From: Sasha Levin Date: Mon, 5 Jun 2023 11:26:30 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.14.317~96 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=052becb5e89041ed43e0164c9632b48d07709098;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch b/queue-5.15/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch new file mode 100644 index 00000000000..237a47c48a3 --- /dev/null +++ b/queue-5.15/acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch @@ -0,0 +1,58 @@ +From 042ce89d52c1f16c34b012bdc185c8c48d8d5877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 18:03:07 +0000 +Subject: ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rubén Gómez + +[ Upstream commit 71a485624c4cbb144169852d7bb8ca8c0667d7a3 ] + +Add an ACPI IRQ override quirk for LG UltraPC 17U70P to address the +internal keyboard problem on it. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216983 +Signed-off-by: Rubén Gómez Agudo +[ rjw: Subject, changelog, white space damage fixes ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 803dc6afa6d69..b0c7ae50a8d79 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -470,6 +470,17 @@ static const struct dmi_system_id maingear_laptop[] = { + { } + }; + ++static const struct dmi_system_id lg_laptop[] = { ++ { ++ .ident = "LG Electronics 17U70P", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LG Electronics"), ++ DMI_MATCH(DMI_BOARD_NAME, "17U70P"), ++ }, ++ }, ++ { } ++}; ++ + struct irq_override_cmp { + const struct dmi_system_id *system; + unsigned char irq; +@@ -486,6 +497,7 @@ static const struct irq_override_cmp override_table[] = { + { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, + { tongfang_gm_rg, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + { maingear_laptop, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, ++ { lg_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + }; + + static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, +-- +2.39.2 + diff --git a/queue-5.15/af_packet-do-not-use-read_once-in-packet_bind.patch b/queue-5.15/af_packet-do-not-use-read_once-in-packet_bind.patch new file mode 100644 index 00000000000..94aa92065eb --- /dev/null +++ b/queue-5.15/af_packet-do-not-use-read_once-in-packet_bind.patch @@ -0,0 +1,64 @@ +From d458d0af68a6c01b6f3fc620631726eeac7d2fa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 15:43:42 +0000 +Subject: af_packet: do not use READ_ONCE() in packet_bind() + +From: Eric Dumazet + +[ Upstream commit 6ffc57ea004234d9373c57b204fd10370a69f392 ] + +A recent patch added READ_ONCE() in packet_bind() and packet_bind_spkt() + +This is better handled by reading pkt_sk(sk)->num later +in packet_do_bind() while appropriate lock is held. + +READ_ONCE() in writers are often an evidence of something being wrong. + +Fixes: 822b5a1c17df ("af_packet: Fix data-races of pkt_sk(sk)->num.") +Signed-off-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Reviewed-by: Jiri Pirko +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230526154342.2533026-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 05a0b1d8c3721..ccf84ce41fd71 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3159,6 +3159,9 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex, + + lock_sock(sk); + spin_lock(&po->bind_lock); ++ if (!proto) ++ proto = po->num; ++ + rcu_read_lock(); + + if (po->fanout) { +@@ -3259,7 +3262,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data)); + name[sizeof(uaddr->sa_data)] = 0; + +- return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num)); ++ return packet_do_bind(sk, name, 0, 0); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) +@@ -3276,8 +3279,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + if (sll->sll_family != AF_PACKET) + return -EINVAL; + +- return packet_do_bind(sk, NULL, sll->sll_ifindex, +- sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num)); ++ return packet_do_bind(sk, NULL, sll->sll_ifindex, sll->sll_protocol); + } + + static struct proto packet_proto = { +-- +2.39.2 + diff --git a/queue-5.15/af_packet-fix-data-races-of-pkt_sk-sk-num.patch b/queue-5.15/af_packet-fix-data-races-of-pkt_sk-sk-num.patch new file mode 100644 index 00000000000..944c84c33d5 --- /dev/null +++ b/queue-5.15/af_packet-fix-data-races-of-pkt_sk-sk-num.patch @@ -0,0 +1,98 @@ +From 7d2951c6a73e643724ff37ed09b2dc7eb17596c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 16:29:34 -0700 +Subject: af_packet: Fix data-races of pkt_sk(sk)->num. + +From: Kuniyuki Iwashima + +[ Upstream commit 822b5a1c17df7e338b9f05d1cfe5764e37c7f74f ] + +syzkaller found a data race of pkt_sk(sk)->num. + +The value is changed under lock_sock() and po->bind_lock, so we +need READ_ONCE() to access pkt_sk(sk)->num without these locks in +packet_bind_spkt(), packet_bind(), and sk_diag_fill(). + +Note that WRITE_ONCE() is already added by commit c7d2ef5dd4b0 +("net/packet: annotate accesses to po->bind"). + +BUG: KCSAN: data-race in packet_bind / packet_do_bind + +write (marked) to 0xffff88802ffd1cee of 2 bytes by task 7322 on cpu 0: + packet_do_bind+0x446/0x640 net/packet/af_packet.c:3236 + packet_bind+0x99/0xe0 net/packet/af_packet.c:3321 + __sys_bind+0x19b/0x1e0 net/socket.c:1803 + __do_sys_bind net/socket.c:1814 [inline] + __se_sys_bind net/socket.c:1812 [inline] + __x64_sys_bind+0x40/0x50 net/socket.c:1812 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +read to 0xffff88802ffd1cee of 2 bytes by task 7318 on cpu 1: + packet_bind+0xbf/0xe0 net/packet/af_packet.c:3322 + __sys_bind+0x19b/0x1e0 net/socket.c:1803 + __do_sys_bind net/socket.c:1814 [inline] + __se_sys_bind net/socket.c:1812 [inline] + __x64_sys_bind+0x40/0x50 net/socket.c:1812 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +value changed: 0x0300 -> 0x0000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 7318 Comm: syz-executor.4 Not tainted 6.3.0-13380-g7fddb5b5300c #4 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + +Fixes: 96ec6327144e ("packet: Diag core and basic socket info dumping") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230524232934.50950-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 4 ++-- + net/packet/diag.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index ce484305be881..05a0b1d8c3721 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3259,7 +3259,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, + memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data)); + name[sizeof(uaddr->sa_data)] = 0; + +- return packet_do_bind(sk, name, 0, pkt_sk(sk)->num); ++ return packet_do_bind(sk, name, 0, READ_ONCE(pkt_sk(sk)->num)); + } + + static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) +@@ -3277,7 +3277,7 @@ static int packet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len + return -EINVAL; + + return packet_do_bind(sk, NULL, sll->sll_ifindex, +- sll->sll_protocol ? : pkt_sk(sk)->num); ++ sll->sll_protocol ? : READ_ONCE(pkt_sk(sk)->num)); + } + + static struct proto packet_proto = { +diff --git a/net/packet/diag.c b/net/packet/diag.c +index d704c7bf51b20..a68a84574c739 100644 +--- a/net/packet/diag.c ++++ b/net/packet/diag.c +@@ -143,7 +143,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, + rp = nlmsg_data(nlh); + rp->pdiag_family = AF_PACKET; + rp->pdiag_type = sk->sk_type; +- rp->pdiag_num = ntohs(po->num); ++ rp->pdiag_num = ntohs(READ_ONCE(po->num)); + rp->pdiag_ino = sk_ino; + sock_diag_save_cookie(sk, rp->pdiag_cookie); + +-- +2.39.2 + diff --git a/queue-5.15/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch b/queue-5.15/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch new file mode 100644 index 00000000000..acb8ed274cf --- /dev/null +++ b/queue-5.15/alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch @@ -0,0 +1,145 @@ +From 7b79bec40e829ecf4c49a923bd8c80fb44db86be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 09:30:59 +0800 +Subject: ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs. + +From: jasontao + +[ Upstream commit c51e431052e2eacfb23fbf6b39bc6c8770d9827a ] + +Add a set of HD Audio PCI IDS, and the HDMI codec vendor IDs for +Glenfly Gpus. + +- In default_bdl_pos_adj, set bdl to 128 as Glenfly Gpus have hardware +limitation, need to increase hdac interrupt interval. +- In azx_first_init, enable polling mode for Glenfly Gpu. When the codec +complete the command, it sends interrupt and writes response entries to +memory, howerver, the write requests sometimes are not actually +synchronized to memory when driver handle hdac interrupt on Glenfly Gpus. +If the RIRB status is not updated in the interrupt handler, +azx_rirb_get_response keeps trying to recevie a response from rirb until +1s timeout. Enabling polling mode for Glenfly Gpu can fix the issue. +- In patch_gf_hdmi, set Glenlfy Gpu Codec's no_sticky_stream as it need +driver to do actual clean-ups for the linked codec when switch from one +codec to another. + +Signed-off-by: jasontao +Signed-off-by: Reaper Li +Link: https://lore.kernel.org/r/20230426013059.4329-1-reaperlioc@glenfly.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 21 +++++++++++++++++++++ + sound/pci/hda/patch_hdmi.c | 22 ++++++++++++++++++++++ + 2 files changed, 43 insertions(+) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 5fce1ca8a393a..1379ac07df350 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -230,6 +230,7 @@ enum { + AZX_DRIVER_ATI, + AZX_DRIVER_ATIHDMI, + AZX_DRIVER_ATIHDMI_NS, ++ AZX_DRIVER_GFHDMI, + AZX_DRIVER_VIA, + AZX_DRIVER_SIS, + AZX_DRIVER_ULI, +@@ -352,6 +353,7 @@ static const char * const driver_short_names[] = { + [AZX_DRIVER_ATI] = "HDA ATI SB", + [AZX_DRIVER_ATIHDMI] = "HDA ATI HDMI", + [AZX_DRIVER_ATIHDMI_NS] = "HDA ATI HDMI", ++ [AZX_DRIVER_GFHDMI] = "HDA GF HDMI", + [AZX_DRIVER_VIA] = "HDA VIA VT82xx", + [AZX_DRIVER_SIS] = "HDA SIS966", + [AZX_DRIVER_ULI] = "HDA ULI M5461", +@@ -1742,6 +1744,12 @@ static int default_bdl_pos_adj(struct azx *chip) + } + + switch (chip->driver_type) { ++ /* ++ * increase the bdl size for Glenfly Gpus for hardware ++ * limitation on hdac interrupt interval ++ */ ++ case AZX_DRIVER_GFHDMI: ++ return 128; + case AZX_DRIVER_ICH: + case AZX_DRIVER_PCH: + return 1; +@@ -1857,6 +1865,12 @@ static int azx_first_init(struct azx *chip) + pci_write_config_dword(pci, PCI_BASE_ADDRESS_1, 0); + } + #endif ++ /* ++ * Fix response write request not synced to memory when handle ++ * hdac interrupt on Glenfly Gpus ++ */ ++ if (chip->driver_type == AZX_DRIVER_GFHDMI) ++ bus->polling_mode = 1; + + err = pcim_iomap_regions(pci, 1 << 0, "ICH HD audio"); + if (err < 0) +@@ -1957,6 +1971,7 @@ static int azx_first_init(struct azx *chip) + chip->playback_streams = ATIHDMI_NUM_PLAYBACK; + chip->capture_streams = ATIHDMI_NUM_CAPTURE; + break; ++ case AZX_DRIVER_GFHDMI: + case AZX_DRIVER_GENERIC: + default: + chip->playback_streams = ICH6_NUM_PLAYBACK; +@@ -2694,6 +2709,12 @@ static const struct pci_device_id azx_ids[] = { + { PCI_DEVICE(0x1002, 0xab38), + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS | + AZX_DCAPS_PM_RUNTIME }, ++ /* GLENFLY */ ++ { PCI_DEVICE(0x6766, PCI_ANY_ID), ++ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, ++ .class_mask = 0xffffff, ++ .driver_data = AZX_DRIVER_GFHDMI | AZX_DCAPS_POSFIX_LPIB | ++ AZX_DCAPS_NO_MSI | AZX_DCAPS_NO_64BIT }, + /* VIA VT8251/VT8237A */ + { PCI_DEVICE(0x1106, 0x3288), .driver_data = AZX_DRIVER_VIA }, + /* VIA GFX VT7122/VX900 */ +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 8ed5a499af4bb..3cd3b5c49e45e 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -4298,6 +4298,22 @@ static int patch_via_hdmi(struct hda_codec *codec) + return patch_simple_hdmi(codec, VIAHDMI_CVT_NID, VIAHDMI_PIN_NID); + } + ++static int patch_gf_hdmi(struct hda_codec *codec) ++{ ++ int err; ++ ++ err = patch_generic_hdmi(codec); ++ if (err) ++ return err; ++ ++ /* ++ * Glenfly GPUs have two codecs, stream switches from one codec to ++ * another, need to do actual clean-ups in codec_cleanup_stream ++ */ ++ codec->no_sticky_stream = 1; ++ return 0; ++} ++ + /* + * patch entries + */ +@@ -4392,6 +4408,12 @@ HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi), + HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch), + HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch), ++HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d83, "Arise 83 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d84, "Arise 84 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d85, "Arise 85 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d86, "Arise 86 HDMI/DP", patch_gf_hdmi), ++HDA_CODEC_ENTRY(0x67663d87, "Arise 87 HDMI/DP", patch_gf_hdmi), + HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP", patch_via_hdmi), + HDA_CODEC_ENTRY(0x11069f81, "VX900 HDMI/DP", patch_via_hdmi), + HDA_CODEC_ENTRY(0x11069f84, "VX11 HDMI/DP", patch_generic_hdmi), +-- +2.39.2 + diff --git a/queue-5.15/alsa-oss-avoid-missing-prototype-warnings.patch b/queue-5.15/alsa-oss-avoid-missing-prototype-warnings.patch new file mode 100644 index 00000000000..1f324fa13c2 --- /dev/null +++ b/queue-5.15/alsa-oss-avoid-missing-prototype-warnings.patch @@ -0,0 +1,64 @@ +From 399ba1dd4e2bd11ed8f585d0afbaaef5a45772f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:50:42 +0200 +Subject: ALSA: oss: avoid missing-prototype warnings + +From: Arnd Bergmann + +[ Upstream commit 040b5a046a9e18098580d3ccd029e2318fca7859 ] + +Two functions are defined and used in pcm_oss.c but also optionally +used from io.c, with an optional prototype. If CONFIG_SND_PCM_OSS_PLUGINS +is disabled, this causes a warning as the functions are not static +and have no prototype: + +sound/core/oss/pcm_oss.c:1235:19: error: no previous prototype for 'snd_pcm_oss_write3' [-Werror=missing-prototypes] +sound/core/oss/pcm_oss.c:1266:19: error: no previous prototype for 'snd_pcm_oss_read3' [-Werror=missing-prototypes] + +Avoid this by making the prototypes unconditional. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516195046.550584-2-arnd@kernel.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/pcm_plugin.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/sound/core/oss/pcm_plugin.h b/sound/core/oss/pcm_plugin.h +index 46e273bd4a786..50a6b50f5db4c 100644 +--- a/sound/core/oss/pcm_plugin.h ++++ b/sound/core/oss/pcm_plugin.h +@@ -141,6 +141,14 @@ int snd_pcm_area_copy(const struct snd_pcm_channel_area *src_channel, + + void *snd_pcm_plug_buf_alloc(struct snd_pcm_substream *plug, snd_pcm_uframes_t size); + void snd_pcm_plug_buf_unlock(struct snd_pcm_substream *plug, void *ptr); ++#else ++ ++static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; } ++static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; } ++static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; } ++ ++#endif ++ + snd_pcm_sframes_t snd_pcm_oss_write3(struct snd_pcm_substream *substream, + const char *ptr, snd_pcm_uframes_t size, + int in_kernel); +@@ -151,14 +159,6 @@ snd_pcm_sframes_t snd_pcm_oss_writev3(struct snd_pcm_substream *substream, + snd_pcm_sframes_t snd_pcm_oss_readv3(struct snd_pcm_substream *substream, + void **bufs, snd_pcm_uframes_t frames); + +-#else +- +-static inline snd_pcm_sframes_t snd_pcm_plug_client_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t drv_size) { return drv_size; } +-static inline snd_pcm_sframes_t snd_pcm_plug_slave_size(struct snd_pcm_substream *handle, snd_pcm_uframes_t clt_size) { return clt_size; } +-static inline int snd_pcm_plug_slave_format(int format, const struct snd_mask *format_mask) { return format; } +- +-#endif +- + #ifdef PLUGIN_DEBUG + #define pdprintf(fmt, args...) printk(KERN_DEBUG "plugin: " fmt, ##args) + #else +-- +2.39.2 + diff --git a/queue-5.15/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch b/queue-5.15/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch new file mode 100644 index 00000000000..e57f9d78fa1 --- /dev/null +++ b/queue-5.15/amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch @@ -0,0 +1,71 @@ +From 6cfe423cbdddf3503003a212dd495f29b7de4812 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 23:56:12 +0530 +Subject: amd-xgbe: fix the false linkup in xgbe_phy_status + +From: Raju Rangoju + +[ Upstream commit dc362e20cd6ab7a93d1b09669730c406f0910c35 ] + +In the event of a change in XGBE mode, the current auto-negotiation +needs to be reset and the AN cycle needs to be re-triggerred. However, +the current code ignores the return value of xgbe_set_mode(), leading to +false information as the link is declared without checking the status +register. + +Fix this by propagating the mode switch status information to +xgbe_phy_status(). + +Fixes: e57f7a3feaef ("amd-xgbe: Prepare for working with more than one type of phy") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Reviewed-by: Simon Horman +Acked-by: Shyam Sundar S K +Signed-off-by: Raju Rangoju +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 43fdd111235a6..ca7372369b3e6 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -1312,7 +1312,7 @@ static enum xgbe_mode xgbe_phy_status_aneg(struct xgbe_prv_data *pdata) + return pdata->phy_if.phy_impl.an_outcome(pdata); + } + +-static void xgbe_phy_status_result(struct xgbe_prv_data *pdata) ++static bool xgbe_phy_status_result(struct xgbe_prv_data *pdata) + { + struct ethtool_link_ksettings *lks = &pdata->phy.lks; + enum xgbe_mode mode; +@@ -1347,8 +1347,13 @@ static void xgbe_phy_status_result(struct xgbe_prv_data *pdata) + + pdata->phy.duplex = DUPLEX_FULL; + +- if (xgbe_set_mode(pdata, mode) && pdata->an_again) ++ if (!xgbe_set_mode(pdata, mode)) ++ return false; ++ ++ if (pdata->an_again) + xgbe_phy_reconfig_aneg(pdata); ++ ++ return true; + } + + static void xgbe_phy_status(struct xgbe_prv_data *pdata) +@@ -1378,7 +1383,8 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata) + return; + } + +- xgbe_phy_status_result(pdata); ++ if (xgbe_phy_status_result(pdata)) ++ return; + + if (test_bit(XGBE_LINK_INIT, &pdata->dev_state)) + clear_bit(XGBE_LINK_INIT, &pdata->dev_state); +-- +2.39.2 + diff --git a/queue-5.15/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch b/queue-5.15/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch new file mode 100644 index 00000000000..a9c0436bb48 --- /dev/null +++ b/queue-5.15/arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch @@ -0,0 +1,93 @@ +From d253b09d79b09c1cd6f16768feb5b9fb442dbc2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 10:17:07 +0100 +Subject: ARM: 9295/1: unwind:fix unwind abort for uleb128 case + +From: Haibo Li + +[ Upstream commit fa3eeb638de0c1a9d2d860e5b48259facdd65176 ] + +When unwind instruction is 0xb2,the subsequent instructions +are uleb128 bytes. +For now,it uses only the first uleb128 byte in code. + +For vsp increments of 0x204~0x400,use one uleb128 byte like below: +0xc06a00e4 : 0x80b27fac + Compact model index: 0 + 0xb2 0x7f vsp = vsp + 1024 + 0xac pop {r4, r5, r6, r7, r8, r14} + +For vsp increments larger than 0x400,use two uleb128 bytes like below: +0xc06a00e4 : @0xc0cc9e0c + Compact model index: 1 + 0xb2 0x81 0x01 vsp = vsp + 1032 + 0xac pop {r4, r5, r6, r7, r8, r14} +The unwind works well since the decoded uleb128 byte is also 0x81. + +For vsp increments larger than 0x600,use two uleb128 bytes like below: +0xc06a00e4 : @0xc0cc9e0c + Compact model index: 1 + 0xb2 0x81 0x02 vsp = vsp + 1544 + 0xac pop {r4, r5, r6, r7, r8, r14} +In this case,the decoded uleb128 result is 0x101(vsp=0x204+(0x101<<2)). +While the uleb128 used in code is 0x81(vsp=0x204+(0x81<<2)). +The unwind aborts at this frame since it gets incorrect vsp. + +To fix this,add uleb128 decode to cover all the above case. + +Signed-off-by: Haibo Li +Reviewed-by: Linus Walleij +Reviewed-by: Alexandre Mergnat +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/unwind.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/kernel/unwind.c b/arch/arm/kernel/unwind.c +index 59fdf257bf8be..d91ed8e4310c2 100644 +--- a/arch/arm/kernel/unwind.c ++++ b/arch/arm/kernel/unwind.c +@@ -301,6 +301,29 @@ static int unwind_exec_pop_subset_r0_to_r3(struct unwind_ctrl_block *ctrl, + return URC_OK; + } + ++static unsigned long unwind_decode_uleb128(struct unwind_ctrl_block *ctrl) ++{ ++ unsigned long bytes = 0; ++ unsigned long insn; ++ unsigned long result = 0; ++ ++ /* ++ * unwind_get_byte() will advance `ctrl` one instruction at a time, so ++ * loop until we get an instruction byte where bit 7 is not set. ++ * ++ * Note: This decodes a maximum of 4 bytes to output 28 bits data where ++ * max is 0xfffffff: that will cover a vsp increment of 1073742336, hence ++ * it is sufficient for unwinding the stack. ++ */ ++ do { ++ insn = unwind_get_byte(ctrl); ++ result |= (insn & 0x7f) << (bytes * 7); ++ bytes++; ++ } while (!!(insn & 0x80) && (bytes != sizeof(result))); ++ ++ return result; ++} ++ + /* + * Execute the current unwind instruction. + */ +@@ -354,7 +377,7 @@ static int unwind_exec_insn(struct unwind_ctrl_block *ctrl) + if (ret) + goto error; + } else if (insn == 0xb2) { +- unsigned long uleb128 = unwind_get_byte(ctrl); ++ unsigned long uleb128 = unwind_decode_uleb128(ctrl); + + ctrl->vrs[SP] += 0x204 + (uleb128 << 2); + } else { +-- +2.39.2 + diff --git a/queue-5.15/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch b/queue-5.15/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch new file mode 100644 index 00000000000..46f1e625378 --- /dev/null +++ b/queue-5.15/arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch @@ -0,0 +1,115 @@ +From 43b81e94fc8de7b929d5d174bbec791c6e550b90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 22:45:38 +0200 +Subject: ARM: dts: stm32: add pin map for CAN controller on stm32f7 + +From: Dario Binacchi + +[ Upstream commit 011644249686f2675e142519cd59e81e04cfc231 ] + +Add pin configurations for using CAN controller on stm32f7. + +Signed-off-by: Dario Binacchi +Link: https://lore.kernel.org/all/20230427204540.3126234-4-dario.binacchi@amarulasolutions.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32f7-pinctrl.dtsi | 82 ++++++++++++++++++++++++++ + 1 file changed, 82 insertions(+) + +diff --git a/arch/arm/boot/dts/stm32f7-pinctrl.dtsi b/arch/arm/boot/dts/stm32f7-pinctrl.dtsi +index 1cf8a23c26448..7f40b34401a9d 100644 +--- a/arch/arm/boot/dts/stm32f7-pinctrl.dtsi ++++ b/arch/arm/boot/dts/stm32f7-pinctrl.dtsi +@@ -284,6 +284,88 @@ + slew-rate = <2>; + }; + }; ++ ++ can1_pins_a: can1-0 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can1_pins_b: can1-1 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can1_pins_c: can1-2 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ ++ }; ++ }; ++ ++ can1_pins_d: can1-3 { ++ pins1 { ++ pinmux = ; /* CAN1_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN1_RX */ ++ bias-pull-up; ++ ++ }; ++ }; ++ ++ can2_pins_a: can2-0 { ++ pins1 { ++ pinmux = ; /* CAN2_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN2_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can2_pins_b: can2-1 { ++ pins1 { ++ pinmux = ; /* CAN2_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN2_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can3_pins_a: can3-0 { ++ pins1 { ++ pinmux = ; /* CAN3_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN3_RX */ ++ bias-pull-up; ++ }; ++ }; ++ ++ can3_pins_b: can3-1 { ++ pins1 { ++ pinmux = ; /* CAN3_TX */ ++ }; ++ pins2 { ++ pinmux = ; /* CAN3_RX */ ++ bias-pull-up; ++ }; ++ }; + }; + }; + }; +-- +2.39.2 + diff --git a/queue-5.15/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch b/queue-5.15/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch new file mode 100644 index 00000000000..1aa35af9f62 --- /dev/null +++ b/queue-5.15/arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch @@ -0,0 +1,54 @@ +From a4c1458377ec1053a1a8d0f4a1a9992c854af7b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 May 2023 23:19:06 +0800 +Subject: arm64/mm: mark private VM_FAULT_X defines as vm_fault_t + +From: Min-Hua Chen + +[ Upstream commit d91d580878064b880f3574ac35b98d8b70ee8620 ] + +This patch fixes several sparse warnings for fault.c: + +arch/arm64/mm/fault.c:493:24: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:493:24: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:493:24: sparse: got int +arch/arm64/mm/fault.c:501:32: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:501:32: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:501:32: sparse: got int +arch/arm64/mm/fault.c:503:32: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:503:32: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:503:32: sparse: got int +arch/arm64/mm/fault.c:511:24: sparse: warning: incorrect type in return expression (different base types) +arch/arm64/mm/fault.c:511:24: sparse: expected restricted vm_fault_t +arch/arm64/mm/fault.c:511:24: sparse: got int +arch/arm64/mm/fault.c:670:13: sparse: warning: restricted vm_fault_t degrades to integer +arch/arm64/mm/fault.c:670:13: sparse: warning: restricted vm_fault_t degrades to integer +arch/arm64/mm/fault.c:713:39: sparse: warning: restricted vm_fault_t degrades to integer + +Reported-by: kernel test robot +Signed-off-by: Min-Hua Chen +Link: https://lore.kernel.org/r/20230502151909.128810-1-minhuadotchen@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/fault.