1. 12 Dec, 2022 3 commits
    • Rafael J. Wysocki's avatar
      Merge branches 'acpi-pm', 'acpi-processor', 'acpi-ec' and 'acpi-video' · 6f158181
      Rafael J. Wysocki authored
      Make ACPI power management changes, ACPI processor driver updates, ACPI
      EC driver quirk and ACPI backlight driver updates for 6.2-rc1:
      
       - Print full name paths of ACPI power resources objects during
         enumeration (Kane Chen).
      
       - Eliminate a compiler warning regarding a missing function prototype
         in the ACPI power management code (Sudeep Holla).
      
       - Fix and clean up the ACPI processor driver (Rafael Wysocki, Li Zhong,
         Colin Ian King, Sudeep Holla).
      
       - Add quirk for the HP Pavilion Gaming 15-cx0041ur to the ACPI EC
         driver (Mia Kanashi).
      
       - Add some mew ACPI backlight handling quirks and update some existing
         ones (Hans de Goede).
      
       - Make the ACPI backlight driver prefer the native backlight control
         over vendor backlight control when possible (Hans de Goede).
      
      * acpi-pm:
        ACPI: PM: Silence missing prototype warning
        ACPI: PM: Print full name path while adding power resource
      
      * acpi-processor:
        ACPI: processor: perflib: Adjust acpi_processor_notify_smm() return value
        ACPI: processor: perflib: Rearrange acpi_processor_notify_smm()
        ACPI: processor: perflib: Rearrange unregistration routine
        ACPI: processor: perflib: Drop redundant parentheses
        ACPI: processor: perflib: Adjust white space
        ACPI: processor: idle: Drop unnecessary statements and parens
        ACPI: processor: Silence missing prototype warnings
        ACPI: processor_idle: Silence missing prototype warnings
        ACPI: processor: throttling: remove variable count
        ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
      
      * acpi-ec:
        ACPI: EC: Add quirk for the HP Pavilion Gaming 15-cx0041ur
      
      * acpi-video:
        ACPI: video: Prefer native over vendor
        ACPI: video: Simplify __acpi_video_get_backlight_type()
        ACPI: video: Add force_native quirk for Sony Vaio VPCY11S1E
        ACPI: video: Add force_vendor quirk for Sony Vaio PCG-FRV35
        ACPI: video: Change Sony Vaio VPCEH3U1E quirk to force_native
        ACPI: video: Change GIGABYTE GB-BXBT-2807 quirk to force_none
        ACPI: video: Add a few bugtracker links to DMI quirks
      6f158181
    • Rafael J. Wysocki's avatar
      Merge branches 'acpi-scan', 'acpi-bus', 'acpi-tables' and 'acpi-sysfs' · 45494d77
      Rafael J. Wysocki authored
      Merge ACPI changes related to device enumeration, device object
      managenet, operation region handling, table parsing and sysfs
      interface:
      
       - Use ZERO_PAGE(0) instead of empty_zero_page in the ACPI device
         enumeration code (Giulio Benetti).
      
       - Change the return type of the ACPI driver remove callback to void and
         update its users accordingly (Dawei Li).
      
       - Add general support for FFH address space type and implement the low-
         level part of it for ARM64 (Sudeep Holla).
      
       - Fix stale comments in the ACPI tables parsing code and make it print
         more messages related to MADT (Hanjun Guo, Huacai Chen).
      
       - Replace invocations of generic library functions with more kernel-
         specific counterparts in the ACPI sysfs interface (Christophe JAILLET,
         Xu Panda).
      
