commit 3e98e33d345e981800e03dd29f6f6343286d30b6 Author: Greg Kroah-Hartman Date: Fri Sep 23 14:15:52 2022 +0200 Linux 5.15.70 Link: https://lore.kernel.org/r/20220921153646.931277075@linuxfoundation.org Tested-by: Shuah Khan Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Florian Fainelli Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit 21f948cab86617501da4f97bfac197cac2b103f2 Author: Takashi Iwai Date: Mon Sep 5 15:06:30 2022 +0200 ALSA: hda/sigmatel: Fix unused variable warning for beep power change commit 51bdc8bb82525cd70feb92279c8b7660ad7948dd upstream. The newly added stac_check_power_status() caused a compile warning when CONFIG_SND_HDA_INPUT_BEEP is disabled. Fix it. Fixes: 414d38ba8710 ("ALSA: hda/sigmatel: Keep power up while beep is enabled") Reported-by: kernel test robot Link: https://lore.kernel.org/r/20220905130630.2845-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5db17805b6ba4c34dab303f49aea3562fc25af75 Author: Tetsuo Handa Date: Thu Aug 25 17:38:38 2022 +0900 cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() commit 43626dade36fa74d3329046f4ae2d7fdefe401c6 upstream. syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock") missed that cpuset_attach() is also called from cgroup_attach_task_all(). Add cpus_read_lock() like what cgroup_procs_write_start() does. Link: https://syzkaller.appspot.com/bug?extid=29d3a3b4d86c8136ad9e [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Fixes: 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock") Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 39b0235284c7aa33a64e07b825add7a2c108094a Author: Mingwei Zhang Date: Thu Apr 21 03:14:07 2022 +0000 KVM: SEV: add cache flush to solve SEV cache incoherency issues commit 683412ccf61294d727ead4a73d97397396e69a6b upstream. Flush the CPU caches when memory is reclaimed from an SEV guest (where reclaim also includes it being unmapped from KVM's memslots). Due to lack of coherency for SEV encrypted memory, failure to flush results in silent data corruption if userspace is malicious/broken and doesn't ensure SEV guest memory is properly pinned and unpinned. Cache coherency is not enforced across the VM boundary in SEV (AMD APM vol.2 Section 15.34.7). Confidential cachelines, generated by confidential VM guests have to be explicitly flushed on the host side. If a memory page containing dirty confidential cachelines was released by VM and reallocated to another user, the cachelines may corrupt the new user at a later time. KVM takes a shortcut by assuming all confidential memory remain pinned until the end of VM lifetime. Therefore, KVM does not flush cache at mmu_notifier invalidation events. Because of this incorrect assumption and the lack of cache flushing, malicous userspace can crash the host kernel: creating a malicious VM and continuously allocates/releases unpinned confidential memory pages when the VM is running. Add cache flush operations to mmu_notifier operations to ensure that any physical memory leaving the guest VM get flushed. In particular, hook mmu_notifier_invalidate_range_start and mmu_notifier_release events and flush cache accordingly. The hook after releasing the mmu lock to avoid contention with other vCPUs. Cc: stable@vger.kernel.org Suggested-by: Sean Christpherson Reported-by: Mingwei Zhang Signed-off-by: Mingwei Zhang Message-Id: <20220421031407.2516575-4-mizhang@google.com> Signed-off-by: Paolo Bonzini [OP: adjusted KVM_X86_OP_OPTIONAL() -> KVM_X86_OP_NULL, applied kvm_arch_guest_memory_reclaimed() call in kvm_set_memslot()] Signed-off-by: Ovidiu Panait Signed-off-by: Greg Kroah-Hartman commit d9bf46e747353789466321e28f8ee3c585b15cd6 Author: sewookseo Date: Thu Jul 7 10:01:39 2022 +0000 net: Find dst with sk's xfrm policy not ctl_sk commit e22aa14866684f77b4f6b6cae98539e520ddb731 upstream. If we set XFRM security policy by calling setsockopt with option IPV6_XFRM_POLICY, the policy will be stored in 'sock_policy' in 'sock' struct. However tcp_v6_send_response doesn't look up dst_entry with the actual socket but looks up with tcp control socket. This may cause a problem that a RST packet is sent without ESP encryption & peer's TCP socket can't receive it. This patch will make the function look up dest_entry with actual socket, if the socket has XFRM policy(sock_policy), so that the TCP response packet via this function can be encrypted, & aligned on the encrypted TCP socket. Tested: We encountered this problem when a TCP socket which is encrypted in ESP transport mode encryption, receives challenge ACK at SYN_SENT state. After receiving challenge ACK, TCP needs to send RST to establish the socket at next SYN try. But the RST was not encrypted & peer TCP socket still remains on ESTABLISHED state. So we verified this with test step as below. [Test step] 1. Making a TCP state mismatch between client(IDLE) & server(ESTABLISHED). 