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index 97a93ee756a2e..6327620397142 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -473,8 +473,8 @@ static void do_bad_area(unsigned long far, unsigned long esr, + } + } + +-#define VM_FAULT_BADMAP 0x010000 +-#define VM_FAULT_BADACCESS 0x020000 ++#define VM_FAULT_BADMAP ((__force vm_fault_t)0x010000) ++#define VM_FAULT_BADACCESS ((__force vm_fault_t)0x020000) + + static vm_fault_t __do_page_fault(struct mm_struct *mm, unsigned long addr, + unsigned int mm_flags, unsigned long vm_flags, +-- +2.39.2 + diff --git a/queue-5.15/arm64-vdso-pass-void-to-virt_to_page.patch b/queue-5.15/arm64-vdso-pass-void-to-virt_to_page.patch new file mode 100644 index 00000000000..2f16501f919 --- /dev/null +++ b/queue-5.15/arm64-vdso-pass-void-to-virt_to_page.patch @@ -0,0 +1,42 @@ +From 4ebce61f9a679bb1cf931a6d1489ad8fe7ec18cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 08:48:11 +0200 +Subject: arm64: vdso: Pass (void *) to virt_to_page() + +From: Linus Walleij + +[ Upstream commit b0abde80620f42d1ceb3de5e4c1a49cdd5628229 ] + +Like the other calls in this function virt_to_page() expects +a pointer, not an integer. + +However since many architectures implement virt_to_pfn() as +a macro, this function becomes polymorphic and accepts both a +(unsigned long) and a (void *). + +Fix this up with an explicit cast. + +Signed-off-by: Linus Walleij +Link: http://lists.infradead.org/pipermail/linux-arm-kernel/2023-May/832583.html +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/vdso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c +index a61fc4f989b37..55dd15c9745da 100644 +--- a/arch/arm64/kernel/vdso.c ++++ b/arch/arm64/kernel/vdso.c +@@ -314,7 +314,7 @@ static int aarch32_alloc_kuser_vdso_page(void) + + memcpy((void *)(vdso_page + 0x1000 - kuser_sz), __kuser_helper_start, + kuser_sz); +- aarch32_vectors_page = virt_to_page(vdso_page); ++ aarch32_vectors_page = virt_to_page((void *)vdso_page); + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.15/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch b/queue-5.15/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch new file mode 100644 index 00000000000..6dabb2fdae8 --- /dev/null +++ b/queue-5.15/asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch @@ -0,0 +1,101 @@ +From 9088393c6e9e9e2a476224eca9a9a9eb3af17519 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 17:34:12 +0200 +Subject: ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Povišer + +[ Upstream commit efb2bfd7b3d210c479b9361c176d7426e5eb8663 ] + +A bunch of TI's codecs have binding schemas which force #sound-dai-cells +to one despite those codecs only having a single DAI. Allow for bindings +with zero DAI cells and deprecate the former non-zero value. + +Signed-off-by: Martin Povišer +--- + Documentation/devicetree/bindings/sound/tas2562.yaml | 6 ++++-- + Documentation/devicetree/bindings/sound/tas2764.yaml | 6 ++++-- + Documentation/devicetree/bindings/sound/tas2770.yaml | 6 ++++-- + 3 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/Documentation/devicetree/bindings/sound/tas2562.yaml b/Documentation/devicetree/bindings/sound/tas2562.yaml +index acd4bbe697315..4adaf92233c8e 100644 +--- a/Documentation/devicetree/bindings/sound/tas2562.yaml ++++ b/Documentation/devicetree/bindings/sound/tas2562.yaml +@@ -52,7 +52,9 @@ properties: + description: TDM TX current sense time slot. + + '#sound-dai-cells': +- const: 1 ++ # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward ++ # compatibility but is deprecated. ++ enum: [0, 1] + + required: + - compatible +@@ -69,7 +71,7 @@ examples: + codec: codec@4c { + compatible = "ti,tas2562"; + reg = <0x4c>; +- #sound-dai-cells = <1>; ++ #sound-dai-cells = <0>; + interrupt-parent = <&gpio1>; + interrupts = <14>; + shutdown-gpios = <&gpio1 15 0>; +diff --git a/Documentation/devicetree/bindings/sound/tas2764.yaml b/Documentation/devicetree/bindings/sound/tas2764.yaml +index 5bf8c76ecda11..1ffe1a01668fe 100644 +--- a/Documentation/devicetree/bindings/sound/tas2764.yaml ++++ b/Documentation/devicetree/bindings/sound/tas2764.yaml +@@ -46,7 +46,9 @@ properties: + description: TDM TX voltage sense time slot. + + '#sound-dai-cells': +- const: 1 ++ # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward ++ # compatibility but is deprecated. ++ enum: [0, 1] + + required: + - compatible +@@ -63,7 +65,7 @@ examples: + codec: codec@38 { + compatible = "ti,tas2764"; + reg = <0x38>; +- #sound-dai-cells = <1>; ++ #sound-dai-cells = <0>; + interrupt-parent = <&gpio1>; + interrupts = <14>; + reset-gpios = <&gpio1 15 0>; +diff --git a/Documentation/devicetree/bindings/sound/tas2770.yaml b/Documentation/devicetree/bindings/sound/tas2770.yaml +index 027bebf4e8cf5..aceba9ed813ef 100644 +--- a/Documentation/devicetree/bindings/sound/tas2770.yaml ++++ b/Documentation/devicetree/bindings/sound/tas2770.yaml +@@ -54,7 +54,9 @@ properties: + - 1 # Falling edge + + '#sound-dai-cells': +- const: 1 ++ # The codec has a single DAI, the #sound-dai-cells=<1>; case is left in for backward ++ # compatibility but is deprecated. ++ enum: [0, 1] + + required: + - compatible +@@ -71,7 +73,7 @@ examples: + codec: codec@41 { + compatible = "ti,tas2770"; + reg = <0x41>; +- #sound-dai-cells = <1>; ++ #sound-dai-cells = <0>; + interrupt-parent = <&gpio1>; + interrupts = <14>; + reset-gpio = <&gpio1 15 0>; +-- +2.39.2 + diff --git a/queue-5.15/asoc-dwc-limit-the-number-of-overrun-messages.patch b/queue-5.15/asoc-dwc-limit-the-number-of-overrun-messages.patch new file mode 100644 index 00000000000..ef45d9a782b --- /dev/null +++ b/queue-5.15/asoc-dwc-limit-the-number-of-overrun-messages.patch @@ -0,0 +1,44 @@ +From f5f446b3db9a30cb31b079229d71f65566a2bc5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 09:28:20 +0300 +Subject: ASoC: dwc: limit the number of overrun messages + +From: Maxim Kochetkov + +[ Upstream commit ab6ecfbf40fccf74b6ec2ba7ed6dd2fc024c3af2 ] + +On slow CPU (FPGA/QEMU emulated) printing overrun messages from +interrupt handler to uart console may leads to more overrun errors. +So use dev_err_ratelimited to limit the number of error messages. + +Signed-off-by: Maxim Kochetkov +--- + sound/soc/dwc/dwc-i2s.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/dwc/dwc-i2s.c b/sound/soc/dwc/dwc-i2s.c +index 315ca5c4b057a..14ad8023fcdcb 100644 +--- a/sound/soc/dwc/dwc-i2s.c ++++ b/sound/soc/dwc/dwc-i2s.c +@@ -132,13 +132,13 @@ static irqreturn_t i2s_irq_handler(int irq, void *dev_id) + + /* Error Handling: TX */ + if (isr[i] & ISR_TXFO) { +- dev_err(dev->dev, "TX overrun (ch_id=%d)\n", i); ++ dev_err_ratelimited(dev->dev, "TX overrun (ch_id=%d)\n", i); + irq_valid = true; + } + + /* Error Handling: TX */ + if (isr[i] & ISR_RXFO) { +- dev_err(dev->dev, "RX overrun (ch_id=%d)\n", i); ++ dev_err_ratelimited(dev->dev, "RX overrun (ch_id=%d)\n", i); + irq_valid = true; + } + } +-- +2.39.2 + diff --git a/queue-5.15/asoc-ssm2602-add-workaround-for-playback-distortions.patch b/queue-5.15/asoc-ssm2602-add-workaround-for-playback-distortions.patch new file mode 100644 index 00000000000..67056949c95 --- /dev/null +++ b/queue-5.15/asoc-ssm2602-add-workaround-for-playback-distortions.patch @@ -0,0 +1,140 @@ +From 5f8ef4f95055658ae03afa6c22b0b876431b0c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 13:30:37 +0200 +Subject: ASoC: ssm2602: Add workaround for playback distortions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paweł Anikiel + +[ Upstream commit f63550e2b165208a2f382afcaf5551df9569e1d4 ] + +Apply a workaround for what appears to be a hardware quirk. + +The problem seems to happen when enabling "whole chip power" (bit D7 +register R6) for the very first time after the chip receives power. If +either "output" (D4) or "DAC" (D3) aren't powered on at that time, +playback becomes very distorted later on. + +This happens on the Google Chameleon v3, as well as on a ZYBO Z7-10: +https://ez.analog.com/audio/f/q-a/543726/solved-ssm2603-right-output-offset-issue/480229 +I suspect this happens only when using an external MCLK signal (which +is the case for both of these boards). + +Here are some experiments run on a Google Chameleon v3. These were run +in userspace using a wrapper around the i2cset utility: +ssmset() { + i2cset -y 0 0x1a $(($1*2)) $2 +} + +For each of the following sequences, we apply power to the ssm2603 +chip, set the configuration registers R0-R5 and R7-R8, run the selected +sequence, and check for distortions on playback. + + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # chip, out, dac + OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x87 # out, dac + ssmset 0x06 0x07 # chip + OK + + (disable MCLK) + ssmset 0x09 0x01 # core + ssmset 0x06 0x1f # chip + ssmset 0x06 0x07 # out, dac + (enable MCLK) + OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x1f # chip + ssmset 0x06 0x07 # out, dac + NOT OK + + ssmset 0x06 0x1f # chip + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # out, dac + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x0f # chip, out + ssmset 0x06 0x07 # dac + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x17 # chip, dac + ssmset 0x06 0x07 # out + NOT OK + +For each of the following sequences, we apply power to the ssm2603 +chip, run the selected sequence, issue a reset with R15, configure +R0-R5 and R7-R8, run one of the NOT OK sequences from above, and check +for distortions. + + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # chip, out, dac + OK + + (disable MCLK) + ssmset 0x09 0x01 # core + ssmset 0x06 0x07 # chip, out, dac + (enable MCLK after reset) + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x17 # chip, dac + NOT OK + + ssmset 0x09 0x01 # core + ssmset 0x06 0x0f # chip, out + NOT OK + + ssmset 0x06 0x07 # chip, out, dac + NOT OK + +Signed-off-by: Paweł Anikiel +--- + sound/soc/codecs/ssm2602.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/sound/soc/codecs/ssm2602.c b/sound/soc/codecs/ssm2602.c +index 7964e922b07f6..0a3540c5cdb5c 100644 +--- a/sound/soc/codecs/ssm2602.c ++++ b/sound/soc/codecs/ssm2602.c +@@ -53,6 +53,18 @@ static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { + { .reg = 0x09, .def = 0x0000 } + }; + ++/* ++ * ssm2602 register patch ++ * Workaround for playback distortions after power up: activates digital ++ * core, and then powers on output, DAC, and whole chip at the same time ++ */ ++ ++static const struct reg_sequence ssm2602_patch[] = { ++ { SSM2602_ACTIVE, 0x01 }, ++ { SSM2602_PWR, 0x07 }, ++ { SSM2602_RESET, 0x00 }, ++}; ++ + + /*Appending several "None"s just for OSS mixer use*/ + static const char *ssm2602_input_select[] = { +@@ -589,6 +601,9 @@ static int ssm260x_component_probe(struct snd_soc_component *component) + return ret; + } + ++ regmap_register_patch(ssm2602->regmap, ssm2602_patch, ++ ARRAY_SIZE(ssm2602_patch)); ++ + /* set the update bits */ + regmap_update_bits(ssm2602->regmap, SSM2602_LINVOL, + LINVOL_LRIN_BOTH, LINVOL_LRIN_BOTH); +-- +2.39.2 + diff --git a/queue-5.15/atm-hide-unused-procfs-functions.patch b/queue-5.15/atm-hide-unused-procfs-functions.patch new file mode 100644 index 00000000000..f509149c6e7 --- /dev/null +++ b/queue-5.15/atm-hide-unused-procfs-functions.patch @@ -0,0 +1,47 @@ +From 2203171efaa44171c131fd9cc8774c9df3d4472a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:45:34 +0200 +Subject: atm: hide unused procfs functions + +From: Arnd Bergmann + +[ Upstream commit fb1b7be9b16c1f4626969ba4e95a97da2a452b41 ] + +When CONFIG_PROC_FS is disabled, the function declarations for some +procfs functions are hidden, but the definitions are still build, +as shown by this compiler warning: + +net/atm/resources.c:403:7: error: no previous prototype for 'atm_dev_seq_start' [-Werror=missing-prototypes] +net/atm/resources.c:409:6: error: no previous prototype for 'atm_dev_seq_stop' [-Werror=missing-prototypes] +net/atm/resources.c:414:7: error: no previous prototype for 'atm_dev_seq_next' [-Werror=missing-prototypes] + +Add another #ifdef to leave these out of the build. + +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20230516194625.549249-2-arnd@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/atm/resources.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index 2b2d33eeaf200..995d29e7fb138 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -400,6 +400,7 @@ int atm_dev_ioctl(unsigned int cmd, void __user *buf, int __user *sioc_len, + return error; + } + ++#ifdef CONFIG_PROC_FS + void *atm_dev_seq_start(struct seq_file *seq, loff_t *pos) + { + mutex_lock(&atm_dev_mutex); +@@ -415,3 +416,4 @@ void *atm_dev_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { + return seq_list_next(v, &atm_devs, pos); + } ++#endif +-- +2.39.2 + diff --git a/queue-5.15/block-rnbd-replace-req_op_flush-with-req_op_write.patch b/queue-5.15/block-rnbd-replace-req_op_flush-with-req_op_write.patch new file mode 100644 index 00000000000..731ac224620 --- /dev/null +++ b/queue-5.15/block-rnbd-replace-req_op_flush-with-req_op_write.patch @@ -0,0 +1,72 @@ +From d42ebad8940b22d8a3f616ed4eb8eb71085faae6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 11:46:31 +0800 +Subject: block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE + +From: Guoqing Jiang + +[ Upstream commit 5e6e08087a4acb4ee3574cea32dbff0f63c7f608 ] + +Since flush bios are implemented as writes with no data and +the preflush flag per Christoph's comment [1]. + +And we need to change it in rnbd accordingly. Otherwise, I +got splatting when create fs from rnbd client. + +[ 464.028545] ------------[ cut here ]------------ +[ 464.028553] WARNING: CPU: 0 PID: 65 at block/blk-core.c:751 submit_bio_noacct+0x32c/0x5d0 +[ ... ] +[ 464.028668] CPU: 0 PID: 65 Comm: kworker/0:1H Tainted: G OE 6.4.0-rc1 #9 +[ 464.028671] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 +[ 464.028673] Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] +[ 464.028717] RIP: 0010:submit_bio_noacct+0x32c/0x5d0 +[ 464.028720] Code: 03 0f 85 51 fe ff ff 48 8b 43 18 8b 88 04 03 00 00 85 c9 0f 85 3f fe ff ff e9 be fd ff ff 0f b6 d0 3c 0d 74 26 83 fa 01 74 21 <0f> 0b b8 0a 00 00 00 e9 56 fd ff ff 4c 89 e7 e8 70 a1 03 00 84 c0 +[ 464.028722] RSP: 0018:ffffaf3680b57c68 EFLAGS: 00010202 +[ 464.028724] RAX: 0000000000060802 RBX: ffffa09dcc18bf00 RCX: 0000000000000000 +[ 464.028726] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffffa09dde081d00 +[ 464.028727] RBP: ffffaf3680b57c98 R08: ffffa09dde081d00 R09: ffffa09e38327200 +[ 464.028729] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa09dde081d00 +[ 464.028730] R13: ffffa09dcb06e1e8 R14: 0000000000000000 R15: 0000000000200000 +[ 464.028733] FS: 0000000000000000(0000) GS:ffffa09e3bc00000(0000) knlGS:0000000000000000 +[ 464.028735] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 464.028736] CR2: 000055a4e8206c40 CR3: 0000000119f06000 CR4: 00000000003506f0 +[ 464.028738] Call Trace: +[ 464.028740] +[ 464.028746] submit_bio+0x1b/0x80 +[ 464.028748] rnbd_srv_rdma_ev+0x50d/0x10c0 [rnbd_server] +[ 464.028754] ? percpu_ref_get_many.constprop.0+0x55/0x140 [rtrs_server] +[ 464.028760] ? __this_cpu_preempt_check+0x13/0x20 +[ 464.028769] process_io_req+0x1dc/0x450 [rtrs_server] +[ 464.028775] rtrs_srv_inv_rkey_done+0x67/0xb0 [rtrs_server] +[ 464.028780] __ib_process_cq+0xbc/0x1f0 [ib_core] +[ 464.028793] ib_cq_poll_work+0x2b/0xa0 [ib_core] +[ 464.028804] process_one_work+0x2a9/0x580 + +[1]. https://lore.kernel.org/all/ZFHgefWofVt24tRl@infradead.org/ + +Signed-off-by: Guoqing Jiang +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230512034631.28686-1-guoqing.jiang@linux.dev +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rnbd/rnbd-proto.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/rnbd/rnbd-proto.h b/drivers/block/rnbd/rnbd-proto.h +index c1bc5c0fef71d..e0fe0a9aa3708 100644 +--- a/drivers/block/rnbd/rnbd-proto.h ++++ b/drivers/block/rnbd/rnbd-proto.h +@@ -241,7 +241,7 @@ static inline u32 rnbd_to_bio_flags(u32 rnbd_opf) + bio_opf = REQ_OP_WRITE; + break; + case RNBD_OP_FLUSH: +- bio_opf = REQ_OP_FLUSH | REQ_PREFLUSH; ++ bio_opf = REQ_OP_WRITE | REQ_PREFLUSH; + break; + case RNBD_OP_DISCARD: + bio_opf = REQ_OP_DISCARD; +-- +2.39.2 + diff --git a/queue-5.15/bpf-sockmap-use-stricter-sk-state-checks-in-sk_looku.patch b/queue-5.15/bpf-sockmap-use-stricter-sk-state-checks-in-sk_looku.patch new file mode 100644 index 00000000000..63887d18a3e --- /dev/null +++ b/queue-5.15/bpf-sockmap-use-stricter-sk-state-checks-in-sk_looku.patch @@ -0,0 +1,93 @@ +From 73f99197b24d6a978a0abe975f0239f3c20c13ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 13:47:32 -0700 +Subject: bpf, sockmap: Use stricter sk state checks in sk_lookup_assign + +From: John Fastabend + +[ Upstream commit 40a34121ac1dc52ed9cd34a8f4e48e32517a52fd ] + +In order to fix an issue with sockets in TCP sockmap redirect cases we plan +to allow CLOSE state sockets to exist in the sockmap. However, the check in +bpf_sk_lookup_assign() currently only invalidates sockets in the +TCP_ESTABLISHED case relying on the checks on sockmap insert to ensure we +never SOCK_CLOSE state sockets in the map. + +To prepare for this change we flip the logic in bpf_sk_lookup_assign() to +explicitly test for the accepted cases. Namely, a tcp socket in TCP_LISTEN +or a udp socket in TCP_CLOSE state. This also makes the code more resilent +to future changes. + +Suggested-by: Jakub Sitnicki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20211103204736.248403-2-john.fastabend@gmail.com +Stable-dep-of: 448a5ce1120c ("udp6: Fix race condition in udp6_sendmsg & connect") +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 12 ++++++++++++ + net/core/filter.c | 6 ++++-- + net/core/sock_map.c | 6 ------ + 3 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index 6e18ca234f812..fe2fbf1685494 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -505,6 +505,18 @@ static inline bool sk_psock_strp_enabled(struct sk_psock *psock) + return !!psock->saved_data_ready; + } + ++static inline bool sk_is_tcp(const struct sock *sk) ++{ ++ return sk->sk_type == SOCK_STREAM && ++ sk->sk_protocol == IPPROTO_TCP; ++} ++ ++static inline bool sk_is_udp(const struct sock *sk) ++{ ++ return sk->sk_type == SOCK_DGRAM && ++ sk->sk_protocol == IPPROTO_UDP; ++} ++ + #if IS_ENABLED(CONFIG_NET_SOCK_MSG) + + #define BPF_F_STRPARSER (1UL << 1) +diff --git a/net/core/filter.c b/net/core/filter.c +index 519315a1acf3a..a28c51f4ab232 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -10508,8 +10508,10 @@ BPF_CALL_3(bpf_sk_lookup_assign, struct bpf_sk_lookup_kern *, ctx, + return -EINVAL; + if (unlikely(sk && sk_is_refcounted(sk))) + return -ESOCKTNOSUPPORT; /* reject non-RCU freed sockets */ +- if (unlikely(sk && sk->sk_state == TCP_ESTABLISHED)) +- return -ESOCKTNOSUPPORT; /* reject connected sockets */ ++ if (unlikely(sk && sk_is_tcp(sk) && sk->sk_state != TCP_LISTEN)) ++ return -ESOCKTNOSUPPORT; /* only accept TCP socket in LISTEN */ ++ if (unlikely(sk && sk_is_udp(sk) && sk->sk_state != TCP_CLOSE)) ++ return -ESOCKTNOSUPPORT; /* only accept UDP socket in CLOSE */ + + /* Check if socket is suitable for packet L3/L4 protocol */ + if (sk && sk->sk_protocol != ctx->protocol) +diff --git a/net/core/sock_map.c b/net/core/sock_map.c +index 86b4e8909ad1e..60774b79f2e3a 100644 +--- a/net/core/sock_map.c ++++ b/net/core/sock_map.c +@@ -523,12 +523,6 @@ static bool sock_map_op_okay(const struct bpf_sock_ops_kern *ops) + ops->op == BPF_SOCK_OPS_TCP_LISTEN_CB; + } + +-static bool sk_is_tcp(const struct sock *sk) +-{ +- return sk->sk_type == SOCK_STREAM && +- sk->sk_protocol == IPPROTO_TCP; +-} +- + static bool sock_map_redirect_allowed(const struct sock *sk) + { + if (sk_is_tcp(sk)) +-- +2.39.2 + diff --git a/queue-5.15/btrfs-abort-transaction-when-sibling-keys-check-fail.patch b/queue-5.15/btrfs-abort-transaction-when-sibling-keys-check-fail.patch new file mode 100644 index 00000000000..855b22a837d --- /dev/null +++ b/queue-5.15/btrfs-abort-transaction-when-sibling-keys-check-fail.patch @@ -0,0 +1,56 @@ +From 6ac92e5aa724b434414657914c518b77e8ebe89a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 11:51:35 +0100 +Subject: btrfs: abort transaction when sibling keys check fails for leaves + +From: Filipe Manana + +[ Upstream commit 9ae5afd02a03d4e22a17a9609b19400b77c36273 ] + +If the sibling keys check fails before we move keys from one sibling +leaf to another, we are not aborting the transaction - we leave that to +some higher level caller of btrfs_search_slot() (or anything else that +uses it to insert items into a b+tree). + +This means that the transaction abort will provide a stack trace that +omits the b+tree modification call chain. So change this to immediately +abort the transaction and therefore get a more useful stack trace that +shows us the call chain in the bt+tree modification code. + +It's also important to immediately abort the transaction just in case +some higher level caller is not doing it, as this indicates a very +serious corruption and we should stop the possibility of doing further +damage. + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index a31986ca9224e..1a19354382b2b 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -2907,6 +2907,7 @@ static int push_leaf_right(struct btrfs_trans_handle *trans, struct btrfs_root + + if (check_sibling_keys(left, right)) { + ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); + btrfs_tree_unlock(right); + free_extent_buffer(right); + return ret; +@@ -3150,6 +3151,7 @@ static int push_leaf_left(struct btrfs_trans_handle *trans, struct btrfs_root + + if (check_sibling_keys(left, right)) { + ret = -EUCLEAN; ++ btrfs_abort_transaction(trans, ret); + goto out; + } + return __push_leaf_left(path, min_data_size, +-- +2.39.2 + diff --git a/queue-5.15/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch b/queue-5.15/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch new file mode 100644 index 00000000000..24238c4444d --- /dev/null +++ b/queue-5.15/dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch @@ -0,0 +1,56 @@ +From 17a4d8f9948f2bcfa08f0c9b60e0c6ddff5a291f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 13:32:10 +0300 +Subject: dmaengine: at_xdmac: fix potential Oops in + at_xdmac_prep_interleaved() + +From: Dan Carpenter + +[ Upstream commit 4d43acb145c363626d76f49febb4240c488cd1cf ] + +There are two place if the at_xdmac_interleaved_queue_desc() fails which +could lead to a NULL dereference where "first" is NULL and we call +list_add_tail(&first->desc_node, ...). In the first caller, the return +is not checked so add a check for that. In the next caller, the return +is checked but if it fails on the first iteration through the loop then +it will lead to a NULL pointer dereference. + +Fixes: 4e5385784e69 ("dmaengine: at_xdmac: handle numf > 1") +Fixes: 62b5cb757f1d ("dmaengine: at_xdmac: fix memory leak in interleaved mode") +Signed-off-by: Dan Carpenter +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/21282b66-9860-410a-83df-39c17fcf2f1b@kili.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index b45437aab1434..dd34626df1abc 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1026,6 +1026,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, + NULL, + src_addr, dst_addr, + xt, xt->sgl); ++ if (!first) ++ return NULL; + + /* Length of the block is (BLEN+1) microblocks. */ + for (i = 0; i < xt->numf - 1; i++) +@@ -1056,8 +1058,9 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, + src_addr, dst_addr, + xt, chunk); + if (!desc) { +- list_splice_tail_init(&first->descs_list, +- &atchan->free_descs_list); ++ if (first) ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + return NULL; + } + +-- +2.39.2 + diff --git a/queue-5.15/dmaengine-at_xdmac-move-the-free-desc-to-the-tail-of.patch b/queue-5.15/dmaengine-at_xdmac-move-the-free-desc-to-the-tail-of.patch new file mode 100644 index 00000000000..bb4cc51b045 --- /dev/null +++ b/queue-5.15/dmaengine-at_xdmac-move-the-free-desc-to-the-tail-of.patch @@ -0,0 +1,103 @@ +From 70938d5c9bba76b993e88559e4097cddff44b4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 13:01:09 +0200 +Subject: dmaengine: at_xdmac: Move the free desc to the tail of the desc list + +From: Tudor Ambarus + +[ Upstream commit 801db90bf294f647b967e8d99b9ae121bea63d0d ] + +Move the free desc to the tail of the list, so that the sequence of +descriptors is more track-able in case of debug. One would know which +descriptor should come next and could easier catch concurrency over +descriptors for example. virt-dma uses list_splice_tail_init() as well, +follow the core driver. + +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211215110115.191749-7-tudor.ambarus@microchip.com +Signed-off-by: Vinod Koul +Stable-dep-of: 4d43acb145c3 ("dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()") +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 80c609aa2a91c..b45437aab1434 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -732,7 +732,8 @@ at_xdmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, + if (!desc) { + dev_err(chan2dev(chan), "can't get descriptor\n"); + if (first) +- list_splice_init(&first->descs_list, &atchan->free_descs_list); ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + goto spin_unlock; + } + +@@ -820,7 +821,8 @@ at_xdmac_prep_dma_cyclic(struct dma_chan *chan, dma_addr_t buf_addr, + if (!desc) { + dev_err(chan2dev(chan), "can't get descriptor\n"); + if (first) +- list_splice_init(&first->descs_list, &atchan->free_descs_list); ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + spin_unlock_irqrestore(&atchan->lock, irqflags); + return NULL; + } +@@ -1054,8 +1056,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, + src_addr, dst_addr, + xt, chunk); + if (!desc) { +- list_splice_init(&first->descs_list, +- &atchan->free_descs_list); ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + return NULL; + } + +@@ -1135,7 +1137,8 @@ at_xdmac_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dest, dma_addr_t src, + if (!desc) { + dev_err(chan2dev(chan), "can't get descriptor\n"); + if (first) +- list_splice_init(&first->descs_list, &atchan->free_descs_list); ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + return NULL; + } + +@@ -1311,8 +1314,8 @@ at_xdmac_prep_dma_memset_sg(struct dma_chan *chan, struct scatterlist *sgl, + sg_dma_len(sg), + value); + if (!desc && first) +- list_splice_init(&first->descs_list, +- &atchan->free_descs_list); ++ list_splice_tail_init(&first->descs_list, ++ &atchan->free_descs_list); + + if (!first) + first = desc; +@@ -1709,7 +1712,8 @@ static void at_xdmac_tasklet(struct tasklet_struct *t) + + spin_lock_irq(&atchan->lock); + /* Move the xfer descriptors into the free descriptors list. */ +- list_splice_init(&desc->descs_list, &atchan->free_descs_list); ++ list_splice_tail_init(&desc->descs_list, ++ &atchan->free_descs_list); + at_xdmac_advance_work(atchan); + spin_unlock_irq(&atchan->lock); + } +@@ -1858,7 +1862,8 @@ static int at_xdmac_device_terminate_all(struct dma_chan *chan) + /* Cancel all pending transfers. */ + list_for_each_entry_safe(desc, _desc, &atchan->xfers_list, xfer_node) { + list_del(&desc->xfer_node); +- list_splice_init(&desc->descs_list, &atchan->free_descs_list); ++ list_splice_tail_init(&desc->descs_list, ++ &atchan->free_descs_list); + } + + clear_bit(AT_XDMAC_CHAN_IS_PAUSED, &atchan->status); +-- +2.39.2 + diff --git a/queue-5.15/dmaengine-pl330-rename-_start-to-prevent-build-error.patch b/queue-5.15/dmaengine-pl330-rename-_start-to-prevent-build-error.patch new file mode 100644 index 00000000000..dfe4b1ee58c --- /dev/null +++ b/queue-5.15/dmaengine-pl330-rename-_start-to-prevent-build-error.patch @@ -0,0 +1,85 @@ +From 16bf3675339e09e1be7d015814287adce0f3ba4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 21:53:10 -0700 +Subject: dmaengine: pl330: rename _start to prevent build error + +From: Randy Dunlap + +[ Upstream commit a1a5f2c887252dec161c1e12e04303ca9ba56fa9 ] + +"_start" is used in several arches and proably should be reserved +for ARCH usage. Using it in a driver for a private symbol can cause +a build error when it conflicts with ARCH usage of the same symbol. + +Therefore rename pl330's "_start" to "pl330_start_thread" so that there +is no conflict and no build error. + +drivers/dma/pl330.c:1053:13: error: '_start' redeclared as different kind of symbol + 1053 | static bool _start(struct pl330_thread *thrd) + | ^~~~~~ +In file included from ../include/linux/interrupt.h:21, + from ../drivers/dma/pl330.c:18: +arch/riscv/include/asm/sections.h:11:13: note: previous declaration of '_start' with type 'char[]' + 11 | extern char _start[]; + | ^~~~~~ + +Fixes: b7d861d93945 ("DMA: PL330: Merge PL330 driver into drivers/dma/") +Fixes: ae43b3289186 ("ARM: 8202/1: dmaengine: pl330: Add runtime Power Management support v12") +Signed-off-by: Randy Dunlap +Cc: Jaswinder Singh +Cc: Boojin Kim +Cc: Krzysztof Kozlowski +Cc: Russell King +Cc: Vinod Koul +Cc: dmaengine@vger.kernel.org +Cc: linux-riscv@lists.infradead.org +Link: https://lore.kernel.org/r/20230524045310.27923-1-rdunlap@infradead.