Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Sat, 20 Apr 2019 23:20:44
Message-Id: 1555758442.650251e45f1b8a628c9033e8e47bf15d3cf91b63.mpagano@gentoo
1 commit: 650251e45f1b8a628c9033e8e47bf15d3cf91b63
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sat Apr 20 11:07:22 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sat Apr 20 11:07:22 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=650251e4
7
8 Linux patch 4.14.113
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1112_linux-4.14.113.patch | 7351 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 7355 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index ea26cf5..08bf515 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -491,6 +491,10 @@ Patch: 1111_4.14.112.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.14.112
23
24 +Patch: 1112_4.14.113.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.14.113
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1112_linux-4.14.113.patch b/1112_linux-4.14.113.patch
33 new file mode 100644
34 index 0000000..d7ada5f
35 --- /dev/null
36 +++ b/1112_linux-4.14.113.patch
37 @@ -0,0 +1,7351 @@
38 +diff --git a/Makefile b/Makefile
39 +index 94673d2a6a27..fcfef30ca9a6 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 4
45 + PATCHLEVEL = 14
46 +-SUBLEVEL = 112
47 ++SUBLEVEL = 113
48 + EXTRAVERSION =
49 + NAME = Petit Gorille
50 +
51 +diff --git a/arch/arc/configs/hsdk_defconfig b/arch/arc/configs/hsdk_defconfig
52 +index 083560e9e571..4dac1169f528 100644
53 +--- a/arch/arc/configs/hsdk_defconfig
54 ++++ b/arch/arc/configs/hsdk_defconfig
55 +@@ -9,6 +9,7 @@ CONFIG_NAMESPACES=y
56 + # CONFIG_UTS_NS is not set
57 + # CONFIG_PID_NS is not set
58 + CONFIG_BLK_DEV_INITRD=y
59 ++CONFIG_BLK_DEV_RAM=y
60 + CONFIG_EMBEDDED=y
61 + CONFIG_PERF_EVENTS=y
62 + # CONFIG_VM_EVENT_COUNTERS is not set
63 +diff --git a/arch/arc/kernel/head.S b/arch/arc/kernel/head.S
64 +index 1f945d0f40da..208bf2c9e7b0 100644
65 +--- a/arch/arc/kernel/head.S
66 ++++ b/arch/arc/kernel/head.S
67 +@@ -107,6 +107,7 @@ ENTRY(stext)
68 + ; r2 = pointer to uboot provided cmdline or external DTB in mem
69 + ; These are handled later in handle_uboot_args()
70 + st r0, [@uboot_tag]
71 ++ st r1, [@uboot_magic]
72 + st r2, [@uboot_arg]
73 + #endif
74 +
75 +diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c
76 +index 709649e5f9bc..6b8d106e0d53 100644
77 +--- a/arch/arc/kernel/setup.c
78 ++++ b/arch/arc/kernel/setup.c
79 +@@ -35,6 +35,7 @@ unsigned int intr_to_DE_cnt;
80 +
81 + /* Part of U-boot ABI: see head.S */
82 + int __initdata uboot_tag;
83 ++int __initdata uboot_magic;
84 + char __initdata *uboot_arg;
85 +
86 + const struct machine_desc *machine_desc;
87 +@@ -433,6 +434,8 @@ static inline bool uboot_arg_invalid(unsigned long addr)
88 + #define UBOOT_TAG_NONE 0
89 + #define UBOOT_TAG_CMDLINE 1
90 + #define UBOOT_TAG_DTB 2
91 ++/* We always pass 0 as magic from U-boot */
92 ++#define UBOOT_MAGIC_VALUE 0
93 +
94 + void __init handle_uboot_args(void)
95 + {
96 +@@ -448,6 +451,11 @@ void __init handle_uboot_args(void)
97 + goto ignore_uboot_args;
98 + }
99 +
100 ++ if (uboot_magic != UBOOT_MAGIC_VALUE) {
101 ++ pr_warn(IGNORE_ARGS "non zero uboot magic\n");
102 ++ goto ignore_uboot_args;
103 ++ }
104 ++
105 + if (uboot_tag != UBOOT_TAG_NONE &&
106 + uboot_arg_invalid((unsigned long)uboot_arg)) {
107 + pr_warn(IGNORE_ARGS "invalid uboot arg: '%px'\n", uboot_arg);
108 +diff --git a/arch/arm/crypto/sha256-armv4.pl b/arch/arm/crypto/sha256-armv4.pl
109 +index fac0533ea633..f64e8413ab9a 100644
110 +--- a/arch/arm/crypto/sha256-armv4.pl
111 ++++ b/arch/arm/crypto/sha256-armv4.pl
112 +@@ -205,10 +205,11 @@ K256:
113 + .global sha256_block_data_order
114 + .type sha256_block_data_order,%function
115 + sha256_block_data_order:
116 ++.Lsha256_block_data_order:
117 + #if __ARM_ARCH__<7
118 + sub r3,pc,#8 @ sha256_block_data_order
119 + #else
120 +- adr r3,sha256_block_data_order
121 ++ adr r3,.Lsha256_block_data_order
122 + #endif
123 + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
124 + ldr r12,.LOPENSSL_armcap
125 +diff --git a/arch/arm/crypto/sha256-core.S_shipped b/arch/arm/crypto/sha256-core.S_shipped
126 +index 555a1a8eec90..72c248081d27 100644
127 +--- a/arch/arm/crypto/sha256-core.S_shipped
128 ++++ b/arch/arm/crypto/sha256-core.S_shipped
129 +@@ -86,10 +86,11 @@ K256:
130 + .global sha256_block_data_order
131 + .type sha256_block_data_order,%function
132 + sha256_block_data_order:
133 ++.Lsha256_block_data_order:
134 + #if __ARM_ARCH__<7
135 + sub r3,pc,#8 @ sha256_block_data_order
136 + #else
137 +- adr r3,sha256_block_data_order
138 ++ adr r3,.Lsha256_block_data_order
139 + #endif
140 + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
141 + ldr r12,.LOPENSSL_armcap
142 +diff --git a/arch/arm/crypto/sha512-armv4.pl b/arch/arm/crypto/sha512-armv4.pl
143 +index a2b11a844357..5fe336420bcf 100644
144 +--- a/arch/arm/crypto/sha512-armv4.pl
145 ++++ b/arch/arm/crypto/sha512-armv4.pl
146 +@@ -267,10 +267,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
147 + .global sha512_block_data_order
148 + .type sha512_block_data_order,%function
149 + sha512_block_data_order:
150 ++.Lsha512_block_data_order:
151 + #if __ARM_ARCH__<7
152 + sub r3,pc,#8 @ sha512_block_data_order
153 + #else
154 +- adr r3,sha512_block_data_order
155 ++ adr r3,.Lsha512_block_data_order
156 + #endif
157 + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
158 + ldr r12,.LOPENSSL_armcap
159 +diff --git a/arch/arm/crypto/sha512-core.S_shipped b/arch/arm/crypto/sha512-core.S_shipped
160 +index 3694c4d4ca2b..de9bd7f55242 100644
161 +--- a/arch/arm/crypto/sha512-core.S_shipped
162 ++++ b/arch/arm/crypto/sha512-core.S_shipped
163 +@@ -134,10 +134,11 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
164 + .global sha512_block_data_order
165 + .type sha512_block_data_order,%function
166 + sha512_block_data_order:
167 ++.Lsha512_block_data_order:
168 + #if __ARM_ARCH__<7
169 + sub r3,pc,#8 @ sha512_block_data_order
170 + #else
171 +- adr r3,sha512_block_data_order
172 ++ adr r3,.Lsha512_block_data_order
173 + #endif
174 + #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
175 + ldr r12,.LOPENSSL_armcap
176 +diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
177 +index a50dc00d79a2..d0a05a3bdb96 100644
178 +--- a/arch/arm/kernel/patch.c
179 ++++ b/arch/arm/kernel/patch.c
180 +@@ -16,7 +16,7 @@ struct patch {
181 + unsigned int insn;
182 + };
183 +
184 +-static DEFINE_SPINLOCK(patch_lock);
185 ++static DEFINE_RAW_SPINLOCK(patch_lock);
186 +
187 + static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
188 + __acquires(&patch_lock)
189 +@@ -33,7 +33,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags)
190 + return addr;
191 +
192 + if (flags)
193 +- spin_lock_irqsave(&patch_lock, *flags);
194 ++ raw_spin_lock_irqsave(&patch_lock, *flags);
195 + else
196 + __acquire(&patch_lock);
197 +
198 +@@ -48,7 +48,7 @@ static void __kprobes patch_unmap(int fixmap, unsigned long *flags)
199 + clear_fixmap(fixmap);
200 +
201 + if (flags)
202 +- spin_unlock_irqrestore(&patch_lock, *flags);
203 ++ raw_spin_unlock_irqrestore(&patch_lock, *flags);
204 + else
205 + __release(&patch_lock);
206 + }
207 +diff --git a/arch/arm/plat-samsung/Kconfig b/arch/arm/plat-samsung/Kconfig
208 +index e8229b9fee4a..3265b8f86069 100644
209 +--- a/arch/arm/plat-samsung/Kconfig
210 ++++ b/arch/arm/plat-samsung/Kconfig
211 +@@ -258,7 +258,7 @@ config S3C_PM_DEBUG_LED_SMDK
212 +
213 + config SAMSUNG_PM_CHECK
214 + bool "S3C2410 PM Suspend Memory CRC"
215 +- depends on PM
216 ++ depends on PM && (PLAT_S3C24XX || ARCH_S3C64XX || ARCH_S5PV210)
217 + select CRC32
218 + help
219 + Enable the PM code's memory area checksum over sleep. This option
220 +diff --git a/arch/powerpc/kernel/rtasd.c b/arch/powerpc/kernel/rtasd.c
221 +index 0f0b1b2f3b60..7caeae73348d 100644
222 +--- a/arch/powerpc/kernel/rtasd.c
223 ++++ b/arch/powerpc/kernel/rtasd.c
224 +@@ -274,27 +274,16 @@ void pSeries_log_error(char *buf, unsigned int err_type, int fatal)
225 + }
226 +
227 + #ifdef CONFIG_PPC_PSERIES
228 +-static s32 prrn_update_scope;
229 +-
230 +-static void prrn_work_fn(struct work_struct *work)
231 ++static void handle_prrn_event(s32 scope)
232 + {
233 + /*
234 + * For PRRN, we must pass the negative of the scope value in
235 + * the RTAS event.
236 + */
237 +- pseries_devicetree_update(-prrn_update_scope);
238 ++ pseries_devicetree_update(-scope);
239 + numa_update_cpu_topology(false);
240 + }
241 +
242 +-static DECLARE_WORK(prrn_work, prrn_work_fn);
243 +-
244 +-static void prrn_schedule_update(u32 scope)
245 +-{
246 +- flush_work(&prrn_work);
247 +- prrn_update_scope = scope;
248 +- schedule_work(&prrn_work);
249 +-}
250 +-
251 + static void handle_rtas_event(const struct rtas_error_log *log)
252 + {
253 + if (rtas_error_type(log) != RTAS_TYPE_PRRN || !prrn_is_enabled())
254 +@@ -303,7 +292,7 @@ static void handle_rtas_event(const struct rtas_error_log *log)
255 + /* For PRRN Events the extended log length is used to denote
256 + * the scope for calling rtas update-nodes.
257 + */
258 +- prrn_schedule_update(rtas_error_extended_log_length(log));
259 ++ handle_prrn_event(rtas_error_extended_log_length(log));
260 + }
261 +
262 + #else
263 +diff --git a/arch/x86/kernel/cpu/cyrix.c b/arch/x86/kernel/cpu/cyrix.c
264 +index 8949b7ae6d92..fa61c870ada9 100644
265 +--- a/arch/x86/kernel/cpu/cyrix.c
266 ++++ b/arch/x86/kernel/cpu/cyrix.c
267 +@@ -124,7 +124,7 @@ static void set_cx86_reorder(void)
268 + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */
269 +
270 + /* Load/Store Serialize to mem access disable (=reorder it) */
271 +- setCx86_old(CX86_PCR0, getCx86_old(CX86_PCR0) & ~0x80);
272 ++ setCx86(CX86_PCR0, getCx86(CX86_PCR0) & ~0x80);
273 + /* set load/store serialize from 1GB to 4GB */
274 + ccr3 |= 0xe0;
275 + setCx86(CX86_CCR3, ccr3);
276 +@@ -135,11 +135,11 @@ static void set_cx86_memwb(void)
277 + pr_info("Enable Memory-Write-back mode on Cyrix/NSC processor.\n");
278 +
279 + /* CCR2 bit 2: unlock NW bit */
280 +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) & ~0x04);
281 ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) & ~0x04);
282 + /* set 'Not Write-through' */
283 + write_cr0(read_cr0() | X86_CR0_NW);
284 + /* CCR2 bit 2: lock NW bit and set WT1 */
285 +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x14);
286 ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x14);
287 + }
288 +
289 + /*
290 +@@ -153,14 +153,14 @@ static void geode_configure(void)
291 + local_irq_save(flags);
292 +
293 + /* Suspend on halt power saving and enable #SUSP pin */
294 +- setCx86_old(CX86_CCR2, getCx86_old(CX86_CCR2) | 0x88);
295 ++ setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
296 +
297 + ccr3 = getCx86(CX86_CCR3);
298 + setCx86(CX86_CCR3, (ccr3 & 0x0f) | 0x10); /* enable MAPEN */
299 +
300 +
301 + /* FPU fast, DTE cache, Mem bypass */
302 +- setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x38);
303 ++ setCx86(CX86_CCR4, getCx86(CX86_CCR4) | 0x38);
304 + setCx86(CX86_CCR3, ccr3); /* disable MAPEN */
305 +
306 + set_cx86_memwb();
307 +@@ -296,7 +296,7 @@ static void init_cyrix(struct cpuinfo_x86 *c)
308 + /* GXm supports extended cpuid levels 'ala' AMD */
309 + if (c->cpuid_level == 2) {
310 + /* Enable cxMMX extensions (GX1 Datasheet 54) */
311 +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7) | 1);
312 ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1);
313 +
314 + /*
315 + * GXm : 0x30 ... 0x5f GXm datasheet 51
316 +@@ -319,7 +319,7 @@ static void init_cyrix(struct cpuinfo_x86 *c)
317 + if (dir1 > 7) {
318 + dir0_msn++; /* M II */
319 + /* Enable MMX extensions (App note 108) */
320 +- setCx86_old(CX86_CCR7, getCx86_old(CX86_CCR7)|1);
321 ++ setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1);
322 + } else {
323 + /* A 6x86MX - it has the bug. */
324 + set_cpu_bug(c, X86_BUG_COMA);
325 +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c
326 +index afa1a204bc6d..df767e6de8dd 100644
327 +--- a/arch/x86/kernel/hpet.c
328 ++++ b/arch/x86/kernel/hpet.c
329 +@@ -909,6 +909,8 @@ int __init hpet_enable(void)
330 + return 0;
331 +
332 + hpet_set_mapping();
333 ++ if (!hpet_virt_address)
334 ++ return 0;
335 +
336 + /*
337 + * Read the period and check for a sane value:
338 +diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
339 +index 8771766d46b6..9954a604a822 100644
340 +--- a/arch/x86/kernel/hw_breakpoint.c
341 ++++ b/arch/x86/kernel/hw_breakpoint.c
342 +@@ -352,6 +352,7 @@ int arch_validate_hwbkpt_settings(struct perf_event *bp)
343 + #endif
344 + default:
345 + WARN_ON_ONCE(1);
346 ++ return -EINVAL;
347 + }
348 +
349 + /*
350 +diff --git a/arch/x86/kernel/mpparse.c b/arch/x86/kernel/mpparse.c
351 +index bc6bc6689e68..1c52acaa5bec 100644
352 +--- a/arch/x86/kernel/mpparse.c
353 ++++ b/arch/x86/kernel/mpparse.c
354 +@@ -596,8 +596,8 @@ static int __init smp_scan_config(unsigned long base, unsigned long length)
355 + mpf_base = base;
356 + mpf_found = true;
357 +
358 +- pr_info("found SMP MP-table at [mem %#010lx-%#010lx] mapped at [%p]\n",
359 +- base, base + sizeof(*mpf) - 1, mpf);
360 ++ pr_info("found SMP MP-table at [mem %#010lx-%#010lx]\n",
361 ++ base, base + sizeof(*mpf) - 1);
362 +
363 + memblock_reserve(base, sizeof(*mpf));
364 + if (mpf->physptr)
365 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
366 +index 4bd878c9f7d2..90b7eee6d0f9 100644
367 +--- a/arch/x86/kvm/vmx.c
368 ++++ b/arch/x86/kvm/vmx.c
369 +@@ -11846,24 +11846,6 @@ static void prepare_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12,
370 + kvm_clear_interrupt_queue(vcpu);
371 + }
372 +
373 +-static void load_vmcs12_mmu_host_state(struct kvm_vcpu *vcpu,
374 +- struct vmcs12 *vmcs12)
375 +-{
376 +- u32 entry_failure_code;
377 +-
378 +- nested_ept_uninit_mmu_context(vcpu);
379 +-
380 +- /*
381 +- * Only PDPTE load can fail as the value of cr3 was checked on entry and
382 +- * couldn't have changed.
383 +- */
384 +- if (nested_vmx_load_cr3(vcpu, vmcs12->host_cr3, false, &entry_failure_code))
385 +- nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_PDPTE_FAIL);
386 +-
387 +- if (!enable_ept)
388 +- vcpu->arch.walk_mmu->inject_page_fault = kvm_inject_page_fault;
389 +-}
390 +-
391 + /*
392 + * A part of what we need to when the nested L2 guest exits and we want to
393 + * run its L1 parent, is to reset L1's guest state to the host state specified
394 +@@ -11877,6 +11859,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
395 + struct vmcs12 *vmcs12)
396 + {
397 + struct kvm_segment seg;
398 ++ u32 entry_failure_code;
399 +
400 + if (vmcs12->vm_exit_controls & VM_EXIT_LOAD_IA32_EFER)
401 + vcpu->arch.efer = vmcs12->host_ia32_efer;
402 +@@ -11903,7 +11886,17 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
403 + vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
404 + vmx_set_cr4(vcpu, vmcs12->host_cr4);
405 +
406 +- load_vmcs12_mmu_host_state(vcpu, vmcs12);
407 ++ nested_ept_uninit_mmu_context(vcpu);
408 ++
409 ++ /*
410 ++ * Only PDPTE load can fail as the value of cr3 was checked on entry and
411 ++ * couldn't have changed.
412 ++ */
413 ++ if (nested_vmx_load_cr3(vcpu, vmcs12->host_cr3, false, &entry_failure_code))
414 ++ nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_PDPTE_FAIL);
415 ++
416 ++ if (!enable_ept)
417 ++ vcpu->arch.walk_mmu->inject_page_fault = kvm_inject_page_fault;
418 +
419 + if (enable_vpid) {
420 + /*
421 +@@ -11994,6 +11987,140 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu,
422 + nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_MSR_FAIL);
423 + }
424 +
425 ++static inline u64 nested_vmx_get_vmcs01_guest_efer(struct vcpu_vmx *vmx)
426 ++{
427 ++ struct shared_msr_entry *efer_msr;
428 ++ unsigned int i;
429 ++
430 ++ if (vm_entry_controls_get(vmx) & VM_ENTRY_LOAD_IA32_EFER)
431 ++ return vmcs_read64(GUEST_IA32_EFER);
432 ++
433 ++ if (cpu_has_load_ia32_efer)
434 ++ return host_efer;
435 ++
436 ++ for (i = 0; i < vmx->msr_autoload.guest.nr; ++i) {
437 ++ if (vmx->msr_autoload.guest.val[i].index == MSR_EFER)
438 ++ return vmx->msr_autoload.guest.val[i].value;
439 ++ }
440 ++
441 ++ efer_msr = find_msr_entry(vmx, MSR_EFER);
442 ++ if (efer_msr)
443 ++ return efer_msr->data;
444 ++
445 ++ return host_efer;
446 ++}
447 ++
448 ++static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu)
449 ++{
450 ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
451 ++ struct vcpu_vmx *vmx = to_vmx(vcpu);
452 ++ struct vmx_msr_entry g, h;
453 ++ struct msr_data msr;
454 ++ gpa_t gpa;
455 ++ u32 i, j;
456 ++
457 ++ vcpu->arch.pat = vmcs_read64(GUEST_IA32_PAT);
458 ++
459 ++ if (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) {
460 ++ /*
461 ++ * L1's host DR7 is lost if KVM_GUESTDBG_USE_HW_BP is set
462 ++ * as vmcs01.GUEST_DR7 contains a userspace defined value
463 ++ * and vcpu->arch.dr7 is not squirreled away before the
464 ++ * nested VMENTER (not worth adding a variable in nested_vmx).
465 ++ */
466 ++ if (vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP)
467 ++ kvm_set_dr(vcpu, 7, DR7_FIXED_1);
468 ++ else
469 ++ WARN_ON(kvm_set_dr(vcpu, 7, vmcs_readl(GUEST_DR7)));
470 ++ }
471 ++
472 ++ /*
473 ++ * Note that calling vmx_set_{efer,cr0,cr4} is important as they
474 ++ * handle a variety of side effects to KVM's software model.
475 ++ */
476 ++ vmx_set_efer(vcpu, nested_vmx_get_vmcs01_guest_efer(vmx));
477 ++
478 ++ vcpu->arch.cr0_guest_owned_bits = X86_CR0_TS;
479 ++ vmx_set_cr0(vcpu, vmcs_readl(CR0_READ_SHADOW));
480 ++
481 ++ vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK);
482 ++ vmx_set_cr4(vcpu, vmcs_readl(CR4_READ_SHADOW));
483 ++
484 ++ nested_ept_uninit_mmu_context(vcpu);
485 ++ vcpu->arch.cr3 = vmcs_readl(GUEST_CR3);
486 ++ __set_bit(VCPU_EXREG_CR3, (ulong *)&vcpu->arch.regs_avail);
487 ++
488 ++ /*
489 ++ * Use ept_save_pdptrs(vcpu) to load the MMU's cached PDPTRs
490 ++ * from vmcs01 (if necessary). The PDPTRs are not loaded on
491 ++ * VMFail, like everything else we just need to ensure our
492 ++ * software model is up-to-date.
493 ++ */
494 ++ ept_save_pdptrs(vcpu);
495 ++
496 ++ kvm_mmu_reset_context(vcpu);
497 ++
498 ++ if (cpu_has_vmx_msr_bitmap())
499 ++ vmx_update_msr_bitmap(vcpu);
500 ++
501 ++ /*
502 ++ * This nasty bit of open coding is a compromise between blindly
503 ++ * loading L1's MSRs using the exit load lists (incorrect emulation
504 ++ * of VMFail), leaving the nested VM's MSRs in the software model
505 ++ * (incorrect behavior) and snapshotting the modified MSRs (too
506 ++ * expensive since the lists are unbound by hardware). For each
507 ++ * MSR that was (prematurely) loaded from the nested VMEntry load
508 ++ * list, reload it from the exit load list if it exists and differs
509 ++ * from the guest value. The intent is to stuff host state as
510 ++ * silently as possible, not to fully process the exit load list.
511 ++ */
512 ++ msr.host_initiated = false;
513 ++ for (i = 0; i < vmcs12->vm_entry_msr_load_count; i++) {
514 ++ gpa = vmcs12->vm_entry_msr_load_addr + (i * sizeof(g));
515 ++ if (kvm_vcpu_read_guest(vcpu, gpa, &g, sizeof(g))) {
516 ++ pr_debug_ratelimited(
517 ++ "%s read MSR index failed (%u, 0x%08llx)\n",
518 ++ __func__, i, gpa);
519 ++ goto vmabort;
520 ++ }
521 ++
522 ++ for (j = 0; j < vmcs12->vm_exit_msr_load_count; j++) {
523 ++ gpa = vmcs12->vm_exit_msr_load_addr + (j * sizeof(h));
524 ++ if (kvm_vcpu_read_guest(vcpu, gpa, &h, sizeof(h))) {
525 ++ pr_debug_ratelimited(
526 ++ "%s read MSR failed (%u, 0x%08llx)\n",
527 ++ __func__, j, gpa);
528 ++ goto vmabort;
529 ++ }
530 ++ if (h.index != g.index)
531 ++ continue;
532 ++ if (h.value == g.value)
533 ++ break;
534 ++
535 ++ if (nested_vmx_load_msr_check(vcpu, &h)) {
536 ++ pr_debug_ratelimited(
537 ++ "%s check failed (%u, 0x%x, 0x%x)\n",
538 ++ __func__, j, h.index, h.reserved);
539 ++ goto vmabort;
540 ++ }
541 ++
542 ++ msr.index = h.index;
543 ++ msr.data = h.value;
544 ++ if (kvm_set_msr(vcpu, &msr)) {
545 ++ pr_debug_ratelimited(
546 ++ "%s WRMSR failed (%u, 0x%x, 0x%llx)\n",
547 ++ __func__, j, h.index, h.value);
548 ++ goto vmabort;
549 ++ }
550 ++ }
551 ++ }
552 ++
553 ++ return;
554 ++
555 ++vmabort:
556 ++ nested_vmx_abort(vcpu, VMX_ABORT_LOAD_HOST_MSR_FAIL);
557 ++}
558 ++
559 + /*
560 + * Emulate an exit from nested guest (L2) to L1, i.e., prepare to run L1
561 + * and modify vmcs12 to make it see what it would expect to see there if
562 +@@ -12126,7 +12253,13 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
563 + */
564 + nested_vmx_failValid(vcpu, VMXERR_ENTRY_INVALID_CONTROL_FIELD);
565 +
566 +- load_vmcs12_mmu_host_state(vcpu, vmcs12);
567 ++ /*
568 ++ * Restore L1's host state to KVM's software model. We're here
569 ++ * because a consistency check was caught by hardware, which
570 ++ * means some amount of guest state has been propagated to KVM's
571 ++ * model and needs to be unwound to the host's state.
572 ++ */
573 ++ nested_vmx_restore_host_state(vcpu);
574 +
575 + /*
576 + * The emulated instruction was already skipped in
577 +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
578 +index 3d624c72c6c2..ebfc06f29f7b 100644
579 +--- a/drivers/acpi/ec.c
580 ++++ b/drivers/acpi/ec.c
581 +@@ -194,6 +194,7 @@ static struct workqueue_struct *ec_query_wq;
582 + static int EC_FLAGS_QUERY_HANDSHAKE; /* Needs QR_EC issued when SCI_EVT set */
583 + static int EC_FLAGS_CORRECT_ECDT; /* Needs ECDT port address correction */
584 + static int EC_FLAGS_IGNORE_DSDT_GPE; /* Needs ECDT GPE as correction setting */
585 ++static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */
586 +
587 + /* --------------------------------------------------------------------------
588 + * Logging/Debugging
589 +@@ -499,6 +500,26 @@ static inline void __acpi_ec_disable_event(struct acpi_ec *ec)
590 + ec_log_drv("event blocked");
591 + }
592 +
593 ++/*
594 ++ * Process _Q events that might have accumulated in the EC.
595 ++ * Run with locked ec mutex.
596 ++ */
597 ++static void acpi_ec_clear(struct acpi_ec *ec)
598 ++{
599 ++ int i, status;
600 ++ u8 value = 0;
601 ++
602 ++ for (i = 0; i < ACPI_EC_CLEAR_MAX; i++) {
603 ++ status = acpi_ec_query(ec, &value);
604 ++ if (status || !value)
605 ++ break;
606 ++ }
607 ++ if (unlikely(i == ACPI_EC_CLEAR_MAX))
608 ++ pr_warn("Warning: Maximum of %d stale EC events cleared\n", i);
609 ++ else
610 ++ pr_info("%d stale EC events cleared\n", i);
611 ++}
612 ++
613 + static void acpi_ec_enable_event(struct acpi_ec *ec)
614 + {
615 + unsigned long flags;
616 +@@ -507,6 +528,10 @@ static void acpi_ec_enable_event(struct acpi_ec *ec)
617 + if (acpi_ec_started(ec))
618 + __acpi_ec_enable_event(ec);
619 + spin_unlock_irqrestore(&ec->lock, flags);
620 ++
621 ++ /* Drain additional events if hardware requires that */
622 ++ if (EC_FLAGS_CLEAR_ON_RESUME)
623 ++ acpi_ec_clear(ec);
624 + }
625 +
626 + #ifdef CONFIG_PM_SLEEP
627 +@@ -1802,6 +1827,31 @@ static int ec_flag_query_handshake(const struct dmi_system_id *id)
628 + }
629 + #endif
630 +
631 ++/*
632 ++ * On some hardware it is necessary to clear events accumulated by the EC during
633 ++ * sleep. These ECs stop reporting GPEs until they are manually polled, if too
634 ++ * many events are accumulated. (e.g. Samsung Series 5/9 notebooks)
635 ++ *
636 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=44161
637 ++ *
638 ++ * Ideally, the EC should also be instructed NOT to accumulate events during
639 ++ * sleep (which Windows seems to do somehow), but the interface to control this
640 ++ * behaviour is not known at this time.
641 ++ *
642 ++ * Models known to be affected are Samsung 530Uxx/535Uxx/540Uxx/550Pxx/900Xxx,
643 ++ * however it is very likely that other Samsung models are affected.
644 ++ *
645 ++ * On systems which don't accumulate _Q events during sleep, this extra check
646 ++ * should be harmless.
647 ++ */
648 ++static int ec_clear_on_resume(const struct dmi_system_id *id)
649 ++{
650 ++ pr_debug("Detected system needing EC poll on resume.\n");
651 ++ EC_FLAGS_CLEAR_ON_RESUME = 1;
652 ++ ec_event_clearing = ACPI_EC_EVT_TIMING_STATUS;
653 ++ return 0;
654 ++}
655 ++
656 + /*
657 + * Some ECDTs contain wrong register addresses.
658 + * MSI MS-171F
659 +@@ -1851,6 +1901,9 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = {
660 + ec_honor_ecdt_gpe, "ASUS X580VD", {
661 + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
662 + DMI_MATCH(DMI_PRODUCT_NAME, "X580VD"),}, NULL},
663 ++ {
664 ++ ec_clear_on_resume, "Samsung hardware", {
665 ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL},
666 + {},
667 + };
668 +
669 +diff --git a/drivers/acpi/sbs.c b/drivers/acpi/sbs.c
670 +index a2428e9462dd..3c092f07d7e3 100644
671 +--- a/drivers/acpi/sbs.c
672 ++++ b/drivers/acpi/sbs.c
673 +@@ -441,9 +441,13 @@ static int acpi_ac_get_present(struct acpi_sbs *sbs)
674 +
675 + /*
676 + * The spec requires that bit 4 always be 1. If it's not set, assume
677 +- * that the implementation doesn't support an SBS charger
678 ++ * that the implementation doesn't support an SBS charger.
679 ++ *
680 ++ * And on some MacBooks a status of 0xffff is always returned, no
681 ++ * matter whether the charger is plugged in or not, which is also
682 ++ * wrong, so ignore the SBS charger for those too.
683 + */
684 +- if (!((status >> 4) & 0x1))
685 ++ if (!((status >> 4) & 0x1) || status == 0xffff)
686 + return -ENODEV;
687 +
688 + sbs->charger_present = (status >> 15) & 0x1;
689 +diff --git a/drivers/auxdisplay/hd44780.c b/drivers/auxdisplay/hd44780.c
690 +index 036eec404289..2d927feb3db4 100644
691 +--- a/drivers/auxdisplay/hd44780.c
692 ++++ b/drivers/auxdisplay/hd44780.c
693 +@@ -302,6 +302,8 @@ static int hd44780_remove(struct platform_device *pdev)
694 + struct charlcd *lcd = platform_get_drvdata(pdev);
695 +
696 + charlcd_unregister(lcd);
697 ++
698 ++ kfree(lcd);
699 + return 0;
700 + }
701 +
702 +diff --git a/drivers/base/node.c b/drivers/base/node.c
703 +index ee090ab9171c..5c39f14d15a5 100644
704 +--- a/drivers/base/node.c
705 ++++ b/drivers/base/node.c
706 +@@ -197,11 +197,16 @@ static ssize_t node_read_vmstat(struct device *dev,
707 + sum_zone_numa_state(nid, i));
708 + #endif
709 +
710 +- for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
711 ++ for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++) {
712 ++ /* Skip hidden vmstat items. */
713 ++ if (*vmstat_text[i + NR_VM_ZONE_STAT_ITEMS +
714 ++ NR_VM_NUMA_STAT_ITEMS] == '\0')
715 ++ continue;
716 + n += sprintf(buf+n, "%s %lu\n",
717 + vmstat_text[i + NR_VM_ZONE_STAT_ITEMS +
718 + NR_VM_NUMA_STAT_ITEMS],
719 + node_page_state(pgdat, i));
720 ++ }
721 +
722 + return n;
723 + }
724 +diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/artpec6_crypto.c
725 +index 6eb5cb92b986..9f82e14983f6 100644
726 +--- a/drivers/crypto/axis/artpec6_crypto.c
727 ++++ b/drivers/crypto/axis/artpec6_crypto.c
728 +@@ -284,6 +284,7 @@ enum artpec6_crypto_hash_flags {
729 +
730 + struct artpec6_crypto_req_common {
731 + struct list_head list;
732 ++ struct list_head complete_in_progress;
733 + struct artpec6_crypto_dma_descriptors *dma;
734 + struct crypto_async_request *req;
735 + void (*complete)(struct crypto_async_request *req);
736 +@@ -2046,7 +2047,8 @@ static int artpec6_crypto_prepare_aead(struct aead_request *areq)
737 + return artpec6_crypto_dma_map_descs(common);
738 + }
739 +
740 +-static void artpec6_crypto_process_queue(struct artpec6_crypto *ac)
741 ++static void artpec6_crypto_process_queue(struct artpec6_crypto *ac,
742 ++ struct list_head *completions)
743 + {
744 + struct artpec6_crypto_req_common *req;
745 +
746 +@@ -2057,7 +2059,7 @@ static void artpec6_crypto_process_queue(struct artpec6_crypto *ac)
747 + list_move_tail(&req->list, &ac->pending);
748 + artpec6_crypto_start_dma(req);
749 +
750 +- req->req->complete(req->req, -EINPROGRESS);
751 ++ list_add_tail(&req->complete_in_progress, completions);
752 + }
753 +
754 + /*
755 +@@ -2087,6 +2089,11 @@ static void artpec6_crypto_task(unsigned long data)
756 + struct artpec6_crypto *ac = (struct artpec6_crypto *)data;
757 + struct artpec6_crypto_req_common *req;
758 + struct artpec6_crypto_req_common *n;
759 ++ struct list_head complete_done;
760 ++ struct list_head complete_in_progress;
761 ++
762 ++ INIT_LIST_HEAD(&complete_done);
763 ++ INIT_LIST_HEAD(&complete_in_progress);
764 +
765 + if (list_empty(&ac->pending)) {
766 + pr_debug("Spurious IRQ\n");
767 +@@ -2120,19 +2127,30 @@ static void artpec6_crypto_task(unsigned long data)
768 +
769 + pr_debug("Completing request %p\n", req);
770 +
771 +- list_del(&req->list);
772 ++ list_move_tail(&req->list, &complete_done);
773 +
774 + artpec6_crypto_dma_unmap_all(req);
775 + artpec6_crypto_copy_bounce_buffers(req);
776 +
777 + ac->pending_count--;
778 + artpec6_crypto_common_destroy(req);
779 +- req->complete(req->req);
780 + }
781 +
782 +- artpec6_crypto_process_queue(ac);
783 ++ artpec6_crypto_process_queue(ac, &complete_in_progress);
784 +
785 + spin_unlock_bh(&ac->queue_lock);
786 ++
787 ++ /* Perform the completion callbacks without holding the queue lock
788 ++ * to allow new request submissions from the callbacks.
789 ++ */
790 ++ list_for_each_entry_safe(req, n, &complete_done, list) {
791 ++ req->complete(req->req);
792 ++ }
793 ++
794 ++ list_for_each_entry_safe(req, n, &complete_in_progress,
795 ++ complete_in_progress) {
796 ++ req->req->complete(req->req, -EINPROGRESS);
797 ++ }
798 + }
799 +
800 + static void artpec6_crypto_complete_crypto(struct crypto_async_request *req)
801 +diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c
802 +index 2943dfc4c470..822ad220f0af 100644
803 +--- a/drivers/gpio/gpio-pxa.c
804 ++++ b/drivers/gpio/gpio-pxa.c
805 +@@ -776,6 +776,9 @@ static int pxa_gpio_suspend(void)
806 + struct pxa_gpio_bank *c;
807 + int gpio;
808 +
809 ++ if (!pchip)
810 ++ return 0;
811 ++
812 + for_each_gpio_bank(gpio, c, pchip) {
813 + c->saved_gplr = readl_relaxed(c->regbase + GPLR_OFFSET);
814 + c->saved_gpdr = readl_relaxed(c->regbase + GPDR_OFFSET);
815 +@@ -794,6 +797,9 @@ static void pxa_gpio_resume(void)
816 + struct pxa_gpio_bank *c;
817 + int gpio;
818 +
819 ++ if (!pchip)
820 ++ return;
821 ++
822 + for_each_gpio_bank(gpio, c, pchip) {
823 + /* restore level with set/clear */
824 + writel_relaxed(c->saved_gplr, c->regbase + GPSR_OFFSET);
825 +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
826 +index 164fa4b1f9a9..732b8fbbca68 100644
827 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
828 ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_cik.c
829 +@@ -285,57 +285,7 @@ static int init_mqd_hiq(struct mqd_manager *mm, void **mqd,
830 + struct kfd_mem_obj **mqd_mem_obj, uint64_t *gart_addr,
831 + struct queue_properties *q)
832 + {
833 +- uint64_t addr;
834 +- struct cik_mqd *m;
835 +- int retval;
836 +-
837 +- retval = kfd_gtt_sa_allocate(mm->dev, sizeof(struct cik_mqd),
838 +- mqd_mem_obj);
839 +-
840 +- if (retval != 0)
841 +- return -ENOMEM;
842 +-
843 +- m = (struct cik_mqd *) (*mqd_mem_obj)->cpu_ptr;
844 +- addr = (*mqd_mem_obj)->gpu_addr;
845 +-
846 +- memset(m, 0, ALIGN(sizeof(struct cik_mqd), 256));
847 +-
848 +- m->header = 0xC0310800;
849 +- m->compute_pipelinestat_enable = 1;
850 +- m->compute_static_thread_mgmt_se0 = 0xFFFFFFFF;
851 +- m->compute_static_thread_mgmt_se1 = 0xFFFFFFFF;
852 +- m->compute_static_thread_mgmt_se2 = 0xFFFFFFFF;
853 +- m->compute_static_thread_mgmt_se3 = 0xFFFFFFFF;
854 +-
855 +- m->cp_hqd_persistent_state = DEFAULT_CP_HQD_PERSISTENT_STATE |
856 +- PRELOAD_REQ;
857 +- m->cp_hqd_quantum = QUANTUM_EN | QUANTUM_SCALE_1MS |
858 +- QUANTUM_DURATION(10);
859 +-
860 +- m->cp_mqd_control = MQD_CONTROL_PRIV_STATE_EN;
861 +- m->cp_mqd_base_addr_lo = lower_32_bits(addr);
862 +- m->cp_mqd_base_addr_hi = upper_32_bits(addr);
863 +-
864 +- m->cp_hqd_ib_control = DEFAULT_MIN_IB_AVAIL_SIZE;
865 +-
866 +- /*
867 +- * Pipe Priority
868 +- * Identifies the pipe relative priority when this queue is connected
869 +- * to the pipeline. The pipe priority is against the GFX pipe and HP3D.
870 +- * In KFD we are using a fixed pipe priority set to CS_MEDIUM.
