]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 5.16
authorSasha Levin <sashal@kernel.org>
Sun, 23 Jan 2022 14:49:14 +0000 (09:49 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 23 Jan 2022 14:49:14 +0000 (09:49 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
753 files changed:
queue-5.16/acpi-battery-add-the-thinkpad-not-charging-quirk.patch [new file with mode: 0644]
queue-5.16/acpi-change-acpi_device_always_present-into-acpi_dev.patch [new file with mode: 0644]
queue-5.16/acpi-cppc-check-present-cpus-for-determining-_cpc-is.patch [new file with mode: 0644]
queue-5.16/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch [new file with mode: 0644]
queue-5.16/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch [new file with mode: 0644]
queue-5.16/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch [new file with mode: 0644]
queue-5.16/acpi-x86-allow-specifying-acpi_device_override_statu.patch [new file with mode: 0644]
queue-5.16/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch [new file with mode: 0644]
queue-5.16/acpica-actypes.h-expand-the-acpi_access_-definitions.patch [new file with mode: 0644]
queue-5.16/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch [new file with mode: 0644]
queue-5.16/acpica-fix-wrong-interpretation-of-pcc-address.patch [new file with mode: 0644]
queue-5.16/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch [new file with mode: 0644]
queue-5.16/acpica-utilities-avoid-deleting-the-same-object-twic.patch [new file with mode: 0644]
queue-5.16/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch [new file with mode: 0644]
queue-5.16/alsa-hda-cs8409-fix-jack-detection-after-resume.patch [new file with mode: 0644]
queue-5.16/alsa-hda-cs8409-increase-delay-during-jack-detection.patch [new file with mode: 0644]
queue-5.16/alsa-hda-fix-potential-deadlock-at-codec-unbinding.patch [new file with mode: 0644]
queue-5.16/alsa-hda-make-proper-use-of-timecounter.patch [new file with mode: 0644]
queue-5.16/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch [new file with mode: 0644]
queue-5.16/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch [new file with mode: 0644]
queue-5.16/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch [new file with mode: 0644]
queue-5.16/alsa-seq-set-upper-limit-of-processed-events.patch [new file with mode: 0644]
queue-5.16/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch [new file with mode: 0644]
queue-5.16/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch [new file with mode: 0644]
queue-5.16/amt-fix-wrong-return-type-of-amt_send_membership_upd.patch [new file with mode: 0644]
queue-5.16/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch [new file with mode: 0644]
queue-5.16/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch [new file with mode: 0644]
queue-5.16/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch [new file with mode: 0644]
queue-5.16/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch [new file with mode: 0644]
queue-5.16/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch [new file with mode: 0644]
queue-5.16/arm-dts-qcom-sdx55-fix-ipa-interconnect-definitions.patch [new file with mode: 0644]
queue-5.16/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch [new file with mode: 0644]
queue-5.16/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch [new file with mode: 0644]
queue-5.16/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch [new file with mode: 0644]
queue-5.16/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch [new file with mode: 0644]
queue-5.16/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch [new file with mode: 0644]
queue-5.16/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch [new file with mode: 0644]
queue-5.16/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch [new file with mode: 0644]
queue-5.16/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch [new file with mode: 0644]
queue-5.16/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch [new file with mode: 0644]
queue-5.16/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-c630-fix-soundcard-setup.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-sc7280-fix-incorrect-clock-name.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-sc7280-fix-interrupt-map-parent-addre.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-sm-68-350-use-interrupts-extended-wit.patch [new file with mode: 0644]
queue-5.16/arm64-dts-qcom-sm8350-shorten-camera-thermal-bottom-.patch [new file with mode: 0644]
queue-5.16/arm64-dts-renesas-cat875-add-rx-tx-delays.patch [new file with mode: 0644]
queue-5.16/arm64-dts-renesas-fix-thermal-bindings.patch [new file with mode: 0644]
queue-5.16/arm64-dts-rockchip-fix-bluetooth-on-rock-pi-4-boards.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-j721e-main-fix-dtbs_check-in-serdes_ln_.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-k3-am642-fix-the-l2-cache-sets.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch [new file with mode: 0644]
queue-5.16/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch [new file with mode: 0644]
queue-5.16/arm64-mte-dc-gva-gzva-shouldn-t-be-used-when-dczid_e.patch [new file with mode: 0644]
queue-5.16/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch [new file with mode: 0644]
queue-5.16/arm64-tegra-remove-non-existent-tegra194-reset.patch [new file with mode: 0644]
queue-5.16/asoc-amd-fix-dependency-for-spi-master.patch [new file with mode: 0644]
queue-5.16/asoc-codecs-wcd938x-add-snd_soc_wcd938_sdw-to-codec-.patch [new file with mode: 0644]
queue-5.16/asoc-cs42l42-report-initial-jack-state.patch [new file with mode: 0644]
queue-5.16/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch [new file with mode: 0644]
queue-5.16/asoc-fsl_mqs-fix-module_alias.patch [new file with mode: 0644]
queue-5.16/asoc-imx-card-fix-mclk-calculation-issue-for-akcodec.patch [new file with mode: 0644]
queue-5.16/asoc-imx-card-improve-the-sound-quality-for-low-rate.patch [new file with mode: 0644]
queue-5.16/asoc-imx-card-need-special-setting-for-ak4497-on-i.m.patch [new file with mode: 0644]
queue-5.16/asoc-imx-hdmi-add-put_device-after-of_find_device_by.patch [new file with mode: 0644]
queue-5.16/asoc-intel-catpt-test-dmaengine_submit-result-before.patch [new file with mode: 0644]
queue-5.16/asoc-intel-sof_sdw-fix-jack-detection-on-hp-spectre-.patch [new file with mode: 0644]
queue-5.16/asoc-mediatek-check-for-error-clk-pointer.patch [new file with mode: 0644]
queue-5.16/asoc-mediatek-mt8173-fix-device_node-leak.patch [new file with mode: 0644]
queue-5.16/asoc-mediatek-mt8183-fix-device_node-leak.patch [new file with mode: 0644]
queue-5.16/asoc-mediatek-mt8192-mt6359-fix-device_node-leak.patch [new file with mode: 0644]
queue-5.16/asoc-mediatek-mt8195-correct-default-value.patch [new file with mode: 0644]
queue-5.16/asoc-mediatek-mt8195-correct-pcmif-be-dai-control-fl.patch [new file with mode: 0644]
queue-5.16/asoc-rt5663-handle-device_property_read_u32_array-er.patch [new file with mode: 0644]
queue-5.16/asoc-samsung-idma-check-of-ioremap-return-value.patch [new file with mode: 0644]
queue-5.16/asoc-sof-intel-fix-build-issue-related-to-codec_prob.patch [new file with mode: 0644]
queue-5.16/asoc-sof-intel-hda-add-quirks-for-hdaudio-dma-positi.patch [new file with mode: 0644]
queue-5.16/asoc-sof-ipc-add-null-pointer-check-for-substream-ru.patch [new file with mode: 0644]
queue-5.16/asoc-test-component-fix-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.16/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch [new file with mode: 0644]
queue-5.16/ath10k-drop-beacon-and-probe-response-which-leak-fro.patch [new file with mode: 0644]
queue-5.16/ath10k-fix-the-mtu-size-on-qca9377-sdio.patch [new file with mode: 0644]
queue-5.16/ath10k-fix-tx-hanging.patch [new file with mode: 0644]
queue-5.16/ath11k-add-hw_param-for-wakeup_mhi.patch [new file with mode: 0644]
queue-5.16/ath11k-allocate-dst-ring-descriptors-from-cacheable-.patch [new file with mode: 0644]
queue-5.16/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch [new file with mode: 0644]
queue-5.16/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch [new file with mode: 0644]
queue-5.16/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch [new file with mode: 0644]
queue-5.16/ath11k-clear-the-keys-properly-via-disable_key.patch [new file with mode: 0644]
queue-5.16/ath11k-enable-ieee80211_vht_ext_nss_bw_capable-if-ns.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-mon-status-ring-rx-tlv-processing.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-napi-related-hang.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-qmi-file-type-enum-value.patch [new file with mode: 0644]
queue-5.16/ath11k-fix-unexpected-return-buffer-manager-error-fo.patch [new file with mode: 0644]
queue-5.16/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch [new file with mode: 0644]
queue-5.16/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch [new file with mode: 0644]
queue-5.16/ath11k-set-correct-nl80211_feature_dynamic_smps-for-.patch [new file with mode: 0644]
queue-5.16/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch [new file with mode: 0644]
queue-5.16/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch [new file with mode: 0644]
queue-5.16/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch [new file with mode: 0644]
queue-5.16/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch-21350 [new file with mode: 0644]
queue-5.16/audit-ensure-userspace-is-penalized-the-same-as-the-.patch [new file with mode: 0644]
queue-5.16/ax25-uninitialized-variable-in-ax25_setsockopt.patch [new file with mode: 0644]
queue-5.16/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch [new file with mode: 0644]
queue-5.16/backlight-qcom-wled-override-default-length-with-qco.patch [new file with mode: 0644]
queue-5.16/backlight-qcom-wled-pass-number-of-elements-to-read-.patch [new file with mode: 0644]
queue-5.16/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch [new file with mode: 0644]
queue-5.16/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch [new file with mode: 0644]
queue-5.16/backlight-qcom-wled-validate-enabled-string-indices-.patch [new file with mode: 0644]
queue-5.16/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch [new file with mode: 0644]
queue-5.16/bfq-do-not-let-waker-requests-skip-proper-accounting.patch [new file with mode: 0644]
queue-5.16/binder-avoid-potential-data-leakage-when-copying-txn.patch [new file with mode: 0644]
queue-5.16/binder-fix-handling-of-error-during-copy.patch [new file with mode: 0644]
queue-5.16/block-check-minor-range-in-device_add_disk.patch [new file with mode: 0644]
queue-5.16/block-fix-error-unwinding-in-device_add_disk.patch [new file with mode: 0644]
queue-5.16/block-null_blk-only-set-set-nr_maps-as-3-if-active-p.patch [new file with mode: 0644]
queue-5.16/bluetooth-btintel-add-missing-quirks-and-msft-ext-fo.patch [new file with mode: 0644]
queue-5.16/bluetooth-btmtksdio-fix-resume-failure.patch [new file with mode: 0644]
queue-5.16/bluetooth-btusb-handle-download_firmware-failure-cas.patch [new file with mode: 0644]
queue-5.16/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch [new file with mode: 0644]
queue-5.16/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch [new file with mode: 0644]
queue-5.16/bluetooth-fix-memory-leak-of-hci-device.patch [new file with mode: 0644]
queue-5.16/bluetooth-fix-removing-adv-when-processing-cmd-compl.patch [new file with mode: 0644]
queue-5.16/bluetooth-fix-uninitialized-variables-notify_evt.patch [new file with mode: 0644]
queue-5.16/bluetooth-hci_bcm-check-for-error-irq.patch [new file with mode: 0644]
queue-5.16/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch [new file with mode: 0644]
queue-5.16/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch [new file with mode: 0644]
queue-5.16/bluetooth-hci_sock-fix-endian-bug-in-hci_sock_setsoc.patch [new file with mode: 0644]
queue-5.16/bluetooth-hci_sock-purge-socket-queues-in-the-destru.patch [new file with mode: 0644]
queue-5.16/bluetooth-hci_vhci-fix-to-set-the-force_wakeup-value.patch [new file with mode: 0644]
queue-5.16/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch [new file with mode: 0644]
queue-5.16/bluetooth-l2cap-fix-using-wrong-mode.patch [new file with mode: 0644]
queue-5.16/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch [new file with mode: 0644]
queue-5.16/bluetooth-mgmt-fix-experimental-feature-changed-even.patch [new file with mode: 0644]
queue-5.16/bluetooth-mgmt-use-hci_dev_test_and_-set-clear-_flag.patch [new file with mode: 0644]
queue-5.16/bluetooth-stop-proccessing-malicious-adv-data.patch [new file with mode: 0644]
queue-5.16/bluetooth-vhci-set-hci_quirk_valid_le_states.patch [new file with mode: 0644]
queue-5.16/bluetooth-virtio_bt-fix-memory-leak-in-virtbt_rx_han.patch [new file with mode: 0644]
queue-5.16/bnxt_en-use-firmware-provided-max-timeout-for-messag.patch [new file with mode: 0644]
queue-5.16/bpf-add-missing-map_get_next_key-method-to-bloom-fil.patch [new file with mode: 0644]
queue-5.16/bpf-adjust-btf-log-size-limit.patch [new file with mode: 0644]
queue-5.16/bpf-arm64-use-emit_addr_mov_i64-for-bpf_pseudo_func.patch [new file with mode: 0644]
queue-5.16/bpf-change-value-of-max_tail_call_cnt-from-32-to-33.patch [new file with mode: 0644]
queue-5.16/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch [new file with mode: 0644]
queue-5.16/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch [new file with mode: 0644]
queue-5.16/bpf-don-t-promote-bogus-looking-registers-after-null.patch [new file with mode: 0644]
queue-5.16/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch [new file with mode: 0644]
queue-5.16/bpf-fix-the-test_task_vma-selftest-to-support-output.patch [new file with mode: 0644]
queue-5.16/bpf-fix-verifier-support-for-validation-of-async-cal.patch [new file with mode: 0644]
queue-5.16/bpf-remove-config-check-to-enable-bpf-support-for-br.patch [new file with mode: 0644]
queue-5.16/bpf-selftests-fix-namespace-mount-setup-in-tc_redire.patch [new file with mode: 0644]
queue-5.16/bpf-sockmap-fix-double-bpf_prog_put-on-error-case-in.patch [new file with mode: 0644]
queue-5.16/bpf-sockmap-fix-return-codes-from-tcp_bpf_recvmsg_pa.patch [new file with mode: 0644]
queue-5.16/bpftool-enable-line-buffering-for-stdout.patch [new file with mode: 0644]
queue-5.16/bpftool-fix-memory-leak-in-prog_dump.patch [new file with mode: 0644]
queue-5.16/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch [new file with mode: 0644]
queue-5.16/btrfs-remove-bug_on-in-find_parent_nodes.patch [new file with mode: 0644]
queue-5.16/can-do-not-increase-rx-statistics-when-generating-a-.patch [new file with mode: 0644]
queue-5.16/can-flexcan-add-more-quirks-to-describe-rx-path-capa.patch [new file with mode: 0644]
queue-5.16/can-flexcan-allow-to-change-quirks-at-runtime.patch [new file with mode: 0644]
queue-5.16/can-flexcan-rename-rx-modes.patch [new file with mode: 0644]
queue-5.16/can-mcp251xfd-add-missing-newline-to-printed-strings.patch [new file with mode: 0644]
queue-5.16/can-rcar_canfd-rcar_canfd_channel_probe-make-sure-we.patch [new file with mode: 0644]
queue-5.16/can-softing-softing_startstop-fix-set-but-not-used-v.patch [new file with mode: 0644]
queue-5.16/can-xilinx_can-xcan_probe-check-for-error-irq.patch [new file with mode: 0644]
queue-5.16/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch [new file with mode: 0644]
queue-5.16/char-mwave-adjust-io-port-register-size.patch [new file with mode: 0644]
queue-5.16/clk-bcm-2835-pick-the-closest-clock-rate.patch [new file with mode: 0644]
queue-5.16/clk-bcm-2835-remove-rounding-up-the-dividers.patch [new file with mode: 0644]
queue-5.16/clk-bm1880-remove-kfrees-on-static-allocations.patch [new file with mode: 0644]
queue-5.16/clk-imx8mn-fix-imx8mn_clko1_sels.patch [new file with mode: 0644]
queue-5.16/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch [new file with mode: 0644]
queue-5.16/clk-qcom-gcc-sc7280-mark-gcc_cfg_noc_lpass_clk-alway.patch [new file with mode: 0644]
queue-5.16/clk-renesas-rzg2l-check-return-value-of-pm_genpd_ini.patch [new file with mode: 0644]
queue-5.16/clk-renesas-rzg2l-propagate-return-value-of_genpd_ad.patch [new file with mode: 0644]
queue-5.16/clk-samsung-exynos850-register-clocks-early.patch [new file with mode: 0644]
queue-5.16/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch [new file with mode: 0644]
queue-5.16/clocksource-avoid-accidental-unstable-marking-of-clo.patch [new file with mode: 0644]
queue-5.16/counter-104-quad-8-fix-persistent-enabled-events-bug.patch [new file with mode: 0644]
queue-5.16/cpufreq-fix-initialization-of-min-and-max-frequency-.patch [new file with mode: 0644]
queue-5.16/cpufreq-intel_pstate-update-cpuinfo.max_freq-on-hwp_.patch [new file with mode: 0644]
queue-5.16/cpufreq-qcom-cpufreq-hw-update-offline-cpus-per-cpu-.patch [new file with mode: 0644]
queue-5.16/cpufreq-qcom-hw-fix-probable-nested-interrupt-handli.patch [new file with mode: 0644]
queue-5.16/crypto-atmel-aes-reestablish-the-correct-tfm-context.patch [new file with mode: 0644]
queue-5.16/crypto-caam-save-caam-memory-to-support-crypto-engin.patch [new file with mode: 0644]
queue-5.16/crypto-ccp-move-sev_init-retry-for-corrupted-data.patch [new file with mode: 0644]
queue-5.16/crypto-hisilicon-hpre-fix-memory-leak-in-hpre_curve2.patch [new file with mode: 0644]
queue-5.16/crypto-hisilicon-qm-fix-deadlock-for-remove-driver.patch [new file with mode: 0644]
queue-5.16/crypto-hisilicon-qm-fix-incorrect-return-value-of-hi.patch [new file with mode: 0644]
queue-5.16/crypto-jitter-consider-32-lsb-for-apt.patch [new file with mode: 0644]
queue-5.16/crypto-keembay-ocs-ecc-fix-error-return-code-in-kmb_.patch [new file with mode: 0644]
queue-5.16/crypto-octeontx2-prevent-underflow-in-get_cores_bmap.patch [new file with mode: 0644]
queue-5.16/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch [new file with mode: 0644]
queue-5.16/crypto-qce-fix-uaf-on-qce_aead_register_one.patch [new file with mode: 0644]
queue-5.16/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch [new file with mode: 0644]
queue-5.16/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-cryp-check-early-input-data.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-cryp-fix-ctr-counter-carry.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-cryp-fix-double-pm-exit.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-cryp-fix-lrw-chaining-mode.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch [new file with mode: 0644]
queue-5.16/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch [new file with mode: 0644]
queue-5.16/cxl-core-remove-cxld_const_init-in-cxl_decoder_alloc.patch [new file with mode: 0644]
queue-5.16/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch [new file with mode: 0644]
queue-5.16/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch [new file with mode: 0644]
queue-5.16/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch [new file with mode: 0644]
queue-5.16/dm-make-the-dax-support-depend-on-config_fs_dax.patch [new file with mode: 0644]
queue-5.16/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch [new file with mode: 0644]
queue-5.16/dma-buf-cma_heap-fix-mutex-locking-section.patch [new file with mode: 0644]
queue-5.16/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch [new file with mode: 0644]
queue-5.16/drivers-firmware-add-missing-platform_device_put-in-.patch [new file with mode: 0644]
queue-5.16/drm-amd-amdgpu-fix-gmc-bo-pin-count-leak-in-sriov.patch [new file with mode: 0644]
queue-5.16/drm-amd-amdgpu-fix-psp-tmr-bo-pin-count-leak-in-srio.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-add-else-to-avoid-double-destroy-clk.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-check-top_pipe_to_program-pointer.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-fix-bug-in-debugfs-crc_win_update-en.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-fix-dereference-before-null-check.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-fix-out-of-bounds-access-on-dnc31-st.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-invalid-parameter-check-in-dmub_hpd_.patch [new file with mode: 0644]
queue-5.16/drm-amd-display-use-oriented-source-size-when-checki.patch [new file with mode: 0644]
queue-5.16/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch [new file with mode: 0644]
queue-5.16/drm-amdgpu-don-t-inherit-gem-object-vmas-in-child-pr.patch [new file with mode: 0644]
queue-5.16/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch [new file with mode: 0644]
queue-5.16/drm-amdgpu-fix-amdgpu_ras_mca_query_error_status-sco.patch [new file with mode: 0644]
queue-5.16/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch [new file with mode: 0644]
queue-5.16/drm-amdgpu-use-spin_lock_irqsave-to-avoid-deadlock-b.patch [new file with mode: 0644]
queue-5.16/drm-amdkfd-check-for-null-pointer-after-calling-kmem.patch [new file with mode: 0644]
queue-5.16/drm-amdkfd-fix-error-handling-in-svm_range_add.patch [new file with mode: 0644]
queue-5.16/drm-atomic-check-new_crtc_state-active-to-determine-.patch [new file with mode: 0644]
queue-5.16/drm-bridge-display-connector-fix-an-uninitialized-po.patch [new file with mode: 0644]
queue-5.16/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch [new file with mode: 0644]
queue-5.16/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch [new file with mode: 0644]
queue-5.16/drm-bridge-sn65dsi83-fix-bridge-removal.patch [new file with mode: 0644]
queue-5.16/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch [new file with mode: 0644]
queue-5.16/drm-dp-don-t-read-back-backlight-mode-in-drm_edp_bac.patch [new file with mode: 0644]
queue-5.16/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch [new file with mode: 0644]
queue-5.16/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch [new file with mode: 0644]
queue-5.16/drm-i915-don-t-call-free_mmap_offset-when-purging.patch [new file with mode: 0644]
queue-5.16/drm-i915-pxp-hold-rpm-wakelock-during-pxp-unbind.patch [new file with mode: 0644]
queue-5.16/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch [new file with mode: 0644]
queue-5.16/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch [new file with mode: 0644]
queue-5.16/drm-msm-dpu-fix-safe-status-debugfs-file.patch [new file with mode: 0644]
queue-5.16/drm-msm-dsi-fix-initialization-in-the-bonded-dsi-cas.patch [new file with mode: 0644]
queue-5.16/drm-msm-gpu-don-t-allow-zero-fence_id.patch [new file with mode: 0644]
queue-5.16/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch [new file with mode: 0644]
queue-5.16/drm-panel-delete-panel-on-mipi_dsi_attach-failure.patch [new file with mode: 0644]
queue-5.16/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch [new file with mode: 0644]
queue-5.16/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch [new file with mode: 0644]
queue-5.16/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch [new file with mode: 0644]
queue-5.16/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.16/drm-rcar-du-add-dsi-support-to-rcar_du_output_name.patch [new file with mode: 0644]
queue-5.16/drm-rcar-du-crtc-support-external-dsi-dot-clock.patch [new file with mode: 0644]
queue-5.16/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch [new file with mode: 0644]
queue-5.16/drm-return-error-codes-from-struct-drm_driver.gem_cr.patch [new file with mode: 0644]
queue-5.16/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch [new file with mode: 0644]
queue-5.16/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch [new file with mode: 0644]
queue-5.16/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch [new file with mode: 0644]
queue-5.16/drm-sched-avoid-lockdep-spalt-on-killing-a-processes.patch [new file with mode: 0644]
queue-5.16/drm-sun4i-dw-hdmi-fix-missing-put_device-call-in-sun.patch [new file with mode: 0644]
queue-5.16/drm-tegra-gr2d-explicitly-control-module-reset.patch [new file with mode: 0644]
queue-5.16/drm-tegra-vic-fix-dma-api-misuse.patch [new file with mode: 0644]
queue-5.16/drm-vboxvideo-fix-a-null-vs-is_err-check.patch [new file with mode: 0644]
queue-5.16/drm-vc4-crtc-make-sure-the-hdmi-controller-is-powere.patch [new file with mode: 0644]
queue-5.16/drm-vc4-hdmi-enable-the-scrambler-on-reconnection.patch [new file with mode: 0644]
queue-5.16/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch [new file with mode: 0644]
queue-5.16/drm-vc4-hdmi-make-sure-the-controller-is-powered-up-.patch [new file with mode: 0644]
queue-5.16/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch [new file with mode: 0644]
queue-5.16/drm-vc4-hdmi-rework-the-pre_crtc_configure-error-han.patch [new file with mode: 0644]
queue-5.16/drm-vc4-hdmi-set-a-default-hsm-rate.patch [new file with mode: 0644]
queue-5.16/drm-virtio-fix-another-potential-integer-overflow-on.patch [new file with mode: 0644]
queue-5.16/drm-virtio-fix-potential-integer-overflow-on-shift-o.patch [new file with mode: 0644]
queue-5.16/drm-vmwgfx-fail-to-initialize-on-broken-configs.patch [new file with mode: 0644]
queue-5.16/drm-vmwgfx-introduce-a-new-placement-for-mob-page-ta.patch [new file with mode: 0644]
queue-5.16/drm-vmwgfx-release-ttm-memory-if-probe-fails.patch [new file with mode: 0644]
queue-5.16/drm-vmwgfx-remove-the-deprecated-lower-mem-limit.patch [new file with mode: 0644]
queue-5.16/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch [new file with mode: 0644]
queue-5.16/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch [new file with mode: 0644]
queue-5.16/efi-apply-memblock-cap-after-memblock_add.patch [new file with mode: 0644]
queue-5.16/ethernet-renesas-use-div64_ul-instead-of-do_div.patch [new file with mode: 0644]
queue-5.16/ext4-avoid-trim-error-on-fs-with-small-groups.patch [new file with mode: 0644]
queue-5.16/floppy-add-max-size-check-for-user-space-request.patch [new file with mode: 0644]
queue-5.16/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch [new file with mode: 0644]
queue-5.16/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch [new file with mode: 0644]
queue-5.16/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch [new file with mode: 0644]
queue-5.16/fs-dlm-fix-build-with-config_ipv6-disabled.patch [new file with mode: 0644]
queue-5.16/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch [new file with mode: 0644]
queue-5.16/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch [new file with mode: 0644]
queue-5.16/gpio-aspeed-sgpio-convert-aspeed_sgpio.lock-to-raw_s.patch [new file with mode: 0644]
queue-5.16/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch [new file with mode: 0644]
queue-5.16/gpu-host1x-select-config_dma_shared_buffer.patch [new file with mode: 0644]
queue-5.16/habanalabs-change-wait-for-interrupt-timeout-to-64-b.patch [new file with mode: 0644]
queue-5.16/habanalabs-skip-read-fw-errors-if-dynamic-descriptor.patch [new file with mode: 0644]
queue-5.16/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch [new file with mode: 0644]
queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch [new file with mode: 0644]
queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-15288 [new file with mode: 0644]
queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-31258 [new file with mode: 0644]
queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-6488 [new file with mode: 0644]
queue-5.16/hid-i2c-hid-of-expose-the-touchscreen-inverted-prope.patch [new file with mode: 0644]
queue-5.16/hid-magicmouse-report-battery-level-over-usb.patch [new file with mode: 0644]
queue-5.16/hid-quirks-allow-inverting-the-absolute-x-y-values.patch [new file with mode: 0644]
queue-5.16/hsi-core-fix-return-freed-object-in-hsi_new_client.patch [new file with mode: 0644]
queue-5.16/hugetlbfs-fix-off-by-one-error-in-hugetlb_vmdelete_l.patch [new file with mode: 0644]
queue-5.16/hwmon-mr75203-fix-wrong-power-up-delay-value.patch [new file with mode: 0644]
queue-5.16/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch [new file with mode: 0644]
queue-5.16/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch [new file with mode: 0644]
queue-5.16/i2c-mpc-correct-i2c-reset-procedure.patch [new file with mode: 0644]
queue-5.16/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch [new file with mode: 0644]
queue-5.16/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch [new file with mode: 0644]
queue-5.16/i3c-master-mipi-i3c-hci-fix-a-potentially-infinite-l.patch [new file with mode: 0644]
queue-5.16/igc-af_xdp-zero-copy-metadata-adjust-breaks-skbs-on-.patch [new file with mode: 0644]
queue-5.16/iio-chemical-sunrise_co2-set-val-parameter-only-on-s.patch [new file with mode: 0644]
queue-5.16/input-ti_am335x_tsc-fix-stepconfig-setup-for-z2.patch [new file with mode: 0644]
queue-5.16/input-ti_am335x_tsc-set-adcrefm-for-x-configuration.patch [new file with mode: 0644]
queue-5.16/interconnect-qcom-rpm-prevent-integer-overflow-in-ra.patch [new file with mode: 0644]
queue-5.16/io_uring-remove-double-poll-on-poll-update.patch [new file with mode: 0644]
queue-5.16/iommu-amd-remove-useless-irq-affinity-notifier.patch [new file with mode: 0644]
queue-5.16/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch [new file with mode: 0644]
queue-5.16/iommu-amd-x2apic-mode-mask-unmask-interrupts-on-susp.patch [new file with mode: 0644]
queue-5.16/iommu-amd-x2apic-mode-re-enable-after-resume.patch [new file with mode: 0644]
queue-5.16/iommu-amd-x2apic-mode-setup-the-intx-registers-on-ma.patch [new file with mode: 0644]
queue-5.16/iommu-arm-smmu-qcom-fix-ttbr0-read.patch [new file with mode: 0644]
queue-5.16/iommu-extend-mutex-lock-scope-in-iommu_probe_device.patch [new file with mode: 0644]
queue-5.16/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch [new file with mode: 0644]
queue-5.16/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch [new file with mode: 0644]
queue-5.16/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch [new file with mode: 0644]
queue-5.16/iwlwifi-acpi-fix-wgds-rev-3-size.patch [new file with mode: 0644]
queue-5.16/iwlwifi-don-t-pass-actual-wgds-revision-number-in-ta.patch [new file with mode: 0644]
queue-5.16/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-fix-aux-roc-removal.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-fix-calculation-of-frame-length.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-perform-6ghz-passive-scan-after-suspend.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-set-protected-flag-only-for-ndp-ranging.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch [new file with mode: 0644]
queue-5.16/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch [new file with mode: 0644]
queue-5.16/iwlwifi-recognize-missing-pnvm-data-and-then-log-fil.patch [new file with mode: 0644]
queue-5.16/iwlwifi-remove-module-loading-failure-message.patch [new file with mode: 0644]
queue-5.16/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch [new file with mode: 0644]
queue-5.16/kasan-fix-quarantine-conflicting-with-init_on_free.patch [new file with mode: 0644]
queue-5.16/kernel-locking-use-a-pointer-in-ww_mutex_trylock.patch [new file with mode: 0644]
queue-5.16/kunit-don-t-crash-if-no-parameters-are-generated.patch [new file with mode: 0644]
queue-5.16/kunit-tool-fix-json-output-for-skipped-tests.patch [new file with mode: 0644]
queue-5.16/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch [new file with mode: 0644]
queue-5.16/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch [new file with mode: 0644]
queue-5.16/kvm-risc-v-avoid-spurious-virtual-interrupts-after-c.patch [new file with mode: 0644]
queue-5.16/kvm-s390-ensure-kvm_arch_no_poll-is-read-once-when-b.patch [new file with mode: 0644]
queue-5.16/kvm-vmx-don-t-unblock-vcpu-w-posted-irq-if-irqs-are-.patch [new file with mode: 0644]
queue-5.16/kvm-vmx-read-posted-interrupt-control-exactly-once-p.patch [new file with mode: 0644]
queue-5.16/kvm-x86-ensure-that-dirty-pdptrs-are-loaded.patch [new file with mode: 0644]
queue-5.16/kvm-x86-exit-to-userspace-if-emulation-prepared-a-co.patch [new file with mode: 0644]
queue-5.16/kvm-x86-handle-32-bit-wrap-of-eip-for-emultype_skip-.patch [new file with mode: 0644]
queue-5.16/leds-lp55xx-initialise-output-direction-from-dts.patch [new file with mode: 0644]
queue-5.16/lib-logic_iomem-fix-32-bit-build.patch [new file with mode: 0644]
queue-5.16/lib-logic_iomem-fix-operation-on-32-bit.patch [new file with mode: 0644]
queue-5.16/lib-mpi-add-the-return-value-check-of-kcalloc.patch [new file with mode: 0644]
queue-5.16/libbpf-accommodate-dwarf-compiler-bug-with-duplicate.patch [new file with mode: 0644]
queue-5.16/libbpf-add-bool-skipped-to-struct-bpf_map.patch [new file with mode: 0644]
queue-5.16/libbpf-clean-gen_loader-s-attach-kind.patch [new file with mode: 0644]
queue-5.16/libbpf-detect-corrupted-elf-symbols-section.patch [new file with mode: 0644]
queue-5.16/libbpf-fix-gen_loader-assumption-on-number-of-progra.patch [new file with mode: 0644]
queue-5.16/libbpf-fix-glob_syms-memory-leak-in-bpf_linker.patch [new file with mode: 0644]
queue-5.16/libbpf-fix-non-c89-loop-variable-declaration-in-gen_.patch [new file with mode: 0644]
queue-5.16/libbpf-fix-potential-misaligned-memory-access-in-btf.patch [new file with mode: 0644]
queue-5.16/libbpf-fix-section-counting-logic.patch [new file with mode: 0644]
queue-5.16/libbpf-fix-using-invalidated-memory-in-bpf_linker.patch [new file with mode: 0644]
queue-5.16/libbpf-free-up-resources-used-by-inner-map-definitio.patch [new file with mode: 0644]
queue-5.16/libbpf-improve-sanity-checking-during-btf-fix-up.patch [new file with mode: 0644]
queue-5.16/libbpf-load-global-data-maps-lazily-on-legacy-kernel.patch [new file with mode: 0644]
queue-5.16/libbpf-silence-uninitialized-warning-error-in-btf_du.patch [new file with mode: 0644]
queue-5.16/libbpf-use-probe_name-for-legacy-kprobe.patch [new file with mode: 0644]
queue-5.16/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch [new file with mode: 0644]
queue-5.16/mac80211-allow-non-standard-vht-mcs-10-11.patch [new file with mode: 0644]
queue-5.16/mailbox-change-mailbox-mpfs-compatible-string.patch [new file with mode: 0644]
queue-5.16/mailbox-fix-gce_num-of-mt8192-driver-data.patch [new file with mode: 0644]
queue-5.16/mailbox-imx-fix-an-is_err-vs-null-bug.patch [new file with mode: 0644]
queue-5.16/mailbox-pcc-avoid-using-the-uninitialized-variable-d.patch [new file with mode: 0644]
queue-5.16/mailbox-pcc-handle-all-pcc-subtypes-correctly-in-pcc.patch [new file with mode: 0644]
queue-5.16/mctp-test-update-refcount-checking-in-route-fragment.patch [new file with mode: 0644]
queue-5.16/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch [new file with mode: 0644]
queue-5.16/media-aspeed-update-signal-status-immediately-to-ens.patch [new file with mode: 0644]
queue-5.16/media-atomisp-add-missing-media_device_cleanup-in-at.patch [new file with mode: 0644]
queue-5.16/media-atomisp-add-null-check-for-asd-obtained-from-a.patch [new file with mode: 0644]
queue-5.16/media-atomisp-check-before-deference-asd-variable.patch [new file with mode: 0644]
queue-5.16/media-atomisp-do-not-use-err-var-when-checking-port-.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-enum-formats-logic.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-ifdefs-in-sh_css.c.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-inverted-logic-in-buffers_needed.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-try_fmt-logic.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch [new file with mode: 0644]
queue-5.16/media-atomisp-fix-variable-dereferenced-before-check.patch [new file with mode: 0644]
queue-5.16/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch [new file with mode: 0644]
queue-5.16/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch [new file with mode: 0644]
queue-5.16/media-atomisp-set-per-device-s-default-mode.patch [new file with mode: 0644]
queue-5.16/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch [new file with mode: 0644]
queue-5.16/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch [new file with mode: 0644]
queue-5.16/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch [new file with mode: 0644]
queue-5.16/media-dib8000-fix-a-memleak-in-dib8000_init.patch [new file with mode: 0644]
queue-5.16/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch [new file with mode: 0644]
queue-5.16/media-dw2102-fix-use-after-free.patch [new file with mode: 0644]
queue-5.16/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch [new file with mode: 0644]
queue-5.16/media-hantro-fix-probe-func-error-path.patch [new file with mode: 0644]
queue-5.16/media-hantro-hook-up-rk3399-jpeg-encoder-output.patch [new file with mode: 0644]
queue-5.16/media-i2c-imx274-fix-s_frame_interval-runtime-resume.patch [new file with mode: 0644]
queue-5.16/media-i2c-ov8865-fix-lockdep-error.patch [new file with mode: 0644]
queue-5.16/media-i2c-re-order-runtime-pm-initialisation.patch [new file with mode: 0644]
queue-5.16/media-igorplugusb-receiver-overflow-should-be-report.patch [new file with mode: 0644]
queue-5.16/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch [new file with mode: 0644]
queue-5.16/media-ipu3-cio2-fix-error-code-in-cio2_bridge_connec.patch [new file with mode: 0644]
queue-5.16/media-m920x-don-t-use-stack-on-usb-reads.patch [new file with mode: 0644]
queue-5.16/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch [new file with mode: 0644]
queue-5.16/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch [new file with mode: 0644]
queue-5.16/media-mtk-vcodec-fix-an-error-handling-path-in-mtk_v.patch [new file with mode: 0644]
queue-5.16/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch [new file with mode: 0644]
queue-5.16/media-rcar-vin-update-format-alignment-constraints.patch [new file with mode: 0644]
queue-5.16/media-rockchip-rkisp1-use-device-name-for-debugfs-su.patch [new file with mode: 0644]
queue-5.16/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch [new file with mode: 0644]
queue-5.16/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch [new file with mode: 0644]
queue-5.16/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch [new file with mode: 0644]
queue-5.16/media-si2157-fix-warm-tuner-state-detection.patch [new file with mode: 0644]
queue-5.16/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch [new file with mode: 0644]
queue-5.16/media-uvcvideo-avoid-invalid-memory-access.patch [new file with mode: 0644]
queue-5.16/media-uvcvideo-avoid-returning-invalid-controls.patch [new file with mode: 0644]
queue-5.16/media-uvcvideo-fix-memory-leak-of-object-map-on-erro.patch [new file with mode: 0644]
queue-5.16/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch [new file with mode: 0644]
queue-5.16/media-venus-avoid-calling-core_clk_setrate-concurren.patch [new file with mode: 0644]
queue-5.16/media-venus-core-fix-a-potential-null-pointer-derefe.patch [new file with mode: 0644]
queue-5.16/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch [new file with mode: 0644]
queue-5.16/media-venus-correct-low-power-frequency-calculation-.patch [new file with mode: 0644]
queue-5.16/media-videobuf2-fix-the-size-printk-format.patch [new file with mode: 0644]
queue-5.16/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch [new file with mode: 0644]
queue-5.16/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch [new file with mode: 0644]
queue-5.16/mfd-atmel-flexcom-use-.resume_noirq.patch [new file with mode: 0644]
queue-5.16/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch [new file with mode: 0644]
queue-5.16/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch [new file with mode: 0644]
queue-5.16/mips-bcm63xx-add-support-for-clk_set_parent.patch [new file with mode: 0644]
queue-5.16/mips-compressed-fix-build-with-zstd-compression.patch [new file with mode: 0644]
queue-5.16/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch [new file with mode: 0644]
queue-5.16/mips-fix-local_-add-sub-_return-on-mips64.patch [new file with mode: 0644]
queue-5.16/mips-lantiq-add-support-for-clk_set_parent.patch [new file with mode: 0644]
queue-5.16/mips-loongson64-use-three-arguments-for-slti.patch [new file with mode: 0644]
queue-5.16/mips-octeon-add-put_device-after-of_find_device_by_n.patch [new file with mode: 0644]
queue-5.16/mips-octeon-fix-build-errors-using-clang.patch [new file with mode: 0644]
queue-5.16/misc-at25-make-driver-of-independent-again.patch [new file with mode: 0644]
queue-5.16/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch [new file with mode: 0644]
queue-5.16/mlxsw-pci-add-shutdown-method-in-pci-driver.patch [new file with mode: 0644]
queue-5.16/mlxsw-pci-avoid-flow-control-for-emad-packets.patch [new file with mode: 0644]
queue-5.16/mm-defer-kmemleak-object-creation-of-module_alloc.patch [new file with mode: 0644]
queue-5.16/mm-page_isolation-unset-migratetype-directly-for-non.patch [new file with mode: 0644]
queue-5.16/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch [new file with mode: 0644]
queue-5.16/mmc-meson-mx-sdhc-add-irq-check.patch [new file with mode: 0644]
queue-5.16/mmc-meson-mx-sdio-add-irq-check.patch [new file with mode: 0644]
queue-5.16/mmc-mtk-sd-use-readl_poll_timeout-instead-of-open-co.patch [new file with mode: 0644]
queue-5.16/mmc-omap_hsmmc-revert-special-init-for-wl1251.patch [new file with mode: 0644]
queue-5.16/mmc-sdhci-pci-gli-gl9755-support-for-cd-wp-inversion.patch [new file with mode: 0644]
queue-5.16/mmc-tmio-reinit-card-irqs-in-reset-routine.patch [new file with mode: 0644]
queue-5.16/mptcp-check-reclaim-amount-before-reducing-allocatio.patch [new file with mode: 0644]
queue-5.16/mptcp-fix-a-dss-option-writing-error.patch [new file with mode: 0644]
queue-5.16/mptcp-fix-opt-size-when-sending-dss-mp_fail.patch [new file with mode: 0644]
queue-5.16/mptcp-fix-per-socket-endpoint-accounting.patch [new file with mode: 0644]
queue-5.16/mt76-connac-align-mcu_ext-definitions-with-7915-driv.patch [new file with mode: 0644]
queue-5.16/mt76-connac-fix-a-theoretical-null-pointer-dereferen.patch [new file with mode: 0644]
queue-5.16/mt76-connac-fix-last_chan-configuration-in-mt76_conn.patch [new file with mode: 0644]
queue-5.16/mt76-connac-introduce-mcu_ext-macros.patch [new file with mode: 0644]
queue-5.16/mt76-connac-introduce-mcu_uni_cmd-macro.patch [new file with mode: 0644]
queue-5.16/mt76-connac-remove-mcu_fw_prefix-bit.patch [new file with mode: 0644]
queue-5.16/mt76-debugfs-fix-queue-reporting-for-mt76-usb.patch [new file with mode: 0644]
queue-5.16/mt76-do-not-pass-the-received-frame-with-decryption-.patch [new file with mode: 0644]
queue-5.16/mt76-fix-possible-oob-issue-in-mt76_calculate_defaul.patch [new file with mode: 0644]
queue-5.16/mt76-mt7615-fix-possible-deadlock-while-mt7615_regis.patch [new file with mode: 0644]
queue-5.16/mt76-mt7615-improve-wmm-index-allocation.patch [new file with mode: 0644]
queue-5.16/mt76-mt7915-fix-smps-operation-fail.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-drop-offload_flags-overwritten.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-fix-a-possible-race-enabling-disabling-r.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-fix-mt7921e-reset-failure.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-fix-network-buffer-leak-by-txs-missing.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-fix-possible-null-pointer-dereference-in.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-fix-possible-resume-failure.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-move-mt76_connac_mcu_set_hif_suspend-to-.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921-use-correct-iftype-data-on-6ghz-cap-init.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921s-fix-possible-kernel-crash-due-to-invali.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921s-fix-suspend-error-with-enlarging-mcu-ti.patch [new file with mode: 0644]
queue-5.16/mt76-mt7921s-fix-the-device-cannot-sleep-deeply-in-s.patch [new file with mode: 0644]
queue-5.16/mtd-core-provide-unique-name-for-nvmem-device.patch [new file with mode: 0644]
queue-5.16/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch [new file with mode: 0644]
queue-5.16/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch [new file with mode: 0644]
queue-5.16/mtd-spi-nor-fix-mtd-size-for-s3an-flashes.patch [new file with mode: 0644]
queue-5.16/mtd-spi-nor-get-rid-of-nor-page_size.patch [new file with mode: 0644]
queue-5.16/mwifiex-fix-possible-abba-deadlock.patch [new file with mode: 0644]
queue-5.16/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch [new file with mode: 0644]
queue-5.16/mxser-don-t-throttle-manually.patch [new file with mode: 0644]
queue-5.16/mxser-increase-buf_overrun-if-tty_insert_flip_char-f.patch [new file with mode: 0644]
queue-5.16/mxser-keep-only-tty-test-in-isr.patch [new file with mode: 0644]
queue-5.16/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch [new file with mode: 0644]
queue-5.16/net-dsa-fix-incorrect-function-pointer-check-for-mrp.patch [new file with mode: 0644]
queue-5.16/net-dsa-hellcreek-add-missing-ptp-via-udp-rules.patch [new file with mode: 0644]
queue-5.16/net-dsa-hellcreek-add-stp-forwarding-rule.patch [new file with mode: 0644]
queue-5.16/net-dsa-hellcreek-allow-ptp-p2p-measurements-on-bloc.patch [new file with mode: 0644]
queue-5.16/net-dsa-hellcreek-fix-insertion-of-static-fdb-entrie.patch [new file with mode: 0644]
queue-5.16/net-dsa-rtl8365mb-set-rgmii-rx-delay-in-steps-of-0.3.patch [new file with mode: 0644]
queue-5.16/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch [new file with mode: 0644]
queue-5.16/net-fix-sof_timestamping_bind_phc-to-work-with-multi.patch [new file with mode: 0644]
queue-5.16/net-gemini-allow-any-rgmii-interface-mode.patch [new file with mode: 0644]
queue-5.16/net-lantiq-fix-missing-free_netdev-on-error-in-ltq_e.patch [new file with mode: 0644]
queue-5.16/net-mcs7830-handle-usb-read-errors-properly.patch [new file with mode: 0644]
queue-5.16/net-mdio-demote-probed-message-to-debug-print.patch [new file with mode: 0644]
queue-5.16/net-mlx5-dr-fix-error-flow-in-creating-matcher.patch [new file with mode: 0644]
queue-5.16/net-mlx5-fix-access-to-sf_dev_table-on-allocation-fa.patch [new file with mode: 0644]
queue-5.16/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch [new file with mode: 0644]
queue-5.16/net-mlx5-update-log_max_qp-value-to-fw-max-capabilit.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-fix-matching-on-modified-inner-ip_ecn-bits.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-fix-nullptr-on-deleting-mirroring-rule.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-fix-page-dma-map-unmap-attributes.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-fix-wrong-usage-of-fib_info_nh-when-routes.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-sync-vxlan-udp-ports-during-uplink-represe.patch [new file with mode: 0644]
queue-5.16/net-mlx5e-unblock-setting-vid-0-for-vf-in-case-pf-is.patch [new file with mode: 0644]
queue-5.16/net-mscc-ocelot-fix-incorrect-balancing-with-down-la.patch [new file with mode: 0644]
queue-5.16/net-openvswitch-fix-ct_state-nat-flags-for-conns-arr.patch [new file with mode: 0644]
queue-5.16/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch [new file with mode: 0644]
queue-5.16/net-phy-prefer-1000baset-over-1000basekx.patch [new file with mode: 0644]
queue-5.16/net-smc-reset-conn-lgr-when-link-group-registration-.patch [new file with mode: 0644]
queue-5.16/net-stmmac-add-platform-level-debug-register-dump-fe.patch [new file with mode: 0644]
queue-5.16/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch [new file with mode: 0644]
queue-5.16/net-xfrm-ipsec-tunnel-mode-fix-inner_ipproto-setting.patch [new file with mode: 0644]
queue-5.16/netfilter-bridge-add-support-for-pppoe-filtering.patch [new file with mode: 0644]
queue-5.16/netfilter-egress-avoid-a-lockdep-splat.patch [new file with mode: 0644]
queue-5.16/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch [new file with mode: 0644]
queue-5.16/netfilter-nft_payload-do-not-update-layer-4-checksum.patch [new file with mode: 0644]
queue-5.16/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch [new file with mode: 0644]
queue-5.16/netrom-fix-api-breakage-in-nr_setsockopt.patch [new file with mode: 0644]
queue-5.16/nfsd-fix-crash-on-copy_notify-with-special-stateid.patch [new file with mode: 0644]
queue-5.16/nfsd-fix-verifier-returned-in-stable-writes.patch [new file with mode: 0644]
queue-5.16/ntb_hw_switchtec-fix-bug-with-more-than-32-partition.patch [new file with mode: 0644]
queue-5.16/ntb_hw_switchtec-fix-pff-ioread-to-read-into-mmio_pa.patch [new file with mode: 0644]
queue-5.16/null_blk-allow-zero-poll-queues.patch [new file with mode: 0644]
queue-5.16/nvmem-core-set-size-for-sysfs-bin-file.patch [new file with mode: 0644]
queue-5.16/octeontx2-af-fix-interrupt-name-strings.patch [new file with mode: 0644]
queue-5.16/octeontx2-af-increment-ptp-refcount-before-use.patch [new file with mode: 0644]
queue-5.16/octeontx2-nicvf-free-vf-ptp-resources.patch [new file with mode: 0644]
queue-5.16/of-base-fix-phandle-argument-length-mismatch-error-m.patch [new file with mode: 0644]
queue-5.16/of-fdt-aggregate-the-processing-of-linux-usable-memo.patch [new file with mode: 0644]
queue-5.16/of-fdt-don-t-worry-about-non-memory-region-overlap-f.patch [new file with mode: 0644]
queue-5.16/of-unittest-64-bit-dma-address-test-requires-arch-su.patch [new file with mode: 0644]
queue-5.16/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch [new file with mode: 0644]
queue-5.16/openrisc-add-clone3-abi-wrapper.patch [new file with mode: 0644]
queue-5.16/parisc-avoid-calling-faulthandler_disabled-twice.patch [new file with mode: 0644]
queue-5.16/pci-aardvark-fix-checking-for-mem-resource-type.patch [new file with mode: 0644]
queue-5.16/pci-apple-fix-refclk1-enable-poll-logic.patch [new file with mode: 0644]
queue-5.16/pci-dwc-do-not-remap-invalid-res.patch [new file with mode: 0644]
queue-5.16/pci-mediatek-gen3-disable-dvfsrc-voltage-request.patch [new file with mode: 0644]
queue-5.16/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch [new file with mode: 0644]
queue-5.16/pci-mt7621-add-missing-module_license.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-check-for-errors-from-pci_bridge_emul_init.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-do-not-modify-pci-io-type-bits-in-conf_wri.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-fix-configuring-secondary-bus-of-pcie-root.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-fix-support-for-bus-mastering-and-pci_comm.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-fix-support-for-devcap2-devctl2-and-lnkctl.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-fix-support-for-pci_bridge_ctl_bus_reset-o.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-fix-support-for-pci_exp_devctl-on-emulated.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-fix-support-for-pci_exp_rtsta-on-emulated-.patch [new file with mode: 0644]
queue-5.16/pci-mvebu-setup-pcie-controller-to-root-complex-mode.patch [new file with mode: 0644]
queue-5.16/pci-qcom-fix-an-error-handling-path-in-qcom_pcie_pro.patch [new file with mode: 0644]
queue-5.16/pci-rcar-check-if-device-is-runtime-suspended-instea.patch [new file with mode: 0644]
queue-5.16/pcmcia-fix-setting-of-kthread-task-states.patch [new file with mode: 0644]
queue-5.16/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.16/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-11962 [new file with mode: 0644]
queue-5.16/perf-arm-cmn-fix-cpu-hotplug-unregistration.patch [new file with mode: 0644]
queue-5.16/phy-cadence-sierra-fix-to-get-correct-parent-for-mux.patch [new file with mode: 0644]
queue-5.16/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch [new file with mode: 0644]
queue-5.16/phy-phy-mtk-tphy-add-support-efuse-setting.patch [new file with mode: 0644]
queue-5.16/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch [new file with mode: 0644]
queue-5.16/pinctrl-apple-return-an-error-if-pinmux-is-missing-i.patch [new file with mode: 0644]
queue-5.16/pinctrl-mediatek-add-a-check-for-error-in-mtk_pincon.patch [new file with mode: 0644]
queue-5.16/pinctrl-mediatek-uninitialized-variable-in-mtk_pctrl.patch [new file with mode: 0644]
queue-5.16/platform-x86-wmi-fix-driver-notify-vs-probe-race.patch [new file with mode: 0644]
queue-5.16/platform-x86-wmi-replace-read_takes_no_args-with-a-f.patch [new file with mode: 0644]
queue-5.16/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch [new file with mode: 0644]
queue-5.16/pm-runtime-add-safety-net-to-supplier-device-release.patch [new file with mode: 0644]
queue-5.16/power-reset-mt6397-check-for-null-res-pointer.patch [new file with mode: 0644]
queue-5.16/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch [new file with mode: 0644]
queue-5.16/powerpc-40x-map-32mbytes-of-memory-at-startup.patch [new file with mode: 0644]
queue-5.16/powerpc-64s-mask-nip-before-checking-against-srr0.patch [new file with mode: 0644]
queue-5.16/powerpc-64s-use-emit_warn_entry-for-srr-debug-warnin.patch [new file with mode: 0644]
queue-5.16/powerpc-6xx-add-missing-of_node_put.patch [new file with mode: 0644]
queue-5.16/powerpc-avoid-discarding-flags-in-system_call_except.patch [new file with mode: 0644]
queue-5.16/powerpc-btext-add-missing-of_node_put.patch [new file with mode: 0644]
queue-5.16/powerpc-cell-add-missing-of_node_put.patch [new file with mode: 0644]
queue-5.16/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch [new file with mode: 0644]
queue-5.16/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch [new file with mode: 0644]
queue-5.16/powerpc-modules-don-t-warn-on-first-module-allocatio.patch [new file with mode: 0644]
queue-5.16/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch [new file with mode: 0644]
queue-5.16/powerpc-powermac-add-additional-missing-lockdep_regi.patch [new file with mode: 0644]
queue-5.16/powerpc-powermac-add-missing-lockdep_register_key.patch [new file with mode: 0644]
queue-5.16/powerpc-powernv-add-missing-of_node_put.patch [new file with mode: 0644]
queue-5.16/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch [new file with mode: 0644]
queue-5.16/powerpc-smp-move-setup_profiling_timer-under-config_.patch [new file with mode: 0644]
queue-5.16/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch [new file with mode: 0644]
queue-5.16/powerpc-xive-add-missing-null-check-after-calling-km.patch [new file with mode: 0644]
queue-5.16/ppp-ensure-minimum-packet-size-in-ppp_write.patch [new file with mode: 0644]
queue-5.16/psi-fix-psi_mem_full-state-when-tasks-are-in-memstal.patch [new file with mode: 0644]
queue-5.16/random-do-not-throw-away-excess-input-to-crng_fast_l.patch [new file with mode: 0644]
queue-5.16/rcu-avoid-alloc_pages-when-recording-stack.patch [new file with mode: 0644]
queue-5.16/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch [new file with mode: 0644]
queue-5.16/rcutorture-avoid-soft-lockup-during-cpu-stall.patch [new file with mode: 0644]
queue-5.16/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch [new file with mode: 0644]
queue-5.16/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch [new file with mode: 0644]
queue-5.16/rdma-core-let-ib_find_gid-continue-search-even-after.patch [new file with mode: 0644]
queue-5.16/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch [new file with mode: 0644]
queue-5.16/rdma-hns-validate-the-pkey-index.patch [new file with mode: 0644]
queue-5.16/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch [new file with mode: 0644]
queue-5.16/rdma-rtrs-clt-fix-the-initial-value-of-min_latency.patch [new file with mode: 0644]
queue-5.16/regmap-call-regmap_debugfs_exit-prior-to-_init.patch [new file with mode: 0644]
queue-5.16/regulator-da9121-prevent-current-limit-change-when-e.patch [new file with mode: 0644]
queue-5.16/regulator-qcom-labibb-ocp-interrupts-are-not-a-failu.patch [new file with mode: 0644]
queue-5.16/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch [new file with mode: 0644]
queue-5.16/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch [new file with mode: 0644]
queue-5.16/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch-11122 [new file with mode: 0644]
queue-5.16/revert-nfsd-skip-some-unnecessary-stats-in-the-v4-ca.patch [new file with mode: 0644]
queue-5.16/rocker-fix-a-sleeping-in-atomic-bug.patch [new file with mode: 0644]
queue-5.16/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch [new file with mode: 0644]
queue-5.16/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch [new file with mode: 0644]
queue-5.16/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch [new file with mode: 0644]
queue-5.16/rtw88-add-quirk-to-disable-pci-caps-on-hp-250-g7-not.patch [new file with mode: 0644]
queue-5.16/rtw88-disable-pcie-aspm-while-doing-napi-poll-on-882.patch [new file with mode: 0644]
queue-5.16/rtw89-don-t-kick-off-tx-dma-if-failed-to-write-skb.patch [new file with mode: 0644]
queue-5.16/rtw89-fix-potentially-access-out-of-range-of-rf-regi.patch [new file with mode: 0644]
queue-5.16/samples-bpf-clean-up-samples-bpf-build-failes.patch [new file with mode: 0644]
queue-5.16/samples-bpf-fix-unknown-warning-group-build-warning-.patch [new file with mode: 0644]
queue-5.16/samples-bpf-fix-xdp_sample_user.o-linking-with-clang.patch [new file with mode: 0644]
queue-5.16/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch [new file with mode: 0644]
queue-5.16/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch [new file with mode: 0644]
queue-5.16/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch [new file with mode: 0644]
queue-5.16/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch [new file with mode: 0644]
queue-5.16/scsi-block-pm-always-set-request-queue-runtime-activ.patch [new file with mode: 0644]
queue-5.16/scsi-core-fix-scsi_device_max_queue_depth.patch [new file with mode: 0644]
queue-5.16/scsi-hisi_sas-prevent-parallel-flr-and-controller-re.patch [new file with mode: 0644]
queue-5.16/scsi-lpfc-fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch [new file with mode: 0644]
queue-5.16/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch [new file with mode: 0644]
queue-5.16/scsi-mpi3mr-fixes-around-reply-request-queues.patch [new file with mode: 0644]
queue-5.16/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch [new file with mode: 0644]
queue-5.16/scsi-sr-don-t-use-gfp_dma.patch [new file with mode: 0644]
queue-5.16/scsi-ufs-fix-a-kernel-crash-during-shutdown.patch [new file with mode: 0644]
queue-5.16/scsi-ufs-fix-race-conditions-related-to-driver-data.patch [new file with mode: 0644]
queue-5.16/selftests-bpf-destroy-xdp-link-correctly.patch [new file with mode: 0644]
queue-5.16/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch [new file with mode: 0644]
queue-5.16/selftests-bpf-fix-memory-leaks-in-btf_type_c_dump-he.patch [new file with mode: 0644]
queue-5.16/selftests-bpf-fix-xdpxceiver-failures-for-no-hugepag.patch [new file with mode: 0644]
queue-5.16/selftests-clone3-clone3-add-case-clone3_args_no_test.patch [new file with mode: 0644]
queue-5.16/selftests-ftrace-make-kprobe-profile-testcase-descri.patch [new file with mode: 0644]
queue-5.16/selftests-harness-avoid-false-negatives-if-test-has-.patch [new file with mode: 0644]
queue-5.16/selftests-powerpc-add-a-test-of-sigreturning-to-the-.patch [new file with mode: 0644]
queue-5.16/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch [new file with mode: 0644]
queue-5.16/selftests-vm-make-charge_reserved_hugetlb.sh-work-wi.patch [new file with mode: 0644]
queue-5.16/selinux-fix-potential-memleak-in-selinux_add_opt.patch [new file with mode: 0644]
queue-5.16/serial-8250_bcm7271-propagate-error-codes-from-brcmu.patch [new file with mode: 0644]
queue-5.16/serial-8250_dw-add-starfive-jh7100-quirk.patch [new file with mode: 0644]
queue-5.16/serial-amba-pl011-do-not-request-memory-region-twice.patch [new file with mode: 0644]
queue-5.16/serial-core-keep-mctrl-register-state-and-cached-cop.patch [new file with mode: 0644]
queue-5.16/serial-liteuart-fix-module_alias.patch [new file with mode: 0644]
queue-5.16/serial-pl010-drop-cr-register-reset-on-set_termios.patch [new file with mode: 0644]
queue-5.16/serial-pl011-drop-cr-register-reset-on-set_termios.patch [new file with mode: 0644]
queue-5.16/serial-stm32-move-tx-dma-terminate-dma-to-shutdown.patch [new file with mode: 0644]
queue-5.16/series
queue-5.16/signal-in-get_signal-test-for-signal_group_exit-ever.patch [new file with mode: 0644]
queue-5.16/soc-imx-gpcv2-keep-i.mx8mm-vpu-h1-bus-clock-active.patch [new file with mode: 0644]
queue-5.16/soc-imx-gpcv2-synchronously-suspend-mix-domains.patch [new file with mode: 0644]
queue-5.16/soc-ti-pruss-fix-referenced-node-in-error-message.patch [new file with mode: 0644]
queue-5.16/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch [new file with mode: 0644]
queue-5.16/spi-fix-incorrect-cs_setup-delay-handling.patch [new file with mode: 0644]
queue-5.16/spi-hisi-kunpeng-fix-the-debugfs-directory-name-inco.patch [new file with mode: 0644]
queue-5.16/spi-qcom-geni-handle-timeout-for-gpi-mode.patch [new file with mode: 0644]
queue-5.16/spi-qcom-geni-set-the-error-code-for-gpi-transfer.patch [new file with mode: 0644]
queue-5.16/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch [new file with mode: 0644]
queue-5.16/staging-greybus-audio-check-null-pointer.patch [new file with mode: 0644]
queue-5.16/staging-rtl8192e-return-error-code-from-rtllib_softm.patch [new file with mode: 0644]
queue-5.16/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch [new file with mode: 0644]
queue-5.16/sunrpc-fix-sockaddr-handling-in-svcsock_accept_class.patch [new file with mode: 0644]
queue-5.16/sunrpc-fix-sockaddr-handling-in-the-svc_xprt_create_.patch [new file with mode: 0644]
queue-5.16/tee-fix-put-order-in-teedev_close_context.patch [new file with mode: 0644]
queue-5.16/thermal-drivers-imx-implement-runtime-pm-support.patch [new file with mode: 0644]
queue-5.16/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch [new file with mode: 0644]
queue-5.16/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch [new file with mode: 0644]
queue-5.16/tools-resolve_btf_ids-close-elf-file-on-error.patch [new file with mode: 0644]
queue-5.16/tpm-add-request_locality-before-write-tpm_int_enable.patch [new file with mode: 0644]
queue-5.16/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch [new file with mode: 0644]
queue-5.16/tracing-do-not-let-synth_events-block-other-dyn_even.patch [new file with mode: 0644]
queue-5.16/tracing-probes-check-the-return-value-of-kstrndup-fo.patch [new file with mode: 0644]
queue-5.16/tracing-uprobes-check-the-return-value-of-kstrdup-fo.patch [new file with mode: 0644]
queue-5.16/tty-serial-atmel-call-dma_async_issue_pending.patch [new file with mode: 0644]
queue-5.16/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch [new file with mode: 0644]
queue-5.16/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch [new file with mode: 0644]
queue-5.16/tty-serial-uartlite-allow-64-bit-address.patch [new file with mode: 0644]
queue-5.16/udf-fix-error-handling-in-udf_new_inode.patch [new file with mode: 0644]
queue-5.16/uio-uio_dmem_genirq-catch-the-exception.patch [new file with mode: 0644]
queue-5.16/um-fix-ndelay-udelay-defines.patch [new file with mode: 0644]
queue-5.16/um-registers-rename-function-names-to-avoid-conflict.patch [new file with mode: 0644]
queue-5.16/um-rename-set_signals-to-um_set_signals.patch [new file with mode: 0644]
queue-5.16/um-virt-pci-fix-32-bit-compile.patch [new file with mode: 0644]
queue-5.16/um-virtio_uml-fix-time-travel-external-time-propagat.patch [new file with mode: 0644]
queue-5.16/usb-dwc2-do-not-gate-off-the-hardware-if-it-does-not.patch [new file with mode: 0644]
queue-5.16/usb-dwc2-gadget-initialize-max_speed-from-params.patch [new file with mode: 0644]
queue-5.16/usb-dwc3-meson-g12a-fix-shared-reset-control-use.patch [new file with mode: 0644]
queue-5.16/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch [new file with mode: 0644]
queue-5.16/usb-ehci_brcm_hub_control-improve-port-index-sanitiz.patch [new file with mode: 0644]
queue-5.16/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch [new file with mode: 0644]
queue-5.16/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch [new file with mode: 0644]
queue-5.16/usb-gadget-u_audio-fix-calculations-for-small-binter.patch [new file with mode: 0644]
queue-5.16/usb-gadget-u_audio-subdevice-0-for-capture-ctls.patch [new file with mode: 0644]
queue-5.16/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch [new file with mode: 0644]
queue-5.16/usb-uhci-add-aspeed-ast2600-uhci-support.patch [new file with mode: 0644]
queue-5.16/w1-misuse-of-get_user-put_user-reported-by-sparse.patch [new file with mode: 0644]
queue-5.16/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch [new file with mode: 0644]
queue-5.16/wcn36xx-fix-dma-channel-enable-disable-cycle.patch [new file with mode: 0644]
queue-5.16/wcn36xx-fix-max-channels-retrieval.patch [new file with mode: 0644]
queue-5.16/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch [new file with mode: 0644]
queue-5.16/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch [new file with mode: 0644]
queue-5.16/wcn36xx-populate-band-before-determining-rate-on-rx.patch [new file with mode: 0644]
queue-5.16/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch [new file with mode: 0644]
queue-5.16/wcn36xx-release-dma-channel-descriptor-allocations.patch [new file with mode: 0644]
queue-5.16/wilc1000-fix-double-free-error-in-probe.patch [new file with mode: 0644]
queue-5.16/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch [new file with mode: 0644]
queue-5.16/x86-boot-compressed-move-clang_flags-to-beginning-of.patch [new file with mode: 0644]
queue-5.16/x86-hyperv-properly-deal-with-empty-cpumasks-in-hype.patch [new file with mode: 0644]
queue-5.16/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch [new file with mode: 0644]
queue-5.16/x86-mce-allow-instrumentation-during-task-work-queue.patch [new file with mode: 0644]
queue-5.16/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch [new file with mode: 0644]
queue-5.16/x86-mce-mark-mce_end-noinstr.patch [new file with mode: 0644]
queue-5.16/x86-mce-mark-mce_panic-noinstr.patch [new file with mode: 0644]
queue-5.16/x86-mce-mark-mce_read_aux-noinstr.patch [new file with mode: 0644]
queue-5.16/x86-mce-prevent-severity-computation-from-being-inst.patch [new file with mode: 0644]
queue-5.16/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch [new file with mode: 0644]
queue-5.16/x86-sched-fix-undefined-reference-to-init_freq_invar.patch [new file with mode: 0644]
queue-5.16/x86-uaccess-move-variable-into-switch-case-statement.patch [new file with mode: 0644]
queue-5.16/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch [new file with mode: 0644]
queue-5.16/xfrm-interface-with-if_id-0-should-return-error.patch [new file with mode: 0644]
queue-5.16/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch [new file with mode: 0644]
queue-5.16/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch [new file with mode: 0644]

diff --git a/queue-5.16/acpi-battery-add-the-thinkpad-not-charging-quirk.patch b/queue-5.16/acpi-battery-add-the-thinkpad-not-charging-quirk.patch
new file mode 100644 (file)
index 0000000..f5ad8f8
--- /dev/null
@@ -0,0 +1,85 @@
+From b2ab3af9dfa324e3ba725329834b88adddf60b28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 22:20:14 +0100
+Subject: ACPI: battery: Add the ThinkPad "Not Charging" quirk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit e96c1197aca628f7d2480a1cc3214912b40b3414 ]
+
+The EC/ACPI firmware on Lenovo ThinkPads used to report a status
+of "Unknown" when the battery is between the charge start and
+charge stop thresholds. On Windows, it reports "Not Charging"
+so the quirk has been added to also report correctly.
+
+Now the "status" attribute returns "Not Charging" when the
+battery on ThinkPads is not physicaly charging.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/battery.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 8afa85d6eb6a7..ead0114f27c9f 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -53,6 +53,7 @@ static int battery_bix_broken_package;
+ static int battery_notification_delay_ms;
+ static int battery_ac_is_broken;
+ static int battery_check_pmic = 1;
++static int battery_quirk_notcharging;
+ static unsigned int cache_time = 1000;
+ module_param(cache_time, uint, 0644);
+ MODULE_PARM_DESC(cache_time, "cache time in milliseconds");
+@@ -217,6 +218,8 @@ static int acpi_battery_get_property(struct power_supply *psy,
+                       val->intval = POWER_SUPPLY_STATUS_CHARGING;
+               else if (acpi_battery_is_charged(battery))
+                       val->intval = POWER_SUPPLY_STATUS_FULL;
++              else if (battery_quirk_notcharging)
++                      val->intval = POWER_SUPPLY_STATUS_NOT_CHARGING;
+               else
+                       val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+               break;
+@@ -1111,6 +1114,12 @@ battery_do_not_check_pmic_quirk(const struct dmi_system_id *d)
+       return 0;
+ }
++static int __init battery_quirk_not_charging(const struct dmi_system_id *d)
++{
++      battery_quirk_notcharging = 1;
++      return 0;
++}
++
+ static const struct dmi_system_id bat_dmi_table[] __initconst = {
+       {
+               /* NEC LZ750/LS */
+@@ -1155,6 +1164,19 @@ static const struct dmi_system_id bat_dmi_table[] __initconst = {
+                       DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo MIIX 320-10ICR"),
+               },
+       },
++      {
++              /*
++               * On Lenovo ThinkPads the BIOS specification defines
++               * a state when the bits for charging and discharging
++               * are both set to 0. That state is "Not Charging".
++               */
++              .callback = battery_quirk_not_charging,
++              .ident = "Lenovo ThinkPad",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad"),
++              },
++      },
+       {},
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-change-acpi_device_always_present-into-acpi_dev.patch b/queue-5.16/acpi-change-acpi_device_always_present-into-acpi_dev.patch
new file mode 100644 (file)
index 0000000..19d72a0
--- /dev/null
@@ -0,0 +1,209 @@
+From 638cc5f25668abc5ca26377207e40962baba9db9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 18:05:31 +0100
+Subject: ACPI: Change acpi_device_always_present() into
+ acpi_device_override_status()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 1a68b346a2c9969c05e80a3b99a9ab160b5655c0 ]
+
+Currently, acpi_bus_get_status() calls acpi_device_always_present() to
+allow platform quirks to override the _STA return to report that a
+device is present (status = ACPI_STA_DEFAULT) independent of the _STA
+return.
+
+In some cases it might also be useful to have the opposite functionality
+and have a platform quirk which marks a device as not present (status = 0)
+to work around ACPI table bugs.
+
+Change acpi_device_always_present() into a more generic
+acpi_device_override_status() function to allow this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/bus.c       |  4 +--
+ drivers/acpi/x86/utils.c | 64 +++++++++++++++++++++++-----------------
+ include/acpi/acpi_bus.h  |  5 ++--
+ 3 files changed, 42 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
+index fa923a9292244..dd535b4b9a160 100644
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -98,8 +98,8 @@ int acpi_bus_get_status(struct acpi_device *device)
+       acpi_status status;
+       unsigned long long sta;
+-      if (acpi_device_always_present(device)) {
+-              acpi_set_device_status(device, ACPI_STA_DEFAULT);
++      if (acpi_device_override_status(device, &sta)) {
++              acpi_set_device_status(device, sta);
+               return 0;
+       }
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index 3bcac98f6eca6..edb4f3fd93dc3 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -22,54 +22,63 @@
+  * Some BIOS-es (temporarily) hide specific APCI devices to work around Windows
+  * driver bugs. We use DMI matching to match known cases of this.
+  *
+- * We work around this by always reporting ACPI_STA_DEFAULT for these
+- * devices. Note this MUST only be done for devices where this is safe.
++ * Likewise sometimes some not-actually present devices are sometimes
++ * reported as present, which may cause issues.
+  *
+- * This forcing of devices to be present is limited to specific CPU (SoC)
+- * models both to avoid potentially causing trouble on other models and
+- * because some HIDs are re-used on different SoCs for completely
+- * different devices.
++ * We work around this by using the below quirk list to override the status
++ * reported by the _STA method with a fixed value (ACPI_STA_DEFAULT or 0).
++ * Note this MUST only be done for devices where this is safe.
++ *
++ * This status overriding is limited to specific CPU (SoC) models both to
++ * avoid potentially causing trouble on other models and because some HIDs
++ * are re-used on different SoCs for completely different devices.
+  */
+-struct always_present_id {
++struct override_status_id {
+       struct acpi_device_id hid[2];
+       struct x86_cpu_id cpu_ids[2];
+       struct dmi_system_id dmi_ids[2]; /* Optional */
+       const char *uid;
++      unsigned long long status;
+ };
+-#define X86_MATCH(model)      X86_MATCH_INTEL_FAM6_MODEL(model, NULL)
+-
+-#define ENTRY(hid, uid, cpu_models, dmi...) {                         \
++#define ENTRY(status, hid, uid, cpu_model, dmi...) {                  \
+       { { hid, }, {} },                                               \
+-      { cpu_models, {} },                                             \
++      { X86_MATCH_INTEL_FAM6_MODEL(cpu_model, NULL), {} },            \
+       { { .matches = dmi }, {} },                                     \
+       uid,                                                            \
++      status,                                                         \
+ }
+-static const struct always_present_id always_present_ids[] = {
++#define PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \
++      ENTRY(ACPI_STA_DEFAULT, hid, uid, cpu_model, dmi)
++
++#define NOT_PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \
++      ENTRY(0, hid, uid, cpu_model, dmi)
++
++static const struct override_status_id override_status_ids[] = {
+       /*
+        * Bay / Cherry Trail PWM directly poked by GPU driver in win10,
+        * but Linux uses a separate PWM driver, harmless if not used.
+        */
+-      ENTRY("80860F09", "1", X86_MATCH(ATOM_SILVERMONT), {}),
+-      ENTRY("80862288", "1", X86_MATCH(ATOM_AIRMONT), {}),
++      PRESENT_ENTRY_HID("80860F09", "1", ATOM_SILVERMONT, {}),
++      PRESENT_ENTRY_HID("80862288", "1", ATOM_AIRMONT, {}),
+       /*
+        * The INT0002 device is necessary to clear wakeup interrupt sources
+        * on Cherry Trail devices, without it we get nobody cared IRQ msgs.
+        */
+-      ENTRY("INT0002", "1", X86_MATCH(ATOM_AIRMONT), {}),
++      PRESENT_ENTRY_HID("INT0002", "1", ATOM_AIRMONT, {}),
+       /*
+        * On the Dell Venue 11 Pro 7130 and 7139, the DSDT hides
+        * the touchscreen ACPI device until a certain time
+        * after _SB.PCI0.GFX0.LCD.LCD1._ON gets called has passed
+        * *and* _STA has been called at least 3 times since.
+        */
+-      ENTRY("SYNA7500", "1", X86_MATCH(HASWELL_L), {
++      PRESENT_ENTRY_HID("SYNA7500", "1", HASWELL_L, {
+               DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+               DMI_MATCH(DMI_PRODUCT_NAME, "Venue 11 Pro 7130"),
+             }),
+-      ENTRY("SYNA7500", "1", X86_MATCH(HASWELL_L), {
++      PRESENT_ENTRY_HID("SYNA7500", "1", HASWELL_L, {
+               DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+               DMI_MATCH(DMI_PRODUCT_NAME, "Venue 11 Pro 7139"),
+             }),
+@@ -85,19 +94,19 @@ static const struct always_present_id always_present_ids[] = {
+        * was copy-pasted from the GPD win, so it has a disabled KIOX000A
+        * node which we should not enable, thus we also check the BIOS date.
+        */
+-      ENTRY("KIOX000A", "1", X86_MATCH(ATOM_AIRMONT), {
++      PRESENT_ENTRY_HID("KIOX000A", "1", ATOM_AIRMONT, {
+               DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+               DMI_MATCH(DMI_BOARD_NAME, "Default string"),
+               DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
+               DMI_MATCH(DMI_BIOS_DATE, "02/21/2017")
+             }),
+-      ENTRY("KIOX000A", "1", X86_MATCH(ATOM_AIRMONT), {
++      PRESENT_ENTRY_HID("KIOX000A", "1", ATOM_AIRMONT, {
+               DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+               DMI_MATCH(DMI_BOARD_NAME, "Default string"),
+               DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
+               DMI_MATCH(DMI_BIOS_DATE, "03/20/2017")
+             }),
+-      ENTRY("KIOX000A", "1", X86_MATCH(ATOM_AIRMONT), {
++      PRESENT_ENTRY_HID("KIOX000A", "1", ATOM_AIRMONT, {
+               DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+               DMI_MATCH(DMI_BOARD_NAME, "Default string"),
+               DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
+@@ -105,26 +114,27 @@ static const struct always_present_id always_present_ids[] = {
+             }),
+ };
+-bool acpi_device_always_present(struct acpi_device *adev)
++bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *status)
+ {
+       bool ret = false;
+       unsigned int i;
+-      for (i = 0; i < ARRAY_SIZE(always_present_ids); i++) {
+-              if (acpi_match_device_ids(adev, always_present_ids[i].hid))
++      for (i = 0; i < ARRAY_SIZE(override_status_ids); i++) {
++              if (acpi_match_device_ids(adev, override_status_ids[i].hid))
+                       continue;
+               if (!adev->pnp.unique_id ||
+-                  strcmp(adev->pnp.unique_id, always_present_ids[i].uid))
++                  strcmp(adev->pnp.unique_id, override_status_ids[i].uid))
+                       continue;
+-              if (!x86_match_cpu(always_present_ids[i].cpu_ids))
++              if (!x86_match_cpu(override_status_ids[i].cpu_ids))
+                       continue;
+-              if (always_present_ids[i].dmi_ids[0].matches[0].slot &&
+-                  !dmi_check_system(always_present_ids[i].dmi_ids))
++              if (override_status_ids[i].dmi_ids[0].matches[0].slot &&
++                  !dmi_check_system(override_status_ids[i].dmi_ids))
+                       continue;
++              *status = override_status_ids[i].status;
+               ret = true;
+               break;
+       }
+diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
+index 480f9207a4c6b..d6fe27b695c3d 100644
+--- a/include/acpi/acpi_bus.h
++++ b/include/acpi/acpi_bus.h
+@@ -613,9 +613,10 @@ int acpi_enable_wakeup_device_power(struct acpi_device *dev, int state);
+ int acpi_disable_wakeup_device_power(struct acpi_device *dev);
+ #ifdef CONFIG_X86
+-bool acpi_device_always_present(struct acpi_device *adev);
++bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *status);
+ #else
+-static inline bool acpi_device_always_present(struct acpi_device *adev)
++static inline bool acpi_device_override_status(struct acpi_device *adev,
++                                             unsigned long long *status)
+ {
+       return false;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-cppc-check-present-cpus-for-determining-_cpc-is.patch b/queue-5.16/acpi-cppc-check-present-cpus-for-determining-_cpc-is.patch
new file mode 100644 (file)
index 0000000..c024bfe
--- /dev/null
@@ -0,0 +1,43 @@
+From 9aa089aee5f95c39a7e8d960c8119425df7ac454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 09:04:58 +0800
+Subject: ACPI: CPPC: Check present CPUs for determining _CPC is valid
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 2aeca6bd02776d7f56a49a32be0dd184f204d888 ]
+
+As this is a static check, it should be based upon what is currently
+present on the system. This makes probeing more deterministic.
+
+While local APIC flags field (lapic_flags) of cpu core in MADT table is
+0, then the cpu core won't be enabled. In this case, _CPC won't be found
+in this core, and return back to _CPC invalid with walking through
+possible cpus (include disable cpus). This is not expected, so switch to
+check present CPUs instead.
+
+Reported-by: Jinzhou Su <Jinzhou.Su@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Huang Rui <ray.huang@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/cppc_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
+index b62c87b8ce4a9..12a156d8283e6 100644
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -411,7 +411,7 @@ bool acpi_cpc_valid(void)
+       struct cpc_desc *cpc_ptr;
+       int cpu;
+-      for_each_possible_cpu(cpu) {
++      for_each_present_cpu(cpu) {
+               cpc_ptr = per_cpu(cpc_desc_ptr, cpu);
+               if (!cpc_ptr)
+                       return false;
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch b/queue-5.16/acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch
new file mode 100644 (file)
index 0000000..a044299
--- /dev/null
@@ -0,0 +1,218 @@
+From 26711d09cac737c6af65b604d5dc8b296356d570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 19:36:51 +0100
+Subject: ACPI: EC: Rework flushing of EC work while suspended to idle
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 4a9af6cac050dce2e895ec3205c4615383ad9112 ]
+
+The flushing of pending work in the EC driver uses drain_workqueue()
+to flush the event handling work that can requeue itself via
+advance_transaction(), but this is problematic, because that
+work may also be requeued from the query workqueue.
+
+Namely, if an EC transaction is carried out during the execution of
+a query handler, it involves calling advance_transaction() which
+may queue up the event handling work again.  This causes the kernel
+to complain about attempts to add a work item to the EC event
+workqueue while it is being drained and worst-case it may cause a
+valid event to be skipped.
+
+To avoid this problem, introduce two new counters, events_in_progress
+and queries_in_progress, incremented when a work item is queued on
+the event workqueue or the query workqueue, respectively, and
+decremented at the end of the corresponding work function, and make
+acpi_ec_dispatch_gpe() the workqueues in a loop until the both of
+these counters are zero (or system wakeup is pending) instead of
+calling acpi_ec_flush_work().
+
+At the same time, change __acpi_ec_flush_work() to call
+flush_workqueue() instead of drain_workqueue() to flush the event
+workqueue.
+
+While at it, use the observation that the work item queued in
+acpi_ec_query() cannot be pending at that time, because it is used
+only once, to simplify the code in there.
+
+Additionally, clean up a comment in acpi_ec_query() and adjust white
+space in acpi_ec_event_processor().
+
+Fixes: f0ac20c3f613 ("ACPI: EC: Fix flushing of pending work")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c       | 57 +++++++++++++++++++++++++++++++----------
+ drivers/acpi/internal.h |  2 ++
+ 2 files changed, 45 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index a6366d3f0c786..b9c44e6c5e400 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -166,6 +166,7 @@ struct acpi_ec_query {
+       struct transaction transaction;
+       struct work_struct work;
+       struct acpi_ec_query_handler *handler;
++      struct acpi_ec *ec;
+ };
+ static int acpi_ec_query(struct acpi_ec *ec, u8 *data);
+@@ -452,6 +453,7 @@ static void acpi_ec_submit_query(struct acpi_ec *ec)
+               ec_dbg_evt("Command(%s) submitted/blocked",
+                          acpi_ec_cmd_string(ACPI_EC_COMMAND_QUERY));
+               ec->nr_pending_queries++;
++              ec->events_in_progress++;
+               queue_work(ec_wq, &ec->work);
+       }
+ }
+@@ -518,7 +520,7 @@ static void acpi_ec_enable_event(struct acpi_ec *ec)
+ #ifdef CONFIG_PM_SLEEP
+ static void __acpi_ec_flush_work(void)
+ {
+-      drain_workqueue(ec_wq); /* flush ec->work */
++      flush_workqueue(ec_wq); /* flush ec->work */
+       flush_workqueue(ec_query_wq); /* flush queries */
+ }
+@@ -1103,7 +1105,7 @@ void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
+ }
+ EXPORT_SYMBOL_GPL(acpi_ec_remove_query_handler);
+-static struct acpi_ec_query *acpi_ec_create_query(u8 *pval)
++static struct acpi_ec_query *acpi_ec_create_query(struct acpi_ec *ec, u8 *pval)
+ {
+       struct acpi_ec_query *q;
+       struct transaction *t;
+@@ -1111,11 +1113,13 @@ static struct acpi_ec_query *acpi_ec_create_query(u8 *pval)
+       q = kzalloc(sizeof (struct acpi_ec_query), GFP_KERNEL);
+       if (!q)
+               return NULL;
++
+       INIT_WORK(&q->work, acpi_ec_event_processor);
+       t = &q->transaction;
+       t->command = ACPI_EC_COMMAND_QUERY;
+       t->rdata = pval;
+       t->rlen = 1;
++      q->ec = ec;
+       return q;
+ }
+@@ -1132,13 +1136,21 @@ static void acpi_ec_event_processor(struct work_struct *work)
+ {
+       struct acpi_ec_query *q = container_of(work, struct acpi_ec_query, work);
+       struct acpi_ec_query_handler *handler = q->handler;
++      struct acpi_ec *ec = q->ec;
+       ec_dbg_evt("Query(0x%02x) started", handler->query_bit);
++
+       if (handler->func)
+               handler->func(handler->data);
+       else if (handler->handle)
+               acpi_evaluate_object(handler->handle, NULL, NULL, NULL);
++
+       ec_dbg_evt("Query(0x%02x) stopped", handler->query_bit);
++
++      spin_lock_irq(&ec->lock);
++      ec->queries_in_progress--;
++      spin_unlock_irq(&ec->lock);
++
+       acpi_ec_delete_query(q);
+ }
+@@ -1148,7 +1160,7 @@ static int acpi_ec_query(struct acpi_ec *ec, u8 *data)
+       int result;
+       struct acpi_ec_query *q;
+-      q = acpi_ec_create_query(&value);
++      q = acpi_ec_create_query(ec, &value);
+       if (!q)
+               return -ENOMEM;
+@@ -1170,19 +1182,20 @@ static int acpi_ec_query(struct acpi_ec *ec, u8 *data)
+       }
+       /*
+-       * It is reported that _Qxx are evaluated in a parallel way on
+-       * Windows:
++       * It is reported that _Qxx are evaluated in a parallel way on Windows:
+        * https://bugzilla.kernel.org/show_bug.cgi?id=94411
+        *
+-       * Put this log entry before schedule_work() in order to make
+-       * it appearing before any other log entries occurred during the
+-       * work queue execution.
++       * Put this log entry before queue_work() to make it appear in the log
++       * before any other messages emitted during workqueue handling.
+        */
+       ec_dbg_evt("Query(0x%02x) scheduled", value);
+-      if (!queue_work(ec_query_wq, &q->work)) {
+-              ec_dbg_evt("Query(0x%02x) overlapped", value);
+-              result = -EBUSY;
+-      }
++
++      spin_lock_irq(&ec->lock);
++
++      ec->queries_in_progress++;
++      queue_work(ec_query_wq, &q->work);
++
++      spin_unlock_irq(&ec->lock);
+ err_exit:
+       if (result)
+@@ -1240,6 +1253,10 @@ static void acpi_ec_event_handler(struct work_struct *work)
+       ec_dbg_evt("Event stopped");
+       acpi_ec_check_event(ec);
++
++      spin_lock_irqsave(&ec->lock, flags);
++      ec->events_in_progress--;
++      spin_unlock_irqrestore(&ec->lock, flags);
+ }
+ static void acpi_ec_handle_interrupt(struct acpi_ec *ec)
+@@ -2021,6 +2038,7 @@ void acpi_ec_set_gpe_wake_mask(u8 action)
+ bool acpi_ec_dispatch_gpe(void)
+ {
++      bool work_in_progress;
+       u32 ret;
+       if (!first_ec)
+@@ -2041,8 +2059,19 @@ bool acpi_ec_dispatch_gpe(void)
+       if (ret == ACPI_INTERRUPT_HANDLED)
+               pm_pr_dbg("ACPI EC GPE dispatched\n");
+-      /* Flush the event and query workqueues. */
+-      acpi_ec_flush_work();
++      /* Drain EC work. */
++      do {
++              acpi_ec_flush_work();
++
++              pm_pr_dbg("ACPI EC work flushed\n");
++
++              spin_lock_irq(&first_ec->lock);
++
++              work_in_progress = first_ec->events_in_progress +
++                      first_ec->queries_in_progress > 0;
++
++              spin_unlock_irq(&first_ec->lock);
++      } while (work_in_progress && !pm_wakeup_pending());
+       return false;
+ }
+diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h
+index d91b560e88674..54b2be94d23dc 100644
+--- a/drivers/acpi/internal.h
++++ b/drivers/acpi/internal.h
+@@ -183,6 +183,8 @@ struct acpi_ec {
+       struct work_struct work;
+       unsigned long timestamp;
+       unsigned long nr_pending_queries;
++      unsigned int events_in_progress;
++      unsigned int queries_in_progress;
+       bool busy_polling;
+       unsigned int polling_guard;
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch b/queue-5.16/acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch
new file mode 100644 (file)
index 0000000..9921876
--- /dev/null
@@ -0,0 +1,79 @@
+From df5e7b335fedac3e9328df999c3de3f6792c3907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 12:57:47 +0100
+Subject: ACPI: scan: Create platform device for BCM4752 and LNV4752 ACPI nodes
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit f85196bdd5a50da74670250564740fc852b3c239 ]
+
+BCM4752 and LNV4752 ACPI nodes describe a Broadcom 4752 GPS module
+attached to an UART of the system.
+
+The GPS modules talk a custom protocol which only works with a closed-
+source Android gpsd daemon which knows this protocol.
+
+The ACPI nodes also describe GPIOs to turn the GPS on/off these are
+handled by the net/rfkill/rfkill-gpio.c code. This handling predates the
+addition of enumeration of ACPI instantiated serdevs to the kernel and
+was broken by that addition, because the ACPI scan code now no longer
+instantiates platform_device-s for these nodes.
+
+Rename the i2c_multi_instantiate_ids HID list to ignore_serial_bus_ids
+and add the BCM4752 and LNV4752 HIDs, so that rfkill-gpio gets
+a platform_device to bind to again; and so that a tty cdev for gpsd
+gets created for these.
+
+Fixes: e361d1f85855 ("ACPI / scan: Fix enumeration for special UART devices")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/scan.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
+index 2c80765670bc7..25d9f04f19959 100644
+--- a/drivers/acpi/scan.c
++++ b/drivers/acpi/scan.c
+@@ -1695,6 +1695,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+ {
+       struct list_head resource_list;
+       bool is_serial_bus_slave = false;
++      static const struct acpi_device_id ignore_serial_bus_ids[] = {
+       /*
+        * These devices have multiple I2cSerialBus resources and an i2c-client
+        * must be instantiated for each, each with its own i2c_device_id.
+@@ -1703,11 +1704,18 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+        * drivers/platform/x86/i2c-multi-instantiate.c driver, which knows
+        * which i2c_device_id to use for each resource.
+        */
+-      static const struct acpi_device_id i2c_multi_instantiate_ids[] = {
+               {"BSG1160", },
+               {"BSG2150", },
+               {"INT33FE", },
+               {"INT3515", },
++      /*
++       * HIDs of device with an UartSerialBusV2 resource for which userspace
++       * expects a regular tty cdev to be created (instead of the in kernel
++       * serdev) and which have a kernel driver which expects a platform_dev
++       * such as the rfkill-gpio driver.
++       */
++              {"BCM4752", },
++              {"LNV4752", },
+               {}
+       };
+@@ -1721,8 +1729,7 @@ static bool acpi_device_enumeration_by_parent(struct acpi_device *device)
+            fwnode_property_present(&device->fwnode, "baud")))
+               return true;
+-      /* Instantiate a pdev for the i2c-multi-instantiate drv to bind to */
+-      if (!acpi_match_device_ids(device, i2c_multi_instantiate_ids))
++      if (!acpi_match_device_ids(device, ignore_serial_bus_ids))
+               return false;
+       INIT_LIST_HEAD(&resource_list);
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch b/queue-5.16/acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch
new file mode 100644 (file)
index 0000000..13fff1d
--- /dev/null
@@ -0,0 +1,75 @@
+From 4b03f96c0b10bdee51ec23eda5b2544d16bf3e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 18:05:33 +0100
+Subject: ACPI / x86: Add not-present quirk for the PCI0.SDHB.BRC1 device on
+ the GPD win
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 57d2dbf710d832841872fb15ebb79429cab90fae ]
+
+The GPD win and its sibling the GPD pocket (99% the same electronics in a
+different case) use a PCI wifi card. But the ACPI tables on both variants
+contain a bug where the SDIO MMC controller for SDIO wifi cards is enabled
+despite this. This SDIO MMC controller has a PCI0.SDHB.BRC1 child-device
+which _PS3 method sets a GPIO causing the PCI wifi card to turn off.
+
+At the moment there is a pretty ugly kludge in the sdhci-acpi.c code,
+just to work around the bug in the DSDT of this single design. This can
+be solved cleaner/simply with a quirk overriding the _STA return of the
+broken PCI0.SDHB.BRC1 PCI0.SDHB.BRC1 child with a status value of 0,
+so that its power_manageable flag gets cleared, avoiding this problem.
+
+Note that even though it is not used, the _STA method for the MMC
+controller is deliberately not overridden. If the status of the MMC
+controller were forced to 0 it would never get suspended, which would
+cause these mini-laptops to not reach S0i3 level when suspended.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index 190bfc2ab3f26..b3fb428461c6f 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -94,9 +94,10 @@ static const struct override_status_id override_status_ids[] = {
+       /*
+        * The GPD win BIOS dated 20170221 has disabled the accelerometer, the
+        * drivers sometimes cause crashes under Windows and this is how the
+-       * manufacturer has solved this :| Note that the the DMI data is less
+-       * generic then it seems, a board_vendor of "AMI Corporation" is quite
+-       * rare and a board_name of "Default String" also is rare.
++       * manufacturer has solved this :|  The DMI match may not seem unique,
++       * but it is. In the 67000+ DMI decode dumps from linux-hardware.org
++       * only 116 have board_vendor set to "AMI Corporation" and of those 116
++       * only the GPD win and pocket entries' board_name is "Default string".
+        *
+        * Unfortunately the GPD pocket also uses these strings and its BIOS
+        * was copy-pasted from the GPD win, so it has a disabled KIOX000A
+@@ -120,6 +121,19 @@ static const struct override_status_id override_status_ids[] = {
+               DMI_MATCH(DMI_PRODUCT_NAME, "Default string"),
+               DMI_MATCH(DMI_BIOS_DATE, "05/25/2017")
+             }),
++
++      /*
++       * The GPD win/pocket have a PCI wifi card, but its DSDT has the SDIO
++       * mmc controller enabled and that has a child-device which _PS3
++       * method sets a GPIO causing the PCI wifi card to turn off.
++       * See above remark about uniqueness of the DMI match.
++       */
++      NOT_PRESENT_ENTRY_PATH("\\_SB_.PCI0.SDHB.BRC1", ATOM_AIRMONT, {
++              DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
++              DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
++              DMI_EXACT_MATCH(DMI_BOARD_SERIAL, "Default string"),
++              DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Default string"),
++            }),
+ };
+ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *status)
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-x86-allow-specifying-acpi_device_override_statu.patch b/queue-5.16/acpi-x86-allow-specifying-acpi_device_override_statu.patch
new file mode 100644 (file)
index 0000000..fb1e14d
--- /dev/null
@@ -0,0 +1,109 @@
+From 90f83ac72313329ddf31d59bdcc8cfc44424ed8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 18:05:32 +0100
+Subject: ACPI / x86: Allow specifying acpi_device_override_status() quirks by
+ path
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit ba46e42e925b5d09b4e441f8de3db119cc7df58f ]
+
+Not all ACPI-devices have a HID + UID, allow specifying quirks for
+acpi_device_override_status() by path too.
+
+Note this moves the path/HID+UID check to after the CPU + DMI checks
+since the path lookup is somewhat costly.
+
+This way this lookup is only done on devices where the other checks
+match.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 42 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index edb4f3fd93dc3..190bfc2ab3f26 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -38,22 +38,30 @@ struct override_status_id {
+       struct x86_cpu_id cpu_ids[2];
+       struct dmi_system_id dmi_ids[2]; /* Optional */
+       const char *uid;
++      const char *path;
+       unsigned long long status;
+ };
+-#define ENTRY(status, hid, uid, cpu_model, dmi...) {                  \
++#define ENTRY(status, hid, uid, path, cpu_model, dmi...) {            \
+       { { hid, }, {} },                                               \
+       { X86_MATCH_INTEL_FAM6_MODEL(cpu_model, NULL), {} },            \
+       { { .matches = dmi }, {} },                                     \
+       uid,                                                            \
++      path,                                                           \
+       status,                                                         \
+ }
+ #define PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \
+-      ENTRY(ACPI_STA_DEFAULT, hid, uid, cpu_model, dmi)
++      ENTRY(ACPI_STA_DEFAULT, hid, uid, NULL, cpu_model, dmi)
+ #define NOT_PRESENT_ENTRY_HID(hid, uid, cpu_model, dmi...) \
+-      ENTRY(0, hid, uid, cpu_model, dmi)
++      ENTRY(0, hid, uid, NULL, cpu_model, dmi)
++
++#define PRESENT_ENTRY_PATH(path, cpu_model, dmi...) \
++      ENTRY(ACPI_STA_DEFAULT, "", NULL, path, cpu_model, dmi)
++
++#define NOT_PRESENT_ENTRY_PATH(path, cpu_model, dmi...) \
++      ENTRY(0, "", NULL, path, cpu_model, dmi)
+ static const struct override_status_id override_status_ids[] = {
+       /*
+@@ -120,13 +128,6 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s
+       unsigned int i;
+       for (i = 0; i < ARRAY_SIZE(override_status_ids); i++) {
+-              if (acpi_match_device_ids(adev, override_status_ids[i].hid))
+-                      continue;
+-
+-              if (!adev->pnp.unique_id ||
+-                  strcmp(adev->pnp.unique_id, override_status_ids[i].uid))
+-                      continue;
+-
+               if (!x86_match_cpu(override_status_ids[i].cpu_ids))
+                       continue;
+@@ -134,6 +135,27 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s
+                   !dmi_check_system(override_status_ids[i].dmi_ids))
+                       continue;
++              if (override_status_ids[i].path) {
++                      struct acpi_buffer path = { ACPI_ALLOCATE_BUFFER, NULL };
++                      bool match;
++
++                      if (acpi_get_name(adev->handle, ACPI_FULL_PATHNAME, &path))
++                              continue;
++
++                      match = strcmp((char *)path.pointer, override_status_ids[i].path) == 0;
++                      kfree(path.pointer);
++
++                      if (!match)
++                              continue;
++              } else {
++                      if (acpi_match_device_ids(adev, override_status_ids[i].hid))
++                              continue;
++
++                      if (!adev->pnp.unique_id ||
++                          strcmp(adev->pnp.unique_id, override_status_ids[i].uid))
++                              continue;
++              }
++
+               *status = override_status_ids[i].status;
+               ret = true;
+               break;
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch b/queue-5.16/acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch
new file mode 100644 (file)
index 0000000..d0a20ce
--- /dev/null
@@ -0,0 +1,49 @@
+From 343e40717d7b513d1001f35ee266a5c5d6d793fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 18:05:30 +0100
+Subject: ACPI / x86: Drop PWM2 device on Lenovo Yoga Book from always present
+ table
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit d431dfb764b145369be820fcdfd50f2159b9bbc2 ]
+
+It turns out that there is a WMI object which controls the PWM2 device
+used for the keyboard backlight and that WMI object also provides some
+other useful functionality.
+
+The upcoming lenovo-yogabook-wmi driver will offer both backlight
+control and the other functionality, so there no longer is a need
+to have the lpss-pwm driver binding to PWM2 for backlight control;
+and this is now actually undesirable because this will cause both
+the WMI code and the lpss-pwm driver to poke at the same PWM
+controller.
+
+Drop the always-present quirk for the PWM2 ACPI-device, so that the
+ lpss-pwm controller will no longer bind to it.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index f22f23933063b..3bcac98f6eca6 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -54,10 +54,6 @@ static const struct always_present_id always_present_ids[] = {
+       ENTRY("80860F09", "1", X86_MATCH(ATOM_SILVERMONT), {}),
+       ENTRY("80862288", "1", X86_MATCH(ATOM_AIRMONT), {}),
+-      /* Lenovo Yoga Book uses PWM2 for keyboard backlight control */
+-      ENTRY("80862289", "2", X86_MATCH(ATOM_AIRMONT), {
+-                      DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"),
+-              }),
+       /*
+        * The INT0002 device is necessary to clear wakeup interrupt sources
+        * on Cherry Trail devices, without it we get nobody cared IRQ msgs.
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpica-actypes.h-expand-the-acpi_access_-definitions.patch b/queue-5.16/acpica-actypes.h-expand-the-acpi_access_-definitions.patch
new file mode 100644 (file)
index 0000000..35a6947
--- /dev/null
@@ -0,0 +1,56 @@
+From dc8d10ad3a9333edca3964e8d9d8078cc85ec912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 16:57:34 +0100
+Subject: ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+[ Upstream commit f81bdeaf816142e0729eea0cc84c395ec9673151 ]
+
+ACPICA commit bc02c76d518135531483dfc276ed28b7ee632ce1
+
+The current ACPI_ACCESS_*_WIDTH defines do not provide a way to
+test that size is small enough to not cause an overflow when
+applied to a 32-bit integer.
+
+Rather than adding more magic numbers, add ACPI_ACCESS_*_SHIFT,
+ACPI_ACCESS_*_MAX, and ACPI_ACCESS_*_DEFAULT #defines and
+redefine ACPI_ACCESS_*_WIDTH in terms of the new #defines.
+
+This was inititally reported on Linux where a size of 102 in
+ACPI_ACCESS_BIT_WIDTH caused an overflow error in the SPCR
+initialization code.
+
+Link: https://github.com/acpica/acpica/commit/bc02c76d
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/acpi/actypes.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h
+index ff8b3c913f217..248242dca28d3 100644
+--- a/include/acpi/actypes.h
++++ b/include/acpi/actypes.h
+@@ -536,8 +536,14 @@ typedef u64 acpi_integer;
+  * Can be used with access_width of struct acpi_generic_address and access_size of
+  * struct acpi_resource_generic_register.
+  */
+-#define ACPI_ACCESS_BIT_WIDTH(size)     (1 << ((size) + 2))
+-#define ACPI_ACCESS_BYTE_WIDTH(size)    (1 << ((size) - 1))
++#define ACPI_ACCESS_BIT_SHIFT         2
++#define ACPI_ACCESS_BYTE_SHIFT                -1
++#define ACPI_ACCESS_BIT_MAX           (31 - ACPI_ACCESS_BIT_SHIFT)
++#define ACPI_ACCESS_BYTE_MAX          (31 - ACPI_ACCESS_BYTE_SHIFT)
++#define ACPI_ACCESS_BIT_DEFAULT               (8 - ACPI_ACCESS_BIT_SHIFT)
++#define ACPI_ACCESS_BYTE_DEFAULT      (8 - ACPI_ACCESS_BYTE_SHIFT)
++#define ACPI_ACCESS_BIT_WIDTH(size)   (1 << ((size) + ACPI_ACCESS_BIT_SHIFT))
++#define ACPI_ACCESS_BYTE_WIDTH(size)  (1 << ((size) + ACPI_ACCESS_BYTE_SHIFT))
+ /*******************************************************************************
+  *
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch b/queue-5.16/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch
new file mode 100644 (file)
index 0000000..9eb9863
--- /dev/null
@@ -0,0 +1,57 @@
+From a00f3fe1f3df7e8fb908488be98b74cecb1cd411 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 17:31:05 +0100
+Subject: ACPICA: Executer: Fix the REFCLASS_REFOF case in
+ acpi_ex_opcode_1A_0T_1R()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 24ea5f90ec9548044a6209685c5010edd66ffe8f ]
+
+ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e
+
+If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class,
+acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to
+obtain return_desc which may require additional resolution with
+the help of acpi_ex_read_data_from_field (). If the latter fails,
+the reference counter of the original return_desc is decremented
+which is incorrect, because acpi_ns_get_attached_object () does not
+increment the reference counter of the object returned by it.
+
+This issue may lead to premature deletion of the attached object
+while it is still attached and a use-after-free and crash in the
+host OS.  For example, this may happen when on evaluation of ref_of()
+a local region field where there is no registered handler for the
+given Operation Region.
+
+Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away
+after a acpi_ex_read_data_from_field () failure.
+
+Link: https://github.com/acpica/acpica/commit/d984f120
+Link: https://github.com/acpica/acpica/pull/685
+Reported-by: Lenny Szubowicz <lszubowi@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exoparg1.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c
+index b639e930d6429..44b7c350ed5ca 100644
+--- a/drivers/acpi/acpica/exoparg1.c
++++ b/drivers/acpi/acpica/exoparg1.c
+@@ -1007,7 +1007,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state)
+                                                   (walk_state, return_desc,
+                                                    &temp_desc);
+                                               if (ACPI_FAILURE(status)) {
+-                                                      goto cleanup;
++                                                      return_ACPI_STATUS
++                                                          (status);
+                                               }
+                                               return_desc = temp_desc;
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpica-fix-wrong-interpretation-of-pcc-address.patch b/queue-5.16/acpica-fix-wrong-interpretation-of-pcc-address.patch
new file mode 100644 (file)
index 0000000..563f58d
--- /dev/null
@@ -0,0 +1,86 @@
+From 8b8d60fe2852ca9512bdcf45e83b4a564c654767 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 17:31:54 +0100
+Subject: ACPICA: Fix wrong interpretation of PCC address
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 9a3b8655db1ada31c82189ae13f40eb25da48c35 ]
+
+ACPICA commit 41be6afacfdaec2dba3a5ed368736babc2a7aa5c
+
+With the PCC Opregion in the firmware and we are hitting below kernel crash:
+
+-->8
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
+ Workqueue: pm pm_runtime_work
+ pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __memcpy+0x54/0x260
+ lr : acpi_ex_write_data_to_field+0xb8/0x194
+ Call trace:
+  __memcpy+0x54/0x260
+  acpi_ex_store_object_to_node+0xa4/0x1d4
+  acpi_ex_store+0x44/0x164
+  acpi_ex_opcode_1A_1T_1R+0x25c/0x508
+  acpi_ds_exec_end_op+0x1b4/0x44c
+  acpi_ps_parse_loop+0x3a8/0x614
+  acpi_ps_parse_aml+0x90/0x2f4
+  acpi_ps_execute_method+0x11c/0x19c
+  acpi_ns_evaluate+0x1ec/0x2b0
+  acpi_evaluate_object+0x170/0x2b0
+  acpi_device_set_power+0x118/0x310
+  acpi_dev_suspend+0xd4/0x180
+  acpi_subsys_runtime_suspend+0x28/0x38
+  __rpm_callback+0x74/0x328
+  rpm_suspend+0x2d8/0x624
+  pm_runtime_work+0xa4/0xb8
+  process_one_work+0x194/0x25c
+  worker_thread+0x260/0x49c
+  kthread+0x14c/0x30c
+  ret_from_fork+0x10/0x20
+ Code: f9000006 f81f80a7 d65f03c0 361000c2 (b9400026)
+ ---[ end trace 24d8a032fa77b68a ]---
+
+The reason for the crash is that the PCC channel index passed via region.address
+in acpi_ex_store_object_to_node is interpreted as the channel subtype
+incorrectly.
+
+Assuming the PCC op_region support is not used by any other type, let us
+remove the subtype check as the AML has no access to the subtype information.
+Once we remove it, the kernel crash disappears and correctly complains about
+missing PCC Opregion handler.
+
+ACPI Error: No handler for Region [PFRM] ((____ptrval____)) [PCC] (20210730/evregion-130)
+ACPI Error: Region PCC (ID=10) has no handler (20210730/exfldio-261)
+ACPI Error: Aborting method \_SB.ETH0._PS3 due to previous error (AE_NOT_EXIST) (20210730/psparse-531)
+
+Link: https://github.com/acpica/acpica/commit/41be6afa
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exfield.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/acpi/acpica/exfield.c b/drivers/acpi/acpica/exfield.c
+index 06f3c9df1e22d..8618500f23b39 100644
+--- a/drivers/acpi/acpica/exfield.c
++++ b/drivers/acpi/acpica/exfield.c
+@@ -330,12 +330,7 @@ acpi_ex_write_data_to_field(union acpi_operand_object *source_desc,
+                      obj_desc->field.base_byte_offset,
+                      source_desc->buffer.pointer, data_length);
+-              if ((obj_desc->field.region_obj->region.address ==
+-                   PCC_MASTER_SUBSPACE
+-                   && MASTER_SUBSPACE_COMMAND(obj_desc->field.
+-                                              base_byte_offset))
+-                  || GENERIC_SUBSPACE_COMMAND(obj_desc->field.
+-                                              base_byte_offset)) {
++              if (MASTER_SUBSPACE_COMMAND(obj_desc->field.base_byte_offset)) {
+                       /* Perform the write */
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch b/queue-5.16/acpica-hardware-do-not-flush-cpu-cache-when-entering.patch
new file mode 100644 (file)
index 0000000..3ab059d
--- /dev/null
@@ -0,0 +1,82 @@
+From b5128e2eed3a7c49014ba89b0480683e99ab5cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 17:33:51 +0100
+Subject: ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+[ Upstream commit 1d4e0b3abb168b2ee1eca99c527cffa1b80b6161 ]
+
+ACPICA commit 3dd7e1f3996456ef81bfe14cba29860e8d42949e
+
+According to ACPI 6.4, Section 16.2, the CPU cache flushing is
+required on entering to S1, S2, and S3, but the ACPICA code
+flushes the CPU cache regardless of the sleep state.
+
+Blind cache flush on entering S5 causes problems for TDX.
+
+Flushing happens with WBINVD that is not supported in the TDX
+environment.
+
+TDX only supports S5 and adjusting ACPICA code to conform to the
+spec more strictly fixes the issue.
+
+Link: https://github.com/acpica/acpica/commit/3dd7e1f3
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/hwesleep.c  | 4 +++-
+ drivers/acpi/acpica/hwsleep.c   | 4 +++-
+ drivers/acpi/acpica/hwxfsleep.c | 2 --
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c
+index 808fdf54aeebf..7ee2939c08cd4 100644
+--- a/drivers/acpi/acpica/hwesleep.c
++++ b/drivers/acpi/acpica/hwesleep.c
+@@ -104,7 +104,9 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state)
+       /* Flush caches, as per ACPI specification */
+-      ACPI_FLUSH_CPU_CACHE();
++      if (sleep_state < ACPI_STATE_S4) {
++              ACPI_FLUSH_CPU_CACHE();
++      }
+       status = acpi_os_enter_sleep(sleep_state, sleep_control, 0);
+       if (status == AE_CTRL_TERMINATE) {
+diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c
+index 34a3825f25d37..5efa3d8e483e0 100644
+--- a/drivers/acpi/acpica/hwsleep.c
++++ b/drivers/acpi/acpica/hwsleep.c
+@@ -110,7 +110,9 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state)
+       /* Flush caches, as per ACPI specification */
+-      ACPI_FLUSH_CPU_CACHE();
++      if (sleep_state < ACPI_STATE_S4) {
++              ACPI_FLUSH_CPU_CACHE();
++      }
+       status = acpi_os_enter_sleep(sleep_state, pm1a_control, pm1b_control);
+       if (status == AE_CTRL_TERMINATE) {
+diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
+index e4cde23a29061..ba77598ee43e8 100644
+--- a/drivers/acpi/acpica/hwxfsleep.c
++++ b/drivers/acpi/acpica/hwxfsleep.c
+@@ -162,8 +162,6 @@ acpi_status acpi_enter_sleep_state_s4bios(void)
+               return_ACPI_STATUS(status);
+       }
+-      ACPI_FLUSH_CPU_CACHE();
+-
+       status = acpi_hw_write_port(acpi_gbl_FADT.smi_command,
+                                   (u32)acpi_gbl_FADT.s4_bios_request, 8);
+       if (ACPI_FAILURE(status)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/acpica-utilities-avoid-deleting-the-same-object-twic.patch b/queue-5.16/acpica-utilities-avoid-deleting-the-same-object-twic.patch
new file mode 100644 (file)
index 0000000..42c4eff
--- /dev/null
@@ -0,0 +1,48 @@
+From 78ab789478f7a0826627ad110ce3c3988a6d53cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 17:29:45 +0100
+Subject: ACPICA: Utilities: Avoid deleting the same object twice in a row
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 1cdfe9e346b4c5509ffe19ccde880fd259d9f7a3 ]
+
+ACPICA commit c11af67d8f7e3d381068ce7771322f2b5324d687
+
+If original_count is 0 in acpi_ut_update_ref_count (),
+acpi_ut_delete_internal_obj () is invoked for the target object, which is
+incorrect, because that object has been deleted once already and the
+memory allocated to store it may have been reclaimed and allocated
+for a different purpose by the host OS.  Moreover, a confusing debug
+message following the "Reference Count is already zero, cannot
+decrement" warning is printed in that case.
+
+To fix this issue, make acpi_ut_update_ref_count () return after finding
+that original_count is 0 and printing the above warning.
+
+Link: https://github.com/acpica/acpica/commit/c11af67d
+Link: https://github.com/acpica/acpica/pull/652
+Reported-by: Mark Asselstine <mark.asselstine@windriver.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/utdelete.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
+index e5ba9795ec696..8d7736d2d2699 100644
+--- a/drivers/acpi/acpica/utdelete.c
++++ b/drivers/acpi/acpica/utdelete.c
+@@ -422,6 +422,7 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action)
+                       ACPI_WARNING((AE_INFO,
+                                     "Obj %p, Reference Count is already zero, cannot decrement\n",
+                                     object));
++                      return;
+               }
+               ACPI_DEBUG_PRINT_RAW((ACPI_DB_ALLOCATIONS,
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch b/queue-5.16/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch
new file mode 100644 (file)
index 0000000..7063033
--- /dev/null
@@ -0,0 +1,40 @@
+From 52581ed36459a52a5f9d53f812d286bbb0327841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:13:14 +0100
+Subject: ALSA: hda: Add missing rwsem around snd_ctl_remove() calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 80bd64af75b4bb11c0329bc66c35da2ddfb66d88 ]
+
+snd_ctl_remove() has to be called with card->controls_rwsem held (when
+called after the card instantiation).  This patch add the missing
+rwsem calls around it.
+
+Fixes: d13bd412dce2 ("ALSA: hda - Manage kcontrol lists")
+Link: https://lore.kernel.org/r/20211116071314.15065-3-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 0c4a337c9fc0d..eda70814369bd 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -1727,8 +1727,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec)
+ {
+       int i;
+       struct hda_nid_item *items = codec->mixers.list;
++
++      down_write(&codec->card->controls_rwsem);
+       for (i = 0; i < codec->mixers.used; i++)
+               snd_ctl_remove(codec->card, items[i].kctl);
++      up_write(&codec->card->controls_rwsem);
+       snd_array_free(&codec->mixers);
+       snd_array_free(&codec->nids);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-hda-cs8409-fix-jack-detection-after-resume.patch b/queue-5.16/alsa-hda-cs8409-fix-jack-detection-after-resume.patch
new file mode 100644 (file)
index 0000000..11311f5
--- /dev/null
@@ -0,0 +1,91 @@
+From 4c65421529413f1b621d8c3174d5193e3a027ed0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Dec 2021 14:44:32 +0100
+Subject: ALSA: hda/cs8409: Fix Jack detection after resume
+
+From: Christian A. Ehrhardt <lk@c--e.de>
+
+[ Upstream commit 57f234248ff925d88caedf4019ec84e6ecb83909 ]
+
+The suspend code unconditionally sets ->hp_jack_in and ->mic_jack_in
+to zero but without reporting this status change to the HDA core.
+To compensate for this, always assume a status change on the
+first unsol event after boot or resume.
+
+Fixes: 424e531b47f8 ("ALSA: hda/cs8409: Ensure Type Detection is only run on startup when necessary")
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Link: https://lore.kernel.org/r/20211231134432.atwmuzeceqiklcoa@cae.in-ulm.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_cs8409-tables.c | 3 +++
+ sound/pci/hda/patch_cs8409.c        | 5 ++++-
+ sound/pci/hda/patch_cs8409.h        | 1 +
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_cs8409-tables.c b/sound/pci/hda/patch_cs8409-tables.c
+index 0fb0a428428b4..df0b4522babf7 100644
+--- a/sound/pci/hda/patch_cs8409-tables.c
++++ b/sound/pci/hda/patch_cs8409-tables.c
+@@ -252,6 +252,7 @@ struct sub_codec cs8409_cs42l42_codec = {
+       .init_seq_num = ARRAY_SIZE(cs42l42_init_reg_seq),
+       .hp_jack_in = 0,
+       .mic_jack_in = 0,
++      .force_status_change = 1,
+       .paged = 1,
+       .suspended = 1,
+       .no_type_dect = 0,
+@@ -443,6 +444,7 @@ struct sub_codec dolphin_cs42l42_0 = {
+       .init_seq_num = ARRAY_SIZE(dolphin_c0_init_reg_seq),
+       .hp_jack_in = 0,
+       .mic_jack_in = 0,
++      .force_status_change = 1,
+       .paged = 1,
+       .suspended = 1,
+       .no_type_dect = 0,
+@@ -456,6 +458,7 @@ struct sub_codec dolphin_cs42l42_1 = {
+       .init_seq_num = ARRAY_SIZE(dolphin_c1_init_reg_seq),
+       .hp_jack_in = 0,
+       .mic_jack_in = 0,
++      .force_status_change = 1,
+       .paged = 1,
+       .suspended = 1,
+       .no_type_dect = 1,
+diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c
+index bf5d7f0c6ba55..aff2b5abb81ea 100644
+--- a/sound/pci/hda/patch_cs8409.c
++++ b/sound/pci/hda/patch_cs8409.c
+@@ -636,7 +636,9 @@ static void cs42l42_run_jack_detect(struct sub_codec *cs42l42)
+ static int cs42l42_handle_tip_sense(struct sub_codec *cs42l42, unsigned int reg_ts_status)
+ {
+-      int status_changed = 0;
++      int status_changed = cs42l42->force_status_change;
++
++      cs42l42->force_status_change = 0;
+       /* TIP_SENSE INSERT/REMOVE */
+       switch (reg_ts_status) {
+@@ -791,6 +793,7 @@ static void cs42l42_suspend(struct sub_codec *cs42l42)
+       cs42l42->last_page = 0;
+       cs42l42->hp_jack_in = 0;
+       cs42l42->mic_jack_in = 0;
++      cs42l42->force_status_change = 1;
+       /* Put CS42L42 into Reset */
+       gpio_data = snd_hda_codec_read(codec, CS8409_PIN_AFG, 0, AC_VERB_GET_GPIO_DATA, 0);
+diff --git a/sound/pci/hda/patch_cs8409.h b/sound/pci/hda/patch_cs8409.h
+index ade2b838590cf..d0b725c7285b6 100644
+--- a/sound/pci/hda/patch_cs8409.h
++++ b/sound/pci/hda/patch_cs8409.h
+@@ -305,6 +305,7 @@ struct sub_codec {
+       unsigned int hp_jack_in:1;
+       unsigned int mic_jack_in:1;
++      unsigned int force_status_change:1;
+       unsigned int suspended:1;
+       unsigned int paged:1;
+       unsigned int last_page;
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-hda-cs8409-increase-delay-during-jack-detection.patch b/queue-5.16/alsa-hda-cs8409-increase-delay-during-jack-detection.patch
new file mode 100644 (file)
index 0000000..89154bd
--- /dev/null
@@ -0,0 +1,42 @@
+From 6b478aaaedb29f479745017333963f7b04522486 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Dec 2021 14:12:21 +0100
+Subject: ALSA: hda/cs8409: Increase delay during jack detection
+
+From: Christian A. Ehrhardt <lk@c--e.de>
+
+[ Upstream commit 8cd07657177006b67cc1610e4466cc75ad781c05 ]
+
+Commit c8b4f0865e82 reduced delays related to cs42l42 jack
+detection. However, the change was too aggressive. As a result
+internal speakers on DELL Inspirion 3501 are not detected.
+
+Increase the delay in cs42l42_run_jack_detect() a bit.
+
+Fixes: c8b4f0865e82 ("ALSA: hda/cs8409: Remove unnecessary delays")
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Link: https://lore.kernel.org/r/20211231131221.itwotyfk5qomn7n6@cae.in-ulm.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_cs8409.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_cs8409.c b/sound/pci/hda/patch_cs8409.c
+index 039b9f2f8e947..bf5d7f0c6ba55 100644
+--- a/sound/pci/hda/patch_cs8409.c
++++ b/sound/pci/hda/patch_cs8409.c
+@@ -628,8 +628,8 @@ static void cs42l42_run_jack_detect(struct sub_codec *cs42l42)
+       cs8409_i2c_write(cs42l42, 0x1b74, 0x07);
+       cs8409_i2c_write(cs42l42, 0x131b, 0xFD);
+       cs8409_i2c_write(cs42l42, 0x1120, 0x80);
+-      /* Wait ~100us*/
+-      usleep_range(100, 200);
++      /* Wait ~20ms*/
++      usleep_range(20000, 25000);
+       cs8409_i2c_write(cs42l42, 0x111f, 0x77);
+       cs8409_i2c_write(cs42l42, 0x1120, 0xc0);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-hda-fix-potential-deadlock-at-codec-unbinding.patch b/queue-5.16/alsa-hda-fix-potential-deadlock-at-codec-unbinding.patch
new file mode 100644 (file)
index 0000000..3d2bbd1
--- /dev/null
@@ -0,0 +1,217 @@
+From 9077e1cd3eb38caac01715d145de5abcb66c2d46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:24:59 +0100
+Subject: ALSA: hda: Fix potential deadlock at codec unbinding
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 7206998f578d5553989bc01ea2e544b622e79539 ]
+
+When a codec is unbound dynamically via sysfs while its stream is in
+use, we may face a potential deadlock at the proc remove or a UAF.
+This happens since the hda_pcm is managed by a linked list, as it
+handles the hda_pcm object release via kref.
+
+When a PCM is opened at the unbinding time, the release of hda_pcm
+gets delayed and it ends up with the close of the PCM stream releasing
+the associated hda_pcm object of its own.  The hda_pcm destructor
+contains the PCM device release that includes the removal of procfs
+entries.  And, this removal has the sync of the close of all in-use
+files -- which would never finish because it's called from the PCM
+file descriptor itself, i.e. it's trying to shoot its foot.
+
+For addressing the deadlock above, this patch changes the way to
+manage and release the hda_pcm object.  The kref of hda_pcm is
+dropped, and instead a simple refcount is introduced in hda_codec for
+keeping the track of the active PCM streams, and at each PCM open and
+close, this refcount is adjusted accordingly.  At unbinding, the
+driver calls snd_device_disconnect() for each PCM stream, then
+synchronizes with the refcount finish, and finally releases the object
+resources.
+
+Fixes: bbbc7e8502c9 ("ALSA: hda - Allocate hda_pcm objects dynamically")
+Link: https://lore.kernel.org/r/20211116072459.18930-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/hda_codec.h |  8 +++++---
+ sound/pci/hda/hda_bind.c  |  5 +++++
+ sound/pci/hda/hda_codec.c | 42 ++++++++++++++++++++++++---------------
+ sound/pci/hda/hda_local.h |  1 +
+ 4 files changed, 37 insertions(+), 19 deletions(-)
+
+diff --git a/include/sound/hda_codec.h b/include/sound/hda_codec.h
+index 0e45963bb767f..82d9daa178517 100644
+--- a/include/sound/hda_codec.h
++++ b/include/sound/hda_codec.h
+@@ -8,7 +8,7 @@
+ #ifndef __SOUND_HDA_CODEC_H
+ #define __SOUND_HDA_CODEC_H
+-#include <linux/kref.h>
++#include <linux/refcount.h>
+ #include <linux/mod_devicetable.h>
+ #include <sound/info.h>
+ #include <sound/control.h>
+@@ -166,8 +166,8 @@ struct hda_pcm {
+       bool own_chmap;         /* codec driver provides own channel maps */
+       /* private: */
+       struct hda_codec *codec;
+-      struct kref kref;
+       struct list_head list;
++      unsigned int disconnected:1;
+ };
+ /* codec information */
+@@ -187,6 +187,8 @@ struct hda_codec {
+       /* PCM to create, set by patch_ops.build_pcms callback */
+       struct list_head pcm_list_head;
++      refcount_t pcm_ref;
++      wait_queue_head_t remove_sleep;
+       /* codec specific info */
+       void *spec;
+@@ -420,7 +422,7 @@ void snd_hda_codec_cleanup_for_unbind(struct hda_codec *codec);
+ static inline void snd_hda_codec_pcm_get(struct hda_pcm *pcm)
+ {
+-      kref_get(&pcm->kref);
++      refcount_inc(&pcm->codec->pcm_ref);
+ }
+ void snd_hda_codec_pcm_put(struct hda_pcm *pcm);
+diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c
+index 1c8bffc3eec6e..7153bd53e1893 100644
+--- a/sound/pci/hda/hda_bind.c
++++ b/sound/pci/hda/hda_bind.c
+@@ -156,6 +156,11 @@ static int hda_codec_driver_remove(struct device *dev)
+               return codec->bus->core.ext_ops->hdev_detach(&codec->core);
+       }
++      refcount_dec(&codec->pcm_ref);
++      snd_hda_codec_disconnect_pcms(codec);
++      wait_event(codec->remove_sleep, !refcount_read(&codec->pcm_ref));
++      snd_power_sync_ref(codec->bus->card);
++
+       if (codec->patch_ops.free)
+               codec->patch_ops.free(codec);
+       snd_hda_codec_cleanup_for_unbind(codec);
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index eda70814369bd..7016b48227bf2 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -703,20 +703,10 @@ get_hda_cvt_setup(struct hda_codec *codec, hda_nid_t nid)
+ /*
+  * PCM device
+  */
+-static void release_pcm(struct kref *kref)
+-{
+-      struct hda_pcm *pcm = container_of(kref, struct hda_pcm, kref);
+-
+-      if (pcm->pcm)
+-              snd_device_free(pcm->codec->card, pcm->pcm);
+-      clear_bit(pcm->device, pcm->codec->bus->pcm_dev_bits);
+-      kfree(pcm->name);
+-      kfree(pcm);
+-}
+-
+ void snd_hda_codec_pcm_put(struct hda_pcm *pcm)
+ {
+-      kref_put(&pcm->kref, release_pcm);
++      if (refcount_dec_and_test(&pcm->codec->pcm_ref))
++              wake_up(&pcm->codec->remove_sleep);
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_codec_pcm_put);
+@@ -731,7 +721,6 @@ struct hda_pcm *snd_hda_codec_pcm_new(struct hda_codec *codec,
+               return NULL;
+       pcm->codec = codec;
+-      kref_init(&pcm->kref);
+       va_start(args, fmt);
+       pcm->name = kvasprintf(GFP_KERNEL, fmt, args);
+       va_end(args);
+@@ -741,6 +730,7 @@ struct hda_pcm *snd_hda_codec_pcm_new(struct hda_codec *codec,
+       }
+       list_add_tail(&pcm->list, &codec->pcm_list_head);
++      refcount_inc(&codec->pcm_ref);
+       return pcm;
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_codec_pcm_new);
+@@ -748,15 +738,31 @@ EXPORT_SYMBOL_GPL(snd_hda_codec_pcm_new);
+ /*
+  * codec destructor
+  */
++void snd_hda_codec_disconnect_pcms(struct hda_codec *codec)
++{
++      struct hda_pcm *pcm;
++
++      list_for_each_entry(pcm, &codec->pcm_list_head, list) {
++              if (pcm->disconnected)
++                      continue;
++              if (pcm->pcm)
++                      snd_device_disconnect(codec->card, pcm->pcm);
++              snd_hda_codec_pcm_put(pcm);
++              pcm->disconnected = 1;
++      }
++}
++
+ static void codec_release_pcms(struct hda_codec *codec)
+ {
+       struct hda_pcm *pcm, *n;
+       list_for_each_entry_safe(pcm, n, &codec->pcm_list_head, list) {
+-              list_del_init(&pcm->list);
++              list_del(&pcm->list);
+               if (pcm->pcm)
+-                      snd_device_disconnect(codec->card, pcm->pcm);
+-              snd_hda_codec_pcm_put(pcm);
++                      snd_device_free(pcm->codec->card, pcm->pcm);
++              clear_bit(pcm->device, pcm->codec->bus->pcm_dev_bits);
++              kfree(pcm->name);
++              kfree(pcm);
+       }
+ }
+@@ -769,6 +775,7 @@ void snd_hda_codec_cleanup_for_unbind(struct hda_codec *codec)
+               codec->registered = 0;
+       }
++      snd_hda_codec_disconnect_pcms(codec);
+       cancel_delayed_work_sync(&codec->jackpoll_work);
+       if (!codec->in_freeing)
+               snd_hda_ctls_clear(codec);
+@@ -792,6 +799,7 @@ void snd_hda_codec_cleanup_for_unbind(struct hda_codec *codec)
+       remove_conn_list(codec);
+       snd_hdac_regmap_exit(&codec->core);
+       codec->configured = 0;
++      refcount_set(&codec->pcm_ref, 1); /* reset refcount */
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_codec_cleanup_for_unbind);
+@@ -958,6 +966,8 @@ int snd_hda_codec_device_new(struct hda_bus *bus, struct snd_card *card,
+       snd_array_init(&codec->verbs, sizeof(struct hda_verb *), 8);
+       INIT_LIST_HEAD(&codec->conn_list);
+       INIT_LIST_HEAD(&codec->pcm_list_head);
++      refcount_set(&codec->pcm_ref, 1);
++      init_waitqueue_head(&codec->remove_sleep);
+       INIT_DELAYED_WORK(&codec->jackpoll_work, hda_jackpoll_work);
+       codec->depop_delay = -1;
+diff --git a/sound/pci/hda/hda_local.h b/sound/pci/hda/hda_local.h
+index d22c96eb2f8fb..8621f576446b8 100644
+--- a/sound/pci/hda/hda_local.h
++++ b/sound/pci/hda/hda_local.h
+@@ -137,6 +137,7 @@ int __snd_hda_add_vmaster(struct hda_codec *codec, char *name,
+ int snd_hda_codec_reset(struct hda_codec *codec);
+ void snd_hda_codec_register(struct hda_codec *codec);
+ void snd_hda_codec_cleanup_for_unbind(struct hda_codec *codec);
++void snd_hda_codec_disconnect_pcms(struct hda_codec *codec);
+ #define snd_hda_regmap_sync(codec)    snd_hdac_regmap_sync(&(codec)->core)
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-hda-make-proper-use-of-timecounter.patch b/queue-5.16/alsa-hda-make-proper-use-of-timecounter.patch
new file mode 100644 (file)
index 0000000..33ab2c2
--- /dev/null
@@ -0,0 +1,123 @@
+From 05f8f8b664ec8987313dc818407e0f63cb717c39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 23:40:01 +0100
+Subject: ALSA: hda: Make proper use of timecounter
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 6dd21ad81bf96478db3403b1bbe251c0612d0431 ]
+
+HDA uses a timecounter to read a hardware clock running at 24 MHz. The
+conversion factor is set with a mult value of 125 and a shift value of 0,
+which is not converting the hardware clock to nanoseconds, it is converting
+to 1/3 nanoseconds because the conversion factor from 24Mhz to nanoseconds
+is 125/3. The usage sites divide the "nanoseconds" value returned by
+timecounter_read() by 3 to get a real nanoseconds value.
+
+There is a lengthy comment in azx_timecounter_init() explaining this
+choice. That comment makes blatantly wrong assumptions about how
+timecounters work and what can overflow.
+
+The comment says:
+
+     * Applying the 1/3 factor as part of the multiplication
+     * requires at least 20 bits for a decent precision, however
+     * overflows occur after about 4 hours or less, not a option.
+
+timecounters operate on time deltas between two readouts of a clock and use
+the mult/shift pair to calculate a precise nanoseconds value:
+
+    delta_nsec = (delta_clock * mult) >> shift;
+
+The fractional part is also taken into account and preserved to prevent
+accumulated rounding errors. For details see cyclecounter_cyc2ns().
+
+The mult/shift pair has to be chosen so that the multiplication of the
+maximum expected delta value does not result in a 64bit overflow. As the
+counter wraps around on 32bit, the maximum observable delta between two
+reads is (1 << 32) - 1 which is about 178.9 seconds.
+
+That in turn means the maximum multiplication factor which fits into an u32
+will not cause a 64bit overflow ever because it's guaranteed that:
+
+     ((1 << 32) - 1) ^ 2 < (1 << 64)
+
+The resulting correct multiplication factor is 2796202667 and the shift
+value is 26, i.e. 26 bit precision. The overflow of the multiplication
+would happen exactly at a clock readout delta of 6597069765 which is way
+after the wrap around of the hardware clock at around 274.8 seconds which
+is off from the claimed 4 hours by more than an order of magnitude.
+
+If the counter ever wraps around the last read value then the calculation
+is off by the number of wrap arounds times 178.9 seconds because the
+overflow cannot be observed.
+
+Use clocks_calc_mult_shift(), which calculates the most accurate mult/shift
+pair based on the given clock frequency, and remove the bogus comment along
+with the divisions at the readout sites.
+
+Fixes: 5d890f591d15 ("ALSA: hda: support for wallclock timestamps")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/871r35kwji.ffs@tglx
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdac_stream.c           | 14 ++++----------
+ sound/pci/hda/hda_controller.c    |  1 -
+ sound/soc/intel/skylake/skl-pcm.c |  1 -
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
+index 9867555883c34..aa7955fdf68a0 100644
+--- a/sound/hda/hdac_stream.c
++++ b/sound/hda/hdac_stream.c
+@@ -534,17 +534,11 @@ static void azx_timecounter_init(struct hdac_stream *azx_dev,
+       cc->mask = CLOCKSOURCE_MASK(32);
+       /*
+-       * Converting from 24 MHz to ns means applying a 125/3 factor.
+-       * To avoid any saturation issues in intermediate operations,
+-       * the 125 factor is applied first. The division is applied
+-       * last after reading the timecounter value.
+-       * Applying the 1/3 factor as part of the multiplication
+-       * requires at least 20 bits for a decent precision, however
+-       * overflows occur after about 4 hours or less, not a option.
++       * Calculate the optimal mult/shift values. The counter wraps
++       * around after ~178.9 seconds.
+        */
+-
+-      cc->mult = 125; /* saturation after 195 years */
+-      cc->shift = 0;
++      clocks_calc_mult_shift(&cc->mult, &cc->shift, 24000000,
++                             NSEC_PER_SEC, 178);
+       nsec = 0; /* audio time is elapsed time since trigger */
+       timecounter_init(tc, cc, nsec);
+diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
+index 930ae4002a818..75dcb14ff20ad 100644
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -504,7 +504,6 @@ static int azx_get_time_info(struct snd_pcm_substream *substream,
+               snd_pcm_gettime(substream->runtime, system_ts);
+               nsec = timecounter_read(&azx_dev->core.tc);
+-              nsec = div_u64(nsec, 3); /* can be optimized */
+               if (audio_tstamp_config->report_delay)
+                       nsec = azx_adjust_codec_delay(substream, nsec);
+diff --git a/sound/soc/intel/skylake/skl-pcm.c b/sound/soc/intel/skylake/skl-pcm.c
+index 9ecaf6a1e8475..e4aa366d356eb 100644
+--- a/sound/soc/intel/skylake/skl-pcm.c
++++ b/sound/soc/intel/skylake/skl-pcm.c
+@@ -1251,7 +1251,6 @@ static int skl_platform_soc_get_time_info(
+               snd_pcm_gettime(substream->runtime, system_ts);
+               nsec = timecounter_read(&hstr->tc);
+-              nsec = div_u64(nsec, 3); /* can be optimized */
+               if (audio_tstamp_config->report_delay)
+                       nsec = skl_adjust_codec_delay(substream, nsec);
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch b/queue-5.16/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch
new file mode 100644 (file)
index 0000000..109bfac
--- /dev/null
@@ -0,0 +1,42 @@
+From 0a59f5035e4fc6cc202607b88255225a0f7fb7f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:13:12 +0100
+Subject: ALSA: jack: Add missing rwsem around snd_ctl_remove() calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 06764dc931848c3a9bc01a63bbf76a605408bb54 ]
+
+snd_ctl_remove() has to be called with card->controls_rwsem held (when
+called after the card instantiation).  This patch add the missing
+rwsem calls around it.
+
+Fixes: 9058cbe1eed2 ("ALSA: jack: implement kctl creating for jack devices")
+Link: https://lore.kernel.org/r/20211116071314.15065-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/jack.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/core/jack.c b/sound/core/jack.c
+index 537df1e98f8ac..d1e3055f2b6a5 100644
+--- a/sound/core/jack.c
++++ b/sound/core/jack.c
+@@ -62,10 +62,13 @@ static int snd_jack_dev_free(struct snd_device *device)
+       struct snd_card *card = device->card;
+       struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl;
++      down_write(&card->controls_rwsem);
+       list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) {
+               list_del_init(&jack_kctl->list);
+               snd_ctl_remove(card, jack_kctl->kctl);
+       }
++      up_write(&card->controls_rwsem);
++
+       if (jack->private_free)
+               jack->private_free(jack);
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch b/queue-5.16/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch
new file mode 100644 (file)
index 0000000..650ff3c
--- /dev/null
@@ -0,0 +1,41 @@
+From 654707f530b149ecbaa5fb2f20907614f457924d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 16:58:54 +0800
+Subject: ALSA: oss: fix compile error when OSS_DEBUG is enabled
+
+From: Bixuan Cui <cuibixuan@linux.alibaba.com>
+
+[ Upstream commit 8e7daf318d97f25e18b2fc7eb5909e34cd903575 ]
+
+Fix compile error when OSS_DEBUG is enabled:
+    sound/core/oss/pcm_oss.c: In function 'snd_pcm_oss_set_trigger':
+    sound/core/oss/pcm_oss.c:2055:10: error: 'substream' undeclared (first
+    use in this function); did you mean 'csubstream'?
+      pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger);
+              ^
+
+Fixes: 61efcee8608c ("ALSA: oss: Use standard printk helpers")
+Signed-off-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
+Link: https://lore.kernel.org/r/1638349134-110369-1-git-send-email-cuibixuan@linux.alibaba.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/oss/pcm_oss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
+index 20a0a4771b9a8..3ee9edf858156 100644
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -2065,7 +2065,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr
+       int err, cmd;
+ #ifdef OSS_DEBUG
+-      pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger);
++      pr_debug("pcm_oss: trigger = 0x%x\n", trigger);
+ #endif
+       
+       psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK];
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch b/queue-5.16/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch
new file mode 100644 (file)
index 0000000..c5a5686
--- /dev/null
@@ -0,0 +1,41 @@
+From 36ac3b5b1f0e573e8927b92774ee313379d1857f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:13:13 +0100
+Subject: ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5471e9762e1af4b7df057a96bfd46cc250979b88 ]
+
+snd_ctl_remove() has to be called with card->controls_rwsem held (when
+called after the card instantiation).  This patch add the missing
+rwsem calls around it.
+
+Fixes: a8ff48cb7083 ("ALSA: pcm: Free chmap at PCM free callback, too")
+Link: https://lore.kernel.org/r/20211116071314.15065-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/core/pcm.c b/sound/core/pcm.c
+index 6fd3677685d70..ba4a987ed1c62 100644
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -810,7 +810,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal);
+ static void free_chmap(struct snd_pcm_str *pstr)
+ {
+       if (pstr->chmap_kctl) {
+-              snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl);
++              struct snd_card *card = pstr->pcm->card;
++
++              down_write(&card->controls_rwsem);
++              snd_ctl_remove(card, pstr->chmap_kctl);
++              up_write(&card->controls_rwsem);
+               pstr->chmap_kctl = NULL;
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-seq-set-upper-limit-of-processed-events.patch b/queue-5.16/alsa-seq-set-upper-limit-of-processed-events.patch
new file mode 100644 (file)
index 0000000..c7d73ba
--- /dev/null
@@ -0,0 +1,87 @@
+From 388ec262d8d28c1acecc0d65f1286f248d989ccf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 17:51:46 +0100
+Subject: ALSA: seq: Set upper limit of processed events
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 6fadb494a638d8b8a55864ecc6ac58194f03f327 ]
+
+Currently ALSA sequencer core tries to process the queued events as
+much as possible when they become dispatchable.  If applications try
+to queue too massive events to be processed at the very same timing,
+the sequencer core would still try to process such all events, either
+in the interrupt context or via some notifier; in either away, it
+might be a cause of RCU stall or such problems.
+
+As a potential workaround for those problems, this patch adds the
+upper limit of the amount of events to be processed.  The remaining
+events are processed in the next batch, so they won't be lost.
+
+For the time being, it's limited up to 1000 events per queue, which
+should be high enough for any normal usages.
+
+Reported-by: Zqiang <qiang.zhang1211@gmail.com>
+Reported-by: syzbot+bb950e68b400ab4f65f8@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211102033222.3849-1-qiang.zhang1211@gmail.com
+Link: https://lore.kernel.org/r/20211207165146.2888-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_queue.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
+index d6c02dea976c8..bc933104c3eea 100644
+--- a/sound/core/seq/seq_queue.c
++++ b/sound/core/seq/seq_queue.c
+@@ -235,12 +235,15 @@ struct snd_seq_queue *snd_seq_queue_find_name(char *name)
+ /* -------------------------------------------------------- */
++#define MAX_CELL_PROCESSES_IN_QUEUE   1000
++
+ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
+ {
+       unsigned long flags;
+       struct snd_seq_event_cell *cell;
+       snd_seq_tick_time_t cur_tick;
+       snd_seq_real_time_t cur_time;
++      int processed = 0;
+       if (q == NULL)
+               return;
+@@ -263,6 +266,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
+               if (!cell)
+                       break;
+               snd_seq_dispatch_event(cell, atomic, hop);
++              if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE)
++                      goto out; /* the rest processed at the next batch */
+       }
+       /* Process time queue... */
+@@ -272,14 +277,19 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop)
+               if (!cell)
+                       break;
+               snd_seq_dispatch_event(cell, atomic, hop);
++              if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE)
++                      goto out; /* the rest processed at the next batch */
+       }
++ out:
+       /* free lock */
+       spin_lock_irqsave(&q->check_lock, flags);
+       if (q->check_again) {
+               q->check_again = 0;
+-              spin_unlock_irqrestore(&q->check_lock, flags);
+-              goto __again;
++              if (processed < MAX_CELL_PROCESSES_IN_QUEUE) {
++                      spin_unlock_irqrestore(&q->check_lock, flags);
++                      goto __again;
++              }
+       }
+       q->check_blocked = 0;
+       spin_unlock_irqrestore(&q->check_lock, flags);
+-- 
+2.34.1
+
diff --git a/queue-5.16/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch b/queue-5.16/alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch
new file mode 100644 (file)
index 0000000..e0ca80d
--- /dev/null
@@ -0,0 +1,64 @@
+From f8d37619ef190fb2ef5f17bda048de6cd93b1215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 09:38:33 +0100
+Subject: ALSA: usb-audio: Drop superfluous '0' in Presonus Studio 1810c's ID
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 1e583aef12aa74afd37c1418255cc4b74e023236 ]
+
+The vendor ID of Presonus Studio 1810c had a superfluous '0' in its
+USB ID.  Drop it.
+
+Fixes: 8dc5efe3d17c ("ALSA: usb-audio: Add support for Presonus Studio 1810c")
+Link: https://lore.kernel.org/r/20211202083833.17784-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/format.c       | 2 +-
+ sound/usb/mixer_quirks.c | 2 +-
+ sound/usb/quirks.c       | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/format.c b/sound/usb/format.c
+index f5e676a51b30d..405dc0bf6678c 100644
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -375,7 +375,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip,
+               for (rate = min; rate <= max; rate += res) {
+                       /* Filter out invalid rates on Presonus Studio 1810c */
+-                      if (chip->usb_id == USB_ID(0x0194f, 0x010c) &&
++                      if (chip->usb_id == USB_ID(0x194f, 0x010c) &&
+                           !s1810c_valid_sample_rate(fp, rate))
+                               goto skip_rate;
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index 823b6b8de942d..d48729e6a3b0a 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -3254,7 +3254,7 @@ int snd_usb_mixer_apply_create_quirk(struct usb_mixer_interface *mixer)
+               err = snd_rme_controls_create(mixer);
+               break;
+-      case USB_ID(0x0194f, 0x010c): /* Presonus Studio 1810c */
++      case USB_ID(0x194f, 0x010c): /* Presonus Studio 1810c */
+               err = snd_sc1810_init_mixer(mixer);
+               break;
+       case USB_ID(0x2a39, 0x3fb0): /* RME Babyface Pro FS */
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 64e1c20311ed4..ab9f3da49941f 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1290,7 +1290,7 @@ int snd_usb_apply_interface_quirk(struct snd_usb_audio *chip,
+       if (chip->usb_id == USB_ID(0x0763, 0x2012))
+               return fasttrackpro_skip_setting_quirk(chip, iface, altno);
+       /* presonus studio 1810c: skip altsets incompatible with device_setup */
+-      if (chip->usb_id == USB_ID(0x0194f, 0x010c))
++      if (chip->usb_id == USB_ID(0x194f, 0x010c))
+               return s1810c_skip_setting_quirk(chip, iface, altno);
+-- 
+2.34.1
+
diff --git a/queue-5.16/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch b/queue-5.16/amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch
new file mode 100644 (file)
index 0000000..a87d7e6
--- /dev/null
@@ -0,0 +1,55 @@
+From b2093ec25724410135ff46c485291e95ee246592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 20:57:53 +0800
+Subject: amdgpu/pm: Make sysfs pm attributes as read-only for VFs
+
+From: Marina Nikolic <Marina.Nikolic@amd.com>
+
+[ Upstream commit 11c9cc95f818f0f187e9b579a7f136f532b42445 ]
+
+== Description ==
+Setting values of pm attributes through sysfs
+should not be allowed in SRIOV mode.
+These calls will not be processed by FW anyway,
+but error handling on sysfs level should be improved.
+
+== Changes ==
+This patch prohibits performing of all set commands
+in SRIOV mode on sysfs level.
+It offers better error handling as calls that are
+not allowed will not be propagated further.
+
+== Test ==
+Writing to any sysfs file in passthrough mode will succeed.
+Writing to any sysfs file in ONEVF mode will yield error:
+"calling process does not have sufficient permission to execute a command".
+
+Signed-off-by: Marina Nikolic <Marina.Nikolic@amd.com>
+Acked-by: Evan Quan <evan.quan@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/amdgpu_pm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+index 41472ed992530..f8370d54100e8 100644
+--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+@@ -2123,6 +2123,12 @@ static int default_attr_update(struct amdgpu_device *adev, struct amdgpu_device_
+               }
+       }
++      /* setting should not be allowed from VF */
++      if (amdgpu_sriov_vf(adev)) {
++              dev_attr->attr.mode &= ~S_IWUGO;
++              dev_attr->store = NULL;
++      }
++
+ #undef DEVICE_ATTR_IS
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/amt-fix-wrong-return-type-of-amt_send_membership_upd.patch b/queue-5.16/amt-fix-wrong-return-type-of-amt_send_membership_upd.patch
new file mode 100644 (file)
index 0000000..dbe9c24
--- /dev/null
@@ -0,0 +1,38 @@
+From 779ecc7fcf900f140ffe591e7f99064a2bf30574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jan 2022 16:37:02 +0000
+Subject: amt: fix wrong return type of amt_send_membership_update()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit dd3ca4c5184ea98e40acb8eb293d85b88ea04ee2 ]
+
+amt_send_membership_update() would return -1 but it's return type is bool.
+So, it should be used TRUE instead of -1.
+
+Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Link: https://lore.kernel.org/r/20220109163702.6331-1-ap420073@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/amt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/amt.c b/drivers/net/amt.c
+index b732ee9a50ef9..d3a9dda6c7286 100644
+--- a/drivers/net/amt.c
++++ b/drivers/net/amt.c
+@@ -1106,7 +1106,7 @@ static bool amt_send_membership_query(struct amt_dev *amt,
+       rt = ip_route_output_key(amt->net, &fl4);
+       if (IS_ERR(rt)) {
+               netdev_dbg(amt->dev, "no route to %pI4\n", &tunnel->ip4);
+-              return -1;
++              return true;
+       }
+       amtmq           = skb_push(skb, sizeof(*amtmq));
+-- 
+2.34.1
+
diff --git a/queue-5.16/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch b/queue-5.16/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch
new file mode 100644 (file)
index 0000000..9b50c3d
--- /dev/null
@@ -0,0 +1,63 @@
+From 86b2ef3d2f6004cfdb7cbea8cc4dac1f81fc2777 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 18:37:49 -0400
+Subject: ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit ae80b6033834342601e99f74f6a62ff5092b1cee ]
+
+Unexpected WDCMSG_TARGET_START replay can lead to null-ptr-deref
+when ar->tx_cmd->odata is NULL. The patch adds a null check to
+prevent such case.
+
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ ar5523_cmd+0x46a/0x581 [ar5523]
+ ar5523_probe.cold+0x1b7/0x18da [ar5523]
+ ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523]
+ ? __pm_runtime_set_status+0x54a/0x8f0
+ ? _raw_spin_trylock_bh+0x120/0x120
+ ? pm_runtime_barrier+0x220/0x220
+ ? __pm_runtime_resume+0xb1/0xf0
+ usb_probe_interface+0x25b/0x710
+ really_probe+0x209/0x5d0
+ driver_probe_device+0xc6/0x1b0
+ device_driver_attach+0xe2/0x120
+
+I found the bug using a custome USBFuzz port. It's a research work
+to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
+providing hand-crafted usb descriptors to QEMU.
+
+After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START,
+I got the null-ptr-deref bug. I believe the bug is triggerable whenever
+cmd->odata is NULL. After patching, I tested with the same input and no
+longer see the KASAN report.
+
+This was NOT tested on a real device.
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
+index 0e9bad33fac85..141c1b5a7b1f3 100644
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb)
+                       ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START");
+                       return;
+               }
++              if (!cmd->odata) {
++                      ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply");
++                      return;
++              }
+               memcpy(cmd->odata, hdr + 1, sizeof(u32));
+               cmd->olen = sizeof(u32);
+               cmd->res = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch b/queue-5.16/arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch
new file mode 100644 (file)
index 0000000..388990c
--- /dev/null
@@ -0,0 +1,100 @@
+From 34ba07859ba8c4301fd304221639d1649d03d7ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 16:28:43 +0100
+Subject: ARM: 9159/1: decompressor: Avoid UNPREDICTABLE NOP encoding
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit a92882a4d270fbcc021ee6848de5e48b7f0d27f3 ]
+
+In the decompressor's head.S we need to start with an instruction that
+is some kind of NOP, but also mimics as the PE/COFF header, when the
+kernel is linked as an UEFI application. The clever solution here is
+"tstne r0, #0x4d000", which in the worst case just clobbers the
+condition flags, and bears the magic "MZ" signature in the lowest 16 bits.
+
+However the encoding used (0x13105a4d) is actually not valid, since bits
+[15:12] are supposed to be 0 (written as "(0)" in the ARM ARM).
+Violating this is UNPREDICTABLE, and *can* trigger an UNDEFINED
+exception. Common Cortex cores seem to ignore those bits, but QEMU
+chooses to trap, so the code goes fishing because of a missing exception
+handler at this point. We are just saved by the fact that commonly (with
+-kernel or when running from U-Boot) the "Z" bit is set, so the
+instruction is never executed. See [0] for more details.
+
+To make things more robust and avoid UNPREDICTABLE behaviour in the
+kernel code, lets replace this with a "two-instruction NOP":
+The first instruction is an exclusive OR, the effect of which the second
+instruction reverts. This does not leave any trace, neither in a
+register nor in the condition flags. Also it's a perfectly valid
+encoding. Kudos to Peter Maydell for coming up with this gem.
+
+[0] https://lore.kernel.org/qemu-devel/YTPIdbUCmwagL5%2FD@os.inf.tu-dresden.de/T/
+
+Link: https://lore.kernel.org/linux-arm-kernel/20210908162617.104962-1-andre.przywara@arm.com/T/
+
+Fixes: 81a0bc39ea19 ("ARM: add UEFI stub support")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Reported-by: Adam Lackorzynski <adam@l4re.org>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/efi-header.S | 22 ++++++++++++++--------
+ arch/arm/boot/compressed/head.S       |  3 ++-
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm/boot/compressed/efi-header.S b/arch/arm/boot/compressed/efi-header.S
+index c0e7a745103e2..230030c130853 100644
+--- a/arch/arm/boot/compressed/efi-header.S
++++ b/arch/arm/boot/compressed/efi-header.S
+@@ -9,16 +9,22 @@
+ #include <linux/sizes.h>
+               .macro  __nop
+-#ifdef CONFIG_EFI_STUB
+-              @ This is almost but not quite a NOP, since it does clobber the
+-              @ condition flags. But it is the best we can do for EFI, since
+-              @ PE/COFF expects the magic string "MZ" at offset 0, while the
+-              @ ARM/Linux boot protocol expects an executable instruction
+-              @ there.
+-              .inst   MZ_MAGIC | (0x1310 << 16)       @ tstne r0, #0x4d000
+-#else
+  AR_CLASS(    mov     r0, r0          )
+   M_CLASS(    nop.w                   )
++              .endm
++
++              .macro __initial_nops
++#ifdef CONFIG_EFI_STUB
++              @ This is a two-instruction NOP, which happens to bear the
++              @ PE/COFF signature "MZ" in the first two bytes, so the kernel
++              @ is accepted as an EFI binary. Booting via the UEFI stub
++              @ will not execute those instructions, but the ARM/Linux
++              @ boot protocol does, so we need some NOPs here.
++              .inst   MZ_MAGIC | (0xe225 << 16)       @ eor r5, r5, 0x4d000
++              eor     r5, r5, 0x4d000                 @ undo previous insn
++#else
++              __nop
++              __nop
+ #endif
+               .endm
+diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
+index b1cb1972361b8..bf79f2f78d232 100644
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -203,7 +203,8 @@ start:
+                * were patching the initial instructions of the kernel, i.e
+                * had started to exploit this "patch area".
+                */
+-              .rept   7
++              __initial_nops
++              .rept   5
+               __nop
+               .endr
+ #ifndef CONFIG_THUMB2_KERNEL
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch b/queue-5.16/arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch
new file mode 100644 (file)
index 0000000..9f590f5
--- /dev/null
@@ -0,0 +1,51 @@
+From d2585474f0b3ba151854a337536e4b7152c3c0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 17:46:04 +0100
+Subject: ARM: dts: armada-38x: Add generic compatible to UART nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 62480772263ab6b52e758f2346c70a526abd1d28 ]
+
+Add generic compatible string "ns16550a" to serial port nodes of Armada
+38x.
+
+This makes it possible to use earlycon.
+
+Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-38x.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-38x.dtsi b/arch/arm/boot/dts/armada-38x.dtsi
+index 9b1a24cc5e91f..df3c8d1d8f641 100644
+--- a/arch/arm/boot/dts/armada-38x.dtsi
++++ b/arch/arm/boot/dts/armada-38x.dtsi
+@@ -168,7 +168,7 @@
+                       };
+                       uart0: serial@12000 {
+-                              compatible = "marvell,armada-38x-uart";
++                              compatible = "marvell,armada-38x-uart", "ns16550a";
+                               reg = <0x12000 0x100>;
+                               reg-shift = <2>;
+                               interrupts = <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>;
+@@ -178,7 +178,7 @@
+                       };
+                       uart1: serial@12100 {
+-                              compatible = "marvell,armada-38x-uart";
++                              compatible = "marvell,armada-38x-uart", "ns16550a";
+                               reg = <0x12100 0x100>;
+                               reg-shift = <2>;
+                               interrupts = <GIC_SPI 13 IRQ_TYPE_LEVEL_HIGH>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch b/queue-5.16/arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch
new file mode 100644 (file)
index 0000000..79d9eba
--- /dev/null
@@ -0,0 +1,65 @@
+From 2ace3fa938674c92305b84f04554ac72dfa839a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 01:43:34 +0100
+Subject: ARM: dts: gemini: NAS4220-B: fis-index-block with 128 KiB sectors
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+[ Upstream commit 4754eab7e5a78bdefe7a960c5c260c95ebbb5fa6 ]
+
+Steven Maddox reported in the OpenWrt bugzilla, that his
+RaidSonic IB-NAS4220-B was no longer booting with the new
+OpenWrt 21.02 (uses linux 5.10's device-tree). However, it was
+working with the previous OpenWrt 19.07 series (uses 4.14).
+
+|[    5.548038] No RedBoot partition table detected in 30000000.flash
+|[    5.618553] Searching for RedBoot partition table in 30000000.flash at offset 0x0
+|[    5.739093] No RedBoot partition table detected in 30000000.flash
+|...
+|[    7.039504] Waiting for root device /dev/mtdblock3...
+
+The provided bootlog shows that the RedBoot partition parser was
+looking for the partition table "at offset 0x0". Which is strange
+since the comment in the device-tree says it should be at 0xfe0000.
+
+Further digging on the internet led to a review site that took
+some useful PCB pictures of their review unit back in February 2009.
+Their picture shows a Spansion S29GL128N11TFI01 flash chip.
+
+>From Spansion's Datasheet:
+"S29GL128N: One hundred twenty-eight 64 Kword (128 Kbyte) sectors"
+Steven also provided a "cat /sys/class/mtd/mtd0/erasesize" from his
+unit: "131072".
+
+With the 128 KiB Sector/Erasesize in mind. This patch changes the
+fis-index-block property to (0xfe0000 / 0x20000) = 0x7f.
+
+Fixes: b5a923f8c739 ("ARM: dts: gemini: Switch to redboot partition parsing")
+Reported-by: Steven Maddox <s.maddox@lantizia.me.uk>
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Tested-by: Steven Maddox <s.maddox@lantizia.me.uk>
+Link: https://lore.kernel.org/r/20211206004334.4169408-1-linus.walleij@linaro.org'
+Bugzilla: https://bugs.openwrt.org/index.php?do=details&task_id=4137
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/gemini-nas4220b.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/gemini-nas4220b.dts b/arch/arm/boot/dts/gemini-nas4220b.dts
+index 13112a8a5dd88..6544c730340fa 100644
+--- a/arch/arm/boot/dts/gemini-nas4220b.dts
++++ b/arch/arm/boot/dts/gemini-nas4220b.dts
+@@ -84,7 +84,7 @@
+                       partitions {
+                               compatible = "redboot-fis";
+                               /* Eraseblock at 0xfe0000 */
+-                              fis-index-block = <0x1fc>;
++                              fis-index-block = <0x7f>;
+                       };
+               };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch b/queue-5.16/arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch
new file mode 100644 (file)
index 0000000..ca8161c
--- /dev/null
@@ -0,0 +1,141 @@
+From a1c6b033c4c5922902b1537654f0cd94f604d9d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 23:40:06 +0100
+Subject: ARM: dts: omap3-n900: Fix lp5523 for multi color
+
+From: Sicelo A. Mhlongo <absicsz@gmail.com>
+
+[ Upstream commit e9af026a3b24f59d7af4609f73e0ef60a4d6d516 ]
+
+Since the LED multicolor framework support was added in commit
+92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
+LEDs on this platform stopped working.
+
+Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
+Fixes: ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors")
+Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
+Signed-off-by: Sicelo A. Mhlongo <absicsz@gmail.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap3-n900.dts | 50 +++++++++++++++++++++++++-------
+ 1 file changed, 40 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/dts/omap3-n900.dts b/arch/arm/boot/dts/omap3-n900.dts
+index 32335d4ce478b..d40c3d2c4914e 100644
+--- a/arch/arm/boot/dts/omap3-n900.dts
++++ b/arch/arm/boot/dts/omap3-n900.dts
+@@ -8,6 +8,7 @@
+ #include "omap34xx.dtsi"
+ #include <dt-bindings/input/input.h>
++#include <dt-bindings/leds/common.h>
+ /*
+  * Default secure signed bootloader (Nokia X-Loader) does not enable L3 firewall
+@@ -630,63 +631,92 @@
+       };
+       lp5523: lp5523@32 {
++              #address-cells = <1>;
++              #size-cells = <0>;
+               compatible = "national,lp5523";
+               reg = <0x32>;
+               clock-mode = /bits/ 8 <0>; /* LP55XX_CLOCK_AUTO */
+-              enable-gpio = <&gpio2 9 GPIO_ACTIVE_HIGH>; /* 41 */
++              enable-gpios = <&gpio2 9 GPIO_ACTIVE_HIGH>; /* 41 */
+-              chan0 {
++              led@0 {
++                      reg = <0>;
+                       chan-name = "lp5523:kb1";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_WHITE>;
++                      function = LED_FUNCTION_KBD_BACKLIGHT;
+               };
+-              chan1 {
++              led@1 {
++                      reg = <1>;
+                       chan-name = "lp5523:kb2";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_WHITE>;
++                      function = LED_FUNCTION_KBD_BACKLIGHT;
+               };
+-              chan2 {
++              led@2 {
++                      reg = <2>;
+                       chan-name = "lp5523:kb3";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_WHITE>;
++                      function = LED_FUNCTION_KBD_BACKLIGHT;
+               };
+-              chan3 {
++              led@3 {
++                      reg = <3>;
+                       chan-name = "lp5523:kb4";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_WHITE>;
++                      function = LED_FUNCTION_KBD_BACKLIGHT;
+               };
+-              chan4 {
++              led@4 {
++                      reg = <4>;
+                       chan-name = "lp5523:b";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_BLUE>;
++                      function = LED_FUNCTION_STATUS;
+               };
+-              chan5 {
++              led@5 {
++                      reg = <5>;
+                       chan-name = "lp5523:g";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_GREEN>;
++                      function = LED_FUNCTION_STATUS;
+               };
+-              chan6 {
++              led@6 {
++                      reg = <6>;
+                       chan-name = "lp5523:r";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_RED>;
++                      function = LED_FUNCTION_STATUS;
+               };
+-              chan7 {
++              led@7 {
++                      reg = <7>;
+                       chan-name = "lp5523:kb5";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_WHITE>;
++                      function = LED_FUNCTION_KBD_BACKLIGHT;
+               };
+-              chan8 {
++              led@8 {
++                      reg = <8>;
+                       chan-name = "lp5523:kb6";
+                       led-cur = /bits/ 8 <50>;
+                       max-cur = /bits/ 8 <100>;
++                      color = <LED_COLOR_ID_WHITE>;
++                      function = LED_FUNCTION_KBD_BACKLIGHT;
+               };
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-dts-qcom-sdx55-fix-ipa-interconnect-definitions.patch b/queue-5.16/arm-dts-qcom-sdx55-fix-ipa-interconnect-definitions.patch
new file mode 100644 (file)
index 0000000..b8135ac
--- /dev/null
@@ -0,0 +1,47 @@
+From df24c8b55ea96e1219d22ee2f9183958bdbf6fe3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 16:31:22 -0600
+Subject: ARM: dts: qcom: sdx55: fix IPA interconnect definitions
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit c0d6316c238b1bd743108bd4b08eda364f47c7c9 ]
+
+The first two interconnects defined for IPA on the SDX55 SoC are
+really two parts of what should be represented as a single path
+between IPA and system memory.
+
+Fix this by combining the "memory-a" and "memory-b" interconnects
+into a single "memory" interconnect.
+
+Reported-by: David Heidelberg <david@ixit.cz>
+Tested-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-sdx55.dtsi | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-sdx55.dtsi b/arch/arm/boot/dts/qcom-sdx55.dtsi
+index 44526ad9d210b..eee2f63b9bbab 100644
+--- a/arch/arm/boot/dts/qcom-sdx55.dtsi
++++ b/arch/arm/boot/dts/qcom-sdx55.dtsi
+@@ -333,12 +333,10 @@
+                       clocks = <&rpmhcc RPMH_IPA_CLK>;
+                       clock-names = "core";
+-                      interconnects = <&system_noc MASTER_IPA &system_noc SLAVE_SNOC_MEM_NOC_GC>,
+-                                      <&mem_noc MASTER_SNOC_GC_MEM_NOC &mc_virt SLAVE_EBI_CH0>,
++                      interconnects = <&system_noc MASTER_IPA &mc_virt SLAVE_EBI_CH0>,
+                                       <&system_noc MASTER_IPA &system_noc SLAVE_OCIMEM>,
+                                       <&mem_noc MASTER_AMPSS_M0 &system_noc SLAVE_IPA_CFG>;
+-                      interconnect-names = "memory-a",
+-                                           "memory-b",
++                      interconnect-names = "memory",
+                                            "imem",
+                                            "config";
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch b/queue-5.16/arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch
new file mode 100644 (file)
index 0000000..06f2ce7
--- /dev/null
@@ -0,0 +1,44 @@
+From f3d432c227807485e64f3aa33b01b1af50eda1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jul 2021 11:44:02 +0800
+Subject: ARM: dts: stm32: fix dtbs_check warning on ili9341 dts binding on
+ stm32f429 disco
+
+From: Dillon Min <dillon.minfei@gmail.com>
+
+[ Upstream commit b046049e59dca5e5830dc75ed16acf7657a95161 ]
+
+Since the compatible string defined from ilitek,ili9341.yaml is
+"st,sf-tc240t-9370-t", "ilitek,ili9341"
+
+so, append "ilitek,ili9341" to avoid the below dtbs_check warning.
+
+arch/arm/boot/dts/stm32f429-disco.dt.yaml: display@1: compatible:
+['st,sf-tc240t-9370-t'] is too short
+
+Fixes: a726e2f000ec ("ARM: dts: stm32: enable ltdc binding with ili9341, gyro l3gd20 on stm32429-disco board")
+Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/stm32f429-disco.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32f429-disco.dts b/arch/arm/boot/dts/stm32f429-disco.dts
+index 075ac57d0bf4a..6435e099c6326 100644
+--- a/arch/arm/boot/dts/stm32f429-disco.dts
++++ b/arch/arm/boot/dts/stm32f429-disco.dts
+@@ -192,7 +192,7 @@
+       display: display@1{
+               /* Connect panel-ilitek-9341 to ltdc */
+-              compatible = "st,sf-tc240t-9370-t";
++              compatible = "st,sf-tc240t-9370-t", "ilitek,ili9341";
+               reg = <1>;
+               spi-3wire;
+               spi-max-frequency = <10000000>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch b/queue-5.16/arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch
new file mode 100644 (file)
index 0000000..56afc7d
--- /dev/null
@@ -0,0 +1,121 @@
+From 43ed4aa88c80e05fbe3bc499513696d39bb6202c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 16:19:33 +0200
+Subject: ARM: imx: rename DEBUG_IMX21_IMX27_UART to DEBUG_IMX27_UART
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit b0100bce4ff82ec1ccd3c1f3d339fd2df6a81784 ]
+
+Since commit 4b563a066611 ("ARM: imx: Remove imx21 support"), the config
+DEBUG_IMX21_IMX27_UART is really only debug support for IMX27.
+
+So, rename this option to DEBUG_IMX27_UART and adjust dependencies in
+Kconfig and rename the definitions to IMX27 as further clean-up.
+
+This issue was discovered with ./scripts/checkkconfigsymbols.py, which
+reported that DEBUG_IMX21_IMX27_UART depends on the non-existing config
+SOC_IMX21.
+
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig.debug            | 14 +++++++-------
+ arch/arm/include/debug/imx-uart.h | 18 +++++++++---------
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
+index 98436702e0c7e..644875d73ba15 100644
+--- a/arch/arm/Kconfig.debug
++++ b/arch/arm/Kconfig.debug
+@@ -410,12 +410,12 @@ choice
+                 Say Y here if you want kernel low-level debugging support
+                 on i.MX25.
+-      config DEBUG_IMX21_IMX27_UART
+-              bool "i.MX21 and i.MX27 Debug UART"
+-              depends on SOC_IMX21 || SOC_IMX27
++      config DEBUG_IMX27_UART
++              bool "i.MX27 Debug UART"
++              depends on SOC_IMX27
+               help
+                 Say Y here if you want kernel low-level debugging support
+-                on i.MX21 or i.MX27.
++                on i.MX27.
+       config DEBUG_IMX28_UART
+               bool "i.MX28 Debug UART"
+@@ -1481,7 +1481,7 @@ config DEBUG_IMX_UART_PORT
+       int "i.MX Debug UART Port Selection"
+       depends on DEBUG_IMX1_UART || \
+                  DEBUG_IMX25_UART || \
+-                 DEBUG_IMX21_IMX27_UART || \
++                 DEBUG_IMX27_UART || \
+                  DEBUG_IMX31_UART || \
+                  DEBUG_IMX35_UART || \
+                  DEBUG_IMX50_UART || \
+@@ -1540,12 +1540,12 @@ config DEBUG_LL_INCLUDE
+       default "debug/icedcc.S" if DEBUG_ICEDCC
+       default "debug/imx.S" if DEBUG_IMX1_UART || \
+                                DEBUG_IMX25_UART || \
+-                               DEBUG_IMX21_IMX27_UART || \
++                               DEBUG_IMX27_UART || \
+                                DEBUG_IMX31_UART || \
+                                DEBUG_IMX35_UART || \
+                                DEBUG_IMX50_UART || \
+                                DEBUG_IMX51_UART || \
+-                               DEBUG_IMX53_UART ||\
++                               DEBUG_IMX53_UART || \
+                                DEBUG_IMX6Q_UART || \
+                                DEBUG_IMX6SL_UART || \
+                                DEBUG_IMX6SX_UART || \
+diff --git a/arch/arm/include/debug/imx-uart.h b/arch/arm/include/debug/imx-uart.h
+index c8eb83d4b8964..3edbb3c5b42bf 100644
+--- a/arch/arm/include/debug/imx-uart.h
++++ b/arch/arm/include/debug/imx-uart.h
+@@ -11,13 +11,6 @@
+ #define IMX1_UART_BASE_ADDR(n)        IMX1_UART##n##_BASE_ADDR
+ #define IMX1_UART_BASE(n)     IMX1_UART_BASE_ADDR(n)
+-#define IMX21_UART1_BASE_ADDR 0x1000a000
+-#define IMX21_UART2_BASE_ADDR 0x1000b000
+-#define IMX21_UART3_BASE_ADDR 0x1000c000
+-#define IMX21_UART4_BASE_ADDR 0x1000d000
+-#define IMX21_UART_BASE_ADDR(n)       IMX21_UART##n##_BASE_ADDR
+-#define IMX21_UART_BASE(n)    IMX21_UART_BASE_ADDR(n)
+-
+ #define IMX25_UART1_BASE_ADDR 0x43f90000
+ #define IMX25_UART2_BASE_ADDR 0x43f94000
+ #define IMX25_UART3_BASE_ADDR 0x5000c000
+@@ -26,6 +19,13 @@
+ #define IMX25_UART_BASE_ADDR(n)       IMX25_UART##n##_BASE_ADDR
+ #define IMX25_UART_BASE(n)    IMX25_UART_BASE_ADDR(n)
++#define IMX27_UART1_BASE_ADDR 0x1000a000
++#define IMX27_UART2_BASE_ADDR 0x1000b000
++#define IMX27_UART3_BASE_ADDR 0x1000c000
++#define IMX27_UART4_BASE_ADDR 0x1000d000
++#define IMX27_UART_BASE_ADDR(n)       IMX27_UART##n##_BASE_ADDR
++#define IMX27_UART_BASE(n)    IMX27_UART_BASE_ADDR(n)
++
+ #define IMX31_UART1_BASE_ADDR 0x43f90000
+ #define IMX31_UART2_BASE_ADDR 0x43f94000
+ #define IMX31_UART3_BASE_ADDR 0x5000c000
+@@ -112,10 +112,10 @@
+ #ifdef CONFIG_DEBUG_IMX1_UART
+ #define UART_PADDR    IMX_DEBUG_UART_BASE(IMX1)
+-#elif defined(CONFIG_DEBUG_IMX21_IMX27_UART)
+-#define UART_PADDR    IMX_DEBUG_UART_BASE(IMX21)
+ #elif defined(CONFIG_DEBUG_IMX25_UART)
+ #define UART_PADDR    IMX_DEBUG_UART_BASE(IMX25)
++#elif defined(CONFIG_DEBUG_IMX27_UART)
++#define UART_PADDR    IMX_DEBUG_UART_BASE(IMX27)
+ #elif defined(CONFIG_DEBUG_IMX31_UART)
+ #define UART_PADDR    IMX_DEBUG_UART_BASE(IMX31)
+ #elif defined(CONFIG_DEBUG_IMX35_UART)
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch b/queue-5.16/arm-shmobile-rcar-gen2-add-missing-of_node_put.patch
new file mode 100644 (file)
index 0000000..80d0c14
--- /dev/null
@@ -0,0 +1,52 @@
+From c328a4e24d8bbc97b6f1b2a0b05232563abc0f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Oct 2021 21:45:03 -0400
+Subject: ARM: shmobile: rcar-gen2: Add missing of_node_put()
+
+From: Wan Jiabing <wanjiabing@vivo.com>
+
+[ Upstream commit 85744f2d938c5f3cfc44cb6533c157469634da93 ]
+
+Fix following coccicheck warning:
+./arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c:156:1-33: Function
+for_each_matching_node_and_match should have of_node_put() before break
+and goto.
+
+Early exits from for_each_matching_node_and_match() should decrement the
+node reference counter.
+
+Signed-off-by: Wan Jiabing <wanjiabing@vivo.com>
+Link: https://lore.kernel.org/r/20211018014503.7598-1-wanjiabing@vivo.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c b/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c
+index ee949255ced3f..09ef73b99dd86 100644
+--- a/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c
++++ b/arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c
+@@ -154,8 +154,10 @@ static int __init rcar_gen2_regulator_quirk(void)
+               return -ENODEV;
+       for_each_matching_node_and_match(np, rcar_gen2_quirk_match, &id) {
+-              if (!of_device_is_available(np))
++              if (!of_device_is_available(np)) {
++                      of_node_put(np);
+                       break;
++              }
+               ret = of_property_read_u32(np, "reg", &addr);
+               if (ret)        /* Skip invalid entry and continue */
+@@ -164,6 +166,7 @@ static int __init rcar_gen2_regulator_quirk(void)
+               quirk = kzalloc(sizeof(*quirk), GFP_KERNEL);
+               if (!quirk) {
+                       ret = -ENOMEM;
++                      of_node_put(np);
+                       goto err_mem;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch b/queue-5.16/arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch
new file mode 100644 (file)
index 0000000..262d182
--- /dev/null
@@ -0,0 +1,54 @@
+From 5515b846ae37c8aea8d5bdc21357b8aa1ca6132c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Dec 2021 16:47:35 -0800
+Subject: arm64: clear_page() shouldn't use DC ZVA when DCZID_EL0.DZP == 1
+
+From: Reiji Watanabe <reijiw@google.com>
+
+[ Upstream commit f0616abd4e67143b45b04b565839148458857347 ]
+
+Currently, clear_page() uses DC ZVA instruction unconditionally.  But it
+should make sure that DCZID_EL0.DZP, which indicates whether or not use
+of DC ZVA instruction is prohibited, is zero when using the instruction.
+Use STNP instead when DCZID_EL0.DZP == 1.
+
+Fixes: f27bb139c387 ("arm64: Miscellaneous library functions")
+Signed-off-by: Reiji Watanabe <reijiw@google.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/20211206004736.1520989-2-reijiw@google.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/lib/clear_page.S | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/arm64/lib/clear_page.S b/arch/arm64/lib/clear_page.S
+index b84b179edba3a..1fd5d790ab800 100644
+--- a/arch/arm64/lib/clear_page.S
++++ b/arch/arm64/lib/clear_page.S
+@@ -16,6 +16,7 @@
+  */
+ SYM_FUNC_START_PI(clear_page)
+       mrs     x1, dczid_el0
++      tbnz    x1, #4, 2f      /* Branch if DC ZVA is prohibited */
+       and     w1, w1, #0xf
+       mov     x2, #4
+       lsl     x1, x2, x1
+@@ -25,5 +26,14 @@ SYM_FUNC_START_PI(clear_page)
+       tst     x0, #(PAGE_SIZE - 1)
+       b.ne    1b
+       ret
++
++2:    stnp    xzr, xzr, [x0]
++      stnp    xzr, xzr, [x0, #16]
++      stnp    xzr, xzr, [x0, #32]
++      stnp    xzr, xzr, [x0, #48]
++      add     x0, x0, #64
++      tst     x0, #(PAGE_SIZE - 1)
++      b.ne    2b
++      ret
+ SYM_FUNC_END_PI(clear_page)
+ EXPORT_SYMBOL(clear_page)
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch b/queue-5.16/arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch
new file mode 100644 (file)
index 0000000..f5a7b0c
--- /dev/null
@@ -0,0 +1,38 @@
+From d51f43b0553fc05fb97426d82990974195db8405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 20:28:13 +0200
+Subject: arm64: dts: amlogic: Fix SPI NOR flash node name for ODROID N2/N2+
+
+From: Alexander Stein <alexander.stein@mailbox.org>
+
+[ Upstream commit 95d35256b564aca33fb661eac77dc94bfcffc8df ]
+
+Fix the schema warning: "spi-flash@0: $nodename:0: 'spi-flash@0' does
+ not match '^flash(@.*)?$'" from jedec,spi-nor.yaml
+
+Fixes: a084eaf3096c ("arm64: dts: meson-g12b-odroid-n2: add SPIFC controller node")
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Alexander Stein <alexander.stein@mailbox.org>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20211026182813.900775-3-alexander.stein@mailbox.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi
+index e8a00a2f88128..3e968b2441918 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi
+@@ -609,7 +609,7 @@
+       pinctrl-0 = <&nor_pins>;
+       pinctrl-names = "default";
+-      mx25u64: spi-flash@0 {
++      mx25u64: flash@0 {
+               #address-cells = <1>;
+               #size-cells = <1>;
+               compatible = "mxicy,mx25u6435f", "jedec,spi-nor";
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch b/queue-5.16/arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch
new file mode 100644 (file)
index 0000000..2419f2a
--- /dev/null
@@ -0,0 +1,43 @@
+From be8402bf86801d2141aec359c6107a069ad0fc63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 20:28:12 +0200
+Subject: arm64: dts: amlogic: meson-g12: Fix GPU operating point table node
+ name
+
+From: Alexander Stein <alexander.stein@mailbox.org>
+
+[ Upstream commit bb98a6fd0b0e227cefb2ba91cea2b55455f203b7 ]
+
+Starting with commit 94274f20f6bf ("dt-bindings: opp: Convert to DT
+schema") the opp node name has a mandatory pattern. This change
+fixes the dtbs_check warning:
+gpu-opp-table: $nodename:0: 'gpu-opp-table' does not match
+'^opp-table(-[a-z0-9]+)?$'
+Put the 'gpu' part at the end to match the pattern.
+
+Fixes: 916a0edc43f0 ("arm64: dts: amlogic: meson-g12: add the Mali OPP table and use DVFS")
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Alexander Stein <alexander.stein@mailbox.org>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20211026182813.900775-2-alexander.stein@mailbox.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+index 00c6f53290d43..428449d98c0ae 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
+@@ -58,7 +58,7 @@
+               secure-monitor = <&sm>;
+       };
+-      gpu_opp_table: gpu-opp-table {
++      gpu_opp_table: opp-table-gpu {
+               compatible = "operating-points-v2";
+               opp-124999998 {
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch b/queue-5.16/arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch
new file mode 100644 (file)
index 0000000..52b79e3
--- /dev/null
@@ -0,0 +1,54 @@
+From d229ea213c498b5dbf6d01891996c2e8280139d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 03:32:38 -0600
+Subject: arm64: dts: ls1028a-qds: move rtc node to the correct i2c bus
+
+From: Biwen Li <biwen.li@nxp.com>
+
+[ Upstream commit cbe9d948eadfe352ad45495a7cc5bf20a1b29d90 ]
+
+The i2c rtc is on i2c2 bus not i2c1 bus, so fix it in dts.
+
+Signed-off-by: Biwen Li <biwen.li@nxp.com>
+Signed-off-by: Li Yang <leoyang.lil@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts b/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts
+index 6e2a1da662fb4..4597848598df0 100644
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a-qds.dts
+@@ -272,11 +272,6 @@
+                               vcc-supply = <&sb_3v3>;
+                       };
+-                      rtc@51 {
+-                              compatible = "nxp,pcf2129";
+-                              reg = <0x51>;
+-                      };
+-
+                       eeprom@56 {
+                               compatible = "atmel,24c512";
+                               reg = <0x56>;
+@@ -318,6 +313,15 @@
+ };
++&i2c1 {
++      status = "okay";
++
++      rtc@51 {
++              compatible = "nxp,pcf2129";
++              reg = <0x51>;
++      };
++};
++
+ &enetc_port1 {
+       phy-handle = <&qds_phy1>;
+       phy-mode = "rgmii-id";
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch b/queue-5.16/arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch
new file mode 100644 (file)
index 0000000..1215a9e
--- /dev/null
@@ -0,0 +1,48 @@
+From 08a293e060e4d30af85af45db16f37652bf21f32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 14:44:02 +0100
+Subject: arm64: dts: marvell: cn9130: add GPIO and SPI aliases
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+[ Upstream commit effd42600b987c1e95f946b14fefc1c7639e7439 ]
+
+CN9130 has one CP115 built in, which like the CP110 has 2 GPIO and 2 SPI
+controllers built-in.
+
+However, unlike the Armada 7k and 8k the SoC DTSI doesn't add the required
+aliases as both the Orion SPI driver and MVEBU GPIO drivers require the
+aliases to be present.
+
+So add the required aliases for GPIO and SPI controllers.
+
+Fixes: 6b8970bd8d7a ("arm64: dts: marvell: Add support for Marvell CN9130 SoC support")
+
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/marvell/cn9130.dtsi | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/marvell/cn9130.dtsi b/arch/arm64/boot/dts/marvell/cn9130.dtsi
+index a2b7e5ec979d3..71769ac7f0585 100644
+--- a/arch/arm64/boot/dts/marvell/cn9130.dtsi
++++ b/arch/arm64/boot/dts/marvell/cn9130.dtsi
+@@ -11,6 +11,13 @@
+       model = "Marvell Armada CN9130 SoC";
+       compatible = "marvell,cn9130", "marvell,armada-ap807-quad",
+                    "marvell,armada-ap807";
++
++      aliases {
++              gpio1 = &cp0_gpio1;
++              gpio2 = &cp0_gpio2;
++              spi1 = &cp0_spi0;
++              spi2 = &cp0_spi1;
++      };
+ };
+ /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch b/queue-5.16/arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch
new file mode 100644 (file)
index 0000000..f658e3d
--- /dev/null
@@ -0,0 +1,46 @@
+From 95d1737aad039cbd4852dfd296dc56b18c7a2096 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 14:44:03 +0100
+Subject: arm64: dts: marvell: cn9130: enable CP0 GPIO controllers
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+[ Upstream commit 0734f8311ce72c9041e5142769eff2083889c172 ]
+
+CN9130 has a built-in CP115 which has 2 GPIO controllers, but unlike in
+Armada 7k and 8k both are left disabled by the SoC DTSI.
+
+This first of all makes no sense as they are always present due to being
+SoC built-in and its an issue as boards like CN9130-CRB use the CPO GPIO2
+pins for regulators and SD card support without enabling them first.
+
+So, enable both of them like Armada 7k and 8k do.
+
+Fixes: 6b8970bd8d7a ("arm64: dts: marvell: Add support for Marvell CN9130 SoC support")
+
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/marvell/cn9130.dtsi | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/marvell/cn9130.dtsi b/arch/arm64/boot/dts/marvell/cn9130.dtsi
+index 71769ac7f0585..327b04134134f 100644
+--- a/arch/arm64/boot/dts/marvell/cn9130.dtsi
++++ b/arch/arm64/boot/dts/marvell/cn9130.dtsi
+@@ -42,3 +42,11 @@
+ #undef CP11X_PCIE0_BASE
+ #undef CP11X_PCIE1_BASE
+ #undef CP11X_PCIE2_BASE
++
++&cp0_gpio1 {
++      status = "okay";
++};
++
++&cp0_gpio2 {
++      status = "okay";
++};
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch b/queue-5.16/arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch
new file mode 100644 (file)
index 0000000..23f9f5a
--- /dev/null
@@ -0,0 +1,46 @@
+From dd3ab837cb048f7fffc2de43809b66d7f1b87c6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 05:25:20 +0000
+Subject: arm64: dts: meson-gxbb-wetek: fix HDMI in early boot
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit 8182a35868db5f053111d5d9d4da8fcb3f99259d ]
+
+Mark the VDDIO_AO18 regulator always-on and set hdmi-supply for the hdmi_tx
+node to ensure HDMI is powered in the early stages of boot.
+
+Fixes: fb72c03e0e32 ("ARM64: dts: meson-gxbb-wetek: add a wetek specific dtsi to cleanup hub and play2")
+
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20211012052522.30873-2-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi
+index a350fee1264d7..8e2af986cebaf 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi
+@@ -64,6 +64,7 @@
+               regulator-name = "VDDIO_AO18";
+               regulator-min-microvolt = <1800000>;
+               regulator-max-microvolt = <1800000>;
++              regulator-always-on;
+       };
+       vcc_3v3: regulator-vcc_3v3 {
+@@ -161,6 +162,7 @@
+       status = "okay";
+       pinctrl-0 = <&hdmi_hpd_pins>, <&hdmi_i2c_pins>;
+       pinctrl-names = "default";
++      hdmi-supply = <&vddio_ao18>;
+ };
+ &hdmi_tx_tmds_port {
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch b/queue-5.16/arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch
new file mode 100644 (file)
index 0000000..e16f99e
--- /dev/null
@@ -0,0 +1,39 @@
+From 08ea4f7a0b04b7c138fbb7f7941b18cdce32fa3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 05:25:21 +0000
+Subject: arm64: dts: meson-gxbb-wetek: fix missing GPIO binding
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit c019abb2feba3cbbd7cf7178f8e6499c4fa6fced ]
+
+The absence of this binding appears to be harmless in Linux but it breaks
+Ethernet support in mainline u-boot. So add the binding (which is present
+in all other u-boot supported GXBB device-trees).
+
+Fixes: fb72c03e0e32 ("ARM64: dts: meson-gxbb-wetek: add a wetek specific dtsi to cleanup hub and play2")
+
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20211012052522.30873-3-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi
+index 8e2af986cebaf..a4d34398da358 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-gxbb-wetek.dtsi
+@@ -6,6 +6,7 @@
+  */
+ #include "meson-gxbb.dtsi"
++#include <dt-bindings/gpio/gpio.h>
+ / {
+       aliases {
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-c630-fix-soundcard-setup.patch b/queue-5.16/arm64-dts-qcom-c630-fix-soundcard-setup.patch
new file mode 100644 (file)
index 0000000..bb0e789
--- /dev/null
@@ -0,0 +1,89 @@
+From 5806b52d74e1c45070a8ed106a868fd9f49eabcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 17:53:41 +0000
+Subject: arm64: dts: qcom: c630: Fix soundcard setup
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit c02b360ca67ebeb9de07b47b2fe53f964c2561d1 ]
+
+Currently Soundcard has 1 rx device for headset and SoundWire Speaker Playback.
+
+This setup has issues, ex if we try to play on headset the audio stream is
+also sent to SoundWire Speakers and we will hear sound in both headsets and speakers.
+
+Make a separate device for Speakers and Headset so that the streams are
+different and handled properly.
+
+Fixes: 45021d35fcb2 ("arm64: dts: qcom: c630: Enable audio support")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211209175342.20386-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
+index d6b2ba4396f68..2e882a977e2c4 100644
+--- a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
++++ b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
+@@ -523,6 +523,10 @@
+       dai@1 {
+               reg = <1>;
+       };
++
++      dai@2 {
++              reg = <2>;
++      };
+ };
+ &sound {
+@@ -535,6 +539,7 @@
+               "SpkrLeft IN", "SPK1 OUT",
+               "SpkrRight IN", "SPK2 OUT",
+               "MM_DL1",  "MultiMedia1 Playback",
++              "MM_DL3",  "MultiMedia3 Playback",
+               "MultiMedia2 Capture", "MM_UL2";
+       mm1-dai-link {
+@@ -551,6 +556,13 @@
+               };
+       };
++      mm3-dai-link {
++              link-name = "MultiMedia3";
++              cpu {
++                      sound-dai = <&q6asmdai  MSM_FRONTEND_DAI_MULTIMEDIA3>;
++              };
++      };
++
+       slim-dai-link {
+               link-name = "SLIM Playback";
+               cpu {
+@@ -580,6 +592,21 @@
+                       sound-dai = <&wcd9340 1>;
+               };
+       };
++
++      slim-wcd-dai-link {
++              link-name = "SLIM WCD Playback";
++              cpu {
++                      sound-dai = <&q6afedai SLIMBUS_1_RX>;
++              };
++
++              platform {
++                      sound-dai = <&q6routing>;
++              };
++
++              codec {
++                      sound-dai =  <&wcd9340 2>;
++              };
++      };
+ };
+ &tlmm {
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch b/queue-5.16/arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch
new file mode 100644 (file)
index 0000000..8230519
--- /dev/null
@@ -0,0 +1,41 @@
+From 3af206c5e3e5e81d8ca1723f36c5c82f3e0d9ad2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 09:27:10 +0200
+Subject: arm64: dts: qcom: ipq6018: Fix gpio-ranges property
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit 72cb4c48a46a7cfa58eb5842c0d3672ddd5bd9ad ]
+
+There must be three parameters in gpio-ranges property. Fixes this not
+very helpful error message:
+
+  OF: /soc/pinctrl@1000000: (null) = 3 found 3
+
+Fixes: 1e8277854b49 ("arm64: dts: Add ipq6018 SoC and CP01 board support")
+Cc: Sricharan R <sricharan@codeaurora.org>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/8a744cfd96aff5754bfdcf7298d208ddca5b319a.1638862030.git.baruch@tkos.co.il
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq6018.dtsi b/arch/arm64/boot/dts/qcom/ipq6018.dtsi
+index 933b56103a464..66ec5615651d4 100644
+--- a/arch/arm64/boot/dts/qcom/ipq6018.dtsi
++++ b/arch/arm64/boot/dts/qcom/ipq6018.dtsi
+@@ -220,7 +220,7 @@
+                       interrupts = <GIC_SPI 208 IRQ_TYPE_LEVEL_HIGH>;
+                       gpio-controller;
+                       #gpio-cells = <2>;
+-                      gpio-ranges = <&tlmm 0 80>;
++                      gpio-ranges = <&tlmm 0 0 80>;
+                       interrupt-controller;
+                       #interrupt-cells = <2>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch b/queue-5.16/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch
new file mode 100644 (file)
index 0000000..f5fd4e7
--- /dev/null
@@ -0,0 +1,40 @@
+From b9db3ba01a9681538cf3de5f7ae6e066b58c56f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 05:05:59 +0300
+Subject: arm64: dts: qcom: msm8916: fix MMC controller aliases
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit b0293c19d42f6d6951c2fab9a47fed50baf2c14d ]
+
+Change sdhcN aliases to mmcN to make them actually work. Currently the
+board uses non-standard aliases sdhcN, which do not work, resulting in
+mmc0 and mmc1 hosts randomly changing indices between boots.
+
+Fixes: c4da5a561627 ("arm64: dts: qcom: Add msm8916 sdhci configuration nodes")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211201020559.1611890-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index c1c42f26b61e0..8be601275e9b4 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -19,8 +19,8 @@
+       #size-cells = <2>;
+       aliases {
+-              sdhc1 = &sdhc_1; /* SDC1 eMMC slot */
+-              sdhc2 = &sdhc_2; /* SDC2 SD card slot */
++              mmc0 = &sdhc_1; /* SDC1 eMMC slot */
++              mmc1 = &sdhc_2; /* SDC2 SD card slot */
+       };
+       chosen { };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-sc7280-fix-incorrect-clock-name.patch b/queue-5.16/arm64-dts-qcom-sc7280-fix-incorrect-clock-name.patch
new file mode 100644 (file)
index 0000000..d984978
--- /dev/null
@@ -0,0 +1,38 @@
+From 5e365e0dc679da71c135492b55a662dd8f7d27d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 16:31:46 +0530
+Subject: arm64: dts: qcom: sc7280: Fix incorrect clock name
+
+From: Prasad Malisetty <pmaliset@codeaurora.org>
+
+[ Upstream commit fa09b2248714c64644576d8064e9bd292a504a0e ]
+
+Replace pcie_1_pipe-clk clock name with pcie_1_pipe_clk
+To match with dt binding.
+
+Fixes: ab7772de8612 ("arm64: dts: qcom: SC7280: Add rpmhcc clock controller node")
+Signed-off-by: Prasad Malisetty <pmaliset@codeaurora.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/1637060508-30375-2-git-send-email-pmaliset@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+index 365a2e04e285b..cb94b877d6246 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+@@ -576,7 +576,7 @@
+                                <&rpmhcc RPMH_CXO_CLK_A>, <&sleep_clk>,
+                                <0>, <0>, <0>, <0>, <0>, <0>;
+                       clock-names = "bi_tcxo", "bi_tcxo_ao", "sleep_clk",
+-                                    "pcie_0_pipe_clk", "pcie_1_pipe-clk",
++                                    "pcie_0_pipe_clk", "pcie_1_pipe_clk",
+                                     "ufs_phy_rx_symbol_0_clk", "ufs_phy_rx_symbol_1_clk",
+                                     "ufs_phy_tx_symbol_0_clk",
+                                     "usb3_phy_wrapper_gcc_usb30_pipe_clk";
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-sc7280-fix-interrupt-map-parent-addre.patch b/queue-5.16/arm64-dts-qcom-sc7280-fix-interrupt-map-parent-addre.patch
new file mode 100644 (file)
index 0000000..11f04ed
--- /dev/null
@@ -0,0 +1,44 @@
+From 8d9ac19f8996dd3008cb95d69232a9b387c0d178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 16:31:48 +0530
+Subject: arm64: dts: qcom: sc7280: Fix 'interrupt-map' parent address cells
+
+From: Prasad Malisetty <pmaliset@codeaurora.org>
+
+[ Upstream commit 66b788133030f0c69a0ecc7f72f7939b119c9a69 ]
+
+Update interrupt-map parent address cells for sc7280
+Similar to existing Qcom SoCs.
+
+Fixes: 92e0ee9f8 ("arm64: dts: qcom: sc7280: Add PCIe and PHY related nodes")
+Signed-off-by: Prasad Malisetty <pmaliset@codeaurora.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/1637060508-30375-4-git-send-email-pmaliset@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+index cb94b877d6246..6e27a1beaa33a 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+@@ -1592,10 +1592,10 @@
+                       interrupt-names = "msi";
+                       #interrupt-cells = <1>;
+                       interrupt-map-mask = <0 0 0 0x7>;
+-                      interrupt-map = <0 0 0 1 &intc 0 434 IRQ_TYPE_LEVEL_HIGH>,
+-                                      <0 0 0 2 &intc 0 435 IRQ_TYPE_LEVEL_HIGH>,
+-                                      <0 0 0 3 &intc 0 438 IRQ_TYPE_LEVEL_HIGH>,
+-                                      <0 0 0 4 &intc 0 439 IRQ_TYPE_LEVEL_HIGH>;
++                      interrupt-map = <0 0 0 1 &intc 0 0 0 434 IRQ_TYPE_LEVEL_HIGH>,
++                                      <0 0 0 2 &intc 0 0 0 435 IRQ_TYPE_LEVEL_HIGH>,
++                                      <0 0 0 3 &intc 0 0 0 438 IRQ_TYPE_LEVEL_HIGH>,
++                                      <0 0 0 4 &intc 0 0 0 439 IRQ_TYPE_LEVEL_HIGH>;
+                       clocks = <&gcc GCC_PCIE_1_PIPE_CLK>,
+                                <&gcc GCC_PCIE_1_PIPE_CLK_SRC>,
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-sm-68-350-use-interrupts-extended-wit.patch b/queue-5.16/arm64-dts-qcom-sm-68-350-use-interrupts-extended-wit.patch
new file mode 100644 (file)
index 0000000..00e1c22
--- /dev/null
@@ -0,0 +1,69 @@
+From 41701e5e95ee78be1b86be74988412a00aed3c76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Nov 2021 02:27:44 +0100
+Subject: arm64: dts: qcom: sm[68]350: Use interrupts-extended with pdc
+ interrupts
+
+From: Konrad Dybcio <konrad.dybcio@somainline.org>
+
+[ Upstream commit 9e7f7b65c7f04c5cfda97d6bd0d452a49e60f24e ]
+
+Using interrupts = <&pdc X Y> makes the interrupt framework interpret this as
+the &pdc-nth range of the main interrupt controller (GIC). Fix it.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211114012755.112226-5-konrad.dybcio@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm6350.dtsi | 4 ++--
+ arch/arm64/boot/dts/qcom/sm8350.dtsi | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm6350.dtsi b/arch/arm64/boot/dts/qcom/sm6350.dtsi
+index 973e18fe3b674..cd55797facf69 100644
+--- a/arch/arm64/boot/dts/qcom/sm6350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm6350.dtsi
+@@ -631,7 +631,7 @@
+                       reg = <0 0x0c263000 0 0x1ff>, /* TM */
+                             <0 0x0c222000 0 0x8>; /* SROT */
+                       #qcom,sensors = <16>;
+-                      interrupts = <&pdc 26 IRQ_TYPE_LEVEL_HIGH>,
++                      interrupts-extended = <&pdc 26 IRQ_TYPE_LEVEL_HIGH>,
+                                    <&pdc 28 IRQ_TYPE_LEVEL_HIGH>;
+                       interrupt-names = "uplow", "critical";
+                       #thermal-sensor-cells = <1>;
+@@ -642,7 +642,7 @@
+                       reg = <0 0x0c265000 0 0x1ff>, /* TM */
+                             <0 0x0c223000 0 0x8>; /* SROT */
+                       #qcom,sensors = <16>;
+-                      interrupts = <&pdc 27 IRQ_TYPE_LEVEL_HIGH>,
++                      interrupts-extended = <&pdc 27 IRQ_TYPE_LEVEL_HIGH>,
+                                    <&pdc 29 IRQ_TYPE_LEVEL_HIGH>;
+                       interrupt-names = "uplow", "critical";
+                       #thermal-sensor-cells = <1>;
+diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+index d134280e29390..a8c040c564096 100644
+--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+@@ -910,7 +910,7 @@
+                       reg = <0 0x0c263000 0 0x1ff>, /* TM */
+                             <0 0x0c222000 0 0x8>; /* SROT */
+                       #qcom,sensors = <15>;
+-                      interrupts = <&pdc 26 IRQ_TYPE_LEVEL_HIGH>,
++                      interrupts-extended = <&pdc 26 IRQ_TYPE_LEVEL_HIGH>,
+                                    <&pdc 28 IRQ_TYPE_LEVEL_HIGH>;
+                       interrupt-names = "uplow", "critical";
+                       #thermal-sensor-cells = <1>;
+@@ -921,7 +921,7 @@
+                       reg = <0 0x0c265000 0 0x1ff>, /* TM */
+                             <0 0x0c223000 0 0x8>; /* SROT */
+                       #qcom,sensors = <14>;
+-                      interrupts = <&pdc 27 IRQ_TYPE_LEVEL_HIGH>,
++                      interrupts-extended = <&pdc 27 IRQ_TYPE_LEVEL_HIGH>,
+                                    <&pdc 29 IRQ_TYPE_LEVEL_HIGH>;
+                       interrupt-names = "uplow", "critical";
+                       #thermal-sensor-cells = <1>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-qcom-sm8350-shorten-camera-thermal-bottom-.patch b/queue-5.16/arm64-dts-qcom-sm8350-shorten-camera-thermal-bottom-.patch
new file mode 100644 (file)
index 0000000..1774a92
--- /dev/null
@@ -0,0 +1,37 @@
+From 039981d09b421ad66e9707eed447295c0c686646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Nov 2021 02:27:45 +0100
+Subject: arm64: dts: qcom: sm8350: Shorten camera-thermal-bottom name
+
+From: Konrad Dybcio <konrad.dybcio@somainline.org>
+
+[ Upstream commit f52dd33943ca5f84ae76890f352f6d9e12512c3f ]
+
+Thermal zone names should not be longer than 20 names, which is indicated by
+a message at boot. Change "camera-thermal-bottom" to "cam-thermal-bottom" to
+fix it.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211114012755.112226-6-konrad.dybcio@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8350.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+index a8c040c564096..c13858cf50dd2 100644
+--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+@@ -2447,7 +2447,7 @@
+                       };
+               };
+-              camera-thermal-bottom {
++              cam-thermal-bottom {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-renesas-cat875-add-rx-tx-delays.patch b/queue-5.16/arm64-dts-renesas-cat875-add-rx-tx-delays.patch
new file mode 100644 (file)
index 0000000..3e82d7d
--- /dev/null
@@ -0,0 +1,42 @@
+From d392cd1439ede58a9d4787625324be87ebdc3b69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 14:28:30 +0000
+Subject: arm64: dts: renesas: cat875: Add rx/tx delays
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit e1a9faddffe7e555304dc2e3284c84fbee0679ee ]
+
+The CAT875 sub board from Silicon Linux uses a Realtek PHY.
+
+The phy driver commit bbc4d71d63549bcd003 ("net: phy: realtek: fix
+rtl8211e rx/tx delay config") introduced NFS mount failures.  Now it
+needs both rx/tx delays for the NFS mount to work.
+
+This patch fixes the NFS mount failure issue by adding "rgmii-id" mode
+to the avb device node.
+
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Fixes: bbc4d71d63549bcd ("net: phy: realtek: fix rtl8211e rx/tx delay config")
+Link: https://lore.kernel.org/r/20211115142830.12651-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/cat875.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/renesas/cat875.dtsi b/arch/arm64/boot/dts/renesas/cat875.dtsi
+index a69d24e9c61db..8c9da8b4bd60b 100644
+--- a/arch/arm64/boot/dts/renesas/cat875.dtsi
++++ b/arch/arm64/boot/dts/renesas/cat875.dtsi
+@@ -18,6 +18,7 @@
+       pinctrl-names = "default";
+       renesas,no-ether-link;
+       phy-handle = <&phy0>;
++      phy-mode = "rgmii-id";
+       status = "okay";
+       phy0: ethernet-phy@0 {
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-renesas-fix-thermal-bindings.patch b/queue-5.16/arm64-dts-renesas-fix-thermal-bindings.patch
new file mode 100644 (file)
index 0000000..c22725a
--- /dev/null
@@ -0,0 +1,327 @@
+From 6a6ee3a0711ecb6db06010e529d4431a14ead816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 22:40:25 +0000
+Subject: arm64: dts: renesas: Fix thermal bindings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+[ Upstream commit 82ce79391d0ec25ec8aaae3c0617b71048ff0836 ]
+
+The binding node names for the thermal zones are not successfully
+validated by the dt-schemas.
+
+Fix the validation by changing from sensor-thermalN or thermal-sensor-N
+to sensorN-thermal.  Provide node labels of the form sensorN_thermal to
+ensure consistency with the other platform implementations.
+
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/20211104224033.3997504-1-kieran.bingham+renesas@ideasonboard.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a774a1.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a774b1.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a774e1.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a77951.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a77960.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a77961.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a77965.dtsi |  6 +++---
+ arch/arm64/boot/dts/renesas/r8a77980.dtsi |  4 ++--
+ arch/arm64/boot/dts/renesas/r8a779a0.dtsi | 10 +++++-----
+ 9 files changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a774a1.dtsi b/arch/arm64/boot/dts/renesas/r8a774a1.dtsi
+index 6f4fffacfca21..e70aa5a087402 100644
+--- a/arch/arm64/boot/dts/renesas/r8a774a1.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a774a1.dtsi
+@@ -2784,7 +2784,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2799,7 +2799,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -2814,7 +2814,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a774b1.dtsi b/arch/arm64/boot/dts/renesas/r8a774b1.dtsi
+index 0f7bdfc90a0dc..6c5694fa66900 100644
+--- a/arch/arm64/boot/dts/renesas/r8a774b1.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a774b1.dtsi
+@@ -2629,7 +2629,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2644,7 +2644,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -2659,7 +2659,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a774e1.dtsi b/arch/arm64/boot/dts/renesas/r8a774e1.dtsi
+index 379a1300272ba..62209ab6deb9a 100644
+--- a/arch/arm64/boot/dts/renesas/r8a774e1.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a774e1.dtsi
+@@ -2904,7 +2904,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2919,7 +2919,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -2934,7 +2934,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a77951.dtsi b/arch/arm64/boot/dts/renesas/r8a77951.dtsi
+index 1768a3e6bb8da..193d81be40fc4 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77951.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77951.dtsi
+@@ -3375,7 +3375,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -3390,7 +3390,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -3405,7 +3405,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a77960.dtsi b/arch/arm64/boot/dts/renesas/r8a77960.dtsi
+index 2bd8169735d35..b526e4f0ee6a8 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77960.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77960.dtsi
+@@ -2972,7 +2972,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2987,7 +2987,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -3002,7 +3002,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a77961.dtsi b/arch/arm64/boot/dts/renesas/r8a77961.dtsi
+index 86d59e7e1a876..b1a00f5df4311 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77961.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77961.dtsi
+@@ -2730,7 +2730,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2745,7 +2745,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -2760,7 +2760,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a77965.dtsi b/arch/arm64/boot/dts/renesas/r8a77965.dtsi
+index 08df75606430b..f9679a4dd85fa 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77965.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77965.dtsi
+@@ -2784,7 +2784,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2799,7 +2799,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -2814,7 +2814,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a77980.dtsi b/arch/arm64/boot/dts/renesas/r8a77980.dtsi
+index 6347d15e66b64..21fe602bd25af 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77980.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77980.dtsi
+@@ -1580,7 +1580,7 @@
+       };
+       thermal-zones {
+-              thermal-sensor-1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -1599,7 +1599,7 @@
+                       };
+               };
+-              thermal-sensor-2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+diff --git a/arch/arm64/boot/dts/renesas/r8a779a0.dtsi b/arch/arm64/boot/dts/renesas/r8a779a0.dtsi
+index 43bf2cbfbd8f7..770a23b769d86 100644
+--- a/arch/arm64/boot/dts/renesas/r8a779a0.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a779a0.dtsi
+@@ -2607,7 +2607,7 @@
+       };
+       thermal-zones {
+-              sensor_thermal1: sensor-thermal1 {
++              sensor1_thermal: sensor1-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 0>;
+@@ -2621,7 +2621,7 @@
+                       };
+               };
+-              sensor_thermal2: sensor-thermal2 {
++              sensor2_thermal: sensor2-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 1>;
+@@ -2635,7 +2635,7 @@
+                       };
+               };
+-              sensor_thermal3: sensor-thermal3 {
++              sensor3_thermal: sensor3-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 2>;
+@@ -2649,7 +2649,7 @@
+                       };
+               };
+-              sensor_thermal4: sensor-thermal4 {
++              sensor4_thermal: sensor4-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 3>;
+@@ -2663,7 +2663,7 @@
+                       };
+               };
+-              sensor_thermal5: sensor-thermal5 {
++              sensor5_thermal: sensor5-thermal {
+                       polling-delay-passive = <250>;
+                       polling-delay = <1000>;
+                       thermal-sensors = <&tsc 4>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-rockchip-fix-bluetooth-on-rock-pi-4-boards.patch b/queue-5.16/arm64-dts-rockchip-fix-bluetooth-on-rock-pi-4-boards.patch
new file mode 100644 (file)
index 0000000..dccf6a7
--- /dev/null
@@ -0,0 +1,103 @@
+From 86ad65c6c395c4e49015e634fa4c6b32aee700d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 19:53:59 +0530
+Subject: arm64: dts: rockchip: Fix Bluetooth on ROCK Pi 4 boards
+
+From: Jagan Teki <jagan@amarulasolutions.com>
+
+[ Upstream commit f471b1b2db0819917c54099ab68349ad6a7e9e19 ]
+
+This patch fixes the Bluetooth on ROCK Pi 4 boards.
+
+ROCK Pi 4 boards has BCM4345C5 and now it is supported
+on Mainline Linux, brcm,bcm43438-bt still working but
+observed the BT Audio issues with latest test.
+
+So, use the BCM4345C5 compatible and its associated
+properties like clock-names as lpo and max-speed.
+
+Attach vbat and vddio supply rails as well.
+
+Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
+Link: https://lore.kernel.org/r/20211112142359.320798-1-jagan@amarulasolutions.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b-plus.dts | 7 +++++--
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b.dts      | 7 +++++--
+ arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4c.dts      | 7 +++++--
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b-plus.dts b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b-plus.dts
+index dfad13d2ab249..5bd2b8db3d51a 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b-plus.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b-plus.dts
+@@ -35,13 +35,16 @@
+       status = "okay";
+       bluetooth {
+-              compatible = "brcm,bcm43438-bt";
++              compatible = "brcm,bcm4345c5";
+               clocks = <&rk808 1>;
+-              clock-names = "ext_clock";
++              clock-names = "lpo";
+               device-wakeup-gpios = <&gpio2 RK_PD3 GPIO_ACTIVE_HIGH>;
+               host-wakeup-gpios = <&gpio0 RK_PA4 GPIO_ACTIVE_HIGH>;
+               shutdown-gpios = <&gpio0 RK_PB1 GPIO_ACTIVE_HIGH>;
++              max-speed = <1500000>;
+               pinctrl-names = "default";
+               pinctrl-0 = <&bt_host_wake_l &bt_wake_l &bt_enable_h>;
++              vbat-supply = <&vcc3v3_sys>;
++              vddio-supply = <&vcc_1v8>;
+       };
+ };
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b.dts b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b.dts
+index 6c63e617063c9..cf48746a3ad81 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4b.dts
+@@ -34,13 +34,16 @@
+       status = "okay";
+       bluetooth {
+-              compatible = "brcm,bcm43438-bt";
++              compatible = "brcm,bcm4345c5";
+               clocks = <&rk808 1>;
+-              clock-names = "ext_clock";
++              clock-names = "lpo";
+               device-wakeup-gpios = <&gpio2 RK_PD3 GPIO_ACTIVE_HIGH>;
+               host-wakeup-gpios = <&gpio0 RK_PA4 GPIO_ACTIVE_HIGH>;
+               shutdown-gpios = <&gpio0 RK_PB1 GPIO_ACTIVE_HIGH>;
++              max-speed = <1500000>;
+               pinctrl-names = "default";
+               pinctrl-0 = <&bt_host_wake_l &bt_wake_l &bt_enable_h>;
++              vbat-supply = <&vcc3v3_sys>;
++              vddio-supply = <&vcc_1v8>;
+       };
+ };
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4c.dts b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4c.dts
+index 99169bcd51c03..57ddf55ee6930 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4c.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4c.dts
+@@ -35,14 +35,17 @@
+       status = "okay";
+       bluetooth {
+-              compatible = "brcm,bcm43438-bt";
++              compatible = "brcm,bcm4345c5";
+               clocks = <&rk808 1>;
+-              clock-names = "ext_clock";
++              clock-names = "lpo";
+               device-wakeup-gpios = <&gpio2 RK_PD3 GPIO_ACTIVE_HIGH>;
+               host-wakeup-gpios = <&gpio0 RK_PA4 GPIO_ACTIVE_HIGH>;
+               shutdown-gpios = <&gpio0 RK_PB1 GPIO_ACTIVE_HIGH>;
++              max-speed = <1500000>;
+               pinctrl-names = "default";
+               pinctrl-0 = <&bt_host_wake_l &bt_wake_l &bt_enable_h>;
++              vbat-supply = <&vcc3v3_sys>;
++              vddio-supply = <&vcc_1v8>;
+       };
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch b/queue-5.16/arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch
new file mode 100644 (file)
index 0000000..295c00c
--- /dev/null
@@ -0,0 +1,37 @@
+From 62f9e8ce742d05e1cde32c13f2295e7cbde53df1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 14:15:54 +0530
+Subject: arm64: dts: ti: j7200-main: Fix 'dtbs_check' serdes_ln_ctrl node
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 4d3984906397581dc0ccb6a02bf16b6ff82c9192 ]
+
+Fix 'dtbs_check' in serdes_ln_ctrl (serdes-ln-ctrl@4080) node by
+changing the node name to mux-controller@4080.
+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211126084555.17797-2-kishon@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
+index d60ef4f7dd0b7..05a627ad6cdc4 100644
+--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
+@@ -32,7 +32,7 @@
+               #size-cells = <1>;
+               ranges = <0x00 0x00 0x00100000 0x1c000>;
+-              serdes_ln_ctrl: serdes-ln-ctrl@4080 {
++              serdes_ln_ctrl: mux-controller@4080 {
+                       compatible = "mmio-mux";
+                       #mux-control-cells = <1>;
+                       mux-reg-masks = <0x4080 0x3>, <0x4084 0x3>, /* SERDES0 lane0/1 select */
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-j721e-main-fix-dtbs_check-in-serdes_ln_.patch b/queue-5.16/arm64-dts-ti-j721e-main-fix-dtbs_check-in-serdes_ln_.patch
new file mode 100644 (file)
index 0000000..51f9a73
--- /dev/null
@@ -0,0 +1,37 @@
+From 521a55776a965233cdd7627b6bf6dd06cae14259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 14:15:55 +0530
+Subject: arm64: dts: ti: j721e-main: Fix 'dtbs_check' in serdes_ln_ctrl node
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 3f92a5be6084b77f764a8bbb881ac0d12cb9e863 ]
+
+Fix 'dtbs_check' in serdes_ln_ctrl (mux@4080) node by changing the node
+name to mux-controller@4080.
+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211126084555.17797-3-kishon@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+index 08c8d1b47dcd9..e85c89eebfa31 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+@@ -42,7 +42,7 @@
+               #size-cells = <1>;
+               ranges = <0x0 0x0 0x00100000 0x1c000>;
+-              serdes_ln_ctrl: mux@4080 {
++              serdes_ln_ctrl: mux-controller@4080 {
+                       compatible = "mmio-mux";
+                       reg = <0x00004080 0x50>;
+                       #mux-control-cells = <1>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-k3-am642-fix-the-l2-cache-sets.patch b/queue-5.16/arm64-dts-ti-k3-am642-fix-the-l2-cache-sets.patch
new file mode 100644 (file)
index 0000000..1cfa7d7
--- /dev/null
@@ -0,0 +1,46 @@
+From 90f3a947403a8d357a60887b378291baf9f0f54e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 22:36:35 -0600
+Subject: arm64: dts: ti: k3-am642: Fix the L2 cache sets
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit a27a93bf70045be54b594fa8482959ffb84166d7 ]
+
+A53's L2 cache[1] on AM642[2] is 256KB. A53's L2 is fixed line length
+of 64 bytes and 16-way set-associative cache structure.
+
+256KB of L2 / 64 (line length) = 4096 ways
+4096 ways / 16 = 256 sets
+
+Fix the l2 cache-sets.
+
+[1] https://developer.arm.com/documentation/ddi0500/j/Level-2-Memory-System/About-the-L2-memory-system?lang=en
+[2] https://www.ti.com/lit/pdf/spruim2
+
+Fixes: 8abae9389bdb ("arm64: dts: ti: Add support for AM642 SoC")
+Reported-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211113043635.4296-1-nm@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-am642.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-am642.dtsi b/arch/arm64/boot/dts/ti/k3-am642.dtsi
+index e2b397c884018..8a76f4821b11b 100644
+--- a/arch/arm64/boot/dts/ti/k3-am642.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am642.dtsi
+@@ -60,6 +60,6 @@
+               cache-level = <2>;
+               cache-size = <0x40000>;
+               cache-line-size = <64>;
+-              cache-sets = <512>;
++              cache-sets = <256>;
+       };
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch b/queue-5.16/arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch
new file mode 100644 (file)
index 0000000..23ad8cc
--- /dev/null
@@ -0,0 +1,58 @@
+From 9f8002fa59cdc47700d24bca22bbc069c4d290aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 22:26:40 -0600
+Subject: arm64: dts: ti: k3-j7200: Correct the d-cache-sets info
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit a172c86931709d6663318609d71a811333bdf4b0 ]
+
+A72 Cluster (chapter 1.3.1 [1]) has 48KB Icache, 32KB Dcache and 1MB L2 Cache
+ - ICache is 3-way set-associative
+ - Dcache is 2-way set-associative
+ - Line size are 64bytes
+
+32KB (Dcache)/64 (fixed line length of 64 bytes) = 512 ways
+512 ways / 2 (Dcache is 2-way per set) = 256 sets.
+
+So, correct the d-cache-sets info.
+
+[1] https://www.ti.com/lit/pdf/spruiu1
+
+Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC")
+Reported-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Reviewed-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211113042640.30955-1-nm@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j7200.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j7200.dtsi b/arch/arm64/boot/dts/ti/k3-j7200.dtsi
+index a99a4d305b7ec..64fef4e67d76a 100644
+--- a/arch/arm64/boot/dts/ti/k3-j7200.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j7200.dtsi
+@@ -62,7 +62,7 @@
+                       i-cache-sets = <256>;
+                       d-cache-size = <0x8000>;
+                       d-cache-line-size = <64>;
+-                      d-cache-sets = <128>;
++                      d-cache-sets = <256>;
+                       next-level-cache = <&L2_0>;
+               };
+@@ -76,7 +76,7 @@
+                       i-cache-sets = <256>;
+                       d-cache-size = <0x8000>;
+                       d-cache-line-size = <64>;
+-                      d-cache-sets = <128>;
++                      d-cache-sets = <256>;
+                       next-level-cache = <&L2_0>;
+               };
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch b/queue-5.16/arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch
new file mode 100644 (file)
index 0000000..c87711f
--- /dev/null
@@ -0,0 +1,47 @@
+From a1286611f5f992392db6c63e4becfe6fddf41119 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 22:36:38 -0600
+Subject: arm64: dts: ti: k3-j7200: Fix the L2 cache sets
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit d0c826106f3fc11ff97285102b576b65576654ae ]
+
+A72's L2 cache[1] on J7200[2] is 1MB. A72's L2 is fixed line length of
+64 bytes and 16-way set-associative cache structure.
+
+1MB of L2 / 64 (line length) = 16384 ways
+16384 ways / 16 = 1024 sets
+
+Fix the l2 cache-sets.
+
+[1] https://developer.arm.com/documentation/100095/0003/Level-2-Memory-System/About-the-L2-memory-system
+[2] https://www.ti.com/lit/pdf/spruiu1
+
+Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC")
+Reported-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211113043638.4358-1-nm@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j7200.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j7200.dtsi b/arch/arm64/boot/dts/ti/k3-j7200.dtsi
+index 47567cb260c2b..a99a4d305b7ec 100644
+--- a/arch/arm64/boot/dts/ti/k3-j7200.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j7200.dtsi
+@@ -86,7 +86,7 @@
+               cache-level = <2>;
+               cache-size = <0x100000>;
+               cache-line-size = <64>;
+-              cache-sets = <2048>;
++              cache-sets = <1024>;
+               next-level-cache = <&msmc_l3>;
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch b/queue-5.16/arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch
new file mode 100644 (file)
index 0000000..d29a826
--- /dev/null
@@ -0,0 +1,51 @@
+From 3f319c95e94e5034c6562aff3f88e62f3a559cd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 14:31:55 +0800
+Subject: arm64: dts: ti: k3-j721e: correct cache-sets info
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 7a0df1f969c14939f60a7f9a6af72adcc314675f ]
+
+A72 Cluster has 48KB Icache, 32KB Dcache and 1MB L2 Cache
+ - ICache is 3-way set-associative
+ - Dcache is 2-way set-associative
+ - Line size are 64bytes
+
+So correct the cache-sets info.
+
+Fixes: 2d87061e70dea ("arm64: dts: ti: Add Support for J721E SoC")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211112063155.3485777-1-peng.fan@oss.nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e.dtsi b/arch/arm64/boot/dts/ti/k3-j721e.dtsi
+index 214359e7288b2..a5967ba139d7e 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721e.dtsi
+@@ -64,7 +64,7 @@
+                       i-cache-sets = <256>;
+                       d-cache-size = <0x8000>;
+                       d-cache-line-size = <64>;
+-                      d-cache-sets = <128>;
++                      d-cache-sets = <256>;
+                       next-level-cache = <&L2_0>;
+               };
+@@ -78,7 +78,7 @@
+                       i-cache-sets = <256>;
+                       d-cache-size = <0x8000>;
+                       d-cache-line-size = <64>;
+-                      d-cache-sets = <128>;
++                      d-cache-sets = <256>;
+                       next-level-cache = <&L2_0>;
+               };
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch b/queue-5.16/arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch
new file mode 100644 (file)
index 0000000..a5fc0c1
--- /dev/null
@@ -0,0 +1,47 @@
+From 4dd6f7ac9e83bd578fa22e68e15a5857b713238e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 22:36:39 -0600
+Subject: arm64: dts: ti: k3-j721e: Fix the L2 cache sets
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit e9ba3a5bc6fdc2c796c69fdaf5ed6c9957cf9f9d ]
+
+A72's L2 cache[1] on J721e[2] is 1MB. A72's L2 is fixed line length of
+64 bytes and 16-way set-associative cache structure.
+
+1MB of L2 / 64 (line length) = 16384 ways
+16384 ways / 16 = 1024 sets
+
+Fix the l2 cache-sets.
+
+[1] https://developer.arm.com/documentation/100095/0003/Level-2-Memory-System/About-the-L2-memory-system
+[2] http://www.ti.com/lit/pdf/spruil1
+
+Fixes: 2d87061e70de ("arm64: dts: ti: Add Support for J721E SoC")
+Reported-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20211113043639.4413-1-nm@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e.dtsi b/arch/arm64/boot/dts/ti/k3-j721e.dtsi
+index a5967ba139d7e..4a3872fce5339 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j721e.dtsi
+@@ -88,7 +88,7 @@
+               cache-level = <2>;
+               cache-size = <0x100000>;
+               cache-line-size = <64>;
+-              cache-sets = <2048>;
++              cache-sets = <1024>;
+               next-level-cache = <&msmc_l3>;
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-mte-dc-gva-gzva-shouldn-t-be-used-when-dczid_e.patch b/queue-5.16/arm64-mte-dc-gva-gzva-shouldn-t-be-used-when-dczid_e.patch
new file mode 100644 (file)
index 0000000..d810684
--- /dev/null
@@ -0,0 +1,86 @@
+From e5714e13ace6c29f1556314ba73c4f0ec72062d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Dec 2021 16:47:36 -0800
+Subject: arm64: mte: DC {GVA,GZVA} shouldn't be used when DCZID_EL0.DZP == 1
+
+From: Reiji Watanabe <reijiw@google.com>
+
+[ Upstream commit 685e2564daa1493053fcd7f1dbed38b35ee2f3cb ]
+
+Currently, mte_set_mem_tag_range() and mte_zero_clear_page_tags() use
+DC {GVA,GZVA} unconditionally.  But, they should make sure that
+DCZID_EL0.DZP, which indicates whether or not use of those instructions
+is prohibited, is zero when using those instructions.
+Use ST{G,ZG,Z2G} instead when DCZID_EL0.DZP == 1.
+
+Fixes: 013bb59dbb7c ("arm64: mte: handle tags zeroing at page allocation time")
+Fixes: 3d0cca0b02ac ("kasan: speed up mte_set_mem_tag_range")
+Signed-off-by: Reiji Watanabe <reijiw@google.com>
+Link: https://lore.kernel.org/r/20211206004736.1520989-3-reijiw@google.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/mte-kasan.h | 8 +++++---
+ arch/arm64/lib/mte.S               | 8 +++++++-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/include/asm/mte-kasan.h b/arch/arm64/include/asm/mte-kasan.h
+index 478b9bcf69ad1..e4704a403237e 100644
+--- a/arch/arm64/include/asm/mte-kasan.h
++++ b/arch/arm64/include/asm/mte-kasan.h
+@@ -84,10 +84,12 @@ static inline void __dc_gzva(u64 p)
+ static inline void mte_set_mem_tag_range(void *addr, size_t size, u8 tag,
+                                        bool init)
+ {
+-      u64 curr, mask, dczid_bs, end1, end2, end3;
++      u64 curr, mask, dczid, dczid_bs, dczid_dzp, end1, end2, end3;
+       /* Read DC G(Z)VA block size from the system register. */
+-      dczid_bs = 4ul << (read_cpuid(DCZID_EL0) & 0xf);
++      dczid = read_cpuid(DCZID_EL0);
++      dczid_bs = 4ul << (dczid & 0xf);
++      dczid_dzp = (dczid >> 4) & 1;
+       curr = (u64)__tag_set(addr, tag);
+       mask = dczid_bs - 1;
+@@ -106,7 +108,7 @@ static inline void mte_set_mem_tag_range(void *addr, size_t size, u8 tag,
+        */
+ #define SET_MEMTAG_RANGE(stg_post, dc_gva)            \
+       do {                                            \
+-              if (size >= 2 * dczid_bs) {             \
++              if (!dczid_dzp && size >= 2 * dczid_bs) {\
+                       do {                            \
+                               curr = stg_post(curr);  \
+                       } while (curr < end1);          \
+diff --git a/arch/arm64/lib/mte.S b/arch/arm64/lib/mte.S
+index e83643b3995f4..f531dcb95174a 100644
+--- a/arch/arm64/lib/mte.S
++++ b/arch/arm64/lib/mte.S
+@@ -43,17 +43,23 @@ SYM_FUNC_END(mte_clear_page_tags)
+  *    x0 - address to the beginning of the page
+  */
+ SYM_FUNC_START(mte_zero_clear_page_tags)
++      and     x0, x0, #(1 << MTE_TAG_SHIFT) - 1       // clear the tag
+       mrs     x1, dczid_el0
++      tbnz    x1, #4, 2f      // Branch if DC GZVA is prohibited
+       and     w1, w1, #0xf
+       mov     x2, #4
+       lsl     x1, x2, x1
+-      and     x0, x0, #(1 << MTE_TAG_SHIFT) - 1       // clear the tag
+ 1:    dc      gzva, x0
+       add     x0, x0, x1
+       tst     x0, #(PAGE_SIZE - 1)
+       b.ne    1b
+       ret
++
++2:    stz2g   x0, [x0], #(MTE_GRANULE_SIZE * 2)
++      tst     x0, #(PAGE_SIZE - 1)
++      b.ne    2b
++      ret
+ SYM_FUNC_END(mte_zero_clear_page_tags)
+ /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch b/queue-5.16/arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch
new file mode 100644 (file)
index 0000000..a3b17c8
--- /dev/null
@@ -0,0 +1,35 @@
+From e6d2fc4db18286e64442a16e42f3b18705175b6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 14:28:29 +0100
+Subject: arm64: tegra: Adjust length of CCPLEX cluster MMIO region
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 2b14cbd643feea5fc17c6e8bead4e71088c69acd ]
+
+The Tegra186 CCPLEX cluster register region is 4 MiB is length, not 4
+MiB - 1. This was likely presumed to be the "limit" rather than length.
+Fix it up.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra186.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra186.dtsi b/arch/arm64/boot/dts/nvidia/tegra186.dtsi
+index 9ac4f0140700f..8ab83b4ac0373 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra186.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra186.dtsi
+@@ -1199,7 +1199,7 @@
+       ccplex@e000000 {
+               compatible = "nvidia,tegra186-ccplex-cluster";
+-              reg = <0x0 0x0e000000 0x0 0x3fffff>;
++              reg = <0x0 0x0e000000 0x0 0x400000>;
+               nvidia,bpmp = <&bpmp>;
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/arm64-tegra-remove-non-existent-tegra194-reset.patch b/queue-5.16/arm64-tegra-remove-non-existent-tegra194-reset.patch
new file mode 100644 (file)
index 0000000..56ff707
--- /dev/null
@@ -0,0 +1,40 @@
+From e2f82bf8d93110e69b832ef219faed7e14f67789 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 17:23:51 +0530
+Subject: arm64: tegra: Remove non existent Tegra194 reset
+
+From: Sameer Pujar <spujar@nvidia.com>
+
+[ Upstream commit 146b3a77af8091cabbd1decc51d67799e69682d2 ]
+
+Tegra194 does not really have "hda2codec_2x" related reset. Hence drop
+this entry to reflect actual HW.
+
+Fixes: 4878cc0c9fab ("arm64: tegra: Add HDA controller on Tegra194")
+Signed-off-by: Sameer Pujar <spujar@nvidia.com>
+Link: https://lore.kernel.org/r/1640260431-11613-4-git-send-email-spujar@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra194.dtsi | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+index 851e049b3519c..dcc0e55d6bdbb 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+@@ -976,9 +976,8 @@
+                                <&bpmp TEGRA194_CLK_HDA2CODEC_2X>;
+                       clock-names = "hda", "hda2hdmi", "hda2codec_2x";
+                       resets = <&bpmp TEGRA194_RESET_HDA>,
+-                               <&bpmp TEGRA194_RESET_HDA2HDMICODEC>,
+-                               <&bpmp TEGRA194_RESET_HDA2CODEC_2X>;
+-                      reset-names = "hda", "hda2hdmi", "hda2codec_2x";
++                               <&bpmp TEGRA194_RESET_HDA2HDMICODEC>;
++                      reset-names = "hda", "hda2hdmi";
+                       power-domains = <&bpmp TEGRA194_POWER_DOMAIN_DISP>;
+                       interconnects = <&mc TEGRA194_MEMORY_CLIENT_HDAR &emc>,
+                                       <&mc TEGRA194_MEMORY_CLIENT_HDAW &emc>;
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-amd-fix-dependency-for-spi-master.patch b/queue-5.16/asoc-amd-fix-dependency-for-spi-master.patch
new file mode 100644 (file)
index 0000000..3ac6a3c
--- /dev/null
@@ -0,0 +1,38 @@
+From 2c2465a989285792dc39618d9b529a54e2189998 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 18:00:03 +0000
+Subject: ASoC: amd: Fix dependency for SPI master
+
+From: Lucas Tanure <tanureal@opensource.cirrus.com>
+
+[ Upstream commit 19a628d8f1a6c16263d8037a918427207c8a95a0 ]
+
+Set SPI_MASTER as dependency as is using CS35L41 SPI driver
+
+Fixes: 96792fdd77cd1 ("ASoC: amd: enable vangogh platform machine driver build")
+
+Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/r/20211201180004.1402156-1-tanureal@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/amd/Kconfig b/sound/soc/amd/Kconfig
+index 2c6af3f8f2961..ff535370e525a 100644
+--- a/sound/soc/amd/Kconfig
++++ b/sound/soc/amd/Kconfig
+@@ -68,7 +68,7 @@ config SND_SOC_AMD_VANGOGH_MACH
+       tristate "AMD Vangogh support for NAU8821 CS35L41"
+       select SND_SOC_NAU8821
+       select SND_SOC_CS35L41_SPI
+-      depends on SND_SOC_AMD_ACP5x && I2C
++      depends on SND_SOC_AMD_ACP5x && I2C && SPI_MASTER
+       help
+         This option enables machine driver for Vangogh platform
+         using NAU8821 and CS35L41 codecs.
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-codecs-wcd938x-add-snd_soc_wcd938_sdw-to-codec-.patch b/queue-5.16/asoc-codecs-wcd938x-add-snd_soc_wcd938_sdw-to-codec-.patch
new file mode 100644 (file)
index 0000000..62de363
--- /dev/null
@@ -0,0 +1,45 @@
+From ea6bfbfcacc16943597dbff42dd5542449e99c85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 10:51:58 +0100
+Subject: ASoC: codecs: wcd938x: add SND_SOC_WCD938_SDW to codec list instead
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit 2039cc1da4bee1fd0df644e26b28ed769cd32a81 ]
+
+Commit 045442228868 ("ASoC: codecs: wcd938x: add audio routing and
+Kconfig") adds SND_SOC_WCD937X, which does not exist, and
+SND_SOC_WCD938X, which seems not really to be the intended config to be
+selected, but only a supporting config symbol to the actual config
+SND_SOC_WCD938X_SDW for the codec.
+
+Add SND_SOC_WCD938_SDW to the list instead of SND_SOC_WCD93{7,8}X.
+
+The issue was identified with ./scripts/checkkconfigsymbols.py.
+
+Fixes: 045442228868 ("ASoC: codecs: wcd938x: add audio routing and Kconfig")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Link: https://lore.kernel.org/r/20211125095158.8394-3-lukas.bulwahn@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/Kconfig b/sound/soc/codecs/Kconfig
+index 326f2d611ad4e..3a610ba183ffb 100644
+--- a/sound/soc/codecs/Kconfig
++++ b/sound/soc/codecs/Kconfig
+@@ -241,8 +241,7 @@ config SND_SOC_ALL_CODECS
+       imply SND_SOC_UDA1380
+       imply SND_SOC_WCD9335
+       imply SND_SOC_WCD934X
+-      imply SND_SOC_WCD937X
+-      imply SND_SOC_WCD938X
++      imply SND_SOC_WCD938X_SDW
+       imply SND_SOC_LPASS_RX_MACRO
+       imply SND_SOC_LPASS_TX_MACRO
+       imply SND_SOC_WL1273
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-cs42l42-report-initial-jack-state.patch b/queue-5.16/asoc-cs42l42-report-initial-jack-state.patch
new file mode 100644 (file)
index 0000000..da1bf04
--- /dev/null
@@ -0,0 +1,109 @@
+From 2d83614328b4270c2721d4155eb3a984fd0f0924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 12:48:54 +0000
+Subject: ASoC: cs42l42: Report initial jack state
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit fdd535283779ec9f9c35fda352585c629121214f ]
+
+When a jack handler is registered in cs42l42_set_jack() the
+initial state should be reported if an attached headphone/headset
+has already been detected.
+
+The jack detect sequence takes around 1 second: typically long
+enough for the machine driver to probe and register the jack handler
+in time to receive the first report from the interrupt handler. So
+it is possible on some systems that the correct initial state was seen
+simply because of lucky timing. Modular builds were more likely to
+miss the reporting of the initial state.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 4ca239f33737 ("ASoC: cs42l42: Always enable TS_PLUG and TS_UNPLUG interrupts")
+Link: https://lore.kernel.org/r/20211119124854.58939-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 22 ++++++++++++++++++++++
+ sound/soc/codecs/cs42l42.h |  2 ++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 27a1c4c73074f..a63fba4e6c9c2 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -521,8 +521,25 @@ static int cs42l42_set_jack(struct snd_soc_component *component, struct snd_soc_
+ {
+       struct cs42l42_private *cs42l42 = snd_soc_component_get_drvdata(component);
++      /* Prevent race with interrupt handler */
++      mutex_lock(&cs42l42->jack_detect_mutex);
+       cs42l42->jack = jk;
++      if (jk) {
++              switch (cs42l42->hs_type) {
++              case CS42L42_PLUG_CTIA:
++              case CS42L42_PLUG_OMTP:
++                      snd_soc_jack_report(jk, SND_JACK_HEADSET, SND_JACK_HEADSET);
++                      break;
++              case CS42L42_PLUG_HEADPHONE:
++                      snd_soc_jack_report(jk, SND_JACK_HEADPHONE, SND_JACK_HEADPHONE);
++                      break;
++              default:
++                      break;
++              }
++      }
++      mutex_unlock(&cs42l42->jack_detect_mutex);
++
+       return 0;
+ }
+@@ -1611,6 +1628,8 @@ static irqreturn_t cs42l42_irq_thread(int irq, void *data)
+               CS42L42_M_DETECT_FT_MASK |
+               CS42L42_M_HSBIAS_HIZ_MASK);
++      mutex_lock(&cs42l42->jack_detect_mutex);
++
+       /* Check auto-detect status */
+       if ((~masks[5]) & irq_params_table[5].mask) {
+               if (stickies[5] & CS42L42_HSDET_AUTO_DONE_MASK) {
+@@ -1689,6 +1708,8 @@ static irqreturn_t cs42l42_irq_thread(int irq, void *data)
+               }
+       }
++      mutex_unlock(&cs42l42->jack_detect_mutex);
++
+       return IRQ_HANDLED;
+ }
+@@ -2033,6 +2054,7 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client,
+       cs42l42->dev = &i2c_client->dev;
+       i2c_set_clientdata(i2c_client, cs42l42);
++      mutex_init(&cs42l42->jack_detect_mutex);
+       cs42l42->regmap = devm_regmap_init_i2c(i2c_client, &cs42l42_regmap);
+       if (IS_ERR(cs42l42->regmap)) {
+diff --git a/sound/soc/codecs/cs42l42.h b/sound/soc/codecs/cs42l42.h
+index f45bcc9a3a62f..02128ebf8989a 100644
+--- a/sound/soc/codecs/cs42l42.h
++++ b/sound/soc/codecs/cs42l42.h
+@@ -12,6 +12,7 @@
+ #ifndef __CS42L42_H__
+ #define __CS42L42_H__
++#include <linux/mutex.h>
+ #include <sound/jack.h>
+ #define CS42L42_PAGE_REGISTER 0x00    /* Page Select Register */
+@@ -838,6 +839,7 @@ struct  cs42l42_private {
+       struct gpio_desc *reset_gpio;
+       struct completion pdn_done;
+       struct snd_soc_jack *jack;
++      struct mutex jack_detect_mutex;
+       int pll_config;
+       int bclk;
+       u32 sclk;
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch b/queue-5.16/asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch
new file mode 100644 (file)
index 0000000..eb10216
--- /dev/null
@@ -0,0 +1,159 @@
+From 0aaf64159a90e572af8cd4f40b302ed266494d66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 19:08:03 +0800
+Subject: ASoC: fsl_asrc: refine the check of available clock divider
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 320386343451ab6a3577e0ee200dac56a6182944 ]
+
+According to RM, the clock divider range is from 1 to 8, clock
+prescaling ratio may be any power of 2 from 1 to 128.
+So the supported divider is not all the value between
+1 and 1024, just limited value in that range.
+
+Create table for the supported divder and add function to
+check the clock divider is available by comparing with
+the table.
+
+Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1641380883-20709-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_asrc.c | 69 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 58 insertions(+), 11 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c
+index 24b41881a68f8..d7d1536a4f377 100644
+--- a/sound/soc/fsl/fsl_asrc.c
++++ b/sound/soc/fsl/fsl_asrc.c
+@@ -19,6 +19,7 @@
+ #include "fsl_asrc.h"
+ #define IDEAL_RATIO_DECIMAL_DEPTH 26
++#define DIVIDER_NUM  64
+ #define pair_err(fmt, ...) \
+       dev_err(&asrc->pdev->dev, "Pair %c: " fmt, 'A' + index, ##__VA_ARGS__)
+@@ -101,6 +102,55 @@ static unsigned char clk_map_imx8qxp[2][ASRC_CLK_MAP_LEN] = {
+       },
+ };
++/*
++ * According to RM, the divider range is 1 ~ 8,
++ * prescaler is power of 2 from 1 ~ 128.
++ */
++static int asrc_clk_divider[DIVIDER_NUM] = {
++      1,  2,  4,  8,  16,  32,  64,  128,  /* divider = 1 */
++      2,  4,  8, 16,  32,  64, 128,  256,  /* divider = 2 */
++      3,  6, 12, 24,  48,  96, 192,  384,  /* divider = 3 */
++      4,  8, 16, 32,  64, 128, 256,  512,  /* divider = 4 */
++      5, 10, 20, 40,  80, 160, 320,  640,  /* divider = 5 */
++      6, 12, 24, 48,  96, 192, 384,  768,  /* divider = 6 */
++      7, 14, 28, 56, 112, 224, 448,  896,  /* divider = 7 */
++      8, 16, 32, 64, 128, 256, 512, 1024,  /* divider = 8 */
++};
++
++/*
++ * Check if the divider is available for internal ratio mode
++ */
++static bool fsl_asrc_divider_avail(int clk_rate, int rate, int *div)
++{
++      u32 rem, i;
++      u64 n;
++
++      if (div)
++              *div = 0;
++
++      if (clk_rate == 0 || rate == 0)
++              return false;
++
++      n = clk_rate;
++      rem = do_div(n, rate);
++
++      if (div)
++              *div = n;
++
++      if (rem != 0)
++              return false;
++
++      for (i = 0; i < DIVIDER_NUM; i++) {
++              if (n == asrc_clk_divider[i])
++                      break;
++      }
++
++      if (i == DIVIDER_NUM)
++              return false;
++
++      return true;
++}
++
+ /**
+  * fsl_asrc_sel_proc - Select the pre-processing and post-processing options
+  * @inrate: input sample rate
+@@ -330,12 +380,12 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate)
+       enum asrc_word_width input_word_width;
+       enum asrc_word_width output_word_width;
+       u32 inrate, outrate, indiv, outdiv;
+-      u32 clk_index[2], div[2], rem[2];
++      u32 clk_index[2], div[2];
+       u64 clk_rate;
+       int in, out, channels;
+       int pre_proc, post_proc;
+       struct clk *clk;
+-      bool ideal;
++      bool ideal, div_avail;
+       if (!config) {
+               pair_err("invalid pair config\n");
+@@ -415,8 +465,7 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate)
+       clk = asrc_priv->asrck_clk[clk_index[ideal ? OUT : IN]];
+       clk_rate = clk_get_rate(clk);
+-      rem[IN] = do_div(clk_rate, inrate);
+-      div[IN] = (u32)clk_rate;
++      div_avail = fsl_asrc_divider_avail(clk_rate, inrate, &div[IN]);
+       /*
+        * The divider range is [1, 1024], defined by the hardware. For non-
+@@ -425,7 +474,7 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate)
+        * only result in different converting speeds. So remainder does not
+        * matter, as long as we keep the divider within its valid range.
+        */
+-      if (div[IN] == 0 || (!ideal && (div[IN] > 1024 || rem[IN] != 0))) {
++      if (div[IN] == 0 || (!ideal && !div_avail)) {
+               pair_err("failed to support input sample rate %dHz by asrck_%x\n",
+                               inrate, clk_index[ideal ? OUT : IN]);
+               return -EINVAL;
+@@ -436,13 +485,12 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate)
+       clk = asrc_priv->asrck_clk[clk_index[OUT]];
+       clk_rate = clk_get_rate(clk);
+       if (ideal && use_ideal_rate)
+-              rem[OUT] = do_div(clk_rate, IDEAL_RATIO_RATE);
++              div_avail = fsl_asrc_divider_avail(clk_rate, IDEAL_RATIO_RATE, &div[OUT]);
+       else
+-              rem[OUT] = do_div(clk_rate, outrate);
+-      div[OUT] = clk_rate;
++              div_avail = fsl_asrc_divider_avail(clk_rate, outrate, &div[OUT]);
+       /* Output divider has the same limitation as the input one */
+-      if (div[OUT] == 0 || (!ideal && (div[OUT] > 1024 || rem[OUT] != 0))) {
++      if (div[OUT] == 0 || (!ideal && !div_avail)) {
+               pair_err("failed to support output sample rate %dHz by asrck_%x\n",
+                               outrate, clk_index[OUT]);
+               return -EINVAL;
+@@ -621,8 +669,7 @@ static void fsl_asrc_select_clk(struct fsl_asrc_priv *asrc_priv,
+                       clk_index = asrc_priv->clk_map[j][i];
+                       clk_rate = clk_get_rate(asrc_priv->asrck_clk[clk_index]);
+                       /* Only match a perfect clock source with no remainder */
+-                      if (clk_rate != 0 && (clk_rate / rate[j]) <= 1024 &&
+-                          (clk_rate % rate[j]) == 0)
++                      if (fsl_asrc_divider_avail(clk_rate, rate[j], NULL))
+                               break;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-fsl_mqs-fix-module_alias.patch b/queue-5.16/asoc-fsl_mqs-fix-module_alias.patch
new file mode 100644 (file)
index 0000000..75cb8d7
--- /dev/null
@@ -0,0 +1,33 @@
+From aaa77aa30407f835921ceba24e30d6ec9f040b34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 13:22:16 +0000
+Subject: ASoC: fsl_mqs: fix MODULE_ALIAS
+
+From: Alyssa Ross <hi@alyssa.is>
+
+[ Upstream commit 9f3d45318dd9e739ed62e4218839a7a824d3cced ]
+
+modprobe can't handle spaces in aliases.
+
+Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver")
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Link: https://lore.kernel.org/r/20220104132218.1690103-1-hi@alyssa.is
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_mqs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c
+index 27b4536dce443..ceaecbe3a25e4 100644
+--- a/sound/soc/fsl/fsl_mqs.c
++++ b/sound/soc/fsl/fsl_mqs.c
+@@ -337,4 +337,4 @@ module_platform_driver(fsl_mqs_driver);
+ MODULE_AUTHOR("Shengjiu Wang <Shengjiu.Wang@nxp.com>");
+ MODULE_DESCRIPTION("MQS codec driver");
+ MODULE_LICENSE("GPL v2");
+-MODULE_ALIAS("platform: fsl-mqs");
++MODULE_ALIAS("platform:fsl-mqs");
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-imx-card-fix-mclk-calculation-issue-for-akcodec.patch b/queue-5.16/asoc-imx-card-fix-mclk-calculation-issue-for-akcodec.patch
new file mode 100644 (file)
index 0000000..4f241aa
--- /dev/null
@@ -0,0 +1,56 @@
+From 582b5579eda01495771c876f7d33d8a395bdc589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 18:40:34 +0800
+Subject: ASoC: imx-card: Fix mclk calculation issue for akcodec
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit f331ae5fa59fbfb748317b290648fc3f1a50d932 ]
+
+Transfer the refined slots and slot_width to akcodec_get_mclk_rate()
+for mclk calculation, otherwise the mclk frequency does not match
+with the slots and slot_width for S16_LE format, because the default
+slot_width is 32.
+
+Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1641292835-19085-3-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-card.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
+index 96ac1e465fade..84a8dcdee9316 100644
+--- a/sound/soc/fsl/imx-card.c
++++ b/sound/soc/fsl/imx-card.c
+@@ -247,13 +247,14 @@ static bool codec_is_akcodec(unsigned int type)
+ }
+ static unsigned long akcodec_get_mclk_rate(struct snd_pcm_substream *substream,
+-                                         struct snd_pcm_hw_params *params)
++                                         struct snd_pcm_hw_params *params,
++                                         int slots, int slot_width)
+ {
+       struct snd_soc_pcm_runtime *rtd = substream->private_data;
+       struct imx_card_data *data = snd_soc_card_get_drvdata(rtd->card);
+       const struct imx_card_plat_data *plat_data = data->plat_data;
+       struct dai_link_data *link_data = &data->link_data[rtd->num];
+-      unsigned int width = link_data->slots * link_data->slot_width;
++      unsigned int width = slots * slot_width;
+       unsigned int rate = params_rate(params);
+       int i;
+@@ -349,7 +350,7 @@ static int imx_aif_hw_params(struct snd_pcm_substream *substream,
+       /* Set MCLK freq */
+       if (codec_is_akcodec(plat_data->type))
+-              mclk_freq = akcodec_get_mclk_rate(substream, params);
++              mclk_freq = akcodec_get_mclk_rate(substream, params, slots, slot_width);
+       else
+               mclk_freq = params_rate(params) * slots * slot_width;
+       /* Use the maximum freq from DSD512 (512*44100 = 22579200) */
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-imx-card-improve-the-sound-quality-for-low-rate.patch b/queue-5.16/asoc-imx-card-improve-the-sound-quality-for-low-rate.patch
new file mode 100644 (file)
index 0000000..5c84fed
--- /dev/null
@@ -0,0 +1,62 @@
+From 1bc5f78f9d6641719e40b4dc68482bcc331aaa2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 18:40:35 +0800
+Subject: ASoC: imx-card: improve the sound quality for low rate
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 3969341813eb56d2dfc39bb64229359a6ae3c195 ]
+
+According to RM, on auto mode:
+For codec AK4458 and AK4497, the lowest ratio of MLCK/FS is 256
+if sample rate is 8kHz-48kHz,
+For codec AK5558, the lowest ratio of MLCK/FS is 512 if sample
+rate is 8kHz-48kHz.
+
+With these setting the sound quality for 8kHz-48kHz can be improved.
+
+Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1641292835-19085-4-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-card.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
+index 84a8dcdee9316..c7503a5f7cfbc 100644
+--- a/sound/soc/fsl/imx-card.c
++++ b/sound/soc/fsl/imx-card.c
+@@ -120,7 +120,7 @@ struct imx_card_data {
+ static struct imx_akcodec_fs_mul ak4458_fs_mul[] = {
+       /* Normal, < 32kHz */
+-      { .rmin = 8000,   .rmax = 24000,  .wmin = 1024, .wmax = 1024, },
++      { .rmin = 8000,   .rmax = 24000,  .wmin = 256,  .wmax = 1024, },
+       /* Normal, 32kHz */
+       { .rmin = 32000,  .rmax = 32000,  .wmin = 256,  .wmax = 1024, },
+       /* Normal */
+@@ -151,8 +151,8 @@ static struct imx_akcodec_fs_mul ak4497_fs_mul[] = {
+        * Table 7      - mapping multiplier and speed mode
+        * Tables 8 & 9 - mapping speed mode and LRCK fs
+        */
+-      { .rmin = 8000,   .rmax = 32000,  .wmin = 1024, .wmax = 1024, }, /* Normal, <= 32kHz */
+-      { .rmin = 44100,  .rmax = 48000,  .wmin = 512,  .wmax = 512, }, /* Normal */
++      { .rmin = 8000,   .rmax = 32000,  .wmin = 256,  .wmax = 1024, }, /* Normal, <= 32kHz */
++      { .rmin = 44100,  .rmax = 48000,  .wmin = 256,  .wmax = 512, }, /* Normal */
+       { .rmin = 88200,  .rmax = 96000,  .wmin = 256,  .wmax = 256, }, /* Double */
+       { .rmin = 176400, .rmax = 192000, .wmin = 128,  .wmax = 128, }, /* Quad */
+       { .rmin = 352800, .rmax = 384000, .wmin = 128,  .wmax = 128, }, /* Oct */
+@@ -164,7 +164,7 @@ static struct imx_akcodec_fs_mul ak4497_fs_mul[] = {
+  * (Table 4 from datasheet)
+  */
+ static struct imx_akcodec_fs_mul ak5558_fs_mul[] = {
+-      { .rmin = 8000,   .rmax = 32000,  .wmin = 1024, .wmax = 1024, },
++      { .rmin = 8000,   .rmax = 32000,  .wmin = 512,  .wmax = 1024, },
+       { .rmin = 44100,  .rmax = 48000,  .wmin = 512,  .wmax = 512, },
+       { .rmin = 88200,  .rmax = 96000,  .wmin = 256,  .wmax = 256, },
+       { .rmin = 176400, .rmax = 192000, .wmin = 128,  .wmax = 128, },
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-imx-card-need-special-setting-for-ak4497-on-i.m.patch b/queue-5.16/asoc-imx-card-need-special-setting-for-ak4497-on-i.m.patch
new file mode 100644 (file)
index 0000000..6f9caeb
--- /dev/null
@@ -0,0 +1,55 @@
+From f720ce887b29d168309f1dcb959f3de83d712b59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 18:40:33 +0800
+Subject: ASoC: imx-card: Need special setting for ak4497 on i.MX8MQ
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 3349b3d0c63b8b6fcca58156d72407f0b2e101ac ]
+
+The SAI on i.MX8MQ don't support one2one ratio for mclk:bclk, so
+the mclk frequency exceeds the supported range of codec for
+the case that sample rate is larger than 705kHZ and format is
+S32_LE. Update the supported width for such case.
+
+Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1641292835-19085-2-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-card.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
+index 6f06afd23b16a..96ac1e465fade 100644
+--- a/sound/soc/fsl/imx-card.c
++++ b/sound/soc/fsl/imx-card.c
+@@ -553,8 +553,23 @@ static int imx_card_parse_of(struct imx_card_data *data)
+                       link_data->cpu_sysclk_id = FSL_SAI_CLK_MAST1;
+                       /* sai may support mclk/bclk = 1 */
+-                      if (of_find_property(np, "fsl,mclk-equal-bclk", NULL))
++                      if (of_find_property(np, "fsl,mclk-equal-bclk", NULL)) {
+                               link_data->one2one_ratio = true;
++                      } else {
++                              int i;
++
++                              /*
++                               * i.MX8MQ don't support one2one ratio, then
++                               * with ak4497 only 16bit case is supported.
++                               */
++                              for (i = 0; i < ARRAY_SIZE(ak4497_fs_mul); i++) {
++                                      if (ak4497_fs_mul[i].rmin == 705600 &&
++                                          ak4497_fs_mul[i].rmax == 768000) {
++                                              ak4497_fs_mul[i].wmin = 32;
++                                              ak4497_fs_mul[i].wmax = 32;
++                                      }
++                              }
++                      }
+               }
+               link->cpus->of_node = args.np;
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-imx-hdmi-add-put_device-after-of_find_device_by.patch b/queue-5.16/asoc-imx-hdmi-add-put_device-after-of_find_device_by.patch
new file mode 100644 (file)
index 0000000..62bfaba
--- /dev/null
@@ -0,0 +1,39 @@
+From 2d36bde38e09313d3b752e00234c96fcbb4cdcc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 00:29:10 +0000
+Subject: ASoC: imx-hdmi: add put_device() after of_find_device_by_node()
+
+From: Ye Guojin <ye.guojin@zte.com.cn>
+
+[ Upstream commit f670b274f7f6f4b2722d7f08d0fddf606a727e92 ]
+
+This was found by coccicheck:
+./sound/soc/fsl/imx-hdmi.c,209,1-7,ERROR  missing put_device; call
+of_find_device_by_node on line 119, but without a corresponding object
+release within this function.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
+Link: https://lore.kernel.org/r/20211110002910.134915-1-ye.guojin@zte.com.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-hdmi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/fsl/imx-hdmi.c b/sound/soc/fsl/imx-hdmi.c
+index f10359a288005..929f69b758af4 100644
+--- a/sound/soc/fsl/imx-hdmi.c
++++ b/sound/soc/fsl/imx-hdmi.c
+@@ -145,6 +145,8 @@ static int imx_hdmi_probe(struct platform_device *pdev)
+       data->dai.capture_only = false;
+       data->dai.init = imx_hdmi_init;
++      put_device(&cpu_pdev->dev);
++
+       if (of_node_name_eq(cpu_np, "sai")) {
+               data->cpu_priv.sysclk_id[1] = FSL_SAI_CLK_MAST1;
+               data->cpu_priv.sysclk_id[0] = FSL_SAI_CLK_MAST1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-intel-catpt-test-dmaengine_submit-result-before.patch b/queue-5.16/asoc-intel-catpt-test-dmaengine_submit-result-before.patch
new file mode 100644 (file)
index 0000000..09058aa
--- /dev/null
@@ -0,0 +1,65 @@
+From d4ddde598837cb1d6359cb5af66a79c75f5e07f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 12:57:39 +0100
+Subject: ASoC: Intel: catpt: Test dmaengine_submit() result before moving on
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 2a9a72e290d4a4741e673f86b9fba9bfb319786d ]
+
+After calling dmaengine_submit(), the submitted transfer descriptor
+belongs to the DMA engine. Pointer to that descriptor may no longer be
+valid after the call and should be tested before awaiting transfer
+completion.
+
+Reported-by: Kevin Tian <kevin.tian@intel.com>
+Suggested-by: Dave Jiang <dave.jiang@intel.com>
+Fixes: 4fac9b31d0b9 ("ASoC: Intel: Add catpt base members")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20211216115743.2130622-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/catpt/dsp.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/catpt/dsp.c b/sound/soc/intel/catpt/dsp.c
+index 9c5fd18f2600f..346bec0003066 100644
+--- a/sound/soc/intel/catpt/dsp.c
++++ b/sound/soc/intel/catpt/dsp.c
+@@ -65,6 +65,7 @@ static int catpt_dma_memcpy(struct catpt_dev *cdev, struct dma_chan *chan,
+ {
+       struct dma_async_tx_descriptor *desc;
+       enum dma_status status;
++      int ret;
+       desc = dmaengine_prep_dma_memcpy(chan, dst_addr, src_addr, size,
+                                        DMA_CTRL_ACK);
+@@ -77,13 +78,22 @@ static int catpt_dma_memcpy(struct catpt_dev *cdev, struct dma_chan *chan,
+       catpt_updatel_shim(cdev, HMDC,
+                          CATPT_HMDC_HDDA(CATPT_DMA_DEVID, chan->chan_id),
+                          CATPT_HMDC_HDDA(CATPT_DMA_DEVID, chan->chan_id));
+-      dmaengine_submit(desc);
++
++      ret = dma_submit_error(dmaengine_submit(desc));
++      if (ret) {
++              dev_err(cdev->dev, "submit tx failed: %d\n", ret);
++              goto clear_hdda;
++      }
++
+       status = dma_wait_for_async_tx(desc);
++      ret = (status == DMA_COMPLETE) ? 0 : -EPROTO;
++
++clear_hdda:
+       /* regardless of status, disable access to HOST memory in demand mode */
+       catpt_updatel_shim(cdev, HMDC,
+                          CATPT_HMDC_HDDA(CATPT_DMA_DEVID, chan->chan_id), 0);
+-      return (status == DMA_COMPLETE) ? 0 : -EPROTO;
++      return ret;
+ }
+ int catpt_dma_memcpy_todsp(struct catpt_dev *cdev, struct dma_chan *chan,
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-intel-sof_sdw-fix-jack-detection-on-hp-spectre-.patch b/queue-5.16/asoc-intel-sof_sdw-fix-jack-detection-on-hp-spectre-.patch
new file mode 100644 (file)
index 0000000..5802d4a
--- /dev/null
@@ -0,0 +1,66 @@
+From 4c3ade2f4db50dec265397c23f308e530de4937f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 10:18:16 +0800
+Subject: ASoC: Intel: sof_sdw: fix jack detection on HP Spectre x360
+ convertible
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 0527b19fa4f390a6054612e1fa1dd4f8efc96739 ]
+
+Tests on device show the JD2 mode does not work at all, the 'Headphone
+Jack' and 'Headset Mic Jack' are shown as 'on' always.
+
+JD1 seems to be the better option, with at least a change between the
+two cases.
+
+Jack not plugged-in:
+[root@fedora ~]# amixer -Dhw:0 cget numid=12
+numid=12,iface=CARD,name='Headphone Jack'
+  ; type=BOOLEAN,access=r-------,values=1
+  : values=off
+[root@fedora ~]# amixer -Dhw:0 cget numid=13
+numid=13,iface=CARD,name='Headset Mic Jack'
+  ; type=BOOLEAN,access=r-------,values=1
+  : values=off
+
+Jack plugged-in:
+[root@fedora ~]# amixer -Dhw:0 cget numid=13
+numid=13,iface=CARD,name='Headset Mic Jack'
+  ; type=BOOLEAN,access=r-------,values=1
+  : values=on
+[root@fedora ~]# amixer -Dhw:0 cget numid=13
+numid=13,iface=CARD,name='Headset Mic Jack'
+  ; type=BOOLEAN,access=r-------,values=1
+  : values=on
+
+The 'Headset Mic Jack' is updated with a delay which seems normal with
+additional calibration needed.
+
+Fixes: d92e279dee56 ('ASoC: Intel: sof_sdw: add quirk for HP Spectre x360 convertible')
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://lore.kernel.org/r/20211027021824.24776-3-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/sof_sdw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c
+index 77219c3f8766c..54eefaff62a7e 100644
+--- a/sound/soc/intel/boards/sof_sdw.c
++++ b/sound/soc/intel/boards/sof_sdw.c
+@@ -188,7 +188,7 @@ static const struct dmi_system_id sof_sdw_quirk_table[] = {
+               },
+               .driver_data = (void *)(SOF_SDW_TGL_HDMI |
+                                       SOF_SDW_PCH_DMIC |
+-                                      RT711_JD2),
++                                      RT711_JD1),
+       },
+       {
+               /* NUC15 'Bishop County' LAPBC510 and LAPBC710 skews */
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-mediatek-check-for-error-clk-pointer.patch b/queue-5.16/asoc-mediatek-check-for-error-clk-pointer.patch
new file mode 100644 (file)
index 0000000..21d13a6
--- /dev/null
@@ -0,0 +1,68 @@
+From d6593bdf103c35c2a8471dcda92480d1f3f1b7c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 09:51:57 +0800
+Subject: ASoC: mediatek: Check for error clk pointer
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 9de2b9286a6dd16966959b3cb34fc2ddfd39213e ]
+
+Yes, you are right and now the return code depending on the
+init_clks().
+
+Fixes: 6078c651947a ("soc: mediatek: Refine scpsys to support multiple platform")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20211222015157.1025853-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/mediatek/mtk-scpsys.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soc/mediatek/mtk-scpsys.c b/drivers/soc/mediatek/mtk-scpsys.c
+index ca75b14931ec9..670cc82d17dc2 100644
+--- a/drivers/soc/mediatek/mtk-scpsys.c
++++ b/drivers/soc/mediatek/mtk-scpsys.c
+@@ -411,12 +411,17 @@ out:
+       return ret;
+ }
+-static void init_clks(struct platform_device *pdev, struct clk **clk)
++static int init_clks(struct platform_device *pdev, struct clk **clk)
+ {
+       int i;
+-      for (i = CLK_NONE + 1; i < CLK_MAX; i++)
++      for (i = CLK_NONE + 1; i < CLK_MAX; i++) {
+               clk[i] = devm_clk_get(&pdev->dev, clk_names[i]);
++              if (IS_ERR(clk[i]))
++                      return PTR_ERR(clk[i]);
++      }
++
++      return 0;
+ }
+ static struct scp *init_scp(struct platform_device *pdev,
+@@ -426,7 +431,7 @@ static struct scp *init_scp(struct platform_device *pdev,
+ {
+       struct genpd_onecell_data *pd_data;
+       struct resource *res;
+-      int i, j;
++      int i, j, ret;
+       struct scp *scp;
+       struct clk *clk[CLK_MAX];
+@@ -481,7 +486,9 @@ static struct scp *init_scp(struct platform_device *pdev,
+       pd_data->num_domains = num;
+-      init_clks(pdev, clk);
++      ret = init_clks(pdev, clk);
++      if (ret)
++              return ERR_PTR(ret);
+       for (i = 0; i < num; i++) {
+               struct scp_domain *scpd = &scp->domains[i];
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-mediatek-mt8173-fix-device_node-leak.patch b/queue-5.16/asoc-mediatek-mt8173-fix-device_node-leak.patch
new file mode 100644 (file)
index 0000000..9361a98
--- /dev/null
@@ -0,0 +1,78 @@
+From 25d6c0ffe36fecdea8c1848f7fa1f9e4bdc56d5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 14:47:16 +0800
+Subject: ASoC: mediatek: mt8173: fix device_node leak
+
+From: Tzung-Bi Shih <tzungbi@google.com>
+
+[ Upstream commit 493433785df0075afc0c106ab65f10a605d0b35d ]
+
+Fixes the device_node leak.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Link: https://lore.kernel.org/r/20211224064719.2031210-2-tzungbi@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8173/mt8173-max98090.c      | 3 +++
+ sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c | 2 ++
+ sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c | 2 ++
+ sound/soc/mediatek/mt8173/mt8173-rt5650.c        | 2 ++
+ 4 files changed, 9 insertions(+)
+
+diff --git a/sound/soc/mediatek/mt8173/mt8173-max98090.c b/sound/soc/mediatek/mt8173/mt8173-max98090.c
+index fc94314bfc02f..3bdd4931316cd 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-max98090.c
++++ b/sound/soc/mediatek/mt8173/mt8173-max98090.c
+@@ -180,6 +180,9 @@ static int mt8173_max98090_dev_probe(struct platform_device *pdev)
+       if (ret)
+               dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
+                       __func__, ret);
++
++      of_node_put(codec_node);
++      of_node_put(platform_node);
+       return ret;
+ }
+diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
+index 0f28dc2217c09..390da5bf727eb 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
+@@ -218,6 +218,8 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
+       if (ret)
+               dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
+                       __func__, ret);
++
++      of_node_put(platform_node);
+       return ret;
+ }
+diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
+index 077c6ee067806..c8e4e85e10575 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c
+@@ -285,6 +285,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev)
+       if (ret)
+               dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
+                       __func__, ret);
++
++      of_node_put(platform_node);
+       return ret;
+ }
+diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c
+index 2cbf679f5c74b..d8cf0802813a0 100644
+--- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c
++++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c
+@@ -323,6 +323,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev)
+       if (ret)
+               dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
+                       __func__, ret);
++
++      of_node_put(platform_node);
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-mediatek-mt8183-fix-device_node-leak.patch b/queue-5.16/asoc-mediatek-mt8183-fix-device_node-leak.patch
new file mode 100644 (file)
index 0000000..482edfb
--- /dev/null
@@ -0,0 +1,58 @@
+From c0bcde8ae402a843f036b95df289c270e4912d1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 14:47:17 +0800
+Subject: ASoC: mediatek: mt8183: fix device_node leak
+
+From: Tzung-Bi Shih <tzungbi@google.com>
+
+[ Upstream commit cb006006fe6221f092fadaffd3f219288304c9ad ]
+
+Fixes the device_node leak.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Link: https://lore.kernel.org/r/20211224064719.2031210-3-tzungbi@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c         | 6 +++++-
+ sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c | 7 ++++++-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c
+index a4d26a6fc8492..bda103211e0bd 100644
+--- a/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c
++++ b/sound/soc/mediatek/mt8183/mt8183-da7219-max98357.c
+@@ -781,7 +781,11 @@ static int mt8183_da7219_max98357_dev_probe(struct platform_device *pdev)
+               return ret;
+       }
+-      return devm_snd_soc_register_card(&pdev->dev, card);
++      ret = devm_snd_soc_register_card(&pdev->dev, card);
++
++      of_node_put(platform_node);
++      of_node_put(hdmi_codec);
++      return ret;
+ }
+ #ifdef CONFIG_OF
+diff --git a/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c b/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c
+index aeb1af86047ef..9f0bf15fe465e 100644
+--- a/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c
++++ b/sound/soc/mediatek/mt8183/mt8183-mt6358-ts3a227-max98357.c
+@@ -780,7 +780,12 @@ mt8183_mt6358_ts3a227_max98357_dev_probe(struct platform_device *pdev)
+                                __func__, ret);
+       }
+-      return devm_snd_soc_register_card(&pdev->dev, card);
++      ret = devm_snd_soc_register_card(&pdev->dev, card);
++
++      of_node_put(platform_node);
++      of_node_put(ec_codec);
++      of_node_put(hdmi_codec);
++      return ret;
+ }
+ #ifdef CONFIG_OF
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-mediatek-mt8192-mt6359-fix-device_node-leak.patch b/queue-5.16/asoc-mediatek-mt8192-mt6359-fix-device_node-leak.patch
new file mode 100644 (file)
index 0000000..27283b5
--- /dev/null
@@ -0,0 +1,42 @@
+From a7a8fd55c1b0654f2e880d0e9475cba14223e445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 12:00:28 +0800
+Subject: ASoC: mediatek: mt8192-mt6359: fix device_node leak
+
+From: Tzung-Bi Shih <tzungbi@google.com>
+
+[ Upstream commit 4e28491a7a198c668437f2be8a91a76aa52f20eb ]
+
+The of_parse_phandle() document:
+    >>> Use of_node_put() on it when done.
+
+The driver didn't call of_node_put().  Fixes the leak.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
+Link: https://lore.kernel.org/r/20211214040028.2992627-1-tzungbi@google.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c b/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c
+index a606133951b70..24a5d0adec1ba 100644
+--- a/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c
++++ b/sound/soc/mediatek/mt8192/mt8192-mt6359-rt1015-rt5682.c
+@@ -1172,7 +1172,11 @@ static int mt8192_mt6359_dev_probe(struct platform_device *pdev)
+               return ret;
+       }
+-      return devm_snd_soc_register_card(&pdev->dev, card);
++      ret = devm_snd_soc_register_card(&pdev->dev, card);
++
++      of_node_put(platform_node);
++      of_node_put(hdmi_codec);
++      return ret;
+ }
+ #ifdef CONFIG_OF
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-mediatek-mt8195-correct-default-value.patch b/queue-5.16/asoc-mediatek-mt8195-correct-default-value.patch
new file mode 100644 (file)
index 0000000..ef1e1cf
--- /dev/null
@@ -0,0 +1,42 @@
+From a59a92c0c1a8b5e1b0fcf1193bb9edcc26ac500b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 10:24:24 +0800
+Subject: ASoC: mediatek: mt8195: correct default value
+
+From: Trevor Wu <trevor.wu@mediatek.com>
+
+[ Upstream commit 30e693ee82d20361f2caacca3b68c79e1a7cb16c ]
+
+mt8195_cg_patch is used to reset the default value of audio cg, so the
+register value could be consistent with CCF reference count.
+Nevertheless, AUDIO_TOP_CON1[1:0] is used to control an internal mux,
+and it's expected to keep the default value 0.
+
+This patch corrects the default value in case an unexpected behavior
+happens in the future.
+
+Fixes: 6746cc8582599 ("ASoC: mediatek: mt8195: add platform driver")
+Signed-off-by: Trevor Wu <trevor.wu@mediatek.com>
+Link: https://lore.kernel.org/r/20211216022424.28470-1-trevor.wu@mediatek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8195/mt8195-afe-pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
+index 2bb05a828e8d2..15b4cae2524c1 100644
+--- a/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
++++ b/sound/soc/mediatek/mt8195/mt8195-afe-pcm.c
+@@ -3028,7 +3028,7 @@ static const struct reg_sequence mt8195_afe_reg_defaults[] = {
+ static const struct reg_sequence mt8195_cg_patch[] = {
+       { AUDIO_TOP_CON0, 0xfffffffb },
+-      { AUDIO_TOP_CON1, 0xfffffffa },
++      { AUDIO_TOP_CON1, 0xfffffff8 },
+ };
+ static int mt8195_afe_init_registers(struct mtk_base_afe *afe)
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-mediatek-mt8195-correct-pcmif-be-dai-control-fl.patch b/queue-5.16/asoc-mediatek-mt8195-correct-pcmif-be-dai-control-fl.patch
new file mode 100644 (file)
index 0000000..b131751
--- /dev/null
@@ -0,0 +1,166 @@
+From e220ff280dae19d187d337a56538a8b87221e1d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 16:47:30 +0800
+Subject: ASoC: mediatek: mt8195: correct pcmif BE dai control flow
+
+From: Trevor Wu <trevor.wu@mediatek.com>
+
+[ Upstream commit 2355028c0c54c03afb66c589347f1dc9f6fe2e38 ]
+
+Originally, the conditions for preventing reentry are not correct.
+dai->component->active is not the state specifically for pcmif dai, so it
+is not a correct condition to indicate the status of pcmif dai.
+On the other hand, snd_soc_dai_stream_actvie() in prepare ops for both
+playback and capture possibly return true at the first entry when these
+two streams are opened at the same time.
+
+In the patch, I refer to the implementation in mt8192-dai-pcm.c.
+Clock and enabling bit for PCMIF are managed by DAPM, and the condition
+for prepare ops is replaced by the status of dai widget.
+
+Fixes: 1f95c019115c ("ASoC: mediatek: mt8195: support pcm in platform driver")
+Signed-off-by: Trevor Wu <trevor.wu@mediatek.com>
+Link: https://lore.kernel.org/r/20211230084731.31372-2-trevor.wu@mediatek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8195/mt8195-dai-pcm.c | 73 +++++++---------------
+ sound/soc/mediatek/mt8195/mt8195-reg.h     |  1 +
+ 2 files changed, 22 insertions(+), 52 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8195/mt8195-dai-pcm.c b/sound/soc/mediatek/mt8195/mt8195-dai-pcm.c
+index 5d10d2c4c991c..151914c873acd 100644
+--- a/sound/soc/mediatek/mt8195/mt8195-dai-pcm.c
++++ b/sound/soc/mediatek/mt8195/mt8195-dai-pcm.c
+@@ -80,8 +80,15 @@ static const struct snd_soc_dapm_widget mtk_dai_pcm_widgets[] = {
+                          mtk_dai_pcm_o001_mix,
+                          ARRAY_SIZE(mtk_dai_pcm_o001_mix)),
++      SND_SOC_DAPM_SUPPLY("PCM_EN", PCM_INTF_CON1,
++                          PCM_INTF_CON1_PCM_EN_SHIFT, 0, NULL, 0),
++
+       SND_SOC_DAPM_INPUT("PCM1_INPUT"),
+       SND_SOC_DAPM_OUTPUT("PCM1_OUTPUT"),
++
++      SND_SOC_DAPM_CLOCK_SUPPLY("aud_asrc11"),
++      SND_SOC_DAPM_CLOCK_SUPPLY("aud_asrc12"),
++      SND_SOC_DAPM_CLOCK_SUPPLY("aud_pcmif"),
+ };
+ static const struct snd_soc_dapm_route mtk_dai_pcm_routes[] = {
+@@ -97,22 +104,18 @@ static const struct snd_soc_dapm_route mtk_dai_pcm_routes[] = {
+       {"PCM1 Playback", NULL, "O000"},
+       {"PCM1 Playback", NULL, "O001"},
++      {"PCM1 Playback", NULL, "PCM_EN"},
++      {"PCM1 Playback", NULL, "aud_asrc12"},
++      {"PCM1 Playback", NULL, "aud_pcmif"},
++
++      {"PCM1 Capture", NULL, "PCM_EN"},
++      {"PCM1 Capture", NULL, "aud_asrc11"},
++      {"PCM1 Capture", NULL, "aud_pcmif"},
++
+       {"PCM1_OUTPUT", NULL, "PCM1 Playback"},
+       {"PCM1 Capture", NULL, "PCM1_INPUT"},
+ };
+-static void mtk_dai_pcm_enable(struct mtk_base_afe *afe)
+-{
+-      regmap_update_bits(afe->regmap, PCM_INTF_CON1,
+-                         PCM_INTF_CON1_PCM_EN, PCM_INTF_CON1_PCM_EN);
+-}
+-
+-static void mtk_dai_pcm_disable(struct mtk_base_afe *afe)
+-{
+-      regmap_update_bits(afe->regmap, PCM_INTF_CON1,
+-                         PCM_INTF_CON1_PCM_EN, 0x0);
+-}
+-
+ static int mtk_dai_pcm_configure(struct snd_pcm_substream *substream,
+                                struct snd_soc_dai *dai)
+ {
+@@ -207,54 +210,22 @@ static int mtk_dai_pcm_configure(struct snd_pcm_substream *substream,
+ }
+ /* dai ops */
+-static int mtk_dai_pcm_startup(struct snd_pcm_substream *substream,
+-                             struct snd_soc_dai *dai)
+-{
+-      struct mtk_base_afe *afe = snd_soc_dai_get_drvdata(dai);
+-      struct mt8195_afe_private *afe_priv = afe->platform_priv;
+-
+-      if (dai->component->active)
+-              return 0;
+-
+-      mt8195_afe_enable_clk(afe, afe_priv->clk[MT8195_CLK_AUD_ASRC11]);
+-      mt8195_afe_enable_clk(afe, afe_priv->clk[MT8195_CLK_AUD_ASRC12]);
+-      mt8195_afe_enable_clk(afe, afe_priv->clk[MT8195_CLK_AUD_PCMIF]);
+-
+-      return 0;
+-}
+-
+-static void mtk_dai_pcm_shutdown(struct snd_pcm_substream *substream,
+-                               struct snd_soc_dai *dai)
+-{
+-      struct mtk_base_afe *afe = snd_soc_dai_get_drvdata(dai);
+-      struct mt8195_afe_private *afe_priv = afe->platform_priv;
+-
+-      if (dai->component->active)
+-              return;
+-
+-      mtk_dai_pcm_disable(afe);
+-
+-      mt8195_afe_disable_clk(afe, afe_priv->clk[MT8195_CLK_AUD_PCMIF]);
+-      mt8195_afe_disable_clk(afe, afe_priv->clk[MT8195_CLK_AUD_ASRC12]);
+-      mt8195_afe_disable_clk(afe, afe_priv->clk[MT8195_CLK_AUD_ASRC11]);
+-}
+-
+ static int mtk_dai_pcm_prepare(struct snd_pcm_substream *substream,
+                              struct snd_soc_dai *dai)
+ {
+-      struct mtk_base_afe *afe = snd_soc_dai_get_drvdata(dai);
+-      int ret = 0;
++      int ret;
+-      if (snd_soc_dai_stream_active(dai, SNDRV_PCM_STREAM_PLAYBACK) &&
+-          snd_soc_dai_stream_active(dai, SNDRV_PCM_STREAM_CAPTURE))
++      dev_dbg(dai->dev, "%s(), id %d, stream %d, widget active p %d, c %d\n",
++              __func__, dai->id, substream->stream,
++              dai->playback_widget->active, dai->capture_widget->active);
++
++      if (dai->playback_widget->active || dai->capture_widget->active)
+               return 0;
+       ret = mtk_dai_pcm_configure(substream, dai);
+       if (ret)
+               return ret;
+-      mtk_dai_pcm_enable(afe);
+-
+       return 0;
+ }
+@@ -316,8 +287,6 @@ static int mtk_dai_pcm_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
+ }
+ static const struct snd_soc_dai_ops mtk_dai_pcm_ops = {
+-      .startup        = mtk_dai_pcm_startup,
+-      .shutdown       = mtk_dai_pcm_shutdown,
+       .prepare        = mtk_dai_pcm_prepare,
+       .set_fmt        = mtk_dai_pcm_set_fmt,
+ };
+diff --git a/sound/soc/mediatek/mt8195/mt8195-reg.h b/sound/soc/mediatek/mt8195/mt8195-reg.h
+index d06f9cf85a4ec..d3871353db415 100644
+--- a/sound/soc/mediatek/mt8195/mt8195-reg.h
++++ b/sound/soc/mediatek/mt8195/mt8195-reg.h
+@@ -2550,6 +2550,7 @@
+ #define PCM_INTF_CON1_PCM_FMT(x)       (((x) & 0x3) << 1)
+ #define PCM_INTF_CON1_PCM_FMT_MASK     (0x3 << 1)
+ #define PCM_INTF_CON1_PCM_EN           BIT(0)
++#define PCM_INTF_CON1_PCM_EN_SHIFT     0
+ /* PCM_INTF_CON2 */
+ #define PCM_INTF_CON2_CLK_DOMAIN_SEL(x)   (((x) & 0x3) << 23)
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-rt5663-handle-device_property_read_u32_array-er.patch b/queue-5.16/asoc-rt5663-handle-device_property_read_u32_array-er.patch
new file mode 100644 (file)
index 0000000..c4450fb
--- /dev/null
@@ -0,0 +1,65 @@
+From b7d424741006e08ef3a4b627432eedbb2c8ec8d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 11:15:50 +0800
+Subject: ASoC: rt5663: Handle device_property_read_u32_array error codes
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 2167c0b205960607fb136b4bb3c556a62be1569a ]
+
+The return value of device_property_read_u32_array() is not always 0.
+To catch the exception in case that devm_kzalloc failed and the
+rt5663->imp_table was NULL, which caused the failure of
+device_property_read_u32_array.
+
+Fixes: 450f0f6a8fb4 ("ASoC: rt5663: Add the manual offset field to compensate the DC offset")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20211215031550.70702-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5663.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5663.c b/sound/soc/codecs/rt5663.c
+index 0389b2bb360e2..2138f62e6af5d 100644
+--- a/sound/soc/codecs/rt5663.c
++++ b/sound/soc/codecs/rt5663.c
+@@ -3461,6 +3461,7 @@ static void rt5663_calibrate(struct rt5663_priv *rt5663)
+ static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev)
+ {
+       int table_size;
++      int ret;
+       device_property_read_u32(dev, "realtek,dc_offset_l_manual",
+               &rt5663->pdata.dc_offset_l_manual);
+@@ -3477,9 +3478,11 @@ static int rt5663_parse_dp(struct rt5663_priv *rt5663, struct device *dev)
+               table_size = sizeof(struct impedance_mapping_table) *
+                       rt5663->pdata.impedance_sensing_num;
+               rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL);
+-              device_property_read_u32_array(dev,
++              ret = device_property_read_u32_array(dev,
+                       "realtek,impedance_sensing_table",
+                       (u32 *)rt5663->imp_table, table_size);
++              if (ret)
++                      return ret;
+       }
+       return 0;
+@@ -3504,8 +3507,11 @@ static int rt5663_i2c_probe(struct i2c_client *i2c,
+       if (pdata)
+               rt5663->pdata = *pdata;
+-      else
+-              rt5663_parse_dp(rt5663, &i2c->dev);
++      else {
++              ret = rt5663_parse_dp(rt5663, &i2c->dev);
++              if (ret)
++                      return ret;
++      }
+       for (i = 0; i < ARRAY_SIZE(rt5663->supplies); i++)
+               rt5663->supplies[i].supply = rt5663_supply_names[i];
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-samsung-idma-check-of-ioremap-return-value.patch b/queue-5.16/asoc-samsung-idma-check-of-ioremap-return-value.patch
new file mode 100644 (file)
index 0000000..7314eca
--- /dev/null
@@ -0,0 +1,40 @@
+From a13e9612273498af62d51d53a1441826d11a3ad4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Dec 2021 11:40:26 +0800
+Subject: ASoC: samsung: idma: Check of ioremap return value
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 3ecb46755eb85456b459a1a9f952c52986bce8ec ]
+
+Because of the potential failure of the ioremap(), the buf->area could
+be NULL.
+Therefore, we need to check it and return -ENOMEM in order to transfer
+the error.
+
+Fixes: f09aecd50f39 ("ASoC: SAMSUNG: Add I2S0 internal dma driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20211228034026.1659385-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/samsung/idma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c
+index 66bcc2f97544b..c3f1b054e2389 100644
+--- a/sound/soc/samsung/idma.c
++++ b/sound/soc/samsung/idma.c
+@@ -360,6 +360,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream)
+       buf->addr = idma.lp_tx_addr;
+       buf->bytes = idma_hardware.buffer_bytes_max;
+       buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes);
++      if (!buf->area)
++              return -ENOMEM;
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-sof-intel-fix-build-issue-related-to-codec_prob.patch b/queue-5.16/asoc-sof-intel-fix-build-issue-related-to-codec_prob.patch
new file mode 100644 (file)
index 0000000..312ae6b
--- /dev/null
@@ -0,0 +1,45 @@
+From 8e5fa7a557f8e7ef7a07bc12e425d742168c5def Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 17:47:21 +0200
+Subject: ASoC: SOF: Intel: fix build issue related to CODEC_PROBE_ENTRIES
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+[ Upstream commit 9a83dfcc5ae8230fbf12b63e281d5bb8450ec0e7 ]
+
+Fix following error:
+sound/soc/sof/intel/hda-codec.c:132:35: error: use of undeclared identifier 'CODEC_PROBE_RETRIES'
+
+Found with config: i386-randconfig-r033-20211202
+(https://download.01.org/0day-ci/archive/20211203/202112031943.Twg19fWT-lkp@intel.com/config)
+
+Fixes: 046aede2f847 ("ASoC: SOF: Intel: Retry codec probing if it fails")
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20211203154721.923496-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-codec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c
+index 13cd96e6724a4..2f3f4a733d9e6 100644
+--- a/sound/soc/sof/intel/hda-codec.c
++++ b/sound/soc/sof/intel/hda-codec.c
+@@ -20,9 +20,10 @@
+ #include "../../codecs/hdac_hda.h"
+ #endif /* CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC */
++#define CODEC_PROBE_RETRIES   3
++
+ #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC)
+ #define IDISP_VID_INTEL       0x80860000
+-#define CODEC_PROBE_RETRIES 3
+ /* load the legacy HDA codec driver */
+ static int request_codec_module(struct hda_codec *codec)
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-sof-intel-hda-add-quirks-for-hdaudio-dma-positi.patch b/queue-5.16/asoc-sof-intel-hda-add-quirks-for-hdaudio-dma-positi.patch
new file mode 100644 (file)
index 0000000..d18c371
--- /dev/null
@@ -0,0 +1,188 @@
+From 3fa989abd3da6018d946da94ab7173d29e8acff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 13:39:45 -0600
+Subject: ASoC: SOF: Intel: hda: add quirks for HDAudio DMA position
+ information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 288fad2f71fa0b989c075d4984879c26d47cfb06 ]
+
+The code inherited from the Skylake driver does not seem to follow any
+known hardware recommendations.
+
+The only two recommended options are
+a) use DPIB registers if VC1 traffic is not allowed
+b) use DPIB DDR update if VC1 traffic is used
+
+In all of SOF-based updated, VC1 is not supported so we can 'safely'
+move to using DPIB registers only.
+
+This patch keeps the legacy code, in case there was an undocumented
+issue lost to history, and adds the DPIB DDR update for additional
+debug.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20211207193947.71080-6-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-pcm.c | 86 +++++++++++++++++++++++++----------
+ sound/soc/sof/intel/hda.c     |  9 +++-
+ sound/soc/sof/intel/hda.h     |  6 +++
+ 3 files changed, 75 insertions(+), 26 deletions(-)
+
+diff --git a/sound/soc/sof/intel/hda-pcm.c b/sound/soc/sof/intel/hda-pcm.c
+index cc8ddef37f37b..41cb60955f5c1 100644
+--- a/sound/soc/sof/intel/hda-pcm.c
++++ b/sound/soc/sof/intel/hda-pcm.c
+@@ -172,38 +172,74 @@ snd_pcm_uframes_t hda_dsp_pcm_pointer(struct snd_sof_dev *sdev,
+               goto found;
+       }
+-      /*
+-       * DPIB/posbuf position mode:
+-       * For Playback, Use DPIB register from HDA space which
+-       * reflects the actual data transferred.
+-       * For Capture, Use the position buffer for pointer, as DPIB
+-       * is not accurate enough, its update may be completed
+-       * earlier than the data written to DDR.
+-       */
+-      if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
++      switch (sof_hda_position_quirk) {
++      case SOF_HDA_POSITION_QUIRK_USE_SKYLAKE_LEGACY:
++              /*
++               * This legacy code, inherited from the Skylake driver,
++               * mixes DPIB registers and DPIB DDR updates and
++               * does not seem to follow any known hardware recommendations.
++               * It's not clear e.g. why there is a different flow
++               * for capture and playback, the only information that matters is
++               * what traffic class is used, and on all SOF-enabled platforms
++               * only VC0 is supported so the work-around was likely not necessary
++               * and quite possibly wrong.
++               */
++
++              /* DPIB/posbuf position mode:
++               * For Playback, Use DPIB register from HDA space which
++               * reflects the actual data transferred.
++               * For Capture, Use the position buffer for pointer, as DPIB
++               * is not accurate enough, its update may be completed
++               * earlier than the data written to DDR.
++               */
++              if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
++                      pos = snd_sof_dsp_read(sdev, HDA_DSP_HDA_BAR,
++                                             AZX_REG_VS_SDXDPIB_XBASE +
++                                             (AZX_REG_VS_SDXDPIB_XINTERVAL *
++                                              hstream->index));
++              } else {
++                      /*
++                       * For capture stream, we need more workaround to fix the
++                       * position incorrect issue:
++                       *
++                       * 1. Wait at least 20us before reading position buffer after
++                       * the interrupt generated(IOC), to make sure position update
++                       * happens on frame boundary i.e. 20.833uSec for 48KHz.
++                       * 2. Perform a dummy Read to DPIB register to flush DMA
++                       * position value.
++                       * 3. Read the DMA Position from posbuf. Now the readback
++                       * value should be >= period boundary.
++                       */
++                      usleep_range(20, 21);
++                      snd_sof_dsp_read(sdev, HDA_DSP_HDA_BAR,
++                                       AZX_REG_VS_SDXDPIB_XBASE +
++                                       (AZX_REG_VS_SDXDPIB_XINTERVAL *
++                                        hstream->index));
++                      pos = snd_hdac_stream_get_pos_posbuf(hstream);
++              }
++              break;
++      case SOF_HDA_POSITION_QUIRK_USE_DPIB_REGISTERS:
++              /*
++               * In case VC1 traffic is disabled this is the recommended option
++               */
+               pos = snd_sof_dsp_read(sdev, HDA_DSP_HDA_BAR,
+                                      AZX_REG_VS_SDXDPIB_XBASE +
+                                      (AZX_REG_VS_SDXDPIB_XINTERVAL *
+                                       hstream->index));
+-      } else {
++              break;
++      case SOF_HDA_POSITION_QUIRK_USE_DPIB_DDR_UPDATE:
+               /*
+-               * For capture stream, we need more workaround to fix the
+-               * position incorrect issue:
+-               *
+-               * 1. Wait at least 20us before reading position buffer after
+-               * the interrupt generated(IOC), to make sure position update
+-               * happens on frame boundary i.e. 20.833uSec for 48KHz.
+-               * 2. Perform a dummy Read to DPIB register to flush DMA
+-               * position value.
+-               * 3. Read the DMA Position from posbuf. Now the readback
+-               * value should be >= period boundary.
++               * This is the recommended option when VC1 is enabled.
++               * While this isn't needed for SOF platforms it's added for
++               * consistency and debug.
+                */
+-              usleep_range(20, 21);
+-              snd_sof_dsp_read(sdev, HDA_DSP_HDA_BAR,
+-                               AZX_REG_VS_SDXDPIB_XBASE +
+-                               (AZX_REG_VS_SDXDPIB_XINTERVAL *
+-                                hstream->index));
+               pos = snd_hdac_stream_get_pos_posbuf(hstream);
++              break;
++      default:
++              dev_err_once(sdev->dev, "hda_position_quirk value %d not supported\n",
++                           sof_hda_position_quirk);
++              pos = 0;
++              break;
+       }
+       if (pos >= hstream->bufsize)
+diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
+index 2c0d4d06ab364..25200a0e1dc9d 100644
+--- a/sound/soc/sof/intel/hda.c
++++ b/sound/soc/sof/intel/hda.c
+@@ -440,6 +440,10 @@ MODULE_PARM_DESC(use_msi, "SOF HDA use PCI MSI mode");
+ #define hda_use_msi   (1)
+ #endif
++int sof_hda_position_quirk = SOF_HDA_POSITION_QUIRK_USE_DPIB_REGISTERS;
++module_param_named(position_quirk, sof_hda_position_quirk, int, 0444);
++MODULE_PARM_DESC(position_quirk, "SOF HDaudio position quirk");
++
+ static char *hda_model;
+ module_param(hda_model, charp, 0444);
+ MODULE_PARM_DESC(hda_model, "Use the given HDA board model.");
+@@ -618,7 +622,10 @@ static int hda_init(struct snd_sof_dev *sdev)
+       /* HDA bus init */
+       sof_hda_bus_init(bus, &pci->dev);
+-      bus->use_posbuf = 1;
++      if (sof_hda_position_quirk == SOF_HDA_POSITION_QUIRK_USE_DPIB_REGISTERS)
++              bus->use_posbuf = 0;
++      else
++              bus->use_posbuf = 1;
+       bus->bdl_pos_adj = 0;
+       bus->sync_write = 1;
+diff --git a/sound/soc/sof/intel/hda.h b/sound/soc/sof/intel/hda.h
+index 1195018a1f4f5..dba4733ccf9ae 100644
+--- a/sound/soc/sof/intel/hda.h
++++ b/sound/soc/sof/intel/hda.h
+@@ -738,4 +738,10 @@ struct sof_ipc_dai_config;
+ int hda_ctrl_dai_widget_setup(struct snd_soc_dapm_widget *w);
+ int hda_ctrl_dai_widget_free(struct snd_soc_dapm_widget *w);
++#define SOF_HDA_POSITION_QUIRK_USE_SKYLAKE_LEGACY     (0) /* previous implementation */
++#define SOF_HDA_POSITION_QUIRK_USE_DPIB_REGISTERS     (1) /* recommended if VC0 only */
++#define SOF_HDA_POSITION_QUIRK_USE_DPIB_DDR_UPDATE    (2) /* recommended with VC0 or VC1 */
++
++extern int sof_hda_position_quirk;
++
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-sof-ipc-add-null-pointer-check-for-substream-ru.patch b/queue-5.16/asoc-sof-ipc-add-null-pointer-check-for-substream-ru.patch
new file mode 100644 (file)
index 0000000..2fa654d
--- /dev/null
@@ -0,0 +1,42 @@
+From c3230473e6c83710773e8382b761289e2c685356 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 17:24:21 -0600
+Subject: ASoC: SOF: ipc: Add null pointer check for substream->runtime
+
+From: Ajit Kumar Pandey <AjitKumar.Pandey@amd.com>
+
+[ Upstream commit 182b682b9ab1348e07ea1bf9d8f2505cc67f9237 ]
+
+When pcm stream is stopped "substream->runtime" pointer will be set
+to NULL by ALSA core. In case host received an ipc msg from firmware
+of type IPC_STREAM_POSITION after pcm stream is stopped, there will
+be kernel NULL pointer exception in ipc_period_elapsed(). This patch
+fixes it by adding NULL pointer check for "substream->runtime".
+
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Ajit Kumar Pandey <AjitKumar.Pandey@amd.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20211216232422.345164-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc.c b/sound/soc/sof/ipc.c
+index e6c53c6c470e4..ca30c506a0fd6 100644
+--- a/sound/soc/sof/ipc.c
++++ b/sound/soc/sof/ipc.c
+@@ -547,7 +547,8 @@ static void ipc_period_elapsed(struct snd_sof_dev *sdev, u32 msg_id)
+       if (spcm->pcm.compress)
+               snd_sof_compr_fragment_elapsed(stream->cstream);
+-      else if (!stream->substream->runtime->no_period_wakeup)
++      else if (stream->substream->runtime &&
++               !stream->substream->runtime->no_period_wakeup)
+               /* only inform ALSA for period_wakeup mode */
+               snd_sof_pcm_period_elapsed(stream->substream);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-test-component-fix-null-pointer-dereference.patch b/queue-5.16/asoc-test-component-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..a2262da
--- /dev/null
@@ -0,0 +1,46 @@
+From eb44dc6806dfe70a32746c95bb9a323653f38b67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 01:42:00 +0500
+Subject: ASoC: test-component: fix null pointer dereference.
+
+From: Ameer Hamza <amhamza.mgc@gmail.com>
+
+[ Upstream commit c686316ec1210d43653c91e104c1e4cd0156dc89 ]
+
+Dereferncing of_id pointer will result in exception in current
+implementation since of_match_device() will assign it to NULL.
+Adding NULL check for protection.
+
+Signed-off-by: Ameer Hamza <amhamza.mgc@gmail.com>
+Link: https://lore.kernel.org/r/20211205204200.7852-1-amhamza.mgc@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/generic/test-component.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/generic/test-component.c b/sound/soc/generic/test-component.c
+index 85385a771d807..8fc97d3ff0110 100644
+--- a/sound/soc/generic/test-component.c
++++ b/sound/soc/generic/test-component.c
+@@ -532,13 +532,16 @@ static int test_driver_probe(struct platform_device *pdev)
+       struct device_node *node = dev->of_node;
+       struct device_node *ep;
+       const struct of_device_id *of_id = of_match_device(test_of_match, &pdev->dev);
+-      const struct test_adata *adata = of_id->data;
++      const struct test_adata *adata;
+       struct snd_soc_component_driver *cdriv;
+       struct snd_soc_dai_driver *ddriv;
+       struct test_dai_name *dname;
+       struct test_priv *priv;
+       int num, ret, i;
++      if (!of_id)
++              return -EINVAL;
++      adata = of_id->data;
+       num = of_graph_get_endpoint_count(node);
+       if (!num) {
+               dev_err(dev, "no port exits\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch b/queue-5.16/asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch
new file mode 100644 (file)
index 0000000..53b01c4
--- /dev/null
@@ -0,0 +1,53 @@
+From ef6de367e8a8a465538b52fde539f94ed4bbe8db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 10:51:57 +0100
+Subject: ASoC: uniphier: drop selecting non-existing SND_SOC_UNIPHIER_AIO_DMA
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit 49f893253ab43566e34332a969324531fea463f6 ]
+
+Commit f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common
+driver") adds configs SND_SOC_UNIPHIER_{LD11,PXS2}, which select the
+non-existing config SND_SOC_UNIPHIER_AIO_DMA.
+
+Hence, ./scripts/checkkconfigsymbols.py warns:
+
+  SND_SOC_UNIPHIER_AIO_DMA
+  Referencing files: sound/soc/uniphier/Kconfig
+
+Probably, there is actually no further config intended to be selected
+here. So, just drop selecting the non-existing config.
+
+Fixes: f37fe2f9987b ("ASoC: uniphier: add support for UniPhier AIO common driver")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Link: https://lore.kernel.org/r/20211125095158.8394-2-lukas.bulwahn@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/uniphier/Kconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/soc/uniphier/Kconfig b/sound/soc/uniphier/Kconfig
+index aa3592ee1358b..ddfa6424c656b 100644
+--- a/sound/soc/uniphier/Kconfig
++++ b/sound/soc/uniphier/Kconfig
+@@ -23,7 +23,6 @@ config SND_SOC_UNIPHIER_LD11
+       tristate "UniPhier LD11/LD20 Device Driver"
+       depends on SND_SOC_UNIPHIER
+       select SND_SOC_UNIPHIER_AIO
+-      select SND_SOC_UNIPHIER_AIO_DMA
+       help
+         This adds ASoC driver for Socionext UniPhier LD11/LD20
+         input and output that can be used with other codecs.
+@@ -34,7 +33,6 @@ config SND_SOC_UNIPHIER_PXS2
+       tristate "UniPhier PXs2 Device Driver"
+       depends on SND_SOC_UNIPHIER
+       select SND_SOC_UNIPHIER_AIO
+-      select SND_SOC_UNIPHIER_AIO_DMA
+       help
+         This adds ASoC driver for Socionext UniPhier PXs2
+         input and output that can be used with other codecs.
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath10k-drop-beacon-and-probe-response-which-leak-fro.patch b/queue-5.16/ath10k-drop-beacon-and-probe-response-which-leak-fro.patch
new file mode 100644 (file)
index 0000000..6b714ed
--- /dev/null
@@ -0,0 +1,77 @@
+From 0f24d7da3c3a459c1af476b6a6130db70b26798a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 01:17:52 -0500
+Subject: ath10k: drop beacon and probe response which leak from other channel
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit 3bf2537ec2e33310b431b53fd84be8833736c256 ]
+
+When scan request on channel 1, it also receive beacon from other
+channels, and the beacon also indicate to mac80211 and wpa_supplicant,
+and then the bss info appears in radio measurement report of radio
+measurement sent from wpa_supplicant, thus lead RRM case fail.
+
+This is to drop the beacon and probe response which is not the same
+channel of scanning.
+
+Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
+
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20211208061752.16564-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
+index 7c1c2658cb5f8..4733fd7fb169e 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -2611,9 +2611,30 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
+               ath10k_mac_handle_beacon(ar, skb);
+       if (ieee80211_is_beacon(hdr->frame_control) ||
+-          ieee80211_is_probe_resp(hdr->frame_control))
++          ieee80211_is_probe_resp(hdr->frame_control)) {
++              struct ieee80211_mgmt *mgmt = (void *)skb->data;
++              u8 *ies;
++              int ies_ch;
++
+               status->boottime_ns = ktime_get_boottime_ns();
++              if (!ar->scan_channel)
++                      goto drop;
++
++              ies = mgmt->u.beacon.variable;
++
++              ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
++                                                       skb_tail_pointer(skb) - ies,
++                                                       sband->band);
++
++              if (ies_ch > 0 && ies_ch != channel) {
++                      ath10k_dbg(ar, ATH10K_DBG_MGMT,
++                                 "channel mismatched ds channel %d scan channel %d\n",
++                                 ies_ch, channel);
++                      goto drop;
++              }
++      }
++
+       ath10k_dbg(ar, ATH10K_DBG_MGMT,
+                  "event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
+                  skb, skb->len,
+@@ -2627,6 +2648,10 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
+       ieee80211_rx_ni(ar->hw, skb);
+       return 0;
++
++drop:
++      dev_kfree_skb(skb);
++      return 0;
+ }
+ static int freq_to_idx(struct ath10k *ar, int freq)
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath10k-fix-the-mtu-size-on-qca9377-sdio.patch b/queue-5.16/ath10k-fix-the-mtu-size-on-qca9377-sdio.patch
new file mode 100644 (file)
index 0000000..1e26eb6
--- /dev/null
@@ -0,0 +1,215 @@
+From 919f89b9da299515bbcb235c44c55f0355699aa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 10:10:47 -0300
+Subject: ath10k: Fix the MTU size on QCA9377 SDIO
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 09b8cd69edcf2be04a781e1781e98e52a775c9ad ]
+
+On an imx6dl-pico-pi board with a QCA9377 SDIO chip, simply trying to
+connect via ssh to another machine causes:
+
+[   55.824159] ath10k_sdio mmc1:0001:1: failed to transmit packet, dropping: -12
+[   55.832169] ath10k_sdio mmc1:0001:1: failed to submit frame: -12
+[   55.838529] ath10k_sdio mmc1:0001:1: failed to push frame: -12
+[   55.905863] ath10k_sdio mmc1:0001:1: failed to transmit packet, dropping: -12
+[   55.913650] ath10k_sdio mmc1:0001:1: failed to submit frame: -12
+[   55.919887] ath10k_sdio mmc1:0001:1: failed to push frame: -12
+
+, leading to an ssh connection failure.
+
+One user inspected the size of frames on Wireshark and reported
+the followig:
+
+"I was able to narrow the issue down to the mtu. If I set the mtu for
+the wlan0 device to 1486 instead of 1500, the issue does not happen.
+
+The size of frames that I see on Wireshark is exactly 1500 after
+setting it to 1486."
+
+Clearing the HI_ACS_FLAGS_ALT_DATA_CREDIT_SIZE avoids the problem and
+the ssh command works successfully after that.
+
+Introduce a 'credit_size_workaround' field to ath10k_hw_params for
+the QCA9377 SDIO, so that the HI_ACS_FLAGS_ALT_DATA_CREDIT_SIZE
+is not set in this case.
+
+Tested with QCA9377 SDIO with firmware WLAN.TF.1.1.1-00061-QCATFSWPZ-1.