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pl330.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c +index 4ef68ddff75bc..b9bc82d6a1622 100644 +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1050,7 +1050,7 @@ static bool _trigger(struct pl330_thread *thrd) + return true; + } + +-static bool _start(struct pl330_thread *thrd) ++static bool pl330_start_thread(struct pl330_thread *thrd) + { + switch (_state(thrd)) { + case PL330_STATE_FAULT_COMPLETING: +@@ -1702,7 +1702,7 @@ static int pl330_update(struct pl330_dmac *pl330) + thrd->req_running = -1; + + /* Get going again ASAP */ +- _start(thrd); ++ pl330_start_thread(thrd); + + /* For now, just make a list of callbacks to be done */ + list_add_tail(&descdone->rqd, &pl330->req_done); +@@ -2089,7 +2089,7 @@ static void pl330_tasklet(struct tasklet_struct *t) + } else { + /* Make sure the PL330 Channel thread is active */ + spin_lock(&pch->thread->dmac->lock); +- _start(pch->thread); ++ pl330_start_thread(pch->thread); + spin_unlock(&pch->thread->dmac->lock); + } + +@@ -2107,7 +2107,7 @@ static void pl330_tasklet(struct tasklet_struct *t) + if (power_down) { + pch->active = true; + spin_lock(&pch->thread->dmac->lock); +- _start(pch->thread); ++ pl330_start_thread(pch->thread); + spin_unlock(&pch->thread->dmac->lock); + power_down = false; + } +-- +2.39.2 + diff --git a/queue-5.15/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch b/queue-5.15/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch new file mode 100644 index 00000000000..69f3b7062ea --- /dev/null +++ b/queue-5.15/drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch @@ -0,0 +1,118 @@ +From 22ceddfc0b02c5bc7c5ee016e6c248cb1c2da91b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 13:51:19 +0800 +Subject: drm/amdgpu: release gpu full access after + "amdgpu_device_ip_late_init" + +From: Chong Li + +[ Upstream commit 38eecbe086a4e52f54b2bbda8feba65d44addbef ] + +[WHY] + Function "amdgpu_irq_update()" called by "amdgpu_device_ip_late_init()" is an atomic context. + We shouldn't access registers through KIQ since "msleep()" may be called in "amdgpu_kiq_rreg()". + +[HOW] + Move function "amdgpu_virt_release_full_gpu()" after function "amdgpu_device_ip_late_init()", + to ensure that registers be accessed through RLCG instead of KIQ. + +Call Trace: + + show_stack+0x52/0x69 + dump_stack_lvl+0x49/0x6d + dump_stack+0x10/0x18 + __schedule_bug.cold+0x4f/0x6b + __schedule+0x473/0x5d0 + ? __wake_up_klogd.part.0+0x40/0x70 + ? vprintk_emit+0xbe/0x1f0 + schedule+0x68/0x110 + schedule_timeout+0x87/0x160 + ? timer_migration_handler+0xa0/0xa0 + msleep+0x2d/0x50 + amdgpu_kiq_rreg+0x18d/0x1f0 [amdgpu] + amdgpu_device_rreg.part.0+0x59/0xd0 [amdgpu] + amdgpu_device_rreg+0x3a/0x50 [amdgpu] + amdgpu_sriov_rreg+0x3c/0xb0 [amdgpu] + gfx_v10_0_set_gfx_eop_interrupt_state.constprop.0+0x16c/0x190 [amdgpu] + gfx_v10_0_set_eop_interrupt_state+0xa5/0xb0 [amdgpu] + amdgpu_irq_update+0x53/0x80 [amdgpu] + amdgpu_irq_get+0x7c/0xb0 [amdgpu] + amdgpu_fence_driver_hw_init+0x58/0x90 [amdgpu] + amdgpu_device_init.cold+0x16b7/0x2022 [amdgpu] + +Signed-off-by: Chong Li +Reviewed-by: JingWen.Chen2@amd.com +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 32 ++++++++++++---------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index b0d9c47cc3813..9da85ef711e88 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2509,8 +2509,6 @@ static int amdgpu_device_ip_init(struct amdgpu_device *adev) + amdgpu_fru_get_product_info(adev); + + init_failed: +- if (amdgpu_sriov_vf(adev)) +- amdgpu_virt_release_full_gpu(adev, true); + + return r; + } +@@ -3755,18 +3753,6 @@ int amdgpu_device_init(struct amdgpu_device *adev, + + r = amdgpu_device_ip_init(adev); + if (r) { +- /* failed in exclusive mode due to timeout */ +- if (amdgpu_sriov_vf(adev) && +- !amdgpu_sriov_runtime(adev) && +- amdgpu_virt_mmio_blocked(adev) && +- !amdgpu_virt_wait_reset(adev)) { +- dev_err(adev->dev, "VF exclusive mode timeout\n"); +- /* Don't send request since VF is inactive. */ +- adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME; +- adev->virt.ops = NULL; +- r = -EAGAIN; +- goto release_ras_con; +- } + dev_err(adev->dev, "amdgpu_device_ip_init failed\n"); + amdgpu_vf_error_put(adev, AMDGIM_ERROR_VF_AMDGPU_INIT_FAIL, 0, 0); + goto release_ras_con; +@@ -3845,8 +3831,10 @@ int amdgpu_device_init(struct amdgpu_device *adev, + msecs_to_jiffies(AMDGPU_RESUME_MS)); + } + +- if (amdgpu_sriov_vf(adev)) ++ if (amdgpu_sriov_vf(adev)) { ++ amdgpu_virt_release_full_gpu(adev, true); + flush_delayed_work(&adev->delayed_init_work); ++ } + + r = sysfs_create_files(&adev->dev->kobj, amdgpu_dev_attributes); + if (r) +@@ -3881,6 +3869,20 @@ int amdgpu_device_init(struct amdgpu_device *adev, + return 0; + + release_ras_con: ++ if (amdgpu_sriov_vf(adev)) ++ amdgpu_virt_release_full_gpu(adev, true); ++ ++ /* failed in exclusive mode due to timeout */ ++ if (amdgpu_sriov_vf(adev) && ++ !amdgpu_sriov_runtime(adev) && ++ amdgpu_virt_mmio_blocked(adev) && ++ !amdgpu_virt_wait_reset(adev)) { ++ dev_err(adev->dev, "VF exclusive mode timeout\n"); ++ /* Don't send request since VF is inactive. */ ++ adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME; ++ adev->virt.ops = NULL; ++ r = -EAGAIN; ++ } + amdgpu_release_ras_context(adev); + + failed: +-- +2.39.2 + diff --git a/queue-5.15/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch b/queue-5.15/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch new file mode 100644 index 00000000000..70c1a125bdb --- /dev/null +++ b/queue-5.15/drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch @@ -0,0 +1,52 @@ +From 458c3483460e0bc72a6be9ea11feb459675869e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 16:15:27 +0800 +Subject: drm/amdgpu: skip disabling fence driver src_irqs when device is + unplugged + +From: Guchun Chen + +[ Upstream commit c1a322a7a4a96cd0a3dde32ce37af437a78bf8cd ] + +When performing device unbind or halt, we have disabled all irqs at the +very begining like amdgpu_pci_remove or amdgpu_device_halt. So +amdgpu_irq_put for irqs stored in fence driver should not be called +any more, otherwise, below calltrace will arrive. + +[ 139.114088] WARNING: CPU: 2 PID: 1550 at drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c:616 amdgpu_irq_put+0xf6/0x110 [amdgpu] +[ 139.114655] Call Trace: +[ 139.114655] +[ 139.114657] amdgpu_fence_driver_hw_fini+0x93/0x130 [amdgpu] +[ 139.114836] amdgpu_device_fini_hw+0xb6/0x350 [amdgpu] +[ 139.114955] amdgpu_driver_unload_kms+0x51/0x70 [amdgpu] +[ 139.115075] amdgpu_pci_remove+0x63/0x160 [amdgpu] +[ 139.115193] ? __pm_runtime_resume+0x64/0x90 +[ 139.115195] pci_device_remove+0x3a/0xb0 +[ 139.115197] device_remove+0x43/0x70 +[ 139.115198] device_release_driver_internal+0xbd/0x140 + +Signed-off-by: Guchun Chen +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +index bbd6f7a123033..8599e0ffa8292 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +@@ -561,7 +561,8 @@ void amdgpu_fence_driver_hw_fini(struct amdgpu_device *adev) + if (r) + amdgpu_fence_driver_force_completion(ring); + +- if (ring->fence_drv.irq_src) ++ if (!drm_dev_is_unplugged(adev_to_drm(adev)) && ++ ring->fence_drv.irq_src) + amdgpu_irq_put(adev, ring->fence_drv.irq_src, + ring->fence_drv.irq_type); + +-- +2.39.2 + diff --git a/queue-5.15/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch b/queue-5.15/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch new file mode 100644 index 00000000000..936be705ea2 --- /dev/null +++ b/queue-5.15/drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch @@ -0,0 +1,77 @@ +From cfd0de6689daf9223a7f31905dbbfb664b1bbdc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Apr 2023 17:05:15 +0800 +Subject: drm/amdgpu: Use the default reset when loading or reloading the + driver + +From: lyndonli + +[ Upstream commit 4eea7fb980dc44545a32eec92e2662053b34cd9d ] + +Below call trace and errors are observed when reloading +amdgpu driver with the module parameter reset_method=3. + +It should do a default reset when loading or reloading the +driver, regardless of the module parameter reset_method. + +v2: add comments inside and modify commit messages. + +[ +2.180243] [drm] psp gfx command ID_LOAD_TOC(0x20) failed +and response status is (0x0) +[ +0.000011] [drm:psp_hw_start [amdgpu]] *ERROR* Failed to load toc +[ +0.000890] [drm:psp_hw_start [amdgpu]] *ERROR* PSP tmr init failed! +[ +0.020683] [drm:amdgpu_fill_buffer [amdgpu]] *ERROR* Trying to +clear memory with ring turned off. +[ +0.000003] RIP: 0010:amdgpu_bo_release_notify+0x1ef/0x210 [amdgpu] +[ +0.000004] Call Trace: +[ +0.000003] +[ +0.000008] ttm_bo_release+0x2c4/0x330 [amdttm] +[ +0.000026] amdttm_bo_put+0x3c/0x70 [amdttm] +[ +0.000020] amdgpu_bo_free_kernel+0xe6/0x140 [amdgpu] +[ +0.000728] psp_v11_0_ring_destroy+0x34/0x60 [amdgpu] +[ +0.000826] psp_hw_init+0xe7/0x2f0 [amdgpu] +[ +0.000813] amdgpu_device_fw_loading+0x1ad/0x2d0 [amdgpu] +[ +0.000731] amdgpu_device_init.cold+0x108e/0x2002 [amdgpu] +[ +0.001071] ? do_pci_enable_device+0xe1/0x110 +[ +0.000011] amdgpu_driver_load_kms+0x1a/0x160 [amdgpu] +[ +0.000729] amdgpu_pci_probe+0x179/0x3a0 [amdgpu] + +Signed-off-by: lyndonli +Signed-off-by: Yunxiang Li +Reviewed-by: Feifei Xu +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 9da85ef711e88..642acfc9f0b1f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3494,6 +3494,7 @@ int amdgpu_device_init(struct amdgpu_device *adev, + int r, i; + bool px = false; + u32 max_MBps; ++ int tmp; + + adev->shutdown = false; + adev->flags = flags; +@@ -3693,7 +3694,13 @@ int amdgpu_device_init(struct amdgpu_device *adev, + } + } + } else { ++ tmp = amdgpu_reset_method; ++ /* It should do a default reset when loading or reloading the driver, ++ * regardless of the module parameter reset_method. ++ */ ++ amdgpu_reset_method = AMD_RESET_METHOD_NONE; + r = amdgpu_asic_reset(adev); ++ amdgpu_reset_method = tmp; + if (r) { + dev_err(adev->dev, "asic reset on init failed\n"); + goto failed; +-- +2.39.2 + diff --git a/queue-5.15/drm-ast-fix-arm-compatibility.patch b/queue-5.15/drm-ast-fix-arm-compatibility.patch new file mode 100644 index 00000000000..00b48e24936 --- /dev/null +++ b/queue-5.15/drm-ast-fix-arm-compatibility.patch @@ -0,0 +1,45 @@ +From d6bc55452094218c29325d7983b8680563190ac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 08:33:54 +0800 +Subject: drm/ast: Fix ARM compatibility + +From: Jammy Huang + +[ Upstream commit 4327a6137ed43a091d900b1ac833345d60f32228 ] + +ARM architecture only has 'memory', so all devices are accessed by +MMIO if possible. + +Signed-off-by: Jammy Huang +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230421003354.27767-1-jammy_huang@aspeedtech.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ast/ast_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c +index 79a3618679554..754a08c92d3d1 100644 +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -423,11 +423,12 @@ struct ast_private *ast_device_create(const struct drm_driver *drv, + return ERR_PTR(-EIO); + + /* +- * If we don't have IO space at all, use MMIO now and +- * assume the chip has MMIO enabled by default (rev 0x20 +- * and higher). ++ * After AST2500, MMIO is enabled by default, and it should be adopted ++ * to be compatible with Arm. + */ +- if (!(pci_resource_flags(pdev, 2) & IORESOURCE_IO)) { ++ if (pdev->revision >= 0x40) { ++ ast->ioregs = ast->regs + AST_IO_MM_OFFSET; ++ } else if (!(pci_resource_flags(pdev, 2) & IORESOURCE_IO)) { + drm_info(dev, "platform has no IO space, trying MMIO\n"); + ast->ioregs = ast->regs + AST_IO_MM_OFFSET; + } +-- +2.39.2 + diff --git a/queue-5.15/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch b/queue-5.15/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch new file mode 100644 index 00000000000..992f52e59df --- /dev/null +++ b/queue-5.15/drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch @@ -0,0 +1,42 @@ +From eb780db2bbf15645797db0c57fdad93a018a8b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 15:20:37 -0700 +Subject: drm/msm: Be more shouty if per-process pgtables aren't working + +From: Rob Clark + +[ Upstream commit 5c054db54c43a5fcb5cc81012361f5e3fac37637 ] + +Otherwise it is not always obvious if a dt or iommu change is causing us +to fall back to global pgtable. + +Signed-off-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/537359/ +Link: https://lore.kernel.org/r/20230516222039.907690-2-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_iommu.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c +index a54ed354578b5..ef4da3f0cd22d 100644 +--- a/drivers/gpu/drm/msm/msm_iommu.c ++++ b/drivers/gpu/drm/msm/msm_iommu.c +@@ -157,7 +157,12 @@ struct msm_mmu *msm_iommu_pagetable_create(struct msm_mmu *parent) + /* Get the pagetable configuration from the domain */ + if (adreno_smmu->cookie) + ttbr1_cfg = adreno_smmu->get_ttbr1_cfg(adreno_smmu->cookie); +- if (!ttbr1_cfg) ++ ++ /* ++ * If you hit this WARN_ONCE() you are probably missing an entry in ++ * qcom_smmu_impl_of_match[] in arm-smmu-qcom.c ++ */ ++ if (WARN_ONCE(!ttbr1_cfg, "No per-process page tables")) + return ERR_PTR(-ENODEV); + + /* +-- +2.39.2 + diff --git a/queue-5.15/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch b/queue-5.15/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch new file mode 100644 index 00000000000..a6377adc724 --- /dev/null +++ b/queue-5.15/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch @@ -0,0 +1,80 @@ +From 4609bac23b3efd08c3016349ee07cf8dc8ed2b07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 11:08:41 +0800 +Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe + +From: Zheng Wang + +[ Upstream commit c75f5a55061091030a13fef71b9995b89bc86213 ] + +A use-after-free bug may occur if init_imstt invokes framebuffer_release +and free the info ptr. The caller, imsttfb_probe didn't notice that and +still keep the ptr as private data in pdev. + +If we remove the driver which will call imsttfb_remove to make cleanup, +UAF happens. + +Fix it by return error code if bad case happens in init_imstt. + +Signed-off-by: Zheng Wang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imsttfb.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c +index 16f272a508112..1b2fb8ed76237 100644 +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1346,7 +1346,7 @@ static const struct fb_ops imsttfb_ops = { + .fb_ioctl = imsttfb_ioctl, + }; + +-static void init_imstt(struct fb_info *info) ++static int init_imstt(struct fb_info *info) + { + struct imstt_par *par = info->par; + __u32 i, tmp, *ip, *end; +@@ -1419,7 +1419,7 @@ static void init_imstt(struct fb_info *info) + || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { + printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel); + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? "IBM" : "TVP"); +@@ -1455,12 +1455,13 @@ static void init_imstt(struct fb_info *info) + + if (register_framebuffer(info) < 0) { + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8; + fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n", + info->fix.id, info->fix.smem_len >> 20, tmp); ++ return 0; + } + + static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1523,10 +1524,10 @@ static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (!par->cmap_regs) + goto error; + info->pseudo_palette = par->palette; +- init_imstt(info); +- +- pci_set_drvdata(pdev, info); +- return 0; ++ ret = init_imstt(info); ++ if (!ret) ++ pci_set_drvdata(pdev, info); ++ return ret; + + error: + if (par->dc_regs) +-- +2.39.2 + diff --git a/queue-5.15/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch b/queue-5.15/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch new file mode 100644 index 00000000000..58f92b162e2 --- /dev/null +++ b/queue-5.15/fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch @@ -0,0 +1,36 @@ +From ba7bb9bf3a7b015b8c3602498d96bf4b965d5349 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Apr 2023 23:24:26 +0200 +Subject: fbdev: modedb: Add 1920x1080 at 60 Hz video mode + +From: Helge Deller + +[ Upstream commit c8902258b2b8ecaa1b8d88c312853c5b14c2553d ] + +Add typical resolution for Full-HD monitors. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/modedb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/video/fbdev/core/modedb.c b/drivers/video/fbdev/core/modedb.c +index 6473e0dfe1464..e78ec7f728463 100644 +--- a/drivers/video/fbdev/core/modedb.c ++++ b/drivers/video/fbdev/core/modedb.c +@@ -257,6 +257,11 @@ static const struct fb_videomode modedb[] = { + { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0, + FB_VMODE_DOUBLE }, + ++ /* 1920x1080 @ 60 Hz, 67.3 kHz hsync */ ++ { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0, ++ FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, ++ FB_VMODE_NONINTERLACED }, ++ + /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */ + { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3, + FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT, +-- +2.39.2 + diff --git a/queue-5.15/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch b/queue-5.15/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch new file mode 100644 index 00000000000..8eeaec6c5c1 --- /dev/null +++ b/queue-5.15/fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch @@ -0,0 +1,32 @@ +From 4c7ec112de23b5da86b3899a236b9d3cc121f5ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 11:50:33 +0200 +Subject: fbdev: stifb: Fix info entry in sti_struct on error path + +From: Helge Deller + +[ Upstream commit 0bdf1ad8d10bd4e50a8b1a2c53d15984165f7fea ] + +Minor fix to reset the info field to NULL in case of error. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/stifb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/stifb.c b/drivers/video/fbdev/stifb.c +index ef8a4c5fc6875..63f51783352dc 100644 +--- a/drivers/video/fbdev/stifb.c ++++ b/drivers/video/fbdev/stifb.c +@@ -1413,6 +1413,7 @@ static int __init stifb_init_fb(struct sti_struct *sti, int bpp_pref) + iounmap(info->screen_base); + out_err0: + kfree(fb); ++ sti->info = NULL; + return -ENXIO; + } + +-- +2.39.2 + diff --git a/queue-5.15/gfs2-don-t-deref-jdesc-in-evict.patch b/queue-5.15/gfs2-don-t-deref-jdesc-in-evict.patch new file mode 100644 index 00000000000..9470f3b66d2 --- /dev/null +++ b/queue-5.15/gfs2-don-t-deref-jdesc-in-evict.patch @@ -0,0 +1,66 @@ +From 24cf80fa394c21ccf4498b1945910401961c928c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Apr 2023 12:07:46 -0400 +Subject: gfs2: Don't deref jdesc in evict + +From: Bob Peterson + +[ Upstream commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 ] + +On corrupt gfs2 file systems the evict code can try to reference the +journal descriptor structure, jdesc, after it has been freed and set to +NULL. The sequence of events is: + +init_journal() +... +fail_jindex: + gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL + if (gfs2_holder_initialized(&ji_gh)) + gfs2_glock_dq_uninit(&ji_gh); +fail: + iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode + evict() + gfs2_evict_inode() + evict_linked_inode() + ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks); +<------references the now freed/zeroed sd_jdesc pointer. + +The call to gfs2_trans_begin is done because the truncate_inode_pages +call can cause gfs2 events that require a transaction, such as removing +journaled data (jdata) blocks from the journal. + +This patch fixes the problem by adding a check for sdp->sd_jdesc to +function gfs2_evict_inode. In theory, this should only happen to corrupt +gfs2 file systems, when gfs2 detects the problem, reports it, then tries +to evict all the system inodes it has read in up to that point. + +Reported-by: Yang Lan +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index 775ac3fb10c67..ca6ee1cbccd50 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1381,6 +1381,14 @@ static void gfs2_evict_inode(struct inode *inode) + if (inode->i_nlink || sb_rdonly(sb)) + goto out; + ++ /* ++ * In case of an incomplete mount, gfs2_evict_inode() may be called for ++ * system files without having an active journal to write to. In that ++ * case, skip the filesystem evict. ++ */ ++ if (!sdp->sd_jdesc) ++ goto out; ++ + gfs2_holder_mark_uninitialized(&gh); + ret = evict_should_delete(inode, &gh); + if (ret == SHOULD_DEFER_EVICTION) +-- +2.39.2 + diff --git a/queue-5.15/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch b/queue-5.15/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch new file mode 100644 index 00000000000..de8d714c132 --- /dev/null +++ b/queue-5.15/iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch @@ -0,0 +1,76 @@ +From 4dd68dcfba5da70f11bfee06aef41f473a79b806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 21:11:53 +0100 +Subject: iommu/amd: Don't block updates to GATag if guest mode is on + +From: Joao Martins + +[ Upstream commit ed8a2f4ddef2eaaf864ab1efbbca9788187036ab ] + +On KVM GSI routing table updates, specially those where they have vIOMMUs +with interrupt remapping enabled (to boot >255vcpus setups without relying +on KVM_FEATURE_MSI_EXT_DEST_ID), a VMM may update the backing VF MSIs +with a new VCPU affinity. + +On AMD with AVIC enabled, the new vcpu affinity info is updated via: + avic_pi_update_irte() + irq_set_vcpu_affinity() + amd_ir_set_vcpu_affinity() + amd_iommu_{de}activate_guest_mode() + +Where the IRTE[GATag] is updated with the new vcpu affinity. The GATag +contains VM ID and VCPU ID, and is used by IOMMU hardware to signal KVM +(via GALog) when interrupt cannot be delivered due to vCPU is in +blocking state. + +The issue is that amd_iommu_activate_guest_mode() will essentially +only change IRTE fields on transitions from non-guest-mode to guest-mode +and otherwise returns *with no changes to IRTE* on already configured +guest-mode interrupts. To the guest this means that the VF interrupts +remain affined to the first vCPU they were first configured, and guest +will be unable to issue VF interrupts and receive messages like this +from spurious interrupts (e.g. from waking the wrong vCPU in GALog): + +[ 167.759472] __common_interrupt: 3.34 No irq handler for vector +[ 230.680927] mlx5_core 0000:00:02.0: mlx5_cmd_eq_recover:247:(pid +3122): Recovered 1 EQEs on cmd_eq +[ 230.681799] mlx5_core 0000:00:02.0: +wait_func_handle_exec_timeout:1113:(pid 3122): cmd[0]: CREATE_CQ(0x400) +recovered after timeout +[ 230.683266] __common_interrupt: 3.34 No irq handler for vector + +Given the fact that amd_ir_set_vcpu_affinity() uses +amd_iommu_activate_guest_mode() underneath it essentially means that VCPU +affinity changes of IRTEs are nops. Fix it by dropping the check for +guest-mode at amd_iommu_activate_guest_mode(). Same thing is applicable to +amd_iommu_deactivate_guest_mode() although, even if the IRTE doesn't change +underlying DestID on the host, the VFIO IRQ handler will still be able to +poke at the right guest-vCPU. + +Fixes: b9c6ff94e43a ("iommu/amd: Re-factor guest virtual APIC (de-)activation code") +Signed-off-by: Joao Martins +Reviewed-by: Suravee Suthikulpanit +Link: https://lore.kernel.org/r/20230419201154.83880-2-joao.m.martins@oracle.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 5ceaaabb4f9da..a91545b9a1cba 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -3316,8 +3316,7 @@ int amd_iommu_activate_guest_mode(void *data) + struct irte_ga *entry = (struct irte_ga *) ir_data->entry; + u64 valid; + +- if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) || +- !entry || entry->lo.fields_vapic.guest_mode) ++ if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) || !entry) + return 0; + + valid = entry->lo.fields_vapic.valid; +-- +2.39.2 + diff --git a/queue-5.15/iommu-rockchip-fix-unwind-goto-issue.patch b/queue-5.15/iommu-rockchip-fix-unwind-goto-issue.patch new file mode 100644 index 00000000000..1b30b58e17f --- /dev/null +++ b/queue-5.15/iommu-rockchip-fix-unwind-goto-issue.patch @@ -0,0 +1,67 @@ +From 076ec8047fca460ee13b3101d07d1f2256301634 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Apr 2023 03:04:21 +0000 +Subject: iommu/rockchip: Fix unwind goto issue + +From: Chao Wang + +[ Upstream commit ec014683c564fb74fc68e8f5e84691d3b3839d24 ] + +Smatch complains that +drivers/iommu/rockchip-iommu.c:1306 rk_iommu_probe() warn: missing unwind goto? + +The rk_iommu_probe function, after obtaining the irq value through +platform_get_irq, directly returns an error if the returned value +is negative, without releasing any resources. + +Fix this by adding a new error handling label "err_pm_disable" and +use a goto statement to redirect to the error handling process. In +order to preserve the original semantics, set err to the value of irq. + +Fixes: 1aa55ca9b14a ("iommu/rockchip: Move irq request past pm_runtime_enable") +Signed-off-by: Chao Wang +Reviewed-by: Dongliang Mu +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20230417030421.2777-1-D202280639@hust.edu.cn +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/rockchip-iommu.