871 +- * 0 = CS_LOW (typically below GFX)
872 +- * 1 = CS_MEDIUM (typically between HP3D and GFX
873 +- * 2 = CS_HIGH (typically above HP3D)
874 +- */
875 +- m->cp_hqd_pipe_priority = 1;
876 +- m->cp_hqd_queue_priority = 15;
877 +-
878 +- *mqd = m;
879 +- if (gart_addr)
880 +- *gart_addr = addr;
881 +- retval = mm->update_mqd(mm, m, q);
882 +-
883 +- return retval;
884 ++ return init_mqd(mm, mqd, mqd_mem_obj, gart_addr, q);
885 + }
886 +
887 + static int update_mqd_hiq(struct mqd_manager *mm, void *mqd,
888 +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
889 +index 8a0f85f5fc1a..6a765682fbfa 100644
890 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
891 ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/volt.h
892 +@@ -38,6 +38,7 @@ int nvkm_volt_set_id(struct nvkm_volt *, u8 id, u8 min_id, u8 temp,
893 +
894 + int nv40_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
895 + int gf100_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
896 ++int gf117_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
897 + int gk104_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
898 + int gk20a_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
899 + int gm20b_volt_new(struct nvkm_device *, int, struct nvkm_volt **);
900 +diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
901 +index 9109b69cd052..9635704a1d86 100644
902 +--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
903 ++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
904 +@@ -161,7 +161,7 @@ nouveau_debugfs_pstate_set(struct file *file, const char __user *ubuf,
905 + }
906 +
907 + ret = pm_runtime_get_sync(drm->dev);
908 +- if (IS_ERR_VALUE(ret) && ret != -EACCES)
909 ++ if (ret < 0 && ret != -EACCES)
910 + return ret;
911 + ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, &args, sizeof(args));
912 + pm_runtime_put_autosuspend(drm->dev);
913 +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
914 +index e096a5d9c292..f8dd78e21456 100644
915 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
916 ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
917 +@@ -1612,7 +1612,7 @@ nvd7_chipset = {
918 + .pci = gf106_pci_new,
919 + .therm = gf119_therm_new,
920 + .timer = nv41_timer_new,
921 +- .volt = gf100_volt_new,
922 ++ .volt = gf117_volt_new,
923 + .ce[0] = gf100_ce_new,
924 + .disp = gf119_disp_new,
925 + .dma = gf119_dma_new,
926 +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
927 +index bcd179ba11d0..146adcdd316a 100644
928 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
929 ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/Kbuild
930 +@@ -2,6 +2,7 @@ nvkm-y += nvkm/subdev/volt/base.o
931 + nvkm-y += nvkm/subdev/volt/gpio.o
932 + nvkm-y += nvkm/subdev/volt/nv40.o
933 + nvkm-y += nvkm/subdev/volt/gf100.o
934 ++nvkm-y += nvkm/subdev/volt/gf117.o
935 + nvkm-y += nvkm/subdev/volt/gk104.o
936 + nvkm-y += nvkm/subdev/volt/gk20a.o
937 + nvkm-y += nvkm/subdev/volt/gm20b.o
938 +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
939 +new file mode 100644
940 +index 000000000000..547a58f0aeac
941 +--- /dev/null
942 ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/volt/gf117.c
943 +@@ -0,0 +1,60 @@
944 ++/*
945 ++ * Copyright 2019 Ilia Mirkin
946 ++ *
947 ++ * Permission is hereby granted, free of charge, to any person obtaining a
948 ++ * copy of this software and associated documentation files (the "Software"),
949 ++ * to deal in the Software without restriction, including without limitation
950 ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
951 ++ * and/or sell copies of the Software, and to permit persons to whom the
952 ++ * Software is furnished to do so, subject to the following conditions:
953 ++ *
954 ++ * The above copyright notice and this permission notice shall be included in
955 ++ * all copies or substantial portions of the Software.
956 ++ *
957 ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
958 ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
959 ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
960 ++ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
961 ++ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
962 ++ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
963 ++ * OTHER DEALINGS IN THE SOFTWARE.
964 ++ *
965 ++ * Authors: Ilia Mirkin
966 ++ */
967 ++#include "priv.h"
968 ++
969 ++#include <subdev/fuse.h>
970 ++
971 ++static int
972 ++gf117_volt_speedo_read(struct nvkm_volt *volt)
973 ++{
974 ++ struct nvkm_device *device = volt->subdev.device;
975 ++ struct nvkm_fuse *fuse = device->fuse;
976 ++
977 ++ if (!fuse)
978 ++ return -EINVAL;
979 ++
980 ++ return nvkm_fuse_read(fuse, 0x3a8);
981 ++}
982 ++
983 ++static const struct nvkm_volt_func
984 ++gf117_volt = {
985 ++ .oneinit = gf100_volt_oneinit,
986 ++ .vid_get = nvkm_voltgpio_get,
987 ++ .vid_set = nvkm_voltgpio_set,
988 ++ .speedo_read = gf117_volt_speedo_read,
989 ++};
990 ++
991 ++int
992 ++gf117_volt_new(struct nvkm_device *device, int index, struct nvkm_volt **pvolt)
993 ++{
994 ++ struct nvkm_volt *volt;
995 ++ int ret;
996 ++
997 ++ ret = nvkm_volt_new_(&gf117_volt, device, index, &volt);
998 ++ *pvolt = volt;
999 ++ if (ret)
1000 ++ return ret;
1001 ++
1002 ++ return nvkm_voltgpio_init(volt);
1003 ++}
1004 +diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
1005 +index 6ba93449fcfb..58b67e0cc385 100644
1006 +--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c
1007 ++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
1008 +@@ -40,7 +40,6 @@ static inline struct innolux_panel *to_innolux_panel(struct drm_panel *panel)
1009 + static int innolux_panel_disable(struct drm_panel *panel)
1010 + {
1011 + struct innolux_panel *innolux = to_innolux_panel(panel);
1012 +- int err;
1013 +
1014 + if (!innolux->enabled)
1015 + return 0;
1016 +@@ -48,11 +47,6 @@ static int innolux_panel_disable(struct drm_panel *panel)
1017 + innolux->backlight->props.power = FB_BLANK_POWERDOWN;
1018 + backlight_update_status(innolux->backlight);
1019 +
1020 +- err = mipi_dsi_dcs_set_display_off(innolux->link);
1021 +- if (err < 0)
1022 +- DRM_DEV_ERROR(panel->dev, "failed to set display off: %d\n",
1023 +- err);
1024 +-
1025 + innolux->enabled = false;
1026 +
1027 + return 0;
1028 +@@ -66,6 +60,11 @@ static int innolux_panel_unprepare(struct drm_panel *panel)
1029 + if (!innolux->prepared)
1030 + return 0;
1031 +
1032 ++ err = mipi_dsi_dcs_set_display_off(innolux->link);
1033 ++ if (err < 0)
1034 ++ DRM_DEV_ERROR(panel->dev, "failed to set display off: %d\n",
1035 ++ err);
1036 ++
1037 + err = mipi_dsi_dcs_enter_sleep_mode(innolux->link);
1038 + if (err < 0) {
1039 + DRM_DEV_ERROR(panel->dev, "failed to enter sleep mode: %d\n",
1040 +diff --git a/drivers/hid/i2c-hid/Makefile b/drivers/hid/i2c-hid/Makefile
1041 +index 832d8f9aaba2..099e1ce2f234 100644
1042 +--- a/drivers/hid/i2c-hid/Makefile
1043 ++++ b/drivers/hid/i2c-hid/Makefile
1044 +@@ -3,3 +3,6 @@
1045 + #
1046 +
1047 + obj-$(CONFIG_I2C_HID) += i2c-hid.o
1048 ++
1049 ++i2c-hid-objs = i2c-hid-core.o
1050 ++i2c-hid-$(CONFIG_DMI) += i2c-hid-dmi-quirks.o
1051 +diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
1052 +new file mode 100644
1053 +index 000000000000..7842d76aa813
1054 +--- /dev/null
1055 ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
1056 +@@ -0,0 +1,1299 @@
1057 ++/*
1058 ++ * HID over I2C protocol implementation
1059 ++ *
1060 ++ * Copyright (c) 2012 Benjamin Tissoires <benjamin.tissoires@×××××.com>
1061 ++ * Copyright (c) 2012 Ecole Nationale de l'Aviation Civile, France
1062 ++ * Copyright (c) 2012 Red Hat, Inc
1063 ++ *
1064 ++ * This code is partly based on "USB HID support for Linux":
1065 ++ *
1066 ++ * Copyright (c) 1999 Andreas Gal
1067 ++ * Copyright (c) 2000-2005 Vojtech Pavlik <vojtech@××××.cz>
1068 ++ * Copyright (c) 2005 Michael Haboustak <mike-@××××××××.com> for Concept2, Inc
1069 ++ * Copyright (c) 2007-2008 Oliver Neukum
1070 ++ * Copyright (c) 2006-2010 Jiri Kosina
1071 ++ *
1072 ++ * This file is subject to the terms and conditions of the GNU General Public
1073 ++ * License. See the file COPYING in the main directory of this archive for
1074 ++ * more details.
1075 ++ */
1076 ++
1077 ++#include <linux/module.h>
1078 ++#include <linux/i2c.h>
1079 ++#include <linux/interrupt.h>
1080 ++#include <linux/input.h>
1081 ++#include <linux/irq.h>
1082 ++#include <linux/delay.h>
1083 ++#include <linux/slab.h>
1084 ++#include <linux/pm.h>
1085 ++#include <linux/pm_runtime.h>
1086 ++#include <linux/device.h>
1087 ++#include <linux/wait.h>
1088 ++#include <linux/err.h>
1089 ++#include <linux/string.h>
1090 ++#include <linux/list.h>
1091 ++#include <linux/jiffies.h>
1092 ++#include <linux/kernel.h>
1093 ++#include <linux/hid.h>
1094 ++#include <linux/mutex.h>
1095 ++#include <linux/acpi.h>
1096 ++#include <linux/of.h>
1097 ++#include <linux/regulator/consumer.h>
1098 ++
1099 ++#include <linux/platform_data/i2c-hid.h>
1100 ++
1101 ++#include "../hid-ids.h"
1102 ++#include "i2c-hid.h"
1103 ++
1104 ++/* quirks to control the device */
1105 ++#define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0)
1106 ++
1107 ++/* flags */
1108 ++#define I2C_HID_STARTED 0
1109 ++#define I2C_HID_RESET_PENDING 1
1110 ++#define I2C_HID_READ_PENDING 2
1111 ++
1112 ++#define I2C_HID_PWR_ON 0x00
1113 ++#define I2C_HID_PWR_SLEEP 0x01
1114 ++
1115 ++/* debug option */
1116 ++static bool debug;
1117 ++module_param(debug, bool, 0444);
1118 ++MODULE_PARM_DESC(debug, "print a lot of debug information");
1119 ++
1120 ++#define i2c_hid_dbg(ihid, fmt, arg...) \
1121 ++do { \
1122 ++ if (debug) \
1123 ++ dev_printk(KERN_DEBUG, &(ihid)->client->dev, fmt, ##arg); \
1124 ++} while (0)
1125 ++
1126 ++struct i2c_hid_desc {
1127 ++ __le16 wHIDDescLength;
1128 ++ __le16 bcdVersion;
1129 ++ __le16 wReportDescLength;
1130 ++ __le16 wReportDescRegister;
1131 ++ __le16 wInputRegister;
1132 ++ __le16 wMaxInputLength;
1133 ++ __le16 wOutputRegister;
1134 ++ __le16 wMaxOutputLength;
1135 ++ __le16 wCommandRegister;
1136 ++ __le16 wDataRegister;
1137 ++ __le16 wVendorID;
1138 ++ __le16 wProductID;
1139 ++ __le16 wVersionID;
1140 ++ __le32 reserved;
1141 ++} __packed;
1142 ++
1143 ++struct i2c_hid_cmd {
1144 ++ unsigned int registerIndex;
1145 ++ __u8 opcode;
1146 ++ unsigned int length;
1147 ++ bool wait;
1148 ++};
1149 ++
1150 ++union command {
1151 ++ u8 data[0];
1152 ++ struct cmd {
1153 ++ __le16 reg;
1154 ++ __u8 reportTypeID;
1155 ++ __u8 opcode;
1156 ++ } __packed c;
1157 ++};
1158 ++
1159 ++#define I2C_HID_CMD(opcode_) \
1160 ++ .opcode = opcode_, .length = 4, \
1161 ++ .registerIndex = offsetof(struct i2c_hid_desc, wCommandRegister)
1162 ++
1163 ++/* fetch HID descriptor */
1164 ++static const struct i2c_hid_cmd hid_descr_cmd = { .length = 2 };
1165 ++/* fetch report descriptors */
1166 ++static const struct i2c_hid_cmd hid_report_descr_cmd = {
1167 ++ .registerIndex = offsetof(struct i2c_hid_desc,
1168 ++ wReportDescRegister),
1169 ++ .opcode = 0x00,
1170 ++ .length = 2 };
1171 ++/* commands */
1172 ++static const struct i2c_hid_cmd hid_reset_cmd = { I2C_HID_CMD(0x01),
1173 ++ .wait = true };
1174 ++static const struct i2c_hid_cmd hid_get_report_cmd = { I2C_HID_CMD(0x02) };
1175 ++static const struct i2c_hid_cmd hid_set_report_cmd = { I2C_HID_CMD(0x03) };
1176 ++static const struct i2c_hid_cmd hid_set_power_cmd = { I2C_HID_CMD(0x08) };
1177 ++static const struct i2c_hid_cmd hid_no_cmd = { .length = 0 };
1178 ++
1179 ++/*
1180 ++ * These definitions are not used here, but are defined by the spec.
1181 ++ * Keeping them here for documentation purposes.
1182 ++ *
1183 ++ * static const struct i2c_hid_cmd hid_get_idle_cmd = { I2C_HID_CMD(0x04) };
1184 ++ * static const struct i2c_hid_cmd hid_set_idle_cmd = { I2C_HID_CMD(0x05) };
1185 ++ * static const struct i2c_hid_cmd hid_get_protocol_cmd = { I2C_HID_CMD(0x06) };
1186 ++ * static const struct i2c_hid_cmd hid_set_protocol_cmd = { I2C_HID_CMD(0x07) };
1187 ++ */
1188 ++
1189 ++static DEFINE_MUTEX(i2c_hid_open_mut);
1190 ++
1191 ++/* The main device structure */
1192 ++struct i2c_hid {
1193 ++ struct i2c_client *client; /* i2c client */
1194 ++ struct hid_device *hid; /* pointer to corresponding HID dev */
1195 ++ union {
1196 ++ __u8 hdesc_buffer[sizeof(struct i2c_hid_desc)];
1197 ++ struct i2c_hid_desc hdesc; /* the HID Descriptor */
1198 ++ };
1199 ++ __le16 wHIDDescRegister; /* location of the i2c
1200 ++ * register of the HID
1201 ++ * descriptor. */
1202 ++ unsigned int bufsize; /* i2c buffer size */
1203 ++ u8 *inbuf; /* Input buffer */
1204 ++ u8 *rawbuf; /* Raw Input buffer */
1205 ++ u8 *cmdbuf; /* Command buffer */
1206 ++ u8 *argsbuf; /* Command arguments buffer */
1207 ++
1208 ++ unsigned long flags; /* device flags */
1209 ++ unsigned long quirks; /* Various quirks */
1210 ++
1211 ++ wait_queue_head_t wait; /* For waiting the interrupt */
1212 ++
1213 ++ struct i2c_hid_platform_data pdata;
1214 ++
1215 ++ bool irq_wake_enabled;
1216 ++ struct mutex reset_lock;
1217 ++};
1218 ++
1219 ++static const struct i2c_hid_quirks {
1220 ++ __u16 idVendor;
1221 ++ __u16 idProduct;
1222 ++ __u32 quirks;
1223 ++} i2c_hid_quirks[] = {
1224 ++ { USB_VENDOR_ID_WEIDA, USB_DEVICE_ID_WEIDA_8752,
1225 ++ I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV },
1226 ++ { USB_VENDOR_ID_WEIDA, USB_DEVICE_ID_WEIDA_8755,
1227 ++ I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV },
1228 ++ { 0, 0 }
1229 ++};
1230 ++
1231 ++/*
1232 ++ * i2c_hid_lookup_quirk: return any quirks associated with a I2C HID device
1233 ++ * @idVendor: the 16-bit vendor ID
1234 ++ * @idProduct: the 16-bit product ID
1235 ++ *
1236 ++ * Returns: a u32 quirks value.
1237 ++ */
1238 ++static u32 i2c_hid_lookup_quirk(const u16 idVendor, const u16 idProduct)
1239 ++{
1240 ++ u32 quirks = 0;
1241 ++ int n;
1242 ++
1243 ++ for (n = 0; i2c_hid_quirks[n].idVendor; n++)
1244 ++ if (i2c_hid_quirks[n].idVendor == idVendor &&
1245 ++ (i2c_hid_quirks[n].idProduct == (__u16)HID_ANY_ID ||
1246 ++ i2c_hid_quirks[n].idProduct == idProduct))
1247 ++ quirks = i2c_hid_quirks[n].quirks;
1248 ++
1249 ++ return quirks;
1250 ++}
1251 ++
1252 ++static int __i2c_hid_command(struct i2c_client *client,
1253 ++ const struct i2c_hid_cmd *command, u8 reportID,
1254 ++ u8 reportType, u8 *args, int args_len,
1255 ++ unsigned char *buf_recv, int data_len)
1256 ++{
1257 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1258 ++ union command *cmd = (union command *)ihid->cmdbuf;
1259 ++ int ret;
1260 ++ struct i2c_msg msg[2];
1261 ++ int msg_num = 1;
1262 ++
1263 ++ int length = command->length;
1264 ++ bool wait = command->wait;
1265 ++ unsigned int registerIndex = command->registerIndex;
1266 ++
1267 ++ /* special case for hid_descr_cmd */
1268 ++ if (command == &hid_descr_cmd) {
1269 ++ cmd->c.reg = ihid->wHIDDescRegister;
1270 ++ } else {
1271 ++ cmd->data[0] = ihid->hdesc_buffer[registerIndex];
1272 ++ cmd->data[1] = ihid->hdesc_buffer[registerIndex + 1];
1273 ++ }
1274 ++
1275 ++ if (length > 2) {
1276 ++ cmd->c.opcode = command->opcode;
1277 ++ cmd->c.reportTypeID = reportID | reportType << 4;
1278 ++ }
1279 ++
1280 ++ memcpy(cmd->data + length, args, args_len);
1281 ++ length += args_len;
1282 ++
1283 ++ i2c_hid_dbg(ihid, "%s: cmd=%*ph\n", __func__, length, cmd->data);
1284 ++
1285 ++ msg[0].addr = client->addr;
1286 ++ msg[0].flags = client->flags & I2C_M_TEN;
1287 ++ msg[0].len = length;
1288 ++ msg[0].buf = cmd->data;
1289 ++ if (data_len > 0) {
1290 ++ msg[1].addr = client->addr;
1291 ++ msg[1].flags = client->flags & I2C_M_TEN;
1292 ++ msg[1].flags |= I2C_M_RD;
1293 ++ msg[1].len = data_len;
1294 ++ msg[1].buf = buf_recv;
1295 ++ msg_num = 2;
1296 ++ set_bit(I2C_HID_READ_PENDING, &ihid->flags);
1297 ++ }
1298 ++
1299 ++ if (wait)
1300 ++ set_bit(I2C_HID_RESET_PENDING, &ihid->flags);
1301 ++
1302 ++ ret = i2c_transfer(client->adapter, msg, msg_num);
1303 ++
1304 ++ if (data_len > 0)
1305 ++ clear_bit(I2C_HID_READ_PENDING, &ihid->flags);
1306 ++
1307 ++ if (ret != msg_num)
1308 ++ return ret < 0 ? ret : -EIO;
1309 ++
1310 ++ ret = 0;
1311 ++
1312 ++ if (wait) {
1313 ++ i2c_hid_dbg(ihid, "%s: waiting...\n", __func__);
1314 ++ if (!wait_event_timeout(ihid->wait,
1315 ++ !test_bit(I2C_HID_RESET_PENDING, &ihid->flags),
1316 ++ msecs_to_jiffies(5000)))
1317 ++ ret = -ENODATA;
1318 ++ i2c_hid_dbg(ihid, "%s: finished.\n", __func__);
1319 ++ }
1320 ++
1321 ++ return ret;
1322 ++}
1323 ++
1324 ++static int i2c_hid_command(struct i2c_client *client,
1325 ++ const struct i2c_hid_cmd *command,
1326 ++ unsigned char *buf_recv, int data_len)
1327 ++{
1328 ++ return __i2c_hid_command(client, command, 0, 0, NULL, 0,
1329 ++ buf_recv, data_len);
1330 ++}
1331 ++
1332 ++static int i2c_hid_get_report(struct i2c_client *client, u8 reportType,
1333 ++ u8 reportID, unsigned char *buf_recv, int data_len)
1334 ++{
1335 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1336 ++ u8 args[3];
1337 ++ int ret;
1338 ++ int args_len = 0;
1339 ++ u16 readRegister = le16_to_cpu(ihid->hdesc.wDataRegister);
1340 ++
1341 ++ i2c_hid_dbg(ihid, "%s\n", __func__);
1342 ++
1343 ++ if (reportID >= 0x0F) {
1344 ++ args[args_len++] = reportID;
1345 ++ reportID = 0x0F;
1346 ++ }
1347 ++
1348 ++ args[args_len++] = readRegister & 0xFF;
1349 ++ args[args_len++] = readRegister >> 8;
1350 ++
1351 ++ ret = __i2c_hid_command(client, &hid_get_report_cmd, reportID,
1352 ++ reportType, args, args_len, buf_recv, data_len);
1353 ++ if (ret) {
1354 ++ dev_err(&client->dev,
1355 ++ "failed to retrieve report from device.\n");
1356 ++ return ret;
1357 ++ }
1358 ++
1359 ++ return 0;
1360 ++}
1361 ++
1362 ++/**
1363 ++ * i2c_hid_set_or_send_report: forward an incoming report to the device
1364 ++ * @client: the i2c_client of the device
1365 ++ * @reportType: 0x03 for HID_FEATURE_REPORT ; 0x02 for HID_OUTPUT_REPORT
1366 ++ * @reportID: the report ID
1367 ++ * @buf: the actual data to transfer, without the report ID
1368 ++ * @len: size of buf
1369 ++ * @use_data: true: use SET_REPORT HID command, false: send plain OUTPUT report
1370 ++ */
1371 ++static int i2c_hid_set_or_send_report(struct i2c_client *client, u8 reportType,
1372 ++ u8 reportID, unsigned char *buf, size_t data_len, bool use_data)
1373 ++{
1374 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1375 ++ u8 *args = ihid->argsbuf;
1376 ++ const struct i2c_hid_cmd *hidcmd;
1377 ++ int ret;
1378 ++ u16 dataRegister = le16_to_cpu(ihid->hdesc.wDataRegister);
1379 ++ u16 outputRegister = le16_to_cpu(ihid->hdesc.wOutputRegister);
1380 ++ u16 maxOutputLength = le16_to_cpu(ihid->hdesc.wMaxOutputLength);
1381 ++ u16 size;
1382 ++ int args_len;
1383 ++ int index = 0;
1384 ++
1385 ++ i2c_hid_dbg(ihid, "%s\n", __func__);
1386 ++
1387 ++ if (data_len > ihid->bufsize)
1388 ++ return -EINVAL;
1389 ++
1390 ++ size = 2 /* size */ +
1391 ++ (reportID ? 1 : 0) /* reportID */ +
1392 ++ data_len /* buf */;
1393 ++ args_len = (reportID >= 0x0F ? 1 : 0) /* optional third byte */ +
1394 ++ 2 /* dataRegister */ +
1395 ++ size /* args */;
1396 ++
1397 ++ if (!use_data && maxOutputLength == 0)
1398 ++ return -ENOSYS;
1399 ++
1400 ++ if (reportID >= 0x0F) {
1401 ++ args[index++] = reportID;
1402 ++ reportID = 0x0F;
1403 ++ }
1404 ++
1405 ++ /*
1406 ++ * use the data register for feature reports or if the device does not
1407 ++ * support the output register
1408 ++ */
1409 ++ if (use_data) {
1410 ++ args[index++] = dataRegister & 0xFF;
1411 ++ args[index++] = dataRegister >> 8;
1412 ++ hidcmd = &hid_set_report_cmd;
1413 ++ } else {
1414 ++ args[index++] = outputRegister & 0xFF;
1415 ++ args[index++] = outputRegister >> 8;
1416 ++ hidcmd = &hid_no_cmd;
1417 ++ }
1418 ++
1419 ++ args[index++] = size & 0xFF;
1420 ++ args[index++] = size >> 8;
1421 ++
1422 ++ if (reportID)
1423 ++ args[index++] = reportID;
1424 ++
1425 ++ memcpy(&args[index], buf, data_len);
1426 ++
1427 ++ ret = __i2c_hid_command(client, hidcmd, reportID,
1428 ++ reportType, args, args_len, NULL, 0);
1429 ++ if (ret) {
1430 ++ dev_err(&client->dev, "failed to set a report to device.\n");
1431 ++ return ret;
1432 ++ }
1433 ++
1434 ++ return data_len;
1435 ++}
1436 ++
1437 ++static int i2c_hid_set_power(struct i2c_client *client, int power_state)
1438 ++{
1439 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1440 ++ int ret;
1441 ++
1442 ++ i2c_hid_dbg(ihid, "%s\n", __func__);
1443 ++
1444 ++ /*
1445 ++ * Some devices require to send a command to wakeup before power on.
1446 ++ * The call will get a return value (EREMOTEIO) but device will be
1447 ++ * triggered and activated. After that, it goes like a normal device.
1448 ++ */
1449 ++ if (power_state == I2C_HID_PWR_ON &&
1450 ++ ihid->quirks & I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV) {
1451 ++ ret = i2c_hid_command(client, &hid_set_power_cmd, NULL, 0);
1452 ++
1453 ++ /* Device was already activated */
1454 ++ if (!ret)
1455 ++ goto set_pwr_exit;
1456 ++ }
1457 ++
1458 ++ ret = __i2c_hid_command(client, &hid_set_power_cmd, power_state,
1459 ++ 0, NULL, 0, NULL, 0);
1460 ++
1461 ++ if (ret)
1462 ++ dev_err(&client->dev, "failed to change power setting.\n");
1463 ++
1464 ++set_pwr_exit:
1465 ++ return ret;
1466 ++}
1467 ++
1468 ++static int i2c_hid_hwreset(struct i2c_client *client)
1469 ++{
1470 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1471 ++ int ret;
1472 ++
1473 ++ i2c_hid_dbg(ihid, "%s\n", __func__);
1474 ++
1475 ++ /*
1476 ++ * This prevents sending feature reports while the device is
1477 ++ * being reset. Otherwise we may lose the reset complete
1478 ++ * interrupt.
1479 ++ */
1480 ++ mutex_lock(&ihid->reset_lock);
1481 ++
1482 ++ ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
1483 ++ if (ret)
1484 ++ goto out_unlock;
1485 ++
1486 ++ /*
1487 ++ * The HID over I2C specification states that if a DEVICE needs time
1488 ++ * after the PWR_ON request, it should utilise CLOCK stretching.
1489 ++ * However, it has been observered that the Windows driver provides a
1490 ++ * 1ms sleep between the PWR_ON and RESET requests and that some devices
1491 ++ * rely on this.
1492 ++ */
1493 ++ usleep_range(1000, 5000);
1494 ++
1495 ++ i2c_hid_dbg(ihid, "resetting...\n");
1496 ++
1497 ++ ret = i2c_hid_command(client, &hid_reset_cmd, NULL, 0);
1498 ++ if (ret) {
1499 ++ dev_err(&client->dev, "failed to reset device.\n");
1500 ++ i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
1501 ++ }
1502 ++
1503 ++out_unlock:
1504 ++ mutex_unlock(&ihid->reset_lock);
1505 ++ return ret;
1506 ++}
1507 ++
1508 ++static void i2c_hid_get_input(struct i2c_hid *ihid)
1509 ++{
1510 ++ int ret;
1511 ++ u32 ret_size;
1512 ++ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
1513 ++
1514 ++ if (size > ihid->bufsize)
1515 ++ size = ihid->bufsize;
1516 ++
1517 ++ ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
1518 ++ if (ret != size) {
1519 ++ if (ret < 0)
1520 ++ return;
1521 ++
1522 ++ dev_err(&ihid->client->dev, "%s: got %d data instead of %d\n",
1523 ++ __func__, ret, size);
1524 ++ return;
1525 ++ }
1526 ++
1527 ++ ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8;
1528 ++
1529 ++ if (!ret_size) {
1530 ++ /* host or device initiated RESET completed */
1531 ++ if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags))
1532 ++ wake_up(&ihid->wait);
1533 ++ return;
1534 ++ }
1535 ++
1536 ++ if ((ret_size > size) || (ret_size < 2)) {
1537 ++ dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
1538 ++ __func__, size, ret_size);
1539 ++ return;
1540 ++ }
1541 ++
1542 ++ i2c_hid_dbg(ihid, "input: %*ph\n", ret_size, ihid->inbuf);
1543 ++
1544 ++ if (test_bit(I2C_HID_STARTED, &ihid->flags))
1545 ++ hid_input_report(ihid->hid, HID_INPUT_REPORT, ihid->inbuf + 2,
1546 ++ ret_size - 2, 1);
1547 ++
1548 ++ return;
1549 ++}
1550 ++
1551 ++static irqreturn_t i2c_hid_irq(int irq, void *dev_id)
1552 ++{
1553 ++ struct i2c_hid *ihid = dev_id;
1554 ++
1555 ++ if (test_bit(I2C_HID_READ_PENDING, &ihid->flags))
1556 ++ return IRQ_HANDLED;
1557 ++
1558 ++ i2c_hid_get_input(ihid);
1559 ++
1560 ++ return IRQ_HANDLED;
1561 ++}
1562 ++
1563 ++static int i2c_hid_get_report_length(struct hid_report *report)
1564 ++{
1565 ++ return ((report->size - 1) >> 3) + 1 +
1566 ++ report->device->report_enum[report->type].numbered + 2;
1567 ++}
1568 ++
1569 ++/*
1570 ++ * Traverse the supplied list of reports and find the longest
1571 ++ */
1572 ++static void i2c_hid_find_max_report(struct hid_device *hid, unsigned int type,
1573 ++ unsigned int *max)
1574 ++{
1575 ++ struct hid_report *report;
1576 ++ unsigned int size;
1577 ++
1578 ++ /* We should not rely on wMaxInputLength, as some devices may set it to
1579 ++ * a wrong length. */
1580 ++ list_for_each_entry(report, &hid->report_enum[type].report_list, list) {
1581 ++ size = i2c_hid_get_report_length(report);
1582 ++ if (*max < size)
1583 ++ *max = size;
1584 ++ }
1585 ++}
1586 ++
1587 ++static void i2c_hid_free_buffers(struct i2c_hid *ihid)
1588 ++{
1589 ++ kfree(ihid->inbuf);
1590 ++ kfree(ihid->rawbuf);
1591 ++ kfree(ihid->argsbuf);
1592 ++ kfree(ihid->cmdbuf);
1593 ++ ihid->inbuf = NULL;
1594 ++ ihid->rawbuf = NULL;
1595 ++ ihid->cmdbuf = NULL;
1596 ++ ihid->argsbuf = NULL;
1597 ++ ihid->bufsize = 0;
1598 ++}
1599 ++
1600 ++static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
1601 ++{
1602 ++ /* the worst case is computed from the set_report command with a
1603 ++ * reportID > 15 and the maximum report length */
1604 ++ int args_len = sizeof(__u8) + /* ReportID */
1605 ++ sizeof(__u8) + /* optional ReportID byte */
1606 ++ sizeof(__u16) + /* data register */
1607 ++ sizeof(__u16) + /* size of the report */
1608 ++ report_size; /* report */
1609 ++
1610 ++ ihid->inbuf = kzalloc(report_size, GFP_KERNEL);
1611 ++ ihid->rawbuf = kzalloc(report_size, GFP_KERNEL);
1612 ++ ihid->argsbuf = kzalloc(args_len, GFP_KERNEL);
1613 ++ ihid->cmdbuf = kzalloc(sizeof(union command) + args_len, GFP_KERNEL);
1614 ++
1615 ++ if (!ihid->inbuf || !ihid->rawbuf || !ihid->argsbuf || !ihid->cmdbuf) {
1616 ++ i2c_hid_free_buffers(ihid);
1617 ++ return -ENOMEM;
1618 ++ }
1619 ++
1620 ++ ihid->bufsize = report_size;
1621 ++
1622 ++ return 0;
1623 ++}
1624 ++
1625 ++static int i2c_hid_get_raw_report(struct hid_device *hid,
1626 ++ unsigned char report_number, __u8 *buf, size_t count,
1627 ++ unsigned char report_type)
1628 ++{
1629 ++ struct i2c_client *client = hid->driver_data;
1630 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1631 ++ size_t ret_count, ask_count;
1632 ++ int ret;
1633 ++
1634 ++ if (report_type == HID_OUTPUT_REPORT)
1635 ++ return -EINVAL;
1636 ++
1637 ++ /* +2 bytes to include the size of the reply in the query buffer */
1638 ++ ask_count = min(count + 2, (size_t)ihid->bufsize);
1639 ++
1640 ++ ret = i2c_hid_get_report(client,
1641 ++ report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
1642 ++ report_number, ihid->rawbuf, ask_count);
1643 ++
1644 ++ if (ret < 0)
1645 ++ return ret;
1646 ++
1647 ++ ret_count = ihid->rawbuf[0] | (ihid->rawbuf[1] << 8);
1648 ++
1649 ++ if (ret_count <= 2)
1650 ++ return 0;
1651 ++
1652 ++ ret_count = min(ret_count, ask_count);
1653 ++
1654 ++ /* The query buffer contains the size, dropping it in the reply */
1655 ++ count = min(count, ret_count - 2);
1656 ++ memcpy(buf, ihid->rawbuf + 2, count);
1657 ++
1658 ++ return count;
1659 ++}
1660 ++
1661 ++static int i2c_hid_output_raw_report(struct hid_device *hid, __u8 *buf,
1662 ++ size_t count, unsigned char report_type, bool use_data)
1663 ++{
1664 ++ struct i2c_client *client = hid->driver_data;
1665 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1666 ++ int report_id = buf[0];
1667 ++ int ret;
1668 ++
1669 ++ if (report_type == HID_INPUT_REPORT)
1670 ++ return -EINVAL;
1671 ++
1672 ++ mutex_lock(&ihid->reset_lock);
1673 ++
1674 ++ if (report_id) {
1675 ++ buf++;
1676 ++ count--;
1677 ++ }
1678 ++
1679 ++ ret = i2c_hid_set_or_send_report(client,
1680 ++ report_type == HID_FEATURE_REPORT ? 0x03 : 0x02,
1681 ++ report_id, buf, count, use_data);
1682 ++
1683 ++ if (report_id && ret >= 0)
1684 ++ ret++; /* add report_id to the number of transfered bytes */
1685 ++
1686 ++ mutex_unlock(&ihid->reset_lock);
1687 ++
1688 ++ return ret;
1689 ++}
1690 ++
1691 ++static int i2c_hid_output_report(struct hid_device *hid, __u8 *buf,
1692 ++ size_t count)
1693 ++{
1694 ++ return i2c_hid_output_raw_report(hid, buf, count, HID_OUTPUT_REPORT,
1695 ++ false);
1696 ++}
1697 ++
1698 ++static int i2c_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
1699 ++ __u8 *buf, size_t len, unsigned char rtype,
1700 ++ int reqtype)
1701 ++{
1702 ++ switch (reqtype) {
1703 ++ case HID_REQ_GET_REPORT:
1704 ++ return i2c_hid_get_raw_report(hid, reportnum, buf, len, rtype);
1705 ++ case HID_REQ_SET_REPORT:
1706 ++ if (buf[0] != reportnum)
1707 ++ return -EINVAL;
1708 ++ return i2c_hid_output_raw_report(hid, buf, len, rtype, true);
1709 ++ default:
1710 ++ return -EIO;
1711 ++ }
1712 ++}
1713 ++
1714 ++static int i2c_hid_parse(struct hid_device *hid)
1715 ++{
1716 ++ struct i2c_client *client = hid->driver_data;
1717 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1718 ++ struct i2c_hid_desc *hdesc = &ihid->hdesc;
1719 ++ unsigned int rsize;
1720 ++ char *rdesc;
1721 ++ int ret;
1722 ++ int tries = 3;
1723 ++ char *use_override;
1724 ++
1725 ++ i2c_hid_dbg(ihid, "entering %s\n", __func__);
1726 ++
1727 ++ rsize = le16_to_cpu(hdesc->wReportDescLength);
1728 ++ if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
1729 ++ dbg_hid("weird size of report descriptor (%u)\n", rsize);
1730 ++ return -EINVAL;
1731 ++ }
1732 ++
1733 ++ do {
1734 ++ ret = i2c_hid_hwreset(client);
1735 ++ if (ret)
1736 ++ msleep(1000);
1737 ++ } while (tries-- > 0 && ret);
1738 ++
1739 ++ if (ret)
1740 ++ return ret;
1741 ++
1742 ++ use_override = i2c_hid_get_dmi_hid_report_desc_override(client->name,
1743 ++ &rsize);
1744 ++
1745 ++ if (use_override) {
1746 ++ rdesc = use_override;
1747 ++ i2c_hid_dbg(ihid, "Using a HID report descriptor override\n");
1748 ++ } else {
1749 ++ rdesc = kzalloc(rsize, GFP_KERNEL);
1750 ++
1751 ++ if (!rdesc) {
1752 ++ dbg_hid("couldn't allocate rdesc memory\n");
1753 ++ return -ENOMEM;
1754 ++ }
1755 ++
1756 ++ i2c_hid_dbg(ihid, "asking HID report descriptor\n");
1757 ++
1758 ++ ret = i2c_hid_command(client, &hid_report_descr_cmd,
1759 ++ rdesc, rsize);
1760 ++ if (ret) {
1761 ++ hid_err(hid, "reading report descriptor failed\n");
1762 ++ kfree(rdesc);
1763 ++ return -EIO;
1764 ++ }
1765 ++ }
1766 ++
1767 ++ i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc);
1768 ++
1769 ++ ret = hid_parse_report(hid, rdesc, rsize);
1770 ++ if (!use_override)
1771 ++ kfree(rdesc);
1772 ++
1773 ++ if (ret) {
1774 ++ dbg_hid("parsing report descriptor failed\n");
1775 ++ return ret;
1776 ++ }
1777 ++
1778 ++ return 0;
1779 ++}
1780 ++
1781 ++static int i2c_hid_start(struct hid_device *hid)
1782 ++{
1783 ++ struct i2c_client *client = hid->driver_data;
1784 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1785 ++ int ret;
1786 ++ unsigned int bufsize = HID_MIN_BUFFER_SIZE;
1787 ++
1788 ++ i2c_hid_find_max_report(hid, HID_INPUT_REPORT, &bufsize);
1789 ++ i2c_hid_find_max_report(hid, HID_OUTPUT_REPORT, &bufsize);
1790 ++ i2c_hid_find_max_report(hid, HID_FEATURE_REPORT, &bufsize);
1791 ++
1792 ++ if (bufsize > ihid->bufsize) {
1793 ++ disable_irq(client->irq);
1794 ++ i2c_hid_free_buffers(ihid);
1795 ++
1796 ++ ret = i2c_hid_alloc_buffers(ihid, bufsize);
1797 ++ enable_irq(client->irq);
1798 ++
1799 ++ if (ret)
1800 ++ return ret;
1801 ++ }
1802 ++
1803 ++ return 0;
1804 ++}
1805 ++
1806 ++static void i2c_hid_stop(struct hid_device *hid)
1807 ++{
1808 ++ hid->claimed = 0;
1809 ++}
1810 ++
1811 ++static int i2c_hid_open(struct hid_device *hid)
1812 ++{
1813 ++ struct i2c_client *client = hid->driver_data;
1814 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1815 ++ int ret = 0;
1816 ++
1817 ++ ret = pm_runtime_get_sync(&client->dev);
1818 ++ if (ret < 0)
1819 ++ return ret;
1820 ++
1821 ++ set_bit(I2C_HID_STARTED, &ihid->flags);
1822 ++ return 0;
1823 ++}
1824 ++
1825 ++static void i2c_hid_close(struct hid_device *hid)
1826 ++{
1827 ++ struct i2c_client *client = hid->driver_data;
1828 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1829 ++
1830 ++ clear_bit(I2C_HID_STARTED, &ihid->flags);
1831 ++
1832 ++ /* Save some power */
1833 ++ pm_runtime_put(&client->dev);
1834 ++}
1835 ++
1836 ++static int i2c_hid_power(struct hid_device *hid, int lvl)
1837 ++{
1838 ++ struct i2c_client *client = hid->driver_data;
1839 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1840 ++
1841 ++ i2c_hid_dbg(ihid, "%s lvl:%d\n", __func__, lvl);