+
+Fixes: 2f918ea98606 ("ath10k: enable alt data of TX path for sdio")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20211124131047.713756-1-festevam@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 19 ++++++++++++++++++-
+ drivers/net/wireless/ath/ath10k/hw.h   |  3 +++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index 5935e0973d146..5e3b4d10c1a95 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -89,6 +89,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = true,
+               .dynamic_sar_support = false,
+       },
+@@ -124,6 +125,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = true,
+               .dynamic_sar_support = false,
+       },
+@@ -160,6 +162,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -190,6 +193,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .num_wds_entries = 0x20,
+               .uart_pin_workaround = true,
+               .tx_stats_over_pktlog = false,
++              .credit_size_workaround = false,
+               .bmi_large_size_download = true,
+               .supports_peer_stats_info = true,
+               .dynamic_sar_support = true,
+@@ -226,6 +230,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -261,6 +266,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -296,6 +302,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -334,6 +341,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = true,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .supports_peer_stats_info = true,
+               .dynamic_sar_support = true,
+@@ -376,6 +384,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -424,6 +433,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -469,6 +479,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -504,6 +515,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -541,6 +553,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = true,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -570,6 +583,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .ast_skid_limit = 0x10,
+               .num_wds_entries = 0x20,
+               .uart_pin_workaround = true,
++              .credit_size_workaround = true,
+               .dynamic_sar_support = false,
+       },
+       {
+@@ -611,6 +625,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = false,
+               .hw_filter_reset_required = true,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = false,
+       },
+@@ -639,6 +654,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+               .rri_on_ddr = true,
+               .hw_filter_reset_required = false,
+               .fw_diag_ce_download = false,
++              .credit_size_workaround = false,
+               .tx_stats_over_pktlog = false,
+               .dynamic_sar_support = true,
+       },
+@@ -714,6 +730,7 @@ static void ath10k_send_suspend_complete(struct ath10k *ar)
+ static int ath10k_init_sdio(struct ath10k *ar, enum ath10k_firmware_mode mode)
+ {
++      bool mtu_workaround = ar->hw_params.credit_size_workaround;
+       int ret;
+       u32 param = 0;
+@@ -731,7 +748,7 @@ static int ath10k_init_sdio(struct ath10k *ar, enum ath10k_firmware_mode mode)
+       param |= HI_ACS_FLAGS_SDIO_REDUCE_TX_COMPL_SET;
+-      if (mode == ATH10K_FIRMWARE_MODE_NORMAL)
++      if (mode == ATH10K_FIRMWARE_MODE_NORMAL && !mtu_workaround)
+               param |= HI_ACS_FLAGS_ALT_DATA_CREDIT_SIZE;
+       else
+               param &= ~HI_ACS_FLAGS_ALT_DATA_CREDIT_SIZE;
+diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h
+index 6b03c7787e36a..591ef7416b613 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.h
++++ b/drivers/net/wireless/ath/ath10k/hw.h
+@@ -618,6 +618,9 @@ struct ath10k_hw_params {
+        */
+       bool uart_pin_workaround;
++      /* Workaround for the credit size calculation */
++      bool credit_size_workaround;
++
+       /* tx stats support over pktlog */
+       bool tx_stats_over_pktlog;
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath10k-fix-tx-hanging.patch b/queue-5.16/ath10k-fix-tx-hanging.patch
new file mode 100644 (file)
index 0000000..04b8888
--- /dev/null
@@ -0,0 +1,56 @@
+From e18d8b911c6a2333ef4b587caca0bfd2982d5670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 15:58:06 +0700
+Subject: ath10k: Fix tx hanging
+
+From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+
+[ Upstream commit e8a91863eba3966a447d2daa1526082d52b5db2a ]
+
+While running stress tests in roaming scenarios (switching ap's every 5
+seconds, we discovered a issue which leads to tx hangings of exactly 5
+seconds while or after scanning for new accesspoints. We found out that
+this hanging is triggered by ath10k_mac_wait_tx_complete since the
+empty_tx_wq was not wake when the num_tx_pending counter reaches zero.
+To fix this, we simply move the wake_up call to htt_tx_dec_pending,
+since this call was missed on several locations within the ath10k code.
+
+Signed-off-by: Sebastian Gottschall <s.gottschall@dd-wrt.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20210505085806.11474-1-s.gottschall@dd-wrt.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_tx.c | 3 +++
+ drivers/net/wireless/ath/ath10k/txrx.c   | 2 --
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_tx.c b/drivers/net/wireless/ath/ath10k/htt_tx.c
+index d6b8bdcef4160..b793eac2cfac8 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_tx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_tx.c
+@@ -147,6 +147,9 @@ void ath10k_htt_tx_dec_pending(struct ath10k_htt *htt)
+       htt->num_pending_tx--;
+       if (htt->num_pending_tx == htt->max_num_pending_tx - 1)
+               ath10k_mac_tx_unlock(htt->ar, ATH10K_TX_PAUSE_Q_FULL);
++
++      if (htt->num_pending_tx == 0)
++              wake_up(&htt->empty_tx_wq);
+ }
+ int ath10k_htt_tx_inc_pending(struct ath10k_htt *htt)
+diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
+index 7c9ea0c073d8b..6f8b642188941 100644
+--- a/drivers/net/wireless/ath/ath10k/txrx.c
++++ b/drivers/net/wireless/ath/ath10k/txrx.c
+@@ -82,8 +82,6 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt,
+       flags = skb_cb->flags;
+       ath10k_htt_tx_free_msdu_id(htt, tx_done->msdu_id);
+       ath10k_htt_tx_dec_pending(htt);
+-      if (htt->num_pending_tx == 0)
+-              wake_up(&htt->empty_tx_wq);
+       spin_unlock_bh(&htt->tx_lock);
+       rcu_read_lock();
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-add-hw_param-for-wakeup_mhi.patch b/queue-5.16/ath11k-add-hw_param-for-wakeup_mhi.patch
new file mode 100644 (file)
index 0000000..edf1358
--- /dev/null
@@ -0,0 +1,151 @@
+From c6added49403e5d59aece665ed34e1c274cbde9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 09:39:41 +0200
+Subject: ath11k: add hw_param for wakeup_mhi
+
+From: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
+
+[ Upstream commit 081e2d6476e30399433b509684d5da4d1844e430 ]
+
+Wakeup mhi is needed before pci_read/write only for QCA6390 and WCN6855. Since
+wakeup & release mhi is enabled for all hardwares, below mhi assert is seen in
+QCN9074 when doing 'rmmod ath11k_pci':
+
+       Kernel panic - not syncing: dev_wake != 0
+       CPU: 2 PID: 13535 Comm: procd Not tainted 4.4.60 #1
+       Hardware name: Generic DT based system
+       [<80316dac>] (unwind_backtrace) from [<80313700>] (show_stack+0x10/0x14)
+       [<80313700>] (show_stack) from [<805135dc>] (dump_stack+0x7c/0x9c)
+       [<805135dc>] (dump_stack) from [<8032136c>] (panic+0x84/0x1f8)
+       [<8032136c>] (panic) from [<80549b24>] (mhi_pm_disable_transition+0x3b8/0x5b8)
+       [<80549b24>] (mhi_pm_disable_transition) from [<80549ddc>] (mhi_power_down+0xb8/0x100)
+       [<80549ddc>] (mhi_power_down) from [<7f5242b0>] (ath11k_mhi_op_status_cb+0x284/0x3ac [ath11k_pci])
+       [E][__mhi_device_get_sync] Did not enter M0 state, cur_state:RESET pm_state:SHUTDOWN Process
+       [E][__mhi_device_get_sync] Did not enter M0 state, cur_state:RESET pm_state:SHUTDOWN Process
+       [E][__mhi_device_get_sync] Did not enter M0 state, cur_state:RESET pm_state:SHUTDOWN Process
+       [<7f5242b0>] (ath11k_mhi_op_status_cb [ath11k_pci]) from [<7f524878>] (ath11k_mhi_stop+0x10/0x20 [ath11k_pci])
+       [<7f524878>] (ath11k_mhi_stop [ath11k_pci]) from [<7f525b94>] (ath11k_pci_power_down+0x54/0x90 [ath11k_pci])
+       [<7f525b94>] (ath11k_pci_power_down [ath11k_pci]) from [<8056b2a8>] (pci_device_shutdown+0x30/0x44)
+       [<8056b2a8>] (pci_device_shutdown) from [<805cfa0c>] (device_shutdown+0x124/0x174)
+       [<805cfa0c>] (device_shutdown) from [<8033aaa4>] (kernel_restart+0xc/0x50)
+       [<8033aaa4>] (kernel_restart) from [<8033ada8>] (SyS_reboot+0x178/0x1ec)
+       [<8033ada8>] (SyS_reboot) from [<80301b80>] (ret_fast_syscall+0x0/0x34)
+
+Hence, disable wakeup/release mhi using hw_param for other hardwares.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01060-QCAHKSWPL_SILICONZ-1
+
+Fixes: a05bd8513335 ("ath11k: read and write registers below unwindowed address")
+Signed-off-by: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1636702019-26142-1-git-send-email-quic_seevalam@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c |  5 +++++
+ drivers/net/wireless/ath/ath11k/hw.h   |  1 +
+ drivers/net/wireless/ath/ath11k/pci.c  | 12 ++++++++----
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 280f1c6411aeb..638dc97669df2 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -84,6 +84,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
+               .supports_dynamic_smps_6ghz = false,
+               .alloc_cacheable_memory = true,
++              .wakeup_mhi = false,
+       },
+       {
+               .hw_rev = ATH11K_HW_IPQ6018_HW10,
+@@ -135,6 +136,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
+               .supports_dynamic_smps_6ghz = false,
+               .alloc_cacheable_memory = true,
++              .wakeup_mhi = false,
+       },
+       {
+               .name = "qca6390 hw2.0",
+@@ -185,6 +187,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .hal_params = &ath11k_hw_hal_params_qca6390,
+               .supports_dynamic_smps_6ghz = false,
+               .alloc_cacheable_memory = false,
++              .wakeup_mhi = true,
+       },
+       {
+               .name = "qcn9074 hw1.0",
+@@ -235,6 +238,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
+               .supports_dynamic_smps_6ghz = true,
+               .alloc_cacheable_memory = true,
++              .wakeup_mhi = false,
+       },
+       {
+               .name = "wcn6855 hw2.0",
+@@ -285,6 +289,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .hal_params = &ath11k_hw_hal_params_qca6390,
+               .supports_dynamic_smps_6ghz = false,
+               .alloc_cacheable_memory = false,
++              .wakeup_mhi = true,
+       },
+ };
+diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
+index de9e9546f2ec6..aa93f0619f936 100644
+--- a/drivers/net/wireless/ath/ath11k/hw.h
++++ b/drivers/net/wireless/ath/ath11k/hw.h
+@@ -178,6 +178,7 @@ struct ath11k_hw_params {
+       const struct ath11k_hw_hal_params *hal_params;
+       bool supports_dynamic_smps_6ghz;
+       bool alloc_cacheable_memory;
++      bool wakeup_mhi;
+ };
+ struct ath11k_hw_ops {
+diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
+index 3d353e7c9d5c2..fadded5ef84b2 100644
+--- a/drivers/net/wireless/ath/ath11k/pci.c
++++ b/drivers/net/wireless/ath/ath11k/pci.c
+@@ -182,7 +182,8 @@ void ath11k_pci_write32(struct ath11k_base *ab, u32 offset, u32 value)
+       /* for offset beyond BAR + 4K - 32, may
+        * need to wakeup MHI to access.
+        */
+-      if (test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
++      if (ab->hw_params.wakeup_mhi &&
++          test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
+           offset >= ACCESS_ALWAYS_OFF)
+               mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev);
+@@ -206,7 +207,8 @@ void ath11k_pci_write32(struct ath11k_base *ab, u32 offset, u32 value)
+               }
+       }
+-      if (test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
++      if (ab->hw_params.wakeup_mhi &&
++          test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
+           offset >= ACCESS_ALWAYS_OFF)
+               mhi_device_put(ab_pci->mhi_ctrl->mhi_dev);
+ }
+@@ -219,7 +221,8 @@ u32 ath11k_pci_read32(struct ath11k_base *ab, u32 offset)
+       /* for offset beyond BAR + 4K - 32, may
+        * need to wakeup MHI to access.
+        */
+-      if (test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
++      if (ab->hw_params.wakeup_mhi &&
++          test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
+           offset >= ACCESS_ALWAYS_OFF)
+               mhi_device_get_sync(ab_pci->mhi_ctrl->mhi_dev);
+@@ -243,7 +246,8 @@ u32 ath11k_pci_read32(struct ath11k_base *ab, u32 offset)
+               }
+       }
+-      if (test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
++      if (ab->hw_params.wakeup_mhi &&
++          test_bit(ATH11K_PCI_FLAG_INIT_DONE, &ab_pci->flags) &&
+           offset >= ACCESS_ALWAYS_OFF)
+               mhi_device_put(ab_pci->mhi_ctrl->mhi_dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-allocate-dst-ring-descriptors-from-cacheable-.patch b/queue-5.16/ath11k-allocate-dst-ring-descriptors-from-cacheable-.patch
new file mode 100644 (file)
index 0000000..84c951b
--- /dev/null
@@ -0,0 +1,247 @@
+From 6cd1d9ff3c58d88f1d4126b15ec1ad5c68633904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 11:01:26 +0200
+Subject: ath11k: allocate dst ring descriptors from cacheable memory
+
+From: P Praneesh <ppranees@codeaurora.org>
+
+[ Upstream commit 6452f0a3d5651bb7edfd9c709e78973aaa4d3bfc ]
+
+tcl_data and reo_dst rings are currently being allocated using
+dma_allocate_coherent() which is non cacheable.
+
+Allocating ring memory from cacheable memory area allows cached descriptor
+access and prefetch next descriptors to optimize CPU usage during
+descriptor processing on NAPI. Based on the hardware param we can enable
+or disable this feature for the corresponding platform.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1
+
+Co-developed-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
+Co-developed-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: P Praneesh <ppranees@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1630560820-21905-3-git-send-email-ppranees@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c |  5 ++++
+ drivers/net/wireless/ath/ath11k/dp.c   | 38 ++++++++++++++++++++++----
+ drivers/net/wireless/ath/ath11k/dp.h   |  1 +
+ drivers/net/wireless/ath/ath11k/hal.c  | 28 +++++++++++++++++--
+ drivers/net/wireless/ath/ath11k/hal.h  |  1 +
+ drivers/net/wireless/ath/ath11k/hw.h   |  1 +
+ 6 files changed, 67 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 7ee2ccc49c747..280f1c6411aeb 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -83,6 +83,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .max_tx_ring = DP_TCL_NUM_RING_MAX,
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
+               .supports_dynamic_smps_6ghz = false,
++              .alloc_cacheable_memory = true,
+       },
+       {
+               .hw_rev = ATH11K_HW_IPQ6018_HW10,
+@@ -133,6 +134,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .max_tx_ring = DP_TCL_NUM_RING_MAX,
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
+               .supports_dynamic_smps_6ghz = false,
++              .alloc_cacheable_memory = true,
+       },
+       {
+               .name = "qca6390 hw2.0",
+@@ -182,6 +184,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .max_tx_ring = DP_TCL_NUM_RING_MAX_QCA6390,
+               .hal_params = &ath11k_hw_hal_params_qca6390,
+               .supports_dynamic_smps_6ghz = false,
++              .alloc_cacheable_memory = false,
+       },
+       {
+               .name = "qcn9074 hw1.0",
+@@ -231,6 +234,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .max_tx_ring = DP_TCL_NUM_RING_MAX,
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
+               .supports_dynamic_smps_6ghz = true,
++              .alloc_cacheable_memory = true,
+       },
+       {
+               .name = "wcn6855 hw2.0",
+@@ -280,6 +284,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .max_tx_ring = DP_TCL_NUM_RING_MAX_QCA6390,
+               .hal_params = &ath11k_hw_hal_params_qca6390,
+               .supports_dynamic_smps_6ghz = false,
++              .alloc_cacheable_memory = false,
+       },
+ };
+diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c
+index 8baaeeb8cf821..8058b56028ded 100644
+--- a/drivers/net/wireless/ath/ath11k/dp.c
++++ b/drivers/net/wireless/ath/ath11k/dp.c
+@@ -101,8 +101,11 @@ void ath11k_dp_srng_cleanup(struct ath11k_base *ab, struct dp_srng *ring)
+       if (!ring->vaddr_unaligned)
+               return;
+-      dma_free_coherent(ab->dev, ring->size, ring->vaddr_unaligned,
+-                        ring->paddr_unaligned);
++      if (ring->cached)
++              kfree(ring->vaddr_unaligned);
++      else
++              dma_free_coherent(ab->dev, ring->size, ring->vaddr_unaligned,
++                                ring->paddr_unaligned);
+       ring->vaddr_unaligned = NULL;
+ }
+@@ -222,6 +225,7 @@ int ath11k_dp_srng_setup(struct ath11k_base *ab, struct dp_srng *ring,
+       int entry_sz = ath11k_hal_srng_get_entrysize(ab, type);
+       int max_entries = ath11k_hal_srng_get_max_entries(ab, type);
+       int ret;
++      bool cached = false;
+       if (max_entries < 0 || entry_sz < 0)
+               return -EINVAL;
+@@ -230,9 +234,28 @@ int ath11k_dp_srng_setup(struct ath11k_base *ab, struct dp_srng *ring,
+               num_entries = max_entries;
+       ring->size = (num_entries * entry_sz) + HAL_RING_BASE_ALIGN - 1;
+-      ring->vaddr_unaligned = dma_alloc_coherent(ab->dev, ring->size,
+-                                                 &ring->paddr_unaligned,
+-                                                 GFP_KERNEL);
++
++      if (ab->hw_params.alloc_cacheable_memory) {
++              /* Allocate the reo dst and tx completion rings from cacheable memory */
++              switch (type) {
++              case HAL_REO_DST:
++                      cached = true;
++                      break;
++              default:
++                      cached = false;
++              }
++
++              if (cached) {
++                      ring->vaddr_unaligned = kzalloc(ring->size, GFP_KERNEL);
++                      ring->paddr_unaligned = virt_to_phys(ring->vaddr_unaligned);
++              }
++      }
++
++      if (!cached)
++              ring->vaddr_unaligned = dma_alloc_coherent(ab->dev, ring->size,
++                                                         &ring->paddr_unaligned,
++                                                         GFP_KERNEL);
++
+       if (!ring->vaddr_unaligned)
+               return -ENOMEM;
+@@ -292,6 +315,11 @@ int ath11k_dp_srng_setup(struct ath11k_base *ab, struct dp_srng *ring,
+               return -EINVAL;
+       }
++      if (cached) {
++              params.flags |= HAL_SRNG_FLAGS_CACHED;
++              ring->cached = 1;
++      }
++
+       ret = ath11k_hal_srng_setup(ab, type, ring_num, mac_id, &params);
+       if (ret < 0) {
+               ath11k_warn(ab, "failed to setup srng: %d ring_id %d\n",
+diff --git a/drivers/net/wireless/ath/ath11k/dp.h b/drivers/net/wireless/ath/ath11k/dp.h
+index f524d19aca349..a4c36a9be338a 100644
+--- a/drivers/net/wireless/ath/ath11k/dp.h
++++ b/drivers/net/wireless/ath/ath11k/dp.h
+@@ -64,6 +64,7 @@ struct dp_srng {
+       dma_addr_t paddr;
+       int size;
+       u32 ring_id;
++      u8 cached;
+ };
+ struct dp_rxdma_ring {
+diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
+index eaa0edca55761..f04edafbd0f15 100644
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -627,6 +627,21 @@ u32 *ath11k_hal_srng_dst_peek(struct ath11k_base *ab, struct hal_srng *srng)
+       return NULL;
+ }
++static void ath11k_hal_srng_prefetch_desc(struct ath11k_base *ab,
++                                        struct hal_srng *srng)
++{
++      u32 *desc;
++
++      /* prefetch only if desc is available */
++      desc = ath11k_hal_srng_dst_peek(ab, srng);
++      if (likely(desc)) {
++              dma_sync_single_for_cpu(ab->dev, virt_to_phys(desc),
++                                      (srng->entry_size * sizeof(u32)),
++                                      DMA_FROM_DEVICE);
++              prefetch(desc);
++      }
++}
++
+ u32 *ath11k_hal_srng_dst_get_next_entry(struct ath11k_base *ab,
+                                       struct hal_srng *srng)
+ {
+@@ -642,6 +657,10 @@ u32 *ath11k_hal_srng_dst_get_next_entry(struct ath11k_base *ab,
+       srng->u.dst_ring.tp = (srng->u.dst_ring.tp + srng->entry_size) %
+                             srng->ring_size;
++      /* Try to prefetch the next descriptor in the ring */
++      if (srng->flags & HAL_SRNG_FLAGS_CACHED)
++              ath11k_hal_srng_prefetch_desc(ab, srng);
++
+       return desc;
+ }
+@@ -775,11 +794,16 @@ void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng)
+ {
+       lockdep_assert_held(&srng->lock);
+-      if (srng->ring_dir == HAL_SRNG_DIR_SRC)
++      if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
+               srng->u.src_ring.cached_tp =
+                       *(volatile u32 *)srng->u.src_ring.tp_addr;
+-      else
++      } else {
+               srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr;
++
++              /* Try to prefetch the next descriptor in the ring */
++              if (srng->flags & HAL_SRNG_FLAGS_CACHED)
++                      ath11k_hal_srng_prefetch_desc(ab, srng);
++      }
+ }
+ /* Update cached ring head/tail pointers to HW. ath11k_hal_srng_access_begin()
+diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h
+index 35ed3a14e200a..0f4f9ce74354b 100644
+--- a/drivers/net/wireless/ath/ath11k/hal.h
++++ b/drivers/net/wireless/ath/ath11k/hal.h
+@@ -513,6 +513,7 @@ enum hal_srng_dir {
+ #define HAL_SRNG_FLAGS_DATA_TLV_SWAP          0x00000020
+ #define HAL_SRNG_FLAGS_LOW_THRESH_INTR_EN     0x00010000
+ #define HAL_SRNG_FLAGS_MSI_INTR                       0x00020000
++#define HAL_SRNG_FLAGS_CACHED                   0x20000000
+ #define HAL_SRNG_FLAGS_LMAC_RING              0x80000000
+ #define HAL_SRNG_TLV_HDR_TAG          GENMASK(9, 1)
+diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
+index 6dcac596e3fe5..de9e9546f2ec6 100644
+--- a/drivers/net/wireless/ath/ath11k/hw.h
++++ b/drivers/net/wireless/ath/ath11k/hw.h
+@@ -177,6 +177,7 @@ struct ath11k_hw_params {
+       u8 max_tx_ring;
+       const struct ath11k_hw_hal_params *hal_params;
+       bool supports_dynamic_smps_6ghz;
++      bool alloc_cacheable_memory;
+ };
+ struct ath11k_hw_ops {
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch b/queue-5.16/ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch
new file mode 100644 (file)
index 0000000..7d36e15
--- /dev/null
@@ -0,0 +1,205 @@
+From 3b6bf4c11e8228237e34ee6230df8ea162835c49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 17:23:36 +0200
+Subject: ath11k: avoid deadlock by change ieee80211_queue_work for
+ regd_update_work
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit ed05c7cf1286d7e31e7623bce55ff135723591bf ]
+
+When enable debug config, it print below warning while shut down wlan
+interface shuh as run "ifconfig wlan0 down".
+
+The reason is because ar->regd_update_work is ran once, and it is will
+call wiphy_lock(ar->hw->wiphy) in function ath11k_regd_update() which
+is running in workqueue of ieee80211_local queued by ieee80211_queue_work().
+Another thread from "ifconfig wlan0 down" will also accuqire the lock
+by wiphy_lock(sdata->local->hw.wiphy) in function ieee80211_stop(), and
+then it call ieee80211_stop_device() to flush_workqueue(local->workqueue),
+this will wait the workqueue of ieee80211_local finished. Then deadlock
+will happen easily if the two thread run meanwhile.
+
+Below warning disappeared after this change.
+
+[  914.088798] ath11k_pci 0000:05:00.0: mac remove interface (vdev 0)
+[  914.088806] ath11k_pci 0000:05:00.0: mac stop 11d scan
+[  914.088810] ath11k_pci 0000:05:00.0: mac stop 11d vdev id 0
+[  914.088827] ath11k_pci 0000:05:00.0: htc ep 2 consumed 1 credits (total 0)
+[  914.088841] ath11k_pci 0000:05:00.0: send 11d scan stop vdev id 0
+[  914.088849] ath11k_pci 0000:05:00.0: htc insufficient credits ep 2 required 1 available 0
+[  914.088856] ath11k_pci 0000:05:00.0: htc insufficient credits ep 2 required 1 available 0
+[  914.096434] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 16
+[  914.096442] ath11k_pci 0000:05:00.0: htc ep 2 got 1 credits (total 1)
+[  914.096481] ath11k_pci 0000:05:00.0: htc ep 2 consumed 1 credits (total 0)
+[  914.096491] ath11k_pci 0000:05:00.0: WMI vdev delete id 0
+[  914.111598] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 16
+[  914.111628] ath11k_pci 0000:05:00.0: htc ep 2 got 1 credits (total 1)
+[  914.114659] ath11k_pci 0000:05:00.0: rx ce pipe 2 len 20
+[  914.114742] ath11k_pci 0000:05:00.0: htc rx completion ep 2 skb         pK-error
+[  914.115977] ath11k_pci 0000:05:00.0: vdev delete resp for vdev id 0
+[  914.116685] ath11k_pci 0000:05:00.0: vdev 00:03:7f:29:61:11 deleted, vdev_id 0
+
+[  914.117583] ======================================================
+[  914.117592] WARNING: possible circular locking dependency detected
+[  914.117600] 5.16.0-rc1-wt-ath+ #1 Tainted: G           OE
+[  914.117611] ------------------------------------------------------
+[  914.117618] ifconfig/2805 is trying to acquire lock:
+[  914.117628] ffff9c00a62bb548 ((wq_completion)phy0){+.+.}-{0:0}, at: flush_workqueue+0x87/0x470
+[  914.117674]
+               but task is already holding lock:
+[  914.117682] ffff9c00baea07d0 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_stop+0x38/0x180 [mac80211]
+[  914.117872]
+               which lock already depends on the new lock.
+
+[  914.117880]
+               the existing dependency chain (in reverse order) is:
+[  914.117888]
+               -> #3 (&rdev->wiphy.mtx){+.+.}-{4:4}:
+[  914.117910]        __mutex_lock+0xa0/0x9c0
+[  914.117930]        mutex_lock_nested+0x1b/0x20
+[  914.117944]        reg_process_self_managed_hints+0x3a/0xb0 [cfg80211]
+[  914.118093]        wiphy_regulatory_register+0x47/0x80 [cfg80211]
+[  914.118229]        wiphy_register+0x84f/0x9c0 [cfg80211]
+[  914.118353]        ieee80211_register_hw+0x6b1/0xd90 [mac80211]
+[  914.118486]        ath11k_mac_register+0x6af/0xb60 [ath11k]
+[  914.118550]        ath11k_core_qmi_firmware_ready+0x383/0x4a0 [ath11k]
+[  914.118598]        ath11k_qmi_driver_event_work+0x347/0x4a0 [ath11k]
+[  914.118656]        process_one_work+0x228/0x670
+[  914.118669]        worker_thread+0x4d/0x440
+[  914.118680]        kthread+0x16d/0x1b0
+[  914.118697]        ret_from_fork+0x22/0x30
+[  914.118714]
+               -> #2 (rtnl_mutex){+.+.}-{4:4}:
+[  914.118736]        __mutex_lock+0xa0/0x9c0
+[  914.118751]        mutex_lock_nested+0x1b/0x20
+[  914.118767]        rtnl_lock+0x17/0x20
+[  914.118783]        ath11k_regd_update+0x15a/0x260 [ath11k]
+[  914.118841]        ath11k_regd_update_work+0x15/0x20 [ath11k]
+[  914.118897]        process_one_work+0x228/0x670
+[  914.118909]        worker_thread+0x4d/0x440
+[  914.118920]        kthread+0x16d/0x1b0
+[  914.118934]        ret_from_fork+0x22/0x30
+[  914.118948]
+               -> #1 ((work_completion)(&ar->regd_update_work)){+.+.}-{0:0}:
+[  914.118972]        process_one_work+0x1fa/0x670
+[  914.118984]        worker_thread+0x4d/0x440
+[  914.118996]        kthread+0x16d/0x1b0
+[  914.119010]        ret_from_fork+0x22/0x30
+[  914.119023]
+               -> #0 ((wq_completion)phy0){+.+.}-{0:0}:
+[  914.119045]        __lock_acquire+0x146d/0x1cf0
+[  914.119057]        lock_acquire+0x19b/0x360
+[  914.119067]        flush_workqueue+0xae/0x470
+[  914.119084]        ieee80211_stop_device+0x3b/0x50 [mac80211]
+[  914.119260]        ieee80211_do_stop+0x5d7/0x830 [mac80211]
+[  914.119409]        ieee80211_stop+0x45/0x180 [mac80211]
+[  914.119557]        __dev_close_many+0xb3/0x120
+[  914.119573]        __dev_change_flags+0xc3/0x1d0
+[  914.119590]        dev_change_flags+0x29/0x70
+[  914.119605]        devinet_ioctl+0x653/0x810
+[  914.119620]        inet_ioctl+0x193/0x1e0
+[  914.119631]        sock_do_ioctl+0x4d/0xf0
+[  914.119649]        sock_ioctl+0x262/0x340
+[  914.119665]        __x64_sys_ioctl+0x96/0xd0
+[  914.119678]        do_syscall_64+0x3d/0xd0
+[  914.119694]        entry_SYSCALL_64_after_hwframe+0x44/0xae
+[  914.119709]
+               other info that might help us debug this:
+
+[  914.119717] Chain exists of:
+                 (wq_completion)phy0 --> rtnl_mutex --> &rdev->wiphy.mtx
+
+[  914.119745]  Possible unsafe locking scenario:
+
+[  914.119752]        CPU0                    CPU1
+[  914.119758]        ----                    ----
+[  914.119765]   lock(&rdev->wiphy.mtx);
+[  914.119778]                                lock(rtnl_mutex);
+[  914.119792]                                lock(&rdev->wiphy.mtx);
+[  914.119807]   lock((wq_completion)phy0);
+[  914.119819]
+                *** DEADLOCK ***
+
+[  914.119827] 2 locks held by ifconfig/2805:
+[  914.119837]  #0: ffffffffba3dc010 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock+0x17/0x20
+[  914.119872]  #1: ffff9c00baea07d0 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_stop+0x38/0x180 [mac80211]
+[  914.120039]
+               stack backtrace:
+[  914.120048] CPU: 0 PID: 2805 Comm: ifconfig Tainted: G           OE     5.16.0-rc1-wt-ath+ #1
+[  914.120064] Hardware name: LENOVO 418065C/418065C, BIOS 83ET63WW (1.33 ) 07/29/2011
+[  914.120074] Call Trace:
+[  914.120084]  <TASK>
+[  914.120094]  dump_stack_lvl+0x73/0xa4
+[  914.120119]  dump_stack+0x10/0x12
+[  914.120135]  print_circular_bug.isra.44+0x221/0x2e0
+[  914.120165]  check_noncircular+0x106/0x150
+[  914.120203]  __lock_acquire+0x146d/0x1cf0
+[  914.120215]  ? __lock_acquire+0x146d/0x1cf0
+[  914.120245]  lock_acquire+0x19b/0x360
+[  914.120259]  ? flush_workqueue+0x87/0x470
+[  914.120286]  ? lockdep_init_map_type+0x6b/0x250
+[  914.120310]  flush_workqueue+0xae/0x470
+[  914.120327]  ? flush_workqueue+0x87/0x470
+[  914.120344]  ? lockdep_hardirqs_on+0xd7/0x150
+[  914.120391]  ieee80211_stop_device+0x3b/0x50 [mac80211]
+[  914.120565]  ? ieee80211_stop_device+0x3b/0x50 [mac80211]
+[  914.120736]  ieee80211_do_stop+0x5d7/0x830 [mac80211]
+[  914.120906]  ieee80211_stop+0x45/0x180 [mac80211]
+[  914.121060]  __dev_close_many+0xb3/0x120
+[  914.121081]  __dev_change_flags+0xc3/0x1d0
+[  914.121109]  dev_change_flags+0x29/0x70
+[  914.121131]  devinet_ioctl+0x653/0x810
+[  914.121149]  ? __might_fault+0x77/0x80
+[  914.121179]  inet_ioctl+0x193/0x1e0
+[  914.121194]  ? inet_ioctl+0x193/0x1e0
+[  914.121218]  ? __might_fault+0x77/0x80
+[  914.121238]  ? _copy_to_user+0x68/0x80
+[  914.121266]  sock_do_ioctl+0x4d/0xf0
+[  914.121283]  ? inet_stream_connect+0x60/0x60
+[  914.121297]  ? sock_do_ioctl+0x4d/0xf0
+[  914.121329]  sock_ioctl+0x262/0x340
+[  914.121347]  ? sock_ioctl+0x262/0x340
+[  914.121362]  ? exit_to_user_mode_prepare+0x13b/0x280
+[  914.121388]  ? syscall_enter_from_user_mode+0x20/0x50
+[  914.121416]  __x64_sys_ioctl+0x96/0xd0
+[  914.121430]  ? br_ioctl_call+0x90/0x90
+[  914.121445]  ? __x64_sys_ioctl+0x96/0xd0
+[  914.121465]  do_syscall_64+0x3d/0xd0
+[  914.121482]  entry_SYSCALL_64_after_hwframe+0x44/0xae
+[  914.121497] RIP: 0033:0x7f0ed051737b
+[  914.121513] Code: 0f 1e fa 48 8b 05 15 3b 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 3a 0d 00 f7 d8 64 89 01 48
+[  914.121527] RSP: 002b:00007fff7be38b98 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[  914.121544] RAX: ffffffffffffffda RBX: 00007fff7be38ba0 RCX: 00007f0ed051737b
+[  914.121555] RDX: 00007fff7be38ba0 RSI: 0000000000008914 RDI: 0000000000000004
+[  914.121566] RBP: 00007fff7be38c60 R08: 000000000000000a R09: 0000000000000001
+[  914.121576] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000fffffffe
+[  914.121586] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000
+[  914.121620]  </TASK>
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20211201071745.17746-2-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 621a63d6c8c6d..c3699bd0452c9 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -5912,7 +5912,7 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk
+               ar = ab->pdevs[pdev_idx].ar;
+               kfree(ab->new_regd[pdev_idx]);
+               ab->new_regd[pdev_idx] = regd;
+-              ieee80211_queue_work(ar->hw, &ar->regd_update_work);
++              queue_work(ab->workqueue, &ar->regd_update_work);
+       } else {
+               /* This regd would be applied during mac registration and is
+                * held constant throughout for regd intersection purpose
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch b/queue-5.16/ath11k-avoid-false-deadlock-warning-reported-by-lock.patch
new file mode 100644 (file)
index 0000000..47ea01d
--- /dev/null
@@ -0,0 +1,181 @@
+From 0e3e56aa42dd7ae8bbe08844224b1418166ed423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 09:19:49 +0800
+Subject: ath11k: Avoid false DEADLOCK warning reported by lockdep
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit 767c94caf0efad136157110787fe221b74cb5c8a ]
+
+With CONFIG_LOCKDEP=y and CONFIG_DEBUG_SPINLOCK=y, lockdep reports
+below warning:
+
+[  166.059415] ============================================
+[  166.059416] WARNING: possible recursive locking detected
+[  166.059418] 5.15.0-wt-ath+ #10 Tainted: G        W  O
+[  166.059420] --------------------------------------------
+[  166.059421] kworker/0:2/116 is trying to acquire lock:
+[  166.059423] ffff9905f2083160 (&srng->lock){+.-.}-{2:2}, at: ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k]
+[  166.059440]
+               but task is already holding lock:
+[  166.059442] ffff9905f2083230 (&srng->lock){+.-.}-{2:2}, at: ath11k_dp_process_reo_status+0x95/0x2d0 [ath11k]
+[  166.059491]
+               other info that might help us debug this:
+[  166.059492]  Possible unsafe locking scenario:
+
+[  166.059493]        CPU0
+[  166.059494]        ----
+[  166.059495]   lock(&srng->lock);
+[  166.059498]   lock(&srng->lock);
+[  166.059500]
+                *** DEADLOCK ***
+
+[  166.059501]  May be due to missing lock nesting notation
+
+[  166.059502] 3 locks held by kworker/0:2/116:
+[  166.059504]  #0: ffff9905c0081548 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f6/0x660
+[  166.059511]  #1: ffff9d2400a5fe68 ((debug_obj_work).work){+.+.}-{0:0}, at: process_one_work+0x1f6/0x660
+[  166.059517]  #2: ffff9905f2083230 (&srng->lock){+.-.}-{2:2}, at: ath11k_dp_process_reo_status+0x95/0x2d0 [ath11k]
+[  166.059532]
+               stack backtrace:
+[  166.059534] CPU: 0 PID: 116 Comm: kworker/0:2 Kdump: loaded Tainted: G        W  O      5.15.0-wt-ath+ #10
+[  166.059537] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0059.2019.1112.1124 11/12/2019
+[  166.059539] Workqueue: events free_obj_work
+[  166.059543] Call Trace:
+[  166.059545]  <IRQ>
+[  166.059547]  dump_stack_lvl+0x56/0x7b
+[  166.059552]  __lock_acquire+0xb9a/0x1a50
+[  166.059556]  lock_acquire+0x1e2/0x330
+[  166.059560]  ? ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k]
+[  166.059571]  _raw_spin_lock_bh+0x33/0x70
+[  166.059574]  ? ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k]
+[  166.059584]  ath11k_hal_reo_cmd_send+0x20/0x490 [ath11k]
+[  166.059594]  ath11k_dp_tx_send_reo_cmd+0x3f/0x130 [ath11k]
+[  166.059605]  ath11k_dp_rx_tid_del_func+0x221/0x370 [ath11k]
+[  166.059618]  ath11k_dp_process_reo_status+0x22f/0x2d0 [ath11k]
+[  166.059632]  ? ath11k_dp_service_srng+0x2ea/0x2f0 [ath11k]
+[  166.059643]  ath11k_dp_service_srng+0x2ea/0x2f0 [ath11k]
+[  166.059655]  ath11k_pci_ext_grp_napi_poll+0x1c/0x70 [ath11k_pci]
+[  166.059659]  __napi_poll+0x28/0x230
+[  166.059664]  net_rx_action+0x285/0x310
+[  166.059668]  __do_softirq+0xe6/0x4d2
+[  166.059672]  irq_exit_rcu+0xd2/0xf0
+[  166.059675]  common_interrupt+0xa5/0xc0
+[  166.059678]  </IRQ>
+[  166.059679]  <TASK>
+[  166.059680]  asm_common_interrupt+0x1e/0x40
+[  166.059683] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
+[  166.059686] Code: 83 c7 18 e8 2a 95 43 ff 48 89 ef e8 22 d2 43 ff 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 63 2e 40 ff 65 8b 05 8c 59 97 5c 85 c0 74 0a 5b 5d c3 e8 00 6a
+[  166.059689] RSP: 0018:ffff9d2400a5fca0 EFLAGS: 00000206
+[  166.059692] RAX: 0000000000000002 RBX: 0000000000000200 RCX: 0000000000000006
+[  166.059694] RDX: 0000000000000000 RSI: ffffffffa404879b RDI: 0000000000000001
+[  166.059696] RBP: ffff9905c0053000 R08: 0000000000000001 R09: 0000000000000001
+[  166.059698] R10: ffff9d2400a5fc50 R11: 0000000000000001 R12: ffffe186c41e2840
+[  166.059700] R13: 0000000000000001 R14: ffff9905c78a1c68 R15: 0000000000000001
+[  166.059704]  free_debug_processing+0x257/0x3d0
+[  166.059708]  ? free_obj_work+0x1f5/0x250
+[  166.059712]  __slab_free+0x374/0x5a0
+[  166.059718]  ? kmem_cache_free+0x2e1/0x370
+[  166.059721]  ? free_obj_work+0x1f5/0x250
+[  166.059724]  kmem_cache_free+0x2e1/0x370
+[  166.059727]  free_obj_work+0x1f5/0x250
+[  166.059731]  process_one_work+0x28b/0x660
+[  166.059735]  ? process_one_work+0x660/0x660
+[  166.059738]  worker_thread+0x37/0x390
+[  166.059741]  ? process_one_work+0x660/0x660
+[  166.059743]  kthread+0x176/0x1a0
+[  166.059746]  ? set_kthread_struct+0x40/0x40
+[  166.059749]  ret_from_fork+0x22/0x30
+[  166.059754]  </TASK>
+
+Since these two lockes are both initialized in ath11k_hal_srng_setup,
+they are assigned with the same key. As a result lockdep suspects that
+the task is trying to acquire the same lock (due to same key) while
+already holding it, and thus reports the DEADLOCK warning. However as
+they are different spinlock instances, the warning is false positive.
+
+On the other hand, even no dead lock indeed, this is a major issue for
+upstream regression testing as it disables lockdep functionality.
+
+Fix it by assigning separate lock class key for each srng->lock.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20211209011949.151472-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 22 ++++++++++++++++++++++
+ drivers/net/wireless/ath/ath11k/hal.h |  2 ++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
+index f04edafbd0f15..1832d13654a87 100644
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -971,6 +971,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type,
+       srng->msi_data = params->msi_data;
+       srng->initialized = 1;
+       spin_lock_init(&srng->lock);
++      lockdep_set_class(&srng->lock, hal->srng_key + ring_id);
+       for (i = 0; i < HAL_SRNG_NUM_REG_GRP; i++) {
+               srng->hwreg_base[i] = srng_config->reg_start[i] +
+@@ -1257,6 +1258,24 @@ static int ath11k_hal_srng_create_config(struct ath11k_base *ab)
+       return 0;
+ }
++static void ath11k_hal_register_srng_key(struct ath11k_base *ab)
++{
++      struct ath11k_hal *hal = &ab->hal;
++      u32 ring_id;
++
++      for (ring_id = 0; ring_id < HAL_SRNG_RING_ID_MAX; ring_id++)
++              lockdep_register_key(hal->srng_key + ring_id);
++}
++
++static void ath11k_hal_unregister_srng_key(struct ath11k_base *ab)
++{
++      struct ath11k_hal *hal = &ab->hal;
++      u32 ring_id;
++
++      for (ring_id = 0; ring_id < HAL_SRNG_RING_ID_MAX; ring_id++)
++              lockdep_unregister_key(hal->srng_key + ring_id);
++}
++
+ int ath11k_hal_srng_init(struct ath11k_base *ab)
+ {
+       struct ath11k_hal *hal = &ab->hal;
+@@ -1276,6 +1295,8 @@ int ath11k_hal_srng_init(struct ath11k_base *ab)
+       if (ret)
+               goto err_free_cont_rdp;
++      ath11k_hal_register_srng_key(ab);
++
+       return 0;
+ err_free_cont_rdp:
+@@ -1290,6 +1311,7 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab)
+ {
+       struct ath11k_hal *hal = &ab->hal;
++      ath11k_hal_unregister_srng_key(ab);
+       ath11k_hal_free_cont_rdp(ab);
+       ath11k_hal_free_cont_wrp(ab);
+       kfree(hal->srng_config);
+diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h
+index 0f4f9ce74354b..a7d9b4c551ada 100644
+--- a/drivers/net/wireless/ath/ath11k/hal.h
++++ b/drivers/net/wireless/ath/ath11k/hal.h
+@@ -902,6 +902,8 @@ struct ath11k_hal {
+       /* shadow register configuration */
+       u32 shadow_reg_addr[HAL_SHADOW_NUM_REGS];
+       int num_shadow_reg_configured;
++
++      struct lock_class_key srng_key[HAL_SRNG_RING_ID_MAX];
+ };
+ u32 ath11k_hal_reo_qdesc_size(u32 ba_window_size, u8 tid);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch b/queue-5.16/ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch
new file mode 100644 (file)
index 0000000..b2c2a0b
--- /dev/null
@@ -0,0 +1,119 @@
+From 2c0048f6646f3b4d7c09f7bbc90b0b9c019083cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 15:00:14 +0530
+Subject: ath11k: Avoid NULL ptr access during mgmt tx cleanup
+
+From: Sriram R <quic_srirrama@quicinc.com>
+
+[ Upstream commit a93789ae541c7d5c1c2a4942013adb6bcc5e2848 ]
+
+Currently 'ar' reference is not added in skb_cb during
+WMI mgmt tx. Though this is generally not used during tx completion
+callbacks, on interface removal the remaining idr cleanup callback
+uses the ar ptr from skb_cb from mgmt txmgmt_idr. Hence
+fill them during tx call for proper usage.
+
+Also free the skb which is missing currently in these
+callbacks.
+
+Crash_info:
+
+[19282.489476] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[19282.489515] pgd = 91eb8000
+[19282.496702] [00000000] *pgd=00000000
+[19282.502524] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+[19282.783728] PC is at ath11k_mac_vif_txmgmt_idr_remove+0x28/0xd8 [ath11k]
+[19282.789170] LR is at idr_for_each+0xa0/0xc8
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2
+Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 35 +++++++++++++++------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index cb41c3e5708cb..a7400ade7a0cf 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: BSD-3-Clause-Clear
+ /*
+  * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
+  */
+ #include <net/mac80211.h>
+@@ -4935,23 +4936,32 @@ static int __ath11k_set_antenna(struct ath11k *ar, u32 tx_ant, u32 rx_ant)
+       return 0;
+ }
+-int ath11k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++static void ath11k_mac_tx_mgmt_free(struct ath11k *ar, int buf_id)
+ {
+-      struct sk_buff *msdu = skb;
++      struct sk_buff *msdu;
+       struct ieee80211_tx_info *info;
+-      struct ath11k *ar = ctx;
+-      struct ath11k_base *ab = ar->ab;
+       spin_lock_bh(&ar->txmgmt_idr_lock);
+-      idr_remove(&ar->txmgmt_idr, buf_id);
++      msdu = idr_remove(&ar->txmgmt_idr, buf_id);
+       spin_unlock_bh(&ar->txmgmt_idr_lock);
+-      dma_unmap_single(ab->dev, ATH11K_SKB_CB(msdu)->paddr, msdu->len,
++
++      if (!msdu)
++              return;
++
++      dma_unmap_single(ar->ab->dev, ATH11K_SKB_CB(msdu)->paddr, msdu->len,
+                        DMA_TO_DEVICE);
+       info = IEEE80211_SKB_CB(msdu);
+       memset(&info->status, 0, sizeof(info->status));
+       ieee80211_free_txskb(ar->hw, msdu);
++}
++
++int ath11k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx)
++{
++      struct ath11k *ar = ctx;
++
++      ath11k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+@@ -4960,17 +4970,10 @@ static int ath11k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx)
+ {
+       struct ieee80211_vif *vif = ctx;
+       struct ath11k_skb_cb *skb_cb = ATH11K_SKB_CB((struct sk_buff *)skb);
+-      struct sk_buff *msdu = skb;
+       struct ath11k *ar = skb_cb->ar;
+-      struct ath11k_base *ab = ar->ab;
+-      if (skb_cb->vif == vif) {
+-              spin_lock_bh(&ar->txmgmt_idr_lock);
+-              idr_remove(&ar->txmgmt_idr, buf_id);
+-              spin_unlock_bh(&ar->txmgmt_idr_lock);
+-              dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len,
+-                               DMA_TO_DEVICE);
+-      }
++      if (skb_cb->vif == vif)
++              ath11k_mac_tx_mgmt_free(ar, buf_id);
+       return 0;
+ }
+@@ -4985,6 +4988,8 @@ static int ath11k_mac_mgmt_tx_wmi(struct ath11k *ar, struct ath11k_vif *arvif,
+       int buf_id;
+       int ret;
++      ATH11K_SKB_CB(skb)->ar = ar;
++
+       spin_lock_bh(&ar->txmgmt_idr_lock);
+       buf_id = idr_alloc(&ar->txmgmt_idr, skb, 0,
+                          ATH11K_TX_MGMT_NUM_PENDING_MAX, GFP_ATOMIC);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-clear-the-keys-properly-via-disable_key.patch b/queue-5.16/ath11k-clear-the-keys-properly-via-disable_key.patch
new file mode 100644 (file)
index 0000000..32ea214
--- /dev/null
@@ -0,0 +1,64 @@
+From 6ef20da1dc847969e881d5741ec9e03700644979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 11:04:40 +0100
+Subject: ath11k: clear the keys properly via DISABLE_KEY
+
+From: Karthikeyan Kathirvel <kathirve@codeaurora.org>
+
+[ Upstream commit 436a4e88659842a7cf634d7cc088c8f2cc94ebf5 ]
+
+DISABLE_KEY sets the key_len to 0, firmware will not delete the keys if
+key_len is 0. Changing from security mode to open mode will cause mcast
+to be still encrypted without vdev restart.
+
+Set the proper key_len for DISABLE_KEY cmd to clear the keys in
+firmware.
+
+Tested-on: IPQ6018 hw1.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Reported-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Karthikeyan Kathirvel <kathirve@codeaurora.org>
+[sven@narfation.org: split into separate patches, clean up commit message]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211115100441.33771-1-sven@narfation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 4 +---
+ drivers/net/wireless/ath/ath11k/wmi.c | 3 ++-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 1cc55602787bb..cdee7545e876a 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3316,9 +3316,7 @@ static int ath11k_install_key(struct ath11k_vif *arvif,
+               return 0;
+       if (cmd == DISABLE_KEY) {
+-              /* TODO: Check if FW expects  value other than NONE for del */
+-              /* arg.key_cipher = WMI_CIPHER_NONE; */
+-              arg.key_len = 0;
++              arg.key_cipher = WMI_CIPHER_NONE;
+               arg.key_data = NULL;
+               goto install;
+       }
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 04238c29419b5..621a63d6c8c6d 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -1689,7 +1689,8 @@ int ath11k_wmi_vdev_install_key(struct ath11k *ar,
+       tlv = (struct wmi_tlv *)(skb->data + sizeof(*cmd));
+       tlv->header = FIELD_PREP(WMI_TLV_TAG, WMI_TAG_ARRAY_BYTE) |
+                     FIELD_PREP(WMI_TLV_LEN, key_len_aligned);
+-      memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned);
++      if (arg->key_data)
++              memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned);
+       ret = ath11k_wmi_cmd_send(wmi, skb, WMI_VDEV_INSTALL_KEY_CMDID);
+       if (ret) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-enable-ieee80211_vht_ext_nss_bw_capable-if-ns.patch b/queue-5.16/ath11k-enable-ieee80211_vht_ext_nss_bw_capable-if-ns.patch
new file mode 100644 (file)
index 0000000..2fbd9e5
--- /dev/null
@@ -0,0 +1,57 @@
+From 5fc2e9801f3ce2e8e4e83d31f768266530b3aeae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 03:37:04 -0400
+Subject: ath11k: enable IEEE80211_VHT_EXT_NSS_BW_CAPABLE if NSS ratio enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit 78406044bdd0cc8987bc082b76867c63ab1c6af8 ]
+
+When NSS ratio enabled reported by firmware, SUPPORTS_VHT_EXT_NSS_BW
+is set in ath11k, meanwhile IEEE80211_VHT_EXT_NSS_BW_CAPABLE also
+need to be set, otherwise it is invalid because spec in IEEE Std
+802.11™‐2020 as below.
+
+Table 9-273-Supported VHT-MCS and NSS Set subfields, it has subfield
+VHT Extended NSS BW Capable, its definition is:
+Indicates whether the STA is capable of interpreting the Extended NSS
+BW Support subfield of the VHT Capabilities Information field.
+
+dmesg have a message without this patch:
+
+ieee80211 phy0: copying sband (band 1) due to VHT EXT NSS BW flag
+
+It means mac80211 will set IEEE80211_VHT_EXT_NSS_BW_CAPABLE if ath11k not
+set it in ieee80211_register_hw(). So it is better to set it in ath11k.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211013073704.15888-1-wgong@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 5d49a7ea51fae..cb41c3e5708cb 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4566,6 +4566,10 @@ ath11k_create_vht_cap(struct ath11k *ar, u32 rate_cap_tx_chainmask,
+       vht_cap.vht_supported = 1;
+       vht_cap.cap = ar->pdev->cap.vht_cap;
++      if (ar->pdev->cap.nss_ratio_enabled)
++              vht_cap.vht_mcs.tx_highest |=
++                      cpu_to_le16(IEEE80211_VHT_EXT_NSS_BW_CAPABLE);
++
+       ath11k_set_vht_txbf_cap(ar, &vht_cap.cap);
+       rxmcs_map = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch b/queue-5.16/ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch
new file mode 100644 (file)
index 0000000..f8f657b
--- /dev/null
@@ -0,0 +1,59 @@
+From fc62a0f78df3282a835133efc90fd88fecc6704d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 11:53:07 +0200
+Subject: ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit eccd25136386a04ebf46a64f3a34e8e0fab6d9e1 ]
+
+In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly
+used in memcpy(), which may lead to a NULL pointer dereference on
+failure of kzalloc().
+
+Fix this bug by adding a check of arg.extraie.ptr.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_ATH11K=m show no new warnings, and our static
+analyzer no longer warns about this code.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20211202155348.71315-1-zhou1615@umn.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 67be109eda910..5d49a7ea51fae 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3241,9 +3241,12 @@ static int ath11k_mac_op_hw_scan(struct ieee80211_hw *hw,
+       arg.scan_id = ATH11K_SCAN_ID;
+       if (req->ie_len) {
++              arg.extraie.ptr = kmemdup(req->ie, req->ie_len, GFP_KERNEL);
++              if (!arg.extraie.ptr) {
++                      ret = -ENOMEM;
++                      goto exit;
++              }
+               arg.extraie.len = req->ie_len;
+-              arg.extraie.ptr = kzalloc(req->ie_len, GFP_KERNEL);
+-              memcpy(arg.extraie.ptr, req->ie, req->ie_len);
+       }
+       if (req->n_ssids) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch b/queue-5.16/ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch
new file mode 100644 (file)
index 0000000..9ed6899
--- /dev/null
@@ -0,0 +1,80 @@
+From 07b9efcc15597d0b7734622e95fb3522fbe2034d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 09:16:05 +0800
+Subject: ath11k: Fix crash caused by uninitialized TX ring
+
+From: Baochen Qiang <bqiang@codeaurora.org>
+
+[ Upstream commit 273703ebdb01b6c5f1aaf4b98fb57b177609055c ]
+
+Commit 31582373a4a8 ("ath11k: Change number of TCL rings to one for
+QCA6390") avoids initializing the other entries of dp->tx_ring cause
+the corresponding TX rings on QCA6390/WCN6855 are not used, but leaves
+those ring masks in ath11k_hw_ring_mask_qca6390.tx unchanged. Normally
+this is OK because we will only get interrupts from the first TX ring
+on these chips and thus only the first entry of dp->tx_ring is involved.
+
+In case of one MSI vector, all DP rings share the same IRQ. For each
+interrupt, all rings have to be checked, which means the other entries
+of dp->tx_ring are involved. However since they are not initialized,
+system crashes.
+
+Fix this issue by simply removing those ring masks.
+
+crash stack:
+[  102.907438] BUG: kernel NULL pointer dereference, address: 0000000000000028
+[  102.907447] #PF: supervisor read access in kernel mode
+[  102.907451] #PF: error_code(0x0000) - not-present page
+[  102.907453] PGD 1081f0067 P4D 1081f0067 PUD 1081f1067 PMD 0
+[  102.907460] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
+[  102.907465] CPU: 0 PID: 3511 Comm: apt-check Kdump: loaded Tainted: G            E     5.15.0-rc4-wt-ath+ #20
+[  102.907470] Hardware name: AMD Celadon-RN/Celadon-RN, BIOS RCD1005E 10/08/2020
+[  102.907472] RIP: 0010:ath11k_dp_tx_completion_handler+0x201/0x830 [ath11k]
+[  102.907497] Code: 3c 24 4e 8d ac 37 10 04 00 00 4a 8d bc 37 68 04 00 00 48 89 3c 24 48 63 c8 89 83 84 18 00 00 48 c1 e1 05 48 03 8b 78 18 00 00 <8b> 51 08 89 d6 83 e6 07 89 74 24 24 83 fe 03 74 04 85 f6 75 63 41
+[  102.907501] RSP: 0000:ffff9b7340003e08 EFLAGS: 00010202
+[  102.907505] RAX: 0000000000000001 RBX: ffff8e21530c0100 RCX: 0000000000000020
+[  102.907508] RDX: 0000000000000000 RSI: 00000000fffffe00 RDI: ffff8e21530c1938
+[  102.907511] RBP: ffff8e21530c0000 R08: 0000000000000001 R09: 0000000000000000
+[  102.907513] R10: ffff8e2145534c10 R11: 0000000000000001 R12: ffff8e21530c2938
+[  102.907515] R13: ffff8e21530c18e0 R14: 0000000000000100 R15: ffff8e21530c2978
+[  102.907518] FS:  00007f5d4297e740(0000) GS:ffff8e243d600000(0000) knlGS:0000000000000000
+[  102.907521] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  102.907524] CR2: 0000000000000028 CR3: 00000001034ea000 CR4: 0000000000350ef0
+[  102.907527] Call Trace:
+[  102.907531]  <IRQ>
+[  102.907537]  ath11k_dp_service_srng+0x5c/0x2f0 [ath11k]
+[  102.907556]  ath11k_pci_ext_grp_napi_poll+0x21/0x70 [ath11k_pci]
+[  102.907562]  __napi_poll+0x2c/0x160
+[  102.907570]  net_rx_action+0x251/0x310
+[  102.907576]  __do_softirq+0x107/0x2fc
+[  102.907585]  irq_exit_rcu+0x74/0x90
+[  102.907593]  common_interrupt+0x83/0xa0
+[  102.907600]  </IRQ>
+[  102.907601]  asm_common_interrupt+0x1e/0x40
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+
+Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211026011605.58615-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/hw.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/hw.c b/drivers/net/wireless/ath/ath11k/hw.c
+index da35fcf5bc560..2f0b526188e45 100644
+--- a/drivers/net/wireless/ath/ath11k/hw.c
++++ b/drivers/net/wireless/ath/ath11k/hw.c
+@@ -1061,8 +1061,6 @@ const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_ipq8074 = {
+ const struct ath11k_hw_ring_mask ath11k_hw_ring_mask_qca6390 = {
+       .tx  = {
+               ATH11K_TX_RING_MASK_0,
+-              ATH11K_TX_RING_MASK_1,
+-              ATH11K_TX_RING_MASK_2,
+       },
+       .rx_mon_status = {
+               0, 0, 0, 0,
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch b/queue-5.16/ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch
new file mode 100644 (file)
index 0000000..d0be9df
--- /dev/null
@@ -0,0 +1,98 @@
+From d5ac9f1098292a6403b4e4ed040f898255185b5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 23:07:01 +0530
+Subject: ath11k: Fix deleting uninitialized kernel timer during fragment cache
+ flush
+
+From: Rameshkumar Sundaram <quic_ramess@quicinc.com>
+
+[ Upstream commit ba53ee7f7f38cf0592b8be1dcdabaf8f7535f8c1 ]
+
+frag_timer will be created & initialized for stations when
+they associate and will be deleted during every key installation
+while flushing old fragments.
+
+For AP interface self peer will be created and Group keys
+will be installed for this peer, but there will be no real
+Station entry & hence frag_timer won't be created and
+initialized, deleting such uninitialized kernel timers causes below
+warnings and backtraces printed with CONFIG_DEBUG_OBJECTS_TIMERS
+enabled.
+
+[ 177.828008] ODEBUG: assert_init not available (active state 0) object type: timer_list hint: 0x0
+[ 177.836833] WARNING: CPU: 3 PID: 188 at lib/debugobjects.c:508 debug_print_object+0xb0/0xf0
+[ 177.845185] Modules linked in: ath11k_pci ath11k qmi_helpers qrtr_mhi qrtr ns mhi
+[ 177.852679] CPU: 3 PID: 188 Comm: hostapd Not tainted 5.14.0-rc3-32919-g4034139e1838-dirty #14
+[ 177.865805] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--)
+[ 177.871804] pc : debug_print_object+0xb0/0xf0
+[ 177.876155] lr : debug_print_object+0xb0/0xf0
+[ 177.880505] sp : ffffffc01169b5a0
+[ 177.883810] x29: ffffffc01169b5a0 x28: ffffff80081c2320 x27: ffffff80081c4078
+[ 177.890942] x26: ffffff8003fe8f28 x25: ffffff8003de9890 x24: ffffffc01134d738
+[ 177.898075] x23: ffffffc010948f20 x22: ffffffc010b2d2e0 x21: ffffffc01169b628
+[ 177.905206] x20: ffffffc01134d700 x19: ffffffc010c80d98 x18: 00000000000003f6
+[ 177.912339] x17: 203a657079742074 x16: 63656a626f202930 x15: 0000000000000152
+[ 177.919471] x14: 0000000000000152 x13: 00000000ffffffea x12: ffffffc010d732e0
+[ 177.926603] x11: 0000000000000003 x10: ffffffc010d432a0 x9 : ffffffc010d432f8
+[ 177.933735] x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 0000000000000001
+[ 177.940866] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000ffffffff
+[ 177.947997] x2 : ffffffc010c93240 x1 : ffffff80023624c0 x0 : 0000000000000054
+[ 177.955130] Call trace:
+[ 177.957567] debug_print_object+0xb0/0xf0
+[ 177.961570] debug_object_assert_init+0x124/0x178
+[ 177.966269] try_to_del_timer_sync+0x1c/0x70
+[ 177.970536] del_timer_sync+0x30/0x50
+[ 177.974192] ath11k_peer_frags_flush+0x34/0x68 [ath11k]
+[ 177.979439] ath11k_mac_op_set_key+0x1e4/0x338 [ath11k]
+[ 177.984673] ieee80211_key_enable_hw_accel+0xc8/0x3d0
+[ 177.989722] ieee80211_key_replace+0x360/0x740
+[ 177.994160] ieee80211_key_link+0x16c/0x210
+[ 177.998337] ieee80211_add_key+0x138/0x338
+[ 178.002426] nl80211_new_key+0xfc/0x258
+[ 178.006257] genl_family_rcv_msg_doit.isra.17+0xd8/0x120
+[ 178.011565] genl_rcv_msg+0xd8/0x1c8
+[ 178.015134] netlink_rcv_skb+0x38/0xf8
+[ 178.018877] genl_rcv+0x34/0x48
+[ 178.022012] netlink_unicast+0x174/0x230
+[ 178.025928] netlink_sendmsg+0x188/0x388
+[ 178.029845] ____sys_sendmsg+0x218/0x250
+[ 178.033763] ___sys_sendmsg+0x68/0x90
+[ 178.037418] __sys_sendmsg+0x44/0x88
+[ 178.040988] __arm64_sys_sendmsg+0x20/0x28
+[ 178.045077] invoke_syscall.constprop.5+0x54/0xe0
+[ 178.049776] do_el0_svc+0x74/0xc0
+[ 178.053084] el0_svc+0x10/0x18
+[ 178.056133] el0t_64_sync_handler+0x88/0xb0
+[ 178.060310] el0t_64_sync+0x148/0x14c
+[ 178.063966] ---[ end trace 8a5cf0bf9d34a058 ]---
+
+Add changes to not to delete frag timer for peers during
+group key installation.
+
+Tested on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01092-QCAHKSWPL_SILICONZ-1
+
+Fixes: c3944a562102 ("ath11k: Clear the fragment cache during key install")
+Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/1639071421-25078-1-git-send-email-quic_ramess@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 821332cbeb5de..67be109eda910 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3452,7 +3452,7 @@ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+       /* flush the fragments cache during key (re)install to
+        * ensure all frags in the new frag list belong to the same key.
+        */
+-      if (peer && cmd == SET_KEY)
++      if (peer && sta && cmd == SET_KEY)
+               ath11k_peer_frags_flush(ar, peer);
+       spin_unlock_bh(&ab->base_lock);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch b/queue-5.16/ath11k-fix-etsi-regd-with-weather-radar-overlap.patch
new file mode 100644 (file)
index 0000000..1da0190
--- /dev/null
@@ -0,0 +1,240 @@
+From c96438bfe050b3639bd577c59c1d04bfea1afe5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 11:29:55 +0200
+Subject: ath11k: Fix ETSI regd with weather radar overlap
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 086c921a354089f209318501038d43c98d3f409f ]
+
+Some ETSI countries have a small overlap in the wireless-regdb with an ETSI
+channel (5590-5650). A good example is Australia:
+
+  country AU: DFS-ETSI
+       (2400 - 2483.5 @ 40), (36)
+       (5150 - 5250 @ 80), (23), NO-OUTDOOR, AUTO-BW
+       (5250 - 5350 @ 80), (20), NO-OUTDOOR, AUTO-BW, DFS
+       (5470 - 5600 @ 80), (27), DFS
+       (5650 - 5730 @ 80), (27), DFS
+       (5730 - 5850 @ 80), (36)
+       (57000 - 66000 @ 2160), (43), NO-OUTDOOR
+
+If the firmware (or the BDF) is shipped with these rules then there is only
+a 10 MHz overlap with the weather radar:
+
+* below: 5470 - 5590
+* weather radar: 5590 - 5600
+* above: (none for the rule "5470 - 5600 @ 80")
+
+There are several wrong assumption in the ath11k code:
+
+* there is always a valid range below the weather radar
+  (actually: there could be no range below the weather radar range OR range
+   could be smaller than 20 MHz)
+* intersected range in the weather radar range is valid
+  (actually: the range could be smaller than 20 MHz)
+* range above weather radar is either empty or valid
+  (actually: the range could be smaller than 20 MHz)
+
+These wrong assumption will lead in this example to a rule
+
+  (5590 - 5600 @ 20), (N/A, 27), (600000 ms), DFS, AUTO-BW
+
+which is invalid according to is_valid_reg_rule() because the freq_diff is
+only 10 MHz but the max_bandwidth is set to 20 MHz. Which results in a
+rejection like:
+
+  WARNING: at backports-20210222_001-4.4.60-b157d2276/net/wireless/reg.c:3984
+  [...]
+  Call trace:
+  [<ffffffbffc3d2e50>] reg_get_max_bandwidth+0x300/0x3a8 [cfg80211]
+  [<ffffffbffc3d3d0c>] regulatory_set_wiphy_regd_sync+0x3c/0x98 [cfg80211]
+  [<ffffffbffc651598>] ath11k_regd_update+0x1a8/0x210 [ath11k]
+  [<ffffffbffc652108>] ath11k_regd_update_work+0x18/0x20 [ath11k]
+  [<ffffffc0000a93e0>] process_one_work+0x1f8/0x340
+  [<ffffffc0000a9784>] worker_thread+0x25c/0x448
+  [<ffffffc0000aedc8>] kthread+0xd0/0xd8
+  [<ffffffc000085550>] ret_from_fork+0x10/0x40
+  ath11k c000000.wifi: failed to perform regd update : -22
+  Invalid regulatory domain detected
+
+To avoid this, the algorithm has to be changed slightly. Instead of
+splitting a rule which overlaps with the weather radar range into 3 pieces
+and accepting the first two parts blindly, it must actually be checked for
+each piece whether it is a valid range. And only if it is valid, add it to
+the output array.
+
+When these checks are in place, the processed rules for AU would end up as
+
+  country AU: DFS-ETSI
+          (2400 - 2483 @ 40), (N/A, 36), (N/A)
+          (5150 - 5250 @ 80), (6, 23), (N/A), NO-OUTDOOR, AUTO-BW
+          (5250 - 5350 @ 80), (6, 20), (0 ms), NO-OUTDOOR, DFS, AUTO-BW
+          (5470 - 5590 @ 80), (6, 27), (0 ms), DFS, AUTO-BW
+          (5650 - 5730 @ 80), (6, 27), (0 ms), DFS, AUTO-BW
+          (5730 - 5850 @ 80), (6, 36), (N/A), AUTO-BW
+
+and will be accepted by the wireless regulatory code.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211112153116.1214421-1-sven@narfation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/reg.c | 103 ++++++++++++++------------
+ 1 file changed, 56 insertions(+), 47 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c
+index a66b5bdd21679..8606170ba80d5 100644
+--- a/drivers/net/wireless/ath/ath11k/reg.c
++++ b/drivers/net/wireless/ath/ath11k/reg.c
+@@ -456,6 +456,9 @@ ath11k_reg_adjust_bw(u16 start_freq, u16 end_freq, u16 max_bw)
+ {
+       u16 bw;
++      if (end_freq <= start_freq)
++              return 0;
++
+       bw = end_freq - start_freq;
+       bw = min_t(u16, bw, max_bw);
+@@ -463,8 +466,10 @@ ath11k_reg_adjust_bw(u16 start_freq, u16 end_freq, u16 max_bw)
+               bw = 80;
+       else if (bw >= 40 && bw < 80)
+               bw = 40;
+-      else if (bw < 40)
++      else if (bw >= 20 && bw < 40)
+               bw = 20;
++      else
++              bw = 0;
+       return bw;
+ }
+@@ -488,73 +493,77 @@ ath11k_reg_update_weather_radar_band(struct ath11k_base *ab,
+                                    struct cur_reg_rule *reg_rule,
+                                    u8 *rule_idx, u32 flags, u16 max_bw)
+ {
++      u32 start_freq;
+       u32 end_freq;
+       u16 bw;
+       u8 i;
+       i = *rule_idx;
++      /* there might be situations when even the input rule must be dropped */
++      i--;
++
++      /* frequencies below weather radar */
+       bw = ath11k_reg_adjust_bw(reg_rule->start_freq,
+                                 ETSI_WEATHER_RADAR_BAND_LOW, max_bw);
++      if (bw > 0) {
++              i++;
+-      ath11k_reg_update_rule(regd->reg_rules + i, reg_rule->start_freq,
+-                             ETSI_WEATHER_RADAR_BAND_LOW, bw,
+-                             reg_rule->ant_gain, reg_rule->reg_power,
+-                             flags);
++              ath11k_reg_update_rule(regd->reg_rules + i,
++                                     reg_rule->start_freq,
++                                     ETSI_WEATHER_RADAR_BAND_LOW, bw,
++                                     reg_rule->ant_gain, reg_rule->reg_power,
++                                     flags);
+-      ath11k_dbg(ab, ATH11K_DBG_REG,
+-                 "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n",
+-                 i + 1, reg_rule->start_freq, ETSI_WEATHER_RADAR_BAND_LOW,
+-                 bw, reg_rule->ant_gain, reg_rule->reg_power,
+-                 regd->reg_rules[i].dfs_cac_ms,
+-                 flags);
+-
+-      if (reg_rule->end_freq > ETSI_WEATHER_RADAR_BAND_HIGH)
+-              end_freq = ETSI_WEATHER_RADAR_BAND_HIGH;
+-      else
+-              end_freq = reg_rule->end_freq;
++              ath11k_dbg(ab, ATH11K_DBG_REG,
++                         "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n",
++                         i + 1, reg_rule->start_freq,
++                         ETSI_WEATHER_RADAR_BAND_LOW, bw, reg_rule->ant_gain,
++                         reg_rule->reg_power, regd->reg_rules[i].dfs_cac_ms,
++                         flags);
++      }
+-      bw = ath11k_reg_adjust_bw(ETSI_WEATHER_RADAR_BAND_LOW, end_freq,
+-                                max_bw);
++      /* weather radar frequencies */
++      start_freq = max_t(u32, reg_rule->start_freq,
++                         ETSI_WEATHER_RADAR_BAND_LOW);
++      end_freq = min_t(u32, reg_rule->end_freq, ETSI_WEATHER_RADAR_BAND_HIGH);
+-      i++;
++      bw = ath11k_reg_adjust_bw(start_freq, end_freq, max_bw);
++      if (bw > 0) {
++              i++;
+-      ath11k_reg_update_rule(regd->reg_rules + i,
+-                             ETSI_WEATHER_RADAR_BAND_LOW, end_freq, bw,
+-                             reg_rule->ant_gain, reg_rule->reg_power,
+-                             flags);
++              ath11k_reg_update_rule(regd->reg_rules + i, start_freq,
++                                     end_freq, bw, reg_rule->ant_gain,
++                                     reg_rule->reg_power, flags);
+-      regd->reg_rules[i].dfs_cac_ms = ETSI_WEATHER_RADAR_BAND_CAC_TIMEOUT;
++              regd->reg_rules[i].dfs_cac_ms = ETSI_WEATHER_RADAR_BAND_CAC_TIMEOUT;
+-      ath11k_dbg(ab, ATH11K_DBG_REG,
+-                 "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n",
+-                 i + 1, ETSI_WEATHER_RADAR_BAND_LOW, end_freq,
+-                 bw, reg_rule->ant_gain, reg_rule->reg_power,
+-                 regd->reg_rules[i].dfs_cac_ms,
+-                 flags);
+-
+-      if (end_freq == reg_rule->end_freq) {
+-              regd->n_reg_rules--;
+-              *rule_idx = i;
+-              return;
++              ath11k_dbg(ab, ATH11K_DBG_REG,
++                         "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n",
++                         i + 1, start_freq, end_freq, bw,
++                         reg_rule->ant_gain, reg_rule->reg_power,
++                         regd->reg_rules[i].dfs_cac_ms, flags);
+       }
++      /* frequencies above weather radar */
+       bw = ath11k_reg_adjust_bw(ETSI_WEATHER_RADAR_BAND_HIGH,
+                                 reg_rule->end_freq, max_bw);
++      if (bw > 0) {
++              i++;
+-      i++;
+-
+-      ath11k_reg_update_rule(regd->reg_rules + i, ETSI_WEATHER_RADAR_BAND_HIGH,
+-                             reg_rule->end_freq, bw,
+-                             reg_rule->ant_gain, reg_rule->reg_power,
+-                             flags);
++              ath11k_reg_update_rule(regd->reg_rules + i,
++                                     ETSI_WEATHER_RADAR_BAND_HIGH,
++                                     reg_rule->end_freq, bw,
++                                     reg_rule->ant_gain, reg_rule->reg_power,
++                                     flags);
+-      ath11k_dbg(ab, ATH11K_DBG_REG,
+-                 "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n",
+-                 i + 1, ETSI_WEATHER_RADAR_BAND_HIGH, reg_rule->end_freq,
+-                 bw, reg_rule->ant_gain, reg_rule->reg_power,
+-                 regd->reg_rules[i].dfs_cac_ms,
+-                 flags);
++              ath11k_dbg(ab, ATH11K_DBG_REG,
++                         "\t%d. (%d - %d @ %d) (%d, %d) (%d ms) (FLAGS %d)\n",
++                         i + 1, ETSI_WEATHER_RADAR_BAND_HIGH,
++                         reg_rule->end_freq, bw, reg_rule->ant_gain,
++                         reg_rule->reg_power, regd->reg_rules[i].dfs_cac_ms,
++                         flags);
++      }
+       *rule_idx = i;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-mon-status-ring-rx-tlv-processing.patch b/queue-5.16/ath11k-fix-mon-status-ring-rx-tlv-processing.patch
new file mode 100644 (file)
index 0000000..58f2bd0
--- /dev/null
@@ -0,0 +1,75 @@
+From b2d8852614545143a74ec33ed16425cc557345e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 13:13:58 +0200
+Subject: ath11k: Fix mon status ring rx tlv processing
+
+From: Anilkumar Kolli <akolli@codeaurora.org>
+
+[ Upstream commit 09f16f7390f302937409738d6cb6ce99b265f455 ]
+
+In HE monitor capture, HAL_TLV_STATUS_PPDU_DONE is received
+on processing multiple skb. Do not clear the ppdu_info
+till the HAL_TLV_STATUS_PPDU_DONE is received.
+
+This fixes below warning and packet drops in monitor mode.
+ "Rate marked as an HE rate but data is invalid: MCS: 6, NSS: 0"
+ WARNING: at
+ PC is at ieee80211_rx_napi+0x624/0x840 [mac80211]
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01693-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1637249433-10316-1-git-send-email-akolli@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index 22b6b6a470d4c..621372c568d2c 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -3064,10 +3064,10 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id,
+       if (!num_buffs_reaped)
+               goto exit;
+-      while ((skb = __skb_dequeue(&skb_list))) {
+-              memset(&ppdu_info, 0, sizeof(ppdu_info));
+-              ppdu_info.peer_id = HAL_INVALID_PEERID;
++      memset(&ppdu_info, 0, sizeof(ppdu_info));
++      ppdu_info.peer_id = HAL_INVALID_PEERID;
++      while ((skb = __skb_dequeue(&skb_list))) {
+               if (ath11k_debugfs_is_pktlog_lite_mode_enabled(ar)) {
+                       log_type = ATH11K_PKTLOG_TYPE_LITE_RX;
+                       rx_buf_sz = DP_RX_BUFFER_SIZE_LITE;
+@@ -3095,10 +3095,7 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id,
+                       ath11k_dbg(ab, ATH11K_DBG_DATA,
+                                  "failed to find the peer with peer_id %d\n",
+                                  ppdu_info.peer_id);
+-                      spin_unlock_bh(&ab->base_lock);
+-                      rcu_read_unlock();
+-                      dev_kfree_skb_any(skb);
+-                      continue;
++                      goto next_skb;
+               }
+               arsta = (struct ath11k_sta *)peer->sta->drv_priv;
+@@ -3107,10 +3104,13 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id,
+               if (ath11k_debugfs_is_pktlog_peer_valid(ar, peer->addr))
+                       trace_ath11k_htt_rxdesc(ar, skb->data, log_type, rx_buf_sz);
++next_skb:
+               spin_unlock_bh(&ab->base_lock);
+               rcu_read_unlock();
+               dev_kfree_skb_any(skb);
++              memset(&ppdu_info, 0, sizeof(ppdu_info));
++              ppdu_info.peer_id = HAL_INVALID_PEERID;
+       }
+ exit:
+       return num_buffs_reaped;
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-napi-related-hang.patch b/queue-5.16/ath11k-fix-napi-related-hang.patch
new file mode 100644 (file)
index 0000000..b5005f0
--- /dev/null
@@ -0,0 +1,109 @@
+From 91c457dcecdc642ec523962d5483e54d2d12d6e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 12:52:54 -0700
+Subject: ath11k: Fix napi related hang
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit d943fdad7589653065be0e20aadc6dff37725ed4 ]
+
+Similar to the same bug in ath10k, a napi disable w/out it being enabled
+will hang forever.  I believe I saw this while trying rmmod after driver
+had some failure on startup.  Fix it by keeping state on whether napi is
+enabled or not.
+
+And, remove un-used napi pointer in ath11k driver base struct.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20200903195254.29379-1-greearb@candelatech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/ahb.c  | 12 +++++++++---
+ drivers/net/wireless/ath/ath11k/core.h |  2 +-
+ drivers/net/wireless/ath/ath11k/pci.c  | 12 +++++++++---
+ 3 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c
+index 096c502cce387..3fb0aa0008259 100644
+--- a/drivers/net/wireless/ath/ath11k/ahb.c
++++ b/drivers/net/wireless/ath/ath11k/ahb.c
+@@ -175,8 +175,11 @@ static void __ath11k_ahb_ext_irq_disable(struct ath11k_base *ab)
+               ath11k_ahb_ext_grp_disable(irq_grp);
+-              napi_synchronize(&irq_grp->napi);
+-              napi_disable(&irq_grp->napi);
++              if (irq_grp->napi_enabled) {
++                      napi_synchronize(&irq_grp->napi);
++                      napi_disable(&irq_grp->napi);
++                      irq_grp->napi_enabled = false;
++              }
+       }
+ }
+@@ -300,7 +303,10 @@ static void ath11k_ahb_ext_irq_enable(struct ath11k_base *ab)
+       for (i = 0; i < ATH11K_EXT_IRQ_GRP_NUM_MAX; i++) {
+               struct ath11k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i];
+-              napi_enable(&irq_grp->napi);
++              if (!irq_grp->napi_enabled) {
++                      napi_enable(&irq_grp->napi);
++                      irq_grp->napi_enabled = true;
++              }
+               ath11k_ahb_ext_grp_enable(irq_grp);
+       }
+ }
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 31d234a51c79b..62ceee363fea0 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -136,6 +136,7 @@ struct ath11k_ext_irq_grp {
+       u32 num_irq;
+       u32 grp_id;
+       u64 timestamp;
++      bool napi_enabled;
+       struct napi_struct napi;
+       struct net_device napi_ndev;
+ };
+@@ -713,7 +714,6 @@ struct ath11k_base {
+       u32 wlan_init_status;
+       int irq_num[ATH11K_IRQ_NUM_MAX];
+       struct ath11k_ext_irq_grp ext_irq_grp[ATH11K_EXT_IRQ_GRP_NUM_MAX];
+-      struct napi_struct *napi;
+       struct ath11k_targ_cap target_caps;
+       u32 ext_service_bitmap[WMI_SERVICE_EXT_BM_SIZE];
+       bool pdevs_macaddr_valid;
+diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
+index fadded5ef84b2..ae4dc8781e28f 100644
+--- a/drivers/net/wireless/ath/ath11k/pci.c
++++ b/drivers/net/wireless/ath/ath11k/pci.c
+@@ -638,8 +638,11 @@ static void __ath11k_pci_ext_irq_disable(struct ath11k_base *sc)
+               ath11k_pci_ext_grp_disable(irq_grp);
+-              napi_synchronize(&irq_grp->napi);
+-              napi_disable(&irq_grp->napi);
++              if (irq_grp->napi_enabled) {
++                      napi_synchronize(&irq_grp->napi);
++                      napi_disable(&irq_grp->napi);
++                      irq_grp->napi_enabled = false;
++              }
+       }
+ }
+@@ -658,7 +661,10 @@ static void ath11k_pci_ext_irq_enable(struct ath11k_base *ab)
+       for (i = 0; i < ATH11K_EXT_IRQ_GRP_NUM_MAX; i++) {
+               struct ath11k_ext_irq_grp *irq_grp = &ab->ext_irq_grp[i];
+-              napi_enable(&irq_grp->napi);
++              if (!irq_grp->napi_enabled) {
++                      napi_enable(&irq_grp->napi);
++                      irq_grp->napi_enabled = true;
++              }
+               ath11k_pci_ext_grp_enable(irq_grp);
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-qmi-file-type-enum-value.patch b/queue-5.16/ath11k-fix-qmi-file-type-enum-value.patch
new file mode 100644 (file)
index 0000000..e40cbc2
--- /dev/null
@@ -0,0 +1,42 @@
+From d26b8e349ca401125f645f1ea3bc7004235eabec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 16:15:54 +0530
+Subject: ath11k: Fix QMI file type enum value
+
+From: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
+
+[ Upstream commit 18ae1ab04525507ae5528245a6df004cacd0d39a ]
+
+bdf_type for caldata in QMI_WLANFW_BDF_DOWNLOAD_REQ_V01 is wrongly
+sent as 1. But, expected bdf_type value for caldata and EEPROM is 2 and 3
+respectively. It leads to firmware crash. Fix ath11k_qmi_file_type enum
+values.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-00192-QCAHKSWPL_SILICONZ-1
+
+Fixes: 336e7b53c82f ("ath11k: clean up BDF download functions")
+Signed-off-by: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/1638182754-18408-1-git-send-email-quic_seevalam@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/qmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/qmi.h b/drivers/net/wireless/ath/ath11k/qmi.h
+index 3bb0f9ef79968..d9e95b7007653 100644
+--- a/drivers/net/wireless/ath/ath11k/qmi.h
++++ b/drivers/net/wireless/ath/ath11k/qmi.h
+@@ -41,7 +41,7 @@ struct ath11k_base;
+ enum ath11k_qmi_file_type {
+       ATH11K_QMI_FILE_TYPE_BDF_GOLDEN,
+-      ATH11K_QMI_FILE_TYPE_CALDATA,
++      ATH11K_QMI_FILE_TYPE_CALDATA = 2,
+       ATH11K_QMI_FILE_TYPE_EEPROM,
+       ATH11K_QMI_MAX_FILE_TYPE,
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-fix-unexpected-return-buffer-manager-error-fo.patch b/queue-5.16/ath11k-fix-unexpected-return-buffer-manager-error-fo.patch
new file mode 100644 (file)
index 0000000..bead81d
--- /dev/null
@@ -0,0 +1,69 @@
+From 14e7d97ccd3931e2f9fc8ddc5e62d45ce42fd303 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 09:35:35 +0800
+Subject: ath11k: Fix unexpected return buffer manager error for QCA6390
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit 71c748b5e01e3e28838a8e26a8966fb5adb03df7 ]
+
+We are seeing below error on QCA6390:
+...
+[70211.671189] ath11k_pci 0000:72:00.0: failed to parse rx error in wbm_rel ring desc -22
+[70212.696154] ath11k_pci 0000:72:00.0: failed to parse rx error in wbm_rel ring desc -22
+[70213.092941] ath11k_pci 0000:72:00.0: failed to parse rx error in wbm_rel ring desc -22
+...
+
+The reason is that, with commit 734223d78428 ("ath11k: change return
+buffer manager for QCA6390"), ath11k expects the return buffer manager
+(RBM) field of descriptor configured as HAL_RX_BUF_RBM_SW1_BM when
+parsing error frames from WBM2SW3_RELEASE ring. This is a wrong change
+cause the RBM field is set as HAL_RX_BUF_RBM_SW3_BM.
+
+The same issue also applies to REO2TCL ring though we have not got any
+error reported.
+
+Fix it by changing RBM from HAL_RX_BUF_RBM_SW1_BM to HAL_RX_BUF_RBM_SW3_BM
+for these two rings.
+
+Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
+
+Fixes: 734223d78428 ("ath11k: change return buffer manager for QCA6390")
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20211222013536.582527-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c  | 2 +-
+ drivers/net/wireless/ath/ath11k/hal_rx.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index c5320847b80a7..22b6b6a470d4c 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -3800,7 +3800,7 @@ int ath11k_dp_process_rx_err(struct ath11k_base *ab, struct napi_struct *napi,
+               ath11k_hal_rx_msdu_link_info_get(link_desc_va, &num_msdus, msdu_cookies,
+                                                &rbm);
+               if (rbm != HAL_RX_BUF_RBM_WBM_IDLE_DESC_LIST &&
+-                  rbm != ab->hw_params.hal_params->rx_buf_rbm) {
++                  rbm != HAL_RX_BUF_RBM_SW3_BM) {
+                       ab->soc_stats.invalid_rbm++;
+                       ath11k_warn(ab, "invalid return buffer manager %d\n", rbm);
+                       ath11k_dp_rx_link_desc_return(ab, desc,
+diff --git a/drivers/net/wireless/ath/ath11k/hal_rx.c b/drivers/net/wireless/ath/ath11k/hal_rx.c
+index 329c404cfa80d..922926246db7a 100644
+--- a/drivers/net/wireless/ath/ath11k/hal_rx.c
++++ b/drivers/net/wireless/ath/ath11k/hal_rx.c
+@@ -374,7 +374,7 @@ int ath11k_hal_wbm_desc_parse_err(struct ath11k_base *ab, void *desc,
+       ret_buf_mgr = FIELD_GET(BUFFER_ADDR_INFO1_RET_BUF_MGR,
+                               wbm_desc->buf_addr_info.info1);
+-      if (ret_buf_mgr != ab->hw_params.hal_params->rx_buf_rbm) {
++      if (ret_buf_mgr != HAL_RX_BUF_RBM_SW3_BM) {
+               ab->soc_stats.invalid_rbm++;
+               return -EINVAL;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch b/queue-5.16/ath11k-reset-rsn-wpa-present-state-for-open-bss.patch
new file mode 100644 (file)
index 0000000..90104e3
--- /dev/null
@@ -0,0 +1,59 @@
+From 6b55b76f2014b2256cc6c11d3adf349f6c4227a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 11:04:41 +0100
+Subject: ath11k: reset RSN/WPA present state for open BSS
+
+From: Karthikeyan Kathirvel <kathirve@codeaurora.org>
+
+[ Upstream commit 64bc3aa02ae78b1fcb1b850e0eb1f0622002bfaa ]
+
+The ath11k driver is caching the information about RSN/WPA IE in the
+configured beacon template. The cached information is used during
+associations to figure out whether 4-way PKT/2-way GTK peer flags need to
+be set or not.
+
+But the code never cleared the state when no such IE was found. This can
+for example happen when moving from an WPA/RSN to an open setup. The
+(seemingly connected) peer was then not able to communicate over the
+link because the firmware assumed a different (encryption enabled) state
+for the peer.
+
+Tested-on: IPQ6018 hw1.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
+
+Fixes: 01e34233c645 ("ath11k: fix wmi peer flags in peer assoc command")
+Cc: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+Reported-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Karthikeyan Kathirvel <kathirve@codeaurora.org>
+[sven@narfation.org: split into separate patches, clean up commit message]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211115100441.33771-2-sven@narfation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index cdee7545e876a..9ed7eb09bdb70 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1137,11 +1137,15 @@ static int ath11k_mac_setup_bcn_tmpl(struct ath11k_vif *arvif)
+       if (cfg80211_find_ie(WLAN_EID_RSN, ies, (skb_tail_pointer(bcn) - ies)))
+               arvif->rsnie_present = true;
++      else
++              arvif->rsnie_present = false;
+       if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
+                                   WLAN_OUI_TYPE_MICROSOFT_WPA,
+                                   ies, (skb_tail_pointer(bcn) - ies)))
+               arvif->wpaie_present = true;
++      else
++              arvif->wpaie_present = false;
+       ret = ath11k_wmi_bcn_tmpl(ar, arvif->vdev_id, &offs, bcn);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch b/queue-5.16/ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch
new file mode 100644 (file)
index 0000000..de552fa
--- /dev/null
@@ -0,0 +1,68 @@
+From a86856d6a09622cc1051777cb7a44cd5adc81f9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 17:10:48 +0200
+Subject: ath11k: Send PPDU_STATS_CFG with proper pdev mask to firmware
+
+From: Rameshkumar Sundaram <ramess@codeaurora.org>
+
+[ Upstream commit 16a2c3d5406f95ef6139de52669c60a39443f5f7 ]
+
+HTT_PPDU_STATS_CFG_PDEV_ID bit mask for target FW PPDU stats request message
+was set as bit 8 to 15. Bit 8 is reserved for soc stats and pdev id starts from
+bit 9. Hence change the bitmask as bit 9 to 15 and fill the proper pdev id in
+the request message.
+
+In commit 701e48a43e15 ("ath11k: add packet log support for QCA6390"), both
+HTT_PPDU_STATS_CFG_PDEV_ID and pdev_mask were changed, but this pdev_mask
+calculation is not valid for platforms which has multiple pdevs with 1 rxdma
+per pdev, as this is writing same value(i.e. 2) for all pdevs.  Hence fixed it
+to consider pdev_idx as well, to make it compatible for both single and multi
+pd cases.
+
+Tested on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01092-QCAHKSWPL_SILICONZ-1
+Tested on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01067-QCAHKSWPL_SILICONZ-1
+
+Fixes: 701e48a43e15 ("ath11k: add packet log support for QCA6390")
+
+Co-developed-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
+Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
+Signed-off-by: Rameshkumar Sundaram <ramess@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210721212029.142388-10-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp.h    | 3 ++-
+ drivers/net/wireless/ath/ath11k/dp_tx.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp.h b/drivers/net/wireless/ath/ath11k/dp.h
+index 4794ca04f2136..f524d19aca349 100644
+--- a/drivers/net/wireless/ath/ath11k/dp.h
++++ b/drivers/net/wireless/ath/ath11k/dp.h
+@@ -517,7 +517,8 @@ struct htt_ppdu_stats_cfg_cmd {
+ } __packed;
+ #define HTT_PPDU_STATS_CFG_MSG_TYPE           GENMASK(7, 0)
+-#define HTT_PPDU_STATS_CFG_PDEV_ID            GENMASK(15, 8)
++#define HTT_PPDU_STATS_CFG_SOC_STATS          BIT(8)
++#define HTT_PPDU_STATS_CFG_PDEV_ID            GENMASK(15, 9)
+ #define HTT_PPDU_STATS_CFG_TLV_TYPE_BITMASK   GENMASK(31, 16)
+ enum htt_ppdu_stats_tag_type {
+diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c
+index 879fb2a9dc0c6..10b76f6f710b0 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c
+@@ -903,7 +903,7 @@ int ath11k_dp_tx_htt_h2t_ppdu_stats_req(struct ath11k *ar, u32 mask)
+               cmd->msg = FIELD_PREP(HTT_PPDU_STATS_CFG_MSG_TYPE,
+                                     HTT_H2T_MSG_TYPE_PPDU_STATS_CFG);
+-              pdev_mask = 1 << (i + 1);
++              pdev_mask = 1 << (ar->pdev_idx + i);
+               cmd->msg |= FIELD_PREP(HTT_PPDU_STATS_CFG_PDEV_ID, pdev_mask);
+               cmd->msg |= FIELD_PREP(HTT_PPDU_STATS_CFG_TLV_TYPE_BITMASK, mask);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-set-correct-nl80211_feature_dynamic_smps-for-.patch b/queue-5.16/ath11k-set-correct-nl80211_feature_dynamic_smps-for-.patch
new file mode 100644 (file)
index 0000000..4369880
--- /dev/null
@@ -0,0 +1,107 @@
+From 556954b9196bf2780ad4008dd5d08f81e8dc0b76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 10:46:28 +0300
+Subject: ath11k: set correct NL80211_FEATURE_DYNAMIC_SMPS for WCN6855
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit 82c434c103408842a87404e873992b7698b6df2b ]
+
+Commit 6f4d70308e5e ("ath11k: support SMPS configuration for 6 GHz") changed
+"if (ht_cap & WMI_HT_CAP_DYNAMIC_SMPS)" to "if (ht_cap &
+WMI_HT_CAP_DYNAMIC_SMPS || ar->supports_6ghz)" which means
+NL80211_FEATURE_DYNAMIC_SMPS is enabled for all chips which support 6 GHz.
+However, WCN6855 supports 6 GHz but it does not support feature
+NL80211_FEATURE_DYNAMIC_SMPS, and this can lead to MU-MIMO test failures for
+WCN6855.
+
+Disable NL80211_FEATURE_DYNAMIC_SMPS for WCN6855 since its ht_cap does not
+support WMI_HT_CAP_DYNAMIC_SMPS. Enable the feature only on QCN9074 as that's
+the only other device supporting 6 GHz band.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
+
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210914163726.38604-3-jouni@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 5 +++++
+ drivers/net/wireless/ath/ath11k/hw.h   | 1 +
+ drivers/net/wireless/ath/ath11k/mac.c  | 3 ++-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index b5a2af3ffc3e1..7ee2ccc49c747 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -82,6 +82,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .fix_l1ss = true,
+               .max_tx_ring = DP_TCL_NUM_RING_MAX,
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
++              .supports_dynamic_smps_6ghz = false,
+       },
+       {
+               .hw_rev = ATH11K_HW_IPQ6018_HW10,
+@@ -131,6 +132,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .fix_l1ss = true,
+               .max_tx_ring = DP_TCL_NUM_RING_MAX,
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
++              .supports_dynamic_smps_6ghz = false,
+       },
+       {
+               .name = "qca6390 hw2.0",
+@@ -179,6 +181,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .fix_l1ss = true,
+               .max_tx_ring = DP_TCL_NUM_RING_MAX_QCA6390,
+               .hal_params = &ath11k_hw_hal_params_qca6390,
++              .supports_dynamic_smps_6ghz = false,
+       },
+       {
+               .name = "qcn9074 hw1.0",
+@@ -227,6 +230,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .fix_l1ss = true,
+               .max_tx_ring = DP_TCL_NUM_RING_MAX,
+               .hal_params = &ath11k_hw_hal_params_ipq8074,
++              .supports_dynamic_smps_6ghz = true,
+       },
+       {
+               .name = "wcn6855 hw2.0",
+@@ -275,6 +279,7 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
+               .fix_l1ss = false,
+               .max_tx_ring = DP_TCL_NUM_RING_MAX_QCA6390,
+               .hal_params = &ath11k_hw_hal_params_qca6390,
++              .supports_dynamic_smps_6ghz = false,
+       },
+ };
+diff --git a/drivers/net/wireless/ath/ath11k/hw.h b/drivers/net/wireless/ath/ath11k/hw.h
+index 19223d36846e8..6dcac596e3fe5 100644
+--- a/drivers/net/wireless/ath/ath11k/hw.h
++++ b/drivers/net/wireless/ath/ath11k/hw.h
+@@ -176,6 +176,7 @@ struct ath11k_hw_params {
+       bool fix_l1ss;
+       u8 max_tx_ring;
+       const struct ath11k_hw_hal_params *hal_params;
++      bool supports_dynamic_smps_6ghz;
+ };
+ struct ath11k_hw_ops {
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 9ed7eb09bdb70..821332cbeb5de 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -7674,7 +7674,8 @@ static int __ath11k_mac_register(struct ath11k *ar)
+        * for each band for a dual band capable radio. It will be tricky to
+        * handle it when the ht capability different for each band.
+        */
+-      if (ht_cap & WMI_HT_CAP_DYNAMIC_SMPS || ar->supports_6ghz)
++      if (ht_cap & WMI_HT_CAP_DYNAMIC_SMPS ||
++          (ar->supports_6ghz && ab->hw_params.supports_dynamic_smps_6ghz))
+               ar->hw->wiphy->features |= NL80211_FEATURE_DYNAMIC_SMPS;
+       ar->hw->wiphy->max_scan_ssids = WLAN_SCAN_PARAMS_MAX_SSID;
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch b/queue-5.16/ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch
new file mode 100644 (file)
index 0000000..cd540b8
--- /dev/null
@@ -0,0 +1,78 @@
+From b5de35977eb4a6cc92a21906e12bde90cc06fcc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 19:11:31 +0200
+Subject: ath11k: Use host CE parameters for CE interrupts configuration
+
+From: Anilkumar Kolli <akolli@codeaurora.org>
+
+[ Upstream commit b689f091aafd1a874b2f88137934276ab0fca480 ]
+
+CE interrupt configuration uses host ce parameters to assign/free
+interrupts. Use host ce parameters to enable/disable interrupts.
+This patch fixes below BUG,
+
+BUG: KASAN: global-out-of-bounds in 0xffffffbffdfb035c at addr
+ffffffbffde6eeac
+ Read of size 4 by task kworker/u8:2/132
+ Address belongs to variable ath11k_core_qmi_firmware_ready+0x1b0/0x5bc [ath11k]
+
+OOB is due to ath11k_ahb_ce_irqs_enable() iterates ce_count(which is 12)
+times and accessing 12th element in target_ce_config
+(which has only 11 elements) from ath11k_ahb_ce_irq_enable().
+
+With this change host ce configs are used to enable/disable interrupts.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00471-QCAHKSWPL_SILICONZ-1
+
+Fixes: 967c1d1131fa ("ath11k: move target ce configs to hw_params")
+Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1637249558-12793-1-git-send-email-akolli@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/ahb.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c
+index 8c9c781afc3e5..096c502cce387 100644
+--- a/drivers/net/wireless/ath/ath11k/ahb.c
++++ b/drivers/net/wireless/ath/ath11k/ahb.c
+@@ -206,13 +206,13 @@ static void ath11k_ahb_clearbit32(struct ath11k_base *ab, u8 bit, u32 offset)
+ static void ath11k_ahb_ce_irq_enable(struct ath11k_base *ab, u16 ce_id)
+ {
+-      const struct ce_pipe_config *ce_config;
++      const struct ce_attr *ce_attr;
+-      ce_config = &ab->hw_params.target_ce_config[ce_id];
+-      if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_OUT)
++      ce_attr = &ab->hw_params.host_ce_config[ce_id];
++      if (ce_attr->src_nentries)
+               ath11k_ahb_setbit32(ab, ce_id, CE_HOST_IE_ADDRESS);
+-      if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_IN) {
++      if (ce_attr->dest_nentries) {
+               ath11k_ahb_setbit32(ab, ce_id, CE_HOST_IE_2_ADDRESS);
+               ath11k_ahb_setbit32(ab, ce_id + CE_HOST_IE_3_SHIFT,
+                                   CE_HOST_IE_3_ADDRESS);
+@@ -221,13 +221,13 @@ static void ath11k_ahb_ce_irq_enable(struct ath11k_base *ab, u16 ce_id)
+ static void ath11k_ahb_ce_irq_disable(struct ath11k_base *ab, u16 ce_id)
+ {
+-      const struct ce_pipe_config *ce_config;
++      const struct ce_attr *ce_attr;
+-      ce_config = &ab->hw_params.target_ce_config[ce_id];
+-      if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_OUT)
++      ce_attr = &ab->hw_params.host_ce_config[ce_id];
++      if (ce_attr->src_nentries)
+               ath11k_ahb_clearbit32(ab, ce_id, CE_HOST_IE_ADDRESS);
+-      if (__le32_to_cpu(ce_config->pipedir) & PIPEDIR_IN) {
++      if (ce_attr->dest_nentries) {
+               ath11k_ahb_clearbit32(ab, ce_id, CE_HOST_IE_2_ADDRESS);
+               ath11k_ahb_clearbit32(ab, ce_id + CE_HOST_IE_3_SHIFT,
+                                     CE_HOST_IE_3_ADDRESS);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch b/queue-5.16/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch
new file mode 100644 (file)
index 0000000..b2076a7
--- /dev/null
@@ -0,0 +1,90 @@
+From 181cdb11bc678192e51837790703c84cbd15d878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 18:21:42 -0400
+Subject: ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit 6ce708f54cc8d73beca213cec66ede5ce100a781 ]
+
+Large pkt_len can lead to out-out-bound memcpy. Current
+ath9k_hif_usb_rx_stream allows combining the content of two urb
+inputs to one pkt. The first input can indicate the size of the
+pkt. Any remaining size is saved in hif_dev->rx_remain_len.
+While processing the next input, memcpy is used with rx_remain_len.
+
+4-byte pkt_len can go up to 0xffff, while a single input is 0x4000
+maximum in size (MAX_RX_BUF_SIZE). Thus, the patch adds a check for
+pkt_len which must not exceed 2 * MAX_RX_BUG_SIZE.
+
+BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
+Read of size 46393 at addr ffff888018798000 by task kworker/0:1/23
+
+CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.6.0 #63
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
+Workqueue: events request_firmware_work_func
+Call Trace:
+ <IRQ>
+ dump_stack+0x76/0xa0
+ print_address_description.constprop.0+0x16/0x200
+ ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
+ ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
+ __kasan_report.cold+0x37/0x7c
+ ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
+ kasan_report+0xe/0x20
+ check_memory_region+0x15a/0x1d0
+ memcpy+0x20/0x50
+ ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc]
+ ? hif_usb_mgmt_cb+0x2d9/0x2d9 [ath9k_htc]
+ ? _raw_spin_lock_irqsave+0x7b/0xd0
+ ? _raw_spin_trylock_bh+0x120/0x120
+ ? __usb_unanchor_urb+0x12f/0x210
+ __usb_hcd_giveback_urb+0x1e4/0x380
+ usb_giveback_urb_bh+0x241/0x4f0
+ ? __hrtimer_run_queues+0x316/0x740
+ ? __usb_hcd_giveback_urb+0x380/0x380
+ tasklet_action_common.isra.0+0x135/0x330
+ __do_softirq+0x18c/0x634
+ irq_exit+0x114/0x140
+ smp_apic_timer_interrupt+0xde/0x380
+ apic_timer_interrupt+0xf/0x20
+
+I found the bug using a custome USBFuzz port. It's a research work
+to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only,
+providing hand-crafted usb descriptors to QEMU.
+
+After fixing the value of pkt_tag to ATH_USB_RX_STREAM_MODE_TAG in QEMU
+emulation, I found the KASAN report. The bug is triggerable whenever
+pkt_len is above two MAX_RX_BUG_SIZE. I used the same input that crashes
+to test the driver works when applying the patch.
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/YXsidrRuK6zBJicZ@10-18-43-117.dynapool.wireless.nyu.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index 860da13bfb6ac..f06eec99de688 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -590,6 +590,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev,
+                       return;
+               }
++              if (pkt_len > 2 * MAX_RX_BUF_SIZE) {
++                      dev_err(&hif_dev->udev->dev,
++                              "ath9k_htc: invalid pkt_len (%x)\n", pkt_len);
++                      RX_STAT_INC(skb_dropped);
++                      return;
++              }
++
+               pad_len = 4 - (pkt_len & 0x3);
+               if (pad_len == 4)
+                       pad_len = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch b/queue-5.16/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch
new file mode 100644 (file)
index 0000000..cb6f9f6
--- /dev/null
@@ -0,0 +1,74 @@
+From b775f1e28d85dc3242940ba368cb7e9270b3b2f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 22:06:23 +0900
+Subject: ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit b0ec7e55fce65f125bd1d7f02e2dc4de62abee34 ]
+
+syzbot is reporting lockdep warning followed by kernel panic at
+ath9k_htc_rxep() [1], for ath9k_htc_rxep() depends on ath9k_rx_init()
+being already completed.
+
+Since ath9k_htc_rxep() is set by ath9k_htc_connect_svc(WMI_BEACON_SVC)
+ from ath9k_init_htc_services(), it is possible that ath9k_htc_rxep() is
+called via timer interrupt before ath9k_rx_init() from ath9k_init_device()
+is called.
+
+Since we can't call ath9k_init_device() before ath9k_init_htc_services(),
+let's hold ath9k_htc_rxep() no-op until ath9k_rx_init() completes.
+
+Link: https://syzkaller.appspot.com/bug?extid=4d2d56175b934b9a7bf9 [1]
+Reported-by: syzbot <syzbot+4d2d56175b934b9a7bf9@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Tested-by: syzbot <syzbot+4d2d56175b934b9a7bf9@syzkaller.appspotmail.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/2b88f416-b2cb-7a18-d688-951e6dc3fe92@i-love.sakura.ne.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc.h          | 1 +
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
+index 0a1634238e673..4f71e962279af 100644
+--- a/drivers/net/wireless/ath/ath9k/htc.h
++++ b/drivers/net/wireless/ath/ath9k/htc.h
+@@ -281,6 +281,7 @@ struct ath9k_htc_rxbuf {
+ struct ath9k_htc_rx {
+       struct list_head rxbuf;
+       spinlock_t rxbuflock;
++      bool initialized;
+ };
+ #define ATH9K_HTC_TX_CLEANUP_INTERVAL 50 /* ms */
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index 8e69e8989f6d3..e7a21eaf3a68d 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -1130,6 +1130,10 @@ void ath9k_htc_rxep(void *drv_priv, struct sk_buff *skb,
+       struct ath9k_htc_rxbuf *rxbuf = NULL, *tmp_buf = NULL;
+       unsigned long flags;
++      /* Check if ath9k_rx_init() completed. */
++      if (!data_race(priv->rx.initialized))
++              goto err;
++
+       spin_lock_irqsave(&priv->rx.rxbuflock, flags);
+       list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) {
+               if (!tmp_buf->in_process) {
+@@ -1185,6 +1189,10 @@ int ath9k_rx_init(struct ath9k_htc_priv *priv)
+               list_add_tail(&rxbuf->list, &priv->rx.rxbuf);
+       }
++      /* Allow ath9k_htc_rxep() to operate. */
++      smp_wmb();
++      priv->rx.initialized = true;
++
+       return 0;
+ err:
+-- 
+2.34.1
+
diff --git a/queue-5.16/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch-21350 b/queue-5.16/ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch-21350
new file mode 100644 (file)
index 0000000..4258804
--- /dev/null
@@ -0,0 +1,81 @@
+From c8f3522437304fd1951634fbf4a334bcb0e6ba31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 22:06:26 +0900
+Subject: ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit 8b3046abc99eefe11438090bcc4ec3a3994b55d0 ]
+
+syzbot is reporting lockdep warning at ath9k_wmi_event_tasklet() followed
+by kernel panic at get_htc_epid_queue() from ath9k_htc_tx_get_packet() from
+ath9k_htc_txstatus() [1], for ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID)
+depends on spin_lock_init() from ath9k_init_priv() being already completed.
+
+Since ath9k_wmi_event_tasklet() is set by ath9k_init_wmi() from
+ath9k_htc_probe_device(), it is possible that ath9k_wmi_event_tasklet() is
+called via tasklet interrupt before spin_lock_init() from ath9k_init_priv()
+ from ath9k_init_device() from ath9k_htc_probe_device() is called.
+
+Let's hold ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) no-op until
+ath9k_tx_init() completes.
+
+Link: https://syzkaller.appspot.com/bug?extid=31d54c60c5b254d6f75b [1]
+Reported-by: syzbot <syzbot+31d54c60c5b254d6f75b@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Tested-by: syzbot <syzbot+31d54c60c5b254d6f75b@syzkaller.appspotmail.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/77b76ac8-2bee-6444-d26c-8c30858b8daa@i-love.sakura.ne.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc.h          | 1 +
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++++
+ drivers/net/wireless/ath/ath9k/wmi.c          | 4 ++++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
+index 4f71e962279af..6b45e63fae4ba 100644
+--- a/drivers/net/wireless/ath/ath9k/htc.h
++++ b/drivers/net/wireless/ath/ath9k/htc.h
+@@ -306,6 +306,7 @@ struct ath9k_htc_tx {
+       DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM);
+       struct timer_list cleanup_timer;
+       spinlock_t tx_lock;
++      bool initialized;
+ };
+ struct ath9k_htc_tx_ctl {
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index e7a21eaf3a68d..6a850a0bfa8ad 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -813,6 +813,11 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv)
+       skb_queue_head_init(&priv->tx.data_vi_queue);
+       skb_queue_head_init(&priv->tx.data_vo_queue);
+       skb_queue_head_init(&priv->tx.tx_failed);
++
++      /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */
++      smp_wmb();
++      priv->tx.initialized = true;
++
+       return 0;
+ }
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index fe29ad4b9023c..f315c54bd3ac0 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -169,6 +169,10 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t)
+                                            &wmi->drv_priv->fatal_work);
+                       break;
+               case WMI_TXSTATUS_EVENTID:
++                      /* Check if ath9k_tx_init() completed. */
++                      if (!data_race(priv->tx.initialized))
++                              break;
++
+                       spin_lock_bh(&priv->tx.tx_lock);
+                       if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) {
+                               spin_unlock_bh(&priv->tx.tx_lock);
+-- 
+2.34.1
+
diff --git a/queue-5.16/audit-ensure-userspace-is-penalized-the-same-as-the-.patch b/queue-5.16/audit-ensure-userspace-is-penalized-the-same-as-the-.patch
new file mode 100644 (file)
index 0000000..c13ec5f
--- /dev/null
@@ -0,0 +1,71 @@
+From 1eb8987201114dfbd5bbb5fe15bd78670b9c2739 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 15:45:20 -0500
+Subject: audit: ensure userspace is penalized the same as the kernel when
+ under pressure
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 8f110f530635af44fff1f4ee100ecef0bac62510 ]
+
+Due to the audit control mutex necessary for serializing audit
+userspace messages we haven't been able to block/penalize userspace
+processes that attempt to send audit records while the system is
+under audit pressure.  The result is that privileged userspace
+applications have a priority boost with respect to audit as they are
+not bound by the same audit queue throttling as the other tasks on
+the system.
+
+This patch attempts to restore some balance to the system when under
+audit pressure by blocking these privileged userspace tasks after
+they have finished their audit processing, and dropped the audit
+control mutex, but before they return to userspace.
+
+Reported-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Tested-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/audit.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 4cebadb5f30db..eab7282668ab9 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1540,6 +1540,20 @@ static void audit_receive(struct sk_buff  *skb)
+               nlh = nlmsg_next(nlh, &len);
+       }
+       audit_ctl_unlock();
++
++      /* can't block with the ctrl lock, so penalize the sender now */
++      if (audit_backlog_limit &&
++          (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
++              DECLARE_WAITQUEUE(wait, current);
++
++              /* wake kauditd to try and flush the queue */
++              wake_up_interruptible(&kauditd_wait);
++
++              add_wait_queue_exclusive(&audit_backlog_wait, &wait);
++              set_current_state(TASK_UNINTERRUPTIBLE);
++              schedule_timeout(audit_backlog_wait_time);
++              remove_wait_queue(&audit_backlog_wait, &wait);
++      }
+ }
+ /* Log information about who is connecting to the audit multicast socket */
+@@ -1824,7 +1838,9 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
+        *    task_tgid_vnr() since auditd_pid is set in audit_receive_msg()
+        *    using a PID anchored in the caller's namespace
+        * 2. generator holding the audit_cmd_mutex - we don't want to block
+-       *    while holding the mutex */
++       *    while holding the mutex, although we do penalize the sender
++       *    later in audit_receive() when it is safe to block
++       */
+       if (!(auditd_test_task(current) || audit_ctl_owner_current())) {
+               long stime = audit_backlog_wait_time;
+-- 
+2.34.1
+
diff --git a/queue-5.16/ax25-uninitialized-variable-in-ax25_setsockopt.patch b/queue-5.16/ax25-uninitialized-variable-in-ax25_setsockopt.patch
new file mode 100644 (file)
index 0000000..3aad637
--- /dev/null
@@ -0,0 +1,75 @@
+From 20daf9b04c1358f1bb7e2dfc3df812d045c8ce7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 10:13:12 +0300
+Subject: ax25: uninitialized variable in ax25_setsockopt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 9371937092d5fd502032c1bb4475b36b39b1f1b3 ]
+
+The "opt" variable is unsigned long but we only copy 4 bytes from
+the user so the lower 4 bytes are uninitialized.
+
+I have changed the integer overflow checks from ULONG to UINT as well.
+This is a slight API change but I don't expect it to break anything.
+
+Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/af_ax25.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index cfca99e295b80..02f43f3e2c564 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -536,7 +536,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+       ax25_cb *ax25;
+       struct net_device *dev;
+       char devname[IFNAMSIZ];
+-      unsigned long opt;
++      unsigned int opt;
+       int res = 0;
+       if (level != SOL_AX25)
+@@ -568,7 +568,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+               break;
+       case AX25_T1:
+-              if (opt < 1 || opt > ULONG_MAX / HZ) {
++              if (opt < 1 || opt > UINT_MAX / HZ) {
+                       res = -EINVAL;
+                       break;
+               }
+@@ -577,7 +577,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+               break;
+       case AX25_T2:
+-              if (opt < 1 || opt > ULONG_MAX / HZ) {
++              if (opt < 1 || opt > UINT_MAX / HZ) {
+                       res = -EINVAL;
+                       break;
+               }
+@@ -593,7 +593,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+               break;
+       case AX25_T3:
+-              if (opt < 1 || opt > ULONG_MAX / HZ) {
++              if (opt < 1 || opt > UINT_MAX / HZ) {
+                       res = -EINVAL;
+                       break;
+               }
+@@ -601,7 +601,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+               break;
+       case AX25_IDLE:
+-              if (opt > ULONG_MAX / (60 * HZ)) {
++              if (opt > UINT_MAX / (60 * HZ)) {
+                       res = -EINVAL;
+                       break;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch b/queue-5.16/backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch
new file mode 100644 (file)
index 0000000..89d6100
--- /dev/null
@@ -0,0 +1,133 @@
+From 32fcd97fe81207fa91e3f28dec89768d0838f220 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:34:54 +0100
+Subject: backlight: qcom-wled: Fix off-by-one maximum with default num_strings
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 5ada78b26f935f8751852dffa24f6b545b1d2517 ]
+
+When not specifying num-strings in the DT the default is used, but +1 is
+added to it which turns WLED3 into 4 and WLED4/5 into 5 strings instead
+of 3 and 4 respectively, causing out-of-bounds reads and register
+read/writes.  This +1 exists for a deficiency in the DT parsing code,
+and is simply omitted entirely - solving this oob issue - by parsing the
+property separately much like qcom,enabled-strings.
+
+This also enables more stringent checks on the maximum value when
+qcom,enabled-strings is provided in the DT, by parsing num-strings after
+enabled-strings to allow it to check against (and in a subsequent patch
+override) the length of enabled-strings: it is invalid to set
+num-strings higher than that.
+The DT currently utilizes it to get around an incorrect fixed read of
+four elements from that array (has been addressed in a prior patch) by
+setting a lower num-strings where desired.
+
+Fixes: 93c64f1ea1e8 ("leds: add Qualcomm PM8941 WLED driver")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-By: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211115203459.1634079-5-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 48 ++++++++++-------------------
+ 1 file changed, 16 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index d413b913fef32..dbcbeda655192 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1256,21 +1256,6 @@ static const struct wled_var_cfg wled5_ovp_cfg = {
+       .size = 16,
+ };
+-static u32 wled3_num_strings_values_fn(u32 idx)
+-{
+-      return idx + 1;
+-}
+-
+-static const struct wled_var_cfg wled3_num_strings_cfg = {
+-      .fn = wled3_num_strings_values_fn,
+-      .size = 3,
+-};
+-
+-static const struct wled_var_cfg wled4_num_strings_cfg = {
+-      .fn = wled3_num_strings_values_fn,
+-      .size = 4,
+-};
+-
+ static u32 wled3_switch_freq_values_fn(u32 idx)
+ {
+       return 19200 / (2 * (1 + idx));
+@@ -1344,11 +1329,6 @@ static int wled_configure(struct wled *wled)
+                       .val_ptr = &cfg->switch_freq,
+                       .cfg = &wled3_switch_freq_cfg,
+               },
+-              {
+-                      .name = "qcom,num-strings",
+-                      .val_ptr = &cfg->num_strings,
+-                      .cfg = &wled3_num_strings_cfg,
+-              },
+       };
+       const struct wled_u32_opts wled4_opts[] = {
+@@ -1372,11 +1352,6 @@ static int wled_configure(struct wled *wled)
+                       .val_ptr = &cfg->switch_freq,
+                       .cfg = &wled3_switch_freq_cfg,
+               },
+-              {
+-                      .name = "qcom,num-strings",
+-                      .val_ptr = &cfg->num_strings,
+-                      .cfg = &wled4_num_strings_cfg,
+-              },
+       };
+       const struct wled_u32_opts wled5_opts[] = {
+@@ -1400,11 +1375,6 @@ static int wled_configure(struct wled *wled)
+                       .val_ptr = &cfg->switch_freq,
+                       .cfg = &wled3_switch_freq_cfg,
+               },
+-              {
+-                      .name = "qcom,num-strings",
+-                      .val_ptr = &cfg->num_strings,
+-                      .cfg = &wled4_num_strings_cfg,
+-              },
+               {
+                       .name = "qcom,modulator-sel",
+                       .val_ptr = &cfg->mod_sel,
+@@ -1523,8 +1493,6 @@ static int wled_configure(struct wled *wled)
+                       *bool_opts[i].val_ptr = true;
+       }
+-      cfg->num_strings = cfg->num_strings + 1;
+-
+       string_len = of_property_count_elems_of_size(dev->of_node,
+                                                    "qcom,enabled-strings",
+                                                    sizeof(u32));
+@@ -1555,6 +1523,22 @@ static int wled_configure(struct wled *wled)
+               }
+       }
++      rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val);
++      if (!rc) {
++              if (val < 1 || val > wled->max_string_count) {
++                      dev_err(dev, "qcom,num-strings must be between 1 and %d\n",
++                              wled->max_string_count);
++                      return -EINVAL;
++              }
++
++              if (string_len > 0 && val > string_len) {
++                      dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n");
++                      return -EINVAL;
++              }
++
++              cfg->num_strings = val;
++      }
++
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/backlight-qcom-wled-override-default-length-with-qco.patch b/queue-5.16/backlight-qcom-wled-override-default-length-with-qco.patch
new file mode 100644 (file)
index 0000000..818bbd0
--- /dev/null
@@ -0,0 +1,65 @@
+From 85ab2453bee2d271ee67506af2736472c23d9628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:34:55 +0100
+Subject: backlight: qcom-wled: Override default length with
+ qcom,enabled-strings
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2b4b49602f9feca7b7a84eaa33ad9e666c8aa695 ]
+
+The length of qcom,enabled-strings as property array is enough to
+determine the number of strings to be enabled, without needing to set
+qcom,num-strings to override the default number of strings when less
+than the default (which is also the maximum) is provided in DT.
+
+This also introduces an extra warning when qcom,num-strings is set,
+denoting that it is not necessary to set both anymore.  It is usually
+more concise to set just qcom,num-length when a zero-based, contiguous
+range of strings is needed (the majority of the cases), or to only set
+qcom,enabled-strings when a specific set of indices is desired.
+
+Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211115203459.1634079-6-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index dbcbeda655192..c057368e5056e 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1521,6 +1521,8 @@ static int wled_configure(struct wled *wled)
+                               return -EINVAL;
+                       }
+               }
++
++              cfg->num_strings = string_len;
+       }
+       rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val);
+@@ -1531,9 +1533,13 @@ static int wled_configure(struct wled *wled)
+                       return -EINVAL;
+               }
+-              if (string_len > 0 && val > string_len) {
+-                      dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n");
+-                      return -EINVAL;
++              if (string_len > 0) {
++                      dev_warn(dev, "Only one of qcom,num-strings or qcom,enabled-strings"
++                                    " should be set\n");
++                      if (val > string_len) {
++                              dev_err(dev, "qcom,num-strings exceeds qcom,enabled-strings\n");
++                              return -EINVAL;
++                      }
+               }
+               cfg->num_strings = val;
+-- 
+2.34.1
+
diff --git a/queue-5.16/backlight-qcom-wled-pass-number-of-elements-to-read-.patch b/queue-5.16/backlight-qcom-wled-pass-number-of-elements-to-read-.patch
new file mode 100644 (file)
index 0000000..bc7676e
--- /dev/null
@@ -0,0 +1,56 @@
+From 39f1beaf1c32ed9cb2da7636a6e2a9c5bdc96364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:34:52 +0100
+Subject: backlight: qcom-wled: Pass number of elements to read to
+ read_u32_array
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit e29e24bdabfeddbf8b1a4ecac1af439a85150438 ]
+
+of_property_read_u32_array takes the number of elements to read as last
+argument. This does not always need to be 4 (sizeof(u32)) but should
+instead be the size of the array in DT as read just above with
+of_property_count_elems_of_size.
+
+To not make such an error go unnoticed again the driver now bails
+accordingly when of_property_read_u32_array returns an error.
+Surprisingly the indentation of newlined arguments is lining up again
+after prepending `rc = `.
+
+Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211115203459.1634079-3-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index 8a42ed89c59c9..d413b913fef32 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1535,10 +1535,15 @@ static int wled_configure(struct wled *wled)
+                       return -EINVAL;
+               }
+-              of_property_read_u32_array(dev->of_node,
++              rc = of_property_read_u32_array(dev->of_node,
+                                               "qcom,enabled-strings",
+                                               wled->cfg.enabled_strings,
+-                                              sizeof(u32));
++                                              string_len);
++              if (rc) {
++                      dev_err(dev, "Failed to read %d elements from qcom,enabled-strings: %d\n",
++                              string_len, rc);
++                      return rc;
++              }
+               for (i = 0; i < string_len; ++i) {
+                       if (wled->cfg.enabled_strings[i] >= wled->max_string_count) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch b/queue-5.16/backlight-qcom-wled-respect-enabled-strings-in-set_b.patch
new file mode 100644 (file)
index 0000000..ad13083
--- /dev/null
@@ -0,0 +1,135 @@
+From b7fff5b479b04a9e53986ac7e87aeadea2982da4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:34:59 +0100
+Subject: backlight: qcom-wled: Respect enabled-strings in set_brightness
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit ec961cf3241153e0f27d850f1bf0f172e7d27a21 ]
+
+The hardware is capable of controlling any non-contiguous sequence of
+LEDs specified in the DT using qcom,enabled-strings as u32
+array, and this also follows from the DT-bindings documentation.  The
+numbers specified in this array represent indices of the LED strings
+that are to be enabled and disabled.
+
+Its value is appropriately used to setup and enable string modules, but
+completely disregarded in the set_brightness paths which only iterate
+over the number of strings linearly.
+Take an example where only string 2 is enabled with
+qcom,enabled_strings=<2>: this string is appropriately enabled but
+subsequent brightness changes would have only touched the zero'th
+brightness register because num_strings is 1 here.  This is simply
+addressed by looking up the string for this index in the enabled_strings
+array just like the other codepaths that iterate over num_strings.
+
+Likewise enabled_strings is now also used in the autodetection path for
+consistent behaviour: when a list of strings is specified in DT only
+those strings will be probed for autodetection, analogous to how the
+number of strings that need to be probed is already bound by
+qcom,num-strings.  After all autodetection uses the set_brightness
+helpers to set an initial value, which could otherwise end up changing
+brightness on a different set of strings.
+
+Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3")
+Fixes: 03b2b5e86986 ("backlight: qcom-wled: Add support for WLED4 peripheral")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211115203459.1634079-10-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index 5306b06044b4f..f12c76d6e61de 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -237,7 +237,7 @@ static int wled3_set_brightness(struct wled *wled, u16 brightness)
+       for (i = 0;  i < wled->cfg.num_strings; ++i) {
+               rc = regmap_bulk_write(wled->regmap, wled->ctrl_addr +
+-                                     WLED3_SINK_REG_BRIGHT(i),
++                                     WLED3_SINK_REG_BRIGHT(wled->cfg.enabled_strings[i]),
+                                      &v, sizeof(v));
+               if (rc < 0)
+                       return rc;
+@@ -260,7 +260,7 @@ static int wled4_set_brightness(struct wled *wled, u16 brightness)
+       for (i = 0;  i < wled->cfg.num_strings; ++i) {
+               rc = regmap_bulk_write(wled->regmap, wled->sink_addr +
+-                                     WLED4_SINK_REG_BRIGHT(i),
++                                     WLED4_SINK_REG_BRIGHT(wled->cfg.enabled_strings[i]),
+                                      &v, sizeof(v));
+               if (rc < 0)
+                       return rc;
+@@ -571,7 +571,7 @@ unlock_mutex:
+ static void wled_auto_string_detection(struct wled *wled)
+ {
+-      int rc = 0, i, delay_time_us;
++      int rc = 0, i, j, delay_time_us;
+       u32 sink_config = 0;
+       u8 sink_test = 0, sink_valid = 0, val;
+       bool fault_set;
+@@ -618,14 +618,15 @@ static void wled_auto_string_detection(struct wled *wled)
+       /* Iterate through the strings one by one */
+       for (i = 0; i < wled->cfg.num_strings; i++) {
+-              sink_test = BIT((WLED4_SINK_REG_CURR_SINK_SHFT + i));
++              j = wled->cfg.enabled_strings[i];
++              sink_test = BIT((WLED4_SINK_REG_CURR_SINK_SHFT + j));
+               /* Enable feedback control */
+               rc = regmap_write(wled->regmap, wled->ctrl_addr +
+-                                WLED3_CTRL_REG_FEEDBACK_CONTROL, i + 1);
++                                WLED3_CTRL_REG_FEEDBACK_CONTROL, j + 1);
+               if (rc < 0) {
+                       dev_err(wled->dev, "Failed to enable feedback for SINK %d rc = %d\n",
+-                              i + 1, rc);
++                              j + 1, rc);
+                       goto failed_detect;
+               }
+@@ -634,7 +635,7 @@ static void wled_auto_string_detection(struct wled *wled)
+                                 WLED4_SINK_REG_CURR_SINK, sink_test);
+               if (rc < 0) {
+                       dev_err(wled->dev, "Failed to configure SINK %d rc=%d\n",
+-                              i + 1, rc);
++                              j + 1, rc);
+                       goto failed_detect;
+               }
+@@ -661,7 +662,7 @@ static void wled_auto_string_detection(struct wled *wled)
+               if (fault_set)
+                       dev_dbg(wled->dev, "WLED OVP fault detected with SINK %d\n",
+-                              i + 1);
++                              j + 1);
+               else
+                       sink_valid |= sink_test;
+@@ -701,15 +702,16 @@ static void wled_auto_string_detection(struct wled *wled)
+       /* Enable valid sinks */
+       if (wled->version == 4) {
+               for (i = 0; i < wled->cfg.num_strings; i++) {
++                      j = wled->cfg.enabled_strings[i];
+                       if (sink_config &
+-                          BIT(WLED4_SINK_REG_CURR_SINK_SHFT + i))
++                          BIT(WLED4_SINK_REG_CURR_SINK_SHFT + j))
+                               val = WLED4_SINK_REG_STR_MOD_MASK;
+                       else
+                               /* Disable modulator_en for unused sink */
+                               val = 0;
+                       rc = regmap_write(wled->regmap, wled->sink_addr +
+-                                        WLED4_SINK_REG_STR_MOD_EN(i), val);
++                                        WLED4_SINK_REG_STR_MOD_EN(j), val);
+                       if (rc < 0) {
+                               dev_err(wled->dev, "Failed to configure MODULATOR_EN rc=%d\n",
+                                       rc);
+-- 
+2.34.1
+
diff --git a/queue-5.16/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch b/queue-5.16/backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch
new file mode 100644 (file)
index 0000000..572a557
--- /dev/null
@@ -0,0 +1,96 @@
+From 43bed949bc2302231405e551e4fbca2c31ef10a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:34:53 +0100
+Subject: backlight: qcom-wled: Use cpu_to_le16 macro to perform conversion
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 0a139358548968b2ff308257b4fbeec7badcc3e1 ]
+
+The kernel already provides appropriate primitives to perform endianness
+conversion which should be used in favour of manual bit-wrangling.
+
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211115203459.1634079-4-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index c057368e5056e..5306b06044b4f 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -231,14 +231,14 @@ struct wled {
+ static int wled3_set_brightness(struct wled *wled, u16 brightness)
+ {
+       int rc, i;
+-      u8 v[2];
++      __le16 v;
+-      v[0] = brightness & 0xff;
+-      v[1] = (brightness >> 8) & 0xf;
++      v = cpu_to_le16(brightness & WLED3_SINK_REG_BRIGHT_MAX);
+       for (i = 0;  i < wled->cfg.num_strings; ++i) {
+               rc = regmap_bulk_write(wled->regmap, wled->ctrl_addr +
+-                                     WLED3_SINK_REG_BRIGHT(i), v, 2);
++                                     WLED3_SINK_REG_BRIGHT(i),
++                                     &v, sizeof(v));
+               if (rc < 0)
+                       return rc;
+       }
+@@ -250,18 +250,18 @@ static int wled4_set_brightness(struct wled *wled, u16 brightness)
+ {
+       int rc, i;
+       u16 low_limit = wled->max_brightness * 4 / 1000;
+-      u8 v[2];
++      __le16 v;
+       /* WLED4's lower limit of operation is 0.4% */
+       if (brightness > 0 && brightness < low_limit)
+               brightness = low_limit;
+-      v[0] = brightness & 0xff;
+-      v[1] = (brightness >> 8) & 0xf;
++      v = cpu_to_le16(brightness & WLED3_SINK_REG_BRIGHT_MAX);
+       for (i = 0;  i < wled->cfg.num_strings; ++i) {
+               rc = regmap_bulk_write(wled->regmap, wled->sink_addr +
+-                                     WLED4_SINK_REG_BRIGHT(i), v, 2);
++                                     WLED4_SINK_REG_BRIGHT(i),
++                                     &v, sizeof(v));
+               if (rc < 0)
+                       return rc;
+       }
+@@ -273,21 +273,20 @@ static int wled5_set_brightness(struct wled *wled, u16 brightness)
+ {
+       int rc, offset;
+       u16 low_limit = wled->max_brightness * 1 / 1000;
+-      u8 v[2];
++      __le16 v;
+       /* WLED5's lower limit is 0.1% */
+       if (brightness < low_limit)
+               brightness = low_limit;
+-      v[0] = brightness & 0xff;
+-      v[1] = (brightness >> 8) & 0x7f;
++      v = cpu_to_le16(brightness & WLED5_SINK_REG_BRIGHT_MAX_15B);
+       offset = (wled->cfg.mod_sel == MOD_A) ?
+                 WLED5_SINK_REG_MOD_A_BRIGHTNESS_LSB :
+                 WLED5_SINK_REG_MOD_B_BRIGHTNESS_LSB;
+       rc = regmap_bulk_write(wled->regmap, wled->sink_addr + offset,
+-                             v, 2);
++                             &v, sizeof(v));
+       return rc;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/backlight-qcom-wled-validate-enabled-string-indices-.patch b/queue-5.16/backlight-qcom-wled-validate-enabled-string-indices-.patch
new file mode 100644 (file)
index 0000000..21a8e05
--- /dev/null
@@ -0,0 +1,60 @@
+From 483444f6df49d1c56dd397598c0e74eee46a3e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:34:51 +0100
+Subject: backlight: qcom-wled: Validate enabled string indices in DT
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit c05b21ebc5bce3ecc78c2c71afd76d92c790a2ac ]
+
+The strings passed in DT may possibly cause out-of-bounds register
+accesses and should be validated before use.
+
+Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211115203459.1634079-2-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index d094299c2a485..8a42ed89c59c9 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1528,12 +1528,28 @@ static int wled_configure(struct wled *wled)
+       string_len = of_property_count_elems_of_size(dev->of_node,
+                                                    "qcom,enabled-strings",
+                                                    sizeof(u32));
+-      if (string_len > 0)
++      if (string_len > 0) {
++              if (string_len > wled->max_string_count) {
++                      dev_err(dev, "Cannot have more than %d strings\n",
++                              wled->max_string_count);
++                      return -EINVAL;
++              }
++
+               of_property_read_u32_array(dev->of_node,
+                                               "qcom,enabled-strings",
+                                               wled->cfg.enabled_strings,
+                                               sizeof(u32));
++              for (i = 0; i < string_len; ++i) {
++                      if (wled->cfg.enabled_strings[i] >= wled->max_string_count) {
++                              dev_err(dev,
++                                      "qcom,enabled-strings index %d at %d is out of bounds\n",
++                                      wled->cfg.enabled_strings[i], i);
++                              return -EINVAL;
++                      }
++              }
++      }
++
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch b/queue-5.16/batman-adv-allow-netlink-usage-in-unprivileged-conta.patch
new file mode 100644 (file)
index 0000000..bc6c4d1
--- /dev/null
@@ -0,0 +1,174 @@
+From 47238e02a40d5a9c8c68c7d4d11f0eb554deed6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 22:30:12 +0100
+Subject: batman-adv: allow netlink usage in unprivileged containers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+[ Upstream commit 9057d6c23e7388ee9d037fccc9a7bc8557ce277b ]
+
+Currently, creating a batman-adv interface in an unprivileged LXD
+container and attaching secondary interfaces to it with "ip" or "batctl"
+works fine. However all batctl debug and configuration commands
+fail:
+
+  root@container:~# batctl originators
+  Error received: Operation not permitted
+  root@container:~# batctl orig_interval
+  1000
+  root@container:~# batctl orig_interval 2000
+  root@container:~# batctl orig_interval
+  1000
+
+To fix this change the generic netlink permissions from GENL_ADMIN_PERM
+to GENL_UNS_ADMIN_PERM. This way a batman-adv interface is fully
+maintainable as root from within a user namespace, from an unprivileged
+container.
+
+All except one batman-adv netlink setting are per interface and do not
+leak information or change settings from the host system and are
+therefore save to retrieve or modify as root from within an unprivileged
+container.
+
+"batctl routing_algo" / BATADV_CMD_GET_ROUTING_ALGOS is the only
+exception: It provides the batman-adv kernel module wide default routing
+algorithm. However it is read-only from netlink and an unprivileged
+container is still not allowed to modify
+/sys/module/batman_adv/parameters/routing_algo. Instead it is advised to
+use the newly introduced "batctl if create routing_algo RA_NAME" /
+IFLA_BATADV_ALGO_NAME to set the routing algorithm on interface
+creation, which already works fine in an unprivileged container.
+
+Cc: Tycho Andersen <tycho@tycho.pizza>
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/netlink.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
+index 29276284d281c..00875e1d8c44c 100644
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -1368,21 +1368,21 @@ static const struct genl_small_ops batadv_netlink_ops[] = {
+       {
+               .cmd = BATADV_CMD_TP_METER,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .doit = batadv_netlink_tp_meter_start,
+               .internal_flags = BATADV_FLAG_NEED_MESH,
+       },
+       {
+               .cmd = BATADV_CMD_TP_METER_CANCEL,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .doit = batadv_netlink_tp_meter_cancel,
+               .internal_flags = BATADV_FLAG_NEED_MESH,
+       },
+       {
+               .cmd = BATADV_CMD_GET_ROUTING_ALGOS,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_algo_dump,
+       },
+       {
+@@ -1397,68 +1397,68 @@ static const struct genl_small_ops batadv_netlink_ops[] = {
+       {
+               .cmd = BATADV_CMD_GET_TRANSTABLE_LOCAL,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_tt_local_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_TRANSTABLE_GLOBAL,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_tt_global_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_ORIGINATORS,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_orig_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_NEIGHBORS,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_hardif_neigh_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_GATEWAYS,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_gw_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_BLA_CLAIM,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_bla_claim_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_BLA_BACKBONE,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_bla_backbone_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_DAT_CACHE,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_dat_cache_dump,
+       },
+       {
+               .cmd = BATADV_CMD_GET_MCAST_FLAGS,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .dumpit = batadv_mcast_flags_dump,
+       },
+       {
+               .cmd = BATADV_CMD_SET_MESH,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .doit = batadv_netlink_set_mesh,
+               .internal_flags = BATADV_FLAG_NEED_MESH,
+       },
+       {
+               .cmd = BATADV_CMD_SET_HARDIF,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .doit = batadv_netlink_set_hardif,
+               .internal_flags = BATADV_FLAG_NEED_MESH |
+                                 BATADV_FLAG_NEED_HARDIF,
+@@ -1474,7 +1474,7 @@ static const struct genl_small_ops batadv_netlink_ops[] = {
+       {
+               .cmd = BATADV_CMD_SET_VLAN,
+               .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+-              .flags = GENL_ADMIN_PERM,
++              .flags = GENL_UNS_ADMIN_PERM,
+               .doit = batadv_netlink_set_vlan,
+               .internal_flags = BATADV_FLAG_NEED_MESH |
+                                 BATADV_FLAG_NEED_VLAN,
+-- 
+2.34.1
+
diff --git a/queue-5.16/bfq-do-not-let-waker-requests-skip-proper-accounting.patch b/queue-5.16/bfq-do-not-let-waker-requests-skip-proper-accounting.patch
new file mode 100644 (file)
index 0000000..1325812
--- /dev/null
@@ -0,0 +1,136 @@
+From 33eea32266355d9166d1dff6f8f2b99efc35febf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 14:36:41 +0100
+Subject: bfq: Do not let waker requests skip proper accounting
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit c65e6fd460b4df796ecd6ea22e132076ed1f2820 ]
+
+Commit 7cc4ffc55564 ("block, bfq: put reqs of waker and woken in
+dispatch list") added a condition to bfq_insert_request() which added
+waker's requests directly to dispatch list. The rationale was that
+completing waker's IO is needed to get more IO for the current queue.
+Although this rationale is valid, there is a hole in it. The waker does
+not necessarily serve the IO only for the current queue and maybe it's
+current IO is not needed for current queue to make progress. Furthermore
+injecting IO like this completely bypasses any service accounting within
+bfq and thus we do not properly track how much service is waker's queue
+getting or that the waker is actually doing any IO. Depending on the
+conditions this can result in the waker getting too much or too few
+service.
+
+Consider for example the following job file:
+
+[global]
+directory=/mnt/repro/
+rw=write
+size=8g
+time_based
+runtime=30
+ramp_time=10
+blocksize=1m
+direct=0
+ioengine=sync
+
+[slowwriter]
+numjobs=1
+prioclass=2
+prio=7
+fsync=200
+
+[fastwriter]
+numjobs=1
+prioclass=2
+prio=0
+fsync=200
+
+Despite processes have very different IO priorities, they get the same
+about of service. The reason is that bfq identifies these processes as
+having waker-wakee relationship and once that happens, IO from
+fastwriter gets injected during slowwriter's time slice. As a result bfq
+is not aware that fastwriter has any IO to do and constantly schedules
+only slowwriter's queue. Thus fastwriter is forced to compete with
+slowwriter's IO all the time instead of getting its share of time based
+on IO priority.
+
+Drop the special injection condition from bfq_insert_request(). As a
+result, requests will be tracked and queued in a normal way and on next
+dispatch bfq_select_queue() can decide whether the waker's inserted
+requests should be injected during the current queue's timeslice or not.
+
+Fixes: 7cc4ffc55564 ("block, bfq: put reqs of waker and woken in dispatch list")
+Acked-by: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20211125133645.27483-8-jack@suse.cz
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 44 +-------------------------------------------
+ 1 file changed, 1 insertion(+), 43 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index fec18118dc309..30918b0e81c02 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5991,48 +5991,7 @@ static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq,
+       spin_lock_irq(&bfqd->lock);
+       bfqq = bfq_init_rq(rq);
+-
+-      /*
+-       * Reqs with at_head or passthrough flags set are to be put
+-       * directly into dispatch list. Additional case for putting rq
+-       * directly into the dispatch queue: the only active
+-       * bfq_queues are bfqq and either its waker bfq_queue or one
+-       * of its woken bfq_queues. The rationale behind this
+-       * additional condition is as follows:
+-       * - consider a bfq_queue, say Q1, detected as a waker of
+-       *   another bfq_queue, say Q2
+-       * - by definition of a waker, Q1 blocks the I/O of Q2, i.e.,
+-       *   some I/O of Q1 needs to be completed for new I/O of Q2
+-       *   to arrive.  A notable example of waker is journald
+-       * - so, Q1 and Q2 are in any respect the queues of two
+-       *   cooperating processes (or of two cooperating sets of
+-       *   processes): the goal of Q1's I/O is doing what needs to
+-       *   be done so that new Q2's I/O can finally be
+-       *   issued. Therefore, if the service of Q1's I/O is delayed,
+-       *   then Q2's I/O is delayed too.  Conversely, if Q2's I/O is
+-       *   delayed, the goal of Q1's I/O is hindered.
+-       * - as a consequence, if some I/O of Q1/Q2 arrives while
+-       *   Q2/Q1 is the only queue in service, there is absolutely
+-       *   no point in delaying the service of such an I/O. The
+-       *   only possible result is a throughput loss
+-       * - so, when the above condition holds, the best option is to
+-       *   have the new I/O dispatched as soon as possible
+-       * - the most effective and efficient way to attain the above
+-       *   goal is to put the new I/O directly in the dispatch
+-       *   list
+-       * - as an additional restriction, Q1 and Q2 must be the only
+-       *   busy queues for this commit to put the I/O of Q2/Q1 in
+-       *   the dispatch list.  This is necessary, because, if also
+-       *   other queues are waiting for service, then putting new
+-       *   I/O directly in the dispatch list may evidently cause a
+-       *   violation of service guarantees for the other queues
+-       */
+-      if (!bfqq ||
+-          (bfqq != bfqd->in_service_queue &&
+-           bfqd->in_service_queue != NULL &&
+-           bfq_tot_busy_queues(bfqd) == 1 + bfq_bfqq_busy(bfqq) &&
+-           (bfqq->waker_bfqq == bfqd->in_service_queue ||
+-            bfqd->in_service_queue->waker_bfqq == bfqq)) || at_head) {
++      if (!bfqq || at_head) {
+               if (at_head)
+                       list_add(&rq->queuelist, &bfqd->dispatch);
+               else
+@@ -6059,7 +6018,6 @@ static void bfq_insert_request(struct blk_mq_hw_ctx *hctx, struct request *rq,
+        * merge).
+        */
+       cmd_flags = rq->cmd_flags;
+-
+       spin_unlock_irq(&bfqd->lock);
+       bfq_update_insert_stats(q, bfqq, idle_timer_disabled,
+-- 
+2.34.1
+
diff --git a/queue-5.16/binder-avoid-potential-data-leakage-when-copying-txn.patch b/queue-5.16/binder-avoid-potential-data-leakage-when-copying-txn.patch
new file mode 100644 (file)
index 0000000..8faccee
--- /dev/null
@@ -0,0 +1,231 @@
+From ef052af34a087b2ca4c6c100048d767cdd9779ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 10:51:50 -0800
+Subject: binder: avoid potential data leakage when copying txn
+
+From: Todd Kjos <tkjos@google.com>
+
+[ Upstream commit 6d98eb95b450a75adb4516a1d33652dc78d2b20c ]
+
+Transactions are copied from the sender to the target
+first and objects like BINDER_TYPE_PTR and BINDER_TYPE_FDA
+are then fixed up. This means there is a short period where
+the sender's version of these objects are visible to the
+target prior to the fixups.
+
+Instead of copying all of the data first, copy data only
+after any needed fixups have been applied.
+
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Reviewed-by: Martijn Coenen <maco@android.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20211130185152.437403-3-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/android/binder.c | 94 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 70 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index 7d29d3d931a79..99ae919255f4d 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1608,15 +1608,21 @@ static void binder_cleanup_transaction(struct binder_transaction *t,
+ /**
+  * binder_get_object() - gets object and checks for valid metadata
+  * @proc:     binder_proc owning the buffer
++ * @u:                sender's user pointer to base of buffer
+  * @buffer:   binder_buffer that we're parsing.
+  * @offset:   offset in the @buffer at which to validate an object.
+  * @object:   struct binder_object to read into
+  *
+- * Return:    If there's a valid metadata object at @offset in @buffer, the
++ * Copy the binder object at the given offset into @object. If @u is
++ * provided then the copy is from the sender's buffer. If not, then
++ * it is copied from the target's @buffer.
++ *
++ * Return:    If there's a valid metadata object at @offset, the
+  *            size of that object. Otherwise, it returns zero. The object
+  *            is read into the struct binder_object pointed to by @object.
+  */
+ static size_t binder_get_object(struct binder_proc *proc,
++                              const void __user *u,
+                               struct binder_buffer *buffer,
+                               unsigned long offset,
+                               struct binder_object *object)
+@@ -1626,10 +1632,16 @@ static size_t binder_get_object(struct binder_proc *proc,
+       size_t object_size = 0;
+       read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
+-      if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+-          binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
+-                                        offset, read_size))
++      if (offset > buffer->data_size || read_size < sizeof(*hdr))
+               return 0;
++      if (u) {
++              if (copy_from_user(object, u + offset, read_size))
++                      return 0;
++      } else {
++              if (binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
++                                                offset, read_size))
++                      return 0;
++      }
+       /* Ok, now see if we read a complete object. */
+       hdr = &object->hdr;
+@@ -1702,7 +1714,7 @@ static struct binder_buffer_object *binder_validate_ptr(
+                                         b, buffer_offset,
+                                         sizeof(object_offset)))
+               return NULL;
+-      object_size = binder_get_object(proc, b, object_offset, object);
++      object_size = binder_get_object(proc, NULL, b, object_offset, object);
+       if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
+               return NULL;
+       if (object_offsetp)
+@@ -1767,7 +1779,8 @@ static bool binder_validate_fixup(struct binder_proc *proc,
+               unsigned long buffer_offset;
+               struct binder_object last_object;
+               struct binder_buffer_object *last_bbo;
+-              size_t object_size = binder_get_object(proc, b, last_obj_offset,
++              size_t object_size = binder_get_object(proc, NULL, b,
++                                                     last_obj_offset,
+                                                      &last_object);
+               if (object_size != sizeof(*last_bbo))
+                       return false;
+@@ -1882,7 +1895,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
+               if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
+                                                  buffer, buffer_offset,
+                                                  sizeof(object_offset)))
+-                      object_size = binder_get_object(proc, buffer,
++                      object_size = binder_get_object(proc, NULL, buffer,
+                                                       object_offset, &object);
+               if (object_size == 0) {
+                       pr_err("transaction release %d bad object at offset %lld, size %zd\n",
+@@ -2455,6 +2468,7 @@ static void binder_transaction(struct binder_proc *proc,
+       binder_size_t off_start_offset, off_end_offset;
+       binder_size_t off_min;
+       binder_size_t sg_buf_offset, sg_buf_end_offset;
++      binder_size_t user_offset = 0;
+       struct binder_proc *target_proc = NULL;
+       struct binder_thread *target_thread = NULL;
+       struct binder_node *target_node = NULL;
+@@ -2469,6 +2483,8 @@ static void binder_transaction(struct binder_proc *proc,
+       int t_debug_id = atomic_inc_return(&binder_last_id);
+       char *secctx = NULL;
+       u32 secctx_sz = 0;
++      const void __user *user_buffer = (const void __user *)
++                              (uintptr_t)tr->data.ptr.buffer;
+       e = binder_transaction_log_add(&binder_transaction_log);
+       e->debug_id = t_debug_id;
+@@ -2780,19 +2796,6 @@ static void binder_transaction(struct binder_proc *proc,
+       t->buffer->clear_on_free = !!(t->flags & TF_CLEAR_BUF);
+       trace_binder_transaction_alloc_buf(t->buffer);
+-      if (binder_alloc_copy_user_to_buffer(
+-                              &target_proc->alloc,
+-                              t->buffer, 0,
+-                              (const void __user *)
+-                                      (uintptr_t)tr->data.ptr.buffer,
+-                              tr->data_size)) {
+-              binder_user_error("%d:%d got transaction with invalid data ptr\n",
+-                              proc->pid, thread->pid);
+-              return_error = BR_FAILED_REPLY;
+-              return_error_param = -EFAULT;
+-              return_error_line = __LINE__;
+-              goto err_copy_data_failed;
+-      }
+       if (binder_alloc_copy_user_to_buffer(
+                               &target_proc->alloc,
+                               t->buffer,
+@@ -2837,6 +2840,7 @@ static void binder_transaction(struct binder_proc *proc,
+               size_t object_size;
+               struct binder_object object;
+               binder_size_t object_offset;
++              binder_size_t copy_size;
+               if (binder_alloc_copy_from_buffer(&target_proc->alloc,
+                                                 &object_offset,
+@@ -2848,8 +2852,27 @@ static void binder_transaction(struct binder_proc *proc,
+                       return_error_line = __LINE__;
+                       goto err_bad_offset;
+               }
+-              object_size = binder_get_object(target_proc, t->buffer,
+-                                              object_offset, &object);
++
++              /*
++               * Copy the source user buffer up to the next object
++               * that will be processed.
++               */
++              copy_size = object_offset - user_offset;
++              if (copy_size && (user_offset > object_offset ||
++                              binder_alloc_copy_user_to_buffer(
++                                      &target_proc->alloc,
++                                      t->buffer, user_offset,
++                                      user_buffer + user_offset,
++                                      copy_size))) {
++                      binder_user_error("%d:%d got transaction with invalid data ptr\n",
++                                      proc->pid, thread->pid);
++                      return_error = BR_FAILED_REPLY;
++                      return_error_param = -EFAULT;
++                      return_error_line = __LINE__;
++                      goto err_copy_data_failed;
++              }
++              object_size = binder_get_object(target_proc, user_buffer,
++                              t->buffer, object_offset, &object);
+               if (object_size == 0 || object_offset < off_min) {
+                       binder_user_error("%d:%d got transaction with invalid offset (%lld, min %lld max %lld) or object.\n",
+                                         proc->pid, thread->pid,
+@@ -2861,6 +2884,11 @@ static void binder_transaction(struct binder_proc *proc,
+                       return_error_line = __LINE__;
+                       goto err_bad_offset;
+               }
++              /*
++               * Set offset to the next buffer fragment to be
++               * copied
++               */
++              user_offset = object_offset + object_size;
+               hdr = &object.hdr;
+               off_min = object_offset + object_size;
+@@ -2956,9 +2984,14 @@ static void binder_transaction(struct binder_proc *proc,
+                       }
+                       ret = binder_translate_fd_array(fda, parent, t, thread,
+                                                       in_reply_to);
+-                      if (ret < 0) {
++                      if (!ret)
++                              ret = binder_alloc_copy_to_buffer(&target_proc->alloc,
++                                                                t->buffer,
++                                                                object_offset,
++                                                                fda, sizeof(*fda));
++                      if (ret) {
+                               return_error = BR_FAILED_REPLY;
+-                              return_error_param = ret;
++                              return_error_param = ret > 0 ? -EINVAL : ret;
+                               return_error_line = __LINE__;
+                               goto err_translate_failed;
+                       }
+@@ -3028,6 +3061,19 @@ static void binder_transaction(struct binder_proc *proc,
+                       goto err_bad_object_type;
+               }
+       }
++      /* Done processing objects, copy the rest of the buffer */
++      if (binder_alloc_copy_user_to_buffer(
++                              &target_proc->alloc,
++                              t->buffer, user_offset,
++                              user_buffer + user_offset,
++                              tr->data_size - user_offset)) {
++              binder_user_error("%d:%d got transaction with invalid data ptr\n",
++                              proc->pid, thread->pid);
++              return_error = BR_FAILED_REPLY;
++              return_error_param = -EFAULT;
++              return_error_line = __LINE__;
++              goto err_copy_data_failed;
++      }
+       if (t->buffer->oneway_spam_suspect)
+               tcomplete->type = BINDER_WORK_TRANSACTION_ONEWAY_SPAM_SUSPECT;
+       else
+-- 
+2.34.1
+
diff --git a/queue-5.16/binder-fix-handling-of-error-during-copy.patch b/queue-5.16/binder-fix-handling-of-error-during-copy.patch
new file mode 100644 (file)
index 0000000..20fd8cf
--- /dev/null
@@ -0,0 +1,47 @@
+From 4da51e5358389c6c70cd24ba94ee2b5453eb02e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 10:51:49 -0800
+Subject: binder: fix handling of error during copy
+
+From: Todd Kjos <tkjos@google.com>
+
+[ Upstream commit fe6b1869243f23a485a106c214bcfdc7aa0ed593 ]
+
+If a memory copy function fails to copy the whole buffer,
+a positive integar with the remaining bytes is returned.
+In binder_translate_fd_array() this can result in an fd being
+skipped due to the failed copy, but the loop continues
+processing fds since the early return condition expects a
+negative integer on error.
+
+Fix by returning "ret > 0 ? -EINVAL : ret" to handle this case.
+
+Fixes: bb4a2e48d510 ("binder: return errors from buffer copy functions")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20211130185152.437403-2-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index c75fb600740cc..7d29d3d931a79 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2269,8 +2269,8 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda,
+               if (!ret)
+                       ret = binder_translate_fd(fd, offset, t, thread,
+                                                 in_reply_to);
+-              if (ret < 0)
+-                      return ret;
++              if (ret)
++                      return ret > 0 ? -EINVAL : ret;
+       }
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/block-check-minor-range-in-device_add_disk.patch b/queue-5.16/block-check-minor-range-in-device_add_disk.patch
new file mode 100644 (file)
index 0000000..94cc944
--- /dev/null
@@ -0,0 +1,43 @@
+From 7f007de832aee2e56b82d7c4788eff3a6901a11a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 23:51:25 +0900
+Subject: block: check minor range in device_add_disk()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit e338924bd05d6e71574bc13e310c89e10e49a8a5 ]
+
+ioctl(fd, LOOP_CTL_ADD, 1048576) causes
+
+  sysfs: cannot create duplicate filename '/dev/block/7:0'
+
+message because such request is treated as if ioctl(fd, LOOP_CTL_ADD, 0)
+due to MINORMASK == 1048575. Verify that all minor numbers for that device
+fit in the minor range.
+
+Reported-by: wangyangbo <wangyangbo@uniontech.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/b1b19379-23ee-5379-0eb5-94bf5f79f1b4@i-love.sakura.ne.jp
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 596e43764846b..5308e0920fa6f 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -425,6 +425,8 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk,
+                               DISK_MAX_PARTS);
+                       disk->minors = DISK_MAX_PARTS;
+               }
++              if (disk->first_minor + disk->minors > MINORMASK + 1)
++                      return -EINVAL;
+       } else {
+               if (WARN_ON(disk->minors))
+                       return -EINVAL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/block-fix-error-unwinding-in-device_add_disk.patch b/queue-5.16/block-fix-error-unwinding-in-device_add_disk.patch
new file mode 100644 (file)
index 0000000..157f3c5
--- /dev/null
@@ -0,0 +1,67 @@
+From 9d3a6ed9104256bc6c354a9c0b83333a909cab7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 17:18:51 +0100
+Subject: block: fix error unwinding in device_add_disk
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 99d8690aae4b2f0d1d90075de355ac087f820a66 ]
+
+One device_add is called disk->ev will be freed by disk_release, so we
+should free it twice.  Fix this by allocating disk->ev after device_add
+so that the extra local unwinding can be removed entirely.
+
+Based on an earlier patch from Tetsuo Handa.
+
+Reported-by: syzbot <syzbot+28a66a9fbc621c939000@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+28a66a9fbc621c939000@syzkaller.appspotmail.com>
+Fixes: 83cbce9574462c6b ("block: add error handling for device_add_disk / add_disk")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20211221161851.788424-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 30362aeacac4b..596e43764846b 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -437,10 +437,6 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk,
+               disk->flags |= GENHD_FL_EXT_DEVT;
+       }
+-      ret = disk_alloc_events(disk);
+-      if (ret)
+-              goto out_free_ext_minor;
+-
+       /* delay uevents, until we scanned partition table */
+       dev_set_uevent_suppress(ddev, 1);
+@@ -451,7 +447,12 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk,
+               ddev->devt = MKDEV(disk->major, disk->first_minor);
+       ret = device_add(ddev);
+       if (ret)
+-              goto out_disk_release_events;
++              goto out_free_ext_minor;
++
++      ret = disk_alloc_events(disk);
++      if (ret)
++              goto out_device_del;
++
+       if (!sysfs_deprecated) {
+               ret = sysfs_create_link(block_depr, &ddev->kobj,
+                                       kobject_name(&ddev->kobj));
+@@ -539,8 +540,6 @@ out_del_block_link:
+               sysfs_remove_link(block_depr, dev_name(ddev));
+ out_device_del:
+       device_del(ddev);
+-out_disk_release_events:
+-      disk_release_events(disk);
+ out_free_ext_minor:
+       if (disk->major == BLOCK_EXT_MAJOR)
+               blk_free_ext_minor(disk->first_minor);
+-- 
+2.34.1
+
diff --git a/queue-5.16/block-null_blk-only-set-set-nr_maps-as-3-if-active-p.patch b/queue-5.16/block-null_blk-only-set-set-nr_maps-as-3-if-active-p.patch
new file mode 100644 (file)
index 0000000..f09f8d4
--- /dev/null
@@ -0,0 +1,43 @@
+From 212e6cb8e3d2e8d25b263746dac4b11564ea07b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 09:08:31 +0800
+Subject: block: null_blk: only set set->nr_maps as 3 if active poll_queues is
+ > 0
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 19768f80cf23834e65482f1667ff54192d469fee ]
+
+It isn't correct to set set->nr_maps as 3 if g_poll_queues is > 0 since
+we can change it via configfs for null_blk device created there, so only
+set it as 3 if active poll_queues is > 0.
+
+Fixes divide zero exception reported by Shinichiro.
+
+Fixes: 2bfdbe8b7ebd ("null_blk: allow zero poll queues")
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20211224010831.1521805-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
+index fc1317060db54..e23aac1a83f73 100644
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -1891,7 +1891,7 @@ static int null_init_tag_set(struct nullb *nullb, struct blk_mq_tag_set *set)
+       if (g_shared_tag_bitmap)
+               set->flags |= BLK_MQ_F_TAG_HCTX_SHARED;
+       set->driver_data = nullb;
+-      if (g_poll_queues)
++      if (poll_queues)
+               set->nr_maps = 3;
+       else
+               set->nr_maps = 1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-btintel-add-missing-quirks-and-msft-ext-fo.patch b/queue-5.16/bluetooth-btintel-add-missing-quirks-and-msft-ext-fo.patch
new file mode 100644 (file)
index 0000000..0c77e6e
--- /dev/null
@@ -0,0 +1,68 @@
+From a03f68798d24a897d8b71529a1e555f15a5ab469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 23:32:14 -0800
+Subject: Bluetooth: btintel: Add missing quirks and msft ext for legacy
+ bootloader
+
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+
+[ Upstream commit 3547a008c8962df2175db1e78b80f27e027ec549 ]
+
+This patch add missing HCI quirks and MSFT extension for legacy
+bootloader when it is running in the operational firmware.
+
+Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index b11567b0fd9ab..851a0c9b8fae5 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -2493,10 +2493,14 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+       case 0x12:      /* ThP */
+       case 0x13:      /* HrP */
+       case 0x14:      /* CcP */
+-              /* Some legacy bootloader devices from JfP supports both old
+-               * and TLV based HCI_Intel_Read_Version command. But we don't
+-               * want to use the TLV based setup routines for those legacy
+-               * bootloader device.
++              /* Some legacy bootloader devices starting from JfP,
++               * the operational firmware supports both old and TLV based
++               * HCI_Intel_Read_Version command based on the command
++               * parameter.
++               *
++               * For upgrading firmware case, the TLV based version cannot
++               * be used because the firmware filename for legacy bootloader
++               * is based on the old format.
+                *
+                * Also, it is not easy to convert TLV based version from the
+                * legacy version format.
+@@ -2508,6 +2512,20 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+               err = btintel_read_version(hdev, &ver);
+               if (err)
+                       return err;
++
++              /* Apply the device specific HCI quirks
++               *
++               * All Legacy bootloader devices support WBS
++               */
++              set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
++
++              /* Valid LE States quirk for JfP/ThP familiy */
++              if (ver.hw_variant == 0x11 || ver.hw_variant == 0x12)
++                      set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
++
++              /* Setup MSFT Extension support */
++              btintel_set_msft_opcode(hdev, ver.hw_variant);
++
+               err = btintel_bootloader_setup(hdev, &ver);
+               break;
+       case 0x17:
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-btmtksdio-fix-resume-failure.patch b/queue-5.16/bluetooth-btmtksdio-fix-resume-failure.patch
new file mode 100644 (file)
index 0000000..71510ac
--- /dev/null
@@ -0,0 +1,39 @@
+From 065afd1bff4e0b483c1e7e6d1b41885622c77238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 02:02:47 +0800
+Subject: Bluetooth: btmtksdio: fix resume failure
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 561ae1d46a8ddcbc13162d5771f5ed6c8249e730 ]
+
+btmtksdio have to rely on MMC_PM_KEEP_POWER in pm_flags to avoid that
+SDIO power is being shut off during the device is in suspend. That fixes
+the SDIO command fails to access the bus after the device is resumed.
+
+Fixes: 7f3c563c575e7 ("Bluetooth: btmtksdio: Add runtime PM support to SDIO based Bluetooth")
+Co-developed-by: Mark-yw Chen <mark-yw.chen@mediatek.com>
+Signed-off-by: Mark-yw Chen <mark-yw.chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtksdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btmtksdio.c b/drivers/bluetooth/btmtksdio.c
+index 9872ef18f9fea..1cbdeca1fdc4a 100644
+--- a/drivers/bluetooth/btmtksdio.c
++++ b/drivers/bluetooth/btmtksdio.c
+@@ -1042,6 +1042,8 @@ static int btmtksdio_runtime_suspend(struct device *dev)
+       if (!bdev)
+               return 0;
++      sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
++
+       sdio_claim_host(bdev->func);
+       sdio_writel(bdev->func, C_FW_OWN_REQ_SET, MTK_REG_CHLPCR, &err);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-btusb-handle-download_firmware-failure-cas.patch b/queue-5.16/bluetooth-btusb-handle-download_firmware-failure-cas.patch
new file mode 100644 (file)
index 0000000..49a570f
--- /dev/null
@@ -0,0 +1,41 @@
+From 395902bf5aa2028c9275a13f566c3eab284feb6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 01:33:42 +0800
+Subject: Bluetooth: btusb: Handle download_firmware failure cases
+
+From: Mark Chen <mark-yw.chen@mediatek.com>
+
+[ Upstream commit 00c0ee9850b7b0cb7c40b8daba806ae2245e59d4 ]
+
+For Mediatek chipset, it can not enabled if there are something wrong
+in btmtk_setup_firmware_79xx(). Thus, the process must be terminated
+and returned error code.
+
+Fixes: fc342c4dc4087 ("Bluetooth: btusb: Add protocol support for MediaTek MT7921U USB devices")
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Mark Chen <mark-yw.chen@mediatek.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index c923c38658baa..a766660603634 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2895,6 +2895,10 @@ static int btusb_mtk_setup(struct hci_dev *hdev)
+                       "mediatek/BT_RAM_CODE_MT%04x_1_%x_hdr.bin",
+                        dev_id & 0xffff, (fw_version & 0xff) + 1);
+               err = btusb_mtk_setup_firmware_79xx(hdev, fw_bin_name);
++              if (err < 0) {
++                      bt_dev_err(hdev, "Failed to set up firmware (%d)", err);
++                      return err;
++              }
+               /* It's Device EndPoint Reset Option Register */
+               btusb_mtk_uhw_reg_write(data, MTK_EP_RST_OPT, MTK_EP_RST_IN_OUT_OPT);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch b/queue-5.16/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch
new file mode 100644 (file)
index 0000000..1b91189
--- /dev/null
@@ -0,0 +1,54 @@
+From 1f5c803790c50ad15a14156f1ed65bd3d49e5b2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 21:10:12 +0800
+Subject: Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 2a7ca7459d905febf519163bd9e3eed894de6bb7 ]
+
+I got a kernel BUG report when doing fault injection test:
+
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:45!
+...
+RIP: 0010:__list_del_entry_valid.cold+0x12/0x4d
+...
+Call Trace:
+ proto_unregister+0x83/0x220
+ cmtp_cleanup_sockets+0x37/0x40 [cmtp]
+ cmtp_exit+0xe/0x1f [cmtp]
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+If cmtp_init_sockets() in cmtp_init() fails, cmtp_init() still returns
+success. This will cause a kernel bug when accessing uncreated ctmp
+related data when the module exits.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/cmtp/core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
+index 0a2d78e811cf5..83eb84e8e688f 100644
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -501,9 +501,7 @@ static int __init cmtp_init(void)
+ {
+       BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION);
+-      cmtp_init_sockets();
+-
+-      return 0;
++      return cmtp_init_sockets();
+ }
+ static void __exit cmtp_exit(void)
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch b/queue-5.16/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch
new file mode 100644 (file)
index 0000000..6d59a17
--- /dev/null
@@ -0,0 +1,40 @@
+From de0ad1e84d423ccd9c3e2714510a43302192731c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 16:55:46 +0800
+Subject: Bluetooth: Fix debugfs entry leak in hci_register_dev()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 5a4bb6a8e981d3d0d492aa38412ee80b21033177 ]
+
+Fault injection test report debugfs entry leak as follows:
+
+debugfs: Directory 'hci0' with parent 'bluetooth' already present!
+
+When register_pm_notifier() failed in hci_register_dev(), the debugfs
+create by debugfs_create_dir() do not removed in the error handing path.
+
+Add the remove debugfs code to fix it.
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 2cf77d76c50be..6c00ce302f095 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3883,6 +3883,7 @@ int hci_register_dev(struct hci_dev *hdev)
+       return id;
+ err_wqueue:
++      debugfs_remove_recursive(hdev->debugfs);
+       destroy_workqueue(hdev->workqueue);
+       destroy_workqueue(hdev->req_workqueue);
+ err:
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-fix-memory-leak-of-hci-device.patch b/queue-5.16/bluetooth-fix-memory-leak-of-hci-device.patch
new file mode 100644 (file)
index 0000000..441c580
--- /dev/null
@@ -0,0 +1,66 @@
+From 60ead507d743c61b983fd1d3c00b5294641cdbb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 16:55:01 +0800
+Subject: Bluetooth: Fix memory leak of hci device
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 75d9b8559ac36e059238ee4f8e33cd86086586ba ]
+
+Fault injection test reported memory leak of hci device as follows:
+
+unreferenced object 0xffff88800b858000 (size 8192):
+  comm "kworker/0:2", pid 167, jiffies 4294955747 (age 557.148s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
+  backtrace:
+    [<0000000070eb1059>] kmem_cache_alloc_trace mm/slub.c:3208
+    [<00000000015eb521>] hci_alloc_dev_priv include/linux/slab.h:591
+    [<00000000dcfc1e21>] bpa10x_probe include/net/bluetooth/hci_core.h:1240
+    [<000000005d3028c7>] usb_probe_interface drivers/usb/core/driver.c:397
+    [<00000000cbac9243>] really_probe drivers/base/dd.c:517
+    [<0000000024cab3f0>] __driver_probe_device drivers/base/dd.c:751
+    [<00000000202135cb>] driver_probe_device drivers/base/dd.c:782
+    [<000000000761f2bc>] __device_attach_driver drivers/base/dd.c:899
+    [<00000000f7d63134>] bus_for_each_drv drivers/base/bus.c:427
+    [<00000000c9551f0b>] __device_attach drivers/base/dd.c:971
+    [<000000007f79bd16>] bus_probe_device drivers/base/bus.c:487
+    [<000000007bb8b95a>] device_add drivers/base/core.c:3364
+    [<000000009564d9ea>] usb_set_configuration drivers/usb/core/message.c:2171
+    [<00000000e4657087>] usb_generic_driver_probe drivers/usb/core/generic.c:239
+    [<0000000071ede518>] usb_probe_device drivers/usb/core/driver.c:294
+    [<00000000cbac9243>] really_probe drivers/base/dd.c:517
+
+hci_alloc_dev() do not init the device's flag. And hci_free_dev()
+using put_device() to free the memory allocated for this device,
+but it calls just put_device(dev) only in case of HCI_UNREGISTER
+flag is set, So any error handing before hci_register_dev() success
+will cause memory leak.
+
+To avoid this behaviour we can using kfree() to release dev before
+hci_register_dev() success.
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sysfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index 7827639ecf5c3..4e3e0451b08c1 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -86,6 +86,8 @@ static void bt_host_release(struct device *dev)
+       if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+               hci_release_dev(hdev);
++      else
++              kfree(hdev);
+       module_put(THIS_MODULE);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-fix-removing-adv-when-processing-cmd-compl.patch b/queue-5.16/bluetooth-fix-removing-adv-when-processing-cmd-compl.patch
new file mode 100644 (file)
index 0000000..e43b2ce
--- /dev/null
@@ -0,0 +1,47 @@
+From f265b2833c65b0ad4f7433cff253dbc40a615e07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 19:17:25 +0800
+Subject: Bluetooth: Fix removing adv when processing cmd complete
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit 2128939fe2e771645dd88e1938c27fdf96bd1cd0 ]
+
+If we remove one instance of adv using Set Extended Adv Enable, there
+is a possibility of issue occurs when processing the Command Complete
+event. Especially, the adv_info might not be found since we already
+remove it in hci_req_clear_adv_instance() -> hci_remove_adv_instance().
+If that's the case, we will mistakenly proceed to remove all adv
+instances instead of just one single instance.
+
+This patch fixes the issue by checking the content of the HCI command
+instead of checking whether the adv_info is found.
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reviewed-by: Sonny Sasaka <sonnysasaka@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 6eba439487749..8882c6dfb48f4 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1326,8 +1326,10 @@ static void hci_cc_le_set_ext_adv_enable(struct hci_dev *hdev,
+                                          &conn->le_conn_timeout,
+                                          conn->conn_timeout);
+       } else {
+-              if (adv) {
+-                      adv->enabled = false;
++              if (cp->num_of_sets) {
++                      if (adv)
++                              adv->enabled = false;
++
+                       /* If just one instance was disabled check if there are
+                        * any other instance enabled before clearing HCI_LE_ADV
+                        */
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-fix-uninitialized-variables-notify_evt.patch b/queue-5.16/bluetooth-fix-uninitialized-variables-notify_evt.patch
new file mode 100644 (file)
index 0000000..3ff4ff6
--- /dev/null
@@ -0,0 +1,96 @@
+From e28a3371ff7dc8695fcc42bde76e53baa8465a50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 09:17:17 +0800
+Subject: Bluetooth: fix uninitialized variables notify_evt
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit a27c519a816437ec92f0ffa3adbc168c2c08725b ]
+
+Coverity Scan report:
+
+[...]
+*** CID 1493985:  Uninitialized variables  (UNINIT)
+/net/bluetooth/hci_event.c: 4535 in hci_sync_conn_complete_evt()
+4529
+4530           /* Notify only in case of SCO over HCI transport data path which
+4531            * is zero and non-zero value shall be non-HCI transport data path
+4532            */
+4533           if (conn->codec.data_path == 0) {
+4534                   if (hdev->notify)
+>>>     CID 1493985:  Uninitialized variables  (UNINIT)
+>>>     Using uninitialized value "notify_evt" when calling "*hdev->notify".
+4535                           hdev->notify(hdev, notify_evt);
+4536           }
+4537
+4538           hci_connect_cfm(conn, ev->status);
+4539           if (ev->status)
+4540                   hci_conn_del(conn);
+[...]
+
+Although only btusb uses air_mode, and he only handles HCI_NOTIFY_ENABLE_SCO_CVSD
+and HCI_NOTIFY_ENABLE_SCO_TRANSP, there is still a very small chance that
+ev->air_mode is not equal to 0x2 and 0x3, but notify_evt is initialized to
+HCI_NOTIFY_ENABLE_SCO_CVSD or HCI_NOTIFY_ENABLE_SCO_TRANSP. the context is
+maybe not correct.
+
+Let us directly use the required function instead of re-initializing it,
+so as to restore the original logic and make the code more correct.
+
+Addresses-Coverity: ("Uninitialized variables")
+Fixes: f4f9fa0c07bb ("Bluetooth: Allow usb to auto-suspend when SCO use        non-HCI transport")
+Suggested-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 59f0691d907f6..6eba439487749 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4445,7 +4445,6 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+ {
+       struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
+       struct hci_conn *conn;
+-      unsigned int notify_evt;
+       BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+@@ -4517,22 +4516,18 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+       }
+       bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
+-
+-      switch (ev->air_mode) {
+-      case 0x02:
+-              notify_evt = HCI_NOTIFY_ENABLE_SCO_CVSD;
+-              break;
+-      case 0x03:
+-              notify_evt = HCI_NOTIFY_ENABLE_SCO_TRANSP;
+-              break;
+-      }
+-
+       /* Notify only in case of SCO over HCI transport data path which
+        * is zero and non-zero value shall be non-HCI transport data path
+        */
+-      if (conn->codec.data_path == 0) {
+-              if (hdev->notify)
+-                      hdev->notify(hdev, notify_evt);
++      if (conn->codec.data_path == 0 && hdev->notify) {
++              switch (ev->air_mode) {
++              case 0x02:
++                      hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
++                      break;
++              case 0x03:
++                      hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
++                      break;
++              }
+       }
+       hci_connect_cfm(conn, ev->status);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-hci_bcm-check-for-error-irq.patch b/queue-5.16/bluetooth-hci_bcm-check-for-error-irq.patch
new file mode 100644 (file)
index 0000000..ee99cbb
--- /dev/null
@@ -0,0 +1,46 @@
+From 6257a71b84792444944434634f2b18293540aeca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 10:53:18 +0800
+Subject: Bluetooth: hci_bcm: Check for error irq
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit b38cd3b42fba66cc538edb9cf77e07881f43f8e2 ]
+
+For the possible failure of the platform_get_irq(), the returned irq
+could be error number and will finally cause the failure of the
+request_irq().
+Consider that platform_get_irq() can now in certain cases return
+-EPROBE_DEFER, and the consequences of letting request_irq() effectively
+convert that into -EINVAL, even at probe time rather than later on.
+So it might be better to check just now.
+
+Fixes: 0395ffc1ee05 ("Bluetooth: hci_bcm: Add PM for BCM devices")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_bcm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
+index ef54afa293574..7abf99f0ee399 100644
+--- a/drivers/bluetooth/hci_bcm.c
++++ b/drivers/bluetooth/hci_bcm.c
+@@ -1188,7 +1188,12 @@ static int bcm_probe(struct platform_device *pdev)
+               return -ENOMEM;
+       dev->dev = &pdev->dev;
+-      dev->irq = platform_get_irq(pdev, 0);
++
++      ret = platform_get_irq(pdev, 0);
++      if (ret < 0)
++              return ret;
++
++      dev->irq = ret;
+       /* Initialize routing field to an unused value */
+       dev->pcm_int_params[0] = 0xff;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch b/queue-5.16/bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch
new file mode 100644 (file)
index 0000000..14c5672
--- /dev/null
@@ -0,0 +1,56 @@
+From 0394ef7442d01a124529b92dedef9025ce937895 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 08:02:49 +0000
+Subject: Bluetooth: hci_qca: Fix NULL vs IS_ERR_OR_NULL check in
+ qca_serdev_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 6845667146a28c09b5dfc401c1ad112374087944 ]
+
+The function devm_gpiod_get_index() return error pointers on error.
+Thus devm_gpiod_get_index_optional() could return NULL and error pointers.
+The same as devm_gpiod_get_optional() function. Using IS_ERR_OR_NULL()
+check to catch error pointers.
+
+Fixes: 77131dfe ("Bluetooth: hci_qca: Replace devm_gpiod_get() with devm_gpiod_get_optional()")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 9e99311038ae8..f6e91fb432a3b 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -2059,14 +2059,14 @@ static int qca_serdev_probe(struct serdev_device *serdev)
+               qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
+                                              GPIOD_OUT_LOW);
+-              if (!qcadev->bt_en && data->soc_type == QCA_WCN6750) {
++              if (IS_ERR_OR_NULL(qcadev->bt_en) && data->soc_type == QCA_WCN6750) {
+                       dev_err(&serdev->dev, "failed to acquire BT_EN gpio\n");
+                       power_ctrl_enabled = false;
+               }
+               qcadev->sw_ctrl = devm_gpiod_get_optional(&serdev->dev, "swctrl",
+                                              GPIOD_IN);
+-              if (!qcadev->sw_ctrl && data->soc_type == QCA_WCN6750)
++              if (IS_ERR_OR_NULL(qcadev->sw_ctrl) && data->soc_type == QCA_WCN6750)
+                       dev_warn(&serdev->dev, "failed to acquire SW_CTRL gpio\n");
+               qcadev->susclk = devm_clk_get_optional(&serdev->dev, NULL);
+@@ -2088,7 +2088,7 @@ static int qca_serdev_probe(struct serdev_device *serdev)
+               qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
+                                              GPIOD_OUT_LOW);
+-              if (!qcadev->bt_en) {
++              if (IS_ERR_OR_NULL(qcadev->bt_en)) {
+                       dev_warn(&serdev->dev, "failed to acquire enable gpio\n");
+                       power_ctrl_enabled = false;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch b/queue-5.16/bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch
new file mode 100644 (file)
index 0000000..2b54d95
--- /dev/null
@@ -0,0 +1,38 @@
+From e08878ebde0c6582de656b5709a3deb77c507548 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 12:59:05 +0530
+Subject: Bluetooth: hci_qca: Stop IBS timer during BT OFF
+
+From: Panicker Harish <quic_pharish@quicinc.com>
+
+[ Upstream commit df1e5c51492fd93ffc293acdcc6f00698d19fedc ]
+
+The IBS timers are not stopped properly once BT OFF is triggered.
+we could see IBS commands being sent along with version command,
+so stopped IBS timers while Bluetooth is off.
+
+Fixes: 3e4be65eb82c ("Bluetooth: hci_qca: Add poweroff support during hci down for wcn3990")
+Signed-off-by: Panicker Harish <quic_pharish@quicinc.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index dd768a8ed7cbb..9e99311038ae8 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1928,6 +1928,9 @@ static int qca_power_off(struct hci_dev *hdev)
+       hu->hdev->hw_error = NULL;
+       hu->hdev->cmd_timeout = NULL;
++      del_timer_sync(&qca->wake_retrans_timer);
++      del_timer_sync(&qca->tx_idle_timer);
++
+       /* Stop sending shutdown command if soc crashes. */
+       if (soc_type != QCA_ROME
+               && qca->memdump_state == QCA_MEMDUMP_IDLE) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-hci_sock-fix-endian-bug-in-hci_sock_setsoc.patch b/queue-5.16/bluetooth-hci_sock-fix-endian-bug-in-hci_sock_setsoc.patch
new file mode 100644 (file)
index 0000000..36a9281
--- /dev/null
@@ -0,0 +1,46 @@
+From 90fa248459a69b143bf56680e542c86ea2334b4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 10:17:27 +0300
+Subject: Bluetooth: hci_sock: fix endian bug in hci_sock_setsockopt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit b9f9dbad0bd1c302d357fdd327c398f51f5fc2b1 ]
+
+This copies a u16 into the high bits of an int, which works on a big
+endian system but not on a little endian system.
+
+Fixes: 09572fca7223 ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sock.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index d0dad1fafe079..f2506e656f3e4 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -1915,7 +1915,8 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
+                              sockptr_t optval, unsigned int len)
+ {
+       struct sock *sk = sock->sk;
+-      int err = 0, opt = 0;
++      int err = 0;
++      u16 opt;
+       BT_DBG("sk %p, opt %d", sk, optname);
+@@ -1941,7 +1942,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
+                       goto done;
+               }
+-              if (copy_from_sockptr(&opt, optval, sizeof(u16))) {
++              if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
+                       err = -EFAULT;
+                       break;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-hci_sock-purge-socket-queues-in-the-destru.patch b/queue-5.16/bluetooth-hci_sock-purge-socket-queues-in-the-destru.patch
new file mode 100644 (file)
index 0000000..3b19641
--- /dev/null
@@ -0,0 +1,64 @@
+From 44faae29a0b9a1ef40d4fe0f067bca75ad75db96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 03:04:24 +0800
+Subject: Bluetooth: hci_sock: purge socket queues in the destruct() callback
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+[ Upstream commit 709fca500067524381e28a5f481882930eebac88 ]
+
+The receive path may take the socket right before hci_sock_release(),
+but it may enqueue the packets to the socket queues after the call to
+skb_queue_purge(), therefore the socket can be destroyed without clear
+its queues completely.
+
+Moving these skb_queue_purge() to the hci_sock_destruct() will fix this
+issue, because nothing is referencing the socket at this point.
+
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reported-by: syzbot+4c4ffd1e1094dae61035@syzkaller.appspotmail.com
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sock.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index f2506e656f3e4..33b3c0ffc3399 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -889,10 +889,6 @@ static int hci_sock_release(struct socket *sock)
+       }
+       sock_orphan(sk);
+-
+-      skb_queue_purge(&sk->sk_receive_queue);
+-      skb_queue_purge(&sk->sk_write_queue);
+-
+       release_sock(sk);
+       sock_put(sk);
+       return 0;
+@@ -2059,6 +2055,12 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
+       return err;
+ }
++static void hci_sock_destruct(struct sock *sk)
++{
++      skb_queue_purge(&sk->sk_receive_queue);
++      skb_queue_purge(&sk->sk_write_queue);
++}
++
+ static const struct proto_ops hci_sock_ops = {
+       .family         = PF_BLUETOOTH,
+       .owner          = THIS_MODULE,
+@@ -2112,6 +2114,7 @@ static int hci_sock_create(struct net *net, struct socket *sock, int protocol,
+       sock->state = SS_UNCONNECTED;
+       sk->sk_state = BT_OPEN;
++      sk->sk_destruct = hci_sock_destruct;
+       bt_sock_link(&hci_sk_list, sk);
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-hci_vhci-fix-to-set-the-force_wakeup-value.patch b/queue-5.16/bluetooth-hci_vhci-fix-to-set-the-force_wakeup-value.patch
new file mode 100644 (file)
index 0000000..09dc9a6
--- /dev/null
@@ -0,0 +1,36 @@
+From aeb547437fbd02e8dcf93e0d6593465f78103214 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 10:01:26 -0700
+Subject: Bluetooth: hci_vhci: Fix to set the force_wakeup value
+
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+
+[ Upstream commit 8b89637dbac2d73d9f3dadf91b4a7dcdb1fc23af ]
+
+This patch sets the wakeup state of the vhci driver when the
+force_wakeup is updated.
+
+Fixes: 60edfad4fd0b6 ("Bluetooth: hci_vhci: Add force_prevent_wake entry")
+Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index b45db0db347c6..5fd91106e853d 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -176,6 +176,8 @@ static ssize_t force_wakeup_write(struct file *file,
+       if (data->wakeup == enable)
+               return -EALREADY;
++      data->wakeup = enable;
++
+       return count;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch b/queue-5.16/bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch
new file mode 100644 (file)
index 0000000..16b34c2
--- /dev/null
@@ -0,0 +1,68 @@
+From a806c23bb8cc95c5d129e7f53f642948ff642462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Oct 2021 13:26:25 -0700
+Subject: Bluetooth: L2CAP: Fix not initializing sk_peer_pid
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f5ff291098f70a70b344df1e388596755c3c8315 ]
+
+In order to group sockets being connected using L2CAP_MODE_EXT_FLOWCTL
+the pid is used but sk_peer_pid was not being initialized as it is
+currently only done for af_unix.
+
+Fixes: b48596d1dc25 ("Bluetooth: L2CAP: Add get_peer_pid callback")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 160c016a5dfb9..4574c5cb1b596 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -172,6 +172,21 @@ done:
+       return err;
+ }
++static void l2cap_sock_init_pid(struct sock *sk)
++{
++      struct l2cap_chan *chan = l2cap_pi(sk)->chan;
++
++      /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
++       * group the channels being requested.
++       */
++      if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
++              return;
++
++      spin_lock(&sk->sk_peer_lock);
++      sk->sk_peer_pid = get_pid(task_tgid(current));
++      spin_unlock(&sk->sk_peer_lock);
++}
++
+ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+                             int alen, int flags)
+ {
+@@ -243,6 +258,8 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+       if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
+               chan->mode = L2CAP_MODE_LE_FLOWCTL;
++      l2cap_sock_init_pid(sk);
++
+       err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
+                                &la.l2_bdaddr, la.l2_bdaddr_type);
+       if (err)
+@@ -298,6 +315,8 @@ static int l2cap_sock_listen(struct socket *sock, int backlog)
+               goto done;
+       }
++      l2cap_sock_init_pid(sk);
++
+       sk->sk_max_ack_backlog = backlog;
+       sk->sk_ack_backlog = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-l2cap-fix-using-wrong-mode.patch b/queue-5.16/bluetooth-l2cap-fix-using-wrong-mode.patch
new file mode 100644 (file)
index 0000000..d10a1ae
--- /dev/null
@@ -0,0 +1,54 @@
+From c09b1630d54d8a273d5f38455e3fda108bb2c564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 15:35:48 -0800
+Subject: Bluetooth: L2CAP: Fix using wrong mode
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 30d57722732d9736554f85f75f9d7ad5402d192e ]
+
+If user has a set to use SOCK_STREAM the socket would default to
+L2CAP_MODE_ERTM which later needs to be adjusted if the destination
+address is LE which doesn't support such mode.
+
+Fixes: 15f02b9105625 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 4574c5cb1b596..251017c69ab7f 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -161,7 +161,11 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
+               break;
+       }
+-      if (chan->psm && bdaddr_type_is_le(chan->src_type))
++      /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
++       * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
++       */
++      if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
++          chan->mode != L2CAP_MODE_EXT_FLOWCTL)
+               chan->mode = L2CAP_MODE_LE_FLOWCTL;
+       chan->state = BT_BOUND;
+@@ -255,7 +259,11 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+                       return -EINVAL;
+       }
+-      if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
++      /* Use L2CAP_MODE_LE_FLOWCTL (CoC) in case of LE address and
++       * L2CAP_MODE_EXT_FLOWCTL (ECRED) has not been set.
++       */
++      if (chan->psm && bdaddr_type_is_le(chan->src_type) &&
++          chan->mode != L2CAP_MODE_EXT_FLOWCTL)
+               chan->mode = L2CAP_MODE_LE_FLOWCTL;
+       l2cap_sock_init_pid(sk);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch b/queue-5.16/bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch
new file mode 100644 (file)
index 0000000..ce6dbd0
--- /dev/null
@@ -0,0 +1,74 @@
+From 9d82bb9ea9baeda65fcb40d749fa693827d4c2a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 10:16:44 +0300
+Subject: Bluetooth: L2CAP: uninitialized variables in l2cap_sock_setsockopt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2b70d4f9b20635ac328836e50d183632e1930f94 ]
+
+The "opt" variable is a u32, but on some paths only the top bytes
+were initialized and the others contained random stack data.
+
+Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 251017c69ab7f..d2c6785205992 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -903,6 +903,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+       struct l2cap_conn *conn;
+       int len, err = 0;
+       u32 opt;
++      u16 mtu;
++      u8 mode;
+       BT_DBG("sk %p", sk);
+@@ -1085,16 +1087,16 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+                       break;
+               }
+-              if (copy_from_sockptr(&opt, optval, sizeof(u16))) {
++              if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
+                       err = -EFAULT;
+                       break;
+               }
+               if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
+                   sk->sk_state == BT_CONNECTED)
+-                      err = l2cap_chan_reconfigure(chan, opt);
++                      err = l2cap_chan_reconfigure(chan, mtu);
+               else
+-                      chan->imtu = opt;
++                      chan->imtu = mtu;
+               break;
+@@ -1116,14 +1118,14 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+                       break;
+               }
+-              if (copy_from_sockptr(&opt, optval, sizeof(u8))) {
++              if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
+                       err = -EFAULT;
+                       break;
+               }
+-              BT_DBG("opt %u", opt);
++              BT_DBG("mode %u", mode);
+-              err = l2cap_set_mode(chan, opt);
++              err = l2cap_set_mode(chan, mode);
+               if (err)
+                       break;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-mgmt-fix-experimental-feature-changed-even.patch b/queue-5.16/bluetooth-mgmt-fix-experimental-feature-changed-even.patch
new file mode 100644 (file)
index 0000000..23b07fb
--- /dev/null
@@ -0,0 +1,86 @@
+From f078ea5954c7640259282aa3862bbaf1fdf4f073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Oct 2021 09:32:28 -0700
+Subject: Bluetooth: mgmt: Fix Experimental Feature Changed event
+
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+
+[ Upstream commit b15bfa4df63529150df9ff0585675f728436e0c1 ]
+
+This patch fixes the controller index in the Experimental Features
+Changed event for the offload_codec and the quality_report features to
+use the actual hdev index instead of non-controller index(0xffff) so the
+client can receive the event and know which controller the event is for.
+
+Fixes: ad93315183285 ("Bluetooth: Add offload feature under experimental flag")
+Fixes: ae7d925b5c043 ("Bluetooth: Support the quality report events")
+Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 3e5283607b97c..44683443300ce 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3927,7 +3927,9 @@ static int exp_debug_feature_changed(bool enabled, struct sock *skip)
+ }
+ #endif
+-static int exp_quality_report_feature_changed(bool enabled, struct sock *skip)
++static int exp_quality_report_feature_changed(bool enabled,
++                                            struct hci_dev *hdev,
++                                            struct sock *skip)
+ {
+       struct mgmt_ev_exp_feature_changed ev;
+@@ -3935,7 +3937,7 @@ static int exp_quality_report_feature_changed(bool enabled, struct sock *skip)
+       memcpy(ev.uuid, quality_report_uuid, 16);
+       ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
+-      return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
++      return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
+                                 &ev, sizeof(ev),
+                                 HCI_MGMT_EXP_FEATURE_EVENTS, skip);
+ }
+@@ -4156,14 +4158,15 @@ static int set_quality_report_func(struct sock *sk, struct hci_dev *hdev,
+                               &rp, sizeof(rp));
+       if (changed)
+-              exp_quality_report_feature_changed(val, sk);
++              exp_quality_report_feature_changed(val, hdev, sk);
+ unlock_quality_report:
+       hci_req_sync_unlock(hdev);
+       return err;
+ }
+-static int exp_offload_codec_feature_changed(bool enabled, struct sock *skip)
++static int exp_offload_codec_feature_changed(bool enabled, struct hci_dev *hdev,
++                                           struct sock *skip)
+ {
+       struct mgmt_ev_exp_feature_changed ev;
+@@ -4171,7 +4174,7 @@ static int exp_offload_codec_feature_changed(bool enabled, struct sock *skip)
+       memcpy(ev.uuid, offload_codecs_uuid, 16);
+       ev.flags = cpu_to_le32(enabled ? BIT(0) : 0);
+-      return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, NULL,
++      return mgmt_limited_event(MGMT_EV_EXP_FEATURE_CHANGED, hdev,
+                                 &ev, sizeof(ev),
+                                 HCI_MGMT_EXP_FEATURE_EVENTS, skip);
+ }
+@@ -4229,7 +4232,7 @@ static int set_offload_codec_func(struct sock *sk, struct hci_dev *hdev,
+                               &rp, sizeof(rp));
+       if (changed)
+-              exp_offload_codec_feature_changed(val, sk);
++              exp_offload_codec_feature_changed(val, hdev, sk);
+       return err;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-mgmt-use-hci_dev_test_and_-set-clear-_flag.patch b/queue-5.16/bluetooth-mgmt-use-hci_dev_test_and_-set-clear-_flag.patch
new file mode 100644 (file)
index 0000000..c74d8a2
--- /dev/null
@@ -0,0 +1,61 @@
+From b08f94b494f654c5b960bdfbc05cf7c6389cfc5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 11:49:49 -0800
+Subject: Bluetooth: MGMT: Use hci_dev_test_and_{set,clear}_flag
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 6f59f991b4e735323f099ac6490e725ae8c750a5 ]
+
+This make use of hci_dev_test_and_{set,clear}_flag instead of doing 2
+operations in a row.
+
+Fixes: cbbdfa6f33198 ("Bluetooth: Enable controller RPA resolution using Experimental feature")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 44683443300ce..c068d05e9616f 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3969,10 +3969,10 @@ static int set_zero_key_func(struct sock *sk, struct hci_dev *hdev,
+ #endif
+       if (hdev && use_ll_privacy(hdev) && !hdev_is_powered(hdev)) {
+-              bool changed = hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY);
+-
+-              hci_dev_clear_flag(hdev, HCI_ENABLE_LL_PRIVACY);
++              bool changed;
++              changed = hci_dev_test_and_clear_flag(hdev,
++                                                    HCI_ENABLE_LL_PRIVACY);
+               if (changed)
+                       exp_ll_privacy_feature_changed(false, hdev, sk);
+       }
+@@ -4067,15 +4067,15 @@ static int set_rpa_resolution_func(struct sock *sk, struct hci_dev *hdev,
+       val = !!cp->param[0];
+       if (val) {
+-              changed = !hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY);
+-              hci_dev_set_flag(hdev, HCI_ENABLE_LL_PRIVACY);
++              changed = !hci_dev_test_and_set_flag(hdev,
++                                                   HCI_ENABLE_LL_PRIVACY);
+               hci_dev_clear_flag(hdev, HCI_ADVERTISING);
+               /* Enable LL privacy + supported settings changed */
+               flags = BIT(0) | BIT(1);
+       } else {
+-              changed = hci_dev_test_flag(hdev, HCI_ENABLE_LL_PRIVACY);
+-              hci_dev_clear_flag(hdev, HCI_ENABLE_LL_PRIVACY);
++              changed = hci_dev_test_and_clear_flag(hdev,
++                                                    HCI_ENABLE_LL_PRIVACY);
+               /* Disable LL privacy + supported settings changed */
+               flags = BIT(1);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-stop-proccessing-malicious-adv-data.patch b/queue-5.16/bluetooth-stop-proccessing-malicious-adv-data.patch
new file mode 100644 (file)
index 0000000..b192073
--- /dev/null
@@ -0,0 +1,54 @@
+From c2698d539bc42a48940f26a1e22aab333d0fd135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 10:12:12 +0300
+Subject: Bluetooth: stop proccessing malicious adv data
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ]
+
+Syzbot reported slab-out-of-bounds read in hci_le_adv_report_evt(). The
+problem was in missing validaion check.
+
+We should check if data is not malicious and we can read next data block.
+If we won't check ptr validness, code can read a way beyond skb->end and
+it can cause problems, of course.
+
+Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring")
+Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 7d0db1ca12482..59f0691d907f6 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5825,7 +5825,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
+               struct hci_ev_le_advertising_info *ev = ptr;
+               s8 rssi;
+-              if (ev->length <= HCI_MAX_AD_LENGTH) {
++              if (ev->length <= HCI_MAX_AD_LENGTH &&
++                  ev->data + ev->length <= skb_tail_pointer(skb)) {
+                       rssi = ev->data[ev->length];
+                       process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+                                          ev->bdaddr_type, NULL, 0, rssi,
+@@ -5835,6 +5836,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
+               }
+               ptr += sizeof(*ev) + ev->length + 1;
++
++              if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
++                      bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
++                      break;
++              }
+       }
+       hci_dev_unlock(hdev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-vhci-set-hci_quirk_valid_le_states.patch b/queue-5.16/bluetooth-vhci-set-hci_quirk_valid_le_states.patch
new file mode 100644 (file)
index 0000000..c45448a
--- /dev/null
@@ -0,0 +1,35 @@
+From 59b4b131fe7ebc054cc167b6abdb990f74af60f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 12:22:01 -0800
+Subject: Bluetooth: vhci: Set HCI_QUIRK_VALID_LE_STATES
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit cfb4c313be670fd4bd09650216620fa4514cdb93 ]
+
+This set HCI_QUIRK_VALID_LE_STATES quirk which is required for the likes
+of experimental LE simultaneous roles.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index 5fd91106e853d..95af01bdd02a2 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -239,6 +239,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+       if (opcode & 0x80)
+               set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
++      set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
++
+       if (hci_register_dev(hdev) < 0) {
+               BT_ERR("Can't register HCI device");
+               hci_free_dev(hdev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bluetooth-virtio_bt-fix-memory-leak-in-virtbt_rx_han.patch b/queue-5.16/bluetooth-virtio_bt-fix-memory-leak-in-virtbt_rx_han.patch
new file mode 100644 (file)
index 0000000..b211e0a
--- /dev/null
@@ -0,0 +1,38 @@
+From 9068f94bba67ce65954c30f051fc5d479ae0cd62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 10:14:44 +0200
+Subject: Bluetooth: virtio_bt: fix memory leak in virtbt_rx_handle()
+
+From: Soenke Huster <soenke.huster@eknoes.de>
+
+[ Upstream commit 1d0688421449718c6c5f46e458a378c9b530ba18 ]
+
+On the reception of packets with an invalid packet type, the memory of
+the allocated socket buffers is never freed. Add a default case that frees
+these to avoid a memory leak.
+
+Fixes: afd2daa26c7a ("Bluetooth: Add support for virtio transport driver")
+Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/virtio_bt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/virtio_bt.c b/drivers/bluetooth/virtio_bt.c
+index 57908ce4fae85..076e4942a3f0e 100644
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -202,6 +202,9 @@ static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
+               hci_skb_pkt_type(skb) = pkt_type;
+               hci_recv_frame(vbt->hdev, skb);
+               break;
++      default:
++              kfree_skb(skb);
++              break;
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bnxt_en-use-firmware-provided-max-timeout-for-messag.patch b/queue-5.16/bnxt_en-use-firmware-provided-max-timeout-for-messag.patch
new file mode 100644 (file)
index 0000000..5fef658
--- /dev/null
@@ -0,0 +1,152 @@
+From e1fb83c250f350f255b2d9eac4c694e3bbfcc64f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jan 2022 18:54:44 -0500
+Subject: bnxt_en: use firmware provided max timeout for messages
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit bce9a0b7900836df223ab638090df0cb8430d9e8 ]
+
+Some older devices cannot accommodate the 40 seconds timeout
+cap for long running commands (such as NVRAM commands) due to
+hardware limitations. Allow these devices to request more time for
+these long running commands, but print a warning, since the longer
+timeout may cause the hung task watchdog to trigger. In the case of a
+firmware update operation, this is preferable to failing outright.
+
+v2: Use bp->hwrm_cmd_max_timeout directly without the constants.
+
+Fixes: 881d8353b05e ("bnxt_en: Add an upper bound for all firmware command timeouts.")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c          | 6 ++++++
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h          | 3 ++-
+ drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 4 ++--
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c  | 9 +++------
+ drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c     | 2 +-
+ drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h     | 3 +--
+ 6 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index c04ea83188e22..7eaf74e5b2929 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8008,6 +8008,12 @@ static int bnxt_hwrm_ver_get(struct bnxt *bp)
+       bp->hwrm_cmd_timeout = le16_to_cpu(resp->def_req_timeout);
+       if (!bp->hwrm_cmd_timeout)
+               bp->hwrm_cmd_timeout = DFLT_HWRM_CMD_TIMEOUT;
++      bp->hwrm_cmd_max_timeout = le16_to_cpu(resp->max_req_timeout) * 1000;
++      if (!bp->hwrm_cmd_max_timeout)
++              bp->hwrm_cmd_max_timeout = HWRM_CMD_MAX_TIMEOUT;
++      else if (bp->hwrm_cmd_max_timeout > HWRM_CMD_MAX_TIMEOUT)
++              netdev_warn(bp->dev, "Device requests max timeout of %d seconds, may trigger hung task watchdog\n",
++                          bp->hwrm_cmd_max_timeout / 1000);
+       if (resp->hwrm_intf_maj_8b >= 1) {
+               bp->hwrm_max_req_len = le16_to_cpu(resp->max_req_win_len);
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+index 4c9507d82fd0d..6bacd5fae6ba5 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1985,7 +1985,8 @@ struct bnxt {
+       u16                     hwrm_max_req_len;
+       u16                     hwrm_max_ext_req_len;
+-      int                     hwrm_cmd_timeout;
++      unsigned int            hwrm_cmd_timeout;
++      unsigned int            hwrm_cmd_max_timeout;
+       struct mutex            hwrm_cmd_lock;  /* serialize hwrm messages */
+       struct hwrm_ver_get_output      ver_resp;
+ #define FW_VER_STR_LEN                32
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c
+index d3cb2f21946da..c067898820360 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c
+@@ -32,7 +32,7 @@ static int bnxt_hwrm_dbg_dma_data(struct bnxt *bp, void *msg,
+               return -ENOMEM;
+       }
+-      hwrm_req_timeout(bp, msg, HWRM_COREDUMP_TIMEOUT);
++      hwrm_req_timeout(bp, msg, bp->hwrm_cmd_max_timeout);
+       cmn_resp = hwrm_req_hold(bp, msg);
+       resp = cmn_resp;
+@@ -125,7 +125,7 @@ static int bnxt_hwrm_dbg_coredump_initiate(struct bnxt *bp, u16 component_id,
+       if (rc)
+               return rc;
+-      hwrm_req_timeout(bp, req, HWRM_COREDUMP_TIMEOUT);
++      hwrm_req_timeout(bp, req, bp->hwrm_cmd_max_timeout);
+       req->component_id = cpu_to_le16(component_id);
+       req->segment_id = cpu_to_le16(segment_id);
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+index 8188d55722e4b..7307df49c1313 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -31,9 +31,6 @@
+ #include "bnxt_nvm_defs.h"    /* NVRAM content constant and structure defs */
+ #include "bnxt_fw_hdr.h"      /* Firmware hdr constant and structure defs */
+ #include "bnxt_coredump.h"
+-#define FLASH_NVRAM_TIMEOUT   ((HWRM_CMD_TIMEOUT) * 100)
+-#define FLASH_PACKAGE_TIMEOUT ((HWRM_CMD_TIMEOUT) * 200)
+-#define INSTALL_PACKAGE_TIMEOUT       ((HWRM_CMD_TIMEOUT) * 200)
+ static u32 bnxt_get_msglevel(struct net_device *dev)
+ {
+@@ -2169,7 +2166,7 @@ static int bnxt_flash_nvram(struct net_device *dev, u16 dir_type,
+               req->host_src_addr = cpu_to_le64(dma_handle);
+       }
+-      hwrm_req_timeout(bp, req, FLASH_NVRAM_TIMEOUT);
++      hwrm_req_timeout(bp, req, bp->hwrm_cmd_max_timeout);
+       req->dir_type = cpu_to_le16(dir_type);
+       req->dir_ordinal = cpu_to_le16(dir_ordinal);
+       req->dir_ext = cpu_to_le16(dir_ext);
+@@ -2515,8 +2512,8 @@ int bnxt_flash_package_from_fw_obj(struct net_device *dev, const struct firmware
+               return rc;
+       }
+-      hwrm_req_timeout(bp, modify, FLASH_PACKAGE_TIMEOUT);
+-      hwrm_req_timeout(bp, install, INSTALL_PACKAGE_TIMEOUT);
++      hwrm_req_timeout(bp, modify, bp->hwrm_cmd_max_timeout);
++      hwrm_req_timeout(bp, install, bp->hwrm_cmd_max_timeout);
+       hwrm_req_hold(bp, modify);
+       modify->host_src_addr = cpu_to_le64(dma_handle);
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
+index bb7327b82d0b2..8171f4912fa01 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c
+@@ -496,7 +496,7 @@ static int __hwrm_send(struct bnxt *bp, struct bnxt_hwrm_ctx *ctx)
+       }
+       /* Limit timeout to an upper limit */
+-      timeout = min_t(uint, ctx->timeout, HWRM_CMD_MAX_TIMEOUT);
++      timeout = min(ctx->timeout, bp->hwrm_cmd_max_timeout ?: HWRM_CMD_MAX_TIMEOUT);
+       /* convert timeout to usec */
+       timeout *= 1000;
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
+index 4d17f0d5363bb..9a9fc4e8041b6 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.h
+@@ -58,11 +58,10 @@ void hwrm_update_token(struct bnxt *bp, u16 seq, enum bnxt_hwrm_wait_state s);
+ #define BNXT_HWRM_MAX_REQ_LEN         (bp->hwrm_max_req_len)
+ #define BNXT_HWRM_SHORT_REQ_LEN               sizeof(struct hwrm_short_input)
+-#define HWRM_CMD_MAX_TIMEOUT          40000
++#define HWRM_CMD_MAX_TIMEOUT          40000U
+ #define SHORT_HWRM_CMD_TIMEOUT                20
+ #define HWRM_CMD_TIMEOUT              (bp->hwrm_cmd_timeout)
+ #define HWRM_RESET_TIMEOUT            ((HWRM_CMD_TIMEOUT) * 4)
+-#define HWRM_COREDUMP_TIMEOUT         ((HWRM_CMD_TIMEOUT) * 12)
+ #define BNXT_HWRM_TARGET              0xffff
+ #define BNXT_HWRM_NO_CMPL_RING                -1
+ #define BNXT_HWRM_REQ_MAX_SIZE                128
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-add-missing-map_get_next_key-method-to-bloom-fil.patch b/queue-5.16/bpf-add-missing-map_get_next_key-method-to-bloom-fil.patch
new file mode 100644 (file)
index 0000000..d845005
--- /dev/null
@@ -0,0 +1,49 @@
+From f2b4732fcc38d617bf3e073cf8c777b8e0f61761 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Dec 2021 19:20:02 +0800
+Subject: bpf: Add missing map_get_next_key method to bloom filter map.
+
+From: Haimin Zhang <tcs_kernel@tencent.com>
+
+[ Upstream commit 3ccdcee28415c4226de05438b4d89eb5514edf73 ]
+
+Without it, kernel crashes in map_get_next_key().
+
+Fixes: 9330986c0300 ("bpf: Add bloom filter map implementation")
+Reported-by: TCS Robot <tcs_robot@tencent.com>
+Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Joanne Koong <joannekoong@fb.com>
+Link: https://lore.kernel.org/bpf/1640776802-22421-1-git-send-email-tcs.kernel@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/bloom_filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/bpf/bloom_filter.c b/kernel/bpf/bloom_filter.c
+index 277a05e9c9849..b141a1346f72d 100644
+--- a/kernel/bpf/bloom_filter.c
++++ b/kernel/bpf/bloom_filter.c
+@@ -82,6 +82,11 @@ static int bloom_map_delete_elem(struct bpf_map *map, void *value)
+       return -EOPNOTSUPP;
+ }
++static int bloom_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
++{
++      return -EOPNOTSUPP;
++}
++
+ static struct bpf_map *bloom_map_alloc(union bpf_attr *attr)
+ {
+       u32 bitset_bytes, bitset_mask, nr_hash_funcs, nr_bits;
+@@ -192,6 +197,7 @@ const struct bpf_map_ops bloom_filter_map_ops = {
+       .map_meta_equal = bpf_map_meta_equal,
+       .map_alloc = bloom_map_alloc,
+       .map_free = bloom_map_free,
++      .map_get_next_key = bloom_map_get_next_key,
+       .map_push_elem = bloom_map_push_elem,
+       .map_peek_elem = bloom_map_peek_elem,
+       .map_pop_elem = bloom_map_pop_elem,
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-adjust-btf-log-size-limit.patch b/queue-5.16/bpf-adjust-btf-log-size-limit.patch
new file mode 100644 (file)
index 0000000..3560858
--- /dev/null
@@ -0,0 +1,37 @@
+From 2f35b6f2d7d8e7de49a0c35e6c164efa009a98c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 10:10:29 -0800
+Subject: bpf: Adjust BTF log size limit.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit c5a2d43e998a821701029f23e25b62f9188e93ff ]
+
+Make BTF log size limit to be the same as the verifier log size limit.
+Otherwise tools that progressively increase log size and use the same log
+for BTF loading and program loading will be hitting hard to debug EINVAL.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20211201181040.23337-7-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 9bdb03767db57..0cb1ceb91ca96 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -4460,7 +4460,7 @@ static struct btf *btf_parse(bpfptr_t btf_data, u32 btf_data_size,
+               log->len_total = log_size;
+               /* log attributes have to be sane */
+-              if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 ||
++              if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||
+                   !log->level || !log->ubuf) {
+                       err = -EINVAL;
+                       goto errout;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-arm64-use-emit_addr_mov_i64-for-bpf_pseudo_func.patch b/queue-5.16/bpf-arm64-use-emit_addr_mov_i64-for-bpf_pseudo_func.patch
new file mode 100644 (file)
index 0000000..371d802
--- /dev/null
@@ -0,0 +1,59 @@
+From c3542ffe75b75a0b2345da58a46c2c36e49ed0c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Dec 2021 23:10:18 +0800
+Subject: bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit e4a41c2c1fa916547e63440c73a51a5eb06247af ]
+
+The following error is reported when running "./test_progs -t for_each"
+under arm64:
+
+  bpf_jit: multi-func JIT bug 58 != 56
+  [...]
+  JIT doesn't support bpf-to-bpf calls
+
+The root cause is the size of BPF_PSEUDO_FUNC instruction increases
+from 2 to 3 after the address of called bpf-function is settled and
+there are two bpf-to-bpf calls in test_pkt_access. The generated
+instructions are shown below:
+
+  0x48:  21 00 C0 D2    movz x1, #0x1, lsl #32
+  0x4c:  21 00 80 F2    movk x1, #0x1
+
+  0x48:  E1 3F C0 92    movn x1, #0x1ff, lsl #32
+  0x4c:  41 FE A2 F2    movk x1, #0x17f2, lsl #16
+  0x50:  81 70 9F F2    movk x1, #0xfb84
+
+Fixing it by using emit_addr_mov_i64() for BPF_PSEUDO_FUNC, so
+the size of jited image will not change.
+
+Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211231151018.3781550-1-houtao1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit_comp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index 3a8a7140a9bfb..c2d95aa1d294c 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -791,7 +791,10 @@ emit_cond_jmp:
+               u64 imm64;
+               imm64 = (u64)insn1.imm << 32 | (u32)imm;
+-              emit_a64_mov_i64(dst, imm64, ctx);
++              if (bpf_pseudo_func(insn))
++                      emit_addr_mov_i64(dst, imm64, ctx);
++              else
++                      emit_a64_mov_i64(dst, imm64, ctx);
+               return 1;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-change-value-of-max_tail_call_cnt-from-32-to-33.patch b/queue-5.16/bpf-change-value-of-max_tail_call_cnt-from-32-to-33.patch
new file mode 100644 (file)
index 0000000..02fde42
--- /dev/null
@@ -0,0 +1,447 @@
+From 6e37c6b5cfe5363ce6f9658bf760f173fe40d95e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 09:30:00 +0800
+Subject: bpf: Change value of MAX_TAIL_CALL_CNT from 32 to 33
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit ebf7f6f0a6cdcc17a3da52b81e4b3a98c4005028 ]
+
+In the current code, the actual max tail call count is 33 which is greater
+than MAX_TAIL_CALL_CNT (defined as 32). The actual limit is not consistent
+with the meaning of MAX_TAIL_CALL_CNT and thus confusing at first glance.
+We can see the historical evolution from commit 04fd61ab36ec ("bpf: allow
+bpf programs to tail-call other bpf programs") and commit f9dabe016b63
+("bpf: Undo off-by-one in interpreter tail call count limit"). In order
+to avoid changing existing behavior, the actual limit is 33 now, this is
+reasonable.
+
+After commit 874be05f525e ("bpf, tests: Add tail call test suite"), we can
+see there exists failed testcase.
+
+On all archs when CONFIG_BPF_JIT_ALWAYS_ON is not set:
+ # echo 0 > /proc/sys/net/core/bpf_jit_enable
+ # modprobe test_bpf
+ # dmesg | grep -w FAIL
+ Tail call error path, max count reached jited:0 ret 34 != 33 FAIL
+
+On some archs:
+ # echo 1 > /proc/sys/net/core/bpf_jit_enable
+ # modprobe test_bpf
+ # dmesg | grep -w FAIL
+ Tail call error path, max count reached jited:1 ret 34 != 33 FAIL
+
+Although the above failed testcase has been fixed in commit 18935a72eb25
+("bpf/tests: Fix error in tail call limit tests"), it would still be good
+to change the value of MAX_TAIL_CALL_CNT from 32 to 33 to make the code
+more readable.
+
+The 32-bit x86 JIT was using a limit of 32, just fix the wrong comments and
+limit to 33 tail calls as the constant MAX_TAIL_CALL_CNT updated. For the
+mips64 JIT, use "ori" instead of "addiu" as suggested by Johan Almbladh.
+For the riscv JIT, use RV_REG_TCC directly to save one register move as
+suggested by Björn Töpel. For the other implementations, no function changes,
+it does not change the current limit 33, the new value of MAX_TAIL_CALL_CNT
+can reflect the actual max tail call count, the related tail call testcases
+in test_bpf module and selftests can work well for the interpreter and the
+JIT.
+
+Here are the test results on x86_64:
+
+ # uname -m
+ x86_64
+ # echo 0 > /proc/sys/net/core/bpf_jit_enable
+ # modprobe test_bpf test_suite=test_tail_calls
+ # dmesg | tail -1
+ test_bpf: test_tail_calls: Summary: 8 PASSED, 0 FAILED, [0/8 JIT'ed]
+ # rmmod test_bpf
+ # echo 1 > /proc/sys/net/core/bpf_jit_enable
+ # modprobe test_bpf test_suite=test_tail_calls
+ # dmesg | tail -1
+ test_bpf: test_tail_calls: Summary: 8 PASSED, 0 FAILED, [8/8 JIT'ed]
+ # rmmod test_bpf
+ # ./test_progs -t tailcalls
+ #142 tailcalls:OK
+ Summary: 1/11 PASSED, 0 SKIPPED, 0 FAILED
+
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Björn Töpel <bjorn@kernel.org>
+Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/1636075800-3264-1-git-send-email-yangtiezhu@loongson.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/net/bpf_jit_32.c         |  5 +++--
+ arch/arm64/net/bpf_jit_comp.c     |  5 +++--
+ arch/mips/net/bpf_jit_comp32.c    |  3 +--
+ arch/mips/net/bpf_jit_comp64.c    |  2 +-
+ arch/powerpc/net/bpf_jit_comp32.c |  4 ++--
+ arch/powerpc/net/bpf_jit_comp64.c |  4 ++--
+ arch/riscv/net/bpf_jit_comp32.c   |  6 ++----
+ arch/riscv/net/bpf_jit_comp64.c   |  7 +++----
+ arch/s390/net/bpf_jit_comp.c      |  6 +++---
+ arch/sparc/net/bpf_jit_comp_64.c  |  2 +-
+ arch/x86/net/bpf_jit_comp.c       | 10 +++++-----
+ arch/x86/net/bpf_jit_comp32.c     |  4 ++--
+ include/linux/bpf.h               |  2 +-
+ include/uapi/linux/bpf.h          |  2 +-
+ kernel/bpf/core.c                 |  3 ++-
+ lib/test_bpf.c                    |  4 ++--
+ tools/include/uapi/linux/bpf.h    |  2 +-
+ 17 files changed, 35 insertions(+), 36 deletions(-)
+
+diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
+index eeb6dc0ecf463..e59b41e9ab0c1 100644
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -1199,7 +1199,8 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+       /* tmp2[0] = array, tmp2[1] = index */
+-      /* if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++      /*
++       * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
+        *      goto out;
+        * tail_call_cnt++;
+        */
+@@ -1208,7 +1209,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+       tc = arm_bpf_get_reg64(tcc, tmp, ctx);
+       emit(ARM_CMP_I(tc[0], hi), ctx);
+       _emit(ARM_COND_EQ, ARM_CMP_I(tc[1], lo), ctx);
+-      _emit(ARM_COND_HI, ARM_B(jmp_offset), ctx);
++      _emit(ARM_COND_CS, ARM_B(jmp_offset), ctx);
+       emit(ARM_ADDS_I(tc[1], tc[1], 1), ctx);
+       emit(ARM_ADC_I(tc[0], tc[0], 0), ctx);
+       arm_bpf_put_reg64(tcc, tmp, ctx);
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index c2d95aa1d294c..1090a957b3abc 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -287,13 +287,14 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
+       emit(A64_CMP(0, r3, tmp), ctx);
+       emit(A64_B_(A64_COND_CS, jmp_offset), ctx);
+-      /* if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++      /*
++       * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
+        *     goto out;
+        * tail_call_cnt++;
+        */
+       emit_a64_mov_i64(tmp, MAX_TAIL_CALL_CNT, ctx);
+       emit(A64_CMP(1, tcc, tmp), ctx);
+-      emit(A64_B_(A64_COND_HI, jmp_offset), ctx);
++      emit(A64_B_(A64_COND_CS, jmp_offset), ctx);
+       emit(A64_ADD_I(1, tcc, tcc, 1), ctx);
+       /* prog = array->ptrs[index];
+diff --git a/arch/mips/net/bpf_jit_comp32.c b/arch/mips/net/bpf_jit_comp32.c
+index bd996ede12f8e..044b11b65bcac 100644
+--- a/arch/mips/net/bpf_jit_comp32.c
++++ b/arch/mips/net/bpf_jit_comp32.c
+@@ -1381,8 +1381,7 @@ void build_prologue(struct jit_context *ctx)
+        * 16-byte area in the parent's stack frame. On a tail call, the
+        * calling function jumps into the prologue after these instructions.
+        */
+-      emit(ctx, ori, MIPS_R_T9, MIPS_R_ZERO,
+-           min(MAX_TAIL_CALL_CNT + 1, 0xffff));
++      emit(ctx, ori, MIPS_R_T9, MIPS_R_ZERO, min(MAX_TAIL_CALL_CNT, 0xffff));
+       emit(ctx, sw, MIPS_R_T9, 0, MIPS_R_SP);
+       /*
+diff --git a/arch/mips/net/bpf_jit_comp64.c b/arch/mips/net/bpf_jit_comp64.c
+index 815ade7242278..6475828ffb36d 100644
+--- a/arch/mips/net/bpf_jit_comp64.c
++++ b/arch/mips/net/bpf_jit_comp64.c
+@@ -552,7 +552,7 @@ void build_prologue(struct jit_context *ctx)
+        * On a tail call, the calling function jumps into the prologue
+        * after this instruction.
+        */
+-      emit(ctx, addiu, tc, MIPS_R_ZERO, min(MAX_TAIL_CALL_CNT + 1, 0xffff));
++      emit(ctx, ori, tc, MIPS_R_ZERO, min(MAX_TAIL_CALL_CNT, 0xffff));
+       /* === Entry-point for tail calls === */
+diff --git a/arch/powerpc/net/bpf_jit_comp32.c b/arch/powerpc/net/bpf_jit_comp32.c
+index 0da31d41d4131..8a4faa05f9e41 100644
+--- a/arch/powerpc/net/bpf_jit_comp32.c
++++ b/arch/powerpc/net/bpf_jit_comp32.c
+@@ -221,13 +221,13 @@ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 o
+       PPC_BCC(COND_GE, out);
+       /*
+-       * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++       * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
+        *   goto out;
+        */
+       EMIT(PPC_RAW_CMPLWI(_R0, MAX_TAIL_CALL_CNT));
+       /* tail_call_cnt++; */
+       EMIT(PPC_RAW_ADDIC(_R0, _R0, 1));
+-      PPC_BCC(COND_GT, out);
++      PPC_BCC(COND_GE, out);
+       /* prog = array->ptrs[index]; */
+       EMIT(PPC_RAW_RLWINM(_R3, b2p_index, 2, 0, 29));
+diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
+index 8b5157ccfebae..8571aafcc9e1e 100644
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -228,12 +228,12 @@ static int bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32 o
+       PPC_BCC(COND_GE, out);
+       /*
+-       * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++       * if (tail_call_cnt >= MAX_TAIL_CALL_CNT)
+        *   goto out;
+        */
+       PPC_BPF_LL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
+       EMIT(PPC_RAW_CMPLWI(b2p[TMP_REG_1], MAX_TAIL_CALL_CNT));
+-      PPC_BCC(COND_GT, out);
++      PPC_BCC(COND_GE, out);
+       /*
+        * tail_call_cnt++;
+diff --git a/arch/riscv/net/bpf_jit_comp32.c b/arch/riscv/net/bpf_jit_comp32.c
+index e6497424cbf60..529a83b85c1c9 100644
+--- a/arch/riscv/net/bpf_jit_comp32.c
++++ b/arch/riscv/net/bpf_jit_comp32.c
+@@ -799,11 +799,10 @@ static int emit_bpf_tail_call(int insn, struct rv_jit_context *ctx)
+       emit_bcc(BPF_JGE, lo(idx_reg), RV_REG_T1, off, ctx);
+       /*
+-       * temp_tcc = tcc - 1;
+-       * if (tcc < 0)
++       * if (--tcc < 0)
+        *   goto out;
+        */
+-      emit(rv_addi(RV_REG_T1, RV_REG_TCC, -1), ctx);
++      emit(rv_addi(RV_REG_TCC, RV_REG_TCC, -1), ctx);
+       off = ninsns_rvoff(tc_ninsn - (ctx->ninsns - start_insn));
+       emit_bcc(BPF_JSLT, RV_REG_TCC, RV_REG_ZERO, off, ctx);
+@@ -829,7 +828,6 @@ static int emit_bpf_tail_call(int insn, struct rv_jit_context *ctx)
+       if (is_12b_check(off, insn))
+               return -1;
+       emit(rv_lw(RV_REG_T0, off, RV_REG_T0), ctx);
+-      emit(rv_addi(RV_REG_TCC, RV_REG_T1, 0), ctx);
+       /* Epilogue jumps to *(t0 + 4). */
+       __build_epilogue(true, ctx);
+       return 0;
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index f2a779c7e225d..603630b6f3c5b 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -327,12 +327,12 @@ static int emit_bpf_tail_call(int insn, struct rv_jit_context *ctx)
+       off = ninsns_rvoff(tc_ninsn - (ctx->ninsns - start_insn));
+       emit_branch(BPF_JGE, RV_REG_A2, RV_REG_T1, off, ctx);
+-      /* if (TCC-- < 0)
++      /* if (--TCC < 0)
+        *     goto out;
+        */
+-      emit_addi(RV_REG_T1, tcc, -1, ctx);
++      emit_addi(RV_REG_TCC, tcc, -1, ctx);
+       off = ninsns_rvoff(tc_ninsn - (ctx->ninsns - start_insn));
+-      emit_branch(BPF_JSLT, tcc, RV_REG_ZERO, off, ctx);
++      emit_branch(BPF_JSLT, RV_REG_TCC, RV_REG_ZERO, off, ctx);
+       /* prog = array->ptrs[index];
+        * if (!prog)
+@@ -352,7 +352,6 @@ static int emit_bpf_tail_call(int insn, struct rv_jit_context *ctx)
+       if (is_12b_check(off, insn))
+               return -1;
+       emit_ld(RV_REG_T3, off, RV_REG_T2, ctx);
+-      emit_mv(RV_REG_TCC, RV_REG_T1, ctx);
+       __build_epilogue(true, ctx);
+       return 0;
+ }
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 233cc9bcd6527..9ff2bd83aad70 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -1369,7 +1369,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
+                                jit->prg);
+               /*
+-               * if (tail_call_cnt++ > MAX_TAIL_CALL_CNT)
++               * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
+                *         goto out;
+                */
+@@ -1381,9 +1381,9 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp,
+               EMIT4_IMM(0xa7080000, REG_W0, 1);
+               /* laal %w1,%w0,off(%r15) */
+               EMIT6_DISP_LH(0xeb000000, 0x00fa, REG_W1, REG_W0, REG_15, off);
+-              /* clij %w1,MAX_TAIL_CALL_CNT,0x2,out */
++              /* clij %w1,MAX_TAIL_CALL_CNT-1,0x2,out */
+               patch_2_clij = jit->prg;
+-              EMIT6_PCREL_RIEC(0xec000000, 0x007f, REG_W1, MAX_TAIL_CALL_CNT,
++              EMIT6_PCREL_RIEC(0xec000000, 0x007f, REG_W1, MAX_TAIL_CALL_CNT - 1,
+                                2, jit->prg);
+               /*
+diff --git a/arch/sparc/net/bpf_jit_comp_64.c b/arch/sparc/net/bpf_jit_comp_64.c
+index 9a2f20cbd48b7..0bfe1c72a0c9e 100644
+--- a/arch/sparc/net/bpf_jit_comp_64.c
++++ b/arch/sparc/net/bpf_jit_comp_64.c
+@@ -867,7 +867,7 @@ static void emit_tail_call(struct jit_ctx *ctx)
+       emit(LD32 | IMMED | RS1(SP) | S13(off) | RD(tmp), ctx);
+       emit_cmpi(tmp, MAX_TAIL_CALL_CNT, ctx);
+ #define OFFSET2 13
+-      emit_branch(BGU, ctx->idx, ctx->idx + OFFSET2, ctx);
++      emit_branch(BGEU, ctx->idx, ctx->idx + OFFSET2, ctx);
+       emit_nop(ctx);
+       emit_alu_K(ADD, tmp, 1, ctx);
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index bafe36e69227d..b87d98efd2240 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -412,7 +412,7 @@ static void emit_indirect_jump(u8 **pprog, int reg, u8 *ip)
+  * ... bpf_tail_call(void *ctx, struct bpf_array *array, u64 index) ...
+  *   if (index >= array->map.max_entries)
+  *     goto out;
+- *   if (++tail_call_cnt > MAX_TAIL_CALL_CNT)
++ *   if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
+  *     goto out;
+  *   prog = array->ptrs[index];
+  *   if (prog == NULL)
+@@ -446,14 +446,14 @@ static void emit_bpf_tail_call_indirect(u8 **pprog, bool *callee_regs_used,
+       EMIT2(X86_JBE, offset);                   /* jbe out */
+       /*
+-       * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++       * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
+        *      goto out;
+        */
+       EMIT2_off32(0x8B, 0x85, tcc_off);         /* mov eax, dword ptr [rbp - tcc_off] */
+       EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT);     /* cmp eax, MAX_TAIL_CALL_CNT */
+       offset = ctx->tail_call_indirect_label - (prog + 2 - start);
+-      EMIT2(X86_JA, offset);                    /* ja out */
++      EMIT2(X86_JAE, offset);                   /* jae out */
+       EMIT3(0x83, 0xC0, 0x01);                  /* add eax, 1 */
+       EMIT2_off32(0x89, 0x85, tcc_off);         /* mov dword ptr [rbp - tcc_off], eax */
+@@ -504,14 +504,14 @@ static void emit_bpf_tail_call_direct(struct bpf_jit_poke_descriptor *poke,
+       int offset;
+       /*
+-       * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++       * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
+        *      goto out;
+        */
+       EMIT2_off32(0x8B, 0x85, tcc_off);             /* mov eax, dword ptr [rbp - tcc_off] */
+       EMIT3(0x83, 0xF8, MAX_TAIL_CALL_CNT);         /* cmp eax, MAX_TAIL_CALL_CNT */
+       offset = ctx->tail_call_direct_label - (prog + 2 - start);
+-      EMIT2(X86_JA, offset);                        /* ja out */
++      EMIT2(X86_JAE, offset);                       /* jae out */
+       EMIT3(0x83, 0xC0, 0x01);                      /* add eax, 1 */
+       EMIT2_off32(0x89, 0x85, tcc_off);             /* mov dword ptr [rbp - tcc_off], eax */
+diff --git a/arch/x86/net/bpf_jit_comp32.c b/arch/x86/net/bpf_jit_comp32.c
+index da9b7cfa46329..429a89c5468b5 100644
+--- a/arch/x86/net/bpf_jit_comp32.c
++++ b/arch/x86/net/bpf_jit_comp32.c
+@@ -1323,7 +1323,7 @@ static void emit_bpf_tail_call(u8 **pprog, u8 *ip)
+       EMIT2(IA32_JBE, jmp_label(jmp_label1, 2));
+       /*
+-       * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
++       * if (tail_call_cnt++ >= MAX_TAIL_CALL_CNT)
+        *     goto out;
+        */
+       lo = (u32)MAX_TAIL_CALL_CNT;
+@@ -1337,7 +1337,7 @@ static void emit_bpf_tail_call(u8 **pprog, u8 *ip)
+       /* cmp ecx,lo */
+       EMIT3(0x83, add_1reg(0xF8, IA32_ECX), lo);
+-      /* ja out */
++      /* jae out */
+       EMIT2(IA32_JAE, jmp_label(jmp_label1, 2));
+       /* add eax,0x1 */
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 755f38e893be1..9f20b0f539f78 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -1082,7 +1082,7 @@ struct bpf_array {
+ };
+ #define BPF_COMPLEXITY_LIMIT_INSNS      1000000 /* yes. 1M insns */
+-#define MAX_TAIL_CALL_CNT 32
++#define MAX_TAIL_CALL_CNT 33
+ #define BPF_F_ACCESS_MASK     (BPF_F_RDONLY |         \
+                                BPF_F_RDONLY_PROG |    \
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index ba5af15e25f5c..b12cfceddb6e9 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -1744,7 +1744,7 @@ union bpf_attr {
+  *            if the maximum number of tail calls has been reached for this
+  *            chain of programs. This limit is defined in the kernel by the
+  *            macro **MAX_TAIL_CALL_CNT** (not accessible to user space),
+- *            which is currently set to 32.
++ *            which is currently set to 33.
+  *    Return
+  *            0 on success, or a negative error in case of failure.
+  *
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 2405e39d800fe..b52dc845ecea3 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1574,7 +1574,8 @@ select_insn:
+               if (unlikely(index >= array->map.max_entries))
+                       goto out;
+-              if (unlikely(tail_call_cnt > MAX_TAIL_CALL_CNT))
++
++              if (unlikely(tail_call_cnt >= MAX_TAIL_CALL_CNT))
+                       goto out;
+               tail_call_cnt++;
+diff --git a/lib/test_bpf.c b/lib/test_bpf.c
+index adae39567264f..0c5cb2d6436a4 100644
+--- a/lib/test_bpf.c
++++ b/lib/test_bpf.c
+@@ -14683,7 +14683,7 @@ static struct tail_call_test tail_call_tests[] = {
+                       BPF_EXIT_INSN(),
+               },
+               .flags = FLAG_NEED_STATE | FLAG_RESULT_IN_STATE,
+-              .result = (MAX_TAIL_CALL_CNT + 1 + 1) * MAX_TESTRUNS,
++              .result = (MAX_TAIL_CALL_CNT + 1) * MAX_TESTRUNS,
+       },
+       {
+               "Tail call count preserved across function calls",
+@@ -14705,7 +14705,7 @@ static struct tail_call_test tail_call_tests[] = {
+               },
+               .stack_depth = 8,
+               .flags = FLAG_NEED_STATE | FLAG_RESULT_IN_STATE,
+-              .result = (MAX_TAIL_CALL_CNT + 1 + 1) * MAX_TESTRUNS,
++              .result = (MAX_TAIL_CALL_CNT + 1) * MAX_TESTRUNS,
+       },
+       {
+               "Tail call error path, NULL target",
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index ba5af15e25f5c..b12cfceddb6e9 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -1744,7 +1744,7 @@ union bpf_attr {
+  *            if the maximum number of tail calls has been reached for this
+  *            chain of programs. This limit is defined in the kernel by the
+  *            macro **MAX_TAIL_CALL_CNT** (not accessible to user space),
+- *            which is currently set to 32.
++ *            which is currently set to 33.
+  *    Return
+  *            0 on success, or a negative error in case of failure.
+  *
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch b/queue-5.16/bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch
new file mode 100644 (file)
index 0000000..ac56e36
--- /dev/null
@@ -0,0 +1,81 @@
+From 87ca398ed5f1ba17c17aabe1b20e1af06ceb345e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 13:30:01 +0800
+Subject: bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD)
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 866de407444398bc8140ea70de1dba5f91cc34ac ]
+
+BPF_LOG_KERNEL is only used internally, so disallow bpf_btf_load()
+to set log level as BPF_LOG_KERNEL. The same checking has already
+been done in bpf_check(), so factor out a helper to check the
+validity of log attributes and use it in both places.
+
+Fixes: 8580ac9404f6 ("bpf: Process in-kernel BTF")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20211203053001.740945-1-houtao1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_verifier.h | 7 +++++++
+ kernel/bpf/btf.c             | 3 +--
+ kernel/bpf/verifier.c        | 6 +++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index c8a78e830fcab..182b16a910849 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -396,6 +396,13 @@ static inline bool bpf_verifier_log_needed(const struct bpf_verifier_log *log)
+                log->level == BPF_LOG_KERNEL);
+ }
++static inline bool
++bpf_verifier_log_attr_valid(const struct bpf_verifier_log *log)
++{
++      return log->len_total >= 128 && log->len_total <= UINT_MAX >> 2 &&
++             log->level && log->ubuf && !(log->level & ~BPF_LOG_MASK);
++}
++
+ #define BPF_MAX_SUBPROGS 256
+ struct bpf_subprog_info {
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 0cb1ceb91ca96..5e037070cb656 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -4460,8 +4460,7 @@ static struct btf *btf_parse(bpfptr_t btf_data, u32 btf_data_size,
+               log->len_total = log_size;
+               /* log attributes have to be sane */
+-              if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||
+-                  !log->level || !log->ubuf) {
++              if (!bpf_verifier_log_attr_valid(log)) {
+                       err = -EINVAL;
+                       goto errout;
+               }
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 4e51bf3f9603a..8ebabae31a431 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -13960,11 +13960,11 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr)
+               log->ubuf = (char __user *) (unsigned long) attr->log_buf;
+               log->len_total = attr->log_size;
+-              ret = -EINVAL;
+               /* log attributes have to be sane */
+-              if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||
+-                  !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)
++              if (!bpf_verifier_log_attr_valid(log)) {
++                      ret = -EINVAL;
+                       goto err_unlock;
++              }
+       }
+       if (IS_ERR(btf_vmlinux)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch b/queue-5.16/bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch
new file mode 100644 (file)
index 0000000..b46aa29
--- /dev/null
@@ -0,0 +1,51 @@
+From 230b6ccb4d2d8d97b28d6ac3efbcf9f965bc26bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 11:08:06 +0100
+Subject: bpf: Do not WARN in bpf_warn_invalid_xdp_action()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 2cbad989033bff0256675c38f96f5faab852af4b ]
+
+The WARN_ONCE() in bpf_warn_invalid_xdp_action() can be triggered by
+any bugged program, and even attaching a correct program to a NIC
+not supporting the given action.
+
+The resulting splat, beyond polluting the logs, fouls automated tools:
+e.g. a syzkaller reproducers using an XDP program returning an
+unsupported action will never pass validation.
+
+Replace the WARN_ONCE with a less intrusive pr_warn_once().
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/bpf/016ceec56e4817ebb2a9e35ce794d5c917df572c.1638189075.git.pabeni@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 31147a4cfab30..5b82a817f65a6 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8187,9 +8187,9 @@ void bpf_warn_invalid_xdp_action(u32 act)
+ {
+       const u32 act_max = XDP_REDIRECT;
+-      WARN_ONCE(1, "%s XDP return value %u, expect packet loss!\n",
+-                act > act_max ? "Illegal" : "Driver unsupported",
+-                act);
++      pr_warn_once("%s XDP return value %u, expect packet loss!\n",
++                   act > act_max ? "Illegal" : "Driver unsupported",
++                   act);
+ }
+ EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_action);
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-don-t-promote-bogus-looking-registers-after-null.patch b/queue-5.16/bpf-don-t-promote-bogus-looking-registers-after-null.patch
new file mode 100644 (file)
index 0000000..32ac6fd
--- /dev/null
@@ -0,0 +1,53 @@
+From 6ac78bfd9b7f13e6859b6f02449bdf3a9fea6d4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 11:35:13 -0800
+Subject: bpf: Don't promote bogus looking registers after null check.
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit e60b0d12a95dcf16a63225cead4541567f5cb517 ]
+
+If we ever get to a point again where we convert a bogus looking <ptr>_or_null
+typed register containing a non-zero fixed or variable offset, then lets not
+reset these bounds to zero since they are not and also don't promote the register
+to a <ptr> type, but instead leave it as <ptr>_or_null. Converting to a unknown
+register could be an avenue as well, but then if we run into this case it would
+allow to leak a kernel pointer this way.
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 8ebabae31a431..45d5e71cd64e6 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -8961,15 +8961,15 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state,
+ {
+       if (reg_type_may_be_null(reg->type) && reg->id == id &&
+           !WARN_ON_ONCE(!reg->id)) {
+-              /* Old offset (both fixed and variable parts) should
+-               * have been known-zero, because we don't allow pointer
+-               * arithmetic on pointers that might be NULL.
+-               */
+               if (WARN_ON_ONCE(reg->smin_value || reg->smax_value ||
+                                !tnum_equals_const(reg->var_off, 0) ||
+                                reg->off)) {
+-                      __mark_reg_known_zero(reg);
+-                      reg->off = 0;
++                      /* Old offset (both fixed and variable parts) should
++                       * have been known-zero, because we don't allow pointer
++                       * arithmetic on pointers that might be NULL. If we
++                       * see this happening, don't convert the register.
++                       */
++                      return;
+               }
+               if (is_null) {
+                       reg->type = SCALAR_VALUE;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch b/queue-5.16/bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch
new file mode 100644 (file)
index 0000000..726c1b7
--- /dev/null
@@ -0,0 +1,46 @@
+From 5aaf2c22c237366838c0d2f6d34f288e0ef2f1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 10:31:48 +0900
+Subject: bpf: Fix SO_RCVBUF/SO_SNDBUF handling in _bpf_setsockopt().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit 04c350b1ae6bdb12b84009a4d0bf5ab4e621c47b ]
+
+The commit 4057765f2dee ("sock: consistent handling of extreme
+SO_SNDBUF/SO_RCVBUF values") added a change to prevent underflow
+in setsockopt() around SO_SNDBUF/SO_RCVBUF.
+
+This patch adds the same change to _bpf_setsockopt().
+
+Fixes: 4057765f2dee ("sock: consistent handling of extreme SO_SNDBUF/SO_RCVBUF values")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220104013153.97906-2-kuniyu@amazon.co.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 6102f093d59a5..31147a4cfab30 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -4742,12 +4742,14 @@ static int _bpf_setsockopt(struct sock *sk, int level, int optname,
+               switch (optname) {
+               case SO_RCVBUF:
+                       val = min_t(u32, val, sysctl_rmem_max);
++                      val = min_t(int, val, INT_MAX / 2);
+                       sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
+                       WRITE_ONCE(sk->sk_rcvbuf,
+                                  max_t(int, val * 2, SOCK_MIN_RCVBUF));
+                       break;
+               case SO_SNDBUF:
+                       val = min_t(u32, val, sysctl_wmem_max);
++                      val = min_t(int, val, INT_MAX / 2);
+                       sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+                       WRITE_ONCE(sk->sk_sndbuf,
+                                  max_t(int, val * 2, SOCK_MIN_SNDBUF));
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-fix-the-test_task_vma-selftest-to-support-output.patch b/queue-5.16/bpf-fix-the-test_task_vma-selftest-to-support-output.patch
new file mode 100644 (file)
index 0000000..cbbe9b2
--- /dev/null
@@ -0,0 +1,74 @@
+From abeada6cb3b9364beeae7e22c8c90cd1d7a81029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 20:18:11 +0200
+Subject: bpf: Fix the test_task_vma selftest to support output shorter than 1
+ kB
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit da54ab14953c38d98cb3e34c564c06c3739394b2 ]
+
+The test for bpf_iter_task_vma assumes that the output will be longer
+than 1 kB, as the comment above the loop says. Due to this assumption,
+the loop becomes infinite if the output turns to be shorter than 1 kB.
+The return value of read_fd_into_buffer is 0 when the end of file was
+reached, and len isn't being increased any more.
+
+This commit adds a break on EOF to handle short output correctly. For
+the reference, this is the contents that I get when running test_progs
+under vmtest.sh, and it's shorter than 1 kB:
+
+00400000-00401000 r--p 00000000 fe:00 25867     /root/bpf/test_progs
+00401000-00674000 r-xp 00001000 fe:00 25867     /root/bpf/test_progs
+00674000-0095f000 r--p 00274000 fe:00 25867     /root/bpf/test_progs
+0095f000-00983000 r--p 0055e000 fe:00 25867     /root/bpf/test_progs
+00983000-00a8a000 rw-p 00582000 fe:00 25867     /root/bpf/test_progs
+00a8a000-0484e000 rw-p 00000000 00:00 0
+7f6c64000000-7f6c64021000 rw-p 00000000 00:00 0
+7f6c64021000-7f6c68000000 ---p 00000000 00:00 0
+7f6c6ac8f000-7f6c6ac90000 r--s 00000000 00:0d 8032
+anon_inode:bpf-map
+7f6c6ac90000-7f6c6ac91000 ---p 00000000 00:00 0
+7f6c6ac91000-7f6c6b491000 rw-p 00000000 00:00 0
+7f6c6b491000-7f6c6b492000 r--s 00000000 00:0d 8032
+anon_inode:bpf-map
+7f6c6b492000-7f6c6b493000 rw-s 00000000 00:0d 8032
+anon_inode:bpf-map
+7ffc1e23d000-7ffc1e25e000 rw-p 00000000 00:00 0
+7ffc1e3b8000-7ffc1e3bc000 r--p 00000000 00:00 0
+7ffc1e3bc000-7ffc1e3bd000 r-xp 00000000 00:00 0
+7fffffffe000-7ffffffff000 --xp 00000000 00:00 0
+
+Fixes: e8168840e16c ("selftests/bpf: Add test for bpf_iter_task_vma")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211130181811.594220-1-maximmi@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/bpf_iter.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c
+index 9454331aaf85f..ea6823215e9c0 100644
+--- a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c
++++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c
+@@ -1206,13 +1206,14 @@ static void test_task_vma(void)
+               goto out;
+       /* Read CMP_BUFFER_SIZE (1kB) from bpf_iter. Read in small chunks
+-       * to trigger seq_file corner cases. The expected output is much
+-       * longer than 1kB, so the while loop will terminate.
++       * to trigger seq_file corner cases.
+        */
+       len = 0;
+       while (len < CMP_BUFFER_SIZE) {
+               err = read_fd_into_buffer(iter_fd, task_vma_output + len,
+                                         min(read_size, CMP_BUFFER_SIZE - len));
++              if (!err)
++                      break;
+               if (CHECK(err < 0, "read_iter_fd", "read_iter_fd failed\n"))
+                       goto out;
+               len += err;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-fix-verifier-support-for-validation-of-async-cal.patch b/queue-5.16/bpf-fix-verifier-support-for-validation-of-async-cal.patch
new file mode 100644 (file)
index 0000000..a703a72
--- /dev/null
@@ -0,0 +1,55 @@
+From 057db85409a8c827143680b02c210f64a3649604 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 16:01:50 -0500
+Subject: bpf: Fix verifier support for validation of async callbacks
+
+From: Kris Van Hees <kris.van.hees@oracle.com>
+
+[ Upstream commit a5bebc4f00dee47113eed48098c68e88b5ba70e8 ]
+
+Commit bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.")
+added support for BPF_FUNC_timer_set_callback to
+the __check_func_call() function.  The test in __check_func_call() is
+flaweed because it can mis-interpret a regular BPF-to-BPF pseudo-call
+as a BPF_FUNC_timer_set_callback callback call.
+
+Consider the conditional in the code:
+
+       if (insn->code == (BPF_JMP | BPF_CALL) &&
+           insn->imm == BPF_FUNC_timer_set_callback) {
+
+The BPF_FUNC_timer_set_callback has value 170.  This means that if you
+have a BPF program that contains a pseudo-call with an instruction delta
+of 170, this conditional will be found to be true by the verifier, and
+it will interpret the pseudo-call as a callback.  This leads to a mess
+with the verification of the program because it makes the wrong
+assumptions about the nature of this call.
+
+Solution: include an explicit check to ensure that insn->src_reg == 0.
+This ensures that calls cannot be mis-interpreted as an async callback
+call.
+
+Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.")
+Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220105210150.GH1559@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 45d5e71cd64e6..d48000b90eb8a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5965,6 +5965,7 @@ static int __check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+       }
+       if (insn->code == (BPF_JMP | BPF_CALL) &&
++          insn->src_reg == 0 &&
+           insn->imm == BPF_FUNC_timer_set_callback) {
+               struct bpf_verifier_state *async_cb;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-remove-config-check-to-enable-bpf-support-for-br.patch b/queue-5.16/bpf-remove-config-check-to-enable-bpf-support-for-br.patch
new file mode 100644 (file)
index 0000000..b307caa
--- /dev/null
@@ -0,0 +1,96 @@
+From d9462e1d9a2ce2bdf3f3cca6c8d5c68067548e19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 13:03:15 +0530
+Subject: bpf: Remove config check to enable bpf support for branch records
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit db52f57211b4e45f0ebb274e2c877b211dc18591 ]
+
+Branch data available to BPF programs can be very useful to get stack traces
+out of userspace application.
+
+Commit fff7b64355ea ("bpf: Add bpf_read_branch_records() helper") added BPF
+support to capture branch records in x86. Enable this feature also for other
+architectures as well by removing checks specific to x86.
+
+If an architecture doesn't support branch records, bpf_read_branch_records()
+still has appropriate checks and it will return an -EINVAL in that scenario.
+Based on UAPI helper doc in include/uapi/linux/bpf.h, unsupported architectures
+should return -ENOENT in such case. Hence, update the appropriate check to
+return -ENOENT instead.
+
+Selftest 'perf_branches' result on power9 machine which has the branch stacks
+support:
+
+ - Before this patch:
+
+  [command]# ./test_progs -t perf_branches
+   #88/1 perf_branches/perf_branches_hw:FAIL
+   #88/2 perf_branches/perf_branches_no_hw:OK
+   #88 perf_branches:FAIL
+  Summary: 0/1 PASSED, 0 SKIPPED, 1 FAILED
+
+ - After this patch:
+
+  [command]# ./test_progs -t perf_branches
+   #88/1 perf_branches/perf_branches_hw:OK
+   #88/2 perf_branches/perf_branches_no_hw:OK
+   #88 perf_branches:OK
+  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED
+
+Selftest 'perf_branches' result on power9 machine which doesn't have branch
+stack report:
+
+ - After this patch:
+
+  [command]# ./test_progs -t perf_branches
+   #88/1 perf_branches/perf_branches_hw:SKIP
+   #88/2 perf_branches/perf_branches_no_hw:OK
+   #88 perf_branches:OK
+  Summary: 1/1 PASSED, 1 SKIPPED, 0 FAILED
+
+Fixes: fff7b64355eac ("bpf: Add bpf_read_branch_records() helper")
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211206073315.77432-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index ae9755037b7ee..e36d184615fb7 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1400,9 +1400,6 @@ static const struct bpf_func_proto bpf_perf_prog_read_value_proto = {
+ BPF_CALL_4(bpf_read_branch_records, struct bpf_perf_event_data_kern *, ctx,
+          void *, buf, u32, size, u64, flags)
+ {
+-#ifndef CONFIG_X86
+-      return -ENOENT;
+-#else
+       static const u32 br_entry_size = sizeof(struct perf_branch_entry);
+       struct perf_branch_stack *br_stack = ctx->data->br_stack;
+       u32 to_copy;
+@@ -1411,7 +1408,7 @@ BPF_CALL_4(bpf_read_branch_records, struct bpf_perf_event_data_kern *, ctx,
+               return -EINVAL;
+       if (unlikely(!br_stack))
+-              return -EINVAL;
++              return -ENOENT;
+       if (flags & BPF_F_GET_BRANCH_RECORDS_SIZE)
+               return br_stack->nr * br_entry_size;
+@@ -1423,7 +1420,6 @@ BPF_CALL_4(bpf_read_branch_records, struct bpf_perf_event_data_kern *, ctx,
+       memcpy(buf, br_stack->entries, to_copy);
+       return to_copy;
+-#endif
+ }
+ static const struct bpf_func_proto bpf_read_branch_records_proto = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-selftests-fix-namespace-mount-setup-in-tc_redire.patch b/queue-5.16/bpf-selftests-fix-namespace-mount-setup-in-tc_redire.patch
new file mode 100644 (file)
index 0000000..cdc47a3
--- /dev/null
@@ -0,0 +1,65 @@
+From 0583e3c5bafd77137524ac9739f2e81442b231ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 13:10:30 +0100
+Subject: bpf/selftests: Fix namespace mount setup in tc_redirect
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+[ Upstream commit 5e22dd18626726028a93ff1350a8a71a00fd843d ]
+
+The tc_redirect umounts /sys in the new namespace, which can be
+mounted as shared and cause global umount. The lazy umount also
+takes down mounted trees under /sys like debugfs, which won't be
+available after sysfs mounts again and could cause fails in other
+tests.
+
+  # cat /proc/self/mountinfo | grep debugfs
+  34 23 0:7 / /sys/kernel/debug rw,nosuid,nodev,noexec,relatime shared:14 - debugfs debugfs rw
+  # cat /proc/self/mountinfo | grep sysfs
+  23 86 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:2 - sysfs sysfs rw
+  # mount | grep debugfs
+  debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
+
+  # ./test_progs -t tc_redirect
+  #164 tc_redirect:OK
+  Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED
+
+  # mount | grep debugfs
+  # cat /proc/self/mountinfo | grep debugfs
+  # cat /proc/self/mountinfo | grep sysfs
+  25 86 0:22 / /sys rw,relatime shared:2 - sysfs sysfs rw
+
+Making the sysfs private under the new namespace so the umount won't
+trigger the global sysfs umount.
+
+Reported-by: Hangbin Liu <haliu@redhat.com>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Jussi Maki <joamaki@gmail.com>
+Link: https://lore.kernel.org/bpf/20220104121030.138216-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/tc_redirect.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+index 4b18b73df10b6..c2426df58e172 100644
+--- a/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/tc_redirect.c
+@@ -105,6 +105,13 @@ static int setns_by_fd(int nsfd)
+       if (!ASSERT_OK(err, "unshare"))
+               return err;
++      /* Make our /sys mount private, so the following umount won't
++       * trigger the global umount in case it's shared.
++       */
++      err = mount("none", "/sys", NULL, MS_PRIVATE, NULL);
++      if (!ASSERT_OK(err, "remount private /sys"))
++              return err;
++
+       err = umount2("/sys", MNT_DETACH);
+       if (!ASSERT_OK(err, "umount2 /sys"))
+               return err;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-sockmap-fix-double-bpf_prog_put-on-error-case-in.patch b/queue-5.16/bpf-sockmap-fix-double-bpf_prog_put-on-error-case-in.patch
new file mode 100644 (file)
index 0000000..e214c2b
--- /dev/null
@@ -0,0 +1,120 @@
+From e6def44e623d125a70890b87244d038fc338ed43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 13:46:45 -0800
+Subject: bpf, sockmap: Fix double bpf_prog_put on error case in map_link
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 218d747a4142f281a256687bb513a135c905867b ]
+
+sock_map_link() is called to update a sockmap entry with a sk. But, if the
+sock_map_init_proto() call fails then we return an error to the map_update
+op against the sockmap. In the error path though we need to cleanup psock
+and dec the refcnt on any programs associated with the map, because we
+refcnt them early in the update process to ensure they are pinned for the
+psock. (This avoids a race where user deletes programs while also updating
+the map with new socks.)
+
+In current code we do the prog refcnt dec explicitely by calling
+bpf_prog_put() when the program was found in the map. But, after commit
+'38207a5e81230' in this error path we've already done the prog to psock
+assignment so the programs have a reference from the psock as well. This
+then causes the psock tear down logic, invoked by sk_psock_put() in the
+error path, to similarly call bpf_prog_put on the programs there.
+
+To be explicit this logic does the prog->psock assignment:
+
+  if (msg_*)
+    psock_set_prog(...)
+
+Then the error path under the out_progs label does a similar check and
+dec with:
+
+  if (msg_*)
+     bpf_prog_put(...)
+
+And the teardown logic sk_psock_put() does ...
+
+  psock_set_prog(msg_*, NULL)
+
+... triggering another bpf_prog_put(...). Then KASAN gives us this splat,
+found by syzbot because we've created an inbalance between bpf_prog_inc and
+bpf_prog_put calling put twice on the program.
+
+  BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put kernel/bpf/syscall.c:1812 [inline]
+  BUG: KASAN: vmalloc-out-of-bounds in __bpf_prog_put kernel/bpf/syscall.c:1812 [inline] kernel/bpf/syscall.c:1829
+  BUG: KASAN: vmalloc-out-of-bounds in bpf_prog_put+0x8c/0x4f0 kernel/bpf/syscall.c:1829 kernel/bpf/syscall.c:1829
+  Read of size 8 at addr ffffc90000e76038 by task syz-executor020/3641
+
+To fix clean up error path so it doesn't try to do the bpf_prog_put in the
+error path once progs are assigned then it relies on the normal psock
+tear down logic to do complete cleanup.
+
+For completness we also cover the case whereh sk_psock_init_strp() fails,
+but this is not expected because it indicates an incorrect socket type
+and should be caught earlier.
+
+Fixes: 38207a5e8123 ("bpf, sockmap: Attach map progs to psock early for feature probes")
+Reported-by: syzbot+bb73e71cf4b8fd376a4f@syzkaller.appspotmail.com
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220104214645.290900-1-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_map.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 4ca4b11f4e5ff..687c81386518c 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -292,15 +292,23 @@ static int sock_map_link(struct bpf_map *map, struct sock *sk)
+       if (skb_verdict)
+               psock_set_prog(&psock->progs.skb_verdict, skb_verdict);
++      /* msg_* and stream_* programs references tracked in psock after this
++       * point. Reference dec and cleanup will occur through psock destructor
++       */
+       ret = sock_map_init_proto(sk, psock);
+-      if (ret < 0)
+-              goto out_drop;
++      if (ret < 0) {
++              sk_psock_put(sk, psock);
++              goto out;
++      }
+       write_lock_bh(&sk->sk_callback_lock);
+       if (stream_parser && stream_verdict && !psock->saved_data_ready) {
+               ret = sk_psock_init_strp(sk, psock);
+-              if (ret)
+-                      goto out_unlock_drop;
++              if (ret) {
++                      write_unlock_bh(&sk->sk_callback_lock);
++                      sk_psock_put(sk, psock);
++                      goto out;
++              }
+               sk_psock_start_strp(sk, psock);
+       } else if (!stream_parser && stream_verdict && !psock->saved_data_ready) {
+               sk_psock_start_verdict(sk,psock);
+@@ -309,10 +317,6 @@ static int sock_map_link(struct bpf_map *map, struct sock *sk)
+       }
+       write_unlock_bh(&sk->sk_callback_lock);
+       return 0;
+-out_unlock_drop:
+-      write_unlock_bh(&sk->sk_callback_lock);
+-out_drop:
+-      sk_psock_put(sk, psock);
+ out_progs:
+       if (skb_verdict)
+               bpf_prog_put(skb_verdict);
+@@ -325,6 +329,7 @@ out_put_stream_parser:
+ out_put_stream_verdict:
+       if (stream_verdict)
+               bpf_prog_put(stream_verdict);
++out:
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpf-sockmap-fix-return-codes-from-tcp_bpf_recvmsg_pa.patch b/queue-5.16/bpf-sockmap-fix-return-codes-from-tcp_bpf_recvmsg_pa.patch
new file mode 100644 (file)
index 0000000..da76db5
--- /dev/null
@@ -0,0 +1,92 @@
+From b078935dfa0fb05f0f39c31e7c0c354da7940dd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 12:59:18 -0800
+Subject: bpf, sockmap: Fix return codes from tcp_bpf_recvmsg_parser()
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 5b2c5540b8110eea0d67a78fb0ddb9654c58daeb ]
+
+Applications can be confused slightly because we do not always return the
+same error code as expected, e.g. what the TCP stack normally returns. For
+example on a sock err sk->sk_err instead of returning the sock_error we
+return EAGAIN. This usually means the application will 'try again'
+instead of aborting immediately. Another example, when a shutdown event
+is received we should immediately abort instead of waiting for data when
+the user provides a timeout.
+
+These tend to not be fatal, applications usually recover, but introduces
+bogus errors to the user or introduces unexpected latency. Before
+'c5d2177a72a16' we fell back to the TCP stack when no data was available
+so we managed to catch many of the cases here, although with the extra
+latency cost of calling tcp_msg_wait_data() first.
+
+To fix lets duplicate the error handling in TCP stack into tcp_bpf so
+that we get the same error codes.
+
+These were found in our CI tests that run applications against sockmap
+and do longer lived testing, at least compared to test_sockmap that
+does short-lived ping/pong tests, and in some of our test clusters
+we deploy.
+
+Its non-trivial to do these in a shorter form CI tests that would be
+appropriate for BPF selftests, but we are looking into it so we can
+ensure this keeps working going forward. As a preview one idea is to
+pull in the packetdrill testing which catches some of this.
+
+Fixes: c5d2177a72a16 ("bpf, sockmap: Fix race in ingress receive verdict with redirect to self")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220104205918.286416-1-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index f70aa0932bd6c..9b9b02052fd36 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -196,12 +196,39 @@ msg_bytes_ready:
+               long timeo;
+               int data;
++              if (sock_flag(sk, SOCK_DONE))
++                      goto out;
++
++              if (sk->sk_err) {
++                      copied = sock_error(sk);
++                      goto out;
++              }
++
++              if (sk->sk_shutdown & RCV_SHUTDOWN)
++                      goto out;
++
++              if (sk->sk_state == TCP_CLOSE) {
++                      copied = -ENOTCONN;
++                      goto out;
++              }
++
+               timeo = sock_rcvtimeo(sk, nonblock);
++              if (!timeo) {
++                      copied = -EAGAIN;
++                      goto out;
++              }
++
++              if (signal_pending(current)) {
++                      copied = sock_intr_errno(timeo);
++                      goto out;
++              }
++
+               data = tcp_msg_wait_data(sk, psock, timeo);
+               if (data && !sk_psock_queue_empty(psock))
+                       goto msg_bytes_ready;
+               copied = -EAGAIN;
+       }
++out:
+       release_sock(sk);
+       sk_psock_put(sk, psock);
+       return copied;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpftool-enable-line-buffering-for-stdout.patch b/queue-5.16/bpftool-enable-line-buffering-for-stdout.patch
new file mode 100644 (file)
index 0000000..9610696
--- /dev/null
@@ -0,0 +1,41 @@
+From 893ae0f16413d7c26b49857dca5e8f4f6f82b525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 22:45:28 +0100
+Subject: bpftool: Enable line buffering for stdout
+
+From: Paul Chaignon <paul@isovalent.com>
+
+[ Upstream commit 1a1a0b0364ad291bd8e509da104ac8b5b1afec5d ]
+
+The output of bpftool prog tracelog is currently buffered, which is
+inconvenient when piping the output into other commands. A simple
+tracelog | grep will typically not display anything. This patch fixes it
+by enabling line buffering on stdout for the whole bpftool binary.
+
+Fixes: 30da46b5dc3a ("tools: bpftool: add a command to dump the trace pipe")
+Signed-off-by: Quentin Monnet <quentin@isovalent.com>
+Signed-off-by: Paul Chaignon <paul@isovalent.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211220214528.GA11706@Mem
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
+index 28237d7cef67f..8fbcff9d557d9 100644
+--- a/tools/bpf/bpftool/main.c
++++ b/tools/bpf/bpftool/main.c
+@@ -400,6 +400,8 @@ int main(int argc, char **argv)
+       };
+       int opt, ret;
++      setlinebuf(stdout);
++
+       last_do_help = do_help;
+       pretty_output = false;
+       json_output = false;
+-- 
+2.34.1
+
diff --git a/queue-5.16/bpftool-fix-memory-leak-in-prog_dump.patch b/queue-5.16/bpftool-fix-memory-leak-in-prog_dump.patch
new file mode 100644 (file)
index 0000000..a97ae0e
--- /dev/null
@@ -0,0 +1,82 @@
+From 62866a912f0598c3e8bada0112207bb9dc37aa2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 11:46:27 +0000
+Subject: bpftool: Fix memory leak in prog_dump()
+
+From: Quentin Monnet <quentin@isovalent.com>
+
+[ Upstream commit ebbd7f64a3fbe9e0f235e39fc244ee9735e2a52a ]
+
+Following the extraction of prog_dump() from do_dump(), the struct btf
+allocated in prog_dump() is no longer freed on error; the struct
+bpf_prog_linfo is not freed at all. Make sure we release them before
+exiting the function.
+
+Fixes: ec2025095cf6 ("bpftool: Match several programs with same tag")
+Signed-off-by: Quentin Monnet <quentin@isovalent.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20211110114632.24537-2-quentin@isovalent.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index 515d229526026..6ccd17b8eb560 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -639,8 +639,8 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode,
+       char func_sig[1024];
+       unsigned char *buf;
+       __u32 member_len;
++      int fd, err = -1;
+       ssize_t n;
+-      int fd;
+       if (mode == DUMP_JITED) {
+               if (info->jited_prog_len == 0 || !info->jited_prog_insns) {
+@@ -679,7 +679,7 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode,
+               if (fd < 0) {
+                       p_err("can't open file %s: %s", filepath,
+                             strerror(errno));
+-                      return -1;
++                      goto exit_free;
+               }
+               n = write(fd, buf, member_len);
+@@ -687,7 +687,7 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode,
+               if (n != (ssize_t)member_len) {
+                       p_err("error writing output file: %s",
+                             n < 0 ? strerror(errno) : "short write");
+-                      return -1;
++                      goto exit_free;
+               }
+               if (json_output)
+@@ -701,7 +701,7 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode,
+                                                    info->netns_ino,
+                                                    &disasm_opt);
+                       if (!name)
+-                              return -1;
++                              goto exit_free;
+               }
+               if (info->nr_jited_func_lens && info->jited_func_lens) {
+@@ -796,9 +796,12 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode,
+               kernel_syms_destroy(&dd);
+       }
+-      btf__free(btf);
++      err = 0;
+-      return 0;
++exit_free:
++      btf__free(btf);
++      bpf_prog_linfo__free(prog_linfo);
++      return err;
+ }
+ static int do_dump(int argc, char **argv)
+-- 
+2.34.1
+
diff --git a/queue-5.16/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch b/queue-5.16/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch
new file mode 100644 (file)
index 0000000..5ec8230
--- /dev/null
@@ -0,0 +1,54 @@
+From d235a32cfd16d50ac5726987ecfaa6bfe1837216 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 16:45:35 -0400
+Subject: btrfs: remove BUG_ON(!eie) in find_parent_nodes
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 9f05c09d6baef789726346397438cca4ec43c3ee ]
+
+If we're looking for leafs that point to a data extent we want to record
+the extent items that point at our bytenr.  At this point we have the
+reference and we know for a fact that this leaf should have a reference
+to our bytenr.  However if there's some sort of corruption we may not
+find any references to our leaf, and thus could end up with eie == NULL.
+Replace this BUG_ON() with an ASSERT() and then return -EUCLEAN for the
+mortals.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 6b4b0f105a572..8b090c40daf77 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1365,10 +1365,18 @@ again:
+                               goto out;
+                       if (!ret && extent_item_pos) {
+                               /*
+-                               * we've recorded that parent, so we must extend
+-                               * its inode list here
++                               * We've recorded that parent, so we must extend
++                               * its inode list here.
++                               *
++                               * However if there was corruption we may not
++                               * have found an eie, return an error in this
++                               * case.
+                                */
+-                              BUG_ON(!eie);
++                              ASSERT(eie);
++                              if (!eie) {
++                                      ret = -EUCLEAN;
++                                      goto out;
++                              }
+                               while (eie->next)
+                                       eie = eie->next;
+                               eie->next = ref->inode_list;
+-- 
+2.34.1
+
diff --git a/queue-5.16/btrfs-remove-bug_on-in-find_parent_nodes.patch b/queue-5.16/btrfs-remove-bug_on-in-find_parent_nodes.patch
new file mode 100644 (file)
index 0000000..475b13e
--- /dev/null
@@ -0,0 +1,42 @@
+From 3cb55289737de3c6e360f8984c318970f7d74552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 16:45:34 -0400
+Subject: btrfs: remove BUG_ON() in find_parent_nodes()
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit fcba0120edf88328524a4878d1d6f4ad39f2ec81 ]
+
+We search for an extent entry with .offset = -1, which shouldn't be a
+thing, but corruption happens.  Add an ASSERT() for the developers,
+return -EUCLEAN for mortals.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index f735b8798ba12..6b4b0f105a572 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1214,7 +1214,12 @@ again:
+       ret = btrfs_search_slot(NULL, fs_info->extent_root, &key, path, 0, 0);
+       if (ret < 0)
+               goto out;
+-      BUG_ON(ret == 0);
++      if (ret == 0) {
++              /* This shouldn't happen, indicates a bug or fs corruption. */
++              ASSERT(ret != 0);
++              ret = -EUCLEAN;
++              goto out;
++      }
+ #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS
+       if (trans && likely(trans->type != __TRANS_DUMMY) &&
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-do-not-increase-rx-statistics-when-generating-a-.patch b/queue-5.16/can-do-not-increase-rx-statistics-when-generating-a-.patch
new file mode 100644 (file)
index 0000000..50c4f95
--- /dev/null
@@ -0,0 +1,639 @@
+From 62416ce9ff0f378f9d3d71d33e6496898cad8827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 21:15:27 +0900
+Subject: can: do not increase rx statistics when generating a CAN rx error
+ message frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 676068db69b847f06fe054fca15bf6b107bd24da ]
+
+The CAN error message frames (i.e. error skb) are an interface
+specific to socket CAN. The payload of the CAN error message frames
+does not correspond to any actual data sent on the wire. Only an error
+flag and a delimiter are transmitted when an error occurs (c.f. ISO
+11898-1 section 10.4.4.2 "Error flag").
+
+For this reason, it makes no sense to increment the rx_packets and
+rx_bytes fields of struct net_device_stats because no actual payload
+were transmitted on the wire.
+
+This patch fixes all the CAN drivers.
+
+Link: https://lore.kernel.org/all/20211207121531.42941-2-mailhol.vincent@wanadoo.fr
+CC: Marc Kleine-Budde <mkl@pengutronix.de>
+CC: Nicolas Ferre <nicolas.ferre@microchip.com>
+CC: Alexandre Belloni <alexandre.belloni@bootlin.com>
+CC: Ludovic Desroches <ludovic.desroches@microchip.com>
+CC: Chandrasekar Ramakrishnan <rcsekar@samsung.com>
+CC: Maxime Ripard <mripard@kernel.org>
+CC: Chen-Yu Tsai <wens@csie.org>
+CC: Jernej Skrabec <jernej.skrabec@gmail.com>
+CC: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
+CC: Naga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
+CC: Michal Simek <michal.simek@xilinx.com>
+CC: Stephane Grosjean <s.grosjean@peak-system.com>
+Tested-by: Jimmy Assarsson <extja@kvaser.com> # kvaser
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Acked-by: Stefan Mätje <stefan.maetje@esd.eu> # esd_usb2
+Tested-by: Stefan Mätje <stefan.maetje@esd.eu> # esd_usb2
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/at91_can.c                        | 6 ------
+ drivers/net/can/c_can/c_can_main.c                | 5 -----
+ drivers/net/can/cc770/cc770.c                     | 3 ---
+ drivers/net/can/dev/dev.c                         | 4 ----
+ drivers/net/can/dev/rx-offload.c                  | 6 ++++--
+ drivers/net/can/ifi_canfd/ifi_canfd.c             | 5 -----
+ drivers/net/can/kvaser_pciefd.c                   | 5 -----
+ drivers/net/can/m_can/m_can.c                     | 7 -------
+ drivers/net/can/mscan/mscan.c                     | 9 +++++----
+ drivers/net/can/pch_can.c                         | 3 ---
+ drivers/net/can/peak_canfd/peak_canfd.c           | 4 ----
+ drivers/net/can/rcar/rcar_can.c                   | 6 +-----
+ drivers/net/can/rcar/rcar_canfd.c                 | 4 ----
+ drivers/net/can/sja1000/sja1000.c                 | 2 --
+ drivers/net/can/sun4i_can.c                       | 7 ++-----
+ drivers/net/can/usb/ems_usb.c                     | 2 --
+ drivers/net/can/usb/esd_usb2.c                    | 2 --
+ drivers/net/can/usb/etas_es58x/es58x_core.c       | 7 -------
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c  | 2 --
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 8 --------
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c  | 4 ----
+ drivers/net/can/usb/peak_usb/pcan_usb.c           | 2 --
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c        | 3 ---
+ drivers/net/can/usb/peak_usb/pcan_usb_pro.c       | 2 --
+ drivers/net/can/usb/ucan.c                        | 6 ++++--
+ drivers/net/can/usb/usb_8dev.c                    | 2 --
+ drivers/net/can/xilinx_can.c                      | 9 +--------
+ 27 files changed, 17 insertions(+), 108 deletions(-)
+
+diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
+index 3aea32c9b108f..3cd872cf9be66 100644
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -553,8 +553,6 @@ static void at91_rx_overflow_err(struct net_device *dev)
+       cf->can_id |= CAN_ERR_CRTL;
+       cf->data[1] = CAN_ERR_CRTL_RX_OVERFLOW;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_receive_skb(skb);
+ }
+@@ -779,8 +777,6 @@ static int at91_poll_err(struct net_device *dev, int quota, u32 reg_sr)
+       at91_poll_err_frame(dev, cf, reg_sr);
+-      dev->stats.rx_packets++;
+-      dev->stats.rx_bytes += cf->len;
+       netif_receive_skb(skb);
+       return 1;
+@@ -1037,8 +1033,6 @@ static void at91_irq_err(struct net_device *dev)
+       at91_irq_err_state(dev, cf, new_state);
+-      dev->stats.rx_packets++;
+-      dev->stats.rx_bytes += cf->len;
+       netif_rx(skb);
+       priv->can.state = new_state;
+diff --git a/drivers/net/can/c_can/c_can_main.c b/drivers/net/can/c_can/c_can_main.c
+index 52671d1ea17d5..670754a129846 100644
+--- a/drivers/net/can/c_can/c_can_main.c
++++ b/drivers/net/can/c_can/c_can_main.c
+@@ -920,7 +920,6 @@ static int c_can_handle_state_change(struct net_device *dev,
+       unsigned int reg_err_counter;
+       unsigned int rx_err_passive;
+       struct c_can_priv *priv = netdev_priv(dev);
+-      struct net_device_stats *stats = &dev->stats;
+       struct can_frame *cf;
+       struct sk_buff *skb;
+       struct can_berr_counter bec;
+@@ -996,8 +995,6 @@ static int c_can_handle_state_change(struct net_device *dev,
+               break;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_receive_skb(skb);
+       return 1;
+@@ -1064,8 +1061,6 @@ static int c_can_handle_bus_err(struct net_device *dev,
+               break;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_receive_skb(skb);
+       return 1;
+ }
+diff --git a/drivers/net/can/cc770/cc770.c b/drivers/net/can/cc770/cc770.c
+index f8a130f594e2e..a5fd8ccedec21 100644
+--- a/drivers/net/can/cc770/cc770.c
++++ b/drivers/net/can/cc770/cc770.c
+@@ -499,7 +499,6 @@ static void cc770_rx(struct net_device *dev, unsigned int mo, u8 ctrl1)
+ static int cc770_err(struct net_device *dev, u8 status)
+ {
+       struct cc770_priv *priv = netdev_priv(dev);
+-      struct net_device_stats *stats = &dev->stats;
+       struct can_frame *cf;
+       struct sk_buff *skb;
+       u8 lec;
+@@ -571,8 +570,6 @@ static int cc770_err(struct net_device *dev, u8 status)
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+       return 0;
+diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
+index e3d840b81357d..4845ae6456e19 100644
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -136,7 +136,6 @@ EXPORT_SYMBOL_GPL(can_change_state);
+ static void can_restart(struct net_device *dev)
+ {
+       struct can_priv *priv = netdev_priv(dev);
+-      struct net_device_stats *stats = &dev->stats;
+       struct sk_buff *skb;
+       struct can_frame *cf;
+       int err;
+@@ -155,9 +154,6 @@ static void can_restart(struct net_device *dev)
+       cf->can_id |= CAN_ERR_RESTARTED;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+-
+       netif_rx_ni(skb);
+ restart:
+diff --git a/drivers/net/can/dev/rx-offload.c b/drivers/net/can/dev/rx-offload.c
+index 37b0cc65237b7..7dbf46b9ca5dd 100644
+--- a/drivers/net/can/dev/rx-offload.c
++++ b/drivers/net/can/dev/rx-offload.c
+@@ -54,8 +54,10 @@ static int can_rx_offload_napi_poll(struct napi_struct *napi, int quota)
+               struct can_frame *cf = (struct can_frame *)skb->data;
+               work_done++;
+-              stats->rx_packets++;
+-              stats->rx_bytes += cf->len;
++              if (!(cf->can_id & CAN_ERR_FLAG)) {
++                      stats->rx_packets++;
++                      stats->rx_bytes += cf->len;
++              }
+               netif_receive_skb(skb);
+       }
+diff --git a/drivers/net/can/ifi_canfd/ifi_canfd.c b/drivers/net/can/ifi_canfd/ifi_canfd.c
+index 5bb957a26bc69..e8318e984bf2f 100644
+--- a/drivers/net/can/ifi_canfd/ifi_canfd.c
++++ b/drivers/net/can/ifi_canfd/ifi_canfd.c
+@@ -430,8 +430,6 @@ static int ifi_canfd_handle_lec_err(struct net_device *ndev)
+              priv->base + IFI_CANFD_INTERRUPT);
+       writel(IFI_CANFD_ERROR_CTR_ER_ENABLE, priv->base + IFI_CANFD_ERROR_CTR);
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_receive_skb(skb);
+       return 1;
+@@ -456,7 +454,6 @@ static int ifi_canfd_handle_state_change(struct net_device *ndev,
+                                        enum can_state new_state)
+ {
+       struct ifi_canfd_priv *priv = netdev_priv(ndev);
+-      struct net_device_stats *stats = &ndev->stats;
+       struct can_frame *cf;
+       struct sk_buff *skb;
+       struct can_berr_counter bec;
+@@ -522,8 +519,6 @@ static int ifi_canfd_handle_state_change(struct net_device *ndev,
+               break;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_receive_skb(skb);
+       return 1;
+diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c
+index eb74cdf26b88c..ab672c92ab078 100644
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -1310,9 +1310,6 @@ static int kvaser_pciefd_rx_error_frame(struct kvaser_pciefd_can *can,
+       cf->data[6] = bec.txerr;
+       cf->data[7] = bec.rxerr;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+-
+       netif_rx(skb);
+       return 0;
+ }
+@@ -1510,8 +1507,6 @@ static void kvaser_pciefd_handle_nack_packet(struct kvaser_pciefd_can *can,
+       if (skb) {
+               cf->can_id |= CAN_ERR_BUSERROR;
+-              stats->rx_bytes += cf->len;
+-              stats->rx_packets++;
+               netif_rx(skb);
+       } else {
+               stats->rx_dropped++;
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index c2a8421e7845c..30d94cb43113d 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -647,9 +647,6 @@ static int m_can_handle_lec_err(struct net_device *dev,
+               break;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+-
+       if (cdev->is_peripheral)
+               timestamp = m_can_get_timestamp(cdev);
+@@ -706,7 +703,6 @@ static int m_can_handle_state_change(struct net_device *dev,
+                                    enum can_state new_state)
+ {
+       struct m_can_classdev *cdev = netdev_priv(dev);
+-      struct net_device_stats *stats = &dev->stats;
+       struct can_frame *cf;
+       struct sk_buff *skb;
+       struct can_berr_counter bec;
+@@ -771,9 +767,6 @@ static int m_can_handle_state_change(struct net_device *dev,
+               break;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+-
+       if (cdev->is_peripheral)
+               timestamp = m_can_get_timestamp(cdev);
+diff --git a/drivers/net/can/mscan/mscan.c b/drivers/net/can/mscan/mscan.c
+index fa32e418eb296..9e1cce0260da6 100644
+--- a/drivers/net/can/mscan/mscan.c
++++ b/drivers/net/can/mscan/mscan.c
+@@ -401,13 +401,14 @@ static int mscan_rx_poll(struct napi_struct *napi, int quota)
+                       continue;
+               }
+-              if (canrflg & MSCAN_RXF)
++              if (canrflg & MSCAN_RXF) {
+                       mscan_get_rx_frame(dev, frame);
+-              else if (canrflg & MSCAN_ERR_IF)
++                      stats->rx_packets++;
++                      stats->rx_bytes += frame->len;
++              } else if (canrflg & MSCAN_ERR_IF) {
+                       mscan_get_err_frame(dev, frame, canrflg);
++              }
+-              stats->rx_packets++;
+-              stats->rx_bytes += frame->len;
+               work_done++;
+               netif_receive_skb(skb);
+       }
+diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c
+index 964c8a09226a9..6b45840db1f9b 100644
+--- a/drivers/net/can/pch_can.c
++++ b/drivers/net/can/pch_can.c
+@@ -561,9 +561,6 @@ static void pch_can_error(struct net_device *ndev, u32 status)
+       priv->can.state = state;
+       netif_receive_skb(skb);
+-
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+ }
+ static irqreturn_t pch_can_interrupt(int irq, void *dev_id)
+diff --git a/drivers/net/can/peak_canfd/peak_canfd.c b/drivers/net/can/peak_canfd/peak_canfd.c
+index d08718e98e110..d5b8bc6d29804 100644
+--- a/drivers/net/can/peak_canfd/peak_canfd.c
++++ b/drivers/net/can/peak_canfd/peak_canfd.c
+@@ -409,8 +409,6 @@ static int pucan_handle_status(struct peak_canfd_priv *priv,
+               return -ENOMEM;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       pucan_netif_rx(skb, msg->ts_low, msg->ts_high);
+       return 0;
+@@ -438,8 +436,6 @@ static int pucan_handle_cache_critical(struct peak_canfd_priv *priv)
+       cf->data[6] = priv->bec.txerr;
+       cf->data[7] = priv->bec.rxerr;
+-      stats->rx_bytes += cf->len;
+-      stats->rx_packets++;
+       netif_rx(skb);
+       return 0;
+diff --git a/drivers/net/can/rcar/rcar_can.c b/drivers/net/can/rcar/rcar_can.c
+index 8999ec9455ec2..f408ed9a6ccd1 100644
+--- a/drivers/net/can/rcar/rcar_can.c
++++ b/drivers/net/can/rcar/rcar_can.c
+@@ -223,7 +223,6 @@ static void tx_failure_cleanup(struct net_device *ndev)
+ static void rcar_can_error(struct net_device *ndev)
+ {
+       struct rcar_can_priv *priv = netdev_priv(ndev);
+-      struct net_device_stats *stats = &ndev->stats;
+       struct can_frame *cf;
+       struct sk_buff *skb;
+       u8 eifr, txerr = 0, rxerr = 0;
+@@ -362,11 +361,8 @@ static void rcar_can_error(struct net_device *ndev)
+               }
+       }
+-      if (skb) {
+-              stats->rx_packets++;
+-              stats->rx_bytes += cf->len;
++      if (skb)
+               netif_rx(skb);
+-      }
+ }
+ static void rcar_can_tx_done(struct net_device *ndev)
+diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c
+index 388521e70837f..137eea4c7bad8 100644
+--- a/drivers/net/can/rcar/rcar_canfd.c
++++ b/drivers/net/can/rcar/rcar_canfd.c
+@@ -1033,8 +1033,6 @@ static void rcar_canfd_error(struct net_device *ndev, u32 cerfl,
+       /* Clear channel error interrupts that are handled */
+       rcar_canfd_write(priv->base, RCANFD_CERFL(ch),
+                        RCANFD_CERFL_ERR(~cerfl));
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+ }
+@@ -1174,8 +1172,6 @@ static void rcar_canfd_state_change(struct net_device *ndev,
+               rx_state = txerr <= rxerr ? state : 0;
+               can_change_state(ndev, cf, tx_state, rx_state);
+-              stats->rx_packets++;
+-              stats->rx_bytes += cf->len;
+               netif_rx(skb);
+       }
+ }
+diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c
+index 3fad546467461..a65546ca94610 100644
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -487,8 +487,6 @@ static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status)
+                       can_bus_off(dev);
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+       return 0;
+diff --git a/drivers/net/can/sun4i_can.c b/drivers/net/can/sun4i_can.c
+index 54aa7c25c4de1..599174098883d 100644
+--- a/drivers/net/can/sun4i_can.c
++++ b/drivers/net/can/sun4i_can.c
+@@ -622,13 +622,10 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status)
+                       can_bus_off(dev);
+       }
+-      if (likely(skb)) {
+-              stats->rx_packets++;
+-              stats->rx_bytes += cf->len;
++      if (likely(skb))
+               netif_rx(skb);
+-      } else {
++      else
+               return -ENOMEM;
+-      }
+       return 0;
+ }
+diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
+index 2b5302e724353..7cf65936d02e5 100644
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -397,8 +397,6 @@ static void ems_usb_rx_err(struct ems_usb *dev, struct ems_cpc_msg *msg)
+               stats->rx_errors++;
+       }
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+ }
+diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c
+index c6068a251fbed..5f6915a27b3d9 100644
+--- a/drivers/net/can/usb/esd_usb2.c
++++ b/drivers/net/can/usb/esd_usb2.c
+@@ -293,8 +293,6 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv,
+               priv->bec.txerr = txerr;
+               priv->bec.rxerr = rxerr;
+-              stats->rx_packets++;
+-              stats->rx_bytes += cf->len;
+               netif_rx(skb);
+       }
+ }
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index 24627ab146261..fb07c33ba0c3c 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -849,13 +849,6 @@ int es58x_rx_err_msg(struct net_device *netdev, enum es58x_err error,
+               break;
+       }
+-      /* driver/net/can/dev.c:can_restart() takes in account error
+-       * messages in the RX stats. Doing the same here for
+-       * consistency.
+-       */
+-      netdev->stats.rx_packets++;
+-      netdev->stats.rx_bytes += CAN_ERR_DLC;
+-
+       if (cf) {
+               if (cf->data[1])
+                       cf->can_id |= CAN_ERR_CRTL;
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+index 0cc0fc866a2a9..3e682ef43f8ef 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -279,8 +279,6 @@ int kvaser_usb_can_rx_over_error(struct net_device *netdev)
+       cf->can_id |= CAN_ERR_CRTL;
+       cf->data[1] = CAN_ERR_CRTL_RX_OVERFLOW;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+       return 0;
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+index dcee8dc828ecc..3398da323126c 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+@@ -869,7 +869,6 @@ static void kvaser_usb_hydra_update_state(struct kvaser_usb_net_priv *priv,
+       struct net_device *netdev = priv->netdev;
+       struct can_frame *cf;
+       struct sk_buff *skb;
+-      struct net_device_stats *stats;
+       enum can_state new_state, old_state;
+       old_state = priv->can.state;
+@@ -919,9 +918,6 @@ static void kvaser_usb_hydra_update_state(struct kvaser_usb_net_priv *priv,
+       cf->data[6] = bec->txerr;
+       cf->data[7] = bec->rxerr;
+-      stats = &netdev->stats;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+ }
+@@ -1074,8 +1070,6 @@ kvaser_usb_hydra_error_frame(struct kvaser_usb_net_priv *priv,
+       cf->data[6] = bec.txerr;
+       cf->data[7] = bec.rxerr;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+       priv->bec.txerr = bec.txerr;
+@@ -1109,8 +1103,6 @@ static void kvaser_usb_hydra_one_shot_fail(struct kvaser_usb_net_priv *priv,
+       }
+       stats->tx_errors++;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+ }
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+index f7af1bf5ab46d..5434b7386a51e 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+@@ -641,8 +641,6 @@ static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev,
+               if (skb) {
+                       cf->can_id |= CAN_ERR_RESTARTED;
+-                      stats->rx_packets++;
+-                      stats->rx_bytes += cf->len;
+                       netif_rx(skb);
+               } else {
+                       netdev_err(priv->netdev,
+@@ -843,8 +841,6 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
+       cf->data[6] = es->txerr;
+       cf->data[7] = es->rxerr;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+ }
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c
+index 8762187527669..21b06a7385959 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
+@@ -520,8 +520,6 @@ static int pcan_usb_decode_error(struct pcan_usb_msg_context *mc, u8 n,
+                                    &hwts->hwtstamp);
+       }
+-      mc->netdev->stats.rx_packets++;
+-      mc->netdev->stats.rx_bytes += cf->len;
+       netif_rx(skb);
+       return 0;
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+index 6bd12549f1014..185f5a98d2177 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -577,9 +577,6 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
+       if (!skb)
+               return -ENOMEM;
+-      netdev->stats.rx_packets++;
+-      netdev->stats.rx_bytes += cf->len;
+-
+       peak_usb_netif_rx_64(skb, le32_to_cpu(sm->ts_low),
+                            le32_to_cpu(sm->ts_high));
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+index 858ab22708fcd..f6d19879bf404 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+@@ -660,8 +660,6 @@ static int pcan_usb_pro_handle_error(struct pcan_usb_pro_interface *usb_if,
+       hwts = skb_hwtstamps(skb);
+       peak_usb_get_ts_time(&usb_if->time_ref, le32_to_cpu(er->ts32), &hwts->hwtstamp);
+-      netdev->stats.rx_packets++;
+-      netdev->stats.rx_bytes += can_frame->len;
+       netif_rx(skb);
+       return 0;
+diff --git a/drivers/net/can/usb/ucan.c b/drivers/net/can/usb/ucan.c
+index 1679cbe45ded2..d582c39fc8d0e 100644
+--- a/drivers/net/can/usb/ucan.c
++++ b/drivers/net/can/usb/ucan.c
+@@ -621,8 +621,10 @@ static void ucan_rx_can_msg(struct ucan_priv *up, struct ucan_message_in *m)
+               memcpy(cf->data, m->msg.can_msg.data, cf->len);
+       /* don't count error frames as real packets */
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
++      if (!(cf->can_id & CAN_ERR_FLAG)) {
++              stats->rx_packets++;
++              stats->rx_bytes += cf->len;
++      }
+       /* pass it to Linux */
+       netif_rx(skb);
+diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c
+index d1b83bd1b3cb9..040324362b260 100644
+--- a/drivers/net/can/usb/usb_8dev.c
++++ b/drivers/net/can/usb/usb_8dev.c
+@@ -449,8 +449,6 @@ static void usb_8dev_rx_err_msg(struct usb_8dev_priv *priv,
+       priv->bec.txerr = txerr;
+       priv->bec.rxerr = rxerr;
+-      stats->rx_packets++;
+-      stats->rx_bytes += cf->len;
+       netif_rx(skb);
+ }
+diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
+index af4a2adc85983..e0525541b32a7 100644
+--- a/drivers/net/can/xilinx_can.c
++++ b/drivers/net/can/xilinx_can.c
+@@ -965,13 +965,8 @@ static void xcan_update_error_state_after_rxtx(struct net_device *ndev)
+               xcan_set_error_state(ndev, new_state, skb ? cf : NULL);
+-              if (skb) {
+-                      struct net_device_stats *stats = &ndev->stats;
+-
+-                      stats->rx_packets++;
+-                      stats->rx_bytes += cf->len;
++              if (skb)
+                       netif_rx(skb);
+-              }
+       }
+ }
+@@ -1095,8 +1090,6 @@ static void xcan_err_interrupt(struct net_device *ndev, u32 isr)
+               if (skb) {
+                       skb_cf->can_id |= cf.can_id;
+                       memcpy(skb_cf->data, cf.data, CAN_ERR_DLC);
+-                      stats->rx_packets++;
+-                      stats->rx_bytes += CAN_ERR_DLC;
+                       netif_rx(skb);
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-flexcan-add-more-quirks-to-describe-rx-path-capa.patch b/queue-5.16/can-flexcan-add-more-quirks-to-describe-rx-path-capa.patch
new file mode 100644 (file)
index 0000000..3c7e581
--- /dev/null
@@ -0,0 +1,165 @@
+From c65d05d0a9110006e7778f45b1b0e2772499ccf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 14:29:15 +0100
+Subject: can: flexcan: add more quirks to describe RX path capabilities
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit c5c88591040ee7d84d037328eed9019d3ffab821 ]
+
+Most flexcan IP cores support 2 RX modes:
+- FIFO
+- mailbox
+
+Some IP core versions cannot receive CAN RTR messages via mailboxes.
+This patch adds quirks to document this.
+
+This information will be used in a later patch to switch from FIFO to
+more performant mailbox mode at the expense of losing the ability to
+receive RTR messages. This trade off is beneficial in certain use
+cases.
+
+Link: https://lore.kernel.org/all/20220107193105.1699523-5-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 66 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 54 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index ba52e70d6a166..57cebc4156616 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -252,6 +252,12 @@
+ #define FLEXCAN_QUIRK_NR_IRQ_3 BIT(12)
+ /* Setup 16 mailboxes */
+ #define FLEXCAN_QUIRK_NR_MB_16 BIT(13)
++/* Device supports RX via mailboxes */
++#define FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX BIT(14)
++/* Device supports RTR reception via mailboxes */
++#define FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR BIT(15)
++/* Device supports RX via FIFO */
++#define FLEXCAN_QUIRK_SUPPPORT_RX_FIFO BIT(16)
+ /* Structure of the message buffer */
+ struct flexcan_mb {
+@@ -386,59 +392,78 @@ struct flexcan_priv {
+ static const struct flexcan_devtype_data fsl_mcf5441x_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+-              FLEXCAN_QUIRK_NR_IRQ_3 | FLEXCAN_QUIRK_NR_MB_16,
++              FLEXCAN_QUIRK_NR_IRQ_3 | FLEXCAN_QUIRK_NR_MB_16 |
++              FLEXCAN_QUIRK_SUPPPORT_RX_FIFO,
+ };
+ static const struct flexcan_devtype_data fsl_p1010_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_BROKEN_WERR_STATE |
+               FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+-              FLEXCAN_QUIRK_DEFAULT_BIG_ENDIAN,
++              FLEXCAN_QUIRK_DEFAULT_BIG_ENDIAN |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_FIFO,
+ };
+ static const struct flexcan_devtype_data fsl_imx25_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_BROKEN_WERR_STATE |
+-              FLEXCAN_QUIRK_BROKEN_PERR_STATE,
++              FLEXCAN_QUIRK_BROKEN_PERR_STATE |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_FIFO,
+ };
+ static const struct flexcan_devtype_data fsl_imx28_devtype_data = {
+-      .quirks = FLEXCAN_QUIRK_BROKEN_PERR_STATE,
++      .quirks = FLEXCAN_QUIRK_BROKEN_PERR_STATE |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_FIFO,
+ };
+ static const struct flexcan_devtype_data fsl_imx6q_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+               FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+-              FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR,
++              FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR,
+ };
+ static const struct flexcan_devtype_data fsl_imx8qm_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+               FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+-              FLEXCAN_QUIRK_SUPPORT_FD | FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW,
++              FLEXCAN_QUIRK_SUPPORT_FD | FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR,
+ };
+ static struct flexcan_devtype_data fsl_imx8mp_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+               FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_RX_MAILBOX |
+               FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR |
+-              FLEXCAN_QUIRK_SUPPORT_FD | FLEXCAN_QUIRK_SUPPORT_ECC,
++              FLEXCAN_QUIRK_SUPPORT_FD | FLEXCAN_QUIRK_SUPPORT_ECC |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR,
+ };
+ static const struct flexcan_devtype_data fsl_vf610_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+               FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_RX_MAILBOX |
+-              FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_SUPPORT_ECC,
++              FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_SUPPORT_ECC |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR,
+ };
+ static const struct flexcan_devtype_data fsl_ls1021a_r2_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+-              FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_RX_MAILBOX,
++              FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR,
+ };
+ static const struct flexcan_devtype_data fsl_lx2160a_r1_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+               FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+               FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_SUPPORT_FD |
+-              FLEXCAN_QUIRK_SUPPORT_ECC,
++              FLEXCAN_QUIRK_SUPPORT_ECC |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR,
+ };
+ static const struct can_bittiming_const flexcan_bittiming_const = {
+@@ -2164,8 +2189,25 @@ static int flexcan_probe(struct platform_device *pdev)
+               return -ENODEV;
+       if ((devtype_data->quirks & FLEXCAN_QUIRK_SUPPORT_FD) &&
+-          !(devtype_data->quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX)) {
+-              dev_err(&pdev->dev, "CAN-FD mode doesn't work with FIFO mode!\n");
++          !((devtype_data->quirks &
++             (FLEXCAN_QUIRK_USE_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++              FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR |
++              FLEXCAN_QUIRK_SUPPPORT_RX_FIFO)) ==
++            (FLEXCAN_QUIRK_USE_RX_MAILBOX |
++             FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++             FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR))) {
++              dev_err(&pdev->dev, "CAN-FD mode doesn't work in RX-FIFO mode!\n");
++              return -EINVAL;
++      }
++
++      if ((devtype_data->quirks &
++           (FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX |
++            FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR)) ==
++          FLEXCAN_QUIRK_SUPPPORT_RX_MAILBOX_RTR) {
++              dev_err(&pdev->dev,
++                      "Quirks (0x%08x) inconsistent: RX_MAILBOX_RX supported but not RX_MAILBOX\n",
++                      devtype_data->quirks);
+               return -EINVAL;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-flexcan-allow-to-change-quirks-at-runtime.patch b/queue-5.16/can-flexcan-allow-to-change-quirks-at-runtime.patch
new file mode 100644 (file)
index 0000000..9becd8d
--- /dev/null
@@ -0,0 +1,255 @@
+From a3a4dcafa1e3961a632e8beadf1af4feaabbb791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 14:20:25 +0100
+Subject: can: flexcan: allow to change quirks at runtime
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 01bb4dccd92b4dc21f6af3312e5696924e371111 ]
+
+This is a preparation patch for the upcoming support to change the
+rx-rtr capability via the ethtool API.
+
+Link: https://lore.kernel.org/all/20220107193105.1699523-3-mkl@pengutronix.de
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 54 +++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index 12b60ad95b02a..26bf0a0a72f1d 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -369,7 +369,7 @@ struct flexcan_priv {
+       struct clk *clk_ipg;
+       struct clk *clk_per;
+-      const struct flexcan_devtype_data *devtype_data;
++      struct flexcan_devtype_data devtype_data;
+       struct regulator *reg_xceiver;
+       struct flexcan_stop_mode stm;
+@@ -600,7 +600,7 @@ static inline int flexcan_enter_stop_mode(struct flexcan_priv *priv)
+       priv->write(reg_mcr, &regs->mcr);
+       /* enable stop request */
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW) {
+               ret = flexcan_stop_mode_enable_scfw(priv, true);
+               if (ret < 0)
+                       return ret;
+@@ -619,7 +619,7 @@ static inline int flexcan_exit_stop_mode(struct flexcan_priv *priv)
+       int ret;
+       /* remove stop request */
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW) {
+               ret = flexcan_stop_mode_enable_scfw(priv, false);
+               if (ret < 0)
+                       return ret;
+@@ -1022,7 +1022,7 @@ static struct sk_buff *flexcan_mailbox_read(struct can_rx_offload *offload,
+       mb = flexcan_get_mb(priv, n);
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
+               u32 code;
+               do {
+@@ -1087,7 +1087,7 @@ static struct sk_buff *flexcan_mailbox_read(struct can_rx_offload *offload,
+       }
+  mark_as_read:
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
+               flexcan_write64(priv, FLEXCAN_IFLAG_MB(n), &regs->iflag1);
+       else
+               priv->write(FLEXCAN_IFLAG_RX_FIFO_AVAILABLE, &regs->iflag1);
+@@ -1113,7 +1113,7 @@ static irqreturn_t flexcan_irq(int irq, void *dev_id)
+       enum can_state last_state = priv->can.state;
+       /* reception interrupt */
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
+               u64 reg_iflag_rx;
+               int ret;
+@@ -1173,7 +1173,7 @@ static irqreturn_t flexcan_irq(int irq, void *dev_id)
+       /* state change interrupt or broken error state quirk fix is enabled */
+       if ((reg_esr & FLEXCAN_ESR_ERR_STATE) ||
+-          (priv->devtype_data->quirks & (FLEXCAN_QUIRK_BROKEN_WERR_STATE |
++          (priv->devtype_data.quirks & (FLEXCAN_QUIRK_BROKEN_WERR_STATE |
+                                          FLEXCAN_QUIRK_BROKEN_PERR_STATE)))
+               flexcan_irq_state(dev, reg_esr);
+@@ -1195,11 +1195,11 @@ static irqreturn_t flexcan_irq(int irq, void *dev_id)
+        * (1): enabled if FLEXCAN_QUIRK_BROKEN_WERR_STATE is enabled
+        */
+       if ((last_state != priv->can.state) &&
+-          (priv->devtype_data->quirks & FLEXCAN_QUIRK_BROKEN_PERR_STATE) &&
++          (priv->devtype_data.quirks & FLEXCAN_QUIRK_BROKEN_PERR_STATE) &&
+           !(priv->can.ctrlmode & CAN_CTRLMODE_BERR_REPORTING)) {
+               switch (priv->can.state) {
+               case CAN_STATE_ERROR_ACTIVE:
+-                      if (priv->devtype_data->quirks &
++                      if (priv->devtype_data.quirks &
+                           FLEXCAN_QUIRK_BROKEN_WERR_STATE)
+                               flexcan_error_irq_enable(priv);
+                       else
+@@ -1423,13 +1423,13 @@ static int flexcan_rx_offload_setup(struct net_device *dev)
+       else
+               priv->mb_size = sizeof(struct flexcan_mb) + CAN_MAX_DLEN;
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_NR_MB_16)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_MB_16)
+               priv->mb_count = 16;
+       else
+               priv->mb_count = (sizeof(priv->regs->mb[0]) / priv->mb_size) +
+                                (sizeof(priv->regs->mb[1]) / priv->mb_size);
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
+               priv->tx_mb_reserved =
+                       flexcan_get_mb(priv, FLEXCAN_TX_MB_RESERVED_OFF_TIMESTAMP);
+       else
+@@ -1441,7 +1441,7 @@ static int flexcan_rx_offload_setup(struct net_device *dev)
+       priv->offload.mailbox_read = flexcan_mailbox_read;
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
+               priv->offload.mb_first = FLEXCAN_RX_MB_OFF_TIMESTAMP_FIRST;
+               priv->offload.mb_last = priv->mb_count - 2;
+@@ -1506,7 +1506,7 @@ static int flexcan_chip_start(struct net_device *dev)
+       if (err)
+               goto out_chip_disable;
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SUPPORT_ECC)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SUPPORT_ECC)
+               flexcan_ram_init(dev);
+       flexcan_set_bittiming(dev);
+@@ -1535,7 +1535,7 @@ static int flexcan_chip_start(struct net_device *dev)
+        * - disable for timestamp mode
+        * - enable for FIFO mode
+        */
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
+               reg_mcr &= ~FLEXCAN_MCR_FEN;
+       else
+               reg_mcr |= FLEXCAN_MCR_FEN;
+@@ -1586,7 +1586,7 @@ static int flexcan_chip_start(struct net_device *dev)
+        * on most Flexcan cores, too. Otherwise we don't get
+        * any error warning or passive interrupts.
+        */
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_BROKEN_WERR_STATE ||
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_BROKEN_WERR_STATE ||
+           priv->can.ctrlmode & CAN_CTRLMODE_BERR_REPORTING)
+               reg_ctrl |= FLEXCAN_CTRL_ERR_MSK;
+       else
+@@ -1599,7 +1599,7 @@ static int flexcan_chip_start(struct net_device *dev)
+       netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
+       priv->write(reg_ctrl, &regs->ctrl);
+-      if ((priv->devtype_data->quirks & FLEXCAN_QUIRK_ENABLE_EACEN_RRS)) {
++      if ((priv->devtype_data.quirks & FLEXCAN_QUIRK_ENABLE_EACEN_RRS)) {
+               reg_ctrl2 = priv->read(&regs->ctrl2);
+               reg_ctrl2 |= FLEXCAN_CTRL2_EACEN | FLEXCAN_CTRL2_RRS;
+               priv->write(reg_ctrl2, &regs->ctrl2);
+@@ -1631,7 +1631,7 @@ static int flexcan_chip_start(struct net_device *dev)
+               priv->write(reg_fdctrl, &regs->fdctrl);
+       }
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
+               for (i = priv->offload.mb_first; i <= priv->offload.mb_last; i++) {
+                       mb = flexcan_get_mb(priv, i);
+                       priv->write(FLEXCAN_MB_CODE_RX_EMPTY,
+@@ -1659,7 +1659,7 @@ static int flexcan_chip_start(struct net_device *dev)
+       priv->write(0x0, &regs->rx14mask);
+       priv->write(0x0, &regs->rx15mask);
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_DISABLE_RXFG)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_DISABLE_RXFG)
+               priv->write(0x0, &regs->rxfgmask);
+       /* clear acceptance filters */
+@@ -1673,7 +1673,7 @@ static int flexcan_chip_start(struct net_device *dev)
+        * This also works around errata e5295 which generates false
+        * positive memory errors and put the device in freeze mode.