      * acpi-scan:
        ACPI: scan: substitute empty_zero_page with helper ZERO_PAGE(0)
      
      * acpi-bus:
        ACPI: FFH: Silence missing prototype warnings
        ACPI: make remove callback of ACPI driver void
        ACPI: bus: Fix the _OSC capability check for FFH OpRegion
        arm64: Add architecture specific ACPI FFH Opregion callbacks
        ACPI: Implement a generic FFH Opregion handler
      
      * acpi-tables:
        ACPI: tables: Fix the stale comments for acpi_locate_initial_tables()
        ACPI: tables: Print CORE_PIC information when MADT is parsed
      
      * acpi-sysfs:
        ACPI: sysfs: use sysfs_emit() to instead of scnprintf()
        ACPI: sysfs: Use kstrtobool() instead of strtobool()
      45494d77
    • Rafael J. Wysocki's avatar
      Merge branch 'acpica' · 888bc86e
      Rafael J. Wysocki authored
      Merge ACPICA changes, including bug fixes and cleanups as well as support
      for some recently defined data structures, for 6.2-rc1:
      
       - Make acpi_ex_load_op() match upstream implementation (Rafael Wysocki).
       - Add support for loong_arch-specific APICs in MADT (Huacai Chen).
       - Add support for fixed PCIe wake event (Huacai Chen).
       - Add EBDA pointer sanity checks (Vit Kabele).
       - Avoid accessing VGA memory when EBDA < 1KiB (Vit Kabele).
       - Add CCEL table support to both compiler/disassembler (Kuppuswamy
         Sathyanarayanan).
       - Add a couple of new UUIDs to the known UUID list (Bob Moore).
       - Add support for FFH Opregion special context data (Sudeep Holla).
       - Improve warning message for "invalid ACPI name" (Bob Moore).
       - Add support for CXL 3.0 structures (CXIMS & RDPAS) in the CEDT table
         (Alison Schofield).
       - Prepare IORT support for revision E.e (Robin Murphy).
       - Finish support for the CDAT table (Bob Moore).
       - Fix error code path in acpi_ds_call_control_method() (Rafael Wysocki).
       - Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() (Li Zetao).
       - Update the version of the ACPICA code in the kernel (Bob Moore).
      
      * acpica:
        ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
        ACPICA: Fix error code path in acpi_ds_call_control_method()
        ACPICA: Update version to 20221020
        ACPICA: Add utcksum.o to the acpidump Makefile
        Revert "LoongArch: Provisionally add ACPICA data structures"
        ACPICA: Finish support for the CDAT table
        ACPICA: IORT: Update for revision E.e
        ACPICA: Add CXL 3.0 structures (CXIMS & RDPAS) to the CEDT table
        ACPICA: Improve warning message for "invalid ACPI name"
        ACPICA: Add support for FFH Opregion special context data
        ACPICA: Add a couple of new UUIDs to the known UUID list
        ACPICA: iASL: Add CCEL table to both compiler/disassembler
        ACPICA: Do not touch VGA memory when EBDA < 1ki_b
        ACPICA: Check that EBDA pointer is in valid memory
        ACPICA: Events: Support fixed PCIe wake event
        ACPICA: MADT: Add loong_arch-specific APICs support
        ACPICA: Make acpi_ex_load_op() match upstream
      888bc86e
  2. 07 Dec, 2022 7 commits
  3. 04 Dec, 2022 7 commits
  4. 03 Dec, 2022 5 commits
    • Linus Torvalds's avatar
      Merge tag 'i2c-for-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · c2bf05db
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "A power state fix in the core for ACPI devices, a regression fix
        regarding bus recovery for the cadence driver, a DMA handling fix for
        the imx driver, and two error path fixes (npcm7xx and qcom-geni)"
      
      * tag 'i2c-for-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set
        i2c: qcom-geni: fix error return code in geni_i2c_gpi_xfer
        i2c: cadence: Fix regression with bus recovery
        i2c: Restore initial power state if probe fails
        i2c: npcm7xx: Fix error handling in npcm_i2c_init()
      c2bf05db
    • Linus Torvalds's avatar
      Merge tag 'dax-fixes-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 6085bc95
      Linus Torvalds authored
      Pull dax fixes from Dan Williams:
       "A few bug fixes around the handling of "Soft Reserved" memory and
        memory tiering information.
      