1842 ++
1843 ++ switch (lvl) {
1844 ++ case PM_HINT_FULLON:
1845 ++ pm_runtime_get_sync(&client->dev);
1846 ++ break;
1847 ++ case PM_HINT_NORMAL:
1848 ++ pm_runtime_put(&client->dev);
1849 ++ break;
1850 ++ }
1851 ++ return 0;
1852 ++}
1853 ++
1854 ++struct hid_ll_driver i2c_hid_ll_driver = {
1855 ++ .parse = i2c_hid_parse,
1856 ++ .start = i2c_hid_start,
1857 ++ .stop = i2c_hid_stop,
1858 ++ .open = i2c_hid_open,
1859 ++ .close = i2c_hid_close,
1860 ++ .power = i2c_hid_power,
1861 ++ .output_report = i2c_hid_output_report,
1862 ++ .raw_request = i2c_hid_raw_request,
1863 ++};
1864 ++EXPORT_SYMBOL_GPL(i2c_hid_ll_driver);
1865 ++
1866 ++static int i2c_hid_init_irq(struct i2c_client *client)
1867 ++{
1868 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
1869 ++ unsigned long irqflags = 0;
1870 ++ int ret;
1871 ++
1872 ++ dev_dbg(&client->dev, "Requesting IRQ: %d\n", client->irq);
1873 ++
1874 ++ if (!irq_get_trigger_type(client->irq))
1875 ++ irqflags = IRQF_TRIGGER_LOW;
1876 ++
1877 ++ ret = request_threaded_irq(client->irq, NULL, i2c_hid_irq,
1878 ++ irqflags | IRQF_ONESHOT, client->name, ihid);
1879 ++ if (ret < 0) {
1880 ++ dev_warn(&client->dev,
1881 ++ "Could not register for %s interrupt, irq = %d,"
1882 ++ " ret = %d\n",
1883 ++ client->name, client->irq, ret);
1884 ++
1885 ++ return ret;
1886 ++ }
1887 ++
1888 ++ return 0;
1889 ++}
1890 ++
1891 ++static int i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
1892 ++{
1893 ++ struct i2c_client *client = ihid->client;
1894 ++ struct i2c_hid_desc *hdesc = &ihid->hdesc;
1895 ++ unsigned int dsize;
1896 ++ int ret;
1897 ++
1898 ++ /* i2c hid fetch using a fixed descriptor size (30 bytes) */
1899 ++ if (i2c_hid_get_dmi_i2c_hid_desc_override(client->name)) {
1900 ++ i2c_hid_dbg(ihid, "Using a HID descriptor override\n");
1901 ++ ihid->hdesc =
1902 ++ *i2c_hid_get_dmi_i2c_hid_desc_override(client->name);
1903 ++ } else {
1904 ++ i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
1905 ++ ret = i2c_hid_command(client, &hid_descr_cmd,
1906 ++ ihid->hdesc_buffer,
1907 ++ sizeof(struct i2c_hid_desc));
1908 ++ if (ret) {
1909 ++ dev_err(&client->dev, "hid_descr_cmd failed\n");
1910 ++ return -ENODEV;
1911 ++ }
1912 ++ }
1913 ++
1914 ++ /* Validate the length of HID descriptor, the 4 first bytes:
1915 ++ * bytes 0-1 -> length
1916 ++ * bytes 2-3 -> bcdVersion (has to be 1.00) */
1917 ++ /* check bcdVersion == 1.0 */
1918 ++ if (le16_to_cpu(hdesc->bcdVersion) != 0x0100) {
1919 ++ dev_err(&client->dev,
1920 ++ "unexpected HID descriptor bcdVersion (0x%04hx)\n",
1921 ++ le16_to_cpu(hdesc->bcdVersion));
1922 ++ return -ENODEV;
1923 ++ }
1924 ++
1925 ++ /* Descriptor length should be 30 bytes as per the specification */
1926 ++ dsize = le16_to_cpu(hdesc->wHIDDescLength);
1927 ++ if (dsize != sizeof(struct i2c_hid_desc)) {
1928 ++ dev_err(&client->dev, "weird size of HID descriptor (%u)\n",
1929 ++ dsize);
1930 ++ return -ENODEV;
1931 ++ }
1932 ++ i2c_hid_dbg(ihid, "HID Descriptor: %*ph\n", dsize, ihid->hdesc_buffer);
1933 ++ return 0;
1934 ++}
1935 ++
1936 ++#ifdef CONFIG_ACPI
1937 ++static int i2c_hid_acpi_pdata(struct i2c_client *client,
1938 ++ struct i2c_hid_platform_data *pdata)
1939 ++{
1940 ++ static guid_t i2c_hid_guid =
1941 ++ GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555,
1942 ++ 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE);
1943 ++ union acpi_object *obj;
1944 ++ struct acpi_device *adev;
1945 ++ acpi_handle handle;
1946 ++
1947 ++ handle = ACPI_HANDLE(&client->dev);
1948 ++ if (!handle || acpi_bus_get_device(handle, &adev))
1949 ++ return -ENODEV;
1950 ++
1951 ++ obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL,
1952 ++ ACPI_TYPE_INTEGER);
1953 ++ if (!obj) {
1954 ++ dev_err(&client->dev, "device _DSM execution failed\n");
1955 ++ return -ENODEV;
1956 ++ }
1957 ++
1958 ++ pdata->hid_descriptor_address = obj->integer.value;
1959 ++ ACPI_FREE(obj);
1960 ++
1961 ++ return 0;
1962 ++}
1963 ++
1964 ++static void i2c_hid_acpi_fix_up_power(struct device *dev)
1965 ++{
1966 ++ acpi_handle handle = ACPI_HANDLE(dev);
1967 ++ struct acpi_device *adev;
1968 ++
1969 ++ if (handle && acpi_bus_get_device(handle, &adev) == 0)
1970 ++ acpi_device_fix_up_power(adev);
1971 ++}
1972 ++
1973 ++static const struct acpi_device_id i2c_hid_acpi_match[] = {
1974 ++ {"ACPI0C50", 0 },
1975 ++ {"PNP0C50", 0 },
1976 ++ { },
1977 ++};
1978 ++MODULE_DEVICE_TABLE(acpi, i2c_hid_acpi_match);
1979 ++#else
1980 ++static inline int i2c_hid_acpi_pdata(struct i2c_client *client,
1981 ++ struct i2c_hid_platform_data *pdata)
1982 ++{
1983 ++ return -ENODEV;
1984 ++}
1985 ++
1986 ++static inline void i2c_hid_acpi_fix_up_power(struct device *dev) {}
1987 ++#endif
1988 ++
1989 ++#ifdef CONFIG_OF
1990 ++static int i2c_hid_of_probe(struct i2c_client *client,
1991 ++ struct i2c_hid_platform_data *pdata)
1992 ++{
1993 ++ struct device *dev = &client->dev;
1994 ++ u32 val;
1995 ++ int ret;
1996 ++
1997 ++ ret = of_property_read_u32(dev->of_node, "hid-descr-addr", &val);
1998 ++ if (ret) {
1999 ++ dev_err(&client->dev, "HID register address not provided\n");
2000 ++ return -ENODEV;
2001 ++ }
2002 ++ if (val >> 16) {
2003 ++ dev_err(&client->dev, "Bad HID register address: 0x%08x\n",
2004 ++ val);
2005 ++ return -EINVAL;
2006 ++ }
2007 ++ pdata->hid_descriptor_address = val;
2008 ++
2009 ++ ret = of_property_read_u32(dev->of_node, "post-power-on-delay-ms",
2010 ++ &val);
2011 ++ if (!ret)
2012 ++ pdata->post_power_delay_ms = val;
2013 ++
2014 ++ return 0;
2015 ++}
2016 ++
2017 ++static const struct of_device_id i2c_hid_of_match[] = {
2018 ++ { .compatible = "hid-over-i2c" },
2019 ++ {},
2020 ++};
2021 ++MODULE_DEVICE_TABLE(of, i2c_hid_of_match);
2022 ++#else
2023 ++static inline int i2c_hid_of_probe(struct i2c_client *client,
2024 ++ struct i2c_hid_platform_data *pdata)
2025 ++{
2026 ++ return -ENODEV;
2027 ++}
2028 ++#endif
2029 ++
2030 ++static int i2c_hid_probe(struct i2c_client *client,
2031 ++ const struct i2c_device_id *dev_id)
2032 ++{
2033 ++ int ret;
2034 ++ struct i2c_hid *ihid;
2035 ++ struct hid_device *hid;
2036 ++ __u16 hidRegister;
2037 ++ struct i2c_hid_platform_data *platform_data = client->dev.platform_data;
2038 ++
2039 ++ dbg_hid("HID probe called for i2c 0x%02x\n", client->addr);
2040 ++
2041 ++ if (!client->irq) {
2042 ++ dev_err(&client->dev,
2043 ++ "HID over i2c has not been provided an Int IRQ\n");
2044 ++ return -EINVAL;
2045 ++ }
2046 ++
2047 ++ if (client->irq < 0) {
2048 ++ if (client->irq != -EPROBE_DEFER)
2049 ++ dev_err(&client->dev,
2050 ++ "HID over i2c doesn't have a valid IRQ\n");
2051 ++ return client->irq;
2052 ++ }
2053 ++
2054 ++ ihid = kzalloc(sizeof(struct i2c_hid), GFP_KERNEL);
2055 ++ if (!ihid)
2056 ++ return -ENOMEM;
2057 ++
2058 ++ if (client->dev.of_node) {
2059 ++ ret = i2c_hid_of_probe(client, &ihid->pdata);
2060 ++ if (ret)
2061 ++ goto err;
2062 ++ } else if (!platform_data) {
2063 ++ ret = i2c_hid_acpi_pdata(client, &ihid->pdata);
2064 ++ if (ret) {
2065 ++ dev_err(&client->dev,
2066 ++ "HID register address not provided\n");
2067 ++ goto err;
2068 ++ }
2069 ++ } else {
2070 ++ ihid->pdata = *platform_data;
2071 ++ }
2072 ++
2073 ++ ihid->pdata.supply = devm_regulator_get(&client->dev, "vdd");
2074 ++ if (IS_ERR(ihid->pdata.supply)) {
2075 ++ ret = PTR_ERR(ihid->pdata.supply);
2076 ++ if (ret != -EPROBE_DEFER)
2077 ++ dev_err(&client->dev, "Failed to get regulator: %d\n",
2078 ++ ret);
2079 ++ goto err;
2080 ++ }
2081 ++
2082 ++ ret = regulator_enable(ihid->pdata.supply);
2083 ++ if (ret < 0) {
2084 ++ dev_err(&client->dev, "Failed to enable regulator: %d\n",
2085 ++ ret);
2086 ++ goto err;
2087 ++ }
2088 ++ if (ihid->pdata.post_power_delay_ms)
2089 ++ msleep(ihid->pdata.post_power_delay_ms);
2090 ++
2091 ++ i2c_set_clientdata(client, ihid);
2092 ++
2093 ++ ihid->client = client;
2094 ++
2095 ++ hidRegister = ihid->pdata.hid_descriptor_address;
2096 ++ ihid->wHIDDescRegister = cpu_to_le16(hidRegister);
2097 ++
2098 ++ init_waitqueue_head(&ihid->wait);
2099 ++ mutex_init(&ihid->reset_lock);
2100 ++
2101 ++ /* we need to allocate the command buffer without knowing the maximum
2102 ++ * size of the reports. Let's use HID_MIN_BUFFER_SIZE, then we do the
2103 ++ * real computation later. */
2104 ++ ret = i2c_hid_alloc_buffers(ihid, HID_MIN_BUFFER_SIZE);
2105 ++ if (ret < 0)
2106 ++ goto err_regulator;
2107 ++
2108 ++ i2c_hid_acpi_fix_up_power(&client->dev);
2109 ++
2110 ++ pm_runtime_get_noresume(&client->dev);
2111 ++ pm_runtime_set_active(&client->dev);
2112 ++ pm_runtime_enable(&client->dev);
2113 ++ device_enable_async_suspend(&client->dev);
2114 ++
2115 ++ /* Make sure there is something at this address */
2116 ++ ret = i2c_smbus_read_byte(client);
2117 ++ if (ret < 0) {
2118 ++ dev_dbg(&client->dev, "nothing at this address: %d\n", ret);
2119 ++ ret = -ENXIO;
2120 ++ goto err_pm;
2121 ++ }
2122 ++
2123 ++ ret = i2c_hid_fetch_hid_descriptor(ihid);
2124 ++ if (ret < 0)
2125 ++ goto err_pm;
2126 ++
2127 ++ ret = i2c_hid_init_irq(client);
2128 ++ if (ret < 0)
2129 ++ goto err_pm;
2130 ++
2131 ++ hid = hid_allocate_device();
2132 ++ if (IS_ERR(hid)) {
2133 ++ ret = PTR_ERR(hid);
2134 ++ goto err_irq;
2135 ++ }
2136 ++
2137 ++ ihid->hid = hid;
2138 ++
2139 ++ hid->driver_data = client;
2140 ++ hid->ll_driver = &i2c_hid_ll_driver;
2141 ++ hid->dev.parent = &client->dev;
2142 ++ hid->bus = BUS_I2C;
2143 ++ hid->version = le16_to_cpu(ihid->hdesc.bcdVersion);
2144 ++ hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID);
2145 ++ hid->product = le16_to_cpu(ihid->hdesc.wProductID);
2146 ++
2147 ++ snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX",
2148 ++ client->name, hid->vendor, hid->product);
2149 ++ strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys));
2150 ++
2151 ++ ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product);
2152 ++
2153 ++ ret = hid_add_device(hid);
2154 ++ if (ret) {
2155 ++ if (ret != -ENODEV)
2156 ++ hid_err(client, "can't add hid device: %d\n", ret);
2157 ++ goto err_mem_free;
2158 ++ }
2159 ++
2160 ++ pm_runtime_put(&client->dev);
2161 ++ return 0;
2162 ++
2163 ++err_mem_free:
2164 ++ hid_destroy_device(hid);
2165 ++
2166 ++err_irq:
2167 ++ free_irq(client->irq, ihid);
2168 ++
2169 ++err_pm:
2170 ++ pm_runtime_put_noidle(&client->dev);
2171 ++ pm_runtime_disable(&client->dev);
2172 ++
2173 ++err_regulator:
2174 ++ regulator_disable(ihid->pdata.supply);
2175 ++
2176 ++err:
2177 ++ i2c_hid_free_buffers(ihid);
2178 ++ kfree(ihid);
2179 ++ return ret;
2180 ++}
2181 ++
2182 ++static int i2c_hid_remove(struct i2c_client *client)
2183 ++{
2184 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
2185 ++ struct hid_device *hid;
2186 ++
2187 ++ pm_runtime_get_sync(&client->dev);
2188 ++ pm_runtime_disable(&client->dev);
2189 ++ pm_runtime_set_suspended(&client->dev);
2190 ++ pm_runtime_put_noidle(&client->dev);
2191 ++
2192 ++ hid = ihid->hid;
2193 ++ hid_destroy_device(hid);
2194 ++
2195 ++ free_irq(client->irq, ihid);
2196 ++
2197 ++ if (ihid->bufsize)
2198 ++ i2c_hid_free_buffers(ihid);
2199 ++
2200 ++ regulator_disable(ihid->pdata.supply);
2201 ++
2202 ++ kfree(ihid);
2203 ++
2204 ++ return 0;
2205 ++}
2206 ++
2207 ++static void i2c_hid_shutdown(struct i2c_client *client)
2208 ++{
2209 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
2210 ++
2211 ++ i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
2212 ++ free_irq(client->irq, ihid);
2213 ++}
2214 ++
2215 ++#ifdef CONFIG_PM_SLEEP
2216 ++static int i2c_hid_suspend(struct device *dev)
2217 ++{
2218 ++ struct i2c_client *client = to_i2c_client(dev);
2219 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
2220 ++ struct hid_device *hid = ihid->hid;
2221 ++ int ret;
2222 ++ int wake_status;
2223 ++
2224 ++ if (hid->driver && hid->driver->suspend) {
2225 ++ /*
2226 ++ * Wake up the device so that IO issues in
2227 ++ * HID driver's suspend code can succeed.
2228 ++ */
2229 ++ ret = pm_runtime_resume(dev);
2230 ++ if (ret < 0)
2231 ++ return ret;
2232 ++
2233 ++ ret = hid->driver->suspend(hid, PMSG_SUSPEND);
2234 ++ if (ret < 0)
2235 ++ return ret;
2236 ++ }
2237 ++
2238 ++ if (!pm_runtime_suspended(dev)) {
2239 ++ /* Save some power */
2240 ++ i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
2241 ++
2242 ++ disable_irq(client->irq);
2243 ++ }
2244 ++
2245 ++ if (device_may_wakeup(&client->dev)) {
2246 ++ wake_status = enable_irq_wake(client->irq);
2247 ++ if (!wake_status)
2248 ++ ihid->irq_wake_enabled = true;
2249 ++ else
2250 ++ hid_warn(hid, "Failed to enable irq wake: %d\n",
2251 ++ wake_status);
2252 ++ } else {
2253 ++ ret = regulator_disable(ihid->pdata.supply);
2254 ++ if (ret < 0)
2255 ++ hid_warn(hid, "Failed to disable supply: %d\n", ret);
2256 ++ }
2257 ++
2258 ++ return 0;
2259 ++}
2260 ++
2261 ++static int i2c_hid_resume(struct device *dev)
2262 ++{
2263 ++ int ret;
2264 ++ struct i2c_client *client = to_i2c_client(dev);
2265 ++ struct i2c_hid *ihid = i2c_get_clientdata(client);
2266 ++ struct hid_device *hid = ihid->hid;
2267 ++ int wake_status;
2268 ++
2269 ++ if (!device_may_wakeup(&client->dev)) {
2270 ++ ret = regulator_enable(ihid->pdata.supply);
2271 ++ if (ret < 0)
2272 ++ hid_warn(hid, "Failed to enable supply: %d\n", ret);
2273 ++ if (ihid->pdata.post_power_delay_ms)
2274 ++ msleep(ihid->pdata.post_power_delay_ms);
2275 ++ } else if (ihid->irq_wake_enabled) {
2276 ++ wake_status = disable_irq_wake(client->irq);
2277 ++ if (!wake_status)
2278 ++ ihid->irq_wake_enabled = false;
2279 ++ else
2280 ++ hid_warn(hid, "Failed to disable irq wake: %d\n",
2281 ++ wake_status);
2282 ++ }
2283 ++
2284 ++ /* We'll resume to full power */
2285 ++ pm_runtime_disable(dev);
2286 ++ pm_runtime_set_active(dev);
2287 ++ pm_runtime_enable(dev);
2288 ++
2289 ++ enable_irq(client->irq);
2290 ++ ret = i2c_hid_hwreset(client);
2291 ++ if (ret)
2292 ++ return ret;
2293 ++
2294 ++ if (hid->driver && hid->driver->reset_resume) {
2295 ++ ret = hid->driver->reset_resume(hid);
2296 ++ return ret;
2297 ++ }
2298 ++
2299 ++ return 0;
2300 ++}
2301 ++#endif
2302 ++
2303 ++#ifdef CONFIG_PM
2304 ++static int i2c_hid_runtime_suspend(struct device *dev)
2305 ++{
2306 ++ struct i2c_client *client = to_i2c_client(dev);
2307 ++
2308 ++ i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
2309 ++ disable_irq(client->irq);
2310 ++ return 0;
2311 ++}
2312 ++
2313 ++static int i2c_hid_runtime_resume(struct device *dev)
2314 ++{
2315 ++ struct i2c_client *client = to_i2c_client(dev);
2316 ++
2317 ++ enable_irq(client->irq);
2318 ++ i2c_hid_set_power(client, I2C_HID_PWR_ON);
2319 ++ return 0;
2320 ++}
2321 ++#endif
2322 ++
2323 ++static const struct dev_pm_ops i2c_hid_pm = {
2324 ++ SET_SYSTEM_SLEEP_PM_OPS(i2c_hid_suspend, i2c_hid_resume)
2325 ++ SET_RUNTIME_PM_OPS(i2c_hid_runtime_suspend, i2c_hid_runtime_resume,
2326 ++ NULL)
2327 ++};
2328 ++
2329 ++static const struct i2c_device_id i2c_hid_id_table[] = {
2330 ++ { "hid", 0 },
2331 ++ { "hid-over-i2c", 0 },
2332 ++ { },
2333 ++};
2334 ++MODULE_DEVICE_TABLE(i2c, i2c_hid_id_table);
2335 ++
2336 ++
2337 ++static struct i2c_driver i2c_hid_driver = {
2338 ++ .driver = {
2339 ++ .name = "i2c_hid",
2340 ++ .pm = &i2c_hid_pm,
2341 ++ .acpi_match_table = ACPI_PTR(i2c_hid_acpi_match),
2342 ++ .of_match_table = of_match_ptr(i2c_hid_of_match),
2343 ++ },
2344 ++
2345 ++ .probe = i2c_hid_probe,
2346 ++ .remove = i2c_hid_remove,
2347 ++ .shutdown = i2c_hid_shutdown,
2348 ++ .id_table = i2c_hid_id_table,
2349 ++};
2350 ++
2351 ++module_i2c_driver(i2c_hid_driver);
2352 ++
2353 ++MODULE_DESCRIPTION("HID over I2C core driver");
2354 ++MODULE_AUTHOR("Benjamin Tissoires <benjamin.tissoires@×××××.com>");
2355 ++MODULE_LICENSE("GPL");
2356 +diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
2357 +new file mode 100644
2358 +index 000000000000..1d645c9ab417
2359 +--- /dev/null
2360 ++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c
2361 +@@ -0,0 +1,376 @@
2362 ++// SPDX-License-Identifier: GPL-2.0+
2363 ++
2364 ++/*
2365 ++ * Quirks for I2C-HID devices that do not supply proper descriptors
2366 ++ *
2367 ++ * Copyright (c) 2018 Julian Sax <jsbc@×××.de>
2368 ++ *
2369 ++ */
2370 ++
2371 ++#include <linux/types.h>
2372 ++#include <linux/dmi.h>
2373 ++#include <linux/mod_devicetable.h>
2374 ++
2375 ++#include "i2c-hid.h"
2376 ++
2377 ++
2378 ++struct i2c_hid_desc_override {
2379 ++ union {
2380 ++ struct i2c_hid_desc *i2c_hid_desc;
2381 ++ uint8_t *i2c_hid_desc_buffer;
2382 ++ };
2383 ++ uint8_t *hid_report_desc;
2384 ++ unsigned int hid_report_desc_size;
2385 ++ uint8_t *i2c_name;
2386 ++};
2387 ++
2388 ++
2389 ++/*
2390 ++ * descriptors for the SIPODEV SP1064 touchpad
2391 ++ *
2392 ++ * This device does not supply any descriptors and on windows a filter
2393 ++ * driver operates between the i2c-hid layer and the device and injects
2394 ++ * these descriptors when the device is prompted. The descriptors were
2395 ++ * extracted by listening to the i2c-hid traffic that occurs between the
2396 ++ * windows filter driver and the windows i2c-hid driver.
2397 ++ */
2398 ++
2399 ++static const struct i2c_hid_desc_override sipodev_desc = {
2400 ++ .i2c_hid_desc_buffer = (uint8_t [])
2401 ++ {0x1e, 0x00, /* Length of descriptor */
2402 ++ 0x00, 0x01, /* Version of descriptor */
2403 ++ 0xdb, 0x01, /* Length of report descriptor */
2404 ++ 0x21, 0x00, /* Location of report descriptor */
2405 ++ 0x24, 0x00, /* Location of input report */
2406 ++ 0x1b, 0x00, /* Max input report length */
2407 ++ 0x25, 0x00, /* Location of output report */
2408 ++ 0x11, 0x00, /* Max output report length */
2409 ++ 0x22, 0x00, /* Location of command register */
2410 ++ 0x23, 0x00, /* Location of data register */
2411 ++ 0x11, 0x09, /* Vendor ID */
2412 ++ 0x88, 0x52, /* Product ID */
2413 ++ 0x06, 0x00, /* Version ID */
2414 ++ 0x00, 0x00, 0x00, 0x00 /* Reserved */
2415 ++ },
2416 ++
2417 ++ .hid_report_desc = (uint8_t [])
2418 ++ {0x05, 0x01, /* Usage Page (Desktop), */
2419 ++ 0x09, 0x02, /* Usage (Mouse), */
2420 ++ 0xA1, 0x01, /* Collection (Application), */
2421 ++ 0x85, 0x01, /* Report ID (1), */
2422 ++ 0x09, 0x01, /* Usage (Pointer), */
2423 ++ 0xA1, 0x00, /* Collection (Physical), */
2424 ++ 0x05, 0x09, /* Usage Page (Button), */
2425 ++ 0x19, 0x01, /* Usage Minimum (01h), */
2426 ++ 0x29, 0x02, /* Usage Maximum (02h), */
2427 ++ 0x25, 0x01, /* Logical Maximum (1), */
2428 ++ 0x75, 0x01, /* Report Size (1), */
2429 ++ 0x95, 0x02, /* Report Count (2), */
2430 ++ 0x81, 0x02, /* Input (Variable), */
2431 ++ 0x95, 0x06, /* Report Count (6), */
2432 ++ 0x81, 0x01, /* Input (Constant), */
2433 ++ 0x05, 0x01, /* Usage Page (Desktop), */
2434 ++ 0x09, 0x30, /* Usage (X), */
2435 ++ 0x09, 0x31, /* Usage (Y), */
2436 ++ 0x15, 0x81, /* Logical Minimum (-127), */
2437 ++ 0x25, 0x7F, /* Logical Maximum (127), */
2438 ++ 0x75, 0x08, /* Report Size (8), */
2439 ++ 0x95, 0x02, /* Report Count (2), */
2440 ++ 0x81, 0x06, /* Input (Variable, Relative), */
2441 ++ 0xC0, /* End Collection, */
2442 ++ 0xC0, /* End Collection, */
2443 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2444 ++ 0x09, 0x05, /* Usage (Touchpad), */
2445 ++ 0xA1, 0x01, /* Collection (Application), */
2446 ++ 0x85, 0x04, /* Report ID (4), */
2447 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2448 ++ 0x09, 0x22, /* Usage (Finger), */
2449 ++ 0xA1, 0x02, /* Collection (Logical), */
2450 ++ 0x15, 0x00, /* Logical Minimum (0), */
2451 ++ 0x25, 0x01, /* Logical Maximum (1), */
2452 ++ 0x09, 0x47, /* Usage (Touch Valid), */
2453 ++ 0x09, 0x42, /* Usage (Tip Switch), */
2454 ++ 0x95, 0x02, /* Report Count (2), */
2455 ++ 0x75, 0x01, /* Report Size (1), */
2456 ++ 0x81, 0x02, /* Input (Variable), */
2457 ++ 0x95, 0x01, /* Report Count (1), */
2458 ++ 0x75, 0x03, /* Report Size (3), */
2459 ++ 0x25, 0x05, /* Logical Maximum (5), */
2460 ++ 0x09, 0x51, /* Usage (Contact Identifier), */
2461 ++ 0x81, 0x02, /* Input (Variable), */
2462 ++ 0x75, 0x01, /* Report Size (1), */
2463 ++ 0x95, 0x03, /* Report Count (3), */
2464 ++ 0x81, 0x03, /* Input (Constant, Variable), */
2465 ++ 0x05, 0x01, /* Usage Page (Desktop), */
2466 ++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
2467 ++ 0x75, 0x10, /* Report Size (16), */
2468 ++ 0x55, 0x0E, /* Unit Exponent (14), */
2469 ++ 0x65, 0x11, /* Unit (Centimeter), */
2470 ++ 0x09, 0x30, /* Usage (X), */
2471 ++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
2472 ++ 0x95, 0x01, /* Report Count (1), */
2473 ++ 0x81, 0x02, /* Input (Variable), */
2474 ++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
2475 ++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
2476 ++ 0x09, 0x31, /* Usage (Y), */
2477 ++ 0x81, 0x02, /* Input (Variable), */
2478 ++ 0xC0, /* End Collection, */
2479 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2480 ++ 0x09, 0x22, /* Usage (Finger), */
2481 ++ 0xA1, 0x02, /* Collection (Logical), */
2482 ++ 0x25, 0x01, /* Logical Maximum (1), */
2483 ++ 0x09, 0x47, /* Usage (Touch Valid), */
2484 ++ 0x09, 0x42, /* Usage (Tip Switch), */
2485 ++ 0x95, 0x02, /* Report Count (2), */
2486 ++ 0x75, 0x01, /* Report Size (1), */
2487 ++ 0x81, 0x02, /* Input (Variable), */
2488 ++ 0x95, 0x01, /* Report Count (1), */
2489 ++ 0x75, 0x03, /* Report Size (3), */
2490 ++ 0x25, 0x05, /* Logical Maximum (5), */
2491 ++ 0x09, 0x51, /* Usage (Contact Identifier), */
2492 ++ 0x81, 0x02, /* Input (Variable), */
2493 ++ 0x75, 0x01, /* Report Size (1), */
2494 ++ 0x95, 0x03, /* Report Count (3), */
2495 ++ 0x81, 0x03, /* Input (Constant, Variable), */
2496 ++ 0x05, 0x01, /* Usage Page (Desktop), */
2497 ++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
2498 ++ 0x75, 0x10, /* Report Size (16), */
2499 ++ 0x09, 0x30, /* Usage (X), */
2500 ++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
2501 ++ 0x95, 0x01, /* Report Count (1), */
2502 ++ 0x81, 0x02, /* Input (Variable), */
2503 ++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
2504 ++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
2505 ++ 0x09, 0x31, /* Usage (Y), */
2506 ++ 0x81, 0x02, /* Input (Variable), */
2507 ++ 0xC0, /* End Collection, */
2508 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2509 ++ 0x09, 0x22, /* Usage (Finger), */
2510 ++ 0xA1, 0x02, /* Collection (Logical), */
2511 ++ 0x25, 0x01, /* Logical Maximum (1), */
2512 ++ 0x09, 0x47, /* Usage (Touch Valid), */
2513 ++ 0x09, 0x42, /* Usage (Tip Switch), */
2514 ++ 0x95, 0x02, /* Report Count (2), */
2515 ++ 0x75, 0x01, /* Report Size (1), */
2516 ++ 0x81, 0x02, /* Input (Variable), */
2517 ++ 0x95, 0x01, /* Report Count (1), */
2518 ++ 0x75, 0x03, /* Report Size (3), */
2519 ++ 0x25, 0x05, /* Logical Maximum (5), */
2520 ++ 0x09, 0x51, /* Usage (Contact Identifier), */
2521 ++ 0x81, 0x02, /* Input (Variable), */
2522 ++ 0x75, 0x01, /* Report Size (1), */
2523 ++ 0x95, 0x03, /* Report Count (3), */
2524 ++ 0x81, 0x03, /* Input (Constant, Variable), */
2525 ++ 0x05, 0x01, /* Usage Page (Desktop), */
2526 ++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
2527 ++ 0x75, 0x10, /* Report Size (16), */
2528 ++ 0x09, 0x30, /* Usage (X), */
2529 ++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
2530 ++ 0x95, 0x01, /* Report Count (1), */
2531 ++ 0x81, 0x02, /* Input (Variable), */
2532 ++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
2533 ++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
2534 ++ 0x09, 0x31, /* Usage (Y), */
2535 ++ 0x81, 0x02, /* Input (Variable), */
2536 ++ 0xC0, /* End Collection, */
2537 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2538 ++ 0x09, 0x22, /* Usage (Finger), */
2539 ++ 0xA1, 0x02, /* Collection (Logical), */
2540 ++ 0x25, 0x01, /* Logical Maximum (1), */
2541 ++ 0x09, 0x47, /* Usage (Touch Valid), */
2542 ++ 0x09, 0x42, /* Usage (Tip Switch), */
2543 ++ 0x95, 0x02, /* Report Count (2), */
2544 ++ 0x75, 0x01, /* Report Size (1), */
2545 ++ 0x81, 0x02, /* Input (Variable), */
2546 ++ 0x95, 0x01, /* Report Count (1), */
2547 ++ 0x75, 0x03, /* Report Size (3), */
2548 ++ 0x25, 0x05, /* Logical Maximum (5), */
2549 ++ 0x09, 0x51, /* Usage (Contact Identifier), */
2550 ++ 0x81, 0x02, /* Input (Variable), */
2551 ++ 0x75, 0x01, /* Report Size (1), */
2552 ++ 0x95, 0x03, /* Report Count (3), */
2553 ++ 0x81, 0x03, /* Input (Constant, Variable), */
2554 ++ 0x05, 0x01, /* Usage Page (Desktop), */
2555 ++ 0x26, 0x44, 0x0A, /* Logical Maximum (2628), */
2556 ++ 0x75, 0x10, /* Report Size (16), */
2557 ++ 0x09, 0x30, /* Usage (X), */
2558 ++ 0x46, 0x1A, 0x04, /* Physical Maximum (1050), */
2559 ++ 0x95, 0x01, /* Report Count (1), */
2560 ++ 0x81, 0x02, /* Input (Variable), */
2561 ++ 0x46, 0xBC, 0x02, /* Physical Maximum (700), */
2562 ++ 0x26, 0x34, 0x05, /* Logical Maximum (1332), */
2563 ++ 0x09, 0x31, /* Usage (Y), */
2564 ++ 0x81, 0x02, /* Input (Variable), */
2565 ++ 0xC0, /* End Collection, */
2566 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2567 ++ 0x55, 0x0C, /* Unit Exponent (12), */
2568 ++ 0x66, 0x01, 0x10, /* Unit (Seconds), */
2569 ++ 0x47, 0xFF, 0xFF, 0x00, 0x00,/* Physical Maximum (65535), */
2570 ++ 0x27, 0xFF, 0xFF, 0x00, 0x00,/* Logical Maximum (65535), */
2571 ++ 0x75, 0x10, /* Report Size (16), */
2572 ++ 0x95, 0x01, /* Report Count (1), */
2573 ++ 0x09, 0x56, /* Usage (Scan Time), */
2574 ++ 0x81, 0x02, /* Input (Variable), */
2575 ++ 0x09, 0x54, /* Usage (Contact Count), */
2576 ++ 0x25, 0x7F, /* Logical Maximum (127), */
2577 ++ 0x75, 0x08, /* Report Size (8), */
2578 ++ 0x81, 0x02, /* Input (Variable), */
2579 ++ 0x05, 0x09, /* Usage Page (Button), */
2580 ++ 0x09, 0x01, /* Usage (01h), */
2581 ++ 0x25, 0x01, /* Logical Maximum (1), */
2582 ++ 0x75, 0x01, /* Report Size (1), */
2583 ++ 0x95, 0x01, /* Report Count (1), */
2584 ++ 0x81, 0x02, /* Input (Variable), */
2585 ++ 0x95, 0x07, /* Report Count (7), */
2586 ++ 0x81, 0x03, /* Input (Constant, Variable), */
2587 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2588 ++ 0x85, 0x02, /* Report ID (2), */
2589 ++ 0x09, 0x55, /* Usage (Contact Count Maximum), */
2590 ++ 0x09, 0x59, /* Usage (59h), */
2591 ++ 0x75, 0x04, /* Report Size (4), */
2592 ++ 0x95, 0x02, /* Report Count (2), */
2593 ++ 0x25, 0x0F, /* Logical Maximum (15), */
2594 ++ 0xB1, 0x02, /* Feature (Variable), */
2595 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2596 ++ 0x85, 0x07, /* Report ID (7), */
2597 ++ 0x09, 0x60, /* Usage (60h), */
2598 ++ 0x75, 0x01, /* Report Size (1), */
2599 ++ 0x95, 0x01, /* Report Count (1), */
2600 ++ 0x25, 0x01, /* Logical Maximum (1), */
2601 ++ 0xB1, 0x02, /* Feature (Variable), */
2602 ++ 0x95, 0x07, /* Report Count (7), */
2603 ++ 0xB1, 0x03, /* Feature (Constant, Variable), */
2604 ++ 0x85, 0x06, /* Report ID (6), */
2605 ++ 0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
2606 ++ 0x09, 0xC5, /* Usage (C5h), */
2607 ++ 0x26, 0xFF, 0x00, /* Logical Maximum (255), */
2608 ++ 0x75, 0x08, /* Report Size (8), */
2609 ++ 0x96, 0x00, 0x01, /* Report Count (256), */
2610 ++ 0xB1, 0x02, /* Feature (Variable), */
2611 ++ 0xC0, /* End Collection, */
2612 ++ 0x06, 0x00, 0xFF, /* Usage Page (FF00h), */
2613 ++ 0x09, 0x01, /* Usage (01h), */
2614 ++ 0xA1, 0x01, /* Collection (Application), */
2615 ++ 0x85, 0x0D, /* Report ID (13), */
2616 ++ 0x26, 0xFF, 0x00, /* Logical Maximum (255), */
2617 ++ 0x19, 0x01, /* Usage Minimum (01h), */
2618 ++ 0x29, 0x02, /* Usage Maximum (02h), */
2619 ++ 0x75, 0x08, /* Report Size (8), */
2620 ++ 0x95, 0x02, /* Report Count (2), */
2621 ++ 0xB1, 0x02, /* Feature (Variable), */
2622 ++ 0xC0, /* End Collection, */
2623 ++ 0x05, 0x0D, /* Usage Page (Digitizer), */
2624 ++ 0x09, 0x0E, /* Usage (Configuration), */
2625 ++ 0xA1, 0x01, /* Collection (Application), */
2626 ++ 0x85, 0x03, /* Report ID (3), */
2627 ++ 0x09, 0x22, /* Usage (Finger), */
2628 ++ 0xA1, 0x02, /* Collection (Logical), */
2629 ++ 0x09, 0x52, /* Usage (Device Mode), */
2630 ++ 0x25, 0x0A, /* Logical Maximum (10), */
2631 ++ 0x95, 0x01, /* Report Count (1), */
2632 ++ 0xB1, 0x02, /* Feature (Variable), */
2633 ++ 0xC0, /* End Collection, */
2634 ++ 0x09, 0x22, /* Usage (Finger), */
2635 ++ 0xA1, 0x00, /* Collection (Physical), */
2636 ++ 0x85, 0x05, /* Report ID (5), */
2637 ++ 0x09, 0x57, /* Usage (57h), */
2638 ++ 0x09, 0x58, /* Usage (58h), */
2639 ++ 0x75, 0x01, /* Report Size (1), */
2640 ++ 0x95, 0x02, /* Report Count (2), */
2641 ++ 0x25, 0x01, /* Logical Maximum (1), */
2642 ++ 0xB1, 0x02, /* Feature (Variable), */
2643 ++ 0x95, 0x06, /* Report Count (6), */
2644 ++ 0xB1, 0x03, /* Feature (Constant, Variable),*/
2645 ++ 0xC0, /* End Collection, */
2646 ++ 0xC0 /* End Collection */
2647 ++ },
2648 ++ .hid_report_desc_size = 475,
2649 ++ .i2c_name = "SYNA3602:00"
2650 ++};
2651 ++
2652 ++
2653 ++static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = {
2654 ++ {
2655 ++ .ident = "Teclast F6 Pro",
2656 ++ .matches = {
2657 ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TECLAST"),
2658 ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "F6 Pro"),
2659 ++ },
2660 ++ .driver_data = (void *)&sipodev_desc
2661 ++ },
2662 ++ {
2663 ++ .ident = "Teclast F7",
2664 ++ .matches = {
2665 ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TECLAST"),
2666 ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "F7"),
2667 ++ },
2668 ++ .driver_data = (void *)&sipodev_desc
2669 ++ },
2670 ++ {
2671 ++ .ident = "Trekstor Primebook C13",
2672 ++ .matches = {
2673 ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TREKSTOR"),
2674 ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Primebook C13"),
2675 ++ },
2676 ++ .driver_data = (void *)&sipodev_desc
2677 ++ },
2678 ++ {
2679 ++ .ident = "Trekstor Primebook C11",
2680 ++ .matches = {
2681 ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TREKSTOR"),
2682 ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Primebook C11"),
2683 ++ },
2684 ++ .driver_data = (void *)&sipodev_desc
2685 ++ },
2686 ++ {
2687 ++ .ident = "Direkt-Tek DTLAPY116-2",
2688 ++ .matches = {
2689 ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Direkt-Tek"),
2690 ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "DTLAPY116-2"),
2691 ++ },
2692 ++ .driver_data = (void *)&sipodev_desc
2693 ++ },
2694 ++ {
2695 ++ .ident = "Mediacom Flexbook Edge 11",
2696 ++ .matches = {
2697 ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "MEDIACOM"),
2698 ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "FlexBook edge11 - M-FBE11"),
2699 ++ },
2700 ++ .driver_data = (void *)&sipodev_desc
2701 ++ }
2702 ++};
2703 ++
2704 ++
2705 ++struct i2c_hid_desc *i2c_hid_get_dmi_i2c_hid_desc_override(uint8_t *i2c_name)
2706 ++{
2707 ++ struct i2c_hid_desc_override *override;
2708 ++ const struct dmi_system_id *system_id;
2709 ++
2710 ++ system_id = dmi_first_match(i2c_hid_dmi_desc_override_table);
2711 ++ if (!system_id)
2712 ++ return NULL;
2713 ++
2714 ++ override = system_id->driver_data;
2715 ++ if (strcmp(override->i2c_name, i2c_name))
2716 ++ return NULL;
2717 ++
2718 ++ return override->i2c_hid_desc;
2719 ++}
2720 ++
2721 ++char *i2c_hid_get_dmi_hid_report_desc_override(uint8_t *i2c_name,
2722 ++ unsigned int *size)
2723 ++{
2724 ++ struct i2c_hid_desc_override *override;
2725 ++ const struct dmi_system_id *system_id;
2726 ++
2727 ++ system_id = dmi_first_match(i2c_hid_dmi_desc_override_table);
2728 ++ if (!system_id)
2729 ++ return NULL;
2730 ++
2731 ++ override = system_id->driver_data;
2732 ++ if (strcmp(override->i2c_name, i2c_name))
2733 ++ return NULL;
2734 ++
2735 ++ *size = override->hid_report_desc_size;
2736 ++ return override->hid_report_desc;
2737 ++}
2738 +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
2739 +deleted file mode 100644
2740 +index 136a34dc31b8..000000000000
2741 +--- a/drivers/hid/i2c-hid/i2c-hid.c
2742 ++++ /dev/null
2743 +@@ -1,1279 +0,0 @@
2744 +-/*
2745 +- * HID over I2C protocol implementation
2746 +- *
2747 +- * Copyright (c) 2012 Benjamin Tissoires <benjamin.tissoires@×××××.com>
2748 +- * Copyright (c) 2012 Ecole Nationale de l'Aviation Civile, France
2749 +- * Copyright (c) 2012 Red Hat, Inc
2750 +- *
2751 +- * This code is partly based on "USB HID support for Linux":
2752 +- *
2753 +- * Copyright (c) 1999 Andreas Gal
2754 +- * Copyright (c) 2000-2005 Vojtech Pavlik <vojtech@××××.cz>
2755 +- * Copyright (c) 2005 Michael Haboustak <mike-@××××××××.com> for Concept2, Inc
2756 +- * Copyright (c) 2007-2008 Oliver Neukum
2757 +- * Copyright (c) 2006-2010 Jiri Kosina
2758 +- *
2759 +- * This file is subject to the terms and conditions of the GNU General Public
2760 +- * License. See the file COPYING in the main directory of this archive for
2761 +- * more details.
