AgeCommit message (Collapse)Author
8 daysarm64: dts: imx8mp-verdin: fix ctrl_sleep_mocitoradex_5.4-2.3.x-imxMax Krummenacher
The GPIO signaling ctrl_sleep_moci is currently handled as a gpio hog. But the gpio-hog node is made a child of the wrong gpio controller. Move it to the node representing gpio4 so that it actually works. Without this carrier board components jumpered to use the signal are unconditionally switched off. Fixes: 1d8df9c74bff ("arm64: dts: freescale: add initial support for verdin imx8m plus") Upstream-status: Submitted [] Signed-off-by: Max Krummenacher <>
2022-08-29arm64: dts: imx8mm-verdin: add yavia carrier boardAishwarya Kothari
Add device tree files for the Verdin Yavia carrier board mated with Verdin iMX8M Mini SoM. Signed-off-by: Aishwarya Kothari <>
2022-08-26arm64: dts: imx8mp-verdin: add yavia carrier boardAishwarya Kothari
Add device tree files for the Verdin Yavia carrier board mated with Verdin iMX8M Plus SoM. Signed-off-by: Aishwarya Kothari <>
2022-08-23arm64: imx8x-colibri: fix default rtcAishwarya Kothari
On the iris-v2 board, the external battery operated RTC is now mapped to /dev/rtc0 and because of this the clock setup works as expected. Signed-off-by: Aishwarya Kothari <>
2022-07-11arm64: dts: apalis-imx8: enable CAN on Ixora v1.1Andrejs Cainikovs
Both CAN controllers on Ixora v1.1 were left disabled for some reason, even though these are present on both Ixora v1.1 and v1.2. Lets align this and have enabled all existing CAN controllers on all Ixora variants. Signed-off-by: Andrejs Cainikovs <>
2022-07-06arm64: dts: apalis-imx8: add sd card sleep stateAndrejs Cainikovs
This adds SD card sleep state and relevant pinmux configuration for Apalis iMX8 boards. Pins for sleep state are configured for pull-disable, except card detect pin which is always pull-up. Signed-off-by: Andrejs Cainikovs <>
2022-06-29ARM: dts: colibri-imx6ull: fix snvs pinmux groupMax Krummenacher
A pin controlled by the iomuxc-snvs pin controller must be specified under the dtb's iomuxc-snvs node. Move the one and only pin of that category from the iomuxc node and set the pinctrl-0 using it accordingly. Signed-off-by: Max Krummenacher <>
2022-06-28mxc_lcdif.c: add additonal LCD timingsMax Krummenacher
[ commit 20ab378e5462c4e9b4703264d143d3aeb9882023 on toradex_4.14-2.3.x-imx ] FusionF10A: 1024x600, used with external parallel to LVDS converter FusionF07A: 800x480 EDT-VGA: 640x480 EDT-480x272: 480x272 Signed-off-by: Max Krummenacher <> Acked-by: Marcel Ziswiler <> [ps: forward port from toradex_4.14-2.3.x-imx] Signed-off-by: Philippe Schenker <>
2022-06-24ASoC: sgtl5000: Fix noise on shutdown/removeFrancesco Dolcini
Put the SGTL5000 in a silent/safe state on shutdown/remove, this is required since the SGTL5000 produces a constant noise on its output after it is configured and its clock is removed. Without this change this is happening every time the module is unbound/removed or from reboot till the clock is enabled again. The issue was experienced on both a Toradex Colibri/Apalis iMX6, but can be easily reproduced everywhere just playing something on the codec and after that removing/unbinding the driver. Fixes: 9b34e6cc3bc2 ("ASoC: Add Freescale SGTL5000 codec support") Signed-off-by: Francesco Dolcini <>
2022-06-23arm64: dts: apalis-imx8: pin config for ixora ledsAndrejs Cainikovs
Ixora board has external resistors on LED_4_* and LED_5_*. Pins which are driving these LEDs should have no pull. Also, configure LED pins for input/output. Signed-off-by: Andrejs Cainikovs <>
2022-06-23arm64: dts: apalis-imx8: no pull on ixora card cdAndrejs Cainikovs
