static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, bool writelock) static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up) { int ret = 0; - bool is_writelock = true; ret = ufshcd_clock_scaling_prepare(hba); if (ret) @@ -1302,15 +1307,8 @@ static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up) } } - /* Enable Write Booster if we have scaled up else disable it */ - if (ufshcd_enable_wb_if_scaling_up(hba)) { - downgrade_write(&hba->clk_scaling_lock); - is_writelock = false; - ufshcd_wb_toggle(hba, scale_up); - } - out_unprepare: - ufshcd_clock_scaling_unprepare(hba, is_writelock); + ufshcd_clock_scaling_unprepare(hba, scale_up); return ret; } @@ -6066,9 +6064,11 @@ static void ufshcd_force_error_recovery(struct ufs_hba *hba) static void ufshcd_clk_scaling_allow(struct ufs_hba *hba, bool allow) { + mutex_lock(&hba->wb_mutex); down_write(&hba->clk_scaling_lock); hba->clk_scaling.is_allowed = allow; up_write(&hba->clk_scaling_lock); + mutex_unlock(&hba->wb_mutex); } static void ufshcd_clk_scaling_suspend(struct ufs_hba *hba, bool suspend) @@ -9793,6 +9793,7 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) /* Initialize mutex for exception event control */ mutex_init(&hba->ee_ctrl_mutex); + mutex_init(&hba->wb_mutex); init_rwsem(&hba->clk_scaling_lock); ufshcd_init_clk_gating(hba); diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 5cf81dff60aa..727084cd79be 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -808,6 +808,7 @@ struct ufs_hba_monitor { * @urgent_bkops_lvl: keeps track of urgent bkops level for device * @is_urgent_bkops_lvl_checked: keeps track if the urgent bkops level for * device is known or not. + * @wb_mutex: used to serialize devfreq and sysfs write booster toggling * @clk_scaling_lock: used to serialize device commands and clock scaling * @desc_size: descriptor sizes reported by device * @scsi_block_reqs_cnt: reference counting for scsi block requests @@ -951,6 +952,7 @@ struct ufs_hba { enum bkops_status urgent_bkops_lvl; bool is_urgent_bkops_lvl_checked; + struct mutex wb_mutex; struct rw_semaphore clk_scaling_lock; unsigned char desc_size[QUERY_DESC_IDN_MAX]; atomic_t scsi_block_reqs_cnt; -- 2.37.4

1 year, 10 months

7
11
0 0

[PATCH] usb: cdns3: remove fetched trb from cache before dequeuing

by Pawel Laszczak

After doorbell DMA fetches the TRB. If during dequeuing request driver changes NORMAL TRB to LINK TRB but doesn't delete it from controller cache then controller will handle cached TRB and packet can be lost. The example scenario for this issue looks like: 1. queue request - set doorbell 2. dequeue request 3. send OUT data packet from host 4. Device will accept this packet which is unexpected 5. queue new request - set doorbell 6. Device lost the expected packet. By setting DFLUSH controller clears DRDY bit and stop DMA transfer. Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") cc: <stable(a)vger.kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> --- drivers/usb/cdns3/cdns3-gadget.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index 5adcb349718c..ccfaebca6faa 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -2614,6 +2614,7 @@ int cdns3_gadget_ep_dequeue(struct usb_ep *ep, u8 req_on_hw_ring = 0; unsigned long flags; int ret = 0; + int val; if (!ep || !request || !ep->desc) return -EINVAL; @@ -2649,6 +2650,13 @@ int cdns3_gadget_ep_dequeue(struct usb_ep *ep, /* Update ring only if removed request is on pending_req_list list */ if (req_on_hw_ring && link_trb) { + /* Stop DMA */ + writel(EP_CMD_DFLUSH, &priv_dev->regs->ep_cmd); + + /* wait for DFLUSH cleared */ + readl_poll_timeout_atomic(&priv_dev->regs->ep_cmd, val, + !(val & EP_CMD_DFLUSH), 1, 1000); + link_trb->buffer = cpu_to_le32(TRB_BUFFER(priv_ep->trb_pool_dma + ((priv_req->end_trb + 1) * TRB_SIZE))); link_trb->control = cpu_to_le32((le32_to_cpu(link_trb->control) & TRB_CYCLE) | @@ -2660,6 +2668,10 @@ int cdns3_gadget_ep_dequeue(struct usb_ep *ep, cdns3_gadget_giveback(priv_ep, priv_req, -ECONNRESET); + req = cdns3_next_request(&priv_ep->pending_req_list); + if (req) + cdns3_rearm_transfer(priv_ep, 1); + not_found: spin_unlock_irqrestore(&priv_dev->lock, flags); return ret; -- 2.25.1