2762 +- */
2763 +-
2764 +-#include <linux/module.h>
2765 +-#include <linux/i2c.h>
2766 +-#include <linux/interrupt.h>
2767 +-#include <linux/input.h>
2768 +-#include <linux/irq.h>
2769 +-#include <linux/delay.h>
2770 +-#include <linux/slab.h>
2771 +-#include <linux/pm.h>
2772 +-#include <linux/pm_runtime.h>
2773 +-#include <linux/device.h>
2774 +-#include <linux/wait.h>
2775 +-#include <linux/err.h>
2776 +-#include <linux/string.h>
2777 +-#include <linux/list.h>
2778 +-#include <linux/jiffies.h>
2779 +-#include <linux/kernel.h>
2780 +-#include <linux/hid.h>
2781 +-#include <linux/mutex.h>
2782 +-#include <linux/acpi.h>
2783 +-#include <linux/of.h>
2784 +-#include <linux/regulator/consumer.h>
2785 +-
2786 +-#include <linux/platform_data/i2c-hid.h>
2787 +-
2788 +-#include "../hid-ids.h"
2789 +-
2790 +-/* quirks to control the device */
2791 +-#define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0)
2792 +-
2793 +-/* flags */
2794 +-#define I2C_HID_STARTED 0
2795 +-#define I2C_HID_RESET_PENDING 1
2796 +-#define I2C_HID_READ_PENDING 2
2797 +-
2798 +-#define I2C_HID_PWR_ON 0x00
2799 +-#define I2C_HID_PWR_SLEEP 0x01
2800 +-
2801 +-/* debug option */
2802 +-static bool debug;
2803 +-module_param(debug, bool, 0444);
2804 +-MODULE_PARM_DESC(debug, "print a lot of debug information");
2805 +-
2806 +-#define i2c_hid_dbg(ihid, fmt, arg...) \
2807 +-do { \
2808 +- if (debug) \
2809 +- dev_printk(KERN_DEBUG, &(ihid)->client->dev, fmt, ##arg); \
2810 +-} while (0)
2811 +-
2812 +-struct i2c_hid_desc {
2813 +- __le16 wHIDDescLength;
2814 +- __le16 bcdVersion;
2815 +- __le16 wReportDescLength;
2816 +- __le16 wReportDescRegister;
2817 +- __le16 wInputRegister;
2818 +- __le16 wMaxInputLength;
2819 +- __le16 wOutputRegister;
2820 +- __le16 wMaxOutputLength;
2821 +- __le16 wCommandRegister;
2822 +- __le16 wDataRegister;
2823 +- __le16 wVendorID;
2824 +- __le16 wProductID;
2825 +- __le16 wVersionID;
2826 +- __le32 reserved;
2827 +-} __packed;
2828 +-
2829 +-struct i2c_hid_cmd {
2830 +- unsigned int registerIndex;
2831 +- __u8 opcode;
2832 +- unsigned int length;
2833 +- bool wait;
2834 +-};
2835 +-
2836 +-union command {
2837 +- u8 data[0];
2838 +- struct cmd {
2839 +- __le16 reg;
2840 +- __u8 reportTypeID;
2841 +- __u8 opcode;
2842 +- } __packed c;
2843 +-};
2844 +-
2845 +-#define I2C_HID_CMD(opcode_) \
2846 +- .opcode = opcode_, .length = 4, \
2847 +- .registerIndex = offsetof(struct i2c_hid_desc, wCommandRegister)
2848 +-
2849 +-/* fetch HID descriptor */
2850 +-static const struct i2c_hid_cmd hid_descr_cmd = { .length = 2 };
2851 +-/* fetch report descriptors */
2852 +-static const struct i2c_hid_cmd hid_report_descr_cmd = {
2853 +- .registerIndex = offsetof(struct i2c_hid_desc,
2854 +- wReportDescRegister),
2855 +- .opcode = 0x00,
2856 +- .length = 2 };
2857 +-/* commands */
2858 +-static const struct i2c_hid_cmd hid_reset_cmd = { I2C_HID_CMD(0x01),
2859 +- .wait = true };
2860 +-static const struct i2c_hid_cmd hid_get_report_cmd = { I2C_HID_CMD(0x02) };
2861 +-static const struct i2c_hid_cmd hid_set_report_cmd = { I2C_HID_CMD(0x03) };
2862 +-static const struct i2c_hid_cmd hid_set_power_cmd = { I2C_HID_CMD(0x08) };
2863 +-static const struct i2c_hid_cmd hid_no_cmd = { .length = 0 };
2864 +-
2865 +-/*
2866 +- * These definitions are not used here, but are defined by the spec.
2867 +- * Keeping them here for documentation purposes.
2868 +- *
2869 +- * static const struct i2c_hid_cmd hid_get_idle_cmd = { I2C_HID_CMD(0x04) };
2870 +- * static const struct i2c_hid_cmd hid_set_idle_cmd = { I2C_HID_CMD(0x05) };
2871 +- * static const struct i2c_hid_cmd hid_get_protocol_cmd = { I2C_HID_CMD(0x06) };
2872 +- * static const struct i2c_hid_cmd hid_set_protocol_cmd = { I2C_HID_CMD(0x07) };
2873 +- */
2874 +-
2875 +-static DEFINE_MUTEX(i2c_hid_open_mut);
2876 +-
2877 +-/* The main device structure */
2878 +-struct i2c_hid {
2879 +- struct i2c_client *client; /* i2c client */
2880 +- struct hid_device *hid; /* pointer to corresponding HID dev */
2881 +- union {
2882 +- __u8 hdesc_buffer[sizeof(struct i2c_hid_desc)];
2883 +- struct i2c_hid_desc hdesc; /* the HID Descriptor */
2884 +- };
2885 +- __le16 wHIDDescRegister; /* location of the i2c
2886 +- * register of the HID
2887 +- * descriptor. */
2888 +- unsigned int bufsize; /* i2c buffer size */
2889 +- u8 *inbuf; /* Input buffer */
2890 +- u8 *rawbuf; /* Raw Input buffer */
2891 +- u8 *cmdbuf; /* Command buffer */
2892 +- u8 *argsbuf; /* Command arguments buffer */
2893 +-
2894 +- unsigned long flags; /* device flags */
2895 +- unsigned long quirks; /* Various quirks */
2896 +-
2897 +- wait_queue_head_t wait; /* For waiting the interrupt */
2898 +-
2899 +- struct i2c_hid_platform_data pdata;
2900 +-
2901 +- bool irq_wake_enabled;
2902 +- struct mutex reset_lock;
2903 +-};
2904 +-
2905 +-static const struct i2c_hid_quirks {
2906 +- __u16 idVendor;
2907 +- __u16 idProduct;
2908 +- __u32 quirks;
2909 +-} i2c_hid_quirks[] = {
2910 +- { USB_VENDOR_ID_WEIDA, USB_DEVICE_ID_WEIDA_8752,
2911 +- I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV },
2912 +- { USB_VENDOR_ID_WEIDA, USB_DEVICE_ID_WEIDA_8755,
2913 +- I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV },
2914 +- { 0, 0 }
2915 +-};
2916 +-
2917 +-/*
2918 +- * i2c_hid_lookup_quirk: return any quirks associated with a I2C HID device
2919 +- * @idVendor: the 16-bit vendor ID
2920 +- * @idProduct: the 16-bit product ID
2921 +- *
2922 +- * Returns: a u32 quirks value.
2923 +- */
2924 +-static u32 i2c_hid_lookup_quirk(const u16 idVendor, const u16 idProduct)
2925 +-{
2926 +- u32 quirks = 0;
2927 +- int n;
2928 +-
2929 +- for (n = 0; i2c_hid_quirks[n].idVendor; n++)
2930 +- if (i2c_hid_quirks[n].idVendor == idVendor &&
2931 +- (i2c_hid_quirks[n].idProduct == (__u16)HID_ANY_ID ||
2932 +- i2c_hid_quirks[n].idProduct == idProduct))
2933 +- quirks = i2c_hid_quirks[n].quirks;
2934 +-
2935 +- return quirks;
2936 +-}
2937 +-
2938 +-static int __i2c_hid_command(struct i2c_client *client,
2939 +- const struct i2c_hid_cmd *command, u8 reportID,
2940 +- u8 reportType, u8 *args, int args_len,
2941 +- unsigned char *buf_recv, int data_len)
2942 +-{
2943 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
2944 +- union command *cmd = (union command *)ihid->cmdbuf;
2945 +- int ret;
2946 +- struct i2c_msg msg[2];
2947 +- int msg_num = 1;
2948 +-
2949 +- int length = command->length;
2950 +- bool wait = command->wait;
2951 +- unsigned int registerIndex = command->registerIndex;
2952 +-
2953 +- /* special case for hid_descr_cmd */
2954 +- if (command == &hid_descr_cmd) {
2955 +- cmd->c.reg = ihid->wHIDDescRegister;
2956 +- } else {
2957 +- cmd->data[0] = ihid->hdesc_buffer[registerIndex];
2958 +- cmd->data[1] = ihid->hdesc_buffer[registerIndex + 1];
2959 +- }
2960 +-
2961 +- if (length > 2) {
2962 +- cmd->c.opcode = command->opcode;
2963 +- cmd->c.reportTypeID = reportID | reportType << 4;
2964 +- }
2965 +-
2966 +- memcpy(cmd->data + length, args, args_len);
2967 +- length += args_len;
2968 +-
2969 +- i2c_hid_dbg(ihid, "%s: cmd=%*ph\n", __func__, length, cmd->data);
2970 +-
2971 +- msg[0].addr = client->addr;
2972 +- msg[0].flags = client->flags & I2C_M_TEN;
2973 +- msg[0].len = length;
2974 +- msg[0].buf = cmd->data;
2975 +- if (data_len > 0) {
2976 +- msg[1].addr = client->addr;
2977 +- msg[1].flags = client->flags & I2C_M_TEN;
2978 +- msg[1].flags |= I2C_M_RD;
2979 +- msg[1].len = data_len;
2980 +- msg[1].buf = buf_recv;
2981 +- msg_num = 2;
2982 +- set_bit(I2C_HID_READ_PENDING, &ihid->flags);
2983 +- }
2984 +-
2985 +- if (wait)
2986 +- set_bit(I2C_HID_RESET_PENDING, &ihid->flags);
2987 +-
2988 +- ret = i2c_transfer(client->adapter, msg, msg_num);
2989 +-
2990 +- if (data_len > 0)
2991 +- clear_bit(I2C_HID_READ_PENDING, &ihid->flags);
2992 +-
2993 +- if (ret != msg_num)
2994 +- return ret < 0 ? ret : -EIO;
2995 +-
2996 +- ret = 0;
2997 +-
2998 +- if (wait) {
2999 +- i2c_hid_dbg(ihid, "%s: waiting...\n", __func__);
3000 +- if (!wait_event_timeout(ihid->wait,
3001 +- !test_bit(I2C_HID_RESET_PENDING, &ihid->flags),
3002 +- msecs_to_jiffies(5000)))
3003 +- ret = -ENODATA;
3004 +- i2c_hid_dbg(ihid, "%s: finished.\n", __func__);
3005 +- }
3006 +-
3007 +- return ret;
3008 +-}
3009 +-
3010 +-static int i2c_hid_command(struct i2c_client *client,
3011 +- const struct i2c_hid_cmd *command,
3012 +- unsigned char *buf_recv, int data_len)
3013 +-{
3014 +- return __i2c_hid_command(client, command, 0, 0, NULL, 0,
3015 +- buf_recv, data_len);
3016 +-}
3017 +-
3018 +-static int i2c_hid_get_report(struct i2c_client *client, u8 reportType,
3019 +- u8 reportID, unsigned char *buf_recv, int data_len)
3020 +-{
3021 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3022 +- u8 args[3];
3023 +- int ret;
3024 +- int args_len = 0;
3025 +- u16 readRegister = le16_to_cpu(ihid->hdesc.wDataRegister);
3026 +-
3027 +- i2c_hid_dbg(ihid, "%s\n", __func__);
3028 +-
3029 +- if (reportID >= 0x0F) {
3030 +- args[args_len++] = reportID;
3031 +- reportID = 0x0F;
3032 +- }
3033 +-
3034 +- args[args_len++] = readRegister & 0xFF;
3035 +- args[args_len++] = readRegister >> 8;
3036 +-
3037 +- ret = __i2c_hid_command(client, &hid_get_report_cmd, reportID,
3038 +- reportType, args, args_len, buf_recv, data_len);
3039 +- if (ret) {
3040 +- dev_err(&client->dev,
3041 +- "failed to retrieve report from device.\n");
3042 +- return ret;
3043 +- }
3044 +-
3045 +- return 0;
3046 +-}
3047 +-
3048 +-/**
3049 +- * i2c_hid_set_or_send_report: forward an incoming report to the device
3050 +- * @client: the i2c_client of the device
3051 +- * @reportType: 0x03 for HID_FEATURE_REPORT ; 0x02 for HID_OUTPUT_REPORT
3052 +- * @reportID: the report ID
3053 +- * @buf: the actual data to transfer, without the report ID
3054 +- * @len: size of buf
3055 +- * @use_data: true: use SET_REPORT HID command, false: send plain OUTPUT report
3056 +- */
3057 +-static int i2c_hid_set_or_send_report(struct i2c_client *client, u8 reportType,
3058 +- u8 reportID, unsigned char *buf, size_t data_len, bool use_data)
3059 +-{
3060 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3061 +- u8 *args = ihid->argsbuf;
3062 +- const struct i2c_hid_cmd *hidcmd;
3063 +- int ret;
3064 +- u16 dataRegister = le16_to_cpu(ihid->hdesc.wDataRegister);
3065 +- u16 outputRegister = le16_to_cpu(ihid->hdesc.wOutputRegister);
3066 +- u16 maxOutputLength = le16_to_cpu(ihid->hdesc.wMaxOutputLength);
3067 +- u16 size;
3068 +- int args_len;
3069 +- int index = 0;
3070 +-
3071 +- i2c_hid_dbg(ihid, "%s\n", __func__);
3072 +-
3073 +- if (data_len > ihid->bufsize)
3074 +- return -EINVAL;
3075 +-
3076 +- size = 2 /* size */ +
3077 +- (reportID ? 1 : 0) /* reportID */ +
3078 +- data_len /* buf */;
3079 +- args_len = (reportID >= 0x0F ? 1 : 0) /* optional third byte */ +
3080 +- 2 /* dataRegister */ +
3081 +- size /* args */;
3082 +-
3083 +- if (!use_data && maxOutputLength == 0)
3084 +- return -ENOSYS;
3085 +-
3086 +- if (reportID >= 0x0F) {
3087 +- args[index++] = reportID;
3088 +- reportID = 0x0F;
3089 +- }
3090 +-
3091 +- /*
3092 +- * use the data register for feature reports or if the device does not
3093 +- * support the output register
3094 +- */
3095 +- if (use_data) {
3096 +- args[index++] = dataRegister & 0xFF;
3097 +- args[index++] = dataRegister >> 8;
3098 +- hidcmd = &hid_set_report_cmd;
3099 +- } else {
3100 +- args[index++] = outputRegister & 0xFF;
3101 +- args[index++] = outputRegister >> 8;
3102 +- hidcmd = &hid_no_cmd;
3103 +- }
3104 +-
3105 +- args[index++] = size & 0xFF;
3106 +- args[index++] = size >> 8;
3107 +-
3108 +- if (reportID)
3109 +- args[index++] = reportID;
3110 +-
3111 +- memcpy(&args[index], buf, data_len);
3112 +-
3113 +- ret = __i2c_hid_command(client, hidcmd, reportID,
3114 +- reportType, args, args_len, NULL, 0);
3115 +- if (ret) {
3116 +- dev_err(&client->dev, "failed to set a report to device.\n");
3117 +- return ret;
3118 +- }
3119 +-
3120 +- return data_len;
3121 +-}
3122 +-
3123 +-static int i2c_hid_set_power(struct i2c_client *client, int power_state)
3124 +-{
3125 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3126 +- int ret;
3127 +-
3128 +- i2c_hid_dbg(ihid, "%s\n", __func__);
3129 +-
3130 +- /*
3131 +- * Some devices require to send a command to wakeup before power on.
3132 +- * The call will get a return value (EREMOTEIO) but device will be
3133 +- * triggered and activated. After that, it goes like a normal device.
3134 +- */
3135 +- if (power_state == I2C_HID_PWR_ON &&
3136 +- ihid->quirks & I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV) {
3137 +- ret = i2c_hid_command(client, &hid_set_power_cmd, NULL, 0);
3138 +-
3139 +- /* Device was already activated */
3140 +- if (!ret)
3141 +- goto set_pwr_exit;
3142 +- }
3143 +-
3144 +- ret = __i2c_hid_command(client, &hid_set_power_cmd, power_state,
3145 +- 0, NULL, 0, NULL, 0);
3146 +-
3147 +- if (ret)
3148 +- dev_err(&client->dev, "failed to change power setting.\n");
3149 +-
3150 +-set_pwr_exit:
3151 +- return ret;
3152 +-}
3153 +-
3154 +-static int i2c_hid_hwreset(struct i2c_client *client)
3155 +-{
3156 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3157 +- int ret;
3158 +-
3159 +- i2c_hid_dbg(ihid, "%s\n", __func__);
3160 +-
3161 +- /*
3162 +- * This prevents sending feature reports while the device is
3163 +- * being reset. Otherwise we may lose the reset complete
3164 +- * interrupt.
3165 +- */
3166 +- mutex_lock(&ihid->reset_lock);
3167 +-
3168 +- ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
3169 +- if (ret)
3170 +- goto out_unlock;
3171 +-
3172 +- /*
3173 +- * The HID over I2C specification states that if a DEVICE needs time
3174 +- * after the PWR_ON request, it should utilise CLOCK stretching.
3175 +- * However, it has been observered that the Windows driver provides a
3176 +- * 1ms sleep between the PWR_ON and RESET requests and that some devices
3177 +- * rely on this.
3178 +- */
3179 +- usleep_range(1000, 5000);
3180 +-
3181 +- i2c_hid_dbg(ihid, "resetting...\n");
3182 +-
3183 +- ret = i2c_hid_command(client, &hid_reset_cmd, NULL, 0);
3184 +- if (ret) {
3185 +- dev_err(&client->dev, "failed to reset device.\n");
3186 +- i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
3187 +- }
3188 +-
3189 +-out_unlock:
3190 +- mutex_unlock(&ihid->reset_lock);
3191 +- return ret;
3192 +-}
3193 +-
3194 +-static void i2c_hid_get_input(struct i2c_hid *ihid)
3195 +-{
3196 +- int ret;
3197 +- u32 ret_size;
3198 +- int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
3199 +-
3200 +- if (size > ihid->bufsize)
3201 +- size = ihid->bufsize;
3202 +-
3203 +- ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
3204 +- if (ret != size) {
3205 +- if (ret < 0)
3206 +- return;
3207 +-
3208 +- dev_err(&ihid->client->dev, "%s: got %d data instead of %d\n",
3209 +- __func__, ret, size);
3210 +- return;
3211 +- }
3212 +-
3213 +- ret_size = ihid->inbuf[0] | ihid->inbuf[1] << 8;
3214 +-
3215 +- if (!ret_size) {
3216 +- /* host or device initiated RESET completed */
3217 +- if (test_and_clear_bit(I2C_HID_RESET_PENDING, &ihid->flags))
3218 +- wake_up(&ihid->wait);
3219 +- return;
3220 +- }
3221 +-
3222 +- if ((ret_size > size) || (ret_size < 2)) {
3223 +- dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
3224 +- __func__, size, ret_size);
3225 +- return;
3226 +- }
3227 +-
3228 +- i2c_hid_dbg(ihid, "input: %*ph\n", ret_size, ihid->inbuf);
3229 +-
3230 +- if (test_bit(I2C_HID_STARTED, &ihid->flags))
3231 +- hid_input_report(ihid->hid, HID_INPUT_REPORT, ihid->inbuf + 2,
3232 +- ret_size - 2, 1);
3233 +-
3234 +- return;
3235 +-}
3236 +-
3237 +-static irqreturn_t i2c_hid_irq(int irq, void *dev_id)
3238 +-{
3239 +- struct i2c_hid *ihid = dev_id;
3240 +-
3241 +- if (test_bit(I2C_HID_READ_PENDING, &ihid->flags))
3242 +- return IRQ_HANDLED;
3243 +-
3244 +- i2c_hid_get_input(ihid);
3245 +-
3246 +- return IRQ_HANDLED;
3247 +-}
3248 +-
3249 +-static int i2c_hid_get_report_length(struct hid_report *report)
3250 +-{
3251 +- return ((report->size - 1) >> 3) + 1 +
3252 +- report->device->report_enum[report->type].numbered + 2;
3253 +-}
3254 +-
3255 +-/*
3256 +- * Traverse the supplied list of reports and find the longest
3257 +- */
3258 +-static void i2c_hid_find_max_report(struct hid_device *hid, unsigned int type,
3259 +- unsigned int *max)
3260 +-{
3261 +- struct hid_report *report;
3262 +- unsigned int size;
3263 +-
3264 +- /* We should not rely on wMaxInputLength, as some devices may set it to
3265 +- * a wrong length. */
3266 +- list_for_each_entry(report, &hid->report_enum[type].report_list, list) {
3267 +- size = i2c_hid_get_report_length(report);
3268 +- if (*max < size)
3269 +- *max = size;
3270 +- }
3271 +-}
3272 +-
3273 +-static void i2c_hid_free_buffers(struct i2c_hid *ihid)
3274 +-{
3275 +- kfree(ihid->inbuf);
3276 +- kfree(ihid->rawbuf);
3277 +- kfree(ihid->argsbuf);
3278 +- kfree(ihid->cmdbuf);
3279 +- ihid->inbuf = NULL;
3280 +- ihid->rawbuf = NULL;
3281 +- ihid->cmdbuf = NULL;
3282 +- ihid->argsbuf = NULL;
3283 +- ihid->bufsize = 0;
3284 +-}
3285 +-
3286 +-static int i2c_hid_alloc_buffers(struct i2c_hid *ihid, size_t report_size)
3287 +-{
3288 +- /* the worst case is computed from the set_report command with a
3289 +- * reportID > 15 and the maximum report length */
3290 +- int args_len = sizeof(__u8) + /* ReportID */
3291 +- sizeof(__u8) + /* optional ReportID byte */
3292 +- sizeof(__u16) + /* data register */
3293 +- sizeof(__u16) + /* size of the report */
3294 +- report_size; /* report */
3295 +-
3296 +- ihid->inbuf = kzalloc(report_size, GFP_KERNEL);
3297 +- ihid->rawbuf = kzalloc(report_size, GFP_KERNEL);
3298 +- ihid->argsbuf = kzalloc(args_len, GFP_KERNEL);
3299 +- ihid->cmdbuf = kzalloc(sizeof(union command) + args_len, GFP_KERNEL);
3300 +-
3301 +- if (!ihid->inbuf || !ihid->rawbuf || !ihid->argsbuf || !ihid->cmdbuf) {
3302 +- i2c_hid_free_buffers(ihid);
3303 +- return -ENOMEM;
3304 +- }
3305 +-
3306 +- ihid->bufsize = report_size;
3307 +-
3308 +- return 0;
3309 +-}
3310 +-
3311 +-static int i2c_hid_get_raw_report(struct hid_device *hid,
3312 +- unsigned char report_number, __u8 *buf, size_t count,
3313 +- unsigned char report_type)
3314 +-{
3315 +- struct i2c_client *client = hid->driver_data;
3316 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3317 +- size_t ret_count, ask_count;
3318 +- int ret;
3319 +-
3320 +- if (report_type == HID_OUTPUT_REPORT)
3321 +- return -EINVAL;
3322 +-
3323 +- /* +2 bytes to include the size of the reply in the query buffer */
3324 +- ask_count = min(count + 2, (size_t)ihid->bufsize);
3325 +-
3326 +- ret = i2c_hid_get_report(client,
3327 +- report_type == HID_FEATURE_REPORT ? 0x03 : 0x01,
3328 +- report_number, ihid->rawbuf, ask_count);
3329 +-
3330 +- if (ret < 0)
3331 +- return ret;
3332 +-
3333 +- ret_count = ihid->rawbuf[0] | (ihid->rawbuf[1] << 8);
3334 +-
3335 +- if (ret_count <= 2)
3336 +- return 0;
3337 +-
3338 +- ret_count = min(ret_count, ask_count);
3339 +-
3340 +- /* The query buffer contains the size, dropping it in the reply */
3341 +- count = min(count, ret_count - 2);
3342 +- memcpy(buf, ihid->rawbuf + 2, count);
3343 +-
3344 +- return count;
3345 +-}
3346 +-
3347 +-static int i2c_hid_output_raw_report(struct hid_device *hid, __u8 *buf,
3348 +- size_t count, unsigned char report_type, bool use_data)
3349 +-{
3350 +- struct i2c_client *client = hid->driver_data;
3351 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3352 +- int report_id = buf[0];
3353 +- int ret;
3354 +-
3355 +- if (report_type == HID_INPUT_REPORT)
3356 +- return -EINVAL;
3357 +-
3358 +- mutex_lock(&ihid->reset_lock);
3359 +-
3360 +- if (report_id) {
3361 +- buf++;
3362 +- count--;
3363 +- }
3364 +-
3365 +- ret = i2c_hid_set_or_send_report(client,
3366 +- report_type == HID_FEATURE_REPORT ? 0x03 : 0x02,
3367 +- report_id, buf, count, use_data);
3368 +-
3369 +- if (report_id && ret >= 0)
3370 +- ret++; /* add report_id to the number of transfered bytes */
3371 +-
3372 +- mutex_unlock(&ihid->reset_lock);
3373 +-
3374 +- return ret;
3375 +-}
3376 +-
3377 +-static int i2c_hid_output_report(struct hid_device *hid, __u8 *buf,
3378 +- size_t count)
3379 +-{
3380 +- return i2c_hid_output_raw_report(hid, buf, count, HID_OUTPUT_REPORT,
3381 +- false);
3382 +-}
3383 +-
3384 +-static int i2c_hid_raw_request(struct hid_device *hid, unsigned char reportnum,
3385 +- __u8 *buf, size_t len, unsigned char rtype,
3386 +- int reqtype)
3387 +-{
3388 +- switch (reqtype) {
3389 +- case HID_REQ_GET_REPORT:
3390 +- return i2c_hid_get_raw_report(hid, reportnum, buf, len, rtype);
3391 +- case HID_REQ_SET_REPORT:
3392 +- if (buf[0] != reportnum)
3393 +- return -EINVAL;
3394 +- return i2c_hid_output_raw_report(hid, buf, len, rtype, true);
3395 +- default:
3396 +- return -EIO;
3397 +- }
3398 +-}
3399 +-
3400 +-static int i2c_hid_parse(struct hid_device *hid)
3401 +-{
3402 +- struct i2c_client *client = hid->driver_data;
3403 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3404 +- struct i2c_hid_desc *hdesc = &ihid->hdesc;
3405 +- unsigned int rsize;
3406 +- char *rdesc;
3407 +- int ret;
3408 +- int tries = 3;
3409 +-
3410 +- i2c_hid_dbg(ihid, "entering %s\n", __func__);
3411 +-
3412 +- rsize = le16_to_cpu(hdesc->wReportDescLength);
3413 +- if (!rsize || rsize > HID_MAX_DESCRIPTOR_SIZE) {
3414 +- dbg_hid("weird size of report descriptor (%u)\n", rsize);
3415 +- return -EINVAL;
3416 +- }
3417 +-
3418 +- do {
3419 +- ret = i2c_hid_hwreset(client);
3420 +- if (ret)
3421 +- msleep(1000);
3422 +- } while (tries-- > 0 && ret);
3423 +-
3424 +- if (ret)
3425 +- return ret;
3426 +-
3427 +- rdesc = kzalloc(rsize, GFP_KERNEL);
3428 +-
3429 +- if (!rdesc) {
3430 +- dbg_hid("couldn't allocate rdesc memory\n");
3431 +- return -ENOMEM;
3432 +- }
3433 +-
3434 +- i2c_hid_dbg(ihid, "asking HID report descriptor\n");
3435 +-
3436 +- ret = i2c_hid_command(client, &hid_report_descr_cmd, rdesc, rsize);
3437 +- if (ret) {
3438 +- hid_err(hid, "reading report descriptor failed\n");
3439 +- kfree(rdesc);
3440 +- return -EIO;
3441 +- }
3442 +-
3443 +- i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc);
3444 +-
3445 +- ret = hid_parse_report(hid, rdesc, rsize);
3446 +- kfree(rdesc);
3447 +- if (ret) {
3448 +- dbg_hid("parsing report descriptor failed\n");
3449 +- return ret;
3450 +- }
3451 +-
3452 +- return 0;
3453 +-}
3454 +-
3455 +-static int i2c_hid_start(struct hid_device *hid)
3456 +-{
3457 +- struct i2c_client *client = hid->driver_data;
3458 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3459 +- int ret;
3460 +- unsigned int bufsize = HID_MIN_BUFFER_SIZE;
3461 +-
3462 +- i2c_hid_find_max_report(hid, HID_INPUT_REPORT, &bufsize);
3463 +- i2c_hid_find_max_report(hid, HID_OUTPUT_REPORT, &bufsize);
3464 +- i2c_hid_find_max_report(hid, HID_FEATURE_REPORT, &bufsize);
3465 +-
3466 +- if (bufsize > ihid->bufsize) {
3467 +- disable_irq(client->irq);
3468 +- i2c_hid_free_buffers(ihid);
3469 +-
3470 +- ret = i2c_hid_alloc_buffers(ihid, bufsize);
3471 +- enable_irq(client->irq);
3472 +-
3473 +- if (ret)
3474 +- return ret;
3475 +- }
3476 +-
3477 +- return 0;
3478 +-}
3479 +-
3480 +-static void i2c_hid_stop(struct hid_device *hid)
3481 +-{
3482 +- hid->claimed = 0;
3483 +-}
3484 +-
3485 +-static int i2c_hid_open(struct hid_device *hid)
3486 +-{
3487 +- struct i2c_client *client = hid->driver_data;
3488 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3489 +- int ret = 0;
3490 +-
3491 +- ret = pm_runtime_get_sync(&client->dev);
3492 +- if (ret < 0)
3493 +- return ret;
3494 +-
3495 +- set_bit(I2C_HID_STARTED, &ihid->flags);
3496 +- return 0;
3497 +-}
3498 +-
3499 +-static void i2c_hid_close(struct hid_device *hid)
3500 +-{
3501 +- struct i2c_client *client = hid->driver_data;
3502 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3503 +-
3504 +- clear_bit(I2C_HID_STARTED, &ihid->flags);
3505 +-
3506 +- /* Save some power */
3507 +- pm_runtime_put(&client->dev);
3508 +-}
3509 +-
3510 +-static int i2c_hid_power(struct hid_device *hid, int lvl)
3511 +-{
3512 +- struct i2c_client *client = hid->driver_data;
3513 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3514 +-
3515 +- i2c_hid_dbg(ihid, "%s lvl:%d\n", __func__, lvl);
3516 +-
3517 +- switch (lvl) {
3518 +- case PM_HINT_FULLON:
3519 +- pm_runtime_get_sync(&client->dev);
3520 +- break;
3521 +- case PM_HINT_NORMAL:
3522 +- pm_runtime_put(&client->dev);
3523 +- break;
3524 +- }
3525 +- return 0;
3526 +-}
3527 +-
3528 +-struct hid_ll_driver i2c_hid_ll_driver = {
3529 +- .parse = i2c_hid_parse,
3530 +- .start = i2c_hid_start,
3531 +- .stop = i2c_hid_stop,
3532 +- .open = i2c_hid_open,
3533 +- .close = i2c_hid_close,
3534 +- .power = i2c_hid_power,
3535 +- .output_report = i2c_hid_output_report,
3536 +- .raw_request = i2c_hid_raw_request,
3537 +-};
3538 +-EXPORT_SYMBOL_GPL(i2c_hid_ll_driver);
3539 +-
3540 +-static int i2c_hid_init_irq(struct i2c_client *client)
3541 +-{
3542 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3543 +- unsigned long irqflags = 0;
3544 +- int ret;
3545 +-
3546 +- dev_dbg(&client->dev, "Requesting IRQ: %d\n", client->irq);
3547 +-
3548 +- if (!irq_get_trigger_type(client->irq))
3549 +- irqflags = IRQF_TRIGGER_LOW;
3550 +-
3551 +- ret = request_threaded_irq(client->irq, NULL, i2c_hid_irq,
3552 +- irqflags | IRQF_ONESHOT, client->name, ihid);
3553 +- if (ret < 0) {
3554 +- dev_warn(&client->dev,
3555 +- "Could not register for %s interrupt, irq = %d,"
3556 +- " ret = %d\n",
3557 +- client->name, client->irq, ret);
3558 +-
3559 +- return ret;
3560 +- }
3561 +-
3562 +- return 0;
3563 +-}
3564 +-
3565 +-static int i2c_hid_fetch_hid_descriptor(struct i2c_hid *ihid)
3566 +-{
3567 +- struct i2c_client *client = ihid->client;
3568 +- struct i2c_hid_desc *hdesc = &ihid->hdesc;
3569 +- unsigned int dsize;
3570 +- int ret;
3571 +-
3572 +- /* i2c hid fetch using a fixed descriptor size (30 bytes) */
3573 +- i2c_hid_dbg(ihid, "Fetching the HID descriptor\n");
3574 +- ret = i2c_hid_command(client, &hid_descr_cmd, ihid->hdesc_buffer,
3575 +- sizeof(struct i2c_hid_desc));
3576 +- if (ret) {
3577 +- dev_err(&client->dev, "hid_descr_cmd failed\n");
3578 +- return -ENODEV;
3579 +- }
3580 +-
3581 +- /* Validate the length of HID descriptor, the 4 first bytes:
3582 +- * bytes 0-1 -> length
3583 +- * bytes 2-3 -> bcdVersion (has to be 1.00) */
3584 +- /* check bcdVersion == 1.0 */
3585 +- if (le16_to_cpu(hdesc->bcdVersion) != 0x0100) {
3586 +- dev_err(&client->dev,
3587 +- "unexpected HID descriptor bcdVersion (0x%04hx)\n",
3588 +- le16_to_cpu(hdesc->bcdVersion));
3589 +- return -ENODEV;
3590 +- }
3591 +-
3592 +- /* Descriptor length should be 30 bytes as per the specification */
3593 +- dsize = le16_to_cpu(hdesc->wHIDDescLength);
3594 +- if (dsize != sizeof(struct i2c_hid_desc)) {
3595 +- dev_err(&client->dev, "weird size of HID descriptor (%u)\n",
3596 +- dsize);
3597 +- return -ENODEV;
3598 +- }
3599 +- i2c_hid_dbg(ihid, "HID Descriptor: %*ph\n", dsize, ihid->hdesc_buffer);
3600 +- return 0;
3601 +-}
3602 +-
3603 +-#ifdef CONFIG_ACPI
3604 +-static int i2c_hid_acpi_pdata(struct i2c_client *client,
3605 +- struct i2c_hid_platform_data *pdata)
3606 +-{
3607 +- static guid_t i2c_hid_guid =
3608 +- GUID_INIT(0x3CDFF6F7, 0x4267, 0x4555,
3609 +- 0xAD, 0x05, 0xB3, 0x0A, 0x3D, 0x89, 0x38, 0xDE);
3610 +- union acpi_object *obj;
3611 +- struct acpi_device *adev;
3612 +- acpi_handle handle;
3613 +-
3614 +- handle = ACPI_HANDLE(&client->dev);
3615 +- if (!handle || acpi_bus_get_device(handle, &adev))
3616 +- return -ENODEV;
3617 +-
3618 +- obj = acpi_evaluate_dsm_typed(handle, &i2c_hid_guid, 1, 1, NULL,
3619 +- ACPI_TYPE_INTEGER);
3620 +- if (!obj) {
3621 +- dev_err(&client->dev, "device _DSM execution failed\n");
3622 +- return -ENODEV;
3623 +- }
3624 +-
3625 +- pdata->hid_descriptor_address = obj->integer.value;
3626 +- ACPI_FREE(obj);
3627 +-
3628 +- return 0;
3629 +-}
3630 +-
3631 +-static void i2c_hid_acpi_fix_up_power(struct device *dev)
3632 +-{
3633 +- acpi_handle handle = ACPI_HANDLE(dev);
3634 +- struct acpi_device *adev;
3635 +-
3636 +- if (handle && acpi_bus_get_device(handle, &adev) == 0)
3637 +- acpi_device_fix_up_power(adev);
3638 +-}
3639 +-
3640 +-static const struct acpi_device_id i2c_hid_acpi_match[] = {
3641 +- {"ACPI0C50", 0 },
3642 +- {"PNP0C50", 0 },
3643 +- { },
3644 +-};
3645 +-MODULE_DEVICE_TABLE(acpi, i2c_hid_acpi_match);
3646 +-#else
3647 +-static inline int i2c_hid_acpi_pdata(struct i2c_client *client,
3648 +- struct i2c_hid_platform_data *pdata)
3649 +-{
3650 +- return -ENODEV;
3651 +-}
3652 +-
3653 +-static inline void i2c_hid_acpi_fix_up_power(struct device *dev) {}
3654 +-#endif
3655 +-
3656 +-#ifdef CONFIG_OF
3657 +-static int i2c_hid_of_probe(struct i2c_client *client,
3658 +- struct i2c_hid_platform_data *pdata)
3659 +-{
3660 +- struct device *dev = &client->dev;
3661 +- u32 val;
3662 +- int ret;
3663 +-
3664 +- ret = of_property_read_u32(dev->of_node, "hid-descr-addr", &val);
3665 +- if (ret) {
3666 +- dev_err(&client->dev, "HID register address not provided\n");
3667 +- return -ENODEV;
3668 +- }
3669 +- if (val >> 16) {
3670 +- dev_err(&client->dev, "Bad HID register address: 0x%08x\n",
3671 +- val);
3672 +- return -EINVAL;
3673 +- }
3674 +- pdata->hid_descriptor_address = val;
3675 +-
3676 +- ret = of_property_read_u32(dev->of_node, "post-power-on-delay-ms",
3677 +- &val);
3678 +- if (!ret)
3679 +- pdata->post_power_delay_ms = val;
3680 +-
3681 +- return 0;
3682 +-}
3683 +-
3684 +-static const struct of_device_id i2c_hid_of_match[] = {
3685 +- { .compatible = "hid-over-i2c" },
3686 +- {},
3687 +-};
3688 +-MODULE_DEVICE_TABLE(of, i2c_hid_of_match);
3689 +-#else
3690 +-static inline int i2c_hid_of_probe(struct i2c_client *client,
3691 +- struct i2c_hid_platform_data *pdata)
3692 +-{
3693 +- return -ENODEV;
3694 +-}
3695 +-#endif
3696 +-
3697 +-static int i2c_hid_probe(struct i2c_client *client,
3698 +- const struct i2c_device_id *dev_id)
3699 +-{
3700 +- int ret;
3701 +- struct i2c_hid *ihid;
3702 +- struct hid_device *hid;
3703 +- __u16 hidRegister;
3704 +- struct i2c_hid_platform_data *platform_data = client->dev.platform_data;
3705 +-
3706 +- dbg_hid("HID probe called for i2c 0x%02x\n", client->addr);
3707 +-
3708 +- if (!client->irq) {
3709 +- dev_err(&client->dev,
3710 +- "HID over i2c has not been provided an Int IRQ\n");
3711 +- return -EINVAL;
3712 +- }
3713 +-
3714 +- if (client->irq < 0) {
3715 +- if (client->irq != -EPROBE_DEFER)
3716 +- dev_err(&client->dev,
3717 +- "HID over i2c doesn't have a valid IRQ\n");
3718 +- return client->irq;
3719 +- }
3720 +-
3721 +- ihid = kzalloc(sizeof(struct i2c_hid), GFP_KERNEL);
3722 +- if (!ihid)
3723 +- return -ENOMEM;
3724 +-
3725 +- if (client->dev.of_node) {
3726 +- ret = i2c_hid_of_probe(client, &ihid->pdata);
3727 +- if (ret)
3728 +- goto err;
3729 +- } else if (!platform_data) {
3730 +- ret = i2c_hid_acpi_pdata(client, &ihid->pdata);
3731 +- if (ret) {
3732 +- dev_err(&client->dev,
3733 +- "HID register address not provided\n");
3734 +- goto err;
3735 +- }
3736 +- } else {
3737 +- ihid->pdata = *platform_data;
3738 +- }
3739 +-
3740 +- ihid->pdata.supply = devm_regulator_get(&client->dev, "vdd");
3741 +- if (IS_ERR(ihid->pdata.supply)) {
3742 +- ret = PTR_ERR(ihid->pdata.supply);
3743 +- if (ret != -EPROBE_DEFER)
3744 +- dev_err(&client->dev, "Failed to get regulator: %d\n",
3745 +- ret);
3746 +- goto err;
3747 +- }
3748 +-
3749 +- ret = regulator_enable(ihid->pdata.supply);
3750 +- if (ret < 0) {
3751 +- dev_err(&client->dev, "Failed to enable regulator: %d\n",
3752 +- ret);
3753 +- goto err;
3754 +- }
3755 +- if (ihid->pdata.post_power_delay_ms)
3756 +- msleep(ihid->pdata.post_power_delay_ms);
3757 +-
3758 +- i2c_set_clientdata(client, ihid);
3759 +-
3760 +- ihid->client = client;
3761 +-
3762 +- hidRegister = ihid->pdata.hid_descriptor_address;
3763 +- ihid->wHIDDescRegister = cpu_to_le16(hidRegister);
3764 +-
3765 +- init_waitqueue_head(&ihid->wait);
3766 +- mutex_init(&ihid->reset_lock);
3767 +-
3768 +- /* we need to allocate the command buffer without knowing the maximum
3769 +- * size of the reports. Let's use HID_MIN_BUFFER_SIZE, then we do the
3770 +- * real computation later. */
3771 +- ret = i2c_hid_alloc_buffers(ihid, HID_MIN_BUFFER_SIZE);
3772 +- if (ret < 0)
3773 +- goto err_regulator;
3774 +-
3775 +- i2c_hid_acpi_fix_up_power(&client->dev);
3776 +-
3777 +- pm_runtime_get_noresume(&client->dev);
3778 +- pm_runtime_set_active(&client->dev);
3779 +- pm_runtime_enable(&client->dev);
3780 +- device_enable_async_suspend(&client->dev);
3781 +-
3782 +- /* Make sure there is something at this address */
3783 +- ret = i2c_smbus_read_byte(client);
3784 +- if (ret < 0) {
3785 +- dev_dbg(&client->dev, "nothing at this address: %d\n", ret);
3786 +- ret = -ENXIO;
3787 +- goto err_pm;
3788 +- }
3789 +-
3790 +- ret = i2c_hid_fetch_hid_descriptor(ihid);
3791 +- if (ret < 0)
3792 +- goto err_pm;
3793 +-
3794 +- ret = i2c_hid_init_irq(client);
3795 +- if (ret < 0)
3796 +- goto err_pm;
3797 +-
3798 +- hid = hid_allocate_device();
3799 +- if (IS_ERR(hid)) {
3800 +- ret = PTR_ERR(hid);
3801 +- goto err_irq;
3802 +- }
3803 +-
3804 +- ihid->hid = hid;
3805 +-
3806 +- hid->driver_data = client;
3807 +- hid->ll_driver = &i2c_hid_ll_driver;
3808 +- hid->dev.parent = &client->dev;
3809 +- hid->bus = BUS_I2C;
3810 +- hid->version = le16_to_cpu(ihid->hdesc.bcdVersion);
3811 +- hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID);
3812 +- hid->product = le16_to_cpu(ihid->hdesc.wProductID);
3813 +-
3814 +- snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX",
3815 +- client->name, hid->vendor, hid->product);
3816 +- strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys));
3817 +-
3818 +- ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product);
3819 +-
3820 +- ret = hid_add_device(hid);
3821 +- if (ret) {
3822 +- if (ret != -ENODEV)
3823 +- hid_err(client, "can't add hid device: %d\n", ret);
3824 +- goto err_mem_free;
3825 +- }
3826 +-
3827 +- pm_runtime_put(&client->dev);
3828 +- return 0;
3829 +-
3830 +-err_mem_free:
3831 +- hid_destroy_device(hid);
3832 +-
3833 +-err_irq:
3834 +- free_irq(client->irq, ihid);
3835 +-
3836 +-err_pm:
3837 +- pm_runtime_put_noidle(&client->dev);
3838 +- pm_runtime_disable(&client->dev);
3839 +-
3840 +-err_regulator:
3841 +- regulator_disable(ihid->pdata.supply);
3842 +-
3843 +-err:
3844 +- i2c_hid_free_buffers(ihid);
3845 +- kfree(ihid);
3846 +- return ret;
3847 +-}
3848 +-
3849 +-static int i2c_hid_remove(struct i2c_client *client)
3850 +-{
3851 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3852 +- struct hid_device *hid;
3853 +-
3854 +- pm_runtime_get_sync(&client->dev);
3855 +- pm_runtime_disable(&client->dev);
3856 +- pm_runtime_set_suspended(&client->dev);
3857 +- pm_runtime_put_noidle(&client->dev);
3858 +-
3859 +- hid = ihid->hid;
3860 +- hid_destroy_device(hid);
3861 +-
3862 +- free_irq(client->irq, ihid);
3863 +-
3864 +- if (ihid->bufsize)
3865 +- i2c_hid_free_buffers(ihid);
3866 +-
3867 +- regulator_disable(ihid->pdata.supply);
3868 +-
3869 +- kfree(ihid);
3870 +-
3871 +- return 0;
3872 +-}
3873 +-
3874 +-static void i2c_hid_shutdown(struct i2c_client *client)
3875 +-{
3876 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3877 +-
3878 +- i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
3879 +- free_irq(client->irq, ihid);
3880 +-}
3881 +-
3882 +-#ifdef CONFIG_PM_SLEEP
3883 +-static int i2c_hid_suspend(struct device *dev)
3884 +-{
3885 +- struct i2c_client *client = to_i2c_client(dev);
3886 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3887 +- struct hid_device *hid = ihid->hid;
3888 +- int ret;
3889 +- int wake_status;
3890 +-
3891 +- if (hid->driver && hid->driver->suspend) {
3892 +- /*
3893 +- * Wake up the device so that IO issues in
3894 +- * HID driver's suspend code can succeed.
