--- /dev/null
+From 5bc9de065b8bb9b8dd8799ecb4592d0403b54281 Mon Sep 17 00:00:00 2001
+From: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Date: Wed, 17 Apr 2024 07:56:46 -0700
+Subject: drm/i915/hwmon: Get rid of devm
+
+From: Ashutosh Dixit <ashutosh.dixit@intel.com>
+
+commit 5bc9de065b8bb9b8dd8799ecb4592d0403b54281 upstream.
+
+When both hwmon and hwmon drvdata (on which hwmon depends) are device
+managed resources, the expectation, on device unbind, is that hwmon will be
+released before drvdata. However, in i915 there are two separate code
+paths, which both release either drvdata or hwmon and either can be
+released before the other. These code paths (for device unbind) are as
+follows (see also the bug referenced below):
+
+Call Trace:
+release_nodes+0x11/0x70
+devres_release_group+0xb2/0x110
+component_unbind_all+0x8d/0xa0
+component_del+0xa5/0x140
+intel_pxp_tee_component_fini+0x29/0x40 [i915]
+intel_pxp_fini+0x33/0x80 [i915]
+i915_driver_remove+0x4c/0x120 [i915]
+i915_pci_remove+0x19/0x30 [i915]
+pci_device_remove+0x32/0xa0
+device_release_driver_internal+0x19c/0x200
+unbind_store+0x9c/0xb0
+
+and
+
+Call Trace:
+release_nodes+0x11/0x70
+devres_release_all+0x8a/0xc0
+device_unbind_cleanup+0x9/0x70
+device_release_driver_internal+0x1c1/0x200
+unbind_store+0x9c/0xb0
+
+This means that in i915, if use devm, we cannot gurantee that hwmon will
+always be released before drvdata. Which means that we have a uaf if hwmon
+sysfs is accessed when drvdata has been released but hwmon hasn't.
+
+The only way out of this seems to be do get rid of devm_ and release/free
+everything explicitly during device unbind.
+
+v2: Change commit message and other minor code changes
+v3: Cleanup from i915_hwmon_register on error (Armin Wolf)
+v4: Eliminate potential static analyzer warning (Rodrigo)
+ Eliminate fetch_and_zero (Jani)
+v5: Restore previous logic for ddat_gt->hwmon_dev error return (Andi)
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10366
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240417145646.793223-1-ashutosh.dixit@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_hwmon.c | 46 ++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_hwmon.c
++++ b/drivers/gpu/drm/i915/i915_hwmon.c
+@@ -793,7 +793,7 @@ void i915_hwmon_register(struct drm_i915
+ if (!IS_DGFX(i915))
+ return;
+
+- hwmon = devm_kzalloc(dev, sizeof(*hwmon), GFP_KERNEL);
++ hwmon = kzalloc(sizeof(*hwmon), GFP_KERNEL);
+ if (!hwmon)
+ return;
+
+@@ -819,14 +819,12 @@ void i915_hwmon_register(struct drm_i915
+ hwm_get_preregistration_info(i915);
+
+ /* hwmon_dev points to device hwmon<i> */
+- hwmon_dev = devm_hwmon_device_register_with_info(dev, ddat->name,
+- ddat,
+- &hwm_chip_info,
+- hwm_groups);
+- if (IS_ERR(hwmon_dev)) {
+- i915->hwmon = NULL;
+- return;
+- }
++ hwmon_dev = hwmon_device_register_with_info(dev, ddat->name,
++ ddat,
++ &hwm_chip_info,
++ hwm_groups);
++ if (IS_ERR(hwmon_dev))
++ goto err;
+
+ ddat->hwmon_dev = hwmon_dev;
+
+@@ -839,16 +837,36 @@ void i915_hwmon_register(struct drm_i915
+ if (!hwm_gt_is_visible(ddat_gt, hwmon_energy, hwmon_energy_input, 0))
+ continue;
+
+- hwmon_dev = devm_hwmon_device_register_with_info(dev, ddat_gt->name,
+- ddat_gt,
+- &hwm_gt_chip_info,
+- NULL);
++ hwmon_dev = hwmon_device_register_with_info(dev, ddat_gt->name,
++ ddat_gt,
++ &hwm_gt_chip_info,
++ NULL);
+ if (!IS_ERR(hwmon_dev))
+ ddat_gt->hwmon_dev = hwmon_dev;
+ }
++ return;
++err:
++ i915_hwmon_unregister(i915);
+ }
+
+ void i915_hwmon_unregister(struct drm_i915_private *i915)
+ {
+- fetch_and_zero(&i915->hwmon);
++ struct i915_hwmon *hwmon = i915->hwmon;
++ struct intel_gt *gt;
++ int i;
++
++ if (!hwmon)
++ return;
++
++ for_each_gt(gt, i915, i)
++ if (hwmon->ddat_gt[i].hwmon_dev)
++ hwmon_device_unregister(hwmon->ddat_gt[i].hwmon_dev);
++
++ if (hwmon->ddat.hwmon_dev)
++ hwmon_device_unregister(hwmon->ddat.hwmon_dev);
++
++ mutex_destroy(&hwmon->hwmon_lock);
++
++ kfree(i915->hwmon);
++ i915->hwmon = NULL;
+ }
--- /dev/null
+From bfd546a552e140b0a4c8a21527c39d6d21addb28 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Tue, 28 May 2024 15:06:04 -0700
+Subject: e1000e: move force SMBUS near the end of enable_ulp function
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit bfd546a552e140b0a4c8a21527c39d6d21addb28 upstream.
