From: Greg Kroah-Hartman Date: Sun, 22 Jan 2023 12:59:38 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.14.304~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0366e67cda785fc3618c6206f5ea509f532afbfc;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bpf-restore-the-ebpf-program-id-for-bpf_audit_unload-and-perf_bpf_event_prog_unload.patch btrfs-do-not-abort-transaction-on-failure-to-write-log-tree-when-syncing-log.patch btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch cifs-do-not-include-page-data-when-checking-signature.patch mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch riscv-dts-sifive-fu740-fix-size-of-pcie-32bit-memory.patch thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch --- diff --git a/queue-5.15/bpf-restore-the-ebpf-program-id-for-bpf_audit_unload-and-perf_bpf_event_prog_unload.patch b/queue-5.15/bpf-restore-the-ebpf-program-id-for-bpf_audit_unload-and-perf_bpf_event_prog_unload.patch new file mode 100644 index 00000000000..54b550cfa64 --- /dev/null +++ b/queue-5.15/bpf-restore-the-ebpf-program-id-for-bpf_audit_unload-and-perf_bpf_event_prog_unload.patch @@ -0,0 +1,94 @@ +From ef01f4e25c1760920e2c94f1c232350277ace69b Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Fri, 6 Jan 2023 10:43:59 -0500 +Subject: bpf: restore the ebpf program ID for BPF_AUDIT_UNLOAD and PERF_BPF_EVENT_PROG_UNLOAD + +From: Paul Moore + +commit ef01f4e25c1760920e2c94f1c232350277ace69b upstream. + +When changing the ebpf program put() routines to support being called +from within IRQ context the program ID was reset to zero prior to +calling the perf event and audit UNLOAD record generators, which +resulted in problems as the ebpf program ID was bogus (always zero). +This patch addresses this problem by removing an unnecessary call to +bpf_prog_free_id() in __bpf_prog_offload_destroy() and adjusting +__bpf_prog_put() to only call bpf_prog_free_id() after audit and perf +have finished their bpf program unload tasks in +bpf_prog_put_deferred(). For the record, no one can determine, or +remember, why it was necessary to free the program ID, and remove it +from the IDR, prior to executing bpf_prog_put_deferred(); +regardless, both Stanislav and Alexei agree that the approach in this +patch should be safe. + +It is worth noting that when moving the bpf_prog_free_id() call, the +do_idr_lock parameter was forced to true as the ebpf devs determined +this was the correct as the do_idr_lock should always be true. The +do_idr_lock parameter will be removed in a follow-up patch, but it +was kept here to keep the patch small in an effort to ease any stable +backports. + +I also modified the bpf_audit_prog() logic used to associate the +AUDIT_BPF record with other associated records, e.g. @ctx != NULL. +Instead of keying off the operation, it now keys off the execution +context, e.g. '!in_irg && !irqs_disabled()', which is much more +appropriate and should help better connect the UNLOAD operations with +the associated audit state (other audit records). + +Cc: stable@vger.kernel.org +Fixes: d809e134be7a ("bpf: Prepare bpf_prog_put() to be called from irq context.") +Reported-by: Burn Alting +Reported-by: Jiri Olsa +Suggested-by: Stanislav Fomichev +Suggested-by: Alexei Starovoitov +Signed-off-by: Paul Moore +Acked-by: Stanislav Fomichev +Link: https://lore.kernel.org/r/20230106154400.74211-1-paul@paul-moore.