        Linux is starting to enounter more real world systems that deploy an
        ACPI HMAT to describe different performance classes of memory, as well
        the "special purpose" (Linux "Soft Reserved") designation from EFI.
      
        These fixes result from that testing.
      
        It has all appeared in -next for a while with no known issues.
      
         - Fix duplicate overlapping device-dax instances for HMAT described
           "Soft Reserved" Memory
      
         - Fix missing node targets in the sysfs representation of memory
           tiers
      
         - Remove a confusing variable initialization"
      
      * tag 'dax-fixes-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        device-dax: Fix duplicate 'hmem' device registration
        ACPI: HMAT: Fix initiator registration for single-initiator systems
        ACPI: HMAT: remove unnecessary variable initialization
      6085bc95
    • Linus Torvalds's avatar
      Merge tag 'block-6.1-2022-12-02' of git://git.kernel.dk/linux · 97ee9d1c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Just a small NVMe merge for this week, fixing protection of the name
        space list, and a missing clear of a reserved field when unused"
      
      * tag 'block-6.1-2022-12-02' of git://git.kernel.dk/linux:
        nvme: fix SRCU protection of nvme_ns_head list
        nvme-pci: clear the prp2 field when not used
      97ee9d1c
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 63050a5c
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Three driver fixes. The Intel fix looks like the most important.
      
         - Fix a potential divide by zero in pinctrl-singe (OMAP and
           HiSilicon)
      
         - Disable IRQs on startup in the Mediatek driver. This is a classic,
           we should be looking out for this more.
      
         - Save and restore pins in 'direct IRQ' mode in the Intel driver,
           this works around firmware bugs"
      
      * tag 'pinctrl-v6.1-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: intel: Save and restore pins in "direct IRQ" mode
        pinctrl: meditatek: Startup with the IRQs disabled
        pinctrl: single: Fix potential division by zero
      63050a5c
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 0e15c3c7
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - build fix for the NR_CPUS Kconfig SBI version dependency
      
       - fixes to early memory initialization, to fix page permissions in EFI
         and post-initmem-free
      
       - build fix for the VDSO, to avoid trying to profile the VDSO functions
      
       - fixes for kexec crash handling, to fix multi-core and interrupt
         related initialization inside the crash kernel
      
       - fix for a race condition when handling multiple concurrect kernel
         stack overflows
      
      * tag 'riscv-for-linus-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: kexec: Fixup crash_smp_send_stop without multi cores
        riscv: kexec: Fixup irq controller broken in kexec crash path
        riscv: mm: Proper page permissions after initmem free
        riscv: vdso: fix section overlapping under some conditions
        riscv: fix race when vmap stack overflow
        riscv: Sync efi page table's kernel mappings before switching
        riscv: Fix NR_CPUS range conditions
      0e15c3c7
  5. 02 Dec, 2022 14 commits
    • Linus Torvalds's avatar
      Merge tag 'mmc-v6.1-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 2df2adc3
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix ambiguous TRIM and DISCARD args
         - Fix removal of debugfs file for mmc_test
      
        MMC host:
         - mtk-sd: Add missing clk_disable_unprepare() in an error path
         - sdhci: Fix I/O voltage switch delay for UHS-I SD cards
         - sdhci-esdhc-imx: Fix CQHCI exit halt state check
         - sdhci-sprd: Fix voltage switch"
      
      * tag 'mmc-v6.1-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-sprd: Fix no reset data and command after voltage switch
        mmc: sdhci: Fix voltage switch delay
        mmc: mtk-sd: Fix missing clk_disable_unprepare in msdc_of_clock_parse()
        mmc: mmc_test: Fix removal of debugfs file
        mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check
        mmc: core: Fix ambiguous TRIM and DISCARD arg
      2df2adc3
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · f66f62f8
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
       "Intel VT-d fixes:
      
         - IO/TLB flush fix
      
         - Various pci_dev refcount fixes"
      
      * tag 'iommu-fixes-v6.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
        iommu/vt-d: Fix PCI device refcount leak in has_external_pci()
        iommu/vt-d: Fix PCI device refcount leak in prq_event_thread()
        iommu/vt-d: Add a fix for devices need extra dtlb flush
      f66f62f8
    • Pawan Gupta's avatar
      x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3 · 66065157
      Pawan Gupta authored
      The "force" argument to write_spec_ctrl_current() is currently ambiguous
      as it does not guarantee the MSR write. This is due to the optimization
      that writes to the MSR happen only when the new value differs from the
      cached value.
      