1 year, 10 months

3
7
0 0

[PATCH 5.15 000/230] 5.15.54-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.54 release. There are 230 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 13 Jul 2022 09:05:28 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.54-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.54-rc1 Hangbin Liu <liuhangbin(a)gmail.com> selftests/net: fix section name when using xdp_dummy.o Dave Jiang <dave.jiang(a)intel.com> dmaengine: idxd: force wq context cleanup on device disable path Miaoqian Lin <linmq006(a)gmail.com> dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate Caleb Connolly <caleb.connolly(a)linaro.org> dmaengine: qcom: bam_dma: fix runtime PM underflow Miaoqian Lin <linmq006(a)gmail.com> dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate Michael Walle <michael(a)walle.cc> dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> dmaengine: lgm: Fix an error handling path in intel_ldma_probe() Dmitry Osipenko <dmitry.osipenko(a)collabora.com> dmaengine: pl330: Fix lockdep warning about non-static key Linus Torvalds <torvalds(a)linux-foundation.org> ida: don't use BUG_ON() for debugging Samuel Holland <samuel(a)sholland.org> dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Revert "serial: 8250_mtk: Make sure to select the right FEATURE_SEL" Naoya Horiguchi <naoya.horiguchi(a)nec.com> Revert "mm/memory-failure.c: fix race with changing page compound again" Shuah Khan <skhan(a)linuxfoundation.org> misc: rtsx_usb: set return value in rsp_buf alloc err path Shuah Khan <skhan(a)linuxfoundation.org> misc: rtsx_usb: use separate command and response buffers Shuah Khan <skhan(a)linuxfoundation.org> misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer Peter Robinson <pbrobinson(a)gmail.com> dmaengine: imx-sdma: Allow imx8m for imx7 FW revs Satish Nagireddy <satish.nagireddy(a)getcruise.com> i2c: cadence: Unregister the clk notifier in error path Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix accessing unset transport header Vladimir Oltean <vladimir.oltean(a)nxp.com> selftests: forwarding: fix error message in learning_test Vladimir Oltean <vladimir.oltean(a)nxp.com> selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT Vladimir Oltean <vladimir.oltean(a)nxp.com> selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT Rick Lindsley <ricklind(a)us.ibm.com> ibmvnic: Properly dispose of all skbs during a failover. Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15 Amelie Delaunay <amelie.delaunay(a)foss.st.com> ARM: dts: stm32: use usbphyc ck_usbo_48m as USBH OHCI clock on stm32mp151 Norbert Zulinski <norbertx.zulinski(a)intel.com> i40e: Fix VF's MAC Address change on VM Lukasz Cieplicki <lukaszx.cieplicki(a)intel.com> i40e: Fix dropped jumbo frames statistics Jean Delvare <jdelvare(a)suse.de> i2c: piix4: Fix a memory leak in the EFCH MMIO support Ivan Malov <ivan.malov(a)oktetlabs.ru> xsk: Clear page contiguity bit when unmapping pool Mihai Sain <mihai.sain(a)microchip.com> ARM: at91: fix soc detection for SAM9X60 SiPs Eugen Hristev <eugen.hristev(a)microchip.com> ARM: dts: at91: sama5d2_icp: fix eeprom compatibles Eugen Hristev <eugen.hristev(a)microchip.com> ARM: dts: at91: sam9x60ek: fix eeprom compatible and size Claudiu Beznea <claudiu.beznea(a)microchip.com> ARM: at91: pm: use proper compatibles for sama7g5's rtc and rtt Claudiu Beznea <claudiu.beznea(a)microchip.com> ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt Claudiu Beznea <claudiu.beznea(a)microchip.com> ARM: at91: pm: use proper compatible for sama5d2's rtc Stephan Gerhold <stephan.gerhold(a)kernkonzept.com> arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo Andrei Lalaev <andrey.lalaev(a)gmail.com> pinctrl: sunxi: sunxi_pconf_set: use correct offset Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-phyboard-pollux-rdk: correct i2c2 & mmc settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-phyboard-pollux-rdk: correct eqos pad settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-phyboard-pollux-rdk: correct uart pad settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-evk: correct I2C3 pad settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-evk: correct I2C1 pad settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-evk: correct eqos pad settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-evk: correct vbus pad settings Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-evk: correct gpio-led pad settings Sherry Sun <sherry.sun(a)nxp.com> arm64: dts: imx8mp-evk: correct the uart2 pinctl value Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp-evk: correct mmc pad settings Fabio Estevam <festevam(a)denx.de> ARM: mxs_defconfig: Enable the framebuffer Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sdm845: use dispcc AHB clock for mdss node Konrad Dybcio <konrad.dybcio(a)somainline.org> arm64: dts: qcom: msm8994: Fix CPU6/7 reg values Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: codecs: rt700/rt711/rt711-sdca: resume bus/codec in .set_jack_detect Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: rt711-sdca: Add endianness flag in snd_soc_component_driver Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: rt711: Add endianness flag in snd_soc_component_driver Samuel Holland <samuel(a)sholland.org> pinctrl: sunxi: a83t: Fix NAND function name for some pins Miaoqian Lin <linmq006(a)gmail.com> ARM: meson: Fix refcount leak in meson_smp_prepare_cpus daniel.starke(a)siemens.com <daniel.starke(a)siemens.com> tty: n_gsm: fix encoding of command/response bit Tom Rix <trix(a)redhat.com> btrfs: fix use of uninitialized variable at rm device ioctl Ye Guojin <ye.guojin(a)zte.com.cn> virtio-blk: modify the value type of num in virtio_queue_rq() Dan Carpenter <dan.carpenter(a)oracle.com> btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2() Hui Wang <hui.wang(a)canonical.com> Revert "serial: sc16is7xx: Clear RS485 bits in the shutdown" Eric Sandeen <sandeen(a)redhat.com> xfs: remove incorrect ASSERT in xfs_rename Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info Christian Marangi <ansuelsmth(a)gmail.com> net: dsa: qca8k: reset cpu port on MTU change Jason A. Donenfeld <Jason(a)zx2c4.com> powerpc/powernv: delay rng platform device creation until later in boot Hsin-Yi Wang <hsinyi(a)chromium.org> video: of_display_timing.h: include errno.h Dan Williams <dan.j.williams(a)intel.com> memregion: Fix memregion_free() fallback