3895 +- */
3896 +- ret = pm_runtime_resume(dev);
3897 +- if (ret < 0)
3898 +- return ret;
3899 +-
3900 +- ret = hid->driver->suspend(hid, PMSG_SUSPEND);
3901 +- if (ret < 0)
3902 +- return ret;
3903 +- }
3904 +-
3905 +- if (!pm_runtime_suspended(dev)) {
3906 +- /* Save some power */
3907 +- i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
3908 +-
3909 +- disable_irq(client->irq);
3910 +- }
3911 +-
3912 +- if (device_may_wakeup(&client->dev)) {
3913 +- wake_status = enable_irq_wake(client->irq);
3914 +- if (!wake_status)
3915 +- ihid->irq_wake_enabled = true;
3916 +- else
3917 +- hid_warn(hid, "Failed to enable irq wake: %d\n",
3918 +- wake_status);
3919 +- } else {
3920 +- ret = regulator_disable(ihid->pdata.supply);
3921 +- if (ret < 0)
3922 +- hid_warn(hid, "Failed to disable supply: %d\n", ret);
3923 +- }
3924 +-
3925 +- return 0;
3926 +-}
3927 +-
3928 +-static int i2c_hid_resume(struct device *dev)
3929 +-{
3930 +- int ret;
3931 +- struct i2c_client *client = to_i2c_client(dev);
3932 +- struct i2c_hid *ihid = i2c_get_clientdata(client);
3933 +- struct hid_device *hid = ihid->hid;
3934 +- int wake_status;
3935 +-
3936 +- if (!device_may_wakeup(&client->dev)) {
3937 +- ret = regulator_enable(ihid->pdata.supply);
3938 +- if (ret < 0)
3939 +- hid_warn(hid, "Failed to enable supply: %d\n", ret);
3940 +- if (ihid->pdata.post_power_delay_ms)
3941 +- msleep(ihid->pdata.post_power_delay_ms);
3942 +- } else if (ihid->irq_wake_enabled) {
3943 +- wake_status = disable_irq_wake(client->irq);
3944 +- if (!wake_status)
3945 +- ihid->irq_wake_enabled = false;
3946 +- else
3947 +- hid_warn(hid, "Failed to disable irq wake: %d\n",
3948 +- wake_status);
3949 +- }
3950 +-
3951 +- /* We'll resume to full power */
3952 +- pm_runtime_disable(dev);
3953 +- pm_runtime_set_active(dev);
3954 +- pm_runtime_enable(dev);
3955 +-
3956 +- enable_irq(client->irq);
3957 +- ret = i2c_hid_hwreset(client);
3958 +- if (ret)
3959 +- return ret;
3960 +-
3961 +- if (hid->driver && hid->driver->reset_resume) {
3962 +- ret = hid->driver->reset_resume(hid);
3963 +- return ret;
3964 +- }
3965 +-
3966 +- return 0;
3967 +-}
3968 +-#endif
3969 +-
3970 +-#ifdef CONFIG_PM
3971 +-static int i2c_hid_runtime_suspend(struct device *dev)
3972 +-{
3973 +- struct i2c_client *client = to_i2c_client(dev);
3974 +-
3975 +- i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
3976 +- disable_irq(client->irq);
3977 +- return 0;
3978 +-}
3979 +-
3980 +-static int i2c_hid_runtime_resume(struct device *dev)
3981 +-{
3982 +- struct i2c_client *client = to_i2c_client(dev);
3983 +-
3984 +- enable_irq(client->irq);
3985 +- i2c_hid_set_power(client, I2C_HID_PWR_ON);
3986 +- return 0;
3987 +-}
3988 +-#endif
3989 +-
3990 +-static const struct dev_pm_ops i2c_hid_pm = {
3991 +- SET_SYSTEM_SLEEP_PM_OPS(i2c_hid_suspend, i2c_hid_resume)
3992 +- SET_RUNTIME_PM_OPS(i2c_hid_runtime_suspend, i2c_hid_runtime_resume,
3993 +- NULL)
3994 +-};
3995 +-
3996 +-static const struct i2c_device_id i2c_hid_id_table[] = {
3997 +- { "hid", 0 },
3998 +- { "hid-over-i2c", 0 },
3999 +- { },
4000 +-};
4001 +-MODULE_DEVICE_TABLE(i2c, i2c_hid_id_table);
4002 +-
4003 +-
4004 +-static struct i2c_driver i2c_hid_driver = {
4005 +- .driver = {
4006 +- .name = "i2c_hid",
4007 +- .pm = &i2c_hid_pm,
4008 +- .acpi_match_table = ACPI_PTR(i2c_hid_acpi_match),
4009 +- .of_match_table = of_match_ptr(i2c_hid_of_match),
4010 +- },
4011 +-
4012 +- .probe = i2c_hid_probe,
4013 +- .remove = i2c_hid_remove,
4014 +- .shutdown = i2c_hid_shutdown,
4015 +- .id_table = i2c_hid_id_table,
4016 +-};
4017 +-
4018 +-module_i2c_driver(i2c_hid_driver);
4019 +-
4020 +-MODULE_DESCRIPTION("HID over I2C core driver");
4021 +-MODULE_AUTHOR("Benjamin Tissoires <benjamin.tissoires@×××××.com>");
4022 +-MODULE_LICENSE("GPL");
4023 +diff --git a/drivers/hid/i2c-hid/i2c-hid.h b/drivers/hid/i2c-hid/i2c-hid.h
4024 +new file mode 100644
4025 +index 000000000000..a8c19aef5824
4026 +--- /dev/null
4027 ++++ b/drivers/hid/i2c-hid/i2c-hid.h
4028 +@@ -0,0 +1,20 @@
4029 ++/* SPDX-License-Identifier: GPL-2.0+ */
4030 ++
4031 ++#ifndef I2C_HID_H
4032 ++#define I2C_HID_H
4033 ++
4034 ++
4035 ++#ifdef CONFIG_DMI
4036 ++struct i2c_hid_desc *i2c_hid_get_dmi_i2c_hid_desc_override(uint8_t *i2c_name);
4037 ++char *i2c_hid_get_dmi_hid_report_desc_override(uint8_t *i2c_name,
4038 ++ unsigned int *size);
4039 ++#else
4040 ++static inline struct i2c_hid_desc
4041 ++ *i2c_hid_get_dmi_i2c_hid_desc_override(uint8_t *i2c_name)
4042 ++{ return NULL; }
4043 ++static inline char *i2c_hid_get_dmi_hid_report_desc_override(uint8_t *i2c_name,
4044 ++ unsigned int *size)
4045 ++{ return NULL; }
4046 ++#endif
4047 ++
4048 ++#endif
4049 +diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
4050 +index 9cdb3fbc8c1f..2f6f46ea68e9 100644
4051 +--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
4052 ++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
4053 +@@ -680,6 +680,10 @@ static const struct amba_id debug_ids[] = {
4054 + .id = 0x000bbd08,
4055 + .mask = 0x000fffff,
4056 + },
4057 ++ { /* Debug for Cortex-A73 */
4058 ++ .id = 0x000bbd09,
4059 ++ .mask = 0x000fffff,
4060 ++ },
4061 + { 0, 0 },
4062 + };
4063 +
4064 +diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c
4065 +index 155b4dfc0ae8..baab9afa9174 100644
4066 +--- a/drivers/infiniband/hw/mlx4/alias_GUID.c
4067 ++++ b/drivers/infiniband/hw/mlx4/alias_GUID.c
4068 +@@ -804,8 +804,8 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev)
4069 + unsigned long flags;
4070 +
4071 + for (i = 0 ; i < dev->num_ports; i++) {
4072 +- cancel_delayed_work(&dev->sriov.alias_guid.ports_guid[i].alias_guid_work);
4073 + det = &sriov->alias_guid.ports_guid[i];
4074 ++ cancel_delayed_work_sync(&det->alias_guid_work);
4075 + spin_lock_irqsave(&sriov->alias_guid.ag_work_lock, flags);
4076 + while (!list_empty(&det->cb_list)) {
4077 + cb_ctx = list_entry(det->cb_list.next,
4078 +diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
4079 +index c0d1c4db5794..38d0128b8135 100644
4080 +--- a/drivers/iommu/dmar.c
4081 ++++ b/drivers/iommu/dmar.c
4082 +@@ -144,7 +144,7 @@ dmar_alloc_pci_notify_info(struct pci_dev *dev, unsigned long event)
4083 + for (tmp = dev; tmp; tmp = tmp->bus->self)
4084 + level++;
4085 +
4086 +- size = sizeof(*info) + level * sizeof(struct acpi_dmar_pci_path);
4087 ++ size = sizeof(*info) + level * sizeof(info->path[0]);
4088 + if (size <= sizeof(dmar_pci_notify_info_buf)) {
4089 + info = (struct dmar_pci_notify_info *)dmar_pci_notify_info_buf;
4090 + } else {
4091 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
4092 +index 802ba7b16e09..fe935293fa7b 100644
4093 +--- a/drivers/iommu/intel-iommu.c
4094 ++++ b/drivers/iommu/intel-iommu.c
4095 +@@ -1646,6 +1646,9 @@ static void iommu_disable_protect_mem_regions(struct intel_iommu *iommu)
4096 + u32 pmen;
4097 + unsigned long flags;
4098 +
4099 ++ if (!cap_plmr(iommu->cap) && !cap_phmr(iommu->cap))
4100 ++ return;
4101 ++
4102 + raw_spin_lock_irqsave(&iommu->register_lock, flags);
4103 + pmen = readl(iommu->reg + DMAR_PMEN_REG);
4104 + pmen &= ~DMA_PMEN_EPM;
4105 +diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c
4106 +index 567b29c47608..98b6e1d4b1a6 100644
4107 +--- a/drivers/irqchip/irq-mbigen.c
4108 ++++ b/drivers/irqchip/irq-mbigen.c
4109 +@@ -161,6 +161,9 @@ static void mbigen_write_msg(struct msi_desc *desc, struct msi_msg *msg)
4110 + void __iomem *base = d->chip_data;
4111 + u32 val;
4112 +
4113 ++ if (!msg->address_lo && !msg->address_hi)
4114 ++ return;
4115 ++
4116 + base += get_mbigen_vec_reg(d->hwirq);
4117 + val = readl_relaxed(base);
4118 +
4119 +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
4120 +index 0d2005e5b24c..94b8d81f6020 100644
4121 +--- a/drivers/md/dm-crypt.c
4122 ++++ b/drivers/md/dm-crypt.c
4123 +@@ -334,7 +334,7 @@ static int crypt_iv_essiv_init(struct crypt_config *cc)
4124 +
4125 + sg_init_one(&sg, cc->key, cc->key_size);
4126 + ahash_request_set_tfm(req, essiv->hash_tfm);
4127 +- ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
4128 ++ ahash_request_set_callback(req, 0, NULL, NULL);
4129 + ahash_request_set_crypt(req, &sg, essiv->salt, cc->key_size);
4130 +
4131 + err = crypto_ahash_digest(req);
4132 +@@ -609,7 +609,7 @@ static int crypt_iv_lmk_one(struct crypt_config *cc, u8 *iv,
4133 + int i, r;
4134 +
4135 + desc->tfm = lmk->hash_tfm;
4136 +- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
4137 ++ desc->flags = 0;
4138 +
4139 + r = crypto_shash_init(desc);
4140 + if (r)
4141 +@@ -771,7 +771,7 @@ static int crypt_iv_tcw_whitening(struct crypt_config *cc,
4142 +
4143 + /* calculate crc32 for every 32bit part and xor it */
4144 + desc->tfm = tcw->crc32_tfm;
4145 +- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
4146 ++ desc->flags = 0;
4147 + for (i = 0; i < 4; i++) {
4148 + r = crypto_shash_init(desc);
4149 + if (r)
4150 +@@ -1254,7 +1254,7 @@ static void crypt_alloc_req_skcipher(struct crypt_config *cc,
4151 + * requests if driver request queue is full.
4152 + */
4153 + skcipher_request_set_callback(ctx->r.req,
4154 +- CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
4155 ++ CRYPTO_TFM_REQ_MAY_BACKLOG,
4156 + kcryptd_async_done, dmreq_of_req(cc, ctx->r.req));
4157 + }
4158 +
4159 +@@ -1271,7 +1271,7 @@ static void crypt_alloc_req_aead(struct crypt_config *cc,
4160 + * requests if driver request queue is full.
4161 + */
4162 + aead_request_set_callback(ctx->r.req_aead,
4163 +- CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
4164 ++ CRYPTO_TFM_REQ_MAY_BACKLOG,
4165 + kcryptd_async_done, dmreq_of_req(cc, ctx->r.req_aead));
4166 + }
4167 +
4168 +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
4169 +index da4baea9cf83..036379a23499 100644
4170 +--- a/drivers/md/dm-integrity.c
4171 ++++ b/drivers/md/dm-integrity.c
4172 +@@ -493,7 +493,7 @@ static void section_mac(struct dm_integrity_c *ic, unsigned section, __u8 result
4173 + unsigned j, size;
4174 +
4175 + desc->tfm = ic->journal_mac;
4176 +- desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
4177 ++ desc->flags = 0;
4178 +
4179 + r = crypto_shash_init(desc);
4180 + if (unlikely(r)) {
4181 +@@ -637,7 +637,7 @@ static void complete_journal_encrypt(struct crypto_async_request *req, int err)
4182 + static bool do_crypt(bool encrypt, struct skcipher_request *req, struct journal_completion *comp)
4183 + {
4184 + int r;
4185 +- skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
4186 ++ skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
4187 + complete_journal_encrypt, comp);
4188 + if (likely(encrypt))
4189 + r = crypto_skcipher_encrypt(req);
4190 +diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
4191 +index cd363a2100d4..257ae0d8cfe2 100644
4192 +--- a/drivers/media/usb/au0828/au0828-core.c
4193 ++++ b/drivers/media/usb/au0828/au0828-core.c
4194 +@@ -629,7 +629,6 @@ static int au0828_usb_probe(struct usb_interface *interface,
4195 + pr_err("%s() au0282_dev_register failed to register on V4L2\n",
4196 + __func__);
4197 + mutex_unlock(&dev->lock);
4198 +- kfree(dev);
4199 + goto done;
4200 + }
4201 +
4202 +diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
4203 +index 687a0dbbe199..614612325332 100644
4204 +--- a/drivers/misc/lkdtm.h
4205 ++++ b/drivers/misc/lkdtm.h
4206 +@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
4207 + void lkdtm_EXEC_VMALLOC(void);
4208 + void lkdtm_EXEC_RODATA(void);
4209 + void lkdtm_EXEC_USERSPACE(void);
4210 ++void lkdtm_EXEC_NULL(void);
4211 + void lkdtm_ACCESS_USERSPACE(void);
4212 ++void lkdtm_ACCESS_NULL(void);
4213 +
4214 + /* lkdtm_refcount.c */
4215 + void lkdtm_REFCOUNT_INC_OVERFLOW(void);
4216 +diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
4217 +index 981b3ef71e47..199271708aed 100644
4218 +--- a/drivers/misc/lkdtm_core.c
4219 ++++ b/drivers/misc/lkdtm_core.c
4220 +@@ -220,7 +220,9 @@ struct crashtype crashtypes[] = {
4221 + CRASHTYPE(EXEC_VMALLOC),
4222 + CRASHTYPE(EXEC_RODATA),
4223 + CRASHTYPE(EXEC_USERSPACE),
4224 ++ CRASHTYPE(EXEC_NULL),
4225 + CRASHTYPE(ACCESS_USERSPACE),
4226 ++ CRASHTYPE(ACCESS_NULL),
4227 + CRASHTYPE(WRITE_RO),
4228 + CRASHTYPE(WRITE_RO_AFTER_INIT),
4229 + CRASHTYPE(WRITE_KERN),
4230 +diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
4231 +index 53b85c9d16b8..62f76d506f04 100644
4232 +--- a/drivers/misc/lkdtm_perms.c
4233 ++++ b/drivers/misc/lkdtm_perms.c
4234 +@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
4235 + {
4236 + void (*func)(void) = dst;
4237 +
4238 +- pr_info("attempting ok execution at %p\n", do_nothing);
4239 ++ pr_info("attempting ok execution at %px\n", do_nothing);
4240 + do_nothing();
4241 +
4242 + if (write == CODE_WRITE) {
4243 +@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
4244 + flush_icache_range((unsigned long)dst,
4245 + (unsigned long)dst + EXEC_SIZE);
4246 + }
4247 +- pr_info("attempting bad execution at %p\n", func);
4248 ++ pr_info("attempting bad execution at %px\n", func);
4249 + func();
4250 + }
4251 +
4252 +@@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
4253 + /* Intentionally crossing kernel/user memory boundary. */
4254 + void (*func)(void) = dst;
4255 +
4256 +- pr_info("attempting ok execution at %p\n", do_nothing);
4257 ++ pr_info("attempting ok execution at %px\n", do_nothing);
4258 + do_nothing();
4259 +
4260 + copied = access_process_vm(current, (unsigned long)dst, do_nothing,
4261 + EXEC_SIZE, FOLL_WRITE);
4262 + if (copied < EXEC_SIZE)
4263 + return;
4264 +- pr_info("attempting bad execution at %p\n", func);
4265 ++ pr_info("attempting bad execution at %px\n", func);
4266 + func();
4267 + }
4268 +
4269 +@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
4270 + /* Explicitly cast away "const" for the test. */
4271 + unsigned long *ptr = (unsigned long *)&rodata;
4272 +
4273 +- pr_info("attempting bad rodata write at %p\n", ptr);
4274 ++ pr_info("attempting bad rodata write at %px\n", ptr);
4275 + *ptr ^= 0xabcd1234;
4276 + }
4277 +
4278 +@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
4279 + return;
4280 + }
4281 +
4282 +- pr_info("attempting bad ro_after_init write at %p\n", ptr);
4283 ++ pr_info("attempting bad ro_after_init write at %px\n", ptr);
4284 + *ptr ^= 0xabcd1234;
4285 + }
4286 +
4287 +@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
4288 + size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
4289 + ptr = (unsigned char *)do_overwritten;
4290 +
4291 +- pr_info("attempting bad %zu byte write at %p\n", size, ptr);
4292 ++ pr_info("attempting bad %zu byte write at %px\n", size, ptr);
4293 + memcpy(ptr, (unsigned char *)do_nothing, size);
4294 + flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
4295 +
4296 +@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
4297 + vm_munmap(user_addr, PAGE_SIZE);
4298 + }
4299 +
4300 ++void lkdtm_EXEC_NULL(void)
4301 ++{
4302 ++ execute_location(NULL, CODE_AS_IS);
4303 ++}
4304 ++
4305 + void lkdtm_ACCESS_USERSPACE(void)
4306 + {
4307 + unsigned long user_addr, tmp = 0;
4308 +@@ -185,16 +190,29 @@ void lkdtm_ACCESS_USERSPACE(void)
4309 +
4310 + ptr = (unsigned long *)user_addr;
4311 +
4312 +- pr_info("attempting bad read at %p\n", ptr);
4313 ++ pr_info("attempting bad read at %px\n", ptr);
4314 + tmp = *ptr;
4315 + tmp += 0xc0dec0de;
4316 +
4317 +- pr_info("attempting bad write at %p\n", ptr);
4318 ++ pr_info("attempting bad write at %px\n", ptr);
4319 + *ptr = tmp;
4320 +
4321 + vm_munmap(user_addr, PAGE_SIZE);
4322 + }
4323 +
4324 ++void lkdtm_ACCESS_NULL(void)
4325 ++{
4326 ++ unsigned long tmp;
4327 ++ unsigned long *ptr = (unsigned long *)NULL;
4328 ++
4329 ++ pr_info("attempting bad read at %px\n", ptr);
4330 ++ tmp = *ptr;
4331 ++ tmp += 0xc0dec0de;
4332 ++
4333 ++ pr_info("attempting bad write at %px\n", ptr);
4334 ++ *ptr = tmp;
4335 ++}
4336 ++
4337 + void __init lkdtm_perms_init(void)
4338 + {
4339 + /* Make sure we can write to __ro_after_init values during __init */
4340 +diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
4341 +index 351330dfb954..1bd1819cca7d 100644
4342 +--- a/drivers/mmc/host/davinci_mmc.c
4343 ++++ b/drivers/mmc/host/davinci_mmc.c
4344 +@@ -1118,7 +1118,7 @@ static inline void mmc_davinci_cpufreq_deregister(struct mmc_davinci_host *host)
4345 + {
4346 + }
4347 + #endif
4348 +-static void __init init_mmcsd_host(struct mmc_davinci_host *host)
4349 ++static void init_mmcsd_host(struct mmc_davinci_host *host)
4350 + {
4351 +
4352 + mmc_davinci_reset_ctrl(host, 1);
4353 +diff --git a/drivers/net/ethernet/netronome/nfp/bpf/verifier.c b/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
4354 +index 5b783a91b115..8793fa57f844 100644
4355 +--- a/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
4356 ++++ b/drivers/net/ethernet/netronome/nfp/bpf/verifier.c
4357 +@@ -76,9 +76,9 @@ nfp_bpf_goto_meta(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta,
4358 +
4359 + static int
4360 + nfp_bpf_check_exit(struct nfp_prog *nfp_prog,
4361 +- const struct bpf_verifier_env *env)
4362 ++ struct bpf_verifier_env *env)
4363 + {
4364 +- const struct bpf_reg_state *reg0 = &env->cur_state.regs[0];
4365 ++ const struct bpf_reg_state *reg0 = cur_regs(env) + BPF_REG_0;
4366 + u64 imm;
4367 +
4368 + if (nfp_prog->act == NN_ACT_XDP)
4369 +@@ -113,9 +113,10 @@ nfp_bpf_check_exit(struct nfp_prog *nfp_prog,
4370 +
4371 + static int
4372 + nfp_bpf_check_ctx_ptr(struct nfp_prog *nfp_prog,
4373 +- const struct bpf_verifier_env *env, u8 reg)
4374 ++ struct bpf_verifier_env *env, u8 reg_no)
4375 + {
4376 +- if (env->cur_state.regs[reg].type != PTR_TO_CTX)
4377 ++ const struct bpf_reg_state *reg = cur_regs(env) + reg_no;
4378 ++ if (reg->type != PTR_TO_CTX)
4379 + return -EINVAL;
4380 +
4381 + return 0;
4382 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
4383 +index 4a9dbee6f054..f2429ec07b57 100644
4384 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
4385 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
4386 +@@ -2536,9 +2536,6 @@ static int stmmac_hw_setup(struct net_device *dev, bool init_ptp)
4387 + netdev_warn(priv->dev, "%s: failed debugFS registration\n",
4388 + __func__);
4389 + #endif
4390 +- /* Start the ball rolling... */
4391 +- stmmac_start_all_dma(priv);
4392 +-
4393 + priv->tx_lpi_timer = STMMAC_DEFAULT_TWT_LS;
4394 +
4395 + if ((priv->use_riwt) && (priv->hw->dma->rx_watchdog)) {
4396 +@@ -2558,6 +2555,9 @@ static int stmmac_hw_setup(struct net_device *dev, bool init_ptp)
4397 + priv->hw->dma->enable_tso(priv->ioaddr, 1, chan);
4398 + }
4399 +
4400 ++ /* Start the ball rolling... */
4401 ++ stmmac_start_all_dma(priv);
4402 ++
4403 + return 0;
4404 + }
4405 +
4406 +diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h
4407 +index e579d694d13c..21986ba56a3c 100644
4408 +--- a/drivers/net/wireless/rsi/rsi_common.h
4409 ++++ b/drivers/net/wireless/rsi/rsi_common.h
4410 +@@ -74,7 +74,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
4411 + atomic_inc(&handle->thread_done);
4412 + rsi_set_event(&handle->event);
4413 +
4414 +- wait_for_completion(&handle->completion);
4415 + return kthread_stop(handle->task);
4416 + }
4417 +
4418 +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
4419 +index f6542c159ed6..b4d06bd9ed51 100644
4420 +--- a/drivers/scsi/scsi_transport_iscsi.c
4421 ++++ b/drivers/scsi/scsi_transport_iscsi.c
4422 +@@ -2185,6 +2185,8 @@ void iscsi_remove_session(struct iscsi_cls_session *session)
4423 + scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE);
4424 + /* flush running scans then delete devices */
4425 + flush_work(&session->scan_work);
4426 ++ /* flush running unbind operations */
4427 ++ flush_work(&session->unbind_work);
4428 + __iscsi_unbind_session(&session->unbind_work);
4429 +
4430 + /* hw iscsi may not have removed all connections from session */
4431 +diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c
4432 +index 7e9ef3431bea..2422ed56895a 100644
4433 +--- a/drivers/soc/tegra/pmc.c
4434 ++++ b/drivers/soc/tegra/pmc.c
4435 +@@ -521,16 +521,10 @@ EXPORT_SYMBOL(tegra_powergate_power_off);
4436 + */
4437 + int tegra_powergate_is_powered(unsigned int id)
4438 + {
4439 +- int status;
4440 +-
4441 + if (!tegra_powergate_is_valid(id))
4442 + return -EINVAL;
4443 +
4444 +- mutex_lock(&pmc->powergates_lock);
4445 +- status = tegra_powergate_state(id);
4446 +- mutex_unlock(&pmc->powergates_lock);
4447 +-
4448 +- return status;
4449 ++ return tegra_powergate_state(id);
4450 + }
4451 +
4452 + /**
4453 +diff --git a/drivers/thermal/broadcom/bcm2835_thermal.c b/drivers/thermal/broadcom/bcm2835_thermal.c
4454 +index 24b006a95142..8646fb7425f2 100644
4455 +--- a/drivers/thermal/broadcom/bcm2835_thermal.c
4456 ++++ b/drivers/thermal/broadcom/bcm2835_thermal.c
4457 +@@ -128,8 +128,7 @@ static const struct debugfs_reg32 bcm2835_thermal_regs[] = {
4458 +
4459 + static void bcm2835_thermal_debugfs(struct platform_device *pdev)
4460 + {
4461 +- struct thermal_zone_device *tz = platform_get_drvdata(pdev);
4462 +- struct bcm2835_thermal_data *data = tz->devdata;
4463 ++ struct bcm2835_thermal_data *data = platform_get_drvdata(pdev);
4464 + struct debugfs_regset32 *regset;
4465 +
4466 + data->debugfsdir = debugfs_create_dir("bcm2835_thermal", NULL);
4467 +@@ -275,7 +274,7 @@ static int bcm2835_thermal_probe(struct platform_device *pdev)
4468 +
4469 + data->tz = tz;
4470 +
4471 +- platform_set_drvdata(pdev, tz);
4472 ++ platform_set_drvdata(pdev, data);
4473 +
4474 + /*
4475 + * Thermal_zone doesn't enable hwmon as default,
4476 +@@ -299,8 +298,8 @@ err_clk:
4477 +
4478 + static int bcm2835_thermal_remove(struct platform_device *pdev)
4479 + {
4480 +- struct thermal_zone_device *tz = platform_get_drvdata(pdev);
4481 +- struct bcm2835_thermal_data *data = tz->devdata;
4482 ++ struct bcm2835_thermal_data *data = platform_get_drvdata(pdev);
4483 ++ struct thermal_zone_device *tz = data->tz;
4484 +
4485 + debugfs_remove_recursive(data->debugfsdir);
4486 + thermal_zone_of_sensor_unregister(&pdev->dev, tz);
4487 +diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c
4488 +index 43b90fd577e4..4a20f4d47b1d 100644
4489 +--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
4490 ++++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
4491 +@@ -22,6 +22,13 @@ enum int3400_thermal_uuid {
4492 + INT3400_THERMAL_PASSIVE_1,
4493 + INT3400_THERMAL_ACTIVE,
4494 + INT3400_THERMAL_CRITICAL,
4495 ++ INT3400_THERMAL_ADAPTIVE_PERFORMANCE,
4496 ++ INT3400_THERMAL_EMERGENCY_CALL_MODE,
4497 ++ INT3400_THERMAL_PASSIVE_2,
4498 ++ INT3400_THERMAL_POWER_BOSS,
4499 ++ INT3400_THERMAL_VIRTUAL_SENSOR,
4500 ++ INT3400_THERMAL_COOLING_MODE,
4501 ++ INT3400_THERMAL_HARDWARE_DUTY_CYCLING,
4502 + INT3400_THERMAL_MAXIMUM_UUID,
4503 + };
4504 +
4505 +@@ -29,6 +36,13 @@ static char *int3400_thermal_uuids[INT3400_THERMAL_MAXIMUM_UUID] = {
4506 + "42A441D6-AE6A-462b-A84B-4A8CE79027D3",
4507 + "3A95C389-E4B8-4629-A526-C52C88626BAE",
4508 + "97C68AE7-15FA-499c-B8C9-5DA81D606E0A",
4509 ++ "63BE270F-1C11-48FD-A6F7-3AF253FF3E2D",
4510 ++ "5349962F-71E6-431D-9AE8-0A635B710AEE",
4511 ++ "9E04115A-AE87-4D1C-9500-0F3E340BFE75",
4512 ++ "F5A35014-C209-46A4-993A-EB56DE7530A1",
4513 ++ "6ED722A7-9240-48A5-B479-31EEF723D7CF",
4514 ++ "16CAF1B7-DD38-40ED-B1C1-1B8A1913D531",
4515 ++ "BE84BABF-C4D4-403D-B495-3128FD44dAC1",
4516 + };
4517 +
4518 + struct int3400_thermal_priv {
4519 +@@ -302,10 +316,9 @@ static int int3400_thermal_probe(struct platform_device *pdev)
4520 +
4521 + platform_set_drvdata(pdev, priv);
4522 +
4523 +- if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) {
4524 +- int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
4525 +- int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
4526 +- }
4527 ++ int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
4528 ++ int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
4529 ++
4530 + priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0,
4531 + priv, &int3400_thermal_ops,
4532 + &int3400_thermal_params, 0, 0);
4533 +diff --git a/drivers/thermal/intel_powerclamp.c b/drivers/thermal/intel_powerclamp.c
4534 +index d718cd179ddb..c3293fa2bb1b 100644
4535 +--- a/drivers/thermal/intel_powerclamp.c
4536 ++++ b/drivers/thermal/intel_powerclamp.c
4537 +@@ -101,7 +101,7 @@ struct powerclamp_worker_data {
4538 + bool clamping;
4539 + };
4540 +
4541 +-static struct powerclamp_worker_data * __percpu worker_data;
4542 ++static struct powerclamp_worker_data __percpu *worker_data;
4543 + static struct thermal_cooling_device *cooling_dev;
4544 + static unsigned long *cpu_clamping_mask; /* bit map for tracking per cpu
4545 + * clamping kthread worker
4546 +@@ -494,7 +494,7 @@ static void start_power_clamp_worker(unsigned long cpu)
4547 + struct powerclamp_worker_data *w_data = per_cpu_ptr(worker_data, cpu);
4548 + struct kthread_worker *worker;
4549 +
4550 +- worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inject/%ld", cpu);
4551 ++ worker = kthread_create_worker_on_cpu(cpu, 0, "kidle_inj/%ld", cpu);
4552 + if (IS_ERR(worker))
4553 + return;
4554 +
4555 +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
4556 +index f438a2158006..b0da63737aa1 100644
4557 +--- a/drivers/tty/serial/xilinx_uartps.c
4558 ++++ b/drivers/tty/serial/xilinx_uartps.c
4559 +@@ -1270,7 +1270,7 @@ static void cdns_uart_console_write(struct console *co, const char *s,
4560 + *
4561 + * Return: 0 on success, negative errno otherwise.