      This is fine in most cases, but breaks for S3 resume when the cached MSR
      value gets out of sync with the hardware MSR value due to S3 resetting
      it.
      
      When x86_spec_ctrl_current is same as x86_spec_ctrl_base, the MSR write
      is skipped. Which results in SPEC_CTRL mitigations not getting restored.
      
      Move the MSR write from write_spec_ctrl_current() to a new function that
      unconditionally writes to the MSR. Update the callers accordingly and
      rename functions.
      
        [ bp: Rework a bit. ]
      
      Fixes: caa0ff24 ("x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value")
      Suggested-by: default avatarBorislav Petkov <bp@alien8.de>
      Signed-off-by: default avatarPawan Gupta <pawan.kumar.gupta@linux.intel.com>
      Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
      Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: <stable@kernel.org>
      Link: https://lore.kernel.org/r/806d39b0bfec2fe8f50dc5446dff20f5bb24a959.1669821572.git.pawan.kumar.gupta@linux.intel.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      66065157
    • Zhang Xiaoxu's avatar
      Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() · 8c9a5993
      Zhang Xiaoxu authored
      There is a kmemleak when test the raydium_i2c_ts with bpf mock device:
      
        unreferenced object 0xffff88812d3675a0 (size 8):
          comm "python3", pid 349, jiffies 4294741067 (age 95.695s)
          hex dump (first 8 bytes):
            11 0e 10 c0 01 00 04 00                          ........
          backtrace:
            [<0000000068427125>] __kmalloc+0x46/0x1b0
            [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
            [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]
            [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
            [<00000000a310de16>] i2c_device_probe+0x651/0x680
            [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
            [<00000000096ba499>] __driver_probe_device+0xe3/0x170
            [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
            [<00000000264fe082>] __device_attach_driver+0xf7/0x150
            [<00000000f919423c>] bus_for_each_drv+0x114/0x180
            [<00000000e067feca>] __device_attach+0x1e5/0x2d0
            [<0000000054301fc2>] bus_probe_device+0x126/0x140
            [<00000000aad93b22>] device_add+0x810/0x1130
            [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
            [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
            [<00000000ffec4177>] of_i2c_notify+0x100/0x160
        unreferenced object 0xffff88812d3675c8 (size 8):
          comm "python3", pid 349, jiffies 4294741070 (age 95.692s)
          hex dump (first 8 bytes):
            22 00 36 2d 81 88 ff ff                          ".6-....
          backtrace:
            [<0000000068427125>] __kmalloc+0x46/0x1b0
            [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
            [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]
            [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
            [<00000000a310de16>] i2c_device_probe+0x651/0x680
            [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
            [<00000000096ba499>] __driver_probe_device+0xe3/0x170
            [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
            [<00000000264fe082>] __device_attach_driver+0xf7/0x150
            [<00000000f919423c>] bus_for_each_drv+0x114/0x180
            [<00000000e067feca>] __device_attach+0x1e5/0x2d0
            [<0000000054301fc2>] bus_probe_device+0x126/0x140
            [<00000000aad93b22>] device_add+0x810/0x1130
            [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
            [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
            [<00000000ffec4177>] of_i2c_notify+0x100/0x160
      
      After BANK_SWITCH command from i2c BUS, no matter success or error
      happened, the tx_buf should be freed.
      