definition Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: runtime: Redefine pm_runtime_release_supplier() Helge Deller <deller(a)gmx.de> fbcon: Prevent that screen size is smaller than font size Helge Deller <deller(a)gmx.de> fbcon: Disallow setting font bigger than screen size Helge Deller <deller(a)gmx.de> fbmem: Check virtual screen sizes in fb_set_var() Guiling Deng <greens9(a)163.com> fbdev: fbmem: Fix logo center image dx issue Yian Chen <yian.chen(a)intel.com> iommu/vt-d: Fix PCI bus rescan device hot add Alexey Dobriyan <adobriyan(a)gmail.com> module: fix [e_shstrndx].sh_size=0 OOB access Shuah Khan <skhan(a)linuxfoundation.org> module: change to print useful messages from elf_validity_check() Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> dt-bindings: soc: qcom: smd-rpm: Fix missing MSM8936 compatible Vladimir Lypak <vladimir.lypak(a)gmail.com> dt-bindings: soc: qcom: smd-rpm: Add compatible for MSM8953 SoC David Howells <dhowells(a)redhat.com> rxrpc: Fix locking issue Mark Rutland <mark.rutland(a)arm.com> irqchip/gic-v3: Ensure pseudo-NMIs have an ISB between ack and handling Pavel Begunkov <asml.silence(a)gmail.com> io_uring: avoid io-wq -EAGAIN looping for !IOPOLL Sean Wang <sean.wang(a)mediatek.com> Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event Niels Dossche <dossche.niels(a)gmail.com> Bluetooth: protect le accept and resolv lists with hdev->lock Rex-BC Chen <rex-bc.chen(a)mediatek.com> drm/mediatek: Add vblank register/unregister callback functions Chun-Kuang Hu <chunkuang.hu(a)kernel.org> drm/mediatek: Add cmdq_handle in mtk_crtc Chun-Kuang Hu <chunkuang.hu(a)kernel.org> drm/mediatek: Detect CMDQ execution timeout Chun-Kuang Hu <chunkuang.hu(a)kernel.org> drm/mediatek: Remove the pointer of struct cmdq_client Chun-Kuang Hu <chunkuang.hu(a)kernel.org> drm/mediatek: Use mailbox rx_callback instead of cmdq_task_cb Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/i915: Fix a race between vma / object destruction and unbinding Richard Gong <richard.gong(a)amd.com> drm/amdgpu: vi: disable ASPM on Intel Alder Lake based systems Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Refactor `amdgpu_aspm` to be evaluated per device Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop flags check for CHIP_IP_DISCOVERY Lukas Fink <lukas.fink1(a)gmail.com> drm/amdgpu: Fix rejecting Tahiti GPUs Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: bind to any 0x1002 PCI diplay class device Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix invalid gsmtty_write_room() result AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> serial: 8250_mtk: Make sure to select the right FEATURE_SEL Michael Ellerman <mpe(a)ellerman.id.au> powerpc/vdso: Fix incorrect CFI in gettimeofday.S Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Move cvdso_call macro into gettimeofday.S Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/vdso: Remove cvdso_call_time macro Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix sometimes uninitialized warning in gsm_dlci_modem_output() Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix invalid use of MSC in advanced option Naoya Horiguchi <naoya.horiguchi(a)nec.com> mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb() Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure.c: fix race with changing page compound again luofei <luofei(a)unicloud.com> mm/hwpoison: avoid the impact of hwpoison_filter() return value on mce handler Naoya Horiguchi <naoya.horiguchi(a)nec.com> mm/hwpoison: mf_mutex for soft offline and unpoison Sean Christopherson <seanjc(a)google.com> KVM: Initialize debugfs_dentry when a VM is created to avoid NULL deref Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: use dedicated lock for data relocation Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: encapsulate inode locking for zoned relocation Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix missing update of modem controls after DLCI open Maurizio Avogadro <mavoga(a)gmail.com> ALSA: usb-audio: add mapping for MSI MAG X570S Torpedo MAX. Johannes Schickel <lordhoto(a)gmail.com> ALSA: usb-audio: add mapping for MSI MPG X570S Carbon Max Wifi. Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix frame reception handling Zhenguo Zhao <Zhenguo.Zhao1(a)unisoc.com> tty: n_gsm: Save dlci address open status when config requester Zhenguo Zhao <Zhenguo.Zhao1(a)unisoc.com> tty: n_gsm: Modify CR,PF bit when config requester Oliver Upton <oupton(a)google.com> KVM: Don't create VM debugfs files outside of the VM directory tiancyin <tianci.yin(a)amd.com> drm/amd/vcn: fix an error msg on vcn 3.0 Xiaomeng Tong <xiam0nd.tong(a)gmail.com> ASoC: rt5682: fix an incorrect NULL check on list iterator Jack Yu <jack.yu(a)realtek.com> ASoC: rt5682: move clk related code to rt5682_i2c_probe Tadeusz Struk <tadeusz.struk(a)linaro.org> uapi/linux/stddef.h: Add include guards Kees Cook <keescook(a)chromium.org> stddef: Introduce DECLARE_FLEX_ARRAY() helper Paul Davey <paul.davey(a)alliedtelesis.co.nz> bus: mhi: Fix pm_state conversion to string Kees Cook <keescook(a)chromium.org> bus: mhi: core: Use correctly sized arguments for bit field Hui Wang <hui.wang(a)canonical.com> serial: sc16is7xx: Clear RS485 bits in the shutdown Nicholas Piggin <npiggin(a)gmail.com> powerpc/tm: Fix more userspace r13 corruption Nicholas Piggin <npiggin(a)gmail.com> powerpc: flexible GPR range save/restore macros Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/32: Don't use lmw/stmw for saving/restoring non volatile regs Arun Easi <aeasi(a)marvell.com> scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload test Claudio Imbrenda <imbrenda(a)linux.ibm.com> KVM: s390x: fix SCK locking Dongliang Mu <mudongliangabcd(a)gmail.com> btrfs: don't access possibly stale fs_info data in device_list_add Paolo Bonzini <pbonzini(a)redhat.com> KVM: use __vcalloc for very large allocations Paolo Bonzini <pbonzini(a)redhat.com> mm: vmalloc: introduce array allocation functions Kees Cook <keescook(a)chromium.org> Compiler Attributes: add __alloc_size() for better bounds checking Tudor Ambarus <tudor.ambarus(a)microchip.com> mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> batman-adv: Use netif_rx(). Haibo Chen <haibo.chen(a)nxp.com> iio: accel: mma8452: use the correct logic to get mma8452_data Palmer Dabbelt <palmer(a)rivosinc.com> riscv/mm: Add XIP_FIXUP for riscv_pfn_base Chuck Lever <chuck.lever(a)oracle.com> NFSD: COMMIT operations must not return NFS?ERR_INVAL Chuck Lever <chuck.lever(a)oracle.com> NFSD: De-duplicate net_generic(nf->nf_net, nfsd_net_id) CHANDAN VURDIGERE NATARAJ <chandan.vurdigerenataraj(a)amd.com> drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw Michael Strauss <michael.strauss(a)amd.com> drm/amd/display: Set min dcfclk if pipe count is 0 Xiaomeng Tong <xiam0nd.tong(a)gmail.com> drbd: fix an invalid memory access caused by incorrect use of list iterator Wu Bo <wubo40(a)huawei.com> drbd: Fix double free problem in drbd_create_device Luis Chamberlain <mcgrof(a)kernel.org> drbd: add error handling support for add_disk() Qu Wenruo <wqu(a)suse.com> btrfs: remove device item and update super block in the same transaction Josef Bacik <josef(a)toxicpanda.com> btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls Josef Bacik <josef(a)toxicpanda.com> btrfs: add a btrfs_get_dev_args_from_path helper Josef Bacik <josef(a)toxicpanda.com> btrfs: handle device lookup with btrfs_dev_lookup_args Eli Cohen <elic(a)nvidia.com> vdpa/mlx5: Avoid processing works if workqueue was destroyed Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix gfs2_file_buffered_write endless loop workaround Arun Easi <aeasi(a)marvell.com> scsi: qla2xxx: Fix crash during module load unload test Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: edif: Replace list_for_each_safe with list_for_each_entry_safe Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix laggy FC remote port session recovery Manish Rangankar <mrangankar(a)marvell.com> scsi: qla2xxx: Move heartbeat handling from DPC thread to workqueue Sean Christopherson <seanjc(a)google.com> KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook Sean Christopherson <seanjc(a)google.com> KVM: x86/mmu: Use yield-safe TDP MMU root iter in MMU notifier unmapping Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3 Dan Williams <dan.j.williams(a)intel.com> cxl/port: Hold port reference until decoder release Lorenzo Bianconi <lorenzo(a)kernel.org> mt76: mt7921: do not always disable fw runtime-pm Sean Wang <sean.wang(a)mediatek.com> mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error Johan Hovold <johan(a)kernel.org> media: davinci: vpif: fix use-after-free on driver unbind Kees Cook <keescook(a)chromium.org> media: omap3isp: Use struct_group() for memcpy() region Kees Cook <keescook(a)chromium.org> stddef: Introduce struct_group() helper macro Tejun Heo <tj(a)kernel.org> block: fix rq-qos breakage from skipping rq_qos_done_bio() Jens Axboe <axboe(a)kernel.dk> block: only mark bio as tracked if it really is tracked Pavel Begunkov <asml.silence(a)gmail.com> block: use bdev_get_queue() in bio.c Jens Axboe <axboe(a)kernel.dk> io_uring: ensure that fsnotify is always called Max Gurtovoy <mgurtovoy(a)nvidia.com> virtio-blk: avoid preallocating big SGL for data Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: Allow queueing resets during probe Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: clear fop when retrying probe Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> ibmvnic: init init_done_rc earlier Alexander Egorenkov <egorenar(a)linux.ibm.com> s390/setup: preserve memory at OLDMEM_BASE and OLDMEM_SIZE Alexander Gordeev <agordeev(a)linux.ibm.com> s390/setup: use physical pointers for memblock_reserve() Alexander Gordeev <agordeev(a)linux.ibm.com> s390/boot: allocate amode31 section in decompressor Florian Westphal <fw(a)strlen.de> netfilter: nft_payload: don't allow th access for fragments Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_payload: support for inner header matching / mangling Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: convert pktinfo->tprot_set to flags field Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: rt5682: Fix deadlock on resume Derek Fang <derek.fang(a)realtek.com> ASoC: rt5682: Re-detect the combo jack after resuming Derek Fang <derek.fang(a)realtek.com> ASoC: rt5682: Avoid the unexpected IRQ event during going to suspend Roi Dayan <roid(a)nvidia.com> net/mlx5e: TC, Reject rules with forward and drop actions Roi Dayan <roid(a)nvidia.com> net/mlx5e: TC, Reject rules with drop and modify hdr action Roi Dayan <roid(a)nvidia.com> net/mlx5e: Split actions_match_supported() into a sub function Roi Dayan <roid(a)nvidia.com> net/mlx5e: Check action fwd/drop flag exists also for nic flows Palmer Dabbelt <palmer(a)rivosinc.com> RISC-V: defconfigs: Set CONFIG_FB=y, for FB console Heinrich Schuchardt <heinrich.schuchardt(a)canonical.com> riscv: defconfig: enable DRM_NOUVEAU Hou Tao <houtao1(a)huawei.com> bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC Lorenzo Bianconi <lorenzo(a)kernel.org> mt76: mt7921: fix a possible race enabling/disabling runtime-pm Lorenzo Bianconi <lorenzo(a)kernel.org> mt76: mt7921: introduce mt7921_mcu_set_beacon_filter utility routine Lorenzo Bianconi <lorenzo(a)kernel.org> mt76: mt7921: get rid of mt7921_mac_set_beacon_filter Hans de Goede <hdegoede(a)redhat.com> platform/x86: wmi: Fix driver->notify() vs ->probe() race Hans de Goede <hdegoede(a)redhat.com> platform/x86: wmi: Replace read_takes_no_args with a flags field Barnabás Pőcze <pobrn(a)protonmail.com> platform/x86: wmi: introduce helper to convert driver to WMI driver Shai Malin <smalin(a)marvell.com> qed: Improve the stack space of filter_config() Seevalamuthu Mariappan <quic_seevalam(a)quicinc.com> ath11k: add hw_param for wakeup_mhi Andrew Gabbasov <andrew_gabbasov(a)mentor.com> memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash Sean Young <sean(a)mess.org> media: ir_toy: prevent device from hanging during transmit Lukas Wunner <lukas(a)wunner.de> PCI: pciehp: Ignore Link Down/Up caused by error-induced Hot Reset Lukas Wunner <lukas(a)wunner.de> PCI/portdrv: Rename pm_iter() to pcie_port_device_iter() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Replace the unconditional clflush with drm_clflush_virt_range() Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/i915/gt: Register the migrate contexts with their engines Matthew Brost <matthew.brost(a)intel.com> drm/i915: Disable bonding on gen12+ platforms Filipe Manana <fdmanana(a)suse.com> btrfs: fix deadlock between chunk allocation and chunk btree modifications Michel Dänzer <mdaenzer(a)redhat.com> dma-buf/poll: Get a file reference for outstanding fence callbacks Hans de Goede <hdegoede(a)redhat.com> Input: goodix - try not to touch the reset-pin on x86/ACPI