Pull configuration should be set as pull-disabled for SD card CD# pin, as it already has an external pull-up. Signed-off-by: Andrejs Cainikovs <>
2022-06-23arm64: dts: apalis-imx8: remove ixora sdcard sleepAndrejs Cainikovs
Remove sleep state from SD card pinmux configuration. Signed-off-by: Andrejs Cainikovs <>
2022-06-23arm64: dts: apalis-imx8: ixora sd card is 4-bitAndrejs Cainikovs
Ixora board v1.1 MicroSD card is 4-bit wide, same as v1.2. This change leaves data pins 4-7 not configured, so that these can be used for other purposes. Signed-off-by: Andrejs Cainikovs <>
2022-06-23arm64: dts: apalis-imx8: fix ixora pinmux configAndrejs Cainikovs
This fixes Ixora pinmux configuration, which should be defined within apalis-imx8qm block. Signed-off-by: Andrejs Cainikovs <>
2022-06-22arm64: dts: imx8m{m,p}-verdin: use IT temperaturesPhilippe Schenker
Use IT temperature threshold for critical/passive trip point on Verdin iMX8M Plus and Mini. Signed-off-by: Philippe Schenker <> Reviewed-by: Francesco Dolcini <>
2022-06-13ARM: dts: imx7d-colibri: Move usdhc1-cd-slp definition to iomuxc_lpsrRafael Beims
The usdhc1-cd-slp-grp node in the device tree is making use of PAD_LPSR definitions and these definitions are not compatible with the iomuxc node. Because of that, instead of setting up GPIO1_IO00 this group is setting up the registers for GPIO1_IO15. Moving the group to the iomuxc_lpsr node makes the setup for the correct pin and also makes GPIO1_IO15 available again as a standard GPIO. Relates-to: ELB-4525 Signed-off-by: Rafael Beims <>
2022-05-24mwifiex: Add SD8997 SDIO-UART firmwareAndrejs Cainikovs
commit 562354ab9f0aa4fcd8f2184506dcb9c18a792182 upstream. With a recent change now it is possible to detect the strapping option on SD8997, which allows to pick up a correct firmware for either SDIO-SDIO or SDIO-UART. This commit enables SDIO-UART firmware on SD8997. Signed-off-by: Andrejs Cainikovs <> Signed-off-by: Kalle Valo <> Link:
2022-05-24mwifiex: Select firmware based on strappingAndrejs Cainikovs
commit 255ca28a659d3cfb069f73c7644853ed93aecdb0 upstream. Some WiFi/Bluetooth modules might have different host connection options, allowing to either use SDIO for both WiFi and Bluetooth, or SDIO for WiFi and UART for Bluetooth. It is possible to detect whether a module has SDIO-SDIO or SDIO-UART connection by reading its host strap register. This change introduces a way to automatically select appropriate firmware depending of the connection method, and removes a need of symlinking or overwriting the original firmware file with a required one. Host strap register used in this commit comes from the NXP driver [1] hosted at Code Aurora. [1] Signed-off-by: Andrejs Cainikovs <> Reviewed-by: Alvin Šipraga <> Signed-off-by: Kalle Valo <> Link:
2022-05-20Revert "clk: imx7d: Remove audio_mclk_root_clk"Philippe Schenker
This reverts commit b576488fa3b5715a1ef3eafc0b1c1d3514345613. As it uses to break audio on i.MX 7 based modules. Signed-off-by: Philippe Schenker <>
2022-05-19Merge remote-tracking branch 'gh-fslc/5.4-2.3.x-imx' into toradex_5.4-2.3.x-imxPhilippe Schenker
2022-05-19Merge pull request #565 from ↵Otavio Salvador
philschenker/update-to-5.4.193__update-to-2.3.7__5.4-2.3.x-imx Update Patchlevel on Branch 5.4-2.3.x-imx from 5.4.161->5.4.193
2022-05-19Merge pull request #564 from philschenker/update-to-2.3.7__5.4-2.3.x-imxOtavio Salvador
Update Kernel 5.4-2.3.x-imx to NXP Release Linux 5.4.70_2.3.7 Patch
2022-05-19Merge tag 'v5.4.193' into update-to-2.3.7__5.4-2.3.x-imxPhilippe Schenker