+        */
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_DISABLE_MECR) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_DISABLE_MECR) {
+               /* Follow the protocol as described in "Detection
+                * and Correction of Memory Errors" to write to
+                * MECR register (step 1 - 5)
+@@ -1799,7 +1799,7 @@ static int flexcan_open(struct net_device *dev)
+       if (err)
+               goto out_can_rx_offload_disable;
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
+               err = request_irq(priv->irq_boff,
+                                 flexcan_irq, IRQF_SHARED, dev->name, dev);
+               if (err)
+@@ -1845,7 +1845,7 @@ static int flexcan_close(struct net_device *dev)
+       netif_stop_queue(dev);
+       flexcan_chip_interrupts_disable(dev);
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
+               free_irq(priv->irq_err, dev);
+               free_irq(priv->irq_boff, dev);
+       }
+@@ -2051,9 +2051,9 @@ static int flexcan_setup_stop_mode(struct platform_device *pdev)
+       priv = netdev_priv(dev);
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW)
+               ret = flexcan_setup_stop_mode_scfw(pdev);
+-      else if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR)
++      else if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR)
+               ret = flexcan_setup_stop_mode_gpr(pdev);
+       else
+               /* return 0 directly if doesn't support stop mode feature */
+@@ -2181,9 +2181,10 @@ static int flexcan_probe(struct platform_device *pdev)
+       dev->flags |= IFF_ECHO;
+       priv = netdev_priv(dev);
++      priv->devtype_data = *devtype_data;
+       if (of_property_read_bool(pdev->dev.of_node, "big-endian") ||
+-          devtype_data->quirks & FLEXCAN_QUIRK_DEFAULT_BIG_ENDIAN) {
++          priv->devtype_data.quirks & FLEXCAN_QUIRK_DEFAULT_BIG_ENDIAN) {
+               priv->read = flexcan_read_be;
+               priv->write = flexcan_write_be;
+       } else {
+@@ -2202,10 +2203,9 @@ static int flexcan_probe(struct platform_device *pdev)
+       priv->clk_ipg = clk_ipg;
+       priv->clk_per = clk_per;
+       priv->clk_src = clk_src;
+-      priv->devtype_data = devtype_data;
+       priv->reg_xceiver = reg_xceiver;
+-      if (devtype_data->quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_NR_IRQ_3) {
+               priv->irq_boff = platform_get_irq(pdev, 1);
+               if (priv->irq_boff <= 0) {
+                       err = -ENODEV;
+@@ -2218,7 +2218,7 @@ static int flexcan_probe(struct platform_device *pdev)
+               }
+       }
+-      if (priv->devtype_data->quirks & FLEXCAN_QUIRK_SUPPORT_FD) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_SUPPORT_FD) {
+               priv->can.ctrlmode_supported |= CAN_CTRLMODE_FD |
+                       CAN_CTRLMODE_FD_NON_ISO;
+               priv->can.bittiming_const = &flexcan_fd_bittiming_const;
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-flexcan-rename-rx-modes.patch b/queue-5.16/can-flexcan-rename-rx-modes.patch
new file mode 100644 (file)
index 0000000..4aae831
--- /dev/null
@@ -0,0 +1,200 @@
+From eb427f2e41807a013944661c3de450f06eb08d86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 12:45:46 +0100
+Subject: can: flexcan: rename RX modes
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 34ea4e1c99f1f177f87e4ae7896caef238dd741a ]
+
+Most flexcan IP cores support 2 RX modes:
+- FIFO
+- mailbox
+
+The names for these modes were chosen to reflect the name of the
+rx-offload mode they are using.
+
+The name of the RX modes should better reflect their difference with
+regards the flexcan IP core. So this patch renames the various
+occurrences of OFF_FIFO to RX_FIFO and OFF_TIMESTAMP to RX_MAILBOX:
+
+| FLEXCAN_TX_MB_RESERVED_OFF_FIFO -> FLEXCAN_TX_MB_RESERVED_RX_FIFO
+| FLEXCAN_TX_MB_RESERVED_OFF_TIMESTAMP -> FLEXCAN_TX_MB_RESERVED_RX_MAILBOX
+| FLEXCAN_QUIRK_USE_OFF_TIMESTAMP -> FLEXCAN_QUIRK_USE_RX_MAILBOX
+
+Link: https://lore.kernel.org/all/20220107193105.1699523-4-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 48 +++++++++++++++++++--------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index 26bf0a0a72f1d..ba52e70d6a166 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -173,9 +173,9 @@
+ /* FLEXCAN interrupt flag register (IFLAG) bits */
+ /* Errata ERR005829 step7: Reserve first valid MB */
+-#define FLEXCAN_TX_MB_RESERVED_OFF_FIFO               8
+-#define FLEXCAN_TX_MB_RESERVED_OFF_TIMESTAMP  0
+-#define FLEXCAN_RX_MB_OFF_TIMESTAMP_FIRST     (FLEXCAN_TX_MB_RESERVED_OFF_TIMESTAMP + 1)
++#define FLEXCAN_TX_MB_RESERVED_RX_FIFO        8
++#define FLEXCAN_TX_MB_RESERVED_RX_MAILBOX     0
++#define FLEXCAN_RX_MB_RX_MAILBOX_FIRST        (FLEXCAN_TX_MB_RESERVED_RX_MAILBOX + 1)
+ #define FLEXCAN_IFLAG_MB(x)           BIT_ULL(x)
+ #define FLEXCAN_IFLAG_RX_FIFO_OVERFLOW        BIT(7)
+ #define FLEXCAN_IFLAG_RX_FIFO_WARN    BIT(6)
+@@ -234,8 +234,8 @@
+ #define FLEXCAN_QUIRK_ENABLE_EACEN_RRS  BIT(3)
+ /* Disable non-correctable errors interrupt and freeze mode */
+ #define FLEXCAN_QUIRK_DISABLE_MECR BIT(4)
+-/* Use timestamp based offloading */
+-#define FLEXCAN_QUIRK_USE_OFF_TIMESTAMP BIT(5)
++/* Use mailboxes (not FIFO) for RX path */
++#define FLEXCAN_QUIRK_USE_RX_MAILBOX BIT(5)
+ /* No interrupt for error passive */
+ #define FLEXCAN_QUIRK_BROKEN_PERR_STATE BIT(6)
+ /* default to BE register access */
+@@ -406,38 +406,38 @@ static const struct flexcan_devtype_data fsl_imx28_devtype_data = {
+ static const struct flexcan_devtype_data fsl_imx6q_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+-              FLEXCAN_QUIRK_USE_OFF_TIMESTAMP | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
++              FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+               FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR,
+ };
+ static const struct flexcan_devtype_data fsl_imx8qm_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+-              FLEXCAN_QUIRK_USE_OFF_TIMESTAMP | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
++              FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+               FLEXCAN_QUIRK_SUPPORT_FD | FLEXCAN_QUIRK_SETUP_STOP_MODE_SCFW,
+ };
+ static struct flexcan_devtype_data fsl_imx8mp_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+-              FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP |
++              FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_RX_MAILBOX |
+               FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_SETUP_STOP_MODE_GPR |
+               FLEXCAN_QUIRK_SUPPORT_FD | FLEXCAN_QUIRK_SUPPORT_ECC,
+ };
+ static const struct flexcan_devtype_data fsl_vf610_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+-              FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP |
++              FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_RX_MAILBOX |
+               FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_SUPPORT_ECC,
+ };
+ static const struct flexcan_devtype_data fsl_ls1021a_r2_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+-              FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP,
++              FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_RX_MAILBOX,
+ };
+ static const struct flexcan_devtype_data fsl_lx2160a_r1_devtype_data = {
+       .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+               FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+-              FLEXCAN_QUIRK_USE_OFF_TIMESTAMP | FLEXCAN_QUIRK_SUPPORT_FD |
++              FLEXCAN_QUIRK_USE_RX_MAILBOX | FLEXCAN_QUIRK_SUPPORT_FD |
+               FLEXCAN_QUIRK_SUPPORT_ECC,
+ };
+@@ -1022,7 +1022,7 @@ static struct sk_buff *flexcan_mailbox_read(struct can_rx_offload *offload,
+       mb = flexcan_get_mb(priv, n);
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX) {
+               u32 code;
+               do {
+@@ -1087,7 +1087,7 @@ static struct sk_buff *flexcan_mailbox_read(struct can_rx_offload *offload,
+       }
+  mark_as_read:
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX)
+               flexcan_write64(priv, FLEXCAN_IFLAG_MB(n), &regs->iflag1);
+       else
+               priv->write(FLEXCAN_IFLAG_RX_FIFO_AVAILABLE, &regs->iflag1);
+@@ -1113,7 +1113,7 @@ static irqreturn_t flexcan_irq(int irq, void *dev_id)
+       enum can_state last_state = priv->can.state;
+       /* reception interrupt */
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX) {
+               u64 reg_iflag_rx;
+               int ret;
+@@ -1429,20 +1429,20 @@ static int flexcan_rx_offload_setup(struct net_device *dev)
+               priv->mb_count = (sizeof(priv->regs->mb[0]) / priv->mb_size) +
+                                (sizeof(priv->regs->mb[1]) / priv->mb_size);
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX)
+               priv->tx_mb_reserved =
+-                      flexcan_get_mb(priv, FLEXCAN_TX_MB_RESERVED_OFF_TIMESTAMP);
++                      flexcan_get_mb(priv, FLEXCAN_TX_MB_RESERVED_RX_MAILBOX);
+       else
+               priv->tx_mb_reserved =
+-                      flexcan_get_mb(priv, FLEXCAN_TX_MB_RESERVED_OFF_FIFO);
++                      flexcan_get_mb(priv, FLEXCAN_TX_MB_RESERVED_RX_FIFO);
+       priv->tx_mb_idx = priv->mb_count - 1;
+       priv->tx_mb = flexcan_get_mb(priv, priv->tx_mb_idx);
+       priv->tx_mask = FLEXCAN_IFLAG_MB(priv->tx_mb_idx);
+       priv->offload.mailbox_read = flexcan_mailbox_read;
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
+-              priv->offload.mb_first = FLEXCAN_RX_MB_OFF_TIMESTAMP_FIRST;
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX) {
++              priv->offload.mb_first = FLEXCAN_RX_MB_RX_MAILBOX_FIRST;
+               priv->offload.mb_last = priv->mb_count - 2;
+               priv->rx_mask = GENMASK_ULL(priv->offload.mb_last,
+@@ -1532,10 +1532,10 @@ static int flexcan_chip_start(struct net_device *dev)
+       /* MCR
+        *
+        * FIFO:
+-       * - disable for timestamp mode
++       * - disable for mailbox mode
+        * - enable for FIFO mode
+        */
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX)
+               reg_mcr &= ~FLEXCAN_MCR_FEN;
+       else
+               reg_mcr |= FLEXCAN_MCR_FEN;
+@@ -1631,7 +1631,7 @@ static int flexcan_chip_start(struct net_device *dev)
+               priv->write(reg_fdctrl, &regs->fdctrl);
+       }
+-      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP) {
++      if (priv->devtype_data.quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX) {
+               for (i = priv->offload.mb_first; i <= priv->offload.mb_last; i++) {
+                       mb = flexcan_get_mb(priv, i);
+                       priv->write(FLEXCAN_MB_CODE_RX_EMPTY,
+@@ -1639,7 +1639,7 @@ static int flexcan_chip_start(struct net_device *dev)
+               }
+       } else {
+               /* clear and invalidate unused mailboxes first */
+-              for (i = FLEXCAN_TX_MB_RESERVED_OFF_FIFO; i < priv->mb_count; i++) {
++              for (i = FLEXCAN_TX_MB_RESERVED_RX_FIFO; i < priv->mb_count; i++) {
+                       mb = flexcan_get_mb(priv, i);
+                       priv->write(FLEXCAN_MB_CODE_RX_INACTIVE,
+                                   &mb->can_ctrl);
+@@ -2164,7 +2164,7 @@ static int flexcan_probe(struct platform_device *pdev)
+               return -ENODEV;
+       if ((devtype_data->quirks & FLEXCAN_QUIRK_SUPPORT_FD) &&
+-          !(devtype_data->quirks & FLEXCAN_QUIRK_USE_OFF_TIMESTAMP)) {
++          !(devtype_data->quirks & FLEXCAN_QUIRK_USE_RX_MAILBOX)) {
+               dev_err(&pdev->dev, "CAN-FD mode doesn't work with FIFO mode!\n");
+               return -EINVAL;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-mcp251xfd-add-missing-newline-to-printed-strings.patch b/queue-5.16/can-mcp251xfd-add-missing-newline-to-printed-strings.patch
new file mode 100644 (file)
index 0000000..a32fa1e
--- /dev/null
@@ -0,0 +1,44 @@
+From 252040f95771b94c9a17cba34bf5cf7909c541ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 17:05:25 +0200
+Subject: can: mcp251xfd: add missing newline to printed strings
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 3bd9d8ce6f8c5c43ee2f1106021db0f98882cc75 ]
+
+This patch adds the missing newline to printed strings.
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Link: https://lore.kernel.org/all/20220105154300.1258636-4-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+index e16dc482f3270..63613c186f173 100644
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2625,7 +2625,7 @@ static int mcp251xfd_register_chip_detect(struct mcp251xfd_priv *priv)
+       if (!mcp251xfd_is_251X(priv) &&
+           priv->devtype_data.model != devtype_data->model) {
+               netdev_info(ndev,
+-                          "Detected %s, but firmware specifies a %s. Fixing up.",
++                          "Detected %s, but firmware specifies a %s. Fixing up.\n",
+                           __mcp251xfd_get_model_str(devtype_data->model),
+                           mcp251xfd_get_model_str(priv));
+       }
+@@ -2662,7 +2662,7 @@ static int mcp251xfd_register_check_rx_int(struct mcp251xfd_priv *priv)
+               return 0;
+       netdev_info(priv->ndev,
+-                  "RX_INT active after softreset, disabling RX_INT support.");
++                  "RX_INT active after softreset, disabling RX_INT support.\n");
+       devm_gpiod_put(&priv->spi->dev, priv->rx_int);
+       priv->rx_int = NULL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-rcar_canfd-rcar_canfd_channel_probe-make-sure-we.patch b/queue-5.16/can-rcar_canfd-rcar_canfd_channel_probe-make-sure-we.patch
new file mode 100644 (file)
index 0000000..011ecf4
--- /dev/null
@@ -0,0 +1,54 @@
+From 51ca8ef58baff7bf8f6d86501c06dd2df4d4ee46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 11:48:00 +0000
+Subject: can: rcar_canfd: rcar_canfd_channel_probe(): make sure we free CAN
+ network device
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 72b1e360572f9fa7d08ee554f1da29abce23f288 ]
+
+Make sure we free CAN network device in the error path. There are
+several jumps to fail label after allocating the CAN network device
+successfully. This patch places the free_candev() under fail label so
+that in failure path a jump to fail label frees the CAN network
+device.
+
+Fixes: 76e9353a80e9 ("can: rcar_canfd: Add support for RZ/G2L family")
+Link: https://lore.kernel.org/all/20220106114801.20563-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Reported-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/rcar/rcar_canfd.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/rcar/rcar_canfd.c b/drivers/net/can/rcar/rcar_canfd.c
+index ff9d0f5ae0dd2..388521e70837f 100644
+--- a/drivers/net/can/rcar/rcar_canfd.c
++++ b/drivers/net/can/rcar/rcar_canfd.c
+@@ -1640,8 +1640,7 @@ static int rcar_canfd_channel_probe(struct rcar_canfd_global *gpriv, u32 ch,
+       ndev = alloc_candev(sizeof(*priv), RCANFD_FIFO_DEPTH);
+       if (!ndev) {
+               dev_err(&pdev->dev, "alloc_candev() failed\n");
+-              err = -ENOMEM;
+-              goto fail;
++              return -ENOMEM;
+       }
+       priv = netdev_priv(ndev);
+@@ -1735,8 +1734,8 @@ static int rcar_canfd_channel_probe(struct rcar_canfd_global *gpriv, u32 ch,
+ fail_candev:
+       netif_napi_del(&priv->napi);
+-      free_candev(ndev);
+ fail:
++      free_candev(ndev);
+       return err;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-softing-softing_startstop-fix-set-but-not-used-v.patch b/queue-5.16/can-softing-softing_startstop-fix-set-but-not-used-v.patch
new file mode 100644 (file)
index 0000000..bbfc353
--- /dev/null
@@ -0,0 +1,63 @@
+From dd00ae6803ba5ca64987bb10952223d34a3e4749 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jan 2022 21:57:51 +0100
+Subject: can: softing: softing_startstop(): fix set but not used variable
+ warning
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 370d988cc529598ebaec6487d4f84c2115dc696b ]
+
+In the function softing_startstop() the variable error_reporting is
+assigned but not used. The code that uses this variable is commented
+out. Its stated that the functionality is not finally verified.
+
+To fix the warning:
+
+| drivers/net/can/softing/softing_fw.c:424:9: error: variable 'error_reporting' set but not used [-Werror,-Wunused-but-set-variable]
+
+remove the comment, activate the code, but add a "0 &&" to the if
+expression and rely on the optimizer rather than the preprocessor to
+remove the code.
+
+Link: https://lore.kernel.org/all/20220109103126.1872833-1-mkl@pengutronix.de
+Fixes: 03fd3cf5a179 ("can: add driver for Softing card")
+Cc: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/softing/softing_fw.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c
+index 7e15368779931..32286f861a195 100644
+--- a/drivers/net/can/softing/softing_fw.c
++++ b/drivers/net/can/softing/softing_fw.c
+@@ -565,18 +565,19 @@ int softing_startstop(struct net_device *dev, int up)
+               if (ret < 0)
+                       goto failed;
+       }
+-      /* enable_error_frame */
+-      /*
++
++      /* enable_error_frame
++       *
+        * Error reporting is switched off at the moment since
+        * the receiving of them is not yet 100% verified
+        * This should be enabled sooner or later
+-       *
+-      if (error_reporting) {
++       */
++      if (0 && error_reporting) {
+               ret = softing_fct_cmd(card, 51, "enable_error_frame");
+               if (ret < 0)
+                       goto failed;
+       }
+-      */
++
+       /* initialize interface */
+       iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]);
+       iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 4]);
+-- 
+2.34.1
+
diff --git a/queue-5.16/can-xilinx_can-xcan_probe-check-for-error-irq.patch b/queue-5.16/can-xilinx_can-xcan_probe-check-for-error-irq.patch
new file mode 100644 (file)
index 0000000..c769288
--- /dev/null
@@ -0,0 +1,48 @@
+From fe7c4b1f7949e86ee33523f17a72e466aece5364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 10:13:24 +0800
+Subject: can: xilinx_can: xcan_probe(): check for error irq
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit c6564c13dae25cd7f8e1de5127b4da4500ee5844 ]
+
+For the possible failure of the platform_get_irq(), the returned irq
+could be error number and will finally cause the failure of the
+request_irq().
+
+Consider that platform_get_irq() can now in certain cases return
+-EPROBE_DEFER, and the consequences of letting request_irq()
+effectively convert that into -EINVAL, even at probe time rather than
+later on. So it might be better to check just now.
+
+Fixes: b1201e44f50b ("can: xilinx CAN controller support")
+Link: https://lore.kernel.org/all/20211224021324.1447494-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/xilinx_can.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
+index e2b15d29d15eb..af4a2adc85983 100644
+--- a/drivers/net/can/xilinx_can.c
++++ b/drivers/net/can/xilinx_can.c
+@@ -1761,7 +1761,12 @@ static int xcan_probe(struct platform_device *pdev)
+       spin_lock_init(&priv->tx_lock);
+       /* Get IRQ for the device */
+-      ndev->irq = platform_get_irq(pdev, 0);
++      ret = platform_get_irq(pdev, 0);
++      if (ret < 0)
++              goto err_free;
++
++      ndev->irq = ret;
++
+       ndev->flags |= IFF_ECHO;        /* We support local echo */
+       platform_set_drvdata(pdev, ndev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch b/queue-5.16/cgroup-trace-event-cgroup-id-fields-should-be-u64.patch
new file mode 100644 (file)
index 0000000..1b04870
--- /dev/null
@@ -0,0 +1,86 @@
+From a908f622e0083053ec43d32090b35c96906e27e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 09:56:58 -0700
+Subject: cgroup: Trace event cgroup id fields should be u64
+
+From: William Kucharski <william.kucharski@oracle.com>
+
+[ Upstream commit e14da77113bb890d7bf9e5d17031bdd476a7ce5e ]
+
+Various trace event fields that store cgroup IDs were declared as
+ints, but cgroup_id(() returns a u64 and the structures and associated
+TP_printk() calls were not updated to reflect this.
+
+Fixes: 743210386c03 ("cgroup: use cgrp->kn->id as the cgroup ID")
+Signed-off-by: William Kucharski <william.kucharski@oracle.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/cgroup.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/include/trace/events/cgroup.h b/include/trace/events/cgroup.h
+index 7f42a3de59e6b..dd7d7c9efecdf 100644
+--- a/include/trace/events/cgroup.h
++++ b/include/trace/events/cgroup.h
+@@ -59,8 +59,8 @@ DECLARE_EVENT_CLASS(cgroup,
+       TP_STRUCT__entry(
+               __field(        int,            root                    )
+-              __field(        int,            id                      )
+               __field(        int,            level                   )
++              __field(        u64,            id                      )
+               __string(       path,           path                    )
+       ),
+@@ -71,7 +71,7 @@ DECLARE_EVENT_CLASS(cgroup,
+               __assign_str(path, path);
+       ),
+-      TP_printk("root=%d id=%d level=%d path=%s",
++      TP_printk("root=%d id=%llu level=%d path=%s",
+                 __entry->root, __entry->id, __entry->level, __get_str(path))
+ );
+@@ -126,8 +126,8 @@ DECLARE_EVENT_CLASS(cgroup_migrate,
+       TP_STRUCT__entry(
+               __field(        int,            dst_root                )
+-              __field(        int,            dst_id                  )
+               __field(        int,            dst_level               )
++              __field(        u64,            dst_id                  )
+               __field(        int,            pid                     )
+               __string(       dst_path,       path                    )
+               __string(       comm,           task->comm              )
+@@ -142,7 +142,7 @@ DECLARE_EVENT_CLASS(cgroup_migrate,
+               __assign_str(comm, task->comm);
+       ),
+-      TP_printk("dst_root=%d dst_id=%d dst_level=%d dst_path=%s pid=%d comm=%s",
++      TP_printk("dst_root=%d dst_id=%llu dst_level=%d dst_path=%s pid=%d comm=%s",
+                 __entry->dst_root, __entry->dst_id, __entry->dst_level,
+                 __get_str(dst_path), __entry->pid, __get_str(comm))
+ );
+@@ -171,8 +171,8 @@ DECLARE_EVENT_CLASS(cgroup_event,
+       TP_STRUCT__entry(
+               __field(        int,            root                    )
+-              __field(        int,            id                      )
+               __field(        int,            level                   )
++              __field(        u64,            id                      )
+               __string(       path,           path                    )
+               __field(        int,            val                     )
+       ),
+@@ -185,7 +185,7 @@ DECLARE_EVENT_CLASS(cgroup_event,
+               __entry->val = val;
+       ),
+-      TP_printk("root=%d id=%d level=%d path=%s val=%d",
++      TP_printk("root=%d id=%llu level=%d path=%s val=%d",
+                 __entry->root, __entry->id, __entry->level, __get_str(path),
+                 __entry->val)
+ );
+-- 
+2.34.1
+
diff --git a/queue-5.16/char-mwave-adjust-io-port-register-size.patch b/queue-5.16/char-mwave-adjust-io-port-register-size.patch
new file mode 100644 (file)
index 0000000..c8ba386
--- /dev/null
@@ -0,0 +1,51 @@
+From ca8b6e8387dc96aaa444b1fab2ad9b9c5926a286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 00:42:06 -0800
+Subject: char/mwave: Adjust io port register size
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit f5912cc19acd7c24b2dbf65a6340bf194244f085 ]
+
+Using MKWORD() on a byte-sized variable results in OOB read. Expand the
+size of the reserved area so both MKWORD and MKBYTE continue to work
+without overflow. Silences this warning on a -Warray-bounds build:
+
+drivers/char/mwave/3780i.h:346:22: error: array subscript 'short unsigned int[0]' is partly outside array bounds of 'DSP_ISA_SLAVE_CONTROL[1]' [-Werror=array-bounds]
+  346 | #define MKWORD(var) (*((unsigned short *)(&var)))
+      |                     ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/char/mwave/3780i.h:356:40: note: in definition of macro 'OutWordDsp'
+  356 | #define OutWordDsp(index,value)   outw(value,usDspBaseIO+index)
+      |                                        ^~~~~
+drivers/char/mwave/3780i.c:373:41: note: in expansion of macro 'MKWORD'
+  373 |         OutWordDsp(DSP_IsaSlaveControl, MKWORD(rSlaveControl));
+      |                                         ^~~~~~
+drivers/char/mwave/3780i.c:358:31: note: while referencing 'rSlaveControl'
+  358 |         DSP_ISA_SLAVE_CONTROL rSlaveControl;
+      |                               ^~~~~~~~~~~~~
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20211203084206.3104326-1-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/mwave/3780i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h
+index 9ccb6b270b071..95164246afd1a 100644
+--- a/drivers/char/mwave/3780i.h
++++ b/drivers/char/mwave/3780i.h
+@@ -68,7 +68,7 @@ typedef struct {
+       unsigned char ClockControl:1;   /* RW: Clock control: 0=normal, 1=stop 3780i clocks */
+       unsigned char SoftReset:1;      /* RW: Soft reset 0=normal, 1=soft reset active */
+       unsigned char ConfigMode:1;     /* RW: Configuration mode, 0=normal, 1=config mode */
+-      unsigned char Reserved:5;       /* 0: Reserved */
++      unsigned short Reserved:13;     /* 0: Reserved */
+ } DSP_ISA_SLAVE_CONTROL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-bcm-2835-pick-the-closest-clock-rate.patch b/queue-5.16/clk-bcm-2835-pick-the-closest-clock-rate.patch
new file mode 100644 (file)
index 0000000..6262db1
--- /dev/null
@@ -0,0 +1,46 @@
+From a0154eda8ddc9769818804d8c2d6d83eb28caa6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 14:54:15 +0200
+Subject: clk: bcm-2835: Pick the closest clock rate
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 5517357a4733d7cf7c17fc79d0530cfa47add372 ]
+
+The driver currently tries to pick the closest rate that is lower than
+the rate being requested.
+
+This causes an issue with clk_set_min_rate() since it actively checks
+for the rounded rate to be above the minimum that was just set.
+
+Let's change the logic a bit to pick the closest rate to the requested
+rate, no matter if it's actually higher or lower.
+
+Fixes: 6d18b8adbe67 ("clk: bcm2835: Support for clock parent selection")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Reviewed-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Nicolas Saenz Julienne <nsaenz@kernel.org> # boot and basic functionality
+Tested-by: Michael Stapelberg <michael@stapelberg.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-2-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index a254512965eb8..bf97b2b2a63f8 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -1216,7 +1216,7 @@ static int bcm2835_clock_determine_rate(struct clk_hw *hw,
+               rate = bcm2835_clock_choose_div_and_prate(hw, i, req->rate,
+                                                         &div, &prate,
+                                                         &avgrate);
+-              if (rate > best_rate && rate <= req->rate) {
++              if (abs(req->rate - rate) < abs(req->rate - best_rate)) {
+                       best_parent = parent;
+                       best_prate = prate;
+                       best_rate = rate;
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-bcm-2835-remove-rounding-up-the-dividers.patch b/queue-5.16/clk-bcm-2835-remove-rounding-up-the-dividers.patch
new file mode 100644 (file)
index 0000000..3871d70
--- /dev/null
@@ -0,0 +1,82 @@
+From 5f4a2e2c58574ce9c27cce5799e529fc872a2f1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 14:54:16 +0200
+Subject: clk: bcm-2835: Remove rounding up the dividers
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 8ca011ef4af48a7af7b15afd8a4a44039dd04cea ]
+
+The driver, once it found a divider, tries to round it up by increasing
+the least significant bit of the fractional part by one when the
+round_up argument is set and there's a remainder.
+
+However, since it increases the divider it will actually reduce the
+clock rate below what we were asking for, leading to issues with
+clk_set_min_rate() that will complain that our rounded clock rate is
+below the minimum of the rate.
+
+Since the dividers are fairly precise already, let's remove that part so
+that we can have clk_set_min_rate() working.
+
+This is effectively a revert of 9c95b32ca093 ("clk: bcm2835: add a round
+up ability to the clock divisor").
+
+Fixes: 9c95b32ca093 ("clk: bcm2835: add a round up ability to the clock divisor")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Reviewed-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Nicolas Saenz Julienne <nsaenz@kernel.org> # boot and basic functionality
+Tested-by: Michael Stapelberg <michael@stapelberg.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-3-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index bf97b2b2a63f8..3667b4d731e71 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -932,8 +932,7 @@ static int bcm2835_clock_is_on(struct clk_hw *hw)
+ static u32 bcm2835_clock_choose_div(struct clk_hw *hw,
+                                   unsigned long rate,
+-                                  unsigned long parent_rate,
+-                                  bool round_up)
++                                  unsigned long parent_rate)
+ {
+       struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw);
+       const struct bcm2835_clock_data *data = clock->data;
+@@ -945,10 +944,6 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw,
+       rem = do_div(temp, rate);
+       div = temp;
+-
+-      /* Round up and mask off the unused bits */
+-      if (round_up && ((div & unused_frac_mask) != 0 || rem != 0))
+-              div += unused_frac_mask + 1;
+       div &= ~unused_frac_mask;
+       /* different clamping limits apply for a mash clock */
+@@ -1079,7 +1074,7 @@ static int bcm2835_clock_set_rate(struct clk_hw *hw,
+       struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw);
+       struct bcm2835_cprman *cprman = clock->cprman;
+       const struct bcm2835_clock_data *data = clock->data;
+-      u32 div = bcm2835_clock_choose_div(hw, rate, parent_rate, false);
++      u32 div = bcm2835_clock_choose_div(hw, rate, parent_rate);
+       u32 ctl;
+       spin_lock(&cprman->regs_lock);
+@@ -1130,7 +1125,7 @@ static unsigned long bcm2835_clock_choose_div_and_prate(struct clk_hw *hw,
+       if (!(BIT(parent_idx) & data->set_rate_parent)) {
+               *prate = clk_hw_get_rate(parent);
+-              *div = bcm2835_clock_choose_div(hw, rate, *prate, true);
++              *div = bcm2835_clock_choose_div(hw, rate, *prate);
+               *avgrate = bcm2835_clock_rate_from_divisor(clock, *prate, *div);
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-bm1880-remove-kfrees-on-static-allocations.patch b/queue-5.16/clk-bm1880-remove-kfrees-on-static-allocations.patch
new file mode 100644 (file)
index 0000000..b4a75a2
--- /dev/null
@@ -0,0 +1,84 @@
+From e0b8d9618b876f73168f9cdd37788f0c24e74939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 15:42:44 +0000
+Subject: clk: bm1880: remove kfrees on static allocations
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit c861c1be3897845313a0df47804b1db37c7052e1 ]
+
+bm1880_clk_unregister_pll & bm1880_clk_unregister_div both try to
+free statically allocated variables, so remove those kfrees.
+
+For example, if we take L703 kfree(div_hw):
+- div_hw is a bm1880_div_hw_clock pointer
+- in bm1880_clk_register_plls this is pointed to an element of arg1:
+  struct bm1880_div_hw_clock *clks
+- in the probe, where bm1880_clk_register_plls is called arg1 is
+  bm1880_div_clks, defined on L371:
+  static struct bm1880_div_hw_clock bm1880_div_clks[]
+
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Fixes: 1ab4601da55b ("clk: Add common clock driver for BM1880 SoC")
+Link: https://lore.kernel.org/r/20211223154244.1024062-1-conor.dooley@microchip.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-bm1880.c | 20 ++------------------
+ 1 file changed, 2 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/clk/clk-bm1880.c b/drivers/clk/clk-bm1880.c
+index e6d6599d310a1..fad78a22218e8 100644
+--- a/drivers/clk/clk-bm1880.c
++++ b/drivers/clk/clk-bm1880.c
+@@ -522,14 +522,6 @@ static struct clk_hw *bm1880_clk_register_pll(struct bm1880_pll_hw_clock *pll_cl
+       return hw;
+ }
+-static void bm1880_clk_unregister_pll(struct clk_hw *hw)
+-{
+-      struct bm1880_pll_hw_clock *pll_hw = to_bm1880_pll_clk(hw);
+-
+-      clk_hw_unregister(hw);
+-      kfree(pll_hw);
+-}
+-
+ static int bm1880_clk_register_plls(struct bm1880_pll_hw_clock *clks,
+                                   int num_clks,
+                                   struct bm1880_clock_data *data)
+@@ -555,7 +547,7 @@ static int bm1880_clk_register_plls(struct bm1880_pll_hw_clock *clks,
+ err_clk:
+       while (i--)
+-              bm1880_clk_unregister_pll(data->hw_data.hws[clks[i].pll.id]);
++              clk_hw_unregister(data->hw_data.hws[clks[i].pll.id]);
+       return PTR_ERR(hw);
+ }
+@@ -695,14 +687,6 @@ static struct clk_hw *bm1880_clk_register_div(struct bm1880_div_hw_clock *div_cl
+       return hw;
+ }
+-static void bm1880_clk_unregister_div(struct clk_hw *hw)
+-{
+-      struct bm1880_div_hw_clock *div_hw = to_bm1880_div_clk(hw);
+-
+-      clk_hw_unregister(hw);
+-      kfree(div_hw);
+-}
+-
+ static int bm1880_clk_register_divs(struct bm1880_div_hw_clock *clks,
+                                   int num_clks,
+                                   struct bm1880_clock_data *data)
+@@ -729,7 +713,7 @@ static int bm1880_clk_register_divs(struct bm1880_div_hw_clock *clks,
+ err_clk:
+       while (i--)
+-              bm1880_clk_unregister_div(data->hw_data.hws[clks[i].div.id]);
++              clk_hw_unregister(data->hw_data.hws[clks[i].div.id]);
+       return PTR_ERR(hw);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-imx8mn-fix-imx8mn_clko1_sels.patch b/queue-5.16/clk-imx8mn-fix-imx8mn_clko1_sels.patch
new file mode 100644 (file)
index 0000000..ff6028a
--- /dev/null
@@ -0,0 +1,50 @@
+From 5f26962b65c8019db80e22a01e70537c00f8adc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 07:32:02 -0600
+Subject: clk: imx8mn: Fix imx8mn_clko1_sels
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 570727e9acfac1c2330a01dd5e1272e9c3acec08 ]
+
+When attempting to use sys_pll1_80m as the parent for clko1, the
+system hangs.  This is due to the fact that the source select
+for sys_pll1_80m was incorrectly pointing to m7_alt_pll_clk, which
+doesn't yet exist.
+
+According to Rev 3 of the TRM, The imx8mn_clko1_sels also incorrectly
+references an osc_27m which does not exist, nor does an entry for
+source select bits 010b.  Fix both by inserting a dummy clock into
+the missing space in the table and renaming the incorrectly name clock
+with dummy.
+
+Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Link: https://lore.kernel.org/r/20211117133202.775633-1-aford173@gmail.com
+Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mn.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index c55577604e16a..021355a247081 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -277,9 +277,9 @@ static const char * const imx8mn_pdm_sels[] = {"osc_24m", "sys_pll2_100m", "audi
+ static const char * const imx8mn_dram_core_sels[] = {"dram_pll_out", "dram_alt_root", };
+-static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "osc_27m",
+-                                               "sys_pll1_200m", "audio_pll2_out", "vpu_pll",
+-                                               "sys_pll1_80m", };
++static const char * const imx8mn_clko1_sels[] = {"osc_24m", "sys_pll1_800m", "dummy",
++                                               "sys_pll1_200m", "audio_pll2_out", "sys_pll2_500m",
++                                               "dummy", "sys_pll1_80m", };
+ static const char * const imx8mn_clko2_sels[] = {"osc_24m", "sys_pll2_200m", "sys_pll1_400m",
+                                                "sys_pll2_166m", "sys_pll3_out", "audio_pll1_out",
+                                                "video_pll1_out", "osc_32k", };
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch b/queue-5.16/clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch
new file mode 100644 (file)
index 0000000..39d3fdb
--- /dev/null
@@ -0,0 +1,144 @@
+From 514b835fc3efcb61354f0efefa15db23d2effb7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 14:50:06 +0100
+Subject: clk: meson: gxbb: Fix the SDM_EN bit for MPLL0 on GXBB
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit ff54938dd190d85f740b9bf9dde59b550936b621 ]
+
+There are reports that 48kHz audio does not work on the WeTek Play 2
+(which uses a GXBB SoC), while 44.1kHz audio works fine on the same
+board. There are also reports of 48kHz audio working fine on GXL and
+GXM SoCs, which are using an (almost) identical AIU (audio controller).
+
+Experimenting has shown that MPLL0 is causing this problem. In the .dts
+we have by default:
+       assigned-clocks = <&clkc CLKID_MPLL0>,
+                         <&clkc CLKID_MPLL1>,
+                         <&clkc CLKID_MPLL2>;
+       assigned-clock-rates = <294912000>,
+                              <270950400>,
+                              <393216000>;
+The MPLL0 rate is divisible by 48kHz without remainder and the MPLL1
+rate is divisible by 44.1kHz without remainder. Swapping these two clock
+rates "fixes" 48kHz audio but breaks 44.1kHz audio.
+
+Everything looks normal when looking at the info provided by the common
+clock framework while playing 48kHz audio (via I2S with mclk-fs = 256):
+        mpll_prediv                 1        1        0  2000000000
+           mpll0_div                1        1        0   294909641
+              mpll0                 1        1        0   294909641
+                 cts_amclk_sel       1        1        0   294909641
+                    cts_amclk_div       1        1        0    12287902
+                       cts_amclk       1        1        0    12287902
+
+meson-clk-msr however shows that the actual MPLL0 clock is off by more
+than 38MHz:
+        mp0_out               333322917    +/-10416Hz
+
+The rate seen by meson-clk-msr is very close to what we would get when
+SDM (the fractional part) was ignored:
+  (2000000000Hz * 16384) / ((16384 * 6) = 333.33MHz
+If SDM was considered the we should get close to:
+  (2000000000Hz * 16384) / ((16384 * 6) + 12808) = 294.9MHz
+
+Further experimenting shows that HHI_MPLL_CNTL7[15] does not have any
+effect on the rate of MPLL0 as seen my meson-clk-msr (regardless of
+whether that bit is zero or one the rate is always the same according to
+meson-clk-msr). Using HHI_MPLL_CNTL[25] on the other hand as SDM_EN
+results in SDM being considered for the rate output by the hardware. The
+rate - as seen by meson-clk-msr - matches with what we expect when
+SDM_EN is enabled (fractional part is being considered, resulting in a
+294.9MHz output) or disable (fractional part being ignored, resulting in
+a 333.33MHz output).
+
+Reported-by: Christian Hewitt <christianshewitt@gmail.com>
+Tested-by: Christian Hewitt <christianshewitt@gmail.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20211031135006.1508796-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/gxbb.c | 44 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 41 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
+index d6eed760327d0..608e0e8ca49a8 100644
+--- a/drivers/clk/meson/gxbb.c
++++ b/drivers/clk/meson/gxbb.c
+@@ -713,6 +713,35 @@ static struct clk_regmap gxbb_mpll_prediv = {
+ };
+ static struct clk_regmap gxbb_mpll0_div = {
++      .data = &(struct meson_clk_mpll_data){
++              .sdm = {
++                      .reg_off = HHI_MPLL_CNTL7,
++                      .shift   = 0,
++                      .width   = 14,
++              },
++              .sdm_en = {
++                      .reg_off = HHI_MPLL_CNTL,
++                      .shift   = 25,
++                      .width   = 1,
++              },
++              .n2 = {
++                      .reg_off = HHI_MPLL_CNTL7,
++                      .shift   = 16,
++                      .width   = 9,
++              },
++              .lock = &meson_clk_lock,
++      },
++      .hw.init = &(struct clk_init_data){
++              .name = "mpll0_div",
++              .ops = &meson_clk_mpll_ops,
++              .parent_hws = (const struct clk_hw *[]) {
++                      &gxbb_mpll_prediv.hw
++              },
++              .num_parents = 1,
++      },
++};
++
++static struct clk_regmap gxl_mpll0_div = {
+       .data = &(struct meson_clk_mpll_data){
+               .sdm = {
+                       .reg_off = HHI_MPLL_CNTL7,
+@@ -749,7 +778,16 @@ static struct clk_regmap gxbb_mpll0 = {
+       .hw.init = &(struct clk_init_data){
+               .name = "mpll0",
+               .ops = &clk_regmap_gate_ops,
+-              .parent_hws = (const struct clk_hw *[]) { &gxbb_mpll0_div.hw },
++              .parent_data = &(const struct clk_parent_data) {
++                      /*
++                       * Note:
++                       * GXL and GXBB have different SDM_EN registers. We
++                       * fallback to the global naming string mechanism so
++                       * mpll0_div picks up the appropriate one.
++                       */
++                      .name = "mpll0_div",
++                      .index = -1,
++              },
+               .num_parents = 1,
+               .flags = CLK_SET_RATE_PARENT,
+       },
+@@ -3044,7 +3082,7 @@ static struct clk_hw_onecell_data gxl_hw_onecell_data = {
+               [CLKID_VAPB_1]              = &gxbb_vapb_1.hw,
+               [CLKID_VAPB_SEL]            = &gxbb_vapb_sel.hw,
+               [CLKID_VAPB]                = &gxbb_vapb.hw,
+-              [CLKID_MPLL0_DIV]           = &gxbb_mpll0_div.hw,
++              [CLKID_MPLL0_DIV]           = &gxl_mpll0_div.hw,
+               [CLKID_MPLL1_DIV]           = &gxbb_mpll1_div.hw,
+               [CLKID_MPLL2_DIV]           = &gxbb_mpll2_div.hw,
+               [CLKID_MPLL_PREDIV]         = &gxbb_mpll_prediv.hw,
+@@ -3439,7 +3477,7 @@ static struct clk_regmap *const gxl_clk_regmaps[] = {
+       &gxbb_mpll0,
+       &gxbb_mpll1,
+       &gxbb_mpll2,
+-      &gxbb_mpll0_div,
++      &gxl_mpll0_div,
+       &gxbb_mpll1_div,
+       &gxbb_mpll2_div,
+       &gxbb_cts_amclk_div,
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-qcom-gcc-sc7280-mark-gcc_cfg_noc_lpass_clk-alway.patch b/queue-5.16/clk-qcom-gcc-sc7280-mark-gcc_cfg_noc_lpass_clk-alway.patch
new file mode 100644 (file)
index 0000000..64e9f2a
--- /dev/null
@@ -0,0 +1,37 @@
+From 90ce2b084170a77a4e799c5c81107284e46689fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 22:13:56 +0530
+Subject: clk: qcom: gcc-sc7280: Mark gcc_cfg_noc_lpass_clk always enabled
+
+From: Taniya Das <tdas@codeaurora.org>
+
+[ Upstream commit 9c337073d9d81a145434b22f42dc3128ecd17730 ]
+
+The gcc cfg noc lpass clock is required to be always enabled for the
+LPASS core and audio drivers to be functional.
+
+Fixes: a3cc092196ef ("clk: qcom: Add Global Clock controller (GCC) driver for SC7280")
+Signed-off-by: Taniya Das <tdas@codeaurora.org>
+Link: https://lore.kernel.org/r/1640018638-19436-4-git-send-email-tdas@codeaurora.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sc7280.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-sc7280.c b/drivers/clk/qcom/gcc-sc7280.c
+index 8fb6bd69f240e..423627d49719c 100644
+--- a/drivers/clk/qcom/gcc-sc7280.c
++++ b/drivers/clk/qcom/gcc-sc7280.c
+@@ -2917,7 +2917,7 @@ static struct clk_branch gcc_cfg_noc_lpass_clk = {
+               .enable_mask = BIT(0),
+               .hw.init = &(struct clk_init_data){
+                       .name = "gcc_cfg_noc_lpass_clk",
+-                      .ops = &clk_branch2_ops,
++                      .ops = &clk_branch2_aon_ops,
+               },
+       },
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-renesas-rzg2l-check-return-value-of-pm_genpd_ini.patch b/queue-5.16/clk-renesas-rzg2l-check-return-value-of-pm_genpd_ini.patch
new file mode 100644 (file)
index 0000000..f068026
--- /dev/null
@@ -0,0 +1,61 @@
+From 5512aebb26e5a89a17e3105cb493173991614358 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 11:50:58 +0000
+Subject: clk: renesas: rzg2l: Check return value of pm_genpd_init()
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 27527a3d3b162e4512798c058c0e8a216c721187 ]
+
+Make sure we check the return value of pm_genpd_init() which might fail.
+Also add a devres action to remove the power-domain in-case the probe
+callback fails further down in the code flow.
+
+Fixes: ef3c613ccd68a ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/r/20211117115101.28281-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/rzg2l-cpg.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
+index 4021f6cabda4b..4f04ff57d468a 100644
+--- a/drivers/clk/renesas/rzg2l-cpg.c
++++ b/drivers/clk/renesas/rzg2l-cpg.c
+@@ -850,10 +850,16 @@ static void rzg2l_cpg_detach_dev(struct generic_pm_domain *unused, struct device
+               pm_clk_destroy(dev);
+ }
++static void rzg2l_cpg_genpd_remove(void *data)
++{
++      pm_genpd_remove(data);
++}
++
+ static int __init rzg2l_cpg_add_clk_domain(struct device *dev)
+ {
+       struct device_node *np = dev->of_node;
+       struct generic_pm_domain *genpd;
++      int ret;
+       genpd = devm_kzalloc(dev, sizeof(*genpd), GFP_KERNEL);
+       if (!genpd)
+@@ -864,7 +870,13 @@ static int __init rzg2l_cpg_add_clk_domain(struct device *dev)
+                      GENPD_FLAG_ACTIVE_WAKEUP;
+       genpd->attach_dev = rzg2l_cpg_attach_dev;
+       genpd->detach_dev = rzg2l_cpg_detach_dev;
+-      pm_genpd_init(genpd, &pm_domain_always_on_gov, false);
++      ret = pm_genpd_init(genpd, &pm_domain_always_on_gov, false);
++      if (ret)
++              return ret;
++
++      ret = devm_add_action_or_reset(dev, rzg2l_cpg_genpd_remove, genpd);
++      if (ret)
++              return ret;
+       of_genpd_add_provider_simple(np, genpd);
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-renesas-rzg2l-propagate-return-value-of_genpd_ad.patch b/queue-5.16/clk-renesas-rzg2l-propagate-return-value-of_genpd_ad.patch
new file mode 100644 (file)
index 0000000..0c56ae1
--- /dev/null
@@ -0,0 +1,40 @@
+From 0449bb223da575c15b3d084fff55afcfe63ee6b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 11:50:59 +0000
+Subject: clk: renesas: rzg2l: propagate return value
+ of_genpd_add_provider_simple()
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 33748744f15a110a233b6ae0380f476006e770f0 ]
+
+of_genpd_add_provider_simple() might fail, this patch makes sure we check
+the return value of of_genpd_add_provider_simple() by propagating the
+return value to the caller of rzg2l_cpg_add_clk_domain().
+
+Fixes: ef3c613ccd68a ("clk: renesas: Add CPG core wrapper for RZ/G2L SoC")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/r/20211117115101.28281-3-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/rzg2l-cpg.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
+index 4f04ff57d468a..aafd1879ff562 100644
+--- a/drivers/clk/renesas/rzg2l-cpg.c
++++ b/drivers/clk/renesas/rzg2l-cpg.c
+@@ -878,8 +878,7 @@ static int __init rzg2l_cpg_add_clk_domain(struct device *dev)
+       if (ret)
+               return ret;
+-      of_genpd_add_provider_simple(np, genpd);
+-      return 0;
++      return of_genpd_add_provider_simple(np, genpd);
+ }
+ static int __init rzg2l_cpg_probe(struct platform_device *pdev)
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-samsung-exynos850-register-clocks-early.patch b/queue-5.16/clk-samsung-exynos850-register-clocks-early.patch
new file mode 100644 (file)
index 0000000..355d8e2
--- /dev/null
@@ -0,0 +1,155 @@
+From 6af1fc7bfc32f2408ba47fe2ebecd551e687b2bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 16:42:06 +0200
+Subject: clk: samsung: exynos850: Register clocks early
+
+From: Sam Protsenko <semen.protsenko@linaro.org>
+
+[ Upstream commit bcda841f9bf2cddcf2f000cba96f2e27f6f2bdbf ]
+
+Some clocks must be registered before init calls. For example MCT clock
+(from CMU_PERI) is needed for MCT timer driver, which is registered
+with TIMER_OF_DECLARE(). By the time we get to core_initcall() used for
+clk-exynos850 platform driver init, it's already too late. Inability to
+get "mct" clock in MCT driver leads to kernel panic, as functions
+registered with *_OF_DECLARE() can't do deferred calls. MCT timer driver
+can't be fixed either, as it's acting as a clock source and it's
+essential to register it in start_kernel() -> time_init().
+
+Let's register CMU_PERI clocks early, using CLK_OF_DECLARE(). CMU_TOP
+generates clocks needed for CMU_PERI, but it's already registered early.
+
+While at it, let's cleanup the code a bit, by extracting everything
+related to CMU initialization and registration to the separate function.
+
+Similar issue was discussed at [1] and addressed in commit 1f7db7bbf031
+("clk: renesas: cpg-mssr: Add early clock support"), as well as in
+drivers/clk/mediatek/clk-mt2712.c.
+
+[1] https://patchwork.kernel.org/project/linux-renesas-soc/patch/20180829132954.64862-2-chris.brandt@renesas.com/
+
+Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20211122144206.23134-1-semen.protsenko@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk-exynos850.c | 70 ++++++++++++++++++++---------
+ 1 file changed, 49 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/clk/samsung/clk-exynos850.c b/drivers/clk/samsung/clk-exynos850.c
+index 2294989e244c5..79cce8ba88831 100644
+--- a/drivers/clk/samsung/clk-exynos850.c
++++ b/drivers/clk/samsung/clk-exynos850.c
+@@ -60,6 +60,43 @@ static void __init exynos850_init_clocks(struct device_node *np,
+       iounmap(reg_base);
+ }
++/**
++ * exynos850_register_cmu - Register specified Exynos850 CMU domain
++ * @dev:      Device object; may be NULL if this function is not being
++ *            called from platform driver probe function
++ * @np:               CMU device tree node
++ * @cmu:      CMU data
++ *
++ * Register specified CMU domain, which includes next steps:
++ *
++ * 1. Enable parent clock of @cmu CMU
++ * 2. Set initial registers configuration for @cmu CMU clocks
++ * 3. Register @cmu CMU clocks using Samsung clock framework API
++ */
++static void __init exynos850_register_cmu(struct device *dev,
++              struct device_node *np, const struct samsung_cmu_info *cmu)
++{
++      /* Keep CMU parent clock running (needed for CMU registers access) */
++      if (cmu->clk_name) {
++              struct clk *parent_clk;
++
++              if (dev)
++                      parent_clk = clk_get(dev, cmu->clk_name);
++              else
++                      parent_clk = of_clk_get_by_name(np, cmu->clk_name);
++
++              if (IS_ERR(parent_clk)) {
++                      pr_err("%s: could not find bus clock %s; err = %ld\n",
++                             __func__, cmu->clk_name, PTR_ERR(parent_clk));
++              } else {
++                      clk_prepare_enable(parent_clk);
++              }
++      }
++
++      exynos850_init_clocks(np, cmu->clk_regs, cmu->nr_clk_regs);
++      samsung_cmu_register_one(np, cmu);
++}
++
+ /* ---- CMU_TOP ------------------------------------------------------------- */
+ /* Register Offset definitions for CMU_TOP (0x120e0000) */
+@@ -347,10 +384,10 @@ static const struct samsung_cmu_info top_cmu_info __initconst = {
+ static void __init exynos850_cmu_top_init(struct device_node *np)
+ {
+-      exynos850_init_clocks(np, top_clk_regs, ARRAY_SIZE(top_clk_regs));
+-      samsung_cmu_register_one(np, &top_cmu_info);
++      exynos850_register_cmu(NULL, np, &top_cmu_info);
+ }
++/* Register CMU_TOP early, as it's a dependency for other early domains */
+ CLK_OF_DECLARE(exynos850_cmu_top, "samsung,exynos850-cmu-top",
+              exynos850_cmu_top_init);
+@@ -615,6 +652,15 @@ static const struct samsung_cmu_info peri_cmu_info __initconst = {
+       .clk_name               = "dout_peri_bus",
+ };
++static void __init exynos850_cmu_peri_init(struct device_node *np)
++{
++      exynos850_register_cmu(NULL, np, &peri_cmu_info);
++}
++
++/* Register CMU_PERI early, as it's needed for MCT timer */
++CLK_OF_DECLARE(exynos850_cmu_peri, "samsung,exynos850-cmu-peri",
++             exynos850_cmu_peri_init);
++
+ /* ---- CMU_CORE ------------------------------------------------------------ */
+ /* Register Offset definitions for CMU_CORE (0x12000000) */
+@@ -779,24 +825,9 @@ static int __init exynos850_cmu_probe(struct platform_device *pdev)
+ {
+       const struct samsung_cmu_info *info;
+       struct device *dev = &pdev->dev;
+-      struct device_node *np = dev->of_node;
+       info = of_device_get_match_data(dev);
+-      exynos850_init_clocks(np, info->clk_regs, info->nr_clk_regs);
+-      samsung_cmu_register_one(np, info);
+-
+-      /* Keep bus clock running, so it's possible to access CMU registers */
+-      if (info->clk_name) {
+-              struct clk *bus_clk;
+-
+-              bus_clk = clk_get(dev, info->clk_name);
+-              if (IS_ERR(bus_clk)) {
+-                      pr_err("%s: could not find bus clock %s; err = %ld\n",
+-                             __func__, info->clk_name, PTR_ERR(bus_clk));
+-              } else {
+-                      clk_prepare_enable(bus_clk);
+-              }
+-      }
++      exynos850_register_cmu(dev, dev->of_node, info);
+       return 0;
+ }
+@@ -806,9 +837,6 @@ static const struct of_device_id exynos850_cmu_of_match[] = {
+       {
+               .compatible = "samsung,exynos850-cmu-hsi",
+               .data = &hsi_cmu_info,
+-      }, {
+-              .compatible = "samsung,exynos850-cmu-peri",
+-              .data = &peri_cmu_info,
+       }, {
+               .compatible = "samsung,exynos850-cmu-core",
+               .data = &core_cmu_info,
+-- 
+2.34.1
+
diff --git a/queue-5.16/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch b/queue-5.16/clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch
new file mode 100644 (file)
index 0000000..5abedd1
--- /dev/null
@@ -0,0 +1,75 @@
+From 4116a8b403d836b45f8a4a5f191ce4f5aea3d07b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 15:11:21 +0800
+Subject: clk: stm32: Fix ltdc's clock turn off by clk_disable_unused() after
+ system enter shell
+
+From: Dillon Min <dillon.minfei@gmail.com>
+
+[ Upstream commit 6fc058a72f3b7b07fc4de6d66ad1f68951b00f6e ]
+
+stm32's clk driver register two ltdc gate clk to clk core by
+clk_hw_register_gate() and clk_hw_register_composite()
+
+first: 'stm32f429_gates[]', clk name is 'ltdc', which no user to use.
+second: 'stm32f429_aux_clk[]', clk name is 'lcd-tft', used by ltdc driver
+
+both of them point to the same offset of stm32's RCC register. after
+kernel enter console, clk core turn off ltdc's clk as 'stm32f429_gates[]'
+is no one to use. but, actually 'stm32f429_aux_clk[]' is in use.
+
+stm32f469/746/769 have the same issue, fix it.
+
+Fixes: daf2d117cbca ("clk: stm32f4: Add lcd-tft clock")
+Link: https://lore.kernel.org/linux-arm-kernel/1590564453-24499-7-git-send-email-dillon.minfei@gmail.com/
+Link: https://lore.kernel.org/lkml/CAPTRvHkf0cK_4ZidM17rPo99gWDmxgqFt4CDUjqFFwkOeQeFDg@mail.gmail.com/
+Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
+Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
+Acked-by: Gabriel Fernandez <gabriel.fernandez@foss.st.com>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/1635232282-3992-10-git-send-email-dillon.minfei@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-stm32f4.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c
+index af46176ad0539..473dfe632cc57 100644
+--- a/drivers/clk/clk-stm32f4.c
++++ b/drivers/clk/clk-stm32f4.c
+@@ -129,7 +129,6 @@ static const struct stm32f4_gate_data stm32f429_gates[] __initconst = {
+       { STM32F4_RCC_APB2ENR, 20,      "spi5",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 21,      "spi6",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 22,      "sai1",         "apb2_div" },
+-      { STM32F4_RCC_APB2ENR, 26,      "ltdc",         "apb2_div" },
+ };
+ static const struct stm32f4_gate_data stm32f469_gates[] __initconst = {
+@@ -211,7 +210,6 @@ static const struct stm32f4_gate_data stm32f469_gates[] __initconst = {
+       { STM32F4_RCC_APB2ENR, 20,      "spi5",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 21,      "spi6",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 22,      "sai1",         "apb2_div" },
+-      { STM32F4_RCC_APB2ENR, 26,      "ltdc",         "apb2_div" },
+ };
+ static const struct stm32f4_gate_data stm32f746_gates[] __initconst = {
+@@ -286,7 +284,6 @@ static const struct stm32f4_gate_data stm32f746_gates[] __initconst = {
+       { STM32F4_RCC_APB2ENR, 21,      "spi6",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 22,      "sai1",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 23,      "sai2",         "apb2_div" },
+-      { STM32F4_RCC_APB2ENR, 26,      "ltdc",         "apb2_div" },
+ };
+ static const struct stm32f4_gate_data stm32f769_gates[] __initconst = {
+@@ -364,7 +361,6 @@ static const struct stm32f4_gate_data stm32f769_gates[] __initconst = {
+       { STM32F4_RCC_APB2ENR, 21,      "spi6",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 22,      "sai1",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 23,      "sai2",         "apb2_div" },
+-      { STM32F4_RCC_APB2ENR, 26,      "ltdc",         "apb2_div" },
+       { STM32F4_RCC_APB2ENR, 30,      "mdio",         "apb2_div" },
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/clocksource-avoid-accidental-unstable-marking-of-clo.patch b/queue-5.16/clocksource-avoid-accidental-unstable-marking-of-clo.patch
new file mode 100644 (file)
index 0000000..e400e7b
--- /dev/null
@@ -0,0 +1,164 @@
+From 19396c430febc0d04377258c4131fb1efc94d9b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 14:14:36 -0500
+Subject: clocksource: Avoid accidental unstable marking of clocksources
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit c86ff8c55b8ae68837b2fa59dc0c203907e9a15f ]
+
+Since commit db3a34e17433 ("clocksource: Retry clock read if long delays
+detected") and commit 2e27e793e280 ("clocksource: Reduce clocksource-skew
+threshold"), it is found that tsc clocksource fallback to hpet can
+sometimes happen on both Intel and AMD systems especially when they are
+running stressful benchmarking workloads. Of the 23 systems tested with
+a v5.14 kernel, 10 of them have switched to hpet clock source during
+the test run.
+
+The result of falling back to hpet is a drastic reduction of performance
+when running benchmarks. For example, the fio performance tests can
+drop up to 70% whereas the iperf3 performance can drop up to 80%.
+
+4 hpet fallbacks happened during bootup. They were:
+
+  [    8.749399] clocksource: timekeeping watchdog on CPU13: hpet read-back delay of 263750ns, attempt 4, marking unstable
+  [   12.044610] clocksource: timekeeping watchdog on CPU19: hpet read-back delay of 186166ns, attempt 4, marking unstable
+  [   17.336941] clocksource: timekeeping watchdog on CPU28: hpet read-back delay of 182291ns, attempt 4, marking unstable
+  [   17.518565] clocksource: timekeeping watchdog on CPU34: hpet read-back delay of 252196ns, attempt 4, marking unstable
+
+Other fallbacks happen when the systems were running stressful
+benchmarks. For example:
+
+  [ 2685.867873] clocksource: timekeeping watchdog on CPU117: hpet read-back delay of 57269ns, attempt 4, marking unstable
+  [46215.471228] clocksource: timekeeping watchdog on CPU8: hpet read-back delay of 61460ns, attempt 4, marking unstable
+
+Commit 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold"),
+changed the skew margin from 100us to 50us. I think this is too small
+and can easily be exceeded when running some stressful workloads on a
+thermally stressed system.  So it is switched back to 100us.
+
+Even a maximum skew margin of 100us may be too small in for some systems
+when booting up especially if those systems are under thermal stress. To
+eliminate the case that the large skew is due to the system being too
+busy slowing down the reading of both the watchdog and the clocksource,
+an extra consecutive read of watchdog clock is being done to check this.
+
+The consecutive watchdog read delay is compared against
+WATCHDOG_MAX_SKEW/2. If the delay exceeds the limit, we assume that
+the system is just too busy. A warning will be printed to the console
+and the clock skew check is skipped for this round.
+
+Fixes: db3a34e17433 ("clocksource: Retry clock read if long delays detected")
+Fixes: 2e27e793e280 ("clocksource: Reduce clocksource-skew threshold")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/clocksource.c | 50 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
+index b8a14d2fb5ba6..bcad1a1e5dcf1 100644
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -107,7 +107,7 @@ static u64 suspend_start;
+  * This delay could be due to SMIs, NMIs, or to VCPU preemptions.  Used as
+  * a lower bound for cs->uncertainty_margin values when registering clocks.
+  */
+-#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC)
++#define WATCHDOG_MAX_SKEW (100 * NSEC_PER_USEC)
+ #ifdef CONFIG_CLOCKSOURCE_WATCHDOG
+ static void clocksource_watchdog_work(struct work_struct *work);
+@@ -205,17 +205,24 @@ EXPORT_SYMBOL_GPL(max_cswd_read_retries);
+ static int verify_n_cpus = 8;
+ module_param(verify_n_cpus, int, 0644);
+-static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
++enum wd_read_status {
++      WD_READ_SUCCESS,
++      WD_READ_UNSTABLE,
++      WD_READ_SKIP
++};
++
++static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
+ {
+       unsigned int nretries;
+-      u64 wd_end, wd_delta;
+-      int64_t wd_delay;
++      u64 wd_end, wd_end2, wd_delta;
++      int64_t wd_delay, wd_seq_delay;
+       for (nretries = 0; nretries <= max_cswd_read_retries; nretries++) {
+               local_irq_disable();
+               *wdnow = watchdog->read(watchdog);
+               *csnow = cs->read(cs);
+               wd_end = watchdog->read(watchdog);
++              wd_end2 = watchdog->read(watchdog);
+               local_irq_enable();
+               wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
+@@ -226,13 +233,34 @@ static bool cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
+                               pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
+                                       smp_processor_id(), watchdog->name, nretries);
+                       }
+-                      return true;
++                      return WD_READ_SUCCESS;
+               }
++
++              /*
++               * Now compute delay in consecutive watchdog read to see if
++               * there is too much external interferences that cause
++               * significant delay in reading both clocksource and watchdog.
++               *
++               * If consecutive WD read-back delay > WATCHDOG_MAX_SKEW/2,
++               * report system busy, reinit the watchdog and skip the current
++               * watchdog test.
++               */
++              wd_delta = clocksource_delta(wd_end2, wd_end, watchdog->mask);
++              wd_seq_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, watchdog->shift);
++              if (wd_seq_delay > WATCHDOG_MAX_SKEW/2)
++                      goto skip_test;
+       }
+       pr_warn("timekeeping watchdog on CPU%d: %s read-back delay of %lldns, attempt %d, marking unstable\n",
+               smp_processor_id(), watchdog->name, wd_delay, nretries);
+-      return false;
++      return WD_READ_UNSTABLE;
++
++skip_test:
++      pr_info("timekeeping watchdog on CPU%d: %s wd-wd read-back delay of %lldns\n",
++              smp_processor_id(), watchdog->name, wd_seq_delay);
++      pr_info("wd-%s-wd read-back delay of %lldns, clock-skew test skipped!\n",
++              cs->name, wd_delay);
++      return WD_READ_SKIP;
+ }
+ static u64 csnow_mid;
+@@ -356,6 +384,7 @@ static void clocksource_watchdog(struct timer_list *unused)
+       int next_cpu, reset_pending;
+       int64_t wd_nsec, cs_nsec;
+       struct clocksource *cs;
++      enum wd_read_status read_ret;
+       u32 md;
+       spin_lock(&watchdog_lock);
+@@ -373,9 +402,12 @@ static void clocksource_watchdog(struct timer_list *unused)
+                       continue;
+               }
+-              if (!cs_watchdog_read(cs, &csnow, &wdnow)) {
+-                      /* Clock readout unreliable, so give it up. */
+-                      __clocksource_unstable(cs);
++              read_ret = cs_watchdog_read(cs, &csnow, &wdnow);
++
++              if (read_ret != WD_READ_SUCCESS) {
++                      if (read_ret == WD_READ_UNSTABLE)
++                              /* Clock readout unreliable, so give it up. */
++                              __clocksource_unstable(cs);
+                       continue;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/counter-104-quad-8-fix-persistent-enabled-events-bug.patch b/queue-5.16/counter-104-quad-8-fix-persistent-enabled-events-bug.patch
new file mode 100644 (file)
index 0000000..3137f55
--- /dev/null
@@ -0,0 +1,192 @@
+From b8abb4ba44d257a27e669dd573db3fb4dfcde4e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 17:16:48 +0900
+Subject: counter: 104-quad-8: Fix persistent enabled events bug
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+[ Upstream commit c95cc0d95702523f8f361b802c9b7d4eeae07f5d ]
+
+A bug exists if the user executes a COUNTER_ADD_WATCH_IOCTL ioctl call,
+and then executes a COUNTER_DISABLE_EVENTS_IOCTL ioctl call. Disabling
+the events should disable the 104-QUAD-8 interrupts, but because of this
+bug the interrupts are not disabling.
+
+The reason this bug is occurring is because quad8_events_configure() is
+called when COUNTER_DISABLE_EVENTS_IOCTL is handled, but the
+next_irq_trigger[] array has not been cleared before it is checked in
+the loop.
+
+This patch fixes the bug by removing the next_irq_trigger array and
+instead utilizing a different algorithm of walking the events_list list
+for the current requested events. When a COUNTER_DISABLE_EVENTS_IOCTL is
+handled, events_list will be empty and thus all device channels end up
+with interrupts disabled.
+
+Fixes: 7aa2ba0df651 ("counter: 104-quad-8: Add IRQ support for the ACCES 104-QUAD-8")
+Cc: Syed Nayyar Waris <syednwaris@gmail.com>
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Link: https://lore.kernel.org/r/5fd5731cec1c251acee30eefb7c19160d03c9d39.1640072891.git.vilhelm.gray@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/104-quad-8.c | 82 +++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/counter/104-quad-8.c b/drivers/counter/104-quad-8.c
+index 1cbd60aaed697..a97027db0446d 100644
+--- a/drivers/counter/104-quad-8.c
++++ b/drivers/counter/104-quad-8.c
+@@ -14,6 +14,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/isa.h>
+ #include <linux/kernel.h>
++#include <linux/list.h>
+ #include <linux/module.h>
+ #include <linux/moduleparam.h>
+ #include <linux/types.h>
+@@ -44,7 +45,6 @@ MODULE_PARM_DESC(irq, "ACCES 104-QUAD-8 interrupt line numbers");
+  * @ab_enable:                array of A and B inputs enable configurations
+  * @preset_enable:    array of set_to_preset_on_index attribute configurations
+  * @irq_trigger:      array of current IRQ trigger function configurations
+- * @next_irq_trigger: array of next IRQ trigger function configurations
+  * @synchronous_mode: array of index function synchronous mode configurations
+  * @index_polarity:   array of index function polarity configurations
+  * @cable_fault_enable:       differential encoder cable status enable configurations
+@@ -61,7 +61,6 @@ struct quad8 {
+       unsigned int ab_enable[QUAD8_NUM_COUNTERS];
+       unsigned int preset_enable[QUAD8_NUM_COUNTERS];
+       unsigned int irq_trigger[QUAD8_NUM_COUNTERS];
+-      unsigned int next_irq_trigger[QUAD8_NUM_COUNTERS];
+       unsigned int synchronous_mode[QUAD8_NUM_COUNTERS];
+       unsigned int index_polarity[QUAD8_NUM_COUNTERS];
+       unsigned int cable_fault_enable;
+@@ -390,7 +389,6 @@ static int quad8_action_read(struct counter_device *counter,
+ }
+ enum {
+-      QUAD8_EVENT_NONE = -1,
+       QUAD8_EVENT_CARRY = 0,
+       QUAD8_EVENT_COMPARE = 1,
+       QUAD8_EVENT_CARRY_BORROW = 2,
+@@ -402,34 +400,49 @@ static int quad8_events_configure(struct counter_device *counter)
+       struct quad8 *const priv = counter->priv;
+       unsigned long irq_enabled = 0;
+       unsigned long irqflags;
+-      size_t channel;
++      struct counter_event_node *event_node;
++      unsigned int next_irq_trigger;
+       unsigned long ior_cfg;
+       unsigned long base_offset;
+       spin_lock_irqsave(&priv->lock, irqflags);
+-      /* Enable interrupts for the requested channels, disable for the rest */
+-      for (channel = 0; channel < QUAD8_NUM_COUNTERS; channel++) {
+-              if (priv->next_irq_trigger[channel] == QUAD8_EVENT_NONE)
+-                      continue;
++      list_for_each_entry(event_node, &counter->events_list, l) {
++              switch (event_node->event) {
++              case COUNTER_EVENT_OVERFLOW:
++                      next_irq_trigger = QUAD8_EVENT_CARRY;
++                      break;
++              case COUNTER_EVENT_THRESHOLD:
++                      next_irq_trigger = QUAD8_EVENT_COMPARE;
++                      break;
++              case COUNTER_EVENT_OVERFLOW_UNDERFLOW:
++                      next_irq_trigger = QUAD8_EVENT_CARRY_BORROW;
++                      break;
++              case COUNTER_EVENT_INDEX:
++                      next_irq_trigger = QUAD8_EVENT_INDEX;
++                      break;
++              default:
++                      /* should never reach this path */
++                      spin_unlock_irqrestore(&priv->lock, irqflags);
++                      return -EINVAL;
++              }
+-              if (priv->irq_trigger[channel] != priv->next_irq_trigger[channel]) {
+-                      /* Save new IRQ function configuration */
+-                      priv->irq_trigger[channel] = priv->next_irq_trigger[channel];
++              /* Skip configuration if it is the same as previously set */
++              if (priv->irq_trigger[event_node->channel] == next_irq_trigger)
++                      continue;
+-                      /* Load configuration to I/O Control Register */
+-                      ior_cfg = priv->ab_enable[channel] |
+-                                priv->preset_enable[channel] << 1 |
+-                                priv->irq_trigger[channel] << 3;
+-                      base_offset = priv->base + 2 * channel + 1;
+-                      outb(QUAD8_CTR_IOR | ior_cfg, base_offset);
+-              }
++              /* Save new IRQ function configuration */
++              priv->irq_trigger[event_node->channel] = next_irq_trigger;
+-              /* Reset next IRQ trigger function configuration */
+-              priv->next_irq_trigger[channel] = QUAD8_EVENT_NONE;
++              /* Load configuration to I/O Control Register */
++              ior_cfg = priv->ab_enable[event_node->channel] |
++                        priv->preset_enable[event_node->channel] << 1 |
++                        priv->irq_trigger[event_node->channel] << 3;
++              base_offset = priv->base + 2 * event_node->channel + 1;
++              outb(QUAD8_CTR_IOR | ior_cfg, base_offset);
+               /* Enable IRQ line */
+-              irq_enabled |= BIT(channel);
++              irq_enabled |= BIT(event_node->channel);
+       }
+       outb(irq_enabled, priv->base + QUAD8_REG_INDEX_INTERRUPT);
+@@ -442,35 +455,20 @@ static int quad8_events_configure(struct counter_device *counter)
+ static int quad8_watch_validate(struct counter_device *counter,
+                               const struct counter_watch *watch)
+ {
+-      struct quad8 *const priv = counter->priv;
++      struct counter_event_node *event_node;
+       if (watch->channel > QUAD8_NUM_COUNTERS - 1)
+               return -EINVAL;
+       switch (watch->event) {
+       case COUNTER_EVENT_OVERFLOW:
+-              if (priv->next_irq_trigger[watch->channel] == QUAD8_EVENT_NONE)
+-                      priv->next_irq_trigger[watch->channel] = QUAD8_EVENT_CARRY;
+-              else if (priv->next_irq_trigger[watch->channel] != QUAD8_EVENT_CARRY)
+-                      return -EINVAL;
+-              return 0;
+       case COUNTER_EVENT_THRESHOLD:
+-              if (priv->next_irq_trigger[watch->channel] == QUAD8_EVENT_NONE)
+-                      priv->next_irq_trigger[watch->channel] = QUAD8_EVENT_COMPARE;
+-              else if (priv->next_irq_trigger[watch->channel] != QUAD8_EVENT_COMPARE)
+-                      return -EINVAL;
+-              return 0;
+       case COUNTER_EVENT_OVERFLOW_UNDERFLOW:
+-              if (priv->next_irq_trigger[watch->channel] == QUAD8_EVENT_NONE)
+-                      priv->next_irq_trigger[watch->channel] = QUAD8_EVENT_CARRY_BORROW;
+-              else if (priv->next_irq_trigger[watch->channel] != QUAD8_EVENT_CARRY_BORROW)
+-                      return -EINVAL;
+-              return 0;
+       case COUNTER_EVENT_INDEX:
+-              if (priv->next_irq_trigger[watch->channel] == QUAD8_EVENT_NONE)
+-                      priv->next_irq_trigger[watch->channel] = QUAD8_EVENT_INDEX;
+-              else if (priv->next_irq_trigger[watch->channel] != QUAD8_EVENT_INDEX)
+-                      return -EINVAL;
++              list_for_each_entry(event_node, &counter->next_events_list, l)
++                      if (watch->channel == event_node->channel &&
++                              watch->event != event_node->event)
++                              return -EINVAL;
+               return 0;
+       default:
+               return -EINVAL;
+@@ -1183,8 +1181,6 @@ static int quad8_probe(struct device *dev, unsigned int id)
+               outb(QUAD8_CTR_IOR, base_offset + 1);
+               /* Disable index function; negative index polarity */
+               outb(QUAD8_CTR_IDR, base_offset + 1);
+-              /* Initialize next IRQ trigger function configuration */
+-              priv->next_irq_trigger[i] = QUAD8_EVENT_NONE;
+       }
+       /* Disable Differential Encoder Cable Status for all channels */
+       outb(0xFF, base[id] + QUAD8_DIFF_ENCODER_CABLE_STATUS);
+-- 
+2.34.1
+
diff --git a/queue-5.16/cpufreq-fix-initialization-of-min-and-max-frequency-.patch b/queue-5.16/cpufreq-fix-initialization-of-min-and-max-frequency-.patch
new file mode 100644 (file)
index 0000000..863e923
--- /dev/null
@@ -0,0 +1,54 @@
+From 84504bed99c4221549f5fbe4da67e0d5c3241507 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 20:32:15 +0100
+Subject: cpufreq: Fix initialization of min and max frequency QoS requests
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 521223d8b3ec078f670c7c35a1a04b1b2af07966 ]
+
+The min and max frequency QoS requests in the cpufreq core are
+initialized to whatever the current min and max frequency values are
+at the init time, but if any of these values change later (for
+example, cpuinfo.max_freq is updated by the driver), these initial
+request values will be limiting the CPU frequency unnecessarily
+unless they are changed by user space via sysfs.
+
+To address this, initialize min_freq_req and max_freq_req to
+FREQ_QOS_MIN_DEFAULT_VALUE and FREQ_QOS_MAX_DEFAULT_VALUE,
+respectively, so they don't really limit anything until user
+space updates them.
+
+Reported-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Tested-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 096c3848fa415..76ffdaf8c8b5e 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1403,7 +1403,7 @@ static int cpufreq_online(unsigned int cpu)
+               ret = freq_qos_add_request(&policy->constraints,
+                                          policy->min_freq_req, FREQ_QOS_MIN,
+-                                         policy->min);
++                                         FREQ_QOS_MIN_DEFAULT_VALUE);
+               if (ret < 0) {
+                       /*
+                        * So we don't call freq_qos_remove_request() for an
+@@ -1423,7 +1423,7 @@ static int cpufreq_online(unsigned int cpu)
+               ret = freq_qos_add_request(&policy->constraints,
+                                          policy->max_freq_req, FREQ_QOS_MAX,
+-                                         policy->max);
++                                         FREQ_QOS_MAX_DEFAULT_VALUE);
+               if (ret < 0) {
+                       policy->max_freq_req = NULL;
+                       goto out_destroy_policy;
+-- 
+2.34.1
+
diff --git a/queue-5.16/cpufreq-intel_pstate-update-cpuinfo.max_freq-on-hwp_.patch b/queue-5.16/cpufreq-intel_pstate-update-cpuinfo.max_freq-on-hwp_.patch
new file mode 100644 (file)
index 0000000..6e96c5a
--- /dev/null
@@ -0,0 +1,88 @@
+From 969ef5923f388678b6940bdf1ace7e8507ec3376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 20:06:08 +0100
+Subject: cpufreq: intel_pstate: Update cpuinfo.max_freq on HWP_CAP changes
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit dfeeedc1bf5772226bddf51ed3f853e5a6707bf1 ]
+
+With HWP enabled, when the turbo range of performance levels is
+disabled by the platform firmware, the CPU capacity is given by
+the "guaranteed performance" field in MSR_HWP_CAPABILITIES which
+is generally dynamic.  When it changes, the kernel receives an HWP
+notification interrupt handled by notify_hwp_interrupt().
+
+When the "guaranteed performance" value changes in the above
+configuration, the CPU performance scaling needs to be adjusted so
+as to use the new CPU capacity in computations, which means that
+the cpuinfo.max_freq value needs to be updated for that CPU.
+
+Accordingly, modify intel_pstate_notify_work() to read
+MSR_HWP_CAPABILITIES and update cpuinfo.max_freq to reflect the
+new configuration (this update can be carried out even if the
+configuration doesn't actually change, because it simply doesn't
+matter then and it takes less time to update it than to do extra
+checks to decide whether or not a change has really occurred).
+
+Reported-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Tested-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/intel_pstate.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index dec2a5649ac1a..676edc580fd4f 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -1124,19 +1124,22 @@ static void intel_pstate_update_policies(void)
+               cpufreq_update_policy(cpu);
+ }
++static void __intel_pstate_update_max_freq(struct cpudata *cpudata,
++                                         struct cpufreq_policy *policy)
++{
++      policy->cpuinfo.max_freq = global.turbo_disabled_mf ?
++                      cpudata->pstate.max_freq : cpudata->pstate.turbo_freq;
++      refresh_frequency_limits(policy);
++}
++
+ static void intel_pstate_update_max_freq(unsigned int cpu)
+ {
+       struct cpufreq_policy *policy = cpufreq_cpu_acquire(cpu);
+-      struct cpudata *cpudata;
+       if (!policy)
+               return;
+-      cpudata = all_cpu_data[cpu];
+-      policy->cpuinfo.max_freq = global.turbo_disabled_mf ?
+-                      cpudata->pstate.max_freq : cpudata->pstate.turbo_freq;
+-
+-      refresh_frequency_limits(policy);
++      __intel_pstate_update_max_freq(all_cpu_data[cpu], policy);
+       cpufreq_cpu_release(policy);
+ }
+@@ -1584,8 +1587,15 @@ static void intel_pstate_notify_work(struct work_struct *work)
+ {
+       struct cpudata *cpudata =
+               container_of(to_delayed_work(work), struct cpudata, hwp_notify_work);
++      struct cpufreq_policy *policy = cpufreq_cpu_acquire(cpudata->cpu);
++
++      if (policy) {
++              intel_pstate_get_hwp_cap(cpudata);
++              __intel_pstate_update_max_freq(cpudata, policy);
++
++              cpufreq_cpu_release(policy);
++      }
+-      cpufreq_update_policy(cpudata->cpu);
+       wrmsrl_on_cpu(cpudata->cpu, MSR_HWP_STATUS, 0);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/cpufreq-qcom-cpufreq-hw-update-offline-cpus-per-cpu-.patch b/queue-5.16/cpufreq-qcom-cpufreq-hw-update-offline-cpus-per-cpu-.patch
new file mode 100644 (file)
index 0000000..558f673
--- /dev/null
@@ -0,0 +1,48 @@
+From 1b28da1c29e2c6d672c3d58e3552381838601241 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 19:57:12 +0000
+Subject: cpufreq: qcom-cpufreq-hw: Update offline CPUs per-cpu thermal
+ pressure
+
+From: Lukasz Luba <lukasz.luba@arm.com>
+
+[ Upstream commit 93d9e6f93e1586fcc97498c764be2e8c8401f4bd ]
+
+The thermal pressure signal gives information to the scheduler about
+reduced CPU capacity due to thermal. It is based on a value stored in
+a per-cpu 'thermal_pressure' variable. The online CPUs will get the
+new value there, while the offline won't. Unfortunately, when the CPU
+is back online, the value read from per-cpu variable might be wrong
+(stale data).  This might affect the scheduler decisions, since it
+sees the CPU capacity differently than what is actually available.
+
+Fix it by making sure that all online+offline CPUs would get the
+proper value in their per-cpu variable when there is throttling
+or throttling is removed.
+
+Fixes: 275157b367f479 ("cpufreq: qcom-cpufreq-hw: Add dcvs interrupt support")
+Reviewed-by: Thara Gopinath <thara.gopinath@linaro.org>
+Signed-off-by: Lukasz Luba <lukasz.luba@arm.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/qcom-cpufreq-hw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c
+index a2be0df7e1747..0138b2ec406dc 100644
+--- a/drivers/cpufreq/qcom-cpufreq-hw.c
++++ b/drivers/cpufreq/qcom-cpufreq-hw.c
+@@ -304,7 +304,8 @@ static void qcom_lmh_dcvs_notify(struct qcom_cpufreq_data *data)
+       if (capacity > max_capacity)
+               capacity = max_capacity;
+-      arch_set_thermal_pressure(policy->cpus, max_capacity - capacity);
++      arch_set_thermal_pressure(policy->related_cpus,
++                                max_capacity - capacity);
+       /*
+        * In the unlikely case policy is unregistered do not enable
+-- 
+2.34.1
+
diff --git a/queue-5.16/cpufreq-qcom-hw-fix-probable-nested-interrupt-handli.patch b/queue-5.16/cpufreq-qcom-hw-fix-probable-nested-interrupt-handli.patch
new file mode 100644 (file)
index 0000000..5092e58
--- /dev/null
@@ -0,0 +1,45 @@
+From eedc1c3794c2b569bbb30d197e9835bf1e1220b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Nov 2021 17:48:07 +0200
+Subject: cpufreq: qcom-hw: Fix probable nested interrupt handling
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+[ Upstream commit e0e27c3d4e20dab861566f1c348ae44e4b498630 ]
+
+Re-enabling an interrupt from its own interrupt handler may cause
+an interrupt storm, if there is a pending interrupt and because its
+handling is disabled due to already done entrance into the handler
+above in the stack.
+
+Also, apparently it is improper to lock a mutex in an interrupt contex.
+
+Fixes: 275157b367f4 ("cpufreq: qcom-cpufreq-hw: Add dcvs interrupt support")
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/qcom-cpufreq-hw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c
+index 0138b2ec406dc..35d93361fda1a 100644
+--- a/drivers/cpufreq/qcom-cpufreq-hw.c
++++ b/drivers/cpufreq/qcom-cpufreq-hw.c
+@@ -343,9 +343,9 @@ static irqreturn_t qcom_lmh_dcvs_handle_irq(int irq, void *data)
+       /* Disable interrupt and enable polling */
+       disable_irq_nosync(c_data->throttle_irq);
+-      qcom_lmh_dcvs_notify(c_data);
++      schedule_delayed_work(&c_data->throttle_work, 0);
+-      return 0;
++      return IRQ_HANDLED;
+ }
+ static const struct qcom_cpufreq_soc_data qcom_soc_data = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-atmel-aes-reestablish-the-correct-tfm-context.patch b/queue-5.16/crypto-atmel-aes-reestablish-the-correct-tfm-context.patch
new file mode 100644 (file)
index 0000000..5430592
--- /dev/null
@@ -0,0 +1,76 @@
+From 2ebefa45ffbed37796d1c79141a118152341734a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 16:30:01 +0300
+Subject: crypto: atmel-aes - Reestablish the correct tfm context at dequeue
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+[ Upstream commit 6d48de655917a9d782953eba65de4e3db593ddf0 ]
+
+In case there were more requests from different tfms in the crypto
+queue, only the context of the last initialized tfm was considered.
+
+Fixes: ec2088b66f7a ("crypto: atmel-aes - Allocate aes dev at tfm init time")
+Reported-by: Wolfgang Ocker <weo@reccoware.de>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/atmel-aes.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
+index 9391ccc03382d..fe05584031914 100644
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -960,6 +960,7 @@ static int atmel_aes_handle_queue(struct atmel_aes_dev *dd,
+       ctx = crypto_tfm_ctx(areq->tfm);
+       dd->areq = areq;
++      dd->ctx = ctx;
+       start_async = (areq != new_areq);
+       dd->is_async = start_async;
+@@ -1274,7 +1275,6 @@ static int atmel_aes_init_tfm(struct crypto_skcipher *tfm)
+       crypto_skcipher_set_reqsize(tfm, sizeof(struct atmel_aes_reqctx));
+       ctx->base.dd = dd;
+-      ctx->base.dd->ctx = &ctx->base;
+       ctx->base.start = atmel_aes_start;
+       return 0;
+@@ -1291,7 +1291,6 @@ static int atmel_aes_ctr_init_tfm(struct crypto_skcipher *tfm)
+       crypto_skcipher_set_reqsize(tfm, sizeof(struct atmel_aes_reqctx));
+       ctx->base.dd = dd;
+-      ctx->base.dd->ctx = &ctx->base;
+       ctx->base.start = atmel_aes_ctr_start;
+       return 0;
+@@ -1783,7 +1782,6 @@ static int atmel_aes_gcm_init(struct crypto_aead *tfm)
+       crypto_aead_set_reqsize(tfm, sizeof(struct atmel_aes_reqctx));
+       ctx->base.dd = dd;
+-      ctx->base.dd->ctx = &ctx->base;
+       ctx->base.start = atmel_aes_gcm_start;
+       return 0;
+@@ -1927,7 +1925,6 @@ static int atmel_aes_xts_init_tfm(struct crypto_skcipher *tfm)
+       crypto_skcipher_set_reqsize(tfm, sizeof(struct atmel_aes_reqctx) +
+                                   crypto_skcipher_reqsize(ctx->fallback_tfm));
+       ctx->base.dd = dd;
+-      ctx->base.dd->ctx = &ctx->base;
+       ctx->base.start = atmel_aes_xts_start;
+       return 0;
+@@ -2154,7 +2151,6 @@ static int atmel_aes_authenc_init_tfm(struct crypto_aead *tfm,
+       crypto_aead_set_reqsize(tfm, (sizeof(struct atmel_aes_authenc_reqctx) +
+                                     auth_reqsize));
+       ctx->base.dd = dd;
+-      ctx->base.dd->ctx = &ctx->base;
+       ctx->base.start = atmel_aes_authenc_start;
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-caam-save-caam-memory-to-support-crypto-engin.patch b/queue-5.16/crypto-caam-save-caam-memory-to-support-crypto-engin.patch
new file mode 100644 (file)
index 0000000..192ffa0
--- /dev/null
@@ -0,0 +1,89 @@
+From 9d87f466b2d5be165377f21a1584e664a3dba67f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 17:02:34 +0530
+Subject: crypto: caam - save caam memory to support crypto engine retry
+ mechanism.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gaurav Jain <gaurav.jain@nxp.com>
+
+[ Upstream commit 087e1d715bccf25dc0e83294576e416b0386ba20 ]
+
+When caam queue is full (-ENOSPC), caam frees descriptor memory.
+crypto-engine checks if retry support is true and h/w queue
+is full(-ENOSPC), then requeue the crypto request.
+During processing the requested descriptor again, caam gives below error.
+(caam_jr 30902000.jr: 40000006: DECO: desc idx 0: Invalid KEY Command).
+
+This patch adds a check to return when caam input ring is full
+and retry support is true. so descriptor memory is not freed
+and requeued request can be processed again.
+
+Fixes: 2d653936eb2cf ("crypto: caam - enable crypto-engine retry mechanism")
+Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/caam/caamalg.c  | 6 ++++++
+ drivers/crypto/caam/caamhash.c | 3 +++
+ drivers/crypto/caam/caampkc.c  | 3 +++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
+index 8697ae53b0633..d3d8bb0a69900 100644
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -1533,6 +1533,9 @@ static int aead_do_one_req(struct crypto_engine *engine, void *areq)
+       ret = caam_jr_enqueue(ctx->jrdev, desc, aead_crypt_done, req);
++      if (ret == -ENOSPC && engine->retry_support)
++              return ret;
++
+       if (ret != -EINPROGRESS) {
+               aead_unmap(ctx->jrdev, rctx->edesc, req);
+               kfree(rctx->edesc);
+@@ -1762,6 +1765,9 @@ static int skcipher_do_one_req(struct crypto_engine *engine, void *areq)
+       ret = caam_jr_enqueue(ctx->jrdev, desc, skcipher_crypt_done, req);
++      if (ret == -ENOSPC && engine->retry_support)
++              return ret;
++
+       if (ret != -EINPROGRESS) {
+               skcipher_unmap(ctx->jrdev, rctx->edesc, req);
+               kfree(rctx->edesc);
+diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
+index e8a6d8bc43b5d..36ef738e4a181 100644
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -765,6 +765,9 @@ static int ahash_do_one_req(struct crypto_engine *engine, void *areq)
+       ret = caam_jr_enqueue(jrdev, desc, state->ahash_op_done, req);
++      if (ret == -ENOSPC && engine->retry_support)
++              return ret;
++
+       if (ret != -EINPROGRESS) {
+               ahash_unmap(jrdev, state->edesc, req, 0);
+               kfree(state->edesc);
+diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c
+index bf6275ffc4aad..8867275767101 100644
+--- a/drivers/crypto/caam/caampkc.c
++++ b/drivers/crypto/caam/caampkc.c
+@@ -380,6 +380,9 @@ static int akcipher_do_one_req(struct crypto_engine *engine, void *areq)
+       ret = caam_jr_enqueue(jrdev, desc, req_ctx->akcipher_op_done, req);
++      if (ret == -ENOSPC && engine->retry_support)
++              return ret;
++
+       if (ret != -EINPROGRESS) {
+               rsa_pub_unmap(jrdev, req_ctx->edesc, req);
+               rsa_io_unmap(jrdev, req_ctx->edesc, req);
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-ccp-move-sev_init-retry-for-corrupted-data.patch b/queue-5.16/crypto-ccp-move-sev_init-retry-for-corrupted-data.patch
new file mode 100644 (file)
index 0000000..b914ad1
--- /dev/null
@@ -0,0 +1,95 @@
+From 9ff6b52ffecf5100843fdf1d7c9f2b3359bdcb3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 15:33:03 -0800
+Subject: crypto: ccp - Move SEV_INIT retry for corrupted data
+
+From: Peter Gonda <pgonda@google.com>
+
+[ Upstream commit e423b9d75e779d921e6adf5ac3d0b59400d6ba7e ]
+
+Move the data corrupted retry of SEV_INIT into the
+__sev_platform_init_locked() function. This is for upcoming INIT_EX
+support as well as helping direct callers of
+__sev_platform_init_locked() which currently do not support the
+retry.
+
+Signed-off-by: Peter Gonda <pgonda@google.com>
+Reviewed-by: Marc Orr <marcorr@google.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Acked-by: Brijesh Singh <brijesh.singh@amd.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: Marc Orr <marcorr@google.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: David Rientjes <rientjes@google.com>
+Cc: John Allen <john.allen@amd.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: linux-crypto@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index e09925d86bf36..581a1b13d5c3d 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -241,7 +241,7 @@ static int __sev_platform_init_locked(int *error)
+       struct psp_device *psp = psp_master;
+       struct sev_data_init data;
+       struct sev_device *sev;
+-      int rc = 0;
++      int psp_ret, rc = 0;
+       if (!psp || !psp->sev_data)
+               return -ENODEV;
+@@ -266,7 +266,21 @@ static int __sev_platform_init_locked(int *error)
+               data.tmr_len = SEV_ES_TMR_SIZE;
+       }
+-      rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, error);
++      rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, &psp_ret);
++      if (rc && psp_ret == SEV_RET_SECURE_DATA_INVALID) {
++              /*
++               * Initialization command returned an integrity check failure
++               * status code, meaning that firmware load and validation of SEV
++               * related persistent data has failed. Retrying the
++               * initialization function should succeed by replacing the state
++               * with a reset state.
++               */
++              dev_dbg(sev->dev, "SEV: retrying INIT command");
++              rc = __sev_do_cmd_locked(SEV_CMD_INIT, &data, &psp_ret);
++      }
++      if (error)
++              *error = psp_ret;
++
+       if (rc)
+               return rc;
+@@ -1091,18 +1105,6 @@ void sev_pci_init(void)
+       /* Initialize the platform */
+       rc = sev_platform_init(&error);
+-      if (rc && (error == SEV_RET_SECURE_DATA_INVALID)) {
+-              /*
+-               * INIT command returned an integrity check failure
+-               * status code, meaning that firmware load and
+-               * validation of SEV related persistent data has
+-               * failed and persistent state has been erased.
+-               * Retrying INIT command here should succeed.
+-               */
+-              dev_dbg(sev->dev, "SEV: retrying INIT command");
+-              rc = sev_platform_init(&error);
+-      }
+-
+       if (rc) {
+               dev_err(sev->dev, "SEV: failed to INIT error %#x\n", error);
+               return;
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-hisilicon-hpre-fix-memory-leak-in-hpre_curve2.patch b/queue-5.16/crypto-hisilicon-hpre-fix-memory-leak-in-hpre_curve2.patch
new file mode 100644 (file)
index 0000000..b619786
--- /dev/null
@@ -0,0 +1,37 @@
+From 8a650304c1a142e448f562355501577264ae8717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Dec 2021 16:17:19 +0800
+Subject: crypto: hisilicon/hpre - fix memory leak in
+ hpre_curve25519_src_init()
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 51fa916b81e5f406a74f14a31a3a228c3cc060ad ]
+
+hpre_curve25519_src_init() allocates memory for 'ptr' before calling
+memcmp(). If memcmp() returns 0, the function will return '-EINVAL'
+without freeing memory.
+
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+index a032c192ef1d6..7ba7641723a0b 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+@@ -1865,7 +1865,7 @@ static int hpre_curve25519_src_init(struct hpre_asym_request *hpre_req,
+        */
+       if (memcmp(ptr, p, ctx->key_sz) == 0) {
+               dev_err(dev, "gx is p!\n");
+-              return -EINVAL;
++              goto err;
+       } else if (memcmp(ptr, p, ctx->key_sz) > 0) {
+               hpre_curve25519_src_modulo_p(ptr);
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-hisilicon-qm-fix-deadlock-for-remove-driver.patch b/queue-5.16/crypto-hisilicon-qm-fix-deadlock-for-remove-driver.patch
new file mode 100644 (file)
index 0000000..9638c7d
--- /dev/null
@@ -0,0 +1,57 @@
+From 52f6c551ce83295cfa9612b7fae335bd066d1c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Dec 2021 16:56:55 +0800
+Subject: crypto: hisilicon/qm - fix deadlock for remove driver
+
+From: Yang Shen <shenyang39@huawei.com>
+
+[ Upstream commit fc6c01f0cd10b89c4b01dd2940e0b0cda1bd82fb ]
+
+When remove the driver and executing the task occur at the same time,
+the following deadlock will be triggered:
+
+Chain exists of:
+    sva_lock --> uacce_mutex --> &qm->qps_lock
+    Possible unsafe locking scenario:
+               CPU0                    CPU1
+               ----                    ----
+       lock(&qm->qps_lock);
+                                       lock(uacce_mutex);
+                                       lock(&qm->qps_lock);
+       lock(sva_lock);
+
+And the lock 'qps_lock' is used to protect qp. Therefore, it's reasonable
+cycle is to continue until the qp memory is released. So move the release
+lock infront of 'uacce_remove'.
+
+Signed-off-by: Yang Shen <shenyang39@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 70b0405494db5..1dc6a27ba0e0d 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -3399,6 +3399,7 @@ void hisi_qm_uninit(struct hisi_qm *qm)
+               dma_free_coherent(dev, qm->qdma.size,
+                                 qm->qdma.va, qm->qdma.dma);
+       }
++      up_write(&qm->qps_lock);
+       qm_irq_unregister(qm);
+       hisi_qm_pci_uninit(qm);
+@@ -3406,8 +3407,6 @@ void hisi_qm_uninit(struct hisi_qm *qm)
+               uacce_remove(qm->uacce);
+               qm->uacce = NULL;
+       }
+-
+-      up_write(&qm->qps_lock);
+ }
+ EXPORT_SYMBOL_GPL(hisi_qm_uninit);
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-hisilicon-qm-fix-incorrect-return-value-of-hi.patch b/queue-5.16/crypto-hisilicon-qm-fix-incorrect-return-value-of-hi.patch
new file mode 100644 (file)
index 0000000..4cfd62a
--- /dev/null
@@ -0,0 +1,37 @@
+From 19ab788e9de6692f843ef23f3d8a6d1dd37539c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 18:43:01 +0800
+Subject: crypto: hisilicon/qm - fix incorrect return value of hisi_qm_resume()
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 3f9dd4c802b96626e869b2d29c8e401dabadd23e ]
+
+When hisi_qm_resume() returns 0, it indicates that the device has started
+successfully.  If the device fails to start, hisi_qm_resume() needs to
+return the actual error code to the caller instead of 0.
+
+Fixes: d7ea53395b72 ("crypto: hisilicon - add runtime PM ops")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index 52d6cca6262e2..70b0405494db5 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -6038,7 +6038,7 @@ int hisi_qm_resume(struct device *dev)
+       if (ret)
+               pci_err(pdev, "failed to start qm(%d)\n", ret);
+-      return 0;
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(hisi_qm_resume);
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-jitter-consider-32-lsb-for-apt.patch b/queue-5.16/crypto-jitter-consider-32-lsb-for-apt.patch
new file mode 100644 (file)
index 0000000..e32526b
--- /dev/null
@@ -0,0 +1,57 @@
+From bd13927da1ea22c611590ecfd3b5b824a92e5997 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Nov 2021 15:14:20 +0100
+Subject: crypto: jitter - consider 32 LSB for APT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephan Müller <smueller@chronox.de>
+
+[ Upstream commit 552d03a223eda3df84526ab2c1f4d82e15eaee7a ]
+
+The APT compares the current time stamp with a pre-set value. The
+current code only considered the 4 LSB only. Yet, after reviews by
+mathematicians of the user space Jitter RNG version >= 3.1.0, it was
+concluded that the APT can be calculated on the 32 LSB of the time
+delta. Thi change is applied to the kernel.
+
+This fixes a bug where an AMD EPYC fails this test as its RDTSC value
+contains zeros in the LSB. The most appropriate fix would have been to
+apply a GCD calculation and divide the time stamp by the GCD. Yet, this
+is a significant code change that will be considered for a future
+update. Note, tests showed that constantly the GCD always was 32 on
+these systems, i.e. the 5 LSB were always zero (thus failing the APT
+since it only considered the 4 LSB for its calculation).
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/jitterentropy.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/crypto/jitterentropy.c b/crypto/jitterentropy.c
+index 4dc2261cdeefb..788d90749715a 100644
+--- a/crypto/jitterentropy.c
++++ b/crypto/jitterentropy.c
+@@ -265,7 +265,6 @@ static int jent_stuck(struct rand_data *ec, __u64 current_delta)
+ {
+       __u64 delta2 = jent_delta(ec->last_delta, current_delta);
+       __u64 delta3 = jent_delta(ec->last_delta2, delta2);
+-      unsigned int delta_masked = current_delta & JENT_APT_WORD_MASK;
+       ec->last_delta = current_delta;
+       ec->last_delta2 = delta2;
+@@ -274,7 +273,7 @@ static int jent_stuck(struct rand_data *ec, __u64 current_delta)
+        * Insert the result of the comparison of two back-to-back time
+        * deltas.
+        */
+-      jent_apt_insert(ec, delta_masked);
++      jent_apt_insert(ec, current_delta);
+       if (!current_delta || !delta2 || !delta3) {
+               /* RCT with a stuck bit */
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-keembay-ocs-ecc-fix-error-return-code-in-kmb_.patch b/queue-5.16/crypto-keembay-ocs-ecc-fix-error-return-code-in-kmb_.patch
new file mode 100644 (file)
index 0000000..f05e340
--- /dev/null
@@ -0,0 +1,38 @@
+From 36d003f6ec880a62ec0688bf9ce4b7aecab48db0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 14:02:33 +0000
+Subject: crypto: keembay-ocs-ecc - Fix error return code in
+ kmb_ocs_ecc_probe()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 94ad2d19a97efdb603a21fcad0625f466f1cdd0f ]
+
+Fix to return negative error code -ENOMEM from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: c9f608c38009 ("crypto: keembay-ocs-ecc - Add Keem Bay OCS ECC Driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Daniele Alessandrelli <daniele.alessandrelli@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/keembay/keembay-ocs-ecc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/keembay/keembay-ocs-ecc.c b/drivers/crypto/keembay/keembay-ocs-ecc.c
+index 679e6ae295e0b..5d0785d3f1b55 100644
+--- a/drivers/crypto/keembay/keembay-ocs-ecc.c
++++ b/drivers/crypto/keembay/keembay-ocs-ecc.c
+@@ -930,6 +930,7 @@ static int kmb_ocs_ecc_probe(struct platform_device *pdev)
+       ecc_dev->engine = crypto_engine_alloc_init(dev, 1);
+       if (!ecc_dev->engine) {
+               dev_err(dev, "Could not allocate crypto engine\n");
++              rc = -ENOMEM;
+               goto list_del;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-octeontx2-prevent-underflow-in-get_cores_bmap.patch b/queue-5.16/crypto-octeontx2-prevent-underflow-in-get_cores_bmap.patch
new file mode 100644 (file)
index 0000000..bf18562
--- /dev/null
@@ -0,0 +1,37 @@
+From ed81b62990ad1f5d2e2b6c20ca92fd603b1060d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 10:13:32 +0300
+Subject: crypto: octeontx2 - prevent underflow in get_cores_bmap()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 10371b6212bb682f13247733d6b76b91b2b80f9a ]
+
+If we're going to cap "eng_grp->g->engs_num" upper bounds then we should
+cap the lower bounds as well.
+
+Fixes: 43ac0b824f1c ("crypto: octeontx2 - load microcode and create engine groups")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+index dff34b3ec09e1..7c1b92aaab398 100644
+--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
++++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+@@ -29,7 +29,8 @@ static struct otx2_cpt_bitmap get_cores_bmap(struct device *dev,
+       bool found = false;
+       int i;
+-      if (eng_grp->g->engs_num > OTX2_CPT_MAX_ENGINES) {
++      if (eng_grp->g->engs_num < 0 ||
++          eng_grp->g->engs_num > OTX2_CPT_MAX_ENGINES) {
+               dev_err(dev, "unsupported number of engines %d on octeontx2\n",
+                       eng_grp->g->engs_num);
+               return bmap;
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch b/queue-5.16/crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch
new file mode 100644 (file)
index 0000000..9a606f9
--- /dev/null
@@ -0,0 +1,59 @@
+From 6d650d8aa2fdedd362f9c72f570533e9dc3cf137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 14:30:35 +0000
+Subject: crypto: qat - fix undetected PFVF timeout in ACK loop
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 5002200b4fedd7e90e4fbc2e5c42a4b3351df814 ]
+
+If the remote function did not ACK the reception of a message, the
+function __adf_iov_putmsg() could detect it as a collision.
+
+This was due to the fact that the collision and the timeout checks after
+the ACK loop were in the wrong order. The timeout must be checked at the
+end of the loop, so fix by swapping the order of the two checks.
+
+Fixes: 9b768e8a3909 ("crypto: qat - detect PFVF collision after ACK")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Co-developed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+index 59860bdaedb69..99ee17c3d06bf 100644
+--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c
+@@ -107,6 +107,12 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+               val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset);
+       } while ((val & int_bit) && (count++ < ADF_PFVF_MSG_ACK_MAX_RETRY));
++      if (val & int_bit) {
++              dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n");
++              val &= ~int_bit;
++              ret = -EIO;
++      }
++
+       if (val != msg) {
+               dev_dbg(&GET_DEV(accel_dev),
+                       "Collision - PFVF CSR overwritten by remote function\n");
+@@ -114,12 +120,6 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr)
+               goto out;
+       }
+-      if (val & int_bit) {
+-              dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n");
+-              val &= ~int_bit;
+-              ret = -EIO;
+-      }
+-
+       /* Finished with the PFVF CSR; relinquish it and leave msg in CSR */
+       ADF_CSR_WR(pmisc_bar_addr, pf2vf_offset, val & ~local_in_use_mask);
+ out:
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-qce-fix-uaf-on-qce_aead_register_one.patch b/queue-5.16/crypto-qce-fix-uaf-on-qce_aead_register_one.patch
new file mode 100644 (file)
index 0000000..3b858bc
--- /dev/null
@@ -0,0 +1,39 @@
+From bd1c9b4c486f2cbd258461c5242f0e8530dc4815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 06:28:07 -0700
+Subject: crypto: qce - fix uaf on qce_aead_register_one
+
+From: Chengfeng Ye <cyeaa@connect.ust.hk>
+
+[ Upstream commit 4a9dbd021970ffe1b92521328377b699acba7c52 ]
+
+Pointer alg points to sub field of tmpl, it
+is dereferenced after tmpl is freed. Fix
+this by accessing alg before free tmpl.
+
+Fixes: 9363efb4 ("crypto: qce - Add support for AEAD algorithms")
+Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
+Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qce/aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qce/aead.c b/drivers/crypto/qce/aead.c
+index 290e2446a2f35..97a530171f07a 100644
+--- a/drivers/crypto/qce/aead.c
++++ b/drivers/crypto/qce/aead.c
+@@ -802,8 +802,8 @@ static int qce_aead_register_one(const struct qce_aead_def *def, struct qce_devi
+       ret = crypto_register_aead(alg);
+       if (ret) {
+-              kfree(tmpl);
+               dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name);
++              kfree(tmpl);
+               return ret;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch b/queue-5.16/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch
new file mode 100644 (file)
index 0000000..984600a
--- /dev/null
@@ -0,0 +1,39 @@
+From 381829d901296c8b312f962b201fabacad876308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 06:38:31 -0700
+Subject: crypto: qce - fix uaf on qce_ahash_register_one
+
+From: Chengfeng Ye <cyeaa@connect.ust.hk>
+
+[ Upstream commit b4cb4d31631912842eb7dce02b4350cbb7562d5e ]
+
+Pointer base points to sub field of tmpl, it
+is dereferenced after tmpl is freed. Fix
+this by accessing base before free tmpl.
+
+Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
+Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qce/sha.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c
+index 8e6fcf2c21cc0..59159f5e64e52 100644
+--- a/drivers/crypto/qce/sha.c
++++ b/drivers/crypto/qce/sha.c
+@@ -498,8 +498,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def,
+       ret = crypto_register_ahash(alg);
+       if (ret) {
+-              kfree(tmpl);
+               dev_err(qce->dev, "%s registration failed\n", base->cra_name);
++              kfree(tmpl);
+               return ret;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch b/queue-5.16/crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch
new file mode 100644 (file)
index 0000000..b103d10
--- /dev/null
@@ -0,0 +1,39 @@
+From 60cc019c78b7ef3e7ec96a3472094697e2a90bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 06:46:42 -0700
+Subject: crypto: qce - fix uaf on qce_skcipher_register_one
+
+From: Chengfeng Ye <cyeaa@connect.ust.hk>
+
+[ Upstream commit e9c195aaeed1b45c9012adbe29dedb6031e85aa8 ]
+
+Pointer alg points to sub field of tmpl, it
+is dereferenced after tmpl is freed. Fix
+this by accessing alg before free tmpl.
+
+Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
+Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qce/skcipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c
+index 8ff10928f581d..3d27cd5210ef5 100644
+--- a/drivers/crypto/qce/skcipher.c
++++ b/drivers/crypto/qce/skcipher.c
+@@ -484,8 +484,8 @@ static int qce_skcipher_register_one(const struct qce_skcipher_def *def,
+       ret = crypto_register_skcipher(alg);
+       if (ret) {
+-              kfree(tmpl);
+               dev_err(qce->dev, "%s registration failed\n", alg->base.cra_name);
++              kfree(tmpl);
+               return ret;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-cryp-check-early-input-data.patch b/queue-5.16/crypto-stm32-cryp-check-early-input-data.patch
new file mode 100644 (file)
index 0000000..b383ace
--- /dev/null
@@ -0,0 +1,241 @@
+From 10fb52b2ad1d7d9e021a96fce6d84c1f8b4a3665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 08:54:57 +0100
+Subject: crypto: stm32/cryp - check early input data
+
+From: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+
+[ Upstream commit 39e6e699c7fb92bdb2617b596ca4a4ea35c5d2a7 ]
+
+Some auto tests failed because driver wasn't returning the expected
+error with some input size/iv value/tag size.
+Now:
+ Return 0 early for empty buffer. (We don't need to start the engine for
+ an empty input buffer).
+ Accept any valid authsize for gcm(aes).
+ Return -EINVAL if iv for ccm(aes) is invalid.
+ Return -EINVAL if buffer size is a not a multiple of algorithm block size.
+
+Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 114 +++++++++++++++++++++++++++++-
+ 1 file changed, 113 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index e2bcc4f98b0ae..fd7fb73a4d450 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -799,7 +799,20 @@ static int stm32_cryp_aes_aead_setkey(struct crypto_aead *tfm, const u8 *key,
+ static int stm32_cryp_aes_gcm_setauthsize(struct crypto_aead *tfm,
+                                         unsigned int authsize)
+ {
+-      return authsize == AES_BLOCK_SIZE ? 0 : -EINVAL;
++      switch (authsize) {
++      case 4:
++      case 8:
++      case 12:
++      case 13:
++      case 14:
++      case 15:
++      case 16:
++              break;
++      default:
++              return -EINVAL;
++      }
++
++      return 0;
+ }
+ static int stm32_cryp_aes_ccm_setauthsize(struct crypto_aead *tfm,
+@@ -823,31 +836,61 @@ static int stm32_cryp_aes_ccm_setauthsize(struct crypto_aead *tfm,
+ static int stm32_cryp_aes_ecb_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % AES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_AES | FLG_ECB | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_aes_ecb_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % AES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_AES | FLG_ECB);
+ }
+ static int stm32_cryp_aes_cbc_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % AES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_AES | FLG_CBC | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_aes_cbc_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % AES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_AES | FLG_CBC);
+ }
+ static int stm32_cryp_aes_ctr_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_AES | FLG_CTR | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_aes_ctr_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_AES | FLG_CTR);
+ }
+@@ -861,53 +904,122 @@ static int stm32_cryp_aes_gcm_decrypt(struct aead_request *req)
+       return stm32_cryp_aead_crypt(req, FLG_AES | FLG_GCM);
+ }
++static inline int crypto_ccm_check_iv(const u8 *iv)
++{
++      /* 2 <= L <= 8, so 1 <= L' <= 7. */
++      if (iv[0] < 1 || iv[0] > 7)
++              return -EINVAL;
++
++      return 0;
++}
++
+ static int stm32_cryp_aes_ccm_encrypt(struct aead_request *req)
+ {
++      int err;
++
++      err = crypto_ccm_check_iv(req->iv);
++      if (err)
++              return err;
++
+       return stm32_cryp_aead_crypt(req, FLG_AES | FLG_CCM | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_aes_ccm_decrypt(struct aead_request *req)
+ {
++      int err;
++
++      err = crypto_ccm_check_iv(req->iv);
++      if (err)
++              return err;
++
+       return stm32_cryp_aead_crypt(req, FLG_AES | FLG_CCM);
+ }
+ static int stm32_cryp_des_ecb_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_DES | FLG_ECB | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_des_ecb_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_DES | FLG_ECB);
+ }
+ static int stm32_cryp_des_cbc_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_DES | FLG_CBC | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_des_cbc_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_DES | FLG_CBC);
+ }
+ static int stm32_cryp_tdes_ecb_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_TDES | FLG_ECB | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_tdes_ecb_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_TDES | FLG_ECB);
+ }
+ static int stm32_cryp_tdes_cbc_encrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_TDES | FLG_CBC | FLG_ENCRYPT);
+ }
+ static int stm32_cryp_tdes_cbc_decrypt(struct skcipher_request *req)
+ {
++      if (req->cryptlen % DES_BLOCK_SIZE)
++              return -EINVAL;
++
++      if (req->cryptlen == 0)
++              return 0;
++
+       return stm32_cryp_crypt(req, FLG_TDES | FLG_CBC);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch b/queue-5.16/crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch
new file mode 100644 (file)
index 0000000..f939b8e
--- /dev/null
@@ -0,0 +1,1214 @@
+From 666ea02139081758ef7d3a3cd0433833f5001145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 08:55:00 +0100
+Subject: crypto: stm32/cryp - fix bugs and crash in tests
+
+From: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+
+[ Upstream commit 4b898d5cfa4d9a0ad5bc82cb5eafdc092394c6a9 ]
+
+Extra crypto manager auto test were crashing or failling due
+to 2 reasons:
+- block in a dead loop (dues to issues in cipher end process management)
+- crash due to read/write unmapped memory (this crash was also reported
+when using openssl afalg engine)
+
+Rework interrupt management, interrupts are masked as soon as they are
+no more used: if input buffer is fully consumed, "Input FIFO not full"
+interrupt is masked and if output buffer is full, "Output FIFO not
+empty" interrupt is masked.
+And crypto request finish when input *and* outpout buffer are fully
+read/write.
+
+About the crash due to unmapped memory, using scatterwalk_copychunks()
+that will map and copy each block fix the issue.
+Using this api and copying full block will also fix unaligned data
+access, avoid early copy of in/out buffer, and make useless the extra
+alignment constraint.
+
+Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module")
+
+Reported-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 790 +++++++++---------------------
+ 1 file changed, 243 insertions(+), 547 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index 9943836a5c25c..cd57c5bae3ce9 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -37,7 +37,6 @@
+ /* Mode mask = bits [15..0] */
+ #define FLG_MODE_MASK           GENMASK(15, 0)
+ /* Bit [31..16] status  */
+-#define FLG_CCM_PADDED_WA       BIT(16)
+ /* Registers */
+ #define CRYP_CR                 0x00000000
+@@ -105,8 +104,6 @@
+ /* Misc */
+ #define AES_BLOCK_32            (AES_BLOCK_SIZE / sizeof(u32))
+ #define GCM_CTR_INIT            2
+-#define _walked_in              (cryp->in_walk.offset - cryp->in_sg->offset)
+-#define _walked_out             (cryp->out_walk.offset - cryp->out_sg->offset)
+ #define CRYP_AUTOSUSPEND_DELAY        50
+ struct stm32_cryp_caps {
+@@ -144,21 +141,11 @@ struct stm32_cryp {
+       size_t                  authsize;
+       size_t                  hw_blocksize;
+-      size_t                  total_in;
+-      size_t                  total_in_save;
+-      size_t                  total_out;
+-      size_t                  total_out_save;
++      size_t                  payload_in;
++      size_t                  header_in;
++      size_t                  payload_out;
+-      struct scatterlist      *in_sg;
+       struct scatterlist      *out_sg;
+-      struct scatterlist      *out_sg_save;
+-
+-      struct scatterlist      in_sgl;
+-      struct scatterlist      out_sgl;
+-      bool                    sgs_copied;
+-
+-      int                     in_sg_len;
+-      int                     out_sg_len;
+       struct scatter_walk     in_walk;
+       struct scatter_walk     out_walk;
+@@ -262,6 +249,7 @@ static inline int stm32_cryp_wait_output(struct stm32_cryp *cryp)
+ }
+ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp);
++static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err);
+ static struct stm32_cryp *stm32_cryp_find_dev(struct stm32_cryp_ctx *ctx)
+ {
+@@ -283,103 +271,6 @@ static struct stm32_cryp *stm32_cryp_find_dev(struct stm32_cryp_ctx *ctx)
+       return cryp;
+ }
+-static int stm32_cryp_check_aligned(struct scatterlist *sg, size_t total,
+-                                  size_t align)
+-{
+-      int len = 0;
+-
+-      if (!total)
+-              return 0;
+-
+-      if (!IS_ALIGNED(total, align))
+-              return -EINVAL;
+-
+-      while (sg) {
+-              if (!IS_ALIGNED(sg->offset, sizeof(u32)))
+-                      return -EINVAL;
+-
+-              if (!IS_ALIGNED(sg->length, align))
+-                      return -EINVAL;
+-
+-              len += sg->length;
+-              sg = sg_next(sg);
+-      }
+-
+-      if (len != total)
+-              return -EINVAL;
+-
+-      return 0;
+-}
+-
+-static int stm32_cryp_check_io_aligned(struct stm32_cryp *cryp)
+-{
+-      int ret;
+-
+-      ret = stm32_cryp_check_aligned(cryp->in_sg, cryp->total_in,
+-                                     cryp->hw_blocksize);
+-      if (ret)
+-              return ret;
+-
+-      ret = stm32_cryp_check_aligned(cryp->out_sg, cryp->total_out,
+-                                     cryp->hw_blocksize);
+-
+-      return ret;
+-}
+-
+-static void sg_copy_buf(void *buf, struct scatterlist *sg,
+-                      unsigned int start, unsigned int nbytes, int out)
+-{
+-      struct scatter_walk walk;
+-
+-      if (!nbytes)
+-              return;
+-
+-      scatterwalk_start(&walk, sg);
+-      scatterwalk_advance(&walk, start);
+-      scatterwalk_copychunks(buf, &walk, nbytes, out);
+-      scatterwalk_done(&walk, out, 0);
+-}
+-
+-static int stm32_cryp_copy_sgs(struct stm32_cryp *cryp)
+-{
+-      void *buf_in, *buf_out;
+-      int pages, total_in, total_out;
+-
+-      if (!stm32_cryp_check_io_aligned(cryp)) {
+-              cryp->sgs_copied = 0;
+-              return 0;
+-      }
+-
+-      total_in = ALIGN(cryp->total_in, cryp->hw_blocksize);
+-      pages = total_in ? get_order(total_in) : 1;
+-      buf_in = (void *)__get_free_pages(GFP_ATOMIC, pages);
+-
+-      total_out = ALIGN(cryp->total_out, cryp->hw_blocksize);
+-      pages = total_out ? get_order(total_out) : 1;
+-      buf_out = (void *)__get_free_pages(GFP_ATOMIC, pages);
+-
+-      if (!buf_in || !buf_out) {
+-              dev_err(cryp->dev, "Can't allocate pages when unaligned\n");
+-              cryp->sgs_copied = 0;
+-              return -EFAULT;
+-      }
+-
+-      sg_copy_buf(buf_in, cryp->in_sg, 0, cryp->total_in, 0);
+-
+-      sg_init_one(&cryp->in_sgl, buf_in, total_in);
+-      cryp->in_sg = &cryp->in_sgl;
+-      cryp->in_sg_len = 1;
+-
+-      sg_init_one(&cryp->out_sgl, buf_out, total_out);
+-      cryp->out_sg_save = cryp->out_sg;
+-      cryp->out_sg = &cryp->out_sgl;
+-      cryp->out_sg_len = 1;
+-
+-      cryp->sgs_copied = 1;
+-
+-      return 0;
+-}
+-
+ static void stm32_cryp_hw_write_iv(struct stm32_cryp *cryp, __be32 *iv)
+ {
+       if (!iv)
+@@ -481,16 +372,99 @@ static int stm32_cryp_gcm_init(struct stm32_cryp *cryp, u32 cfg)
+       /* Wait for end of processing */
+       ret = stm32_cryp_wait_enable(cryp);
+-      if (ret)
++      if (ret) {
+               dev_err(cryp->dev, "Timeout (gcm init)\n");
++              return ret;
++      }
+-      return ret;
++      /* Prepare next phase */
++      if (cryp->areq->assoclen) {
++              cfg |= CR_PH_HEADER;
++              stm32_cryp_write(cryp, CRYP_CR, cfg);
++      } else if (stm32_cryp_get_input_text_len(cryp)) {
++              cfg |= CR_PH_PAYLOAD;
++              stm32_cryp_write(cryp, CRYP_CR, cfg);
++      }
++
++      return 0;
++}
++
++static void stm32_crypt_gcmccm_end_header(struct stm32_cryp *cryp)
++{
++      u32 cfg;
++      int err;
++
++      /* Check if whole header written */
++      if (!cryp->header_in) {
++              /* Wait for completion */
++              err = stm32_cryp_wait_busy(cryp);
++              if (err) {
++                      dev_err(cryp->dev, "Timeout (gcm/ccm header)\n");
++                      stm32_cryp_write(cryp, CRYP_IMSCR, 0);
++                      stm32_cryp_finish_req(cryp, err);
++                      return;
++              }
++
++              if (stm32_cryp_get_input_text_len(cryp)) {
++                      /* Phase 3 : payload */
++                      cfg = stm32_cryp_read(cryp, CRYP_CR);
++                      cfg &= ~CR_CRYPEN;
++                      stm32_cryp_write(cryp, CRYP_CR, cfg);
++
++                      cfg &= ~CR_PH_MASK;
++                      cfg |= CR_PH_PAYLOAD | CR_CRYPEN;
++                      stm32_cryp_write(cryp, CRYP_CR, cfg);
++              } else {
++                      /*
++                       * Phase 4 : tag.
++                       * Nothing to read, nothing to write, caller have to
++                       * end request
++                       */
++              }
++      }
++}
++
++static void stm32_cryp_write_ccm_first_header(struct stm32_cryp *cryp)
++{
++      unsigned int i;
++      size_t written;
++      size_t len;
++      u32 alen = cryp->areq->assoclen;
++      u32 block[AES_BLOCK_32] = {0};
++      u8 *b8 = (u8 *)block;
++
++      if (alen <= 65280) {
++              /* Write first u32 of B1 */
++              b8[0] = (alen >> 8) & 0xFF;
++              b8[1] = alen & 0xFF;
++              len = 2;
++      } else {
++              /* Build the two first u32 of B1 */
++              b8[0] = 0xFF;
++              b8[1] = 0xFE;
++              b8[2] = (alen & 0xFF000000) >> 24;
++              b8[3] = (alen & 0x00FF0000) >> 16;
++              b8[4] = (alen & 0x0000FF00) >> 8;
++              b8[5] = alen & 0x000000FF;
++              len = 6;
++      }
++
++      written = min_t(size_t, AES_BLOCK_SIZE - len, alen);
++
++      scatterwalk_copychunks((char *)block + len, &cryp->in_walk, written, 0);
++      for (i = 0; i < AES_BLOCK_32; i++)
++              stm32_cryp_write(cryp, CRYP_DIN, block[i]);
++
++      cryp->header_in -= written;
++
++      stm32_crypt_gcmccm_end_header(cryp);
+ }
+ static int stm32_cryp_ccm_init(struct stm32_cryp *cryp, u32 cfg)
+ {
+       int ret;
+-      u8 iv[AES_BLOCK_SIZE], b0[AES_BLOCK_SIZE];
++      u32 iv_32[AES_BLOCK_32], b0_32[AES_BLOCK_32];
++      u8 *iv = (u8 *)iv_32, *b0 = (u8 *)b0_32;
+       __be32 *bd;
+       u32 *d;
+       unsigned int i, textlen;
+@@ -531,17 +505,30 @@ static int stm32_cryp_ccm_init(struct stm32_cryp *cryp, u32 cfg)
+       /* Wait for end of processing */
+       ret = stm32_cryp_wait_enable(cryp);
+-      if (ret)
++      if (ret) {
+               dev_err(cryp->dev, "Timeout (ccm init)\n");
++              return ret;
++      }
+-      return ret;
++      /* Prepare next phase */
++      if (cryp->areq->assoclen) {
++              cfg |= CR_PH_HEADER | CR_CRYPEN;
++              stm32_cryp_write(cryp, CRYP_CR, cfg);
++
++              /* Write first (special) block (may move to next phase [payload]) */
++              stm32_cryp_write_ccm_first_header(cryp);
++      } else if (stm32_cryp_get_input_text_len(cryp)) {
++              cfg |= CR_PH_PAYLOAD;
++              stm32_cryp_write(cryp, CRYP_CR, cfg);
++      }
++
++      return 0;
+ }
+ static int stm32_cryp_hw_init(struct stm32_cryp *cryp)
+ {
+       int ret;
+       u32 cfg, hw_mode;
+-
+       pm_runtime_resume_and_get(cryp->dev);
+       /* Disable interrupt */
+@@ -605,16 +592,6 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp)
+               if (ret)
+                       return ret;
+-              /* Phase 2 : header (authenticated data) */
+-              if (cryp->areq->assoclen) {
+-                      cfg |= CR_PH_HEADER;
+-              } else if (stm32_cryp_get_input_text_len(cryp)) {
+-                      cfg |= CR_PH_PAYLOAD;
+-                      stm32_cryp_write(cryp, CRYP_CR, cfg);
+-              } else {
+-                      cfg |= CR_PH_INIT;
+-              }
+-
+               break;
+       case CR_DES_CBC:
+@@ -633,8 +610,6 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp)
+       stm32_cryp_write(cryp, CRYP_CR, cfg);
+-      cryp->flags &= ~FLG_CCM_PADDED_WA;
+-
+       return 0;
+ }
+@@ -647,25 +622,6 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err)
+       if (!err && (!(is_gcm(cryp) || is_ccm(cryp) || is_ecb(cryp))))
+               stm32_cryp_get_iv(cryp);
+-      if (cryp->sgs_copied) {
+-              void *buf_in, *buf_out;
+-              int pages, len;
+-
+-              buf_in = sg_virt(&cryp->in_sgl);
+-              buf_out = sg_virt(&cryp->out_sgl);
+-
+-              sg_copy_buf(buf_out, cryp->out_sg_save, 0,
+-                          cryp->total_out_save, 1);
+-
+-              len = ALIGN(cryp->total_in_save, cryp->hw_blocksize);
+-              pages = len ? get_order(len) : 1;
+-              free_pages((unsigned long)buf_in, pages);
+-
+-              len = ALIGN(cryp->total_out_save, cryp->hw_blocksize);
+-              pages = len ? get_order(len) : 1;
+-              free_pages((unsigned long)buf_out, pages);
+-      }
+-
+       pm_runtime_mark_last_busy(cryp->dev);
+       pm_runtime_put_autosuspend(cryp->dev);
+@@ -1029,6 +985,7 @@ static int stm32_cryp_prepare_req(struct skcipher_request *req,
+       struct stm32_cryp_ctx *ctx;
+       struct stm32_cryp *cryp;
+       struct stm32_cryp_reqctx *rctx;
++      struct scatterlist *in_sg;
+       int ret;
+       if (!req && !areq)
+@@ -1054,76 +1011,55 @@ static int stm32_cryp_prepare_req(struct skcipher_request *req,
+       if (req) {
+               cryp->req = req;
+               cryp->areq = NULL;
+-              cryp->total_in = req->cryptlen;
+-              cryp->total_out = cryp->total_in;
++              cryp->header_in = 0;
++              cryp->payload_in = req->cryptlen;
++              cryp->payload_out = req->cryptlen;
++              cryp->authsize = 0;
+       } else {
+               /*
+                * Length of input and output data:
+                * Encryption case:
+-               *  INPUT  =   AssocData  ||   PlainText
++               *  INPUT  = AssocData   ||     PlainText
+                *          <- assoclen ->  <- cryptlen ->
+-               *          <------- total_in ----------->
+                *
+-               *  OUTPUT =   AssocData  ||  CipherText  ||   AuthTag
+-               *          <- assoclen ->  <- cryptlen ->  <- authsize ->
+-               *          <---------------- total_out ----------------->
++               *  OUTPUT = AssocData    ||   CipherText   ||      AuthTag
++               *          <- assoclen ->  <-- cryptlen -->  <- authsize ->
+                *
+                * Decryption case:
+-               *  INPUT  =   AssocData  ||  CipherText  ||  AuthTag
+-               *          <- assoclen ->  <--------- cryptlen --------->
+-               *                                          <- authsize ->
+-               *          <---------------- total_in ------------------>
++               *  INPUT  =  AssocData     ||    CipherTex   ||       AuthTag
++               *          <- assoclen --->  <---------- cryptlen ---------->
+                *
+-               *  OUTPUT =   AssocData  ||   PlainText
+-               *          <- assoclen ->  <- crypten - authsize ->
+-               *          <---------- total_out ----------------->
++               *  OUTPUT = AssocData    ||               PlainText
++               *          <- assoclen ->  <- cryptlen - authsize ->
+                */
+               cryp->areq = areq;
+               cryp->req = NULL;
+               cryp->authsize = crypto_aead_authsize(crypto_aead_reqtfm(areq));
+-              cryp->total_in = areq->assoclen + areq->cryptlen;
+-              if (is_encrypt(cryp))
+-                      /* Append auth tag to output */
+-                      cryp->total_out = cryp->total_in + cryp->authsize;
+-              else
+-                      /* No auth tag in output */
+-                      cryp->total_out = cryp->total_in - cryp->authsize;
++              if (is_encrypt(cryp)) {
++                      cryp->payload_in = areq->cryptlen;
++                      cryp->header_in = areq->assoclen;
++                      cryp->payload_out = areq->cryptlen;
++              } else {
++                      cryp->payload_in = areq->cryptlen - cryp->authsize;
++                      cryp->header_in = areq->assoclen;
++                      cryp->payload_out = cryp->payload_in;
++              }
+       }
+-      cryp->total_in_save = cryp->total_in;
+-      cryp->total_out_save = cryp->total_out;
++      in_sg = req ? req->src : areq->src;
++      scatterwalk_start(&cryp->in_walk, in_sg);
+-      cryp->in_sg = req ? req->src : areq->src;
+       cryp->out_sg = req ? req->dst : areq->dst;
+-      cryp->out_sg_save = cryp->out_sg;
+-
+-      cryp->in_sg_len = sg_nents_for_len(cryp->in_sg, cryp->total_in);
+-      if (cryp->in_sg_len < 0) {
+-              dev_err(cryp->dev, "Cannot get in_sg_len\n");
+-              ret = cryp->in_sg_len;
+-              return ret;
+-      }
+-
+-      cryp->out_sg_len = sg_nents_for_len(cryp->out_sg, cryp->total_out);
+-      if (cryp->out_sg_len < 0) {
+-              dev_err(cryp->dev, "Cannot get out_sg_len\n");
+-              ret = cryp->out_sg_len;
+-              return ret;
+-      }
+-
+-      ret = stm32_cryp_copy_sgs(cryp);
+-      if (ret)
+-              return ret;
+-
+-      scatterwalk_start(&cryp->in_walk, cryp->in_sg);
+       scatterwalk_start(&cryp->out_walk, cryp->out_sg);
+       if (is_gcm(cryp) || is_ccm(cryp)) {
+               /* In output, jump after assoc data */
+-              scatterwalk_advance(&cryp->out_walk, cryp->areq->assoclen);
+-              cryp->total_out -= cryp->areq->assoclen;
++              scatterwalk_copychunks(NULL, &cryp->out_walk, cryp->areq->assoclen, 2);
+       }
++      if (is_ctr(cryp))
++              memset(cryp->last_ctr, 0, sizeof(cryp->last_ctr));
++
+       ret = stm32_cryp_hw_init(cryp);
+       return ret;
+ }
+@@ -1171,8 +1107,7 @@ static int stm32_cryp_aead_one_req(struct crypto_engine *engine, void *areq)
+       if (!cryp)
+               return -ENODEV;
+-      if (unlikely(!cryp->areq->assoclen &&
+-                   !stm32_cryp_get_input_text_len(cryp))) {
++      if (unlikely(!cryp->payload_in && !cryp->header_in)) {
+               /* No input data to process: get tag and finish */
+               stm32_cryp_finish_req(cryp, 0);
+               return 0;
+@@ -1181,43 +1116,10 @@ static int stm32_cryp_aead_one_req(struct crypto_engine *engine, void *areq)
+       return stm32_cryp_cpu_start(cryp);
+ }
+-static u32 *stm32_cryp_next_out(struct stm32_cryp *cryp, u32 *dst,
+-                              unsigned int n)
+-{
+-      scatterwalk_advance(&cryp->out_walk, n);
+-
+-      if (unlikely(cryp->out_sg->length == _walked_out)) {
+-              cryp->out_sg = sg_next(cryp->out_sg);
+-              if (cryp->out_sg) {
+-                      scatterwalk_start(&cryp->out_walk, cryp->out_sg);
+-                      return (sg_virt(cryp->out_sg) + _walked_out);
+-              }
+-      }
+-
+-      return (u32 *)((u8 *)dst + n);
+-}
+-
+-static u32 *stm32_cryp_next_in(struct stm32_cryp *cryp, u32 *src,
+-                             unsigned int n)
+-{
+-      scatterwalk_advance(&cryp->in_walk, n);
+-
+-      if (unlikely(cryp->in_sg->length == _walked_in)) {
+-              cryp->in_sg = sg_next(cryp->in_sg);
+-              if (cryp->in_sg) {
+-                      scatterwalk_start(&cryp->in_walk, cryp->in_sg);
+-                      return (sg_virt(cryp->in_sg) + _walked_in);
+-              }
+-      }
+-
+-      return (u32 *)((u8 *)src + n);
+-}
+-
+ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp)
+ {
+-      u32 cfg, size_bit, *dst, d32;
+-      u8 *d8;
+-      unsigned int i, j;
++      u32 cfg, size_bit;
++      unsigned int i;
+       int ret = 0;
+       /* Update Config */
+@@ -1240,7 +1142,7 @@ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp)
+               stm32_cryp_write(cryp, CRYP_DIN, size_bit);
+               size_bit = is_encrypt(cryp) ? cryp->areq->cryptlen :
+-                              cryp->areq->cryptlen - AES_BLOCK_SIZE;
++                              cryp->areq->cryptlen - cryp->authsize;
+               size_bit *= 8;
+               if (cryp->caps->swap_final)
+                       size_bit = (__force u32)cpu_to_be32(size_bit);
+@@ -1249,11 +1151,9 @@ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp)
+               stm32_cryp_write(cryp, CRYP_DIN, size_bit);
+       } else {
+               /* CCM: write CTR0 */
+-              u8 iv[AES_BLOCK_SIZE];
+-              u32 *iv32 = (u32 *)iv;
+-              __be32 *biv;
+-
+-              biv = (void *)iv;
++              u32 iv32[AES_BLOCK_32];
++              u8 *iv = (u8 *)iv32;
++              __be32 *biv = (__be32 *)iv32;
+               memcpy(iv, cryp->areq->iv, AES_BLOCK_SIZE);
+               memset(iv + AES_BLOCK_SIZE - 1 - iv[0], 0, iv[0] + 1);
+@@ -1275,39 +1175,18 @@ static int stm32_cryp_read_auth_tag(struct stm32_cryp *cryp)
+       }
+       if (is_encrypt(cryp)) {
++              u32 out_tag[AES_BLOCK_32];
++
+               /* Get and write tag */
+-              dst = sg_virt(cryp->out_sg) + _walked_out;
++              for (i = 0; i < AES_BLOCK_32; i++)
++                      out_tag[i] = stm32_cryp_read(cryp, CRYP_DOUT);
+-              for (i = 0; i < AES_BLOCK_32; i++) {
+-                      if (cryp->total_out >= sizeof(u32)) {
+-                              /* Read a full u32 */
+-                              *dst = stm32_cryp_read(cryp, CRYP_DOUT);
+-
+-                              dst = stm32_cryp_next_out(cryp, dst,
+-                                                        sizeof(u32));
+-                              cryp->total_out -= sizeof(u32);
+-                      } else if (!cryp->total_out) {
+-                              /* Empty fifo out (data from input padding) */
+-                              stm32_cryp_read(cryp, CRYP_DOUT);
+-                      } else {
+-                              /* Read less than an u32 */
+-                              d32 = stm32_cryp_read(cryp, CRYP_DOUT);
+-                              d8 = (u8 *)&d32;
+-
+-                              for (j = 0; j < cryp->total_out; j++) {
+-                                      *((u8 *)dst) = *(d8++);
+-                                      dst = stm32_cryp_next_out(cryp, dst, 1);
+-                              }
+-                              cryp->total_out = 0;
+-                      }
+-              }
++              scatterwalk_copychunks(out_tag, &cryp->out_walk, cryp->authsize, 1);
+       } else {
+               /* Get and check tag */
+               u32 in_tag[AES_BLOCK_32], out_tag[AES_BLOCK_32];
+-              scatterwalk_map_and_copy(in_tag, cryp->in_sg,
+-                                       cryp->total_in_save - cryp->authsize,
+-                                       cryp->authsize, 0);
++              scatterwalk_copychunks(in_tag, &cryp->in_walk, cryp->authsize, 0);
+               for (i = 0; i < AES_BLOCK_32; i++)
+                       out_tag[i] = stm32_cryp_read(cryp, CRYP_DOUT);
+@@ -1349,92 +1228,37 @@ static void stm32_cryp_check_ctr_counter(struct stm32_cryp *cryp)
+       cryp->last_ctr[3] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV1RR));
+ }
+-static bool stm32_cryp_irq_read_data(struct stm32_cryp *cryp)
++static void stm32_cryp_irq_read_data(struct stm32_cryp *cryp)
+ {
+-      unsigned int i, j;
+-      u32 d32, *dst;
+-      u8 *d8;
+-      size_t tag_size;
+-
+-      /* Do no read tag now (if any) */
+-      if (is_encrypt(cryp) && (is_gcm(cryp) || is_ccm(cryp)))
+-              tag_size = cryp->authsize;
+-      else
+-              tag_size = 0;
+-
+-      dst = sg_virt(cryp->out_sg) + _walked_out;
+-
+-      for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) {
+-              if (likely(cryp->total_out - tag_size >= sizeof(u32))) {
+-                      /* Read a full u32 */
+-                      *dst = stm32_cryp_read(cryp, CRYP_DOUT);
++      unsigned int i;
++      u32 block[AES_BLOCK_32];
+-                      dst = stm32_cryp_next_out(cryp, dst, sizeof(u32));
+-                      cryp->total_out -= sizeof(u32);
+-              } else if (cryp->total_out == tag_size) {
+-                      /* Empty fifo out (data from input padding) */
+-                      d32 = stm32_cryp_read(cryp, CRYP_DOUT);
+-              } else {
+-                      /* Read less than an u32 */
+-                      d32 = stm32_cryp_read(cryp, CRYP_DOUT);
+-                      d8 = (u8 *)&d32;
+-
+-                      for (j = 0; j < cryp->total_out - tag_size; j++) {
+-                              *((u8 *)dst) = *(d8++);
+-                              dst = stm32_cryp_next_out(cryp, dst, 1);
+-                      }
+-                      cryp->total_out = tag_size;
+-              }
+-      }
++      for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++)
++              block[i] = stm32_cryp_read(cryp, CRYP_DOUT);
+-      return !(cryp->total_out - tag_size) || !cryp->total_in;
++      scatterwalk_copychunks(block, &cryp->out_walk, min_t(size_t, cryp->hw_blocksize,
++                                                           cryp->payload_out), 1);
++      cryp->payload_out -= min_t(size_t, cryp->hw_blocksize,
++                                 cryp->payload_out);
+ }
+ static void stm32_cryp_irq_write_block(struct stm32_cryp *cryp)
+ {
+-      unsigned int i, j;
+-      u32 *src;
+-      u8 d8[4];
+-      size_t tag_size;
+-
+-      /* Do no write tag (if any) */
+-      if (is_decrypt(cryp) && (is_gcm(cryp) || is_ccm(cryp)))
+-              tag_size = cryp->authsize;
+-      else
+-              tag_size = 0;
+-
+-      src = sg_virt(cryp->in_sg) + _walked_in;
++      unsigned int i;
++      u32 block[AES_BLOCK_32] = {0};
+-      for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++) {
+-              if (likely(cryp->total_in - tag_size >= sizeof(u32))) {
+-                      /* Write a full u32 */
+-                      stm32_cryp_write(cryp, CRYP_DIN, *src);
++      scatterwalk_copychunks(block, &cryp->in_walk, min_t(size_t, cryp->hw_blocksize,
++                                                          cryp->payload_in), 0);
++      for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++)
++              stm32_cryp_write(cryp, CRYP_DIN, block[i]);
+-                      src = stm32_cryp_next_in(cryp, src, sizeof(u32));
+-                      cryp->total_in -= sizeof(u32);
+-              } else if (cryp->total_in == tag_size) {
+-                      /* Write padding data */
+-                      stm32_cryp_write(cryp, CRYP_DIN, 0);
+-              } else {
+-                      /* Write less than an u32 */
+-                      memset(d8, 0, sizeof(u32));
+-                      for (j = 0; j < cryp->total_in - tag_size; j++) {
+-                              d8[j] = *((u8 *)src);
+-                              src = stm32_cryp_next_in(cryp, src, 1);
+-                      }
+-
+-                      stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8);
+-                      cryp->total_in = tag_size;
+-              }
+-      }
++      cryp->payload_in -= min_t(size_t, cryp->hw_blocksize, cryp->payload_in);
+ }
+ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp)
+ {
+       int err;
+-      u32 cfg, tmp[AES_BLOCK_32];
+-      size_t total_in_ori = cryp->total_in;
+-      struct scatterlist *out_sg_ori = cryp->out_sg;
++      u32 cfg, block[AES_BLOCK_32] = {0};
+       unsigned int i;
+       /* 'Special workaround' procedure described in the datasheet */
+@@ -1459,18 +1283,25 @@ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp)
+       /* b) pad and write the last block */
+       stm32_cryp_irq_write_block(cryp);
+-      cryp->total_in = total_in_ori;
++      /* wait end of process */
+       err = stm32_cryp_wait_output(cryp);
+       if (err) {
+-              dev_err(cryp->dev, "Timeout (write gcm header)\n");
++              dev_err(cryp->dev, "Timeout (write gcm last data)\n");
+               return stm32_cryp_finish_req(cryp, err);
+       }
+       /* c) get and store encrypted data */
+-      stm32_cryp_irq_read_data(cryp);
+-      scatterwalk_map_and_copy(tmp, out_sg_ori,
+-                               cryp->total_in_save - total_in_ori,
+-                               total_in_ori, 0);
++      /*
++       * Same code as stm32_cryp_irq_read_data(), but we want to store
++       * block value
++       */
++      for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++)
++              block[i] = stm32_cryp_read(cryp, CRYP_DOUT);
++
++      scatterwalk_copychunks(block, &cryp->out_walk, min_t(size_t, cryp->hw_blocksize,
++                                                           cryp->payload_out), 1);
++      cryp->payload_out -= min_t(size_t, cryp->hw_blocksize,
++                                 cryp->payload_out);
+       /* d) change mode back to AES GCM */
+       cfg &= ~CR_ALGO_MASK;
+@@ -1483,19 +1314,13 @@ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp)
+       stm32_cryp_write(cryp, CRYP_CR, cfg);
+       /* f) write padded data */
+-      for (i = 0; i < AES_BLOCK_32; i++) {
+-              if (cryp->total_in)
+-                      stm32_cryp_write(cryp, CRYP_DIN, tmp[i]);
+-              else
+-                      stm32_cryp_write(cryp, CRYP_DIN, 0);
+-
+-              cryp->total_in -= min_t(size_t, sizeof(u32), cryp->total_in);
+-      }
++      for (i = 0; i < AES_BLOCK_32; i++)
++              stm32_cryp_write(cryp, CRYP_DIN, block[i]);
+       /* g) Empty fifo out */
+       err = stm32_cryp_wait_output(cryp);
+       if (err) {
+-              dev_err(cryp->dev, "Timeout (write gcm header)\n");
++              dev_err(cryp->dev, "Timeout (write gcm padded data)\n");
+               return stm32_cryp_finish_req(cryp, err);
+       }
+@@ -1508,16 +1333,14 @@ static void stm32_cryp_irq_write_gcm_padded_data(struct stm32_cryp *cryp)
+ static void stm32_cryp_irq_set_npblb(struct stm32_cryp *cryp)
+ {
+-      u32 cfg, payload_bytes;
++      u32 cfg;
+       /* disable ip, set NPBLB and reneable ip */
+       cfg = stm32_cryp_read(cryp, CRYP_CR);
+       cfg &= ~CR_CRYPEN;
+       stm32_cryp_write(cryp, CRYP_CR, cfg);
+-      payload_bytes = is_decrypt(cryp) ? cryp->total_in - cryp->authsize :
+-                                         cryp->total_in;
+-      cfg |= (cryp->hw_blocksize - payload_bytes) << CR_NBPBL_SHIFT;
++      cfg |= (cryp->hw_blocksize - cryp->payload_in) << CR_NBPBL_SHIFT;
+       cfg |= CR_CRYPEN;
+       stm32_cryp_write(cryp, CRYP_CR, cfg);
+ }
+@@ -1526,13 +1349,11 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp)
+ {
+       int err = 0;
+       u32 cfg, iv1tmp;
+-      u32 cstmp1[AES_BLOCK_32], cstmp2[AES_BLOCK_32], tmp[AES_BLOCK_32];
+-      size_t last_total_out, total_in_ori = cryp->total_in;
+-      struct scatterlist *out_sg_ori = cryp->out_sg;
++      u32 cstmp1[AES_BLOCK_32], cstmp2[AES_BLOCK_32];
++      u32 block[AES_BLOCK_32] = {0};
+       unsigned int i;
+       /* 'Special workaround' procedure described in the datasheet */
+-      cryp->flags |= FLG_CCM_PADDED_WA;
+       /* a) disable ip */
+       stm32_cryp_write(cryp, CRYP_IMSCR, 0);
+@@ -1562,7 +1383,7 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp)
+       /* b) pad and write the last block */
+       stm32_cryp_irq_write_block(cryp);
+-      cryp->total_in = total_in_ori;
++      /* wait end of process */
+       err = stm32_cryp_wait_output(cryp);
+       if (err) {
+               dev_err(cryp->dev, "Timeout (wite ccm padded data)\n");
+@@ -1570,13 +1391,16 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp)
+       }
+       /* c) get and store decrypted data */
+-      last_total_out = cryp->total_out;
+-      stm32_cryp_irq_read_data(cryp);
++      /*
++       * Same code as stm32_cryp_irq_read_data(), but we want to store
++       * block value
++       */
++      for (i = 0; i < cryp->hw_blocksize / sizeof(u32); i++)
++              block[i] = stm32_cryp_read(cryp, CRYP_DOUT);
+-      memset(tmp, 0, sizeof(tmp));
+-      scatterwalk_map_and_copy(tmp, out_sg_ori,
+-                               cryp->total_out_save - last_total_out,
+-                               last_total_out, 0);
++      scatterwalk_copychunks(block, &cryp->out_walk, min_t(size_t, cryp->hw_blocksize,
++                                                           cryp->payload_out), 1);
++      cryp->payload_out -= min_t(size_t, cryp->hw_blocksize, cryp->payload_out);
+       /* d) Load again CRYP_CSGCMCCMxR */
+       for (i = 0; i < ARRAY_SIZE(cstmp2); i++)
+@@ -1593,10 +1417,10 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp)
+       stm32_cryp_write(cryp, CRYP_CR, cfg);
+       /* g) XOR and write padded data */
+-      for (i = 0; i < ARRAY_SIZE(tmp); i++) {
+-              tmp[i] ^= cstmp1[i];
+-              tmp[i] ^= cstmp2[i];
+-              stm32_cryp_write(cryp, CRYP_DIN, tmp[i]);
++      for (i = 0; i < ARRAY_SIZE(block); i++) {
++              block[i] ^= cstmp1[i];
++              block[i] ^= cstmp2[i];
++              stm32_cryp_write(cryp, CRYP_DIN, block[i]);
+       }
+       /* h) wait for completion */
+@@ -1610,30 +1434,34 @@ static void stm32_cryp_irq_write_ccm_padded_data(struct stm32_cryp *cryp)
+ static void stm32_cryp_irq_write_data(struct stm32_cryp *cryp)
+ {
+-      if (unlikely(!cryp->total_in)) {
++      if (unlikely(!cryp->payload_in)) {
+               dev_warn(cryp->dev, "No more data to process\n");
+               return;
+       }
+-      if (unlikely(cryp->total_in < AES_BLOCK_SIZE &&
++      if (unlikely(cryp->payload_in < AES_BLOCK_SIZE &&
+                    (stm32_cryp_get_hw_mode(cryp) == CR_AES_GCM) &&
+                    is_encrypt(cryp))) {
+               /* Padding for AES GCM encryption */
+-              if (cryp->caps->padding_wa)
++              if (cryp->caps->padding_wa) {
+                       /* Special case 1 */
+-                      return stm32_cryp_irq_write_gcm_padded_data(cryp);
++                      stm32_cryp_irq_write_gcm_padded_data(cryp);
++                      return;
++              }
+               /* Setting padding bytes (NBBLB) */
+               stm32_cryp_irq_set_npblb(cryp);
+       }
+-      if (unlikely((cryp->total_in - cryp->authsize < AES_BLOCK_SIZE) &&
++      if (unlikely((cryp->payload_in < AES_BLOCK_SIZE) &&
+                    (stm32_cryp_get_hw_mode(cryp) == CR_AES_CCM) &&
+                    is_decrypt(cryp))) {
+               /* Padding for AES CCM decryption */
+-              if (cryp->caps->padding_wa)
++              if (cryp->caps->padding_wa) {
+                       /* Special case 2 */
+-                      return stm32_cryp_irq_write_ccm_padded_data(cryp);
++                      stm32_cryp_irq_write_ccm_padded_data(cryp);
++                      return;
++              }
+               /* Setting padding bytes (NBBLB) */
+               stm32_cryp_irq_set_npblb(cryp);
+@@ -1645,192 +1473,60 @@ static void stm32_cryp_irq_write_data(struct stm32_cryp *cryp)
+       stm32_cryp_irq_write_block(cryp);
+ }
+-static void stm32_cryp_irq_write_gcm_header(struct stm32_cryp *cryp)
++static void stm32_cryp_irq_write_gcmccm_header(struct stm32_cryp *cryp)
+ {
+-      int err;
+-      unsigned int i, j;
+-      u32 cfg, *src;
+-
+-      src = sg_virt(cryp->in_sg) + _walked_in;
+-
+-      for (i = 0; i < AES_BLOCK_32; i++) {
+-              stm32_cryp_write(cryp, CRYP_DIN, *src);
+-
+-              src = stm32_cryp_next_in(cryp, src, sizeof(u32));
+-              cryp->total_in -= min_t(size_t, sizeof(u32), cryp->total_in);
+-
+-              /* Check if whole header written */
+-              if ((cryp->total_in_save - cryp->total_in) ==
+-                              cryp->areq->assoclen) {
+-                      /* Write padding if needed */
+-                      for (j = i + 1; j < AES_BLOCK_32; j++)
+-                              stm32_cryp_write(cryp, CRYP_DIN, 0);
+-
+-                      /* Wait for completion */
+-                      err = stm32_cryp_wait_busy(cryp);
+-                      if (err) {
+-                              dev_err(cryp->dev, "Timeout (gcm header)\n");
+-                              return stm32_cryp_finish_req(cryp, err);
+-                      }
+-
+-                      if (stm32_cryp_get_input_text_len(cryp)) {
+-                              /* Phase 3 : payload */
+-                              cfg = stm32_cryp_read(cryp, CRYP_CR);
+-                              cfg &= ~CR_CRYPEN;
+-                              stm32_cryp_write(cryp, CRYP_CR, cfg);
+-
+-                              cfg &= ~CR_PH_MASK;
+-                              cfg |= CR_PH_PAYLOAD;
+-                              cfg |= CR_CRYPEN;
+-                              stm32_cryp_write(cryp, CRYP_CR, cfg);
+-                      } else {
+-                              /* Phase 4 : tag */
+-                              stm32_cryp_write(cryp, CRYP_IMSCR, 0);
+-                              stm32_cryp_finish_req(cryp, 0);
+-                      }
+-
+-                      break;
+-              }
+-
+-              if (!cryp->total_in)
+-                      break;
+-      }
+-}
++      unsigned int i;
++      u32 block[AES_BLOCK_32] = {0};
++      size_t written;
+-static void stm32_cryp_irq_write_ccm_header(struct stm32_cryp *cryp)
+-{
+-      int err;
+-      unsigned int i = 0, j, k;
+-      u32 alen, cfg, *src;
+-      u8 d8[4];
+-
+-      src = sg_virt(cryp->in_sg) + _walked_in;
+-      alen = cryp->areq->assoclen;
+-
+-      if (!_walked_in) {
+-              if (cryp->areq->assoclen <= 65280) {
+-                      /* Write first u32 of B1 */
+-                      d8[0] = (alen >> 8) & 0xFF;
+-                      d8[1] = alen & 0xFF;
+-                      d8[2] = *((u8 *)src);
+-                      src = stm32_cryp_next_in(cryp, src, 1);
+-                      d8[3] = *((u8 *)src);
+-                      src = stm32_cryp_next_in(cryp, src, 1);
+-
+-                      stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8);
+-                      i++;
+-
+-                      cryp->total_in -= min_t(size_t, 2, cryp->total_in);
+-              } else {
+-                      /* Build the two first u32 of B1 */
+-                      d8[0] = 0xFF;
+-                      d8[1] = 0xFE;
+-                      d8[2] = alen & 0xFF000000;
+-                      d8[3] = alen & 0x00FF0000;
+-
+-                      stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8);
+-                      i++;
+-
+-                      d8[0] = alen & 0x0000FF00;
+-                      d8[1] = alen & 0x000000FF;
+-                      d8[2] = *((u8 *)src);
+-                      src = stm32_cryp_next_in(cryp, src, 1);
+-                      d8[3] = *((u8 *)src);
+-                      src = stm32_cryp_next_in(cryp, src, 1);
+-
+-                      stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8);
+-                      i++;
+-
+-                      cryp->total_in -= min_t(size_t, 2, cryp->total_in);
+-              }
+-      }
++      written = min_t(size_t, AES_BLOCK_SIZE, cryp->header_in);
+-      /* Write next u32 */
+-      for (; i < AES_BLOCK_32; i++) {
+-              /* Build an u32 */
+-              memset(d8, 0, sizeof(u32));
+-              for (k = 0; k < sizeof(u32); k++) {
+-                      d8[k] = *((u8 *)src);
+-                      src = stm32_cryp_next_in(cryp, src, 1);
+-
+-                      cryp->total_in -= min_t(size_t, 1, cryp->total_in);
+-                      if ((cryp->total_in_save - cryp->total_in) == alen)
+-                              break;
+-              }
++      scatterwalk_copychunks(block, &cryp->in_walk, written, 0);
++      for (i = 0; i < AES_BLOCK_32; i++)
++              stm32_cryp_write(cryp, CRYP_DIN, block[i]);
+-              stm32_cryp_write(cryp, CRYP_DIN, *(u32 *)d8);
+-
+-              if ((cryp->total_in_save - cryp->total_in) == alen) {
+-                      /* Write padding if needed */
+-                      for (j = i + 1; j < AES_BLOCK_32; j++)
+-                              stm32_cryp_write(cryp, CRYP_DIN, 0);
+-
+-                      /* Wait for completion */
+-                      err = stm32_cryp_wait_busy(cryp);
+-                      if (err) {
+-                              dev_err(cryp->dev, "Timeout (ccm header)\n");
+-                              return stm32_cryp_finish_req(cryp, err);
+-                      }
+-
+-                      if (stm32_cryp_get_input_text_len(cryp)) {
+-                              /* Phase 3 : payload */
+-                              cfg = stm32_cryp_read(cryp, CRYP_CR);
+-                              cfg &= ~CR_CRYPEN;
+-                              stm32_cryp_write(cryp, CRYP_CR, cfg);
+-
+-                              cfg &= ~CR_PH_MASK;
+-                              cfg |= CR_PH_PAYLOAD;
+-                              cfg |= CR_CRYPEN;
+-                              stm32_cryp_write(cryp, CRYP_CR, cfg);
+-                      } else {
+-                              /* Phase 4 : tag */
+-                              stm32_cryp_write(cryp, CRYP_IMSCR, 0);
+-                              stm32_cryp_finish_req(cryp, 0);
+-                      }
++      cryp->header_in -= written;
+-                      break;
+-              }
+-      }
++      stm32_crypt_gcmccm_end_header(cryp);
+ }
+ static irqreturn_t stm32_cryp_irq_thread(int irq, void *arg)
+ {
+       struct stm32_cryp *cryp = arg;
+       u32 ph;
++      u32 it_mask = stm32_cryp_read(cryp, CRYP_IMSCR);
+       if (cryp->irq_status & MISR_OUT)
+               /* Output FIFO IRQ: read data */
+-              if (unlikely(stm32_cryp_irq_read_data(cryp))) {
+-                      /* All bytes processed, finish */
+-                      stm32_cryp_write(cryp, CRYP_IMSCR, 0);
+-                      stm32_cryp_finish_req(cryp, 0);
+-                      return IRQ_HANDLED;
+-              }
++              stm32_cryp_irq_read_data(cryp);
+       if (cryp->irq_status & MISR_IN) {
+-              if (is_gcm(cryp)) {
+-                      ph = stm32_cryp_read(cryp, CRYP_CR) & CR_PH_MASK;
+-                      if (unlikely(ph == CR_PH_HEADER))
+-                              /* Write Header */
+-                              stm32_cryp_irq_write_gcm_header(cryp);
+-                      else
+-                              /* Input FIFO IRQ: write data */
+-                              stm32_cryp_irq_write_data(cryp);
+-                      cryp->gcm_ctr++;
+-              } else if (is_ccm(cryp)) {
++              if (is_gcm(cryp) || is_ccm(cryp)) {
+                       ph = stm32_cryp_read(cryp, CRYP_CR) & CR_PH_MASK;
+                       if (unlikely(ph == CR_PH_HEADER))
+                               /* Write Header */
+-                              stm32_cryp_irq_write_ccm_header(cryp);
++                              stm32_cryp_irq_write_gcmccm_header(cryp);
+                       else
+                               /* Input FIFO IRQ: write data */
+                               stm32_cryp_irq_write_data(cryp);
++                      if (is_gcm(cryp))
++                              cryp->gcm_ctr++;
+               } else {
+                       /* Input FIFO IRQ: write data */
+                       stm32_cryp_irq_write_data(cryp);
+               }
+       }
++      /* Mask useless interrupts */
++      if (!cryp->payload_in && !cryp->header_in)
++              it_mask &= ~IMSCR_IN;
++      if (!cryp->payload_out)
++              it_mask &= ~IMSCR_OUT;
++      stm32_cryp_write(cryp, CRYP_IMSCR, it_mask);
++
++      if (!cryp->payload_in && !cryp->header_in && !cryp->payload_out)
++              stm32_cryp_finish_req(cryp, 0);
++
+       return IRQ_HANDLED;
+ }
+@@ -1851,7 +1547,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = AES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1868,7 +1564,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = AES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1886,7 +1582,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = 1,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1904,7 +1600,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = DES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1921,7 +1617,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = DES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1939,7 +1635,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = DES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1956,7 +1652,7 @@ static struct skcipher_alg crypto_algs[] = {
+       .base.cra_flags         = CRYPTO_ALG_ASYNC,
+       .base.cra_blocksize     = DES_BLOCK_SIZE,
+       .base.cra_ctxsize       = sizeof(struct stm32_cryp_ctx),
+-      .base.cra_alignmask     = 0xf,
++      .base.cra_alignmask     = 0,
+       .base.cra_module        = THIS_MODULE,
+       .init                   = stm32_cryp_init_tfm,
+@@ -1986,7 +1682,7 @@ static struct aead_alg aead_algs[] = {
+               .cra_flags              = CRYPTO_ALG_ASYNC,
+               .cra_blocksize          = 1,
+               .cra_ctxsize            = sizeof(struct stm32_cryp_ctx),
+-              .cra_alignmask          = 0xf,
++              .cra_alignmask          = 0,
+               .cra_module             = THIS_MODULE,
+       },
+ },
+@@ -2006,7 +1702,7 @@ static struct aead_alg aead_algs[] = {
+               .cra_flags              = CRYPTO_ALG_ASYNC,
+               .cra_blocksize          = 1,
+               .cra_ctxsize            = sizeof(struct stm32_cryp_ctx),
+-              .cra_alignmask          = 0xf,
++              .cra_alignmask          = 0,
+               .cra_module             = THIS_MODULE,
+       },
+ },
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-cryp-fix-ctr-counter-carry.patch b/queue-5.16/crypto-stm32-cryp-fix-ctr-counter-carry.patch
new file mode 100644 (file)
index 0000000..9450861
--- /dev/null
@@ -0,0 +1,78 @@
+From 744f9924c2c8efd8ffe8c86763e2f0523126ee1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 08:54:55 +0100
+Subject: crypto: stm32/cryp - fix CTR counter carry
+
+From: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+
+[ Upstream commit 41c76690b0990efacd15d35cfb4e77318cd80ebb ]
+
+STM32 CRYP hardware doesn't manage CTR counter bigger than max U32, as
+a workaround, at each block the current IV is saved, if the saved IV
+lower u32 is 0xFFFFFFFF, the full IV is manually incremented, and set
+in hardware.
+Fixes: bbb2832620ac ("crypto: stm32 - Fix sparse warnings")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index 7389a0536ff02..d13b262b36252 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -163,7 +163,7 @@ struct stm32_cryp {
+       struct scatter_walk     in_walk;
+       struct scatter_walk     out_walk;
+-      u32                     last_ctr[4];
++      __be32                  last_ctr[4];
+       u32                     gcm_ctr;
+ };
+@@ -1217,27 +1217,26 @@ static void stm32_cryp_check_ctr_counter(struct stm32_cryp *cryp)
+ {
+       u32 cr;
+-      if (unlikely(cryp->last_ctr[3] == 0xFFFFFFFF)) {
+-              cryp->last_ctr[3] = 0;
+-              cryp->last_ctr[2]++;
+-              if (!cryp->last_ctr[2]) {
+-                      cryp->last_ctr[1]++;
+-                      if (!cryp->last_ctr[1])
+-                              cryp->last_ctr[0]++;
+-              }
++      if (unlikely(cryp->last_ctr[3] == cpu_to_be32(0xFFFFFFFF))) {
++              /*
++               * In this case, we need to increment manually the ctr counter,
++               * as HW doesn't handle the U32 carry.
++               */
++              crypto_inc((u8 *)cryp->last_ctr, sizeof(cryp->last_ctr));
+               cr = stm32_cryp_read(cryp, CRYP_CR);
+               stm32_cryp_write(cryp, CRYP_CR, cr & ~CR_CRYPEN);
+-              stm32_cryp_hw_write_iv(cryp, (__be32 *)cryp->last_ctr);
++              stm32_cryp_hw_write_iv(cryp, cryp->last_ctr);
+               stm32_cryp_write(cryp, CRYP_CR, cr);
+       }
+-      cryp->last_ctr[0] = stm32_cryp_read(cryp, CRYP_IV0LR);
+-      cryp->last_ctr[1] = stm32_cryp_read(cryp, CRYP_IV0RR);
+-      cryp->last_ctr[2] = stm32_cryp_read(cryp, CRYP_IV1LR);
+-      cryp->last_ctr[3] = stm32_cryp_read(cryp, CRYP_IV1RR);
++      /* The IV registers are BE  */
++      cryp->last_ctr[0] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV0LR));
++      cryp->last_ctr[1] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV0RR));
++      cryp->last_ctr[2] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV1LR));
++      cryp->last_ctr[3] = cpu_to_be32(stm32_cryp_read(cryp, CRYP_IV1RR));
+ }
+ static bool stm32_cryp_irq_read_data(struct stm32_cryp *cryp)
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-cryp-fix-double-pm-exit.patch b/queue-5.16/crypto-stm32-cryp-fix-double-pm-exit.patch
new file mode 100644 (file)
index 0000000..9390e6a
--- /dev/null
@@ -0,0 +1,38 @@
+From 93fa162b158d360d247312b854ea6883095519ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 08:54:58 +0100
+Subject: crypto: stm32/cryp - fix double pm exit
+
+From: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+
+[ Upstream commit 6c12e742785bf9333faf60bfb96575bdd763448e ]
+
+Delete extraneous lines in probe error handling code: pm was
+disabled twice.
+
+Fixes: 65f9aa36ee47 ("crypto: stm32/cryp - Add power management support")
+
+Reported-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index fd7fb73a4d450..061db567908ae 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -2134,8 +2134,6 @@ err_engine1:
+       list_del(&cryp->list);
+       spin_unlock(&cryp_list.lock);
+-      pm_runtime_disable(dev);
+-      pm_runtime_put_noidle(dev);
+       pm_runtime_disable(dev);
+       pm_runtime_put_noidle(dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-cryp-fix-lrw-chaining-mode.patch b/queue-5.16/crypto-stm32-cryp-fix-lrw-chaining-mode.patch
new file mode 100644 (file)
index 0000000..68e40f7
--- /dev/null
@@ -0,0 +1,41 @@
+From 604cd72ca52706d065e58073c82dadaf38a549aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 08:54:59 +0100
+Subject: crypto: stm32/cryp - fix lrw chaining mode
+
+From: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+
+[ Upstream commit fa97dc2d48b476ea98199d808d3248d285987e99 ]
+
+This fixes the lrw autotest if lrw uses the CRYP as the AES block cipher
+provider (as ecb(aes)). At end of request, CRYP should not update the IV
+in case of ECB chaining mode. Indeed the ECB chaining mode never uses
+the IV, but the software LRW chaining mode uses the IV field as
+a counter and due to the (unexpected) update done by CRYP while the AES
+block process, the counter get a wrong value when the IV overflow.
+
+Fixes: 5f49f18d27cd ("crypto: stm32/cryp - update to return iv_out")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index 061db567908ae..9943836a5c25c 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -644,7 +644,7 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err)
+               /* Phase 4 : output tag */
+               err = stm32_cryp_read_auth_tag(cryp);
+-      if (!err && (!(is_gcm(cryp) || is_ccm(cryp))))
++      if (!err && (!(is_gcm(cryp) || is_ccm(cryp) || is_ecb(cryp))))
+               stm32_cryp_get_iv(cryp);
+       if (cryp->sgs_copied) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch b/queue-5.16/crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch
new file mode 100644 (file)
index 0000000..2885a0a
--- /dev/null
@@ -0,0 +1,42 @@
+From 67a171a70b0e16127ea9f886fd894bb33509dc67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 08:54:56 +0100
+Subject: crypto: stm32/cryp - fix xts and race condition in crypto_engine
+ requests
+
+From: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+
+[ Upstream commit d703c7a994ee34b7fa89baf21631fca0aa9f17fc ]
+
+Don't erase key:
+If key is erased before the crypto_finalize_.*_request() call, some
+pending process will run with a key={ 0 }.
+Moreover if the key is reset at end of request, it breaks xts chaining
+mode, as for last xts block (in case input len is not a multiple of
+block) a new AES request is started without calling again set_key().
+
+Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module")
+
+Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index d13b262b36252..e2bcc4f98b0ae 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -674,8 +674,6 @@ static void stm32_cryp_finish_req(struct stm32_cryp *cryp, int err)
+       else
+               crypto_finalize_skcipher_request(cryp->engine, cryp->req,
+                                                  err);
+-
+-      memset(cryp->ctx->key, 0, cryp->ctx->keylen);
+ }
+ static int stm32_cryp_cpu_start(struct stm32_cryp *cryp)
+-- 
+2.34.1
+
diff --git a/queue-5.16/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch b/queue-5.16/crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch
new file mode 100644 (file)
index 0000000..d2c0fe2
--- /dev/null
@@ -0,0 +1,73 @@
+From d521b9c163b9282333bae32ca67a2b65ef4ddcea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 17:30:41 +1100
+Subject: crypto: stm32 - Revert broken pm_runtime_resume_and_get changes
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d6b661330a7954d8136df98160d525eb04dcd6a ]
+
+We should not call pm_runtime_resume_and_get where the reference
+count is expected to be incremented unconditionally.  This patch
+reverts these calls to the original unconditional get_sync call.
+
+Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
+Fixes: 747bf30fd944 ("crypto: stm32/cryp - Fix PM reference leak...")
+Fixes: 1cb3ad701970 ("crypto: stm32/hash - Fix PM reference leak...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 3 ++-
+ drivers/crypto/stm32/stm32-hash.c | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index cd57c5bae3ce9..81eb136b6c11d 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -529,7 +529,8 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp)
+ {
+       int ret;
+       u32 cfg, hw_mode;
+-      pm_runtime_resume_and_get(cryp->dev);
++
++      pm_runtime_get_sync(cryp->dev);
+       /* Disable interrupt */
+       stm32_cryp_write(cryp, CRYP_IMSCR, 0);
+diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c
+index 389de9e3302d5..d33006d43f761 100644
+--- a/drivers/crypto/stm32/stm32-hash.c
++++ b/drivers/crypto/stm32/stm32-hash.c
+@@ -813,7 +813,7 @@ static void stm32_hash_finish_req(struct ahash_request *req, int err)
+ static int stm32_hash_hw_init(struct stm32_hash_dev *hdev,
+                             struct stm32_hash_request_ctx *rctx)
+ {
+-      pm_runtime_resume_and_get(hdev->dev);
++      pm_runtime_get_sync(hdev->dev);
+       if (!(HASH_FLAGS_INIT & hdev->flags)) {
+               stm32_hash_write(hdev, HASH_CR, HASH_CR_INIT);
+@@ -962,7 +962,7 @@ static int stm32_hash_export(struct ahash_request *req, void *out)
+       u32 *preg;
+       unsigned int i;
+-      pm_runtime_resume_and_get(hdev->dev);
++      pm_runtime_get_sync(hdev->dev);
+       while ((stm32_hash_read(hdev, HASH_SR) & HASH_SR_BUSY))
+               cpu_relax();
+@@ -1000,7 +1000,7 @@ static int stm32_hash_import(struct ahash_request *req, const void *in)
+       preg = rctx->hw_context;
+-      pm_runtime_resume_and_get(hdev->dev);
++      pm_runtime_get_sync(hdev->dev);
+       stm32_hash_write(hdev, HASH_IMR, *preg++);
+       stm32_hash_write(hdev, HASH_STR, *preg++);
+-- 
+2.34.1
+
diff --git a/queue-5.16/cxl-core-remove-cxld_const_init-in-cxl_decoder_alloc.patch b/queue-5.16/cxl-core-remove-cxld_const_init-in-cxl_decoder_alloc.patch
new file mode 100644 (file)
index 0000000..10ccc18
--- /dev/null
@@ -0,0 +1,94 @@
+From b51191359715d6836a2f44c3ab474ffb29b0a0a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 14:36:27 -0700
+Subject: cxl/core: Remove cxld_const_init in cxl_decoder_alloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit be185c2988b48db65348d94168c793bdbc8d23c3 ]
+
+Commit 48667f676189 ("cxl/core: Split decoder setup into alloc + add")
+aimed to fix a large stack frame warning but from v5 to v6, it
+introduced a new instance of the warning due to allocating
+cxld_const_init on the stack, which was done due to the use of const on
+the nr_target member of the cxl_decoder struct. With ARCH=arm
+allmodconfig minus CONFIG_KASAN:
+
+GCC 11.2.0:
+
+drivers/cxl/core/bus.c: In function ‘cxl_decoder_alloc’:
+drivers/cxl/core/bus.c:523:1: error: the frame size of 1032 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+  523 | }
+      | ^
+cc1: all warnings being treated as errors
+
+Clang 12.0.1:
+
+drivers/cxl/core/bus.c:486:21: error: stack frame size of 1056 bytes in function 'cxl_decoder_alloc' [-Werror,-Wframe-larger-than=]
+struct cxl_decoder *cxl_decoder_alloc(struct cxl_port *port, int nr_targets)
+                    ^
+1 error generated.
+
+Revert that part of the change, which makes the stack frame of
+cxl_decoder_alloc() much more reasonable.
+
+Fixes: 48667f676189 ("cxl/core: Split decoder setup into alloc + add")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1539
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20211210213627.2477370-1-nathan@kernel.org
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/bus.c | 6 ++----
+ drivers/cxl/cxl.h      | 2 +-
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/cxl/core/bus.c b/drivers/cxl/core/bus.c
+index ebd061d039508..46ce58376580b 100644
+--- a/drivers/cxl/core/bus.c
++++ b/drivers/cxl/core/bus.c
+@@ -485,9 +485,7 @@ out_unlock:
+ struct cxl_decoder *cxl_decoder_alloc(struct cxl_port *port, int nr_targets)
+ {
+-      struct cxl_decoder *cxld, cxld_const_init = {
+-              .nr_targets = nr_targets,
+-      };
++      struct cxl_decoder *cxld;
+       struct device *dev;
+       int rc = 0;
+@@ -497,13 +495,13 @@ struct cxl_decoder *cxl_decoder_alloc(struct cxl_port *port, int nr_targets)
+       cxld = kzalloc(struct_size(cxld, target, nr_targets), GFP_KERNEL);
+       if (!cxld)
+               return ERR_PTR(-ENOMEM);
+-      memcpy(cxld, &cxld_const_init, sizeof(cxld_const_init));
+       rc = ida_alloc(&port->decoder_ida, GFP_KERNEL);
+       if (rc < 0)
+               goto err;
+       cxld->id = rc;
++      cxld->nr_targets = nr_targets;
+       dev = &cxld->dev;
+       device_initialize(dev);
+       device_set_pm_not_required(dev);
+diff --git a/drivers/cxl/cxl.h b/drivers/cxl/cxl.h
+index 3af704e9b448e..7c2b51746e318 100644
+--- a/drivers/cxl/cxl.h
++++ b/drivers/cxl/cxl.h
+@@ -191,7 +191,7 @@ struct cxl_decoder {
+       int interleave_granularity;
+       enum cxl_decoder_type target_type;
+       unsigned long flags;
+-      const int nr_targets;
++      int nr_targets;
+       struct cxl_dport *target[];
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch b/queue-5.16/debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch
new file mode 100644 (file)
index 0000000..21b334e
--- /dev/null
@@ -0,0 +1,40 @@
+From 401a8a566d68c81ee06b9e8ca9733984a1f52cd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 18:05:05 +0100
+Subject: debugfs: lockdown: Allow reading debugfs files that are not world
+ readable
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit 358fcf5ddbec4e6706405847d6a666f5933a6c25 ]
+
+When the kernel is locked down the kernel allows reading only debugfs
+files with mode 444. Mode 400 is also valid but is not allowed.
+
+Make the 444 into a mask.
+
+Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Link: https://lore.kernel.org/r/20220104170505.10248-1-msuchanek@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/debugfs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
+index 7d162b0efbf03..950c63fa4d0b2 100644
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -147,7 +147,7 @@ static int debugfs_locked_down(struct inode *inode,
+                              struct file *filp,
+                              const struct file_operations *real_fops)
+ {
+-      if ((inode->i_mode & 07777) == 0444 &&
++      if ((inode->i_mode & 07777 & ~0444) == 0 &&
+           !(filp->f_mode & FMODE_WRITE) &&
+           !real_fops->unlocked_ioctl &&
+           !real_fops->compat_ioctl &&
+-- 
+2.34.1
+
diff --git a/queue-5.16/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch b/queue-5.16/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch
new file mode 100644 (file)
index 0000000..223a802
--- /dev/null
@@ -0,0 +1,45 @@
+From 2b3106bc049760802d446c88a5fcee39ff2ac97b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 13:44:13 +0000
+Subject: dm btree: add a defensive bounds check to insert_at()
+
+From: Joe Thornber <ejt@redhat.com>
+
+[ Upstream commit 85bca3c05b6cca31625437eedf2060e846c4bbad ]
+
+Corrupt metadata could trigger an out of bounds write.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/persistent-data/dm-btree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
+index 0703ca7a7d9a4..5ce64e93aae74 100644
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -81,14 +81,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n,
+ }
+ static int insert_at(size_t value_size, struct btree_node *node, unsigned index,
+-                    uint64_t key, void *value)
+-                    __dm_written_to_disk(value)
++                   uint64_t key, void *value)
++      __dm_written_to_disk(value)
+ {
+       uint32_t nr_entries = le32_to_cpu(node->header.nr_entries);
++      uint32_t max_entries = le32_to_cpu(node->header.max_entries);
+       __le64 key_le = cpu_to_le64(key);
+       if (index > nr_entries ||
+-          index >= le32_to_cpu(node->header.max_entries)) {
++          index >= max_entries ||
++          nr_entries >= max_entries) {
+               DMERR("too many entries in btree node for insert");
+               __dm_unbless_for_disk(value);
+               return -ENOMEM;
+-- 
+2.34.1
+
diff --git a/queue-5.16/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch b/queue-5.16/dm-fix-alloc_dax-error-handling-in-alloc_dev.patch
new file mode 100644 (file)
index 0000000..4ad9f5d
--- /dev/null
@@ -0,0 +1,40 @@
+From 383888701205a2a2fe35a13d4b2491817bea4d61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 11:21:35 +0100
+Subject: dm: fix alloc_dax error handling in alloc_dev
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit d751939235b9b7bc4af15f90a3e99288a8b844a7 ]
+
+Make sure ->dax_dev is NULL on error so that the cleanup path doesn't
+trip over an ERR_PTR.
+
+Reported-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20211129102203.2243509-2-hch@lst.de
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 662742a310cbb..acc84dc1bded5 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1786,8 +1786,10 @@ static struct mapped_device *alloc_dev(int minor)
+       if (IS_ENABLED(CONFIG_DAX_DRIVER)) {
+               md->dax_dev = alloc_dax(md, md->disk->disk_name,
+                                       &dm_dax_ops, 0);
+-              if (IS_ERR(md->dax_dev))
++              if (IS_ERR(md->dax_dev)) {
++                      md->dax_dev = NULL;
+                       goto bad;
++              }
+       }
+       format_dev_t(md->name, MKDEV(_major, minor));
+-- 
+2.34.1
+
diff --git a/queue-5.16/dm-make-the-dax-support-depend-on-config_fs_dax.patch b/queue-5.16/dm-make-the-dax-support-depend-on-config_fs_dax.patch
new file mode 100644 (file)
index 0000000..18baa2d
--- /dev/null
@@ -0,0 +1,127 @@
+From 7454125d3068245671a12c3db5570cd0ce3aeb8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 11:21:36 +0100
+Subject: dm: make the DAX support depend on CONFIG_FS_DAX
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 5d2a228b9e1319ff188f9ea89006fbe575561921 ]
+
+The device mapper DAX support is all hanging off a block device and thus
+can't be used with device dax.  Make it depend on CONFIG_FS_DAX instead
+of CONFIG_DAX_DRIVER.  This also means that bdev_dax_pgoff only needs to
+be built under CONFIG_FS_DAX now.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Mike Snitzer <snitzer@redhat.com>
+Link: https://lore.kernel.org/r/20211129102203.2243509-3-hch@lst.de
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dax/super.c        | 6 ++----
+ drivers/md/dm-linear.c     | 2 +-
+ drivers/md/dm-log-writes.c | 2 +-
+ drivers/md/dm-stripe.c     | 2 +-
+ drivers/md/dm-writecache.c | 2 +-
+ drivers/md/dm.c            | 2 +-
+ 6 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/dax/super.c b/drivers/dax/super.c
+index b882cf8106ea3..e20d0cef10a18 100644
+--- a/drivers/dax/super.c
++++ b/drivers/dax/super.c
+@@ -63,7 +63,7 @@ static int dax_host_hash(const char *host)
+       return hashlen_hash(hashlen_string("DAX", host)) % DAX_HASH_SIZE;
+ }
+-#ifdef CONFIG_BLOCK
++#if defined(CONFIG_BLOCK) && defined(CONFIG_FS_DAX)
+ #include <linux/blkdev.h>
+ int bdev_dax_pgoff(struct block_device *bdev, sector_t sector, size_t size,
+@@ -80,7 +80,6 @@ int bdev_dax_pgoff(struct block_device *bdev, sector_t sector, size_t size,
+ }
+ EXPORT_SYMBOL(bdev_dax_pgoff);
+-#if IS_ENABLED(CONFIG_FS_DAX)
+ /**
+  * dax_get_by_host() - temporary lookup mechanism for filesystem-dax
+  * @host: alternate name for the device registered by a dax driver
+@@ -219,8 +218,7 @@ bool dax_supported(struct dax_device *dax_dev, struct block_device *bdev,
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(dax_supported);
+-#endif /* CONFIG_FS_DAX */
+-#endif /* CONFIG_BLOCK */
++#endif /* CONFIG_BLOCK && CONFIG_FS_DAX */
+ enum dax_device_flags {
+       /* !alive + rcu grace period == no new operations / mappings */
+diff --git a/drivers/md/dm-linear.c b/drivers/md/dm-linear.c
+index 66ba16713f696..0a260c35aeeed 100644
+--- a/drivers/md/dm-linear.c
++++ b/drivers/md/dm-linear.c
+@@ -162,7 +162,7 @@ static int linear_iterate_devices(struct dm_target *ti,
+       return fn(ti, lc->dev, lc->start, ti->len, data);
+ }
+-#if IS_ENABLED(CONFIG_DAX_DRIVER)
++#if IS_ENABLED(CONFIG_FS_DAX)
+ static long linear_dax_direct_access(struct dm_target *ti, pgoff_t pgoff,
+               long nr_pages, void **kaddr, pfn_t *pfn)
+ {
+diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
+index 0b3ef977ceeba..3155875d4e5b0 100644
+--- a/drivers/md/dm-log-writes.c
++++ b/drivers/md/dm-log-writes.c
+@@ -901,7 +901,7 @@ static void log_writes_io_hints(struct dm_target *ti, struct queue_limits *limit
+       limits->io_min = limits->physical_block_size;
+ }
+-#if IS_ENABLED(CONFIG_DAX_DRIVER)
++#if IS_ENABLED(CONFIG_FS_DAX)
+ static int log_dax(struct log_writes_c *lc, sector_t sector, size_t bytes,
+                  struct iov_iter *i)
+ {
+diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
+index 6660b6b53d5bf..f084607220293 100644
+--- a/drivers/md/dm-stripe.c
++++ b/drivers/md/dm-stripe.c
+@@ -300,7 +300,7 @@ static int stripe_map(struct dm_target *ti, struct bio *bio)
+       return DM_MAPIO_REMAPPED;
+ }
+-#if IS_ENABLED(CONFIG_DAX_DRIVER)
++#if IS_ENABLED(CONFIG_FS_DAX)
+ static long stripe_dax_direct_access(struct dm_target *ti, pgoff_t pgoff,
+               long nr_pages, void **kaddr, pfn_t *pfn)
+ {
+diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
+index 4b8991cde223d..4f31591d2d25e 100644
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -38,7 +38,7 @@
+ #define BITMAP_GRANULARITY    PAGE_SIZE
+ #endif
+-#if IS_ENABLED(CONFIG_ARCH_HAS_PMEM_API) && IS_ENABLED(CONFIG_DAX_DRIVER)
++#if IS_ENABLED(CONFIG_ARCH_HAS_PMEM_API) && IS_ENABLED(CONFIG_FS_DAX)
+ #define DM_WRITECACHE_HAS_PMEM
+ #endif
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index acc84dc1bded5..b93fcc91176e5 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1783,7 +1783,7 @@ static struct mapped_device *alloc_dev(int minor)
+       md->disk->private_data = md;
+       sprintf(md->disk->disk_name, "dm-%d", minor);
+-      if (IS_ENABLED(CONFIG_DAX_DRIVER)) {
++      if (IS_ENABLED(CONFIG_FS_DAX)) {
+               md->dax_dev = alloc_dax(md, md->disk->disk_name,
+                                       &dm_dax_ops, 0);
+               if (IS_ERR(md->dax_dev)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch b/queue-5.16/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch
new file mode 100644 (file)
index 0000000..a2738fa
--- /dev/null
@@ -0,0 +1,37 @@
+From 648d4e4904663c6b655aac353b6bd4864cc039ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 13:49:53 +0000
+Subject: dm space map common: add bounds check to sm_ll_lookup_bitmap()
+
+From: Joe Thornber <ejt@redhat.com>
+
+[ Upstream commit cba23ac158db7f3cd48a923d6861bee2eb7a2978 ]
+
+Corrupted metadata could warrant returning error from sm_ll_lookup_bitmap().
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/persistent-data/dm-space-map-common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c
+index 4a6a2a9b4eb49..bfbfa750e0160 100644
+--- a/drivers/md/persistent-data/dm-space-map-common.c
++++ b/drivers/md/persistent-data/dm-space-map-common.c
+@@ -283,6 +283,11 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result)
+       struct disk_index_entry ie_disk;
+       struct dm_block *blk;
++      if (b >= ll->nr_blocks) {
++              DMERR_LIMIT("metadata block out of bounds");
++              return -EINVAL;
++      }
++
+       b = do_div(index, ll->entries_per_block);
+       r = ll->load_ie(ll, index, &ie_disk);
+       if (r < 0)
+-- 
+2.34.1
+
diff --git a/queue-5.16/dma-buf-cma_heap-fix-mutex-locking-section.patch b/queue-5.16/dma-buf-cma_heap-fix-mutex-locking-section.patch
new file mode 100644 (file)
index 0000000..6614122
--- /dev/null
@@ -0,0 +1,55 @@
+From 85ee9a05f51a6790bc4e08453c45d6521438dabb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 15:35:45 +0800
+Subject: dma-buf: cma_heap: Fix mutex locking section
+
+From: Weizhao Ouyang <o451686892@gmail.com>
+
+[ Upstream commit 54329e6f7beea6af56c1230da293acc97d6a6ee7 ]
+
+Fix cma_heap_buffer mutex locking critical section to protect vmap_cnt
+and vaddr.
+
+Fixes: a5d2d29e24be ("dma-buf: heaps: Move heap-helper logic into the cma_heap implementation")
+Signed-off-by: Weizhao Ouyang <o451686892@gmail.com>
+Acked-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220104073545.124244-1-o451686892@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/heaps/cma_heap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma-buf/heaps/cma_heap.c b/drivers/dma-buf/heaps/cma_heap.c
+index 0c05b79870f96..83f02bd51dda6 100644
+--- a/drivers/dma-buf/heaps/cma_heap.c
++++ b/drivers/dma-buf/heaps/cma_heap.c
+@@ -124,10 +124,11 @@ static int cma_heap_dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
+       struct cma_heap_buffer *buffer = dmabuf->priv;
+       struct dma_heap_attachment *a;
++      mutex_lock(&buffer->lock);
++
+       if (buffer->vmap_cnt)
+               invalidate_kernel_vmap_range(buffer->vaddr, buffer->len);
+-      mutex_lock(&buffer->lock);
+       list_for_each_entry(a, &buffer->attachments, list) {
+               if (!a->mapped)
+                       continue;
+@@ -144,10 +145,11 @@ static int cma_heap_dma_buf_end_cpu_access(struct dma_buf *dmabuf,
+       struct cma_heap_buffer *buffer = dmabuf->priv;
+       struct dma_heap_attachment *a;
++      mutex_lock(&buffer->lock);
++
+       if (buffer->vmap_cnt)
+               flush_kernel_vmap_range(buffer->vaddr, buffer->len);
+-      mutex_lock(&buffer->lock);
+       list_for_each_entry(a, &buffer->attachments, list) {
+               if (!a->mapped)
+                       continue;
+-- 
+2.34.1
+
diff --git a/queue-5.16/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch b/queue-5.16/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch
new file mode 100644 (file)
index 0000000..f9e8f42
--- /dev/null
@@ -0,0 +1,63 @@
+From e7b762301b7ba2ddc756df7e84ee553acaa2444f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 23:21:58 +0100
+Subject: dmaengine: pxa/mmp: stop referencing config->slave_id
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 134c37fa250a87a7e77c80a7c59ae16c462e46e0 ]
+
+The last driver referencing the slave_id on Marvell PXA and MMP platforms
+was the SPI driver, but this stopped doing so a long time ago, so the
+TODO from the earlier patch can no be removed.
+
+Fixes: b729bf34535e ("spi/pxa2xx: Don't use slave_id of dma_slave_config")
+Fixes: 13b3006b8ebd ("dma: mmp_pdma: add filter function")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20211122222203.4103644-7-arnd@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mmp_pdma.c | 6 ------
+ drivers/dma/pxa_dma.c  | 7 -------
+ 2 files changed, 13 deletions(-)
+
+diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c
+index a23563cd118b7..5a53d7fcef018 100644
+--- a/drivers/dma/mmp_pdma.c
++++ b/drivers/dma/mmp_pdma.c
+@@ -727,12 +727,6 @@ static int mmp_pdma_config_write(struct dma_chan *dchan,
+       chan->dir = direction;
+       chan->dev_addr = addr;
+-      /* FIXME: drivers should be ported over to use the filter
+-       * function. Once that's done, the following two lines can
+-       * be removed.
+-       */
+-      if (cfg->slave_id)
+-              chan->drcmr = cfg->slave_id;
+       return 0;
+ }
+diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c
+index 52d04641e3611..6078cc81892e4 100644
+--- a/drivers/dma/pxa_dma.c
++++ b/drivers/dma/pxa_dma.c
+@@ -909,13 +909,6 @@ static void pxad_get_config(struct pxad_chan *chan,
+               *dcmd |= PXA_DCMD_BURST16;
+       else if (maxburst == 32)
+               *dcmd |= PXA_DCMD_BURST32;
+-
+-      /* FIXME: drivers should be ported over to use the filter
+-       * function. Once that's done, the following two lines can
+-       * be removed.
+-       */
+-      if (chan->cfg.slave_id)
+-              chan->drcmr = chan->cfg.slave_id;
+ }
+ static struct dma_async_tx_descriptor *
+-- 
+2.34.1
+
diff --git a/queue-5.16/drivers-firmware-add-missing-platform_device_put-in-.patch b/queue-5.16/drivers-firmware-add-missing-platform_device_put-in-.patch
new file mode 100644 (file)
index 0000000..1d38b38
--- /dev/null
@@ -0,0 +1,48 @@
+From 6ab32d71931b223f9d8966e7a217c6c6519d9d7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Dec 2021 08:04:25 +0000
+Subject: drivers/firmware: Add missing platform_device_put() in
+ sysfb_create_simplefb
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 0589e8889dce8e0f0ea5bbf757f38865e2a469c1 ]
+
+Add the missing platform_device_put() before return from
+sysfb_create_simplefb() in the error handling case.
+
+Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20211231080431.15385-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/sysfb_simplefb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/sysfb_simplefb.c b/drivers/firmware/sysfb_simplefb.c
+index b86761904949c..303a491e520d1 100644
+--- a/drivers/firmware/sysfb_simplefb.c
++++ b/drivers/firmware/sysfb_simplefb.c
+@@ -113,12 +113,16 @@ __init int sysfb_create_simplefb(const struct screen_info *si,
+       sysfb_apply_efi_quirks(pd);
+       ret = platform_device_add_resources(pd, &res, 1);
+-      if (ret)
++      if (ret) {
++              platform_device_put(pd);
+               return ret;
++      }
+       ret = platform_device_add_data(pd, mode, sizeof(*mode));
+-      if (ret)
++      if (ret) {
++              platform_device_put(pd);
+               return ret;
++      }
+       return platform_device_add(pd);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-amdgpu-fix-gmc-bo-pin-count-leak-in-sriov.patch b/queue-5.16/drm-amd-amdgpu-fix-gmc-bo-pin-count-leak-in-sriov.patch
new file mode 100644 (file)
index 0000000..e8790cb
--- /dev/null
@@ -0,0 +1,68 @@
+From 6ea93c4f7b81e8aa1b4c680d46fe7d8fc459327b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 11:50:39 +0800
+Subject: drm/amd/amdgpu: fix gmc bo pin count leak in SRIOV
+
+From: Jingwen Chen <Jingwen.Chen2@amd.com>
+
+[ Upstream commit 948e7ce01413b71395723aaf846015062aea3a43 ]
+
+[Why]
+gmc bo will be pinned during loading amdgpu and reset in SRIOV while
+only unpinned in unload amdgpu
+
+[How]
+add amdgpu_in_reset and sriov judgement to skip pin bo
+
+v2: fix wrong judgement
+
+Signed-off-by: Jingwen Chen <Jingwen.Chen2@amd.com>
+Reviewed-by: Horace Chen <horace.chen@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 4 ++++
+ drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c  | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c
+index 3ec5ff5a6dbe6..61ec6145bbb16 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c
+@@ -992,10 +992,14 @@ static int gmc_v10_0_gart_enable(struct amdgpu_device *adev)
+               return -EINVAL;
+       }
++      if (amdgpu_sriov_vf(adev) && amdgpu_in_reset(adev))
++              goto skip_pin_bo;
++
+       r = amdgpu_gart_table_vram_pin(adev);
+       if (r)
+               return r;
++skip_pin_bo:
+       r = adev->gfxhub.funcs->gart_enable(adev);
+       if (r)
+               return r;
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+index d84523cf5f759..4420c264c554c 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+@@ -1714,10 +1714,14 @@ static int gmc_v9_0_gart_enable(struct amdgpu_device *adev)
+               return -EINVAL;
+       }
++      if (amdgpu_sriov_vf(adev) && amdgpu_in_reset(adev))
++              goto skip_pin_bo;
++
+       r = amdgpu_gart_table_vram_pin(adev);
+       if (r)
+               return r;
++skip_pin_bo:
+       r = adev->gfxhub.funcs->gart_enable(adev);
+       if (r)
+               return r;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-amdgpu-fix-psp-tmr-bo-pin-count-leak-in-srio.patch b/queue-5.16/drm-amd-amdgpu-fix-psp-tmr-bo-pin-count-leak-in-srio.patch
new file mode 100644 (file)
index 0000000..8de9144
--- /dev/null
@@ -0,0 +1,50 @@
+From 51b0bb2149d04e83c72f0decc8ff7b331c71431d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 11:31:16 +0800
+Subject: drm/amd/amdgpu: fix psp tmr bo pin count leak in SRIOV
+
+From: Jingwen Chen <Jingwen.Chen2@amd.com>
+
+[ Upstream commit 85dfc1d692c9434c37842e610be37cd4ae4e0081 ]
+
+[Why]
+psp tmr bo will be pinned during loading amdgpu and reset in SRIOV while
+only unpinned in unload amdgpu
+
+[How]
+add amdgpu_in_reset and sriov judgement to skip pin bo
+
+v2: fix wrong judgement
+
+Signed-off-by: Jingwen Chen <Jingwen.Chen2@amd.com>
+Reviewed-by: Horace Chen <horace.chen@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+index c641f84649d6b..d011ae7e50a54 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -2017,12 +2017,16 @@ static int psp_hw_start(struct psp_context *psp)
+               return ret;
+       }
++      if (amdgpu_sriov_vf(adev) && amdgpu_in_reset(adev))
++              goto skip_pin_bo;
++
+       ret = psp_tmr_init(psp);
+       if (ret) {
+               DRM_ERROR("PSP tmr init failed!\n");
+               return ret;
+       }
++skip_pin_bo:
+       /*
+        * For ASICs with DF Cstate management centralized
+        * to PMFW, TMR setup should be performed after PMFW
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-add-else-to-avoid-double-destroy-clk.patch b/queue-5.16/drm-amd-display-add-else-to-avoid-double-destroy-clk.patch
new file mode 100644 (file)
index 0000000..9ea3bd9
--- /dev/null
@@ -0,0 +1,40 @@
+From f9cb2f48cbdd8a278ceed08a7178b94d329aecd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 17:59:31 -0500
+Subject: drm/amd/display: add else to avoid double destroy clk_mgr
+
+From: Martin Leung <Martin.Leung@amd.com>
+
+[ Upstream commit 11dff0e871037a6ad978e52f826a2eb7f5fb274a ]
+
+[Why & How]
+when changing some code we accidentally
+changed else if-> if. reverting that.
+
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
+Signed-off-by: Martin Leung <Martin.Leung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+index 26f96ee324729..9200c8ce02ba9 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+@@ -308,8 +308,7 @@ void dc_destroy_clk_mgr(struct clk_mgr *clk_mgr_base)
+       case FAMILY_NV:
+               if (ASICREV_IS_SIENNA_CICHLID_P(clk_mgr_base->ctx->asic_id.hw_internal_rev)) {
+                       dcn3_clk_mgr_destroy(clk_mgr);
+-              }
+-              if (ASICREV_IS_DIMGREY_CAVEFISH_P(clk_mgr_base->ctx->asic_id.hw_internal_rev)) {
++              } else if (ASICREV_IS_DIMGREY_CAVEFISH_P(clk_mgr_base->ctx->asic_id.hw_internal_rev)) {
+                       dcn3_clk_mgr_destroy(clk_mgr);
+               }
+               if (ASICREV_IS_BEIGE_GOBY_P(clk_mgr_base->ctx->asic_id.hw_internal_rev)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-check-top_pipe_to_program-pointer.patch b/queue-5.16/drm-amd-display-check-top_pipe_to_program-pointer.patch
new file mode 100644 (file)
index 0000000..d40c23a
--- /dev/null
@@ -0,0 +1,47 @@
+From 75fef218f71d74c4d740aa6ae37f38a104a8deea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 16:10:19 +0800
+Subject: drm/amd/display: check top_pipe_to_program pointer
+
+From: Yang Li <yang.lee@linux.alibaba.com>
+
+[ Upstream commit a689e8d1f80012f90384ebac9dcfac4201f9f77e ]
+
+Clang static analysis reports this error
+
+drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:2870:7: warning:
+Dereference of null pointer [clang-analyzer-core.NullDereference]
+                if
+(top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) {
+                    ^
+
+top_pipe_to_program being NULL is caught as an error
+But then it is used to report the error.
+
+So add a check before using it.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index 0ded4decee05f..f0fbd8ad56229 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -2870,7 +2870,8 @@ static void commit_planes_for_stream(struct dc *dc,
+ #endif
+       if ((update_type != UPDATE_TYPE_FAST) && stream->update_flags.bits.dsc_changed)
+-              if (top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) {
++              if (top_pipe_to_program &&
++                      top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) {
+                       if (should_use_dmub_lock(stream->link)) {
+                               union dmub_hw_lock_flags hw_locks = { 0 };
+                               struct dmub_hw_lock_inst_flags inst_flags = { 0 };
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-fix-bug-in-debugfs-crc_win_update-en.patch b/queue-5.16/drm-amd-display-fix-bug-in-debugfs-crc_win_update-en.patch
new file mode 100644 (file)
index 0000000..86b2913
--- /dev/null
@@ -0,0 +1,52 @@
+From 7fa94435526a9d9c0140724ccf3d9d0e31aca69f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 15:19:57 +0800
+Subject: drm/amd/display: Fix bug in debugfs crc_win_update entry
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+[ Upstream commit 4bef85d4c9491415b7931407b07f24841c1e0390 ]
+
+[Why]
+crc_rd_wrk shouldn't be null in crc_win_update_set(). Current programming
+logic is inconsistent in crc_win_update_set().
+
+[How]
+Initially, return if crc_rd_wrk is NULL. Later on, we can use member of
+crc_rd_wrk safely.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 9a65df193108 ("drm/amd/display: Use PSP TA to read out crc")
+
+Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Acked-by: Pavle Kotarac <Pavle.Kotarac@amd.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index 9d43ecb1f692d..f4e829ec8e108 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -2909,10 +2909,13 @@ static int crc_win_update_set(void *data, u64 val)
+       struct amdgpu_device *adev = drm_to_adev(new_crtc->dev);
+       struct crc_rd_work *crc_rd_wrk = adev->dm.crc_rd_wrk;
++      if (!crc_rd_wrk)
++              return 0;
++
+       if (val) {
+               spin_lock_irq(&adev_to_drm(adev)->event_lock);
+               spin_lock_irq(&crc_rd_wrk->crc_rd_work_lock);
+-              if (crc_rd_wrk && crc_rd_wrk->crtc) {
++              if (crc_rd_wrk->crtc) {
+                       old_crtc = crc_rd_wrk->crtc;
+                       old_acrtc = to_amdgpu_crtc(old_crtc);
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-fix-dereference-before-null-check.patch b/queue-5.16/drm-amd-display-fix-dereference-before-null-check.patch
new file mode 100644 (file)
index 0000000..907c450
--- /dev/null
@@ -0,0 +1,48 @@
+From 38d96844740a09a21f8410883288e20b49728f26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Dec 2021 12:16:14 +0100
+Subject: drm/amd/display: fix dereference before NULL check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit f28cad86ada1a7345d7bbd379bef5a8babfa791b ]
+
+The "plane_state" pointer was access before checking if it was NULL.
+
+Avoid a possible NULL pointer dereference by accessing the plane
+address after the check.
+
+Addresses-Coverity-ID: 1493892 ("Dereference before null check")
+Fixes: 3f68c01be9a22 ("drm/amd/display: add cyan_skillfish display support")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn201/dcn201_hwseq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn201/dcn201_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn201/dcn201_hwseq.c
+index cfd09b3f705e9..fe22530242d2e 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn201/dcn201_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn201/dcn201_hwseq.c
+@@ -134,11 +134,12 @@ void dcn201_update_plane_addr(const struct dc *dc, struct pipe_ctx *pipe_ctx)
+       PHYSICAL_ADDRESS_LOC addr;
+       struct dc_plane_state *plane_state = pipe_ctx->plane_state;
+       struct dce_hwseq *hws = dc->hwseq;
+-      struct dc_plane_address uma = plane_state->address;
++      struct dc_plane_address uma;
+       if (plane_state == NULL)
+               return;
++      uma = plane_state->address;
+       addr_patched = patch_address_for_sbs_tb_stereo(pipe_ctx, &addr);
+       plane_address_in_gpu_space_to_uma(hws, &uma);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-fix-out-of-bounds-access-on-dnc31-st.patch b/queue-5.16/drm-amd-display-fix-out-of-bounds-access-on-dnc31-st.patch
new file mode 100644 (file)
index 0000000..1369ea6
--- /dev/null
@@ -0,0 +1,48 @@
+From a42af763194bec92661698cf9b0d71addc8afe83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 09:46:39 -0500
+Subject: drm/amd/display: Fix out of bounds access on DNC31 stream encoder
+ regs
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+[ Upstream commit d374d3b493215d637b9e7be12a93f22caf4c1f97 ]
+
+[Why]
+During dcn31_stream_encoder_create, if PHYC/D get remapped to F/G on B0
+then we'll index 5 or 6 into a array of length 5 - leading to an
+access violation on some configs during device creation.
+
+[How]
+Software won't be touching PHYF/PHYG directly, so just extend the
+array to cover all possible engine IDs.
+
+Even if it does by try to access one of these registers by accident
+the offset will be 0 and we'll get a warning during the access.
+
+Fixes: 2fe9a0e1173f ("drm/amd/display: Fix DCN3 B0 DP Alt Mapping")
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+index 27afbe6ec0fee..f969ff65f802b 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+@@ -493,7 +493,8 @@ static const struct dcn31_apg_mask apg_mask = {
+       SE_DCN3_REG_LIST(id)\
+ }
+-static const struct dcn10_stream_enc_registers stream_enc_regs[] = {
++/* Some encoders won't be initialized here - but they're logical, not physical. */
++static const struct dcn10_stream_enc_registers stream_enc_regs[ENGINE_ID_COUNT] = {
+       stream_enc_regs(0),
+       stream_enc_regs(1),
+       stream_enc_regs(2),
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-invalid-parameter-check-in-dmub_hpd_.patch b/queue-5.16/drm-amd-display-invalid-parameter-check-in-dmub_hpd_.patch
new file mode 100644 (file)
index 0000000..685c154
--- /dev/null
@@ -0,0 +1,52 @@
+From e70bec27ce0c7e9b6489aa6fe88ee185f64e59b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jan 2022 19:42:45 +0100
+Subject: drm/amd/display: invalid parameter check in dmub_hpd_callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 978ffac878fd64039f95798b15b430032d2d89d5 ]
+
+The function performs a check on the "adev" input parameter, however, it
+is used before the check.
+
+Initialize the "dev" variable after the sanity check to avoid a possible
+NULL pointer dereference.
+
+Fixes: e27c41d5b0681 ("drm/amd/display: Support for DMUB HPD interrupt handling")
+Addresses-Coverity-ID: 1493909 ("Null pointer dereference")
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 46d38d528468c..3a227e9d8dfcb 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -656,7 +656,7 @@ void dmub_hpd_callback(struct amdgpu_device *adev, struct dmub_notification *not
+       struct drm_connector_list_iter iter;
+       struct dc_link *link;
+       uint8_t link_index = 0;
+-      struct drm_device *dev = adev->dm.ddev;
++      struct drm_device *dev;
+       if (adev == NULL)
+               return;
+@@ -673,6 +673,7 @@ void dmub_hpd_callback(struct amdgpu_device *adev, struct dmub_notification *not
+       link_index = notify->link_index;
+       link = adev->dm.dc->links[link_index];
++      dev = adev->dm.ddev;
+       drm_connector_list_iter_begin(dev, &iter);
+       drm_for_each_connector_iter(connector, &iter) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amd-display-use-oriented-source-size-when-checki.patch b/queue-5.16/drm-amd-display-use-oriented-source-size-when-checki.patch
new file mode 100644 (file)
index 0000000..af38332
--- /dev/null
@@ -0,0 +1,104 @@
+From 84e12cd014ec5ee507e7c01b81840d35cb45dcf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 14:52:15 +0200
+Subject: drm/amd/display: Use oriented source size when checking cursor
+ scaling
+
+From: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
+
+[ Upstream commit 69cb56290d9d10cdcc461aa2685e67e540507a96 ]
+
+dm_check_crtc_cursor() doesn't take into account plane transforms when
+calculating plane scaling, this can result in false positives.
+
+For example, if there's an output with resolution 3840x2160 and the
+output is rotated 90 degrees, CRTC_W and CRTC_H will be 3840 and 2160,
+respectively, but SRC_W and SRC_H will be 2160 and 3840, respectively.
+
+Since the cursor plane usually has a square buffer attached to it, the
+dm_check_crtc_cursor() will think that there's a scale factor mismatch
+even though there isn't really.
+
+This fixes an issue where kwin fails to use hardware plane transforms.
+
+Changes since version 1:
+- s/orientated/oriented/g
+
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 35 ++++++++++++++-----
+ 1 file changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index e12f841d1d110..46d38d528468c 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10662,6 +10662,24 @@ static int dm_update_plane_state(struct dc *dc,
+       return ret;
+ }
++static void dm_get_oriented_plane_size(struct drm_plane_state *plane_state,
++                                     int *src_w, int *src_h)
++{
++      switch (plane_state->rotation & DRM_MODE_ROTATE_MASK) {
++      case DRM_MODE_ROTATE_90:
++      case DRM_MODE_ROTATE_270:
++              *src_w = plane_state->src_h >> 16;
++              *src_h = plane_state->src_w >> 16;
++              break;
++      case DRM_MODE_ROTATE_0:
++      case DRM_MODE_ROTATE_180:
++      default:
++              *src_w = plane_state->src_w >> 16;
++              *src_h = plane_state->src_h >> 16;
++              break;
++      }
++}
++
+ static int dm_check_crtc_cursor(struct drm_atomic_state *state,
+                               struct drm_crtc *crtc,
+                               struct drm_crtc_state *new_crtc_state)
+@@ -10670,6 +10688,8 @@ static int dm_check_crtc_cursor(struct drm_atomic_state *state,
+       struct drm_plane_state *new_cursor_state, *new_underlying_state;
+       int i;
+       int cursor_scale_w, cursor_scale_h, underlying_scale_w, underlying_scale_h;
++      int cursor_src_w, cursor_src_h;
++      int underlying_src_w, underlying_src_h;
+       /* On DCE and DCN there is no dedicated hardware cursor plane. We get a
+        * cursor per pipe but it's going to inherit the scaling and
+@@ -10681,10 +10701,9 @@ static int dm_check_crtc_cursor(struct drm_atomic_state *state,
+               return 0;
+       }
+-      cursor_scale_w = new_cursor_state->crtc_w * 1000 /
+-                       (new_cursor_state->src_w >> 16);
+-      cursor_scale_h = new_cursor_state->crtc_h * 1000 /
+-                       (new_cursor_state->src_h >> 16);
++      dm_get_oriented_plane_size(new_cursor_state, &cursor_src_w, &cursor_src_h);
++      cursor_scale_w = new_cursor_state->crtc_w * 1000 / cursor_src_w;
++      cursor_scale_h = new_cursor_state->crtc_h * 1000 / cursor_src_h;
+       for_each_new_plane_in_state_reverse(state, underlying, new_underlying_state, i) {
+               /* Narrow down to non-cursor planes on the same CRTC as the cursor */
+@@ -10695,10 +10714,10 @@ static int dm_check_crtc_cursor(struct drm_atomic_state *state,
+               if (!new_underlying_state->fb)
+                       continue;
+-              underlying_scale_w = new_underlying_state->crtc_w * 1000 /
+-                                   (new_underlying_state->src_w >> 16);
+-              underlying_scale_h = new_underlying_state->crtc_h * 1000 /
+-                                   (new_underlying_state->src_h >> 16);
++              dm_get_oriented_plane_size(new_underlying_state,
++                                         &underlying_src_w, &underlying_src_h);
++              underlying_scale_w = new_underlying_state->crtc_w * 1000 / underlying_src_w;
++              underlying_scale_h = new_underlying_state->crtc_h * 1000 / underlying_src_h;
+               if (cursor_scale_w != underlying_scale_w ||
+                   cursor_scale_h != underlying_scale_h) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch b/queue-5.16/drm-amdgpu-display-set-vblank_disable_immediate-for-.patch
new file mode 100644 (file)
index 0000000..cbaf9e5
--- /dev/null
@@ -0,0 +1,50 @@
+From d478d2b71b4f2502dafc788ac6f1b2d529bd7fd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 10:23:25 -0500
+Subject: drm/amdgpu/display: set vblank_disable_immediate for DC
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 92020e81ddbeac351ea4a19bcf01743f32b9c800 ]
+
+Disable vblanks immediately to save power.  I think this was
+missed when we merged DC support.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1781
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c           | 1 -
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+index cc2e0c9cfe0a1..4f3c62adccbde 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+@@ -333,7 +333,6 @@ int amdgpu_irq_init(struct amdgpu_device *adev)
+       if (!amdgpu_device_has_dc_support(adev)) {
+               if (!adev->enable_virtual_display)
+                       /* Disable vblank IRQs aggressively for power-saving */
+-                      /* XXX: can this be enabled for DC? */
+                       adev_to_drm(adev)->vblank_disable_immediate = true;
+               r = drm_vblank_init(adev_to_drm(adev), adev->mode_info.num_crtc);
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 05f7ffd6a28da..e12f841d1d110 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1597,6 +1597,9 @@ static int amdgpu_dm_init(struct amdgpu_device *adev)
+       adev_to_drm(adev)->mode_config.cursor_width = adev->dm.dc->caps.max_cursor_size;
+       adev_to_drm(adev)->mode_config.cursor_height = adev->dm.dc->caps.max_cursor_size;
++      /* Disable vblank IRQs aggressively for power-saving */
++      adev_to_drm(adev)->vblank_disable_immediate = true;
++
+       if (drm_vblank_init(adev_to_drm(adev), adev->dm.display_indexes_num)) {
+               DRM_ERROR(
+               "amdgpu: failed to initialize sw for display support.\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdgpu-don-t-inherit-gem-object-vmas-in-child-pr.patch b/queue-5.16/drm-amdgpu-don-t-inherit-gem-object-vmas-in-child-pr.patch
new file mode 100644 (file)
index 0000000..b850104
--- /dev/null
@@ -0,0 +1,60 @@
+From e022b5582796dff89fcb542f0507dd93307d494c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 15:15:04 -0500
+Subject: drm/amdgpu: Don't inherit GEM object VMAs in child process
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rajneesh Bhardwaj <rajneesh.bhardwaj@amd.com>
+
+[ Upstream commit fbcdbfde87509d523132b59f661a355c731139d0 ]
+
+When an application having open file access to a node forks, its shared
+mappings also get reflected in the address space of child process even
+though it cannot access them with the object permissions applied. With the
+existing permission checks on the gem objects, it might be reasonable to
+also create the VMAs with VM_DONTCOPY flag so a user space application
+doesn't need to explicitly call the madvise(addr, len, MADV_DONTFORK)
+system call to prevent the pages in the mapped range to appear in the
+address space of the child process. It also prevents the memory leaks
+due to additional reference counts on the mapped BOs in the child
+process that prevented freeing the memory in the parent for which we had
+worked around earlier in the user space inside the thunk library.
+
+Additionally, we faced this issue when using CRIU to checkpoint restore
+an application that had such inherited mappings in the child which
+confuse CRIU when it mmaps on restore. Having this flag set for the
+render node VMAs helps. VMAs mapped via KFD already take care of this so
+this is needed only for the render nodes.
+
+To limit the impact of the change to user space consumers such as OpenGL
+etc, limit it to KFD BOs only.
+
+Acked-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: David Yat Sin <david.yatsin@amd.com>
+Signed-off-by: Rajneesh Bhardwaj <rajneesh.bhardwaj@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+index a1e63ba4c54a5..630dc99e49086 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+@@ -264,6 +264,9 @@ static int amdgpu_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_str
+           !(vma->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)))
+               vma->vm_flags &= ~VM_MAYWRITE;
++      if (bo->kfd_bo)
++              vma->vm_flags |= VM_DONTCOPY;
++
+       return drm_gem_ttm_mmap(obj, vma);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch b/queue-5.16/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch
new file mode 100644 (file)
index 0000000..412ff80
--- /dev/null
@@ -0,0 +1,65 @@
+From 032252d2c7c66512626a8617306db76c888df435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 00:17:36 +0800
+Subject: drm/amdgpu: Fix a NULL pointer dereference in
+ amdgpu_connector_lcd_native_mode()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit b220110e4cd442156f36e1d9b4914bb9e87b0d00 ]
+
+In amdgpu_connector_lcd_native_mode(), the return value of
+drm_mode_duplicate() is assigned to mode, and there is a dereference
+of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL
+pointer dereference on failure of drm_mode_duplicate().
+
+Fix this bug add a check of mode.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and
+our static analyzer no longer warns about this code.
+
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index 0de66f59adb8a..df1f9b88a53f9 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
+           native_mode->vdisplay != 0 &&
+           native_mode->clock != 0) {
+               mode = drm_mode_duplicate(dev, native_mode);
++              if (!mode)
++                      return NULL;
++
+               mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
+               drm_mode_set_name(mode);
+@@ -401,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
+                * simpler.
+                */
+               mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
++              if (!mode)
++                      return NULL;
++
+               mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
+               DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdgpu-fix-amdgpu_ras_mca_query_error_status-sco.patch b/queue-5.16/drm-amdgpu-fix-amdgpu_ras_mca_query_error_status-sco.patch
new file mode 100644 (file)
index 0000000..a7e224b
--- /dev/null
@@ -0,0 +1,48 @@
+From f77a50206308573eb78daeff5a4876ef5f26cc40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 12:47:19 -0300
+Subject: drm/amdgpu: fix amdgpu_ras_mca_query_error_status scope
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Isabella Basso <isabbasso@riseup.net>
+
+[ Upstream commit 929bb8e200412da36aca4b61209ec26283f9c184 ]
+
+This commit fixes the compile-time warning below:
+
+ warning: no previous prototype for ‘amdgpu_ras_mca_query_error_status’
+ [-Wmissing-prototypes]
+
+Changes since v1:
+- As suggested by Alexander Deucher:
+  1. Make function static instead of adding prototype.
+
+Signed-off-by: Isabella Basso <isabbasso@riseup.net>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+index 08133de21fdd6..26b7a4a0b44b7 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+@@ -867,9 +867,9 @@ static int amdgpu_ras_enable_all_features(struct amdgpu_device *adev,
+ /* feature ctl end */
+-void amdgpu_ras_mca_query_error_status(struct amdgpu_device *adev,
+-                                     struct ras_common_if *ras_block,
+-                                     struct ras_err_data  *err_data)
++static void amdgpu_ras_mca_query_error_status(struct amdgpu_device *adev,
++                                            struct ras_common_if *ras_block,
++                                            struct ras_err_data  *err_data)
+ {
+       switch (ras_block->sub_block_index) {
+       case AMDGPU_RAS_MCA_BLOCK__MP0:
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch b/queue-5.16/drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch
new file mode 100644 (file)
index 0000000..0afb25c
--- /dev/null
@@ -0,0 +1,61 @@
+From e354c825db3a2ddf61d2fbd12d1df2e55b0a5e1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 17:23:37 +0800
+Subject: drm/amdgpu: fixup bad vram size on gmc v8
+
+From: Zongmin Zhou <zhouzongmin@kylinos.cn>
+
+[ Upstream commit 11544d77e3974924c5a9c8a8320b996a3e9b2f8b ]
+
+Some boards(like RX550) seem to have garbage in the upper
+16 bits of the vram size register.  Check for
+this and clamp the size properly.  Fixes
+boards reporting bogus amounts of vram.
+
+after add this patch,the maximum GPU VRAM size is 64GB,
+otherwise only 64GB vram size will be used.
+
+Signed-off-by: Zongmin Zhou<zhouzongmin@kylinos.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+index 492ebed2915be..63b890f1e8afb 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -515,10 +515,10 @@ static void gmc_v8_0_mc_program(struct amdgpu_device *adev)
+ static int gmc_v8_0_mc_init(struct amdgpu_device *adev)
+ {
+       int r;
++      u32 tmp;
+       adev->gmc.vram_width = amdgpu_atombios_get_vram_width(adev);
+       if (!adev->gmc.vram_width) {
+-              u32 tmp;
+               int chansize, numchan;
+               /* Get VRAM informations */
+@@ -562,8 +562,15 @@ static int gmc_v8_0_mc_init(struct amdgpu_device *adev)
+               adev->gmc.vram_width = numchan * chansize;
+       }
+       /* size in MB on si */
+-      adev->gmc.mc_vram_size = RREG32(mmCONFIG_MEMSIZE) * 1024ULL * 1024ULL;
+-      adev->gmc.real_vram_size = RREG32(mmCONFIG_MEMSIZE) * 1024ULL * 1024ULL;
++      tmp = RREG32(mmCONFIG_MEMSIZE);
++      /* some boards may have garbage in the upper 16 bits */
++      if (tmp & 0xffff0000) {
++              DRM_INFO("Probable bad vram size: 0x%08x\n", tmp);
++              if (tmp & 0xffff)
++                      tmp &= 0xffff;
++      }
++      adev->gmc.mc_vram_size = tmp * 1024ULL * 1024ULL;
++      adev->gmc.real_vram_size = adev->gmc.mc_vram_size;
+       if (!(adev->flags & AMD_IS_APU)) {
+               r = amdgpu_device_resize_fb_bar(adev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdgpu-use-spin_lock_irqsave-to-avoid-deadlock-b.patch b/queue-5.16/drm-amdgpu-use-spin_lock_irqsave-to-avoid-deadlock-b.patch
new file mode 100644 (file)
index 0000000..26b96e8
--- /dev/null
@@ -0,0 +1,59 @@
+From 13bfa07ab7a59fffc4267508895982623592ef1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 16:31:20 +0800
+Subject: drm/amdgpu: use spin_lock_irqsave to avoid deadlock by local
+ interrupt
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 2096b74b1da5ca418827b54ac4904493bd9de89c ]
+
+This is observed in SRIOV case with virtual KMS as display.
+
+_raw_spin_lock_irqsave+0x37/0x40
+drm_handle_vblank+0x69/0x350 [drm]
+? try_to_wake_up+0x432/0x5c0
+? amdgpu_vkms_prepare_fb+0x1c0/0x1c0 [amdgpu]
+drm_crtc_handle_vblank+0x17/0x20 [drm]
+amdgpu_vkms_vblank_simulate+0x4d/0x80 [amdgpu]
+__hrtimer_run_queues+0xfb/0x230
+hrtimer_interrupt+0x109/0x220
+__sysvec_apic_timer_interrupt+0x64/0xe0
+asm_call_irq_on_stack+0x12/0x20
+
+Fixes: 84ec374bd580 ("drm/amdgpu: create amdgpu_vkms (v4)")
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Tested-by: Kelly Zytaruk <kelly.zytaruk@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c
+index ac9a8cd21c4b6..7d58bf410be05 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c
+@@ -142,15 +142,16 @@ static void amdgpu_vkms_crtc_atomic_disable(struct drm_crtc *crtc,
+ static void amdgpu_vkms_crtc_atomic_flush(struct drm_crtc *crtc,
+                                         struct drm_atomic_state *state)
+ {
++      unsigned long flags;
+       if (crtc->state->event) {
+-              spin_lock(&crtc->dev->event_lock);
++              spin_lock_irqsave(&crtc->dev->event_lock, flags);
+               if (drm_crtc_vblank_get(crtc) != 0)
+                       drm_crtc_send_vblank_event(crtc, crtc->state->event);
+               else
+                       drm_crtc_arm_vblank_event(crtc, crtc->state->event);
+-              spin_unlock(&crtc->dev->event_lock);
++              spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
+               crtc->state->event = NULL;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdkfd-check-for-null-pointer-after-calling-kmem.patch b/queue-5.16/drm-amdkfd-check-for-null-pointer-after-calling-kmem.patch
new file mode 100644 (file)
index 0000000..96b5d2d
--- /dev/null
@@ -0,0 +1,41 @@
+From 505f03bb3a1b2bb9375d4cf5d4faddaf202e2268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 17:09:43 +0800
+Subject: drm/amdkfd: Check for null pointer after calling kmemdup
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit abfaf0eee97925905e742aa3b0b72e04a918fa9e ]
+
+As the possible failure of the allocation, kmemdup() may return NULL
+pointer.
+Therefore, it should be better to check the 'props2' in order to prevent
+the dereference of NULL pointer.
+
+Fixes: 3a87177eb141 ("drm/amdkfd: Add topology support for dGPUs")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
+index cfedfb1e8596c..c33d689f29e8e 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
+@@ -1060,6 +1060,9 @@ static int kfd_parse_subtype_iolink(struct crat_subtype_iolink *iolink,
+                       return -ENODEV;
+               /* same everything but the other direction */
+               props2 = kmemdup(props, sizeof(*props2), GFP_KERNEL);
++              if (!props2)
++                      return -ENOMEM;
++
+               props2->node_from = id_to;
+               props2->node_to = id_from;
+               props2->kobj = NULL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-amdkfd-fix-error-handling-in-svm_range_add.patch b/queue-5.16/drm-amdkfd-fix-error-handling-in-svm_range_add.patch
new file mode 100644 (file)
index 0000000..c840d17
--- /dev/null
@@ -0,0 +1,239 @@
+From 740d643ee3993de800eb619fc64954da705f76ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 20:23:14 -0500
+Subject: drm/amdkfd: Fix error handling in svm_range_add
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+[ Upstream commit 726be40607264b180a2b336c81e1dcff941de618 ]
+
+Add null-pointer check after the last svm_range_new call. This was
+originally reported by Zhou Qingyang <zhou1615@umn.edu> based on a
+static analyzer.
+
+To avoid duplicating the unwinding code from svm_range_handle_overlap,
+I merged the two functions into one.
+
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Cc: Zhou Qingyang <zhou1615@umn.edu>
+Reviewed-by: Philip Yang <Philip.Yang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 138 ++++++++++-----------------
+ 1 file changed, 49 insertions(+), 89 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+index 3cb4681c5f539..c0b8f4ff80b8a 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+@@ -943,7 +943,7 @@ svm_range_split(struct svm_range *prange, uint64_t start, uint64_t last,
+ }
+ static int
+-svm_range_split_tail(struct svm_range *prange, struct svm_range *new,
++svm_range_split_tail(struct svm_range *prange,
+                    uint64_t new_last, struct list_head *insert_list)
+ {
+       struct svm_range *tail;
+@@ -955,7 +955,7 @@ svm_range_split_tail(struct svm_range *prange, struct svm_range *new,
+ }
+ static int
+-svm_range_split_head(struct svm_range *prange, struct svm_range *new,
++svm_range_split_head(struct svm_range *prange,
+                    uint64_t new_start, struct list_head *insert_list)
+ {
+       struct svm_range *head;
+@@ -1764,49 +1764,54 @@ static struct svm_range *svm_range_clone(struct svm_range *old)
+ }
+ /**
+- * svm_range_handle_overlap - split overlap ranges
+- * @svms: svm range list header
+- * @new: range added with this attributes
+- * @start: range added start address, in pages
+- * @last: range last address, in pages
+- * @update_list: output, the ranges attributes are updated. For set_attr, this
+- *               will do validation and map to GPUs. For unmap, this will be
+- *               removed and unmap from GPUs
+- * @insert_list: output, the ranges will be inserted into svms, attributes are
+- *               not changes. For set_attr, this will add into svms.
+- * @remove_list:output, the ranges will be removed from svms
+- * @left: the remaining range after overlap, For set_attr, this will be added
+- *        as new range.
++ * svm_range_add - add svm range and handle overlap
++ * @p: the range add to this process svms
++ * @start: page size aligned
++ * @size: page size aligned
++ * @nattr: number of attributes
++ * @attrs: array of attributes
++ * @update_list: output, the ranges need validate and update GPU mapping
++ * @insert_list: output, the ranges need insert to svms
++ * @remove_list: output, the ranges are replaced and need remove from svms
+  *
+- * Total have 5 overlap cases.
++ * Check if the virtual address range has overlap with any existing ranges,
++ * split partly overlapping ranges and add new ranges in the gaps. All changes
++ * should be applied to the range_list and interval tree transactionally. If
++ * any range split or allocation fails, the entire update fails. Therefore any
++ * existing overlapping svm_ranges are cloned and the original svm_ranges left
++ * unchanged.
+  *
+- * This function handles overlap of an address interval with existing
+- * struct svm_ranges for applying new attributes. This may require
+- * splitting existing struct svm_ranges. All changes should be applied to
+- * the range_list and interval tree transactionally. If any split operation
+- * fails, the entire update fails. Therefore the existing overlapping
+- * svm_ranges are cloned and the original svm_ranges left unchanged. If the
+- * transaction succeeds, the modified clones are added and the originals
+- * freed. Otherwise the clones are removed and the old svm_ranges remain.
++ * If the transaction succeeds, the caller can update and insert clones and
++ * new ranges, then free the originals.
+  *
+- * Context: The caller must hold svms->lock
++ * Otherwise the caller can free the clones and new ranges, while the old
++ * svm_ranges remain unchanged.
++ *
++ * Context: Process context, caller must hold svms->lock
++ *
++ * Return:
++ * 0 - OK, otherwise error code
+  */
+ static int
+-svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
+-                       unsigned long start, unsigned long last,
+-                       struct list_head *update_list,
+-                       struct list_head *insert_list,
+-                       struct list_head *remove_list,
+-                       unsigned long *left)
++svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
++            uint32_t nattr, struct kfd_ioctl_svm_attribute *attrs,
++            struct list_head *update_list, struct list_head *insert_list,
++            struct list_head *remove_list)
+ {
++      unsigned long last = start + size - 1UL;
++      struct svm_range_list *svms = &p->svms;
+       struct interval_tree_node *node;
++      struct svm_range new = {0};
+       struct svm_range *prange;
+       struct svm_range *tmp;
+       int r = 0;
++      pr_debug("svms 0x%p [0x%llx 0x%lx]\n", &p->svms, start, last);
++
+       INIT_LIST_HEAD(update_list);
+       INIT_LIST_HEAD(insert_list);
+       INIT_LIST_HEAD(remove_list);
++      svm_range_apply_attrs(p, &new, nattr, attrs);
+       node = interval_tree_iter_first(&svms->objects, start, last);
+       while (node) {
+@@ -1834,14 +1839,14 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
+                       if (node->start < start) {
+                               pr_debug("change old range start\n");
+-                              r = svm_range_split_head(prange, new, start,
++                              r = svm_range_split_head(prange, start,
+                                                        insert_list);
+                               if (r)
+                                       goto out;
+                       }
+                       if (node->last > last) {
+                               pr_debug("change old range last\n");
+-                              r = svm_range_split_tail(prange, new, last,
++                              r = svm_range_split_tail(prange, last,
+                                                        insert_list);
+                               if (r)
+                                       goto out;
+@@ -1853,7 +1858,7 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
+                       prange = old;
+               }
+-              if (!svm_range_is_same_attrs(prange, new))
++              if (!svm_range_is_same_attrs(prange, &new))
+                       list_add(&prange->update_list, update_list);
+               /* insert a new node if needed */
+@@ -1873,8 +1878,16 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
+               start = next_start;
+       }
+-      if (left && start <= last)
+-              *left = last - start + 1;
++      /* add a final range at the end if needed */
++      if (start <= last) {
++              prange = svm_range_new(svms, start, last);
++              if (!prange) {
++                      r = -ENOMEM;
++                      goto out;
++              }
++              list_add(&prange->insert_list, insert_list);
++              list_add(&prange->update_list, update_list);
++      }
+ out:
+       if (r)
+@@ -2894,59 +2907,6 @@ svm_range_is_valid(struct kfd_process *p, uint64_t start, uint64_t size)
+                                 NULL);
+ }
+-/**
+- * svm_range_add - add svm range and handle overlap
+- * @p: the range add to this process svms
+- * @start: page size aligned
+- * @size: page size aligned
+- * @nattr: number of attributes
+- * @attrs: array of attributes
+- * @update_list: output, the ranges need validate and update GPU mapping
+- * @insert_list: output, the ranges need insert to svms
+- * @remove_list: output, the ranges are replaced and need remove from svms
+- *
+- * Check if the virtual address range has overlap with the registered ranges,
+- * split the overlapped range, copy and adjust pages address and vram nodes in
+- * old and new ranges.
+- *
+- * Context: Process context, caller must hold svms->lock
+- *
+- * Return:
+- * 0 - OK, otherwise error code
+- */
+-static int
+-svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
+-            uint32_t nattr, struct kfd_ioctl_svm_attribute *attrs,
+-            struct list_head *update_list, struct list_head *insert_list,
+-            struct list_head *remove_list)
+-{
+-      uint64_t last = start + size - 1UL;
+-      struct svm_range_list *svms;
+-      struct svm_range new = {0};
+-      struct svm_range *prange;
+-      unsigned long left = 0;
+-      int r = 0;
+-
+-      pr_debug("svms 0x%p [0x%llx 0x%llx]\n", &p->svms, start, last);
+-
+-      svm_range_apply_attrs(p, &new, nattr, attrs);
+-
+-      svms = &p->svms;
+-
+-      r = svm_range_handle_overlap(svms, &new, start, last, update_list,
+-                                   insert_list, remove_list, &left);
+-      if (r)
+-              return r;
+-
+-      if (left) {
+-              prange = svm_range_new(svms, last - left + 1, last);
+-              list_add(&prange->insert_list, insert_list);
+-              list_add(&prange->update_list, update_list);
+-      }
+-
+-      return 0;
+-}
+-
+ /**
+  * svm_range_best_prefetch_location - decide the best prefetch location
+  * @prange: svm range structure
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-atomic-check-new_crtc_state-active-to-determine-.patch b/queue-5.16/drm-atomic-check-new_crtc_state-active-to-determine-.patch
new file mode 100644 (file)
index 0000000..a72331d
--- /dev/null
@@ -0,0 +1,58 @@
+From cf6450e5f7c4a517afcba8436f475b630b3151ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 12:06:26 +0800
+Subject: drm/atomic: Check new_crtc_state->active to determine if CRTC needs
+ disable in self refresh mode
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit 69e630016ef4e4a1745310c446f204dc6243e907 ]
+
+Actual hardware state of CRTC is controlled by the member 'active' in
+struct drm_crtc_state instead of the member 'enable', according to the
+kernel doc of the member 'enable'.  In fact, the drm client modeset
+and atomic helpers are using the member 'active' to do the control.
+
+Referencing the member 'enable' of new_crtc_state, the function
+crtc_needs_disable() may fail to reflect if CRTC needs disable in
+self refresh mode, e.g., when the framebuffer emulation will be blanked
+through the client modeset helper with the next commit, the member
+'enable' of new_crtc_state is still true while the member 'active' is
+false, hence the relevant potential encoder and bridges won't be disabled.
+
+So, let's check new_crtc_state->active to determine if CRTC needs disable
+in self refresh mode instead of new_crtc_state->enable.
+
+Fixes: 1452c25b0e60 ("drm: Add helpers to kick off self refresh mode in drivers")
+Cc: Sean Paul <seanpaul@chromium.org>
+Cc: Rob Clark <robdclark@chromium.org>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211230040626.646807-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_atomic_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
+index 2c0c6ec928200..ff2bc9a118011 100644
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1001,7 +1001,7 @@ crtc_needs_disable(struct drm_crtc_state *old_state,
+        * it's in self refresh mode and needs to be fully disabled.
+        */
+       return old_state->active ||
+-             (old_state->self_refresh_active && !new_state->enable) ||
++             (old_state->self_refresh_active && !new_state->active) ||
+              new_state->self_refresh_active;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-bridge-display-connector-fix-an-uninitialized-po.patch b/queue-5.16/drm-bridge-display-connector-fix-an-uninitialized-po.patch
new file mode 100644 (file)
index 0000000..5d376d6
--- /dev/null
@@ -0,0 +1,39 @@
+From 6c4204a7f45b62c816925a54e2a4eeb9965b1fb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 11:08:25 +0300
+Subject: drm/bridge: display-connector: fix an uninitialized pointer in
+ probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 189723fbe9aca18d6f7d638c59a40288030932b5 ]
+
+The "label" pointer is used for debug output.  The code assumes that it
+is either NULL or valid, but it is never set to NULL.  It is either
+valid or uninitialized.
+
+Fixes: 0c275c30176b ("drm/bridge: Add bridge driver for display connectors")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211013080825.GE6010@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/display-connector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/display-connector.c b/drivers/gpu/drm/bridge/display-connector.c
+index 05eb759da6fc6..847a0dce7f1d3 100644
+--- a/drivers/gpu/drm/bridge/display-connector.c
++++ b/drivers/gpu/drm/bridge/display-connector.c
+@@ -107,7 +107,7 @@ static int display_connector_probe(struct platform_device *pdev)
+ {
+       struct display_connector *conn;
+       unsigned int type;
+-      const char *label;
++      const char *label = NULL;
+       int ret;
+       conn = devm_kzalloc(&pdev->dev, sizeof(*conn), GFP_KERNEL);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch b/queue-5.16/drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch
new file mode 100644 (file)
index 0000000..e3faca3
--- /dev/null
@@ -0,0 +1,146 @@
+From f50eb2e7a9ebaf81297d41ed27ff657233105f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 15:59:47 +0200
+Subject: drm/bridge: dw-hdmi: handle ELD when DRM_BRIDGE_ATTACH_NO_CONNECTOR
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit 3f2532d65a571ca02258b547b5b68ab2e9406fdb ]
+
+The current ELD handling takes the internal connector ELD buffer and
+shares it to the I2S and AHB sub-driver.
+
+But with DRM_BRIDGE_ATTACH_NO_CONNECTOR, the connector is created
+elsewhere (or not), and an eventual connector is known only
+if the bridge chain up to a connector is enabled.
+
+The current dw-hdmi code gets the current connector from
+atomic_enable() so use the already stored connector pointer and
+replace the buffer pointer with a callback returning the current
+connector ELD buffer.
+
+Since a connector is not always available, either pass an empty
+ELD to the alsa HDMI driver or don't call snd_pcm_hw_constraint_eld()
+in AHB driver.
+
+Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+[narmstrong: fixed typo in commit log]
+Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211029135947.3022875-1-narmstrong@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c | 10 +++++++---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h     |  4 ++--
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c |  9 ++++++++-
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi.c           | 12 ++++++++++--
+ 4 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c
+index d0db1acf11d73..7d2ed0ed2fe26 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-ahb-audio.c
+@@ -320,13 +320,17 @@ static int dw_hdmi_open(struct snd_pcm_substream *substream)
+       struct snd_pcm_runtime *runtime = substream->runtime;
+       struct snd_dw_hdmi *dw = substream->private_data;
+       void __iomem *base = dw->data.base;
++      u8 *eld;
+       int ret;
+       runtime->hw = dw_hdmi_hw;
+-      ret = snd_pcm_hw_constraint_eld(runtime, dw->data.eld);
+-      if (ret < 0)
+-              return ret;
++      eld = dw->data.get_eld(dw->data.hdmi);
++      if (eld) {
++              ret = snd_pcm_hw_constraint_eld(runtime, eld);
++              if (ret < 0)
++                      return ret;
++      }
+       ret = snd_pcm_limit_hw_rates(runtime);
+       if (ret < 0)
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h
+index cb07dc0da5a70..f72d27208ebef 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-audio.h
+@@ -9,15 +9,15 @@ struct dw_hdmi_audio_data {
+       void __iomem *base;
+       int irq;
+       struct dw_hdmi *hdmi;
+-      u8 *eld;
++      u8 *(*get_eld)(struct dw_hdmi *hdmi);
+ };
+ struct dw_hdmi_i2s_audio_data {
+       struct dw_hdmi *hdmi;
+-      u8 *eld;
+       void (*write)(struct dw_hdmi *hdmi, u8 val, int offset);
+       u8 (*read)(struct dw_hdmi *hdmi, int offset);
++      u8 *(*get_eld)(struct dw_hdmi *hdmi);
+ };
+ #endif
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c
+index feb04f127b550..f50b47ac11a82 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-i2s-audio.c
+@@ -135,8 +135,15 @@ static int dw_hdmi_i2s_get_eld(struct device *dev, void *data, uint8_t *buf,
+                              size_t len)
+ {
+       struct dw_hdmi_i2s_audio_data *audio = data;
++      u8 *eld;
++
++      eld = audio->get_eld(audio->hdmi);
++      if (eld)
++              memcpy(buf, eld, min_t(size_t, MAX_ELD_BYTES, len));
++      else
++              /* Pass en empty ELD if connector not available */
++              memset(buf, 0, len);
+-      memcpy(buf, audio->eld, min_t(size_t, MAX_ELD_BYTES, len));
+       return 0;
+ }
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+index f08d0fded61f7..e1211a5b334ba 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+@@ -757,6 +757,14 @@ static void hdmi_enable_audio_clk(struct dw_hdmi *hdmi, bool enable)
+       hdmi_writeb(hdmi, hdmi->mc_clkdis, HDMI_MC_CLKDIS);
+ }
++static u8 *hdmi_audio_get_eld(struct dw_hdmi *hdmi)
++{
++      if (!hdmi->curr_conn)
++              return NULL;
++
++      return hdmi->curr_conn->eld;
++}
++
+ static void dw_hdmi_ahb_audio_enable(struct dw_hdmi *hdmi)
+ {
+       hdmi_set_cts_n(hdmi, hdmi->audio_cts, hdmi->audio_n);
+@@ -3431,7 +3439,7 @@ struct dw_hdmi *dw_hdmi_probe(struct platform_device *pdev,
+               audio.base = hdmi->regs;
+               audio.irq = irq;
+               audio.hdmi = hdmi;
+-              audio.eld = hdmi->connector.eld;
++              audio.get_eld = hdmi_audio_get_eld;
+               hdmi->enable_audio = dw_hdmi_ahb_audio_enable;
+               hdmi->disable_audio = dw_hdmi_ahb_audio_disable;
+@@ -3444,7 +3452,7 @@ struct dw_hdmi *dw_hdmi_probe(struct platform_device *pdev,
+               struct dw_hdmi_i2s_audio_data audio;
+               audio.hdmi      = hdmi;
+-              audio.eld       = hdmi->connector.eld;
++              audio.get_eld   = hdmi_audio_get_eld;
+               audio.write     = hdmi_writeb;
+               audio.read      = hdmi_readb;
+               hdmi->enable_audio = dw_hdmi_i2s_audio_enable;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch b/queue-5.16/drm-bridge-megachips-ensure-both-bridges-are-probed-.patch
new file mode 100644 (file)
index 0000000..34812cb
--- /dev/null
@@ -0,0 +1,251 @@
+From ecb5ce3adb108245f572db99a16d8df26e602642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 10:53:02 +0000
+Subject: drm/bridge: megachips: Ensure both bridges are probed before
+ registration
+
+From: Martyn Welch <martyn.welch@collabora.com>
+
+[ Upstream commit 11632d4aa2b3f126790e81a4415d6c23103cf8bb ]
+
+In the configuration used by the b850v3, the STDP2690 is used to read EDID
+data whilst it's the STDP4028 which can detect when monitors are connected.
+
+This can result in problems at boot with monitors connected when the
+STDP4028 is probed first, a monitor is detected and an attempt is made to
+read the EDID data before the STDP2690 has probed:
+
+[    3.795721] Unable to handle kernel NULL pointer dereference at virtual address 00000018
+[    3.803845] pgd = (ptrval)
+[    3.806581] [00000018] *pgd=00000000
+[    3.810180] Internal error: Oops: 5 [#1] SMP ARM
+[    3.814813] Modules linked in:
+[    3.817879] CPU: 0 PID: 64 Comm: kworker/u4:1 Not tainted 5.15.0 #1
+[    3.824161] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[    3.830705] Workqueue: events_unbound deferred_probe_work_func
+[    3.836565] PC is at stdp2690_get_edid+0x44/0x19c
+[    3.841286] LR is at ge_b850v3_lvds_get_modes+0x2c/0x5c
+[    3.846526] pc : [<805eae10>]    lr : [<805eb138>]    psr: 80000013
+[    3.852802] sp : 81c359d0  ip : 7dbb550b  fp : 81c35a1c
+[    3.858037] r10: 81c73840  r9 : 81c73894  r8 : 816d9800
+[    3.863270] r7 : 00000000  r6 : 81c34000  r5 : 00000000  r4 : 810c35f0
+[    3.869808] r3 : 80e3e294  r2 : 00000080  r1 : 00000cc0  r0 : 81401180
+[    3.876349] Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+[    3.883499] Control: 10c5387d  Table: 1000404a  DAC: 00000051
+[    3.889254] Register r0 information: slab kmem_cache start 81401180 pointer offset 0
+[    3.897034] Register r1 information: non-paged memory
+[    3.902097] Register r2 information: non-paged memory
+[    3.907160] Register r3 information: non-slab/vmalloc memory
+[    3.912832] Register r4 information: non-slab/vmalloc memory
+[    3.918503] Register r5 information: NULL pointer
+[    3.923217] Register r6 information: non-slab/vmalloc memory
+[    3.928887] Register r7 information: NULL pointer
+[    3.933601] Register r8 information: slab kmalloc-1k start 816d9800 pointer offset 0 size 1024
+[    3.942244] Register r9 information: slab kmalloc-2k start 81c73800 pointer offset 148 size 2048
+[    3.951058] Register r10 information: slab kmalloc-2k start 81c73800 pointer offset 64 size 2048
+[    3.959873] Register r11 information: non-slab/vmalloc memory
+[    3.965632] Register r12 information: non-paged memory
+[    3.970781] Process kworker/u4:1 (pid: 64, stack limit = 0x(ptrval))
+[    3.977148] Stack: (0x81c359d0 to 0x81c36000)
+[    3.981517] 59c0:                                     80b2b668 80b2b5bc 000002e2 0000034e
+[    3.989712] 59e0: 81c35a8c 816d98e8 81c35a14 7dbb550b 805bfcd0 810c35f0 81c73840 824addc0
+[    3.997906] 5a00: 00001000 816d9800 81c73894 81c73840 81c35a34 81c35a20 805eb138 805eadd8
+[    4.006099] 5a20: 810c35f0 00000045 81c35adc 81c35a38 80594188 805eb118 80d7c788 80dd1848
+[    4.014292] 5a40: 00000000 81c35a50 80dca950 811194d3 80dca7c4 80dca944 80dca91c 816d9800
+[    4.022485] 5a60: 81c34000 81c760a8 816d9800 80c58c98 810c35f0 816d98e8 00001000 00001000
+[    4.030678] 5a80: 00000000 00000000 8017712c 81c60000 00000002 00000001 00000000 00000000
+[    4.038870] 5aa0: 816d9900 816d9900 00000000 7dbb550b 805c700c 00000008 826282c8 826282c8
+[    4.047062] 5ac0: 00001000 81e1ce40 00001000 00000002 81c35bf4 81c35ae0 805d9694 80593fc0
+[    4.055255] 5ae0: 8017a970 80179ad8 00000179 00000000 81c35bcc 81c35b00 80177108 8017a950
+[    4.063447] 5b00: 00000000 81c35b10 81c34000 00000000 81004fd8 81010a38 00000000 00000059
+[    4.071639] 5b20: 816d98d4 81fbb718 00000013 826282c8 8017a940 81c35b40 81134448 00000400
+[    4.079831] 5b40: 00000178 00000000 e063b9c1 00000000 c2000049 00000040 00000000 00000008
+[    4.088024] 5b60: 82628300 82628380 00000000 00000000 81c34000 00000000 81fbb700 82628340
+[    4.096216] 5b80: 826283c0 00001000 00000000 00000010 816d9800 826282c0 801766f8 00000000
+[    4.104408] 5ba0: 00000000 81004fd8 00000049 00000000 00000000 00000001 80dcf940 80178de4
+[    4.112601] 5bc0: 81c35c0c 7dbb550b 80178de4 81fbb700 00000010 00000010 810c35f4 81e1ce40
+[    4.120793] 5be0: 81c40908 0000000c 81c35c64 81c35bf8 805a7f18 805d94a0 81c35c3c 816d9800
+[    4.128985] 5c00: 00000010 81c34000 81c35c2c 81c35c18 8012fce0 805be90c 81c35c3c 81c35c28
+[    4.137178] 5c20: 805be90c 80173210 81fbb600 81fbb6b4 81c35c5c 7dbb550b 81c35c64 81fbb700
+[    4.145370] 5c40: 816d9800 00000010 810c35f4 81e1ce40 81c40908 0000000c 81c35c84 81c35c68
+[    4.153565] 5c60: 805a8c78 805a7ed0 816d9800 81fbb700 00000010 00000000 81c35cac 81c35c88
+[    4.161758] 5c80: 805a8dc4 805a8b68 816d9800 00000000 816d9800 00000000 8179f810 810c42d0
+[    4.169950] 5ca0: 81c35ccc 81c35cb0 805e47b0 805a8d18 824aa240 81e1ea80 81c40908 81126b60
+[    4.178144] 5cc0: 81c35d14 81c35cd0 8060db1c 805e46cc 81c35d14 81c35ce0 80dd90f8 810c4d58
+[    4.186338] 5ce0: 80dd90dc 81fe9740 fffffffe 81fe9740 81e1ea80 00000000 810c4d6c 80c4b95c
+[    4.194531] 5d00: 80dd9a3c 815c6810 81c35d34 81c35d18 8060dc9c 8060d8fc 8246b440 815c6800
+[    4.202724] 5d20: 815c6810 eefd8e00 81c35d44 81c35d38 8060dd80 8060dbec 81c35d6c 81c35d48
+[    4.210918] 5d40: 805e98a4 8060dd70 00000000 815c6810 810c45b0 81126e90 81126e90 80dd9a3c
+[    4.219112] 5d60: 81c35d8c 81c35d70 80619574 805e9808 815c6810 00000000 810c45b0 81126e90
+[    4.227305] 5d80: 81c35db4 81c35d90 806168dc 80619514 80625df0 80623c80 815c6810 810c45b0
+[    4.235498] 5da0: 81c35e6c 815c6810 81c35dec 81c35db8 80616d04 80616800 81c35de4 81c35dc8
+[    4.243691] 5dc0: 808382b0 80b2f444 8116e310 8116e314 81c35e6c 815c6810 00000003 80dd9a3c
+[    4.251884] 5de0: 81c35e14 81c35df0 80616ec8 80616c60 00000001 810c45b0 81c35e6c 815c6810
+[    4.260076] 5e00: 00000001 80dd9a3c 81c35e34 81c35e18 80617338 80616e90 00000000 81c35e6c
+[    4.268269] 5e20: 80617284 81c34000 81c35e64 81c35e38 80614730 80617290 81c35e64 8171a06c
+[    4.276461] 5e40: 81e220b8 7dbb550b 815c6810 81c34000 815c6854 81126e90 81c35e9c 81c35e68
+[    4.284654] 5e60: 8061673c 806146a8 8060f5e0 815c6810 00000001 7dbb550b 00000000 810c5080
+[    4.292847] 5e80: 810c5320 815c6810 81126e90 00000000 81c35eac 81c35ea0 80617554 80616650
+[    4.301040] 5ea0: 81c35ecc 81c35eb0 80615694 80617544 810c5080 810c5080 810c5094 81126e90
+[    4.309233] 5ec0: 81c35efc 81c35ed0 80615c6c 8061560c 80615bc0 810c50c0 817eeb00 81412800
+[    4.317425] 5ee0: 814c3000 00000000 814c300d 81119a60 81c35f3c 81c35f00 80141488 80615bcc
+[    4.325618] 5f00: 81c60000 81c34000 81c35f24 81c35f18 80143078 817eeb00 81412800 817eeb18
+[    4.333811] 5f20: 81412818 81003d00 00000088 81412800 81c35f74 81c35f40 80141a48 80141298
+[    4.342005] 5f40: 81c35f74 81c34000 801481ac 817efa40 817efc00 801417d8 817eeb00 00000000
+[    4.350199] 5f60: 815a7e7c 81c34000 81c35fac 81c35f78 80149b1c 801417e4 817efc20 817efc20
+[    4.358391] 5f80: ffffe000 817efa40 801499a8 00000000 00000000 00000000 00000000 00000000
+[    4.366583] 5fa0: 00000000 81c35fb0 80100130 801499b4 00000000 00000000 00000000 00000000
+[    4.374774] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[    4.382966] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[    4.391155] Backtrace:
+[    4.393613] [<805eadcc>] (stdp2690_get_edid) from [<805eb138>] (ge_b850v3_lvds_get_modes+0x2c/0x5c)
+[    4.402691]  r10:81c73840 r9:81c73894 r8:816d9800 r7:00001000 r6:824addc0 r5:81c73840
+[    4.410534]  r4:810c35f0
+[    4.413073] [<805eb10c>] (ge_b850v3_lvds_get_modes) from [<80594188>] (drm_helper_probe_single_connector_modes+0x1d4/0x84c)
+[    4.424240]  r5:00000045 r4:810c35f0
+[    4.427822] [<80593fb4>] (drm_helper_probe_single_connector_modes) from [<805d9694>] (drm_client_modeset_probe+0x200/0x1384)
+[    4.439074]  r10:00000002 r9:00001000 r8:81e1ce40 r7:00001000 r6:826282c8 r5:826282c8
+[    4.446917]  r4:00000008
+[    4.449455] [<805d9494>] (drm_client_modeset_probe) from [<805a7f18>] (__drm_fb_helper_initial_config_and_unlock+0x54/0x5b4)
+[    4.460713]  r10:0000000c r9:81c40908 r8:81e1ce40 r7:810c35f4 r6:00000010 r5:00000010
+[    4.468556]  r4:81fbb700
+[    4.471095] [<805a7ec4>] (__drm_fb_helper_initial_config_and_unlock) from [<805a8c78>] (drm_fbdev_client_hotplug+0x11c/0x1b0)
+[    4.482434]  r10:0000000c r9:81c40908 r8:81e1ce40 r7:810c35f4 r6:00000010 r5:816d9800
+[    4.490276]  r4:81fbb700
+[    4.492814] [<805a8b5c>] (drm_fbdev_client_hotplug) from [<805a8dc4>] (drm_fbdev_generic_setup+0xb8/0x1a4)
+[    4.502494]  r7:00000000 r6:00000010 r5:81fbb700 r4:816d9800
+[    4.508160] [<805a8d0c>] (drm_fbdev_generic_setup) from [<805e47b0>] (imx_drm_bind+0xf0/0x130)
+[    4.516805]  r7:810c42d0 r6:8179f810 r5:00000000 r4:816d9800
+[    4.522474] [<805e46c0>] (imx_drm_bind) from [<8060db1c>] (try_to_bring_up_master+0x22c/0x2f0)
+[    4.531116]  r7:81126b60 r6:81c40908 r5:81e1ea80 r4:824aa240
+[    4.536783] [<8060d8f0>] (try_to_bring_up_master) from [<8060dc9c>] (__component_add+0xbc/0x184)
+[    4.545597]  r10:815c6810 r9:80dd9a3c r8:80c4b95c r7:810c4d6c r6:00000000 r5:81e1ea80
+[    4.553440]  r4:81fe9740
+[    4.555980] [<8060dbe0>] (__component_add) from [<8060dd80>] (component_add+0x1c/0x20)
+[    4.563921]  r7:eefd8e00 r6:815c6810 r5:815c6800 r4:8246b440
+[    4.569589] [<8060dd64>] (component_add) from [<805e98a4>] (dw_hdmi_imx_probe+0xa8/0xe8)
+[    4.577702] [<805e97fc>] (dw_hdmi_imx_probe) from [<80619574>] (platform_probe+0x6c/0xc8)
+[    4.585908]  r9:80dd9a3c r8:81126e90 r7:81126e90 r6:810c45b0 r5:815c6810 r4:00000000
+[    4.593662] [<80619508>] (platform_probe) from [<806168dc>] (really_probe+0xe8/0x460)
+[    4.601524]  r7:81126e90 r6:810c45b0 r5:00000000 r4:815c6810
+[    4.607191] [<806167f4>] (really_probe) from [<80616d04>] (__driver_probe_device+0xb0/0x230)
+[    4.615658]  r7:815c6810 r6:81c35e6c r5:810c45b0 r4:815c6810
+[    4.621326] [<80616c54>] (__driver_probe_device) from [<80616ec8>] (driver_probe_device+0x44/0xe0)
+[    4.630313]  r9:80dd9a3c r8:00000003 r7:815c6810 r6:81c35e6c r5:8116e314 r4:8116e310
+[    4.638068] [<80616e84>] (driver_probe_device) from [<80617338>] (__device_attach_driver+0xb4/0x12c)
+[    4.647227]  r9:80dd9a3c r8:00000001 r7:815c6810 r6:81c35e6c r5:810c45b0 r4:00000001
+[    4.654981] [<80617284>] (__device_attach_driver) from [<80614730>] (bus_for_each_drv+0x94/0xd8)
+[    4.663794]  r7:81c34000 r6:80617284 r5:81c35e6c r4:00000000
+[    4.669461] [<8061469c>] (bus_for_each_drv) from [<8061673c>] (__device_attach+0xf8/0x190)
+[    4.677753]  r7:81126e90 r6:815c6854 r5:81c34000 r4:815c6810
+[    4.683419] [<80616644>] (__device_attach) from [<80617554>] (device_initial_probe+0x1c/0x20)
+[    4.691971]  r8:00000000 r7:81126e90 r6:815c6810 r5:810c5320 r4:810c5080
+[    4.698681] [<80617538>] (device_initial_probe) from [<80615694>] (bus_probe_device+0x94/0x9c)
+[    4.707318] [<80615600>] (bus_probe_device) from [<80615c6c>] (deferred_probe_work_func+0xac/0xf0)
+[    4.716305]  r7:81126e90 r6:810c5094 r5:810c5080 r4:810c5080
+[    4.721973] [<80615bc0>] (deferred_probe_work_func) from [<80141488>] (process_one_work+0x1fc/0x54c)
+[    4.731139]  r10:81119a60 r9:814c300d r8:00000000 r7:814c3000 r6:81412800 r5:817eeb00
+[    4.738981]  r4:810c50c0 r3:80615bc0
+[    4.742563] [<8014128c>] (process_one_work) from [<80141a48>] (worker_thread+0x270/0x570)
+[    4.750765]  r10:81412800 r9:00000088 r8:81003d00 r7:81412818 r6:817eeb18 r5:81412800
+[    4.758608]  r4:817eeb00
+[    4.761147] [<801417d8>] (worker_thread) from [<80149b1c>] (kthread+0x174/0x190)
+[    4.768574]  r10:81c34000 r9:815a7e7c r8:00000000 r7:817eeb00 r6:801417d8 r5:817efc00
+[    4.776417]  r4:817efa40
+[    4.778955] [<801499a8>] (kthread) from [<80100130>] (ret_from_fork+0x14/0x24)
+[    4.786201] Exception stack(0x81c35fb0 to 0x81c35ff8)
+[    4.791266] 5fa0:                                     00000000 00000000 00000000 00000000
+[    4.799459] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[    4.807651] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[    4.814279]  r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:801499a8
+[    4.822120]  r4:817efa40
+[    4.824664] Code: e3a02080 e593001c e3a01d33 e3a05000 (e5979018)
+
+Split the registration from the STDP4028 probe routine and only perform
+registration once both the STDP4028 and STDP2690 have probed.
+
+Signed-off-by: Martyn Welch <martyn.welch@collabora.com>
+CC: Peter Senna Tschudin <peter.senna@gmail.com>
+CC: Martyn Welch <martyn.welch@collabora.co.uk>
+CC: Neil Armstrong <narmstrong@baylibre.com>
+CC: Robert Foss <robert.foss@linaro.org>
+CC: Laurent Pinchart <Laurent.pinchart@ideasonboard.com>
+CC: Jonas Karlman <jonas@kwiboo.se>
+CC: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/43552c3404e8fdf92d8bc5658fac24e9f03c2c57.1637836606.git.martyn.welch@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bridge/megachips-stdpxxxx-ge-b850v3-fw.c  | 40 +++++++++++++------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+index d2808c4a6fb1c..cce98bf2a4e73 100644
+--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+@@ -306,19 +306,10 @@ out:
+       mutex_unlock(&ge_b850v3_lvds_dev_mutex);
+ }
+-static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
+-                                     const struct i2c_device_id *id)
++static int ge_b850v3_register(void)
+ {
++      struct i2c_client *stdp4028_i2c = ge_b850v3_lvds_ptr->stdp4028_i2c;
+       struct device *dev = &stdp4028_i2c->dev;
+-      int ret;
+-
+-      ret = ge_b850v3_lvds_init(dev);
+-
+-      if (ret)
+-              return ret;
+-
+-      ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c;
+-      i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr);
+       /* drm bridge initialization */
+       ge_b850v3_lvds_ptr->bridge.funcs = &ge_b850v3_lvds_funcs;
+@@ -343,6 +334,27 @@ static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
+                       "ge-b850v3-lvds-dp", ge_b850v3_lvds_ptr);
+ }
++static int stdp4028_ge_b850v3_fw_probe(struct i2c_client *stdp4028_i2c,
++                                     const struct i2c_device_id *id)
++{
++      struct device *dev = &stdp4028_i2c->dev;
++      int ret;
++
++      ret = ge_b850v3_lvds_init(dev);
++
++      if (ret)
++              return ret;
++
++      ge_b850v3_lvds_ptr->stdp4028_i2c = stdp4028_i2c;
++      i2c_set_clientdata(stdp4028_i2c, ge_b850v3_lvds_ptr);
++
++      /* Only register after both bridges are probed */
++      if (!ge_b850v3_lvds_ptr->stdp2690_i2c)
++              return 0;
++
++      return ge_b850v3_register();
++}
++
+ static int stdp4028_ge_b850v3_fw_remove(struct i2c_client *stdp4028_i2c)
+ {
+       ge_b850v3_lvds_remove();
+@@ -386,7 +398,11 @@ static int stdp2690_ge_b850v3_fw_probe(struct i2c_client *stdp2690_i2c,
+       ge_b850v3_lvds_ptr->stdp2690_i2c = stdp2690_i2c;
+       i2c_set_clientdata(stdp2690_i2c, ge_b850v3_lvds_ptr);
+-      return 0;
++      /* Only register after both bridges are probed */
++      if (!ge_b850v3_lvds_ptr->stdp4028_i2c)
++              return 0;
++
++      return ge_b850v3_register();
+ }
+ static int stdp2690_ge_b850v3_fw_remove(struct i2c_client *stdp2690_i2c)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-bridge-sn65dsi83-fix-bridge-removal.patch b/queue-5.16/drm-bridge-sn65dsi83-fix-bridge-removal.patch
new file mode 100644 (file)
index 0000000..07f57c8
--- /dev/null
@@ -0,0 +1,50 @@
+From 87d64b2dff3cc256c130bab4728e31055e18079f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 17:15:28 +0200
+Subject: drm/bridge: sn65dsi83: Fix bridge removal
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit c05f1a4e2c4b8a217b448828c4e59fb47454dc75 ]
+
+Commit 24417d5b0c00 ("drm/bridge: ti-sn65dsi83: Implement .detach
+callback") moved the unregistration of the bridge DSI device and bridge
+itself to the detach callback.
+
+While this is correct for the DSI device detach and unregistration, the
+bridge is added in the driver probe, and should thus be removed as part
+of its remove callback.
+
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Fixes: 24417d5b0c00 ("drm/bridge: ti-sn65dsi83: Implement .detach callback")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211025151536.1048186-14-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi83.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi83.c b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+index ba1160ec6d6e8..07917681782d2 100644
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi83.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi83.c
+@@ -297,7 +297,6 @@ static void sn65dsi83_detach(struct drm_bridge *bridge)
+       mipi_dsi_detach(ctx->dsi);
+       mipi_dsi_device_unregister(ctx->dsi);
+-      drm_bridge_remove(&ctx->bridge);
+       ctx->dsi = NULL;
+ }
+@@ -711,6 +710,7 @@ static int sn65dsi83_remove(struct i2c_client *client)
+ {
+       struct sn65dsi83 *ctx = i2c_get_clientdata(client);
++      drm_bridge_remove(&ctx->bridge);
+       of_node_put(ctx->host_node);
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch b/queue-5.16/drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch
new file mode 100644 (file)
index 0000000..21f7cf7
--- /dev/null
@@ -0,0 +1,40 @@
+From ab28c175e725b29289939984c2bc02f16e82229b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 16:25:29 -0800
+Subject: drm/bridge: ti-sn65dsi86: Set max register for regmap
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 0b665d4af35837f0a0ae63135b84a3c187c1db3b ]
+
+Set the maximum register to 0xff so we can dump the registers for this
+device in debugfs.
+
+Fixes: a095f15c00e2 ("drm/bridge: add support for sn65dsi86 bridge driver")
+Cc: Rob Clark <robdclark@chromium.org>
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211215002529.382383-1-swboyd@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi86.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+index 6154bed0af5bf..83d06c16d4d74 100644
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+@@ -188,6 +188,7 @@ static const struct regmap_config ti_sn65dsi86_regmap_config = {
+       .val_bits = 8,
+       .volatile_table = &ti_sn_bridge_volatile_table,
+       .cache_type = REGCACHE_NONE,
++      .max_register = 0xFF,
+ };
+ static void ti_sn65dsi86_write_u16(struct ti_sn65dsi86 *pdata,
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-dp-don-t-read-back-backlight-mode-in-drm_edp_bac.patch b/queue-5.16/drm-dp-don-t-read-back-backlight-mode-in-drm_edp_bac.patch
new file mode 100644 (file)
index 0000000..4d58afa
--- /dev/null
@@ -0,0 +1,98 @@
+From 3b14964cb53040fd07bf0828df242bb70ef67299 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 14:33:40 -0400
+Subject: drm/dp: Don't read back backlight mode in drm_edp_backlight_enable()
+
+From: Lyude Paul <lyude@redhat.com>
+
+[ Upstream commit 646596485e1ed2182adf293dfd5aec4a96c46330 ]
+
+As it turns out, apparently some machines will actually leave additional
+backlight functionality like dynamic backlight control on before the OS
+loads. Currently we don't take care to disable unsupported features when
+writing back the backlight mode, which can lead to some rather strange
+looking behavior when adjusting the backlight.
+
+So, let's fix this by just not reading back the current backlight mode on
+initial enable. I don't think there should really be any downsides to this,
+and this will ensure we don't leave any unsupported functionality enabled.
+
+This should fix at least one (but not all) of the issues seen with DPCD
+backlight support on fi-bdw-samus
+
+v5:
+* Just avoid reading back DPCD register - Doug Anderson
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Fixes: 867cf9cd73c3 ("drm/dp: Extract i915's eDP backlight code into DRM helpers")
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211105183342.130810-4-lyude@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_dp_helper.c | 40 ++++++++++-----------------------
+ 1 file changed, 12 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c
+index 4d0d1e8e51fa7..db7db839e42d1 100644
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -3246,27 +3246,13 @@ int drm_edp_backlight_enable(struct drm_dp_aux *aux, const struct drm_edp_backli
+                            const u16 level)
+ {
+       int ret;
+-      u8 dpcd_buf, new_dpcd_buf;
++      u8 dpcd_buf = DP_EDP_BACKLIGHT_CONTROL_MODE_DPCD;
+-      ret = drm_dp_dpcd_readb(aux, DP_EDP_BACKLIGHT_MODE_SET_REGISTER, &dpcd_buf);
+-      if (ret != 1) {
+-              drm_dbg_kms(aux->drm_dev,
+-                          "%s: Failed to read backlight mode: %d\n", aux->name, ret);
+-              return ret < 0 ? ret : -EIO;
+-      }
+-
+-      new_dpcd_buf = dpcd_buf;
+-
+-      if ((dpcd_buf & DP_EDP_BACKLIGHT_CONTROL_MODE_MASK) != DP_EDP_BACKLIGHT_CONTROL_MODE_DPCD) {
+-              new_dpcd_buf &= ~DP_EDP_BACKLIGHT_CONTROL_MODE_MASK;
+-              new_dpcd_buf |= DP_EDP_BACKLIGHT_CONTROL_MODE_DPCD;
+-
+-              if (bl->pwmgen_bit_count) {
+-                      ret = drm_dp_dpcd_writeb(aux, DP_EDP_PWMGEN_BIT_COUNT, bl->pwmgen_bit_count);
+-                      if (ret != 1)
+-                              drm_dbg_kms(aux->drm_dev, "%s: Failed to write aux pwmgen bit count: %d\n",
+-                                          aux->name, ret);
+-              }
++      if (bl->pwmgen_bit_count) {
++              ret = drm_dp_dpcd_writeb(aux, DP_EDP_PWMGEN_BIT_COUNT, bl->pwmgen_bit_count);
++              if (ret != 1)
++                      drm_dbg_kms(aux->drm_dev, "%s: Failed to write aux pwmgen bit count: %d\n",
++                                  aux->name, ret);
+       }
+       if (bl->pwm_freq_pre_divider) {
+@@ -3276,16 +3262,14 @@ int drm_edp_backlight_enable(struct drm_dp_aux *aux, const struct drm_edp_backli
+                                   "%s: Failed to write aux backlight frequency: %d\n",
+                                   aux->name, ret);
+               else
+-                      new_dpcd_buf |= DP_EDP_BACKLIGHT_FREQ_AUX_SET_ENABLE;
++                      dpcd_buf |= DP_EDP_BACKLIGHT_FREQ_AUX_SET_ENABLE;
+       }
+-      if (new_dpcd_buf != dpcd_buf) {
+-              ret = drm_dp_dpcd_writeb(aux, DP_EDP_BACKLIGHT_MODE_SET_REGISTER, new_dpcd_buf);
+-              if (ret != 1) {
+-                      drm_dbg_kms(aux->drm_dev, "%s: Failed to write aux backlight mode: %d\n",
+-                                  aux->name, ret);
+-                      return ret < 0 ? ret : -EIO;
+-              }
++      ret = drm_dp_dpcd_writeb(aux, DP_EDP_BACKLIGHT_MODE_SET_REGISTER, dpcd_buf);
++      if (ret != 1) {
++              drm_dbg_kms(aux->drm_dev, "%s: Failed to write aux backlight mode: %d\n",
++                          aux->name, ret);
++              return ret < 0 ? ret : -EIO;
+       }
+       ret = drm_edp_backlight_set_level(aux, bl, level);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch b/queue-5.16/drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch
new file mode 100644 (file)
index 0000000..3fab41b
--- /dev/null
@@ -0,0 +1,59 @@
+From d492a59e5f7adb8738ae438d30cc4b0e941d4aa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 01:17:28 +0100
+Subject: drm/etnaviv: consider completed fence seqno in hang check
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit cdd156955f946beaa5f3a00d8ccf90e5a197becc ]
+
+Some GPU heavy test programs manage to trigger the hangcheck quite often.
+If there are no other GPU users in the system and the test program
+exhibits a very regular structure in the commandstreams that are being
+submitted, we can end up with two distinct submits managing to trigger
+the hangcheck with the FE in a very similar address range. This leads
+the hangcheck to believe that the GPU is stuck, while in reality the GPU
+is already busy working on a different job. To avoid those spurious
+GPU resets, also remember and consider the last completed fence seqno
+in the hang check.
+
+Reported-by: Joerg Albert <joerg.albert@iav.de>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gpu.h   | 1 +
+ drivers/gpu/drm/etnaviv/etnaviv_sched.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+index 1c75c8ed5bcea..85eddd492774d 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.h
+@@ -130,6 +130,7 @@ struct etnaviv_gpu {
+       /* hang detection */
+       u32 hangcheck_dma_addr;
++      u32 hangcheck_fence;
+       void __iomem *mmio;
+       int irq;
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_sched.c b/drivers/gpu/drm/etnaviv/etnaviv_sched.c
+index 180bb633d5c53..58f593b278c15 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c
+@@ -107,8 +107,10 @@ static enum drm_gpu_sched_stat etnaviv_sched_timedout_job(struct drm_sched_job
+        */
+       dma_addr = gpu_read(gpu, VIVS_FE_DMA_ADDRESS);
+       change = dma_addr - gpu->hangcheck_dma_addr;
+-      if (change < 0 || change > 16) {
++      if (gpu->completed_fence != gpu->hangcheck_fence ||
++          change < 0 || change > 16) {
+               gpu->hangcheck_dma_addr = dma_addr;
++              gpu->hangcheck_fence = gpu->completed_fence;
+               goto out_no_timeout;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch b/queue-5.16/drm-fix-null-ptr-deref-in-drm_dev_init_release.patch
new file mode 100644 (file)
index 0000000..75ed309
--- /dev/null
@@ -0,0 +1,86 @@
+From 5d42b208ba4fee9691b643fd8bed79ae5560f5bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 19:41:39 +0800
+Subject: drm: fix null-ptr-deref in drm_dev_init_release()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit acf20ed020ffa4d6cc8347e8d356509b95df3cbe ]
+
+I got a null-ptr-deref report:
+
+[drm:drm_dev_init [drm]] *ERROR* Cannot allocate anonymous inode: -12
+==================================================================
+BUG: KASAN: null-ptr-deref in iput+0x3c/0x4a0
+...
+Call Trace:
+ dump_stack_lvl+0x6c/0x8b
+ kasan_report.cold+0x64/0xdb
+ __asan_load8+0x69/0x90
+ iput+0x3c/0x4a0
+ drm_dev_init_release+0x39/0xb0 [drm]
+ drm_managed_release+0x158/0x2d0 [drm]
+ drm_dev_init+0x3a7/0x4c0 [drm]
+ __devm_drm_dev_alloc+0x55/0xd0 [drm]
+ mi0283qt_probe+0x8a/0x2b5 [mi0283qt]
+ spi_probe+0xeb/0x130
+...
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+If drm_fs_inode_new() fails in drm_dev_init(), dev->anon_inode will point
+to PTR_ERR(...) instead of NULL. This will result in null-ptr-deref when
+drm_fs_inode_free(dev->anon_inode) is called.
+
+drm_dev_init()
+       drm_fs_inode_new() // fail, dev->anon_inode = PTR_ERR(...)
+       drm_managed_release()
+               drm_dev_init_release()
+                       drm_fs_inode_free() // access non-existent anon_inode
+
+Define a temp variable and assign it to dev->anon_inode if the temp
+variable is not PTR_ERR.
+
+Fixes: 2cbf7fc6718b ("drm: Use drmm_ for drm_dev_init cleanup")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211013114139.4042207-1-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_drv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
+index 7a5097467ba5c..b3a1636d1b984 100644
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -581,6 +581,7 @@ static int drm_dev_init(struct drm_device *dev,
+                       const struct drm_driver *driver,
+                       struct device *parent)
+ {
++      struct inode *inode;
+       int ret;
+       if (!drm_core_init_complete) {
+@@ -617,13 +618,15 @@ static int drm_dev_init(struct drm_device *dev,
+       if (ret)
+               return ret;
+-      dev->anon_inode = drm_fs_inode_new();
+-      if (IS_ERR(dev->anon_inode)) {
+-              ret = PTR_ERR(dev->anon_inode);
++      inode = drm_fs_inode_new();
++      if (IS_ERR(inode)) {
++              ret = PTR_ERR(inode);
+               DRM_ERROR("Cannot allocate anonymous inode: %d\n", ret);
+               goto err;
+       }
++      dev->anon_inode = inode;
++
+       if (drm_core_check_feature(dev, DRIVER_RENDER)) {
+               ret = drm_minor_alloc(dev, DRM_MINOR_RENDER);
+               if (ret)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-i915-don-t-call-free_mmap_offset-when-purging.patch b/queue-5.16/drm-i915-don-t-call-free_mmap_offset-when-purging.patch
new file mode 100644 (file)
index 0000000..0256e49
--- /dev/null
@@ -0,0 +1,80 @@
+From 6b0d8f01e16ef34638faea352ef955c7870d8a42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 17:49:07 +0000
+Subject: drm/i915: don't call free_mmap_offset when purging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+[ Upstream commit 4c2602ba8d74c35d550ed3d518809c697de08d88 ]
+
+The TTM backend is in theory the only user here(also purge should only
+be called once we have dropped the pages), where it is setup at object
+creation and is only removed once the object is destroyed. Also
+resetting the node here might be iffy since the ttm fault handler
+uses the stored fake offset to determine the page offset within the pages
+array.
+
+This also blows up in the dontneed-before-mmap test, since the
+expectation is that the vma_node will live on, until the object is
+destroyed:
+
+<2> [749.062902] kernel BUG at drivers/gpu/drm/i915/gem/i915_gem_ttm.c:943!
+<4> [749.062923] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+<4> [749.062928] CPU: 0 PID: 1643 Comm: gem_madvise Tainted: G     U  W         5.16.0-rc8-CI-CI_DRM_11046+ #1
+<4> [749.062933] Hardware name: Gigabyte Technology Co., Ltd. GB-Z390 Garuda/GB-Z390 Garuda-CF, BIOS IG1c 11/19/2019
+<4> [749.062937] RIP: 0010:i915_ttm_mmap_offset.cold.35+0x5b/0x5d [i915]
+<4> [749.063044] Code: 00 48 c7 c2 a0 23 4e a0 48 c7 c7 26 df 4a a0 e8 95 1d d0 e0 bf 01 00 00 00 e8 8b ec cf e0 31 f6 bf 09 00 00 00 e8 5f 30 c0 e0 <0f> 0b 48 c7 c1 24 4b 56 a0 ba 5b 03 00 00 48 c7 c6 c0 23 4e a0 48
+<4> [749.063052] RSP: 0018:ffffc90002ab7d38 EFLAGS: 00010246
+<4> [749.063056] RAX: 0000000000000240 RBX: ffff88811f2e61c0 RCX: 0000000000000006
+<4> [749.063060] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
+<4> [749.063063] RBP: ffffc90002ab7e58 R08: 0000000000000001 R09: 0000000000000001
+<4> [749.063067] R10: 000000000123d0f8 R11: ffffc90002ab7b20 R12: ffff888112a1a000
+<4> [749.063071] R13: 0000000000000004 R14: ffff88811f2e61c0 R15: ffff888112a1a000
+<4> [749.063074] FS:  00007f6e5fcad500(0000) GS:ffff8884ad600000(0000) knlGS:0000000000000000
+<4> [749.063078] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4> [749.063081] CR2: 00007efd264e39f0 CR3: 0000000115fd6005 CR4: 00000000003706f0
+<4> [749.063085] Call Trace:
+<4> [749.063087]  <TASK>
+<4> [749.063089]  __assign_mmap_offset+0x41/0x300 [i915]
+<4> [749.063171]  __assign_mmap_offset_handle+0x159/0x270 [i915]
+<4> [749.063248]  ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
+<4> [749.063325]  drm_ioctl_kernel+0xae/0x140
+<4> [749.063330]  drm_ioctl+0x201/0x3d0
+<4> [749.063333]  ? i915_gem_dumb_mmap_offset+0x70/0x70 [i915]
+<4> [749.063409]  ? do_user_addr_fault+0x200/0x670
+<4> [749.063415]  __x64_sys_ioctl+0x6d/0xa0
+<4> [749.063419]  do_syscall_64+0x3a/0xb0
+<4> [749.063423]  entry_SYSCALL_64_after_hwframe+0x44/0xae
+<4> [749.063428] RIP: 0033:0x7f6e5f100317
+
+Testcase: igt/gem_madvise/dontneed-before-mmap
+Fixes: cf3e3e86d779 ("drm/i915: Use ttm mmap handling for ttm bo's.")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220106174910.280616-1-matthew.auld@intel.com
+(cherry picked from commit 658a0c632625e1db51837ff754fe18a6a7f2ccf8)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_pages.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_pages.c b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
+index 8eb1c3a6fc9cd..1d3f40abd0258 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_pages.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_pages.c
+@@ -160,7 +160,6 @@ retry:
+ /* Immediately discard the backing storage */
+ void i915_gem_object_truncate(struct drm_i915_gem_object *obj)
+ {
+-      drm_gem_free_mmap_offset(&obj->base);
+       if (obj->ops->truncate)
+               obj->ops->truncate(obj);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-i915-pxp-hold-rpm-wakelock-during-pxp-unbind.patch b/queue-5.16/drm-i915-pxp-hold-rpm-wakelock-during-pxp-unbind.patch
new file mode 100644 (file)
index 0000000..4fd4cdb
--- /dev/null
@@ -0,0 +1,105 @@
+From 4eadb0918b05532f057ad8cdc08ac755ea68d78d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 12:02:36 -0800
+Subject: drm/i915/pxp: Hold RPM wakelock during PXP unbind
+
+From: Juston Li <juston.li@intel.com>
+
+[ Upstream commit f9535d28ac93c3cc326f7215fccd0abe1d3a6083 ]
+
+Similar to commit b8d8436840ca ("drm/i915/gt: Hold RPM wakelock during
+PXP suspend") but to fix the same warning for unbind during shutdown:
+
+------------[ cut here ]------------
+RPM wakelock ref not held during HW access
+WARNING: CPU: 0 PID: 4139 at drivers/gpu/drm/i915/intel_runtime_pm.h:115
+gen12_fwtable_write32+0x1b7/0
+Modules linked in: 8021q ccm rfcomm cmac algif_hash algif_skcipher
+af_alg uinput snd_hda_codec_hdmi vf industrialio iwl7000_mac80211
+cros_ec_sensorhub lzo_rle lzo_compress zram iwlwifi cfg80211 joydev
+CPU: 0 PID: 4139 Comm: halt Tainted: G     U  W
+5.10.84 #13 344e11e079c4a03940d949e537eab645f6
+RIP: 0010:gen12_fwtable_write32+0x1b7/0x200
+Code: 48 c7 c7 fc b3 b5 89 31 c0 e8 2c f3 ad ff 0f 0b e9 04 ff ff ff c6
+05 71 e9 1d 01 01 48 c7 c7 d67
+RSP: 0018:ffffa09ec0bb3bb0 EFLAGS: 00010246
+RAX: 12dde97bbd260300 RBX: 00000000000320f0 RCX: ffffffff89e60ea0
+RDX: 0000000000000000 RSI: 00000000ffffdfff RDI: ffffffff89e60e70
+RBP: ffffa09ec0bb3bd8 R08: 0000000000000000 R09: ffffa09ec0bb3950
+R10: 00000000ffffdfff R11: ffffffff89e91160 R12: 0000000000000000
+R13: 0000000028121969 R14: ffff9515c32f0990 R15: 0000000040000000
+FS:  0000790dcf225740(0000) GS:ffff951737800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000058b25efae147 CR3: 0000000133ea6001 CR4: 0000000000770ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ intel_pxp_fini_hw+0x2f/0x39
+ i915_pxp_tee_component_unbind+0x1c/0x42
+ component_unbind+0x32/0x48
+ component_unbind_all+0x80/0x9d
+ take_down_master+0x24/0x36
+ component_master_del+0x56/0x70
+ mei_pxp_remove+0x2c/0x68
+ mei_cl_device_remove+0x35/0x68
+ device_release_driver_internal+0x100/0x1a1
+ mei_cl_bus_remove_device+0x21/0x79
+ mei_cl_bus_remove_devices+0x3b/0x51
+ mei_stop+0x3b/0xae
+ mei_me_shutdown+0x23/0x58
+ device_shutdown+0x144/0x1d3
+ kernel_power_off+0x13/0x4c
+ __se_sys_reboot+0x1d4/0x1e9
+ do_syscall_64+0x43/0x55
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x790dcf316273
+Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
+00 89 fa be 69 19 12 28 bf ad8
+RSP: 002b:00007ffca0df9198 EFLAGS: 00000202 ORIG_RAX: 00000000000000a9
+RAX: ffffffffffffffda RBX: 000000004321fedc RCX: 0000790dcf316273
+RDX: 000000004321fedc RSI: 0000000028121969 RDI: 00000000fee1dead
+RBP: 00007ffca0df9200 R08: 0000000000000007 R09: 0000563ce8cd8970
+R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffca0df9308
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000003
+---[ end trace 2f501b01b348f114 ]---
+ACPI: Preparing to enter system sleep state S5
+reboot: Power down
+
+Changes since v1:
+ - Rebase to latest drm-tip
+
+Fixes: 0cfab4cb3c4e ("drm/i915/pxp: Enable PXP power management")
+Suggested-by: Lee Shawn C <shawn.c.lee@intel.com>
+Signed-off-by: Juston Li <juston.li@intel.com>
+Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220106200236.489656-2-juston.li@intel.com
+(cherry picked from commit 57ded5fc98b11d76dae505ca3591b61c9dbbbda7)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/pxp/intel_pxp_tee.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/pxp/intel_pxp_tee.c b/drivers/gpu/drm/i915/pxp/intel_pxp_tee.c
+index 49508f31dcb73..d2980370d9297 100644
+--- a/drivers/gpu/drm/i915/pxp/intel_pxp_tee.c
++++ b/drivers/gpu/drm/i915/pxp/intel_pxp_tee.c
+@@ -103,9 +103,12 @@ static int i915_pxp_tee_component_bind(struct device *i915_kdev,
+ static void i915_pxp_tee_component_unbind(struct device *i915_kdev,
+                                         struct device *tee_kdev, void *data)
+ {
++      struct drm_i915_private *i915 = kdev_to_i915(i915_kdev);
+       struct intel_pxp *pxp = i915_dev_to_pxp(i915_kdev);
++      intel_wakeref_t wakeref;
+-      intel_pxp_fini_hw(pxp);
++      with_intel_runtime_pm_if_in_use(&i915->runtime_pm, wakeref)
++              intel_pxp_fini_hw(pxp);
+       mutex_lock(&pxp->tee_mutex);
+       pxp->pxp_component = NULL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch b/queue-5.16/drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch
new file mode 100644 (file)
index 0000000..f4e0f84
--- /dev/null
@@ -0,0 +1,39 @@
+From 9af95000babbd641d581eb075cc6709446912a25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Oct 2021 12:16:04 +0800
+Subject: drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y
+
+From: Qiang Yu <yuq825@gmail.com>
+
+[ Upstream commit 89636a06fa2ee7826a19c39c19a9bc99ab9340a9 ]
+
+Otherwise get following warning:
+
+DMA-API: lima 1c40000.gpu: mapping sg segment longer than device claims to support [len=4149248] [max=65536]
+
+See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/5496
+
+Reviewed-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Reported-by: Roman Stratiienko <r.stratiienko@gmail.com>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211031041604.187216-1-yuq825@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/lima/lima_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/lima/lima_device.c b/drivers/gpu/drm/lima/lima_device.c
+index f74f8048af8f2..02cef0cea6572 100644
+--- a/drivers/gpu/drm/lima/lima_device.c
++++ b/drivers/gpu/drm/lima/lima_device.c
+@@ -358,6 +358,7 @@ int lima_device_init(struct lima_device *ldev)
+       int err, i;
+       dma_set_coherent_mask(ldev->dev, DMA_BIT_MASK(32));
++      dma_set_max_seg_size(ldev->dev, UINT_MAX);
+       err = lima_clk_init(ldev);
+       if (err)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch b/queue-5.16/drm-msm-dp-displayport-driver-need-algorithm-rationa.patch
new file mode 100644 (file)
index 0000000..a00271b
--- /dev/null
@@ -0,0 +1,41 @@
+From 3d76d8a11b59b83dfde64fafb3c4e6ab4a89181c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 15:09:49 +0800
+Subject: drm/msm/dp: displayPort driver need algorithm rational
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 53d22794711ad630f40d59dd726bd260d77d585f ]
+
+Let's select RATIONAL with dp driver. avoid like:
+
+[...]
+x86_64-linux-gnu-ld: drivers/gpu/drm/msm/dp/dp_catalog.o: in function `dp_catalog_ctrl_config_msa':
+dp_catalog.c:(.text+0x57e): undefined reference to `rational_best_approximation'
+
+Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
+Reported-by: kernelbot <kernel-bot@kylinos.cn>
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Link: https://lore.kernel.org/r/20211110070950.3355597-2-liu.yun@linux.dev
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/msm/Kconfig b/drivers/gpu/drm/msm/Kconfig
+index 39197b4beea78..1eae5a9645f41 100644
+--- a/drivers/gpu/drm/msm/Kconfig
++++ b/drivers/gpu/drm/msm/Kconfig
+@@ -65,6 +65,7 @@ config DRM_MSM_HDMI_HDCP
+ config DRM_MSM_DP
+       bool "Enable DisplayPort support in MSM DRM driver"
+       depends on DRM_MSM
++      select RATIONAL
+       default y
+       help
+         Compile in support for DP driver in MSM DRM driver. DP external
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-msm-dpu-fix-safe-status-debugfs-file.patch b/queue-5.16/drm-msm-dpu-fix-safe-status-debugfs-file.patch
new file mode 100644 (file)
index 0000000..2d170d1
--- /dev/null
@@ -0,0 +1,41 @@
+From 87d2f77f78ec72f3f05e1c87bcf5b0c5d2f62c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 01:26:27 +0300
+Subject: drm/msm/dpu: fix safe status debugfs file
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit f31b0e24d31e18b4503eeaf0032baeacc0beaff6 ]
+
+Make safe_status debugfs fs file actually return safe status rather than
+danger status data.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Link: https://lore.kernel.org/r/20211201222633.2476780-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index a15b264282809..d25d18a0084d9 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -73,8 +73,8 @@ static int _dpu_danger_signal_status(struct seq_file *s,
+                                       &status);
+       } else {
+               seq_puts(s, "\nSafe signal status:\n");
+-              if (kms->hw_mdp->ops.get_danger_status)
+-                      kms->hw_mdp->ops.get_danger_status(kms->hw_mdp,
++              if (kms->hw_mdp->ops.get_safe_status)
++                      kms->hw_mdp->ops.get_safe_status(kms->hw_mdp,
+                                       &status);
+       }
+       pm_runtime_put_sync(&kms->pdev->dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-msm-dsi-fix-initialization-in-the-bonded-dsi-cas.patch b/queue-5.16/drm-msm-dsi-fix-initialization-in-the-bonded-dsi-cas.patch
new file mode 100644 (file)
index 0000000..89f3172
--- /dev/null
@@ -0,0 +1,96 @@
+From d1e3cf40692b0c92a037263e0fbd966e90efa001 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 21:01:14 +0300
+Subject: drm/msm/dsi: fix initialization in the bonded DSI case
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 92cb1bedde9dba78d802fe2510949743a2581aed ]
+
+Commit 739b4e7756d3 ("drm/msm/dsi: Fix an error code in
+msm_dsi_modeset_init()") changed msm_dsi_modeset_init() to return an
+error code in case msm_dsi_manager_validate_current_config() returns
+false. However this is not an error case, but a slave DSI of the bonded
+DSI link. In this case msm_dsi_modeset_init() should return 0, but just
+skip connector and bridge initialization.
+
+To reduce possible confusion, drop the
+msm_dsi_manager_validate_current_config() function, and specif 'bonded
+&& !master' condition directly in the msm_dsi_modeset_init().
+
+Fixes: 739b4e7756d3 ("drm/msm/dsi: Fix an error code in msm_dsi_modeset_init()")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Link: https://lore.kernel.org/r/20211125180114.561278-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi.c         | 10 +++++++---
+ drivers/gpu/drm/msm/dsi/dsi.h         |  1 -
+ drivers/gpu/drm/msm/dsi/dsi_manager.c | 17 -----------------
+ 3 files changed, 7 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c
+index 75ae3008b68f4..fc280cc434943 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.c
++++ b/drivers/gpu/drm/msm/dsi/dsi.c
+@@ -215,9 +215,13 @@ int msm_dsi_modeset_init(struct msm_dsi *msm_dsi, struct drm_device *dev,
+               goto fail;
+       }
+-      if (!msm_dsi_manager_validate_current_config(msm_dsi->id)) {
+-              ret = -EINVAL;
+-              goto fail;
++      if (msm_dsi_is_bonded_dsi(msm_dsi) &&
++          !msm_dsi_is_master_dsi(msm_dsi)) {
++              /*
++               * Do not return an eror here,
++               * Just skip creating encoder/connector for the slave-DSI.
++               */
++              return 0;
+       }
+       msm_dsi->encoder = encoder;
+diff --git a/drivers/gpu/drm/msm/dsi/dsi.h b/drivers/gpu/drm/msm/dsi/dsi.h
+index 569c8ff062ba4..a63666e59d19e 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi.h
++++ b/drivers/gpu/drm/msm/dsi/dsi.h
+@@ -82,7 +82,6 @@ int msm_dsi_manager_cmd_xfer(int id, const struct mipi_dsi_msg *msg);
+ bool msm_dsi_manager_cmd_xfer_trigger(int id, u32 dma_base, u32 len);
+ int msm_dsi_manager_register(struct msm_dsi *msm_dsi);
+ void msm_dsi_manager_unregister(struct msm_dsi *msm_dsi);
+-bool msm_dsi_manager_validate_current_config(u8 id);
+ void msm_dsi_manager_tpg_enable(void);
+ /* msm dsi */
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c
+index 20c4d650fd80c..e58ec5c1a4c37 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c
+@@ -649,23 +649,6 @@ fail:
+       return ERR_PTR(ret);
+ }
+-bool msm_dsi_manager_validate_current_config(u8 id)
+-{
+-      bool is_bonded_dsi = IS_BONDED_DSI();
+-
+-      /*
+-       * For bonded DSI, we only have one drm panel. For this
+-       * use case, we register only one bridge/connector.
+-       * Skip bridge/connector initialisation if it is
+-       * slave-DSI for bonded DSI configuration.
+-       */
+-      if (is_bonded_dsi && !IS_MASTER_DSI_LINK(id)) {
+-              DBG("Skip bridge registration for slave DSI->id: %d\n", id);
+-              return false;
+-      }
+-      return true;
+-}
+-
+ /* initialize bridge */
+ struct drm_bridge *msm_dsi_manager_bridge_init(u8 id)
+ {
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-msm-gpu-don-t-allow-zero-fence_id.patch b/queue-5.16/drm-msm-gpu-don-t-allow-zero-fence_id.patch
new file mode 100644 (file)
index 0000000..cdaa839
--- /dev/null
@@ -0,0 +1,39 @@
+From 0f1e25a3237b75ba4a5d740cc0d4e330dec0c7b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 10:23:44 -0800
+Subject: drm/msm/gpu: Don't allow zero fence_id
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit ca3ffcbeb0c866d9b0cb38eaa2bd4416597b5966 ]
+
+Elsewhere we treat zero as "no fence" and __msm_gem_submit_destroy()
+skips removal from fence_idr.  We could alternately change this to use
+negative values for "no fence" but I think it is more clear to not allow
+zero as a valid fence_id.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Fixes: a61acbbe9cf8 ("drm/msm: Track "seqno" fences by idr")
+Link: https://lore.kernel.org/r/20211129182344.292609-1-robdclark@gmail.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 282628d6b72c0..6cfa984dee6ae 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -881,7 +881,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+        * to the underlying fence.
+        */
+       submit->fence_id = idr_alloc_cyclic(&queue->fence_idr,
+-                      submit->user_fence, 0, INT_MAX, GFP_KERNEL);
++                      submit->user_fence, 1, INT_MAX, GFP_KERNEL);
+       if (submit->fence_id < 0) {
+               ret = submit->fence_id = 0;
+               submit->fence_id = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch b/queue-5.16/drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch
new file mode 100644 (file)
index 0000000..655d132
--- /dev/null
@@ -0,0 +1,104 @@
+From 1ede8e6876414a1ae1531693c761dcf1cfd34e94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Feb 2021 19:29:52 +1000
+Subject: drm/nouveau/pmu/gm200-: avoid touching PMU outside of
+ DEVINIT/PREOS/ACR
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 1d2271d2fb85e54bfc9630a6c30ac0feb9ffb983 ]
+
+There have been reports of the WFI timing out on some boards, and a
+patch was proposed to just remove it.  This stuff is rather fragile,
+and I believe the WFI might be needed with our FW prior to GM200.
+
+However, we probably should not be touching PMU during init on GPUs
+where we depend on NVIDIA FW, outside of limited circumstances, so
+this should be a somewhat safer change that achieves the desired
+result.
+
+Reported-by: Diego Viola <diego.viola@gmail.com>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/10
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/nouveau/nvkm/subdev/pmu/base.c    | 37 +++++++++++--------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
+index 24382875fb4f3..455e95a89259f 100644
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/base.c
+@@ -94,20 +94,13 @@ nvkm_pmu_fini(struct nvkm_subdev *subdev, bool suspend)
+       return 0;
+ }
+-static int
++static void
+ nvkm_pmu_reset(struct nvkm_pmu *pmu)
+ {
+       struct nvkm_device *device = pmu->subdev.device;
+       if (!pmu->func->enabled(pmu))
+-              return 0;
+-
+-      /* Inhibit interrupts, and wait for idle. */
+-      nvkm_wr32(device, 0x10a014, 0x0000ffff);
+-      nvkm_msec(device, 2000,
+-              if (!nvkm_rd32(device, 0x10a04c))
+-                      break;
+-      );
++              return;
+       /* Reset. */
+       if (pmu->func->reset)
+@@ -118,25 +111,37 @@ nvkm_pmu_reset(struct nvkm_pmu *pmu)
+               if (!(nvkm_rd32(device, 0x10a10c) & 0x00000006))
+                       break;
+       );
+-
+-      return 0;
+ }
+ static int
+ nvkm_pmu_preinit(struct nvkm_subdev *subdev)
+ {
+       struct nvkm_pmu *pmu = nvkm_pmu(subdev);
+-      return nvkm_pmu_reset(pmu);
++      nvkm_pmu_reset(pmu);
++      return 0;
+ }
+ static int
+ nvkm_pmu_init(struct nvkm_subdev *subdev)
+ {
+       struct nvkm_pmu *pmu = nvkm_pmu(subdev);
+-      int ret = nvkm_pmu_reset(pmu);
+-      if (ret == 0 && pmu->func->init)
+-              ret = pmu->func->init(pmu);
+-      return ret;
++      struct nvkm_device *device = pmu->subdev.device;
++
++      if (!pmu->func->init)
++              return 0;
++
++      if (pmu->func->enabled(pmu)) {
++              /* Inhibit interrupts, and wait for idle. */
++              nvkm_wr32(device, 0x10a014, 0x0000ffff);
++              nvkm_msec(device, 2000,
++                      if (!nvkm_rd32(device, 0x10a04c))
++                              break;
++              );
++
++              nvkm_pmu_reset(pmu);
++      }
++
++      return pmu->func->init(pmu);
+ }
+ static void *
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-panel-delete-panel-on-mipi_dsi_attach-failure.patch b/queue-5.16/drm-panel-delete-panel-on-mipi_dsi_attach-failure.patch
new file mode 100644 (file)
index 0000000..e1312d2
--- /dev/null
@@ -0,0 +1,172 @@
+From eb3c9488576f49b55792261f9fdbe31a1973319e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 17:33:55 -0700
+Subject: drm/panel: Delete panel on mipi_dsi_attach() failure
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 9bf7123bb07f98dc76acb5daa91248e6f95713cb ]
+
+Many DSI panel drivers fail to clean up their panel references on
+mipi_dsi_attach() failure, so we're leaving a dangling drm_panel
+reference to freed memory. Clean that up on failure.
+
+Noticed by inspection, after seeing similar problems on other drivers.
+Therefore, I'm not marking Fixes/stable.
+
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.3.If9e74fa9b1d6eaa9e0e5b95b2b957b992740251c@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c    | 8 +++++++-
+ drivers/gpu/drm/panel/panel-jdi-lt070me05000.c           | 8 +++++++-
+ drivers/gpu/drm/panel/panel-novatek-nt36672a.c           | 8 +++++++-
+ drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c     | 8 +++++++-
+ drivers/gpu/drm/panel/panel-ronbo-rb070d30.c             | 8 +++++++-
+ drivers/gpu/drm/panel/panel-samsung-s6e88a0-ams452ef01.c | 1 +
+ drivers/gpu/drm/panel/panel-samsung-sofef00.c            | 1 +
+ drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c          | 8 +++++++-
+ 8 files changed, 44 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c b/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c
+index 581661b506f81..f9c1f7bc8218c 100644
+--- a/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c
++++ b/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c
+@@ -227,7 +227,13 @@ static int feiyang_dsi_probe(struct mipi_dsi_device *dsi)
+       dsi->format = MIPI_DSI_FMT_RGB888;
+       dsi->lanes = 4;
+-      return mipi_dsi_attach(dsi);
++      ret = mipi_dsi_attach(dsi);
++      if (ret < 0) {
++              drm_panel_remove(&ctx->panel);
++              return ret;
++      }
++
++      return 0;
+ }
+ static int feiyang_dsi_remove(struct mipi_dsi_device *dsi)
+diff --git a/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c b/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c
+index 733010b5e4f53..3c86ad262d5e0 100644
+--- a/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c
++++ b/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c
+@@ -473,7 +473,13 @@ static int jdi_panel_probe(struct mipi_dsi_device *dsi)
+       if (ret < 0)
+               return ret;
+-      return mipi_dsi_attach(dsi);
++      ret = mipi_dsi_attach(dsi);
++      if (ret < 0) {
++              jdi_panel_del(jdi);
++              return ret;
++      }
++
++      return 0;
+ }
+ static int jdi_panel_remove(struct mipi_dsi_device *dsi)
+diff --git a/drivers/gpu/drm/panel/panel-novatek-nt36672a.c b/drivers/gpu/drm/panel/panel-novatek-nt36672a.c
+index 533cd3934b8b7..839b263fb3c0f 100644
+--- a/drivers/gpu/drm/panel/panel-novatek-nt36672a.c
++++ b/drivers/gpu/drm/panel/panel-novatek-nt36672a.c
+@@ -656,7 +656,13 @@ static int nt36672a_panel_probe(struct mipi_dsi_device *dsi)
+       if (err < 0)
+               return err;
+-      return mipi_dsi_attach(dsi);
++      err = mipi_dsi_attach(dsi);
++      if (err < 0) {
++              drm_panel_remove(&pinfo->base);
++              return err;
++      }
++
++      return 0;
+ }
+ static int nt36672a_panel_remove(struct mipi_dsi_device *dsi)
+diff --git a/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c b/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c
+index 3c20beeb17819..3991f5d950af4 100644
+--- a/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c
++++ b/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c
+@@ -241,7 +241,13 @@ static int wuxga_nt_panel_probe(struct mipi_dsi_device *dsi)
+       if (ret < 0)
+               return ret;
+-      return mipi_dsi_attach(dsi);
++      ret = mipi_dsi_attach(dsi);
++      if (ret < 0) {
++              wuxga_nt_panel_del(wuxga_nt);
++              return ret;
++      }
++
++      return 0;
+ }
+ static int wuxga_nt_panel_remove(struct mipi_dsi_device *dsi)
+diff --git a/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c b/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c
+index a3782830ae3c4..1fb579a574d9f 100644
+--- a/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c
++++ b/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c
+@@ -199,7 +199,13 @@ static int rb070d30_panel_dsi_probe(struct mipi_dsi_device *dsi)
+       dsi->format = MIPI_DSI_FMT_RGB888;
+       dsi->lanes = 4;
+-      return mipi_dsi_attach(dsi);
++      ret = mipi_dsi_attach(dsi);
++      if (ret < 0) {
++              drm_panel_remove(&ctx->panel);
++              return ret;
++      }
++
++      return 0;
+ }
+ static int rb070d30_panel_dsi_remove(struct mipi_dsi_device *dsi)
+diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e88a0-ams452ef01.c b/drivers/gpu/drm/panel/panel-samsung-s6e88a0-ams452ef01.c
+index ea63799ff2a1e..29fde3823212b 100644
+--- a/drivers/gpu/drm/panel/panel-samsung-s6e88a0-ams452ef01.c
++++ b/drivers/gpu/drm/panel/panel-samsung-s6e88a0-ams452ef01.c
+@@ -247,6 +247,7 @@ static int s6e88a0_ams452ef01_probe(struct mipi_dsi_device *dsi)
+       ret = mipi_dsi_attach(dsi);
+       if (ret < 0) {
+               dev_err(dev, "Failed to attach to DSI host: %d\n", ret);
++              drm_panel_remove(&ctx->panel);
+               return ret;
+       }
+diff --git a/drivers/gpu/drm/panel/panel-samsung-sofef00.c b/drivers/gpu/drm/panel/panel-samsung-sofef00.c
+index 8cb1853574bb8..6d107e14fcc55 100644
+--- a/drivers/gpu/drm/panel/panel-samsung-sofef00.c
++++ b/drivers/gpu/drm/panel/panel-samsung-sofef00.c
+@@ -302,6 +302,7 @@ static int sofef00_panel_probe(struct mipi_dsi_device *dsi)
+       ret = mipi_dsi_attach(dsi);
+       if (ret < 0) {
+               dev_err(dev, "Failed to attach to DSI host: %d\n", ret);
++              drm_panel_remove(&ctx->panel);
+               return ret;
+       }
+diff --git a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
+index b937e24dac8e0..25829a0a8e801 100644
+--- a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
++++ b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c
+@@ -296,7 +296,13 @@ static int sharp_nt_panel_probe(struct mipi_dsi_device *dsi)
+       if (ret < 0)
+               return ret;
+-      return mipi_dsi_attach(dsi);
++      ret = mipi_dsi_attach(dsi);
++      if (ret < 0) {
++              sharp_nt_panel_del(sharp_nt);
++              return ret;
++      }
++
++      return 0;
+ }
+ static int sharp_nt_panel_remove(struct mipi_dsi_device *dsi)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch b/queue-5.16/drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch
new file mode 100644 (file)
index 0000000..e23b859
--- /dev/null
@@ -0,0 +1,57 @@
+From 386f4af8bb24a2fc9fb193472d537324ee4e225e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 17:33:54 -0700
+Subject: drm/panel: innolux-p079zca: Delete panel on attach() failure
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 32a267e9c057e1636e7afdd20599aa5741a73079 ]
+
+If we fail to attach (e.g., because 1 of 2 dual-DSI controllers aren't
+ready), we leave a dangling drm_panel reference to freed memory. Clean
+that up on failure.
+
+This problem exists since the driver's introduction, but is especially
+relevant after refactored for dual-DSI variants.