      Fixes: 3b384bd6 ("Input: raydium_ts_i2c - do not split tx transactions")
      Signed-off-by: default avatarZhang Xiaoxu <zhangxiaoxu5@huawei.com>
      Link: https://lore.kernel.org/r/20221202103412.2120169-1-zhangxiaoxu5@huawei.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      8c9a5993
    • Linus Torvalds's avatar
      Merge tag 'sound-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · a1e9185d
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Likely the last piece for 6.1; the only significant fixes are ASoC
        core ops fixes, while others are device-specific (rather minor) fixes
        in ASoC and FireWire drivers.
      
        All appear safe enough to take as a late stage material"
      
      * tag 'sound-6.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: dice: fix regression for Lexicon I-ONIX FW810S
        ASoC: cs42l51: Correct PGA Volume minimum value
        ASoC: ops: Correct bounds check for second channel on SX controls
        ASoC: tlv320adc3xxx: Fix build error for implicit function declaration
        ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
        ASoC: ops: Fix bounds check for _sx controls
        ASoC: fsl_micfil: explicitly clear CHnF flags
        ASoC: fsl_micfil: explicitly clear software reset bit
      a1e9185d
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2022-12-02' of git://anongit.freedesktop.org/drm/drm · c290db01
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Things do seem to have finally settled down, just four i915 and one
        amdgpu this week. Probably won't have much for next week if you do
        push rc8 out.
      
        i915:
         - Fix dram info readout
         - Remove non-existent pipes from bigjoiner pipe mask
         - Fix negative value passed as remaining time
         - Never return 0 if not all requests retired
      
        amdgpu:
         - VCN fix for vangogh"
      
      * tag 'drm-fixes-2022-12-02' of git://anongit.freedesktop.org/drm/drm:
        drm/amdgpu: enable Vangogh VCN indirect sram mode
        drm/i915: Never return 0 if not all requests retired
        drm/i915: Fix negative value passed as remaining time
        drm/i915: Remove non-existent pipes from bigjoiner pipe mask
        drm/i915/mtl: Fix dram info readout
      c290db01
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2022-12-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm · bdaa78c6
      Linus Torvalds authored
      Pull misc hotfixes from Andrew Morton:
       "15 hotfixes,  11 marked cc:stable.
      
        Only three or four of the latter address post-6.0 issues, which is
        hopefully a sign that things are converging"
      
      * tag 'mm-hotfixes-stable-2022-12-02' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        revert "kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible"
        Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled
        drm/amdgpu: temporarily disable broken Clang builds due to blown stack-frame
        mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
        mm/khugepaged: fix GUP-fast interaction by sending IPI
        mm/khugepaged: take the right locks for page table retraction
        mm: migrate: fix THP's mapcount on isolation
        mm: introduce arch_has_hw_nonleaf_pmd_young()
        mm: add dummy pmd_young() for architectures not having it
        mm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damon_sysfs_set_schemes()
        tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep"
        nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
        hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing
        madvise: use zap_page_range_single for madvise dontneed
        mm: replace VM_WARN_ON to pr_warn if the node is offline with __GFP_THISNODE
      bdaa78c6
    • Linus Torvalds's avatar
      v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails · 6647e76a
      Linus Torvalds authored
      The V4L2_MEMORY_USERPTR interface is long deprecated and shouldn't be
      used (and is discouraged for any modern v4l drivers).  And Seth Jenkins
      points out that the fallback to VM_PFNMAP/VM_IO is fundamentally racy
      and dangerous.
      
      Note that it's not even a case that should trigger, since any normal
      user pointer logic ends up just using the pin_user_pages_fast() call
      that does the proper page reference counting.  That's not the problem
      case, only if you try to use special device mappings do you have any
      issues.
      