2. Client tries a new connection on the same TCP ports(src & dst). 3. Server will return challenge ACK instead of SYN,ACK. 4. Client will send RST to server to clear the SOCKET. 5. Client will retransmit SYN to server on the same TCP ports. [Expected result] The TCP connection should be established. Cc: Maciej Żenczykowski Cc: Eric Dumazet Cc: Steffen Klassert Cc: Sehee Lee Signed-off-by: Sewook Seo Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ab5140c6ddd7473509e12f468948de91138b124e Author: Hyunwoo Kim Date: Mon Jun 20 07:17:46 2022 -0700 video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write [ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of type int. Then, copy_from_user() may cause a heap overflow because it is used as the third argument of copy_from_user(). Signed-off-by: Hyunwoo Kim Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 9af7af862cb8e2557c23589446a5356e37c9d633 Author: Youling Tang Date: Thu Sep 1 19:10:59 2022 +0800 mksysmap: Fix the mismatch of 'L0' symbols in System.map [ Upstream commit c17a2538704f926ee4d167ba625e09b1040d8439 ] When System.map was generated, the kernel used mksysmap to filter the kernel symbols, we need to filter "L0" symbols in LoongArch architecture. $ cat System.map | grep L0 9000000000221540 t L0 The L0 symbol exists in System.map, but not in .tmp_System.map. When "cmp -s System.map .tmp_System.map" will show "Inconsistent kallsyms data" error message in link-vmlinux.sh script. Signed-off-by: Youling Tang Signed-off-by: Masahiro Yamada Signed-off-by: Sasha Levin commit 2340f23c770de46d2b3ee2823dba53304ba1edb2 Author: Clément Péron Date: Tue Sep 6 17:30:33 2022 +0200 drm/panfrost: devfreq: set opp to the recommended one to configure regulator [ Upstream commit d76034a427a2660b080bc155e4fd8f6393eefb48 ] Enabling panfrost GPU OPP with dynamic regulator will make OPP responsible to enable and configure it. Unfortunately OPP configure and enable the regulator when an OPP is asked to be set, which is not the case during panfrost_devfreq_init(). This leave the regulator unconfigured and if no GPU load is triggered, no OPP is asked to be set which make the regulator framework switching it off during regulator_late_cleanup() without noticing and therefore make the board hang as any access to GPU memory space make bus locks up. Call dev_pm_opp_set_opp() with the recommend OPP in panfrost_devfreq_init() to enable the regulator, this will properly configure and enable the regulator and will avoid any switch off by regulator_late_cleanup(). Suggested-by: Viresh Kumar Signed-off-by: Clément Péron Reviewed-by: Steven Price Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20220906153034.153321-5-peron.clem@gmail.com Signed-off-by: Sasha Levin commit 7e8df4920b2a5e9e667fb65f0da44d9f19f69bf7 Author: Alexander Sverdlin Date: Tue Sep 6 11:59:43 2022 +0200 MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() [ Upstream commit ba912afbd611d3a5f22af247721a071ad1d5b9e0 ] For irq_domain_associate() to work the virq descriptor has to be pre-allocated in advance. Otherwise the following happens: WARNING: CPU: 0 PID: 0 at .../kernel/irq/irqdomain.c:527 irq_domain_associate+0x298/0x2e8 error: virq128 is not allocated Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.78-... #1 ... Call Trace: [] show_stack+0x9c/0x130 [] dump_stack+0x90/0xd0 [] __warn+0x118/0x130 [] warn_slowpath_fmt+0x4c/0x70 [] irq_domain_associate+0x298/0x2e8 [] octeon_irq_init_ciu+0x4c8/0x53c [] of_irq_init+0x1e0/0x388 [] init_IRQ+0x4c/0xf4 [] start_kernel+0x404/0x698 Use irq_alloc_desc_at() to avoid the above problem. Signed-off-by: Alexander Sverdlin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit af88da4c737a4292236b89f9c4b3db3db9b6d941 Author: David Howells Date: Tue Sep 6 22:09:11 2022 +0100 afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked [ Upstream commit 0066f1b0e27556381402db3ff31f85d2a2265858 ] When trying to get a file lock on an AFS file, the server may return UAEAGAIN to indicate that the lock is already held. This is currently translated by the default path to -EREMOTEIO. Translate it instead to -EAGAIN so that we know we can retry it. Signed-off-by: David Howells Reviewed-by: Jeffrey E Altman cc: Marc Dionne cc: linux-afs@lists.infradead.org Link: https://lore.kernel.org/r/166075761334.3533338.2591992675160918098.stgit@warthog.procyon.org.uk/ Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 2dd0ae85fb3c7a8a2b35495638e01eccc94f96ee Author: jerry.meng Date: Mon Sep 5 09:24:52 2022 +0800 net: usb: qmi_wwan: add Quectel RM520N [ Upstream commit e1091e226a2bab4ded1fe26efba2aee1aab06450 ] add support for Quectel RM520N which is based on Qualcomm SDX62 chip. 0x0801: DIAG + NMEA + AT + MODEM + RMNET T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 10 Spd=480 MxCh= 0 D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=0801 Rev= 5.04 S: Manufacturer=Quectel S: Product=RM520N-GL S: SerialNumber=384af524 C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: jerry.meng Acked-by: Bjørn Mork Link: https://lore.kernel.org/r/tencent_E50CA8A206904897C2D20DDAE90731183C05@qq.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit a5e949e088bcf02b7add113942f0595128cdfc16 Author: Mohan Kumar Date: Mon Sep 5 22:54:20 2022 +0530 ALSA: hda/tegra: Align BDL entry to 4KB boundary [ Upstream commit 8d44e6044a0e885acdd01813768a0b27906d64fd ] AZA HW may send a burst read/write request crossing 4K memory boundary. The 4KB boundary is not guaranteed by Tegra HDA HW. Make SW change to include the flag AZX_DCAPS_4K_BDLE_BOUNDARY to align BDLE to 4K boundary. Signed-off-by: Mohan Kumar Link: https://lore.kernel.org/r/20220905172420.3801-1-mkumard@nvidia.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3d25aaf71fe0fb5476ae485f9855cf74b87a5474 Author: Takashi Iwai Date: Sun Sep 4 09:27:50 2022 +0200 ALSA: hda/sigmatel: Keep power up while beep is enabled [ Upstream commit 414d38ba871092aeac4ed097ac4ced89486646f7 ] It seems that the beep playback doesn't work well on IDT codec devices when the codec auto-pm is enabled. Keep the power on while the beep switch is enabled. Link: https://bugzilla.suse.com/show_bug.cgi?id=1200544 Link: https://lore.kernel.org/r/20220904072750.26164-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d582756bfc719330d76739358b3efea30860e25d Author: Soenke Huster Date: Fri Sep 2 10:19:58 2022 +0200 wifi: mac80211_hwsim: check length for virtio packets [ Upstream commit 8c0427842aaef161a38ac83b7e8d8fe050b4be04 ] An invalid packet with a length shorter than the specified length in the netlink header can lead to use-after-frees and slab-out-of-bounds in the processing of the netlink attributes, such as the following: BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010 Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12 Workqueue: events hwsim_virtio_rx_work Call Trace: dump_stack_lvl+0x45/0x5d print_report.cold+0x5e/0x5e5 kasan_report+0xb1/0x1c0 __nla_validate_parse+0x1258/0x2010 __nla_parse+0x22/0x30 hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0 hwsim_virtio_rx_work+0x1b2/0x370 process_one_work+0x8df/0x1530 worker_thread+0x575/0x11a0 kthread+0x29d/0x340 ret_from_fork+0x22/0x30 Discarding packets with an invalid length solves this. Therefore, skb->len must be set at reception. Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6 Signed-off-by: Soenke Huster Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 17898c3b578a372d4e5d2f6c750a8e5c564a3bd6 Author: David Howells Date: Tue Apr 5 13:34:09 2022 +0100 rxrpc: Fix calc of resend age [ Upstream commit 214a9dc7d852216e83acac7b75bc18f01ce184c2 ] Fix the calculation of the resend age to add a microsecond value as microseconds, not nanoseconds. Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 1bbcd88c3c99430162bfd2f1f3f0cdf8e55d2334 Author: David Howells Date: Fri May 6 23:55:21 2022 +0100 rxrpc: Fix local destruction being repeated [ Upstream commit d3d863036d688313f8d566b87acd7d99daf82749 ] If the local processor work item for the rxrpc local endpoint gets requeued by an event (such as an incoming packet) between it getting scheduled for destruction and the UDP socket being closed, the rxrpc_local_destroyer() function can get run twice. The second time it can hang because it can end up waiting for cleanup events that will never happen. Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 87cd4c02bdb174a5f47252fe3363aa53853b9561 Author: Hannes Reinecke Date: Wed Aug 24 08:00:33 2022 +0200 scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of DID_REQUEUE [ Upstream commit c0a50cd389c3ed54831e240023dd12bafa56b3a6 ] When the driver hits an internal error condition returning DID_REQUEUE the I/O will be retried on the same ITL nexus. This will inhibit multipathing, resulting in endless retries even if the error could have been resolved by using a different ITL nexus. Return DID_TRANSPORT_DISRUPTED to allow for multipath to engage and route I/O to another ITL nexus. Link: https://lore.kernel.org/r/20220824060033.138661-1-hare@suse.de Reviewed-by: James Smart Signed-off-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f08a320b4b6048e018c7f847c9cbea60644fee83 Author: Xiaolei Wang Date: Thu Aug 25 19:19:22 2022 +0800 regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() [ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ] The pfuze_chip::regulator_descs is an array of size PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators is the pointer to the real regulators of a specific device. The number of real regulator is supposed to be less than the PFUZE100_MAX_REGULATOR, so we should use the size of 'regulator_num * sizeof(struct pfuze_regulator)' in memcpy(). This fixes the out of bounds access bug reported by KASAN. Signed-off-by: Xiaolei Wang Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 80c7be217ba7d57e7c6cdaeac30e68ceb47a0fbb Author: Takashi Iwai Date: Tue Aug 23 10:09:57 2022 +0200 ASoC: nau8824: Fix semaphore unbalance at error paths [ Upstream commit 5628560e90395d3812800a8e44a01c32ffa429ec ] The semaphore of nau8824 wasn't properly unlocked at some error handling code paths, hence this may result in the unbalance (and potential lock-up). Fix them to handle the semaphore up properly. Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20220823081000.2965-3-tiwai@suse.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f1d57c4c99c2c86929254ae448e5b2c866942587 Author: Jassi Brar Date: Mon Aug 1 09:10:05 2022 -0500 arm64: dts: juno: Add missing MHU secure-irq [ Upstream commit 422ab8fe15e30066d4c8e236b747c77069bfca45 ] The MHU secure interrupt exists physically but is missing in the DT node. Specify the interrupt in DT node to fix a warning on Arm Juno board: mhu@2b1f0000: interrupts: [[0, 36, 4], [0, 35, 4]] is too short Link: https://lore.kernel.org/r/20220801141005.599258-1-jassisinghbrar@gmail.com Signed-off-by: Jassi Brar Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit 59b756da49bfa51a00a0b58b4147ce2652bc3d28 Author: Zheyu Ma Date: Mon Apr 4 16:47:17 2022 +0800 video: fbdev: i740fb: Error out if 'pixclock' equals zero commit 15cf0b82271b1823fb02ab8c377badba614d95d5 upstream. The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error. Fix this by checking whether 'pixclock' is zero in the function i740fb_check_var(). The following log reveals it: divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline] RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Stefan Ghinea Signed-off-by: Greg Kroah-Hartman commit 899f4160b1404c6ee04f87a34546ab6a3767ac46 Author: Carlos Llamas Date: Tue Sep 20 05:24:43 2022 +0000 binder: remove inaccurate mmap_assert_locked() Acquiring the mmap_lock during exit_mmap() was only added recently in v5.17 by commit 64591e8605d6 ("mm: protect free_pgtables with mmap_lock write lock in exit_mmap"). Soon after, asserts for holding this lock were added to the binder_alloc_set_vma() callback by the following two fix commits in mainline: commit b0cab80ecd54 ("android: binder: fix lockdep check on clearing vma") and commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA"). These two fix commits were picked for stable trees including v5.15 were unfortunately the mmap_lock is not held during exit_mmap() yet and this unmet dependency leads to the following BUG report: ------------[ cut here ]------------ kernel BUG at include/linux/mmap_lock.h:156! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP Modules linked in: CPU: 3 PID: 437 Comm: binder Not tainted 5.15.68 #5 Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : binder_alloc_vma_close+0x6c/0x70 lr : binder_alloc_vma_close+0x6c/0x70 sp : ffff800008687a70 x29: ffff800008687a70 x28: ffff02a7ccf89d00 x27: ffff02a7c92f99e8 x26: 000000000000012a x25: ffff02a7c6284740 x24: ffff02a7ccf8a360 x23: ffff02a7c92f9980 x22: 1ffff000010d0f6c x21: ffff02a7c92f99e8 x20: ffff02a7c92f9980 x19: ffff02a7d16b79a8 x18: 0000ffffe1702d20 x17: 3334373239343932 x16: 34206e6163735f74 x15: 78656e5f616d756e x14: 0a30303030303030 x13: 7366666f5f6e6163 x12: ffff60550564a12b x11: 1fffe0550564a12a x10: ffff60550564a12a x9 : dfff800000000000 x8 : ffff02a82b250957 x7 : 0000000000000001 x6 : ffff60550564a12a x5 : ffff02a82b250950 x4 : dfff800000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff02a7ccf89d00 x0 : 0000000000000374 Call trace: binder_alloc_vma_close+0x6c/0x70 binder_vma_close+0x38/0xf4 