Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Mon, 31 Oct 2022 15:23:39 +0000 (11:23 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 31 Oct 2022 15:23:39 +0000 (11:23 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
26 files changed:
queue-4.14/alsa-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch [new file with mode: 0644]
queue-4.14/alsa-aoa-fix-i2s-device-accounting.patch [new file with mode: 0644]
queue-4.14/alsa-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch [new file with mode: 0644]
queue-4.14/amd-xgbe-add-the-bit-rate-quirk-for-molex-cables.patch [new file with mode: 0644]
queue-4.14/amd-xgbe-fix-the-sfp-compliance-codes-check-for-dac-.patch [new file with mode: 0644]
queue-4.14/arc-iounmap-arg-is-volatile.patch [new file with mode: 0644]
queue-4.14/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch [new file with mode: 0644]
queue-4.14/drm-msm-fix-return-type-of-mdp4_lvds_connector_mode_.patch [new file with mode: 0644]
queue-4.14/i40e-fix-ethtool-rx-flow-hash-setting-for-x722.patch [new file with mode: 0644]
queue-4.14/i40e-fix-flow-type-by-setting-gl_hash_inset-register.patch [new file with mode: 0644]
queue-4.14/kcm-annotate-data-races-around-kcm-rx_psock.patch [new file with mode: 0644]
queue-4.14/kcm-annotate-data-races-around-kcm-rx_wait.patch [new file with mode: 0644]
queue-4.14/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch [new file with mode: 0644]
queue-4.14/media-videodev2.h-v4l2_dv_bt_blanking_height-should-.patch [new file with mode: 0644]
queue-4.14/media-vivid-dev-bitmap_cap-wasn-t-freed-in-all-cases.patch [new file with mode: 0644]
queue-4.14/media-vivid-s_fbuf-add-more-sanity-checks.patch [new file with mode: 0644]
queue-4.14/net-ehea-fix-possible-memory-leak-in-ehea_register_p.patch [new file with mode: 0644]
queue-4.14/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch [new file with mode: 0644]
queue-4.14/net-ksz884x-fix-missing-pci_disable_device-on-error-.patch [new file with mode: 0644]
queue-4.14/net-lantiq_etop-don-t-free-skb-when-returning-netdev.patch [new file with mode: 0644]
queue-4.14/openvswitch-switch-from-warn-to-pr_warn.patch [new file with mode: 0644]
queue-4.14/pm-domains-fix-handling-of-unavailable-disabled-idle.patch [new file with mode: 0644]
queue-4.14/pm-hibernate-allow-hybrid-sleep-to-work-with-s2idle.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/tcp-fix-indefinite-deferral-of-rto-with-sack-renegin.patch [new file with mode: 0644]
queue-4.14/x86-unwind-orc-fix-unreliable-stack-dump-with-gcov.patch [new file with mode: 0644]

diff --git a/queue-4.14/alsa-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch b/queue-4.14/alsa-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch
new file mode 100644 (file)
index 0000000..7edaccd
--- /dev/null
@@ -0,0 +1,37 @@
+From 4383121fa7d382d7934d1d9d9166e044599033c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 17:30:25 +0800
+Subject: ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4881bda5ea05c8c240fc8afeaa928e2bc43f61fa ]
+
+If device_register() fails in snd_ac97_dev_register(), it should
+call put_device() to give up reference, or the name allocated in
+dev_set_name() is leaked.
+
+Fixes: 0ca06a00e206 ("[ALSA] AC97 bus interface for ad-hoc drivers")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221019093025.1179475-1-yangyingliang@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/ac97/ac97_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index 1cb2a1ecf3cf..d5dfc7349e70 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -1965,6 +1965,7 @@ static int snd_ac97_dev_register(struct snd_device *device)
+                    snd_ac97_get_short_name(ac97));
+       if ((err = device_register(&ac97->dev)) < 0) {
+               ac97_err(ac97, "Can't register ac97 bus\n");
++              put_device(&ac97->dev);
+               ac97->dev.bus = NULL;
+               return err;
+       }
+-- 
+2.35.1
+
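Review bot: `ac97->dev.bus = NULL` is still executed after the added `put_device(&ac97->dev)`, so the error path touches the embedded device after giving up the reference; that is only safe if the release callback installed for `ac97->dev` does not free the containing `struct snd_ac97`, which cannot be seen from this hunk. If that holds, a one-line comment would make the ordering deliberate: `/* release the dev_set_name() allocation; the release callback does not free ac97 */`. If it does not, the `put_device()` call should move below the `ac97->dev.bus = NULL` line. snd_ac97_dev_register() starts and ends outside the hunk.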
diff --git a/queue-4.14/alsa-aoa-fix-i2s-device-accounting.patch b/queue-4.14/alsa-aoa-fix-i2s-device-accounting.patch
new file mode 100644 (file)
index 0000000..b0dfed0
--- /dev/null
@@ -0,0 +1,49 @@
+From 238ac5c47aca16f8c75077489b0b9798aef05415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 08:52:33 +0200
+Subject: ALSA: aoa: Fix I2S device accounting
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit f1fae475f10a26b7e34da4ff2e2f19b7feb3548e ]
+
+i2sbus_add_dev() is supposed to return the number of probed devices,
+i.e. either 1 or 0.  However, i2sbus_add_dev() has one error handling
+that returns -ENODEV; this will screw up the accumulation number
+counted in the caller, i2sbus_probe().
+
+Fix the return value to 0 and add the comment for better understanding
+for readers.
+
+Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Link: https://lore.kernel.org/r/20221027065233.13292-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/aoa/soundbus/i2sbus/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/aoa/soundbus/i2sbus/core.c b/sound/aoa/soundbus/i2sbus/core.c
+index c016df586992..2811e1f1e2fa 100644
+--- a/sound/aoa/soundbus/i2sbus/core.c
++++ b/sound/aoa/soundbus/i2sbus/core.c
+@@ -148,6 +148,7 @@ static int i2sbus_get_and_fixup_rsrc(struct device_node *np, int index,
+       return rc;
+ }
++/* Returns 1 if added, 0 for otherwise; don't return a negative value! */
+ /* FIXME: look at device node refcounting */
+ static int i2sbus_add_dev(struct macio_dev *macio,
+                         struct i2sbus_control *control,
+@@ -213,7 +214,7 @@ static int i2sbus_add_dev(struct macio_dev *macio,
+        * either as the second one in that case is just a modem. */
+       if (!ok) {
+               kfree(dev);
+-              return -ENODEV;
++              return 0;
+       }
+       mutex_init(&dev->lock);
+-- 
+2.35.1
+
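Review bot: The new comment above i2sbus_add_dev() documents a "never negative" return contract, but the hunk only fixes the `!ok` exit; the function's other early exits, including the `goto err` path, lie outside the hunk, so the contract is asserted rather than shown to hold in the 4.14 tree. Worth confirming that every `return` in the 4.14 version of i2sbus_add_dev() yields 0 or 1, since the caller's device count depends on it. The `index` line (c016df586992..2811e1f1e2fa) shows this patch applies on top of queue-4.14/alsa-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch, whose post-image is c016df586992, so the series file must keep that order. i2sbus_add_dev() starts and ends outside the hunk.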
diff --git a/queue-4.14/alsa-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch b/queue-4.14/alsa-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch
new file mode 100644 (file)
index 0000000..e6cd2f5
--- /dev/null
@@ -0,0 +1,42 @@
+From 8520500a1d35c000ede5bdd57dabc3fd1125cba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 09:34:38 +0800
+Subject: ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4a4c8482e370d697738a78dcd7bf2780832cb712 ]
+
+dev_set_name() in soundbus_add_one() allocates memory for name, it need be
+freed when of_device_register() fails, call soundbus_dev_put() to give up
+the reference that hold in device_initialize(), so that it can be freed in
+kobject_cleanup() when the refcount hit to 0. And other resources are also
+freed in i2sbus_release_dev(), so it can return 0 directly.
+
+Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221027013438.991920-1-yangyingliang@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/aoa/soundbus/i2sbus/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/aoa/soundbus/i2sbus/core.c b/sound/aoa/soundbus/i2sbus/core.c
+index 000b58522106..c016df586992 100644
+--- a/sound/aoa/soundbus/i2sbus/core.c
++++ b/sound/aoa/soundbus/i2sbus/core.c
+@@ -302,6 +302,10 @@ static int i2sbus_add_dev(struct macio_dev *macio,
+       if (soundbus_add_one(&dev->sound)) {
+               printk(KERN_DEBUG "i2sbus: device registration error!\n");
++              if (dev->sound.ofdev.dev.kobj.state_initialized) {
++                      soundbus_dev_put(&dev->sound);
++                      return 0;
++              }
+               goto err;
+       }
+-- 
+2.35.1
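Review bot: The new early `return 0` on the `soundbus_add_one()` failure path bypasses the `goto err` cleanup and relies on `soundbus_dev_put()` dropping the last reference so that i2sbus_release_dev() (per the commit message) frees the remaining resources and `dev`; if anything else still holds a reference at that point, that cleanup is deferred rather than done here. Testing `dev->sound.ofdev.dev.kobj.state_initialized` directly also bakes a driver-core internal into the caller, so a comment should say why it is consulted: `/* device_initialize() already ran: drop our ref so i2sbus_release_dev() frees everything */`. i2sbus_add_dev() starts and ends outside the hunk.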
+
diff --git a/queue-4.14/amd-xgbe-add-the-bit-rate-quirk-for-molex-cables.patch b/queue-4.14/amd-xgbe-add-the-bit-rate-quirk-for-molex-cables.patch
new file mode 100644 (file)
index 0000000..021d79b
--- /dev/null
@@ -0,0 +1,61 @@
+From 4b0e33e17b9d77e8b19f5d1bcb83886ea8c73196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 12:12:15 +0530
+Subject: amd-xgbe: add the bit rate quirk for Molex cables
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 170a9e341a3b02c0b2ea0df16ef14a33a4f41de8 ]
+
+The offset 12 (bit-rate) of EEPROM SFP DAC (passive) cables is expected
+to be in the range 0x64 to 0x68. However, the 5 meter and 7 meter Molex
+passive cables have the rate ceiling 0x78 at offset 12.
+
+Add a quirk for Molex passive cables to extend the rate ceiling to 0x78.
+
+Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index d432489c093a..3ccdac464cf5 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -237,6 +237,7 @@ enum xgbe_sfp_speed {
+ #define XGBE_SFP_BASE_BR_1GBE_MAX             0x0d
+ #define XGBE_SFP_BASE_BR_10GBE_MIN            0x64
+ #define XGBE_SFP_BASE_BR_10GBE_MAX            0x68
++#define XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX      0x78
+ #define XGBE_SFP_BASE_CU_CABLE_LEN            18
+@@ -273,6 +274,8 @@ struct xgbe_sfp_eeprom {
+ #define XGBE_BEL_FUSE_VENDOR  "BEL-FUSE        "
+ #define XGBE_BEL_FUSE_PARTNO  "1GBT-SFP06      "
++#define XGBE_MOLEX_VENDOR     "Molex Inc.      "
++
+ struct xgbe_sfp_ascii {
+       union {
+               char vendor[XGBE_SFP_BASE_VENDOR_NAME_LEN + 1];
+@@ -840,7 +843,11 @@ static bool xgbe_phy_sfp_bit_rate(struct xgbe_sfp_eeprom *sfp_eeprom,
+               break;
+       case XGBE_SFP_SPEED_10000:
+               min = XGBE_SFP_BASE_BR_10GBE_MIN;
+-              max = XGBE_SFP_BASE_BR_10GBE_MAX;
++              if (memcmp(&sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_NAME],
++                         XGBE_MOLEX_VENDOR, XGBE_SFP_BASE_VENDOR_NAME_LEN) == 0)
++                      max = XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX;
++              else
++                      max = XGBE_SFP_BASE_BR_10GBE_MAX;
+               break;
+       default:
+               return false;
+-- 
+2.35.1
+
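Review bot: The `memcmp()` added in the `XGBE_SFP_SPEED_10000` case compares `XGBE_SFP_BASE_VENDOR_NAME_LEN` bytes against the `XGBE_MOLEX_VENDOR` literal, so the literal's padding must match that length exactly or the comparison reads past it; the new define appears to be padded like the existing `XGBE_BEL_FUSE_VENDOR`, but nothing enforces that. A `BUILD_BUG_ON(sizeof(XGBE_MOLEX_VENDOR) - 1 != XGBE_SFP_BASE_VENDOR_NAME_LEN);` next to the comparison would pin it. The new `XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX` define would also benefit from the rationale from the commit message: `/* 5 m and 7 m Molex passive cables report a 0x78 rate ceiling at EEPROM offset 12 */`. xgbe_phy_sfp_bit_rate() starts and ends outside the hunk.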
diff --git a/queue-4.14/amd-xgbe-fix-the-sfp-compliance-codes-check-for-dac-.patch b/queue-4.14/amd-xgbe-fix-the-sfp-compliance-codes-check-for-dac-.patch
new file mode 100644 (file)
index 0000000..0566968
--- /dev/null
@@ -0,0 +1,54 @@
+From 782c7a23b0c841b8176c9f009bc62932a5403d0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 12:12:14 +0530
+Subject: amd-xgbe: fix the SFP compliance codes check for DAC cables
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 09c5f6bf11ac98874339e55f4f5f79a9dbc9b375 ]
+
+The current XGBE code assumes that offset 6 of EEPROM SFP DAC (passive)
+cables is NULL. However, some cables (the 5 meter and 7 meter Molex
+passive cables) have non-zero data at offset 6. Fix the logic by moving
+the passive cable check above the active checks, so as not to be
+improperly identified as an active cable. This will fix the issue for
+any passive cable that advertises 1000Base-CX in offset 6.
+
+Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 4a4370a470fd..d432489c093a 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -1095,7 +1095,10 @@ static void xgbe_phy_sfp_parse_eeprom(struct xgbe_prv_data *pdata)
+       }
+       /* Determine the type of SFP */
+-      if (sfp_base[XGBE_SFP_BASE_10GBE_CC] & XGBE_SFP_BASE_10GBE_CC_SR)
++      if (phy_data->sfp_cable == XGBE_SFP_CABLE_PASSIVE &&
++          xgbe_phy_sfp_bit_rate(sfp_eeprom, XGBE_SFP_SPEED_10000))
++              phy_data->sfp_base = XGBE_SFP_BASE_10000_CR;
++      else if (sfp_base[XGBE_SFP_BASE_10GBE_CC] & XGBE_SFP_BASE_10GBE_CC_SR)
+               phy_data->sfp_base = XGBE_SFP_BASE_10000_SR;
+       else if (sfp_base[XGBE_SFP_BASE_10GBE_CC] & XGBE_SFP_BASE_10GBE_CC_LR)
+               phy_data->sfp_base = XGBE_SFP_BASE_10000_LR;
+@@ -1111,9 +1114,6 @@ static void xgbe_phy_sfp_parse_eeprom(struct xgbe_prv_data *pdata)
+               phy_data->sfp_base = XGBE_SFP_BASE_1000_CX;
+       else if (sfp_base[XGBE_SFP_BASE_1GBE_CC] & XGBE_SFP_BASE_1GBE_CC_T)
+               phy_data->sfp_base = XGBE_SFP_BASE_1000_T;
+-      else if ((phy_data->sfp_cable == XGBE_SFP_CABLE_PASSIVE) &&
+-               xgbe_phy_sfp_bit_rate(sfp_eeprom, XGBE_SFP_SPEED_10000))
+-              phy_data->sfp_base = XGBE_SFP_BASE_10000_CR;
+       switch (phy_data->sfp_base) {
+       case XGBE_SFP_BASE_1000_T:
+-- 
+2.35.1
+
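Review bot: The passive-DAC check moved to the head of the chain still depends on `xgbe_phy_sfp_bit_rate()` accepting the cable's rate byte, and for the 5 m/7 m Molex cables named in the commit message that only holds once queue-4.14/amd-xgbe-add-the-bit-rate-quirk-for-molex-cables.patch is applied; the `index` lines (4a4370a470fd..d432489c093a here, d432489c093a..3ccdac464cf5 there) show this patch lands first, so the series must carry both for the fix to be complete. A passive cable that still fails the rate check now falls through to the SR/LR/1G branches as before, which deserves a one-line comment above the new `if`: `/* passive DAC first: some cables also advertise 1000Base-CX in offset 6 */`. xgbe_phy_sfp_parse_eeprom() starts and ends outside the hunk.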
diff --git a/queue-4.14/arc-iounmap-arg-is-volatile.patch b/queue-4.14/arc-iounmap-arg-is-volatile.patch
new file mode 100644 (file)
index 0000000..c256bab
--- /dev/null
@@ -0,0 +1,59 @@
+From b692605da1c7c5f12f6d009d89d2c2bfa5aba013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Oct 2022 19:28:46 -0700
+Subject: arc: iounmap() arg is volatile
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit c44f15c1c09481d50fd33478ebb5b8284f8f5edb ]
+
+Add 'volatile' to iounmap()'s argument to prevent build warnings.
+This make it the same as other major architectures.
+
+Placates these warnings: (12 such warnings)
+
+../drivers/video/fbdev/riva/fbdev.c: In function 'rivafb_probe':
+../drivers/video/fbdev/riva/fbdev.c:2067:42: error: passing argument 1 of 'iounmap' discards 'volatile' qualifier from pointer target type [-Werror=discarded-qualifiers]
+ 2067 |                 iounmap(default_par->riva.PRAMIN);
+
+Fixes: 1162b0701b14b ("ARC: I/O and DMA Mappings")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@kernel.org>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Vineet Gupta <vgupta@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/io.h | 2 +-
+ arch/arc/mm/ioremap.c     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arc/include/asm/io.h b/arch/arc/include/asm/io.h
+index 2f39d9b3886e..19d0cab60a39 100644
+--- a/arch/arc/include/asm/io.h
++++ b/arch/arc/include/asm/io.h
+@@ -35,7 +35,7 @@ static inline void ioport_unmap(void __iomem *addr)
+ {
+ }
+-extern void iounmap(const void __iomem *addr);
++extern void iounmap(const volatile void __iomem *addr);
+ #define ioremap_nocache(phy, sz)      ioremap(phy, sz)
+ #define ioremap_wc(phy, sz)           ioremap(phy, sz)
+diff --git a/arch/arc/mm/ioremap.c b/arch/arc/mm/ioremap.c
+index 9881bd740ccc..0719b1280ef8 100644
+--- a/arch/arc/mm/ioremap.c
++++ b/arch/arc/mm/ioremap.c
+@@ -95,7 +95,7 @@ void __iomem *ioremap_prot(phys_addr_t paddr, unsigned long size,
+ EXPORT_SYMBOL(ioremap_prot);
+-void iounmap(const void __iomem *addr)
++void iounmap(const volatile void __iomem *addr)
+ {
+       /* weird double cast to handle phys_addr_t > 32 bits */
+       if (arc_uncached_addr_space((phys_addr_t)(u32)addr))
+-- 
+2.35.1
+
diff --git a/queue-4.14/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch b/queue-4.14/can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch
new file mode 100644 (file)
index 0000000..f915acd
--- /dev/null
@@ -0,0 +1,60 @@
+From ede96c902524d5264ec539523da43d9cef650496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 19:48:07 +0800
+Subject: can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in
+ error path
+
+From: Dongliang Mu <dzm91@hust.edu.cn>
+
+[ Upstream commit 3e5b3418827cefb5e1cc658806f02965791b8f07 ]
+
+The commit 1149108e2fbf ("can: mscan: improve clock API use") only
+adds put_clock() in mpc5xxx_can_remove() function, forgetting to add
+put_clock() in the error handling code.
+
+Fix this bug by adding put_clock() in the error handling code.
+
+Fixes: 1149108e2fbf ("can: mscan: improve clock API use")
+Signed-off-by: Dongliang Mu <dzm91@hust.edu.cn>
+Link: https://lore.kernel.org/all/20221024133828.35881-1-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/mscan/mpc5xxx_can.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/mscan/mpc5xxx_can.c b/drivers/net/can/mscan/mpc5xxx_can.c
+index 2949a381a94d..21993ba7ae2a 100644
+--- a/drivers/net/can/mscan/mpc5xxx_can.c
++++ b/drivers/net/can/mscan/mpc5xxx_can.c
+@@ -336,14 +336,14 @@ static int mpc5xxx_can_probe(struct platform_device *ofdev)
+                                              &mscan_clksrc);
+       if (!priv->can.clock.freq) {
+               dev_err(&ofdev->dev, "couldn't get MSCAN clock properties\n");
+-              goto exit_free_mscan;
++              goto exit_put_clock;
+       }
+       err = register_mscandev(dev, mscan_clksrc);
+       if (err) {
+               dev_err(&ofdev->dev, "registering %s failed (err=%d)\n",
+                       DRV_NAME, err);
+-              goto exit_free_mscan;
++              goto exit_put_clock;
+       }
+       dev_info(&ofdev->dev, "MSCAN at 0x%p, irq %d, clock %d Hz\n",
+@@ -351,7 +351,9 @@ static int mpc5xxx_can_probe(struct platform_device *ofdev)
+       return 0;
+-exit_free_mscan:
++exit_put_clock:
++      if (data->put_clock)
++              data->put_clock(ofdev);
+       free_candev(dev);
+ exit_dispose_irq:
+       irq_dispose_mapping(irq);
+-- 
+2.35.1
+
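Review bot: The first `goto exit_put_clock` fires when the clock lookup left `priv->can.clock.freq` at 0, so `data->put_clock(ofdev)` now runs on a path where the matching get_clock call failed or only partly succeeded; that is correct only if every `put_clock` implementation tolerates that state, which this hunk cannot show. A comment on the label would record the assumption: `/* also reached when the clock lookup failed; put_clock must cope with a partially acquired clock */`. The clock lookup itself and the rest of mpc5xxx_can_probe() are outside the hunk.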
diff --git a/queue-4.14/drm-msm-fix-return-type-of-mdp4_lvds_connector_mode_.patch b/queue-4.14/drm-msm-fix-return-type-of-mdp4_lvds_connector_mode_.patch
new file mode 100644 (file)
index 0000000..32e9bd7
--- /dev/null
@@ -0,0 +1,54 @@
+From bdf54739eb0e634bbe13716c01c8b8ed53f716a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 13:55:48 -0700
+Subject: drm/msm: Fix return type of mdp4_lvds_connector_mode_valid
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 0b33a33bd15d5bab73b87152b220a8d0153a4587 ]
+
+The mode_valid field in drm_connector_helper_funcs is expected to be of
+type:
+enum drm_mode_status (* mode_valid) (struct drm_connector *connector,
+                                     struct drm_display_mode *mode);
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of mdp4_lvds_connector_mode_valid should be changed from
+int to enum drm_mode_status.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Fixes: 3e87599b68e7 ("drm/msm/mdp4: add LVDS panel support")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Patchwork: https://patchwork.freedesktop.org/patch/502878/
+Link: https://lore.kernel.org/r/20220913205551.155128-1-nhuck@google.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_connector.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_connector.c b/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_connector.c
+index e3b1c86b7aae..5c932b3fb831 100644
+--- a/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_connector.c
++++ b/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_connector.c
+@@ -71,8 +71,9 @@ static int mdp4_lvds_connector_get_modes(struct drm_connector *connector)
+       return ret;
+ }
+-static int mdp4_lvds_connector_mode_valid(struct drm_connector *connector,
+-                               struct drm_display_mode *mode)
++static enum drm_mode_status
++mdp4_lvds_connector_mode_valid(struct drm_connector *connector,
++                             struct drm_display_mode *mode)
+ {
+       struct mdp4_lvds_connector *mdp4_lvds_connector =
+                       to_mdp4_lvds_connector(connector);
+-- 
+2.35.1
+
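Review bot: Changing the return type to `enum drm_mode_status` only fixes the kCFI mismatch if the body of mdp4_lvds_connector_mode_valid() already returns `MODE_*` values; if the 4.14 body still returns plain ints (0 or a negative errno), the new type compiles but the helper hands the DRM core values it does not interpret. Worth checking the remaining `return` statements in the 4.14 version before queuing. The function body continues outside the hunk.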
diff --git a/queue-4.14/i40e-fix-ethtool-rx-flow-hash-setting-for-x722.patch b/queue-4.14/i40e-fix-ethtool-rx-flow-hash-setting-for-x722.patch
new file mode 100644 (file)
index 0000000..5a21123
--- /dev/null
@@ -0,0 +1,129 @@
+From b6ccb75fd3c4c3e47107c71b94178f2eaaf73c69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 03:05:24 -0700
+Subject: i40e: Fix ethtool rx-flow-hash setting for X722
+
+From: Slawomir Laba <slawomirx.laba@intel.com>
+
+[ Upstream commit 54b5af5a438076082d482cab105b1bd484ab5074 ]
+
+When enabling flow type for RSS hash via ethtool:
+
+ethtool -N $pf rx-flow-hash tcp4|tcp6|udp4|udp6 s|d
+
+the driver would fail to setup this setting on X722
+device since it was using the mask on the register
+dedicated for X710 devices.
+
+Apply a different mask on the register when setting the
+RSS hash for the X722 device.
+
+When displaying the flow types enabled via ethtool:
+
+ethtool -n $pf rx-flow-hash tcp4|tcp6|udp4|udp6
+
+the driver would print wrong values for X722 device.
+
+Fix this issue by testing masks for X722 device in
+i40e_get_rss_hash_opts function.
+
+Fixes: eb0dd6e4a3b3 ("i40e: Allow RSS Hash set with less than four parameters")
+Signed-off-by: Slawomir Laba <slawomirx.laba@intel.com>
+Signed-off-by: Michal Jaron <michalx.jaron@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20221024100526.1874914-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_ethtool.c    | 31 ++++++++++++++-----
+ drivers/net/ethernet/intel/i40e/i40e_type.h   |  4 +++
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 21648dab13e0..615558bb545a 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2375,10 +2375,17 @@ static int i40e_get_rss_hash_opts(struct i40e_pf *pf, struct ethtool_rxnfc *cmd)
+               if (cmd->flow_type == TCP_V4_FLOW ||
+                   cmd->flow_type == UDP_V4_FLOW) {
+-                      if (i_set & I40E_L3_SRC_MASK)
+-                              cmd->data |= RXH_IP_SRC;
+-                      if (i_set & I40E_L3_DST_MASK)
+-                              cmd->data |= RXH_IP_DST;
++                      if (hw->mac.type == I40E_MAC_X722) {
++                              if (i_set & I40E_X722_L3_SRC_MASK)
++                                      cmd->data |= RXH_IP_SRC;
++                              if (i_set & I40E_X722_L3_DST_MASK)
++                                      cmd->data |= RXH_IP_DST;
++                      } else {
++                              if (i_set & I40E_L3_SRC_MASK)
++                                      cmd->data |= RXH_IP_SRC;
++                              if (i_set & I40E_L3_DST_MASK)
++                                      cmd->data |= RXH_IP_DST;
++                      }
+               } else if (cmd->flow_type == TCP_V6_FLOW ||
+                         cmd->flow_type == UDP_V6_FLOW) {
+                       if (i_set & I40E_L3_V6_SRC_MASK)
+@@ -2683,12 +2690,15 @@ static int i40e_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
+ /**
+  * i40e_get_rss_hash_bits - Read RSS Hash bits from register
++ * @hw: hw structure
+  * @nfc: pointer to user request
+  * @i_setc bits currently set
+  *
+  * Returns value of bits to be set per user request
+  **/
+-static u64 i40e_get_rss_hash_bits(struct ethtool_rxnfc *nfc, u64 i_setc)
++static u64 i40e_get_rss_hash_bits(struct i40e_hw *hw,
++                                struct ethtool_rxnfc *nfc,
++                                u64 i_setc)
+ {
+       u64 i_set = i_setc;
+       u64 src_l3 = 0, dst_l3 = 0;
+@@ -2707,8 +2717,13 @@ static u64 i40e_get_rss_hash_bits(struct ethtool_rxnfc *nfc, u64 i_setc)
+               dst_l3 = I40E_L3_V6_DST_MASK;
+       } else if (nfc->flow_type == TCP_V4_FLOW ||
+                 nfc->flow_type == UDP_V4_FLOW) {
+-              src_l3 = I40E_L3_SRC_MASK;
+-              dst_l3 = I40E_L3_DST_MASK;
++              if (hw->mac.type == I40E_MAC_X722) {
++                      src_l3 = I40E_X722_L3_SRC_MASK;
++                      dst_l3 = I40E_X722_L3_DST_MASK;
++              } else {
++                      src_l3 = I40E_L3_SRC_MASK;
++                      dst_l3 = I40E_L3_DST_MASK;
++              }
+       } else {
+               /* Any other flow type are not supported here */
+               return i_set;
+@@ -2823,7 +2838,7 @@ static int i40e_set_rss_hash_opt(struct i40e_pf *pf, struct ethtool_rxnfc *nfc)
+                                              flow_pctype)) |
+                       ((u64)i40e_read_rx_ctl(hw, I40E_GLQF_HASH_INSET(1,
+                                              flow_pctype)) << 32);
+-              i_set = i40e_get_rss_hash_bits(nfc, i_setc);
++              i_set = i40e_get_rss_hash_bits(&pf->hw, nfc, i_setc);
+               i40e_write_rx_ctl(hw, I40E_GLQF_HASH_INSET(0, flow_pctype),
+                                 (u32)i_set);
+               i40e_write_rx_ctl(hw, I40E_GLQF_HASH_INSET(1, flow_pctype),
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_type.h b/drivers/net/ethernet/intel/i40e/i40e_type.h
+index fd4bbdd88b57..8338bd348d26 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_type.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_type.h
+@@ -1433,6 +1433,10 @@ struct i40e_lldp_variables {
+ #define I40E_PFQF_CTL_0_HASHLUTSIZE_512       0x00010000
+ /* INPUT SET MASK for RSS, flow director, and flexible payload */
++#define I40E_X722_L3_SRC_SHIFT                49
++#define I40E_X722_L3_SRC_MASK         (0x3ULL << I40E_X722_L3_SRC_SHIFT)
++#define I40E_X722_L3_DST_SHIFT                41
++#define I40E_X722_L3_DST_MASK         (0x3ULL << I40E_X722_L3_DST_SHIFT)
+ #define I40E_L3_SRC_SHIFT             47
+ #define I40E_L3_SRC_MASK              (0x3ULL << I40E_L3_SRC_SHIFT)
+ #define I40E_L3_V6_SRC_SHIFT          43
+-- 
+2.35.1
+
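Review bot: The updated call in i40e_set_rss_hash_opt() passes `&pf->hw` to `i40e_get_rss_hash_bits()` while the surrounding `i40e_read_rx_ctl(hw, ...)` lines of the same hunk already use a `hw` local, so `i_set = i40e_get_rss_hash_bits(hw, nfc, i_setc);` would be consistent. In the i40e_get_rss_hash_opts() hunk, `hw->mac.type` is read but no `hw` declaration is visible, so the backport relies on the 4.14 version of that function already declaring one; that function starts outside the hunk. Since the kernel-doc block is being edited anyway, `@i_setc bits currently set` should gain its missing colon: `@i_setc: bits currently set`.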
diff --git a/queue-4.14/i40e-fix-flow-type-by-setting-gl_hash_inset-register.patch b/queue-4.14/i40e-fix-flow-type-by-setting-gl_hash_inset-register.patch
new file mode 100644 (file)
index 0000000..6eeaee4
--- /dev/null
@@ -0,0 +1,144 @@
+From a294a15f7545c8c5921302a72641a37d1e8491b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 03:05:26 -0700
+Subject: i40e: Fix flow-type by setting GL_HASH_INSET registers
+
+From: Slawomir Laba <slawomirx.laba@intel.com>
+
+[ Upstream commit 3b32c9932853e11d71f9db012d69e92e4669ba23 ]
+
+Fix setting bits for specific flow_type for GLQF_HASH_INSET register.
+In previous version all of the bits were set only in hena register, while
+in inset only one bit was set. In order for this working correctly on all
+types of cards these bits needs to be set correctly for both hena and inset
+registers.
+
+Fixes: eb0dd6e4a3b3 ("i40e: Allow RSS Hash set with less than four parameters")
+Signed-off-by: Slawomir Laba <slawomirx.laba@intel.com>
+Signed-off-by: Michal Jaron <michalx.jaron@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20221024100526.1874914-3-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_ethtool.c    | 71 ++++++++++---------
+ 1 file changed, 38 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 615558bb545a..0691027e9ce1 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2741,6 +2741,7 @@ static u64 i40e_get_rss_hash_bits(struct i40e_hw *hw,
+       return i_set;
+ }
++#define FLOW_PCTYPES_SIZE 64
+ /**
+  * i40e_set_rss_hash_opt - Enable/Disable flow types for RSS hash
+  * @pf: pointer to the physical function struct
+@@ -2753,9 +2754,11 @@ static int i40e_set_rss_hash_opt(struct i40e_pf *pf, struct ethtool_rxnfc *nfc)
+       struct i40e_hw *hw = &pf->hw;
+       u64 hena = (u64)i40e_read_rx_ctl(hw, I40E_PFQF_HENA(0)) |
+                  ((u64)i40e_read_rx_ctl(hw, I40E_PFQF_HENA(1)) << 32);
+-      u8 flow_pctype = 0;
++      DECLARE_BITMAP(flow_pctypes, FLOW_PCTYPES_SIZE);
+       u64 i_set, i_setc;
++      bitmap_zero(flow_pctypes, FLOW_PCTYPES_SIZE);
++
+       if (pf->flags & I40E_FLAG_MFP_ENABLED) {
+               dev_err(&pf->pdev->dev,
+                       "Change of RSS hash input set is not supported when MFP mode is enabled\n");
+@@ -2771,36 +2774,35 @@ static int i40e_set_rss_hash_opt(struct i40e_pf *pf, struct ethtool_rxnfc *nfc)
+       switch (nfc->flow_type) {
+       case TCP_V4_FLOW:
+-              flow_pctype = I40E_FILTER_PCTYPE_NONF_IPV4_TCP;
++              set_bit(I40E_FILTER_PCTYPE_NONF_IPV4_TCP, flow_pctypes);
+               if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE)
+-                      hena |=
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_IPV4_TCP_SYN_NO_ACK);
++                      set_bit(I40E_FILTER_PCTYPE_NONF_IPV4_TCP_SYN_NO_ACK,
++                              flow_pctypes);
+               break;
+       case TCP_V6_FLOW:
+-              flow_pctype = I40E_FILTER_PCTYPE_NONF_IPV6_TCP;
+-              if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE)
+-                      hena |=
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_IPV4_TCP_SYN_NO_ACK);
++              set_bit(I40E_FILTER_PCTYPE_NONF_IPV6_TCP, flow_pctypes);
+               if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE)
+-                      hena |=
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_IPV6_TCP_SYN_NO_ACK);
++                      set_bit(I40E_FILTER_PCTYPE_NONF_IPV6_TCP_SYN_NO_ACK,
++                              flow_pctypes);
+               break;
+       case UDP_V4_FLOW:
+-              flow_pctype = I40E_FILTER_PCTYPE_NONF_IPV4_UDP;
+-              if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE)
+-                      hena |=
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_UNICAST_IPV4_UDP) |
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_MULTICAST_IPV4_UDP);
+-
++              set_bit(I40E_FILTER_PCTYPE_NONF_IPV4_UDP, flow_pctypes);
++              if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE) {
++                      set_bit(I40E_FILTER_PCTYPE_NONF_UNICAST_IPV4_UDP,
++                              flow_pctypes);
++                      set_bit(I40E_FILTER_PCTYPE_NONF_MULTICAST_IPV4_UDP,
++                              flow_pctypes);
++              }
+               hena |= BIT_ULL(I40E_FILTER_PCTYPE_FRAG_IPV4);
+               break;
+       case UDP_V6_FLOW:
+-              flow_pctype = I40E_FILTER_PCTYPE_NONF_IPV6_UDP;
+-              if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE)
+-                      hena |=
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_UNICAST_IPV6_UDP) |
+-                        BIT_ULL(I40E_FILTER_PCTYPE_NONF_MULTICAST_IPV6_UDP);
+-
++              set_bit(I40E_FILTER_PCTYPE_NONF_IPV6_UDP, flow_pctypes);
++              if (pf->hw_features & I40E_HW_MULTIPLE_TCP_UDP_RSS_PCTYPE) {
++                      set_bit(I40E_FILTER_PCTYPE_NONF_UNICAST_IPV6_UDP,
++                              flow_pctypes);
++                      set_bit(I40E_FILTER_PCTYPE_NONF_MULTICAST_IPV6_UDP,
++                              flow_pctypes);
++              }
+               hena |= BIT_ULL(I40E_FILTER_PCTYPE_FRAG_IPV6);
+               break;
+       case AH_ESP_V4_FLOW:
+@@ -2833,17 +2835,20 @@ static int i40e_set_rss_hash_opt(struct i40e_pf *pf, struct ethtool_rxnfc *nfc)
+               return -EINVAL;
+       }
+-      if (flow_pctype) {
+-              i_setc = (u64)i40e_read_rx_ctl(hw, I40E_GLQF_HASH_INSET(0,
+-                                             flow_pctype)) |
+-                      ((u64)i40e_read_rx_ctl(hw, I40E_GLQF_HASH_INSET(1,
+-                                             flow_pctype)) << 32);
+-              i_set = i40e_get_rss_hash_bits(&pf->hw, nfc, i_setc);
+-              i40e_write_rx_ctl(hw, I40E_GLQF_HASH_INSET(0, flow_pctype),
+-                                (u32)i_set);
+-              i40e_write_rx_ctl(hw, I40E_GLQF_HASH_INSET(1, flow_pctype),
+-                                (u32)(i_set >> 32));
+-              hena |= BIT_ULL(flow_pctype);
++      if (bitmap_weight(flow_pctypes, FLOW_PCTYPES_SIZE)) {
++              u8 flow_id;
++
++              for_each_set_bit(flow_id, flow_pctypes, FLOW_PCTYPES_SIZE) {
++                      i_setc = (u64)i40e_read_rx_ctl(hw, I40E_GLQF_HASH_INSET(0, flow_id)) |
++                               ((u64)i40e_read_rx_ctl(hw, I40E_GLQF_HASH_INSET(1, flow_id)) << 32);
++                      i_set = i40e_get_rss_hash_bits(&pf->hw, nfc, i_setc);
++
++                      i40e_write_rx_ctl(hw, I40E_GLQF_HASH_INSET(0, flow_id),
++                                        (u32)i_set);
++                      i40e_write_rx_ctl(hw, I40E_GLQF_HASH_INSET(1, flow_id),
++                                        (u32)(i_set >> 32));
++                      hena |= BIT_ULL(flow_id);
++              }
+       }
+       i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), (u32)hena);
+-- 
+2.35.1
+
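Review bot: The `if (bitmap_weight(flow_pctypes, FLOW_PCTYPES_SIZE))` guard around the `for_each_set_bit()` loop is redundant, since the loop body never runs on an empty bitmap, and bitmap_weight() is a full popcount of the map, so the guard adds cost without changing behaviour; dropping it and de-indenting the loop reads more cleanly. Using `u8 flow_id` as the `for_each_set_bit()` cursor works only because the map is 64 bits wide, while the macro yields an `unsigned long`, so `unsigned int flow_id` avoids relying on that truncation. `#define FLOW_PCTYPES_SIZE 64` is also added at file scope without saying why 64; a comment tying it to the 64-bit `hena` value assembled from the two `I40E_PFQF_HENA` registers would help readers. i40e_set_rss_hash_opt() starts and ends outside the hunk.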
diff --git a/queue-4.14/kcm-annotate-data-races-around-kcm-rx_psock.patch b/queue-4.14/kcm-annotate-data-races-around-kcm-rx_psock.patch
new file mode 100644 (file)
index 0000000..9f15184
--- /dev/null
@@ -0,0 +1,101 @@
+From 9f129b614105c6c31f3c25766891ada1fe9d56ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 22:45:11 +0000
+Subject: kcm: annotate data-races around kcm->rx_psock
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 15e4dabda11b0fa31d510a915d1a580f47dfc92e ]
+
+kcm->rx_psock can be read locklessly in kcm_rfree().
+Annotate the read and writes accordingly.
+
+We do the same for kcm->rx_wait in the following patch.
+
+syzbot reported:
+BUG: KCSAN: data-race in kcm_rfree / unreserve_rx_kcm
+
+write to 0xffff888123d827b8 of 8 bytes by task 2758 on cpu 1:
+unreserve_rx_kcm+0x72/0x1f0 net/kcm/kcmsock.c:313
+kcm_rcv_strparser+0x2b5/0x3a0 net/kcm/kcmsock.c:373
+__strp_recv+0x64c/0xd20 net/strparser/strparser.c:301
+strp_recv+0x6d/0x80 net/strparser/strparser.c:335
+tcp_read_sock+0x13e/0x5a0 net/ipv4/tcp.c:1703
+strp_read_sock net/strparser/strparser.c:358 [inline]
+do_strp_work net/strparser/strparser.c:406 [inline]
+strp_work+0xe8/0x180 net/strparser/strparser.c:415
+process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
+worker_thread+0x618/0xa70 kernel/workqueue.c:2436
+kthread+0x1a9/0x1e0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+
+read to 0xffff888123d827b8 of 8 bytes by task 5859 on cpu 0:
+kcm_rfree+0x14c/0x220 net/kcm/kcmsock.c:181
+skb_release_head_state+0x8e/0x160 net/core/skbuff.c:841
+skb_release_all net/core/skbuff.c:852 [inline]
+__kfree_skb net/core/skbuff.c:868 [inline]
+kfree_skb_reason+0x5c/0x260 net/core/skbuff.c:891
+kfree_skb include/linux/skbuff.h:1216 [inline]
+kcm_recvmsg+0x226/0x2b0 net/kcm/kcmsock.c:1161
+____sys_recvmsg+0x16c/0x2e0
+___sys_recvmsg net/socket.c:2743 [inline]
+do_recvmmsg+0x2f1/0x710 net/socket.c:2837
+__sys_recvmmsg net/socket.c:2916 [inline]
+__do_sys_recvmmsg net/socket.c:2939 [inline]
+__se_sys_recvmmsg net/socket.c:2932 [inline]
+__x64_sys_recvmmsg+0xde/0x160 net/socket.c:2932
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0xffff88812971ce00 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 5859 Comm: syz-executor.3 Not tainted 6.0.0-syzkaller-12189-g19d17ab7c68b-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index c364d849e7c3..ce022c2e320e 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -180,7 +180,7 @@ static void kcm_rfree(struct sk_buff *skb)
+       /* For reading rx_wait and rx_psock without holding lock */
+       smp_mb__after_atomic();
+-      if (!kcm->rx_wait && !kcm->rx_psock &&
++      if (!kcm->rx_wait && !READ_ONCE(kcm->rx_psock) &&
+           sk_rmem_alloc_get(sk) < sk->sk_rcvlowat) {
+               spin_lock_bh(&mux->rx_lock);
+               kcm_rcv_ready(kcm);
+@@ -285,7 +285,8 @@ static struct kcm_sock *reserve_rx_kcm(struct kcm_psock *psock,
+       kcm->rx_wait = false;
+       psock->rx_kcm = kcm;
+-      kcm->rx_psock = psock;
++      /* paired with lockless reads in kcm_rfree() */
++      WRITE_ONCE(kcm->rx_psock, psock);
+       spin_unlock_bh(&mux->rx_lock);
+@@ -312,7 +313,8 @@ static void unreserve_rx_kcm(struct kcm_psock *psock,
+       spin_lock_bh(&mux->rx_lock);
+       psock->rx_kcm = NULL;
+-      kcm->rx_psock = NULL;
++      /* paired with lockless reads in kcm_rfree() */
++      WRITE_ONCE(kcm->rx_psock, NULL);
+       /* Commit kcm->rx_psock before sk_rmem_alloc_get to sync with
+        * kcm_rfree
+-- 
+2.35.1
+
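Review bot: The new `WRITE_ONCE`/`READ_ONCE` annotations on kcm->rx_psock only make the accesses single-copy atomic and quiet KCSAN; the cross-CPU ordering that kcm_rfree() relies on is still provided by `smp_mb__after_atomic()` on the read side and by the barrier the existing "Commit kcm->rx_psock before sk_rmem_alloc_get" comment refers to on the write side (that barrier itself is outside the hunk). Stating that in the added comments, e.g. `/* paired with lockless reads in kcm_rfree(); ordering is provided by the barrier below */` in unreserve_rx_kcm(), avoids the annotation being mistaken for the synchronisation itself. The same applies to the companion rx_wait hunk in this commit (the kcm-annotate-data-races-around-kcm-rx_wait.patch file), where the remaining plain reads of rx_wait and rx_psock in kcm_recv_disable() and kcm_done() are presumably made under mux->rx_lock and would benefit from a one-line comment saying so. Each of the touched functions starts and ends outside its hunk.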
diff --git a/queue-4.14/kcm-annotate-data-races-around-kcm-rx_wait.patch b/queue-4.14/kcm-annotate-data-races-around-kcm-rx_wait.patch
new file mode 100644 (file)
index 0000000..20cfdff
--- /dev/null
@@ -0,0 +1,130 @@
+From fc5962c90a6c54c895a6fec19b7301970193e4ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 22:45:12 +0000
+Subject: kcm: annotate data-races around kcm->rx_wait
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0c745b5141a45a076f1cb9772a399f7ebcb0948a ]
+
+kcm->rx_psock can be read locklessly in kcm_rfree().
+Annotate the read and writes accordingly.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in kcm_rcv_strparser / kcm_rfree
+
+write to 0xffff88810784e3d0 of 1 bytes by task 1823 on cpu 1:
+reserve_rx_kcm net/kcm/kcmsock.c:283 [inline]
+kcm_rcv_strparser+0x250/0x3a0 net/kcm/kcmsock.c:363
+__strp_recv+0x64c/0xd20 net/strparser/strparser.c:301
+strp_recv+0x6d/0x80 net/strparser/strparser.c:335
+tcp_read_sock+0x13e/0x5a0 net/ipv4/tcp.c:1703
+strp_read_sock net/strparser/strparser.c:358 [inline]
+do_strp_work net/strparser/strparser.c:406 [inline]
+strp_work+0xe8/0x180 net/strparser/strparser.c:415
+process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
+worker_thread+0x618/0xa70 kernel/workqueue.c:2436
+kthread+0x1a9/0x1e0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+
+read to 0xffff88810784e3d0 of 1 bytes by task 17869 on cpu 0:
+kcm_rfree+0x121/0x220 net/kcm/kcmsock.c:181
+skb_release_head_state+0x8e/0x160 net/core/skbuff.c:841
+skb_release_all net/core/skbuff.c:852 [inline]
+__kfree_skb net/core/skbuff.c:868 [inline]
+kfree_skb_reason+0x5c/0x260 net/core/skbuff.c:891
+kfree_skb include/linux/skbuff.h:1216 [inline]
+kcm_recvmsg+0x226/0x2b0 net/kcm/kcmsock.c:1161
+____sys_recvmsg+0x16c/0x2e0
+___sys_recvmsg net/socket.c:2743 [inline]
+do_recvmmsg+0x2f1/0x710 net/socket.c:2837
+__sys_recvmmsg net/socket.c:2916 [inline]
+__do_sys_recvmmsg net/socket.c:2939 [inline]
+__se_sys_recvmmsg net/socket.c:2932 [inline]
+__x64_sys_recvmmsg+0xde/0x160 net/socket.c:2932
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x01 -> 0x00
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 17869 Comm: syz-executor.2 Not tainted 6.1.0-rc1-syzkaller-00010-gbb1a1146467a-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index ce022c2e320e..629103c7337b 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -164,7 +164,8 @@ static void kcm_rcv_ready(struct kcm_sock *kcm)
+       /* Buffer limit is okay now, add to ready list */
+       list_add_tail(&kcm->wait_rx_list,
+                     &kcm->mux->kcm_rx_waiters);
+-      kcm->rx_wait = true;
++      /* paired with lockless reads in kcm_rfree() */
++      WRITE_ONCE(kcm->rx_wait, true);
+ }
+ static void kcm_rfree(struct sk_buff *skb)
+@@ -180,7 +181,7 @@ static void kcm_rfree(struct sk_buff *skb)
+       /* For reading rx_wait and rx_psock without holding lock */
+       smp_mb__after_atomic();
+-      if (!kcm->rx_wait && !READ_ONCE(kcm->rx_psock) &&
++      if (!READ_ONCE(kcm->rx_wait) && !READ_ONCE(kcm->rx_psock) &&
+           sk_rmem_alloc_get(sk) < sk->sk_rcvlowat) {
+               spin_lock_bh(&mux->rx_lock);
+               kcm_rcv_ready(kcm);
+@@ -239,7 +240,8 @@ static void requeue_rx_msgs(struct kcm_mux *mux, struct sk_buff_head *head)
+               if (kcm_queue_rcv_skb(&kcm->sk, skb)) {
+                       /* Should mean socket buffer full */
+                       list_del(&kcm->wait_rx_list);
+-                      kcm->rx_wait = false;
++                      /* paired with lockless reads in kcm_rfree() */
++                      WRITE_ONCE(kcm->rx_wait, false);
+                       /* Commit rx_wait to read in kcm_free */
+                       smp_wmb();
+@@ -282,7 +284,8 @@ static struct kcm_sock *reserve_rx_kcm(struct kcm_psock *psock,
+       kcm = list_first_entry(&mux->kcm_rx_waiters,
+                              struct kcm_sock, wait_rx_list);
+       list_del(&kcm->wait_rx_list);
+-      kcm->rx_wait = false;
++      /* paired with lockless reads in kcm_rfree() */
++      WRITE_ONCE(kcm->rx_wait, false);
+       psock->rx_kcm = kcm;
+       /* paired with lockless reads in kcm_rfree() */
+@@ -1242,7 +1245,8 @@ static void kcm_recv_disable(struct kcm_sock *kcm)
+       if (!kcm->rx_psock) {
+               if (kcm->rx_wait) {
+                       list_del(&kcm->wait_rx_list);
+-                      kcm->rx_wait = false;
++                      /* paired with lockless reads in kcm_rfree() */
++                      WRITE_ONCE(kcm->rx_wait, false);
+               }
+               requeue_rx_msgs(mux, &kcm->sk.sk_receive_queue);
+@@ -1800,7 +1804,8 @@ static void kcm_done(struct kcm_sock *kcm)
+       if (kcm->rx_wait) {
+               list_del(&kcm->wait_rx_list);
+-              kcm->rx_wait = false;
++              /* paired with lockless reads in kcm_rfree() */
++              WRITE_ONCE(kcm->rx_wait, false);
+       }
+       /* Move any pending receive messages to other kcm sockets */
+       requeue_rx_msgs(mux, &sk->sk_receive_queue);
+-- 
+2.35.1
+
diff --git a/queue-4.14/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch b/queue-4.14/media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch
new file mode 100644 (file)
index 0000000..95deae6
--- /dev/null
@@ -0,0 +1,48 @@
+From b4794b89cf1d4bc9b60425c7dd233a1b78cab9ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 09:00:34 +0100
+Subject: media: v4l2-dv-timings: add sanity checks for blanking values
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4b6d66a45ed34a15721cb9e11492fa1a24bc83df ]
+
+Add sanity checks to v4l2_valid_dv_timings() to ensure that the provided
+blanking values are reasonable.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: b18787ed1ce3 ([media] v4l2-dv-timings: add new helper module)
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/media/v4l2-core/v4l2-dv-timings.c b/drivers/media/v4l2-core/v4l2-dv-timings.c
+index bed6b7db43f5..4353e624a585 100644
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -172,6 +172,20 @@ bool v4l2_valid_dv_timings(const struct v4l2_dv_timings *t,
+           (bt->interlaced && !(caps & V4L2_DV_BT_CAP_INTERLACED)) ||
+           (!bt->interlaced && !(caps & V4L2_DV_BT_CAP_PROGRESSIVE)))
+               return false;
++
++      /* sanity checks for the blanking timings */
++      if (!bt->interlaced &&
++          (bt->il_vbackporch || bt->il_vsync || bt->il_vfrontporch))
++              return false;
++      if (bt->hfrontporch > 2 * bt->width ||
++          bt->hsync > 1024 || bt->hbackporch > 1024)
++              return false;
++      if (bt->vfrontporch > 4096 ||
++          bt->vsync > 128 || bt->vbackporch > 4096)
++              return false;
++      if (bt->interlaced && (bt->il_vfrontporch > 4096 ||
++          bt->il_vsync > 128 || bt->il_vbackporch > 4096))
++              return false;
+       return fnc == NULL || fnc(t, fnc_handle);
+ }
+ EXPORT_SYMBOL_GPL(v4l2_valid_dv_timings);
+-- 
+2.35.1
+
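Review bot: The bound `bt->hfrontporch > 2 * bt->width` in the first new check depends on `bt->width` already being limited; if width is validated against the capability min/max earlier in v4l2_valid_dv_timings() (outside the hunk) this is fine, but if it is not, `2 * bt->width` can wrap for a large user-supplied width and let an arbitrary hfrontporch through. Writing it as `bt->hfrontporch > 2ULL * bt->width` removes the dependence on that ordering at no cost. The 1024/4096/128 limits are user-controllable timing bounds and would read better as named constants with a one-line comment on where the values come from. The enclosing function starts outside the hunk.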
diff --git a/queue-4.14/media-videodev2.h-v4l2_dv_bt_blanking_height-should-.patch b/queue-4.14/media-videodev2.h-v4l2_dv_bt_blanking_height-should-.patch
new file mode 100644 (file)
index 0000000..ed89c29
--- /dev/null
@@ -0,0 +1,38 @@
+From 80c519950ea4fe72a1977425eb44eb7007398fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 16:46:17 +0100
+Subject: media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check
+ 'interlaced'
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 8da7f0976b9071b528c545008de9d10cc81883b1 ]
+
+If it is a progressive (non-interlaced) format, then ignore the
+interlaced timing values.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 7f68127fa11f ([media] videodev2.h: defines to calculate blanking and frame sizes)
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/videodev2.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
+index b773e96b4a28..b8fd2c303ed0 100644
+--- a/include/uapi/linux/videodev2.h
++++ b/include/uapi/linux/videodev2.h
+@@ -1392,7 +1392,8 @@ struct v4l2_bt_timings {
+       ((bt)->width + V4L2_DV_BT_BLANKING_WIDTH(bt))
+ #define V4L2_DV_BT_BLANKING_HEIGHT(bt) \
+       ((bt)->vfrontporch + (bt)->vsync + (bt)->vbackporch + \
+-       (bt)->il_vfrontporch + (bt)->il_vsync + (bt)->il_vbackporch)
++       ((bt)->interlaced ? \
++        ((bt)->il_vfrontporch + (bt)->il_vsync + (bt)->il_vbackporch) : 0))
+ #define V4L2_DV_BT_FRAME_HEIGHT(bt) \
+       ((bt)->height + V4L2_DV_BT_BLANKING_HEIGHT(bt))
+-- 
+2.35.1
+
diff --git a/queue-4.14/media-vivid-dev-bitmap_cap-wasn-t-freed-in-all-cases.patch b/queue-4.14/media-vivid-dev-bitmap_cap-wasn-t-freed-in-all-cases.patch
new file mode 100644 (file)
index 0000000..b5e6762
--- /dev/null
@@ -0,0 +1,75 @@
+From ff45675dfd2ce1eb820e1d26b895c2617095aaa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 15:18:46 +0100
+Subject: media: vivid: dev->bitmap_cap wasn't freed in all cases
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 1f65ea411cc7b6ff128d82a3493d7b5648054e6f ]
+
+Whenever the compose width/height values change, the dev->bitmap_cap
+vmalloc'ed array must be freed and dev->bitmap_cap set to NULL.
+
+This was done in some places, but not all. This is only an issue if
+overlay support is enabled and the bitmap clipping is used.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: ef834f7836ec ([media] vivid: add the video capture and output parts)
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
+index 182d8a2b3c98..459cff1626a6 100644
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -458,6 +458,12 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
+       tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
+       dev->crop_cap = dev->src_rect;
+       dev->crop_bounds_cap = dev->src_rect;
++      if (dev->bitmap_cap &&
++          (dev->compose_cap.width != dev->crop_cap.width ||
++           dev->compose_cap.height != dev->crop_cap.height)) {
++              vfree(dev->bitmap_cap);
++              dev->bitmap_cap = NULL;
++      }
+       dev->compose_cap = dev->crop_cap;
+       if (V4L2_FIELD_HAS_T_OR_B(dev->field_cap))
+               dev->compose_cap.height /= 2;
+@@ -886,6 +892,8 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection
+       struct vivid_dev *dev = video_drvdata(file);
+       struct v4l2_rect *crop = &dev->crop_cap;
+       struct v4l2_rect *compose = &dev->compose_cap;
++      unsigned orig_compose_w = compose->width;
++      unsigned orig_compose_h = compose->height;
+       unsigned factor = V4L2_FIELD_HAS_T_OR_B(dev->field_cap) ? 2 : 1;
+       int ret;
+@@ -1002,17 +1010,17 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection
+                       s->r.height /= factor;
+               }
+               v4l2_rect_map_inside(&s->r, &dev->fmt_cap_rect);
+-              if (dev->bitmap_cap && (compose->width != s->r.width ||
+-                                      compose->height != s->r.height)) {
+-                      vfree(dev->bitmap_cap);
+-                      dev->bitmap_cap = NULL;
+-              }
+               *compose = s->r;
+               break;
+       default:
+               return -EINVAL;
+       }
++      if (dev->bitmap_cap && (compose->width != orig_compose_w ||
++                              compose->height != orig_compose_h)) {
++              vfree(dev->bitmap_cap);
++              dev->bitmap_cap = NULL;
++      }
+       tpg_s_crop_compose(&dev->tpg, crop, compose);
+       return 0;
+ }
+-- 
+2.35.1
+
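Review bot: In vivid_update_format_cap() the new free decision compares the old compose_cap against crop_cap, but compose_cap.height is halved two lines later when the field is T_OR_B, so the comparison is made against a value that is not the final compose size. As far as the hunk shows this only errs toward freeing too often (the final compose is never larger than crop), so it is not an overflow, but comparing against the final compose_cap after the `/= 2` adjustment — the same save-then-compare pattern this hunk introduces in vivid_vid_cap_s_selection() — makes the invariant "bitmap_cap is sized for compose_cap" explicit at both sites; this assumes nothing earlier in the function touches compose_cap, which I cannot see. `unsigned int` rather than bare `unsigned` is also the kernel's preferred spelling for the two new locals. Both functions start and end outside the hunk.
```c
	/* … unchanged: existing locals … */
	unsigned int orig_compose_w = dev->compose_cap.width;
	unsigned int orig_compose_h = dev->compose_cap.height;
	/* … unchanged: format/source setup through dev->crop_bounds_cap … */
	dev->compose_cap = dev->crop_cap;
	if (V4L2_FIELD_HAS_T_OR_B(dev->field_cap))
		dev->compose_cap.height /= 2;
	/* bitmap_cap is sized for compose_cap; drop it whenever compose changes */
	if (dev->bitmap_cap &&
	    (dev->compose_cap.width != orig_compose_w ||
	     dev->compose_cap.height != orig_compose_h)) {
		vfree(dev->bitmap_cap);
		dev->bitmap_cap = NULL;
	}
```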
diff --git a/queue-4.14/media-vivid-s_fbuf-add-more-sanity-checks.patch b/queue-4.14/media-vivid-s_fbuf-add-more-sanity-checks.patch
new file mode 100644 (file)
index 0000000..018d642
--- /dev/null
@@ -0,0 +1,90 @@
+From 1611fa7cdb9c9e977e2cfbe63470d4992aff17d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 15:32:28 +0100
+Subject: media: vivid: s_fbuf: add more sanity checks
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit f8bcaf714abfc94818dff8c0db84d750433984f4 ]
+
+VIDIOC_S_FBUF is by definition a scary ioctl, which is why only root
+can use it. But at least check if the framebuffer parameters match that
+of one of the framebuffer created by vivid, and reject anything else.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: ef834f7836ec ([media] vivid: add the video capture and output parts)
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-core.c    | 22 ++++++++++++++++++++
+ drivers/media/platform/vivid/vivid-core.h    |  2 ++
+ drivers/media/platform/vivid/vivid-vid-cap.c |  9 +++++++-
+ 3 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c
+index 6754e5fcc4c4..c4bbdd5196bf 100644
+--- a/drivers/media/platform/vivid/vivid-core.c
++++ b/drivers/media/platform/vivid/vivid-core.c
+@@ -309,6 +309,28 @@ static int vidioc_g_fbuf(struct file *file, void *fh, struct v4l2_framebuffer *a
+       return vivid_vid_out_g_fbuf(file, fh, a);
+ }
++/*
++ * Only support the framebuffer of one of the vivid instances.
++ * Anything else is rejected.
++ */
++bool vivid_validate_fb(const struct v4l2_framebuffer *a)
++{
++      struct vivid_dev *dev;
++      int i;
++
++      for (i = 0; i < n_devs; i++) {
++              dev = vivid_devs[i];
++              if (!dev || !dev->video_pbase)
++                      continue;
++              if ((unsigned long)a->base == dev->video_pbase &&
++                  a->fmt.width <= dev->display_width &&
++                  a->fmt.height <= dev->display_height &&
++                  a->fmt.bytesperline <= dev->display_byte_stride)
++                      return true;
++      }
++      return false;
++}
++
+ static int vidioc_s_fbuf(struct file *file, void *fh, const struct v4l2_framebuffer *a)
+ {
+       struct video_device *vdev = video_devdata(file);
+diff --git a/drivers/media/platform/vivid/vivid-core.h b/drivers/media/platform/vivid/vivid-core.h
+index 5cdf95bdc4d1..6de8eb8d2cef 100644
+--- a/drivers/media/platform/vivid/vivid-core.h
++++ b/drivers/media/platform/vivid/vivid-core.h
+@@ -562,4 +562,6 @@ static inline bool vivid_is_hdmi_out(const struct vivid_dev *dev)
+       return dev->output_type[dev->output] == HDMI;
+ }
++bool vivid_validate_fb(const struct v4l2_framebuffer *a);
++
+ #endif
+diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
+index c66568e8f388..182d8a2b3c98 100644
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -1255,7 +1255,14 @@ int vivid_vid_cap_s_fbuf(struct file *file, void *fh,
+               return -EINVAL;
+       if (a->fmt.bytesperline < (a->fmt.width * fmt->bit_depth[0]) / 8)
+               return -EINVAL;
+-      if (a->fmt.height * a->fmt.bytesperline < a->fmt.sizeimage)
++      if (a->fmt.bytesperline > a->fmt.sizeimage / a->fmt.height)
++              return -EINVAL;
++
++      /*
++       * Only support the framebuffer of one of the vivid instances.
++       * Anything else is rejected.
++       */
++      if (!vivid_validate_fb(a))
+               return -EINVAL;
+       dev->fb_vbase_cap = phys_to_virt((unsigned long)a->base);
+-- 
+2.35.1
+
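Review bot: `a->fmt.sizeimage / a->fmt.height` in the rewritten check in vivid_vid_cap_s_fbuf() divides by a value taken straight from the ioctl argument; unless `a->fmt.height` is rejected when zero earlier in the function (that part is outside the hunk), a zero height is a divide-by-zero reachable from VIDIOC_S_FBUF, whereas the old multiplication form (which the rewrite presumably replaces to avoid a u32 multiply overflow) could not trap. If no such check exists, `if (!a->fmt.height || a->fmt.bytesperline > a->fmt.sizeimage / a->fmt.height)` closes it. In vivid_validate_fb(), `vivid_devs[]` and `n_devs` are walked with no visible locking against a concurrent probe/remove; if they are only written at module init that is fine, but a one-line comment stating that would help now that the walk is reached from an ioctl path. vivid_vid_cap_s_fbuf() starts and ends outside the hunk.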
diff --git a/queue-4.14/net-ehea-fix-possible-memory-leak-in-ehea_register_p.patch b/queue-4.14/net-ehea-fix-possible-memory-leak-in-ehea_register_p.patch
new file mode 100644 (file)
index 0000000..4a965b4
--- /dev/null
@@ -0,0 +1,39 @@
+From 20dd278c0b2a188b02fd11ee1c8e6f3ab8d4a25a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 21:00:11 +0800
+Subject: net: ehea: fix possible memory leak in ehea_register_port()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0e7ce23a917a9cc83ca3c779fbba836bca3bcf1e ]
+
+If of_device_register() returns error, the of node and the
+name allocated in dev_set_name() is leaked, call put_device()
+to give up the reference that was set in device_initialize(),
+so that of node is put in logical_port_release() and the name
+is freed in kobject_cleanup().
+
+Fixes: 1acf2318dd13 ("ehea: dynamic add / remove port")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221025130011.1071357-1-yangyingliang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+index a754e2ce7730..c3606e8b1192 100644
+--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+@@ -2928,6 +2928,7 @@ static struct device *ehea_register_port(struct ehea_port *port,
+       ret = of_device_register(&port->ofdev);
+       if (ret) {
+               pr_err("failed to register device. ret=%d\n", ret);
++              put_device(&port->ofdev.dev);
+               goto out;
+       }
+-- 
+2.35.1
+
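Review bot: After the added `put_device(&port->ofdev.dev);` the device's release callback may already have run, so the `goto out` that follows must not touch `port->ofdev.dev` (its name, kobject or of node) on the way out; the `out:` label is outside the hunk, so it is worth a glance that it only returns the error. A one-line comment on the new line, `/* drops the device_initialize() ref; release frees the name and of node */`, would record why put_device() rather than a plain error return is needed here. ehea_register_port() starts and ends outside the hunk.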
diff --git a/queue-4.14/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch b/queue-4.14/net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch
new file mode 100644 (file)
index 0000000..85b6a14
--- /dev/null
@@ -0,0 +1,121 @@
+From 7dfbf45becd80618a5552e885761eb8a363c77a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 10:42:13 +0800
+Subject: net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit d266935ac43d57586e311a087510fe6a084af742 ]
+
+When the ops_init() interface is invoked to initialize the net, but
+ops->init() fails, data is released. However, the ptr pointer in
+net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked
+to release the net, invalid address access occurs.
+
+The process is as follows:
+setup_net()
+       ops_init()
+               data = kzalloc(...)   ---> alloc "data"
+               net_assign_generic()  ---> assign "date" to ptr in net->gen
+               ...
+               ops->init()           ---> failed
+               ...
+               kfree(data);          ---> ptr in net->gen is invalid
+       ...
+       ops_exit_list()
+               ...
+               nfqnl_nf_hook_drop()
+                       *q = nfnl_queue_pernet(net) ---> q is invalid
+
+The following is the Call Trace information:
+BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280
+Read of size 8 at addr ffff88810396b240 by task ip/15855
+Call Trace:
+<TASK>
+dump_stack_lvl+0x8e/0xd1
+print_report+0x155/0x454
+kasan_report+0xba/0x1f0
+nfqnl_nf_hook_drop+0x264/0x280
+nf_queue_nf_hook_drop+0x8b/0x1b0
+__nf_unregister_net_hook+0x1ae/0x5a0
+nf_unregister_net_hooks+0xde/0x130
+ops_exit_list+0xb0/0x170
+setup_net+0x7ac/0xbd0
+copy_net_ns+0x2e6/0x6b0
+create_new_namespaces+0x382/0xa50
+unshare_nsproxy_namespaces+0xa6/0x1c0
+ksys_unshare+0x3a4/0x7e0
+__x64_sys_unshare+0x2d/0x40
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+</TASK>
+
+Allocated by task 15855:
+kasan_save_stack+0x1e/0x40
+kasan_set_track+0x21/0x30
+__kasan_kmalloc+0xa1/0xb0
+__kmalloc+0x49/0xb0
+ops_init+0xe7/0x410
+setup_net+0x5aa/0xbd0
+copy_net_ns+0x2e6/0x6b0
+create_new_namespaces+0x382/0xa50
+unshare_nsproxy_namespaces+0xa6/0x1c0
+ksys_unshare+0x3a4/0x7e0
+__x64_sys_unshare+0x2d/0x40
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Freed by task 15855:
+kasan_save_stack+0x1e/0x40
+kasan_set_track+0x21/0x30
+kasan_save_free_info+0x2a/0x40
+____kasan_slab_free+0x155/0x1b0
+slab_free_freelist_hook+0x11b/0x220
+__kmem_cache_free+0xa4/0x360
+ops_init+0xb9/0x410
+setup_net+0x5aa/0xbd0
+copy_net_ns+0x2e6/0x6b0
+create_new_namespaces+0x382/0xa50
+unshare_nsproxy_namespaces+0xa6/0x1c0
+ksys_unshare+0x3a4/0x7e0
+__x64_sys_unshare+0x2d/0x40
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Fixes: f875bae06533 ("net: Automatically allocate per namespace data.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/net_namespace.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index 34fd852fe3ca..3c90890816b8 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -101,6 +101,7 @@ static int net_assign_generic(struct net *net, unsigned int id, void *data)
+ static int ops_init(const struct pernet_operations *ops, struct net *net)
+ {
++      struct net_generic *ng;
+       int err = -ENOMEM;
+       void *data = NULL;
+@@ -119,7 +120,13 @@ static int ops_init(const struct pernet_operations *ops, struct net *net)
+       if (!err)
+               return 0;
++      if (ops->id && ops->size) {
+ cleanup:
++              ng = rcu_dereference_protected(net->gen,
++                                             lockdep_is_held(&pernet_ops_rwsem));
++              ng->ptr[*ops->id] = NULL;
++      }
++
+       kfree(data);
+ out:
+-- 
+2.35.1
+
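Review bot: The `cleanup:` label is placed inside the body of `if (ops->id && ops->size)`, so every `goto cleanup` (the jump sites are outside the hunk) enters the block unconditionally and executes `ng->ptr[*ops->id] = NULL` without that test, while only the fall-through from a failed ops->init() is filtered by it. That is presumably fine because the goto sites are already under the same condition, but a label inside a conditional is easy to misread on the next change, and a future jump arriving with a NULL ops->id would fault on `*ops->id`. Hoisting the label to just above the `if` — `cleanup:` followed by `if (ops->id && ops->size) {` — keeps the guard on every path and changes nothing for the current callers. Clearing the slot instead of leaving it dangling is what closes the use-after-free described in the message, so the fix itself looks sound; ops_init() starts and ends outside the hunk.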
diff --git a/queue-4.14/net-ksz884x-fix-missing-pci_disable_device-on-error-.patch b/queue-4.14/net-ksz884x-fix-missing-pci_disable_device-on-error-.patch
new file mode 100644 (file)
index 0000000..1fd00c5
--- /dev/null
@@ -0,0 +1,39 @@
+From df9f00bcc7273ee56e710eb1d416ad5972468511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 21:13:38 +0800
+Subject: net: ksz884x: fix missing pci_disable_device() on error in
+ pcidev_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 5da6d65590a0698199df44d095e54b0ed1708178 ]
+
+pci_disable_device() need be called while module exiting, switch to use
+pcim_enable(), pci_disable_device() will be called in pcim_release()
+while unbinding device.
+
+Fixes: 8ca86fd83eae ("net: Micrel KSZ8841/2 PCI Ethernet driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221024131338.2848959-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ksz884x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/micrel/ksz884x.c b/drivers/net/ethernet/micrel/ksz884x.c
+index b178e59baa2e..8212f24711bb 100644
+--- a/drivers/net/ethernet/micrel/ksz884x.c
++++ b/drivers/net/ethernet/micrel/ksz884x.c
+@@ -6939,7 +6939,7 @@ static int pcidev_init(struct pci_dev *pdev, const struct pci_device_id *id)
+       char banner[sizeof(version)];
+       struct ksz_switch *sw = NULL;
+-      result = pci_enable_device(pdev);
++      result = pcim_enable_device(pdev);
+       if (result)
+               return result;
+-- 
+2.35.1
+
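Review bot: Switching to `pcim_enable_device()` also marks the device as managed, which (if I remember the PCI core right) makes the later resource-acquisition calls in pcidev_init() devres-managed too, so the error-unwind labels of pcidev_init() and the remove path (both outside the hunk) should be re-checked for any explicit `pci_disable_device()`/`pci_release_regions()` that would now run a second time; the commit message says the disable was simply missing, which is consistent, but worth confirming. A one-line comment at the call site, `/* managed: pci_disable_device() runs from devres on unbind */`, would record the intent for the next reader. pcidev_init() starts and ends outside the hunk.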
diff --git a/queue-4.14/net-lantiq_etop-don-t-free-skb-when-returning-netdev.patch b/queue-4.14/net-lantiq_etop-don-t-free-skb-when-returning-netdev.patch
new file mode 100644 (file)
index 0000000..b566ce2
--- /dev/null
@@ -0,0 +1,35 @@
+From f816f991df52ac8fea2ae304cff98f687f98990b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 09:32:24 +0800
+Subject: net: lantiq_etop: don't free skb when returning NETDEV_TX_BUSY
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 9c1eaa27ec599fcc25ed4970c0b73c247d147a2b ]
+
+The ndo_start_xmit() method must not free skb when returning
+NETDEV_TX_BUSY, since caller is going to requeue freed skb.
+
+Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index afc810069440..2a14520e4798 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -479,7 +479,6 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
+       len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
+       if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) {
+-              dev_kfree_skb_any(skb);
+               netdev_err(dev, "tx ring full\n");
+               netif_tx_stop_queue(txq);
+               return NETDEV_TX_BUSY;
+-- 
+2.35.1
+
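Review bot: With the skb no longer freed, the `netdev_err(dev, "tx ring full\n")` on the NETDEV_TX_BUSY path is the only side effect of a full ring and it is unthrottled, so a saturated link hits this branch once per requeued skb and floods the log. `netdev_err_ratelimited(dev, "tx ring full\n");` (or netdev_dbg, since a full ring is a normal flow-control event rather than an error) keeps the signal without the log pressure. ltq_etop_tx() starts and ends outside the hunk.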
diff --git a/queue-4.14/openvswitch-switch-from-warn-to-pr_warn.patch b/queue-4.14/openvswitch-switch-from-warn-to-pr_warn.patch
new file mode 100644 (file)
index 0000000..d758bbe
--- /dev/null
@@ -0,0 +1,42 @@
+From 8617b13cefc8bba2bba91745322ab7e848e432de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 06:50:17 -0400
+Subject: openvswitch: switch from WARN to pr_warn
+
+From: Aaron Conole <aconole@redhat.com>
+
+[ Upstream commit fd954cc1919e35cb92f78671cab6e42d661945a3 ]
+
+As noted by Paolo Abeni, pr_warn doesn't generate any splat and can still
+preserve the warning to the user that feature downgrade occurred.  We
+likely cannot introduce other kinds of checks / enforcement here because
+syzbot can generate different genl versions to the datapath.
+
+Reported-by: syzbot+31cde0bef4bbf8ba2d86@syzkaller.appspotmail.com
+Fixes: 44da5ae5fbea ("openvswitch: Drop user features if old user space attempted to create datapath")
+Cc: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: Aaron Conole <aconole@redhat.com>
+Acked-by: Ilya Maximets <i.maximets@ovn.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 8319628ab428..a57a3755611d 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -1578,7 +1578,8 @@ static void ovs_dp_reset_user_features(struct sk_buff *skb, struct genl_info *in
+       if (IS_ERR(dp))
+               return;
+-      WARN(dp->user_features, "Dropping previously announced user features\n");
++      pr_warn("%s: Dropping previously announced user features\n",
++              ovs_dp_name(dp));
+       dp->user_features = 0;
+ }
+-- 
+2.35.1
+
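Review bot: The new `pr_warn()` in ovs_dp_reset_user_features() fires on every datapath request from an older-genl-version user space, and the commit message itself notes that syzbot can drive that path at will, so a netlink caller can fill the kernel log at request rate. `pr_warn_ratelimited("%s: Dropping previously announced user features\n", ovs_dp_name(dp));` keeps the downgrade visible to the administrator without turning it into a log-flood vector. The function starts outside the hunk.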
diff --git a/queue-4.14/pm-domains-fix-handling-of-unavailable-disabled-idle.patch b/queue-4.14/pm-domains-fix-handling-of-unavailable-disabled-idle.patch
new file mode 100644 (file)
index 0000000..dc1b021
--- /dev/null
@@ -0,0 +1,44 @@
+From f51c80dc1b326bbbcec4abcbb5f212540e9331d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 13:34:32 +0100
+Subject: PM: domains: Fix handling of unavailable/disabled idle states
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit e0c57a5c70c13317238cb19a7ded0eab4a5f7de5 ]
+
+Platforms can provide the information about the availability of each
+idle states via status flag. Platforms may have to disable one or more
+idle states for various reasons like broken firmware or other unmet
+dependencies.
+
+Fix handling of such unavailable/disabled idle states by ignoring them
+while parsing the states.
+
+Fixes: a3381e3a65cb ("PM / domains: Fix up domain-idle-states OF parsing")
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/domain.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index e811f2414889..a64b093a88cf 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2232,6 +2232,10 @@ static int genpd_iterate_idle_states(struct device_node *dn,
+               np = it.node;
+               if (!of_match_node(idle_state_match, np))
+                       continue;
++
++              if (!of_device_is_available(np))
++                      continue;
++
+               if (states) {
+                       ret = genpd_parse_state(&states[i], np);
+                       if (ret) {
+-- 
+2.35.1
+
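Review bot: The new `of_device_is_available()` skip has no comment saying why a node that matched `idle_state_match` is silently dropped, and because the skip sits before the `if (states)` branch a reader has to work out that it applies to both the counting and the parsing pass. A one-line comment would record the intent from the commit message, e.g. `/* Ignore idle states the platform marked status = "disabled"; the skip precedes the states/count split so both passes agree. */` (the counting-pass reading is presumably what `states == NULL` means; confirm). genpd_iterate_idle_states begins before this hunk and continues after it.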
diff --git a/queue-4.14/pm-hibernate-allow-hybrid-sleep-to-work-with-s2idle.patch b/queue-4.14/pm-hibernate-allow-hybrid-sleep-to-work-with-s2idle.patch
new file mode 100644 (file)
index 0000000..f9b3bd6
--- /dev/null
@@ -0,0 +1,43 @@
+From 7215c42e00eb27e8330c7b09e60ea63e89b6493e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Oct 2022 22:50:17 -0500
+Subject: PM: hibernate: Allow hybrid sleep to work with s2idle
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 85850af4fc47132f3f2f0dd698b90f67906600b4 ]
+
+Hybrid sleep is currently hardcoded to only operate with S3 even
+on systems that might not support it.
+
+Instead of assuming this mode is what the user wants to use, for
+hybrid sleep follow the setting of `mem_sleep_current` which
+will respect mem_sleep_default kernel command line and policy
+decisions made by the presence of the FADT low power idle bit.
+
+Fixes: 81d45bdf8913 ("PM / hibernate: Untangle power_down()")
+Reported-and-tested-by: kolAflash <kolAflash@kolahilft.de>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216574
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/hibernate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index f4ecb23c9194..e97f2395e15d 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -618,7 +618,7 @@ static void power_down(void)
+       int error;
+       if (hibernation_mode == HIBERNATION_SUSPEND) {
+-              error = suspend_devices_and_enter(PM_SUSPEND_MEM);
++              error = suspend_devices_and_enter(mem_sleep_current);
+               if (error) {
+                       hibernation_mode = hibernation_ops ?
+                                               HIBERNATION_PLATFORM :
+-- 
+2.35.1
+
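Review bot: The suspend target for hybrid sleep is now a runtime setting instead of a constant, but nothing at the call site says where the value comes from or that it may select s2idle rather than S3. A short comment would help, e.g. `/* Follow the configured mem_sleep state (mem_sleep_default on the command line, and presumably the sysfs knob) instead of assuming S3, which the platform may not support. */`. The `#ifdef CONFIG_SUSPEND` that presumably keeps `mem_sleep_current` declared for this block lies outside the hunk and is worth confirming for the 4.14 build. power_down() begins before and continues after this hunk.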
index f2521164967b777cd3e9f2cd9df443f60d7d131f..5799ce8765d87e4d9b6537d23584560c5c179974 100644 (file)
@@ -33,3 +33,28 @@ xen-gntdev-don-t-ignore-kernel-unmapping-error.patch
 xen-gntdev-prevent-leaking-grants.patch
 mm-hugetlb-take-hugetlb_lock-before-decrementing-h-resv_huge_pages.patch
 net-ieee802154-fix-error-return-code-in-dgram_bind.patch
+drm-msm-fix-return-type-of-mdp4_lvds_connector_mode_.patch
+arc-iounmap-arg-is-volatile.patch
+alsa-ac97-fix-possible-memory-leak-in-snd_ac97_dev_r.patch
+x86-unwind-orc-fix-unreliable-stack-dump-with-gcov.patch
+amd-xgbe-fix-the-sfp-compliance-codes-check-for-dac-.patch
+amd-xgbe-add-the-bit-rate-quirk-for-molex-cables.patch
+kcm-annotate-data-races-around-kcm-rx_psock.patch
+kcm-annotate-data-races-around-kcm-rx_wait.patch
+net-fix-uaf-issue-in-nfqnl_nf_hook_drop-when-ops_ini.patch
+net-lantiq_etop-don-t-free-skb-when-returning-netdev.patch
+tcp-fix-indefinite-deferral-of-rto-with-sack-renegin.patch
+can-mscan-mpc5xxx-mpc5xxx_can_probe-add-missing-put_.patch
+pm-hibernate-allow-hybrid-sleep-to-work-with-s2idle.patch
+media-vivid-s_fbuf-add-more-sanity-checks.patch
+media-vivid-dev-bitmap_cap-wasn-t-freed-in-all-cases.patch
+media-v4l2-dv-timings-add-sanity-checks-for-blanking.patch
+media-videodev2.h-v4l2_dv_bt_blanking_height-should-.patch
+i40e-fix-ethtool-rx-flow-hash-setting-for-x722.patch
+i40e-fix-flow-type-by-setting-gl_hash_inset-register.patch
+net-ksz884x-fix-missing-pci_disable_device-on-error-.patch
+pm-domains-fix-handling-of-unavailable-disabled-idle.patch
+alsa-aoa-i2sbus-fix-possible-memory-leak-in-i2sbus_a.patch
+alsa-aoa-fix-i2s-device-accounting.patch
+openvswitch-switch-from-warn-to-pr_warn.patch
+net-ehea-fix-possible-memory-leak-in-ehea_register_p.patch
diff --git a/queue-4.14/tcp-fix-indefinite-deferral-of-rto-with-sack-renegin.patch b/queue-4.14/tcp-fix-indefinite-deferral-of-rto-with-sack-renegin.patch
new file mode 100644 (file)
index 0000000..8369a74
--- /dev/null
@@ -0,0 +1,65 @@
+From 654460225bd21d1096d760c0d4c19e491c399969 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Oct 2022 17:08:21 +0000
+Subject: tcp: fix indefinite deferral of RTO with SACK reneging
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 3d2af9cce3133b3bc596a9d065c6f9d93419ccfb ]
+
+This commit fixes a bug that can cause a TCP data sender to repeatedly
+defer RTOs when encountering SACK reneging.
+
+The bug is that when we're in fast recovery in a scenario with SACK
+reneging, every time we get an ACK we call tcp_check_sack_reneging()
+and it can note the apparent SACK reneging and rearm the RTO timer for
+srtt/2 into the future. In some SACK reneging scenarios that can
+happen repeatedly until the receive window fills up, at which point
+the sender can't send any more, the ACKs stop arriving, and the RTO
+fires at srtt/2 after the last ACK. But that can take far too long
+(O(10 secs)), since the connection is stuck in fast recovery with a
+low cwnd that cannot grow beyond ssthresh, even if more bandwidth is
+available.
+
+This fix changes the logic in tcp_check_sack_reneging() to only rearm
+the RTO timer if data is cumulatively ACKed, indicating forward
+progress. This avoids this kind of nearly infinite loop of RTO timer
+re-arming. In addition, this meets the goals of
+tcp_check_sack_reneging() in handling Windows TCP behavior that looks
+temporarily like SACK reneging but is not really.
+
+Many thanks to Jakub Kicinski and Neil Spring, who reported this issue
+and provided critical packet traces that enabled root-causing this
+issue. Also, many thanks to Jakub Kicinski for testing this fix.
+
+Fixes: 5ae344c949e7 ("tcp: reduce spurious retransmits due to transient SACK reneging")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Reported-by: Neil Spring <ntspring@fb.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Tested-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20221021170821.1093930-1-ncardwell.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index eeed79ce8f9f..87095d5ecf95 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2058,7 +2058,8 @@ void tcp_enter_loss(struct sock *sk)
+  */
+ static bool tcp_check_sack_reneging(struct sock *sk, int flag)
+ {
+-      if (flag & FLAG_SACK_RENEGING) {
++      if (flag & FLAG_SACK_RENEGING &&
++          flag & FLAG_SND_UNA_ADVANCED) {
+               struct tcp_sock *tp = tcp_sk(sk);
+               unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4),
+                                         msecs_to_jiffies(10));
+-- 
+2.35.1
+
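Review bot: The new two-line condition mixes bitwise `&` with logical `&&` and relies on precedence; it is correct because `&` binds tighter, but split across lines it reads ambiguously and invites a mis-edit later. I would parenthesize each test: `if ((flag & FLAG_SACK_RENEGING) &&` / `    (flag & FLAG_SND_UNA_ADVANCED)) {`. The remainder of tcp_check_sack_reneging, including its return paths, is outside this hunk.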
diff --git a/queue-4.14/x86-unwind-orc-fix-unreliable-stack-dump-with-gcov.patch b/queue-4.14/x86-unwind-orc-fix-unreliable-stack-dump-with-gcov.patch
new file mode 100644 (file)
index 0000000..6cebd6c
--- /dev/null
@@ -0,0 +1,80 @@
+From d966ca7392482bb2c67c5ec841b2bf27d1282652 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 11:15:06 +0800
+Subject: x86/unwind/orc: Fix unreliable stack dump with gcov
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 230db82413c091bc16acee72650f48d419cebe49 ]
+
+When a console stack dump is initiated with CONFIG_GCOV_PROFILE_ALL
+enabled, show_trace_log_lvl() gets out of sync with the ORC unwinder,
+causing the stack trace to show all text addresses as unreliable:
+
+  # echo l > /proc/sysrq-trigger
+  [  477.521031] sysrq: Show backtrace of all active CPUs
+  [  477.523813] NMI backtrace for cpu 0
+  [  477.524492] CPU: 0 PID: 1021 Comm: bash Not tainted 6.0.0 #65
+  [  477.525295] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014
+  [  477.526439] Call Trace:
+  [  477.526854]  <TASK>
+  [  477.527216]  ? dump_stack_lvl+0xc7/0x114
+  [  477.527801]  ? dump_stack+0x13/0x1f
+  [  477.528331]  ? nmi_cpu_backtrace.cold+0xb5/0x10d
+  [  477.528998]  ? lapic_can_unplug_cpu+0xa0/0xa0
+  [  477.529641]  ? nmi_trigger_cpumask_backtrace+0x16a/0x1f0
+  [  477.530393]  ? arch_trigger_cpumask_backtrace+0x1d/0x30
+  [  477.531136]  ? sysrq_handle_showallcpus+0x1b/0x30
+  [  477.531818]  ? __handle_sysrq.cold+0x4e/0x1ae
+  [  477.532451]  ? write_sysrq_trigger+0x63/0x80
+  [  477.533080]  ? proc_reg_write+0x92/0x110
+  [  477.533663]  ? vfs_write+0x174/0x530
+  [  477.534265]  ? handle_mm_fault+0x16f/0x500
+  [  477.534940]  ? ksys_write+0x7b/0x170
+  [  477.535543]  ? __x64_sys_write+0x1d/0x30
+  [  477.536191]  ? do_syscall_64+0x6b/0x100
+  [  477.536809]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+  [  477.537609]  </TASK>
+
+This happens when the compiled code for show_stack() has a single word
+on the stack, and doesn't use a tail call to show_stack_log_lvl().
+(CONFIG_GCOV_PROFILE_ALL=y is the only known case of this.)  Then the
+__unwind_start() skip logic hits an off-by-one bug and fails to unwind
+all the way to the intended starting frame.
+
+Fix it by reverting the following commit:
+
+  f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks")
+
+The original justification for that commit no longer exists.  That
+original issue was later fixed in a different way, with the following
+commit:
+
+  f2ac57a4c49d ("x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels")
+
+Fixes: f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+[jpoimboe: rewrite commit log]
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/unwind_orc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index e64c5b78fbfd..350f40f9a0bf 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -579,7 +579,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+       /* Otherwise, skip ahead to the user-specified starting frame: */
+       while (!unwind_done(state) &&
+              (!on_stack(&state->stack_info, first_frame, sizeof(long)) ||
+-                      state->sp < (unsigned long)first_frame))
++                      state->sp <= (unsigned long)first_frame))
+               unwind_next_frame(state);
+       return;
+-- 
+2.35.1
+
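Review bot: The `<` versus `<=` on this comparison has now flipped twice (f1d9a2abff66 and this revert) with no comment at the site, so the next person chasing an unwinder off-by-one has only git history to go on. A comment on the condition recording why the frame at exactly first_frame is also skipped would prevent a third flip, e.g. `/* Inclusive: the word at first_frame itself still belongs to the frame being skipped (see f1d9a2abff66 and its revert). */`; the exact rationale should be confirmed against show_trace_log_lvl before committing to that wording. __unwind_start begins well before this hunk.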