user/sven/linux.git/drivers/of, branch v5.15.73

of: fdt: fix off-by-one error in unflatten_dt_nodes()

2022-09-23T12:15:46Z

[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer... Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") Signed-off-by: Sergey Shtylyov Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru Signed-off-by: Sasha Levin

of/fdt: declared return type does not match actual return type

2022-08-17T12:23:59Z

[ Upstream commit 7913145afa51bbed9eaf8e5b4ee55fa9884a71e5 ] The commit 649cab56de8e (“of: properly check for error returned by fdt_get_name()”) changed the return value type from bool to int, but forgot to change the return value simultaneously. populate_node was only called in unflatten_dt_nodes, and returns with values greater than or equal to 0 were discarded without further processing. Considering that return 0 usually indicates success, return 0 instead of return true. Fixes: 649cab56de8e (“of: properly check for error returned by fdt_get_name()”) Signed-off-by: Xu Qiang Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220801120506.11461-2-xuqiang36@huawei.com Signed-off-by: Sasha Levin

of: device: Fix missing of_node_put() in of_dma_set_restricted_buffer

2022-08-17T12:23:51Z

[ Upstream commit d17e37c41b7ed38459957a5d2968ba61516fd5c2 ] We should use of_node_put() for the reference 'node' returned by of_parse_phandle() which will increase the refcount. Fixes: fec9b625095f ("of: Add plumbing for restricted DMA pool") Co-authored-by: Miaoqian Lin Signed-off-by: Liang He Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220702014449.263772-1-windhl@126.com Signed-off-by: Sasha Levin

of: check previous kernel's ima-kexec-buffer against memory bounds

2022-08-17T12:23:38Z

[ Upstream commit cbf9c4b9617b6767886a913705ca14b7600c77db ] Presently ima_get_kexec_buffer() doesn't check if the previous kernel's ima-kexec-buffer lies outside the addressable memory range. This can result in a kernel panic if the new kernel is booted with 'mem=X' arg and the ima-kexec-buffer was allocated beyond that range by the previous kernel. The panic is usually of the form below: $ sudo kexec --initrd initrd vmlinux --append='mem=16G' BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000 Faulting instruction address: 0xc000000000837974 Oops: Kernel access of bad area, sig: 11 [#1] NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0 LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 Call Trace: [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108 [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120 [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0 [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0 [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330 7c0802a6 fb610198 7c9b2378 f80101d0 2c090001 40820614 e9240010 ---[ end trace 0000000000000000 ]--- Fix this issue by checking returned PFN range of previous kernel's ima-kexec-buffer with page_is_ram() to ensure correct memory bounds. Fixes: 467d27824920 ("powerpc: ima: get the kexec buffer passed by the previous kernel") Cc: Frank Rowand Cc: Prakhar Srivastava Cc: Lakshmi Ramasubramanian Cc: Thiago Jung Bauermann Cc: Rob Herring Cc: Ritesh Harjani Cc: Robin Murphy Signed-off-by: Vaibhav Jain Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220531041446.3334259-1-vaibhav@linux.ibm.com Signed-off-by: Sasha Levin

of: overlay: do not break notify on NOTIFY_{OK|STOP}

2022-06-09T08:22:50Z

[ Upstream commit 5f756a2eaa4436d7d3dc1e040147f5e992ae34b5 ] We should not break overlay notifications on NOTIFY_{OK|STOP} otherwise we might break on the first fragment. We should only stop notifications if a *real* errno is returned by one of the listeners. Fixes: a1d19bd4cf1fe ("of: overlay: pr_err from return NOTIFY_OK to overlay apply/remove") Signed-off-by: Nuno Sá Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220420130205.89435-1-nuno.sa@analog.com Signed-off-by: Sasha Levin

of: Support more than one crash kernel regions for kexec -s

2022-06-09T08:22:36Z

[ Upstream commit 8af6b91f58341325bf74ecb0389ddc0039091d84 ] When "crashkernel=X,high" is used, there may be two crash regions: high=crashk_res and low=crashk_low_res. But now the syscall kexec_file_load() only add crashk_res into "linux,usable-memory-range", this may cause the second kernel to have no available dma memory. Fix it like kexec-tools does for option -c, add both 'high' and 'low' regions into the dtb. Signed-off-by: Zhen Lei Acked-by: Rob Herring Acked-by: Baoquan He Link: https://lore.kernel.org/r/20220506114402.365-6-thunder.leizhen@huawei.com Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin

of: net: move of_net under net/

2022-03-08T18:12:41Z

[ Upstream commit e330fb14590c5c80f7195c3d8c9b4bcf79e1a5cd ] Rob suggests to move of_net.c from under drivers/of/ somewhere to the networking code. Suggested-by: Rob Herring Signed-off-by: Jakub Kicinski Reviewed-by: Rob Herring Signed-off-by: David S. Miller Signed-off-by: Sasha Levin

of: base: Improve argument length mismatch error

2022-01-27T10:05:19Z

commit 5d05b811b5acb92fc581a7b328b36646c86f5ab9 upstream. The cells_name field of of_phandle_iterator might be NULL. Use the phandle name instead. With this change instead of: OF: /soc/pinctrl@1000000: (null) = 3 found 2 We get: OF: /soc/pinctrl@1000000: phandle pinctrl@1000000 needs 3, found 2 Which is a more helpful messages making DT debugging easier. In this particular example the phandle name looks like duplicate of the same node name. But note that the first node is the parent node (it->parent), while the second is the phandle target (it->node). They happen to be the same in the case that triggered this improvement. See commit 72cb4c48a46a ("arm64: dts: qcom: ipq6018: Fix gpio-ranges property"). Signed-off-by: Baruch Siach Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/f6a68e0088a552ea9dfd4d8e3b5b586d92594738.1640881913.git.baruch@tkos.co.il Signed-off-by: Greg Kroah-Hartman

of/fdt: Don't worry about non-memory region overlap for no-map

2022-01-27T10:04:20Z

[ Upstream commit da17d6905d29ddcdc04b2fdc37ed8cf1e8437cc8 ] In commit 8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove already reserved regions") we returned -EBUSY when trying to mark regions as no-map when they intersect with reserved memory. The goal was to find bad no-map reserved memory DT nodes that would unmap the kernel text/data sections. The problem is the reserved memory check will still trigger if the DT has a /memreserve/ that completely subsumes the no-map memory carveouts in the reserved memory node _and_ that region is also not part of the memory reg property. For example in sc7180.dtsi we have the following reserved-memory and memory node: memory@80000000 { /* We expect the bootloader to fill in the size */ reg = <0 0x80000000 0 0>; }; smem_mem: memory@80900000 { reg = <0x0 0x80900000 0x0 0x200000>; no-map; }; and the memreserve filled in by the bootloader is /memreserve/ 0x80800000 0x400000; while the /memory node is transformed into memory@80000000 { /* The bootloader fills in the size, and adds another region */ reg = <0 0x80000000 0 0x00800000>, <0 0x80c00000 0 0x7f200000>; }; The smem region is doubly reserved via /memreserve/ and by not being part of the /memory reg property. This leads to the following warning printed at boot. OF: fdt: Reserved memory: failed to reserve memory for node 'memory@80900000': base 0x0000000080900000, size 2 MiB Otherwise nothing really goes wrong because the smem region is not going to be mapped by the kernel's direct linear mapping given that it isn't part of the memory node. Therefore, let's only consider this to be a problem if we're trying to mark a region as no-map and it is actually memory that we're intending to keep out of the kernel's direct mapping but it's already been reserved. Acked-by: Mike Rapoport Cc: Douglas Anderson Cc: Nicolas Boichat Cc: Quentin Perret Cc: Jan Kiszka Fixes: 8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove already reserved regions") Signed-off-by: Stephen Boyd Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220107194233.2793146-1-swboyd@chromium.org Signed-off-by: Sasha Levin

of: base: Fix phandle argument length mismatch error message

2022-01-27T10:04:20Z

[ Upstream commit 94a4950a4acff39b5847cc1fee4f65e160813493 ] The cell_count field of of_phandle_iterator is the number of cells we expect in the phandle arguments list when cells_name is missing. The error message should show the number of cells we actually see. Fixes: af3be70a3211 ("of: Improve of_phandle_iterator_next() error message") Cc: Florian Fainelli Signed-off-by: Baruch Siach Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/96519ac55be90a63fa44afe01480c30d08535465.1640881913.git.baruch@tkos.co.il Signed-off-by: Sasha Levin