+
+Fixes: 14c8f2e9f8ea ("drm/panel: add Innolux P079ZCA panel driver")
+Fixes: 7ad4e4636c54 ("drm/panel: p079zca: Refactor panel driver to support multiple panels")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.2.I9023cf8811a3abf4964ed84eb681721d8bb489d6@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-innolux-p079zca.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
+index aea3162253914..f194b62e290ca 100644
+--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c
++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c
+@@ -484,6 +484,7 @@ static void innolux_panel_del(struct innolux_panel *innolux)
+ static int innolux_panel_probe(struct mipi_dsi_device *dsi)
+ {
+       const struct panel_desc *desc;
++      struct innolux_panel *innolux;
+       int err;
+       desc = of_device_get_match_data(&dsi->dev);
+@@ -495,7 +496,14 @@ static int innolux_panel_probe(struct mipi_dsi_device *dsi)
+       if (err < 0)
+               return err;
+-      return mipi_dsi_attach(dsi);
++      err = mipi_dsi_attach(dsi);
++      if (err < 0) {
++              innolux = mipi_dsi_get_drvdata(dsi);
++              innolux_panel_del(innolux);
++              return err;
++      }
++
++      return 0;
+ }
+ static int innolux_panel_remove(struct mipi_dsi_device *dsi)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch b/queue-5.16/drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch
new file mode 100644 (file)
index 0000000..12d1f44
--- /dev/null
@@ -0,0 +1,44 @@
+From db3ccdfd8ee3406231ce16cd13147fac36a99bcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 17:33:53 -0700
+Subject: drm/panel: kingdisplay-kd097d04: Delete panel on attach() failure
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 5f31dbeae8a88f31c3eb4eb526ab4807c40da241 ]
+
+If we fail to attach (e.g., because 1 of 2 dual-DSI controllers aren't
+ready), we leave a dangling drm_panel reference to freed memory. Clean
+that up on failure.
+
+Fixes: 2a994cbed6b2 ("drm/panel: Add Kingdisplay KD097D04 panel driver")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210923173336.1.Icb4d9dbc1817f4e826361a4f1cea7461541668f0@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c
+index 86e4213e8bb13..daccb1fd5fdad 100644
+--- a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c
++++ b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c
+@@ -406,7 +406,13 @@ static int kingdisplay_panel_probe(struct mipi_dsi_device *dsi)
+       if (err < 0)
+               return err;
+-      return mipi_dsi_attach(dsi);
++      err = mipi_dsi_attach(dsi);
++      if (err < 0) {
++              kingdisplay_panel_del(kingdisplay);
++              return err;
++      }
++
++      return 0;
+ }
+ static int kingdisplay_panel_remove(struct mipi_dsi_device *dsi)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch b/queue-5.16/drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch
new file mode 100644 (file)
index 0000000..1250b2e
--- /dev/null
@@ -0,0 +1,43 @@
+From ab83f109312bf107007a66c923da41d959e53ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Nov 2021 14:02:27 +0100
+Subject: drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book
+ X91F/L
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit bc30c3b0c8a1904d83d5f0d60fb8650a334b207b ]
+
+The Lenovo Yoga Book X91F/L uses a panel which has been mounted
+90 degrees rotated. Add a quirk for this.
+
+Cc: Yauhen Kharuzhy <jekhor@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Simon Ser <contact@emersion.fr>
+Tested-by: Yauhen Kharuzhy <jekhor@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211106130227.11927-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index a9359878f4ed6..042bb80383c93 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -262,6 +262,12 @@ static const struct dmi_system_id orientation_data[] = {
+                 DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
+               },
+               .driver_data = (void *)&lcd1200x1920_rightside_up,
++      }, {    /* Lenovo Yoga Book X90F / X91F / X91L */
++              .matches = {
++                /* Non exact match to match all versions */
++                DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"),
++              },
++              .driver_data = (void *)&lcd1200x1920_rightside_up,
+       }, {    /* OneGX1 Pro */
+               .matches = {
+                 DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SYSTEM_MANUFACTURER"),
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch b/queue-5.16/drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..e9981d9
--- /dev/null
@@ -0,0 +1,122 @@
+From 5c1f1f6797368533aefdc1f86a80758929131f18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 23:13:10 +0800
+Subject: drm/radeon/radeon_kms: Fix a NULL pointer dereference in
+ radeon_driver_open_kms()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit ab50cb9df8896b39aae65c537a30de2c79c19735 ]
+
+In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
+vm->ib_bo_va and passes and used in radeon_vm_bo_set_addr(). In
+radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
+which could lead to a NULL pointer dereference on failure of
+radeon_vm_bo_add().
+
+Fix this bug by adding a check of vm->ib_bo_va.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_DRM_RADEON=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 36 ++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
+index 482fb0ae6cb5d..66aee48fd09d2 100644
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
+ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+ {
+       struct radeon_device *rdev = dev->dev_private;
++      struct radeon_fpriv *fpriv;
++      struct radeon_vm *vm;
+       int r;
+       file_priv->driver_priv = NULL;
+@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+       /* new gpu have virtual address space support */
+       if (rdev->family >= CHIP_CAYMAN) {
+-              struct radeon_fpriv *fpriv;
+-              struct radeon_vm *vm;
+               fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
+               if (unlikely(!fpriv)) {
+@@ -672,35 +672,39 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
+               if (rdev->accel_working) {
+                       vm = &fpriv->vm;
+                       r = radeon_vm_init(rdev, vm);
+-                      if (r) {
+-                              kfree(fpriv);
+-                              goto out_suspend;
+-                      }
++                      if (r)
++                              goto out_fpriv;
+                       r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
+-                      if (r) {
+-                              radeon_vm_fini(rdev, vm);
+-                              kfree(fpriv);
+-                              goto out_suspend;
+-                      }
++                      if (r)
++                              goto out_vm_fini;
+                       /* map the ib pool buffer read only into
+                        * virtual address space */
+                       vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
+                                                       rdev->ring_tmp_bo.bo);
++                      if (!vm->ib_bo_va) {
++                              r = -ENOMEM;
++                              goto out_vm_fini;
++                      }
++
+                       r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
+                                                 RADEON_VA_IB_OFFSET,
+                                                 RADEON_VM_PAGE_READABLE |
+                                                 RADEON_VM_PAGE_SNOOPED);
+-                      if (r) {
+-                              radeon_vm_fini(rdev, vm);
+-                              kfree(fpriv);
+-                              goto out_suspend;
+-                      }
++                      if (r)
++                              goto out_vm_fini;
+               }
+               file_priv->driver_priv = fpriv;
+       }
++      if (!r)
++              goto out_suspend;
++
++out_vm_fini:
++      radeon_vm_fini(rdev, vm);
++out_fpriv:
++      kfree(fpriv);
+ out_suspend:
+       pm_runtime_mark_last_busy(dev->dev);
+       pm_runtime_put_autosuspend(dev->dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-rcar-du-add-dsi-support-to-rcar_du_output_name.patch b/queue-5.16/drm-rcar-du-add-dsi-support-to-rcar_du_output_name.patch
new file mode 100644 (file)
index 0000000..b8da5b5
--- /dev/null
@@ -0,0 +1,47 @@
+From 20f2e675dcaff90e98240468842e36eec75e1d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 17:08:45 +0000
+Subject: drm: rcar-du: Add DSI support to rcar_du_output_name
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+[ Upstream commit e0e4c64a64780a8672480618142776de8bf98d07 ]
+
+The DSI output names were not added when the DSI pipeline support was
+introduced.
+
+Add the correct labels for these outputs, and fix the sort order to
+match 'enum rcar_du_output' while we are here.
+
+Fixes: b291fdcf5114 ("drm: rcar-du: Add r8a779a0 device support")
+Suggested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_drv.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_drv.c b/drivers/gpu/drm/rcar-du/rcar_du_drv.c
+index 5612a9e7a9056..5a8131ef81d5a 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_drv.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_drv.c
+@@ -544,10 +544,12 @@ const char *rcar_du_output_name(enum rcar_du_output output)
+       static const char * const names[] = {
+               [RCAR_DU_OUTPUT_DPAD0] = "DPAD0",
+               [RCAR_DU_OUTPUT_DPAD1] = "DPAD1",
+-              [RCAR_DU_OUTPUT_LVDS0] = "LVDS0",
+-              [RCAR_DU_OUTPUT_LVDS1] = "LVDS1",
++              [RCAR_DU_OUTPUT_DSI0] = "DSI0",
++              [RCAR_DU_OUTPUT_DSI1] = "DSI1",
+               [RCAR_DU_OUTPUT_HDMI0] = "HDMI0",
+               [RCAR_DU_OUTPUT_HDMI1] = "HDMI1",
++              [RCAR_DU_OUTPUT_LVDS0] = "LVDS0",
++              [RCAR_DU_OUTPUT_LVDS1] = "LVDS1",
+               [RCAR_DU_OUTPUT_TCON] = "TCON",
+       };
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-rcar-du-crtc-support-external-dsi-dot-clock.patch b/queue-5.16/drm-rcar-du-crtc-support-external-dsi-dot-clock.patch
new file mode 100644 (file)
index 0000000..a4e6dd1
--- /dev/null
@@ -0,0 +1,54 @@
+From d69da765c2637a2b4a188a082bd0a913a079a5b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 09:35:14 +0000
+Subject: drm: rcar-du: crtc: Support external DSI dot clock
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+[ Upstream commit 57b290cb905bec520372ac635d9e9f0548d9d67e ]
+
+On platforms with an external clock, both the group and crtc must be
+handled accordingly to correctly pass through the external clock and
+configure the DU to use the external rate.
+
+The CRTC support was missed while adding the DSI support on the r8a779a0
+which led to the output clocks being incorrectly determined.
+
+Ensure that when a CRTC is routed through the DSI encoder, the external
+clock is used without any further divider being applied.
+
+Fixes: b291fdcf5114 ("drm: rcar-du: Add r8a779a0 device support")
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+index 5672830ca184d..5236f917cc68d 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+@@ -261,12 +261,13 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc)
+               rcar_du_group_write(rcrtc->group, DPLLCR, dpllcr);
+               escr = ESCR_DCLKSEL_DCLKIN | div;
+-      } else if (rcdu->info->lvds_clk_mask & BIT(rcrtc->index)) {
++      } else if (rcdu->info->lvds_clk_mask & BIT(rcrtc->index) ||
++                 rcdu->info->dsi_clk_mask & BIT(rcrtc->index)) {
+               /*
+-               * Use the LVDS PLL output as the dot clock when outputting to
+-               * the LVDS encoder on an SoC that supports this clock routing
+-               * option. We use the clock directly in that case, without any
+-               * additional divider.
++               * Use the external LVDS or DSI PLL output as the dot clock when
++               * outputting to the LVDS or DSI encoder on an SoC that supports
++               * this clock routing option. We use the clock directly in that
++               * case, without any additional divider.
+                */
+               escr = ESCR_DCLKSEL_DCLKIN;
+       } else {
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch b/queue-5.16/drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch
new file mode 100644 (file)
index 0000000..0a994ac
--- /dev/null
@@ -0,0 +1,82 @@
+From e9cdf314c1980c9730a2f9ab97a1acd5773b3b4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 03:10:46 +0200
+Subject: drm: rcar-du: Fix CRTC timings when CMM is used
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit f0ce591dc9a97067c6e783a2eaccd22c5476144d ]
+
+When the CMM is enabled, an offset of 25 pixels must be subtracted from
+the HDS (horizontal display start) and HDE (horizontal display end)
+registers. Fix the timings calculation, and take this into account in
+the mode validation.
+
+This fixes a visible horizontal offset in the image with VGA monitors.
+HDMI monitors seem to be generally more tolerant to incorrect timings,
+but may be affected too.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+index 5236f917cc68d..f361a604337f6 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+@@ -215,6 +215,7 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc)
+       const struct drm_display_mode *mode = &rcrtc->crtc.state->adjusted_mode;
+       struct rcar_du_device *rcdu = rcrtc->dev;
+       unsigned long mode_clock = mode->clock * 1000;
++      unsigned int hdse_offset;
+       u32 dsmr;
+       u32 escr;
+@@ -299,10 +300,15 @@ static void rcar_du_crtc_set_display_timing(struct rcar_du_crtc *rcrtc)
+            | DSMR_DIPM_DISP | DSMR_CSPM;
+       rcar_du_crtc_write(rcrtc, DSMR, dsmr);
++      hdse_offset = 19;
++      if (rcrtc->group->cmms_mask & BIT(rcrtc->index % 2))
++              hdse_offset += 25;
++
+       /* Display timings */
+-      rcar_du_crtc_write(rcrtc, HDSR, mode->htotal - mode->hsync_start - 19);
++      rcar_du_crtc_write(rcrtc, HDSR, mode->htotal - mode->hsync_start -
++                                      hdse_offset);
+       rcar_du_crtc_write(rcrtc, HDER, mode->htotal - mode->hsync_start +
+-                                      mode->hdisplay - 19);
++                                      mode->hdisplay - hdse_offset);
+       rcar_du_crtc_write(rcrtc, HSWR, mode->hsync_end -
+                                       mode->hsync_start - 1);
+       rcar_du_crtc_write(rcrtc, HCR,  mode->htotal - 1);
+@@ -837,6 +843,7 @@ rcar_du_crtc_mode_valid(struct drm_crtc *crtc,
+       struct rcar_du_crtc *rcrtc = to_rcar_crtc(crtc);
+       struct rcar_du_device *rcdu = rcrtc->dev;
+       bool interlaced = mode->flags & DRM_MODE_FLAG_INTERLACE;
++      unsigned int min_sync_porch;
+       unsigned int vbp;
+       if (interlaced && !rcar_du_has(rcdu, RCAR_DU_FEATURE_INTERLACED))
+@@ -844,9 +851,14 @@ rcar_du_crtc_mode_valid(struct drm_crtc *crtc,
+       /*
+        * The hardware requires a minimum combined horizontal sync and back
+-       * porch of 20 pixels and a minimum vertical back porch of 3 lines.
++       * porch of 20 pixels (when CMM isn't used) or 45 pixels (when CMM is
++       * used), and a minimum vertical back porch of 3 lines.
+        */
+-      if (mode->htotal - mode->hsync_start < 20)
++      min_sync_porch = 20;
++      if (rcrtc->group->cmms_mask & BIT(rcrtc->index % 2))
++              min_sync_porch += 25;
++
++      if (mode->htotal - mode->hsync_start < min_sync_porch)
+               return MODE_HBLANK_NARROW;
+       vbp = (mode->vtotal - mode->vsync_end) / (interlaced ? 2 : 1);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-return-error-codes-from-struct-drm_driver.gem_cr.patch b/queue-5.16/drm-return-error-codes-from-struct-drm_driver.gem_cr.patch
new file mode 100644 (file)
index 0000000..3c98dba
--- /dev/null
@@ -0,0 +1,202 @@
+From 79ab0a3ef5a0c4059da905536946330dd6654a86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 10:52:55 +0100
+Subject: drm: Return error codes from struct drm_driver.gem_create_object
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 4ff22f487f8c26b99cbe1678344595734c001a39 ]
+
+GEM helper libraries use struct drm_driver.gem_create_object to let
+drivers override GEM object allocation. On failure, the call returns
+NULL.
+
+Change the semantics to make the calls return a pointer-encoded error.
+This aligns the callback with its callers. Fixes the ingenic driver,
+which already returns an error pointer.
+
+Also update the callers to handle the involved types more strictly.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Acked-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211130095255.26710-1-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_gem_cma_helper.c    | 17 ++++++++++-------
+ drivers/gpu/drm/drm_gem_shmem_helper.c  | 17 ++++++++++-------
+ drivers/gpu/drm/drm_gem_vram_helper.c   |  4 ++--
+ drivers/gpu/drm/lima/lima_gem.c         |  2 +-
+ drivers/gpu/drm/panfrost/panfrost_gem.c |  2 +-
+ drivers/gpu/drm/v3d/v3d_bo.c            |  4 ++--
+ drivers/gpu/drm/vgem/vgem_drv.c         |  2 +-
+ drivers/gpu/drm/virtio/virtgpu_object.c |  2 +-
+ include/drm/drm_drv.h                   |  5 +++--
+ 9 files changed, 31 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_gem_cma_helper.c b/drivers/gpu/drm/drm_gem_cma_helper.c
+index 9d05674550a4f..1e7e8cd64cb58 100644
+--- a/drivers/gpu/drm/drm_gem_cma_helper.c
++++ b/drivers/gpu/drm/drm_gem_cma_helper.c
+@@ -62,18 +62,21 @@ __drm_gem_cma_create(struct drm_device *drm, size_t size, bool private)
+       struct drm_gem_object *gem_obj;
+       int ret = 0;
+-      if (drm->driver->gem_create_object)
++      if (drm->driver->gem_create_object) {
+               gem_obj = drm->driver->gem_create_object(drm, size);
+-      else
+-              gem_obj = kzalloc(sizeof(*cma_obj), GFP_KERNEL);
+-      if (!gem_obj)
+-              return ERR_PTR(-ENOMEM);
++              if (IS_ERR(gem_obj))
++                      return ERR_CAST(gem_obj);
++              cma_obj = to_drm_gem_cma_obj(gem_obj);
++      } else {
++              cma_obj = kzalloc(sizeof(*cma_obj), GFP_KERNEL);
++              if (!cma_obj)
++                      return ERR_PTR(-ENOMEM);
++              gem_obj = &cma_obj->base;
++      }
+       if (!gem_obj->funcs)
+               gem_obj->funcs = &drm_gem_cma_default_funcs;
+-      cma_obj = container_of(gem_obj, struct drm_gem_cma_object, base);
+-
+       if (private) {
+               drm_gem_private_object_init(drm, gem_obj, size);
+diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
+index bca0de92802ef..fe157bf278347 100644
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -51,14 +51,17 @@ __drm_gem_shmem_create(struct drm_device *dev, size_t size, bool private)
+       size = PAGE_ALIGN(size);
+-      if (dev->driver->gem_create_object)
++      if (dev->driver->gem_create_object) {
+               obj = dev->driver->gem_create_object(dev, size);
+-      else
+-              obj = kzalloc(sizeof(*shmem), GFP_KERNEL);
+-      if (!obj)
+-              return ERR_PTR(-ENOMEM);
+-
+-      shmem = to_drm_gem_shmem_obj(obj);
++              if (IS_ERR(obj))
++                      return ERR_CAST(obj);
++              shmem = to_drm_gem_shmem_obj(obj);
++      } else {
++              shmem = kzalloc(sizeof(*shmem), GFP_KERNEL);
++              if (!shmem)
++                      return ERR_PTR(-ENOMEM);
++              obj = &shmem->base;
++      }
+       if (!obj->funcs)
+               obj->funcs = &drm_gem_shmem_funcs;
+diff --git a/drivers/gpu/drm/drm_gem_vram_helper.c b/drivers/gpu/drm/drm_gem_vram_helper.c
+index bfa386b981346..3f00192215d11 100644
+--- a/drivers/gpu/drm/drm_gem_vram_helper.c
++++ b/drivers/gpu/drm/drm_gem_vram_helper.c
+@@ -197,8 +197,8 @@ struct drm_gem_vram_object *drm_gem_vram_create(struct drm_device *dev,
+       if (dev->driver->gem_create_object) {
+               gem = dev->driver->gem_create_object(dev, size);
+-              if (!gem)
+-                      return ERR_PTR(-ENOMEM);
++              if (IS_ERR(gem))
++                      return ERR_CAST(gem);
+               gbo = drm_gem_vram_of_gem(gem);
+       } else {
+               gbo = kzalloc(sizeof(*gbo), GFP_KERNEL);
+diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c
+index 640acc060467c..54823bd701a4b 100644
+--- a/drivers/gpu/drm/lima/lima_gem.c
++++ b/drivers/gpu/drm/lima/lima_gem.c
+@@ -221,7 +221,7 @@ struct drm_gem_object *lima_gem_create_object(struct drm_device *dev, size_t siz
+       bo = kzalloc(sizeof(*bo), GFP_KERNEL);
+       if (!bo)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       mutex_init(&bo->lock);
+       INIT_LIST_HEAD(&bo->va);
+diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c
+index 23377481f4e31..39ac031548954 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_gem.c
++++ b/drivers/gpu/drm/panfrost/panfrost_gem.c
+@@ -221,7 +221,7 @@ struct drm_gem_object *panfrost_gem_create_object(struct drm_device *dev, size_t
+       obj = kzalloc(sizeof(*obj), GFP_KERNEL);
+       if (!obj)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       INIT_LIST_HEAD(&obj->mappings.list);
+       mutex_init(&obj->mappings.lock);
+diff --git a/drivers/gpu/drm/v3d/v3d_bo.c b/drivers/gpu/drm/v3d/v3d_bo.c
+index 6a8731ab9d7d0..9a1a92782524c 100644
+--- a/drivers/gpu/drm/v3d/v3d_bo.c
++++ b/drivers/gpu/drm/v3d/v3d_bo.c
+@@ -70,11 +70,11 @@ struct drm_gem_object *v3d_create_object(struct drm_device *dev, size_t size)
+       struct drm_gem_object *obj;
+       if (size == 0)
+-              return NULL;
++              return ERR_PTR(-EINVAL);
+       bo = kzalloc(sizeof(*bo), GFP_KERNEL);
+       if (!bo)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       obj = &bo->base.base;
+       obj->funcs = &v3d_gem_funcs;
+diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
+index a87eafa89e9f4..c5e3e54577377 100644
+--- a/drivers/gpu/drm/vgem/vgem_drv.c
++++ b/drivers/gpu/drm/vgem/vgem_drv.c
+@@ -97,7 +97,7 @@ static struct drm_gem_object *vgem_gem_create_object(struct drm_device *dev, siz
+       obj = kzalloc(sizeof(*obj), GFP_KERNEL);
+       if (!obj)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       /*
+        * vgem doesn't have any begin/end cpu access ioctls, therefore must use
+diff --git a/drivers/gpu/drm/virtio/virtgpu_object.c b/drivers/gpu/drm/virtio/virtgpu_object.c
+index f648b0e24447b..4749c9303de05 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_object.c
++++ b/drivers/gpu/drm/virtio/virtgpu_object.c
+@@ -140,7 +140,7 @@ struct drm_gem_object *virtio_gpu_create_object(struct drm_device *dev,
+       shmem = kzalloc(sizeof(*shmem), GFP_KERNEL);
+       if (!shmem)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       dshmem = &shmem->base.base;
+       dshmem->base.funcs = &virtio_gpu_shmem_funcs;
+diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
+index 0cd95953cdf55..96c264c4be4fe 100644
+--- a/include/drm/drm_drv.h
++++ b/include/drm/drm_drv.h
+@@ -291,8 +291,9 @@ struct drm_driver {
+       /**
+        * @gem_create_object: constructor for gem objects
+        *
+-       * Hook for allocating the GEM object struct, for use by the CMA and
+-       * SHMEM GEM helpers.
++       * Hook for allocating the GEM object struct, for use by the CMA
++       * and SHMEM GEM helpers. Returns a GEM object on success, or an
++       * ERR_PTR()-encoded error code otherwise.
+        */
+       struct drm_gem_object *(*gem_create_object)(struct drm_device *dev,
+                                                   size_t size);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch b/queue-5.16/drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch
new file mode 100644 (file)
index 0000000..d131011
--- /dev/null
@@ -0,0 +1,64 @@
+From 50eee9a83a3b7028b0ca0c83e2a68538bf47f42e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:35:52 -0700
+Subject: drm/rockchip: dsi: Disable PLL clock on bind error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 5a614570172e1c9f59035d259dd735acd4f1c01b ]
+
+Fix some error handling here noticed in review of other changes.
+
+Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reported-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.4.I8bb7a91ecc411d56bc155763faa15f289d7fc074@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+index 7f3eb2cc85dfb..1bec0d119d6e5 100644
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -942,7 +942,7 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev,
+       ret = clk_prepare_enable(dsi->grf_clk);
+       if (ret) {
+               DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
+-              goto out_pm_runtime;
++              goto out_pll_clk;
+       }
+       dw_mipi_dsi_rockchip_config(dsi);
+@@ -954,17 +954,19 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev,
+       ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to create drm encoder\n");
+-              goto out_pm_runtime;
++              goto out_pll_clk;
+       }
+       ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret);
+-              goto out_pm_runtime;
++              goto out_pll_clk;
+       }
+       return 0;
++out_pll_clk:
++      clk_disable_unprepare(dsi->pllref_clk);
+ out_pm_runtime:
+       pm_runtime_put(dsi->dev);
+       if (dsi->slave)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch b/queue-5.16/drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch
new file mode 100644 (file)
index 0000000..cce3ba1
--- /dev/null
@@ -0,0 +1,51 @@
+From 75af9e1f2d6c9cf99870cc778452895a319e0dc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:35:51 -0700
+Subject: drm/rockchip: dsi: Fix unbalanced clock on probe error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 251888398753924059f3bb247a44153a2853137f ]
+
+Our probe() function never enabled this clock, so we shouldn't disable
+it if we fail to probe the bridge.
+
+Noted by inspection.
+
+Fixes: 2d4f7bdafd70 ("drm/rockchip: dsi: migrate to use dw-mipi-dsi bridge driver")
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.3.Ie8ceefb51ab6065a1151869b6fcda41a467d4d2c@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+index a9acbcc420d07..969cdbf18903d 100644
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -1396,14 +1396,10 @@ static int dw_mipi_dsi_rockchip_probe(struct platform_device *pdev)
+               if (ret != -EPROBE_DEFER)
+                       DRM_DEV_ERROR(dev,
+                                     "Failed to probe dw_mipi_dsi: %d\n", ret);
+-              goto err_clkdisable;
++              return ret;
+       }
+       return 0;
+-
+-err_clkdisable:
+-      clk_disable_unprepare(dsi->pllref_clk);
+-      return ret;
+ }
+ static int dw_mipi_dsi_rockchip_remove(struct platform_device *pdev)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch b/queue-5.16/drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
new file mode 100644 (file)
index 0000000..1f938bf
--- /dev/null
@@ -0,0 +1,156 @@
+From df8c61c33e7a9a0f7298b9f812512068e8025504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 14:35:49 -0700
+Subject: drm/rockchip: dsi: Hold pm-runtime across bind/unbind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 514db871922f103886ad4d221cf406b4fcc5e74a ]
+
+In commit 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except
+LCDC mux to bind()"), we moved most HW configuration to bind(), but we
+didn't move the runtime PM management. Therefore, depending on initial
+boot state, runtime-PM workqueue delays, and other timing factors, we
+may disable our power domain in between the hardware configuration
+(bind()) and when we enable the display. This can cause us to lose
+hardware state and fail to configure our display. For example:
+
+  dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+  panel-innolux-p079zca ff960000.mipi.0: failed to write command 0
+
+or:
+
+  dw-mipi-dsi-rockchip ff968000.mipi: failed to write command FIFO
+  panel-kingdisplay-kd097d04 ff960000.mipi.0: failed write init cmds: -110
+
+We should match the runtime PM to the lifetime of the bind()/unbind()
+cycle.
+
+Tested on Acer Chrometab 10 (RK3399 Gru-Scarlet), with panel drivers
+built either as modules or built-in.
+
+Side notes: it seems one is more likely to see this problem when the
+panel driver is built into the kernel. I've also seen this problem
+bisect down to commits that simply changed Kconfig dependencies, because
+it changed the order in which driver init functions were compiled into
+the kernel, and therefore the ordering and timing of built-in device
+probe.
+
+Fixes: 43c2de1002d2 ("drm/rockchip: dsi: move all lane config except LCDC mux to bind()")
+Link: https://lore.kernel.org/linux-rockchip/9aedfb528600ecf871885f7293ca4207c84d16c1.camel@gmail.com/
+Reported-by: <aleksandr.o.makarov@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210928143413.v3.1.Ic2904d37f30013a7f3d8476203ad3733c186827e@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/rockchip/dw-mipi-dsi-rockchip.c   | 37 ++++++++++---------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+index 969cdbf18903d..7f3eb2cc85dfb 100644
+--- a/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c
+@@ -772,10 +772,6 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder)
+       if (mux < 0)
+               return;
+-      pm_runtime_get_sync(dsi->dev);
+-      if (dsi->slave)
+-              pm_runtime_get_sync(dsi->slave->dev);
+-
+       /*
+        * For the RK3399, the clk of grf must be enabled before writing grf
+        * register. And for RK3288 or other soc, this grf_clk must be NULL,
+@@ -794,20 +790,10 @@ static void dw_mipi_dsi_encoder_enable(struct drm_encoder *encoder)
+       clk_disable_unprepare(dsi->grf_clk);
+ }
+-static void dw_mipi_dsi_encoder_disable(struct drm_encoder *encoder)
+-{
+-      struct dw_mipi_dsi_rockchip *dsi = to_dsi(encoder);
+-
+-      if (dsi->slave)
+-              pm_runtime_put(dsi->slave->dev);
+-      pm_runtime_put(dsi->dev);
+-}
+-
+ static const struct drm_encoder_helper_funcs
+ dw_mipi_dsi_encoder_helper_funcs = {
+       .atomic_check = dw_mipi_dsi_encoder_atomic_check,
+       .enable = dw_mipi_dsi_encoder_enable,
+-      .disable = dw_mipi_dsi_encoder_disable,
+ };
+ static int rockchip_dsi_drm_create_encoder(struct dw_mipi_dsi_rockchip *dsi,
+@@ -937,10 +923,14 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev,
+               put_device(second);
+       }
++      pm_runtime_get_sync(dsi->dev);
++      if (dsi->slave)
++              pm_runtime_get_sync(dsi->slave->dev);
++
+       ret = clk_prepare_enable(dsi->pllref_clk);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to enable pllref_clk: %d\n", ret);
+-              return ret;
++              goto out_pm_runtime;
+       }
+       /*
+@@ -952,7 +942,7 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev,
+       ret = clk_prepare_enable(dsi->grf_clk);
+       if (ret) {
+               DRM_DEV_ERROR(dsi->dev, "Failed to enable grf_clk: %d\n", ret);
+-              return ret;
++              goto out_pm_runtime;
+       }
+       dw_mipi_dsi_rockchip_config(dsi);
+@@ -964,16 +954,23 @@ static int dw_mipi_dsi_rockchip_bind(struct device *dev,
+       ret = rockchip_dsi_drm_create_encoder(dsi, drm_dev);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to create drm encoder\n");
+-              return ret;
++              goto out_pm_runtime;
+       }
+       ret = dw_mipi_dsi_bind(dsi->dmd, &dsi->encoder);
+       if (ret) {
+               DRM_DEV_ERROR(dev, "Failed to bind: %d\n", ret);
+-              return ret;
++              goto out_pm_runtime;
+       }
+       return 0;
++
++out_pm_runtime:
++      pm_runtime_put(dsi->dev);
++      if (dsi->slave)
++              pm_runtime_put(dsi->slave->dev);
++
++      return ret;
+ }
+ static void dw_mipi_dsi_rockchip_unbind(struct device *dev,
+@@ -988,6 +985,10 @@ static void dw_mipi_dsi_rockchip_unbind(struct device *dev,
+       dw_mipi_dsi_unbind(dsi->dmd);
+       clk_disable_unprepare(dsi->pllref_clk);
++
++      pm_runtime_put(dsi->dev);
++      if (dsi->slave)
++              pm_runtime_put(dsi->slave->dev);
+ }
+ static const struct component_ops dw_mipi_dsi_rockchip_ops = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-sched-avoid-lockdep-spalt-on-killing-a-processes.patch b/queue-5.16/drm-sched-avoid-lockdep-spalt-on-killing-a-processes.patch
new file mode 100644 (file)
index 0000000..82c597f
--- /dev/null
@@ -0,0 +1,127 @@
+From 204e05b3150248c4f7e6ecc8781ae99de16f5012 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 12:24:03 -0400
+Subject: drm/sched: Avoid lockdep spalt on killing a processes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit 542cff7893a37445f98ece26aeb3c9c1055e9ea4 ]
+
+Probelm:
+Singlaning one sched fence from within another's sched
+fence singal callback generates lockdep splat because
+the both have same lockdep class of their fence->lock
+
+Fix:
+Fix bellow stack by rescheduling to irq work of
+signaling and killing of jobs that left when entity is killed.
+
+[11176.741181]  dump_stack+0x10/0x12
+[11176.741186] __lock_acquire.cold+0x208/0x2df
+[11176.741197]  lock_acquire+0xc6/0x2d0
+[11176.741204]  ? dma_fence_signal+0x28/0x80
+[11176.741212] _raw_spin_lock_irqsave+0x4d/0x70
+[11176.741219]  ? dma_fence_signal+0x28/0x80
+[11176.741225]  dma_fence_signal+0x28/0x80
+[11176.741230] drm_sched_fence_finished+0x12/0x20 [gpu_sched]
+[11176.741240] drm_sched_entity_kill_jobs_cb+0x1c/0x50 [gpu_sched]
+[11176.741248] dma_fence_signal_timestamp_locked+0xac/0x1a0
+[11176.741254]  dma_fence_signal+0x3b/0x80
+[11176.741260] drm_sched_fence_finished+0x12/0x20 [gpu_sched]
+[11176.741268] drm_sched_job_done.isra.0+0x7f/0x1a0 [gpu_sched]
+[11176.741277] drm_sched_job_done_cb+0x12/0x20 [gpu_sched]
+[11176.741284] dma_fence_signal_timestamp_locked+0xac/0x1a0
+[11176.741290]  dma_fence_signal+0x3b/0x80
+[11176.741296] amdgpu_fence_process+0xd1/0x140 [amdgpu]
+[11176.741504] sdma_v4_0_process_trap_irq+0x8c/0xb0 [amdgpu]
+[11176.741731]  amdgpu_irq_dispatch+0xce/0x250 [amdgpu]
+[11176.741954]  amdgpu_ih_process+0x81/0x100 [amdgpu]
+[11176.742174]  amdgpu_irq_handler+0x26/0xa0 [amdgpu]
+[11176.742393] __handle_irq_event_percpu+0x4f/0x2c0
+[11176.742402] handle_irq_event_percpu+0x33/0x80
+[11176.742408]  handle_irq_event+0x39/0x60
+[11176.742414]  handle_edge_irq+0x93/0x1d0
+[11176.742419]  __common_interrupt+0x50/0xe0
+[11176.742426]  common_interrupt+0x80/0x90
+
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Suggested-by: Daniel Vetter  <daniel.vetter@ffwll.ch>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Tested-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://www.spinics.net/lists/dri-devel/msg321250.html
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 15 ++++++++++++---
+ include/drm/gpu_scheduler.h              | 12 +++++++++++-
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
+index 27e1573af96e2..191c56064f196 100644
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -190,6 +190,16 @@ long drm_sched_entity_flush(struct drm_sched_entity *entity, long timeout)
+ }
+ EXPORT_SYMBOL(drm_sched_entity_flush);
++static void drm_sched_entity_kill_jobs_irq_work(struct irq_work *wrk)
++{
++      struct drm_sched_job *job = container_of(wrk, typeof(*job), work);
++
++      drm_sched_fence_finished(job->s_fence);
++      WARN_ON(job->s_fence->parent);
++      job->sched->ops->free_job(job);
++}
++
++
+ /* Signal the scheduler finished fence when the entity in question is killed. */
+ static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f,
+                                         struct dma_fence_cb *cb)
+@@ -197,9 +207,8 @@ static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f,
+       struct drm_sched_job *job = container_of(cb, struct drm_sched_job,
+                                                finish_cb);
+-      drm_sched_fence_finished(job->s_fence);
+-      WARN_ON(job->s_fence->parent);
+-      job->sched->ops->free_job(job);
++      init_irq_work(&job->work, drm_sched_entity_kill_jobs_irq_work);
++      irq_work_queue(&job->work);
+ }
+ static struct dma_fence *
+diff --git a/include/drm/gpu_scheduler.h b/include/drm/gpu_scheduler.h
+index f011e4c407f2e..bbc22fad8d802 100644
+--- a/include/drm/gpu_scheduler.h
++++ b/include/drm/gpu_scheduler.h
+@@ -28,6 +28,7 @@
+ #include <linux/dma-fence.h>
+ #include <linux/completion.h>
+ #include <linux/xarray.h>
++#include <linux/irq_work.h>
+ #define MAX_WAIT_SCHED_ENTITY_Q_EMPTY msecs_to_jiffies(1000)
+@@ -286,7 +287,16 @@ struct drm_sched_job {
+       struct list_head                list;
+       struct drm_gpu_scheduler        *sched;
+       struct drm_sched_fence          *s_fence;
+-      struct dma_fence_cb             finish_cb;
++
++      /*
++       * work is used only after finish_cb has been used and will not be
++       * accessed anymore.
++       */
++      union {
++              struct dma_fence_cb             finish_cb;
++              struct irq_work                 work;
++      };
++
+       uint64_t                        id;
+       atomic_t                        karma;
+       enum drm_sched_priority         s_priority;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-sun4i-dw-hdmi-fix-missing-put_device-call-in-sun.patch b/queue-5.16/drm-sun4i-dw-hdmi-fix-missing-put_device-call-in-sun.patch
new file mode 100644 (file)
index 0000000..256bcaf
--- /dev/null
@@ -0,0 +1,42 @@
+From 66a0360ee04bcc09b5e11e451a84947ed59ff357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 08:36:32 +0000
+Subject: drm/sun4i: dw-hdmi: Fix missing put_device() call in
+ sun8i_hdmi_phy_get
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit c71af3dae3e34d2fde0c19623cf7f8483321f0e3 ]
+
+The reference taken by 'of_find_device_by_node()' must be released when
+not needed anymore.
+Add the corresponding 'put_device()' in the error handling path.
+
+Fixes: 9bf3797796f5 ("drm/sun4i: dw-hdmi: Make HDMI PHY into a platform device")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220107083633.20843-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
+index b64d93da651d2..5e2b0175df36f 100644
+--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
++++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c
+@@ -658,8 +658,10 @@ int sun8i_hdmi_phy_get(struct sun8i_dw_hdmi *hdmi, struct device_node *node)
+               return -EPROBE_DEFER;
+       phy = platform_get_drvdata(pdev);
+-      if (!phy)
++      if (!phy) {
++              put_device(&pdev->dev);
+               return -EPROBE_DEFER;
++      }
+       hdmi->phy = phy;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-tegra-gr2d-explicitly-control-module-reset.patch b/queue-5.16/drm-tegra-gr2d-explicitly-control-module-reset.patch
new file mode 100644 (file)
index 0000000..249102d
--- /dev/null
@@ -0,0 +1,113 @@
+From 11a49c9ebf94999c43b06496fc7adda27c4eae85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 16:37:36 +0200
+Subject: drm/tegra: gr2d: Explicitly control module reset
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 271fca025a6d43f1c18a48543c5aaf31a31e4694 ]
+
+As of commit 4782c0a5dd88 ("clk: tegra: Don't deassert reset on enabling
+clocks"), module resets are no longer automatically deasserted when the
+module clock is enabled. To make sure that the gr2d module continues to
+work, we need to explicitly control the module reset.
+
+Fixes: 4782c0a5dd88 ("clk: tegra: Don't deassert reset on enabling clocks")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/gr2d.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/gr2d.c b/drivers/gpu/drm/tegra/gr2d.c
+index de288cba39055..ba3722f1b8651 100644
+--- a/drivers/gpu/drm/tegra/gr2d.c
++++ b/drivers/gpu/drm/tegra/gr2d.c
+@@ -4,9 +4,11 @@
+  */
+ #include <linux/clk.h>
++#include <linux/delay.h>
+ #include <linux/iommu.h>
+ #include <linux/module.h>
+ #include <linux/of_device.h>
++#include <linux/reset.h>
+ #include "drm.h"
+ #include "gem.h"
+@@ -19,6 +21,7 @@ struct gr2d_soc {
+ struct gr2d {
+       struct tegra_drm_client client;
+       struct host1x_channel *channel;
++      struct reset_control *rst;
+       struct clk *clk;
+       const struct gr2d_soc *soc;
+@@ -208,6 +211,12 @@ static int gr2d_probe(struct platform_device *pdev)
+       if (!syncpts)
+               return -ENOMEM;
++      gr2d->rst = devm_reset_control_get(dev, NULL);
++      if (IS_ERR(gr2d->rst)) {
++              dev_err(dev, "cannot get reset\n");
++              return PTR_ERR(gr2d->rst);
++      }
++
+       gr2d->clk = devm_clk_get(dev, NULL);
+       if (IS_ERR(gr2d->clk)) {
+               dev_err(dev, "cannot get clock\n");
+@@ -220,6 +229,14 @@ static int gr2d_probe(struct platform_device *pdev)
+               return err;
+       }
++      usleep_range(2000, 4000);
++
++      err = reset_control_deassert(gr2d->rst);
++      if (err < 0) {
++              dev_err(dev, "failed to deassert reset: %d\n", err);
++              goto disable_clk;
++      }
++
+       INIT_LIST_HEAD(&gr2d->client.base.list);
+       gr2d->client.base.ops = &gr2d_client_ops;
+       gr2d->client.base.dev = dev;
+@@ -234,8 +251,7 @@ static int gr2d_probe(struct platform_device *pdev)
+       err = host1x_client_register(&gr2d->client.base);
+       if (err < 0) {
+               dev_err(dev, "failed to register host1x client: %d\n", err);
+-              clk_disable_unprepare(gr2d->clk);
+-              return err;
++              goto assert_rst;
+       }
+       /* initialize address register map */
+@@ -245,6 +261,13 @@ static int gr2d_probe(struct platform_device *pdev)
+       platform_set_drvdata(pdev, gr2d);
+       return 0;
++
++assert_rst:
++      (void)reset_control_assert(gr2d->rst);
++disable_clk:
++      clk_disable_unprepare(gr2d->clk);
++
++      return err;
+ }
+ static int gr2d_remove(struct platform_device *pdev)
+@@ -259,6 +282,12 @@ static int gr2d_remove(struct platform_device *pdev)
+               return err;
+       }
++      err = reset_control_assert(gr2d->rst);
++      if (err < 0)
++              dev_err(&pdev->dev, "failed to assert reset: %d\n", err);
++
++      usleep_range(2000, 4000);
++
+       clk_disable_unprepare(gr2d->clk);
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-tegra-vic-fix-dma-api-misuse.patch b/queue-5.16/drm-tegra-vic-fix-dma-api-misuse.patch
new file mode 100644 (file)
index 0000000..08b3a67
--- /dev/null
@@ -0,0 +1,57 @@
+From f759117c75cb9f18ee3db63de038595d98c844da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 17:54:44 +0000
+Subject: drm/tegra: vic: Fix DMA API misuse
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 5566174cb10a5167d59b0793871cab7990b149b8 ]
+
+Upon failure, dma_alloc_coherent() returns NULL. If that does happen,
+passing some uninitialised stack contents to dma_mapping_error() - which
+belongs to a different API in the first place - has precious little
+chance of detecting it.
+
+Also include the correct header, because the fragile transitive
+inclusion currently providing it is going to break soon.
+
+Fixes: 20e7dce255e9 ("drm/tegra: Remove memory allocation from Falcon library")
+CC: Thierry Reding <thierry.reding@gmail.com>
+CC: Mikko Perttunen <mperttunen@nvidia.com>
+CC: dri-devel@lists.freedesktop.org
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/vic.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/vic.c b/drivers/gpu/drm/tegra/vic.c
+index c02010ff2b7f2..da4af53719917 100644
+--- a/drivers/gpu/drm/tegra/vic.c
++++ b/drivers/gpu/drm/tegra/vic.c
+@@ -5,6 +5,7 @@
+ #include <linux/clk.h>
+ #include <linux/delay.h>
++#include <linux/dma-mapping.h>
+ #include <linux/host1x.h>
+ #include <linux/iommu.h>
+ #include <linux/module.h>
+@@ -232,10 +233,8 @@ static int vic_load_firmware(struct vic *vic)
+       if (!client->group) {
+               virt = dma_alloc_coherent(vic->dev, size, &iova, GFP_KERNEL);
+-
+-              err = dma_mapping_error(vic->dev, iova);
+-              if (err < 0)
+-                      return err;
++              if (!virt)
++                      return -ENOMEM;
+       } else {
+               virt = tegra_drm_alloc(tegra, size, &iova);
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vboxvideo-fix-a-null-vs-is_err-check.patch b/queue-5.16/drm-vboxvideo-fix-a-null-vs-is_err-check.patch
new file mode 100644 (file)
index 0000000..7df0eec
--- /dev/null
@@ -0,0 +1,40 @@
+From 125a8a6915800ef464cbefbcb6660fdab52907c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 14:12:33 +0300
+Subject: drm/vboxvideo: fix a NULL vs IS_ERR() check
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit cebbb5c46d0cb0615fd0c62dea9b44273d0a9780 ]
+
+The devm_gen_pool_create() function never returns NULL, it returns
+error pointers.
+
+Fixes: 4cc9b565454b ("drm/vboxvideo: Use devm_gen_pool_create")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211118111233.GA1147@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vboxvideo/vbox_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vboxvideo/vbox_main.c b/drivers/gpu/drm/vboxvideo/vbox_main.c
+index f28779715ccda..c9e8b3a63c621 100644
+--- a/drivers/gpu/drm/vboxvideo/vbox_main.c
++++ b/drivers/gpu/drm/vboxvideo/vbox_main.c
+@@ -127,8 +127,8 @@ int vbox_hw_init(struct vbox_private *vbox)
+       /* Create guest-heap mem-pool use 2^4 = 16 byte chunks */
+       vbox->guest_pool = devm_gen_pool_create(vbox->ddev.dev, 4, -1,
+                                               "vboxvideo-accel");
+-      if (!vbox->guest_pool)
+-              return -ENOMEM;
++      if (IS_ERR(vbox->guest_pool))
++              return PTR_ERR(vbox->guest_pool);
+       ret = gen_pool_add_virt(vbox->guest_pool,
+                               (unsigned long)vbox->guest_heap,
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-crtc-make-sure-the-hdmi-controller-is-powere.patch b/queue-5.16/drm-vc4-crtc-make-sure-the-hdmi-controller-is-powere.patch
new file mode 100644 (file)
index 0000000..4bcf060
--- /dev/null
@@ -0,0 +1,89 @@
+From bf3bdc9452e9d20a494eb7e878fd5d681c689a52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 20:50:13 +0200
+Subject: drm/vc4: crtc: Make sure the HDMI controller is powered when
+ disabling
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit bca10db67bdaf15997a5a2a276e7aa9b6eea1393 ]
+
+Since commit 875a4d536842 ("drm/vc4: drv: Disable the CRTC at boot
+time"), during the initial setup of the driver we call into the VC4 HDMI
+controller hooks to make sure the controller is properly disabled.
+
+However, we were never making sure that the device was properly powered
+while doing so. This never resulted in any (reported) issue in practice,
+but since the introduction of commit 4209f03fcb8e ("drm/vc4: hdmi: Warn
+if we access the controller while disabled") we get a loud complaint
+when we do that kind of access.
+
+Let's make sure we have the HDMI controller properly powered while
+disabling it.
+
+Fixes: 875a4d536842 ("drm/vc4: drv: Disable the CRTC at boot time")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210923185013.826679-1-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_crtc.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
+index 18f5009ce90e3..c0df11e5fcf2b 100644
+--- a/drivers/gpu/drm/vc4/vc4_crtc.c
++++ b/drivers/gpu/drm/vc4/vc4_crtc.c
+@@ -32,6 +32,7 @@
+ #include <linux/clk.h>
+ #include <linux/component.h>
+ #include <linux/of_device.h>
++#include <linux/pm_runtime.h>
+ #include <drm/drm_atomic.h>
+ #include <drm/drm_atomic_helper.h>
+@@ -42,6 +43,7 @@
+ #include <drm/drm_vblank.h>
+ #include "vc4_drv.h"
++#include "vc4_hdmi.h"
+ #include "vc4_regs.h"
+ #define HVS_FIFO_LATENCY_PIX  6
+@@ -496,8 +498,10 @@ int vc4_crtc_disable_at_boot(struct drm_crtc *crtc)
+       enum vc4_encoder_type encoder_type;
+       const struct vc4_pv_data *pv_data;
+       struct drm_encoder *encoder;
++      struct vc4_hdmi *vc4_hdmi;
+       unsigned encoder_sel;
+       int channel;
++      int ret;
+       if (!(of_device_is_compatible(vc4_crtc->pdev->dev.of_node,
+                                     "brcm,bcm2711-pixelvalve2") ||
+@@ -525,7 +529,20 @@ int vc4_crtc_disable_at_boot(struct drm_crtc *crtc)
+       if (WARN_ON(!encoder))
+               return 0;
+-      return vc4_crtc_disable(crtc, encoder, NULL, channel);
++      vc4_hdmi = encoder_to_vc4_hdmi(encoder);
++      ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev);
++      if (ret)
++              return ret;
++
++      ret = vc4_crtc_disable(crtc, encoder, NULL, channel);
++      if (ret)
++              return ret;
++
++      ret = pm_runtime_put(&vc4_hdmi->pdev->dev);
++      if (ret)
++              return ret;
++
++      return 0;
+ }
+ static void vc4_crtc_atomic_disable(struct drm_crtc *crtc,
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-hdmi-enable-the-scrambler-on-reconnection.patch b/queue-5.16/drm-vc4-hdmi-enable-the-scrambler-on-reconnection.patch
new file mode 100644 (file)
index 0000000..685f553
--- /dev/null
@@ -0,0 +1,50 @@
+From 2f67b5b4155613e193c280d19fa174cae7bf9ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 17:29:02 +0200
+Subject: drm/vc4: hdmi: Enable the scrambler on reconnection
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit b7551457c5d0b3505b0be247d47919c1ee30506d ]
+
+If we have a state already and disconnect/reconnect the display, the
+SCDC messages won't be sent again since we didn't go through a disable /
+enable cycle.
+
+In order to fix this, let's call the vc4_hdmi_enable_scrambling function
+in the detect callback if there is a mode and it needs the scrambler to
+be enabled.
+
+Fixes: c85695a2016e ("drm/vc4: hdmi: Enable the scrambler")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://lore.kernel.org/r/20211025152903.1088803-10-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 05fd54fbb773e..c000946996edb 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -162,6 +162,8 @@ static void vc4_hdmi_cec_update_clk_div(struct vc4_hdmi *vc4_hdmi)
+ static void vc4_hdmi_cec_update_clk_div(struct vc4_hdmi *vc4_hdmi) {}
+ #endif
++static void vc4_hdmi_enable_scrambling(struct drm_encoder *encoder);
++
+ static enum drm_connector_status
+ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+ {
+@@ -190,6 +192,7 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+                       }
+               }
++              vc4_hdmi_enable_scrambling(&vc4_hdmi->encoder.base.base);
+               pm_runtime_put(&vc4_hdmi->pdev->dev);
+               return connector_status_connected;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch b/queue-5.16/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
new file mode 100644 (file)
index 0000000..223ff56
--- /dev/null
@@ -0,0 +1,56 @@
+From c9ef2fc79b0f39c82525a3fa737582ddd00fe91e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 14:54:19 +0200
+Subject: drm/vc4: hdmi: Make sure the controller is powered in detect
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 0f5251339eda7f7eb7bd4467607ae1d01b24e129 ]
+
+If the HPD GPIO is not available and drm_probe_ddc fails, we end up
+reading the HDMI_HOTPLUG register, but the controller might be powered
+off resulting in a CPU hang. Make sure we have the power domain and the
+HSM clock powered during the detect cycle to prevent the hang from
+happening.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Reviewed-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Michael Stapelberg <michael@stapelberg.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-6-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 63b07087d37e8..f7e48bc6cb114 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -168,6 +168,8 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+       struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
+       bool connected = false;
++      WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
++
+       if (vc4_hdmi->hpd_gpio &&
+           gpiod_get_value_cansleep(vc4_hdmi->hpd_gpio)) {
+               connected = true;
+@@ -188,10 +190,12 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+                       }
+               }
++              pm_runtime_put(&vc4_hdmi->pdev->dev);
+               return connector_status_connected;
+       }
+       cec_phys_addr_invalidate(vc4_hdmi->cec_adap);
++      pm_runtime_put(&vc4_hdmi->pdev->dev);
+       return connector_status_disconnected;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-hdmi-make-sure-the-controller-is-powered-up-.patch b/queue-5.16/drm-vc4-hdmi-make-sure-the-controller-is-powered-up-.patch
new file mode 100644 (file)
index 0000000..52e3224
--- /dev/null
@@ -0,0 +1,76 @@
+From 6489ad2c5fc5884fdadafe4c8248471bd950d990 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 15:59:27 +0200
+Subject: drm/vc4: hdmi: Make sure the controller is powered up during bind
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 9c6e4f6ed1d61d5f46946e5c151ceb279eedadb1 ]
+
+In the bind hook, we actually need the device to have the HSM clock
+running during the final part of the display initialisation where we
+reset the controller and initialise the CEC component.
+
+Failing to do so will result in a complete, silent, hang of the CPU.
+
+Fixes: 411efa18e4b0 ("drm/vc4: hdmi: Move the HSM clock enable to runtime_pm")
+Link: https://patchwork.freedesktop.org/patch/msgid/20210819135931.895976-3-maxime@cerno.tech
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index f7e48bc6cb114..29ee9264b0870 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -2191,6 +2191,18 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+       if (ret)
+               goto err_put_ddc;
++      /*
++       * We need to have the device powered up at this point to call
++       * our reset hook and for the CEC init.
++       */
++      ret = vc4_hdmi_runtime_resume(dev);
++      if (ret)
++              goto err_put_ddc;
++
++      pm_runtime_get_noresume(dev);
++      pm_runtime_set_active(dev);
++      pm_runtime_enable(dev);
++
+       if (vc4_hdmi->variant->reset)
+               vc4_hdmi->variant->reset(vc4_hdmi);
+@@ -2202,8 +2214,6 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+               clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
+       }
+-      pm_runtime_enable(dev);
+-
+       drm_simple_encoder_init(drm, encoder, DRM_MODE_ENCODER_TMDS);
+       drm_encoder_helper_add(encoder, &vc4_hdmi_encoder_helper_funcs);
+@@ -2227,6 +2237,8 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+                            vc4_hdmi_debugfs_regs,
+                            vc4_hdmi);
++      pm_runtime_put_sync(dev);
++
+       return 0;
+ err_free_cec:
+@@ -2237,6 +2249,7 @@ err_destroy_conn:
+       vc4_hdmi_connector_destroy(&vc4_hdmi->connector);
+ err_destroy_encoder:
+       drm_encoder_cleanup(encoder);
++      pm_runtime_put_sync(dev);
+       pm_runtime_disable(dev);
+ err_put_ddc:
+       put_device(&vc4_hdmi->ddc->dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch b/queue-5.16/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
new file mode 100644 (file)
index 0000000..ee34e0c
--- /dev/null
@@ -0,0 +1,168 @@
+From 4c2f9230ee6d611d2401589610f32fa21d664e9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 14:54:18 +0200
+Subject: drm/vc4: hdmi: Move the HSM clock enable to runtime_pm
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit c86b41214362e8e715e1343e16d5d6af0562db05 ]
+
+In order to access the HDMI controller, we need to make sure the HSM
+clock is enabled. If we were to access it with the clock disabled, the
+CPU would completely hang, resulting in an hard crash.
+
+Since we have different code path that would require it, let's move that
+clock enable / disable to runtime_pm that will take care of the
+reference counting for us.
+
+Since we also want to change the HSM clock rate and it's only valid
+while the clock is disabled, we need to move the clk_set_min_rate() call
+on the HSM clock above pm_runtime_get_and_sync().
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Reviewed-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Michael Stapelberg <michael@stapelberg.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-5-maxime@cerno.tech
+Link: https://lore.kernel.org/linux-arm-kernel/20210924152334.1342630-1-maxime@cerno.tech/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 70 +++++++++++++++++++++-------------
+ 1 file changed, 44 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 33f61e2f7e6d1..63b07087d37e8 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -628,7 +628,6 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder,
+               vc4_hdmi->variant->phy_disable(vc4_hdmi);
+       clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock);
+-      clk_disable_unprepare(vc4_hdmi->hsm_clock);
+       clk_disable_unprepare(vc4_hdmi->pixel_clock);
+       ret = pm_runtime_put(&vc4_hdmi->pdev->dev);
+@@ -894,28 +893,10 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+               conn_state_to_vc4_hdmi_conn_state(conn_state);
+       struct drm_display_mode *mode = &encoder->crtc->state->adjusted_mode;
+       struct vc4_hdmi *vc4_hdmi = encoder_to_vc4_hdmi(encoder);
+-      unsigned long bvb_rate, pixel_rate, hsm_rate;
++      unsigned long pixel_rate = vc4_conn_state->pixel_rate;
++      unsigned long bvb_rate, hsm_rate;
+       int ret;
+-      ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev);
+-      if (ret < 0) {
+-              DRM_ERROR("Failed to retain power domain: %d\n", ret);
+-              return;
+-      }
+-
+-      pixel_rate = vc4_conn_state->pixel_rate;
+-      ret = clk_set_rate(vc4_hdmi->pixel_clock, pixel_rate);
+-      if (ret) {
+-              DRM_ERROR("Failed to set pixel clock rate: %d\n", ret);
+-              return;
+-      }
+-
+-      ret = clk_prepare_enable(vc4_hdmi->pixel_clock);
+-      if (ret) {
+-              DRM_ERROR("Failed to turn on pixel clock: %d\n", ret);
+-              return;
+-      }
+-
+       /*
+        * As stated in RPi's vc4 firmware "HDMI state machine (HSM) clock must
+        * be faster than pixel clock, infinitesimally faster, tested in
+@@ -939,10 +920,21 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+               return;
+       }
+-      ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
++      ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev);
++      if (ret < 0) {
++              DRM_ERROR("Failed to retain power domain: %d\n", ret);
++              return;
++      }
++
++      ret = clk_set_rate(vc4_hdmi->pixel_clock, pixel_rate);
+       if (ret) {
+-              DRM_ERROR("Failed to turn on HSM clock: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->pixel_clock);
++              DRM_ERROR("Failed to set pixel clock rate: %d\n", ret);
++              return;
++      }
++
++      ret = clk_prepare_enable(vc4_hdmi->pixel_clock);
++      if (ret) {
++              DRM_ERROR("Failed to turn on pixel clock: %d\n", ret);
+               return;
+       }
+@@ -958,7 +950,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+       ret = clk_set_min_rate(vc4_hdmi->pixel_bvb_clock, bvb_rate);
+       if (ret) {
+               DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->hsm_clock);
+               clk_disable_unprepare(vc4_hdmi->pixel_clock);
+               return;
+       }
+@@ -966,7 +957,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+       ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
+       if (ret) {
+               DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->hsm_clock);
+               clk_disable_unprepare(vc4_hdmi->pixel_clock);
+               return;
+       }
+@@ -2100,6 +2090,27 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi)
+       return 0;
+ }
++static int __maybe_unused vc4_hdmi_runtime_suspend(struct device *dev)
++{
++      struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
++
++      clk_disable_unprepare(vc4_hdmi->hsm_clock);
++
++      return 0;
++}
++
++static int vc4_hdmi_runtime_resume(struct device *dev)
++{
++      struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
++      int ret;
++
++      ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
++      if (ret)
++              return ret;
++
++      return 0;
++}
++
+ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+ {
+       const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev);
+@@ -2367,11 +2378,18 @@ static const struct of_device_id vc4_hdmi_dt_match[] = {
+       {}
+ };
++static const struct dev_pm_ops vc4_hdmi_pm_ops = {
++      SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend,
++                         vc4_hdmi_runtime_resume,
++                         NULL)
++};
++
+ struct platform_driver vc4_hdmi_driver = {
+       .probe = vc4_hdmi_dev_probe,
+       .remove = vc4_hdmi_dev_remove,
+       .driver = {
+               .name = "vc4_hdmi",
+               .of_match_table = vc4_hdmi_dt_match,
++              .pm = &vc4_hdmi_pm_ops,
+       },
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-hdmi-rework-the-pre_crtc_configure-error-han.patch b/queue-5.16/drm-vc4-hdmi-rework-the-pre_crtc_configure-error-han.patch
new file mode 100644 (file)
index 0000000..b2a196b
--- /dev/null
@@ -0,0 +1,85 @@
+From 59bbd8b2c63c74da1eba6f53ec90d8ada63fbb1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 15:59:28 +0200
+Subject: drm/vc4: hdmi: Rework the pre_crtc_configure error handling
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit caa51a4c11f1cadba9bcf61ed9e0105711952ce7 ]
+
+Since our pre_crtc_configure hook returned void, we didn't implement a
+goto-based error path handling, leading to errors like failing to put
+back the device in pm_runtime in all the error paths, but also failing
+to disable the pixel clock if clk_set_min_rate on the HSM clock fails.
+
+Move to a goto-based implementation to have an easier consitency.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Link: https://patchwork.freedesktop.org/patch/msgid/20210819135931.895976-4-maxime@cerno.tech
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 29ee9264b0870..05fd54fbb773e 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -933,15 +933,16 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+       ret = clk_set_rate(vc4_hdmi->pixel_clock, pixel_rate);
+       if (ret) {
+               DRM_ERROR("Failed to set pixel clock rate: %d\n", ret);
+-              return;
++              goto err_put_runtime_pm;
+       }
+       ret = clk_prepare_enable(vc4_hdmi->pixel_clock);
+       if (ret) {
+               DRM_ERROR("Failed to turn on pixel clock: %d\n", ret);
+-              return;
++              goto err_put_runtime_pm;
+       }
++
+       vc4_hdmi_cec_update_clk_div(vc4_hdmi);
+       if (pixel_rate > 297000000)
+@@ -954,15 +955,13 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+       ret = clk_set_min_rate(vc4_hdmi->pixel_bvb_clock, bvb_rate);
+       if (ret) {
+               DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->pixel_clock);
+-              return;
++              goto err_disable_pixel_clock;
+       }
+       ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
+       if (ret) {
+               DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->pixel_clock);
+-              return;
++              goto err_disable_pixel_clock;
+       }
+       if (vc4_hdmi->variant->phy_init)
+@@ -975,6 +974,15 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+       if (vc4_hdmi->variant->set_timings)
+               vc4_hdmi->variant->set_timings(vc4_hdmi, conn_state, mode);
++
++      return;
++
++err_disable_pixel_clock:
++      clk_disable_unprepare(vc4_hdmi->pixel_clock);
++err_put_runtime_pm:
++      pm_runtime_put(&vc4_hdmi->pdev->dev);
++
++      return;
+ }
+ static void vc4_hdmi_encoder_pre_crtc_enable(struct drm_encoder *encoder,
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vc4-hdmi-set-a-default-hsm-rate.patch b/queue-5.16/drm-vc4-hdmi-set-a-default-hsm-rate.patch
new file mode 100644 (file)
index 0000000..fe7b009
--- /dev/null
@@ -0,0 +1,61 @@
+From 0e221c2fa05db1489f17e386b16f06f7139aab3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 14:54:17 +0200
+Subject: drm/vc4: hdmi: Set a default HSM rate
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 3e85b81591609bb794bb00cd619b20965b5b38cd ]
+
+When the firmware doesn't setup the HSM rate (such as when booting
+without an HDMI cable plugged in), its rate is 0 and thus any register
+access results in a CPU stall, even though HSM is enabled.
+
+Let's enforce a minimum rate at boot to avoid this issue.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Tested-by: Michael Stapelberg <michael@stapelberg.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210922125419.4125779-4-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index b284623e28634..33f61e2f7e6d1 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -94,6 +94,7 @@
+ # define VC4_HD_M_SW_RST                      BIT(2)
+ # define VC4_HD_M_ENABLE                      BIT(0)
++#define HSM_MIN_CLOCK_FREQ    120000000
+ #define CEC_CLOCK_FREQ 40000
+ #define HDMI_14_MAX_TMDS_CLK   (340 * 1000 * 1000)
+@@ -2162,6 +2163,19 @@ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+                       vc4_hdmi->disable_4kp60 = true;
+       }
++      /*
++       * If we boot without any cable connected to the HDMI connector,
++       * the firmware will skip the HSM initialization and leave it
++       * with a rate of 0, resulting in a bus lockup when we're
++       * accessing the registers even if it's enabled.
++       *
++       * Let's put a sensible default at runtime_resume so that we
++       * don't end up in this situation.
++       */
++      ret = clk_set_min_rate(vc4_hdmi->hsm_clock, HSM_MIN_CLOCK_FREQ);
++      if (ret)
++              goto err_put_ddc;
++
+       if (vc4_hdmi->variant->reset)
+               vc4_hdmi->variant->reset(vc4_hdmi);
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-virtio-fix-another-potential-integer-overflow-on.patch b/queue-5.16/drm-virtio-fix-another-potential-integer-overflow-on.patch
new file mode 100644 (file)
index 0000000..0e039a3
--- /dev/null
@@ -0,0 +1,41 @@
+From 1813c0934439d3f74cac4c832627369f39b2f83e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 11:27:48 +0100
+Subject: drm/virtio: fix another potential integer overflow on shift of a int
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 74c1bda2f3fa79a93e1c910008649b49b02dc09d ]
+
+The left shift of unsigned int 32 bit integer constant 1 is evaluated
+using 32 bit arithmetic and then assigned to a signed 64 bit integer.
+In the case where value is 32 or more this can lead to an overflow
+(value can be in range 0..MAX_CAPSET_ID (63). Fix this by shifting
+the value 1ULL instead.
+
+Addresses-Coverity: ("Uninitentional integer overflow")
+Fixes: 4fb530e5caf7 ("drm/virtio: implement context init: support init ioctl")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210930102748.16922-1-colin.king@canonical.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+index 5e8103a197a96..c708bab555c6b 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -774,7 +774,7 @@ static int virtio_gpu_context_init_ioctl(struct drm_device *dev,
+                               goto out_unlock;
+                       }
+-                      if ((vgdev->capset_id_mask & (1 << value)) == 0) {
++                      if ((vgdev->capset_id_mask & (1ULL << value)) == 0) {
+                               ret = -EINVAL;
+                               goto out_unlock;
+                       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-virtio-fix-potential-integer-overflow-on-shift-o.patch b/queue-5.16/drm-virtio-fix-potential-integer-overflow-on-shift-o.patch
new file mode 100644 (file)
index 0000000..82b1fcf
--- /dev/null
@@ -0,0 +1,40 @@
+From 94bb46a1947aa3d8574a7ca6758986a1f6136e93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 11:19:41 +0100
+Subject: drm/virtio: fix potential integer overflow on shift of a int
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 8f4502fa284478a5264afa8a5a95511276fa9b80 ]
+
+The left shift of unsigned int 32 bit integer constant 1 is evaluated
+using 32 bit arithmetic and then assigned to a signed 64 bit integer.
+In the case where i is 32 or more this can lead to an overflow. Fix
+this by shifting the value 1ULL instead.
+
+Addresses-Coverity: ("Uninitentional integer overflow")
+Fixes: 8d6b006e1f51 ("drm/virtio: implement context init: handle VIRTGPU_CONTEXT_PARAM_POLL_RINGS_MASK")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210930101941.16546-1-colin.king@canonical.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+index 3607646d32295..5e8103a197a96 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -819,7 +819,7 @@ static int virtio_gpu_context_init_ioctl(struct drm_device *dev,
+       if (vfpriv->ring_idx_mask) {
+               valid_ring_mask = 0;
+               for (i = 0; i < vfpriv->num_rings; i++)
+-                      valid_ring_mask |= 1 << i;
++                      valid_ring_mask |= 1ULL << i;
+               if (~valid_ring_mask & vfpriv->ring_idx_mask) {
+                       ret = -EINVAL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vmwgfx-fail-to-initialize-on-broken-configs.patch b/queue-5.16/drm-vmwgfx-fail-to-initialize-on-broken-configs.patch
new file mode 100644 (file)
index 0000000..c58e3e7
--- /dev/null
@@ -0,0 +1,46 @@
+From e47408a593858d027d302119a5d942cd80ed22e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 15:38:44 -0400
+Subject: drm/vmwgfx: Fail to initialize on broken configs
+
+From: Zack Rusin <zackr@vmware.com>
+
+[ Upstream commit c451af78f301ff5156998d571c37cab329c10051 ]
+
+Some of our hosts have a bug where rescaning a pci bus results in stale
+fifo memory being mapped on the host. This makes any fifo communication
+impossible resulting in various kernel crashes.
+
+Instead of unexpectedly crashing, predictably fail to load the driver
+which will preserve the system.
+
+Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU")
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-4-zackr@vmware.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cmd.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cmd.c
+index 67db472d3493c..a3bfbb6c3e14a 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cmd.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cmd.c
+@@ -145,6 +145,13 @@ struct vmw_fifo_state *vmw_fifo_create(struct vmw_private *dev_priv)
+                (unsigned int) max,
+                (unsigned int) min,
+                (unsigned int) fifo->capabilities);
++
++      if (unlikely(min >= max)) {
++              drm_warn(&dev_priv->drm,
++                       "FIFO memory is not usable. Driver failed to initialize.");
++              return ERR_PTR(-ENXIO);
++      }
++
+       return fifo;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vmwgfx-introduce-a-new-placement-for-mob-page-ta.patch b/queue-5.16/drm-vmwgfx-introduce-a-new-placement-for-mob-page-ta.patch
new file mode 100644 (file)
index 0000000..5652b4c
--- /dev/null
@@ -0,0 +1,365 @@
+From fec6a81b78c2d09d49a3b8f3d884f8268de93eca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 15:38:45 -0400
+Subject: drm/vmwgfx: Introduce a new placement for MOB page tables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zack Rusin <zackr@vmware.com>
+
+[ Upstream commit f6be23264bbac88d1e2bb39658e1b8a397e3f46d ]
+
+For larger (bigger than a page) and noncontiguous mobs we have
+to create page tables that allow the host to find the memory.
+Those page tables just used regular system memory. Unfortunately
+in TTM those BO's are not allowed to be busy thus can't be
+fenced and we have to fence those bo's  because we don't want
+to destroy the page tables while the host is still executing
+the command buffers which might be accessing them.
+
+To solve it we introduce a new placement VMW_PL_SYSTEM which
+is very similar to TTM_PL_SYSTEM except that it allows
+fencing. This fixes kernel oops'es during unloading of the driver
+(and pci hot remove/add) which were caused by busy BO's in
+TTM_PL_SYSTEM being present in the delayed deletion list in
+TTM (TTM_PL_SYSTEM manager is destroyed before the delayed
+deletions are executed)
+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-5-zackr@vmware.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/Makefile               |  2 +-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c           | 14 ++-
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h           | 12 ++-
+ .../gpu/drm/vmwgfx/vmwgfx_system_manager.c    | 90 +++++++++++++++++++
+ drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c    | 58 ++++++------
+ 5 files changed, 138 insertions(+), 38 deletions(-)
+ create mode 100644 drivers/gpu/drm/vmwgfx/vmwgfx_system_manager.c
+
+diff --git a/drivers/gpu/drm/vmwgfx/Makefile b/drivers/gpu/drm/vmwgfx/Makefile
+index bc323f7d40321..0188a312c38c2 100644
+--- a/drivers/gpu/drm/vmwgfx/Makefile
++++ b/drivers/gpu/drm/vmwgfx/Makefile
+@@ -9,7 +9,7 @@ vmwgfx-y := vmwgfx_execbuf.o vmwgfx_gmr.o vmwgfx_kms.o vmwgfx_drv.o \
+           vmwgfx_cotable.o vmwgfx_so.o vmwgfx_binding.o vmwgfx_msg.o \
+           vmwgfx_simple_resource.o vmwgfx_va.o vmwgfx_blit.o \
+           vmwgfx_validation.o vmwgfx_page_dirty.o vmwgfx_streamoutput.o \
+-            vmwgfx_devcaps.o ttm_object.o ttm_memory.o
++          vmwgfx_devcaps.o ttm_object.o ttm_memory.o vmwgfx_system_manager.o
+ vmwgfx-$(CONFIG_DRM_FBDEV_EMULATION) += vmwgfx_fb.o
+ vmwgfx-$(CONFIG_TRANSPARENT_HUGEPAGE) += vmwgfx_thp.o
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index 68f46f9e032dd..117a7ad800502 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -1071,6 +1071,12 @@ static int vmw_driver_load(struct vmw_private *dev_priv, u32 pci_id)
+                                "3D will be disabled.\n");
+                       dev_priv->has_mob = false;
+               }
++              if (vmw_sys_man_init(dev_priv) != 0) {
++                      drm_info(&dev_priv->drm,
++                               "No MOB page table memory available. "
++                               "3D will be disabled.\n");
++                      dev_priv->has_mob = false;
++              }
+       }
+       if (dev_priv->has_mob && (dev_priv->capabilities & SVGA_CAP_DX)) {
+@@ -1121,8 +1127,10 @@ out_no_fifo:
+       vmw_overlay_close(dev_priv);
+       vmw_kms_close(dev_priv);
+ out_no_kms:
+-      if (dev_priv->has_mob)
++      if (dev_priv->has_mob) {
+               vmw_gmrid_man_fini(dev_priv, VMW_PL_MOB);
++              vmw_sys_man_fini(dev_priv);
++      }
+       if (dev_priv->has_gmr)
+               vmw_gmrid_man_fini(dev_priv, VMW_PL_GMR);
+       vmw_devcaps_destroy(dev_priv);
+@@ -1172,8 +1180,10 @@ static void vmw_driver_unload(struct drm_device *dev)
+               vmw_gmrid_man_fini(dev_priv, VMW_PL_GMR);
+       vmw_release_device_early(dev_priv);
+-      if (dev_priv->has_mob)
++      if (dev_priv->has_mob) {
+               vmw_gmrid_man_fini(dev_priv, VMW_PL_MOB);
++              vmw_sys_man_fini(dev_priv);
++      }
+       vmw_devcaps_destroy(dev_priv);
+       vmw_vram_manager_fini(dev_priv);
+       ttm_device_fini(&dev_priv->bdev);
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+index 858aff99a3fe5..645c18b267e6e 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+@@ -82,8 +82,9 @@
+                       VMWGFX_NUM_GB_SURFACE +\
+                       VMWGFX_NUM_GB_SCREEN_TARGET)
+-#define VMW_PL_GMR (TTM_PL_PRIV + 0)
+-#define VMW_PL_MOB (TTM_PL_PRIV + 1)
++#define VMW_PL_GMR      (TTM_PL_PRIV + 0)
++#define VMW_PL_MOB      (TTM_PL_PRIV + 1)
++#define VMW_PL_SYSTEM   (TTM_PL_PRIV + 2)
+ #define VMW_RES_CONTEXT ttm_driver_type0
+ #define VMW_RES_SURFACE ttm_driver_type1
+@@ -1039,7 +1040,6 @@ extern struct ttm_placement vmw_vram_placement;
+ extern struct ttm_placement vmw_vram_sys_placement;
+ extern struct ttm_placement vmw_vram_gmr_placement;
+ extern struct ttm_placement vmw_sys_placement;
+-extern struct ttm_placement vmw_evictable_placement;
+ extern struct ttm_placement vmw_srf_placement;
+ extern struct ttm_placement vmw_mob_placement;
+ extern struct ttm_placement vmw_nonfixed_placement;
+@@ -1251,6 +1251,12 @@ int vmw_overlay_num_free_overlays(struct vmw_private *dev_priv);
+ int vmw_gmrid_man_init(struct vmw_private *dev_priv, int type);
+ void vmw_gmrid_man_fini(struct vmw_private *dev_priv, int type);
++/**
++ * System memory manager
++ */
++int vmw_sys_man_init(struct vmw_private *dev_priv);
++void vmw_sys_man_fini(struct vmw_private *dev_priv);
++
+ /**
+  * Prime - vmwgfx_prime.c
+  */
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_system_manager.c b/drivers/gpu/drm/vmwgfx/vmwgfx_system_manager.c
+new file mode 100644
+index 0000000000000..b0005b03a6174
+--- /dev/null
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_system_manager.c
+@@ -0,0 +1,90 @@
++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
++/*
++ * Copyright 2021 VMware, Inc.
++ *
++ * Permission is hereby granted, free of charge, to any person
++ * obtaining a copy of this software and associated documentation
++ * files (the "Software"), to deal in the Software without
++ * restriction, including without limitation the rights to use, copy,
++ * modify, merge, publish, distribute, sublicense, and/or sell copies
++ * of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
++ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
++ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
++ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
++ * SOFTWARE.
++ *
++ */
++
++#include "vmwgfx_drv.h"
++
++#include <drm/ttm/ttm_bo_driver.h>
++#include <drm/ttm/ttm_device.h>
++#include <drm/ttm/ttm_placement.h>
++#include <drm/ttm/ttm_resource.h>
++#include <linux/slab.h>
++
++
++static int vmw_sys_man_alloc(struct ttm_resource_manager *man,
++                           struct ttm_buffer_object *bo,
++                           const struct ttm_place *place,
++                           struct ttm_resource **res)
++{
++      *res = kzalloc(sizeof(**res), GFP_KERNEL);
++      if (!*res)
++              return -ENOMEM;
++
++      ttm_resource_init(bo, place, *res);
++      return 0;
++}
++
++static void vmw_sys_man_free(struct ttm_resource_manager *man,
++                           struct ttm_resource *res)
++{
++      kfree(res);
++}
++
++static const struct ttm_resource_manager_func vmw_sys_manager_func = {
++      .alloc = vmw_sys_man_alloc,
++      .free = vmw_sys_man_free,
++};
++
++int vmw_sys_man_init(struct vmw_private *dev_priv)
++{
++      struct ttm_device *bdev = &dev_priv->bdev;
++      struct ttm_resource_manager *man =
++                      kzalloc(sizeof(*man), GFP_KERNEL);
++
++      if (!man)
++              return -ENOMEM;
++
++      man->use_tt = true;
++      man->func = &vmw_sys_manager_func;
++
++      ttm_resource_manager_init(man, 0);
++      ttm_set_driver_manager(bdev, VMW_PL_SYSTEM, man);
++      ttm_resource_manager_set_used(man, true);
++      return 0;
++}
++
++void vmw_sys_man_fini(struct vmw_private *dev_priv)
++{
++      struct ttm_resource_manager *man = ttm_manager_type(&dev_priv->bdev,
++                                                          VMW_PL_SYSTEM);
++
++      ttm_resource_manager_evict_all(&dev_priv->bdev, man);
++
++      ttm_resource_manager_set_used(man, false);
++      ttm_resource_manager_cleanup(man);
++
++      ttm_set_driver_manager(&dev_priv->bdev, VMW_PL_SYSTEM, NULL);
++      kfree(man);
++}
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c
+index e899a936a42a0..b15228e7dbeb8 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c
+@@ -92,6 +92,13 @@ static const struct ttm_place gmr_vram_placement_flags[] = {
+       }
+ };
++static const struct ttm_place vmw_sys_placement_flags = {
++      .fpfn = 0,
++      .lpfn = 0,
++      .mem_type = VMW_PL_SYSTEM,
++      .flags = 0
++};
++
+ struct ttm_placement vmw_vram_gmr_placement = {
+       .num_placement = 2,
+       .placement = vram_gmr_placement_flags,
+@@ -113,28 +120,11 @@ struct ttm_placement vmw_sys_placement = {
+       .busy_placement = &sys_placement_flags
+ };
+-static const struct ttm_place evictable_placement_flags[] = {
+-      {
+-              .fpfn = 0,
+-              .lpfn = 0,
+-              .mem_type = TTM_PL_SYSTEM,
+-              .flags = 0
+-      }, {
+-              .fpfn = 0,
+-              .lpfn = 0,
+-              .mem_type = TTM_PL_VRAM,
+-              .flags = 0
+-      }, {
+-              .fpfn = 0,
+-              .lpfn = 0,
+-              .mem_type = VMW_PL_GMR,
+-              .flags = 0
+-      }, {
+-              .fpfn = 0,
+-              .lpfn = 0,
+-              .mem_type = VMW_PL_MOB,
+-              .flags = 0
+-      }
++struct ttm_placement vmw_pt_sys_placement = {
++      .num_placement = 1,
++      .placement = &vmw_sys_placement_flags,
++      .num_busy_placement = 1,
++      .busy_placement = &vmw_sys_placement_flags
+ };
+ static const struct ttm_place nonfixed_placement_flags[] = {
+@@ -156,13 +146,6 @@ static const struct ttm_place nonfixed_placement_flags[] = {
+       }
+ };
+-struct ttm_placement vmw_evictable_placement = {
+-      .num_placement = 4,
+-      .placement = evictable_placement_flags,
+-      .num_busy_placement = 1,
+-      .busy_placement = &sys_placement_flags
+-};
+-
+ struct ttm_placement vmw_srf_placement = {
+       .num_placement = 1,
+       .num_busy_placement = 2,
+@@ -484,6 +467,9 @@ static int vmw_ttm_bind(struct ttm_device *bdev,
+                                   &vmw_be->vsgt, ttm->num_pages,
+                                   vmw_be->gmr_id);
+               break;
++      case VMW_PL_SYSTEM:
++              /* Nothing to be done for a system bind */
++              break;
+       default:
+               BUG();
+       }
+@@ -507,6 +493,8 @@ static void vmw_ttm_unbind(struct ttm_device *bdev,
+       case VMW_PL_MOB:
+               vmw_mob_unbind(vmw_be->dev_priv, vmw_be->mob);
+               break;
++      case VMW_PL_SYSTEM:
++              break;
+       default:
+               BUG();
+       }
+@@ -624,6 +612,7 @@ static int vmw_ttm_io_mem_reserve(struct ttm_device *bdev, struct ttm_resource *
+       switch (mem->mem_type) {
+       case TTM_PL_SYSTEM:
++      case VMW_PL_SYSTEM:
+       case VMW_PL_GMR:
+       case VMW_PL_MOB:
+               return 0;
+@@ -670,6 +659,11 @@ static void vmw_swap_notify(struct ttm_buffer_object *bo)
+       (void) ttm_bo_wait(bo, false, false);
+ }
++static bool vmw_memtype_is_system(uint32_t mem_type)
++{
++      return mem_type == TTM_PL_SYSTEM || mem_type == VMW_PL_SYSTEM;
++}
++
+ static int vmw_move(struct ttm_buffer_object *bo,
+                   bool evict,
+                   struct ttm_operation_ctx *ctx,
+@@ -680,7 +674,7 @@ static int vmw_move(struct ttm_buffer_object *bo,
+       struct ttm_resource_manager *new_man = ttm_manager_type(bo->bdev, new_mem->mem_type);
+       int ret;
+-      if (new_man->use_tt && new_mem->mem_type != TTM_PL_SYSTEM) {
++      if (new_man->use_tt && !vmw_memtype_is_system(new_mem->mem_type)) {
+               ret = vmw_ttm_bind(bo->bdev, bo->ttm, new_mem);
+               if (ret)
+                       return ret;
+@@ -689,7 +683,7 @@ static int vmw_move(struct ttm_buffer_object *bo,
+       vmw_move_notify(bo, bo->resource, new_mem);
+       if (old_man->use_tt && new_man->use_tt) {
+-              if (bo->resource->mem_type == TTM_PL_SYSTEM) {
++              if (vmw_memtype_is_system(bo->resource->mem_type)) {
+                       ttm_bo_move_null(bo, new_mem);
+                       return 0;
+               }
+@@ -736,7 +730,7 @@ int vmw_bo_create_and_populate(struct vmw_private *dev_priv,
+       int ret;
+       ret = vmw_bo_create_kernel(dev_priv, bo_size,
+-                                 &vmw_sys_placement,
++                                 &vmw_pt_sys_placement,
+                                  &bo);
+       if (unlikely(ret != 0))
+               return ret;
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vmwgfx-release-ttm-memory-if-probe-fails.patch b/queue-5.16/drm-vmwgfx-release-ttm-memory-if-probe-fails.patch
new file mode 100644 (file)
index 0000000..ee56924
--- /dev/null
@@ -0,0 +1,80 @@
+From 07d48f741cef524751f7eca75894717b6ea06e73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 15:38:43 -0400
+Subject: drm/vmwgfx: Release ttm memory if probe fails
+
+From: Zack Rusin <zackr@vmware.com>
+
+[ Upstream commit 28b5f3b6121b7db2a44be499cfca0b6b801588b6 ]
+
+The ttm mem global state was leaking if the vmwgfx driver load failed.
+
+In case of a driver load failure we have to make sure we also release
+the ttm mem global state.
+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-3-zackr@vmware.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index bfd71c86faa58..68f46f9e032dd 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -1617,34 +1617,40 @@ static int vmw_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       ret = drm_aperture_remove_conflicting_pci_framebuffers(pdev, &driver);
+       if (ret)
+-              return ret;
++              goto out_error;
+       ret = pcim_enable_device(pdev);
+       if (ret)
+-              return ret;
++              goto out_error;
+       vmw = devm_drm_dev_alloc(&pdev->dev, &driver,
+                                struct vmw_private, drm);
+-      if (IS_ERR(vmw))
+-              return PTR_ERR(vmw);
++      if (IS_ERR(vmw)) {
++              ret = PTR_ERR(vmw);
++              goto out_error;
++      }
+       pci_set_drvdata(pdev, &vmw->drm);
+       ret = ttm_mem_global_init(&ttm_mem_glob, &pdev->dev);
+       if (ret)
+-              return ret;
++              goto out_error;
+       ret = vmw_driver_load(vmw, ent->device);
+       if (ret)
+-              return ret;
++              goto out_release;
+       ret = drm_dev_register(&vmw->drm, 0);
+-      if (ret) {
+-              vmw_driver_unload(&vmw->drm);
+-              return ret;
+-      }
++      if (ret)
++              goto out_unload;
+       return 0;
++out_unload:
++      vmw_driver_unload(&vmw->drm);
++out_release:
++      ttm_mem_global_release(&ttm_mem_glob);
++out_error:
++      return ret;
+ }
+ static int __init vmwgfx_init(void)
+-- 
+2.34.1
+
diff --git a/queue-5.16/drm-vmwgfx-remove-the-deprecated-lower-mem-limit.patch b/queue-5.16/drm-vmwgfx-remove-the-deprecated-lower-mem-limit.patch
new file mode 100644 (file)
index 0000000..4d67432
--- /dev/null
@@ -0,0 +1,188 @@
+From ed8dfc592caf2288737fb64d63c56e7f1be097fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 15:38:42 -0400
+Subject: drm/vmwgfx: Remove the deprecated lower mem limit
+
+From: Zack Rusin <zackr@vmware.com>
+
+[ Upstream commit 826c387d015247df396a91eadbaca94f0394853c ]
+
+TTM during the transition to the new page allocator lost the ability
+to constrain the allocations via the lower_mem_limit. The code has
+been unused since the change:
+256dd44bd897 ("drm/ttm: nuke old page allocator")
+and there's no reason to keep it.
+
+Fixes: 256dd44bd897 ("drm/ttm: nuke old page allocator")
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211105193845.258816-2-zackr@vmware.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/ttm_memory.c | 99 +----------------------------
+ drivers/gpu/drm/vmwgfx/ttm_memory.h |  6 +-
+ 2 files changed, 2 insertions(+), 103 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/ttm_memory.c b/drivers/gpu/drm/vmwgfx/ttm_memory.c
+index 7f7fe35fc21df..326d2d177c8bb 100644
+--- a/drivers/gpu/drm/vmwgfx/ttm_memory.c
++++ b/drivers/gpu/drm/vmwgfx/ttm_memory.c
+@@ -34,7 +34,6 @@
+ #include <linux/mm.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
+-#include <linux/swap.h>
+ #include <drm/drm_device.h>
+ #include <drm/drm_file.h>
+@@ -173,69 +172,7 @@ static struct kobj_type ttm_mem_zone_kobj_type = {
+       .sysfs_ops = &ttm_mem_zone_ops,
+       .default_attrs = ttm_mem_zone_attrs,
+ };
+-
+-static struct attribute ttm_mem_global_lower_mem_limit = {
+-      .name = "lower_mem_limit",
+-      .mode = S_IRUGO | S_IWUSR
+-};
+-
+-static ssize_t ttm_mem_global_show(struct kobject *kobj,
+-                               struct attribute *attr,
+-                               char *buffer)
+-{
+-      struct ttm_mem_global *glob =
+-              container_of(kobj, struct ttm_mem_global, kobj);
+-      uint64_t val = 0;
+-
+-      spin_lock(&glob->lock);
+-      val = glob->lower_mem_limit;
+-      spin_unlock(&glob->lock);
+-      /* convert from number of pages to KB */
+-      val <<= (PAGE_SHIFT - 10);
+-      return snprintf(buffer, PAGE_SIZE, "%llu\n",
+-                      (unsigned long long) val);
+-}
+-
+-static ssize_t ttm_mem_global_store(struct kobject *kobj,
+-                                struct attribute *attr,
+-                                const char *buffer,
+-                                size_t size)
+-{
+-      int chars;
+-      uint64_t val64;
+-      unsigned long val;
+-      struct ttm_mem_global *glob =
+-              container_of(kobj, struct ttm_mem_global, kobj);
+-
+-      chars = sscanf(buffer, "%lu", &val);
+-      if (chars == 0)
+-              return size;
+-
+-      val64 = val;
+-      /* convert from KB to number of pages */
+-      val64 >>= (PAGE_SHIFT - 10);
+-
+-      spin_lock(&glob->lock);
+-      glob->lower_mem_limit = val64;
+-      spin_unlock(&glob->lock);
+-
+-      return size;
+-}
+-
+-static struct attribute *ttm_mem_global_attrs[] = {
+-      &ttm_mem_global_lower_mem_limit,
+-      NULL
+-};
+-
+-static const struct sysfs_ops ttm_mem_global_ops = {
+-      .show = &ttm_mem_global_show,
+-      .store = &ttm_mem_global_store,
+-};
+-
+-static struct kobj_type ttm_mem_glob_kobj_type = {
+-      .sysfs_ops = &ttm_mem_global_ops,
+-      .default_attrs = ttm_mem_global_attrs,
+-};
++static struct kobj_type ttm_mem_glob_kobj_type = {0};
+ static bool ttm_zones_above_swap_target(struct ttm_mem_global *glob,
+                                       bool from_wq, uint64_t extra)
+@@ -435,11 +372,6 @@ int ttm_mem_global_init(struct ttm_mem_global *glob, struct device *dev)
+       si_meminfo(&si);
+-      spin_lock(&glob->lock);
+-      /* set it as 0 by default to keep original behavior of OOM */
+-      glob->lower_mem_limit = 0;
+-      spin_unlock(&glob->lock);
+-
+       ret = ttm_mem_init_kernel_zone(glob, &si);
+       if (unlikely(ret != 0))
+               goto out_no_zone;
+@@ -526,35 +458,6 @@ void ttm_mem_global_free(struct ttm_mem_global *glob,
+ }
+ EXPORT_SYMBOL(ttm_mem_global_free);
+-/*
+- * check if the available mem is under lower memory limit
+- *
+- * a. if no swap disk at all or free swap space is under swap_mem_limit
+- * but available system mem is bigger than sys_mem_limit, allow TTM
+- * allocation;
+- *
+- * b. if the available system mem is less than sys_mem_limit but free
+- * swap disk is bigger than swap_mem_limit, allow TTM allocation.
+- */
+-bool
+-ttm_check_under_lowerlimit(struct ttm_mem_global *glob,
+-                      uint64_t num_pages,
+-                      struct ttm_operation_ctx *ctx)
+-{
+-      int64_t available;
+-
+-      /* We allow over commit during suspend */
+-      if (ctx->force_alloc)
+-              return false;
+-
+-      available = get_nr_swap_pages() + si_mem_available();
+-      available -= num_pages;
+-      if (available < glob->lower_mem_limit)
+-              return true;
+-
+-      return false;
+-}
+-
+ static int ttm_mem_global_reserve(struct ttm_mem_global *glob,
+                                 struct ttm_mem_zone *single_zone,
+                                 uint64_t amount, bool reserve)
+diff --git a/drivers/gpu/drm/vmwgfx/ttm_memory.h b/drivers/gpu/drm/vmwgfx/ttm_memory.h
+index c50dba7744854..7b0d617ebcb1e 100644
+--- a/drivers/gpu/drm/vmwgfx/ttm_memory.h
++++ b/drivers/gpu/drm/vmwgfx/ttm_memory.h
+@@ -50,8 +50,6 @@
+  * @work: The workqueue callback for the shrink queue.
+  * @lock: Lock to protect the @shrink - and the memory accounting members,
+  * that is, essentially the whole structure with some exceptions.
+- * @lower_mem_limit: include lower limit of swap space and lower limit of
+- * system memory.
+  * @zones: Array of pointers to accounting zones.
+  * @num_zones: Number of populated entries in the @zones array.
+  * @zone_kernel: Pointer to the kernel zone.
+@@ -69,7 +67,6 @@ extern struct ttm_mem_global {
+       struct workqueue_struct *swap_queue;
+       struct work_struct work;
+       spinlock_t lock;
+-      uint64_t lower_mem_limit;
+       struct ttm_mem_zone *zones[TTM_MEM_MAX_ZONES];
+       unsigned int num_zones;
+       struct ttm_mem_zone *zone_kernel;
+@@ -91,6 +88,5 @@ int ttm_mem_global_alloc_page(struct ttm_mem_global *glob,
+ void ttm_mem_global_free_page(struct ttm_mem_global *glob,
+                             struct page *page, uint64_t size);
+ size_t ttm_round_pot(size_t size);
+-bool ttm_check_under_lowerlimit(struct ttm_mem_global *glob, uint64_t num_pages,
+-                              struct ttm_operation_ctx *ctx);
++
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch b/queue-5.16/dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch
new file mode 100644 (file)
index 0000000..e03f35e
--- /dev/null
@@ -0,0 +1,67 @@
+From 977fb4c1a27296197a707ba343618c3bd3b2d3ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 11:30:45 +0100
+Subject: dt-bindings: thermal: Fix definition of cooling-maps contribution
+ property
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 49bcb1506f2e095262c01bda7fd1c0db524c91e2 ]
+
+When converting the thermal-zones bindings to yaml the definition of the
+contribution property changed. The intention is the same, an integer
+value expressing a ratio of a sum on how much cooling is provided by the
+device to the zone. But after the conversion the integer value is
+limited to the range 0 to 100 and expressed as a percentage.
+
+This is problematic for two reasons.
+
+- This do not match how the binding is used. Out of the 18 files that
+  make use of the property only two (ste-dbx5x0.dtsi and
+  ste-hrefv60plus.dtsi) sets it at a value that satisfy the binding,
+  100. The remaining 16 files set the value higher and fail to validate.
+
+- Expressing the value as a percentage instead of a ratio of the sum is
+  confusing as there is nothing to enforce the sum in the zone is not
+  greater then 100.
+
+This patch restore the pre yaml conversion description and removes the
+value limitation allowing the usage of the bindings to validate.
+
+Fixes: 1202a442a31fd2e5 ("dt-bindings: thermal: Add yaml bindings for thermal zones")
+Reported-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/20211109103045.1403686-1-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/thermal/thermal-zones.yaml       | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/thermal/thermal-zones.yaml b/Documentation/devicetree/bindings/thermal/thermal-zones.yaml
+index a07de5ed0ca6a..2d34f3ccb2572 100644
+--- a/Documentation/devicetree/bindings/thermal/thermal-zones.yaml
++++ b/Documentation/devicetree/bindings/thermal/thermal-zones.yaml
+@@ -199,12 +199,11 @@ patternProperties:
+               contribution:
+                 $ref: /schemas/types.yaml#/definitions/uint32
+-                minimum: 0
+-                maximum: 100
+                 description:
+-                  The percentage contribution of the cooling devices at the
+-                  specific trip temperature referenced in this map
+-                  to this thermal zone
++                  The cooling contribution to the thermal zone of the referred
++                  cooling device at the referred trip point. The contribution is
++                  a ratio of the sum of all cooling contributions within a
++                  thermal zone.
+             required:
+               - trip
+-- 
+2.34.1
+
diff --git a/queue-5.16/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch b/queue-5.16/edac-synopsys-use-the-quirk-for-version-instead-of-d.patch
new file mode 100644 (file)
index 0000000..e99e021
--- /dev/null
@@ -0,0 +1,38 @@
+From 3a31ff3f1852711f5a0c819b43c8fa35bc7c6c54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 14:07:06 -0500
+Subject: EDAC/synopsys: Use the quirk for version instead of ddr version
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+[ Upstream commit bd1d6da17c296bd005bfa656952710d256e77dd3 ]
+
+Version 2.40a supports DDR_ECC_INTR_SUPPORT for a quirk, so use that
+quirk to determine a call to setup_address_map().
+
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Michal Simek <michal.simek@xilinx.com>
+Link: https://lkml.kernel.org/r/20211012190709.1504152-1-dinguyen@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/synopsys_edac.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
+index 7d08627e738b3..a5486d86fdd2f 100644
+--- a/drivers/edac/synopsys_edac.c
++++ b/drivers/edac/synopsys_edac.c
+@@ -1352,8 +1352,7 @@ static int mc_probe(struct platform_device *pdev)
+               }
+       }
+-      if (of_device_is_compatible(pdev->dev.of_node,
+-                                  "xlnx,zynqmp-ddrc-2.40a"))
++      if (priv->p_data->quirks & DDR_ECC_INTR_SUPPORT)
+               setup_address_map(priv);
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/efi-apply-memblock-cap-after-memblock_add.patch b/queue-5.16/efi-apply-memblock-cap-after-memblock_add.patch
new file mode 100644 (file)
index 0000000..71c43aa
--- /dev/null
@@ -0,0 +1,138 @@
+From ba38d6b38a85b1a3d579c21380595f09f70c6592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 10:13:48 +0800
+Subject: efi: apply memblock cap after memblock_add()
+
+From: Pingfan Liu <kernelfans@gmail.com>
+
+[ Upstream commit b398123bff3bcbc1facb0f29bf6e7b9f1bc55931 ]
+
+On arm64, during kdump kernel saves vmcore, it runs into the following bug:
+...
+[   15.148919] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmem_cache_node' (offset 0, size 4096)!
+[   15.159707] ------------[ cut here ]------------
+[   15.164311] kernel BUG at mm/usercopy.c:99!
+[   15.168482] Internal error: Oops - BUG: 0 [#1] SMP
+[   15.173261] Modules linked in: xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce sbsa_gwdt ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm nvme nvme_core xgene_hwmon i2c_designware_platform i2c_designware_core dm_mirror dm_region_hash dm_log dm_mod overlay squashfs zstd_decompress loop
+[   15.206186] CPU: 0 PID: 542 Comm: cp Not tainted 5.16.0-rc4 #1
+[   15.212006] Hardware name: GIGABYTE R272-P30-JG/MP32-AR0-JG, BIOS F12 (SCP: 1.5.20210426) 05/13/2021
+[   15.221125] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[   15.228073] pc : usercopy_abort+0x9c/0xa0
+[   15.232074] lr : usercopy_abort+0x9c/0xa0
+[   15.236070] sp : ffff8000121abba0
+[   15.239371] x29: ffff8000121abbb0 x28: 0000000000003000 x27: 0000000000000000
+[   15.246494] x26: 0000000080000400 x25: 0000ffff885c7000 x24: 0000000000000000
+[   15.253617] x23: 000007ff80400000 x22: ffff07ff80401000 x21: 0000000000000001
+[   15.260739] x20: 0000000000001000 x19: ffff07ff80400000 x18: ffffffffffffffff
+[   15.267861] x17: 656a626f2042554c x16: 53206d6f72662064 x15: 6574636574656420
+[   15.274983] x14: 74706d6574746120 x13: 2129363930342065 x12: 7a6973202c302074
+[   15.282105] x11: ffffc8b041d1b148 x10: 00000000ffff8000 x9 : ffffc8b04012812c
+[   15.289228] x8 : 00000000ffff7fff x7 : ffffc8b041d1b148 x6 : 0000000000000000
+[   15.296349] x5 : 0000000000000000 x4 : 0000000000007fff x3 : 0000000000000000
+[   15.303471] x2 : 0000000000000000 x1 : ffff07ff8c064800 x0 : 000000000000006b
+[   15.310593] Call trace:
+[   15.313027]  usercopy_abort+0x9c/0xa0
+[   15.316677]  __check_heap_object+0xd4/0xf0
+[   15.320762]  __check_object_size.part.0+0x160/0x1e0
+[   15.325628]  __check_object_size+0x2c/0x40
+[   15.329711]  copy_oldmem_page+0x7c/0x140
+[   15.333623]  read_from_oldmem.part.0+0xfc/0x1c0
+[   15.338142]  __read_vmcore.constprop.0+0x23c/0x350
+[   15.342920]  read_vmcore+0x28/0x34
+[   15.346309]  proc_reg_read+0xb4/0xf0
+[   15.349871]  vfs_read+0xb8/0x1f0
+[   15.353088]  ksys_read+0x74/0x100
+[   15.356390]  __arm64_sys_read+0x28/0x34
+...
+
+This bug introduced by commit b261dba2fdb2 ("arm64: kdump: Remove custom
+linux,usable-memory-range handling"), which moves
+memblock_cap_memory_range() to fdt, but it breaches the rules that
+memblock_cap_memory_range() should come after memblock_add() etc as said
+in commit e888fa7bb882 ("memblock: Check memory add/cap ordering").
+
+As a consequence, the virtual address set up by copy_oldmem_page() does
+not bail out from the test of virt_addr_valid() in check_heap_object(),
+and finally hits the BUG_ON().
+
+Since memblock allocator has no idea about when the memblock is fully
+populated, while efi_init() is aware, so tackling this issue by calling the
+interface early_init_dt_check_for_usable_mem_range() exposed by of/fdt.
+
+Fixes: b261dba2fdb2 ("arm64: kdump: Remove custom linux,usable-memory-range handling")
+Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Cc: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Frank Rowand <frowand.list@gmail.com>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Nick Terrell <terrelln@fb.com>
+Cc: linux-arm-kernel@lists.infradead.org
+To: devicetree@vger.kernel.org
+To: linux-efi@vger.kernel.org
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20211215021348.8766-1-kernelfans@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/efi-init.c | 5 +++++
+ drivers/of/fdt.c                | 2 +-
+ include/linux/of_fdt.h          | 2 ++
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/efi-init.c b/drivers/firmware/efi/efi-init.c
+index b19ce1a83f91a..b2c829e95bd14 100644
+--- a/drivers/firmware/efi/efi-init.c
++++ b/drivers/firmware/efi/efi-init.c
+@@ -235,6 +235,11 @@ void __init efi_init(void)
+       }
+       reserve_regions();
++      /*
++       * For memblock manipulation, the cap should come after the memblock_add().
++       * And now, memblock is fully populated, it is time to do capping.
++       */
++      early_init_dt_check_for_usable_mem_range();
+       efi_esrt_init();
+       efi_mokvar_table_init();
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 5a238a933eb29..65af475dfa950 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -971,7 +971,7 @@ static unsigned long chosen_node_offset = -FDT_ERR_NOTFOUND;
+  * early_init_dt_check_for_usable_mem_range - Decode usable memory range
+  * location from flat tree
+  */
+-static void __init early_init_dt_check_for_usable_mem_range(void)
++void __init early_init_dt_check_for_usable_mem_range(void)
+ {
+       const __be32 *prop;
+       int len;
+diff --git a/include/linux/of_fdt.h b/include/linux/of_fdt.h
+index cf48983d3c867..ad09beb6d13c4 100644
+--- a/include/linux/of_fdt.h
++++ b/include/linux/of_fdt.h
+@@ -62,6 +62,7 @@ extern int early_init_dt_scan_chosen(unsigned long node, const char *uname,
+                                    int depth, void *data);
+ extern int early_init_dt_scan_memory(unsigned long node, const char *uname,
+                                    int depth, void *data);
++extern void early_init_dt_check_for_usable_mem_range(void);
+ extern int early_init_dt_scan_chosen_stdout(void);
+ extern void early_init_fdt_scan_reserved_mem(void);
+ extern void early_init_fdt_reserve_self(void);
+@@ -86,6 +87,7 @@ extern void unflatten_and_copy_device_tree(void);
+ extern void early_init_devtree(void *);
+ extern void early_get_first_memblock_info(void *, phys_addr_t *);
+ #else /* CONFIG_OF_EARLY_FLATTREE */
++static inline void early_init_dt_check_for_usable_mem_range(void) {}
+ static inline int early_init_dt_scan_chosen_stdout(void) { return -ENODEV; }
+ static inline void early_init_fdt_scan_reserved_mem(void) {}
+ static inline void early_init_fdt_reserve_self(void) {}
+-- 
+2.34.1
+
diff --git a/queue-5.16/ethernet-renesas-use-div64_ul-instead-of-do_div.patch b/queue-5.16/ethernet-renesas-use-div64_ul-instead-of-do_div.patch
new file mode 100644 (file)
index 0000000..a3deb35
--- /dev/null
@@ -0,0 +1,56 @@
+From 4643399e93a42af32cf15f91045d5506fd541af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 17:48:03 +0800
+Subject: ethernet: renesas: Use div64_ul instead of do_div
+
+From: Yang Li <yang.lee@linux.alibaba.com>
+
+[ Upstream commit d9f31aeaa1e5aefa68130878af3c3513d41c1e2d ]
+
+do_div() does a 64-by-32 division. Here the divisor is an
+unsigned long which on some platforms is 64 bit wide. So use
+div64_ul instead of do_div to avoid a possible truncation.
+
+Eliminate the following coccicheck warning:
+./drivers/net/ethernet/renesas/ravb_main.c:2492:1-7: WARNING:
+do_div() does a 64-by-32 division, please consider using div64_ul
+instead.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/1637228883-100100-1-git-send-email-yang.lee@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index b4c597f4040c8..151cce2fe36d5 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -30,8 +30,7 @@
+ #include <linux/spinlock.h>
+ #include <linux/sys_soc.h>
+ #include <linux/reset.h>
+-
+-#include <asm/div64.h>
++#include <linux/math64.h>
+ #include "ravb.h"
+@@ -2488,8 +2487,7 @@ static int ravb_set_gti(struct net_device *ndev)
+       if (!rate)
+               return -EINVAL;
+-      inc = 1000000000ULL << 20;
+-      do_div(inc, rate);
++      inc = div64_ul(1000000000ULL << 20, rate);
+       if (inc < GTI_TIV_MIN || inc > GTI_TIV_MAX) {
+               dev_err(dev, "gti.tiv increment 0x%llx is outside the range 0x%x - 0x%x\n",
+-- 
+2.34.1
+
diff --git a/queue-5.16/ext4-avoid-trim-error-on-fs-with-small-groups.patch b/queue-5.16/ext4-avoid-trim-error-on-fs-with-small-groups.patch
new file mode 100644 (file)
index 0000000..5ab65f2
--- /dev/null
@@ -0,0 +1,72 @@
+From 60ab2f7464c0867366c0f53b5fca969c8e96256d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 16:22:02 +0100
+Subject: ext4: avoid trim error on fs with small groups
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 173b6e383d2a204c9921ffc1eca3b87aa2106c33 ]
+
+A user reported FITRIM ioctl failing for him on ext4 on some devices
+without apparent reason.  After some debugging we've found out that
+these devices (being LVM volumes) report rather large discard
+granularity of 42MB and the filesystem had 1k blocksize and thus group
+size of 8MB. Because ext4 FITRIM implementation puts discard
+granularity into minlen, ext4_trim_fs() declared the trim request as
+invalid. However just silently doing nothing seems to be a more
+appropriate reaction to such combination of parameters since user did
+not specify anything wrong.
+
+CC: Lukas Czerner <lczerner@redhat.com>
+Fixes: 5c2ed62fd447 ("ext4: Adjust minlen with discard_granularity in the FITRIM ioctl")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20211112152202.26614-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ioctl.c   | 2 --
+ fs/ext4/mballoc.c | 8 ++++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index 606dee9e08a32..220a4c8178b5e 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -1117,8 +1117,6 @@ resizefs_out:
+                   sizeof(range)))
+                       return -EFAULT;
+-              range.minlen = max((unsigned int)range.minlen,
+-                                 q->limits.discard_granularity);
+               ret = ext4_trim_fs(sb, &range);
+               if (ret < 0)
+                       return ret;
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 215b7068f548a..9af83b6242ddf 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -6404,6 +6404,7 @@ ext4_trim_all_free(struct super_block *sb, ext4_group_t group,
+  */
+ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
+ {
++      struct request_queue *q = bdev_get_queue(sb->s_bdev);
+       struct ext4_group_info *grp;
+       ext4_group_t group, first_group, last_group;
+       ext4_grpblk_t cnt = 0, first_cluster, last_cluster;
+@@ -6422,6 +6423,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
+           start >= max_blks ||
+           range->len < sb->s_blocksize)
+               return -EINVAL;
++      /* No point to try to trim less than discard granularity */
++      if (range->minlen < q->limits.discard_granularity) {
++              minlen = EXT4_NUM_B2C(EXT4_SB(sb),
++                      q->limits.discard_granularity >> sb->s_blocksize_bits);
++              if (minlen > EXT4_CLUSTERS_PER_GROUP(sb))
++                      goto out;
++      }
+       if (end >= max_blks)
+               end = max_blks - 1;
+       if (end <= first_data_blk)
+-- 
+2.34.1
+
diff --git a/queue-5.16/floppy-add-max-size-check-for-user-space-request.patch b/queue-5.16/floppy-add-max-size-check-for-user-space-request.patch
new file mode 100644 (file)
index 0000000..d7f61d5
--- /dev/null
@@ -0,0 +1,82 @@
+From 6f9bf9d9ad16a06d9971c10060220fff7fbfa25e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 21:10:33 +0800
+Subject: floppy: Add max size check for user space request
+
+From: Xiongwei Song <sxwjean@gmail.com>
+
+[ Upstream commit 545a32498c536ee152331cd2e7d2416aa0f20e01 ]
+
+We need to check the max request size that is from user space before
+allocating pages. If the request size exceeds the limit, return -EINVAL.
+This check can avoid the warning below from page allocator.
+
+WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
+WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
+Modules linked in:
+CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
+Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
+RSP: 0018:ffffc90023b87850 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
+R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960
+R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30
+FS:  0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40
+CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
+ __get_free_pages+0x8/0x40 mm/page_alloc.c:5418
+ raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
+ raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
+ fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
+ fd_ioctl drivers/block/floppy.c:3555 [inline]
+ fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
+ compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
+ __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com
+Signed-off-by: Xiongwei Song <sxwjean@gmail.com>
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 02ba1db5b8046..8026125037ae8 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3081,6 +3081,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr)
+       }
+ }
++#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
++
+ static int raw_cmd_copyin(int cmd, void __user *param,
+                                struct floppy_raw_cmd **rcmd)
+ {
+@@ -3108,7 +3110,7 @@ loop:
+       ptr->resultcode = 0;
+       if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+-              if (ptr->length <= 0)
++              if (ptr->length <= 0 || ptr->length >= MAX_LEN)
+                       return -EINVAL;
+               ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
+               fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
+-- 
+2.34.1
+
diff --git a/queue-5.16/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch b/queue-5.16/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch
new file mode 100644 (file)
index 0000000..ae3a917
--- /dev/null
@@ -0,0 +1,52 @@
+From 65a6769a971907f1474ddd407077c09d61ba85a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Sep 2021 09:47:58 +0300
+Subject: floppy: Fix hang in watchdog when disk is ejected
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+[ Upstream commit fb48febce7e30baed94dd791e19521abd2c3fd83 ]
+
+When the watchdog detects a disk change, it calls cancel_activity(),
+which in turn tries to cancel the fd_timer delayed work.
+
+In the above scenario, fd_timer_fn is set to fd_watchdog(), meaning
+it is trying to cancel its own work.
+This results in a hang as cancel_delayed_work_sync() is waiting for the
+watchdog (itself) to return, which never happens.
+
+This can be reproduced relatively consistently by attempting to read a
+broken floppy, and ejecting it while IO is being attempted and retried.
+
+To resolve this, this patch calls cancel_delayed_work() instead, which
+cancels the work without waiting for the watchdog to return and finish.
+
+Before this regression was introduced, the code in this section used
+del_timer(), and not del_timer_sync() to delete the watchdog timer.
+
+Link: https://lore.kernel.org/r/399e486c-6540-db27-76aa-7a271b061f76@tasossah.com
+Fixes: 070ad7e793dc ("floppy: convert to delayed work and single-thread wq")
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index c4267da716fe6..02ba1db5b8046 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -1015,7 +1015,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn);
+ static void cancel_activity(void)
+ {
+       do_floppy = NULL;
+-      cancel_delayed_work_sync(&fd_timer);
++      cancel_delayed_work(&fd_timer);
+       cancel_work_sync(&floppy_work);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch b/queue-5.16/fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch
new file mode 100644 (file)
index 0000000..e2af51a
--- /dev/null
@@ -0,0 +1,144 @@
+From 03c0ec98122a2f2adc1ee088114511213a645404 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 08:57:05 -0500
+Subject: fs: dlm: don't call kernel_getpeername() in error_report()
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 4c3d90570bcc2b338f70f61f01110268e281ca3c ]
+
+In some cases kernel_getpeername() will held the socket lock which is
+already held when the socket layer calls error_report() callback. Since
+commit 9dfc685e0262 ("inet: remove races in inet{6}_getname()") this
+problem becomes more likely because the socket lock will be held always.
+You will see something like:
+
+bob9-u5 login: [  562.316860] BUG: spinlock recursion on CPU#7, swapper/7/0
+[  562.318562]  lock: 0xffff8f2284720088, .magic: dead4ead, .owner: swapper/7/0, .owner_cpu: 7
+[  562.319522] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 5.15.0+ #135
+[  562.320346] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.13.0-2.module+el8.3.0+7353+9de0a3cc 04/01/2014
+[  562.321277] Call Trace:
+[  562.321529]  <IRQ>
+[  562.321734]  dump_stack_lvl+0x33/0x42
+[  562.322282]  do_raw_spin_lock+0x8b/0xc0
+[  562.322674]  lock_sock_nested+0x1e/0x50
+[  562.323057]  inet_getname+0x39/0x110
+[  562.323425]  ? sock_def_readable+0x80/0x80
+[  562.323838]  lowcomms_error_report+0x63/0x260 [dlm]
+[  562.324338]  ? wait_for_completion_interruptible_timeout+0xd2/0x120
+[  562.324949]  ? lock_timer_base+0x67/0x80
+[  562.325330]  ? do_raw_spin_unlock+0x49/0xc0
+[  562.325735]  ? _raw_spin_unlock_irqrestore+0x1e/0x40
+[  562.326218]  ? del_timer+0x54/0x80
+[  562.326549]  sk_error_report+0x12/0x70
+[  562.326919]  tcp_validate_incoming+0x3c8/0x530
+[  562.327347]  ? kvm_clock_read+0x14/0x30
+[  562.327718]  ? ktime_get+0x3b/0xa0
+[  562.328055]  tcp_rcv_established+0x121/0x660
+[  562.328466]  tcp_v4_do_rcv+0x132/0x260
+[  562.328835]  tcp_v4_rcv+0xcea/0xe20
+[  562.329173]  ip_protocol_deliver_rcu+0x35/0x1f0
+[  562.329615]  ip_local_deliver_finish+0x54/0x60
+[  562.330050]  ip_local_deliver+0xf7/0x110
+[  562.330431]  ? inet_rtm_getroute+0x211/0x840
+[  562.330848]  ? ip_protocol_deliver_rcu+0x1f0/0x1f0
+[  562.331310]  ip_rcv+0xe1/0xf0
+[  562.331603]  ? ip_local_deliver+0x110/0x110
+[  562.332011]  __netif_receive_skb_core+0x46a/0x1040
+[  562.332476]  ? inet_gro_receive+0x263/0x2e0
+[  562.332885]  __netif_receive_skb_list_core+0x13b/0x2c0
+[  562.333383]  netif_receive_skb_list_internal+0x1c8/0x2f0
+[  562.333896]  ? update_load_avg+0x7e/0x5e0
+[  562.334285]  gro_normal_list.part.149+0x19/0x40
+[  562.334722]  napi_complete_done+0x67/0x160
+[  562.335134]  virtnet_poll+0x2ad/0x408 [virtio_net]
+[  562.335644]  __napi_poll+0x28/0x140
+[  562.336012]  net_rx_action+0x23d/0x300
+[  562.336414]  __do_softirq+0xf2/0x2ea
+[  562.336803]  irq_exit_rcu+0xc1/0xf0
+[  562.337173]  common_interrupt+0xb9/0xd0
+
+It is and was always forbidden to call kernel_getpeername() in context
+of error_report(). To get rid of the problem we access the destination
+address for the peer over the socket structure. While on it we fix to
+print out the destination port of the inet socket.
+
+Fixes: 1a31833d085a ("DLM: Replace nodeid_to_addr with kernel_getpeername")
+Reported-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lowcomms.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 8f715c620e1f8..7b1c5f05a988b 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -592,8 +592,8 @@ int dlm_lowcomms_nodes_set_mark(int nodeid, unsigned int mark)
+ static void lowcomms_error_report(struct sock *sk)
+ {
+       struct connection *con;
+-      struct sockaddr_storage saddr;
+       void (*orig_report)(struct sock *) = NULL;
++      struct inet_sock *inet;
+       read_lock_bh(&sk->sk_callback_lock);
+       con = sock2con(sk);
+@@ -601,33 +601,31 @@ static void lowcomms_error_report(struct sock *sk)
+               goto out;
+       orig_report = listen_sock.sk_error_report;
+-      if (kernel_getpeername(sk->sk_socket, (struct sockaddr *)&saddr) < 0) {
+-              printk_ratelimited(KERN_ERR "dlm: node %d: socket error "
+-                                 "sending to node %d, port %d, "
+-                                 "sk_err=%d/%d\n", dlm_our_nodeid(),
+-                                 con->nodeid, dlm_config.ci_tcp_port,
+-                                 sk->sk_err, sk->sk_err_soft);
+-      } else if (saddr.ss_family == AF_INET) {
+-              struct sockaddr_in *sin4 = (struct sockaddr_in *)&saddr;
++      inet = inet_sk(sk);
++      switch (sk->sk_family) {
++      case AF_INET:
+               printk_ratelimited(KERN_ERR "dlm: node %d: socket error "
+-                                 "sending to node %d at %pI4, port %d, "
++                                 "sending to node %d at %pI4, dport %d, "
+                                  "sk_err=%d/%d\n", dlm_our_nodeid(),
+-                                 con->nodeid, &sin4->sin_addr.s_addr,
+-                                 dlm_config.ci_tcp_port, sk->sk_err,
++                                 con->nodeid, &inet->inet_daddr,
++                                 ntohs(inet->inet_dport), sk->sk_err,
+                                  sk->sk_err_soft);
+-      } else {
+-              struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&saddr;
+-
++              break;
++      case AF_INET6:
+               printk_ratelimited(KERN_ERR "dlm: node %d: socket error "
+-                                 "sending to node %d at %u.%u.%u.%u, "
+-                                 "port %d, sk_err=%d/%d\n", dlm_our_nodeid(),
+-                                 con->nodeid, sin6->sin6_addr.s6_addr32[0],
+-                                 sin6->sin6_addr.s6_addr32[1],
+-                                 sin6->sin6_addr.s6_addr32[2],
+-                                 sin6->sin6_addr.s6_addr32[3],
+-                                 dlm_config.ci_tcp_port, sk->sk_err,
++                                 "sending to node %d at %pI6c, "
++                                 "dport %d, sk_err=%d/%d\n", dlm_our_nodeid(),
++                                 con->nodeid, &sk->sk_v6_daddr,
++                                 ntohs(inet->inet_dport), sk->sk_err,
+                                  sk->sk_err_soft);
++              break;
++      default:
++              printk_ratelimited(KERN_ERR "dlm: node %d: socket error "
++                                 "invalid socket family %d set, "
++                                 "sk_err=%d/%d\n", dlm_our_nodeid(),
++                                 sk->sk_family, sk->sk_err, sk->sk_err_soft);
++              goto out;
+       }
+       /* below sendcon only handling */
+-- 
+2.34.1
+
diff --git a/queue-5.16/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch b/queue-5.16/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch
new file mode 100644 (file)
index 0000000..a7fd7f4
--- /dev/null
@@ -0,0 +1,118 @@
+From 1c87ef3f4382c317982111c1d89950f3315ecbdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 15:17:24 -0400
+Subject: fs: dlm: filter user dlm messages for kernel locks
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6c2e3bf68f3e5e5a647aa52be246d5f552d7496d ]
+
+This patch fixes the following crash by receiving a invalid message:
+
+[  160.672220] ==================================================================
+[  160.676206] BUG: KASAN: user-memory-access in dlm_user_add_ast+0xc3/0x370
+[  160.679659] Read of size 8 at addr 00000000deadbeef by task kworker/u32:13/319
+[  160.681447]
+[  160.681824] CPU: 10 PID: 319 Comm: kworker/u32:13 Not tainted 5.14.0-rc2+ #399
+[  160.683472] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.14.0-1.module+el8.6.0+12648+6ede71a5 04/01/2014
+[  160.685574] Workqueue: dlm_recv process_recv_sockets
+[  160.686721] Call Trace:
+[  160.687310]  dump_stack_lvl+0x56/0x6f
+[  160.688169]  ? dlm_user_add_ast+0xc3/0x370
+[  160.689116]  kasan_report.cold.14+0x116/0x11b
+[  160.690138]  ? dlm_user_add_ast+0xc3/0x370
+[  160.690832]  dlm_user_add_ast+0xc3/0x370
+[  160.691502]  _receive_unlock_reply+0x103/0x170
+[  160.692241]  _receive_message+0x11df/0x1ec0
+[  160.692926]  ? rcu_read_lock_sched_held+0xa1/0xd0
+[  160.693700]  ? rcu_read_lock_bh_held+0xb0/0xb0
+[  160.694427]  ? lock_acquire+0x175/0x400
+[  160.695058]  ? do_purge.isra.51+0x200/0x200
+[  160.695744]  ? lock_acquired+0x360/0x5d0
+[  160.696400]  ? lock_contended+0x6a0/0x6a0
+[  160.697055]  ? lock_release+0x21d/0x5e0
+[  160.697686]  ? lock_is_held_type+0xe0/0x110
+[  160.698352]  ? lock_is_held_type+0xe0/0x110
+[  160.699026]  ? ___might_sleep+0x1cc/0x1e0
+[  160.699698]  ? dlm_wait_requestqueue+0x94/0x140
+[  160.700451]  ? dlm_process_requestqueue+0x240/0x240
+[  160.701249]  ? down_write_killable+0x2b0/0x2b0
+[  160.701988]  ? do_raw_spin_unlock+0xa2/0x130
+[  160.702690]  dlm_receive_buffer+0x1a5/0x210
+[  160.703385]  dlm_process_incoming_buffer+0x726/0x9f0
+[  160.704210]  receive_from_sock+0x1c0/0x3b0
+[  160.704886]  ? dlm_tcp_shutdown+0x30/0x30
+[  160.705561]  ? lock_acquire+0x175/0x400
+[  160.706197]  ? rcu_read_lock_sched_held+0xa1/0xd0
+[  160.706941]  ? rcu_read_lock_bh_held+0xb0/0xb0
+[  160.707681]  process_recv_sockets+0x32/0x40
+[  160.708366]  process_one_work+0x55e/0xad0
+[  160.709045]  ? pwq_dec_nr_in_flight+0x110/0x110
+[  160.709820]  worker_thread+0x65/0x5e0
+[  160.710423]  ? process_one_work+0xad0/0xad0
+[  160.711087]  kthread+0x1ed/0x220
+[  160.711628]  ? set_kthread_struct+0x80/0x80
+[  160.712314]  ret_from_fork+0x22/0x30
+
+The issue is that we received a DLM message for a user lock but the
+destination lock is a kernel lock. Note that the address which is trying
+to derefence is 00000000deadbeef, which is in a kernel lock
+lkb->lkb_astparam, this field should never be derefenced by the DLM
+kernel stack. In case of a user lock lkb->lkb_astparam is lkb->lkb_ua
+(memory is shared by a union field). The struct lkb_ua will be handled
+by the DLM kernel stack but on a kernel lock it will contain invalid
+data and ends in most likely crashing the kernel.
+
+It can be reproduced with two cluster nodes.
+
+node 2:
+dlm_tool join test
+echo "862 fooobaar 1 2 1" > /sys/kernel/debug/dlm/test_locks
+echo "862 3 1" > /sys/kernel/debug/dlm/test_waiters
+
+node 1:
+dlm_tool join test
+
+python:
+foo = DLM(h_cmd=3, o_nextcmd=1, h_nodeid=1, h_lockspace=0x77222027, \
+          m_type=7, m_flags=0x1, m_remid=0x862, m_result=0xFFFEFFFE)
+newFile = open("/sys/kernel/debug/dlm/comms/2/rawmsg", "wb")
+newFile.write(bytes(foo))
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index c502c065d0075..28d1f35b11a4d 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -3973,6 +3973,14 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
+       int from = ms->m_header.h_nodeid;
+       int error = 0;
++      /* currently mixing of user/kernel locks are not supported */
++      if (ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER) {
++              log_error(lkb->lkb_resource->res_ls,
++                        "got user dlm message for a kernel lock");
++              error = -EINVAL;
++              goto out;
++      }
++
+       switch (ms->m_type) {
+       case DLM_MSG_CONVERT:
+       case DLM_MSG_UNLOCK:
+@@ -4001,6 +4009,7 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
+               error = -EINVAL;
+       }
++out:
+       if (error)
+               log_error(lkb->lkb_resource->res_ls,
+                         "ignore invalid message %d from %d %x %x %x %d",
+-- 
+2.34.1
+
diff --git a/queue-5.16/fs-dlm-fix-build-with-config_ipv6-disabled.patch b/queue-5.16/fs-dlm-fix-build-with-config_ipv6-disabled.patch
new file mode 100644 (file)
index 0000000..4b87039
--- /dev/null
@@ -0,0 +1,49 @@
+From 000100dd823064aa4276a10b24326c525d49918e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 09:20:43 -0500
+Subject: fs: dlm: fix build with CONFIG_IPV6 disabled
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 1b9beda83e27a0c2cd75d1cb743c297c7b36c844 ]
+
+This patch will surround the AF_INET6 case in sk_error_report() of dlm
+with a #if IS_ENABLED(CONFIG_IPV6). The field sk->sk_v6_daddr is not
+defined when CONFIG_IPV6 is disabled. If CONFIG_IPV6 is disabled, the
+socket creation with AF_INET6 should already fail because a runtime
+check if AF_INET6 is registered. However if there is the possibility
+that AF_INET6 is set as sk_family the sk_error_report() callback will
+print then an invalid family type error.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 4c3d90570bcc ("fs: dlm: don't call kernel_getpeername() in error_report()")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lowcomms.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 7b1c5f05a988b..7a8efce1c343e 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -612,6 +612,7 @@ static void lowcomms_error_report(struct sock *sk)
+                                  ntohs(inet->inet_dport), sk->sk_err,
+                                  sk->sk_err_soft);
+               break;
++#if IS_ENABLED(CONFIG_IPV6)
+       case AF_INET6:
+               printk_ratelimited(KERN_ERR "dlm: node %d: socket error "
+                                  "sending to node %d at %pI6c, "
+@@ -620,6 +621,7 @@ static void lowcomms_error_report(struct sock *sk)
+                                  ntohs(inet->inet_dport), sk->sk_err,
+                                  sk->sk_err_soft);
+               break;
++#endif
+       default:
+               printk_ratelimited(KERN_ERR "dlm: node %d: socket error "
+                                  "invalid socket family %d set, "
+-- 
+2.34.1
+
diff --git a/queue-5.16/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch b/queue-5.16/fsl-fman-check-for-null-pointer-after-calling-devm_i.patch
new file mode 100644 (file)
index 0000000..2031522
--- /dev/null
@@ -0,0 +1,96 @@
+From 4cbabe176135017d649e8bdccf0890fa3bd011a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 18:04:10 +0800
+Subject: fsl/fman: Check for null pointer after calling devm_ioremap
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit d5a73ec96cc57cf67e51b12820fc2354e7ca46f8 ]
+
+As the possible failure of the allocation, the devm_ioremap() may return
+NULL pointer.
+Take tgec_initialization() as an example.
+If allocation fails, the params->base_addr will be NULL pointer and will
+be assigned to tgec->regs in tgec_config().
+Then it will cause the dereference of NULL pointer in set_mac_address(),
+which is called by tgec_init().
+Therefore, it should be better to add the sanity check after the calling
+of the devm_ioremap().
+
+Fixes: 3933961682a3 ("fsl/fman: Add FMan MAC driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/mac.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/mac.c b/drivers/net/ethernet/freescale/fman/mac.c
+index d9fc5c456bf3e..39ae965cd4f64 100644
+--- a/drivers/net/ethernet/freescale/fman/mac.c
++++ b/drivers/net/ethernet/freescale/fman/mac.c
+@@ -94,14 +94,17 @@ static void mac_exception(void *handle, enum fman_mac_exceptions ex)
+               __func__, ex);
+ }
+-static void set_fman_mac_params(struct mac_device *mac_dev,
+-                              struct fman_mac_params *params)
++static int set_fman_mac_params(struct mac_device *mac_dev,
++                             struct fman_mac_params *params)
+ {
+       struct mac_priv_s *priv = mac_dev->priv;
+       params->base_addr = (typeof(params->base_addr))
+               devm_ioremap(priv->dev, mac_dev->res->start,
+                            resource_size(mac_dev->res));
++      if (!params->base_addr)
++              return -ENOMEM;
++
+       memcpy(&params->addr, mac_dev->addr, sizeof(mac_dev->addr));
+       params->max_speed       = priv->max_speed;
+       params->phy_if          = mac_dev->phy_if;
+@@ -112,6 +115,8 @@ static void set_fman_mac_params(struct mac_device *mac_dev,
+       params->event_cb        = mac_exception;
+       params->dev_id          = mac_dev;
+       params->internal_phy_node = priv->internal_phy_node;
++
++      return 0;
+ }
+ static int tgec_initialization(struct mac_device *mac_dev)
+@@ -123,7 +128,9 @@ static int tgec_initialization(struct mac_device *mac_dev)
+       priv = mac_dev->priv;
+-      set_fman_mac_params(mac_dev, &params);
++      err = set_fman_mac_params(mac_dev, &params);
++      if (err)
++              goto _return;
+       mac_dev->fman_mac = tgec_config(&params);
+       if (!mac_dev->fman_mac) {
+@@ -169,7 +176,9 @@ static int dtsec_initialization(struct mac_device *mac_dev)
+       priv = mac_dev->priv;
+-      set_fman_mac_params(mac_dev, &params);
++      err = set_fman_mac_params(mac_dev, &params);
++      if (err)
++              goto _return;
+       mac_dev->fman_mac = dtsec_config(&params);
+       if (!mac_dev->fman_mac) {
+@@ -218,7 +227,9 @@ static int memac_initialization(struct mac_device *mac_dev)
+       priv = mac_dev->priv;
+-      set_fman_mac_params(mac_dev, &params);
++      err = set_fman_mac_params(mac_dev, &params);
++      if (err)
++              goto _return;
+       if (priv->max_speed == SPEED_10000)
+               params.phy_if = PHY_INTERFACE_MODE_XGMII;
+-- 
+2.34.1
+
diff --git a/queue-5.16/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch b/queue-5.16/gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch
new file mode 100644 (file)
index 0000000..431c750
--- /dev/null
@@ -0,0 +1,258 @@
+From 26d28f987287d6f0387a218c46475cb3a11121a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 18:10:26 +0100
+Subject: gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock
+
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+
+[ Upstream commit 61a7904b6ace99b1bde0d0e867fa3097f5c8cee2 ]
+
+The gpio-aspeed driver implements an irq_chip which need to be invoked
+from hardirq context. Since spin_lock() can sleep with PREEMPT_RT, it is
+no longer legal to invoke it while interrupts are disabled.
+This also causes lockdep to complain about:
+[    0.649797] [ BUG: Invalid wait context ]
+because aspeed_gpio.lock (spin_lock_t) is taken under irq_desc.lock
+(raw_spinlock_t).
+Let's use of raw_spinlock_t instead of spinlock_t.
+
+Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-aspeed.c | 52 +++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
+index 3c8f20c57695f..318a7d95a1a8b 100644
+--- a/drivers/gpio/gpio-aspeed.c
++++ b/drivers/gpio/gpio-aspeed.c
+@@ -53,7 +53,7 @@ struct aspeed_gpio_config {
+ struct aspeed_gpio {
+       struct gpio_chip chip;
+       struct irq_chip irqc;
+-      spinlock_t lock;
++      raw_spinlock_t lock;
+       void __iomem *base;
+       int irq;
+       const struct aspeed_gpio_config *config;
+@@ -413,14 +413,14 @@ static void aspeed_gpio_set(struct gpio_chip *gc, unsigned int offset,
+       unsigned long flags;
+       bool copro;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       copro = aspeed_gpio_copro_request(gpio, offset);
+       __aspeed_gpio_set(gc, offset, val);
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+ }
+ static int aspeed_gpio_dir_in(struct gpio_chip *gc, unsigned int offset)
+@@ -435,7 +435,7 @@ static int aspeed_gpio_dir_in(struct gpio_chip *gc, unsigned int offset)
+       if (!have_input(gpio, offset))
+               return -ENOTSUPP;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       reg = ioread32(addr);
+       reg &= ~GPIO_BIT(offset);
+@@ -445,7 +445,7 @@ static int aspeed_gpio_dir_in(struct gpio_chip *gc, unsigned int offset)
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return 0;
+ }
+@@ -463,7 +463,7 @@ static int aspeed_gpio_dir_out(struct gpio_chip *gc,
+       if (!have_output(gpio, offset))
+               return -ENOTSUPP;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       reg = ioread32(addr);
+       reg |= GPIO_BIT(offset);
+@@ -474,7 +474,7 @@ static int aspeed_gpio_dir_out(struct gpio_chip *gc,
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return 0;
+ }
+@@ -492,11 +492,11 @@ static int aspeed_gpio_get_direction(struct gpio_chip *gc, unsigned int offset)
+       if (!have_output(gpio, offset))
+               return GPIO_LINE_DIRECTION_IN;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       val = ioread32(bank_reg(gpio, bank, reg_dir)) & GPIO_BIT(offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return val ? GPIO_LINE_DIRECTION_OUT : GPIO_LINE_DIRECTION_IN;
+ }
+@@ -539,14 +539,14 @@ static void aspeed_gpio_irq_ack(struct irq_data *d)
+       status_addr = bank_reg(gpio, bank, reg_irq_status);
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       copro = aspeed_gpio_copro_request(gpio, offset);
+       iowrite32(bit, status_addr);
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+ }
+ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set)
+@@ -565,7 +565,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set)
+       addr = bank_reg(gpio, bank, reg_irq_enable);
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       copro = aspeed_gpio_copro_request(gpio, offset);
+       reg = ioread32(addr);
+@@ -577,7 +577,7 @@ static void aspeed_gpio_irq_set_mask(struct irq_data *d, bool set)
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+ }
+ static void aspeed_gpio_irq_mask(struct irq_data *d)
+@@ -629,7 +629,7 @@ static int aspeed_gpio_set_type(struct irq_data *d, unsigned int type)
+               return -EINVAL;
+       }
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       copro = aspeed_gpio_copro_request(gpio, offset);
+       addr = bank_reg(gpio, bank, reg_irq_type0);
+@@ -649,7 +649,7 @@ static int aspeed_gpio_set_type(struct irq_data *d, unsigned int type)
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       irq_set_handler_locked(d, handler);
+@@ -716,7 +716,7 @@ static int aspeed_gpio_reset_tolerance(struct gpio_chip *chip,
+       treg = bank_reg(gpio, to_bank(offset), reg_tolerance);
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       copro = aspeed_gpio_copro_request(gpio, offset);
+       val = readl(treg);
+@@ -730,7 +730,7 @@ static int aspeed_gpio_reset_tolerance(struct gpio_chip *chip,
+       if (copro)
+               aspeed_gpio_copro_release(gpio, offset);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return 0;
+ }
+@@ -856,7 +856,7 @@ static int enable_debounce(struct gpio_chip *chip, unsigned int offset,
+               return rc;
+       }
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       if (timer_allocation_registered(gpio, offset)) {
+               rc = unregister_allocated_timer(gpio, offset);
+@@ -916,7 +916,7 @@ static int enable_debounce(struct gpio_chip *chip, unsigned int offset,
+       configure_timer(gpio, offset, i);
+ out:
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return rc;
+ }
+@@ -927,13 +927,13 @@ static int disable_debounce(struct gpio_chip *chip, unsigned int offset)
+       unsigned long flags;
+       int rc;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       rc = unregister_allocated_timer(gpio, offset);
+       if (!rc)
+               configure_timer(gpio, offset, 0);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return rc;
+ }
+@@ -1015,7 +1015,7 @@ int aspeed_gpio_copro_grab_gpio(struct gpio_desc *desc,
+               return -EINVAL;
+       bindex = offset >> 3;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       /* Sanity check, this shouldn't happen */
+       if (gpio->cf_copro_bankmap[bindex] == 0xff) {
+@@ -1036,7 +1036,7 @@ int aspeed_gpio_copro_grab_gpio(struct gpio_desc *desc,
+       if (bit)
+               *bit = GPIO_OFFSET(offset);
+  bail:
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return rc;
+ }
+ EXPORT_SYMBOL_GPL(aspeed_gpio_copro_grab_gpio);
+@@ -1060,7 +1060,7 @@ int aspeed_gpio_copro_release_gpio(struct gpio_desc *desc)
+               return -EINVAL;
+       bindex = offset >> 3;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       /* Sanity check, this shouldn't happen */
+       if (gpio->cf_copro_bankmap[bindex] == 0) {
+@@ -1074,7 +1074,7 @@ int aspeed_gpio_copro_release_gpio(struct gpio_desc *desc)
+               aspeed_gpio_change_cmd_source(gpio, bank, bindex,
+                                             GPIO_CMDSRC_ARM);
+  bail:
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return rc;
+ }
+ EXPORT_SYMBOL_GPL(aspeed_gpio_copro_release_gpio);
+@@ -1148,7 +1148,7 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev)
+       if (IS_ERR(gpio->base))
+               return PTR_ERR(gpio->base);
+-      spin_lock_init(&gpio->lock);
++      raw_spin_lock_init(&gpio->lock);
+       gpio_id = of_match_node(aspeed_gpio_of_table, pdev->dev.of_node);
+       if (!gpio_id)
+-- 
+2.34.1
+
diff --git a/queue-5.16/gpio-aspeed-sgpio-convert-aspeed_sgpio.lock-to-raw_s.patch b/queue-5.16/gpio-aspeed-sgpio-convert-aspeed_sgpio.lock-to-raw_s.patch
new file mode 100644 (file)
index 0000000..47f010c
--- /dev/null
@@ -0,0 +1,160 @@
+From a0ede20265989263cdc54baafdc7a7b9dc830165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 18:10:27 +0100
+Subject: gpio: aspeed-sgpio: Convert aspeed_sgpio.lock to raw_spinlock
+
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+
+[ Upstream commit ab39d6988dd53f354130438d8afa5596a2440fed ]
+
+The gpio-aspeed-sgpio driver implements an irq_chip which need to be
+invoked from hardirq context. Since spin_lock() can sleep with
+PREEMPT_RT, it is no longer legal to invoke it while interrupts are
+disabled.
+This also causes lockdep to complain about:
+[   25.919465] [ BUG: Invalid wait context ]
+because aspeed_sgpio.lock (spin_lock_t) is taken under irq_desc.lock
+(raw_spinlock_t).
+Let's use of raw_spinlock_t instead of spinlock_t.
+
+Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-aspeed-sgpio.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpio/gpio-aspeed-sgpio.c b/drivers/gpio/gpio-aspeed-sgpio.c
+index b3a9b8488f11d..454cefbeecf0e 100644
+--- a/drivers/gpio/gpio-aspeed-sgpio.c
++++ b/drivers/gpio/gpio-aspeed-sgpio.c
+@@ -31,7 +31,7 @@ struct aspeed_sgpio {
+       struct gpio_chip chip;
+       struct irq_chip intc;
+       struct clk *pclk;
+-      spinlock_t lock;
++      raw_spinlock_t lock;
+       void __iomem *base;
+       int irq;
+ };
+@@ -173,12 +173,12 @@ static int aspeed_sgpio_get(struct gpio_chip *gc, unsigned int offset)
+       enum aspeed_sgpio_reg reg;
+       int rc = 0;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       reg = aspeed_sgpio_is_input(offset) ? reg_val : reg_rdata;
+       rc = !!(ioread32(bank_reg(gpio, bank, reg)) & GPIO_BIT(offset));
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return rc;
+ }
+@@ -215,11 +215,11 @@ static void aspeed_sgpio_set(struct gpio_chip *gc, unsigned int offset, int val)
+       struct aspeed_sgpio *gpio = gpiochip_get_data(gc);
+       unsigned long flags;
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       sgpio_set_value(gc, offset, val);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+ }
+ static int aspeed_sgpio_dir_in(struct gpio_chip *gc, unsigned int offset)
+@@ -236,9 +236,9 @@ static int aspeed_sgpio_dir_out(struct gpio_chip *gc, unsigned int offset, int v
+       /* No special action is required for setting the direction; we'll
+        * error-out in sgpio_set_value if this isn't an output GPIO */
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       rc = sgpio_set_value(gc, offset, val);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return rc;
+ }
+@@ -277,11 +277,11 @@ static void aspeed_sgpio_irq_ack(struct irq_data *d)
+       status_addr = bank_reg(gpio, bank, reg_irq_status);
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       iowrite32(bit, status_addr);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+ }
+ static void aspeed_sgpio_irq_set_mask(struct irq_data *d, bool set)
+@@ -296,7 +296,7 @@ static void aspeed_sgpio_irq_set_mask(struct irq_data *d, bool set)
+       irqd_to_aspeed_sgpio_data(d, &gpio, &bank, &bit, &offset);
+       addr = bank_reg(gpio, bank, reg_irq_enable);
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       reg = ioread32(addr);
+       if (set)
+@@ -306,7 +306,7 @@ static void aspeed_sgpio_irq_set_mask(struct irq_data *d, bool set)
+       iowrite32(reg, addr);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+ }
+ static void aspeed_sgpio_irq_mask(struct irq_data *d)
+@@ -355,7 +355,7 @@ static int aspeed_sgpio_set_type(struct irq_data *d, unsigned int type)
+               return -EINVAL;
+       }
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       addr = bank_reg(gpio, bank, reg_irq_type0);
+       reg = ioread32(addr);
+@@ -372,7 +372,7 @@ static int aspeed_sgpio_set_type(struct irq_data *d, unsigned int type)
+       reg = (reg & ~bit) | type2;
+       iowrite32(reg, addr);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       irq_set_handler_locked(d, handler);
+@@ -467,7 +467,7 @@ static int aspeed_sgpio_reset_tolerance(struct gpio_chip *chip,
+       reg = bank_reg(gpio, to_bank(offset), reg_tolerance);
+-      spin_lock_irqsave(&gpio->lock, flags);
++      raw_spin_lock_irqsave(&gpio->lock, flags);
+       val = readl(reg);
+@@ -478,7 +478,7 @@ static int aspeed_sgpio_reset_tolerance(struct gpio_chip *chip,
+       writel(val, reg);
+-      spin_unlock_irqrestore(&gpio->lock, flags);
++      raw_spin_unlock_irqrestore(&gpio->lock, flags);
+       return 0;
+ }
+@@ -575,7 +575,7 @@ static int __init aspeed_sgpio_probe(struct platform_device *pdev)
+       iowrite32(FIELD_PREP(ASPEED_SGPIO_CLK_DIV_MASK, sgpio_clk_div) | gpio_cnt_regval |
+                 ASPEED_SGPIO_ENABLE, gpio->base + ASPEED_SGPIO_CTRL);
+-      spin_lock_init(&gpio->lock);
++      raw_spin_lock_init(&gpio->lock);
+       gpio->chip.parent = &pdev->dev;
+       gpio->chip.ngpio = nr_gpios * 2;
+-- 
+2.34.1
+
diff --git a/queue-5.16/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch b/queue-5.16/gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch
new file mode 100644 (file)
index 0000000..04872eb
--- /dev/null
@@ -0,0 +1,61 @@
+From 1cd70c2c1db0d18276c07a022efdef328488684a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 21:30:10 +0100
+Subject: gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit bdfd6ab8fdccd8b138837efff66f4a1911496378 ]
+
+If the IRQ is already in use, then acpi_dev_gpio_irq_get_by() really
+should not change the type underneath the current owner.
+
+I specifically hit an issue with this an a Chuwi Hi8 Super (CWI509) Bay
+Trail tablet, when the Boot OS selection in the BIOS is set to Android.
+In this case _STA for a MAX17047 ACPI I2C device wrongly returns 0xf and
+the _CRS resources for this device include a GpioInt pointing to a GPIO
+already in use by an _AEI handler, with a different type then specified
+in the _CRS for the MAX17047 device. Leading to the acpi_dev_gpio_irq_get()
+call done by the i2c-core-acpi.c code changing the type breaking the
+_AEI handler.
+
+Now this clearly is a bug in the DSDT of this tablet (in Android mode),
+but in general calling irq_set_irq_type() on an IRQ which already is
+in use seems like a bad idea.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
+index 985e8589c58ba..feb8157d2d672 100644
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1056,10 +1056,17 @@ int acpi_dev_gpio_irq_get_by(struct acpi_device *adev, const char *name, int ind
+                       irq_flags = acpi_dev_get_irq_type(info.triggering,
+                                                         info.polarity);
+-                      /* Set type if specified and different than the current one */
+-                      if (irq_flags != IRQ_TYPE_NONE &&
+-                          irq_flags != irq_get_trigger_type(irq))
+-                              irq_set_irq_type(irq, irq_flags);
++                      /*
++                       * If the IRQ is not already in use then set type
++                       * if specified and different than the current one.
++                       */
++                      if (can_request_irq(irq, irq_flags)) {
++                              if (irq_flags != IRQ_TYPE_NONE &&
++                                  irq_flags != irq_get_trigger_type(irq))
++                                      irq_set_irq_type(irq, irq_flags);
++                      } else {
++                              dev_dbg(&adev->dev, "IRQ %d already in use\n", irq);
++                      }
+                       return irq;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/gpu-host1x-select-config_dma_shared_buffer.patch b/queue-5.16/gpu-host1x-select-config_dma_shared_buffer.patch
new file mode 100644 (file)
index 0000000..2eccd9a
--- /dev/null
@@ -0,0 +1,43 @@
+From 1f4dd694fd683ba19ef04a248645b8217d138a35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 11:36:59 +0200
+Subject: gpu: host1x: select CONFIG_DMA_SHARED_BUFFER
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 6c7a388b62366f0de9936db3c1921d7f4e0011bc ]
+
+Linking fails when dma-buf is disabled:
+
+ld.lld: error: undefined symbol: dma_fence_release
+>>> referenced by fence.c
+>>>               gpu/host1x/fence.o:(host1x_syncpt_fence_enable_signaling) in archive drivers/built-in.a
+>>> referenced by fence.c
+>>>               gpu/host1x/fence.o:(host1x_fence_signal) in archive drivers/built-in.a
+>>> referenced by fence.c
+>>>               gpu/host1x/fence.o:(do_fence_timeout) in archive drivers/built-in.a
+
+Fixes: 687db2207b1b ("gpu: host1x: Add DMA fence implementation")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/host1x/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/host1x/Kconfig b/drivers/gpu/host1x/Kconfig
+index 6dab94adf25e5..6815b4db17c1b 100644
+--- a/drivers/gpu/host1x/Kconfig
++++ b/drivers/gpu/host1x/Kconfig
+@@ -2,6 +2,7 @@
+ config TEGRA_HOST1X
+       tristate "NVIDIA Tegra host1x driver"
+       depends on ARCH_TEGRA || (ARM && COMPILE_TEST)
++      select DMA_SHARED_BUFFER
+       select IOMMU_IOVA
+       help
+         Driver for the NVIDIA Tegra host1x hardware.
+-- 
+2.34.1
+
diff --git a/queue-5.16/habanalabs-change-wait-for-interrupt-timeout-to-64-b.patch b/queue-5.16/habanalabs-change-wait-for-interrupt-timeout-to-64-b.patch
new file mode 100644 (file)
index 0000000..b236d17
--- /dev/null
@@ -0,0 +1,96 @@
+From 69bf87ab701d014439db15a076012438516b6be5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 22:38:41 +0300
+Subject: habanalabs: change wait for interrupt timeout to 64 bit
+
+From: Dani Liberman <dliberman@habana.ai>
+
+[ Upstream commit 48f31169830f589e4c7ac475ccc7414951ded3f0 ]
+
+In order to increase maximum wait-for-interrupt timeout, change it
+to 64 bit variable. This wait is used only by newer ASICs, so no
+problem in changing this interface at this time.
+
+Signed-off-by: Dani Liberman <dliberman@habana.ai>
+Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../habanalabs/common/command_submission.c    | 22 ++++++++++++++-----
+ include/uapi/misc/habanalabs.h                | 18 +++++++++------
+ 2 files changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/common/command_submission.c b/drivers/misc/habanalabs/common/command_submission.c
+index 4c8000fd246cd..9451e4bae05df 100644
+--- a/drivers/misc/habanalabs/common/command_submission.c
++++ b/drivers/misc/habanalabs/common/command_submission.c
+@@ -2765,8 +2765,23 @@ static int hl_cs_wait_ioctl(struct hl_fpriv *hpriv, void *data)
+       return 0;
+ }
++static inline unsigned long hl_usecs64_to_jiffies(const u64 usecs)
++{
++      if (usecs <= U32_MAX)
++              return usecs_to_jiffies(usecs);
++
++      /*
++       * If the value in nanoseconds is larger than 64 bit, use the largest
++       * 64 bit value.
++       */
++      if (usecs >= ((u64)(U64_MAX / NSEC_PER_USEC)))
++              return nsecs_to_jiffies(U64_MAX);
++
++      return nsecs_to_jiffies(usecs * NSEC_PER_USEC);
++}
++
+ static int _hl_interrupt_wait_ioctl(struct hl_device *hdev, struct hl_ctx *ctx,
+-                              u32 timeout_us, u64 user_address,
++                              u64 timeout_us, u64 user_address,
+                               u64 target_value, u16 interrupt_offset,
+                               enum hl_cs_wait_status *status,
+                               u64 *timestamp)
+@@ -2778,10 +2793,7 @@ static int _hl_interrupt_wait_ioctl(struct hl_device *hdev, struct hl_ctx *ctx,
+       long completion_rc;
+       int rc = 0;
+-      if (timeout_us == U32_MAX)
+-              timeout = timeout_us;
+-      else
+-              timeout = usecs_to_jiffies(timeout_us);
++      timeout = hl_usecs64_to_jiffies(timeout_us);
+       hl_ctx_get(hdev, ctx);
+diff --git a/include/uapi/misc/habanalabs.h b/include/uapi/misc/habanalabs.h
+index 00b3095904995..c5760acebdd1d 100644
+--- a/include/uapi/misc/habanalabs.h
++++ b/include/uapi/misc/habanalabs.h
+@@ -911,14 +911,18 @@ struct hl_wait_cs_in {
+        */
+       __u32 flags;
+-      /* Multi CS API info- valid entries in multi-CS array */
+-      __u8 seq_arr_len;
+-      __u8 pad[3];
++      union {
++              struct {
++                      /* Multi CS API info- valid entries in multi-CS array */
++                      __u8 seq_arr_len;
++                      __u8 pad[7];
++              };
+-      /* Absolute timeout to wait for an interrupt in microseconds.
+-       * Relevant only when HL_WAIT_CS_FLAGS_INTERRUPT is set
+-       */
+-      __u32 interrupt_timeout_us;
++              /* Absolute timeout to wait for an interrupt in microseconds.
++               * Relevant only when HL_WAIT_CS_FLAGS_INTERRUPT is set
++               */
++              __u64 interrupt_timeout_us;
++      };
+ };
+ #define HL_WAIT_CS_STATUS_COMPLETED   0
+-- 
+2.34.1
+
diff --git a/queue-5.16/habanalabs-skip-read-fw-errors-if-dynamic-descriptor.patch b/queue-5.16/habanalabs-skip-read-fw-errors-if-dynamic-descriptor.patch
new file mode 100644 (file)
index 0000000..c9e6345
--- /dev/null
@@ -0,0 +1,96 @@
+From 1d55a461724eabb30af064217eeed7503ae9a2bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 12:23:51 +0200
+Subject: habanalabs: skip read fw errors if dynamic descriptor invalid
+
+From: Ohad Sharabi <osharabi@habana.ai>
+
+[ Upstream commit 4fac990f604e6c10538026835a8a30f3c1b6fcf5 ]
+
+Reporting FW errors involves reading of the error registers.
+
+In case we have a corrupted FW descriptor we cannot do that since the
+dynamic scratchpad is potentially corrupted as well and may cause kernel
+crush when attempting access to a corrupted register offset.
+
+Signed-off-by: Ohad Sharabi <osharabi@habana.ai>
+Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/common/firmware_if.c | 17 +++++++++++++++--
+ drivers/misc/habanalabs/common/habanalabs.h  |  2 ++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c
+index 4e68fb9d2a6bd..67a0be4573710 100644
+--- a/drivers/misc/habanalabs/common/firmware_if.c
++++ b/drivers/misc/habanalabs/common/firmware_if.c
+@@ -1703,6 +1703,9 @@ static int hl_fw_dynamic_validate_descriptor(struct hl_device *hdev,
+               return rc;
+       }
++      /* here we can mark the descriptor as valid as the content has been validated */
++      fw_loader->dynamic_loader.fw_desc_valid = true;
++
+       return 0;
+ }
+@@ -1759,7 +1762,13 @@ static int hl_fw_dynamic_read_and_validate_descriptor(struct hl_device *hdev,
+               return rc;
+       }
+-      /* extract address copy the descriptor from */
++      /*
++       * extract address to copy the descriptor from
++       * in addition, as the descriptor value is going to be over-ridden by new data- we mark it
++       * as invalid.
++       * it will be marked again as valid once validated
++       */
++      fw_loader->dynamic_loader.fw_desc_valid = false;
+       src = hdev->pcie_bar[region->bar_id] + region->offset_in_bar +
+                                                       response->ram_offset;
+       memcpy_fromio(fw_desc, src, sizeof(struct lkd_fw_comms_desc));
+@@ -2247,6 +2256,9 @@ static int hl_fw_dynamic_init_cpu(struct hl_device *hdev,
+       dev_info(hdev->dev,
+               "Loading firmware to device, may take some time...\n");
++      /* initialize FW descriptor as invalid */
++      fw_loader->dynamic_loader.fw_desc_valid = false;
++
+       /*
+        * In this stage, "cpu_dyn_regs" contains only LKD's hard coded values!
+        * It will be updated from FW after hl_fw_dynamic_request_descriptor().
+@@ -2333,7 +2345,8 @@ static int hl_fw_dynamic_init_cpu(struct hl_device *hdev,
+       return 0;
+ protocol_err:
+-      fw_read_errors(hdev, le32_to_cpu(dyn_regs->cpu_boot_err0),
++      if (fw_loader->dynamic_loader.fw_desc_valid)
++              fw_read_errors(hdev, le32_to_cpu(dyn_regs->cpu_boot_err0),
+                               le32_to_cpu(dyn_regs->cpu_boot_err1),
+                               le32_to_cpu(dyn_regs->cpu_boot_dev_sts0),
+                               le32_to_cpu(dyn_regs->cpu_boot_dev_sts1));
+diff --git a/drivers/misc/habanalabs/common/habanalabs.h b/drivers/misc/habanalabs/common/habanalabs.h
+index a2002cbf794b5..ba0965667b182 100644
+--- a/drivers/misc/habanalabs/common/habanalabs.h
++++ b/drivers/misc/habanalabs/common/habanalabs.h
+@@ -1010,6 +1010,7 @@ struct fw_response {
+  * @image_region: region to copy the FW image to
+  * @fw_image_size: size of FW image to load
+  * @wait_for_bl_timeout: timeout for waiting for boot loader to respond
++ * @fw_desc_valid: true if FW descriptor has been validated and hence the data can be used
+  */
+ struct dynamic_fw_load_mgr {
+       struct fw_response response;
+@@ -1017,6 +1018,7 @@ struct dynamic_fw_load_mgr {
+       struct pci_mem_region *image_region;
+       size_t fw_image_size;
+       u32 wait_for_bl_timeout;
++      bool fw_desc_valid;
+ };
+ /**
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch b/queue-5.16/hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch
new file mode 100644 (file)
index 0000000..4ca4196
--- /dev/null
@@ -0,0 +1,38 @@
+From 4893135ab98813c445428b15e2acae63277f535f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 08:29:53 +0100
+Subject: HID: apple: Do not reset quirks when the Fn key is not found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit a5fe7864d8ada170f19cc47d176bf8260ffb4263 ]
+
+When a keyboard without a function key is detected, instead of removing
+all quirks, remove only the APPLE_HAS_FN quirk.
+
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-apple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index 2c9c5faa74a97..a4ca5ed00e5f5 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -428,7 +428,7 @@ static int apple_input_configured(struct hid_device *hdev,
+       if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found) {
+               hid_info(hdev, "Fn key not found (Apple Wireless Keyboard clone?), disabling Fn key handling\n");
+-              asc->quirks = 0;
++              asc->quirks &= ~APPLE_HAS_FN;
+       }
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch b/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch
new file mode 100644 (file)
index 0000000..71aed3c
--- /dev/null
@@ -0,0 +1,62 @@
+From ea4e1e5bf4c9d04dfe510ed78081521616f42dd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 18:29:12 +0100
+Subject: HID: hid-uclogic-params: Invalid parameter check in
+ uclogic_params_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit f364c571a5c77e96de2d32062ff019d6b8d2e2bc ]
+
+The function performs a check on its input parameters, however, the
+hdev parameter is used before the check.
+
+Initialize the stack variables after checking the input parameters to
+avoid a possible NULL pointer dereference.
+
+Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
+Addresses-Coverity-ID: 1443831 ("Null pointer dereference")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-params.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
+index adff1bd68d9f8..3c10b858cf74c 100644
+--- a/drivers/hid/hid-uclogic-params.c
++++ b/drivers/hid/hid-uclogic-params.c
+@@ -834,10 +834,10 @@ int uclogic_params_init(struct uclogic_params *params,
+                       struct hid_device *hdev)
+ {
+       int rc;
+-      struct usb_device *udev = hid_to_usb_dev(hdev);
+-      __u8  bNumInterfaces = udev->config->desc.bNumInterfaces;
+-      struct usb_interface *iface = to_usb_interface(hdev->dev.parent);
+-      __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
++      struct usb_device *udev;
++      __u8  bNumInterfaces;
++      struct usb_interface *iface;
++      __u8 bInterfaceNumber;
+       bool found;
+       /* The resulting parameters (noop) */
+       struct uclogic_params p = {0, };
+@@ -848,6 +848,11 @@ int uclogic_params_init(struct uclogic_params *params,
+               goto cleanup;
+       }
++      udev = hid_to_usb_dev(hdev);
++      bNumInterfaces = udev->config->desc.bNumInterfaces;
++      iface = to_usb_interface(hdev->dev.parent);
++      bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
++
+       /*
+        * Set replacement report descriptor if the original matches the
+        * specified size. Otherwise keep interface unchanged.
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-15288 b/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-15288
new file mode 100644 (file)
index 0000000..fc57904
--- /dev/null
@@ -0,0 +1,53 @@
+From 9cf7b95bac55a2a385eb58494590e374efd4f38d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 18:29:13 +0100
+Subject: HID: hid-uclogic-params: Invalid parameter check in
+ uclogic_params_get_str_desc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 0a94131d6920916ccb6a357037c535533af08819 ]
+
+The function performs a check on the hdev input parameters, however, it
+is used before the check.
+
+Initialize the udev variable after the sanity check to avoid a
+possible NULL pointer dereference.
+
+Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
+Addresses-Coverity-ID: 1443827 ("Null pointer dereference")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-params.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
+index 3c10b858cf74c..3a83e2c39b4fb 100644
+--- a/drivers/hid/hid-uclogic-params.c
++++ b/drivers/hid/hid-uclogic-params.c
+@@ -66,7 +66,7 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev,
+                                       __u8 idx, size_t len)
+ {
+       int rc;
+-      struct usb_device *udev = hid_to_usb_dev(hdev);
++      struct usb_device *udev;
+       __u8 *buf = NULL;
+       /* Check arguments */
+@@ -75,6 +75,8 @@ static int uclogic_params_get_str_desc(__u8 **pbuf, struct hid_device *hdev,
+               goto cleanup;
+       }
++      udev = hid_to_usb_dev(hdev);
++
+       buf = kmalloc(len, GFP_KERNEL);
+       if (buf == NULL) {
+               rc = -ENOMEM;
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-31258 b/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-31258
new file mode 100644 (file)
index 0000000..7f1ed5e
--- /dev/null
@@ -0,0 +1,59 @@
+From 059fc61e74220a3beaf1174e2c41a86666535105 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 18:29:14 +0100
+Subject: HID: hid-uclogic-params: Invalid parameter check in
+ uclogic_params_huion_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit ff6b548afe4d9d1ff3a0f6ef79e8cbca25d8f905 ]
+
+The function performs a check on its input parameters, however, the
+hdev parameter is used before the check.
+
+Initialize the stack variables after checking the input parameters to
+avoid a possible NULL pointer dereference.
+
+Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
+Addresses-Coverity-ID: 1443804 ("Null pointer dereference")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-params.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
+index 3a83e2c39b4fb..4136837e4d158 100644
+--- a/drivers/hid/hid-uclogic-params.c
++++ b/drivers/hid/hid-uclogic-params.c
+@@ -709,9 +709,9 @@ static int uclogic_params_huion_init(struct uclogic_params *params,
+                                    struct hid_device *hdev)
+ {
+       int rc;
+-      struct usb_device *udev = hid_to_usb_dev(hdev);
+-      struct usb_interface *iface = to_usb_interface(hdev->dev.parent);
+-      __u8 bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
++      struct usb_device *udev;
++      struct usb_interface *iface;
++      __u8 bInterfaceNumber;
+       bool found;
+       /* The resulting parameters (noop) */
+       struct uclogic_params p = {0, };
+@@ -725,6 +725,10 @@ static int uclogic_params_huion_init(struct uclogic_params *params,
+               goto cleanup;
+       }
++      udev = hid_to_usb_dev(hdev);
++      iface = to_usb_interface(hdev->dev.parent);
++      bInterfaceNumber = iface->cur_altsetting->desc.bInterfaceNumber;
++
+       /* If it's not a pen interface */
+       if (bInterfaceNumber != 0) {
+               /* TODO: Consider marking the interface invalid */
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-6488 b/queue-5.16/hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-6488
new file mode 100644 (file)
index 0000000..9738c1f
--- /dev/null
@@ -0,0 +1,53 @@
+From b67edd412607eb7241fec488a8e8e70395bb7664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 18:29:15 +0100
+Subject: HID: hid-uclogic-params: Invalid parameter check in
+ uclogic_params_frame_init_v1_buttonpad
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit aa320fdbbbb482c19100f51461bd0069753ce3d7 ]
+
+The function performs a check on the hdev input parameters, however, it
+is used before the check.
+
+Initialize the udev variable after the sanity check to avoid a
+possible NULL pointer dereference.
+
+Fixes: 9614219e9310e ("HID: uclogic: Extract tablet parameter discovery into a module")
+Addresses-Coverity-ID: 1443763 ("Null pointer dereference")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-params.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
+index 4136837e4d158..3e70f969fb849 100644
+--- a/drivers/hid/hid-uclogic-params.c
++++ b/drivers/hid/hid-uclogic-params.c
+@@ -452,7 +452,7 @@ static int uclogic_params_frame_init_v1_buttonpad(
+ {
+       int rc;
+       bool found = false;
+-      struct usb_device *usb_dev = hid_to_usb_dev(hdev);
++      struct usb_device *usb_dev;
+       char *str_buf = NULL;
+       const size_t str_len = 16;
+@@ -462,6 +462,8 @@ static int uclogic_params_frame_init_v1_buttonpad(
+               goto cleanup;
+       }
++      usb_dev = hid_to_usb_dev(hdev);
++
+       /*
+        * Enable generic button mode
+        */
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-i2c-hid-of-expose-the-touchscreen-inverted-prope.patch b/queue-5.16/hid-i2c-hid-of-expose-the-touchscreen-inverted-prope.patch
new file mode 100644 (file)
index 0000000..dd8691d
--- /dev/null
@@ -0,0 +1,140 @@
+From 3d8464e04baa5ded625b93579afd403fa2f0260c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 22:40:44 +1000
+Subject: HID: i2c-hid-of: Expose the touchscreen-inverted properties
+
+From: Alistair Francis <alistair@alistair23.me>
+
+[ Upstream commit b60d3c803d7603432a08aeaf988aff53b3a5ec64 ]
+
+Allow the touchscreen-inverted-x/y device tree properties to control the
+HID_QUIRK_X_INVERT/HID_QUIRK_Y_INVERT quirks for the hid-input device.
+
+Signed-off-by: Alistair Francis <alistair@alistair23.me>
+Acked-by: Rob Herring <robh@kernel.org>
+[bentiss: silence checkpatch warnings]
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20211208124045.61815-3-alistair@alistair23.me
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/input/hid-over-i2c.txt         |  2 ++
+ drivers/hid/i2c-hid/i2c-hid-acpi.c                     |  2 +-
+ drivers/hid/i2c-hid/i2c-hid-core.c                     |  4 +++-
+ drivers/hid/i2c-hid/i2c-hid-of-goodix.c                |  2 +-
+ drivers/hid/i2c-hid/i2c-hid-of.c                       | 10 +++++++++-
+ drivers/hid/i2c-hid/i2c-hid.h                          |  2 +-
+ 6 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/input/hid-over-i2c.txt b/Documentation/devicetree/bindings/input/hid-over-i2c.txt
+index c76bafaf98d2f..34c43d3bddfd1 100644
+--- a/Documentation/devicetree/bindings/input/hid-over-i2c.txt
++++ b/Documentation/devicetree/bindings/input/hid-over-i2c.txt
+@@ -32,6 +32,8 @@ device-specific compatible properties, which should be used in addition to the
+ - vdd-supply: phandle of the regulator that provides the supply voltage.
+ - post-power-on-delay-ms: time required by the device after enabling its regulators
+   or powering it on, before it is ready for communication.
++- touchscreen-inverted-x: See touchscreen.txt
++- touchscreen-inverted-y: See touchscreen.txt
+ Example:
+diff --git a/drivers/hid/i2c-hid/i2c-hid-acpi.c b/drivers/hid/i2c-hid/i2c-hid-acpi.c
+index a6f0257a26de3..b96ae15e0ad91 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-acpi.c
++++ b/drivers/hid/i2c-hid/i2c-hid-acpi.c
+@@ -111,7 +111,7 @@ static int i2c_hid_acpi_probe(struct i2c_client *client)
+       }
+       return i2c_hid_core_probe(client, &ihid_acpi->ops,
+-                                hid_descriptor_address);
++                                hid_descriptor_address, 0);
+ }
+ static const struct acpi_device_id i2c_hid_acpi_match[] = {
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index 517141138b007..4804d71e5293a 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -912,7 +912,7 @@ static void i2c_hid_core_shutdown_tail(struct i2c_hid *ihid)
+ }
+ int i2c_hid_core_probe(struct i2c_client *client, struct i2chid_ops *ops,
+-                     u16 hid_descriptor_address)
++                     u16 hid_descriptor_address, u32 quirks)
+ {
+       int ret;
+       struct i2c_hid *ihid;
+@@ -1009,6 +1009,8 @@ int i2c_hid_core_probe(struct i2c_client *client, struct i2chid_ops *ops,
+               goto err_mem_free;
+       }
++      hid->quirks |= quirks;
++
+       return 0;
+ err_mem_free:
+diff --git a/drivers/hid/i2c-hid/i2c-hid-of-goodix.c b/drivers/hid/i2c-hid/i2c-hid-of-goodix.c
+index 52674149a2750..b4dad66fa954d 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-of-goodix.c
++++ b/drivers/hid/i2c-hid/i2c-hid-of-goodix.c
+@@ -150,7 +150,7 @@ static int i2c_hid_of_goodix_probe(struct i2c_client *client,
+               goodix_i2c_hid_deassert_reset(ihid_goodix, true);
+       mutex_unlock(&ihid_goodix->regulator_mutex);
+-      return i2c_hid_core_probe(client, &ihid_goodix->ops, 0x0001);
++      return i2c_hid_core_probe(client, &ihid_goodix->ops, 0x0001, 0);
+ }
+ static const struct goodix_i2c_hid_timing_data goodix_gt7375p_timing_data = {
+diff --git a/drivers/hid/i2c-hid/i2c-hid-of.c b/drivers/hid/i2c-hid/i2c-hid-of.c
+index 4bf7cea926379..97a27a803f58d 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-of.c
++++ b/drivers/hid/i2c-hid/i2c-hid-of.c
+@@ -21,6 +21,7 @@
+ #include <linux/delay.h>
+ #include <linux/device.h>
++#include <linux/hid.h>
+ #include <linux/i2c.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+@@ -71,6 +72,7 @@ static int i2c_hid_of_probe(struct i2c_client *client,
+       struct device *dev = &client->dev;
+       struct i2c_hid_of *ihid_of;
+       u16 hid_descriptor_address;
++      u32 quirks = 0;
+       int ret;
+       u32 val;
+@@ -105,8 +107,14 @@ static int i2c_hid_of_probe(struct i2c_client *client,
+       if (ret)
+               return ret;
++      if (device_property_read_bool(dev, "touchscreen-inverted-x"))
++              quirks |= HID_QUIRK_X_INVERT;
++
++      if (device_property_read_bool(dev, "touchscreen-inverted-y"))
++              quirks |= HID_QUIRK_Y_INVERT;
++
+       return i2c_hid_core_probe(client, &ihid_of->ops,
+-                                hid_descriptor_address);
++                                hid_descriptor_address, quirks);
+ }
+ static const struct of_device_id i2c_hid_of_match[] = {
+diff --git a/drivers/hid/i2c-hid/i2c-hid.h b/drivers/hid/i2c-hid/i2c-hid.h
+index 05a7827d211af..236cc062d5ef8 100644
+--- a/drivers/hid/i2c-hid/i2c-hid.h
++++ b/drivers/hid/i2c-hid/i2c-hid.h
+@@ -32,7 +32,7 @@ struct i2chid_ops {
+ };
+ int i2c_hid_core_probe(struct i2c_client *client, struct i2chid_ops *ops,
+-                     u16 hid_descriptor_address);
++                     u16 hid_descriptor_address, u32 quirks);
+ int i2c_hid_core_remove(struct i2c_client *client);
+ void i2c_hid_core_shutdown(struct i2c_client *client);
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-magicmouse-report-battery-level-over-usb.patch b/queue-5.16/hid-magicmouse-report-battery-level-over-usb.patch
new file mode 100644 (file)
index 0000000..ec3a829
--- /dev/null
@@ -0,0 +1,189 @@
+From 3e5de2ad4fba2dea9becd9b827a777fc34274738 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 17:52:08 +0100
+Subject: HID: magicmouse: Report battery level over USB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 0b91b4e4dae63cd43871fc2012370b86ee588f91 ]
+
+When connected over USB, the Apple Magic Mouse 2 and the Apple Magic
+Trackpad 2 register multiple interfaces, one of them is used to report
+the battery level.
+
+However, unlike when connected over Bluetooth, the battery level is not
+reported automatically and it is required to fetch it manually.
+
+Fix the battery report descriptor and add a timer to fetch the battery
+level.
+
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-magicmouse.c | 94 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 88 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c
+index d7687ce706144..eba1e8087bfd1 100644
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -57,6 +57,8 @@ MODULE_PARM_DESC(report_undeciphered, "Report undeciphered multi-touch state fie
+ #define MOUSE_REPORT_ID    0x29
+ #define MOUSE2_REPORT_ID   0x12
+ #define DOUBLE_REPORT_ID   0xf7
++#define USB_BATTERY_TIMEOUT_MS 60000
++
+ /* These definitions are not precise, but they're close enough.  (Bits
+  * 0x03 seem to indicate the aspect ratio of the touch, bits 0x70 seem
+  * to be some kind of bit mask -- 0x20 may be a near-field reading,
+@@ -140,6 +142,7 @@ struct magicmouse_sc {
+       struct hid_device *hdev;
+       struct delayed_work work;
++      struct timer_list battery_timer;
+ };
+ static int magicmouse_firm_touch(struct magicmouse_sc *msc)
+@@ -738,6 +741,44 @@ static void magicmouse_enable_mt_work(struct work_struct *work)
+               hid_err(msc->hdev, "unable to request touch data (%d)\n", ret);
+ }
++static int magicmouse_fetch_battery(struct hid_device *hdev)
++{
++#ifdef CONFIG_HID_BATTERY_STRENGTH
++      struct hid_report_enum *report_enum;
++      struct hid_report *report;
++
++      if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE ||
++          (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 &&
++           hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2))
++              return -1;
++
++      report_enum = &hdev->report_enum[hdev->battery_report_type];
++      report = report_enum->report_id_hash[hdev->battery_report_id];
++
++      if (!report || report->maxfield < 1)
++              return -1;
++
++      if (hdev->battery_capacity == hdev->battery_max)
++              return -1;
++
++      hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
++      return 0;
++#else
++      return -1;
++#endif
++}
++
++static void magicmouse_battery_timer_tick(struct timer_list *t)
++{
++      struct magicmouse_sc *msc = from_timer(msc, t, battery_timer);
++      struct hid_device *hdev = msc->hdev;
++
++      if (magicmouse_fetch_battery(hdev) == 0) {
++              mod_timer(&msc->battery_timer,
++                        jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
++      }
++}
++
+ static int magicmouse_probe(struct hid_device *hdev,
+       const struct hid_device_id *id)
+ {
+@@ -745,11 +786,6 @@ static int magicmouse_probe(struct hid_device *hdev,
+       struct hid_report *report;
+       int ret;
+-      if (id->vendor == USB_VENDOR_ID_APPLE &&
+-          id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 &&
+-          hdev->type != HID_TYPE_USBMOUSE)
+-              return -ENODEV;
+-
+       msc = devm_kzalloc(&hdev->dev, sizeof(*msc), GFP_KERNEL);
+       if (msc == NULL) {
+               hid_err(hdev, "can't alloc magicmouse descriptor\n");
+@@ -775,6 +811,16 @@ static int magicmouse_probe(struct hid_device *hdev,
+               return ret;
+       }
++      timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
++      mod_timer(&msc->battery_timer,
++                jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
++      magicmouse_fetch_battery(hdev);
++
++      if (id->vendor == USB_VENDOR_ID_APPLE &&
++          (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
++           (id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && hdev->type != HID_TYPE_USBMOUSE)))
++              return 0;
++
+       if (!msc->input) {
+               hid_err(hdev, "magicmouse input not registered\n");
+               ret = -ENOMEM;
+@@ -835,17 +881,52 @@ static void magicmouse_remove(struct hid_device *hdev)
+ {
+       struct magicmouse_sc *msc = hid_get_drvdata(hdev);
+-      if (msc)
++      if (msc) {
+               cancel_delayed_work_sync(&msc->work);
++              del_timer_sync(&msc->battery_timer);
++      }
+       hid_hw_stop(hdev);
+ }
++static __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc,
++                                   unsigned int *rsize)
++{
++      /*
++       * Change the usage from:
++       *   0x06, 0x00, 0xff, // Usage Page (Vendor Defined Page 1)  0
++       *   0x09, 0x0b,       // Usage (Vendor Usage 0x0b)           3
++       * To:
++       *   0x05, 0x01,       // Usage Page (Generic Desktop)        0
++       *   0x09, 0x02,       // Usage (Mouse)                       2
++       */
++      if (hdev->vendor == USB_VENDOR_ID_APPLE &&
++          (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
++           hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2) &&
++          *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) {
++              hid_info(hdev,
++                       "fixing up magicmouse battery report descriptor\n");
++              *rsize = *rsize - 1;
++              rdesc = kmemdup(rdesc + 1, *rsize, GFP_KERNEL);
++              if (!rdesc)
++                      return NULL;
++
++              rdesc[0] = 0x05;
++              rdesc[1] = 0x01;
++              rdesc[2] = 0x09;
++              rdesc[3] = 0x02;
++      }
++
++      return rdesc;
++}
++
+ static const struct hid_device_id magic_mice[] = {
+       { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
+               USB_DEVICE_ID_APPLE_MAGICMOUSE), .driver_data = 0 },
+       { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE,
+               USB_DEVICE_ID_APPLE_MAGICMOUSE2), .driver_data = 0 },
++      { HID_USB_DEVICE(USB_VENDOR_ID_APPLE,
++              USB_DEVICE_ID_APPLE_MAGICMOUSE2), .driver_data = 0 },
+       { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE,
+               USB_DEVICE_ID_APPLE_MAGICTRACKPAD), .driver_data = 0 },
+       { HID_BLUETOOTH_DEVICE(BT_VENDOR_ID_APPLE,
+@@ -861,6 +942,7 @@ static struct hid_driver magicmouse_driver = {
+       .id_table = magic_mice,
+       .probe = magicmouse_probe,
+       .remove = magicmouse_remove,
++      .report_fixup = magicmouse_report_fixup,
+       .raw_event = magicmouse_raw_event,
+       .event = magicmouse_event,
+       .input_mapping = magicmouse_input_mapping,
+-- 
+2.34.1
+
diff --git a/queue-5.16/hid-quirks-allow-inverting-the-absolute-x-y-values.patch b/queue-5.16/hid-quirks-allow-inverting-the-absolute-x-y-values.patch
new file mode 100644 (file)
index 0000000..09ce826
--- /dev/null
@@ -0,0 +1,55 @@
+From aa516f156cd5c0680a7c860976b9ba588369dd7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 22:40:43 +1000
+Subject: HID: quirks: Allow inverting the absolute X/Y values
+
+From: Alistair Francis <alistair@alistair23.me>
+
+[ Upstream commit fd8d135b2c5e88662f2729e034913f183455a667 ]
+
+Add a HID_QUIRK_X_INVERT/HID_QUIRK_Y_INVERT quirk that can be used
+to invert the X/Y values.
+
+Signed-off-by: Alistair Francis <alistair@alistair23.me>
+[bentiss: silence checkpatch warning]
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20211208124045.61815-2-alistair@alistair23.me
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 6 ++++++
+ include/linux/hid.h     | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index ca47682cc7307..87fee137ff65e 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1335,6 +1335,12 @@ void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct
+       input = field->hidinput->input;
++      if (usage->type == EV_ABS &&
++          (((*quirks & HID_QUIRK_X_INVERT) && usage->code == ABS_X) ||
++           ((*quirks & HID_QUIRK_Y_INVERT) && usage->code == ABS_Y))) {
++              value = field->logical_maximum - value;
++      }
++
+       if (usage->hat_min < usage->hat_max || usage->hat_dir) {
+               int hat_dir = usage->hat_dir;
+               if (!hat_dir)
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index f453be385bd47..26742ca14609a 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -349,6 +349,8 @@ struct hid_item {
+ /* BIT(9) reserved for backward compatibility, was NO_INIT_INPUT_REPORTS */
+ #define HID_QUIRK_ALWAYS_POLL                 BIT(10)
+ #define HID_QUIRK_INPUT_PER_APP                       BIT(11)
++#define HID_QUIRK_X_INVERT                    BIT(12)
++#define HID_QUIRK_Y_INVERT                    BIT(13)
+ #define HID_QUIRK_SKIP_OUTPUT_REPORTS         BIT(16)
+ #define HID_QUIRK_SKIP_OUTPUT_REPORT_ID               BIT(17)
+ #define HID_QUIRK_NO_OUTPUT_REPORTS_ON_INTR_EP        BIT(18)
+-- 
+2.34.1
+
diff --git a/queue-5.16/hsi-core-fix-return-freed-object-in-hsi_new_client.patch b/queue-5.16/hsi-core-fix-return-freed-object-in-hsi_new_client.patch
new file mode 100644 (file)
index 0000000..70fd090
--- /dev/null
@@ -0,0 +1,35 @@
+From 7ce2d1e03fb9d8937f2f399109df6a720288e195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 06:45:07 -0700
+Subject: HSI: core: Fix return freed object in hsi_new_client
+
+From: Chengfeng Ye <cyeaa@connect.ust.hk>
+
+[ Upstream commit a1ee1c08fcd5af03187dcd41dcab12fd5b379555 ]
+
+cl is freed on error of calling device_register, but this
+object is return later, which will cause uaf issue. Fix it
+by return NULL on error.
+
+Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/hsi_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c
+index ec90713564e32..884066109699c 100644
+--- a/drivers/hsi/hsi_core.c
++++ b/drivers/hsi/hsi_core.c
+@@ -102,6 +102,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port,
+       if (device_register(&cl->device) < 0) {
+               pr_err("hsi: failed to register client: %s\n", info->name);
+               put_device(&cl->device);
++              goto err;
+       }
+       return cl;
+-- 
+2.34.1
+
diff --git a/queue-5.16/hugetlbfs-fix-off-by-one-error-in-hugetlb_vmdelete_l.patch b/queue-5.16/hugetlbfs-fix-off-by-one-error-in-hugetlb_vmdelete_l.patch
new file mode 100644 (file)
index 0000000..e89de54
--- /dev/null
@@ -0,0 +1,63 @@
+From 851ca5f7cb884e7954561d73ea2e30aadd51c7d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:08:30 -0800
+Subject: hugetlbfs: fix off-by-one error in hugetlb_vmdelete_list()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit d6aba4c8e20d4d2bf65d589953f6d891c178f3a3 ]
+
+Pass "end - 1" instead of "end" when walking the interval tree in
+hugetlb_vmdelete_list() to fix an inclusive vs.  exclusive bug.  The two
+callers that pass a non-zero "end" treat it as exclusive, whereas the
+interval tree iterator expects an inclusive "last".  E.g.  punching a
+hole in a file that precisely matches the size of a single hugepage,
+with a vma starting right on the boundary, will result in
+unmap_hugepage_range() being called twice, with the second call having
+start==end.
+
+The off-by-one error doesn't cause functional problems as
+__unmap_hugepage_range() turns into a massive nop due to
+short-circuiting its for-loop on "address < end".  But, the mmu_notifier
+invocations to invalid_range_{start,end}() are passed a bogus zero-sized
+range, which may be unexpected behavior for secondary MMUs.
+
+The bug was exposed by commit ed922739c919 ("KVM: Use interval tree to
+do fast hva lookup in memslots"), currently queued in the KVM tree for
+5.17, which added a WARN to detect ranges with start==end.
+
+Link: https://lkml.kernel.org/r/20211228234257.1926057-1-seanjc@google.com
+Fixes: 1bfad99ab425 ("hugetlbfs: hugetlb_vmtruncate_list() needs to take a range to delete")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reported-by: syzbot+4e697fe80a31aa7efe21@syzkaller.appspotmail.com
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hugetlbfs/inode.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
+index 49d2e686be740..a7c6c7498be0b 100644
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -409,10 +409,11 @@ hugetlb_vmdelete_list(struct rb_root_cached *root, pgoff_t start, pgoff_t end)
+       struct vm_area_struct *vma;
+       /*
+-       * end == 0 indicates that the entire range after
+-       * start should be unmapped.
++       * end == 0 indicates that the entire range after start should be
++       * unmapped.  Note, end is exclusive, whereas the interval tree takes
++       * an inclusive "last".
+        */
+-      vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
++      vma_interval_tree_foreach(vma, root, start, end ? end - 1 : ULONG_MAX) {
+               unsigned long v_offset;
+               unsigned long v_end;
+-- 
+2.34.1
+
diff --git a/queue-5.16/hwmon-mr75203-fix-wrong-power-up-delay-value.patch b/queue-5.16/hwmon-mr75203-fix-wrong-power-up-delay-value.patch
new file mode 100644 (file)
index 0000000..43254c5
--- /dev/null
@@ -0,0 +1,39 @@
+From caebc9ab499768bb6a4ba863eee8117d1ac8e043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 13:22:39 +0300
+Subject: hwmon: (mr75203) fix wrong power-up delay value
+
+From: Arseny Demidov <arsdemal@gmail.com>
+
+[ Upstream commit a8d6d4992ad9d92356619ac372906bd29687bb46 ]
+
+In the file mr75203.c we have a macro named POWER_DELAY_CYCLE_256,
+the correct value should be 0x100. The register ip_tmr is expressed
+in units of IP clk cycles, in accordance with the datasheet.
+Typical power-up delays for Temperature Sensor are 256 cycles i.e. 0x100.
+
+Fixes: 9d823351a337 ("hwmon: Add hardware monitoring driver for Moortec MR75203 PVT controller")
+Signed-off-by: Arseny Demidov <a.demidov@yadro.com>
+Link: https://lore.kernel.org/r/20211219102239.1112-1-a.demidov@yadro.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/mr75203.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/mr75203.c b/drivers/hwmon/mr75203.c
+index 868243dba1ee0..1ba1e31459690 100644
+--- a/drivers/hwmon/mr75203.c
++++ b/drivers/hwmon/mr75203.c
+@@ -93,7 +93,7 @@
+ #define VM_CH_REQ     BIT(21)
+ #define IP_TMR                        0x05
+-#define POWER_DELAY_CYCLE_256 0x80
++#define POWER_DELAY_CYCLE_256 0x100
+ #define POWER_DELAY_CYCLE_64  0x40
+ #define PVT_POLL_DELAY_US     20
+-- 
+2.34.1
+
diff --git a/queue-5.16/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch b/queue-5.16/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch
new file mode 100644 (file)
index 0000000..ddab899
--- /dev/null
@@ -0,0 +1,45 @@
+From 07664b45e91a1f54ca8694fa0f6cd976e1e595bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 17:12:01 +0200
+Subject: i2c: designware-pci: Fix to change data types of hcnt and lcnt
+ parameters
+
+From: Lakshmi Sowjanya D <lakshmi.sowjanya.d@intel.com>
+
+[ Upstream commit d52097010078c1844348dc0e467305e5f90fd317 ]
+
+The data type of hcnt and lcnt in the struct dw_i2c_dev is of type u16.
+It's better to have same data type in struct dw_scl_sda_cfg as well.
+
+Reported-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Lakshmi Sowjanya D <lakshmi.sowjanya.d@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c
+index 0f409a4c2da0d..5b45941bcbddc 100644
+--- a/drivers/i2c/busses/i2c-designware-pcidrv.c
++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c
+@@ -39,10 +39,10 @@ enum dw_pci_ctl_id_t {
+ };
+ struct dw_scl_sda_cfg {
+-      u32 ss_hcnt;
+-      u32 fs_hcnt;
+-      u32 ss_lcnt;
+-      u32 fs_lcnt;
++      u16 ss_hcnt;
++      u16 fs_hcnt;
++      u16 ss_lcnt;
++      u16 fs_lcnt;
+       u32 sda_hold;
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch b/queue-5.16/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch
new file mode 100644 (file)
index 0000000..8cabd2a
--- /dev/null
@@ -0,0 +1,63 @@
+From 20bdaae7ee1029e578f2f1d23c0061a92a51eb18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Nov 2021 22:57:00 +0100
+Subject: i2c: i801: Don't silently correct invalid transfer size
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit effa453168a7eeb8a562ff4edc1dbf9067360a61 ]
+
+If an invalid block size is provided, reject it instead of silently
+changing it to a supported value. Especially critical I see the case of
+a write transfer with block length 0. In this case we have no guarantee
+that the byte we would write is valid. When silently reducing a read to
+32 bytes then we don't return an error and the caller may falsely
+assume that we returned the full requested data.
+
+If this change should break any (broken) caller, then I think we should
+fix the caller.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-i801.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
+index 41446f9cc52da..c87ea470eba98 100644
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -775,6 +775,11 @@ static int i801_block_transaction(struct i801_priv *priv, union i2c_smbus_data *
+       int result = 0;
+       unsigned char hostc;
++      if (read_write == I2C_SMBUS_READ && command == I2C_SMBUS_BLOCK_DATA)
++              data->block[0] = I2C_SMBUS_BLOCK_MAX;
++      else if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
++              return -EPROTO;
++
+       if (command == I2C_SMBUS_I2C_BLOCK_DATA) {
+               if (read_write == I2C_SMBUS_WRITE) {
+                       /* set I2C_EN bit in configuration register */
+@@ -788,16 +793,6 @@ static int i801_block_transaction(struct i801_priv *priv, union i2c_smbus_data *
+               }
+       }
+-      if (read_write == I2C_SMBUS_WRITE
+-       || command == I2C_SMBUS_I2C_BLOCK_DATA) {
+-              if (data->block[0] < 1)
+-                      data->block[0] = 1;
+-              if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
+-                      data->block[0] = I2C_SMBUS_BLOCK_MAX;
+-      } else {
+-              data->block[0] = 32;    /* max for SMBus block reads */
+-      }
+-
+       /* Experience has shown that the block buffer can only be used for
+          SMBus (not I2C) block transactions, even though the datasheet
+          doesn't mention this limitation. */
+-- 
+2.34.1
+
diff --git a/queue-5.16/i2c-mpc-correct-i2c-reset-procedure.patch b/queue-5.16/i2c-mpc-correct-i2c-reset-procedure.patch
new file mode 100644 (file)
index 0000000..d1c2602
--- /dev/null
@@ -0,0 +1,70 @@
+From a83b47c288a5970115a5041ba2ed5f6eb80c371c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2017 14:20:33 +0200
+Subject: i2c: mpc: Correct I2C reset procedure
+
+From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+
+[ Upstream commit ebe82cf92cd4825c3029434cabfcd2f1780e64be ]
+
+Current I2C reset procedure is broken in two ways:
+1) It only generate 1 START instead of 9 STARTs and STOP.
+2) It leaves the bus Busy so every I2C xfer after the first
+   fixup calls the reset routine again, for every xfer there after.
+
+This fixes both errors.
+
+Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
+Acked-by: Scott Wood <oss@buserror.net>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mpc.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c
+index db26cc36e13fe..6c698c10d3cdb 100644
+--- a/drivers/i2c/busses/i2c-mpc.c
++++ b/drivers/i2c/busses/i2c-mpc.c
+@@ -119,23 +119,30 @@ static inline void writeccr(struct mpc_i2c *i2c, u32 x)
+ /* Sometimes 9th clock pulse isn't generated, and slave doesn't release
+  * the bus, because it wants to send ACK.
+  * Following sequence of enabling/disabling and sending start/stop generates
+- * the 9 pulses, so it's all OK.
++ * the 9 pulses, each with a START then ending with STOP, so it's all OK.
+  */
+ static void mpc_i2c_fixup(struct mpc_i2c *i2c)
+ {
+       int k;
+-      u32 delay_val = 1000000 / i2c->real_clk + 1;
+-
+-      if (delay_val < 2)
+-              delay_val = 2;
++      unsigned long flags;
+       for (k = 9; k; k--) {
+               writeccr(i2c, 0);
+-              writeccr(i2c, CCR_MSTA | CCR_MTX | CCR_MEN);
++              writeb(0, i2c->base + MPC_I2C_SR); /* clear any status bits */
++              writeccr(i2c, CCR_MEN | CCR_MSTA); /* START */
++              readb(i2c->base + MPC_I2C_DR); /* init xfer */
++              udelay(15); /* let it hit the bus */
++              local_irq_save(flags); /* should not be delayed further */
++              writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSTA); /* delay SDA */
+               readb(i2c->base + MPC_I2C_DR);
+-              writeccr(i2c, CCR_MEN);
+-              udelay(delay_val << 1);
++              if (k != 1)
++                      udelay(5);
++              local_irq_restore(flags);
+       }
++      writeccr(i2c, CCR_MEN); /* Initiate STOP */
++      readb(i2c->base + MPC_I2C_DR);
++      udelay(15); /* Let STOP propagate */
++      writeccr(i2c, 0);
+ }
+ static int i2c_mpc_wait_sr(struct mpc_i2c *i2c, int mask)
+-- 
+2.34.1
+
diff --git a/queue-5.16/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch b/queue-5.16/i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch
new file mode 100644 (file)
index 0000000..fb994c0
--- /dev/null
@@ -0,0 +1,42 @@
+From d903eb186ef267612d32befdeb05452a6df7dd21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 17:56:00 +0100
+Subject: i3c: fix incorrect address slot lookup on 64-bit
+
+From: Jamie Iles <quic_jiles@quicinc.com>
+
+[ Upstream commit f18f98110f2b179792cb70d85cba697320a3790f ]
+
+The address slot bitmap is an array of unsigned long's which are the
+same size as an int on 32-bit platforms but not 64-bit.  Loading the
+bitmap into an int could result in the incorrect status being returned
+for a slot and slots being reported as the wrong status.
+
+Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
+Cc: Boris Brezillon <bbrezillon@kernel.org>
+Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210922165600.179394-1-quic_jiles@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
+index c3b4c677b4429..dfe18dcd008d4 100644
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -343,7 +343,8 @@ struct bus_type i3c_bus_type = {
+ static enum i3c_addr_slot_status
+ i3c_bus_get_addr_slot_status(struct i3c_bus *bus, u16 addr)
+ {
+-      int status, bitpos = addr * 2;
++      unsigned long status;
++      int bitpos = addr * 2;
+       if (addr > I2C_MAX_ADDR)
+               return I3C_ADDR_SLOT_RSVD;
+-- 
+2.34.1
+
diff --git a/queue-5.16/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch b/queue-5.16/i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch
new file mode 100644 (file)
index 0000000..ec7b322
--- /dev/null
@@ -0,0 +1,45 @@
+From fe60dd9fc41de125b3d96a10bde24fa9f396d30c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jan 2022 07:09:48 -0800
+Subject: i3c: master: dw: check return of dw_i3c_master_get_free_pos()
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 13462ba1815db5a96891293a9cfaa2451f7bd623 ]
+
+Clang static analysis reports this problem
+dw-i3c-master.c:799:9: warning: The result of the left shift is
+  undefined because the left operand is negative
+                      COMMAND_PORT_DEV_INDEX(pos) |
+                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+pos can be negative because dw_i3c_master_get_free_pos() can return an
+error.  So check for an error.
+
+Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20220108150948.3988790-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master/dw-i3c-master.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
+index 03a368da51b95..51a8608203de7 100644
+--- a/drivers/i3c/master/dw-i3c-master.c
++++ b/drivers/i3c/master/dw-i3c-master.c
+@@ -793,6 +793,10 @@ static int dw_i3c_master_daa(struct i3c_master_controller *m)
+               return -ENOMEM;
+       pos = dw_i3c_master_get_free_pos(master);
++      if (pos < 0) {
++              dw_i3c_master_free_xfer(xfer);
++              return pos;
++      }
+       cmd = &xfer->cmds[0];
+       cmd->cmd_hi = 0x1;
+       cmd->cmd_lo = COMMAND_PORT_DEV_COUNT(master->maxdevs - pos) |
+-- 
+2.34.1
+
diff --git a/queue-5.16/i3c-master-mipi-i3c-hci-fix-a-potentially-infinite-l.patch b/queue-5.16/i3c-master-mipi-i3c-hci-fix-a-potentially-infinite-l.patch
new file mode 100644 (file)
index 0000000..6bea682
--- /dev/null
@@ -0,0 +1,48 @@
+From 5e51c528b3df44ef75368b125dbbbcecaf374e26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 23:05:23 +0100
+Subject: i3c/master/mipi-i3c-hci: Fix a potentially infinite loop in
+ 'hci_dat_v1_get_index()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3f43926f271287fb1744c9ac9ae1122497f2b0c2 ]
+
+The code in 'hci_dat_v1_get_index()' really looks like a hand coded version
+of 'for_each_set_bit()', except that a +1 is missing when searching for the
+next set bit.
+
+This really looks odd and it seems that it will loop until 'dat_w0_read()'
+returns the expected result.
+
+So use 'for_each_set_bit()' instead. It is less verbose and should be more
+correct.
+
+Fixes: 9ad9a52cce28 ("i3c/master: introduce the mipi-i3c-hci driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Nicolas Pitre <npitre@baylibre.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/0cdf3cb10293ead1acd271fdb8a70369c298c082.1637186628.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master/mipi-i3c-hci/dat_v1.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/i3c/master/mipi-i3c-hci/dat_v1.c b/drivers/i3c/master/mipi-i3c-hci/dat_v1.c
+index 783e551a2c85a..97bb49ff5b53b 100644
+--- a/drivers/i3c/master/mipi-i3c-hci/dat_v1.c
++++ b/drivers/i3c/master/mipi-i3c-hci/dat_v1.c
+@@ -160,9 +160,7 @@ static int hci_dat_v1_get_index(struct i3c_hci *hci, u8 dev_addr)
+       unsigned int dat_idx;
+       u32 dat_w0;
+-      for (dat_idx = find_first_bit(hci->DAT_data, hci->DAT_entries);
+-           dat_idx < hci->DAT_entries;
+-           dat_idx = find_next_bit(hci->DAT_data, hci->DAT_entries, dat_idx)) {
++      for_each_set_bit(dat_idx, hci->DAT_data, hci->DAT_entries) {
+               dat_w0 = dat_w0_read(dat_idx);
+               if (FIELD_GET(DAT_0_DYNAMIC_ADDRESS, dat_w0) == dev_addr)
+                       return dat_idx;
+-- 
+2.34.1
+
diff --git a/queue-5.16/igc-af_xdp-zero-copy-metadata-adjust-breaks-skbs-on-.patch b/queue-5.16/igc-af_xdp-zero-copy-metadata-adjust-breaks-skbs-on-.patch
new file mode 100644 (file)
index 0000000..87268b0
--- /dev/null
@@ -0,0 +1,48 @@
+From 7bb79b5e389ffa93c1017af43ce2f302071adc4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:36:25 +0100
+Subject: igc: AF_XDP zero-copy metadata adjust breaks SKBs on XDP_PASS
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+[ Upstream commit 4fa8fcd3440101dbacf4fae91de69877ef751977 ]
+
+Driver already implicitly supports XDP metadata access in AF_XDP
+zero-copy mode, as xsk_buff_pool's xp_alloc() naturally set xdp_buff
+data_meta equal data.
+
+This works fine for XDP and AF_XDP, but if a BPF-prog adjust via
+bpf_xdp_adjust_meta() and choose to call XDP_PASS, then igc function
+igc_construct_skb_zc() will construct an invalid SKB packet. The
+function correctly include the xdp->data_meta area in the memcpy, but
+forgot to pull header to take metasize into account.
+
+Fixes: fc9df2a0b520 ("igc: Enable RX via AF_XDP zero-copy")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Tested-by: Nechama Kraus <nechamax.kraus@linux.intel.com>
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index d28a80a009537..d83e665b3a4f2 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -2448,8 +2448,10 @@ static struct sk_buff *igc_construct_skb_zc(struct igc_ring *ring,
+       skb_reserve(skb, xdp->data_meta - xdp->data_hard_start);
+       memcpy(__skb_put(skb, totalsize), xdp->data_meta, totalsize);
+-      if (metasize)
++      if (metasize) {
+               skb_metadata_set(skb, metasize);
++              __skb_pull(skb, metasize);
++      }
+       return skb;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/iio-chemical-sunrise_co2-set-val-parameter-only-on-s.patch b/queue-5.16/iio-chemical-sunrise_co2-set-val-parameter-only-on-s.patch
new file mode 100644 (file)
index 0000000..4d1e5f8
--- /dev/null
@@ -0,0 +1,61 @@
+From f5f3288715dbe9c40dfa026bcd42931952954bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 07:08:33 -0800
+Subject: iio: chemical: sunrise_co2: set val parameter only on success
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 38ac2f038666521f94d4fa37b5a9441cef832ccf ]
+
+Clang static analysis reports this representative warning
+
+sunrise_co2.c:410:9: warning: Assigned value is garbage or undefined
+  *val = value;
+       ^ ~~~~~
+
+The ealier call to sunrise_read_word can fail without setting
+value.  So defer setting val until we know the read was successful.
+
+Fixes: c397894e24f1 ("iio: chemical: Add Senseair Sunrise 006-0-007 driver")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Link: https://lore.kernel.org/r/20211224150833.3278236-1-trix@redhat.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/chemical/sunrise_co2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/chemical/sunrise_co2.c b/drivers/iio/chemical/sunrise_co2.c
+index 233bd0f379c93..8440dc0c77cfe 100644
+--- a/drivers/iio/chemical/sunrise_co2.c
++++ b/drivers/iio/chemical/sunrise_co2.c
+@@ -407,24 +407,24 @@ static int sunrise_read_raw(struct iio_dev *iio_dev,
+                       mutex_lock(&sunrise->lock);
+                       ret = sunrise_read_word(sunrise, SUNRISE_CO2_FILTERED_COMP_REG,
+                                               &value);
+-                      *val = value;
+                       mutex_unlock(&sunrise->lock);
+                       if (ret)
+                               return ret;
++                      *val = value;
+                       return IIO_VAL_INT;
+               case IIO_TEMP:
+                       mutex_lock(&sunrise->lock);
+                       ret = sunrise_read_word(sunrise, SUNRISE_CHIP_TEMPERATURE_REG,
+                                               &value);
+-                      *val = value;
+                       mutex_unlock(&sunrise->lock);
+                       if (ret)
+                               return ret;
++                      *val = value;
+                       return IIO_VAL_INT;
+               default:
+-- 
+2.34.1
+
diff --git a/queue-5.16/input-ti_am335x_tsc-fix-stepconfig-setup-for-z2.patch b/queue-5.16/input-ti_am335x_tsc-fix-stepconfig-setup-for-z2.patch
new file mode 100644 (file)
index 0000000..fb287cd
--- /dev/null
@@ -0,0 +1,41 @@
+From 3d9d5f1539af1582f5f9895b0303283871c838d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 21:14:48 -0800
+Subject: Input: ti_am335x_tsc - fix STEPCONFIG setup for Z2
+
+From: Dario Binacchi <dariobin@libero.it>
+
+[ Upstream commit 6bfeb6c21e1bdc11c328b7d996d20f0f73c6b9b0 ]
+
+The Z2 step configuration doesn't erase the SEL_INP_SWC_3_0 bit-field
+before setting the ADC channel. This way its value could be corrupted by
+the ADC channel selected for the Z1 coordinate.
+
+Fixes: 8c896308feae ("input: ti_am335x_adc: use only FIFO0 and clean up a little")
+Signed-off-by: Dario Binacchi <dariobin@libero.it>
+Link: https://lore.kernel.org/r/20211212125358.14416-3-dariobin@libero.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ti_am335x_tsc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/ti_am335x_tsc.c b/drivers/input/touchscreen/ti_am335x_tsc.c
+index fd3ffdd23470b..cfc943423241f 100644
+--- a/drivers/input/touchscreen/ti_am335x_tsc.c
++++ b/drivers/input/touchscreen/ti_am335x_tsc.c
+@@ -196,7 +196,10 @@ static void titsc_step_config(struct titsc *ts_dev)
+                       STEPCONFIG_OPENDLY);
+       end_step++;
+-      config |= STEPCONFIG_INP(ts_dev->inp_yn);
++      config = STEPCONFIG_MODE_HWSYNC |
++                      STEPCONFIG_AVG_16 | ts_dev->bit_yp |
++                      ts_dev->bit_xn | STEPCONFIG_INM_ADCREFM |
++                      STEPCONFIG_INP(ts_dev->inp_yn);
+       titsc_writel(ts_dev, REG_STEPCONFIG(end_step), config);
+       titsc_writel(ts_dev, REG_STEPDELAY(end_step),
+                       STEPCONFIG_OPENDLY);
+-- 
+2.34.1
+
diff --git a/queue-5.16/input-ti_am335x_tsc-set-adcrefm-for-x-configuration.patch b/queue-5.16/input-ti_am335x_tsc-set-adcrefm-for-x-configuration.patch
new file mode 100644 (file)
index 0000000..5e6bd6e
--- /dev/null
@@ -0,0 +1,42 @@
+From 15e96bdf4b44e36e9702a0b7f6b28e6602bcd3c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 21:14:35 -0800
+Subject: Input: ti_am335x_tsc - set ADCREFM for X configuration
+
+From: Dario Binacchi <dariobin@libero.it>
+
+[ Upstream commit 73cca71a903202cddc8279fc76b2da4995da5bea ]
+
+As reported by the STEPCONFIG[1-16] registered field descriptions of the
+TI reference manual, for the ADC "in single ended, SEL_INM_SWC_3_0 must
+be 1xxx".
+
+Unlike the Y and Z coordinates, this bit has not been set for the step
+configuration registers used to sample the X coordinate.
+
+Fixes: 1b8be32e6914 ("Input: add support for TI Touchscreen controller")
+Signed-off-by: Dario Binacchi <dariobin@libero.it>
+Link: https://lore.kernel.org/r/20211212125358.14416-2-dariobin@libero.it
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/ti_am335x_tsc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/ti_am335x_tsc.c b/drivers/input/touchscreen/ti_am335x_tsc.c
+index 83e685557a197..fd3ffdd23470b 100644
+--- a/drivers/input/touchscreen/ti_am335x_tsc.c
++++ b/drivers/input/touchscreen/ti_am335x_tsc.c
+@@ -131,7 +131,8 @@ static void titsc_step_config(struct titsc *ts_dev)
+       u32 stepenable;
+       config = STEPCONFIG_MODE_HWSYNC |
+-                      STEPCONFIG_AVG_16 | ts_dev->bit_xp;
++                      STEPCONFIG_AVG_16 | ts_dev->bit_xp |
++                      STEPCONFIG_INM_ADCREFM;
+       switch (ts_dev->wires) {
+       case 4:
+               config |= STEPCONFIG_INP(ts_dev->inp_yp) | ts_dev->bit_xn;
+-- 
+2.34.1
+
diff --git a/queue-5.16/interconnect-qcom-rpm-prevent-integer-overflow-in-ra.patch b/queue-5.16/interconnect-qcom-rpm-prevent-integer-overflow-in-ra.patch
new file mode 100644 (file)
index 0000000..c25b67b
--- /dev/null
@@ -0,0 +1,42 @@
+From f2f3de6d0fdda83f9881d23ddc1b1a46a08954ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 12:45:42 +0100
+Subject: interconnect: qcom: rpm: Prevent integer overflow in rate
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit a7d9436a6c85fcb8843c910fd323dcd7f839bf63 ]
+
+Using icc-rpm on ARM32 currently results in clk_set_rate() errors during
+boot, e.g. "bus clk_set_rate error: -22". This is very similar to commit
+7381e27b1e56 ("interconnect: qcom: msm8974: Prevent integer overflow in rate")
+where the u64 is converted to a signed long during clock rate rounding,
+resulting in an overflow on 32-bit platforms.
+
+Let's fix it similarly by making sure that the rate does not exceed
+LONG_MAX. Such high clock rates will surely result in the maximum
+frequency of the bus anyway.
+
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20211206114542.45325-1-stephan@gerhold.net
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/icc-rpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/interconnect/qcom/icc-rpm.c b/drivers/interconnect/qcom/icc-rpm.c
+index ef7999a08c8bf..8114295a83129 100644
+--- a/drivers/interconnect/qcom/icc-rpm.c
++++ b/drivers/interconnect/qcom/icc-rpm.c
+@@ -239,6 +239,7 @@ static int qcom_icc_set(struct icc_node *src, struct icc_node *dst)
+       rate = max(sum_bw, max_peak_bw);
+       do_div(rate, qn->buswidth);
++      rate = min_t(u64, rate, LONG_MAX);
+       if (qn->rate == rate)
+               return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/io_uring-remove-double-poll-on-poll-update.patch b/queue-5.16/io_uring-remove-double-poll-on-poll-update.patch
new file mode 100644 (file)
index 0000000..f343e10
--- /dev/null
@@ -0,0 +1,36 @@
+From 4a394e4013641e4b51d35eadc3c328de572e9528 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 22:08:44 +0000
+Subject: io_uring: remove double poll on poll update
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit e840b4baf3cfb37e2ead4f649a45bb78178677ff ]
+
+Before updating a poll request we should remove it from poll queues,
+including the double poll entry.
+
+Fixes: b69de288e913 ("io_uring: allow events and user_data update of running poll requests")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/ac39e7f80152613603b8a6cc29a2b6063ac2434f.1639605189.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index fb2a0cb4aaf83..72496f424c155 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -5928,6 +5928,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
+        * update those. For multishot, if we're racing with completion, just
+        * let completion re-add it.
+        */
++      io_poll_remove_double(preq);
+       completing = !__io_poll_remove_one(preq, &preq->poll, false);
+       if (completing && (preq->poll.events & EPOLLONESHOT)) {
+               ret = -EALREADY;
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-amd-remove-useless-irq-affinity-notifier.patch b/queue-5.16/iommu-amd-remove-useless-irq-affinity-notifier.patch
new file mode 100644 (file)
index 0000000..8da8e30
--- /dev/null
@@ -0,0 +1,37 @@
+From 4826783234cbe8a8d3311577f7da7c01957b03cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 18:10:38 +0200
+Subject: iommu/amd: Remove useless irq affinity notifier
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit 575f5cfb13c84f324f9898383fa4a5694e53c9ef ]
+
+iommu->intcapxt_notify field is no longer used
+after a switch to a separate domain was done
+
+Fixes: d1adcfbb520c ("iommu/amd: Fix IOMMU interrupt generation in X2APIC mode")
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20211123161038.48009-6-mlevitsk@redhat.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/amd_iommu_types.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h
+index 867535eb0ce97..ffc89c4fb1205 100644
+--- a/drivers/iommu/amd/amd_iommu_types.h
++++ b/drivers/iommu/amd/amd_iommu_types.h
+@@ -645,8 +645,6 @@ struct amd_iommu {
+       /* DebugFS Info */
+       struct dentry *debugfs;
+ #endif
+-      /* IRQ notifier for IntCapXT interrupt */
+-      struct irq_affinity_notify intcapxt_notify;
+ };
+ static inline struct amd_iommu *dev_to_amd_iommu(struct device *dev)
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch b/queue-5.16/iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch
new file mode 100644 (file)
index 0000000..527af00
--- /dev/null
@@ -0,0 +1,95 @@
+From 6ea4ddbca2a06bd1cbce9730446ae68bfffe1b67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 18:10:34 +0200
+Subject: iommu/amd: Restore GA log/tail pointer on host resume
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit a8d4a37d1bb93608501d0d0545f902061152669a ]
+
+This will give IOMMU GA log a chance to work after resume
+from s3/s4.
+
+Fixes: 8bda0cfbdc1a6 ("iommu/amd: Detect and initialize guest vAPIC log")
+
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20211123161038.48009-2-mlevitsk@redhat.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index 1eacd43cb4368..8dae85fcfc2eb 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -806,16 +806,27 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu)
+ {
+ #ifdef CONFIG_IRQ_REMAP
+       u32 status, i;
++      u64 entry;
+       if (!iommu->ga_log)
+               return -EINVAL;
+-      status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET);
+-
+       /* Check if already running */
+-      if (status & (MMIO_STATUS_GALOG_RUN_MASK))
++      status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET);
++      if (WARN_ON(status & (MMIO_STATUS_GALOG_RUN_MASK)))
+               return 0;
++      entry = iommu_virt_to_phys(iommu->ga_log) | GA_LOG_SIZE_512;
++      memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_BASE_OFFSET,
++                  &entry, sizeof(entry));
++      entry = (iommu_virt_to_phys(iommu->ga_log_tail) &
++               (BIT_ULL(52)-1)) & ~7ULL;
++      memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_TAIL_OFFSET,
++                  &entry, sizeof(entry));
++      writel(0x00, iommu->mmio_base + MMIO_GA_HEAD_OFFSET);
++      writel(0x00, iommu->mmio_base + MMIO_GA_TAIL_OFFSET);
++
++
+       iommu_feature_enable(iommu, CONTROL_GAINT_EN);
+       iommu_feature_enable(iommu, CONTROL_GALOG_EN);
+@@ -825,7 +836,7 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu)
+                       break;
+       }
+-      if (i >= LOOP_TIMEOUT)
++      if (WARN_ON(i >= LOOP_TIMEOUT))
+               return -EINVAL;
+ #endif /* CONFIG_IRQ_REMAP */
+       return 0;
+@@ -834,8 +845,6 @@ static int iommu_ga_log_enable(struct amd_iommu *iommu)
+ static int iommu_init_ga_log(struct amd_iommu *iommu)
+ {
+ #ifdef CONFIG_IRQ_REMAP
+-      u64 entry;
+-
+       if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir))
+               return 0;
+@@ -849,16 +858,6 @@ static int iommu_init_ga_log(struct amd_iommu *iommu)
+       if (!iommu->ga_log_tail)
+               goto err_out;
+-      entry = iommu_virt_to_phys(iommu->ga_log) | GA_LOG_SIZE_512;
+-      memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_BASE_OFFSET,
+-                  &entry, sizeof(entry));
+-      entry = (iommu_virt_to_phys(iommu->ga_log_tail) &
+-               (BIT_ULL(52)-1)) & ~7ULL;
+-      memcpy_toio(iommu->mmio_base + MMIO_GA_LOG_TAIL_OFFSET,
+-                  &entry, sizeof(entry));
+-      writel(0x00, iommu->mmio_base + MMIO_GA_HEAD_OFFSET);
+-      writel(0x00, iommu->mmio_base + MMIO_GA_TAIL_OFFSET);
+-
+       return 0;
+ err_out:
+       free_ga_log(iommu);
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-amd-x2apic-mode-mask-unmask-interrupts-on-susp.patch b/queue-5.16/iommu-amd-x2apic-mode-mask-unmask-interrupts-on-susp.patch
new file mode 100644 (file)
index 0000000..b2e3c32
--- /dev/null
@@ -0,0 +1,59 @@
+From f77770bd30e1f06898edbad70eb74031fa5f7427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 18:10:37 +0200
+Subject: iommu/amd: X2apic mode: mask/unmask interrupts on suspend/resume
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit 1980105e3cfc2215c75b4f6b172661d675c467d1 ]
+
+Use IRQCHIP_MASK_ON_SUSPEND to make the core irq code to
+mask the iommu interrupt on suspend and unmask it on the resume.
+
+Since now the unmask function updates the INTX settings,
+that will restore them on resume from s3/s4.
+
+Since IRQCHIP_MASK_ON_SUSPEND is only effective for interrupts
+which are not wakeup sources, remove IRQCHIP_SKIP_SET_WAKE flag
+and instead implement a dummy .irq_set_wake which doesn't allow
+the interrupt to become a wakeup source.
+
+Fixes: 66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts")
+
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20211123161038.48009-5-mlevitsk@redhat.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index 9e895bb8086a6..b94822fc2c9f7 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -2104,6 +2104,11 @@ static int intcapxt_set_affinity(struct irq_data *irqd,
+       return 0;
+ }
++static int intcapxt_set_wake(struct irq_data *irqd, unsigned int on)
++{
++      return on ? -EOPNOTSUPP : 0;
++}
++
+ static struct irq_chip intcapxt_controller = {
+       .name                   = "IOMMU-MSI",
+       .irq_unmask             = intcapxt_unmask_irq,
+@@ -2111,7 +2116,8 @@ static struct irq_chip intcapxt_controller = {
+       .irq_ack                = irq_chip_ack_parent,
+       .irq_retrigger          = irq_chip_retrigger_hierarchy,
+       .irq_set_affinity       = intcapxt_set_affinity,
+-      .flags                  = IRQCHIP_SKIP_SET_WAKE,
++      .irq_set_wake           = intcapxt_set_wake,
++      .flags                  = IRQCHIP_MASK_ON_SUSPEND,
+ };
+ static const struct irq_domain_ops intcapxt_domain_ops = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-amd-x2apic-mode-re-enable-after-resume.patch b/queue-5.16/iommu-amd-x2apic-mode-re-enable-after-resume.patch
new file mode 100644 (file)
index 0000000..307041c
--- /dev/null
@@ -0,0 +1,47 @@
+From ad532161a96647af5bdcdad0d8ffb67bb9d97a52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 18:10:35 +0200
+Subject: iommu/amd: X2apic mode: re-enable after resume
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit 01b297a48a26bcb96769505ac948db4603b72bd1 ]
+
+Otherwise it is guaranteed to not work after the resume...
+
+Fixes: 66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts")
+
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20211123161038.48009-3-mlevitsk@redhat.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index 8dae85fcfc2eb..b905604f434e1 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -2172,7 +2172,6 @@ static int iommu_setup_intcapxt(struct amd_iommu *iommu)
+               return ret;
+       }
+-      iommu_feature_enable(iommu, CONTROL_INTCAPXT_EN);
+       return 0;
+ }
+@@ -2195,6 +2194,10 @@ static int iommu_init_irq(struct amd_iommu *iommu)
+       iommu->int_enabled = true;
+ enable_faults:
++
++      if (amd_iommu_xt_mode == IRQ_REMAP_X2APIC_MODE)
++              iommu_feature_enable(iommu, CONTROL_INTCAPXT_EN);
++
+       iommu_feature_enable(iommu, CONTROL_EVT_INT_EN);
+       if (iommu->ppr_log != NULL)
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-amd-x2apic-mode-setup-the-intx-registers-on-ma.patch b/queue-5.16/iommu-amd-x2apic-mode-setup-the-intx-registers-on-ma.patch
new file mode 100644 (file)
index 0000000..ec16184
--- /dev/null
@@ -0,0 +1,128 @@
+From ef7864d63655cbec771c5d04895ba288f77a971f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 18:10:36 +0200
+Subject: iommu/amd: X2apic mode: setup the INTX registers on mask/unmask
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit 4691f79d62a637958f7b5f55c232a65399500b7a ]
+
+This is more logically correct and will also allow us to
+to use mask/unmask logic to restore INTX setttings after
+the resume from s3/s4.
+
+Fixes: 66929812955bb ("iommu/amd: Add support for X2APIC IOMMU interrupts")
+
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20211123161038.48009-4-mlevitsk@redhat.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 65 ++++++++++++++++++++--------------------
+ 1 file changed, 33 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index b905604f434e1..9e895bb8086a6 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -2015,48 +2015,18 @@ union intcapxt {
+       };
+ } __attribute__ ((packed));
+-/*
+- * There isn't really any need to mask/unmask at the irqchip level because
+- * the 64-bit INTCAPXT registers can be updated atomically without tearing
+- * when the affinity is being updated.
+- */
+-static void intcapxt_unmask_irq(struct irq_data *data)
+-{
+-}
+-
+-static void intcapxt_mask_irq(struct irq_data *data)
+-{
+-}
+ static struct irq_chip intcapxt_controller;
+ static int intcapxt_irqdomain_activate(struct irq_domain *domain,
+                                      struct irq_data *irqd, bool reserve)
+ {
+-      struct amd_iommu *iommu = irqd->chip_data;
+-      struct irq_cfg *cfg = irqd_cfg(irqd);
+-      union intcapxt xt;
+-
+-      xt.capxt = 0ULL;
+-      xt.dest_mode_logical = apic->dest_mode_logical;
+-      xt.vector = cfg->vector;
+-      xt.destid_0_23 = cfg->dest_apicid & GENMASK(23, 0);
+-      xt.destid_24_31 = cfg->dest_apicid >> 24;
+-
+-      /**
+-       * Current IOMMU implemtation uses the same IRQ for all
+-       * 3 IOMMU interrupts.
+-       */
+-      writeq(xt.capxt, iommu->mmio_base + MMIO_INTCAPXT_EVT_OFFSET);
+-      writeq(xt.capxt, iommu->mmio_base + MMIO_INTCAPXT_PPR_OFFSET);
+-      writeq(xt.capxt, iommu->mmio_base + MMIO_INTCAPXT_GALOG_OFFSET);
+       return 0;
+ }
+ static void intcapxt_irqdomain_deactivate(struct irq_domain *domain,
+                                         struct irq_data *irqd)
+ {
+-      intcapxt_mask_irq(irqd);
+ }
+@@ -2090,6 +2060,38 @@ static void intcapxt_irqdomain_free(struct irq_domain *domain, unsigned int virq
+       irq_domain_free_irqs_top(domain, virq, nr_irqs);
+ }
++
++static void intcapxt_unmask_irq(struct irq_data *irqd)
++{
++      struct amd_iommu *iommu = irqd->chip_data;
++      struct irq_cfg *cfg = irqd_cfg(irqd);
++      union intcapxt xt;
++
++      xt.capxt = 0ULL;
++      xt.dest_mode_logical = apic->dest_mode_logical;
++      xt.vector = cfg->vector;
++      xt.destid_0_23 = cfg->dest_apicid & GENMASK(23, 0);
++      xt.destid_24_31 = cfg->dest_apicid >> 24;
++
++      /**
++       * Current IOMMU implementation uses the same IRQ for all
++       * 3 IOMMU interrupts.
++       */
++      writeq(xt.capxt, iommu->mmio_base + MMIO_INTCAPXT_EVT_OFFSET);
++      writeq(xt.capxt, iommu->mmio_base + MMIO_INTCAPXT_PPR_OFFSET);
++      writeq(xt.capxt, iommu->mmio_base + MMIO_INTCAPXT_GALOG_OFFSET);
++}
++
++static void intcapxt_mask_irq(struct irq_data *irqd)
++{
++      struct amd_iommu *iommu = irqd->chip_data;
++
++      writeq(0, iommu->mmio_base + MMIO_INTCAPXT_EVT_OFFSET);
++      writeq(0, iommu->mmio_base + MMIO_INTCAPXT_PPR_OFFSET);
++      writeq(0, iommu->mmio_base + MMIO_INTCAPXT_GALOG_OFFSET);
++}
++
++
+ static int intcapxt_set_affinity(struct irq_data *irqd,
+                                const struct cpumask *mask, bool force)
+ {
+@@ -2099,8 +2101,7 @@ static int intcapxt_set_affinity(struct irq_data *irqd,
+       ret = parent->chip->irq_set_affinity(parent, mask, force);
+       if (ret < 0 || ret == IRQ_SET_MASK_OK_DONE)
+               return ret;
+-
+-      return intcapxt_irqdomain_activate(irqd->domain, irqd, false);
++      return 0;
+ }
+ static struct irq_chip intcapxt_controller = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-arm-smmu-qcom-fix-ttbr0-read.patch b/queue-5.16/iommu-arm-smmu-qcom-fix-ttbr0-read.patch
new file mode 100644 (file)
index 0000000..28981d5
--- /dev/null
@@ -0,0 +1,37 @@
+From af80c7fde4dbcff9422dffb259f7d89e86e1f8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 09:17:23 -0800
+Subject: iommu/arm-smmu-qcom: Fix TTBR0 read
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit c31112fbd4077a51a14ff338038c82e9571dc821 ]
+
+It is a 64b register, lets not lose the upper bits.
+
+Fixes: ab5df7b953d8 ("iommu/arm-smmu-qcom: Add an adreno-smmu-priv callback to get pagefault info")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211108171724.470973-1-robdclark@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index ca736b065dd0b..40c91dd368a4d 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -51,7 +51,7 @@ static void qcom_adreno_smmu_get_fault_info(const void *cookie,
+       info->fsynr1 = arm_smmu_cb_read(smmu, cfg->cbndx, ARM_SMMU_CB_FSYNR1);
+       info->far = arm_smmu_cb_readq(smmu, cfg->cbndx, ARM_SMMU_CB_FAR);
+       info->cbfrsynra = arm_smmu_gr1_read(smmu, ARM_SMMU_GR1_CBFRSYNRA(cfg->cbndx));
+-      info->ttbr0 = arm_smmu_cb_read(smmu, cfg->cbndx, ARM_SMMU_CB_TTBR0);
++      info->ttbr0 = arm_smmu_cb_readq(smmu, cfg->cbndx, ARM_SMMU_CB_TTBR0);
+       info->contextidr = arm_smmu_cb_read(smmu, cfg->cbndx, ARM_SMMU_CB_CONTEXTIDR);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-extend-mutex-lock-scope-in-iommu_probe_device.patch b/queue-5.16/iommu-extend-mutex-lock-scope-in-iommu_probe_device.patch
new file mode 100644 (file)
index 0000000..b578b86
--- /dev/null
@@ -0,0 +1,50 @@
+From fe1f694513ca10efc8d02e632a63cf8f1f2f7ac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 14:13:49 +0800
+Subject: iommu: Extend mutex lock scope in iommu_probe_device()
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+[ Upstream commit 556f99ac886635e8da15528995f06d1d7028cfca ]
+
+Extend the scope of holding group->mutex so that it can cover the default
+domain check/attachment and direct mappings of reserved regions.
+
+Cc: Ashish Mhetre <amhetre@nvidia.com>
+Fixes: 211ff31b3d33b ("iommu: Fix race condition during default domain allocation")
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20211108061349.1985579-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index dd7863e453a5f..8b86406b71627 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -288,11 +288,11 @@ int iommu_probe_device(struct device *dev)
+        */
+       mutex_lock(&group->mutex);
+       iommu_alloc_default_domain(group, dev);
+-      mutex_unlock(&group->mutex);
+       if (group->default_domain) {
+               ret = __iommu_attach_device(group->default_domain, dev);
+               if (ret) {
++                      mutex_unlock(&group->mutex);
+                       iommu_group_put(group);
+                       goto err_release;
+               }
+@@ -300,6 +300,7 @@ int iommu_probe_device(struct device *dev)
+       iommu_create_device_direct_mappings(group, dev);
++      mutex_unlock(&group->mutex);
+       iommu_group_put(group);
+       if (ops->probe_finalize)
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch b/queue-5.16/iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch
new file mode 100644 (file)
index 0000000..6be9118
--- /dev/null
@@ -0,0 +1,69 @@
+From c1b545974bba6e4d641b56961824d8c7574aaf01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Nov 2021 12:13:43 +0900
+Subject: iommu/io-pgtable-arm: Fix table descriptor paddr formatting
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 9abe2ac834851a7d0b0756e295cf7a292c45ca53 ]
+
+Table descriptors were being installed without properly formatting the
+address using paddr_to_iopte, which does not match up with the
+iopte_deref in __arm_lpae_map. This is incorrect for the LPAE pte
+format, as it does not handle the high bits properly.
+
+This was found on Apple T6000 DARTs, which require a new pte format
+(different shift); adding support for that to
+paddr_to_iopte/iopte_to_paddr caused it to break badly, as even <48-bit
+addresses would end up incorrect in that case.
+
+Fixes: 6c89928ff7a0 ("iommu/io-pgtable-arm: Support 52-bit physical address")
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20211120031343.88034-1-marcan@marcan.st
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/io-pgtable-arm.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
+index dd9e47189d0d9..94ff319ae8acc 100644
+--- a/drivers/iommu/io-pgtable-arm.c
++++ b/drivers/iommu/io-pgtable-arm.c
+@@ -315,11 +315,12 @@ static int arm_lpae_init_pte(struct arm_lpae_io_pgtable *data,
+ static arm_lpae_iopte arm_lpae_install_table(arm_lpae_iopte *table,
+                                            arm_lpae_iopte *ptep,
+                                            arm_lpae_iopte curr,
+-                                           struct io_pgtable_cfg *cfg)
++                                           struct arm_lpae_io_pgtable *data)
+ {
+       arm_lpae_iopte old, new;
++      struct io_pgtable_cfg *cfg = &data->iop.cfg;
+-      new = __pa(table) | ARM_LPAE_PTE_TYPE_TABLE;
++      new = paddr_to_iopte(__pa(table), data) | ARM_LPAE_PTE_TYPE_TABLE;
+       if (cfg->quirks & IO_PGTABLE_QUIRK_ARM_NS)
+               new |= ARM_LPAE_PTE_NSTABLE;
+@@ -380,7 +381,7 @@ static int __arm_lpae_map(struct arm_lpae_io_pgtable *data, unsigned long iova,
+               if (!cptep)
+                       return -ENOMEM;
+-              pte = arm_lpae_install_table(cptep, ptep, 0, cfg);
++              pte = arm_lpae_install_table(cptep, ptep, 0, data);
+               if (pte)
+                       __arm_lpae_free_pages(cptep, tblsz, cfg);
+       } else if (!cfg->coherent_walk && !(pte & ARM_LPAE_PTE_SW_SYNC)) {
+@@ -592,7 +593,7 @@ static size_t arm_lpae_split_blk_unmap(struct arm_lpae_io_pgtable *data,
+               __arm_lpae_init_pte(data, blk_paddr, pte, lvl, 1, &tablep[i]);
+       }
+-      pte = arm_lpae_install_table(tablep, ptep, blk_pte, cfg);
++      pte = arm_lpae_install_table(tablep, ptep, blk_pte, data);
+       if (pte != blk_pte) {
+               __arm_lpae_free_pages(tablep, tablesz, cfg);
+               /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch b/queue-5.16/iommu-iova-fix-race-between-fq-timeout-and-teardown.patch
new file mode 100644 (file)
index 0000000..906d7ec
--- /dev/null
@@ -0,0 +1,53 @@
+From 4b6514c4d2f95966544fce7e9a0f505f07e28eef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 15:30:55 +0000
+Subject: iommu/iova: Fix race between FQ timeout and teardown
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit d7061627d701c90e1cac1e1e60c45292f64f3470 ]
+
+It turns out to be possible for hotplugging out a device to reach the
+stage of tearing down the device's group and default domain before the
+domain's flush queue has drained naturally. At this point, it is then
+possible for the timeout to expire just before the del_timer() call
+in free_iova_flush_queue(), such that we then proceed to free the FQ
+resources while fq_flush_timeout() is still accessing them on another
+CPU. Crashes due to this have been observed in the wild while removing
+NVMe devices.
+
+Close the race window by using del_timer_sync() to safely wait for any
+active timeout handler to finish before we start to free things. We
+already avoid any locking in free_iova_flush_queue() since the FQ is
+supposed to be inactive anyway, so the potential deadlock scenario does
+not apply.
+
+Fixes: 9a005a800ae8 ("iommu/iova: Add flush timer")
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+[ rm: rewrite commit message ]
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/0a365e5b07f14b7344677ad6a9a734966a8422ce.1639753638.git.robin.murphy@arm.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iova.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
+index 9e8bc802ac053..920fcc27c9a1e 100644
+--- a/drivers/iommu/iova.c
++++ b/drivers/iommu/iova.c
+@@ -83,8 +83,7 @@ static void free_iova_flush_queue(struct iova_domain *iovad)
+       if (!has_iova_flush_queue(iovad))
+               return;
+-      if (timer_pending(&iovad->fq_timer))
+-              del_timer(&iovad->fq_timer);
++      del_timer_sync(&iovad->fq_timer);
+       fq_destroy_all_entries(iovad);
+-- 
+2.34.1
+
diff --git a/queue-5.16/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch b/queue-5.16/irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch
new file mode 100644 (file)
index 0000000..8d988a1
--- /dev/null
@@ -0,0 +1,63 @@
+From a258b9577e75b4d878ac9cfca0a50b8e72833ae3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 14:32:27 +0000
+Subject: irqchip/gic-v4: Disable redistributors' view of the VPE table at boot
+ time
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 79a7f77b9b154d572bd9d2f1eecf58c4d018d8e2 ]
+
+Jay Chen reported that using a kdump kernel on a GICv4.1 system
+results in a RAS error being delivered when the secondary kernel
+configures the ITS's view of the new VPE table.
+
+As it turns out, that's because each RD still has a pointer to
+the previous instance of the VPE table, and that particular
+implementation is very upset by seeing two bits of the HW that
+should point to the same table with different values.
+
+To solve this, let's invalidate any reference that any RD has to
+the VPE table when discovering the RDs. The ITS can then be
+programmed as expected.
+
+Reported-by: Jay Chen <jkchen@linux.alibaba.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Link: https://lore.kernel.org/r/20211214064716.21407-1-jkchen@linux.alibaba.com
+Link: https://lore.kernel.org/r/20211216144804.1578566-1-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
+index daec3309b014d..86397522e7864 100644
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -920,6 +920,22 @@ static int __gic_update_rdist_properties(struct redist_region *region,
+ {
+       u64 typer = gic_read_typer(ptr + GICR_TYPER);
++      /* Boot-time cleanip */
++      if ((typer & GICR_TYPER_VLPIS) && (typer & GICR_TYPER_RVPEID)) {
++              u64 val;
++
++              /* Deactivate any present vPE */
++              val = gicr_read_vpendbaser(ptr + SZ_128K + GICR_VPENDBASER);
++              if (val & GICR_VPENDBASER_Valid)
++                      gicr_write_vpendbaser(GICR_VPENDBASER_PendingLast,
++                                            ptr + SZ_128K + GICR_VPENDBASER);
++
++              /* Mark the VPE table as invalid */
++              val = gicr_read_vpropbaser(ptr + SZ_128K + GICR_VPROPBASER);
++              val &= ~GICR_VPROPBASER_4_1_VALID;
++              gicr_write_vpropbaser(val, ptr + SZ_128K + GICR_VPROPBASER);
++      }
++
+       gic_data.rdists.has_vlpis &= !!(typer & GICR_TYPER_VLPIS);
+       /* RVPEID implies some form of DirectLPI, no matter what the doc says... :-/ */
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-acpi-fix-wgds-rev-3-size.patch b/queue-5.16/iwlwifi-acpi-fix-wgds-rev-3-size.patch
new file mode 100644 (file)
index 0000000..938e800
--- /dev/null
@@ -0,0 +1,37 @@
+From f04145e33c8dfb8b236f461c33ede743d53359b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 13:10:50 +0200
+Subject: iwlwifi: acpi: fix wgds rev 3 size
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit dc276ffd0754e94080565c10b964f3c211879fdd ]
+
+The exact size of WGDS revision 3 was calculated using the wrong
+parameters. Fix it.
+
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211204130722.12c5b0cffe52.I7f342502f628f43a7e000189a699484bcef0f562@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+index bf431fa4fe81f..2e4590876bc33 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -789,7 +789,7 @@ int iwl_sar_get_wgds_table(struct iwl_fw_runtime *fwrt)
+                                * looking up in ACPI
+                                */
+                               if (wifi_pkg->package.count !=
+-                                  min_size + profile_size * num_profiles) {
++                                  hdr_size + profile_size * num_profiles) {
+                                       ret = -EINVAL;
+                                       goto out_free;
+                               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-don-t-pass-actual-wgds-revision-number-in-ta.patch b/queue-5.16/iwlwifi-don-t-pass-actual-wgds-revision-number-in-ta.patch
new file mode 100644 (file)
index 0000000..d9e9f97
--- /dev/null
@@ -0,0 +1,116 @@
+From a2b798de73ed7bb75ec2c921cc7d526170a1aa48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 12:18:14 +0200
+Subject: iwlwifi: don't pass actual WGDS revision number in table_revision
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit ac9952f6954216be72a8bde210e1ef2c949d8ee0 ]
+
+The FW API for PER_CHAIN_LIMIT_OFFSET_CMD is misleading.  The element
+name is table_rev, but it shouldn't actually contain the table
+revision number, but whether we should use the South Korea scheme or
+not.
+
+Fix the driver so that we only set this value to either 0 or 1.  It
+will only be 1 (meaning South Korea) if the ACPI WGDS table revision
+is 1.
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Fixes: 664c011b763e ("iwlwifi: acpi: support reading and storing WGDS revision 2")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219121514.abed3b8119c7.I1fdc2c14577523fcffdfe8fb5902c2d8efde7e09@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/fw/api/power.h  |  8 ++++----
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c    | 18 +++++++++++++-----
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/api/power.h b/drivers/net/wireless/intel/iwlwifi/fw/api/power.h
+index 4d671c878bb7a..23e27afe94a23 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/api/power.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/power.h
+@@ -419,7 +419,7 @@ struct iwl_geo_tx_power_profiles_cmd_v1 {
+  * struct iwl_geo_tx_power_profile_cmd_v2 - struct for PER_CHAIN_LIMIT_OFFSET_CMD cmd.
+  * @ops: operations, value from &enum iwl_geo_per_chain_offset_operation
+  * @table: offset profile per band.
+- * @table_revision: BIOS table revision.
++ * @table_revision: 0 for not-South Korea, 1 for South Korea (the name is misleading)
+  */
+ struct iwl_geo_tx_power_profiles_cmd_v2 {
+       __le32 ops;
+@@ -431,7 +431,7 @@ struct iwl_geo_tx_power_profiles_cmd_v2 {
+  * struct iwl_geo_tx_power_profile_cmd_v3 - struct for PER_CHAIN_LIMIT_OFFSET_CMD cmd.
+  * @ops: operations, value from &enum iwl_geo_per_chain_offset_operation
+  * @table: offset profile per band.
+- * @table_revision: BIOS table revision.
++ * @table_revision: 0 for not-South Korea, 1 for South Korea (the name is misleading)
+  */
+ struct iwl_geo_tx_power_profiles_cmd_v3 {
+       __le32 ops;
+@@ -443,7 +443,7 @@ struct iwl_geo_tx_power_profiles_cmd_v3 {
+  * struct iwl_geo_tx_power_profile_cmd_v4 - struct for PER_CHAIN_LIMIT_OFFSET_CMD cmd.
+  * @ops: operations, value from &enum iwl_geo_per_chain_offset_operation
+  * @table: offset profile per band.
+- * @table_revision: BIOS table revision.
++ * @table_revision: 0 for not-South Korea, 1 for South Korea (the name is misleading)
+  */
+ struct iwl_geo_tx_power_profiles_cmd_v4 {
+       __le32 ops;
+@@ -455,7 +455,7 @@ struct iwl_geo_tx_power_profiles_cmd_v4 {
+  * struct iwl_geo_tx_power_profile_cmd_v5 - struct for PER_CHAIN_LIMIT_OFFSET_CMD cmd.
+  * @ops: operations, value from &enum iwl_geo_per_chain_offset_operation
+  * @table: offset profile per band.
+- * @table_revision: BIOS table revision.
++ * @table_revision: 0 for not-South Korea, 1 for South Korea (the name is misleading)
+  */
+ struct iwl_geo_tx_power_profiles_cmd_v5 {
+       __le32 ops;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 863fec150e536..9eb78461f2800 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -820,6 +820,7 @@ static int iwl_mvm_sar_geo_init(struct iwl_mvm *mvm)
+       u16 len;
+       u32 n_bands;
+       u32 n_profiles;
++      u32 sk = 0;
+       int ret;
+       u8 cmd_ver = iwl_fw_lookup_cmd_ver(mvm->fw, PHY_OPS_GROUP,
+                                          PER_CHAIN_LIMIT_OFFSET_CMD,
+@@ -879,19 +880,26 @@ static int iwl_mvm_sar_geo_init(struct iwl_mvm *mvm)
+       if (ret)
+               return 0;
++      /* Only set to South Korea if the table revision is 1 */
++      if (mvm->fwrt.geo_rev == 1)
++              sk = 1;
++
+       /*
+-       * Set the revision on versions that contain it.
++       * Set the table_revision to South Korea (1) or not (0).  The
++       * element name is misleading, as it doesn't contain the table
++       * revision number, but whether the South Korea variation
++       * should be used.
+        * This must be done after calling iwl_sar_geo_init().
+        */
+       if (cmd_ver == 5)
+-              cmd.v5.table_revision = cpu_to_le32(mvm->fwrt.geo_rev);
++              cmd.v5.table_revision = cpu_to_le32(sk);
+       else if (cmd_ver == 4)
+-              cmd.v4.table_revision = cpu_to_le32(mvm->fwrt.geo_rev);
++              cmd.v4.table_revision = cpu_to_le32(sk);
+       else if (cmd_ver == 3)
+-              cmd.v3.table_revision = cpu_to_le32(mvm->fwrt.geo_rev);
++              cmd.v3.table_revision = cpu_to_le32(sk);
+       else if (fw_has_api(&mvm->fwrt.fw->ucode_capa,
+                           IWL_UCODE_TLV_API_SAR_TABLE_VER))
+-              cmd.v2.table_revision = cpu_to_le32(mvm->fwrt.geo_rev);
++              cmd.v2.table_revision = cpu_to_le32(sk);
+       return iwl_mvm_send_cmd_pdu(mvm,
+                                   WIDE_ID(PHY_OPS_GROUP,
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch b/queue-5.16/iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch
new file mode 100644 (file)
index 0000000..a393445
--- /dev/null
@@ -0,0 +1,69 @@
+From b226edfbd16bff9fb6c3dfaa7a3980f9ed27aa7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 11:12:42 +0200
+Subject: iwlwifi: fix leaks/bad data after failed firmware load
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ab07506b0454bea606095951e19e72c282bfbb42 ]
+
+If firmware load fails after having loaded some parts of the
+firmware, e.g. the IML image, then this would leak. For the
+host command list we'd end up running into a WARN on the next
+attempt to load another firmware image.
+
+Fix this by calling iwl_dealloc_ucode() on failures, and make
+that also clear the data so we start fresh on the next round.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211210110539.1f742f0eb58a.I1315f22f6aa632d94ae2069f85e1bca5e734dce0@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index 5cec467b995bb..ad94526a4e1e7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -130,6 +130,9 @@ static void iwl_dealloc_ucode(struct iwl_drv *drv)
+       for (i = 0; i < IWL_UCODE_TYPE_MAX; i++)
+               iwl_free_fw_img(drv, drv->fw.img + i);
++
++      /* clear the data for the aborted load case */
++      memset(&drv->fw, 0, sizeof(drv->fw));
+ }
+ static int iwl_alloc_fw_desc(struct iwl_drv *drv, struct fw_desc *desc,
+@@ -1375,6 +1378,7 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+       int i;
+       bool load_module = false;
+       bool usniffer_images = false;
++      bool failure = true;
+       fw->ucode_capa.max_probe_length = IWL_DEFAULT_MAX_PROBE_LENGTH;
+       fw->ucode_capa.standard_phy_calibration_size =
+@@ -1644,6 +1648,7 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+                               op->name, err);
+ #endif
+       }
++      failure = false;
+       goto free;
+  try_again:
+@@ -1659,6 +1664,9 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+       complete(&drv->request_firmware_complete);
+       device_release_driver(drv->trans->dev);
+  free:
++      if (failure)
++              iwl_dealloc_ucode(drv);
++
+       if (pieces) {
+               for (i = 0; i < ARRAY_SIZE(pieces->img); i++)
+                       kfree(pieces->img[i].sec);
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch b/queue-5.16/iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch
new file mode 100644 (file)
index 0000000..9bfdd87
--- /dev/null
@@ -0,0 +1,59 @@
+From d9ef67e80bc1720df997ab3afdda6c8a04af1626 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 13:10:47 +0200
+Subject: iwlwifi: mvm: avoid clearing a just saved session protection id
+
+From: Shaul Triebitz <shaul.triebitz@intel.com>
+
+[ Upstream commit 8e967c137df3b236d2075f9538cb888129425d1a ]
+
+When scheduling a session protection the id is saved but
+then it may be cleared when calling iwl_mvm_te_clear_data
+(if a previous session protection is currently active).
+Fix it by saving the id after calling iwl_mvm_te_clear_data.
+
+Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211204130722.b0743a588d14.I098fef6677d0dab3ef1b6183ed206a10bab01eb2@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+index f93f15357a3f8..b8c645b9880fc 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -1167,15 +1167,10 @@ void iwl_mvm_schedule_session_protection(struct iwl_mvm *mvm,
+                       cpu_to_le32(FW_CMD_ID_AND_COLOR(mvmvif->id,
+                                                       mvmvif->color)),
+               .action = cpu_to_le32(FW_CTXT_ACTION_ADD),
++              .conf_id = cpu_to_le32(SESSION_PROTECT_CONF_ASSOC),
+               .duration_tu = cpu_to_le32(MSEC_TO_TU(duration)),
+       };
+-      /* The time_event_data.id field is reused to save session
+-       * protection's configuration.
+-       */
+-      mvmvif->time_event_data.id = SESSION_PROTECT_CONF_ASSOC;
+-      cmd.conf_id = cpu_to_le32(mvmvif->time_event_data.id);
+-
+       lockdep_assert_held(&mvm->mutex);
+       spin_lock_bh(&mvm->time_event_lock);
+@@ -1189,6 +1184,11 @@ void iwl_mvm_schedule_session_protection(struct iwl_mvm *mvm,
+       }
+       iwl_mvm_te_clear_data(mvm, te_data);
++      /*
++       * The time_event_data.id field is reused to save session
++       * protection's configuration.
++       */
++      te_data->id = le32_to_cpu(cmd.conf_id);
+       te_data->duration = le32_to_cpu(cmd.duration_tu);
+       te_data->vif = vif;
+       spin_unlock_bh(&mvm->time_event_lock);
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch b/queue-5.16/iwlwifi-mvm-fix-32-bit-build-in-ftm.patch
new file mode 100644 (file)
index 0000000..3b967cc
--- /dev/null
@@ -0,0 +1,40 @@
+From d7ae18080dcc89ee47f323740ffc7c7130d9e882 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 11:14:18 +0200
+Subject: iwlwifi: mvm: fix 32-bit build in FTM
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8b0f92549f2c2458200935c12a2e2a6e80234cf5 ]
+
+On a 32-bit build, the division here needs to be done
+using do_div(), otherwise the compiler will try to call
+a function that doesn't exist, thus failing to build.
+
+Fixes: b68bd2e3143a ("iwlwifi: mvm: Add FTM initiator RTT smoothing logic")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219111352.e56cbf614a4d.Ib98004ccd2c7a55fd883a8ea7eebd810f406dec6@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+index 949fb790f8fb7..3e6c13fc74eb0 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+@@ -1066,7 +1066,8 @@ static void iwl_mvm_ftm_rtt_smoothing(struct iwl_mvm *mvm,
+       overshoot = IWL_MVM_FTM_INITIATOR_SMOOTH_OVERSHOOT;
+       alpha = IWL_MVM_FTM_INITIATOR_SMOOTH_ALPHA;
+-      rtt_avg = (alpha * rtt + (100 - alpha) * resp->rtt_avg) / 100;
++      rtt_avg = alpha * rtt + (100 - alpha) * resp->rtt_avg;
++      do_div(rtt_avg, 100);
+       IWL_DEBUG_INFO(mvm,
+                      "%pM: prev rtt_avg=%lld, new rtt_avg=%lld, rtt=%lld\n",
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-fix-aux-roc-removal.patch b/queue-5.16/iwlwifi-mvm-fix-aux-roc-removal.patch
new file mode 100644 (file)
index 0000000..81988f9
--- /dev/null
@@ -0,0 +1,59 @@
+From ac947d435cab3229b72b2f20499d86cb337131bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 13:28:31 +0200
+Subject: iwlwifi: mvm: fix AUX ROC removal
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit f0337cb48f3bf5f0bbccc985d8a0a8c4aa4934b7 ]
+
+When IWL_UCODE_TLV_CAPA_SESSION_PROT_CMD is set, removing a time event
+always tries to cancel session protection. However, AUX ROC does
+not use session protection so it was never removed. As a result,
+if the driver tries to allocate another AUX ROC event right after
+cancelling the first one, it will fail with a warning.
+In addition, the time event data passed to iwl_mvm_remove_aux_roc_te()
+is incorrect. Fix it.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219132536.915e1f69f062.Id837e917f1c2beaca7c1eb33333d622548918a76@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+index b8c645b9880fc..ab06dcda1462a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -696,11 +696,14 @@ static bool __iwl_mvm_remove_time_event(struct iwl_mvm *mvm,
+       iwl_mvm_te_clear_data(mvm, te_data);
+       spin_unlock_bh(&mvm->time_event_lock);
+-      /* When session protection is supported, the te_data->id field
++      /* When session protection is used, the te_data->id field
+        * is reused to save session protection's configuration.
++       * For AUX ROC, HOT_SPOT_CMD is used and the te_data->id field is set
++       * to HOT_SPOT_CMD.
+        */
+       if (fw_has_capa(&mvm->fw->ucode_capa,
+-                      IWL_UCODE_TLV_CAPA_SESSION_PROT_CMD)) {
++                      IWL_UCODE_TLV_CAPA_SESSION_PROT_CMD) &&
++          id != HOT_SPOT_CMD) {
+               if (mvmvif && id < SESSION_PROTECT_CONF_MAX_ID) {
+                       /* Session protection is still ongoing. Cancel it */
+                       iwl_mvm_cancel_session_protection(mvm, mvmvif, id);
+@@ -1036,7 +1039,7 @@ void iwl_mvm_stop_roc(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
+                       iwl_mvm_p2p_roc_finished(mvm);
+               } else {
+                       iwl_mvm_remove_aux_roc_te(mvm, mvmvif,
+-                                                &mvmvif->time_event_data);
++                                                &mvmvif->hs_time_event_data);
+                       iwl_mvm_roc_finished(mvm);
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-fix-calculation-of-frame-length.patch b/queue-5.16/iwlwifi-mvm-fix-calculation-of-frame-length.patch
new file mode 100644 (file)
index 0000000..d3a5ae5
--- /dev/null
@@ -0,0 +1,72 @@
+From 0b2e4e92b6af24de2d4798f244f4b57426b55731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 12:18:16 +0200
+Subject: iwlwifi: mvm: Fix calculation of frame length
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 40a0b38d7a7f91a6027287e0df54f5f547e8d27e ]
+
+The RADA might include in the Rx frame the MIC and CRC bytes.
+These bytes should be removed for non monitor interfaces and
+should not be passed to mac80211.
+
+Fix the Rx processing to remove the extra bytes on non monitor
+cases.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219121514.098be12c801e.I1d81733d8a75b84c3b20eb6e0d14ab3405ca6a86@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+index e0601f802628c..1e2a55ccf1926 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -121,12 +121,39 @@ static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
+       struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
+       unsigned int headlen, fraglen, pad_len = 0;
+       unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
++      u8 mic_crc_len = u8_get_bits(desc->mac_flags1,
++                                   IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK) << 1;
+       if (desc->mac_flags2 & IWL_RX_MPDU_MFLG2_PAD) {
+               len -= 2;
+               pad_len = 2;
+       }
++      /*
++       * For non monitor interface strip the bytes the RADA might not have
++       * removed. As monitor interface cannot exist with other interfaces
++       * this removal is safe.
++       */
++      if (mic_crc_len && !ieee80211_hw_check(mvm->hw, RX_INCLUDES_FCS)) {
++              u32 pkt_flags = le32_to_cpu(pkt->len_n_flags);
++
++              /*
++               * If RADA was not enabled then decryption was not performed so
++               * the MIC cannot be removed.
++               */
++              if (!(pkt_flags & FH_RSCSR_RADA_EN)) {
++                      if (WARN_ON(crypt_len > mic_crc_len))
++                              return -EINVAL;
++
++                      mic_crc_len -= crypt_len;
++              }
++
++              if (WARN_ON(mic_crc_len > len))
++                      return -EINVAL;
++
++              len -= mic_crc_len;
++      }
++
+       /* If frame is small enough to fit in skb->head, pull it completely.
+        * If not, only pull ieee80211_hdr (including crypto if present, and
+        * an additional 8 bytes for SNAP/ethertype, see below) so that
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-perform-6ghz-passive-scan-after-suspend.patch b/queue-5.16/iwlwifi-mvm-perform-6ghz-passive-scan-after-suspend.patch
new file mode 100644 (file)
index 0000000..dafe08a
--- /dev/null
@@ -0,0 +1,64 @@
+From f192aebacff0bd9f2e1390eb12496ce3cbcdb93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 12:18:20 +0200
+Subject: iwlwifi: mvm: perform 6GHz passive scan after suspend
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit f4745cbb17572209a7fa27a6796ed70e7ada860b ]
+
+The 6GHz passive scan is performed only once every 50 minutes.
+However, in case of suspend/resume, the regulatory information
+is reset, so 6GHz channels may become disabled.
+Fix it by performing a 6GHz passive scan within 60 seconds after
+suspend/resume even if the 50 minutes timeout did not expire yet.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Fixes: e8fe3b41c3a3 ("iwlwifi: mvm: Add support for 6GHz passive scan")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219121514.6d5c043372cf.I251dd5618a3f0b8febbcca788eb861f1cd6039bc@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 21 ++++++++-----------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index a138b5c4cce84..ab960f86b940c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -1924,22 +1924,19 @@ static void iwl_mvm_scan_6ghz_passive_scan(struct iwl_mvm *mvm,
+       }
+       /*
+-       * 6GHz passive scan is allowed while associated in a defined time
+-       * interval following HW reset or resume flow
++       * 6GHz passive scan is allowed in a defined time interval following HW
++       * reset or resume flow, or while not associated and a large interval
++       * has passed since the last 6GHz passive scan.
+        */
+-      if (vif->bss_conf.assoc &&
++      if ((vif->bss_conf.assoc ||
++           time_after(mvm->last_6ghz_passive_scan_jiffies +
++                      (IWL_MVM_6GHZ_PASSIVE_SCAN_TIMEOUT * HZ), jiffies)) &&
+           (time_before(mvm->last_reset_or_resume_time_jiffies +
+                        (IWL_MVM_6GHZ_PASSIVE_SCAN_ASSOC_TIMEOUT * HZ),
+                        jiffies))) {
+-              IWL_DEBUG_SCAN(mvm, "6GHz passive scan: associated\n");
+-              return;
+-      }
+-
+-      /* No need for 6GHz passive scan if not enough time elapsed */
+-      if (time_after(mvm->last_6ghz_passive_scan_jiffies +
+-                     (IWL_MVM_6GHZ_PASSIVE_SCAN_TIMEOUT * HZ), jiffies)) {
+-              IWL_DEBUG_SCAN(mvm,
+-                             "6GHz passive scan: timeout did not expire\n");
++              IWL_DEBUG_SCAN(mvm, "6GHz passive scan: %s\n",
++                             vif->bss_conf.assoc ? "associated" :
++                             "timeout did not expire");
+               return;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-set-protected-flag-only-for-ndp-ranging.patch b/queue-5.16/iwlwifi-mvm-set-protected-flag-only-for-ndp-ranging.patch
new file mode 100644 (file)
index 0000000..b109242
--- /dev/null
@@ -0,0 +1,39 @@
+From 238b747203e76d5000a506dd46ce300f520976e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 13:28:26 +0200
+Subject: iwlwifi: mvm: set protected flag only for NDP ranging
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 6bb2ea37c02db98cb677f978cfcb833ca608c5eb ]
+
+Don't use protected ranging negotiation for FTM ranging as responders
+that support only FTM ranging don't expect the FTM request to be
+protected.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Fixes: 517a5eb9fab2 ("iwlwifi: mvm: when associated with PMF, use protected NDP ranging negotiation")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219132536.f50ed0e3c6b3.Ibff247ee9d4e6e0a1a2d08a3c8a4bbb37e6829dd@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+index 3e6c13fc74eb0..9449d1af3c11a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+@@ -511,7 +511,7 @@ iwl_mvm_ftm_put_target(struct iwl_mvm *mvm, struct ieee80211_vif *vif,
+               rcu_read_lock();
+               sta = rcu_dereference(mvm->fw_id_to_mac_id[mvmvif->ap_sta_id]);
+-              if (sta->mfp)
++              if (sta->mfp && (peer->ftm.trigger_based || peer->ftm.non_trigger_based))
+                       FTM_PUT_FLAG(PMF);
+               rcu_read_unlock();
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch b/queue-5.16/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch
new file mode 100644 (file)
index 0000000..42c414f
--- /dev/null
@@ -0,0 +1,72 @@
+From 90db3ec6b0c9454235a6e104ad658892a9057468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 08:35:45 +0200
+Subject: iwlwifi: mvm: synchronize with FW after multicast commands
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit db66abeea3aefed481391ecc564fb7b7fb31d742 ]
+
+If userspace installs a lot of multicast groups very quickly, then
+we may run out of command queue space as we send the updates in an
+asynchronous fashion (due to locking concerns), and the CPU can
+create them faster than the firmware can process them. This is true
+even when mac80211 has a work struct that gets scheduled.
+
+Fix this by synchronizing with the firmware after sending all those
+commands - outside of the iteration we can send a synchronous echo
+command that just has the effect of the CPU waiting for the prior
+asynchronous commands to finish. This also will cause fewer of the
+commands to be sent to the firmware overall, because the work will
+only run once when rescheduled multiple times while it's running.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213649
+Suggested-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reported-by: Maximilian Ernestus <maximilian@ernestus.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211204083238.51aea5b79ea4.I88a44798efda16e9fe480fb3e94224931d311b29@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c   | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 897e3b91ddb2f..9c5c10908f013 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -1688,6 +1688,7 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm)
+       struct iwl_mvm_mc_iter_data iter_data = {
+               .mvm = mvm,
+       };
++      int ret;
+       lockdep_assert_held(&mvm->mutex);
+@@ -1697,6 +1698,22 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm)
+       ieee80211_iterate_active_interfaces_atomic(
+               mvm->hw, IEEE80211_IFACE_ITER_NORMAL,
+               iwl_mvm_mc_iface_iterator, &iter_data);
++
++      /*
++       * Send a (synchronous) ech command so that we wait for the
++       * multiple asynchronous MCAST_FILTER_CMD commands sent by
++       * the interface iterator. Otherwise, we might get here over
++       * and over again (by userspace just sending a lot of these)
++       * and the CPU can send them faster than the firmware can
++       * process them.
++       * Note that the CPU is still faster - but with this we'll
++       * actually send fewer commands overall because the CPU will
++       * not schedule the work in mac80211 as frequently if it's
++       * still running when rescheduled (possibly multiple times).
++       */
++      ret = iwl_mvm_send_cmd_pdu(mvm, ECHO_CMD, 0, 0, NULL);
++      if (ret)
++              IWL_ERR(mvm, "Failed to synchronize multicast groups update\n");
+ }
+ static u64 iwl_mvm_prepare_multicast(struct ieee80211_hw *hw,
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch b/queue-5.16/iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch
new file mode 100644 (file)
index 0000000..ac60727
--- /dev/null
@@ -0,0 +1,67 @@
+From 81784fda60e1408c916725a8426e2898beb87f10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 12:18:15 +0200
+Subject: iwlwifi: mvm: test roc running status bits before removing the sta
+
+From: Nathan Errera <nathan.errera@intel.com>
+
+[ Upstream commit 998e1aba6e5eb35370eaf30ccc1823426ec11f90 ]
+
+In some cases the sta is being removed twice since we do not test the
+roc aux running before removing it. Start looking at the bit before
+removing the sta.
+
+Signed-off-by: Nathan Errera <nathan.errera@intel.com>
+Fixes: 2c2c3647cde4 ("iwlwifi: mvm: support ADD_STA_CMD_API_S ver 12")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219121514.d5376ac6bcb0.Ic5f8470ea60c072bde9d1503e5f528b65e301e20@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/time-event.c   | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+index e91f8e889df70..f93f15357a3f8 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -49,14 +49,13 @@ void iwl_mvm_roc_done_wk(struct work_struct *wk)
+       struct iwl_mvm *mvm = container_of(wk, struct iwl_mvm, roc_done_wk);
+       /*
+-       * Clear the ROC_RUNNING /ROC_AUX_RUNNING status bit.
++       * Clear the ROC_RUNNING status bit.
+        * This will cause the TX path to drop offchannel transmissions.
+        * That would also be done by mac80211, but it is racy, in particular
+        * in the case that the time event actually completed in the firmware
+        * (which is handled in iwl_mvm_te_handle_notif).
+        */
+       clear_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status);
+-      clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status);
+       synchronize_net();
+@@ -82,9 +81,19 @@ void iwl_mvm_roc_done_wk(struct work_struct *wk)
+                       mvmvif = iwl_mvm_vif_from_mac80211(mvm->p2p_device_vif);
+                       iwl_mvm_flush_sta(mvm, &mvmvif->bcast_sta, true);
+               }
+-      } else {
++      }
++
++      /*
++       * Clear the ROC_AUX_RUNNING status bit.
++       * This will cause the TX path to drop offchannel transmissions.
++       * That would also be done by mac80211, but it is racy, in particular
++       * in the case that the time event actually completed in the firmware
++       * (which is handled in iwl_mvm_te_handle_notif).
++       */
++      if (test_and_clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status)) {
+               /* do the same in case of hot spot 2.0 */
+               iwl_mvm_flush_sta(mvm, &mvm->aux_sta, true);
++
+               /* In newer version of this command an aux station is added only
+                * in cases of dedicated tx queue and need to be removed in end
+                * of use */
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch b/queue-5.16/iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch
new file mode 100644 (file)
index 0000000..da5fb55
--- /dev/null
@@ -0,0 +1,56 @@
+From 1a0bb24e461a193589911cc00752dccbd1d91e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Dec 2021 12:17:57 -0700
+Subject: iwlwifi: mvm: Use div_s64 instead of do_div in
+ iwl_mvm_ftm_rtt_smoothing()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 4ccdcc8ffd955490feec05380223db6a48961eb5 ]
+
+When building ARCH=arm allmodconfig:
+
+drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c: In function ‘iwl_mvm_ftm_rtt_smoothing’:
+./include/asm-generic/div64.h:222:35: error: comparison of distinct pointer types lacks a cast [-Werror]
+  222 |         (void)(((typeof((n)) *)0) == ((uint64_t *)0));  \
+      |                                   ^~
+drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c:1070:9: note: in expansion of macro ‘do_div’
+ 1070 |         do_div(rtt_avg, 100);
+      |         ^~~~~~
+
+do_div() has to be used with an unsigned 64-bit integer dividend but
+rtt_avg is a signed 64-bit integer.
+
+div_s64() expects a signed 64-bit integer dividend and signed 32-bit
+divisor, which fits this scenario, so use that function here to fix the
+warning.
+
+Fixes: 8b0f92549f2c ("iwlwifi: mvm: fix 32-bit build in FTM")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20211227191757.2354329-1-nathan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+index 9449d1af3c11a..628aee634b2ad 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+@@ -1066,8 +1066,7 @@ static void iwl_mvm_ftm_rtt_smoothing(struct iwl_mvm *mvm,
+       overshoot = IWL_MVM_FTM_INITIATOR_SMOOTH_OVERSHOOT;
+       alpha = IWL_MVM_FTM_INITIATOR_SMOOTH_ALPHA;
+-      rtt_avg = alpha * rtt + (100 - alpha) * resp->rtt_avg;
+-      do_div(rtt_avg, 100);
++      rtt_avg = div_s64(alpha * rtt + (100 - alpha) * resp->rtt_avg, 100);
+       IWL_DEBUG_INFO(mvm,
+                      "%pM: prev rtt_avg=%lld, new rtt_avg=%lld, rtt=%lld\n",
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch b/queue-5.16/iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch
new file mode 100644 (file)
index 0000000..649b40e
--- /dev/null
@@ -0,0 +1,45 @@
+From e3e1757642dd1d4f2f9ec1f32dff8d6df1358f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Dec 2021 13:28:34 +0200
+Subject: iwlwifi: pcie: make sure prph_info is set when treating wakeup IRQ
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit 459fc0f2c6b0f6e280bfa0f230c100c9dfe3a199 ]
+
+In some rare cases when the HW is in a bad state, we may get this
+interrupt when prph_info is not set yet.  Then we will try to
+dereference it to check the sleep_notif element, which will cause an
+oops.
+
+Fix that by ignoring the interrupt if prph_info is not set yet.
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211219132536.0537aa562313.I183bb336345b9b3da196ba9e596a6f189fbcbd09@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+index 14602d6d6699f..8247014278f30 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
+@@ -2266,7 +2266,12 @@ irqreturn_t iwl_pcie_irq_msix_handler(int irq, void *dev_id)
+               }
+       }
+-      if (inta_hw & MSIX_HW_INT_CAUSES_REG_WAKEUP) {
++      /*
++       * In some rare cases when the HW is in a bad state, we may
++       * get this interrupt too early, when prph_info is still NULL.
++       * So make sure that it's not NULL to prevent crashing.
++       */
++      if (inta_hw & MSIX_HW_INT_CAUSES_REG_WAKEUP && trans_pcie->prph_info) {
+               u32 sleep_notif =
+                       le32_to_cpu(trans_pcie->prph_info->sleep_notif);
+               if (sleep_notif == IWL_D3_SLEEP_STATUS_SUSPEND ||
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-recognize-missing-pnvm-data-and-then-log-fil.patch b/queue-5.16/iwlwifi-recognize-missing-pnvm-data-and-then-log-fil.patch
new file mode 100644 (file)
index 0000000..0e85671
--- /dev/null
@@ -0,0 +1,110 @@
+From 64802e0ffd72d3ac9d246c870e26608f0684466e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 09:06:20 +0200
+Subject: iwlwifi: recognize missing PNVM data and then log filename
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit 1db385c668d3ccb04ccdb5f0f190fd17b2db29c6 ]
+
+We can detect that a FW SYSASSERT is due to missing PNVM data by
+checking the assertion code.  When this happens, it's is useful for
+the user if we print the filename where the driver is looking for the
+data.
+
+Add the PNVM missing assertion code to the dump list and print out the
+name of the file we're looking for when this happens.
+
+Reported-by: Sam Edwards <CFSworks@gmail.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211210090244.1d8725b7518a.I0c36617a7282bd445cda484d97ac4a83022706ee@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dump.c | 9 +++++++++
+ drivers/net/wireless/intel/iwlwifi/fw/img.c  | 6 +++---
+ drivers/net/wireless/intel/iwlwifi/fw/img.h  | 4 ++++
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dump.c b/drivers/net/wireless/intel/iwlwifi/fw/dump.c
+index 016b3a4c5f513..6a37933a02169 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dump.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dump.c
+@@ -12,6 +12,7 @@
+ #include "iwl-io.h"
+ #include "iwl-prph.h"
+ #include "iwl-csr.h"
++#include "pnvm.h"
+ /*
+  * Note: This structure is read from the device with IO accesses,
+@@ -147,6 +148,7 @@ static void iwl_fwrt_dump_umac_error_log(struct iwl_fw_runtime *fwrt)
+       struct iwl_trans *trans = fwrt->trans;
+       struct iwl_umac_error_event_table table = {};
+       u32 base = fwrt->trans->dbg.umac_error_event_table;
++      char pnvm_name[MAX_PNVM_NAME];
+       if (!base &&
+           !(fwrt->trans->dbg.error_event_table_tlv_status &
+@@ -164,6 +166,13 @@ static void iwl_fwrt_dump_umac_error_log(struct iwl_fw_runtime *fwrt)
+                       fwrt->trans->status, table.valid);
+       }
++      if ((table.error_id & ~FW_SYSASSERT_CPU_MASK) ==
++          FW_SYSASSERT_PNVM_MISSING) {
++              iwl_pnvm_get_fs_name(trans, pnvm_name, sizeof(pnvm_name));
++              IWL_ERR(fwrt, "PNVM data is missing, please install %s\n",
++                      pnvm_name);
++      }
++
+       IWL_ERR(fwrt, "0x%08X | %s\n", table.error_id,
+               iwl_fw_lookup_assert_desc(table.error_id));
+       IWL_ERR(fwrt, "0x%08X | umac branchlink1\n", table.blink1);
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/img.c b/drivers/net/wireless/intel/iwlwifi/fw/img.c
+index 24a9666736913..530674a35eeb2 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/img.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/img.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+ /*
+- * Copyright(c) 2019 - 2020 Intel Corporation
++ * Copyright(c) 2019 - 2021 Intel Corporation
+  */
+ #include "img.h"
+@@ -49,10 +49,9 @@ u8 iwl_fw_lookup_notif_ver(const struct iwl_fw *fw, u8 grp, u8 cmd, u8 def)
+ }
+ EXPORT_SYMBOL_GPL(iwl_fw_lookup_notif_ver);
+-#define FW_SYSASSERT_CPU_MASK 0xf0000000
+ static const struct {
+       const char *name;
+-      u8 num;
++      u32 num;
+ } advanced_lookup[] = {
+       { "NMI_INTERRUPT_WDG", 0x34 },
+       { "SYSASSERT", 0x35 },
+@@ -73,6 +72,7 @@ static const struct {
+       { "NMI_INTERRUPT_ACTION_PT", 0x7C },
+       { "NMI_INTERRUPT_UNKNOWN", 0x84 },
+       { "NMI_INTERRUPT_INST_ACTION_PT", 0x86 },
++      { "PNVM_MISSING", FW_SYSASSERT_PNVM_MISSING },
+       { "ADVANCED_SYSASSERT", 0 },
+ };
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/img.h b/drivers/net/wireless/intel/iwlwifi/fw/img.h
+index 993bda17fa309..fa7b1780064c2 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/img.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/img.h
+@@ -279,4 +279,8 @@ u8 iwl_fw_lookup_cmd_ver(const struct iwl_fw *fw, u8 grp, u8 cmd, u8 def);
+ u8 iwl_fw_lookup_notif_ver(const struct iwl_fw *fw, u8 grp, u8 cmd, u8 def);
+ const char *iwl_fw_lookup_assert_desc(u32 num);
++
++#define FW_SYSASSERT_CPU_MASK         0xf0000000
++#define FW_SYSASSERT_PNVM_MISSING     0x0010070d
++
+ #endif  /* __iwl_fw_img_h__ */
+-- 
+2.34.1
+
diff --git a/queue-5.16/iwlwifi-remove-module-loading-failure-message.patch b/queue-5.16/iwlwifi-remove-module-loading-failure-message.patch
new file mode 100644 (file)
index 0000000..945f7e9
--- /dev/null
@@ -0,0 +1,51 @@
+From 75678ebb39436a5e1d2f40cd43805eb7c7a3e6e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 11:12:45 +0200
+Subject: iwlwifi: remove module loading failure message
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 6518f83ffa51131daaf439b66094f684da3fb0ae ]
+
+When CONFIG_DEBUG_TEST_DRIVER_REMOVE is set, iwlwifi crashes
+when the opmode module cannot be loaded, due to completing
+the completion before using drv->dev, which can then already
+be freed.
+
+Fix this by removing the (fairly useless) message. Moving the
+completion later causes a deadlock instead, so that's not an
+option.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/20211210091245.289008-2-luca@coelho.fi
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index ad94526a4e1e7..f53ce9c086947 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1639,15 +1639,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+        * else from proceeding if the module fails to load
+        * or hangs loading.
+        */
+-      if (load_module) {
++      if (load_module)
+               request_module("%s", op->name);
+-#ifdef CONFIG_IWLWIFI_OPMODE_MODULAR
+-              if (err)
+-                      IWL_ERR(drv,
+-                              "failed to load module %s (error %d), is dynamic loading enabled?\n",
+-                              op->name, err);
+-#endif
+-      }
+       failure = false;
+       goto free;
+-- 
+2.34.1
+
diff --git a/queue-5.16/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch b/queue-5.16/jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch
new file mode 100644 (file)
index 0000000..f57f41a
--- /dev/null
@@ -0,0 +1,133 @@
+From cca7a9e5dbc7e4e2dce58cf99f42b33f24477f30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jul 2017 16:22:38 +1200
+Subject: jffs2: GC deadlock reading a page that is used in jffs2_write_begin()
+
+From: Kyeong Yoo <kyeong.yoo@alliedtelesis.co.nz>
+
+[ Upstream commit aa39cc675799bc92da153af9a13d6f969c348e82 ]
+
+GC task can deadlock in read_cache_page() because it may attempt
+to release a page that is actually allocated by another task in
+jffs2_write_begin().
+The reason is that in jffs2_write_begin() there is a small window
+a cache page is allocated for use but not set Uptodate yet.
+
+This ends up with a deadlock between two tasks:
+1) A task (e.g. file copy)
+   - jffs2_write_begin() locks a cache page
+   - jffs2_write_end() tries to lock "alloc_sem" from
+        jffs2_reserve_space() <-- STUCK
+2) GC task (jffs2_gcd_mtd3)
+   - jffs2_garbage_collect_pass() locks "alloc_sem"
+   - try to lock the same cache page in read_cache_page() <-- STUCK
+
+So to avoid this deadlock, hold "alloc_sem" in jffs2_write_begin()
+while reading data in a cache page.
+
+Signed-off-by: Kyeong Yoo <kyeong.yoo@alliedtelesis.co.nz>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/file.c | 40 +++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/fs/jffs2/file.c b/fs/jffs2/file.c
+index 4fc8cd698d1a4..bd7d58d27bfc6 100644
+--- a/fs/jffs2/file.c
++++ b/fs/jffs2/file.c
+@@ -136,20 +136,15 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+       struct page *pg;
+       struct inode *inode = mapping->host;
+       struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
++      struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+       pgoff_t index = pos >> PAGE_SHIFT;
+       uint32_t pageofs = index << PAGE_SHIFT;
+       int ret = 0;
+-      pg = grab_cache_page_write_begin(mapping, index, flags);
+-      if (!pg)
+-              return -ENOMEM;
+-      *pagep = pg;
+-
+       jffs2_dbg(1, "%s()\n", __func__);
+       if (pageofs > inode->i_size) {
+               /* Make new hole frag from old EOF to new page */
+-              struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+               struct jffs2_raw_inode ri;
+               struct jffs2_full_dnode *fn;
+               uint32_t alloc_len;
+@@ -160,7 +155,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+               ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
+                                         ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+               if (ret)
+-                      goto out_page;
++                      goto out_err;
+               mutex_lock(&f->sem);
+               memset(&ri, 0, sizeof(ri));
+@@ -190,7 +185,7 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+                       ret = PTR_ERR(fn);
+                       jffs2_complete_reservation(c);
+                       mutex_unlock(&f->sem);
+-                      goto out_page;
++                      goto out_err;
+               }
+               ret = jffs2_add_full_dnode_to_inode(c, f, fn);
+               if (f->metadata) {
+@@ -205,13 +200,26 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+                       jffs2_free_full_dnode(fn);
+                       jffs2_complete_reservation(c);
+                       mutex_unlock(&f->sem);
+-                      goto out_page;
++                      goto out_err;
+               }
+               jffs2_complete_reservation(c);
+               inode->i_size = pageofs;
+               mutex_unlock(&f->sem);
+       }
++      /*
++       * While getting a page and reading data in, lock c->alloc_sem until
++       * the page is Uptodate. Otherwise GC task may attempt to read the same
++       * page in read_cache_page(), which causes a deadlock.
++       */
++      mutex_lock(&c->alloc_sem);
++      pg = grab_cache_page_write_begin(mapping, index, flags);
++      if (!pg) {
++              ret = -ENOMEM;
++              goto release_sem;
++      }
++      *pagep = pg;
++
+       /*
+        * Read in the page if it wasn't already present. Cannot optimize away
+        * the whole page write case until jffs2_write_end can handle the
+@@ -221,15 +229,17 @@ static int jffs2_write_begin(struct file *filp, struct address_space *mapping,
+               mutex_lock(&f->sem);
+               ret = jffs2_do_readpage_nolock(inode, pg);
+               mutex_unlock(&f->sem);
+-              if (ret)
+-                      goto out_page;
++              if (ret) {
++                      unlock_page(pg);
++                      put_page(pg);
++                      goto release_sem;
++              }
+       }
+       jffs2_dbg(1, "end write_begin(). pg->flags %lx\n", pg->flags);
+-      return ret;
+-out_page:
+-      unlock_page(pg);
+-      put_page(pg);
++release_sem:
++      mutex_unlock(&c->alloc_sem);
++out_err:
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/kasan-fix-quarantine-conflicting-with-init_on_free.patch b/queue-5.16/kasan-fix-quarantine-conflicting-with-init_on_free.patch
new file mode 100644 (file)
index 0000000..7729396
--- /dev/null
@@ -0,0 +1,63 @@
+From 63f7a8ce353ea125e501a8e3991dd90be7fa9f71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:05:01 -0800
+Subject: kasan: fix quarantine conflicting with init_on_free
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+[ Upstream commit 26dca996ea7b1ac7008b6b6063fc88b849e3ac3e ]
+
+KASAN's quarantine might save its metadata inside freed objects.  As
+this happens after the memory is zeroed by the slab allocator when
+init_on_free is enabled, the memory coming out of quarantine is not
+properly zeroed.
+
+This causes lib/test_meminit.c tests to fail with Generic KASAN.
+
+Zero the metadata when the object is removed from quarantine.
+
+Link: https://lkml.kernel.org/r/2805da5df4b57138fdacd671f5d227d58950ba54.1640037083.git.andreyknvl@google.com
+Fixes: 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options")
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/kasan/quarantine.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/mm/kasan/quarantine.c b/mm/kasan/quarantine.c
+index d8ccff4c1275e..47ed4fc33a29e 100644
+--- a/mm/kasan/quarantine.c
++++ b/mm/kasan/quarantine.c
+@@ -132,11 +132,22 @@ static void *qlink_to_object(struct qlist_node *qlink, struct kmem_cache *cache)
+ static void qlink_free(struct qlist_node *qlink, struct kmem_cache *cache)
+ {
+       void *object = qlink_to_object(qlink, cache);
++      struct kasan_free_meta *meta = kasan_get_free_meta(cache, object);
+       unsigned long flags;
+       if (IS_ENABLED(CONFIG_SLAB))
+               local_irq_save(flags);
++      /*
++       * If init_on_free is enabled and KASAN's free metadata is stored in
++       * the object, zero the metadata. Otherwise, the object's memory will
++       * not be properly zeroed, as KASAN saves the metadata after the slab
++       * allocator zeroes the object.
++       */
++      if (slab_want_init_on_free(cache) &&
++          cache->kasan_info.free_meta_offset == 0)
++              memzero_explicit(meta, sizeof(*meta));
++
+       /*
+        * As the object now gets freed from the quarantine, assume that its
+        * free track is no longer valid.
+-- 
+2.34.1
+
diff --git a/queue-5.16/kernel-locking-use-a-pointer-in-ww_mutex_trylock.patch b/queue-5.16/kernel-locking-use-a-pointer-in-ww_mutex_trylock.patch
new file mode 100644 (file)
index 0000000..66e81b6
--- /dev/null
@@ -0,0 +1,36 @@
+From 3f6ba040772804252868ad529ef10a07fd7a5836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 13:27:06 +0100
+Subject: kernel/locking: Use a pointer in ww_mutex_trylock().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 2202e15b2b1a946ce760d96748cd7477589701ab ]
+
+mutex_acquire_nest() expects a pointer, pass the pointer.
+
+Fixes: 12235da8c80a1 ("kernel/locking: Add context to ww_mutex_trylock()")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20211104122706.frk52zxbjorso2kv@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/ww_rt_mutex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/locking/ww_rt_mutex.c b/kernel/locking/ww_rt_mutex.c
+index 0e00205cf467a..d1473c624105c 100644
+--- a/kernel/locking/ww_rt_mutex.c
++++ b/kernel/locking/ww_rt_mutex.c
+@@ -26,7 +26,7 @@ int ww_mutex_trylock(struct ww_mutex *lock, struct ww_acquire_ctx *ww_ctx)
+       if (__rt_mutex_trylock(&rtm->rtmutex)) {
+               ww_mutex_set_context_fastpath(lock, ww_ctx);
+-              mutex_acquire_nest(&rtm->dep_map, 0, 1, ww_ctx->dep_map, _RET_IP_);
++              mutex_acquire_nest(&rtm->dep_map, 0, 1, &ww_ctx->dep_map, _RET_IP_);
+               return 1;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/kunit-don-t-crash-if-no-parameters-are-generated.patch b/queue-5.16/kunit-don-t-crash-if-no-parameters-are-generated.patch
new file mode 100644 (file)
index 0000000..47a4ec2
--- /dev/null
@@ -0,0 +1,70 @@
+From 3e73568ff0743a192d9cde3b86c0590b36016a5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 00:30:13 -0700
+Subject: kunit: Don't crash if no parameters are generated
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 37dbb4c7c7442dbfc9b651e4ddd4afe30b26afc9 ]
+
+It's possible that a parameterised test could end up with zero
+parameters. At the moment, the test function will nevertheless be called
+with NULL as the parameter. Instead, don't try to run the test code, and
+just mark the test as SKIPped.
+
+Reported-by: Daniel Latypov <dlatypov@google.com>
+Signed-off-by: David Gow <davidgow@google.com>
+Reviewed-by: Daniel Latypov <dlatypov@google.com>
+Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kunit/test.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/lib/kunit/test.c b/lib/kunit/test.c
+index 3bd741e50a2d3..f96498ede2cc5 100644
+--- a/lib/kunit/test.c
++++ b/lib/kunit/test.c
+@@ -504,16 +504,18 @@ int kunit_run_tests(struct kunit_suite *suite)
+               struct kunit_result_stats param_stats = { 0 };
+               test_case->status = KUNIT_SKIPPED;
+-              if (test_case->generate_params) {
++              if (!test_case->generate_params) {
++                      /* Non-parameterised test. */
++                      kunit_run_case_catch_errors(suite, test_case, &test);
++                      kunit_update_stats(&param_stats, test.status);
++              } else {
+                       /* Get initial param. */
+                       param_desc[0] = '\0';
+                       test.param_value = test_case->generate_params(NULL, param_desc);
+-              }
+-              do {
+-                      kunit_run_case_catch_errors(suite, test_case, &test);
++                      while (test.param_value) {
++                              kunit_run_case_catch_errors(suite, test_case, &test);
+-                      if (test_case->generate_params) {
+                               if (param_desc[0] == '\0') {
+                                       snprintf(param_desc, sizeof(param_desc),
+                                                "param-%d", test.param_index);
+@@ -530,11 +532,11 @@ int kunit_run_tests(struct kunit_suite *suite)
+                               param_desc[0] = '\0';
+                               test.param_value = test_case->generate_params(test.param_value, param_desc);
+                               test.param_index++;
+-                      }
+-                      kunit_update_stats(&param_stats, test.status);
++                              kunit_update_stats(&param_stats, test.status);
++                      }
++              }
+-              } while (test.param_value);
+               kunit_print_test_stats(&test, param_stats);
+-- 
+2.34.1
+
diff --git a/queue-5.16/kunit-tool-fix-json-output-for-skipped-tests.patch b/queue-5.16/kunit-tool-fix-json-output-for-skipped-tests.patch
new file mode 100644 (file)
index 0000000..eca9859
--- /dev/null
@@ -0,0 +1,66 @@
+From 2e218b2d17700668242536cf0bef7642f2b8b731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 16:24:21 -0700
+Subject: kunit: tool: fix --json output for skipped tests
+
+From: Daniel Latypov <dlatypov@google.com>
+
+[ Upstream commit 9a6bb30a8830bb868b09629f0b9ad5d2b5fbb2f9 ]
+
+Currently, KUnit will report SKIPPED tests as having failed if one uses
+--json.
+
+Add the missing if statement to set the appropriate status ("SKIP").
+See https://api.kernelci.org/schema-test-case.html:
+  "status": {
+      "type": "string",
+      "description": "The status of the execution of this test case",
+      "enum": ["PASS", "FAIL", "SKIP", "ERROR"],
+      "default": "PASS"
+  },
+with this, we now can properly produce all four of the statuses.
+
+Fixes: 5acaf6031f53 ("kunit: tool: Support skipped tests in kunit_tool")
+Signed-off-by: Daniel Latypov <dlatypov@google.com>
+Reviewed-by: David Gow <davidgow@google.com>
+Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/kunit/kunit_json.py      | 2 ++
+ tools/testing/kunit/kunit_tool_test.py | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/tools/testing/kunit/kunit_json.py b/tools/testing/kunit/kunit_json.py
+index 746bec72b9ac2..b6e66c5d64d14 100644
+--- a/tools/testing/kunit/kunit_json.py
++++ b/tools/testing/kunit/kunit_json.py
+@@ -30,6 +30,8 @@ def _get_group_json(test: Test, def_config: str,
+                       test_case = {"name": subtest.name, "status": "FAIL"}
+                       if subtest.status == TestStatus.SUCCESS:
+                               test_case["status"] = "PASS"
++                      elif subtest.status == TestStatus.SKIPPED:
++                              test_case["status"] = "SKIP"
+                       elif subtest.status == TestStatus.TEST_CRASHED:
+                               test_case["status"] = "ERROR"
+                       test_cases.append(test_case)
+diff --git a/tools/testing/kunit/kunit_tool_test.py b/tools/testing/kunit/kunit_tool_test.py
+index 9c41267314573..34cb0a12ba180 100755
+--- a/tools/testing/kunit/kunit_tool_test.py
++++ b/tools/testing/kunit/kunit_tool_test.py
+@@ -383,6 +383,12 @@ class KUnitJsonTest(unittest.TestCase):
+                       {'name': 'example_simple_test', 'status': 'ERROR'},
+                       result["sub_groups"][1]["test_cases"][0])
++      def test_skipped_test_json(self):
++              result = self._json_for('test_skip_tests.log')
++              self.assertEqual(
++                      {'name': 'example_skip_test', 'status': 'SKIP'},
++                      result["sub_groups"][1]["test_cases"][1])
++
+       def test_no_tests_json(self):
+               result = self._json_for('test_is_test_passed-no_tests_run_with_header.log')
+               self.assertEqual(0, len(result['sub_groups']))
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch b/queue-5.16/kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch
new file mode 100644 (file)
index 0000000..a9e5d7a
--- /dev/null
@@ -0,0 +1,44 @@
+From 5c09bf702bd9b1328e7d07f5d0945d939a03bbf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 18:45:50 +1000
+Subject: KVM: PPC: Book3S: Suppress failed alloc warning in
+ H_COPY_TOFROM_GUEST
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit 792020907b11c6f9246c21977cab3bad985ae4b6 ]
+
+H_COPY_TOFROM_GUEST is an hcall for an upper level VM to access its nested
+VMs memory. The userspace can trigger WARN_ON_ONCE(!(gfp & __GFP_NOWARN))
+in __alloc_pages() by constructing a tiny VM which only does
+H_COPY_TOFROM_GUEST with a too big GPR9 (number of bytes to copy).
+
+This silences the warning by adding __GFP_NOWARN.
+
+Spotted by syzkaller.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210901084550.1658699-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv_nested.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv_nested.c b/arch/powerpc/kvm/book3s_hv_nested.c
+index ed8a2c9f56299..89295b52a97c3 100644
+--- a/arch/powerpc/kvm/book3s_hv_nested.c
++++ b/arch/powerpc/kvm/book3s_hv_nested.c
+@@ -582,7 +582,7 @@ long kvmhv_copy_tofrom_guest_nested(struct kvm_vcpu *vcpu)
+       if (eaddr & (0xFFFUL << 52))
+               return H_PARAMETER;
+-      buf = kzalloc(n, GFP_KERNEL);
++      buf = kzalloc(n, GFP_KERNEL | __GFP_NOWARN);
+       if (!buf)
+               return H_NO_MEM;
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch b/queue-5.16/kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch
new file mode 100644 (file)
index 0000000..3e1ef5c
--- /dev/null
@@ -0,0 +1,53 @@
+From b6bbff36b014a71ab14a46b93267ca1a938e30cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 18:45:12 +1000
+Subject: KVM: PPC: Book3S: Suppress warnings when allocating too big memory
+ slots
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit 511d25d6b789fffcb20a3eb71899cf974a31bd9d ]
+
+The userspace can trigger "vmalloc size %lu allocation failure: exceeds
+total pages" via the KVM_SET_USER_MEMORY_REGION ioctl.
+
+This silences the warning by checking the limit before calling vzalloc()
+and returns ENOMEM if failed.
+
+This does not call underlying valloc helpers as __vmalloc_node() is only
+exported when CONFIG_TEST_VMALLOC_MODULE and __vmalloc_node_range() is
+not exported at all.
+
+Spotted by syzkaller.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+[mpe: Use 'size' for the variable rather than 'cb']
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210901084512.1658628-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 7b74fc0a986b8..94da0d25eb125 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -4861,8 +4861,12 @@ static int kvmppc_core_prepare_memory_region_hv(struct kvm *kvm,
+       unsigned long npages = mem->memory_size >> PAGE_SHIFT;
+       if (change == KVM_MR_CREATE) {
+-              slot->arch.rmap = vzalloc(array_size(npages,
+-                                        sizeof(*slot->arch.rmap)));
++              unsigned long size = array_size(npages, sizeof(*slot->arch.rmap));
++
++              if ((size >> PAGE_SHIFT) > totalram_pages())
++                      return -ENOMEM;
++
++              slot->arch.rmap = vzalloc(size);
+               if (!slot->arch.rmap)
+                       return -ENOMEM;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-risc-v-avoid-spurious-virtual-interrupts-after-c.patch b/queue-5.16/kvm-risc-v-avoid-spurious-virtual-interrupts-after-c.patch
new file mode 100644 (file)
index 0000000..1d0c406
--- /dev/null
@@ -0,0 +1,49 @@
+From 026c6a2d5ad52833ce67682c0abccba27e4f2ae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Dec 2021 11:05:14 +0800
+Subject: KVM: RISC-V: Avoid spurious virtual interrupts after clearing hideleg
+ CSR
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+[ Upstream commit 33e5b5746cc2336660c8710ba109d9a3923627b5 ]
+
+When the last VM is terminated, the host kernel will invoke function
+hardware_disable_nolock() on each CPU to disable the related virtualization
+functions. Here, RISC-V currently only clears hideleg CSR and hedeleg CSR.
+This behavior will cause the host kernel to receive spurious interrupts if
+hvip CSR has pending interrupts and the corresponding enable bits in vsie
+CSR are asserted. To avoid it, hvip CSR and vsie CSR must be cleared
+before clearing hideleg CSR.
+
+Fixes: 99cdc6c18c2d ("RISC-V: Add initial skeletal KVM support")
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Reviewed-by: Anup Patel <anup.patel@wdc.com>
+Signed-off-by: Anup Patel <anup.patel@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/riscv/kvm/main.c b/arch/riscv/kvm/main.c
+index 421ecf4e6360b..2e5ca43c8c49e 100644
+--- a/arch/riscv/kvm/main.c
++++ b/arch/riscv/kvm/main.c
+@@ -58,6 +58,14 @@ int kvm_arch_hardware_enable(void)
+ void kvm_arch_hardware_disable(void)
+ {
++      /*
++       * After clearing the hideleg CSR, the host kernel will receive
++       * spurious interrupts if hvip CSR has pending interrupts and the
++       * corresponding enable bits in vsie CSR are asserted. To avoid it,
++       * hvip CSR and vsie CSR must be cleared before clearing hideleg CSR.
++       */
++      csr_write(CSR_VSIE, 0);
++      csr_write(CSR_HVIP, 0);
+       csr_write(CSR_HEDELEG, 0);
+       csr_write(CSR_HIDELEG, 0);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-s390-ensure-kvm_arch_no_poll-is-read-once-when-b.patch b/queue-5.16/kvm-s390-ensure-kvm_arch_no_poll-is-read-once-when-b.patch
new file mode 100644 (file)
index 0000000..bba6684
--- /dev/null
@@ -0,0 +1,78 @@
+From b9abe630362dfba539edfb197e1c3ceb90d62a89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 19:11:56 -0700
+Subject: KVM: s390: Ensure kvm_arch_no_poll() is read once when blocking vCPU
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 6f390916c4fb359507d9ac4bf1b28a4f8abee5c0 ]
+
+Wrap s390's halt_poll_max_steal with READ_ONCE and snapshot the result of
+kvm_arch_no_poll() in kvm_vcpu_block() to avoid a mostly-theoretical,
+largely benign bug on s390 where the result of kvm_arch_no_poll() could
+change due to userspace modifying halt_poll_max_steal while the vCPU is
+blocking.  The bug is largely benign as it will either cause KVM to skip
+updating halt-polling times (no_poll toggles false=>true) or to update
+halt-polling times with a slightly flawed block_ns.
+
+Note, READ_ONCE is unnecessary in the current code, add it in case the
+arch hook is ever inlined, and to provide a hint that userspace can
+change the param at will.
+
+Fixes: 8b905d28ee17 ("KVM: s390: provide kvm_arch_no_poll function")
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20211009021236.4122790-4-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 2 +-
+ virt/kvm/kvm_main.c      | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index ef299aad40090..8fc9c79c899b5 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -3449,7 +3449,7 @@ bool kvm_arch_no_poll(struct kvm_vcpu *vcpu)
+ {
+       /* do not poll with more than halt_poll_max_steal percent of steal time */
+       if (S390_lowcore.avg_steal_timer * 100 / (TICK_USEC << 12) >=
+-          halt_poll_max_steal) {
++          READ_ONCE(halt_poll_max_steal)) {
+               vcpu->stat.halt_no_poll_steal++;
+               return true;
+       }
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 72c4e6b393896..5bd62342c482b 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3153,6 +3153,7 @@ update_halt_poll_stats(struct kvm_vcpu *vcpu, u64 poll_ns, bool waited)
+  */
+ void kvm_vcpu_block(struct kvm_vcpu *vcpu)
+ {
++      bool halt_poll_allowed = !kvm_arch_no_poll(vcpu);
+       ktime_t start, cur, poll_end;
+       bool waited = false;
+       u64 block_ns;
+@@ -3160,7 +3161,7 @@ void kvm_vcpu_block(struct kvm_vcpu *vcpu)
+       kvm_arch_vcpu_blocking(vcpu);
+       start = cur = poll_end = ktime_get();
+-      if (vcpu->halt_poll_ns && !kvm_arch_no_poll(vcpu)) {
++      if (vcpu->halt_poll_ns && halt_poll_allowed) {
+               ktime_t stop = ktime_add_ns(ktime_get(), vcpu->halt_poll_ns);
+               ++vcpu->stat.generic.halt_attempted_poll;
+@@ -3215,7 +3216,7 @@ out:
+       update_halt_poll_stats(
+               vcpu, ktime_to_ns(ktime_sub(poll_end, start)), waited);
+-      if (!kvm_arch_no_poll(vcpu)) {
++      if (halt_poll_allowed) {
+               if (!vcpu_valid_wakeup(vcpu)) {
+                       shrink_halt_poll_ns(vcpu);
+               } else if (vcpu->kvm->max_halt_poll_ns) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-vmx-don-t-unblock-vcpu-w-posted-irq-if-irqs-are-.patch b/queue-5.16/kvm-vmx-don-t-unblock-vcpu-w-posted-irq-if-irqs-are-.patch
new file mode 100644 (file)
index 0000000..f2a1ac3
--- /dev/null
@@ -0,0 +1,40 @@
+From 6c8e0edcc9df597c45dc02144f56ff2fd0875718 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 09:32:47 -0500
+Subject: KVM: VMX: Don't unblock vCPU w/ Posted IRQ if IRQs are disabled in
+ guest
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit 1831fa44df743a7cdffdf1c12c799bf6f3c12b8c ]
+
+Don't configure the wakeup handler when a vCPU is blocking with IRQs
+disabled, in which case any IRQ, posted or otherwise, should not be
+recognized and thus should not wake the vCPU.
+
+Fixes: bf9f6ac8d749 ("KVM: Update Posted-Interrupts Descriptor when vCPU is blocked")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20211009021236.4122790-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/posted_intr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx/posted_intr.c b/arch/x86/kvm/vmx/posted_intr.c
+index 21ea58d25771f..696ad48ab5daa 100644
+--- a/arch/x86/kvm/vmx/posted_intr.c
++++ b/arch/x86/kvm/vmx/posted_intr.c
+@@ -147,7 +147,8 @@ int pi_pre_block(struct kvm_vcpu *vcpu)
+       struct pi_desc old, new;
+       struct pi_desc *pi_desc = vcpu_to_pi_desc(vcpu);
+-      if (!vmx_can_use_vtd_pi(vcpu->kvm))
++      if (!vmx_can_use_vtd_pi(vcpu->kvm) ||
++          vmx_interrupt_blocked(vcpu))
+               return 0;
+       WARN_ON(irqs_disabled());
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-vmx-read-posted-interrupt-control-exactly-once-p.patch b/queue-5.16/kvm-vmx-read-posted-interrupt-control-exactly-once-p.patch
new file mode 100644 (file)
index 0000000..f72140a
--- /dev/null
@@ -0,0 +1,58 @@
+From e2cad596c3b7b2339519a1bf287a677dbb5de4f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 19:12:19 -0700
+Subject: KVM: VMX: Read Posted Interrupt "control" exactly once per loop
+ iteration
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit cfb0e1306a3790eb055ebf7cdb7b0ee8a23e9b6e ]
+
+Use READ_ONCE() when loading the posted interrupt descriptor control
+field to ensure "old" and "new" have the same base value.  If the
+compiler emits separate loads, and loads into "new" before "old", KVM
+could theoretically drop the ON bit if it were set between the loads.
+
+Fixes: 28b835d60fcc ("KVM: Update Posted-Interrupts Descriptor when vCPU is preempted")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20211009021236.4122790-27-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/posted_intr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/posted_intr.c b/arch/x86/kvm/vmx/posted_intr.c
+index 696ad48ab5daa..46fb83d6a286e 100644
+--- a/arch/x86/kvm/vmx/posted_intr.c
++++ b/arch/x86/kvm/vmx/posted_intr.c
+@@ -51,7 +51,7 @@ void vmx_vcpu_pi_load(struct kvm_vcpu *vcpu, int cpu)
+       /* The full case.  */
+       do {
+-              old.control = new.control = pi_desc->control;
++              old.control = new.control = READ_ONCE(pi_desc->control);
+               dest = cpu_physical_id(cpu);
+@@ -104,7 +104,7 @@ static void __pi_post_block(struct kvm_vcpu *vcpu)
+       unsigned int dest;
+       do {
+-              old.control = new.control = pi_desc->control;
++              old.control = new.control = READ_ONCE(pi_desc->control);
+               WARN(old.nv != POSTED_INTR_WAKEUP_VECTOR,
+                    "Wakeup handler not enabled while the VCPU is blocked\n");
+@@ -163,7 +163,7 @@ int pi_pre_block(struct kvm_vcpu *vcpu)
+       }
+       do {
+-              old.control = new.control = pi_desc->control;
++              old.control = new.control = READ_ONCE(pi_desc->control);
+               WARN((pi_desc->sn == 1),
+                    "Warning: SN field of posted-interrupts "
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-x86-ensure-that-dirty-pdptrs-are-loaded.patch b/queue-5.16/kvm-x86-ensure-that-dirty-pdptrs-are-loaded.patch
new file mode 100644 (file)
index 0000000..ea80759
--- /dev/null
@@ -0,0 +1,54 @@
+From 5b6ba66294f456b518053a35b5219de61300dc4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 20:43:53 +0800
+Subject: KVM: X86: Ensure that dirty PDPTRs are loaded
+
+From: Lai Jiangshan <laijs@linux.alibaba.com>
+
+[ Upstream commit 2c5653caecc4807b8abfe9c41880ac38417be7bf ]
+
+For VMX with EPT, dirty PDPTRs need to be loaded before the next vmentry
+via vmx_load_mmu_pgd()
+
+But not all paths that call load_pdptrs() will cause vmx_load_mmu_pgd()
+to be invoked.  Normally, kvm_mmu_reset_context() is used to cause
+KVM_REQ_LOAD_MMU_PGD, but sometimes it is skipped:
+
+* commit d81135a57aa6("KVM: x86: do not reset mmu if CR0.CD and
+CR0.NW are changed") skips kvm_mmu_reset_context() after load_pdptrs()
+when changing CR0.CD and CR0.NW.
+
+* commit 21823fbda552("KVM: x86: Invalidate all PGDs for the current
+PCID on MOV CR3 w/ flush") skips KVM_REQ_LOAD_MMU_PGD after
+load_pdptrs() when rewriting the CR3 with the same value.
+
+* commit a91a7c709600("KVM: X86: Don't reset mmu context when
+toggling X86_CR4_PGE") skips kvm_mmu_reset_context() after
+load_pdptrs() when changing CR4.PGE.
+
+Fixes: d81135a57aa6 ("KVM: x86: do not reset mmu if CR0.CD and CR0.NW are changed")
+Fixes: 21823fbda552 ("KVM: x86: Invalidate all PGDs for the current PCID on MOV CR3 w/ flush")
+Fixes: a91a7c709600 ("KVM: X86: Don't reset mmu context when toggling X86_CR4_PGE")
+Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
+Message-Id: <20211108124407.12187-2-jiangshanlai@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 0b5c61bb24a17..bb87f43cdc78c 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -830,6 +830,7 @@ int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3)
+       memcpy(mmu->pdptrs, pdpte, sizeof(mmu->pdptrs));
+       kvm_register_mark_dirty(vcpu, VCPU_EXREG_PDPTR);
++      kvm_make_request(KVM_REQ_LOAD_MMU_PGD, vcpu);
+       vcpu->arch.pdptrs_from_userspace = false;
+       return 1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-x86-exit-to-userspace-if-emulation-prepared-a-co.patch b/queue-5.16/kvm-x86-exit-to-userspace-if-emulation-prepared-a-co.patch
new file mode 100644 (file)
index 0000000..8d7aa42
--- /dev/null
@@ -0,0 +1,57 @@
+From 8f6dc2a427684780f88e5557a3d433cbda1d3817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 17:15:32 +0800
+Subject: KVM: x86: Exit to userspace if emulation prepared a completion
+ callback
+
+From: Hou Wenlong <houwenlong93@linux.alibaba.com>
+
+[ Upstream commit adbfb12d4c4517a8adde23a7fc46538953d56eea ]
+
+em_rdmsr() and em_wrmsr() return X86EMUL_IO_NEEDED if MSR accesses
+required an exit to userspace. However, x86_emulate_insn() doesn't return
+X86EMUL_*, so x86_emulate_instruction() doesn't directly act on
+X86EMUL_IO_NEEDED; instead, it looks for other signals to differentiate
+between PIO, MMIO, etc. causing RDMSR/WRMSR emulation not to
+exit to userspace now.
+
+Nevertheless, if the userspace_msr_exit_test testcase in selftests
+is changed to test RDMSR/WRMSR with a forced emulation prefix,
+the test passes.  What happens is that first userspace exit
+information is filled but the userspace exit does not happen.
+Because x86_emulate_instruction() returns 1, the guest retries
+the instruction---but this time RIP has already been adjusted
+past the forced emulation prefix, so the guest executes RDMSR/WRMSR
+and the userspace exit finally happens.
+
+Since the X86EMUL_IO_NEEDED path has provided a complete_userspace_io
+callback, x86_emulate_instruction() can just return 0 if the
+callback is not NULL. Then RDMSR/WRMSR instruction emulation will
+exit to userspace directly, without the RDMSR/WRMSR vmexit.