devices Hans de Goede <hdegoede(a)redhat.com> Input: goodix - refactor reset handling Hans de Goede <hdegoede(a)redhat.com> Input: goodix - add a goodix.h header file Hans de Goede <hdegoede(a)redhat.com> Input: goodix - change goodix_i2c_write() len parameter type to int Tang Bin <tangbin(a)cmss.chinamobile.com> Input: cpcap-pwrbutton - handle errors from platform_get_irq() Filipe Manana <fdmanana(a)suse.com> btrfs: fix warning when freeing leaf after subvolume creation failure Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid delayed ref after subvolume creation failure Nikolay Borisov <nborisov(a)suse.com> btrfs: add additional parameters to btrfs_init_tree_ref/btrfs_init_data_ref Nikolay Borisov <nborisov(a)suse.com> btrfs: rename btrfs_alloc_chunk to btrfs_create_chunk Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: stricter validation of element data Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_set_pipapo: release elements in clone from abort path Duoming Zhou <duoming(a)zju.edu.cn> net: rose: fix UAF bug caused by rose_t0timer_expiry Oliver Neukum <oneukum(a)suse.com> usbnet: fix memory leak in error case Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix incorrect verifier simulation around jmp32's jeq/jne Thomas Kopp <thomas.kopp(a)microchip.com> can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register Thomas Kopp <thomas.kopp(a)microchip.com> can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_chip_config(): actually enable internal timestamping Rhett Aultman <rhett.aultman(a)samsara.com> can: gs_usb: gs_usb_open/close(): fix memory leak Liang He <windhl(a)126.com> can: grcan: grcan_probe(): remove extra of_node_get() Oliver Hartkopp <socketcan(a)hartkopp.net> can: bcm: use call_rcu() instead of costly synchronize_rcu() Takashi Iwai <tiwai(a)suse.de> ALSA: cs46xx: Fix missing snd_card_free() call at probe error Tim Crawford <tcrawford(a)system76.com> ALSA: hda/realtek: Add quirk for Clevo L140PU Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Workarounds for Behringer UMC 204/404 HD Po-Hsu Lin <po-hsu.lin(a)canonical.com> Revert "selftests/bpf: Add test for bpf_timer overwriting crash" Liu Shixin <liushixin2(a)huawei.com> mm/filemap: fix UAF in find_lock_entries Jann Horn <jannh(a)google.com> mm/slub: add missing TID updates on slab deactivation ------------- Diffstat: .../bindings/dma/allwinner,sun50i-a64-dma.yaml | 2 +- .../devicetree/bindings/soc/qcom/qcom,smd-rpm.yaml | 3 + MAINTAINERS | 3 +- Makefile | 19 +- arch/arm/boot/dts/at91-sam9x60ek.dts | 3 +- arch/arm/boot/dts/at91-sama5d2_icp.dts | 6 +- arch/arm/boot/dts/stm32mp151.dtsi | 4 +- arch/arm/configs/mxs_defconfig | 1 + arch/arm/mach-at91/pm.c | 10 +- arch/arm/mach-meson/platsmp.c | 2 + arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 54 ++-- .../dts/freescale/imx8mp-phyboard-pollux-rdk.dts | 48 ++-- .../boot/dts/qcom/msm8992-bullhead-rev-101.dts | 2 +- arch/arm64/boot/dts/qcom/msm8992-xiaomi-libra.dts | 2 +- arch/arm64/boot/dts/qcom/msm8994.dtsi | 4 +- arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +- arch/arm64/net/bpf_jit_comp.c | 5 +- arch/powerpc/boot/crt0.S | 31 +-- arch/powerpc/crypto/md5-asm.S | 10 +- arch/powerpc/crypto/sha1-powerpc-asm.S | 6 +- arch/powerpc/include/asm/ppc_asm.h | 43 +-- arch/powerpc/include/asm/vdso/gettimeofday.h | 69 +---- arch/powerpc/kernel/entry_32.S | 23 +- arch/powerpc/kernel/exceptions-64e.S | 14 +- arch/powerpc/kernel/exceptions-64s.S | 6 +- arch/powerpc/kernel/head_32.h | 3 +- arch/powerpc/kernel/head_booke.h | 3 +- arch/powerpc/kernel/interrupt_64.S | 34 +-- arch/powerpc/kernel/optprobes_head.S | 4 +- arch/powerpc/kernel/tm.S | 38 +-- arch/powerpc/kernel/trace/ftrace_64_mprofile.S | 15 +- arch/powerpc/kernel/vdso32/gettimeofday.S | 51 +++- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 5 +- arch/powerpc/kvm/book3s_hv_uvmem.c | 2 +- arch/powerpc/lib/test_emulate_step_exec_instr.S | 8 +- arch/powerpc/platforms/powernv/rng.c | 16 +- arch/riscv/configs/defconfig | 8 +- arch/riscv/configs/rv32_defconfig | 1 + arch/riscv/mm/init.c | 1 + arch/s390/boot/compressed/decompressor.h | 1 + arch/s390/boot/startup.c | 8 + arch/s390/kernel/entry.h | 1 + arch/s390/kernel/setup.c | 31 +-- arch/s390/kernel/vmlinux.lds.S | 1 + arch/s390/kvm/kvm-s390.c | 19 +- arch/s390/kvm/kvm-s390.h | 4 +- arch/s390/kvm/priv.c | 15 +- arch/x86/kernel/cpu/mce/core.c | 8 +- arch/x86/kvm/mmu/page_track.c | 4 +- arch/x86/kvm/mmu/tdp_mmu.c | 9 +- arch/x86/kvm/x86.c | 4 +- block/bio.c | 11 +- block/blk-iolatency.c | 2 +- block/blk-rq-qos.h | 23 +- drivers/base/core.c | 3 +- drivers/base/memory.c | 2 + drivers/base/power/runtime.c | 20 +- drivers/block/Kconfig | 1 + drivers/block/drbd/drbd_main.c | 8 +- drivers/block/virtio_blk.c | 158 +++++++---- drivers/bluetooth/btmtksdio.c | 3 +- drivers/bus/mhi/core/init.c | 9 +- drivers/bus/mhi/core/internal.h | 2 +- drivers/clk/renesas/r9a07g044-cpg.c | 4 +- drivers/cxl/core/bus.c | 4 + drivers/dma-buf/dma-buf.c | 19 +- drivers/dma/at_xdmac.c | 5 + drivers/dma/idxd/device.c | 5 +- drivers/dma/imx-sdma.c | 2 +- drivers/dma/lgm/lgm-dma.c | 3 +- drivers/dma/pl330.c | 2 +- drivers/dma/qcom/bam_dma.c | 39 +-- drivers/dma/ti/dma-crossbar.c | 5 + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 25 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 10 + drivers/gpu/drm/amd/amdgpu/cik.c | 2 +- drivers/gpu/drm/amd/amdgpu/nv.c | 2 +- drivers/gpu/drm/amd/amdgpu/si.c | 2 +- drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +- drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/vi.c | 17 +- .../gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 2 +- .../gpu/drm/amd/display/dc/dcn30/dcn30_resource.h | 7 + .../gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 65 ++++- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 2 +- drivers/gpu/drm/i915/gem/i915_gem_context.c | 7 + drivers/gpu/drm/i915/gem/i915_gem_object.c | 6 + drivers/gpu/drm/i915/gt/intel_context_types.h | 8 + drivers/gpu/drm/i915/gt/intel_engine_cs.c | 4 + drivers/gpu/drm/i915/gt/intel_engine_pm.c | 23 ++ drivers/gpu/drm/i915/gt/intel_engine_pm.h | 2 + drivers/gpu/drm/i915/gt/intel_engine_types.h | 7 + .../gpu/drm/i915/gt/intel_execlists_submission.c | 2 + drivers/gpu/drm/i915/gt/intel_ring_submission.c | 5 +- drivers/gpu/drm/i915/gt/mock_engine.c | 2 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 12 +- drivers/gpu/drm/mediatek/mtk_disp_drv.h | 16 +- drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 