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/iommu/rockchip-iommu.c b/drivers/iommu/rockchip-iommu.c +index 823f1a7d8c6e2..e3557f8dc44ea 100644 +--- a/drivers/iommu/rockchip-iommu.c ++++ b/drivers/iommu/rockchip-iommu.c +@@ -1303,20 +1303,22 @@ static int rk_iommu_probe(struct platform_device *pdev) + for (i = 0; i < iommu->num_irq; i++) { + int irq = platform_get_irq(pdev, i); + +- if (irq < 0) +- return irq; ++ if (irq < 0) { ++ err = irq; ++ goto err_pm_disable; ++ } + + err = devm_request_irq(iommu->dev, irq, rk_iommu_irq, + IRQF_SHARED, dev_name(dev), iommu); +- if (err) { +- pm_runtime_disable(dev); +- goto err_remove_sysfs; +- } ++ if (err) ++ goto err_pm_disable; + } + + dma_set_mask_and_coherent(dev, rk_ops->dma_bit_mask); + + return 0; ++err_pm_disable: ++ pm_runtime_disable(dev); + err_remove_sysfs: + iommu_device_sysfs_remove(&iommu->iommu); + err_put_group: +-- +2.39.2 + diff --git a/queue-5.15/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch b/queue-5.15/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch new file mode 100644 index 00000000000..da3ebc9c9d8 --- /dev/null +++ b/queue-5.15/mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch @@ -0,0 +1,56 @@ +From 51d5a3796d444ce5b3c7e63561f8df0fc4de7578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 12:22:09 +0300 +Subject: mailbox: mailbox-test: fix a locking issue in + mbox_test_message_write() + +From: Dan Carpenter + +[ Upstream commit 8fe72b76db79d694858e872370df49676bc3be8c ] + +There was a bug where this code forgot to unlock the tdev->mutex if the +kzalloc() failed. Fix this issue, by moving the allocation outside the +lock. + +Fixes: 2d1e952a2b8e ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()") +Signed-off-by: Dan Carpenter +Reviewed-by: Lee Jones +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox-test.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c +index 6dd5b9614452b..abcee58e851c2 100644 +--- a/drivers/mailbox/mailbox-test.c ++++ b/drivers/mailbox/mailbox-test.c +@@ -97,6 +97,7 @@ static ssize_t mbox_test_message_write(struct file *filp, + size_t count, loff_t *ppos) + { + struct mbox_test_device *tdev = filp->private_data; ++ char *message; + void *data; + int ret; + +@@ -112,12 +113,13 @@ static ssize_t mbox_test_message_write(struct file *filp, + return -EINVAL; + } + +- mutex_lock(&tdev->mutex); +- +- tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); +- if (!tdev->message) ++ message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); ++ if (!message) + return -ENOMEM; + ++ mutex_lock(&tdev->mutex); ++ ++ tdev->message = message; + ret = copy_from_user(tdev->message, userbuf, count); + if (ret) { + ret = -EFAULT; +-- +2.39.2 + diff --git a/queue-5.15/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch b/queue-5.15/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch new file mode 100644 index 00000000000..51c2fb6287e --- /dev/null +++ b/queue-5.15/mailbox-mailbox-test-fix-potential-double-free-in-mb.patch @@ -0,0 +1,136 @@ +From 26e495dd80d40345247bc61e9e75602bdcedc792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 08:27:18 +0100 +Subject: mailbox: mailbox-test: Fix potential double-free in + mbox_test_message_write() + +From: Lee Jones + +[ Upstream commit 2d1e952a2b8e5e92d8d55ac88a7cf7ca5ea591ad ] + +If a user can make copy_from_user() fail, there is a potential for +UAF/DF due to a lack of locking around the allocation, use and freeing +of the data buffers. + +This issue is not theoretical. I managed to author a POC for it: + + BUG: KASAN: double-free in kfree+0x5c/0xac + Free of addr ffff29280be5de00 by task poc/356 + CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20 + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace.part.0+0xe0/0xf0 + show_stack+0x18/0x40 + dump_stack_lvl+0x64/0x80 + print_report+0x188/0x48c + kasan_report_invalid_free+0xa0/0xc0 + ____kasan_slab_free+0x174/0x1b0 + __kasan_slab_free+0x18/0x24 + __kmem_cache_free+0x130/0x2e0 + kfree+0x5c/0xac + mbox_test_message_write+0x208/0x29c + full_proxy_write+0x90/0xf0 + vfs_write+0x154/0x440 + ksys_write+0xcc/0x180 + __arm64_sys_write+0x44/0x60 + invoke_syscall+0x60/0x190 + el0_svc_common.constprop.0+0x7c/0x160 + do_el0_svc+0x40/0xf0 + el0_svc+0x2c/0x6c + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x18c/0x190 + + Allocated by task 356: + kasan_save_stack+0x3c/0x70 + kasan_set_track+0x2c/0x40 + kasan_save_alloc_info+0x24/0x34 + __kasan_kmalloc+0xb8/0xc0 + kmalloc_trace+0x58/0x70 + mbox_test_message_write+0x6c/0x29c + full_proxy_write+0x90/0xf0 + vfs_write+0x154/0x440 + ksys_write+0xcc/0x180 + __arm64_sys_write+0x44/0x60 + invoke_syscall+0x60/0x190 + el0_svc_common.constprop.0+0x7c/0x160 + do_el0_svc+0x40/0xf0 + el0_svc+0x2c/0x6c + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x18c/0x190 + + Freed by task 357: + kasan_save_stack+0x3c/0x70 + kasan_set_track+0x2c/0x40 + kasan_save_free_info+0x38/0x5c + ____kasan_slab_free+0x13c/0x1b0 + __kasan_slab_free+0x18/0x24 + __kmem_cache_free+0x130/0x2e0 + kfree+0x5c/0xac + mbox_test_message_write+0x208/0x29c + full_proxy_write+0x90/0xf0 + vfs_write+0x154/0x440 + ksys_write+0xcc/0x180 + __arm64_sys_write+0x44/0x60 + invoke_syscall+0x60/0x190 + el0_svc_common.constprop.0+0x7c/0x160 + do_el0_svc+0x40/0xf0 + el0_svc+0x2c/0x6c + el0t_64_sync_handler+0xf4/0x120 + el0t_64_sync+0x18c/0x190 + +Signed-off-by: Lee Jones +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox-test.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/mailbox/mailbox-test.c b/drivers/mailbox/mailbox-test.c +index 4555d678fadda..6dd5b9614452b 100644 +--- a/drivers/mailbox/mailbox-test.c ++++ b/drivers/mailbox/mailbox-test.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -38,6 +39,7 @@ struct mbox_test_device { + char *signal; + char *message; + spinlock_t lock; ++ struct mutex mutex; + wait_queue_head_t waitq; + struct fasync_struct *async_queue; + struct dentry *root_debugfs_dir; +@@ -110,6 +112,8 @@ static ssize_t mbox_test_message_write(struct file *filp, + return -EINVAL; + } + ++ mutex_lock(&tdev->mutex); ++ + tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL); + if (!tdev->message) + return -ENOMEM; +@@ -144,6 +148,8 @@ static ssize_t mbox_test_message_write(struct file *filp, + kfree(tdev->message); + tdev->signal = NULL; + ++ mutex_unlock(&tdev->mutex); ++ + return ret < 0 ? ret : count; + } + +@@ -392,6 +398,7 @@ static int mbox_test_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, tdev); + + spin_lock_init(&tdev->lock); ++ mutex_init(&tdev->mutex); + + if (tdev->rx_channel) { + tdev->rx_buffer = devm_kzalloc(&pdev->dev, +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch b/queue-5.15/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch new file mode 100644 index 00000000000..61d7e3a0ce9 --- /dev/null +++ b/queue-5.15/media-dvb-core-fix-kernel-warning-for-blocking-opera.patch @@ -0,0 +1,67 @@ +From 1f97f4bfe05e003bf1aa2fd571a89b52d6ee61e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 16:18:00 +0100 +Subject: media: dvb-core: Fix kernel WARNING for blocking operation in + wait_event*() + +From: Takashi Iwai + +[ Upstream commit b8c75e4a1b325ea0a9433fa8834be97b5836b946 ] + +Using a semaphore in the wait_event*() condition is no good idea. +It hits a kernel WARN_ON() at prepare_to_wait_event() like: + do not call blocking ops when !TASK_RUNNING; state=1 set at + prepare_to_wait_event+0x6d/0x690 + +For avoiding the potential deadlock, rewrite to an open-coded loop +instead. Unlike the loop in wait_event*(), this uses wait_woken() +after the condition check, hence the task state stays consistent. + +CVE-2023-31084 was assigned to this bug. + +Link: https://lore.kernel.org/r/CA+UBctCu7fXn4q41O_3=id1+OdyQ85tZY1x+TkT-6OVBL6KAUw@mail.gmail.com/ + +Link: https://lore.kernel.org/linux-media/20230512151800.1874-1-tiwai@suse.de +Reported-by: Yu Hao +Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-31084 +Signed-off-by: Takashi Iwai +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index 09facc78d88aa..fea62bce97468 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -293,14 +293,22 @@ static int dvb_frontend_get_event(struct dvb_frontend *fe, + } + + if (events->eventw == events->eventr) { +- int ret; ++ struct wait_queue_entry wait; ++ int ret = 0; + + if (flags & O_NONBLOCK) + return -EWOULDBLOCK; + +- ret = wait_event_interruptible(events->wait_queue, +- dvb_frontend_test_event(fepriv, events)); +- ++ init_waitqueue_entry(&wait, current); ++ add_wait_queue(&events->wait_queue, &wait); ++ while (!dvb_frontend_test_event(fepriv, events)) { ++ wait_woken(&wait, TASK_INTERRUPTIBLE, 0); ++ if (signal_pending(current)) { ++ ret = -ERESTARTSYS; ++ break; ++ } ++ } ++ remove_wait_queue(&events->wait_queue, &wait); + if (ret < 0) + return ret; + } +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-core-fix-use-after-free-due-on-race-condit.patch b/queue-5.15/media-dvb-core-fix-use-after-free-due-on-race-condit.patch new file mode 100644 index 00000000000..24df2da94aa --- /dev/null +++ b/queue-5.15/media-dvb-core-fix-use-after-free-due-on-race-condit.patch @@ -0,0 +1,138 @@ +From d482ad87453ef1f140cb558bcf9a1c33bffdf240 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:59:23 +0000 +Subject: media: dvb-core: Fix use-after-free due on race condition at dvb_net + +From: Hyunwoo Kim + +[ Upstream commit 4172385b0c9ac366dcab78eda48c26814b87ed1a ] + +A race condition may occur between the .disconnect function, which +is called when the device is disconnected, and the dvb_device_open() +function, which is called when the device node is open()ed. +This results in several types of UAFs. + +The root cause of this is that you use the dvb_device_open() function, +which does not implement a conditional statement +that checks 'dvbnet->exit'. + +So, add 'remove_mutex` to protect 'dvbnet->exit' and use +locked_dvb_net_open() function to check 'dvbnet->exit'. + +[mchehab: fix a checkpatch warning] + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-3-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_net.c | 38 +++++++++++++++++++++++++++++--- + include/media/dvb_net.h | 4 ++++ + 2 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c +index dddebea644bb8..c594b1bdfcaa5 100644 +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -1564,15 +1564,43 @@ static long dvb_net_ioctl(struct file *file, + return dvb_usercopy(file, cmd, arg, dvb_net_do_ioctl); + } + ++static int locked_dvb_net_open(struct inode *inode, struct file *file) ++{ ++ struct dvb_device *dvbdev = file->private_data; ++ struct dvb_net *dvbnet = dvbdev->priv; ++ int ret; ++ ++ if (mutex_lock_interruptible(&dvbnet->remove_mutex)) ++ return -ERESTARTSYS; ++ ++ if (dvbnet->exit) { ++ mutex_unlock(&dvbnet->remove_mutex); ++ return -ENODEV; ++ } ++ ++ ret = dvb_generic_open(inode, file); ++ ++ mutex_unlock(&dvbnet->remove_mutex); ++ ++ return ret; ++} ++ + static int dvb_net_close(struct inode *inode, struct file *file) + { + struct dvb_device *dvbdev = file->private_data; + struct dvb_net *dvbnet = dvbdev->priv; + ++ mutex_lock(&dvbnet->remove_mutex); ++ + dvb_generic_release(inode, file); + +- if(dvbdev->users == 1 && dvbnet->exit == 1) ++ if (dvbdev->users == 1 && dvbnet->exit == 1) { ++ mutex_unlock(&dvbnet->remove_mutex); + wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&dvbnet->remove_mutex); ++ } ++ + return 0; + } + +@@ -1580,7 +1608,7 @@ static int dvb_net_close(struct inode *inode, struct file *file) + static const struct file_operations dvb_net_fops = { + .owner = THIS_MODULE, + .unlocked_ioctl = dvb_net_ioctl, +- .open = dvb_generic_open, ++ .open = locked_dvb_net_open, + .release = dvb_net_close, + .llseek = noop_llseek, + }; +@@ -1599,10 +1627,13 @@ void dvb_net_release (struct dvb_net *dvbnet) + { + int i; + ++ mutex_lock(&dvbnet->remove_mutex); + dvbnet->exit = 1; ++ mutex_unlock(&dvbnet->remove_mutex); ++ + if (dvbnet->dvbdev->users < 1) + wait_event(dvbnet->dvbdev->wait_queue, +- dvbnet->dvbdev->users==1); ++ dvbnet->dvbdev->users == 1); + + dvb_unregister_device(dvbnet->dvbdev); + +@@ -1621,6 +1652,7 @@ int dvb_net_init (struct dvb_adapter *adap, struct dvb_net *dvbnet, + int i; + + mutex_init(&dvbnet->ioctl_mutex); ++ mutex_init(&dvbnet->remove_mutex); + dvbnet->demux = dmx; + + for (i=0; i +Date: Thu, 17 Nov 2022 04:59:24 +0000 +Subject: media: dvb-core: Fix use-after-free due to race at + dvb_register_device() + +From: Hyunwoo Kim + +[ Upstream commit 627bb528b086b4136315c25d6a447a98ea9448d3 ] + +dvb_register_device() dynamically allocates fops with kmemdup() +to set the fops->owner. +And these fops are registered in 'file->f_ops' using replace_fops() +in the dvb_device_open() process, and kfree()d in dvb_free_device(). + +However, it is not common to use dynamically allocated fops instead +of 'static const' fops as an argument of replace_fops(), +and UAF may occur. +These UAFs can occur on any dvb type using dvb_register_device(), +such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. + +So, instead of kfree() the fops dynamically allocated in +dvb_register_device() in dvb_free_device() called during the +.disconnect() process, kfree() it collectively in exit_dvbdev() +called when the dvbdev.c module is removed. + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 84 ++++++++++++++++++++++++--------- + include/media/dvbdev.h | 15 ++++++ + 2 files changed, 78 insertions(+), 21 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 6e2b7e97da176..2ff8a1b776fb4 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -37,6 +37,7 @@ + #include + + static DEFINE_MUTEX(dvbdev_mutex); ++static LIST_HEAD(dvbdevfops_list); + static int dvbdev_debug; + + module_param(dvbdev_debug, int, 0644); +@@ -462,14 +463,15 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + enum dvb_device_type type, int demux_sink_pads) + { + struct dvb_device *dvbdev; +- struct file_operations *dvbdevfops; ++ struct file_operations *dvbdevfops = NULL; ++ struct dvbdevfops_node *node = NULL, *new_node = NULL; + struct device *clsdev; + int minor; + int id, ret; + + mutex_lock(&dvbdev_register_lock); + +- if ((id = dvbdev_get_free_id (adap, type)) < 0){ ++ if ((id = dvbdev_get_free_id (adap, type)) < 0) { + mutex_unlock(&dvbdev_register_lock); + *pdvbdev = NULL; + pr_err("%s: couldn't find free device id\n", __func__); +@@ -477,18 +479,45 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + + *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL); +- + if (!dvbdev){ + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + +- dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ /* ++ * When a device of the same type is probe()d more than once, ++ * the first allocated fops are used. This prevents memory leaks ++ * that can occur when the same device is probe()d repeatedly. ++ */ ++ list_for_each_entry(node, &dvbdevfops_list, list_head) { ++ if (node->fops->owner == adap->module && ++ node->type == type && ++ node->template == template) { ++ dvbdevfops = node->fops; ++ break; ++ } ++ } + +- if (!dvbdevfops){ +- kfree (dvbdev); +- mutex_unlock(&dvbdev_register_lock); +- return -ENOMEM; ++ if (dvbdevfops == NULL) { ++ dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); ++ if (!dvbdevfops) { ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL); ++ if (!new_node) { ++ kfree(dvbdevfops); ++ kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); ++ return -ENOMEM; ++ } ++ ++ new_node->fops = dvbdevfops; ++ new_node->type = type; ++ new_node->template = template; ++ list_add_tail (&new_node->list_head, &dvbdevfops_list); + } + + memcpy(dvbdev, template, sizeof(struct dvb_device)); +@@ -499,20 +528,20 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + dvbdev->priv = priv; + dvbdev->fops = dvbdevfops; + init_waitqueue_head (&dvbdev->wait_queue); +- + dvbdevfops->owner = adap->module; +- + list_add_tail (&dvbdev->list_head, &adap->device_list); +- + down_write(&minor_rwsem); + #ifdef CONFIG_DVB_DYNAMIC_MINORS + for (minor = 0; minor < MAX_DVB_MINORS; minor++) + if (dvb_minors[minor] == NULL) + break; +- + if (minor == MAX_DVB_MINORS) { ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + up_write(&minor_rwsem); + mutex_unlock(&dvbdev_register_lock); +@@ -521,41 +550,47 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + #else + minor = nums2minor(adap->num, type, id); + #endif +- + dvbdev->minor = minor; + dvb_minors[minor] = dvb_device_get(dvbdev); + up_write(&minor_rwsem); +- + ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads); + if (ret) { + pr_err("%s: dvb_register_media_device failed to create the mediagraph\n", + __func__); +- ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return ret; + } + +- mutex_unlock(&dvbdev_register_lock); +- + clsdev = device_create(dvb_class, adap->device, + MKDEV(DVB_MAJOR, minor), + dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id); + if (IS_ERR(clsdev)) { + pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", + __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); ++ if (new_node) { ++ list_del (&new_node->list_head); ++ kfree(dvbdevfops); ++ kfree(new_node); ++ } + dvb_media_device_free(dvbdev); + list_del (&dvbdev->list_head); +- kfree(dvbdevfops); + kfree(dvbdev); ++ mutex_unlock(&dvbdev_register_lock); + return PTR_ERR(clsdev); + } ++ + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", + adap->num, dnames[type], id, minor, minor); + ++ mutex_unlock(&dvbdev_register_lock); + return 0; + } + EXPORT_SYMBOL(dvb_register_device); +@@ -584,7 +619,6 @@ static void dvb_free_device(struct kref *ref) + { + struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref); + +- kfree (dvbdev->fops); + kfree (dvbdev); + } + +@@ -1090,9 +1124,17 @@ static int __init init_dvbdev(void) + + static void __exit exit_dvbdev(void) + { ++ struct dvbdevfops_node *node, *next; ++ + class_destroy(dvb_class); + cdev_del(&dvb_device_cdev); + unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS); ++ ++ list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) { ++ list_del (&node->list_head); ++ kfree(node->fops); ++ kfree(node); ++ } + } + + subsys_initcall(init_dvbdev); +diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h +index ac60c9fcfe9a6..34b01ebf32828 100644 +--- a/include/media/dvbdev.h ++++ b/include/media/dvbdev.h +@@ -189,6 +189,21 @@ struct dvb_device { + void *priv; + }; + ++/** ++ * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list ++ * ++ * @fops: Dynamically allocated fops for ->owner registration ++ * @type: type of dvb_device ++ * @template: dvb_device used for registration ++ * @list_head: list_head for dvbdevfops_list ++ */ ++struct dvbdevfops_node { ++ struct file_operations *fops; ++ enum dvb_device_type type; ++ const struct dvb_device *template; ++ struct list_head list_head; ++}; ++ + /** + * dvb_device_get - Increase dvb_device reference + * +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-core-fix-use-after-free-due-to-race-condit.patch b/queue-5.15/media-dvb-core-fix-use-after-free-due-to-race-condit.patch new file mode 100644 index 00000000000..807731c1f7b --- /dev/null +++ b/queue-5.15/media-dvb-core-fix-use-after-free-due-to-race-condit.patch @@ -0,0 +1,129 @@ +From 5aa55984fc0673624d3eb6069d39997e7fb7e12e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 06:33:08 +0000 +Subject: media: dvb-core: Fix use-after-free due to race condition at + dvb_ca_en50221 + +From: Hyunwoo Kim + +[ Upstream commit 280a8ab81733da8bc442253c700a52c4c0886ffd ] + +If the device node of dvb_ca_en50221 is open() and the +device is disconnected, a UAF may occur when calling +close() on the device node. + +The root cause is that wake_up() and wait_event() for +dvbdev->wait_queue are not implemented. + +So implement wait_event() function in dvb_ca_en50221_release() +and add 'remove_mutex' which prevents race condition +for 'ca->exit'. + +[mchehab: fix a checkpatch warning] + +Link: https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 37 ++++++++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index b6ca29dfb184a..baf64540dc00a 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -151,6 +151,12 @@ struct dvb_ca_private { + + /* mutex serializing ioctls */ + struct mutex ioctl_mutex; ++ ++ /* A mutex used when a device is disconnected */ ++ struct mutex remove_mutex; ++ ++ /* Whether the device is disconnected */ ++ int exit; + }; + + static void dvb_ca_private_free(struct dvb_ca_private *ca) +@@ -1711,12 +1717,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file) + + dprintk("%s\n", __func__); + +- if (!try_module_get(ca->pub->owner)) ++ mutex_lock(&ca->remove_mutex); ++ ++ if (ca->exit) { ++ mutex_unlock(&ca->remove_mutex); ++ return -ENODEV; ++ } ++ ++ if (!try_module_get(ca->pub->owner)) { ++ mutex_unlock(&ca->remove_mutex); + return -EIO; ++ } + + err = dvb_generic_open(inode, file); + if (err < 0) { + module_put(ca->pub->owner); ++ mutex_unlock(&ca->remove_mutex); + return err; + } + +@@ -1741,6 +1757,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file) + + dvb_ca_private_get(ca); + ++ mutex_unlock(&ca->remove_mutex); + return 0; + } + +@@ -1760,6 +1777,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file) + + dprintk("%s\n", __func__); + ++ mutex_lock(&ca->remove_mutex); ++ + /* mark the CA device as closed */ + ca->open = 0; + dvb_ca_en50221_thread_update_delay(ca); +@@ -1770,6 +1789,13 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file) + + dvb_ca_private_put(ca); + ++ if (dvbdev->users == 1 && ca->exit == 1) { ++ mutex_unlock(&ca->remove_mutex); ++ wake_up(&dvbdev->wait_queue); ++ } else { ++ mutex_unlock(&ca->remove_mutex); ++ } ++ + return err; + } + +@@ -1893,6 +1919,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter, + } + + mutex_init(&ca->ioctl_mutex); ++ mutex_init(&ca->remove_mutex); + + if (signal_pending(current)) { + ret = -EINTR; +@@ -1935,6 +1962,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca) + + dprintk("%s\n", __func__); + ++ mutex_lock(&ca->remove_mutex); ++ ca->exit = 1; ++ mutex_unlock(&ca->remove_mutex); ++ ++ if (ca->dvbdev->users < 1) ++ wait_event(ca->dvbdev->wait_queue, ++ ca->dvbdev->users == 1); ++ + /* shutdown the thread if there was one */ + kthread_stop(ca->thread); + +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch b/queue-5.15/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch new file mode 100644 index 00000000000..74c72e18f53 --- /dev/null +++ b/queue-5.15/media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch @@ -0,0 +1,63 @@ +From 99158a6c328b767e3f0ccb0b11ce1c702705035f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Mar 2023 16:56:04 +0000 +Subject: media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() + +From: Wei Chen + +[ Upstream commit 858e97d7956d17a2cb56a9413468704a4d5abfe1 ] + +In az6027_i2c_xfer, msg is controlled by user. When msg[i].buf is null, +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in +az6027_i2c_xfer()") fix the null-ptr-deref bug when msg[i].addr is 0x99. +However, null-ptr-deref also happens when msg[i].addr is 0xd0 and 0xc0. +We add check on msg[i].len to prevent null-ptr-deref. + +Link: https://lore.kernel.org/linux-media/20230310165604.3093483-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/az6027.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index 32b4ee65c2802..991f4510aaebb 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -988,6 +988,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + /* write/read request */ + if (i + 1 < num && (msg[i + 1].flags & I2C_M_RD)) { + req = 0xB9; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff)); + value = msg[i].addr + (msg[i].len << 8); + length = msg[i + 1].len + 6; +@@ -1001,6 +1005,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + + /* demod 16bit addr */ + req = 0xBD; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + index = (((msg[i].buf[0] << 8) & 0xff00) | (msg[i].buf[1] & 0x00ff)); + value = msg[i].addr + (2 << 8); + length = msg[i].len - 2; +@@ -1026,6 +1034,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + } else { + + req = 0xBD; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + index = msg[i].buf[0] & 0x00FF; + value = msg[i].addr + (1 << 8); + length = msg[i].len - 1; +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch b/queue-5.15/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch new file mode 100644 index 00000000000..e7904de1803 --- /dev/null +++ b/queue-5.15/media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch @@ -0,0 +1,44 @@ +From 78a0f3d28dde3dde258b5afc98dc30fc0248bd39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 09:50:08 +0000 +Subject: media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() + +From: Wei Chen + +[ Upstream commit 9ded5bd2a49ce3015b7c936743eec0a0e6e11f0c ] + +In digitv_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach digitv_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. We add +check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/20230313095008.1039689-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/digitv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/digitv.c b/drivers/media/usb/dvb-usb/digitv.c +index 4e3b3c064bcfb..e56efebd4f0a1 100644 +--- a/drivers/media/usb/dvb-usb/digitv.c ++++ b/drivers/media/usb/dvb-usb/digitv.c +@@ -63,6 +63,10 @@ static int digitv_i2c_xfer(struct i2c_adapter *adap,struct i2c_msg msg[],int num + warn("more than 2 i2c messages at a time is not handled yet. TODO."); + + for (i = 0; i < num; i++) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + /* write/read request */ + if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) { + if (digitv_ctrl_msg(d, USB_READ_COFDM, msg[i].buf[0], NULL, 0, +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch b/queue-5.15/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch new file mode 100644 index 00000000000..0d2cd570b54 --- /dev/null +++ b/queue-5.15/media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch @@ -0,0 +1,40 @@ +From 07904909aabfdfb505584a72ccfb00de059b6084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 13:44:16 +0100 +Subject: media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address + +From: Wei Chen + +[ Upstream commit a3fd1ef27aa686d871cefe207bd6168c4b0cd29e ] + +In su3000_read_mac_address, if i2c_transfer fails to execute two +messages, array mac address will not be initialized. Without handling +such error, later in function dvb_usb_adapter_dvb_init, proposed_mac +is accessed before initialization. + +Fix this error by returning a negative value if message execution fails. + +Link: https://lore.kernel.org/linux-media/20230328124416.560889-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dw2102.