+
+Fixes: 1ae099540e8c7 ("KVM: x86: Allow deflecting unknown MSR accesses to user space")
+Signed-off-by: Hou Wenlong <houwenlong93@linux.alibaba.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <56f9df2ee5c05a81155e2be366c9dc1f7adc8817.1635842679.git.houwenlong93@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 5d5a8e75edcb7..00628031de98d 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8203,6 +8203,9 @@ restart:
+                       writeback = false;
+               r = 0;
+               vcpu->arch.complete_userspace_io = complete_emulated_mmio;
++      } else if (vcpu->arch.complete_userspace_io) {
++              writeback = false;
++              r = 0;
+       } else if (r == EMULATION_RESTART)
+               goto restart;
+       else
+-- 
+2.34.1
+
diff --git a/queue-5.16/kvm-x86-handle-32-bit-wrap-of-eip-for-emultype_skip-.patch b/queue-5.16/kvm-x86-handle-32-bit-wrap-of-eip-for-emultype_skip-.patch
new file mode 100644 (file)
index 0000000..abc0f8f
--- /dev/null
@@ -0,0 +1,48 @@
+From 0e47a8ed92ea427e6a068de70bf7da26d3a98abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 17:15:29 +0800
+Subject: KVM: x86: Handle 32-bit wrap of EIP for EMULTYPE_SKIP with flat code
+ seg
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 5e854864ee4384736f27a986633bae21731a4e4e ]
+
+Truncate the new EIP to a 32-bit value when handling EMULTYPE_SKIP as the
+decode phase does not truncate _eip.  Wrapping the 32-bit boundary is
+legal if and only if CS is a flat code segment, but that check is
+implicitly handled in the form of limit checks in the decode phase.
+
+Opportunstically prepare for a future fix by storing the result of any
+truncation in "eip" instead of "_eip".
+
+Fixes: 1957aa63be53 ("KVM: VMX: Handle single-step #DB for EMULTYPE_SKIP on EPT misconfig")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <093eabb1eab2965201c9b018373baf26ff256d85.1635842679.git.houwenlong93@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index bb87f43cdc78c..5d5a8e75edcb7 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8134,7 +8134,12 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
+        * updating interruptibility state and injecting single-step #DBs.
+        */
+       if (emulation_type & EMULTYPE_SKIP) {
+-              kvm_rip_write(vcpu, ctxt->_eip);
++              if (ctxt->mode != X86EMUL_MODE_PROT64)
++                      ctxt->eip = (u32)ctxt->_eip;
++              else
++                      ctxt->eip = ctxt->_eip;
++
++              kvm_rip_write(vcpu, ctxt->eip);
+               if (ctxt->eflags & X86_EFLAGS_RF)
+                       kvm_set_rflags(vcpu, ctxt->eflags & ~X86_EFLAGS_RF);
+               return 1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/leds-lp55xx-initialise-output-direction-from-dts.patch b/queue-5.16/leds-lp55xx-initialise-output-direction-from-dts.patch
new file mode 100644 (file)
index 0000000..63336b7
--- /dev/null
@@ -0,0 +1,51 @@
+From 3f9171dea20fbe3c770819e4b49025ff868ea406 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 23:40:07 +0100
+Subject: leds: lp55xx: initialise output direction from dts
+
+From: Merlijn Wajer <merlijn@wizzup.org>
+
+[ Upstream commit 9e87a8da747bf72365abb79e6f64fcca955b4f56 ]
+
+Commit a5d3d1adc95f ("leds: lp55xx: Initialize enable GPIO direction to
+output") attempts to fix this, but the fix did not work since at least
+for the Nokia N900 the value needs to be set to HIGH, per the device
+tree. So rather than hardcoding the value to a potentially invalid value
+for some devices, let's set direction in lp55xx_init_device.
+
+Fixes: a5d3d1adc95f ("leds: lp55xx: Initialize enable GPIO direction to output")
+Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
+Fixes: ac219bf3c9bd ("leds: lp55xx: Convert to use GPIO descriptors")
+Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lp55xx-common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-lp55xx-common.c b/drivers/leds/leds-lp55xx-common.c
+index d1657c46ee2f8..9fdfc1b9a1a0c 100644
+--- a/drivers/leds/leds-lp55xx-common.c
++++ b/drivers/leds/leds-lp55xx-common.c
+@@ -439,6 +439,8 @@ int lp55xx_init_device(struct lp55xx_chip *chip)
+               return -EINVAL;
+       if (pdata->enable_gpiod) {
++              gpiod_direction_output(pdata->enable_gpiod, 0);
++
+               gpiod_set_consumer_name(pdata->enable_gpiod, "LP55xx enable");
+               gpiod_set_value(pdata->enable_gpiod, 0);
+               usleep_range(1000, 2000); /* Keep enable down at least 1ms */
+@@ -694,7 +696,7 @@ struct lp55xx_platform_data *lp55xx_of_populate_pdata(struct device *dev,
+       of_property_read_u8(np, "clock-mode", &pdata->clock_mode);
+       pdata->enable_gpiod = devm_gpiod_get_optional(dev, "enable",
+-                                                    GPIOD_OUT_LOW);
++                                                    GPIOD_ASIS);
+       if (IS_ERR(pdata->enable_gpiod))
+               return ERR_CAST(pdata->enable_gpiod);
+-- 
+2.34.1
+
diff --git a/queue-5.16/lib-logic_iomem-fix-32-bit-build.patch b/queue-5.16/lib-logic_iomem-fix-32-bit-build.patch
new file mode 100644 (file)
index 0000000..e53cb9a
--- /dev/null
@@ -0,0 +1,84 @@
+From 7e02ee6c95f9fb694cbd47238cce9da9b6129996 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 20:30:21 +0200
+Subject: lib/logic_iomem: Fix 32-bit build
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 4e84139e14af5ea60772cc4f33d7059aec76e0eb ]
+
+On a 32-bit build, the (unsigned long long) casts throw warnings
+(or errors) due to being to a different integer size. Cast to
+uintptr_t first (with the __force for sparse) and then further
+to get the consistent print on 32 and 64-bit.
+
+Fixes: ca2e334232b6 ("lib: add iomem emulation (logic_iomem)")
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/logic_iomem.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/lib/logic_iomem.c b/lib/logic_iomem.c
+index 9bdfde0c0f86d..54fa601f3300b 100644
+--- a/lib/logic_iomem.c
++++ b/lib/logic_iomem.c
+@@ -79,7 +79,7 @@ static void __iomem *real_ioremap(phys_addr_t offset, size_t size)
+ static void real_iounmap(void __iomem *addr)
+ {
+       WARN(1, "invalid iounmap for addr 0x%llx\n",
+-           (unsigned long long __force)addr);
++           (unsigned long long)(uintptr_t __force)addr);
+ }
+ #endif /* CONFIG_LOGIC_IOMEM_FALLBACK */
+@@ -173,7 +173,7 @@ EXPORT_SYMBOL(iounmap);
+ static u##sz real_raw_read ## op(const volatile void __iomem *addr)   \
+ {                                                                     \
+       WARN(1, "Invalid read" #op " at address %llx\n",                \
+-           (unsigned long long __force)addr);                         \
++           (unsigned long long)(uintptr_t __force)addr);              \
+       return (u ## sz)~0ULL;                                          \
+ }                                                                     \
+                                                                       \
+@@ -181,7 +181,8 @@ static void real_raw_write ## op(u ## sz val,                              \
+                                volatile void __iomem *addr)           \
+ {                                                                     \
+       WARN(1, "Invalid writeq" #op " of 0x%llx at address %llx\n",    \
+-           (unsigned long long)val, (unsigned long long __force)addr);\
++           (unsigned long long)val,                                   \
++           (unsigned long long)(uintptr_t __force)addr);\
+ }                                                                     \
+ MAKE_FALLBACK(b, 8);
+@@ -194,14 +195,14 @@ MAKE_FALLBACK(q, 64);
+ static void real_memset_io(volatile void __iomem *addr, int value, size_t size)
+ {
+       WARN(1, "Invalid memset_io at address 0x%llx\n",
+-           (unsigned long long __force)addr);
++           (unsigned long long)(uintptr_t __force)addr);
+ }
+ static void real_memcpy_fromio(void *buffer, const volatile void __iomem *addr,
+                              size_t size)
+ {
+       WARN(1, "Invalid memcpy_fromio at address 0x%llx\n",
+-           (unsigned long long __force)addr);
++           (unsigned long long)(uintptr_t __force)addr);
+       memset(buffer, 0xff, size);
+ }
+@@ -210,7 +211,7 @@ static void real_memcpy_toio(volatile void __iomem *addr, const void *buffer,
+                            size_t size)
+ {
+       WARN(1, "Invalid memcpy_toio at address 0x%llx\n",
+-           (unsigned long long __force)addr);
++           (unsigned long long)(uintptr_t __force)addr);
+ }
+ #endif /* CONFIG_LOGIC_IOMEM_FALLBACK */
+-- 
+2.34.1
+
diff --git a/queue-5.16/lib-logic_iomem-fix-operation-on-32-bit.patch b/queue-5.16/lib-logic_iomem-fix-operation-on-32-bit.patch
new file mode 100644 (file)
index 0000000..81a138f
--- /dev/null
@@ -0,0 +1,49 @@
+From 3928c9d6260720e37cc02359fc014efe03b82d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 20:30:22 +0200
+Subject: lib/logic_iomem: Fix operation on 32-bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 4e8a5edac5010820e7c5303fc96f5a262e096bb6 ]
+
+On 32-bit, the first entry might be at 0/NULL, but that's
+strange and leads to issues, e.g. where we check "if (ret)".
+Use a IOREMAP_BIAS/IOREMAP_MASK of 0x80000000UL to avoid
+this. This then requires reducing the number of areas (via
+MAX_AREAS), but we still have 128 areas, which is enough.
+
+Fixes: ca2e334232b6 ("lib: add iomem emulation (logic_iomem)")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/logic_iomem.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/logic_iomem.c b/lib/logic_iomem.c
+index 54fa601f3300b..549b22d4bcde1 100644
+--- a/lib/logic_iomem.c
++++ b/lib/logic_iomem.c
+@@ -21,15 +21,15 @@ struct logic_iomem_area {
+ #define AREA_SHIFT    24
+ #define MAX_AREA_SIZE (1 << AREA_SHIFT)
+-#define MAX_AREAS     ((1ULL<<32) / MAX_AREA_SIZE)
++#define MAX_AREAS     ((1U << 31) / MAX_AREA_SIZE)
+ #define AREA_BITS     ((MAX_AREAS - 1) << AREA_SHIFT)
+ #define AREA_MASK     (MAX_AREA_SIZE - 1)
+ #ifdef CONFIG_64BIT
+ #define IOREMAP_BIAS  0xDEAD000000000000UL
+ #define IOREMAP_MASK  0xFFFFFFFF00000000UL
+ #else
+-#define IOREMAP_BIAS  0
+-#define IOREMAP_MASK  0
++#define IOREMAP_BIAS  0x80000000UL
++#define IOREMAP_MASK  0x80000000UL
+ #endif
+ static DEFINE_MUTEX(regions_mtx);
+-- 
+2.34.1
+
diff --git a/queue-5.16/lib-mpi-add-the-return-value-check-of-kcalloc.patch b/queue-5.16/lib-mpi-add-the-return-value-check-of-kcalloc.patch
new file mode 100644 (file)
index 0000000..b705051
--- /dev/null
@@ -0,0 +1,37 @@
+From 8d13b5b93c60a147cf3897b3aa03a87b36c9e3fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 15:03:31 +0800
+Subject: lib/mpi: Add the return value check of kcalloc()
+
+From: Zizhuang Deng <sunsetdzz@gmail.com>
+
+[ Upstream commit dd827abe296fe4249b2f8c9b95f72f814ea8348c ]
+
+Add the return value check of kcalloc() to avoid potential
+NULL ptr dereference.
+
+Fixes: a8ea8bdd9df9 ("lib/mpi: Extend the MPI library")
+Signed-off-by: Zizhuang Deng <sunsetdzz@gmail.com>
+Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/mpi/mpi-mod.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/mpi/mpi-mod.c b/lib/mpi/mpi-mod.c
+index 47bc59edd4ff9..54fcc01564d9d 100644
+--- a/lib/mpi/mpi-mod.c
++++ b/lib/mpi/mpi-mod.c
+@@ -40,6 +40,8 @@ mpi_barrett_t mpi_barrett_init(MPI m, int copy)
+       mpi_normalize(m);
+       ctx = kcalloc(1, sizeof(*ctx), GFP_KERNEL);
++      if (!ctx)
++              return NULL;
+       if (copy) {
+               ctx->m = mpi_copy(m);
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-accommodate-dwarf-compiler-bug-with-duplicate.patch b/queue-5.16/libbpf-accommodate-dwarf-compiler-bug-with-duplicate.patch
new file mode 100644 (file)
index 0000000..b2f77f4
--- /dev/null
@@ -0,0 +1,115 @@
+From 8aac668d016d0c4cea8b84a112ad733bde991bb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 11:41:13 -0800
+Subject: libbpf: Accommodate DWARF/compiler bug with duplicated structs
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit efdd3eb8015e7447095f02a26eaabd164cd18004 ]
+
+According to [0], compilers sometimes might produce duplicate DWARF
+definitions for exactly the same struct/union within the same
+compilation unit (CU). We've had similar issues with identical arrays
+and handled them with a similar workaround in 6b6e6b1d09aa ("libbpf:
+Accomodate DWARF/compiler bug with duplicated identical arrays"). Do the
+same for struct/union by ensuring that two structs/unions are exactly
+the same, down to the integer values of field referenced type IDs.
+
+Solving this more generically (allowing referenced types to be
+equivalent, but using different type IDs, all within a single CU)
+requires a huge complexity increase to handle many-to-many mappings
+between canonidal and candidate type graphs. Before we invest in that,
+let's see if this approach handles all the instances of this issue in
+practice. Thankfully it's pretty rare, it seems.
+
+  [0] https://lore.kernel.org/bpf/YXr2NFlJTAhHdZqq@krava/
+
+Reported-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211117194114.347675-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 45 +++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index c2400804d6bac..dc86259980231 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -3443,8 +3443,8 @@ static long btf_hash_struct(struct btf_type *t)
+ }
+ /*
+- * Check structural compatibility of two FUNC_PROTOs, ignoring referenced type
+- * IDs. This check is performed during type graph equivalence check and
++ * Check structural compatibility of two STRUCTs/UNIONs, ignoring referenced
++ * type IDs. This check is performed during type graph equivalence check and
+  * referenced types equivalence is checked separately.
+  */
+ static bool btf_shallow_equal_struct(struct btf_type *t1, struct btf_type *t2)
+@@ -3817,6 +3817,31 @@ static int btf_dedup_identical_arrays(struct btf_dedup *d, __u32 id1, __u32 id2)
+       return btf_equal_array(t1, t2);
+ }
++/* Check if given two types are identical STRUCT/UNION definitions */
++static bool btf_dedup_identical_structs(struct btf_dedup *d, __u32 id1, __u32 id2)
++{
++      const struct btf_member *m1, *m2;
++      struct btf_type *t1, *t2;
++      int n, i;
++
++      t1 = btf_type_by_id(d->btf, id1);
++      t2 = btf_type_by_id(d->btf, id2);
++
++      if (!btf_is_composite(t1) || btf_kind(t1) != btf_kind(t2))
++              return false;
++
++      if (!btf_shallow_equal_struct(t1, t2))
++              return false;
++
++      m1 = btf_members(t1);
++      m2 = btf_members(t2);
++      for (i = 0, n = btf_vlen(t1); i < n; i++, m1++, m2++) {
++              if (m1->type != m2->type)
++                      return false;
++      }
++      return true;
++}
++
+ /*
+  * Check equivalence of BTF type graph formed by candidate struct/union (we'll
+  * call it "candidate graph" in this description for brevity) to a type graph
+@@ -3928,6 +3953,8 @@ static int btf_dedup_is_equiv(struct btf_dedup *d, __u32 cand_id,
+       hypot_type_id = d->hypot_map[canon_id];
+       if (hypot_type_id <= BTF_MAX_NR_TYPES) {
++              if (hypot_type_id == cand_id)
++                      return 1;
+               /* In some cases compiler will generate different DWARF types
+                * for *identical* array type definitions and use them for
+                * different fields within the *same* struct. This breaks type
+@@ -3936,8 +3963,18 @@ static int btf_dedup_is_equiv(struct btf_dedup *d, __u32 cand_id,
+                * types within a single CU. So work around that by explicitly
+                * allowing identical array types here.
+                */
+-              return hypot_type_id == cand_id ||
+-                     btf_dedup_identical_arrays(d, hypot_type_id, cand_id);
++              if (btf_dedup_identical_arrays(d, hypot_type_id, cand_id))
++                      return 1;
++              /* It turns out that similar situation can happen with
++               * struct/union sometimes, sigh... Handle the case where
++               * structs/unions are exactly the same, down to the referenced
++               * type IDs. Anything more complicated (e.g., if referenced
++               * types are different, but equivalent) is *way more*
++               * complicated and requires a many-to-many equivalence mapping.
++               */
++              if (btf_dedup_identical_structs(d, hypot_type_id, cand_id))
++                      return 1;
++              return 0;
+       }
+       if (btf_dedup_hypot_map_add(d, canon_id, cand_id))
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-add-bool-skipped-to-struct-bpf_map.patch b/queue-5.16/libbpf-add-bool-skipped-to-struct-bpf_map.patch
new file mode 100644 (file)
index 0000000..f5259c0
--- /dev/null
@@ -0,0 +1,76 @@
+From bec30ec9dfb373105aa4bdc2ec87eaf51e00348c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 17:39:57 +0800
+Subject: libbpf: Add "bool skipped" to struct bpf_map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shuyi Cheng <chengshuyi@linux.alibaba.com>
+
+[ Upstream commit 229fae38d0fc0d6ff58d57cbeb1432da55e58d4f ]
+
+Fix error: "failed to pin map: Bad file descriptor, path:
+/sys/fs/bpf/_rodata_str1_1."
+
+In the old kernel, the global data map will not be created, see [0]. So
+we should skip the pinning of the global data map to avoid
+bpf_object__pin_maps returning error. Therefore, when the map is not
+created, we mark “map->skipped" as true and then check during relocation
+and during pinning.
+
+Fixes: 16e0c35c6f7a ("libbpf: Load global data maps lazily on legacy kernels")
+Signed-off-by: Shuyi Cheng <chengshuyi@linux.alibaba.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 4050a0f8dad66..fd25e30e70cc2 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -400,6 +400,7 @@ struct bpf_map {
+       char *pin_path;
+       bool pinned;
+       bool reused;
++      bool skipped;
+       __u64 map_extra;
+ };
+@@ -5003,8 +5004,10 @@ bpf_object__create_maps(struct bpf_object *obj)
+                * kernels.
+                */
+               if (bpf_map__is_internal(map) &&
+-                  !kernel_supports(obj, FEAT_GLOBAL_DATA))
++                  !kernel_supports(obj, FEAT_GLOBAL_DATA)) {
++                      map->skipped = true;
+                       continue;
++              }
+               retried = false;
+ retry:
+@@ -5607,8 +5610,7 @@ bpf_object__relocate_data(struct bpf_object *obj, struct bpf_program *prog)
+                       } else {
+                               const struct bpf_map *map = &obj->maps[relo->map_idx];
+-                              if (bpf_map__is_internal(map) &&
+-                                  !kernel_supports(obj, FEAT_GLOBAL_DATA)) {
++                              if (map->skipped) {
+                                       pr_warn("prog '%s': relo #%d: kernel doesn't support global data\n",
+                                               prog->name, i);
+                                       return -ENOTSUP;
+@@ -7733,6 +7735,9 @@ int bpf_object__pin_maps(struct bpf_object *obj, const char *path)
+               char *pin_path = NULL;
+               char buf[PATH_MAX];
++              if (map->skipped)
++                      continue;
++
+               if (path) {
+                       int len;
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-clean-gen_loader-s-attach-kind.patch b/queue-5.16/libbpf-clean-gen_loader-s-attach-kind.patch
new file mode 100644 (file)
index 0000000..957ceec
--- /dev/null
@@ -0,0 +1,43 @@
+From 8d7735c9133c2a376cf7d445d69bee66257684f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 10:10:34 -0800
+Subject: libbpf: Clean gen_loader's attach kind.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 19250f5fc0c283892a61f3abf9d65e6325f63897 ]
+
+The gen_loader has to clear attach_kind otherwise the programs
+without attach_btf_id will fail load if they follow programs
+with attach_btf_id.
+
+Fixes: 67234743736a ("libbpf: Generate loader program out of BPF ELF file.")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20211201181040.23337-12-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/gen_loader.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
+index 5aad39e92a7a5..4ac65afc99e50 100644
+--- a/tools/lib/bpf/gen_loader.c
++++ b/tools/lib/bpf/gen_loader.c
+@@ -993,9 +993,11 @@ void bpf_gen__prog_load(struct bpf_gen *gen,
+       debug_ret(gen, "prog_load %s insn_cnt %d", attr.prog_name, attr.insn_cnt);
+       /* successful or not, close btf module FDs used in extern ksyms and attach_btf_obj_fd */
+       cleanup_relos(gen, insns);
+-      if (gen->attach_kind)
++      if (gen->attach_kind) {
+               emit_sys_close_blob(gen,
+                                   attr_field(prog_load_attr, attach_btf_obj_fd));
++              gen->attach_kind = 0;
++      }
+       emit_check_err(gen);
+       /* remember prog_fd in the stack, if successful */
+       emit(gen, BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7,
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-detect-corrupted-elf-symbols-section.patch b/queue-5.16/libbpf-detect-corrupted-elf-symbols-section.patch
new file mode 100644 (file)
index 0000000..2e5869a
--- /dev/null
@@ -0,0 +1,37 @@
+From 52babf72b5f2b4c39cafaf518c42ffc262d87ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 10:32:09 -0700
+Subject: libbpf: Detect corrupted ELF symbols section
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 833907876be55205d0ec153dcd819c014404ee16 ]
+
+Prevent divide-by-zero if ELF is corrupted and has zero sh_entsize.
+Reported by oss-fuzz project.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211103173213.1376990-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 2696f0b7f0acc..1cc0383471f01 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3556,7 +3556,7 @@ static int bpf_object__collect_externs(struct bpf_object *obj)
+       scn = elf_sec_by_idx(obj, obj->efile.symbols_shndx);
+       sh = elf_sec_hdr(obj, scn);
+-      if (!sh)
++      if (!sh || sh->sh_entsize != sizeof(Elf64_Sym))
+               return -LIBBPF_ERRNO__FORMAT;
+       dummy_var_btf_id = add_dummy_ksym_var(obj->btf);
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-fix-gen_loader-assumption-on-number-of-progra.patch b/queue-5.16/libbpf-fix-gen_loader-assumption-on-number-of-progra.patch
new file mode 100644 (file)
index 0000000..7d817fd
--- /dev/null
@@ -0,0 +1,42 @@
+From 590d65d56c8b0eb5642b6a746a9b80bd7820d65f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Dec 2021 17:16:19 -0800
+Subject: libbpf: Fix gen_loader assumption on number of programs.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 259172bb6514758ce3be1610c500b51a9f44212a ]
+
+libbpf's obj->nr_programs includes static and global functions. That number
+could be higher than the actual number of bpf programs going be loaded by
+gen_loader. Passing larger nr_programs to bpf_gen__init() doesn't hurt. Those
+exra stack slots will stay as zero. bpf_gen__finish() needs to check that
+actual number of progs that gen_loader saw is less than or equal to
+obj->nr_programs.
+
+Fixes: ba05fd36b851 ("libbpf: Perform map fd cleanup for gen_loader in case of error")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/gen_loader.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
+index 4ac65afc99e50..737e7cbe3e547 100644
+--- a/tools/lib/bpf/gen_loader.c
++++ b/tools/lib/bpf/gen_loader.c
+@@ -371,8 +371,9 @@ int bpf_gen__finish(struct bpf_gen *gen, int nr_progs, int nr_maps)
+ {
+       int i;
+-      if (nr_progs != gen->nr_progs || nr_maps != gen->nr_maps) {
+-              pr_warn("progs/maps mismatch\n");
++      if (nr_progs < gen->nr_progs || nr_maps != gen->nr_maps) {
++              pr_warn("nr_progs %d/%d nr_maps %d/%d mismatch\n",
++                      nr_progs, gen->nr_progs, nr_maps, gen->nr_maps);
+               gen->error = -EFAULT;
+               return gen->error;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-fix-glob_syms-memory-leak-in-bpf_linker.patch b/queue-5.16/libbpf-fix-glob_syms-memory-leak-in-bpf_linker.patch
new file mode 100644 (file)
index 0000000..da5d8d6
--- /dev/null
@@ -0,0 +1,35 @@
+From a740b36e3cb801e9743687ee7afd1bec6af19073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 16:23:17 -0800
+Subject: libbpf: Fix glob_syms memory leak in bpf_linker
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 8cb125566c40b7141d8842c534f0ea5820ee3d5c ]
+
+glob_syms array wasn't freed on bpf_link__free(). Fix that.
+
+Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211124002325.1737739-6-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index f677dccdeae44..94bdd97859285 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -210,6 +210,7 @@ void bpf_linker__free(struct bpf_linker *linker)
+       }
+       free(linker->secs);
++      free(linker->glob_syms);
+       free(linker);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-fix-non-c89-loop-variable-declaration-in-gen_.patch b/queue-5.16/libbpf-fix-non-c89-loop-variable-declaration-in-gen_.patch
new file mode 100644 (file)
index 0000000..bb451e4
--- /dev/null
@@ -0,0 +1,42 @@
+From 259cf0b6035093bdaa46d763446b22529f1a0fbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 12:10:55 -0700
+Subject: libbpf: Fix non-C89 loop variable declaration in gen_loader.c
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit b8b5cb55f5d3f03cc1479a3768d68173a10359ad ]
+
+Fix the `int i` declaration inside the for statement. This is non-C89
+compliant. See [0] for user report breaking BCC build.
+
+  [0] https://github.com/libbpf/libbpf/issues/403
+
+Fixes: 18f4fccbf314 ("libbpf: Update gen_loader to emit BTF_KIND_FUNC relocations")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/bpf/20211105191055.3324874-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/gen_loader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
+index 9934851ccde76..5aad39e92a7a5 100644
+--- a/tools/lib/bpf/gen_loader.c
++++ b/tools/lib/bpf/gen_loader.c
+@@ -597,8 +597,9 @@ void bpf_gen__record_extern(struct bpf_gen *gen, const char *name, bool is_weak,
+ static struct ksym_desc *get_ksym_desc(struct bpf_gen *gen, struct ksym_relo_desc *relo)
+ {
+       struct ksym_desc *kdesc;
++      int i;
+-      for (int i = 0; i < gen->nr_ksyms; i++) {
++      for (i = 0; i < gen->nr_ksyms; i++) {
+               if (!strcmp(gen->ksyms[i].name, relo->name)) {
+                       gen->ksyms[i].ref++;
+                       return &gen->ksyms[i];
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-fix-potential-misaligned-memory-access-in-btf.patch b/queue-5.16/libbpf-fix-potential-misaligned-memory-access-in-btf.patch
new file mode 100644 (file)
index 0000000..5709269
--- /dev/null
@@ -0,0 +1,76 @@
+From 53cd885cb44fce495b35c3a7839dd8e0bf951cd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 16:23:14 -0800
+Subject: libbpf: Fix potential misaligned memory access in btf_ext__new()
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 401891a9debaf0a684502f2aaecf53448cee9414 ]
+
+Perform a memory copy before we do the sanity checks of btf_ext_hdr.
+This prevents misaligned memory access if raw btf_ext data is not 4-byte
+aligned ([0]).
+
+While at it, also add missing const qualifier.
+
+  [0] Closes: https://github.com/libbpf/libbpf/issues/391
+
+Fixes: 2993e0515bb4 ("tools/bpf: add support to read .BTF.ext sections")
+Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 10 +++++-----
+ tools/lib/bpf/btf.h |  2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index 7e4c5586bd877..c2400804d6bac 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -2711,15 +2711,11 @@ void btf_ext__free(struct btf_ext *btf_ext)
+       free(btf_ext);
+ }
+-struct btf_ext *btf_ext__new(__u8 *data, __u32 size)
++struct btf_ext *btf_ext__new(const __u8 *data, __u32 size)
+ {
+       struct btf_ext *btf_ext;
+       int err;
+-      err = btf_ext_parse_hdr(data, size);
+-      if (err)
+-              return libbpf_err_ptr(err);
+-
+       btf_ext = calloc(1, sizeof(struct btf_ext));
+       if (!btf_ext)
+               return libbpf_err_ptr(-ENOMEM);
+@@ -2732,6 +2728,10 @@ struct btf_ext *btf_ext__new(__u8 *data, __u32 size)
+       }
+       memcpy(btf_ext->data, data, size);
++      err = btf_ext_parse_hdr(btf_ext->data, size);
++      if (err)
++              goto done;
++
+       if (btf_ext->hdr->hdr_len < offsetofend(struct btf_ext_header, line_info_len)) {
+               err = -EINVAL;
+               goto done;
+diff --git a/tools/lib/bpf/btf.h b/tools/lib/bpf/btf.h
+index bc005ba3ceec3..17c0a46d8cd22 100644
+--- a/tools/lib/bpf/btf.h
++++ b/tools/lib/bpf/btf.h
+@@ -157,7 +157,7 @@ LIBBPF_API int btf__get_map_kv_tids(const struct btf *btf, const char *map_name,
+                                   __u32 expected_value_size,
+                                   __u32 *key_type_id, __u32 *value_type_id);
+-LIBBPF_API struct btf_ext *btf_ext__new(__u8 *data, __u32 size);
++LIBBPF_API struct btf_ext *btf_ext__new(const __u8 *data, __u32 size);
+ LIBBPF_API void btf_ext__free(struct btf_ext *btf_ext);
+ LIBBPF_API const void *btf_ext__get_raw_data(const struct btf_ext *btf_ext,
+                                            __u32 *size);
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-fix-section-counting-logic.patch b/queue-5.16/libbpf-fix-section-counting-logic.patch
new file mode 100644 (file)
index 0000000..a9cd9f2
--- /dev/null
@@ -0,0 +1,49 @@
+From 79fa76c7f0a5a2f466f48a918ffb7600a395989d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 10:32:12 -0700
+Subject: libbpf: Fix section counting logic
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 0d6988e16a12ebd41d3e268992211b0ceba44ed7 ]
+
+e_shnum does include section #0 and as such is exactly the number of ELF
+sections that we need to allocate memory for to use section indices as
+array indices. Fix the off-by-one error.
+
+This is purely accounting fix, previously we were overallocating one
+too many array items. But no correctness errors otherwise.
+
+Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211103173213.1376990-5-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 7c74342bb6680..5367bc8e52073 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3191,11 +3191,11 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
+       Elf_Scn *scn;
+       Elf64_Shdr *sh;
+-      /* ELF section indices are 1-based, so allocate +1 element to keep
+-       * indexing simple. Also include 0th invalid section into sec_cnt for
+-       * simpler and more traditional iteration logic.
++      /* ELF section indices are 0-based, but sec #0 is special "invalid"
++       * section. e_shnum does include sec #0, so e_shnum is the necessary
++       * size of an array to keep all the sections.
+        */
+-      obj->efile.sec_cnt = 1 + obj->efile.ehdr->e_shnum;
++      obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
+       obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
+       if (!obj->efile.secs)
+               return -ENOMEM;
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-fix-using-invalidated-memory-in-bpf_linker.patch b/queue-5.16/libbpf-fix-using-invalidated-memory-in-bpf_linker.patch
new file mode 100644 (file)
index 0000000..5f04154
--- /dev/null
@@ -0,0 +1,48 @@
+From 719bbc5ee7a183342b831de5042c14916a19ee2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 16:23:18 -0800
+Subject: libbpf: Fix using invalidated memory in bpf_linker
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 593835377f24ca1bb98008ec1dc3baefe491ad6e ]
+
+add_dst_sec() can invalidate bpf_linker's section index making
+dst_symtab pointer pointing into unallocated memory. Reinitialize
+dst_symtab pointer on each iteration to make sure it's always valid.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211124002325.1737739-7-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index 94bdd97859285..6923a0ab3b127 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -2000,7 +2000,7 @@ add_sym:
+ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *obj)
+ {
+       struct src_sec *src_symtab = &obj->secs[obj->symtab_sec_idx];
+-      struct dst_sec *dst_symtab = &linker->secs[linker->symtab_sec_idx];
++      struct dst_sec *dst_symtab;
+       int i, err;
+       for (i = 1; i < obj->sec_cnt; i++) {
+@@ -2033,6 +2033,9 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob
+                       return -1;
+               }
++              /* add_dst_sec() above could have invalidated linker->secs */
++              dst_symtab = &linker->secs[linker->symtab_sec_idx];
++
+               /* shdr->sh_link points to SYMTAB */
+               dst_sec->shdr->sh_link = linker->symtab_sec_idx;
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-free-up-resources-used-by-inner-map-definitio.patch b/queue-5.16/libbpf-free-up-resources-used-by-inner-map-definitio.patch
new file mode 100644 (file)
index 0000000..8890281
--- /dev/null
@@ -0,0 +1,41 @@
+From aa38f62365d1d7eab962513a91d4c38259818540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Nov 2021 08:55:14 -0800
+Subject: libbpf: Free up resources used by inner map definition
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 8f7b239ea8cfdc8e64c875ee417fed41431a1f37 ]
+
+It's not enough to just free(map->inner_map), as inner_map itself can
+have extra memory allocated, like map name.
+
+Fixes: 646f02ffdd49 ("libbpf: Add BTF-defined map-in-map support")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
+Link: https://lore.kernel.org/bpf/20211107165521.9240-3-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 5367bc8e52073..509f3719409bb 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -9028,7 +9028,10 @@ int bpf_map__set_inner_map_fd(struct bpf_map *map, int fd)
+               pr_warn("error: inner_map_fd already specified\n");
+               return libbpf_err(-EINVAL);
+       }
+-      zfree(&map->inner_map);
++      if (map->inner_map) {
++              bpf_map__destroy(map->inner_map);
++              zfree(&map->inner_map);
++      }
+       map->inner_map_fd = fd;
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-improve-sanity-checking-during-btf-fix-up.patch b/queue-5.16/libbpf-improve-sanity-checking-during-btf-fix-up.patch
new file mode 100644 (file)
index 0000000..527e13d
--- /dev/null
@@ -0,0 +1,45 @@
+From 6224e9f93108bb95e92b86739ac36495b4544c1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 10:32:10 -0700
+Subject: libbpf: Improve sanity checking during BTF fix up
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 88918dc12dc357a06d8d722a684617b1c87a4654 ]
+
+If BTF is corrupted DATASEC's variable type ID might be incorrect.
+Prevent this easy to detect situation with extra NULL check.
+Reported by oss-fuzz project.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211103173213.1376990-3-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 1cc0383471f01..c7ba5e6ed9cfe 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -2753,13 +2753,12 @@ static int btf_fixup_datasec(struct bpf_object *obj, struct btf *btf,
+       for (i = 0, vsi = btf_var_secinfos(t); i < vars; i++, vsi++) {
+               t_var = btf__type_by_id(btf, vsi->type);
+-              var = btf_var(t_var);
+-
+-              if (!btf_is_var(t_var)) {
++              if (!t_var || !btf_is_var(t_var)) {
+                       pr_debug("Non-VAR type seen in section %s\n", name);
+                       return -EINVAL;
+               }
++              var = btf_var(t_var);
+               if (var->linkage == BTF_VAR_STATIC)
+                       continue;
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-load-global-data-maps-lazily-on-legacy-kernel.patch b/queue-5.16/libbpf-load-global-data-maps-lazily-on-legacy-kernel.patch
new file mode 100644 (file)
index 0000000..1238ec6
--- /dev/null
@@ -0,0 +1,109 @@
+From 95ed45d339b25f1fac4e772b7089edbbd0c58d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 12:01:04 -0800
+Subject: libbpf: Load global data maps lazily on legacy kernels
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 16e0c35c6f7a2e90d52f3035ecf942af21417b7b ]
+
+Load global data maps lazily, if kernel is too old to support global
+data. Make sure that programs are still correct by detecting if any of
+the to-be-loaded programs have relocation against any of such maps.
+
+This allows to solve the issue ([0]) with bpf_printk() and Clang
+generating unnecessary and unreferenced .rodata.strX.Y sections, but it
+also goes further along the CO-RE lines, allowing to have a BPF object
+in which some code can work on very old kernels and relies only on BPF
+maps explicitly, while other BPF programs might enjoy global variable
+support. If such programs are correctly set to not load at runtime on
+old kernels, bpf_object will load and function correctly now.
+
+  [0] https://lore.kernel.org/bpf/CAK-59YFPU3qO+_pXWOH+c1LSA=8WA1yabJZfREjOEXNHAqgXNg@mail.gmail.com/
+
+Fixes: aed659170a31 ("libbpf: Support multiple .rodata.* and .data.* BPF maps")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20211123200105.387855-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 509f3719409bb..4050a0f8dad66 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -4988,6 +4988,24 @@ bpf_object__create_maps(struct bpf_object *obj)
+       for (i = 0; i < obj->nr_maps; i++) {
+               map = &obj->maps[i];
++              /* To support old kernels, we skip creating global data maps
++               * (.rodata, .data, .kconfig, etc); later on, during program
++               * loading, if we detect that at least one of the to-be-loaded
++               * programs is referencing any global data map, we'll error
++               * out with program name and relocation index logged.
++               * This approach allows to accommodate Clang emitting
++               * unnecessary .rodata.str1.1 sections for string literals,
++               * but also it allows to have CO-RE applications that use
++               * global variables in some of BPF programs, but not others.
++               * If those global variable-using programs are not loaded at
++               * runtime due to bpf_program__set_autoload(prog, false),
++               * bpf_object loading will succeed just fine even on old
++               * kernels.
++               */
++              if (bpf_map__is_internal(map) &&
++                  !kernel_supports(obj, FEAT_GLOBAL_DATA))
++                      continue;
++
+               retried = false;
+ retry:
+               if (map->pin_path) {
+@@ -5587,6 +5605,14 @@ bpf_object__relocate_data(struct bpf_object *obj, struct bpf_program *prog)
+                               insn[0].src_reg = BPF_PSEUDO_MAP_IDX_VALUE;
+                               insn[0].imm = relo->map_idx;
+                       } else {
++                              const struct bpf_map *map = &obj->maps[relo->map_idx];
++
++                              if (bpf_map__is_internal(map) &&
++                                  !kernel_supports(obj, FEAT_GLOBAL_DATA)) {
++                                      pr_warn("prog '%s': relo #%d: kernel doesn't support global data\n",
++                                              prog->name, i);
++                                      return -ENOTSUP;
++                              }
+                               insn[0].src_reg = BPF_PSEUDO_MAP_VALUE;
+                               insn[0].imm = obj->maps[relo->map_idx].fd;
+                       }
+@@ -6121,6 +6147,8 @@ bpf_object__relocate(struct bpf_object *obj, const char *targ_btf_path)
+                */
+               if (prog_is_subprog(obj, prog))
+                       continue;
++              if (!prog->load)
++                      continue;
+               err = bpf_object__relocate_calls(obj, prog);
+               if (err) {
+@@ -6134,6 +6162,8 @@ bpf_object__relocate(struct bpf_object *obj, const char *targ_btf_path)
+               prog = &obj->programs[i];
+               if (prog_is_subprog(obj, prog))
+                       continue;
++              if (!prog->load)
++                      continue;
+               err = bpf_object__relocate_data(obj, prog);
+               if (err) {
+                       pr_warn("prog '%s': failed to relocate data references: %d\n",
+@@ -6915,10 +6945,6 @@ static int bpf_object__sanitize_maps(struct bpf_object *obj)
+       bpf_object__for_each_map(m, obj) {
+               if (!bpf_map__is_internal(m))
+                       continue;
+-              if (!kernel_supports(obj, FEAT_GLOBAL_DATA)) {
+-                      pr_warn("kernel doesn't support global data\n");
+-                      return -ENOTSUP;
+-              }
+               if (!kernel_supports(obj, FEAT_ARRAY_MMAP))
+                       m->def.map_flags ^= BPF_F_MMAPABLE;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-silence-uninitialized-warning-error-in-btf_du.patch b/queue-5.16/libbpf-silence-uninitialized-warning-error-in-btf_du.patch
new file mode 100644 (file)
index 0000000..a2ae82e
--- /dev/null
@@ -0,0 +1,54 @@
+From b4dc1ae15b0b2e35140dec9062f43601f5a93ec5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 10:00:40 +0000
+Subject: libbpf: Silence uninitialized warning/error in
+ btf_dump_dump_type_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alan Maguire <alan.maguire@oracle.com>
+
+[ Upstream commit 43174f0d4597325cb91f1f1f55263eb6e6101036 ]
+
+When compiling libbpf with gcc 4.8.5, we see:
+
+  CC       staticobjs/btf_dump.o
+btf_dump.c: In function ‘btf_dump_dump_type_data.isra.24’:
+btf_dump.c:2296:5: error: ‘err’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
+  if (err < 0)
+     ^
+cc1: all warnings being treated as errors
+make: *** [staticobjs/btf_dump.o] Error 1
+
+While gcc 4.8.5 is too old to build the upstream kernel, it's possible it
+could be used to build standalone libbpf which suffers from the same problem.
+Silence the error by initializing 'err' to 0.  The warning/error seems to be
+a false positive since err is set early in the function.  Regardless we
+shouldn't prevent libbpf from building for this.
+
+Fixes: 920d16af9b42 ("libbpf: BTF dumper support for typed data")
+Signed-off-by: Alan Maguire <alan.maguire@oracle.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/1638180040-8037-1-git-send-email-alan.maguire@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 17db62b5002e8..5cae71600631b 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -2194,7 +2194,7 @@ static int btf_dump_dump_type_data(struct btf_dump *d,
+                                  __u8 bits_offset,
+                                  __u8 bit_sz)
+ {
+-      int size, err;
++      int size, err = 0;
+       size = btf_dump_type_data_check_overflow(d, t, id, data, bits_offset);
+       if (size < 0)
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-use-probe_name-for-legacy-kprobe.patch b/queue-5.16/libbpf-use-probe_name-for-legacy-kprobe.patch
new file mode 100644 (file)
index 0000000..c8c4deb
--- /dev/null
@@ -0,0 +1,41 @@
+From 31104f1f86871f1f1ac8078424d9825bc9a94f35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Dec 2021 21:07:12 +0800
+Subject: libbpf: Use probe_name for legacy kprobe
+
+From: Qiang Wang <wangqiang.wq.frank@bytedance.com>
+
+[ Upstream commit 71cff670baff5cc6a6eeb0181e2cc55579c5e1e0 ]
+
+Fix a bug in commit 46ed5fc33db9, which wrongly used the
+func_name instead of probe_name to register legacy kprobe.
+
+Fixes: 46ed5fc33db9 ("libbpf: Refactor and simplify legacy kprobe code")
+Co-developed-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Qiang Wang <wangqiang.wq.frank@bytedance.com>
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: Hengqi Chen <hengqi.chen@gmail.com>
+Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
+Link: https://lore.kernel.org/bpf/20211227130713.66933-1-wangqiang.wq.frank@bytedance.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index fd25e30e70cc2..2696f0b7f0acc 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -9769,7 +9769,7 @@ bpf_program__attach_kprobe_opts(const struct bpf_program *prog,
+               gen_kprobe_legacy_event_name(probe_name, sizeof(probe_name),
+                                            func_name, offset);
+-              legacy_probe = strdup(func_name);
++              legacy_probe = strdup(probe_name);
+               if (!legacy_probe)
+                       return libbpf_err_ptr(-ENOMEM);
+-- 
+2.34.1
+
diff --git a/queue-5.16/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch b/queue-5.16/libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch
new file mode 100644 (file)
index 0000000..b1f5026
--- /dev/null
@@ -0,0 +1,43 @@
+From 0a5fcc947ffa23559574ba76ebbc9e7d71f28911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 10:32:11 -0700
+Subject: libbpf: Validate that .BTF and .BTF.ext sections contain data
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 62554d52e71797eefa3fc15b54008038837bb2d4 ]
+
+.BTF and .BTF.ext ELF sections should have SHT_PROGBITS type and contain
+data. If they are not, ELF is invalid or corrupted, so bail out.
+Otherwise this can lead to data->d_buf being NULL and SIGSEGV later on.
+Reported by oss-fuzz project.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20211103173213.1376990-4-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index c7ba5e6ed9cfe..96cee9cd8c03c 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3271,8 +3271,12 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
+               } else if (strcmp(name, MAPS_ELF_SEC) == 0) {
+                       obj->efile.btf_maps_shndx = idx;
+               } else if (strcmp(name, BTF_ELF_SEC) == 0) {
++                      if (sh->sh_type != SHT_PROGBITS)
++                              return -LIBBPF_ERRNO__FORMAT;
+                       btf_data = data;
+               } else if (strcmp(name, BTF_EXT_ELF_SEC) == 0) {
++                      if (sh->sh_type != SHT_PROGBITS)
++                              return -LIBBPF_ERRNO__FORMAT;
+                       btf_ext_data = data;
+               } else if (sh->sh_type == SHT_SYMTAB) {
+                       /* already processed during the first pass above */
+-- 
+2.34.1
+
diff --git a/queue-5.16/mac80211-allow-non-standard-vht-mcs-10-11.patch b/queue-5.16/mac80211-allow-non-standard-vht-mcs-10-11.patch
new file mode 100644 (file)
index 0000000..216dffb
--- /dev/null
@@ -0,0 +1,49 @@
+From ba863f6f743b3ff4d44b89a477a35394138a9baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jan 2022 09:36:21 +0800
+Subject: mac80211: allow non-standard VHT MCS-10/11
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 04be6d337d37400ad5b3d5f27ca87645ee5a18a3 ]
+
+Some AP can possibly try non-standard VHT rate and mac80211 warns and drops
+packets, and leads low TCP throughput.
+
+    Rate marked as a VHT rate but data is invalid: MCS: 10, NSS: 2
+    WARNING: CPU: 1 PID: 7817 at net/mac80211/rx.c:4856 ieee80211_rx_list+0x223/0x2f0 [mac8021
+
+Since commit c27aa56a72b8 ("cfg80211: add VHT rate entries for MCS-10 and MCS-11")
+has added, mac80211 adds this support as well.
+
+After this patch, throughput is good and iw can get the bitrate:
+    rx bitrate:        975.1 MBit/s VHT-MCS 10 80MHz short GI VHT-NSS 2
+or
+    rx bitrate:        1083.3 MBit/s VHT-MCS 11 80MHz short GI VHT-NSS 2
+
+Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1192891
+Reported-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20220103013623.17052-1-pkshih@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 0544563ede522..d2e8b84ed2836 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4924,7 +4924,7 @@ void ieee80211_rx_list(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
+                               goto drop;
+                       break;
+               case RX_ENC_VHT:
+-                      if (WARN_ONCE(status->rate_idx > 9 ||
++                      if (WARN_ONCE(status->rate_idx > 11 ||
+                                     !status->nss ||
+                                     status->nss > 8,
+                                     "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
+-- 
+2.34.1
+
diff --git a/queue-5.16/mailbox-change-mailbox-mpfs-compatible-string.patch b/queue-5.16/mailbox-change-mailbox-mpfs-compatible-string.patch
new file mode 100644 (file)
index 0000000..e2198f6
--- /dev/null
@@ -0,0 +1,38 @@
+From 2ef8e5bc6f15f500fd56be0da5b135fdc6a71e64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 09:33:12 +0000
+Subject: mailbox: change mailbox-mpfs compatible string
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit f10b1fc0161cd99e54c5687fcc63368aa255e05e ]
+
+The Polarfire SoC is currently using two different compatible string
+prefixes. Fix this by changing "polarfire-soc-*" strings to "mpfs-*" in
+its system controller in order to match the compatible string used in
+the soc binding and device tree.
+
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-mpfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/mailbox-mpfs.c b/drivers/mailbox/mailbox-mpfs.c
+index 0d6e2231a2c75..4e34854d12389 100644
+--- a/drivers/mailbox/mailbox-mpfs.c
++++ b/drivers/mailbox/mailbox-mpfs.c
+@@ -232,7 +232,7 @@ static int mpfs_mbox_probe(struct platform_device *pdev)
+ }
+ static const struct of_device_id mpfs_mbox_of_match[] = {
+-      {.compatible = "microchip,polarfire-soc-mailbox", },
++      {.compatible = "microchip,mpfs-mailbox", },
+       {},
+ };
+ MODULE_DEVICE_TABLE(of, mpfs_mbox_of_match);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mailbox-fix-gce_num-of-mt8192-driver-data.patch b/queue-5.16/mailbox-fix-gce_num-of-mt8192-driver-data.patch
new file mode 100644 (file)
index 0000000..8c62100
--- /dev/null
@@ -0,0 +1,36 @@
+From c5afef9994b385c5c8283144d0d05463f638e9e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 22:51:55 +0800
+Subject: mailbox: fix gce_num of mt8192 driver data
+
+From: jason-jh.lin <jason-jh.lin@mediatek.com>
+
+[ Upstream commit 35ca43710f792ce183312fdc7e4b2bb0b721a173 ]
+
+Because mt8192 only have 1 gce, the gce_num should be 1.
+
+Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for mt8195")
+Signed-off-by: jason-jh.lin <jason-jh.lin@mediatek.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mtk-cmdq-mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
+index a8845b162dbfa..9aae13e9e050e 100644
+--- a/drivers/mailbox/mtk-cmdq-mailbox.c
++++ b/drivers/mailbox/mtk-cmdq-mailbox.c
+@@ -658,7 +658,7 @@ static const struct gce_plat gce_plat_v5 = {
+       .thread_nr = 24,
+       .shift = 3,
+       .control_by_sw = true,
+-      .gce_num = 2
++      .gce_num = 1
+ };
+ static const struct gce_plat gce_plat_v6 = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/mailbox-imx-fix-an-is_err-vs-null-bug.patch b/queue-5.16/mailbox-imx-fix-an-is_err-vs-null-bug.patch
new file mode 100644 (file)
index 0000000..1d971ae
--- /dev/null
@@ -0,0 +1,39 @@
+From 47b529ad486c1cb5e2a59ca8ace48b7aee3bc653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 17:51:26 +0300
+Subject: mailbox: imx: Fix an IS_ERR() vs NULL bug
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 05d06f37196b2e3abeff2b98b785c8803865e646 ]
+
+The devm_kzalloc() function does not return error pointers, it returns
+NULL on failure.
+
+Fixes: 97961f78e8bc ("mailbox: imx: support i.MX8ULP S4 MU")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/imx-mailbox.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c
+index ffe36a6bef9e0..544de2db64531 100644
+--- a/drivers/mailbox/imx-mailbox.c
++++ b/drivers/mailbox/imx-mailbox.c
+@@ -563,8 +563,8 @@ static int imx_mu_probe(struct platform_device *pdev)
+               size = sizeof(struct imx_sc_rpc_msg_max);
+       priv->msg = devm_kzalloc(dev, size, GFP_KERNEL);
+-      if (IS_ERR(priv->msg))
+-              return PTR_ERR(priv->msg);
++      if (!priv->msg)
++              return -ENOMEM;
+       priv->clk = devm_clk_get(dev, NULL);
+       if (IS_ERR(priv->clk)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/mailbox-pcc-avoid-using-the-uninitialized-variable-d.patch b/queue-5.16/mailbox-pcc-avoid-using-the-uninitialized-variable-d.patch
new file mode 100644 (file)
index 0000000..2393c2d
--- /dev/null
@@ -0,0 +1,43 @@
+From 26a708abb531dc744636450afec5508debec1d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 08:21:43 +0000
+Subject: mailbox: pcc: Avoid using the uninitialized variable 'dev'
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 960c4056aadcf61983f8eaac159927a052f8cf01 ]
+
+Smatch static checker warns:
+
+  |  drivers/mailbox/pcc.c:292 pcc_mbox_request_channel()
+  |  error: uninitialized symbol 'dev'.
+
+Fix the same by using pr_err instead of dev_err as the variable 'dev'
+is uninitialized at that stage.
+
+Fixes: ce028702ddbc ("mailbox: pcc: Move bulk of PCCT parsing into pcc_mbox_probe")
+Cc: Jassi Brar <jassisinghbrar@gmail.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/pcc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
+index 887a3704c12ec..e0a1ab3861f0d 100644
+--- a/drivers/mailbox/pcc.c
++++ b/drivers/mailbox/pcc.c
+@@ -289,7 +289,7 @@ pcc_mbox_request_channel(struct mbox_client *cl, int subspace_id)
+       pchan = chan_info + subspace_id;
+       chan = pchan->chan.mchan;
+       if (IS_ERR(chan) || chan->cl) {
+-              dev_err(dev, "Channel not found for idx: %d\n", subspace_id);
++              pr_err("Channel not found for idx: %d\n", subspace_id);
+               return ERR_PTR(-EBUSY);
+       }
+       dev = chan->mbox->dev;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mailbox-pcc-handle-all-pcc-subtypes-correctly-in-pcc.patch b/queue-5.16/mailbox-pcc-handle-all-pcc-subtypes-correctly-in-pcc.patch
new file mode 100644 (file)
index 0000000..2bbfede
--- /dev/null
@@ -0,0 +1,68 @@
+From b1008eaae7f1b5192837f67ac6165535050beb8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 09:21:46 +0000
+Subject: mailbox: pcc: Handle all PCC subtypes correctly in pcc_mbox_irq
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 7215a7857e796c655ae1184b313556102fa8bc40 ]
+
+Commit c45ded7e1135 ("mailbox: pcc: Add support for PCCT extended PCC
+subspaces(type 3/4)") enabled the type3/4 of PCCT, but the change in
+pcc_mbox_irq breaks the other PCC subtypes.
+
+The kernel reports a warning on an Ampere eMag server
+
+-->8
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4 #127
+ Hardware name: MiTAC RAPTOR EV-883832-X3-0001/RAPTOR, BIOS 0.14 02/22/2019
+ Call trace:
+  dump_backtrace+0x0/0x200
+  show_stack+0x20/0x30
+  dump_stack_lvl+0x68/0x84
+  dump_stack+0x18/0x34
+  __report_bad_irq+0x54/0x17c
+  note_interrupt+0x330/0x428
+  handle_irq_event_percpu+0x90/0x98
+  handle_irq_event+0x4c/0x148
+  handle_fasteoi_irq+0xc4/0x188
+  generic_handle_domain_irq+0x44/0x68
+  gic_handle_irq+0x84/0x2ec
+  call_on_irq_stack+0x28/0x34
+  do_interrupt_handler+0x88/0x90
+  el1_interrupt+0x48/0xb0
+  el1h_64_irq_handler+0x18/0x28
+  el1h_64_irq+0x7c/0x80
+
+Fixes: c45ded7e1135 ("mailbox: pcc: Add support for PCCT extended PCC subspaces(type 3/4)")
+Reported-by: Justin He <justin.he@arm.com>
+Tested-by: Justin He <justin.he@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/pcc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
+index e0a1ab3861f0d..ed18936b8ce68 100644
+--- a/drivers/mailbox/pcc.c
++++ b/drivers/mailbox/pcc.c
+@@ -241,9 +241,11 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p)
+       if (ret)
+               return IRQ_NONE;
+-      val &= pchan->cmd_complete.status_mask;
+-      if (!val)
+-              return IRQ_NONE;
++      if (val) { /* Ensure GAS exists and value is non-zero */
++              val &= pchan->cmd_complete.status_mask;
++              if (!val)
++                      return IRQ_NONE;
++      }
+       ret = pcc_chan_reg_read(&pchan->error, &val);
+       if (ret)
+-- 
+2.34.1
+
diff --git a/queue-5.16/mctp-test-update-refcount-checking-in-route-fragment.patch b/queue-5.16/mctp-test-update-refcount-checking-in-route-fragment.patch
new file mode 100644 (file)
index 0000000..0a4a22f
--- /dev/null
@@ -0,0 +1,43 @@
+From c03cf0a7f46976652834934475e8061133164ea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 14:57:23 +0800
+Subject: mctp/test: Update refcount checking in route fragment tests
+
+From: Jeremy Kerr <jk@codeconstruct.com.au>
+
+[ Upstream commit f6ef47e5bdc6f652176e433b02317fc83049f8d7 ]
+
+In 99ce45d5e, we moved a route refcount decrement from
+mctp_do_fragment_route into the caller. This invalidates the assumption
+that the route test makes about refcount behaviour, so the route tests
+fail.
+
+This change fixes the test case to suit the new refcount behaviour.
+
+Fixes: 99ce45d5e7db ("mctp: Implement extended addressing")
+Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/test/route-test.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/net/mctp/test/route-test.c b/net/mctp/test/route-test.c
+index 36fac3daf86a4..86ad15abf8978 100644
+--- a/net/mctp/test/route-test.c
++++ b/net/mctp/test/route-test.c
+@@ -150,11 +150,6 @@ static void mctp_test_fragment(struct kunit *test)
+       rt = mctp_test_create_route(&init_net, NULL, 10, mtu);
+       KUNIT_ASSERT_TRUE(test, rt);
+-      /* The refcount would usually be incremented as part of a route lookup,
+-       * but we're setting the route directly here.
+-       */
+-      refcount_inc(&rt->rt.refs);
+-
+       rc = mctp_do_fragment_route(&rt->rt, skb, mtu, MCTP_TAG_OWNER);
+       KUNIT_EXPECT_FALSE(test, rc);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch b/queue-5.16/media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch
new file mode 100644 (file)
index 0000000..0fb668d
--- /dev/null
@@ -0,0 +1,56 @@
+From 4039b0f8d5cfdcc5fbad3cee4299ab668990b4e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 08:23:54 +0000
+Subject: media: aspeed: fix mode-detect always time out at 2nd run
+
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+
+[ Upstream commit 62cea52ad4bead0ae4be2cfe1142eb0aae0e9fbd ]
+
+aspeed_video_get_resolution() will try to do res-detect again if the
+timing got in last try is invalid. But it will always time out because
+VE_SEQ_CTRL_TRIG_MODE_DET is only cleared after 1st mode-detect.
+
+To fix the problem, just clear VE_SEQ_CTRL_TRIG_MODE_DET before setting
+it in aspeed_video_enable_mode_detect().
+
+Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver")
+Signed-off-by: Jammy Huang <jammy_huang@aspeedtech.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/aspeed-video.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c
+index cad3f97515aef..136383ad0e97c 100644
+--- a/drivers/media/platform/aspeed-video.c
++++ b/drivers/media/platform/aspeed-video.c
+@@ -539,6 +539,10 @@ static void aspeed_video_enable_mode_detect(struct aspeed_video *video)
+       aspeed_video_update(video, VE_INTERRUPT_CTRL, 0,
+                           VE_INTERRUPT_MODE_DETECT);
++      /* Disable mode detect in order to re-trigger */
++      aspeed_video_update(video, VE_SEQ_CTRL,
++                          VE_SEQ_CTRL_TRIG_MODE_DET, 0);
++
+       /* Trigger mode detect */
+       aspeed_video_update(video, VE_SEQ_CTRL, 0, VE_SEQ_CTRL_TRIG_MODE_DET);
+ }
+@@ -824,10 +828,6 @@ static void aspeed_video_get_resolution(struct aspeed_video *video)
+                       return;
+               }
+-              /* Disable mode detect in order to re-trigger */
+-              aspeed_video_update(video, VE_SEQ_CTRL,
+-                                  VE_SEQ_CTRL_TRIG_MODE_DET, 0);
+-
+               aspeed_video_check_and_set_polarity(video);
+               aspeed_video_enable_mode_detect(video);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-aspeed-update-signal-status-immediately-to-ens.patch b/queue-5.16/media-aspeed-update-signal-status-immediately-to-ens.patch
new file mode 100644 (file)
index 0000000..f24f756
--- /dev/null
@@ -0,0 +1,66 @@
+From f0e233c1e50884c7f4f9ee83becb8b9db72bd77e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Nov 2021 03:12:27 +0000
+Subject: media: aspeed: Update signal status immediately to ensure sane hw
+ state
+
+From: Jammy Huang <jammy_huang@aspeedtech.com>
+
+[ Upstream commit af6d1bde395cac174ee71adcd3fa43f6435c7206 ]
+
+If res-chg, VE_INTERRUPT_MODE_DETECT_WD irq will be raised. But
+v4l2_input_status won't be updated to no-signal immediately until
+aspeed_video_get_resolution() in aspeed_video_resolution_work().
+
+During the period of time, aspeed_video_start_frame() could be called
+because it doesn't know signal becomes unstable now. If it goes with
+aspeed_video_init_regs() of aspeed_video_irq_res_change()
+simultaneously, it will mess up hw state.
+
+To fix this problem, v4l2_input_status is updated to no-signal
+immediately for VE_INTERRUPT_MODE_DETECT_WD irq.
+
+Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver")
+Signed-off-by: Jammy Huang <jammy_huang@aspeedtech.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/aspeed-video.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/aspeed-video.c b/drivers/media/platform/aspeed-video.c
+index 136383ad0e97c..7a24daf7165a4 100644
+--- a/drivers/media/platform/aspeed-video.c
++++ b/drivers/media/platform/aspeed-video.c
+@@ -595,6 +595,8 @@ static void aspeed_video_irq_res_change(struct aspeed_video *video, ulong delay)
+       set_bit(VIDEO_RES_CHANGE, &video->flags);
+       clear_bit(VIDEO_FRAME_INPRG, &video->flags);
++      video->v4l2_input_status = V4L2_IN_ST_NO_SIGNAL;
++
+       aspeed_video_off(video);
+       aspeed_video_bufs_done(video, VB2_BUF_STATE_ERROR);
+@@ -1375,7 +1377,6 @@ static void aspeed_video_resolution_work(struct work_struct *work)
+       struct delayed_work *dwork = to_delayed_work(work);
+       struct aspeed_video *video = container_of(dwork, struct aspeed_video,
+                                                 res_work);
+-      u32 input_status = video->v4l2_input_status;
+       aspeed_video_on(video);
+@@ -1388,8 +1389,7 @@ static void aspeed_video_resolution_work(struct work_struct *work)
+       aspeed_video_get_resolution(video);
+       if (video->detected_timings.width != video->active_timings.width ||
+-          video->detected_timings.height != video->active_timings.height ||
+-          input_status != video->v4l2_input_status) {
++          video->detected_timings.height != video->active_timings.height) {
+               static const struct v4l2_event ev = {
+                       .type = V4L2_EVENT_SOURCE_CHANGE,
+                       .u.src_change.changes = V4L2_EVENT_SRC_CH_RESOLUTION,
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-add-missing-media_device_cleanup-in-at.patch b/queue-5.16/media-atomisp-add-missing-media_device_cleanup-in-at.patch
new file mode 100644 (file)
index 0000000..d0cb631
--- /dev/null
@@ -0,0 +1,44 @@
+From 9a70512ec0a8763101e18ee341f91e607a906ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:19:41 +0900
+Subject: media: atomisp: add missing media_device_cleanup() in
+ atomisp_unregister_entities()
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit ce3015b7212e96db426d0c36f80fd159c91155d1 ]
+
+After the commit 9832e155f1ed ("[media] media-device: split media
+initialization and registration"), calling media_device_cleanup()
+is needed it seems. However, currently it is missing for the module
+unload path.
+
+Note that for the probe failure path, it is already added in
+atomisp_register_entities().
+
+This patch adds the missing call of media_device_cleanup() in
+atomisp_unregister_entities().
+
+Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/atomisp_v4l2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
+index 1e324f1f656e5..0511c454e769d 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
+@@ -1182,6 +1182,7 @@ static void atomisp_unregister_entities(struct atomisp_device *isp)
+       v4l2_device_unregister(&isp->v4l2_dev);
+       media_device_unregister(&isp->media_dev);
++      media_device_cleanup(&isp->media_dev);
+ }
+ static int atomisp_register_entities(struct atomisp_device *isp)
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-add-null-check-for-asd-obtained-from-a.patch b/queue-5.16/media-atomisp-add-null-check-for-asd-obtained-from-a.patch
new file mode 100644 (file)
index 0000000..58f7fd7
--- /dev/null
@@ -0,0 +1,463 @@
+From 9a5ac4eef8985f8497f5489956c322af277029ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:23:34 +0900
+Subject: media: atomisp: add NULL check for asd obtained from
+ atomisp_video_pipe
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit c10bcb13462e9cf43111d17f1e08b4bb4d4401b0 ]
+
+This is almost a BUG report with RFC patch that just avoids kernel
+oopses. Thus, prefixed with [BUG][RFC].
+
+Here is the kernel log after running `v4l2-compliance -d /dev/video4`
+with this patch applied:
+
+       kern  :err   : [25507.580392] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.592343] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.592995] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.593685] atomisp-isp2 0000:00:03.0: atomisp_g_input(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.593719] atomisp-isp2 0000:00:03.0: atomisp_g_parm(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.593727] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       [omitting 42 same messages]
+       kern  :err   : [25507.593976] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594191] atomisp-isp2 0000:00:03.0: atomisp_g_input(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594449] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       [omitting 43 same messages]
+       kern  :err   : [25507.594756] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594779] atomisp-isp2 0000:00:03.0: atomisp_g_ctrl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594787] atomisp-isp2 0000:00:03.0: atomisp_s_ctrl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594803] atomisp-isp2 0000:00:03.0: atomisp_camera_g_ext_ctrls(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594880] atomisp-isp2 0000:00:03.0: atomisp_enum_fmt_cap(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.594915] atomisp-isp2 0000:00:03.0: atomisp_g_parm(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.595058] atomisp-isp2 0000:00:03.0: atomisp_try_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.595089] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.595124] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.595221] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.595241] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.601571] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.607496] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.608604] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.611988] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.617420] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.618429] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.618811] atomisp-isp2 0000:00:03.0: atomisp_g_parm(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.622193] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.627355] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.628391] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.631143] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.635813] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.636489] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.636504] atomisp-isp2 0000:00:03.0: atomisp_s_input(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.636516] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.639111] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.646152] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.646831] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.646847] atomisp-isp2 0000:00:03.0: atomisp_s_input(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.650079] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.657476] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.658741] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.658759] atomisp-isp2 0000:00:03.0: atomisp_s_input(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.658771] atomisp-isp2 0000:00:03.0: atomisp_set_fmt(): asd is NULL, device is ATOMISP ISP ACC
+       kern  :err   : [25507.660959] atomisp-isp2 0000:00:03.0: can't change power state from D3cold to D0 (config space inaccessible)
+       kern  :warn  : [25507.666665] isys dma store at addr(0xcd408) val(0)
+       kern  :err   : [25507.667397] atomisp-isp2 0000:00:03.0: atomisp_queryctl(): asd is NULL, device is ATOMISP ISP ACC
+
+[mchehab: fix coding style]
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/atomisp/pci/atomisp_cmd.c   | 73 +++++++++++++++
+ .../staging/media/atomisp/pci/atomisp_fops.c  |  6 ++
+ .../staging/media/atomisp/pci/atomisp_ioctl.c | 90 +++++++++++++++++++
+ 3 files changed, 169 insertions(+)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+index 366161cff5602..75a531667d743 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+@@ -1715,6 +1715,12 @@ void atomisp_wdt_refresh_pipe(struct atomisp_video_pipe *pipe,
+ {
+       unsigned long next;
++      if (!pipe->asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, pipe->vdev.name);
++              return;
++      }
++
+       if (delay != ATOMISP_WDT_KEEP_CURRENT_DELAY)
+               pipe->wdt_duration = delay;
+@@ -1777,6 +1783,12 @@ void atomisp_wdt_refresh(struct atomisp_sub_device *asd, unsigned int delay)
+ /* ISP2401 */
+ void atomisp_wdt_stop_pipe(struct atomisp_video_pipe *pipe, bool sync)
+ {
++      if (!pipe->asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, pipe->vdev.name);
++              return;
++      }
++
+       if (!atomisp_is_wdt_running(pipe))
+               return;
+@@ -4109,6 +4121,12 @@ void atomisp_handle_parameter_and_buffer(struct atomisp_video_pipe *pipe)
+       unsigned long irqflags;
+       bool need_to_enqueue_buffer = false;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, pipe->vdev.name);
++              return;
++      }
++
+       if (atomisp_is_vf_pipe(pipe))
+               return;
+@@ -4196,6 +4214,12 @@ int atomisp_set_parameters(struct video_device *vdev,
+       struct atomisp_css_params *css_param = &asd->params.css_param;
+       int ret;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (!asd->stream_env[ATOMISP_INPUT_STREAM_GENERAL].stream) {
+               dev_err(asd->isp->dev, "%s: internal error!\n", __func__);
+               return -EINVAL;
+@@ -4857,6 +4881,12 @@ int atomisp_try_fmt(struct video_device *vdev, struct v4l2_pix_format *f,
+       int source_pad = atomisp_subdev_source_pad(vdev);
+       int ret;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (!isp->inputs[asd->input_curr].camera)
+               return -EINVAL;
+@@ -5198,6 +5228,12 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev,
+       const struct atomisp_in_fmt_conv *fc;
+       int ret, i;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       v4l2_fh_init(&fh.vfh, vdev);
+       isp_sink_crop = atomisp_subdev_get_rect(
+@@ -5494,6 +5530,7 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev,
+                                 unsigned int dvs_env_w, unsigned int dvs_env_h)
+ {
+       struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
++      struct atomisp_video_pipe *pipe = atomisp_to_video_pipe(vdev);
+       const struct atomisp_format_bridge *format;
+       struct v4l2_subdev_pad_config pad_cfg;
+       struct v4l2_subdev_state pad_state = {
+@@ -5512,6 +5549,12 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev,
+       struct v4l2_subdev_fh fh;
+       int ret;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       v4l2_fh_init(&fh.vfh, vdev);
+       stream_index = atomisp_source_pad_to_stream_id(asd, source_pad);
+@@ -5602,6 +5645,12 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f)
+       struct v4l2_subdev_fh fh;
+       int ret;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (source_pad >= ATOMISP_SUBDEV_PADS_NUM)
+               return -EINVAL;
+@@ -6034,6 +6083,12 @@ int atomisp_set_fmt_file(struct video_device *vdev, struct v4l2_format *f)
+       struct v4l2_subdev_fh fh;
+       int ret;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       v4l2_fh_init(&fh.vfh, vdev);
+       dev_dbg(isp->dev, "setting fmt %ux%u 0x%x for file inject\n",
+@@ -6359,6 +6414,12 @@ bool atomisp_is_vf_pipe(struct atomisp_video_pipe *pipe)
+ {
+       struct atomisp_sub_device *asd = pipe->asd;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, pipe->vdev.name);
++              return false;
++      }
++
+       if (pipe == &asd->video_out_vf)
+               return true;
+@@ -6572,6 +6633,12 @@ static int atomisp_get_pipe_id(struct atomisp_video_pipe *pipe)
+ {
+       struct atomisp_sub_device *asd = pipe->asd;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, pipe->vdev.name);
++              return -EINVAL;
++      }
++
+       if (ATOMISP_USE_YUVPP(asd)) {
+               return IA_CSS_PIPE_ID_YUVPP;
+       } else if (asd->vfpp->val == ATOMISP_VFPP_DISABLE_SCALER) {
+@@ -6609,6 +6676,12 @@ int atomisp_get_invalid_frame_num(struct video_device *vdev,
+       struct ia_css_pipe_info p_info;
+       int ret;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (asd->isp->inputs[asd->input_curr].camera_caps->
+           sensor[asd->sensor_curr].stream_num > 1) {
+               /* External ISP */
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_fops.c b/drivers/staging/media/atomisp/pci/atomisp_fops.c
+index f82bf082aa796..02c19b92bdccb 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_fops.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_fops.c
+@@ -1171,6 +1171,12 @@ static int atomisp_mmap(struct file *file, struct vm_area_struct *vma)
+       u32 origin_size, new_size;
+       int ret;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (!(vma->vm_flags & (VM_WRITE | VM_READ)))
+               return -EACCES;
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+index c8a625667e81e..a57e640fbf791 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+@@ -646,6 +646,12 @@ static int atomisp_g_input(struct file *file, void *fh, unsigned int *input)
+       struct atomisp_device *isp = video_get_drvdata(vdev);
+       struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       rt_mutex_lock(&isp->mutex);
+       *input = asd->input_curr;
+       rt_mutex_unlock(&isp->mutex);
+@@ -665,6 +671,12 @@ static int atomisp_s_input(struct file *file, void *fh, unsigned int input)
+       struct v4l2_subdev *motor;
+       int ret;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       rt_mutex_lock(&isp->mutex);
+       if (input >= ATOM_ISP_MAX_INPUTS || input >= isp->input_cnt) {
+               dev_dbg(isp->dev, "input_cnt: %d\n", isp->input_cnt);
+@@ -765,6 +777,12 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh,
+       unsigned int i, fi = 0;
+       int rval;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       rt_mutex_lock(&isp->mutex);
+       rval = v4l2_subdev_call(isp->inputs[asd->input_curr].camera, pad,
+                               enum_mbus_code, NULL, &code);
+@@ -1027,6 +1045,12 @@ int __atomisp_reqbufs(struct file *file, void *fh,
+       u16 stream_id = atomisp_source_pad_to_stream_id(asd, source_pad);
+       int ret = 0, i = 0;
++      if (!asd) {
++              dev_err(pipe->isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (req->count == 0) {
+               mutex_lock(&pipe->capq.vb_lock);
+               if (!list_empty(&pipe->capq.stream))
+@@ -1154,6 +1178,12 @@ static int atomisp_qbuf(struct file *file, void *fh, struct v4l2_buffer *buf)
+       u32 pgnr;
+       int ret = 0;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       rt_mutex_lock(&isp->mutex);
+       if (isp->isp_fatal_error) {
+               ret = -EIO;
+@@ -1389,6 +1419,12 @@ static int atomisp_dqbuf(struct file *file, void *fh, struct v4l2_buffer *buf)
+       struct atomisp_device *isp = video_get_drvdata(vdev);
+       int ret = 0;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       rt_mutex_lock(&isp->mutex);
+       if (isp->isp_fatal_error) {
+@@ -1640,6 +1676,12 @@ static int atomisp_streamon(struct file *file, void *fh,
+       int ret = 0;
+       unsigned long irqflags;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       dev_dbg(isp->dev, "Start stream on pad %d for asd%d\n",
+               atomisp_subdev_source_pad(vdev), asd->index);
+@@ -1901,6 +1943,12 @@ int __atomisp_streamoff(struct file *file, void *fh, enum v4l2_buf_type type)
+       unsigned long flags;
+       bool first_streamoff = false;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       dev_dbg(isp->dev, "Stop stream on pad %d for asd%d\n",
+               atomisp_subdev_source_pad(vdev), asd->index);
+@@ -2150,6 +2198,12 @@ static int atomisp_g_ctrl(struct file *file, void *fh,
+       struct atomisp_device *isp = video_get_drvdata(vdev);
+       int i, ret = -EINVAL;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       for (i = 0; i < ctrls_num; i++) {
+               if (ci_v4l2_controls[i].id == control->id) {
+                       ret = 0;
+@@ -2229,6 +2283,12 @@ static int atomisp_s_ctrl(struct file *file, void *fh,
+       struct atomisp_device *isp = video_get_drvdata(vdev);
+       int i, ret = -EINVAL;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       for (i = 0; i < ctrls_num; i++) {
+               if (ci_v4l2_controls[i].id == control->id) {
+                       ret = 0;
+@@ -2310,6 +2370,12 @@ static int atomisp_queryctl(struct file *file, void *fh,
+       struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
+       struct atomisp_device *isp = video_get_drvdata(vdev);
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       switch (qc->id) {
+       case V4L2_CID_FOCUS_ABSOLUTE:
+       case V4L2_CID_FOCUS_RELATIVE:
+@@ -2355,6 +2421,12 @@ static int atomisp_camera_g_ext_ctrls(struct file *file, void *fh,
+       int i;
+       int ret = 0;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (!IS_ISP2401)
+               motor = isp->inputs[asd->input_curr].motor;
+       else
+@@ -2466,6 +2538,12 @@ static int atomisp_camera_s_ext_ctrls(struct file *file, void *fh,
+       int i;
+       int ret = 0;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (!IS_ISP2401)
+               motor = isp->inputs[asd->input_curr].motor;
+       else
+@@ -2591,6 +2669,12 @@ static int atomisp_g_parm(struct file *file, void *fh,
+       struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
+       struct atomisp_device *isp = video_get_drvdata(vdev);
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (parm->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+               dev_err(isp->dev, "unsupported v4l2 buf type\n");
+               return -EINVAL;
+@@ -2613,6 +2697,12 @@ static int atomisp_s_parm(struct file *file, void *fh,
+       int rval;
+       int fps;
++      if (!asd) {
++              dev_err(isp->dev, "%s(): asd is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       if (parm->type != V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+               dev_err(isp->dev, "unsupported v4l2 buf type\n");
+               return -EINVAL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-check-before-deference-asd-variable.patch b/queue-5.16/media-atomisp-check-before-deference-asd-variable.patch
new file mode 100644 (file)
index 0000000..9fe2101
--- /dev/null
@@ -0,0 +1,59 @@
+From 12dda31e5eaaa85c98263213d1301fec412a49f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 12:59:11 +0000
+Subject: media: atomisp: check before deference asd variable
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 71665d816214124d6bc4eb80314ac8f84ecacd78 ]
+
+The asd->isp was referenced before checking if asd is not
+NULL.
+
+This fixes this warning:
+
+       ../drivers/staging/media/atomisp/pci/atomisp_cmd.c:5548 atomisp_set_fmt_to_snr() warn: variable dereferenced before check 'asd' (see line 5540)
+
+While here, avoid getting the pipe pointer twice.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/atomisp_cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+index 75a531667d743..1ddb9c815a3cb 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+@@ -5529,8 +5529,8 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev,
+                                 unsigned int padding_w, unsigned int padding_h,
+                                 unsigned int dvs_env_w, unsigned int dvs_env_h)
+ {
+-      struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
+       struct atomisp_video_pipe *pipe = atomisp_to_video_pipe(vdev);
++      struct atomisp_sub_device *asd = pipe->asd;
+       const struct atomisp_format_bridge *format;
+       struct v4l2_subdev_pad_config pad_cfg;
+       struct v4l2_subdev_state pad_state = {
+@@ -5541,7 +5541,7 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev,
+       };
+       struct v4l2_mbus_framefmt *ffmt = &vformat.format;
+       struct v4l2_mbus_framefmt *req_ffmt;
+-      struct atomisp_device *isp = asd->isp;
++      struct atomisp_device *isp;
+       struct atomisp_input_stream_info *stream_info =
+           (struct atomisp_input_stream_info *)ffmt->reserved;
+       u16 stream_index = ATOMISP_INPUT_STREAM_GENERAL;
+@@ -5555,6 +5555,8 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev,
+               return -EINVAL;
+       }
++      isp = asd->isp;
++
+       v4l2_fh_init(&fh.vfh, vdev);
+       stream_index = atomisp_source_pad_to_stream_id(asd, source_pad);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-do-not-use-err-var-when-checking-port-.patch b/queue-5.16/media-atomisp-do-not-use-err-var-when-checking-port-.patch
new file mode 100644 (file)
index 0000000..e63ebc4
--- /dev/null
@@ -0,0 +1,64 @@
+From 0fafb4383f2cc3f399cb01ac57a2560ded1017be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:19:44 +0900
+Subject: media: atomisp: do not use err var when checking port validity for
+ ISP2400
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit 9f6b4fa2d2dfbff4b8a57eeb39b1128a6094ee20 ]
+
+Currently, the `port >= N_CSI_PORTS || err` checks for ISP2400 are always
+evaluated as true because the err variable is set to `-EINVAL` on
+declaration but the variable is never used until the evaluation.
+
+Looking at the diff of commit 3c0538fbad9f ("media: atomisp: get rid of
+most checks for ISP2401 version"), the `port >= N_CSI_PORTS` check is
+for ISP2400 and the err variable check is for ISP2401. Fix this issue
+by adding ISP version test there accordingly.
+
+Fixes: 3c0538fbad9f ("media: atomisp: get rid of most checks for ISP2401 version")
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css_mipi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css_mipi.c b/drivers/staging/media/atomisp/pci/sh_css_mipi.c
+index 483d40a467c74..65fc93c5d56bc 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css_mipi.c
++++ b/drivers/staging/media/atomisp/pci/sh_css_mipi.c
+@@ -430,7 +430,8 @@ allocate_mipi_frames(struct ia_css_pipe *pipe,
+       assert(port < N_CSI_PORTS);
+-      if (port >= N_CSI_PORTS || err) {
++      if ((!IS_ISP2401 && port >= N_CSI_PORTS) ||
++          (IS_ISP2401 && err)) {
+               ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE,
+                                   "allocate_mipi_frames(%p) exit: error: port is not correct (port=%d).\n",
+                                   pipe, port);
+@@ -559,7 +560,8 @@ free_mipi_frames(struct ia_css_pipe *pipe)
+               assert(port < N_CSI_PORTS);
+-              if (port >= N_CSI_PORTS || err) {
++              if ((!IS_ISP2401 && port >= N_CSI_PORTS) ||
++                  (IS_ISP2401 && err)) {
+                       ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE,
+                                           "free_mipi_frames(%p, %d) exit: error: pipe port is not correct.\n",
+                                           pipe, port);
+@@ -670,7 +672,8 @@ send_mipi_frames(struct ia_css_pipe *pipe)
+       assert(port < N_CSI_PORTS);
+-      if (port >= N_CSI_PORTS || err) {
++      if ((!IS_ISP2401 && port >= N_CSI_PORTS) ||
++          (IS_ISP2401 && err)) {
+               IA_CSS_ERROR("send_mipi_frames(%p) exit: invalid port specified (port=%d).\n",
+                            pipe, port);
+               return err;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-enum-formats-logic.patch b/queue-5.16/media-atomisp-fix-enum-formats-logic.patch
new file mode 100644 (file)
index 0000000..6609987
--- /dev/null
@@ -0,0 +1,82 @@
+From c1e76d52ee0f5f5b3735cf4cf784840c8b9e2207 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 09:06:52 +0100
+Subject: media: atomisp: fix enum formats logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit fae46cb0531b45c789e39128f676f2bafa3a7b47 ]
+
+Changeset 374d62e7aa50 ("media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument")
+added an extra verification for a pads parameter for enum mbus
+format code.
+
+Such change broke atomisp, because now the V4L2 core
+refuses to enum MBUS formats if the state is empty.
+
+So, add .which field in order to select the active formats,
+in order to make it work again.
+
+While here, improve error messages.
+
+Fixes: 374d62e7aa50 ("media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/atomisp/pci/atomisp_ioctl.c | 23 ++++++++++++++-----
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+index a57e640fbf791..29826f8e4143d 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+@@ -773,7 +773,10 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh,
+       struct video_device *vdev = video_devdata(file);
+       struct atomisp_device *isp = video_get_drvdata(vdev);
+       struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd;
+-      struct v4l2_subdev_mbus_code_enum code = { 0 };
++      struct v4l2_subdev_mbus_code_enum code = {
++              .which = V4L2_SUBDEV_FORMAT_ACTIVE,
++      };
++      struct v4l2_subdev *camera;
+       unsigned int i, fi = 0;
+       int rval;
+@@ -783,14 +786,20 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh,
+               return -EINVAL;
+       }
++      camera = isp->inputs[asd->input_curr].camera;
++      if(!camera) {
++              dev_err(isp->dev, "%s(): camera is NULL, device is %s\n",
++                      __func__, vdev->name);
++              return -EINVAL;
++      }
++
+       rt_mutex_lock(&isp->mutex);
+-      rval = v4l2_subdev_call(isp->inputs[asd->input_curr].camera, pad,
+-                              enum_mbus_code, NULL, &code);
++
++      rval = v4l2_subdev_call(camera, pad, enum_mbus_code, NULL, &code);
+       if (rval == -ENOIOCTLCMD) {
+               dev_warn(isp->dev,
+-                       "enum_mbus_code pad op not supported. Please fix your sensor driver!\n");
+-              //      rval = v4l2_subdev_call(isp->inputs[asd->input_curr].camera,
+-              //                              video, enum_mbus_fmt, 0, &code.code);
++                       "enum_mbus_code pad op not supported by %s. Please fix your sensor driver!\n",
++                       camera->name);
+       }
+       rt_mutex_unlock(&isp->mutex);
+@@ -820,6 +829,8 @@ static int atomisp_enum_fmt_cap(struct file *file, void *fh,
+               f->pixelformat = format->pixelformat;
+               return 0;
+       }
++      dev_err(isp->dev, "%s(): format for code %x not found.\n",
++              __func__, code.code);
+       return -EINVAL;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-ifdefs-in-sh_css.c.patch b/queue-5.16/media-atomisp-fix-ifdefs-in-sh_css.c.patch
new file mode 100644 (file)
index 0000000..51cb94b
--- /dev/null
@@ -0,0 +1,137 @@
+From 4e7dfec9b86b74e3fb9a7e3e5cb8f1630de1c9ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:19:47 +0900
+Subject: media: atomisp: fix ifdefs in sh_css.c
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit 5a1b2725558f8a3b4cbf0504f53cffae8e163034 ]
+
+ ## `if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG) {` case
+
+The intel-aero atomisp has `#if defined(IS_ISP_2400_SYSTEM)` [1]. It is
+to be defined in the following two places [2]:
+
+  - css/hive_isp_css_common/system_global.h
+  - css/css_2401_csi2p_system/system_global.h
+
+and the former file is to be included on ISP2400 devices, too. So, it
+is to be defined for both ISP2400 and ISP2401 devices.
+
+Because the upstreamed atomisp driver now supports only ISP2400 and
+ISP2401, just remove the ISP version test again. This matches the other
+upstream commits like 3c0538fbad9f ("media: atomisp: get rid of most
+checks for ISP2401 version").
+
+While here, moved the comment for define GP_ISEL_TPG_MODE to the
+appropriate place.
+
+[1] https://github.com/intel-aero/linux-kernel/blob/a1b673258feb915268377275130c5c5df0eafc82/drivers/media/pci/atomisp/css/sh_css.c#L552-L558
+[2] https://github.com/intel-aero/linux-kernel/search?q=IS_ISP_2400_SYSTEM
+
+  ## `isys_stream_descr->polling_mode` case
+
+This does not exist on the intel-aero atomisp. This is because it is
+based on css version irci_stable_candrpv_0415_20150521_0458.
+
+On the other hand, the upstreamed atomisp is based on the following css
+version depending on the ISP version using ifdefs:
+
+  - ISP2400: irci_stable_candrpv_0415_20150521_0458
+  - ISP2401: irci_master_20150911_0724
+
+The `isys_stream_descr->polling_mode` usage was added on updating css
+version to irci_master_20150701_0213 [3].
+
+So, it is not a ISP version specific thing, but css version specific
+thing. Because the upstreamed atomisp driver uses irci_master_20150911_0724
+for ISP2401, re-add the ISP version check for now.
+
+I say "for now" because ISP2401 should eventually use the same css
+version with ISP2400 (i.e., irci_stable_candrpv_0415_20150521_0458)
+
+[3] https://raw.githubusercontent.com/intel/ProductionKernelQuilts/cht-m1stable-2016_ww31/uefi/cht-m1stable/patches/cam-0439-atomisp2-css2401-and-2401_legacy-irci_master_2015070.patch
+    ("atomisp2: css2401 and 2401_legacy-irci_master_20150701_0213")
+    Link to Intel's Android kernel patch.
+
+ ## `coord = &me->config.internal_frame_origin_bqs_on_sctbl;` case
+
+it was added on commit 4f744a573db3 ("media: atomisp: make
+sh_css_sp_init_pipeline() ISP version independent") for ISP2401. Because
+the upstreamed atomisp for the ISP2401 part is based on
+irci_master_20150911_0724, hence the difference.
+
+Because the upstreamed atomisp driver uses irci_master_20150911_0724
+for ISP2401, revert the test back to `if (IS_ISP2401)`.
+
+Fixes: 27333dadef57 ("media: atomisp: adjust some code at sh_css that could be broken")
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css.c | 27 +++++++++-------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c
+index c4b35cbab3737..ba25d0da8b811 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css.c
++++ b/drivers/staging/media/atomisp/pci/sh_css.c
+@@ -522,6 +522,7 @@ ia_css_stream_input_format_bits_per_pixel(struct ia_css_stream *stream)
+       return bpp;
+ }
++/* TODO: move define to proper file in tools */
+ #define GP_ISEL_TPG_MODE 0x90058
+ #if !defined(ISP2401)
+@@ -573,12 +574,8 @@ sh_css_config_input_network(struct ia_css_stream *stream)
+               vblank_cycles = vblank_lines * (width + hblank_cycles);
+               sh_css_sp_configure_sync_gen(width, height, hblank_cycles,
+                                            vblank_cycles);
+-              if (!IS_ISP2401) {
+-                      if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG) {
+-                              /* TODO: move define to proper file in tools */
+-                              ia_css_device_store_uint32(GP_ISEL_TPG_MODE, 0);
+-                      }
+-              }
++              if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG)
++                      ia_css_device_store_uint32(GP_ISEL_TPG_MODE, 0);
+       }
+       ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE,
+                           "sh_css_config_input_network() leave:\n");
+@@ -1009,16 +1006,14 @@ static bool sh_css_translate_stream_cfg_to_isys_stream_descr(
+        * ia_css_isys_stream_capture_indication() instead of
+        * ia_css_pipeline_sp_wait_for_isys_stream_N() as isp processing of
+        * capture takes longer than getting an ISYS frame
+-       *
+-       * Only 2401 relevant ??
+        */
+-#if 0 // FIXME: NOT USED on Yocto Aero
+-      isys_stream_descr->polling_mode
+-          = early_polling ? INPUT_SYSTEM_POLL_ON_CAPTURE_REQUEST
+-            : INPUT_SYSTEM_POLL_ON_WAIT_FOR_FRAME;
+-      ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE,
+-                          "sh_css_translate_stream_cfg_to_isys_stream_descr() leave:\n");
+-#endif
++      if (IS_ISP2401) {
++              isys_stream_descr->polling_mode
++                  = early_polling ? INPUT_SYSTEM_POLL_ON_CAPTURE_REQUEST
++                    : INPUT_SYSTEM_POLL_ON_WAIT_FOR_FRAME;
++              ia_css_debug_dtrace(IA_CSS_DEBUG_TRACE_PRIVATE,
++                                  "sh_css_translate_stream_cfg_to_isys_stream_descr() leave:\n");
++      }
+       return rc;
+ }
+@@ -1433,7 +1428,7 @@ static void start_pipe(
+       assert(me); /* all callers are in this file and call with non null argument */
+-      if (!IS_ISP2401) {
++      if (IS_ISP2401) {
+               coord = &me->config.internal_frame_origin_bqs_on_sctbl;
+               params = me->stream->isp_params_configs;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch b/queue-5.16/media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch
new file mode 100644 (file)
index 0000000..caaa78d
--- /dev/null
@@ -0,0 +1,79 @@
+From 3a401a711a15b12f46e04ef21ed92f1cf0f63abe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:19:45 +0900
+Subject: media: atomisp: fix inverted error check for
+ ia_css_mipi_is_source_port_valid()
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit d21ce8c2f7bf6d737b60c09f86db141b9e8e47f0 ]
+
+The function ia_css_mipi_is_source_port_valid() returns true if the port
+is valid. So, we can't use the existing err variable as is.
+
+To fix this issue while reusing that variable, invert the return value
+when assigning it to the variable.
+
+Fixes: 3c0538fbad9f ("media: atomisp: get rid of most checks for ISP2401 version")
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/atomisp/pci/sh_css_mipi.c   | 24 ++++++++++++-------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css_mipi.c b/drivers/staging/media/atomisp/pci/sh_css_mipi.c
+index 65fc93c5d56bc..c1f2f6151c5f8 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css_mipi.c
++++ b/drivers/staging/media/atomisp/pci/sh_css_mipi.c
+@@ -423,10 +423,12 @@ allocate_mipi_frames(struct ia_css_pipe *pipe,
+               return 0; /* AM TODO: Check  */
+       }
+-      if (!IS_ISP2401)
++      if (!IS_ISP2401) {
+               port = (unsigned int)pipe->stream->config.source.port.port;
+-      else
+-              err = ia_css_mipi_is_source_port_valid(pipe, &port);
++      } else {
++              /* Returns true if port is valid. So, invert it */
++              err = !ia_css_mipi_is_source_port_valid(pipe, &port);
++      }
+       assert(port < N_CSI_PORTS);
+@@ -553,10 +555,12 @@ free_mipi_frames(struct ia_css_pipe *pipe)
+                       return err;
+               }
+-              if (!IS_ISP2401)
++              if (!IS_ISP2401) {
+                       port = (unsigned int)pipe->stream->config.source.port.port;
+-              else
+-                      err = ia_css_mipi_is_source_port_valid(pipe, &port);
++              } else {
++                      /* Returns true if port is valid. So, invert it */
++                      err = !ia_css_mipi_is_source_port_valid(pipe, &port);
++              }
+               assert(port < N_CSI_PORTS);
+@@ -665,10 +669,12 @@ send_mipi_frames(struct ia_css_pipe *pipe)
+               /* TODO: AM: maybe this should be returning an error. */
+       }
+-      if (!IS_ISP2401)
++      if (!IS_ISP2401) {
+               port = (unsigned int)pipe->stream->config.source.port.port;
+-      else
+-              err = ia_css_mipi_is_source_port_valid(pipe, &port);
++      } else {
++              /* Returns true if port is valid. So, invert it */
++              err = !ia_css_mipi_is_source_port_valid(pipe, &port);
++      }
+       assert(port < N_CSI_PORTS);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-inverted-logic-in-buffers_needed.patch b/queue-5.16/media-atomisp-fix-inverted-logic-in-buffers_needed.patch
new file mode 100644 (file)
index 0000000..1a3f6f3
--- /dev/null
@@ -0,0 +1,49 @@
+From ed3256b5c0a19d9108b7306b7afb0eb51aaf1703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:19:43 +0900
+Subject: media: atomisp: fix inverted logic in buffers_needed()
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit e1921cd14640f0f4d1fad5eb8e448c58a536415d ]
+
+When config.mode is IA_CSS_INPUT_MODE_BUFFERED_SENSOR, it rather needs
+buffers. Fix it by inverting the return value.
+
+Fixes: 3c0538fbad9f ("media: atomisp: get rid of most checks for ISP2401 version")
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css_mipi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css_mipi.c b/drivers/staging/media/atomisp/pci/sh_css_mipi.c
+index 75489f7d75eec..483d40a467c74 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css_mipi.c
++++ b/drivers/staging/media/atomisp/pci/sh_css_mipi.c
+@@ -374,17 +374,17 @@ static bool buffers_needed(struct ia_css_pipe *pipe)
+ {
+       if (!IS_ISP2401) {
+               if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_BUFFERED_SENSOR)
+-                      return false;
+-              else
+                       return true;
++              else
++                      return false;
+       }
+       if (pipe->stream->config.mode == IA_CSS_INPUT_MODE_BUFFERED_SENSOR ||
+           pipe->stream->config.mode == IA_CSS_INPUT_MODE_TPG ||
+           pipe->stream->config.mode == IA_CSS_INPUT_MODE_PRBS)
+-              return false;
++              return true;
+-      return true;
++      return false;
+ }
+ int
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch b/queue-5.16/media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch
new file mode 100644 (file)
index 0000000..9917173
--- /dev/null
@@ -0,0 +1,89 @@
+From 6967977217e5678e2fdcd10cbfb0df40444605d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 01:19:42 +0900
+Subject: media: atomisp: fix punit_ddr_dvfs_enable() argument for mrfld_power
+ up case
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit 5bfbf65fcca7325e4d89d289b3c286e11220e386 ]
+
+When comparing with intel-aero atomisp [1], it looks like
+punit_ddr_dvfs_enable() should take `false` as an argument on mrfld_power
+up case.
+
+Code from the intel-aero kernel [1]:
+
+        int atomisp_mrfld_power_down(struct atomisp_device *isp)
+        {
+        [...]
+               /*WA:Enable DVFS*/
+               if (IS_CHT)
+                       punit_ddr_dvfs_enable(true);
+
+        int atomisp_mrfld_power_up(struct atomisp_device *isp)
+        {
+        [...]
+               /*WA for PUNIT, if DVFS enabled, ISP timeout observed*/
+               if (IS_CHT)
+                       punit_ddr_dvfs_enable(false);
+
+This patch fixes the inverted argument as per the intel-aero code, as
+well as its comment. While here, fix space issues for comments in
+atomisp_mrfld_power().
+
+Note that it does not seem to be possible to unify the up/down cases for
+punit_ddr_dvfs_enable(), i.e., we can't do something like the following:
+
+        if (IS_CHT)
+               punit_ddr_dvfs_enable(!enable);
+
+because according to the intel-aero code [1], the DVFS is disabled
+before "writing 0x0 to ISPSSPM0 bit[1:0]" and the DVFS is enabled after
+"writing 0x3 to ISPSSPM0 bit[1:0]".
+
+[1] https://github.com/intel-aero/linux-kernel/blob/a1b673258feb915268377275130c5c5df0eafc82/drivers/media/pci/atomisp/atomisp_driver/atomisp_v4l2.c#L431-L514
+
+Fixes: 0f441fd70b1e ("media: atomisp: simplify the power down/up code")
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/atomisp_v4l2.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
+index 0511c454e769d..7982cc143374a 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
+@@ -711,15 +711,15 @@ static int atomisp_mrfld_power(struct atomisp_device *isp, bool enable)
+       dev_dbg(isp->dev, "IUNIT power-%s.\n", enable ? "on" : "off");
+-      /*WA:Enable DVFS*/
++      /* WA for P-Unit, if DVFS enabled, ISP timeout observed */
+       if (IS_CHT && enable)
+-              punit_ddr_dvfs_enable(true);
++              punit_ddr_dvfs_enable(false);
+       /*
+        * FIXME:WA for ECS28A, with this sleep, CTS
+        * android.hardware.camera2.cts.CameraDeviceTest#testCameraDeviceAbort
+        * PASS, no impact on other platforms
+-      */
++       */
+       if (IS_BYT && enable)
+               msleep(10);
+@@ -727,7 +727,7 @@ static int atomisp_mrfld_power(struct atomisp_device *isp, bool enable)
+       iosf_mbi_modify(BT_MBI_UNIT_PMC, MBI_REG_READ, MRFLD_ISPSSPM0,
+                       val, MRFLD_ISPSSPM0_ISPSSC_MASK);
+-      /*WA:Enable DVFS*/
++      /* WA:Enable DVFS */
+       if (IS_CHT && !enable)
+               punit_ddr_dvfs_enable(true);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-try_fmt-logic.patch b/queue-5.16/media-atomisp-fix-try_fmt-logic.patch
new file mode 100644 (file)
index 0000000..4d2a0f3
--- /dev/null
@@ -0,0 +1,115 @@
+From e726de4e6b8eee19db6266dc8a2e930b1e6e2a66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 11:45:27 +0000
+Subject: media: atomisp: fix try_fmt logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit c9e9094c4e42124af909b2f5f6ded0498e0854ac ]
+
+The internal try_fmt logic is not meant to provide everything
+that the V4L2 API should provide. Also, it doesn't decrement
+the pads that are used only internally by the driver, but aren't
+part of the device's output.
+
+Fix it.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/atomisp/pci/atomisp_ioctl.c | 72 ++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+index 29826f8e4143d..54624f8814e04 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+@@ -863,6 +863,72 @@ static int atomisp_g_fmt_file(struct file *file, void *fh,
+       return 0;
+ }
++static int atomisp_adjust_fmt(struct v4l2_format *f)
++{
++      const struct atomisp_format_bridge *format_bridge;
++      u32 padded_width;
++
++      format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat);
++
++      padded_width = f->fmt.pix.width + pad_w;
++
++      if (format_bridge->planar) {
++              f->fmt.pix.bytesperline = padded_width;
++              f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height *
++                                                DIV_ROUND_UP(format_bridge->depth *
++                                                padded_width, 8));
++      } else {
++              f->fmt.pix.bytesperline = DIV_ROUND_UP(format_bridge->depth *
++                                                    padded_width, 8);
++              f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height * f->fmt.pix.bytesperline);
++      }
++
++      if (f->fmt.pix.field == V4L2_FIELD_ANY)
++              f->fmt.pix.field = V4L2_FIELD_NONE;
++
++      format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat);
++      if (!format_bridge)
++              return -EINVAL;
++
++      /* Currently, raw formats are broken!!! */
++      if (format_bridge->sh_fmt == IA_CSS_FRAME_FORMAT_RAW) {
++              f->fmt.pix.pixelformat = V4L2_PIX_FMT_YUV420;
++
++              format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat);
++              if (!format_bridge)
++                      return -EINVAL;
++      }
++
++      padded_width = f->fmt.pix.width + pad_w;
++
++      if (format_bridge->planar) {
++              f->fmt.pix.bytesperline = padded_width;
++              f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height *
++                                                DIV_ROUND_UP(format_bridge->depth *
++                                                padded_width, 8));
++      } else {
++              f->fmt.pix.bytesperline = DIV_ROUND_UP(format_bridge->depth *
++                                                    padded_width, 8);
++              f->fmt.pix.sizeimage = PAGE_ALIGN(f->fmt.pix.height * f->fmt.pix.bytesperline);
++      }
++
++      if (f->fmt.pix.field == V4L2_FIELD_ANY)
++              f->fmt.pix.field = V4L2_FIELD_NONE;
++
++      /*
++       * FIXME: do we need to setup this differently, depending on the
++       * sensor or the pipeline?
++       */
++      f->fmt.pix.colorspace = V4L2_COLORSPACE_REC709;
++      f->fmt.pix.ycbcr_enc = V4L2_YCBCR_ENC_709;
++      f->fmt.pix.xfer_func = V4L2_XFER_FUNC_709;
++
++      f->fmt.pix.width -= pad_w;
++      f->fmt.pix.height -= pad_h;
++
++      return 0;
++}
++
+ /* This function looks up the closest available resolution. */
+ static int atomisp_try_fmt_cap(struct file *file, void *fh,
+                              struct v4l2_format *f)
+@@ -874,7 +940,11 @@ static int atomisp_try_fmt_cap(struct file *file, void *fh,
+       rt_mutex_lock(&isp->mutex);
+       ret = atomisp_try_fmt(vdev, &f->fmt.pix, NULL);
+       rt_mutex_unlock(&isp->mutex);
+-      return ret;
++
++      if (ret)
++              return ret;
++
++      return atomisp_adjust_fmt(f);
+ }
+ static int atomisp_s_fmt_cap(struct file *file, void *fh,
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch b/queue-5.16/media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch
new file mode 100644 (file)
index 0000000..d034e75
--- /dev/null
@@ -0,0 +1,38 @@
+From cb6b0cabbc6a936a357754c0d0ee98e787ad6f53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Oct 2021 09:21:50 +0100
+Subject: media: atomisp: fix uninitialized bug in gmin_get_pmic_id_and_addr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit cb4d67a998e97365afdf34965b069601da1dae60 ]
+
+The "power" pointer is not initialized on the else path and that would
+lead to an Oops.
+
+Link: https://lore.kernel.org/linux-media/20211012082150.GA31086@kili
+Fixes: c30f4cb2d4c7 ("media: atomisp: Refactor PMIC detection to a separate function")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+index d8c9e31314b2e..62dc06e224765 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+@@ -481,7 +481,7 @@ fail:
+ static u8 gmin_get_pmic_id_and_addr(struct device *dev)
+ {
+-      struct i2c_client *power;
++      struct i2c_client *power = NULL;
+       static u8 pmic_i2c_addr;
+       if (pmic_id)
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-fix-variable-dereferenced-before-check.patch b/queue-5.16/media-atomisp-fix-variable-dereferenced-before-check.patch
new file mode 100644 (file)
index 0000000..b41bf18
--- /dev/null
@@ -0,0 +1,69 @@
+From 12b12bf30e7aa981e1c95d438f499e31d749bc50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 15:19:04 +0100
+Subject: media: atomisp: fix "variable dereferenced before check 'asd'"
+
+From: Tsuchiya Yuto <kitakar@gmail.com>
+
+[ Upstream commit ac56760a8bbb4e654b2fd54e5de79dd5d72f937d ]
+
+There are two occurrences where the variable 'asd' is dereferenced
+before check. Fix this issue by using the variable after the check.
+
+Link: https://lore.kernel.org/linux-media/20211122074122.GA6581@kili/
+
+Link: https://lore.kernel.org/linux-media/20211201141904.47231-1-kitakar@gmail.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/atomisp_cmd.c   | 3 ++-
+ drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+index 1ddb9c815a3cb..ef0b0963cf930 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+@@ -5224,7 +5224,7 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev,
+       int (*configure_pp_input)(struct atomisp_sub_device *asd,
+                                 unsigned int width, unsigned int height) =
+                                     configure_pp_input_nop;
+-      u16 stream_index = atomisp_source_pad_to_stream_id(asd, source_pad);
++      u16 stream_index;
+       const struct atomisp_in_fmt_conv *fc;
+       int ret, i;
+@@ -5233,6 +5233,7 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev,
+                       __func__, vdev->name);
+               return -EINVAL;
+       }
++      stream_index = atomisp_source_pad_to_stream_id(asd, source_pad);
+       v4l2_fh_init(&fh.vfh, vdev);
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+index 54624f8814e04..b7dda4b96d49c 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c
+@@ -1123,7 +1123,7 @@ int __atomisp_reqbufs(struct file *file, void *fh,
+       struct ia_css_frame *frame;
+       struct videobuf_vmalloc_memory *vm_mem;
+       u16 source_pad = atomisp_subdev_source_pad(vdev);
+-      u16 stream_id = atomisp_source_pad_to_stream_id(asd, source_pad);
++      u16 stream_id;
+       int ret = 0, i = 0;
+       if (!asd) {
+@@ -1131,6 +1131,7 @@ int __atomisp_reqbufs(struct file *file, void *fh,
+                       __func__, vdev->name);
+               return -EINVAL;
+       }
++      stream_id = atomisp_source_pad_to_stream_id(asd, source_pad);
+       if (req->count == 0) {
+               mutex_lock(&pipe->capq.vb_lock);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch b/queue-5.16/media-atomisp-handle-errors-at-sh_css_create_isp_par.patch
new file mode 100644 (file)
index 0000000..97c4bcb
--- /dev/null
@@ -0,0 +1,53 @@
+From 9a4e1abd41bfc983d0c44a47c669ff7785eb2628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Nov 2021 23:04:09 +0000
+Subject: media: atomisp: handle errors at sh_css_create_isp_params()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 58043dbf6d1ae9deab4f5aa1e039c70112017682 ]
+
+The succ var tracks memory allocation erros on this function.
+
+Fix it, in order to stop this W=1 Werror in clang:
+
+drivers/staging/media/atomisp/pci/sh_css_params.c:2430:7: error: variable 'succ' set but not used [-Werror,-Wunused-but-set-variable]
+        bool succ = true;
+             ^
+
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css_params.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/staging/media/atomisp/pci/sh_css_params.c
+index dbd3bfe3d343c..ccc0078795648 100644
+--- a/drivers/staging/media/atomisp/pci/sh_css_params.c
++++ b/drivers/staging/media/atomisp/pci/sh_css_params.c
+@@ -2431,7 +2431,7 @@ sh_css_create_isp_params(struct ia_css_stream *stream,
+       unsigned int i;
+       struct sh_css_ddr_address_map *ddr_ptrs;
+       struct sh_css_ddr_address_map_size *ddr_ptrs_size;
+-      int err = 0;
++      int err;
+       size_t params_size;
+       struct ia_css_isp_parameters *params =
+       kvmalloc(sizeof(struct ia_css_isp_parameters), GFP_KERNEL);
+@@ -2473,7 +2473,11 @@ sh_css_create_isp_params(struct ia_css_stream *stream,
+       succ &= (ddr_ptrs->macc_tbl != mmgr_NULL);
+       *isp_params_out = params;
+-      return err;
++
++      if (!succ)
++              return -ENOMEM;
++
++      return 0;
+ }
+ static bool
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch b/queue-5.16/media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch
new file mode 100644 (file)
index 0000000..3a5e577
--- /dev/null
@@ -0,0 +1,139 @@
+From 91f54a56f129b4ae115ca235f582da16a953f2a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Nov 2021 17:15:48 +0000
+Subject: media: atomisp-ov2680: Fix ov2680_set_fmt() clobbering the exposure
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 4492289c31364d28c2680b43b18883385a5d216c ]
+
+Now that we restore the default or last user set exposure setting on
+power_up() there is no need for the registers written by ov2680_set_fmt()
+to write to the exposure register.
+
+Not doing so fixes the exposure always being reset to the value from
+the res->regs array after a set_fmt().
+
+Link: https://lore.kernel.org/linux-media/20211107171549.267583-11-hdegoede@redhat.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/i2c/ov2680.h | 24 ----------------------
+ 1 file changed, 24 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/i2c/ov2680.h b/drivers/staging/media/atomisp/i2c/ov2680.h
+index 874115f35fcad..798b28e134b64 100644
+--- a/drivers/staging/media/atomisp/i2c/ov2680.h
++++ b/drivers/staging/media/atomisp/i2c/ov2680.h
+@@ -289,8 +289,6 @@ static struct ov2680_reg const ov2680_global_setting[] = {
+  */
+ static struct ov2680_reg const ov2680_QCIF_30fps[] = {
+       {0x3086, 0x01},
+-      {0x3501, 0x24},
+-      {0x3502, 0x40},
+       {0x370a, 0x23},
+       {0x3801, 0xa0},
+       {0x3802, 0x00},
+@@ -334,8 +332,6 @@ static struct ov2680_reg const ov2680_QCIF_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_CIF_30fps[] = {
+       {0x3086, 0x01},
+-      {0x3501, 0x24},
+-      {0x3502, 0x40},
+       {0x370a, 0x23},
+       {0x3801, 0xa0},
+       {0x3802, 0x00},
+@@ -377,8 +373,6 @@ static struct ov2680_reg const ov2680_CIF_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_QVGA_30fps[] = {
+       {0x3086, 0x01},
+-      {0x3501, 0x24},
+-      {0x3502, 0x40},
+       {0x370a, 0x23},
+       {0x3801, 0xa0},
+       {0x3802, 0x00},
+@@ -420,8 +414,6 @@ static struct ov2680_reg const ov2680_QVGA_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_656x496_30fps[] = {
+       {0x3086, 0x01},
+-      {0x3501, 0x24},
+-      {0x3502, 0x40},
+       {0x370a, 0x23},
+       {0x3801, 0xa0},
+       {0x3802, 0x00},
+@@ -463,8 +455,6 @@ static struct ov2680_reg const ov2680_656x496_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_720x592_30fps[] = {
+       {0x3086, 0x01},
+-      {0x3501, 0x26},
+-      {0x3502, 0x40},
+       {0x370a, 0x23},
+       {0x3801, 0x00}, // X_ADDR_START;
+       {0x3802, 0x00},
+@@ -508,8 +498,6 @@ static struct ov2680_reg const ov2680_720x592_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_800x600_30fps[] = {
+       {0x3086, 0x01},
+-      {0x3501, 0x26},
+-      {0x3502, 0x40},
+       {0x370a, 0x23},
+       {0x3801, 0x00},
+       {0x3802, 0x00},
+@@ -551,8 +539,6 @@ static struct ov2680_reg const ov2680_800x600_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_720p_30fps[] = {
+       {0x3086, 0x00},
+-      {0x3501, 0x48},
+-      {0x3502, 0xe0},
+       {0x370a, 0x21},
+       {0x3801, 0xa0},
+       {0x3802, 0x00},
+@@ -594,8 +580,6 @@ static struct ov2680_reg const ov2680_720p_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_1296x976_30fps[] = {
+       {0x3086, 0x00},
+-      {0x3501, 0x48},
+-      {0x3502, 0xe0},
+       {0x370a, 0x21},
+       {0x3801, 0xa0},
+       {0x3802, 0x00},
+@@ -637,8 +621,6 @@ static struct ov2680_reg const ov2680_1296x976_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_1456x1096_30fps[] = {
+       {0x3086, 0x00},
+-      {0x3501, 0x48},
+-      {0x3502, 0xe0},
+       {0x370a, 0x21},
+       {0x3801, 0x90},
+       {0x3802, 0x00},
+@@ -682,8 +664,6 @@ static struct ov2680_reg const ov2680_1456x1096_30fps[] = {
+ static struct ov2680_reg const ov2680_1616x916_30fps[] = {
+       {0x3086, 0x00},
+-      {0x3501, 0x48},
+-      {0x3502, 0xe0},
+       {0x370a, 0x21},
+       {0x3801, 0x00},
+       {0x3802, 0x00},
+@@ -726,8 +706,6 @@ static struct ov2680_reg const ov2680_1616x916_30fps[] = {
+ #if 0
+ static struct ov2680_reg const ov2680_1616x1082_30fps[] = {
+       {0x3086, 0x00},
+-      {0x3501, 0x48},
+-      {0x3502, 0xe0},
+       {0x370a, 0x21},
+       {0x3801, 0x00},
+       {0x3802, 0x00},
+@@ -769,8 +747,6 @@ static struct ov2680_reg const ov2680_1616x1082_30fps[] = {
+  */
+ static struct ov2680_reg const ov2680_1616x1216_30fps[] = {
+       {0x3086, 0x00},
+-      {0x3501, 0x48},
+-      {0x3502, 0xe0},
+       {0x370a, 0x21},
+       {0x3801, 0x00},
+       {0x3802, 0x00},
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-atomisp-set-per-device-s-default-mode.patch b/queue-5.16/media-atomisp-set-per-device-s-default-mode.patch
new file mode 100644 (file)
index 0000000..38bf2ec
--- /dev/null
@@ -0,0 +1,158 @@
+From 78472d9e13f2fe1267914ba72dfd8bf7e9475277 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 08:09:39 +0100
+Subject: media: atomisp: set per-device's default mode
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 2c45e343c581091835c9047ed5298518aa133163 ]
+
+The atomisp driver originally used the s_parm command to
+initialize the run_mode type to the driver. So, before start
+setting up the streaming, s_parm should be called.
+
+So, even having 5 "normal" video devices, one meant to be used
+for each type, the run_mode was actually selected when
+s_parm is called.
+
+Without setting the run mode, applications that don't call
+VIDIOC_SET_PARM with a custom atomisp parameters won't work, as
+the pipeline won't be set:
+
+       atomisp-isp2 0000:00:03.0: can't create streams
+       atomisp-isp2 0000:00:03.0: __get_frame_info 1600x1200 (padded to 0) returned -22
+
+However, commit 8a7c5594c020 ("media: v4l2-ioctl: clear fields in s_parm")
+broke support for it, with a good reason, as drivers shoudn't be
+extending the API for their own purposes.
+
+So, as an step to allow generic apps to use this driver, put
+the device's run_mode in preview after open.
+
+After this patch, using v4l2grab starts to work on preview
+mode (/dev/video2):
+
+       $ v4l2grab -f YUYV -x 1600 -y 1200 -d /dev/video2 -n 1 -u
+       $ feh out000.pnm
+
+So, let's just setup the default run_mode that each video devnode
+should assume, setting it at open() time.
+
+Reported-by: Tsuchiya Yuto <kitakar@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/atomisp/pci/atomisp_fops.c  |  5 +++++
+ .../staging/media/atomisp/pci/atomisp_subdev.c    | 15 ++++++++++-----
+ .../staging/media/atomisp/pci/atomisp_subdev.h    |  3 +++
+ drivers/staging/media/atomisp/pci/atomisp_v4l2.c  |  4 +++-
+ drivers/staging/media/atomisp/pci/atomisp_v4l2.h  |  3 ++-
+ 5 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_fops.c b/drivers/staging/media/atomisp/pci/atomisp_fops.c
+index 02c19b92bdccb..18fff47bd25d2 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_fops.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_fops.c
+@@ -877,6 +877,11 @@ done:
+       else
+               pipe->users++;
+       rt_mutex_unlock(&isp->mutex);
++
++      /* Ensure that a mode is set */
++      if (asd)
++              v4l2_ctrl_s_ctrl(asd->run_mode, pipe->default_run_mode);
++
+       return 0;
+ css_error:
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_subdev.c b/drivers/staging/media/atomisp/pci/atomisp_subdev.c
+index 12f22ad007c73..ffaf11e0b0ad8 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_subdev.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_subdev.c
+@@ -1164,23 +1164,28 @@ static int isp_subdev_init_entities(struct atomisp_sub_device *asd)
+       atomisp_init_acc_pipe(asd, &asd->video_acc);
+-      ret = atomisp_video_init(&asd->video_in, "MEMORY");
++      ret = atomisp_video_init(&asd->video_in, "MEMORY",
++                               ATOMISP_RUN_MODE_SDV);
+       if (ret < 0)
+               return ret;
+-      ret = atomisp_video_init(&asd->video_out_capture, "CAPTURE");
++      ret = atomisp_video_init(&asd->video_out_capture, "CAPTURE",
++                               ATOMISP_RUN_MODE_STILL_CAPTURE);
+       if (ret < 0)
+               return ret;
+-      ret = atomisp_video_init(&asd->video_out_vf, "VIEWFINDER");
++      ret = atomisp_video_init(&asd->video_out_vf, "VIEWFINDER",
++                               ATOMISP_RUN_MODE_CONTINUOUS_CAPTURE);
+       if (ret < 0)
+               return ret;
+-      ret = atomisp_video_init(&asd->video_out_preview, "PREVIEW");
++      ret = atomisp_video_init(&asd->video_out_preview, "PREVIEW",
++                               ATOMISP_RUN_MODE_PREVIEW);
+       if (ret < 0)
+               return ret;
+-      ret = atomisp_video_init(&asd->video_out_video_capture, "VIDEO");
++      ret = atomisp_video_init(&asd->video_out_video_capture, "VIDEO",
++                               ATOMISP_RUN_MODE_VIDEO);
+       if (ret < 0)
+               return ret;
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_subdev.h b/drivers/staging/media/atomisp/pci/atomisp_subdev.h
+index d6fcfab6352d7..a8d210ea5f8be 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_subdev.h
++++ b/drivers/staging/media/atomisp/pci/atomisp_subdev.h
+@@ -81,6 +81,9 @@ struct atomisp_video_pipe {
+       /* the link list to store per_frame parameters */
+       struct list_head per_frame_params;
++      /* Store here the initial run mode */
++      unsigned int default_run_mode;
++
+       unsigned int buffers_in_css;
+       /* irq_lock is used to protect video buffer state change operations and
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
+index 7982cc143374a..14c39b8987c95 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.c
+@@ -447,7 +447,8 @@ const struct atomisp_dfs_config dfs_config_cht_soc = {
+       .dfs_table_size = ARRAY_SIZE(dfs_rules_cht_soc),
+ };
+-int atomisp_video_init(struct atomisp_video_pipe *video, const char *name)
++int atomisp_video_init(struct atomisp_video_pipe *video, const char *name,
++                     unsigned int run_mode)
+ {
+       int ret;
+       const char *direction;
+@@ -478,6 +479,7 @@ int atomisp_video_init(struct atomisp_video_pipe *video, const char *name)
+                "ATOMISP ISP %s %s", name, direction);
+       video->vdev.release = video_device_release_empty;
+       video_set_drvdata(&video->vdev, video->isp);
++      video->default_run_mode = run_mode;
+       return 0;
+ }
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_v4l2.h b/drivers/staging/media/atomisp/pci/atomisp_v4l2.h
+index 81bb356b81720..72611b8286a4a 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_v4l2.h
++++ b/drivers/staging/media/atomisp/pci/atomisp_v4l2.h
+@@ -27,7 +27,8 @@ struct v4l2_device;
+ struct atomisp_device;
+ struct firmware;
+-int atomisp_video_init(struct atomisp_video_pipe *video, const char *name);
++int atomisp_video_init(struct atomisp_video_pipe *video, const char *name,
++                     unsigned int run_mode);
+ void atomisp_acc_init(struct atomisp_acc_pipe *video, const char *name);
+ void atomisp_video_unregister(struct atomisp_video_pipe *video);
+ void atomisp_acc_unregister(struct atomisp_acc_pipe *video);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch b/queue-5.16/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch
new file mode 100644 (file)
index 0000000..e577b8a
--- /dev/null
@@ -0,0 +1,163 @@
+From 458bcfa567077bf3ae6907592163d529040aef78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 10:00:03 +0100
+Subject: media: b2c2: Add missing check in flexcop_pci_isr:
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit b13203032e679674c7c518f52a7ec0801ca3a829 ]
+
+A out-of-bounds bug can be triggered by an interrupt, the reason for
+this bug is the lack of checking of register values.
+
+In flexcop_pci_isr, the driver reads value from a register and uses it as
+a dma address. Finally, this address will be passed to the count parameter
+of find_next_packet. If this value is larger than the size of dma, the
+index of buffer will be out-of-bounds.
+
+Fix this by adding a check after reading the value of the register.
+
+The following KASAN report reveals it:
+
+BUG: KASAN: slab-out-of-bounds in find_next_packet
+drivers/media/dvb-core/dvb_demux.c:528 [inline]
+BUG: KASAN: slab-out-of-bounds in _dvb_dmx_swfilter
+drivers/media/dvb-core/dvb_demux.c:572 [inline]
+BUG: KASAN: slab-out-of-bounds in dvb_dmx_swfilter+0x3fa/0x420
+drivers/media/dvb-core/dvb_demux.c:603
+Read of size 1 at addr ffff8880608c00a0 by task swapper/2/0
+
+CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef #25
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xec/0x156 lib/dump_stack.c:118
+ print_address_description+0x78/0x290 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x25b/0x380 mm/kasan/report.c:412
+ __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:430
+ find_next_packet drivers/media/dvb-core/dvb_demux.c:528 [inline]
+ _dvb_dmx_swfilter drivers/media/dvb-core/dvb_demux.c:572 [inline]
+ dvb_dmx_swfilter+0x3fa/0x420 drivers/media/dvb-core/dvb_demux.c:603
+ flexcop_pass_dmx_data+0x2e/0x40 drivers/media/common/b2c2/flexcop.c:167
+ flexcop_pci_isr+0x3d1/0x5d0 drivers/media/pci/b2c2/flexcop-pci.c:212
+ __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149
+ handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189
+ handle_irq_event+0xac/0x140 kernel/irq/handle.c:206
+ handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725
+ generic_handle_irq_desc include/linux/irqdesc.h:155 [inline]
+ handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87
+ do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
+ </IRQ>
+RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61
+Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 62 2f 8c 48 89 e5 e8 fb 31
+e8 f8 8b 05 75 4f 8e 03 85 c0 7e 07 0f 00 2d 8a 61 66 00 fb f4 <5d> c3
+90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41
+RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde
+RAX: 0000000000000000 RBX: ffffffff8bde44c8 RCX: ffffffff88a11285
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2f6200
+RBP: ffff88806b71fcc8 R08: fffffbfff185ec40 R09: fffffbfff185ec40
+R10: 0000000000000001 R11: fffffbfff185ec40 R12: 0000000000000002
+R13: ffffffff8be9d6e0 R14: 0000000000000000 R15: 0000000000000000
+ arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
+ default_idle+0x6f/0x360 arch/x86/kernel/process.c:557
+ arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548
+ default_idle_call+0x3b/0x60 kernel/sched/idle.c:93
+ cpuidle_idle_call kernel/sched/idle.c:153 [inline]
+ do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263
+ cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369
+ start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
+
+Allocated by task 1:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x11/0x20 mm/kasan/kasan.c:490
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2741 [inline]
+ slab_alloc mm/slub.c:2749 [inline]
+ kmem_cache_alloc+0xeb/0x280 mm/slub.c:2754
+ kmem_cache_zalloc include/linux/slab.h:699 [inline]
+ __kernfs_new_node+0xe2/0x6f0 fs/kernfs/dir.c:633
+ kernfs_new_node+0x9a/0x120 fs/kernfs/dir.c:693
+ __kernfs_create_file+0x5f/0x340 fs/kernfs/file.c:992
+ sysfs_add_file_mode_ns+0x22a/0x4e0 fs/sysfs/file.c:306
+ create_files fs/sysfs/group.c:63 [inline]
+ internal_create_group+0x34e/0xc30 fs/sysfs/group.c:147
+ sysfs_create_group fs/sysfs/group.c:173 [inline]
+ sysfs_create_groups+0x9c/0x140 fs/sysfs/group.c:200
+ driver_add_groups+0x3e/0x50 drivers/base/driver.c:129
+ bus_add_driver+0x3a5/0x790 drivers/base/bus.c:684
+ driver_register+0x1cd/0x410 drivers/base/driver.c:170
+ __pci_register_driver+0x197/0x200 drivers/pci/pci-driver.c:1411
+ cx88_audio_pci_driver_init+0x23/0x25 drivers/media/pci/cx88/cx88-alsa.c:
+ 1017
+ do_one_initcall+0xe0/0x610 init/main.c:884
+ do_initcall_level init/main.c:952 [inline]
+ do_initcalls init/main.c:960 [inline]
+ do_basic_setup init/main.c:978 [inline]
+ kernel_init_freeable+0x4d0/0x592 init/main.c:1145
+ kernel_init+0x18/0x190 init/main.c:1062
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Freed by task 0:
+(stack is not available)
+
+The buggy address belongs to the object at ffff8880608c0000
+ which belongs to the cache kernfs_node_cache of size 160
+The buggy address is located 0 bytes to the right of
+ 160-byte region [ffff8880608c0000, ffff8880608c00a0)
+The buggy address belongs to the page:
+page:ffffea0001823000 count:1 mapcount:0 mapping:ffff88806bed1e00
+index:0x0 compound_mapcount: 0
+flags: 0x100000000008100(slab|head)
+raw: 0100000000008100 dead000000000100 dead000000000200 ffff88806bed1e00
+raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880608bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8880608c0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8880608c0080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
+                               ^
+ ffff8880608c0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8880608c0180: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+==================================================================
+
+Link: https://lore.kernel.org/linux-media/1620723603-30912-1-git-send-email-zheyuma97@gmail.com
+Reported-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/b2c2/flexcop-pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/pci/b2c2/flexcop-pci.c b/drivers/media/pci/b2c2/flexcop-pci.c
+index 6a4c7cb0ad0f9..486c8ec0fa60d 100644
+--- a/drivers/media/pci/b2c2/flexcop-pci.c
++++ b/drivers/media/pci/b2c2/flexcop-pci.c
+@@ -185,6 +185,8 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id)
+               dma_addr_t cur_addr =
+                       fc->read_ibi_reg(fc,dma1_008).dma_0x8.dma_cur_addr << 2;
+               u32 cur_pos = cur_addr - fc_pci->dma[0].dma_addr0;
++              if (cur_pos > fc_pci->dma[0].size * 2)
++                      goto error;
+               deb_irq("%u irq: %08x cur_addr: %llx: cur_pos: %08x, last_cur_pos: %08x ",
+                               jiffies_to_usecs(jiffies - fc_pci->last_irq),
+@@ -225,6 +227,7 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id)
+               ret = IRQ_NONE;
+       }
++error:
+       spin_unlock_irqrestore(&fc_pci->irq_lock, flags);
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch b/queue-5.16/media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..7f50927
--- /dev/null
@@ -0,0 +1,95 @@
+From df7294c8e22feaa219f5cb7ca528cb03c0f365e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 11:41:20 +0100
+Subject: media: coda: fix CODA960 JPEG encoder buffer overflow
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+[ Upstream commit 1a59cd88f55068710f6549bee548846661673780 ]
+
+Stop the CODA960 JPEG encoder from overflowing capture buffers.
+The bitstream buffer overflow interrupt doesn't seem to be connected,
+so this has to be handled via timeout instead.
+
+Reported-by: Martin Weber <martin.weber@br-automation.com>
+Fixes: 96f6f62c4656 ("media: coda: jpeg: add CODA960 JPEG encoder support")
+Tested-by: Martin Weber <martin.weber@br-automation.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-common.c |  8 +++++---
+ drivers/media/platform/coda/coda-jpeg.c   | 21 ++++++++++++++++++++-
+ 2 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
+index 0e312b0842d7f..9a2640a9c75c6 100644
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -1537,11 +1537,13 @@ static void coda_pic_run_work(struct work_struct *work)
+       if (!wait_for_completion_timeout(&ctx->completion,
+                                        msecs_to_jiffies(1000))) {
+-              dev_err(dev->dev, "CODA PIC_RUN timeout\n");
++              if (ctx->use_bit) {
++                      dev_err(dev->dev, "CODA PIC_RUN timeout\n");
+-              ctx->hold = true;
++                      ctx->hold = true;
+-              coda_hw_reset(ctx);
++                      coda_hw_reset(ctx);
++              }
+               if (ctx->ops->run_timeout)
+                       ctx->ops->run_timeout(ctx);
+diff --git a/drivers/media/platform/coda/coda-jpeg.c b/drivers/media/platform/coda/coda-jpeg.c
+index b11cfbe166dd3..a72f4655e5ad5 100644
+--- a/drivers/media/platform/coda/coda-jpeg.c
++++ b/drivers/media/platform/coda/coda-jpeg.c
+@@ -1127,7 +1127,8 @@ static int coda9_jpeg_prepare_encode(struct coda_ctx *ctx)
+       coda_write(dev, 0, CODA9_REG_JPEG_GBU_BT_PTR);
+       coda_write(dev, 0, CODA9_REG_JPEG_GBU_WD_PTR);
+       coda_write(dev, 0, CODA9_REG_JPEG_GBU_BBSR);
+-      coda_write(dev, 0, CODA9_REG_JPEG_BBC_STRM_CTRL);
++      coda_write(dev, BIT(31) | ((end_addr - start_addr - header_len) / 256),
++                 CODA9_REG_JPEG_BBC_STRM_CTRL);
+       coda_write(dev, 0, CODA9_REG_JPEG_GBU_CTRL);
+       coda_write(dev, 0, CODA9_REG_JPEG_GBU_FF_RPTR);
+       coda_write(dev, 127, CODA9_REG_JPEG_GBU_BBER);
+@@ -1257,6 +1258,23 @@ static void coda9_jpeg_finish_encode(struct coda_ctx *ctx)
+       coda_hw_reset(ctx);
+ }
++static void coda9_jpeg_encode_timeout(struct coda_ctx *ctx)
++{
++      struct coda_dev *dev = ctx->dev;
++      u32 end_addr, wr_ptr;
++
++      /* Handle missing BBC overflow interrupt via timeout */
++      end_addr = coda_read(dev, CODA9_REG_JPEG_BBC_END_ADDR);
++      wr_ptr = coda_read(dev, CODA9_REG_JPEG_BBC_WR_PTR);
++      if (wr_ptr >= end_addr - 256) {
++              v4l2_err(&dev->v4l2_dev, "JPEG too large for capture buffer\n");
++              coda9_jpeg_finish_encode(ctx);
++              return;
++      }
++
++      coda_hw_reset(ctx);
++}
++
+ static void coda9_jpeg_release(struct coda_ctx *ctx)
+ {
+       int i;
+@@ -1276,6 +1294,7 @@ const struct coda_context_ops coda9_jpeg_encode_ops = {
+       .start_streaming = coda9_jpeg_start_encoding,
+       .prepare_run = coda9_jpeg_prepare_encode,
+       .finish_run = coda9_jpeg_finish_encode,
++      .run_timeout = coda9_jpeg_encode_timeout,
+       .release = coda9_jpeg_release,
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch b/queue-5.16/media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch
new file mode 100644 (file)
index 0000000..82a3f73
--- /dev/null
@@ -0,0 +1,41 @@
+From bbd3c68235ad2abbad3c3c1480fa2c8aafba45d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 03:22:01 +0100
+Subject: media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 43f0633f89947df57fe0b5025bdd741768007708 ]
+
+The return value of dma_set_coherent_mask() is not always 0.
+To catch the exception in case that dma is not support the mask.
+
+Link: https://lore.kernel.org/linux-media/20211206022201.1639460-1-jiasheng@iscas.ac.cn
+Fixes: b0444f18e0b1 ("[media] coda: add i.MX6 VDOA driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/imx-vdoa.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/coda/imx-vdoa.c b/drivers/media/platform/coda/imx-vdoa.c
+index 6996d4571e363..00643f37b3e6f 100644
+--- a/drivers/media/platform/coda/imx-vdoa.c
++++ b/drivers/media/platform/coda/imx-vdoa.c
+@@ -287,7 +287,11 @@ static int vdoa_probe(struct platform_device *pdev)
+       struct resource *res;
+       int ret;
+-      dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
++      ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
++      if (ret) {
++              dev_err(&pdev->dev, "DMA enable failed\n");
++              return ret;
++      }
+       vdoa = devm_kzalloc(&pdev->dev, sizeof(*vdoa), GFP_KERNEL);
+       if (!vdoa)
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-dib8000-fix-a-memleak-in-dib8000_init.patch b/queue-5.16/media-dib8000-fix-a-memleak-in-dib8000_init.patch
new file mode 100644 (file)
index 0000000..f95dd45
--- /dev/null
@@ -0,0 +1,55 @@
+From 9df73cd90e011952f27740b4612a55ba6537960b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 16:38:05 +0100
+Subject: media: dib8000: Fix a memleak in dib8000_init()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit 8dbdcc7269a83305ee9d677b75064d3530a48ee2 ]
+
+In dib8000_init(), the variable fe is not freed or passed out on the
+failure of dib8000_identify(&state->i2c), which could lead to a memleak.
+
+Fix this bug by adding a kfree of fe in the error path.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_DVB_DIB8000=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib8000.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
+index bb02354a48b81..d67f2dd997d06 100644
+--- a/drivers/media/dvb-frontends/dib8000.c
++++ b/drivers/media/dvb-frontends/dib8000.c
+@@ -4473,8 +4473,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad
+       state->timf_default = cfg->pll->timf;
+-      if (dib8000_identify(&state->i2c) == 0)
++      if (dib8000_identify(&state->i2c) == 0) {
++              kfree(fe);
+               goto error;
++      }
+       dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch b/queue-5.16/media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch
new file mode 100644 (file)
index 0000000..dd6931a
--- /dev/null
@@ -0,0 +1,104 @@
+From e24189ace4dc378fba6735aa9006b79c2382a5ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 16:57:41 +0800
+Subject: media: dmxdev: fix UAF when dvb_register_device() fails
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit ab599eb11882f834951c436cc080c3455ba32b9b ]
+
+I got a use-after-free report:
+
+dvbdev: dvb_register_device: failed to create device dvb1.dvr0 (-12)
+...
+==================================================================
+BUG: KASAN: use-after-free in dvb_dmxdev_release+0xce/0x2f0
+...
+Call Trace:
+ dump_stack_lvl+0x6c/0x8b
+ print_address_description.constprop.0+0x48/0x70
+ kasan_report.cold+0x82/0xdb
+ __asan_load4+0x6b/0x90
+ dvb_dmxdev_release+0xce/0x2f0
+...
+Allocated by task 7666:
+ kasan_save_stack+0x23/0x50
+ __kasan_kmalloc+0x83/0xa0
+ kmem_cache_alloc_trace+0x22e/0x470
+ dvb_register_device+0x12f/0x980
+ dvb_dmxdev_init+0x1f3/0x230
+...
+Freed by task 7666:
+ kasan_save_stack+0x23/0x50
+ kasan_set_track+0x20/0x30
+ kasan_set_free_info+0x24/0x40
+ __kasan_slab_free+0xf2/0x130
+ kfree+0xd1/0x5c0
+ dvb_register_device.cold+0x1ac/0x1fa
+ dvb_dmxdev_init+0x1f3/0x230
+...
+
+When dvb_register_device() in dvb_dmxdev_init() fails, dvb_dmxdev_init()
+does not return a failure, and the memory pointed to by dvbdev or
+dvr_dvbdev is invalid at this point. If they are used subsequently, it
+will result in UFA or null-ptr-deref.
+
+If dvb_register_device() in dvb_dmxdev_init() fails, fix the bug by making
+dvb_dmxdev_init() return an error as well.
+
+Link: https://lore.kernel.org/linux-media/20211015085741.1203283-1-wanghai38@huawei.com
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dmxdev.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
+index 5d5a48475a54f..01f288fa37e0e 100644
+--- a/drivers/media/dvb-core/dmxdev.c
++++ b/drivers/media/dvb-core/dmxdev.c
+@@ -1413,7 +1413,7 @@ static const struct dvb_device dvbdev_dvr = {
+ };
+ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
+ {
+-      int i;
++      int i, ret;
+       if (dmxdev->demux->open(dmxdev->demux) < 0)
+               return -EUSERS;
+@@ -1432,14 +1432,26 @@ int dvb_dmxdev_init(struct dmxdev *dmxdev, struct dvb_adapter *dvb_adapter)
+                                           DMXDEV_STATE_FREE);
+       }
+-      dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev,
++      ret = dvb_register_device(dvb_adapter, &dmxdev->dvbdev, &dvbdev_demux, dmxdev,
+                           DVB_DEVICE_DEMUX, dmxdev->filternum);
+-      dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr,
++      if (ret < 0)
++              goto err_register_dvbdev;
++
++      ret = dvb_register_device(dvb_adapter, &dmxdev->dvr_dvbdev, &dvbdev_dvr,
+                           dmxdev, DVB_DEVICE_DVR, dmxdev->filternum);
++      if (ret < 0)
++              goto err_register_dvr_dvbdev;
+       dvb_ringbuffer_init(&dmxdev->dvr_buffer, NULL, 8192);
+       return 0;
++
++err_register_dvr_dvbdev:
++      dvb_unregister_device(dmxdev->dvbdev);
++err_register_dvbdev:
++      vfree(dmxdev->filter);
++      dmxdev->filter = NULL;
++      return ret;
+ }
+ EXPORT_SYMBOL(dvb_dmxdev_init);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-dw2102-fix-use-after-free.patch b/queue-5.16/media-dw2102-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..256871a
--- /dev/null
@@ -0,0 +1,407 @@
+From fa75bd97573d5def99b9327be940dd27ad7da4b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2019 12:41:47 +0200
+Subject: media: dw2102: Fix use after free
+
+From: Anton Vasilyev <vasilyev@ispras.ru>
+
+[ Upstream commit 589a9f0eb799f77de2c09583bf5bad221fa5d685 ]
+
+dvb_usb_device_init stores parts of properties at d->props
+and d->desc and uses it on dvb_usb_device_exit.
+Free of properties on module probe leads to use after free.
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204597
+
+The patch makes properties static instead of allocated on heap to prevent
+memleak and use after free.
+Also fixes s421_properties.devices initialization to have 2 element
+instead of 6 copied from p7500_properties.
+
+[mchehab: fix function call alignments]
+Link: https://lore.kernel.org/linux-media/20190822104147.4420-1-vasilyev@ispras.ru
+Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
+Fixes: 299c7007e936 ("media: dw2102: Fix memleak on sequence of probes")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 338 ++++++++++++++++++-----------
+ 1 file changed, 215 insertions(+), 123 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
+index f0e686b05dc63..ca75ebdc10b37 100644
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -2150,46 +2150,153 @@ static struct dvb_usb_device_properties s6x0_properties = {
+       }
+ };
+-static const struct dvb_usb_device_description d1100 = {
+-      "Prof 1100 USB ",
+-      {&dw2102_table[PROF_1100], NULL},
+-      {NULL},
+-};
++static struct dvb_usb_device_properties p1100_properties = {
++      .caps = DVB_USB_IS_AN_I2C_ADAPTER,
++      .usb_ctrl = DEVICE_SPECIFIC,
++      .size_of_priv = sizeof(struct dw2102_state),
++      .firmware = P1100_FIRMWARE,
++      .no_reconnect = 1,
+-static const struct dvb_usb_device_description d660 = {
+-      "TeVii S660 USB",
+-      {&dw2102_table[TEVII_S660], NULL},
+-      {NULL},
+-};
++      .i2c_algo = &s6x0_i2c_algo,
++      .rc.core = {
++              .rc_interval = 150,
++              .rc_codes = RC_MAP_TBS_NEC,
++              .module_name = "dw2102",
++              .allowed_protos   = RC_PROTO_BIT_NEC,
++              .rc_query = prof_rc_query,
++      },
+-static const struct dvb_usb_device_description d480_1 = {
+-      "TeVii S480.1 USB",
+-      {&dw2102_table[TEVII_S480_1], NULL},
+-      {NULL},
++      .generic_bulk_ctrl_endpoint = 0x81,
++      .num_adapters = 1,
++      .download_firmware = dw2102_load_firmware,
++      .read_mac_address = s6x0_read_mac_address,
++      .adapter = {
++              {
++                      .num_frontends = 1,
++                      .fe = {{
++                              .frontend_attach = stv0288_frontend_attach,
++                              .stream = {
++                                      .type = USB_BULK,
++                                      .count = 8,
++                                      .endpoint = 0x82,
++                                      .u = {
++                                              .bulk = {
++                                                      .buffersize = 4096,
++                                              }
++                                      }
++                              },
++                      } },
++              }
++      },
++      .num_device_descs = 1,
++      .devices = {
++              {"Prof 1100 USB ",
++                      {&dw2102_table[PROF_1100], NULL},
++                      {NULL},
++              },
++      }
+ };
+-static const struct dvb_usb_device_description d480_2 = {
+-      "TeVii S480.2 USB",
+-      {&dw2102_table[TEVII_S480_2], NULL},
+-      {NULL},
+-};
++static struct dvb_usb_device_properties s660_properties = {
++      .caps = DVB_USB_IS_AN_I2C_ADAPTER,
++      .usb_ctrl = DEVICE_SPECIFIC,
++      .size_of_priv = sizeof(struct dw2102_state),
++      .firmware = S660_FIRMWARE,
++      .no_reconnect = 1,
+-static const struct dvb_usb_device_description d7500 = {
+-      "Prof 7500 USB DVB-S2",
+-      {&dw2102_table[PROF_7500], NULL},
+-      {NULL},
+-};
++      .i2c_algo = &s6x0_i2c_algo,
++      .rc.core = {
++              .rc_interval = 150,
++              .rc_codes = RC_MAP_TEVII_NEC,
++              .module_name = "dw2102",
++              .allowed_protos   = RC_PROTO_BIT_NEC,
++              .rc_query = dw2102_rc_query,
++      },
+-static const struct dvb_usb_device_description d421 = {
+-      "TeVii S421 PCI",
+-      {&dw2102_table[TEVII_S421], NULL},
+-      {NULL},
++      .generic_bulk_ctrl_endpoint = 0x81,
++      .num_adapters = 1,
++      .download_firmware = dw2102_load_firmware,
++      .read_mac_address = s6x0_read_mac_address,
++      .adapter = {
++              {
++                      .num_frontends = 1,
++                      .fe = {{
++                              .frontend_attach = ds3000_frontend_attach,
++                              .stream = {
++                                      .type = USB_BULK,
++                                      .count = 8,
++                                      .endpoint = 0x82,
++                                      .u = {
++                                              .bulk = {
++                                                      .buffersize = 4096,
++                                              }
++                                      }
++                              },
++                      } },
++              }
++      },
++      .num_device_descs = 3,
++      .devices = {
++              {"TeVii S660 USB",
++                      {&dw2102_table[TEVII_S660], NULL},
++                      {NULL},
++              },
++              {"TeVii S480.1 USB",
++                      {&dw2102_table[TEVII_S480_1], NULL},
++                      {NULL},
++              },
++              {"TeVii S480.2 USB",
++                      {&dw2102_table[TEVII_S480_2], NULL},
++                      {NULL},
++              },
++      }
+ };
+-static const struct dvb_usb_device_description d632 = {
+-      "TeVii S632 USB",
+-      {&dw2102_table[TEVII_S632], NULL},
+-      {NULL},
++static struct dvb_usb_device_properties p7500_properties = {
++      .caps = DVB_USB_IS_AN_I2C_ADAPTER,
++      .usb_ctrl = DEVICE_SPECIFIC,
++      .size_of_priv = sizeof(struct dw2102_state),
++      .firmware = P7500_FIRMWARE,
++      .no_reconnect = 1,
++
++      .i2c_algo = &s6x0_i2c_algo,
++      .rc.core = {
++              .rc_interval = 150,
++              .rc_codes = RC_MAP_TBS_NEC,
++              .module_name = "dw2102",
++              .allowed_protos   = RC_PROTO_BIT_NEC,
++              .rc_query = prof_rc_query,
++      },
++
++      .generic_bulk_ctrl_endpoint = 0x81,
++      .num_adapters = 1,
++      .download_firmware = dw2102_load_firmware,
++      .read_mac_address = s6x0_read_mac_address,
++      .adapter = {
++              {
++                      .num_frontends = 1,
++                      .fe = {{
++                              .frontend_attach = prof_7500_frontend_attach,
++                              .stream = {
++                                      .type = USB_BULK,
++                                      .count = 8,
++                                      .endpoint = 0x82,
++                                      .u = {
++                                              .bulk = {
++                                                      .buffersize = 4096,
++                                              }
++                                      }
++                              },
++                      } },
++              }
++      },
++      .num_device_descs = 1,
++      .devices = {
++              {"Prof 7500 USB DVB-S2",
++                      {&dw2102_table[PROF_7500], NULL},
++                      {NULL},
++              },
++      }
+ };
+ static struct dvb_usb_device_properties su3000_properties = {
+@@ -2273,6 +2380,59 @@ static struct dvb_usb_device_properties su3000_properties = {
+       }
+ };
++static struct dvb_usb_device_properties s421_properties = {
++      .caps = DVB_USB_IS_AN_I2C_ADAPTER,
++      .usb_ctrl = DEVICE_SPECIFIC,
++      .size_of_priv = sizeof(struct dw2102_state),
++      .power_ctrl = su3000_power_ctrl,
++      .num_adapters = 1,
++      .identify_state = su3000_identify_state,
++      .i2c_algo = &su3000_i2c_algo,
++
++      .rc.core = {
++              .rc_interval = 150,
++              .rc_codes = RC_MAP_SU3000,
++              .module_name = "dw2102",
++              .allowed_protos   = RC_PROTO_BIT_RC5,
++              .rc_query = su3000_rc_query,
++      },
++
++      .read_mac_address = su3000_read_mac_address,
++
++      .generic_bulk_ctrl_endpoint = 0x01,
++
++      .adapter = {
++              {
++              .num_frontends = 1,
++              .fe = {{
++                      .streaming_ctrl   = su3000_streaming_ctrl,
++                      .frontend_attach  = m88rs2000_frontend_attach,
++                      .stream = {
++                              .type = USB_BULK,
++                              .count = 8,
++                              .endpoint = 0x82,
++                              .u = {
++                                      .bulk = {
++                                              .buffersize = 4096,
++                                      }
++                              }
++                      }
++              } },
++              }
++      },
++      .num_device_descs = 2,
++      .devices = {
++              { "TeVii S421 PCI",
++                      { &dw2102_table[TEVII_S421], NULL },
++                      { NULL },
++              },
++              { "TeVii S632 USB",
++                      { &dw2102_table[TEVII_S632], NULL },
++                      { NULL },
++              },
++      }
++};
++
+ static struct dvb_usb_device_properties t220_properties = {
+       .caps = DVB_USB_IS_AN_I2C_ADAPTER,
+       .usb_ctrl = DEVICE_SPECIFIC,
+@@ -2390,101 +2550,33 @@ static struct dvb_usb_device_properties tt_s2_4600_properties = {
+ static int dw2102_probe(struct usb_interface *intf,
+               const struct usb_device_id *id)
+ {
+-      int retval = -ENOMEM;
+-      struct dvb_usb_device_properties *p1100;
+-      struct dvb_usb_device_properties *s660;
+-      struct dvb_usb_device_properties *p7500;
+-      struct dvb_usb_device_properties *s421;
+-
+-      p1100 = kmemdup(&s6x0_properties,
+-                      sizeof(struct dvb_usb_device_properties), GFP_KERNEL);
+-      if (!p1100)
+-              goto err0;
+-
+-      /* copy default structure */
+-      /* fill only different fields */
+-      p1100->firmware = P1100_FIRMWARE;
+-      p1100->devices[0] = d1100;
+-      p1100->rc.core.rc_query = prof_rc_query;
+-      p1100->rc.core.rc_codes = RC_MAP_TBS_NEC;
+-      p1100->adapter->fe[0].frontend_attach = stv0288_frontend_attach;
+-
+-      s660 = kmemdup(&s6x0_properties,
+-                     sizeof(struct dvb_usb_device_properties), GFP_KERNEL);
+-      if (!s660)
+-              goto err1;
+-
+-      s660->firmware = S660_FIRMWARE;
+-      s660->num_device_descs = 3;
+-      s660->devices[0] = d660;
+-      s660->devices[1] = d480_1;
+-      s660->devices[2] = d480_2;
+-      s660->adapter->fe[0].frontend_attach = ds3000_frontend_attach;
+-
+-      p7500 = kmemdup(&s6x0_properties,
+-                      sizeof(struct dvb_usb_device_properties), GFP_KERNEL);
+-      if (!p7500)
+-              goto err2;
+-
+-      p7500->firmware = P7500_FIRMWARE;
+-      p7500->devices[0] = d7500;
+-      p7500->rc.core.rc_query = prof_rc_query;
+-      p7500->rc.core.rc_codes = RC_MAP_TBS_NEC;
+-      p7500->adapter->fe[0].frontend_attach = prof_7500_frontend_attach;
+-
+-
+-      s421 = kmemdup(&su3000_properties,
+-                     sizeof(struct dvb_usb_device_properties), GFP_KERNEL);
+-      if (!s421)
+-              goto err3;
+-
+-      s421->num_device_descs = 2;
+-      s421->devices[0] = d421;
+-      s421->devices[1] = d632;
+-      s421->adapter->fe[0].frontend_attach = m88rs2000_frontend_attach;
+-
+-      if (0 == dvb_usb_device_init(intf, &dw2102_properties,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, &dw2104_properties,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, &dw3101_properties,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, &s6x0_properties,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, p1100,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, s660,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, p7500,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, s421,
+-                      THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, &su3000_properties,
+-                       THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, &t220_properties,
+-                       THIS_MODULE, NULL, adapter_nr) ||
+-          0 == dvb_usb_device_init(intf, &tt_s2_4600_properties,
+-                       THIS_MODULE, NULL, adapter_nr)) {
+-
+-              /* clean up copied properties */
+-              kfree(s421);
+-              kfree(p7500);
+-              kfree(s660);
+-              kfree(p1100);
++      if (!(dvb_usb_device_init(intf, &dw2102_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &dw2104_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &dw3101_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &s6x0_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &p1100_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &s660_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &p7500_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &s421_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &su3000_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &t220_properties,
++                                THIS_MODULE, NULL, adapter_nr) &&
++            dvb_usb_device_init(intf, &tt_s2_4600_properties,
++                                THIS_MODULE, NULL, adapter_nr))) {
+               return 0;
+       }
+-      retval = -ENODEV;
+-      kfree(s421);
+-err3:
+-      kfree(p7500);
+-err2:
+-      kfree(s660);
+-err1:
+-      kfree(p1100);
+-err0:
+-      return retval;
++      return -ENODEV;
+ }
+ static void dw2102_disconnect(struct usb_interface *intf)
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch b/queue-5.16/media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch
new file mode 100644 (file)
index 0000000..ad8c687
--- /dev/null
@@ -0,0 +1,81 @@
+From 07ec075fdd65978b8bac8dd34aaa90efa5651979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 09:55:39 +0000
+Subject: media: em28xx: fix memory leak in em28xx_init_dev
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 22be5a10d0b24eec9e45decd15d7e6112b25f080 ]
+
+In the em28xx_init_rev, if em28xx_audio_setup fails, this function fails
+to deallocate the media_dev allocated in the em28xx_media_device_init.
+
+Fix this by adding em28xx_unregister_media_device to free media_dev.
+
+BTW, this patch is tested in my local syzkaller instance, and it can
+prevent the memory leak from occurring again.
+
+CC: Pavel Skripkin <paskripkin@gmail.com>
+Fixes: 37ecc7b1278f ("[media] em28xx: add media controller support")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c
+index b207f34af5c6f..b451ce3cb169a 100644
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -3630,8 +3630,10 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
+       if (dev->is_audio_only) {
+               retval = em28xx_audio_setup(dev);
+-              if (retval)
+-                      return -ENODEV;
++              if (retval) {
++                      retval = -ENODEV;
++                      goto err_deinit_media;
++              }
+               em28xx_init_extension(dev);
+               return 0;
+@@ -3650,7 +3652,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
+               dev_err(&dev->intf->dev,
+                       "%s: em28xx_i2c_register bus 0 - error [%d]!\n",
+                      __func__, retval);
+-              return retval;
++              goto err_deinit_media;
+       }
+       /* register i2c bus 1 */
+@@ -3666,9 +3668,7 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
+                               "%s: em28xx_i2c_register bus 1 - error [%d]!\n",
+                               __func__, retval);
+-                      em28xx_i2c_unregister(dev, 0);
+-
+-                      return retval;
++                      goto err_unreg_i2c;
+               }
+       }
+@@ -3676,6 +3676,12 @@ static int em28xx_init_dev(struct em28xx *dev, struct usb_device *udev,
+       em28xx_card_setup(dev);
+       return 0;
++
++err_unreg_i2c:
++      em28xx_i2c_unregister(dev, 0);
++err_deinit_media:
++      em28xx_unregister_media_device(dev);
++      return retval;
+ }
+ static int em28xx_duplicate_dev(struct em28xx *dev)
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-hantro-fix-probe-func-error-path.patch b/queue-5.16/media-hantro-fix-probe-func-error-path.patch
new file mode 100644 (file)
index 0000000..647ac5e
--- /dev/null
@@ -0,0 +1,51 @@
+From 5eddd8dd7e7b86598b1a37dc6fd5990eed968c95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 19:26:25 +0100
+Subject: media: hantro: Fix probe func error path
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 37af43b250fda6162005d47bf7c959c70d52b107 ]
+
+If clocks for some reason couldn't be enabled, probe function returns
+immediately, without disabling PM. This obviously leaves PM ref counters
+unbalanced.
+
+Fix that by jumping to appropriate error path, so effects of PM functions
+are reversed.
+
+Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Acked-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/hantro/hantro_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/hantro/hantro_drv.c b/drivers/staging/media/hantro/hantro_drv.c
+index fb82b9297a2ba..0d56db8376e6a 100644
+--- a/drivers/staging/media/hantro/hantro_drv.c
++++ b/drivers/staging/media/hantro/hantro_drv.c
+@@ -960,7 +960,7 @@ static int hantro_probe(struct platform_device *pdev)
+       ret = clk_bulk_prepare(vpu->variant->num_clocks, vpu->clocks);
+       if (ret) {
+               dev_err(&pdev->dev, "Failed to prepare clocks\n");
+-              return ret;
++              goto err_pm_disable;
+       }
+       ret = v4l2_device_register(&pdev->dev, &vpu->v4l2_dev);
+@@ -1016,6 +1016,7 @@ err_v4l2_unreg:
+       v4l2_device_unregister(&vpu->v4l2_dev);
+ err_clk_unprepare:
+       clk_bulk_unprepare(vpu->variant->num_clocks, vpu->clocks);
++err_pm_disable:
+       pm_runtime_dont_use_autosuspend(vpu->dev);
+       pm_runtime_disable(vpu->dev);
+       return ret;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-hantro-hook-up-rk3399-jpeg-encoder-output.patch b/queue-5.16/media-hantro-hook-up-rk3399-jpeg-encoder-output.patch
new file mode 100644 (file)
index 0000000..0e6aa08
--- /dev/null
@@ -0,0 +1,125 @@
+From 9a82c36c216a776e6ed60724539e5bb5bd7fa3fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 08:46:54 +0100
+Subject: media: hantro: Hook up RK3399 JPEG encoder output
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 230d683ae04894933720425c8dead9508a09ebc3 ]
+
+The JPEG encoder found in the Hantro H1 encoder block only produces a
+raw entropy-encoded scan. The driver is responsible for building a JPEG
+compliant bitstream and placing the entropy-encoded scan in it. Right
+now the driver uses a bounce buffer for the hardware to output the raw
+scan to.
+
+In commit e765dba11ec2 ("hantro: Move hantro_enc_buf_finish to JPEG
+codec_ops.done"), the code that copies the raw scan from the bounce
+buffer to the capture buffer was moved, but was only hooked up for the
+Hantro H1 (then RK3288) variant. The RK3399 variant was broken,
+producing a JPEG bitstream without the scan, and the capture buffer's
+.bytesused field unset.
+
+Fix this by duplicating the code that is executed when the JPEG encoder
+finishes encoding a frame. As the encoded length is read back from
+hardware, and the variants having different register layouts, the
+code is duplicated rather than shared.
+
+Fixes: e765dba11ec2 ("hantro: Move hantro_enc_buf_finish to JPEG codec_ops.done")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Tested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../staging/media/hantro/hantro_h1_jpeg_enc.c   |  2 +-
+ drivers/staging/media/hantro/hantro_hw.h        |  3 ++-
+ .../media/hantro/rockchip_vpu2_hw_jpeg_enc.c    | 17 +++++++++++++++++
+ drivers/staging/media/hantro/rockchip_vpu_hw.c  |  5 +++--
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/media/hantro/hantro_h1_jpeg_enc.c b/drivers/staging/media/hantro/hantro_h1_jpeg_enc.c
+index 56cf261a8e958..9cd713c02a455 100644
+--- a/drivers/staging/media/hantro/hantro_h1_jpeg_enc.c
++++ b/drivers/staging/media/hantro/hantro_h1_jpeg_enc.c
+@@ -140,7 +140,7 @@ int hantro_h1_jpeg_enc_run(struct hantro_ctx *ctx)
+       return 0;
+ }
+-void hantro_jpeg_enc_done(struct hantro_ctx *ctx)
++void hantro_h1_jpeg_enc_done(struct hantro_ctx *ctx)
+ {
+       struct hantro_dev *vpu = ctx->dev;
+       u32 bytesused = vepu_read(vpu, H1_REG_STR_BUF_LIMIT) / 8;
+diff --git a/drivers/staging/media/hantro/hantro_hw.h b/drivers/staging/media/hantro/hantro_hw.h
+index 267a6d33a47b5..60d4602d33ed5 100644
+--- a/drivers/staging/media/hantro/hantro_hw.h
++++ b/drivers/staging/media/hantro/hantro_hw.h
+@@ -239,7 +239,8 @@ int hantro_h1_jpeg_enc_run(struct hantro_ctx *ctx);
+ int rockchip_vpu2_jpeg_enc_run(struct hantro_ctx *ctx);
+ int hantro_jpeg_enc_init(struct hantro_ctx *ctx);
+ void hantro_jpeg_enc_exit(struct hantro_ctx *ctx);
+-void hantro_jpeg_enc_done(struct hantro_ctx *ctx);
++void hantro_h1_jpeg_enc_done(struct hantro_ctx *ctx);
++void rockchip_vpu2_jpeg_enc_done(struct hantro_ctx *ctx);
+ dma_addr_t hantro_h264_get_ref_buf(struct hantro_ctx *ctx,
+                                  unsigned int dpb_idx);
+diff --git a/drivers/staging/media/hantro/rockchip_vpu2_hw_jpeg_enc.c b/drivers/staging/media/hantro/rockchip_vpu2_hw_jpeg_enc.c
+index 991213ce16108..5d9ff420f0b5f 100644
+--- a/drivers/staging/media/hantro/rockchip_vpu2_hw_jpeg_enc.c
++++ b/drivers/staging/media/hantro/rockchip_vpu2_hw_jpeg_enc.c
+@@ -171,3 +171,20 @@ int rockchip_vpu2_jpeg_enc_run(struct hantro_ctx *ctx)
+       return 0;
+ }
++
++void rockchip_vpu2_jpeg_enc_done(struct hantro_ctx *ctx)
++{
++      struct hantro_dev *vpu = ctx->dev;
++      u32 bytesused = vepu_read(vpu, VEPU_REG_STR_BUF_LIMIT) / 8;
++      struct vb2_v4l2_buffer *dst_buf = hantro_get_dst_buf(ctx);
++
++      /*
++       * TODO: Rework the JPEG encoder to eliminate the need
++       * for a bounce buffer.
++       */
++      memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0) +
++             ctx->vpu_dst_fmt->header_size,
++             ctx->jpeg_enc.bounce_buffer.cpu, bytesused);
++      vb2_set_plane_payload(&dst_buf->vb2_buf, 0,
++                            ctx->vpu_dst_fmt->header_size + bytesused);
++}
+diff --git a/drivers/staging/media/hantro/rockchip_vpu_hw.c b/drivers/staging/media/hantro/rockchip_vpu_hw.c
+index d4f52957cc534..0c22039162a00 100644
+--- a/drivers/staging/media/hantro/rockchip_vpu_hw.c
++++ b/drivers/staging/media/hantro/rockchip_vpu_hw.c
+@@ -343,7 +343,7 @@ static const struct hantro_codec_ops rk3066_vpu_codec_ops[] = {
+               .run = hantro_h1_jpeg_enc_run,
+               .reset = rockchip_vpu1_enc_reset,
+               .init = hantro_jpeg_enc_init,
+-              .done = hantro_jpeg_enc_done,
++              .done = hantro_h1_jpeg_enc_done,
+               .exit = hantro_jpeg_enc_exit,
+       },
+       [HANTRO_MODE_H264_DEC] = {
+@@ -371,7 +371,7 @@ static const struct hantro_codec_ops rk3288_vpu_codec_ops[] = {
+               .run = hantro_h1_jpeg_enc_run,
+               .reset = rockchip_vpu1_enc_reset,
+               .init = hantro_jpeg_enc_init,
+-              .done = hantro_jpeg_enc_done,
++              .done = hantro_h1_jpeg_enc_done,
+               .exit = hantro_jpeg_enc_exit,
+       },
+       [HANTRO_MODE_H264_DEC] = {
+@@ -399,6 +399,7 @@ static const struct hantro_codec_ops rk3399_vpu_codec_ops[] = {
+               .run = rockchip_vpu2_jpeg_enc_run,
+               .reset = rockchip_vpu2_enc_reset,
+               .init = hantro_jpeg_enc_init,
++              .done = rockchip_vpu2_jpeg_enc_done,
+               .exit = hantro_jpeg_enc_exit,
+       },
+       [HANTRO_MODE_H264_DEC] = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-i2c-imx274-fix-s_frame_interval-runtime-resume.patch b/queue-5.16/media-i2c-imx274-fix-s_frame_interval-runtime-resume.patch
new file mode 100644 (file)
index 0000000..c91fe1f
--- /dev/null
@@ -0,0 +1,77 @@
+From 3c47934d23e9a6241684ce5cee10bec358aae86c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 16:40:09 +0100
+Subject: media: i2c: imx274: fix s_frame_interval runtime resume not requested
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+[ Upstream commit da653498c20ba5b185214d8ae43b4e8e9594f520 ]
+
+pm_runtime_resume_and_get should be called when the s_frame_interval
+is called.
+
+The driver will try to access device registers to configure VMAX, coarse
+time and exposure.
+
+Currently if the runtime is not resumed, this fails:
+ # media-ctl -d /dev/media0 --set-v4l2 '"IMX274 1-001a":0[fmt:SRGGB10_1X10/3840x2
+160@1/10]'
+
+IMX274 1-001a: imx274_binning_goodness: ask 3840x2160, size 3840x2160, goodness 0
+IMX274 1-001a: imx274_binning_goodness: ask 3840x2160, size 1920x1080, goodness -3000
+IMX274 1-001a: imx274_binning_goodness: ask 3840x2160, size 1280x720, goodness -4000
+IMX274 1-001a: imx274_binning_goodness: ask 3840x2160, size 1280x540, goodness -4180
+IMX274 1-001a: __imx274_change_compose: selected 1x1 binning
+IMX274 1-001a: imx274_set_frame_interval: input frame interval = 1 / 10
+IMX274 1-001a: imx274_read_mbreg : addr 0x300e, val=0x1 (2 bytes)
+IMX274 1-001a: imx274_set_frame_interval : register SVR = 1
+IMX274 1-001a: imx274_read_mbreg : addr 0x30f6, val=0x6a8 (2 bytes)
+IMX274 1-001a: imx274_set_frame_interval : register HMAX = 1704
+IMX274 1-001a: imx274_set_frame_length : input length = 2112
+IMX274 1-001a: imx274_write_mbreg : i2c bulk write failed, 30f8 = 884 (3 bytes)
+IMX274 1-001a: imx274_set_frame_length error = -121
+IMX274 1-001a: imx274_set_frame_interval error = -121
+Unable to setup formats: Remote I/O error (121)
+
+The device is not resumed thus the remote I/O error.
+
+Setting the frame interval works at streaming time, because
+pm_runtime_resume_and_get is called at s_stream time before sensor setup.
+The failure happens when only the s_frame_interval is called separately
+independently on streaming time.
+
+Fixes: ad97bc37426c ("media: i2c: imx274: Add IMX274 power on and off sequence")
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/imx274.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
+index 0dce92872176d..4d9b64c61f603 100644
+--- a/drivers/media/i2c/imx274.c
++++ b/drivers/media/i2c/imx274.c
+@@ -1367,6 +1367,10 @@ static int imx274_s_frame_interval(struct v4l2_subdev *sd,
+       int min, max, def;
+       int ret;
++      ret = pm_runtime_resume_and_get(&imx274->client->dev);
++      if (ret < 0)
++              return ret;
++
+       mutex_lock(&imx274->lock);
+       ret = imx274_set_frame_interval(imx274, fi->interval);
+@@ -1398,6 +1402,7 @@ static int imx274_s_frame_interval(struct v4l2_subdev *sd,
+ unlock:
+       mutex_unlock(&imx274->lock);
++      pm_runtime_put(&imx274->client->dev);
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-i2c-ov8865-fix-lockdep-error.patch b/queue-5.16/media-i2c-ov8865-fix-lockdep-error.patch
new file mode 100644 (file)
index 0000000..a41357a
--- /dev/null
@@ -0,0 +1,52 @@
+From 06681eb107ad184b17fdaff1910f2484e10c1fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 01:00:02 +0100
+Subject: media: i2c: ov8865: Fix lockdep error
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 6e1c9bc9ae96e57bcd8807174f2c0f44f9ef7938 ]
+
+ov8865_state_init() calls ov8865_state_mipi_configure() which uses
+__v4l2_ctrl_s_ctrl[_int64](). This means that sensor->mutex (which
+is also sensor->ctrls.handler.lock) must be locked before calling
+ov8865_state_init().
+
+Note ov8865_state_mipi_configure() is also used in other places where
+the lock is already held so it cannot be changed itself.
+
+This fixes the following lockdep kernel WARN:
+
+[   13.233421] WARNING: CPU: 0 PID: 8 at drivers/media/v4l2-core/v4l2-ctrls-api.c:833 __v4l2_ctrl_s_ctrl+0x4d/0x60 [videodev]
+...
+[   13.234063] Call Trace:
+[   13.234074]  ov8865_state_configure+0x98b/0xc00 [ov8865]
+[   13.234095]  ov8865_probe+0x4b1/0x54c [ov8865]
+[   13.234117]  i2c_device_probe+0x13c/0x2d0
+
+Fixes: 11c0d8fdccc5 ("media: i2c: Add support for the OV8865 image sensor")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov8865.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/i2c/ov8865.c b/drivers/media/i2c/ov8865.c
+index 490832cdb8314..fe064e716ea88 100644
+--- a/drivers/media/i2c/ov8865.c
++++ b/drivers/media/i2c/ov8865.c
+@@ -2891,7 +2891,9 @@ static int ov8865_probe(struct i2c_client *client)
+       if (ret)
+               goto error_mutex;
++      mutex_lock(&sensor->mutex);
+       ret = ov8865_state_init(sensor);
++      mutex_unlock(&sensor->mutex);
+       if (ret)
+               goto error_ctrls;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-i2c-re-order-runtime-pm-initialisation.patch b/queue-5.16/media-i2c-re-order-runtime-pm-initialisation.patch
new file mode 100644 (file)
index 0000000..a54ed46
--- /dev/null
@@ -0,0 +1,43 @@
+From c92beb57f4ac9fd362a3524c4f19e5bf949efd5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 01:00:01 +0100
+Subject: media: i2c: Re-order runtime pm initialisation
+
+From: Daniel Scally <djrscally@gmail.com>
+
+[ Upstream commit d2484fbf780762f6f9cc3abb7a07ee42dca2eaa3 ]
+
+The kerneldoc for pm_runtime_set_suspended() says:
+
+"It is not valid to call this function for devices with runtime PM
+enabled"
+
+To satisfy that requirement, re-order the calls so that
+pm_runtime_enable() is the last one.
+
+Fixes: 11c0d8fdccc5 ("media: i2c: Add support for the OV8865 image sensor")
+Signed-off-by: Daniel Scally <djrscally@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov8865.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/ov8865.c b/drivers/media/i2c/ov8865.c
+index ce50f3ea87b8e..490832cdb8314 100644
+--- a/drivers/media/i2c/ov8865.c
++++ b/drivers/media/i2c/ov8865.c
+@@ -2897,8 +2897,8 @@ static int ov8865_probe(struct i2c_client *client)
+       /* Runtime PM */
+-      pm_runtime_enable(sensor->dev);
+       pm_runtime_set_suspended(sensor->dev);
++      pm_runtime_enable(sensor->dev);
+       /* V4L2 subdev register */
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-igorplugusb-receiver-overflow-should-be-report.patch b/queue-5.16/media-igorplugusb-receiver-overflow-should-be-report.patch
new file mode 100644 (file)
index 0000000..6c63642
--- /dev/null
@@ -0,0 +1,39 @@
+From d78029ba3d99e26ad55edae5b00a189cde4398d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 23:58:19 +0100
+Subject: media: igorplugusb: receiver overflow should be reported
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 8fede658e7ddb605bbd68ed38067ddb0af033db4 ]
+
+Without this, some IR will be missing mid-stream and we might decode
+something which never really occurred.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/igorplugusb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
+index effaa5751d6c9..3e9988ee785f0 100644
+--- a/drivers/media/rc/igorplugusb.c
++++ b/drivers/media/rc/igorplugusb.c
+@@ -64,9 +64,11 @@ static void igorplugusb_irdata(struct igorplugusb *ir, unsigned len)
+       if (start >= len) {
+               dev_err(ir->dev, "receive overflow invalid: %u", overflow);
+       } else {
+-              if (overflow > 0)
++              if (overflow > 0) {
+                       dev_warn(ir->dev, "receive overflow, at least %u lost",
+                                                               overflow);
++                      ir_raw_event_reset(ir->rc);
++              }
+               do {
+                       rawir.duration = ir->buf_in[i] * 85;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch b/queue-5.16/media-imx-pxp-initialize-the-spinlock-prior-to-using.patch
new file mode 100644 (file)
index 0000000..699e9f4
--- /dev/null
@@ -0,0 +1,51 @@
+From 44058e4444375e26ad3e7c7788a57926cc255b2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Oct 2021 15:10:14 +0200
+Subject: media: imx-pxp: Initialize the spinlock prior to using it
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit ed2f97ad4b21072f849cf4ae6645d1f2b1d3f550 ]
+
+After devm_request_threaded_irq() is called there is a chance that an
+interrupt may occur before the spinlock is initialized, which will trigger
+a kernel oops.
+
+To prevent that, move the initialization of the spinlock prior to
+requesting the interrupts.
+
+Fixes: 51abcf7fdb70 ("media: imx-pxp: add i.MX Pixel Pipeline driver")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/imx-pxp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/imx-pxp.c b/drivers/media/platform/imx-pxp.c
+index 723b096fedd10..b7174778db539 100644
+--- a/drivers/media/platform/imx-pxp.c
++++ b/drivers/media/platform/imx-pxp.c
+@@ -1659,6 +1659,8 @@ static int pxp_probe(struct platform_device *pdev)
+       if (irq < 0)
+               return irq;
++      spin_lock_init(&dev->irqlock);
++
+       ret = devm_request_threaded_irq(&pdev->dev, irq, NULL, pxp_irq_handler,
+                       IRQF_ONESHOT, dev_name(&pdev->dev), dev);
+       if (ret < 0) {
+@@ -1676,8 +1678,6 @@ static int pxp_probe(struct platform_device *pdev)
+               goto err_clk;
+       }
+-      spin_lock_init(&dev->irqlock);
+-
+       ret = v4l2_device_register(&pdev->dev, &dev->v4l2_dev);
+       if (ret)
+               goto err_clk;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-ipu3-cio2-fix-error-code-in-cio2_bridge_connec.patch b/queue-5.16/media-ipu3-cio2-fix-error-code-in-cio2_bridge_connec.patch
new file mode 100644 (file)
index 0000000..f4b1772
--- /dev/null
@@ -0,0 +1,42 @@
+From f76ae2c51894f7a36a4ea51bfddff56a86cf9df3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 08:53:19 +0100
+Subject: media: ipu3-cio2: fix error code in cio2_bridge_connect_sensor()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 85db29d22cc521d9d06de2f5c7832981a55df157 ]
+
+Return -ENODEV if acpi_get_physical_device_location() fails.  Don't
+return success.
+
+Fixes: 485aa3df0dff ("media: ipu3-cio2: Parse sensor orientation and rotation")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Daniel Scally <djrscally@gmail.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/intel/ipu3/cio2-bridge.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/intel/ipu3/cio2-bridge.c b/drivers/media/pci/intel/ipu3/cio2-bridge.c
+index 67c467d3c81f9..0b586b4e537ef 100644
+--- a/drivers/media/pci/intel/ipu3/cio2-bridge.c
++++ b/drivers/media/pci/intel/ipu3/cio2-bridge.c
+@@ -238,8 +238,10 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg,
+                       goto err_put_adev;
+               status = acpi_get_physical_device_location(adev->handle, &sensor->pld);
+-              if (ACPI_FAILURE(status))
++              if (ACPI_FAILURE(status)) {
++                      ret = -ENODEV;
+                       goto err_put_adev;
++              }
+               if (sensor->ssdb.lanes > CIO2_MAX_LANES) {
+                       dev_err(&adev->dev,
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-m920x-don-t-use-stack-on-usb-reads.patch b/queue-5.16/media-m920x-don-t-use-stack-on-usb-reads.patch
new file mode 100644 (file)
index 0000000..3490907
--- /dev/null
@@ -0,0 +1,59 @@
+From ab73d04ced0eba7fef11e01e7acf4925a718d213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 15:34:19 +0100
+Subject: media: m920x: don't use stack on USB reads
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit a2ab06d7c4d6bfd0b545a768247a70463e977e27 ]
+
+Using stack-allocated pointers for USB message data don't work.
+This driver is almost OK with that, except for the I2C read
+logic.
+
+Fix it by using a temporary read buffer, just like on all other
+calls to m920x_read().
+
+Link: https://lore.kernel.org/all/ccc99e48-de4f-045e-0fe4-61e3118e3f74@mida.se/
+Reported-by: rkardell@mida.se
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/m920x.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c
+index 4bb5b82599a79..691e05833db19 100644
+--- a/drivers/media/usb/dvb-usb/m920x.c
++++ b/drivers/media/usb/dvb-usb/m920x.c
+@@ -274,6 +274,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
+                       /* Should check for ack here, if we knew how. */
+               }
+               if (msg[i].flags & I2C_M_RD) {
++                      char *read = kmalloc(1, GFP_KERNEL);
++                      if (!read) {
++                              ret = -ENOMEM;
++                              kfree(read);
++                              goto unlock;
++                      }
++
+                       for (j = 0; j < msg[i].len; j++) {
+                               /* Last byte of transaction?
+                                * Send STOP, otherwise send ACK. */
+@@ -281,9 +288,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
+                               if ((ret = m920x_read(d->udev, M9206_I2C, 0x0,
+                                                     0x20 | stop,
+-                                                    &msg[i].buf[j], 1)) != 0)
++                                                    read, 1)) != 0)
+                                       goto unlock;
++                              msg[i].buf[j] = read[0];
+                       }
++
++                      kfree(read);
+               } else {
+                       for (j = 0; j < msg[i].len; j++) {
+                               /* Last byte of transaction? Then send STOP. */
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch b/queue-5.16/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch
new file mode 100644 (file)
index 0000000..4512906
--- /dev/null
@@ -0,0 +1,58 @@
+From b0728a704796ce5e709533c2a5cae913067dca16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 13:23:48 +0200
+Subject: media: msi001: fix possible null-ptr-deref in msi001_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 3d5831a40d3464eea158180eb12cbd81c5edfb6a ]
+
+I got a null-ptr-deref report:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000060
+...
+RIP: 0010:v4l2_ctrl_auto_cluster+0x57/0x270
+...
+Call Trace:
+ msi001_probe+0x13b/0x24b [msi001]
+ spi_probe+0xeb/0x130
+...
+ do_syscall_64+0x35/0xb0
+
+In msi001_probe(), if the creation of control for bandwidth_auto
+fails, there will be a null-ptr-deref issue when it is used in
+v4l2_ctrl_auto_cluster().
+
+Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug.
+
+Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com
+Fixes: 93203dd6c7c4 ("[media] msi001: Mirics MSi001 silicon tuner driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/msi001.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c
+index 78e6fd600d8ef..44247049a3190 100644
+--- a/drivers/media/tuners/msi001.c
++++ b/drivers/media/tuners/msi001.c
+@@ -442,6 +442,13 @@ static int msi001_probe(struct spi_device *spi)
+                       V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
+       dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
+                       V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
++      if (dev->hdl.error) {
++              ret = dev->hdl.error;
++              dev_err(&spi->dev, "Could not initialize controls\n");
++              /* control init failed, free handler */
++              goto err_ctrl_handler_free;
++      }
++
+       v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
+       dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
+                       V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch b/queue-5.16/media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch
new file mode 100644 (file)
index 0000000..7f87e1b
--- /dev/null
@@ -0,0 +1,86 @@
+From f6f73e9711881b41a39140bc9964a712050ca14e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 14:06:30 +0100
+Subject: media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is
+ released
+
+From: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+
+[ Upstream commit 9f89c881bffbdffe4060ffaef3489a2830a6dd9c ]
+
+The func v4l2_m2m_ctx_release waits for currently running jobs
+to finish and then stop streaming both queues and frees the buffers.
+All this should be done before the call to mtk_vcodec_enc_release
+which frees the encoder handler. This fixes null-pointer dereference bug:
+
+[  638.028076] Mem abort info:
+[  638.030932]   ESR = 0x96000004
+[  638.033978]   EC = 0x25: DABT (current EL), IL = 32 bits
+[  638.039293]   SET = 0, FnV = 0
+[  638.042338]   EA = 0, S1PTW = 0
+[  638.045474]   FSC = 0x04: level 0 translation fault
+[  638.050349] Data abort info:
+[  638.053224]   ISV = 0, ISS = 0x00000004
+[  638.057055]   CM = 0, WnR = 0
+[  638.060018] user pgtable: 4k pages, 48-bit VAs, pgdp=000000012b6db000
+[  638.066485] [00000000000001a0] pgd=0000000000000000, p4d=0000000000000000
+[  638.073277] Internal error: Oops: 96000004 [#1] SMP
+[  638.078145] Modules linked in: rfkill mtk_vcodec_dec mtk_vcodec_enc uvcvideo mtk_mdp mtk_vcodec_common videobuf2_dma_contig v4l2_h264 cdc_ether v4l2_mem2mem videobuf2_vmalloc usbnet videobuf2_memops videobuf2_v4l2 r8152 videobuf2_common videodev cros_ec_sensors cros_ec_sensors_core industrialio_triggered_buffer kfifo_buf elan_i2c elants_i2c sbs_battery mc cros_usbpd_charger cros_ec_chardev cros_usbpd_logger crct10dif_ce mtk_vpu fuse ip_tables x_tables ipv6
+[  638.118583] CPU: 0 PID: 212 Comm: kworker/u8:5 Not tainted 5.15.0-06427-g58a1d4dcfc74-dirty #109
+[  638.127357] Hardware name: Google Elm (DT)
+[  638.131444] Workqueue: mtk-vcodec-enc mtk_venc_worker [mtk_vcodec_enc]
+[  638.137974] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[  638.144925] pc : vp8_enc_encode+0x34/0x2b0 [mtk_vcodec_enc]
+[  638.150493] lr : venc_if_encode+0xac/0x1b0 [mtk_vcodec_enc]
+[  638.156060] sp : ffff8000124d3c40
+[  638.159364] x29: ffff8000124d3c40 x28: 0000000000000000 x27: 0000000000000000
+[  638.166493] x26: 0000000000000000 x25: ffff0000e7f252d0 x24: ffff8000124d3d58
+[  638.173621] x23: ffff8000124d3d58 x22: ffff8000124d3d60 x21: 0000000000000001
+[  638.180750] x20: ffff80001137e000 x19: 0000000000000000 x18: 0000000000000001
+[  638.187878] x17: 000000040044ffff x16: 00400032b5503510 x15: 0000000000000000
+[  638.195006] x14: ffff8000118536c0 x13: ffff8000ee1da000 x12: 0000000030d4d91d
+[  638.202134] x11: 0000000000000000 x10: 0000000000000980 x9 : ffff8000124d3b20
+[  638.209262] x8 : ffff0000c18d4ea0 x7 : ffff0000c18d44c0 x6 : ffff0000c18d44c0
+[  638.216391] x5 : ffff80000904a3b0 x4 : ffff8000124d3d58 x3 : ffff8000124d3d60
+[  638.223519] x2 : ffff8000124d3d78 x1 : 0000000000000001 x0 : ffff80001137efb8
+[  638.230648] Call trace:
+[  638.233084]  vp8_enc_encode+0x34/0x2b0 [mtk_vcodec_enc]
+[  638.238304]  venc_if_encode+0xac/0x1b0 [mtk_vcodec_enc]
+[  638.243525]  mtk_venc_worker+0x110/0x250 [mtk_vcodec_enc]
+[  638.248918]  process_one_work+0x1f8/0x498
+[  638.252923]  worker_thread+0x140/0x538
+[  638.256664]  kthread+0x148/0x158
+[  638.259884]  ret_from_fork+0x10/0x20
+[  638.263455] Code: f90023f9 2a0103f5 aa0303f6 aa0403f8 (f940d277)
+[  638.269538] ---[ end trace e374fc10f8e181f5 ]---
+
+[gst-master] root@debian:~/gst-build# [  638.019193] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001a0
+Fixes: 4e855a6efa547 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver")
+Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c
+index eed67394cf463..f898226fc53e5 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c
+@@ -214,11 +214,11 @@ static int fops_vcodec_release(struct file *file)
+       mtk_v4l2_debug(1, "[%d] encoder", ctx->id);
+       mutex_lock(&dev->dev_mutex);
++      v4l2_m2m_ctx_release(ctx->m2m_ctx);
+       mtk_vcodec_enc_release(ctx);
+       v4l2_fh_del(&ctx->fh);
+       v4l2_fh_exit(&ctx->fh);
+       v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
+-      v4l2_m2m_ctx_release(ctx->m2m_ctx);
+       list_del_init(&ctx->list);
+       kfree(ctx);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-mtk-vcodec-fix-an-error-handling-path-in-mtk_v.patch b/queue-5.16/media-mtk-vcodec-fix-an-error-handling-path-in-mtk_v.patch
new file mode 100644 (file)
index 0000000..4265dfc
--- /dev/null
@@ -0,0 +1,40 @@
+From 82c2ba9f7ee77339983bb80e0e0df6d6365f3e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Nov 2021 14:17:51 +0100
+Subject: media: mtk-vcodec: Fix an error handling path in 'mtk_vcodec_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 615c6f28b9ad7efc9bfbef2cafc6a0c5bc0c21e0 ]
+
+In case of error the 'media_device_init()' call is not balanced by a
+corresponding 'media_device_cleanup()' call.
+
+Add it, when needed, as already done in the remove function.
+
+Fixes: 118add98f80e ("media: mtk-vcodec: vdec: add media device if using stateless api")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Tzung-Bi Shih <tzungbi@google.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
+index e6e6a8203eebf..8277c44209b5b 100644
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
+@@ -358,6 +358,8 @@ err_media_reg:
+       if (dev->vdec_pdata->uses_stateless_api)
+               v4l2_m2m_unregister_media_controller(dev->m2m_dev_dec);
+ err_reg_cont:
++      if (dev->vdec_pdata->uses_stateless_api)
++              media_device_cleanup(&dev->mdev_dec);
+       destroy_workqueue(dev->decode_workqueue);
+ err_event_workq:
+       v4l2_m2m_release(dev->m2m_dev_dec);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch b/queue-5.16/media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch
new file mode 100644 (file)
index 0000000..30cf310
--- /dev/null
@@ -0,0 +1,83 @@
+From 14ba9a7fbba29741a10613edf436b51661a565d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 17:07:54 +0200
+Subject: media: rcar-csi2: Correct the selection of hsfreqrange
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Suresh Udipi <sudipi@jp.adit-jv.com>
+
+[ Upstream commit cee44d4fbacbbdfe62697ec94e76c6e4f726c5df ]
+
+hsfreqrange should be chosen based on the calculated mbps which
+is closer to the default bit rate  and within the range as per
+table[1]. But current calculation always selects first value which
+is greater than or equal to the calculated mbps which may lead
+to chosing a wrong range in some cases.
+
+For example for 360 mbps for H3/M3N
+Existing logic selects
+Calculated value 360Mbps : Default 400Mbps Range [368.125 -433.125 mbps]
+
+This hsfreqrange is out of range.
+
+The logic is changed to get the default value which is closest to the
+calculated value [1]
+
+Calculated value 360Mbps : Default 350Mbps  Range [320.625 -380.625 mpbs]
+
+[1] specs r19uh0105ej0200-r-car-3rd-generation.pdf [Table 25.9]
+
+Please note that According to Renesas in Table 25.9 the range for
+220 default value is corrected as below
+
+ |Range (Mbps)     |  Default  Bit rate (Mbps) |
+ -----------------------------------------------
+ | 197.125-244.125 |     220                   |
+ -----------------------------------------------
+
+Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver")
+Signed-off-by: Suresh Udipi <sudipi@jp.adit-jv.com>
+Signed-off-by: Kazuyoshi Akiyama <akiyama@nds-osk.co.jp>
+Signed-off-by: Michael Rodin <mrodin@de.adit-jv.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-vin/rcar-csi2.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
+index 11848d0c4a55c..436b7be969202 100644
+--- a/drivers/media/platform/rcar-vin/rcar-csi2.c
++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
+@@ -542,16 +542,23 @@ static int rcsi2_wait_phy_start(struct rcar_csi2 *priv,
+ static int rcsi2_set_phypll(struct rcar_csi2 *priv, unsigned int mbps)
+ {
+       const struct rcsi2_mbps_reg *hsfreq;
++      const struct rcsi2_mbps_reg *hsfreq_prev = NULL;
+-      for (hsfreq = priv->info->hsfreqrange; hsfreq->mbps != 0; hsfreq++)
++      for (hsfreq = priv->info->hsfreqrange; hsfreq->mbps != 0; hsfreq++) {
+               if (hsfreq->mbps >= mbps)
+                       break;
++              hsfreq_prev = hsfreq;
++      }
+       if (!hsfreq->mbps) {
+               dev_err(priv->dev, "Unsupported PHY speed (%u Mbps)", mbps);
+               return -ERANGE;
+       }
++      if (hsfreq_prev &&
++          ((mbps - hsfreq_prev->mbps) <= (hsfreq->mbps - mbps)))
++              hsfreq = hsfreq_prev;
++
+       rcsi2_write(priv, PHYPLL_REG, PHYPLL_HSFREQRANGE(hsfreq->reg));
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-rcar-vin-update-format-alignment-constraints.patch b/queue-5.16/media-rcar-vin-update-format-alignment-constraints.patch
new file mode 100644 (file)
index 0000000..f812ceb
--- /dev/null
@@ -0,0 +1,69 @@
+From 4f3b2febb3224029fa25f4289cda9477acf389d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 00:02:57 +0100
+Subject: media: rcar-vin: Update format alignment constraints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit da6911f330d40cfe115a37249e47643eff555e82 ]
+
+This change fixes two issues with the size constraints for buffers.
+
+- There is no width alignment constraint for RGB formats. Prior to this
+  change they were treated as YUV and as a result were more restricted
+  than needed. Add a new check to differentiate between the two.
+
+- The minimum width and height supported is 5x2, not 2x4, this is an
+  artifact from the driver's soc-camera days. Fix this incorrect
+  assumption.
+
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-vin/rcar-v4l2.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/rcar-vin/rcar-v4l2.c b/drivers/media/platform/rcar-vin/rcar-v4l2.c
+index a5bfa76fdac6e..2e60b9fce03b0 100644
+--- a/drivers/media/platform/rcar-vin/rcar-v4l2.c
++++ b/drivers/media/platform/rcar-vin/rcar-v4l2.c
+@@ -179,20 +179,27 @@ static void rvin_format_align(struct rvin_dev *vin, struct v4l2_pix_format *pix)
+               break;
+       }
+-      /* HW limit width to a multiple of 32 (2^5) for NV12/16 else 2 (2^1) */
++      /* Hardware limits width alignment based on format. */
+       switch (pix->pixelformat) {
++      /* Multiple of 32 (2^5) for NV12/16. */
+       case V4L2_PIX_FMT_NV12:
+       case V4L2_PIX_FMT_NV16:
+               walign = 5;
+               break;
+-      default:
++      /* Multiple of 2 (2^1) for YUV. */
++      case V4L2_PIX_FMT_YUYV:
++      case V4L2_PIX_FMT_UYVY:
+               walign = 1;
+               break;
++      /* No multiple for RGB. */
++      default:
++              walign = 0;
++              break;
+       }
+       /* Limit to VIN capabilities */
+-      v4l_bound_align_image(&pix->width, 2, vin->info->max_width, walign,
+-                            &pix->height, 4, vin->info->max_height, 2, 0);
++      v4l_bound_align_image(&pix->width, 5, vin->info->max_width, walign,
++                            &pix->height, 2, vin->info->max_height, 0, 0);
+       pix->bytesperline = rvin_format_bytesperline(vin, pix);
+       pix->sizeimage = rvin_format_sizeimage(pix);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-rockchip-rkisp1-use-device-name-for-debugfs-su.patch b/queue-5.16/media-rockchip-rkisp1-use-device-name-for-debugfs-su.patch
new file mode 100644 (file)
index 0000000..93894fb
--- /dev/null
@@ -0,0 +1,44 @@
+From d11191ddf7471d4aed845c3827d31ad6877e3599 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Oct 2021 19:54:57 +0200
+Subject: media: rockchip: rkisp1: use device name for debugfs subdir name
+
+From: Mikhail Rudenko <mike.rudenko@gmail.com>
+
+[ Upstream commit c2611e479f5d9b05108270e1ab423955486b4457 ]
+
+While testing Rockchip RK3399 with both ISPs enabled, a dmesg error
+was observed:
+```
+[   15.559141] debugfs: Directory 'rkisp1' with parent '/' already present!
+```
+
+Fix it by using the device name for the debugfs subdirectory name
+instead of the driver name, thus preventing name collision.
+
+Link: https://lore.kernel.org/linux-media/20211010175457.438627-1-mike.rudenko@gmail.com
+Signed-off-by: Mikhail Rudenko <mike.rudenko@gmail.com>
+Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c b/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
+index 50b166c49a03a..3f5cfa7eb9372 100644
+--- a/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
++++ b/drivers/media/platform/rockchip/rkisp1/rkisp1-dev.c
+@@ -462,7 +462,7 @@ static void rkisp1_debug_init(struct rkisp1_device *rkisp1)
+ {
+       struct rkisp1_debug *debug = &rkisp1->debug;
+-      debug->debugfs_dir = debugfs_create_dir(RKISP1_DRIVER_NAME, NULL);
++      debug->debugfs_dir = debugfs_create_dir(dev_name(rkisp1->dev), NULL);
+       debugfs_create_ulong("data_loss", 0444, debug->debugfs_dir,
+                            &debug->data_loss);
+       debugfs_create_ulong("outform_size_err", 0444,  debug->debugfs_dir,
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch b/queue-5.16/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch
new file mode 100644 (file)
index 0000000..03ebef3
--- /dev/null
@@ -0,0 +1,74 @@
+From 2db635ede47a308d12d447356f4ee1a54f7039ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 16:40:30 +0100
+Subject: media: saa7146: hexium_gemini: Fix a NULL pointer dereference in
+ hexium_attach()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]
+
+In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
+a new memory for dev->vv_data. saa7146_vv_release() will be called on
+failure of saa7146_register_device(). There is a dereference of
+dev->vv_data in saa7146_vv_release(), which could lead to a NULL
+pointer dereference on failure of saa7146_vv_init().
+
+Fix this bug by adding a check of saa7146_vv_init().
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/saa7146/saa7146_fops.c | 2 +-
+ drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
+index baf5772c52a96..be32159777142 100644
+--- a/drivers/media/common/saa7146/saa7146_fops.c
++++ b/drivers/media/common/saa7146/saa7146_fops.c
+@@ -521,7 +521,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
+               ERR("out of memory. aborting.\n");
+               kfree(vv);
+               v4l2_ctrl_handler_free(hdl);
+-              return -1;
++              return -ENOMEM;
+       }
+       saa7146_video_uops.init(dev,vv);
+diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
+index 2214c74bbbf15..3947701cd6c7e 100644
+--- a/drivers/media/pci/saa7146/hexium_gemini.c
++++ b/drivers/media/pci/saa7146/hexium_gemini.c
+@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
+       hexium_set_input(hexium, 0);
+       hexium->cur_input = 0;
+-      saa7146_vv_init(dev, &vv_data);
++      ret = saa7146_vv_init(dev, &vv_data);
++      if (ret) {
++              i2c_del_adapter(&hexium->i2c_adapter);
++              kfree(hexium);
++              return ret;
++      }
+       vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
+       vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch b/queue-5.16/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch
new file mode 100644 (file)
index 0000000..bf3b66e
--- /dev/null
@@ -0,0 +1,74 @@
+From f7c84ecddf5f7c95d985cb0bc14cde563fafc412 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 17:25:49 +0100
+Subject: media: saa7146: hexium_orion: Fix a NULL pointer dereference in
+ hexium_attach()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]
+
+In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
+a new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
+will be called and there is a dereference of dev->vv_data in
+saa7146_vv_release(), which could lead to a NULL pointer dereference
+on failure of saa7146_vv_init() according to the following logic.
+
+Both hexium_attach() and hexium_detach() are callback functions of
+the variable 'extension', so there exists a possible call chain directly
+from hexium_attach() to hexium_detach():
+
+hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
+       |                               in saa7146_vv_init().
+       |
+       |
+hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()
+
+Fix this bug by adding a check of saa7146_vv_init().
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
+index 39d14c179d229..2eb4bee16b71f 100644
+--- a/drivers/media/pci/saa7146/hexium_orion.c
++++ b/drivers/media/pci/saa7146/hexium_orion.c
+@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data;
+ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ {
+       struct hexium *hexium = (struct hexium *) dev->ext_priv;
++      int ret;
+       DEB_EE("\n");
+-      saa7146_vv_init(dev, &vv_data);
++      ret = saa7146_vv_init(dev, &vv_data);
++      if (ret) {
++              pr_err("Error in saa7146_vv_init()\n");
++              return ret;
++      }
++
+       vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
+       vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
+       vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch b/queue-5.16/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch
new file mode 100644 (file)
index 0000000..5b24187
--- /dev/null
@@ -0,0 +1,64 @@
+From 1b0d4503b7ef56b7e00a7e6b66a7ffd2d74353bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 17:34:44 +0100
+Subject: media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit 0407c49ebe330333478440157c640fffd986f41b ]
+
+In mxb_attach(dev, info), saa7146_vv_init() is called to allocate a
+new memory for dev->vv_data. saa7146_vv_release() will be called on
+failure of mxb_probe(dev). There is a dereference of dev->vv_data
+in saa7146_vv_release(), which could lead to a NULL pointer dereference
+on failure of saa7146_vv_init().
+
+Fix this bug by adding a check of saa7146_vv_init().
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_VIDEO_MXB=m show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7146/mxb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c
+index 73fc901ecf3db..bf0b9b0914cd5 100644
+--- a/drivers/media/pci/saa7146/mxb.c
++++ b/drivers/media/pci/saa7146/mxb.c
+@@ -683,10 +683,16 @@ static struct saa7146_ext_vv vv_data;
+ static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ {
+       struct mxb *mxb;
++      int ret;
+       DEB_EE("dev:%p\n", dev);
+-      saa7146_vv_init(dev, &vv_data);
++      ret = saa7146_vv_init(dev, &vv_data);
++      if (ret) {
++              ERR("Error in saa7146_vv_init()");
++              return ret;
++      }
++
+       if (mxb_probe(dev)) {
+               saa7146_vv_release(dev);
+               return -1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-si2157-fix-warm-tuner-state-detection.patch b/queue-5.16/media-si2157-fix-warm-tuner-state-detection.patch
new file mode 100644 (file)
index 0000000..bb8cc00
--- /dev/null
@@ -0,0 +1,61 @@
+From 332ee3e51a803e8926b0e26df4b2d9887cdc92af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 22:08:43 +0100
+Subject: media: si2157: Fix "warm" tuner state detection
+
+From: Robert Schlabbach <robert_s@gmx.net>
+
+[ Upstream commit a6441ea29cb2c9314654e093a1cd8020b9b851c8 ]
+
+Commit e955f959ac52 ("media: si2157: Better check for running tuner in
+init") completely broke the "warm" tuner detection of the si2157 driver
+due to a simple endian error: The Si2157 CRYSTAL_TRIM property code is
+0x0402 and needs to be transmitted LSB first. However, it was inserted
+MSB first, causing the warm detection to always fail and spam the kernel
+log with tuner initialization messages each time the DVB frontend
+device was closed and reopened:
+
+[  312.215682] si2157 16-0060: found a 'Silicon Labs Si2157-A30'
+[  312.264334] si2157 16-0060: firmware version: 3.0.5
+[  342.248593] si2157 16-0060: found a 'Silicon Labs Si2157-A30'
+[  342.295743] si2157 16-0060: firmware version: 3.0.5
+[  372.328574] si2157 16-0060: found a 'Silicon Labs Si2157-A30'
+[  372.385035] si2157 16-0060: firmware version: 3.0.5
+
+Also, the reinitializations were observed disturb _other_ tuners on
+multi-tuner cards such as the Hauppauge WinTV-QuadHD, leading to missed
+or errored packets when one of the other DVB frontend devices on that
+card was opened.
+
+Fix the order of the property code bytes to make the warm detection work
+again, also reducing the tuner initialization message in the kernel log
+to once per power-on, as well as fixing the interference with other
+tuners.
+
+Link: https://lore.kernel.org/linux-media/trinity-2a86eb9d-6264-4387-95e1-ba7b79a4050f-1638392923493@3c-app-gmx-bap03
+
+Fixes: e955f959ac52 ("media: si2157: Better check for running tuner in init")
+Reported-by: Robert Schlabbach <robert_s@gmx.net>
+Signed-off-by: Robert Schlabbach <robert_s@gmx.net>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/si2157.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/tuners/si2157.c b/drivers/media/tuners/si2157.c
+index fefb2625f6558..75ddf7ed1faff 100644
+--- a/drivers/media/tuners/si2157.c
++++ b/drivers/media/tuners/si2157.c
+@@ -90,7 +90,7 @@ static int si2157_init(struct dvb_frontend *fe)
+       dev_dbg(&client->dev, "\n");
+       /* Try to get Xtal trim property, to verify tuner still running */
+-      memcpy(cmd.args, "\x15\x00\x04\x02", 4);
++      memcpy(cmd.args, "\x15\x00\x02\x04", 4);
+       cmd.wlen = 4;
+       cmd.rlen = 4;
+       ret = si2157_cmd_execute(client, &cmd);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch b/queue-5.16/media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch
new file mode 100644 (file)
index 0000000..046c63d
--- /dev/null
@@ -0,0 +1,62 @@
+From 494a901c7b47b7d5bd15f73bff5a07798b747812 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 11:58:55 +0200
+Subject: media: si470x-i2c: fix possible memory leak in si470x_i2c_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ef054e345ed8c79ce1121a3599b5a2dfd78e57a0 ]
+
+n the 'radio->hdl.error' error handling, ctrl handler allocated by
+v4l2_ctrl_new_std() does not released, and caused memory leak as
+follows:
+
+unreferenced object 0xffff888033d54200 (size 256):
+  comm "i2c-si470x-19", pid 909, jiffies 4294914203 (age 8.072s)
+  hex dump (first 32 bytes):
+    e8 69 11 03 80 88 ff ff 00 46 d5 33 80 88 ff ff  .i.......F.3....
+    10 42 d5 33 80 88 ff ff 10 42 d5 33 80 88 ff ff  .B.3.....B.3....
+  backtrace:
+    [<00000000086bd4ed>] __kmalloc_node+0x1eb/0x360
+    [<00000000bdb68871>] kvmalloc_node+0x66/0x120
+    [<00000000fac74e4c>] v4l2_ctrl_new+0x7b9/0x1c60 [videodev]
+    [<00000000693bf940>] v4l2_ctrl_new_std+0x19b/0x270 [videodev]
+    [<00000000c0cb91bc>] si470x_i2c_probe+0x2d3/0x9a0 [radio_si470x_i2c]
+    [<0000000056a6f01f>] i2c_device_probe+0x4d8/0xbe0
+
+Fix the error handling path to avoid memory leak.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 8c081b6f9a9b ("media: radio: Critical v4l2 registration...")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c
+index a972c0705ac79..76d39e2e87706 100644
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -368,7 +368,7 @@ static int si470x_i2c_probe(struct i2c_client *client)
+       if (radio->hdl.error) {
+               retval = radio->hdl.error;
+               dev_err(&client->dev, "couldn't register control\n");
+-              goto err_dev;
++              goto err_all;
+       }
+       /* video device initialization */
+@@ -463,7 +463,6 @@ static int si470x_i2c_probe(struct i2c_client *client)
+       return 0;
+ err_all:
+       v4l2_ctrl_handler_free(&radio->hdl);
+-err_dev:
+       v4l2_device_unregister(&radio->v4l2_dev);
+ err_initial:
+       return retval;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-uvcvideo-avoid-invalid-memory-access.patch b/queue-5.16/media-uvcvideo-avoid-invalid-memory-access.patch
new file mode 100644 (file)
index 0000000..ad6021d
--- /dev/null
@@ -0,0 +1,43 @@
+From 0c955ae138a847bdb3f8c8a447569054ba826621 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 06:22:17 +0100
+Subject: media: uvcvideo: Avoid invalid memory access
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit f0577b1b6394f954903fcc67e12fe9e7001dafd6 ]
+
+If mappings points to an invalid memory, we will be invalid accessing
+it. Solve it by initializing the value of the variable mapping and by
+changing the order in the conditional statement (to avoid accessing
+mapping->id if not needed).
+
+Fix:
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
+
+Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 30bfe9069a1fb..9a25d60292558 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1638,7 +1638,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
+                                 struct v4l2_ext_controls *ctrls,
+                                 struct uvc_control *uvc_control)
+ {
+-      struct uvc_control_mapping *mapping;
++      struct uvc_control_mapping *mapping = NULL;
+       struct uvc_control *ctrl_found;
+       unsigned int i;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-uvcvideo-avoid-returning-invalid-controls.patch b/queue-5.16/media-uvcvideo-avoid-returning-invalid-controls.patch
new file mode 100644 (file)
index 0000000..e9ad930
--- /dev/null
@@ -0,0 +1,38 @@
+From 6e5c99e0bb173bbf00e3d50172c807e896a335f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 06:22:18 +0100
+Subject: media: uvcvideo: Avoid returning invalid controls
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 414d3b49d9fd4a0bb16a13d929027847fd094f3f ]
+
+If the memory where ctrl_found is placed has the value of uvc_ctrl and
+__uvc_find_control does not find the control we will return an invalid
+index.
+
+Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 9a25d60292558..b4f6edf968bc0 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1639,7 +1639,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
+                                 struct uvc_control *uvc_control)
+ {
+       struct uvc_control_mapping *mapping = NULL;
+-      struct uvc_control *ctrl_found;
++      struct uvc_control *ctrl_found = NULL;
+       unsigned int i;
+       if (!entity)
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-uvcvideo-fix-memory-leak-of-object-map-on-erro.patch b/queue-5.16/media-uvcvideo-fix-memory-leak-of-object-map-on-erro.patch
new file mode 100644 (file)
index 0000000..4cd5258
--- /dev/null
@@ -0,0 +1,46 @@
+From 710c7d02fe639f85b9a40378a634df44b5f702de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Sep 2021 13:49:30 +0200
+Subject: media: uvcvideo: Fix memory leak of object map on error exit path
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 4b065060555b14c7a9b86c013a1c9bee8e8b6fbd ]
+
+Currently when the allocation of map->name fails the error exit path
+does not kfree the previously allocated object map. Fix this by
+setting ret to -ENOMEM and taking the free_map exit error path to
+ensure map is kfree'd.
+
+Addresses-Coverity: ("Resource leak")
+
+Fixes: 70fa906d6fce ("media: uvcvideo: Use control names from framework")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index f4e4aff8ddf77..711556d13d03a 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -44,8 +44,10 @@ static int uvc_ioctl_ctrl_map(struct uvc_video_chain *chain,
+       if (v4l2_ctrl_get_name(map->id) == NULL) {
+               map->name = kmemdup(xmap->name, sizeof(xmap->name),
+                                   GFP_KERNEL);
+-              if (!map->name)
+-                      return -ENOMEM;
++              if (!map->name) {
++                      ret = -ENOMEM;
++                      goto free_map;
++              }
+       }
+       memcpy(map->entity, xmap->entity, sizeof(map->entity));
+       map->selector = xmap->selector;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch b/queue-5.16/media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch
new file mode 100644 (file)
index 0000000..56003fc
--- /dev/null
@@ -0,0 +1,45 @@
+From 8cc0dacd339c753ca21c68037b1d183f070538a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Nov 2021 09:52:36 +0100
+Subject: media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds.
+
+From: James Hilliard <james.hilliard1@gmail.com>
+
+[ Upstream commit c8ed7d2f614cd8b315981d116c7a2fb01829500d ]
+
+Some uvc devices appear to require the maximum allowed USB timeout
+for GET_CUR/SET_CUR requests.
+
+So lets just bump the UVC control timeout to 5 seconds which is the
+same as the usb ctrl get/set defaults:
+USB_CTRL_GET_TIMEOUT 5000
+USB_CTRL_SET_TIMEOUT 5000
+
+It fixes the following runtime warnings:
+   Failed to query (GET_CUR) UVC control 11 on unit 2: -110 (exp. 1).
+   Failed to query (SET_CUR) UVC control 3 on unit 2: -110 (exp. 2).
+
+Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvcvideo.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
+index 2e5366143b814..143230b3275b3 100644
+--- a/drivers/media/usb/uvc/uvcvideo.h
++++ b/drivers/media/usb/uvc/uvcvideo.h
+@@ -189,7 +189,7 @@
+ /* Maximum status buffer size in bytes of interrupt URB. */
+ #define UVC_MAX_STATUS_SIZE   16
+-#define UVC_CTRL_CONTROL_TIMEOUT      500
++#define UVC_CTRL_CONTROL_TIMEOUT      5000
+ #define UVC_CTRL_STREAMING_TIMEOUT    5000
+ /* Maximum allowed number of control mappings per device */
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-venus-avoid-calling-core_clk_setrate-concurren.patch b/queue-5.16/media-venus-avoid-calling-core_clk_setrate-concurren.patch
new file mode 100644 (file)
index 0000000..c9a17d5
--- /dev/null
@@ -0,0 +1,210 @@
+From ac9ea6a09c11c691258fd3b19269cbaa7679ad77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 06:48:51 +0100
+Subject: media: venus: avoid calling core_clk_setrate() concurrently during
+ concurrent video sessions
+
+From: Mansur Alisha Shaik <mansur@codeaurora.org>
+
+[ Upstream commit 91f2b7d269e5c885c38c7ffa261f5276bd42f907 ]
+
+In existing implementation, core_clk_setrate() is getting called
+concurrently in concurrent video sessions. Before the previous call to
+core_clk_setrate returns, new call to core_clk_setrate is invoked from
+another video session running concurrently. This results in latest
+calculated frequency being set (higher/lower) instead of actual frequency
+required for that video session. It also results in stability crashes
+mention below. These resources are specific to video core, hence keeping
+under core lock would ensure that they are estimated for all running video
+sessions and called once for the video core.
+
+Crash logs:
+
+[    1.900089] WARNING: CPU: 4 PID: 1 at drivers/opp/debugfs.c:33 opp_debug_remove_one+0x2c/0x48
+[    1.908493] Modules linked in:
+[    1.911524] CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.10.67 #35 f8edb8c30cf2dd6838495dd9ef9be47af7f5f60c
+[    1.921036] Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT)
+[    1.928673] pstate: 60800009 (nZCv daif -PAN +UAO -TCO BTYPE=--)
+[    1.934608] pc : opp_debug_remove_one+0x2c/0x48
+[    1.939080] lr : opp_debug_remove_one+0x2c/0x48
+[    1.943560] sp : ffffffc011d7b7f0
+[    1.946836] pmr_save: 000000e0
+[    1.949854] x29: ffffffc011d7b7f0 x28: ffffffc010733bbc
+[    1.955104] x27: ffffffc010733ba8 x26: ffffff8083cedd00
+[    1.960355] x25: 0000000000000001 x24: 0000000000000000
+[    1.965603] x23: ffffff8083cc2878 x22: ffffff8083ceb900
+[    1.970852] x21: ffffff8083ceb910 x20: ffffff8083cc2800
+[    1.976101] x19: ffffff8083ceb900 x18: 00000000ffff0a10
+[    1.981352] x17: ffffff80837a5620 x16: 00000000000000ec
+[    1.986601] x15: ffffffc010519ad4 x14: 0000000000000003
+[    1.991849] x13: 0000000000000004 x12: 0000000000000001
+[    1.997100] x11: c0000000ffffdfff x10: 00000000ffffffff
+[    2.002348] x9 : d2627c580300dc00 x8 : d2627c580300dc00
+[    2.007596] x7 : 0720072007200720 x6 : ffffff80802ecf00
+[    2.012845] x5 : 0000000000190004 x4 : 0000000000000000
+[    2.018094] x3 : ffffffc011d7b478 x2 : ffffffc011d7b480
+[    2.023343] x1 : 00000000ffffdfff x0 : 0000000000000017
+[    2.028594] Call trace:
+[    2.031022]  opp_debug_remove_one+0x2c/0x48
+[    2.035160]  dev_pm_opp_put+0x94/0xb0
+[    2.038780]  _opp_remove_all+0x7c/0xc8
+[    2.042486]  _opp_remove_all_static+0x54/0x7c
+[    2.046796]  dev_pm_opp_remove_table+0x74/0x98
+[    2.051183]  devm_pm_opp_of_table_release+0x18/0x24
+[    2.056001]  devm_action_release+0x1c/0x28
+[    2.060053]  release_nodes+0x23c/0x2b8
+[    2.063760]  devres_release_group+0xcc/0xd0
+[    2.067900]  component_bind+0xac/0x168
+[    2.071608]  component_bind_all+0x98/0x124
+[    2.075664]  msm_drm_bind+0x1e8/0x678
+[    2.079287]  try_to_bring_up_master+0x60/0x134
+[    2.083674]  component_master_add_with_match+0xd8/0x120
+[    2.088834]  msm_pdev_probe+0x20c/0x2a0
+[    2.092629]  platform_drv_probe+0x9c/0xbc
+[    2.096598]  really_probe+0x11c/0x46c
+[    2.100217]  driver_probe_device+0x8c/0xf0
+[    2.104270]  device_driver_attach+0x54/0x78
+[    2.108407]  __driver_attach+0x48/0x148
+[    2.112201]  bus_for_each_dev+0x88/0xd4
+[    2.115998]  driver_attach+0x2c/0x38
+[    2.119534]  bus_add_driver+0x10c/0x200
+[    2.123330]  driver_register+0x6c/0x104
+[    2.127122]  __platform_driver_register+0x4c/0x58
+[    2.131767]  msm_drm_register+0x6c/0x70
+[    2.135560]  do_one_initcall+0x64/0x23c
+[    2.139357]  do_initcall_level+0xac/0x15c
+[    2.143321]  do_initcalls+0x5c/0x9c
+[    2.146778]  do_basic_setup+0x2c/0x38
+[    2.150401]  kernel_init_freeable+0xf8/0x15c
+[    2.154622]  kernel_init+0x1c/0x11c
+[    2.158079]  ret_from_fork+0x10/0x30
+[    2.161615] ---[ end trace a2cc45a0f784b212 ]---
+
+[    2.166272] Removing OPP: 300000000
+
+Signed-off-by: Mansur Alisha Shaik <mansur@codeaurora.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../media/platform/qcom/venus/pm_helpers.c    | 28 +++++++++----------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
+index 184f0cea2fdb8..cb48c5ff3dee2 100644
+--- a/drivers/media/platform/qcom/venus/pm_helpers.c
++++ b/drivers/media/platform/qcom/venus/pm_helpers.c
+@@ -163,14 +163,12 @@ static u32 load_per_type(struct venus_core *core, u32 session_type)
+       struct venus_inst *inst = NULL;
+       u32 mbs_per_sec = 0;
+-      mutex_lock(&core->lock);
+       list_for_each_entry(inst, &core->instances, list) {
+               if (inst->session_type != session_type)
+                       continue;
+               mbs_per_sec += load_per_instance(inst);
+       }
+-      mutex_unlock(&core->lock);
+       return mbs_per_sec;
+ }
+@@ -219,14 +217,12 @@ static int load_scale_bw(struct venus_core *core)
+       struct venus_inst *inst = NULL;
+       u32 mbs_per_sec, avg, peak, total_avg = 0, total_peak = 0;
+-      mutex_lock(&core->lock);
+       list_for_each_entry(inst, &core->instances, list) {
+               mbs_per_sec = load_per_instance(inst);
+               mbs_to_bw(inst, mbs_per_sec, &avg, &peak);
+               total_avg += avg;
+               total_peak += peak;
+       }
+-      mutex_unlock(&core->lock);
+       /*
+        * keep minimum bandwidth vote for "video-mem" path,
+@@ -253,8 +249,9 @@ static int load_scale_v1(struct venus_inst *inst)
+       struct device *dev = core->dev;
+       u32 mbs_per_sec;
+       unsigned int i;
+-      int ret;
++      int ret = 0;
++      mutex_lock(&core->lock);
+       mbs_per_sec = load_per_type(core, VIDC_SESSION_TYPE_ENC) +
+                     load_per_type(core, VIDC_SESSION_TYPE_DEC);
+@@ -279,17 +276,19 @@ set_freq:
+       if (ret) {
+               dev_err(dev, "failed to set clock rate %lu (%d)\n",
+                       freq, ret);
+-              return ret;
++              goto exit;
+       }
+       ret = load_scale_bw(core);
+       if (ret) {
+               dev_err(dev, "failed to set bandwidth (%d)\n",
+                       ret);
+-              return ret;
++              goto exit;
+       }
+-      return 0;
++exit:
++      mutex_unlock(&core->lock);
++      return ret;
+ }
+ static int core_get_v1(struct venus_core *core)
+@@ -1116,13 +1115,13 @@ static int load_scale_v4(struct venus_inst *inst)
+       struct device *dev = core->dev;
+       unsigned long freq = 0, freq_core1 = 0, freq_core2 = 0;
+       unsigned long filled_len = 0;
+-      int i, ret;
++      int i, ret = 0;
+       for (i = 0; i < inst->num_input_bufs; i++)
+               filled_len = max(filled_len, inst->payloads[i]);
+       if (inst->session_type == VIDC_SESSION_TYPE_DEC && !filled_len)
+-              return 0;
++              return ret;
+       freq = calculate_inst_freq(inst, filled_len);
+       inst->clk_data.freq = freq;
+@@ -1138,7 +1137,6 @@ static int load_scale_v4(struct venus_inst *inst)
+                       freq_core2 += inst->clk_data.freq;
+               }
+       }
+-      mutex_unlock(&core->lock);
+       freq = max(freq_core1, freq_core2);
+@@ -1163,17 +1161,19 @@ set_freq:
+       if (ret) {
+               dev_err(dev, "failed to set clock rate %lu (%d)\n",
+                       freq, ret);
+-              return ret;
++              goto exit;
+       }
+       ret = load_scale_bw(core);
+       if (ret) {
+               dev_err(dev, "failed to set bandwidth (%d)\n",
+                       ret);
+-              return ret;
++              goto exit;
+       }
+-      return 0;
++exit:
++      mutex_unlock(&core->lock);
++      return ret;
+ }
+ static const struct venus_pm_ops pm_ops_v4 = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-venus-core-fix-a-potential-null-pointer-derefe.patch b/queue-5.16/media-venus-core-fix-a-potential-null-pointer-derefe.patch
new file mode 100644 (file)
index 0000000..8bb0bc5
--- /dev/null
@@ -0,0 +1,43 @@
+From 5d7cd4fd5ee8ce0fde4dae395b9590a52107c623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 07:14:22 +0200
+Subject: media: venus: core: Fix a potential NULL pointer dereference in an
+ error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e4debea9be7d5db52bc6a565a4c02c3c6560d093 ]
+
+The normal path of the function makes the assumption that
+'pm_ops->core_power' may be NULL.
+We should make the same assumption in the error handling path or a NULL
+pointer dereference may occur.
+
+Add the missing test before calling 'pm_ops->core_power'
+
+Fixes: 9e8efdb57879 ("media: venus: core: vote for video-mem path")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
+index f5fa81896012d..fd32385485fa6 100644
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -473,7 +473,8 @@ static __maybe_unused int venus_runtime_suspend(struct device *dev)
+ err_video_path:
+       icc_set_bw(core->cpucfg_path, kbps_to_icc(1000), 0);
+ err_cpucfg_path:
+-      pm_ops->core_power(core, POWER_ON);
++      if (pm_ops->core_power)
++              pm_ops->core_power(core, POWER_ON);
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch b/queue-5.16/media-venus-core-fix-a-resource-leak-in-the-error-ha.patch
new file mode 100644 (file)
index 0000000..9474592
--- /dev/null
@@ -0,0 +1,61 @@
+From 1a940d28a218dbf704482b491bc8b731a739ef1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 22:05:28 +0200
+Subject: media: venus: core: Fix a resource leak in the error handling path of
+ 'venus_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 8cc7a1b2aca067397a016cdb971a5e6ad9b640c7 ]
+
+A successful 'of_platform_populate()' call should be balanced by a
+corresponding 'of_platform_depopulate()' call in the error handling path
+of the probe, as already done in the remove function.
+
+A successful 'venus_firmware_init()' call should be balanced by a
+corresponding 'venus_firmware_deinit()' call in the error handling path
+of the probe, as already done in the remove function.
+
+Update the error handling path accordingly.
+
+Fixes: f9799fcce4bb ("media: venus: firmware: register separate platform_device for firmware loader")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
+index fd32385485fa6..877eca1258037 100644
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -350,11 +350,11 @@ static int venus_probe(struct platform_device *pdev)
+       ret = venus_firmware_init(core);
+       if (ret)
+-              goto err_runtime_disable;
++              goto err_of_depopulate;
+       ret = venus_boot(core);
+       if (ret)
+-              goto err_runtime_disable;
++              goto err_firmware_deinit;
+       ret = hfi_core_resume(core, true);
+       if (ret)
+@@ -386,6 +386,10 @@ err_dev_unregister:
+       v4l2_device_unregister(&core->v4l2_dev);
+ err_venus_shutdown:
+       venus_shutdown(core);
++err_firmware_deinit:
++      venus_firmware_deinit(core);
++err_of_depopulate:
++      of_platform_depopulate(dev);
+ err_runtime_disable:
+       pm_runtime_put_noidle(dev);
+       pm_runtime_set_suspended(dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-venus-correct-low-power-frequency-calculation-.patch b/queue-5.16/media-venus-correct-low-power-frequency-calculation-.patch
new file mode 100644 (file)
index 0000000..3e2d549
--- /dev/null
@@ -0,0 +1,40 @@
+From 72c1b9123a8d8a1369c74bdc7f418b59e6c42d8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 08:21:12 +0200
+Subject: media: venus: correct low power frequency calculation for encoder
+
+From: Mansur Alisha Shaik <mansur@codeaurora.org>
+
+[ Upstream commit b1f9bb8020783a48151e3a2864fbdc70548566dd ]
+
+In exististing implimentation, in min_loaded_core() for low_power
+vpp frequency value is considering as vpp_freq instead of low_power_freq.
+Fixed this by correcting vpp frequency calculation for encoder.
+
+Fixes: 3cfe5815ce0e (media: venus: Enable low power setting for encoder)
+Signed-off-by: Mansur Alisha Shaik <mansur@codeaurora.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/pm_helpers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
+index cedc664ba755f..184f0cea2fdb8 100644
+--- a/drivers/media/platform/qcom/venus/pm_helpers.c
++++ b/drivers/media/platform/qcom/venus/pm_helpers.c
+@@ -587,8 +587,8 @@ min_loaded_core(struct venus_inst *inst, u32 *min_coreid, u32 *min_load, bool lo
+               if (inst->session_type == VIDC_SESSION_TYPE_DEC)
+                       vpp_freq = inst_pos->clk_data.vpp_freq;
+               else if (inst->session_type == VIDC_SESSION_TYPE_ENC)
+-                      vpp_freq = low_power ? inst_pos->clk_data.vpp_freq :
+-                              inst_pos->clk_data.low_power_freq;
++                      vpp_freq = low_power ? inst_pos->clk_data.low_power_freq :
++                              inst_pos->clk_data.vpp_freq;
+               else
+                       continue;
+-- 
+2.34.1
+
diff --git a/queue-5.16/media-videobuf2-fix-the-size-printk-format.patch b/queue-5.16/media-videobuf2-fix-the-size-printk-format.patch
new file mode 100644 (file)
index 0000000..c8ad7ca
--- /dev/null
@@ -0,0 +1,50 @@
+From fcfa7b53151a19c3a38e59056d6e0ebbc966cb74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Oct 2021 09:43:19 +0100
+Subject: media: videobuf2: Fix the size printk format
+
+From: Dillon Min <dillon.minfei@gmail.com>
+
+[ Upstream commit c9ee220d76775e42f35d634479c978d9350077d3 ]
+
+Since the type of parameter size is unsigned long,
+it should printk by %lu, instead of %ld, fix it.
+
+Fixes: 7952be9b6ece ("media: drivers/media/common/videobuf2: rename from videobuf")
+Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/videobuf2/videobuf2-dma-contig.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/common/videobuf2/videobuf2-dma-contig.c b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
+index 556e42ba66e55..7c4096e621738 100644
+--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
+@@ -257,7 +257,7 @@ static void *vb2_dc_alloc(struct vb2_buffer *vb,
+               ret = vb2_dc_alloc_coherent(buf);
+       if (ret) {
+-              dev_err(dev, "dma alloc of size %ld failed\n", size);
++              dev_err(dev, "dma alloc of size %lu failed\n", size);
+               kfree(buf);
+               return ERR_PTR(-ENOMEM);
+       }
+@@ -298,9 +298,9 @@ static int vb2_dc_mmap(void *buf_priv, struct vm_area_struct *vma)
+       vma->vm_ops->open(vma);
+-      pr_debug("%s: mapped dma addr 0x%08lx at 0x%08lx, size %ld\n",
+-              __func__, (unsigned long)buf->dma_addr, vma->vm_start,
+-              buf->size);
++      pr_debug("%s: mapped dma addr 0x%08lx at 0x%08lx, size %lu\n",
++               __func__, (unsigned long)buf->dma_addr, vma->vm_start,
++               buf->size);
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch b/queue-5.16/memory-renesas-rpc-if-return-error-in-case-devm_iore.patch
new file mode 100644 (file)
index 0000000..45ad04a
--- /dev/null
@@ -0,0 +1,41 @@
+From 5e0ff07224390bde8baa0077d08828000ae47c30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 21:56:29 +0100
+Subject: memory: renesas-rpc-if: Return error in case devm_ioremap_resource()
+ fails
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 818fdfa89baac77a8df5a2c30f4fb798cc937aa0 ]
+
+Make sure we return error in case devm_ioremap_resource() fails for dirmap
+resource.
+
+Fixes: ca7d8b980b67 ("memory: add Renesas RPC-IF driver")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20211025205631.21151-6-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/renesas-rpc-if.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memory/renesas-rpc-if.c b/drivers/memory/renesas-rpc-if.c
+index 7435baad00075..ff8bcbccac637 100644
+--- a/drivers/memory/renesas-rpc-if.c
++++ b/drivers/memory/renesas-rpc-if.c
+@@ -243,7 +243,7 @@ int rpcif_sw_init(struct rpcif *rpc, struct device *dev)
+       res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dirmap");
+       rpc->dirmap = devm_ioremap_resource(&pdev->dev, res);
+       if (IS_ERR(rpc->dirmap))
+-              rpc->dirmap = NULL;
++              return PTR_ERR(rpc->dirmap);
+       rpc->size = resource_size(res);
+       rpc->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch b/queue-5.16/mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch
new file mode 100644 (file)
index 0000000..c8797be
--- /dev/null
@@ -0,0 +1,54 @@
+From e16ed7c3689a628e151f546e70f9269acce90e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 16:51:37 +0300
+Subject: mfd: atmel-flexcom: Remove #ifdef CONFIG_PM_SLEEP
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 8c0fad75dcaa650e3f3145a2c35847bc6a65cb7f ]
+
+Remove compilation flag and use __maybe_unused and pm_ptr instead.
+
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211028135138.3481166-2-claudiu.beznea@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/atmel-flexcom.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mfd/atmel-flexcom.c b/drivers/mfd/atmel-flexcom.c
+index d2f5c073fdf31..962f66dc8813e 100644
+--- a/drivers/mfd/atmel-flexcom.c
++++ b/drivers/mfd/atmel-flexcom.c
+@@ -87,8 +87,7 @@ static const struct of_device_id atmel_flexcom_of_match[] = {
+ };
+ MODULE_DEVICE_TABLE(of, atmel_flexcom_of_match);
+-#ifdef CONFIG_PM_SLEEP
+-static int atmel_flexcom_resume(struct device *dev)
++static int __maybe_unused atmel_flexcom_resume(struct device *dev)
+ {
+       struct atmel_flexcom *ddata = dev_get_drvdata(dev);
+       int err;
+@@ -105,7 +104,6 @@ static int atmel_flexcom_resume(struct device *dev)
+       return 0;
+ }
+-#endif
+ static SIMPLE_DEV_PM_OPS(atmel_flexcom_pm_ops, NULL,
+                        atmel_flexcom_resume);
+@@ -114,7 +112,7 @@ static struct platform_driver atmel_flexcom_driver = {
+       .probe  = atmel_flexcom_probe,
+       .driver = {
+               .name           = "atmel_flexcom",
+-              .pm             = &atmel_flexcom_pm_ops,
++              .pm             = pm_ptr(&atmel_flexcom_pm_ops),
+               .of_match_table = atmel_flexcom_of_match,
+       },
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/mfd-atmel-flexcom-use-.resume_noirq.patch b/queue-5.16/mfd-atmel-flexcom-use-.resume_noirq.patch
new file mode 100644 (file)
index 0000000..bcf026b
--- /dev/null
@@ -0,0 +1,56 @@
+From 3590a76d66e8209ad768c08cd3e0345a1903fb93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 16:51:38 +0300
+Subject: mfd: atmel-flexcom: Use .resume_noirq
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 5d051cf94fd5834a1513aa77e542c49fd973988a ]
+
+Flexcom IP embeds 3 other IPs: usart, i2c, spi and selects the operation
+mode (usart, i2c, spi) via mode register (FLEX_MR). On i2c bus there might
+be connected critical devices (like PMIC) which on suspend/resume should
+be suspended/resumed at the end/beginning. i2c uses
+.suspend_noirq/.resume_noirq for this kind of purposes. Align flexcom
+to use .resume_noirq as it should be resumed before the embedded IPs.
+Otherwise the embedded devices might behave badly.
+
+Fixes: 7fdec11015c3 ("atmel_flexcom: Support resuming after a chip reset")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Tested-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211028135138.3481166-3-claudiu.beznea@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/atmel-flexcom.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mfd/atmel-flexcom.c b/drivers/mfd/atmel-flexcom.c
+index 962f66dc8813e..559eb4d352b68 100644
+--- a/drivers/mfd/atmel-flexcom.c
++++ b/drivers/mfd/atmel-flexcom.c
+@@ -87,7 +87,7 @@ static const struct of_device_id atmel_flexcom_of_match[] = {
+ };
+ MODULE_DEVICE_TABLE(of, atmel_flexcom_of_match);
+-static int __maybe_unused atmel_flexcom_resume(struct device *dev)
++static int __maybe_unused atmel_flexcom_resume_noirq(struct device *dev)
+ {
+       struct atmel_flexcom *ddata = dev_get_drvdata(dev);
+       int err;
+@@ -105,8 +105,9 @@ static int __maybe_unused atmel_flexcom_resume(struct device *dev)
+       return 0;
+ }
+-static SIMPLE_DEV_PM_OPS(atmel_flexcom_pm_ops, NULL,
+-                       atmel_flexcom_resume);
++static const struct dev_pm_ops atmel_flexcom_pm_ops = {
++      .resume_noirq = atmel_flexcom_resume_noirq,
++};
+ static struct platform_driver atmel_flexcom_driver = {
+       .probe  = atmel_flexcom_probe,
+-- 
+2.34.1
+
diff --git a/queue-5.16/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch b/queue-5.16/mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch
new file mode 100644 (file)
index 0000000..7291b66
--- /dev/null
@@ -0,0 +1,88 @@
+From 812e34e3876deeb5d88edb07f762aceae11dfc3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 18:48:06 +0100
+Subject: mfd: intel_soc_pmic: Use CPU-id check instead of _HRV check to
+ differentiate variants
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5b78223f55a0f516a1639dbe11cd4324d4aaee20 ]
+
+The Intel Crystal Cove PMIC has 2 different variants, one for use with
+Bay Trail (BYT) SoCs and one for use with Cherry Trail (CHT) SoCs.
+
+So far we have been using an ACPI _HRV check to differentiate between
+the 2, but at least on the Microsoft Surface 3, which is a CHT device,
+the wrong _HRV value is reported by ACPI.
+
+So instead switch to a CPU-ID check which prevents us from relying on
+the possibly wrong ACPI _HRV value.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reported-by: Tsuchiya Yuto <kitakar@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211206174806.197772-2-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_core.c | 28 +++-------------------------
+ 1 file changed, 3 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c
+index ddd64f9e3341e..47cb7f00dfcfc 100644
+--- a/drivers/mfd/intel_soc_pmic_core.c
++++ b/drivers/mfd/intel_soc_pmic_core.c
+@@ -14,15 +14,12 @@
+ #include <linux/module.h>
+ #include <linux/mfd/core.h>
+ #include <linux/mfd/intel_soc_pmic.h>
++#include <linux/platform_data/x86/soc.h>
+ #include <linux/pwm.h>
+ #include <linux/regmap.h>
+ #include "intel_soc_pmic_core.h"
+-/* Crystal Cove PMIC shares same ACPI ID between different platforms */
+-#define BYT_CRC_HRV           2
+-#define CHT_CRC_HRV           3
+-
+ /* PWM consumed by the Intel GFX */
+ static struct pwm_lookup crc_pwm_lookup[] = {
+       PWM_LOOKUP("crystal_cove_pwm", 0, "0000:00:02.0", "pwm_pmic_backlight", 0, PWM_POLARITY_NORMAL),
+@@ -34,31 +31,12 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c,
+       struct device *dev = &i2c->dev;
+       struct intel_soc_pmic_config *config;
+       struct intel_soc_pmic *pmic;
+-      unsigned long long hrv;
+-      acpi_status status;
+       int ret;
+-      /*
+-       * There are 2 different Crystal Cove PMICs a Bay Trail and Cherry
+-       * Trail version, use _HRV to differentiate between the 2.
+-       */
+-      status = acpi_evaluate_integer(ACPI_HANDLE(dev), "_HRV", NULL, &hrv);
+-      if (ACPI_FAILURE(status)) {
+-              dev_err(dev, "Failed to get PMIC hardware revision\n");
+-              return -ENODEV;
+-      }
+-
+-      switch (hrv) {
+-      case BYT_CRC_HRV:
++      if (soc_intel_is_byt())
+               config = &intel_soc_pmic_config_byt_crc;
+-              break;
+-      case CHT_CRC_HRV:
++      else
+               config = &intel_soc_pmic_config_cht_crc;
+-              break;
+-      default:
+-              dev_warn(dev, "Unknown hardware rev %llu, assuming BYT\n", hrv);
+-              config = &intel_soc_pmic_config_byt_crc;
+-      }
+       pmic = devm_kzalloc(dev, sizeof(*pmic), GFP_KERNEL);
+       if (!pmic)
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch b/queue-5.16/mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch
new file mode 100644 (file)
index 0000000..a6481cd
--- /dev/null
@@ -0,0 +1,52 @@
+From 32b40e09cc140246f3e0620251ac6b3297792e39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 12:16:35 +0100
+Subject: mips: add SYS_HAS_CPU_MIPS64_R5 config for MIPS Release 5 support
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit fd4eb90b164442cb1e9909f7845e12a0835ac699 ]
+
+Commit ab7c01fdc3cf ("mips: Add MIPS Release 5 support") adds the two
+configs CPU_MIPS32_R5 and CPU_MIPS64_R5, which depend on the corresponding
+SYS_HAS_CPU_MIPS32_R5 and SYS_HAS_CPU_MIPS64_R5, respectively.
+
+The config SYS_HAS_CPU_MIPS32_R5 was already introduced with commit
+c5b367835cfc ("MIPS: Add support for XPA."); the config
+SYS_HAS_CPU_MIPS64_R5, however, was never introduced.
+
+Hence, ./scripts/checkkconfigsymbols.py warns:
+
+  SYS_HAS_CPU_MIPS64_R5
+  Referencing files: arch/mips/Kconfig, arch/mips/include/asm/cpu-type.h
+
+Add the definition for config SYS_HAS_CPU_MIPS64_R5 under the assumption
+that SYS_HAS_CPU_MIPS64_R5 follows the same pattern as the existing
+SYS_HAS_CPU_MIPS32_R5 and SYS_HAS_CPU_MIPS64_R6.
+
+Fixes: ab7c01fdc3cf ("mips: Add MIPS Release 5 support")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 0215dc1529e9a..91ce1c57af005 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -1907,6 +1907,10 @@ config SYS_HAS_CPU_MIPS64_R1
+ config SYS_HAS_CPU_MIPS64_R2
+       bool
++config SYS_HAS_CPU_MIPS64_R5
++      bool
++      select ARCH_HAS_SYNC_DMA_FOR_CPU if DMA_NONCOHERENT
++
+ config SYS_HAS_CPU_MIPS64_R6
+       bool
+       select ARCH_HAS_SYNC_DMA_FOR_CPU if DMA_NONCOHERENT
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-bcm63xx-add-support-for-clk_set_parent.patch b/queue-5.16/mips-bcm63xx-add-support-for-clk_set_parent.patch
new file mode 100644 (file)
index 0000000..a484ac0
--- /dev/null
@@ -0,0 +1,48 @@
+From 38272acef7d34213ab1c7428f04cf2d65d11fc64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Dec 2021 16:05:53 -0800
+Subject: mips: bcm63xx: add support for clk_set_parent()
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 6f03055d508ff4feb8db02ba3df9303a1db8d381 ]
+
+The MIPS BMC63XX subarch does not provide/support clk_set_parent().
+This causes build errors in a few drivers, so add a simple implementation
+of that function so that callers of it will build without errors.
+
+Fixes these build errors:
+
+ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined!
+ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined!
+
+Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs." )
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/bcm63xx/clk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
+index 1c91064cb448b..6e6756e8fa0a9 100644
+--- a/arch/mips/bcm63xx/clk.c
++++ b/arch/mips/bcm63xx/clk.c
+@@ -387,6 +387,12 @@ struct clk *clk_get_parent(struct clk *clk)
+ }
+ EXPORT_SYMBOL(clk_get_parent);
++int clk_set_parent(struct clk *clk, struct clk *parent)
++{
++      return 0;
++}
++EXPORT_SYMBOL(clk_set_parent);
++
+ unsigned long clk_get_rate(struct clk *clk)
+ {
+       if (!clk)
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-compressed-fix-build-with-zstd-compression.patch b/queue-5.16/mips-compressed-fix-build-with-zstd-compression.patch
new file mode 100644 (file)
index 0000000..91f7261
--- /dev/null
@@ -0,0 +1,64 @@
+From 108142071b6611ab233f12bbe646981739c8394c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 18:57:22 +0000
+Subject: MIPS: compressed: Fix build with ZSTD compression
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+[ Upstream commit c5c7440fe7f74645940d5c9e2c49cd7efb706a4f ]
+
+Fix the following build issues:
+
+mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_buildDTable_internal':
+ decompress.c:(.text.FSE_buildDTable_internal+0x2cc): undefined reference to `__clzdi2'
+   mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `BIT_initDStream':
+   decompress.c:(.text.BIT_initDStream+0x7c): undefined reference to `__clzdi2'
+   mips64el-linux-ld: decompress.c:(.text.BIT_initDStream+0x158): undefined reference to `__clzdi2'
+   mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_buildFSETable_body_default.constprop.0':
+ decompress.c:(.text.ZSTD_buildFSETable_body_default.constprop.0+0x2a8): undefined reference to `__clzdi2'
+   mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `FSE_readNCount_body_default':
+ decompress.c:(.text.FSE_readNCount_body_default+0x130): undefined reference to `__ctzdi2'
+ mips64el-linux-ld: decompress.c:(.text.FSE_readNCount_body_default+0x1a4): undefined reference to `__ctzdi2'
+ mips64el-linux-ld: decompress.c:(.text.FSE_readNCount_body_default+0x2e4): undefined reference to `__clzdi2'
+   mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `HUF_readStats_body_default':
+ decompress.c:(.text.HUF_readStats_body_default+0x184): undefined reference to `__clzdi2'
+ mips64el-linux-ld: decompress.c:(.text.HUF_readStats_body_default+0x1b4): undefined reference to `__clzdi2'
+   mips64el-linux-ld: arch/mips/boot/compressed/decompress.o: in function `ZSTD_DCtx_getParameter':
+ decompress.c:(.text.ZSTD_DCtx_getParameter+0x60): undefined reference to `__clzdi2'
+
+Fixes: a510b616131f ("MIPS: Add support for ZSTD-compressed kernels")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Nick Terrell <terrelln@fb.com>
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/compressed/Makefile  | 2 +-
+ arch/mips/boot/compressed/clz_ctz.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+ create mode 100644 arch/mips/boot/compressed/clz_ctz.c
+
+diff --git a/arch/mips/boot/compressed/Makefile b/arch/mips/boot/compressed/Makefile
+index f27cf31b41401..38e233f7fd7a4 100644
+--- a/arch/mips/boot/compressed/Makefile
++++ b/arch/mips/boot/compressed/Makefile
+@@ -52,7 +52,7 @@ endif
+ vmlinuzobjs-$(CONFIG_KERNEL_XZ) += $(obj)/ashldi3.o
+-vmlinuzobjs-$(CONFIG_KERNEL_ZSTD) += $(obj)/bswapdi.o $(obj)/ashldi3.o
++vmlinuzobjs-$(CONFIG_KERNEL_ZSTD) += $(obj)/bswapdi.o $(obj)/ashldi3.o $(obj)/clz_ctz.o
+ targets := $(notdir $(vmlinuzobjs-y))
+diff --git a/arch/mips/boot/compressed/clz_ctz.c b/arch/mips/boot/compressed/clz_ctz.c
+new file mode 100644
+index 0000000000000..b4a1b6eb2f8ad
+--- /dev/null
++++ b/arch/mips/boot/compressed/clz_ctz.c
+@@ -0,0 +1,2 @@
++// SPDX-License-Identifier: GPL-2.0-only
++#include "../../../../lib/clz_ctz.c"
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch b/queue-5.16/mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch
new file mode 100644 (file)
index 0000000..640d42a
--- /dev/null
@@ -0,0 +1,52 @@
+From 16ede3e7da558bde841753e1df89f30ca1d12cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 12:16:42 +0100
+Subject: mips: fix Kconfig reference to PHYS_ADDR_T_64BIT
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit a670c82d9ca4f1e7385d9d6f26ff41a50fbdd944 ]
+
+Commit d4a451d5fc84 ("arch: remove the ARCH_PHYS_ADDR_T_64BIT config
+symbol") removes config ARCH_PHYS_ADDR_T_64BIT with all instances of that
+config refactored appropriately. Since then, it is recommended to use the
+config PHYS_ADDR_T_64BIT instead.
+
+Commit 171543e75272 ("MIPS: Disallow CPU_SUPPORTS_HUGEPAGES for XPA,EVA")
+introduces the expression "!(32BIT && (ARCH_PHYS_ADDR_T_64BIT || EVA))"
+for config CPU_SUPPORTS_HUGEPAGES, which unintentionally refers to the
+non-existing symbol ARCH_PHYS_ADDR_T_64BIT instead of the intended
+PHYS_ADDR_T_64BIT.
+
+Fix this Kconfig reference to the intended PHYS_ADDR_T_64BIT.
+
+This issue was identified with the script ./scripts/checkkconfigsymbols.py.
+I then reported it on the mailing list and Paul confirmed the mistake in
+the linked email thread.
+
+Link: https://lore.kernel.org/lkml/H8IU3R.H5QVNRA077PT@crapouillou.net/
+Suggested-by: Paul Cercueil <paul@crapouillou.net>
+Fixes: 171543e75272 ("MIPS: Disallow CPU_SUPPORTS_HUGEPAGES for XPA,EVA")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 91ce1c57af005..c5826236d913a 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -2069,7 +2069,7 @@ config CPU_SUPPORTS_ADDRWINCFG
+       bool
+ config CPU_SUPPORTS_HUGEPAGES
+       bool
+-      depends on !(32BIT && (ARCH_PHYS_ADDR_T_64BIT || EVA))
++      depends on !(32BIT && (PHYS_ADDR_T_64BIT || EVA))
+ config MIPS_PGD_C0_CONTEXT
+       bool
+       depends on 64BIT
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-fix-local_-add-sub-_return-on-mips64.patch b/queue-5.16/mips-fix-local_-add-sub-_return-on-mips64.patch
new file mode 100644 (file)
index 0000000..00bc7b5
--- /dev/null
@@ -0,0 +1,70 @@
+From 1ffe93d5593c720bc9c69578a33e0538e0888dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 16:44:57 +0800
+Subject: MIPS: fix local_{add,sub}_return on MIPS64
+
+From: Huang Pei <huangpei@loongson.cn>
+
+[ Upstream commit 277c8cb3e8ac199f075bf9576ad286687ed17173 ]
+
+Use "daddu/dsubu" for long int on MIPS64 instead of "addu/subu"
+
+Fixes: 7232311ef14c ("local_t: mips extension")
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/local.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
+index ecda7295ddcd1..3fa6340903882 100644
+--- a/arch/mips/include/asm/local.h
++++ b/arch/mips/include/asm/local.h
+@@ -5,6 +5,7 @@
+ #include <linux/percpu.h>
+ #include <linux/bitops.h>
+ #include <linux/atomic.h>
++#include <asm/asm.h>
+ #include <asm/cmpxchg.h>
+ #include <asm/compiler.h>
+ #include <asm/war.h>
+@@ -39,7 +40,7 @@ static __inline__ long local_add_return(long i, local_t * l)
+               "       .set    arch=r4000                              \n"
+                       __SYNC(full, loongson3_war) "                   \n"
+               "1:"    __LL    "%1, %2         # local_add_return      \n"
+-              "       addu    %0, %1, %3                              \n"
++                      __stringify(LONG_ADDU)  "       %0, %1, %3      \n"
+                       __SC    "%0, %2                                 \n"
+               "       beqzl   %0, 1b                                  \n"
+               "       addu    %0, %1, %3                              \n"
+@@ -55,7 +56,7 @@ static __inline__ long local_add_return(long i, local_t * l)
+               "       .set    "MIPS_ISA_ARCH_LEVEL"                   \n"
+                       __SYNC(full, loongson3_war) "                   \n"
+               "1:"    __LL    "%1, %2         # local_add_return      \n"
+-              "       addu    %0, %1, %3                              \n"
++                      __stringify(LONG_ADDU)  "       %0, %1, %3      \n"
+                       __SC    "%0, %2                                 \n"
+               "       beqz    %0, 1b                                  \n"
+               "       addu    %0, %1, %3                              \n"
+@@ -88,7 +89,7 @@ static __inline__ long local_sub_return(long i, local_t * l)
+               "       .set    arch=r4000                              \n"
+                       __SYNC(full, loongson3_war) "                   \n"
+               "1:"    __LL    "%1, %2         # local_sub_return      \n"
+-              "       subu    %0, %1, %3                              \n"
++                      __stringify(LONG_SUBU)  "       %0, %1, %3      \n"
+                       __SC    "%0, %2                                 \n"
+               "       beqzl   %0, 1b                                  \n"
+               "       subu    %0, %1, %3                              \n"
+@@ -104,7 +105,7 @@ static __inline__ long local_sub_return(long i, local_t * l)
+               "       .set    "MIPS_ISA_ARCH_LEVEL"                   \n"
+                       __SYNC(full, loongson3_war) "                   \n"
+               "1:"    __LL    "%1, %2         # local_sub_return      \n"
+-              "       subu    %0, %1, %3                              \n"
++                      __stringify(LONG_SUBU)  "       %0, %1, %3      \n"
+                       __SC    "%0, %2                                 \n"
+               "       beqz    %0, 1b                                  \n"
+               "       subu    %0, %1, %3                              \n"
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-lantiq-add-support-for-clk_set_parent.patch b/queue-5.16/mips-lantiq-add-support-for-clk_set_parent.patch
new file mode 100644 (file)
index 0000000..312eb14
--- /dev/null
@@ -0,0 +1,48 @@
+From dbba3f1f5724e5a1a3c231e3c10998e1a2793bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Dec 2021 16:03:45 -0800
+Subject: mips: lantiq: add support for clk_set_parent()
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 76f66dfd60dc5d2f9dec22d99091fea1035c5d03 ]
+
+Provide a simple implementation of clk_set_parent() in the lantiq
+subarch so that callers of it will build without errors.
+
+Fixes these build errors:
+
+ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined!
+ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined!
+
+Fixes: 171bb2f19ed6 ("MIPS: Lantiq: Add initial support for Lantiq SoCs")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+--to=linux-mips@vger.kernel.org --cc="John Crispin <john@phrozen.org>" --cc="Jonathan Cameron <jic23@kernel.org>" --cc="Russell King <linux@armlinux.org.uk>" --cc="Andy Shevchenko <andy.shevchenko@gmail.com>" --cc=alsa-devel@alsa-project.org --to="Thomas Bogendoerfer <tsbogend@alpha.franken.de>"
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/clk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c
+index 4916cccf378fd..7a623684d9b5e 100644
+--- a/arch/mips/lantiq/clk.c
++++ b/arch/mips/lantiq/clk.c
+@@ -164,6 +164,12 @@ struct clk *clk_get_parent(struct clk *clk)
+ }
+ EXPORT_SYMBOL(clk_get_parent);
++int clk_set_parent(struct clk *clk, struct clk *parent)
++{
++      return 0;
++}
++EXPORT_SYMBOL(clk_set_parent);
++
+ static inline u32 get_counter_resolution(void)
+ {
+       u32 res;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-loongson64-use-three-arguments-for-slti.patch b/queue-5.16/mips-loongson64-use-three-arguments-for-slti.patch
new file mode 100644 (file)
index 0000000..e3ad152
--- /dev/null
@@ -0,0 +1,62 @@
+From c484b427b6c7582b9e5b0225642017c4f6d82fae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 09:56:17 -0700
+Subject: MIPS: Loongson64: Use three arguments for slti
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit f2c6c22fa83ab2577619009057b3ebcb5305bb03 ]
+
+LLVM's integrated assembler does not support 'slti <reg>, <imm>':
+
+<instantiation>:16:12: error: invalid operand for instruction
+ slti $12, (0x6300 | 0x0008)
+           ^
+arch/mips/kernel/head.S:86:2: note: while in macro instantiation
+ kernel_entry_setup # cpu specific setup
+ ^
+<instantiation>:16:12: error: invalid operand for instruction
+ slti $12, (0x6300 | 0x0008)
+           ^
+arch/mips/kernel/head.S:150:2: note: while in macro instantiation
+ smp_slave_setup
+ ^
+
+To increase compatibility with LLVM's integrated assembler, use the full
+form of 'slti <reg>, <reg>, <imm>', which matches the rest of
+arch/mips/. This does not result in any change for GNU as.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1526
+Reported-by: Ryutaroh Matsumoto <ryutaroh@ict.e.titech.ac.jp>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mach-loongson64/kernel-entry-init.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h b/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h
+index 13373c5144f89..efb41b3519747 100644
+--- a/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h
++++ b/arch/mips/include/asm/mach-loongson64/kernel-entry-init.h
+@@ -32,7 +32,7 @@
+       nop
+       /* Loongson-3A R2/R3 */
+       andi    t0, (PRID_IMP_MASK | PRID_REV_MASK)
+-      slti    t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0)
++      slti    t0, t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0)
+       bnez    t0, 2f
+       nop
+ 1:
+@@ -63,7 +63,7 @@
+       nop
+       /* Loongson-3A R2/R3 */
+       andi    t0, (PRID_IMP_MASK | PRID_REV_MASK)
+-      slti    t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0)
++      slti    t0, t0, (PRID_IMP_LOONGSON_64C | PRID_REV_LOONGSON3A_R2_0)
+       bnez    t0, 2f
+       nop
+ 1:
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-octeon-add-put_device-after-of_find_device_by_n.patch b/queue-5.16/mips-octeon-add-put_device-after-of_find_device_by_n.patch
new file mode 100644 (file)
index 0000000..043b0c2
--- /dev/null
@@ -0,0 +1,67 @@
+From ed193a53317cfb818b7e0013385b9dff75a2e479 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:10:51 +0000
+Subject: MIPS: OCTEON: add put_device() after of_find_device_by_node()
+
+From: Ye Guojin <ye.guojin@zte.com.cn>
+
+[ Upstream commit 858779df1c0787d3fec827fb705708df9ebdb15b ]
+
+This was found by coccicheck:
+./arch/mips/cavium-octeon/octeon-platform.c, 332, 1-7, ERROR missing
+put_device; call of_find_device_by_node on line 324, but without a
+corresponding object release within this function.
+./arch/mips/cavium-octeon/octeon-platform.c, 395, 1-7, ERROR missing
+put_device; call of_find_device_by_node on line 387, but without a
+corresponding object release within this function.
+./arch/mips/cavium-octeon/octeon-usb.c, 512, 3-9, ERROR missing
+put_device; call of_find_device_by_node on line 515, but without a
+corresponding object release within this function.
+./arch/mips/cavium-octeon/octeon-usb.c, 543, 1-7, ERROR missing
+put_device; call of_find_device_by_node on line 515, but without a
+corresponding object release within this function.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/cavium-octeon/octeon-platform.c | 2 ++
+ arch/mips/cavium-octeon/octeon-usb.c      | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/arch/mips/cavium-octeon/octeon-platform.c b/arch/mips/cavium-octeon/octeon-platform.c
+index d56e9b9d2e434..a994022e32c9f 100644
+--- a/arch/mips/cavium-octeon/octeon-platform.c
++++ b/arch/mips/cavium-octeon/octeon-platform.c
+@@ -328,6 +328,7 @@ static int __init octeon_ehci_device_init(void)
+       pd->dev.platform_data = &octeon_ehci_pdata;
+       octeon_ehci_hw_start(&pd->dev);
++      put_device(&pd->dev);
+       return ret;
+ }
+@@ -391,6 +392,7 @@ static int __init octeon_ohci_device_init(void)
+       pd->dev.platform_data = &octeon_ohci_pdata;
+       octeon_ohci_hw_start(&pd->dev);
++      put_device(&pd->dev);
+       return ret;
+ }
+diff --git a/arch/mips/cavium-octeon/octeon-usb.c b/arch/mips/cavium-octeon/octeon-usb.c
+index 6e4d3619137af..4df919d26b082 100644
+--- a/arch/mips/cavium-octeon/octeon-usb.c
++++ b/arch/mips/cavium-octeon/octeon-usb.c
+@@ -537,6 +537,7 @@ static int __init dwc3_octeon_device_init(void)
+                       devm_iounmap(&pdev->dev, base);
+                       devm_release_mem_region(&pdev->dev, res->start,
+                                               resource_size(res));
++                      put_device(&pdev->dev);
+               }
+       } while (node != NULL);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mips-octeon-fix-build-errors-using-clang.patch b/queue-5.16/mips-octeon-fix-build-errors-using-clang.patch
new file mode 100644 (file)
index 0000000..c17d92e
--- /dev/null
@@ -0,0 +1,62 @@
+From 69d6ca99534bd25adcbb4f8d0806a3b6254e99a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 17:50:14 +0800
+Subject: MIPS: Octeon: Fix build errors using clang
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 95339b70677dc6f9a2d669c4716058e71b8dc1c7 ]
+
+A large number of the following errors is reported when compiling
+with clang:
+
+  cvmx-bootinfo.h:326:3: error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int]
+                  ENUM_BRD_TYPE_CASE(CVMX_BOARD_TYPE_NULL)
+                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE'
+          case x: return(#x + 16);        /* Skip CVMX_BOARD_TYPE_ */
+                         ~~~^~~~
+  cvmx-bootinfo.h:326:3: note: use array indexing to silence this warning
+  cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE'
+          case x: return(#x + 16);        /* Skip CVMX_BOARD_TYPE_ */
+                          ^
+
+Follow the prompts to use the address operator '&' to fix this error.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/octeon/cvmx-bootinfo.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/include/asm/octeon/cvmx-bootinfo.h b/arch/mips/include/asm/octeon/cvmx-bootinfo.h
+index 0e6bf220db618..6c61e0a639249 100644
+--- a/arch/mips/include/asm/octeon/cvmx-bootinfo.h
++++ b/arch/mips/include/asm/octeon/cvmx-bootinfo.h
+@@ -318,7 +318,7 @@ enum cvmx_chip_types_enum {
+ /* Functions to return string based on type */
+ #define ENUM_BRD_TYPE_CASE(x) \
+-      case x: return(#x + 16);        /* Skip CVMX_BOARD_TYPE_ */
++      case x: return (&#x[16]);       /* Skip CVMX_BOARD_TYPE_ */
+ static inline const char *cvmx_board_type_to_string(enum
+                                                   cvmx_board_types_enum type)
+ {
+@@ -410,7 +410,7 @@ static inline const char *cvmx_board_type_to_string(enum
+ }
+ #define ENUM_CHIP_TYPE_CASE(x) \
+-      case x: return(#x + 15);        /* Skip CVMX_CHIP_TYPE */
++      case x: return (&#x[15]);       /* Skip CVMX_CHIP_TYPE */
+ static inline const char *cvmx_chip_type_to_string(enum
+                                                  cvmx_chip_types_enum type)
+ {
+-- 
+2.34.1
+
diff --git a/queue-5.16/misc-at25-make-driver-of-independent-again.patch b/queue-5.16/misc-at25-make-driver-of-independent-again.patch
new file mode 100644 (file)
index 0000000..b200285
--- /dev/null
@@ -0,0 +1,63 @@
+From bc09db1e7e524aa9801d69c7ff68d49ed59ca55e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 23:27:27 +0200
+Subject: misc: at25: Make driver OF independent again
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5b557298d7d09cce04e0565a535fbca63661724a ]
+
+The commit f60e7074902a ("misc: at25: Make use of device property API")
+made a good job by enabling the driver for non-OF platforms, but the
+recent commit 604288bc6196 ("nvmem: eeprom: at25: fix type compiler warnings")
+brought that back.
+
+Restore greatness of the driver once again.
+
+Fixes: eab61fb1cc2e ("nvmem: eeprom: at25: fram discovery simplification")
+Fixes: fd307a4ad332 ("nvmem: prepare basics for FRAM support")
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20211125212729.86585-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/at25.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/misc/eeprom/at25.c b/drivers/misc/eeprom/at25.c
+index b38978a3b3ffa..9193b812bc07e 100644
+--- a/drivers/misc/eeprom/at25.c
++++ b/drivers/misc/eeprom/at25.c
+@@ -17,8 +17,6 @@
+ #include <linux/spi/spi.h>
+ #include <linux/spi/eeprom.h>
+ #include <linux/property.h>
+-#include <linux/of.h>
+-#include <linux/of_device.h>
+ #include <linux/math.h>
+ /*
+@@ -380,13 +378,14 @@ static int at25_probe(struct spi_device *spi)
+       int                     sr;
+       u8 id[FM25_ID_LEN];
+       u8 sernum[FM25_SN_LEN];
++      bool is_fram;
+       int i;
+-      const struct of_device_id *match;
+-      bool is_fram = 0;
+-      match = of_match_device(of_match_ptr(at25_of_match), &spi->dev);
+-      if (match && !strcmp(match->compatible, "cypress,fm25"))
+-              is_fram = 1;
++      err = device_property_match_string(&spi->dev, "compatible", "cypress,fm25");
++      if (err >= 0)
++              is_fram = true;
++      else
++              is_fram = false;
+       at25 = devm_kzalloc(&spi->dev, sizeof(struct at25_data), GFP_KERNEL);
+       if (!at25)
+-- 
+2.34.1
+
diff --git a/queue-5.16/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch b/queue-5.16/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch
new file mode 100644 (file)
index 0000000..bca37f1
--- /dev/null
@@ -0,0 +1,95 @@
+From 5fe9ad1a98c610041acb54ad69a5996f8ea8b342 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Dec 2021 12:55:22 +0000
+Subject: misc: lattice-ecp3-config: Fix task hung when firmware load failed
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit fcee5ce50bdb21116711e38635e3865594af907e ]
+
+When firmware load failed, kernel report task hung as follows:
+
+INFO: task xrun:5191 blocked for more than 147 seconds.
+      Tainted: G        W         5.16.0-rc5-next-20211220+ #11
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:xrun            state:D stack:    0 pid: 5191 ppid:   270 flags:0x00000004
+Call Trace:
+ __schedule+0xc12/0x4b50 kernel/sched/core.c:4986
+ schedule+0xd7/0x260 kernel/sched/core.c:6369 (discriminator 1)
+ schedule_timeout+0x7aa/0xa80 kernel/time/timer.c:1857
+ wait_for_completion+0x181/0x290 kernel/sched/completion.c:85
+ lattice_ecp3_remove+0x32/0x40 drivers/misc/lattice-ecp3-config.c:221
+ spi_remove+0x72/0xb0 drivers/spi/spi.c:409
+
+lattice_ecp3_remove() wait for signals from firmware loading, but when
+load failed, firmware_load() does not send this signal. This cause
+device remove hung. Fix it by sending signal even if load failed.
+
+Fixes: 781551df57c7 ("misc: Add Lattice ECP3 FPGA configuration via SPI")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20211228125522.3122284-1-weiyongjun1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lattice-ecp3-config.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c
+index 0f54730c7ed56..98828030b5a4d 100644
+--- a/drivers/misc/lattice-ecp3-config.c
++++ b/drivers/misc/lattice-ecp3-config.c
+@@ -76,12 +76,12 @@ static void firmware_load(const struct firmware *fw, void *context)
+       if (fw == NULL) {
+               dev_err(&spi->dev, "Cannot load firmware, aborting\n");
+-              return;
++              goto out;
+       }
+       if (fw->size == 0) {
+               dev_err(&spi->dev, "Error: Firmware size is 0!\n");
+-              return;
++              goto out;
+       }
+       /* Fill dummy data (24 stuffing bits for commands) */
+@@ -103,7 +103,7 @@ static void firmware_load(const struct firmware *fw, void *context)
+               dev_err(&spi->dev,
+                       "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n",
+                       jedec_id);
+-              return;
++              goto out;
+       }
+       dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name);
+@@ -116,7 +116,7 @@ static void firmware_load(const struct firmware *fw, void *context)
+       buffer = kzalloc(fw->size + 8, GFP_KERNEL);
+       if (!buffer) {
+               dev_err(&spi->dev, "Error: Can't allocate memory!\n");
+-              return;
++              goto out;
+       }
+       /*
+@@ -155,7 +155,7 @@ static void firmware_load(const struct firmware *fw, void *context)
+                       "Error: Timeout waiting for FPGA to clear (status=%08x)!\n",
+                       status);
+               kfree(buffer);
+-              return;
++              goto out;
+       }
+       dev_info(&spi->dev, "Configuring the FPGA...\n");
+@@ -181,7 +181,7 @@ static void firmware_load(const struct firmware *fw, void *context)
+       release_firmware(fw);
+       kfree(buffer);
+-
++out:
+       complete(&data->fw_loaded);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mlxsw-pci-add-shutdown-method-in-pci-driver.patch b/queue-5.16/mlxsw-pci-add-shutdown-method-in-pci-driver.patch
new file mode 100644 (file)
index 0000000..9d4022c
--- /dev/null
@@ -0,0 +1,96 @@
+From 3b43ed778922617ea14e3721f0379f3f0d1e3224 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 09:54:47 +0200
+Subject: mlxsw: pci: Add shutdown method in PCI driver
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit c1020d3cf4752f61a6a413f632ea2ce2370e150d ]
+
+On an arm64 platform with the Spectrum ASIC, after loading and executing
+a new kernel via kexec, the following trace [1] is observed. This seems
+to be caused by the fact that the device is not properly shutdown before
+executing the new kernel.
+
+Fix this by implementing a shutdown method which mirrors the remove
+method, as recommended by the kexec maintainer [2][3].
+
+[1]
+BUG: Bad page state in process devlink pfn:22f73d
+page:fffffe00089dcf40 refcount:-1 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x2ffff00000000000()
+raw: 2ffff00000000000 0000000000000000 ffffffff089d0201 0000000000000000
+raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000
+page dumped because: nonzero _refcount
+Modules linked in:
+CPU: 1 PID: 16346 Comm: devlink Tainted: G B 5.8.0-rc6-custom-273020-gac6b365b1bf5 #44
+Hardware name: Marvell Armada 7040 TX4810M (DT)
+Call trace:
+ dump_backtrace+0x0/0x1d0
+ show_stack+0x1c/0x28
+ dump_stack+0xbc/0x118
+ bad_page+0xcc/0xf8
+ check_free_page_bad+0x80/0x88
+ __free_pages_ok+0x3f8/0x418
+ __free_pages+0x38/0x60
+ kmem_freepages+0x200/0x2a8
+ slab_destroy+0x28/0x68
+ slabs_destroy+0x60/0x90
+ ___cache_free+0x1b4/0x358
+ kfree+0xc0/0x1d0
+ skb_free_head+0x2c/0x38
+ skb_release_data+0x110/0x1a0
+ skb_release_all+0x2c/0x38
+ consume_skb+0x38/0x130
+ __dev_kfree_skb_any+0x44/0x50
+ mlxsw_pci_rdq_fini+0x8c/0xb0
+ mlxsw_pci_queue_fini.isra.0+0x28/0x58
+ mlxsw_pci_queue_group_fini+0x58/0x88
+ mlxsw_pci_aqs_fini+0x2c/0x60
+ mlxsw_pci_fini+0x34/0x50
+ mlxsw_core_bus_device_unregister+0x104/0x1d0
+ mlxsw_devlink_core_bus_device_reload_down+0x2c/0x48
+ devlink_reload+0x44/0x158
+ devlink_nl_cmd_reload+0x270/0x290
+ genl_rcv_msg+0x188/0x2f0
+ netlink_rcv_skb+0x5c/0x118
+ genl_rcv+0x3c/0x50
+ netlink_unicast+0x1bc/0x278
+ netlink_sendmsg+0x194/0x390
+ __sys_sendto+0xe0/0x158
+ __arm64_sys_sendto+0x2c/0x38
+ el0_svc_common.constprop.0+0x70/0x168
+ do_el0_svc+0x28/0x88
+ el0_sync_handler+0x88/0x190
+ el0_sync+0x140/0x180
+
+[2]
+https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1195432.html
+
+[3]
+https://patchwork.kernel.org/project/linux-scsi/patch/20170212214920.28866-1-anton@ozlabs.org/#20116693
+
+Cc: Eric Biederman <ebiederm@xmission.com>
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+index a15c95a10bae4..cd3331a077bbf 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+@@ -1973,6 +1973,7 @@ int mlxsw_pci_driver_register(struct pci_driver *pci_driver)
+ {
+       pci_driver->probe = mlxsw_pci_probe;
+       pci_driver->remove = mlxsw_pci_remove;
++      pci_driver->shutdown = mlxsw_pci_remove;
+       return pci_register_driver(pci_driver);
+ }
+ EXPORT_SYMBOL(mlxsw_pci_driver_register);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mlxsw-pci-avoid-flow-control-for-emad-packets.patch b/queue-5.16/mlxsw-pci-avoid-flow-control-for-emad-packets.patch
new file mode 100644 (file)
index 0000000..e65483d
--- /dev/null
@@ -0,0 +1,95 @@
+From d6ffcf7002ea919fdf40e4d34499029f7182771c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 12:22:27 +0200
+Subject: mlxsw: pci: Avoid flow control for EMAD packets
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit d43e4271747ace01a27a49a97a397cb4219f6487 ]
+
+Locally generated packets ingress the device through its CPU port. When
+the CPU port is congested and there are not enough credits in its
+headroom buffer, packets can be dropped.
+
+While this might be acceptable for data packets that traverse the
+network, configuration packets exchanged between the host and the device
+(EMADs) should not be subjected to this flow control.
+
+The "sdq_lp" bit in the SDQ (Send Descriptor Queue) context allows the
+host to instruct the device to treat packets sent on this queue as
+"local processing" and always process them, regardless of the state of
+the CPU port's headroom.
+
+Add the definition of this bit and set it for the dedicated SDQ reserved
+for the transmission of EMAD packets. This makes the "local processing"
+bit in the WQE (Work Queue Element) redundant, so clear it.
+
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/cmd.h | 12 ++++++++++++
+ drivers/net/ethernet/mellanox/mlxsw/pci.c |  6 +++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/cmd.h b/drivers/net/ethernet/mellanox/mlxsw/cmd.h
+index 392ce3cb27f72..51b260d54237e 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/cmd.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/cmd.h
+@@ -935,6 +935,18 @@ static inline int mlxsw_cmd_sw2hw_rdq(struct mlxsw_core *mlxsw_core,
+  */
+ MLXSW_ITEM32(cmd_mbox, sw2hw_dq, cq, 0x00, 24, 8);
++enum mlxsw_cmd_mbox_sw2hw_dq_sdq_lp {
++      MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_WQE,
++      MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_IGNORE_WQE,
++};
++
++/* cmd_mbox_sw2hw_dq_sdq_lp
++ * SDQ local Processing
++ * 0: local processing by wqe.lp
++ * 1: local processing (ignoring wqe.lp)
++ */
++MLXSW_ITEM32(cmd_mbox, sw2hw_dq, sdq_lp, 0x00, 23, 1);
++
+ /* cmd_mbox_sw2hw_dq_sdq_tclass
+  * SDQ: CPU Egress TClass
+  * RDQ: Reserved
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+index cd3331a077bbf..f91dde4df152b 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+@@ -285,6 +285,7 @@ static int mlxsw_pci_sdq_init(struct mlxsw_pci *mlxsw_pci, char *mbox,
+                             struct mlxsw_pci_queue *q)
+ {
+       int tclass;
++      int lp;
+       int i;
+       int err;
+@@ -292,9 +293,12 @@ static int mlxsw_pci_sdq_init(struct mlxsw_pci *mlxsw_pci, char *mbox,
+       q->consumer_counter = 0;
+       tclass = q->num == MLXSW_PCI_SDQ_EMAD_INDEX ? MLXSW_PCI_SDQ_EMAD_TC :
+                                                     MLXSW_PCI_SDQ_CTL_TC;
++      lp = q->num == MLXSW_PCI_SDQ_EMAD_INDEX ? MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_IGNORE_WQE :
++                                                MLXSW_CMD_MBOX_SW2HW_DQ_SDQ_LP_WQE;
+       /* Set CQ of same number of this SDQ. */
+       mlxsw_cmd_mbox_sw2hw_dq_cq_set(mbox, q->num);
++      mlxsw_cmd_mbox_sw2hw_dq_sdq_lp_set(mbox, lp);
+       mlxsw_cmd_mbox_sw2hw_dq_sdq_tclass_set(mbox, tclass);
+       mlxsw_cmd_mbox_sw2hw_dq_log2_dq_sz_set(mbox, 3); /* 8 pages */
+       for (i = 0; i < MLXSW_PCI_AQ_PAGES; i++) {
+@@ -1678,7 +1682,7 @@ static int mlxsw_pci_skb_transmit(void *bus_priv, struct sk_buff *skb,
+       wqe = elem_info->elem;
+       mlxsw_pci_wqe_c_set(wqe, 1); /* always report completion */
+-      mlxsw_pci_wqe_lp_set(wqe, !!tx_info->is_emad);
++      mlxsw_pci_wqe_lp_set(wqe, 0);
+       mlxsw_pci_wqe_type_set(wqe, MLXSW_PCI_WQE_TYPE_ETHERNET);
+       err = mlxsw_pci_wqe_frag_map(mlxsw_pci, wqe, 0, skb->data,
+-- 
+2.34.1
+
diff --git a/queue-5.16/mm-defer-kmemleak-object-creation-of-module_alloc.patch b/queue-5.16/mm-defer-kmemleak-object-creation-of-module_alloc.patch
new file mode 100644 (file)
index 0000000..28d1a72
--- /dev/null
@@ -0,0 +1,227 @@
+From 8ef1210ac368d0c44cbeac0ffcb8611f05794c7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:04:11 -0800
+Subject: mm: defer kmemleak object creation of module_alloc()
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+[ Upstream commit 60115fa54ad7b913b7cb5844e6b7ffeb842d55f2 ]
+
+Yongqiang reports a kmemleak panic when module insmod/rmmod with KASAN
+enabled(without KASAN_VMALLOC) on x86[1].
+
+When the module area allocates memory, it's kmemleak_object is created
+successfully, but the KASAN shadow memory of module allocation is not
+ready, so when kmemleak scan the module's pointer, it will panic due to
+no shadow memory with KASAN check.
+
+  module_alloc
+    __vmalloc_node_range
+      kmemleak_vmalloc
+                               kmemleak_scan
+                                 update_checksum
+    kasan_module_alloc
+      kmemleak_ignore
+
+Note, there is no problem if KASAN_VMALLOC enabled, the modules area
+entire shadow memory is preallocated.  Thus, the bug only exits on ARCH
+which supports dynamic allocation of module area per module load, for
+now, only x86/arm64/s390 are involved.
+
+Add a VM_DEFER_KMEMLEAK flags, defer vmalloc'ed object register of
+kmemleak in module_alloc() to fix this issue.
+
+[1] https://lore.kernel.org/all/6d41e2b9-4692-5ec4-b1cd-cbe29ae89739@huawei.com/
+
+[wangkefeng.wang@huawei.com: fix build]
+  Link: https://lkml.kernel.org/r/20211125080307.27225-1-wangkefeng.wang@huawei.com
+[akpm@linux-foundation.org: simplify ifdefs, per Andrey]
+  Link: https://lkml.kernel.org/r/CA+fCnZcnwJHUQq34VuRxpdoY6_XbJCDJ-jopksS5Eia4PijPzw@mail.gmail.com
+
+Link: https://lkml.kernel.org/r/20211124142034.192078-1-wangkefeng.wang@huawei.com
+Fixes: 793213a82de4 ("s390/kasan: dynamic shadow mem allocation for modules")
+Fixes: 39d114ddc682 ("arm64: add KASAN support")
+Fixes: bebf56a1b176 ("kasan: enable instrumentation of global variables")
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: Yongqiang Liu <liuyongqiang13@huawei.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/module.c | 4 ++--
+ arch/s390/kernel/module.c  | 5 +++--
+ arch/x86/kernel/module.c   | 7 ++++---
+ include/linux/kasan.h      | 4 ++--
+ include/linux/vmalloc.h    | 7 +++++++
+ mm/kasan/shadow.c          | 9 +++++++--
+ mm/vmalloc.c               | 3 ++-
+ 7 files changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm64/kernel/module.c b/arch/arm64/kernel/module.c
+index b5ec010c481f3..309a27553c875 100644
+--- a/arch/arm64/kernel/module.c
++++ b/arch/arm64/kernel/module.c
+@@ -36,7 +36,7 @@ void *module_alloc(unsigned long size)
+               module_alloc_end = MODULES_END;
+       p = __vmalloc_node_range(size, MODULE_ALIGN, module_alloc_base,
+-                              module_alloc_end, gfp_mask, PAGE_KERNEL, 0,
++                              module_alloc_end, gfp_mask, PAGE_KERNEL, VM_DEFER_KMEMLEAK,
+                               NUMA_NO_NODE, __builtin_return_address(0));
+       if (!p && IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) &&
+@@ -58,7 +58,7 @@ void *module_alloc(unsigned long size)
+                               PAGE_KERNEL, 0, NUMA_NO_NODE,
+                               __builtin_return_address(0));
+-      if (p && (kasan_module_alloc(p, size) < 0)) {
++      if (p && (kasan_module_alloc(p, size, gfp_mask) < 0)) {
+               vfree(p);
+               return NULL;
+       }
+diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
+index b01ba460b7cad..d52d85367bf73 100644
+--- a/arch/s390/kernel/module.c
++++ b/arch/s390/kernel/module.c
+@@ -37,14 +37,15 @@
+ void *module_alloc(unsigned long size)
+ {
++      gfp_t gfp_mask = GFP_KERNEL;
+       void *p;
+       if (PAGE_ALIGN(size) > MODULES_LEN)
+               return NULL;
+       p = __vmalloc_node_range(size, MODULE_ALIGN, MODULES_VADDR, MODULES_END,
+-                               GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
++                               gfp_mask, PAGE_KERNEL_EXEC, VM_DEFER_KMEMLEAK, NUMA_NO_NODE,
+                                __builtin_return_address(0));
+-      if (p && (kasan_module_alloc(p, size) < 0)) {
++      if (p && (kasan_module_alloc(p, size, gfp_mask) < 0)) {
+               vfree(p);
+               return NULL;
+       }
+diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
+index 169fb6f4cd2ee..95fa745e310a5 100644
+--- a/arch/x86/kernel/module.c
++++ b/arch/x86/kernel/module.c
+@@ -67,6 +67,7 @@ static unsigned long int get_module_load_offset(void)
+ void *module_alloc(unsigned long size)
+ {
++      gfp_t gfp_mask = GFP_KERNEL;
+       void *p;
+       if (PAGE_ALIGN(size) > MODULES_LEN)
+@@ -74,10 +75,10 @@ void *module_alloc(unsigned long size)
+       p = __vmalloc_node_range(size, MODULE_ALIGN,
+                                   MODULES_VADDR + get_module_load_offset(),
+-                                  MODULES_END, GFP_KERNEL,
+-                                  PAGE_KERNEL, 0, NUMA_NO_NODE,
++                                  MODULES_END, gfp_mask,
++                                  PAGE_KERNEL, VM_DEFER_KMEMLEAK, NUMA_NO_NODE,
+                                   __builtin_return_address(0));
+-      if (p && (kasan_module_alloc(p, size) < 0)) {
++      if (p && (kasan_module_alloc(p, size, gfp_mask) < 0)) {
+               vfree(p);
+               return NULL;
+       }
+diff --git a/include/linux/kasan.h b/include/linux/kasan.h
+index d8783b6826695..89c99e5e67de5 100644
+--- a/include/linux/kasan.h
++++ b/include/linux/kasan.h
+@@ -474,12 +474,12 @@ static inline void kasan_populate_early_vm_area_shadow(void *start,
+  * allocations with real shadow memory. With KASAN vmalloc, the special
+  * case is unnecessary, as the work is handled in the generic case.
+  */
+-int kasan_module_alloc(void *addr, size_t size);
++int kasan_module_alloc(void *addr, size_t size, gfp_t gfp_mask);
+ void kasan_free_shadow(const struct vm_struct *vm);
+ #else /* (CONFIG_KASAN_GENERIC || CONFIG_KASAN_SW_TAGS) && !CONFIG_KASAN_VMALLOC */
+-static inline int kasan_module_alloc(void *addr, size_t size) { return 0; }
++static inline int kasan_module_alloc(void *addr, size_t size, gfp_t gfp_mask) { return 0; }
+ static inline void kasan_free_shadow(const struct vm_struct *vm) {}
+ #endif /* (CONFIG_KASAN_GENERIC || CONFIG_KASAN_SW_TAGS) && !CONFIG_KASAN_VMALLOC */
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 6e022cc712e61..880227b9f0440 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -28,6 +28,13 @@ struct notifier_block;              /* in notifier.h */
+ #define VM_MAP_PUT_PAGES      0x00000200      /* put pages and free array in vfree */
+ #define VM_NO_HUGE_VMAP               0x00000400      /* force PAGE_SIZE pte mapping */
++#if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
++      !defined(CONFIG_KASAN_VMALLOC)
++#define VM_DEFER_KMEMLEAK     0x00000800      /* defer kmemleak object creation */
++#else
++#define VM_DEFER_KMEMLEAK     0
++#endif
++
+ /*
+  * VM_KASAN is used slightly differently depending on CONFIG_KASAN_VMALLOC.
+  *
+diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c
+index 4a4929b29a237..94136f84b4497 100644
+--- a/mm/kasan/shadow.c
++++ b/mm/kasan/shadow.c
+@@ -498,7 +498,7 @@ void kasan_release_vmalloc(unsigned long start, unsigned long end,
+ #else /* CONFIG_KASAN_VMALLOC */
+-int kasan_module_alloc(void *addr, size_t size)
++int kasan_module_alloc(void *addr, size_t size, gfp_t gfp_mask)
+ {
+       void *ret;
+       size_t scaled_size;
+@@ -520,9 +520,14 @@ int kasan_module_alloc(void *addr, size_t size)
+                       __builtin_return_address(0));
+       if (ret) {
++              struct vm_struct *vm = find_vm_area(addr);
+               __memset(ret, KASAN_SHADOW_INIT, shadow_size);
+-              find_vm_area(addr)->flags |= VM_KASAN;
++              vm->flags |= VM_KASAN;
+               kmemleak_ignore(ret);
++
++              if (vm->flags & VM_DEFER_KMEMLEAK)
++                      kmemleak_vmalloc(vm, size, gfp_mask);
++
+               return 0;
+       }
+diff --git a/mm/vmalloc.c b/mm/vmalloc.c
+index d2a00ad4e1dd1..bf3c2fe8f5285 100644
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -3074,7 +3074,8 @@ again:
+       clear_vm_uninitialized_flag(area);
+       size = PAGE_ALIGN(size);
+-      kmemleak_vmalloc(area, size, gfp_mask);
++      if (!(vm_flags & VM_DEFER_KMEMLEAK))
++              kmemleak_vmalloc(area, size, gfp_mask);
+       return addr;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mm-page_isolation-unset-migratetype-directly-for-non.patch b/queue-5.16/mm-page_isolation-unset-migratetype-directly-for-non.patch
new file mode 100644 (file)
index 0000000..da1c69a
--- /dev/null
@@ -0,0 +1,54 @@
+From 0401eece5ddbbcc2e84c3970a633e0c66ac0436f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:08:10 -0800
+Subject: mm/page_isolation: unset migratetype directly for non Buddy page
+
+From: Chen Wandun <chenwandun@huawei.com>
+
+[ Upstream commit 721fb891ad0b3956d5c168b2931e3e5e4fb7ca40 ]
+
+In unset_migratetype_isolate(), we can bypass the call to
+move_freepages_block() for non-buddy pages.
+
+It will save a few cpu cycles for some situations such as cma and
+hugetlb when allocating continue pages, in these situation function
+alloc_contig_pages will be called.
+
+alloc_contig_pages
+       __alloc_contig_migrate_range
+       isolate_freepages_range ==> pages has been remove from buddy
+       undo_isolate_page_range
+               unset_migratetype_isolate ==> can directly set migratetype
+
+[osalvador@suse.de: changelog tweak]
+
+Link: https://lkml.kernel.org/r/20211229033649.2760586-1-chenwandun@huawei.com
+Fixes: 3c605096d315 ("mm/page_alloc: restrict max order of merging on isolated pageblock")
+Signed-off-by: Chen Wandun <chenwandun@huawei.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Wang Kefeng <wangkefeng.wang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_isolation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/page_isolation.c b/mm/page_isolation.c
+index f67c4c70f17f6..6a0ddda6b3c53 100644
+--- a/mm/page_isolation.c
++++ b/mm/page_isolation.c
+@@ -115,7 +115,7 @@ static void unset_migratetype_isolate(struct page *page, unsigned migratetype)
+        * onlining - just onlined memory won't immediately be considered for
+        * allocation.
+        */
+-      if (!isolated_page) {
++      if (!isolated_page && PageBuddy(page)) {
+               nr_pages = move_freepages_block(zone, page, migratetype, NULL);
+               __mod_zone_freepage_state(zone, nr_pages, migratetype);
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch b/queue-5.16/mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch
new file mode 100644 (file)
index 0000000..4baf44a
--- /dev/null
@@ -0,0 +1,57 @@
+From 266dd668ab84b67f2457596b654a5a18347c7646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 18:17:09 +0100
+Subject: mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 8c3e5b74b9e2146f564905e50ca716591c76d4f1 ]
+
+The mmc core takes a specific path to support initializing of a
+non-standard SDIO card. This is triggered by looking for the card-quirk,
+MMC_QUIRK_NONSTD_SDIO.
+
+In mmc_sdio_init_card() this gets rather messy, as it causes the code to
+bail out earlier, compared to the usual path. This leads to that the OCR
+doesn't get saved properly in card->ocr. Fortunately, only omap_hsmmc has
+been using the MMC_QUIRK_NONSTD_SDIO and is dealing with the issue, by
+assigning a hardcoded value (0x80) to card->ocr from an ->init_card() ops.
+
+To make the behaviour consistent, let's instead rely on the core to save
+the OCR in card->ocr during initialization.
+
+Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Link: https://lore.kernel.org/r/e7936cff7fc24d187ef2680d3b4edb0ade58f293.1636564631.git.hns@goldelico.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c
+index 68edf7a615be5..5447c47157aa5 100644
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -708,6 +708,8 @@ try_again:
+       if (host->ops->init_card)
+               host->ops->init_card(host, card);
++      card->ocr = ocr_card;
++
+       /*
+        * If the host and card support UHS-I mode request the card
+        * to switch to 1.8V signaling level.  No 1.8v signalling if
+@@ -820,7 +822,7 @@ try_again:
+                       goto mismatch;
+               }
+       }
+-      card->ocr = ocr_card;
++
+       mmc_fixup_device(card, sdio_fixup_methods);
+       if (card->type == MMC_TYPE_SD_COMBO) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-meson-mx-sdhc-add-irq-check.patch b/queue-5.16/mmc-meson-mx-sdhc-add-irq-check.patch
new file mode 100644 (file)
index 0000000..689b343
--- /dev/null
@@ -0,0 +1,44 @@
+From 203e735c99a886f52452b9244745fbfe455b5106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 23:27:16 +0300
+Subject: mmc: meson-mx-sdhc: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 77bed755e0f06135faccdd3948863703f9a6e640 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_threaded_irq()
+(which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_threaded_irq() with the
+invalid IRQ #s.
+
+Fixes: e4bf1b0970ef ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20211217202717.10041-2-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/meson-mx-sdhc-mmc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/mmc/host/meson-mx-sdhc-mmc.c b/drivers/mmc/host/meson-mx-sdhc-mmc.c
+index 8fdd0bbbfa21f..28aa78aa08f3f 100644
+--- a/drivers/mmc/host/meson-mx-sdhc-mmc.c
++++ b/drivers/mmc/host/meson-mx-sdhc-mmc.c
+@@ -854,6 +854,11 @@ static int meson_mx_sdhc_probe(struct platform_device *pdev)
+               goto err_disable_pclk;
+       irq = platform_get_irq(pdev, 0);
++      if (irq < 0) {
++              ret = irq;
++              goto err_disable_pclk;
++      }
++
+       ret = devm_request_threaded_irq(dev, irq, meson_mx_sdhc_irq,
+                                       meson_mx_sdhc_irq_thread, IRQF_ONESHOT,
+                                       NULL, host);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-meson-mx-sdio-add-irq-check.patch b/queue-5.16/mmc-meson-mx-sdio-add-irq-check.patch
new file mode 100644 (file)
index 0000000..1c6cde9
--- /dev/null
@@ -0,0 +1,44 @@
+From f92329a699171397182df3a8a631e3ffa3fb4c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 23:27:17 +0300
+Subject: mmc: meson-mx-sdio: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 8fc9a77bc64e1f23d07953439817d8402ac9706f ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_threaded_irq()
+(which takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_threaded_irq() with the
+invalid IRQ #s.
+
+Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoC")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20211217202717.10041-3-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/meson-mx-sdio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/mmc/host/meson-mx-sdio.c b/drivers/mmc/host/meson-mx-sdio.c
+index d4a48916bfb67..3a19a05ef55a7 100644
+--- a/drivers/mmc/host/meson-mx-sdio.c
++++ b/drivers/mmc/host/meson-mx-sdio.c
+@@ -662,6 +662,11 @@ static int meson_mx_mmc_probe(struct platform_device *pdev)
+       }
+       irq = platform_get_irq(pdev, 0);
++      if (irq < 0) {
++              ret = irq;
++              goto error_free_mmc;
++      }
++
+       ret = devm_request_threaded_irq(host->controller_dev, irq,
+                                       meson_mx_mmc_irq,
+                                       meson_mx_mmc_irq_thread, IRQF_ONESHOT,
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-mtk-sd-use-readl_poll_timeout-instead-of-open-co.patch b/queue-5.16/mmc-mtk-sd-use-readl_poll_timeout-instead-of-open-co.patch
new file mode 100644 (file)
index 0000000..6894480
--- /dev/null
@@ -0,0 +1,177 @@
+From 172f560c24a5a52e1c2f81210ea2849be654b391 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 13:57:44 +0100
+Subject: mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit ffaea6ebfe9ce06ebb3a54811a47688f2b0893cd ]
+
+Replace all instances of open-coded while loops for polling registers
+with calls to readl_poll_timeout() and, while at it, also fix some
+possible infinite loop instances.
+
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20211216125748.179602-1-angelogioacchino.delregno@collabora.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mtk-sd.c | 64 ++++++++++++++++++++++++---------------
+ 1 file changed, 39 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index 632775217d35c..d5a9c269d4926 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -636,12 +636,11 @@ static void msdc_reset_hw(struct msdc_host *host)
+       u32 val;
+       sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_RST);
+-      while (readl(host->base + MSDC_CFG) & MSDC_CFG_RST)
+-              cpu_relax();
++      readl_poll_timeout(host->base + MSDC_CFG, val, !(val & MSDC_CFG_RST), 0, 0);
+       sdr_set_bits(host->base + MSDC_FIFOCS, MSDC_FIFOCS_CLR);
+-      while (readl(host->base + MSDC_FIFOCS) & MSDC_FIFOCS_CLR)
+-              cpu_relax();
++      readl_poll_timeout(host->base + MSDC_FIFOCS, val,
++                         !(val & MSDC_FIFOCS_CLR), 0, 0);
+       val = readl(host->base + MSDC_INT);
+       writel(val, host->base + MSDC_INT);
+@@ -814,8 +813,9 @@ static void msdc_gate_clock(struct msdc_host *host)
+       clk_disable_unprepare(host->h_clk);
+ }
+-static void msdc_ungate_clock(struct msdc_host *host)
++static int msdc_ungate_clock(struct msdc_host *host)
+ {
++      u32 val;
+       int ret;
+       clk_prepare_enable(host->h_clk);
+@@ -825,11 +825,11 @@ static void msdc_ungate_clock(struct msdc_host *host)
+       ret = clk_bulk_prepare_enable(MSDC_NR_CLOCKS, host->bulk_clks);
+       if (ret) {
+               dev_err(host->dev, "Cannot enable pclk/axi/ahb clock gates\n");
+-              return;
++              return ret;
+       }
+-      while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
+-              cpu_relax();
++      return readl_poll_timeout(host->base + MSDC_CFG, val,
++                                (val & MSDC_CFG_CKSTB), 1, 20000);
+ }
+ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+@@ -840,6 +840,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+       u32 div;
+       u32 sclk;
+       u32 tune_reg = host->dev_comp->pad_tune_reg;
++      u32 val;
+       if (!hz) {
+               dev_dbg(host->dev, "set mclk to 0\n");
+@@ -920,8 +921,7 @@ static void msdc_set_mclk(struct msdc_host *host, unsigned char timing, u32 hz)
+       else
+               clk_prepare_enable(clk_get_parent(host->src_clk));
+-      while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
+-              cpu_relax();
++      readl_poll_timeout(host->base + MSDC_CFG, val, (val & MSDC_CFG_CKSTB), 0, 0);
+       sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
+       mmc->actual_clock = sclk;
+       host->mclk = hz;
+@@ -1231,13 +1231,13 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
+ static inline bool msdc_cmd_is_ready(struct msdc_host *host,
+               struct mmc_request *mrq, struct mmc_command *cmd)
+ {
+-      /* The max busy time we can endure is 20ms */
+-      unsigned long tmo = jiffies + msecs_to_jiffies(20);
++      u32 val;
++      int ret;
+-      while ((readl(host->base + SDC_STS) & SDC_STS_CMDBUSY) &&
+-                      time_before(jiffies, tmo))
+-              cpu_relax();
+-      if (readl(host->base + SDC_STS) & SDC_STS_CMDBUSY) {
++      /* The max busy time we can endure is 20ms */
++      ret = readl_poll_timeout_atomic(host->base + SDC_STS, val,
++                                      !(val & SDC_STS_CMDBUSY), 1, 20000);
++      if (ret) {
+               dev_err(host->dev, "CMD bus busy detected\n");
+               host->error |= REQ_CMD_BUSY;
+               msdc_cmd_done(host, MSDC_INT_CMDTMO, mrq, cmd);
+@@ -1245,12 +1245,10 @@ static inline bool msdc_cmd_is_ready(struct msdc_host *host,
+       }
+       if (mmc_resp_type(cmd) == MMC_RSP_R1B || cmd->data) {
+-              tmo = jiffies + msecs_to_jiffies(20);
+               /* R1B or with data, should check SDCBUSY */
+-              while ((readl(host->base + SDC_STS) & SDC_STS_SDCBUSY) &&
+-                              time_before(jiffies, tmo))
+-                      cpu_relax();
+-              if (readl(host->base + SDC_STS) & SDC_STS_SDCBUSY) {
++              ret = readl_poll_timeout_atomic(host->base + SDC_STS, val,
++                                              !(val & SDC_STS_SDCBUSY), 1, 20000);
++              if (ret) {
+                       dev_err(host->dev, "Controller busy detected\n");
+                       host->error |= REQ_CMD_BUSY;
+                       msdc_cmd_done(host, MSDC_INT_CMDTMO, mrq, cmd);
+@@ -1376,6 +1374,8 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
+           (MSDC_INT_XFER_COMPL | MSDC_INT_DATCRCERR | MSDC_INT_DATTMO
+            | MSDC_INT_DMA_BDCSERR | MSDC_INT_DMA_GPDCSERR
+            | MSDC_INT_DMA_PROTECT);
++      u32 val;
++      int ret;
+       spin_lock_irqsave(&host->lock, flags);
+       done = !host->data;
+@@ -1392,8 +1392,14 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
+                               readl(host->base + MSDC_DMA_CFG));
+               sdr_set_field(host->base + MSDC_DMA_CTRL, MSDC_DMA_CTRL_STOP,
+                               1);
+-              while (readl(host->base + MSDC_DMA_CFG) & MSDC_DMA_CFG_STS)
+-                      cpu_relax();
++
++              ret = readl_poll_timeout_atomic(host->base + MSDC_DMA_CFG, val,
++                                              !(val & MSDC_DMA_CFG_STS), 1, 20000);
++              if (ret) {
++                      dev_dbg(host->dev, "DMA stop timed out\n");
++                      return false;
++              }
++
+               sdr_clr_bits(host->base + MSDC_INTEN, data_ints_mask);
+               dev_dbg(host->dev, "DMA stop\n");
+@@ -2674,7 +2680,11 @@ static int msdc_drv_probe(struct platform_device *pdev)
+       spin_lock_init(&host->lock);
+       platform_set_drvdata(pdev, mmc);
+-      msdc_ungate_clock(host);
++      ret = msdc_ungate_clock(host);
++      if (ret) {
++              dev_err(&pdev->dev, "Cannot ungate clocks!\n");
++              goto release_mem;
++      }
+       msdc_init_hw(host);
+       if (mmc->caps2 & MMC_CAP2_CQE) {
+@@ -2833,8 +2843,12 @@ static int __maybe_unused msdc_runtime_resume(struct device *dev)
+ {
+       struct mmc_host *mmc = dev_get_drvdata(dev);
+       struct msdc_host *host = mmc_priv(mmc);
++      int ret;
++
++      ret = msdc_ungate_clock(host);
++      if (ret)
++              return ret;
+-      msdc_ungate_clock(host);
+       msdc_restore_reg(host);
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-omap_hsmmc-revert-special-init-for-wl1251.patch b/queue-5.16/mmc-omap_hsmmc-revert-special-init-for-wl1251.patch
new file mode 100644 (file)
index 0000000..0b379b1
--- /dev/null
@@ -0,0 +1,80 @@
+From e197c453f631e4fce6f91bc50b3be462d8857f57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 18:17:11 +0100
+Subject: mmc: omap_hsmmc: Revert special init for wl1251
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+[ Upstream commit dfb654f1885f05baf506cdfdbc3f7efa1d847d54 ]
+
+Due to recent changes to the mmc core, card quirks can be applied based
+upon a compatible string in child OF node. The quirk needed for wl1251
+(SDIO card) is managed in the core, therefore there is no longer any reason
+to deal with this in omap_hsmmc too, so let's remove it.
+
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Link: https://lore.kernel.org/r/77d313b97d1e18b0eb7ed2d88d718d960f329bb0.1636564631.git.hns@goldelico.com
+[Ulf: Re-wrote the commit message to make it more clear]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/omap_hsmmc.c | 36 -----------------------------------
+ 1 file changed, 36 deletions(-)
+
+diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
+index 9dafcbf969d96..fca30add563e9 100644
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1499,41 +1499,6 @@ static void omap_hsmmc_set_ios(struct mmc_host *mmc, struct mmc_ios *ios)
+       omap_hsmmc_set_bus_mode(host);
+ }
+-static void omap_hsmmc_init_card(struct mmc_host *mmc, struct mmc_card *card)
+-{
+-      struct omap_hsmmc_host *host = mmc_priv(mmc);
+-
+-      if (card->type == MMC_TYPE_SDIO || card->type == MMC_TYPE_SD_COMBO) {
+-              struct device_node *np = mmc_dev(mmc)->of_node;
+-
+-              /*
+-               * REVISIT: should be moved to sdio core and made more
+-               * general e.g. by expanding the DT bindings of child nodes
+-               * to provide a mechanism to provide this information:
+-               * Documentation/devicetree/bindings/mmc/mmc-card.yaml
+-               */
+-
+-              np = of_get_compatible_child(np, "ti,wl1251");
+-              if (np) {
+-                      /*
+-                       * We have TI wl1251 attached to MMC3. Pass this
+-                       * information to the SDIO core because it can't be
+-                       * probed by normal methods.
+-                       */
+-
+-                      dev_info(host->dev, "found wl1251\n");
+-                      card->quirks |= MMC_QUIRK_NONSTD_SDIO;
+-                      card->cccr.wide_bus = 1;
+-                      card->cis.vendor = 0x104c;
+-                      card->cis.device = 0x9066;
+-                      card->cis.blksize = 512;
+-                      card->cis.max_dtr = 24000000;
+-                      card->ocr = 0x80;
+-                      of_node_put(np);
+-              }
+-      }
+-}
+-
+ static void omap_hsmmc_enable_sdio_irq(struct mmc_host *mmc, int enable)
+ {
+       struct omap_hsmmc_host *host = mmc_priv(mmc);
+@@ -1660,7 +1625,6 @@ static struct mmc_host_ops omap_hsmmc_ops = {
+       .set_ios = omap_hsmmc_set_ios,
+       .get_cd = mmc_gpio_get_cd,
+       .get_ro = mmc_gpio_get_ro,
+-      .init_card = omap_hsmmc_init_card,
+       .enable_sdio_irq = omap_hsmmc_enable_sdio_irq,
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-sdhci-pci-gli-gl9755-support-for-cd-wp-inversion.patch b/queue-5.16/mmc-sdhci-pci-gli-gl9755-support-for-cd-wp-inversion.patch
new file mode 100644 (file)
index 0000000..b794099
--- /dev/null
@@ -0,0 +1,64 @@
+From ccbe263385f39d2689065291ae63af93afbb03e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 01:10:44 +0900
+Subject: mmc: sdhci-pci-gli: GL9755: Support for CD/WP inversion on OF
+ platforms
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 189f1d9bc3a5ea3e442e119e4a5deda63da8c462 ]
+
+This is required on some Apple ARM64 laptops using this controller.
+As is typical on DT platforms, pull these quirks from the device tree
+using the standard mmc bindings.
+
+See Documentation/devicetree/bindings/mmc/mmc-controller.yaml
+
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20211215161045.38843-2-marcan@marcan.st
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-pci-gli.c b/drivers/mmc/host/sdhci-pci-gli.c
+index 4fd99c1e82ba3..ad50f16658fe2 100644
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -12,6 +12,7 @@
+ #include <linux/pci.h>
+ #include <linux/mmc/mmc.h>
+ #include <linux/delay.h>
++#include <linux/of.h>
+ #include "sdhci.h"
+ #include "sdhci-pci.h"
+ #include "cqhci.h"
+@@ -116,6 +117,8 @@
+ #define PCI_GLI_9755_PECONF   0x44
+ #define   PCI_GLI_9755_LFCLK    GENMASK(14, 12)
+ #define   PCI_GLI_9755_DMACLK   BIT(29)
++#define   PCI_GLI_9755_INVERT_CD  BIT(30)
++#define   PCI_GLI_9755_INVERT_WP  BIT(31)
+ #define PCI_GLI_9755_CFG2          0x48
+ #define   PCI_GLI_9755_CFG2_L1DLY    GENMASK(28, 24)
+@@ -570,6 +573,14 @@ static void gl9755_hw_setting(struct sdhci_pci_slot *slot)
+       gl9755_wt_on(pdev);
+       pci_read_config_dword(pdev, PCI_GLI_9755_PECONF, &value);
++      /*
++       * Apple ARM64 platforms using these chips may have
++       * inverted CD/WP detection.
++       */
++      if (of_property_read_bool(pdev->dev.of_node, "cd-inverted"))
++              value |= PCI_GLI_9755_INVERT_CD;
++      if (of_property_read_bool(pdev->dev.of_node, "wp-inverted"))
++              value |= PCI_GLI_9755_INVERT_WP;
+       value &= ~PCI_GLI_9755_LFCLK;
+       value &= ~PCI_GLI_9755_DMACLK;
+       pci_write_config_dword(pdev, PCI_GLI_9755_PECONF, value);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mmc-tmio-reinit-card-irqs-in-reset-routine.patch b/queue-5.16/mmc-tmio-reinit-card-irqs-in-reset-routine.patch
new file mode 100644 (file)
index 0000000..49ff906
--- /dev/null
@@ -0,0 +1,67 @@
+From 1a3398074f713a1eefa8b9020e3889e7c03d8f10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 13:26:46 +0100
+Subject: mmc: tmio: reinit card irqs in reset routine
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit e315b1f3a170f368da5618f8a598e68880302ed1 ]
+
+Refactor the code so that card detect irqs are always reenabled after a
+reset. This avoids doing it manually all over the code or forgetting to
+do this in the future.
+
+Reported-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+[wsa: added a comment when 'native_hotplug' has to be set]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20211103122646.64422-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/tmio_mmc_core.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/mmc/host/tmio_mmc_core.c b/drivers/mmc/host/tmio_mmc_core.c
+index e2affa52ef469..a5850d83908be 100644
+--- a/drivers/mmc/host/tmio_mmc_core.c
++++ b/drivers/mmc/host/tmio_mmc_core.c
+@@ -960,14 +960,8 @@ static void tmio_mmc_set_ios(struct mmc_host *mmc, struct mmc_ios *ios)
+       case MMC_POWER_OFF:
+               tmio_mmc_power_off(host);
+               /* For R-Car Gen2+, we need to reset SDHI specific SCC */
+-              if (host->pdata->flags & TMIO_MMC_MIN_RCAR2) {
+-                      host->reset(host);
+-
+-                      if (host->native_hotplug)
+-                              tmio_mmc_enable_mmc_irqs(host,
+-                                              TMIO_STAT_CARD_REMOVE |
+-                                              TMIO_STAT_CARD_INSERT);
+-              }
++              if (host->pdata->flags & TMIO_MMC_MIN_RCAR2)
++                      tmio_mmc_reset(host);
+               host->set_clock(host, 0);
+               break;
+@@ -1175,6 +1169,7 @@ int tmio_mmc_host_probe(struct tmio_mmc_host *_host)
+       if (mmc_can_gpio_cd(mmc))
+               _host->ops.get_cd = mmc_gpio_get_cd;
++      /* must be set before tmio_mmc_reset() */
+       _host->native_hotplug = !(mmc_can_gpio_cd(mmc) ||
+                                 mmc->caps & MMC_CAP_NEEDS_POLL ||
+                                 !mmc_card_is_removable(mmc));
+@@ -1295,10 +1290,6 @@ int tmio_mmc_host_runtime_resume(struct device *dev)
+       if (host->clk_cache)
+               host->set_clock(host, host->clk_cache);
+-      if (host->native_hotplug)
+-              tmio_mmc_enable_mmc_irqs(host,
+-                              TMIO_STAT_CARD_REMOVE | TMIO_STAT_CARD_INSERT);
+-
+       tmio_mmc_enable_dma(host, true);
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mptcp-check-reclaim-amount-before-reducing-allocatio.patch b/queue-5.16/mptcp-check-reclaim-amount-before-reducing-allocatio.patch
new file mode 100644 (file)
index 0000000..22773fd
--- /dev/null
@@ -0,0 +1,96 @@
+From 009a7ec21e39ba056ad35e6d7714863afb873dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 14:06:38 -0800
+Subject: mptcp: Check reclaim amount before reducing allocation
+
+From: Mat Martineau <mathew.j.martineau@linux.intel.com>
+
+[ Upstream commit 269bda9e7da48eafb599d01c96199caa2f7547e5 ]
+
+syzbot found a page counter underflow that was triggered by MPTCP's
+reclaim code:
+
+page_counter underflow: -4294964789 nr_pages=4294967295
+WARNING: CPU: 2 PID: 3785 at mm/page_counter.c:56 page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
+Modules linked in:
+CPU: 2 PID: 3785 Comm: kworker/2:6 Not tainted 5.16.0-rc1-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Workqueue: events mptcp_worker
+
+RIP: 0010:page_counter_cancel+0xcf/0xe0 mm/page_counter.c:56
+Code: c7 04 24 00 00 00 00 45 31 f6 eb 97 e8 2a 2b b5 ff 4c 89 ea 48 89 ee 48 c7 c7 00 9e b8 89 c6 05 a0 c1 ba 0b 01 e8 95 e4 4b 07 <0f> 0b eb a8 4c 89 e7 e8 25 5a fb ff eb c7 0f 1f 00 41 56 41 55 49
+RSP: 0018:ffffc90002d4f918 EFLAGS: 00010082
+
+RAX: 0000000000000000 RBX: ffff88806a494120 RCX: 0000000000000000
+RDX: ffff8880688c41c0 RSI: ffffffff815e8f28 RDI: fffff520005a9f15
+RBP: ffffffff000009cb R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815e2cfe R11: 0000000000000000 R12: ffff88806a494120
+R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000001
+FS:  0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2de21000 CR3: 000000005ad59000 CR4: 0000000000150ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ page_counter_uncharge+0x2e/0x60 mm/page_counter.c:160
+ drain_stock+0xc1/0x180 mm/memcontrol.c:2219
+ refill_stock+0x139/0x2f0 mm/memcontrol.c:2271
+ __sk_mem_reduce_allocated+0x24d/0x550 net/core/sock.c:2945
+ __mptcp_rmem_reclaim net/mptcp/protocol.c:167 [inline]
+ __mptcp_mem_reclaim_partial+0x124/0x410 net/mptcp/protocol.c:975
+ mptcp_mem_reclaim_partial net/mptcp/protocol.c:982 [inline]
+ mptcp_alloc_tx_skb net/mptcp/protocol.c:1212 [inline]
+ mptcp_sendmsg_frag+0x18c6/0x2190 net/mptcp/protocol.c:1279
+ __mptcp_push_pending+0x232/0x720 net/mptcp/protocol.c:1545
+ mptcp_release_cb+0xfe/0x200 net/mptcp/protocol.c:2975
+ release_sock+0xb4/0x1b0 net/core/sock.c:3306
+ mptcp_worker+0x51e/0xc10 net/mptcp/protocol.c:2443
+ process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
+ worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
+ kthread+0x405/0x4f0 kernel/kthread.c:327
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+ </TASK>
+
+__mptcp_mem_reclaim_partial() could call __mptcp_rmem_reclaim() with a
+negative value, which passed that negative value to
+__sk_mem_reduce_allocated() and triggered the splat above.