This is the 5.4.193 stable release Conflicts: arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts drivers/edac/synopsys_edac.c drivers/mmc/host/sdhci-esdhc-imx.c drivers/mmc/host/sdhci.c drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c sound/soc/codecs/msm8916-wcd-analog.c
2022-05-19LF-3705-1: caam: imx8m: fix the built-in caam driver cannot match soc_idAlice Guo
drivers/soc/imx/soc-imx8m.c is probed later than the caam driver so that return -EPROBE_DEFER is needed after calling soc_device_match() in drivers/crypto/caam/ctrl.c. For i.MX8M, soc_device_match returning NULL can be considered that the SoC device has not been probed yet, so it returns -EPROBE_DEFER directly. Fixes: 6375d33dce9a ("soc: imx8m: change to use platform driver") Signed-off-by: Alice Guo <> Reviewed-by: Horia Geantă <> (cherry picked from commit d5df21ff810453741e23aa62de3e3911957c42b1)
2022-05-18MLK-25133: arm: dts: remove power domains for i2c chipsOliver Brown
The power domains are causing the i2c expander to be reset during suspend resume. After resume the expander state is not being restored properly. So since the reset is optional, I am removing the power domains. Signed-off-by: Oliver Brown <> Reviewed-by: Shenwei Wang <> (cherry picked from commit b928f18fdf653d70871958f561357ad98fa4aa86)
2022-05-18LF-4020: clk: imx8qxp: Fix elcdif_pll clockRobert Chiras
Move the elcdif_pll clock initialization before the lcd_clk, since the elcdif_clk needs to be initialized ahead of lcd_clk, being its parent. This change fixes issues with the LCD clocks during suspend/resume. Signed-off-by: Robert Chiras <> Suggested-by: Ranjani Vaidyanathan <> Acked-by: Laurentiu Palcu <> (cherry picked from commit 0668a88908ccc841081b0509d80e0b4f6b5f9a78)
2022-05-18MLK-25088: drm/mxsfb: Change connector type for panelOliver Brown
The connector type for a panel without a bridge should be DRM_MODE_CONNECTOR_DPI. Signed-off-by: Oliver Brown <> Reviewed-by: Robert Chiras <> (cherry picked from commit cc8cfef78c0ebaa5936af8d1a65f9372680b6634)
2022-05-18LF-3217: media: isi: cap: call streamoff if the process abnormal exitGuoniu.zhou
For normal case, userspace should call streamon/streamoff balance, but for some special case, the process will be killed or terminated and the streamoff ioctl will be ignored. So driver need to handle the case. Signed-off-by: Guoniu.zhou <> Reviewed-by: Robby Cai <> (cherry picked from commit 057b44588095cb6be35175f42467c1481d0dd54b)
2022-05-18MLK-25649-7 rpmsg: imx: Add support for identifying SCU wakeup source from sysfsRanjani Vaidyanathan
Consolidate SCU wakeup defines in the header file. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit d7b1dd90185df67fe1e713ff439fc898201cb8c8) (cherry picked from commit 5693275abe2a558f7a433bba23eb8ae35bd30749)
2022-05-18MLK-25649-8 rtc: imx-sc: Add support for identifying SCU wakeup source from ↵Ranjani Vaidyanathan
sysfs Consolidate SCU wakeup defines in the header file. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit ae44e6f054423fd6b228a147571cc77bc768138e) (cherry picked from commit 8924966cd6cb48c0c549d07f028ee544fa6dca1a)
2022-05-18MLK-25649-9 watchdog: imx_sc_wdt: Add support for identifying SCU wakeup ↵Ranjani Vaidyanathan
source from sysfs Consolidate SCU wakeup defines in the header file. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit 9d2e7cc3a10f2ce1e36fc40acb494494bed08109) (cherry picked from commit 0096d3876d96b1b400f5bf2cb999078236e28bf0) Ported from codeaurora/imx_5.4.70_2.3.0 Signed-off-by: Philippe Schenker <>
2022-05-18MLK-25649-4 mailbox: imx: Add support for identifying SCU wakeup source from ↵Ranjani Vaidyanathan