22 +- drivers/gpu/drm/mediatek/mtk_disp_rdma.c | 20 +- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 133 +++++++-- drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 4 + drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h | 29 +- drivers/i2c/busses/i2c-cadence.c | 1 + drivers/i2c/busses/i2c-piix4.c | 16 +- drivers/iio/accel/mma8452.c | 4 +- drivers/input/misc/cpcap-pwrbutton.c | 6 +- drivers/input/touchscreen/goodix.c | 150 +++++----- drivers/input/touchscreen/goodix.h | 75 +++++ drivers/iommu/intel/dmar.c | 2 +- drivers/irqchip/irq-gic-v3.c | 3 + drivers/media/platform/davinci/vpif.c | 97 +++++-- drivers/media/platform/omap3isp/ispstat.c | 5 +- drivers/media/rc/ir_toy.c | 2 +- drivers/memory/renesas-rpc-if.c | 48 +++- drivers/misc/cardreader/rtsx_usb.c | 27 +- drivers/mtd/spi-nor/core.c | 3 +- drivers/net/can/grcan.c | 1 - drivers/net/can/m_can/m_can.c | 8 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-regmap.c | 22 +- drivers/net/can/usb/gs_usb.c | 23 +- drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 25 +- drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 286 ++++++++++--------- drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 4 +- drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 119 ++++---- drivers/net/dsa/qca8k.c | 23 +- drivers/net/ethernet/ibm/ibmvnic.c | 147 +++++++++- drivers/net/ethernet/ibm/ibmvnic.h | 1 + drivers/net/ethernet/intel/i40e/i40e.h | 16 ++ drivers/net/ethernet/intel/i40e/i40e_main.c | 73 +++++ drivers/net/ethernet/intel/i40e/i40e_register.h | 13 + drivers/net/ethernet/intel/i40e/i40e_type.h | 1 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 88 +++--- drivers/net/ethernet/qlogic/qed/qed_l2.c | 23 +- drivers/net/ethernet/qlogic/qede/qede_filter.c | 47 ++-- drivers/net/ethernet/realtek/r8169_main.c | 10 +- drivers/net/usb/usbnet.c | 17 +- drivers/net/wireless/ath/ath11k/core.c | 5 + drivers/net/wireless/ath/ath11k/hw.h | 1 + drivers/net/wireless/ath/ath11k/pci.c | 12 +- .../net/wireless/mediatek/mt76/mt76_connac_mac.c | 3 - .../net/wireless/mediatek/mt76/mt76_connac_mcu.h | 2 +- .../net/wireless/mediatek/mt76/mt7921/debugfs.c | 31 ++- drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 28 -- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 33 +-- drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 47 ++-- drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h | 11 +- drivers/pci/hotplug/pciehp.h | 2 + drivers/pci/hotplug/pciehp_core.c | 2 + drivers/pci/hotplug/pciehp_hpc.c | 26 ++ drivers/pci/pcie/portdrv.h | 3 + drivers/pci/pcie/portdrv_core.c | 20 +- drivers/pci/pcie/portdrv_pci.c | 3 + drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 10 +- drivers/pinctrl/sunxi/pinctrl-sunxi.c | 2 + drivers/platform/x86/wmi.c | 39 +-- drivers/scsi/qla2xxx/qla_def.h | 5 +- drivers/scsi/qla2xxx/qla_edif.c | 39 +-- drivers/scsi/qla2xxx/qla_edif.h | 1 - drivers/scsi/qla2xxx/qla_init.c | 2 + drivers/scsi/qla2xxx/qla_nvme.c | 27 +- drivers/scsi/qla2xxx/qla_os.c | 102 ++++--- drivers/soc/atmel/soc.c | 12 +- drivers/tty/n_gsm.c | 263 ++++++++++++++--- drivers/vdpa/mlx5/net/mlx5_vnet.c | 7 +- drivers/video/fbdev/core/fbcon.c | 33 +++ drivers/video/fbdev/core/fbmem.c | 16 +- fs/btrfs/block-group.c | 152 ++++++---- fs/btrfs/block-group.h | 2 + fs/btrfs/ctree.c | 17 +- fs/btrfs/ctree.h | 8 +- fs/btrfs/delayed-ref.h | 5 +- fs/btrfs/dev-replace.c | 16 +- fs/btrfs/disk-io.c | 1 + fs/btrfs/extent-tree.c | 28 +- fs/btrfs/extent_io.c | 8 +- fs/btrfs/file.c | 13 +- fs/btrfs/free-space-tree.c | 4 +- fs/btrfs/inode.c | 3 +- fs/btrfs/ioctl.c | 96 ++++--- fs/btrfs/qgroup.c | 3 +- fs/btrfs/relocation.c | 25 +- fs/btrfs/scrub.c | 6 +- fs/btrfs/tree-log.c | 2 +- fs/btrfs/volumes.c | 310 +++++++++++++-------- fs/btrfs/volumes.h | 28 +- fs/btrfs/zoned.c | 2 +- fs/btrfs/zoned.h | 17 ++ fs/gfs2/file.c | 1 + fs/io_uring.c | 10 +- fs/nfsd/nfs3proc.c | 6 - fs/nfsd/vfs.c | 64 +++-- fs/nfsd/vfs.h | 4 +- fs/seq_file.c | 32 +++ fs/xfs/xfs_inode.c | 1 - include/linux/blk_types.h | 3 +- include/linux/compiler-gcc.h | 8 + include/linux/compiler_attributes.h | 10 + include/linux/compiler_types.h | 12 + include/linux/fbcon.h | 4 + include/linux/hugetlb.h | 6 + include/linux/list.h | 10 + include/linux/memregion.h | 2 +- include/linux/mm.h | 8 + include/linux/pm_runtime.h | 5 +- include/linux/qed/qed_eth_if.h | 21 +- include/linux/rtsx_usb.h | 2 - include/linux/seq_file.h | 4 + include/linux/stddef.h | 61 ++++ include/linux/vmalloc.h | 5 + include/net/netfilter/nf_tables.h | 10 +- include/net/netfilter/nf_tables_ipv4.h | 7 +- include/net/netfilter/nf_tables_ipv6.h | 6 +- include/uapi/linux/netfilter/nf_tables.h | 2 + include/uapi/linux/omap3isp.h | 21 +- include/uapi/linux/stddef.h | 41 +++ include/video/of_display_timing.h | 2 + kernel/bpf/verifier.c | 113 ++++---- kernel/module.c | 79 ++++-- lib/idr.c | 3 +- mm/filemap.c | 12 +- mm/hugetlb.c | 10 + mm/hwpoison-inject.c | 3 +- mm/madvise.c | 2 + mm/memory-failure.c | 205 ++++++++------ mm/slub.c | 2 + mm/util.c | 50 ++++ net/batman-adv/bridge_loop_avoidance.c | 2 +- net/bluetooth/hci_event.c | 12 + net/can/bcm.c | 18 +- net/netfilter/nf_tables_api.c | 9 +- net/netfilter/nf_tables_core.c | 2 +- net/netfilter/nf_tables_trace.c | 4 +- net/netfilter/nft_exthdr.c | 2 +- net/netfilter/nft_meta.c | 2 +- net/netfilter/nft_payload.c | 63 ++++- net/netfilter/nft_set_pipapo.c | 48 +++- net/rose/rose_route.c | 4 +- net/rxrpc/ar-internal.h | 2 +- net/rxrpc/call_accept.c | 6 +- net/rxrpc/call_object.c | 18 +- net/rxrpc/net_ns.c | 2 +- net/rxrpc/proc.c | 10 +- net/xdp/xsk_buff_pool.c | 1 + scripts/checkpatch.pl | 3 +- scripts/kernel-doc | 9 + sound/pci/cs46xx/cs46xx.c | 22 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/rt5682-i2c.c | 36 ++- sound/soc/codecs/rt5682.c | 125 ++++----- sound/soc/codecs/rt5682.h | 4 +- sound/soc/codecs/rt700.c | 16 +- sound/soc/codecs/rt711-sdca.c | 27 +- sound/soc/codecs/rt711.c | 25 +- sound/usb/mixer_maps.c | 16 ++ sound/usb/quirks.c | 4 + .../testing/selftests/bpf/prog_tests/timer_crash.c | 32 --- tools/testing/selftests/bpf/progs/timer_crash.c | 54 ---- tools/testing/selftests/net/forwarding/lib.sh | 6 +- tools/testing/selftests/net/udpgro.sh | 2 +- tools/testing/selftests/net/udpgro_bench.sh | 2 +- tools/testing/selftests/net/udpgro_fwd.sh | 2 +- tools/testing/selftests/net/veth.sh | 6 +- virt/kvm/kvm_main.c | 14 +- 265 files changed, 3774 insertions(+), 2044 deletions(-)