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/offload.c | 3 --- + kernel/bpf/syscall.c | 6 ++---- + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/kernel/bpf/offload.c ++++ b/kernel/bpf/offload.c +@@ -216,9 +216,6 @@ static void __bpf_prog_offload_destroy(s + if (offload->dev_state) + offload->offdev->ops->destroy(prog); + +- /* Make sure BPF_PROG_GET_NEXT_ID can't find this dead program */ +- bpf_prog_free_id(prog, true); +- + list_del_init(&offload->offloads); + kfree(offload); + prog->aux->offload = NULL; +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -1695,7 +1695,7 @@ static void bpf_audit_prog(const struct + return; + if (audit_enabled == AUDIT_OFF) + return; +- if (op == BPF_AUDIT_LOAD) ++ if (!in_irq() && !irqs_disabled()) + ctx = audit_context(); + ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_BPF); + if (unlikely(!ab)) +@@ -1790,6 +1790,7 @@ static void bpf_prog_put_deferred(struct + prog = aux->prog; + perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0); + bpf_audit_prog(prog, BPF_AUDIT_UNLOAD); ++ bpf_prog_free_id(prog, true); + __bpf_prog_put_noref(prog, true); + } + +@@ -1798,9 +1799,6 @@ static void __bpf_prog_put(struct bpf_pr + struct bpf_prog_aux *aux = prog->aux; + + if (atomic64_dec_and_test(&aux->refcnt)) { +- /* bpf_prog_free_id() must be called first */ +- bpf_prog_free_id(prog, do_idr_lock); +- + if (in_irq() || irqs_disabled()) { + INIT_WORK(&aux->work, bpf_prog_put_deferred); + schedule_work(&aux->work); diff --git a/queue-5.15/btrfs-do-not-abort-transaction-on-failure-to-write-log-tree-when-syncing-log.patch b/queue-5.15/btrfs-do-not-abort-transaction-on-failure-to-write-log-tree-when-syncing-log.patch new file mode 100644 index 00000000000..c8db37b12a9 --- /dev/null +++ b/queue-5.15/btrfs-do-not-abort-transaction-on-failure-to-write-log-tree-when-syncing-log.patch @@ -0,0 +1,70 @@ +From 16199ad9eb6db60a6b10794a09fc1ac6d09312ff Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 10 Jan 2023 14:56:37 +0000 +Subject: btrfs: do not abort transaction on failure to write log tree when syncing log + +From: Filipe Manana + +commit 16199ad9eb6db60a6b10794a09fc1ac6d09312ff upstream. + +When syncing the log, if we fail to write log tree extent buffers, we mark +the log for a full commit and abort the transaction. However we don't need +to abort the transaction, all we really need to do is to make sure no one +can commit a superblock pointing to new log tree roots. Just because we +got a failure writing extent buffers for a log tree, it does not mean we +will also fail to do a transaction commit. + +One particular case is if due to a bug somewhere, when writing log tree +extent buffers, the tree checker detects some corruption and the writeout +fails because of that. Aborting the transaction can be very disruptive for +a user, specially if the issue happened on a root filesystem. One example +is the scenario in the Link tag below, where an isolated corruption on log +tree leaves was causing transaction aborts when syncing the log. + +Link: https://lore.kernel.org/linux-btrfs/ae169fc6-f504-28f0-a098-6fa6a4dfb612@leemhuis.info/ +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 9 ++++++++- + fs/btrfs/tree-log.c | 2 -- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -380,7 +380,14 @@ error: + btrfs_print_tree(eb, 0); + btrfs_err(fs_info, "block=%llu write time tree block corruption detected", + eb->start); +- WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG)); ++ /* ++ * Be noisy if this is an extent buffer from a log tree. We don't abort ++ * a transaction in case there's a bad log tree extent buffer, we just ++ * fallback to a transaction commit. Still we want to know when there is ++ * a bad log tree extent buffer, as that may signal a bug somewhere. ++ */ ++ WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG) || ++ btrfs_header_owner(eb) == BTRFS_TREE_LOG_OBJECTID); + return ret; + } + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3141,7 +3141,6 @@ int btrfs_sync_log(struct btrfs_trans_ha + ret = 0; + if (ret) { + blk_finish_plug(&plug); +- btrfs_abort_transaction(trans, ret); + btrfs_set_log_full_commit(trans); + mutex_unlock(&root->log_mutex); + goto out; +@@ -3273,7 +3272,6 @@ int btrfs_sync_log(struct btrfs_trans_ha + goto out_wake_log_root; + } else if (ret) { + btrfs_set_log_full_commit(trans); +- btrfs_abort_transaction(trans, ret); + mutex_unlock(&log_root_tree->log_mutex); + goto out_wake_log_root; + } diff --git a/queue-5.15/btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch b/queue-5.15/btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch new file mode 100644 index 00000000000..296e6eb4a39 --- /dev/null +++ b/queue-5.15/btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch @@ -0,0 +1,134 @@ +From b7adbf9ada3513d2092362c8eac5cddc5b651f5c Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 12 Jan 2023 16:31:08 +0000 +Subject: btrfs: fix race between quota rescan and disable leading to NULL pointer deref + +From: Filipe Manana + +commit b7adbf9ada3513d2092362c8eac5cddc5b651f5c upstream. + +If we have one task trying to start the quota rescan worker while another +one is trying to disable quotas, we can end up hitting a race that results +in the quota rescan worker doing a NULL pointer dereference. The steps for +this are the following: + +1) Quotas are enabled; + +2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan(). + It calls qgroup_rescan_init() which returns 0 (success) and then joins a + transaction and commits it; + +3) Task B calls the quota disable ioctl and enters btrfs_quota_disable(). + It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls + btrfs_qgroup_wait_for_completion(), which returns immediately since the + rescan worker is not yet running. + Then it starts a transaction and locks fs_info->qgroup_ioctl_lock; + +4) Task A queues the rescan worker, by calling btrfs_queue_work(); + +5) The rescan worker starts, and calls rescan_should_stop() at the start + of its while loop, which results in 0 iterations of the loop, since + the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by + task B at step 3); + +6) Task B sets fs_info->quota_root to NULL; + +7) The rescan worker tries to start a transaction and uses + fs_info->quota_root as the root argument for btrfs_start_transaction(). + This results in a NULL pointer dereference down the call chain of + btrfs_start_transaction(). The stack trace is something like the one + reported in Link tag below: + + general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN + KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f] + CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 + Workqueue: btrfs-qgroup-rescan btrfs_work_helper + RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564 + Code: 48 89 fb 48 (...) + RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206 + RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 + RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d + R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000 + R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003 + FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402 + btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280 + process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 + worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 + kthread+0x266/0x300 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + + Modules linked in: + +So fix this by having the rescan worker function not attempt to start a +transaction if it didn't do any rescan work. + +Reported-by: syzbot+96977faa68092ad382c4@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/000000000000e5454b05f065a803@google.com/ +Fixes: e804861bd4e6 ("btrfs: fix deadlock between quota disable and qgroup rescan worker") +CC: stable@vger.kernel.org # 5.4+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3286,6 +3286,7 @@ static void btrfs_qgroup_rescan_worker(s + int err = -ENOMEM; + int ret = 0; + bool stopped = false; ++ bool did_leaf_rescans = false; + + path = btrfs_alloc_path(); + if (!path) +@@ -3306,6 +3307,7 @@ static void btrfs_qgroup_rescan_worker(s + } + + err = qgroup_rescan_leaf(trans, path); ++ did_leaf_rescans = true; + + if (err > 0) + btrfs_commit_transaction(trans); +@@ -3326,16 +3328,23 @@ out: + mutex_unlock(&fs_info->qgroup_rescan_lock); + + /* +- * only update status, since the previous part has already updated the +- * qgroup info. ++ * Only update status, since the previous part has already updated the ++ * qgroup info, and only if we did any actual work. This also prevents ++ * race with a concurrent quota disable, which has already set ++ * fs_info->quota_root to NULL and cleared BTRFS_FS_QUOTA_ENABLED at ++ * btrfs_quota_disable(). + */ +- trans = btrfs_start_transaction(fs_info->quota_root, 1); +- if (IS_ERR(trans)) { +- err = PTR_ERR(trans); ++ if (did_leaf_rescans) { ++ trans = btrfs_start_transaction(fs_info->quota_root, 1); ++ if (IS_ERR(trans)) { ++ err = PTR_ERR(trans); ++ trans = NULL; ++ btrfs_err(fs_info, ++ "fail to start transaction for status update: %d", ++ err); ++ } ++ } else { + trans = NULL; +- btrfs_err(fs_info, +- "fail to start transaction for status update: %d", +- err); + } + + mutex_lock(&fs_info->qgroup_rescan_lock); diff --git a/queue-5.15/cifs-do-not-include-page-data-when-checking-signature.patch b/queue-5.15/cifs-do-not-include-page-data-when-checking-signature.patch new file mode 100644 index 00000000000..52dbbacdac6 --- /dev/null +++ b/queue-5.15/cifs-do-not-include-page-data-when-checking-signature.patch @@ -0,0 +1,52 @@ +From 30b2b2196d6e4cc24cbec633535a2404f258ce69 Mon Sep 17 00:00:00 2001 +From: Enzo Matsumiya +Date: Wed, 18 Jan 2023 14:06:57 -0300 +Subject: cifs: do not include page data when checking signature + +From: Enzo Matsumiya + +commit 30b2b2196d6e4cc24cbec633535a2404f258ce69 upstream. + +On async reads, page data is allocated before sending. When the +response is received but it has no data to fill (e.g. +STATUS_END_OF_FILE), __calc_signature() will still include the pages in +its computation, leading to an invalid signature check. + +This patch fixes this by not setting the async read smb_rqst page data +(zeroed by default) if its got_bytes is 0. + +This can be reproduced/verified with xfstests generic/465. + +Cc: +Signed-off-by: Enzo Matsumiya +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3999,12 +3999,15 @@ smb2_readv_callback(struct mid_q_entry * + (struct smb2_sync_hdr *)rdata->iov[0].iov_base; + struct cifs_credits credits = { .value = 0, .instance = 0 }; + struct smb_rqst rqst = { .rq_iov = &rdata->iov[1], +- .rq_nvec = 1, +- .rq_pages = rdata->pages, +- .rq_offset = rdata->page_offset, +- .rq_npages = rdata->nr_pages, +- .rq_pagesz = rdata->pagesz, +- .rq_tailsz = rdata->tailsz }; ++ .rq_nvec = 1, }; ++ ++ if (rdata->got_bytes) { ++ rqst.rq_pages = rdata->pages; ++ rqst.rq_offset = rdata->page_offset; ++ rqst.rq_npages = rdata->nr_pages; ++ rqst.rq_pagesz = rdata->pagesz; ++ rqst.rq_tailsz = rdata->tailsz; ++ } + + WARN_ONCE(rdata->server != mid->server, + "rdata server %p != mid server %p", diff --git a/queue-5.15/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch b/queue-5.15/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch new file mode 100644 index 00000000000..9c5847d0564 --- /dev/null +++ b/queue-5.15/mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch @@ -0,0 +1,73 @@ +From 1e336aa0c0250ec84c6f16efac40c9f0138e367d Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Wed, 7 Dec 2022 19:23:15 +0800 +Subject: mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting + +From: Haibo Chen + +commit 1e336aa0c0250ec84c6f16efac40c9f0138e367d upstream. + +Current code logic may be impacted by the setting of ROM/Bootloader, +so unmask these bits first, then setting these bits accordingly. + +Fixes: 2b16cf326b70 ("mmc: sdhci-esdhc-imx: move tuning static configuration into hwinit function") +Signed-off-by: Haibo Chen +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221207112315.1812222-1-haibo.chen@nxp.