sysfs Record SCU wakeup interrupt in /sys/power/pm_wakeup_irq Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit e8d90d8901e42f9ac039086af9f1829030204fa8) (cherry picked from commit 2b5bb07b7c25ae047530a78d5d19466f7b6b330c)
2022-05-18MLK-25649-6 remoteproc: imx_proc: Add support for identifying SCU wakeup sou ↵Ranjani Vaidyanathan
rce from sysfs Consolidate SCU wakeup defines in the header file. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit 012932b938d28eb47d05a505705fad3735b53d5d)
2022-05-18MLK-25649-10 firmware: seco_mu: Add support for identifying SCU wakeup ↵Ranjani Vaidyanathan
source from sysfs Consolidate SCU wakeup defines in the header file. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit 215433a807576abc8cafbbb1b64715650ed98224) (cherry picked from commit 7ca430575e9ae034a2c28798fa8dd7b931f0733c)
2022-05-18MLK-25649-2 gpio: mxc: Add support for identifying SCU wakeup source from sysfsRanjani Vaidyanathan
Consolidate SCU wakeup defines in the header file. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit 7d1a364e453397d3659cb80832e2297d49b62706) (cherry picked from commit 36bde0d134c97cfbbac9ad1078a2fbeb9b2cd9fa)
2022-05-18MLK-25649-1 firmware: imx: imx-scu-irq: Add support for identifying SCU ↵Ranjani Vaidyanathan
wakeup source from sysfs Record SCU wakeup interrupt in /sys/power/pm_wakeup_irq The user can further identify the exact wakeup source by using the following interface: cat /sys/firmware/scu_wakeup_source/wakeup_src The above will print the wake groups and the irqs that could have contributed to waking up the kernel. For example if ON/OFF button was the wakeup source: cat /sys/firmware/scu_wakeup_source/wakeup_src Wakeup source group = 3, irq = 0x1 The user can refer to the SCFW API documentation to identify all the wake groups and irqs. Signed-off-by: Ranjani Vaidyanathan <> (cherry picked from commit d49daabfb43eddf94144560fc2eef58015311454) (cherry picked from commit fed9f95ad512fd4b4cca7c8bfd08a78ddcaebeb9)
2022-05-18LF-4265: mailbox: imx: fix wakeup failure from freeze modeRobin Gong
Since IRQF_NO_SUSPEND used for imx mailbox driver, that means this irq can't be used for wakeup source so that can't wakeup from freeze mode. Add pm_system_wakeup() to wakeup from freeze mode. Signed-off-by: Robin Gong <> Reviewed-by: Jacky Bai <> Reviewed-by: Peng Fan <> (cherry picked from commit d12a9c6240167bab5a49180cf642cc9e6e518bca) (cherry picked from commit 23857411888f489fbff023d05a38a0cdc035af26)
2022-05-18MLK-25731: drm: imx: hdp: correct ipg clk disableOliver Brown
Change enable calls to disable calls in imx8qm_ipg_clk_disable Signed-off-by: Oliver Brown <> (cherry picked from commit 8d4eef776974fce47db4447226b3834d4eb5afc5)
2022-05-18MLK-25498 gpu: drm: imx: Add missing PHY init to cdns_mhdp_imx_resumeOliver Brown
This fixes an issue where there is no display after resuming from suspend due to missing PHY initialization. Signed-off-by: Oliver Brown <> Reviewed-by: Sandor Yu <> (cherry picked from commit 23617be31285b84b68e652d3fb39dc73875126c1)
2022-05-13net: phy: Fix race condition on link status changeFrancesco Dolcini
commit 91a7cda1f4b8bdf770000a3b60640576dafe0cec upstream. This fixes the following error caused by a race condition between phydev->adjust_link() and a MDIO transaction in the phy interrupt handler. The issue was reproduced with the ethernet FEC driver and a micrel KSZ9031 phy. [ 146.195696] fec 2188000.ethernet eth0: MDIO read timeout [ 146.201779] ------------[ cut here ]------------ [ 146.206671] WARNING: CPU: 0 PID: 571 at drivers/net/phy/phy.c:942 phy_error+0x24/0x6c [ 146.214744] Modules linked in: bnep imx_vdoa imx_sdma evbug [ 146.220640] CPU: 0 PID: 571 Comm: irq/128-2188000 Not tainted 5.18.0-rc3-00080-gd569e86915b7 #9 [ 146.229563] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 146.236257] unwind_backtrace from show_stack+0x10/0x14 [ 146.241640] show_stack from dump_stack_lvl+0x58/0x70 [ 146.246841] dump_stack_lvl from __warn+0xb4/0x24c [ 146.251772] __warn from warn_slowpath_fmt+0x5c/0xd4 [ 146.256873] warn_slowpath_fmt from phy_error+0x24/0x6c [ 146.262249] phy_error from kszphy_handle_interrupt+0x40/0x48 [ 146.268159] kszphy_handle_interrupt from irq_thread_fn+0x1c/0x78 [ 146.274417] irq_thread_fn from irq_thread+0xf0/0x1dc [ 146.279605] irq_thread from kthread+0xe4/0x104 [ 146.284267] kthread from ret_from_fork+0x14/0x28 [ 146.289164] Exception stack(0xe6fa1fb0 to 0xe6fa1ff8) [ 146.294448] 1fa0: 00000000 00000000 00000000 00000000 [ 146.302842] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 146.311281] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 [ 146.318262] irq event stamp: 12325 [ 146.321780] hardirqs last enabled at (12333): [<c01984c4>] __up_console_sem+0x50/0x60 [ 146.330013] hardirqs last disabled at (12342): [<c01984b0>] __up_console_sem+0x3c/0x60 [ 146.338259] softirqs last enabled at (12324): [<c01017f0>] __do_softirq+0x2c0/0x624 [ 146.346311] softirqs last disabled at (12319): [<c01300ac>] __irq_exit_rcu+0x138/0x178 [ 146.354447] ---[ end trace 0000000000000000 ]--- With the FEC driver phydev->adjust_link() calls fec_enet_adjust_link() calls fec_stop()/fec_restart() and both these function reset and temporary disable the FEC disrupting any MII transaction that could be happening at the same time. fec_enet_adjust_link() and phy_read() can be running at the same time when we have one additional interrupt before the phy_state_machine() is able to terminate. Thread 1 (phylib WQ) | Thread 2 (phy interrupt) | | phy_interrupt() <-- PHY IRQ | handle_interrupt() | phy_read() | phy_trigger_machine() | --> schedule phylib WQ | | phy_state_machine() | phy_check_link_status() | phy_link_change() | phydev->adjust_link() | fec_enet_adjust_link() | --> FEC reset | phy_interrupt() <-- PHY IRQ | phy_read() | Fix this by acquiring the phydev lock in phy_interrupt(). Link: Fixes: c974bdbc3e77 ("net: phy: Use threaded IRQ, to allow IRQ from sleeping devices") cc: <> Signed-off-by: Francesco Dolcini <> Reviewed-by: Andrew Lunn <> Link: Signed-off-by: Jakub Kicinski <> [fd: backport: adapt locking before did_interrupt()/ack_interrupt() callbacks removal ] Signed-off-by: Francesco Dolcini <>
2022-05-12Linux 5.4.193Greg Kroah-Hartman
Link: Tested-by: Florian Fainelli <> Tested-by: Shuah Khan <> Tested-by: Guenter Roeck <> Tested-by: Hulk Robot <> Tested-by: Linux Kernel Functional Testing <> Tested-by: Jon Hunter <> Tested-by: Sudip Mukherjee <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12mmc: rtsx: add 74 Clocks in power on flowRicky WU
commit 1f311c94aabdb419c28e3147bcc8ab89269f1a7e upstream. SD spec definition: "Host provides at least 74 Clocks before issuing first command" After 1ms for the voltage stable then start issuing the Clock signals if POWER STATE is MMC_POWER_OFF to MMC_POWER_UP to issue Clock signal to card MMC_POWER_UP to MMC_POWER_ON to stop issuing signal to card Signed-off-by: Ricky Wu <> Link: Signed-off-by: Ulf Hansson <> Signed-off-by: Christian Loehle <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12PCI: aardvark: Fix reading MSI interrupt numberPali Rohár