+
+Check for a reclaim amount that is positive and large enough for
+__mptcp_rmem_reclaim() to actually adjust rmem_fwd_alloc (much like
+the sk_mem_reclaim_partial() code the function is based on).
+
+v2: Use '>' instead of '>=', since SK_MEM_QUANTUM - 1 would get
+right-shifted into nothing by __mptcp_rmem_reclaim.
+
+Fixes: 6511882cdd82 ("mptcp: allocate fwd memory separately on the rx and tx path")
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/252
+Reported-and-tested-by: syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 54613f5b75217..0cd55e4c30fab 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -972,7 +972,9 @@ static void __mptcp_mem_reclaim_partial(struct sock *sk)
+       lockdep_assert_held_once(&sk->sk_lock.slock);
+-      __mptcp_rmem_reclaim(sk, reclaimable - 1);
++      if (reclaimable > SK_MEM_QUANTUM)
++              __mptcp_rmem_reclaim(sk, reclaimable - 1);
++
+       sk_mem_reclaim_partial(sk);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mptcp-fix-a-dss-option-writing-error.patch b/queue-5.16/mptcp-fix-a-dss-option-writing-error.patch
new file mode 100644 (file)
index 0000000..36ff583
--- /dev/null
@@ -0,0 +1,40 @@
+From c38aa05cc7e461712d8b5048640aab02e2b240ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 14:06:37 -0800
+Subject: mptcp: fix a DSS option writing error
+
+From: Geliang Tang <geliang.tang@suse.com>
+
+[ Upstream commit 110b6d1fe98fd7af9893992459b651594d789293 ]
+
+'ptr += 1;' was omitted in the original code.
+
+If the DSS is the last option -- which is what we have most of the
+time -- that's not an issue. But it is if we need to send something else
+after like a RM_ADDR or an MP_PRIO.
+
+Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Geliang Tang <geliang.tang@suse.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/options.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mptcp/options.c b/net/mptcp/options.c
+index 96c6efdd48bcc..6661b1d6520f1 100644
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -1319,6 +1319,7 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp,
+                               put_unaligned_be32(mpext->data_len << 16 |
+                                                  TCPOPT_NOP << 8 | TCPOPT_NOP, ptr);
+                       }
++                      ptr += 1;
+               }
+       } else if (OPTIONS_MPTCP_MPC & opts->suboptions) {
+               u8 len, flag = MPTCP_CAP_HMAC_SHA256;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mptcp-fix-opt-size-when-sending-dss-mp_fail.patch b/queue-5.16/mptcp-fix-opt-size-when-sending-dss-mp_fail.patch
new file mode 100644 (file)
index 0000000..cc6a882
--- /dev/null
@@ -0,0 +1,53 @@
+From d0798449028f45219a5a9f1fa7953e55af4a2d04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 14:06:36 -0800
+Subject: mptcp: fix opt size when sending DSS + MP_FAIL
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+[ Upstream commit 04fac2cae9422a3401c172571afbcfdd58fa5c7e ]
+
+When these two options had to be sent -- which is not common -- the DSS
+size was not being taken into account in the remaining size.
+
+Additionally in this situation, the reported size was only the one of
+the MP_FAIL which can cause issue if at the end, we need to write more
+in the TCP options than previously said.
+
+Here we use a dedicated variable for MP_FAIL size to keep the
+WARN_ON_ONCE() just after.
+
+Fixes: c25aeb4e0953 ("mptcp: MP_FAIL suboption sending")
+Acked-and-tested-by: Geliang Tang <geliang.tang@suse.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/options.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/options.c b/net/mptcp/options.c
+index fe98e4f475baa..96c6efdd48bcc 100644
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -821,10 +821,13 @@ bool mptcp_established_options(struct sock *sk, struct sk_buff *skb,
+       if (mptcp_established_options_mp(sk, skb, snd_data_fin, &opt_size, remaining, opts))
+               ret = true;
+       else if (mptcp_established_options_dss(sk, skb, snd_data_fin, &opt_size, remaining, opts)) {
++              unsigned int mp_fail_size;
++
+               ret = true;
+-              if (mptcp_established_options_mp_fail(sk, &opt_size, remaining, opts)) {
+-                      *size += opt_size;
+-                      remaining -= opt_size;
++              if (mptcp_established_options_mp_fail(sk, &mp_fail_size,
++                                                    remaining - opt_size, opts)) {
++                      *size += opt_size + mp_fail_size;
++                      remaining -= opt_size - mp_fail_size;
+                       return true;
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mptcp-fix-per-socket-endpoint-accounting.patch b/queue-5.16/mptcp-fix-per-socket-endpoint-accounting.patch
new file mode 100644 (file)
index 0000000..888619d
--- /dev/null
@@ -0,0 +1,71 @@
+From f82af09e197b84cbf34adcb9f0b4dac021173efd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 16:20:20 -0800
+Subject: mptcp: fix per socket endpoint accounting
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit f7d6a237d7422809d458d754016de2844017cb4d ]
+
+Since full-mesh endpoint support, the reception of a single ADD_ADDR
+option can cause multiple subflows creation. When such option is
+accepted we increment 'add_addr_accepted' by one. When we received
+a paired RM_ADDR option, we deleted all the relevant subflows,
+decrementing 'add_addr_accepted' by one for each of them.
+
+We have a similar issue for 'local_addr_used'
+
+Fix them moving the pm endpoint accounting outside the subflow
+traversal.
+
+Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_netlink.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
+index f523051f5aef3..65764c8171b37 100644
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -710,6 +710,8 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk,
+               return;
+       for (i = 0; i < rm_list->nr; i++) {
++              bool removed = false;
++
+               list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) {
+                       struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+                       int how = RCV_SHUTDOWN | SEND_SHUTDOWN;
+@@ -729,15 +731,19 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk,
+                       mptcp_close_ssk(sk, ssk, subflow);
+                       spin_lock_bh(&msk->pm.lock);
+-                      if (rm_type == MPTCP_MIB_RMADDR) {
+-                              msk->pm.add_addr_accepted--;
+-                              WRITE_ONCE(msk->pm.accept_addr, true);
+-                      } else if (rm_type == MPTCP_MIB_RMSUBFLOW) {
+-                              msk->pm.local_addr_used--;
+-                      }
++                      removed = true;
+                       msk->pm.subflows--;
+                       __MPTCP_INC_STATS(sock_net(sk), rm_type);
+               }
++              if (!removed)
++                      continue;
++
++              if (rm_type == MPTCP_MIB_RMADDR) {
++                      msk->pm.add_addr_accepted--;
++                      WRITE_ONCE(msk->pm.accept_addr, true);
++              } else if (rm_type == MPTCP_MIB_RMSUBFLOW) {
++                      msk->pm.local_addr_used--;
++              }
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-connac-align-mcu_ext-definitions-with-7915-driv.patch b/queue-5.16/mt76-connac-align-mcu_ext-definitions-with-7915-driv.patch
new file mode 100644 (file)
index 0000000..d84fa53
--- /dev/null
@@ -0,0 +1,158 @@
+From b38878970c5ac923f0191ffb10630f4590765189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 14:06:24 +0100
+Subject: mt76: connac: align MCU_EXT definitions with 7915 driver
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 9d8d136cf0b6d5578442f38ea9eefdf67cc84fc4 ]
+
+Align MCU_EXT and MCU_FW definitions between mt76_connac and mt7915
+driver. This is a preliminary patch to reuse mt76_connac in mt7915
+driver.
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7615/mcu.c   | 16 ++++++-------
+ .../wireless/mediatek/mt76/mt76_connac_mcu.h  | 24 +++++++++++++++++--
+ .../net/wireless/mediatek/mt76/mt7921/mcu.c   |  2 +-
+ 3 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+index 397a8bb67ffbf..2232afed72912 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -176,7 +176,7 @@ int mt7615_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+       if (cmd == MCU_CMD_PATCH_SEM_CONTROL) {
+               skb_pull(skb, sizeof(*rxd) - 4);
+               ret = *skb->data;
+-      } else if (cmd == MCU_EXT_CMD(GET_TEMP)) {
++      } else if (cmd == MCU_EXT_CMD(THERMAL_CTRL)) {
+               skb_pull(skb, sizeof(*rxd));
+               ret = le32_to_cpu(*(__le32 *)skb->data);
+       } else if (cmd == MCU_EXT_QUERY(RF_REG_ACCESS)) {
+@@ -2095,8 +2095,8 @@ int mt7615_mcu_set_fcc5_lpn(struct mt7615_dev *dev, int val)
+               .min_lpn = cpu_to_le16(val),
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_TH), &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RADAR_TH),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_set_pulse_th(struct mt7615_dev *dev,
+@@ -2124,8 +2124,8 @@ int mt7615_mcu_set_pulse_th(struct mt7615_dev *dev,
+ #undef  __req_field
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_TH), &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RADAR_TH),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_set_radar_th(struct mt7615_dev *dev, int index,
+@@ -2171,8 +2171,8 @@ int mt7615_mcu_set_radar_th(struct mt7615_dev *dev, int index,
+ #undef __req_field_u32
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_TH), &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RADAR_TH),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_rdd_send_pattern(struct mt7615_dev *dev)
+@@ -2372,7 +2372,7 @@ int mt7615_mcu_get_temperature(struct mt7615_dev *dev)
+               u8 rsv[3];
+       } req = {};
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(GET_TEMP),
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(THERMAL_CTRL),
+                                &req, sizeof(req), true);
+ }
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+index 1c7a99bc26261..9dbb6ae9f21da 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+@@ -516,17 +516,21 @@ enum {
+ enum {
+       MCU_EXT_CMD_EFUSE_ACCESS = 0x01,
+       MCU_EXT_CMD_RF_REG_ACCESS = 0x02,
++      MCU_EXT_CMD_RF_TEST = 0x04,
+       MCU_EXT_CMD_PM_STATE_CTRL = 0x07,
+       MCU_EXT_CMD_CHANNEL_SWITCH = 0x08,
+       MCU_EXT_CMD_SET_TX_POWER_CTRL = 0x11,
+       MCU_EXT_CMD_FW_LOG_2_HOST = 0x13,
++      MCU_EXT_CMD_TXBF_ACTION = 0x1e,
+       MCU_EXT_CMD_EFUSE_BUFFER_MODE = 0x21,
++      MCU_EXT_CMD_THERMAL_PROT = 0x23,
+       MCU_EXT_CMD_STA_REC_UPDATE = 0x25,
+       MCU_EXT_CMD_BSS_INFO_UPDATE = 0x26,
+       MCU_EXT_CMD_EDCA_UPDATE = 0x27,
+       MCU_EXT_CMD_DEV_INFO_UPDATE = 0x2A,
+-      MCU_EXT_CMD_GET_TEMP = 0x2c,
++      MCU_EXT_CMD_THERMAL_CTRL = 0x2c,
+       MCU_EXT_CMD_WTBL_UPDATE = 0x32,
++      MCU_EXT_CMD_SET_DRR_CTRL = 0x36,
+       MCU_EXT_CMD_SET_RDD_CTRL = 0x3a,
+       MCU_EXT_CMD_ATE_CTRL = 0x3d,
+       MCU_EXT_CMD_PROTECT_CTRL = 0x3e,
+@@ -535,13 +539,28 @@ enum {
+       MCU_EXT_CMD_RX_HDR_TRANS = 0x47,
+       MCU_EXT_CMD_MUAR_UPDATE = 0x48,
+       MCU_EXT_CMD_BCN_OFFLOAD = 0x49,
++      MCU_EXT_CMD_RX_AIRTIME_CTRL = 0x4a,
+       MCU_EXT_CMD_SET_RX_PATH = 0x4e,
++      MCU_EXT_CMD_EFUSE_FREE_BLOCK = 0x4f,
+       MCU_EXT_CMD_TX_POWER_FEATURE_CTRL = 0x58,
+       MCU_EXT_CMD_RXDCOC_CAL = 0x59,
++      MCU_EXT_CMD_GET_MIB_INFO = 0x5a,
+       MCU_EXT_CMD_TXDPD_CAL = 0x60,
+       MCU_EXT_CMD_CAL_CACHE = 0x67,
+-      MCU_EXT_CMD_SET_RDD_TH = 0x7c,
++      MCU_EXT_CMD_SET_RADAR_TH = 0x7c,
+       MCU_EXT_CMD_SET_RDD_PATTERN = 0x7d,
++      MCU_EXT_CMD_MWDS_SUPPORT = 0x80,
++      MCU_EXT_CMD_SET_SER_TRIGGER = 0x81,
++      MCU_EXT_CMD_SCS_CTRL = 0x82,
++      MCU_EXT_CMD_TWT_AGRT_UPDATE = 0x94,
++      MCU_EXT_CMD_FW_DBG_CTRL = 0x95,
++      MCU_EXT_CMD_OFFCH_SCAN_CTRL = 0x9a,
++      MCU_EXT_CMD_SET_RDD_TH = 0x9d,
++      MCU_EXT_CMD_MURU_CTRL = 0x9f,
++      MCU_EXT_CMD_SET_SPR = 0xa8,
++      MCU_EXT_CMD_GROUP_PRE_CAL_INFO = 0xab,
++      MCU_EXT_CMD_DPD_PRE_CAL_INFO = 0xac,
++      MCU_EXT_CMD_PHY_STAT_INFO = 0xad,
+ };
+ enum {
+@@ -561,6 +580,7 @@ enum {
+       MCU_CMD_PATCH_START_REQ = MCU_FW_PREFIX | 0x05,
+       MCU_CMD_PATCH_FINISH_REQ = MCU_FW_PREFIX | 0x07,
+       MCU_CMD_PATCH_SEM_CONTROL = MCU_FW_PREFIX | 0x10,
++      MCU_CMD_WA_PARAM = 0xc4,
+       MCU_CMD_EXT_CID = 0xed,
+       MCU_CMD_FW_SCATTER = MCU_FW_PREFIX | 0xee,
+       MCU_CMD_RESTART_DL_REQ = MCU_FW_PREFIX | 0xef,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+index 50f0c13f1c41e..51650e9e1845a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -182,7 +182,7 @@ int mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+       if (cmd == MCU_CMD_PATCH_SEM_CONTROL) {
+               skb_pull(skb, sizeof(*rxd) - 4);
+               ret = *skb->data;
+-      } else if (cmd == MCU_EXT_CMD(GET_TEMP)) {
++      } else if (cmd == MCU_EXT_CMD(THERMAL_CTRL)) {
+               skb_pull(skb, sizeof(*rxd) + 4);
+               ret = le32_to_cpu(*(__le32 *)skb->data);
+       } else if (cmd == MCU_EXT_CMD(EFUSE_ACCESS)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-connac-fix-a-theoretical-null-pointer-dereferen.patch b/queue-5.16/mt76-connac-fix-a-theoretical-null-pointer-dereferen.patch
new file mode 100644 (file)
index 0000000..02116ab
--- /dev/null
@@ -0,0 +1,46 @@
+From 640556602924a3a5987a8a3a15b9874ca55ad8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 13:49:41 +0100
+Subject: mt76: connac: fix a theoretical NULL pointer dereference in
+ mt76_connac_get_phy_mode
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit c9dbeac4988f6d4c4211b3747ec9c9c75ea87967 ]
+
+Even if it is not a real bug since mt76_connac_get_phy_mode runs just
+for mt7921 where only STA is supported, fix a theoretical NULL pointer
+dereference if new added modes do not support HE
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index a5857a788da50..7733c8fad2413 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -1180,7 +1180,7 @@ mt76_connac_get_phy_mode(struct mt76_phy *phy, struct ieee80211_vif *vif,
+               if (ht_cap->ht_supported)
+                       mode |= PHY_MODE_GN;
+-              if (he_cap->has_he)
++              if (he_cap && he_cap->has_he)
+                       mode |= PHY_MODE_AX_24G;
+       } else if (band == NL80211_BAND_5GHZ || band == NL80211_BAND_6GHZ) {
+               mode |= PHY_MODE_A;
+@@ -1191,7 +1191,7 @@ mt76_connac_get_phy_mode(struct mt76_phy *phy, struct ieee80211_vif *vif,
+               if (vht_cap->vht_supported)
+                       mode |= PHY_MODE_AC;
+-              if (he_cap->has_he) {
++              if (he_cap && he_cap->has_he) {
+                       if (band == NL80211_BAND_6GHZ)
+                               mode |= PHY_MODE_AX_6G;
+                       else
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-connac-fix-last_chan-configuration-in-mt76_conn.patch b/queue-5.16/mt76-connac-fix-last_chan-configuration-in-mt76_conn.patch
new file mode 100644 (file)
index 0000000..24ea70c
--- /dev/null
@@ -0,0 +1,50 @@
+From d0ee4817a6dc604ee320adbb1c019d362c798536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 10:36:15 +0100
+Subject: mt76: connac: fix last_chan configuration in
+ mt76_connac_mcu_rate_txpower_band
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 73c7c0443685d8d152c3451e7305a2c2bc47b32e ]
+
+last_ch configuration must not be dependent on the current configured band
+but it is defined by hw capabilities since the fw always expects the
+following order:
+- 2GHz
+- 5GHz
+- 6GHz
+
+Fixes: 9b2ea8eee42a1 ("mt76: connac: set 6G phymode in single-sku support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index 61c4c86e79c88..b15bbd650a90c 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -2008,12 +2008,12 @@ mt76_connac_mcu_rate_txpower_band(struct mt76_phy *phy,
+       }
+       batch_size = DIV_ROUND_UP(n_chan, batch_len);
+-      if (!phy->cap.has_5ghz)
+-              last_ch = chan_list_2ghz[n_chan - 1];
+-      else if (phy->cap.has_6ghz)
+-              last_ch = chan_list_6ghz[n_chan - 1];
++      if (phy->cap.has_6ghz)
++              last_ch = chan_list_6ghz[ARRAY_SIZE(chan_list_6ghz) - 1];
++      else if (phy->cap.has_5ghz)
++              last_ch = chan_list_5ghz[ARRAY_SIZE(chan_list_5ghz) - 1];
+       else
+-              last_ch = chan_list_5ghz[n_chan - 1];
++              last_ch = chan_list_2ghz[ARRAY_SIZE(chan_list_2ghz) - 1];
+       for (i = 0; i < batch_size; i++) {
+               struct mt76_connac_tx_power_limit_tlv tx_power_tlv = {};
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-connac-introduce-mcu_ext-macros.patch b/queue-5.16/mt76-connac-introduce-mcu_ext-macros.patch
new file mode 100644 (file)
index 0000000..1344b3a
--- /dev/null
@@ -0,0 +1,743 @@
+From b6cab49c4ee796e4a1d96c1ad83b9e0fea8f97a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 14:06:23 +0100
+Subject: mt76: connac: introduce MCU_EXT macros
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit e6d2070d9d64aad04c12424865cfd9684ba64bea ]
+
+Introduce MCU_EXT_CMD and MCU_EXT_QUERY macros in mt76_connac module.
+This is a preliminary patch to reuse mt76_connac module in mt7915
+driver.
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7615/main.c  |   4 +-
+ .../net/wireless/mediatek/mt76/mt7615/mcu.c   | 154 ++++++++----------
+ .../wireless/mediatek/mt76/mt7615/testmode.c  |   4 +-
+ .../wireless/mediatek/mt76/mt76_connac_mcu.c  |   4 +-
+ .../wireless/mediatek/mt76/mt76_connac_mcu.h  |  16 +-
+ .../net/wireless/mediatek/mt76/mt7921/main.c  |   4 +-
+ .../net/wireless/mediatek/mt76/mt7921/mcu.c   |  76 +++------
+ 7 files changed, 113 insertions(+), 149 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+index 890d9b07e1563..24c23d4951432 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+@@ -73,7 +73,7 @@ static int mt7615_start(struct ieee80211_hw *hw)
+                       goto out;
+       }
+-      ret = mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD_SET_RX_PATH);
++      ret = mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD(SET_RX_PATH));
+       if (ret)
+               goto out;
+@@ -331,7 +331,7 @@ int mt7615_set_channel(struct mt7615_phy *phy)
+                       goto out;
+       }
+-      ret = mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD_CHANNEL_SWITCH);
++      ret = mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD(CHANNEL_SWITCH));
+       if (ret)
+               goto out;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+index 25f9cbe2cd610..397a8bb67ffbf 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -87,7 +87,7 @@ struct mt7663_fw_buf {
+ void mt7615_mcu_fill_msg(struct mt7615_dev *dev, struct sk_buff *skb,
+                        int cmd, int *wait_seq)
+ {
+-      int txd_len, mcu_cmd = cmd & MCU_CMD_MASK;
++      int txd_len, mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
+       struct mt7615_uni_txd *uni_txd;
+       struct mt7615_mcu_txd *mcu_txd;
+       u8 seq, q_idx, pkt_fmt;
+@@ -142,28 +142,17 @@ void mt7615_mcu_fill_msg(struct mt7615_dev *dev, struct sk_buff *skb,
+       mcu_txd->s2d_index = MCU_S2D_H2N;
+       mcu_txd->pkt_type = MCU_PKT_ID;
+       mcu_txd->seq = seq;
++      mcu_txd->cid = mcu_cmd;
++      mcu_txd->ext_cid = FIELD_GET(__MCU_CMD_FIELD_EXT_ID, cmd);
+-      switch (cmd & ~MCU_CMD_MASK) {
+-      case MCU_FW_PREFIX:
+-              mcu_txd->set_query = MCU_Q_NA;
+-              mcu_txd->cid = mcu_cmd;
+-              break;
+-      case MCU_CE_PREFIX:
+-              if (cmd & MCU_QUERY_MASK)
++      if (mcu_txd->ext_cid || (cmd & MCU_CE_PREFIX)) {
++              if (cmd & __MCU_CMD_FIELD_QUERY)
+                       mcu_txd->set_query = MCU_Q_QUERY;
+               else
+                       mcu_txd->set_query = MCU_Q_SET;
+-              mcu_txd->cid = mcu_cmd;
+-              break;
+-      default:
+-              mcu_txd->cid = MCU_CMD_EXT_CID;
+-              if (cmd & MCU_QUERY_PREFIX)
+-                      mcu_txd->set_query = MCU_Q_QUERY;
+-              else
+-                      mcu_txd->set_query = MCU_Q_SET;
+-              mcu_txd->ext_cid = mcu_cmd;
+-              mcu_txd->ext_cid_ack = 1;
+-              break;
++              mcu_txd->ext_cid_ack = !!mcu_txd->ext_cid;
++      } else {
++              mcu_txd->set_query = MCU_Q_NA;
+       }
+ }
+ EXPORT_SYMBOL_GPL(mt7615_mcu_fill_msg);
+@@ -184,42 +173,32 @@ int mt7615_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+       if (seq != rxd->seq)
+               return -EAGAIN;
+-      switch (cmd) {
+-      case MCU_CMD_PATCH_SEM_CONTROL:
++      if (cmd == MCU_CMD_PATCH_SEM_CONTROL) {
+               skb_pull(skb, sizeof(*rxd) - 4);
+               ret = *skb->data;
+-              break;
+-      case MCU_EXT_CMD_GET_TEMP:
++      } else if (cmd == MCU_EXT_CMD(GET_TEMP)) {
+               skb_pull(skb, sizeof(*rxd));
+               ret = le32_to_cpu(*(__le32 *)skb->data);
+-              break;
+-      case MCU_EXT_CMD_RF_REG_ACCESS | MCU_QUERY_PREFIX:
++      } else if (cmd == MCU_EXT_QUERY(RF_REG_ACCESS)) {
+               skb_pull(skb, sizeof(*rxd));
+               ret = le32_to_cpu(*(__le32 *)&skb->data[8]);
+-              break;
+-      case MCU_UNI_CMD_DEV_INFO_UPDATE:
+-      case MCU_UNI_CMD_BSS_INFO_UPDATE:
+-      case MCU_UNI_CMD_STA_REC_UPDATE:
+-      case MCU_UNI_CMD_HIF_CTRL:
+-      case MCU_UNI_CMD_OFFLOAD:
+-      case MCU_UNI_CMD_SUSPEND: {
++      } else if (cmd == MCU_UNI_CMD_DEV_INFO_UPDATE ||
++                 cmd == MCU_UNI_CMD_BSS_INFO_UPDATE ||
++                 cmd == MCU_UNI_CMD_STA_REC_UPDATE ||
++                 cmd == MCU_UNI_CMD_HIF_CTRL ||
++                 cmd == MCU_UNI_CMD_OFFLOAD ||
++                 cmd == MCU_UNI_CMD_SUSPEND) {
+               struct mt7615_mcu_uni_event *event;
+               skb_pull(skb, sizeof(*rxd));
+               event = (struct mt7615_mcu_uni_event *)skb->data;
+               ret = le32_to_cpu(event->status);
+-              break;
+-      }
+-      case MCU_CMD_REG_READ: {
++      } else if (cmd == MCU_CMD_REG_READ) {
+               struct mt7615_mcu_reg_event *event;
+               skb_pull(skb, sizeof(*rxd));
+               event = (struct mt7615_mcu_reg_event *)skb->data;
+               ret = (int)le32_to_cpu(event->val);
+-              break;
+-      }
+-      default:
+-              break;
+       }
+       return ret;
+@@ -253,8 +232,7 @@ u32 mt7615_rf_rr(struct mt7615_dev *dev, u32 wf, u32 reg)
+               .address = cpu_to_le32(reg),
+       };
+-      return mt76_mcu_send_msg(&dev->mt76,
+-                               MCU_EXT_CMD_RF_REG_ACCESS | MCU_QUERY_PREFIX,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_QUERY(RF_REG_ACCESS),
+                                &req, sizeof(req), true);
+ }
+@@ -270,8 +248,8 @@ int mt7615_rf_wr(struct mt7615_dev *dev, u32 wf, u32 reg, u32 val)
+               .data = cpu_to_le32(val),
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_RF_REG_ACCESS, &req,
+-                               sizeof(req), false);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(RF_REG_ACCESS),
++                               &req, sizeof(req), false);
+ }
+ void mt7622_trigger_hif_int(struct mt7615_dev *dev, bool en)
+@@ -658,8 +636,8 @@ mt7615_mcu_muar_config(struct mt7615_dev *dev, struct ieee80211_vif *vif,
+       if (enable)
+               ether_addr_copy(req.addr, addr);
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_MUAR_UPDATE, &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(MUAR_UPDATE),
++                               &req, sizeof(req), true);
+ }
+ static int
+@@ -702,7 +680,7 @@ mt7615_mcu_add_dev(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+               return mt7615_mcu_muar_config(dev, vif, false, enable);
+       memcpy(data.tlv.omac_addr, vif->addr, ETH_ALEN);
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_DEV_INFO_UPDATE,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(DEV_INFO_UPDATE),
+                                &data, sizeof(data), true);
+ }
+@@ -771,7 +749,7 @@ mt7615_mcu_add_beacon_offload(struct mt7615_dev *dev,
+       dev_kfree_skb(skb);
+ out:
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_BCN_OFFLOAD, &req,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(BCN_OFFLOAD), &req,
+                                sizeof(req), true);
+ }
+@@ -802,8 +780,8 @@ mt7615_mcu_ctrl_pm_state(struct mt7615_dev *dev, int band, int state)
+               .band_idx = band,
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_PM_STATE_CTRL, &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(PM_STATE_CTRL),
++                               &req, sizeof(req), true);
+ }
+ static int
+@@ -944,7 +922,7 @@ mt7615_mcu_add_bss(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+               mt7615_mcu_bss_ext_tlv(skb, mvif);
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_EXT_CMD_BSS_INFO_UPDATE, true);
++                                   MCU_EXT_CMD(BSS_INFO_UPDATE), true);
+ }
+ static int
+@@ -966,8 +944,8 @@ mt7615_mcu_wtbl_tx_ba(struct mt7615_dev *dev,
+       mt76_connac_mcu_wtbl_ba_tlv(&dev->mt76, skb, params, enable, true,
+                                   NULL, wtbl_hdr);
+-      err = mt76_mcu_skb_send_msg(&dev->mt76, skb, MCU_EXT_CMD_WTBL_UPDATE,
+-                                  true);
++      err = mt76_mcu_skb_send_msg(&dev->mt76, skb,
++                                  MCU_EXT_CMD(WTBL_UPDATE), true);
+       if (err < 0)
+               return err;
+@@ -979,7 +957,7 @@ mt7615_mcu_wtbl_tx_ba(struct mt7615_dev *dev,
+       mt76_connac_mcu_sta_ba_tlv(skb, params, enable, true);
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_EXT_CMD_STA_REC_UPDATE, true);
++                                   MCU_EXT_CMD(STA_REC_UPDATE), true);
+ }
+ static int
+@@ -1001,7 +979,7 @@ mt7615_mcu_wtbl_rx_ba(struct mt7615_dev *dev,
+       mt76_connac_mcu_sta_ba_tlv(skb, params, enable, false);
+       err = mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                  MCU_EXT_CMD_STA_REC_UPDATE, true);
++                                  MCU_EXT_CMD(STA_REC_UPDATE), true);
+       if (err < 0 || !enable)
+               return err;
+@@ -1014,8 +992,8 @@ mt7615_mcu_wtbl_rx_ba(struct mt7615_dev *dev,
+       mt76_connac_mcu_wtbl_ba_tlv(&dev->mt76, skb, params, enable, false,
+                                   NULL, wtbl_hdr);
+-      return mt76_mcu_skb_send_msg(&dev->mt76, skb, MCU_EXT_CMD_WTBL_UPDATE,
+-                                   true);
++      return mt76_mcu_skb_send_msg(&dev->mt76, skb,
++                                   MCU_EXT_CMD(WTBL_UPDATE), true);
+ }
+ static int
+@@ -1057,7 +1035,7 @@ mt7615_mcu_wtbl_sta_add(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+                                                  NULL, wtbl_hdr);
+       }
+-      cmd = enable ? MCU_EXT_CMD_WTBL_UPDATE : MCU_EXT_CMD_STA_REC_UPDATE;
++      cmd = enable ? MCU_EXT_CMD(WTBL_UPDATE) : MCU_EXT_CMD(STA_REC_UPDATE);
+       skb = enable ? wskb : sskb;
+       err = mt76_mcu_skb_send_msg(&dev->mt76, skb, cmd, true);
+@@ -1068,7 +1046,7 @@ mt7615_mcu_wtbl_sta_add(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+               return err;
+       }
+-      cmd = enable ? MCU_EXT_CMD_STA_REC_UPDATE : MCU_EXT_CMD_WTBL_UPDATE;
++      cmd = enable ? MCU_EXT_CMD(STA_REC_UPDATE) : MCU_EXT_CMD(WTBL_UPDATE);
+       skb = enable ? sskb : wskb;
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb, cmd, true);
+@@ -1090,8 +1068,8 @@ mt7615_mcu_wtbl_update_hdr_trans(struct mt7615_dev *dev,
+       mt76_connac_mcu_wtbl_hdr_trans_tlv(skb, vif, &msta->wcid, NULL,
+                                          wtbl_hdr);
+-      return mt76_mcu_skb_send_msg(&dev->mt76, skb, MCU_EXT_CMD_WTBL_UPDATE,
+-                                   true);
++      return mt76_mcu_skb_send_msg(&dev->mt76, skb,
++                                   MCU_EXT_CMD(WTBL_UPDATE), true);
+ }
+ static const struct mt7615_mcu_ops wtbl_update_ops = {
+@@ -1136,7 +1114,7 @@ mt7615_mcu_sta_ba(struct mt7615_dev *dev,
+                                   sta_wtbl, wtbl_hdr);
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_EXT_CMD_STA_REC_UPDATE, true);
++                                   MCU_EXT_CMD(STA_REC_UPDATE), true);
+ }
+ static int
+@@ -1179,7 +1157,7 @@ mt7615_mcu_add_sta(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+                  struct ieee80211_sta *sta, bool enable)
+ {
+       return __mt7615_mcu_add_sta(phy->mt76, vif, sta, enable,
+-                                  MCU_EXT_CMD_STA_REC_UPDATE, false);
++                                  MCU_EXT_CMD(STA_REC_UPDATE), false);
+ }
+ static int
+@@ -1191,7 +1169,7 @@ mt7615_mcu_sta_update_hdr_trans(struct mt7615_dev *dev,
+       return mt76_connac_mcu_sta_update_hdr_trans(&dev->mt76,
+                                                   vif, &msta->wcid,
+-                                                  MCU_EXT_CMD_STA_REC_UPDATE);
++                                                  MCU_EXT_CMD(STA_REC_UPDATE));
+ }
+ static const struct mt7615_mcu_ops sta_update_ops = {
+@@ -1694,8 +1672,8 @@ int mt7615_mcu_fw_log_2_host(struct mt7615_dev *dev, u8 ctrl)
+               .ctrl_val = ctrl
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_FW_LOG_2_HOST, &data,
+-                               sizeof(data), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(FW_LOG_2_HOST),
++                               &data, sizeof(data), true);
+ }
+ static int mt7615_mcu_cal_cache_apply(struct mt7615_dev *dev)
+@@ -1707,7 +1685,7 @@ static int mt7615_mcu_cal_cache_apply(struct mt7615_dev *dev)
+               .cache_enable = true
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_CAL_CACHE, &data,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(CAL_CACHE), &data,
+                                sizeof(data), false);
+ }
+@@ -1977,7 +1955,7 @@ int mt7615_mcu_set_eeprom(struct mt7615_dev *dev)
+       skb_put_data(skb, eep + offset, eep_len);
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_EXT_CMD_EFUSE_BUFFER_MODE, true);
++                                   MCU_EXT_CMD(EFUSE_BUFFER_MODE), true);
+ }
+ int mt7615_mcu_set_wmm(struct mt7615_dev *dev, u8 queue,
+@@ -2013,8 +1991,8 @@ int mt7615_mcu_set_wmm(struct mt7615_dev *dev, u8 queue,
+       if (params->cw_max)
+               req.cw_max = cpu_to_le16(fls(params->cw_max));
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_EDCA_UPDATE, &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(EDCA_UPDATE),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_set_dbdc(struct mt7615_dev *dev)
+@@ -2072,7 +2050,7 @@ int mt7615_mcu_set_dbdc(struct mt7615_dev *dev)
+       ADD_DBDC_ENTRY(DBDC_TYPE_MGMT, 1, 1);
+ out:
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_DBDC_CTRL, &req,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(DBDC_CTRL), &req,
+                                sizeof(req), true);
+ }
+@@ -2082,8 +2060,8 @@ int mt7615_mcu_del_wtbl_all(struct mt7615_dev *dev)
+               .operation = WTBL_RESET_ALL,
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_WTBL_UPDATE, &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(WTBL_UPDATE),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_rdd_cmd(struct mt7615_dev *dev,
+@@ -2103,8 +2081,8 @@ int mt7615_mcu_rdd_cmd(struct mt7615_dev *dev,
+               .val = val,
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_SET_RDD_CTRL, &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_CTRL),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_set_fcc5_lpn(struct mt7615_dev *dev, int val)
+@@ -2117,7 +2095,7 @@ int mt7615_mcu_set_fcc5_lpn(struct mt7615_dev *dev, int val)
+               .min_lpn = cpu_to_le16(val),
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_SET_RDD_TH, &req,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_TH), &req,
+                                sizeof(req), true);
+ }
+@@ -2146,7 +2124,7 @@ int mt7615_mcu_set_pulse_th(struct mt7615_dev *dev,
+ #undef  __req_field
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_SET_RDD_TH, &req,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_TH), &req,
+                                sizeof(req), true);
+ }
+@@ -2193,7 +2171,7 @@ int mt7615_mcu_set_radar_th(struct mt7615_dev *dev, int index,
+ #undef __req_field_u32
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_SET_RDD_TH, &req,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_TH), &req,
+                                sizeof(req), true);
+ }
+@@ -2225,7 +2203,7 @@ int mt7615_mcu_rdd_send_pattern(struct mt7615_dev *dev)
+               req.pattern[i].start_time = cpu_to_le32(ts);
+       }
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_SET_RDD_PATTERN,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(SET_RDD_PATTERN),
+                                &req, sizeof(req), false);
+ }
+@@ -2394,8 +2372,8 @@ int mt7615_mcu_get_temperature(struct mt7615_dev *dev)
+               u8 rsv[3];
+       } req = {};
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_GET_TEMP, &req,
+-                               sizeof(req), true);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(GET_TEMP),
++                               &req, sizeof(req), true);
+ }
+ int mt7615_mcu_set_test_param(struct mt7615_dev *dev, u8 param, bool test_mode,
+@@ -2415,8 +2393,8 @@ int mt7615_mcu_set_test_param(struct mt7615_dev *dev, u8 param, bool test_mode,
+               .value = cpu_to_le32(val),
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_ATE_CTRL, &req,
+-                               sizeof(req), false);
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(ATE_CTRL),
++                               &req, sizeof(req), false);
+ }
+ int mt7615_mcu_set_sku_en(struct mt7615_phy *phy, bool enable)
+@@ -2434,8 +2412,8 @@ int mt7615_mcu_set_sku_en(struct mt7615_phy *phy, bool enable)
+       };
+       return mt76_mcu_send_msg(&dev->mt76,
+-                               MCU_EXT_CMD_TX_POWER_FEATURE_CTRL, &req,
+-                               sizeof(req), true);
++                               MCU_EXT_CMD(TX_POWER_FEATURE_CTRL),
++                               &req, sizeof(req), true);
+ }
+ static int mt7615_find_freq_idx(const u16 *freqs, int n_freqs, u16 cur)
+@@ -2574,7 +2552,7 @@ again:
+ out:
+       req.center_freq = cpu_to_le16(center_freq);
+-      ret = mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_RXDCOC_CAL, &req,
++      ret = mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(RXDCOC_CAL), &req,
+                               sizeof(req), true);
+       if ((chandef->width == NL80211_CHAN_WIDTH_80P80 ||
+@@ -2695,8 +2673,8 @@ again:
+ out:
+       req.center_freq = cpu_to_le16(center_freq);
+-      ret = mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_TXDPD_CAL, &req,
+-                              sizeof(req), true);
++      ret = mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(TXDPD_CAL),
++                              &req, sizeof(req), true);
+       if ((chandef->width == NL80211_CHAN_WIDTH_80P80 ||
+            chandef->width == NL80211_CHAN_WIDTH_160) && !req.is_freq2) {
+@@ -2724,7 +2702,7 @@ int mt7615_mcu_set_rx_hdr_trans_blacklist(struct mt7615_dev *dev)
+               .etype = cpu_to_le16(ETH_P_PAE),
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_RX_HDR_TRANS,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(RX_HDR_TRANS),
+                                &req, sizeof(req), false);
+ }
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c b/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c
+index 59d99264f5e5f..e5544f4e69797 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/testmode.c
+@@ -91,7 +91,7 @@ mt7615_tm_set_tx_power(struct mt7615_phy *phy)
+       }
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_EXT_CMD_SET_TX_POWER_CTRL, false);
++                                   MCU_EXT_CMD(SET_TX_POWER_CTRL), false);
+ }
+ static void
+@@ -229,7 +229,7 @@ mt7615_tm_set_tx_frames(struct mt7615_phy *phy, bool en)
+       struct ieee80211_tx_info *info;
+       struct sk_buff *skb = phy->mt76->test.tx_skb;
+-      mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD_SET_RX_PATH);
++      mt7615_mcu_set_chan_info(phy, MCU_EXT_CMD(SET_RX_PATH));
+       mt7615_tm_set_tx_antenna(phy, en);
+       mt7615_tm_set_rx_enable(dev, !en);
+       if (!en || !skb)
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index b15bbd650a90c..f603c6fab583a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -176,7 +176,7 @@ int mt76_connac_mcu_set_mac_enable(struct mt76_dev *dev, int band, bool enable,
+               .band = band,
+       };
+-      return mt76_mcu_send_msg(dev, MCU_EXT_CMD_MAC_INIT_CTRL, &req_mac,
++      return mt76_mcu_send_msg(dev, MCU_EXT_CMD(MAC_INIT_CTRL), &req_mac,
+                                sizeof(req_mac), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_mac_enable);
+@@ -218,7 +218,7 @@ int mt76_connac_mcu_set_rts_thresh(struct mt76_dev *dev, u32 val, u8 band)
+               .pkt_thresh = cpu_to_le32(0x2),
+       };
+-      return mt76_mcu_send_msg(dev, MCU_EXT_CMD_PROTECT_CTRL, &req,
++      return mt76_mcu_send_msg(dev, MCU_EXT_CMD(PROTECT_CTRL), &req,
+                                sizeof(req), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_rts_thresh);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+index 4e2c9dafd7765..1c7a99bc26261 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+@@ -499,11 +499,19 @@ enum {
+ #define MCU_FW_PREFIX                         BIT(31)
+ #define MCU_UNI_PREFIX                                BIT(30)
+ #define MCU_CE_PREFIX                         BIT(29)
+-#define MCU_QUERY_PREFIX                      BIT(28)
+ #define MCU_CMD_MASK                          ~(MCU_FW_PREFIX | MCU_UNI_PREFIX |      \
+-                                                MCU_CE_PREFIX | MCU_QUERY_PREFIX)
++                                                MCU_CE_PREFIX)
+-#define MCU_QUERY_MASK                                BIT(16)
++#define __MCU_CMD_FIELD_ID                    GENMASK(7, 0)
++#define __MCU_CMD_FIELD_EXT_ID                        GENMASK(15, 8)
++#define __MCU_CMD_FIELD_QUERY                 BIT(16)
++
++#define MCU_CMD(_t)                           FIELD_PREP(__MCU_CMD_FIELD_ID,          \
++                                                         MCU_CMD_##_t)
++#define MCU_EXT_CMD(_t)                               (MCU_CMD(EXT_CID) | \
++                                               FIELD_PREP(__MCU_CMD_FIELD_EXT_ID,     \
++                                                          MCU_EXT_CMD_##_t))
++#define MCU_EXT_QUERY(_t)                     (MCU_EXT_CMD(_t) | __MCU_CMD_FIELD_QUERY)
+ enum {
+       MCU_EXT_CMD_EFUSE_ACCESS = 0x01,
+@@ -575,7 +583,7 @@ enum {
+       MCU_CMD_GET_NIC_CAPAB = MCU_CE_PREFIX | 0x8a,
+       MCU_CMD_SET_MU_EDCA_PARMS = MCU_CE_PREFIX | 0xb0,
+       MCU_CMD_REG_WRITE = MCU_CE_PREFIX | 0xc0,
+-      MCU_CMD_REG_READ = MCU_CE_PREFIX | MCU_QUERY_MASK | 0xc0,
++      MCU_CMD_REG_READ = MCU_CE_PREFIX | __MCU_CMD_FIELD_QUERY | 0xc0,
+       MCU_CMD_CHIP_CONFIG = MCU_CE_PREFIX | 0xca,
+       MCU_CMD_FWLOG_2_HOST = MCU_CE_PREFIX | 0xc5,
+       MCU_CMD_GET_WTBL = MCU_CE_PREFIX | 0xcd,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 21e745fddc9c3..e7c9cb66a3543 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -221,7 +221,7 @@ int __mt7921_start(struct mt7921_phy *phy)
+       if (err)
+               return err;
+-      err = mt7921_mcu_set_chan_info(phy, MCU_EXT_CMD_SET_RX_PATH);
++      err = mt7921_mcu_set_chan_info(phy, MCU_EXT_CMD(SET_RX_PATH));
+       if (err)
+               return err;
+@@ -363,7 +363,7 @@ static int mt7921_set_channel(struct mt7921_phy *phy)
+       mt76_set_channel(phy->mt76);
+-      ret = mt7921_mcu_set_chan_info(phy, MCU_EXT_CMD_CHANNEL_SWITCH);
++      ret = mt7921_mcu_set_chan_info(phy, MCU_EXT_CMD(CHANNEL_SWITCH));
+       if (ret)
+               goto out;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+index 6ada1ebe7d68b..50f0c13f1c41e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -179,24 +179,20 @@ int mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+       if (seq != rxd->seq)
+               return -EAGAIN;
+-      switch (cmd) {
+-      case MCU_CMD_PATCH_SEM_CONTROL:
++      if (cmd == MCU_CMD_PATCH_SEM_CONTROL) {
+               skb_pull(skb, sizeof(*rxd) - 4);
+               ret = *skb->data;
+-              break;
+-      case MCU_EXT_CMD_GET_TEMP:
++      } else if (cmd == MCU_EXT_CMD(GET_TEMP)) {
+               skb_pull(skb, sizeof(*rxd) + 4);
+               ret = le32_to_cpu(*(__le32 *)skb->data);
+-              break;
+-      case MCU_EXT_CMD_EFUSE_ACCESS:
++      } else if (cmd == MCU_EXT_CMD(EFUSE_ACCESS)) {
+               ret = mt7921_mcu_parse_eeprom(mdev, skb);
+-              break;
+-      case MCU_UNI_CMD_DEV_INFO_UPDATE:
+-      case MCU_UNI_CMD_BSS_INFO_UPDATE:
+-      case MCU_UNI_CMD_STA_REC_UPDATE:
+-      case MCU_UNI_CMD_HIF_CTRL:
+-      case MCU_UNI_CMD_OFFLOAD:
+-      case MCU_UNI_CMD_SUSPEND: {
++      } else if (cmd == MCU_UNI_CMD_DEV_INFO_UPDATE ||
++                 cmd == MCU_UNI_CMD_BSS_INFO_UPDATE ||
++                 cmd == MCU_UNI_CMD_STA_REC_UPDATE ||
++                 cmd == MCU_UNI_CMD_HIF_CTRL ||
++                 cmd == MCU_UNI_CMD_OFFLOAD ||
++                 cmd == MCU_UNI_CMD_SUSPEND) {
+               struct mt7921_mcu_uni_event *event;
+               skb_pull(skb, sizeof(*rxd));
+@@ -205,19 +201,14 @@ int mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+               /* skip invalid event */
+               if (mcu_cmd != event->cid)
+                       ret = -EAGAIN;
+-              break;
+-      }
+-      case MCU_CMD_REG_READ: {
++      } else if (cmd == MCU_CMD_REG_READ) {
+               struct mt7921_mcu_reg_event *event;
+               skb_pull(skb, sizeof(*rxd));
+               event = (struct mt7921_mcu_reg_event *)skb->data;
+               ret = (int)le32_to_cpu(event->val);
+-              break;
+-      }
+-      default:
++      } else {
+               skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
+-              break;
+       }
+       return ret;
+@@ -228,7 +219,7 @@ int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
+                           int cmd, int *wait_seq)
+ {
+       struct mt7921_dev *dev = container_of(mdev, struct mt7921_dev, mt76);
+-      int txd_len, mcu_cmd = cmd & MCU_CMD_MASK;
++      int txd_len, mcu_cmd = FIELD_GET(__MCU_CMD_FIELD_ID, cmd);
+       struct mt7921_uni_txd *uni_txd;
+       struct mt7921_mcu_txd *mcu_txd;
+       __le32 *txd;
+@@ -283,34 +274,20 @@ int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
+                                              MT_TX_MCU_PORT_RX_Q0));
+       mcu_txd->pkt_type = MCU_PKT_ID;
+       mcu_txd->seq = seq;
++      mcu_txd->cid = mcu_cmd;
++      mcu_txd->s2d_index = MCU_S2D_H2N;
++      mcu_txd->ext_cid = FIELD_GET(__MCU_CMD_FIELD_EXT_ID, cmd);
+-      switch (cmd & ~MCU_CMD_MASK) {
+-      case MCU_FW_PREFIX:
+-              mcu_txd->set_query = MCU_Q_NA;
+-              mcu_txd->cid = mcu_cmd;
+-              break;
+-      case MCU_CE_PREFIX:
+-              if (cmd & MCU_QUERY_MASK)
+-                      mcu_txd->set_query = MCU_Q_QUERY;
+-              else
+-                      mcu_txd->set_query = MCU_Q_SET;
+-              mcu_txd->cid = mcu_cmd;
+-              break;
+-      default:
+-              mcu_txd->cid = MCU_CMD_EXT_CID;
+-              if (cmd & MCU_QUERY_PREFIX || cmd == MCU_EXT_CMD_EFUSE_ACCESS)
++      if (mcu_txd->ext_cid || (cmd & MCU_CE_PREFIX)) {
++              if (cmd & __MCU_CMD_FIELD_QUERY)
+                       mcu_txd->set_query = MCU_Q_QUERY;
+               else
+                       mcu_txd->set_query = MCU_Q_SET;
+-              mcu_txd->ext_cid = mcu_cmd;
+-              mcu_txd->ext_cid_ack = 1;
+-              break;
++              mcu_txd->ext_cid_ack = !!mcu_txd->ext_cid;
++      } else {
++              mcu_txd->set_query = MCU_Q_NA;
+       }
+-      mcu_txd->s2d_index = MCU_S2D_H2N;
+-      WARN_ON(cmd == MCU_EXT_CMD_EFUSE_ACCESS &&
+-              mcu_txd->set_query != MCU_Q_QUERY);
+-
+ exit:
+       if (wait_seq)
+               *wait_seq = seq;
+@@ -997,8 +974,8 @@ int mt7921_mcu_set_tx(struct mt7921_dev *dev, struct ieee80211_vif *vif)
+                       e->cw_max = cpu_to_le16(10);
+       }
+-      ret = mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_EDCA_UPDATE, &req,
+-                              sizeof(req), true);
++      ret = mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(EDCA_UPDATE),
++                              &req, sizeof(req), true);
+       if (ret)
+               return ret;
+@@ -1070,7 +1047,7 @@ int mt7921_mcu_set_chan_info(struct mt7921_phy *phy, int cmd)
+       else
+               req.switch_reason = CH_SWITCH_NORMAL;
+-      if (cmd == MCU_EXT_CMD_CHANNEL_SWITCH)
++      if (cmd == MCU_EXT_CMD(CHANNEL_SWITCH))
+               req.rx_streams = hweight8(req.rx_streams);
+       if (chandef->width == NL80211_CHAN_WIDTH_80P80) {
+@@ -1093,7 +1070,7 @@ int mt7921_mcu_set_eeprom(struct mt7921_dev *dev)
+               .format = EE_FORMAT_WHOLE,
+       };
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD_EFUSE_BUFFER_MODE,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(EFUSE_BUFFER_MODE),
+                                &req, sizeof(req), true);
+ }
+ EXPORT_SYMBOL_GPL(mt7921_mcu_set_eeprom);
+@@ -1108,8 +1085,9 @@ int mt7921_mcu_get_eeprom(struct mt7921_dev *dev, u32 offset)
+       int ret;
+       u8 *buf;
+-      ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_EXT_CMD_EFUSE_ACCESS, &req,
+-                                      sizeof(req), true, &skb);
++      ret = mt76_mcu_send_and_get_msg(&dev->mt76,
++                                      MCU_EXT_QUERY(EFUSE_ACCESS),
++                                      &req, sizeof(req), true, &skb);
+       if (ret)
+               return ret;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-connac-introduce-mcu_uni_cmd-macro.patch b/queue-5.16/mt76-connac-introduce-mcu_uni_cmd-macro.patch
new file mode 100644 (file)
index 0000000..4bd41ff
--- /dev/null
@@ -0,0 +1,424 @@
+From ab23ced7d0ec8188b958e452ecd167f606ca251e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 14:06:26 +0100
+Subject: mt76: connac: introduce MCU_UNI_CMD macro
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 5472240245793c13e9986c61dd34c697296deed4 ]
+
+Similar to MCU_EXT_CMD, introduce MCU_UNI_CMD for unified commands
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7615/mcu.c   | 26 +++++------
+ .../wireless/mediatek/mt76/mt76_connac_mcu.c  | 44 ++++++++++---------
+ .../wireless/mediatek/mt76/mt76_connac_mcu.h  | 19 ++++----
+ .../net/wireless/mediatek/mt76/mt7921/main.c  |  2 +-
+ .../net/wireless/mediatek/mt76/mt7921/mcu.c   | 36 +++++++--------
+ 5 files changed, 64 insertions(+), 63 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+index 2232afed72912..fcbcfc9f5a04f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+@@ -103,7 +103,7 @@ void mt7615_mcu_fill_msg(struct mt7615_dev *dev, struct sk_buff *skb,
+       if (wait_seq)
+               *wait_seq = seq;
+-      txd_len = cmd & MCU_UNI_PREFIX ? sizeof(*uni_txd) : sizeof(*mcu_txd);
++      txd_len = cmd & __MCU_CMD_FIELD_UNI ? sizeof(*uni_txd) : sizeof(*mcu_txd);
+       txd = (__le32 *)skb_push(skb, txd_len);
+       if (cmd != MCU_CMD_FW_SCATTER) {
+@@ -124,7 +124,7 @@ void mt7615_mcu_fill_msg(struct mt7615_dev *dev, struct sk_buff *skb,
+             FIELD_PREP(MT_TXD1_PKT_FMT, pkt_fmt);
+       txd[1] = cpu_to_le32(val);
+-      if (cmd & MCU_UNI_PREFIX) {
++      if (cmd & __MCU_CMD_FIELD_UNI) {
+               uni_txd = (struct mt7615_uni_txd *)txd;
+               uni_txd->len = cpu_to_le16(skb->len - sizeof(uni_txd->txd));
+               uni_txd->option = MCU_CMD_UNI_EXT_ACK;
+@@ -182,12 +182,12 @@ int mt7615_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+       } else if (cmd == MCU_EXT_QUERY(RF_REG_ACCESS)) {
+               skb_pull(skb, sizeof(*rxd));
+               ret = le32_to_cpu(*(__le32 *)&skb->data[8]);
+-      } else if (cmd == MCU_UNI_CMD_DEV_INFO_UPDATE ||
+-                 cmd == MCU_UNI_CMD_BSS_INFO_UPDATE ||
+-                 cmd == MCU_UNI_CMD_STA_REC_UPDATE ||
+-                 cmd == MCU_UNI_CMD_HIF_CTRL ||
+-                 cmd == MCU_UNI_CMD_OFFLOAD ||
+-                 cmd == MCU_UNI_CMD_SUSPEND) {
++      } else if (cmd == MCU_UNI_CMD(DEV_INFO_UPDATE) ||
++                 cmd == MCU_UNI_CMD(BSS_INFO_UPDATE) ||
++                 cmd == MCU_UNI_CMD(STA_REC_UPDATE) ||
++                 cmd == MCU_UNI_CMD(HIF_CTRL) ||
++                 cmd == MCU_UNI_CMD(OFFLOAD) ||
++                 cmd == MCU_UNI_CMD(SUSPEND)) {
+               struct mt7615_mcu_uni_event *event;
+               skb_pull(skb, sizeof(*rxd));
+@@ -1263,7 +1263,7 @@ mt7615_mcu_uni_add_beacon_offload(struct mt7615_dev *dev,
+       dev_kfree_skb(skb);
+ out:
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD_BSS_INFO_UPDATE,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(BSS_INFO_UPDATE),
+                                &req, sizeof(req), true);
+ }
+@@ -1292,7 +1292,7 @@ mt7615_mcu_uni_add_sta(struct mt7615_phy *phy, struct ieee80211_vif *vif,
+                      struct ieee80211_sta *sta, bool enable)
+ {
+       return __mt7615_mcu_add_sta(phy->mt76, vif, sta, enable,
+-                                  MCU_UNI_CMD_STA_REC_UPDATE, true);
++                                  MCU_UNI_CMD(STA_REC_UPDATE), true);
+ }
+ static int
+@@ -1326,7 +1326,7 @@ mt7615_mcu_uni_rx_ba(struct mt7615_dev *dev,
+       mt76_connac_mcu_sta_ba_tlv(skb, params, enable, false);
+       err = mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                  MCU_UNI_CMD_STA_REC_UPDATE, true);
++                                  MCU_UNI_CMD(STA_REC_UPDATE), true);
+       if (err < 0 || !enable)
+               return err;
+@@ -1347,7 +1347,7 @@ mt7615_mcu_uni_rx_ba(struct mt7615_dev *dev,
+                                   sta_wtbl, wtbl_hdr);
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_UNI_CMD_STA_REC_UPDATE, true);
++                                   MCU_UNI_CMD(STA_REC_UPDATE), true);
+ }
+ static int
+@@ -1359,7 +1359,7 @@ mt7615_mcu_sta_uni_update_hdr_trans(struct mt7615_dev *dev,
+       return mt76_connac_mcu_sta_update_hdr_trans(&dev->mt76,
+                                                   vif, &msta->wcid,
+-                                                  MCU_UNI_CMD_STA_REC_UPDATE);
++                                                  MCU_UNI_CMD(STA_REC_UPDATE));
+ }
+ static const struct mt7615_mcu_ops uni_update_ops = {
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index f603c6fab583a..a5857a788da50 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -1071,7 +1071,7 @@ int mt76_connac_mcu_uni_add_dev(struct mt76_phy *phy,
+       memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
+-      cmd = enable ? MCU_UNI_CMD_DEV_INFO_UPDATE : MCU_UNI_CMD_BSS_INFO_UPDATE;
++      cmd = enable ? MCU_UNI_CMD(DEV_INFO_UPDATE) : MCU_UNI_CMD(BSS_INFO_UPDATE);
+       data = enable ? (void *)&dev_req : (void *)&basic_req;
+       len = enable ? sizeof(dev_req) : sizeof(basic_req);
+@@ -1079,7 +1079,7 @@ int mt76_connac_mcu_uni_add_dev(struct mt76_phy *phy,
+       if (err < 0)
+               return err;
+-      cmd = enable ? MCU_UNI_CMD_BSS_INFO_UPDATE : MCU_UNI_CMD_DEV_INFO_UPDATE;
++      cmd = enable ? MCU_UNI_CMD(BSS_INFO_UPDATE) : MCU_UNI_CMD(DEV_INFO_UPDATE);
+       data = enable ? (void *)&basic_req : (void *)&dev_req;
+       len = enable ? sizeof(basic_req) : sizeof(dev_req);
+@@ -1131,7 +1131,8 @@ int mt76_connac_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif *mvif,
+       mt76_connac_mcu_wtbl_ba_tlv(dev, skb, params, enable, tx, sta_wtbl,
+                                   wtbl_hdr);
+-      ret = mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD_STA_REC_UPDATE, true);
++      ret = mt76_mcu_skb_send_msg(dev, skb,
++                                  MCU_UNI_CMD(STA_REC_UPDATE), true);
+       if (ret)
+               return ret;
+@@ -1141,8 +1142,8 @@ int mt76_connac_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif *mvif,
+       mt76_connac_mcu_sta_ba_tlv(skb, params, enable, tx);
+-      return mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD_STA_REC_UPDATE,
+-                                   true);
++      return mt76_mcu_skb_send_msg(dev, skb,
++                                   MCU_UNI_CMD(STA_REC_UPDATE), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_sta_ba);
+@@ -1352,7 +1353,7 @@ int mt76_connac_mcu_uni_add_bss(struct mt76_phy *phy,
+       basic_req.basic.sta_idx = cpu_to_le16(wcid->idx);
+       basic_req.basic.conn_state = !enable;
+-      err = mt76_mcu_send_msg(mdev, MCU_UNI_CMD_BSS_INFO_UPDATE, &basic_req,
++      err = mt76_mcu_send_msg(mdev, MCU_UNI_CMD(BSS_INFO_UPDATE), &basic_req,
+                               sizeof(basic_req), true);
+       if (err < 0)
+               return err;
+@@ -1390,7 +1391,7 @@ int mt76_connac_mcu_uni_add_bss(struct mt76_phy *phy,
+               mt76_connac_mcu_uni_bss_he_tlv(phy, vif,
+                                              (struct tlv *)&he_req.he);
+-              err = mt76_mcu_send_msg(mdev, MCU_UNI_CMD_BSS_INFO_UPDATE,
++              err = mt76_mcu_send_msg(mdev, MCU_UNI_CMD(BSS_INFO_UPDATE),
+                                       &he_req, sizeof(he_req), true);
+               if (err < 0)
+                       return err;
+@@ -1428,7 +1429,7 @@ int mt76_connac_mcu_uni_add_bss(struct mt76_phy *phy,
+       else if (rlm_req.rlm.control_channel > rlm_req.rlm.center_chan)
+               rlm_req.rlm.sco = 3; /* SCB */
+-      return mt76_mcu_send_msg(mdev, MCU_UNI_CMD_BSS_INFO_UPDATE, &rlm_req,
++      return mt76_mcu_send_msg(mdev, MCU_UNI_CMD(BSS_INFO_UPDATE), &rlm_req,
+                                sizeof(rlm_req), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_uni_add_bss);
+@@ -2143,7 +2144,7 @@ int mt76_connac_mcu_update_arp_filter(struct mt76_dev *dev,
+               memcpy(addr, &info->arp_addr_list[i], sizeof(__be32));
+       }
+-      return mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD_OFFLOAD, true);
++      return mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD(OFFLOAD), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_update_arp_filter);
+@@ -2249,7 +2250,8 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw,
+       memcpy(gtk_tlv->kck, key->kck, NL80211_KCK_LEN);
+       memcpy(gtk_tlv->replay_ctr, key->replay_ctr, NL80211_REPLAY_CTR_LEN);
+-      return mt76_mcu_skb_send_msg(phy->dev, skb, MCU_UNI_CMD_OFFLOAD, true);
++      return mt76_mcu_skb_send_msg(phy->dev, skb,
++                                   MCU_UNI_CMD(OFFLOAD), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_update_gtk_rekey);
+@@ -2275,8 +2277,8 @@ mt76_connac_mcu_set_arp_filter(struct mt76_dev *dev, struct ieee80211_vif *vif,
+               },
+       };
+-      return mt76_mcu_send_msg(dev, MCU_UNI_CMD_OFFLOAD, &req, sizeof(req),
+-                               true);
++      return mt76_mcu_send_msg(dev, MCU_UNI_CMD(OFFLOAD), &req,
++                               sizeof(req), true);
+ }
+ static int
+@@ -2301,8 +2303,8 @@ mt76_connac_mcu_set_gtk_rekey(struct mt76_dev *dev, struct ieee80211_vif *vif,
+               },
+       };
+-      return mt76_mcu_send_msg(dev, MCU_UNI_CMD_OFFLOAD, &req, sizeof(req),
+-                               true);
++      return mt76_mcu_send_msg(dev, MCU_UNI_CMD(OFFLOAD), &req,
++                               sizeof(req), true);
+ }
+ static int
+@@ -2331,8 +2333,8 @@ mt76_connac_mcu_set_suspend_mode(struct mt76_dev *dev,
+               },
+       };
+-      return mt76_mcu_send_msg(dev, MCU_UNI_CMD_SUSPEND, &req, sizeof(req),
+-                               true);
++      return mt76_mcu_send_msg(dev, MCU_UNI_CMD(SUSPEND), &req,
++                               sizeof(req), true);
+ }
+ static int
+@@ -2366,7 +2368,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev,
+       memcpy(ptlv->pattern, pattern->pattern, pattern->pattern_len);
+       memcpy(ptlv->mask, pattern->mask, DIV_ROUND_UP(pattern->pattern_len, 8));
+-      return mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD_SUSPEND, true);
++      return mt76_mcu_skb_send_msg(dev, skb, MCU_UNI_CMD(SUSPEND), true);
+ }
+ static int
+@@ -2418,8 +2420,8 @@ mt76_connac_mcu_set_wow_ctrl(struct mt76_phy *phy, struct ieee80211_vif *vif,
+       else if (mt76_is_sdio(dev))
+               req.wow_ctrl_tlv.wakeup_hif = WOW_GPIO;
+-      return mt76_mcu_send_msg(dev, MCU_UNI_CMD_SUSPEND, &req, sizeof(req),
+-                               true);
++      return mt76_mcu_send_msg(dev, MCU_UNI_CMD(SUSPEND), &req,
++                               sizeof(req), true);
+ }
+ int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend)
+@@ -2452,8 +2454,8 @@ int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend)
+       else if (mt76_is_sdio(dev))
+               req.hdr.hif_type = 0;
+-      return mt76_mcu_send_msg(dev, MCU_UNI_CMD_HIF_CTRL, &req, sizeof(req),
+-                               true);
++      return mt76_mcu_send_msg(dev, MCU_UNI_CMD(HIF_CTRL), &req,
++                               sizeof(req), true);
+ }
+ EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_hif_suspend);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+index b3cd6ca815278..5c5fab9154e59 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+@@ -496,13 +496,13 @@ enum {
+ #define MCU_CMD_UNI_EXT_ACK                   (MCU_CMD_ACK | MCU_CMD_UNI | \
+                                                MCU_CMD_QUERY)
+-#define MCU_UNI_PREFIX                                BIT(30)
+ #define MCU_CE_PREFIX                         BIT(29)
+-#define MCU_CMD_MASK                          ~(MCU_UNI_PREFIX | MCU_CE_PREFIX)
++#define MCU_CMD_MASK                          ~(MCU_CE_PREFIX)
+ #define __MCU_CMD_FIELD_ID                    GENMASK(7, 0)
+ #define __MCU_CMD_FIELD_EXT_ID                        GENMASK(15, 8)
+ #define __MCU_CMD_FIELD_QUERY                 BIT(16)
++#define __MCU_CMD_FIELD_UNI                   BIT(17)
+ #define MCU_CMD(_t)                           FIELD_PREP(__MCU_CMD_FIELD_ID,          \
+                                                          MCU_CMD_##_t)
+@@ -510,6 +510,9 @@ enum {
+                                                FIELD_PREP(__MCU_CMD_FIELD_EXT_ID,     \
+                                                           MCU_EXT_CMD_##_t))
+ #define MCU_EXT_QUERY(_t)                     (MCU_EXT_CMD(_t) | __MCU_CMD_FIELD_QUERY)
++#define MCU_UNI_CMD(_t)                               (__MCU_CMD_FIELD_UNI |                  \
++                                               FIELD_PREP(__MCU_CMD_FIELD_ID,         \
++                                                          MCU_UNI_CMD_##_t))
+ enum {
+       MCU_EXT_CMD_EFUSE_ACCESS = 0x01,
+@@ -562,12 +565,12 @@ enum {
+ };
+ enum {
+-      MCU_UNI_CMD_DEV_INFO_UPDATE = MCU_UNI_PREFIX | 0x01,
+-      MCU_UNI_CMD_BSS_INFO_UPDATE = MCU_UNI_PREFIX | 0x02,
+-      MCU_UNI_CMD_STA_REC_UPDATE = MCU_UNI_PREFIX | 0x03,
+-      MCU_UNI_CMD_SUSPEND = MCU_UNI_PREFIX | 0x05,
+-      MCU_UNI_CMD_OFFLOAD = MCU_UNI_PREFIX | 0x06,
+-      MCU_UNI_CMD_HIF_CTRL = MCU_UNI_PREFIX | 0x07,
++      MCU_UNI_CMD_DEV_INFO_UPDATE = 0x01,
++      MCU_UNI_CMD_BSS_INFO_UPDATE = 0x02,
++      MCU_UNI_CMD_STA_REC_UPDATE = 0x03,
++      MCU_UNI_CMD_SUSPEND = 0x05,
++      MCU_UNI_CMD_OFFLOAD = 0x06,
++      MCU_UNI_CMD_HIF_CTRL = 0x07,
+ };
+ enum {
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index e7c9cb66a3543..8c55562c1a8d9 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1316,7 +1316,7 @@ static void mt7921_sta_set_decap_offload(struct ieee80211_hw *hw,
+               clear_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags);
+       mt76_connac_mcu_sta_update_hdr_trans(&dev->mt76, vif, &msta->wcid,
+-                                           MCU_UNI_CMD_STA_REC_UPDATE);
++                                           MCU_UNI_CMD(STA_REC_UPDATE));
+ }
+ static int mt7921_set_sar_specs(struct ieee80211_hw *hw,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+index 51650e9e1845a..e741db152c0d2 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -187,12 +187,12 @@ int mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd,
+               ret = le32_to_cpu(*(__le32 *)skb->data);
+       } else if (cmd == MCU_EXT_CMD(EFUSE_ACCESS)) {
+               ret = mt7921_mcu_parse_eeprom(mdev, skb);
+-      } else if (cmd == MCU_UNI_CMD_DEV_INFO_UPDATE ||
+-                 cmd == MCU_UNI_CMD_BSS_INFO_UPDATE ||
+-                 cmd == MCU_UNI_CMD_STA_REC_UPDATE ||
+-                 cmd == MCU_UNI_CMD_HIF_CTRL ||
+-                 cmd == MCU_UNI_CMD_OFFLOAD ||
+-                 cmd == MCU_UNI_CMD_SUSPEND) {
++      } else if (cmd == MCU_UNI_CMD(DEV_INFO_UPDATE) ||
++                 cmd == MCU_UNI_CMD(BSS_INFO_UPDATE) ||
++                 cmd == MCU_UNI_CMD(STA_REC_UPDATE) ||
++                 cmd == MCU_UNI_CMD(HIF_CTRL) ||
++                 cmd == MCU_UNI_CMD(OFFLOAD) ||
++                 cmd == MCU_UNI_CMD(SUSPEND)) {
+               struct mt7921_mcu_uni_event *event;
+               skb_pull(skb, sizeof(*rxd));
+@@ -226,16 +226,12 @@ int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
+       u32 val;
+       u8 seq;
+-      switch (cmd) {
+-      case MCU_UNI_CMD_HIF_CTRL:
+-      case MCU_UNI_CMD_SUSPEND:
+-      case MCU_UNI_CMD_OFFLOAD:
++      if (cmd == MCU_UNI_CMD(HIF_CTRL) ||
++          cmd == MCU_UNI_CMD(SUSPEND) ||
++          cmd == MCU_UNI_CMD(OFFLOAD))
+               mdev->mcu.timeout = HZ / 3;
+-              break;
+-      default:
++      else
+               mdev->mcu.timeout = 3 * HZ;
+-              break;
+-      }
+       seq = ++dev->mt76.mcu.msg_seq & 0xf;
+       if (!seq)
+@@ -244,7 +240,7 @@ int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
+       if (cmd == MCU_CMD_FW_SCATTER)
+               goto exit;
+-      txd_len = cmd & MCU_UNI_PREFIX ? sizeof(*uni_txd) : sizeof(*mcu_txd);
++      txd_len = cmd & __MCU_CMD_FIELD_UNI ? sizeof(*uni_txd) : sizeof(*mcu_txd);
+       txd = (__le32 *)skb_push(skb, txd_len);
+       val = FIELD_PREP(MT_TXD0_TX_BYTES, skb->len) |
+@@ -256,7 +252,7 @@ int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
+             FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_CMD);
+       txd[1] = cpu_to_le32(val);
+-      if (cmd & MCU_UNI_PREFIX) {
++      if (cmd & __MCU_CMD_FIELD_UNI) {
+               uni_txd = (struct mt7921_uni_txd *)txd;
+               uni_txd->len = cpu_to_le16(skb->len - sizeof(uni_txd->txd));
+               uni_txd->option = MCU_CMD_UNI_EXT_ACK;
+@@ -544,7 +540,7 @@ int mt7921_mcu_add_key(struct mt7921_dev *dev, struct ieee80211_vif *vif,
+               return ret;
+       return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_UNI_CMD_STA_REC_UPDATE, true);
++                                   MCU_UNI_CMD(STA_REC_UPDATE), true);
+ }
+ int mt7921_mcu_uni_tx_ba(struct mt7921_dev *dev,
+@@ -1132,7 +1128,7 @@ int mt7921_mcu_uni_bss_ps(struct mt7921_dev *dev, struct ieee80211_vif *vif)
+       if (vif->type != NL80211_IFTYPE_STATION)
+               return -EOPNOTSUPP;
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD_BSS_INFO_UPDATE,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(BSS_INFO_UPDATE),
+                                &ps_req, sizeof(ps_req), true);
+ }
+@@ -1168,7 +1164,7 @@ mt7921_mcu_uni_bss_bcnft(struct mt7921_dev *dev, struct ieee80211_vif *vif,
+       if (vif->type != NL80211_IFTYPE_STATION)
+               return 0;
+-      return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD_BSS_INFO_UPDATE,
++      return mt76_mcu_send_msg(&dev->mt76, MCU_UNI_CMD(BSS_INFO_UPDATE),
+                                &bcnft_req, sizeof(bcnft_req), true);
+ }
+@@ -1223,7 +1219,7 @@ int mt7921_mcu_sta_update(struct mt7921_dev *dev, struct ieee80211_sta *sta,
+               .sta = sta,
+               .vif = vif,
+               .enable = enable,
+-              .cmd = MCU_UNI_CMD_STA_REC_UPDATE,
++              .cmd = MCU_UNI_CMD(STA_REC_UPDATE),
+               .state = state,
+               .offload_fw = true,
+               .rcpi = to_rcpi(rssi),
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-connac-remove-mcu_fw_prefix-bit.patch b/queue-5.16/mt76-connac-remove-mcu_fw_prefix-bit.patch
new file mode 100644 (file)
index 0000000..a1bfcda
--- /dev/null
@@ -0,0 +1,64 @@
+From f65bfbe99646a40b2e89b21b247cb8af54ae6ea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 14:06:25 +0100
+Subject: mt76: connac: remove MCU_FW_PREFIX bit
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 7159eb828d21ad8fb3c1c1782a286a658ba6bf66 ]
+
+Get rid of MCU_FW_PREFIX bit since it is no longer used
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/mediatek/mt76/mt76_connac_mcu.h  | 20 +++++++++----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+index 9dbb6ae9f21da..b3cd6ca815278 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+@@ -496,11 +496,9 @@ enum {
+ #define MCU_CMD_UNI_EXT_ACK                   (MCU_CMD_ACK | MCU_CMD_UNI | \
+                                                MCU_CMD_QUERY)
+-#define MCU_FW_PREFIX                         BIT(31)
+ #define MCU_UNI_PREFIX                                BIT(30)
+ #define MCU_CE_PREFIX                         BIT(29)
+-#define MCU_CMD_MASK                          ~(MCU_FW_PREFIX | MCU_UNI_PREFIX |      \
+-                                                MCU_CE_PREFIX)
++#define MCU_CMD_MASK                          ~(MCU_UNI_PREFIX | MCU_CE_PREFIX)
+ #define __MCU_CMD_FIELD_ID                    GENMASK(7, 0)
+ #define __MCU_CMD_FIELD_EXT_ID                        GENMASK(15, 8)
+@@ -573,17 +571,17 @@ enum {
+ };
+ enum {
+-      MCU_CMD_TARGET_ADDRESS_LEN_REQ = MCU_FW_PREFIX | 0x01,
+-      MCU_CMD_FW_START_REQ = MCU_FW_PREFIX | 0x02,
++      MCU_CMD_TARGET_ADDRESS_LEN_REQ = 0x01,
++      MCU_CMD_FW_START_REQ = 0x02,
+       MCU_CMD_INIT_ACCESS_REG = 0x3,
+-      MCU_CMD_NIC_POWER_CTRL = MCU_FW_PREFIX | 0x4,
+-      MCU_CMD_PATCH_START_REQ = MCU_FW_PREFIX | 0x05,
+-      MCU_CMD_PATCH_FINISH_REQ = MCU_FW_PREFIX | 0x07,
+-      MCU_CMD_PATCH_SEM_CONTROL = MCU_FW_PREFIX | 0x10,
++      MCU_CMD_NIC_POWER_CTRL = 0x4,
++      MCU_CMD_PATCH_START_REQ = 0x05,
++      MCU_CMD_PATCH_FINISH_REQ = 0x07,
++      MCU_CMD_PATCH_SEM_CONTROL = 0x10,
+       MCU_CMD_WA_PARAM = 0xc4,
+       MCU_CMD_EXT_CID = 0xed,
+-      MCU_CMD_FW_SCATTER = MCU_FW_PREFIX | 0xee,
+-      MCU_CMD_RESTART_DL_REQ = MCU_FW_PREFIX | 0xef,
++      MCU_CMD_FW_SCATTER = 0xee,
++      MCU_CMD_RESTART_DL_REQ = 0xef,
+ };
+ /* offload mcu commands */
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-debugfs-fix-queue-reporting-for-mt76-usb.patch b/queue-5.16/mt76-debugfs-fix-queue-reporting-for-mt76-usb.patch
new file mode 100644 (file)
index 0000000..61ad903
--- /dev/null
@@ -0,0 +1,36 @@
+From bc11095bddcda9af4a40ba17971439faa41a21e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 11:03:52 +0100
+Subject: mt76: debugfs: fix queue reporting for mt76-usb
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit eae7df016c30468e09481a75b1339f0ab5ece222 ]
+
+Fix number of rx-queued frames reported by mt76_usb driver.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 2d8be76c1674 ("mt76: debugfs: improve queue node readability")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/debugfs.c b/drivers/net/wireless/mediatek/mt76/debugfs.c
+index b8bcf22a07fd8..47e9911ee9fe6 100644
+--- a/drivers/net/wireless/mediatek/mt76/debugfs.c
++++ b/drivers/net/wireless/mediatek/mt76/debugfs.c
+@@ -82,7 +82,7 @@ static int mt76_rx_queues_read(struct seq_file *s, void *data)
+               queued = mt76_is_usb(dev) ? q->ndesc - q->queued : q->queued;
+               seq_printf(s, " %9d | %9d | %9d | %9d |\n",
+-                         i, q->queued, q->head, q->tail);
++                         i, queued, q->head, q->tail);
+       }
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-do-not-pass-the-received-frame-with-decryption-.patch b/queue-5.16/mt76-do-not-pass-the-received-frame-with-decryption-.patch
new file mode 100644 (file)
index 0000000..72eeb6f
--- /dev/null
@@ -0,0 +1,115 @@
+From 6ea9db24ceeec2a029b2619b622c55ee6ce4e98b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 14:37:06 +0800
+Subject: mt76: do not pass the received frame with decryption error
+
+From: Xing Song <xing.song@mediatek.com>
+
+[ Upstream commit dd28dea52ad9376d2b243a8981726646e1f60b1a ]
+
+MAC80211 doesn't care any decryption error in 802.3 path, so received
+frame will be dropped if HW tell us that the cipher configuration is not
+matched as well as the header has been translated to 802.3. This case only
+appears when IEEE80211_FCTL_PROTECTED is 0 and cipher suit is not none in
+the corresponding HW entry.
+
+The received frame is only reported to monitor interface if HW decryption
+block tell us there is ICV error or CCMP/BIP/WPI MIC error. Note in this
+case the reported frame is decrypted 802.11 frame and the payload may be
+malformed due to mismatched key.
+
+Signed-off-by: Xing Song <xing.song@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7603/mac.c | 4 ++++
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 9 ++++++++-
+ drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 9 ++++++++-
+ drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 9 ++++++++-
+ 4 files changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
+index fe03e31989bb1..a9ac61b9f854a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7603/mac.c
+@@ -525,6 +525,10 @@ mt7603_mac_fill_rx(struct mt7603_dev *dev, struct sk_buff *skb)
+       if (rxd2 & MT_RXD2_NORMAL_TKIP_MIC_ERR)
+               status->flag |= RX_FLAG_MMIC_ERROR;
++      /* ICV error or CCMP/BIP/WPI MIC error */
++      if (rxd2 & MT_RXD2_NORMAL_ICV_ERR)
++              status->flag |= RX_FLAG_ONLY_MONITOR;
++
+       if (FIELD_GET(MT_RXD2_NORMAL_SEC_MODE, rxd2) != 0 &&
+           !(rxd2 & (MT_RXD2_NORMAL_CLM | MT_RXD2_NORMAL_CM))) {
+               status->flag |= RX_FLAG_DECRYPTED;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index 423f69015e3ec..c79abce543f3b 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -286,9 +286,16 @@ static int mt7615_mac_fill_rx(struct mt7615_dev *dev, struct sk_buff *skb)
+       if (rxd2 & MT_RXD2_NORMAL_AMSDU_ERR)
+               return -EINVAL;
++      hdr_trans = rxd1 & MT_RXD1_NORMAL_HDR_TRANS;
++      if (hdr_trans && (rxd2 & MT_RXD2_NORMAL_CM))
++              return -EINVAL;
++
++      /* ICV error or CCMP/BIP/WPI MIC error */
++      if (rxd2 & MT_RXD2_NORMAL_ICV_ERR)
++              status->flag |= RX_FLAG_ONLY_MONITOR;
++
+       unicast = (rxd1 & MT_RXD1_NORMAL_ADDR_TYPE) == MT_RXD1_NORMAL_U2M;
+       idx = FIELD_GET(MT_RXD2_NORMAL_WLAN_IDX, rxd2);
+-      hdr_trans = rxd1 & MT_RXD1_NORMAL_HDR_TRANS;
+       status->wcid = mt7615_rx_get_wcid(dev, idx, unicast);
+       if (status->wcid) {
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+index 809dc18e5083c..38d66411444a1 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+@@ -426,9 +426,16 @@ mt7915_mac_fill_rx(struct mt7915_dev *dev, struct sk_buff *skb)
+       if (rxd2 & MT_RXD2_NORMAL_AMSDU_ERR)
+               return -EINVAL;
++      hdr_trans = rxd2 & MT_RXD2_NORMAL_HDR_TRANS;
++      if (hdr_trans && (rxd1 & MT_RXD1_NORMAL_CM))
++              return -EINVAL;
++
++      /* ICV error or CCMP/BIP/WPI MIC error */
++      if (rxd1 & MT_RXD1_NORMAL_ICV_ERR)
++              status->flag |= RX_FLAG_ONLY_MONITOR;
++
+       unicast = FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) == MT_RXD3_NORMAL_U2M;
+       idx = FIELD_GET(MT_RXD1_NORMAL_WLAN_IDX, rxd1);
+-      hdr_trans = rxd2 & MT_RXD2_NORMAL_HDR_TRANS;
+       status->wcid = mt7915_rx_get_wcid(dev, idx, unicast);
+       if (status->wcid) {
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index 321d9f1d3f865..7228b34c66436 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -428,10 +428,17 @@ mt7921_mac_fill_rx(struct mt7921_dev *dev, struct sk_buff *skb)
+       if (rxd2 & MT_RXD2_NORMAL_AMSDU_ERR)
+               return -EINVAL;
++      hdr_trans = rxd2 & MT_RXD2_NORMAL_HDR_TRANS;
++      if (hdr_trans && (rxd1 & MT_RXD1_NORMAL_CM))
++              return -EINVAL;
++
++      /* ICV error or CCMP/BIP/WPI MIC error */
++      if (rxd1 & MT_RXD1_NORMAL_ICV_ERR)
++              status->flag |= RX_FLAG_ONLY_MONITOR;
++
+       chfreq = FIELD_GET(MT_RXD3_NORMAL_CH_FREQ, rxd3);
+       unicast = FIELD_GET(MT_RXD3_NORMAL_ADDR_TYPE, rxd3) == MT_RXD3_NORMAL_U2M;
+       idx = FIELD_GET(MT_RXD1_NORMAL_WLAN_IDX, rxd1);
+-      hdr_trans = rxd2 & MT_RXD2_NORMAL_HDR_TRANS;
+       status->wcid = mt7921_rx_get_wcid(dev, idx, unicast);
+       if (status->wcid) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-fix-possible-oob-issue-in-mt76_calculate_defaul.patch b/queue-5.16/mt76-fix-possible-oob-issue-in-mt76_calculate_defaul.patch
new file mode 100644 (file)
index 0000000..21b831c
--- /dev/null
@@ -0,0 +1,50 @@
+From 48286a038cff9d8d1ab06978c9755cdc23aa9480 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 11:42:06 +0100
+Subject: mt76: fix possible OOB issue in mt76_calculate_default_rate
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d4f3d1c4d3c2bcce76a96a6562170664b25112f0 ]
+
+Cap max offset value to ARRAY_SIZE(mt76_rates) - 1 in
+mt76_calculate_default_rate routine in order to avoid possible Out Of
+Bound accesses.
+
+Fixes: 33920b2bf0483 ("mt76: add support for setting mcast rate")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
+index 62807dc311c19..b0869ff86c49f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -1494,7 +1494,6 @@ EXPORT_SYMBOL_GPL(mt76_init_queue);
+ u16 mt76_calculate_default_rate(struct mt76_phy *phy, int rateidx)
+ {
+       int offset = 0;
+-      struct ieee80211_rate *rate;
+       if (phy->chandef.chan->band != NL80211_BAND_2GHZ)
+               offset = 4;
+@@ -1503,9 +1502,11 @@ u16 mt76_calculate_default_rate(struct mt76_phy *phy, int rateidx)
+       if (rateidx < 0)
+               rateidx = 0;
+-      rate = &mt76_rates[offset + rateidx];
++      rateidx += offset;
++      if (rateidx >= ARRAY_SIZE(mt76_rates))
++              rateidx = offset;
+-      return rate->hw_value;
++      return mt76_rates[rateidx].hw_value;
+ }
+ EXPORT_SYMBOL_GPL(mt76_calculate_default_rate);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7615-fix-possible-deadlock-while-mt7615_regis.patch b/queue-5.16/mt76-mt7615-fix-possible-deadlock-while-mt7615_regis.patch
new file mode 100644 (file)
index 0000000..6c5432f
--- /dev/null
@@ -0,0 +1,51 @@
+From 1622f4da132c927afd68a289a95bcab7b376f251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 10:01:13 +0800
+Subject: mt76: mt7615: fix possible deadlock while mt7615_register_ext_phy()
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit 8c55516de3f9b76b9d9444e7890682ec2efc809f ]
+
+ieee80211_register_hw() is called with rtnl_lock held, and this could be
+caused lockdep from a work item that's on a workqueue that is flushed
+with the rtnl held.
+
+Move mt7615_register_ext_phy() outside the init_work().
+
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/pci_init.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/pci_init.c b/drivers/net/wireless/mediatek/mt76/mt7615/pci_init.c
+index a2465b49ecd0c..87b4aa52ee0f9 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/pci_init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/pci_init.c
+@@ -28,8 +28,6 @@ static void mt7615_pci_init_work(struct work_struct *work)
+               return;
+       mt7615_init_work(dev);
+-      if (dev->dbdc_support)
+-              mt7615_register_ext_phy(dev);
+ }
+ static int mt7615_init_hardware(struct mt7615_dev *dev)
+@@ -160,6 +158,12 @@ int mt7615_register_device(struct mt7615_dev *dev)
+       mt7615_init_txpower(dev, &dev->mphy.sband_2g.sband);
+       mt7615_init_txpower(dev, &dev->mphy.sband_5g.sband);
++      if (dev->dbdc_support) {
++              ret = mt7615_register_ext_phy(dev);
++              if (ret)
++                      return ret;
++      }
++
+       return mt7615_init_debugfs(dev);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7615-improve-wmm-index-allocation.patch b/queue-5.16/mt76-mt7615-improve-wmm-index-allocation.patch
new file mode 100644 (file)
index 0000000..9dcf1ad
--- /dev/null
@@ -0,0 +1,45 @@
+From f4c2b7fc4882b634ed3c087dbb86f84e26aad021 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 10:42:12 +0100
+Subject: mt76: mt7615: improve wmm index allocation
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 70fb028707c8871ef9e56b3ffa3d895e14956cc4 ]
+
+Typically all AP interfaces on a PHY will share the same WMM settings, while
+sta/mesh interfaces will usually inherit the settings from a remote device.
+In order minimize the likelihood of conflicting WMM settings, make all AP
+interfaces share one slot, and all non-AP interfaces another one.
+
+This also fixes running multiple AP interfaces on MT7613, which only has 3
+WMM slots.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/main.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+index 24c23d4951432..1fdcada157d6b 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+@@ -211,11 +211,9 @@ static int mt7615_add_interface(struct ieee80211_hw *hw,
+       mvif->mt76.omac_idx = idx;
+       mvif->mt76.band_idx = ext_phy;
+-      if (mt7615_ext_phy(dev))
+-              mvif->mt76.wmm_idx = ext_phy * (MT7615_MAX_WMM_SETS / 2) +
+-                              mvif->mt76.idx % (MT7615_MAX_WMM_SETS / 2);
+-      else
+-              mvif->mt76.wmm_idx = mvif->mt76.idx % MT7615_MAX_WMM_SETS;
++      mvif->mt76.wmm_idx = vif->type != NL80211_IFTYPE_AP;
++      if (ext_phy)
++              mvif->mt76.wmm_idx += 2;
+       dev->mt76.vif_mask |= BIT(mvif->mt76.idx);
+       dev->omac_mask |= BIT_ULL(mvif->mt76.omac_idx);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7915-fix-smps-operation-fail.patch b/queue-5.16/mt76-mt7915-fix-smps-operation-fail.patch
new file mode 100644 (file)
index 0000000..071a1c7
--- /dev/null
@@ -0,0 +1,164 @@
+From 195ed959b3fc5633a8b320a3f675ef9904dbe656 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 03:45:31 +0800
+Subject: mt76: mt7915: fix SMPS operation fail
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit 8f05835425ce3f669e4b6d7c2c39a9aa22e1506c ]
+
+TGn fails sending SM power save mode action frame to the AP to switch
+from dynamic SMPS mode to static mode.
+
+Reported-by: Fang Zhao <fang.zhao@mediatek.com>
+Signed-off-by: Fang Zhao <fang.zhao@mediatek.com>
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7915/mcu.c   | 81 ++++++++++++-------
+ .../net/wireless/mediatek/mt76/mt7915/mcu.h   |  8 ++
+ 2 files changed, 61 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index 852d5d97c70b1..8215b3d79bbdc 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -1752,33 +1752,6 @@ int mt7915_mcu_sta_update_hdr_trans(struct mt7915_dev *dev,
+                                    true);
+ }
+-int mt7915_mcu_add_smps(struct mt7915_dev *dev, struct ieee80211_vif *vif,
+-                      struct ieee80211_sta *sta)
+-{
+-      struct mt7915_vif *mvif = (struct mt7915_vif *)vif->drv_priv;
+-      struct mt7915_sta *msta = (struct mt7915_sta *)sta->drv_priv;
+-      struct wtbl_req_hdr *wtbl_hdr;
+-      struct tlv *sta_wtbl;
+-      struct sk_buff *skb;
+-
+-      skb = mt7915_mcu_alloc_sta_req(dev, mvif, msta,
+-                                     MT7915_STA_UPDATE_MAX_SIZE);
+-      if (IS_ERR(skb))
+-              return PTR_ERR(skb);
+-
+-      sta_wtbl = mt7915_mcu_add_tlv(skb, STA_REC_WTBL, sizeof(struct tlv));
+-
+-      wtbl_hdr = mt7915_mcu_alloc_wtbl_req(dev, msta, WTBL_SET, sta_wtbl,
+-                                           &skb);
+-      if (IS_ERR(wtbl_hdr))
+-              return PTR_ERR(wtbl_hdr);
+-
+-      mt7915_mcu_wtbl_smps_tlv(skb, sta, sta_wtbl, wtbl_hdr);
+-
+-      return mt76_mcu_skb_send_msg(&dev->mt76, skb,
+-                                   MCU_EXT_CMD(STA_REC_UPDATE), true);
+-}
+-
+ static inline bool
+ mt7915_is_ebf_supported(struct mt7915_phy *phy, struct ieee80211_vif *vif,
+                       struct ieee80211_sta *sta, bool bfee)
+@@ -2049,6 +2022,21 @@ mt7915_mcu_sta_bfee_tlv(struct mt7915_dev *dev, struct sk_buff *skb,
+       bfee->fb_identity_matrix = (nrow == 1 && tx_ant == 2);
+ }
++static enum mcu_mmps_mode
++mt7915_mcu_get_mmps_mode(enum ieee80211_smps_mode smps)
++{
++      switch (smps) {
++      case IEEE80211_SMPS_OFF:
++              return MCU_MMPS_DISABLE;
++      case IEEE80211_SMPS_STATIC:
++              return MCU_MMPS_STATIC;
++      case IEEE80211_SMPS_DYNAMIC:
++              return MCU_MMPS_DYNAMIC;
++      default:
++              return MCU_MMPS_DISABLE;
++      }
++}
++
+ int mt7915_mcu_set_fixed_rate_ctrl(struct mt7915_dev *dev,
+                                  struct ieee80211_vif *vif,
+                                  struct ieee80211_sta *sta,
+@@ -2076,7 +2064,11 @@ int mt7915_mcu_set_fixed_rate_ctrl(struct mt7915_dev *dev,
+       case RATE_PARAM_FIXED_MCS:
+       case RATE_PARAM_FIXED_GI:
+       case RATE_PARAM_FIXED_HE_LTF:
+-              ra->phy = *phy;
++              if (phy)
++                      ra->phy = *phy;
++              break;
++      case RATE_PARAM_MMPS_UPDATE:
++              ra->mmps_mode = mt7915_mcu_get_mmps_mode(sta->smps_mode);
+               break;
+       default:
+               break;
+@@ -2087,6 +2079,39 @@ int mt7915_mcu_set_fixed_rate_ctrl(struct mt7915_dev *dev,
+                                    MCU_EXT_CMD(STA_REC_UPDATE), true);
+ }
++int mt7915_mcu_add_smps(struct mt7915_dev *dev, struct ieee80211_vif *vif,
++                      struct ieee80211_sta *sta)
++{
++      struct mt7915_vif *mvif = (struct mt7915_vif *)vif->drv_priv;
++      struct mt7915_sta *msta = (struct mt7915_sta *)sta->drv_priv;
++      struct wtbl_req_hdr *wtbl_hdr;
++      struct tlv *sta_wtbl;
++      struct sk_buff *skb;
++      int ret;
++
++      skb = mt7915_mcu_alloc_sta_req(dev, mvif, msta,
++                                     MT7915_STA_UPDATE_MAX_SIZE);
++      if (IS_ERR(skb))
++              return PTR_ERR(skb);
++
++      sta_wtbl = mt7915_mcu_add_tlv(skb, STA_REC_WTBL, sizeof(struct tlv));
++
++      wtbl_hdr = mt7915_mcu_alloc_wtbl_req(dev, msta, WTBL_SET, sta_wtbl,
++                                           &skb);
++      if (IS_ERR(wtbl_hdr))
++              return PTR_ERR(wtbl_hdr);
++
++      mt7915_mcu_wtbl_smps_tlv(skb, sta, sta_wtbl, wtbl_hdr);
++
++      ret = mt76_mcu_skb_send_msg(&dev->mt76, skb,
++                                  MCU_EXT_CMD(STA_REC_UPDATE), true);
++      if (ret)
++              return ret;
++
++      return mt7915_mcu_set_fixed_rate_ctrl(dev, vif, sta, NULL,
++                                            RATE_PARAM_MMPS_UPDATE);
++}
++
+ static int
+ mt7915_mcu_add_rate_ctrl_fixed(struct mt7915_dev *dev,
+                              struct ieee80211_vif *vif,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
+index 1f5a64ba9b59d..628e90d0c394e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.h
+@@ -365,6 +365,13 @@ enum {
+       MCU_PHY_STATE_OFDMLQ_CNINFO,
+ };
++enum mcu_mmps_mode {
++      MCU_MMPS_STATIC,
++      MCU_MMPS_DYNAMIC,
++      MCU_MMPS_RSV,
++      MCU_MMPS_DISABLE,
++};
++
+ #define STA_TYPE_STA                  BIT(0)
+ #define STA_TYPE_AP                   BIT(1)
+ #define STA_TYPE_ADHOC                        BIT(2)
+@@ -960,6 +967,7 @@ struct sta_rec_ra_fixed {
+ enum {
+       RATE_PARAM_FIXED = 3,
++      RATE_PARAM_MMPS_UPDATE = 5,
+       RATE_PARAM_FIXED_HE_LTF = 7,
+       RATE_PARAM_FIXED_MCS,
+       RATE_PARAM_FIXED_GI = 11,
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-drop-offload_flags-overwritten.patch b/queue-5.16/mt76-mt7921-drop-offload_flags-overwritten.patch
new file mode 100644 (file)
index 0000000..97905ca
--- /dev/null
@@ -0,0 +1,44 @@
+From 7c8ab2cfd59b83a7e3fa5588e9142847e2175d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 06:29:58 +0800
+Subject: mt76: mt7921: drop offload_flags overwritten
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 2363b6a646b65a207345b9a9024dff0eff3fec44 ]
+
+offload_flags have to be dropped for mt7921 because mt76.omac_idx 0 would
+always run as station mode that would cause Tx encapsulation setting
+is not applied to mac80211.
+
+Also, drop IEEE80211_OFFLOAD_ENCAP_4ADDR too because it is not really
+being supported.
+
+Fixes: e0f9fdda81bd ("mt76: mt7921: add ieee80211_ops")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 633c6d2a57acd..b144f5491798a 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -318,12 +318,6 @@ static int mt7921_add_interface(struct ieee80211_hw *hw,
+               mtxq->wcid = &mvif->sta.wcid;
+       }
+-      if (vif->type != NL80211_IFTYPE_AP &&
+-          (!mvif->mt76.omac_idx || mvif->mt76.omac_idx > 3))
+-              vif->offload_flags = 0;
+-
+-      vif->offload_flags |= IEEE80211_OFFLOAD_ENCAP_4ADDR;
+-
+ out:
+       mt7921_mutex_release(dev);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-fix-a-possible-race-enabling-disabling-r.patch b/queue-5.16/mt76-mt7921-fix-a-possible-race-enabling-disabling-r.patch
new file mode 100644 (file)
index 0000000..e356454
--- /dev/null
@@ -0,0 +1,82 @@
+From f0e2ee19f1ce211754de6269a93b35cd9b30b784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 14:57:09 +0100
+Subject: mt76: mt7921: fix a possible race enabling/disabling runtime-pm
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d430dffbe9dd30759f3c64b65bf85b0245c8d8ab ]
+
+Fix a possible race enabling/disabling runtime-pm between
+mt7921_pm_set() and mt7921_poll_rx() since mt7921_pm_wake_work()
+always schedules rx-napi callback and it will trigger
+mt7921_pm_power_save_work routine putting chip to in low-power state
+during mt7921_pm_set processing.
+
+Suggested-by: Deren Wu <deren.wu@mediatek.com>
+Tested-by: Deren Wu <deren.wu@mediatek.com>
+Fixes: 1d8efc741df8 ("mt76: mt7921: introduce Runtime PM support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/0f3e075a2033dc05f09dab4059e5be8cbdccc239.1640094847.git.lorenzo@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c |  3 ---
+ drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c  | 12 +++++++++---
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+index af43bcb545781..306e9eaea9177 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+@@ -7,9 +7,6 @@ int mt76_connac_pm_wake(struct mt76_phy *phy, struct mt76_connac_pm *pm)
+ {
+       struct mt76_dev *dev = phy->dev;
+-      if (!pm->enable)
+-              return 0;
+-
+       if (mt76_is_usb(dev))
+               return 0;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c
+index 7cdfdf83529f6..86fd7292b229f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c
+@@ -276,7 +276,7 @@ mt7921_pm_set(void *data, u64 val)
+       struct mt7921_dev *dev = data;
+       struct mt76_connac_pm *pm = &dev->pm;
+-      mt7921_mutex_acquire(dev);
++      mutex_lock(&dev->mt76.mutex);
+       if (val == pm->enable)
+               goto out;
+@@ -285,7 +285,11 @@ mt7921_pm_set(void *data, u64 val)
+               pm->stats.last_wake_event = jiffies;
+               pm->stats.last_doze_event = jiffies;
+       }
+-      pm->enable = val;
++      /* make sure the chip is awake here and ps_work is scheduled
++       * just at end of the this routine.
++       */
++      pm->enable = false;
++      mt76_connac_pm_wake(&dev->mphy, pm);
+       ieee80211_iterate_active_interfaces(mt76_hw(dev),
+                                           IEEE80211_IFACE_ITER_RESUME_ALL,
+@@ -293,8 +297,10 @@ mt7921_pm_set(void *data, u64 val)
+       mt76_connac_mcu_set_deep_sleep(&dev->mt76, pm->ds_enable);
++      pm->enable = val;
++      mt76_connac_power_save_sched(&dev->mphy, pm);
+ out:
+-      mt7921_mutex_release(dev);
++      mutex_unlock(&dev->mt76.mutex);
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-fix-mt7921e-reset-failure.patch b/queue-5.16/mt76-mt7921-fix-mt7921e-reset-failure.patch
new file mode 100644 (file)
index 0000000..43d532a
--- /dev/null
@@ -0,0 +1,67 @@
+From ac267e4d578b4b5cebc7dcdd3228c7487028fd71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 08:05:16 +0800
+Subject: mt76: mt7921: fix MT7921E reset failure
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 0efaf31dec572d3aac4316c6d952e06d1c33adc4 ]
+
+There is a missing mt7921e_driver_own in the MT7921E reset procedure
+since the mt7921 mcu.c has been refactored for MT7921S, that will
+result in MT7921E reset failure, so add it back now.
+
+Fixes: dfc7743de1eb ("mt76: mt7921: refactor mcu.c to be bus independent")
+Reported-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h  | 1 +
+ drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c | 4 ++++
+ drivers/net/wireless/mediatek/mt76/mt7921/pci_mcu.c | 2 +-
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h b/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
+index e9c7c3a195076..d6b823713ba33 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
+@@ -446,6 +446,7 @@ int mt7921_mcu_restart(struct mt76_dev *dev);
+ void mt7921e_queue_rx_skb(struct mt76_dev *mdev, enum mt76_rxq_id q,
+                         struct sk_buff *skb);
++int mt7921e_driver_own(struct mt7921_dev *dev);
+ int mt7921e_mac_reset(struct mt7921_dev *dev);
+ int mt7921e_mcu_init(struct mt7921_dev *dev);
+ int mt7921s_wfsys_reset(struct mt7921_dev *dev);
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c
+index f9547d27356e1..85286cc9add14 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci_mac.c
+@@ -321,6 +321,10 @@ int mt7921e_mac_reset(struct mt7921_dev *dev)
+               MT_INT_MCU_CMD);
+       mt76_wr(dev, MT_PCIE_MAC_INT_ENABLE, 0xff);
++      err = mt7921e_driver_own(dev);
++      if (err)
++              return err;
++
+       err = mt7921_run_firmware(dev);
+       if (err)
+               goto out;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci_mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci_mcu.c
+index 583a89a34734a..7b34c7f2ab3a6 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci_mcu.c
+@@ -4,7 +4,7 @@
+ #include "mt7921.h"
+ #include "mcu.h"
+-static int mt7921e_driver_own(struct mt7921_dev *dev)
++int mt7921e_driver_own(struct mt7921_dev *dev)
+ {
+       u32 reg = mt7921_reg_map_l1(dev, MT_TOP_LPCR_HOST_BAND0);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-fix-network-buffer-leak-by-txs-missing.patch b/queue-5.16/mt76-mt7921-fix-network-buffer-leak-by-txs-missing.patch
new file mode 100644 (file)
index 0000000..d5491d6
--- /dev/null
@@ -0,0 +1,118 @@
+From d37827ebb2c223db7524165e2975614d8c3c73be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 22:59:55 +0800
+Subject: mt76: mt7921: fix network buffer leak by txs missing
+
+From: Deren Wu <deren.wu@mediatek.com>
+
+[ Upstream commit e0bf699ad8e52330d848144a9624a067ad588bd6 ]
+
+TXS in mt7921 may be forwared to tx_done event. Should try to catch
+TXS information in tx_done event as well.
+
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7921/mac.c   |  2 +-
+ .../net/wireless/mediatek/mt76/mt7921/mcu.c   | 14 ++++++++++
+ .../net/wireless/mediatek/mt76/mt7921/mcu.h   | 27 +++++++++++++++++++
+ .../wireless/mediatek/mt76/mt7921/mt7921.h    |  1 +
+ 4 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index 7228b34c66436..fc21a78b37c49 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -1072,7 +1072,7 @@ out:
+       return !!skb;
+ }
+-static void mt7921_mac_add_txs(struct mt7921_dev *dev, void *data)
++void mt7921_mac_add_txs(struct mt7921_dev *dev, void *data)
+ {
+       struct mt7921_sta *msta = NULL;
+       struct mt76_wcid *wcid;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+index 1cc1c32ca258e..484a8c57b862e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -391,6 +391,17 @@ mt7921_mcu_low_power_event(struct mt7921_dev *dev, struct sk_buff *skb)
+       trace_lp_event(dev, event->state);
+ }
++static void
++mt7921_mcu_tx_done_event(struct mt7921_dev *dev, struct sk_buff *skb)
++{
++      struct mt7921_mcu_tx_done_event *event;
++
++      skb_pull(skb, sizeof(struct mt7921_mcu_rxd));
++      event = (struct mt7921_mcu_tx_done_event *)skb->data;
++
++      mt7921_mac_add_txs(dev, event->txs);
++}
++
+ static void
+ mt7921_mcu_rx_unsolicited_event(struct mt7921_dev *dev, struct sk_buff *skb)
+ {
+@@ -418,6 +429,9 @@ mt7921_mcu_rx_unsolicited_event(struct mt7921_dev *dev, struct sk_buff *skb)
+       case MCU_EVENT_LP_INFO:
+               mt7921_mcu_low_power_event(dev, skb);
+               break;
++      case MCU_EVENT_TX_DONE:
++              mt7921_mcu_tx_done_event(dev, skb);
++              break;
+       default:
+               break;
+       }
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h
+index edc0c73f8c01c..68cb0ce013dbd 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h
+@@ -91,6 +91,33 @@ enum {
+       MCU_EVENT_COREDUMP = 0xf0,
+ };
++struct mt7921_mcu_tx_done_event {
++      u8 pid;
++      u8 status;
++      __le16 seq;
++
++      u8 wlan_idx;
++      u8 tx_cnt;
++      __le16 tx_rate;
++
++      u8 flag;
++      u8 tid;
++      u8 rsp_rate;
++      u8 mcs;
++
++      u8 bw;
++      u8 tx_pwr;
++      u8 reason;
++      u8 rsv0[1];
++
++      __le32 delay;
++      __le32 timestamp;
++      __le32 applied_flag;
++      u8 txs[28];
++
++      u8 rsv1[32];
++} __packed;
++
+ /* ext event table */
+ enum {
+       MCU_EXT_EVENT_RATE_REPORT = 0x87,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h b/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
+index d6b823713ba33..96647801850a5 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mt7921.h
+@@ -464,4 +464,5 @@ int mt7921s_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
+                          struct mt76_tx_info *tx_info);
+ void mt7921s_tx_complete_skb(struct mt76_dev *mdev, struct mt76_queue_entry *e);
+ bool mt7921s_tx_status_data(struct mt76_dev *mdev, u8 *update);
++void mt7921_mac_add_txs(struct mt7921_dev *dev, void *data);
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-fix-possible-null-pointer-dereference-in.patch b/queue-5.16/mt76-mt7921-fix-possible-null-pointer-dereference-in.patch
new file mode 100644 (file)
index 0000000..d0ec5ab
--- /dev/null
@@ -0,0 +1,37 @@
+From c2f04c874313be99a3902fc6cfd4ddb0715dea9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 11:50:27 +0100
+Subject: mt76: mt7921: fix possible NULL pointer dereference in
+ mt7921_mac_write_txwi
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit ec2ebc1c5a5ce49538fa78108c53eaf722eee908 ]
+
+Fix a possible NULL pointer deference issue in mt7921_mac_write_txwi
+routine if vif is NULL.
+
+Fixes: 33920b2bf0483 ("mt76: add support for setting mcast rate")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index db3302b1576a0..321d9f1d3f865 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -903,7 +903,7 @@ void mt7921_mac_write_txwi(struct mt7921_dev *dev, __le32 *txwi,
+               mt7921_mac_write_txwi_80211(dev, txwi, skb, key);
+       if (txwi[2] & cpu_to_le32(MT_TXD2_FIX_RATE)) {
+-              int rateidx = ffs(vif->bss_conf.basic_rates) - 1;
++              int rateidx = vif ? ffs(vif->bss_conf.basic_rates) - 1 : 0;
+               u16 rate, mode;
+               /* hardware won't add HTC for mgmt/ctrl frame */
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-fix-possible-resume-failure.patch b/queue-5.16/mt76-mt7921-fix-possible-resume-failure.patch
new file mode 100644 (file)
index 0000000..d6ac53e
--- /dev/null
@@ -0,0 +1,58 @@
+From fd3e22e60e74916f32575f0447be01ddb54702ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 05:25:35 +0800
+Subject: mt76: mt7921: fix possible resume failure
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 5375001bb4ce22801bf3bb566cc3e67d2d3a5dc0 ]
+
+Fix the possible resume failure due to mt76_connac_mcu_set_hif_suspend
+timeout.
+
+That is because clearing the flag pm->suspended too early opened up a race
+window, where mt7921_poll_tx/rx scheduled a ps_work to put the device in
+doze mode, that is unexpected for the device is being resumed from the
+suspend state and would make the remaining MCU comamnds in resume handler
+failed to execute.
+
+Fixes: ffa1bf97425b ("mt76: mt7921: introduce PM support")
+Co-developed-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+index c29dde23d4ab1..40186e6cd865e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+@@ -313,7 +313,6 @@ static int mt7921_pci_resume(struct pci_dev *pdev)
+       struct mt76_connac_pm *pm = &dev->pm;
+       int i, err;
+-      pm->suspended = false;
+       err = pci_set_power_state(pdev, PCI_D0);
+       if (err)
+               return err;
+@@ -351,7 +350,13 @@ static int mt7921_pci_resume(struct pci_dev *pdev)
+       if (!pm->ds_enable)
+               mt76_connac_mcu_set_deep_sleep(&dev->mt76, false);
+-      return mt76_connac_mcu_set_hif_suspend(mdev, false);
++      err = mt76_connac_mcu_set_hif_suspend(mdev, false);
++      if (err)
++              return err;
++
++      pm->suspended = false;
++
++      return err;
+ }
+ #endif /* CONFIG_PM */
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-move-mt76_connac_mcu_set_hif_suspend-to-.patch b/queue-5.16/mt76-mt7921-move-mt76_connac_mcu_set_hif_suspend-to-.patch
new file mode 100644 (file)
index 0000000..65e37f2
--- /dev/null
@@ -0,0 +1,182 @@
+From 0b89858f7fedc45295a76d6bee653c30d162963f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Nov 2021 07:22:10 +0800
+Subject: mt76: mt7921: move mt76_connac_mcu_set_hif_suspend to bus-related
+ files
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 6906aa93eb93d54a42ce1902f00d6ea04ecb039b ]
+
+This is a preliminary patch for the following patch
+("mt76: mt7921s: fix the device cannot sleep deeply in suspend).
+
+mt76_connac_mcu_set_hif_suspend eventually would be handled in each
+bus-level suspend/resume handler in either mt7921/sdio.c or mt7921/pci.c
+depending on what type of the bus the device is running on. We can move
+mt76_connac_mcu_set_hif_suspend to bus-related files to simplify the logic.
+
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7921/main.c   | 13 ++-----------
+ .../net/wireless/mediatek/mt76/mt7921/pci.c    | 18 +++++-------------
+ .../net/wireless/mediatek/mt76/mt7921/sdio.c   | 18 +++++-------------
+ 3 files changed, 12 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index b144f5491798a..e022251b40069 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1232,7 +1232,6 @@ static int mt7921_suspend(struct ieee80211_hw *hw,
+ {
+       struct mt7921_dev *dev = mt7921_hw_dev(hw);
+       struct mt7921_phy *phy = mt7921_hw_phy(hw);
+-      int err;
+       cancel_delayed_work_sync(&phy->scan_work);
+       cancel_delayed_work_sync(&phy->mt76->mac_work);
+@@ -1250,25 +1249,18 @@ static int mt7921_suspend(struct ieee80211_hw *hw,
+                                           mt76_connac_mcu_set_suspend_iter,
+                                           &dev->mphy);
+-      err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true);
+-
+       mt7921_mutex_release(dev);
+-      return err;
++      return 0;
+ }
+ static int mt7921_resume(struct ieee80211_hw *hw)
+ {
+       struct mt7921_dev *dev = mt7921_hw_dev(hw);
+       struct mt7921_phy *phy = mt7921_hw_phy(hw);
+-      int err;
+       mt7921_mutex_acquire(dev);
+-      err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
+-      if (err < 0)
+-              goto out;
+-
+       set_bit(MT76_STATE_RUNNING, &phy->mt76->state);
+       clear_bit(MT76_STATE_SUSPEND, &phy->mt76->state);
+       ieee80211_iterate_active_interfaces(hw,
+@@ -1278,11 +1270,10 @@ static int mt7921_resume(struct ieee80211_hw *hw)
+       ieee80211_queue_delayed_work(hw, &phy->mt76->mac_work,
+                                    MT7921_WATCHDOG_TIME);
+-out:
+       mt7921_mutex_release(dev);
+-      return err;
++      return 0;
+ }
+ static void mt7921_set_wakeup(struct ieee80211_hw *hw, bool enabled)
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+index 305b63fa1a8a9..c29dde23d4ab1 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+@@ -235,7 +235,6 @@ static int mt7921_pci_suspend(struct pci_dev *pdev, pm_message_t state)
+       struct mt76_dev *mdev = pci_get_drvdata(pdev);
+       struct mt7921_dev *dev = container_of(mdev, struct mt7921_dev, mt76);
+       struct mt76_connac_pm *pm = &dev->pm;
+-      bool hif_suspend;
+       int i, err;
+       pm->suspended = true;
+@@ -246,12 +245,9 @@ static int mt7921_pci_suspend(struct pci_dev *pdev, pm_message_t state)
+       if (err < 0)
+               goto restore_suspend;
+-      hif_suspend = !test_bit(MT76_STATE_SUSPEND, &dev->mphy.state);
+-      if (hif_suspend) {
+-              err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+-              if (err)
+-                      goto restore_suspend;
+-      }
++      err = mt76_connac_mcu_set_hif_suspend(mdev, true);
++      if (err)
++              goto restore_suspend;
+       /* always enable deep sleep during suspend to reduce
+        * power consumption
+@@ -302,8 +298,7 @@ restore_napi:
+       if (!pm->ds_enable)
+               mt76_connac_mcu_set_deep_sleep(&dev->mt76, false);
+-      if (hif_suspend)
+-              mt76_connac_mcu_set_hif_suspend(mdev, false);
++      mt76_connac_mcu_set_hif_suspend(mdev, false);
+ restore_suspend:
+       pm->suspended = false;
+@@ -356,10 +351,7 @@ static int mt7921_pci_resume(struct pci_dev *pdev)
+       if (!pm->ds_enable)
+               mt76_connac_mcu_set_deep_sleep(&dev->mt76, false);
+-      if (!test_bit(MT76_STATE_SUSPEND, &dev->mphy.state))
+-              err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+-
+-      return err;
++      return mt76_connac_mcu_set_hif_suspend(mdev, false);
+ }
+ #endif /* CONFIG_PM */
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+index ddf0eeb8b6889..5fee489c7a998 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+@@ -203,7 +203,6 @@ static int mt7921s_suspend(struct device *__dev)
+       struct mt7921_dev *dev = sdio_get_drvdata(func);
+       struct mt76_connac_pm *pm = &dev->pm;
+       struct mt76_dev *mdev = &dev->mt76;
+-      bool hif_suspend;
+       int err;
+       pm->suspended = true;
+@@ -214,12 +213,9 @@ static int mt7921s_suspend(struct device *__dev)
+       if (err < 0)
+               goto restore_suspend;
+-      hif_suspend = !test_bit(MT76_STATE_SUSPEND, &dev->mphy.state);
+-      if (hif_suspend) {
+-              err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+-              if (err)
+-                      goto restore_suspend;
+-      }
++      err = mt76_connac_mcu_set_hif_suspend(mdev, true);
++      if (err)
++              goto restore_suspend;
+       /* always enable deep sleep during suspend to reduce
+        * power consumption
+@@ -253,8 +249,7 @@ restore_worker:
+       if (!pm->ds_enable)
+               mt76_connac_mcu_set_deep_sleep(mdev, false);
+-      if (hif_suspend)
+-              mt76_connac_mcu_set_hif_suspend(mdev, false);
++      mt76_connac_mcu_set_hif_suspend(mdev, false);
+ restore_suspend:
+       pm->suspended = false;
+@@ -285,10 +280,7 @@ static int mt7921s_resume(struct device *__dev)
+       if (!pm->ds_enable)
+               mt76_connac_mcu_set_deep_sleep(mdev, false);
+-      if (!test_bit(MT76_STATE_SUSPEND, &dev->mphy.state))
+-              err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+-
+-      return err;
++      return mt76_connac_mcu_set_hif_suspend(mdev, false);
+ }
+ static const struct dev_pm_ops mt7921s_pm_ops = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921-use-correct-iftype-data-on-6ghz-cap-init.patch b/queue-5.16/mt76-mt7921-use-correct-iftype-data-on-6ghz-cap-init.patch
new file mode 100644 (file)
index 0000000..5fae277
--- /dev/null
@@ -0,0 +1,37 @@
+From d6836c19964c22758bdc4b60055fa01ada44f44e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Nov 2021 00:53:16 +0800
+Subject: mt76: mt7921: use correct iftype data on 6GHz cap init
+
+From: Shayne Chen <shayne.chen@mediatek.com>
+
+[ Upstream commit 00ff52346d74c38787ff8b4acde8c5671d9b7fe2 ]
+
+Set 6GHz cap to iftype data which is matched to the type of
+current interface.
+
+Fixes: 50ac15a511e3 ("mt76: mt7921: add 6GHz support")
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 0b2a6b7f22eae..21e745fddc9c3 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -166,7 +166,7 @@ mt7921_init_he_caps(struct mt7921_phy *phy, enum nl80211_band band,
+                       if (vht_cap->cap & IEEE80211_VHT_CAP_RX_ANTENNA_PATTERN)
+                               cap |= IEEE80211_HE_6GHZ_CAP_RX_ANTPAT_CONS;
+-                      data->he_6ghz_capa.capa = cpu_to_le16(cap);
++                      data[idx].he_6ghz_capa.capa = cpu_to_le16(cap);
+               }
+               idx++;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921s-fix-possible-kernel-crash-due-to-invali.patch b/queue-5.16/mt76-mt7921s-fix-possible-kernel-crash-due-to-invali.patch
new file mode 100644 (file)
index 0000000..a02fa1d
--- /dev/null
@@ -0,0 +1,57 @@
+From ff8f316e5464db2695cab28a8ab7c5e51196f34f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 07:05:28 +0800
+Subject: mt76: mt7921s: fix possible kernel crash due to invalid Rx count
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 2b7f3574ca9a7ff4a6b4ec1ae4dfdfde481ac80b ]
+
+Return the proper error code when out-of-range the Rx aggregation count
+are reported from the hardware that would create the unreasonable extreme
+large Rx buffer.
+
+[  100.873810]  show_stack+0x20/0x2c
+[  100.873823]  dump_stack+0xc4/0x140
+[  100.873839]  bad_page+0x110/0x114
+[  100.873854]  check_new_pages+0xf8/0xfc
+[  100.873869]  rmqueue+0x5a0/0x640
+[  100.873884]  get_page_from_freelist+0x124/0x20c
+[  100.873898]  __alloc_pages_nodemask+0x114/0x2a4
+[  100.873918]  mt76s_rx_run_queue+0xd4/0x2e4 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
+[  100.873938]  mt76s_rx_handler+0xd4/0x2a0 [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
+[  100.873957]  mt76s_txrx_worker+0xac/0x17c [mt76_sdio 8280a88a0c8c9cf203f16e194f99ac293bdbb2f5]
+[  100.873977]  mt7921s_txrx_worker+0x5c/0xd8 [mt7921s d0bdbc018082dbc8dc1407614be3c2e7bd64423b]
+[  100.874003]  __mt76_worker_fn+0xe8/0x170 [mt76 b80af3483a8f9d48e916c12d8dbfaa0d3cd15337]
+[  100.874018]  kthread+0x148/0x3ac
+[  100.874032]  ret_from_fork+0x10/0x30
+[  100.874067] Kernel Offset: 0x1fe2000000 from 0xffffffc010000000
+[  100.874079] PHYS_OFFSET: 0xffffffe800000000
+[  100.874090] CPU features: 0x0240002,2188200c
+
+Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+index 5c88b6b8d0979..84be229a899da 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+@@ -62,6 +62,10 @@ static int mt7921s_parse_intr(struct mt76_dev *dev, struct mt76s_intr *intr)
+       if (err < 0)
+               return err;
++      if (irq_data->rx.num[0] > 16 ||
++          irq_data->rx.num[1] > 128)
++              return -EINVAL;
++
+       intr->isr = irq_data->isr;
+       intr->rec_mb = irq_data->rec_mb;
+       intr->tx.wtqcr = irq_data->tx.wtqcr;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921s-fix-suspend-error-with-enlarging-mcu-ti.patch b/queue-5.16/mt76-mt7921s-fix-suspend-error-with-enlarging-mcu-ti.patch
new file mode 100644 (file)
index 0000000..82e5448
--- /dev/null
@@ -0,0 +1,42 @@
+From 5e0aaad97ab770a02e53f70c43e2b5d3d33d880e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 05:25:37 +0800
+Subject: mt76: mt7921s: fix suspend error with enlarging mcu timeout value
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 1bb42a354d8ca2888c7c2fcbf0add410176a33dc ]
+
+Fix the false positive suspend error that may occur on mt7921s
+with enlarging mcu timeout value.
+
+The reason why we have to enlarge mcu timeout from HZ / 3 to HZ is
+we should consider the additional overhead caused by running
+concurrently with btmtksdio (a MT7921 bluetooth SDIO driver) that
+would compete for the same SDIO bus in process context to complete
+the suspend procedure.
+
+Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+index e741db152c0d2..1cc1c32ca258e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+@@ -229,7 +229,7 @@ int mt7921_mcu_fill_message(struct mt76_dev *mdev, struct sk_buff *skb,
+       if (cmd == MCU_UNI_CMD(HIF_CTRL) ||
+           cmd == MCU_UNI_CMD(SUSPEND) ||
+           cmd == MCU_UNI_CMD(OFFLOAD))
+-              mdev->mcu.timeout = HZ / 3;
++              mdev->mcu.timeout = HZ;
+       else
+               mdev->mcu.timeout = 3 * HZ;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mt76-mt7921s-fix-the-device-cannot-sleep-deeply-in-s.patch b/queue-5.16/mt76-mt7921s-fix-the-device-cannot-sleep-deeply-in-s.patch
new file mode 100644 (file)
index 0000000..97c812c
--- /dev/null
@@ -0,0 +1,181 @@
+From c28d34549b485decd33afe2aacfb5c0bab50fda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Nov 2021 07:22:11 +0800
+Subject: mt76: mt7921s: fix the device cannot sleep deeply in suspend
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 5ad4faca7690a88b4529238c757b6b8ead8056ec ]
+
+According to the MT7921S firmware, the cmd MCU_UNI_CMD_HIF_CTRL have to
+be last MCU command to execute in suspend handler and all data traffic
+have to be stopped before the cmd MCU_UNI_CMD_HIF_CTRL starts as well
+in order that mt7921 can successfully fall into the deep sleep mode.
+
+Where we reuse the flag MT76_STATE_SUSPEND and avoid creating
+another global flag to stop all of the traffic onto the SDIO bus.
+
+Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support")
+Reported-by: Leon Yen <leon.yen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/mediatek/mt76/mt76_connac_mcu.c  |  2 +-
+ .../net/wireless/mediatek/mt76/mt7921/main.c  |  3 --
+ .../net/wireless/mediatek/mt76/mt7921/sdio.c  | 34 ++++++++++++-------
+ drivers/net/wireless/mediatek/mt76/sdio.c     |  3 +-
+ .../net/wireless/mediatek/mt76/sdio_txrx.c    |  3 +-
+ 5 files changed, 27 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index 26b4b875dcc02..61c4c86e79c88 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -2461,7 +2461,7 @@ void mt76_connac_mcu_set_suspend_iter(void *priv, u8 *mac,
+                                     struct ieee80211_vif *vif)
+ {
+       struct mt76_phy *phy = priv;
+-      bool suspend = test_bit(MT76_STATE_SUSPEND, &phy->state);
++      bool suspend = !test_bit(MT76_STATE_RUNNING, &phy->state);
+       struct ieee80211_hw *hw = phy->hw;
+       struct cfg80211_wowlan *wowlan = hw->wiphy->wowlan_config;
+       int i;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index e022251b40069..0b2a6b7f22eae 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1242,8 +1242,6 @@ static int mt7921_suspend(struct ieee80211_hw *hw,
+       mt7921_mutex_acquire(dev);
+       clear_bit(MT76_STATE_RUNNING, &phy->mt76->state);
+-
+-      set_bit(MT76_STATE_SUSPEND, &phy->mt76->state);
+       ieee80211_iterate_active_interfaces(hw,
+                                           IEEE80211_IFACE_ITER_RESUME_ALL,
+                                           mt76_connac_mcu_set_suspend_iter,
+@@ -1262,7 +1260,6 @@ static int mt7921_resume(struct ieee80211_hw *hw)
+       mt7921_mutex_acquire(dev);
+       set_bit(MT76_STATE_RUNNING, &phy->mt76->state);
+-      clear_bit(MT76_STATE_SUSPEND, &phy->mt76->state);
+       ieee80211_iterate_active_interfaces(hw,
+                                           IEEE80211_IFACE_ITER_RESUME_ALL,
+                                           mt76_connac_mcu_set_suspend_iter,
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+index 5fee489c7a998..5c88b6b8d0979 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+@@ -206,6 +206,8 @@ static int mt7921s_suspend(struct device *__dev)
+       int err;
+       pm->suspended = true;
++      set_bit(MT76_STATE_SUSPEND, &mdev->phy.state);
++
+       cancel_delayed_work_sync(&pm->ps_work);
+       cancel_work_sync(&pm->wake_work);
+@@ -213,10 +215,6 @@ static int mt7921s_suspend(struct device *__dev)
+       if (err < 0)
+               goto restore_suspend;
+-      err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+-      if (err)
+-              goto restore_suspend;
+-
+       /* always enable deep sleep during suspend to reduce
+        * power consumption
+        */
+@@ -224,34 +222,45 @@ static int mt7921s_suspend(struct device *__dev)
+       mt76_txq_schedule_all(&dev->mphy);
+       mt76_worker_disable(&mdev->tx_worker);
+-      mt76_worker_disable(&mdev->sdio.txrx_worker);
+       mt76_worker_disable(&mdev->sdio.status_worker);
+-      mt76_worker_disable(&mdev->sdio.net_worker);
+       cancel_work_sync(&mdev->sdio.stat_work);
+       clear_bit(MT76_READING_STATS, &dev->mphy.state);
+-
+       mt76_tx_status_check(mdev, true);
+-      err = mt7921_mcu_fw_pmctrl(dev);
++      mt76_worker_schedule(&mdev->sdio.txrx_worker);
++      wait_event_timeout(dev->mt76.sdio.wait,
++                         mt76s_txqs_empty(&dev->mt76), 5 * HZ);
++
++      /* It is supposed that SDIO bus is idle at the point */
++      err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+       if (err)
+               goto restore_worker;
++      mt76_worker_disable(&mdev->sdio.txrx_worker);
++      mt76_worker_disable(&mdev->sdio.net_worker);
++
++      err = mt7921_mcu_fw_pmctrl(dev);
++      if (err)
++              goto restore_txrx_worker;
++
+       sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER);
+       return 0;
++restore_txrx_worker:
++      mt76_worker_enable(&mdev->sdio.net_worker);
++      mt76_worker_enable(&mdev->sdio.txrx_worker);
++      mt76_connac_mcu_set_hif_suspend(mdev, false);
++
+ restore_worker:
+       mt76_worker_enable(&mdev->tx_worker);
+-      mt76_worker_enable(&mdev->sdio.txrx_worker);
+       mt76_worker_enable(&mdev->sdio.status_worker);
+-      mt76_worker_enable(&mdev->sdio.net_worker);
+       if (!pm->ds_enable)
+               mt76_connac_mcu_set_deep_sleep(mdev, false);
+-      mt76_connac_mcu_set_hif_suspend(mdev, false);
+-
+ restore_suspend:
++      clear_bit(MT76_STATE_SUSPEND, &mdev->phy.state);
+       pm->suspended = false;
+       return err;
+@@ -266,6 +275,7 @@ static int mt7921s_resume(struct device *__dev)
+       int err;
+       pm->suspended = false;
++      clear_bit(MT76_STATE_SUSPEND, &mdev->phy.state);
+       err = mt7921_mcu_drv_pmctrl(dev);
+       if (err < 0)
+diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c
+index c99acc21225e1..b0bc7be0fb1fc 100644
+--- a/drivers/net/wireless/mediatek/mt76/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/sdio.c
+@@ -479,7 +479,8 @@ static void mt76s_status_worker(struct mt76_worker *w)
+                       resched = true;
+               if (dev->drv->tx_status_data &&
+-                  !test_and_set_bit(MT76_READING_STATS, &dev->phy.state))
++                  !test_and_set_bit(MT76_READING_STATS, &dev->phy.state) &&
++                  !test_bit(MT76_STATE_SUSPEND, &dev->phy.state))
+                       queue_work(dev->wq, &dev->sdio.stat_work);
+       } while (nframes > 0);
+diff --git a/drivers/net/wireless/mediatek/mt76/sdio_txrx.c b/drivers/net/wireless/mediatek/mt76/sdio_txrx.c
+index 649a56790b89d..801590a0a334f 100644
+--- a/drivers/net/wireless/mediatek/mt76/sdio_txrx.c
++++ b/drivers/net/wireless/mediatek/mt76/sdio_txrx.c
+@@ -317,7 +317,8 @@ void mt76s_txrx_worker(struct mt76_sdio *sdio)
+               if (ret > 0)
+                       nframes += ret;
+-              if (test_bit(MT76_MCU_RESET, &dev->phy.state)) {
++              if (test_bit(MT76_MCU_RESET, &dev->phy.state) ||
++                  test_bit(MT76_STATE_SUSPEND, &dev->phy.state)) {
+                       if (!mt76s_txqs_empty(dev))
+                               continue;
+                       else
+-- 
+2.34.1
+
diff --git a/queue-5.16/mtd-core-provide-unique-name-for-nvmem-device.patch b/queue-5.16/mtd-core-provide-unique-name-for-nvmem-device.patch
new file mode 100644 (file)
index 0000000..f8addac
--- /dev/null
@@ -0,0 +1,75 @@
+From 02d541ece474418e2ba21623280f678f6eda196a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 14:48:43 +0100
+Subject: mtd: core: provide unique name for nvmem device
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit c048b60d39e109c201d31ed5ad3a4f939064d6c4 ]
+
+If there is more than one mtd device which supports OTP, there will
+be a kernel warning about duplicated sysfs entries and the probing will
+fail. This is because the nvmem device name is not unique. Make it
+unique by prepending the name of the mtd. E.g. before the name was
+"user-otp", now it will be "mtd0-user-otp".
+
+For reference the kernel splash is:
+[    4.665531] sysfs: cannot create duplicate filename '/bus/nvmem/devices/user-otp'
+[    4.673056] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-next-20211101+ #1296
+[    4.680565] Hardware name: Kontron SMARC-sAL28 (Single PHY) on SMARC Eval 2.0 carrier (DT)
+[    4.688856] Call trace:
+[    4.691303]  dump_backtrace+0x0/0x1bc
+[    4.694984]  show_stack+0x24/0x30
+[    4.698306]  dump_stack_lvl+0x68/0x84
+[    4.701980]  dump_stack+0x18/0x34
+[    4.705302]  sysfs_warn_dup+0x70/0x90
+[    4.708973]  sysfs_do_create_link_sd+0x144/0x150
+[    4.713603]  sysfs_create_link+0x2c/0x50
+[    4.717535]  bus_add_device+0x74/0x120
+[    4.721293]  device_add+0x330/0x890
+[    4.724791]  device_register+0x2c/0x40
+[    4.728550]  nvmem_register+0x240/0x9f0
+[    4.732398]  mtd_otp_nvmem_register+0xb0/0x10c
+[    4.736854]  mtd_device_parse_register+0x28c/0x2b4
+[    4.741659]  spi_nor_probe+0x20c/0x2e0
+[    4.745418]  spi_mem_probe+0x78/0xbc
+[    4.749001]  spi_probe+0x90/0xf0
+[    4.752237]  really_probe.part.0+0xa4/0x320
+..
+[    4.873936] mtd mtd1: Failed to register OTP NVMEM device
+[    4.894468] spi-nor: probe of spi0.0 failed with error -17
+
+Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20211104134843.2642800-1-michael@walle.cc
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdcore.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
+index 9186268d361b4..fc0bed14bfb10 100644
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -825,8 +825,7 @@ static struct nvmem_device *mtd_otp_nvmem_register(struct mtd_info *mtd,
+       /* OTP nvmem will be registered on the physical device */
+       config.dev = mtd->dev.parent;
+-      /* just reuse the compatible as name */
+-      config.name = compatible;
++      config.name = kasprintf(GFP_KERNEL, "%s-%s", dev_name(&mtd->dev), compatible);
+       config.id = NVMEM_DEVID_NONE;
+       config.owner = THIS_MODULE;
+       config.type = NVMEM_TYPE_OTP;
+@@ -842,6 +841,7 @@ static struct nvmem_device *mtd_otp_nvmem_register(struct mtd_info *mtd,
+               nvmem = NULL;
+       of_node_put(np);
++      kfree(config.name);
+       return nvmem;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch b/queue-5.16/mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch
new file mode 100644 (file)
index 0000000..ec05ddf
--- /dev/null
@@ -0,0 +1,42 @@
+From 373cf4b6594f17d0e4262d9425b1a55daaa02bf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 21:56:28 +0100
+Subject: mtd: hyperbus: rpc-if: Check return value of rpcif_sw_init()
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 981387ed06b96908223a607f5fba6efa42728fc2 ]
+
+rpcif_sw_init() can fail so make sure we check the return value
+of it and on error exit rpcif_hb_probe() callback with error code.
+
+Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20211025205631.21151-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/rpc-if.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index ecb050ba95cdf..367b0d72bf622 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -124,7 +124,9 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+       if (!hyperbus)
+               return -ENOMEM;
+-      rpcif_sw_init(&hyperbus->rpc, pdev->dev.parent);
++      error = rpcif_sw_init(&hyperbus->rpc, pdev->dev.parent);
++      if (error)
++              return error;
+       platform_set_drvdata(pdev, hyperbus);
+-- 
+2.34.1
+
diff --git a/queue-5.16/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch b/queue-5.16/mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch
new file mode 100644 (file)
index 0000000..e58a82d
--- /dev/null
@@ -0,0 +1,97 @@
+From b6ab93e1c7fc72e66d717f248590b33529c7152a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 16:49:35 -0400
+Subject: mtd: hyperbus: rpc-if: fix bug in rpcif_hb_remove
+
+From: George G. Davis <davis.george@siemens.com>
+
+[ Upstream commit baaf965f94308301d2dc554d72a87d7432cd5ce6 ]
+
+The following KASAN BUG is observed when testing the rpc-if driver on
+rcar-gen3:
+
+root@rcar-gen3:~# modprobe -r rpc-if
+[  101.930146] ==================================================================
+[  101.937408] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x518/0x25d0
+[  101.944240] Read of size 8 at addr ffff0004c5be2750 by task modprobe/664
+[  101.950959]
+[  101.952466] CPU: 2 PID: 664 Comm: modprobe Not tainted 5.14.0-rc1-00342-g1a1464d7aa31 #1
+[  101.960578] Hardware name: Renesas H3ULCB board based on r8a77951 (DT)
+[  101.967120] Call trace:
+[  101.969580]  dump_backtrace+0x0/0x2c0
+[  101.973275]  show_stack+0x1c/0x30
+[  101.976616]  dump_stack_lvl+0x9c/0xd8
+[  101.980301]  print_address_description.constprop.0+0x74/0x2b8
+[  101.986071]  kasan_report+0x1f4/0x26c
+[  101.989757]  __asan_load8+0x98/0xd4
+[  101.993266]  __lock_acquire+0x518/0x25d0
+[  101.997215]  lock_acquire.part.0+0x18c/0x360
+[  102.001506]  lock_acquire+0x74/0x90
+[  102.005013]  _raw_spin_lock_irq+0x98/0x130
+[  102.009131]  __pm_runtime_disable+0x30/0x210
+[  102.013427]  rpcif_hb_remove+0x5c/0x70 [rpc_if]
+[  102.018001]  platform_remove+0x40/0x80
+[  102.021771]  __device_release_driver+0x234/0x350
+[  102.026412]  driver_detach+0x158/0x20c
+[  102.030179]  bus_remove_driver+0xa0/0x140
+[  102.034212]  driver_unregister+0x48/0x80
+[  102.038153]  platform_driver_unregister+0x18/0x24
+[  102.042879]  rpcif_platform_driver_exit+0x1c/0x34 [rpc_if]
+[  102.048400]  __arm64_sys_delete_module+0x210/0x310
+[  102.053212]  invoke_syscall+0x60/0x190
+[  102.056986]  el0_svc_common+0x12c/0x144
+[  102.060844]  do_el0_svc+0x88/0xac
+[  102.064181]  el0_svc+0x24/0x3c
+[  102.067257]  el0t_64_sync_handler+0x1a8/0x1b0
+[  102.071634]  el0t_64_sync+0x198/0x19c
+[  102.075315]
+[  102.076815] Allocated by task 628:
+[  102.080781]
+[  102.082280] Last potentially related work creation:
+[  102.087524]
+[  102.089022] The buggy address belongs to the object at ffff0004c5be2000
+[  102.089022]  which belongs to the cache kmalloc-2k of size 2048
+[  102.101555] The buggy address is located 1872 bytes inside of
+[  102.101555]  2048-byte region [ffff0004c5be2000, ffff0004c5be2800)
+[  102.113486] The buggy address belongs to the page:
+[  102.118409]
+[  102.119908] Memory state around the buggy address:
+[  102.124711]  ffff0004c5be2600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  102.131947]  ffff0004c5be2680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  102.139181] >ffff0004c5be2700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  102.146412]                                                  ^
+[  102.152257]  ffff0004c5be2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  102.159491]  ffff0004c5be2800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  102.166723] ==================================================================
+
+The above bug is caused by use of the wrong pointer in the
+rpcif_disable_rpm() call. Fix the bug by using the correct pointer.
+
+Fixes: 5de15b610f78 ("mtd: hyperbus: add Renesas RPC-IF driver")
+Signed-off-by: George G. Davis <davis.george@siemens.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Link: https://lore.kernel.org/r/20210716204935.25859-1-george_davis@mentor.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/rpc-if.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index 367b0d72bf622..dc164c18f8429 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -152,9 +152,9 @@ static int rpcif_hb_remove(struct platform_device *pdev)
+ {
+       struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev);
+       int error = hyperbus_unregister_device(&hyperbus->hbdev);
+-      struct rpcif *rpc = dev_get_drvdata(pdev->dev.parent);
+-      rpcif_disable_rpm(rpc);
++      rpcif_disable_rpm(&hyperbus->rpc);
++
+       return error;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mtd-spi-nor-fix-mtd-size-for-s3an-flashes.patch b/queue-5.16/mtd-spi-nor-fix-mtd-size-for-s3an-flashes.patch
new file mode 100644 (file)
index 0000000..305d240
--- /dev/null
@@ -0,0 +1,44 @@
+From 241c57b39e7b510a83bd728153e713de7e237cb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 16:02:41 +0200
+Subject: mtd: spi-nor: Fix mtd size for s3an flashes
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+[ Upstream commit f656b419d41aabafb6b526abc3988dfbf2e5c1ba ]
+
+As it was before the blamed commit, s3an_nor_scan() was called
+after mtd size was set with params->size, and it overwrote the mtd
+size value with '8 * nor->page_size * nor->info->n_sectors' when
+XSR_PAGESIZE was set. With the introduction of
+s3an_post_sfdp_fixups(), we missed to update the mtd size for the
+s3an flashes. Fix the mtd size by updating both nor->params->size,
+(which will update the mtd_info size later on) and nor->mtd.size
+(which is used in spi_nor_set_addr_width()).
+
+Fixes: 641edddb4f43 ("mtd: spi-nor: Add s3an_post_sfdp_fixups()")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Link: https://lore.kernel.org/r/20211207140254.87681-2-tudor.ambarus@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/xilinx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/spi-nor/xilinx.c b/drivers/mtd/spi-nor/xilinx.c
+index 0658e47564bac..0ac1d681e84d5 100644
+--- a/drivers/mtd/spi-nor/xilinx.c
++++ b/drivers/mtd/spi-nor/xilinx.c
+@@ -69,7 +69,8 @@ static int xilinx_nor_setup(struct spi_nor *nor,
+               page_size = (nor->params->page_size == 264) ? 256 : 512;
+               nor->params->page_size = page_size;
+               nor->mtd.writebufsize = page_size;
+-              nor->mtd.size = 8 * page_size * nor->info->n_sectors;
++              nor->params->size = 8 * page_size * nor->info->n_sectors;
++              nor->mtd.size = nor->params->size;
+               nor->mtd.erasesize = 8 * page_size;
+       } else {
+               /* Flash in Default addressing mode */
+-- 
+2.34.1
+
diff --git a/queue-5.16/mtd-spi-nor-get-rid-of-nor-page_size.patch b/queue-5.16/mtd-spi-nor-get-rid-of-nor-page_size.patch
new file mode 100644 (file)
index 0000000..d74f875
--- /dev/null
@@ -0,0 +1,154 @@
+From 2cab901d8590f3e1b811136569950852d08ba5b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 20:26:12 +0300
+Subject: mtd: spi-nor: Get rid of nor->page_size
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+[ Upstream commit 5854d4a6cc356ba3e16d8593ac1c089a32d1759c ]
+
+nor->page_size duplicated what nor->params->page_size indicates
+for no good reason. page_size is a flash parameter of fixed value
+and it is better suited to be found in nor->params->page_size.
+
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Reviewed-by: Michael Walle <michael@walle.cc>
+Link: https://lore.kernel.org/r/20211029172633.886453-5-tudor.ambarus@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/core.c   | 19 +++++++++----------
+ drivers/mtd/spi-nor/xilinx.c | 17 ++++++++++-------
+ include/linux/mtd/spi-nor.h  |  2 --
+ 3 files changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
+index cc08bd707378f..fa66dfed002d2 100644
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -1952,6 +1952,7 @@ static int spi_nor_write(struct mtd_info *mtd, loff_t to, size_t len,
+       struct spi_nor *nor = mtd_to_spi_nor(mtd);
+       size_t page_offset, page_remain, i;
+       ssize_t ret;
++      u32 page_size = nor->params->page_size;
+       dev_dbg(nor->dev, "to 0x%08x, len %zd\n", (u32)to, len);
+@@ -1968,16 +1969,15 @@ static int spi_nor_write(struct mtd_info *mtd, loff_t to, size_t len,
+                * calculated with an AND operation. On the other cases we
+                * need to do a modulus operation (more expensive).
+                */
+-              if (is_power_of_2(nor->page_size)) {
+-                      page_offset = addr & (nor->page_size - 1);
++              if (is_power_of_2(page_size)) {
++                      page_offset = addr & (page_size - 1);
+               } else {
+                       uint64_t aux = addr;
+-                      page_offset = do_div(aux, nor->page_size);
++                      page_offset = do_div(aux, page_size);
+               }
+               /* the size of data remaining on the first page */
+-              page_remain = min_t(size_t,
+-                                  nor->page_size - page_offset, len - i);
++              page_remain = min_t(size_t, page_size - page_offset, len - i);
+               addr = spi_nor_convert_addr(nor, addr);
+@@ -3094,7 +3094,7 @@ int spi_nor_scan(struct spi_nor *nor, const char *name,
+        * We need the bounce buffer early to read/write registers when going
+        * through the spi-mem layer (buffers have to be DMA-able).
+        * For spi-mem drivers, we'll reallocate a new buffer if
+-       * nor->page_size turns out to be greater than PAGE_SIZE (which
++       * nor->params->page_size turns out to be greater than PAGE_SIZE (which
+        * shouldn't happen before long since NOR pages are usually less
+        * than 1KB) after spi_nor_scan() returns.
+        */
+@@ -3171,8 +3171,7 @@ int spi_nor_scan(struct spi_nor *nor, const char *name,
+               mtd->flags |= MTD_NO_ERASE;
+       mtd->dev.parent = dev;
+-      nor->page_size = nor->params->page_size;
+-      mtd->writebufsize = nor->page_size;
++      mtd->writebufsize = nor->params->page_size;
+       if (of_property_read_bool(np, "broken-flash-reset"))
+               nor->flags |= SNOR_F_BROKEN_RESET;
+@@ -3341,8 +3340,8 @@ static int spi_nor_probe(struct spi_mem *spimem)
+        * and add this logic so that if anyone ever adds support for such
+        * a NOR we don't end up with buffer overflows.
+        */
+-      if (nor->page_size > PAGE_SIZE) {
+-              nor->bouncebuf_size = nor->page_size;
++      if (nor->params->page_size > PAGE_SIZE) {
++              nor->bouncebuf_size = nor->params->page_size;
+               devm_kfree(nor->dev, nor->bouncebuf);
+               nor->bouncebuf = devm_kmalloc(nor->dev,
+                                             nor->bouncebuf_size,
+diff --git a/drivers/mtd/spi-nor/xilinx.c b/drivers/mtd/spi-nor/xilinx.c
+index 1138bdbf41998..0658e47564bac 100644
+--- a/drivers/mtd/spi-nor/xilinx.c
++++ b/drivers/mtd/spi-nor/xilinx.c
+@@ -28,11 +28,12 @@ static const struct flash_info xilinx_parts[] = {
+  */
+ static u32 s3an_convert_addr(struct spi_nor *nor, u32 addr)
+ {
++      u32 page_size = nor->params->page_size;
+       u32 offset, page;
+-      offset = addr % nor->page_size;
+-      page = addr / nor->page_size;
+-      page <<= (nor->page_size > 512) ? 10 : 9;
++      offset = addr % page_size;
++      page = addr / page_size;
++      page <<= (page_size > 512) ? 10 : 9;
+       return page | offset;
+ }
+@@ -40,6 +41,7 @@ static u32 s3an_convert_addr(struct spi_nor *nor, u32 addr)
+ static int xilinx_nor_setup(struct spi_nor *nor,
+                           const struct spi_nor_hwcaps *hwcaps)
+ {
++      u32 page_size;
+       int ret;
+       ret = spi_nor_xread_sr(nor, nor->bouncebuf);
+@@ -64,10 +66,11 @@ static int xilinx_nor_setup(struct spi_nor *nor,
+        */
+       if (nor->bouncebuf[0] & XSR_PAGESIZE) {
+               /* Flash in Power of 2 mode */
+-              nor->page_size = (nor->page_size == 264) ? 256 : 512;
+-              nor->mtd.writebufsize = nor->page_size;
+-              nor->mtd.size = 8 * nor->page_size * nor->info->n_sectors;
+-              nor->mtd.erasesize = 8 * nor->page_size;
++              page_size = (nor->params->page_size == 264) ? 256 : 512;
++              nor->params->page_size = page_size;
++              nor->mtd.writebufsize = page_size;
++              nor->mtd.size = 8 * page_size * nor->info->n_sectors;
++              nor->mtd.erasesize = 8 * page_size;
+       } else {
+               /* Flash in Default addressing mode */
+               nor->params->convert_addr = s3an_convert_addr;
+diff --git a/include/linux/mtd/spi-nor.h b/include/linux/mtd/spi-nor.h
+index f67457748ed84..fc90fce26e337 100644
+--- a/include/linux/mtd/spi-nor.h
++++ b/include/linux/mtd/spi-nor.h
+@@ -371,7 +371,6 @@ struct spi_nor_flash_parameter;
+  * @bouncebuf_size:   size of the bounce buffer
+  * @info:             SPI NOR part JEDEC MFR ID and other info
+  * @manufacturer:     SPI NOR manufacturer
+- * @page_size:                the page size of the SPI NOR
+  * @addr_width:               number of address bytes
+  * @erase_opcode:     the opcode for erasing a sector
+  * @read_opcode:      the read opcode
+@@ -401,7 +400,6 @@ struct spi_nor {
+       size_t                  bouncebuf_size;
+       const struct flash_info *info;
+       const struct spi_nor_manufacturer *manufacturer;
+-      u32                     page_size;
+       u8                      addr_width;
+       u8                      erase_opcode;
+       u8                      read_opcode;
+-- 
+2.34.1
+
diff --git a/queue-5.16/mwifiex-fix-possible-abba-deadlock.patch b/queue-5.16/mwifiex-fix-possible-abba-deadlock.patch
new file mode 100644 (file)
index 0000000..676b026
--- /dev/null
@@ -0,0 +1,82 @@
+From 96e907a8d9d072ff89d1756d8dc2297a268257ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 16:47:34 -0800
+Subject: mwifiex: Fix possible ABBA deadlock
+
+From: Brian Norris <briannorris@chromium.org>
+
+[ Upstream commit 1b8bb8919ef81bfc8873d223b9361f1685f2106d ]
+
+Quoting Jia-Ju Bai <baijiaju1990@gmail.com>:
+
+  mwifiex_dequeue_tx_packet()
+     spin_lock_bh(&priv->wmm.ra_list_spinlock); --> Line 1432 (Lock A)
+     mwifiex_send_addba()
+       spin_lock_bh(&priv->sta_list_spinlock); --> Line 608 (Lock B)
+
+  mwifiex_process_sta_tx_pause()
+     spin_lock_bh(&priv->sta_list_spinlock); --> Line 398 (Lock B)
+     mwifiex_update_ralist_tx_pause()
+       spin_lock_bh(&priv->wmm.ra_list_spinlock); --> Line 941 (Lock A)
+
+Similar report for mwifiex_process_uap_tx_pause().
+
+While the locking expectations in this driver are a bit unclear, the
+Fixed commit only intended to protect the sta_ptr, so we can drop the
+lock as soon as we're done with it.
+
+IIUC, this deadlock cannot actually happen, because command event
+processing (which calls mwifiex_process_sta_tx_pause()) is
+sequentialized with TX packet processing (e.g.,
+mwifiex_dequeue_tx_packet()) via the main loop (mwifiex_main_process()).
+But it's good not to leave this potential issue lurking.
+
+Fixes: f0f7c2275fb9 ("mwifiex: minor cleanups w/ sta_list_spinlock in cfg80211.c")
+Cc: Douglas Anderson <dianders@chromium.org>
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Link: https://lore.kernel.org/linux-wireless/0e495b14-efbb-e0da-37bd-af6bd677ee2c@gmail.com/
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/YaV0pllJ5p/EuUat@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/sta_event.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
+index 68c63268e2e6b..2b2e6e0166e14 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
+@@ -365,10 +365,12 @@ static void mwifiex_process_uap_tx_pause(struct mwifiex_private *priv,
+               sta_ptr = mwifiex_get_sta_entry(priv, tp->peermac);
+               if (sta_ptr && sta_ptr->tx_pause != tp->tx_pause) {
+                       sta_ptr->tx_pause = tp->tx_pause;
++                      spin_unlock_bh(&priv->sta_list_spinlock);
+                       mwifiex_update_ralist_tx_pause(priv, tp->peermac,
+                                                      tp->tx_pause);
++              } else {
++                      spin_unlock_bh(&priv->sta_list_spinlock);
+               }
+-              spin_unlock_bh(&priv->sta_list_spinlock);
+       }
+ }
+@@ -400,11 +402,13 @@ static void mwifiex_process_sta_tx_pause(struct mwifiex_private *priv,
+                       sta_ptr = mwifiex_get_sta_entry(priv, tp->peermac);
+                       if (sta_ptr && sta_ptr->tx_pause != tp->tx_pause) {
+                               sta_ptr->tx_pause = tp->tx_pause;
++                              spin_unlock_bh(&priv->sta_list_spinlock);
+                               mwifiex_update_ralist_tx_pause(priv,
+                                                              tp->peermac,
+                                                              tp->tx_pause);
++                      } else {
++                              spin_unlock_bh(&priv->sta_list_spinlock);
+                       }
+-                      spin_unlock_bh(&priv->sta_list_spinlock);
+               }
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch b/queue-5.16/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch
new file mode 100644 (file)
index 0000000..cdf0b2b
--- /dev/null
@@ -0,0 +1,68 @@
+From 1e3181cbaf7b4d1b5778c54d4d9e5c7cea79da3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Oct 2021 22:42:50 -0400
+Subject: mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit 04d80663f67ccef893061b49ec8a42ff7045ae84 ]
+
+Currently, with an unknown recv_type, mwifiex_usb_recv
+just return -1 without restoring the skb. Next time
+mwifiex_usb_rx_complete is invoked with the same skb,
+calling skb_put causes skb_over_panic.
+
+The bug is triggerable with a compromised/malfunctioning
+usb device. After applying the patch, skb_over_panic
+no longer shows up with the same input.
+
+Attached is the panic report from fuzzing.
+skbuff: skb_over_panic: text:000000003bf1b5fa
+ len:2048 put:4 head:00000000dd6a115b data:000000000a9445d8
+ tail:0x844 end:0x840 dev:<NULL>
+kernel BUG at net/core/skbuff.c:109!
+invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60
+RIP: 0010:skb_panic+0x15f/0x161
+Call Trace:
+ <IRQ>
+ ? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb]
+ skb_put.cold+0x24/0x24
+ mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb]
+ __usb_hcd_giveback_urb+0x1e4/0x380
+ usb_giveback_urb_bh+0x241/0x4f0
+ ? __hrtimer_run_queues+0x316/0x740
+ ? __usb_hcd_giveback_urb+0x380/0x380
+ tasklet_action_common.isra.0+0x135/0x330
+ __do_softirq+0x18c/0x634
+ irq_exit+0x114/0x140
+ smp_apic_timer_interrupt+0xde/0x380
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+
+Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
+index 9736aa0ab7fd4..8f01fcbe93961 100644
+--- a/drivers/net/wireless/marvell/mwifiex/usb.c
++++ b/drivers/net/wireless/marvell/mwifiex/usb.c
+@@ -130,7 +130,8 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter,
+               default:
+                       mwifiex_dbg(adapter, ERROR,
+                                   "unknown recv_type %#x\n", recv_type);
+-                      return -1;
++                      ret = -1;
++                      goto exit_restore_skb;
+               }
+               break;
+       case MWIFIEX_USB_EP_DATA:
+-- 
+2.34.1
+
diff --git a/queue-5.16/mxser-don-t-throttle-manually.patch b/queue-5.16/mxser-don-t-throttle-manually.patch
new file mode 100644 (file)
index 0000000..fff4381
--- /dev/null
@@ -0,0 +1,161 @@
+From a92974ebb2590cec18bced9b302b34d1ff706bec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 08:31:20 +0100
+Subject: mxser: don't throttle manually
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit c6693e6e07805f1b7822b13a5b482bf2b6a1f312 ]
+
+First, checking tty->receive_room to signalize whether there is enough space
+in the tty buffers does not make much sense. Provided the tty buffers
+are in tty_port and those are not checked at all.
+
+Second, if the rx path is throttled, with CRTSCTS, RTS is deasserted,
+but is never asserted again. This leads to port "lockup", not accepting
+any more input.
+
+So:
+1) stty -F /dev/ttyMI0 crtscts # the mxser port
+2) stty -F /dev/ttyS6 crtscts # the connected port
+3) cat /dev/ttyMI0
+4) "write in a loop" to /dev/ttyS6
+5) cat from 3) produces the bytes from 4)
+6) killall -STOP cat (the 3)'s one)
+7) wait for RTS to drop on /dev/ttyMI0
+8) killall -CONT cat (again the 3)'s one)
+
+cat erroneously produces no more output now (i.e. no data sent from
+ttyS6 to ttyMI can be seen).
+
+Note that the step 7) is performed twice: once from n_tty by
+tty_throttle_safe(), once by mxser_stoprx() from the receive path. Then
+after step 7), n_tty correctly unthrottles the input, but mxser calls
+mxser_stoprx() again as there is still only a little space in n_tty
+buffers (tty->receive_room mentioned at the beginning), but the device's
+FIFO is/can be already filled.
+
+After this patch, the output is correctly resumed, i.e. n_tty both
+throttles and unthrottles without interfering with mxser's attempts.
+
+This allows us to get rid of the non-standard ldisc_stop_rx flag from
+struct mxser_port.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20211118073125.12283-15-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/mxser.c | 36 ++++++------------------------------
+ 1 file changed, 6 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/tty/mxser.c b/drivers/tty/mxser.c
+index 27caa2f9ba79b..3b5d193b7f245 100644
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -251,8 +251,6 @@ struct mxser_port {
+       u8 MCR;                 /* Modem control register */
+       u8 FCR;                 /* FIFO control register */
+-      bool ldisc_stop_rx;
+-
+       struct async_icount icount; /* kernel counters for 4 input interrupts */
+       unsigned int timeout;
+@@ -1323,11 +1321,14 @@ static int mxser_get_icount(struct tty_struct *tty,
+       return 0;
+ }
+-static void mxser_stoprx(struct tty_struct *tty)
++/*
++ * This routine is called by the upper-layer tty layer to signal that
++ * incoming characters should be throttled.
++ */
++static void mxser_throttle(struct tty_struct *tty)
+ {
+       struct mxser_port *info = tty->driver_data;
+-      info->ldisc_stop_rx = true;
+       if (I_IXOFF(tty)) {
+               if (info->board->must_hwid) {
+                       info->IER &= ~MOXA_MUST_RECV_ISR;
+@@ -1346,21 +1347,11 @@ static void mxser_stoprx(struct tty_struct *tty)
+       }
+ }
+-/*
+- * This routine is called by the upper-layer tty layer to signal that
+- * incoming characters should be throttled.
+- */
+-static void mxser_throttle(struct tty_struct *tty)
+-{
+-      mxser_stoprx(tty);
+-}
+-
+ static void mxser_unthrottle(struct tty_struct *tty)
+ {
+       struct mxser_port *info = tty->driver_data;
+       /* startrx */
+-      info->ldisc_stop_rx = false;
+       if (I_IXOFF(tty)) {
+               if (info->x_char)
+                       info->x_char = 0;
+@@ -1543,9 +1534,6 @@ static bool mxser_receive_chars_new(struct tty_struct *tty,
+       if (hwid == MOXA_MUST_MU150_HWID)
+               gdl &= MOXA_MUST_GDL_MASK;
+-      if (gdl >= tty->receive_room && !port->ldisc_stop_rx)
+-              mxser_stoprx(tty);
+-
+       while (gdl--) {
+               u8 ch = inb(port->ioaddr + UART_RX);
+               tty_insert_flip_char(&port->port, ch, 0);
+@@ -1558,10 +1546,8 @@ static u8 mxser_receive_chars_old(struct tty_struct *tty,
+                               struct mxser_port *port, u8 status)
+ {
+       enum mxser_must_hwid hwid = port->board->must_hwid;
+-      int recv_room = tty->receive_room;
+       int ignored = 0;
+       int max = 256;
+-      int cnt = 0;
+       u8 ch;
+       do {
+@@ -1596,14 +1582,8 @@ static u8 mxser_receive_chars_old(struct tty_struct *tty,
+                                       port->icount.overrun++;
+                               }
+                       }
+-                      tty_insert_flip_char(&port->port, ch, flag);
+-                      cnt++;
+-                      if (cnt >= recv_room) {
+-                              if (!port->ldisc_stop_rx)
+-                                      mxser_stoprx(tty);
++                      if (!tty_insert_flip_char(&port->port, ch, flag))
+                               break;
+-                      }
+-
+               }
+               if (hwid)
+@@ -1618,9 +1598,6 @@ static u8 mxser_receive_chars_old(struct tty_struct *tty,
+ static u8 mxser_receive_chars(struct tty_struct *tty,
+               struct mxser_port *port, u8 status)
+ {
+-      if (tty->receive_room == 0 && !port->ldisc_stop_rx)
+-              mxser_stoprx(tty);
+-
+       if (!mxser_receive_chars_new(tty, port, status))
+               status = mxser_receive_chars_old(tty, port, status);
+@@ -1833,7 +1810,6 @@ static void mxser_initbrd(struct mxser_board *brd, bool high_baud)
+               tty_port_init(&info->port);
+               info->port.ops = &mxser_port_ops;
+               info->board = brd;
+-              info->ldisc_stop_rx = false;
+               /* Enhance mode enabled here */
+               if (brd->must_hwid != MOXA_OTHER_UART)
+-- 
+2.34.1
+
diff --git a/queue-5.16/mxser-increase-buf_overrun-if-tty_insert_flip_char-f.patch b/queue-5.16/mxser-increase-buf_overrun-if-tty_insert_flip_char-f.patch
new file mode 100644 (file)
index 0000000..7db154e
--- /dev/null
@@ -0,0 +1,49 @@
+From 6e5f8e98d27e32e575d1634c64cb747ca9e62108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 08:31:22 +0100
+Subject: mxser: increase buf_overrun if tty_insert_flip_char() fails
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit eb68ac0462bffc2ceb63b3a76737d6c9f186e6de ]
+
+mxser doesn't increase port->icount.buf_overrun at all. Do so if overrun
+happens, so that it can be read from the stats.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20211118073125.12283-17-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/mxser.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/mxser.c b/drivers/tty/mxser.c
+index 3b5d193b7f245..39458b42df7b0 100644
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -1536,7 +1536,8 @@ static bool mxser_receive_chars_new(struct tty_struct *tty,
+       while (gdl--) {
+               u8 ch = inb(port->ioaddr + UART_RX);
+-              tty_insert_flip_char(&port->port, ch, 0);
++              if (!tty_insert_flip_char(&port->port, ch, 0))
++                      port->icount.buf_overrun++;
+       }
+       return true;
+@@ -1582,8 +1583,10 @@ static u8 mxser_receive_chars_old(struct tty_struct *tty,
+                                       port->icount.overrun++;
+                               }
+                       }
+-                      if (!tty_insert_flip_char(&port->port, ch, flag))
++                      if (!tty_insert_flip_char(&port->port, ch, flag)) {
++                              port->icount.buf_overrun++;
+                               break;
++                      }
+               }
+               if (hwid)
+-- 
+2.34.1
+
diff --git a/queue-5.16/mxser-keep-only-tty-test-in-isr.patch b/queue-5.16/mxser-keep-only-tty-test-in-isr.patch
new file mode 100644 (file)
index 0000000..c67890b
--- /dev/null
@@ -0,0 +1,69 @@
+From a50ceaa6d10058a77008d586f9bacedeab8e7e16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 08:31:09 +0100
+Subject: mxser: keep only !tty test in ISR
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 274ab58dc2b460cc474ffc7ccfcede4b2be1a3f5 ]
+
+The others are superfluous with tty refcounting in place now. And they
+are racy in fact:
+* tty_port_initialized() reports false for a small moment after
+  interrupts are enabled.
+* closing is 1 while the port is still alive.
+
+The queues are flushed later during close anyway. So there is no need
+for this special handling. Actually, the ISR should not flush the
+queues. It should behave as every other driver, just queue the chars
+into tty buffer and go on. But this will be changed later. There is
+still a lot code depending on having tty in ISR (and not only tty_port).
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20211118073125.12283-4-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/mxser.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/tty/mxser.c b/drivers/tty/mxser.c
+index 93a95a135a71a..27caa2f9ba79b 100644
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -262,7 +262,6 @@ struct mxser_port {
+       unsigned int xmit_head;
+       unsigned int xmit_tail;
+       unsigned int xmit_cnt;
+-      int closing;
+       spinlock_t slock;
+ };
+@@ -918,7 +917,6 @@ static void mxser_close(struct tty_struct *tty, struct file *filp)
+               return;
+       if (tty_port_close_start(port, tty, filp) == 0)
+               return;
+-      info->closing = 1;
+       mutex_lock(&port->mutex);
+       mxser_close_port(port);
+       mxser_flush_buffer(tty);
+@@ -927,7 +925,6 @@ static void mxser_close(struct tty_struct *tty, struct file *filp)
+       mxser_shutdown_port(port);
+       tty_port_set_initialized(port, 0);
+       mutex_unlock(&port->mutex);
+-      info->closing = 0;
+       /* Right now the tty_port set is done outside of the close_end helper
+          as we don't yet have everyone using refcounts */     
+       tty_port_close_end(port, tty);
+@@ -1683,7 +1680,7 @@ static bool mxser_port_isr(struct mxser_port *port)
+       iir &= MOXA_MUST_IIR_MASK;
+       tty = tty_port_tty_get(&port->port);
+-      if (!tty || port->closing || !tty_port_initialized(&port->port)) {
++      if (!tty) {
+               status = inb(port->ioaddr + UART_LSR);
+               outb(port->FCR | UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT,
+                               port->ioaddr + UART_FCR);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch b/queue-5.16/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch
new file mode 100644 (file)
index 0000000..d1bde21
--- /dev/null
@@ -0,0 +1,71 @@
+From e0151469135b6a70bbf56b7f1b4370228b32dfff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 11:17:09 +0530
+Subject: net: bonding: debug: avoid printing debug logs when bond is not
+ notifying peers
+
+From: Suresh Kumar <surkumar@redhat.com>
+
+[ Upstream commit fee32de284ac277ba434a2d59f8ce46528ff3946 ]
+
+Currently "bond_should_notify_peers: slave ..." messages are printed whenever
+"bond_should_notify_peers" function is called.
+
++++
+Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Received LACPDU on port 1
+Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Rx Machine: Port=1, Last State=6, Curr State=6
+Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): partner sync=1
+Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+...
+Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Received LACPDU on port 2
+Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Rx Machine: Port=2, Last State=6, Curr State=6
+Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): partner sync=1
+Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
+Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25
++++
+
+This is confusing and can also clutter up debug logs.
+Print logs only when the peer notification happens.
+
+Signed-off-by: Suresh Kumar <suresh2514@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index ff8da720a33a7..0ac964359fbfe 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1096,9 +1096,6 @@ static bool bond_should_notify_peers(struct bonding *bond)
+       slave = rcu_dereference(bond->curr_active_slave);
+       rcu_read_unlock();
+-      netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n",
+-                 slave ? slave->dev->name : "NULL");
+-
+       if (!slave || !bond->send_peer_notif ||
+           bond->send_peer_notif %
+           max(1, bond->params.peer_notif_delay) != 0 ||
+@@ -1106,6 +1103,9 @@ static bool bond_should_notify_peers(struct bonding *bond)
+           test_bit(__LINK_STATE_LINKWATCH_PENDING, &slave->dev->state))
+               return false;
++      netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n",
++                 slave ? slave->dev->name : "NULL");
++
+       return true;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-dsa-fix-incorrect-function-pointer-check-for-mrp.patch b/queue-5.16/net-dsa-fix-incorrect-function-pointer-check-for-mrp.patch
new file mode 100644 (file)
index 0000000..b71d283
--- /dev/null
@@ -0,0 +1,54 @@
+From 7e663cc570ef7039a607a6931e9807726a592058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 15:18:11 +0200
+Subject: net: dsa: fix incorrect function pointer check for MRP ring roles
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ff91e1b68490b97c18c649b769618815eb945f11 ]
+
+The cross-chip notifier boilerplate code meant to check the presence of
+ds->ops->port_mrp_add_ring_role before calling it, but checked
+ds->ops->port_mrp_add instead, before calling
+ds->ops->port_mrp_add_ring_role.
+
+Therefore, a driver which implements one operation but not the other
+would trigger a NULL pointer dereference.
+
+There isn't any such driver in DSA yet, so there is no reason to
+backport the change. Issue found through code inspection.
+
+Cc: Horatiu Vultur <horatiu.vultur@microchip.com>
+Fixes: c595c4330da0 ("net: dsa: add MRP support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/switch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/dsa/switch.c b/net/dsa/switch.c
+index bb155a16d4540..80816f7e1f996 100644
+--- a/net/dsa/switch.c
++++ b/net/dsa/switch.c
+@@ -675,7 +675,7 @@ static int
+ dsa_switch_mrp_add_ring_role(struct dsa_switch *ds,
+                            struct dsa_notifier_mrp_ring_role_info *info)
+ {
+-      if (!ds->ops->port_mrp_add)
++      if (!ds->ops->port_mrp_add_ring_role)
+               return -EOPNOTSUPP;
+       if (ds->index == info->sw_index)
+@@ -689,7 +689,7 @@ static int
+ dsa_switch_mrp_del_ring_role(struct dsa_switch *ds,
+                            struct dsa_notifier_mrp_ring_role_info *info)
+ {
+-      if (!ds->ops->port_mrp_del)
++      if (!ds->ops->port_mrp_del_ring_role)
+               return -EOPNOTSUPP;
+       if (ds->index == info->sw_index)
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-dsa-hellcreek-add-missing-ptp-via-udp-rules.patch b/queue-5.16/net-dsa-hellcreek-add-missing-ptp-via-udp-rules.patch
new file mode 100644 (file)
index 0000000..a7f5262
--- /dev/null
@@ -0,0 +1,122 @@
+From 3e4b5cae9c71789578dcdc337ce83c6ed5960217 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 14:45:08 +0100
+Subject: net: dsa: hellcreek: Add missing PTP via UDP rules
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit 6cf01e451599da630ff1af529d61c5e4db4550ab ]
+
+The switch supports PTP for UDP transport too. Therefore, add the missing static
+FDB entries to ensure correct forwarding of these packets.
+
+Fixes: ddd56dfe52c9 ("net: dsa: hellcreek: Add PTP clock support")
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek.c | 64 ++++++++++++++++++++++++--
+ 1 file changed, 60 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek.c b/drivers/net/dsa/hirschmann/hellcreek.c
+index 40ce8c0c9167a..b2bab460d2e98 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek.c
++++ b/drivers/net/dsa/hirschmann/hellcreek.c
+@@ -1052,7 +1052,7 @@ static void hellcreek_setup_tc_identity_mapping(struct hellcreek *hellcreek)
+ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+ {
+-      static struct hellcreek_fdb_entry ptp = {
++      static struct hellcreek_fdb_entry l2_ptp = {
+               /* MAC: 01-1B-19-00-00-00 */
+               .mac          = { 0x01, 0x1b, 0x19, 0x00, 0x00, 0x00 },
+               .portmask     = 0x03,   /* Management ports */
+@@ -1063,7 +1063,29 @@ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+               .reprio_tc    = 6,      /* TC: 6 as per IEEE 802.1AS */
+               .reprio_en    = 1,
+       };
+-      static struct hellcreek_fdb_entry p2p = {
++      static struct hellcreek_fdb_entry udp4_ptp = {
++              /* MAC: 01-00-5E-00-01-81 */
++              .mac          = { 0x01, 0x00, 0x5e, 0x00, 0x01, 0x81 },
++              .portmask     = 0x03,   /* Management ports */
++              .age          = 0,
++              .is_obt       = 0,
++              .pass_blocked = 0,
++              .is_static    = 1,
++              .reprio_tc    = 6,
++              .reprio_en    = 1,
++      };
++      static struct hellcreek_fdb_entry udp6_ptp = {
++              /* MAC: 33-33-00-00-01-81 */
++              .mac          = { 0x33, 0x33, 0x00, 0x00, 0x01, 0x81 },
++              .portmask     = 0x03,   /* Management ports */
++              .age          = 0,
++              .is_obt       = 0,
++              .pass_blocked = 0,
++              .is_static    = 1,
++              .reprio_tc    = 6,
++              .reprio_en    = 1,
++      };
++      static struct hellcreek_fdb_entry l2_p2p = {
+               /* MAC: 01-80-C2-00-00-0E */
+               .mac          = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x0e },
+               .portmask     = 0x03,   /* Management ports */
+@@ -1074,6 +1096,28 @@ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+               .reprio_tc    = 6,      /* TC: 6 as per IEEE 802.1AS */
+               .reprio_en    = 1,
+       };
++      static struct hellcreek_fdb_entry udp4_p2p = {
++              /* MAC: 01-00-5E-00-00-6B */
++              .mac          = { 0x01, 0x00, 0x5e, 0x00, 0x00, 0x6b },
++              .portmask     = 0x03,   /* Management ports */
++              .age          = 0,
++              .is_obt       = 0,
++              .pass_blocked = 1,
++              .is_static    = 1,
++              .reprio_tc    = 6,
++              .reprio_en    = 1,
++      };
++      static struct hellcreek_fdb_entry udp6_p2p = {
++              /* MAC: 33-33-00-00-00-6B */
++              .mac          = { 0x33, 0x33, 0x00, 0x00, 0x00, 0x6b },
++              .portmask     = 0x03,   /* Management ports */
++              .age          = 0,
++              .is_obt       = 0,
++              .pass_blocked = 1,
++              .is_static    = 1,
++              .reprio_tc    = 6,
++              .reprio_en    = 1,
++      };
+       static struct hellcreek_fdb_entry stp = {
+               /* MAC: 01-80-C2-00-00-00 */
+               .mac          = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 },
+@@ -1088,10 +1132,22 @@ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+       int ret;
+       mutex_lock(&hellcreek->reg_lock);
+-      ret = __hellcreek_fdb_add(hellcreek, &ptp);
++      ret = __hellcreek_fdb_add(hellcreek, &l2_ptp);
++      if (ret)
++              goto out;
++      ret = __hellcreek_fdb_add(hellcreek, &udp4_ptp);
++      if (ret)
++              goto out;
++      ret = __hellcreek_fdb_add(hellcreek, &udp6_ptp);
++      if (ret)
++              goto out;
++      ret = __hellcreek_fdb_add(hellcreek, &l2_p2p);
++      if (ret)
++              goto out;
++      ret = __hellcreek_fdb_add(hellcreek, &udp4_p2p);
+       if (ret)
+               goto out;
+-      ret = __hellcreek_fdb_add(hellcreek, &p2p);
++      ret = __hellcreek_fdb_add(hellcreek, &udp6_p2p);
+       if (ret)
+               goto out;
+       ret = __hellcreek_fdb_add(hellcreek, &stp);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-dsa-hellcreek-add-stp-forwarding-rule.patch b/queue-5.16/net-dsa-hellcreek-add-stp-forwarding-rule.patch
new file mode 100644 (file)
index 0000000..c6df2a1
--- /dev/null
@@ -0,0 +1,57 @@
+From c5e5f1c947162f957294a348b31f418f27e20c64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 14:45:06 +0100
+Subject: net: dsa: hellcreek: Add STP forwarding rule
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit b7ade35eb53a2455f737a623c24e4b24455b2271 ]
+
+Treat STP as management traffic. STP traffic is designated for the CPU port
+only. In addition, STP traffic has to pass blocked ports.
+
+Fixes: e4b27ebc780f ("net: dsa: Add DSA driver for Hirschmann Hellcreek switches")
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek.c b/drivers/net/dsa/hirschmann/hellcreek.c
+index bb1a24c8078be..b488990b5b06e 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek.c
++++ b/drivers/net/dsa/hirschmann/hellcreek.c
+@@ -1074,6 +1074,17 @@ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+               .reprio_tc    = 6,      /* TC: 6 as per IEEE 802.1AS */
+               .reprio_en    = 1,
+       };
++      static struct hellcreek_fdb_entry stp = {
++              /* MAC: 01-80-C2-00-00-00 */
++              .mac          = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 },
++              .portmask     = 0x03,   /* Management ports */
++              .age          = 0,
++              .is_obt       = 0,
++              .pass_blocked = 1,
++              .is_static    = 1,
++              .reprio_tc    = 6,
++              .reprio_en    = 1,
++      };
+       int ret;
+       mutex_lock(&hellcreek->reg_lock);
+@@ -1081,6 +1092,9 @@ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+       if (ret)
+               goto out;
+       ret = __hellcreek_fdb_add(hellcreek, &p2p);
++      if (ret)
++              goto out;
++      ret = __hellcreek_fdb_add(hellcreek, &stp);
+ out:
+       mutex_unlock(&hellcreek->reg_lock);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-dsa-hellcreek-allow-ptp-p2p-measurements-on-bloc.patch b/queue-5.16/net-dsa-hellcreek-allow-ptp-p2p-measurements-on-bloc.patch
new file mode 100644 (file)
index 0000000..620f2f6
--- /dev/null
@@ -0,0 +1,38 @@
+From 9a1545629944cb92d20f65d4f2711f80dc73a4ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 14:45:07 +0100
+Subject: net: dsa: hellcreek: Allow PTP P2P measurements on blocked ports
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit cad1798d2d0811ded37d1e946c6796102e58013b ]
+
+Allow PTP peer delay measurements on blocked ports by STP. In case of topology
+changes the PTP stack can directly start with the correct delays.
+
+Fixes: ddd56dfe52c9 ("net: dsa: hellcreek: Add PTP clock support")
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek.c b/drivers/net/dsa/hirschmann/hellcreek.c
+index b488990b5b06e..40ce8c0c9167a 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek.c
++++ b/drivers/net/dsa/hirschmann/hellcreek.c
+@@ -1069,7 +1069,7 @@ static int hellcreek_setup_fdb(struct hellcreek *hellcreek)
+               .portmask     = 0x03,   /* Management ports */
+               .age          = 0,
+               .is_obt       = 0,
+-              .pass_blocked = 0,
++              .pass_blocked = 1,
+               .is_static    = 1,
+               .reprio_tc    = 6,      /* TC: 6 as per IEEE 802.1AS */
+               .reprio_en    = 1,
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-dsa-hellcreek-fix-insertion-of-static-fdb-entrie.patch b/queue-5.16/net-dsa-hellcreek-fix-insertion-of-static-fdb-entrie.patch
new file mode 100644 (file)
index 0000000..d7180fe
--- /dev/null
@@ -0,0 +1,50 @@
+From f3afdeea1aa2f3fbcee2d50609be96389e084e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 14:45:05 +0100
+Subject: net: dsa: hellcreek: Fix insertion of static FDB entries
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit 4db4c3ea56978086ca367a355e440de17d534827 ]
+
+The insertion of static FDB entries ignores the pass_blocked bit. That bit is
+evaluated with regards to STP. Add the missing functionality.
+
+Fixes: e4b27ebc780f ("net: dsa: Add DSA driver for Hirschmann Hellcreek switches")
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek.c b/drivers/net/dsa/hirschmann/hellcreek.c
+index 4e0b53d94b525..bb1a24c8078be 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek.c
++++ b/drivers/net/dsa/hirschmann/hellcreek.c
+@@ -710,8 +710,9 @@ static int __hellcreek_fdb_add(struct hellcreek *hellcreek,
+       u16 meta = 0;
+       dev_dbg(hellcreek->dev, "Add static FDB entry: MAC=%pM, MASK=0x%02x, "
+-              "OBT=%d, REPRIO_EN=%d, PRIO=%d\n", entry->mac, entry->portmask,
+-              entry->is_obt, entry->reprio_en, entry->reprio_tc);
++              "OBT=%d, PASS_BLOCKED=%d, REPRIO_EN=%d, PRIO=%d\n", entry->mac,
++              entry->portmask, entry->is_obt, entry->pass_blocked,
++              entry->reprio_en, entry->reprio_tc);
+       /* Add mac address */
+       hellcreek_write(hellcreek, entry->mac[1] | (entry->mac[0] << 8), HR_FDBWDH);
+@@ -722,6 +723,8 @@ static int __hellcreek_fdb_add(struct hellcreek *hellcreek,
+       meta |= entry->portmask << HR_FDBWRM0_PORTMASK_SHIFT;
+       if (entry->is_obt)
+               meta |= HR_FDBWRM0_OBT;
++      if (entry->pass_blocked)
++              meta |= HR_FDBWRM0_PASS_BLOCKED;
+       if (entry->reprio_en) {
+               meta |= HR_FDBWRM0_REPRIO_EN;
+               meta |= entry->reprio_tc << HR_FDBWRM0_REPRIO_TC_SHIFT;
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-dsa-rtl8365mb-set-rgmii-rx-delay-in-steps-of-0.3.patch b/queue-5.16/net-dsa-rtl8365mb-set-rgmii-rx-delay-in-steps-of-0.3.patch
new file mode 100644 (file)
index 0000000..d3117bc
--- /dev/null
@@ -0,0 +1,78 @@
+From 7b612ac183ebe86e4ce25d6cefb63074794dfec2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 11:30:19 +0100
+Subject: net: dsa: rtl8365mb: set RGMII RX delay in steps of 0.3 ns
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alvin Šipraga <alsi@bang-olufsen.dk>
+
+[ Upstream commit ef136837aaf6f37f2dec78551671a6883f868d69 ]
+
+A contact at Realtek has clarified what exactly the units of RGMII RX
+delay are. The answer is that the unit of RX delay is "about 0.3 ns".
+Take this into account when parsing rx-internal-delay-ps by
+approximating the closest step value. Delays of more than 2.1 ns are
+rejected.
+
+This obviously contradicts the previous assumption in the driver that a
+step value of 4 was "about 2 ns", but Realtek also points out that it is
+easy to find more than one RX delay step value which makes RGMII work.
+
+Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC")
+Cc: Arınç ÜNAL <arinc.unal@arinc9.com>
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rtl8365mb.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/dsa/rtl8365mb.c b/drivers/net/dsa/rtl8365mb.c
+index 078ca4cd71605..48c0e3e466001 100644
+--- a/drivers/net/dsa/rtl8365mb.c
++++ b/drivers/net/dsa/rtl8365mb.c
+@@ -767,7 +767,8 @@ static int rtl8365mb_ext_config_rgmii(struct realtek_smi *smi, int port,
+        *     0 = no delay, 1 = 2 ns delay
+        *   RX delay:
+        *     0 = no delay, 7 = maximum delay
+-       *     No units are specified, but there are a total of 8 steps.
++       *     Each step is approximately 0.3 ns, so the maximum delay is about
++       *     2.1 ns.
+        *
+        * The vendor driver also states that this must be configured *before*
+        * forcing the external interface into a particular mode, which is done
+@@ -778,10 +779,6 @@ static int rtl8365mb_ext_config_rgmii(struct realtek_smi *smi, int port,
+        * specified. We ignore the detail of the RGMII interface mode
+        * (RGMII_{RXID, TXID, etc.}), as this is considered to be a PHY-only
+        * property.
+-       *
+-       * For the RX delay, we assume that a register value of 4 corresponds to
+-       * 2 ns. But this is just an educated guess, so ignore all other values
+-       * to avoid too much confusion.
+        */
+       if (!of_property_read_u32(dn, "tx-internal-delay-ps", &val)) {
+               val = val / 1000; /* convert to ns */
+@@ -794,13 +791,13 @@ static int rtl8365mb_ext_config_rgmii(struct realtek_smi *smi, int port,
+       }
+       if (!of_property_read_u32(dn, "rx-internal-delay-ps", &val)) {
+-              val = val / 1000; /* convert to ns */
++              val = DIV_ROUND_CLOSEST(val, 300); /* convert to 0.3 ns step */
+-              if (val == 0 || val == 2)
+-                      rx_delay = val * 2;
++              if (val <= 7)
++                      rx_delay = val;
+               else
+                       dev_warn(smi->dev,
+-                               "EXT port RX delay must be 0 to 2 ns\n");
++                               "EXT port RX delay must be 0 to 2.1 ns\n");
+       }
+       ret = regmap_update_bits(
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch b/queue-5.16/net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch
new file mode 100644 (file)
index 0000000..9a509d2
--- /dev/null
@@ -0,0 +1,137 @@
+From 9a3023fe8f528bd1e9b1882bc51afc00dad431ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 12:06:22 +0000
+Subject: net: ethernet: mtk_eth_soc: fix return values and refactor MDIO ops
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit eda80b249df7bbc7b3dd13907343a3e59bfc57fd ]
+
+Instead of returning -1 (-EPERM) when MDIO bus is stuck busy
+while writing or 0xffff if it happens while reading, return the
+appropriate -ETIMEDOUT. Also fix return type to int instead of u32.
+Refactor functions to use bitfield helpers instead of having various
+masking and shifting constants in the code, which also results in the
+register definitions in the header file being more obviously related
+to what is stated in the MediaTek's Reference Manual.
+
+Fixes: 656e705243fd0 ("net-next: mediatek: add support for MT7623 ethernet")
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 53 ++++++++++++---------
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 16 +++++--
+ 2 files changed, 41 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 75d67d1b5f6b2..ab023d3ca81f9 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -91,46 +91,53 @@ static int mtk_mdio_busy_wait(struct mtk_eth *eth)
+       }
+       dev_err(eth->dev, "mdio: MDIO timeout\n");
+-      return -1;
++      return -ETIMEDOUT;
+ }
+-static u32 _mtk_mdio_write(struct mtk_eth *eth, u32 phy_addr,
+-                         u32 phy_register, u32 write_data)
++static int _mtk_mdio_write(struct mtk_eth *eth, u32 phy_addr, u32 phy_reg,
++                         u32 write_data)
+ {
+-      if (mtk_mdio_busy_wait(eth))
+-              return -1;
++      int ret;
+-      write_data &= 0xffff;
++      ret = mtk_mdio_busy_wait(eth);
++      if (ret < 0)
++              return ret;
+-      mtk_w32(eth, PHY_IAC_ACCESS | PHY_IAC_START | PHY_IAC_WRITE |
+-              (phy_register << PHY_IAC_REG_SHIFT) |
+-              (phy_addr << PHY_IAC_ADDR_SHIFT) | write_data,
++      mtk_w32(eth, PHY_IAC_ACCESS |
++                   PHY_IAC_START_C22 |
++                   PHY_IAC_CMD_WRITE |
++                   PHY_IAC_REG(phy_reg) |
++                   PHY_IAC_ADDR(phy_addr) |
++                   PHY_IAC_DATA(write_data),
+               MTK_PHY_IAC);
+-      if (mtk_mdio_busy_wait(eth))
+-              return -1;
++      ret = mtk_mdio_busy_wait(eth);
++      if (ret < 0)
++              return ret;
+       return 0;
+ }
+-static u32 _mtk_mdio_read(struct mtk_eth *eth, int phy_addr, int phy_reg)
++static int _mtk_mdio_read(struct mtk_eth *eth, u32 phy_addr, u32 phy_reg)
+ {
+-      u32 d;
++      int ret;
+-      if (mtk_mdio_busy_wait(eth))
+-              return 0xffff;
++      ret = mtk_mdio_busy_wait(eth);
++      if (ret < 0)
++              return ret;
+-      mtk_w32(eth, PHY_IAC_ACCESS | PHY_IAC_START | PHY_IAC_READ |
+-              (phy_reg << PHY_IAC_REG_SHIFT) |
+-              (phy_addr << PHY_IAC_ADDR_SHIFT),
++      mtk_w32(eth, PHY_IAC_ACCESS |
++                   PHY_IAC_START_C22 |
++                   PHY_IAC_CMD_C22_READ |
++                   PHY_IAC_REG(phy_reg) |
++                   PHY_IAC_ADDR(phy_addr),
+               MTK_PHY_IAC);
+-      if (mtk_mdio_busy_wait(eth))
+-              return 0xffff;
+-
+-      d = mtk_r32(eth, MTK_PHY_IAC) & 0xffff;
++      ret = mtk_mdio_busy_wait(eth);
++      if (ret < 0)
++              return ret;
+-      return d;
++      return mtk_r32(eth, MTK_PHY_IAC) & PHY_IAC_DATA_MASK;
+ }
+ static int mtk_mdio_write(struct mii_bus *bus, int phy_addr,
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 5ef70dd8b49c6..f2d90639d7ed1 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -341,11 +341,17 @@
+ /* PHY Indirect Access Control registers */
+ #define MTK_PHY_IAC           0x10004
+ #define PHY_IAC_ACCESS                BIT(31)
+-#define PHY_IAC_READ          BIT(19)
+-#define PHY_IAC_WRITE         BIT(18)
+-#define PHY_IAC_START         BIT(16)
+-#define PHY_IAC_ADDR_SHIFT    20
+-#define PHY_IAC_REG_SHIFT     25
++#define PHY_IAC_REG_MASK      GENMASK(29, 25)
++#define PHY_IAC_REG(x)                FIELD_PREP(PHY_IAC_REG_MASK, (x))
++#define PHY_IAC_ADDR_MASK     GENMASK(24, 20)
++#define PHY_IAC_ADDR(x)               FIELD_PREP(PHY_IAC_ADDR_MASK, (x))
++#define PHY_IAC_CMD_MASK      GENMASK(19, 18)
++#define PHY_IAC_CMD_WRITE     FIELD_PREP(PHY_IAC_CMD_MASK, 1)
++#define PHY_IAC_CMD_C22_READ  FIELD_PREP(PHY_IAC_CMD_MASK, 2)
++#define PHY_IAC_START_MASK    GENMASK(17, 16)
++#define PHY_IAC_START_C22     FIELD_PREP(PHY_IAC_START_MASK, 1)
++#define PHY_IAC_DATA_MASK     GENMASK(15, 0)
++#define PHY_IAC_DATA(x)               FIELD_PREP(PHY_IAC_DATA_MASK, (x))
+ #define PHY_IAC_TIMEOUT               HZ
+ #define MTK_MAC_MISC          0x1000c
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-fix-sof_timestamping_bind_phc-to-work-with-multi.patch b/queue-5.16/net-fix-sof_timestamping_bind_phc-to-work-with-multi.patch
new file mode 100644 (file)
index 0000000..5c02fa6
--- /dev/null
@@ -0,0 +1,130 @@
+From b290b1e7aa58fb9736dde66a263b7b96ad0a0dea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 11:33:26 +0100
+Subject: net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets
+
+From: Miroslav Lichvar <mlichvar@redhat.com>
+
+[ Upstream commit 007747a984ea5e895b7d8b056b24ebf431e1e71d ]
+
+When multiple sockets using the SOF_TIMESTAMPING_BIND_PHC flag received
+a packet with a hardware timestamp (e.g. multiple PTP instances in
+different PTP domains using the UDPv4/v6 multicast or L2 transport),
+the timestamps received on some sockets were corrupted due to repeated
+conversion of the same timestamp (by the same or different vclocks).
+
+Fix ptp_convert_timestamp() to not modify the shared skb timestamp
+and return the converted timestamp as a ktime_t instead. If the
+conversion fails, return 0 to not confuse the application with
+timestamps corresponding to an unexpected PHC.
+
+Fixes: d7c088265588 ("net: socket: support hardware timestamp conversion to PHC bound")
+Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
+Cc: Yangbo Lu <yangbo.lu@nxp.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_vclock.c         | 10 +++++-----
+ include/linux/ptp_clock_kernel.h | 12 +++++++-----
+ net/socket.c                     |  9 ++++++---
+ 3 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/ptp/ptp_vclock.c b/drivers/ptp/ptp_vclock.c
+index baee0379482bc..ab1d233173e13 100644
+--- a/drivers/ptp/ptp_vclock.c
++++ b/drivers/ptp/ptp_vclock.c
+@@ -185,8 +185,8 @@ out:
+ }
+ EXPORT_SYMBOL(ptp_get_vclocks_index);
+-void ptp_convert_timestamp(struct skb_shared_hwtstamps *hwtstamps,
+-                         int vclock_index)
++ktime_t ptp_convert_timestamp(const struct skb_shared_hwtstamps *hwtstamps,
++                            int vclock_index)
+ {
+       char name[PTP_CLOCK_NAME_LEN] = "";
+       struct ptp_vclock *vclock;
+@@ -198,12 +198,12 @@ void ptp_convert_timestamp(struct skb_shared_hwtstamps *hwtstamps,
+       snprintf(name, PTP_CLOCK_NAME_LEN, "ptp%d", vclock_index);
+       dev = class_find_device_by_name(ptp_class, name);
+       if (!dev)
+-              return;
++              return 0;
+       ptp = dev_get_drvdata(dev);
+       if (!ptp->is_virtual_clock) {
+               put_device(dev);
+-              return;
++              return 0;
+       }
+       vclock = info_to_vclock(ptp->info);
+@@ -215,7 +215,7 @@ void ptp_convert_timestamp(struct skb_shared_hwtstamps *hwtstamps,
+       spin_unlock_irqrestore(&vclock->lock, flags);
+       put_device(dev);
+-      hwtstamps->hwtstamp = ns_to_ktime(ns);
++      return ns_to_ktime(ns);
+ }
+ EXPORT_SYMBOL(ptp_convert_timestamp);
+ #endif
+diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h
+index 2e5565067355b..554454cb86931 100644
+--- a/include/linux/ptp_clock_kernel.h
++++ b/include/linux/ptp_clock_kernel.h
+@@ -351,15 +351,17 @@ int ptp_get_vclocks_index(int pclock_index, int **vclock_index);
+  *
+  * @hwtstamps:    skb_shared_hwtstamps structure pointer
+  * @vclock_index: phc index of ptp vclock.
++ *
++ * Returns converted timestamp, or 0 on error.
+  */
+-void ptp_convert_timestamp(struct skb_shared_hwtstamps *hwtstamps,
+-                         int vclock_index);
++ktime_t ptp_convert_timestamp(const struct skb_shared_hwtstamps *hwtstamps,
++                            int vclock_index);
+ #else
+ static inline int ptp_get_vclocks_index(int pclock_index, int **vclock_index)
+ { return 0; }
+-static inline void ptp_convert_timestamp(struct skb_shared_hwtstamps *hwtstamps,
+-                                       int vclock_index)
+-{ }
++static inline ktime_t ptp_convert_timestamp(const struct skb_shared_hwtstamps *hwtstamps,
++                                          int vclock_index)
++{ return 0; }
+ #endif
+diff --git a/net/socket.c b/net/socket.c
+index 7f64a6eccf63f..5053eb0100e48 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -829,6 +829,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+       int empty = 1, false_tstamp = 0;
+       struct skb_shared_hwtstamps *shhwtstamps =
+               skb_hwtstamps(skb);
++      ktime_t hwtstamp;
+       /* Race occurred between timestamp enabling and packet
+          receiving.  Fill in the current time for now. */
+@@ -877,10 +878,12 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+           (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE) &&
+           !skb_is_swtx_tstamp(skb, false_tstamp)) {
+               if (sk->sk_tsflags & SOF_TIMESTAMPING_BIND_PHC)
+-                      ptp_convert_timestamp(shhwtstamps, sk->sk_bind_phc);
++                      hwtstamp = ptp_convert_timestamp(shhwtstamps,
++                                                       sk->sk_bind_phc);
++              else
++                      hwtstamp = shhwtstamps->hwtstamp;
+-              if (ktime_to_timespec64_cond(shhwtstamps->hwtstamp,
+-                                           tss.ts + 2)) {
++              if (ktime_to_timespec64_cond(hwtstamp, tss.ts + 2)) {
+                       empty = 0;
+                       if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_PKTINFO) &&
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-gemini-allow-any-rgmii-interface-mode.patch b/queue-5.16/net-gemini-allow-any-rgmii-interface-mode.patch
new file mode 100644 (file)
index 0000000..fd6a6d8
--- /dev/null
@@ -0,0 +1,71 @@
+From c58517f330df6e0b2d653cec466fac8a8df126fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 16:38:31 +0000
+Subject: net: gemini: allow any RGMII interface mode
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 4e4f325a0a55907b14f579e6b1a38c53755e3de2 ]
+
+The four RGMII interface modes take care of the required RGMII delay
+configuration at the PHY and should not be limited by the network MAC
+driver. Sadly, gemini was only permitting RGMII mode with no delays,
+which would require the required delay to be inserted via PCB tracking
+or by the MAC.
+
+However, there are designs that require the PHY to add the delay, which
+is impossible without Gemini permitting the other three PHY interface
+modes. Fix the driver to allow these.
+
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Link: https://lore.kernel.org/r/E1n4mpT-002PLd-Ha@rmk-PC.armlinux.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 941f175fb911e..0ff40a9b06cec 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -305,21 +305,21 @@ static void gmac_speed_set(struct net_device *netdev)
+       switch (phydev->speed) {
+       case 1000:
+               status.bits.speed = GMAC_SPEED_1000;
+-              if (phydev->interface == PHY_INTERFACE_MODE_RGMII)
++              if (phy_interface_mode_is_rgmii(phydev->interface))
+                       status.bits.mii_rmii = GMAC_PHY_RGMII_1000;
+               netdev_dbg(netdev, "connect %s to RGMII @ 1Gbit\n",
+                          phydev_name(phydev));
+               break;
+       case 100:
+               status.bits.speed = GMAC_SPEED_100;
+-              if (phydev->interface == PHY_INTERFACE_MODE_RGMII)
++              if (phy_interface_mode_is_rgmii(phydev->interface))
+                       status.bits.mii_rmii = GMAC_PHY_RGMII_100_10;
+               netdev_dbg(netdev, "connect %s to RGMII @ 100 Mbit\n",
+                          phydev_name(phydev));
+               break;
+       case 10:
+               status.bits.speed = GMAC_SPEED_10;
+-              if (phydev->interface == PHY_INTERFACE_MODE_RGMII)
++              if (phy_interface_mode_is_rgmii(phydev->interface))
+                       status.bits.mii_rmii = GMAC_PHY_RGMII_100_10;
+               netdev_dbg(netdev, "connect %s to RGMII @ 10 Mbit\n",
+                          phydev_name(phydev));
+@@ -389,6 +389,9 @@ static int gmac_setup_phy(struct net_device *netdev)
+               status.bits.mii_rmii = GMAC_PHY_GMII;
+               break;
+       case PHY_INTERFACE_MODE_RGMII:
++      case PHY_INTERFACE_MODE_RGMII_ID:
++      case PHY_INTERFACE_MODE_RGMII_TXID:
++      case PHY_INTERFACE_MODE_RGMII_RXID:
+               netdev_dbg(netdev,
+                          "RGMII: set GMAC0 and GMAC1 to MII/RGMII mode\n");
+               status.bits.mii_rmii = GMAC_PHY_RGMII_100_10;
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-lantiq-fix-missing-free_netdev-on-error-in-ltq_e.patch b/queue-5.16/net-lantiq-fix-missing-free_netdev-on-error-in-ltq_e.patch
new file mode 100644 (file)
index 0000000..c1f35a8
--- /dev/null
@@ -0,0 +1,43 @@
+From 58b4246433b6aaf34acaff573d5e0833323f4fd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 11:38:37 +0800
+Subject: net: lantiq: fix missing free_netdev() on error in ltq_etop_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2680ce7fc9939221da16e86a2e73cc1df563c82c ]
+
+Add the missing free_netdev() before return from ltq_etop_probe()
+in the error handling case.
+
+Fixes: 14d4e308e0aa ("net: lantiq: configure the burst length in ethernet drivers")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index 072391c494ce4..14059e11710ad 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -687,13 +687,13 @@ ltq_etop_probe(struct platform_device *pdev)
+       err = device_property_read_u32(&pdev->dev, "lantiq,tx-burst-length", &priv->tx_burst_len);
+       if (err < 0) {
+               dev_err(&pdev->dev, "unable to read tx-burst-length property\n");
+-              return err;
++              goto err_free;
+       }
+       err = device_property_read_u32(&pdev->dev, "lantiq,rx-burst-length", &priv->rx_burst_len);
+       if (err < 0) {
+               dev_err(&pdev->dev, "unable to read rx-burst-length property\n");
+-              return err;
++              goto err_free;
+       }
+       for (i = 0; i < MAX_DMA_CHAN; i++) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mcs7830-handle-usb-read-errors-properly.patch b/queue-5.16/net-mcs7830-handle-usb-read-errors-properly.patch
new file mode 100644 (file)
index 0000000..c73be47
--- /dev/null
@@ -0,0 +1,56 @@
+From 9d00121d667d254ea870c2e8cd902a6bcadf6424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 01:57:16 +0300
+Subject: net: mcs7830: handle usb read errors properly
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit d668769eb9c52b150753f1653f7f5a0aeb8239d2 ]
+
+Syzbot reported uninit value in mcs7830_bind(). The problem was in
+missing validation check for bytes read via usbnet_read_cmd().
+
+usbnet_read_cmd() internally calls usb_control_msg(), that returns
+number of bytes read. Code should validate that requested number of bytes
+was actually read.
+
+So, this patch adds missing size validation check inside
+mcs7830_get_reg() to prevent uninit value bugs
+
+Reported-and-tested-by: syzbot+003c0a286b9af5412510@syzkaller.appspotmail.com
+Fixes: 2a36d7083438 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20220106225716.7425-1-paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/mcs7830.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
+index 326cc4e749d80..fdda0616704ea 100644
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -108,8 +108,16 @@ static const char driver_name[] = "MOSCHIP usb-ethernet driver";
+ static int mcs7830_get_reg(struct usbnet *dev, u16 index, u16 size, void *data)
+ {
+-      return usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
+-                              0x0000, index, data, size);
++      int ret;
++
++      ret = usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
++                            0x0000, index, data, size);
++      if (ret < 0)
++              return ret;
++      else if (ret < size)
++              return -ENODATA;
++
++      return ret;
+ }
+ static int mcs7830_set_reg(struct usbnet *dev, u16 index, u16 size, const void *data)
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mdio-demote-probed-message-to-debug-print.patch b/queue-5.16/net-mdio-demote-probed-message-to-debug-print.patch
new file mode 100644 (file)
index 0000000..0357f14
--- /dev/null
@@ -0,0 +1,40 @@
+From 59d978880b8f3e173edced1c9d578fa53d43f34d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jan 2022 11:40:24 -0800
+Subject: net: mdio: Demote probed message to debug print
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 7590fc6f80ac2cbf23e6b42b668bbeded070850b ]
+
+On systems with large numbers of MDIO bus/muxes the message indicating
+that a given MDIO bus has been successfully probed is repeated for as
+many buses we have, which can eat up substantial boot time for no
+reason, demote to a debug print.
+
+Reported-by: Maxime Bizon <mbizon@freebox.fr>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220103194024.2620-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index c198722e4871d..3f7b93d5c76fe 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -594,7 +594,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
+       mdiobus_setup_mdiodev_from_board_info(bus, mdiobus_create_device);
+       bus->state = MDIOBUS_REGISTERED;
+-      pr_info("%s: probed\n", bus->name);
++      dev_dbg(&bus->dev, "probed\n");
+       return 0;
+ error:
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5-dr-fix-error-flow-in-creating-matcher.patch b/queue-5.16/net-mlx5-dr-fix-error-flow-in-creating-matcher.patch
new file mode 100644 (file)
index 0000000..dd6907f
--- /dev/null
@@ -0,0 +1,107 @@
+From 83f7f078c688e6dd8b3d9bca41c06fb4edbe97c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 12:56:18 +0200
+Subject: net/mlx5: DR, Fix error flow in creating matcher
+
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+
+[ Upstream commit 84dfac39c61fde04126e23723138128b50cd036f ]
+
+The error code of nic matcher init functions wasn't checked.
+This patch improves the matcher init function and fix error flow bug:
+the handling of match parameter is moved into a separate function
+and error flow is simplified.
+
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/steering/dr_matcher.c  | 53 +++++++++++--------
+ 1 file changed, 32 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+index 793365242e852..3d0cdc36a91ab 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_matcher.c
+@@ -872,13 +872,12 @@ uninit_nic_rx:
+       return ret;
+ }
+-static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+-                         struct mlx5dr_match_parameters *mask)
++static int dr_matcher_copy_param(struct mlx5dr_matcher *matcher,
++                               struct mlx5dr_match_parameters *mask)
+ {
++      struct mlx5dr_domain *dmn = matcher->tbl->dmn;
+       struct mlx5dr_match_parameters consumed_mask;
+-      struct mlx5dr_table *tbl = matcher->tbl;
+-      struct mlx5dr_domain *dmn = tbl->dmn;
+-      int i, ret;
++      int i, ret = 0;
+       if (matcher->match_criteria >= DR_MATCHER_CRITERIA_MAX) {
+               mlx5dr_err(dmn, "Invalid match criteria attribute\n");
+@@ -898,10 +897,36 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+               consumed_mask.match_sz = mask->match_sz;
+               memcpy(consumed_mask.match_buf, mask->match_buf, mask->match_sz);
+               mlx5dr_ste_copy_param(matcher->match_criteria,
+-                                    &matcher->mask, &consumed_mask,
+-                                    true);
++                                    &matcher->mask, &consumed_mask, true);
++
++              /* Check that all mask data was consumed */
++              for (i = 0; i < consumed_mask.match_sz; i++) {
++                      if (!((u8 *)consumed_mask.match_buf)[i])
++                              continue;
++
++                      mlx5dr_dbg(dmn,
++                                 "Match param mask contains unsupported parameters\n");
++                      ret = -EOPNOTSUPP;
++                      break;
++              }
++
++              kfree(consumed_mask.match_buf);
+       }
++      return ret;
++}
++
++static int dr_matcher_init(struct mlx5dr_matcher *matcher,
++                         struct mlx5dr_match_parameters *mask)
++{
++      struct mlx5dr_table *tbl = matcher->tbl;
++      struct mlx5dr_domain *dmn = tbl->dmn;
++      int ret;
++
++      ret = dr_matcher_copy_param(matcher, mask);
++      if (ret)
++              return ret;
++
+       switch (dmn->type) {
+       case MLX5DR_DOMAIN_TYPE_NIC_RX:
+               matcher->rx.nic_tbl = &tbl->rx;
+@@ -919,22 +944,8 @@ static int dr_matcher_init(struct mlx5dr_matcher *matcher,
+       default:
+               WARN_ON(true);
+               ret = -EINVAL;
+-              goto free_consumed_mask;
+-      }
+-
+-      /* Check that all mask data was consumed */
+-      for (i = 0; i < consumed_mask.match_sz; i++) {
+-              if (!((u8 *)consumed_mask.match_buf)[i])
+-                      continue;
+-
+-              mlx5dr_dbg(dmn, "Match param mask contains unsupported parameters\n");
+-              ret = -EOPNOTSUPP;
+-              goto free_consumed_mask;
+       }
+-      ret =  0;
+-free_consumed_mask:
+-      kfree(consumed_mask.match_buf);
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5-fix-access-to-sf_dev_table-on-allocation-fa.patch b/queue-5.16/net-mlx5-fix-access-to-sf_dev_table-on-allocation-fa.patch
new file mode 100644 (file)
index 0000000..2a23ea7
--- /dev/null
@@ -0,0 +1,44 @@
+From a410d70451da00a526c864b9ee89897af11104ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 08:54:08 +0200
+Subject: net/mlx5: Fix access to sf_dev_table on allocation failure
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit a1c7c49c2091926962f8c1c866d386febffec5d8 ]
+
+Even when SF devices are supported, the SF device table allocation
+can still fail.
+In such case mlx5_sf_dev_supported still reports true, but SF device
+table is invalid. This can result in NULL table access.
+
+Hence, fix it by adding NULL table check.
+
+Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
+index f37db7cc32a65..7da012ff0d419 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
+@@ -30,10 +30,7 @@ bool mlx5_sf_dev_allocated(const struct mlx5_core_dev *dev)
+ {
+       struct mlx5_sf_dev_table *table = dev->priv.sf_dev_table;
+-      if (!mlx5_sf_dev_supported(dev))
+-              return false;
+-
+-      return !xa_empty(&table->devices);
++      return table && !xa_empty(&table->devices);
+ }
+ static ssize_t sfnum_show(struct device *dev, struct device_attribute *attr, char *buf)
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch b/queue-5.16/net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch
new file mode 100644 (file)
index 0000000..c95b2cb
--- /dev/null
@@ -0,0 +1,72 @@
+From e1683d8df2eb292689043d18cf5d67cda9e6f249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Dec 2021 12:07:49 +0200
+Subject: net/mlx5: Set command entry semaphore up once got index free
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 8e715cd613a1e872b9d918e912d90b399785761a ]
+
+Avoid a race where command work handler may fail to allocate command
+entry index, by holding the command semaphore down till command entry
+index is being freed.
+
+Fixes: 410bd754cd73 ("net/mlx5: Add retry mechanism to the command entry index allocation")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Eran Ben Elisha <eranbe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index a46284ca51720..f588503157d04 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -148,8 +148,12 @@ static void cmd_ent_put(struct mlx5_cmd_work_ent *ent)
+       if (!refcount_dec_and_test(&ent->refcnt))
+               return;
+-      if (ent->idx >= 0)
+-              cmd_free_index(ent->cmd, ent->idx);
++      if (ent->idx >= 0) {
++              struct mlx5_cmd *cmd = ent->cmd;
++
++              cmd_free_index(cmd, ent->idx);
++              up(ent->page_queue ? &cmd->pages_sem : &cmd->sem);
++      }
+       cmd_free_ent(ent);
+ }
+@@ -1602,8 +1606,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+       vector = vec & 0xffffffff;
+       for (i = 0; i < (1 << cmd->log_sz); i++) {
+               if (test_bit(i, &vector)) {
+-                      struct semaphore *sem;
+-
+                       ent = cmd->ent_arr[i];
+                       /* if we already completed the command, ignore it */
+@@ -1626,10 +1628,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+                           dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
+                               cmd_ent_put(ent);
+-                      if (ent->page_queue)
+-                              sem = &cmd->pages_sem;
+-                      else
+-                              sem = &cmd->sem;
+                       ent->ts2 = ktime_get_ns();
+                       memcpy(ent->out->first.data, ent->lay->out, sizeof(ent->lay->out));
+                       dump_command(dev, ent, 0);
+@@ -1683,7 +1681,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+                                */
+                               complete(&ent->done);
+                       }
+-                      up(sem);
+               }
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5-update-log_max_qp-value-to-fw-max-capabilit.patch b/queue-5.16/net-mlx5-update-log_max_qp-value-to-fw-max-capabilit.patch
new file mode 100644 (file)
index 0000000..0d25ef1
--- /dev/null
@@ -0,0 +1,65 @@
+From 934d39f27582a90462e9ce261e939da74c36b22b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 14:50:11 +0200
+Subject: net/mlx5: Update log_max_qp value to FW max capability
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit f79a609ea6bf54ad2d2c24e4de4524288b221666 ]
+
+log_max_qp in driver's default profile #2 was set to 18, but FW actually
+supports 17 at the most - a situation that led to the concerning print
+when the driver is loaded:
+"log_max_qp value in current profile is 18, changing to HCA capabaility
+limit (17)"
+
+The expected behavior from mlx5_profile #2 is to match the maximum FW
+capability in regards to log_max_qp. Thus, log_max_qp in profile #2 is
+initialized to a defined static value (0xff) - which basically means that
+when loading this profile, log_max_qp value  will be what the currently
+installed FW supports at most.
+
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 65083496f9131..6e381111f1d2f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -98,6 +98,8 @@ enum {
+       MLX5_ATOMIC_REQ_MODE_HOST_ENDIANNESS = 0x1,
+ };
++#define LOG_MAX_SUPPORTED_QPS 0xff
++
+ static struct mlx5_profile profile[] = {
+       [0] = {
+               .mask           = 0,
+@@ -109,7 +111,7 @@ static struct mlx5_profile profile[] = {
+       [2] = {
+               .mask           = MLX5_PROF_MASK_QP_SIZE |
+                                 MLX5_PROF_MASK_MR_CACHE,
+-              .log_max_qp     = 18,
++              .log_max_qp     = LOG_MAX_SUPPORTED_QPS,
+               .mr_cache[0]    = {
+                       .size   = 500,
+                       .limit  = 250
+@@ -507,7 +509,9 @@ static int handle_hca_cap(struct mlx5_core_dev *dev, void *set_ctx)
+                to_fw_pkey_sz(dev, 128));
+       /* Check log_max_qp from HCA caps to set in current profile */
+-      if (MLX5_CAP_GEN_MAX(dev, log_max_qp) < prof->log_max_qp) {
++      if (prof->log_max_qp == LOG_MAX_SUPPORTED_QPS) {
++              prof->log_max_qp = MLX5_CAP_GEN_MAX(dev, log_max_qp);
++      } else if (MLX5_CAP_GEN_MAX(dev, log_max_qp) < prof->log_max_qp) {
+               mlx5_core_warn(dev, "log_max_qp value in current profile is %d, changing it to HCA capability limit (%d)\n",
+                              prof->log_max_qp,
+                              MLX5_CAP_GEN_MAX(dev, log_max_qp));
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch b/queue-5.16/net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch
new file mode 100644 (file)
index 0000000..2cc4f8e
--- /dev/null
@@ -0,0 +1,48 @@
+From b4e7046ed4e3b5d087e802f07c7277b10a6bddf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 11:20:10 +0200
+Subject: net/mlx5e: Don't block routes with nexthop objects in SW
+
+From: Maor Dickman <maord@nvidia.com>
+
+[ Upstream commit 9e72a55a3c9d54b38a704bb7292d984574a81d9d ]
+
+Routes with nexthop objects is currently not supported by multipath offload
+and any attempts to use it is blocked, however this also block adding SW
+routes with nexthop.
+
+Resolve this by returning NOTIFY_DONE instead of an error which will allow such
+a route to be created in SW but not offloaded.
+
+This fix also solve an issue which block adding such routes on different devices
+due to missing check if the route FIB device is one of multipath devices.
+
+Fixes: 6a87afc072c3 ("mlx5: Fail attempts to use routes with nexthop objects")
+Signed-off-by: Maor Dickman <maord@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
+index bf4d3cbefa633..1ca01a5b6cdd8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
+@@ -268,10 +268,8 @@ static int mlx5_lag_fib_event(struct notifier_block *nb,
+               fen_info = container_of(info, struct fib_entry_notifier_info,
+                                       info);
+               fi = fen_info->fi;
+-              if (fi->nh) {
+-                      NL_SET_ERR_MSG_MOD(info->extack, "IPv4 route with nexthop objects is not supported");
+-                      return notifier_from_errno(-EINVAL);
+-              }
++              if (fi->nh)
++                      return NOTIFY_DONE;
+               fib_dev = fib_info_nh(fen_info->fi, 0)->fib_nh_dev;
+               if (fib_dev != ldev->pf[MLX5_LAG_P1].netdev &&
+                   fib_dev != ldev->pf[MLX5_LAG_P2].netdev) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-fix-matching-on-modified-inner-ip_ecn-bits.patch b/queue-5.16/net-mlx5e-fix-matching-on-modified-inner-ip_ecn-bits.patch
new file mode 100644 (file)
index 0000000..50643b6
--- /dev/null
@@ -0,0 +1,198 @@
+From 1fba30b5ba13d53bd497ed10b91e5d6d1caad18c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 10:55:56 +0300
+Subject: net/mlx5e: Fix matching on modified inner ip_ecn bits
+
+From: Paul Blakey <paulb@nvidia.com>
+
+[ Upstream commit b6dfff21a170af5c695ebaa153b7f5e297ddca03 ]
+
+Tunnel device follows RFC 6040, and during decapsulation inner
+ip_ecn might change depending on inner and outer ip_ecn as follows:
+
+ +---------+----------------------------------------+
+ |Arriving |         Arriving Outer Header          |
+ |   Inner +---------+---------+---------+----------+
+ |  Header | Not-ECT | ECT(0)  | ECT(1)  |   CE     |
+ +---------+---------+---------+---------+----------+
+ | Not-ECT | Not-ECT | Not-ECT | Not-ECT | <drop>   |
+ |  ECT(0) |  ECT(0) | ECT(0)  | ECT(1)  |   CE*    |
+ |  ECT(1) |  ECT(1) | ECT(1)  | ECT(1)* |   CE*    |
+ |    CE   |   CE    |  CE     | CE      |   CE     |
+ +---------+---------+---------+---------+----------+
+
+Cells marked above are changed from original inner packet ip_ecn value.
+
+Tc then matches on the modified inner ip_ecn, but hw offload which
+matches the inner ip_ecn value before decap, will fail.
+
+Fix that by mapping all the cases of outer and inner ip_ecn matching,
+and only supporting cases where we know inner wouldn't be changed by
+decap, or in the outer ip_ecn=CE case, inner ip_ecn didn't matter.
+
+Fixes: bcef735c59f2 ("net/mlx5e: Offload TC matching on tos/ttl for ip tunnels")
+Signed-off-by: Paul Blakey <paulb@nvidia.com>
+Reviewed-by: Oz Shlomo <ozsh@nvidia.com>
+Reviewed-by: Eli Cohen <elic@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_tc.c   | 120 +++++++++++++++++-
+ 1 file changed, 116 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 5e454a14428f2..9b3adaccc9beb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1949,6 +1949,111 @@ u8 mlx5e_tc_get_ip_version(struct mlx5_flow_spec *spec, bool outer)
+       return ip_version;
+ }
++/* Tunnel device follows RFC 6040, see include/net/inet_ecn.h.
++ * And changes inner ip_ecn depending on inner and outer ip_ecn as follows:
++ *      +---------+----------------------------------------+
++ *      |Arriving |         Arriving Outer Header          |
++ *      |   Inner +---------+---------+---------+----------+
++ *      |  Header | Not-ECT | ECT(0)  | ECT(1)  |   CE     |
++ *      +---------+---------+---------+---------+----------+
++ *      | Not-ECT | Not-ECT | Not-ECT | Not-ECT | <drop>   |
++ *      |  ECT(0) |  ECT(0) | ECT(0)  | ECT(1)  |   CE*    |
++ *      |  ECT(1) |  ECT(1) | ECT(1)  | ECT(1)* |   CE*    |
++ *      |    CE   |   CE    |  CE     | CE      |   CE     |
++ *      +---------+---------+---------+---------+----------+
++ *
++ * Tc matches on inner after decapsulation on tunnel device, but hw offload matches
++ * the inner ip_ecn value before hardware decap action.
++ *
++ * Cells marked are changed from original inner packet ip_ecn value during decap, and
++ * so matching those values on inner ip_ecn before decap will fail.
++ *
++ * The following helper allows offload when inner ip_ecn won't be changed by outer ip_ecn,
++ * except for the outer ip_ecn = CE, where in all cases inner ip_ecn will be changed to CE,
++ * and such we can drop the inner ip_ecn=CE match.
++ */
++
++static int mlx5e_tc_verify_tunnel_ecn(struct mlx5e_priv *priv,
++                                    struct flow_cls_offload *f,
++                                    bool *match_inner_ecn)
++{
++      u8 outer_ecn_mask = 0, outer_ecn_key = 0, inner_ecn_mask = 0, inner_ecn_key = 0;
++      struct flow_rule *rule = flow_cls_offload_flow_rule(f);
++      struct netlink_ext_ack *extack = f->common.extack;
++      struct flow_match_ip match;
++
++      *match_inner_ecn = true;
++
++      if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_IP)) {
++              flow_rule_match_enc_ip(rule, &match);
++              outer_ecn_key = match.key->tos & INET_ECN_MASK;
++              outer_ecn_mask = match.mask->tos & INET_ECN_MASK;
++      }
++
++      if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IP)) {
++              flow_rule_match_ip(rule, &match);
++              inner_ecn_key = match.key->tos & INET_ECN_MASK;
++              inner_ecn_mask = match.mask->tos & INET_ECN_MASK;
++      }
++
++      if (outer_ecn_mask != 0 && outer_ecn_mask != INET_ECN_MASK) {
++              NL_SET_ERR_MSG_MOD(extack, "Partial match on enc_tos ecn bits isn't supported");
++              netdev_warn(priv->netdev, "Partial match on enc_tos ecn bits isn't supported");
++              return -EOPNOTSUPP;
++      }
++
++      if (!outer_ecn_mask) {
++              if (!inner_ecn_mask)
++                      return 0;
++
++              NL_SET_ERR_MSG_MOD(extack,
++                                 "Matching on tos ecn bits without also matching enc_tos ecn bits isn't supported");
++              netdev_warn(priv->netdev,
++                          "Matching on tos ecn bits without also matching enc_tos ecn bits isn't supported");
++              return -EOPNOTSUPP;
++      }
++
++      if (inner_ecn_mask && inner_ecn_mask != INET_ECN_MASK) {
++              NL_SET_ERR_MSG_MOD(extack,
++                                 "Partial match on tos ecn bits with match on enc_tos ecn bits isn't supported");
++              netdev_warn(priv->netdev,
++                          "Partial match on tos ecn bits with match on enc_tos ecn bits isn't supported");
++              return -EOPNOTSUPP;
++      }
++
++      if (!inner_ecn_mask)
++              return 0;
++
++      /* Both inner and outer have full mask on ecn */
++
++      if (outer_ecn_key == INET_ECN_ECT_1) {
++              /* inner ecn might change by DECAP action */
++
++              NL_SET_ERR_MSG_MOD(extack, "Match on enc_tos ecn = ECT(1) isn't supported");
++              netdev_warn(priv->netdev, "Match on enc_tos ecn = ECT(1) isn't supported");
++              return -EOPNOTSUPP;
++      }
++
++      if (outer_ecn_key != INET_ECN_CE)
++              return 0;
++
++      if (inner_ecn_key != INET_ECN_CE) {
++              /* Can't happen in software, as packet ecn will be changed to CE after decap */
++              NL_SET_ERR_MSG_MOD(extack,
++                                 "Match on tos enc_tos ecn = CE while match on tos ecn != CE isn't supported");
++              netdev_warn(priv->netdev,
++                          "Match on tos enc_tos ecn = CE while match on tos ecn != CE isn't supported");
++              return -EOPNOTSUPP;
++      }
++
++      /* outer ecn = CE, inner ecn = CE, as decap will change inner ecn to CE in anycase,
++       * drop match on inner ecn
++       */
++      *match_inner_ecn = false;
++
++      return 0;
++}
++
+ static int parse_tunnel_attr(struct mlx5e_priv *priv,
+                            struct mlx5e_tc_flow *flow,
+                            struct mlx5_flow_spec *spec,
+@@ -2144,6 +2249,7 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+       struct flow_rule *rule = flow_cls_offload_flow_rule(f);
+       struct flow_dissector *dissector = rule->match.dissector;
+       enum fs_flow_table_type fs_type;
++      bool match_inner_ecn = true;
+       u16 addr_type = 0;
+       u8 ip_proto = 0;
+       u8 *match_level;
+@@ -2197,6 +2303,10 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+                       headers_c = get_match_inner_headers_criteria(spec);
+                       headers_v = get_match_inner_headers_value(spec);
+               }
++
++              err = mlx5e_tc_verify_tunnel_ecn(priv, f, &match_inner_ecn);
++              if (err)
++                      return err;
+       }
+       err = mlx5e_flower_parse_meta(filter_dev, f);
+@@ -2420,10 +2530,12 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+               struct flow_match_ip match;
+               flow_rule_match_ip(rule, &match);
+-              MLX5_SET(fte_match_set_lyr_2_4, headers_c, ip_ecn,
+-                       match.mask->tos & 0x3);
+-              MLX5_SET(fte_match_set_lyr_2_4, headers_v, ip_ecn,
+-                       match.key->tos & 0x3);
++              if (match_inner_ecn) {
++                      MLX5_SET(fte_match_set_lyr_2_4, headers_c, ip_ecn,
++                               match.mask->tos & 0x3);
++                      MLX5_SET(fte_match_set_lyr_2_4, headers_v, ip_ecn,
++                               match.key->tos & 0x3);
++              }
+               MLX5_SET(fte_match_set_lyr_2_4, headers_c, ip_dscp,
+                        match.mask->tos >> 2);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-fix-nullptr-on-deleting-mirroring-rule.patch b/queue-5.16/net-mlx5e-fix-nullptr-on-deleting-mirroring-rule.patch
new file mode 100644 (file)
index 0000000..d5fecaf
--- /dev/null
@@ -0,0 +1,115 @@
+From 581c7a717df450c5fd3dd0809cd9bdcea2402a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 09:37:26 +0200
+Subject: net/mlx5e: Fix nullptr on deleting mirroring rule
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+[ Upstream commit de31854ece175e12ff3c35d07f340988823aed34 ]
+
+Deleting a Tc rule with multiple outputs, one of which is internal port,
+like this one:
+
+  tc filter del dev enp8s0f0_0 ingress protocol ip pref 5 flower \
+      dst_mac 0c:42:a1:d1:d0:88 \
+      src_mac e4:ea:09:08:00:02 \
+      action tunnel_key  set \
+          src_ip 0.0.0.0 \
+          dst_ip 7.7.7.8 \
+          id 8 \
+          dst_port 4789 \
+      action mirred egress mirror dev vxlan_sys_4789 pipe \
+      action mirred egress redirect dev enp8s0f0_1
+
+Triggers a call trace:
+
+  BUG: kernel NULL pointer dereference, address: 0000000000000230
+  RIP: 0010:del_sw_hw_rule+0x2b/0x1f0 [mlx5_core]
+  Call Trace:
+   tree_remove_node+0x16/0x30 [mlx5_core]
+   mlx5_del_flow_rules+0x51/0x160 [mlx5_core]
+   __mlx5_eswitch_del_rule+0x4b/0x170 [mlx5_core]
+   mlx5e_tc_del_fdb_flow+0x295/0x550 [mlx5_core]
+   mlx5e_flow_put+0x1f/0x70 [mlx5_core]
+   mlx5e_delete_flower+0x286/0x390 [mlx5_core]
+   tc_setup_cb_destroy+0xac/0x170
+   fl_hw_destroy_filter+0x94/0xc0 [cls_flower]
+   __fl_delete+0x15e/0x170 [cls_flower]
+   fl_delete+0x36/0x80 [cls_flower]
+   tc_del_tfilter+0x3a6/0x6e0
+   rtnetlink_rcv_msg+0xe5/0x360
+   ? rtnl_calcit.isra.0+0x110/0x110
+   netlink_rcv_skb+0x46/0x110
+   netlink_unicast+0x16b/0x200
+   netlink_sendmsg+0x202/0x3d0
+   sock_sendmsg+0x33/0x40
+   ____sys_sendmsg+0x1c3/0x200
+   ? copy_msghdr_from_user+0xd6/0x150
+   ___sys_sendmsg+0x88/0xd0
+   ? ___sys_recvmsg+0x88/0xc0
+   ? do_futex+0x10c/0x460
+   __sys_sendmsg+0x59/0xa0
+   do_syscall_64+0x48/0x140
+   entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix by disabling offloading for flows matching
+esw_is_chain_src_port_rewrite() which have more than one output.
+
+Fixes: 10742efc20a4 ("net/mlx5e: VF tunnel TX traffic offloading")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/eswitch_offloads.c     | 28 ++++++++++---------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 32bc08a399256..ccb66428aeb5b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -295,26 +295,28 @@ esw_setup_chain_src_port_rewrite(struct mlx5_flow_destination *dest,
+                                int *i)
+ {
+       struct mlx5_esw_flow_attr *esw_attr = attr->esw_attr;
+-      int j, err;
++      int err;
+       if (!(attr->flags & MLX5_ESW_ATTR_FLAG_SRC_REWRITE))
+               return -EOPNOTSUPP;
+-      for (j = esw_attr->split_count; j < esw_attr->out_count; j++, (*i)++) {
+-              err = esw_setup_chain_dest(dest, flow_act, chains, attr->dest_chain, 1, 0, *i);
+-              if (err)
+-                      goto err_setup_chain;
++      /* flow steering cannot handle more than one dest with the same ft
++       * in a single flow
++       */
++      if (esw_attr->out_count - esw_attr->split_count > 1)
++              return -EOPNOTSUPP;
+-              if (esw_attr->dests[j].pkt_reformat) {
+-                      flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
+-                      flow_act->pkt_reformat = esw_attr->dests[j].pkt_reformat;
+-              }
++      err = esw_setup_chain_dest(dest, flow_act, chains, attr->dest_chain, 1, 0, *i);
++      if (err)
++              return err;
++
++      if (esw_attr->dests[esw_attr->split_count].pkt_reformat) {
++              flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
++              flow_act->pkt_reformat = esw_attr->dests[esw_attr->split_count].pkt_reformat;
+       }
+-      return 0;
++      (*i)++;
+-err_setup_chain:
+-      esw_put_dest_tables_loop(esw, attr, esw_attr->split_count, j);
+-      return err;
++      return 0;
+ }
+ static void esw_cleanup_chain_src_port_rewrite(struct mlx5_eswitch *esw,
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-fix-page-dma-map-unmap-attributes.patch b/queue-5.16/net-mlx5e-fix-page-dma-map-unmap-attributes.patch
new file mode 100644 (file)
index 0000000..079e121
--- /dev/null
@@ -0,0 +1,76 @@
+From 97906efabfa84c9a74eb585cec06b0790be0f6d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 14:38:28 +0200
+Subject: net/mlx5e: Fix page DMA map/unmap attributes
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit 0b7cfa4082fbf550595bc0e40f05614bd83bf0cd ]
+
+Driver initiates DMA sync, hence it may skip CPU sync. Add
+DMA_ATTR_SKIP_CPU_SYNC as input attribute both to dma_map_page and
+dma_unmap_page to avoid redundant sync with the CPU.
+When forcing the device to work with SWIOTLB, the extra sync might cause
+data corruption. The driver unmaps the whole page while the hardware
+used just a part of the bounce buffer. So syncing overrides the entire
+page with bounce buffer that only partially contains real data.
+
+Fixes: bc77b240b3c5 ("net/mlx5e: Add fragmented memory support for RX multi packet WQE")
+Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c       | 7 ++++---
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c
+index 7b562d2c8a196..279cd8f4e79f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c
+@@ -11,13 +11,13 @@ static int mlx5e_xsk_map_pool(struct mlx5e_priv *priv,
+ {
+       struct device *dev = mlx5_core_dma_dev(priv->mdev);
+-      return xsk_pool_dma_map(pool, dev, 0);
++      return xsk_pool_dma_map(pool, dev, DMA_ATTR_SKIP_CPU_SYNC);
+ }
+ static void mlx5e_xsk_unmap_pool(struct mlx5e_priv *priv,
+                                struct xsk_buff_pool *pool)
+ {
+-      return xsk_pool_dma_unmap(pool, 0);
++      return xsk_pool_dma_unmap(pool, DMA_ATTR_SKIP_CPU_SYNC);
+ }
+ static int mlx5e_xsk_get_pools(struct mlx5e_xsk *xsk)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 793511d5ee4cd..dfc6604b9538b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -278,8 +278,8 @@ static inline int mlx5e_page_alloc_pool(struct mlx5e_rq *rq,
+       if (unlikely(!dma_info->page))
+               return -ENOMEM;
+-      dma_info->addr = dma_map_page(rq->pdev, dma_info->page, 0,
+-                                    PAGE_SIZE, rq->buff.map_dir);
++      dma_info->addr = dma_map_page_attrs(rq->pdev, dma_info->page, 0, PAGE_SIZE,
++                                          rq->buff.map_dir, DMA_ATTR_SKIP_CPU_SYNC);
+       if (unlikely(dma_mapping_error(rq->pdev, dma_info->addr))) {
+               page_pool_recycle_direct(rq->page_pool, dma_info->page);
+               dma_info->page = NULL;
+@@ -300,7 +300,8 @@ static inline int mlx5e_page_alloc(struct mlx5e_rq *rq,
+ void mlx5e_page_dma_unmap(struct mlx5e_rq *rq, struct mlx5e_dma_info *dma_info)
+ {
+-      dma_unmap_page(rq->pdev, dma_info->addr, PAGE_SIZE, rq->buff.map_dir);
++      dma_unmap_page_attrs(rq->pdev, dma_info->addr, PAGE_SIZE, rq->buff.map_dir,
++                           DMA_ATTR_SKIP_CPU_SYNC);
+ }
+ void mlx5e_page_release_dynamic(struct mlx5e_rq *rq,
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-fix-wrong-usage-of-fib_info_nh-when-routes.patch b/queue-5.16/net-mlx5e-fix-wrong-usage-of-fib_info_nh-when-routes.patch
new file mode 100644 (file)
index 0000000..378cae5
--- /dev/null
@@ -0,0 +1,84 @@
+From 241d86ae6891626eaf427d15aa1ceb44a5ecf906 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Dec 2021 16:10:41 +0200
+Subject: net/mlx5e: Fix wrong usage of fib_info_nh when routes with nexthop
+ objects are used
+
+From: Maor Dickman <maord@nvidia.com>
+
+[ Upstream commit 885751eb1b01d276e38f57d78c583e4ce006c5ed ]
+
+Creating routes with nexthop objects while in switchdev mode leads to access to
+un-allocated memory and trigger bellow call trace due to hitting WARN_ON.
+This is caused due to illegal usage of fib_info_nh in TC tunnel FIB event handling to
+resolve the FIB device while fib_info built in with nexthop.
+
+Fixed by ignoring attempts to use nexthop objects with routes until support can be
+properly added.
+
+WARNING: CPU: 1 PID: 1724 at include/net/nexthop.h:468 mlx5e_tc_tun_fib_event+0x448/0x570 [mlx5_core]
+CPU: 1 PID: 1724 Comm: ip Not tainted 5.15.0_for_upstream_min_debug_2021_11_09_02_04 #1
+RIP: 0010:mlx5e_tc_tun_fib_event+0x448/0x570 [mlx5_core]
+RSP: 0018:ffff8881349f7910 EFLAGS: 00010202
+RAX: ffff8881492f1980 RBX: ffff8881349f79e8 RCX: 0000000000000000
+RDX: ffff8881349f79e8 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffff8881349f7950 R08: 00000000000000fe R09: 0000000000000001
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811e9d0000
+R13: ffff88810eb62000 R14: ffff888106710268 R15: 0000000000000018
+FS:  00007f1d5ca6e800(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffedba44ff8 CR3: 0000000129808004 CR4: 0000000000370ea0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ atomic_notifier_call_chain+0x42/0x60
+ call_fib_notifiers+0x21/0x40
+ fib_table_insert+0x479/0x6d0
+ ? try_charge_memcg+0x480/0x6d0
+ inet_rtm_newroute+0x65/0xb0
+ rtnetlink_rcv_msg+0x2af/0x360
+ ? page_add_file_rmap+0x13/0x130
+ ? do_set_pte+0xcd/0x120
+ ? rtnl_calcit.isra.0+0x120/0x120
+ netlink_rcv_skb+0x4e/0xf0
+ netlink_unicast+0x1ee/0x2b0
+ netlink_sendmsg+0x22e/0x460
+ sock_sendmsg+0x33/0x40
+ ____sys_sendmsg+0x1d1/0x1f0
+ ___sys_sendmsg+0xab/0xf0
+ ? __mod_memcg_lruvec_state+0x40/0x60
+ ? __mod_lruvec_page_state+0x95/0xd0
+ ? page_add_new_anon_rmap+0x4e/0xf0
+ ? __handle_mm_fault+0xec6/0x1470
+ __sys_sendmsg+0x51/0x90
+ ? internal_get_user_pages_fast+0x480/0xa10
+ do_syscall_64+0x3d/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 8914add2c9e5 ("net/mlx5e: Handle FIB events to update tunnel endpoint device")
+Signed-off-by: Maor Dickman <maord@nvidia.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 042b1abe1437f..62cbd15ffc341 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -1579,6 +1579,8 @@ mlx5e_init_fib_work_ipv4(struct mlx5e_priv *priv,
+       struct net_device *fib_dev;
+       fen_info = container_of(info, struct fib_entry_notifier_info, info);
++      if (fen_info->fi->nh)
++              return NULL;
+       fib_dev = fib_info_nh(fen_info->fi, 0)->fib_nh_dev;
+       if (!fib_dev || fib_dev->netdev_ops != &mlx5e_netdev_ops ||
+           fen_info->dst_len != 32)
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-sync-vxlan-udp-ports-during-uplink-represe.patch b/queue-5.16/net-mlx5e-sync-vxlan-udp-ports-during-uplink-represe.patch
new file mode 100644 (file)
index 0000000..8d86230
--- /dev/null
@@ -0,0 +1,59 @@
+From be00c9fa24190b194c47958350f2eb7be72f5f4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jan 2022 15:04:18 +0200
+Subject: net/mlx5e: Sync VXLAN udp ports during uplink representor profile
+ change
+
+From: Maor Dickman <maord@nvidia.com>
+
+[ Upstream commit 07f6dc4024ea1d2314b9c8b81fd4e492864fcca1 ]
+
+Currently during NIC profile disablement all VXLAN udp ports offloaded to the
+HW are flushed and during its enablement the driver send notification to
+the stack to inform the core that the entire UDP tunnel port state has been
+lost, uplink representor doesn't have the same behavior which can cause
+VXLAN udp ports offload to be in bad state while moving between modes while
+VXLAN interface exist.
+
+Fixed by aligning the uplink representor profile behavior to the NIC behavior.
+
+Fixes: 84db66124714 ("net/mlx5e: Move set vxlan nic info to profile init")
+Signed-off-by: Maor Dickman <maord@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 48895d79796a8..c0df4b1115b72 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -50,6 +50,7 @@
+ #include "fs_core.h"
+ #include "lib/mlx5.h"
+ #include "lib/devcom.h"
++#include "lib/vxlan.h"
+ #define CREATE_TRACE_POINTS
+ #include "diag/en_rep_tracepoint.h"
+ #include "en_accel/ipsec.h"
+@@ -1027,6 +1028,7 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv)
+       rtnl_lock();
+       if (netif_running(netdev))
+               mlx5e_open(netdev);
++      udp_tunnel_nic_reset_ntf(priv->netdev);
+       netif_device_attach(netdev);
+       rtnl_unlock();
+ }
+@@ -1048,6 +1050,7 @@ static void mlx5e_uplink_rep_disable(struct mlx5e_priv *priv)
+       mlx5_notifier_unregister(mdev, &priv->events_nb);
+       mlx5e_rep_tc_disable(priv);
+       mlx5_lag_remove_netdev(mdev, priv->netdev);
++      mlx5_vxlan_reset_to_default(mdev->vxlan);
+ }
+ static MLX5E_DEFINE_STATS_GRP(sw_rep, 0);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mlx5e-unblock-setting-vid-0-for-vf-in-case-pf-is.patch b/queue-5.16/net-mlx5e-unblock-setting-vid-0-for-vf-in-case-pf-is.patch
new file mode 100644 (file)
index 0000000..91ca44d
--- /dev/null
@@ -0,0 +1,46 @@
+From 8a84cb3c60c91b93a5aab28769a7d2d7e4b5b1de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 14:03:01 +0200
+Subject: net/mlx5e: Unblock setting vid 0 for VF in case PF isn't eswitch
+ manager
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maor Dickman <maord@nvidia.com>
+
+[ Upstream commit 7846665d3504812acaebf920d1141851379a7f37 ]
+
+When using libvirt to passthrough VF to VM it will always set the VF vlan
+to 0 even if user didn’t request it, this will cause libvirt to fail to
+boot in case the PF isn't eswitch owner.
+
+Example of such case is the DPU host PF which isn't eswitch manager, so
+any attempt to passthrough VF of it using libvirt will fail.
+
+Fix it by not returning error in case set VF vlan is called with vid 0.
+
+Signed-off-by: Maor Dickman <maord@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c
+index df277a6cddc0b..0c4c743ca31e1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c
+@@ -431,7 +431,7 @@ int mlx5_eswitch_set_vport_vlan(struct mlx5_eswitch *esw,
+       int err = 0;
+       if (!mlx5_esw_allowed(esw))
+-              return -EPERM;
++              return vlan ? -EPERM : 0;
+       if (vlan || qos)
+               set_flags = SET_VLAN_STRIP | SET_VLAN_INSERT;
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-mscc-ocelot-fix-incorrect-balancing-with-down-la.patch b/queue-5.16/net-mscc-ocelot-fix-incorrect-balancing-with-down-la.patch
new file mode 100644 (file)
index 0000000..647cea0
--- /dev/null
@@ -0,0 +1,202 @@
+From 5d3f9b0f8839da32c987a2ce723504e1565d081b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 18:43:32 +0200
+Subject: net: mscc: ocelot: fix incorrect balancing with down LAG ports
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit a14e6b69f393d651913edcbe4ec0dec27b8b4b40 ]
+
+Assuming the test setup described here:
+https://patchwork.kernel.org/project/netdevbpf/cover/20210205130240.4072854-1-vladimir.oltean@nxp.com/
+(swp1 and swp2 are in bond0, and bond0 is in a bridge with swp0)
+
+it can be seen that when swp1 goes down (on either board A or B), then
+traffic that should go through that port isn't forwarded anywhere.
+
+A dump of the PGID table shows the following:
+
+PGID_DST[0] = ports 0
+PGID_DST[1] = ports 1
+PGID_DST[2] = ports 2
+PGID_DST[3] = ports 3
+PGID_DST[4] = ports 4
+PGID_DST[5] = ports 5
+PGID_DST[6] = no ports
+PGID_AGGR[0] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[1] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[2] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[3] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[4] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[5] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[6] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[7] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[8] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[9] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[10] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[11] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[12] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[13] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[14] = ports 0, 1, 2, 3, 4, 5
+PGID_AGGR[15] = ports 0, 1, 2, 3, 4, 5
+PGID_SRC[0] = ports 1, 2
+PGID_SRC[1] = ports 0
+PGID_SRC[2] = ports 0
+PGID_SRC[3] = no ports
+PGID_SRC[4] = no ports
+PGID_SRC[5] = no ports
+PGID_SRC[6] = ports 0, 1, 2, 3, 4, 5
+
+Whereas a "good" PGID configuration for that setup should have looked
+like this:
+
+PGID_DST[0] = ports 0
+PGID_DST[1] = ports 1, 2
+PGID_DST[2] = ports 1, 2
+PGID_DST[3] = ports 3
+PGID_DST[4] = ports 4
+PGID_DST[5] = ports 5
+PGID_DST[6] = no ports
+PGID_AGGR[0] = ports 0, 2, 3, 4, 5
+PGID_AGGR[1] = ports 0, 2, 3, 4, 5
+PGID_AGGR[2] = ports 0, 2, 3, 4, 5
+PGID_AGGR[3] = ports 0, 2, 3, 4, 5
+PGID_AGGR[4] = ports 0, 2, 3, 4, 5
+PGID_AGGR[5] = ports 0, 2, 3, 4, 5
+PGID_AGGR[6] = ports 0, 2, 3, 4, 5
+PGID_AGGR[7] = ports 0, 2, 3, 4, 5
+PGID_AGGR[8] = ports 0, 2, 3, 4, 5
+PGID_AGGR[9] = ports 0, 2, 3, 4, 5
+PGID_AGGR[10] = ports 0, 2, 3, 4, 5
+PGID_AGGR[11] = ports 0, 2, 3, 4, 5
+PGID_AGGR[12] = ports 0, 2, 3, 4, 5
+PGID_AGGR[13] = ports 0, 2, 3, 4, 5
+PGID_AGGR[14] = ports 0, 2, 3, 4, 5
+PGID_AGGR[15] = ports 0, 2, 3, 4, 5
+PGID_SRC[0] = ports 1, 2
+PGID_SRC[1] = ports 0
+PGID_SRC[2] = ports 0
+PGID_SRC[3] = no ports
+PGID_SRC[4] = no ports
+PGID_SRC[5] = no ports
+PGID_SRC[6] = ports 0, 1, 2, 3, 4, 5
+
+In other words, in the "bad" configuration, the attempt is to remove the
+inactive swp1 from the destination ports via PGID_DST. But when a MAC
+table entry is learned, it is learned towards PGID_DST 1, because that
+is the logical port id of the LAG itself (it is equal to the lowest
+numbered member port). So when swp1 becomes inactive, if we set
+PGID_DST[1] to contain just swp1 and not swp2, the packet will not have
+any chance to reach the destination via swp2.
+
+The "correct" way to remove swp1 as a destination is via PGID_AGGR
+(remove swp1 from the aggregation port groups for all aggregation
+codes). This means that PGID_DST[1] and PGID_DST[2] must still contain
+both swp1 and swp2. This makes the MAC table still treat packets
+destined towards the single-port LAG as "multicast", and the inactive
+ports are removed via the aggregation code tables.
+
+The change presented here is a design one: the ocelot_get_bond_mask()
+function used to take an "only_active_ports" argument. We don't need
+that. The only call site that specifies only_active_ports=true,
+ocelot_set_aggr_pgids(), must retrieve the entire bonding mask, because
+it must program that into PGID_DST. Additionally, it must also clear the
+inactive ports from the bond mask here, which it can't do if bond_mask
+just contains the active ports:
+
+       ac = ocelot_read_rix(ocelot, ANA_PGID_PGID, i);
+       ac &= ~bond_mask;  <---- here
+       /* Don't do division by zero if there was no active
+        * port. Just make all aggregation codes zero.
+        */
+       if (num_active_ports)
+               ac |= BIT(aggr_idx[i % num_active_ports]);
+       ocelot_write_rix(ocelot, ac, ANA_PGID_PGID, i);
+
+So it becomes the responsibility of ocelot_set_aggr_pgids() to take
+ocelot_port->lag_tx_active into consideration when populating the
+aggr_idx array.
+
+Fixes: 23ca3b727ee6 ("net: mscc: ocelot: rebalance LAGs on link up/down events")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20220107164332.402133-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 26 +++++++++++---------------
+ 1 file changed, 11 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index 1e4ad953cffbc..d1e883666951c 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1688,8 +1688,7 @@ int ocelot_get_ts_info(struct ocelot *ocelot, int port,
+ }
+ EXPORT_SYMBOL(ocelot_get_ts_info);
+-static u32 ocelot_get_bond_mask(struct ocelot *ocelot, struct net_device *bond,
+-                              bool only_active_ports)
++static u32 ocelot_get_bond_mask(struct ocelot *ocelot, struct net_device *bond)
+ {
+       u32 mask = 0;
+       int port;
+@@ -1700,12 +1699,8 @@ static u32 ocelot_get_bond_mask(struct ocelot *ocelot, struct net_device *bond,
+               if (!ocelot_port)
+                       continue;
+-              if (ocelot_port->bond == bond) {
+-                      if (only_active_ports && !ocelot_port->lag_tx_active)
+-                              continue;
+-
++              if (ocelot_port->bond == bond)
+                       mask |= BIT(port);
+-              }
+       }
+       return mask;
+@@ -1792,10 +1787,8 @@ void ocelot_apply_bridge_fwd_mask(struct ocelot *ocelot)
+                       mask = ocelot_get_bridge_fwd_mask(ocelot, port, bridge);
+                       mask |= cpu_fwd_mask;
+                       mask &= ~BIT(port);
+-                      if (bond) {
+-                              mask &= ~ocelot_get_bond_mask(ocelot, bond,
+-                                                            false);
+-                      }
++                      if (bond)
++                              mask &= ~ocelot_get_bond_mask(ocelot, bond);
+               } else {
+                       /* Standalone ports forward only to DSA tag_8021q CPU
+                        * ports (if those exist), or to the hardware CPU port
+@@ -2112,13 +2105,17 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot)
+               if (!bond || (visited & BIT(lag)))
+                       continue;
+-              bond_mask = ocelot_get_bond_mask(ocelot, bond, true);
++              bond_mask = ocelot_get_bond_mask(ocelot, bond);
+               for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) {
++                      struct ocelot_port *ocelot_port = ocelot->ports[port];
++
+                       // Destination mask
+                       ocelot_write_rix(ocelot, bond_mask,
+                                        ANA_PGID_PGID, port);
+-                      aggr_idx[num_active_ports++] = port;
++
++                      if (ocelot_port->lag_tx_active)
++                              aggr_idx[num_active_ports++] = port;
+               }
+               for_each_aggr_pgid(ocelot, i) {
+@@ -2167,8 +2164,7 @@ static void ocelot_setup_logical_port_ids(struct ocelot *ocelot)
+               bond = ocelot_port->bond;
+               if (bond) {
+-                      int lag = __ffs(ocelot_get_bond_mask(ocelot, bond,
+-                                                           false));
++                      int lag = __ffs(ocelot_get_bond_mask(ocelot, bond));
+                       ocelot_rmw_gix(ocelot,
+                                      ANA_PORT_PORT_CFG_PORTID_VAL(lag),
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-openvswitch-fix-ct_state-nat-flags-for-conns-arr.patch b/queue-5.16/net-openvswitch-fix-ct_state-nat-flags-for-conns-arr.patch
new file mode 100644 (file)
index 0000000..cfc38cb
--- /dev/null
@@ -0,0 +1,142 @@
+From 2609bc2af8c77dda64cd33d90d092c298133a68c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 17:38:04 +0200
+Subject: net: openvswitch: Fix ct_state nat flags for conns arriving from tc
+
+From: Paul Blakey <paulb@nvidia.com>
+
+[ Upstream commit 6f022c2ddbcefaee79502ce5386dfe351d457070 ]
+
+Netfilter conntrack maintains NAT flags per connection indicating
+whether NAT was configured for the connection. Openvswitch maintains
+NAT flags on the per packet flow key ct_state field, indicating
+whether NAT was actually executed on the packet.
+
+When a packet misses from tc to ovs the conntrack NAT flags are set.
+However, NAT was not necessarily executed on the packet because the
+connection's state might still be in NEW state. As such, openvswitch
+wrongly assumes that NAT was executed and sets an incorrect flow key
+NAT flags.
+
+Fix this, by flagging to openvswitch which NAT was actually done in
+act_ct via tc_skb_ext and tc_skb_cb to the openvswitch module, so
+the packet flow key NAT flags will be correctly set.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Paul Blakey <paulb@nvidia.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20220106153804.26451-1-paulb@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h  |  4 +++-
+ include/net/pkt_sched.h |  4 +++-
+ net/openvswitch/flow.c  | 16 +++++++++++++---
+ net/sched/act_ct.c      |  6 ++++++
+ net/sched/cls_api.c     |  2 ++
+ 5 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 4507d77d6941f..60ab0c2fe5674 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -287,7 +287,9 @@ struct tc_skb_ext {
+       __u32 chain;
+       __u16 mru;
+       __u16 zone;
+-      bool post_ct;
++      u8 post_ct:1;
++      u8 post_ct_snat:1;
++      u8 post_ct_dnat:1;
+ };
+ #endif
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index 9e71691c491b7..9e7b21c0b3a6d 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -197,7 +197,9 @@ struct tc_skb_cb {
+       struct qdisc_skb_cb qdisc_cb;
+       u16 mru;
+-      bool post_ct;
++      u8 post_ct:1;
++      u8 post_ct_snat:1;
++      u8 post_ct_dnat:1;
+       u16 zone; /* Only valid if post_ct = true */
+ };
+diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
+index 6d262d9aa10ea..02096f2ec6784 100644
+--- a/net/openvswitch/flow.c
++++ b/net/openvswitch/flow.c
+@@ -859,7 +859,7 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info,
+ #if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
+       struct tc_skb_ext *tc_ext;
+ #endif
+-      bool post_ct = false;
++      bool post_ct = false, post_ct_snat = false, post_ct_dnat = false;
+       int res, err;
+       u16 zone = 0;
+@@ -900,6 +900,8 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info,
+               key->recirc_id = tc_ext ? tc_ext->chain : 0;
+               OVS_CB(skb)->mru = tc_ext ? tc_ext->mru : 0;
+               post_ct = tc_ext ? tc_ext->post_ct : false;
++              post_ct_snat = post_ct ? tc_ext->post_ct_snat : false;
++              post_ct_dnat = post_ct ? tc_ext->post_ct_dnat : false;
+               zone = post_ct ? tc_ext->zone : 0;
+       } else {
+               key->recirc_id = 0;
+@@ -911,8 +913,16 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info,
+       err = key_extract(skb, key);
+       if (!err) {
+               ovs_ct_fill_key(skb, key, post_ct);   /* Must be after key_extract(). */
+-              if (post_ct && !skb_get_nfct(skb))
+-                      key->ct_zone = zone;
++              if (post_ct) {
++                      if (!skb_get_nfct(skb)) {
++                              key->ct_zone = zone;
++                      } else {
++                              if (!post_ct_dnat)
++                                      key->ct_state &= ~OVS_CS_F_DST_NAT;
++                              if (!post_ct_snat)
++                                      key->ct_state &= ~OVS_CS_F_SRC_NAT;
++                      }
++              }
+       }
+       return err;
+ }
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index ab3591408419f..2a17eb77c9049 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -839,6 +839,12 @@ static int ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
+       }
+       err = nf_nat_packet(ct, ctinfo, hooknum, skb);
++      if (err == NF_ACCEPT) {
++              if (maniptype == NF_NAT_MANIP_SRC)
++                      tc_skb_cb(skb)->post_ct_snat = 1;
++              if (maniptype == NF_NAT_MANIP_DST)
++                      tc_skb_cb(skb)->post_ct_dnat = 1;
++      }
+ out:
+       return err;
+ }
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 35c74bdde848e..cc9409aa755eb 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -1625,6 +1625,8 @@ int tcf_classify(struct sk_buff *skb,
+               ext->chain = last_executed_chain;
+               ext->mru = cb->mru;
+               ext->post_ct = cb->post_ct;
++              ext->post_ct_snat = cb->post_ct_snat;
++              ext->post_ct_dnat = cb->post_ct_dnat;
+               ext->zone = cb->zone;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch b/queue-5.16/net-phy-marvell-configure-rgmii-delays-for-88e1118.patch
new file mode 100644 (file)
index 0000000..5ce88df
--- /dev/null
@@ -0,0 +1,55 @@
+From f43ca3abf76f8ec7f06c616f8983697fcc2d5a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 16:38:19 +0000
+Subject: net: phy: marvell: configure RGMII delays for 88E1118
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit f22725c95ececb703c3f741e8f946d23705630b7 ]
+
+Corentin Labbe reports that the SSI 1328 does not work when allowing
+the PHY to operate at gigabit speeds, but does work with the generic
+PHY driver.
+
+This appears to be because m88e1118_config_init() writes a fixed value
+to the MSCR register, claiming that this is to enable 1G speeds.
+However, this always sets bits 4 and 5, enabling RGMII transmit and
+receive delays. The suspicion is that the original board this was
+added for required the delays to make 1G speeds work.
+
+Add the necessary configuration for RGMII delays for the 88E1118 to
+bring this into line with the requirements for RGMII support, and thus
+make the SSI 1328 work.
+
+Corentin Labbe has tested this on gemini-ssi1328 and gemini-ns2502.
+
+Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/marvell.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
+index 4fcfca4e17021..b02491f7dd957 100644
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1242,6 +1242,12 @@ static int m88e1118_config_init(struct phy_device *phydev)
+       if (err < 0)
+               return err;
++      if (phy_interface_is_rgmii(phydev)) {
++              err = m88e1121_config_aneg_rgmii_delays(phydev);
++              if (err < 0)
++                      return err;
++      }
++
+       /* Adjust LED Control */
+       if (phydev->dev_flags & MARVELL_PHY_M1118_DNS323_LEDS)
+               err = phy_write(phydev, 0x10, 0x1100);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-phy-prefer-1000baset-over-1000basekx.patch b/queue-5.16/net-phy-prefer-1000baset-over-1000basekx.patch
new file mode 100644 (file)
index 0000000..a6fb30a
--- /dev/null
@@ -0,0 +1,58 @@
+From 712ed78206cf72397243ee13c7fe5b36e986e7e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 11:36:30 +0000
+Subject: net: phy: prefer 1000baseT over 1000baseKX
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit f20f94f7f52c4685c81754f489ffcc72186e8bdb ]
+
+The PHY settings table is supposed to be sorted by descending match
+priority - in other words, earlier entries are preferred over later
+entries.
+
+The order of 1000baseKX/Full and 1000baseT/Full is such that we
+prefer 1000baseKX/Full over 1000baseT/Full, but 1000baseKX/Full is
+a lot rarer than 1000baseT/Full, and thus is much less likely to
+be preferred.
+
+This causes phylink problems - it means a fixed link specifying a
+speed of 1G and full duplex gets an ethtool linkmode of 1000baseKX/Full
+rather than 1000baseT/Full as would be expected - and since we offer
+userspace a software emulation of a conventional copper PHY, we want
+to offer copper modes in preference to anything else. However, we do
+still want to allow the rarer modes as well.
+
+Hence, let's reorder these two modes to prefer copper.
+
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reported-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/E1muvFO-00F6jY-1K@rmk-PC.armlinux.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phy-core.c b/drivers/net/phy/phy-core.c
+index 2870c33b8975d..271fc01f7f7fd 100644
+--- a/drivers/net/phy/phy-core.c
++++ b/drivers/net/phy/phy-core.c
+@@ -162,11 +162,11 @@ static const struct phy_setting settings[] = {
+       PHY_SETTING(   2500, FULL,   2500baseT_Full             ),
+       PHY_SETTING(   2500, FULL,   2500baseX_Full             ),
+       /* 1G */
+-      PHY_SETTING(   1000, FULL,   1000baseKX_Full            ),
+       PHY_SETTING(   1000, FULL,   1000baseT_Full             ),
+       PHY_SETTING(   1000, HALF,   1000baseT_Half             ),
+       PHY_SETTING(   1000, FULL,   1000baseT1_Full            ),
+       PHY_SETTING(   1000, FULL,   1000baseX_Full             ),
++      PHY_SETTING(   1000, FULL,   1000baseKX_Full            ),
+       /* 100M */
+       PHY_SETTING(    100, FULL,    100baseT_Full             ),
+       PHY_SETTING(    100, FULL,    100baseT1_Full            ),
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-smc-reset-conn-lgr-when-link-group-registration-.patch b/queue-5.16/net-smc-reset-conn-lgr-when-link-group-registration-.patch
new file mode 100644 (file)
index 0000000..a7839d4
--- /dev/null
@@ -0,0 +1,122 @@
+From d827ed68873c533b8d60c474c9bd7b111f4ea49b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 20:42:08 +0800
+Subject: net/smc: Reset conn->lgr when link group registration fails
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit 36595d8ad46d9e4c41cc7c48c4405b7c3322deac ]
+
+SMC connections might fail to be registered in a link group due to
+unable to find a usable link during its creation. As a result,
+smc_conn_create() will return a failure and most resources related
+to the connection won't be applied or initialized, such as
+conn->abort_work or conn->lnk.
+
+If smc_conn_free() is invoked later, it will try to access the
+uninitialized resources related to the connection, thus causing
+a warning or crash.
+
+This patch tries to fix this by resetting conn->lgr to NULL if an
+abnormal exit occurs in smc_lgr_register_conn(), thus avoiding the
+access to uninitialized resources in smc_conn_free().
+
+Meanwhile, the new created link group should be terminated if smc
+connections can't be registered in it. So smc_lgr_cleanup_early() is
+modified to take care of link group only and invoked to terminate
+unusable link group by smc_conn_create(). The call to smc_conn_free()
+is moved out from smc_lgr_cleanup_early() to smc_conn_abort().
+
+Fixes: 56bc3b2094b4 ("net/smc: assign link to a new connection")
+Suggested-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Acked-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c   |  8 +++++---
+ net/smc/smc_core.c | 12 +++++++-----
+ net/smc/smc_core.h |  2 +-
+ 3 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 1c9289f56dc47..211cd91b6c408 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -632,10 +632,12 @@ static int smc_connect_decline_fallback(struct smc_sock *smc, int reason_code,
+ static void smc_conn_abort(struct smc_sock *smc, int local_first)
+ {
++      struct smc_connection *conn = &smc->conn;
++      struct smc_link_group *lgr = conn->lgr;
++
++      smc_conn_free(conn);
+       if (local_first)
+-              smc_lgr_cleanup_early(&smc->conn);
+-      else
+-              smc_conn_free(&smc->conn);
++              smc_lgr_cleanup_early(lgr);
+ }
+ /* check if there is a rdma device available for this connection. */
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index a6849362f4ddd..c9a8092c4ac96 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -171,8 +171,10 @@ static int smc_lgr_register_conn(struct smc_connection *conn, bool first)
+       if (!conn->lgr->is_smcd) {
+               rc = smcr_lgr_conn_assign_link(conn, first);
+-              if (rc)
++              if (rc) {
++                      conn->lgr = NULL;
+                       return rc;
++              }
+       }
+       /* find a new alert_token_local value not yet used by some connection
+        * in this link group
+@@ -622,15 +624,13 @@ int smcd_nl_get_lgr(struct sk_buff *skb, struct netlink_callback *cb)
+       return skb->len;
+ }
+-void smc_lgr_cleanup_early(struct smc_connection *conn)
++void smc_lgr_cleanup_early(struct smc_link_group *lgr)
+ {
+-      struct smc_link_group *lgr = conn->lgr;
+       spinlock_t *lgr_lock;
+       if (!lgr)
+               return;
+-      smc_conn_free(conn);
+       smc_lgr_list_head(lgr, &lgr_lock);
+       spin_lock_bh(lgr_lock);
+       /* do not use this link group for new connections */
+@@ -1832,8 +1832,10 @@ create:
+               write_lock_bh(&lgr->conns_lock);
+               rc = smc_lgr_register_conn(conn, true);
+               write_unlock_bh(&lgr->conns_lock);
+-              if (rc)
++              if (rc) {
++                      smc_lgr_cleanup_early(lgr);
+                       goto out;
++              }
+       }
+       conn->local_tx_ctrl.common.type = SMC_CDC_MSG_TYPE;
+       conn->local_tx_ctrl.len = SMC_WR_TX_SIZE;
+diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
+index d63b08274197e..73d0c35d3eb77 100644
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -468,7 +468,7 @@ static inline void smc_set_pci_values(struct pci_dev *pci_dev,
+ struct smc_sock;
+ struct smc_clc_msg_accept_confirm;
+-void smc_lgr_cleanup_early(struct smc_connection *conn);
++void smc_lgr_cleanup_early(struct smc_link_group *lgr);
+ void smc_lgr_terminate_sched(struct smc_link_group *lgr);
+ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport);
+ void smcr_port_err(struct smc_ib_device *smcibdev, u8 ibport);
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-stmmac-add-platform-level-debug-register-dump-fe.patch b/queue-5.16/net-stmmac-add-platform-level-debug-register-dump-fe.patch
new file mode 100644 (file)
index 0000000..39972a2
--- /dev/null
@@ -0,0 +1,101 @@
+From d9e1865d057b0e2ec376ff0b4db774d23f4bbd11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 01:28:54 +0530
+Subject: net: stmmac: Add platform level debug register dump feature
+
+From: Bhupesh Sharma <bhupesh.sharma@linaro.org>
+
+[ Upstream commit 4047b9db1aa7512a10ba3560a3f63821c8c40235 ]
+
+dwmac-qcom-ethqos currently exposes a mechanism to dump rgmii registers
+after the 'stmmac_dvr_probe()' returns. However with commit
+5ec55823438e ("net: stmmac: add clocks management for gmac driver"),
+we now let 'pm_runtime_put()' disable the clocks before returning from
+'stmmac_dvr_probe()'.
+
+This causes a crash when 'rgmii_dump()' register dumps are enabled,
+as the clocks are already off.
+
+Since other dwmac drivers (possible future users as well) might
+require a similar register dump feature, introduce a platform level
+callback to allow the same.
+
+This fixes the crash noticed while enabling rgmii_dump() dumps in
+dwmac-qcom-ethqos driver as well. It also allows future changes
+to keep a invoking the register dump callback from the correct
+place inside 'stmmac_dvr_probe()'.
+
+Fixes: 5ec55823438e ("net: stmmac: add clocks management for gmac driver")
+Cc: Joakim Zhang <qiangqing.zhang@nxp.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 7 ++++---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c       | 3 +++
+ include/linux/stmmac.h                                  | 1 +
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c
+index 5c74b6279d690..6b1d9e8879f46 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c
+@@ -113,8 +113,10 @@ static void rgmii_updatel(struct qcom_ethqos *ethqos,
+       rgmii_writel(ethqos, temp, offset);
+ }
+-static void rgmii_dump(struct qcom_ethqos *ethqos)
++static void rgmii_dump(void *priv)
+ {
++      struct qcom_ethqos *ethqos = priv;
++
+       dev_dbg(&ethqos->pdev->dev, "Rgmii register dump\n");
+       dev_dbg(&ethqos->pdev->dev, "RGMII_IO_MACRO_CONFIG: %x\n",
+               rgmii_readl(ethqos, RGMII_IO_MACRO_CONFIG));
+@@ -499,6 +501,7 @@ static int qcom_ethqos_probe(struct platform_device *pdev)
+       plat_dat->bsp_priv = ethqos;
+       plat_dat->fix_mac_speed = ethqos_fix_mac_speed;
++      plat_dat->dump_debug_regs = rgmii_dump;
+       plat_dat->has_gmac4 = 1;
+       plat_dat->pmt = 1;
+       plat_dat->tso_en = of_property_read_bool(np, "snps,tso");
+@@ -507,8 +510,6 @@ static int qcom_ethqos_probe(struct platform_device *pdev)
+       if (ret)
+               goto err_clk;
+-      rgmii_dump(ethqos);
+-
+       return ret;
+ err_clk:
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 8ded4be08b001..e81a79845d425 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -7094,6 +7094,9 @@ int stmmac_dvr_probe(struct device *device,
+       stmmac_init_fs(ndev);
+ #endif
++      if (priv->plat->dump_debug_regs)
++              priv->plat->dump_debug_regs(priv->plat->bsp_priv);
++
+       /* Let pm_runtime_put() disable the clocks.
+        * If CONFIG_PM is not enabled, the clocks will stay powered.
+        */
+diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h
+index a6f03b36fc4f7..1450397fc0bcd 100644
+--- a/include/linux/stmmac.h
++++ b/include/linux/stmmac.h
+@@ -233,6 +233,7 @@ struct plat_stmmacenet_data {
+       int (*clks_config)(void *priv, bool enabled);
+       int (*crosststamp)(ktime_t *device, struct system_counterval_t *system,
+                          void *ctx);
++      void (*dump_debug_regs)(void *priv);
+       void *bsp_priv;
+       struct clk *stmmac_clk;
+       struct clk *pclk;
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch b/queue-5.16/net-sysfs-update-the-queue-counts-in-the-unregistrat.patch
new file mode 100644 (file)
index 0000000..43a67a2
--- /dev/null
@@ -0,0 +1,38 @@
+From 42b9f64751f937bec25b6eb25bab7c5f2fc560b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 15:57:24 +0100
+Subject: net-sysfs: update the queue counts in the unregistration path
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ]
+
+When updating Rx and Tx queue kobjects, the queue count should always be
+updated to match the queue kobjects count. This was not done in the net
+device unregistration path, fix it. Tracking all queue count updates
+will allow in a following up patch to detect illegal updates.
+
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/net-sysfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
+index 9c01c642cf9ef..d7f9ee830d34c 100644
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1820,6 +1820,9 @@ static void remove_queue_kobjects(struct net_device *dev)
+       net_rx_queue_update_kobjects(dev, real_rx, 0);
+       netdev_queue_update_kobjects(dev, real_tx, 0);
++
++      dev->real_num_rx_queues = 0;
++      dev->real_num_tx_queues = 0;
+ #ifdef CONFIG_SYSFS
+       kset_unregister(dev->queues_kset);
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/net-xfrm-ipsec-tunnel-mode-fix-inner_ipproto-setting.patch b/queue-5.16/net-xfrm-ipsec-tunnel-mode-fix-inner_ipproto-setting.patch
new file mode 100644 (file)
index 0000000..735d1ab
--- /dev/null
@@ -0,0 +1,85 @@
+From c0202f324c0c6020ae4ceee4cbc41e6cba3ac6d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jan 2022 13:19:29 +0200
+Subject: net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path
+
+From: Raed Salem <raeds@nvidia.com>
+
+[ Upstream commit 45a98ef4922def8c679ca7c454403d1957fe70e7 ]
+
+The inner_ipproto saves the inner IP protocol of the plain
+text packet. This allows vendor's IPsec feature making offload
+decision at skb's features_check and configuring hardware at
+ndo_start_xmit, current code implenetation did not handle the
+case where IPsec is used in tunnel mode.
+
+Fix by handling the case when IPsec is used in tunnel mode by
+reading the protocol of the plain text packet IP protocol.
+
+Fixes: fa4535238fb5 ("net/xfrm: Add inner_ipproto into sec_path")
+Signed-off-by: Raed Salem <raeds@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_output.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
+index 229544bc70c21..4dc4a7bbe51cf 100644
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -647,10 +647,12 @@ static int xfrm_output_gso(struct net *net, struct sock *sk, struct sk_buff *skb
+  * This requires hardware to know the inner packet type to calculate
+  * the inner header checksum. Save inner ip protocol here to avoid
+  * traversing the packet in the vendor's xmit code.
+- * If the encap type is IPIP, just save skb->inner_ipproto. Otherwise,
+- * get the ip protocol from the IP header.
++ * For IPsec tunnel mode save the ip protocol from the IP header of the
++ * plain text packet. Otherwise If the encap type is IPIP, just save
++ * skb->inner_ipproto in any other case get the ip protocol from the IP
++ * header.
+  */
+-static void xfrm_get_inner_ipproto(struct sk_buff *skb)
++static void xfrm_get_inner_ipproto(struct sk_buff *skb, struct xfrm_state *x)
+ {
+       struct xfrm_offload *xo = xfrm_offload(skb);
+       const struct ethhdr *eth;
+@@ -658,6 +660,25 @@ static void xfrm_get_inner_ipproto(struct sk_buff *skb)
+       if (!xo)
+               return;
++      if (x->outer_mode.encap == XFRM_MODE_TUNNEL) {
++              switch (x->outer_mode.family) {
++              case AF_INET:
++                      xo->inner_ipproto = ip_hdr(skb)->protocol;
++                      break;
++              case AF_INET6:
++                      xo->inner_ipproto = ipv6_hdr(skb)->nexthdr;
++                      break;
++              default:
++                      break;
++              }
++
++              return;
++      }
++
++      /* non-Tunnel Mode */
++      if (!skb->encapsulation)
++              return;
++
+       if (skb->inner_protocol_type == ENCAP_TYPE_IPPROTO) {
+               xo->inner_ipproto = skb->inner_ipproto;
+               return;
+@@ -712,8 +733,7 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
+               sp->xvec[sp->len++] = x;
+               xfrm_state_hold(x);
+-              if (skb->encapsulation)
+-                      xfrm_get_inner_ipproto(skb);
++              xfrm_get_inner_ipproto(skb, x);
+               skb->encapsulation = 1;
+               if (skb_is_gso(skb)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/netfilter-bridge-add-support-for-pppoe-filtering.patch b/queue-5.16/netfilter-bridge-add-support-for-pppoe-filtering.patch
new file mode 100644 (file)
index 0000000..647a14e
--- /dev/null
@@ -0,0 +1,77 @@
+From e53d606f444eba1481cbb4619e0fee7d3a72d571 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 12:50:31 +0100
+Subject: netfilter: bridge: add support for pppoe filtering
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 28b78ecffea8078d81466b2e01bb5a154509f1ba ]
+
+This makes 'bridge-nf-filter-pppoe-tagged' sysctl work for
+bridged traffic.
+
+Looking at the original commit it doesn't appear this ever worked:
+
+ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
+[..]
+        if (skb->protocol == htons(ETH_P_8021Q)) {
+                skb_pull(skb, VLAN_HLEN);
+                skb->network_header += VLAN_HLEN;
++       } else if (skb->protocol == htons(ETH_P_PPP_SES)) {
++               skb_pull(skb, PPPOE_SES_HLEN);
++               skb->network_header += PPPOE_SES_HLEN;
+        }
+ [..]
+       NF_HOOK(... POST_ROUTING, ...)
+
+... but the adjusted offsets are never restored.
+
+The alternative would be to rip this code out for good,
+but otoh we'd have to keep this anyway for the vlan handling
+(which works because vlan tag info is in the skb, not the packet
+ payload).
+
+Reported-and-tested-by: Amish Chana <amish@3g.co.za>
+Fixes: 516299d2f5b6f97 ("[NETFILTER]: bridge-nf: filter bridged IPv4/IPv6 encapsulated in pppoe traffic")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index b5af68c105a83..4fd882686b04d 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -743,6 +743,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
+       if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
+               mtu = nf_bridge->frag_max_size;
++      nf_bridge_update_protocol(skb);
++      nf_bridge_push_encap_header(skb);
++
+       if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
+               nf_bridge_info_free(skb);
+               return br_dev_queue_push_xmit(net, sk, skb);
+@@ -760,8 +763,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
+               IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
+-              nf_bridge_update_protocol(skb);
+-
+               data = this_cpu_ptr(&brnf_frag_data_storage);
+               if (skb_vlan_tag_present(skb)) {
+@@ -789,8 +790,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
+               IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
+-              nf_bridge_update_protocol(skb);
+-
+               data = this_cpu_ptr(&brnf_frag_data_storage);
+               data->encap_size = nf_bridge_encap_header_len(skb);
+               data->size = ETH_HLEN + data->encap_size;
+-- 
+2.34.1
+
diff --git a/queue-5.16/netfilter-egress-avoid-a-lockdep-splat.patch b/queue-5.16/netfilter-egress-avoid-a-lockdep-splat.patch
new file mode 100644 (file)
index 0000000..88ad0b5
--- /dev/null
@@ -0,0 +1,42 @@
+From 16d9cdc3519b1bfb5dc77758e3f2e86281f1236a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 15:46:16 +0100
+Subject: netfilter: egress: avoid a lockdep splat
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 6316136ec6e3dd1c302f7e7289a9ee46ecc610ae ]
+
+include/linux/netfilter_netdev.h:97 suspicious rcu_dereference_check() usage!
+2 locks held by sd-resolve/1100:
+ 0: ..(rcu_read_lock_bh){1:3}, at: ip_finish_output2
+ 1: ..(rcu_read_lock_bh){1:3}, at: __dev_queue_xmit
+ __dev_queue_xmit+0 ..
+
+The helper has two callers, one uses rcu_read_lock, the other
+rcu_read_lock_bh().  Annotate the dereference to reflect this.
+
+Fixes: 42df6e1d221dd ("netfilter: Introduce egress hook")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter_netdev.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/netfilter_netdev.h b/include/linux/netfilter_netdev.h
+index b71b57a83bb4f..b4dd96e4dc8dc 100644
+--- a/include/linux/netfilter_netdev.h
++++ b/include/linux/netfilter_netdev.h
+@@ -94,7 +94,7 @@ static inline struct sk_buff *nf_hook_egress(struct sk_buff *skb, int *rc,
+               return skb;
+ #endif
+-      e = rcu_dereference(dev->nf_hooks_egress);
++      e = rcu_dereference_check(dev->nf_hooks_egress, rcu_read_lock_bh_held());
+       if (!e)
+               return skb;
+-- 
+2.34.1
+
diff --git a/queue-5.16/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch b/queue-5.16/netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch
new file mode 100644 (file)
index 0000000..c28233d
--- /dev/null
@@ -0,0 +1,48 @@
+From f2a50d4d64bd7341d40ca006b26ce346e5c0295f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 10:48:12 +0800
+Subject: netfilter: ipt_CLUSTERIP: fix refcount leak in clusterip_tg_check()
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+[ Upstream commit d94a69cb2cfa77294921aae9afcfb866e723a2da ]
+
+The issue takes place in one error path of clusterip_tg_check(). When
+memcmp() returns nonzero, the function simply returns the error code,
+forgetting to decrease the reference count of a clusterip_config
+object, which is bumped earlier by clusterip_config_find_get(). This
+may incur reference count leak.
+
+Fix this issue by decrementing the refcount of the object in specific
+error path.
+
+Fixes: 06aa151ad1fc74 ("netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set")
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+index 8fd1aba8af31c..b518f20c9a244 100644
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -520,8 +520,11 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
+                       if (IS_ERR(config))
+                               return PTR_ERR(config);
+               }
+-      } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN))
++      } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) {
++              clusterip_config_entry_put(config);
++              clusterip_config_put(config);
+               return -EINVAL;
++      }
+       ret = nf_ct_netns_get(par->net, par->family);
+       if (ret < 0) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/netfilter-nft_payload-do-not-update-layer-4-checksum.patch b/queue-5.16/netfilter-nft_payload-do-not-update-layer-4-checksum.patch
new file mode 100644 (file)
index 0000000..1ff4a5f
--- /dev/null
@@ -0,0 +1,38 @@
+From 8b1ecccbe819a6a36f4335fbdfb3050489747e89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 16:09:57 +0100
+Subject: netfilter: nft_payload: do not update layer 4 checksum when mangling
+ fragments
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4e1860a3863707e8177329c006d10f9e37e097a8 ]
+
+IP fragments do not come with the transport header, hence skip bogus
+layer 4 checksum updates.
+
+Fixes: 1814096980bb ("netfilter: nft_payload: layer 4 checksum adjustment for pseudoheader fields")
+Reported-and-tested-by: Steffen Weinreich <steve@weinreich.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_payload.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index bd689938a2e0c..58e96a0fe0b4c 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -546,6 +546,9 @@ static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
+                                    struct sk_buff *skb,
+                                    unsigned int *l4csum_offset)
+ {
++      if (pkt->fragoff)
++              return -1;
++
+       switch (pkt->tprot) {
+       case IPPROTO_TCP:
+               *l4csum_offset = offsetof(struct tcphdr, check);
+-- 
+2.34.1
+
diff --git a/queue-5.16/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch b/queue-5.16/netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch
new file mode 100644 (file)
index 0000000..489ab1f
--- /dev/null
@@ -0,0 +1,58 @@
+From c5dc3f9316398d23c6a7d721e773689af6478835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 14:19:54 +0100
+Subject: netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 23c54263efd7cb605e2f7af72717a2a951999217 ]
+
+This is needed in case a new transaction is made that doesn't insert any
+new elements into an already existing set.
+
+Else, after second 'nft -f ruleset.txt', lookups in such a set will fail
+because ->lookup() encounters raw_cpu_ptr(m->scratch) == NULL.
+
+For the initial rule load, insertion of elements takes care of the
+allocation, but for rule reloads this isn't guaranteed: we might not
+have additions to the set.
+
+Fixes: 3c4287f62044a90e ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: etkaar <lists.netfilter.org@prvy.eu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index dce866d93feed..2c8051d8cca69 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1290,6 +1290,11 @@ static struct nft_pipapo_match *pipapo_clone(struct nft_pipapo_match *old)
+       if (!new->scratch_aligned)
+               goto out_scratch;
+ #endif
++      for_each_possible_cpu(i)
++              *per_cpu_ptr(new->scratch, i) = NULL;
++
++      if (pipapo_realloc_scratch(new, old->bsize_max))
++              goto out_scratch_realloc;
+       rcu_head_init(&new->rcu);
+@@ -1334,6 +1339,9 @@ out_lt:
+               kvfree(dst->lt);
+               dst--;
+       }
++out_scratch_realloc:
++      for_each_possible_cpu(i)
++              kfree(*per_cpu_ptr(new->scratch, i));
+ #ifdef NFT_PIPAPO_ALIGN
+       free_percpu(new->scratch_aligned);
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/netrom-fix-api-breakage-in-nr_setsockopt.patch b/queue-5.16/netrom-fix-api-breakage-in-nr_setsockopt.patch
new file mode 100644 (file)
index 0000000..4650e8e
--- /dev/null
@@ -0,0 +1,78 @@
+From a0d1c97680b1560e9e6d04e9e1fe4c45b320b7a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 10:12:10 +0300
+Subject: netrom: fix api breakage in nr_setsockopt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit dc35616e6c2907b0c0c391a205802d8880f7fd85 ]
+
+This needs to copy an unsigned int from user space instead of a long to
+avoid breaking user space with an API change.
+
+I have updated all the integer overflow checks from ULONG to UINT as
+well.  This is a slight API change but I do not expect it to affect
+anything in real life.
+
+Fixes: 3087a6f36ee0 ("netrom: fix copying in user data in nr_setsockopt")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index f1ba7dd3d253d..fa9dc2ba39418 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -298,7 +298,7 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
+ {
+       struct sock *sk = sock->sk;
+       struct nr_sock *nr = nr_sk(sk);
+-      unsigned long opt;
++      unsigned int opt;
+       if (level != SOL_NETROM)
+               return -ENOPROTOOPT;
+@@ -306,18 +306,18 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
+       if (optlen < sizeof(unsigned int))
+               return -EINVAL;
+-      if (copy_from_sockptr(&opt, optval, sizeof(unsigned long)))
++      if (copy_from_sockptr(&opt, optval, sizeof(opt)))
+               return -EFAULT;
+       switch (optname) {
+       case NETROM_T1:
+-              if (opt < 1 || opt > ULONG_MAX / HZ)
++              if (opt < 1 || opt > UINT_MAX / HZ)
+                       return -EINVAL;
+               nr->t1 = opt * HZ;
+               return 0;
+       case NETROM_T2:
+-              if (opt < 1 || opt > ULONG_MAX / HZ)
++              if (opt < 1 || opt > UINT_MAX / HZ)
+                       return -EINVAL;
+               nr->t2 = opt * HZ;
+               return 0;
+@@ -329,13 +329,13 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
+               return 0;
+       case NETROM_T4:
+-              if (opt < 1 || opt > ULONG_MAX / HZ)
++              if (opt < 1 || opt > UINT_MAX / HZ)
+                       return -EINVAL;
+               nr->t4 = opt * HZ;
+               return 0;
+       case NETROM_IDLE:
+-              if (opt > ULONG_MAX / (60 * HZ))
++              if (opt > UINT_MAX / (60 * HZ))
+                       return -EINVAL;
+               nr->idle = opt * 60 * HZ;
+               return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/nfsd-fix-crash-on-copy_notify-with-special-stateid.patch b/queue-5.16/nfsd-fix-crash-on-copy_notify-with-special-stateid.patch
new file mode 100644 (file)
index 0000000..b231303
--- /dev/null
@@ -0,0 +1,56 @@
+From dd295fedb3ffabef3c1b6c4152774c1af2b50d54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 14:15:03 -0500
+Subject: nfsd: fix crash on COPY_NOTIFY with special stateid
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+[ Upstream commit 074b07d94e0bb6ddce5690a9b7e2373088e8b33a ]
+
+RTM says "If the special ONE stateid is passed to
+nfs4_preprocess_stateid_op(), it returns status=0 but does not set
+*cstid. nfsd4_copy_notify() depends on stid being set if status=0, and
+thus can crash if the client sends the right COPY_NOTIFY RPC."
+
+RFC 7862 says "The cna_src_stateid MUST refer to either open or locking
+states provided earlier by the server.  If it is invalid, then the
+operation MUST fail."
+
+The RFC doesn't specify an error, and the choice doesn't matter much as
+this is clearly illegal client behavior, but bad_stateid seems
+reasonable.
+
+Simplest is just to guarantee that nfs4_preprocess_stateid_op, called
+with non-NULL cstid, errors out if it can't return a stateid.
+
+Reported-by: rtm@csail.mit.edu
+Fixes: 624322f1adc5 ("NFSD add COPY_NOTIFY operation")
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Olga Kornievskaia <kolga@netapp.com>
+Tested-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 1956d377d1a60..b94b3bb2b8a6e 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6040,7 +6040,11 @@ nfs4_preprocess_stateid_op(struct svc_rqst *rqstp,
+               *nfp = NULL;
+       if (ZERO_STATEID(stateid) || ONE_STATEID(stateid)) {
+-              status = check_special_stateids(net, fhp, stateid, flags);
++              if (cstid)
++                      status = nfserr_bad_stateid;
++              else
++                      status = check_special_stateids(net, fhp, stateid,
++                                                                      flags);
+               goto done;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/nfsd-fix-verifier-returned-in-stable-writes.patch b/queue-5.16/nfsd-fix-verifier-returned-in-stable-writes.patch
new file mode 100644 (file)
index 0000000..7a5a65e
--- /dev/null
@@ -0,0 +1,69 @@
+From abb6e11c7ef15025612ae469379c0f5d0c14a40b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Dec 2021 12:35:43 -0500
+Subject: NFSD: Fix verifier returned in stable WRITEs
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit f11ad7aa653130b71e2e89bed207f387718216d5 ]
+
+RFC 8881 explains the purpose of the write verifier this way:
+
+> The final portion of the result is the field writeverf. This field
+> is the write verifier and is a cookie that the client can use to
+> determine whether a server has changed instance state (e.g., server
+> restart) between a call to WRITE and a subsequent call to either
+> WRITE or COMMIT.
+
+But then it says:
+
+> This cookie MUST be unchanged during a single instance of the
+> NFSv4.1 server and MUST be unique between instances of the NFSv4.1
+> server. If the cookie changes, then the client MUST assume that
+> any data written with an UNSTABLE4 value for committed and an old
+> writeverf in the reply has been lost and will need to be
+> recovered.
+
+RFC 1813 has similar language for NFSv3. NFSv2 does not have a write
+verifier since it doesn't implement the COMMIT procedure.
+
+Since commit 19e0663ff9bc ("nfsd: Ensure sampling of the write
+verifier is atomic with the write"), the Linux NFS server has
+returned a boot-time-based verifier for UNSTABLE WRITEs, but a zero
+verifier for FILE_SYNC and DATA_SYNC WRITEs. FILE_SYNC and DATA_SYNC
+WRITEs are not followed up with a COMMIT, so there's no need for
+clients to compare verifiers for stable writes.
+
+However, by returning a different verifier for stable and unstable
+writes, the above commit puts the Linux NFS server a step farther
+out of compliance with the first MUST above. At least one NFS client
+(FreeBSD) noticed the difference, making this a potential
+regression.
+
+Reported-by: Rick Macklem <rmacklem@uoguelph.ca>
+Link: https://lore.kernel.org/linux-nfs/YQXPR0101MB096857EEACF04A6DF1FC6D9BDD749@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM/T/
+Fixes: 19e0663ff9bc ("nfsd: Ensure sampling of the write verifier is atomic with the write")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/vfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index c99857689e2c2..7f2472e4b88f9 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -987,6 +987,10 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct nfsd_file *nf,
+       iov_iter_kvec(&iter, WRITE, vec, vlen, *cnt);
+       if (flags & RWF_SYNC) {
+               down_write(&nf->nf_rwsem);
++              if (verf)
++                      nfsd_copy_boot_verifier(verf,
++                                      net_generic(SVC_NET(rqstp),
++                                      nfsd_net_id));
+               host_err = vfs_iter_write(file, &iter, &pos, flags);
+               if (host_err < 0)
+                       nfsd_reset_boot_verifier(net_generic(SVC_NET(rqstp),
+-- 
+2.34.1
+
diff --git a/queue-5.16/ntb_hw_switchtec-fix-bug-with-more-than-32-partition.patch b/queue-5.16/ntb_hw_switchtec-fix-bug-with-more-than-32-partition.patch
new file mode 100644 (file)
index 0000000..c4fdbf2
--- /dev/null
@@ -0,0 +1,74 @@
+From 67afabd11c14748080011fae207dfbb063719a12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 17:23:30 -0800
+Subject: ntb_hw_switchtec: Fix bug with more than 32 partitions
+
+From: Wesley Sheng <wesley.sheng@microchip.com>
+
+[ Upstream commit 7ff351c86b6b258f387502ab2c9b9d04f82c1c3d ]
+
+Switchtec could support as mush as 48 partitions, but ffs & fls are
+for 32 bit argument, in case of partition index larger than 31, the
+current code could not parse the peer partition index correctly.
+Change to the 64 bit version __ffs64 & fls64 accordingly to fix this
+bug.
+
+Fixes: 3df54c870f52 ("ntb_hw_switchtec: Allow using Switchtec NTB in multi-partition setups")
+Signed-off-by: Wesley Sheng <wesley.sheng@microchip.com>
+Signed-off-by: Kelvin Cao <kelvin.cao@microchip.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+index 6603c77c0a848..ec9cb6c81edae 100644
+--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+@@ -840,7 +840,6 @@ static int switchtec_ntb_init_sndev(struct switchtec_ntb *sndev)
+       u64 tpart_vec;
+       int self;
+       u64 part_map;
+-      int bit;
+       sndev->ntb.pdev = sndev->stdev->pdev;
+       sndev->ntb.topo = NTB_TOPO_SWITCH;
+@@ -861,29 +860,28 @@ static int switchtec_ntb_init_sndev(struct switchtec_ntb *sndev)
+       part_map = ioread64(&sndev->mmio_ntb->ep_map);
+       part_map &= ~(1 << sndev->self_partition);
+-      if (!ffs(tpart_vec)) {
++      if (!tpart_vec) {
+               if (sndev->stdev->partition_count != 2) {
+                       dev_err(&sndev->stdev->dev,
+                               "ntb target partition not defined\n");
+                       return -ENODEV;
+               }
+-              bit = ffs(part_map);
+-              if (!bit) {
++              if (!part_map) {
+                       dev_err(&sndev->stdev->dev,
+                               "peer partition is not NT partition\n");
+                       return -ENODEV;
+               }
+-              sndev->peer_partition = bit - 1;
++              sndev->peer_partition = __ffs64(part_map);
+       } else {
+-              if (ffs(tpart_vec) != fls(tpart_vec)) {
++              if (__ffs64(tpart_vec) != (fls64(tpart_vec) - 1)) {
+                       dev_err(&sndev->stdev->dev,
+                               "ntb driver only supports 1 pair of 1-1 ntb mapping\n");
+                       return -ENODEV;
+               }
+-              sndev->peer_partition = ffs(tpart_vec) - 1;
++              sndev->peer_partition = __ffs64(tpart_vec);
+               if (!(part_map & (1ULL << sndev->peer_partition))) {
+                       dev_err(&sndev->stdev->dev,
+                               "ntb target partition is not NT partition\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/ntb_hw_switchtec-fix-pff-ioread-to-read-into-mmio_pa.patch b/queue-5.16/ntb_hw_switchtec-fix-pff-ioread-to-read-into-mmio_pa.patch
new file mode 100644 (file)
index 0000000..8893260
--- /dev/null
@@ -0,0 +1,40 @@
+From 7abb4df9f21e3706801a770f71a94e133ac649c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 17:23:29 -0800
+Subject: ntb_hw_switchtec: Fix pff ioread to read into mmio_part_cfg_all
+
+From: Jeremy Pallotta <jmpallotta@gmail.com>
+
+[ Upstream commit 32c3d375b0ed84b6acb51ae5ebef35ff0d649d85 ]
+
+Array mmio_part_cfg_all holds the partition configuration of all
+partitions, with partition number as index. Fix this by reading into
+mmio_part_cfg_all for pff.
+
+Fixes: 0ee28f26f378 ("NTB: switchtec_ntb: Add link management")
+Signed-off-by: Jeremy Pallotta <jmpallotta@gmail.com>
+Signed-off-by: Kelvin Cao <kelvin.cao@microchip.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+index 4c6eb61a6ac62..6603c77c0a848 100644
+--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+@@ -419,8 +419,8 @@ static void switchtec_ntb_part_link_speed(struct switchtec_ntb *sndev,
+                                         enum ntb_width *width)
+ {
+       struct switchtec_dev *stdev = sndev->stdev;
+-
+-      u32 pff = ioread32(&stdev->mmio_part_cfg[partition].vep_pff_inst_id);
++      u32 pff =
++              ioread32(&stdev->mmio_part_cfg_all[partition].vep_pff_inst_id);
+       u32 linksta = ioread32(&stdev->mmio_pff_csr[pff].pci_cap_region[13]);
+       if (speed)
+-- 
+2.34.1
+
diff --git a/queue-5.16/null_blk-allow-zero-poll-queues.patch b/queue-5.16/null_blk-allow-zero-poll-queues.patch
new file mode 100644 (file)
index 0000000..766700d
--- /dev/null
@@ -0,0 +1,53 @@
+From d8a464907dc1c9d6c78f9ef2bb9758e5ed194d9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 10:39:35 +0800
+Subject: null_blk: allow zero poll queues
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 2bfdbe8b7ebd17b5331071071a910fbabc64b436 ]
+
+There isn't any reason to not allow zero poll queues from user
+viewpoint.
+
+Also sometimes we need to compare io poll between poll mode and irq
+mode, so not allowing poll queues is bad.
+
+Fixes: 15dfc662ef31 ("null_blk: Fix handling of submit_queues and poll_queues attributes")
+Cc: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20211203023935.3424042-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk/main.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
+index 323af5c9c8026..fc1317060db54 100644
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -340,9 +340,9 @@ static int nullb_update_nr_hw_queues(struct nullb_device *dev,
+               return 0;
+       /*
+-       * Make sure at least one queue exists for each of submit and poll.
++       * Make sure at least one submit queue exists.
+        */
+-      if (!submit_queues || !poll_queues)
++      if (!submit_queues)
+               return -EINVAL;
+       /*
+@@ -1918,8 +1918,6 @@ static int null_validate_conf(struct nullb_device *dev)
+       if (dev->poll_queues > g_poll_queues)
+               dev->poll_queues = g_poll_queues;
+-      else if (dev->poll_queues == 0)
+-              dev->poll_queues = 1;
+       dev->prev_poll_queues = dev->poll_queues;
+       dev->queue_mode = min_t(unsigned int, dev->queue_mode, NULL_Q_MQ);
+-- 
+2.34.1
+
diff --git a/queue-5.16/nvmem-core-set-size-for-sysfs-bin-file.patch b/queue-5.16/nvmem-core-set-size-for-sysfs-bin-file.patch
new file mode 100644 (file)
index 0000000..1879947
--- /dev/null
@@ -0,0 +1,37 @@
+From 33505aa1179e7e55589d58f819dc34873b650073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 13:39:09 +0000
+Subject: nvmem: core: set size for sysfs bin file
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 86192251033308bb42f1e9813c962989d8ed07ec ]
+
+For some reason we never set the size for nvmem sysfs binary file.
+Set this.
+
+Reported-by: Gilles BULOZ <gilles.buloz@kontron.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20211130133909.6154-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvmem/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
+index e765d3d0542e5..23a38dcf0fc4d 100644
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -312,6 +312,8 @@ static umode_t nvmem_bin_attr_is_visible(struct kobject *kobj,
+       struct device *dev = kobj_to_dev(kobj);
+       struct nvmem_device *nvmem = to_nvmem_device(dev);
++      attr->size = nvmem->size;
++
+       return nvmem_bin_attr_get_umode(nvmem);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/octeontx2-af-fix-interrupt-name-strings.patch b/queue-5.16/octeontx2-af-fix-interrupt-name-strings.patch
new file mode 100644 (file)
index 0000000..b0f42cb
--- /dev/null
@@ -0,0 +1,61 @@
+From e0658d5cb2138ff90e8b22e16d8450503fbd6300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 12:25:05 +0530
+Subject: octeontx2-af: Fix interrupt name strings
+
+From: Sunil Goutham <sgoutham@marvell.com>
+
+[ Upstream commit 6dc9a23e29061e50c36523270de60039ccf536fa ]
+
+Fixed interrupt name string logic which currently results
+in wrong memory location being accessed while dumping
+/proc/interrupts.
+
+Fixes: 4826090719d4 ("octeontx2-af: Enable CPT HW interrupts")
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Link: https://lore.kernel.org/r/1641538505-28367-1-git-send-email-sbhatta@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c     | 5 ++---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c
+index 45357deecabbf..a73a8017e0ee9 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cpt.c
+@@ -172,14 +172,13 @@ static int cpt_10k_register_interrupts(struct rvu_block *block, int off)
+ {
+       struct rvu *rvu = block->rvu;
+       int blkaddr = block->addr;
+-      char irq_name[16];
+       int i, ret;
+       for (i = CPT_10K_AF_INT_VEC_FLT0; i < CPT_10K_AF_INT_VEC_RVU; i++) {
+-              snprintf(irq_name, sizeof(irq_name), "CPTAF FLT%d", i);
++              sprintf(&rvu->irq_name[(off + i) * NAME_SIZE], "CPTAF FLT%d", i);
+               ret = rvu_cpt_do_register_interrupt(block, off + i,
+                                                   rvu_cpt_af_flt_intr_handler,
+-                                                  irq_name);
++                                                  &rvu->irq_name[(off + i) * NAME_SIZE]);
+               if (ret)
+                       goto err;
+               rvu_write64(rvu, blkaddr, CPT_AF_FLTX_INT_ENA_W1S(i), 0x1);
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+index 70bacd38a6d9d..d0ab8f233a029 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+@@ -41,7 +41,7 @@ static bool rvu_common_request_irq(struct rvu *rvu, int offset,
+       struct rvu_devlink *rvu_dl = rvu->rvu_dl;
+       int rc;
+-      sprintf(&rvu->irq_name[offset * NAME_SIZE], name);
++      sprintf(&rvu->irq_name[offset * NAME_SIZE], "%s", name);
+       rc = request_irq(pci_irq_vector(rvu->pdev, offset), fn, 0,
+                        &rvu->irq_name[offset * NAME_SIZE], rvu_dl);
+       if (rc)
+-- 
+2.34.1
+
diff --git a/queue-5.16/octeontx2-af-increment-ptp-refcount-before-use.patch b/queue-5.16/octeontx2-af-increment-ptp-refcount-before-use.patch
new file mode 100644 (file)
index 0000000..11577ef
--- /dev/null
@@ -0,0 +1,37 @@
+From f19371f6cdc7b0dee36646bd00ecbca22967b621 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 12:00:29 +0530
+Subject: octeontx2-af: Increment ptp refcount before use
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 93440f4888cf049dbd22b41aaf94d2e2153b3eb8 ]
+
+Before using the ptp pci device by AF driver increment
+the reference count of it.
+
+Fixes: a8b90c9d26d6 ("octeontx2-af: Add PTP device id for CN10K and 95O silcons")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/ptp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/ptp.c b/drivers/net/ethernet/marvell/octeontx2/af/ptp.c
+index d6321de3cc171..e682b7bfde640 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/ptp.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/ptp.c
+@@ -60,6 +60,8 @@ struct ptp *ptp_get(void)
+       /* Check driver is bound to PTP block */
+       if (!ptp)
+               ptp = ERR_PTR(-EPROBE_DEFER);
++      else
++              pci_dev_get(ptp->pdev);
+       return ptp;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/octeontx2-nicvf-free-vf-ptp-resources.patch b/queue-5.16/octeontx2-nicvf-free-vf-ptp-resources.patch
new file mode 100644 (file)
index 0000000..3690b3a
--- /dev/null
@@ -0,0 +1,55 @@
+From abfa403c8ebfb71fc29e1e34920b267473567453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 12:00:30 +0530
+Subject: octeontx2-nicvf: Free VF PTP resources.
+
+From: Rakesh Babu Saladi <rsaladi2@marvell.com>
+
+[ Upstream commit eabd0f88b0d2d433c5dfe88218d4ce1c11ef04b8 ]
+
+When a VF is removed respective PTP resources are not
+being freed currently. This patch fixes it.
+
+Fixes: 43510ef4ddad ("octeontx2-nicvf: Add PTP hardware clock support to NIX VF")
+Signed-off-by: Rakesh Babu Saladi <rsaladi2@marvell.com>
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+index 78944ad3492ff..d75f3a78fabf1 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+@@ -684,7 +684,7 @@ static int otx2vf_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       err = register_netdev(netdev);
+       if (err) {
+               dev_err(dev, "Failed to register netdevice\n");
+-              goto err_detach_rsrc;
++              goto err_ptp_destroy;
+       }
+       err = otx2_wq_init(vf);
+@@ -709,6 +709,8 @@ static int otx2vf_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ err_unreg_netdev:
+       unregister_netdev(netdev);
++err_ptp_destroy:
++      otx2_ptp_destroy(vf);
+ err_detach_rsrc:
+       if (test_bit(CN10K_LMTST, &vf->hw.cap_flag))
+               qmem_free(vf->dev, vf->dync_lmt);
+@@ -742,6 +744,7 @@ static void otx2vf_remove(struct pci_dev *pdev)
+       unregister_netdev(netdev);
+       if (vf->otx2_wq)
+               destroy_workqueue(vf->otx2_wq);
++      otx2_ptp_destroy(vf);
+       otx2vf_disable_mbox_intr(vf);
+       otx2_detach_resources(&vf->mbox);
+       if (test_bit(CN10K_LMTST, &vf->hw.cap_flag))
+-- 
+2.34.1
+
diff --git a/queue-5.16/of-base-fix-phandle-argument-length-mismatch-error-m.patch b/queue-5.16/of-base-fix-phandle-argument-length-mismatch-error-m.patch
new file mode 100644 (file)
index 0000000..35e58bd
--- /dev/null
@@ -0,0 +1,42 @@
+From 338df9aa6096e8cb2e810cbaa2ba9fb02342875c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 18:31:52 +0200
+Subject: of: base: Fix phandle argument length mismatch error message
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit 94a4950a4acff39b5847cc1fee4f65e160813493 ]
+
+The cell_count field of of_phandle_iterator is the number of cells we
+expect in the phandle arguments list when cells_name is missing. The
+error message should show the number of cells we actually see.
+
+Fixes: af3be70a3211 ("of: Improve of_phandle_iterator_next() error message")
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/96519ac55be90a63fa44afe01480c30d08535465.1640881913.git.baruch@tkos.co.il
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/base.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/base.c b/drivers/of/base.c
+index 61de453b885cb..81b956ab2348e 100644
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1349,9 +1349,9 @@ int of_phandle_iterator_next(struct of_phandle_iterator *it)
+                * property data length
+                */
+               if (it->cur + count > it->list_end) {
+-                      pr_err("%pOF: %s = %d found %d\n",
++                      pr_err("%pOF: %s = %d found %td\n",
+                              it->parent, it->cells_name,
+-                             count, it->cell_count);
++                             count, it->list_end - it->cur);
+                       goto err;
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/of-fdt-aggregate-the-processing-of-linux-usable-memo.patch b/queue-5.16/of-fdt-aggregate-the-processing-of-linux-usable-memo.patch
new file mode 100644 (file)
index 0000000..bd5e1c1
--- /dev/null
@@ -0,0 +1,99 @@
+From fa56193ac9c0cb54afb1580824c3304c4a5ed0af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 12:01:56 +0800
+Subject: of: fdt: Aggregate the processing of "linux,usable-memory-range"
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 8347b41748c3019157312fbe7f8a6792ae396eb7 ]
+
+Currently, we parse the "linux,usable-memory-range" property in
+early_init_dt_scan_chosen(), to obtain the specified memory range of the
+crash kernel. We then reserve the required memory after
+early_init_dt_scan_memory() has identified all available physical memory.