4562 + */
4563 +-static int __init cdns_uart_console_setup(struct console *co, char *options)
4564 ++static int cdns_uart_console_setup(struct console *co, char *options)
4565 + {
4566 + struct uart_port *port = &cdns_uart_port[co->index];
4567 + int baud = 9600;
4568 +diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
4569 +index 8fb89ddc6cc7..c52f10efdc9c 100644
4570 +--- a/fs/9p/v9fs.c
4571 ++++ b/fs/9p/v9fs.c
4572 +@@ -61,6 +61,8 @@ enum {
4573 + Opt_cache_loose, Opt_fscache, Opt_mmap,
4574 + /* Access options */
4575 + Opt_access, Opt_posixacl,
4576 ++ /* Lock timeout option */
4577 ++ Opt_locktimeout,
4578 + /* Error token */
4579 + Opt_err
4580 + };
4581 +@@ -80,6 +82,7 @@ static const match_table_t tokens = {
4582 + {Opt_cachetag, "cachetag=%s"},
4583 + {Opt_access, "access=%s"},
4584 + {Opt_posixacl, "posixacl"},
4585 ++ {Opt_locktimeout, "locktimeout=%u"},
4586 + {Opt_err, NULL}
4587 + };
4588 +
4589 +@@ -187,6 +190,7 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
4590 + #ifdef CONFIG_9P_FSCACHE
4591 + v9ses->cachetag = NULL;
4592 + #endif
4593 ++ v9ses->session_lock_timeout = P9_LOCK_TIMEOUT;
4594 +
4595 + if (!opts)
4596 + return 0;
4597 +@@ -360,6 +364,23 @@ static int v9fs_parse_options(struct v9fs_session_info *v9ses, char *opts)
4598 + #endif
4599 + break;
4600 +
4601 ++ case Opt_locktimeout:
4602 ++ r = match_int(&args[0], &option);
4603 ++ if (r < 0) {
4604 ++ p9_debug(P9_DEBUG_ERROR,
4605 ++ "integer field, but no integer?\n");
4606 ++ ret = r;
4607 ++ continue;
4608 ++ }
4609 ++ if (option < 1) {
4610 ++ p9_debug(P9_DEBUG_ERROR,
4611 ++ "locktimeout must be a greater than zero integer.\n");
4612 ++ ret = -EINVAL;
4613 ++ continue;
4614 ++ }
4615 ++ v9ses->session_lock_timeout = (long)option * HZ;
4616 ++ break;
4617 ++
4618 + default:
4619 + continue;
4620 + }
4621 +diff --git a/fs/9p/v9fs.h b/fs/9p/v9fs.h
4622 +index 982e017acadb..129e5243a6bf 100644
4623 +--- a/fs/9p/v9fs.h
4624 ++++ b/fs/9p/v9fs.h
4625 +@@ -116,6 +116,7 @@ struct v9fs_session_info {
4626 + struct p9_client *clnt; /* 9p client */
4627 + struct list_head slist; /* list of sessions registered with v9fs */
4628 + struct rw_semaphore rename_sem;
4629 ++ long session_lock_timeout; /* retry interval for blocking locks */
4630 + };
4631 +
4632 + /* cache_validity flags */
4633 +diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
4634 +index 48db9a9f13f9..cb6c4031af55 100644
4635 +--- a/fs/9p/vfs_dir.c
4636 ++++ b/fs/9p/vfs_dir.c
4637 +@@ -105,7 +105,6 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
4638 + int err = 0;
4639 + struct p9_fid *fid;
4640 + int buflen;
4641 +- int reclen = 0;
4642 + struct p9_rdir *rdir;
4643 + struct kvec kvec;
4644 +
4645 +@@ -138,11 +137,10 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
4646 + while (rdir->head < rdir->tail) {
4647 + err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
4648 + rdir->tail - rdir->head, &st);
4649 +- if (err) {
4650 ++ if (err <= 0) {
4651 + p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
4652 + return -EIO;
4653 + }
4654 +- reclen = st.size+2;
4655 +
4656 + over = !dir_emit(ctx, st.name, strlen(st.name),
4657 + v9fs_qid2ino(&st.qid), dt_type(&st));
4658 +@@ -150,8 +148,8 @@ static int v9fs_dir_readdir(struct file *file, struct dir_context *ctx)
4659 + if (over)
4660 + return 0;
4661 +
4662 +- rdir->head += reclen;
4663 +- ctx->pos += reclen;
4664 ++ rdir->head += err;
4665 ++ ctx->pos += err;
4666 + }
4667 + }
4668 + }
4669 +diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
4670 +index af8cac975a74..89e69904976a 100644
4671 +--- a/fs/9p/vfs_file.c
4672 ++++ b/fs/9p/vfs_file.c
4673 +@@ -154,6 +154,7 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
4674 + uint8_t status = P9_LOCK_ERROR;
4675 + int res = 0;
4676 + unsigned char fl_type;
4677 ++ struct v9fs_session_info *v9ses;
4678 +
4679 + fid = filp->private_data;
4680 + BUG_ON(fid == NULL);
4681 +@@ -189,6 +190,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
4682 + if (IS_SETLKW(cmd))
4683 + flock.flags = P9_LOCK_FLAGS_BLOCK;
4684 +
4685 ++ v9ses = v9fs_inode2v9ses(file_inode(filp));
4686 ++
4687 + /*
4688 + * if its a blocked request and we get P9_LOCK_BLOCKED as the status
4689 + * for lock request, keep on trying
4690 +@@ -202,7 +205,8 @@ static int v9fs_file_do_lock(struct file *filp, int cmd, struct file_lock *fl)
4691 + break;
4692 + if (status == P9_LOCK_BLOCKED && !IS_SETLKW(cmd))
4693 + break;
4694 +- if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
4695 ++ if (schedule_timeout_interruptible(v9ses->session_lock_timeout)
4696 ++ != 0)
4697 + break;
4698 + /*
4699 + * p9_client_lock_dotl overwrites flock.client_id with the
4700 +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
4701 +index a90a637ae79a..6fd4a6a75234 100644
4702 +--- a/fs/cifs/inode.c
4703 ++++ b/fs/cifs/inode.c
4704 +@@ -779,43 +779,50 @@ cifs_get_inode_info(struct inode **inode, const char *full_path,
4705 + } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
4706 + (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
4707 + == 0)) {
4708 +- /*
4709 +- * For SMB2 and later the backup intent flag is already
4710 +- * sent if needed on open and there is no path based
4711 +- * FindFirst operation to use to retry with
4712 +- */
4713 ++ /*
4714 ++ * For SMB2 and later the backup intent flag is already
4715 ++ * sent if needed on open and there is no path based
4716 ++ * FindFirst operation to use to retry with
4717 ++ */
4718 +
4719 +- srchinf = kzalloc(sizeof(struct cifs_search_info),
4720 +- GFP_KERNEL);
4721 +- if (srchinf == NULL) {
4722 +- rc = -ENOMEM;
4723 +- goto cgii_exit;
4724 +- }
4725 ++ srchinf = kzalloc(sizeof(struct cifs_search_info),
4726 ++ GFP_KERNEL);
4727 ++ if (srchinf == NULL) {
4728 ++ rc = -ENOMEM;
4729 ++ goto cgii_exit;
4730 ++ }
4731 +
4732 +- srchinf->endOfSearch = false;
4733 ++ srchinf->endOfSearch = false;
4734 ++ if (tcon->unix_ext)
4735 ++ srchinf->info_level = SMB_FIND_FILE_UNIX;
4736 ++ else if ((tcon->ses->capabilities &
4737 ++ tcon->ses->server->vals->cap_nt_find) == 0)
4738 ++ srchinf->info_level = SMB_FIND_FILE_INFO_STANDARD;
4739 ++ else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SERVER_INUM)
4740 + srchinf->info_level = SMB_FIND_FILE_ID_FULL_DIR_INFO;
4741 ++ else /* no srvino useful for fallback to some netapp */
4742 ++ srchinf->info_level = SMB_FIND_FILE_DIRECTORY_INFO;
4743 +
4744 +- srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
4745 +- CIFS_SEARCH_CLOSE_AT_END |
4746 +- CIFS_SEARCH_BACKUP_SEARCH;
4747 ++ srchflgs = CIFS_SEARCH_CLOSE_ALWAYS |
4748 ++ CIFS_SEARCH_CLOSE_AT_END |
4749 ++ CIFS_SEARCH_BACKUP_SEARCH;
4750 +
4751 +- rc = CIFSFindFirst(xid, tcon, full_path,
4752 +- cifs_sb, NULL, srchflgs, srchinf, false);
4753 +- if (!rc) {
4754 +- data =
4755 +- (FILE_ALL_INFO *)srchinf->srch_entries_start;
4756 ++ rc = CIFSFindFirst(xid, tcon, full_path,
4757 ++ cifs_sb, NULL, srchflgs, srchinf, false);
4758 ++ if (!rc) {
4759 ++ data = (FILE_ALL_INFO *)srchinf->srch_entries_start;
4760 +
4761 +- cifs_dir_info_to_fattr(&fattr,
4762 +- (FILE_DIRECTORY_INFO *)data, cifs_sb);
4763 +- fattr.cf_uniqueid = le64_to_cpu(
4764 +- ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
4765 +- validinum = true;
4766 ++ cifs_dir_info_to_fattr(&fattr,
4767 ++ (FILE_DIRECTORY_INFO *)data, cifs_sb);
4768 ++ fattr.cf_uniqueid = le64_to_cpu(
4769 ++ ((SEARCH_ID_FULL_DIR_INFO *)data)->UniqueId);
4770 ++ validinum = true;
4771 +
4772 +- cifs_buf_release(srchinf->ntwrk_buf_start);
4773 +- }
4774 +- kfree(srchinf);
4775 +- if (rc)
4776 +- goto cgii_exit;
4777 ++ cifs_buf_release(srchinf->ntwrk_buf_start);
4778 ++ }
4779 ++ kfree(srchinf);
4780 ++ if (rc)
4781 ++ goto cgii_exit;
4782 + } else
4783 + goto cgii_exit;
4784 +
4785 +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
4786 +index d7e839cb773f..92c9cdf4704d 100644
4787 +--- a/fs/cifs/smb2maperror.c
4788 ++++ b/fs/cifs/smb2maperror.c
4789 +@@ -1035,7 +1035,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
4790 + {STATUS_UNFINISHED_CONTEXT_DELETED, -EIO,
4791 + "STATUS_UNFINISHED_CONTEXT_DELETED"},
4792 + {STATUS_NO_TGT_REPLY, -EIO, "STATUS_NO_TGT_REPLY"},
4793 +- {STATUS_OBJECTID_NOT_FOUND, -EIO, "STATUS_OBJECTID_NOT_FOUND"},
4794 ++ /* Note that ENOATTTR and ENODATA are the same errno */
4795 ++ {STATUS_OBJECTID_NOT_FOUND, -ENODATA, "STATUS_OBJECTID_NOT_FOUND"},
4796 + {STATUS_NO_IP_ADDRESSES, -EIO, "STATUS_NO_IP_ADDRESSES"},
4797 + {STATUS_WRONG_CREDENTIAL_HANDLE, -EIO,
4798 + "STATUS_WRONG_CREDENTIAL_HANDLE"},
4799 +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
4800 +index 7917cc89ab21..3dbf4e414706 100644
4801 +--- a/fs/ext4/ioctl.c
4802 ++++ b/fs/ext4/ioctl.c
4803 +@@ -940,6 +940,13 @@ resizefs_out:
4804 + if (!blk_queue_discard(q))
4805 + return -EOPNOTSUPP;
4806 +
4807 ++ /*
4808 ++ * We haven't replayed the journal, so we cannot use our
4809 ++ * block-bitmap-guided storage zapping commands.
4810 ++ */
4811 ++ if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
4812 ++ return -EROFS;
4813 ++
4814 + if (copy_from_user(&range, (struct fstrim_range __user *)arg,
4815 + sizeof(range)))
4816 + return -EFAULT;
4817 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
4818 +index 6f0acfe31418..333fba05e1a5 100644
4819 +--- a/fs/ext4/resize.c
4820 ++++ b/fs/ext4/resize.c
4821 +@@ -907,11 +907,18 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
4822 + memcpy(n_group_desc, o_group_desc,
4823 + EXT4_SB(sb)->s_gdb_count * sizeof(struct buffer_head *));
4824 + n_group_desc[gdb_num] = gdb_bh;
4825 ++
4826 ++ BUFFER_TRACE(gdb_bh, "get_write_access");
4827 ++ err = ext4_journal_get_write_access(handle, gdb_bh);
4828 ++ if (err) {
4829 ++ kvfree(n_group_desc);
4830 ++ brelse(gdb_bh);
4831 ++ return err;
4832 ++ }
4833 ++
4834 + EXT4_SB(sb)->s_group_desc = n_group_desc;
4835 + EXT4_SB(sb)->s_gdb_count++;
4836 + kvfree(o_group_desc);
4837 +- BUFFER_TRACE(gdb_bh, "get_write_access");
4838 +- err = ext4_journal_get_write_access(handle, gdb_bh);
4839 + return err;
4840 + }
4841 +
4842 +@@ -2042,6 +2049,10 @@ out:
4843 + free_flex_gd(flex_gd);
4844 + if (resize_inode != NULL)
4845 + iput(resize_inode);
4846 +- ext4_msg(sb, KERN_INFO, "resized filesystem to %llu", n_blocks_count);
4847 ++ if (err)
4848 ++ ext4_warning(sb, "error (%d) occurred during "
4849 ++ "file system resize", err);
4850 ++ ext4_msg(sb, KERN_INFO, "resized filesystem to %llu",
4851 ++ ext4_blocks_count(es));
4852 + return err;
4853 + }
4854 +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
4855 +index fc5c41257e68..4c169ba50c0f 100644
4856 +--- a/fs/f2fs/super.c
4857 ++++ b/fs/f2fs/super.c
4858 +@@ -1959,7 +1959,7 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
4859 + unsigned int segment_count_main;
4860 + unsigned int cp_pack_start_sum, cp_payload;
4861 + block_t user_block_count;
4862 +- int i;
4863 ++ int i, j;
4864 +
4865 + total = le32_to_cpu(raw_super->segment_count);
4866 + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt);
4867 +@@ -2000,11 +2000,43 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
4868 + if (le32_to_cpu(ckpt->cur_node_segno[i]) >= main_segs ||
4869 + le16_to_cpu(ckpt->cur_node_blkoff[i]) >= blocks_per_seg)
4870 + return 1;
4871 ++ for (j = i + 1; j < NR_CURSEG_NODE_TYPE; j++) {
4872 ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
4873 ++ le32_to_cpu(ckpt->cur_node_segno[j])) {
4874 ++ f2fs_msg(sbi->sb, KERN_ERR,
4875 ++ "Node segment (%u, %u) has the same "
4876 ++ "segno: %u", i, j,
4877 ++ le32_to_cpu(ckpt->cur_node_segno[i]));
4878 ++ return 1;
4879 ++ }
4880 ++ }
4881 + }
4882 + for (i = 0; i < NR_CURSEG_DATA_TYPE; i++) {
4883 + if (le32_to_cpu(ckpt->cur_data_segno[i]) >= main_segs ||
4884 + le16_to_cpu(ckpt->cur_data_blkoff[i]) >= blocks_per_seg)
4885 + return 1;
4886 ++ for (j = i + 1; j < NR_CURSEG_DATA_TYPE; j++) {
4887 ++ if (le32_to_cpu(ckpt->cur_data_segno[i]) ==
4888 ++ le32_to_cpu(ckpt->cur_data_segno[j])) {
4889 ++ f2fs_msg(sbi->sb, KERN_ERR,
4890 ++ "Data segment (%u, %u) has the same "
4891 ++ "segno: %u", i, j,
4892 ++ le32_to_cpu(ckpt->cur_data_segno[i]));
4893 ++ return 1;
4894 ++ }
4895 ++ }
4896 ++ }
4897 ++ for (i = 0; i < NR_CURSEG_NODE_TYPE; i++) {
4898 ++ for (j = i; j < NR_CURSEG_DATA_TYPE; j++) {
4899 ++ if (le32_to_cpu(ckpt->cur_node_segno[i]) ==
4900 ++ le32_to_cpu(ckpt->cur_data_segno[j])) {
4901 ++ f2fs_msg(sbi->sb, KERN_ERR,
4902 ++ "Data segment (%u) and Data segment (%u)"
4903 ++ " has the same segno: %u", i, j,
4904 ++ le32_to_cpu(ckpt->cur_node_segno[i]));
4905 ++ return 1;
4906 ++ }
4907 ++ }
4908 + }
4909 +
4910 + sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize);
4911 +diff --git a/include/linux/atalk.h b/include/linux/atalk.h
4912 +index 4d356e168692..03885e63f92b 100644
4913 +--- a/include/linux/atalk.h
4914 ++++ b/include/linux/atalk.h
4915 +@@ -151,19 +151,29 @@ extern int sysctl_aarp_retransmit_limit;
4916 + extern int sysctl_aarp_resolve_time;
4917 +
4918 + #ifdef CONFIG_SYSCTL
4919 +-extern void atalk_register_sysctl(void);
4920 ++extern int atalk_register_sysctl(void);
4921 + extern void atalk_unregister_sysctl(void);
4922 + #else
4923 +-#define atalk_register_sysctl() do { } while(0)
4924 +-#define atalk_unregister_sysctl() do { } while(0)
4925 ++static inline int atalk_register_sysctl(void)
4926 ++{
4927 ++ return 0;
4928 ++}
4929 ++static inline void atalk_unregister_sysctl(void)
4930 ++{
4931 ++}
4932 + #endif
4933 +
4934 + #ifdef CONFIG_PROC_FS
4935 + extern int atalk_proc_init(void);
4936 + extern void atalk_proc_exit(void);
4937 + #else
4938 +-#define atalk_proc_init() ({ 0; })
4939 +-#define atalk_proc_exit() do { } while(0)
4940 ++static inline int atalk_proc_init(void)
4941 ++{
4942 ++ return 0;
4943 ++}
4944 ++static inline void atalk_proc_exit(void)
4945 ++{
4946 ++}
4947 + #endif /* CONFIG_PROC_FS */
4948 +
4949 + #endif /* __LINUX_ATALK_H__ */
4950 +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
4951 +index 8458cc5fbce5..d8b3240cfe6e 100644
4952 +--- a/include/linux/bpf_verifier.h
4953 ++++ b/include/linux/bpf_verifier.h
4954 +@@ -91,14 +91,20 @@ enum bpf_stack_slot_type {
4955 +
4956 + #define BPF_REG_SIZE 8 /* size of eBPF register in bytes */
4957 +
4958 ++struct bpf_stack_state {
4959 ++ struct bpf_reg_state spilled_ptr;
4960 ++ u8 slot_type[BPF_REG_SIZE];
4961 ++};
4962 ++
4963 + /* state of the program:
4964 + * type of all registers and stack info
4965 + */
4966 + struct bpf_verifier_state {
4967 + struct bpf_reg_state regs[MAX_BPF_REG];
4968 +- u8 stack_slot_type[MAX_BPF_STACK];
4969 +- struct bpf_reg_state spilled_regs[MAX_BPF_STACK / BPF_REG_SIZE];
4970 + struct bpf_verifier_state *parent;
4971 ++ int allocated_stack;
4972 ++ struct bpf_stack_state *stack;
4973 ++ bool speculative;
4974 + };
4975 +
4976 + /* linked list of verifier states used to prune search */
4977 +@@ -107,14 +113,24 @@ struct bpf_verifier_state_list {
4978 + struct bpf_verifier_state_list *next;
4979 + };
4980 +
4981 ++/* Possible states for alu_state member. */
4982 ++#define BPF_ALU_SANITIZE_SRC 1U
4983 ++#define BPF_ALU_SANITIZE_DST 2U
4984 ++#define BPF_ALU_NEG_VALUE (1U << 2)
4985 ++#define BPF_ALU_NON_POINTER (1U << 3)
4986 ++#define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \
4987 ++ BPF_ALU_SANITIZE_DST)
4988 ++
4989 + struct bpf_insn_aux_data {
4990 + union {
4991 + enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
4992 + struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */
4993 ++ u32 alu_limit; /* limit for add/sub register with pointer */
4994 + };
4995 + int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
4996 + int sanitize_stack_off; /* stack slot to be cleared */
4997 + bool seen; /* this insn was processed by the verifier */
4998 ++ u8 alu_state; /* used in combination with alu_limit */
4999 + };
5000 +
5001 + #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
5002 +@@ -129,11 +145,13 @@ struct bpf_ext_analyzer_ops {
5003 + * one verifier_env per bpf_check() call
5004 + */
5005 + struct bpf_verifier_env {
5006 ++ u32 insn_idx;
5007 ++ u32 prev_insn_idx;
5008 + struct bpf_prog *prog; /* eBPF program being verified */
5009 + struct bpf_verifier_stack_elem *head; /* stack of verifier states to be processed */
5010 + int stack_size; /* number of states to be processed */
5011 + bool strict_alignment; /* perform strict pointer alignment checks */
5012 +- struct bpf_verifier_state cur_state; /* current verifier state */
5013 ++ struct bpf_verifier_state *cur_state; /* current verifier state */
5014 + struct bpf_verifier_state_list **explored_states; /* search pruning optimization */
5015 + const struct bpf_ext_analyzer_ops *analyzer_ops; /* external analyzer ops */
5016 + void *analyzer_priv; /* pointer to external analyzer's private data */
5017 +@@ -145,6 +163,11 @@ struct bpf_verifier_env {
5018 + struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
5019 + };
5020 +
5021 ++static inline struct bpf_reg_state *cur_regs(struct bpf_verifier_env *env)
5022 ++{
5023 ++ return env->cur_state->regs;
5024 ++}
5025 ++
5026 + int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,
5027 + void *priv);
5028 +
5029 +diff --git a/include/linux/compiler.h b/include/linux/compiler.h
5030 +index a704d032713b..67c3934fb9ed 100644
5031 +--- a/include/linux/compiler.h
5032 ++++ b/include/linux/compiler.h
5033 +@@ -119,7 +119,10 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
5034 + # define ASM_UNREACHABLE
5035 + #endif
5036 + #ifndef unreachable
5037 +-# define unreachable() do { annotate_reachable(); do { } while (1); } while (0)
5038 ++# define unreachable() do { \
5039 ++ annotate_unreachable(); \
5040 ++ __builtin_unreachable(); \
5041 ++} while (0)
5042 + #endif
5043 +
5044 + /*
5045 +diff --git a/include/linux/filter.h b/include/linux/filter.h
5046 +index 56d2cda9931b..ac2272778f2e 100644
5047 +--- a/include/linux/filter.h
5048 ++++ b/include/linux/filter.h
5049 +@@ -46,14 +46,10 @@ struct bpf_prog_aux;
5050 + #define BPF_REG_X BPF_REG_7
5051 + #define BPF_REG_TMP BPF_REG_8
5052 +
5053 +-/* Kernel hidden auxiliary/helper register for hardening step.
5054 +- * Only used by eBPF JITs. It's nothing more than a temporary
5055 +- * register that JITs use internally, only that here it's part
5056 +- * of eBPF instructions that have been rewritten for blinding
5057 +- * constants. See JIT pre-step in bpf_jit_blind_constants().
5058 +- */
5059 ++/* Kernel hidden auxiliary/helper register. */
5060 + #define BPF_REG_AX MAX_BPF_REG
5061 +-#define MAX_BPF_JIT_REG (MAX_BPF_REG + 1)
5062 ++#define MAX_BPF_EXT_REG (MAX_BPF_REG + 1)
5063 ++#define MAX_BPF_JIT_REG MAX_BPF_EXT_REG
5064 +
5065 + /* unused opcode to mark special call to bpf_tail_call() helper */
5066 + #define BPF_TAIL_CALL 0xf0
5067 +diff --git a/include/linux/swap.h b/include/linux/swap.h
5068 +index 4fd1ab9565ba..e643866912b7 100644
5069 +--- a/include/linux/swap.h
5070 ++++ b/include/linux/swap.h
5071 +@@ -155,9 +155,9 @@ struct swap_extent {
5072 + /*
5073 + * Max bad pages in the new format..
5074 + */
5075 +-#define __swapoffset(x) ((unsigned long)&((union swap_header *)0)->x)
5076 + #define MAX_SWAP_BADPAGES \
5077 +- ((__swapoffset(magic.magic) - __swapoffset(info.badpages)) / sizeof(int))
5078 ++ ((offsetof(union swap_header, magic.magic) - \
5079 ++ offsetof(union swap_header, info.badpages)) / sizeof(int))
5080 +
5081 + enum {
5082 + SWP_USED = (1 << 0), /* is slot in swap_info[] used? */
5083 +diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
5084 +index e96dfa1b34f7..b74e370d6133 100644
5085 +--- a/include/uapi/linux/netfilter/xt_cgroup.h
5086 ++++ b/include/uapi/linux/netfilter/xt_cgroup.h
5087 +@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 {
5088 + void *priv __attribute__((aligned(8)));
5089 + };
5090 +
5091 ++#define XT_CGROUP_PATH_MAX 512
5092 ++
5093 ++struct xt_cgroup_info_v2 {
5094 ++ __u8 has_path;
5095 ++ __u8 has_classid;
5096 ++ __u8 invert_path;
5097 ++ __u8 invert_classid;
5098 ++ union {
5099 ++ char path[XT_CGROUP_PATH_MAX];
5100 ++ __u32 classid;
5101 ++ };
5102 ++
5103 ++ /* kernel internal data */
5104 ++ void *priv __attribute__((aligned(8)));
5105 ++};
5106 ++
5107 + #endif /* _UAPI_XT_CGROUP_H */
5108 +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
5109 +index d203a5d6b726..e46106c6ac39 100644
5110 +--- a/kernel/bpf/core.c
5111 ++++ b/kernel/bpf/core.c
5112 +@@ -51,6 +51,7 @@
5113 + #define DST regs[insn->dst_reg]
5114 + #define SRC regs[insn->src_reg]
5115 + #define FP regs[BPF_REG_FP]
5116 ++#define AX regs[BPF_REG_AX]
5117 + #define ARG1 regs[BPF_REG_ARG1]
5118 + #define CTX regs[BPF_REG_CTX]
5119 + #define IMM insn->imm
5120 +@@ -552,6 +553,26 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
5121 + BUILD_BUG_ON(BPF_REG_AX + 1 != MAX_BPF_JIT_REG);
5122 + BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
5123 +
5124 ++ /* Constraints on AX register:
5125 ++ *
5126 ++ * AX register is inaccessible from user space. It is mapped in
5127 ++ * all JITs, and used here for constant blinding rewrites. It is
5128 ++ * typically "stateless" meaning its contents are only valid within
5129 ++ * the executed instruction, but not across several instructions.
5130 ++ * There are a few exceptions however which are further detailed
5131 ++ * below.
5132 ++ *
5133 ++ * Constant blinding is only used by JITs, not in the interpreter.
5134 ++ * The interpreter uses AX in some occasions as a local temporary
5135 ++ * register e.g. in DIV or MOD instructions.
5136 ++ *
5137 ++ * In restricted circumstances, the verifier can also use the AX
5138 ++ * register for rewrites as long as they do not interfere with
5139 ++ * the above cases!
5140 ++ */
5141 ++ if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
5142 ++ goto out;
5143 ++
5144 + if (from->imm == 0 &&
5145 + (from->code == (BPF_ALU | BPF_MOV | BPF_K) ||
5146 + from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
5147 +@@ -939,22 +960,22 @@ select_insn:
5148 + ALU64_MOD_X:
5149 + if (unlikely(SRC == 0))
5150 + return 0;
5151 +- div64_u64_rem(DST, SRC, &tmp);
5152 +- DST = tmp;
5153 ++ div64_u64_rem(DST, SRC, &AX);
5154 ++ DST = AX;
5155 + CONT;
5156 + ALU_MOD_X:
5157 + if (unlikely((u32)SRC == 0))
5158 + return 0;
5159 +- tmp = (u32) DST;
5160 +- DST = do_div(tmp, (u32) SRC);
5161 ++ AX = (u32) DST;
5162 ++ DST = do_div(AX, (u32) SRC);
5163 + CONT;
5164 + ALU64_MOD_K:
5165 +- div64_u64_rem(DST, IMM, &tmp);
5166 +- DST = tmp;
5167 ++ div64_u64_rem(DST, IMM, &AX);
5168 ++ DST = AX;
5169 + CONT;
5170 + ALU_MOD_K:
5171 +- tmp = (u32) DST;
5172 +- DST = do_div(tmp, (u32) IMM);
5173 ++ AX = (u32) DST;
5174 ++ DST = do_div(AX, (u32) IMM);
5175 + CONT;
5176 + ALU64_DIV_X:
5177 + if (unlikely(SRC == 0))
5178 +@@ -964,17 +985,17 @@ select_insn:
5179 + ALU_DIV_X:
5180 + if (unlikely((u32)SRC == 0))
5181 + return 0;
5182 +- tmp = (u32) DST;
5183 +- do_div(tmp, (u32) SRC);
5184 +- DST = (u32) tmp;
5185 ++ AX = (u32) DST;
5186 ++ do_div(AX, (u32) SRC);
5187 ++ DST = (u32) AX;
5188 + CONT;
5189 + ALU64_DIV_K:
5190 + DST = div64_u64(DST, IMM);
5191 + CONT;
5192 + ALU_DIV_K:
5193 +- tmp = (u32) DST;
5194 +- do_div(tmp, (u32) IMM);
5195 +- DST = (u32) tmp;
5196 ++ AX = (u32) DST;
5197 ++ do_div(AX, (u32) IMM);
5198 ++ DST = (u32) AX;
5199 + CONT;
5200 + ALU_END_TO_BE:
5201 + switch (IMM) {
5202 +@@ -1278,7 +1299,7 @@ STACK_FRAME_NON_STANDARD(___bpf_prog_run); /* jump table */
5203 + static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
5204 + { \
5205 + u64 stack[stack_size / sizeof(u64)]; \
5206 +- u64 regs[MAX_BPF_REG]; \
5207 ++ u64 regs[MAX_BPF_EXT_REG]; \
5208 + \
5209 + FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
5210 + ARG1 = (u64) (unsigned long) ctx; \
5211 +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
5212 +index be1dde967208..ccf9ffd5da78 100644
5213 +--- a/kernel/bpf/inode.c
5214 ++++ b/kernel/bpf/inode.c
5215 +@@ -365,19 +365,6 @@ out:
5216 + }
5217 + EXPORT_SYMBOL_GPL(bpf_obj_get_user);
5218 +
5219 +-static void bpf_evict_inode(struct inode *inode)
5220 +-{
5221 +- enum bpf_type type;
5222 +-
5223 +- truncate_inode_pages_final(&inode->i_data);
5224 +- clear_inode(inode);
5225 +-
5226 +- if (S_ISLNK(inode->i_mode))
5227 +- kfree(inode->i_link);
5228 +- if (!bpf_inode_type(inode, &type))
5229 +- bpf_any_put(inode->i_private, type);
5230 +-}
5231 +-
5232 + /*
5233 + * Display the mount options in /proc/mounts.
5234 + */
5235 +@@ -390,11 +377,28 @@ static int bpf_show_options(struct seq_file *m, struct dentry *root)
5236 + return 0;
5237 + }
5238 +
5239 ++static void bpf_destroy_inode_deferred(struct rcu_head *head)
5240 ++{
5241 ++ struct inode *inode = container_of(head, struct inode, i_rcu);
5242 ++ enum bpf_type type;
5243 ++
5244 ++ if (S_ISLNK(inode->i_mode))
5245 ++ kfree(inode->i_link);
5246 ++ if (!bpf_inode_type(inode, &type))
5247 ++ bpf_any_put(inode->i_private, type);
5248 ++ free_inode_nonrcu(inode);
5249 ++}
5250 ++
5251 ++static void bpf_destroy_inode(struct inode *inode)
5252 ++{
5253 ++ call_rcu(&inode->i_rcu, bpf_destroy_inode_deferred);
5254 ++}
5255 ++
5256 + static const struct super_operations bpf_super_ops = {
5257 + .statfs = simple_statfs,
5258 + .drop_inode = generic_delete_inode,
5259 + .show_options = bpf_show_options,
5260 +- .evict_inode = bpf_evict_inode,
5261 ++ .destroy_inode = bpf_destroy_inode,
5262 + };
5263 +
5264 + enum {
5265 +diff --git a/kernel/bpf/map_in_map.c b/kernel/bpf/map_in_map.c
5266 +index 1da574612bea..c0c494b7647b 100644
5267 +--- a/kernel/bpf/map_in_map.c
5268 ++++ b/kernel/bpf/map_in_map.c
5269 +@@ -12,6 +12,7 @@
5270 + struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
5271 + {
5272 + struct bpf_map *inner_map, *inner_map_meta;
5273 ++ u32 inner_map_meta_size;
5274 + struct fd f;
5275 +
5276 + f = fdget(inner_map_ufd);
5277 +@@ -34,7 +35,12 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
5278 + return ERR_PTR(-EINVAL);
5279 + }
5280 +
5281 +- inner_map_meta = kzalloc(sizeof(*inner_map_meta), GFP_USER);
5282 ++ inner_map_meta_size = sizeof(*inner_map_meta);
5283 ++ /* In some cases verifier needs to access beyond just base map. */
5284 ++ if (inner_map->ops == &array_map_ops)
5285 ++ inner_map_meta_size = sizeof(struct bpf_array);
5286 ++
5287 ++ inner_map_meta = kzalloc(inner_map_meta_size, GFP_USER);
5288 + if (!inner_map_meta) {
5289 + fdput(f);
5290 + return ERR_PTR(-ENOMEM);
5291 +@@ -44,9 +50,16 @@ struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
5292 + inner_map_meta->key_size = inner_map->key_size;
5293 + inner_map_meta->value_size = inner_map->value_size;
5294 + inner_map_meta->map_flags = inner_map->map_flags;
5295 +- inner_map_meta->ops = inner_map->ops;
5296 + inner_map_meta->max_entries = inner_map->max_entries;
5297 +
5298 ++ /* Misc members not needed in bpf_map_meta_equal() check. */
5299 ++ inner_map_meta->ops = inner_map->ops;
5300 ++ if (inner_map->ops == &array_map_ops) {
5301 ++ inner_map_meta->unpriv_array = inner_map->unpriv_array;
5302 ++ container_of(inner_map_meta, struct bpf_array, map)->index_mask =
5303 ++ container_of(inner_map, struct bpf_array, map)->index_mask;
5304 ++ }
5305 ++
5306 + fdput(f);
5307 + return inner_map_meta;
5308 + }
5309 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
5310 +index f6755fd5bae2..a4875ff0bab1 100644
5311 +--- a/kernel/bpf/verifier.c
5312 ++++ b/kernel/bpf/verifier.c
5313 +@@ -265,10 +265,11 @@ static void print_verifier_state(struct bpf_verifier_state *state)
5314 + verbose(")");
5315 + }
5316 + }
5317 +- for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
5318 +- if (state->stack_slot_type[i] == STACK_SPILL)
5319 +- verbose(" fp%d=%s", -MAX_BPF_STACK + i,
5320 +- reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]);
5321 ++ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
5322 ++ if (state->stack[i].slot_type[0] == STACK_SPILL)
5323 ++ verbose(" fp%d=%s",
5324 ++ (-i - 1) * BPF_REG_SIZE,
5325 ++ reg_type_str[state->stack[i].spilled_ptr.type]);
5326 + }
5327 + verbose("\n");
5328 + }
5329 +@@ -434,40 +435,133 @@ static void print_bpf_insn(const struct bpf_verifier_env *env,
5330 + }
5331 + }
5332 +
5333 +-static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx)
5334 ++static int copy_stack_state(struct bpf_verifier_state *dst,
5335 ++ const struct bpf_verifier_state *src)
5336 + {
5337 +- struct bpf_verifier_stack_elem *elem;
5338 +- int insn_idx;
5339 ++ if (!src->stack)
5340 ++ return 0;
5341 ++ if (WARN_ON_ONCE(dst->allocated_stack < src->allocated_stack)) {
5342 ++ /* internal bug, make state invalid to reject the program */
5343 ++ memset(dst, 0, sizeof(*dst));
5344 ++ return -EFAULT;
5345 ++ }
5346 ++ memcpy(dst->stack, src->stack,
5347 ++ sizeof(*src->stack) * (src->allocated_stack / BPF_REG_SIZE));
5348 ++ return 0;
5349 ++}
5350 ++
5351 ++/* do_check() starts with zero-sized stack in struct bpf_verifier_state to
5352 ++ * make it consume minimal amount of memory. check_stack_write() access from
5353 ++ * the program calls into realloc_verifier_state() to grow the stack size.
5354 ++ * Note there is a non-zero 'parent' pointer inside bpf_verifier_state
5355 ++ * which this function copies over. It points to previous bpf_verifier_state
5356 ++ * which is never reallocated
5357 ++ */
5358 ++static int realloc_verifier_state(struct bpf_verifier_state *state, int size,
5359 ++ bool copy_old)
5360 ++{
5361 ++ u32 old_size = state->allocated_stack;
5362 ++ struct bpf_stack_state *new_stack;
5363 ++ int slot = size / BPF_REG_SIZE;
5364 ++
5365 ++ if (size <= old_size || !size) {
5366 ++ if (copy_old)
5367 ++ return 0;
5368 ++ state->allocated_stack = slot * BPF_REG_SIZE;
5369 ++ if (!size && old_size) {
5370 ++ kfree(state->stack);
5371 ++ state->stack = NULL;
5372 ++ }
5373 ++ return 0;
5374 ++ }
5375 ++ new_stack = kmalloc_array(slot, sizeof(struct bpf_stack_state),
5376 ++ GFP_KERNEL);
5377 ++ if (!new_stack)
5378 ++ return -ENOMEM;
5379 ++ if (copy_old) {
5380 ++ if (state->stack)
5381 ++ memcpy(new_stack, state->stack,
5382 ++ sizeof(*new_stack) * (old_size / BPF_REG_SIZE));
5383 ++ memset(new_stack + old_size / BPF_REG_SIZE, 0,
5384 ++ sizeof(*new_stack) * (size - old_size) / BPF_REG_SIZE);
5385 ++ }
5386 ++ state->allocated_stack = slot * BPF_REG_SIZE;
5387 ++ kfree(state->stack);
5388 ++ state->stack = new_stack;
5389 ++ return 0;
5390 ++}
5391 ++
5392 ++static void free_verifier_state(struct bpf_verifier_state *state,
5393 ++ bool free_self)
5394 ++{
5395 ++ kfree(state->stack);
5396 ++ if (free_self)
5397 ++ kfree(state);
5398 ++}
5399 ++
5400 ++/* copy verifier state from src to dst growing dst stack space
5401 ++ * when necessary to accommodate larger src stack
5402 ++ */
5403 ++static int copy_verifier_state(struct bpf_verifier_state *dst,
5404 ++ const struct bpf_verifier_state *src)
5405 ++{
5406 ++ int err;
5407 ++
5408 ++ err = realloc_verifier_state(dst, src->allocated_stack, false);
5409 ++ if (err)
5410 ++ return err;
5411 ++ memcpy(dst, src, offsetof(struct bpf_verifier_state, allocated_stack));
5412 ++ return copy_stack_state(dst, src);
5413 ++}
5414 ++
5415 ++static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,
5416 ++ int *insn_idx)
5417 ++{
5418 ++ struct bpf_verifier_state *cur = env->cur_state;
5419 ++ struct bpf_verifier_stack_elem *elem, *head = env->head;
5420 ++ int err;
5421 +
5422 + if (env->head == NULL)
5423 +- return -1;
5424 ++ return -ENOENT;
5425 +
5426 +- memcpy(&env->cur_state, &env->head->st, sizeof(env->cur_state));
5427 +- insn_idx = env->head->insn_idx;
5428 ++ if (cur) {
5429 ++ err = copy_verifier_state(cur, &head->st);
5430 ++ if (err)
5431 ++ return err;
5432 ++ }
5433 ++ if (insn_idx)
5434 ++ *insn_idx = head->insn_idx;
5435 + if (prev_insn_idx)
5436 +- *prev_insn_idx = env->head->prev_insn_idx;
5437 +- elem = env->head->next;
5438 +- kfree(env->head);
5439 ++ *prev_insn_idx = head->prev_insn_idx;
5440 ++ elem = head->next;
5441 ++ free_verifier_state(&head->st, false);
5442 ++ kfree(head);
5443 + env->head = elem;
5444 + env->stack_size--;
5445 +- return insn_idx;
5446 ++ return 0;
5447 + }
5448 +
5449 + static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
5450 +- int insn_idx, int prev_insn_idx)
5451 ++ int insn_idx, int prev_insn_idx,
5452 ++ bool speculative)
5453 + {
5454 + struct bpf_verifier_stack_elem *elem;
5455 ++ struct bpf_verifier_state *cur = env->cur_state;
5456 ++ int err;
5457 +
5458 +- elem = kmalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL);
5459 ++ elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL);
5460 + if (!elem)
5461 + goto err;
5462 +
5463 +- memcpy(&elem->st, &env->cur_state, sizeof(env->cur_state));
5464 + elem->insn_idx = insn_idx;
5465 + elem->prev_insn_idx = prev_insn_idx;
5466 + elem->next = env->head;
5467 ++ elem->st.speculative |= speculative;
5468 + env->head = elem;
5469 + env->stack_size++;
5470 ++ err = copy_verifier_state(&elem->st, cur);
5471 ++ if (err)
5472 ++ goto err;
5473 + if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
5474 + verbose("BPF program is too complex\n");
5475 + goto err;
5476 +@@ -475,7 +569,7 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
5477 + return &elem->st;
5478 + err:
5479 + /* pop all elements and return */
5480 +- while (pop_stack(env, NULL) >= 0);
5481 ++ while (!pop_stack(env, NULL, NULL));
5482 + return NULL;
5483 + }
5484 +
5485 +@@ -671,7 +765,7 @@ static void mark_reg_read(const struct bpf_verifier_state *state, u32 regno)
5486 + static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
5487 + enum reg_arg_type t)
5488 + {
5489 +- struct bpf_reg_state *regs = env->cur_state.regs;
5490 ++ struct bpf_reg_state *regs = env->cur_state->regs;
5491 +
5492 + if (regno >= MAX_BPF_REG) {
5493 + verbose("R%d is invalid\n", regno);
5494 +@@ -684,7 +778,7 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
5495 + verbose("R%d !read_ok\n", regno);
5496 + return -EACCES;
5497 + }
5498 +- mark_reg_read(&env->cur_state, regno);
5499 ++ mark_reg_read(env->cur_state, regno);
5500 + } else {
5501 + /* check whether register used as dest operand can be written to */
5502 + if (regno == BPF_REG_FP) {
5503 +@@ -721,10 +815,21 @@ static int check_stack_write(struct bpf_verifier_env *env,
5504 + struct bpf_verifier_state *state, int off,
5505 + int size, int value_regno, int insn_idx)
5506 + {
5507 +- int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE;
5508 ++ int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
5509 ++
5510 ++ err = realloc_verifier_state(state, round_up(slot + 1, BPF_REG_SIZE),
5511 ++ true);
5512 ++ if (err)
5513 ++ return err;
5514 + /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
5515 + * so it's aligned access and [off, off + size) are within stack limits
5516 + */
5517 ++ if (!env->allow_ptr_leaks &&
5518 ++ state->stack[spi].slot_type[0] == STACK_SPILL &&
5519 ++ size != BPF_REG_SIZE) {
5520 ++ verbose("attempt to corrupt spilled pointer on stack\n");
5521 ++ return -EACCES;
5522 ++ }
5523 +
5524 + if (value_regno >= 0 &&
5525 + is_spillable_regtype(state->regs[value_regno].type)) {
5526 +@@ -736,11 +841,11 @@ static int check_stack_write(struct bpf_verifier_env *env,
5527 + }
5528 +
5529 + /* save register state */
5530 +- state->spilled_regs[spi] = state->regs[value_regno];
5531 +- state->spilled_regs[spi].live |= REG_LIVE_WRITTEN;
5532 ++ state->stack[spi].spilled_ptr = state->regs[value_regno];
5533 ++ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
5534 +
5535 + for (i = 0; i < BPF_REG_SIZE; i++) {
5536 +- if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC &&
5537 ++ if (state->stack[spi].slot_type[i] == STACK_MISC &&
5538 + !env->allow_ptr_leaks) {
5539 + int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
5540 + int soff = (-spi - 1) * BPF_REG_SIZE;
5541 +@@ -763,14 +868,15 @@ static int check_stack_write(struct bpf_verifier_env *env,
5542 + }
5543 + *poff = soff;
5544 + }
5545 +- state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL;
5546 ++ state->stack[spi].slot_type[i] = STACK_SPILL;
5547 + }
5548 + } else {
5549 + /* regular write of data into stack */
5550 +- state->spilled_regs[spi] = (struct bpf_reg_state) {};
5551 ++ state->stack[spi].spilled_ptr = (struct bpf_reg_state) {};
5552 +
5553 + for (i = 0; i < size; i++)
5554 +- state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_MISC;
5555 ++ state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
5556 ++ STACK_MISC;
5557 + }
5558 + return 0;
5559 + }
5560 +@@ -781,10 +887,10 @@ static void mark_stack_slot_read(const struct bpf_verifier_state *state, int slo
5561 +
5562 + while (parent) {
5563 + /* if read wasn't screened by an earlier write ... */
5564 +- if (state->spilled_regs[slot].live & REG_LIVE_WRITTEN)
5565 ++ if (state->stack[slot].spilled_ptr.live & REG_LIVE_WRITTEN)
5566 + break;
5567 + /* ... then we depend on parent's value */
5568 +- parent->spilled_regs[slot].live |= REG_LIVE_READ;
5569 ++ parent->stack[slot].spilled_ptr.live |= REG_LIVE_READ;
5570 + state = parent;
5571 + parent = state->parent;
5572 + }
5573 +@@ -793,34 +899,37 @@ static void mark_stack_slot_read(const struct bpf_verifier_state *state, int slo
5574 + static int check_stack_read(struct bpf_verifier_state *state, int off, int size,
5575 + int value_regno)
5576 + {
5577 +- u8 *slot_type;
5578 +- int i, spi;
5579 ++ int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
5580 ++ u8 *stype;
5581 +
5582 +- slot_type = &state->stack_slot_type[MAX_BPF_STACK + off];
5583 ++ if (state->allocated_stack <= slot) {
5584 ++ verbose("invalid read from stack off %d+0 size %d\n",
5585 ++ off, size);
5586 ++ return -EACCES;
5587 ++ }
5588 ++ stype = state->stack[spi].slot_type;
5589 +
5590 +- if (slot_type[0] == STACK_SPILL) {
5591 ++ if (stype[0] == STACK_SPILL) {
5592 + if (size != BPF_REG_SIZE) {
5593 + verbose("invalid size of register spill\n");
5594 + return -EACCES;
5595 + }
5596 + for (i = 1; i < BPF_REG_SIZE; i++) {
5597 +- if (slot_type[i] != STACK_SPILL) {
5598 ++ if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {
5599 + verbose("corrupted spill memory\n");
5600 + return -EACCES;
5601 + }
5602 + }
5603 +
5604 +- spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE;
5605 +-
5606 + if (value_regno >= 0) {
5607 + /* restore register state from stack */
5608 +- state->regs[value_regno] = state->spilled_regs[spi];
5609 ++ state->regs[value_regno] = state->stack[spi].spilled_ptr;
5610 + mark_stack_slot_read(state, spi);
5611 + }
5612 + return 0;
5613 + } else {
5614 + for (i = 0; i < size; i++) {
5615 +- if (slot_type[i] != STACK_MISC) {
5616 ++ if (stype[(slot - i) % BPF_REG_SIZE] != STACK_MISC) {
5617 + verbose("invalid read from stack off %d+%d size %d\n",
5618 + off, i, size);
5619 + return -EACCES;
5620 +@@ -833,11 +942,37 @@ static int check_stack_read(struct bpf_verifier_state *state, int off, int size,
5621 + }
5622 + }
5623 +
5624 ++static int check_stack_access(struct bpf_verifier_env *env,
5625 ++ const struct bpf_reg_state *reg,
5626 ++ int off, int size)
5627 ++{
5628 ++ /* Stack accesses must be at a fixed offset, so that we
5629 ++ * can determine what type of data were returned. See
5630 ++ * check_stack_read().