commit 805dfc18dd3d4dd97a987d4406593b5a225b1253 upstream. In advk_pcie_handle_msi() it is expected that when bit i in the W1C register PCIE_MSI_STATUS_REG is cleared, the PCIE_MSI_PAYLOAD_REG is updated to contain the MSI number corresponding to index i. Experiments show that this is not so, and instead PCIE_MSI_PAYLOAD_REG always contains the number of the last received MSI, overall. Do not read PCIE_MSI_PAYLOAD_REG register for determining MSI interrupt number. Since Aardvark already forbids more than 32 interrupts and uses own allocated hwirq numbers, the msi_idx already corresponds to the received MSI number. Link: Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver") Signed-off-by: Pali Rohár <> Signed-off-by: Marek Behún <> Signed-off-by: Lorenzo Pieralisi <> Signed-off-by: Marek Behún <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12PCI: aardvark: Clear all MSIs at setupPali Rohár
commit 7d8dc1f7cd007a7ce94c5b4c20d63a8b8d6d7751 upstream. We already clear all the other interrupts (ISR0, ISR1, HOST_CTRL_INT). Define a new macro PCIE_MSI_ALL_MASK and do the same clearing for MSIs, to ensure that we don't start receiving spurious interrupts. Use this new mask in advk_pcie_handle_msi(); Link: Signed-off-by: Pali Rohár <> Signed-off-by: Marek Behún <> Signed-off-by: Lorenzo Pieralisi <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12dm: interlock pending dm_io and dm_wait_for_bios_completionMike Snitzer
commit 9f6dc633761006f974701d4c88da71ab68670749 upstream. Commit d208b89401e0 ("dm: fix mempool NULL pointer race when completing IO") didn't go far enough. When bio_end_io_acct ends the count of in-flight I/Os may reach zero and the DM device may be suspended. There is a possibility that the suspend races with dm_stats_account_io. Fix this by adding percpu "pending_io" counters to track outstanding dm_io. Move kicking of suspend queue to dm_io_dec_pending(). Also, rename md_in_flight_bios() to dm_in_flight_bios() and update it to iterate all pending_io counters. Fixes: d208b89401e0 ("dm: fix mempool NULL pointer race when completing IO") Cc: Co-developed-by: Mikulas Patocka <> Signed-off-by: Mikulas Patocka <> Signed-off-by: Mike Snitzer <> Signed-off-by: Mikulas Patocka <> Reviewed-by: Mike Snitzer <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12dm: fix mempool NULL pointer race when completing IOJiazi Li
commit d208b89401e073de986dc891037c5a668f5d5d95 upstream. dm_io_dec_pending() calls end_io_acct() first and will then dec md in-flight pending count. But if a task is swapping DM table at same time this can result in a crash due to mempool->elements being NULL: task1 task2 do_resume ->do_suspend ->dm_wait_for_completion bio_endio ->clone_endio ->dm_io_dec_pending ->end_io_acct ->wakeup task1 ->dm_swap_table ->__bind ->__bind_mempools ->bioset_exit ->mempool_exit ->free_io [ 67.330330] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ...... [ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO) [ 67.330510] pc : mempool_free+0x70/0xa0 [ 67.330515] lr : mempool_free+0x4c/0xa0 [ 67.330520] sp : ffffff8008013b20 [ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004 [ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8 [ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800 [ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800 [ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80 [ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c [ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd [ 67.330563] x15: 000000000093b41e x14: 0000000000000010 [ 67.330569] x13: 0000000000007f7a x12: 0000000034155555 [ 67.330574] x11: 0000000000000001 x10: 0000000000000001 [ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000 [ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a [ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001 [ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8 [ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970 [ 67.330609] Call trace: [ 67.330616] mempool_free+0x70/0xa0 [ 67.330627] bio_put+0xf8/0x110 [ 67.330638] dec_pending+0x13c/0x230 [ 67.330644] clone_endio+0x90/0x180 [ 67.330649] bio_endio+0x198/0x1b8 [ 67.330655] dec_pending+0x190/0x230 [ 67.330660] clone_endio+0x90/0x180 [ 67.330665] bio_endio+0x198/0x1b8 [ 67.330673] blk_update_request+0x214/0x428 [ 67.330683] scsi_end_request+0x2c/0x300 [ 67.330688] scsi_io_completion+0xa0/0x710 [ 67.330695] scsi_finish_command+0xd8/0x110 [ 67.330700] scsi_softirq_done+0x114/0x148 [ 67.330708] blk_done_softirq+0x74/0xd0 [ 67.330716] __do_softirq+0x18c/0x374 [ 67.330724] irq_exit+0xb4/0xb8 [ 67.330732] __handle_domain_irq+0x84/0xc0 [ 67.330737] gic_handle_irq+0x148/0x1b0 [ 67.330744] el1_irq+0xe8/0x190 [ 67.330753] lpm_cpuidle_enter+0x4f8/0x538 [ 67.330759] cpuidle_enter_state+0x1fc/0x398 [ 67.330764] cpuidle_enter+0x18/0x20 [ 67.330772] do_idle+0x1b4/0x290 [ 67.330778] cpu_startup_entry+0x20/0x28 [ 67.330786] secondary_start_kernel+0x160/0x170 Fix this by: 1) Establishing pointers to 'struct dm_io' members in dm_io_dec_pending() so that they may be passed into end_io_acct() _after_ free_io() is called. 2) Moving end_io_acct() after free_io(). Cc: Signed-off-by: Jiazi Li <> Signed-off-by: Mike Snitzer <> Signed-off-by: Mikulas Patocka <> Reviewed-by: Mike Snitzer <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12tcp: make sure treq->af_specific is initializedEric Dumazet
commit ba5a4fdd63ae0c575707030db0b634b160baddd7 upstream. syzbot complained about a recent change in TCP stack, hitting a NULL pointer [1] tcp request sockets have an af_specific pointer, which was used before the blamed change only for SYNACK generation in non SYNCOOKIE mode. tcp requests sockets momentarily created when third packet coming from client in SYNCOOKIE mode were not using treq->af_specific. Make sure this field is populated, in the same way normal TCP requests sockets do in tcp_conn_request(). [1] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 3695 Comm: syz-executor864 Not tainted 5.18.0-rc3-syzkaller-00224-g5fd1fe4807f9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:tcp_create_openreq_child+0xe16/0x16b0 net/ipv4/tcp_minisocks.c:534 Code: 48 c1 ea 03 80 3c 02 00 0f 85 e5 07 00 00 4c 8b b3 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c9 07 00 00 48 8b 3c 24 48 89 de 41 ff 56 08 48 RSP: 0018:ffffc90000de0588 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff888076490330 RCX: 0000000000000100 RDX: 0000000000000001 RSI: ffffffff87d67ff0 RDI: 0000000000000008 RBP: ffff88806ee1c7f8 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff87d67f00 R11: 0000000000000000 R12: ffff88806ee1bfc0 R13: ffff88801b0e0368 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f517fe58700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcead76960 CR3: 000000006f97b000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> tcp_v6_syn_recv_sock+0x199/0x23b0 net/ipv6/tcp_ipv6.c:1267 tcp_get_cookie_sock+0xc9/0x850 net/ipv4/syncookies.c:207 cookie_v6_check+0x15c3/0x2340 net/ipv6/syncookies.c:258 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1131 [inline] tcp_v6_do_rcv+0x1148/0x13b0 net/ipv6/tcp_ipv6.c:1486 tcp_v6_rcv+0x3305/0x3840 net/ipv6/tcp_ipv6.c:1725 ip6_protocol_deliver_rcu+0x2e9/0x1900 net/ipv6/ip6_input.c:422 ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:464 NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:473 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ipv6_rcv+0x27f/0x3b0 net/ipv6/ip6_input.c:297 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519 process_backlog+0x3a0/0x7c0 