+Because the two pieces of code are separated far, the readability and
+maintainability are reduced. So bring them together.
+
+Suggested-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+(change the prototype of early_init_dt_check_for_usable_mem_range(), in
+order to use it outside)
+Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
+Tested-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Acked-by: John Donnelly <john.p.donnelly@oracle.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: linux-arm-kernel@lists.infradead.org
+To: devicetree@vger.kernel.org
+To: linux-efi@vger.kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/fdt.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index bdca35284cebd..5a238a933eb29 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -965,18 +965,22 @@ static void __init early_init_dt_check_for_elfcorehdr(unsigned long node)
+                elfcorehdr_addr, elfcorehdr_size);
+ }
+-static phys_addr_t cap_mem_addr;
+-static phys_addr_t cap_mem_size;
++static unsigned long chosen_node_offset = -FDT_ERR_NOTFOUND;
+ /**
+  * early_init_dt_check_for_usable_mem_range - Decode usable memory range
+  * location from flat tree
+- * @node: reference to node containing usable memory range location ('chosen')
+  */
+-static void __init early_init_dt_check_for_usable_mem_range(unsigned long node)
++static void __init early_init_dt_check_for_usable_mem_range(void)
+ {
+       const __be32 *prop;
+       int len;
++      phys_addr_t cap_mem_addr;
++      phys_addr_t cap_mem_size;
++      unsigned long node = chosen_node_offset;
++
++      if ((long)node < 0)
++              return;
+       pr_debug("Looking for usable-memory-range property... ");
+@@ -989,6 +993,8 @@ static void __init early_init_dt_check_for_usable_mem_range(unsigned long node)
+       pr_debug("cap_mem_start=%pa cap_mem_size=%pa\n", &cap_mem_addr,
+                &cap_mem_size);
++
++      memblock_cap_memory_range(cap_mem_addr, cap_mem_size);
+ }
+ #ifdef CONFIG_SERIAL_EARLYCON
+@@ -1137,9 +1143,10 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
+           (strcmp(uname, "chosen") != 0 && strcmp(uname, "chosen@0") != 0))
+               return 0;
++      chosen_node_offset = node;
++
+       early_init_dt_check_for_initrd(node);
+       early_init_dt_check_for_elfcorehdr(node);
+-      early_init_dt_check_for_usable_mem_range(node);
+       /* Retrieve command line */
+       p = of_get_flat_dt_prop(node, "bootargs", &l);
+@@ -1275,7 +1282,7 @@ void __init early_init_dt_scan_nodes(void)
+       of_scan_flat_dt(early_init_dt_scan_memory, NULL);
+       /* Handle linux,usable-memory-range property */
+-      memblock_cap_memory_range(cap_mem_addr, cap_mem_size);
++      early_init_dt_check_for_usable_mem_range();
+ }
+ bool __init early_init_dt_scan(void *params)
+-- 
+2.34.1
+
diff --git a/queue-5.16/of-fdt-don-t-worry-about-non-memory-region-overlap-f.patch b/queue-5.16/of-fdt-don-t-worry-about-non-memory-region-overlap-f.patch
new file mode 100644 (file)
index 0000000..9e91b09
--- /dev/null
@@ -0,0 +1,91 @@
+From 9cdb89745b3933f8bcffbbbdca8824c259dda292 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 11:42:32 -0800
+Subject: of/fdt: Don't worry about non-memory region overlap for no-map
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit da17d6905d29ddcdc04b2fdc37ed8cf1e8437cc8 ]
+
+In commit 8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove
+already reserved regions") we returned -EBUSY when trying to mark
+regions as no-map when they intersect with reserved memory. The goal was
+to find bad no-map reserved memory DT nodes that would unmap the kernel
+text/data sections.
+
+The problem is the reserved memory check will still trigger if the DT
+has a /memreserve/ that completely subsumes the no-map memory carveouts
+in the reserved memory node _and_ that region is also not part of the
+memory reg property. For example in sc7180.dtsi we have the following
+reserved-memory and memory node:
+
+      memory@80000000 {
+          /* We expect the bootloader to fill in the size */
+          reg = <0 0x80000000 0 0>;
+      };
+
+      smem_mem: memory@80900000 {
+              reg = <0x0 0x80900000 0x0 0x200000>;
+              no-map;
+      };
+
+and the memreserve filled in by the bootloader is
+
+      /memreserve/ 0x80800000 0x400000;
+
+while the /memory node is transformed into
+
+      memory@80000000 {
+          /* The bootloader fills in the size, and adds another region */
+          reg = <0 0x80000000 0 0x00800000>,
+                <0 0x80c00000 0 0x7f200000>;
+      };
+
+The smem region is doubly reserved via /memreserve/ and by not being
+part of the /memory reg property. This leads to the following warning
+printed at boot.
+
+ OF: fdt: Reserved memory: failed to reserve memory for node 'memory@80900000': base 0x0000000080900000, size 2 MiB
+
+Otherwise nothing really goes wrong because the smem region is not going
+to be mapped by the kernel's direct linear mapping given that it isn't
+part of the memory node. Therefore, let's only consider this to be a
+problem if we're trying to mark a region as no-map and it is actually
+memory that we're intending to keep out of the kernel's direct mapping
+but it's already been reserved.
+
+Acked-by: Mike Rapoport <rppt@kernel.org>
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Nicolas Boichat <drinkcat@chromium.org>
+Cc: Quentin Perret <qperret@google.com>
+Cc: Jan Kiszka <jan.kiszka@siemens.com>
+Fixes: 8a5a75e5e9e5 ("of/fdt: Make sure no-map does not remove already reserved regions")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220107194233.2793146-1-swboyd@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/fdt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 65af475dfa950..7e868e5995b7e 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -482,9 +482,11 @@ static int __init early_init_dt_reserve_memory_arch(phys_addr_t base,
+       if (nomap) {
+               /*
+                * If the memory is already reserved (by another region), we
+-               * should not allow it to be marked nomap.
++               * should not allow it to be marked nomap, but don't worry
++               * if the region isn't memory as it won't be mapped.
+                */
+-              if (memblock_is_region_reserved(base, size))
++              if (memblock_overlaps_region(&memblock.memory, base, size) &&
++                  memblock_is_region_reserved(base, size))
+                       return -EBUSY;
+               return memblock_mark_nomap(base, size);
+-- 
+2.34.1
+
diff --git a/queue-5.16/of-unittest-64-bit-dma-address-test-requires-arch-su.patch b/queue-5.16/of-unittest-64-bit-dma-address-test-requires-arch-su.patch
new file mode 100644 (file)
index 0000000..6558495
--- /dev/null
@@ -0,0 +1,40 @@
+From a11f74e0ec0571907773c462c9578b6a90d0b6af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 16:18:52 -0600
+Subject: of: unittest: 64 bit dma address test requires arch support
+
+From: Frank Rowand <frank.rowand@sony.com>
+
+[ Upstream commit 9fd4cf5d3571b27d746b8ead494a3f051485b679 ]
+
+If an architecture does not support 64 bit dma addresses then testing
+for an expected dma address >= 0x100000000 will fail.
+
+Fixes: e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset")
+Signed-off-by: Frank Rowand <frank.rowand@sony.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20211212221852.233295-1-frowand.list@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 02c5cd06ad19c..35af4fedc15de 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -942,8 +942,9 @@ static void __init of_unittest_parse_dma_ranges(void)
+ {
+       of_unittest_dma_ranges_one("/testcase-data/address-tests/device@70000000",
+               0x0, 0x20000000);
+-      of_unittest_dma_ranges_one("/testcase-data/address-tests/bus@80000000/device@1000",
+-              0x100000000, 0x20000000);
++      if (IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT))
++              of_unittest_dma_ranges_one("/testcase-data/address-tests/bus@80000000/device@1000",
++                      0x100000000, 0x20000000);
+       of_unittest_dma_ranges_one("/testcase-data/address-tests/pci@90000000",
+               0x80000000, 0x20000000);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch b/queue-5.16/of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch
new file mode 100644 (file)
index 0000000..21e7708
--- /dev/null
@@ -0,0 +1,69 @@
+From acaeeb65ed3dc3937977326e76ff0eab4d7874af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 13:46:35 -0500
+Subject: of: unittest: fix warning on PowerPC frame size warning
+
+From: Jim Quinlan <jim2101024@gmail.com>
+
+[ Upstream commit a8d61a9112ad0c9216ab45d050991e07bc4f3408 ]
+
+The struct device variable "dev_bogus" was triggering this warning
+on a PowerPC build:
+
+    drivers/of/unittest.c: In function 'of_unittest_dma_ranges_one.constprop':
+    [...] >> The frame size of 1424 bytes is larger than 1024 bytes
+             [-Wframe-larger-than=]
+
+This variable is now dynamically allocated.
+
+Fixes: e0d072782c734 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jim Quinlan <jim2101024@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Frank Rowand <frank.rowand@sony.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20211210184636.7273-2-jim2101024@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 481ba8682ebf4..02c5cd06ad19c 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -911,11 +911,18 @@ static void __init of_unittest_dma_ranges_one(const char *path,
+       if (!rc) {
+               phys_addr_t     paddr;
+               dma_addr_t      dma_addr;
+-              struct device   dev_bogus;
++              struct device   *dev_bogus;
+-              dev_bogus.dma_range_map = map;
+-              paddr = dma_to_phys(&dev_bogus, expect_dma_addr);
+-              dma_addr = phys_to_dma(&dev_bogus, expect_paddr);
++              dev_bogus = kzalloc(sizeof(struct device), GFP_KERNEL);
++              if (!dev_bogus) {
++                      unittest(0, "kzalloc() failed\n");
++                      kfree(map);
++                      return;
++              }
++
++              dev_bogus->dma_range_map = map;
++              paddr = dma_to_phys(dev_bogus, expect_dma_addr);
++              dma_addr = phys_to_dma(dev_bogus, expect_paddr);
+               unittest(paddr == expect_paddr,
+                        "of_dma_get_range: wrong phys addr %pap (expecting %llx) on node %pOF\n",
+@@ -925,6 +932,7 @@ static void __init of_unittest_dma_ranges_one(const char *path,
+                        &dma_addr, expect_dma_addr, np);
+               kfree(map);
++              kfree(dev_bogus);
+       }
+       of_node_put(np);
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/openrisc-add-clone3-abi-wrapper.patch b/queue-5.16/openrisc-add-clone3-abi-wrapper.patch
new file mode 100644 (file)
index 0000000..dae4064
--- /dev/null
@@ -0,0 +1,63 @@
+From 6e09acca1d9c78ed1321c99dedf83e83148324c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 07:10:18 +0900
+Subject: openrisc: Add clone3 ABI wrapper
+
+From: Stafford Horne <shorne@gmail.com>
+
+[ Upstream commit 433fe39f674d58bc7a3e8254a5d2ffc290b7e04e ]
+
+Like fork and clone the clone3 syscall needs a wrapper to save callee
+saved registers, which is required by the OpenRISC ABI.  This came up
+after auditing code following a discussion with Rob Landley and Arnd
+Bergmann [0].
+
+Tested with the clone3 kselftests and there were no issues.
+
+[0] https://lore.kernel.org/all/41206fc7-f8ce-98aa-3718-ba3e1431e320@landley.net/T/#m9c0cdb2703813b9df4da04cf6b30de1f1aa89944
+
+Fixes: 07e83dfbe16c ("openrisc: Enable the clone3 syscall")
+Cc: Rob Landley <rob@landley.net>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/include/asm/syscalls.h | 2 ++
+ arch/openrisc/kernel/entry.S         | 5 +++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/arch/openrisc/include/asm/syscalls.h b/arch/openrisc/include/asm/syscalls.h
+index 3a7eeae6f56a8..aa1c7e98722e3 100644
+--- a/arch/openrisc/include/asm/syscalls.h
++++ b/arch/openrisc/include/asm/syscalls.h
+@@ -22,9 +22,11 @@ asmlinkage long sys_or1k_atomic(unsigned long type, unsigned long *v1,
+ asmlinkage long __sys_clone(unsigned long clone_flags, unsigned long newsp,
+                       void __user *parent_tid, void __user *child_tid, int tls);
++asmlinkage long __sys_clone3(struct clone_args __user *uargs, size_t size);
+ asmlinkage long __sys_fork(void);
+ #define sys_clone __sys_clone
++#define sys_clone3 __sys_clone3
+ #define sys_fork __sys_fork
+ #endif /* __ASM_OPENRISC_SYSCALLS_H */
+diff --git a/arch/openrisc/kernel/entry.S b/arch/openrisc/kernel/entry.S
+index 59c6d3aa7081e..dc5b45e9e72b5 100644
+--- a/arch/openrisc/kernel/entry.S
++++ b/arch/openrisc/kernel/entry.S
+@@ -1170,6 +1170,11 @@ ENTRY(__sys_clone)
+       l.j     _fork_save_extra_regs_and_call
+        l.nop
++ENTRY(__sys_clone3)
++      l.movhi r29,hi(sys_clone3)
++      l.j     _fork_save_extra_regs_and_call
++       l.ori  r29,r29,lo(sys_clone3)
++
+ ENTRY(__sys_fork)
+       l.movhi r29,hi(sys_fork)
+       l.ori   r29,r29,lo(sys_fork)
+-- 
+2.34.1
+
diff --git a/queue-5.16/parisc-avoid-calling-faulthandler_disabled-twice.patch b/queue-5.16/parisc-avoid-calling-faulthandler_disabled-twice.patch
new file mode 100644 (file)
index 0000000..b795aca
--- /dev/null
@@ -0,0 +1,53 @@
+From 21226058aaf26dbd3f88fb0ba88c20640ed07099 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 16:52:26 +0000
+Subject: parisc: Avoid calling faulthandler_disabled() twice
+
+From: John David Anglin <dave.anglin@bell.net>
+
+[ Upstream commit 9e9d4b460f23bab61672eae397417d03917d116c ]
+
+In handle_interruption(), we call faulthandler_disabled() to check whether the
+fault handler is not disabled. If the fault handler is disabled, we immediately
+call do_page_fault(). It then calls faulthandler_disabled(). If disabled,
+do_page_fault() attempts to fixup the exception by jumping to no_context:
+
+no_context:
+
+        if (!user_mode(regs) && fixup_exception(regs)) {
+                return;
+        }
+
+        parisc_terminate("Bad Address (null pointer deref?)", regs, code, address);
+
+Apart from the error messages, the two blocks of code perform the same
+function.
+
+We can avoid two calls to faulthandler_disabled() by a simple revision
+to the code in handle_interruption().
+
+Note: I didn't try to fix the formatting of this code block.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/traps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
+index 892b7fc8f3c45..eb41fece19104 100644
+--- a/arch/parisc/kernel/traps.c
++++ b/arch/parisc/kernel/traps.c
+@@ -785,7 +785,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
+            * unless pagefault_disable() was called before.
+            */
+-          if (fault_space == 0 && !faulthandler_disabled())
++          if (faulthandler_disabled() || fault_space == 0)
+           {
+               /* Clean up and return if in exception table. */
+               if (fixup_exception(regs))
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-aardvark-fix-checking-for-mem-resource-type.patch b/queue-5.16/pci-aardvark-fix-checking-for-mem-resource-type.patch
new file mode 100644 (file)
index 0000000..f60e10d
--- /dev/null
@@ -0,0 +1,53 @@
+From cbc2b4787ae02cc6da5e6d29376b2cab16746af5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 17:01:47 +0100
+Subject: PCI: aardvark: Fix checking for MEM resource type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2070b2ddea89f5b604fac3d27ade5cb6d19a5706 ]
+
+IORESOURCE_MEM_64 is not a resource type but a type flag.
+
+Remove incorrect check for type IORESOURCE_MEM_64.
+
+Link: https://lore.kernel.org/r/20211125160148.26029-2-kabel@kernel.org
+Fixes: 64f160e19e92 ("PCI: aardvark: Configure PCIe resources from 'ranges' DT property")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-aardvark.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c
+index c3b725afa11fd..e3001b3b32930 100644
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -1535,8 +1535,7 @@ static int advk_pcie_probe(struct platform_device *pdev)
+                * only PIO for issuing configuration transfers which does
+                * not use PCIe window configuration.
+                */
+-              if (type != IORESOURCE_MEM && type != IORESOURCE_MEM_64 &&
+-                  type != IORESOURCE_IO)
++              if (type != IORESOURCE_MEM && type != IORESOURCE_IO)
+                       continue;
+               /*
+@@ -1544,8 +1543,7 @@ static int advk_pcie_probe(struct platform_device *pdev)
+                * configuration is set to transparent memory access so it
+                * does not need window configuration.
+                */
+-              if ((type == IORESOURCE_MEM || type == IORESOURCE_MEM_64) &&
+-                  entry->offset == 0)
++              if (type == IORESOURCE_MEM && entry->offset == 0)
+                       continue;
+               /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-apple-fix-refclk1-enable-poll-logic.patch b/queue-5.16/pci-apple-fix-refclk1-enable-poll-logic.patch
new file mode 100644 (file)
index 0000000..80fb351
--- /dev/null
@@ -0,0 +1,51 @@
+From b75bb1c29c0f1fd920ca67d746407a79bb3abadd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 23:00:44 +0900
+Subject: PCI: apple: Fix REFCLK1 enable/poll logic
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 75d36df6807838f3c826c21c0fa51cdc079667d1 ]
+
+REFCLK1 has req/ack bits that need to be programmed, just like REFCLK0.
+
+Link: https://lore.kernel.org/r/20211117140044.193865-1-marcan@marcan.st
+Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up")
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-apple.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
+index b090924b41fee..537ac9fe2e842 100644
+--- a/drivers/pci/controller/pcie-apple.c
++++ b/drivers/pci/controller/pcie-apple.c
+@@ -42,8 +42,9 @@
+ #define   CORE_FABRIC_STAT_MASK               0x001F001F
+ #define CORE_LANE_CFG(port)           (0x84000 + 0x4000 * (port))
+ #define   CORE_LANE_CFG_REFCLK0REQ    BIT(0)
+-#define   CORE_LANE_CFG_REFCLK1               BIT(1)
++#define   CORE_LANE_CFG_REFCLK1REQ    BIT(1)
+ #define   CORE_LANE_CFG_REFCLK0ACK    BIT(2)
++#define   CORE_LANE_CFG_REFCLK1ACK    BIT(3)
+ #define   CORE_LANE_CFG_REFCLKEN      (BIT(9) | BIT(10))
+ #define CORE_LANE_CTL(port)           (0x84004 + 0x4000 * (port))
+ #define   CORE_LANE_CTL_CFGACC                BIT(15)
+@@ -482,9 +483,9 @@ static int apple_pcie_setup_refclk(struct apple_pcie *pcie,
+       if (res < 0)
+               return res;
+-      rmw_set(CORE_LANE_CFG_REFCLK1, pcie->base + CORE_LANE_CFG(port->idx));
++      rmw_set(CORE_LANE_CFG_REFCLK1REQ, pcie->base + CORE_LANE_CFG(port->idx));
+       res = readl_relaxed_poll_timeout(pcie->base + CORE_LANE_CFG(port->idx),
+-                                       stat, stat & CORE_LANE_CFG_REFCLK1,
++                                       stat, stat & CORE_LANE_CFG_REFCLK1ACK,
+                                        100, 50000);
+       if (res < 0)
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-dwc-do-not-remap-invalid-res.patch b/queue-5.16/pci-dwc-do-not-remap-invalid-res.patch
new file mode 100644 (file)
index 0000000..cdb4954
--- /dev/null
@@ -0,0 +1,49 @@
+From 5910e2a45ef3449554d1763eeb895a21ae501623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 11:02:43 -0700
+Subject: PCI: dwc: Do not remap invalid res
+
+From: Tim Harvey <tharvey@gateworks.com>
+
+[ Upstream commit 6e5ebc96ec651b67131f816d7e3bf286c635e749 ]
+
+On imx6 and perhaps others when pcie probes you get a:
+imx6q-pcie 33800000.pcie: invalid resource
+
+This occurs because the atu is not specified in the DT and as such it
+should not be remapped.
+
+Link: https://lore.kernel.org/r/20211101180243.23761-1-tharvey@gateworks.com
+Fixes: 281f1f99cf3a ("PCI: dwc: Detect number of iATU windows")
+Signed-off-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Acked-by: Richard Zhu <hongxing.zhu@nxp.com>
+Cc: Richard Zhu <hongxing.zhu@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-designware.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
+index 850b4533f4ef5..d92c8a25094fa 100644
+--- a/drivers/pci/controller/dwc/pcie-designware.c
++++ b/drivers/pci/controller/dwc/pcie-designware.c
+@@ -672,10 +672,11 @@ void dw_pcie_iatu_detect(struct dw_pcie *pci)
+               if (!pci->atu_base) {
+                       struct resource *res =
+                               platform_get_resource_byname(pdev, IORESOURCE_MEM, "atu");
+-                      if (res)
++                      if (res) {
+                               pci->atu_size = resource_size(res);
+-                      pci->atu_base = devm_ioremap_resource(dev, res);
+-                      if (IS_ERR(pci->atu_base))
++                              pci->atu_base = devm_ioremap_resource(dev, res);
++                      }
++                      if (!pci->atu_base || IS_ERR(pci->atu_base))
+                               pci->atu_base = pci->dbi_base + DEFAULT_DBI_ATU_OFFSET;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mediatek-gen3-disable-dvfsrc-voltage-request.patch b/queue-5.16/pci-mediatek-gen3-disable-dvfsrc-voltage-request.patch
new file mode 100644 (file)
index 0000000..103798b
--- /dev/null
@@ -0,0 +1,59 @@
+From e954731e011f2deb62992b72ccd7e487bca4ca87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Oct 2021 14:36:02 +0800
+Subject: PCI: mediatek-gen3: Disable DVFSRC voltage request
+
+From: Jianjun Wang <jianjun.wang@mediatek.com>
+
+[ Upstream commit ab344fd43f2958726d17d651c0cb692c67dca382 ]
+
+When the DVFSRC (dynamic voltage and frequency scaling resource collector)
+feature is not implemented, the PCIe hardware will assert a voltage request
+signal when exit from the L1 PM Substates to request a specific Vcore
+voltage, but cannot receive the voltage ready signal, which will cause
+the link to fail to exit the L1 PM Substates.
+
+Disable DVFSRC voltage request by default, we need to find a common way to
+enable it in the future.
+
+Link: https://lore.kernel.org/r/20211015063602.29058-1-jianjun.wang@mediatek.com
+Fixes: d3bf75b579b9 ("PCI: mediatek-gen3: Add MediaTek Gen3 driver for MT8192")
+Tested-by: Qizhong Cheng <qizhong.cheng@mediatek.com>
+Signed-off-by: Jianjun Wang <jianjun.wang@mediatek.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Tzung-Bi Shih <tzungbi@google.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-mediatek-gen3.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/controller/pcie-mediatek-gen3.c b/drivers/pci/controller/pcie-mediatek-gen3.c
+index 17c59b0d6978b..21207df680ccf 100644
+--- a/drivers/pci/controller/pcie-mediatek-gen3.c
++++ b/drivers/pci/controller/pcie-mediatek-gen3.c
+@@ -79,6 +79,9 @@
+ #define PCIE_ICMD_PM_REG              0x198
+ #define PCIE_TURN_OFF_LINK            BIT(4)
++#define PCIE_MISC_CTRL_REG            0x348
++#define PCIE_DISABLE_DVFSRC_VLT_REQ   BIT(1)
++
+ #define PCIE_TRANS_TABLE_BASE_REG     0x800
+ #define PCIE_ATR_SRC_ADDR_MSB_OFFSET  0x4
+ #define PCIE_ATR_TRSL_ADDR_LSB_OFFSET 0x8
+@@ -297,6 +300,11 @@ static int mtk_pcie_startup_port(struct mtk_pcie_port *port)
+       val &= ~PCIE_INTX_ENABLE;
+       writel_relaxed(val, port->base + PCIE_INT_ENABLE_REG);
++      /* Disable DVFSRC voltage request */
++      val = readl_relaxed(port->base + PCIE_MISC_CTRL_REG);
++      val |= PCIE_DISABLE_DVFSRC_VLT_REQ;
++      writel_relaxed(val, port->base + PCIE_MISC_CTRL_REG);
++
+       /* Assert all reset signals */
+       val = readl_relaxed(port->base + PCIE_RST_CTRL_REG);
+       val |= PCIE_MAC_RSTB | PCIE_PHY_RSTB | PCIE_BRG_RSTB | PCIE_PE_RSTB;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch b/queue-5.16/pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch
new file mode 100644 (file)
index 0000000..e3e985b
--- /dev/null
@@ -0,0 +1,97 @@
+From 191eef20b774a6d29fd9fd79e296c148842dff54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 23:27:26 +0100
+Subject: PCI/MSI: Fix pci_irq_vector()/pci_irq_get_affinity()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 29bbc35e29d9b6347780dcacde2deb4b39344167 ]
+
+pci_irq_vector() and pci_irq_get_affinity() use the list position to find the
+MSI-X descriptor at a given index. That's correct for the normal case where
+the entry number is the same as the list position.
+
+But it's wrong for cases where MSI-X was allocated with an entries array
+describing sparse entry numbers into the hardware message descriptor
+table. That's inconsistent at best.
+
+Make it always check the entry number because that's what the zero base
+index really means. This change won't break existing users which use a
+sparse entries array for allocation because these users retrieve the Linux
+interrupt number from the entries array after allocation and none of them
+uses pci_irq_vector() or pci_irq_get_affinity().
+
+Fixes: aff171641d18 ("PCI: Provide sensible IRQ vector alloc/free routines")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20211206210223.929792157@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/msi.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
+index d84cf30bb2790..8465221be6d21 100644
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -1194,19 +1194,24 @@ EXPORT_SYMBOL(pci_free_irq_vectors);
+ /**
+  * pci_irq_vector - return Linux IRQ number of a device vector
+- * @dev: PCI device to operate on
+- * @nr: device-relative interrupt vector index (0-based).
++ * @dev:      PCI device to operate on
++ * @nr:               Interrupt vector index (0-based)
++ *
++ * @nr has the following meanings depending on the interrupt mode:
++ *   MSI-X:   The index in the MSI-X vector table
++ *   MSI:     The index of the enabled MSI vectors
++ *   INTx:    Must be 0
++ *
++ * Return: The Linux interrupt number or -EINVAl if @nr is out of range.
+  */
+ int pci_irq_vector(struct pci_dev *dev, unsigned int nr)
+ {
+       if (dev->msix_enabled) {
+               struct msi_desc *entry;
+-              int i = 0;
+               for_each_pci_msi_entry(entry, dev) {
+-                      if (i == nr)
++                      if (entry->msi_attrib.entry_nr == nr)
+                               return entry->irq;
+-                      i++;
+               }
+               WARN_ON_ONCE(1);
+               return -EINVAL;
+@@ -1230,17 +1235,22 @@ EXPORT_SYMBOL(pci_irq_vector);
+  * pci_irq_get_affinity - return the affinity of a particular MSI vector
+  * @dev:      PCI device to operate on
+  * @nr:               device-relative interrupt vector index (0-based).
++ *
++ * @nr has the following meanings depending on the interrupt mode:
++ *   MSI-X:   The index in the MSI-X vector table
++ *   MSI:     The index of the enabled MSI vectors
++ *   INTx:    Must be 0
++ *
++ * Return: A cpumask pointer or NULL if @nr is out of range
+  */
+ const struct cpumask *pci_irq_get_affinity(struct pci_dev *dev, int nr)
+ {
+       if (dev->msix_enabled) {
+               struct msi_desc *entry;
+-              int i = 0;
+               for_each_pci_msi_entry(entry, dev) {
+-                      if (i == nr)
++                      if (entry->msi_attrib.entry_nr == nr)
+                               return &entry->affinity->mask;
+-                      i++;
+               }
+               WARN_ON_ONCE(1);
+               return NULL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mt7621-add-missing-module_license.patch b/queue-5.16/pci-mt7621-add-missing-module_license.patch
new file mode 100644 (file)
index 0000000..d7aa165
--- /dev/null
@@ -0,0 +1,43 @@
+From 4b6bc149e058cd981935ce0f9d9e4462aa329d48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 11:49:23 +0100
+Subject: PCI: mt7621: Add missing MODULE_LICENSE()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+
+[ Upstream commit e4b1cd02dc8d7967a79edccd510724831e5cdee8 ]
+
+The MT7621 PCIe host controller driver can be built as a module, but it
+lacks a MODULE_LICENSE(), which causes a build error:
+
+  ERROR: modpost: missing MODULE_LICENSE() in drivers/pci/controller/pcie-mt7621.o
+
+Add MODULE_LICENSE() to the driver.
+
+Fixes: 2bdd5238e756 ("PCI: mt7621: Add MediaTek MT7621 PCIe host controller driver")
+Link: https://lore.kernel.org/r/20211207104924.21327-5-sergio.paracuellos@gmail.com
+Signed-off-by: Yanteng Si <siyanteng@loongson.cn>
+Signed-off-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Krzysztof Wilczyński <kw@linux.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-mt7621.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pci/controller/pcie-mt7621.c b/drivers/pci/controller/pcie-mt7621.c
+index b60dfb45ef7bd..73b91315c1656 100644
+--- a/drivers/pci/controller/pcie-mt7621.c
++++ b/drivers/pci/controller/pcie-mt7621.c
+@@ -598,3 +598,5 @@ static struct platform_driver mt7621_pci_driver = {
+       },
+ };
+ builtin_platform_driver(mt7621_pci_driver);
++
++MODULE_LICENSE("GPL v2");
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-check-for-errors-from-pci_bridge_emul_init.patch b/queue-5.16/pci-mvebu-check-for-errors-from-pci_bridge_emul_init.patch
new file mode 100644 (file)
index 0000000..853cc1c
--- /dev/null
@@ -0,0 +1,68 @@
+From ebb7ff622e8dbffb16f4e004168f1232823aefc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:45:52 +0100
+Subject: PCI: mvebu: Check for errors from pci_bridge_emul_init() call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 5d18d702e5c9309f4195653475c7a7fdde4ca71f ]
+
+Function pci_bridge_emul_init() may fail so correctly check for errors.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-3-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index ed13e81cd691d..e6d63ad4d23b8 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -570,7 +570,7 @@ static struct pci_bridge_emul_ops mvebu_pci_bridge_emul_ops = {
+  * Initialize the configuration space of the PCI-to-PCI bridge
+  * associated with the given PCIe interface.
+  */
+-static void mvebu_pci_bridge_emul_init(struct mvebu_pcie_port *port)
++static int mvebu_pci_bridge_emul_init(struct mvebu_pcie_port *port)
+ {
+       struct pci_bridge_emul *bridge = &port->bridge;
+@@ -589,7 +589,7 @@ static void mvebu_pci_bridge_emul_init(struct mvebu_pcie_port *port)
+       bridge->data = port;
+       bridge->ops = &mvebu_pci_bridge_emul_ops;
+-      pci_bridge_emul_init(bridge, PCI_BRIDGE_EMUL_NO_PREFETCHABLE_BAR);
++      return pci_bridge_emul_init(bridge, PCI_BRIDGE_EMUL_NO_PREFETCHABLE_BAR);
+ }
+ static inline struct mvebu_pcie *sys_to_pcie(struct pci_sys_data *sys)
+@@ -1112,9 +1112,18 @@ static int mvebu_pcie_probe(struct platform_device *pdev)
+                       continue;
+               }
++              ret = mvebu_pci_bridge_emul_init(port);
++              if (ret < 0) {
++                      dev_err(dev, "%s: cannot init emulated bridge\n",
++                              port->name);
++                      devm_iounmap(dev, port->base);
++                      port->base = NULL;
++                      mvebu_pcie_powerdown(port);
++                      continue;
++              }
++
+               mvebu_pcie_setup_hw(port);
+               mvebu_pcie_set_local_dev_nr(port, 1);
+-              mvebu_pci_bridge_emul_init(port);
+       }
+       pcie->nports = i;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-do-not-modify-pci-io-type-bits-in-conf_wri.patch b/queue-5.16/pci-mvebu-do-not-modify-pci-io-type-bits-in-conf_wri.patch
new file mode 100644 (file)
index 0000000..3c379ba
--- /dev/null
@@ -0,0 +1,51 @@
+From f3e34cd5a5eab4e84145f41cd5f9310d10c33d45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:45:57 +0100
+Subject: PCI: mvebu: Do not modify PCI IO type bits in conf_write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2cf150216e5b5619d7c25180ccf2cc8ac7bebc13 ]
+
+PCI IO type bits are already initialized in mvebu_pci_bridge_emul_init()
+function and only when IO support is enabled. These type bits are read-only
+and pci-bridge-emul.c code already does not allow to modify them from upper
+layers.
+
+When IO support is disabled then all IO registers should be read-only and
+return zeros. Therefore do not modify PCI IO type bits in
+mvebu_pci_bridge_emul_base_conf_write() callback.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-8-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index e6d63ad4d23b8..beae555b06bbc 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -497,13 +497,6 @@ mvebu_pci_bridge_emul_base_conf_write(struct pci_bridge_emul *bridge,
+       }
+       case PCI_IO_BASE:
+-              /*
+-               * We keep bit 1 set, it is a read-only bit that
+-               * indicates we support 32 bits addressing for the
+-               * I/O
+-               */
+-              conf->iobase |= PCI_IO_RANGE_TYPE_32;
+-              conf->iolimit |= PCI_IO_RANGE_TYPE_32;
+               mvebu_pcie_handle_iobase_change(port);
+               break;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-fix-configuring-secondary-bus-of-pcie-root.patch b/queue-5.16/pci-mvebu-fix-configuring-secondary-bus-of-pcie-root.patch
new file mode 100644 (file)
index 0000000..9a7ab55
--- /dev/null
@@ -0,0 +1,178 @@
+From 2c81e6eb5c2c167c386b63ec7ee7eb6d66241015 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:46:01 +0100
+Subject: PCI: mvebu: Fix configuring secondary bus of PCIe Root Port via
+ emulated bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 91a8d79fc797d3486ae978beebdfc55261c7d65b ]
+
+It looks like that mvebu PCIe controller has for each PCIe link fully
+independent PCIe host bridge and so every PCIe Root Port is isolated not
+only on its own bus but also isolated from each others. But in past device
+tree structure was defined to put all PCIe Root Ports (as PCI Bridge
+devices) into one root bus 0 and this bus is emulated by pci-mvebu.c
+driver.
+
+Probably reason for this decision was incorrect understanding of PCIe
+topology of these Armada SoCs and also reason of misunderstanding how is
+PCIe controller generating Type 0 and Type 1 config requests (it is fully
+different compared to other drivers). Probably incorrect setup leaded to
+very surprised things like having PCIe Root Port (PCI Bridge device, with
+even incorrect Device Class set to Memory Controller) and the PCIe device
+behind the Root Port on the same PCI bus, which obviously was needed to
+somehow hack (as these two devices cannot be in reality on the same bus).
+
+Properly set mvebu local bus number and mvebu local device number based on
+PCI Bridge secondary bus number configuration. Also correctly report
+configured secondary bus number in config space. And explain in driver
+comment why this setup is correct.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-12-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 99 +++++++++++++++++++++++++++++-
+ 1 file changed, 97 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index 326527f2d6f41..abed58db56877 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -125,6 +125,11 @@ static bool mvebu_pcie_link_up(struct mvebu_pcie_port *port)
+       return !(mvebu_readl(port, PCIE_STAT_OFF) & PCIE_STAT_LINK_DOWN);
+ }
++static u8 mvebu_pcie_get_local_bus_nr(struct mvebu_pcie_port *port)
++{
++      return (mvebu_readl(port, PCIE_STAT_OFF) & PCIE_STAT_BUS) >> 8;
++}
++
+ static void mvebu_pcie_set_local_bus_nr(struct mvebu_pcie_port *port, int nr)
+ {
+       u32 stat;
+@@ -437,6 +442,20 @@ mvebu_pci_bridge_emul_base_conf_read(struct pci_bridge_emul *bridge,
+               *value = mvebu_readl(port, PCIE_CMD_OFF);
+               break;
++      case PCI_PRIMARY_BUS: {
++              /*
++               * From the whole 32bit register we support reading from HW only
++               * secondary bus number which is mvebu local bus number.
++               * Other bits are retrieved only from emulated config buffer.
++               */
++              __le32 *cfgspace = (__le32 *)&bridge->conf;
++              u32 val = le32_to_cpu(cfgspace[PCI_PRIMARY_BUS / 4]);
++              val &= ~0xff00;
++              val |= mvebu_pcie_get_local_bus_nr(port) << 8;
++              *value = val;
++              break;
++      }
++
+       default:
+               return PCI_BRIDGE_EMUL_NOT_HANDLED;
+       }
+@@ -520,7 +539,8 @@ mvebu_pci_bridge_emul_base_conf_write(struct pci_bridge_emul *bridge,
+               break;
+       case PCI_PRIMARY_BUS:
+-              mvebu_pcie_set_local_bus_nr(port, conf->secondary_bus);
++              if (mask & 0xff00)
++                      mvebu_pcie_set_local_bus_nr(port, conf->secondary_bus);
+               break;
+       default:
+@@ -1127,8 +1147,83 @@ static int mvebu_pcie_probe(struct platform_device *pdev)
+                       continue;
+               }
++              /*
++               * PCIe topology exported by mvebu hw is quite complicated. In
++               * reality has something like N fully independent host bridges
++               * where each host bridge has one PCIe Root Port (which acts as
++               * PCI Bridge device). Each host bridge has its own independent
++               * internal registers, independent access to PCI config space,
++               * independent interrupt lines, independent window and memory
++               * access configuration. But additionally there is some kind of
++               * peer-to-peer support between PCIe devices behind different
++               * host bridges limited just to forwarding of memory and I/O
++               * transactions (forwarding of error messages and config cycles
++               * is not supported). So we could say there are N independent
++               * PCIe Root Complexes.
++               *
++               * For this kind of setup DT should have been structured into
++               * N independent PCIe controllers / host bridges. But instead
++               * structure in past was defined to put PCIe Root Ports of all
++               * host bridges into one bus zero, like in classic multi-port
++               * Root Complex setup with just one host bridge.
++               *
++               * This means that pci-mvebu.c driver provides "virtual" bus 0
++               * on which registers all PCIe Root Ports (PCI Bridge devices)
++               * specified in DT by their BDF addresses and virtually routes
++               * PCI config access of each PCI bridge device to specific PCIe
++               * host bridge.
++               *
++               * Normally PCI Bridge should choose between Type 0 and Type 1
++               * config requests based on primary and secondary bus numbers
++               * configured on the bridge itself. But because mvebu PCI Bridge
++               * does not have registers for primary and secondary bus numbers
++               * in its config space, it determinates type of config requests
++               * via its own custom way.
++               *
++               * There are two options how mvebu determinate type of config
++               * request.
++               *
++               * 1. If Secondary Bus Number Enable bit is not set or is not
++               * available (applies for pre-XP PCIe controllers) then Type 0
++               * is used if target bus number equals Local Bus Number (bits
++               * [15:8] in register 0x1a04) and target device number differs
++               * from Local Device Number (bits [20:16] in register 0x1a04).
++               * Type 1 is used if target bus number differs from Local Bus
++               * Number. And when target bus number equals Local Bus Number
++               * and target device equals Local Device Number then request is
++               * routed to Local PCI Bridge (PCIe Root Port).
++               *
++               * 2. If Secondary Bus Number Enable bit is set (bit 7 in
++               * register 0x1a2c) then mvebu hw determinate type of config
++               * request like compliant PCI Bridge based on primary bus number
++               * which is configured via Local Bus Number (bits [15:8] in
++               * register 0x1a04) and secondary bus number which is configured
++               * via Secondary Bus Number (bits [7:0] in register 0x1a2c).
++               * Local PCI Bridge (PCIe Root Port) is available on primary bus
++               * as device with Local Device Number (bits [20:16] in register
++               * 0x1a04).
++               *
++               * Secondary Bus Number Enable bit is disabled by default and
++               * option 2. is not available on pre-XP PCIe controllers. Hence
++               * this driver always use option 1.
++               *
++               * Basically it means that primary and secondary buses shares
++               * one virtual number configured via Local Bus Number bits and
++               * Local Device Number bits determinates if accessing primary
++               * or secondary bus. Set Local Device Number to 1 and redirect
++               * all writes of PCI Bridge Secondary Bus Number register to
++               * Local Bus Number (bits [15:8] in register 0x1a04).
++               *
++               * So when accessing devices on buses behind secondary bus
++               * number it would work correctly. And also when accessing
++               * device 0 at secondary bus number via config space would be
++               * correctly routed to secondary bus. Due to issues described
++               * in mvebu_pcie_setup_hw(), PCI Bridges at primary bus (zero)
++               * are not accessed directly via PCI config space but rarher
++               * indirectly via kernel emulated PCI bridge driver.
++               */
+               mvebu_pcie_setup_hw(port);
+-              mvebu_pcie_set_local_dev_nr(port, 1);
++              mvebu_pcie_set_local_dev_nr(port, 0);
+       }
+       pcie->nports = i;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-fix-support-for-bus-mastering-and-pci_comm.patch b/queue-5.16/pci-mvebu-fix-support-for-bus-mastering-and-pci_comm.patch
new file mode 100644 (file)
index 0000000..16558ff
--- /dev/null
@@ -0,0 +1,139 @@
+From ac9db9aad40fffcd068c9c628c77d17c07ea4614 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:45:56 +0100
+Subject: PCI: mvebu: Fix support for bus mastering and PCI_COMMAND on emulated
+ bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit e42b85583719adb87ab88dc7bcd41b38011f7d11 ]
+
+According to PCI specifications bits [0:2] of Command Register, this should
+be by default disabled on reset. So explicitly disable these bits at early
+beginning of driver initialization.
+
+Also remove code which unconditionally enables all 3 bits and let kernel
+code (via pci_set_master() function) to handle bus mastering of PCI Bridge
+via emulated PCI_COMMAND on emulated bridge.
+
+Adjust existing functions mvebu_pcie_handle_iobase_change() and
+mvebu_pcie_handle_membase_change() to handle PCI_IO_BASE and PCI_MEM_BASE
+registers correctly even when bus mastering on emulated bridge is disabled.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-7-pali@kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 52 ++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index beae555b06bbc..326527f2d6f41 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -215,16 +215,14 @@ static void mvebu_pcie_setup_hw(struct mvebu_pcie_port *port)
+ {
+       u32 cmd, mask;
+-      /* Point PCIe unit MBUS decode windows to DRAM space. */
+-      mvebu_pcie_setup_wins(port);
+-
+-      /* Master + slave enable. */
++      /* Disable Root Bridge I/O space, memory space and bus mastering. */
+       cmd = mvebu_readl(port, PCIE_CMD_OFF);
+-      cmd |= PCI_COMMAND_IO;
+-      cmd |= PCI_COMMAND_MEMORY;
+-      cmd |= PCI_COMMAND_MASTER;
++      cmd &= ~(PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER);
+       mvebu_writel(port, cmd, PCIE_CMD_OFF);
++      /* Point PCIe unit MBUS decode windows to DRAM space. */
++      mvebu_pcie_setup_wins(port);
++
+       /* Enable interrupt lines A-D. */
+       mask = mvebu_readl(port, PCIE_MASK_OFF);
+       mask |= PCIE_MASK_ENABLE_INTS;
+@@ -371,8 +369,7 @@ static void mvebu_pcie_handle_iobase_change(struct mvebu_pcie_port *port)
+       /* Are the new iobase/iolimit values invalid? */
+       if (conf->iolimit < conf->iobase ||
+-          conf->iolimitupper < conf->iobaseupper ||
+-          !(conf->command & PCI_COMMAND_IO)) {
++          conf->iolimitupper < conf->iobaseupper) {
+               mvebu_pcie_set_window(port, port->io_target, port->io_attr,
+                                     &desired, &port->iowin);
+               return;
+@@ -409,8 +406,7 @@ static void mvebu_pcie_handle_membase_change(struct mvebu_pcie_port *port)
+       struct pci_bridge_emul_conf *conf = &port->bridge.conf;
+       /* Are the new membase/memlimit values invalid? */
+-      if (conf->memlimit < conf->membase ||
+-          !(conf->command & PCI_COMMAND_MEMORY)) {
++      if (conf->memlimit < conf->membase) {
+               mvebu_pcie_set_window(port, port->mem_target, port->mem_attr,
+                                     &desired, &port->memwin);
+               return;
+@@ -430,6 +426,24 @@ static void mvebu_pcie_handle_membase_change(struct mvebu_pcie_port *port)
+                             &port->memwin);
+ }
++static pci_bridge_emul_read_status_t
++mvebu_pci_bridge_emul_base_conf_read(struct pci_bridge_emul *bridge,
++                                   int reg, u32 *value)
++{
++      struct mvebu_pcie_port *port = bridge->data;
++
++      switch (reg) {
++      case PCI_COMMAND:
++              *value = mvebu_readl(port, PCIE_CMD_OFF);
++              break;
++
++      default:
++              return PCI_BRIDGE_EMUL_NOT_HANDLED;
++      }
++
++      return PCI_BRIDGE_EMUL_HANDLED;
++}
++
+ static pci_bridge_emul_read_status_t
+ mvebu_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge,
+                                    int reg, u32 *value)
+@@ -484,17 +498,14 @@ mvebu_pci_bridge_emul_base_conf_write(struct pci_bridge_emul *bridge,
+       switch (reg) {
+       case PCI_COMMAND:
+-      {
+-              if (!mvebu_has_ioport(port))
+-                      conf->command &= ~PCI_COMMAND_IO;
+-
+-              if ((old ^ new) & PCI_COMMAND_IO)
+-                      mvebu_pcie_handle_iobase_change(port);
+-              if ((old ^ new) & PCI_COMMAND_MEMORY)
+-                      mvebu_pcie_handle_membase_change(port);
++              if (!mvebu_has_ioport(port)) {
++                      conf->command = cpu_to_le16(
++                              le16_to_cpu(conf->command) & ~PCI_COMMAND_IO);
++                      new &= ~PCI_COMMAND_IO;
++              }
++              mvebu_writel(port, new, PCIE_CMD_OFF);
+               break;
+-      }
+       case PCI_IO_BASE:
+               mvebu_pcie_handle_iobase_change(port);
+@@ -554,6 +565,7 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge,
+ }
+ static struct pci_bridge_emul_ops mvebu_pci_bridge_emul_ops = {
++      .read_base = mvebu_pci_bridge_emul_base_conf_read,
+       .write_base = mvebu_pci_bridge_emul_base_conf_write,
+       .read_pcie = mvebu_pci_bridge_emul_pcie_conf_read,
+       .write_pcie = mvebu_pci_bridge_emul_pcie_conf_write,
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-fix-support-for-devcap2-devctl2-and-lnkctl.patch b/queue-5.16/pci-mvebu-fix-support-for-devcap2-devctl2-and-lnkctl.patch
new file mode 100644 (file)
index 0000000..968f628
--- /dev/null
@@ -0,0 +1,72 @@
+From 0e0f775adeaaaffc48120db0e17520ea5aaa78e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:46:05 +0100
+Subject: PCI: mvebu: Fix support for DEVCAP2, DEVCTL2 and LNKCTL2 registers on
+ emulated bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 4ab34548c55fbbb3898306a47dfaccd4860e1ccb ]
+
+Armada XP and new hardware supports access to DEVCAP2, DEVCTL2 and LNKCTL2
+configuration registers of PCIe core via PCIE_CAP_PCIEXP. So export them
+via emulated software root bridge.
+
+Pre-XP hardware does not support these registers and returns zeros.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-16-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index 618c34e8879ec..ffcbb8d1d09d5 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -524,6 +524,18 @@ mvebu_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge,
+               *value = mvebu_readl(port, PCIE_RC_RTSTA);
+               break;
++      case PCI_EXP_DEVCAP2:
++              *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCAP2);
++              break;
++
++      case PCI_EXP_DEVCTL2:
++              *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL2);
++              break;
++
++      case PCI_EXP_LNKCTL2:
++              *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_LNKCTL2);
++              break;
++
+       default:
+               return PCI_BRIDGE_EMUL_NOT_HANDLED;
+       }
+@@ -615,6 +627,17 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge,
+               if (new & PCI_EXP_RTSTA_PME)
+                       mvebu_writel(port, ~PCIE_INT_PM_PME, PCIE_INT_CAUSE_OFF);
+               break;
++
++      case PCI_EXP_DEVCTL2:
++              mvebu_writel(port, new, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL2);
++              break;
++
++      case PCI_EXP_LNKCTL2:
++              mvebu_writel(port, new, PCIE_CAP_PCIEXP + PCI_EXP_LNKCTL2);
++              break;
++
++      default:
++              break;
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-fix-support-for-pci_bridge_ctl_bus_reset-o.patch b/queue-5.16/pci-mvebu-fix-support-for-pci_bridge_ctl_bus_reset-o.patch
new file mode 100644 (file)
index 0000000..c55e9a8
--- /dev/null
@@ -0,0 +1,85 @@
+From 718234fc072207b14eb3f6301ed91426f1151e64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:46:02 +0100
+Subject: PCI: mvebu: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated
+ bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit d75404cc08832206f173668bd35391c581fea121 ]
+
+Hardware supports PCIe Hot Reset via PCIE_CTRL_OFF register. Use it for
+implementing PCI_BRIDGE_CTL_BUS_RESET bit of PCI_BRIDGE_CONTROL register on
+emulated bridge.
+
+With this change the function pci_reset_secondary_bus() starts working and
+can reset connected PCIe card.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-13-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index f279471e340ee..aaf6a226f6dba 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -56,6 +56,7 @@
+ #define PCIE_CTRL_OFF         0x1a00
+ #define  PCIE_CTRL_X1_MODE            0x0001
+ #define  PCIE_CTRL_RC_MODE            BIT(1)
++#define  PCIE_CTRL_MASTER_HOT_RESET   BIT(24)
+ #define PCIE_STAT_OFF         0x1a04
+ #define  PCIE_STAT_BUS                  0xff00
+ #define  PCIE_STAT_DEV                  0x1f0000
+@@ -462,6 +463,22 @@ mvebu_pci_bridge_emul_base_conf_read(struct pci_bridge_emul *bridge,
+               break;
+       }
++      case PCI_INTERRUPT_LINE: {
++              /*
++               * From the whole 32bit register we support reading from HW only
++               * one bit: PCI_BRIDGE_CTL_BUS_RESET.
++               * Other bits are retrieved only from emulated config buffer.
++               */
++              __le32 *cfgspace = (__le32 *)&bridge->conf;
++              u32 val = le32_to_cpu(cfgspace[PCI_INTERRUPT_LINE / 4]);
++              if (mvebu_readl(port, PCIE_CTRL_OFF) & PCIE_CTRL_MASTER_HOT_RESET)
++                      val |= PCI_BRIDGE_CTL_BUS_RESET << 16;
++              else
++                      val &= ~(PCI_BRIDGE_CTL_BUS_RESET << 16);
++              *value = val;
++              break;
++      }
++
+       default:
+               return PCI_BRIDGE_EMUL_NOT_HANDLED;
+       }
+@@ -549,6 +566,17 @@ mvebu_pci_bridge_emul_base_conf_write(struct pci_bridge_emul *bridge,
+                       mvebu_pcie_set_local_bus_nr(port, conf->secondary_bus);
+               break;
++      case PCI_INTERRUPT_LINE:
++              if (mask & (PCI_BRIDGE_CTL_BUS_RESET << 16)) {
++                      u32 ctrl = mvebu_readl(port, PCIE_CTRL_OFF);
++                      if (new & (PCI_BRIDGE_CTL_BUS_RESET << 16))
++                              ctrl |= PCIE_CTRL_MASTER_HOT_RESET;
++                      else
++                              ctrl &= ~PCIE_CTRL_MASTER_HOT_RESET;
++                      mvebu_writel(port, ctrl, PCIE_CTRL_OFF);
++              }
++              break;
++
+       default:
+               break;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-fix-support-for-pci_exp_devctl-on-emulated.patch b/queue-5.16/pci-mvebu-fix-support-for-pci_exp_devctl-on-emulated.patch
new file mode 100644 (file)
index 0000000..ecaf41f
--- /dev/null
@@ -0,0 +1,57 @@
+From 75c7ec9b5ea742fbcc69a41ca73fd051afa4d725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:46:03 +0100
+Subject: PCI: mvebu: Fix support for PCI_EXP_DEVCTL on emulated bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit ecae073e393e65ee7be7ebf3fdd5258ab99f1636 ]
+
+Comment in Armada 370 functional specification is misleading.
+PCI_EXP_DEVCTL_*RE bits are supported and configures receiving of error
+interrupts.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-14-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index aaf6a226f6dba..0052e83c95de9 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -498,9 +498,7 @@ mvebu_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge,
+               break;
+       case PCI_EXP_DEVCTL:
+-              *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL) &
+-                               ~(PCI_EXP_DEVCTL_URRE | PCI_EXP_DEVCTL_FERE |
+-                                 PCI_EXP_DEVCTL_NFERE | PCI_EXP_DEVCTL_CERE);
++              *value = mvebu_readl(port, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL);
+               break;
+       case PCI_EXP_LNKCAP:
+@@ -590,13 +588,6 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge,
+       switch (reg) {
+       case PCI_EXP_DEVCTL:
+-              /*
+-               * Armada370 data says these bits must always
+-               * be zero when in root complex mode.
+-               */
+-              new &= ~(PCI_EXP_DEVCTL_URRE | PCI_EXP_DEVCTL_FERE |
+-                       PCI_EXP_DEVCTL_NFERE | PCI_EXP_DEVCTL_CERE);
+-
+               mvebu_writel(port, new, PCIE_CAP_PCIEXP + PCI_EXP_DEVCTL);
+               break;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-fix-support-for-pci_exp_rtsta-on-emulated-.patch b/queue-5.16/pci-mvebu-fix-support-for-pci_exp_rtsta-on-emulated-.patch
new file mode 100644 (file)
index 0000000..b6691b1
--- /dev/null
@@ -0,0 +1,57 @@
+From 9f4cf6602aab62f04e1d23d46d21550177977e2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:46:04 +0100
+Subject: PCI: mvebu: Fix support for PCI_EXP_RTSTA on emulated bridge
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 838ff44a398ff47fe9b924961d91aee325821220 ]
+
+PME Status bit in Root Status Register (PCIE_RC_RTSTA_OFF) is read-only and
+can be cleared only by writing 0b to the Interrupt Cause RW0C register
+(PCIE_INT_CAUSE_OFF).
+
+Link: https://lore.kernel.org/r/20211125124605.25915-15-pali@kernel.org
+Fixes: 1f08673eef12 ("PCI: mvebu: Convert to PCI emulated bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index 0052e83c95de9..618c34e8879ec 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -51,6 +51,8 @@
+        PCIE_CONF_FUNC(PCI_FUNC(devfn)) | PCIE_CONF_REG(where) | \
+        PCIE_CONF_ADDR_EN)
+ #define PCIE_CONF_DATA_OFF    0x18fc
++#define PCIE_INT_CAUSE_OFF    0x1900
++#define  PCIE_INT_PM_PME              BIT(28)
+ #define PCIE_MASK_OFF         0x1910
+ #define  PCIE_MASK_ENABLE_INTS          0x0f000000
+ #define PCIE_CTRL_OFF         0x1a00
+@@ -604,7 +606,14 @@ mvebu_pci_bridge_emul_pcie_conf_write(struct pci_bridge_emul *bridge,
+               break;
+       case PCI_EXP_RTSTA:
+-              mvebu_writel(port, new, PCIE_RC_RTSTA);
++              /*
++               * PME Status bit in Root Status Register (PCIE_RC_RTSTA)
++               * is read-only and can be cleared only by writing 0b to the
++               * Interrupt Cause RW0C register (PCIE_INT_CAUSE_OFF). So
++               * clear PME via Interrupt Cause.
++               */
++              if (new & PCI_EXP_RTSTA_PME)
++                      mvebu_writel(port, ~PCIE_INT_PM_PME, PCIE_INT_CAUSE_OFF);
+               break;
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-mvebu-setup-pcie-controller-to-root-complex-mode.patch b/queue-5.16/pci-mvebu-setup-pcie-controller-to-root-complex-mode.patch
new file mode 100644 (file)
index 0000000..4a690be
--- /dev/null
@@ -0,0 +1,52 @@
+From 5242c79cfd357fd22f0f9de63d7d9fff48cdc50c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 13:45:59 +0100
+Subject: PCI: mvebu: Setup PCIe controller to Root Complex mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit df08ac016124bd88b8598ac0599d7b89c0642774 ]
+
+This driver operates only in Root Complex mode, so ensure that hardware is
+properly configured in Root Complex mode.
+
+Link: https://lore.kernel.org/r/20211125124605.25915-10-pali@kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index abed58db56877..f279471e340ee 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -55,6 +55,7 @@
+ #define  PCIE_MASK_ENABLE_INTS          0x0f000000
+ #define PCIE_CTRL_OFF         0x1a00
+ #define  PCIE_CTRL_X1_MODE            0x0001
++#define  PCIE_CTRL_RC_MODE            BIT(1)
+ #define PCIE_STAT_OFF         0x1a04
+ #define  PCIE_STAT_BUS                  0xff00
+ #define  PCIE_STAT_DEV                  0x1f0000
+@@ -218,7 +219,12 @@ static void mvebu_pcie_setup_wins(struct mvebu_pcie_port *port)
+ static void mvebu_pcie_setup_hw(struct mvebu_pcie_port *port)
+ {
+-      u32 cmd, mask;
++      u32 ctrl, cmd, mask;
++
++      /* Setup PCIe controller to Root Complex mode. */
++      ctrl = mvebu_readl(port, PCIE_CTRL_OFF);
++      ctrl |= PCIE_CTRL_RC_MODE;
++      mvebu_writel(port, ctrl, PCIE_CTRL_OFF);
+       /* Disable Root Bridge I/O space, memory space and bus mastering. */
+       cmd = mvebu_readl(port, PCIE_CMD_OFF);
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-qcom-fix-an-error-handling-path-in-qcom_pcie_pro.patch b/queue-5.16/pci-qcom-fix-an-error-handling-path-in-qcom_pcie_pro.patch
new file mode 100644 (file)
index 0000000..561841e
--- /dev/null
@@ -0,0 +1,58 @@
+From dd2705f0271eab1b1a8ea3b51bd055ac7c05b767 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Nov 2021 18:44:52 +0100
+Subject: PCI: qcom: Fix an error handling path in 'qcom_pcie_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4e0e90539bb0e6c0ca3768c642df9eed2118a8bb ]
+
+If 'of_device_get_match_data()' fails, previous 'pm_runtime_get_sync()/
+pm_runtime_enable()' should be undone.
+
+To fix it, the easiest is to move this block of code before the memory
+allocations and the pm_runtime_xxx calls.
+
+Link: https://lore.kernel.org/r/4d03c636193f64907c8dacb17fa71ed05fd5f60c.1636220582.git.christophe.jaillet@wanadoo.fr
+Fixes: b89ff410253d ("PCI: qcom: Replace ops with struct pcie_cfg in pcie match data")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
+index 1c3d1116bb60c..baae67f71ba82 100644
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -1534,6 +1534,12 @@ static int qcom_pcie_probe(struct platform_device *pdev)
+       const struct qcom_pcie_cfg *pcie_cfg;
+       int ret;
++      pcie_cfg = of_device_get_match_data(dev);
++      if (!pcie_cfg || !pcie_cfg->ops) {
++              dev_err(dev, "Invalid platform data\n");
++              return -EINVAL;
++      }
++
+       pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL);
+       if (!pcie)
+               return -ENOMEM;
+@@ -1553,12 +1559,6 @@ static int qcom_pcie_probe(struct platform_device *pdev)
+       pcie->pci = pci;
+-      pcie_cfg = of_device_get_match_data(dev);
+-      if (!pcie_cfg || !pcie_cfg->ops) {
+-              dev_err(dev, "Invalid platform data\n");
+-              return -EINVAL;
+-      }
+-
+       pcie->ops = pcie_cfg->ops;
+       pcie->pipe_clk_need_muxing = pcie_cfg->pipe_clk_need_muxing;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pci-rcar-check-if-device-is-runtime-suspended-instea.patch b/queue-5.16/pci-rcar-check-if-device-is-runtime-suspended-instea.patch
new file mode 100644 (file)
index 0000000..0521430
--- /dev/null
@@ -0,0 +1,74 @@
+From b91773ccf40db94a49bcf1ee5774f06c9fa3400d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 21:46:41 +0100
+Subject: PCI: rcar: Check if device is runtime suspended instead of
+ __clk_is_enabled()
+
+From: Marek Vasut <marek.vasut+renesas@gmail.com>
+
+[ Upstream commit d2a14b54989e9ccea8401895fdfbc213bd1f56af ]
+
+Replace __clk_is_enabled() with pm_runtime_suspended(),
+as __clk_is_enabled() was checking the wrong bus clock
+and caused the following build error too:
+  arm-linux-gnueabi-ld: drivers/pci/controller/pcie-rcar-host.o: in function `rcar_pcie_aarch32_abort_handler':
+  pcie-rcar-host.c:(.text+0xdd0): undefined reference to `__clk_is_enabled'
+
+Link: https://lore.kernel.org/r/20211115204641.12941-1-marek.vasut@gmail.com
+Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook")
+Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Wolfram Sang <wsa@the-dreams.de>
+Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Cc: linux-renesas-soc@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-rcar-host.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-rcar-host.c b/drivers/pci/controller/pcie-rcar-host.c
+index e12c2d8be05a3..780e60159993c 100644
+--- a/drivers/pci/controller/pcie-rcar-host.c
++++ b/drivers/pci/controller/pcie-rcar-host.c
+@@ -50,10 +50,10 @@ struct rcar_msi {
+  */
+ static void __iomem *pcie_base;
+ /*
+- * Static copy of bus clock pointer, so we can check whether the clock
+- * is enabled or not.
++ * Static copy of PCIe device pointer, so we can check whether the
++ * device is runtime suspended or not.
+  */
+-static struct clk *pcie_bus_clk;
++static struct device *pcie_dev;
+ #endif
+ /* Structure representing the PCIe interface */
+@@ -792,7 +792,7 @@ static int rcar_pcie_get_resources(struct rcar_pcie_host *host)
+ #ifdef CONFIG_ARM
+       /* Cache static copy for L1 link state fixup hook on aarch32 */
+       pcie_base = pcie->base;
+-      pcie_bus_clk = host->bus_clk;
++      pcie_dev = pcie->dev;
+ #endif
+       return 0;
+@@ -1062,7 +1062,7 @@ static int rcar_pcie_aarch32_abort_handler(unsigned long addr,
+       spin_lock_irqsave(&pmsr_lock, flags);
+-      if (!pcie_base || !__clk_is_enabled(pcie_bus_clk)) {
++      if (!pcie_base || pm_runtime_suspended(pcie_dev)) {
+               ret = 1;
+               goto unlock_exit;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/pcmcia-fix-setting-of-kthread-task-states.patch b/queue-5.16/pcmcia-fix-setting-of-kthread-task-states.patch
new file mode 100644 (file)
index 0000000..f1a0b60
--- /dev/null
@@ -0,0 +1,55 @@
+From cf96274df398e99d5258e0500387724ad4290af8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jan 2022 10:02:51 +0100
+Subject: pcmcia: fix setting of kthread task states
+
+From: Dominik Brodowski <linux@dominikbrodowski.net>
+
+[ Upstream commit fbb3485f1f931102d8ba606f1c28123f5b48afa3 ]
+
+We need to set TASK_INTERRUPTIBLE before calling kthread_should_stop().
+Otherwise, kthread_stop() might see that the pccardd thread is still
+in TASK_RUNNING state and fail to wake it up.
+
+Additionally, we only need to set the state back to TASK_RUNNING if
+kthread_should_stop() breaks the loop.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: d3046ba809ce ("pcmcia: fix a boot time warning in pcmcia cs code")
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/cs.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c
+index e211e2619680c..f70197154a362 100644
+--- a/drivers/pcmcia/cs.c
++++ b/drivers/pcmcia/cs.c
+@@ -666,18 +666,16 @@ static int pccardd(void *__skt)
+               if (events || sysfs_events)
+                       continue;
++              set_current_state(TASK_INTERRUPTIBLE);
+               if (kthread_should_stop())
+                       break;
+-              set_current_state(TASK_INTERRUPTIBLE);
+-
+               schedule();
+-              /* make sure we are running */
+-              __set_current_state(TASK_RUNNING);
+-
+               try_to_freeze();
+       }
++      /* make sure we are running before we exit */
++      __set_current_state(TASK_RUNNING);
+       /* shut down socket, if a device is still present */
+       if (skt->state & SOCKET_PRESENT) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch b/queue-5.16/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..359529a
--- /dev/null
@@ -0,0 +1,56 @@
+From 2a0ea0538f11e1dba9ace4a92c7024dee4846ebb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 00:59:23 +0800
+Subject: pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
+ __nonstatic_find_io_region()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit ca0fe0d7c35c97528bdf621fdca75f13157c27af ]
+
+In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to
+res and used in pci_bus_alloc_resource(). There is a dereference of res
+in pci_bus_alloc_resource(), which could lead to a NULL pointer
+dereference on failure of pcmcia_make_resource().
+
+Fix this bug by adding a check of res.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+[linux@dominikbrodowski.net: Fix typo in commit message]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/rsrc_nonstatic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
+index bb15a8bdbaab5..827ca6e9ee54a 100644
+--- a/drivers/pcmcia/rsrc_nonstatic.c
++++ b/drivers/pcmcia/rsrc_nonstatic.c
+@@ -690,6 +690,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s,
+       unsigned long min = base;
+       int ret;
++      if (!res)
++              return NULL;
++
+       data.mask = align - 1;
+       data.offset = base & data.mask;
+       data.map = &s_data->io_db;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-11962 b/queue-5.16/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-11962
new file mode 100644 (file)
index 0000000..59b1014
--- /dev/null
@@ -0,0 +1,55 @@
+From 13190d933f608c8eee95c4c39e0beee8fe589888 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 02:11:40 +0800
+Subject: pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in
+ nonstatic_find_mem_region()
+
+From: Zhou Qingyang <zhou1615@umn.edu>
+
+[ Upstream commit 977d2e7c63c3d04d07ba340b39987742e3241554 ]
+
+In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to
+res and used in pci_bus_alloc_resource(). There a dereference of res
+in pci_bus_alloc_resource(), which could lead to a NULL pointer
+dereference on failure of pcmcia_make_resource().
+
+Fix this bug by adding a check of res.
+
+This bug was found by a static analyzer. The analysis employs
+differential checking to identify inconsistent security operations
+(e.g., checks or kfrees) between two code paths and confirms that the
+inconsistent operations are not recovered in the current function or
+the callers, so they constitute bugs.
+
+Note that, as a bug found by static analysis, it can be a false
+positive or hard to trigger. Multiple researchers have cross-reviewed
+the bug.
+
+Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings,
+and our static analyzer no longer warns about this code.
+
+Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
+Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/rsrc_nonstatic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
+index 827ca6e9ee54a..1cac528707111 100644
+--- a/drivers/pcmcia/rsrc_nonstatic.c
++++ b/drivers/pcmcia/rsrc_nonstatic.c
+@@ -812,6 +812,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num,
+       unsigned long min, max;
+       int ret, i, j;
++      if (!res)
++              return NULL;
++
+       low = low || !(s->features & SS_CAP_PAGE_REGS);
+       data.mask = align - 1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/perf-arm-cmn-fix-cpu-hotplug-unregistration.patch b/queue-5.16/perf-arm-cmn-fix-cpu-hotplug-unregistration.patch
new file mode 100644 (file)
index 0000000..29140b2
--- /dev/null
@@ -0,0 +1,50 @@
+From 4cdcc47473f1d703540c4ed623a1f81189fc311f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 11:44:50 +0000
+Subject: perf/arm-cmn: Fix CPU hotplug unregistration
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 56c7c6eaf3eb8ac1ec40d56096c0f2b27250da5f ]
+
+Attempting to migrate the PMU context after we've unregistered the PMU
+device, or especially if we never successfully registered it in the
+first place, is a woefully bad idea. It's also fundamentally pointless
+anyway. Make sure to unregister an instance from the hotplug handler
+*without* invoking the teardown callback.
+
+Fixes: 0ba64770a2f2 ("perf: Add Arm CMN-600 PMU driver")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/2c221d745544774e4b07583b65b5d4d94f7e0fe4.1638530442.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm-cmn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c
+index bc3cba5f8c5dc..400eb7f579dce 100644
+--- a/drivers/perf/arm-cmn.c
++++ b/drivers/perf/arm-cmn.c
+@@ -1561,7 +1561,8 @@ static int arm_cmn_probe(struct platform_device *pdev)
+       err = perf_pmu_register(&cmn->pmu, name, -1);
+       if (err)
+-              cpuhp_state_remove_instance(arm_cmn_hp_state, &cmn->cpuhp_node);
++              cpuhp_state_remove_instance_nocalls(arm_cmn_hp_state, &cmn->cpuhp_node);
++
+       return err;
+ }
+@@ -1572,7 +1573,7 @@ static int arm_cmn_remove(struct platform_device *pdev)
+       writel_relaxed(0, cmn->dtc[0].base + CMN_DT_DTC_CTL);
+       perf_pmu_unregister(&cmn->pmu);
+-      cpuhp_state_remove_instance(arm_cmn_hp_state, &cmn->cpuhp_node);
++      cpuhp_state_remove_instance_nocalls(arm_cmn_hp_state, &cmn->cpuhp_node);
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/phy-cadence-sierra-fix-to-get-correct-parent-for-mux.patch b/queue-5.16/phy-cadence-sierra-fix-to-get-correct-parent-for-mux.patch
new file mode 100644 (file)
index 0000000..ecc9d17
--- /dev/null
@@ -0,0 +1,94 @@
+From 3bdc58069f6c155f8146baf0d393c40a2d1466f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 07:01:33 +0100
+Subject: phy: cadence: Sierra: Fix to get correct parent for mux clocks
+
+From: Swapnil Jakhade <sjakhade@cadence.com>
+
+[ Upstream commit da08aab940092a050a4fb2857ed9479d2b0e03c4 ]
+
+Fix get_parent() callback to return the correct index of the parent for
+PLL_CMNLC1 clock. Add a separate table of register values corresponding
+to the parent index for PLL_CMNLC1. Update set_parent() callback
+accordingly.
+
+Fixes: 28081b72859f ("phy: cadence: Sierra: Model PLL_CMNLC and PLL_CMNLC1 as clocks (mux clocks)")
+Signed-off-by: Swapnil Jakhade <sjakhade@cadence.com>
+Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
+Link: https://lore.kernel.org/r/20211223060137.9252-12-sjakhade@cadence.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/cadence/phy-cadence-sierra.c | 31 ++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/phy/cadence/phy-cadence-sierra.c b/drivers/phy/cadence/phy-cadence-sierra.c
+index e93818e3991fd..3e2d096d54fd7 100644
+--- a/drivers/phy/cadence/phy-cadence-sierra.c
++++ b/drivers/phy/cadence/phy-cadence-sierra.c
+@@ -215,7 +215,10 @@ static const int pll_mux_parent_index[][SIERRA_NUM_CMN_PLLC_PARENTS] = {
+       [CMN_PLLLC1] = { PLL1_REFCLK, PLL0_REFCLK },
+ };
+-static u32 cdns_sierra_pll_mux_table[] = { 0, 1 };
++static u32 cdns_sierra_pll_mux_table[][SIERRA_NUM_CMN_PLLC_PARENTS] = {
++      [CMN_PLLLC] = { 0, 1 },
++      [CMN_PLLLC1] = { 1, 0 },
++};
+ struct cdns_sierra_inst {
+       struct phy *phy;
+@@ -436,11 +439,25 @@ static const struct phy_ops ops = {
+ static u8 cdns_sierra_pll_mux_get_parent(struct clk_hw *hw)
+ {
+       struct cdns_sierra_pll_mux *mux = to_cdns_sierra_pll_mux(hw);
++      struct regmap_field *plllc1en_field = mux->plllc1en_field;
++      struct regmap_field *termen_field = mux->termen_field;
+       struct regmap_field *field = mux->pfdclk_sel_preg;
+       unsigned int val;
++      int index;
+       regmap_field_read(field, &val);
+-      return clk_mux_val_to_index(hw, cdns_sierra_pll_mux_table, 0, val);
++
++      if (strstr(clk_hw_get_name(hw), clk_names[CDNS_SIERRA_PLL_CMNLC1])) {
++              index = clk_mux_val_to_index(hw, cdns_sierra_pll_mux_table[CMN_PLLLC1], 0, val);
++              if (index == 1) {
++                      regmap_field_write(plllc1en_field, 1);
++                      regmap_field_write(termen_field, 1);
++              }
++      } else {
++              index = clk_mux_val_to_index(hw, cdns_sierra_pll_mux_table[CMN_PLLLC], 0, val);
++      }
++
++      return index;
+ }
+ static int cdns_sierra_pll_mux_set_parent(struct clk_hw *hw, u8 index)
+@@ -458,7 +475,11 @@ static int cdns_sierra_pll_mux_set_parent(struct clk_hw *hw, u8 index)
+               ret |= regmap_field_write(termen_field, 1);
+       }
+-      val = cdns_sierra_pll_mux_table[index];
++      if (strstr(clk_hw_get_name(hw), clk_names[CDNS_SIERRA_PLL_CMNLC1]))
++              val = cdns_sierra_pll_mux_table[CMN_PLLLC1][index];
++      else
++              val = cdns_sierra_pll_mux_table[CMN_PLLLC][index];
++
+       ret |= regmap_field_write(field, val);
+       return ret;
+@@ -496,8 +517,8 @@ static int cdns_sierra_pll_mux_register(struct cdns_sierra_phy *sp,
+       for (i = 0; i < num_parents; i++) {
+               clk = sp->input_clks[pll_mux_parent_index[clk_index][i]];
+               if (IS_ERR_OR_NULL(clk)) {
+-                      dev_err(dev, "No parent clock for derived_refclk\n");
+-                      return PTR_ERR(clk);
++                      dev_err(dev, "No parent clock for PLL mux clocks\n");
++                      return IS_ERR(clk) ? PTR_ERR(clk) : -ENOENT;
+               }
+               parent_names[i] = __clk_get_name(clk);
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch b/queue-5.16/phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch
new file mode 100644 (file)
index 0000000..b35a471
--- /dev/null
@@ -0,0 +1,37 @@
+From 980c9e19fd886c01dee5fe30d6fddbefb6ff8249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 08:21:03 +0000
+Subject: phy: mediatek: Fix missing check in mtk_mipi_tx_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 399c91c3f30531593e5ff6ca7b53f47092128669 ]
+
+The of_device_get_match_data() function may return NULL.
+Add check to prevent potential null dereference.
+
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20211224082103.7658-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/mediatek/phy-mtk-mipi-dsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/mediatek/phy-mtk-mipi-dsi.c b/drivers/phy/mediatek/phy-mtk-mipi-dsi.c
+index 28ad9403c4414..67b005d5b9e35 100644
+--- a/drivers/phy/mediatek/phy-mtk-mipi-dsi.c
++++ b/drivers/phy/mediatek/phy-mtk-mipi-dsi.c
+@@ -146,6 +146,8 @@ static int mtk_mipi_tx_probe(struct platform_device *pdev)
+               return -ENOMEM;
+       mipi_tx->driver_data = of_device_get_match_data(dev);
++      if (!mipi_tx->driver_data)
++              return -ENODEV;
+       mipi_tx->regs = devm_platform_ioremap_resource(pdev, 0);
+       if (IS_ERR(mipi_tx->regs))
+-- 
+2.34.1
+
diff --git a/queue-5.16/phy-phy-mtk-tphy-add-support-efuse-setting.patch b/queue-5.16/phy-phy-mtk-tphy-add-support-efuse-setting.patch
new file mode 100644 (file)
index 0000000..5297532
--- /dev/null
@@ -0,0 +1,278 @@
+From d49a343ef3f6e85140edd0c8d895e7aa2aed30a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Dec 2021 16:27:59 +0800
+Subject: phy: phy-mtk-tphy: add support efuse setting
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+[ Upstream commit 6f2b033cb883f64ad084a75f13634242c7e179a6 ]
+
+Due to some SoCs have a bit shift issue that will drop a bit for usb3
+phy or pcie phy, fix it by adding software efuse reading and setting,
+but only support it optionally for version 2/3.
+
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20211218082802.5256-2-chunfeng.yun@mediatek.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/mediatek/phy-mtk-tphy.c | 162 ++++++++++++++++++++++++++++
+ 1 file changed, 162 insertions(+)
+
+diff --git a/drivers/phy/mediatek/phy-mtk-tphy.c b/drivers/phy/mediatek/phy-mtk-tphy.c
+index cdcef865fe9e5..98a942c607a67 100644
+--- a/drivers/phy/mediatek/phy-mtk-tphy.c
++++ b/drivers/phy/mediatek/phy-mtk-tphy.c
+@@ -12,6 +12,7 @@
+ #include <linux/iopoll.h>
+ #include <linux/mfd/syscon.h>
+ #include <linux/module.h>
++#include <linux/nvmem-consumer.h>
+ #include <linux/of_address.h>
+ #include <linux/of_device.h>
+ #include <linux/phy/phy.h>
+@@ -41,6 +42,9 @@
+ #define SSUSB_SIFSLV_V2_U3PHYD                0x200
+ #define SSUSB_SIFSLV_V2_U3PHYA                0x400
++#define U3P_MISC_REG1         0x04
++#define MR1_EFUSE_AUTO_LOAD_DIS               BIT(6)
++
+ #define U3P_USBPHYACR0                0x000
+ #define PA0_RG_U2PLL_FORCE_ON         BIT(15)
+ #define PA0_USB20_PLL_PREDIV          GENMASK(7, 6)
+@@ -133,6 +137,8 @@
+ #define P3C_RG_SWRST_U3_PHYD_FORCE_EN BIT(24)
+ #define U3P_U3_PHYA_REG0      0x000
++#define P3A_RG_IEXT_INTR              GENMASK(15, 10)
++#define P3A_RG_IEXT_INTR_VAL(x)               ((0x3f & (x)) << 10)
+ #define P3A_RG_CLKDRV_OFF             GENMASK(3, 2)
+ #define P3A_RG_CLKDRV_OFF_VAL(x)      ((0x3 & (x)) << 2)
+@@ -187,6 +193,19 @@
+ #define P3D_RG_FWAKE_TH               GENMASK(21, 16)
+ #define P3D_RG_FWAKE_TH_VAL(x)        ((0x3f & (x)) << 16)
++#define U3P_U3_PHYD_IMPCAL0           0x010
++#define P3D_RG_FORCE_TX_IMPEL         BIT(31)
++#define P3D_RG_TX_IMPEL                       GENMASK(28, 24)
++#define P3D_RG_TX_IMPEL_VAL(x)                ((0x1f & (x)) << 24)
++
++#define U3P_U3_PHYD_IMPCAL1           0x014
++#define P3D_RG_FORCE_RX_IMPEL         BIT(31)
++#define P3D_RG_RX_IMPEL                       GENMASK(28, 24)
++#define P3D_RG_RX_IMPEL_VAL(x)                ((0x1f & (x)) << 24)
++
++#define U3P_U3_PHYD_RSV                       0x054
++#define P3D_RG_EFUSE_AUTO_LOAD_DIS    BIT(12)
++
+ #define U3P_U3_PHYD_CDR1              0x05c
+ #define P3D_RG_CDR_BIR_LTD1           GENMASK(28, 24)
+ #define P3D_RG_CDR_BIR_LTD1_VAL(x)    ((0x1f & (x)) << 24)
+@@ -307,6 +326,11 @@ struct mtk_phy_pdata {
+        * 48M PLL, fix it by switching PLL to 26M from default 48M
+        */
+       bool sw_pll_48m_to_26m;
++      /*
++       * Some SoCs (e.g. mt8195) drop a bit when use auto load efuse,
++       * support sw way, also support it for v2/v3 optionally.
++       */
++      bool sw_efuse_supported;
+       enum mtk_phy_version version;
+ };
+@@ -336,6 +360,10 @@ struct mtk_phy_instance {
+       struct regmap *type_sw;
+       u32 type_sw_reg;
+       u32 type_sw_index;
++      u32 efuse_sw_en;
++      u32 efuse_intr;
++      u32 efuse_tx_imp;
++      u32 efuse_rx_imp;
+       int eye_src;
+       int eye_vrt;
+       int eye_term;
+@@ -1040,6 +1068,130 @@ static int phy_type_set(struct mtk_phy_instance *instance)
+       return 0;
+ }
++static int phy_efuse_get(struct mtk_tphy *tphy, struct mtk_phy_instance *instance)
++{
++      struct device *dev = &instance->phy->dev;
++      int ret = 0;
++
++      /* tphy v1 doesn't support sw efuse, skip it */
++      if (!tphy->pdata->sw_efuse_supported) {
++              instance->efuse_sw_en = 0;
++              return 0;
++      }
++
++      /* software efuse is optional */
++      instance->efuse_sw_en = device_property_read_bool(dev, "nvmem-cells");
++      if (!instance->efuse_sw_en)
++              return 0;
++
++      switch (instance->type) {
++      case PHY_TYPE_USB2:
++              ret = nvmem_cell_read_variable_le_u32(dev, "intr", &instance->efuse_intr);
++              if (ret) {
++                      dev_err(dev, "fail to get u2 intr efuse, %d\n", ret);
++                      break;
++              }
++
++              /* no efuse, ignore it */
++              if (!instance->efuse_intr) {
++                      dev_warn(dev, "no u2 intr efuse, but dts enable it\n");
++                      instance->efuse_sw_en = 0;
++                      break;
++              }
++
++              dev_dbg(dev, "u2 efuse - intr %x\n", instance->efuse_intr);
++              break;
++
++      case PHY_TYPE_USB3:
++      case PHY_TYPE_PCIE:
++              ret = nvmem_cell_read_variable_le_u32(dev, "intr", &instance->efuse_intr);
++              if (ret) {
++                      dev_err(dev, "fail to get u3 intr efuse, %d\n", ret);
++                      break;
++              }
++
++              ret = nvmem_cell_read_variable_le_u32(dev, "rx_imp", &instance->efuse_rx_imp);
++              if (ret) {
++                      dev_err(dev, "fail to get u3 rx_imp efuse, %d\n", ret);
++                      break;
++              }
++
++              ret = nvmem_cell_read_variable_le_u32(dev, "tx_imp", &instance->efuse_tx_imp);
++              if (ret) {
++                      dev_err(dev, "fail to get u3 tx_imp efuse, %d\n", ret);
++                      break;
++              }
++
++              /* no efuse, ignore it */
++              if (!instance->efuse_intr &&
++                  !instance->efuse_rx_imp &&
++                  !instance->efuse_rx_imp) {
++                      dev_warn(dev, "no u3 intr efuse, but dts enable it\n");
++                      instance->efuse_sw_en = 0;
++                      break;
++              }
++
++              dev_dbg(dev, "u3 efuse - intr %x, rx_imp %x, tx_imp %x\n",
++                      instance->efuse_intr, instance->efuse_rx_imp,instance->efuse_tx_imp);
++              break;
++      default:
++              dev_err(dev, "no sw efuse for type %d\n", instance->type);
++              ret = -EINVAL;
++      }
++
++      return ret;
++}
++
++static void phy_efuse_set(struct mtk_phy_instance *instance)
++{
++      struct device *dev = &instance->phy->dev;
++      struct u2phy_banks *u2_banks = &instance->u2_banks;
++      struct u3phy_banks *u3_banks = &instance->u3_banks;
++      u32 tmp;
++
++      if (!instance->efuse_sw_en)
++              return;
++
++      switch (instance->type) {
++      case PHY_TYPE_USB2:
++              tmp = readl(u2_banks->misc + U3P_MISC_REG1);
++              tmp |= MR1_EFUSE_AUTO_LOAD_DIS;
++              writel(tmp, u2_banks->misc + U3P_MISC_REG1);
++
++              tmp = readl(u2_banks->com + U3P_USBPHYACR1);
++              tmp &= ~PA1_RG_INTR_CAL;
++              tmp |= PA1_RG_INTR_CAL_VAL(instance->efuse_intr);
++              writel(tmp, u2_banks->com + U3P_USBPHYACR1);
++              break;
++      case PHY_TYPE_USB3:
++      case PHY_TYPE_PCIE:
++              tmp = readl(u3_banks->phyd + U3P_U3_PHYD_RSV);
++              tmp |= P3D_RG_EFUSE_AUTO_LOAD_DIS;
++              writel(tmp, u3_banks->phyd + U3P_U3_PHYD_RSV);
++
++              tmp = readl(u3_banks->phyd + U3P_U3_PHYD_IMPCAL0);
++              tmp &= ~P3D_RG_TX_IMPEL;
++              tmp |= P3D_RG_TX_IMPEL_VAL(instance->efuse_tx_imp);
++              tmp |= P3D_RG_FORCE_TX_IMPEL;
++              writel(tmp, u3_banks->phyd + U3P_U3_PHYD_IMPCAL0);
++
++              tmp = readl(u3_banks->phyd + U3P_U3_PHYD_IMPCAL1);
++              tmp &= ~P3D_RG_RX_IMPEL;
++              tmp |= P3D_RG_RX_IMPEL_VAL(instance->efuse_rx_imp);
++              tmp |= P3D_RG_FORCE_RX_IMPEL;
++              writel(tmp, u3_banks->phyd + U3P_U3_PHYD_IMPCAL1);
++
++              tmp = readl(u3_banks->phya + U3P_U3_PHYA_REG0);
++              tmp &= ~P3A_RG_IEXT_INTR;
++              tmp |= P3A_RG_IEXT_INTR_VAL(instance->efuse_intr);
++              writel(tmp, u3_banks->phya + U3P_U3_PHYA_REG0);
++              break;
++      default:
++              dev_warn(dev, "no sw efuse for type %d\n", instance->type);
++              break;
++      }
++}
++
+ static int mtk_phy_init(struct phy *phy)
+ {
+       struct mtk_phy_instance *instance = phy_get_drvdata(phy);
+@@ -1050,6 +1202,8 @@ static int mtk_phy_init(struct phy *phy)
+       if (ret)
+               return ret;
++      phy_efuse_set(instance);
++
+       switch (instance->type) {
+       case PHY_TYPE_USB2:
+               u2_phy_instance_init(tphy, instance);
+@@ -1134,6 +1288,7 @@ static struct phy *mtk_phy_xlate(struct device *dev,
+       struct mtk_phy_instance *instance = NULL;
+       struct device_node *phy_np = args->np;
+       int index;
++      int ret;
+       if (args->args_count != 1) {
+               dev_err(dev, "invalid number of cells in 'phy' property\n");
+@@ -1174,6 +1329,10 @@ static struct phy *mtk_phy_xlate(struct device *dev,
+               return ERR_PTR(-EINVAL);
+       }
++      ret = phy_efuse_get(tphy, instance);
++      if (ret)
++              return ERR_PTR(ret);
++
+       phy_parse_property(tphy, instance);
+       phy_type_set(instance);
+@@ -1196,10 +1355,12 @@ static const struct mtk_phy_pdata tphy_v1_pdata = {
+ static const struct mtk_phy_pdata tphy_v2_pdata = {
+       .avoid_rx_sen_degradation = false,
++      .sw_efuse_supported = true,
+       .version = MTK_PHY_V2,
+ };
+ static const struct mtk_phy_pdata tphy_v3_pdata = {
++      .sw_efuse_supported = true,
+       .version = MTK_PHY_V3,
+ };
+@@ -1210,6 +1371,7 @@ static const struct mtk_phy_pdata mt8173_pdata = {
+ static const struct mtk_phy_pdata mt8195_pdata = {
+       .sw_pll_48m_to_26m = true,
++      .sw_efuse_supported = true,
+       .version = MTK_PHY_V3,
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch b/queue-5.16/phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch
new file mode 100644 (file)
index 0000000..e7d76e0
--- /dev/null
@@ -0,0 +1,61 @@
+From 0eb69504f2ad3f2a7016e436c76d2d21ba03aa83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 14:19:29 +0900
+Subject: phy: uniphier-usb3ss: fix unintended writing zeros to PHY register
+
+From: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
+
+[ Upstream commit 898c7a9ec81620125f2463714a0f4dea18ad6e54 ]
+
+Similar to commit 4a90bbb478db ("phy: uniphier-pcie: Fix updating phy
+parameters"), in function uniphier_u3ssphy_set_param(), unintentionally
+write zeros to other fields when writing PHY registers.
+
+Fixes: 5ab43d0f8697 ("phy: socionext: add USB3 PHY driver for UniPhier SoC")
+Signed-off-by: Ryuta NAKANISHI <nakanishi.ryuta@socionext.com>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/1640150369-4134-1-git-send-email-hayashi.kunihiko@socionext.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/socionext/phy-uniphier-usb3ss.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/socionext/phy-uniphier-usb3ss.c b/drivers/phy/socionext/phy-uniphier-usb3ss.c
+index 6700645bcbe6b..3b5ffc16a6947 100644
+--- a/drivers/phy/socionext/phy-uniphier-usb3ss.c
++++ b/drivers/phy/socionext/phy-uniphier-usb3ss.c
+@@ -22,11 +22,13 @@
+ #include <linux/reset.h>
+ #define SSPHY_TESTI           0x0
+-#define SSPHY_TESTO           0x4
+ #define TESTI_DAT_MASK                GENMASK(13, 6)
+ #define TESTI_ADR_MASK                GENMASK(5, 1)
+ #define TESTI_WR_EN           BIT(0)
++#define SSPHY_TESTO           0x4
++#define TESTO_DAT_MASK                GENMASK(7, 0)
++
+ #define PHY_F(regno, msb, lsb) { (regno), (msb), (lsb) }
+ #define CDR_CPD_TRIM  PHY_F(7, 3, 0)  /* RxPLL charge pump current */
+@@ -84,12 +86,12 @@ static void uniphier_u3ssphy_set_param(struct uniphier_u3ssphy_priv *priv,
+       val  = FIELD_PREP(TESTI_DAT_MASK, 1);
+       val |= FIELD_PREP(TESTI_ADR_MASK, p->field.reg_no);
+       uniphier_u3ssphy_testio_write(priv, val);
+-      val = readl(priv->base + SSPHY_TESTO);
++      val = readl(priv->base + SSPHY_TESTO) & TESTO_DAT_MASK;
+       /* update value */
+-      val &= ~FIELD_PREP(TESTI_DAT_MASK, field_mask);
++      val &= ~field_mask;
+       data = field_mask & (p->value << p->field.lsb);
+-      val  = FIELD_PREP(TESTI_DAT_MASK, data);
++      val  = FIELD_PREP(TESTI_DAT_MASK, data | val);
+       val |= FIELD_PREP(TESTI_ADR_MASK, p->field.reg_no);
+       uniphier_u3ssphy_testio_write(priv, val);
+       uniphier_u3ssphy_testio_write(priv, val | TESTI_WR_EN);
+-- 
+2.34.1
+
diff --git a/queue-5.16/pinctrl-apple-return-an-error-if-pinmux-is-missing-i.patch b/queue-5.16/pinctrl-apple-return-an-error-if-pinmux-is-missing-i.patch
new file mode 100644 (file)
index 0000000..ed71fdb
--- /dev/null
@@ -0,0 +1,38 @@
+From 88621ee4a579b74bafd458dff53bf289f5bff9e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Nov 2021 16:56:42 +0000
+Subject: pinctrl: apple: return an error if pinmux is missing in the DT
+
+From: Joey Gouly <joey.gouly@arm.com>
+
+[ Upstream commit 839930ca1bd0c79cdf370d11462ef4a81b664e44 ]
+
+If of_property_count_u32_elems returned 0, return -EINVAL to indicate
+a failure. Previously this would return 0.
+
+Fixes: a0f160ffcb83 ("pinctrl: add pinctrl/GPIO driver for Apple SoCs")
+Signed-off-by: Joey Gouly <joey.gouly@arm.com>
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20211121165642.27883-12-joey.gouly@arm.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-apple-gpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-apple-gpio.c b/drivers/pinctrl/pinctrl-apple-gpio.c
+index a7861079a6502..c772e31d21223 100644
+--- a/drivers/pinctrl/pinctrl-apple-gpio.c
++++ b/drivers/pinctrl/pinctrl-apple-gpio.c
+@@ -114,7 +114,7 @@ static int apple_gpio_dt_node_to_map(struct pinctrl_dev *pctldev,
+               dev_err(pctl->dev,
+                       "missing or empty pinmux property in node %pOFn.\n",
+                       node);
+-              return ret;
++              return ret ? ret : -EINVAL;
+       }
+       num_pins = ret;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pinctrl-mediatek-add-a-check-for-error-in-mtk_pincon.patch b/queue-5.16/pinctrl-mediatek-add-a-check-for-error-in-mtk_pincon.patch
new file mode 100644 (file)
index 0000000..20a21d1
--- /dev/null
@@ -0,0 +1,41 @@
+From ea0506908fabe65a74b9412e7e20296c1403f0ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Nov 2021 17:08:36 +0300
+Subject: pinctrl: mediatek: add a check for error in
+ mtk_pinconf_bias_get_rsel()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 9f9d17c228c89e38ed612500126daf626270be9a ]
+
+All the other mtk_hw_get_value() calls have a check for "if (err)" so
+we can add one here as well.  This silences a Smatch warning:
+
+    drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c:819 mtk_pinconf_bias_get_rsel()
+    error: uninitialized symbol 'pd'.
+
+Fixes: fb34a9ae383a ("pinctrl: mediatek: support rsel feature")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211127140836.GB24002@kili
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+index 53779822348da..e1ae3beb9f72b 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -815,6 +815,8 @@ static int mtk_pinconf_bias_get_rsel(struct mtk_pinctrl *hw,
+               goto out;
+       err = mtk_hw_get_value(hw, desc, PINCTRL_PIN_REG_PD, &pd);
++      if (err)
++              goto out;
+       if (pu == 0 && pd == 0) {
+               *pullup = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/pinctrl-mediatek-uninitialized-variable-in-mtk_pctrl.patch b/queue-5.16/pinctrl-mediatek-uninitialized-variable-in-mtk_pctrl.patch
new file mode 100644 (file)
index 0000000..ac0f1d6
--- /dev/null
@@ -0,0 +1,40 @@
+From a5e5dbbcbab63daf0e9682866d6a2b5fa7e280a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Nov 2021 17:07:50 +0300
+Subject: pinctrl: mediatek: uninitialized variable in mtk_pctrl_show_one_pin()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 67bbbcb49b968a93251de7b23616d5aff5d3a726 ]
+
+The "try_all_type" variable is not set if (hw->soc->pull_type) is false
+leading to the following Smatch warning:
+
+    drivers/pinctrl/mediatek/pinctrl-paris.c:599 mtk_pctrl_show_one_pin()
+    error: uninitialized symbol 'try_all_type'.
+
+Fixes: fb34a9ae383a ("pinctrl: mediatek: support rsel feature")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211127140750.GA24002@kili
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-paris.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-paris.c b/drivers/pinctrl/mediatek/pinctrl-paris.c
+index d4e02c5d74a89..4c6f6d967b18a 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-paris.c
++++ b/drivers/pinctrl/mediatek/pinctrl-paris.c
+@@ -581,7 +581,7 @@ ssize_t mtk_pctrl_show_one_pin(struct mtk_pinctrl *hw,
+ {
+       int pinmux, pullup, pullen, len = 0, r1 = -1, r0 = -1, rsel = -1;
+       const struct mtk_pin_desc *desc;
+-      u32 try_all_type;
++      u32 try_all_type = 0;
+       if (gpio >= hw->soc->npins)
+               return -EINVAL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/platform-x86-wmi-fix-driver-notify-vs-probe-race.patch b/queue-5.16/platform-x86-wmi-fix-driver-notify-vs-probe-race.patch
new file mode 100644 (file)
index 0000000..31a7118
--- /dev/null
@@ -0,0 +1,69 @@
+From 3e38d4c51cf7db4a0af120b9c3445ba65ae189fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Nov 2021 20:00:28 +0100
+Subject: platform/x86: wmi: Fix driver->notify() vs ->probe() race
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 9918878676a5f9e99b98679f04b9e6c0f5426b0a ]
+
+The driver core sets struct device->driver before calling out
+to the bus' probe() method, this leaves a window where an ACPI
+notify may happen on the WMI object before the driver's
+probe() method has completed running, causing e.g. the
+driver's notify() callback to get called with drvdata
+not yet being set leading to a NULL pointer deref.
+
+At a check for this to the WMI core, ensuring that the notify()
+callback is not called before the driver is ready.
+
+Fixes: 1686f5444546 ("platform/x86: wmi: Incorporate acpi_install_notify_handler")
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20211128190031.405620-2-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index 46178e03aecad..02aba274c4bc2 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -59,6 +59,7 @@ static_assert(__alignof__(struct guid_block) == 1);
+ enum {        /* wmi_block flags */
+       WMI_READ_TAKES_NO_ARGS,
++      WMI_PROBED,
+ };
+ struct wmi_block {
+@@ -1008,6 +1009,7 @@ static int wmi_dev_probe(struct device *dev)
+               }
+       }
++      set_bit(WMI_PROBED, &wblock->flags);
+       return 0;
+ probe_misc_failure:
+@@ -1025,6 +1027,8 @@ static void wmi_dev_remove(struct device *dev)
+       struct wmi_block *wblock = dev_to_wblock(dev);
+       struct wmi_driver *wdriver = drv_to_wdrv(dev->driver);
++      clear_bit(WMI_PROBED, &wblock->flags);
++
+       if (wdriver->filter_callback) {
+               misc_deregister(&wblock->char_dev);
+               kfree(wblock->char_dev.name);
+@@ -1322,7 +1326,7 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event,
+               return;
+       /* If a driver is bound, then notify the driver. */
+-      if (wblock->dev.dev.driver) {
++      if (test_bit(WMI_PROBED, &wblock->flags) && wblock->dev.dev.driver) {
+               struct wmi_driver *driver = drv_to_wdrv(wblock->dev.dev.driver);
+               struct acpi_buffer evdata = { ACPI_ALLOCATE_BUFFER, NULL };
+               acpi_status status;
+-- 
+2.34.1
+
diff --git a/queue-5.16/platform-x86-wmi-replace-read_takes_no_args-with-a-f.patch b/queue-5.16/platform-x86-wmi-replace-read_takes_no_args-with-a-f.patch
new file mode 100644 (file)
index 0000000..a460b80
--- /dev/null
@@ -0,0 +1,70 @@
+From f5cfae354f07d493fee8e97b84da6c111a04ac4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Nov 2021 20:00:27 +0100
+Subject: platform/x86: wmi: Replace read_takes_no_args with a flags field
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit a90b38c58667142ecff2521481ed44286d46b140 ]
+
+Replace the wmi_block.read_takes_no_args bool field with
+an unsigned long flags field, used together with test_bit()
+and friends.
+
+This is a preparation patch for fixing a driver->notify() vs ->probe()
+race, which requires atomic flag handling.
+
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20211128190031.405620-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index c34341f4da763..46178e03aecad 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -57,6 +57,10 @@ static_assert(sizeof(typeof_member(struct guid_block, guid)) == 16);
+ static_assert(sizeof(struct guid_block) == 20);
+ static_assert(__alignof__(struct guid_block) == 1);
++enum {        /* wmi_block flags */
++      WMI_READ_TAKES_NO_ARGS,
++};
++
+ struct wmi_block {
+       struct wmi_device dev;
+       struct list_head list;
+@@ -67,8 +71,7 @@ struct wmi_block {
+       wmi_notify_handler handler;
+       void *handler_data;
+       u64 req_buf_size;
+-
+-      bool read_takes_no_args;
++      unsigned long flags;
+ };
+@@ -367,7 +370,7 @@ static acpi_status __query_block(struct wmi_block *wblock, u8 instance,
+       wq_params[0].type = ACPI_TYPE_INTEGER;
+       wq_params[0].integer.value = instance;
+-      if (instance == 0 && wblock->read_takes_no_args)
++      if (instance == 0 && test_bit(WMI_READ_TAKES_NO_ARGS, &wblock->flags))
+               input.count = 0;
+       /*
+@@ -1113,7 +1116,7 @@ static int wmi_create_device(struct device *wmi_bus_dev,
+        * laptops, WQxx may not be a method at all.)
+        */
+       if (info->type != ACPI_TYPE_METHOD || info->param_count == 0)
+-              wblock->read_takes_no_args = true;
++              set_bit(WMI_READ_TAKES_NO_ARGS, &wblock->flags);
+       kfree(info);
+-- 
+2.34.1
+
diff --git a/queue-5.16/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch b/queue-5.16/pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch
new file mode 100644 (file)
index 0000000..18a9c6b
--- /dev/null
@@ -0,0 +1,38 @@
+From 7da0468e177bc381fb3d91cc7ff5c1002a85c20c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 01:43:11 +0000
+Subject: PM: AVS: qcom-cpr: Use div64_ul instead of do_div
+
+From: Changcheng Deng <deng.changcheng@zte.com.cn>
+
+[ Upstream commit 92c550f9ffd2884bb5def52b5c0485a35e452784 ]
+
+do_div() does a 64-by-32 division. Here the divisor is an unsigned long
+which on some platforms is 64 bit wide. So use div64_ul instead of do_div
+to avoid a possible truncation.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Changcheng Deng <deng.changcheng@zte.com.cn>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20211125014311.45942-1-deng.changcheng@zte.com.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/cpr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/cpr.c b/drivers/soc/qcom/cpr.c
+index 1d818a8ba2089..e9b854ed1bdfd 100644
+--- a/drivers/soc/qcom/cpr.c
++++ b/drivers/soc/qcom/cpr.c
+@@ -1010,7 +1010,7 @@ static int cpr_interpolate(const struct corner *corner, int step_volt,
+               return corner->uV;
+       temp = f_diff * (uV_high - uV_low);
+-      do_div(temp, f_high - f_low);
++      temp = div64_ul(temp, f_high - f_low);
+       /*
+        * max_volt_scale has units of uV/MHz while freq values
+-- 
+2.34.1
+
diff --git a/queue-5.16/pm-runtime-add-safety-net-to-supplier-device-release.patch b/queue-5.16/pm-runtime-add-safety-net-to-supplier-device-release.patch
new file mode 100644 (file)
index 0000000..5c19410
--- /dev/null
@@ -0,0 +1,137 @@
+From 272dfc85bfe8fcde3cc83be54a4e54a06284d53b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 17:10:13 +0100
+Subject: PM: runtime: Add safety net to supplier device release
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d1579e61192e0e686faa4208500ef4c3b529b16c ]
+
+Because refcount_dec_not_one() returns true if the target refcount
+becomes saturated, it is generally unsafe to use its return value as
+a loop termination condition, but that is what happens when a device
+link's supplier device is released during runtime PM suspend
+operations and on device link removal.
+
+To address this, introduce pm_runtime_release_supplier() to be used
+in the above cases which will check the supplier device's runtime
+PM usage counter in addition to the refcount_dec_not_one() return
+value, so the loop can be terminated in case the rpm_active refcount
+value becomes invalid, and update the code in question to use it as
+appropriate.
+
+This change is not expected to have any visible functional impact.
+
+Reported-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/core.c          |  3 +--
+ drivers/base/power/runtime.c | 41 ++++++++++++++++++++++++++----------
+ include/linux/pm_runtime.h   |  3 +++
+ 3 files changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index fd034d7424472..b191bd17de891 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -485,8 +485,7 @@ static void device_link_release_fn(struct work_struct *work)
+       /* Ensure that all references to the link object have been dropped. */
+       device_link_synchronize_removal();
+-      while (refcount_dec_not_one(&link->rpm_active))
+-              pm_runtime_put(link->supplier);
++      pm_runtime_release_supplier(link, true);
+       put_device(link->consumer);
+       put_device(link->supplier);
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index d504cd4ab3cbf..38c2e1892a00e 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -305,19 +305,40 @@ static int rpm_get_suppliers(struct device *dev)
+       return 0;
+ }
++/**
++ * pm_runtime_release_supplier - Drop references to device link's supplier.
++ * @link: Target device link.
++ * @check_idle: Whether or not to check if the supplier device is idle.
++ *
++ * Drop all runtime PM references associated with @link to its supplier device
++ * and if @check_idle is set, check if that device is idle (and so it can be
++ * suspended).
++ */
++void pm_runtime_release_supplier(struct device_link *link, bool check_idle)
++{
++      struct device *supplier = link->supplier;
++
++      /*
++       * The additional power.usage_count check is a safety net in case
++       * the rpm_active refcount becomes saturated, in which case
++       * refcount_dec_not_one() would return true forever, but it is not
++       * strictly necessary.
++       */
++      while (refcount_dec_not_one(&link->rpm_active) &&
++             atomic_read(&supplier->power.usage_count) > 0)
++              pm_runtime_put_noidle(supplier);
++
++      if (check_idle)
++              pm_request_idle(supplier);
++}
++
+ static void __rpm_put_suppliers(struct device *dev, bool try_to_suspend)
+ {
+       struct device_link *link;
+       list_for_each_entry_rcu(link, &dev->links.suppliers, c_node,
+-                              device_links_read_lock_held()) {
+-
+-              while (refcount_dec_not_one(&link->rpm_active))
+-                      pm_runtime_put_noidle(link->supplier);
+-
+-              if (try_to_suspend)
+-                      pm_request_idle(link->supplier);
+-      }
++                              device_links_read_lock_held())
++              pm_runtime_release_supplier(link, try_to_suspend);
+ }
+ static void rpm_put_suppliers(struct device *dev)
+@@ -1772,9 +1793,7 @@ void pm_runtime_drop_link(struct device_link *link)
+               return;
+       pm_runtime_drop_link_count(link->consumer);
+-
+-      while (refcount_dec_not_one(&link->rpm_active))
+-              pm_runtime_put(link->supplier);
++      pm_runtime_release_supplier(link, true);
+ }
+ static bool pm_runtime_need_not_resume(struct device *dev)
+diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
+index eddd66d426caf..016de5776b6db 100644
+--- a/include/linux/pm_runtime.h
++++ b/include/linux/pm_runtime.h
+@@ -58,6 +58,7 @@ extern void pm_runtime_get_suppliers(struct device *dev);
+ extern void pm_runtime_put_suppliers(struct device *dev);
+ extern void pm_runtime_new_link(struct device *dev);
+ extern void pm_runtime_drop_link(struct device_link *link);
++extern void pm_runtime_release_supplier(struct device_link *link, bool check_idle);
+ extern int devm_pm_runtime_enable(struct device *dev);
+@@ -283,6 +284,8 @@ static inline void pm_runtime_get_suppliers(struct device *dev) {}
+ static inline void pm_runtime_put_suppliers(struct device *dev) {}
+ static inline void pm_runtime_new_link(struct device *dev) {}
+ static inline void pm_runtime_drop_link(struct device_link *link) {}
++static inline void pm_runtime_release_supplier(struct device_link *link,
++                                             bool check_idle) {}
+ #endif /* !CONFIG_PM */
+-- 
+2.34.1
+
diff --git a/queue-5.16/power-reset-mt6397-check-for-null-res-pointer.patch b/queue-5.16/power-reset-mt6397-check-for-null-res-pointer.patch
new file mode 100644 (file)
index 0000000..acecff8
--- /dev/null
@@ -0,0 +1,38 @@
+From 3e5b70e72b3d092dd14a87426c939654a200bc6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 16:38:11 +0800
+Subject: power: reset: mt6397: Check for null res pointer
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 1c1348bf056dee665760a3bd1cd30b0be7554fc2 ]
+
+The return value of platform_get_resource() needs to be checked.
+To avoid use of error pointer in case that there is no suitable
+resource.
+
+Fixes: d28c74c10751 ("power: reset: add driver for mt6323 poweroff")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/mt6323-poweroff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/power/reset/mt6323-poweroff.c b/drivers/power/reset/mt6323-poweroff.c
+index 0532803e6cbc4..d90e76fcb9383 100644
+--- a/drivers/power/reset/mt6323-poweroff.c
++++ b/drivers/power/reset/mt6323-poweroff.c
+@@ -57,6 +57,9 @@ static int mt6323_pwrc_probe(struct platform_device *pdev)
+               return -ENOMEM;
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++      if (!res)
++              return -EINVAL;
++
+       pwrc->base = res->start;
+       pwrc->regmap = mt6397_chip->regmap;
+       pwrc->dev = &pdev->dev;
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch b/queue-5.16/powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch
new file mode 100644 (file)
index 0000000..0ac84aa
--- /dev/null
@@ -0,0 +1,56 @@
+From 681a6c7bea2a1d54913a9b5d2e05ef377c2705ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 09:42:37 +0100
+Subject: powerpc/32s: Fix shift-out-of-bounds in KASAN init
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit af11dee4361b3519981fa04d014873f9d9edd6ac ]
+
+================================================================================
+UBSAN: shift-out-of-bounds in arch/powerpc/mm/kasan/book3s_32.c:22:23
+shift exponent -1 is negative
+CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.5-gentoo-PowerMacG4 #9
+Call Trace:
+[c214be60] [c0ba0048] dump_stack_lvl+0x80/0xb0 (unreliable)
+[c214be80] [c0b99288] ubsan_epilogue+0x10/0x5c
+[c214be90] [c0b98fe0] __ubsan_handle_shift_out_of_bounds+0x94/0x138
+[c214bf00] [c1c0f010] kasan_init_region+0xd8/0x26c
+[c214bf30] [c1c0ed84] kasan_init+0xc0/0x198
+[c214bf70] [c1c08024] setup_arch+0x18/0x54c
+[c214bfc0] [c1c037f0] start_kernel+0x90/0x33c
+[c214bff0] [00003610] 0x3610
+================================================================================
+
+This happens when the directly mapped memory is a power of 2.
+
+Fix it by checking the shift and set the result to 0 when shift is -1
+
+Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()")
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215169
+Link: https://lore.kernel.org/r/15cbc3439d4ad988b225e2119ec99502a5cc6ad3.1638261744.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/kasan/book3s_32.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/kasan/book3s_32.c b/arch/powerpc/mm/kasan/book3s_32.c
+index 202bd260a0095..35b287b0a8da4 100644
+--- a/arch/powerpc/mm/kasan/book3s_32.c
++++ b/arch/powerpc/mm/kasan/book3s_32.c
+@@ -19,7 +19,8 @@ int __init kasan_init_region(void *start, size_t size)
+       block = memblock_alloc(k_size, k_size_base);
+       if (block && k_size_base >= SZ_128K && k_start == ALIGN(k_start, k_size_base)) {
+-              int k_size_more = 1 << (ffs(k_size - k_size_base) - 1);
++              int shift = ffs(k_size - k_size_base);
++              int k_size_more = shift ? 1 << (shift - 1) : 0;
+               setbat(-1, k_start, __pa(block), k_size_base, PAGE_KERNEL);
+               if (k_size_more >= SZ_128K)
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-40x-map-32mbytes-of-memory-at-startup.patch b/queue-5.16/powerpc-40x-map-32mbytes-of-memory-at-startup.patch
new file mode 100644 (file)
index 0000000..fb115e5
--- /dev/null
@@ -0,0 +1,57 @@
+From 699937bf19abfed5ec0065bfa4338a52395537d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 17:12:39 +0200
+Subject: powerpc/40x: Map 32Mbytes of memory at startup
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 06e7cbc29e97b4713b4ea6def04ae8501a7d1a59 ]
+
+As reported by Carlo, 16Mbytes is not enough with modern kernels
+that tend to be a bit big, so map another 16M page at boot.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/89b5f974a7fa5011206682cd092e2c905530ff46.1632755552.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/head_40x.S | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/head_40x.S b/arch/powerpc/kernel/head_40x.S
+index 7d72ee5ab387c..e783860bea838 100644
+--- a/arch/powerpc/kernel/head_40x.S
++++ b/arch/powerpc/kernel/head_40x.S
+@@ -27,6 +27,7 @@
+ #include <linux/init.h>
+ #include <linux/pgtable.h>
++#include <linux/sizes.h>
+ #include <asm/processor.h>
+ #include <asm/page.h>
+ #include <asm/mmu.h>
+@@ -650,7 +651,7 @@ start_here:
+       b       .               /* prevent prefetch past rfi */
+ /* Set up the initial MMU state so we can do the first level of
+- * kernel initialization.  This maps the first 16 MBytes of memory 1:1
++ * kernel initialization.  This maps the first 32 MBytes of memory 1:1
+  * virtual to physical and more importantly sets the cache mode.
+  */
+ initial_mmu:
+@@ -687,6 +688,12 @@ initial_mmu:
+       tlbwe   r4,r0,TLB_DATA          /* Load the data portion of the entry */
+       tlbwe   r3,r0,TLB_TAG           /* Load the tag portion of the entry */
++      li      r0,62                   /* TLB slot 62 */
++      addis   r4,r4,SZ_16M@h
++      addis   r3,r3,SZ_16M@h
++      tlbwe   r4,r0,TLB_DATA          /* Load the data portion of the entry */
++      tlbwe   r3,r0,TLB_TAG           /* Load the tag portion of the entry */
++
+       isync
+       /* Establish the exception vector base
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-64s-mask-nip-before-checking-against-srr0.patch b/queue-5.16/powerpc-64s-mask-nip-before-checking-against-srr0.patch
new file mode 100644 (file)
index 0000000..2a08555
--- /dev/null
@@ -0,0 +1,49 @@
+From 95050a6be411c92c2fb5266a086e64f441b7243b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 00:50:59 +1100
+Subject: powerpc/64s: Mask NIP before checking against SRR0
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit 314f6c23dd8d417281eb9e8a516dd98036f2e7b3 ]
+
+When CONFIG_PPC_RFI_SRR_DEBUG=y we check that NIP and SRR0 match when
+returning from interrupts. This can trigger falsely if NIP has either of
+its two low bits set via sigreturn or ptrace, while SRR0 has its low two
+bits masked in hardware.
+
+As a quick fix make sure to mask the low bits before doing the check.
+
+Fixes: 59dc5bfca0cb ("powerpc/64s: avoid reloading (H)SRR registers if they are still valid")
+Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Link: https://lore.kernel.org/r/20211221135101.2085547-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/interrupt_64.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/kernel/interrupt_64.S b/arch/powerpc/kernel/interrupt_64.S
+index ec950b08a8dcc..894588b2381e5 100644
+--- a/arch/powerpc/kernel/interrupt_64.S
++++ b/arch/powerpc/kernel/interrupt_64.S
+@@ -30,6 +30,7 @@ COMPAT_SYS_CALL_TABLE:
+       .ifc \srr,srr
+       mfspr   r11,SPRN_SRR0
+       ld      r12,_NIP(r1)
++      clrrdi  r12,r12,2
+ 100:  tdne    r11,r12
+       EMIT_BUG_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
+       mfspr   r11,SPRN_SRR1
+@@ -39,6 +40,7 @@ COMPAT_SYS_CALL_TABLE:
+       .else
+       mfspr   r11,SPRN_HSRR0
+       ld      r12,_NIP(r1)
++      clrrdi  r12,r12,2
+ 100:  tdne    r11,r12
+       EMIT_BUG_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
+       mfspr   r11,SPRN_HSRR1
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-64s-use-emit_warn_entry-for-srr-debug-warnin.patch b/queue-5.16/powerpc-64s-use-emit_warn_entry-for-srr-debug-warnin.patch
new file mode 100644 (file)
index 0000000..a041bdc
--- /dev/null
@@ -0,0 +1,81 @@
+From 677fee4171997bf5fad5a6ceb7b14692eee05a85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 00:51:00 +1100
+Subject: powerpc/64s: Use EMIT_WARN_ENTRY for SRR debug warnings
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit fd1eaaaaa6864b5fb8f99880fcefb49760b8fe4e ]
+
+When CONFIG_PPC_RFI_SRR_DEBUG=y we check the SRR values before returning
+from interrupts. This is done in asm using EMIT_BUG_ENTRY, and passing
+BUGFLAG_WARNING.
+
+However that fails to create an exception table entry for the warning,
+and so do_program_check() fails the exception table search and proceeds
+to call _exception(), resulting in an oops like:
+
+  Oops: Exception in kernel mode, sig: 5 [#1]
+  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
+  Modules linked in:
+  CPU: 2 PID: 1204 Comm: sigreturn_unali Tainted: P                  5.16.0-rc2-00194-g91ca3d4f77c5 #12
+  NIP:  c00000000000c5b0 LR: 0000000000000000 CTR: 0000000000000000
+  ...
+  NIP [c00000000000c5b0] system_call_common+0x150/0x268
+  LR [0000000000000000] 0x0
+  Call Trace:
+  [c00000000db73e10] [c00000000000c558] system_call_common+0xf8/0x268 (unreliable)
+  ...
+  Instruction dump:
+  7cc803a6 888d0931 2c240000 4082001c 38800000 988d0931 e8810170 e8a10178
+  7c9a03a6 7cbb03a6 7d7a02a6 e9810170 <7f0b6088> 7d7b02a6 e9810178 7f0b6088
+
+We should instead use EMIT_WARN_ENTRY, which creates an exception table
+entry for the warning, allowing the warning to be correctly recognised,
+and the code to resume after printing the warning.
+
+Note however that because this warning is buried deep in the interrupt
+return path, we are not able to recover from it (due to MSR_RI being
+clear), so we still end up in die() with an unrecoverable exception.
+
+Fixes: 59dc5bfca0cb ("powerpc/64s: avoid reloading (H)SRR registers if they are still valid")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211221135101.2085547-2-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/interrupt_64.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/interrupt_64.S b/arch/powerpc/kernel/interrupt_64.S
+index 894588b2381e5..4b1ff94e67eb4 100644
+--- a/arch/powerpc/kernel/interrupt_64.S
++++ b/arch/powerpc/kernel/interrupt_64.S
+@@ -32,21 +32,21 @@ COMPAT_SYS_CALL_TABLE:
+       ld      r12,_NIP(r1)
+       clrrdi  r12,r12,2
+ 100:  tdne    r11,r12
+-      EMIT_BUG_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
++      EMIT_WARN_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
+       mfspr   r11,SPRN_SRR1
+       ld      r12,_MSR(r1)
+ 100:  tdne    r11,r12
+-      EMIT_BUG_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
++      EMIT_WARN_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
+       .else
+       mfspr   r11,SPRN_HSRR0
+       ld      r12,_NIP(r1)
+       clrrdi  r12,r12,2
+ 100:  tdne    r11,r12
+-      EMIT_BUG_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
++      EMIT_WARN_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
+       mfspr   r11,SPRN_HSRR1
+       ld      r12,_MSR(r1)
+ 100:  tdne    r11,r12
+-      EMIT_BUG_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
++      EMIT_WARN_ENTRY 100b,__FILE__,__LINE__,(BUGFLAG_WARNING | BUGFLAG_ONCE)
+       .endif
+ #endif
+ .endm
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-6xx-add-missing-of_node_put.patch b/queue-5.16/powerpc-6xx-add-missing-of_node_put.patch
new file mode 100644 (file)
index 0000000..69a057c
--- /dev/null
@@ -0,0 +1,64 @@
+From 9aaff9ff3409482024b36a860f71bb0a2facffc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2015 20:33:19 +0000
+Subject: powerpc/6xx: add missing of_node_put
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit f6e82647ff71d427d4148964b71f239fba9d7937 ]
+
+for_each_compatible_node performs an of_node_get on each iteration, so
+a break out of the loop requires an of_node_put.
+
+A simplified version of the semantic patch that fixes this problem is as
+follows (http://coccinelle.lip6.fr):
+
+// <smpl>
+@@
+expression e;
+local idexpression n;
+@@
+
+@@
+local idexpression n;
+expression e;
+@@
+
+ for_each_compatible_node(n,...) {
+   ...
+(
+   of_node_put(n);
+|
+   e = n
+|
++  of_node_put(n);
+?  break;
+)
+   ...
+ }
+... when != n
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1448051604-25256-2-git-send-email-Julia.Lawall@lip6.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
+index 15396333a90bd..a4b020e4b6af0 100644
+--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
+@@ -214,6 +214,7 @@ void hlwd_pic_probe(void)
+                       irq_set_chained_handler(cascade_virq,
+                                               hlwd_pic_irq_cascade);
+                       hlwd_irq_host = host;
++                      of_node_put(np);
+                       break;
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-avoid-discarding-flags-in-system_call_except.patch b/queue-5.16/powerpc-avoid-discarding-flags-in-system_call_except.patch
new file mode 100644 (file)
index 0000000..c943f74
--- /dev/null
@@ -0,0 +1,60 @@
+From c0a901af0ea33de70bea656077f2182126372b51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 13:06:51 +0000
+Subject: powerpc: Avoid discarding flags in system_call_exception()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 08b0af5b2affbe7419853e8dd1330e4b3fe27125 ]
+
+Some thread flags can be set remotely, and so even when IRQs are disabled,
+the flags can change under our feet. Thus, when setting flags we must use
+an atomic operation rather than a plain read-modify-write sequence, as a
+plain read-modify-write may discard flags which are concurrently set by a
+remote thread, e.g.
+
+       // task A                       // task B
+       tmp = A->thread_info.flags;
+                                       set_tsk_thread_flag(A, NEWFLAG_B);
+       tmp |= NEWFLAG_A;
+       A->thread_info.flags = tmp;
+
+arch/powerpc/kernel/interrupt.c's system_call_exception() sets
+_TIF_RESTOREALL in the thread info flags with a read-modify-write, which
+may result in other flags being discarded.
+
+Elsewhere in the file it uses clear_bits() to atomically remove flag bits,
+so use set_bits() here for consistency with those.
+
+There may be reasons (e.g. instrumentation) that prevent the use of
+set_thread_flag() and clear_thread_flag() here, which would otherwise be
+preferable.
+
+Fixes: ae7aaecc3f2f78b7 ("powerpc/64s: system call rfscv workaround for TM bugs")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Eirik Fuller <efuller@redhat.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Link: https://lore.kernel.org/r/20211129130653.2037928-10-mark.rutland@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/interrupt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/interrupt.c b/arch/powerpc/kernel/interrupt.c
+index 835b626cd4760..df048e331cbfe 100644
+--- a/arch/powerpc/kernel/interrupt.c
++++ b/arch/powerpc/kernel/interrupt.c
+@@ -148,7 +148,7 @@ notrace long system_call_exception(long r3, long r4, long r5,
+        */
+       if (IS_ENABLED(CONFIG_PPC_TRANSACTIONAL_MEM) &&
+                       unlikely(MSR_TM_TRANSACTIONAL(regs->msr)))
+-              current_thread_info()->flags |= _TIF_RESTOREALL;
++              set_bits(_TIF_RESTOREALL, &current_thread_info()->flags);
+       /*
+        * If the system call was made with a transaction active, doom it and
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-btext-add-missing-of_node_put.patch b/queue-5.16/powerpc-btext-add-missing-of_node_put.patch
new file mode 100644 (file)
index 0000000..848b42c
--- /dev/null
@@ -0,0 +1,63 @@
+From 941f2e6e7fc5da0c7ae732a8aac6e8a071ac55e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2015 20:33:23 +0000
+Subject: powerpc/btext: add missing of_node_put
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit a1d2b210ffa52d60acabbf7b6af3ef7e1e69cda0 ]
+
+for_each_node_by_type performs an of_node_get on each iteration, so
+a break out of the loop requires an of_node_put.
+
+A simplified version of the semantic patch that fixes this problem is as
+follows (http://coccinelle.lip6.fr):
+
+// <smpl>
+@@
+local idexpression n;
+expression e;
+@@
+
+ for_each_node_by_type(n,...) {
+   ...
+(
+   of_node_put(n);
+|
+   e = n
+|
++  of_node_put(n);
+?  break;
+)
+   ...
+ }
+... when != n
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1448051604-25256-6-git-send-email-Julia.Lawall@lip6.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/btext.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/btext.c b/arch/powerpc/kernel/btext.c
+index 803c2a45b22ac..1cffb5e7c38d6 100644
+--- a/arch/powerpc/kernel/btext.c
++++ b/arch/powerpc/kernel/btext.c
+@@ -241,8 +241,10 @@ int __init btext_find_display(int allow_nonstdout)
+                       rc = btext_initialize(np);
+                       printk("result: %d\n", rc);
+               }
+-              if (rc == 0)
++              if (rc == 0) {
++                      of_node_put(np);
+                       break;
++              }
+       }
+       return rc;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-cell-add-missing-of_node_put.patch b/queue-5.16/powerpc-cell-add-missing-of_node_put.patch
new file mode 100644 (file)
index 0000000..12d029a
--- /dev/null
@@ -0,0 +1,57 @@
+From 3e647ead553d595c69e69f5c93c2e218b2a8f088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2015 21:33:24 +0100
+Subject: powerpc/cell: add missing of_node_put
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit a841fd009e51c8c0a8f07c942e9ab6bb48da8858 ]
+
+for_each_node_by_name performs an of_node_get on each iteration, so
+a break out of the loop requires an of_node_put.
+
+A simplified version of the semantic patch that fixes this problem is as
+follows (http://coccinelle.lip6.fr):
+
+// <smpl>
+@@
+expression e,e1;
+local idexpression n;
+@@
+
+ for_each_node_by_name(n, e1) {
+   ... when != of_node_put(n)
+       when != e = n
+(
+   return n;
+|
++  of_node_put(n);
+?  return ...;
+)
+   ...
+ }
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1448051604-25256-7-git-send-email-Julia.Lawall@lip6.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/iommu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c
+index fa08699aedeb8..d32f24de84798 100644
+--- a/arch/powerpc/platforms/cell/iommu.c
++++ b/arch/powerpc/platforms/cell/iommu.c
+@@ -977,6 +977,7 @@ static int __init cell_iommu_fixed_mapping_init(void)
+                       if (hbase < dbase || (hend > (dbase + dsize))) {
+                               pr_debug("iommu: hash window doesn't fit in"
+                                        "real DMA window\n");
++                              of_node_put(np);
+                               return -1;
+                       }
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch b/queue-5.16/powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch
new file mode 100644 (file)
index 0000000..261aa27
--- /dev/null
@@ -0,0 +1,133 @@
+From 905375ff80dab502aac7b1f73bc32019ca25b0b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 16:07:19 +0530
+Subject: powerpc/fadump: Fix inaccurate CPU state info in vmcore generated
+ with panic
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+[ Upstream commit 06e629c25daa519be620a8c17359ae8fc7a2e903 ]
+
+In panic path, fadump is triggered via a panic notifier function.
+Before calling panic notifier functions, smp_send_stop() gets called,
+which stops all CPUs except the panic'ing CPU. Commit 8389b37dffdc
+("powerpc: stop_this_cpu: remove the cpu from the online map.") and
+again commit bab26238bbd4 ("powerpc: Offline CPU in stop_this_cpu()")
+started marking CPUs as offline while stopping them. So, if a kernel
+has either of the above commits, vmcore captured with fadump via panic
+path would not process register data for all CPUs except the panic'ing
+CPU. Sample output of crash-utility with such vmcore:
+
+  # crash vmlinux vmcore
+  ...
+        KERNEL: vmlinux
+      DUMPFILE: vmcore  [PARTIAL DUMP]
+          CPUS: 1
+          DATE: Wed Nov 10 09:56:34 EST 2021
+        UPTIME: 00:00:42
+  LOAD AVERAGE: 2.27, 0.69, 0.24
+         TASKS: 183
+      NODENAME: XXXXXXXXX
+       RELEASE: 5.15.0+
+       VERSION: #974 SMP Wed Nov 10 04:18:19 CST 2021
+       MACHINE: ppc64le  (2500 Mhz)
+        MEMORY: 8 GB
+         PANIC: "Kernel panic - not syncing: sysrq triggered crash"
+           PID: 3394
+       COMMAND: "bash"
+          TASK: c0000000150a5f80  [THREAD_INFO: c0000000150a5f80]
+           CPU: 1
+         STATE: TASK_RUNNING (PANIC)
+
+  crash> p -x __cpu_online_mask
+  __cpu_online_mask = $1 = {
+    bits = {0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
+  }
+  crash>
+  crash>
+  crash> p -x __cpu_active_mask
+  __cpu_active_mask = $2 = {
+    bits = {0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
+  }
+  crash>
+
+While this has been the case since fadump was introduced, the issue
+was not identified for two probable reasons:
+
+  - In general, the bulk of the vmcores analyzed were from crash
+    due to exception.
+
+  - The above did change since commit 8341f2f222d7 ("sysrq: Use
+    panic() to force a crash") started using panic() instead of
+    deferencing NULL pointer to force a kernel crash. But then
+    commit de6e5d38417e ("powerpc: smp_send_stop do not offline
+    stopped CPUs") stopped marking CPUs as offline till kernel
+    commit bab26238bbd4 ("powerpc: Offline CPU in stop_this_cpu()")
+    reverted that change.
+
+To ensure post processing register data of all other CPUs happens
+as intended, let panic() function take the crash friendly path (read
+crash_smp_send_stop()) with the help of crash_kexec_post_notifiers
+option. Also, as register data for all CPUs is captured by f/w, skip
+IPI callbacks here for fadump, to avoid any complications in finding
+the right backtraces.
+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211207103719.91117-2-hbathini@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/fadump.c |  8 ++++++++
+ arch/powerpc/kernel/smp.c    | 10 ++++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index b7ceb041743c9..60f5fc14aa235 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -1641,6 +1641,14 @@ int __init setup_fadump(void)
+       else if (fw_dump.reserve_dump_area_size)
+               fw_dump.ops->fadump_init_mem_struct(&fw_dump);
++      /*
++       * In case of panic, fadump is triggered via ppc_panic_event()
++       * panic notifier. Setting crash_kexec_post_notifiers to 'true'
++       * lets panic() function take crash friendly path before panic
++       * notifiers are invoked.
++       */
++      crash_kexec_post_notifiers = true;
++
+       return 1;
+ }
+ subsys_initcall(setup_fadump);
+diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
+index 7201fdcf02f1c..c338f9d8ab37a 100644
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -61,6 +61,7 @@
+ #include <asm/cpu_has_feature.h>
+ #include <asm/ftrace.h>
+ #include <asm/kup.h>
++#include <asm/fadump.h>
+ #ifdef DEBUG
+ #include <asm/udbg.h>
+@@ -638,6 +639,15 @@ void crash_smp_send_stop(void)
+ {
+       static bool stopped = false;
++      /*
++       * In case of fadump, register data for all CPUs is captured by f/w
++       * on ibm,os-term rtas call. Skip IPI callbacks to other CPUs before
++       * this rtas call to avoid tricky post processing of those CPUs'
++       * backtraces.
++       */
++      if (should_fadump_crash())
++              return;
++
+       if (stopped)
+               return;
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch b/queue-5.16/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch
new file mode 100644 (file)
index 0000000..3f69e5d
--- /dev/null
@@ -0,0 +1,76 @@
+From fbc123b3cf7ce8f88a8aa405a2108a4fac1b7903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 16:07:18 +0530
+Subject: powerpc: handle kdump appropriately with crash_kexec_post_notifiers
+ option
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+[ Upstream commit 219572d2fc4135b5ce65c735d881787d48b10e71 ]
+
+Kdump can be triggered after panic_notifers since commit f06e5153f4ae2
+("kernel/panic.c: add "crash_kexec_post_notifiers" option for kdump
+after panic_notifers") introduced crash_kexec_post_notifiers option.
+But using this option would mean smp_send_stop(), that marks all other
+CPUs as offline, gets called before kdump is triggered. As a result,
+kdump routines fail to save other CPUs' registers. To fix this, kdump
+friendly crash_smp_send_stop() function was introduced with kernel
+commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump
+friendly version in panic path"). Override this kdump friendly weak
+function to handle crash_kexec_post_notifiers option appropriately
+on powerpc.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+[Fixed signature of crash_stop_this_cpu() - reported by lkp@intel.com]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211207103719.91117-1-hbathini@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/smp.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
+index aee3a7119f977..7201fdcf02f1c 100644
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -620,6 +620,36 @@ void crash_send_ipi(void (*crash_ipi_callback)(struct pt_regs *))
+ }
+ #endif
++#ifdef CONFIG_NMI_IPI
++static void crash_stop_this_cpu(struct pt_regs *regs)
++#else
++static void crash_stop_this_cpu(void *dummy)
++#endif
++{
++      /*
++       * Just busy wait here and avoid marking CPU as offline to ensure
++       * register data is captured appropriately.
++       */
++      while (1)
++              cpu_relax();
++}
++
++void crash_smp_send_stop(void)
++{
++      static bool stopped = false;
++
++      if (stopped)
++              return;
++
++      stopped = true;
++
++#ifdef CONFIG_NMI_IPI
++      smp_send_nmi_ipi(NMI_IPI_ALL_OTHERS, crash_stop_this_cpu, 1000000);
++#else
++      smp_call_function(crash_stop_this_cpu, NULL, 0);
++#endif /* CONFIG_NMI_IPI */
++}
++
+ #ifdef CONFIG_NMI_IPI
+ static void nmi_stop_this_cpu(struct pt_regs *regs)
+ {
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-modules-don-t-warn-on-first-module-allocatio.patch b/queue-5.16/powerpc-modules-don-t-warn-on-first-module-allocatio.patch
new file mode 100644 (file)
index 0000000..63fe343
--- /dev/null
@@ -0,0 +1,84 @@
+From 3800b689457a89754a8811dfc523de79abd6c7fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 11:10:43 +0100
+Subject: powerpc/modules: Don't WARN on first module allocation attempt
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f1797e4de1146009c888bcf8b6bb6648d55394f1 ]
+
+module_alloc() first tries to allocate module text within 24 bits direct
+jump from kernel text, and tries a wider allocation if first one fails.
+
+When first allocation fails the following is observed in kernel logs:
+
+  vmap allocation for size 2400256 failed: use vmalloc=<size> to increase size
+  systemd-udevd: vmalloc error: size 2395133, vm_struct allocation failed, mode:0xcc0(GFP_KERNEL), nodemask=(null)
+  CPU: 0 PID: 127 Comm: systemd-udevd Tainted: G        W         5.15.5-gentoo-PowerMacG4 #9
+  Call Trace:
+  [e2a53a50] [c0ba0048] dump_stack_lvl+0x80/0xb0 (unreliable)
+  [e2a53a70] [c0540128] warn_alloc+0x11c/0x2b4
+  [e2a53b50] [c0531be8] __vmalloc_node_range+0xd8/0x64c
+  [e2a53c10] [c00338c0] module_alloc+0xa0/0xac
+  [e2a53c40] [c027a368] load_module+0x2ae0/0x8148
+  [e2a53e30] [c027fc78] sys_finit_module+0xfc/0x130
+  [e2a53f30] [c0035098] ret_from_syscall+0x0/0x28
+  ...
+
+Add __GFP_NOWARN flag to first allocation so that no warning appears
+when it fails.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Fixes: 2ec13df16704 ("powerpc/modules: Load modules closer to kernel text")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/93c9b84d6ec76aaf7b4f03468e22433a6d308674.1638267035.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/module.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
+index ed04a3ba66fe8..40a583e9d3c70 100644
+--- a/arch/powerpc/kernel/module.c
++++ b/arch/powerpc/kernel/module.c
+@@ -90,16 +90,17 @@ int module_finalize(const Elf_Ehdr *hdr,
+ }
+ static __always_inline void *
+-__module_alloc(unsigned long size, unsigned long start, unsigned long end)
++__module_alloc(unsigned long size, unsigned long start, unsigned long end, bool nowarn)
+ {
+       pgprot_t prot = strict_module_rwx_enabled() ? PAGE_KERNEL : PAGE_KERNEL_EXEC;
++      gfp_t gfp = GFP_KERNEL | (nowarn ? __GFP_NOWARN : 0);
+       /*
+        * Don't do huge page allocations for modules yet until more testing
+        * is done. STRICT_MODULE_RWX may require extra work to support this
+        * too.
+        */
+-      return __vmalloc_node_range(size, 1, start, end, GFP_KERNEL, prot,
++      return __vmalloc_node_range(size, 1, start, end, gfp, prot,
+                                   VM_FLUSH_RESET_PERMS | VM_NO_HUGE_VMAP,
+                                   NUMA_NO_NODE, __builtin_return_address(0));
+ }
+@@ -114,13 +115,13 @@ void *module_alloc(unsigned long size)
+       /* First try within 32M limit from _etext to avoid branch trampolines */
+       if (MODULES_VADDR < PAGE_OFFSET && MODULES_END > limit)
+-              ptr = __module_alloc(size, limit, MODULES_END);
++              ptr = __module_alloc(size, limit, MODULES_END, true);
+       if (!ptr)
+-              ptr = __module_alloc(size, MODULES_VADDR, MODULES_END);
++              ptr = __module_alloc(size, MODULES_VADDR, MODULES_END, false);
+       return ptr;
+ #else
+-      return __module_alloc(size, VMALLOC_START, VMALLOC_END);
++      return __module_alloc(size, VMALLOC_START, VMALLOC_END, false);
+ #endif
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch b/queue-5.16/powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch
new file mode 100644 (file)
index 0000000..ee4a204
--- /dev/null
@@ -0,0 +1,275 @@
+From a90b031693b13fc7c3934214e13a379eeb661227 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 01:48:29 -0400
+Subject: powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting
+ an overflown PMC
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit 2c9ac51b850d84ee496b0a5d832ce66d411ae552 ]
+
+Running perf fuzzer showed below in dmesg logs:
+  "Can't find PMC that caused IRQ"
+
+This means a PMU exception happened, but none of the PMC's (Performance
+Monitor Counter) were found to be overflown. There are some corner cases
+that clears the PMCs after PMI gets masked. In such cases, the perf
+interrupt handler will not find the active PMC values that had caused
+the overflow and thus leads to this message while replaying.
+
+Case 1: PMU Interrupt happens during replay of other interrupts and
+counter values gets cleared by PMU callbacks before replay:
+
+During replay of interrupts like timer, __do_irq() and doorbell
+exception, we conditionally enable interrupts via may_hard_irq_enable().
+This could potentially create a window to generate a PMI. Since irq soft
+mask is set to ALL_DISABLED, the PMI will get masked here. We could get
+IPIs run before perf interrupt is replayed and the PMU events could
+be deleted or stopped. This will change the PMU SPR values and resets
+the counters. Snippet of ftrace log showing PMU callbacks invoked in
+__do_irq():
+
+  <idle>-0 [051] dns. 132025441306354: __do_irq <-call_do_irq
+  <idle>-0 [051] dns. 132025441306430: irq_enter <-__do_irq
+  <idle>-0 [051] dns. 132025441306503: irq_enter_rcu <-__do_irq
+  <idle>-0 [051] dnH. 132025441306599: xive_get_irq <-__do_irq
+  <<>>
+  <idle>-0 [051] dnH. 132025441307770: generic_smp_call_function_single_interrupt <-smp_ipi_demux_relaxed
+  <idle>-0 [051] dnH. 132025441307839: flush_smp_call_function_queue <-smp_ipi_demux_relaxed
+  <idle>-0 [051] dnH. 132025441308057: _raw_spin_lock <-event_function
+  <idle>-0 [051] dnH. 132025441308206: power_pmu_disable <-perf_pmu_disable
+  <idle>-0 [051] dnH. 132025441308337: power_pmu_del <-event_sched_out
+  <idle>-0 [051] dnH. 132025441308407: power_pmu_read <-power_pmu_del
+  <idle>-0 [051] dnH. 132025441308477: read_pmc <-power_pmu_read
+  <idle>-0 [051] dnH. 132025441308590: isa207_disable_pmc <-power_pmu_del
+  <idle>-0 [051] dnH. 132025441308663: write_pmc <-power_pmu_del
+  <idle>-0 [051] dnH. 132025441308787: power_pmu_event_idx <-perf_event_update_userpage
+  <idle>-0 [051] dnH. 132025441308859: rcu_read_unlock_strict <-perf_event_update_userpage
+  <idle>-0 [051] dnH. 132025441308975: power_pmu_enable <-perf_pmu_enable
+  <<>>
+  <idle>-0 [051] dnH. 132025441311108: irq_exit <-__do_irq
+  <idle>-0 [051] dns. 132025441311319: performance_monitor_exception <-replay_soft_interrupts
+
+Case 2: PMI's masked during local_* operations, example local_add(). If
+the local_add() operation happens within a local_irq_save(), replay of
+PMI will be during local_irq_restore(). Similar to case 1, this could
+also create a window before replay where PMU events gets deleted or
+stopped.
+
+Fix it by updating the PMU callback function power_pmu_disable() to
+check for pending perf interrupt. If there is an overflown PMC and
+pending perf interrupt indicated in paca, clear the PMI bit in paca to
+drop that sample. Clearing of PMI bit is done in power_pmu_disable()
+since disable is invoked before any event gets deleted/stopped. With
+this fix, if there are more than one event running in the PMU, there is
+a chance that we clear the PMI bit for the event which is not getting
+deleted/stopped. The other events may still remain active. Hence to make
+sure we don't drop valid sample in such cases, another check is added in
+power_pmu_enable. This checks if there is an overflown PMC found among
+the active events and if so enable back the PMI bit. Two new helper
+functions are introduced to clear/set the PMI, ie
+clear_pmi_irq_pending() and set_pmi_irq_pending(). Helper function
+pmi_irq_pending() is introduced to give a warning if there is pending
+PMI bit in paca, but no PMC is overflown.
+
+Also there are corner cases which result in performance monitor
+interrupts being triggered during power_pmu_disable(). This happens
+since PMXE bit is not cleared along with disabling of other MMCR0 bits
+in the pmu_disable. Such PMI's could leave the PMU running and could
+trigger PMI again which will set MMCR0 PMAO bit. This could lead to
+spurious interrupts in some corner cases. Example, a timer after
+power_pmu_del() which will re-enable interrupts and triggers a PMI again
+since PMAO bit is still set. But fails to find valid overflow since PMC
+was cleared in power_pmu_del(). Fix that by disabling PMXE along with
+disabling of other MMCR0 bits in power_pmu_disable().
+
+We can't just replay PMI any time. Hence this approach is preferred
+rather than replaying PMI before resetting overflown PMC. Patch also
+documents core-book3s on a race condition which can trigger these PMC
+messages during idle path in PowerNV.
+
+Fixes: f442d004806e ("powerpc/64s: Add support to mask perf interrupts and replay them")
+Reported-by: Nageswara R Sastry <nasastry@in.ibm.com>
+Suggested-by: Nicholas Piggin <npiggin@gmail.com>
+Suggested-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+[mpe: Make pmi_irq_pending() return bool, reflow/reword some comments]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1626846509-1350-2-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/hw_irq.h | 40 +++++++++++++++++++++
+ arch/powerpc/perf/core-book3s.c   | 58 ++++++++++++++++++++++++++++++-
+ 2 files changed, 97 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/hw_irq.h b/arch/powerpc/include/asm/hw_irq.h
+index 21cc571ea9c2d..5c98a950eca0d 100644
+--- a/arch/powerpc/include/asm/hw_irq.h
++++ b/arch/powerpc/include/asm/hw_irq.h
+@@ -224,6 +224,42 @@ static inline bool arch_irqs_disabled(void)
+       return arch_irqs_disabled_flags(arch_local_save_flags());
+ }
++static inline void set_pmi_irq_pending(void)
++{
++      /*
++       * Invoked from PMU callback functions to set PMI bit in the paca.
++       * This has to be called with irq's disabled (via hard_irq_disable()).
++       */
++      if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG))
++              WARN_ON_ONCE(mfmsr() & MSR_EE);
++
++      get_paca()->irq_happened |= PACA_IRQ_PMI;
++}
++
++static inline void clear_pmi_irq_pending(void)
++{
++      /*
++       * Invoked from PMU callback functions to clear the pending PMI bit
++       * in the paca.
++       */
++      if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG))
++              WARN_ON_ONCE(mfmsr() & MSR_EE);
++
++      get_paca()->irq_happened &= ~PACA_IRQ_PMI;
++}
++
++static inline bool pmi_irq_pending(void)
++{
++      /*
++       * Invoked from PMU callback functions to check if there is a pending
++       * PMI bit in the paca.
++       */
++      if (get_paca()->irq_happened & PACA_IRQ_PMI)
++              return true;
++
++      return false;
++}
++
+ #ifdef CONFIG_PPC_BOOK3S
+ /*
+  * To support disabling and enabling of irq with PMI, set of
+@@ -408,6 +444,10 @@ static inline void do_hard_irq_enable(void)
+       BUILD_BUG();
+ }
++static inline void clear_pmi_irq_pending(void) { }
++static inline void set_pmi_irq_pending(void) { }
++static inline bool pmi_irq_pending(void) { return false; }
++
+ static inline void irq_soft_mask_regs_set_state(struct pt_regs *regs, unsigned long val)
+ {
+ }
+diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c
+index 73e62e9b179bc..bef6b1abce702 100644
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -857,6 +857,19 @@ static void write_pmc(int idx, unsigned long val)
+       }
+ }
++static int any_pmc_overflown(struct cpu_hw_events *cpuhw)
++{
++      int i, idx;
++
++      for (i = 0; i < cpuhw->n_events; i++) {
++              idx = cpuhw->event[i]->hw.idx;
++              if ((idx) && ((int)read_pmc(idx) < 0))
++                      return idx;
++      }
++
++      return 0;
++}
++
+ /* Called from sysrq_handle_showregs() */
+ void perf_event_print_debug(void)
+ {
+@@ -1281,11 +1294,13 @@ static void power_pmu_disable(struct pmu *pmu)
+               /*
+                * Set the 'freeze counters' bit, clear EBE/BHRBA/PMCC/PMAO/FC56
++               * Also clear PMXE to disable PMI's getting triggered in some
++               * corner cases during PMU disable.
+                */
+               val  = mmcr0 = mfspr(SPRN_MMCR0);
+               val |= MMCR0_FC;
+               val &= ~(MMCR0_EBE | MMCR0_BHRBA | MMCR0_PMCC | MMCR0_PMAO |
+-                       MMCR0_FC56);
++                       MMCR0_PMXE | MMCR0_FC56);
+               /* Set mmcr0 PMCCEXT for p10 */
+               if (ppmu->flags & PPMU_ARCH_31)
+                       val |= MMCR0_PMCCEXT;
+@@ -1299,6 +1314,23 @@ static void power_pmu_disable(struct pmu *pmu)
+               mb();
+               isync();
++              /*
++               * Some corner cases could clear the PMU counter overflow
++               * while a masked PMI is pending. One such case is when
++               * a PMI happens during interrupt replay and perf counter
++               * values are cleared by PMU callbacks before replay.
++               *
++               * If any PMC corresponding to the active PMU events are
++               * overflown, disable the interrupt by clearing the paca
++               * bit for PMI since we are disabling the PMU now.
++               * Otherwise provide a warning if there is PMI pending, but
++               * no counter is found overflown.
++               */
++              if (any_pmc_overflown(cpuhw))
++                      clear_pmi_irq_pending();
++              else
++                      WARN_ON(pmi_irq_pending());
++
+               val = mmcra = cpuhw->mmcr.mmcra;
+               /*
+@@ -1390,6 +1422,15 @@ static void power_pmu_enable(struct pmu *pmu)
+        * (possibly updated for removal of events).
+        */
+       if (!cpuhw->n_added) {
++              /*
++               * If there is any active event with an overflown PMC
++               * value, set back PACA_IRQ_PMI which would have been
++               * cleared in power_pmu_disable().
++               */
++              hard_irq_disable();
++              if (any_pmc_overflown(cpuhw))
++                      set_pmi_irq_pending();
++
+               mtspr(SPRN_MMCRA, cpuhw->mmcr.mmcra & ~MMCRA_SAMPLE_ENABLE);
+               mtspr(SPRN_MMCR1, cpuhw->mmcr.mmcr1);
+               if (ppmu->flags & PPMU_ARCH_31)
+@@ -2337,6 +2378,14 @@ static void __perf_event_interrupt(struct pt_regs *regs)
+                               break;
+                       }
+               }
++
++              /*
++               * Clear PACA_IRQ_PMI in case it was set by
++               * set_pmi_irq_pending() when PMU was enabled
++               * after accounting for interrupts.
++               */
++              clear_pmi_irq_pending();
++
+               if (!active)
+                       /* reset non active counters that have overflowed */
+                       write_pmc(i + 1, 0);
+@@ -2356,6 +2405,13 @@ static void __perf_event_interrupt(struct pt_regs *regs)
+                       }
+               }
+       }
++
++      /*
++       * During system wide profling or while specific CPU is monitored for an
++       * event, some corner cases could cause PMC to overflow in idle path. This
++       * will trigger a PMI after waking up from idle. Since counter values are _not_
++       * saved/restored in idle path, can lead to below "Can't find PMC" message.
++       */
+       if (unlikely(!found) && !arch_irq_disabled_regs(regs))
+               printk_ratelimited(KERN_WARNING "Can't find PMC that caused IRQ\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-powermac-add-additional-missing-lockdep_regi.patch b/queue-5.16/powerpc-powermac-add-additional-missing-lockdep_regi.patch
new file mode 100644 (file)
index 0000000..43c8b25
--- /dev/null
@@ -0,0 +1,53 @@
+From 991c19c330e93cdd56fe19571f4c668dc53f5b88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 17:36:52 +0000
+Subject: powerpc/powermac: Add additional missing lockdep_register_key()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit b149d5d45ac9171ed699a256f026c8ebef901112 ]
+
+Commit df1f679d19ed ("powerpc/powermac: Add missing
+lockdep_register_key()") fixed a problem that was causing a WARNING.
+
+There are two other places in the same file with the same problem
+originating from commit 9e607f72748d ("i2c_powermac: shut up lockdep
+warning").
+
+Add missing lockdep_register_key()
+
+Fixes: 9e607f72748d ("i2c_powermac: shut up lockdep warning")
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Depends-on: df1f679d19ed ("powerpc/powermac: Add missing lockdep_register_key()")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200055
+Link: https://lore.kernel.org/r/2c7e421874e21b2fb87813d768cf662f630c2ad4.1638984999.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powermac/low_i2c.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c
+index f77a59b5c2e1a..09bfe4b8f25aa 100644
+--- a/arch/powerpc/platforms/powermac/low_i2c.c
++++ b/arch/powerpc/platforms/powermac/low_i2c.c
+@@ -810,6 +810,7 @@ static void __init pmu_i2c_probe(void)
+               bus->hostdata = bus + 1;
+               bus->xfer = pmu_i2c_xfer;
+               mutex_init(&bus->mutex);
++              lockdep_register_key(&bus->lock_key);
+               lockdep_set_class(&bus->mutex, &bus->lock_key);
+               bus->flags = pmac_i2c_multibus;
+               list_add(&bus->link, &pmac_i2c_busses);
+@@ -933,6 +934,7 @@ static void __init smu_i2c_probe(void)
+               bus->hostdata = bus + 1;
+               bus->xfer = smu_i2c_xfer;
+               mutex_init(&bus->mutex);
++              lockdep_register_key(&bus->lock_key);
+               lockdep_set_class(&bus->mutex, &bus->lock_key);
+               bus->flags = 0;
+               list_add(&bus->link, &pmac_i2c_busses);
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-powermac-add-missing-lockdep_register_key.patch b/queue-5.16/powerpc-powermac-add-missing-lockdep_register_key.patch
new file mode 100644 (file)
index 0000000..be16767
--- /dev/null
@@ -0,0 +1,61 @@
+From 7f58ec5f512f760a362dc0281780592245ba7042 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 10:32:42 +0100
+Subject: powerpc/powermac: Add missing lockdep_register_key()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit df1f679d19edb9eeb67cc2f96b29375f21991945 ]
+
+KeyWest i2c @0xf8001003 irq 42 /uni-n@f8000000/i2c@f8001000
+BUG: key c2d00cbc has not been registered!
+------------[ cut here ]------------
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x4c0/0xb4c
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.5-gentoo-PowerMacG4 #9
+NIP:  c01a9428 LR: c01a9428 CTR: 00000000
+REGS: e1033cf0 TRAP: 0700   Not tainted  (5.15.5-gentoo-PowerMacG4)
+MSR:  00029032 <EE,ME,IR,DR,RI>  CR: 24002002  XER: 00000000
+
+GPR00: c01a9428 e1033db0 c2d1cf20 00000016 00000004 00000001 c01c0630 e1033a73
+GPR08: 00000000 00000000 00000000 e1033db0 24002004 00000000 f8729377 00000003
+GPR16: c1829a9c 00000000 18305357 c1416fc0 c1416f80 c006ac60 c2d00ca8 c1416f00
+GPR24: 00000000 c21586f0 c2160000 00000000 c2d00cbc c2170000 c216e1a0 c2160000
+NIP [c01a9428] lockdep_init_map_type+0x4c0/0xb4c
+LR [c01a9428] lockdep_init_map_type+0x4c0/0xb4c
+Call Trace:
+[e1033db0] [c01a9428] lockdep_init_map_type+0x4c0/0xb4c (unreliable)
+[e1033df0] [c1c177b8] kw_i2c_add+0x334/0x424
+[e1033e20] [c1c18294] pmac_i2c_init+0x9ec/0xa9c
+[e1033e80] [c1c1a790] smp_core99_probe+0xbc/0x35c
+[e1033eb0] [c1c03cb0] kernel_init_freeable+0x190/0x5a4
+[e1033f10] [c000946c] kernel_init+0x28/0x154
+[e1033f30] [c0035148] ret_from_kernel_thread+0x14/0x1c
+
+Add missing lockdep_register_key()
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/69e4f55565bb45ebb0843977801b245af0c666fe.1638264741.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powermac/low_i2c.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c
+index 09bfe4b8f25aa..df89d916236d9 100644
+--- a/arch/powerpc/platforms/powermac/low_i2c.c
++++ b/arch/powerpc/platforms/powermac/low_i2c.c
+@@ -582,6 +582,7 @@ static void __init kw_i2c_add(struct pmac_i2c_host_kw *host,
+       bus->close = kw_i2c_close;
+       bus->xfer = kw_i2c_xfer;
+       mutex_init(&bus->mutex);
++      lockdep_register_key(&bus->lock_key);
+       lockdep_set_class(&bus->mutex, &bus->lock_key);
+       if (controller == busnode)
+               bus->flags = pmac_i2c_multibus;
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-powernv-add-missing-of_node_put.patch b/queue-5.16/powerpc-powernv-add-missing-of_node_put.patch
new file mode 100644 (file)
index 0000000..cc7cd40
--- /dev/null
@@ -0,0 +1,59 @@
+From a49f9db16dacb092a9af92511a89213da1772b8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2015 20:33:21 +0000
+Subject: powerpc/powernv: add missing of_node_put
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit 7d405a939ca960162eb30c1475759cb2fdf38f8c ]
+
+for_each_compatible_node performs an of_node_get on each iteration, so
+a break out of the loop requires an of_node_put.
+
+A simplified version of the semantic patch that fixes this problem is as
+follows (http://coccinelle.lip6.fr):
+
+// <smpl>
+@@
+local idexpression n;
+expression e;
+@@
+
+ for_each_compatible_node(n,...) {
+   ...
+(
+   of_node_put(n);
+|
+   e = n
+|
++  of_node_put(n);
+?  break;
+)
+   ...
+ }
+... when != n
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1448051604-25256-4-git-send-email-Julia.Lawall@lip6.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal-lpc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c
+index 1e5d51db40f84..5390c888db162 100644
+--- a/arch/powerpc/platforms/powernv/opal-lpc.c
++++ b/arch/powerpc/platforms/powernv/opal-lpc.c
+@@ -396,6 +396,7 @@ void __init opal_lpc_init(void)
+               if (!of_get_property(np, "primary", NULL))
+                       continue;
+               opal_lpc_chip_id = of_get_ibm_chip_id(np);
++              of_node_put(np);
+               break;
+       }
+       if (opal_lpc_chip_id < 0)
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch b/queue-5.16/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch
new file mode 100644 (file)
index 0000000..6b4e483
--- /dev/null
@@ -0,0 +1,37 @@
+From cde1173a507696495a9aac4048f5b49cc97614ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 17:12:18 +0800
+Subject: powerpc/prom_init: Fix improper check of prom_getprop()
+
+From: Peiwei Hu <jlu.hpw@foxmail.com>
+
+[ Upstream commit 869fb7e5aecbc163003f93f36dcc26d0554319f6 ]
+
+prom_getprop() can return PROM_ERROR. Binary operator can not identify
+it.
+
+Fixes: 94d2dde738a5 ("[POWERPC] Efika: prune fixups and make them more carefull")
+Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/tencent_BA28CC6897B7C95A92EB8C580B5D18589105@qq.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/prom_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
+index 18b04b08b9833..f845065c860e3 100644
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -2991,7 +2991,7 @@ static void __init fixup_device_tree_efika_add_phy(void)
+       /* Check if the phy-handle property exists - bail if it does */
+       rv = prom_getprop(node, "phy-handle", prop, sizeof(prop));
+-      if (!rv)
++      if (rv <= 0)
+               return;
+       /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-smp-move-setup_profiling_timer-under-config_.patch b/queue-5.16/powerpc-smp-move-setup_profiling_timer-under-config_.patch
new file mode 100644 (file)
index 0000000..8cadcfd
--- /dev/null
@@ -0,0 +1,44 @@
+From a3cced6c36988bc2eda14dd60611ed429faa063a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 20:32:53 +1100
+Subject: powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit a4ac0d249a5db80e79d573db9e4ad29354b643a8 ]
+
+setup_profiling_timer() is only needed when CONFIG_PROFILING is enabled.
+
+Fixes the following W=1 warning when CONFIG_PROFILING=n:
+  linux/arch/powerpc/kernel/smp.c:1638:5: error: no previous prototype for ‘setup_profiling_timer’
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211124093254.1054750-5-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/smp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
+index c23ee842c4c33..aee3a7119f977 100644
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -1635,10 +1635,12 @@ void start_secondary(void *unused)
+       BUG();
+ }
++#ifdef CONFIG_PROFILING
+ int setup_profiling_timer(unsigned int multiplier)
+ {
+       return 0;
+ }
++#endif
+ static void fixup_topology(void)
+ {
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch b/queue-5.16/powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch
new file mode 100644 (file)
index 0000000..a0d28cb
--- /dev/null
@@ -0,0 +1,111 @@
+From daa53f02c19218d551ee065366bdc265d9a1c7d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 12:50:53 +1000
+Subject: powerpc/watchdog: Fix missed watchdog reset due to memory ordering
+ race
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 5dad4ba68a2483fc80d70b9dc90bbe16e1f27263 ]
+
+It is possible for all CPUs to miss the pending cpumask becoming clear,
+and then nobody resetting it, which will cause the lockup detector to
+stop working. It will eventually expire, but watchdog_smp_panic will
+avoid doing anything if the pending mask is clear and it will never be
+reset.
+
+Order the cpumask clear vs the subsequent test to close this race.
+
+Add an extra check for an empty pending mask when the watchdog fires and
+finds its bit still clear, to try to catch any other possible races or
+bugs here and keep the watchdog working. The extra test in
+arch_touch_nmi_watchdog is required to prevent the new warning from
+firing off.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Laurent Dufour <ldufour@linux.ibm.com>
+Debugged-by: Laurent Dufour <ldufour@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211110025056.2084347-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/watchdog.c | 41 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/watchdog.c b/arch/powerpc/kernel/watchdog.c
+index 3fa6d240bade2..ad94a2c6b7337 100644
+--- a/arch/powerpc/kernel/watchdog.c
++++ b/arch/powerpc/kernel/watchdog.c
+@@ -135,6 +135,10 @@ static void set_cpumask_stuck(const struct cpumask *cpumask, u64 tb)
+ {
+       cpumask_or(&wd_smp_cpus_stuck, &wd_smp_cpus_stuck, cpumask);
+       cpumask_andnot(&wd_smp_cpus_pending, &wd_smp_cpus_pending, cpumask);
++      /*
++       * See wd_smp_clear_cpu_pending()
++       */
++      smp_mb();
+       if (cpumask_empty(&wd_smp_cpus_pending)) {
+               wd_smp_last_reset_tb = tb;
+               cpumask_andnot(&wd_smp_cpus_pending,
+@@ -221,13 +225,44 @@ static void wd_smp_clear_cpu_pending(int cpu, u64 tb)
+                       cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck);
+                       wd_smp_unlock(&flags);
++              } else {
++                      /*
++                       * The last CPU to clear pending should have reset the
++                       * watchdog so we generally should not find it empty
++                       * here if our CPU was clear. However it could happen
++                       * due to a rare race with another CPU taking the
++                       * last CPU out of the mask concurrently.
++                       *
++                       * We can't add a warning for it. But just in case
++                       * there is a problem with the watchdog that is causing
++                       * the mask to not be reset, try to kick it along here.
++                       */
++                      if (unlikely(cpumask_empty(&wd_smp_cpus_pending)))
++                              goto none_pending;
+               }
+               return;
+       }
++
+       cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
++
++      /*
++       * Order the store to clear pending with the load(s) to check all
++       * words in the pending mask to check they are all empty. This orders
++       * with the same barrier on another CPU. This prevents two CPUs
++       * clearing the last 2 pending bits, but neither seeing the other's
++       * store when checking if the mask is empty, and missing an empty
++       * mask, which ends with a false positive.
++       */
++      smp_mb();
+       if (cpumask_empty(&wd_smp_cpus_pending)) {
+               unsigned long flags;
++none_pending:
++              /*
++               * Double check under lock because more than one CPU could see
++               * a clear mask with the lockless check after clearing their
++               * pending bits.
++               */
+               wd_smp_lock(&flags);
+               if (cpumask_empty(&wd_smp_cpus_pending)) {
+                       wd_smp_last_reset_tb = tb;
+@@ -318,8 +353,12 @@ void arch_touch_nmi_watchdog(void)
+ {
+       unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000;
+       int cpu = smp_processor_id();
+-      u64 tb = get_tb();
++      u64 tb;
++      if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
++              return;
++
++      tb = get_tb();
+       if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) {
+               per_cpu(wd_timer_tb, cpu) = tb;
+               wd_smp_clear_cpu_pending(cpu, tb);
+-- 
+2.34.1
+
diff --git a/queue-5.16/powerpc-xive-add-missing-null-check-after-calling-km.patch b/queue-5.16/powerpc-xive-add-missing-null-check-after-calling-km.patch
new file mode 100644 (file)
index 0000000..8b859b2
--- /dev/null
@@ -0,0 +1,44 @@
+From 291a21c3f7985d30778e09976099a6adb28b771d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Dec 2021 20:54:02 +0700
+Subject: powerpc/xive: Add missing null check after calling kmalloc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ammar Faizi <ammarfaizi2@gmail.com>
+
+[ Upstream commit 18dbfcdedc802f9500b2c29794f22a31d27639c0 ]
+
+Commit 930914b7d528fc ("powerpc/xive: Add a debugfs file to dump
+internal XIVE state") forgot to add a null check.
+
+Add it.
+
+Fixes: 930914b7d528fc6b0249bffc00564100bcf6ef75 ("powerpc/xive: Add a debugfs file to dump internal XIVE state")
+Signed-off-by: Ammar Faizi <ammarfaizi2@gmail.com>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211226135314.251221-1-ammar.faizi@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xive/spapr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c
+index f143b6f111ac0..1179632560b8d 100644
+--- a/arch/powerpc/sysdev/xive/spapr.c
++++ b/arch/powerpc/sysdev/xive/spapr.c
+@@ -653,6 +653,9 @@ static int xive_spapr_debug_show(struct seq_file *m, void *private)
+       struct xive_irq_bitmap *xibm;
+       char *buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
++      if (!buf)
++              return -ENOMEM;
++
+       list_for_each_entry(xibm, &xive_irq_bitmaps, list) {
+               memset(buf, 0, PAGE_SIZE);
+               bitmap_print_to_pagebuf(true, buf, xibm->bitmap, xibm->count);
+-- 
+2.34.1
+
diff --git a/queue-5.16/ppp-ensure-minimum-packet-size-in-ppp_write.patch b/queue-5.16/ppp-ensure-minimum-packet-size-in-ppp_write.patch
new file mode 100644 (file)
index 0000000..4a453b1
--- /dev/null
@@ -0,0 +1,104 @@
+From 7fa34042fda6ce7a4d60b263832c66b1035cf474 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 03:48:42 -0800
+Subject: ppp: ensure minimum packet size in ppp_write()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 44073187990d5629804ce0627525f6ea5cfef171 ]
+
+It seems pretty clear ppp layer assumed user space
+would always be kind to provide enough data
+in their write() to a ppp device.
+
+This patch makes sure user provides at least
+2 bytes.
+
+It adds PPP_PROTO_LEN macro that could replace
+in net-next many occurrences of hard-coded 2 value.
+
+I replaced only one occurrence to ease backports
+to stable kernels.
+
+The bug manifests in the following report:
+
+BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
+ ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740
+ __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640
+ ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661
+ ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513
+ do_iter_write+0xb0c/0x1500 fs/read_write.c:853
+ vfs_writev fs/read_write.c:924 [inline]
+ do_writev+0x645/0xe00 fs/read_write.c:967
+ __do_sys_writev fs/read_write.c:1040 [inline]
+ __se_sys_writev fs/read_write.c:1037 [inline]
+ __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:524 [inline]
+ slab_alloc_node mm/slub.c:3251 [inline]
+ __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
+ kmalloc_reserve net/core/skbuff.c:354 [inline]
+ __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501
+ do_iter_write+0xb0c/0x1500 fs/read_write.c:853
+ vfs_writev fs/read_write.c:924 [inline]
+ do_writev+0x645/0xe00 fs/read_write.c:967
+ __do_sys_writev fs/read_write.c:1040 [inline]
+ __se_sys_writev fs/read_write.c:1037 [inline]
+ __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: linux-ppp@vger.kernel.org
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 1180a0e2445fb..3ab24988198fe 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -69,6 +69,8 @@
+ #define MPHDRLEN      6       /* multilink protocol header length */
+ #define MPHDRLEN_SSN  4       /* ditto with short sequence numbers */
++#define PPP_PROTO_LEN 2
++
+ /*
+  * An instance of /dev/ppp can be associated with either a ppp
+  * interface unit or a ppp channel.  In both cases, file->private_data
+@@ -497,6 +499,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf,
+       if (!pf)
+               return -ENXIO;
++      /* All PPP packets should start with the 2-byte protocol */
++      if (count < PPP_PROTO_LEN)
++              return -EINVAL;
+       ret = -ENOMEM;
+       skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL);
+       if (!skb)
+@@ -1764,7 +1769,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
+       }
+       ++ppp->stats64.tx_packets;
+-      ppp->stats64.tx_bytes += skb->len - 2;
++      ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN;
+       switch (proto) {
+       case PPP_IP:
+-- 
+2.34.1
+
diff --git a/queue-5.16/psi-fix-psi_mem_full-state-when-tasks-are-in-memstal.patch b/queue-5.16/psi-fix-psi_mem_full-state-when-tasks-are-in-memstal.patch
new file mode 100644 (file)
index 0000000..cb511f5
--- /dev/null
@@ -0,0 +1,221 @@
+From aa7dbda1bcfce1a73afbe172c0d369d5e8d3f448 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 21:33:12 +0000
+Subject: psi: Fix PSI_MEM_FULL state when tasks are in memstall and doing
+ reclaim
+
+From: Brian Chen <brianchen118@gmail.com>
+
+[ Upstream commit cb0e52b7748737b2cf6481fdd9b920ce7e1ebbdf ]
+
+We've noticed cases where tasks in a cgroup are stalled on memory but
+there is little memory FULL pressure since tasks stay on the runqueue
+in reclaim.
+
+A simple example involves a single threaded program that keeps leaking
+and touching large amounts of memory. It runs in a cgroup with swap
+enabled, memory.high set at 10M and cpu.max ratio set at 5%. Though
+there is significant CPU pressure and memory SOME, there is barely any
+memory FULL since the task enters reclaim and stays on the runqueue.
+However, this memory-bound task is effectively stalled on memory and
+we expect memory FULL to match memory SOME in this scenario.
+
+The code is confused about memstall && running, thinking there is a
+stalled task and a productive task when there's only one task: a
+reclaimer that's counted as both. To fix this, we redefine the
+condition for PSI_MEM_FULL to check that all running tasks are in an
+active memstall instead of checking that there are no running tasks.
+
+        case PSI_MEM_FULL:
+-               return unlikely(tasks[NR_MEMSTALL] && !tasks[NR_RUNNING]);
++               return unlikely(tasks[NR_MEMSTALL] &&
++                       tasks[NR_RUNNING] == tasks[NR_MEMSTALL_RUNNING]);
+
+This will capture reclaimers. It will also capture tasks that called
+psi_memstall_enter() and are about to sleep, but this should be
+negligible noise.
+
+Signed-off-by: Brian Chen <brianchen118@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Link: https://lore.kernel.org/r/20211110213312.310243-1-brianchen118@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/psi_types.h | 13 ++++++++++-
+ kernel/sched/psi.c        | 45 ++++++++++++++++++++++++---------------
+ kernel/sched/stats.h      |  5 ++++-
+ 3 files changed, 44 insertions(+), 19 deletions(-)
+
+diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
+index 0a23300d49af7..0819c82dba920 100644
+--- a/include/linux/psi_types.h
++++ b/include/linux/psi_types.h
+@@ -21,7 +21,17 @@ enum psi_task_count {
+        * don't have to special case any state tracking for it.
+        */
+       NR_ONCPU,
+-      NR_PSI_TASK_COUNTS = 4,
++      /*
++       * For IO and CPU stalls the presence of running/oncpu tasks
++       * in the domain means a partial rather than a full stall.
++       * For memory it's not so simple because of page reclaimers:
++       * they are running/oncpu while representing a stall. To tell
++       * whether a domain has productivity left or not, we need to
++       * distinguish between regular running (i.e. productive)
++       * threads and memstall ones.
++       */
++      NR_MEMSTALL_RUNNING,
++      NR_PSI_TASK_COUNTS = 5,
+ };
+ /* Task state bitmasks */
+@@ -29,6 +39,7 @@ enum psi_task_count {
+ #define TSK_MEMSTALL  (1 << NR_MEMSTALL)
+ #define TSK_RUNNING   (1 << NR_RUNNING)
+ #define TSK_ONCPU     (1 << NR_ONCPU)
++#define TSK_MEMSTALL_RUNNING  (1 << NR_MEMSTALL_RUNNING)
+ /* Resources that workloads could be stalled on */
+ enum psi_res {
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index 1652f2bb54b79..69b19d3af690f 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -34,13 +34,19 @@
+  * delayed on that resource such that nobody is advancing and the CPU
+  * goes idle. This leaves both workload and CPU unproductive.
+  *
+- * Naturally, the FULL state doesn't exist for the CPU resource at the
+- * system level, but exist at the cgroup level, means all non-idle tasks
+- * in a cgroup are delayed on the CPU resource which used by others outside
+- * of the cgroup or throttled by the cgroup cpu.max configuration.
+- *
+  *    SOME = nr_delayed_tasks != 0
+- *    FULL = nr_delayed_tasks != 0 && nr_running_tasks == 0
++ *    FULL = nr_delayed_tasks != 0 && nr_productive_tasks == 0
++ *
++ * What it means for a task to be productive is defined differently
++ * for each resource. For IO, productive means a running task. For
++ * memory, productive means a running task that isn't a reclaimer. For
++ * CPU, productive means an oncpu task.
++ *
++ * Naturally, the FULL state doesn't exist for the CPU resource at the
++ * system level, but exist at the cgroup level. At the cgroup level,
++ * FULL means all non-idle tasks in the cgroup are delayed on the CPU
++ * resource which is being used by others outside of the cgroup or
++ * throttled by the cgroup cpu.max configuration.
+  *
+  * The percentage of wallclock time spent in those compound stall
+  * states gives pressure numbers between 0 and 100 for each resource,
+@@ -81,13 +87,13 @@
+  *
+  *    threads = min(nr_nonidle_tasks, nr_cpus)
+  *       SOME = min(nr_delayed_tasks / threads, 1)
+- *       FULL = (threads - min(nr_running_tasks, threads)) / threads
++ *       FULL = (threads - min(nr_productive_tasks, threads)) / threads
+  *
+  * For the 257 number crunchers on 256 CPUs, this yields:
+  *
+  *    threads = min(257, 256)
+  *       SOME = min(1 / 256, 1)             = 0.4%
+- *       FULL = (256 - min(257, 256)) / 256 = 0%
++ *       FULL = (256 - min(256, 256)) / 256 = 0%
+  *
+  * For the 1 out of 4 memory-delayed tasks, this yields:
+  *
+@@ -112,7 +118,7 @@
+  * For each runqueue, we track:
+  *
+  *       tSOME[cpu] = time(nr_delayed_tasks[cpu] != 0)
+- *       tFULL[cpu] = time(nr_delayed_tasks[cpu] && !nr_running_tasks[cpu])
++ *       tFULL[cpu] = time(nr_delayed_tasks[cpu] && !nr_productive_tasks[cpu])
+  *    tNONIDLE[cpu] = time(nr_nonidle_tasks[cpu] != 0)
+  *
+  * and then periodically aggregate:
+@@ -233,7 +239,8 @@ static bool test_state(unsigned int *tasks, enum psi_states state)
+       case PSI_MEM_SOME:
+               return unlikely(tasks[NR_MEMSTALL]);
+       case PSI_MEM_FULL:
+-              return unlikely(tasks[NR_MEMSTALL] && !tasks[NR_RUNNING]);
++              return unlikely(tasks[NR_MEMSTALL] &&
++                      tasks[NR_RUNNING] == tasks[NR_MEMSTALL_RUNNING]);
+       case PSI_CPU_SOME:
+               return unlikely(tasks[NR_RUNNING] > tasks[NR_ONCPU]);
+       case PSI_CPU_FULL:
+@@ -710,10 +717,11 @@ static void psi_group_change(struct psi_group *group, int cpu,
+               if (groupc->tasks[t]) {
+                       groupc->tasks[t]--;
+               } else if (!psi_bug) {
+-                      printk_deferred(KERN_ERR "psi: task underflow! cpu=%d t=%d tasks=[%u %u %u %u] clear=%x set=%x\n",
++                      printk_deferred(KERN_ERR "psi: task underflow! cpu=%d t=%d tasks=[%u %u %u %u %u] clear=%x set=%x\n",
+                                       cpu, t, groupc->tasks[0],
+                                       groupc->tasks[1], groupc->tasks[2],
+-                                      groupc->tasks[3], clear, set);
++                                      groupc->tasks[3], groupc->tasks[4],
++                                      clear, set);
+                       psi_bug = 1;
+               }
+       }
+@@ -854,12 +862,15 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
+               int clear = TSK_ONCPU, set = 0;
+               /*
+-               * When we're going to sleep, psi_dequeue() lets us handle
+-               * TSK_RUNNING and TSK_IOWAIT here, where we can combine it
+-               * with TSK_ONCPU and save walking common ancestors twice.
++               * When we're going to sleep, psi_dequeue() lets us
++               * handle TSK_RUNNING, TSK_MEMSTALL_RUNNING and
++               * TSK_IOWAIT here, where we can combine it with
++               * TSK_ONCPU and save walking common ancestors twice.
+                */
+               if (sleep) {
+                       clear |= TSK_RUNNING;
++                      if (prev->in_memstall)
++                              clear |= TSK_MEMSTALL_RUNNING;
+                       if (prev->in_iowait)
+                               set |= TSK_IOWAIT;
+               }
+@@ -908,7 +919,7 @@ void psi_memstall_enter(unsigned long *flags)
+       rq = this_rq_lock_irq(&rf);
+       current->in_memstall = 1;
+-      psi_task_change(current, 0, TSK_MEMSTALL);
++      psi_task_change(current, 0, TSK_MEMSTALL | TSK_MEMSTALL_RUNNING);
+       rq_unlock_irq(rq, &rf);
+ }
+@@ -937,7 +948,7 @@ void psi_memstall_leave(unsigned long *flags)
+       rq = this_rq_lock_irq(&rf);
+       current->in_memstall = 0;
+-      psi_task_change(current, TSK_MEMSTALL, 0);
++      psi_task_change(current, TSK_MEMSTALL | TSK_MEMSTALL_RUNNING, 0);
+       rq_unlock_irq(rq, &rf);
+ }
+diff --git a/kernel/sched/stats.h b/kernel/sched/stats.h
+index cfb0893a83d45..3a3c826dd83a7 100644
+--- a/kernel/sched/stats.h
++++ b/kernel/sched/stats.h
+@@ -118,6 +118,9 @@ static inline void psi_enqueue(struct task_struct *p, bool wakeup)
+       if (static_branch_likely(&psi_disabled))
+               return;
++      if (p->in_memstall)
++              set |= TSK_MEMSTALL_RUNNING;
++
+       if (!wakeup || p->sched_psi_wake_requeue) {
+               if (p->in_memstall)
+                       set |= TSK_MEMSTALL;
+@@ -148,7 +151,7 @@ static inline void psi_dequeue(struct task_struct *p, bool sleep)
+               return;
+       if (p->in_memstall)
+-              clear |= TSK_MEMSTALL;
++              clear |= (TSK_MEMSTALL | TSK_MEMSTALL_RUNNING);
+       psi_task_change(p, clear, 0);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/random-do-not-throw-away-excess-input-to-crng_fast_l.patch b/queue-5.16/random-do-not-throw-away-excess-input-to-crng_fast_l.patch
new file mode 100644 (file)
index 0000000..5d5e583
--- /dev/null
@@ -0,0 +1,95 @@
+From 626c45cd4e0fb0b79d5b9c81efad9134b0960438 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Dec 2021 22:10:05 +0100
+Subject: random: do not throw away excess input to crng_fast_load
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit 73c7733f122e8d0107f88655a12011f68f69e74b ]
+
+When crng_fast_load() is called by add_hwgenerator_randomness(), we
+currently will advance to crng_init==1 once we've acquired 64 bytes, and
+then throw away the rest of the buffer. Usually, that is not a problem:
+When add_hwgenerator_randomness() gets called via EFI or DT during
+setup_arch(), there won't be any IRQ randomness. Therefore, the 64 bytes
+passed by EFI exactly matches what is needed to advance to crng_init==1.
+Usually, DT seems to pass 64 bytes as well -- with one notable exception
+being kexec, which hands over 128 bytes of entropy to the kexec'd kernel.
+In that case, we'll advance to crng_init==1 once 64 of those bytes are
+consumed by crng_fast_load(), but won't continue onward feeding in bytes
+to progress to crng_init==2. This commit fixes the issue by feeding
+any leftover bytes into the next phase in add_hwgenerator_randomness().
+
+[linux@dominikbrodowski.net: rewrite commit message]
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/random.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 7470ee24db2f9..a27ae3999ff32 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -912,12 +912,14 @@ static struct crng_state *select_crng(void)
+ /*
+  * crng_fast_load() can be called by code in the interrupt service
+- * path.  So we can't afford to dilly-dally.
++ * path.  So we can't afford to dilly-dally. Returns the number of
++ * bytes processed from cp.
+  */
+-static int crng_fast_load(const char *cp, size_t len)
++static size_t crng_fast_load(const char *cp, size_t len)
+ {
+       unsigned long flags;
+       char *p;
++      size_t ret = 0;
+       if (!spin_trylock_irqsave(&primary_crng.lock, flags))
+               return 0;
+@@ -928,7 +930,7 @@ static int crng_fast_load(const char *cp, size_t len)
+       p = (unsigned char *) &primary_crng.state[4];
+       while (len > 0 && crng_init_cnt < CRNG_INIT_CNT_THRESH) {
+               p[crng_init_cnt % CHACHA_KEY_SIZE] ^= *cp;
+-              cp++; crng_init_cnt++; len--;
++              cp++; crng_init_cnt++; len--; ret++;
+       }
+       spin_unlock_irqrestore(&primary_crng.lock, flags);
+       if (crng_init_cnt >= CRNG_INIT_CNT_THRESH) {
+@@ -936,7 +938,7 @@ static int crng_fast_load(const char *cp, size_t len)
+               crng_init = 1;
+               pr_notice("fast init done\n");
+       }
+-      return 1;
++      return ret;
+ }
+ /*
+@@ -1287,7 +1289,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
+       if (unlikely(crng_init == 0)) {
+               if ((fast_pool->count >= 64) &&
+                   crng_fast_load((char *) fast_pool->pool,
+-                                 sizeof(fast_pool->pool))) {
++                                 sizeof(fast_pool->pool)) > 0) {
+                       fast_pool->count = 0;
+                       fast_pool->last = now;
+               }
+@@ -2295,8 +2297,11 @@ void add_hwgenerator_randomness(const char *buffer, size_t count,
+       struct entropy_store *poolp = &input_pool;
+       if (unlikely(crng_init == 0)) {
+-              crng_fast_load(buffer, count);
+-              return;
++              size_t ret = crng_fast_load(buffer, count);
++              count -= ret;
++              buffer += ret;
++              if (!count || crng_init == 0)
++                      return;
+       }
+       /* Suspend writing if we're above the trickle threshold.
+-- 
+2.34.1
+
diff --git a/queue-5.16/rcu-avoid-alloc_pages-when-recording-stack.patch b/queue-5.16/rcu-avoid-alloc_pages-when-recording-stack.patch
new file mode 100644 (file)
index 0000000..6188275
--- /dev/null
@@ -0,0 +1,105 @@
+From ec416921a5cb6d537410452329da1dcc56503226 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 07:23:02 +0800
+Subject: rcu: Avoid alloc_pages() when recording stack
+
+From: Jun Miao <jun.miao@intel.com>
+
+[ Upstream commit 300c0c5e721834f484b03fa3062602dd8ff48413 ]
+
+The default kasan_record_aux_stack() calls stack_depot_save() with GFP_NOWAIT,
+which in turn can then call alloc_pages(GFP_NOWAIT, ...).  In general, however,
+it is not even possible to use either GFP_ATOMIC nor GFP_NOWAIT in certain
+non-preemptive contexts/RT kernel including raw_spin_locks (see gfp.h and ab00db216c9c7).
+Fix it by instructing stackdepot to not expand stack storage via alloc_pages()
+in case it runs out by using kasan_record_aux_stack_noalloc().
+
+Jianwei Hu reported:
+BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:969
+in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 15319, name: python3
+INFO: lockdep is turned off.
+irq event stamp: 0
+  hardirqs last  enabled at (0): [<0000000000000000>] 0x0
+  hardirqs last disabled at (0): [<ffffffff856c8b13>] copy_process+0xaf3/0x2590
+  softirqs last  enabled at (0): [<ffffffff856c8b13>] copy_process+0xaf3/0x2590
+  softirqs last disabled at (0): [<0000000000000000>] 0x0
+  CPU: 6 PID: 15319 Comm: python3 Tainted: G        W  O 5.15-rc7-preempt-rt #1
+  Hardware name: Supermicro SYS-E300-9A-8C/A2SDi-8C-HLN4F, BIOS 1.1b 12/17/2018
+  Call Trace:
+    show_stack+0x52/0x58
+    dump_stack+0xa1/0xd6
+    ___might_sleep.cold+0x11c/0x12d
+    rt_spin_lock+0x3f/0xc0
+    rmqueue+0x100/0x1460
+    rmqueue+0x100/0x1460
+    mark_usage+0x1a0/0x1a0
+    ftrace_graph_ret_addr+0x2a/0xb0
+    rmqueue_pcplist.constprop.0+0x6a0/0x6a0
+     __kasan_check_read+0x11/0x20
+     __zone_watermark_ok+0x114/0x270
+     get_page_from_freelist+0x148/0x630
+     is_module_text_address+0x32/0xa0
+     __alloc_pages_nodemask+0x2f6/0x790
+     __alloc_pages_slowpath.constprop.0+0x12d0/0x12d0
+     create_prof_cpu_mask+0x30/0x30
+     alloc_pages_current+0xb1/0x150
+     stack_depot_save+0x39f/0x490
+     kasan_save_stack+0x42/0x50
+     kasan_save_stack+0x23/0x50
+     kasan_record_aux_stack+0xa9/0xc0
+     __call_rcu+0xff/0x9c0
+     call_rcu+0xe/0x10
+     put_object+0x53/0x70
+     __delete_object+0x7b/0x90
+     kmemleak_free+0x46/0x70
+     slab_free_freelist_hook+0xb4/0x160
+     kfree+0xe5/0x420
+     kfree_const+0x17/0x30
+     kobject_cleanup+0xaa/0x230
+     kobject_put+0x76/0x90
+     netdev_queue_update_kobjects+0x17d/0x1f0
+     ... ...
+     ksys_write+0xd9/0x180
+     __x64_sys_write+0x42/0x50
+     do_syscall_64+0x38/0x50
+     entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Links: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/linux/kasan.h?id=7cb3007ce2da27ec02a1a3211941e7fe6875b642
+Fixes: 84109ab58590 ("rcu: Record kvfree_call_rcu() call stack for KASAN")
+Fixes: 26e760c9a7c8 ("rcu: kasan: record and print call_rcu() call stack")
+Reported-by: Jianwei Hu <jianwei.hu@windriver.com>
+Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Acked-by: Marco Elver <elver@google.com>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Jun Miao <jun.miao@intel.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index ef8d36f580fc3..906b6887622d3 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2982,7 +2982,7 @@ __call_rcu(struct rcu_head *head, rcu_callback_t func)
+       head->func = func;
+       head->next = NULL;
+       local_irq_save(flags);
+-      kasan_record_aux_stack(head);
++      kasan_record_aux_stack_noalloc(head);
+       rdp = this_cpu_ptr(&rcu_data);
+       /* Add the callback to our list. */
+@@ -3547,7 +3547,7 @@ void kvfree_call_rcu(struct rcu_head *head, rcu_callback_t func)
+               return;
+       }
+-      kasan_record_aux_stack(ptr);
++      kasan_record_aux_stack_noalloc(ptr);
+       success = add_ptr_to_bulk_krc_lock(&krcp, &flags, ptr, !head);
+       if (!success) {
+               run_page_cache_worker(krcp);
+-- 
+2.34.1
+
diff --git a/queue-5.16/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch b/queue-5.16/rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch
new file mode 100644 (file)
index 0000000..991c467
--- /dev/null
@@ -0,0 +1,61 @@
+From 54958bbf779aea3020305a834f59a4a4aa3305df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 17:21:08 +0100
+Subject: rcu/exp: Mark current CPU as exp-QS in IPI loop second pass
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit 81f6d49cce2d2fe507e3fddcc4a6db021d9c2e7b ]
+
+Expedited RCU grace periods invoke sync_rcu_exp_select_node_cpus(), which
+takes two passes over the leaf rcu_node structure's CPUs.  The first
+pass gathers up the current CPU and CPUs that are in dynticks idle mode.
+The workqueue will report a quiescent state on their behalf later.
+The second pass sends IPIs to the rest of the CPUs, but excludes the
+current CPU, incorrectly assuming it has been included in the first
+pass's list of CPUs.
+
+Unfortunately the current CPU may have changed between the first and
+second pass, due to the fact that the various rcu_node structures'
+->lock fields have been dropped, thus momentarily enabling preemption.
+This means that if the second pass's CPU was not on the first pass's
+list, it will be ignored completely.  There will be no IPI sent to
+it, and there will be no reporting of quiescent states on its behalf.
+Unfortunately, the expedited grace period will nevertheless be waiting
+for that CPU to report a quiescent state, but with that CPU having no
+reason to believe that such a report is needed.
+
+The result will be an expedited grace period stall.
+
+Fix this by no longer excluding the current CPU from consideration during
+the second pass.
+
+Fixes: b9ad4d6ed18e ("rcu: Avoid self-IPI in sync_rcu_exp_select_node_cpus()")
+Reviewed-by: Neeraj Upadhyay <quic_neeraju@quicinc.com>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Cc: Uladzislau Rezki <urezki@gmail.com>
+Cc: Neeraj Upadhyay <quic_neeraju@quicinc.com>
+Cc: Boqun Feng <boqun.feng@gmail.com>
+Cc: Josh Triplett <josh@joshtriplett.org>
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_exp.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
+index f3947c49eee71..9e58e77b992ed 100644
+--- a/kernel/rcu/tree_exp.h
++++ b/kernel/rcu/tree_exp.h
+@@ -387,6 +387,7 @@ retry_ipi:
+                       continue;
+               }
+               if (get_cpu() == cpu) {
++                      mask_ofl_test |= mask;
+                       put_cpu();
+                       continue;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/rcutorture-avoid-soft-lockup-during-cpu-stall.patch b/queue-5.16/rcutorture-avoid-soft-lockup-during-cpu-stall.patch
new file mode 100644 (file)
index 0000000..6d87909
--- /dev/null
@@ -0,0 +1,55 @@
+From 4da65840d9447115f5ff84b978dd76d9c1a70f94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 11:37:45 -0300
+Subject: rcutorture: Avoid soft lockup during cpu stall
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+[ Upstream commit 5ff7c9f9d7e3e0f6db5b81945fa11b69d62f433a ]
+
+If we use the module stall_cpu option, we may get a soft lockup warning
+in case we also don't pass the stall_cpu_block option.
+
+Introduce the stall_no_softlockup option to avoid a soft lockup on
+cpu stall even if we don't use the stall_cpu_block option.
+
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcutorture.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
+index 8b410d982990c..05e4d6c28d1f5 100644
+--- a/kernel/rcu/rcutorture.c
++++ b/kernel/rcu/rcutorture.c
+@@ -46,6 +46,7 @@
+ #include <linux/oom.h>
+ #include <linux/tick.h>
+ #include <linux/rcupdate_trace.h>
++#include <linux/nmi.h>
+ #include "rcu.h"
+@@ -109,6 +110,8 @@ torture_param(int, shutdown_secs, 0, "Shutdown time (s), <= zero to disable.");
+ torture_param(int, stall_cpu, 0, "Stall duration (s), zero to disable.");
+ torture_param(int, stall_cpu_holdoff, 10,
+            "Time to wait before starting stall (s).");
++torture_param(bool, stall_no_softlockup, false,
++           "Avoid softlockup warning during cpu stall.");
+ torture_param(int, stall_cpu_irqsoff, 0, "Disable interrupts while stalling.");
+ torture_param(int, stall_cpu_block, 0, "Sleep while stalling.");
+ torture_param(int, stall_gp_kthread, 0,
+@@ -2052,6 +2055,8 @@ static int rcu_torture_stall(void *args)
+ #else
+                               schedule_timeout_uninterruptible(HZ);
+ #endif
++                      } else if (stall_no_softlockup) {
++                              touch_softlockup_watchdog();
+                       }
+               if (stall_cpu_irqsoff)
+                       local_irq_enable();
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch b/queue-5.16/rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch
new file mode 100644 (file)
index 0000000..5fa4733
--- /dev/null
@@ -0,0 +1,70 @@
+From 4fe3bdfca55de2646c2c7bdcc62074b8d0e037ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 09:59:04 +0100
+Subject: RDMA/bnxt_re: Scan the whole bitmap when checking if "disabling RCFW
+ with pending cmd-bit"
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a917dfb66c0a1fa1caacf3d71edcafcab48e6ff0 ]
+
+The 'cmdq->cmdq_bitmap' bitmap is 'rcfw->cmdq_depth' bits long.  The size
+stored in 'cmdq->bmap_size' is the size of the bitmap in bytes.
+
+Remove this erroneous 'bmap_size' and use 'rcfw->cmdq_depth' directly in
+'bnxt_qplib_disable_rcfw_channel()'. Otherwise some error messages may be
+missing.
+
+Other uses of 'cmdq_bitmap' already take into account 'rcfw->cmdq_depth'
+directly.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/47ed717c3070a1d0f53e7b4c768a4fd11caf365d.1636707421.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 6 ++----
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 -
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 3de854727460e..19a0778d38a2d 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -618,8 +618,6 @@ int bnxt_qplib_alloc_rcfw_channel(struct bnxt_qplib_res *res,
+       if (!cmdq->cmdq_bitmap)
+               goto fail;
+-      cmdq->bmap_size = bmap_size;
+-
+       /* Allocate one extra to hold the QP1 entries */
+       rcfw->qp_tbl_size = qp_tbl_sz + 1;
+       rcfw->qp_tbl = kcalloc(rcfw->qp_tbl_size, sizeof(struct bnxt_qplib_qp_node),
+@@ -667,8 +665,8 @@ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw)
+       iounmap(cmdq->cmdq_mbox.reg.bar_reg);
+       iounmap(creq->creq_db.reg.bar_reg);
+-      indx = find_first_bit(cmdq->cmdq_bitmap, cmdq->bmap_size);
+-      if (indx != cmdq->bmap_size)
++      indx = find_first_bit(cmdq->cmdq_bitmap, rcfw->cmdq_depth);
++      if (indx != rcfw->cmdq_depth)
+               dev_err(&rcfw->pdev->dev,
+                       "disabling RCFW with pending cmd-bit %lx\n", indx);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
+index 82faa4e4cda84..0a3d8e7da3d42 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
+@@ -152,7 +152,6 @@ struct bnxt_qplib_cmdq_ctx {
+       wait_queue_head_t               waitq;
+       unsigned long                   flags;
+       unsigned long                   *cmdq_bitmap;
+-      u32                             bmap_size;
+       u32                             seq_num;
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch b/queue-5.16/rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch
new file mode 100644 (file)
index 0000000..765a4ac
--- /dev/null
@@ -0,0 +1,66 @@
+From 68302630b7442e7dfc4f595594789e057c7feefa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 15:16:07 +0200
+Subject: RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty
+ entry
+
+From: Avihai Horon <avihaih@nvidia.com>
+
+[ Upstream commit 20679094a0161c94faf77e373fa3f7428a8e14bd ]
+
+Currently, when cma_resolve_ib_dev() searches for a matching GID it will
+stop searching after encountering the first empty GID table entry. This
+behavior is wrong since neither IB nor RoCE spec enforce tightly packed
+GID tables.
+
+For example, when the matching valid GID entry exists at index N, and if a
+GID entry is empty at index N-1, cma_resolve_ib_dev() will fail to find
+the matching valid entry.
+
+Fix it by making cma_resolve_ib_dev() continue searching even after
+encountering missing entries.
+
+Fixes: f17df3b0dede ("RDMA/cma: Add support for AF_IB to rdma_resolve_addr()")
+Link: https://lore.kernel.org/r/b7346307e3bb396c43d67d924348c6c496493991.1639055490.git.leonro@nvidia.com
+Signed-off-by: Avihai Horon <avihaih@nvidia.com>
+Reviewed-by: Mark Zhang <markzhang@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 835ac54d4a24c..a3834ef691910 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -766,6 +766,7 @@ static int cma_resolve_ib_dev(struct rdma_id_private *id_priv)
+       unsigned int p;
+       u16 pkey, index;
+       enum ib_port_state port_state;
++      int ret;
+       int i;
+       cma_dev = NULL;
+@@ -784,9 +785,14 @@ static int cma_resolve_ib_dev(struct rdma_id_private *id_priv)
+                       if (ib_get_cached_port_state(cur_dev->device, p, &port_state))
+                               continue;
+-                      for (i = 0; !rdma_query_gid(cur_dev->device,
+-                                                  p, i, &gid);
+-                           i++) {
++
++                      for (i = 0; i < cur_dev->device->port_data[p].immutable.gid_tbl_len;
++                           ++i) {
++                              ret = rdma_query_gid(cur_dev->device, p, i,
++                                                   &gid);
++                              if (ret)
++                                      continue;
++
+                               if (!memcmp(&gid, dgid, sizeof(gid))) {
+                                       cma_dev = cur_dev;
+                                       sgid = gid;
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-core-let-ib_find_gid-continue-search-even-after.patch b/queue-5.16/rdma-core-let-ib_find_gid-continue-search-even-after.patch
new file mode 100644 (file)
index 0000000..93d94ab
--- /dev/null
@@ -0,0 +1,47 @@
+From cf37a5739c69015e518ca243d96148421bf00a81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 15:16:06 +0200
+Subject: RDMA/core: Let ib_find_gid() continue search even after empty entry
+
+From: Avihai Horon <avihaih@nvidia.com>
+
+[ Upstream commit 483d805191a23191f8294bbf9b4e94836f5d92e4 ]
+
+Currently, ib_find_gid() will stop searching after encountering the first
+empty GID table entry. This behavior is wrong since neither IB nor RoCE
+spec enforce tightly packed GID tables.
+
+For example, when a valid GID entry exists at index N, and if a GID entry
+is empty at index N-1, ib_find_gid() will fail to find the valid entry.
+
+Fix it by making ib_find_gid() continue searching even after encountering
+missing entries.
+
+Fixes: 5eb620c81ce3 ("IB/core: Add helpers for uncached GID and P_Key searches")
+Link: https://lore.kernel.org/r/e55d331b96cecfc2cf19803d16e7109ea966882d.1639055490.git.leonro@nvidia.com
+Signed-off-by: Avihai Horon <avihaih@nvidia.com>
+Reviewed-by: Mark Zhang <markzhang@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index 22a4adda7981d..a311df07b1bdb 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -2461,7 +2461,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid,
+                    ++i) {
+                       ret = rdma_query_gid(device, port, i, &tmp_gid);
+                       if (ret)
+-                              return ret;
++                              continue;
++
+                       if (!memcmp(&tmp_gid, gid, sizeof *gid)) {
+                               *port_num = port;
+                               if (index)
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch b/queue-5.16/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch
new file mode 100644 (file)
index 0000000..c16255c
--- /dev/null
@@ -0,0 +1,37 @@
+From 72b2f95afdd526d78d4289f22d5f4be9b7bdf505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 17:25:30 +0200
+Subject: RDMA/cxgb4: Set queue pair state when being queried
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit e375b9c92985e409c4bb95dd43d34915ea7f5e28 ]
+
+The API for ib_query_qp requires the driver to set cur_qp_state on return,
+add the missing set.
+
+Fixes: 67bbc05512d8 ("RDMA/cxgb4: Add query_qp support")
+Link: https://lore.kernel.org/r/20211220152530.60399-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index d20b4ef2c853d..ffbd9a89981e7 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -2460,6 +2460,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+       memset(attr, 0, sizeof(*attr));
+       memset(init_attr, 0, sizeof(*init_attr));
+       attr->qp_state = to_ib_qp_state(qhp->attr.state);
++      attr->cur_qp_state = to_ib_qp_state(qhp->attr.state);
+       init_attr->cap.max_send_wr = qhp->attr.sq_num_entries;
+       init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries;
+       init_attr->cap.max_send_sge = qhp->attr.sq_max_sges;
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-hns-validate-the-pkey-index.patch b/queue-5.16/rdma-hns-validate-the-pkey-index.patch
new file mode 100644 (file)
index 0000000..fdbe584
--- /dev/null
@@ -0,0 +1,37 @@
+From daea9fdb5f6c6b1324477ebba1b2a6be29464862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 16:59:54 +0200
+Subject: RDMA/hns: Validate the pkey index
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 2a67fcfa0db6b4075515bd23497750849b88850f ]
+
+Before query pkey, make sure that the queried index is valid.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Link: https://lore.kernel.org/r/20211117145954.123893-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 4194b626f3c65..8233bec053ee3 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -270,6 +270,9 @@ static enum rdma_link_layer hns_roce_get_link_layer(struct ib_device *device,
+ static int hns_roce_query_pkey(struct ib_device *ib_dev, u32 port, u16 index,
+                              u16 *pkey)
+ {
++      if (index > 0)
++              return -EINVAL;
++
+       *pkey = PKEY_ID;
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch b/queue-5.16/rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch
new file mode 100644 (file)
index 0000000..a833861
--- /dev/null
@@ -0,0 +1,49 @@
+From 4e86387df53945297399e4880fa52eed8fb6c32a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 22:13:14 +0200
+Subject: RDMA/qedr: Fix reporting max_{send/recv}_wr attrs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit b1a4da64bfc189510e08df1ccb1c589e667dc7a3 ]
+
+Fix the wrongly reported max_send_wr and max_recv_wr attributes for user
+QP by making sure to save their valuse on QP creation, so when query QP is
+called the attributes will be reported correctly.
+
+Fixes: cecbcddf6461 ("qedr: Add support for QP verbs")
+Link: https://lore.kernel.org/r/20211206201314.124947-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Acked-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c
+index 9100009f0a23d..a53476653b0d9 100644
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -1931,6 +1931,7 @@ static int qedr_create_user_qp(struct qedr_dev *dev,
+       /* db offset was calculated in copy_qp_uresp, now set in the user q */
+       if (qedr_qp_has_sq(qp)) {
+               qp->usq.db_addr = ctx->dpi_addr + uresp.sq_db_offset;
++              qp->sq.max_wr = attrs->cap.max_send_wr;
+               rc = qedr_db_recovery_add(dev, qp->usq.db_addr,
+                                         &qp->usq.db_rec_data->db_data,
+                                         DB_REC_WIDTH_32B,
+@@ -1941,6 +1942,7 @@ static int qedr_create_user_qp(struct qedr_dev *dev,
+       if (qedr_qp_has_rq(qp)) {
+               qp->urq.db_addr = ctx->dpi_addr + uresp.rq_db_offset;
++              qp->rq.max_wr = attrs->cap.max_recv_wr;
+               rc = qedr_db_recovery_add(dev, qp->urq.db_addr,
+                                         &qp->urq.db_rec_data->db_data,
+                                         DB_REC_WIDTH_32B,
+-- 
+2.34.1
+
diff --git a/queue-5.16/rdma-rtrs-clt-fix-the-initial-value-of-min_latency.patch b/queue-5.16/rdma-rtrs-clt-fix-the-initial-value-of-min_latency.patch
new file mode 100644 (file)
index 0000000..8b3f49a
--- /dev/null
@@ -0,0 +1,38 @@
+From 9eb2752fb005277f134debecb19014f08164d76e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 09:10:40 +0100
+Subject: RDMA/rtrs-clt: Fix the initial value of min_latency
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 925cac6358677d3d64f9b25f205eeb3d31c9f7f8 ]
+
+The type of min_latency is ktime_t, so use KTIME_MAX to initialize the
+initial value.
+
+Fixes: dc3b66a0ce70 ("RDMA/rtrs-clt: Add a minimum latency multipath policy")
+Link: https://lore.kernel.org/r/20211124081040.19533-1-jinpu.wang@ionos.com
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Reviewed-by: Guoqing Jiang <Guoqing.Jiang@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 15c0077dd27eb..e39709dee179d 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -867,7 +867,7 @@ static struct rtrs_clt_sess *get_next_path_min_latency(struct path_it *it)
+       struct rtrs_clt_sess *min_path = NULL;
+       struct rtrs_clt *clt = it->clt;
+       struct rtrs_clt_sess *sess;
+-      ktime_t min_latency = INT_MAX;
++      ktime_t min_latency = KTIME_MAX;
+       ktime_t latency;
+       list_for_each_entry_rcu(sess, &clt->paths_list, s.entry) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/regmap-call-regmap_debugfs_exit-prior-to-_init.patch b/queue-5.16/regmap-call-regmap_debugfs_exit-prior-to-_init.patch
new file mode 100644 (file)
index 0000000..8fc3ceb
--- /dev/null
@@ -0,0 +1,61 @@
+From 03afeae600a59fa265669b176f0b23d568cbeec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 13:33:07 -0300
+Subject: regmap: Call regmap_debugfs_exit() prior to _init()
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 530792efa6cb86f5612ff093333fec735793b582 ]
+
+Since commit cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when
+calling regmap_attach_dev"), the following debugfs error is seen
+on i.MX boards:
+
+debugfs: Directory 'dummy-iomuxc-gpr@20e0000' with parent 'regmap' already present!
+
+In the attempt to fix the memory leak, the above commit added a NULL check
+for map->debugfs_name. For the first debufs entry, map->debugfs_name is NULL
+and then the new name is allocated via kasprintf().
+
+For the second debugfs entry, map->debugfs_name() is no longer NULL, so
+it will keep using the old entry name and the duplicate name error is seen.
+
+Quoting Mark Brown:
+
+"That means that if the device gets freed we'll end up with the old debugfs
+file hanging around pointing at nothing.
+...
+To be more explicit this means we need a call to regmap_debugfs_exit()
+which will clean up all the existing debugfs stuff before we loose
+references to it."
+
+Call regmap_debugfs_exit() prior to regmap_debugfs_init() to fix
+the problem.
+
+Tested on i.MX6Q and i.MX6SX boards.
+
+Fixes: cffa4b2122f5 ("regmap: debugfs: Fix a memory leak when calling regmap_attach_dev")
+Suggested-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Link: https://lore.kernel.org/r/20220107163307.335404-1-festevam@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 21a0c2562ec06..f7811641ed5ae 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -647,6 +647,7 @@ int regmap_attach_dev(struct device *dev, struct regmap *map,
+       if (ret)
+               return ret;
++      regmap_debugfs_exit(map);
+       regmap_debugfs_init(map);
+       /* Add a devres resource for dev_get_regmap() */
+-- 
+2.34.1
+
diff --git a/queue-5.16/regulator-da9121-prevent-current-limit-change-when-e.patch b/queue-5.16/regulator-da9121-prevent-current-limit-change-when-e.patch
new file mode 100644 (file)
index 0000000..5d621b3
--- /dev/null
@@ -0,0 +1,39 @@
+From 8dccdcc38a91f20c6175a6ec6540376e8b7c259c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 22:10:12 +0000
+Subject: regulator: da9121: Prevent current limit change when enabled
+
+From: Adam Ward <Adam.Ward.opensource@diasemi.com>
+
+[ Upstream commit 24f0853228f3b98f1ef08d5824376c69bb8124d2 ]
+
+Prevent changing current limit when enabled as a precaution against
+possibile instability due to tight integration with switching cycle
+
+Signed-off-by: Adam Ward <Adam.Ward.opensource@diasemi.com>
+Link: https://lore.kernel.org/r/52ee682476004a1736c1e0293358987319c1c415.1638223185.git.Adam.Ward.opensource@diasemi.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9121-regulator.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/regulator/da9121-regulator.c b/drivers/regulator/da9121-regulator.c
+index e669250902580..0a4fd449c27d1 100644
+--- a/drivers/regulator/da9121-regulator.c
++++ b/drivers/regulator/da9121-regulator.c
+@@ -253,6 +253,11 @@ static int da9121_set_current_limit(struct regulator_dev *rdev,
+               goto error;
+       }
++      if (rdev->desc->ops->is_enabled(rdev)) {
++              ret = -EBUSY;
++              goto error;
++      }
++
+       ret = da9121_ceiling_selector(rdev, min_ua, max_ua, &sel);
+       if (ret < 0)
+               goto error;
+-- 
+2.34.1
+
diff --git a/queue-5.16/regulator-qcom-labibb-ocp-interrupts-are-not-a-failu.patch b/queue-5.16/regulator-qcom-labibb-ocp-interrupts-are-not-a-failu.patch
new file mode 100644 (file)
index 0000000..91f8d49
--- /dev/null
@@ -0,0 +1,41 @@
+From cd9923f536a4e89df2644ff19f486ed5bfdc05c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 12:34:50 +0100
+Subject: regulator: qcom-labibb: OCP interrupts are not a failure while
+ disabled
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit d27bb69dc83f00f86a830298c967052cded6e784 ]
+
+Receiving the Over-Current Protection interrupt while the regulator is
+disabled does not count as unhandled/failure (IRQ_NONE, or 0 as it were)
+but a "fake event", usually due to inrush as the is regulator about to
+be enabled.
+
+Fixes: 390af53e0411 ("regulator: qcom-labibb: Implement short-circuit and over-current IRQs")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20211224113450.107958-1-marijn.suijten@somainline.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/qcom-labibb-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/qcom-labibb-regulator.c b/drivers/regulator/qcom-labibb-regulator.c
+index b3da0dc58782f..639b71eb41ffe 100644
+--- a/drivers/regulator/qcom-labibb-regulator.c
++++ b/drivers/regulator/qcom-labibb-regulator.c
+@@ -260,7 +260,7 @@ static irqreturn_t qcom_labibb_ocp_isr(int irq, void *chip)
+       /* If the regulator is not enabled, this is a fake event */
+       if (!ops->is_enabled(vreg->rdev))
+-              return 0;
++              return IRQ_HANDLED;
+       /* If we tried to recover for too many times it's not getting better */
+       if (vreg->ocp_irq_count > LABIBB_MAX_OCP_COUNT)
+-- 
+2.34.1
+
diff --git a/queue-5.16/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch b/queue-5.16/regulator-qcom_smd-align-probe-function-with-rpmh-re.patch
new file mode 100644 (file)
index 0000000..0c90073
--- /dev/null
@@ -0,0 +1,171 @@
+From c77991740bc5b9bc2f29c8eaa8a358529baacdd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Dec 2021 03:34:42 +0100
+Subject: regulator: qcom_smd: Align probe function with rpmh-regulator
+
+From: Konrad Dybcio <konrad.dybcio@somainline.org>
+
+[ Upstream commit 14e2976fbabdacb01335d7f91eeebbc89c67ddb1 ]
+
+The RPMh regulator driver is much newer and gets more attention, which in
+consequence makes it do a few things better. Update qcom_smd-regulator's
+probe function to mimic what rpmh-regulator does to address a couple of
+issues:
+
+- Probe defer now works correctly, before it used to, well,
+  kinda just die.. This fixes reliable probing on (at least) PM8994,
+  because Linux apparently cannot deal with supply map dependencies yet..
+
+- Regulator data is now matched more sanely: regulator data is matched
+  against each individual regulator node name and throwing an -EINVAL if
+  data is missing, instead of just assuming everything is fine and
+  iterating over all subsequent array members.
+
+- status = "disabled" will now work for disabling individual regulators in
+  DT. Previously it didn't seem to do much if anything at all.
+
+Signed-off-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Link: https://lore.kernel.org/r/20211230023442.1123424-1-konrad.dybcio@somainline.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/qcom_smd-regulator.c | 100 +++++++++++++++++--------
+ 1 file changed, 70 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/regulator/qcom_smd-regulator.c b/drivers/regulator/qcom_smd-regulator.c
+index 8bac024dde8b4..9fc666107a06c 100644
+--- a/drivers/regulator/qcom_smd-regulator.c
++++ b/drivers/regulator/qcom_smd-regulator.c
+@@ -9,6 +9,7 @@
+ #include <linux/of_device.h>
+ #include <linux/platform_device.h>
+ #include <linux/regulator/driver.h>
++#include <linux/regulator/of_regulator.h>
+ #include <linux/soc/qcom/smd-rpm.h>
+ struct qcom_rpm_reg {
+@@ -1239,52 +1240,91 @@ static const struct of_device_id rpm_of_match[] = {
+ };
+ MODULE_DEVICE_TABLE(of, rpm_of_match);
+-static int rpm_reg_probe(struct platform_device *pdev)
++/**
++ * rpm_regulator_init_vreg() - initialize all attributes of a qcom_smd-regulator
++ * @vreg:             Pointer to the individual qcom_smd-regulator resource
++ * @dev:              Pointer to the top level qcom_smd-regulator PMIC device
++ * @node:             Pointer to the individual qcom_smd-regulator resource
++ *                    device node
++ * @rpm:              Pointer to the rpm bus node
++ * @pmic_rpm_data:    Pointer to a null-terminated array of qcom_smd-regulator
++ *                    resources defined for the top level PMIC device
++ *
++ * Return: 0 on success, errno on failure
++ */
++static int rpm_regulator_init_vreg(struct qcom_rpm_reg *vreg, struct device *dev,
++                                 struct device_node *node, struct qcom_smd_rpm *rpm,
++                                 const struct rpm_regulator_data *pmic_rpm_data)
+ {
+-      const struct rpm_regulator_data *reg;
+-      const struct of_device_id *match;
+-      struct regulator_config config = { };
++      struct regulator_config config = {};
++      const struct rpm_regulator_data *rpm_data;
+       struct regulator_dev *rdev;
++      int ret;
++
++      for (rpm_data = pmic_rpm_data; rpm_data->name; rpm_data++)
++              if (of_node_name_eq(node, rpm_data->name))
++                      break;
++
++      if (!rpm_data->name) {
++              dev_err(dev, "Unknown regulator %pOFn\n", node);
++              return -EINVAL;
++      }
++
++      vreg->dev       = dev;
++      vreg->rpm       = rpm;
++      vreg->type      = rpm_data->type;
++      vreg->id        = rpm_data->id;
++
++      memcpy(&vreg->desc, rpm_data->desc, sizeof(vreg->desc));
++      vreg->desc.name = rpm_data->name;
++      vreg->desc.supply_name = rpm_data->supply;
++      vreg->desc.owner = THIS_MODULE;
++      vreg->desc.type = REGULATOR_VOLTAGE;
++      vreg->desc.of_match = rpm_data->name;
++
++      config.dev              = dev;
++      config.of_node          = node;
++      config.driver_data      = vreg;
++
++      rdev = devm_regulator_register(dev, &vreg->desc, &config);
++      if (IS_ERR(rdev)) {
++              ret = PTR_ERR(rdev);
++              dev_err(dev, "%pOFn: devm_regulator_register() failed, ret=%d\n", node, ret);
++              return ret;
++      }
++
++      return 0;
++}
++
++static int rpm_reg_probe(struct platform_device *pdev)
++{
++      struct device *dev = &pdev->dev;
++      const struct rpm_regulator_data *vreg_data;
++      struct device_node *node;
+       struct qcom_rpm_reg *vreg;
+       struct qcom_smd_rpm *rpm;
++      int ret;
+       rpm = dev_get_drvdata(pdev->dev.parent);
+       if (!rpm) {
+-              dev_err(&pdev->dev, "unable to retrieve handle to rpm\n");
++              dev_err(&pdev->dev, "Unable to retrieve handle to rpm\n");
+               return -ENODEV;
+       }
+-      match = of_match_device(rpm_of_match, &pdev->dev);
+-      if (!match) {
+-              dev_err(&pdev->dev, "failed to match device\n");
++      vreg_data = of_device_get_match_data(dev);
++      if (!vreg_data)
+               return -ENODEV;
+-      }
+-      for (reg = match->data; reg->name; reg++) {
++      for_each_available_child_of_node(dev->of_node, node) {
+               vreg = devm_kzalloc(&pdev->dev, sizeof(*vreg), GFP_KERNEL);
+               if (!vreg)
+                       return -ENOMEM;
+-              vreg->dev = &pdev->dev;
+-              vreg->type = reg->type;
+-              vreg->id = reg->id;
+-              vreg->rpm = rpm;
+-
+-              memcpy(&vreg->desc, reg->desc, sizeof(vreg->desc));
+-
+-              vreg->desc.id = -1;
+-              vreg->desc.owner = THIS_MODULE;
+-              vreg->desc.type = REGULATOR_VOLTAGE;
+-              vreg->desc.name = reg->name;
+-              vreg->desc.supply_name = reg->supply;
+-              vreg->desc.of_match = reg->name;
+-
+-              config.dev = &pdev->dev;
+-              config.driver_data = vreg;
+-              rdev = devm_regulator_register(&pdev->dev, &vreg->desc, &config);
+-              if (IS_ERR(rdev)) {
+-                      dev_err(&pdev->dev, "failed to register %s\n", reg->name);
+-                      return PTR_ERR(rdev);
++              ret = rpm_regulator_init_vreg(vreg, dev, node, rpm, vreg_data);
++
++              if (ret < 0) {
++                      of_node_put(node);
++                      return ret;
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch b/queue-5.16/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch
new file mode 100644 (file)
index 0000000..eadcf27
--- /dev/null
@@ -0,0 +1,51 @@
+From c30ecbd70234e904868c023f6c41fda09b776a74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Oct 2021 11:47:41 +0300
+Subject: Revert "net/mlx5e: Block offload of outer header csum for UDP
+ tunnels"
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit 64050cdad0983ad8060e33c3f4b5aee2366bcebd ]
+
+This reverts commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122.
+
+Although the NIC doesn't support offload of outer header CSUM, using
+gso_partial_features allows offloading the tunnel's segmentation. The
+driver relies on the stack CSUM calculation of the outer header. For
+this, NETIF_F_GSO_UDP_TUNNEL_CSUM must be a member of the device's
+features.
+
+Fixes: 6d6727dddc7f ("net/mlx5e: Block offload of outer header csum for UDP tunnels")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 41379844eee1f..de8acd3217c18 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4789,9 +4789,13 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev)
+       }
+       if (mlx5_vxlan_allowed(mdev->vxlan) || mlx5_geneve_tx_allowed(mdev)) {
+-              netdev->hw_features     |= NETIF_F_GSO_UDP_TUNNEL;
+-              netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL;
+-              netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL;
++              netdev->hw_features     |= NETIF_F_GSO_UDP_TUNNEL |
++                                         NETIF_F_GSO_UDP_TUNNEL_CSUM;
++              netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL |
++                                         NETIF_F_GSO_UDP_TUNNEL_CSUM;
++              netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM;
++              netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL |
++                                       NETIF_F_GSO_UDP_TUNNEL_CSUM;
+       }
+       if (mlx5e_tunnel_proto_supported_tx(mdev, IPPROTO_GRE)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch-11122 b/queue-5.16/revert-net-mlx5e-block-offload-of-outer-header-csum-.patch-11122
new file mode 100644 (file)
index 0000000..474436b
--- /dev/null
@@ -0,0 +1,48 @@
+From 35baa4e51398a0baa77392a49c41fb5a1dd810e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Oct 2021 16:52:23 +0300
+Subject: Revert "net/mlx5e: Block offload of outer header csum for GRE tunnel"
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit 01c3fd113ef50490ffd43f78f347ef6bb008510b ]
+
+This reverts commit 54e1217b90486c94b26f24dcee1ee5ef5372f832.
+
+Although the NIC doesn't support offload of outer header CSUM, using
+gso_partial_features allows offloading the tunnel's segmentation. The
+driver relies on the stack CSUM calculation of the outer header. For
+this, NETIF_F_GSO_GRE_CSUM must be a member of the device's features.
+
+Fixes: 54e1217b9048 ("net/mlx5e: Block offload of outer header csum for GRE tunnel")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index de8acd3217c18..d92b82cdfd4e1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4799,9 +4799,12 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev)
+       }
+       if (mlx5e_tunnel_proto_supported_tx(mdev, IPPROTO_GRE)) {
+-              netdev->hw_features     |= NETIF_F_GSO_GRE;
+-              netdev->hw_enc_features |= NETIF_F_GSO_GRE;
+-              netdev->gso_partial_features |= NETIF_F_GSO_GRE;
++              netdev->hw_features     |= NETIF_F_GSO_GRE |
++                                         NETIF_F_GSO_GRE_CSUM;
++              netdev->hw_enc_features |= NETIF_F_GSO_GRE |
++                                         NETIF_F_GSO_GRE_CSUM;
++              netdev->gso_partial_features |= NETIF_F_GSO_GRE |
++                                              NETIF_F_GSO_GRE_CSUM;
+       }
+       if (mlx5e_tunnel_proto_supported_tx(mdev, IPPROTO_IPIP)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/revert-nfsd-skip-some-unnecessary-stats-in-the-v4-ca.patch b/queue-5.16/revert-nfsd-skip-some-unnecessary-stats-in-the-v4-ca.patch
new file mode 100644 (file)
index 0000000..93f0a65
--- /dev/null
@@ -0,0 +1,141 @@
+From 26b44c4f897ca4260b1e7382feedfcc938ffa631 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 14:22:28 -0500
+Subject: Revert "nfsd: skip some unnecessary stats in the v4 case"
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 58f258f65267542959487dbe8b5641754411843d ]
+
+On the wire, I observed NFSv4 OPEN(CREATE) operations sometimes
+returning a reasonable-looking value in the cinfo.before field and
+zero in the cinfo.after field.
+
+RFC 8881 Section 10.8.1 says:
+> When a client is making changes to a given directory, it needs to
+> determine whether there have been changes made to the directory by
+> other clients.  It does this by using the change attribute as
+> reported before and after the directory operation in the associated
+> change_info4 value returned for the operation.
+
+and
+
+> ... The post-operation change
+> value needs to be saved as the basis for future change_info4
+> comparisons.
+
+A good quality client implementation therefore saves the zero
+cinfo.after value. During a subsequent OPEN operation, it will
+receive a different non-zero value in the cinfo.before field for
+that directory, and it will incorrectly believe the directory has
+changed, triggering an undesirable directory cache invalidation.
+
+There are filesystem types where fs_supports_change_attribute()
+returns false, tmpfs being one. On NFSv4 mounts, this means the
+fh_getattr() call site in fill_pre_wcc() and fill_post_wcc() is
+never invoked. Subsequently, nfsd4_change_attribute() is invoked
+with an uninitialized @stat argument.
+
+In fill_pre_wcc(), @stat contains stale stack garbage, which is
+then placed on the wire. In fill_post_wcc(), ->fh_post_wc is all
+zeroes, so zero is placed on the wire. Both of these values are
+meaningless.
+
+This fix can be applied immediately to stable kernels. Once there
+are more regression tests in this area, this optimization can be
+attempted again.
+
+Fixes: 428a23d2bf0c ("nfsd: skip some unnecessary stats in the v4 case")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs3xdr.c | 44 +++++++++++++++++---------------------------
+ 1 file changed, 17 insertions(+), 27 deletions(-)
+
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index c3ac1b6aa3aaa..84088581bbe09 100644
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -487,11 +487,6 @@ neither:
+       return true;
+ }
+-static bool fs_supports_change_attribute(struct super_block *sb)
+-{
+-      return sb->s_flags & SB_I_VERSION || sb->s_export_op->fetch_iversion;
+-}
+-
+ /*
+  * Fill in the pre_op attr for the wcc data
+  */
+@@ -500,26 +495,24 @@ void fill_pre_wcc(struct svc_fh *fhp)
+       struct inode    *inode;
+       struct kstat    stat;
+       bool v4 = (fhp->fh_maxsize == NFS4_FHSIZE);
++      __be32 err;
+       if (fhp->fh_no_wcc || fhp->fh_pre_saved)
+               return;
+       inode = d_inode(fhp->fh_dentry);
+-      if (fs_supports_change_attribute(inode->i_sb) || !v4) {
+-              __be32 err = fh_getattr(fhp, &stat);
+-
+-              if (err) {
+-                      /* Grab the times from inode anyway */
+-                      stat.mtime = inode->i_mtime;
+-                      stat.ctime = inode->i_ctime;
+-                      stat.size  = inode->i_size;
+-              }
+-              fhp->fh_pre_mtime = stat.mtime;
+-              fhp->fh_pre_ctime = stat.ctime;
+-              fhp->fh_pre_size  = stat.size;
++      err = fh_getattr(fhp, &stat);
++      if (err) {
++              /* Grab the times from inode anyway */
++              stat.mtime = inode->i_mtime;
++              stat.ctime = inode->i_ctime;
++              stat.size  = inode->i_size;
+       }
+       if (v4)
+               fhp->fh_pre_change = nfsd4_change_attribute(&stat, inode);
++      fhp->fh_pre_mtime = stat.mtime;
++      fhp->fh_pre_ctime = stat.ctime;
++      fhp->fh_pre_size  = stat.size;
+       fhp->fh_pre_saved = true;
+ }
+@@ -530,6 +523,7 @@ void fill_post_wcc(struct svc_fh *fhp)
+ {
+       bool v4 = (fhp->fh_maxsize == NFS4_FHSIZE);
+       struct inode *inode = d_inode(fhp->fh_dentry);
++      __be32 err;
+       if (fhp->fh_no_wcc)
+               return;
+@@ -537,16 +531,12 @@ void fill_post_wcc(struct svc_fh *fhp)
+       if (fhp->fh_post_saved)
+               printk("nfsd: inode locked twice during operation.\n");
+-      fhp->fh_post_saved = true;
+-
+-      if (fs_supports_change_attribute(inode->i_sb) || !v4) {
+-              __be32 err = fh_getattr(fhp, &fhp->fh_post_attr);
+-
+-              if (err) {
+-                      fhp->fh_post_saved = false;
+-                      fhp->fh_post_attr.ctime = inode->i_ctime;
+-              }
+-      }
++      err = fh_getattr(fhp, &fhp->fh_post_attr);
++      if (err) {
++              fhp->fh_post_saved = false;
++              fhp->fh_post_attr.ctime = inode->i_ctime;
++      } else
++              fhp->fh_post_saved = true;
+       if (v4)
+               fhp->fh_post_change =
+                       nfsd4_change_attribute(&fhp->fh_post_attr, inode);
+-- 
+2.34.1
+
diff --git a/queue-5.16/rocker-fix-a-sleeping-in-atomic-bug.patch b/queue-5.16/rocker-fix-a-sleeping-in-atomic-bug.patch
new file mode 100644 (file)
index 0000000..2f4211b
--- /dev/null
@@ -0,0 +1,38 @@
+From 90e260071c8fd64db714784b5fcd4139acee3d3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 14:57:54 +0300
+Subject: rocker: fix a sleeping in atomic bug
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 43d012123122cc69feacab55b71369f386c19566 ]
+
+This code is holding the &ofdpa->flow_tbl_lock spinlock so it is not
+allowed to sleep.  That means we have to pass the OFDPA_OP_FLAG_NOWAIT
+flag to ofdpa_flow_tbl_del().
+
+Fixes: 936bd486564a ("rocker: use FIB notifications instead of switchdev calls")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_ofdpa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c
+index 3e1ca7a8d0295..bc70c6abd6a5b 100644
+--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
+@@ -2783,7 +2783,8 @@ static void ofdpa_fib4_abort(struct rocker *rocker)
+               if (!ofdpa_port)
+                       continue;
+               nh->fib_nh_flags &= ~RTNH_F_OFFLOAD;
+-              ofdpa_flow_tbl_del(ofdpa_port, OFDPA_OP_FLAG_REMOVE,
++              ofdpa_flow_tbl_del(ofdpa_port,
++                                 OFDPA_OP_FLAG_REMOVE | OFDPA_OP_FLAG_NOWAIT,
+                                  flow_entry);
+       }
+       spin_unlock_irqrestore(&ofdpa->flow_tbl_lock, flags);
+-- 
+2.34.1
+
diff --git a/queue-5.16/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch b/queue-5.16/rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch
new file mode 100644 (file)
index 0000000..bb17a52
--- /dev/null
@@ -0,0 +1,108 @@
+From c1291c145757b41f91bf11799e2be2e1120a7885 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 16:19:23 -0400
+Subject: rsi: Fix out-of-bounds read in rsi_read_pkt()
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit f1cb3476e48b60c450ec3a1d7da0805bffc6e43a ]
+
+rsi_get_* functions rely on an offset variable from usb
+input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000),
+while 2-byte offset can be up to 0xFFFF. Thus a large offset
+can cause out-of-bounds read.
+
+The patch adds a bound checking condition when rcv_pkt_len is 0,
+indicating it's USB. It's unclear whether this is triggerable
+from other type of bus. The following check might help in that case.
+offset > rcv_pkt_len - FRAME_DESC_SZ
+
+The bug is trigerrable with conpromised/malfunctioning USB devices.
+I tested the patch with the crashing input and got no more bug report.
+
+Attached is the KASAN report from fuzzing.
+
+BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x]
+Read of size 2 at addr ffff888019439fdb by task RX-Thread/227
+
+CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66
+Call Trace:
+ dump_stack+0x76/0xa0
+ print_address_description.constprop.0+0x16/0x200
+ ? rsi_read_pkt+0x42e/0x500 [rsi_91x]
+ ? rsi_read_pkt+0x42e/0x500 [rsi_91x]
+ __kasan_report.cold+0x37/0x7c
+ ? rsi_read_pkt+0x42e/0x500 [rsi_91x]
+ kasan_report+0xe/0x20
+ rsi_read_pkt+0x42e/0x500 [rsi_91x]
+ rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb]
+ ? rsi_probe+0x16a0/0x16a0 [rsi_usb]
+ ? _raw_spin_lock_irqsave+0x7b/0xd0
+ ? _raw_spin_trylock_bh+0x120/0x120
+ ? __wake_up_common+0x10b/0x520
+ ? rsi_probe+0x16a0/0x16a0 [rsi_usb]
+ kthread+0x2b5/0x3b0
+ ? kthread_create_on_node+0xd0/0xd0
+ ret_from_fork+0x22/0x40
+
+Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YXxXS4wgu2OsmlVv@10-18-43-117.dynapool.wireless.nyu.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_main.c | 4 ++++
+ drivers/net/wireless/rsi/rsi_91x_usb.c  | 1 -
+ drivers/net/wireless/rsi/rsi_usb.h      | 2 ++
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
+index f1bf71e6c6081..5d1490fc32db4 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_main.c
++++ b/drivers/net/wireless/rsi/rsi_91x_main.c
+@@ -23,6 +23,7 @@
+ #include "rsi_common.h"
+ #include "rsi_coex.h"
+ #include "rsi_hal.h"
++#include "rsi_usb.h"
+ u32 rsi_zone_enabled = /* INFO_ZONE |
+                       INIT_ZONE |
+@@ -168,6 +169,9 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt, s32 rcv_pkt_len)
+               frame_desc = &rx_pkt[index];
+               actual_length = *(u16 *)&frame_desc[0];
+               offset = *(u16 *)&frame_desc[2];
++              if (!rcv_pkt_len && offset >
++                      RSI_MAX_RX_USB_PKT_SIZE - FRAME_DESC_SZ)
++                      goto fail;
+               queueno = rsi_get_queueno(frame_desc, offset);
+               length = rsi_get_length(frame_desc, offset);
+diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
+index 3cca1823c458a..66fe386ec9cc6 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -330,7 +330,6 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t mem_flags)
+       struct sk_buff *skb;
+       u8 dword_align_bytes = 0;
+-#define RSI_MAX_RX_USB_PKT_SIZE       3000
+       skb = dev_alloc_skb(RSI_MAX_RX_USB_PKT_SIZE);
+       if (!skb)
+               return -ENOMEM;
+diff --git a/drivers/net/wireless/rsi/rsi_usb.h b/drivers/net/wireless/rsi/rsi_usb.h
+index 254d19b664123..961851748bc4c 100644
+--- a/drivers/net/wireless/rsi/rsi_usb.h
++++ b/drivers/net/wireless/rsi/rsi_usb.h
+@@ -44,6 +44,8 @@
+ #define RSI_USB_BUF_SIZE           4096
+ #define RSI_USB_CTRL_BUF_SIZE      0x04
++#define RSI_MAX_RX_USB_PKT_SIZE       3000
++
+ struct rx_usb_ctrl_block {
+       u8 *data;
+       struct urb *rx_urb;
+-- 
+2.34.1
+
diff --git a/queue-5.16/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch b/queue-5.16/rsi-fix-use-after-free-in-rsi_rx_done_handler.patch
new file mode 100644 (file)
index 0000000..239f287
--- /dev/null
@@ -0,0 +1,88 @@
+From fe462aa4d7cefcf57d39107c199dfc9fb090f467 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Oct 2021 15:49:03 -0400
+Subject: rsi: Fix use-after-free in rsi_rx_done_handler()
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit b07e3c6ebc0c20c772c0f54042e430acec2945c3 ]
+
+When freeing rx_cb->rx_skb, the pointer is not set to NULL,
+a later rsi_rx_done_handler call will try to read the freed
+address.
+This bug will very likley lead to double free, although
+detected early as use-after-free bug.
+
+The bug is triggerable with a compromised/malfunctional usb
+device. After applying the patch, the same input no longer
+triggers the use-after-free.
+
+Attached is the kasan report from fuzzing.
+
+BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb]
+Read of size 4 at addr ffff8880188e5930 by task modprobe/231
+Call Trace:
+ <IRQ>
+ dump_stack+0x76/0xa0
+ print_address_description.constprop.0+0x16/0x200
+ ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
+ ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
+ __kasan_report.cold+0x37/0x7c
+ ? dma_direct_unmap_page+0x90/0x110
+ ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
+ kasan_report+0xe/0x20
+ rsi_rx_done_handler+0x354/0x430 [rsi_usb]
+ __usb_hcd_giveback_urb+0x1e4/0x380
+ usb_giveback_urb_bh+0x241/0x4f0
+ ? __usb_hcd_giveback_urb+0x380/0x380
+ ? apic_timer_interrupt+0xa/0x20
+ tasklet_action_common.isra.0+0x135/0x330
+ __do_softirq+0x18c/0x634
+ ? handle_irq_event+0xcd/0x157
+ ? handle_edge_irq+0x1eb/0x7b0
+ irq_exit+0x114/0x140
+ do_IRQ+0x91/0x1e0
+ common_interrupt+0xf/0xf
+ </IRQ>
+
+Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
+index 6821ea9918956..3cca1823c458a 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -269,8 +269,12 @@ static void rsi_rx_done_handler(struct urb *urb)
+       struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)rx_cb->data;
+       int status = -EINVAL;
++      if (!rx_cb->rx_skb)
++              return;
++
+       if (urb->status) {
+               dev_kfree_skb(rx_cb->rx_skb);
++              rx_cb->rx_skb = NULL;
+               return;
+       }
+@@ -294,8 +298,10 @@ out:
+       if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num, GFP_ATOMIC))
+               rsi_dbg(ERR_ZONE, "%s: Failed in urb submission", __func__);
+-      if (status)
++      if (status) {
+               dev_kfree_skb(rx_cb->rx_skb);
++              rx_cb->rx_skb = NULL;
++      }
+ }
+ static void rsi_rx_urb_kill(struct rsi_hw *adapter, u8 ep_num)
+-- 
+2.34.1
+
diff --git a/queue-5.16/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch b/queue-5.16/rtw88-8822c-update-rx-settings-to-prevent-potential-.patch
new file mode 100644 (file)
index 0000000..0259fde
--- /dev/null
@@ -0,0 +1,79 @@
+From a9b242ea72d9dcb36821cf83d2c1351beb836343 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 09:27:08 +0800
+Subject: rtw88: 8822c: update rx settings to prevent potential hw deadlock
+
+From: Po-Hao Huang <phhuang@realtek.com>
+
+[ Upstream commit c1afb26727d9e507d3e17a9890e7aaf7fc85cd55 ]
+
+These settings enables mac to detect and recover when rx fifo
+circuit deadlock occurs. Previous version missed this, so we fix it.
+
+Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20211217012708.8623-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/main.c     | 2 +-
+ drivers/net/wireless/realtek/rtw88/rtw8821c.h | 2 +-
+ drivers/net/wireless/realtek/rtw88/rtw8822b.c | 2 +-
+ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
+index a0d4d6e31fb49..dbf1ce3daeb8e 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -1868,7 +1868,7 @@ int rtw_core_init(struct rtw_dev *rtwdev)
+       /* default rx filter setting */
+       rtwdev->hal.rcr = BIT_APP_FCS | BIT_APP_MIC | BIT_APP_ICV |
+-                        BIT_HTC_LOC_CTRL | BIT_APP_PHYSTS |
++                        BIT_PKTCTL_DLEN | BIT_HTC_LOC_CTRL | BIT_APP_PHYSTS |
+                         BIT_AB | BIT_AM | BIT_APM;
+       ret = rtw_load_firmware(rtwdev, RTW_NORMAL_FW);
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.h b/drivers/net/wireless/realtek/rtw88/rtw8821c.h
+index 112faa60f653e..d9fbddd7b0f35 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.h
++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.h
+@@ -131,7 +131,7 @@ _rtw_write32s_mask(struct rtw_dev *rtwdev, u32 addr, u32 mask, u32 data)
+ #define WLAN_TX_FUNC_CFG2             0x30
+ #define WLAN_MAC_OPT_NORM_FUNC1               0x98
+ #define WLAN_MAC_OPT_LB_FUNC1         0x80
+-#define WLAN_MAC_OPT_FUNC2            0x30810041
++#define WLAN_MAC_OPT_FUNC2            0xb0810041
+ #define WLAN_SIFS_CFG (WLAN_SIFS_CCK_CONT_TX | \
+                       (WLAN_SIFS_OFDM_CONT_TX << BIT_SHIFT_SIFS_OFDM_CTX) | \
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822b.c b/drivers/net/wireless/realtek/rtw88/rtw8822b.c
+index c409c8c29ec8b..e870ad7518342 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822b.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822b.c
+@@ -205,7 +205,7 @@ static void rtw8822b_phy_set_param(struct rtw_dev *rtwdev)
+ #define WLAN_TX_FUNC_CFG2             0x30
+ #define WLAN_MAC_OPT_NORM_FUNC1               0x98
+ #define WLAN_MAC_OPT_LB_FUNC1         0x80
+-#define WLAN_MAC_OPT_FUNC2            0x30810041
++#define WLAN_MAC_OPT_FUNC2            0xb0810041
+ #define WLAN_SIFS_CFG (WLAN_SIFS_CCK_CONT_TX | \
+                       (WLAN_SIFS_OFDM_CONT_TX << BIT_SHIFT_SIFS_OFDM_CTX) | \
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+index 46b881e8e4feb..0e1c5d95d4649 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+@@ -1962,7 +1962,7 @@ static void rtw8822c_phy_set_param(struct rtw_dev *rtwdev)
+ #define WLAN_TX_FUNC_CFG2             0x30
+ #define WLAN_MAC_OPT_NORM_FUNC1               0x98
+ #define WLAN_MAC_OPT_LB_FUNC1         0x80
+-#define WLAN_MAC_OPT_FUNC2            0x30810041
++#define WLAN_MAC_OPT_FUNC2            0xb0810041
+ #define WLAN_MAC_INT_MIG_CFG          0x33330000
+ #define WLAN_SIFS_CFG (WLAN_SIFS_CCK_CONT_TX | \
+-- 
+2.34.1
+
diff --git a/queue-5.16/rtw88-add-quirk-to-disable-pci-caps-on-hp-250-g7-not.patch b/queue-5.16/rtw88-add-quirk-to-disable-pci-caps-on-hp-250-g7-not.patch
new file mode 100644 (file)
index 0000000..3888202
--- /dev/null
@@ -0,0 +1,44 @@
+From d7e29e7b5161d0975b8465dab282d44bda56c320 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 13:24:37 +0800
+Subject: rtw88: add quirk to disable pci caps on HP 250 G7 Notebook PC
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit c81edb8dddaa36c4defa26240cc19127f147283f ]
+
+8821CE causes random freezes on HP 250 G7 Notebook PC. Add a quirk
+to disable pci ASPM capability.
+
+Reported-by: rtl8821cerfe2 <rtl8821cerfe2@protonmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211119052437.8671-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
+index a7a6ebfaa203c..3b367c9085eba 100644
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -1738,6 +1738,15 @@ static const struct dmi_system_id rtw88_pci_quirks[] = {
+               },
+               .driver_data = (void *)BIT(QUIRK_DIS_PCI_CAP_ASPM),
+       },
++      {
++              .callback = disable_pci_caps,
++              .ident = "HP HP 250 G7 Notebook PC",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "HP 250 G7 Notebook PC"),
++              },
++              .driver_data = (void *)BIT(QUIRK_DIS_PCI_CAP_ASPM),
++      },
+       {}
+ };
+-- 
+2.34.1
+
diff --git a/queue-5.16/rtw88-disable-pcie-aspm-while-doing-napi-poll-on-882.patch b/queue-5.16/rtw88-disable-pcie-aspm-while-doing-napi-poll-on-882.patch
new file mode 100644 (file)
index 0000000..8bcaa5c
--- /dev/null
@@ -0,0 +1,178 @@
+From 672219690fedc9af394430846747f66bda9dc74f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 19:46:34 +0800
+Subject: rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 24f5e38a13b5ae2b6105cda8bb47c19108e62a9a ]
+
+Many Intel based platforms face system random freeze after commit
+9e2fd29864c5 ("rtw88: add napi support").
+
+The commit itself shouldn't be the culprit. My guess is that the 8821CE
+only leaves ASPM L1 for a short period when IRQ is raised. Since IRQ is
+masked during NAPI polling, the PCIe link stays at L1 and makes RX DMA
+extremely slow. Eventually the RX ring becomes messed up:
+[ 1133.194697] rtw_8821ce 0000:02:00.0: pci bus timeout, check dma status
+
+Since the 8821CE hardware may fail to leave ASPM L1, manually do it in
+the driver to resolve the issue.
+
+Fixes: 9e2fd29864c5 ("rtw88: add napi support")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215131
+BugLink: https://bugs.launchpad.net/bugs/1927808
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20211215114635.333767-1-kai.heng.feng@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.c | 70 +++++++-----------------
+ drivers/net/wireless/realtek/rtw88/pci.h |  2 +
+ 2 files changed, 21 insertions(+), 51 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
+index 3b367c9085eba..08cf66141889b 100644
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -2,7 +2,6 @@
+ /* Copyright(c) 2018-2019  Realtek Corporation
+  */
+-#include <linux/dmi.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include "main.h"
+@@ -1409,7 +1408,11 @@ static void rtw_pci_link_ps(struct rtw_dev *rtwdev, bool enter)
+        * throughput. This is probably because the ASPM behavior slightly
+        * varies from different SOC.
+        */
+-      if (rtwpci->link_ctrl & PCI_EXP_LNKCTL_ASPM_L1)
++      if (!(rtwpci->link_ctrl & PCI_EXP_LNKCTL_ASPM_L1))
++              return;
++
++      if ((enter && atomic_dec_if_positive(&rtwpci->link_usage) == 0) ||
++          (!enter && atomic_inc_return(&rtwpci->link_usage) == 1))
+               rtw_pci_aspm_set(rtwdev, enter);
+ }
+@@ -1658,6 +1661,9 @@ static int rtw_pci_napi_poll(struct napi_struct *napi, int budget)
+                                             priv);
+       int work_done = 0;
++      if (rtwpci->rx_no_aspm)
++              rtw_pci_link_ps(rtwdev, false);
++
+       while (work_done < budget) {
+               u32 work_done_once;
+@@ -1681,6 +1687,8 @@ static int rtw_pci_napi_poll(struct napi_struct *napi, int budget)
+               if (rtw_pci_get_hw_rx_ring_nr(rtwdev, rtwpci))
+                       napi_schedule(napi);
+       }
++      if (rtwpci->rx_no_aspm)
++              rtw_pci_link_ps(rtwdev, true);
+       return work_done;
+ }
+@@ -1702,59 +1710,13 @@ static void rtw_pci_napi_deinit(struct rtw_dev *rtwdev)
+       netif_napi_del(&rtwpci->napi);
+ }
+-enum rtw88_quirk_dis_pci_caps {
+-      QUIRK_DIS_PCI_CAP_MSI,
+-      QUIRK_DIS_PCI_CAP_ASPM,
+-};
+-
+-static int disable_pci_caps(const struct dmi_system_id *dmi)
+-{
+-      uintptr_t dis_caps = (uintptr_t)dmi->driver_data;
+-
+-      if (dis_caps & BIT(QUIRK_DIS_PCI_CAP_MSI))
+-              rtw_disable_msi = true;
+-      if (dis_caps & BIT(QUIRK_DIS_PCI_CAP_ASPM))
+-              rtw_pci_disable_aspm = true;
+-
+-      return 1;
+-}
+-
+-static const struct dmi_system_id rtw88_pci_quirks[] = {
+-      {
+-              .callback = disable_pci_caps,
+-              .ident = "Protempo Ltd L116HTN6SPW",
+-              .matches = {
+-                      DMI_MATCH(DMI_SYS_VENDOR, "Protempo Ltd"),
+-                      DMI_MATCH(DMI_PRODUCT_NAME, "L116HTN6SPW"),
+-              },
+-              .driver_data = (void *)BIT(QUIRK_DIS_PCI_CAP_ASPM),
+-      },
+-      {
+-              .callback = disable_pci_caps,
+-              .ident = "HP HP Pavilion Laptop 14-ce0xxx",
+-              .matches = {
+-                      DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+-                      DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion Laptop 14-ce0xxx"),
+-              },
+-              .driver_data = (void *)BIT(QUIRK_DIS_PCI_CAP_ASPM),
+-      },
+-      {
+-              .callback = disable_pci_caps,
+-              .ident = "HP HP 250 G7 Notebook PC",
+-              .matches = {
+-                      DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+-                      DMI_MATCH(DMI_PRODUCT_NAME, "HP 250 G7 Notebook PC"),
+-              },
+-              .driver_data = (void *)BIT(QUIRK_DIS_PCI_CAP_ASPM),
+-      },
+-      {}
+-};
+-
+ int rtw_pci_probe(struct pci_dev *pdev,
+                 const struct pci_device_id *id)
+ {
++      struct pci_dev *bridge = pci_upstream_bridge(pdev);
+       struct ieee80211_hw *hw;
+       struct rtw_dev *rtwdev;
++      struct rtw_pci *rtwpci;
+       int drv_data_size;
+       int ret;
+@@ -1772,6 +1734,9 @@ int rtw_pci_probe(struct pci_dev *pdev,
+       rtwdev->hci.ops = &rtw_pci_ops;
+       rtwdev->hci.type = RTW_HCI_TYPE_PCIE;
++      rtwpci = (struct rtw_pci *)rtwdev->priv;
++      atomic_set(&rtwpci->link_usage, 1);
++
+       ret = rtw_core_init(rtwdev);
+       if (ret)
+               goto err_release_hw;
+@@ -1800,7 +1765,10 @@ int rtw_pci_probe(struct pci_dev *pdev,
+               goto err_destroy_pci;
+       }
+-      dmi_check_system(rtw88_pci_quirks);
++      /* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
++      if (pdev->device == 0xc821 && bridge->vendor == PCI_VENDOR_ID_INTEL)
++              rtwpci->rx_no_aspm = true;
++
+       rtw_pci_phy_cfg(rtwdev);
+       ret = rtw_register_hw(rtwdev, hw);
+diff --git a/drivers/net/wireless/realtek/rtw88/pci.h b/drivers/net/wireless/realtek/rtw88/pci.h
+index 66f78eb7757c5..0c37efd8c66fa 100644
+--- a/drivers/net/wireless/realtek/rtw88/pci.h
++++ b/drivers/net/wireless/realtek/rtw88/pci.h
+@@ -223,6 +223,8 @@ struct rtw_pci {
+       struct rtw_pci_tx_ring tx_rings[RTK_MAX_TX_QUEUE_NUM];
+       struct rtw_pci_rx_ring rx_rings[RTK_MAX_RX_QUEUE_NUM];
+       u16 link_ctrl;
++      atomic_t link_usage;
++      bool rx_no_aspm;
+       DECLARE_BITMAP(flags, NUM_OF_RTW_PCI_FLAGS);
+       void __iomem *mmap;
+-- 
+2.34.1
+
diff --git a/queue-5.16/rtw89-don-t-kick-off-tx-dma-if-failed-to-write-skb.patch b/queue-5.16/rtw89-don-t-kick-off-tx-dma-if-failed-to-write-skb.patch
new file mode 100644 (file)
index 0000000..348491a
--- /dev/null
@@ -0,0 +1,41 @@
+From de82d18f5e6e0de6415f9439d16baed553e9076b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 17:38:16 +0800
+Subject: rtw89: don't kick off TX DMA if failed to write skb
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit a58fdb7c843a37d6598204c6513961feefdadc6a ]
+
+This is found by Smatch static checker warning:
+       drivers/net/wireless/realtek/rtw89/mac80211.c:31 rtw89_ops_tx()
+       error: uninitialized symbol 'qsel'.
+
+The warning is because 'qsel' isn't filled by rtw89_core_tx_write() due to
+failed to write. The way to fix it is to avoid kicking off TX DMA, so add
+'return' to the failure case.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20211201093816.13806-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/mac80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c
+index 16dc6fb7dbb0b..e9d61e55e2d92 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac80211.c
++++ b/drivers/net/wireless/realtek/rtw89/mac80211.c
+@@ -27,6 +27,7 @@ static void rtw89_ops_tx(struct ieee80211_hw *hw,
+       if (ret) {
+               rtw89_err(rtwdev, "failed to transmit skb: %d\n", ret);
+               ieee80211_free_txskb(hw, skb);
++              return;
+       }
+       rtw89_core_tx_kick_off(rtwdev, qsel);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/rtw89-fix-potentially-access-out-of-range-of-rf-regi.patch b/queue-5.16/rtw89-fix-potentially-access-out-of-range-of-rf-regi.patch
new file mode 100644 (file)
index 0000000..84153c4
--- /dev/null
@@ -0,0 +1,89 @@
+From 82f9f37d7d8cc32248e59b9e91153a8790f8e3e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 13:57:29 +0800
+Subject: rtw89: fix potentially access out of range of RF register array
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 30101812a09b37bc8aa409a83f603d4c072198f2 ]
+
+The RF register array is used to help firmware to restore RF settings.
+The original code can potentially access out of range, if the size is
+between (RTW89_H2C_RF_PAGE_SIZE * RTW89_H2C_RF_PAGE_NUM + 1) to
+((RTW89_H2C_RF_PAGE_SIZE + 1) * RTW89_H2C_RF_PAGE_NUM). Fortunately,
+current used size doesn't fall into the wrong case, and the size will not
+change if we don't update RF parameter.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211119055729.12826-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/phy.c | 33 ++++++++++++++----------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
+index ab134856baac7..d75e9de8df7c6 100644
+--- a/drivers/net/wireless/realtek/rtw89/phy.c
++++ b/drivers/net/wireless/realtek/rtw89/phy.c
+@@ -654,6 +654,12 @@ rtw89_phy_cofig_rf_reg_store(struct rtw89_dev *rtwdev,
+       u16 idx = info->curr_idx % RTW89_H2C_RF_PAGE_SIZE;
+       u8 page = info->curr_idx / RTW89_H2C_RF_PAGE_SIZE;
++      if (page >= RTW89_H2C_RF_PAGE_NUM) {
++              rtw89_warn(rtwdev, "RF parameters exceed size. path=%d, idx=%d",
++                         rf_path, info->curr_idx);
++              return;
++      }
++
+       info->rtw89_phy_config_rf_h2c[page][idx] =
+               cpu_to_le32((reg->addr << 20) | reg->data);
+       info->curr_idx++;
+@@ -662,30 +668,29 @@ rtw89_phy_cofig_rf_reg_store(struct rtw89_dev *rtwdev,
+ static int rtw89_phy_config_rf_reg_fw(struct rtw89_dev *rtwdev,
+                                     struct rtw89_fw_h2c_rf_reg_info *info)
+ {
+-      u16 page = info->curr_idx / RTW89_H2C_RF_PAGE_SIZE;
+-      u16 len = (info->curr_idx % RTW89_H2C_RF_PAGE_SIZE) * 4;
++      u16 remain = info->curr_idx;
++      u16 len = 0;
+       u8 i;
+       int ret = 0;
+-      if (page > RTW89_H2C_RF_PAGE_NUM) {
++      if (remain > RTW89_H2C_RF_PAGE_NUM * RTW89_H2C_RF_PAGE_SIZE) {
+               rtw89_warn(rtwdev,
+-                         "rf reg h2c total page num %d larger than %d (RTW89_H2C_RF_PAGE_NUM)\n",
+-                         page, RTW89_H2C_RF_PAGE_NUM);
+-              return -EINVAL;
++                         "rf reg h2c total len %d larger than %d\n",
++                         remain, RTW89_H2C_RF_PAGE_NUM * RTW89_H2C_RF_PAGE_SIZE);
++              ret = -EINVAL;
++              goto out;
+       }
+-      for (i = 0; i < page; i++) {
+-              ret = rtw89_fw_h2c_rf_reg(rtwdev, info,
+-                                        RTW89_H2C_RF_PAGE_SIZE * 4, i);
++      for (i = 0; i < RTW89_H2C_RF_PAGE_NUM && remain; i++, remain -= len) {
++              len = remain > RTW89_H2C_RF_PAGE_SIZE ? RTW89_H2C_RF_PAGE_SIZE : remain;
++              ret = rtw89_fw_h2c_rf_reg(rtwdev, info, len * 4, i);
+               if (ret)
+-                      return ret;
++                      goto out;
+       }
+-      ret = rtw89_fw_h2c_rf_reg(rtwdev, info, len, i);
+-      if (ret)
+-              return ret;
++out:
+       info->curr_idx = 0;
+-      return 0;
++      return ret;
+ }
+ static void rtw89_phy_config_rf_reg(struct rtw89_dev *rtwdev,
+-- 
+2.34.1
+
diff --git a/queue-5.16/samples-bpf-clean-up-samples-bpf-build-failes.patch b/queue-5.16/samples-bpf-clean-up-samples-bpf-build-failes.patch
new file mode 100644 (file)
index 0000000..a90218c
--- /dev/null
@@ -0,0 +1,101 @@
+From 11aa1d7bbdf8e12a5e934390b377b67c7c8a824e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 15:28:22 -0800
+Subject: samples/bpf: Clean up samples/bpf build failes
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 527024f7aeb683ce7ef49b07ef7ce9ecf015288d ]
+
+Remove xdp_samples_user.o rule redefinition which generates Makefile
+warning and instead override TPROGS_CFLAGS. This seems to work fine when
+building inside selftests/bpf.
+
+That was one big head-scratcher before I found that generic
+Makefile.target hid this surprising specialization for for xdp_samples_user.o.
+
+Main change is to use actual locally installed libbpf headers.
+
+Also drop printk macro re-definition (not even used!).
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211201232824.3166325-8-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/Makefile            | 13 ++++++++++++-
+ samples/bpf/Makefile.target     | 11 -----------
+ samples/bpf/lwt_len_hist_kern.c |  7 -------
+ 3 files changed, 12 insertions(+), 19 deletions(-)
+
+diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
+index a886dff1ba899..6ae62b1dc9388 100644
+--- a/samples/bpf/Makefile
++++ b/samples/bpf/Makefile
+@@ -328,7 +328,7 @@ $(BPF_SAMPLES_PATH)/*.c: verify_target_bpf $(LIBBPF)
+ $(src)/*.c: verify_target_bpf $(LIBBPF)
+ libbpf_hdrs: $(LIBBPF)
+-$(obj)/$(TRACE_HELPERS): | libbpf_hdrs
++$(obj)/$(TRACE_HELPERS) $(obj)/$(CGROUP_HELPERS) $(obj)/$(XDP_SAMPLE): | libbpf_hdrs
+ .PHONY: libbpf_hdrs
+@@ -343,6 +343,17 @@ $(obj)/hbm_out_kern.o: $(src)/hbm.h $(src)/hbm_kern.h
+ $(obj)/hbm.o: $(src)/hbm.h
+ $(obj)/hbm_edt_kern.o: $(src)/hbm.h $(src)/hbm_kern.h
++# Override includes for xdp_sample_user.o because $(srctree)/usr/include in
++# TPROGS_CFLAGS causes conflicts
++XDP_SAMPLE_CFLAGS += -Wall -O2 -lm \
++                   -I$(src)/../../tools/include \
++                   -I$(src)/../../tools/include/uapi \
++                   -I$(LIBBPF_INCLUDE) \
++                   -I$(src)/../../tools/testing/selftests/bpf
++
++$(obj)/$(XDP_SAMPLE): TPROGS_CFLAGS = $(XDP_SAMPLE_CFLAGS)
++$(obj)/$(XDP_SAMPLE): $(src)/xdp_sample_user.h $(src)/xdp_sample_shared.h
++
+ -include $(BPF_SAMPLES_PATH)/Makefile.target
+ VMLINUX_BTF_PATHS ?= $(abspath $(if $(O),$(O)/vmlinux))                               \
+diff --git a/samples/bpf/Makefile.target b/samples/bpf/Makefile.target
+index 5a368affa0386..7621f55e2947d 100644
+--- a/samples/bpf/Makefile.target
++++ b/samples/bpf/Makefile.target
+@@ -73,14 +73,3 @@ quiet_cmd_tprog-cobjs       = CC  $@
+       cmd_tprog-cobjs = $(CC) $(tprogc_flags) -c -o $@ $<
+ $(tprog-cobjs): $(obj)/%.o: $(src)/%.c FORCE
+       $(call if_changed_dep,tprog-cobjs)
+-
+-# Override includes for xdp_sample_user.o because $(srctree)/usr/include in
+-# TPROGS_CFLAGS causes conflicts
+-XDP_SAMPLE_CFLAGS += -Wall -O2 -lm \
+-                   -I./tools/include \
+-                   -I./tools/include/uapi \
+-                   -I./tools/lib \
+-                   -I./tools/testing/selftests/bpf
+-$(obj)/xdp_sample_user.o: $(src)/xdp_sample_user.c \
+-      $(src)/xdp_sample_user.h $(src)/xdp_sample_shared.h
+-      $(CC) $(XDP_SAMPLE_CFLAGS) -c -o $@ $<
+diff --git a/samples/bpf/lwt_len_hist_kern.c b/samples/bpf/lwt_len_hist_kern.c
+index 9ed63e10e1709..1fa14c54963a1 100644
+--- a/samples/bpf/lwt_len_hist_kern.c
++++ b/samples/bpf/lwt_len_hist_kern.c
+@@ -16,13 +16,6 @@
+ #include <uapi/linux/in.h>
+ #include <bpf/bpf_helpers.h>
+-# define printk(fmt, ...)                                             \
+-              ({                                                      \
+-                      char ____fmt[] = fmt;                           \
+-                      bpf_trace_printk(____fmt, sizeof(____fmt),      \
+-                                   ##__VA_ARGS__);                    \
+-              })
+-
+ struct bpf_elf_map {
+       __u32 type;
+       __u32 size_key;
+-- 
+2.34.1
+
diff --git a/queue-5.16/samples-bpf-fix-unknown-warning-group-build-warning-.patch b/queue-5.16/samples-bpf-fix-unknown-warning-group-build-warning-.patch
new file mode 100644 (file)
index 0000000..0ea90d9
--- /dev/null
@@ -0,0 +1,49 @@
+From b5cfc1d435305c910237c5c735a4e91ba1057170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 20:50:04 +0100
+Subject: samples: bpf: Fix 'unknown warning group' build warning on Clang
+
+From: Alexander Lobakin <alexandr.lobakin@intel.com>
+
+[ Upstream commit 6f670d06e47c774bc065aaa84a527a4838f34bd8 ]
+
+Clang doesn't have 'stringop-truncation' group like GCC does, and
+complains about it when building samples which use xdp_sample_user
+infra:
+
+ samples/bpf/xdp_sample_user.h:48:32: warning: unknown warning group '-Wstringop-truncation', ignored [-Wunknown-warning-option]
+ #pragma GCC diagnostic ignored "-Wstringop-truncation"
+                                ^
+[ repeat ]
+
+Those are harmless, but avoidable when guarding it with ifdef.
+I could guard push/pop as well, but this would require one more
+ifdef cruft around a single line which I don't think is reasonable.
+
+Fixes: 156f886cf697 ("samples: bpf: Add basic infrastructure for XDP samples")
+Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/bpf/20211203195004.5803-3-alexandr.lobakin@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp_sample_user.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/samples/bpf/xdp_sample_user.h b/samples/bpf/xdp_sample_user.h
+index d97465ff8c62c..5f44b877ecf5f 100644
+--- a/samples/bpf/xdp_sample_user.h
++++ b/samples/bpf/xdp_sample_user.h
+@@ -45,7 +45,9 @@ const char *get_driver_name(int ifindex);
+ int get_mac_addr(int ifindex, void *mac_addr);
+ #pragma GCC diagnostic push
++#ifndef __clang__
+ #pragma GCC diagnostic ignored "-Wstringop-truncation"
++#endif
+ __attribute__((unused))
+ static inline char *safe_strncpy(char *dst, const char *src, size_t size)
+ {
+-- 
+2.34.1
+
diff --git a/queue-5.16/samples-bpf-fix-xdp_sample_user.o-linking-with-clang.patch b/queue-5.16/samples-bpf-fix-xdp_sample_user.o-linking-with-clang.patch
new file mode 100644 (file)
index 0000000..341d127
--- /dev/null
@@ -0,0 +1,72 @@
+From a1b1e4c7f43bae0d2e0a4f3307680a34854548e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 20:50:03 +0100
+Subject: samples: bpf: Fix xdp_sample_user.o linking with Clang
+
+From: Alexander Lobakin <alexandr.lobakin@intel.com>
+
+[ Upstream commit e64fbcaa7a666f16329b1c67af15ea501bc84586 ]
+
+Clang (13) doesn't get the jokes about specifying libraries to link in
+cclags of individual .o objects:
+
+clang-13: warning: -lm: 'linker' input unused [-Wunused-command-line-argument]
+[ ... ]
+  LD  samples/bpf/xdp_redirect_cpu
+  LD  samples/bpf/xdp_redirect_map_multi
+  LD  samples/bpf/xdp_redirect_map
+  LD  samples/bpf/xdp_redirect
+  LD  samples/bpf/xdp_monitor
+/usr/bin/ld: samples/bpf/xdp_sample_user.o: in function `sample_summary_print':
+xdp_sample_user.c:(.text+0x84c): undefined reference to `floor'
+/usr/bin/ld: xdp_sample_user.c:(.text+0x870): undefined reference to `ceil'
+/usr/bin/ld: xdp_sample_user.c:(.text+0x8cf): undefined reference to `floor'
+/usr/bin/ld: xdp_sample_user.c:(.text+0x8f3): undefined reference to `ceil'
+[ more ]
+
+Specify '-lm' as ldflags for all xdp_sample_user.o users in the main
+Makefile and remove it from ccflags of ^ in Makefile.target -- just
+like it's done for all other samples. This works with all compilers.
+
+Fixes: 6e1051a54e31 ("samples: bpf: Convert xdp_monitor to XDP samples helper")
+Fixes: b926c55d856c ("samples: bpf: Convert xdp_redirect to XDP samples helper")
+Fixes: e531a220cc59 ("samples: bpf: Convert xdp_redirect_cpu to XDP samples helper")
+Fixes: bbe65865aa05 ("samples: bpf: Convert xdp_redirect_map to XDP samples helper")
+Fixes: 594a116b2aa1 ("samples: bpf: Convert xdp_redirect_map_multi to XDP samples helper")
+Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/bpf/20211203195004.5803-2-alexandr.lobakin@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/Makefile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
+index 6ae62b1dc9388..38638845db9d7 100644
+--- a/samples/bpf/Makefile
++++ b/samples/bpf/Makefile
+@@ -215,6 +215,11 @@ TPROGS_LDFLAGS := -L$(SYSROOT)/usr/lib
+ endif
+ TPROGS_LDLIBS                 += $(LIBBPF) -lelf -lz
++TPROGLDLIBS_xdp_monitor               += -lm
++TPROGLDLIBS_xdp_redirect      += -lm
++TPROGLDLIBS_xdp_redirect_cpu  += -lm
++TPROGLDLIBS_xdp_redirect_map  += -lm
++TPROGLDLIBS_xdp_redirect_map_multi += -lm
+ TPROGLDLIBS_tracex4           += -lrt
+ TPROGLDLIBS_trace_output      += -lrt
+ TPROGLDLIBS_map_perf_test     += -lrt
+@@ -345,7 +350,7 @@ $(obj)/hbm_edt_kern.o: $(src)/hbm.h $(src)/hbm_kern.h
+ # Override includes for xdp_sample_user.o because $(srctree)/usr/include in
+ # TPROGS_CFLAGS causes conflicts
+-XDP_SAMPLE_CFLAGS += -Wall -O2 -lm \
++XDP_SAMPLE_CFLAGS += -Wall -O2 \
+                    -I$(src)/../../tools/include \
+                    -I$(src)/../../tools/include/uapi \
+                    -I$(LIBBPF_INCLUDE) \
+-- 
+2.34.1
+
diff --git a/queue-5.16/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch b/queue-5.16/sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch
new file mode 100644 (file)
index 0000000..5807c49
--- /dev/null
@@ -0,0 +1,48 @@
+From 2a89a740459534137b7dc9b3fdef1427f57d881c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 14:34:50 +0000
+Subject: sched/fair: Fix detection of per-CPU kthreads waking a task
+
+From: Vincent Donnefort <vincent.donnefort@arm.com>
+
+[ Upstream commit 8b4e74ccb582797f6f0b0a50372ebd9fd2372a27 ]
+
+select_idle_sibling() has a special case for tasks woken up by a per-CPU
+kthread, where the selected CPU is the previous one. However, the current
+condition for this exit path is incomplete. A task can wake up from an
+interrupt context (e.g. hrtimer), while a per-CPU kthread is running. A
+such scenario would spuriously trigger the special case described above.
+Also, a recent change made the idle task like a regular per-CPU kthread,
+hence making that situation more likely to happen
+(is_per_cpu_kthread(swapper) being true now).
+
+Checking for task context makes sure select_idle_sibling() will not
+interpret a wake up from any other context as a wake up by a per-CPU
+kthread.
+
+Fixes: 52262ee567ad ("sched/fair: Allow a per-CPU kthread waking a task to stack on the same CPU, to fix XFS performance regression")
+Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
+Link: https://lore.kernel.org/r/20211201143450.479472-1-vincent.donnefort@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 6e476f6d94351..97d89516fbea2 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -6398,6 +6398,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+        * pattern is IO completions.
+        */
+       if (is_per_cpu_kthread(current) &&
++          in_task() &&
+           prev == smp_processor_id() &&
+           this_rq()->nr_running <= 1) {
+               return prev;
+-- 
+2.34.1
+
diff --git a/queue-5.16/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch b/queue-5.16/sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch
new file mode 100644 (file)
index 0000000..1aa07cf
--- /dev/null
@@ -0,0 +1,47 @@
+From 4eca925be5c805c6085377863d378ad9332aefcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 17:31:15 +0000
+Subject: sched/fair: Fix per-CPU kthread and wakee stacking for asym CPU
+ capacity
+
+From: Vincent Donnefort <vincent.donnefort@arm.com>
+
+[ Upstream commit 014ba44e8184e1acf93e0cbb7089ee847802f8f0 ]
+
+select_idle_sibling() has a special case for tasks woken up by a per-CPU
+kthread where the selected CPU is the previous one. For asymmetric CPU
+capacity systems, the assumption was that the wakee couldn't have a
+bigger utilization during task placement than it used to have during the
+last activation. That was not considering uclamp.min which can completely
+change between two task activations and as a consequence mandates the
+fitness criterion asym_fits_capacity(), even for the exit path described
+above.
+
+Fixes: b4c9c9f15649 ("sched/fair: Prefer prev cpu in asymmetric wakeup path")
+Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
+Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Link: https://lkml.kernel.org/r/20211129173115.4006346-1-vincent.donnefort@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 97d89516fbea2..f2cf047b25e56 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -6400,7 +6400,8 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+       if (is_per_cpu_kthread(current) &&
+           in_task() &&
+           prev == smp_processor_id() &&
+-          this_rq()->nr_running <= 1) {
++          this_rq()->nr_running <= 1 &&
++          asym_fits_capacity(task_util, prev)) {
+               return prev;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch b/queue-5.16/sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch
new file mode 100644 (file)
index 0000000..26a6fb7
--- /dev/null
@@ -0,0 +1,99 @@
+From ebe8c4893fd2627585430bb121e3b2d5f1e44d12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 03:36:18 +0000
+Subject: sched/rt: Try to restart rt period timer when rt runtime exceeded
+
+From: Li Hua <hucool.lihua@huawei.com>
+
+[ Upstream commit 9b58e976b3b391c0cf02e038d53dd0478ed3013c ]
+
+When rt_runtime is modified from -1 to a valid control value, it may
+cause the task to be throttled all the time. Operations like the following
+will trigger the bug. E.g:
+
+  1. echo -1 > /proc/sys/kernel/sched_rt_runtime_us
+  2. Run a FIFO task named A that executes while(1)
+  3. echo 950000 > /proc/sys/kernel/sched_rt_runtime_us
+
+When rt_runtime is -1, The rt period timer will not be activated when task
+A enqueued. And then the task will be throttled after setting rt_runtime to
+950,000. The task will always be throttled because the rt period timer is
+not activated.
+
+Fixes: d0b27fa77854 ("sched: rt-group: synchonised bandwidth period")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Li Hua <hucool.lihua@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20211203033618.11895-1-hucool.lihua@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/rt.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index b48baaba2fc2e..7b4f4fbbb4048 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -52,11 +52,8 @@ void init_rt_bandwidth(struct rt_bandwidth *rt_b, u64 period, u64 runtime)
+       rt_b->rt_period_timer.function = sched_rt_period_timer;
+ }
+-static void start_rt_bandwidth(struct rt_bandwidth *rt_b)
++static inline void do_start_rt_bandwidth(struct rt_bandwidth *rt_b)
+ {
+-      if (!rt_bandwidth_enabled() || rt_b->rt_runtime == RUNTIME_INF)
+-              return;
+-
+       raw_spin_lock(&rt_b->rt_runtime_lock);
+       if (!rt_b->rt_period_active) {
+               rt_b->rt_period_active = 1;
+@@ -75,6 +72,14 @@ static void start_rt_bandwidth(struct rt_bandwidth *rt_b)
+       raw_spin_unlock(&rt_b->rt_runtime_lock);
+ }
++static void start_rt_bandwidth(struct rt_bandwidth *rt_b)
++{
++      if (!rt_bandwidth_enabled() || rt_b->rt_runtime == RUNTIME_INF)
++              return;
++
++      do_start_rt_bandwidth(rt_b);
++}
++
+ void init_rt_rq(struct rt_rq *rt_rq)
+ {
+       struct rt_prio_array *array;
+@@ -1031,13 +1036,17 @@ static void update_curr_rt(struct rq *rq)
+       for_each_sched_rt_entity(rt_se) {
+               struct rt_rq *rt_rq = rt_rq_of_se(rt_se);
++              int exceeded;
+               if (sched_rt_runtime(rt_rq) != RUNTIME_INF) {
+                       raw_spin_lock(&rt_rq->rt_runtime_lock);
+                       rt_rq->rt_time += delta_exec;
+-                      if (sched_rt_runtime_exceeded(rt_rq))
++                      exceeded = sched_rt_runtime_exceeded(rt_rq);
++                      if (exceeded)
+                               resched_curr(rq);
+                       raw_spin_unlock(&rt_rq->rt_runtime_lock);
++                      if (exceeded)
++                              do_start_rt_bandwidth(sched_rt_bandwidth(rt_rq));
+               }
+       }
+ }
+@@ -2911,8 +2920,12 @@ static int sched_rt_global_validate(void)
+ static void sched_rt_do_global(void)
+ {
++      unsigned long flags;
++
++      raw_spin_lock_irqsave(&def_rt_bandwidth.rt_runtime_lock, flags);
+       def_rt_bandwidth.rt_runtime = global_rt_runtime();
+       def_rt_bandwidth.rt_period = ns_to_ktime(global_rt_period());
++      raw_spin_unlock_irqrestore(&def_rt_bandwidth.rt_runtime_lock, flags);
+ }
+ int sched_rt_handler(struct ctl_table *table, int write, void *buffer,
+-- 
+2.34.1
+
diff --git a/queue-5.16/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch b/queue-5.16/scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch
new file mode 100644 (file)
index 0000000..76eb127
--- /dev/null
@@ -0,0 +1,39 @@
+From 9138b475d8a6e44bffcda7ab1af8b65b386f0b00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 01:41:02 +0100
+Subject: scripts: sphinx-pre-install: Fix ctex support on Debian
+
+From: Mauro Carvalho Chehab <mchehab@kernel.org>
+
+[ Upstream commit 87d6576ddf8ac25f36597bc93ca17f6628289c16 ]
+
+The name of the package with ctexhook.sty is different on
+Debian/Ubuntu.
+
+Reported-by: Akira Yokosawa <akiyks@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Tested-by: Akira Yokosawa <akiyks@gmail.com>
+Link: https://lore.kernel.org/r/63882425609a2820fac78f5e94620abeb7ed5f6f.1641429634.git.mchehab@kernel.org
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/sphinx-pre-install | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
+index 288e86a9d1e58..61a79ce705ccf 100755
+--- a/scripts/sphinx-pre-install
++++ b/scripts/sphinx-pre-install
+@@ -369,6 +369,9 @@ sub give_debian_hints()
+       );
+       if ($pdf) {
++              check_missing_file(["/usr/share/texlive/texmf-dist/tex/latex/ctex/ctexhook.sty"],
++                                 "texlive-lang-chinese", 2);
++
+               check_missing_file(["/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf"],
+                                  "fonts-dejavu", 2);
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-block-pm-always-set-request-queue-runtime-activ.patch b/queue-5.16/scsi-block-pm-always-set-request-queue-runtime-activ.patch
new file mode 100644 (file)
index 0000000..25bec4a
--- /dev/null
@@ -0,0 +1,121 @@
+From 045ae3b8a69bbbff825e250b80f3a8b86403e54e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 19:21:26 +0800
+Subject: scsi: block: pm: Always set request queue runtime active in
+ blk_post_runtime_resume()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit 6e1fcab00a23f7fe9f4fe9704905a790efa1eeab ]
+
+John Garry reported a deadlock that occurs when trying to access a
+runtime-suspended SATA device.  For obscure reasons, the rescan procedure
+causes the link to be hard-reset, which disconnects the device.
+
+The rescan tries to carry out a runtime resume when accessing the device.
+scsi_rescan_device() holds the SCSI device lock and won't release it until
+it can put commands onto the device's block queue.  This can't happen until
+the queue is successfully runtime-resumed or the device is unregistered.
+But the runtime resume fails because the device is disconnected, and
+__scsi_remove_device() can't do the unregistration because it can't get the
+device lock.
+
+The best way to resolve this deadlock appears to be to allow the block
+queue to start running again even after an unsuccessful runtime resume.
+The idea is that the driver or the SCSI error handler will need to be able
+to use the queue to resolve the runtime resume failure.
+
+This patch removes the err argument to blk_post_runtime_resume() and makes
+the routine act as though the resume was successful always.  This fixes the
+deadlock.
+
+Link: https://lore.kernel.org/r/1639999298-244569-4-git-send-email-chenxiang66@hisilicon.com
+Fixes: e27829dc92e5 ("scsi: serialize ->rescan against ->remove")
+Reported-and-tested-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-pm.c         | 22 +++++++---------------
+ drivers/scsi/scsi_pm.c |  2 +-
+ include/linux/blk-pm.h |  2 +-
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/block/blk-pm.c b/block/blk-pm.c
+index 17bd020268d42..2dad62cc15727 100644
+--- a/block/blk-pm.c
++++ b/block/blk-pm.c
+@@ -163,27 +163,19 @@ EXPORT_SYMBOL(blk_pre_runtime_resume);
+ /**
+  * blk_post_runtime_resume - Post runtime resume processing
+  * @q: the queue of the device
+- * @err: return value of the device's runtime_resume function
+  *
+  * Description:
+- *    Update the queue's runtime status according to the return value of the
+- *    device's runtime_resume function. If the resume was successful, call
+- *    blk_set_runtime_active() to do the real work of restarting the queue.
++ *    For historical reasons, this routine merely calls blk_set_runtime_active()
++ *    to do the real work of restarting the queue.  It does this regardless of
++ *    whether the device's runtime-resume succeeded; even if it failed the
++ *    driver or error handler will need to communicate with the device.
+  *
+  *    This function should be called near the end of the device's
+  *    runtime_resume callback.
+  */
+-void blk_post_runtime_resume(struct request_queue *q, int err)
++void blk_post_runtime_resume(struct request_queue *q)
+ {
+-      if (!q->dev)
+-              return;
+-      if (!err) {
+-              blk_set_runtime_active(q);
+-      } else {
+-              spin_lock_irq(&q->queue_lock);
+-              q->rpm_status = RPM_SUSPENDED;
+-              spin_unlock_irq(&q->queue_lock);
+-      }
++      blk_set_runtime_active(q);
+ }
+ EXPORT_SYMBOL(blk_post_runtime_resume);
+@@ -201,7 +193,7 @@ EXPORT_SYMBOL(blk_post_runtime_resume);
+  * runtime PM status and re-enable peeking requests from the queue. It
+  * should be called before first request is added to the queue.
+  *
+- * This function is also called by blk_post_runtime_resume() for successful
++ * This function is also called by blk_post_runtime_resume() for
+  * runtime resumes.  It does everything necessary to restart the queue.
+  */
+ void blk_set_runtime_active(struct request_queue *q)
+diff --git a/drivers/scsi/scsi_pm.c b/drivers/scsi/scsi_pm.c
+index b5a858c29488a..f06ca9d2a597d 100644
+--- a/drivers/scsi/scsi_pm.c
++++ b/drivers/scsi/scsi_pm.c
+@@ -181,7 +181,7 @@ static int sdev_runtime_resume(struct device *dev)
+       blk_pre_runtime_resume(sdev->request_queue);
+       if (pm && pm->runtime_resume)
+               err = pm->runtime_resume(dev);
+-      blk_post_runtime_resume(sdev->request_queue, err);
++      blk_post_runtime_resume(sdev->request_queue);
+       return err;
+ }
+diff --git a/include/linux/blk-pm.h b/include/linux/blk-pm.h
+index b80c65aba2493..2580e05a8ab67 100644
+--- a/include/linux/blk-pm.h
++++ b/include/linux/blk-pm.h
+@@ -14,7 +14,7 @@ extern void blk_pm_runtime_init(struct request_queue *q, struct device *dev);
+ extern int blk_pre_runtime_suspend(struct request_queue *q);
+ extern void blk_post_runtime_suspend(struct request_queue *q, int err);
+ extern void blk_pre_runtime_resume(struct request_queue *q);
+-extern void blk_post_runtime_resume(struct request_queue *q, int err);
++extern void blk_post_runtime_resume(struct request_queue *q);
+ extern void blk_set_runtime_active(struct request_queue *q);
+ #else
+ static inline void blk_pm_runtime_init(struct request_queue *q,
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-core-fix-scsi_device_max_queue_depth.patch b/queue-5.16/scsi-core-fix-scsi_device_max_queue_depth.patch
new file mode 100644 (file)
index 0000000..43a9405
--- /dev/null
@@ -0,0 +1,51 @@
+From 37a8a5defac0c11f28e21858c51573253f9220e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 15:19:34 -0800
+Subject: scsi: core: Fix scsi_device_max_queue_depth()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 4bc3bffc1a885eb5cb259e4a25146a4c7b1034e3 ]
+
+The comment above scsi_device_max_queue_depth() and also the description of
+commit ca4453213951 ("scsi: core: Make sure sdev->queue_depth is <=
+max(shost->can_queue, 1024)") contradict the implementation of the function
+scsi_device_max_queue_depth(). Additionally, the maximum queue depth of a
+SCSI LUN never exceeds host->can_queue. Fix scsi_device_max_queue_depth()
+by changing max_t() into min_t().
+
+Link: https://lore.kernel.org/r/20211203231950.193369-2-bvanassche@acm.org
+Fixes: ca4453213951 ("scsi: core: Make sure sdev->queue_depth is <= max(shost->can_queue, 1024)")
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Sumanesh Samanta <sumanesh.samanta@broadcom.com>
+Tested-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
+index f6af1562cba49..10e5bffc34aaf 100644
+--- a/drivers/scsi/scsi.c
++++ b/drivers/scsi/scsi.c
+@@ -201,11 +201,11 @@ void scsi_finish_command(struct scsi_cmnd *cmd)
+ /*
+- * 1024 is big enough for saturating the fast scsi LUN now
++ * 1024 is big enough for saturating fast SCSI LUNs.
+  */
+ int scsi_device_max_queue_depth(struct scsi_device *sdev)
+ {
+-      return max_t(int, sdev->host->can_queue, 1024);
++      return min_t(int, sdev->host->can_queue, 1024);
+ }
+ /**
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-hisi_sas-prevent-parallel-flr-and-controller-re.patch b/queue-5.16/scsi-hisi_sas-prevent-parallel-flr-and-controller-re.patch
new file mode 100644 (file)
index 0000000..026bb01
--- /dev/null
@@ -0,0 +1,97 @@
+From fc218aa6b5c523b55aa321d4860fdaafb88cc868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 22:37:39 +0800
+Subject: scsi: hisi_sas: Prevent parallel FLR and controller reset
+
+From: Qi Liu <liuqi115@huawei.com>
+
+[ Upstream commit 16775db613c2bdea09705dcb876942c0641a1098 ]
+
+If we issue a controller reset command during executing a FLR a hung task
+may be found:
+
+ Call trace:
+  __switch_to+0x158/0x1cc
+  __schedule+0x2e8/0x85c
+  schedule+0x7c/0x110
+  schedule_timeout+0x190/0x1cc
+  __down+0x7c/0xd4
+  down+0x5c/0x7c
+  hisi_sas_task_exec+0x510/0x680 [hisi_sas_main]
+  hisi_sas_queue_command+0x24/0x30 [hisi_sas_main]
+  smp_execute_task_sg+0xf4/0x23c [libsas]
+  sas_smp_phy_control+0x110/0x1e0 [libsas]
+  transport_sas_phy_reset+0xc8/0x190 [libsas]
+  phy_reset_work+0x2c/0x40 [libsas]
+  process_one_work+0x1dc/0x48c
+  worker_thread+0x15c/0x464
+  kthread+0x160/0x170
+  ret_from_fork+0x10/0x18
+
+This is a race condition which occurs when the FLR completes first.
+
+Here the host HISI_SAS_RESETTING_BIT flag out gets of sync as
+HISI_SAS_RESETTING_BIT is not always cleared with the hisi_hba.sem held, so
+now only set/unset HISI_SAS_RESETTING_BIT under hisi_hba.sem .
+
+Link: https://lore.kernel.org/r/1639579061-179473-7-git-send-email-john.garry@huawei.com
+Signed-off-by: Qi Liu <liuqi115@huawei.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c  | 8 +++++---
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 1 +
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index f206c433de325..8a13bc08d6575 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1581,7 +1581,6 @@ void hisi_sas_controller_reset_prepare(struct hisi_hba *hisi_hba)
+ {
+       struct Scsi_Host *shost = hisi_hba->shost;
+-      down(&hisi_hba->sem);
+       hisi_hba->phy_state = hisi_hba->hw->get_phys_state(hisi_hba);
+       scsi_block_requests(shost);
+@@ -1606,9 +1605,9 @@ void hisi_sas_controller_reset_done(struct hisi_hba *hisi_hba)
+       if (hisi_hba->reject_stp_links_msk)
+               hisi_sas_terminate_stp_reject(hisi_hba);
+       hisi_sas_reset_init_all_devices(hisi_hba);
+-      up(&hisi_hba->sem);
+       scsi_unblock_requests(shost);
+       clear_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags);
++      up(&hisi_hba->sem);
+       hisi_sas_rescan_topology(hisi_hba, hisi_hba->phy_state);
+ }
+@@ -1619,8 +1618,11 @@ static int hisi_sas_controller_prereset(struct hisi_hba *hisi_hba)
+       if (!hisi_hba->hw->soft_reset)
+               return -1;
+-      if (test_and_set_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags))
++      down(&hisi_hba->sem);
++      if (test_and_set_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags)) {
++              up(&hisi_hba->sem);
+               return -1;
++      }
+       if (hisi_sas_debugfs_enable && hisi_hba->debugfs_itct[0].itct)
+               hisi_hba->hw->debugfs_snapshot_regs(hisi_hba);
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 0ef6c21bf0811..11a44d9dd9b2d 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -4848,6 +4848,7 @@ static void hisi_sas_reset_prepare_v3_hw(struct pci_dev *pdev)
+       int rc;
+       dev_info(dev, "FLR prepare\n");
++      down(&hisi_hba->sem);
+       set_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags);
+       hisi_sas_controller_reset_prepare(hisi_hba);
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-lpfc-fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch b/queue-5.16/scsi-lpfc-fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch
new file mode 100644 (file)
index 0000000..4e945fc
--- /dev/null
@@ -0,0 +1,121 @@
+From c082c9c9283cb509924acdf268a0646f45406d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 16:26:36 -0800
+Subject: scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit f0d3919697492950f57a26a1093aee53880d669d ]
+
+During rmmod testing, messages appeared indicating lpfc_mbuf_pool entries
+were still busy. This situation was only seen doing rmmod after at least 1
+vport (NPIV) instance was created and destroyed. The number of messages
+scaled with the number of vports created.
+
+When a vport is created, it can receive a PLOGI from another initiator
+Nport.  When this happens, the driver prepares to ack the PLOGI and
+prepares an RPI for registration (via mbx cmd) which includes an mbuf
+allocation. During the unsolicited PLOGI processing and after the RPI
+preparation, the driver recognizes it is one of the vport instances and
+decides to reject the PLOGI. During the LS_RJT preparation for the PLOGI,
+the mailbox struct allocated for RPI registration is freed, but the mbuf
+that was also allocated is not released.
+
+Fix by freeing the mbuf with the mailbox struct in the LS_RJT path.
+
+As part of the code review to figure the issue out a couple of other areas
+where found that also would not have released the mbuf. Those are cleaned
+up as well.
+
+Link: https://lore.kernel.org/r/20211204002644.116455-2-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c       | 6 +++++-
+ drivers/scsi/lpfc/lpfc_init.c      | 8 ++++++--
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 6 ++++++
+ 3 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index e83453bea2aee..5c10416c1c75a 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -6899,6 +6899,7 @@ static int
+ lpfc_get_rdp_info(struct lpfc_hba *phba, struct lpfc_rdp_context *rdp_context)
+ {
+       LPFC_MBOXQ_t *mbox = NULL;
++      struct lpfc_dmabuf *mp;
+       int rc;
+       mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+@@ -6914,8 +6915,11 @@ lpfc_get_rdp_info(struct lpfc_hba *phba, struct lpfc_rdp_context *rdp_context)
+       mbox->mbox_cmpl = lpfc_mbx_cmpl_rdp_page_a0;
+       mbox->ctx_ndlp = (struct lpfc_rdp_context *)rdp_context;
+       rc = lpfc_sli_issue_mbox(phba, mbox, MBX_NOWAIT);
+-      if (rc == MBX_NOT_FINISHED)
++      if (rc == MBX_NOT_FINISHED) {
++              mp = (struct lpfc_dmabuf *)mbox->ctx_buf;
++              lpfc_mbuf_free(phba, mp->virt, mp->phys);
+               goto issue_mbox_fail;
++      }
+       return 0;
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index ba17a8f740a95..7628b0634c57a 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -5373,8 +5373,10 @@ lpfc_sli4_async_link_evt(struct lpfc_hba *phba,
+        */
+       if (!(phba->hba_flag & HBA_FCOE_MODE)) {
+               rc = lpfc_sli_issue_mbox(phba, pmb, MBX_NOWAIT);
+-              if (rc == MBX_NOT_FINISHED)
++              if (rc == MBX_NOT_FINISHED) {
++                      lpfc_mbuf_free(phba, mp->virt, mp->phys);
+                       goto out_free_dmabuf;
++              }
+               return;
+       }
+       /*
+@@ -6337,8 +6339,10 @@ lpfc_sli4_async_fc_evt(struct lpfc_hba *phba, struct lpfc_acqe_fc_la *acqe_fc)
+       }
+       rc = lpfc_sli_issue_mbox(phba, pmb, MBX_NOWAIT);
+-      if (rc == MBX_NOT_FINISHED)
++      if (rc == MBX_NOT_FINISHED) {
++              lpfc_mbuf_free(phba, mp->virt, mp->phys);
+               goto out_free_dmabuf;
++      }
+       return;
+ out_free_dmabuf:
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 27263f02ab9f6..7d717a4ac14d1 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -322,6 +322,7 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+ {
+       struct lpfc_hba    *phba = vport->phba;
+       struct lpfc_dmabuf *pcmd;
++      struct lpfc_dmabuf *mp;
+       uint64_t nlp_portwwn = 0;
+       uint32_t *lp;
+       IOCB_t *icmd;
+@@ -571,6 +572,11 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+                * a default RPI.
+                */
+               if (phba->sli_rev == LPFC_SLI_REV4) {
++                      mp = (struct lpfc_dmabuf *)login_mbox->ctx_buf;
++                      if (mp) {
++                              lpfc_mbuf_free(phba, mp->virt, mp->phys);
++                              kfree(mp);
++                      }
+                       mempool_free(login_mbox, phba->mbox_mem_pool);
+                       login_mbox = NULL;
+               } else {
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch b/queue-5.16/scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch
new file mode 100644 (file)
index 0000000..d47279d
--- /dev/null
@@ -0,0 +1,188 @@
+From 0ca16f2eeab926bc6cab6b4c7b581380b25dd656 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 16:26:40 -0800
+Subject: scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 7dd2e2a923173d637c272e483966be8e96a72b64 ]
+
+Extraneous teardown routines are present in the firmware dump path causing
+altered states in firmware captures.
+
+When a firmware dump is requested via sysfs, trigger the dump immediately
+without tearing down structures and changing adapter state.
+
+The driver shall rely on pre-existing firmware error state clean up
+handlers to restore the adapter.
+
+Link: https://lore.kernel.org/r/20211204002644.116455-6-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc.h         |  2 +-
+ drivers/scsi/lpfc/lpfc_attr.c    | 62 ++++++++++++++++++++------------
+ drivers/scsi/lpfc/lpfc_hbadisc.c |  8 ++++-
+ drivers/scsi/lpfc/lpfc_sli.c     |  6 ----
+ 4 files changed, 48 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
+index 2f8e6d0a926fe..54c58392fd5d0 100644
+--- a/drivers/scsi/lpfc/lpfc.h
++++ b/drivers/scsi/lpfc/lpfc.h
+@@ -1023,7 +1023,6 @@ struct lpfc_hba {
+ #define HBA_DEVLOSS_TMO         0x2000 /* HBA in devloss timeout */
+ #define HBA_RRQ_ACTIVE                0x4000 /* process the rrq active list */
+ #define HBA_IOQ_FLUSH         0x8000 /* FCP/NVME I/O queues being flushed */
+-#define HBA_FW_DUMP_OP                0x10000 /* Skips fn reset before FW dump */
+ #define HBA_RECOVERABLE_UE    0x20000 /* Firmware supports recoverable UE */
+ #define HBA_FORCED_LINK_SPEED 0x40000 /*
+                                        * Firmware supports Forced Link Speed
+@@ -1040,6 +1039,7 @@ struct lpfc_hba {
+ #define HBA_HBEAT_TMO         0x8000000 /* HBEAT initiated after timeout */
+ #define HBA_FLOGI_OUTSTANDING 0x10000000 /* FLOGI is outstanding */
++      struct completion *fw_dump_cmpl; /* cmpl event tracker for fw_dump */
+       uint32_t fcp_ring_in_use; /* When polling test if intr-hndlr active*/
+       struct lpfc_dmabuf slim2p;
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index dd4c51b6ef4e2..7a7f17d71811b 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -1709,25 +1709,25 @@ lpfc_sli4_pdev_reg_request(struct lpfc_hba *phba, uint32_t opcode)
+       before_fc_flag = phba->pport->fc_flag;
+       sriov_nr_virtfn = phba->cfg_sriov_nr_virtfn;
+-      /* Disable SR-IOV virtual functions if enabled */
+-      if (phba->cfg_sriov_nr_virtfn) {
+-              pci_disable_sriov(pdev);
+-              phba->cfg_sriov_nr_virtfn = 0;
+-      }
++      if (opcode == LPFC_FW_DUMP) {
++              init_completion(&online_compl);
++              phba->fw_dump_cmpl = &online_compl;
++      } else {
++              /* Disable SR-IOV virtual functions if enabled */
++              if (phba->cfg_sriov_nr_virtfn) {
++                      pci_disable_sriov(pdev);
++                      phba->cfg_sriov_nr_virtfn = 0;
++              }
+-      if (opcode == LPFC_FW_DUMP)
+-              phba->hba_flag |= HBA_FW_DUMP_OP;
++              status = lpfc_do_offline(phba, LPFC_EVT_OFFLINE);
+-      status = lpfc_do_offline(phba, LPFC_EVT_OFFLINE);
++              if (status != 0)
++                      return status;
+-      if (status != 0) {
+-              phba->hba_flag &= ~HBA_FW_DUMP_OP;
+-              return status;
++              /* wait for the device to be quiesced before firmware reset */
++              msleep(100);
+       }
+-      /* wait for the device to be quiesced before firmware reset */
+-      msleep(100);
+-
+       reg_val = readl(phba->sli4_hba.conf_regs_memmap_p +
+                       LPFC_CTL_PDEV_CTL_OFFSET);
+@@ -1756,24 +1756,42 @@ lpfc_sli4_pdev_reg_request(struct lpfc_hba *phba, uint32_t opcode)
+               lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+                               "3153 Fail to perform the requested "
+                               "access: x%x\n", reg_val);
++              if (phba->fw_dump_cmpl)
++                      phba->fw_dump_cmpl = NULL;
+               return rc;
+       }
+       /* keep the original port state */
+-      if (before_fc_flag & FC_OFFLINE_MODE)
+-              goto out;
+-
+-      init_completion(&online_compl);
+-      job_posted = lpfc_workq_post_event(phba, &status, &online_compl,
+-                                         LPFC_EVT_ONLINE);
+-      if (!job_posted)
++      if (before_fc_flag & FC_OFFLINE_MODE) {
++              if (phba->fw_dump_cmpl)
++                      phba->fw_dump_cmpl = NULL;
+               goto out;
++      }
+-      wait_for_completion(&online_compl);
++      /* Firmware dump will trigger an HA_ERATT event, and
++       * lpfc_handle_eratt_s4 routine already handles bringing the port back
++       * online.
++       */
++      if (opcode == LPFC_FW_DUMP) {
++              wait_for_completion(phba->fw_dump_cmpl);
++      } else  {
++              init_completion(&online_compl);
++              job_posted = lpfc_workq_post_event(phba, &status, &online_compl,
++                                                 LPFC_EVT_ONLINE);
++              if (!job_posted)
++                      goto out;
++              wait_for_completion(&online_compl);
++      }
+ out:
+       /* in any case, restore the virtual functions enabled as before */
+       if (sriov_nr_virtfn) {
++              /* If fw_dump was performed, first disable to clean up */
++              if (opcode == LPFC_FW_DUMP) {
++                      pci_disable_sriov(pdev);
++                      phba->cfg_sriov_nr_virtfn = 0;
++              }
++
+               sriov_err =
+                       lpfc_sli_probe_sriov_nr_virtfn(phba, sriov_nr_virtfn);
+               if (!sriov_err)
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 9fe6e5b386ce3..5e54ec503f18b 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -869,10 +869,16 @@ lpfc_work_done(struct lpfc_hba *phba)
+       if (phba->pci_dev_grp == LPFC_PCI_DEV_OC)
+               lpfc_sli4_post_async_mbox(phba);
+-      if (ha_copy & HA_ERATT)
++      if (ha_copy & HA_ERATT) {
+               /* Handle the error attention event */
+               lpfc_handle_eratt(phba);
++              if (phba->fw_dump_cmpl) {
++                      complete(phba->fw_dump_cmpl);
++                      phba->fw_dump_cmpl = NULL;
++              }
++      }
++
+       if (ha_copy & HA_MBATT)
+               lpfc_sli_handle_mb_event(phba);
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 5dedb3de271d8..513a78d08b1d5 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -5046,12 +5046,6 @@ lpfc_sli4_brdreset(struct lpfc_hba *phba)
+       phba->fcf.fcf_flag = 0;
+       spin_unlock_irq(&phba->hbalock);
+-      /* SLI4 INTF 2: if FW dump is being taken skip INIT_PORT */
+-      if (phba->hba_flag & HBA_FW_DUMP_OP) {
+-              phba->hba_flag &= ~HBA_FW_DUMP_OP;
+-              return rc;
+-      }
+-
+       /* Now physically reset the device */
+       lpfc_printf_log(phba, KERN_INFO, LOG_INIT,
+                       "0389 Performing PCI function reset!\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-mpi3mr-fixes-around-reply-request-queues.patch b/queue-5.16/scsi-mpi3mr-fixes-around-reply-request-queues.patch
new file mode 100644 (file)
index 0000000..52ce8c8
--- /dev/null
@@ -0,0 +1,62 @@
+From 76f6722a566999b84505de5fed157648b93f8bd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 19:41:58 +0530
+Subject: scsi: mpi3mr: Fixes around reply request queues
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+[ Upstream commit 243bcc8efdb1f44b1a1d415e6821a246714c68ce ]
+
+Set reply queue depth of 1K for B0 and 4K for A0.
+
+While freeing the segmented request queues use the actual queue depth that
+is used while creating them.
+
+Link: https://lore.kernel.org/r/20211220141159.16117-25-sreekanth.reddy@broadcom.com
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h    | 3 ++-
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 4 +++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h
+index 9787b53a2b598..2cc42432bd0c0 100644
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -79,7 +79,8 @@ extern int prot_mask;
+ /* Operational queue management definitions */
+ #define MPI3MR_OP_REQ_Q_QD            512
+-#define MPI3MR_OP_REP_Q_QD            4096
++#define MPI3MR_OP_REP_Q_QD            1024
++#define MPI3MR_OP_REP_Q_QD4K          4096
+ #define MPI3MR_OP_REQ_Q_SEG_SIZE      4096
+ #define MPI3MR_OP_REP_Q_SEG_SIZE      4096
+ #define MPI3MR_MAX_SEG_LIST_SIZE      4096
+diff --git a/drivers/scsi/mpi3mr/mpi3mr_fw.c b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+index aa5d877df6f83..2daf633ea2955 100644
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -1278,7 +1278,7 @@ static void mpi3mr_free_op_req_q_segments(struct mpi3mr_ioc *mrioc, u16 q_idx)
+                       mrioc->op_reply_qinfo[q_idx].q_segment_list = NULL;
+               }
+       } else
+-              size = mrioc->req_qinfo[q_idx].num_requests *
++              size = mrioc->req_qinfo[q_idx].segment_qd *
+                   mrioc->facts.op_req_sz;
+       for (j = 0; j < mrioc->req_qinfo[q_idx].num_segments; j++) {
+@@ -1565,6 +1565,8 @@ static int mpi3mr_create_op_reply_q(struct mpi3mr_ioc *mrioc, u16 qidx)
+       reply_qid = qidx + 1;
+       op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD;
++      if (!mrioc->pdev->revision)
++              op_reply_q->num_replies = MPI3MR_OP_REP_Q_QD4K;
+       op_reply_q->ci = 0;
+       op_reply_q->ephase = 1;
+       atomic_set(&op_reply_q->pend_ios, 0);
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch b/queue-5.16/scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch
new file mode 100644 (file)
index 0000000..d6622a7
--- /dev/null
@@ -0,0 +1,42 @@
+From 1275a2ba0f5af29e07e8666d2803b19b3a8bec47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 16:28:24 -0700
+Subject: scsi: pm80xx: Update WARN_ON check in pm8001_mpi_build_cmd()
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit 606c54ae975ad3af540b505b46b55a687501711f ]
+
+Starting from commit 05c6c029a44d ("scsi: pm80xx: Increase number of
+supported queues") driver initializes only max_q_num queues.  Do not use an
+invalid queue if the WARN_ON condition is true.
+
+Link: https://lore.kernel.org/r/20211101232825.2350233-4-ipylypiv@google.com
+Fixes: 7640e1eb8c5d ("scsi: pm80xx: Make mpi_build_cmd locking consistent")
+Reviewed-by: Vishakha Channapattan <vishakhavc@google.com>
+Acked-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pm8001/pm8001_hwi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
+index 124cb69740c67..4390c8b9170cd 100644
+--- a/drivers/scsi/pm8001/pm8001_hwi.c
++++ b/drivers/scsi/pm8001/pm8001_hwi.c
+@@ -1325,7 +1325,9 @@ int pm8001_mpi_build_cmd(struct pm8001_hba_info *pm8001_ha,
+       int q_index = circularQ - pm8001_ha->inbnd_q_tbl;
+       int rv;
+-      WARN_ON(q_index >= PM8001_MAX_INB_NUM);
++      if (WARN_ON(q_index >= pm8001_ha->max_q_num))
++              return -EINVAL;
++
+       spin_lock_irqsave(&circularQ->iq_lock, flags);
+       rv = pm8001_mpi_msg_free_get(circularQ, pm8001_ha->iomb_size,
+                       &pMessage);
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-sr-don-t-use-gfp_dma.patch b/queue-5.16/scsi-sr-don-t-use-gfp_dma.patch
new file mode 100644 (file)
index 0000000..d5c4547
--- /dev/null
@@ -0,0 +1,61 @@
+From e4031fa3b761d70095478159a94e8b137d8c4946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 10:08:42 +0100
+Subject: scsi: sr: Don't use GFP_DMA
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit d94d94969a4ba07a43d62429c60372320519c391 ]
+
+The allocated buffers are used as a command payload, for which the block
+layer and/or DMA API do the proper bounce buffering if needed.
+
+Link: https://lore.kernel.org/r/20211222090842.920724-1-hch@lst.de
+Reported-by: Baoquan He <bhe@redhat.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sr.c        | 2 +-
+ drivers/scsi/sr_vendor.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
+index 8e4af111c0787..f5a2eed543452 100644
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -856,7 +856,7 @@ static void get_capabilities(struct scsi_cd *cd)
+       /* allocate transfer buffer */
+-      buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
++      buffer = kmalloc(512, GFP_KERNEL);
+       if (!buffer) {
+               sr_printk(KERN_ERR, cd, "out of memory.\n");
+               return;
+diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c
+index 1f988a1b9166f..a61635326ae0a 100644
+--- a/drivers/scsi/sr_vendor.c
++++ b/drivers/scsi/sr_vendor.c
+@@ -131,7 +131,7 @@ int sr_set_blocklength(Scsi_CD *cd, int blocklength)
+       if (cd->vendor == VENDOR_TOSHIBA)
+               density = (blocklength > 2048) ? 0x81 : 0x83;
+-      buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
++      buffer = kmalloc(512, GFP_KERNEL);
+       if (!buffer)
+               return -ENOMEM;
+@@ -179,7 +179,7 @@ int sr_cd_check(struct cdrom_device_info *cdi)
+       if (cd->cdi.mask & CDC_MULTI_SESSION)
+               return 0;
+-      buffer = kmalloc(512, GFP_KERNEL | GFP_DMA);
++      buffer = kmalloc(512, GFP_KERNEL);
+       if (!buffer)
+               return -ENOMEM;
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-ufs-fix-a-kernel-crash-during-shutdown.patch b/queue-5.16/scsi-ufs-fix-a-kernel-crash-during-shutdown.patch
new file mode 100644 (file)
index 0000000..8fb06e6
--- /dev/null
@@ -0,0 +1,85 @@
+From 79bff167b90d0e609eb79e8e3d06f5993cb444a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 15:19:47 -0800
+Subject: scsi: ufs: Fix a kernel crash during shutdown
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 3489c34bd02b73a72646037d673a122a53cee174 ]
+
+Fix the following kernel crash:
+
+Unable to handle kernel paging request at virtual address ffffffc91e735000
+Call trace:
+ __queue_work+0x26c/0x624
+ queue_work_on+0x6c/0xf0
+ ufshcd_hold+0x12c/0x210
+ __ufshcd_wl_suspend+0xc0/0x400
+ ufshcd_wl_shutdown+0xb8/0xcc
+ device_shutdown+0x184/0x224
+ kernel_restart+0x4c/0x124
+ __arm64_sys_reboot+0x194/0x264
+ el0_svc_common+0xc8/0x1d4
+ do_el0_svc+0x30/0x8c
+ el0_svc+0x20/0x30
+ el0_sync_handler+0x84/0xe4
+ el0_sync+0x1bc/0x1c0
+
+Fix this crash by ungating the clock before destroying the work queue on
+which clock gating work is queued.