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -107,6 +107,7 @@ + #define ESDHC_TUNING_START_TAP_DEFAULT 0x1 + #define ESDHC_TUNING_START_TAP_MASK 0x7f + #define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE (1 << 7) ++#define ESDHC_TUNING_STEP_DEFAULT 0x1 + #define ESDHC_TUNING_STEP_MASK 0x00070000 + #define ESDHC_TUNING_STEP_SHIFT 16 + +@@ -1346,7 +1347,7 @@ static void sdhci_esdhc_imx_hwinit(struc + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host); + struct cqhci_host *cq_host = host->mmc->cqe_private; +- int tmp; ++ u32 tmp; + + if (esdhc_is_usdhc(imx_data)) { + /* +@@ -1399,17 +1400,24 @@ static void sdhci_esdhc_imx_hwinit(struc + + if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) { + tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL); +- tmp |= ESDHC_STD_TUNING_EN | +- ESDHC_TUNING_START_TAP_DEFAULT; +- if (imx_data->boarddata.tuning_start_tap) { +- tmp &= ~ESDHC_TUNING_START_TAP_MASK; ++ tmp |= ESDHC_STD_TUNING_EN; ++ ++ /* ++ * ROM code or bootloader may config the start tap ++ * and step, unmask them first. ++ */ ++ tmp &= ~(ESDHC_TUNING_START_TAP_MASK | ESDHC_TUNING_STEP_MASK); ++ if (imx_data->boarddata.tuning_start_tap) + tmp |= imx_data->boarddata.tuning_start_tap; +- } ++ else ++ tmp |= ESDHC_TUNING_START_TAP_DEFAULT; + + if (imx_data->boarddata.tuning_step) { +- tmp &= ~ESDHC_TUNING_STEP_MASK; + tmp |= imx_data->boarddata.tuning_step + << ESDHC_TUNING_STEP_SHIFT; ++ } else { ++ tmp |= ESDHC_TUNING_STEP_DEFAULT ++ << ESDHC_TUNING_STEP_SHIFT; + } + + /* Disable the CMD CRC check for tuning, if not, need to diff --git a/queue-5.15/mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch b/queue-5.15/mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch new file mode 100644 index 00000000000..44b70221088 --- /dev/null +++ b/queue-5.15/mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch @@ -0,0 +1,41 @@ +From 8509419758f2cc28dd05370385af0d91573b76b4 Mon Sep 17 00:00:00 2001 +From: Samuel Holland +Date: Tue, 9 Aug 2022 21:25:09 -0500 +Subject: mmc: sunxi-mmc: Fix clock refcount imbalance during unbind + +From: Samuel Holland + +commit 8509419758f2cc28dd05370385af0d91573b76b4 upstream. + +If the controller is suspended by runtime PM, the clock is already +disabled, so do not try to disable it again during removal. Use +pm_runtime_disable() to flush any pending runtime PM transitions. + +Fixes: 9a8e1e8cc2c0 ("mmc: sunxi: Add runtime_pm support") +Signed-off-by: Samuel Holland +Acked-by: Jernej Skrabec +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220810022509.43743-1-samuel@sholland.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sunxi-mmc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sunxi-mmc.c ++++ b/drivers/mmc/host/sunxi-mmc.c +@@ -1483,9 +1483,11 @@ static int sunxi_mmc_remove(struct platf + struct sunxi_mmc_host *host = mmc_priv(mmc); + + mmc_remove_host(mmc); +- pm_runtime_force_suspend(&pdev->dev); +- disable_irq(host->irq); +- sunxi_mmc_disable(host); ++ pm_runtime_disable(&pdev->dev); ++ if (!pm_runtime_status_suspended(&pdev->dev)) { ++ disable_irq(host->irq); ++ sunxi_mmc_disable(host); ++ } + dma_free_coherent(&pdev->dev, PAGE_SIZE, host->sg_cpu, host->sg_dma); + mmc_free_host(mmc); + diff --git a/queue-5.15/riscv-dts-sifive-fu740-fix-size-of-pcie-32bit-memory.patch b/queue-5.15/riscv-dts-sifive-fu740-fix-size-of-pcie-32bit-memory.patch new file mode 100644 index 00000000000..61edb902876 --- /dev/null +++ b/queue-5.15/riscv-dts-sifive-fu740-fix-size-of-pcie-32bit-memory.patch @@ -0,0 +1,44 @@ +From 43d5f5d63699724d47f0d9e0eae516a260d232b4 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Fri, 6 Jan 2023 13:44:56 +0000 +Subject: riscv: dts: sifive: fu740: fix size of pcie 32bit memory + +From: Ben Dooks + +commit 43d5f5d63699724d47f0d9e0eae516a260d232b4 upstream. + +The 32-bit memory