1 year, 10 months

8
243
0 0

[PATCH] aio: fix mremap after fork null-deref

by Seth Jenkins

Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL. Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring") Cc: stable(a)vger.kernel.org Signed-off-by: Seth Jenkins <sethjenkins(a)google.com> --- fs/aio.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/fs/aio.c b/fs/aio.c index 5b2ff20ad322..74eae7de7323 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -361,16 +361,18 @@ static int aio_ring_mremap(struct vm_area_struct *vma) spin_lock(&mm->ioctx_lock); rcu_read_lock(); table = rcu_dereference(mm->ioctx_table); - for (i = 0; i < table->nr; i++) { - struct kioctx *ctx; - - ctx = rcu_dereference(table->table[i]); - if (ctx && ctx->aio_ring_file == file) { - if (!atomic_read(&ctx->dead)) { - ctx->user_id = ctx->mmap_base = vma->vm_start; - res = 0; + if (table) { + for (i = 0; i < table->nr; i++) { + struct kioctx *ctx; + + ctx = rcu_dereference(table->table[i]); + if (ctx && ctx->aio_ring_file == file) { + if (!atomic_read(&ctx->dead)) { + ctx->user_id = ctx->mmap_base = vma->vm_start; + res = 0; + } + break; } - break; } } -- 2.38.1.431.g37b22c650d-goog