remove_vma+0x4c/0x94 exit_mmap+0x14c/0x2bc __mmput+0x70/0x19c mmput+0x68/0x80 do_exit+0x484/0xeb0 do_group_exit+0x5c/0x100 [...] This patch removes the inaccurate assert specifically from v5.15 since it's the only release with such issue. Note the mmap_lock is technically not needed here as the mm->mm_users has dropped to zero at this point. More context: https://lore.kernel.org/all/YxpQaio7xm3z9TUw@google.com/. Fixes: b0cab80ecd54 ("android: binder: fix lockdep check on clearing vma") Fixes: a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") Cc: Liam Howlett Cc: Suren Baghdasaryan Cc: # v5.15 Signed-off-by: Carlos Llamas Signed-off-by: Greg Kroah-Hartman commit 8c2bbfb0ded3f41e2985a7856da56f130288d926 Author: Alex Deucher Date: Fri Sep 9 11:53:27 2022 -0400 drm/amdgpu: move nbio sdma_doorbell_range() into sdma code for vega commit e3163bc8ffdfdb405e10530b140135b2ee487f89 upstream. This mirrors what we do for other asics and this way we are sure the sdma doorbell range is properly initialized. There is a comment about the way doorbells on gfx9 work that requires that they are initialized for other IPs before GFX is initialized. However, the statement says that it applies to multimedia as well, but the VCN code currently initializes doorbells after GFX and there are no known issues there. In my testing at least I don't see any problems on SDMA. This is a prerequisite for fixing the Unsupported Request error reported through AER during driver load. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216373 The error was unnoticed before and got visible because of the commit referenced below. This doesn't fix anything in the commit below, rather fixes the issue in amdgpu exposed by the commit. The reference is only to associate this commit with below one so that both go together. Fixes: 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()") Acked-by: Christian König Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 0a7d86f156fad2a4420404c1f71c9ee79970ab0c Author: Alex Deucher Date: Fri Sep 9 11:47:20 2022 -0400 drm/amdgpu: move nbio ih_doorbell_range() into ih code for vega commit dc1d85cb790f2091eea074cee24a704b2d6c4a06 upstream. This mirrors what we do for other asics and this way we are sure the ih doorbell range is properly initialized. There is a comment about the way doorbells on gfx9 work that requires that they are initialized for other IPs before GFX is initialized. In this case IH is initialized before GFX, so there should be no issue. This is a prerequisite for fixing the Unsupported Request error reported through AER during driver load. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216373 The error was unnoticed before and got visible because of the commit referenced below. This doesn't fix anything in the commit below, rather fixes the issue in amdgpu exposed by the commit. The reference is only to associate this commit with below one so that both go together. Fixes: 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()") Acked-by: Christian König Reviewed-by: Lijo Lazar Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit dcef16f64969eefb83c8711173fd025611f258f8 Author: Lijo Lazar Date: Thu Sep 8 08:28:57 2022 +0530 drm/amdgpu: Don't enable LTR if not supported commit 6c20490663553cd7e07d8de8af482012329ab9d6 upstream. As per PCIE Base Spec r4.0 Section 6.18 'Software must not enable LTR in an Endpoint unless the Root Complex and all intermediate Switches indicate support for LTR.' This fixes the Unsupported Request error reported through AER during ASPM enablement. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216455 The error was unnoticed before and got visible because of the commit referenced below. This doesn't fix anything in the commit below, rather fixes the issue in amdgpu exposed by the commit. The reference is only to associate this commit with below one so that both go together. Fixes: 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()") Reported-by: Gustaw Smolarczyk Signed-off-by: Lijo Lazar Reviewed-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher commit 710ebf8f1a088903c733a23ce7014428d8542cdf Author: Ben Hutchings Date: Tue Aug 25 23:27:40 2020 +0100 tools/include/uapi: Fix for parisc and xtensa commit 95363747a6f39e88a3052fcf6ce6237769495ce0 upstream. tools/include/uapi/asm/errno.h currently attempts to include non-existent arch-specific errno.h header for xtensa. Remove this case so that is used instead, and add the missing arch-specific header for parisc. References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=ia64&ver=5.8.3-1%7Eexp1&stamp=1598340829&raw=1 