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index ca75ebdc10b37..1ed62a80067c6 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -946,7 +946,7 @@ static int su3000_read_mac_address(struct dvb_usb_device *d, u8 mac[6]) + for (i = 0; i < 6; i++) { + obuf[1] = 0xf0 + i; + if (i2c_transfer(&d->i2c_adap, msg, 2) != 2) +- break; ++ return -1; + else + mac[i] = ibuf[0]; + } +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch b/queue-5.15/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch new file mode 100644 index 00000000000..af04c71e20f --- /dev/null +++ b/queue-5.15/media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch @@ -0,0 +1,56 @@ +From f2ce3a7e98403a4b0b7d3ae6f7871830a0726f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 09:27:51 +0000 +Subject: media: dvb-usb-v2: ce6230: fix null-ptr-deref in + ce6230_i2c_master_xfer() + +From: Wei Chen + +[ Upstream commit dff919090155fb22679869e8469168f270dcd97f ] + +In ce6230_i2c_master_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach ce6230_i2c_master_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. We add +check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/20230313092751.209496-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/ce6230.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/ce6230.c b/drivers/media/usb/dvb-usb-v2/ce6230.c +index 44540de1a2066..d3b5cb4a24daf 100644 +--- a/drivers/media/usb/dvb-usb-v2/ce6230.c ++++ b/drivers/media/usb/dvb-usb-v2/ce6230.c +@@ -101,6 +101,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap, + if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) { + if (msg[i].addr == + ce6230_zl10353_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = DEMOD_READ; + req.value = msg[i].addr >> 1; + req.index = msg[i].buf[0]; +@@ -117,6 +121,10 @@ static int ce6230_i2c_master_xfer(struct i2c_adapter *adap, + } else { + if (msg[i].addr == + ce6230_zl10353_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = DEMOD_WRITE; + req.value = msg[i].addr >> 1; + req.index = msg[i].buf[0]; +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch b/queue-5.15/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch new file mode 100644 index 00000000000..3d16928fb4d --- /dev/null +++ b/queue-5.15/media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch @@ -0,0 +1,65 @@ +From 5b23aa2ca43c0c61f995f8d1ae277baafb30b675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 08:58:53 +0000 +Subject: media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() + +From: Wei Chen + +[ Upstream commit a6dcefcc08eca1bf4e3d213c97c3cfb75f377935 ] + +In ec168_i2c_xfer, msg is controlled by user. When msg[i].buf is null +and msg[i].len is zero, former checks on msg[i].buf would be passed. +If accessing msg[i].buf[0] without sanity check, null pointer deref +would happen. We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/20230313085853.3252349-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/ec168.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/ec168.c b/drivers/media/usb/dvb-usb-v2/ec168.c +index 7ed0ab9e429b1..0e4773fc025c9 100644 +--- a/drivers/media/usb/dvb-usb-v2/ec168.c ++++ b/drivers/media/usb/dvb-usb-v2/ec168.c +@@ -115,6 +115,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + while (i < num) { + if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) { + if (msg[i].addr == ec168_ec100_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = READ_DEMOD; + req.value = 0; + req.index = 0xff00 + msg[i].buf[0]; /* reg */ +@@ -131,6 +135,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + } + } else { + if (msg[i].addr == ec168_ec100_config.demod_address) { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = WRITE_DEMOD; + req.value = msg[i].buf[1]; /* val */ + req.index = 0xff00 + msg[i].buf[0]; /* reg */ +@@ -139,6 +147,10 @@ static int ec168_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = ec168_ctrl_msg(d, &req); + i += 1; + } else { ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + req.cmd = WRITE_I2C; + req.value = msg[i].buf[0]; /* val */ + req.index = 0x0100 + msg[i].addr; /* I2C addr */ +-- +2.39.2 + diff --git a/queue-5.15/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch b/queue-5.15/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch new file mode 100644 index 00000000000..8da5ad2f6ef --- /dev/null +++ b/queue-5.15/media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch @@ -0,0 +1,84 @@ +From bc4b4d885b193e6e82b8f127409523a96cff90e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 15:52:47 +0100 +Subject: media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer + +From: Zhang Shurong + +[ Upstream commit aa4a447b81b84f69c1a89ad899df157f386d7636 ] + +In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf +is null and msg[i].len is zero, former checks on msg[i].buf would be +passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing +msg[i].buf[0] without sanity check, null ptr deref would happen. +We add check on msg[i].len to prevent crash. + +Similar commit: +commit 0ed554fd769a +("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com +Signed-off-by: Zhang Shurong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +index 795a012d40200..f7884bb56fccf 100644 +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +@@ -176,6 +176,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = -EOPNOTSUPP; + goto err_mutex_unlock; + } else if (msg[0].addr == 0x10) { ++ if (msg[0].len < 1 || msg[1].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 1 - integrated demod */ + if (msg[0].buf[0] == 0x00) { + /* return demod page from driver cache */ +@@ -189,6 +193,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = rtl28xxu_ctrl_msg(d, &req); + } + } else if (msg[0].len < 2) { ++ if (msg[0].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 2 - old I2C */ + req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1); + req.index = CMD_I2C_RD; +@@ -217,8 +225,16 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = -EOPNOTSUPP; + goto err_mutex_unlock; + } else if (msg[0].addr == 0x10) { ++ if (msg[0].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 1 - integrated demod */ + if (msg[0].buf[0] == 0x00) { ++ if (msg[0].len < 2) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* save demod page for later demod access */ + dev->page = msg[0].buf[1]; + ret = 0; +@@ -231,6 +247,10 @@ static int rtl28xxu_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], + ret = rtl28xxu_ctrl_msg(d, &req); + } + } else if ((msg[0].len < 23) && (!dev->new_i2c_write)) { ++ if (msg[0].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto err_mutex_unlock; ++ } + /* method 2 - old I2C */ + req.value = (msg[0].buf[0] << 8) | (msg[0].addr << 1); + req.index = CMD_I2C_WR; +-- +2.39.2 + diff --git a/queue-5.15/media-dvb_ca_en50221-fix-a-size-write-bug.patch b/queue-5.15/media-dvb_ca_en50221-fix-a-size-write-bug.patch new file mode 100644 index 00000000000..7e84e9239ec --- /dev/null +++ b/queue-5.15/media-dvb_ca_en50221-fix-a-size-write-bug.patch @@ -0,0 +1,118 @@ +From 5a2c5054504b6a8cc92e1a50c00bb208fb62f5f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 13:50:27 +0100 +Subject: media: dvb_ca_en50221: fix a size write bug + +From: YongSu Yoo + +[ Upstream commit a4315e5be7020aac9b24a8151caf4bb85224cd0e ] + +The function of "dvb_ca_en50221_write_data" at source/drivers/media +/dvb-core/dvb_ca_en50221.c is used for two cases. +The first case is for writing APDU data in the function of +"dvb_ca_en50221_io_write" at source/drivers/media/dvb-core/ +dvb_ca_en50221.c. +The second case is for writing the host link buf size on the +Command Register in the function of "dvb_ca_en50221_link_init" +at source/drivers/media/dvb-core/dvb_ca_en50221.c. +In the second case, there exists a bug like following. +In the function of the "dvb_ca_en50221_link_init", +after a TV host calculates the host link buf_size, +the TV host writes the calculated host link buf_size on the +Size Register. +Accroding to the en50221 Spec (the page 60 of +https://dvb.org/wp-content/uploads/2020/02/En50221.V1.pdf), +before this writing operation, the "SW(CMDREG_SW)" flag in the +Command Register should be set. We can see this setting operation +in the function of the "dvb_ca_en50221_link_init" like below. +... + if ((ret = ca->pub->write_cam_control(ca->pub, slot, +CTRLIF_COMMAND, IRQEN | CMDREG_SW)) != 0) + return ret; +... +But, after that, the real writing operation is implemented using +the function of the "dvb_ca_en50221_write_data" in the function of +"dvb_ca_en50221_link_init", and the "dvb_ca_en50221_write_data" +includes the function of "ca->pub->write_cam_control", +and the function of the "ca->pub->write_cam_control" in the +function of the "dvb_ca_en50221_wrte_data" does not include +"CMDREG_SW" flag like below. +... + if ((status = ca->pub->write_cam_control(ca->pub, slot, +CTRLIF_COMMAND, IRQEN | CMDREG_HC)) != 0) +... +In the above source code, we can see only the "IRQEN | CMDREG_HC", +but we cannot see the "CMDREG_SW". +The "CMDREG_SW" flag which was set in the function of the +"dvb_ca_en50221_link_init" was rollbacked by the follwoing function +of the "dvb_ca_en50221_write_data". +This is a bug. and this bug causes that the calculated host link buf_size +is not properly written in the CI module. +Through this patch, we fix this bug. + +Link: https://lore.kernel.org/linux-media/20220818125027.1131-1-yongsuyoo0215@gmail.com +Signed-off-by: YongSu Yoo +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c +index c2d2792227f86..b6ca29dfb184a 100644 +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -187,7 +187,7 @@ static void dvb_ca_en50221_thread_wakeup(struct dvb_ca_private *ca); + static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot, + u8 *ebuf, int ecount); + static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, +- u8 *ebuf, int ecount); ++ u8 *ebuf, int ecount, int size_write_flag); + + /** + * findstr - Safely find needle in haystack. +@@ -370,7 +370,7 @@ static int dvb_ca_en50221_link_init(struct dvb_ca_private *ca, int slot) + ret = dvb_ca_en50221_wait_if_status(ca, slot, STATUSREG_FR, HZ / 10); + if (ret) + return ret; +- ret = dvb_ca_en50221_write_data(ca, slot, buf, 2); ++ ret = dvb_ca_en50221_write_data(ca, slot, buf, 2, CMDREG_SW); + if (ret != 2) + return -EIO; + ret = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, IRQEN); +@@ -778,11 +778,13 @@ static int dvb_ca_en50221_read_data(struct dvb_ca_private *ca, int slot, + * @buf: The data in this buffer is treated as a complete link-level packet to + * be written. + * @bytes_write: Size of ebuf. ++ * @size_write_flag: A flag on Command Register which says whether the link size ++ * information will be writen or not. + * + * return: Number of bytes written, or < 0 on error. + */ + static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, +- u8 *buf, int bytes_write) ++ u8 *buf, int bytes_write, int size_write_flag) + { + struct dvb_ca_slot *sl = &ca->slot_info[slot]; + int status; +@@ -817,7 +819,7 @@ static int dvb_ca_en50221_write_data(struct dvb_ca_private *ca, int slot, + + /* OK, set HC bit */ + status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_COMMAND, +- IRQEN | CMDREG_HC); ++ IRQEN | CMDREG_HC | size_write_flag); + if (status) + goto exit; + +@@ -1508,7 +1510,7 @@ static ssize_t dvb_ca_en50221_io_write(struct file *file, + + mutex_lock(&sl->slot_lock); + status = dvb_ca_en50221_write_data(ca, slot, fragbuf, +- fraglen + 2); ++ fraglen + 2, 0); + mutex_unlock(&sl->slot_lock); + if (status == (fraglen + 2)) { + written = 1; +-- +2.39.2 + diff --git a/queue-5.15/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch b/queue-5.15/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch new file mode 100644 index 00000000000..21e59998cd4 --- /dev/null +++ b/queue-5.15/media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch @@ -0,0 +1,65 @@ +From f8bd8b56782ae1b086fd4d4758f50876dffda3a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Mar 2023 21:25:19 +0000 +Subject: media: dvb_demux: fix a bug for the continuity counter + +From: YongSu Yoo + +[ Upstream commit 7efb10d8dc70ea3000cc70dca53407c52488acd1 ] + +In dvb_demux.c, some logics exist which compare the expected +continuity counter and the real continuity counter. If they +are not matched each other, both of the expected continuity +counter and the real continuity counter should be printed. +But there exists a bug that the expected continuity counter +is not correctly printed. The expected continuity counter is +replaced with the real countinuity counter + 1 so that +the epected continuity counter is not correclty printed. +This is wrong. This bug is fixed. + +Link: https://lore.kernel.org/linux-media/20230305212519.499-1-yongsuyoo0215@gmail.com + +Signed-off-by: YongSu Yoo +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_demux.c b/drivers/media/dvb-core/dvb_demux.c +index 5fde1d38b3e34..80b495982f63c 100644 +--- a/drivers/media/dvb-core/dvb_demux.c ++++ b/drivers/media/dvb-core/dvb_demux.c +@@ -125,12 +125,12 @@ static inline int dvb_dmx_swfilter_payload(struct dvb_demux_feed *feed, + + cc = buf[3] & 0x0f; + ccok = ((feed->cc + 1) & 0x0f) == cc; +- feed->cc = cc; + if (!ccok) { + set_buf_flags(feed, DMX_BUFFER_FLAG_DISCONTINUITY_DETECTED); + dprintk_sect_loss("missed packet: %d instead of %d!\n", + cc, (feed->cc + 1) & 0x0f); + } ++ feed->cc = cc; + + if (buf[1] & 0x40) // PUSI ? + feed->peslen = 0xfffa; +@@ -310,7 +310,6 @@ static int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed, + + cc = buf[3] & 0x0f; + ccok = ((feed->cc + 1) & 0x0f) == cc; +- feed->cc = cc; + + if (buf[3] & 0x20) { + /* adaption field present, check for discontinuity_indicator */ +@@ -346,6 +345,7 @@ static int dvb_dmx_swfilter_section_packet(struct dvb_demux_feed *feed, + feed->pusi_seen = false; + dvb_dmx_swfilter_section_new(feed); + } ++ feed->cc = cc; + + if (buf[1] & 0x40) { + /* PUSI=1 (is set), section boundary is here */ +-- +2.39.2 + diff --git a/queue-5.15/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch b/queue-5.15/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch new file mode 100644 index 00000000000..f35b24cdf53 --- /dev/null +++ b/queue-5.15/media-mn88443x-fix-config_of-error-by-drop-of_match_.patch @@ -0,0 +1,44 @@ +From f916c22daf76c3e9e730ccf52586e44711cba6ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Mar 2023 13:13:18 +0000 +Subject: media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID + table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +[ Upstream commit ae11c0efaec32fb45130ee9886689f467232eebc ] + +The driver will match mostly by DT table (even thought there is regular +ID table) so there is little benefit in of_match_ptr (this also allows +ACPI matching via PRP0001, even though it might not be relevant here). +This also fixes !CONFIG_OF error: + + drivers/media/dvb-frontends/mn88443x.c:782:34: error: ‘mn88443x_of_match’ defined but not used [-Werror=unused-const-variable=] + +Link: https://lore.kernel.org/linux-media/20230312131318.351173-28-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/mn88443x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/mn88443x.c b/drivers/media/dvb-frontends/mn88443x.c +index fff212c0bf3b5..05894deb8a19a 100644 +--- a/drivers/media/dvb-frontends/mn88443x.c ++++ b/drivers/media/dvb-frontends/mn88443x.c +@@ -800,7 +800,7 @@ MODULE_DEVICE_TABLE(i2c, mn88443x_i2c_id); + static struct i2c_driver mn88443x_driver = { + .driver = { + .name = "mn88443x", +- .of_match_table = of_match_ptr(mn88443x_of_match), ++ .of_match_table = mn88443x_of_match, + }, + .probe = mn88443x_probe, + .remove = mn88443x_remove, +-- +2.39.2 + diff --git a/queue-5.15/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch b/queue-5.15/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch new file mode 100644 index 00000000000..9572a315bbd --- /dev/null +++ b/queue-5.15/media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch @@ -0,0 +1,70 @@ +From a9135585ad55c2e399b2f7074702ecd7a70bdd7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Mar 2023 13:45:18 +0000 +Subject: media: netup_unidvb: fix irq init by register it at the end of probe + +From: Wei Chen + +[ Upstream commit e6ad6233592593079db5c8fa592c298e51bc1356 ] + +IRQ handler netup_spi_interrupt() takes spinlock spi->lock. The lock +is initialized in netup_spi_init(). However, irq handler is registered +before initializing the lock. + +Spinlock dma->lock and i2c->lock suffer from the same problem. + +Fix this by registering the irq at the end of probe. + +Link: https://lore.kernel.org/linux-media/20230315134518.1074497-1-harperchen1110@gmail.com +Signed-off-by: Wei Chen +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/pci/netup_unidvb/netup_unidvb_core.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index a71814e2772d1..7c5061953ee82 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -887,12 +887,7 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev, + ndev->lmmio0, (u32)pci_resource_len(pci_dev, 0), + ndev->lmmio1, (u32)pci_resource_len(pci_dev, 1), + pci_dev->irq); +- if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED, +- "netup_unidvb", pci_dev) < 0) { +- dev_err(&pci_dev->dev, +- "%s(): can't get IRQ %d\n", __func__, pci_dev->irq); +- goto irq_request_err; +- } ++ + ndev->dma_size = 2 * 188 * + NETUP_DMA_BLOCKS_COUNT * NETUP_DMA_PACKETS_COUNT; + ndev->dma_virt = dma_alloc_coherent(&pci_dev->dev, +@@ -933,6 +928,14 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev, + dev_err(&pci_dev->dev, "netup_unidvb: DMA setup failed\n"); + goto dma_setup_err; + } ++ ++ if (request_irq(pci_dev->irq, netup_unidvb_isr, IRQF_SHARED, ++ "netup_unidvb", pci_dev) < 0) { ++ dev_err(&pci_dev->dev, ++ "%s(): can't get IRQ %d\n", __func__, pci_dev->irq); ++ goto dma_setup_err; ++ } ++ + dev_info(&pci_dev->dev, + "netup_unidvb: device has been initialized\n"); + return 0; +@@ -951,8 +954,6 @@ static int netup_unidvb_initdev(struct pci_dev *pci_dev, + dma_free_coherent(&pci_dev->dev, ndev->dma_size, + ndev->dma_virt, ndev->dma_phys); + dma_alloc_err: +- free_irq(pci_dev->irq, pci_dev); +-irq_request_err: + iounmap(ndev->lmmio1); + pci_bar1_error: + iounmap(ndev->lmmio0); +-- +2.39.2 + diff --git a/queue-5.15/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch b/queue-5.15/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch new file mode 100644 index 00000000000..6d810639696 --- /dev/null +++ b/queue-5.15/media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch @@ -0,0 +1,49 @@ +From 8682243745402ec835e416a3c5d05ae67837b734 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Feb 2023 21:55:34 +0100 +Subject: media: rcar-vin: Select correct interrupt mode for + V4L2_FIELD_ALTERNATE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit e10707d5865c90d3dfe4ef589ce02ff4287fef85 ] + +When adding proper support for V4L2_FIELD_ALTERNATE it was missed that +this field format should trigger an interrupt for each field, not just +for the whole frame. Fix this by marking it as progressive in the +capture setup, which will then select the correct interrupt mode. + +Tested on both Gen2 and Gen3 with the result of a doubling of the frame +rate for V4L2_FIELD_ALTERNATE. From a PAL video source the frame rate is +now 50, which is expected for alternate field capture. + +Signed-off-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-dma.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-dma.c b/drivers/media/platform/rcar-vin/rcar-dma.c +index 520d044bfb8d5..efebae935720a 100644 +--- a/drivers/media/platform/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/rcar-vin/rcar-dma.c +@@ -644,11 +644,9 @@ static int rvin_setup(struct rvin_dev *vin) + case V4L2_FIELD_SEQ_TB: + case V4L2_FIELD_SEQ_BT: + case V4L2_FIELD_NONE: +- vnmc = VNMC_IM_ODD_EVEN; +- progressive = true; +- break; + case V4L2_FIELD_ALTERNATE: + vnmc = VNMC_IM_ODD_EVEN; ++ progressive = true; + break; + default: + vnmc = VNMC_IM_ODD; +-- +2.39.2 + diff --git a/queue-5.15/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch b/queue-5.15/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch new file mode 100644 index 00000000000..acde9ef86a2 --- /dev/null +++ b/queue-5.15/media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch @@ -0,0 +1,43 @@ +From 0a081cb8d1920fd3fbd0d3786ac510110f217aaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 04:59:25 +0000 +Subject: media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() + +From: Hyunwoo Kim + +[ Upstream commit 517a281338322ff8293f988771c98aaa7205e457 ] + +Since dvb_frontend_detach() is not called in ttusb_dec_exit_dvb(), +which is called when the device is disconnected, dvb_frontend_free() +is not finally called. + +This causes a memory leak just by repeatedly plugging and +unplugging the device. + +Fix this issue by adding dvb_frontend_detach() to ttusb_dec_exit_dvb(). + +Link: https://lore.kernel.org/linux-media/20221117045925.14297-5-imv4bel@gmail.com +Signed-off-by: Hyunwoo Kim +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/ttusb-dec/ttusb_dec.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c +index 38822cedd93a9..c4474d4c44e28 100644 +--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c ++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c +@@ -1544,8 +1544,7 @@ static void ttusb_dec_exit_dvb(struct ttusb_dec *dec) + dvb_dmx_release(&dec->demux); + if (dec->fe) { + dvb_unregister_frontend(dec->fe); +- if (dec->fe->ops.release) +- dec->fe->ops.release(dec->fe); ++ dvb_frontend_detach(dec->fe); + } + dvb_unregister_adapter(&dec->adapter); + } +-- +2.39.2 + diff --git a/queue-5.15/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch b/queue-5.15/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch new file mode 100644 index 00000000000..4d73b5ed221 --- /dev/null +++ b/queue-5.15/media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch @@ -0,0 +1,81 @@ +From 18b568da34a66c2485bce4d7f56e4e5700a51b34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 10:45:59 +0100 +Subject: media: uvcvideo: Don't expose unsupported formats to userspace + +From: Laurent Pinchart + +[ Upstream commit 81f3affa19d6ab0c32aef46b053838219eef7e71 ] + +When the uvcvideo driver encounters a format descriptor with an unknown +format GUID, it creates a corresponding struct uvc_format instance with +the fcc field set to 0. Since commit 50459f103edf ("media: uvcvideo: +Remove format descriptions"), the driver relies on the V4L2 core to +provide the format description string, which the V4L2 core can't do +without a valid 4CC. This triggers a WARN_ON. + +As a format with a zero 4CC can't be selected, it is unusable for +applications. Ignore the format completely without creating a uvc_format +instance, which fixes the warning. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217252 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2180107 + +Fixes: 50459f103edf ("media: uvcvideo: Remove format descriptions") +Signed-off-by: Laurent Pinchart +Reviewed-by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 2e7df1de0af9a..b19c75a6f5952 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -530,14 +530,17 @@ static int uvc_parse_format(struct uvc_device *dev, + /* Find the format descriptor from its GUID. */ + fmtdesc = uvc_format_by_guid(&buffer[5]); + +- if (fmtdesc != NULL) { +- format->fcc = fmtdesc->fcc; +- } else { ++ if (!fmtdesc) { ++ /* ++ * Unknown video formats are not fatal errors, the ++ * caller will skip this descriptor. ++ */ + dev_info(&streaming->intf->dev, + "Unknown video format %pUl\n", &buffer[5]); +- format->fcc = 0; ++ return 0; + } + ++ format->fcc = fmtdesc->fcc; + format->bpp = buffer[21]; + + /* Some devices report a format that doesn't match what they +@@ -945,7 +948,7 @@ static int uvc_parse_streaming(struct uvc_device *dev, + interval = (u32 *)&frame[nframes]; + + streaming->format = format; +- streaming->nformats = nformats; ++ streaming->nformats = 0; + + /* Parse the format descriptors. */ + while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE) { +@@ -959,7 +962,10 @@ static int uvc_parse_streaming(struct uvc_device *dev, + &interval, buffer, buflen); + if (ret < 0) + goto error; ++ if (!ret) ++ break; + ++ streaming->nformats++; + frame += format->nframes; + format++; + +-- +2.39.2 + diff --git a/queue-5.15/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch b/queue-5.15/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch new file mode 100644 index 00000000000..df668ac5871 --- /dev/null +++ b/queue-5.15/mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch @@ -0,0 +1,67 @@ +From b50ab98535ab19b28442e07255adb96e9291b757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 22:21:24 +0200 +Subject: mtd: rawnand: ingenic: fix empty stub helper definitions + +From: Arnd Bergmann + +[ Upstream commit 650a8884a364ff2568b51cde9009cfd43cdae6ad ] + +A few functions provide an empty interface definition when +CONFIG_MTD_NAND_INGENIC_ECC is disabled, but they are accidentally +defined as global functions in the header: + +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:39:5: error: no previous prototype for 'ingenic_ecc_calculate' +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:46:5: error: no previous prototype for 'ingenic_ecc_correct' +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:53:6: error: no previous prototype for 'ingenic_ecc_release' +drivers/mtd/nand/raw/ingenic/ingenic_ecc.h:57:21: error: no previous prototype for 'of_ingenic_ecc_get' + +Turn them into 'static inline' definitions instead. + +Fixes: 15de8c6efd0e ("mtd: rawnand: ingenic: Separate top-level and SoC specific code") +Signed-off-by: Arnd Bergmann +Reviewed-by: Paul Cercueil +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230516202133.559488-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/ingenic/ingenic_ecc.