+
+Link: https://lore.kernel.org/r/20211203231950.193369-15-bvanassche@acm.org
+Tested-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 4394081806978..c94377aa82739 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -1666,7 +1666,8 @@ int ufshcd_hold(struct ufs_hba *hba, bool async)
+       bool flush_result;
+       unsigned long flags;
+-      if (!ufshcd_is_clkgating_allowed(hba))
++      if (!ufshcd_is_clkgating_allowed(hba) ||
++          !hba->clk_gating.is_initialized)
+               goto out;
+       spin_lock_irqsave(hba->host->host_lock, flags);
+       hba->clk_gating.active_reqs++;
+@@ -1826,7 +1827,7 @@ static void __ufshcd_release(struct ufs_hba *hba)
+       if (hba->clk_gating.active_reqs || hba->clk_gating.is_suspended ||
+           hba->ufshcd_state != UFSHCD_STATE_OPERATIONAL ||
+-          hba->outstanding_tasks ||
++          hba->outstanding_tasks || !hba->clk_gating.is_initialized ||
+           hba->active_uic_cmd || hba->uic_async_done ||
+           hba->clk_gating.state == CLKS_OFF)
+               return;
+@@ -1961,11 +1962,15 @@ static void ufshcd_exit_clk_gating(struct ufs_hba *hba)
+ {
+       if (!hba->clk_gating.is_initialized)
+               return;
++
+       ufshcd_remove_clk_gating_sysfs(hba);
+-      cancel_work_sync(&hba->clk_gating.ungate_work);
+-      cancel_delayed_work_sync(&hba->clk_gating.gate_work);
+-      destroy_workqueue(hba->clk_gating.clk_gating_workq);
++
++      /* Ungate the clock if necessary. */
++      ufshcd_hold(hba, false);
+       hba->clk_gating.is_initialized = false;
++      ufshcd_release(hba);
++
++      destroy_workqueue(hba->clk_gating.clk_gating_workq);
+ }
+ /* Must be called with host lock acquired */
+-- 
+2.34.1
+
diff --git a/queue-5.16/scsi-ufs-fix-race-conditions-related-to-driver-data.patch b/queue-5.16/scsi-ufs-fix-race-conditions-related-to-driver-data.patch
new file mode 100644 (file)
index 0000000..cd97dc3
--- /dev/null
@@ -0,0 +1,87 @@
+From 89fb3a17fe14b68f9a01715a6e80bf2b39498555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Dec 2021 15:19:39 -0800
+Subject: scsi: ufs: Fix race conditions related to driver data
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 21ad0e49085deb22c094f91f9da57319a97188e4 ]
+
+The driver data pointer must be set before any callbacks are registered
+that use that pointer. Hence move the initialization of that pointer from
+after the ufshcd_init() call to inside ufshcd_init().
+
+Link: https://lore.kernel.org/r/20211203231950.193369-7-bvanassche@acm.org
+Fixes: 3b1d05807a9a ("[SCSI] ufs: Segregate PCI Specific Code")
+Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
+Tested-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/tc-dwc-g210-pci.c | 1 -
+ drivers/scsi/ufs/ufshcd-pci.c      | 2 --
+ drivers/scsi/ufs/ufshcd-pltfrm.c   | 2 --
+ drivers/scsi/ufs/ufshcd.c          | 7 +++++++
+ 4 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/tc-dwc-g210-pci.c b/drivers/scsi/ufs/tc-dwc-g210-pci.c
+index 679289e1a78e6..7b08e2e07cc5f 100644
+--- a/drivers/scsi/ufs/tc-dwc-g210-pci.c
++++ b/drivers/scsi/ufs/tc-dwc-g210-pci.c
+@@ -110,7 +110,6 @@ tc_dwc_g210_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+               return err;
+       }
+-      pci_set_drvdata(pdev, hba);
+       pm_runtime_put_noidle(&pdev->dev);
+       pm_runtime_allow(&pdev->dev);
+diff --git a/drivers/scsi/ufs/ufshcd-pci.c b/drivers/scsi/ufs/ufshcd-pci.c
+index f725248ba57f4..f76692053ca17 100644
+--- a/drivers/scsi/ufs/ufshcd-pci.c
++++ b/drivers/scsi/ufs/ufshcd-pci.c
+@@ -538,8 +538,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+               return err;
+       }
+-      pci_set_drvdata(pdev, hba);
+-
+       hba->vops = (struct ufs_hba_variant_ops *)id->driver_data;
+       err = ufshcd_init(hba, mmio_base, pdev->irq);
+diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
+index eaeae83b999fd..8b16bbbcb806c 100644
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -361,8 +361,6 @@ int ufshcd_pltfrm_init(struct platform_device *pdev,
+               goto dealloc_host;
+       }
+-      platform_set_drvdata(pdev, hba);
+-
+       pm_runtime_set_active(&pdev->dev);
+       pm_runtime_enable(&pdev->dev);
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 13c09dbd99b92..4394081806978 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -9486,6 +9486,13 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
+       struct device *dev = hba->dev;
+       char eh_wq_name[sizeof("ufs_eh_wq_00")];
++      /*
++       * dev_set_drvdata() must be called before any callbacks are registered
++       * that use dev_get_drvdata() (frequency scaling, clock scaling, hwmon,
++       * sysfs).
++       */
++      dev_set_drvdata(dev, hba);
++
+       if (!mmio_base) {
+               dev_err(hba->dev,
+               "Invalid memory reference for mmio_base is NULL\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-bpf-destroy-xdp-link-correctly.patch b/queue-5.16/selftests-bpf-destroy-xdp-link-correctly.patch
new file mode 100644 (file)
index 0000000..6cdf526
--- /dev/null
@@ -0,0 +1,39 @@
+From 231b557926b9485a489f6489ee3e5ddd3404b50f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Nov 2021 08:55:20 -0800
+Subject: selftests/bpf: Destroy XDP link correctly
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit f91231eeeed752119f49eb6620cae44ec745a007 ]
+
+bpf_link__detach() was confused with bpf_link__destroy() and leaves
+leaked FD in the process. Fix the problem.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
+Link: https://lore.kernel.org/bpf/20211107165521.9240-9-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c b/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
+index 7589c03fd26be..eb2feaac81fe2 100644
+--- a/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
++++ b/tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
+@@ -204,8 +204,8 @@ static int pass_ack(struct migrate_reuseport_test_case *test_case)
+ {
+       int err;
+-      err = bpf_link__detach(test_case->link);
+-      if (!ASSERT_OK(err, "bpf_link__detach"))
++      err = bpf_link__destroy(test_case->link);
++      if (!ASSERT_OK(err, "bpf_link__destroy"))
+               return -1;
+       test_case->link = NULL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch b/queue-5.16/selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch
new file mode 100644 (file)
index 0000000..2d1a73e
--- /dev/null
@@ -0,0 +1,36 @@
+From 767bcfcc46e6206e7d5f699bcc2e5a2a61ca2cd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Nov 2021 08:55:21 -0800
+Subject: selftests/bpf: Fix bpf_object leak in skb_ctx selftest
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 8c7a95520184b6677ca6075e12df9c208d57d088 ]
+
+skb_ctx selftest didn't close bpf_object implicitly allocated by
+bpf_prog_test_load() helper. Fix the problem by explicitly calling
+bpf_object__close() at the end of the test.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
+Link: https://lore.kernel.org/bpf/20211107165521.9240-10-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/skb_ctx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/skb_ctx.c b/tools/testing/selftests/bpf/prog_tests/skb_ctx.c
+index c437e6ba8fe20..db4d72563aaeb 100644
+--- a/tools/testing/selftests/bpf/prog_tests/skb_ctx.c
++++ b/tools/testing/selftests/bpf/prog_tests/skb_ctx.c
+@@ -111,4 +111,6 @@ void test_skb_ctx(void)
+                  "ctx_out_mark",
+                  "skb->mark == %u, expected %d\n",
+                  skb.mark, 10);
++
++      bpf_object__close(obj);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-bpf-fix-memory-leaks-in-btf_type_c_dump-he.patch b/queue-5.16/selftests-bpf-fix-memory-leaks-in-btf_type_c_dump-he.patch
new file mode 100644 (file)
index 0000000..8ef372a
--- /dev/null
@@ -0,0 +1,54 @@
+From ea2d3e1cbda83752a4da331f7e27b115a23c2a57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Nov 2021 08:55:15 -0800
+Subject: selftests/bpf: Fix memory leaks in btf_type_c_dump() helper
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 8ba285874913da21ca39a46376e9cc5ce0f45f94 ]
+
+Free up memory and resources used by temporary allocated memstream and
+btf_dump instance.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Hengqi Chen <hengqi.chen@gmail.com>
+Link: https://lore.kernel.org/bpf/20211107165521.9240-4-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/btf_helpers.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/btf_helpers.c b/tools/testing/selftests/bpf/btf_helpers.c
+index b5b6b013a245e..3d1a748d09d81 100644
+--- a/tools/testing/selftests/bpf/btf_helpers.c
++++ b/tools/testing/selftests/bpf/btf_helpers.c
+@@ -251,18 +251,23 @@ const char *btf_type_c_dump(const struct btf *btf)
+       d = btf_dump__new(btf, NULL, &opts, btf_dump_printf);
+       if (libbpf_get_error(d)) {
+               fprintf(stderr, "Failed to create btf_dump instance: %ld\n", libbpf_get_error(d));
+-              return NULL;
++              goto err_out;
+       }
+       for (i = 1; i < btf__type_cnt(btf); i++) {
+               err = btf_dump__dump_type(d, i);
+               if (err) {
+                       fprintf(stderr, "Failed to dump type [%d]: %d\n", i, err);
+-                      return NULL;
++                      goto err_out;
+               }
+       }
++      btf_dump__free(d);
+       fflush(buf_file);
+       fclose(buf_file);
+       return buf;
++err_out:
++      btf_dump__free(d);
++      fclose(buf_file);
++      return NULL;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-bpf-fix-xdpxceiver-failures-for-no-hugepag.patch b/queue-5.16/selftests-bpf-fix-xdpxceiver-failures-for-no-hugepag.patch
new file mode 100644 (file)
index 0000000..463ccd7
--- /dev/null
@@ -0,0 +1,56 @@
+From 2178b743d60c0c7f10aae52dfcb9f1be6d845fea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 18:06:13 +0530
+Subject: selftests/bpf: Fix xdpxceiver failures for no hugepages
+
+From: Tirthendu Sarkar <tirthendu.sarkar@intel.com>
+
+[ Upstream commit dd7f091fd22b1dce6c20e8f7769aa068ed88ac6d ]
+
+xsk_configure_umem() needs hugepages to work in unaligned mode. So when
+hugepages are not configured, 'unaligned' tests should be skipped which
+is determined by the helper function hugepages_present(). This function
+erroneously returns true with MAP_NORESERVE flag even when no hugepages
+are configured. The removal of this flag fixes the issue.
+
+The test TEST_TYPE_UNALIGNED_INV_DESC also needs to be skipped when
+there are no hugepages. However, this was not skipped as there was no
+check for presence of hugepages and hence was failing. The check to skip
+the test has now been added.
+
+Fixes: a4ba98dd0c69 (selftests: xsk: Add test for unaligned mode)
+Signed-off-by: Tirthendu Sarkar <tirthendu.sarkar@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211117123613.22288-1-tirthendu.sarkar@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/xdpxceiver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/xdpxceiver.c b/tools/testing/selftests/bpf/xdpxceiver.c
+index 6c7cf8aadc792..621342ec30c48 100644
+--- a/tools/testing/selftests/bpf/xdpxceiver.c
++++ b/tools/testing/selftests/bpf/xdpxceiver.c
+@@ -1219,7 +1219,7 @@ static bool hugepages_present(struct ifobject *ifobject)
+       void *bufs;
+       bufs = mmap(NULL, mmap_sz, PROT_READ | PROT_WRITE,
+-                  MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE | MAP_HUGETLB, -1, 0);
++                  MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
+       if (bufs == MAP_FAILED)
+               return false;
+@@ -1366,6 +1366,10 @@ static void run_pkt_test(struct test_spec *test, enum test_mode mode, enum test_
+               testapp_invalid_desc(test);
+               break;
+       case TEST_TYPE_UNALIGNED_INV_DESC:
++              if (!hugepages_present(test->ifobj_tx)) {
++                      ksft_test_result_skip("No 2M huge pages present.\n");
++                      return;
++              }
+               test_spec_set_name(test, "UNALIGNED_INV_DESC");
+               test->ifobj_tx->umem->unaligned_mode = true;
+               test->ifobj_rx->umem->unaligned_mode = true;
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-clone3-clone3-add-case-clone3_args_no_test.patch b/queue-5.16/selftests-clone3-clone3-add-case-clone3_args_no_test.patch
new file mode 100644 (file)
index 0000000..a4d9745
--- /dev/null
@@ -0,0 +1,47 @@
+From 24ff2f9220f7b66914e4da928b6b39e4f44ee63e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 21:13:50 +0100
+Subject: selftests: clone3: clone3: add case CLONE3_ARGS_NO_TEST
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit a531b0c23c0fc68ad758cc31a74cf612a4dafeb0 ]
+
+Building selftests/clone3 with clang warns about enumeration not handled
+in switch case:
+
+clone3.c:54:10: warning: enumeration value 'CLONE3_ARGS_NO_TEST' not handled in switch [-Wswitch]
+        switch (test_mode) {
+                ^
+
+Add the missing switch case with a comment.
+
+Fixes: 17a810699c18 ("selftests: add tests for clone3()")
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/clone3/clone3.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/clone3/clone3.c b/tools/testing/selftests/clone3/clone3.c
+index 42be3b9258301..076cf4325f783 100644
+--- a/tools/testing/selftests/clone3/clone3.c
++++ b/tools/testing/selftests/clone3/clone3.c
+@@ -52,6 +52,12 @@ static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
+               size = sizeof(struct __clone_args);
+       switch (test_mode) {
++      case CLONE3_ARGS_NO_TEST:
++              /*
++               * Uses default 'flags' and 'SIGCHLD'
++               * assignment.
++               */
++              break;
+       case CLONE3_ARGS_ALL_0:
+               args.flags = 0;
+               args.exit_signal = 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-ftrace-make-kprobe-profile-testcase-descri.patch b/queue-5.16/selftests-ftrace-make-kprobe-profile-testcase-descri.patch
new file mode 100644 (file)
index 0000000..159bf46
--- /dev/null
@@ -0,0 +1,41 @@
+From 61102102cf8978588bae707738676146c39dcbd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Nov 2021 13:25:46 +0100
+Subject: selftests/ftrace: make kprobe profile testcase description unique
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit e5992f373c6eed6d09e5858e9623df1259b3ce30 ]
+
+Commit 32f6e5da83c7 ("selftests/ftrace: Add kprobe profile testcase")
+added a new kprobes testcase, but has a description which does not
+describe what the test case is doing and is duplicating the description
+of another test case.
+
+Therefore change the test case description, so it is unique and then
+allows easily to tell which test case actually passed or failed.
+
+Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/ftrace/test.d/kprobe/profile.tc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc b/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc
+index 98166fa3eb91c..34fb89b0c61fa 100644
+--- a/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc
++++ b/tools/testing/selftests/ftrace/test.d/kprobe/profile.tc
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0
+-# description: Kprobe dynamic event - adding and removing
++# description: Kprobe profile
+ # requires: kprobe_events
+ ! grep -q 'myevent' kprobe_profile
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-harness-avoid-false-negatives-if-test-has-.patch b/queue-5.16/selftests-harness-avoid-false-negatives-if-test-has-.patch
new file mode 100644 (file)
index 0000000..4dc99aa
--- /dev/null
@@ -0,0 +1,40 @@
+From 6af071441b460dc3f9bda6c5e1aa6b473e5a383c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 14:39:16 -0800
+Subject: selftests: harness: avoid false negatives if test has no ASSERTs
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 3abedf4646fdc0036fcb8ebbc3b600667167fafe ]
+
+Test can fail either immediately when ASSERT() failed or at the
+end if one or more EXPECT() was not met. The exact return code
+is decided based on the number of successful ASSERT()s.
+
+If test has no ASSERT()s, however, the return code will be 0,
+as if the test did not fail. Start counting ASSERT()s from 1.
+
+Fixes: 369130b63178 ("selftests: Enhance kselftest_harness.h to print which assert failed")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest_harness.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
+index ae0f0f33b2a6e..79a182cfa43ad 100644
+--- a/tools/testing/selftests/kselftest_harness.h
++++ b/tools/testing/selftests/kselftest_harness.h
+@@ -969,7 +969,7 @@ void __run_test(struct __fixture_metadata *f,
+       t->passed = 1;
+       t->skip = 0;
+       t->trigger = 0;
+-      t->step = 0;
++      t->step = 1;
+       t->no_print = 0;
+       memset(t->results->reason, 0, sizeof(t->results->reason));
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-powerpc-add-a-test-of-sigreturning-to-the-.patch b/queue-5.16/selftests-powerpc-add-a-test-of-sigreturning-to-the-.patch
new file mode 100644 (file)
index 0000000..f54de2d
--- /dev/null
@@ -0,0 +1,187 @@
+From 30a786bb2d4677f7425bc2dfe71e37a26ce5d295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 22:59:44 +1100
+Subject: selftests/powerpc: Add a test of sigreturning to the kernel
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit a8968521cfdc3e339fe69473d6632e0aa8d7202a ]
+
+We have a general signal fuzzer, sigfuz, which can modify the MSR & NIP
+before sigreturn. But the chance of it hitting a kernel address and also
+clearing MSR_PR is fairly slim.
+
+So add a specific test of sigreturn to a kernel address, both with and
+without attempting to clear MSR_PR (which the kernel must block).
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211209115944.4062384-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/powerpc/signal/.gitignore       |   1 +
+ .../testing/selftests/powerpc/signal/Makefile |   1 +
+ .../powerpc/signal/sigreturn_kernel.c         | 132 ++++++++++++++++++
+ 3 files changed, 134 insertions(+)
+ create mode 100644 tools/testing/selftests/powerpc/signal/sigreturn_kernel.c
+
+diff --git a/tools/testing/selftests/powerpc/signal/.gitignore b/tools/testing/selftests/powerpc/signal/.gitignore
+index ce3375cd8e73e..8f6c816099a48 100644
+--- a/tools/testing/selftests/powerpc/signal/.gitignore
++++ b/tools/testing/selftests/powerpc/signal/.gitignore
+@@ -4,3 +4,4 @@ signal_tm
+ sigfuz
+ sigreturn_vdso
+ sig_sc_double_restart
++sigreturn_kernel
+diff --git a/tools/testing/selftests/powerpc/signal/Makefile b/tools/testing/selftests/powerpc/signal/Makefile
+index d6ae54663aed7..84e201572466d 100644
+--- a/tools/testing/selftests/powerpc/signal/Makefile
++++ b/tools/testing/selftests/powerpc/signal/Makefile
+@@ -1,5 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ TEST_GEN_PROGS := signal signal_tm sigfuz sigreturn_vdso sig_sc_double_restart
++TEST_GEN_PROGS += sigreturn_kernel
+ CFLAGS += -maltivec
+ $(OUTPUT)/signal_tm: CFLAGS += -mhtm
+diff --git a/tools/testing/selftests/powerpc/signal/sigreturn_kernel.c b/tools/testing/selftests/powerpc/signal/sigreturn_kernel.c
+new file mode 100644
+index 0000000000000..0a1b6e591eeed
+--- /dev/null
++++ b/tools/testing/selftests/powerpc/signal/sigreturn_kernel.c
+@@ -0,0 +1,132 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Test that we can't sigreturn to kernel addresses, or to kernel mode.
++ */
++
++#define _GNU_SOURCE
++
++#include <stdio.h>
++#include <signal.h>
++#include <stdlib.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <unistd.h>
++
++#include "utils.h"
++
++#define MSR_PR (1ul << 14)
++
++static volatile unsigned long long sigreturn_addr;
++static volatile unsigned long long sigreturn_msr_mask;
++
++static void sigusr1_handler(int signo, siginfo_t *si, void *uc_ptr)
++{
++      ucontext_t *uc = (ucontext_t *)uc_ptr;
++
++      if (sigreturn_addr)
++              UCONTEXT_NIA(uc) = sigreturn_addr;
++
++      if (sigreturn_msr_mask)
++              UCONTEXT_MSR(uc) &= sigreturn_msr_mask;
++}
++
++static pid_t fork_child(void)
++{
++      pid_t pid;
++
++      pid = fork();
++      if (pid == 0) {
++              raise(SIGUSR1);
++              exit(0);
++      }
++
++      return pid;
++}
++
++static int expect_segv(pid_t pid)
++{
++      int child_ret;
++
++      waitpid(pid, &child_ret, 0);
++      FAIL_IF(WIFEXITED(child_ret));
++      FAIL_IF(!WIFSIGNALED(child_ret));
++      FAIL_IF(WTERMSIG(child_ret) != 11);
++
++      return 0;
++}
++
++int test_sigreturn_kernel(void)
++{
++      struct sigaction act;
++      int child_ret, i;
++      pid_t pid;
++
++      act.sa_sigaction = sigusr1_handler;
++      act.sa_flags = SA_SIGINFO;
++      sigemptyset(&act.sa_mask);
++
++      FAIL_IF(sigaction(SIGUSR1, &act, NULL));
++
++      for (i = 0; i < 2; i++) {
++              // Return to kernel
++              sigreturn_addr = 0xcull << 60;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return to kernel virtual
++              sigreturn_addr = 0xc008ull << 48;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return out of range
++              sigreturn_addr = 0xc010ull << 48;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return to no-man's land, just below PAGE_OFFSET
++              sigreturn_addr = (0xcull << 60) - (64 * 1024);
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return to no-man's land, above TASK_SIZE_4PB
++              sigreturn_addr = 0x1ull << 52;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return to 0xd space
++              sigreturn_addr = 0xdull << 60;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return to 0xe space
++              sigreturn_addr = 0xeull << 60;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Return to 0xf space
++              sigreturn_addr = 0xfull << 60;
++              pid = fork_child();
++              expect_segv(pid);
++
++              // Attempt to set PR=0 for 2nd loop (should be blocked by kernel)
++              sigreturn_msr_mask = ~MSR_PR;
++      }
++
++      printf("All children killed as expected\n");
++
++      // Don't change address, just MSR, should return to user as normal
++      sigreturn_addr = 0;
++      sigreturn_msr_mask = ~MSR_PR;
++      pid = fork_child();
++      waitpid(pid, &child_ret, 0);
++      FAIL_IF(!WIFEXITED(child_ret));
++      FAIL_IF(WIFSIGNALED(child_ret));
++      FAIL_IF(WEXITSTATUS(child_ret) != 0);
++
++      return 0;
++}
++
++int main(void)
++{
++      return test_harness(test_sigreturn_kernel, "sigreturn_kernel");
++}
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch b/queue-5.16/selftests-powerpc-spectre_v2-return-skip-code-when-m.patch
new file mode 100644 (file)
index 0000000..3749003
--- /dev/null
@@ -0,0 +1,43 @@
+From 6af4f4e2b33c1f66b81da52326cef53e7fce5110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Dec 2021 10:05:57 -0300
+Subject: selftests/powerpc/spectre_v2: Return skip code when miss_percent is
+ high
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+[ Upstream commit 3c42e9542050d49610077e083c7c3f5fd5e26820 ]
+
+A mis-match between reported and actual mitigation is not restricted to the
+Vulnerable case. The guest might also report the mitigation as "Software
+count cache flush" and the host will still mitigate with branch cache
+disabled.
+
+So, instead of skipping depending on the detected mitigation, simply skip
+whenever the detected miss_percent is the expected one for a fully
+mitigated system, that is, above 95%.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20211207130557.40566-1-cascardo@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/security/spectre_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/powerpc/security/spectre_v2.c b/tools/testing/selftests/powerpc/security/spectre_v2.c
+index adc2b7294e5fd..83647b8277e7d 100644
+--- a/tools/testing/selftests/powerpc/security/spectre_v2.c
++++ b/tools/testing/selftests/powerpc/security/spectre_v2.c
+@@ -193,7 +193,7 @@ int spectre_v2_test(void)
+                        * We are not vulnerable and reporting otherwise, so
+                        * missing such a mismatch is safe.
+                        */
+-                      if (state == VULNERABLE)
++                      if (miss_percent > 95)
+                               return 4;
+                       return 1;
+-- 
+2.34.1
+
diff --git a/queue-5.16/selftests-vm-make-charge_reserved_hugetlb.sh-work-wi.patch b/queue-5.16/selftests-vm-make-charge_reserved_hugetlb.sh-work-wi.patch
new file mode 100644 (file)
index 0000000..3bfe110
--- /dev/null
@@ -0,0 +1,165 @@
+From 2bd4bcedd09b8a3f4150673e7062dc91d345f7e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:07:58 -0800
+Subject: selftests/vm: make charge_reserved_hugetlb.sh work with existing
+ cgroup setting
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 209376ed2a8431ccb4c40fdcef11194fc1e749b0 ]
+
+The hugetlb cgroup reservation test charge_reserved_hugetlb.sh assume
+that no cgroup filesystems are mounted before running the test.  That is
+not true in many cases.  As a result, the test fails to run.  Fix that
+by querying the current cgroup mount setting and using the existing
+cgroup setup instead before attempting to freshly mount a cgroup
+filesystem.
+
+Similar change is also made for hugetlb_reparenting_test.sh as well,
+though it still has problem if cgroup v2 isn't used.
+
+The patched test scripts were run on a centos 8 based system to verify
+that they ran properly.
+
+Link: https://lkml.kernel.org/r/20220106201359.1646575-1-longman@redhat.com
+Fixes: 29750f71a9b4 ("hugetlb_cgroup: add hugetlb_cgroup reservation tests")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Mina Almasry <almasrymina@google.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/vm/charge_reserved_hugetlb.sh   | 34 +++++++++++--------
+ .../selftests/vm/hugetlb_reparenting_test.sh  | 21 +++++++-----
+ .../selftests/vm/write_hugetlb_memory.sh      |  2 +-
+ 3 files changed, 34 insertions(+), 23 deletions(-)
+
+diff --git a/tools/testing/selftests/vm/charge_reserved_hugetlb.sh b/tools/testing/selftests/vm/charge_reserved_hugetlb.sh
+index fe8fcfb334e06..a5cb4b09a46c4 100644
+--- a/tools/testing/selftests/vm/charge_reserved_hugetlb.sh
++++ b/tools/testing/selftests/vm/charge_reserved_hugetlb.sh
+@@ -24,19 +24,23 @@ if [[ "$1" == "-cgroup-v2" ]]; then
+   reservation_usage_file=rsvd.current
+ fi
+-cgroup_path=/dev/cgroup/memory
+-if [[ ! -e $cgroup_path ]]; then
+-  mkdir -p $cgroup_path
+-  if [[ $cgroup2 ]]; then
++if [[ $cgroup2 ]]; then
++  cgroup_path=$(mount -t cgroup2 | head -1 | awk -e '{print $3}')
++  if [[ -z "$cgroup_path" ]]; then
++    cgroup_path=/dev/cgroup/memory
+     mount -t cgroup2 none $cgroup_path
+-  else
++    do_umount=1
++  fi
++  echo "+hugetlb" >$cgroup_path/cgroup.subtree_control
++else
++  cgroup_path=$(mount -t cgroup | grep ",hugetlb" | awk -e '{print $3}')
++  if [[ -z "$cgroup_path" ]]; then
++    cgroup_path=/dev/cgroup/memory
+     mount -t cgroup memory,hugetlb $cgroup_path
++    do_umount=1
+   fi
+ fi
+-
+-if [[ $cgroup2 ]]; then
+-  echo "+hugetlb" >/dev/cgroup/memory/cgroup.subtree_control
+-fi
++export cgroup_path
+ function cleanup() {
+   if [[ $cgroup2 ]]; then
+@@ -108,7 +112,7 @@ function setup_cgroup() {
+ function wait_for_hugetlb_memory_to_get_depleted() {
+   local cgroup="$1"
+-  local path="/dev/cgroup/memory/$cgroup/hugetlb.${MB}MB.$reservation_usage_file"
++  local path="$cgroup_path/$cgroup/hugetlb.${MB}MB.$reservation_usage_file"
+   # Wait for hugetlbfs memory to get depleted.
+   while [ $(cat $path) != 0 ]; do
+     echo Waiting for hugetlb memory to get depleted.
+@@ -121,7 +125,7 @@ function wait_for_hugetlb_memory_to_get_reserved() {
+   local cgroup="$1"
+   local size="$2"
+-  local path="/dev/cgroup/memory/$cgroup/hugetlb.${MB}MB.$reservation_usage_file"
++  local path="$cgroup_path/$cgroup/hugetlb.${MB}MB.$reservation_usage_file"
+   # Wait for hugetlbfs memory to get written.
+   while [ $(cat $path) != $size ]; do
+     echo Waiting for hugetlb memory reservation to reach size $size.
+@@ -134,7 +138,7 @@ function wait_for_hugetlb_memory_to_get_written() {
+   local cgroup="$1"
+   local size="$2"
+-  local path="/dev/cgroup/memory/$cgroup/hugetlb.${MB}MB.$fault_usage_file"
++  local path="$cgroup_path/$cgroup/hugetlb.${MB}MB.$fault_usage_file"
+   # Wait for hugetlbfs memory to get written.
+   while [ $(cat $path) != $size ]; do
+     echo Waiting for hugetlb memory to reach size $size.
+@@ -574,5 +578,7 @@ for populate in "" "-o"; do
+   done     # populate
+ done       # method
+-umount $cgroup_path
+-rmdir $cgroup_path
++if [[ $do_umount ]]; then
++  umount $cgroup_path
++  rmdir $cgroup_path
++fi
+diff --git a/tools/testing/selftests/vm/hugetlb_reparenting_test.sh b/tools/testing/selftests/vm/hugetlb_reparenting_test.sh
+index 4a9a3afe9fd4d..bf2d2a684edfd 100644
+--- a/tools/testing/selftests/vm/hugetlb_reparenting_test.sh
++++ b/tools/testing/selftests/vm/hugetlb_reparenting_test.sh
+@@ -18,19 +18,24 @@ if [[ "$1" == "-cgroup-v2" ]]; then
+   usage_file=current
+ fi
+-CGROUP_ROOT='/dev/cgroup/memory'
+-MNT='/mnt/huge/'
+-if [[ ! -e $CGROUP_ROOT ]]; then
+-  mkdir -p $CGROUP_ROOT
+-  if [[ $cgroup2 ]]; then
++if [[ $cgroup2 ]]; then
++  CGROUP_ROOT=$(mount -t cgroup2 | head -1 | awk -e '{print $3}')
++  if [[ -z "$CGROUP_ROOT" ]]; then
++    CGROUP_ROOT=/dev/cgroup/memory
+     mount -t cgroup2 none $CGROUP_ROOT
+-    sleep 1
+-    echo "+hugetlb +memory" >$CGROUP_ROOT/cgroup.subtree_control
+-  else
++    do_umount=1
++  fi
++  echo "+hugetlb +memory" >$CGROUP_ROOT/cgroup.subtree_control
++else
++  CGROUP_ROOT=$(mount -t cgroup | grep ",hugetlb" | awk -e '{print $3}')
++  if [[ -z "$CGROUP_ROOT" ]]; then
++    CGROUP_ROOT=/dev/cgroup/memory
+     mount -t cgroup memory,hugetlb $CGROUP_ROOT
++    do_umount=1
+   fi
+ fi
++MNT='/mnt/huge/'
+ function get_machine_hugepage_size() {
+   hpz=$(grep -i hugepagesize /proc/meminfo)
+diff --git a/tools/testing/selftests/vm/write_hugetlb_memory.sh b/tools/testing/selftests/vm/write_hugetlb_memory.sh
+index d3d0d108924d4..70a02301f4c27 100644
+--- a/tools/testing/selftests/vm/write_hugetlb_memory.sh
++++ b/tools/testing/selftests/vm/write_hugetlb_memory.sh
+@@ -14,7 +14,7 @@ want_sleep=$8
+ reserve=$9
+ echo "Putting task in cgroup '$cgroup'"
+-echo $$ > /dev/cgroup/memory/"$cgroup"/cgroup.procs
++echo $$ > ${cgroup_path:-/dev/cgroup/memory}/"$cgroup"/cgroup.procs
+ echo "Method is $method"
+-- 
+2.34.1
+
diff --git a/queue-5.16/selinux-fix-potential-memleak-in-selinux_add_opt.patch b/queue-5.16/selinux-fix-potential-memleak-in-selinux_add_opt.patch
new file mode 100644 (file)
index 0000000..346c85f
--- /dev/null
@@ -0,0 +1,63 @@
+From 24cf738ad1233a7a4e7588f26d4917fed59a6cfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 04:03:58 -0800
+Subject: selinux: fix potential memleak in selinux_add_opt()
+
+From: Bernard Zhao <bernard@vivo.com>
+
+[ Upstream commit 2e08df3c7c4e4e74e3dd5104c100f0bf6288aaa8 ]
+
+This patch try to fix potential memleak in error branch.
+
+Fixes: ba6418623385 ("selinux: new helper - selinux_add_opt()")
+Signed-off-by: Bernard Zhao <bernard@vivo.com>
+[PM: tweak the subject line, add Fixes tag]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/hooks.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index dde4ecc0cd186..49b4f59db35e7 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -988,18 +988,22 @@ out:
+ static int selinux_add_opt(int token, const char *s, void **mnt_opts)
+ {
+       struct selinux_mnt_opts *opts = *mnt_opts;
++      bool is_alloc_opts = false;
+       if (token == Opt_seclabel)      /* eaten and completely ignored */
+               return 0;
++      if (!s)
++              return -ENOMEM;
++
+       if (!opts) {
+               opts = kzalloc(sizeof(struct selinux_mnt_opts), GFP_KERNEL);
+               if (!opts)
+                       return -ENOMEM;
+               *mnt_opts = opts;
++              is_alloc_opts = true;
+       }
+-      if (!s)
+-              return -ENOMEM;
++
+       switch (token) {
+       case Opt_context:
+               if (opts->context || opts->defcontext)
+@@ -1024,6 +1028,10 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts)
+       }
+       return 0;
+ Einval:
++      if (is_alloc_opts) {
++              kfree(opts);
++              *mnt_opts = NULL;
++      }
+       pr_warn(SEL_MOUNT_FAIL_MSG);
+       return -EINVAL;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-8250_bcm7271-propagate-error-codes-from-brcmu.patch b/queue-5.16/serial-8250_bcm7271-propagate-error-codes-from-brcmu.patch
new file mode 100644 (file)
index 0000000..e35e057
--- /dev/null
@@ -0,0 +1,69 @@
+From aeb170b5572656a67372c6c258d1469f0330132c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Dec 2021 14:29:09 +0000
+Subject: serial: 8250_bcm7271: Propagate error codes from brcmuart_probe()
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit c195438f1e84de8fa46b4f5264d12379bee6e9a1 ]
+
+In case of failures brcmuart_probe() always returned -ENODEV, this
+isn't correct for example platform_get_irq_byname() may return
+-EPROBE_DEFER to handle such cases propagate error codes in
+brcmuart_probe() in case of failures.
+
+Fixes: 41a469482de25 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/r/20211224142917.6966-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 5163d60756b73..0877cf24f7de0 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1076,14 +1076,18 @@ static int brcmuart_probe(struct platform_device *pdev)
+               priv->rx_bufs = dma_alloc_coherent(dev,
+                                                  priv->rx_size,
+                                                  &priv->rx_addr, GFP_KERNEL);
+-              if (!priv->rx_bufs)
++              if (!priv->rx_bufs) {
++                      ret = -EINVAL;
+                       goto err;
++              }
+               priv->tx_size = UART_XMIT_SIZE;
+               priv->tx_buf = dma_alloc_coherent(dev,
+                                                 priv->tx_size,
+                                                 &priv->tx_addr, GFP_KERNEL);
+-              if (!priv->tx_buf)
++              if (!priv->tx_buf) {
++                      ret = -EINVAL;
+                       goto err;
++              }
+       }
+       ret = serial8250_register_8250_port(&up);
+@@ -1097,6 +1101,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+       if (priv->dma_enabled) {
+               dma_irq = platform_get_irq_byname(pdev,  "dma");
+               if (dma_irq < 0) {
++                      ret = dma_irq;
+                       dev_err(dev, "no IRQ resource info\n");
+                       goto err1;
+               }
+@@ -1116,7 +1121,7 @@ err1:
+ err:
+       brcmuart_free_bufs(dev, priv);
+       brcmuart_arbitration(priv, 0);
+-      return -ENODEV;
++      return ret;
+ }
+ static int brcmuart_remove(struct platform_device *pdev)
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-8250_dw-add-starfive-jh7100-quirk.patch b/queue-5.16/serial-8250_dw-add-starfive-jh7100-quirk.patch
new file mode 100644 (file)
index 0000000..145defe
--- /dev/null
@@ -0,0 +1,50 @@
+From 61ad2d4e53c90ae15d44d645d63059eae259884e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 16:01:17 +0100
+Subject: serial: 8250_dw: Add StarFive JH7100 quirk
+
+From: Emil Renner Berthing <kernel@esmil.dk>
+
+[ Upstream commit 57dcb6ec85d59e04285b7dcf10924bb819c8e46f ]
+
+On the StarFive JH7100 RISC-V SoC the UART core clocks can't be set to
+exactly 16 * 115200Hz and many other common bitrates. Trying this will
+only result in a higher input clock, but low enough that the UART's
+internal divisor can't come close enough to the baud rate target.
+So rather than try to set the input clock it's better to skip the
+clk_set_rate call and rely solely on the UART's internal divisor.
+
+Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20211116150119.2171-15-kernel@esmil.dk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_dw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index 53f57c3b9f42c..1769808031c52 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -414,6 +414,8 @@ static void dw8250_quirks(struct uart_port *p, struct dw8250_data *data)
+               if (of_device_is_compatible(np, "marvell,armada-38x-uart"))
+                       p->serial_out = dw8250_serial_out38x;
++              if (of_device_is_compatible(np, "starfive,jh7100-uart"))
++                      p->set_termios = dw8250_do_set_termios;
+       } else if (acpi_dev_present("APMC0D08", NULL, -1)) {
+               p->iotype = UPIO_MEM32;
+@@ -696,6 +698,7 @@ static const struct of_device_id dw8250_of_match[] = {
+       { .compatible = "cavium,octeon-3860-uart" },
+       { .compatible = "marvell,armada-38x-uart" },
+       { .compatible = "renesas,rzn1-uart" },
++      { .compatible = "starfive,jh7100-uart" },
+       { /* Sentinel */ }
+ };
+ MODULE_DEVICE_TABLE(of, dw8250_of_match);
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-amba-pl011-do-not-request-memory-region-twice.patch b/queue-5.16/serial-amba-pl011-do-not-request-memory-region-twice.patch
new file mode 100644 (file)
index 0000000..62aa293
--- /dev/null
@@ -0,0 +1,106 @@
+From c85a77f9c7b499e738bb163904ac0bb0f34496d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 18:42:38 +0100
+Subject: serial: amba-pl011: do not request memory region twice
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+
+[ Upstream commit d1180405c7b5c7a1c6bde79d5fc24fe931430737 ]
+
+With commit 3873e2d7f63a ("drivers: PL011: refactor pl011_probe()") the
+function devm_ioremap() called from pl011_setup_port() was replaced with
+devm_ioremap_resource(). Since this function not only remaps but also
+requests the ports io memory region it now collides with the .config_port()
+callback which requests the same region at uart port registration.
+
+Since devm_ioremap_resource() already claims the memory successfully, the
+request in .config_port() fails.
+
+Later at uart port deregistration the attempt to release the unclaimed
+memory also fails. The failure results in a “Trying to free nonexistent
+resource" warning.
+
+Fix these issues by removing the callbacks that implement the redundant
+memory allocation/release. Also make sure that changing the drivers io
+memory base address via TIOCSSERIAL is not allowed any more.
+
+Fixes: 3873e2d7f63a ("drivers: PL011: refactor pl011_probe()")
+Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+Link: https://lore.kernel.org/r/20211129174238.8333-1-LinoSanfilippo@gmx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/amba-pl011.c | 27 +++------------------------
+ 1 file changed, 3 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
+index 52518a606c06a..b831d4d64c0a2 100644
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -2183,32 +2183,13 @@ static const char *pl011_type(struct uart_port *port)
+       return uap->port.type == PORT_AMBA ? uap->type : NULL;
+ }
+-/*
+- * Release the memory region(s) being used by 'port'
+- */
+-static void pl011_release_port(struct uart_port *port)
+-{
+-      release_mem_region(port->mapbase, SZ_4K);
+-}
+-
+-/*
+- * Request the memory region(s) being used by 'port'
+- */
+-static int pl011_request_port(struct uart_port *port)
+-{
+-      return request_mem_region(port->mapbase, SZ_4K, "uart-pl011")
+-                      != NULL ? 0 : -EBUSY;
+-}
+-
+ /*
+  * Configure/autoconfigure the port.
+  */
+ static void pl011_config_port(struct uart_port *port, int flags)
+ {
+-      if (flags & UART_CONFIG_TYPE) {
++      if (flags & UART_CONFIG_TYPE)
+               port->type = PORT_AMBA;
+-              pl011_request_port(port);
+-      }
+ }
+ /*
+@@ -2223,6 +2204,8 @@ static int pl011_verify_port(struct uart_port *port, struct serial_struct *ser)
+               ret = -EINVAL;
+       if (ser->baud_base < 9600)
+               ret = -EINVAL;
++      if (port->mapbase != (unsigned long) ser->iomem_base)
++              ret = -EINVAL;
+       return ret;
+ }
+@@ -2275,8 +2258,6 @@ static const struct uart_ops amba_pl011_pops = {
+       .flush_buffer   = pl011_dma_flush_buffer,
+       .set_termios    = pl011_set_termios,
+       .type           = pl011_type,
+-      .release_port   = pl011_release_port,
+-      .request_port   = pl011_request_port,
+       .config_port    = pl011_config_port,
+       .verify_port    = pl011_verify_port,
+ #ifdef CONFIG_CONSOLE_POLL
+@@ -2306,8 +2287,6 @@ static const struct uart_ops sbsa_uart_pops = {
+       .shutdown       = sbsa_uart_shutdown,
+       .set_termios    = sbsa_uart_set_termios,
+       .type           = pl011_type,
+-      .release_port   = pl011_release_port,
+-      .request_port   = pl011_request_port,
+       .config_port    = pl011_config_port,
+       .verify_port    = pl011_verify_port,
+ #ifdef CONFIG_CONSOLE_POLL
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-core-keep-mctrl-register-state-and-cached-cop.patch b/queue-5.16/serial-core-keep-mctrl-register-state-and-cached-cop.patch
new file mode 100644 (file)
index 0000000..a0af89c
--- /dev/null
@@ -0,0 +1,53 @@
+From f65951f65f69232906defa200f311c9f865f06f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Jan 2022 18:52:44 +0100
+Subject: serial: core: Keep mctrl register state and cached copy in sync
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 93a770b7e16772530196674ffc79bb13fa927dc6 ]
+
+struct uart_port contains a cached copy of the Modem Control signals.
+It is used to skip register writes in uart_update_mctrl() if the new
+signal state equals the old signal state.  It also avoids a register
+read to obtain the current state of output signals.
+
+When a uart_port is registered, uart_configure_port() changes signal
+state but neglects to keep the cached copy in sync.  That may cause
+a subsequent register write to be incorrectly skipped.  Fix it before
+it trips somebody up.
+
+This behavior has been present ever since the serial core was introduced
+in 2002:
+https://git.kernel.org/history/history/c/33c0d1b0c3eb
+
+So far it was never an issue because the cached copy is initialized to 0
+by kzalloc() and when uart_configure_port() is executed, at most DTR has
+been set by uart_set_options() or sunsu_console_setup().  Therefore,
+a stable designation seems unnecessary.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://lore.kernel.org/r/bceeaba030b028ed810272d55d5fc6f3656ddddb.1641129752.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/serial_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index 61e3dd0222af1..9e7e624a6c9db 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -2393,7 +2393,8 @@ uart_configure_port(struct uart_driver *drv, struct uart_state *state,
+                * We probably don't need a spinlock around this, but
+                */
+               spin_lock_irqsave(&port->lock, flags);
+-              port->ops->set_mctrl(port, port->mctrl & TIOCM_DTR);
++              port->mctrl &= TIOCM_DTR;
++              port->ops->set_mctrl(port, port->mctrl);
+               spin_unlock_irqrestore(&port->lock, flags);
+               /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-liteuart-fix-module_alias.patch b/queue-5.16/serial-liteuart-fix-module_alias.patch
new file mode 100644 (file)
index 0000000..0a70977
--- /dev/null
@@ -0,0 +1,33 @@
+From 32acce041488b09d482a6f70fa773f90e5700a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 13:10:28 +0000
+Subject: serial: liteuart: fix MODULE_ALIAS
+
+From: Alyssa Ross <hi@alyssa.is>
+
+[ Upstream commit 556172fabd226ba14b70c1740d0826a4717473dc ]
+
+modprobe can't handle spaces in aliases.
+
+Fixes: 1da81e5562fa ("drivers/tty/serial: add LiteUART driver")
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Link: https://lore.kernel.org/r/20220104131030.1674733-1-hi@alyssa.is
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/liteuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/liteuart.c b/drivers/tty/serial/liteuart.c
+index 2941659e52747..7f74bf7bdcff8 100644
+--- a/drivers/tty/serial/liteuart.c
++++ b/drivers/tty/serial/liteuart.c
+@@ -436,4 +436,4 @@ module_exit(liteuart_exit);
+ MODULE_AUTHOR("Antmicro <www.antmicro.com>");
+ MODULE_DESCRIPTION("LiteUART serial driver");
+ MODULE_LICENSE("GPL v2");
+-MODULE_ALIAS("platform: liteuart");
++MODULE_ALIAS("platform:liteuart");
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-pl010-drop-cr-register-reset-on-set_termios.patch b/queue-5.16/serial-pl010-drop-cr-register-reset-on-set_termios.patch
new file mode 100644 (file)
index 0000000..501b04d
--- /dev/null
@@ -0,0 +1,58 @@
+From ee3f77aa9a560ba693b64a08e4be3dc68bcdf74e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Jan 2022 18:42:44 +0100
+Subject: serial: pl010: Drop CR register reset on set_termios
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 08a0c6dff91c965e39905cf200d22db989203ccb ]
+
+pl010_set_termios() briefly resets the CR register to zero.
+
+Where does this register write come from?
+
+The PL010 driver's IRQ handler ambauart_int() originally modified the CR
+register without holding the port spinlock.  ambauart_set_termios() also
+modified that register.  To prevent concurrent read-modify-writes by the
+IRQ handler and to prevent transmission while changing baudrate,
+ambauart_set_termios() had to disable interrupts.  That is achieved by
+writing zero to the CR register.
+
+However in 2004 the PL010 driver was amended to acquire the port
+spinlock in the IRQ handler, obviating the need to disable interrupts in
+->set_termios():
+https://git.kernel.org/history/history/c/157c0342e591
+
+That rendered the CR register write obsolete.  Drop it.
+
+Cc: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://lore.kernel.org/r/fcaff16e5b1abb4cc3da5a2879ac13f278b99ed0.1641128728.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/amba-pl010.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c
+index e744b953ca346..47654073123d6 100644
+--- a/drivers/tty/serial/amba-pl010.c
++++ b/drivers/tty/serial/amba-pl010.c
+@@ -446,14 +446,11 @@ pl010_set_termios(struct uart_port *port, struct ktermios *termios,
+       if ((termios->c_cflag & CREAD) == 0)
+               uap->port.ignore_status_mask |= UART_DUMMY_RSR_RX;
+-      /* first, disable everything */
+       old_cr = readb(uap->port.membase + UART010_CR) & ~UART010_CR_MSIE;
+       if (UART_ENABLE_MS(port, termios->c_cflag))
+               old_cr |= UART010_CR_MSIE;
+-      writel(0, uap->port.membase + UART010_CR);
+-
+       /* Set baud rate */
+       quot -= 1;
+       writel((quot & 0xf00) >> 8, uap->port.membase + UART010_LCRM);
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-pl011-drop-cr-register-reset-on-set_termios.patch b/queue-5.16/serial-pl011-drop-cr-register-reset-on-set_termios.patch
new file mode 100644 (file)
index 0000000..88bfa10
--- /dev/null
@@ -0,0 +1,62 @@
+From ed7865433f4773f10988efe9c60ef3ed8caf68d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Jan 2022 18:45:44 +0100
+Subject: serial: pl011: Drop CR register reset on set_termios
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit e368cc656fd6d0075f1c3ab9676e2001451e3e04 ]
+
+pl011_set_termios() briefly resets the CR register to zero, thereby
+glitching DTR/RTS signals.  With rs485 this may result in the bus being
+occupied for no reason.
+
+Where does this register write originate from?
+
+The PL011 driver was forked from the PL010 driver in 2004:
+https://git.kernel.org/history/history/c/157c0342e591
+
+Until this commit, the PL010 driver's IRQ handler ambauart_int()
+modified the CR register without holding the port spinlock.
+
+ambauart_set_termios() also modified that register.  To prevent
+concurrent read-modify-writes by the IRQ handler and to prevent
+transmission while changing baudrate, ambauart_set_termios() had to
+disable interrupts.  On the PL010, that is achieved by writing zero to
+the CR register.
+
+However, on the PL011, interrupts are disabled in the IMSC register,
+not in the CR register.
+
+Additionally, the commit amended both the PL010 and PL011 driver to
+acquire the port spinlock in the IRQ handler, obviating the need to
+disable interrupts in ->set_termios().
+
+So the CR register write is obsolete for two reasons.  Drop it.
+
+Cc: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Link: https://lore.kernel.org/r/f49f945375f5ccb979893c49f1129f51651ac738.1641129062.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/amba-pl011.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
+index b831d4d64c0a2..6ec34260d6b18 100644
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -2105,9 +2105,7 @@ pl011_set_termios(struct uart_port *port, struct ktermios *termios,
+       if (port->rs485.flags & SER_RS485_ENABLED)
+               termios->c_cflag &= ~CRTSCTS;
+-      /* first, disable everything */
+       old_cr = pl011_read(uap, REG_CR);
+-      pl011_write(0, uap, REG_CR);
+       if (termios->c_cflag & CRTSCTS) {
+               if (old_cr & UART011_CR_RTS)
+-- 
+2.34.1
+
diff --git a/queue-5.16/serial-stm32-move-tx-dma-terminate-dma-to-shutdown.patch b/queue-5.16/serial-stm32-move-tx-dma-terminate-dma-to-shutdown.patch
new file mode 100644 (file)
index 0000000..cbce52f
--- /dev/null
@@ -0,0 +1,51 @@
+From 6eaf6ba70fe2856096b35127ef8f195373f63f2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 19:24:42 +0100
+Subject: serial: stm32: move tx dma terminate DMA to shutdown
+
+From: Valentin Caron <valentin.caron@foss.st.com>
+
+[ Upstream commit 56a23f9319e86e1d62a109896e2c7e52c414e67d ]
+
+Terminate DMA transaction and clear CR3_DMAT when shutdown is requested,
+instead of when remove is requested. If DMA transfer is not stopped in
+shutdown ops, driver will fail to start a new DMA transfer after next
+startup ops.
+
+Fixes: 3489187204eb ("serial: stm32: adding dma support")
+Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
+Signed-off-by: Valentin Caron <valentin.caron@foss.st.com>
+Link: https://lore.kernel.org/r/20220104182445.4195-2-valentin.caron@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index 3244e7f6818ca..6cfc3bec67492 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -883,6 +883,11 @@ static void stm32_usart_shutdown(struct uart_port *port)
+       u32 val, isr;
+       int ret;
++      if (stm32_port->tx_dma_busy) {
++              dmaengine_terminate_async(stm32_port->tx_ch);
++              stm32_usart_clr_bits(port, ofs->cr3, USART_CR3_DMAT);
++      }
++
+       /* Disable modem control interrupts */
+       stm32_usart_disable_ms(port);
+@@ -1570,7 +1575,6 @@ static int stm32_usart_serial_remove(struct platform_device *pdev)
+       writel_relaxed(cr3, port->membase + ofs->cr3);
+       if (stm32_port->tx_ch) {
+-              dmaengine_terminate_async(stm32_port->tx_ch);
+               stm32_usart_of_dma_tx_remove(stm32_port, pdev);
+               dma_release_channel(stm32_port->tx_ch);
+       }
+-- 
+2.34.1
+
index 6c5c37ac442e8cafd5579742bc1a6c73759e09ee..f56e15b6809c18895e2f175f28bb02d4c018bd2b 100644 (file)
@@ -15,3 +15,755 @@ nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch
 mtd-rawnand-gpmi-add-err007117-protection-for-nfc_apply_timings.patch
 mtd-rawnand-gpmi-remove-explicit-default-gpmi-clock-setting-for-i.mx6.patch
 mtd-fixed-breaking-list-in-__mtd_del_partition.patch
+bluetooth-hci_vhci-fix-to-set-the-force_wakeup-value.patch
+bluetooth-mgmt-fix-experimental-feature-changed-even.patch
+bluetooth-l2cap-fix-not-initializing-sk_peer_pid.patch
+drm-bridge-display-connector-fix-an-uninitialized-po.patch
+drm-fix-null-ptr-deref-in-drm_dev_init_release.patch
+drm-panel-kingdisplay-kd097d04-delete-panel-on-attac.patch
+drm-panel-innolux-p079zca-delete-panel-on-attach-fai.patch
+drm-rockchip-dsi-fix-unbalanced-clock-on-probe-error.patch
+drm-rockchip-dsi-hold-pm-runtime-across-bind-unbind.patch
+drm-rockchip-dsi-disable-pll-clock-on-bind-error.patch
+bluetooth-virtio_bt-fix-memory-leak-in-virtbt_rx_han.patch
+bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch
+clk-bcm-2835-pick-the-closest-clock-rate.patch
+clk-bcm-2835-remove-rounding-up-the-dividers.patch
+drm-vc4-hdmi-set-a-default-hsm-rate.patch
+drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
+drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
+drm-vc4-hdmi-make-sure-the-controller-is-powered-up-.patch
+drm-vc4-hdmi-rework-the-pre_crtc_configure-error-han.patch
+drm-vc4-crtc-make-sure-the-hdmi-controller-is-powere.patch
+drm-bridge-sn65dsi83-fix-bridge-removal.patch
+drm-virtio-fix-potential-integer-overflow-on-shift-o.patch
+drm-virtio-fix-another-potential-integer-overflow-on.patch
+wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch
+wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch
+libbpf-fix-section-counting-logic.patch
+drm-vc4-hdmi-enable-the-scrambler-on-reconnection.patch
+libbpf-fix-non-c89-loop-variable-declaration-in-gen_.patch
+libbpf-free-up-resources-used-by-inner-map-definitio.patch
+wcn36xx-fix-dma-channel-enable-disable-cycle.patch
+wcn36xx-release-dma-channel-descriptor-allocations.patch
+wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch
+wcn36xx-populate-band-before-determining-rate-on-rx.patch
+wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch
+ath11k-send-ppdu_stats_cfg-with-proper-pdev-mask-to-.patch
+bpftool-fix-memory-leak-in-prog_dump.patch
+mtd-hyperbus-rpc-if-check-return-value-of-rpcif_sw_i.patch
+media-videobuf2-fix-the-size-printk-format.patch
+media-ipu3-cio2-fix-error-code-in-cio2_bridge_connec.patch
+media-atomisp-add-missing-media_device_cleanup-in-at.patch
+media-atomisp-fix-punit_ddr_dvfs_enable-argument-for.patch
+media-atomisp-fix-inverted-logic-in-buffers_needed.patch
+media-atomisp-do-not-use-err-var-when-checking-port-.patch
+media-atomisp-fix-inverted-error-check-for-ia_css_mi.patch
+media-atomisp-fix-ifdefs-in-sh_css.c.patch
+media-atomisp-add-null-check-for-asd-obtained-from-a.patch
+media-atomisp-fix-enum-formats-logic.patch
+media-atomisp-fix-uninitialized-bug-in-gmin_get_pmic.patch
+media-aspeed-fix-mode-detect-always-time-out-at-2nd-.patch
+media-em28xx-fix-memory-leak-in-em28xx_init_dev.patch
+media-aspeed-update-signal-status-immediately-to-ens.patch
+arm64-dts-amlogic-meson-g12-fix-gpu-operating-point-.patch
+arm64-dts-amlogic-fix-spi-nor-flash-node-name-for-od.patch
+arm64-dts-meson-gxbb-wetek-fix-hdmi-in-early-boot.patch
+arm64-dts-meson-gxbb-wetek-fix-missing-gpio-binding.patch
+fs-dlm-don-t-call-kernel_getpeername-in-error_report.patch
+memory-renesas-rpc-if-return-error-in-case-devm_iore.patch
+bluetooth-stop-proccessing-malicious-adv-data.patch
+bluetooth-fix-uninitialized-variables-notify_evt.patch
+ath11k-fix-etsi-regd-with-weather-radar-overlap.patch
+ath11k-clear-the-keys-properly-via-disable_key.patch
+ath11k-reset-rsn-wpa-present-state-for-open-bss.patch
+spi-hisi-kunpeng-fix-the-debugfs-directory-name-inco.patch
+tee-fix-put-order-in-teedev_close_context.patch
+kernel-locking-use-a-pointer-in-ww_mutex_trylock.patch
+fs-dlm-fix-build-with-config_ipv6-disabled.patch
+drm-dp-don-t-read-back-backlight-mode-in-drm_edp_bac.patch
+selftests-bpf-fix-xdpxceiver-failures-for-no-hugepag.patch
+mctp-test-update-refcount-checking-in-route-fragment.patch
+drm-vboxvideo-fix-a-null-vs-is_err-check.patch
+ath11k-set-correct-nl80211_feature_dynamic_smps-for-.patch
+ath11k-allocate-dst-ring-descriptors-from-cacheable-.patch
+ath11k-add-hw_param-for-wakeup_mhi.patch
+arm64-dts-renesas-cat875-add-rx-tx-delays.patch
+media-dmxdev-fix-uaf-when-dvb_register_device-fails.patch
+crypto-atmel-aes-reestablish-the-correct-tfm-context.patch
+crypto-keembay-ocs-ecc-fix-error-return-code-in-kmb_.patch
+crypto-qce-fix-uaf-on-qce_aead_register_one.patch
+crypto-qce-fix-uaf-on-qce_ahash_register_one.patch
+crypto-qce-fix-uaf-on-qce_skcipher_register_one.patch
+arm64-dts-qcom-sc7280-fix-incorrect-clock-name.patch
+arm64-dts-qcom-sc7280-fix-interrupt-map-parent-addre.patch
+mtd-hyperbus-rpc-if-fix-bug-in-rpcif_hb_remove.patch
+cpufreq-qcom-cpufreq-hw-update-offline-cpus-per-cpu-.patch
+soc-imx-gpcv2-keep-i.mx8mm-vpu-h1-bus-clock-active.patch
+cpufreq-qcom-hw-fix-probable-nested-interrupt-handli.patch
+arm-dts-stm32-fix-dtbs_check-warning-on-ili9341-dts-.patch
+libbpf-load-global-data-maps-lazily-on-legacy-kernel.patch
+tools-resolve_btf_ids-close-elf-file-on-error.patch
+libbpf-fix-potential-misaligned-memory-access-in-btf.patch
+libbpf-fix-glob_syms-memory-leak-in-bpf_linker.patch
+libbpf-fix-using-invalidated-memory-in-bpf_linker.patch
+crypto-qat-fix-undetected-pfvf-timeout-in-ack-loop.patch
+ath11k-use-host-ce-parameters-for-ce-interrupts-conf.patch
+arm64-dts-ti-k3-j721e-correct-cache-sets-info.patch
+tty-serial-atmel-check-return-code-of-dmaengine_subm.patch
+tty-serial-atmel-call-dma_async_issue_pending.patch
+pinctrl-apple-return-an-error-if-pinmux-is-missing-i.patch
+net-dsa-rtl8365mb-set-rgmii-rx-delay-in-steps-of-0.3.patch
+mfd-atmel-flexcom-remove-ifdef-config_pm_sleep.patch
+mfd-atmel-flexcom-use-.resume_noirq.patch
+bfq-do-not-let-waker-requests-skip-proper-accounting.patch
+libbpf-silence-uninitialized-warning-error-in-btf_du.patch
+media-i2c-imx274-fix-s_frame_interval-runtime-resume.patch
+media-i2c-re-order-runtime-pm-initialisation.patch
+media-i2c-ov8865-fix-lockdep-error.patch
+media-rcar-csi2-correct-the-selection-of-hsfreqrange.patch
+media-imx-pxp-initialize-the-spinlock-prior-to-using.patch
+media-si470x-i2c-fix-possible-memory-leak-in-si470x_.patch
+media-mtk-vcodec-fix-an-error-handling-path-in-mtk_v.patch
+media-mtk-vcodec-call-v4l2_m2m_ctx_release-first-whe.patch
+media-hantro-hook-up-rk3399-jpeg-encoder-output.patch
+media-coda-fix-coda960-jpeg-encoder-buffer-overflow.patch
+media-venus-correct-low-power-frequency-calculation-.patch
+media-venus-core-fix-a-potential-null-pointer-derefe.patch
+media-venus-core-fix-a-resource-leak-in-the-error-ha.patch
+net-stmmac-add-platform-level-debug-register-dump-fe.patch
+net-lantiq-fix-missing-free_netdev-on-error-in-ltq_e.patch
+thermal-drivers-imx-implement-runtime-pm-support.patch
+igc-af_xdp-zero-copy-metadata-adjust-breaks-skbs-on-.patch
+netfilter-bridge-add-support-for-pppoe-filtering.patch
+powerpc-avoid-discarding-flags-in-system_call_except.patch
+rcu-avoid-alloc_pages-when-recording-stack.patch
+arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch
+drm-vmwgfx-remove-the-deprecated-lower-mem-limit.patch
+drm-vmwgfx-fail-to-initialize-on-broken-configs.patch
+cgroup-trace-event-cgroup-id-fields-should-be-u64.patch
+acpi-ec-rework-flushing-of-ec-work-while-suspended-t.patch
+pinctrl-mediatek-uninitialized-variable-in-mtk_pctrl.patch
+pinctrl-mediatek-add-a-check-for-error-in-mtk_pincon.patch
+thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch
+drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch
+drm-radeon-radeon_kms-fix-a-null-pointer-dereference.patch
+libbpf-clean-gen_loader-s-attach-kind.patch
+null_blk-allow-zero-poll-queues.patch
+crypto-caam-save-caam-memory-to-support-crypto-engin.patch
+arm64-dts-ti-k3-am642-fix-the-l2-cache-sets.patch
+arm64-dts-ti-k3-j7200-fix-the-l2-cache-sets.patch
+arm64-dts-ti-k3-j721e-fix-the-l2-cache-sets.patch
+arm64-dts-ti-k3-j7200-correct-the-d-cache-sets-info.patch
+tty-serial-uartlite-allow-64-bit-address.patch
+serial-amba-pl011-do-not-request-memory-region-twice.patch
+mtd-core-provide-unique-name-for-nvmem-device.patch
+floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch
+staging-rtl8192e-return-error-code-from-rtllib_softm.patch
+staging-rtl8192e-rtllib_module-fix-error-handle-case.patch
+bluetooth-btmtksdio-fix-resume-failure.patch
+bpf-fix-the-test_task_vma-selftest-to-support-output.patch
+sched-fair-fix-detection-of-per-cpu-kthreads-waking-.patch
+sched-fair-fix-per-cpu-kthread-and-wakee-stacking-fo.patch
+bpf-adjust-btf-log-size-limit.patch
+bpf-disallow-bpf_log_kernel-log-level-for-bpf-bpf_bt.patch
+bpf-remove-config-check-to-enable-bpf-support-for-br.patch
+drm-rcar-du-add-dsi-support-to-rcar_du_output_name.patch
+drm-rcar-du-crtc-support-external-dsi-dot-clock.patch
+arm64-clear_page-shouldn-t-use-dc-zva-when-dczid_el0.patch
+arm64-mte-dc-gva-gzva-shouldn-t-be-used-when-dczid_e.patch
+platform-x86-wmi-replace-read_takes_no_args-with-a-f.patch
+platform-x86-wmi-fix-driver-notify-vs-probe-race.patch
+samples-bpf-clean-up-samples-bpf-build-failes.patch
+samples-bpf-fix-xdp_sample_user.o-linking-with-clang.patch
+samples-bpf-fix-unknown-warning-group-build-warning-.patch
+media-uvcvideo-fix-memory-leak-of-object-map-on-erro.patch
+media-uvcvideo-avoid-invalid-memory-access.patch
+media-uvcvideo-avoid-returning-invalid-controls.patch
+media-dib8000-fix-a-memleak-in-dib8000_init.patch
+media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch
+media-si2157-fix-warm-tuner-state-detection.patch
+wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch
+sched-rt-try-to-restart-rt-period-timer-when-rt-runt.patch
+mtd-spi-nor-get-rid-of-nor-page_size.patch
+mtd-spi-nor-fix-mtd-size-for-s3an-flashes.patch
+ath10k-fix-the-mtu-size-on-qca9377-sdio.patch
+ath11k-fix-qmi-file-type-enum-value.patch
+bluetooth-mgmt-use-hci_dev_test_and_-set-clear-_flag.patch
+bluetooth-btusb-handle-download_firmware-failure-cas.patch
+drm-amd-display-fix-bug-in-debugfs-crc_win_update-en.patch
+drm-amd-display-fix-out-of-bounds-access-on-dnc31-st.patch
+drm-msm-gpu-don-t-allow-zero-fence_id.patch
+drm-msm-dp-displayport-driver-need-algorithm-rationa.patch
+rcu-exp-mark-current-cpu-as-exp-qs-in-ipi-loop-secon.patch
+wcn36xx-fix-max-channels-retrieval.patch
+drm-msm-dsi-fix-initialization-in-the-bonded-dsi-cas.patch
+mwifiex-fix-possible-abba-deadlock.patch
+xfrm-fix-a-small-bug-in-xfrm_sa_len.patch
+x86-uaccess-move-variable-into-switch-case-statement.patch
+libbpf-add-bool-skipped-to-struct-bpf_map.patch
+selftests-clone3-clone3-add-case-clone3_args_no_test.patch
+selftests-harness-avoid-false-negatives-if-test-has-.patch
+crypto-stm32-cryp-fix-ctr-counter-carry.patch
+crypto-stm32-cryp-fix-xts-and-race-condition-in-cryp.patch
+crypto-stm32-cryp-check-early-input-data.patch
+crypto-stm32-cryp-fix-double-pm-exit.patch
+crypto-stm32-cryp-fix-lrw-chaining-mode.patch
+crypto-stm32-cryp-fix-bugs-and-crash-in-tests.patch
+crypto-stm32-revert-broken-pm_runtime_resume_and_get.patch
+crypto-hisilicon-qm-fix-incorrect-return-value-of-hi.patch
+libbpf-fix-gen_loader-assumption-on-number-of-progra.patch
+ath11k-fix-deleting-uninitialized-kernel-timer-durin.patch
+spi-fix-incorrect-cs_setup-delay-handling.patch
+kunit-tool-fix-json-output-for-skipped-tests.patch
+arm-dts-gemini-nas4220-b-fis-index-block-with-128-ki.patch
+perf-arm-cmn-fix-cpu-hotplug-unregistration.patch
+media-dw2102-fix-use-after-free.patch
+media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch
+media-coda-imx-vdoa-handle-dma_set_coherent_mask-err.patch
+ath11k-fix-a-null-pointer-dereference-in-ath11k_mac_.patch
+net-dsa-hellcreek-fix-insertion-of-static-fdb-entrie.patch
+net-dsa-hellcreek-add-stp-forwarding-rule.patch
+net-dsa-hellcreek-allow-ptp-p2p-measurements-on-bloc.patch
+net-dsa-hellcreek-add-missing-ptp-via-udp-rules.patch
+arm64-dts-qcom-c630-fix-soundcard-setup.patch
+arm64-dts-qcom-ipq6018-fix-gpio-ranges-property.patch
+drm-msm-dpu-fix-safe-status-debugfs-file.patch
+drm-bridge-ti-sn65dsi86-set-max-register-for-regmap.patch
+gpu-host1x-select-config_dma_shared_buffer.patch
+drm-tegra-gr2d-explicitly-control-module-reset.patch
+drm-tegra-vic-fix-dma-api-misuse.patch
+media-hantro-fix-probe-func-error-path.patch
+xfrm-interface-with-if_id-0-should-return-error.patch
+xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch
+arm-9159-1-decompressor-avoid-unpredictable-nop-enco.patch
+usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch
+arm64-dts-marvell-cn9130-add-gpio-and-spi-aliases.patch
+arm64-dts-marvell-cn9130-enable-cp0-gpio-controllers.patch
+arm-dts-armada-38x-add-generic-compatible-to-uart-no.patch
+mt76-mt7921-drop-offload_flags-overwritten.patch
+mt76-mt7921-fix-mt7921e-reset-failure.patch
+mt76-debugfs-fix-queue-reporting-for-mt76-usb.patch
+mt76-fix-possible-oob-issue-in-mt76_calculate_defaul.patch
+mt76-mt7921-fix-possible-null-pointer-dereference-in.patch
+mt76-mt7921-move-mt76_connac_mcu_set_hif_suspend-to-.patch
+mt76-mt7921s-fix-the-device-cannot-sleep-deeply-in-s.patch
+mt76-mt7921-use-correct-iftype-data-on-6ghz-cap-init.patch
+mt76-mt7921s-fix-possible-kernel-crash-due-to-invali.patch
+mt76-connac-fix-last_chan-configuration-in-mt76_conn.patch
+mt76-mt7921-fix-possible-resume-failure.patch
+mt76-connac-introduce-mcu_ext-macros.patch
+mt76-connac-align-mcu_ext-definitions-with-7915-driv.patch
+mt76-connac-remove-mcu_fw_prefix-bit.patch
+mt76-connac-introduce-mcu_uni_cmd-macro.patch
+mt76-mt7921s-fix-suspend-error-with-enlarging-mcu-ti.patch
+wilc1000-fix-double-free-error-in-probe.patch
+rtw88-add-quirk-to-disable-pci-caps-on-hp-250-g7-not.patch
+rtw88-disable-pcie-aspm-while-doing-napi-poll-on-882.patch
+iwlwifi-mvm-fix-32-bit-build-in-ftm.patch
+iwlwifi-don-t-pass-actual-wgds-revision-number-in-ta.patch
+iwlwifi-mvm-test-roc-running-status-bits-before-remo.patch
+iwlwifi-mvm-perform-6ghz-passive-scan-after-suspend.patch
+iwlwifi-mvm-set-protected-flag-only-for-ndp-ranging.patch
+mmc-meson-mx-sdhc-add-irq-check.patch
+mmc-meson-mx-sdio-add-irq-check.patch
+block-fix-error-unwinding-in-device_add_disk.patch
+selinux-fix-potential-memleak-in-selinux_add_opt.patch
+um-fix-ndelay-udelay-defines.patch
+um-rename-set_signals-to-um_set_signals.patch
+um-virt-pci-fix-32-bit-compile.patch
+lib-logic_iomem-fix-32-bit-build.patch
+lib-logic_iomem-fix-operation-on-32-bit.patch
+um-virtio_uml-fix-time-travel-external-time-propagat.patch
+bluetooth-l2cap-fix-using-wrong-mode.patch
+bpftool-enable-line-buffering-for-stdout.patch
+backlight-qcom-wled-validate-enabled-string-indices-.patch
+backlight-qcom-wled-pass-number-of-elements-to-read-.patch
+backlight-qcom-wled-fix-off-by-one-maximum-with-defa.patch
+backlight-qcom-wled-override-default-length-with-qco.patch
+backlight-qcom-wled-use-cpu_to_le16-macro-to-perform.patch
+backlight-qcom-wled-respect-enabled-strings-in-set_b.patch
+software-node-fix-wrong-node-passed-to-find-nargs_pr.patch
+ath11k-fix-unexpected-return-buffer-manager-error-fo.patch
+mt76-mt7921-fix-a-possible-race-enabling-disabling-r.patch
+bluetooth-hci_qca-stop-ibs-timer-during-bt-off.patch
+x86-boot-compressed-move-clang_flags-to-beginning-of.patch
+crypto-octeontx2-prevent-underflow-in-get_cores_bmap.patch
+block-null_blk-only-set-set-nr_maps-as-3-if-active-p.patch
+regulator-qcom-labibb-ocp-interrupts-are-not-a-failu.patch
+hwmon-mr75203-fix-wrong-power-up-delay-value.patch
+x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch
+io_uring-remove-double-poll-on-poll-update.patch
+bpf-add-missing-map_get_next_key-method-to-bloom-fil.patch
+serial-8250_bcm7271-propagate-error-codes-from-brcmu.patch
+drm-amd-display-fix-dereference-before-null-check.patch
+acpi-scan-create-platform-device-for-bcm4752-and-lnv.patch
+pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch
+pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-11962
+power-reset-mt6397-check-for-null-res-pointer.patch
+net-xfrm-ipsec-tunnel-mode-fix-inner_ipproto-setting.patch
+net-ethernet-mtk_eth_soc-fix-return-values-and-refac.patch
+net-dsa-fix-incorrect-function-pointer-check-for-mrp.patch
+netfilter-ipt_clusterip-fix-refcount-leak-in-cluster.patch
+bpf-arm64-use-emit_addr_mov_i64-for-bpf_pseudo_func.patch
+bpf-sockmap-fix-return-codes-from-tcp_bpf_recvmsg_pa.patch
+bpf-sockmap-fix-double-bpf_prog_put-on-error-case-in.patch
+bpf-don-t-promote-bogus-looking-registers-after-null.patch
+bpf-fix-verifier-support-for-validation-of-async-cal.patch
+bpf-fix-so_rcvbuf-so_sndbuf-handling-in-_bpf_setsock.patch
+libbpf-use-probe_name-for-legacy-kprobe.patch
+netfilter-nft_payload-do-not-update-layer-4-checksum.patch
+netfilter-nft_set_pipapo-allocate-pcpu-scratch-maps-.patch
+net-fix-sof_timestamping_bind_phc-to-work-with-multi.patch
+ppp-ensure-minimum-packet-size-in-ppp_write.patch
+rocker-fix-a-sleeping-in-atomic-bug.patch
+staging-greybus-audio-check-null-pointer.patch
+fsl-fman-check-for-null-pointer-after-calling-devm_i.patch
+bluetooth-hci_bcm-check-for-error-irq.patch
+bluetooth-hci_qca-fix-null-vs-is_err_or_null-check-i.patch
+net-smc-reset-conn-lgr-when-link-group-registration-.patch
+usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch
+usb-dwc2-do-not-gate-off-the-hardware-if-it-does-not.patch
+usb-dwc2-gadget-initialize-max_speed-from-params.patch
+usb-gadget-u_audio-fix-calculations-for-small-binter.patch
+usb-gadget-u_audio-subdevice-0-for-capture-ctls.patch
+hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch
+hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-15288
+hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-31258
+hid-hid-uclogic-params-invalid-parameter-check-in-uc.patch-6488
+debugfs-lockdown-allow-reading-debugfs-files-that-ar.patch
+drivers-firmware-add-missing-platform_device_put-in-.patch
+serial-liteuart-fix-module_alias.patch
+serial-stm32-move-tx-dma-terminate-dma-to-shutdown.patch
+spi-qcom-geni-set-the-error-code-for-gpi-transfer.patch
+spi-qcom-geni-handle-timeout-for-gpi-mode.patch
+x86-sched-fix-undefined-reference-to-init_freq_invar.patch
+net-mlx5e-fix-page-dma-map-unmap-attributes.patch
+net-mlx5e-fix-nullptr-on-deleting-mirroring-rule.patch
+net-mlx5e-fix-wrong-usage-of-fib_info_nh-when-routes.patch
+net-mlx5e-don-t-block-routes-with-nexthop-objects-in.patch
+revert-net-mlx5e-block-offload-of-outer-header-csum-.patch
+revert-net-mlx5e-block-offload-of-outer-header-csum-.patch-11122
+net-mlx5e-fix-matching-on-modified-inner-ip_ecn-bits.patch
+net-mlx5-fix-access-to-sf_dev_table-on-allocation-fa.patch
+net-mlx5e-sync-vxlan-udp-ports-during-uplink-represe.patch
+net-mlx5-set-command-entry-semaphore-up-once-got-ind.patch
+lib-mpi-add-the-return-value-check-of-kcalloc.patch
+bluetooth-l2cap-uninitialized-variables-in-l2cap_soc.patch
+bluetooth-hci_sock-fix-endian-bug-in-hci_sock_setsoc.patch
+mptcp-fix-per-socket-endpoint-accounting.patch
+mptcp-fix-opt-size-when-sending-dss-mp_fail.patch
+mptcp-fix-a-dss-option-writing-error.patch
+mptcp-check-reclaim-amount-before-reducing-allocatio.patch
+spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch
+octeontx2-af-increment-ptp-refcount-before-use.patch
+octeontx2-nicvf-free-vf-ptp-resources.patch
+ax25-uninitialized-variable-in-ax25_setsockopt.patch
+netrom-fix-api-breakage-in-nr_setsockopt.patch
+regmap-call-regmap_debugfs_exit-prior-to-_init.patch
+net-mscc-ocelot-fix-incorrect-balancing-with-down-la.patch
+octeontx2-af-fix-interrupt-name-strings.patch
+can-mcp251xfd-add-missing-newline-to-printed-strings.patch
+tpm-add-request_locality-before-write-tpm_int_enable.patch
+tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch
+can-softing-softing_startstop-fix-set-but-not-used-v.patch
+can-xilinx_can-xcan_probe-check-for-error-irq.patch
+can-rcar_canfd-rcar_canfd_channel_probe-make-sure-we.patch
+pcmcia-fix-setting-of-kthread-task-states.patch
+netfilter-egress-avoid-a-lockdep-splat.patch
+net-openvswitch-fix-ct_state-nat-flags-for-conns-arr.patch
+iwlwifi-mvm-use-div_s64-instead-of-do_div-in-iwl_mvm.patch
+bnxt_en-use-firmware-provided-max-timeout-for-messag.patch
+net-mcs7830-handle-usb-read-errors-properly.patch
+amt-fix-wrong-return-type-of-amt_send_membership_upd.patch
+ext4-avoid-trim-error-on-fs-with-small-groups.patch
+asoc-intel-sof_sdw-fix-jack-detection-on-hp-spectre-.patch
+alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch
+alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch
+alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch
+alsa-hda-fix-potential-deadlock-at-codec-unbinding.patch
+rdma-bnxt_re-scan-the-whole-bitmap-when-checking-if-.patch
+rdma-hns-validate-the-pkey-index.patch
+scsi-pm80xx-update-warn_on-check-in-pm8001_mpi_build.patch
+clk-renesas-rzg2l-check-return-value-of-pm_genpd_ini.patch
+clk-renesas-rzg2l-propagate-return-value-of_genpd_ad.patch
+clk-imx8mn-fix-imx8mn_clko1_sels.patch
+asoc-cs42l42-report-initial-jack-state.patch
+powerpc-prom_init-fix-improper-check-of-prom_getprop.patch
+asoc-uniphier-drop-selecting-non-existing-snd_soc_un.patch
+asoc-codecs-wcd938x-add-snd_soc_wcd938_sdw-to-codec-.patch
+rdma-rtrs-clt-fix-the-initial-value-of-min_latency.patch
+alsa-hda-make-proper-use-of-timecounter.patch
+dt-bindings-thermal-fix-definition-of-cooling-maps-c.patch
+powerpc-perf-fix-pmu-callbacks-to-clear-pending-pmi-.patch
+powerpc-modules-don-t-warn-on-first-module-allocatio.patch
+powerpc-32s-fix-shift-out-of-bounds-in-kasan-init.patch
+clocksource-avoid-accidental-unstable-marking-of-clo.patch
+alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch
+alsa-usb-audio-drop-superfluous-0-in-presonus-studio.patch
+asoc-amd-fix-dependency-for-spi-master.patch
+misc-at25-make-driver-of-independent-again.patch
+char-mwave-adjust-io-port-register-size.patch
+binder-fix-handling-of-error-during-copy.patch
+binder-avoid-potential-data-leakage-when-copying-txn.patch
+openrisc-add-clone3-abi-wrapper.patch
+uio-uio_dmem_genirq-catch-the-exception.patch
+iommu-extend-mutex-lock-scope-in-iommu_probe_device.patch
+iommu-io-pgtable-arm-fix-table-descriptor-paddr-form.patch
+asoc-sof-intel-fix-build-issue-related-to-codec_prob.patch
+scsi-core-fix-scsi_device_max_queue_depth.patch
+scsi-ufs-fix-race-conditions-related-to-driver-data.patch
+rdma-qedr-fix-reporting-max_-send-recv-_wr-attrs.patch
+pci-msi-fix-pci_irq_vector-pci_irq_get_affinity.patch
+powerpc-powermac-add-additional-missing-lockdep_regi.patch
+iommu-arm-smmu-qcom-fix-ttbr0-read.patch
+rdma-core-let-ib_find_gid-continue-search-even-after.patch
+rdma-cma-let-cma_resolve_ib_dev-continue-search-even.patch
+asoc-rt5663-handle-device_property_read_u32_array-er.patch
+of-unittest-fix-warning-on-powerpc-frame-size-warnin.patch
+of-unittest-64-bit-dma-address-test-requires-arch-su.patch
+clk-stm32-fix-ltdc-s-clock-turn-off-by-clk_disable_u.patch
+mips-add-sys_has_cpu_mips64_r5-config-for-mips-relea.patch
+mips-fix-kconfig-reference-to-phys_addr_t_64bit.patch
+dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch
+iommu-amd-restore-ga-log-tail-pointer-on-host-resume.patch
+iommu-amd-x2apic-mode-re-enable-after-resume.patch
+iommu-amd-x2apic-mode-setup-the-intx-registers-on-ma.patch
+iommu-amd-x2apic-mode-mask-unmask-interrupts-on-susp.patch
+iommu-amd-remove-useless-irq-affinity-notifier.patch
+asoc-intel-catpt-test-dmaengine_submit-result-before.patch
+iommu-iova-fix-race-between-fq-timeout-and-teardown.patch
+asoc-mediatek-mt8195-correct-default-value.patch
+counter-104-quad-8-fix-persistent-enabled-events-bug.patch
+of-fdt-aggregate-the-processing-of-linux-usable-memo.patch
+efi-apply-memblock-cap-after-memblock_add.patch
+scsi-block-pm-always-set-request-queue-runtime-activ.patch
+phy-uniphier-usb3ss-fix-unintended-writing-zeros-to-.patch
+asoc-mediatek-check-for-error-clk-pointer.patch
+powerpc-64s-mask-nip-before-checking-against-srr0.patch
+powerpc-64s-use-emit_warn_entry-for-srr-debug-warnin.patch
+phy-cadence-sierra-fix-to-get-correct-parent-for-mux.patch
+iio-chemical-sunrise_co2-set-val-parameter-only-on-s.patch
+asoc-samsung-idma-check-of-ioremap-return-value.patch
+misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch
+asoc-mediatek-mt8195-correct-pcmif-be-dai-control-fl.patch
+arm64-tegra-remove-non-existent-tegra194-reset.patch
+mips-lantiq-add-support-for-clk_set_parent.patch
+mips-bcm63xx-add-support-for-clk_set_parent.patch
+powerpc-xive-add-missing-null-check-after-calling-km.patch
+asoc-fsl_mqs-fix-module_alias.patch
+alsa-hda-cs8409-increase-delay-during-jack-detection.patch
+alsa-hda-cs8409-fix-jack-detection-after-resume.patch
+cxl-core-remove-cxld_const_init-in-cxl_decoder_alloc.patch
+mips-fix-local_-add-sub-_return-on-mips64.patch
+rdma-cxgb4-set-queue-pair-state-when-being-queried.patch
+clk-qcom-gcc-sc7280-mark-gcc_cfg_noc_lpass_clk-alway.patch
+asoc-imx-card-need-special-setting-for-ak4497-on-i.m.patch
+asoc-imx-card-fix-mclk-calculation-issue-for-akcodec.patch
+asoc-imx-card-improve-the-sound-quality-for-low-rate.patch
+asoc-fsl_asrc-refine-the-check-of-available-clock-di.patch
+clk-bm1880-remove-kfrees-on-static-allocations.patch
+of-base-fix-phandle-argument-length-mismatch-error-m.patch
+of-fdt-don-t-worry-about-non-memory-region-overlap-f.patch
+mips-compressed-fix-build-with-zstd-compression.patch
+mailbox-fix-gce_num-of-mt8192-driver-data.patch
+mailbox-imx-fix-an-is_err-vs-null-bug.patch
+mailbox-pcc-avoid-using-the-uninitialized-variable-d.patch
+mailbox-pcc-handle-all-pcc-subtypes-correctly-in-pcc.patch
+arm-dts-omap3-n900-fix-lp5523-for-multi-color.patch
+leds-lp55xx-initialise-output-direction-from-dts.patch
+bluetooth-hci_sock-purge-socket-queues-in-the-destru.patch
+bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch
+bluetooth-fix-memory-leak-of-hci-device.patch
+drm-panel-delete-panel-on-mipi_dsi_attach-failure.patch
+bluetooth-fix-removing-adv-when-processing-cmd-compl.patch
+drm-sched-avoid-lockdep-spalt-on-killing-a-processes.patch
+fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch
+libbpf-detect-corrupted-elf-symbols-section.patch
+libbpf-improve-sanity-checking-during-btf-fix-up.patch
+libbpf-validate-that-.btf-and-.btf.ext-sections-cont.patch
+drm-lima-fix-warning-when-config_debug_sg-y-config_d.patch
+selftests-bpf-fix-memory-leaks-in-btf_type_c_dump-he.patch
+selftests-bpf-destroy-xdp-link-correctly.patch
+selftests-bpf-fix-bpf_object-leak-in-skb_ctx-selftes.patch
+ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch
+drm-bridge-dw-hdmi-handle-eld-when-drm_bridge_attach.patch
+drm-nouveau-pmu-gm200-avoid-touching-pmu-outside-of-.patch
+media-atomisp-fix-try_fmt-logic.patch
+media-atomisp-set-per-device-s-default-mode.patch
+media-atomisp-ov2680-fix-ov2680_set_fmt-clobbering-t.patch
+media-atomisp-check-before-deference-asd-variable.patch
+arm-shmobile-rcar-gen2-add-missing-of_node_put.patch
+ath11k-enable-ieee80211_vht_ext_nss_bw_capable-if-ns.patch
+batman-adv-allow-netlink-usage-in-unprivileged-conta.patch
+bpf-change-value-of-max_tail_call_cnt-from-32-to-33.patch
+media-atomisp-handle-errors-at-sh_css_create_isp_par.patch
+ath11k-fix-crash-caused-by-uninitialized-tx-ring.patch
+usb-dwc3-meson-g12a-fix-shared-reset-control-use.patch
+usb-ehci_brcm_hub_control-improve-port-index-sanitiz.patch
+usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch
+psi-fix-psi_mem_full-state-when-tasks-are-in-memstal.patch
+drm-panel-orientation-quirks-add-quirk-for-the-lenov.patch
+hid-magicmouse-report-battery-level-over-usb.patch
+hid-apple-do-not-reset-quirks-when-the-fn-key-is-not.patch
+media-b2c2-add-missing-check-in-flexcop_pci_isr.patch
+libbpf-accommodate-dwarf-compiler-bug-with-duplicate.patch
+ethernet-renesas-use-div64_ul-instead-of-do_div.patch
+edac-synopsys-use-the-quirk-for-version-instead-of-d.patch
+arm64-dts-qcom-sm-68-350-use-interrupts-extended-wit.patch
+arm64-dts-qcom-sm8350-shorten-camera-thermal-bottom-.patch
+soc-imx-gpcv2-synchronously-suspend-mix-domains.patch
+arm-imx-rename-debug_imx21_imx27_uart-to-debug_imx27.patch
+ath11k-fix-mon-status-ring-rx-tlv-processing.patch
+drm-amd-display-check-top_pipe_to_program-pointer.patch
+drm-amdgpu-display-set-vblank_disable_immediate-for-.patch
+soc-ti-pruss-fix-referenced-node-in-error-message.patch
+mlxsw-pci-add-shutdown-method-in-pci-driver.patch
+drm-amd-display-add-else-to-avoid-double-destroy-clk.patch
+drm-bridge-megachips-ensure-both-bridges-are-probed-.patch
+mxser-keep-only-tty-test-in-isr.patch
+mxser-don-t-throttle-manually.patch
+mxser-increase-buf_overrun-if-tty_insert_flip_char-f.patch
+serial-8250_dw-add-starfive-jh7100-quirk.patch
+tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch
+gpiolib-acpi-do-not-set-the-irq-type-if-the-irq-is-a.patch
+hsi-core-fix-return-freed-object-in-hsi_new_client.patch
+crypto-jitter-consider-32-lsb-for-apt.patch
+rtw89-fix-potentially-access-out-of-range-of-rf-regi.patch
+mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch
+rsi-fix-use-after-free-in-rsi_rx_done_handler.patch
+rsi-fix-out-of-bounds-read-in-rsi_read_pkt.patch
+ath11k-avoid-null-ptr-access-during-mgmt-tx-cleanup.patch
+media-venus-avoid-calling-core_clk_setrate-concurren.patch
+regulator-da9121-prevent-current-limit-change-when-e.patch
+drm-vmwgfx-release-ttm-memory-if-probe-fails.patch
+drm-vmwgfx-introduce-a-new-placement-for-mob-page-ta.patch
+acpi-x86-drop-pwm2-device-on-lenovo-yoga-book-from-a.patch
+acpi-change-acpi_device_always_present-into-acpi_dev.patch
+acpi-x86-allow-specifying-acpi_device_override_statu.patch
+acpi-x86-add-not-present-quirk-for-the-pci0.sdhb.brc.patch
+drm-return-error-codes-from-struct-drm_driver.gem_cr.patch
+drm-amd-display-use-oriented-source-size-when-checki.patch
+arm64-dts-ti-j7200-main-fix-dtbs_check-serdes_ln_ctr.patch
+arm64-dts-ti-j721e-main-fix-dtbs_check-in-serdes_ln_.patch
+usb-uhci-add-aspeed-ast2600-uhci-support.patch
+floppy-add-max-size-check-for-user-space-request.patch
+x86-mm-flush-global-tlb-when-switching-to-trampoline.patch
+drm-rcar-du-fix-crtc-timings-when-cmm-is-used.patch
+media-uvcvideo-increase-uvc_ctrl_control_timeout-to-.patch
+media-rcar-vin-update-format-alignment-constraints.patch
+media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch
+media-atomisp-fix-variable-dereferenced-before-check.patch
+media-m920x-don-t-use-stack-on-usb-reads.patch
+thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch
+arm64-dts-renesas-fix-thermal-bindings.patch
+iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch
+iwlwifi-mvm-avoid-clearing-a-just-saved-session-prot.patch
+iwlwifi-acpi-fix-wgds-rev-3-size.patch
+rcutorture-avoid-soft-lockup-during-cpu-stall.patch
+ath11k-avoid-deadlock-by-change-ieee80211_queue_work.patch
+ath10k-fix-tx-hanging.patch
+rtw89-don-t-kick-off-tx-dma-if-failed-to-write-skb.patch
+net-sysfs-update-the-queue-counts-in-the-unregistrat.patch
+ath10k-drop-beacon-and-probe-response-which-leak-fro.patch
+net-phy-prefer-1000baset-over-1000basekx.patch
+gpio-aspeed-convert-aspeed_gpio.lock-to-raw_spinlock.patch
+gpio-aspeed-sgpio-convert-aspeed_sgpio.lock-to-raw_s.patch
+selftests-ftrace-make-kprobe-profile-testcase-descri.patch
+arm64-dts-rockchip-fix-bluetooth-on-rock-pi-4-boards.patch
+ath11k-avoid-false-deadlock-warning-reported-by-lock.patch
+arm-dts-qcom-sdx55-fix-ipa-interconnect-definitions.patch
+x86-mce-allow-instrumentation-during-task-work-queue.patch
+x86-mce-prevent-severity-computation-from-being-inst.patch
+x86-mce-mark-mce_panic-noinstr.patch
+x86-mce-mark-mce_end-noinstr.patch
+x86-mce-mark-mce_read_aux-noinstr.patch
+net-bonding-debug-avoid-printing-debug-logs-when-bon.patch
+kunit-don-t-crash-if-no-parameters-are-generated.patch
+bpf-do-not-warn-in-bpf_warn_invalid_xdp_action.patch
+drm-amdkfd-fix-error-handling-in-svm_range_add.patch
+drm-amdgpu-fix-amdgpu_ras_mca_query_error_status-sco.patch
+hid-quirks-allow-inverting-the-absolute-x-y-values.patch
+hid-i2c-hid-of-expose-the-touchscreen-inverted-prope.patch
+media-igorplugusb-receiver-overflow-should-be-report.patch
+media-rockchip-rkisp1-use-device-name-for-debugfs-su.patch
+media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch
+mmc-tmio-reinit-card-irqs-in-reset-routine.patch
+mmc-core-fixup-storing-of-ocr-for-mmc_quirk_nonstd_s.patch
+mmc-omap_hsmmc-revert-special-init-for-wl1251.patch
+drm-amd-amdgpu-fix-psp-tmr-bo-pin-count-leak-in-srio.patch
+drm-amd-amdgpu-fix-gmc-bo-pin-count-leak-in-sriov.patch
+audit-ensure-userspace-is-penalized-the-same-as-the-.patch
+arm64-dts-ls1028a-qds-move-rtc-node-to-the-correct-i.patch
+arm64-tegra-adjust-length-of-ccplex-cluster-mmio-reg.patch
+crypto-ccp-move-sev_init-retry-for-corrupted-data.patch
+crypto-hisilicon-hpre-fix-memory-leak-in-hpre_curve2.patch
+crypto-hisilicon-qm-fix-deadlock-for-remove-driver.patch
+pm-runtime-add-safety-net-to-supplier-device-release.patch
+cpufreq-fix-initialization-of-min-and-max-frequency-.patch
+usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch
+mt76-mt7615-fix-possible-deadlock-while-mt7615_regis.patch
+mt76-mt7915-fix-smps-operation-fail.patch
+mt76-connac-fix-a-theoretical-null-pointer-dereferen.patch
+mt76-do-not-pass-the-received-frame-with-decryption-.patch
+mt76-mt7615-improve-wmm-index-allocation.patch
+mt76-mt7921-fix-network-buffer-leak-by-txs-missing.patch
+ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch
+ath9k_htc-fix-null-pointer-dereference-at-ath9k_htc_.patch-21350
+ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch
+rtw88-8822c-update-rx-settings-to-prevent-potential-.patch
+pm-avs-qcom-cpr-use-div64_ul-instead-of-do_div.patch
+iwlwifi-recognize-missing-pnvm-data-and-then-log-fil.patch
+iwlwifi-fix-leaks-bad-data-after-failed-firmware-loa.patch
+iwlwifi-remove-module-loading-failure-message.patch
+iwlwifi-mvm-fix-calculation-of-frame-length.patch
+iwlwifi-mvm-fix-aux-roc-removal.patch
+iwlwifi-pcie-make-sure-prph_info-is-set-when-treatin.patch
+mmc-sdhci-pci-gli-gl9755-support-for-cd-wp-inversion.patch
+block-check-minor-range-in-device_add_disk.patch
+um-registers-rename-function-names-to-avoid-conflict.patch
+ath11k-fix-napi-related-hang.patch
+bluetooth-btintel-add-missing-quirks-and-msft-ext-fo.patch
+cpufreq-intel_pstate-update-cpuinfo.max_freq-on-hwp_.patch
+bluetooth-vhci-set-hci_quirk_valid_le_states.patch
+xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch
+drm-etnaviv-consider-completed-fence-seqno-in-hang-c.patch
+jffs2-gc-deadlock-reading-a-page-that-is-used-in-jff.patch
+acpica-actypes.h-expand-the-acpi_access_-definitions.patch
+acpica-utilities-avoid-deleting-the-same-object-twic.patch
+acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch
+acpica-fix-wrong-interpretation-of-pcc-address.patch
+acpica-hardware-do-not-flush-cpu-cache-when-entering.patch
+mmc-mtk-sd-use-readl_poll_timeout-instead-of-open-co.patch
+drm-amdgpu-don-t-inherit-gem-object-vmas-in-child-pr.patch
+drm-amdgpu-fixup-bad-vram-size-on-gmc-v8.patch
+mfd-intel_soc_pmic-use-cpu-id-check-instead-of-_hrv-.patch
+amdgpu-pm-make-sysfs-pm-attributes-as-read-only-for-.patch
+acpi-battery-add-the-thinkpad-not-charging-quirk.patch
+acpi-cppc-check-present-cpus-for-determining-_cpc-is.patch
+net-mlx5-dr-fix-error-flow-in-creating-matcher.patch
+btrfs-remove-bug_on-in-find_parent_nodes.patch
+btrfs-remove-bug_on-eie-in-find_parent_nodes.patch
+net-mdio-demote-probed-message-to-debug-print.patch
+mac80211-allow-non-standard-vht-mcs-10-11.patch
+dm-btree-add-a-defensive-bounds-check-to-insert_at.patch
+dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch
+can-do-not-increase-rx-statistics-when-generating-a-.patch
+bpf-selftests-fix-namespace-mount-setup-in-tc_redire.patch
+mlxsw-pci-avoid-flow-control-for-emad-packets.patch
+net-phy-marvell-configure-rgmii-delays-for-88e1118.patch
+net-gemini-allow-any-rgmii-interface-mode.patch
+regulator-qcom_smd-align-probe-function-with-rpmh-re.patch
+serial-pl010-drop-cr-register-reset-on-set_termios.patch
+serial-pl011-drop-cr-register-reset-on-set_termios.patch
+serial-core-keep-mctrl-register-state-and-cached-cop.patch
+random-do-not-throw-away-excess-input-to-crng_fast_l.patch
+net-mlx5-update-log_max_qp-value-to-fw-max-capabilit.patch
+net-mlx5e-unblock-setting-vid-0-for-vf-in-case-pf-is.patch
+parisc-avoid-calling-faulthandler_disabled-twice.patch
+scripts-sphinx-pre-install-fix-ctex-support-on-debia.patch
+can-flexcan-allow-to-change-quirks-at-runtime.patch
+can-flexcan-rename-rx-modes.patch
+can-flexcan-add-more-quirks-to-describe-rx-path-capa.patch
+x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch
+clk-samsung-exynos850-register-clocks-early.patch
+powerpc-6xx-add-missing-of_node_put.patch
+powerpc-powernv-add-missing-of_node_put.patch
+powerpc-cell-add-missing-of_node_put.patch
+powerpc-btext-add-missing-of_node_put.patch
+powerpc-watchdog-fix-missed-watchdog-reset-due-to-me.patch
+asoc-imx-hdmi-add-put_device-after-of_find_device_by.patch
+i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch
+powerpc-smp-move-setup_profiling_timer-under-config_.patch
+i2c-mpc-correct-i2c-reset-procedure.patch
+clk-meson-gxbb-fix-the-sdm_en-bit-for-mpll0-on-gxbb.patch
+powerpc-powermac-add-missing-lockdep_register_key.patch
+kvm-ppc-book3s-suppress-warnings-when-allocating-too.patch
+kvm-ppc-book3s-suppress-failed-alloc-warning-in-h_co.patch
+w1-misuse-of-get_user-put_user-reported-by-sparse.patch
+nvmem-core-set-size-for-sysfs-bin-file.patch
+dm-fix-alloc_dax-error-handling-in-alloc_dev.patch
+dm-make-the-dax-support-depend-on-config_fs_dax.patch
+asoc-test-component-fix-null-pointer-dereference.patch
+interconnect-qcom-rpm-prevent-integer-overflow-in-ra.patch
+scsi-ufs-fix-a-kernel-crash-during-shutdown.patch
+scsi-lpfc-fix-leaked-lpfc_dmabuf-mbox-allocations-wi.patch
+scsi-lpfc-trigger-sli4-firmware-dump-before-doing-dr.patch
+alsa-seq-set-upper-limit-of-processed-events.patch
+mips-loongson64-use-three-arguments-for-slti.patch
+powerpc-40x-map-32mbytes-of-memory-at-startup.patch
+selftests-powerpc-spectre_v2-return-skip-code-when-m.patch
+powerpc-handle-kdump-appropriately-with-crash_kexec_.patch
+powerpc-fadump-fix-inaccurate-cpu-state-info-in-vmco.patch
+asoc-sof-intel-hda-add-quirks-for-hdaudio-dma-positi.patch
+udf-fix-error-handling-in-udf_new_inode.patch
+mips-octeon-add-put_device-after-of_find_device_by_n.patch
+irqchip-gic-v4-disable-redistributors-view-of-the-vp.patch
+i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch
+scsi-hisi_sas-prevent-parallel-flr-and-controller-re.patch
+asoc-sof-ipc-add-null-pointer-check-for-substream-ru.patch
+selftests-powerpc-add-a-test-of-sigreturning-to-the-.patch
+mips-octeon-fix-build-errors-using-clang.patch
+scsi-sr-don-t-use-gfp_dma.patch
+scsi-mpi3mr-fixes-around-reply-request-queues.patch
+asoc-mediatek-mt8192-mt6359-fix-device_node-leak.patch
+phy-phy-mtk-tphy-add-support-efuse-setting.patch
+asoc-mediatek-mt8173-fix-device_node-leak.patch
+asoc-mediatek-mt8183-fix-device_node-leak.patch
+habanalabs-change-wait-for-interrupt-timeout-to-64-b.patch
+habanalabs-skip-read-fw-errors-if-dynamic-descriptor.patch
+phy-mediatek-fix-missing-check-in-mtk_mipi_tx_probe.patch
+mailbox-change-mailbox-mpfs-compatible-string.patch
+signal-in-get_signal-test-for-signal_group_exit-ever.patch
+pci-mediatek-gen3-disable-dvfsrc-voltage-request.patch
+pci-qcom-fix-an-error-handling-path-in-qcom_pcie_pro.patch
+pci-rcar-check-if-device-is-runtime-suspended-instea.patch
+pci-dwc-do-not-remap-invalid-res.patch
+pci-aardvark-fix-checking-for-mem-resource-type.patch
+pci-apple-fix-refclk1-enable-poll-logic.patch
+kvm-vmx-don-t-unblock-vcpu-w-posted-irq-if-irqs-are-.patch
+kvm-s390-ensure-kvm_arch_no_poll-is-read-once-when-b.patch
+kvm-vmx-read-posted-interrupt-control-exactly-once-p.patch
+kvm-x86-ensure-that-dirty-pdptrs-are-loaded.patch
+kvm-x86-handle-32-bit-wrap-of-eip-for-emultype_skip-.patch
+kvm-x86-exit-to-userspace-if-emulation-prepared-a-co.patch
+i3c-fix-incorrect-address-slot-lookup-on-64-bit.patch
+i3c-master-mipi-i3c-hci-fix-a-potentially-infinite-l.patch
+tracing-do-not-let-synth_events-block-other-dyn_even.patch
+input-ti_am335x_tsc-set-adcrefm-for-x-configuration.patch
+input-ti_am335x_tsc-fix-stepconfig-setup-for-z2.patch
+pci-mvebu-check-for-errors-from-pci_bridge_emul_init.patch
+pci-mvebu-do-not-modify-pci-io-type-bits-in-conf_wri.patch
+pci-mvebu-fix-support-for-bus-mastering-and-pci_comm.patch
+pci-mvebu-fix-configuring-secondary-bus-of-pcie-root.patch
+pci-mvebu-setup-pcie-controller-to-root-complex-mode.patch
+pci-mvebu-fix-support-for-pci_bridge_ctl_bus_reset-o.patch
+pci-mvebu-fix-support-for-pci_exp_devctl-on-emulated.patch
+pci-mvebu-fix-support-for-pci_exp_rtsta-on-emulated-.patch
+pci-mvebu-fix-support-for-devcap2-devctl2-and-lnkctl.patch
+kvm-risc-v-avoid-spurious-virtual-interrupts-after-c.patch
+nfsd-fix-verifier-returned-in-stable-writes.patch
+revert-nfsd-skip-some-unnecessary-stats-in-the-v4-ca.patch
+nfsd-fix-crash-on-copy_notify-with-special-stateid.patch
+x86-hyperv-properly-deal-with-empty-cpumasks-in-hype.patch
+drm-i915-pxp-hold-rpm-wakelock-during-pxp-unbind.patch
+drm-i915-don-t-call-free_mmap_offset-when-purging.patch
+sunrpc-fix-sockaddr-handling-in-the-svc_xprt_create_.patch
+sunrpc-fix-sockaddr-handling-in-svcsock_accept_class.patch
+drm-sun4i-dw-hdmi-fix-missing-put_device-call-in-sun.patch
+drm-atomic-check-new_crtc_state-active-to-determine-.patch
+ntb_hw_switchtec-fix-pff-ioread-to-read-into-mmio_pa.patch
+ntb_hw_switchtec-fix-bug-with-more-than-32-partition.patch
+drm-amd-display-invalid-parameter-check-in-dmub_hpd_.patch
+drm-amdkfd-check-for-null-pointer-after-calling-kmem.patch
+drm-amdgpu-use-spin_lock_irqsave-to-avoid-deadlock-b.patch
+pci-mt7621-add-missing-module_license.patch
+i3c-master-dw-check-return-of-dw_i3c_master_get_free.patch
+dma-buf-cma_heap-fix-mutex-locking-section.patch
+tracing-uprobes-check-the-return-value-of-kstrdup-fo.patch
+tracing-probes-check-the-return-value-of-kstrndup-fo.patch
+mm-defer-kmemleak-object-creation-of-module_alloc.patch
+kasan-fix-quarantine-conflicting-with-init_on_free.patch
+selftests-vm-make-charge_reserved_hugetlb.sh-work-wi.patch
+mm-page_isolation-unset-migratetype-directly-for-non.patch
+hugetlbfs-fix-off-by-one-error-in-hugetlb_vmdelete_l.patch
diff --git a/queue-5.16/signal-in-get_signal-test-for-signal_group_exit-ever.patch b/queue-5.16/signal-in-get_signal-test-for-signal_group_exit-ever.patch
new file mode 100644 (file)
index 0000000..9ec3eb4
--- /dev/null
@@ -0,0 +1,72 @@
+From 941dda7bced6d631ef5286e2a82795eede94fb75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 11:55:57 -0600
+Subject: signal: In get_signal test for signal_group_exit every time through
+ the loop
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+[ Upstream commit e7f7c99ba911f56bc338845c1cd72954ba591707 ]
+
+Recently while investigating a problem with rr and signals I noticed
+that siglock is dropped in ptrace_signal and get_signal does not jump
+to relock.
+
+Looking farther to see if the problem is anywhere else I see that
+do_signal_stop also returns if signal_group_exit is true.  I believe
+that test can now never be true, but it is a bit hard to trace
+through and be certain.
+
+Testing signal_group_exit is not expensive, so move the test for
+signal_group_exit into the for loop inside of get_signal to ensure
+the test is never skipped improperly.
+
+This has been a potential problem since I added the test for
+signal_group_exit was added.
+
+Fixes: 35634ffa1751 ("signal: Always notice exiting tasks")
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lkml.kernel.org/r/875yssekcd.fsf_-_@email.froward.int.ebiederm.org
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/signal.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index dfcee3888b00e..cf97b9c4d665a 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2684,19 +2684,19 @@ relock:
+               goto relock;
+       }
+-      /* Has this task already been marked for death? */
+-      if (signal_group_exit(signal)) {
+-              ksig->info.si_signo = signr = SIGKILL;
+-              sigdelset(&current->pending.signal, SIGKILL);
+-              trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
+-                              &sighand->action[SIGKILL - 1]);
+-              recalc_sigpending();
+-              goto fatal;
+-      }
+-
+       for (;;) {
+               struct k_sigaction *ka;
++              /* Has this task already been marked for death? */
++              if (signal_group_exit(signal)) {
++                      ksig->info.si_signo = signr = SIGKILL;
++                      sigdelset(&current->pending.signal, SIGKILL);
++                      trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
++                              &sighand->action[SIGKILL - 1]);
++                      recalc_sigpending();
++                      goto fatal;
++              }
++
+               if (unlikely(current->jobctl & JOBCTL_STOP_PENDING) &&
+                   do_signal_stop(0))
+                       goto relock;
+-- 
+2.34.1
+
diff --git a/queue-5.16/soc-imx-gpcv2-keep-i.mx8mm-vpu-h1-bus-clock-active.patch b/queue-5.16/soc-imx-gpcv2-keep-i.mx8mm-vpu-h1-bus-clock-active.patch
new file mode 100644 (file)
index 0000000..16d05ad
--- /dev/null
@@ -0,0 +1,36 @@
+From d16dfcc47e09e942ffb62d19f21a553bd66f18ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Nov 2021 13:39:16 -0600
+Subject: soc: imx: gpcv2: keep i.MX8MM VPU-H1 bus clock active
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 8361b8b29f9389084b679db854cf733375c64763 ]
+
+Enable the vpu-h1 clock when the domain is active because reading
+or writing to the VPU-H1 IP block cause the system to hang.
+
+Fixes: 656ade7aa42a ("soc: imx: gpcv2: keep i.MX8M* bus clocks enabled")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/imx/gpcv2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/imx/gpcv2.c b/drivers/soc/imx/gpcv2.c
+index b8d52d8d29dbb..7b6dfa33dcb9f 100644
+--- a/drivers/soc/imx/gpcv2.c
++++ b/drivers/soc/imx/gpcv2.c
+@@ -734,6 +734,7 @@ static const struct imx_pgc_domain imx8mm_pgc_domains[] = {
+                       .map = IMX8MM_VPUH1_A53_DOMAIN,
+               },
+               .pgc   = BIT(IMX8MM_PGC_VPUH1),
++              .keep_clocks = true,
+       },
+       [IMX8MM_POWER_DOMAIN_DISPMIX] = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/soc-imx-gpcv2-synchronously-suspend-mix-domains.patch b/queue-5.16/soc-imx-gpcv2-synchronously-suspend-mix-domains.patch
new file mode 100644 (file)
index 0000000..3a6937f
--- /dev/null
@@ -0,0 +1,45 @@
+From 2ad2a2a5d7222503c759b0c45828f8d473468f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Oct 2021 23:05:47 +0200
+Subject: soc: imx: gpcv2: Synchronously suspend MIX domains
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit f756f435f7dd823f2d4bd593ce1bf3168def1308 ]
+
+In case the following power domain sequence happens, iMX8M Mini always hangs:
+  gpumix:on -> gpu:on -> gpu:off -> gpu:on
+This is likely due to another quirk of the GPC block. This situation can be
+prevented by always synchronously powering off both the domain and MIX domain.
+Make it so. This turns the aforementioned sequence into:
+  gpumix:on -> gpu:on -> gpu:off -> gpumix:off -> gpumix:on -> gpu:on
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Frieder Schrempf <frieder.schrempf@kontron.de>
+Cc: Lucas Stach <l.stach@pengutronix.de>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: Peng Fan <peng.fan@nxp.com>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Acked-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/imx/gpcv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/imx/gpcv2.c b/drivers/soc/imx/gpcv2.c
+index 7b6dfa33dcb9f..8176380b02e6e 100644
+--- a/drivers/soc/imx/gpcv2.c
++++ b/drivers/soc/imx/gpcv2.c
+@@ -377,7 +377,7 @@ static int imx_pgc_power_down(struct generic_pm_domain *genpd)
+               }
+       }
+-      pm_runtime_put(domain->dev);
++      pm_runtime_put_sync_suspend(domain->dev);
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/soc-ti-pruss-fix-referenced-node-in-error-message.patch b/queue-5.16/soc-ti-pruss-fix-referenced-node-in-error-message.patch
new file mode 100644 (file)
index 0000000..2d735b0
--- /dev/null
@@ -0,0 +1,36 @@
+From c7f9e428078a540fa760c6a7f645bc0095365cd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 20:08:28 +0200
+Subject: soc: ti: pruss: fix referenced node in error message
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+[ Upstream commit 8aa35e0bb5eaa42bac415ad0847985daa7b4890c ]
+
+So far, "(null)" is reported for the node that is missing clocks.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Acked-by: Suman Anna <s-anna@ti.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Link: https://lore.kernel.org/r/d6e24953-ea89-fd1c-6e16-7a0142118054@siemens.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/pruss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/ti/pruss.c b/drivers/soc/ti/pruss.c
+index 49da387d77494..b36779309e49b 100644
+--- a/drivers/soc/ti/pruss.c
++++ b/drivers/soc/ti/pruss.c
+@@ -129,7 +129,7 @@ static int pruss_clk_init(struct pruss *pruss, struct device_node *cfg_node)
+       clks_np = of_get_child_by_name(cfg_node, "clocks");
+       if (!clks_np) {
+-              dev_err(dev, "%pOF is missing its 'clocks' node\n", clks_np);
++              dev_err(dev, "%pOF is missing its 'clocks' node\n", cfg_node);
+               return -ENODEV;
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch b/queue-5.16/software-node-fix-wrong-node-passed-to-find-nargs_pr.patch
new file mode 100644 (file)
index 0000000..4227fe2
--- /dev/null
@@ -0,0 +1,43 @@
+From e86b07fa5322674b22ea592f38d23ea6d9df3431 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 22:05:33 +0100
+Subject: software node: fix wrong node passed to find nargs_prop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <clement.leger@bootlin.com>
+
+[ Upstream commit c5fc5ba8b6b7bebc05e45036a33405b4c5036c2f ]
+
+nargs_prop refers to a property located in the reference that is found
+within the nargs property. Use the correct reference node in call to
+property_entry_read_int_array() to retrieve the correct nargs value.
+
+Fixes: b06184acf751 ("software node: Add software_node_get_reference_args()")
+Signed-off-by: Clément Léger <clement.leger@bootlin.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Daniel Scally <djrscally@gmail.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/swnode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
+index 4debcea4fb12d..0a482212c7e8e 100644
+--- a/drivers/base/swnode.c
++++ b/drivers/base/swnode.c
+@@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
+               return -ENOENT;
+       if (nargs_prop) {
+-              error = property_entry_read_int_array(swnode->node->properties,
++              error = property_entry_read_int_array(ref->node->properties,
+                                                     nargs_prop, sizeof(u32),
+                                                     &nargs_prop_val, 1);
+               if (error)
+-- 
+2.34.1
+
diff --git a/queue-5.16/spi-fix-incorrect-cs_setup-delay-handling.patch b/queue-5.16/spi-fix-incorrect-cs_setup-delay-handling.patch
new file mode 100644 (file)
index 0000000..a809aca
--- /dev/null
@@ -0,0 +1,67 @@
+From df1034c3647afb29a5b2e9d37fba5e59003000cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Dec 2021 02:05:34 +0900
+Subject: spi: Fix incorrect cs_setup delay handling
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 95c07247399536f83b89dc60cfe7b279d17e69f6 ]
+
+Move the cs_setup delay to the end of spi_set_cs.
+
+From include/linux/spi/spi.h:
+
+ * @cs_setup: delay to be introduced by the controller after CS is
+   asserted
+
+The cs_setup delay needs to happen *after* CS is asserted, that is, at
+the end of spi_set_cs, not at the beginning. Otherwise we're just
+delaying before the SPI transaction starts at all, which isn't very
+useful.
+
+No drivers use this right now, but that is likely to change soon with an
+upcoming Apple SPI HID transport driver.
+
+Fixes: 25093bdeb6bc ("spi: implement SW control for CS times")
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20211210170534.177139-1-marcan@marcan.st
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index fdd530b150a7a..8ba87b7f8f1a8 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -947,12 +947,9 @@ static void spi_set_cs(struct spi_device *spi, bool enable, bool force)
+       spi->controller->last_cs_enable = enable;
+       spi->controller->last_cs_mode_high = spi->mode & SPI_CS_HIGH;
+-      if (spi->cs_gpiod || gpio_is_valid(spi->cs_gpio) ||
+-          !spi->controller->set_cs_timing) {
+-              if (activate)
+-                      spi_delay_exec(&spi->cs_setup, NULL);
+-              else
+-                      spi_delay_exec(&spi->cs_hold, NULL);
++      if ((spi->cs_gpiod || gpio_is_valid(spi->cs_gpio) ||
++          !spi->controller->set_cs_timing) && !activate) {
++              spi_delay_exec(&spi->cs_hold, NULL);
+       }
+       if (spi->mode & SPI_CS_HIGH)
+@@ -994,7 +991,9 @@ static void spi_set_cs(struct spi_device *spi, bool enable, bool force)
+       if (spi->cs_gpiod || gpio_is_valid(spi->cs_gpio) ||
+           !spi->controller->set_cs_timing) {
+-              if (!activate)
++              if (activate)
++                      spi_delay_exec(&spi->cs_setup, NULL);
++              else
+                       spi_delay_exec(&spi->cs_inactive, NULL);
+       }
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/spi-hisi-kunpeng-fix-the-debugfs-directory-name-inco.patch b/queue-5.16/spi-hisi-kunpeng-fix-the-debugfs-directory-name-inco.patch
new file mode 100644 (file)
index 0000000..3f1d098
--- /dev/null
@@ -0,0 +1,84 @@
+From c91165219f65db43434d930cb556dff7b3059507 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 09:21:19 +0800
+Subject: spi: hisi-kunpeng: Fix the debugfs directory name incorrect
+
+From: oujiefeng <oujiefeng@huawei.com>
+
+[ Upstream commit 40fafc8eca3f0d41b9dade5c10afb2dad723aad7 ]
+
+Change the debugfs directory name from hisi_spi65535 to hisi_spi0.
+
+Fixes: 2b2142f247eb ("spi: hisi-kunpeng: Add debugfs support")
+Signed-off-by: oujiefeng <oujiefeng@huawei.com>
+Signed-off-by: Jay Fang <f.fangjian@huawei.com>
+Link: https://lore.kernel.org/r/20211117012119.55558-1-f.fangjian@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-hisi-kunpeng.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi-hisi-kunpeng.c b/drivers/spi/spi-hisi-kunpeng.c
+index 58b823a16fc4d..525cc0143a305 100644
+--- a/drivers/spi/spi-hisi-kunpeng.c
++++ b/drivers/spi/spi-hisi-kunpeng.c
+@@ -127,7 +127,6 @@ struct hisi_spi {
+       void __iomem            *regs;
+       int                     irq;
+       u32                     fifo_len; /* depth of the FIFO buffer */
+-      u16                     bus_num;
+       /* Current message transfer state info */
+       const void              *tx;
+@@ -165,7 +164,10 @@ static int hisi_spi_debugfs_init(struct hisi_spi *hs)
+ {
+       char name[32];
+-      snprintf(name, 32, "hisi_spi%d", hs->bus_num);
++      struct spi_controller *master;
++
++      master = container_of(hs->dev, struct spi_controller, dev);
++      snprintf(name, 32, "hisi_spi%d", master->bus_num);
+       hs->debugfs = debugfs_create_dir(name, NULL);
+       if (!hs->debugfs)
+               return -ENOMEM;
+@@ -467,7 +469,6 @@ static int hisi_spi_probe(struct platform_device *pdev)
+       hs = spi_controller_get_devdata(master);
+       hs->dev = dev;
+       hs->irq = irq;
+-      hs->bus_num = pdev->id;
+       hs->regs = devm_platform_ioremap_resource(pdev, 0);
+       if (IS_ERR(hs->regs))
+@@ -490,7 +491,7 @@ static int hisi_spi_probe(struct platform_device *pdev)
+       master->use_gpio_descriptors = true;
+       master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LOOP;
+       master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
+-      master->bus_num = hs->bus_num;
++      master->bus_num = pdev->id;
+       master->setup = hisi_spi_setup;
+       master->cleanup = hisi_spi_cleanup;
+       master->transfer_one = hisi_spi_transfer_one;
+@@ -506,15 +507,15 @@ static int hisi_spi_probe(struct platform_device *pdev)
+               return ret;
+       }
+-      if (hisi_spi_debugfs_init(hs))
+-              dev_info(dev, "failed to create debugfs dir\n");
+-
+       ret = spi_register_controller(master);
+       if (ret) {
+               dev_err(dev, "failed to register spi master, ret=%d\n", ret);
+               return ret;
+       }
++      if (hisi_spi_debugfs_init(hs))
++              dev_info(dev, "failed to create debugfs dir\n");
++
+       dev_info(dev, "hw version:0x%x max-freq:%u kHz\n",
+               readl(hs->regs + HISI_SPI_VERSION),
+               master->max_speed_hz / 1000);
+-- 
+2.34.1
+
diff --git a/queue-5.16/spi-qcom-geni-handle-timeout-for-gpi-mode.patch b/queue-5.16/spi-qcom-geni-handle-timeout-for-gpi-mode.patch
new file mode 100644 (file)
index 0000000..f752551
--- /dev/null
@@ -0,0 +1,71 @@
+From 3b61c27dde72e8a02b350b927acd0f59b946ba36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jan 2022 12:41:18 +0530
+Subject: spi: qcom: geni: handle timeout for gpi mode
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit f8039ea55d4ccac2238a247a574f0acb3bc1dc4b ]
+
+We missed adding handle_err for gpi mode, so add a new function
+spi_geni_handle_err() which would call handle_fifo_timeout() or newly
+added handle_gpi_timeout() based on mode
+
+Fixes: b59c122484ec ("spi: spi-geni-qcom: Add support for GPI dma")
+Reported-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Link: https://lore.kernel.org/r/20220103071118.27220-2-vkoul@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-geni-qcom.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
+index 69e71aac85129..079d0cb783ee3 100644
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -168,6 +168,30 @@ static void handle_fifo_timeout(struct spi_master *spi,
+       }
+ }
++static void handle_gpi_timeout(struct spi_master *spi, struct spi_message *msg)
++{
++      struct spi_geni_master *mas = spi_master_get_devdata(spi);
++
++      dmaengine_terminate_sync(mas->tx);
++      dmaengine_terminate_sync(mas->rx);
++}
++
++static void spi_geni_handle_err(struct spi_master *spi, struct spi_message *msg)
++{
++      struct spi_geni_master *mas = spi_master_get_devdata(spi);
++
++      switch (mas->cur_xfer_mode) {
++      case GENI_SE_FIFO:
++              handle_fifo_timeout(spi, msg);
++              break;
++      case GENI_GPI_DMA:
++              handle_gpi_timeout(spi, msg);
++              break;
++      default:
++              dev_err(mas->dev, "Abort on Mode:%d not supported", mas->cur_xfer_mode);
++      }
++}
++
+ static bool spi_geni_is_abort_still_pending(struct spi_geni_master *mas)
+ {
+       struct geni_se *se = &mas->se;
+@@ -926,7 +950,7 @@ static int spi_geni_probe(struct platform_device *pdev)
+       spi->can_dma = geni_can_dma;
+       spi->dma_map_dev = dev->parent;
+       spi->auto_runtime_pm = true;
+-      spi->handle_err = handle_fifo_timeout;
++      spi->handle_err = spi_geni_handle_err;
+       spi->use_gpio_descriptors = true;
+       init_completion(&mas->cs_done);
+-- 
+2.34.1
+
diff --git a/queue-5.16/spi-qcom-geni-set-the-error-code-for-gpi-transfer.patch b/queue-5.16/spi-qcom-geni-set-the-error-code-for-gpi-transfer.patch
new file mode 100644 (file)
index 0000000..17f56fe
--- /dev/null
@@ -0,0 +1,56 @@
+From 26d4349f540036dab16c883a2d961899fc438a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jan 2022 12:41:17 +0530
+Subject: spi: qcom: geni: set the error code for gpi transfer
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit 74b86d6af81be73bb74995ebeba74417e84b6b6f ]
+
+Before we invoke spi_finalize_current_transfer() in
+spi_gsi_callback_result() we should set the spi->cur_msg->status as
+appropriate (0 for success, error otherwise).
+
+The helps to return error on transfer and not wait till it timesout on
+error
+
+Fixes: b59c122484ec ("spi: spi-geni-qcom: Add support for GPI dma")
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20220103071118.27220-1-vkoul@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-geni-qcom.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
+index e2affaee4e769..69e71aac85129 100644
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -350,17 +350,21 @@ spi_gsi_callback_result(void *cb, const struct dmaengine_result *result)
+ {
+       struct spi_master *spi = cb;
++      spi->cur_msg->status = -EIO;
+       if (result->result != DMA_TRANS_NOERROR) {
+               dev_err(&spi->dev, "DMA txn failed: %d\n", result->result);
++              spi_finalize_current_transfer(spi);
+               return;
+       }
+       if (!result->residue) {
++              spi->cur_msg->status = 0;
+               dev_dbg(&spi->dev, "DMA txn completed\n");
+-              spi_finalize_current_transfer(spi);
+       } else {
+               dev_err(&spi->dev, "DMA xfer has pending: %d\n", result->residue);
+       }
++
++      spi_finalize_current_transfer(spi);
+ }
+ static int setup_gsi_xfer(struct spi_transfer *xfer, struct spi_geni_master *mas,
+-- 
+2.34.1
+
diff --git a/queue-5.16/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch b/queue-5.16/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch
new file mode 100644 (file)
index 0000000..981507a
--- /dev/null
@@ -0,0 +1,38 @@
+From 21c90cb8c2d7395938762917246403fb5f6b33ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jan 2022 07:54:24 +0000
+Subject: spi: spi-meson-spifc: Add missing pm_runtime_disable() in
+ meson_spifc_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 69c1b87516e327a60b39f96b778fe683259408bf ]
+
+If the probe fails, we should use pm_runtime_disable() to balance
+pm_runtime_enable().
+Add missing pm_runtime_disable() for meson_spifc_probe.
+
+Fixes: c3e4bc5434d2 ("spi: meson: Add support for Amlogic Meson SPIFC")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220107075424.7774-1-linmq006@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-meson-spifc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c
+index 8eca6f24cb799..c8ed7815c4ba6 100644
+--- a/drivers/spi/spi-meson-spifc.c
++++ b/drivers/spi/spi-meson-spifc.c
+@@ -349,6 +349,7 @@ static int meson_spifc_probe(struct platform_device *pdev)
+       return 0;
+ out_clk:
+       clk_disable_unprepare(spifc->clk);
++      pm_runtime_disable(spifc->dev);
+ out_err:
+       spi_master_put(master);
+       return ret;
+-- 
+2.34.1
+
diff --git a/queue-5.16/staging-greybus-audio-check-null-pointer.patch b/queue-5.16/staging-greybus-audio-check-null-pointer.patch
new file mode 100644 (file)
index 0000000..b1112f4
--- /dev/null
@@ -0,0 +1,91 @@
+From 173ae8d18c4fac642f449425fba1846370a12c13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 23:06:28 +0800
+Subject: staging: greybus: audio: Check null pointer
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 2e81948177d769106754085c3e03534e6cc1f623 ]
+
+As the possible alloc failure of devm_kcalloc(), it could return null
+pointer.
+Therefore, 'strings' should be checked and return NULL if alloc fails to
+prevent the dereference of the NULL pointer.
+Also, the caller should also deal with the return value of the
+gb_generate_enum_strings() and return -ENOMEM if returns NULL.
+Moreover, because the memory allocated with devm_kzalloc() will be
+freed automatically when the last reference to the device is dropped,
+the 'gbe' in gbaudio_tplg_create_enum_kctl() and
+gbaudio_tplg_create_enum_ctl() do not need to free manually.
+But the 'control' in gbaudio_tplg_create_widget() and
+gbaudio_tplg_process_kcontrols() has a specially error handle to
+cleanup.
+So it should be better to cleanup 'control' when fails.
+
+Fixes: e65579e335da ("greybus: audio: topology: Enable enumerated control support")
+Reviewed-by: Alex Elder <elder@linaro.org>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20220104150628.1987906-1-jiasheng@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/audio_topology.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/staging/greybus/audio_topology.c b/drivers/staging/greybus/audio_topology.c
+index 7f7d558b76d04..62d7674852bec 100644
+--- a/drivers/staging/greybus/audio_topology.c
++++ b/drivers/staging/greybus/audio_topology.c
+@@ -147,6 +147,9 @@ static const char **gb_generate_enum_strings(struct gbaudio_module_info *gb,
+       items = le32_to_cpu(gbenum->items);
+       strings = devm_kcalloc(gb->dev, items, sizeof(char *), GFP_KERNEL);
++      if (!strings)
++              return NULL;
++
+       data = gbenum->names;
+       for (i = 0; i < items; i++) {
+@@ -655,6 +658,8 @@ static int gbaudio_tplg_create_enum_kctl(struct gbaudio_module_info *gb,
+       /* since count=1, and reg is dummy */
+       gbe->items = le32_to_cpu(gb_enum->items);
+       gbe->texts = gb_generate_enum_strings(gb, gb_enum);
++      if (!gbe->texts)
++              return -ENOMEM;
+       /* debug enum info */
+       dev_dbg(gb->dev, "Max:%d, name_length:%d\n", gbe->items,
+@@ -862,6 +867,8 @@ static int gbaudio_tplg_create_enum_ctl(struct gbaudio_module_info *gb,
+       /* since count=1, and reg is dummy */
+       gbe->items = le32_to_cpu(gb_enum->items);
+       gbe->texts = gb_generate_enum_strings(gb, gb_enum);
++      if (!gbe->texts)
++              return -ENOMEM;
+       /* debug enum info */
+       dev_dbg(gb->dev, "Max:%d, name_length:%d\n", gbe->items,
+@@ -1072,6 +1079,10 @@ static int gbaudio_tplg_create_widget(struct gbaudio_module_info *module,
+                       csize += le16_to_cpu(gbenum->names_length);
+                       control->texts = (const char * const *)
+                               gb_generate_enum_strings(module, gbenum);
++                      if (!control->texts) {
++                              ret = -ENOMEM;
++                              goto error;
++                      }
+                       control->items = le32_to_cpu(gbenum->items);
+               } else {
+                       csize = sizeof(struct gb_audio_control);
+@@ -1181,6 +1192,10 @@ static int gbaudio_tplg_process_kcontrols(struct gbaudio_module_info *module,
+                       csize += le16_to_cpu(gbenum->names_length);
+                       control->texts = (const char * const *)
+                               gb_generate_enum_strings(module, gbenum);
++                      if (!control->texts) {
++                              ret = -ENOMEM;
++                              goto error;
++                      }
+                       control->items = le32_to_cpu(gbenum->items);
+               } else {
+                       csize = sizeof(struct gb_audio_control);
+-- 
+2.34.1
+
diff --git a/queue-5.16/staging-rtl8192e-return-error-code-from-rtllib_softm.patch b/queue-5.16/staging-rtl8192e-return-error-code-from-rtllib_softm.patch
new file mode 100644 (file)
index 0000000..77e368d
--- /dev/null
@@ -0,0 +1,71 @@
+From d4226092f885da059a55eeff59e3fceee1c230a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 11:07:02 +0800
+Subject: staging: rtl8192e: return error code from rtllib_softmac_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 68bf78ff59a0891eb1239948e94ce10f73a9dd30 ]
+
+If it fails to allocate 'dot11d_info', rtllib_softmac_init()
+should return error code. And remove unneccessary error message.
+
+Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com>")
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211202030704.2425621-2-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192e/rtllib.h         | 2 +-
+ drivers/staging/rtl8192e/rtllib_softmac.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/rtl8192e/rtllib.h b/drivers/staging/rtl8192e/rtllib.h
+index c6f8b772335c1..c985e4ebc545a 100644
+--- a/drivers/staging/rtl8192e/rtllib.h
++++ b/drivers/staging/rtl8192e/rtllib.h
+@@ -1980,7 +1980,7 @@ void SendDisassociation(struct rtllib_device *ieee, bool deauth, u16 asRsn);
+ void rtllib_softmac_xmit(struct rtllib_txb *txb, struct rtllib_device *ieee);
+ void rtllib_start_ibss(struct rtllib_device *ieee);
+-void rtllib_softmac_init(struct rtllib_device *ieee);
++int rtllib_softmac_init(struct rtllib_device *ieee);
+ void rtllib_softmac_free(struct rtllib_device *ieee);
+ void rtllib_disassociate(struct rtllib_device *ieee);
+ void rtllib_stop_scan(struct rtllib_device *ieee);
+diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c
+index d2726d01c7573..503d33be71d99 100644
+--- a/drivers/staging/rtl8192e/rtllib_softmac.c
++++ b/drivers/staging/rtl8192e/rtllib_softmac.c
+@@ -2952,7 +2952,7 @@ void rtllib_start_protocol(struct rtllib_device *ieee)
+       }
+ }
+-void rtllib_softmac_init(struct rtllib_device *ieee)
++int rtllib_softmac_init(struct rtllib_device *ieee)
+ {
+       int i;
+@@ -2963,7 +2963,8 @@ void rtllib_softmac_init(struct rtllib_device *ieee)
+               ieee->seq_ctrl[i] = 0;
+       ieee->dot11d_info = kzalloc(sizeof(struct rt_dot11d_info), GFP_ATOMIC);
+       if (!ieee->dot11d_info)
+-              netdev_err(ieee->dev, "Can't alloc memory for DOT11D\n");
++              return -ENOMEM;
++
+       ieee->LinkDetectInfo.SlotIndex = 0;
+       ieee->LinkDetectInfo.SlotNum = 2;
+       ieee->LinkDetectInfo.NumRecvBcnInPeriod = 0;
+@@ -3029,6 +3030,7 @@ void rtllib_softmac_init(struct rtllib_device *ieee)
+       tasklet_setup(&ieee->ps_task, rtllib_sta_ps);
++      return 0;
+ }
+ void rtllib_softmac_free(struct rtllib_device *ieee)
+-- 
+2.34.1
+
diff --git a/queue-5.16/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch b/queue-5.16/staging-rtl8192e-rtllib_module-fix-error-handle-case.patch
new file mode 100644 (file)
index 0000000..578a200
--- /dev/null
@@ -0,0 +1,72 @@
+From 2a09e9cb61ce9d4c8f49afb1807f6ba64e579b25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 11:07:03 +0800
+Subject: staging: rtl8192e: rtllib_module: fix error handle case in
+ alloc_rtllib()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e730cd57ac2dfe94bca0f14a3be8e1b21de41a9c ]
+
+Some variables are leaked in the error handling in alloc_rtllib(), free
+the variables in the error path.
+
+Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com>")
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211202030704.2425621-3-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192e/rtllib_module.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/rtl8192e/rtllib_module.c b/drivers/staging/rtl8192e/rtllib_module.c
+index 64d9feee1f392..f00ac94b2639b 100644
+--- a/drivers/staging/rtl8192e/rtllib_module.c
++++ b/drivers/staging/rtl8192e/rtllib_module.c
+@@ -88,7 +88,7 @@ struct net_device *alloc_rtllib(int sizeof_priv)
+       err = rtllib_networks_allocate(ieee);
+       if (err) {
+               pr_err("Unable to allocate beacon storage: %d\n", err);
+-              goto failed;
++              goto free_netdev;
+       }
+       rtllib_networks_initialize(ieee);
+@@ -121,11 +121,13 @@ struct net_device *alloc_rtllib(int sizeof_priv)
+       ieee->hwsec_active = 0;
+       memset(ieee->swcamtable, 0, sizeof(struct sw_cam_table) * 32);
+-      rtllib_softmac_init(ieee);
++      err = rtllib_softmac_init(ieee);
++      if (err)
++              goto free_crypt_info;
+       ieee->pHTInfo = kzalloc(sizeof(struct rt_hi_throughput), GFP_KERNEL);
+       if (!ieee->pHTInfo)
+-              return NULL;
++              goto free_softmac;
+       HTUpdateDefaultSetting(ieee);
+       HTInitializeHTInfo(ieee);
+@@ -141,8 +143,14 @@ struct net_device *alloc_rtllib(int sizeof_priv)
+       return dev;
+- failed:
++free_softmac:
++      rtllib_softmac_free(ieee);
++free_crypt_info:
++      lib80211_crypt_info_free(&ieee->crypt_info);
++      rtllib_networks_free(ieee);
++free_netdev:
+       free_netdev(dev);
++
+       return NULL;
+ }
+ EXPORT_SYMBOL(alloc_rtllib);
+-- 
+2.34.1
+
diff --git a/queue-5.16/sunrpc-fix-sockaddr-handling-in-svcsock_accept_class.patch b/queue-5.16/sunrpc-fix-sockaddr-handling-in-svcsock_accept_class.patch
new file mode 100644 (file)
index 0000000..6702755
--- /dev/null
@@ -0,0 +1,50 @@
+From 0b88405e21d26272bfaba56b549fcba9ba94fd82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jan 2022 16:59:54 -0500
+Subject: SUNRPC: Fix sockaddr handling in svcsock_accept_class trace points
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 16720861675393a35974532b3c837d9fd7bfe08c ]
+
+Avoid potentially hazardous memory copying and the needless use of
+"%pIS" -- in the kernel, an RPC service listener is always bound to
+ANYADDR. Having the network namespace is helpful when recording
+errors, though.
+
+Fixes: a0469f46faab ("SUNRPC: Replace dprintk call sites in TCP state change callouts")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/sunrpc.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index 52288f1c1b52d..7b5dcff84cf27 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -2147,17 +2147,17 @@ DECLARE_EVENT_CLASS(svcsock_accept_class,
+       TP_STRUCT__entry(
+               __field(long, status)
+               __string(service, service)
+-              __array(unsigned char, addr, sizeof(struct sockaddr_in6))
++              __field(unsigned int, netns_ino)
+       ),
+       TP_fast_assign(
+               __entry->status = status;
+               __assign_str(service, service);
+-              memcpy(__entry->addr, &xprt->xpt_local, sizeof(__entry->addr));
++              __entry->netns_ino = xprt->xpt_net->ns.inum;
+       ),
+-      TP_printk("listener=%pISpc service=%s status=%ld",
+-              __entry->addr, __get_str(service), __entry->status
++      TP_printk("addr=listener service=%s status=%ld",
++              __get_str(service), __entry->status
+       )
+ );
+-- 
+2.34.1
+
diff --git a/queue-5.16/sunrpc-fix-sockaddr-handling-in-the-svc_xprt_create_.patch b/queue-5.16/sunrpc-fix-sockaddr-handling-in-the-svc_xprt_create_.patch
new file mode 100644 (file)
index 0000000..927e7f0
--- /dev/null
@@ -0,0 +1,86 @@
+From 3fcd5cf273d119bae36134cf58576b8cff131b92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jan 2022 13:26:51 -0500
+Subject: SUNRPC: Fix sockaddr handling in the svc_xprt_create_error trace
+ point
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit dc6c6fb3d639756a532bcc47d4a9bf9f3965881b ]
+
+While testing, I got an unexpected KASAN splat:
+
+Jan 08 13:50:27 oracle-102.nfsv4.dev kernel: BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_svc_xprt_create_err+0x190/0x210 [sunrpc]
+Jan 08 13:50:27 oracle-102.nfsv4.dev kernel: Read of size 28 at addr ffffc9000008f728 by task mount.nfs/4628
+
+The memcpy() in the TP_fast_assign section of this trace point
+copies the size of the destination buffer in order that the buffer
+won't be overrun.
+
+In other similar trace points, the source buffer for this memcpy is
+a "struct sockaddr_storage" so the actual length of the source
+buffer is always long enough to prevent the memcpy from reading
+uninitialized or unallocated memory.
+
+However, for this trace point, the source buffer can be as small as
+a "struct sockaddr_in". For AF_INET sockaddrs, the memcpy() reads
+memory that follows the source buffer, which is not always valid
+memory.
+
+To avoid copying past the end of the passed-in sockaddr, make the
+source address's length available to the memcpy(). It would be a
+little nicer if the tracing infrastructure was more friendly about
+storing socket addresses that are not AF_INET, but I could not find
+a way to make printk("%pIS") work with a dynamic array.
+
+Reported-by: KASAN
+Fixes: 4b8f380e46e4 ("SUNRPC: Tracepoint to record errors in svc_xpo_create()")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/sunrpc.h | 5 +++--
+ net/sunrpc/svc_xprt.c         | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index 3a99358c262b4..52288f1c1b52d 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -1744,10 +1744,11 @@ TRACE_EVENT(svc_xprt_create_err,
+               const char *program,
+               const char *protocol,
+               struct sockaddr *sap,
++              size_t salen,
+               const struct svc_xprt *xprt
+       ),
+-      TP_ARGS(program, protocol, sap, xprt),
++      TP_ARGS(program, protocol, sap, salen, xprt),
+       TP_STRUCT__entry(
+               __field(long, error)
+@@ -1760,7 +1761,7 @@ TRACE_EVENT(svc_xprt_create_err,
+               __entry->error = PTR_ERR(xprt);
+               __assign_str(program, program);
+               __assign_str(protocol, protocol);
+-              memcpy(__entry->addr, sap, sizeof(__entry->addr));
++              memcpy(__entry->addr, sap, min(salen, sizeof(__entry->addr)));
+       ),
+       TP_printk("addr=%pISpc program=%s protocol=%s error=%ld",
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 1e99ba1b9d723..008f1b05a7a9f 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -243,7 +243,7 @@ static struct svc_xprt *__svc_xpo_create(struct svc_xprt_class *xcl,
+       xprt = xcl->xcl_ops->xpo_create(serv, net, sap, len, flags);
+       if (IS_ERR(xprt))
+               trace_svc_xprt_create_err(serv->sv_program->pg_name,
+-                                        xcl->xcl_name, sap, xprt);
++                                        xcl->xcl_name, sap, len, xprt);
+       return xprt;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/tee-fix-put-order-in-teedev_close_context.patch b/queue-5.16/tee-fix-put-order-in-teedev_close_context.patch
new file mode 100644 (file)
index 0000000..07e99ff
--- /dev/null
@@ -0,0 +1,41 @@
+From ddb0ba2f7bfbf25b8d62865720524e0b2b23639e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 22:23:50 +0200
+Subject: tee: fix put order in teedev_close_context()
+
+From: Jens Wiklander <jens.wiklander@linaro.org>
+
+[ Upstream commit f18397ab3ae23e8e43bba9986e66af6d4497f2ad ]
+
+Prior to this patch was teedev_close_context() calling tee_device_put()
+before teedev_ctx_put() leading to teedev_ctx_release() accessing
+ctx->teedev just after the reference counter was decreased on the
+teedev. Fix this by calling teedev_ctx_put() before tee_device_put().
+
+Fixes: 217e0250cccb ("tee: use reference counting for tee_context")
+Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/tee_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c
+index 2b37bc408fc3d..85102d12d7169 100644
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -98,8 +98,10 @@ void teedev_ctx_put(struct tee_context *ctx)
+ static void teedev_close_context(struct tee_context *ctx)
+ {
+-      tee_device_put(ctx->teedev);
++      struct tee_device *teedev = ctx->teedev;
++
+       teedev_ctx_put(ctx);
++      tee_device_put(teedev);
+ }
+ static int tee_open(struct inode *inode, struct file *filp)
+-- 
+2.34.1
+
diff --git a/queue-5.16/thermal-drivers-imx-implement-runtime-pm-support.patch b/queue-5.16/thermal-drivers-imx-implement-runtime-pm-support.patch
new file mode 100644 (file)
index 0000000..eb83145
--- /dev/null
@@ -0,0 +1,308 @@
+From 99403ba577dc61ee93e391e58c86a2f06b8160c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 11:34:26 +0100
+Subject: thermal/drivers/imx: Implement runtime PM support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 4cf2ddf16e175ee18c5c29865c32da7d6269cf44 ]
+
+Starting with commit d92ed2c9d3ff ("thermal: imx: Use driver's local
+data to decide whether to run a measurement") this driver stared using
+irq_enabled flag to make decision to power on/off the thermal
+core. This triggered a regression, where after reaching critical
+temperature, alarm IRQ handler set irq_enabled to false, disabled
+thermal core and was not able read temperature and disable cooling
+sequence.
+
+In case the cooling device is "CPU/GPU freq", the system will run with
+reduce performance until next reboot.
+
+To solve this issue, we need to move all parts implementing hand made
+runtime power management and let it handle actual runtime PM framework.
+
+Fixes: d92ed2c9d3ff ("thermal: imx: Use driver's local data to decide whether to run a measurement")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Tested-by: Petr Beneš <petr.benes@ysoft.com>
+Link: https://lore.kernel.org/r/20211117103426.81813-1-o.rempel@pengutronix.de
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/imx_thermal.c | 145 +++++++++++++++++++++-------------
+ 1 file changed, 91 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/thermal/imx_thermal.c b/drivers/thermal/imx_thermal.c
+index 2c7473d86a59b..16663373b6829 100644
+--- a/drivers/thermal/imx_thermal.c
++++ b/drivers/thermal/imx_thermal.c
+@@ -15,6 +15,7 @@
+ #include <linux/regmap.h>
+ #include <linux/thermal.h>
+ #include <linux/nvmem-consumer.h>
++#include <linux/pm_runtime.h>
+ #define REG_SET               0x4
+ #define REG_CLR               0x8
+@@ -194,6 +195,7 @@ static struct thermal_soc_data thermal_imx7d_data = {
+ };
+ struct imx_thermal_data {
++      struct device *dev;
+       struct cpufreq_policy *policy;
+       struct thermal_zone_device *tz;
+       struct thermal_cooling_device *cdev;
+@@ -252,44 +254,15 @@ static int imx_get_temp(struct thermal_zone_device *tz, int *temp)
+       const struct thermal_soc_data *soc_data = data->socdata;
+       struct regmap *map = data->tempmon;
+       unsigned int n_meas;
+-      bool wait, run_measurement;
+       u32 val;
++      int ret;
+-      run_measurement = !data->irq_enabled;
+-      if (!run_measurement) {
+-              /* Check if a measurement is currently in progress */
+-              regmap_read(map, soc_data->temp_data, &val);
+-              wait = !(val & soc_data->temp_valid_mask);
+-      } else {
+-              /*
+-               * Every time we measure the temperature, we will power on the
+-               * temperature sensor, enable measurements, take a reading,
+-               * disable measurements, power off the temperature sensor.
+-               */
+-              regmap_write(map, soc_data->sensor_ctrl + REG_CLR,
+-                          soc_data->power_down_mask);
+-              regmap_write(map, soc_data->sensor_ctrl + REG_SET,
+-                          soc_data->measure_temp_mask);
+-
+-              wait = true;
+-      }
+-
+-      /*
+-       * According to the temp sensor designers, it may require up to ~17us
+-       * to complete a measurement.
+-       */
+-      if (wait)
+-              usleep_range(20, 50);
++      ret = pm_runtime_resume_and_get(data->dev);
++      if (ret < 0)
++              return ret;
+       regmap_read(map, soc_data->temp_data, &val);
+-      if (run_measurement) {
+-              regmap_write(map, soc_data->sensor_ctrl + REG_CLR,
+-                           soc_data->measure_temp_mask);
+-              regmap_write(map, soc_data->sensor_ctrl + REG_SET,
+-                           soc_data->power_down_mask);
+-      }
+-
+       if ((val & soc_data->temp_valid_mask) == 0) {
+               dev_dbg(&tz->device, "temp measurement never finished\n");
+               return -EAGAIN;
+@@ -328,6 +301,8 @@ static int imx_get_temp(struct thermal_zone_device *tz, int *temp)
+               enable_irq(data->irq);
+       }
++      pm_runtime_put(data->dev);
++
+       return 0;
+ }
+@@ -335,24 +310,16 @@ static int imx_change_mode(struct thermal_zone_device *tz,
+                          enum thermal_device_mode mode)
+ {
+       struct imx_thermal_data *data = tz->devdata;
+-      struct regmap *map = data->tempmon;
+-      const struct thermal_soc_data *soc_data = data->socdata;
+       if (mode == THERMAL_DEVICE_ENABLED) {
+-              regmap_write(map, soc_data->sensor_ctrl + REG_CLR,
+-                           soc_data->power_down_mask);
+-              regmap_write(map, soc_data->sensor_ctrl + REG_SET,
+-                           soc_data->measure_temp_mask);
++              pm_runtime_get(data->dev);
+               if (!data->irq_enabled) {
+                       data->irq_enabled = true;
+                       enable_irq(data->irq);
+               }
+       } else {
+-              regmap_write(map, soc_data->sensor_ctrl + REG_CLR,
+-                           soc_data->measure_temp_mask);
+-              regmap_write(map, soc_data->sensor_ctrl + REG_SET,
+-                           soc_data->power_down_mask);
++              pm_runtime_put(data->dev);
+               if (data->irq_enabled) {
+                       disable_irq(data->irq);
+@@ -393,6 +360,11 @@ static int imx_set_trip_temp(struct thermal_zone_device *tz, int trip,
+                            int temp)
+ {
+       struct imx_thermal_data *data = tz->devdata;
++      int ret;
++
++      ret = pm_runtime_resume_and_get(data->dev);
++      if (ret < 0)
++              return ret;
+       /* do not allow changing critical threshold */
+       if (trip == IMX_TRIP_CRITICAL)
+@@ -406,6 +378,8 @@ static int imx_set_trip_temp(struct thermal_zone_device *tz, int trip,
+       imx_set_alarm_temp(data, temp);
++      pm_runtime_put(data->dev);
++
+       return 0;
+ }
+@@ -681,6 +655,8 @@ static int imx_thermal_probe(struct platform_device *pdev)
+       if (!data)
+               return -ENOMEM;
++      data->dev = &pdev->dev;
++
+       map = syscon_regmap_lookup_by_phandle(pdev->dev.of_node, "fsl,tempmon");
+       if (IS_ERR(map)) {
+               ret = PTR_ERR(map);
+@@ -800,6 +776,16 @@ static int imx_thermal_probe(struct platform_device *pdev)
+                    data->socdata->power_down_mask);
+       regmap_write(map, data->socdata->sensor_ctrl + REG_SET,
+                    data->socdata->measure_temp_mask);
++      /* After power up, we need a delay before first access can be done. */
++      usleep_range(20, 50);
++
++      /* the core was configured and enabled just before */
++      pm_runtime_set_active(&pdev->dev);
++      pm_runtime_enable(data->dev);
++
++      ret = pm_runtime_resume_and_get(data->dev);
++      if (ret < 0)
++              goto disable_runtime_pm;
+       data->irq_enabled = true;
+       ret = thermal_zone_device_enable(data->tz);
+@@ -814,10 +800,15 @@ static int imx_thermal_probe(struct platform_device *pdev)
+               goto thermal_zone_unregister;
+       }
++      pm_runtime_put(data->dev);
++
+       return 0;
+ thermal_zone_unregister:
+       thermal_zone_device_unregister(data->tz);
++disable_runtime_pm:
++      pm_runtime_put_noidle(data->dev);
++      pm_runtime_disable(data->dev);
+ clk_disable:
+       clk_disable_unprepare(data->thermal_clk);
+ legacy_cleanup:
+@@ -829,13 +820,9 @@ legacy_cleanup:
+ static int imx_thermal_remove(struct platform_device *pdev)
+ {
+       struct imx_thermal_data *data = platform_get_drvdata(pdev);
+-      struct regmap *map = data->tempmon;
+-      /* Disable measurements */
+-      regmap_write(map, data->socdata->sensor_ctrl + REG_SET,
+-                   data->socdata->power_down_mask);
+-      if (!IS_ERR(data->thermal_clk))
+-              clk_disable_unprepare(data->thermal_clk);
++      pm_runtime_put_noidle(data->dev);
++      pm_runtime_disable(data->dev);
+       thermal_zone_device_unregister(data->tz);
+       imx_thermal_unregister_legacy_cooling(data);
+@@ -858,29 +845,79 @@ static int __maybe_unused imx_thermal_suspend(struct device *dev)
+       ret = thermal_zone_device_disable(data->tz);
+       if (ret)
+               return ret;
++
++      return pm_runtime_force_suspend(data->dev);
++}
++
++static int __maybe_unused imx_thermal_resume(struct device *dev)
++{
++      struct imx_thermal_data *data = dev_get_drvdata(dev);
++      int ret;
++
++      ret = pm_runtime_force_resume(data->dev);
++      if (ret)
++              return ret;
++      /* Enabled thermal sensor after resume */
++      return thermal_zone_device_enable(data->tz);
++}
++
++static int __maybe_unused imx_thermal_runtime_suspend(struct device *dev)
++{
++      struct imx_thermal_data *data = dev_get_drvdata(dev);
++      const struct thermal_soc_data *socdata = data->socdata;
++      struct regmap *map = data->tempmon;
++      int ret;
++
++      ret = regmap_write(map, socdata->sensor_ctrl + REG_CLR,
++                         socdata->measure_temp_mask);
++      if (ret)
++              return ret;
++
++      ret = regmap_write(map, socdata->sensor_ctrl + REG_SET,
++                         socdata->power_down_mask);
++      if (ret)
++              return ret;
++
+       clk_disable_unprepare(data->thermal_clk);
+       return 0;
+ }
+-static int __maybe_unused imx_thermal_resume(struct device *dev)
++static int __maybe_unused imx_thermal_runtime_resume(struct device *dev)
+ {
+       struct imx_thermal_data *data = dev_get_drvdata(dev);
++      const struct thermal_soc_data *socdata = data->socdata;
++      struct regmap *map = data->tempmon;
+       int ret;
+       ret = clk_prepare_enable(data->thermal_clk);
+       if (ret)
+               return ret;
+-      /* Enabled thermal sensor after resume */
+-      ret = thermal_zone_device_enable(data->tz);
++
++      ret = regmap_write(map, socdata->sensor_ctrl + REG_CLR,
++                         socdata->power_down_mask);
++      if (ret)
++              return ret;
++
++      ret = regmap_write(map, socdata->sensor_ctrl + REG_SET,
++                         socdata->measure_temp_mask);
+       if (ret)
+               return ret;
++      /*
++       * According to the temp sensor designers, it may require up to ~17us
++       * to complete a measurement.
++       */
++      usleep_range(20, 50);
++
+       return 0;
+ }
+-static SIMPLE_DEV_PM_OPS(imx_thermal_pm_ops,
+-                       imx_thermal_suspend, imx_thermal_resume);
++static const struct dev_pm_ops imx_thermal_pm_ops = {
++      SET_SYSTEM_SLEEP_PM_OPS(imx_thermal_suspend, imx_thermal_resume)
++      SET_RUNTIME_PM_OPS(imx_thermal_runtime_suspend,
++                         imx_thermal_runtime_resume, NULL)
++};
+ static struct platform_driver imx_thermal = {
+       .driver = {
+-- 
+2.34.1
+
diff --git a/queue-5.16/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch b/queue-5.16/thermal-drivers-imx8mm-enable-adc-when-enabling-moni.patch
new file mode 100644 (file)
index 0000000..8f5dd3d
--- /dev/null
@@ -0,0 +1,53 @@
+From 99590c99a63ca88ea95e0254b4fd277fc4dd5e62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 12:42:25 +0100
+Subject: thermal/drivers/imx8mm: Enable ADC when enabling monitor
+
+From: Paul Gerber <Paul.Gerber@tq-group.com>
+
+[ Upstream commit 3de89d8842a2b5d3dd22ebf97dd561ae0a330948 ]
+
+The i.MX 8MP has a ADC_PD bit in the TMU_TER register that controls the
+operating mode of the ADC:
+* 0 means normal operating mode
+* 1 means power down mode
+
+When enabling/disabling the TMU, the ADC operating mode must be set
+accordingly.
+
+i.MX 8M Mini & Nano are lacking this bit.
+
+Signed-off-by: Paul Gerber <Paul.Gerber@tq-group.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Fixes: 2b8f1f0337c5 ("thermal: imx8mm: Add i.MX8MP support")
+Link: https://lore.kernel.org/r/20211122114225.196280-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/imx8mm_thermal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/thermal/imx8mm_thermal.c b/drivers/thermal/imx8mm_thermal.c
+index 7442e013738f8..af666bd9e8d4d 100644
+--- a/drivers/thermal/imx8mm_thermal.c
++++ b/drivers/thermal/imx8mm_thermal.c
+@@ -21,6 +21,7 @@
+ #define TPS                   0x4
+ #define TRITSR                        0x20    /* TMU immediate temp */
++#define TER_ADC_PD            BIT(30)
+ #define TER_EN                        BIT(31)
+ #define TRITSR_TEMP0_VAL_MASK 0xff
+ #define TRITSR_TEMP1_VAL_MASK 0xff0000
+@@ -113,6 +114,8 @@ static void imx8mm_tmu_enable(struct imx8mm_tmu *tmu, bool enable)
+       val = readl_relaxed(tmu->base + TER);
+       val = enable ? (val | TER_EN) : (val & ~TER_EN);
++      if (tmu->socdata->version == TMU_VER2)
++              val = enable ? (val & ~TER_ADC_PD) : (val | TER_ADC_PD);
+       writel_relaxed(val, tmu->base + TER);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch b/queue-5.16/thunderbolt-runtime-pm-activate-both-ends-of-the-dev.patch
new file mode 100644 (file)
index 0000000..78093f8
--- /dev/null
@@ -0,0 +1,74 @@
+From 6927e1f7677a36cee2a8b2f9c396a9bcc292a9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Nov 2021 16:07:11 +0200
+Subject: thunderbolt: Runtime PM activate both ends of the device link
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit f3380cac0c0b3a6f49ab161e2a057c363962f48d ]
+
+If protocol tunnels are already up when the driver is loaded, for
+instance if the boot firmware implements connection manager of its own,
+runtime PM reference count of the consumer devices behind the tunnel
+might have been increased already before the device link is created but
+the supplier device runtime PM reference count is not. This leads to a
+situation where the supplier (the Thunderbolt driver) can runtime
+suspend even if it should not because the corresponding protocol tunnel
+needs to be up causing the devices to be removed from the corresponding
+native bus.
+
+Prevent this from happening by making both sides of the link runtime PM
+active briefly. The pm_runtime_put() for the consumer (PCIe
+root/downstream port, xHCI) then allows it to runtime suspend again but
+keeps the supplier runtime resumed the whole time it is runtime active.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/acpi.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/thunderbolt/acpi.c b/drivers/thunderbolt/acpi.c
+index b67e72d5644b3..7c9597a339295 100644
+--- a/drivers/thunderbolt/acpi.c
++++ b/drivers/thunderbolt/acpi.c
+@@ -7,6 +7,7 @@
+  */
+ #include <linux/acpi.h>
++#include <linux/pm_runtime.h>
+ #include "tb.h"
+@@ -74,8 +75,18 @@ static acpi_status tb_acpi_add_link(acpi_handle handle, u32 level, void *data,
+                pci_pcie_type(pdev) == PCI_EXP_TYPE_DOWNSTREAM))) {
+               const struct device_link *link;
++              /*
++               * Make them both active first to make sure the NHI does
++               * not runtime suspend before the consumer. The
++               * pm_runtime_put() below then allows the consumer to
++               * runtime suspend again (which then allows NHI runtime
++               * suspend too now that the device link is established).
++               */
++              pm_runtime_get_sync(&pdev->dev);
++
+               link = device_link_add(&pdev->dev, &nhi->pdev->dev,
+                                      DL_FLAG_AUTOREMOVE_SUPPLIER |
++                                     DL_FLAG_RPM_ACTIVE |
+                                      DL_FLAG_PM_RUNTIME);
+               if (link) {
+                       dev_dbg(&nhi->pdev->dev, "created link from %s\n",
+@@ -84,6 +95,8 @@ static acpi_status tb_acpi_add_link(acpi_handle handle, u32 level, void *data,
+                       dev_warn(&nhi->pdev->dev, "device link creation from %s failed\n",
+                                dev_name(&pdev->dev));
+               }
++
++              pm_runtime_put(&pdev->dev);
+       }
+ out_put:
+-- 
+2.34.1
+
diff --git a/queue-5.16/tools-resolve_btf_ids-close-elf-file-on-error.patch b/queue-5.16/tools-resolve_btf_ids-close-elf-file-on-error.patch
new file mode 100644 (file)
index 0000000..c46eade
--- /dev/null
@@ -0,0 +1,46 @@
+From e78ab803a4841c525b1e4783eea58897bb954d4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 16:23:13 -0800
+Subject: tools/resolve_btf_ids: Close ELF file on error
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 1144ab9bdf3430e1b5b3f22741e5283841951add ]
+
+Fix one case where we don't do explicit clean up.
+
+Fixes: fbbb68de80a4 ("bpf: Add resolve_btfids tool to resolve BTF IDs in ELF object")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20211124002325.1737739-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/resolve_btfids/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bpf/resolve_btfids/main.c b/tools/bpf/resolve_btfids/main.c
+index 73409e27be01f..5d26f3c6f918e 100644
+--- a/tools/bpf/resolve_btfids/main.c
++++ b/tools/bpf/resolve_btfids/main.c
+@@ -168,7 +168,7 @@ static struct btf_id *btf_id__find(struct rb_root *root, const char *name)
+       return NULL;
+ }
+-static struct btf_id*
++static struct btf_id *
+ btf_id__add(struct rb_root *root, char *name, bool unique)
+ {
+       struct rb_node **p = &root->rb_node;
+@@ -732,7 +732,8 @@ int main(int argc, const char **argv)
+       if (obj.efile.idlist_shndx == -1 ||
+           obj.efile.symbols_shndx == -1) {
+               pr_debug("Cannot find .BTF_ids or symbols sections, nothing to do\n");
+-              return 0;
++              err = 0;
++              goto out;
+       }
+       if (symbols_collect(&obj))
+-- 
+2.34.1
+
diff --git a/queue-5.16/tpm-add-request_locality-before-write-tpm_int_enable.patch b/queue-5.16/tpm-add-request_locality-before-write-tpm_int_enable.patch
new file mode 100644 (file)
index 0000000..0fdbdb4
--- /dev/null
@@ -0,0 +1,44 @@
+From 5400a2f198c2393d8cb1d9ebd5b86f5a9dbf6ed1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 06:25:56 +0000
+Subject: tpm: add request_locality before write TPM_INT_ENABLE
+
+From: Chen Jun <chenjun102@huawei.com>
+
+[ Upstream commit 0ef333f5ba7f24f5d8478425c163d3097f1c7afd ]
+
+Locality is not appropriately requested before writing the int mask.
+Add the missing boilerplate.
+
+Fixes: e6aef069b6e9 ("tpm_tis: convert to using locality callbacks")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index b2659a4c40168..e2df1098a812f 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -994,7 +994,15 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
+       intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT |
+                  TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT;
+       intmask &= ~TPM_GLOBAL_INT_ENABLE;
++
++      rc = request_locality(chip, 0);
++      if (rc < 0) {
++              rc = -ENODEV;
++              goto out_err;
++      }
++
+       tpm_tis_write32(priv, TPM_INT_ENABLE(priv->locality), intmask);
++      release_locality(chip, 0);
+       rc = tpm_chip_start(chip);
+       if (rc)
+-- 
+2.34.1
+
diff --git a/queue-5.16/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch b/queue-5.16/tpm_tis-fix-an-error-handling-path-in-tpm_tis_core_i.patch
new file mode 100644 (file)
index 0000000..94fc946
--- /dev/null
@@ -0,0 +1,44 @@
+From 9c8ab98c2757ea4e7c422ec3fa96cefa3e01e0c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Nov 2021 17:42:04 +0100
+Subject: tpm_tis: Fix an error handling path in 'tpm_tis_core_init()'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e96d52822f5ac0a25de78f95cd23421bcbc93584 ]
+
+Commit 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent
+queries") has moved some code around without updating the error handling
+path.
+
+This is now pointless to 'goto out_err' when neither 'clk_enable()' nor
+'ioremap()' have been called yet.
+
+Make a direct return instead to avoid undoing things that have not been
+done.
+
+Fixes: 79ca6f74dae0 ("tpm: fix Atmel TPM crash caused by too frequent queries")
+Signed-off-by: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c
+index e2df1098a812f..36d1ad8f479d7 100644
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -952,7 +952,7 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq,
+       rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor);
+       if (rc < 0)
+-              goto out_err;
++              return rc;
+       priv->manufacturer_id = vendor;
+-- 
+2.34.1
+
diff --git a/queue-5.16/tracing-do-not-let-synth_events-block-other-dyn_even.patch b/queue-5.16/tracing-do-not-let-synth_events-block-other-dyn_even.patch
new file mode 100644 (file)
index 0000000..e8c6a1c
--- /dev/null
@@ -0,0 +1,60 @@
+From 0d0b4d6b44056a54d3d619f237b6a29f9ae9af8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 15:38:21 -0700
+Subject: tracing: Do not let synth_events block other dyn_event systems during
+ create
+
+From: Beau Belgrave <beaub@linux.microsoft.com>
+
+[ Upstream commit 4f67cca70c0f615e9cfe6ac42244f3416ec60877 ]
+
+synth_events is returning -EINVAL if the dyn_event create command does
+not contain ' \t'. This prevents other systems from getting called back.
+synth_events needs to return -ECANCELED in these cases when the command
+is not targeting the synth_event system.
+
+Link: https://lore.kernel.org/linux-trace-devel/20210930223821.11025-1-beaub@linux.microsoft.com
+
+Fixes: c9e759b1e8456 ("tracing: Rework synthetic event command parsing")
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Beau Belgrave <beaub@linux.microsoft.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_synth.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c
+index ca9c13b2ecf4b..4b5a637d3ec00 100644
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -2054,6 +2054,13 @@ static int create_synth_event(const char *raw_command)
+       last_cmd_set(raw_command);
++      name = raw_command;
++
++      /* Don't try to process if not our system */
++      if (name[0] != 's' || name[1] != ':')
++              return -ECANCELED;
++      name += 2;
++
+       p = strpbrk(raw_command, " \t");
+       if (!p) {
+               synth_err(SYNTH_ERR_INVALID_CMD, 0);
+@@ -2062,12 +2069,6 @@ static int create_synth_event(const char *raw_command)
+       fields = skip_spaces(p);
+-      name = raw_command;
+-
+-      if (name[0] != 's' || name[1] != ':')
+-              return -ECANCELED;
+-      name += 2;
+-
+       /* This interface accepts group name prefix */
+       if (strchr(name, '/')) {
+               len = str_has_prefix(name, SYNTH_SYSTEM "/");
+-- 
+2.34.1
+
diff --git a/queue-5.16/tracing-probes-check-the-return-value-of-kstrndup-fo.patch b/queue-5.16/tracing-probes-check-the-return-value-of-kstrndup-fo.patch
new file mode 100644 (file)
index 0000000..c9a3a81
--- /dev/null
@@ -0,0 +1,40 @@
+From 6f4fccc03fd86bf7f8f51509516ad6425e482d98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 10:26:46 +0800
+Subject: tracing/probes: check the return value of kstrndup() for pbuf
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+[ Upstream commit 1c1857d400355e96f0fe8b32adc6fa7594d03b52 ]
+
+kstrndup() is a memory allocation-related function, it returns NULL when
+some internal memory errors happen. It is better to check the return
+value of it so to catch the memory error in time.
+
+Link: https://lkml.kernel.org/r/tencent_4D6E270731456EB88712ED7F13883C334906@qq.com
+
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Fixes: a42e3c4de964 ("tracing/probe: Add immediate string parameter support")
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_probe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 3ed2a3f372972..bb4605b60de79 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -356,6 +356,8 @@ static int __parse_imm_string(char *str, char **pbuf, int offs)
+               return -EINVAL;
+       }
+       *pbuf = kstrndup(str, len - 1, GFP_KERNEL);
++      if (!*pbuf)
++              return -ENOMEM;
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/tracing-uprobes-check-the-return-value-of-kstrdup-fo.patch b/queue-5.16/tracing-uprobes-check-the-return-value-of-kstrdup-fo.patch
new file mode 100644 (file)
index 0000000..11985f2
--- /dev/null
@@ -0,0 +1,43 @@
+From 51fbab3289f6bb583cdcce411121faaf1f3d0222 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 09:28:02 +0800
+Subject: tracing/uprobes: Check the return value of kstrdup() for tu->filename
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+[ Upstream commit 8c7224245557707c613f130431cafbaaa4889615 ]
+
+kstrdup() returns NULL when some internal memory errors happen, it is
+better to check the return value of it so to catch the memory error in
+time.
+
+Link: https://lkml.kernel.org/r/tencent_3C2E330722056D7891D2C83F29C802734B06@qq.com
+
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Fixes: 33ea4b24277b ("perf/core: Implement the 'perf_uprobe' PMU")
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_uprobe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
+index f5f0039d31e5a..78ec1c16ccf4b 100644
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -1619,6 +1619,11 @@ create_local_trace_uprobe(char *name, unsigned long offs,
+       tu->path = path;
+       tu->ref_ctr_offset = ref_ctr_offset;
+       tu->filename = kstrdup(name, GFP_KERNEL);
++      if (!tu->filename) {
++              ret = -ENOMEM;
++              goto error;
++      }
++
+       init_trace_event_call(tu);
+       ptype = is_ret_probe(tu) ? PROBE_PRINT_RETURN : PROBE_PRINT_NORMAL;
+-- 
+2.34.1
+
diff --git a/queue-5.16/tty-serial-atmel-call-dma_async_issue_pending.patch b/queue-5.16/tty-serial-atmel-call-dma_async_issue_pending.patch
new file mode 100644 (file)
index 0000000..3cc10f0
--- /dev/null
@@ -0,0 +1,50 @@
+From 53724472b830401161c052512869a848ef02390d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 11:00:18 +0200
+Subject: tty: serial: atmel: Call dma_async_issue_pending()
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+[ Upstream commit 4f4b9b5895614eb2e2b5f4cab7858f44bd113e1b ]
+
+The driver wrongly assummed that tx_submit() will start the transfer,
+which is not the case, now that the at_xdmac driver is fixed. tx_submit
+is supposed to push the current transaction descriptor to a pending queue,
+waiting for issue_pending to be called. issue_pending must start the
+transfer, not tx_submit.
+
+Fixes: 34df42f59a60 ("serial: at91: add rx dma support")
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20211125090028.786832-4-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/atmel_serial.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
+index 376f7a9c2868a..269b4500e9e78 100644
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1009,6 +1009,8 @@ static void atmel_tx_dma(struct uart_port *port)
+                               atmel_port->cookie_tx);
+                       return;
+               }
++
++              dma_async_issue_pending(chan);
+       }
+       if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+@@ -1269,6 +1271,8 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
+               goto chan_err;
+       }
++      dma_async_issue_pending(atmel_port->chan_rx);
++
+       return 0;
+ chan_err:
+-- 
+2.34.1
+
diff --git a/queue-5.16/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch b/queue-5.16/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch
new file mode 100644 (file)
index 0000000..e39721b
--- /dev/null
@@ -0,0 +1,59 @@
+From 6f7126979ac799b3f63fe144b013da833f3df9dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 11:00:17 +0200
+Subject: tty: serial: atmel: Check return code of dmaengine_submit()
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+[ Upstream commit 1e67bd2b8cb90b66e89562598e9c2046246832d3 ]
+
+The tx_submit() method of struct dma_async_tx_descriptor is entitled
+to do sanity checks and return errors if encountered. It's not the
+case for the DMA controller drivers that this client is using
+(at_h/xdmac), because they currently don't do sanity checks and always
+return a positive cookie at tx_submit() method. In case the controller
+drivers will implement sanity checks and return errors, print a message
+so that the client will be informed that something went wrong at
+tx_submit() level.
+
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Acked-by: Richard Genoud <richard.genoud@gmail.com>
+Link: https://lore.kernel.org/r/20211125090028.786832-3-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/atmel_serial.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
+index 2c99a47a25357..376f7a9c2868a 100644
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1004,6 +1004,11 @@ static void atmel_tx_dma(struct uart_port *port)
+               desc->callback = atmel_complete_tx_dma;
+               desc->callback_param = atmel_port;
+               atmel_port->cookie_tx = dmaengine_submit(desc);
++              if (dma_submit_error(atmel_port->cookie_tx)) {
++                      dev_err(port->dev, "dma_submit_error %d\n",
++                              atmel_port->cookie_tx);
++                      return;
++              }
+       }
+       if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+@@ -1258,6 +1263,11 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
+       desc->callback_param = port;
+       atmel_port->desc_rx = desc;
+       atmel_port->cookie_rx = dmaengine_submit(desc);
++      if (dma_submit_error(atmel_port->cookie_rx)) {
++              dev_err(port->dev, "dma_submit_error %d\n",
++                      atmel_port->cookie_rx);
++              goto chan_err;
++      }
+       return 0;
+-- 
+2.34.1
+
diff --git a/queue-5.16/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch b/queue-5.16/tty-serial-imx-disable-ucr4_oren-in-.stop_rx-instead.patch
new file mode 100644 (file)
index 0000000..179969e
--- /dev/null
@@ -0,0 +1,70 @@
+From 7d7c9b39cf54871cffc81e977d4318ff5f562900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 10:03:49 +0800
+Subject: tty: serial: imx: disable UCR4_OREN in .stop_rx() instead of
+ .shutdown()
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit 028e083832b06fdeeb290e1e57dc1f6702c4c215 ]
+
+The UCR4_OREN should be disabled before disabling the uart receiver in
+.stop_rx() instead of in the .shutdown().
+
+Otherwise, if we have the overrun error during the receiver disable
+process, the overrun interrupt will keep trigging until we disable the
+OREN interrupt in the .shutdown(), because the ORE status can only be
+cleared when read the rx FIFO or reset the controller.  Although the
+called time between the receiver disable and OREN disable in .shutdown()
+is very short, there is still the risk of endless interrupt during this
+short period of time. So here change to disable OREN before the receiver
+been disabled in .stop_rx().
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20211125020349.4980-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/imx.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index 90f82e6c54e46..6f7f382d0b1fa 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -486,18 +486,21 @@ static void imx_uart_stop_tx(struct uart_port *port)
+ static void imx_uart_stop_rx(struct uart_port *port)
+ {
+       struct imx_port *sport = (struct imx_port *)port;
+-      u32 ucr1, ucr2;
++      u32 ucr1, ucr2, ucr4;
+       ucr1 = imx_uart_readl(sport, UCR1);
+       ucr2 = imx_uart_readl(sport, UCR2);
++      ucr4 = imx_uart_readl(sport, UCR4);
+       if (sport->dma_is_enabled) {
+               ucr1 &= ~(UCR1_RXDMAEN | UCR1_ATDMAEN);
+       } else {
+               ucr1 &= ~UCR1_RRDYEN;
+               ucr2 &= ~UCR2_ATEN;
++              ucr4 &= ~UCR4_OREN;
+       }
+       imx_uart_writel(sport, ucr1, UCR1);
++      imx_uart_writel(sport, ucr4, UCR4);
+       ucr2 &= ~UCR2_RXEN;
+       imx_uart_writel(sport, ucr2, UCR2);
+@@ -1544,7 +1547,7 @@ static void imx_uart_shutdown(struct uart_port *port)
+       imx_uart_writel(sport, ucr1, UCR1);
+       ucr4 = imx_uart_readl(sport, UCR4);
+-      ucr4 &= ~(UCR4_OREN | UCR4_TCEN);
++      ucr4 &= ~UCR4_TCEN;
+       imx_uart_writel(sport, ucr4, UCR4);
+       spin_unlock_irqrestore(&sport->port.lock, flags);
+-- 
+2.34.1
+
diff --git a/queue-5.16/tty-serial-uartlite-allow-64-bit-address.patch b/queue-5.16/tty-serial-uartlite-allow-64-bit-address.patch
new file mode 100644 (file)
index 0000000..da420bb
--- /dev/null
@@ -0,0 +1,39 @@
+From e473cddf2caf0b2d41ff17cb016839cc937aac65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 12:23:02 -0800
+Subject: tty: serial: uartlite: allow 64 bit address
+
+From: Lizhi Hou <lizhi.hou@xilinx.com>
+
+[ Upstream commit 3672fb65155530b5eea6225685c75329b6debec3 ]
+
+The base address of uartlite registers could be 64 bit address which is from
+device resource. When ulite_probe() calls ulite_assign(), this 64 bit
+address is casted to 32-bit. The fix is to replace "u32" type with
+"phys_addr_t" type for the base address in ulite_assign() argument list.
+
+Fixes: 8fa7b6100693 ("[POWERPC] Uartlite: Separate the bus binding from the driver proper")
+Signed-off-by: Lizhi Hou <lizhi.hou@xilinx.com>
+Link: https://lore.kernel.org/r/20211129202302.1319033-1-lizhi.hou@xilinx.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/uartlite.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c
+index d3d9566e5dbdf..e1fa52d31474f 100644
+--- a/drivers/tty/serial/uartlite.c
++++ b/drivers/tty/serial/uartlite.c
+@@ -626,7 +626,7 @@ static struct uart_driver ulite_uart_driver = {
+  *
+  * Returns: 0 on success, <0 otherwise
+  */
+-static int ulite_assign(struct device *dev, int id, u32 base, int irq,
++static int ulite_assign(struct device *dev, int id, phys_addr_t base, int irq,
+                       struct uartlite_data *pdata)
+ {
+       struct uart_port *port;
+-- 
+2.34.1
+
diff --git a/queue-5.16/udf-fix-error-handling-in-udf_new_inode.patch b/queue-5.16/udf-fix-error-handling-in-udf_new_inode.patch
new file mode 100644 (file)
index 0000000..e9e938d
--- /dev/null
@@ -0,0 +1,45 @@
+From d833e590bd2db22351bf56cfc73dfdb7533e8b05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Dec 2021 11:04:29 +0100
+Subject: udf: Fix error handling in udf_new_inode()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit f05f2429eec60851b98bdde213de31dab697c01b ]
+
+When memory allocation of iinfo or block allocation fails, already
+allocated struct udf_inode_info gets freed with iput() and
+udf_evict_inode() may look at inode fields which are not properly
+initialized. Fix it by marking inode bad before dropping reference to it
+in udf_new_inode().
+
+Reported-by: syzbot+9ca499bb57a2b9e4c652@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/ialloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/udf/ialloc.c b/fs/udf/ialloc.c
+index 2ecf0e87660e3..b5d611cee749c 100644
+--- a/fs/udf/ialloc.c
++++ b/fs/udf/ialloc.c
+@@ -77,6 +77,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode)
+                                       GFP_KERNEL);
+       }
+       if (!iinfo->i_data) {
++              make_bad_inode(inode);
+               iput(inode);
+               return ERR_PTR(-ENOMEM);
+       }
+@@ -86,6 +87,7 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode)
+                             dinfo->i_location.partitionReferenceNum,
+                             start, &err);
+       if (err) {
++              make_bad_inode(inode);
+               iput(inode);
+               return ERR_PTR(err);
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/uio-uio_dmem_genirq-catch-the-exception.patch b/queue-5.16/uio-uio_dmem_genirq-catch-the-exception.patch
new file mode 100644 (file)
index 0000000..68634c5
--- /dev/null
@@ -0,0 +1,41 @@
+From a49d3cbe866c53f38d3e20489c9404a6dc72b3c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Dec 2021 08:03:26 +0800
+Subject: uio: uio_dmem_genirq: Catch the Exception
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit eec91694f927d1026974444eb6a3adccd4f1cbc2 ]
+
+The return value of dma_set_coherent_mask() is not always 0.
+To catch the exception in case that dma is not support the mask.
+
+Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20211204000326.1592687-1-jiasheng@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/uio/uio_dmem_genirq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
+index 6b5cfa5b06733..1106f33764047 100644
+--- a/drivers/uio/uio_dmem_genirq.c
++++ b/drivers/uio/uio_dmem_genirq.c
+@@ -188,7 +188,11 @@ static int uio_dmem_genirq_probe(struct platform_device *pdev)
+               return -ENOMEM;
+       }
+-      dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
++      ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
++      if (ret) {
++              dev_err(&pdev->dev, "DMA enable failed\n");
++              return ret;
++      }
+       priv->uioinfo = uioinfo;
+       spin_lock_init(&priv->lock);
+-- 
+2.34.1
+
diff --git a/queue-5.16/um-fix-ndelay-udelay-defines.patch b/queue-5.16/um-fix-ndelay-udelay-defines.patch
new file mode 100644 (file)
index 0000000..e6d363b
--- /dev/null
@@ -0,0 +1,46 @@
+From c0d3116dd28a0d7c325ad2e94baa8d4878e7c8fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 09:27:53 +0200
+Subject: um: fix ndelay/udelay defines
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 5f8539e2ff962e25b57742ca7106456403abbc94 ]
+
+Many places in the kernel use 'udelay' as an identifier, and
+are broken with the current "#define udelay um_udelay". Fix
+this by adding an argument to the macro, and do the same to
+'ndelay' as well, just in case.
+
+Fixes: 0bc8fb4dda2b ("um: Implement ndelay/udelay in time-travel mode")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/asm/delay.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/include/asm/delay.h b/arch/um/include/asm/delay.h
+index 56fc2b8f2dd01..e79b2ab6f40c8 100644
+--- a/arch/um/include/asm/delay.h
++++ b/arch/um/include/asm/delay.h
+@@ -14,7 +14,7 @@ static inline void um_ndelay(unsigned long nsecs)
+       ndelay(nsecs);
+ }
+ #undef ndelay
+-#define ndelay um_ndelay
++#define ndelay(n) um_ndelay(n)
+ static inline void um_udelay(unsigned long usecs)
+ {
+@@ -26,5 +26,5 @@ static inline void um_udelay(unsigned long usecs)
+       udelay(usecs);
+ }
+ #undef udelay
+-#define udelay um_udelay
++#define udelay(n) um_udelay(n)
+ #endif /* __UM_DELAY_H */
+-- 
+2.34.1
+
diff --git a/queue-5.16/um-registers-rename-function-names-to-avoid-conflict.patch b/queue-5.16/um-registers-rename-function-names-to-avoid-conflict.patch
new file mode 100644 (file)
index 0000000..30e2a0a
--- /dev/null
@@ -0,0 +1,104 @@
+From 0ba91132c9733c718c2fc3d65123f56652645259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Sep 2021 23:12:52 -0700
+Subject: um: registers: Rename function names to avoid conflicts and build
+ problems
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 077b7320942b64b0da182aefd83c374462a65535 ]
+
+The function names init_registers() and restore_registers() are used
+in several net/ethernet/ and gpu/drm/ drivers for other purposes (not
+calls to UML functions), so rename them.
+
+This fixes multiple build errors.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Jeff Dike <jdike@addtoit.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Cc: linux-um@lists.infradead.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/shared/registers.h | 4 ++--
+ arch/um/os-Linux/registers.c       | 4 ++--
+ arch/um/os-Linux/start_up.c        | 2 +-
+ arch/x86/um/syscalls_64.c          | 3 ++-
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/arch/um/include/shared/registers.h b/arch/um/include/shared/registers.h
+index 0c50fa6e8a55b..fbb709a222839 100644
+--- a/arch/um/include/shared/registers.h
++++ b/arch/um/include/shared/registers.h
+@@ -16,8 +16,8 @@ extern int restore_fp_registers(int pid, unsigned long *fp_regs);
+ extern int save_fpx_registers(int pid, unsigned long *fp_regs);
+ extern int restore_fpx_registers(int pid, unsigned long *fp_regs);
+ extern int save_registers(int pid, struct uml_pt_regs *regs);
+-extern int restore_registers(int pid, struct uml_pt_regs *regs);
+-extern int init_registers(int pid);
++extern int restore_pid_registers(int pid, struct uml_pt_regs *regs);
++extern int init_pid_registers(int pid);
+ extern void get_safe_registers(unsigned long *regs, unsigned long *fp_regs);
+ extern unsigned long get_thread_reg(int reg, jmp_buf *buf);
+ extern int get_fp_registers(int pid, unsigned long *regs);
+diff --git a/arch/um/os-Linux/registers.c b/arch/um/os-Linux/registers.c
+index 2d9270508e156..b123955be7acc 100644
+--- a/arch/um/os-Linux/registers.c
++++ b/arch/um/os-Linux/registers.c
+@@ -21,7 +21,7 @@ int save_registers(int pid, struct uml_pt_regs *regs)
+       return 0;
+ }
+-int restore_registers(int pid, struct uml_pt_regs *regs)
++int restore_pid_registers(int pid, struct uml_pt_regs *regs)
+ {
+       int err;
+@@ -36,7 +36,7 @@ int restore_registers(int pid, struct uml_pt_regs *regs)
+ static unsigned long exec_regs[MAX_REG_NR];
+ static unsigned long exec_fp_regs[FP_SIZE];
+-int init_registers(int pid)
++int init_pid_registers(int pid)
+ {
+       int err;
+diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c
+index 8a72c99994eb1..e3ee4db58b40d 100644
+--- a/arch/um/os-Linux/start_up.c
++++ b/arch/um/os-Linux/start_up.c
+@@ -368,7 +368,7 @@ void __init os_early_checks(void)
+       check_tmpexec();
+       pid = start_ptraced_child();
+-      if (init_registers(pid))
++      if (init_pid_registers(pid))
+               fatal("Failed to initialize default registers");
+       stop_ptraced_child(pid, 1, 1);
+ }
+diff --git a/arch/x86/um/syscalls_64.c b/arch/x86/um/syscalls_64.c
+index 58f51667e2e4b..8249685b40960 100644
+--- a/arch/x86/um/syscalls_64.c
++++ b/arch/x86/um/syscalls_64.c
+@@ -11,6 +11,7 @@
+ #include <linux/uaccess.h>
+ #include <asm/prctl.h> /* XXX This should get the constants from libc */
+ #include <os.h>
++#include <registers.h>
+ long arch_prctl(struct task_struct *task, int option,
+               unsigned long __user *arg2)
+@@ -35,7 +36,7 @@ long arch_prctl(struct task_struct *task, int option,
+       switch (option) {
+       case ARCH_SET_FS:
+       case ARCH_SET_GS:
+-              ret = restore_registers(pid, &current->thread.regs.regs);
++              ret = restore_pid_registers(pid, &current->thread.regs.regs);
+               if (ret)
+                       return ret;
+               break;
+-- 
+2.34.1
+
diff --git a/queue-5.16/um-rename-set_signals-to-um_set_signals.patch b/queue-5.16/um-rename-set_signals-to-um_set_signals.patch
new file mode 100644 (file)
index 0000000..095b5c9
--- /dev/null
@@ -0,0 +1,166 @@
+From f709924a66bc2cb12d81f9f4fb2e5d2c29df21fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 09:11:15 +0200
+Subject: um: rename set_signals() to um_set_signals()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit bbe33504d4a7fdab9011211e55e262c869b3f6cc ]
+
+Rename set_signals() as there's at least one driver that
+uses the same name and can now be built on UM due to PCI
+support, and thus we can get symbol conflicts.
+
+Also rename set_signals_trace() to be consistent.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/asm/irqflags.h   | 4 ++--
+ arch/um/include/shared/longjmp.h | 2 +-
+ arch/um/include/shared/os.h      | 4 ++--
+ arch/um/kernel/ksyms.c           | 2 +-
+ arch/um/os-Linux/sigio.c         | 6 +++---
+ arch/um/os-Linux/signal.c        | 8 ++++----
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/arch/um/include/asm/irqflags.h b/arch/um/include/asm/irqflags.h
+index dab5744e9253d..1e69ef5bc35e0 100644
+--- a/arch/um/include/asm/irqflags.h
++++ b/arch/um/include/asm/irqflags.h
+@@ -3,7 +3,7 @@
+ #define __UM_IRQFLAGS_H
+ extern int signals_enabled;
+-int set_signals(int enable);
++int um_set_signals(int enable);
+ void block_signals(void);
+ void unblock_signals(void);
+@@ -16,7 +16,7 @@ static inline unsigned long arch_local_save_flags(void)
+ #define arch_local_irq_restore arch_local_irq_restore
+ static inline void arch_local_irq_restore(unsigned long flags)
+ {
+-      set_signals(flags);
++      um_set_signals(flags);
+ }
+ #define arch_local_irq_enable arch_local_irq_enable
+diff --git a/arch/um/include/shared/longjmp.h b/arch/um/include/shared/longjmp.h
+index bdb2869b72b31..8863319039f3d 100644
+--- a/arch/um/include/shared/longjmp.h
++++ b/arch/um/include/shared/longjmp.h
+@@ -18,7 +18,7 @@ extern void longjmp(jmp_buf, int);
+       enable = *(volatile int *)&signals_enabled;     \
+       n = setjmp(*buf);                               \
+       if(n != 0)                                      \
+-              set_signals_trace(enable);              \
++              um_set_signals_trace(enable);           \
+       n; })
+ #endif
+diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
+index 96d400387c93e..03ffbdddcc480 100644
+--- a/arch/um/include/shared/os.h
++++ b/arch/um/include/shared/os.h
+@@ -238,8 +238,8 @@ extern void send_sigio_to_self(void);
+ extern int change_sig(int signal, int on);
+ extern void block_signals(void);
+ extern void unblock_signals(void);
+-extern int set_signals(int enable);
+-extern int set_signals_trace(int enable);
++extern int um_set_signals(int enable);
++extern int um_set_signals_trace(int enable);
+ extern int os_is_signal_stack(void);
+ extern void deliver_alarm(void);
+ extern void register_pm_wake_signal(void);
+diff --git a/arch/um/kernel/ksyms.c b/arch/um/kernel/ksyms.c
+index b1e5634398d09..3a85bde3e1734 100644
+--- a/arch/um/kernel/ksyms.c
++++ b/arch/um/kernel/ksyms.c
+@@ -6,7 +6,7 @@
+ #include <linux/module.h>
+ #include <os.h>
+-EXPORT_SYMBOL(set_signals);
++EXPORT_SYMBOL(um_set_signals);
+ EXPORT_SYMBOL(signals_enabled);
+ EXPORT_SYMBOL(os_stat_fd);
+diff --git a/arch/um/os-Linux/sigio.c b/arch/um/os-Linux/sigio.c
+index 6597ea1986ffa..9e71794839e87 100644
+--- a/arch/um/os-Linux/sigio.c
++++ b/arch/um/os-Linux/sigio.c
+@@ -132,7 +132,7 @@ static void update_thread(void)
+       int n;
+       char c;
+-      flags = set_signals_trace(0);
++      flags = um_set_signals_trace(0);
+       CATCH_EINTR(n = write(sigio_private[0], &c, sizeof(c)));
+       if (n != sizeof(c)) {
+               printk(UM_KERN_ERR "update_thread : write failed, err = %d\n",
+@@ -147,7 +147,7 @@ static void update_thread(void)
+               goto fail;
+       }
+-      set_signals_trace(flags);
++      um_set_signals_trace(flags);
+       return;
+  fail:
+       /* Critical section start */
+@@ -161,7 +161,7 @@ static void update_thread(void)
+       close(write_sigio_fds[0]);
+       close(write_sigio_fds[1]);
+       /* Critical section end */
+-      set_signals_trace(flags);
++      um_set_signals_trace(flags);
+ }
+ int __add_sigio_fd(int fd)
+diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c
+index 6cf098c23a394..24a403a70a020 100644
+--- a/arch/um/os-Linux/signal.c
++++ b/arch/um/os-Linux/signal.c
+@@ -94,7 +94,7 @@ void sig_handler(int sig, struct siginfo *si, mcontext_t *mc)
+       sig_handler_common(sig, si, mc);
+-      set_signals_trace(enabled);
++      um_set_signals_trace(enabled);
+ }
+ static void timer_real_alarm_handler(mcontext_t *mc)
+@@ -126,7 +126,7 @@ void timer_alarm_handler(int sig, struct siginfo *unused_si, mcontext_t *mc)
+       signals_active &= ~SIGALRM_MASK;
+-      set_signals_trace(enabled);
++      um_set_signals_trace(enabled);
+ }
+ void deliver_alarm(void) {
+@@ -348,7 +348,7 @@ void unblock_signals(void)
+       }
+ }
+-int set_signals(int enable)
++int um_set_signals(int enable)
+ {
+       int ret;
+       if (signals_enabled == enable)
+@@ -362,7 +362,7 @@ int set_signals(int enable)
+       return ret;
+ }
+-int set_signals_trace(int enable)
++int um_set_signals_trace(int enable)
+ {
+       int ret;
+       if (signals_enabled == enable)
+-- 
+2.34.1
+
diff --git a/queue-5.16/um-virt-pci-fix-32-bit-compile.patch b/queue-5.16/um-virt-pci-fix-32-bit-compile.patch
new file mode 100644 (file)
index 0000000..b55bd96
--- /dev/null
@@ -0,0 +1,56 @@
+From cfe101a24441b2cfbc804c6869ccc01f539f8659 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 20:30:20 +0200
+Subject: um: virt-pci: Fix 32-bit compile
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d73820df6437b5d0a57be53faf39db46a0264b3a ]
+
+There were a few 32-bit compile warnings that of course
+turned into errors with -Werror, fix the 32-bit build.
+
+Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver")
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/virt-pci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/um/drivers/virt-pci.c b/arch/um/drivers/virt-pci.c
+index c080666330234..0ab58016db22f 100644
+--- a/arch/um/drivers/virt-pci.c
++++ b/arch/um/drivers/virt-pci.c
+@@ -181,15 +181,15 @@ static unsigned long um_pci_cfgspace_read(void *priv, unsigned int offset,
+       /* buf->data is maximum size - we may only use parts of it */
+       struct um_pci_message_buffer *buf;
+       u8 *data;
+-      unsigned long ret = ~0ULL;
++      unsigned long ret = ULONG_MAX;
+       if (!dev)
+-              return ~0ULL;
++              return ULONG_MAX;
+       buf = get_cpu_var(um_pci_msg_bufs);
+       data = buf->data;
+-      memset(data, 0xff, sizeof(data));
++      memset(buf->data, 0xff, sizeof(buf->data));
+       switch (size) {
+       case 1:
+@@ -304,7 +304,7 @@ static unsigned long um_pci_bar_read(void *priv, unsigned int offset,
+       /* buf->data is maximum size - we may only use parts of it */
+       struct um_pci_message_buffer *buf;
+       u8 *data;
+-      unsigned long ret = ~0ULL;
++      unsigned long ret = ULONG_MAX;
+       buf = get_cpu_var(um_pci_msg_bufs);
+       data = buf->data;
+-- 
+2.34.1
+
diff --git a/queue-5.16/um-virtio_uml-fix-time-travel-external-time-propagat.patch b/queue-5.16/um-virtio_uml-fix-time-travel-external-time-propagat.patch
new file mode 100644 (file)
index 0000000..a1cbb28
--- /dev/null
@@ -0,0 +1,59 @@
+From 00a9dfe8452871d3417f530c544159d6018bce9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 13:09:22 +0200
+Subject: um: virtio_uml: Fix time-travel external time propagation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 85e73968a040c642fd38f6cba5b73b61f5d0f052 ]
+
+When creating an external event, the current time needs to
+be propagated to other participants of a simulation. This
+is done in the places here where we kick a virtq etc.
+
+However, it must be done for _all_ external events, and
+that includes making the initial socket connection and
+later closing it. Call time_travel_propagate_time() to do
+this before making or closing the socket connection.
+
+Apparently, at least for the initial connection creation,
+due to the remote side in my use cases using microseconds
+(rather than nanoseconds), this wasn't a problem yet; only
+started failing between 5.14-rc1 and 5.15-rc1 (didn't test
+others much), or possibly depending on the configuration,
+where more delays happen before the virtio devices are
+initialized.
+
+Fixes: 88ce64249233 ("um: Implement time-travel=ext")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/virtio_uml.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c
+index d51e445df7976..7755cb4ff9fc6 100644
+--- a/arch/um/drivers/virtio_uml.c
++++ b/arch/um/drivers/virtio_uml.c
+@@ -1090,6 +1090,8 @@ static void virtio_uml_release_dev(struct device *d)
+                       container_of(d, struct virtio_device, dev);
+       struct virtio_uml_device *vu_dev = to_virtio_uml_device(vdev);
++      time_travel_propagate_time();
++
+       /* might not have been opened due to not negotiating the feature */
+       if (vu_dev->req_fd >= 0) {
+               um_free_irq(vu_dev->irq, vu_dev);
+@@ -1136,6 +1138,8 @@ static int virtio_uml_probe(struct platform_device *pdev)
+       vu_dev->pdev = pdev;
+       vu_dev->req_fd = -1;
++      time_travel_propagate_time();
++
+       do {
+               rc = os_connect_socket(pdata->socket_path);
+       } while (rc == -EINTR);
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-dwc2-do-not-gate-off-the-hardware-if-it-does-not.patch b/queue-5.16/usb-dwc2-do-not-gate-off-the-hardware-if-it-does-not.patch
new file mode 100644 (file)
index 0000000..c674c42
--- /dev/null
@@ -0,0 +1,46 @@
+From 10611078bb5218cf69a8610e50543b30ca59176b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 07:59:22 -0600
+Subject: usb: dwc2: do not gate off the hardware if it does not support clock
+ gating
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+[ Upstream commit 34146c68083f1aef6709196b3dc888c1ceffd357 ]
+
+We should not be clearing the HCD_FLAG_HW_ACCESSIBLE bit if the hardware
+does not support clock gating.
+
+Fixes: 50fb0c128b6e ("usb: dwc2: Add clock gating entering flow by system suspend")
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Link: https://lore.kernel.org/r/20220104135922.734776-1-dinguyen@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/hcd.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c
+index 13c779a28e94f..f63a27d11fac8 100644
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -4399,11 +4399,12 @@ static int _dwc2_hcd_suspend(struct usb_hcd *hcd)
+                * If not hibernation nor partial power down are supported,
+                * clock gating is used to save power.
+                */
+-              if (!hsotg->params.no_clock_gating)
++              if (!hsotg->params.no_clock_gating) {
+                       dwc2_host_enter_clock_gating(hsotg);
+-              /* After entering suspend, hardware is not accessible */
+-              clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
++                      /* After entering suspend, hardware is not accessible */
++                      clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
++              }
+               break;
+       default:
+               goto skip_power_saving;
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-dwc2-gadget-initialize-max_speed-from-params.patch b/queue-5.16/usb-dwc2-gadget-initialize-max_speed-from-params.patch
new file mode 100644 (file)
index 0000000..445b5e3
--- /dev/null
@@ -0,0 +1,58 @@
+From 0fcdcd37476910b9c4a6a48a7eeeaa0c489a0577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 11:57:31 +0000
+Subject: usb: dwc2: gadget: initialize max_speed from params
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit 92ef98a4caacad6d4a1490dda45d81ae5ccf5bc9 ]
+
+DWC2 may be paired with a full-speed PHY which is not capable of
+high-speed operation.  Report this correctly to the gadget core by
+setting max_speed from the core parameters.
+
+Prior to commit 5324bad66f09f ("usb: dwc2: gadget: implement
+udc_set_speed()") this didn't cause the hardware to be configured
+incorrectly, although the speed may have been reported incorrectly.  But
+after that commit params.speed is updated based on a value passed in by
+the gadget core which may set it to a faster speed than is supported by
+the hardware.  Initialising the max_speed parameter ensures the speed
+passed to dwc2_gadget_set_speed() will be one supported by the hardware.
+
+Fixes: 5324bad66f09f ("usb: dwc2: gadget: implement udc_set_speed()")
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: John Keeping <john@metanate.com>
+Link: https://lore.kernel.org/r/20220106115731.1473909-1-john@metanate.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/gadget.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
+index ab8d7dad9f567..43cf49c4e5e59 100644
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -4974,7 +4974,18 @@ int dwc2_gadget_init(struct dwc2_hsotg *hsotg)
+               hsotg->params.g_np_tx_fifo_size);
+       dev_dbg(dev, "RXFIFO size: %d\n", hsotg->params.g_rx_fifo_size);
+-      hsotg->gadget.max_speed = USB_SPEED_HIGH;
++      switch (hsotg->params.speed) {
++      case DWC2_SPEED_PARAM_LOW:
++              hsotg->gadget.max_speed = USB_SPEED_LOW;
++              break;
++      case DWC2_SPEED_PARAM_FULL:
++              hsotg->gadget.max_speed = USB_SPEED_FULL;
++              break;
++      default:
++              hsotg->gadget.max_speed = USB_SPEED_HIGH;
++              break;
++      }
++
+       hsotg->gadget.ops = &dwc2_hsotg_gadget_ops;
+       hsotg->gadget.name = dev_name(dev);
+       hsotg->gadget.otg_caps = &hsotg->params.otg_caps;
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-dwc3-meson-g12a-fix-shared-reset-control-use.patch b/queue-5.16/usb-dwc3-meson-g12a-fix-shared-reset-control-use.patch
new file mode 100644 (file)
index 0000000..6ee93cc
--- /dev/null
@@ -0,0 +1,97 @@
+From 2bfabea03ae3db0bafb3814f19135957aaab670d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 17:28:26 +0100
+Subject: usb: dwc3: meson-g12a: fix shared reset control use
+
+From: Amjad Ouled-Ameur <aouledameur@baylibre.com>
+
+[ Upstream commit 4ce3b45704d5ef46fb4b28083c8aba6716fabf3b ]
+
+reset_control_(de)assert() calls are called on a shared reset line when
+reset_control_reset has been used. This is not allowed by the reset
+framework.
+
+Use reset_control_rearm() call in suspend() and remove() as a way to state
+that the resource is no longer used, hence the shared reset line
+may be triggered again by other devices. Use reset_control_rearm() also in
+case probe fails after reset() has been called.
+
+reset_control_rearm() keeps use of triggered_count sane in the reset
+framework, use of reset_control_reset() on shared reset line should be
+balanced with reset_control_rearm().
+
+Signed-off-by: Amjad Ouled-Ameur <aouledameur@baylibre.com>
+Reported-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20211112162827.128319-3-aouledameur@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-meson-g12a.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-meson-g12a.c b/drivers/usb/dwc3/dwc3-meson-g12a.c
+index d0f9b7c296b0d..bd814df3bf8b8 100644
+--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
++++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
+@@ -755,16 +755,16 @@ static int dwc3_meson_g12a_probe(struct platform_device *pdev)
+       ret = dwc3_meson_g12a_get_phys(priv);
+       if (ret)
+-              goto err_disable_clks;
++              goto err_rearm;
+       ret = priv->drvdata->setup_regmaps(priv, base);
+       if (ret)
+-              goto err_disable_clks;
++              goto err_rearm;
+       if (priv->vbus) {
+               ret = regulator_enable(priv->vbus);
+               if (ret)
+-                      goto err_disable_clks;
++                      goto err_rearm;
+       }
+       /* Get dr_mode */
+@@ -825,6 +825,9 @@ err_disable_regulator:
+       if (priv->vbus)
+               regulator_disable(priv->vbus);
++err_rearm:
++      reset_control_rearm(priv->reset);
++
+ err_disable_clks:
+       clk_bulk_disable_unprepare(priv->drvdata->num_clks,
+                                  priv->drvdata->clks);
+@@ -852,6 +855,8 @@ static int dwc3_meson_g12a_remove(struct platform_device *pdev)
+       pm_runtime_put_noidle(dev);
+       pm_runtime_set_suspended(dev);
++      reset_control_rearm(priv->reset);
++
+       clk_bulk_disable_unprepare(priv->drvdata->num_clks,
+                                  priv->drvdata->clks);
+@@ -892,7 +897,7 @@ static int __maybe_unused dwc3_meson_g12a_suspend(struct device *dev)
+               phy_exit(priv->phys[i]);
+       }
+-      reset_control_assert(priv->reset);
++      reset_control_rearm(priv->reset);
+       return 0;
+ }
+@@ -902,7 +907,9 @@ static int __maybe_unused dwc3_meson_g12a_resume(struct device *dev)
+       struct dwc3_meson_g12a *priv = dev_get_drvdata(dev);
+       int i, ret;
+-      reset_control_deassert(priv->reset);
++      ret = reset_control_reset(priv->reset);
++      if (ret)
++              return ret;
+       ret = priv->drvdata->usb_init(priv);
+       if (ret)
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch b/queue-5.16/usb-dwc3-qcom-fix-null-vs-is_err-checking-in-dwc3_qc.patch
new file mode 100644 (file)
index 0000000..bc2b976
--- /dev/null
@@ -0,0 +1,44 @@
+From a6e932ade4fc64c7f8321303407ba464ec29c89a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 11:18:23 +0000
+Subject: usb: dwc3: qcom: Fix NULL vs IS_ERR checking in dwc3_qcom_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit b52fe2dbb3e655eb1483000adfab68a219549e13 ]
+
+Since the acpi_create_platform_device() function may return error
+pointers, dwc3_qcom_create_urs_usb_platdev() function may return error
+pointers too. Using IS_ERR_OR_NULL() to check the return value to fix this.
+
+Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20211222111823.22887-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 3cb01cdd02c29..b81a9e1c13153 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -769,9 +769,12 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+               if (qcom->acpi_pdata->is_urs) {
+                       qcom->urs_usb = dwc3_qcom_create_urs_usb_platdev(dev);
+-                      if (!qcom->urs_usb) {
++                      if (IS_ERR_OR_NULL(qcom->urs_usb)) {
+                               dev_err(dev, "failed to create URS USB platdev\n");
+-                              return -ENODEV;
++                              if (!qcom->urs_usb)
++                                      return -ENODEV;
++                              else
++                                      return PTR_ERR(qcom->urs_usb);
+                       }
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-ehci_brcm_hub_control-improve-port-index-sanitiz.patch b/queue-5.16/usb-ehci_brcm_hub_control-improve-port-index-sanitiz.patch
new file mode 100644 (file)
index 0000000..76bb515
--- /dev/null
@@ -0,0 +1,45 @@
+From 619c06a339bba27c30905f4eef6831ca2c2691e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Nov 2021 11:53:20 -0500
+Subject: USB: ehci_brcm_hub_control: Improve port index sanitizing
+
+From: Haimin Zhang <tcs.kernel@gmail.com>
+
+[ Upstream commit 9933698f6119886c110750e67c10ac66f12b730f ]
+
+Due to (wIndex & 0xff) - 1 can get an integer greater than 15, this
+can cause array index to be out of bounds since the size of array
+port_status is 15. This change prevents a possible out-of-bounds
+pointer computation by forcing the use of a valid port number.
+
+Reported-by: TCS Robot <tcs_robot@tencent.com>
+Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20211113165320.GA59686@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ehci-brcm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/ehci-brcm.c b/drivers/usb/host/ehci-brcm.c
+index d3626bfa966b4..6a0f64c9e5e88 100644
+--- a/drivers/usb/host/ehci-brcm.c
++++ b/drivers/usb/host/ehci-brcm.c
+@@ -62,8 +62,12 @@ static int ehci_brcm_hub_control(
+       u32 __iomem     *status_reg;
+       unsigned long flags;
+       int retval, irq_disabled = 0;
++      u32 temp;
+-      status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1];
++      temp = (wIndex & 0xff) - 1;
++      if (temp >= HCS_N_PORTS_MAX)    /* Avoid index-out-of-bounds warning */
++              temp = 0;
++      status_reg = &ehci->regs->port_status[temp];
+       /*
+        * RESUME is cleared when GetPortStatus() is called 20ms after start
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch b/queue-5.16/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch
new file mode 100644 (file)
index 0000000..f1db7fe
--- /dev/null
@@ -0,0 +1,52 @@
+From 5e113e87372fddca6577c5678c2e5ed1063bda34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 16:34:28 +0800
+Subject: usb: ftdi-elan: fix memory leak on device disconnect
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 1646566b5e0c556f779180a8514e521ac735de1e ]
+
+'ftdi' is alloced when probe device, but not free on device disconnect,
+this cause a memory leak as follows:
+
+unreferenced object 0xffff88800d584000 (size 8400):
+  comm "kworker/0:2", pid 3809, jiffies 4295453055 (age 13.784s)
+  hex dump (first 32 bytes):
+    00 40 58 0d 80 88 ff ff 00 40 58 0d 80 88 ff ff  .@X......@X.....
+    00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
+  backtrace:
+    [<000000000d47f947>] kmalloc_order_trace+0x19/0x110 mm/slab_common.c:960
+    [<000000008548ac68>] ftdi_elan_probe+0x8c/0x880 drivers/usb/misc/ftdi-elan.c:2647
+    [<000000007f73e422>] usb_probe_interface+0x31b/0x800 drivers/usb/core/driver.c:396
+    [<00000000fe8d07fc>] really_probe+0x299/0xc30 drivers/base/dd.c:517
+    [<0000000005da7d32>] __driver_probe_device+0x357/0x500 drivers/base/dd.c:751
+    [<000000003c2c9579>] driver_probe_device+0x4e/0x140 drivers/base/dd.c:781
+
+Fix it by freeing 'ftdi' after nobody use it.
+
+Fixes: a5c66e4b2418 ("USB: ftdi-elan: client driver for ELAN Uxxx adapters")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20211217083428.2441-1-weiyongjun1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/ftdi-elan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c
+index e5a8fcdbb78e7..6c38c62d29b26 100644
+--- a/drivers/usb/misc/ftdi-elan.c
++++ b/drivers/usb/misc/ftdi-elan.c
+@@ -202,6 +202,7 @@ static void ftdi_elan_delete(struct kref *kref)
+       mutex_unlock(&ftdi_module_lock);
+       kfree(ftdi->bulk_in_buffer);
+       ftdi->bulk_in_buffer = NULL;
++      kfree(ftdi);
+ }
+ static void ftdi_elan_put_kref(struct usb_ftdi *ftdi)
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch b/queue-5.16/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch
new file mode 100644 (file)
index 0000000..829020a
--- /dev/null
@@ -0,0 +1,65 @@
+From fcb983b72464b146ee228c4e737ae307e738a3da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 15:54:40 +0530
+Subject: usb: gadget: f_fs: Use stream_open() for endpoint files
+
+From: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+
+[ Upstream commit c76ef96fc00eb398c8fc836b0eb2f82bcc619dc7 ]
+
+Function fs endpoint file operations are synchronized via an interruptible
+mutex wait. However we see threads that do ep file operations concurrently
+are getting blocked for the mutex lock in __fdget_pos(). This is an
+uninterruptible wait and we see hung task warnings and kernel panic
+if hung_task_panic systcl is enabled if host does not send/receive
+the data for long time.
+
+The reason for threads getting blocked in __fdget_pos() is due to
+the file position protection introduced by the commit 9c225f2655e3
+("vfs: atomic f_pos accesses as per POSIX"). Since function fs
+endpoint files does not have the notion of the file position, switch
+to the stream mode. This will bypass the file position mutex and
+threads will be blocked in interruptible state for the function fs
+mutex.
+
+It should not affects user space as we are only changing the task state
+changes the task state from UNINTERRUPTIBLE to INTERRUPTIBLE while waiting
+for the USB transfers to be finished. However there is a slight change to
+the O_NONBLOCK behavior. Earlier threads that are using O_NONBLOCK are also
+getting blocked inside fdget_pos(). Now they reach to function fs and error
+code is returned. The non blocking behavior is actually honoured now.
+
+Reviewed-by: John Keeping <john@metanate.com>
+Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+Link: https://lore.kernel.org/r/1636712682-1226-1-git-send-email-quic_pkondeti@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index a7e069b185448..25ad1e97a4585 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -614,7 +614,7 @@ static int ffs_ep0_open(struct inode *inode, struct file *file)
+       file->private_data = ffs;
+       ffs_data_opened(ffs);
+-      return 0;
++      return stream_open(inode, file);
+ }
+ static int ffs_ep0_release(struct inode *inode, struct file *file)
+@@ -1154,7 +1154,7 @@ ffs_epfile_open(struct inode *inode, struct file *file)
+       file->private_data = epfile;
+       ffs_data_opened(epfile->ffs);
+-      return 0;
++      return stream_open(inode, file);
+ }
+ static int ffs_aio_cancel(struct kiocb *kiocb)
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-gadget-u_audio-fix-calculations-for-small-binter.patch b/queue-5.16/usb-gadget-u_audio-fix-calculations-for-small-binter.patch
new file mode 100644 (file)
index 0000000..4939095
--- /dev/null
@@ -0,0 +1,111 @@
+From f4c0a4a4986c4471cb76b68e15a9df55704d75aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jan 2022 18:32:42 +0000
+Subject: usb: gadget: u_audio: fix calculations for small bInterval
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit f2f69bf65df12176843ca11eab99949ba69e128b ]
+
+If bInterval is 1, then p_interval is 8000 and p_interval_mil is 8E9,
+which is too big for a 32-bit value.  While the storage is indeed
+64-bit, this value is used as the divisor in do_div() which will
+truncate it into a uint32_t leading to incorrect calculated values.
+
+Switch back to keeping the base value in struct snd_uac_chip which fits
+easily into an int, meaning that the division can be done in two steps
+with the divisor fitting safely into a uint32_t on both steps.
+
+Fixes: 6fec018a7e70 ("usb: gadget: u_audio.c: Adding Playback Pitch ctl for sync playback")
+Tested-by: Pavel Hofman <pavel.hofman@ivitera.com>
+Signed-off-by: John Keeping <john@metanate.com>
+Link: https://lore.kernel.org/r/20220104183243.718258-1-john@metanate.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_audio.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
+index c46400be54641..4fb05f9576a67 100644
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -76,8 +76,8 @@ struct snd_uac_chip {
+       struct snd_pcm *pcm;
+       /* pre-calculated values for playback iso completion */
+-      unsigned long long p_interval_mil;
+       unsigned long long p_residue_mil;
++      unsigned int p_interval;
+       unsigned int p_framesize;
+ };
+@@ -194,21 +194,24 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
+                * If there is a residue from this division, add it to the
+                * residue accumulator.
+                */
++              unsigned long long p_interval_mil = uac->p_interval * 1000000ULL;
++
+               pitched_rate_mil = (unsigned long long)
+                               params->p_srate * prm->pitch;
+               div_result = pitched_rate_mil;
+-              do_div(div_result, uac->p_interval_mil);
++              do_div(div_result, uac->p_interval);
++              do_div(div_result, 1000000);
+               frames = (unsigned int) div_result;
+               pr_debug("p_srate %d, pitch %d, interval_mil %llu, frames %d\n",
+-                              params->p_srate, prm->pitch, uac->p_interval_mil, frames);
++                              params->p_srate, prm->pitch, p_interval_mil, frames);
+               p_pktsize = min_t(unsigned int,
+                                       uac->p_framesize * frames,
+                                       ep->maxpacket);
+               if (p_pktsize < ep->maxpacket) {
+-                      residue_frames_mil = pitched_rate_mil - frames * uac->p_interval_mil;
++                      residue_frames_mil = pitched_rate_mil - frames * p_interval_mil;
+                       p_pktsize_residue_mil = uac->p_framesize * residue_frames_mil;
+               } else
+                       p_pktsize_residue_mil = 0;
+@@ -222,11 +225,11 @@ static void u_audio_iso_complete(struct usb_ep *ep, struct usb_request *req)
+                * size and decrease the accumulator.
+                */
+               div_result = uac->p_residue_mil;
+-              do_div(div_result, uac->p_interval_mil);
++              do_div(div_result, uac->p_interval);
++              do_div(div_result, 1000000);
+               if ((unsigned int) div_result >= uac->p_framesize) {
+                       req->length += uac->p_framesize;
+-                      uac->p_residue_mil -= uac->p_framesize *
+-                                         uac->p_interval_mil;
++                      uac->p_residue_mil -= uac->p_framesize * p_interval_mil;
+                       pr_debug("increased req length to %d\n", req->length);
+               }
+               pr_debug("remains uac->p_residue_mil %llu\n", uac->p_residue_mil);
+@@ -591,7 +594,7 @@ int u_audio_start_playback(struct g_audio *audio_dev)
+       unsigned int factor;
+       const struct usb_endpoint_descriptor *ep_desc;
+       int req_len, i;
+-      unsigned int p_interval, p_pktsize;
++      unsigned int p_pktsize;
+       ep = audio_dev->in_ep;
+       prm = &uac->p_prm;
+@@ -612,11 +615,10 @@ int u_audio_start_playback(struct g_audio *audio_dev)
+       /* pre-compute some values for iso_complete() */
+       uac->p_framesize = params->p_ssize *
+                           num_channels(params->p_chmask);
+-      p_interval = factor / (1 << (ep_desc->bInterval - 1));
+-      uac->p_interval_mil = (unsigned long long) p_interval * 1000000;
++      uac->p_interval = factor / (1 << (ep_desc->bInterval - 1));
+       p_pktsize = min_t(unsigned int,
+                               uac->p_framesize *
+-                                      (params->p_srate / p_interval),
++                                      (params->p_srate / uac->p_interval),
+                               ep->maxpacket);
+       req_len = p_pktsize;
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-gadget-u_audio-subdevice-0-for-capture-ctls.patch b/queue-5.16/usb-gadget-u_audio-subdevice-0-for-capture-ctls.patch
new file mode 100644 (file)
index 0000000..454a904
--- /dev/null
@@ -0,0 +1,46 @@
+From 6c93823d579ecf1d2667bb358e3352bc99868b91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 11:46:43 +0100
+Subject: usb: gadget: u_audio: Subdevice 0 for capture ctls
+
+From: Pavel Hofman <pavel.hofman@ivitera.com>
+
+[ Upstream commit 601a5bc1aeef772ab1f47582fd322957799f5ab5 ]
+
+Both capture and playback alsa devices use subdevice 0. Yet capture-side
+ctls are defined for subdevice 1. The patch sets subdevice 0 for them.
+
+Fixes: 02de698ca812 ("usb: gadget: u_audio: add bi-directional volume and mute support")
+Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
+Link: https://lore.kernel.org/r/20220105104643.90125-1-pavel.hofman@ivitera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_audio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/u_audio.c b/drivers/usb/gadget/function/u_audio.c
+index 4fb05f9576a67..4561d7a183ff4 100644
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -1147,7 +1147,7 @@ int g_audio_setup(struct g_audio *g_audio, const char *pcm_name,
+                       }
+                       kctl->id.device = pcm->device;
+-                      kctl->id.subdevice = i;
++                      kctl->id.subdevice = 0;
+                       err = snd_ctl_add(card, kctl);
+                       if (err < 0)
+@@ -1170,7 +1170,7 @@ int g_audio_setup(struct g_audio *g_audio, const char *pcm_name,
+                       }
+                       kctl->id.device = pcm->device;
+-                      kctl->id.subdevice = i;
++                      kctl->id.subdevice = 0;
+                       kctl->tlv.c = u_audio_volume_tlv;
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch b/queue-5.16/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch
new file mode 100644 (file)
index 0000000..bff5fb2
--- /dev/null
@@ -0,0 +1,97 @@
+From 178ef1b72ca5421ff0db3f1f976c24a45c6e1acc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Dec 2021 20:01:06 +0800
+Subject: usb: hub: Add delay for SuperSpeed hub resume to let links transit to
+ U0
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 00558586382891540c59c9febc671062425a6e47 ]
+
+When a new USB device gets plugged to nested hubs, the affected hub,
+which connects to usb 2-1.4-port2, doesn't report there's any change,
+hence the nested hubs go back to runtime suspend like nothing happened:
+[  281.032951] usb usb2: usb wakeup-resume
+[  281.032959] usb usb2: usb auto-resume
+[  281.032974] hub 2-0:1.0: hub_resume
+[  281.033011] usb usb2-port1: status 0263 change 0000
+[  281.033077] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000
+[  281.049797] usb 2-1: usb wakeup-resume
+[  281.069800] usb 2-1: Waited 0ms for CONNECT
+[  281.069810] usb 2-1: finish resume
+[  281.070026] hub 2-1:1.0: hub_resume
+[  281.070250] usb 2-1-port4: status 0203 change 0000
+[  281.070272] usb usb2-port1: resume, status 0
+[  281.070282] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000
+[  281.089813] usb 2-1.4: usb wakeup-resume
+[  281.109792] usb 2-1.4: Waited 0ms for CONNECT
+[  281.109801] usb 2-1.4: finish resume
+[  281.109991] hub 2-1.4:1.0: hub_resume
+[  281.110147] usb 2-1.4-port2: status 0263 change 0000
+[  281.110234] usb 2-1-port4: resume, status 0
+[  281.110239] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s
+[  281.110266] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000
+[  281.110426] hub 2-1.4:1.0: hub_suspend
+[  281.110565] usb 2-1.4: usb auto-suspend, wakeup 1
+[  281.130998] hub 2-1:1.0: hub_suspend
+[  281.137788] usb 2-1: usb auto-suspend, wakeup 1
+[  281.142935] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000
+[  281.177828] usb 2-1: usb wakeup-resume
+[  281.197839] usb 2-1: Waited 0ms for CONNECT
+[  281.197850] usb 2-1: finish resume
+[  281.197984] hub 2-1:1.0: hub_resume
+[  281.198203] usb 2-1-port4: status 0203 change 0000
+[  281.198228] usb usb2-port1: resume, status 0
+[  281.198237] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000
+[  281.217835] usb 2-1.4: usb wakeup-resume
+[  281.237834] usb 2-1.4: Waited 0ms for CONNECT
+[  281.237845] usb 2-1.4: finish resume
+[  281.237990] hub 2-1.4:1.0: hub_resume
+[  281.238067] usb 2-1.4-port2: status 0263 change 0000
+[  281.238148] usb 2-1-port4: resume, status 0
+[  281.238152] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s
+[  281.238166] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000
+[  281.238385] hub 2-1.4:1.0: hub_suspend
+[  281.238523] usb 2-1.4: usb auto-suspend, wakeup 1
+[  281.258076] hub 2-1:1.0: hub_suspend
+[  281.265744] usb 2-1: usb auto-suspend, wakeup 1
+[  281.285976] hub 2-0:1.0: hub_suspend
+[  281.285988] usb usb2: bus auto-suspend, wakeup 1
+
+USB 3.2 spec, 9.2.5.4 "Changing Function Suspend State" says that "If
+the link is in a non-U0 state, then the device must transition the link
+to U0 prior to sending the remote wake message", but the hub only
+transits the link to U0 after signaling remote wakeup.
+
+So be more forgiving and use a 20ms delay to let the link transit to U0
+for remote wakeup.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Link: https://lore.kernel.org/r/20211215120108.336597-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 3bc4a86c3d0a5..ac6c5ccfe1cb7 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1110,7 +1110,10 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+               } else {
+                       hub_power_on(hub, true);
+               }
+-      }
++      /* Give some time on remote wakeup to let links to transit to U0 */
++      } else if (hub_is_superspeed(hub->hdev))
++              msleep(20);
++
+  init2:
+       /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/usb-uhci-add-aspeed-ast2600-uhci-support.patch b/queue-5.16/usb-uhci-add-aspeed-ast2600-uhci-support.patch
new file mode 100644 (file)
index 0000000..adff285
--- /dev/null
@@ -0,0 +1,36 @@
+From 58aeac961171278a7e81ed82454042d76ff650c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 18:00:21 +0800
+Subject: usb: uhci: add aspeed ast2600 uhci support
+
+From: Neal Liu <neal_liu@aspeedtech.com>
+
+[ Upstream commit 554abfe2eadec97d12c71d4a69da1518478f69eb ]
+
+Enable ast2600 uhci quirks.
+
+Signed-off-by: Neal Liu <neal_liu@aspeedtech.com>
+Link: https://lore.kernel.org/r/20211126100021.2331024-1-neal_liu@aspeedtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/uhci-platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/uhci-platform.c b/drivers/usb/host/uhci-platform.c
+index 70dbd95c3f063..be9e9db7cad10 100644
+--- a/drivers/usb/host/uhci-platform.c
++++ b/drivers/usb/host/uhci-platform.c
+@@ -113,7 +113,8 @@ static int uhci_hcd_platform_probe(struct platform_device *pdev)
+                               num_ports);
+               }
+               if (of_device_is_compatible(np, "aspeed,ast2400-uhci") ||
+-                  of_device_is_compatible(np, "aspeed,ast2500-uhci")) {
++                  of_device_is_compatible(np, "aspeed,ast2500-uhci") ||
++                  of_device_is_compatible(np, "aspeed,ast2600-uhci")) {
+                       uhci->is_aspeed = 1;
+                       dev_info(&pdev->dev,
+                                "Enabled Aspeed implementation workarounds\n");
+-- 
+2.34.1
+
diff --git a/queue-5.16/w1-misuse-of-get_user-put_user-reported-by-sparse.patch b/queue-5.16/w1-misuse-of-get_user-put_user-reported-by-sparse.patch
new file mode 100644 (file)
index 0000000..36e3a62
--- /dev/null
@@ -0,0 +1,86 @@
+From dc00ef6aaabda26234f028d95abd87ac6ad56455 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 18:06:46 +0100
+Subject: w1: Misuse of get_user()/put_user() reported by sparse
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 33dc3e3e99e626ce51f462d883b05856c6c30b1d ]
+
+sparse warnings: (new ones prefixed by >>)
+>> drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected char [noderef] __user *_pu_addr @@     got char *buf @@
+   drivers/w1/slaves/w1_ds28e04.c:342:13: sparse:     expected char [noderef] __user *_pu_addr
+   drivers/w1/slaves/w1_ds28e04.c:342:13: sparse:     got char *buf
+>> drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: sparse: incorrect type in initializer (different address spaces) @@     expected char const [noderef] __user *_gu_addr @@     got char const *buf @@
+   drivers/w1/slaves/w1_ds28e04.c:356:13: sparse:     expected char const [noderef] __user *_gu_addr
+   drivers/w1/slaves/w1_ds28e04.c:356:13: sparse:     got char const *buf
+
+The buffer buf is a failsafe buffer in kernel space, it's not user
+memory hence doesn't deserve the use of get_user() or put_user().
+
+Access 'buf' content directly.
+
+Link: https://lore.kernel.org/lkml/202111190526.K5vb7NWC-lkp@intel.com/T/
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/r/d14ed8d71ad4372e6839ae427f91441d3ba0e94d.1637946316.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/slaves/w1_ds28e04.c | 26 ++++++--------------------
+ 1 file changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/w1/slaves/w1_ds28e04.c b/drivers/w1/slaves/w1_ds28e04.c
+index e4f336111edc6..6cef6e2edb892 100644
+--- a/drivers/w1/slaves/w1_ds28e04.c
++++ b/drivers/w1/slaves/w1_ds28e04.c
+@@ -32,7 +32,7 @@ static int w1_strong_pullup = 1;
+ module_param_named(strong_pullup, w1_strong_pullup, int, 0);
+ /* enable/disable CRC checking on DS28E04-100 memory accesses */
+-static char w1_enable_crccheck = 1;
++static bool w1_enable_crccheck = true;
+ #define W1_EEPROM_SIZE                512
+ #define W1_PAGE_COUNT         16
+@@ -339,32 +339,18 @@ static BIN_ATTR_RW(pio, 1);
+ static ssize_t crccheck_show(struct device *dev, struct device_attribute *attr,
+                            char *buf)
+ {
+-      if (put_user(w1_enable_crccheck + 0x30, buf))
+-              return -EFAULT;
+-
+-      return sizeof(w1_enable_crccheck);
++      return sysfs_emit(buf, "%d\n", w1_enable_crccheck);
+ }
+ static ssize_t crccheck_store(struct device *dev, struct device_attribute *attr,
+                             const char *buf, size_t count)
+ {
+-      char val;
+-
+-      if (count != 1 || !buf)
+-              return -EINVAL;
++      int err = kstrtobool(buf, &w1_enable_crccheck);
+-      if (get_user(val, buf))
+-              return -EFAULT;
++      if (err)
++              return err;
+-      /* convert to decimal */
+-      val = val - 0x30;
+-      if (val != 0 && val != 1)
+-              return -EINVAL;
+-
+-      /* set the new value */
+-      w1_enable_crccheck = val;
+-
+-      return sizeof(w1_enable_crccheck);
++      return count;
+ }
+ static DEVICE_ATTR_RW(crccheck);
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch b/queue-5.16/wcn36xx-ensure-pairing-of-init_scan-finish_scan-and-.patch
new file mode 100644 (file)
index 0000000..1755e42
--- /dev/null
@@ -0,0 +1,201 @@
+From a2adbaab1fcf8bb68994e501aae2b922071b26bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 10:03:05 -0700
+Subject: wcn36xx: ensure pairing of init_scan/finish_scan and
+ start_scan/end_scan
+
+From: Benjamin Li <benl@squareup.com>
+
+[ Upstream commit 8f1ba8b0ee2679f0b3d22d2a5c1bc70c436fd872 ]
+
+An SMD capture from the downstream prima driver on WCN3680B shows the
+following command sequence for connected scans:
+
+- init_scan_req
+    - start_scan_req, channel 1
+    - end_scan_req, channel 1
+    - start_scan_req, channel 2
+    - ...
+    - end_scan_req, channel 3
+- finish_scan_req
+- init_scan_req
+    - start_scan_req, channel 4
+    - ...
+    - end_scan_req, channel 6
+- finish_scan_req
+- ...
+    - end_scan_req, channel 165
+- finish_scan_req
+
+Upstream currently never calls wcn36xx_smd_end_scan, and in some cases[1]
+still sends finish_scan_req twice in a row or before init_scan_req. A
+typical connected scan looks like this:
+
+- init_scan_req
+    - start_scan_req, channel 1
+- finish_scan_req
+- init_scan_req
+    - start_scan_req, channel 2
+- ...
+    - start_scan_req, channel 165
+- finish_scan_req
+- finish_scan_req
+
+This patch cleans up scanning so that init/finish and start/end are always
+paired together and correctly nested.
+
+- init_scan_req
+    - start_scan_req, channel 1
+    - end_scan_req, channel 1
+- finish_scan_req
+- init_scan_req
+    - start_scan_req, channel 2
+    - end_scan_req, channel 2
+- ...
+    - start_scan_req, channel 165
+    - end_scan_req, channel 165
+- finish_scan_req
+
+Note that upstream will not do batching of 3 active-probe scans before
+returning to the operating channel, and this patch does not change that.
+To match downstream in this aspect, adjust IEEE80211_PROBE_DELAY and/or
+the 125ms max off-channel time in ieee80211_scan_state_decision.
+
+[1]: commit d195d7aac09b ("wcn36xx: Ensure finish scan is not requested
+before start scan") addressed one case of finish_scan_req being sent
+without a preceding init_scan_req (the case of the operating channel
+coinciding with the first scan channel); two other cases are:
+1) if SW scan is started and aborted immediately, without scanning any
+   channels, we send a finish_scan_req without ever sending init_scan_req,
+   and
+2) as SW scan logic always returns us to the operating channel before
+   calling wcn36xx_sw_scan_complete, finish_scan_req is always sent twice
+   at the end of a SW scan
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Benjamin Li <benl@squareup.com>
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211027170306.555535-4-benl@squareup.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c    | 34 +++++++++++++++++-----
+ drivers/net/wireless/ath/wcn36xx/smd.c     |  4 +++
+ drivers/net/wireless/ath/wcn36xx/wcn36xx.h |  1 +
+ 3 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index b04533bbc3a45..0747c27f3bd75 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -402,6 +402,7 @@ static void wcn36xx_change_opchannel(struct wcn36xx *wcn, int ch)
+ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed)
+ {
+       struct wcn36xx *wcn = hw->priv;
++      int ret;
+       wcn36xx_dbg(WCN36XX_DBG_MAC, "mac config changed 0x%08x\n", changed);
+@@ -417,17 +418,31 @@ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed)
+                        * want to receive/transmit regular data packets, then
+                        * simply stop the scan session and exit PS mode.
+                        */
+-                      wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN,
+-                                              wcn->sw_scan_vif);
+-                      wcn->sw_scan_channel = 0;
++                      if (wcn->sw_scan_channel)
++                              wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel);
++                      if (wcn->sw_scan_init) {
++                              wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN,
++                                                      wcn->sw_scan_vif);
++                      }
+               } else if (wcn->sw_scan) {
+                       /* A scan is ongoing, do not change the operating
+                        * channel, but start a scan session on the channel.
+                        */
+-                      wcn36xx_smd_init_scan(wcn, HAL_SYS_MODE_SCAN,
+-                                            wcn->sw_scan_vif);
++                      if (wcn->sw_scan_channel)
++                              wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel);
++                      if (!wcn->sw_scan_init) {
++                              /* This can fail if we are unable to notify the
++                               * operating channel.
++                               */
++                              ret = wcn36xx_smd_init_scan(wcn,
++                                                          HAL_SYS_MODE_SCAN,
++                                                          wcn->sw_scan_vif);
++                              if (ret) {
++                                      mutex_unlock(&wcn->conf_mutex);
++                                      return -EIO;
++                              }
++                      }
+                       wcn36xx_smd_start_scan(wcn, ch);
+-                      wcn->sw_scan_channel = ch;
+               } else {
+                       wcn36xx_change_opchannel(wcn, ch);
+               }
+@@ -722,7 +737,12 @@ static void wcn36xx_sw_scan_complete(struct ieee80211_hw *hw,
+       struct wcn36xx *wcn = hw->priv;
+       /* ensure that any scan session is finished */
+-      wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN, wcn->sw_scan_vif);
++      if (wcn->sw_scan_channel)
++              wcn36xx_smd_end_scan(wcn, wcn->sw_scan_channel);
++      if (wcn->sw_scan_init) {
++              wcn36xx_smd_finish_scan(wcn, HAL_SYS_MODE_SCAN,
++                                      wcn->sw_scan_vif);
++      }
+       wcn->sw_scan = false;
+       wcn->sw_scan_opchannel = 0;
+ }
+diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
+index ed45e2cf039be..e44506e4f1d5f 100644
+--- a/drivers/net/wireless/ath/wcn36xx/smd.c
++++ b/drivers/net/wireless/ath/wcn36xx/smd.c
+@@ -722,6 +722,7 @@ int wcn36xx_smd_init_scan(struct wcn36xx *wcn, enum wcn36xx_hal_sys_mode mode,
+               wcn36xx_err("hal_init_scan response failed err=%d\n", ret);
+               goto out;
+       }
++      wcn->sw_scan_init = true;
+ out:
+       mutex_unlock(&wcn->hal_mutex);
+       return ret;
+@@ -752,6 +753,7 @@ int wcn36xx_smd_start_scan(struct wcn36xx *wcn, u8 scan_channel)
+               wcn36xx_err("hal_start_scan response failed err=%d\n", ret);
+               goto out;
+       }
++      wcn->sw_scan_channel = scan_channel;
+ out:
+       mutex_unlock(&wcn->hal_mutex);
+       return ret;
+@@ -782,6 +784,7 @@ int wcn36xx_smd_end_scan(struct wcn36xx *wcn, u8 scan_channel)
+               wcn36xx_err("hal_end_scan response failed err=%d\n", ret);
+               goto out;
+       }
++      wcn->sw_scan_channel = 0;
+ out:
+       mutex_unlock(&wcn->hal_mutex);
+       return ret;
+@@ -823,6 +826,7 @@ int wcn36xx_smd_finish_scan(struct wcn36xx *wcn,
+               wcn36xx_err("hal_finish_scan response failed err=%d\n", ret);
+               goto out;
+       }
++      wcn->sw_scan_init = false;
+ out:
+       mutex_unlock(&wcn->hal_mutex);
+       return ret;
+diff --git a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
+index 1c8d918137da2..fbd0558c2c196 100644
+--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
+@@ -248,6 +248,7 @@ struct wcn36xx {
+       struct cfg80211_scan_request *scan_req;
+       bool                    sw_scan;
+       u8                      sw_scan_opchannel;
++      bool                    sw_scan_init;
+       u8                      sw_scan_channel;
+       struct ieee80211_vif    *sw_scan_vif;
+       struct mutex            scan_lock;
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-fix-dma-channel-enable-disable-cycle.patch b/queue-5.16/wcn36xx-fix-dma-channel-enable-disable-cycle.patch
new file mode 100644 (file)
index 0000000..f28fd0f
--- /dev/null
@@ -0,0 +1,125 @@
+From 3eaf9ad82612d27ac85b4e1b57bfafe242834a6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 12:21:50 +0000
+Subject: wcn36xx: Fix DMA channel enable/disable cycle
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 89dcb1da611d9b3ff0728502d58372fdaae9ebff ]
+
+Right now we have a broken sequence where we enable DMA channel interrupts
+which can be left enabled and never disabled if we hit an error path.
+
+Worse still when we unload the driver, the DMA channel interrupt bits are
+left intact. About the only saving grace here is that we do remember to
+disable the wcnss interrupt when unload the driver.
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211105122152.1580542-2-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/dxe.c | 38 ++++++++++++++++++--------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c
+index aff04ef662663..0c4f63f1312f8 100644
+--- a/drivers/net/wireless/ath/wcn36xx/dxe.c
++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c
+@@ -272,6 +272,21 @@ static int wcn36xx_dxe_enable_ch_int(struct wcn36xx *wcn, u16 wcn_ch)
+       return 0;
+ }
++static void wcn36xx_dxe_disable_ch_int(struct wcn36xx *wcn, u16 wcn_ch)
++{
++      int reg_data = 0;
++
++      wcn36xx_dxe_read_register(wcn,
++                                WCN36XX_DXE_INT_MASK_REG,
++                                &reg_data);
++
++      reg_data &= ~wcn_ch;
++
++      wcn36xx_dxe_write_register(wcn,
++                                 WCN36XX_DXE_INT_MASK_REG,
++                                 (int)reg_data);
++}
++
+ static int wcn36xx_dxe_fill_skb(struct device *dev,
+                               struct wcn36xx_dxe_ctl *ctl,
+                               gfp_t gfp)
+@@ -869,7 +884,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn)
+               WCN36XX_DXE_WQ_TX_L);
+       wcn36xx_dxe_read_register(wcn, WCN36XX_DXE_REG_CH_EN, &reg_data);
+-      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_L);
+       /***************************************/
+       /* Init descriptors for TX HIGH channel */
+@@ -893,9 +907,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn)
+       wcn36xx_dxe_read_register(wcn, WCN36XX_DXE_REG_CH_EN, &reg_data);
+-      /* Enable channel interrupts */
+-      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_H);
+-
+       /***************************************/
+       /* Init descriptors for RX LOW channel */
+       /***************************************/
+@@ -905,7 +916,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn)
+               goto out_err_rxl_ch;
+       }
+-
+       /* For RX we need to preallocated buffers */
+       wcn36xx_dxe_ch_alloc_skb(wcn, &wcn->dxe_rx_l_ch);
+@@ -928,9 +938,6 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn)
+               WCN36XX_DXE_REG_CTL_RX_L,
+               WCN36XX_DXE_CH_DEFAULT_CTL_RX_L);
+-      /* Enable channel interrupts */
+-      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L);
+-
+       /***************************************/
+       /* Init descriptors for RX HIGH channel */
+       /***************************************/
+@@ -962,15 +969,18 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn)
+               WCN36XX_DXE_REG_CTL_RX_H,
+               WCN36XX_DXE_CH_DEFAULT_CTL_RX_H);
+-      /* Enable channel interrupts */
+-      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H);
+-
+       ret = wcn36xx_dxe_request_irqs(wcn);
+       if (ret < 0)
+               goto out_err_irq;
+       timer_setup(&wcn->tx_ack_timer, wcn36xx_dxe_tx_timer, 0);
++      /* Enable channel interrupts */
++      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_L);
++      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_H);
++      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L);
++      wcn36xx_dxe_enable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H);
++
+       return 0;
+ out_err_irq:
+@@ -987,6 +997,12 @@ out_err_txh_ch:
+ void wcn36xx_dxe_deinit(struct wcn36xx *wcn)
+ {
++      /* Disable channel interrupts */
++      wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H);
++      wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L);
++      wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_H);
++      wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_TX_L);
++
+       free_irq(wcn->tx_irq, wcn);
+       free_irq(wcn->rx_irq, wcn);
+       del_timer(&wcn->tx_ack_timer);
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-fix-max-channels-retrieval.patch b/queue-5.16/wcn36xx-fix-max-channels-retrieval.patch
new file mode 100644 (file)
index 0000000..36ea237
--- /dev/null
@@ -0,0 +1,48 @@
+From af33cba14bbeb783823e8a4578e9ce5ec290917d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 10:02:12 +0100
+Subject: wcn36xx: Fix max channels retrieval
+
+From: Loic Poulain <loic.poulain@linaro.org>
+
+[ Upstream commit 09cab4308bf9b8076ee4a3c56015daf9ef9cb23e ]
+
+Kernel test robot reported:drivers/net/wireless/ath/wcn36xx/smd.c:943:33:
+   sparse: sparse: cast truncates bits from constant value (780 becomes 80)
+
+The 'channels' field is not a simple u8 array but an array of
+channel_params. Using sizeof for retrieving the max number of
+channels is then wrong.
+
+In practice, it was not an issue, because the sizeof returned
+value is 780, which is truncated in min_t (u8) to 80, which is
+the value we expect...
+
+Fix that properly using ARRAY_SIZE instead of sizeof.
+
+Fixes: d707f812bb05 ("wcn36xx: Channel list update before hardware scan")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/1638435732-14657-1-git-send-email-loic.poulain@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
+index d3285a504429d..bb07740149456 100644
+--- a/drivers/net/wireless/ath/wcn36xx/smd.c
++++ b/drivers/net/wireless/ath/wcn36xx/smd.c
+@@ -944,7 +944,7 @@ int wcn36xx_smd_update_channel_list(struct wcn36xx *wcn, struct cfg80211_scan_re
+       INIT_HAL_MSG((*msg_body), WCN36XX_HAL_UPDATE_CHANNEL_LIST_REQ);
+-      msg_body->num_channel = min_t(u8, req->n_channels, sizeof(msg_body->channels));
++      msg_body->num_channel = min_t(u8, req->n_channels, ARRAY_SIZE(msg_body->channels));
+       for (i = 0; i < msg_body->num_channel; i++) {
+               struct wcn36xx_hal_channel_param *param = &msg_body->channels[i];
+               u32 min_power = WCN36XX_HAL_DEFAULT_MIN_POWER;
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch b/queue-5.16/wcn36xx-fix-rx-bd-rate-mapping-for-5ghz-legacy-rates.patch
new file mode 100644 (file)
index 0000000..1f83997
--- /dev/null
@@ -0,0 +1,52 @@
+From f8746380496448534fa1191db13a82082f10f2e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 18:05:48 -0700
+Subject: wcn36xx: fix RX BD rate mapping for 5GHz legacy rates
+
+From: Benjamin Li <benl@squareup.com>
+
+[ Upstream commit cfdf6b19e750f7de8ae71a26932f63b52e3bf74c ]
+
+The linear mapping between the BD rate field and the driver's 5GHz
+legacy rates table (wcn_5ghz_rates) does not only apply for the latter
+four rates -- it applies to all eight rates.
+
+Fixes: 6ea131acea98 ("wcn36xx: Fix warning due to bad rate_idx")
+Signed-off-by: Benjamin Li <benl@squareup.com>
+Tested-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211104010548.1107405-3-benl@squareup.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/txrx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
+index f0a9f069a92a9..dd58dde8c8363 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
+@@ -272,7 +272,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+       const struct wcn36xx_rate *rate;
+       struct ieee80211_hdr *hdr;
+       struct wcn36xx_rx_bd *bd;
+-      struct ieee80211_supported_band *sband;
+       u16 fc, sn;
+       /*
+@@ -350,12 +349,11 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+               status.enc_flags = rate->encoding_flags;
+               status.bw = rate->bw;
+               status.rate_idx = rate->mcs_or_legacy_index;
+-              sband = wcn->hw->wiphy->bands[status.band];
+               status.nss = 1;
+               if (status.band == NL80211_BAND_5GHZ &&
+                   status.encoding == RX_ENC_LEGACY &&
+-                  status.rate_idx >= sband->n_bitrates) {
++                  status.rate_idx >= 4) {
+                       /* no dsss rates in 5Ghz rates table */
+                       status.rate_idx -= 4;
+               }
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch b/queue-5.16/wcn36xx-indicate-beacon-not-connection-loss-on-misse.patch
new file mode 100644 (file)
index 0000000..7996808
--- /dev/null
@@ -0,0 +1,51 @@
+From 51ac9cbb4d9555067f6637268c8a7d8d19bceba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 00:25:29 +0100
+Subject: wcn36xx: Indicate beacon not connection loss on MISSED_BEACON_IND
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 588b45c88ae130fe373a8c50edaf54735c3f4fe3 ]
+
+Firmware can trigger a missed beacon indication, this is not the same as a
+lost signal.
+
+Flag to Linux the missed beacon and let the WiFi stack decide for itself if
+the link is up or down by sending its own probe to determine this.
+
+We should only be signalling the link is lost when the firmware indicates
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211027232529.657764-1-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/smd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
+index e44506e4f1d5f..d3285a504429d 100644
+--- a/drivers/net/wireless/ath/wcn36xx/smd.c
++++ b/drivers/net/wireless/ath/wcn36xx/smd.c
+@@ -2736,7 +2736,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn,
+                       wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n",
+                                   tmp->bss_index);
+                       vif = wcn36xx_priv_to_vif(tmp);
+-                      ieee80211_connection_loss(vif);
++                      ieee80211_beacon_loss(vif);
+               }
+               return 0;
+       }
+@@ -2751,7 +2751,7 @@ static int wcn36xx_smd_missed_beacon_ind(struct wcn36xx *wcn,
+                       wcn36xx_dbg(WCN36XX_DBG_HAL, "beacon missed bss_index %d\n",
+                                   rsp->bss_index);
+                       vif = wcn36xx_priv_to_vif(tmp);
+-                      ieee80211_connection_loss(vif);
++                      ieee80211_beacon_loss(vif);
+                       return 0;
+               }
+       }
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-populate-band-before-determining-rate-on-rx.patch b/queue-5.16/wcn36xx-populate-band-before-determining-rate-on-rx.patch
new file mode 100644 (file)
index 0000000..1a6a029
--- /dev/null
@@ -0,0 +1,126 @@
+From 56a14ea936e9c67a8539aa44a7654282389cee39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 18:05:47 -0700
+Subject: wcn36xx: populate band before determining rate on RX
+
+From: Benjamin Li <benl@squareup.com>
+
+[ Upstream commit c9c5608fafe4dae975c9644c7d14c51ad3b0ed73 ]
+
+status.band is used in determination of status.rate -- for 5GHz on legacy
+rates there is a linear shift between the BD descriptor's rate field and
+the wcn36xx driver's rate table (wcn_5ghz_rates).
+
+We have a special clause to populate status.band for hardware scan offload
+frames. However, this block occurs after status.rate is already populated.
+Correctly handle this dependency by moving the band block before the rate
+block.
+
+This patch addresses kernel warnings & missing scan results for 5GHz APs
+that send their beacons/probe responses at the higher four legacy rates
+(24-54 Mbps), when using hardware scan offload:
+
+  ------------[ cut here ]------------
+  WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4532 ieee80211_rx_napi+0x744/0x8d8
+  Modules linked in: wcn36xx [...]
+  CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W         4.19.107-g73909fa #1
+  Hardware name: Square, Inc. T2 (all variants) (DT)
+  Call trace:
+  dump_backtrace+0x0/0x148
+  show_stack+0x14/0x1c
+  dump_stack+0xb8/0xf0
+  __warn+0x2ac/0x2d8
+  warn_slowpath_null+0x44/0x54
+  ieee80211_rx_napi+0x744/0x8d8
+  ieee80211_tasklet_handler+0xa4/0xe0
+  tasklet_action_common+0xe0/0x118
+  tasklet_action+0x20/0x28
+  __do_softirq+0x108/0x1ec
+  irq_exit+0xd4/0xd8
+  __handle_domain_irq+0x84/0xbc
+  gic_handle_irq+0x4c/0xb8
+  el1_irq+0xe8/0x190
+  lpm_cpuidle_enter+0x220/0x260
+  cpuidle_enter_state+0x114/0x1c0
+  cpuidle_enter+0x34/0x48
+  do_idle+0x150/0x268
+  cpu_startup_entry+0x20/0x24
+  rest_init+0xd4/0xe0
+  start_kernel+0x398/0x430
+  ---[ end trace ae28cb759352b403 ]---
+
+Fixes: 8a27ca394782 ("wcn36xx: Correct band/freq reporting on RX")
+Signed-off-by: Benjamin Li <benl@squareup.com>
+Tested-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211104010548.1107405-2-benl@squareup.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/txrx.c | 37 +++++++++++++------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
+index 75951ccbc840e..f0a9f069a92a9 100644
+--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
+@@ -314,8 +314,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+       fc = __le16_to_cpu(hdr->frame_control);
+       sn = IEEE80211_SEQ_TO_SN(__le16_to_cpu(hdr->seq_ctrl));
+-      status.freq = WCN36XX_CENTER_FREQ(wcn);
+-      status.band = WCN36XX_BAND(wcn);
+       status.mactime = 10;
+       status.signal = -get_rssi0(bd);
+       status.antenna = 1;
+@@ -327,6 +325,25 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+       wcn36xx_dbg(WCN36XX_DBG_RX, "status.flags=%x\n", status.flag);
++      if (bd->scan_learn) {
++              /* If packet originate from hardware scanning, extract the
++               * band/channel from bd descriptor.
++               */
++              u8 hwch = (bd->reserved0 << 4) + bd->rx_ch;
++
++              if (bd->rf_band != 1 && hwch <= sizeof(ab_rx_ch_map) && hwch >= 1) {
++                      status.band = NL80211_BAND_5GHZ;
++                      status.freq = ieee80211_channel_to_frequency(ab_rx_ch_map[hwch - 1],
++                                                                   status.band);
++              } else {
++                      status.band = NL80211_BAND_2GHZ;
++                      status.freq = ieee80211_channel_to_frequency(hwch, status.band);
++              }
++      } else {
++              status.band = WCN36XX_BAND(wcn);
++              status.freq = WCN36XX_CENTER_FREQ(wcn);
++      }
++
+       if (bd->rate_id < ARRAY_SIZE(wcn36xx_rate_table)) {
+               rate = &wcn36xx_rate_table[bd->rate_id];
+               status.encoding = rate->encoding;
+@@ -353,22 +370,6 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
+           ieee80211_is_probe_resp(hdr->frame_control))
+               status.boottime_ns = ktime_get_boottime_ns();
+-      if (bd->scan_learn) {
+-              /* If packet originates from hardware scanning, extract the
+-               * band/channel from bd descriptor.
+-               */
+-              u8 hwch = (bd->reserved0 << 4) + bd->rx_ch;
+-
+-              if (bd->rf_band != 1 && hwch <= sizeof(ab_rx_ch_map) && hwch >= 1) {
+-                      status.band = NL80211_BAND_5GHZ;
+-                      status.freq = ieee80211_channel_to_frequency(ab_rx_ch_map[hwch - 1],
+-                                                                   status.band);
+-              } else {
+-                      status.band = NL80211_BAND_2GHZ;
+-                      status.freq = ieee80211_channel_to_frequency(hwch, status.band);
+-              }
+-      }
+-
+       memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status));
+       if (ieee80211_is_beacon(hdr->frame_control)) {
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch b/queue-5.16/wcn36xx-put-dxe-block-into-reset-before-freeing-memo.patch
new file mode 100644 (file)
index 0000000..df35203
--- /dev/null
@@ -0,0 +1,49 @@
+From b33c3d57deda43842fe9b5d525c0945e1173a156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 12:21:52 +0000
+Subject: wcn36xx: Put DXE block into reset before freeing memory
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit ed04ea76e69e7194f7489cebe23a32a68f39218d ]
+
+When deiniting the DXE hardware we should reset the block to ensure there
+is no spurious DMA write transaction from the downstream WCNSS to upstream
+MSM at a skbuff address we will have released.
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211105122152.1580542-4-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/dxe.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c
+index 017c7d78072ba..e1a35c2eadb6c 100644
+--- a/drivers/net/wireless/ath/wcn36xx/dxe.c
++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c
+@@ -997,6 +997,8 @@ out_err_txh_ch:
+ void wcn36xx_dxe_deinit(struct wcn36xx *wcn)
+ {
++      int reg_data = 0;
++
+       /* Disable channel interrupts */
+       wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H);
+       wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L);
+@@ -1012,6 +1014,10 @@ void wcn36xx_dxe_deinit(struct wcn36xx *wcn)
+               wcn->tx_ack_skb = NULL;
+       }
++      /* Put the DXE block into reset before freeing memory */
++      reg_data = WCN36XX_DXE_REG_RESET;
++      wcn36xx_dxe_write_register(wcn, WCN36XX_DXE_REG_CSR_RESET, reg_data);
++
+       wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_l_ch);
+       wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_h_ch);
+-- 
+2.34.1
+
diff --git a/queue-5.16/wcn36xx-release-dma-channel-descriptor-allocations.patch b/queue-5.16/wcn36xx-release-dma-channel-descriptor-allocations.patch
new file mode 100644 (file)
index 0000000..f031850
--- /dev/null
@@ -0,0 +1,38 @@
+From 7a0f7936968ff35b84c7ee4e755ec190e7c1c4f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 12:21:51 +0000
+Subject: wcn36xx: Release DMA channel descriptor allocations
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 3652096e5263ad67604b0323f71d133485f410e5 ]
+
+When unloading the driver we are not releasing the DMA descriptors which we
+previously allocated.
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211105122152.1580542-3-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/dxe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c
+index 0c4f63f1312f8..017c7d78072ba 100644
+--- a/drivers/net/wireless/ath/wcn36xx/dxe.c
++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c
+@@ -1014,4 +1014,9 @@ void wcn36xx_dxe_deinit(struct wcn36xx *wcn)
+       wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_l_ch);
+       wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_h_ch);
++
++      wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_tx_l_ch);
++      wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_tx_h_ch);
++      wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_rx_l_ch);
++      wcn36xx_dxe_deinit_descs(wcn->dev, &wcn->dxe_rx_h_ch);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/wilc1000-fix-double-free-error-in-probe.patch b/queue-5.16/wilc1000-fix-double-free-error-in-probe.patch
new file mode 100644 (file)
index 0000000..9ee304b
--- /dev/null
@@ -0,0 +1,78 @@
+From 6c80839e0571a6de960d000b1d6a10306c549dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 18:03:12 +0300
+Subject: wilc1000: fix double free error in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4894edacfa93d7046bec4fc61fc402ac6a2ac9e8 ]
+
+Smatch complains that there is a double free in probe:
+
+drivers/net/wireless/microchip/wilc1000/spi.c:186 wilc_bus_probe() error: double free of 'spi_priv'
+drivers/net/wireless/microchip/wilc1000/sdio.c:163 wilc_sdio_probe() error: double free of 'sdio_priv'
+
+The problem is that wilc_netdev_cleanup() function frees "wilc->bus_data".
+That's confusing and a layering violation.  Leave the frees in probe(),
+delete the free in wilc_netdev_cleanup(), and add some new frees to the
+remove() functions.
+
+Fixes: dc8b338f3bcd ("wilc1000: use goto labels on error path")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20211217150311.GC16611@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/netdev.c | 1 -
+ drivers/net/wireless/microchip/wilc1000/sdio.c   | 2 ++
+ drivers/net/wireless/microchip/wilc1000/spi.c    | 2 ++
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c
+index 690572e01a2a7..b5fe2a7cd8dcc 100644
+--- a/drivers/net/wireless/microchip/wilc1000/netdev.c
++++ b/drivers/net/wireless/microchip/wilc1000/netdev.c
+@@ -905,7 +905,6 @@ void wilc_netdev_cleanup(struct wilc *wilc)
+       wilc_wlan_cfg_deinit(wilc);
+       wlan_deinit_locks(wilc);
+-      kfree(wilc->bus_data);
+       wiphy_unregister(wilc->wiphy);
+       wiphy_free(wilc->wiphy);
+ }
+diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c
+index 26ebf66643425..ec595dbd89592 100644
+--- a/drivers/net/wireless/microchip/wilc1000/sdio.c
++++ b/drivers/net/wireless/microchip/wilc1000/sdio.c
+@@ -167,9 +167,11 @@ free:
+ static void wilc_sdio_remove(struct sdio_func *func)
+ {
+       struct wilc *wilc = sdio_get_drvdata(func);
++      struct wilc_sdio *sdio_priv = wilc->bus_data;
+       clk_disable_unprepare(wilc->rtc_clk);
+       wilc_netdev_cleanup(wilc);
++      kfree(sdio_priv);
+ }
+ static int wilc_sdio_reset(struct wilc *wilc)
+diff --git a/drivers/net/wireless/microchip/wilc1000/spi.c b/drivers/net/wireless/microchip/wilc1000/spi.c
+index 640850f989dd9..d8e893f4dab4f 100644
+--- a/drivers/net/wireless/microchip/wilc1000/spi.c
++++ b/drivers/net/wireless/microchip/wilc1000/spi.c
+@@ -190,9 +190,11 @@ free:
+ static int wilc_bus_remove(struct spi_device *spi)
+ {
+       struct wilc *wilc = spi_get_drvdata(spi);
++      struct wilc_spi *spi_priv = wilc->bus_data;
+       clk_disable_unprepare(wilc->rtc_clk);
+       wilc_netdev_cleanup(wilc);
++      kfree(spi_priv);
+       return 0;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch b/queue-5.16/wireless-iwlwifi-fix-a-double-free-in-iwl_txq_dyn_al.patch
new file mode 100644 (file)
index 0000000..c65583b
--- /dev/null
@@ -0,0 +1,43 @@
+From 995cec649d5189028189ebe8eb99621dac1e25c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 22:47:55 -0700
+Subject: wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit f973795a8d19cbf3d03807704eb7c6ff65788d5a ]
+
+In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by:
+iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But
+it forgot to set txq->tfds to NULL.
+
+Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by:
+goto error->iwl_txq_gen2_free_memory()->dma_free_coherent().
+
+My patch sets txq->tfds to NULL after the first free to avoid the
+double free.
+
+Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Link: https://lore.kernel.org/r/20210403054755.4781-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+index 451b060693501..0f3526b0c5b00 100644
+--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+@@ -1072,6 +1072,7 @@ int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
+       return 0;
+ err_free_tfds:
+       dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr);
++      txq->tfds = NULL;
+ error:
+       if (txq->entries && cmd_queue)
+               for (i = 0; i < slots_num; i++)
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-boot-compressed-move-clang_flags-to-beginning-of.patch b/queue-5.16/x86-boot-compressed-move-clang_flags-to-beginning-of.patch
new file mode 100644 (file)
index 0000000..1ab4022
--- /dev/null
@@ -0,0 +1,69 @@
+From b61bb08d73281fd6b9383669157cb8a1bdd057c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 09:30:41 -0700
+Subject: x86/boot/compressed: Move CLANG_FLAGS to beginning of KBUILD_CFLAGS
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 5fe392ff9d1f7254a1fbb3f72d9893088e4d23eb ]
+
+When cross compiling i386_defconfig on an arm64 host with clang, there
+are a few instances of '-Waddress-of-packed-member' and
+'-Wgnu-variable-sized-type-not-at-end' in arch/x86/boot/compressed/,
+which should both be disabled with the cc-disable-warning calls in that
+directory's Makefile, which indicates that cc-disable-warning is failing
+at the point of testing these flags.
+
+The cc-disable-warning calls fail because at the point that the flags
+are tested, KBUILD_CFLAGS has '-march=i386' without $(CLANG_FLAGS),
+which has the '--target=' flag to tell clang what architecture it is
+targeting. Without the '--target=' flag, the host architecture (arm64)
+is used and i386 is not a valid value for '-march=' in that case. This
+error can be seen by adding some logging to try-run:
+
+  clang-14: error: the clang compiler does not support '-march=i386'
+
+Invoking the compiler has to succeed prior to calling cc-option or
+cc-disable-warning in order to accurately test whether or not the flag
+is supported; if it doesn't, the requested flag can never be added to
+the compiler flags. Move $(CLANG_FLAGS) to the beginning of KBUILD_FLAGS
+so that any new flags that might be added in the future can be
+accurately tested.
+
+Fixes: d5cbd80e302d ("x86/boot: Add $(CLANG_FLAGS) to compressed KBUILD_CFLAGS")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211222163040.1961481-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/compressed/Makefile | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
+index 431bf7f846c3c..e118136460518 100644
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -28,7 +28,11 @@ KCOV_INSTRUMENT             := n
+ targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \
+       vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4 vmlinux.bin.zst
+-KBUILD_CFLAGS := -m$(BITS) -O2
++# CLANG_FLAGS must come before any cc-disable-warning or cc-option calls in
++# case of cross compiling, as it has the '--target=' flag, which is needed to
++# avoid errors with '-march=i386', and future flags may depend on the target to
++# be valid.
++KBUILD_CFLAGS := -m$(BITS) -O2 $(CLANG_FLAGS)
+ KBUILD_CFLAGS += -fno-strict-aliasing -fPIE
+ KBUILD_CFLAGS += -Wundef
+ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+@@ -47,7 +51,6 @@ KBUILD_CFLAGS += -D__DISABLE_EXPORTS
+ # Disable relocation relaxation in case the link is not PIE.
+ KBUILD_CFLAGS += $(call as-option,-Wa$(comma)-mrelax-relocations=no)
+ KBUILD_CFLAGS += -include $(srctree)/include/linux/hidden.h
+-KBUILD_CFLAGS += $(CLANG_FLAGS)
+ # sev.c indirectly inludes inat-table.h which is generated during
+ # compilation and stored in $(objtree). Add the directory to the includes so
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-hyperv-properly-deal-with-empty-cpumasks-in-hype.patch b/queue-5.16/x86-hyperv-properly-deal-with-empty-cpumasks-in-hype.patch
new file mode 100644 (file)
index 0000000..d322528
--- /dev/null
@@ -0,0 +1,141 @@
+From 8f499bc4f110466623ff61b0a5bfa95c96d69df8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 10:46:11 +0100
+Subject: x86/hyperv: Properly deal with empty cpumasks in
+ hyperv_flush_tlb_multi()
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 51500b71d500f251037ed339047a4d9e7d7e295b ]
+
+KASAN detected the following issue:
+
+ BUG: KASAN: slab-out-of-bounds in hyperv_flush_tlb_multi+0xf88/0x1060
+ Read of size 4 at addr ffff8880011ccbc0 by task kcompactd0/33
+
+ CPU: 1 PID: 33 Comm: kcompactd0 Not tainted 5.14.0-39.el9.x86_64+debug #1
+ Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine,
+     BIOS Hyper-V UEFI Release v4.0 12/17/2019
+ Call Trace:
+  dump_stack_lvl+0x57/0x7d
+  print_address_description.constprop.0+0x1f/0x140
+  ? hyperv_flush_tlb_multi+0xf88/0x1060
+  __kasan_report.cold+0x7f/0x11e
+  ? hyperv_flush_tlb_multi+0xf88/0x1060
+  kasan_report+0x38/0x50
+  hyperv_flush_tlb_multi+0xf88/0x1060
+  flush_tlb_mm_range+0x1b1/0x200
+  ptep_clear_flush+0x10e/0x150
+...
+ Allocated by task 0:
+  kasan_save_stack+0x1b/0x40
+  __kasan_kmalloc+0x7c/0x90
+  hv_common_init+0xae/0x115
+  hyperv_init+0x97/0x501
+  apic_intr_mode_init+0xb3/0x1e0
+  x86_late_time_init+0x92/0xa2
+  start_kernel+0x338/0x3eb
+  secondary_startup_64_no_verify+0xc2/0xcb
+
+ The buggy address belongs to the object at ffff8880011cc800
+  which belongs to the cache kmalloc-1k of size 1024
+ The buggy address is located 960 bytes inside of
+  1024-byte region [ffff8880011cc800, ffff8880011ccc00)
+
+'hyperv_flush_tlb_multi+0xf88/0x1060' points to
+hv_cpu_number_to_vp_number() and '960 bytes' means we're trying to get
+VP_INDEX for CPU#240. 'nr_cpus' here is exactly 240 so we're trying to
+access past hv_vp_index's last element. This can (and will) happen
+when 'cpus' mask is empty and cpumask_last() will return '>=nr_cpus'.
+
+Commit ad0a6bad4475 ("x86/hyperv: check cpu mask after interrupt has
+been disabled") tried to deal with empty cpumask situation but
+apparently didn't fully fix the issue.
+
+'cpus' cpumask which is passed to hyperv_flush_tlb_multi() is
+'mm_cpumask(mm)' (which is '&mm->cpu_bitmap'). This mask changes every
+time the particular mm is scheduled/unscheduled on some CPU (see
+switch_mm_irqs_off()), disabling IRQs on the CPU which is performing remote
+TLB flush has zero influence on whether the particular process can get
+scheduled/unscheduled on _other_ CPUs so e.g. in the case where the mm was
+scheduled on one other CPU and got unscheduled during
+hyperv_flush_tlb_multi()'s execution will lead to cpumask becoming empty.
+
+It doesn't seem that there's a good way to protect 'mm_cpumask(mm)'
+from changing during hyperv_flush_tlb_multi()'s execution. It would be
+possible to copy it in the very beginning of the function but this is a
+waste. It seems we can deal with changing cpumask just fine.
+
+When 'cpus' cpumask changes during hyperv_flush_tlb_multi()'s
+execution, there are two possible issues:
+- 'Under-flushing': we will not flush TLB on a CPU which got added to
+the mask while hyperv_flush_tlb_multi() was already running. This is
+not a problem as this is equal to mm getting scheduled on that CPU
+right after TLB flush.
+- 'Over-flushing': we may flush TLB on a CPU which is already cleared
+from the mask. First, extra TLB flush preserves correctness. Second,
+Hyper-V's TLB flush hypercall takes 'mm->pgd' argument so Hyper-V may
+avoid the flush if CR3 doesn't match.
+
+Fix the immediate issue with cpumask_last()/hv_cpu_number_to_vp_number()
+and remove the pointless cpumask_empty() check from the beginning of the
+function as it really doesn't protect anything. Also, avoid the hypercall
+altogether when 'flush->processor_mask' ends up being empty.
+
+Fixes: ad0a6bad4475 ("x86/hyperv: check cpu mask after interrupt has been disabled")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20220106094611.1404218-1-vkuznets@redhat.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/hyperv/mmu.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/hyperv/mmu.c b/arch/x86/hyperv/mmu.c
+index bd13736d0c054..0ad2378fe6ad7 100644
+--- a/arch/x86/hyperv/mmu.c
++++ b/arch/x86/hyperv/mmu.c
+@@ -68,15 +68,6 @@ static void hyperv_flush_tlb_multi(const struct cpumask *cpus,
+       local_irq_save(flags);
+-      /*
+-       * Only check the mask _after_ interrupt has been disabled to avoid the
+-       * mask changing under our feet.
+-       */
+-      if (cpumask_empty(cpus)) {
+-              local_irq_restore(flags);
+-              return;
+-      }
+-
+       flush_pcpu = (struct hv_tlb_flush **)
+                    this_cpu_ptr(hyperv_pcpu_input_arg);
+@@ -115,7 +106,9 @@ static void hyperv_flush_tlb_multi(const struct cpumask *cpus,
+                * must. We will also check all VP numbers when walking the
+                * supplied CPU set to remain correct in all cases.
+                */
+-              if (hv_cpu_number_to_vp_number(cpumask_last(cpus)) >= 64)
++              cpu = cpumask_last(cpus);
++
++              if (cpu < nr_cpumask_bits && hv_cpu_number_to_vp_number(cpu) >= 64)
+                       goto do_ex_hypercall;
+               for_each_cpu(cpu, cpus) {
+@@ -131,6 +124,12 @@ static void hyperv_flush_tlb_multi(const struct cpumask *cpus,
+                       __set_bit(vcpu, (unsigned long *)
+                                 &flush->processor_mask);
+               }
++
++              /* nothing to flush if 'processor_mask' ends up being empty */
++              if (!flush->processor_mask) {
++                      local_irq_restore(flags);
++                      return;
++              }
+       }
+       /*
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch b/queue-5.16/x86-kbuild-enable-config_kallsyms_all-y-in-the-defco.patch
new file mode 100644 (file)
index 0000000..c10cc24
--- /dev/null
@@ -0,0 +1,45 @@
+From ffdae8d3b442af01a4e7259cf6666bd7ac94bad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jan 2022 01:35:58 +0100
+Subject: x86/kbuild: Enable CONFIG_KALLSYMS_ALL=y in the defconfigs
+
+From: Ingo Molnar <mingo@kernel.org>
+
+[ Upstream commit b6aa86cff44cf099299d3a5e66348cb709cd7964 ]
+
+Most distro kernels have this option enabled, to improve debug output.
+
+Lockdep also selects it.
+
+Enable this in the defconfig kernel as well, to make it more
+representative of what people are using on x86.
+
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/YdTn7gssoMVDMgMw@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/configs/i386_defconfig   | 1 +
+ arch/x86/configs/x86_64_defconfig | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
+index e81885384f604..99398cbdae434 100644
+--- a/arch/x86/configs/i386_defconfig
++++ b/arch/x86/configs/i386_defconfig
+@@ -262,3 +262,4 @@ CONFIG_BLK_DEV_IO_TRACE=y
+ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
+ CONFIG_EARLY_PRINTK_DBGP=y
+ CONFIG_DEBUG_BOOT_PARAMS=y
++CONFIG_KALLSYMS_ALL=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index e8a7a0af2bdaa..d7298b104a456 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -258,3 +258,4 @@ CONFIG_BLK_DEV_IO_TRACE=y
+ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
+ CONFIG_EARLY_PRINTK_DBGP=y
+ CONFIG_DEBUG_BOOT_PARAMS=y
++CONFIG_KALLSYMS_ALL=y
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mce-allow-instrumentation-during-task-work-queue.patch b/queue-5.16/x86-mce-allow-instrumentation-during-task-work-queue.patch
new file mode 100644 (file)
index 0000000..4038935
--- /dev/null
@@ -0,0 +1,52 @@
+From 67d48d34660dfc5c163dd4f0a4baa2bb6779b6a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 09:07:19 +0200
+Subject: x86/mce: Allow instrumentation during task work queueing
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 4fbce464db81a42f9a57ee242d6150ec7f996415 ]
+
+Fixes
+
+  vmlinux.o: warning: objtool: do_machine_check()+0xdb1: call to queue_task_work() leaves .noinstr.text section
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211208111343.8130-6-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 6ed365337a3b1..70ec5685906b2 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -1454,6 +1454,14 @@ noinstr void do_machine_check(struct pt_regs *regs)
+       if (worst != MCE_AR_SEVERITY && !kill_current_task)
+               goto out;
++      /*
++       * Enable instrumentation around the external facilities like
++       * task_work_add() (via queue_task_work()), fixup_exception() etc.
++       * For now, that is. Fixing this properly would need a lot more involved
++       * reorganization.
++       */
++      instrumentation_begin();
++
+       /* Fault was in user mode and we need to take some action */
+       if ((m.cs & 3) == 3) {
+               /* If this triggers there is no way to recover. Die hard. */
+@@ -1482,6 +1490,9 @@ noinstr void do_machine_check(struct pt_regs *regs)
+               if (m.kflags & MCE_IN_KERNEL_COPYIN)
+                       queue_task_work(&m, msg, kill_me_never);
+       }
++
++      instrumentation_end();
++
+ out:
+       mce_wrmsrl(MSR_IA32_MCG_STATUS, 0);
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch b/queue-5.16/x86-mce-inject-avoid-out-of-bounds-write-when-settin.patch
new file mode 100644 (file)
index 0000000..e709876
--- /dev/null
@@ -0,0 +1,55 @@
+From dd79f198eca7966e858eda442b8bd3323b94368c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Dec 2021 22:02:49 +0100
+Subject: x86/mce/inject: Avoid out-of-bounds write when setting flags
+
+From: Zhang Zixun <zhang133010@icloud.com>
+
+[ Upstream commit de768416b203ac84e02a757b782a32efb388476f ]
+
+A contrived zero-length write, for example, by using write(2):
+
+  ...
+  ret = write(fd, str, 0);
+  ...
+
+to the "flags" file causes:
+
+  BUG: KASAN: stack-out-of-bounds in flags_write
+  Write of size 1 at addr ffff888019be7ddf by task writefile/3787
+
+  CPU: 4 PID: 3787 Comm: writefile Not tainted 5.16.0-rc7+ #12
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+
+due to accessing buf one char before its start.
+
+Prevent such out-of-bounds access.
+
+  [ bp: Productize into a proper patch. Link below is the next best
+    thing because the original mail didn't get archived on lore. ]
+
+Fixes: 0451d14d0561 ("EDAC, mce_amd_inj: Modify flags attribute to use string arguments")
+Signed-off-by: Zhang Zixun <zhang133010@icloud.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/linux-edac/YcnePfF1OOqoQwrX@zn.tnic/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/inject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/inject.c b/arch/x86/kernel/cpu/mce/inject.c
+index 0bfc14041bbb4..b63b548497c14 100644
+--- a/arch/x86/kernel/cpu/mce/inject.c
++++ b/arch/x86/kernel/cpu/mce/inject.c
+@@ -350,7 +350,7 @@ static ssize_t flags_write(struct file *filp, const char __user *ubuf,
+       char buf[MAX_FLAG_OPT_SIZE], *__buf;
+       int err;
+-      if (cnt > MAX_FLAG_OPT_SIZE)
++      if (!cnt || cnt > MAX_FLAG_OPT_SIZE)
+               return -EINVAL;
+       if (copy_from_user(&buf, ubuf, cnt))
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mce-mark-mce_end-noinstr.patch b/queue-5.16/x86-mce-mark-mce_end-noinstr.patch
new file mode 100644 (file)
index 0000000..daf1433
--- /dev/null
@@ -0,0 +1,66 @@
+From ba0620cfbdca77023c08508b04783074f411ac9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 16:43:33 +0100
+Subject: x86/mce: Mark mce_end() noinstr
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit b4813539d37fa31fed62cdfab7bd2dd8929c5b2e ]
+
+It is called by the #MC handler which is noinstr.
+
+Fixes
+
+  vmlinux.o: warning: objtool: do_machine_check()+0xbd6: call to memset() leaves .noinstr.text section
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211208111343.8130-9-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 9a52ec55e0555..75095986e5eff 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -1063,10 +1063,13 @@ static int mce_start(int *no_way_out)
+  * Synchronize between CPUs after main scanning loop.
+  * This invokes the bulk of the Monarch processing.
+  */
+-static int mce_end(int order)
++static noinstr int mce_end(int order)
+ {
+-      int ret = -1;
+       u64 timeout = (u64)mca_cfg.monarch_timeout * NSEC_PER_USEC;
++      int ret = -1;
++
++      /* Allow instrumentation around external facilities. */
++      instrumentation_begin();
+       if (!timeout)
+               goto reset;
+@@ -1110,7 +1113,8 @@ static int mce_end(int order)
+               /*
+                * Don't reset anything. That's done by the Monarch.
+                */
+-              return 0;
++              ret = 0;
++              goto out;
+       }
+       /*
+@@ -1126,6 +1130,10 @@ reset:
+        * Let others run again.
+        */
+       atomic_set(&mce_executing, 0);
++
++out:
++      instrumentation_end();
++
+       return ret;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mce-mark-mce_panic-noinstr.patch b/queue-5.16/x86-mce-mark-mce_panic-noinstr.patch
new file mode 100644 (file)
index 0000000..ca0ab78
--- /dev/null
@@ -0,0 +1,69 @@
+From a38306891985da217a0e174149415a70ca561ab2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 13:39:35 +0100
+Subject: x86/mce: Mark mce_panic() noinstr
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 3c7ce80a818fa7950be123cac80cd078e5ac1013 ]
+
+And allow instrumentation inside it because it does calls to other
+facilities which will not be tagged noinstr.
+
+Fixes
+
+  vmlinux.o: warning: objtool: do_machine_check()+0xc73: call to mce_panic() leaves .noinstr.text section
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211208111343.8130-8-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 70ec5685906b2..9a52ec55e0555 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -267,11 +267,17 @@ static void wait_for_panic(void)
+       panic("Panicing machine check CPU died");
+ }
+-static void mce_panic(const char *msg, struct mce *final, char *exp)
++static noinstr void mce_panic(const char *msg, struct mce *final, char *exp)
+ {
+-      int apei_err = 0;
+       struct llist_node *pending;
+       struct mce_evt_llist *l;
++      int apei_err = 0;
++
++      /*
++       * Allow instrumentation around external facilities usage. Not that it
++       * matters a whole lot since the machine is going to panic anyway.
++       */
++      instrumentation_begin();
+       if (!fake_panic) {
+               /*
+@@ -286,7 +292,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
+       } else {
+               /* Don't log too much for fake panic */
+               if (atomic_inc_return(&mce_fake_panicked) > 1)
+-                      return;
++                      goto out;
+       }
+       pending = mce_gen_pool_prepare_records();
+       /* First print corrected ones that are still unlogged */
+@@ -324,6 +330,9 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
+               panic(msg);
+       } else
+               pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
++
++out:
++      instrumentation_end();
+ }
+ /* Support code for software error injection */
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mce-mark-mce_read_aux-noinstr.patch b/queue-5.16/x86-mce-mark-mce_read_aux-noinstr.patch
new file mode 100644 (file)
index 0000000..e106e8c
--- /dev/null
@@ -0,0 +1,36 @@
+From 5b46daba19fdda7527dd9d7af412efd2a7d0ee76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Nov 2021 11:14:48 +0100
+Subject: x86/mce: Mark mce_read_aux() noinstr
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit db6c996d6ce45dfb44891f0824a65ecec216f47a ]
+
+Fixes
+
+  vmlinux.o: warning: objtool: do_machine_check()+0x681: call to mce_read_aux() leaves .noinstr.text section
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211208111343.8130-10-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index 75095986e5eff..69fd51a29278f 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -645,7 +645,7 @@ static struct notifier_block mce_default_nb = {
+ /*
+  * Read ADDR and MISC registers.
+  */
+-static void mce_read_aux(struct mce *m, int i)
++static noinstr void mce_read_aux(struct mce *m, int i)
+ {
+       if (m->status & MCI_STATUS_MISCV)
+               m->misc = mce_rdmsrl(mca_msr_reg(i, MCA_MISC));
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mce-prevent-severity-computation-from-being-inst.patch b/queue-5.16/x86-mce-prevent-severity-computation-from-being-inst.patch
new file mode 100644 (file)
index 0000000..0969dad
--- /dev/null
@@ -0,0 +1,103 @@
+From e1dba4ca803f39abf86145e3dcef403a54b01a1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Oct 2021 09:47:50 +0200
+Subject: x86/mce: Prevent severity computation from being instrumented
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit 0a5b288e85bbef5227bb6397e31fcf1d7ba9142a ]
+
+Mark all the MCE severity computation logic noinstr and allow
+instrumentation when it "calls out".
+
+Fixes
+
+  vmlinux.o: warning: objtool: do_machine_check()+0xc5d: call to mce_severity() leaves .noinstr.text section
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211208111343.8130-7-bp@alien8.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/severity.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
+index bb019a594a2c9..171a1495111b1 100644
+--- a/arch/x86/kernel/cpu/mce/severity.c
++++ b/arch/x86/kernel/cpu/mce/severity.c
+@@ -263,24 +263,36 @@ static bool is_copy_from_user(struct pt_regs *regs)
+  * distinguish an exception taken in user from from one
+  * taken in the kernel.
+  */
+-static int error_context(struct mce *m, struct pt_regs *regs)
++static noinstr int error_context(struct mce *m, struct pt_regs *regs)
+ {
++      int fixup_type;
++      bool copy_user;
++
+       if ((m->cs & 3) == 3)
+               return IN_USER;
++
+       if (!mc_recoverable(m->mcgstatus))
+               return IN_KERNEL;
+-      switch (ex_get_fixup_type(m->ip)) {
++      /* Allow instrumentation around external facilities usage. */
++      instrumentation_begin();
++      fixup_type = ex_get_fixup_type(m->ip);
++      copy_user  = is_copy_from_user(regs);
++      instrumentation_end();
++
++      switch (fixup_type) {
+       case EX_TYPE_UACCESS:
+       case EX_TYPE_COPY:
+-              if (!regs || !is_copy_from_user(regs))
++              if (!regs || !copy_user)
+                       return IN_KERNEL;
+               m->kflags |= MCE_IN_KERNEL_COPYIN;
+               fallthrough;
++
+       case EX_TYPE_FAULT_MCE_SAFE:
+       case EX_TYPE_DEFAULT_MCE_SAFE:
+               m->kflags |= MCE_IN_KERNEL_RECOV;
+               return IN_KERNEL_RECOV;
++
+       default:
+               return IN_KERNEL;
+       }
+@@ -317,8 +329,8 @@ static int mce_severity_amd_smca(struct mce *m, enum context err_ctx)
+  * See AMD Error Scope Hierarchy table in a newer BKDG. For example
+  * 49125_15h_Models_30h-3Fh_BKDG.pdf, section "RAS Features"
+  */
+-static int mce_severity_amd(struct mce *m, struct pt_regs *regs, int tolerant,
+-                          char **msg, bool is_excp)
++static noinstr int mce_severity_amd(struct mce *m, struct pt_regs *regs, int tolerant,
++                                  char **msg, bool is_excp)
+ {
+       enum context ctx = error_context(m, regs);
+@@ -370,8 +382,8 @@ static int mce_severity_amd(struct mce *m, struct pt_regs *regs, int tolerant,
+       return MCE_KEEP_SEVERITY;
+ }
+-static int mce_severity_intel(struct mce *m, struct pt_regs *regs,
+-                            int tolerant, char **msg, bool is_excp)
++static noinstr int mce_severity_intel(struct mce *m, struct pt_regs *regs,
++                                    int tolerant, char **msg, bool is_excp)
+ {
+       enum exception excp = (is_excp ? EXCP_CONTEXT : NO_EXCP);
+       enum context ctx = error_context(m, regs);
+@@ -407,8 +419,8 @@ static int mce_severity_intel(struct mce *m, struct pt_regs *regs,
+       }
+ }
+-int mce_severity(struct mce *m, struct pt_regs *regs, int tolerant, char **msg,
+-               bool is_excp)
++int noinstr mce_severity(struct mce *m, struct pt_regs *regs, int tolerant, char **msg,
++                       bool is_excp)
+ {
+       if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
+           boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch b/queue-5.16/x86-mm-flush-global-tlb-when-switching-to-trampoline.patch
new file mode 100644 (file)
index 0000000..d9e0809
--- /dev/null
@@ -0,0 +1,103 @@
+From bd8914c348c748c4532d058588621a51626056e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Dec 2021 16:32:25 +0100
+Subject: x86/mm: Flush global TLB when switching to trampoline page-table
+
+From: Joerg Roedel <jroedel@suse.de>
+
+[ Upstream commit 71d5049b053876afbde6c3273250b76935494ab2 ]
+
+Move the switching code into a function so that it can be re-used and
+add a global TLB flush. This makes sure that usage of memory which is
+not mapped in the trampoline page-table is reliably caught.
+
+Also move the clearing of CR4.PCIDE before the CR3 switch because the
+cr4_clear_bits() function will access data not mapped into the
+trampoline page-table.
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20211202153226.22946-4-joro@8bytes.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/realmode.h |  1 +
+ arch/x86/kernel/reboot.c        | 12 ++----------
+ arch/x86/realmode/init.c        | 26 ++++++++++++++++++++++++++
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
+index 5db5d083c8732..331474b150f16 100644
+--- a/arch/x86/include/asm/realmode.h
++++ b/arch/x86/include/asm/realmode.h
+@@ -89,6 +89,7 @@ static inline void set_real_mode_mem(phys_addr_t mem)
+ }
+ void reserve_real_mode(void);
++void load_trampoline_pgtable(void);
+ #endif /* __ASSEMBLY__ */
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index 0a40df66a40de..fa700b46588e0 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -113,17 +113,9 @@ void __noreturn machine_real_restart(unsigned int type)
+       spin_unlock(&rtc_lock);
+       /*
+-       * Switch back to the initial page table.
++       * Switch to the trampoline page table.
+        */
+-#ifdef CONFIG_X86_32
+-      load_cr3(initial_page_table);
+-#else
+-      write_cr3(real_mode_header->trampoline_pgd);
+-
+-      /* Exiting long mode will fail if CR4.PCIDE is set. */
+-      if (boot_cpu_has(X86_FEATURE_PCID))
+-              cr4_clear_bits(X86_CR4_PCIDE);
+-#endif
++      load_trampoline_pgtable();
+       /* Jump to the identity-mapped low memory code */
+ #ifdef CONFIG_X86_32
+diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
+index 38d24d2ab38b3..c5e29db02a469 100644
+--- a/arch/x86/realmode/init.c
++++ b/arch/x86/realmode/init.c
+@@ -17,6 +17,32 @@ u32 *trampoline_cr4_features;
+ /* Hold the pgd entry used on booting additional CPUs */
+ pgd_t trampoline_pgd_entry;
++void load_trampoline_pgtable(void)
++{
++#ifdef CONFIG_X86_32
++      load_cr3(initial_page_table);
++#else
++      /*
++       * This function is called before exiting to real-mode and that will
++       * fail with CR4.PCIDE still set.
++       */
++      if (boot_cpu_has(X86_FEATURE_PCID))
++              cr4_clear_bits(X86_CR4_PCIDE);
++
++      write_cr3(real_mode_header->trampoline_pgd);
++#endif
++
++      /*
++       * The CR3 write above will not flush global TLB entries.
++       * Stale, global entries from previous page tables may still be
++       * present.  Flush those stale entries.
++       *
++       * This ensures that memory accessed while running with
++       * trampoline_pgd is *actually* mapped into trampoline_pgd.
++       */
++      __flush_tlb_all();
++}
++
+ void __init reserve_real_mode(void)
+ {
+       phys_addr_t mem;
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-sched-fix-undefined-reference-to-init_freq_invar.patch b/queue-5.16/x86-sched-fix-undefined-reference-to-init_freq_invar.patch
new file mode 100644 (file)
index 0000000..666b559
--- /dev/null
@@ -0,0 +1,51 @@
+From 93e9e9efbf0bc97b8b28fc6dcb60ff1c510937f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jan 2022 15:43:06 +0800
+Subject: x86, sched: Fix undefined reference to init_freq_invariance_cppc()
+ build error
+
+From: Huang Rui <ray.huang@amd.com>
+
+[ Upstream commit 6c4ab1b86dac3954d15c00c1a6396d60a1023fab ]
+
+The init_freq_invariance_cppc function is implemented in smpboot and depends on
+CONFIG_SMP.
+
+  MODPOST vmlinux.symvers
+  MODINFO modules.builtin.modinfo
+  GEN     modules.builtin
+  LD      .tmp_vmlinux.kallsyms1
+ld: drivers/acpi/cppc_acpi.o: in function `acpi_cppc_processor_probe':
+/home/ray/brahma3/linux/drivers/acpi/cppc_acpi.c:819: undefined reference to `init_freq_invariance_cppc'
+make: *** [Makefile:1161: vmlinux] Error 1
+
+See https://lore.kernel.org/lkml/484af487-7511-647e-5c5b-33d4429acdec@infradead.org/.
+
+Fixes: 41ea667227ba ("x86, sched: Calculate frequency invariance for AMD systems")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Huang Rui <ray.huang@amd.com>
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/topology.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/topology.h b/arch/x86/include/asm/topology.h
+index cc164777e6619..2f0b6be8eaabc 100644
+--- a/arch/x86/include/asm/topology.h
++++ b/arch/x86/include/asm/topology.h
+@@ -221,7 +221,7 @@ static inline void arch_set_max_freq_ratio(bool turbo_disabled)
+ }
+ #endif
+-#ifdef CONFIG_ACPI_CPPC_LIB
++#if defined(CONFIG_ACPI_CPPC_LIB) && defined(CONFIG_SMP)
+ void init_freq_invariance_cppc(void);
+ #define init_freq_invariance_cppc init_freq_invariance_cppc
+ #endif
+-- 
+2.34.1
+
diff --git a/queue-5.16/x86-uaccess-move-variable-into-switch-case-statement.patch b/queue-5.16/x86-uaccess-move-variable-into-switch-case-statement.patch
new file mode 100644 (file)
index 0000000..1cf6237
--- /dev/null
@@ -0,0 +1,49 @@
+From 04b1ac8af7dc4dd230a8e8a24ffb046e9a9cafa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 20:34:56 -0800
+Subject: x86/uaccess: Move variable into switch case statement
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 61646ca83d3889696f2772edaff122dd96a2935e ]
+
+When building with automatic stack variable initialization, GCC 12
+complains about variables defined outside of switch case statements.
+Move the variable into the case that uses it, which silences the warning:
+
+./arch/x86/include/asm/uaccess.h:317:23: warning: statement will never be executed [-Wswitch-unreachable]
+  317 |         unsigned char x_u8__; \
+      |                       ^~~~~~
+
+Fixes: 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20211209043456.1377875-1-keescook@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/uaccess.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
+index 33a68407def3f..8ab9e79abb2b4 100644
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -314,11 +314,12 @@ do {                                                                     \
+ do {                                                                  \
+       __chk_user_ptr(ptr);                                            \
+       switch (size) {                                                 \
+-      unsigned char x_u8__;                                           \
+-      case 1:                                                         \
++      case 1: {                                                       \
++              unsigned char x_u8__;                                   \
+               __get_user_asm(x_u8__, ptr, "b", "=q", label);          \
+               (x) = x_u8__;                                           \
+               break;                                                  \
++      }                                                               \
+       case 2:                                                         \
+               __get_user_asm(x, ptr, "w", "=r", label);               \
+               break;                                                  \
+-- 
+2.34.1
+
diff --git a/queue-5.16/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch b/queue-5.16/xfrm-fix-a-small-bug-in-xfrm_sa_len.patch
new file mode 100644 (file)
index 0000000..8dce6cc
--- /dev/null
@@ -0,0 +1,38 @@
+From d801c193c77f8f53caa827c088726bec10cba673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 12:20:19 -0800
+Subject: xfrm: fix a small bug in xfrm_sa_len()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7770a39d7c63faec6c4f33666d49a8cb664d0482 ]
+
+copy_user_offload() will actually push a struct struct xfrm_user_offload,
+which is different than (struct xfrm_state *)->xso
+(struct xfrm_state_offload)
+
+Fixes: d77e38e612a01 ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 7c36cc1f3d79c..0a2d2bae28316 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3058,7 +3058,7 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x)
+       if (x->props.extra_flags)
+               l += nla_total_size(sizeof(x->props.extra_flags));
+       if (x->xso.dev)
+-               l += nla_total_size(sizeof(x->xso));
++               l += nla_total_size(sizeof(struct xfrm_user_offload));
+       if (x->props.smark.v | x->props.smark.m) {
+               l += nla_total_size(sizeof(x->props.smark.v));
+               l += nla_total_size(sizeof(x->props.smark.m));
+-- 
+2.34.1
+
diff --git a/queue-5.16/xfrm-interface-with-if_id-0-should-return-error.patch b/queue-5.16/xfrm-interface-with-if_id-0-should-return-error.patch
new file mode 100644 (file)
index 0000000..d1f5fe9
--- /dev/null
@@ -0,0 +1,69 @@
+From 1c014f5d6737b42552c7452f15ff53259252d086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 11:34:30 +0100
+Subject: xfrm: interface with if_id 0 should return error
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 8dce43919566f06e865f7e8949f5c10d8c2493f5 ]
+
+xfrm interface if_id = 0 would cause xfrm policy lookup errors since
+Commit 9f8550e4bd9d.
+
+Now explicitly fail to create an xfrm interface when if_id = 0
+
+With this commit:
+ ip link add ipsec0  type xfrm dev lo  if_id 0
+ Error: if_id must be non zero.
+
+v1->v2 change:
+ - add Fixes: tag
+
+Fixes: 9f8550e4bd9d ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
+index 41de46b5ffa94..57448fc519fcd 100644
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -637,11 +637,16 @@ static int xfrmi_newlink(struct net *src_net, struct net_device *dev,
+                       struct netlink_ext_ack *extack)
+ {
+       struct net *net = dev_net(dev);
+-      struct xfrm_if_parms p;
++      struct xfrm_if_parms p = {};
+       struct xfrm_if *xi;
+       int err;
+       xfrmi_netlink_parms(data, &p);
++      if (!p.if_id) {
++              NL_SET_ERR_MSG(extack, "if_id must be non zero");
++              return -EINVAL;
++      }
++
+       xi = xfrmi_locate(net, &p);
+       if (xi)
+               return -EEXIST;
+@@ -666,7 +671,12 @@ static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
+ {
+       struct xfrm_if *xi = netdev_priv(dev);
+       struct net *net = xi->net;
+-      struct xfrm_if_parms p;
++      struct xfrm_if_parms p = {};
++
++      if (!p.if_id) {
++              NL_SET_ERR_MSG(extack, "if_id must be non zero");
++              return -EINVAL;
++      }
+       xfrmi_netlink_parms(data, &p);
+       xi = xfrmi_locate(net, &p);
+-- 
+2.34.1
+
diff --git a/queue-5.16/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch b/queue-5.16/xfrm-rate-limit-sa-mapping-change-message-to-user-sp.patch
new file mode 100644 (file)
index 0000000..e7657be
--- /dev/null
@@ -0,0 +1,211 @@
+From 867d6e0495e7b4f9c7171c79bc2d20c6174fe92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 14:11:18 +0100
+Subject: xfrm: rate limit SA mapping change message to user space
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 4e484b3e969b52effd95c17f7a86f39208b2ccf4 ]
+
+Kernel generates mapping change message, XFRM_MSG_MAPPING,
+when a source port chage is detected on a input state with UDP
+encapsulation set.  Kernel generates a message for each IPsec packet
+with new source port.  For a high speed flow per packet mapping change
+message can be excessive, and can overload the user space listener.
+
+Introduce rate limiting for XFRM_MSG_MAPPING message to the user space.
+
+The rate limiting is configurable via netlink, when adding a new SA or
+updating it. Use the new attribute XFRMA_MTIMER_THRESH in seconds.
+
+v1->v2 change:
+       update xfrm_sa_len()
+
+v2->v3 changes:
+       use u32 insted unsigned long to reduce size of struct xfrm_state
+       fix xfrm_ompat size Reported-by: kernel test robot <lkp@intel.com>
+       accept XFRM_MSG_MAPPING only when XFRMA_ENCAP is present
+
+Co-developed-by: Thomas Egerer <thomas.egerer@secunet.com>
+Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h        |  5 +++++
+ include/uapi/linux/xfrm.h |  1 +
+ net/xfrm/xfrm_compat.c    |  6 ++++--
+ net/xfrm/xfrm_state.c     | 23 ++++++++++++++++++++++-
+ net/xfrm/xfrm_user.c      | 18 +++++++++++++++++-
+ 5 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 2308210793a01..2589e4c0501bd 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -200,6 +200,11 @@ struct xfrm_state {
+       struct xfrm_algo_aead   *aead;
+       const char              *geniv;
++      /* mapping change rate limiting */
++      __be16 new_mapping_sport;
++      u32 new_mapping;        /* seconds */
++      u32 mapping_maxage;     /* seconds for input SA */
++
+       /* Data for encapsulator */
+       struct xfrm_encap_tmpl  *encap;
+       struct sock __rcu       *encap_sk;
+diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
+index eda0426ec4c2b..4e29d78518902 100644
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -313,6 +313,7 @@ enum xfrm_attr_type_t {
+       XFRMA_SET_MARK,         /* __u32 */
+       XFRMA_SET_MARK_MASK,    /* __u32 */
+       XFRMA_IF_ID,            /* __u32 */
++      XFRMA_MTIMER_THRESH,    /* __u32 in seconds for input SA */
+       __XFRMA_MAX
+ #define XFRMA_OUTPUT_MARK XFRMA_SET_MARK      /* Compatibility */
+diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
+index 2bf2693901631..a0f62fa02e06e 100644
+--- a/net/xfrm/xfrm_compat.c
++++ b/net/xfrm/xfrm_compat.c
+@@ -127,6 +127,7 @@ static const struct nla_policy compat_policy[XFRMA_MAX+1] = {
+       [XFRMA_SET_MARK]        = { .type = NLA_U32 },
+       [XFRMA_SET_MARK_MASK]   = { .type = NLA_U32 },
+       [XFRMA_IF_ID]           = { .type = NLA_U32 },
++      [XFRMA_MTIMER_THRESH]   = { .type = NLA_U32 },
+ };
+ static struct nlmsghdr *xfrm_nlmsg_put_compat(struct sk_buff *skb,
+@@ -274,9 +275,10 @@ static int xfrm_xlate64_attr(struct sk_buff *dst, const struct nlattr *src)
+       case XFRMA_SET_MARK:
+       case XFRMA_SET_MARK_MASK:
+       case XFRMA_IF_ID:
++      case XFRMA_MTIMER_THRESH:
+               return xfrm_nla_cpy(dst, src, nla_len(src));
+       default:
+-              BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID);
++              BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH);
+               pr_warn_once("unsupported nla_type %d\n", src->nla_type);
+               return -EOPNOTSUPP;
+       }
+@@ -431,7 +433,7 @@ static int xfrm_xlate32_attr(void *dst, const struct nlattr *nla,
+       int err;
+       if (type > XFRMA_MAX) {
+-              BUILD_BUG_ON(XFRMA_MAX != XFRMA_IF_ID);
++              BUILD_BUG_ON(XFRMA_MAX != XFRMA_MTIMER_THRESH);
+               NL_SET_ERR_MSG(extack, "Bad attribute");
+               return -EOPNOTSUPP;
+       }
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index a2f4001221d16..78d51399a0f4b 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1593,6 +1593,9 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+       x->km.seq = orig->km.seq;
+       x->replay = orig->replay;
+       x->preplay = orig->preplay;
++      x->mapping_maxage = orig->mapping_maxage;
++      x->new_mapping = 0;
++      x->new_mapping_sport = 0;
+       return x;
+@@ -2242,7 +2245,7 @@ int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
+ }
+ EXPORT_SYMBOL(km_query);
+-int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
++static int __km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
+ {
+       int err = -EINVAL;
+       struct xfrm_mgr *km;
+@@ -2257,6 +2260,24 @@ int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
+       rcu_read_unlock();
+       return err;
+ }
++
++int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
++{
++      int ret = 0;
++
++      if (x->mapping_maxage) {
++              if ((jiffies / HZ - x->new_mapping) > x->mapping_maxage ||
++                  x->new_mapping_sport != sport) {
++                      x->new_mapping_sport = sport;
++                      x->new_mapping = jiffies / HZ;
++                      ret = __km_new_mapping(x, ipaddr, sport);
++              }
++      } else {
++              ret = __km_new_mapping(x, ipaddr, sport);
++      }
++
++      return ret;
++}
+ EXPORT_SYMBOL(km_new_mapping);
+ void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid)
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index b571892fe10f5..c60441be883a8 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -282,6 +282,10 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
+       err = 0;
++      if (attrs[XFRMA_MTIMER_THRESH])
++              if (!attrs[XFRMA_ENCAP])
++                      err = -EINVAL;
++
+ out:
+       return err;
+ }
+@@ -521,6 +525,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
+       struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+       struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+       struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
++      struct nlattr *mt = attrs[XFRMA_MTIMER_THRESH];
+       if (re) {
+               struct xfrm_replay_state_esn *replay_esn;
+@@ -552,6 +557,9 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
+       if (rt)
+               x->replay_maxdiff = nla_get_u32(rt);
++
++      if (mt)
++              x->mapping_maxage = nla_get_u32(mt);
+ }
+ static void xfrm_smark_init(struct nlattr **attrs, struct xfrm_mark *m)
+@@ -1029,8 +1037,13 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
+               if (ret)
+                       goto out;
+       }
+-      if (x->security)
++      if (x->security) {
+               ret = copy_sec_ctx(x->security, skb);
++              if (ret)
++                      goto out;
++      }
++      if (x->mapping_maxage)
++              ret = nla_put_u32(skb, XFRMA_MTIMER_THRESH, x->mapping_maxage);
+ out:
+       return ret;
+ }
+@@ -3084,6 +3097,9 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x)
+       /* Must count x->lastused as it may become non-zero behind our back. */
+       l += nla_total_size_64bit(sizeof(u64));
++      if (x->mapping_maxage)
++              l += nla_total_size(sizeof(x->mapping_maxage));
++
+       return l;
+ }
+-- 
+2.34.1
+
diff --git a/queue-5.16/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch b/queue-5.16/xfrm-state-and-policy-should-fail-if-xfrma_if_id-0.patch
new file mode 100644 (file)
index 0000000..0230895
--- /dev/null
@@ -0,0 +1,84 @@
+From 7d97512fbc6a56ab9c6e3a4786eba3ee896b3555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 11:35:00 +0100
+Subject: xfrm: state and policy should fail if XFRMA_IF_ID 0
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 ]
+
+xfrm ineterface does not allow xfrm if_id = 0
+fail to create or update xfrm state and policy.
+
+With this commit:
+ ip xfrm policy add src 192.0.2.1 dst 192.0.2.2 dir out if_id 0
+ RTNETLINK answers: Invalid argument
+
+ ip xfrm state add src 192.0.2.1 dst 192.0.2.2 proto esp spi 1 \
+            reqid 1 mode tunnel aead 'rfc4106(gcm(aes))' \
+            0x1111111111111111111111111111111111111111 96 if_id 0
+ RTNETLINK answers: Invalid argument
+
+v1->v2 change:
+ - add Fixes: tag
+
+Fixes: 9f8550e4bd9d ("xfrm: fix disable_xfrm sysctl when used on xfrm interfaces")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 0a2d2bae28316..b571892fe10f5 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -621,8 +621,13 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+       xfrm_smark_init(attrs, &x->props.smark);
+-      if (attrs[XFRMA_IF_ID])
++      if (attrs[XFRMA_IF_ID]) {
+               x->if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
++              if (!x->if_id) {
++                      err = -EINVAL;
++                      goto error;
++              }
++      }
+       err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV]);
+       if (err)
+@@ -1413,8 +1418,13 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
+       mark = xfrm_mark_get(attrs, &m);
+-      if (attrs[XFRMA_IF_ID])
++      if (attrs[XFRMA_IF_ID]) {
+               if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
++              if (!if_id) {
++                      err = -EINVAL;
++                      goto out_noput;
++              }
++      }
+       if (p->info.seq) {
+               x = xfrm_find_acq_byseq(net, mark, p->info.seq);
+@@ -1727,8 +1737,13 @@ static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_us
+       xfrm_mark_get(attrs, &xp->mark);
+-      if (attrs[XFRMA_IF_ID])
++      if (attrs[XFRMA_IF_ID]) {
+               xp->if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
++              if (!xp->if_id) {
++                      err = -EINVAL;
++                      goto error;
++              }
++      }
+       return xp;
+  error:
+-- 
+2.34.1
+