net/core/dev.c:5847 __napi_poll+0xb3/0x6e0 net/core/dev.c:6413 napi_poll net/core/dev.c:6480 [inline] net_rx_action+0x8ec/0xc60 net/core/dev.c:6567 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 Fixes: 5b0b9e4c2c89 ("tcp: md5: incorrect tcp_header_len for incoming connections") Signed-off-by: Eric Dumazet <> Cc: Francesco Ruggeri <> Signed-off-by: David S. Miller <> [fruggeri: Account for backport conflicts from 35b2c3211609 and 6fc8c827dd4f] Signed-off-by: Francesco Ruggeri <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lockTakashi Iwai
commit bc55cfd5718c7c23e5524582e9fa70b4d10f2433 upstream. syzbot caught a potential deadlock between the PCM runtime->buffer_mutex and the mm->mmap_lock. It was brought by the recent fix to cover the racy read/write and other ioctls, and in that commit, I overlooked a (hopefully only) corner case that may take the revert lock, namely, the OSS mmap. The OSS mmap operation exceptionally allows to re-configure the parameters inside the OSS mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the copy_from/to_user calls at read/write operations also take the mm->mmap_lock internally, hence it may lead to a AB/BA deadlock. A similar problem was already seen in the past and we fixed it with a refcount (in commit b248371628aa). The former fix covered only the call paths with OSS read/write and OSS ioctls, while we need to cover the concurrent access via both ALSA and OSS APIs now. This patch addresses the problem above by replacing the buffer_mutex lock in the read/write operations with a refcount similar as we've used for OSS. The new field, runtime->buffer_accessing, keeps the number of concurrent read/write operations. Unlike the former buffer_mutex protection, this protects only around the copy_from/to_user() calls; the other codes are basically protected by the PCM stream lock. The refcount can be a negative, meaning blocked by the ioctls. If a negative value is seen, the read/write aborts with -EBUSY. In the ioctl side, OTOH, they check this refcount, too, and set to a negative value for blocking unless it's already being accessed. Reported-by: Fixes: dca947d4d26d ("ALSA: pcm: Fix races among concurrent read/write and buffer changes") Cc: <> Link: Link: Signed-off-by: Takashi Iwai <> [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12ALSA: pcm: Fix races among concurrent prealloc proc writesTakashi Iwai
commit 69534c48ba8ce552ce383b3dfdb271ffe51820c3 upstream. We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations). Cc: <> Reviewed-by: Jaroslav Kysela <> Link: Signed-off-by: Takashi Iwai <> [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait <> Signed-off-by: Greg Kroah-Hartman <>
2022-05-12ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free callsTakashi Iwai
commit 3c3201f8c7bb77eb53b08a3ca8d9a4ddc500b4c0 upstream. Like the previous fixes to hw_params and hw_free ioctl races, we need to paper over the concurrent prepare ioctl calls against hw_params and hw_free, too. This patch implements the locking with the existing runtime->buffer_mutex for prepare ioctls. Unlike the previous case for snd_pcm_hw_hw_params() and snd_pcm_hw_free(), snd_pcm_prepare() is performed to the linked streams, hence the lock can't be applied simply on the top. For tracking the lock in each linked substream, we modify snd_pcm_action_group() slightly and apply the buffer_mutex for the case stream_lock=false (formerly there was no lock applied) there. Cc: <> Reviewed-by: Jaroslav Kysela <> Link: Signed-off-by: Takashi Iwai <> [OP: backport to 5.4: adjusted context] Signed-off-by: Ovidiu Panait <> Signed-off-by: Greg Kroah-Hartman <>