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h b/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h +index 2cda439b5e11b..017868f59f222 100644 +--- a/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h ++++ b/drivers/mtd/nand/raw/ingenic/ingenic_ecc.h +@@ -36,25 +36,25 @@ int ingenic_ecc_correct(struct ingenic_ecc *ecc, + void ingenic_ecc_release(struct ingenic_ecc *ecc); + struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np); + #else /* CONFIG_MTD_NAND_INGENIC_ECC */ +-int ingenic_ecc_calculate(struct ingenic_ecc *ecc, ++static inline int ingenic_ecc_calculate(struct ingenic_ecc *ecc, + struct ingenic_ecc_params *params, + const u8 *buf, u8 *ecc_code) + { + return -ENODEV; + } + +-int ingenic_ecc_correct(struct ingenic_ecc *ecc, ++static inline int ingenic_ecc_correct(struct ingenic_ecc *ecc, + struct ingenic_ecc_params *params, u8 *buf, + u8 *ecc_code) + { + return -ENODEV; + } + +-void ingenic_ecc_release(struct ingenic_ecc *ecc) ++static inline void ingenic_ecc_release(struct ingenic_ecc *ecc) + { + } + +-struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np) ++static inline struct ingenic_ecc *of_ingenic_ecc_get(struct device_node *np) + { + return ERR_PTR(-ENODEV); + } +-- +2.39.2 + diff --git a/queue-5.15/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch b/queue-5.15/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch new file mode 100644 index 00000000000..740b3886183 --- /dev/null +++ b/queue-5.15/mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch @@ -0,0 +1,44 @@ +From 7fa5bef1371eee8e4256c14a130d503c2775adfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:31:53 +1200 +Subject: mtd: rawnand: marvell: don't set the NAND frequency select + +From: Chris Packham + +[ Upstream commit c4d28e30a8d0b979e4029465ab8f312ab6ce2644 ] + +marvell_nfc_setup_interface() uses the frequency retrieved from the +clock associated with the nand interface to determine the timings that +will be used. By changing the NAND frequency select without reflecting +this in the clock configuration this means that the timings calculated +don't correctly meet the requirements of the NAND chip. This hasn't been +an issue up to now because of a different bug that was stopping the +timings being updated after they were initially set. + +Fixes: b25251414f6e ("mtd: rawnand: marvell: Stop implementing ->select_chip()") +Signed-off-by: Chris Packham +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230525003154.2303012-2-chris.packham@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/marvell_nand.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c +index 95dee54fe079c..9f662d5cf7fac 100644 +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -2885,10 +2885,6 @@ static int marvell_nfc_init(struct marvell_nfc *nfc) + regmap_update_bits(sysctrl_base, GENCONF_CLK_GATING_CTRL, + GENCONF_CLK_GATING_CTRL_ND_GATE, + GENCONF_CLK_GATING_CTRL_ND_GATE); +- +- regmap_update_bits(sysctrl_base, GENCONF_ND_CLK_CTRL, +- GENCONF_ND_CLK_CTRL_EN, +- GENCONF_ND_CLK_CTRL_EN); + } + + /* Configure the DMA if appropriate */ +-- +2.39.2 + diff --git a/queue-5.15/mtd-rawnand-marvell-ensure-timing-values-are-written.patch b/queue-5.15/mtd-rawnand-marvell-ensure-timing-values-are-written.patch new file mode 100644 index 00000000000..3f314222962 --- /dev/null +++ b/queue-5.15/mtd-rawnand-marvell-ensure-timing-values-are-written.patch @@ -0,0 +1,43 @@ +From 0f8a64804f17fa28ca5f6a2bf466ade5b450e3ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 12:31:52 +1200 +Subject: mtd: rawnand: marvell: ensure timing values are written + +From: Chris Packham + +[ Upstream commit 8a6f4d346f3bad9c68b4a87701eb3f7978542d57 ] + +When new timing values are calculated in marvell_nfc_setup_interface() +ensure that they will be applied in marvell_nfc_select_target() by +clearing the selected_chip pointer. + +Fixes: b25251414f6e ("mtd: rawnand: marvell: Stop implementing ->select_chip()") +Suggested-by: Miquel Raynal +Signed-off-by: Chris Packham +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230525003154.2303012-1-chris.packham@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/marvell_nand.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c +index b248c5f657d56..95dee54fe079c 100644 +--- a/drivers/mtd/nand/raw/marvell_nand.c ++++ b/drivers/mtd/nand/raw/marvell_nand.c +@@ -2443,6 +2443,12 @@ static int marvell_nfc_setup_interface(struct nand_chip *chip, int chipnr, + NDTR1_WAIT_MODE; + } + ++ /* ++ * Reset nfc->selected_chip so the next command will cause the timing ++ * registers to be updated in marvell_nfc_select_target(). ++ */ ++ nfc->selected_chip = NULL; ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.15/nbd-fix-debugfs_create_dir-error-checking.patch b/queue-5.15/nbd-fix-debugfs_create_dir-error-checking.patch new file mode 100644 index 00000000000..d028f18ce6c --- /dev/null +++ b/queue-5.15/nbd-fix-debugfs_create_dir-error-checking.patch @@ -0,0 +1,46 @@ +From 5946b34a156b30e2afe1b1234831330f9fbebec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:05:32 +0400 +Subject: nbd: Fix debugfs_create_dir error checking + +From: Ivan Orlov + +[ Upstream commit 4913cfcf014c95f0437db2df1734472fd3e15098 ] + +The debugfs_create_dir function returns ERR_PTR in case of error, and the +only correct way to check if an error occurred is 'IS_ERR' inline function. +This patch will replace the null-comparison with IS_ERR. + +Signed-off-by: Ivan Orlov +Link: https://lore.kernel.org/r/20230512130533.98709-1-ivan.orlov0322@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 394355f12d4e0..e563aa407e888 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1605,7 +1605,7 @@ static int nbd_dev_dbg_init(struct nbd_device *nbd) + return -EIO; + + dir = debugfs_create_dir(nbd_name(nbd), nbd_dbg_dir); +- if (!dir) { ++ if (IS_ERR(dir)) { + dev_err(nbd_to_dev(nbd), "Failed to create debugfs dir for '%s'\n", + nbd_name(nbd)); + return -EIO; +@@ -1631,7 +1631,7 @@ static int nbd_dbg_init(void) + struct dentry *dbg_dir; + + dbg_dir = debugfs_create_dir("nbd", NULL); +- if (!dbg_dir) ++ if (IS_ERR(dbg_dir)) + return -EIO; + + nbd_dbg_dir = dbg_dir; +-- +2.39.2 + diff --git a/queue-5.15/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch b/queue-5.15/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch new file mode 100644 index 00000000000..885e51d70a6 --- /dev/null +++ b/queue-5.15/net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch @@ -0,0 +1,45 @@ +From 45f6f18f186ea06125064fff90b67f4b12ea1c07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:52:23 +0200 +Subject: net: dsa: mv88e6xxx: Increase wait after reset deactivation + +From: Andreas Svensson + +[ Upstream commit 3c27f3d53d588618d81d30d6712459a3cc9489b8 ] + +A switch held in reset by default needs to wait longer until we can +reliably detect it. + +An issue was observed when testing on the Marvell 88E6393X (Link Street). +The driver failed to detect the switch on some upstarts. Increasing the +wait time after reset deactivation solves this issue. + +The updated wait time is now also the same as the wait time in the +mv88e6xxx_hardware_reset function. + +Fixes: 7b75e49de424 ("net: dsa: mv88e6xxx: wait after reset deactivation") +Signed-off-by: Andreas Svensson +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230530145223.1223993-1-andreas.svensson@axis.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index b33aee4404de2..ac1560fa29e45 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -6432,7 +6432,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + goto out; + } + if (chip->reset) +- usleep_range(1000, 2000); ++ usleep_range(10000, 20000); + + err = mv88e6xxx_detect(chip); + if (err) +-- +2.39.2 + diff --git a/queue-5.15/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch b/queue-5.15/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch new file mode 100644 index 00000000000..698ba07fe14 --- /dev/null +++ b/queue-5.15/net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch @@ -0,0 +1,56 @@ +From 44bee843faad92350926e1c1c21a32bcfa3db2d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 21:49:08 +0200 +Subject: net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure + +From: Thomas Bogendoerfer + +[ Upstream commit d68cb7cf1fd0ef4287bc0ecd1ed0b6ae8e05fc70 ] + +Do skb_put() after a new skb has been successfully allocated otherwise +the reused skb leads to skb_panics or incorrect packet sizes. + +Fixes: f92e1869d74e ("Add Mellanox BlueField Gigabit Ethernet driver") +Signed-off-by: Thomas Bogendoerfer +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230524194908.147145-1-tbogendoerfer@suse.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c +index afa3b92a6905f..0d5a41a2ae010 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c +@@ -245,12 +245,6 @@ static bool mlxbf_gige_rx_packet(struct mlxbf_gige *priv, int *rx_pkts) + + skb = priv->rx_skb[rx_pi_rem]; + +- skb_put(skb, datalen); +- +- skb->ip_summed = CHECKSUM_NONE; /* device did not checksum packet */ +- +- skb->protocol = eth_type_trans(skb, netdev); +- + /* Alloc another RX SKB for this same index */ + rx_skb = mlxbf_gige_alloc_skb(priv, MLXBF_GIGE_DEFAULT_BUF_SZ, + &rx_buf_dma, DMA_FROM_DEVICE); +@@ -259,6 +253,13 @@ static bool mlxbf_gige_rx_packet(struct mlxbf_gige *priv, int *rx_pkts) + priv->rx_skb[rx_pi_rem] = rx_skb; + dma_unmap_single(priv->dev, *rx_wqe_addr, + MLXBF_GIGE_DEFAULT_BUF_SZ, DMA_FROM_DEVICE); ++ ++ skb_put(skb, datalen); ++ ++ skb->ip_summed = CHECKSUM_NONE; /* device did not checksum packet */ ++ ++ skb->protocol = eth_type_trans(skb, netdev); ++ + *rx_wqe_addr = rx_buf_dma; + } else if (rx_cqe & MLXBF_GIGE_RX_CQE_PKT_STATUS_MAC_ERR) { + priv->stats.rx_mac_errors++; +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5-fw_tracer-fix-event-handling.patch b/queue-5.15/net-mlx5-fw_tracer-fix-event-handling.patch new file mode 100644 index 00000000000..28f4ed2ed76 --- /dev/null +++ b/queue-5.15/net-mlx5-fw_tracer-fix-event-handling.patch @@ -0,0 +1,40 @@ +From 7a94519ab85b2ac251e9771561ff510e167b7ecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 20:41:41 +0300 +Subject: net/mlx5: fw_tracer, Fix event handling + +From: Shay Drory + +[ Upstream commit 341a80de2468f481b1f771683709b5649cbfe513 ] + +mlx5 driver needs to parse traces with event_id inside the range of +first_string_trace and num_string_trace. However, mlx5 is parsing all +events with event_id >= first_string_trace. + +Fix it by checking for the correct range. + +Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling") +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index 05c7c2140909f..958cdb9755598 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -483,7 +483,7 @@ static void poll_trace(struct mlx5_fw_tracer *tracer, + (u64)timestamp_low; + break; + default: +- if (tracer_event->event_id >= tracer->str_db.first_string_trace || ++ if (tracer_event->event_id >= tracer->str_db.first_string_trace && + tracer_event->event_id <= tracer->str_db.first_string_trace + + tracer->str_db.num_string_trace) { + tracer_event->type = TRACER_EVENT_TYPE_STRING; +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch b/queue-5.15/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch new file mode 100644 index 00000000000..a517a42d800 --- /dev/null +++ b/queue-5.15/net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch @@ -0,0 +1,48 @@ +From 10ae35d7f05ece151778c08e484896d28f92878e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Apr 2023 13:48:13 +0300 +Subject: net/mlx5: Read embedded cpu after init bit cleared + +From: Moshe Shemesh + +[ Upstream commit bbfa4b58997e3d38ba629c9f6fc0bd1c163aaf43 ] + +During driver load it reads embedded_cpu bit from initialization +segment, but the initialization segment is readable only after +initialization bit is cleared. + +Move the call to mlx5_read_embedded_cpu() right after initialization bit +cleared. + +Signed-off-by: Moshe Shemesh +Fixes: 591905ba9679 ("net/mlx5: Introduce Mellanox SmartNIC and modify page management logic") +Reviewed-by: Shay Drory +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index d75facc5c5031..13eceb6016344 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -781,7 +781,6 @@ static int mlx5_pci_init(struct mlx5_core_dev *dev, struct pci_dev *pdev, + } + + mlx5_pci_vsc_init(dev); +- dev->caps.embedded_cpu = mlx5_read_embedded_cpu(dev); + return 0; + + err_clr_master: +@@ -1003,6 +1002,7 @@ static int mlx5_function_setup(struct mlx5_core_dev *dev, bool boot) + goto err_cmd_cleanup; + } + ++ dev->caps.embedded_cpu = mlx5_read_embedded_cpu(dev); + mlx5_cmd_set_state(dev, MLX5_CMDIF_STATE_UP); + + err = mlx5_core_enable_hca(dev, 0); +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch b/queue-5.15/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch new file mode 100644 index 00000000000..f615aae7c10 --- /dev/null +++ b/queue-5.15/net-mlx5e-don-t-attach-netdev-profile-while-handling.patch @@ -0,0 +1,106 @@ +From 452d219e600b5eba0b34b63998dd335c4b980064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 14:39:24 +0300 +Subject: net/mlx5e: Don't attach netdev profile while handling internal error + +From: Dmytro Linkin + +[ Upstream commit bdf274750fca17b289404ef03453c4070725302c ] + +As part of switchdev mode disablement, driver changes port netdevice +profile from uplink to nic. If this process is triggered by health +recovery flow (PCI reset, for ex.) profile attach would fail because all +fw commands aborted when internal error flag is set. As a result, nic +netdevice profile is not attached and driver fails to rollback to uplink +profile, which leave driver in broken state and cause crash later. + +To handle broken state do netdevice profile initialization only instead +of full attachment and release mdev resources on driver suspend as +expected. Actual netdevice attachment is done during driver load. + +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Dmytro Linkin +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 35 ++++++++++++++++--- + 1 file changed, 31 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index ec1c667bd145a..82849bed27f4c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5008,8 +5008,8 @@ void mlx5e_detach_netdev(struct mlx5e_priv *priv) + } + + static int +-mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mdev, +- const struct mlx5e_profile *new_profile, void *new_ppriv) ++mlx5e_netdev_init_profile(struct net_device *netdev, struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, void *new_ppriv) + { + struct mlx5e_priv *priv = netdev_priv(netdev); + int err; +@@ -5025,6 +5025,25 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde + err = new_profile->init(priv->mdev, priv->netdev); + if (err) + goto priv_cleanup; ++ ++ return 0; ++ ++priv_cleanup: ++ mlx5e_priv_cleanup(priv); ++ return err; ++} ++ ++static int ++mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, void *new_ppriv) ++{ ++ struct mlx5e_priv *priv = netdev_priv(netdev); ++ int err; ++ ++ err = mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv); ++ if (err) ++ return err; ++ + err = mlx5e_attach_netdev(priv); + if (err) + goto profile_cleanup; +@@ -5032,7 +5051,6 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde + + profile_cleanup: + new_profile->cleanup(priv); +-priv_cleanup: + mlx5e_priv_cleanup(priv); + return err; + } +@@ -5051,6 +5069,12 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, + priv->profile->cleanup(priv); + mlx5e_priv_cleanup(priv); + ++ if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) { ++ mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv); ++ set_bit(MLX5E_STATE_DESTROYING, &priv->state); ++ return -EIO; ++ } ++ + err = mlx5e_netdev_attach_profile(netdev, mdev, new_profile, new_ppriv); + if (err) { /* roll back to original profile */ + netdev_warn(netdev, "%s: new profile init failed, %d\n", __func__, err); +@@ -5110,8 +5134,11 @@ static int mlx5e_suspend(struct auxiliary_device *adev, pm_message_t state) + struct net_device *netdev = priv->netdev; + struct mlx5_core_dev *mdev = priv->mdev; + +- if (!netif_device_present(netdev)) ++ if (!netif_device_present(netdev)) { ++ if (test_bit(MLX5E_STATE_DESTROYING, &priv->state)) ++ mlx5e_destroy_mdev_resources(mdev); + return -ENODEV; ++ } + + mlx5e_detach_netdev(priv); + mlx5e_destroy_mdev_resources(mdev); +-- +2.39.2 + diff --git a/queue-5.15/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch b/queue-5.15/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch new file mode 100644 index 00000000000..704e1947c28 --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch @@ -0,0 +1,58 @@ +From 7d395bd48b5529f428c2f90318b2511a287b7f36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 23:07:08 -0700 +Subject: net/mlx5e: Fix error handling in mlx5e_refresh_tirs + +From: Saeed Mahameed + +[ Upstream commit b6193d7030e3c59f1d4c75648c9c8fa40cad2bcd ] + +Allocation failure is outside the critical lock section and should +return immediately rather than jumping to the unlock section. + +Also unlock as soon as required and remove the now redundant jump label. + +Fixes: 80a2a9026b24 ("net/mlx5e: Add a lock on tir list") +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c +index 84eb7201c142e..9a28ea165236b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_common.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_common.c +@@ -140,10 +140,8 @@ int mlx5e_refresh_tirs(struct mlx5e_priv *priv, bool enable_uc_lb, + + inlen = MLX5_ST_SZ_BYTES(modify_tir_in); + in = kvzalloc(inlen, GFP_KERNEL); +- if (!in) { +- err = -ENOMEM; +- goto out; +- } ++ if (!in) ++ return -ENOMEM; + + if (enable_uc_lb) + lb_flags = MLX5_TIRC_SELF_LB_BLOCK_BLOCK_UNICAST; +@@ -161,14 +159,13 @@ int mlx5e_refresh_tirs(struct mlx5e_priv *priv, bool enable_uc_lb, + tirn = tir->tirn; + err = mlx5_core_modify_tir(mdev, tirn, in); + if (err) +- goto out; ++ break; + } ++ mutex_unlock(&mdev->mlx5e_res.hw_objs.td.list_lock); + +-out: + kvfree(in); + if (err) + netdev_err(priv->netdev, "refresh tir(0x%x) failed, %d\n", tirn, err); +- mutex_unlock(&mdev->mlx5e_res.hw_objs.td.list_lock); + + return err; + } +-- +2.39.2 + diff --git a/queue-5.15/net-netlink-fix-netlink_list_memberships-length-repo.patch b/queue-5.15/net-netlink-fix-netlink_list_memberships-length-repo.patch new file mode 100644 index 00000000000..d9d0cecb74a --- /dev/null +++ b/queue-5.15/net-netlink-fix-netlink_list_memberships-length-repo.patch @@ -0,0 +1,40 @@ +From e760384a449a57de015c7b94b67d730d0825f6dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:33:35 -0300 +Subject: net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report + +From: Pedro Tammela + +[ Upstream commit f4e4534850a9d18c250a93f8d7fbb51310828110 ] + +The current code for the length calculation wrongly truncates the reported +length of the groups array, causing an under report of the subscribed +groups. To fix this, use 'BITS_TO_BYTES()' which rounds up the +division by 8. + +Fixes: b42be38b2778 ("netlink: add API to retrieve all group memberships") +Signed-off-by: Pedro Tammela +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230529153335.389815-1-pctammela@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 998c736d3ae8b..46c4306ddee7e 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1789,7 +1789,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname, + break; + } + } +- if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen)) ++ if (put_user(ALIGN(BITS_TO_BYTES(nlk->ngroups), sizeof(u32)), optlen)) + err = -EFAULT; + netlink_unlock_table(); + return err; +-- +2.39.2 + diff --git a/queue-5.15/net-sched-fix-null-pointer-dereference-in-mq_attach.patch b/queue-5.15/net-sched-fix-null-pointer-dereference-in-mq_attach.patch new file mode 100644 index 00000000000..ad55bdf9ea5 --- /dev/null +++ b/queue-5.15/net-sched-fix-null-pointer-dereference-in-mq_attach.patch @@ -0,0 +1,93 @@ +From 68df02c56c93ae591a0b9031f5a30617bb6389f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 17:37:47 +0800 +Subject: net: sched: fix NULL pointer dereference in mq_attach + +From: Zhengchao Shao + +[ Upstream commit 36eec020fab668719b541f34d97f44e232ffa165 ] + +When use the following command to test: +1)ip link add bond0 type bond +2)ip link set bond0 up +3)tc qdisc add dev bond0 root handle ffff: mq +4)tc qdisc replace dev bond0 parent ffff:fff1 handle ffff: mq + +The kernel reports NULL pointer dereference issue. The stack information +is as follows: +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 +Internal error: Oops: 0000000096000006 [#1] SMP +Modules linked in: +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : mq_attach+0x44/0xa0 +lr : qdisc_graft+0x20c/0x5cc +sp : ffff80000e2236a0 +x29: ffff80000e2236a0 x28: ffff0000c0e59d80 x27: ffff0000c0be19c0 +x26: ffff0000cae3e800 x25: 0000000000000010 x24: 00000000fffffff1 +x23: 0000000000000000 x22: ffff0000cae3e800 x21: ffff0000c9df4000 +x20: ffff0000c9df4000 x19: 0000000000000000 x18: ffff80000a934000 +x17: ffff8000f5b56000 x16: ffff80000bb08000 x15: 0000000000000000 +x14: 0000000000000000 x13: 6b6b6b6b6b6b6b6b x12: 6b6b6b6b00000001 +x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 +x8 : ffff0000c0be0730 x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008 +x5 : ffff0000cae3e864 x4 : 0000000000000000 x3 : 0000000000000001 +x2 : 0000000000000001 x1 : ffff8000090bc23c x0 : 0000000000000000 +Call trace: +mq_attach+0x44/0xa0 +qdisc_graft+0x20c/0x5cc +tc_modify_qdisc+0x1c4/0x664 +rtnetlink_rcv_msg+0x354/0x440 +netlink_rcv_skb+0x64/0x144 +rtnetlink_rcv+0x28/0x34 +netlink_unicast+0x1e8/0x2a4 +netlink_sendmsg+0x308/0x4a0 +sock_sendmsg+0x64/0xac +____sys_sendmsg+0x29c/0x358 +___sys_sendmsg+0x90/0xd0 +__sys_sendmsg+0x7c/0xd0 +__arm64_sys_sendmsg+0x2c/0x38 +invoke_syscall+0x54/0x114 +el0_svc_common.constprop.1+0x90/0x174 +do_el0_svc+0x3c/0xb0 +el0_svc+0x24/0xec +el0t_64_sync_handler+0x90/0xb4 +el0t_64_sync+0x174/0x178 + +This is because when mq is added for the first time, qdiscs in mq is set +to NULL in mq_attach(). Therefore, when replacing mq after adding mq, we +need to initialize qdiscs in the mq before continuing to graft. Otherwise, +it will couse NULL pointer dereference issue in mq_attach(). And the same +issue will occur in the attach functions of mqprio, taprio and htb. +ffff:fff1 means that the repalce qdisc is ingress. Ingress does not allow +any qdisc to be attached. Therefore, ffff:fff1 is incorrectly used, and +the command should be dropped. + +Fixes: 6ec1c69a8f64 ("net_sched: add classful multiqueue dummy scheduler") +Signed-off-by: Zhengchao Shao +Tested-by: Peilin Ye +Acked-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20230527093747.3583502-1-shaozhengchao@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 651dbcfeada62..328db5e1b0eaf 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1599,6 +1599,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected"); + return -ELOOP; + } ++ if (clid == TC_H_INGRESS) { ++ NL_SET_ERR_MSG(extack, "Ingress cannot graft directly"); ++ return -EINVAL; ++ } + qdisc_refcount_inc(q); + goto graft; + } else { +-- +2.39.2 + diff --git a/queue-5.15/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch b/queue-5.15/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch new file mode 100644 index 00000000000..4aa3be7157f --- /dev/null +++ b/queue-5.15/net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch @@ -0,0 +1,43 @@ +From 8fc0abb1c4e2e035bea2d6fa5faf97367895e8f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 18:28:04 +0800 +Subject: net/sched: flower: fix possible OOB write in fl_set_geneve_opt() + +From: Hangyu Hua + +[ Upstream commit 4d56304e5827c8cc8cc18c75343d283af7c4825c ] + +If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total +size is 252 bytes(key->enc_opts.len = 252) then +key->enc_opts.len = opt->length = data_len / 4 = 0 when the third +TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This +bypasses the next bounds check and results in an out-of-bounds. + +Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") +Signed-off-by: Hangyu Hua +Reviewed-by: Simon Horman +Reviewed-by: Pieter Jansen van Vuuren +Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 32b03a13f9b25..ee137d5c20a4f 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1092,6 +1092,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, + if (option_len > sizeof(struct geneve_opt)) + data_len = option_len - sizeof(struct geneve_opt); + ++ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) ++ return -ERANGE; ++ + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; + memset(opt, 0xff, option_len); + opt->length = data_len / 4; +-- +2.39.2 + diff --git a/queue-5.15/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch b/queue-5.15/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch new file mode 100644 index 00000000000..17a7479a4f0 --- /dev/null +++ b/queue-5.15/net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch @@ -0,0 +1,60 @@ +From 64810f1a3763ac40c8166da596b5f8818ac56286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:54:26 -0700 +Subject: net/sched: Prohibit regrafting ingress or clsact Qdiscs + +From: Peilin Ye + +[ Upstream commit 9de95df5d15baa956c2b70b9e794842e790a8a13 ] + +Currently, after creating an ingress (or clsact) Qdisc and grafting it +under TC_H_INGRESS (TC_H_CLSACT), it is possible to graft it again under +e.g. a TBF Qdisc: + + $ ip link add ifb0 type ifb + $ tc qdisc add dev ifb0 handle 1: root tbf rate 20kbit buffer 1600 limit 3000 + $ tc qdisc add dev ifb0 clsact + $ tc qdisc link dev ifb0 handle ffff: parent 1:1 + $ tc qdisc show dev ifb0 + qdisc tbf 1: root refcnt 2 rate 20Kbit burst 1600b lat 560.0ms + qdisc clsact ffff: parent ffff:fff1 refcnt 2 + ^^^^^^^^ + +clsact's refcount has increased: it is now grafted under both +TC_H_CLSACT and 1:1. + +ingress and clsact Qdiscs should only be used under TC_H_INGRESS +(TC_H_CLSACT). Prohibit regrafting them. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index c3f89547d48b0..651dbcfeada62 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1589,6 +1589,11 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Invalid qdisc name"); + return -EINVAL; + } ++ if (q->flags & TCQ_F_INGRESS) { ++ NL_SET_ERR_MSG(extack, ++ "Cannot regraft ingress or clsact Qdiscs"); ++ return -EINVAL; ++ } + if (q == p || + (p && check_loop(q, p, 0))) { + NL_SET_ERR_MSG(extack, "Qdisc parent/child loop detected"); +-- +2.39.2 + diff --git a/queue-5.15/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch b/queue-5.15/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch new file mode 100644 index 00000000000..27126e3ddda --- /dev/null +++ b/queue-5.15/net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch @@ -0,0 +1,87 @@ +From 4a09d467e25fb5fb07c2966c4bb47cd37595b9a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:54:03 -0700 +Subject: net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) + Qdiscs + +From: Peilin Ye + +[ Upstream commit f85fa45d4a9408d98c46c8fa45ba2e3b2f4bf219 ] + +Currently it is possible to add e.g. an HTB Qdisc under ffff:fff1 +(TC_H_INGRESS, TC_H_CLSACT): + + $ ip link add name ifb0 type ifb + $ tc qdisc add dev ifb0 parent ffff:fff1 htb + $ tc qdisc add dev ifb0 clsact + Error: Exclusivity flag on, cannot modify. + $ drgn + ... + >>> ifb0 = netdev_get_by_name(prog, "ifb0") + >>> qdisc = ifb0.ingress_queue.qdisc_sleeping + >>> print(qdisc.ops.id.string_().decode()) + htb + >>> qdisc.flags.value_() # TCQ_F_INGRESS + 2 + +Only allow ingress and clsact Qdiscs under ffff:fff1. Return -EINVAL +for everything else. Make TCQ_F_INGRESS a static flag of ingress and +clsact Qdiscs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 7 ++++++- + net/sched/sch_ingress.c | 4 ++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 02f62008e468f..c3f89547d48b0 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1223,7 +1223,12 @@ static struct Qdisc *qdisc_create(struct net_device *dev, + sch->parent = parent; + + if (handle == TC_H_INGRESS) { +- sch->flags |= TCQ_F_INGRESS; ++ if (!