5631 ++ */
5632 ++ if (!tnum_is_const(reg->var_off)) {
5633 ++ char tn_buf[48];
5634 ++
5635 ++ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
5636 ++ verbose("variable stack access var_off=%s off=%d size=%d",
5637 ++ tn_buf, off, size);
5638 ++ return -EACCES;
5639 ++ }
5640 ++
5641 ++ if (off >= 0 || off < -MAX_BPF_STACK) {
5642 ++ verbose("invalid stack off=%d size=%d\n", off, size);
5643 ++ return -EACCES;
5644 ++ }
5645 ++
5646 ++ return 0;
5647 ++}
5648 ++
5649 + /* check read/write into map element returned by bpf_map_lookup_elem() */
5650 + static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
5651 + int size)
5652 + {
5653 +- struct bpf_map *map = env->cur_state.regs[regno].map_ptr;
5654 ++ struct bpf_reg_state *regs = cur_regs(env);
5655 ++ struct bpf_map *map = regs[regno].map_ptr;
5656 +
5657 + if (off < 0 || size <= 0 || off + size > map->value_size) {
5658 + verbose("invalid access to map value, value_size=%d off=%d size=%d\n",
5659 +@@ -849,9 +984,9 @@ static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
5660 +
5661 + /* check read/write into a map element with possible variable offset */
5662 + static int check_map_access(struct bpf_verifier_env *env, u32 regno,
5663 +- int off, int size)
5664 ++ int off, int size)
5665 + {
5666 +- struct bpf_verifier_state *state = &env->cur_state;
5667 ++ struct bpf_verifier_state *state = env->cur_state;
5668 + struct bpf_reg_state *reg = &state->regs[regno];
5669 + int err;
5670 +
5671 +@@ -861,13 +996,17 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
5672 + */
5673 + if (log_level)
5674 + print_verifier_state(state);
5675 ++
5676 + /* The minimum value is only important with signed
5677 + * comparisons where we can't assume the floor of a
5678 + * value is 0. If we are using signed variables for our
5679 + * index'es we need to make sure that whatever we use
5680 + * will have a set floor within our range.
5681 + */
5682 +- if (reg->smin_value < 0) {
5683 ++ if (reg->smin_value < 0 &&
5684 ++ (reg->smin_value == S64_MIN ||
5685 ++ (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||
5686 ++ reg->smin_value + off < 0)) {
5687 + verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
5688 + regno);
5689 + return -EACCES;
5690 +@@ -924,7 +1063,7 @@ static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,
5691 + static int __check_packet_access(struct bpf_verifier_env *env, u32 regno,
5692 + int off, int size)
5693 + {
5694 +- struct bpf_reg_state *regs = env->cur_state.regs;
5695 ++ struct bpf_reg_state *regs = cur_regs(env);
5696 + struct bpf_reg_state *reg = &regs[regno];
5697 +
5698 + if (off < 0 || size <= 0 || (u64)off + size > reg->range) {
5699 +@@ -938,7 +1077,7 @@ static int __check_packet_access(struct bpf_verifier_env *env, u32 regno,
5700 + static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
5701 + int size)
5702 + {
5703 +- struct bpf_reg_state *regs = env->cur_state.regs;
5704 ++ struct bpf_reg_state *regs = cur_regs(env);
5705 + struct bpf_reg_state *reg = &regs[regno];
5706 + int err;
5707 +
5708 +@@ -1008,19 +1147,19 @@ static bool __is_pointer_value(bool allow_ptr_leaks,
5709 +
5710 + static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
5711 + {
5712 +- return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
5713 ++ return __is_pointer_value(env->allow_ptr_leaks, cur_regs(env) + regno);
5714 + }
5715 +
5716 + static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
5717 + {
5718 +- const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
5719 ++ const struct bpf_reg_state *reg = cur_regs(env) + regno;
5720 +
5721 + return reg->type == PTR_TO_CTX;
5722 + }
5723 +
5724 + static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
5725 + {
5726 +- const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
5727 ++ const struct bpf_reg_state *reg = cur_regs(env) + regno;
5728 +
5729 + return reg->type == PTR_TO_PACKET;
5730 + }
5731 +@@ -1145,8 +1284,9 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
5732 + int off, int bpf_size, enum bpf_access_type t,
5733 + int value_regno, bool strict_alignment_once)
5734 + {
5735 +- struct bpf_verifier_state *state = &env->cur_state;
5736 +- struct bpf_reg_state *reg = &state->regs[regno];
5737 ++ struct bpf_verifier_state *state = env->cur_state;
5738 ++ struct bpf_reg_state *regs = cur_regs(env);
5739 ++ struct bpf_reg_state *reg = regs + regno;
5740 + int size, err = 0;
5741 +
5742 + size = bpf_size_to_bytes(bpf_size);
5743 +@@ -1170,7 +1310,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
5744 +
5745 + err = check_map_access(env, regno, off, size);
5746 + if (!err && t == BPF_READ && value_regno >= 0)
5747 +- mark_reg_unknown(state->regs, value_regno);
5748 ++ mark_reg_unknown(regs, value_regno);
5749 +
5750 + } else if (reg->type == PTR_TO_CTX) {
5751 + enum bpf_reg_type reg_type = SCALAR_VALUE;
5752 +@@ -1203,49 +1343,29 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
5753 + * the offset is zero.
5754 + */
5755 + if (reg_type == SCALAR_VALUE)
5756 +- mark_reg_unknown(state->regs, value_regno);
5757 ++ mark_reg_unknown(regs, value_regno);
5758 + else
5759 +- mark_reg_known_zero(state->regs, value_regno);
5760 +- state->regs[value_regno].id = 0;
5761 +- state->regs[value_regno].off = 0;
5762 +- state->regs[value_regno].range = 0;
5763 +- state->regs[value_regno].type = reg_type;
5764 ++ mark_reg_known_zero(regs, value_regno);
5765 ++ regs[value_regno].id = 0;
5766 ++ regs[value_regno].off = 0;
5767 ++ regs[value_regno].range = 0;
5768 ++ regs[value_regno].type = reg_type;
5769 + }
5770 +
5771 + } else if (reg->type == PTR_TO_STACK) {
5772 +- /* stack accesses must be at a fixed offset, so that we can
5773 +- * determine what type of data were returned.
5774 +- * See check_stack_read().
5775 +- */
5776 +- if (!tnum_is_const(reg->var_off)) {
5777 +- char tn_buf[48];
5778 +-
5779 +- tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
5780 +- verbose("variable stack access var_off=%s off=%d size=%d",
5781 +- tn_buf, off, size);
5782 +- return -EACCES;
5783 +- }
5784 + off += reg->var_off.value;
5785 +- if (off >= 0 || off < -MAX_BPF_STACK) {
5786 +- verbose("invalid stack off=%d size=%d\n", off, size);
5787 +- return -EACCES;
5788 +- }
5789 ++ err = check_stack_access(env, reg, off, size);
5790 ++ if (err)
5791 ++ return err;
5792 +
5793 + if (env->prog->aux->stack_depth < -off)
5794 + env->prog->aux->stack_depth = -off;
5795 +
5796 +- if (t == BPF_WRITE) {
5797 +- if (!env->allow_ptr_leaks &&
5798 +- state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL &&
5799 +- size != BPF_REG_SIZE) {
5800 +- verbose("attempt to corrupt spilled pointer on stack\n");
5801 +- return -EACCES;
5802 +- }
5803 ++ if (t == BPF_WRITE)
5804 + err = check_stack_write(env, state, off, size,
5805 + value_regno, insn_idx);
5806 +- } else {
5807 ++ else
5808 + err = check_stack_read(state, off, size, value_regno);
5809 +- }
5810 + } else if (reg->type == PTR_TO_PACKET) {
5811 + if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {
5812 + verbose("cannot write into packet\n");
5813 +@@ -1258,7 +1378,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
5814 + }
5815 + err = check_packet_access(env, regno, off, size);
5816 + if (!err && t == BPF_READ && value_regno >= 0)
5817 +- mark_reg_unknown(state->regs, value_regno);
5818 ++ mark_reg_unknown(regs, value_regno);
5819 + } else {
5820 + verbose("R%d invalid mem access '%s'\n",
5821 + regno, reg_type_str[reg->type]);
5822 +@@ -1266,9 +1386,9 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
5823 + }
5824 +
5825 + if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&
5826 +- state->regs[value_regno].type == SCALAR_VALUE) {
5827 ++ regs[value_regno].type == SCALAR_VALUE) {
5828 + /* b/h/w load zero-extends, mark upper bits as known 0 */
5829 +- coerce_reg_to_size(&state->regs[value_regno], size);
5830 ++ coerce_reg_to_size(&regs[value_regno], size);
5831 + }
5832 + return err;
5833 + }
5834 +@@ -1333,9 +1453,9 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
5835 + int access_size, bool zero_size_allowed,
5836 + struct bpf_call_arg_meta *meta)
5837 + {
5838 +- struct bpf_verifier_state *state = &env->cur_state;
5839 ++ struct bpf_verifier_state *state = env->cur_state;
5840 + struct bpf_reg_state *regs = state->regs;
5841 +- int off, i;
5842 ++ int off, i, slot, spi;
5843 +
5844 + if (regs[regno].type != PTR_TO_STACK) {
5845 + /* Allow zero-byte read from NULL, regardless of pointer type */
5846 +@@ -1376,7 +1496,11 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
5847 + }
5848 +
5849 + for (i = 0; i < access_size; i++) {
5850 +- if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) {
5851 ++ slot = -(off + i) - 1;
5852 ++ spi = slot / BPF_REG_SIZE;
5853 ++ if (state->allocated_stack <= slot ||
5854 ++ state->stack[spi].slot_type[slot % BPF_REG_SIZE] !=
5855 ++ STACK_MISC) {
5856 + verbose("invalid indirect read from stack off %d+%d size %d\n",
5857 + off, i, access_size);
5858 + return -EACCES;
5859 +@@ -1389,7 +1513,7 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
5860 + int access_size, bool zero_size_allowed,
5861 + struct bpf_call_arg_meta *meta)
5862 + {
5863 +- struct bpf_reg_state *regs = env->cur_state.regs, *reg = &regs[regno];
5864 ++ struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
5865 +
5866 + switch (reg->type) {
5867 + case PTR_TO_PACKET:
5868 +@@ -1406,7 +1530,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
5869 + enum bpf_arg_type arg_type,
5870 + struct bpf_call_arg_meta *meta)
5871 + {
5872 +- struct bpf_reg_state *regs = env->cur_state.regs, *reg = &regs[regno];
5873 ++ struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
5874 + enum bpf_reg_type expected_type, type = reg->type;
5875 + int err = 0;
5876 +
5877 +@@ -1678,7 +1802,7 @@ static int check_raw_mode(const struct bpf_func_proto *fn)
5878 + */
5879 + static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
5880 + {
5881 +- struct bpf_verifier_state *state = &env->cur_state;
5882 ++ struct bpf_verifier_state *state = env->cur_state;
5883 + struct bpf_reg_state *regs = state->regs, *reg;
5884 + int i;
5885 +
5886 +@@ -1687,10 +1811,10 @@ static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
5887 + regs[i].type == PTR_TO_PACKET_END)
5888 + mark_reg_unknown(regs, i);
5889 +
5890 +- for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
5891 +- if (state->stack_slot_type[i] != STACK_SPILL)
5892 ++ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
5893 ++ if (state->stack[i].slot_type[0] != STACK_SPILL)
5894 + continue;
5895 +- reg = &state->spilled_regs[i / BPF_REG_SIZE];
5896 ++ reg = &state->stack[i].spilled_ptr;
5897 + if (reg->type != PTR_TO_PACKET &&
5898 + reg->type != PTR_TO_PACKET_END)
5899 + continue;
5900 +@@ -1700,9 +1824,8 @@ static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
5901 +
5902 + static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
5903 + {
5904 +- struct bpf_verifier_state *state = &env->cur_state;
5905 + const struct bpf_func_proto *fn = NULL;
5906 +- struct bpf_reg_state *regs = state->regs;
5907 ++ struct bpf_reg_state *regs;
5908 + struct bpf_call_arg_meta meta;
5909 + bool changes_data;
5910 + int i, err;
5911 +@@ -1776,6 +1899,7 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
5912 + return err;
5913 + }
5914 +
5915 ++ regs = cur_regs(env);
5916 + /* reset caller saved regs */
5917 + for (i = 0; i < CALLER_SAVED_REGS; i++) {
5918 + mark_reg_not_init(regs, caller_saved[i]);
5919 +@@ -1880,6 +2004,125 @@ static bool check_reg_sane_offset(struct bpf_verifier_env *env,
5920 + return true;
5921 + }
5922 +
5923 ++static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
5924 ++{
5925 ++ return &env->insn_aux_data[env->insn_idx];
5926 ++}
5927 ++
5928 ++static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
5929 ++ u32 *ptr_limit, u8 opcode, bool off_is_neg)
5930 ++{
5931 ++ bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
5932 ++ (opcode == BPF_SUB && !off_is_neg);
5933 ++ u32 off;
5934 ++
5935 ++ switch (ptr_reg->type) {
5936 ++ case PTR_TO_STACK:
5937 ++ off = ptr_reg->off + ptr_reg->var_off.value;
5938 ++ if (mask_to_left)
5939 ++ *ptr_limit = MAX_BPF_STACK + off;
5940 ++ else
5941 ++ *ptr_limit = -off;
5942 ++ return 0;
5943 ++ case PTR_TO_MAP_VALUE:
5944 ++ if (mask_to_left) {
5945 ++ *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
5946 ++ } else {
5947 ++ off = ptr_reg->smin_value + ptr_reg->off;
5948 ++ *ptr_limit = ptr_reg->map_ptr->value_size - off;
5949 ++ }
5950 ++ return 0;
5951 ++ default:
5952 ++ return -EINVAL;
5953 ++ }
5954 ++}
5955 ++
5956 ++static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,
5957 ++ const struct bpf_insn *insn)
5958 ++{
5959 ++ return env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K;
5960 ++}
5961 ++
5962 ++static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,
5963 ++ u32 alu_state, u32 alu_limit)
5964 ++{
5965 ++ /* If we arrived here from different branches with different
5966 ++ * state or limits to sanitize, then this won't work.
5967 ++ */
5968 ++ if (aux->alu_state &&
5969 ++ (aux->alu_state != alu_state ||
5970 ++ aux->alu_limit != alu_limit))
5971 ++ return -EACCES;
5972 ++
5973 ++ /* Corresponding fixup done in fixup_bpf_calls(). */
5974 ++ aux->alu_state = alu_state;
5975 ++ aux->alu_limit = alu_limit;
5976 ++ return 0;
5977 ++}
5978 ++
5979 ++static int sanitize_val_alu(struct bpf_verifier_env *env,
5980 ++ struct bpf_insn *insn)
5981 ++{
5982 ++ struct bpf_insn_aux_data *aux = cur_aux(env);
5983 ++
5984 ++ if (can_skip_alu_sanitation(env, insn))
5985 ++ return 0;
5986 ++
5987 ++ return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
5988 ++}
5989 ++
5990 ++static int sanitize_ptr_alu(struct bpf_verifier_env *env,
5991 ++ struct bpf_insn *insn,
5992 ++ const struct bpf_reg_state *ptr_reg,
5993 ++ struct bpf_reg_state *dst_reg,
5994 ++ bool off_is_neg)
5995 ++{
5996 ++ struct bpf_verifier_state *vstate = env->cur_state;
5997 ++ struct bpf_insn_aux_data *aux = cur_aux(env);
5998 ++ bool ptr_is_dst_reg = ptr_reg == dst_reg;
5999 ++ u8 opcode = BPF_OP(insn->code);
6000 ++ u32 alu_state, alu_limit;
6001 ++ struct bpf_reg_state tmp;
6002 ++ bool ret;
6003 ++
6004 ++ if (can_skip_alu_sanitation(env, insn))
6005 ++ return 0;
6006 ++
6007 ++ /* We already marked aux for masking from non-speculative
6008 ++ * paths, thus we got here in the first place. We only care
6009 ++ * to explore bad access from here.
6010 ++ */
6011 ++ if (vstate->speculative)
6012 ++ goto do_sim;
6013 ++
6014 ++ alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
6015 ++ alu_state |= ptr_is_dst_reg ?
6016 ++ BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
6017 ++
6018 ++ if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
6019 ++ return 0;
6020 ++ if (update_alu_sanitation_state(aux, alu_state, alu_limit))
6021 ++ return -EACCES;
6022 ++do_sim:
6023 ++ /* Simulate and find potential out-of-bounds access under
6024 ++ * speculative execution from truncation as a result of
6025 ++ * masking when off was not within expected range. If off
6026 ++ * sits in dst, then we temporarily need to move ptr there
6027 ++ * to simulate dst (== 0) +/-= ptr. Needed, for example,
6028 ++ * for cases where we use K-based arithmetic in one direction
6029 ++ * and truncated reg-based in the other in order to explore
6030 ++ * bad access.
6031 ++ */
6032 ++ if (!ptr_is_dst_reg) {
6033 ++ tmp = *dst_reg;
6034 ++ *dst_reg = *ptr_reg;
6035 ++ }
6036 ++ ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
6037 ++ if (!ptr_is_dst_reg && ret)
6038 ++ *dst_reg = tmp;
6039 ++ return !ret ? -EFAULT : 0;
6040 ++}
6041 ++
6042 + /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
6043 + * Caller should also handle BPF_MOV case separately.
6044 + * If we return -EACCES, caller may want to try again treating pointer as a
6045 +@@ -1890,14 +2133,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
6046 + const struct bpf_reg_state *ptr_reg,
6047 + const struct bpf_reg_state *off_reg)
6048 + {
6049 +- struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg;
6050 ++ struct bpf_reg_state *regs = cur_regs(env), *dst_reg;
6051 + bool known = tnum_is_const(off_reg->var_off);
6052 + s64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value,
6053 + smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
6054 + u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
6055 + umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
6056 ++ u32 dst = insn->dst_reg, src = insn->src_reg;
6057 + u8 opcode = BPF_OP(insn->code);
6058 +- u32 dst = insn->dst_reg;
6059 ++ int ret;
6060 +
6061 + dst_reg = &regs[dst];
6062 +
6063 +@@ -1949,6 +2193,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
6064 +
6065 + switch (opcode) {
6066 + case BPF_ADD:
6067 ++ ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
6068 ++ if (ret < 0) {
6069 ++ verbose("R%d tried to add from different maps or paths\n", dst);
6070 ++ return ret;
6071 ++ }
6072 + /* We can take a fixed offset as long as it doesn't overflow
6073 + * the s32 'off' field
6074 + */
6075 +@@ -1999,6 +2248,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
6076 + }
6077 + break;
6078 + case BPF_SUB:
6079 ++ ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
6080 ++ if (ret < 0) {
6081 ++ verbose("R%d tried to sub from different maps or paths\n", dst);
6082 ++ return ret;
6083 ++ }
6084 + if (dst_reg == off_reg) {
6085 + /* scalar -= pointer. Creates an unknown scalar */
6086 + if (!env->allow_ptr_leaks)
6087 +@@ -2071,6 +2325,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
6088 + verbose("R%d bitwise operator %s on pointer prohibited\n",
6089 + dst, bpf_alu_string[opcode >> 4]);
6090 + return -EACCES;
6091 ++ case PTR_TO_MAP_VALUE:
6092 ++ if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
6093 ++ verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
6094 ++ off_reg == dst_reg ? dst : src);
6095 ++ return -EACCES;
6096 ++ }
6097 ++ /* fall-through */
6098 + default:
6099 + /* other operators (e.g. MUL,LSH) produce non-pointer results */
6100 + if (!env->allow_ptr_leaks)
6101 +@@ -2085,6 +2346,25 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
6102 + __update_reg_bounds(dst_reg);
6103 + __reg_deduce_bounds(dst_reg);
6104 + __reg_bound_offset(dst_reg);
6105 ++
6106 ++ /* For unprivileged we require that resulting offset must be in bounds
6107 ++ * in order to be able to sanitize access later on.
6108 ++ */
6109 ++ if (!env->allow_ptr_leaks) {
6110 ++ if (dst_reg->type == PTR_TO_MAP_VALUE &&
6111 ++ check_map_access(env, dst, dst_reg->off, 1)) {
6112 ++ verbose("R%d pointer arithmetic of map value goes out of range, "
6113 ++ "prohibited for !root\n", dst);
6114 ++ return -EACCES;
6115 ++ } else if (dst_reg->type == PTR_TO_STACK &&
6116 ++ check_stack_access(env, dst_reg, dst_reg->off +
6117 ++ dst_reg->var_off.value, 1)) {
6118 ++ verbose("R%d stack pointer arithmetic goes out of range, "
6119 ++ "prohibited for !root\n", dst);
6120 ++ return -EACCES;
6121 ++ }
6122 ++ }
6123 ++
6124 + return 0;
6125 + }
6126 +
6127 +@@ -2097,12 +2377,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
6128 + struct bpf_reg_state *dst_reg,
6129 + struct bpf_reg_state src_reg)
6130 + {
6131 +- struct bpf_reg_state *regs = env->cur_state.regs;
6132 ++ struct bpf_reg_state *regs = cur_regs(env);
6133 + u8 opcode = BPF_OP(insn->code);
6134 + bool src_known, dst_known;
6135 + s64 smin_val, smax_val;
6136 + u64 umin_val, umax_val;
6137 + u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
6138 ++ u32 dst = insn->dst_reg;
6139 ++ int ret;
6140 +
6141 + if (insn_bitness == 32) {
6142 + /* Relevant for 32-bit RSH: Information can propagate towards
6143 +@@ -2137,6 +2419,11 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
6144 +
6145 + switch (opcode) {
6146 + case BPF_ADD:
6147 ++ ret = sanitize_val_alu(env, insn);
6148 ++ if (ret < 0) {
6149 ++ verbose("R%d tried to add from different pointers or scalars\n", dst);
6150 ++ return ret;
6151 ++ }
6152 + if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
6153 + signed_add_overflows(dst_reg->smax_value, smax_val)) {
6154 + dst_reg->smin_value = S64_MIN;
6155 +@@ -2156,6 +2443,11 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
6156 + dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
6157 + break;
6158 + case BPF_SUB:
6159 ++ ret = sanitize_val_alu(env, insn);
6160 ++ if (ret < 0) {
6161 ++ verbose("R%d tried to sub from different pointers or scalars\n", dst);
6162 ++ return ret;
6163 ++ }
6164 + if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
6165 + signed_sub_overflows(dst_reg->smax_value, smin_val)) {
6166 + /* Overflow possible, we know nothing */
6167 +@@ -2345,7 +2637,7 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
6168 + static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
6169 + struct bpf_insn *insn)
6170 + {
6171 +- struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg, *src_reg;
6172 ++ struct bpf_reg_state *regs = cur_regs(env), *dst_reg, *src_reg;
6173 + struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
6174 + u8 opcode = BPF_OP(insn->code);
6175 + int rc;
6176 +@@ -2419,12 +2711,12 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
6177 +
6178 + /* Got here implies adding two SCALAR_VALUEs */
6179 + if (WARN_ON_ONCE(ptr_reg)) {
6180 +- print_verifier_state(&env->cur_state);
6181 ++ print_verifier_state(env->cur_state);
6182 + verbose("verifier internal error: unexpected ptr_reg\n");
6183 + return -EINVAL;
6184 + }
6185 + if (WARN_ON(!src_reg)) {
6186 +- print_verifier_state(&env->cur_state);
6187 ++ print_verifier_state(env->cur_state);
6188 + verbose("verifier internal error: no src_reg\n");
6189 + return -EINVAL;
6190 + }
6191 +@@ -2434,7 +2726,7 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
6192 + /* check validity of 32-bit and 64-bit arithmetic operations */
6193 + static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
6194 + {
6195 +- struct bpf_reg_state *regs = env->cur_state.regs;
6196 ++ struct bpf_reg_state *regs = cur_regs(env);
6197 + u8 opcode = BPF_OP(insn->code);
6198 + int err;
6199 +
6200 +@@ -2661,10 +2953,10 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *state,
6201 + /* keep the maximum range already checked */
6202 + regs[i].range = max(regs[i].range, new_range);
6203 +
6204 +- for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
6205 +- if (state->stack_slot_type[i] != STACK_SPILL)
6206 ++ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
6207 ++ if (state->stack[i].slot_type[0] != STACK_SPILL)
6208 + continue;
6209 +- reg = &state->spilled_regs[i / BPF_REG_SIZE];
6210 ++ reg = &state->stack[i].spilled_ptr;
6211 + if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id)
6212 + reg->range = max(reg->range, new_range);
6213 + }
6214 +@@ -2914,17 +3206,17 @@ static void mark_map_regs(struct bpf_verifier_state *state, u32 regno,
6215 + for (i = 0; i < MAX_BPF_REG; i++)
6216 + mark_map_reg(regs, i, id, is_null);
6217 +
6218 +- for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
6219 +- if (state->stack_slot_type[i] != STACK_SPILL)
6220 ++ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
6221 ++ if (state->stack[i].slot_type[0] != STACK_SPILL)
6222 + continue;
6223 +- mark_map_reg(state->spilled_regs, i / BPF_REG_SIZE, id, is_null);
6224 ++ mark_map_reg(&state->stack[i].spilled_ptr, 0, id, is_null);
6225 + }
6226 + }
6227 +
6228 + static int check_cond_jmp_op(struct bpf_verifier_env *env,
6229 + struct bpf_insn *insn, int *insn_idx)
6230 + {
6231 +- struct bpf_verifier_state *other_branch, *this_branch = &env->cur_state;
6232 ++ struct bpf_verifier_state *other_branch, *this_branch = env->cur_state;
6233 + struct bpf_reg_state *regs = this_branch->regs, *dst_reg;
6234 + u8 opcode = BPF_OP(insn->code);
6235 + int err;
6236 +@@ -2984,7 +3276,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
6237 + }
6238 + }
6239 +
6240 +- other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx);
6241 ++ other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
6242 ++ false);
6243 + if (!other_branch)
6244 + return -EFAULT;
6245 +
6246 +@@ -3087,7 +3380,7 @@ static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn)
6247 + /* verify BPF_LD_IMM64 instruction */
6248 + static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn)
6249 + {
6250 +- struct bpf_reg_state *regs = env->cur_state.regs;
6251 ++ struct bpf_reg_state *regs = cur_regs(env);
6252 + int err;
6253 +
6254 + if (BPF_SIZE(insn->code) != BPF_DW) {
6255 +@@ -3148,7 +3441,7 @@ static bool may_access_skb(enum bpf_prog_type type)
6256 + */
6257 + static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
6258 + {
6259 +- struct bpf_reg_state *regs = env->cur_state.regs;
6260 ++ struct bpf_reg_state *regs = cur_regs(env);
6261 + u8 mode = BPF_MODE(insn->code);
6262 + int i, err;
6263 +
6264 +@@ -3534,6 +3827,57 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
6265 + return false;
6266 + }
6267 +
6268 ++static bool stacksafe(struct bpf_verifier_state *old,
6269 ++ struct bpf_verifier_state *cur,
6270 ++ struct idpair *idmap)
6271 ++{
6272 ++ int i, spi;
6273 ++
6274 ++ /* if explored stack has more populated slots than current stack
6275 ++ * such stacks are not equivalent
6276 ++ */
6277 ++ if (old->allocated_stack > cur->allocated_stack)
6278 ++ return false;
6279 ++
6280 ++ /* walk slots of the explored stack and ignore any additional
6281 ++ * slots in the current stack, since explored(safe) state
6282 ++ * didn't use them
6283 ++ */
6284 ++ for (i = 0; i < old->allocated_stack; i++) {
6285 ++ spi = i / BPF_REG_SIZE;
6286 ++
6287 ++ if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID)
6288 ++ continue;
6289 ++ if (old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
6290 ++ cur->stack[spi].slot_type[i % BPF_REG_SIZE])
6291 ++ /* Ex: old explored (safe) state has STACK_SPILL in
6292 ++ * this stack slot, but current has has STACK_MISC ->
6293 ++ * this verifier states are not equivalent,
6294 ++ * return false to continue verification of this path
6295 ++ */
6296 ++ return false;
6297 ++ if (i % BPF_REG_SIZE)
6298 ++ continue;
6299 ++ if (old->stack[spi].slot_type[0] != STACK_SPILL)
6300 ++ continue;
6301 ++ if (!regsafe(&old->stack[spi].spilled_ptr,
6302 ++ &cur->stack[spi].spilled_ptr,
6303 ++ idmap))
6304 ++ /* when explored and current stack slot are both storing
6305 ++ * spilled registers, check that stored pointers types
6306 ++ * are the same as well.
6307 ++ * Ex: explored safe path could have stored
6308 ++ * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8}
6309 ++ * but current path has stored:
6310 ++ * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16}
6311 ++ * such verifier states are not equivalent.
6312 ++ * return false to continue verification of this path
6313 ++ */
6314 ++ return false;
6315 ++ }
6316 ++ return true;
6317 ++}
6318 ++
6319 + /* compare two verifier states
6320 + *
6321 + * all states stored in state_list are known to be valid, since
6322 +@@ -3568,6 +3912,12 @@ static bool states_equal(struct bpf_verifier_env *env,
6323 + bool ret = false;
6324 + int i;
6325 +
6326 ++ /* Verification state from speculative execution simulation
6327 ++ * must never prune a non-speculative execution one.
6328 ++ */
6329 ++ if (old->speculative && !cur->speculative)
6330 ++ return false;
6331 ++
6332 + idmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL);
6333 + /* If we failed to allocate the idmap, just say it's not safe */
6334 + if (!idmap)
6335 +@@ -3578,37 +3928,8 @@ static bool states_equal(struct bpf_verifier_env *env,
6336 + goto out_free;
6337 + }
6338 +
6339 +- for (i = 0; i < MAX_BPF_STACK; i++) {
6340 +- if (old->stack_slot_type[i] == STACK_INVALID)
6341 +- continue;
6342 +- if (old->stack_slot_type[i] != cur->stack_slot_type[i])
6343 +- /* Ex: old explored (safe) state has STACK_SPILL in
6344 +- * this stack slot, but current has has STACK_MISC ->
6345 +- * this verifier states are not equivalent,
6346 +- * return false to continue verification of this path
6347 +- */
6348 +- goto out_free;
6349 +- if (i % BPF_REG_SIZE)
6350 +- continue;
6351 +- if (old->stack_slot_type[i] != STACK_SPILL)
6352 +- continue;
6353 +- if (!regsafe(&old->spilled_regs[i / BPF_REG_SIZE],
6354 +- &cur->spilled_regs[i / BPF_REG_SIZE],
6355 +- idmap))
6356 +- /* when explored and current stack slot are both storing
6357 +- * spilled registers, check that stored pointers types
6358 +- * are the same as well.
6359 +- * Ex: explored safe path could have stored
6360 +- * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8}
6361 +- * but current path has stored:
6362 +- * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16}
6363 +- * such verifier states are not equivalent.
6364 +- * return false to continue verification of this path
6365 +- */
6366 +- goto out_free;
6367 +- else
6368 +- continue;
6369 +- }
6370 ++ if (!stacksafe(old, cur, idmap))
6371 ++ goto out_free;
6372 + ret = true;
6373 + out_free:
6374 + kfree(idmap);
6375 +@@ -3644,17 +3965,19 @@ static bool do_propagate_liveness(const struct bpf_verifier_state *state,
6376 + }
6377 + }
6378 + /* ... and stack slots */
6379 +- for (i = 0; i < MAX_BPF_STACK / BPF_REG_SIZE; i++) {
6380 +- if (parent->stack_slot_type[i * BPF_REG_SIZE] != STACK_SPILL)
6381 ++ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE &&
6382 ++ i < parent->allocated_stack / BPF_REG_SIZE; i++) {
6383 ++ if (parent->stack[i].slot_type[0] != STACK_SPILL)
6384 + continue;
6385 +- if (state->stack_slot_type[i * BPF_REG_SIZE] != STACK_SPILL)
6386 ++ if (state->stack[i].slot_type[0] != STACK_SPILL)
6387 + continue;
6388 +- if (parent->spilled_regs[i].live & REG_LIVE_READ)
6389 ++ if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ)
6390 + continue;
6391 +- if (writes && (state->spilled_regs[i].live & REG_LIVE_WRITTEN))
6392 ++ if (writes &&
6393 ++ (state->stack[i].spilled_ptr.live & REG_LIVE_WRITTEN))
6394 + continue;
6395 +- if (state->spilled_regs[i].live & REG_LIVE_READ) {
6396 +- parent->spilled_regs[i].live |= REG_LIVE_READ;
6397 ++ if (state->stack[i].spilled_ptr.live & REG_LIVE_READ) {
6398 ++ parent->stack[i].spilled_ptr.live |= REG_LIVE_READ;
6399 + touched = true;
6400 + }
6401 + }
6402 +@@ -3684,7 +4007,8 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6403 + {
6404 + struct bpf_verifier_state_list *new_sl;
6405 + struct bpf_verifier_state_list *sl;
6406 +- int i;
6407 ++ struct bpf_verifier_state *cur = env->cur_state;
6408 ++ int i, err;
6409 +
6410 + sl = env->explored_states[insn_idx];
6411 + if (!sl)
6412 +@@ -3694,7 +4018,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6413 + return 0;
6414 +
6415 + while (sl != STATE_LIST_MARK) {
6416 +- if (states_equal(env, &sl->state, &env->cur_state)) {
6417 ++ if (states_equal(env, &sl->state, cur)) {
6418 + /* reached equivalent register/stack state,
6419 + * prune the search.
6420 + * Registers read by the continuation are read by us.
6421 +@@ -3705,7 +4029,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6422 + * they'll be immediately forgotten as we're pruning
6423 + * this state and will pop a new one.
6424 + */
6425 +- propagate_liveness(&sl->state, &env->cur_state);
6426 ++ propagate_liveness(&sl->state, cur);
6427 + return 1;
6428 + }
6429 + sl = sl->next;
6430 +@@ -3717,16 +4041,21 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6431 + * it will be rejected. Since there are no loops, we won't be
6432 + * seeing this 'insn_idx' instruction again on the way to bpf_exit
6433 + */
6434 +- new_sl = kmalloc(sizeof(struct bpf_verifier_state_list), GFP_USER);
6435 ++ new_sl = kzalloc(sizeof(struct bpf_verifier_state_list), GFP_KERNEL);
6436 + if (!new_sl)
6437 + return -ENOMEM;
6438 +
6439 + /* add new state to the head of linked list */
6440 +- memcpy(&new_sl->state, &env->cur_state, sizeof(env->cur_state));
6441 ++ err = copy_verifier_state(&new_sl->state, cur);
6442 ++ if (err) {
6443 ++ free_verifier_state(&new_sl->state, false);
6444 ++ kfree(new_sl);
6445 ++ return err;
6446 ++ }
6447 + new_sl->next = env->explored_states[insn_idx];
6448 + env->explored_states[insn_idx] = new_sl;
6449 + /* connect new state to parentage chain */
6450 +- env->cur_state.parent = &new_sl->state;
6451 ++ cur->parent = &new_sl->state;
6452 + /* clear write marks in current state: the writes we did are not writes
6453 + * our child did, so they don't screen off its reads from us.