      Normally I'd just remove this during the merge window, but since Seth
      pointed out the problem cases, we really want to know as soon as
      possible if there are actually any users of this odd special case of a
      legacy interface.  Neither Hans nor Mauro seem to think that such
      mis-uses of the old legacy interface should exist.  As Mauro says:
      
       "See, V4L2 has actually 4 streaming APIs:
              - Kernel-allocated mmap (usually referred simply as just mmap);
              - USERPTR mmap;
              - read();
              - dmabuf;
      
        The USERPTR is one of the oldest way to use it, coming from V4L
        version 1 times, and by far the least used one"
      
      And Hans chimed in on the USERPTR interface:
      
       "To be honest, I wouldn't mind if it goes away completely, but that's a
        bit of a pipe dream right now"
      
      but while removing this legacy interface entirely may be a pipe dream we
      can at least try to remove the unlikely (and actively broken) case of
      using special device mappings for USERPTR accesses.
      
      This replaces it with a WARN_ONCE() that we can remove once we've
      hopefully confirmed that no actual users exist.
      
      NOTE! Longer term, this means that a 'struct frame_vector' only ever
      contains proper page pointers, and all the games we have with converting
      them to pages can go away (grep for 'frame_vector_to_pages()' and the
      uses of 'vec->is_pfns').  But this is just the first step, to verify
      that this code really is all dead, and do so as quickly as possible.
      Reported-by: default avatarSeth Jenkins <sethjenkins@google.com>
      Acked-by: default avatarHans Verkuil <hverkuil@xs4all.nl>
      Acked-by: default avatarMauro Carvalho Chehab <mchehab@kernel.org>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      6647e76a
    • Li Zetao's avatar
      ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() · 470188b0
      Li Zetao authored
      There is an use-after-free reported by KASAN:
      
        BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
        Read of size 1 at addr ffff888112afc460 by task modprobe/2111
        CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
        Call Trace:
         <TASK>
         kasan_report+0xae/0xe0
         acpi_ut_remove_reference+0x3b/0x82
         acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
         acpi_ds_store_object_to_local+0x15d/0x3a0
         acpi_ex_store+0x78d/0x7fd
         acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
         acpi_ps_parse_aml+0x217/0x8d5
         ...
         </TASK>
      
      The root cause of the problem is that the acpi_operand_object
      is freed when acpi_ut_walk_package_tree() fails in
      acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in
      acpi_ut_copy_iobject_to_iobject(). The problem was introduced
      by "8aa5e56e" commit, this commit is to fix memory leak in
      acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove
      operation, lead to "acpi_operand_object" used after free.
      
      Fix it by removing acpi_ut_remove_reference() in
      acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
      is called to copy an internal package object into another internal
      package object, when it fails, the memory of acpi_operand_object
      should be freed by the caller.
      
      Fixes: 8aa5e56e ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
      Signed-off-by: default avatarLi Zetao <lizetao1@huawei.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      470188b0
    • Jens Axboe's avatar
      Merge tag 'nvme-6.1-2022-01-02' of git://git.infradead.org/nvme into block-6.1 · d0f411c0
      Jens Axboe authored
      Pull NVMe fixes from Christoph:
      
      "nvme fixes for Linux 6.1
      
       - fix SRCU protection of nvme_ns_head list (Caleb Sander)
       - clear the prp2 field when not used (Lei Rao)"
      
      * tag 'nvme-6.1-2022-01-02' of git://git.infradead.org/nvme:
        nvme: fix SRCU protection of nvme_ns_head list
        nvme-pci: clear the prp2 field when not used
      d0f411c0
    • Xiongfeng Wang's avatar
      iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() · 4bedbbd7
      Xiongfeng Wang authored
      for_each_pci_dev() is implemented by pci_get_device(). The comment of
      pci_get_device() says that it will increase the reference count for the
      returned pci_dev and also decrease the reference count for the input
      pci_dev @from if it is not NULL.
      
      If we break for_each_pci_dev() loop with pdev not NULL, we need to call
      pci_dev_put() to decrease the reference count. Add the missing
      pci_dev_put() for the error path to avoid reference count leak.
      