Signed-off-by: Ben Hutchings Signed-off-by: Salvatore Bonaccorso Cc: # 5.10+ Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 309e9f4a17cf76e730c3101ecb5addfd93368556 Author: Helge Deller Date: Tue Sep 13 08:51:10 2022 +0200 parisc: Allow CONFIG_64BIT with ARCH=parisc commit 805ce8614958c925877ba6b6dc26cdf9f8800474 upstream. The previous patch triggered a build failure for the debian kernel, which has CONFIG_64BIT enabled, uses the CROSS_COMPILER environment variable and uses ARCH=parisc to configure the kernel for 64-bit support. This patch weakens the previous patch while keeping the recommended way to configure the kernel with: ARCH=parisc -> build 32-bit kernel ARCH=parisc64 -> build 64-bit kernel while adding the possibility for debian to configure a 64-bit kernel even if ARCH=parisc is set (PA8X00 CPU has to be selected and CONFIG_64BIT needs to be enabled). The downside of this patch is, that we now have a small window open again where people may get it wrong: if they enable CONFIG_64BIT and try to compile with a 32-bit compiler. Fixes: 3dcfb729b5f4 ("parisc: Make CONFIG_64BIT available for ARCH=parisc64 only") Signed-off-by: Helge Deller Cc: # 5.15+ Signed-off-by: Greg Kroah-Hartman commit 9a72466fb61b3cacf28faa9d805c1918f47f7029 Author: Stefan Metzmacher Date: Wed Sep 14 05:25:47 2022 +0200 cifs: always initialize struct msghdr smb_msg completely commit bedc8f76b3539ac4f952114b316bcc2251e808ce upstream. So far we were just lucky because the uninitialized members of struct msghdr are not used by default on a SOCK_STREAM tcp socket. But as new things like msg_ubuf and sg_from_iter where added recently, we should play on the safe side and avoid potention problems in future. Signed-off-by: Stefan Metzmacher Cc: stable@vger.kernel.org Reviewed-by: Paulo Alcantara (SUSE) Reviewed-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 21c47a08f96a3ec44c6f4a78614ea586faaa37f5 Author: Stefan Metzmacher Date: Wed Sep 14 05:25:46 2022 +0200 cifs: don't send down the destination address to sendmsg for a SOCK_STREAM commit 17d3df38dc5f4cec9b0ac6eb79c1859b6e2693a4 upstream. This is ignored anyway by the tcp layer. Signed-off-by: Stefan Metzmacher Cc: stable@vger.kernel.org Reviewed-by: Ronnie Sahlberg Reviewed-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit e1aad8c56090f1dda3dde400a23ff50ef74af781 Author: Ronnie Sahlberg Date: Mon Sep 12 13:04:46 2022 +1000 cifs: revalidate mapping when doing direct writes commit 7500a99281dfed2d4a84771c933bcb9e17af279b upstream. Kernel bugzilla: 216301 When doing direct writes we need to also invalidate the mapping in case we have a cached copy of the affected page(s) in memory or else subsequent reads of the data might return the old/stale content before we wrote an update to the server. Cc: stable@vger.kernel.org Reviewed-by: Paulo Alcantara (SUSE) Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit b04e0208d025a07b6e8f248cd00dfc4b14296d95 Author: Thierry Reding Date: Wed Aug 24 17:32:56 2022 +0200 of/device: Fix up of_dma_configure_id() stub commit 40bfe7a86d84cf08ac6a8fe2f0c8bf7a43edd110 upstream. Since the stub version of of_dma_configure_id() was added in commit a081bd4af4ce ("of/device: Add input id to of_dma_configure()"), it has not matched the signature of the full function, leading to build failure reports when code using this function is built on !OF configurations. Fixes: a081bd4af4ce ("of/device: Add input id to of_dma_configure()") Cc: stable@vger.kernel.org Signed-off-by: Thierry Reding Reviewed-by: Frank Rowand Acked-by: Lorenzo Pieralisi Link: https://lore.kernel.org/r/20220824153256.1437483-1-thierry.reding@gmail.com Signed-off-by: Rob Herring Signed-off-by: Greg Kroah-Hartman commit 8fd27239ca92c9d18b495df826570e184eb9eb66 Author: Yang Yingliang Date: Wed Aug 24 17:36:57 2022 +0800 parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() [ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() fails. Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") Signed-off-by: Yang Yingliang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 5f285e4c47c3cd4f6a0eb0c6f33a1b1e979d3628 Author: Stefan Roesch Date: Mon Sep 12 09:53:25 2022 -0700 block: blk_queue_enter() / __bio_queue_enter() must return -EAGAIN for nowait [ Upstream commit 56f99b8d06ef1ed1c9730948f9f05ac2b930a20b ] Today blk_queue_enter() and __bio_queue_enter() return -EBUSY for the nowait code path. This is not correct: they should return -EAGAIN instead. This problem was detected by fio. The following command exposed the above problem: t/io_uring -p0 -d128 -b4096 -s32 -c32 -F1 -B0 -R0 -X1 -n24 -P1 -u1 -O0 /dev/ng0n1 By applying the patch, the retry case is handled correctly in the slow path. Signed-off-by: Stefan Roesch Fixes: bfd343aa1718 ("blk-mq: don't wait in blk_mq_queue_enter() if __GFP_WAIT isn't set") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f86092d12fbbaa928a821faa4286485521251a66 Author: Stuart Menefy Date: Thu Sep 8 16:52:43 2022 +0100 drm/meson: Fix OSD1 RGB to YCbCr coefficient [ Upstream commit 6463d3930ba5b6addcfc8f80a4543976a2fc7656 ] VPP_WRAP_OSD1_MATRIX_COEF22.Coeff22 is documented as being bits 0-12, not 16-28. Without this the output tends to have a pink hue, changing it results in better color accuracy. The vendor kernel doesn't use this register. However the code which sets VIU2_OSD1_MATRIX_COEF22 also uses bits 0-12. There is a slightly different style of registers for configuring some of the other matrices, which do use bits 16-28 for this coefficient, but those have names ending in MATRIX_COEF22_30, and this is not one of those. Signed-off-by: Stuart Menefy Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup") Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220908155243.687143-1-stuart.menefy@mathembedded.com Signed-off-by: Sasha Levin commit d38eb1f37538b252906583ca67cf8a5c5795784d Author: Stuart Menefy Date: Thu Sep 8 16:51:03 2022 +0100 drm/meson: Correct OSD1 global alpha value [ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum value is 0x100 not 0xff. This matches the vendor kernel. Signed-off-by: Stuart Menefy Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") Reviewed-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com Signed-off-by: Sasha Levin commit 89cfddd416bac41ff35f37f928ed3d7fefef908e Author: Pali Rohár Date: Tue Sep 6 12:54:31 2022 +0200 gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx [ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in mpc512x via falling edge type. Do same for mpc85xx which support was added in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). Fixes probing of lm90 hwmon driver on mpc85xx based board which use level interrupt. Without it kernel prints error and refuse lm90 to work: [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) [ 15.267168] lm90 0-004c: cannot request IRQ 49 [ 15.272708] lm90: probe of 0-004c failed with error -22 Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") Signed-off-by: Pali Rohár Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit 9a173db71a99476de9c03affb6616edd5b588c25 Author: Trond Myklebust Date: Thu Aug 25 14:49:05 2022 -0400 NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 [ Upstream commit 2a9d683b48c8a87e61a4215792d44c90bcbbb536 ] The NFSv4.0 protocol only supports open() by name. It cannot therefore be used with open_by_handle() and friends, nor can it be re-exported by knfsd. Reported-by: Chuck Lever III Fixes: 20fa19027286 ("nfs: add export operations") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit cd358b2ee56f5b8187409c11da08decadc933638 Author: Michael Wu Date: Fri Aug 19 10:45:41 2022 +0800 pinctrl: sunxi: Fix name for A100 R_PIO [ Upstream commit 76648c867c6c03b8a468d9c9222025873ecc613d ] The name of A100 R_PIO driver should be sun50i-a100-r-pinctrl, not sun50iw10p1-r-pinctrl. Fixes: 473436e7647d6 ("pinctrl: sunxi: add support for the Allwinner A100 pin controller") Signed-off-by: Michael Wu Acked-by: Samuel Holland Link: https://lore.kernel.org/r/20220819024541.74191-1-michael@allwinnertech.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit ca2b798e53d46efa45ea1ba80856fe369fa34402 Author: João H. Spies Date: Mon Aug 8 02:51:20 2022 +0000 pinctrl: rockchip: Enhance support for IRQ_TYPE_EDGE_BOTH [ Upstream commit b871656aa4f54e04207f62bdd0d7572be1d86b36 ] Switching between falling/rising edges for IRQ_TYPE_EDGE_BOTH on pins that require debounce can cause the device to lose events due to a desync between pin state and irq type. This problem is resolved by switching between IRQ_TYPE_LEVEL_LOW and IRQ_TYPE_LEVEL_HIGH instead. Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") Signed-off-by: João H. Spies Link: https://lore.kernel.org/r/20220808025121.110223-1-jhlspies@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 30fccb4fe449edc04c22e9600d69649eb4eebe22 Author: Molly Sophia Date: Sun Aug 7 20:26:45 2022 +0800 pinctrl: qcom: sc8180x: Fix wrong pin numbers [ Upstream commit 48ec73395887694f13c9452b4dcfb43710451757 ] The pin numbers for UFS_RESET and SDC2_* are not consistent in the pinctrl driver for sc8180x. So fix it. Signed-off-by: Molly Sophia Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver") Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220807122645.13830-3-mollysophia379@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit cbafdbb6f6cef80c550ee9da709d19b1b31b3080 Author: Molly Sophia Date: Sun Aug 7 20:26:44 2022 +0800 pinctrl: qcom: sc8180x: Fix gpio_wakeirq_map [ Upstream commit 6124cec530c7d8faab96d340ab2df5161e5d1c8a ] Currently in the wakeirq_map, gpio36 and gpio37 have the same wakeirq number, resulting in gpio37 being unable to trigger interrupts. It looks like that this is a typo in the wakeirq map. So fix it. Signed-off-by: Molly Sophia Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver") Tested-by: Bjorn Andersson Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220807122645.13830-2-mollysophia379@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit ba6b9f7cc1108bad6e2c53b1d6e0156379188db7 Author: Sergey Shtylyov Date: Sat Aug 13 23:34:16 2022 +0300 of: fdt: fix off-by-one error in unflatten_dt_nodes() [ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") Signed-off-by: Sergey Shtylyov Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru Signed-off-by: Sasha Levin commit c23065adf97f0931f7752c95184c7e8c17f3021f Author: Sergiu Moga Date: Wed Aug 24 17:29:03 2022 +0300 tty: serial: atmel: Preserve previous USART mode if RS485 disabled [ Upstream commit 692a8ebcfc24f4a5bea0eb2967e450f584193da6 ] Whenever the atmel_rs485_config() driver method would be called, the USART mode is reset to normal mode before even checking if RS485 flag is set, thus resulting in losing the previous USART mode in the case where the checking fails. Some tools, such as `linux-serial-test`, lead to the driver calling this method when doing the setup of the serial port: after setting the port mode (Hardware Flow Control, Normal Mode, RS485 Mode, etc.), `linux-serial-test` tries to enable/disable RS485 depending on the commandline arguments that were passed. Example of how this issue could reveal itself: When doing a serial communication with Hardware Flow Control through `linux-serial-test`, the tool would lead to the driver roughly doing the following: - set the corresponding bit to 1 (ATMEL_US_USMODE_HWHS bit in the ATMEL_US_MR register) through the atmel_set_termios() to enable Hardware Flow Control - disable RS485 through the atmel_config_rs485() method Thus, when the latter is called, the mode will be reset and the previously set bit is unset, leaving USART in normal mode instead of the expected Hardware Flow Control mode. This fix ensures that this reset is only done if the checking for RS485 succeeds and that the previous mode is preserved otherwise. Fixes: e8faff7330a35 ("ARM: 6092/1: atmel_serial: support for RS485 communications") Cc: stable Reviewed-by: Ilpo Järvinen Signed-off-by: Sergiu Moga Link: https://lore.kernel.org/r/20220824142902.502596-1-sergiu.moga@microchip.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1d01d7beccba1a5270cfd4570107819a5bf4e009 Author: Lino Sanfilippo Date: Sun Apr 10 12:46:42 2022 +0200 serial: atmel: remove redundant assignment in rs485_config [ Upstream commit 60efd0513916f195dd85bfbf21653f74f9ab019c ] In uart_set_rs485_config() the serial core already assigns the passed serial_rs485 struct to the uart port. So remove the assignment from the drivers rs485_config() function to avoid redundancy. Reviewed-by: Claudiu Beznea Acked-by: Richard Genoud Signed-off-by: Lino Sanfilippo Link: https://lore.kernel.org/r/20220410104642.32195-10-LinoSanfilippo@gmx.de Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 692a8ebcfc24 ("tty: serial: atmel: Preserve previous USART mode if RS485 disabled") Signed-off-by: Sasha Levin commit f3450c33411b0c1936623d0a52ae16f547db4bad Author: YueHaibing Date: Sat Mar 5 20:32:00 2022 +0800 drm/tegra: vic: Fix build warning when CONFIG_PM=n [ Upstream commit b5d5288a46876f6767950449aea310f71ac86277 ] drivers/gpu/drm/tegra/vic.c:326:12: error: ‘vic_runtime_suspend’ defined but not used [-Werror=unused-function] static int vic_runtime_suspend(struct device *dev) ^~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/tegra/vic.c:292:12: error: ‘vic_runtime_resume’ defined but not used [-Werror=unused-function] static int vic_runtime_resume(struct device *dev) ^~~~~~~~~~~~~~~~~~ Mark it as __maybe_unused. Signed-off-by: YueHaibing Signed-off-by: Thierry Reding Stable-dep-of: c7860cbee998 ("drm/tegra: Fix vmapping of prime buffers") Signed-off-by: Sasha Levin