6454 + * (There are no read marks in current state, because reads always mark
6455 +@@ -3734,10 +4063,10 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6456 + * explored_states can get read marks.)
6457 + */
6458 + for (i = 0; i < BPF_REG_FP; i++)
6459 +- env->cur_state.regs[i].live = REG_LIVE_NONE;
6460 +- for (i = 0; i < MAX_BPF_STACK / BPF_REG_SIZE; i++)
6461 +- if (env->cur_state.stack_slot_type[i * BPF_REG_SIZE] == STACK_SPILL)
6462 +- env->cur_state.spilled_regs[i].live = REG_LIVE_NONE;
6463 ++ cur->regs[i].live = REG_LIVE_NONE;
6464 ++ for (i = 0; i < cur->allocated_stack / BPF_REG_SIZE; i++)
6465 ++ if (cur->stack[i].slot_type[0] == STACK_SPILL)
6466 ++ cur->stack[i].spilled_ptr.live = REG_LIVE_NONE;
6467 + return 0;
6468 + }
6469 +
6470 +@@ -3752,29 +4081,31 @@ static int ext_analyzer_insn_hook(struct bpf_verifier_env *env,
6471 +
6472 + static int do_check(struct bpf_verifier_env *env)
6473 + {
6474 +- struct bpf_verifier_state *state = &env->cur_state;
6475 ++ struct bpf_verifier_state *state;
6476 + struct bpf_insn *insns = env->prog->insnsi;
6477 +- struct bpf_reg_state *regs = state->regs;
6478 ++ struct bpf_reg_state *regs;
6479 + int insn_cnt = env->prog->len;
6480 +- int insn_idx, prev_insn_idx = 0;
6481 + int insn_processed = 0;
6482 + bool do_print_state = false;
6483 +
6484 +- init_reg_state(regs);
6485 ++ state = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL);
6486 ++ if (!state)
6487 ++ return -ENOMEM;
6488 ++ env->cur_state = state;
6489 ++ init_reg_state(state->regs);
6490 + state->parent = NULL;
6491 +- insn_idx = 0;
6492 + for (;;) {
6493 + struct bpf_insn *insn;
6494 + u8 class;
6495 + int err;
6496 +
6497 +- if (insn_idx >= insn_cnt) {
6498 ++ if (env->insn_idx >= insn_cnt) {
6499 + verbose("invalid insn idx %d insn_cnt %d\n",
6500 +- insn_idx, insn_cnt);
6501 ++ env->insn_idx, insn_cnt);
6502 + return -EFAULT;
6503 + }
6504 +
6505 +- insn = &insns[insn_idx];
6506 ++ insn = &insns[env->insn_idx];
6507 + class = BPF_CLASS(insn->code);
6508 +
6509 + if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
6510 +@@ -3783,17 +4114,19 @@ static int do_check(struct bpf_verifier_env *env)
6511 + return -E2BIG;
6512 + }
6513 +
6514 +- err = is_state_visited(env, insn_idx);
6515 ++ err = is_state_visited(env, env->insn_idx);
6516 + if (err < 0)
6517 + return err;
6518 + if (err == 1) {
6519 + /* found equivalent state, can prune the search */
6520 + if (log_level) {
6521 + if (do_print_state)
6522 +- verbose("\nfrom %d to %d: safe\n",
6523 +- prev_insn_idx, insn_idx);
6524 ++ verbose("\nfrom %d to %d%s: safe\n",
6525 ++ env->prev_insn_idx, env->insn_idx,
6526 ++ env->cur_state->speculative ?
6527 ++ " (speculative execution)" : "");
6528 + else
6529 +- verbose("%d: safe\n", insn_idx);
6530 ++ verbose("%d: safe\n", env->insn_idx);
6531 + }
6532 + goto process_bpf_exit;
6533 + }
6534 +@@ -3803,24 +4136,27 @@ static int do_check(struct bpf_verifier_env *env)
6535 +
6536 + if (log_level > 1 || (log_level && do_print_state)) {
6537 + if (log_level > 1)
6538 +- verbose("%d:", insn_idx);
6539 ++ verbose("%d:", env->insn_idx);
6540 + else
6541 +- verbose("\nfrom %d to %d:",
6542 +- prev_insn_idx, insn_idx);
6543 +- print_verifier_state(&env->cur_state);
6544 ++ verbose("\nfrom %d to %d%s:",
6545 ++ env->prev_insn_idx, env->insn_idx,
6546 ++ env->cur_state->speculative ?
6547 ++ " (speculative execution)" : "");
6548 ++ print_verifier_state(env->cur_state);
6549 + do_print_state = false;
6550 + }
6551 +
6552 + if (log_level) {
6553 +- verbose("%d: ", insn_idx);
6554 ++ verbose("%d: ", env->insn_idx);
6555 + print_bpf_insn(env, insn);
6556 + }
6557 +
6558 +- err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx);
6559 ++ err = ext_analyzer_insn_hook(env, env->insn_idx, env->prev_insn_idx);
6560 + if (err)
6561 + return err;
6562 +
6563 +- env->insn_aux_data[insn_idx].seen = true;
6564 ++ regs = cur_regs(env);
6565 ++ env->insn_aux_data[env->insn_idx].seen = true;
6566 + if (class == BPF_ALU || class == BPF_ALU64) {
6567 + err = check_alu_op(env, insn);
6568 + if (err)
6569 +@@ -3845,13 +4181,13 @@ static int do_check(struct bpf_verifier_env *env)
6570 + /* check that memory (src_reg + off) is readable,
6571 + * the state of dst_reg will be updated by this func
6572 + */
6573 +- err = check_mem_access(env, insn_idx, insn->src_reg, insn->off,
6574 +- BPF_SIZE(insn->code), BPF_READ,
6575 +- insn->dst_reg, false);
6576 ++ err = check_mem_access(env, env->insn_idx, insn->src_reg,
6577 ++ insn->off, BPF_SIZE(insn->code),
6578 ++ BPF_READ, insn->dst_reg, false);
6579 + if (err)
6580 + return err;
6581 +
6582 +- prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
6583 ++ prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;
6584 +
6585 + if (*prev_src_type == NOT_INIT) {
6586 + /* saw a valid insn
6587 +@@ -3878,10 +4214,10 @@ static int do_check(struct bpf_verifier_env *env)
6588 + enum bpf_reg_type *prev_dst_type, dst_reg_type;
6589 +
6590 + if (BPF_MODE(insn->code) == BPF_XADD) {
6591 +- err = check_xadd(env, insn_idx, insn);
6592 ++ err = check_xadd(env, env->insn_idx, insn);
6593 + if (err)
6594 + return err;
6595 +- insn_idx++;
6596 ++ env->insn_idx++;
6597 + continue;
6598 + }
6599 +
6600 +@@ -3897,13 +4233,13 @@ static int do_check(struct bpf_verifier_env *env)
6601 + dst_reg_type = regs[insn->dst_reg].type;
6602 +
6603 + /* check that memory (dst_reg + off) is writeable */
6604 +- err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
6605 +- BPF_SIZE(insn->code), BPF_WRITE,
6606 +- insn->src_reg, false);
6607 ++ err = check_mem_access(env, env->insn_idx, insn->dst_reg,
6608 ++ insn->off, BPF_SIZE(insn->code),
6609 ++ BPF_WRITE, insn->src_reg, false);
6610 + if (err)
6611 + return err;
6612 +
6613 +- prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
6614 ++ prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;
6615 +
6616 + if (*prev_dst_type == NOT_INIT) {
6617 + *prev_dst_type = dst_reg_type;
6618 +@@ -3932,9 +4268,9 @@ static int do_check(struct bpf_verifier_env *env)
6619 + }
6620 +
6621 + /* check that memory (dst_reg + off) is writeable */
6622 +- err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
6623 +- BPF_SIZE(insn->code), BPF_WRITE,
6624 +- -1, false);
6625 ++ err = check_mem_access(env, env->insn_idx, insn->dst_reg,
6626 ++ insn->off, BPF_SIZE(insn->code),
6627 ++ BPF_WRITE, -1, false);
6628 + if (err)
6629 + return err;
6630 +
6631 +@@ -3950,7 +4286,7 @@ static int do_check(struct bpf_verifier_env *env)
6632 + return -EINVAL;
6633 + }
6634 +
6635 +- err = check_call(env, insn->imm, insn_idx);
6636 ++ err = check_call(env, insn->imm, env->insn_idx);
6637 + if (err)
6638 + return err;
6639 +
6640 +@@ -3963,7 +4299,7 @@ static int do_check(struct bpf_verifier_env *env)
6641 + return -EINVAL;
6642 + }
6643 +
6644 +- insn_idx += insn->off + 1;
6645 ++ env->insn_idx += insn->off + 1;
6646 + continue;
6647 +
6648 + } else if (opcode == BPF_EXIT) {
6649 +@@ -3991,15 +4327,17 @@ static int do_check(struct bpf_verifier_env *env)
6650 + }
6651 +
6652 + process_bpf_exit:
6653 +- insn_idx = pop_stack(env, &prev_insn_idx);
6654 +- if (insn_idx < 0) {
6655 ++ err = pop_stack(env, &env->prev_insn_idx, &env->insn_idx);
6656 ++ if (err < 0) {
6657 ++ if (err != -ENOENT)
6658 ++ return err;
6659 + break;
6660 + } else {
6661 + do_print_state = true;
6662 + continue;
6663 + }
6664 + } else {
6665 +- err = check_cond_jmp_op(env, insn, &insn_idx);
6666 ++ err = check_cond_jmp_op(env, insn, &env->insn_idx);
6667 + if (err)
6668 + return err;
6669 + }
6670 +@@ -4016,8 +4354,8 @@ process_bpf_exit:
6671 + if (err)
6672 + return err;
6673 +
6674 +- insn_idx++;
6675 +- env->insn_aux_data[insn_idx].seen = true;
6676 ++ env->insn_idx++;
6677 ++ env->insn_aux_data[env->insn_idx].seen = true;
6678 + } else {
6679 + verbose("invalid BPF_LD mode\n");
6680 + return -EINVAL;
6681 +@@ -4027,7 +4365,7 @@ process_bpf_exit:
6682 + return -EINVAL;
6683 + }
6684 +
6685 +- insn_idx++;
6686 ++ env->insn_idx++;
6687 + }
6688 +
6689 + verbose("processed %d insns, stack depth %d\n",
6690 +@@ -4402,6 +4740,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
6691 + struct bpf_prog *new_prog;
6692 + struct bpf_map *map_ptr;
6693 + int i, cnt, delta = 0;
6694 ++ struct bpf_insn_aux_data *aux;
6695 +
6696 + for (i = 0; i < insn_cnt; i++, insn++) {
6697 + if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
6698 +@@ -4422,6 +4761,58 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
6699 + continue;
6700 + }
6701 +
6702 ++ if (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||
6703 ++ insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {
6704 ++ const u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;
6705 ++ const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;
6706 ++ struct bpf_insn insn_buf[16];
6707 ++ struct bpf_insn *patch = &insn_buf[0];
6708 ++ bool issrc, isneg;
6709 ++ u32 off_reg;
6710 ++
6711 ++ aux = &env->insn_aux_data[i + delta];
6712 ++ if (!aux->alu_state ||
6713 ++ aux->alu_state == BPF_ALU_NON_POINTER)
6714 ++ continue;
6715 ++
6716 ++ isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
6717 ++ issrc = (aux->alu_state & BPF_ALU_SANITIZE) ==
6718 ++ BPF_ALU_SANITIZE_SRC;
6719 ++
6720 ++ off_reg = issrc ? insn->src_reg : insn->dst_reg;
6721 ++ if (isneg)
6722 ++ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
6723 ++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
6724 ++ *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
6725 ++ *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
6726 ++ *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
6727 ++ *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
6728 ++ if (issrc) {
6729 ++ *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
6730 ++ off_reg);
6731 ++ insn->src_reg = BPF_REG_AX;
6732 ++ } else {
6733 ++ *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
6734 ++ BPF_REG_AX);
6735 ++ }
6736 ++ if (isneg)
6737 ++ insn->code = insn->code == code_add ?
6738 ++ code_sub : code_add;
6739 ++ *patch++ = *insn;
6740 ++ if (issrc && isneg)
6741 ++ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
6742 ++ cnt = patch - insn_buf;
6743 ++
6744 ++ new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
6745 ++ if (!new_prog)
6746 ++ return -ENOMEM;
6747 ++
6748 ++ delta += cnt - 1;
6749 ++ env->prog = prog = new_prog;
6750 ++ insn = new_prog->insnsi + i + delta;
6751 ++ continue;
6752 ++ }
6753 ++
6754 + if (insn->code != (BPF_JMP | BPF_CALL))
6755 + continue;
6756 +
6757 +@@ -4557,6 +4948,7 @@ static void free_states(struct bpf_verifier_env *env)
6758 + if (sl)
6759 + while (sl != STATE_LIST_MARK) {
6760 + sln = sl->next;
6761 ++ free_verifier_state(&sl->state, false);
6762 + kfree(sl);
6763 + sl = sln;
6764 + }
6765 +@@ -4633,9 +5025,13 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
6766 + env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
6767 +
6768 + ret = do_check(env);
6769 ++ if (env->cur_state) {
6770 ++ free_verifier_state(env->cur_state, true);
6771 ++ env->cur_state = NULL;
6772 ++ }
6773 +
6774 + skip_full_check:
6775 +- while (pop_stack(env, NULL) >= 0);
6776 ++ while (!pop_stack(env, NULL, NULL));
6777 + free_states(env);
6778 +
6779 + if (ret == 0)
6780 +@@ -4741,9 +5137,13 @@ int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,
6781 + env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
6782 +
6783 + ret = do_check(env);
6784 ++ if (env->cur_state) {
6785 ++ free_verifier_state(env->cur_state, true);
6786 ++ env->cur_state = NULL;
6787 ++ }
6788 +
6789 + skip_full_check:
6790 +- while (pop_stack(env, NULL) >= 0);
6791 ++ while (!pop_stack(env, NULL, NULL));
6792 + free_states(env);
6793 +
6794 + mutex_unlock(&bpf_verifier_lock);
6795 +diff --git a/kernel/events/core.c b/kernel/events/core.c
6796 +index 92939b5397df..580616e6fcee 100644
6797 +--- a/kernel/events/core.c
6798 ++++ b/kernel/events/core.c
6799 +@@ -6923,6 +6923,7 @@ static void perf_event_mmap_output(struct perf_event *event,
6800 + struct perf_output_handle handle;
6801 + struct perf_sample_data sample;
6802 + int size = mmap_event->event_id.header.size;
6803 ++ u32 type = mmap_event->event_id.header.type;
6804 + int ret;
6805 +
6806 + if (!perf_event_mmap_match(event, data))
6807 +@@ -6966,6 +6967,7 @@ static void perf_event_mmap_output(struct perf_event *event,
6808 + perf_output_end(&handle);
6809 + out:
6810 + mmap_event->event_id.header.size = size;
6811 ++ mmap_event->event_id.header.type = type;
6812 + }
6813 +
6814 + static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
6815 +diff --git a/kernel/hung_task.c b/kernel/hung_task.c
6816 +index f9aaf4994062..2e4869fa66c9 100644
6817 +--- a/kernel/hung_task.c
6818 ++++ b/kernel/hung_task.c
6819 +@@ -15,6 +15,7 @@
6820 + #include <linux/lockdep.h>
6821 + #include <linux/export.h>
6822 + #include <linux/sysctl.h>
6823 ++#include <linux/suspend.h>
6824 + #include <linux/utsname.h>
6825 + #include <linux/sched/signal.h>
6826 + #include <linux/sched/debug.h>
6827 +@@ -232,6 +233,28 @@ void reset_hung_task_detector(void)
6828 + }
6829 + EXPORT_SYMBOL_GPL(reset_hung_task_detector);
6830 +
6831 ++static bool hung_detector_suspended;
6832 ++
6833 ++static int hungtask_pm_notify(struct notifier_block *self,
6834 ++ unsigned long action, void *hcpu)
6835 ++{
6836 ++ switch (action) {
6837 ++ case PM_SUSPEND_PREPARE:
6838 ++ case PM_HIBERNATION_PREPARE:
6839 ++ case PM_RESTORE_PREPARE:
6840 ++ hung_detector_suspended = true;
6841 ++ break;
6842 ++ case PM_POST_SUSPEND:
6843 ++ case PM_POST_HIBERNATION:
6844 ++ case PM_POST_RESTORE:
6845 ++ hung_detector_suspended = false;
6846 ++ break;
6847 ++ default:
6848 ++ break;
6849 ++ }
6850 ++ return NOTIFY_OK;
6851 ++}
6852 ++
6853 + /*
6854 + * kthread which checks for tasks stuck in D state
6855 + */
6856 +@@ -246,7 +269,8 @@ static int watchdog(void *dummy)
6857 + long t = hung_timeout_jiffies(hung_last_checked, timeout);
6858 +
6859 + if (t <= 0) {
6860 +- if (!atomic_xchg(&reset_hung_task, 0))
6861 ++ if (!atomic_xchg(&reset_hung_task, 0) &&
6862 ++ !hung_detector_suspended)
6863 + check_hung_uninterruptible_tasks(timeout);
6864 + hung_last_checked = jiffies;
6865 + continue;
6866 +@@ -260,6 +284,10 @@ static int watchdog(void *dummy)
6867 + static int __init hung_task_init(void)
6868 + {
6869 + atomic_notifier_chain_register(&panic_notifier_list, &panic_block);
6870 ++
6871 ++ /* Disable hung task detector on suspend */
6872 ++ pm_notifier(hungtask_pm_notify, 0);
6873 ++
6874 + watchdog_task = kthread_run(watchdog, NULL, "khungtaskd");
6875 +
6876 + return 0;
6877 +diff --git a/lib/div64.c b/lib/div64.c
6878 +index 58e2a404097e..a2688b882461 100644
6879 +--- a/lib/div64.c
6880 ++++ b/lib/div64.c
6881 +@@ -103,7 +103,7 @@ u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
6882 + quot = div_u64_rem(dividend, divisor, &rem32);
6883 + *remainder = rem32;
6884 + } else {
6885 +- int n = 1 + fls(high);
6886 ++ int n = fls(high);
6887 + quot = div_u64(dividend >> n, divisor >> n);
6888 +
6889 + if (quot != 0)
6890 +@@ -141,7 +141,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
6891 + if (high == 0) {
6892 + quot = div_u64(dividend, divisor);
6893 + } else {
6894 +- int n = 1 + fls(high);
6895 ++ int n = fls(high);
6896 + quot = div_u64(dividend >> n, divisor >> n);
6897 +
6898 + if (quot != 0)
6899 +diff --git a/net/9p/protocol.c b/net/9p/protocol.c
6900 +index 9743837aebc6..766d1ef4640a 100644
6901 +--- a/net/9p/protocol.c
6902 ++++ b/net/9p/protocol.c
6903 +@@ -570,9 +570,10 @@ int p9stat_read(struct p9_client *clnt, char *buf, int len, struct p9_wstat *st)
6904 + if (ret) {
6905 + p9_debug(P9_DEBUG_9P, "<<< p9stat_read failed: %d\n", ret);
6906 + trace_9p_protocol_dump(clnt, &fake_pdu);
6907 ++ return ret;
6908 + }
6909 +
6910 +- return ret;
6911 ++ return fake_pdu.offset;
6912 + }
6913 + EXPORT_SYMBOL(p9stat_read);
6914 +
6915 +diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
6916 +index af46bc49e1e9..b5f84f428aa6 100644
6917 +--- a/net/appletalk/atalk_proc.c
6918 ++++ b/net/appletalk/atalk_proc.c
6919 +@@ -293,7 +293,7 @@ out_interface:
6920 + goto out;
6921 + }
6922 +
6923 +-void __exit atalk_proc_exit(void)
6924 ++void atalk_proc_exit(void)
6925 + {
6926 + remove_proc_entry("interface", atalk_proc_dir);
6927 + remove_proc_entry("route", atalk_proc_dir);
6928 +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
6929 +index 5d035c1f1156..d1b68cc7da89 100644
6930 +--- a/net/appletalk/ddp.c
6931 ++++ b/net/appletalk/ddp.c
6932 +@@ -1912,12 +1912,16 @@ static const char atalk_err_snap[] __initconst =
6933 + /* Called by proto.c on kernel start up */
6934 + static int __init atalk_init(void)
6935 + {
6936 +- int rc = proto_register(&ddp_proto, 0);
6937 ++ int rc;
6938 +
6939 +- if (rc != 0)
6940 ++ rc = proto_register(&ddp_proto, 0);
6941 ++ if (rc)
6942 + goto out;
6943 +
6944 +- (void)sock_register(&atalk_family_ops);
6945 ++ rc = sock_register(&atalk_family_ops);
6946 ++ if (rc)
6947 ++ goto out_proto;
6948 ++
6949 + ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
6950 + if (!ddp_dl)
6951 + printk(atalk_err_snap);
6952 +@@ -1925,12 +1929,33 @@ static int __init atalk_init(void)
6953 + dev_add_pack(&ltalk_packet_type);
6954 + dev_add_pack(&ppptalk_packet_type);
6955 +
6956 +- register_netdevice_notifier(&ddp_notifier);
6957 ++ rc = register_netdevice_notifier(&ddp_notifier);
6958 ++ if (rc)
6959 ++ goto out_sock;
6960 ++
6961 + aarp_proto_init();
6962 +- atalk_proc_init();
6963 +- atalk_register_sysctl();
6964 ++ rc = atalk_proc_init();
6965 ++ if (rc)
6966 ++ goto out_aarp;
6967 ++
6968 ++ rc = atalk_register_sysctl();
6969 ++ if (rc)
6970 ++ goto out_proc;
6971 + out:
6972 + return rc;
6973 ++out_proc:
6974 ++ atalk_proc_exit();
6975 ++out_aarp:
6976 ++ aarp_cleanup_module();
6977 ++ unregister_netdevice_notifier(&ddp_notifier);
6978 ++out_sock:
6979 ++ dev_remove_pack(&ppptalk_packet_type);
6980 ++ dev_remove_pack(&ltalk_packet_type);
6981 ++ unregister_snap_client(ddp_dl);
6982 ++ sock_unregister(PF_APPLETALK);
6983 ++out_proto:
6984 ++ proto_unregister(&ddp_proto);
6985 ++ goto out;
6986 + }
6987 + module_init(atalk_init);
6988 +
6989 +diff --git a/net/appletalk/sysctl_net_atalk.c b/net/appletalk/sysctl_net_atalk.c
6990 +index c744a853fa5f..d945b7c0176d 100644
6991 +--- a/net/appletalk/sysctl_net_atalk.c
6992 ++++ b/net/appletalk/sysctl_net_atalk.c
6993 +@@ -45,9 +45,12 @@ static struct ctl_table atalk_table[] = {
6994 +
6995 + static struct ctl_table_header *atalk_table_header;
6996 +
6997 +-void atalk_register_sysctl(void)
6998 ++int __init atalk_register_sysctl(void)
6999 + {
7000 + atalk_table_header = register_net_sysctl(&init_net, "net/appletalk", atalk_table);
7001 ++ if (!atalk_table_header)
7002 ++ return -ENOMEM;
7003 ++ return 0;
7004 + }
7005 +
7006 + void atalk_unregister_sysctl(void)
7007 +diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
7008 +index 891f4e7e8ea7..db18c0177b0f 100644
7009 +--- a/net/netfilter/xt_cgroup.c
7010 ++++ b/net/netfilter/xt_cgroup.c
7011 +@@ -66,6 +66,38 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
7012 + return 0;
7013 + }
7014 +
7015 ++static int cgroup_mt_check_v2(const struct xt_mtchk_param *par)
7016 ++{
7017 ++ struct xt_cgroup_info_v2 *info = par->matchinfo;
7018 ++ struct cgroup *cgrp;
7019 ++
7020 ++ if ((info->invert_path & ~1) || (info->invert_classid & ~1))
7021 ++ return -EINVAL;
7022 ++
7023 ++ if (!info->has_path && !info->has_classid) {
7024 ++ pr_info("xt_cgroup: no path or classid specified\n");
7025 ++ return -EINVAL;
7026 ++ }
7027 ++
7028 ++ if (info->has_path && info->has_classid) {
7029 ++ pr_info_ratelimited("path and classid specified\n");
7030 ++ return -EINVAL;
7031 ++ }
7032 ++
7033 ++ info->priv = NULL;
7034 ++ if (info->has_path) {
7035 ++ cgrp = cgroup_get_from_path(info->path);
7036 ++ if (IS_ERR(cgrp)) {
7037 ++ pr_info_ratelimited("invalid path, errno=%ld\n",
7038 ++ PTR_ERR(cgrp));
7039 ++ return -EINVAL;
7040 ++ }
7041 ++ info->priv = cgrp;
7042 ++ }
7043 ++
7044 ++ return 0;
7045 ++}
7046 ++
7047 + static bool
7048 + cgroup_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
7049 + {
7050 +@@ -95,6 +127,24 @@ static bool cgroup_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
7051 + info->invert_classid;
7052 + }
7053 +
7054 ++static bool cgroup_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
7055 ++{
7056 ++ const struct xt_cgroup_info_v2 *info = par->matchinfo;
7057 ++ struct sock_cgroup_data *skcd = &skb->sk->sk_cgrp_data;
7058 ++ struct cgroup *ancestor = info->priv;
7059 ++ struct sock *sk = skb->sk;
7060 ++
7061 ++ if (!sk || !sk_fullsock(sk) || !net_eq(xt_net(par), sock_net(sk)))
7062 ++ return false;
7063 ++
7064 ++ if (ancestor)
7065 ++ return cgroup_is_descendant(sock_cgroup_ptr(skcd), ancestor) ^
7066 ++ info->invert_path;
7067 ++ else
7068 ++ return (info->classid == sock_cgroup_classid(skcd)) ^
7069 ++ info->invert_classid;
7070 ++}
7071 ++
7072 + static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
7073 + {
7074 + struct xt_cgroup_info_v1 *info = par->matchinfo;
7075 +@@ -103,6 +153,14 @@ static void cgroup_mt_destroy_v1(const struct xt_mtdtor_param *par)
7076 + cgroup_put(info->priv);
7077 + }
7078 +
7079 ++static void cgroup_mt_destroy_v2(const struct xt_mtdtor_param *par)
7080 ++{
7081 ++ struct xt_cgroup_info_v2 *info = par->matchinfo;
7082 ++
7083 ++ if (info->priv)
7084 ++ cgroup_put(info->priv);
7085 ++}
7086 ++
7087 + static struct xt_match cgroup_mt_reg[] __read_mostly = {
7088 + {
7089 + .name = "cgroup",
7090 +@@ -130,6 +188,20 @@ static struct xt_match cgroup_mt_reg[] __read_mostly = {
7091 + (1 << NF_INET_POST_ROUTING) |
7092 + (1 << NF_INET_LOCAL_IN),
7093 + },
7094 ++ {
7095 ++ .name = "cgroup",
7096 ++ .revision = 2,
7097 ++ .family = NFPROTO_UNSPEC,
7098 ++ .checkentry = cgroup_mt_check_v2,
7099 ++ .match = cgroup_mt_v2,
7100 ++ .matchsize = sizeof(struct xt_cgroup_info_v2),
7101 ++ .usersize = offsetof(struct xt_cgroup_info_v2, priv),
7102 ++ .destroy = cgroup_mt_destroy_v2,
7103 ++ .me = THIS_MODULE,
7104 ++ .hooks = (1 << NF_INET_LOCAL_OUT) |
7105 ++ (1 << NF_INET_POST_ROUTING) |
7106 ++ (1 << NF_INET_LOCAL_IN),
7107 ++ },
7108 + };
7109 +
7110 + static int __init cgroup_mt_init(void)
7111 +diff --git a/sound/drivers/opl3/opl3_voice.h b/sound/drivers/opl3/opl3_voice.h
7112 +index eaef435e0528..abf6c23a721c 100644
7113 +--- a/sound/drivers/opl3/opl3_voice.h
7114 ++++ b/sound/drivers/opl3/opl3_voice.h
7115 +@@ -41,7 +41,7 @@ void snd_opl3_timer_func(unsigned long data);
7116 +
7117 + /* Prototypes for opl3_drums.c */
7118 + void snd_opl3_load_drums(struct snd_opl3 *opl3);
7119 +-void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int on_off, int vel, struct snd_midi_channel *chan);
7120 ++void snd_opl3_drum_switch(struct snd_opl3 *opl3, int note, int vel, int on_off, struct snd_midi_channel *chan);
7121 +
7122 + /* Prototypes for opl3_oss.c */
7123 + #if IS_ENABLED(CONFIG_SND_SEQUENCER_OSS)
7124 +diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c
7125 +index d77dcba276b5..1eb8b61a185b 100644
7126 +--- a/sound/isa/sb/sb8.c
7127 ++++ b/sound/isa/sb/sb8.c
7128 +@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int dev)
7129 +
7130 + /* block the 0x388 port to avoid PnP conflicts */
7131 + acard->fm_res = request_region(0x388, 4, "SoundBlaster FM");
7132 ++ if (!acard->fm_res) {
7133 ++ err = -EBUSY;
7134 ++ goto _err;
7135 ++ }
7136 +
7137 + if (port[dev] != SNDRV_AUTO_PORT) {
7138 + if ((err = snd_sbdsp_create(card, port[dev], irq[dev],
7139 +diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
7140 +index d68f99e076a8..e1f0bcd45c37 100644
7141 +--- a/sound/pci/echoaudio/echoaudio.c
7142 ++++ b/sound/pci/echoaudio/echoaudio.c
7143 +@@ -1953,6 +1953,11 @@ static int snd_echo_create(struct snd_card *card,
7144 + }
7145 + chip->dsp_registers = (volatile u32 __iomem *)
7146 + ioremap_nocache(chip->dsp_registers_phys, sz);
7147 ++ if (!chip->dsp_registers) {
7148 ++ dev_err(chip->card->dev, "ioremap failed\n");
7149 ++ snd_echo_free(chip);
7150 ++ return -ENOMEM;
7151 ++ }
7152 +
7153 + if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED,
7154 + KBUILD_MODNAME, chip)) {
7155 +diff --git a/tools/perf/Documentation/perf-config.txt b/tools/perf/Documentation/perf-config.txt
7156 +index 5b4fff3adc4b..782a8966b721 100644
7157 +--- a/tools/perf/Documentation/perf-config.txt
7158 ++++ b/tools/perf/Documentation/perf-config.txt
7159 +@@ -114,7 +114,7 @@ Given a $HOME/.perfconfig like this:
7160 +
7161 + [report]
7162 + # Defaults
7163 +- sort-order = comm,dso,symbol
7164 ++ sort_order = comm,dso,symbol
7165 + percent-limit = 0
7166 + queue-size = 0
7167 + children = true
7168 +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
7169 +index 3103a33c13a8..133eb7949321 100644
7170 +--- a/tools/perf/builtin-top.c
7171 ++++ b/tools/perf/builtin-top.c
7172 +@@ -1345,8 +1345,9 @@ int cmd_top(int argc, const char **argv)
7173 + goto out_delete_evlist;
7174 +
7175 + symbol_conf.try_vmlinux_path = (symbol_conf.vmlinux_name == NULL);
7176 +- if (symbol__init(NULL) < 0)
7177 +- return -1;
7178 ++ status = symbol__init(NULL);
7179 ++ if (status < 0)
7180 ++ goto out_delete_evlist;
7181 +
7182 + sort__setup_elide(stdout);
7183 +
7184 +diff --git a/tools/perf/tests/evsel-tp-sched.c b/tools/perf/tests/evsel-tp-sched.c
7185 +index d0406116c905..926a8e1b5e94 100644
7186 +--- a/tools/perf/tests/evsel-tp-sched.c
7187 ++++ b/tools/perf/tests/evsel-tp-sched.c
7188 +@@ -85,5 +85,6 @@ int test__perf_evsel__tp_sched_test(struct test *test __maybe_unused, int subtes
7189 + if (perf_evsel__test_field(evsel, "target_cpu", 4, true))
7190 + ret = -1;
7191 +
7192 ++ perf_evsel__delete(evsel);
7193 + return ret;
7194 + }
7195 +diff --git a/tools/perf/tests/expr.c b/tools/perf/tests/expr.c
7196 +index 01f0706995a9..9acc1e80b936 100644
7197 +--- a/tools/perf/tests/expr.c
7198 ++++ b/tools/perf/tests/expr.c
7199 +@@ -19,7 +19,7 @@ int test__expr(struct test *t __maybe_unused, int subtest __maybe_unused)
7200 + const char *p;
7201 + const char **other;
7202 + double val;
7203 +- int ret;
7204 ++ int i, ret;
7205 + struct parse_ctx ctx;
7206 + int num_other;
7207 +
7208 +@@ -56,6 +56,9 @@ int test__expr(struct test *t __maybe_unused, int subtest __maybe_unused)
7209 + TEST_ASSERT_VAL("find other", !strcmp(other[1], "BAZ"));
7210 + TEST_ASSERT_VAL("find other", !strcmp(other[2], "BOZO"));
7211 + TEST_ASSERT_VAL("find other", other[3] == NULL);
7212 ++
7213 ++ for (i = 0; i < num_other; i++)
7214 ++ free((void *)other[i]);
7215 + free((void *)other);
7216 +
7217 + return 0;
7218 +diff --git a/tools/perf/tests/openat-syscall-all-cpus.c b/tools/perf/tests/openat-syscall-all-cpus.c
7219 +index c531e6deb104..493ecb611540 100644
7220 +--- a/tools/perf/tests/openat-syscall-all-cpus.c
7221 ++++ b/tools/perf/tests/openat-syscall-all-cpus.c
7222 +@@ -45,7 +45,7 @@ int test__openat_syscall_event_on_all_cpus(struct test *test __maybe_unused, int
7223 + if (IS_ERR(evsel)) {
7224 + tracing_path__strerror_open_tp(errno, errbuf, sizeof(errbuf), "syscalls", "sys_enter_openat");
7225 + pr_debug("%s\n", errbuf);
7226 +- goto out_thread_map_delete;
7227 ++ goto out_cpu_map_delete;
7228 + }
7229 +
7230 + if (perf_evsel__open(evsel, cpus, threads) < 0) {
7231 +@@ -119,6 +119,8 @@ out_close_fd:
7232 + perf_evsel__close_fd(evsel);
7233 + out_evsel_delete:
7234 + perf_evsel__delete(evsel);
7235 ++out_cpu_map_delete:
7236 ++ cpu_map__put(cpus);
7237 + out_thread_map_delete:
7238 + thread_map__put(threads);
7239 + return err;
7240 +diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
7241 +index 7f8553630c4d..69910deab6e0 100644
7242 +--- a/tools/perf/util/build-id.c
7243 ++++ b/tools/perf/util/build-id.c
7244 +@@ -185,6 +185,7 @@ char *build_id_cache__linkname(const char *sbuild_id, char *bf, size_t size)
7245 + return bf;
7246 + }
7247 +
7248 ++/* The caller is responsible to free the returned buffer. */
7249 + char *build_id_cache__origname(const char *sbuild_id)
7250 + {
7251 + char *linkname;
7252 +diff --git a/tools/perf/util/config.c b/tools/perf/util/config.c
7253 +index 4b893c622236..a0c9ff27c7bf 100644
7254 +--- a/tools/perf/util/config.c
7255 ++++ b/tools/perf/util/config.c
7256 +@@ -628,11 +628,10 @@ static int collect_config(const char *var, const char *value,
7257 + }
7258 +
7259 + ret = set_value(item, value);
7260 +- return ret;
7261 +
7262 + out_free:
7263 + free(key);
7264 +- return -1;
7265 ++ return ret;
7266 + }
7267 +
7268 + int perf_config_set__collect(struct perf_config_set *set, const char *file_name,
7269 +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
7270 +index 44c2f62b47a3..0cf6f537f980 100644
7271 +--- a/tools/perf/util/evsel.c
7272 ++++ b/tools/perf/util/evsel.c
7273 +@@ -1229,6 +1229,7 @@ void perf_evsel__exit(struct perf_evsel *evsel)
7274 + {
7275 + assert(list_empty(&evsel->node));
7276 + assert(evsel->evlist == NULL);
7277 ++ perf_evsel__free_counts(evsel);
7278 + perf_evsel__free_fd(evsel);
7279 + perf_evsel__free_id(evsel);
7280 + perf_evsel__free_config_terms(evsel);
7281 +diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
7282 +index 5d420209505e..5b8bc1fd943d 100644
7283 +--- a/tools/perf/util/hist.c
7284 ++++ b/tools/perf/util/hist.c
7285 +@@ -1040,8 +1040,10 @@ int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al,
7286 +
7287 + err = sample__resolve_callchain(iter->sample, &callchain_cursor, &iter->parent,
7288 + iter->evsel, al, max_stack_depth);
7289 +- if (err)
7290 ++ if (err) {
7291 ++ map__put(alm);
7292 + return err;
7293 ++ }
7294 +
7295 + err = iter->ops->prepare_entry(iter, al);
7296 + if (err)
7297 +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
7298 +index d0b92d374ba9..29e2bb304168 100644
7299 +--- a/tools/perf/util/parse-events.c
7300 ++++ b/tools/perf/util/parse-events.c
7301 +@@ -2109,6 +2109,7 @@ static bool is_event_supported(u8 type, unsigned config)
7302 + perf_evsel__delete(evsel);
7303 + }
7304 +
7305 ++ thread_map__put(tmap);
7306 + return ret;
7307 + }
7308 +
7309 +@@ -2179,6 +2180,7 @@ void print_sdt_events(const char *subsys_glob, const char *event_glob,
7310 + printf(" %-50s [%s]\n", buf, "SDT event");
7311 + free(buf);
7312 + }
7313 ++ free(path);
7314 + } else
7315 + printf(" %-50s [%s]\n", nd->s, "SDT event");
7316 + if (nd2) {
7317 +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
7318 +index 7a1b20ec5216..d1b2348db0f9 100644
7319 +--- a/tools/power/x86/turbostat/turbostat.c
7320 ++++ b/tools/power/x86/turbostat/turbostat.c
7321 +@@ -4588,6 +4588,9 @@ int fork_it(char **argv)
7322 + signal(SIGQUIT, SIG_IGN);
7323 + if (waitpid(child_pid, &status, 0) == -1)
7324 + err(status, "waitpid");
7325 ++
7326 ++ if (WIFEXITED(status))
7327 ++ status = WEXITSTATUS(status);
7328 + }
7329 + /*
7330 + * n.b. fork_it() does not check for errors from for_all_cpus()
7331 +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
7332 +index a0591d06c61b..913539aea645 100644
7333 +--- a/tools/testing/selftests/bpf/test_verifier.c
7334 ++++ b/tools/testing/selftests/bpf/test_verifier.c
7335 +@@ -1860,6 +1860,7 @@ static struct bpf_test tests[] = {
7336 + },
7337 + .result = REJECT,
7338 + .errstr = "invalid stack off=-79992 size=8",
7339 ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
7340 + },
7341 + {
7342 + "PTR_TO_STACK store/load - out of bounds high",
7343 +@@ -2243,6 +2244,8 @@ static struct bpf_test tests[] = {
7344 + BPF_EXIT_INSN(),
7345 + },
7346 + .result = ACCEPT,
7347 ++ .result_unpriv = REJECT,
7348 ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
7349 + },
7350 + {
7351 + "unpriv: cmp of stack pointer",
7352 +@@ -7013,6 +7016,7 @@ static struct bpf_test tests[] = {
7353 + },
7354 + .fixup_map1 = { 3 },
7355 + .errstr = "pointer offset 1073741822",
7356 ++ .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7357 + .result = REJECT
7358 + },
7359 + {
7360 +@@ -7034,6 +7038,7 @@ static struct bpf_test tests[] = {
7361 + },
7362 + .fixup_map1 = { 3 },
7363 + .errstr = "pointer offset -1073741822",
7364 ++ .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7365 + .result = REJECT
7366 + },
7367 + {
7368 +@@ -7203,6 +7208,7 @@ static struct bpf_test tests[] = {
7369 + BPF_EXIT_INSN()
7370 + },
7371 + .errstr = "fp pointer offset 1073741822",
7372 ++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
7373 + .result = REJECT
7374 + },
7375 + {
7376 +diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c
7377 +index ed8c9d360c0f..4225d462701d 100644
7378 +--- a/tools/usb/usbip/libsrc/vhci_driver.c
7379 ++++ b/tools/usb/usbip/libsrc/vhci_driver.c
7380 +@@ -150,7 +150,7 @@ static int get_nports(struct udev_device *hc_device)
7381 +
7382 + static int vhci_hcd_filter(const struct dirent *dirent)
7383 + {
7384 +- return strcmp(dirent->d_name, "vhci_hcd") >= 0;
7385 ++ return !strncmp(dirent->d_name, "vhci_hcd.", 9);
7386 + }
7387 +
7388 + static int get_ncontrollers(void)
Report Message
Find on MARC Find on Google Groups