      Fixes: 2e455289 ("iommu/vt-d: Unify the way to process DMAR device scope array")
      Signed-off-by: default avatarXiongfeng Wang <wangxiongfeng2@huawei.com>
      Link: https://lore.kernel.org/r/20221121113649.190393-3-wangxiongfeng2@huawei.comSigned-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      4bedbbd7
    • Xiongfeng Wang's avatar
      iommu/vt-d: Fix PCI device refcount leak in has_external_pci() · afca9e19
      Xiongfeng Wang authored
      for_each_pci_dev() is implemented by pci_get_device(). The comment of
      pci_get_device() says that it will increase the reference count for the
      returned pci_dev and also decrease the reference count for the input
      pci_dev @from if it is not NULL.
      
      If we break for_each_pci_dev() loop with pdev not NULL, we need to call
      pci_dev_put() to decrease the reference count. Add the missing
      pci_dev_put() before 'return true' to avoid reference count leak.
      
      Fixes: 89a6079d ("iommu/vt-d: Force IOMMU on for platform opt in hint")
      Signed-off-by: default avatarXiongfeng Wang <wangxiongfeng2@huawei.com>
      Link: https://lore.kernel.org/r/20221121113649.190393-2-wangxiongfeng2@huawei.comSigned-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      afca9e19
    • Yang Yingliang's avatar
      iommu/vt-d: Fix PCI device refcount leak in prq_event_thread() · 6927d352
      Yang Yingliang authored
      As comment of pci_get_domain_bus_and_slot() says, it returns a pci device
      with refcount increment, when finish using it, the caller must decrease
      the reference count by calling pci_dev_put(). So call pci_dev_put() after
      using the 'pdev' to avoid refcount leak.
      
      Besides, if the 'pdev' is null or intel_svm_prq_report() returns error,
      there is no need to trace this fault.
      
      Fixes: 06f4b8d0 ("iommu/vt-d: Remove unnecessary SVA data accesses in page fault path")
      Suggested-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Link: https://lore.kernel.org/r/20221119144028.2452731-1-yangyingliang@huawei.comSigned-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      6927d352
    • Jacob Pan's avatar
      iommu/vt-d: Add a fix for devices need extra dtlb flush · e65a6897
      Jacob Pan authored
      QAT devices on Intel Sapphire Rapids and Emerald Rapids have a defect in
      address translation service (ATS). These devices may inadvertently issue
      ATS invalidation completion before posted writes initiated with
      translated address that utilized translations matching the invalidation
      address range, violating the invalidation completion ordering.
      
      This patch adds an extra device TLB invalidation for the affected devices,
      it is needed to ensure no more posted writes with translated address
      following the invalidation completion. Therefore, the ordering is
      preserved and data-corruption is prevented.
      
      Device TLBs are invalidated under the following six conditions:
      1. Device driver does DMA API unmap IOVA
      2. Device driver unbind a PASID from a process, sva_unbind_device()
      3. PASID is torn down, after PASID cache is flushed. e.g. process
      exit_mmap() due to crash
      4. Under SVA usage, called by mmu_notifier.invalidate_range() where
      VM has to free pages that were unmapped
      5. userspace driver unmaps a DMA buffer
      6. Cache invalidation in vSVA usage (upcoming)
      
      For #1 and #2, device drivers are responsible for stopping DMA traffic
      before unmap/unbind. For #3, iommu driver gets mmu_notifier to
      invalidate TLB the same way as normal user unmap which will do an extra
      invalidation. The dTLB invalidation after PASID cache flush does not
      need an extra invalidation.
      
      Therefore, we only need to deal with #4 and #5 in this patch. #1 is also
      covered by this patch due to common code path with #5.
      Tested-by: default avatarYuzhang Luo <yuzhang.luo@intel.com>
      Reviewed-by: default avatarAshok Raj <ashok.raj@intel.com>
      Reviewed-by: default avatarKevin Tian <kevin.tian@intel.com>
      Signed-off-by: default avatarJacob Pan <jacob.jun.pan@linux.intel.com>
      Link: https://lore.kernel.org/r/20221130062449.1360063-1-jacob.jun.pan@linux.intel.comSigned-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      e65a6897
  6. 01 Dec, 2022 4 commits