resource is needed for non-prefetchable memory +allocations on the PCIe bus, however with some cards (such as the +SM768) the system fails to allocate memory from this. + +Checking the allocation against the datasheet, it looks like there +has been a mis-calcualation of the resource for the first memory +region (0x0060090000..0x0070ffffff) which in the data-sheet for +the fu740 (v1p2) is from 0x0060000000..0x007fffffff. Changing +this to allocate from 0x0060090000..0x007fffffff fixes the probing +issues. + +Fixes: ae80d5148085 ("riscv: dts: Add PCIe support for the SiFive FU740-C000 SoC") +Cc: Paul Walmsley +Cc: Greentime Hu +Signed-off-by: Ben Dooks +Cc: stable@vger.kernel.org +Tested-by: Ron Economos # from IRC +Reviewed-by: Conor Dooley +Signed-off-by: Conor Dooley +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/boot/dts/sifive/fu740-c000.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/boot/dts/sifive/fu740-c000.dtsi ++++ b/arch/riscv/boot/dts/sifive/fu740-c000.dtsi +@@ -328,7 +328,7 @@ + bus-range = <0x0 0xff>; + ranges = <0x81000000 0x0 0x60080000 0x0 0x60080000 0x0 0x10000>, /* I/O */ + <0x82000000 0x0 0x60090000 0x0 0x60090000 0x0 0xff70000>, /* mem */ +- <0x82000000 0x0 0x70000000 0x0 0x70000000 0x0 0x1000000>, /* mem */ ++ <0x82000000 0x0 0x70000000 0x0 0x70000000 0x0 0x10000000>, /* mem */ + <0xc3000000 0x20 0x00000000 0x20 0x00000000 0x20 0x00000000>; /* mem prefetchable */ + num-lanes = <0x8>; + interrupts = <56>, <57>, <58>, <59>, <60>, <61>, <62>, <63>, <64>; diff --git a/queue-5.15/series b/queue-5.15/series index 84e2784e896..7dd2fbe507c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -60,3 +60,11 @@ misc-fastrpc-fix-use-after-free-race-condition-for-maps.patch usb-core-hub-disable-autosuspend-for-ti-tusb8041.patch comedi-adv_pci1760-fix-pwm-instruction-handling.patch acpi-prm-check-whether-efi-runtime-is-available.patch +mmc-sunxi-mmc-fix-clock-refcount-imbalance-during-unbind.patch +mmc-sdhci-esdhc-imx-correct-the-tuning-start-tap-and-step-setting.patch +btrfs-do-not-abort-transaction-on-failure-to-write-log-tree-when-syncing-log.patch +btrfs-fix-race-between-quota-rescan-and-disable-leading-to-null-pointer-deref.patch +cifs-do-not-include-page-data-when-checking-signature.patch +thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch +riscv-dts-sifive-fu740-fix-size-of-pcie-32bit-memory.patch +bpf-restore-the-ebpf-program-id-for-bpf_audit_unload-and-perf_bpf_event_prog_unload.patch diff --git a/queue-5.15/thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch b/queue-5.15/thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch new file mode 100644 index 00000000000..75fe2065397 --- /dev/null +++ b/queue-5.15/thunderbolt-use-correct-function-to-calculate-maximum-usb3-link-rate.patch @@ -0,0 +1,33 @@ +From e8ff07fb33026c5c1bb5b81293496faba5d68059 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Fri, 20 May 2022 13:35:19 +0300 +Subject: thunderbolt: Use correct function to calculate maximum USB3 link rate + +From: Mika Westerberg + +commit e8ff07fb33026c5c1bb5b81293496faba5d68059 upstream. + +We need to take minimum of both sides of the USB3 link into consideration, +not just the downstream port. Fix this by calling tb_usb3_max_link_rate() +instead. + +Fixes: 0bd680cd900c ("thunderbolt: Add USB3 bandwidth management") +Cc: stable@vger.kernel.org +Acked-by: Yehezkel Bernat +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thunderbolt/tunnel.c ++++ b/drivers/thunderbolt/tunnel.c +@@ -1262,7 +1262,7 @@ static void tb_usb3_reclaim_available_ba + return; + } else if (!ret) { + /* Use maximum link rate if the link valid is not set */ +- ret = usb4_usb3_port_max_link_rate(tunnel->src_port); ++ ret = tb_usb3_max_link_rate(tunnel->dst_port, tunnel->src_port); + if (ret < 0) { + tb_tunnel_warn(tunnel, "failed to read maximum link rate\n"); + return;