1 year, 10 months

4
7
0 0

[PATCH AUTOSEL 6.1 1/7] ASoC: SOF: Revert: "core: unregister clients and machine drivers in .shutdown"

by Sasha Levin

From: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> [ Upstream commit 44fda61d2bcfb74a942df93959e083a4e8eff75f ] The unregister machine drivers call is not safe to do when kexec is used. Kexec-lite gets blocked with following backtrace: [ 84.943749] Freezing user space processes ... (elapsed 0.111 seconds) done. [ 246.784446] INFO: task kexec-lite:5123 blocked for more than 122 seconds. [ 246.819035] Call Trace: [ 246.821782] <TASK> [ 246.824186] __schedule+0x5f9/0x1263 [ 246.828231] schedule+0x87/0xc5 [ 246.831779] snd_card_disconnect_sync+0xb5/0x127 ... [ 246.889249] snd_sof_device_shutdown+0xb4/0x150 [ 246.899317] pci_device_shutdown+0x37/0x61 [ 246.903990] device_shutdown+0x14c/0x1d6 [ 246.908391] kernel_kexec+0x45/0xb9 This reverts commit 83bfc7e793b555291785136c3ae86abcdc046887. Reported-by: Ricardo Ribalda <ribalda(a)chromium.org> Cc: Ricardo Ribalda <ribalda(a)chromium.org> Signed-off-by: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Link: https://lore.kernel.org/r/20221209114529.3909192-3-kai.vehmanen@linux.intel… Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/sof/core.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/sound/soc/sof/core.c b/sound/soc/sof/core.c index 3e6141d03770..625977a29d8a 100644 --- a/sound/soc/sof/core.c +++ b/sound/soc/sof/core.c @@ -475,19 +475,10 @@ EXPORT_SYMBOL(snd_sof_device_remove); int snd_sof_device_shutdown(struct device *dev) { struct snd_sof_dev *sdev = dev_get_drvdata(dev); - struct snd_sof_pdata *pdata = sdev->pdata; if (IS_ENABLED(CONFIG_SND_SOC_SOF_PROBE_WORK_QUEUE)) cancel_work_sync(&sdev->probe_work); - /* - * make sure clients and machine driver(s) are unregistered to force - * all userspace devices to be closed prior to the DSP shutdown sequence - */ - sof_unregister_clients(sdev); - - snd_sof_machine_unregister(sdev, pdata); - if (sdev->fw_state == SOF_FW_BOOT_COMPLETE) return snd_sof_shutdown(sdev); -- 2.35.1

1 year, 10 months

3
9
0 0

[PATCH v2] Bluetooth: hci_qca: Fix driver shutdown on closed serdev

by Krzysztof Kozlowski

The driver shutdown callback (which sends EDL_SOC_RESET to the device over serdev) should not be invoked when HCI device is not open (e.g. if hci_dev_open_sync() failed), because the serdev and its TTY are not open either. Also skip this step if device is powered off (qca_power_shutdown()). The shutdown callback causes use-after-free during system reboot with Qualcomm Atheros Bluetooth: Unable to handle kernel paging request at virtual address 0072662f67726fd7 ... CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G W 6.1.0-rt5-00325-g8a5f56bcfcca #8 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: tty_driver_flush_buffer+0x4/0x30 serdev_device_write_flush+0x24/0x34 qca_serdev_shutdown+0x80/0x130 [hci_uart] device_shutdown+0x15c/0x260 kernel_restart+0x48/0xac KASAN report: BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50 Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1 CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted 6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28 Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) Call trace: dump_backtrace.part.0+0xdc/0xf0 show_stack+0x18/0x30 dump_stack_lvl+0x68/0x84 print_report+0x188/0x488 kasan_report+0xa4/0xf0 __asan_load8+0x80/0xac tty_driver_flush_buffer+0x1c/0x50 ttyport_write_flush+0x34/0x44 serdev_device_write_flush+0x48/0x60 qca_serdev_shutdown+0x124/0x274 device_shutdown+0x1e8/0x350 kernel_restart+0x48/0xb0 __do_sys_reboot+0x244/0x2d0 __arm64_sys_reboot+0x54/0x70 invoke_syscall+0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x44/0xf0 el0_svc+0x2c/0x6c el0t_64_sync_handler+0xbc/0x140 el0t_64_sync+0x190/0x194 Fixes: 7e7bbddd029b ("Bluetooth: hci_qca: Fix qca6390 enable failure after warm reboot") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Changes since v1: 1. Drop serdev patch and fix it only on BT side. 2. Update commit msg. --- drivers/bluetooth/hci_qca.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index bb7623fe53a8..157fc4d024c1 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -2166,10 +2166,16 @@ static void qca_serdev_shutdown(struct device *dev) int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS); struct serdev_device *serdev = to_serdev_device(dev); struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev); + struct hci_uart *hu = &qcadev->serdev_hu; + struct hci_dev *hdev = hu->hdev; + struct qca_data *qca = hu->priv; const u8 ibs_wake_cmd[] = { 0xFD }; const u8 edl_reset_soc_cmd[] = { 0x01, 0x00, 0xFC, 0x01, 0x05 }; if (qcadev->btsoc_type == QCA_QCA6390) { + if (test_bit(QCA_BT_OFF, &qca->flags) || !test_bit(HCI_RUNNING, &hdev->flags)) + return; + serdev_device_write_flush(serdev); ret = serdev_device_write_buf(serdev, ibs_wake_cmd, sizeof(ibs_wake_cmd)); -- 2.34.1

1 year, 10 months

2
3
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2022