+
+The commit 861e8086029e ("e1000e: move force SMBUS from enable ulp
+function to avoid PHY loss issue") introduces a regression on
+PCH_MTP_I219_LM18 (PCIID: 0x8086550A). Without the referred commit, the
+ethernet works well after suspend and resume, but after applying the
+commit, the ethernet couldn't work anymore after the resume and the
+dmesg shows that the NIC link changes to 10Mbps (1000Mbps originally):
+
+ [ 43.305084] e1000e 0000:00:1f.6 enp0s31f6: NIC Link is Up 10 Mbps Full Duplex, Flow Control: Rx/Tx
+
+Without the commit, the force SMBUS code will not be executed if
+"return 0" or "goto out" is executed in the enable_ulp(), and in my
+case, the "goto out" is executed since FWSM_FW_VALID is set. But after
+applying the commit, the force SMBUS code will be ran unconditionally.
+
+Here move the force SMBUS code back to enable_ulp() and put it
+immediately ahead of hw->phy.ops.release(hw), this could allow the
+longest settling time as possible for interface in this function and
+doesn't change the original code logic.
+
+The issue was found on a Lenovo laptop with the ethernet hw as below:
+00:1f.6 Ethernet controller [0200]: Intel Corporation Device [8086:550a]
+(rev 20).
+
+And this patch is verified (cable plug and unplug, system suspend
+and resume) on Lenovo laptops with ethernet hw: [8086:550a],
+[8086:550b], [8086:15bb], [8086:15be], [8086:1a1f], [8086:1a1c] and
+[8086:0dc7].
+
+Fixes: 861e8086029e ("e1000e: move force SMBUS from enable ulp function to avoid PHY loss issue")
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Acked-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Tested-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20240528-net-2024-05-28-intel-net-fixes-v1-1-dc8593d2bbc6@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 22 ++++++++++++++++++++++
+ drivers/net/ethernet/intel/e1000e/netdev.c | 18 ------------------
+ 2 files changed, 22 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1225,6 +1225,28 @@ s32 e1000_enable_ulp_lpt_lp(struct e1000
+ }
+
+ release:
++ /* Switching PHY interface always returns MDI error
++ * so disable retry mechanism to avoid wasting time
++ */
++ e1000e_disable_phy_retry(hw);
++
++ /* Force SMBus mode in PHY */
++ ret_val = e1000_read_phy_reg_hv_locked(hw, CV_SMB_CTRL, &phy_reg);
++ if (ret_val) {
++ e1000e_enable_phy_retry(hw);
++ hw->phy.ops.release(hw);
++ goto out;
++ }
++ phy_reg |= CV_SMB_CTRL_FORCE_SMBUS;
++ e1000_write_phy_reg_hv_locked(hw, CV_SMB_CTRL, phy_reg);
++
++ e1000e_enable_phy_retry(hw);
++
++ /* Force SMBus mode in MAC */
++ mac_reg = er32(CTRL_EXT);
++ mac_reg |= E1000_CTRL_EXT_FORCE_SMBUS;
++ ew32(CTRL_EXT, mac_reg);
++
+ hw->phy.ops.release(hw);
+ out:
+ if (ret_val)
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -6623,7 +6623,6 @@ static int __e1000_shutdown(struct pci_d
+ struct e1000_hw *hw = &adapter->hw;
+ u32 ctrl, ctrl_ext, rctl, status, wufc;
+ int retval = 0;
+- u16 smb_ctrl;
+
+ /* Runtime suspend should only enable wakeup for link changes */
+ if (runtime)
+@@ -6697,23 +6696,6 @@ static int __e1000_shutdown(struct pci_d
+ if (retval)
+ return retval;
+ }
+-
+- /* Force SMBUS to allow WOL */
+- /* Switching PHY interface always returns MDI error
+- * so disable retry mechanism to avoid wasting time
+- */
+- e1000e_disable_phy_retry(hw);
+-
+- e1e_rphy(hw, CV_SMB_CTRL, &smb_ctrl);
+- smb_ctrl |= CV_SMB_CTRL_FORCE_SMBUS;
+- e1e_wphy(hw, CV_SMB_CTRL, smb_ctrl);
+-
+- e1000e_enable_phy_retry(hw);
+-
+- /* Force SMBus mode in MAC */
+- ctrl_ext = er32(CTRL_EXT);
+- ctrl_ext |= E1000_CTRL_EXT_FORCE_SMBUS;
+- ew32(CTRL_EXT, ctrl_ext);
+ }
+
+ /* Ensure that the appropriate bits are set in LPI_CTRL
projects / thirdparty / kernel / stable-queue.git / commitdiff