(sch->flags & TCQ_F_INGRESS)) { ++ NL_SET_ERR_MSG(extack, ++ "Specified parent ID is reserved for ingress and clsact Qdiscs"); ++ err = -EINVAL; ++ goto err_out3; ++ } + handle = TC_H_MAKE(TC_H_INGRESS, 0); + } else { + if (handle == 0) { +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index 35963929e1178..e43a454993723 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -140,7 +140,7 @@ static struct Qdisc_ops ingress_qdisc_ops __read_mostly = { + .cl_ops = &ingress_class_ops, + .id = "ingress", + .priv_size = sizeof(struct ingress_sched_data), +- .static_flags = TCQ_F_CPUSTATS, ++ .static_flags = TCQ_F_INGRESS | TCQ_F_CPUSTATS, + .init = ingress_init, + .destroy = ingress_destroy, + .dump = ingress_dump, +@@ -281,7 +281,7 @@ static struct Qdisc_ops clsact_qdisc_ops __read_mostly = { + .cl_ops = &clsact_class_ops, + .id = "clsact", + .priv_size = sizeof(struct clsact_sched_data), +- .static_flags = TCQ_F_CPUSTATS, ++ .static_flags = TCQ_F_INGRESS | TCQ_F_CPUSTATS, + .init = clsact_init, + .destroy = clsact_destroy, + .dump = ingress_dump, +-- +2.39.2 + diff --git a/queue-5.15/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch b/queue-5.15/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch new file mode 100644 index 00000000000..d5b0eb3fe12 --- /dev/null +++ b/queue-5.15/net-sched-sch_clsact-only-create-under-tc_h_clsact.patch @@ -0,0 +1,52 @@ +From 79a7c0515628a09835f53f29f23068b4fdad95d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:53:21 -0700 +Subject: net/sched: sch_clsact: Only create under TC_H_CLSACT + +From: Peilin Ye + +[ Upstream commit 5eeebfe6c493192b10d516abfd72742900f2a162 ] + +clsact Qdiscs are only supposed to be created under TC_H_CLSACT (which +equals TC_H_INGRESS). Return -EOPNOTSUPP if 'parent' is not +TC_H_CLSACT. + +Fixes: 1f211a1b929c ("net, sched: add clsact qdisc") +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_ingress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index f9ef6deb27709..35963929e1178 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -225,6 +225,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, + struct net_device *dev = qdisc_dev(sch); + int err; + ++ if (sch->parent != TC_H_CLSACT) ++ return -EOPNOTSUPP; ++ + net_inc_ingress_queue(); + net_inc_egress_queue(); + +@@ -254,6 +257,9 @@ static void clsact_destroy(struct Qdisc *sch) + { + struct clsact_sched_data *q = qdisc_priv(sch); + ++ if (sch->parent != TC_H_CLSACT) ++ return; ++ + tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); + tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info); + +-- +2.39.2 + diff --git a/queue-5.15/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch b/queue-5.15/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch new file mode 100644 index 00000000000..5905f426369 --- /dev/null +++ b/queue-5.15/net-sched-sch_ingress-only-create-under-tc_h_ingress.patch @@ -0,0 +1,54 @@ +From 94d72a1f42939f988ad0064c30cdaa00ea5f07c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 12:52:55 -0700 +Subject: net/sched: sch_ingress: Only create under TC_H_INGRESS + +From: Peilin Ye + +[ Upstream commit c7cfbd115001f94de9e4053657946a383147e803 ] + +ingress Qdiscs are only supposed to be created under TC_H_INGRESS. +Return -EOPNOTSUPP if 'parent' is not TC_H_INGRESS, similar to +mq_init(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+b53a9c0d1ea4ad62da8b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/0000000000006cf87705f79acf1a@google.com/ +Tested-by: Pedro Tammela +Acked-by: Jamal Hadi Salim +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Vlad Buslov +Signed-off-by: Peilin Ye +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_ingress.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c +index 84838128b9c5b..f9ef6deb27709 100644 +--- a/net/sched/sch_ingress.c ++++ b/net/sched/sch_ingress.c +@@ -80,6 +80,9 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt, + struct net_device *dev = qdisc_dev(sch); + int err; + ++ if (sch->parent != TC_H_INGRESS) ++ return -EOPNOTSUPP; ++ + net_inc_ingress_queue(); + + mini_qdisc_pair_init(&q->miniqp, sch, &dev->miniq_ingress); +@@ -101,6 +104,9 @@ static void ingress_destroy(struct Qdisc *sch) + { + struct ingress_sched_data *q = qdisc_priv(sch); + ++ if (sch->parent != TC_H_INGRESS) ++ return; ++ + tcf_block_put_ext(q->block, sch, &q->block_info); + net_dec_ingress_queue(); + } +-- +2.39.2 + diff --git a/queue-5.15/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch b/queue-5.15/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch new file mode 100644 index 00000000000..1c4668cd300 --- /dev/null +++ b/queue-5.15/netfilter-conntrack-define-variables-exp_nat_nla_pol.patch @@ -0,0 +1,63 @@ +From 0d713464084a5538a8d4f8766b54170431edd933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 10:00:10 -0400 +Subject: netfilter: conntrack: define variables exp_nat_nla_policy and + any_addr with CONFIG_NF_NAT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom Rix + +[ Upstream commit 224a876e37543eee111bf9b6aa4935080e619335 ] + +gcc with W=1 and ! CONFIG_NF_NAT +net/netfilter/nf_conntrack_netlink.c:3463:32: error: + ‘exp_nat_nla_policy’ defined but not used [-Werror=unused-const-variable=] + 3463 | static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { + | ^~~~~~~~~~~~~~~~~~ +net/netfilter/nf_conntrack_netlink.c:2979:33: error: + ‘any_addr’ defined but not used [-Werror=unused-const-variable=] + 2979 | static const union nf_inet_addr any_addr; + | ^~~~~~~~ + +These variables use is controlled by CONFIG_NF_NAT, so should their definitions. + +Signed-off-by: Tom Rix +Reviewed-by: Simon Horman +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_netlink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 0b8b8cb42a8ab..c427f7625a3b5 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -2992,7 +2992,9 @@ static int ctnetlink_exp_dump_mask(struct sk_buff *skb, + return -1; + } + ++#if IS_ENABLED(CONFIG_NF_NAT) + static const union nf_inet_addr any_addr; ++#endif + + static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) + { +@@ -3471,10 +3473,12 @@ ctnetlink_change_expect(struct nf_conntrack_expect *x, + return 0; + } + ++#if IS_ENABLED(CONFIG_NF_NAT) + static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { + [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, + [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, + }; ++#endif + + static int + ctnetlink_parse_expect_nat(const struct nlattr *attr, +-- +2.39.2 + diff --git a/queue-5.15/netrom-fix-info-leak-in-nr_write_internal.patch b/queue-5.15/netrom-fix-info-leak-in-nr_write_internal.patch new file mode 100644 index 00000000000..8a0a8fd0bfe --- /dev/null +++ b/queue-5.15/netrom-fix-info-leak-in-nr_write_internal.patch @@ -0,0 +1,85 @@ +From dac2307ea29195d174f174d0e412fe94126b68b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 14:14:56 +0000 +Subject: netrom: fix info-leak in nr_write_internal() + +From: Eric Dumazet + +[ Upstream commit 31642e7089df8fd3f54ca7843f7ee2952978cad1 ] + +Simon Kapadia reported the following issue: + + + +The Online Amateur Radio Community (OARC) has recently been experimenting +with building a nationwide packet network in the UK. +As part of our experimentation, we have been testing out packet on 300bps HF, +and playing with net/rom. For HF packet at this baud rate you really need +to make sure that your MTU is relatively low; AX.25 suggests a PACLEN of 60, +and a net/rom PACLEN of 40 to go with that. +However the Linux net/rom support didn't work with a low PACLEN; +the mkiss module would truncate packets if you set the PACLEN below about 200 or so, e.g.: + +Apr 19 14:00:51 radio kernel: [12985.747310] mkiss: ax1: truncating oversized transmit packet! + +This didn't make any sense to me (if the packets are smaller why would they +be truncated?) so I started investigating. +I looked at the packets using ethereal, and found that many were just huge +compared to what I would expect. +A simple net/rom connection request packet had the request and then a bunch +of what appeared to be random data following it: + + + +Simon provided a patch that I slightly revised: +Not only we must not use skb_tailroom(), we also do +not want to count NR_NETWORK_LEN twice. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Co-Developed-by: Simon Kapadia +Signed-off-by: Simon Kapadia +Signed-off-by: Eric Dumazet +Tested-by: Simon Kapadia +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230524141456.1045467-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netrom/nr_subr.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netrom/nr_subr.c b/net/netrom/nr_subr.c +index 3f99b432ea707..e2d2af924cff4 100644 +--- a/net/netrom/nr_subr.c ++++ b/net/netrom/nr_subr.c +@@ -123,7 +123,7 @@ void nr_write_internal(struct sock *sk, int frametype) + unsigned char *dptr; + int len, timeout; + +- len = NR_NETWORK_LEN + NR_TRANSPORT_LEN; ++ len = NR_TRANSPORT_LEN; + + switch (frametype & 0x0F) { + case NR_CONNREQ: +@@ -141,7 +141,8 @@ void nr_write_internal(struct sock *sk, int frametype) + return; + } + +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) ++ skb = alloc_skb(NR_NETWORK_LEN + len, GFP_ATOMIC); ++ if (!skb) + return; + + /* +@@ -149,7 +150,7 @@ void nr_write_internal(struct sock *sk, int frametype) + */ + skb_reserve(skb, NR_NETWORK_LEN); + +- dptr = skb_put(skb, skb_tailroom(skb)); ++ dptr = skb_put(skb, len); + + switch (frametype & 0x0F) { + case NR_CONNREQ: +-- +2.39.2 + diff --git a/queue-5.15/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch b/queue-5.15/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch new file mode 100644 index 00000000000..c562bad9748 --- /dev/null +++ b/queue-5.15/nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch @@ -0,0 +1,36 @@ +From 42535cab0ce1a054360f5aa69310066470e5a35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 09:53:45 +0200 +Subject: nvme-multipath: don't call blk_mark_disk_dead in + nvme_mpath_remove_disk + +From: Christoph Hellwig + +[ Upstream commit 1743e5f6000901a11f4e1cd741bfa9136f3ec9b1 ] + +nvme_mpath_remove_disk is called after del_gendisk, at which point a +blk_mark_disk_dead call doesn't make any sense. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 8d97b942de01f..73eddb67f0d24 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -821,7 +821,6 @@ void nvme_mpath_remove_disk(struct nvme_ns_head *head) + { + if (!head->disk) + return; +- blk_mark_disk_dead(head->disk); + /* make sure all pending bios are cleaned up */ + kblockd_schedule_work(&head->requeue_work); + flush_work(&head->requeue_work); +-- +2.39.2 + diff --git a/queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch b/queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch new file mode 100644 index 00000000000..4fbd427e89a --- /dev/null +++ b/queue-5.15/nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch @@ -0,0 +1,37 @@ +From 9465e7ef4d6b4c8b585c6073b6a75451329ad19d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 18:57:33 +0300 +Subject: nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G + +From: Sagi Grimberg + +[ Upstream commit 1616d6c3717bae9041a4240d381ec56ccdaafedc ] + +Add a quirk to fix HS-SSD-FUTURE 2048G SSD drives reporting duplicate +nsids. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217384 +Reported-by: Andrey God +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index c3acef6c32917..bfb9ddec9f887 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3403,6 +3403,8 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE(0x10ec, 0x5763), /* TEAMGROUP T-FORCE CARDEA ZERO Z330 SSD */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x1e4b, 0x1602), /* HS-SSD-FUTURE 2048G */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061), + .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065), +-- +2.39.2 + diff --git a/queue-5.15/nvme-pci-add-quirk-for-missing-secondary-temperature.patch b/queue-5.15/nvme-pci-add-quirk-for-missing-secondary-temperature.patch new file mode 100644 index 00000000000..5a9742e8c4c --- /dev/null +++ b/queue-5.15/nvme-pci-add-quirk-for-missing-secondary-temperature.patch @@ -0,0 +1,79 @@ +From 6c34757f9d2db6eb4ecf777e058e505f374d9bb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 22:58:54 +0300 +Subject: nvme-pci: add quirk for missing secondary temperature thresholds + +From: Hristo Venev + +[ Upstream commit bd375feeaf3408ed00e08c3bc918d6be15f691ad ] + +On Kingston KC3000 and Kingston FURY Renegade (both have the same PCI +IDs) accessing temp3_{min,max} fails with an invalid field error (note +that there is no problem setting the thresholds for temp1). + +This contradicts the NVM Express Base Specification 2.0b, page 292: + + The over temperature threshold and under temperature threshold + features shall be implemented for all implemented temperature sensors + (i.e., all Temperature Sensor fields that report a non-zero value). + +Define NVME_QUIRK_NO_SECONDARY_TEMP_THRESH that disables the thresholds +for all but the composite temperature and set it for this device. + +Signed-off-by: Hristo Venev +Reviewed-by: Guenter Roeck +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/hwmon.c | 4 +++- + drivers/nvme/host/nvme.h | 5 +++++ + drivers/nvme/host/pci.c | 2 ++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/hwmon.c b/drivers/nvme/host/hwmon.c +index 9e6e56c20ec99..316f3e4ca7cc6 100644 +--- a/drivers/nvme/host/hwmon.c ++++ b/drivers/nvme/host/hwmon.c +@@ -163,7 +163,9 @@ static umode_t nvme_hwmon_is_visible(const void *_data, + case hwmon_temp_max: + case hwmon_temp_min: + if ((!channel && data->ctrl->wctemp) || +- (channel && data->log->temp_sensor[channel - 1])) { ++ (channel && data->log->temp_sensor[channel - 1] && ++ !(data->ctrl->quirks & ++ NVME_QUIRK_NO_SECONDARY_TEMP_THRESH))) { + if (data->ctrl->quirks & + NVME_QUIRK_NO_TEMP_THRESH_CHANGE) + return 0444; +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 39ca48babbe82..590ffa3e1c497 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -149,6 +149,11 @@ enum nvme_quirks { + * Reports garbage in the namespace identifiers (eui64, nguid, uuid). + */ + NVME_QUIRK_BOGUS_NID = (1 << 18), ++ ++ /* ++ * No temperature thresholds for channels other than 0 (Composite). ++ */ ++ NVME_QUIRK_NO_SECONDARY_TEMP_THRESH = (1 << 19), + }; + + /* +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index bfb9ddec9f887..e284511ca6670 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3368,6 +3368,8 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, + { PCI_DEVICE(0x2646, 0x2263), /* KINGSTON A2000 NVMe SSD */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, ++ { PCI_DEVICE(0x2646, 0x5013), /* Kingston KC3000, Kingston FURY Renegade */ ++ .driver_data = NVME_QUIRK_NO_SECONDARY_TEMP_THRESH, }, + { PCI_DEVICE(0x2646, 0x5018), /* KINGSTON OM8SFP4xxxxP OS21012 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x5016), /* KINGSTON OM3PGP4xxxxP OS21011 NVMe SSD */ +-- +2.39.2 + diff --git a/queue-5.15/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch b/queue-5.15/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch new file mode 100644 index 00000000000..a83b2e89fdf --- /dev/null +++ b/queue-5.15/nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch @@ -0,0 +1,37 @@ +From 4548495a9440e15b0cd4419fcff686a7f6b2d5f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 14:32:32 -0700 +Subject: nvme-pci: Add quirk for Teamgroup MP33 SSD + +From: Daniel Smith + +[ Upstream commit 0649728123cf6a5518e154b4e1735fc85ea4f55c ] + +Add a quirk for Teamgroup MP33 that reports duplicate ids for disk. + +Signed-off-by: Daniel Smith +[kch: patch formatting] +Signed-off-by: Chaitanya Kulkarni +Tested-by: Daniel Smith +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index e284511ca6670..d04c06e07fbb2 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3407,6 +3407,8 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1e4b, 0x1602), /* HS-SSD-FUTURE 2048G */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x10ec, 0x5765), /* TEAMGROUP MP33 2TB SSD */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061), + .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065), +-- +2.39.2 + diff --git a/queue-5.15/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch b/queue-5.15/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch new file mode 100644 index 00000000000..4ee582c4739 --- /dev/null +++ b/queue-5.15/platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch @@ -0,0 +1,39 @@ +From 12f7cc623de8168fd648ab133977ba9c91c7c6f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 17:49:32 +0200 +Subject: platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield + +From: Julian Winkler + +[ Upstream commit 4a9b6850c794e4394cad99e2b863d75f5bc8e92f ] + +This id was removed in commit b47018a778c1 ("platform/x86: intel_scu_ipc: +Remove Lincroft support"), saying it is only used on Moorestown, +but apparently the same id is also used on Medfield. + +Tested on the Medfield based Motorola RAZR i smartphone. + +Signed-off-by: Julian Winkler +Link: https://lore.kernel.org/r/20230416154932.6579-1-julian.winkler1@web.de +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel_scu_pcidrv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/intel_scu_pcidrv.c b/drivers/platform/x86/intel_scu_pcidrv.c +index 80abc708e4f2f..d904fad499aa5 100644 +--- a/drivers/platform/x86/intel_scu_pcidrv.c ++++ b/drivers/platform/x86/intel_scu_pcidrv.c +@@ -34,6 +34,7 @@ static int intel_scu_pci_probe(struct pci_dev *pdev, + + static const struct pci_device_id pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x080e) }, ++ { PCI_VDEVICE(INTEL, 0x082a) }, + { PCI_VDEVICE(INTEL, 0x08ea) }, + { PCI_VDEVICE(INTEL, 0x0a94) }, + { PCI_VDEVICE(INTEL, 0x11a0) }, +-- +2.39.2 + diff --git a/queue-5.15/rdma-bnxt_re-fix-a-possible-memory-leak.patch b/queue-5.15/rdma-bnxt_re-fix-a-possible-memory-leak.patch new file mode 100644 index 00000000000..dfdb254bc32 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-a-possible-memory-leak.patch @@ -0,0 +1,59 @@ +From dbb3fcb3f740609272de49139503081fe18ca8f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 01:10:59 -0700 +Subject: RDMA/bnxt_re: Fix a possible memory leak + +From: Kalesh AP + +[ Upstream commit 349e3c0cf239cc01d58a1e6c749e171de014cd6a ] + +Inside bnxt_qplib_create_cq(), when the check for NULL DPI fails, driver +returns directly without freeing the memory allocated inside +bnxt_qplib_alloc_init_hwq() routine. + +Fixed this by moving the check for NULL DPI before invoking +bnxt_qplib_alloc_init_hwq(). + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684397461-23082-2-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Kashyap Desai +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index bd153aa7e9ab3..b26a89187a192 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2041,6 +2041,12 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq) + u32 pg_sz_lvl; + int rc; + ++ if (!cq->dpi) { ++ dev_err(&rcfw->pdev->dev, ++ "FP: CREATE_CQ failed due to NULL DPI\n"); ++ return -EINVAL; ++ } ++ + hwq_attr.res = res; + hwq_attr.depth = cq->max_wqe; + hwq_attr.stride = sizeof(struct cq_base); +@@ -2052,11 +2058,6 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq) + + RCFW_CMD_PREP(req, CREATE_CQ, cmd_flags); + +- if (!cq->dpi) { +- dev_err(&rcfw->pdev->dev, +- "FP: CREATE_CQ failed due to NULL DPI\n"); +- return -EINVAL; +- } + req.dpi = cpu_to_le32(cq->dpi->dpi); + req.cq_handle = cpu_to_le64(cq->cq_handle); + req.cq_size = cpu_to_le32(cq->hwq.max_elements); +-- +2.39.2 + diff --git a/queue-5.15/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch b/queue-5.15/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch new file mode 100644 index 00000000000..05c7b195471 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch @@ -0,0 +1,42 @@ +From 655fcbf0892f4e1415d9d2fe40ed809c85308daf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 01:11:00 -0700 +Subject: RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx + +From: Kalesh AP + +[ Upstream commit 0fa0d520e2a878cb4c94c4dc84395905d3f14f54 ] + +bnxt_re_process_raw_qp_pkt_rx() always return 0 and ignores the return +value of bnxt_re_post_send_shadow_qp(). + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684397461-23082-3-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Hongguang Gao +Reviewed-by: Ajit Khaparde +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index b7ec3a3926785..843d0b5d99acd 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -3235,9 +3235,7 @@ static int bnxt_re_process_raw_qp_pkt_rx(struct bnxt_re_qp *gsi_qp, + udwr.remote_qkey = gsi_sqp->qplib_qp.qkey; + + /* post data received in the send queue */ +- rc = bnxt_re_post_send_shadow_qp(rdev, gsi_sqp, swr); +- +- return 0; ++ return bnxt_re_post_send_shadow_qp(rdev, gsi_sqp, swr); + } + + static void bnxt_re_process_res_rawqp1_wc(struct ib_wc *wc, +-- +2.39.2 + diff --git a/queue-5.15/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch b/queue-5.15/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch new file mode 100644 index 00000000000..40a8545e667 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch @@ -0,0 +1,83 @@ +From 694c1480bbfb26ca116c8df6ad23ede8dd606f3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 11:29:29 -0700 +Subject: RDMA/bnxt_re: Fix the page_size used during the MR creation + +From: Selvin Xavier + +[ Upstream commit 08c7f09356e45d093d1867c7a3c6ac6526e2f98b ] + +Driver populates the list of pages used for Memory region wrongly when +page size is more than system page size. This is causing a failure when +some of the applications that creates MR with page size as 2M. Since HW +can support multiple page sizes, pass the correct page size while creating +the MR. + +Also, driver need not adjust the number of pages when HW Queues are +created with user memory. It should work with the number of dma blocks +returned by ib_umem_num_dma_blocks. Fix this calculation also. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Fixes: f6919d56388c ("RDMA/bnxt_re: Code refactor while populating user MRs") +Link: https://lore.kernel.org/r/1683484169-9539-1-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Kashyap Desai +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 12 ++---------- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 7 +++---- + 2 files changed, 5 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 44282a8cdd4f2..384d41072c63c 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -215,17 +215,9 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + return -EINVAL; + hwq_attr->sginfo->npages = npages; + } else { +- unsigned long sginfo_num_pages = ib_umem_num_dma_blocks( +- hwq_attr->sginfo->umem, hwq_attr->sginfo->pgsize); +- ++ npages = ib_umem_num_dma_blocks(hwq_attr->sginfo->umem, ++ hwq_attr->sginfo->pgsize); + hwq->is_user = true; +- npages = sginfo_num_pages; +- npages = (npages * PAGE_SIZE) / +- BIT_ULL(hwq_attr->sginfo->pgshft); +- if ((sginfo_num_pages * PAGE_SIZE) % +- BIT_ULL(hwq_attr->sginfo->pgshft)) +- if (!npages) +- npages++; + } + + if (npages == MAX_PBL_LVL_0_PGS) { +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +index 3d9259632eb3d..a161e0d3cb444 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -680,16 +680,15 @@ int bnxt_qplib_reg_mr(struct bnxt_qplib_res *res, struct bnxt_qplib_mrw *mr, + /* Free the hwq if it already exist, must be a rereg */ + if (mr->hwq.max_elements) + bnxt_qplib_free_hwq(res, &mr->hwq); +- /* Use system PAGE_SIZE */ + hwq_attr.res = res; + hwq_attr.depth = pages; +- hwq_attr.stride = buf_pg_size; ++ hwq_attr.stride = sizeof(dma_addr_t); + hwq_attr.type = HWQ_TYPE_MR; + hwq_attr.sginfo = &sginfo; + hwq_attr.sginfo->umem = umem; + hwq_attr.sginfo->npages = pages; +- hwq_attr.sginfo->pgsize = PAGE_SIZE; +- hwq_attr.sginfo->pgshft = PAGE_SHIFT; ++ hwq_attr.sginfo->pgsize = buf_pg_size; ++ hwq_attr.sginfo->pgshft = ilog2(buf_pg_size); + rc = bnxt_qplib_alloc_init_hwq(&mr->hwq, &hwq_attr); + if (rc) { + dev_err(&res->pdev->dev, +-- +2.39.2 + diff --git a/queue-5.15/rdma-efa-fix-unsupported-page-sizes-in-device.patch b/queue-5.15/rdma-efa-fix-unsupported-page-sizes-in-device.patch new file mode 100644 index 00000000000..4917cc00602 --- /dev/null +++ b/queue-5.15/rdma-efa-fix-unsupported-page-sizes-in-device.patch @@ -0,0 +1,42 @@ +From 78e9b27180bed77018deea2565da4eb0eb3330a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 11:51:03 +0000 +Subject: RDMA/efa: Fix unsupported page sizes in device + +From: Yonatan Nachum + +[ Upstream commit 866422cdddcdf59d8c68e9472d49ba1be29b5fcf ] + +Device uses 4KB size blocks for user pages indirect list while the +driver creates those blocks with the size of PAGE_SIZE of the kernel. On +kernels with PAGE_SIZE different than 4KB (ARM RHEL), this leads to a +failure on register MR with indirect list because of the miss +communication between driver and device. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://lore.kernel.org/r/20230511115103.13876-1-ynachum@amazon.com +Reviewed-by: Firas Jahjah +Reviewed-by: Michael Margolin +Signed-off-by: Yonatan Nachum +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index e5f9d90aad5ee..1aab6c3e9f539 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1334,7 +1334,7 @@ static int pbl_continuous_initialize(struct efa_dev *dev, + */ + static int pbl_indirect_initialize(struct efa_dev *dev, struct pbl_context *pbl) + { +- u32 size_in_pages = DIV_ROUND_UP(pbl->pbl_buf_size_in_bytes, PAGE_SIZE); ++ u32 size_in_pages = DIV_ROUND_UP(pbl->pbl_buf_size_in_bytes, EFA_CHUNK_PAYLOAD_SIZE); + struct scatterlist *sgl; + int sg_dma_cnt, err; + +-- +2.39.2 + diff --git a/queue-5.15/rdma-hns-fix-base-address-table-allocation.patch b/queue-5.15/rdma-hns-fix-base-address-table-allocation.patch new file mode 100644 index 00000000000..80fb1b552ab --- /dev/null +++ b/queue-5.15/rdma-hns-fix-base-address-table-allocation.patch @@ -0,0 +1,103 @@ +From 36415c41519c85009f97a67630a669fb9f58bed8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:22:44 +0800 +Subject: RDMA/hns: Fix base address table allocation + +From: Chengchang Tang + +[ Upstream commit 7f3969b14f356dd65fa95b3528eb05c32e68bc06 ] + +For hns, the specification of an entry like resource (E.g. WQE/CQE/EQE) +depends on BT page size, buf page size and hopnum. For user mode, the buf +page size depends on UMEM. Therefore, the actual specification is +controlled by BT page size and hopnum. + +The current BT page size and hopnum are obtained from firmware. This makes +the driver inflexible and introduces unnecessary constraints. Resource +allocation failures occur in many scenarios. + +This patch will calculate whether the BT page size set by firmware is +sufficient before allocating BT, and increase the BT page size if it is +insufficient. + +Fixes: 1133401412a9 ("RDMA/hns: Optimize base address table config flow for qp buffer") +Link: https://lore.kernel.org/r/20230512092245.344442-3-huangjunxian6@hisilicon.com +Signed-off-by: Chengchang Tang +Signed-off-by: Junxian Huang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_mr.c | 43 +++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index a593c142cd6ba..12c482f4a1c48 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" + #include "hns_roce_hem.h" +@@ -938,6 +939,44 @@ static int mtr_init_buf_cfg(struct hns_roce_dev *hr_dev, + return page_cnt; + } + ++static u64 cal_pages_per_l1ba(unsigned int ba_per_bt, unsigned int hopnum) ++{ ++ return int_pow(ba_per_bt, hopnum - 1); ++} ++ ++static unsigned int cal_best_bt_pg_sz(struct hns_roce_dev *hr_dev, ++ struct hns_roce_mtr *mtr, ++ unsigned int pg_shift) ++{ ++ unsigned long cap = hr_dev->caps.page_size_cap; ++ struct hns_roce_buf_region *re; ++ unsigned int pgs_per_l1ba; ++ unsigned int ba_per_bt; ++ unsigned int ba_num; ++ int i; ++ ++ for_each_set_bit_from(pg_shift, &cap, sizeof(cap) * BITS_PER_BYTE) { ++ if (!(BIT(pg_shift) & cap)) ++ continue; ++ ++ ba_per_bt = BIT(pg_shift) / BA_BYTE_LEN; ++ ba_num = 0; ++ for (i = 0; i < mtr->hem_cfg.region_count; i++) { ++ re = &mtr->hem_cfg.region[i]; ++ if (re->hopnum == 0) ++ continue; ++ ++ pgs_per_l1ba = cal_pages_per_l1ba(ba_per_bt, re->hopnum); ++ ba_num += DIV_ROUND_UP(re->count, pgs_per_l1ba); ++ } ++ ++ if (ba_num <= ba_per_bt) ++ return pg_shift; ++ } ++ ++ return 0; ++} ++ + static int mtr_alloc_mtt(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr, + unsigned int ba_page_shift) + { +@@ -946,6 +985,10 @@ static int mtr_alloc_mtt(struct hns_roce_dev *hr_dev, struct hns_roce_mtr *mtr, + + hns_roce_hem_list_init(&mtr->hem_list); + if (!cfg->is_direct) { ++ ba_page_shift = cal_best_bt_pg_sz(hr_dev, mtr, ba_page_shift); ++ if (!ba_page_shift) ++ return -ERANGE; ++ + ret = hns_roce_hem_list_request(hr_dev, &mtr->hem_list, + cfg->region, cfg->region_count, + ba_page_shift); +-- +2.39.2 + diff --git a/queue-5.15/rdma-hns-modify-the-value-of-long-message-loopback-s.patch b/queue-5.15/rdma-hns-modify-the-value-of-long-message-loopback-s.patch new file mode 100644 index 00000000000..1ff1cbd493d --- /dev/null +++ b/queue-5.15/rdma-hns-modify-the-value-of-long-message-loopback-s.patch @@ -0,0 +1,61 @@ +From 9470b2292e75959406f816bba22116e0c91a4054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:22:45 +0800 +Subject: RDMA/hns: Modify the value of long message loopback slice + +From: Yangyang Li + +[ Upstream commit 56518a603fd2bf74762d176ac980572db84a3e14 ] + +Long message loopback slice is used for achieving traffic balance between +QPs. It prevents the problem that QPs with large traffic occupying the +hardware pipeline for a long time and QPs with small traffic cannot be +scheduled. + +Currently, its maximum value is set to 16K, which means only after a QP +sends 16K will the second QP be scheduled. This value is too large, which +will lead to unbalanced traffic scheduling, and thus it needs to be +modified. + +The setting range of the long message loopback slice is modified to be +from 1024 (the lower limit supported by hardware) to mtu. Actual testing +shows that this value can significantly reduce error in hardware traffic +scheduling. + +This solution is compatible with both HIP08 and HIP09. The modified +lp_pktn_ini has a maximum value of 2 (when mtu is 256), so the range +checking code for lp_pktn_ini is no longer necessary and needs to be +deleted. + +Fixes: 0e60778efb07 ("RDMA/hns: Modify the value of MAX_LP_MSG_LEN to meet hardware compatibility") +Link: https://lore.kernel.org/r/20230512092245.344442-4-huangjunxian6@hisilicon.com +Signed-off-by: Yangyang Li +Signed-off-by: Junxian Huang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 79d92b7899849..8c02b51c8bffc 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4393,11 +4393,9 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + mtu = ib_mtu_enum_to_int(ib_mtu); + if (WARN_ON(mtu <= 0)) + return -EINVAL; +-#define MAX_LP_MSG_LEN 16384 +- /* MTU * (2 ^ LP_PKTN_INI) shouldn't be bigger than 16KB */ +- lp_pktn_ini = ilog2(MAX_LP_MSG_LEN / mtu); +- if (WARN_ON(lp_pktn_ini >= 0xF)) +- return -EINVAL; ++#define MIN_LP_MSG_LEN 1024 ++ /* mtu * (2 ^ lp_pktn_ini) should be in the range of 1024 to mtu */ ++ lp_pktn_ini = ilog2(max(mtu, MIN_LP_MSG_LEN) / mtu); + + if (attr_mask & IB_QP_PATH_MTU) { + hr_reg_write(context, QPC_MTU, ib_mtu); +-- +2.39.2 + diff --git a/queue-5.15/rdma-irdma-add-sw-mechanism-to-generate-completions-.patch b/queue-5.15/rdma-irdma-add-sw-mechanism-to-generate-completions-.patch new file mode 100644 index 00000000000..f93823dc577 --- /dev/null +++ b/queue-5.15/rdma-irdma-add-sw-mechanism-to-generate-completions-.patch @@ -0,0 +1,461 @@ +From 8c3ac1290ba3d1ba530f57b06b78dae73a2bf492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Apr 2022 13:16:24 -0500 +Subject: RDMA/irdma: Add SW mechanism to generate completions on error + +From: Mustafa Ismail + +[ Upstream commit 81091d7696ae71627ff80bbf2c6b0986d2c1cce3 ] + +HW flushes after QP in error state is not reliable. This can lead to + application hang waiting on a completion for outstanding WRs. Implement a +SW mechanism to generate completions for any outstanding WR's after the QP +is modified to error. + +This is accomplished by starting a delayed worker after the QP is modified +to error and the HW flush is performed. The worker will generate +completions that will be returned to the application when it polls the +CQ. This mechanism only applies to Kernel applications. + +Link: https://lore.kernel.org/r/20220425181624.1617-1-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Stable-dep-of: c8f304d75f6c ("RDMA/irdma: Prevent QP use after free") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/hw.c | 31 +++--- + drivers/infiniband/hw/irdma/utils.c | 147 ++++++++++++++++++++++++++++ + drivers/infiniband/hw/irdma/verbs.c | 56 ++++++----- + drivers/infiniband/hw/irdma/verbs.h | 13 ++- + 4 files changed, 210 insertions(+), 37 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c +index 3b070cb3c4da7..2159470d7f7f4 100644 +--- a/drivers/infiniband/hw/irdma/hw.c ++++ b/drivers/infiniband/hw/irdma/hw.c +@@ -62,7 +62,7 @@ static void irdma_iwarp_ce_handler(struct irdma_sc_cq *iwcq) + struct irdma_cq *cq = iwcq->back_cq; + + if (!cq->user_mode) +- cq->armed = false; ++ atomic_set(&cq->armed, 0); + if (cq->ibcq.comp_handler) + cq->ibcq.comp_handler(&cq->ibcq, cq->ibcq.cq_context); + } +@@ -2711,24 +2711,29 @@ void irdma_flush_wqes(struct irdma_qp *iwqp, u32 flush_mask) + info.sq = flush_mask & IRDMA_FLUSH_SQ; + info.rq = flush_mask & IRDMA_FLUSH_RQ; + +- if (flush_mask & IRDMA_REFLUSH) { +- if (info.sq) +- iwqp->sc_qp.flush_sq = false; +- if (info.rq) +- iwqp->sc_qp.flush_rq = false; +- } +- + /* Generate userflush errors in CQE */ + info.sq_major_code = IRDMA_FLUSH_MAJOR_ERR; + info.sq_minor_code = FLUSH_GENERAL_ERR; + info.rq_major_code = IRDMA_FLUSH_MAJOR_ERR; + info.rq_minor_code = FLUSH_GENERAL_ERR; + info.userflushcode = true; +- if (flush_code) { +- if (info.sq && iwqp->sc_qp.sq_flush_code) +- info.sq_minor_code = flush_code; +- if (info.rq && iwqp->sc_qp.rq_flush_code) +- info.rq_minor_code = flush_code; ++ ++ if (flush_mask & IRDMA_REFLUSH) { ++ if (info.sq) ++ iwqp->sc_qp.flush_sq = false; ++ if (info.rq) ++ iwqp->sc_qp.flush_rq = false; ++ } else { ++ if (flush_code) { ++ if (info.sq && iwqp->sc_qp.sq_flush_code) ++ info.sq_minor_code = flush_code; ++ if (info.rq && iwqp->sc_qp.rq_flush_code) ++ info.rq_minor_code = flush_code; ++ } ++ if (!iwqp->user_mode) ++ queue_delayed_work(iwqp->iwdev->cleanup_wq, ++ &iwqp->dwork_flush, ++ msecs_to_jiffies(IRDMA_FLUSH_DELAY_MS)); + } + + /* Issue flush */ +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index db7d0a3000699..af4034aabaca5 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -2558,3 +2558,150 @@ bool irdma_cq_empty(struct irdma_cq *iwcq) + + return polarity != ukcq->polarity; + } ++ ++void irdma_remove_cmpls_list(struct irdma_cq *iwcq) ++{ ++ struct irdma_cmpl_gen *cmpl_node; ++ struct list_head *tmp_node, *list_node; ++ ++ list_for_each_safe (list_node, tmp_node, &iwcq->cmpl_generated) { ++ cmpl_node = list_entry(list_node, struct irdma_cmpl_gen, list); ++ list_del(&cmpl_node->list); ++ kfree(cmpl_node); ++ } ++} ++ ++int irdma_generated_cmpls(struct irdma_cq *iwcq, struct irdma_cq_poll_info *cq_poll_info) ++{ ++ struct irdma_cmpl_gen *cmpl; ++ ++ if (list_empty(&iwcq->cmpl_generated)) ++ return -ENOENT; ++ cmpl = list_first_entry_or_null(&iwcq->cmpl_generated, struct irdma_cmpl_gen, list); ++ list_del(&cmpl->list); ++ memcpy(cq_poll_info, &cmpl->cpi, sizeof(*cq_poll_info)); ++ kfree(cmpl); ++ ++ ibdev_dbg(iwcq->ibcq.device, ++ "VERBS: %s: Poll artificially generated completion for QP 0x%X, op %u, wr_id=0x%llx\n", ++ __func__, cq_poll_info->qp_id, cq_poll_info->op_type, ++ cq_poll_info->wr_id); ++ ++ return 0; ++} ++ ++/** ++ * irdma_set_cpi_common_values - fill in values for polling info struct ++ * @cpi: resulting structure of cq_poll_info type ++ * @qp: QPair ++ * @qp_num: id of the QP ++ */ ++static void irdma_set_cpi_common_values(struct irdma_cq_poll_info *cpi, ++ struct irdma_qp_uk *qp, u32 qp_num) ++{ ++ cpi->comp_status = IRDMA_COMPL_STATUS_FLUSHED; ++ cpi->error = true; ++ cpi->major_err = IRDMA_FLUSH_MAJOR_ERR; ++ cpi->minor_err = FLUSH_GENERAL_ERR; ++ cpi->qp_handle = (irdma_qp_handle)(uintptr_t)qp; ++ cpi->qp_id = qp_num; ++} ++ ++static inline void irdma_comp_handler(struct irdma_cq *cq) ++{ ++ if (!cq->ibcq.comp_handler) ++ return; ++ if (atomic_cmpxchg(&cq->armed, 1, 0)) ++ cq->ibcq.comp_handler(&cq->ibcq, cq->ibcq.cq_context); ++} ++ ++void irdma_generate_flush_completions(struct irdma_qp *iwqp) ++{ ++ struct irdma_qp_uk *qp = &iwqp->sc_qp.qp_uk; ++ struct irdma_ring *sq_ring = &qp->sq_ring; ++ struct irdma_ring *rq_ring = &qp->rq_ring; ++ struct irdma_cmpl_gen *cmpl; ++ __le64 *sw_wqe; ++ u64 wqe_qword; ++ u32 wqe_idx; ++ bool compl_generated = false; ++ unsigned long flags1; ++ ++ spin_lock_irqsave(&iwqp->iwscq->lock, flags1); ++ if (irdma_cq_empty(iwqp->iwscq)) { ++ unsigned long flags2; ++ ++ spin_lock_irqsave(&iwqp->lock, flags2); ++ while (IRDMA_RING_MORE_WORK(*sq_ring)) { ++ cmpl = kzalloc(sizeof(*cmpl), GFP_ATOMIC); ++ if (!cmpl) { ++ spin_unlock_irqrestore(&iwqp->lock, flags2); ++ spin_unlock_irqrestore(&iwqp->iwscq->lock, flags1); ++ return; ++ } ++ ++ wqe_idx = sq_ring->tail; ++ irdma_set_cpi_common_values(&cmpl->cpi, qp, qp->qp_id); ++ ++ cmpl->cpi.wr_id = qp->sq_wrtrk_array[wqe_idx].wrid; ++ sw_wqe = qp->sq_base[wqe_idx].elem; ++ get_64bit_val(sw_wqe, 24, &wqe_qword); ++ cmpl->cpi.op_type = (u8)FIELD_GET(IRDMAQPSQ_OPCODE, IRDMAQPSQ_OPCODE); ++ /* remove the SQ WR by moving SQ tail*/ ++ IRDMA_RING_SET_TAIL(*sq_ring, ++ sq_ring->tail + qp->sq_wrtrk_array[sq_ring->tail].quanta); ++ ++ ibdev_dbg(iwqp->iwscq->ibcq.device, ++ "DEV: %s: adding wr_id = 0x%llx SQ Completion to list qp_id=%d\n", ++ __func__, cmpl->cpi.wr_id, qp->qp_id); ++ list_add_tail(&cmpl->list, &iwqp->iwscq->cmpl_generated); ++ compl_generated = true; ++ } ++ spin_unlock_irqrestore(&iwqp->lock, flags2); ++ spin_unlock_irqrestore(&iwqp->iwscq->lock, flags1); ++ if (compl_generated) ++ irdma_comp_handler(iwqp->iwrcq); ++ } else { ++ spin_unlock_irqrestore(&iwqp->iwscq->lock, flags1); ++ mod_delayed_work(iwqp->iwdev->cleanup_wq, &iwqp->dwork_flush, ++ msecs_to_jiffies(IRDMA_FLUSH_DELAY_MS)); ++ } ++ ++ spin_lock_irqsave(&iwqp->iwrcq->lock, flags1); ++ if (irdma_cq_empty(iwqp->iwrcq)) { ++ unsigned long flags2; ++ ++ spin_lock_irqsave(&iwqp->lock, flags2); ++ while (IRDMA_RING_MORE_WORK(*rq_ring)) { ++ cmpl = kzalloc(sizeof(*cmpl), GFP_ATOMIC); ++ if (!cmpl) { ++ spin_unlock_irqrestore(&iwqp->lock, flags2); ++ spin_unlock_irqrestore(&iwqp->iwrcq->lock, flags1); ++ return; ++ } ++ ++ wqe_idx = rq_ring->tail; ++ irdma_set_cpi_common_values(&cmpl->cpi, qp, qp->qp_id); ++ ++ cmpl->cpi.wr_id = qp->rq_wrid_array[wqe_idx]; ++ cmpl->cpi.op_type = IRDMA_OP_TYPE_REC; ++ /* remove the RQ WR by moving RQ tail */ ++ IRDMA_RING_SET_TAIL(*rq_ring, rq_ring->tail + 1); ++ ibdev_dbg(iwqp->iwrcq->ibcq.device, ++ "DEV: %s: adding wr_id = 0x%llx RQ Completion to list qp_id=%d, wqe_idx=%d\n", ++ __func__, cmpl->cpi.wr_id, qp->qp_id, ++ wqe_idx); ++ list_add_tail(&cmpl->list, &iwqp->iwrcq->cmpl_generated); ++ ++ compl_generated = true; ++ } ++ spin_unlock_irqrestore(&iwqp->lock, flags2); ++ spin_unlock_irqrestore(&iwqp->iwrcq->lock, flags1); ++ if (compl_generated) ++ irdma_comp_handler(iwqp->iwrcq); ++ } else { ++ spin_unlock_irqrestore(&iwqp->iwrcq->lock, flags1); ++ mod_delayed_work(iwqp->iwdev->cleanup_wq, &iwqp->dwork_flush, ++ msecs_to_jiffies(IRDMA_FLUSH_DELAY_MS)); ++ } ++} +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 27f22d595a5dc..e4c5fe4aa806a 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -506,6 +506,9 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + if (iwqp->iwarp_state == IRDMA_QP_STATE_RTS) + irdma_modify_qp_to_err(&iwqp->sc_qp); + ++ if (!iwqp->user_mode) ++ cancel_delayed_work_sync(&iwqp->dwork_flush); ++ + irdma_qp_rem_ref(&iwqp->ibqp); + wait_for_completion(&iwqp->free_qp); + irdma_free_lsmm_rsrc(iwqp); +@@ -761,6 +764,14 @@ static int irdma_validate_qp_attrs(struct ib_qp_init_attr *init_attr, + return 0; + } + ++static void irdma_flush_worker(struct work_struct *work) ++{ ++ struct delayed_work *dwork = to_delayed_work(work); ++ struct irdma_qp *iwqp = container_of(dwork, struct irdma_qp, dwork_flush); ++ ++ irdma_generate_flush_completions(iwqp); ++} ++ + /** + * irdma_create_qp - create qp + * @ibqp: ptr of qp +@@ -882,6 +893,7 @@ static int irdma_create_qp(struct ib_qp *ibqp, + init_info.qp_uk_init_info.abi_ver = iwpd->sc_pd.abi_ver; + irdma_setup_virt_qp(iwdev, iwqp, &init_info); + } else { ++ INIT_DELAYED_WORK(&iwqp->dwork_flush, irdma_flush_worker); + init_info.qp_uk_init_info.abi_ver = IRDMA_ABI_VER; + err_code = irdma_setup_kmode_qp(iwdev, iwqp, &init_info, init_attr); + } +@@ -1371,11 +1383,11 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + } + if (iwqp->ibqp_state > IB_QPS_RTS && + !iwqp->flush_issued) { +- iwqp->flush_issued = 1; + spin_unlock_irqrestore(&iwqp->lock, flags); + irdma_flush_wqes(iwqp, IRDMA_FLUSH_SQ | + IRDMA_FLUSH_RQ | + IRDMA_FLUSH_WAIT); ++ iwqp->flush_issued = 1; + } else { + spin_unlock_irqrestore(&iwqp->lock, flags); + } +@@ -1728,6 +1740,8 @@ static int irdma_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + unsigned long flags; + + spin_lock_irqsave(&iwcq->lock, flags); ++ if (!list_empty(&iwcq->cmpl_generated)) ++ irdma_remove_cmpls_list(iwcq); + if (!list_empty(&iwcq->resize_list)) + irdma_process_resize_list(iwcq, iwdev, NULL); + spin_unlock_irqrestore(&iwcq->lock, flags); +@@ -1936,6 +1950,7 @@ static int irdma_create_cq(struct ib_cq *ibcq, + cq->back_cq = iwcq; + spin_lock_init(&iwcq->lock); + INIT_LIST_HEAD(&iwcq->resize_list); ++ INIT_LIST_HEAD(&iwcq->cmpl_generated); + info.dev = dev; + ukinfo->cq_size = max(entries, 4); + ukinfo->cq_id = cq_num; +@@ -3046,15 +3061,12 @@ static int irdma_post_send(struct ib_qp *ibqp, + unsigned long flags; + bool inv_stag; + struct irdma_ah *ah; +- bool reflush = false; + + iwqp = to_iwqp(ibqp); + ukqp = &iwqp->sc_qp.qp_uk; + dev = &iwqp->iwdev->rf->sc_dev; + + spin_lock_irqsave(&iwqp->lock, flags); +- if (iwqp->flush_issued && ukqp->sq_flush_complete) +- reflush = true; + while (ib_wr) { + memset(&info, 0, sizeof(info)); + inv_stag = false; +@@ -3227,15 +3239,14 @@ static int irdma_post_send(struct ib_qp *ibqp, + ib_wr = ib_wr->next; + } + +- if (!iwqp->flush_issued && iwqp->hw_iwarp_state <= IRDMA_QP_STATE_RTS) { +- irdma_uk_qp_post_wr(ukqp); ++ if (!iwqp->flush_issued) { ++ if (iwqp->hw_iwarp_state <= IRDMA_QP_STATE_RTS) ++ irdma_uk_qp_post_wr(ukqp); + spin_unlock_irqrestore(&iwqp->lock, flags); +- } else if (reflush) { +- ukqp->sq_flush_complete = false; +- spin_unlock_irqrestore(&iwqp->lock, flags); +- irdma_flush_wqes(iwqp, IRDMA_FLUSH_SQ | IRDMA_REFLUSH); + } else { + spin_unlock_irqrestore(&iwqp->lock, flags); ++ mod_delayed_work(iwqp->iwdev->cleanup_wq, &iwqp->dwork_flush, ++ msecs_to_jiffies(IRDMA_FLUSH_DELAY_MS)); + } + if (err) + *bad_wr = ib_wr; +@@ -3260,14 +3271,11 @@ static int irdma_post_recv(struct ib_qp *ibqp, + enum irdma_status_code ret = 0; + unsigned long flags; + int err = 0; +- bool reflush = false; + + iwqp = to_iwqp(ibqp); + ukqp = &iwqp->sc_qp.qp_uk; + + spin_lock_irqsave(&iwqp->lock, flags); +- if (iwqp->flush_issued && ukqp->rq_flush_complete) +- reflush = true; + while (ib_wr) { + post_recv.num_sges = ib_wr->num_sge; + post_recv.wr_id = ib_wr->wr_id; +@@ -3288,13 +3296,10 @@ static int irdma_post_recv(struct ib_qp *ibqp, + } + + out: +- if (reflush) { +- ukqp->rq_flush_complete = false; +- spin_unlock_irqrestore(&iwqp->lock, flags); +- irdma_flush_wqes(iwqp, IRDMA_FLUSH_RQ | IRDMA_REFLUSH); +- } else { +- spin_unlock_irqrestore(&iwqp->lock, flags); +- } ++ spin_unlock_irqrestore(&iwqp->lock, flags); ++ if (iwqp->flush_issued) ++ mod_delayed_work(iwqp->iwdev->cleanup_wq, &iwqp->dwork_flush, ++ msecs_to_jiffies(IRDMA_FLUSH_DELAY_MS)); + + if (err) + *bad_wr = ib_wr; +@@ -3508,6 +3513,11 @@ static int __irdma_poll_cq(struct irdma_cq *iwcq, int num_entries, struct ib_wc + /* check the current CQ for new cqes */ + while (npolled < num_entries) { + ret = irdma_poll_one(ukcq, cur_cqe, entry + npolled); ++ if (ret == -ENOENT) { ++ ret = irdma_generated_cmpls(iwcq, cur_cqe); ++ if (!ret) ++ irdma_process_cqe(entry + npolled, cur_cqe); ++ } + if (!ret) { + ++npolled; + cq_new_cqe = true; +@@ -3589,13 +3599,13 @@ static int irdma_req_notify_cq(struct ib_cq *ibcq, + if (iwcq->last_notify == IRDMA_CQ_COMPL_SOLICITED && notify_flags != IB_CQ_SOLICITED) + promo_event = true; + +- if (!iwcq->armed || promo_event) { +- iwcq->armed = true; ++ if (!atomic_cmpxchg(&iwcq->armed, 0, 1) || promo_event) { + iwcq->last_notify = cq_notify; + irdma_uk_cq_request_notification(ukcq, cq_notify); + } + +- if ((notify_flags & IB_CQ_REPORT_MISSED_EVENTS) && !irdma_cq_empty(iwcq)) ++ if ((notify_flags & IB_CQ_REPORT_MISSED_EVENTS) && ++ (!irdma_cq_empty(iwcq) || !list_empty(&iwcq->cmpl_generated))) + ret = 1; + spin_unlock_irqrestore(&iwcq->lock, flags); + +diff --git a/drivers/infiniband/hw/irdma/verbs.h b/drivers/infiniband/hw/irdma/verbs.h +index d0fdef8d09ead..5af3c8e9b3941 100644 +--- a/drivers/infiniband/hw/irdma/verbs.h ++++ b/drivers/infiniband/hw/irdma/verbs.h +@@ -4,6 +4,7 @@ + #define IRDMA_VERBS_H + + #define IRDMA_MAX_SAVED_PHY_PGADDR 4 ++#define IRDMA_FLUSH_DELAY_MS 20 + + #define IRDMA_PKEY_TBL_SZ 1 + #define IRDMA_DEFAULT_PKEY 0xFFFF +@@ -110,7 +111,7 @@ struct irdma_cq { + u16 cq_size; + u16 cq_num; + bool user_mode; +- bool armed; ++ atomic_t armed; + enum irdma_cmpl_notify last_notify; + u32 polled_cmpls; + u32 cq_mem_size; +@@ -121,6 +122,12 @@ struct irdma_cq { + struct irdma_pbl *iwpbl_shadow; + struct list_head resize_list; + struct irdma_cq_poll_info cur_cqe; ++ struct list_head cmpl_generated; ++}; ++ ++struct irdma_cmpl_gen { ++ struct list_head list; ++ struct irdma_cq_poll_info cpi; + }; + + struct disconn_work { +@@ -161,6 +168,7 @@ struct irdma_qp { + refcount_t refcnt; + struct iw_cm_id *cm_id; + struct irdma_cm_node *cm_node; ++ struct delayed_work dwork_flush; + struct ib_mr *lsmm_mr; + atomic_t hw_mod_qp_pend; + enum ib_qp_state ibqp_state; +@@ -224,4 +232,7 @@ int irdma_ib_register_device(struct irdma_device *iwdev); + void irdma_ib_unregister_device(struct irdma_device *iwdev); + void irdma_ib_dealloc_device(struct ib_device *ibdev); + void irdma_ib_qp_event(struct irdma_qp *iwqp, enum irdma_qp_event_type event); ++void irdma_generate_flush_completions(struct irdma_qp *iwqp); ++void irdma_remove_cmpls_list(struct irdma_cq *iwcq); ++int irdma_generated_cmpls(struct irdma_cq *iwcq, struct irdma_cq_poll_info *cq_poll_info); + #endif /* IRDMA_VERBS_H */ +-- +2.39.2 + diff --git a/queue-5.15/rdma-irdma-fix-local-invalidate-fencing.patch b/queue-5.15/rdma-irdma-fix-local-invalidate-fencing.patch new file mode 100644 index 00000000000..a5ba87a7745 --- /dev/null +++ b/queue-5.15/rdma-irdma-fix-local-invalidate-fencing.patch @@ -0,0 +1,38 @@ +From 4f16a1e33c6f730152732abb2acc5cc17021c156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 10:56:54 -0500 +Subject: RDMA/irdma: Fix Local Invalidate fencing + +From: Mustafa Ismail + +[ Upstream commit 5842d1d9c1b0d17e0c29eae65ae1f245f83682dd ] + +If the local invalidate fence is indicated in the WR, only the read fence +is currently being set in WQE. Fix this to set both the read and local +fence in the WQE. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Link: https://lore.kernel.org/r/20230522155654.1309-4-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 7745740e737a3..60cf83c4119e7 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3196,6 +3196,7 @@ static int irdma_post_send(struct ib_qp *ibqp, + break; + case IB_WR_LOCAL_INV: + info.op_type = IRDMA_OP_TYPE_INV_STAG; ++ info.local_fence = info.read_fence; + info.op.inv_local_stag.target_stag = ib_wr->ex.invalidate_rkey; + ret = irdma_uk_stag_local_invalidate(ukqp, &info, true); + if (ret) +-- +2.39.2 + diff --git a/queue-5.15/rdma-irdma-prevent-qp-use-after-free.patch b/queue-5.15/rdma-irdma-prevent-qp-use-after-free.patch new file mode 100644 index 00000000000..d719d7081e6 --- /dev/null +++ b/queue-5.15/rdma-irdma-prevent-qp-use-after-free.patch @@ -0,0 +1,57 @@ +From 56adeff866f05b2524f45a1107a442f1f69c05c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 10:56:53 -0500 +Subject: RDMA/irdma: Prevent QP use after free + +From: Mustafa Ismail + +[ Upstream commit c8f304d75f6c6cc679a73f89591f9a915da38f09 ] + +There is a window where the poll cq may use a QP that has been freed. +This can happen if a CQE is polled before irdma_clean_cqes() can clear the +CQE's related to the QP and the destroy QP races to free the QP memory. +then the QP structures are used in irdma_poll_cq. Fix this by moving the +clearing of CQE's before the reference is removed and the QP is destroyed. + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Link: https://lore.kernel.org/r/20230522155654.1309-3-shiraz.saleem@intel.com +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index e4c5fe4aa806a..7745740e737a3 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -509,11 +509,6 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + if (!iwqp->user_mode) + cancel_delayed_work_sync(&iwqp->dwork_flush); + +- irdma_qp_rem_ref(&iwqp->ibqp); +- wait_for_completion(&iwqp->free_qp); +- irdma_free_lsmm_rsrc(iwqp); +- irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp); +- + if (!iwqp->user_mode) { + if (iwqp->iwscq) { + irdma_clean_cqes(iwqp, iwqp->iwscq); +@@ -521,6 +516,12 @@ static int irdma_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata) + irdma_clean_cqes(iwqp, iwqp->iwrcq); + } + } ++ ++ irdma_qp_rem_ref(&iwqp->ibqp); ++ wait_for_completion(&iwqp->free_qp); ++ irdma_free_lsmm_rsrc(iwqp); ++ irdma_cqp_qp_destroy_cmd(&iwdev->rf->sc_dev, &iwqp->sc_qp); ++ + irdma_remove_push_mmap_entries(iwqp); + irdma_free_qp_rsrc(iwqp); + +-- +2.39.2 + diff --git a/queue-5.15/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch b/queue-5.15/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch new file mode 100644 index 00000000000..7c7f777a096 --- /dev/null +++ b/queue-5.15/riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch @@ -0,0 +1,49 @@ +From 5c8a0d129c43362ab31a16735a2f7e29bdd886fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:13:11 +0200 +Subject: riscv: Fix unused variable warning when BUILTIN_DTB is set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Ghiti + +[ Upstream commit 33d418da6f476b15e4510e0a590062583f63cd36 ] + +commit ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap +region") wrongly moved the #ifndef CONFIG_BUILTIN_DTB surrounding the pa +variable definition in create_fdt_early_page_table(), so move it back to +its right place to quiet the following warning: + +../arch/riscv/mm/init.c: In function ‘create_fdt_early_page_table’: +../arch/riscv/mm/init.c:925:12: warning: unused variable ‘pa’ [-Wunused-variable] + 925 | uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1); + +Fixes: ef69d2559fe9 ("riscv: Move early dtb mapping into the fixmap region") +Signed-off-by: Alexandre Ghiti +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20230519131311.391960-1-alexghiti@rivosinc.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/mm/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index d8f37034c092d..0afcd4ae7eed1 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -572,9 +572,9 @@ static void __init create_kernel_page_table(pgd_t *pgdir, bool early) + static void __init create_fdt_early_page_table(uintptr_t fix_fdt_va, + uintptr_t dtb_pa) + { ++#ifndef CONFIG_BUILTIN_DTB + uintptr_t pa = dtb_pa & ~(PMD_SIZE - 1); + +-#ifndef CONFIG_BUILTIN_DTB + /* Make sure the fdt fixmap address is always aligned on PMD size */ + BUILD_BUG_ON(FIX_FDT % (PMD_SIZE / PAGE_SIZE)); + +-- +2.39.2 + diff --git a/queue-5.15/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch b/queue-5.15/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch new file mode 100644 index 00000000000..2a1bcc2b1ea --- /dev/null +++ b/queue-5.15/rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch @@ -0,0 +1,64 @@ +From 4890ad06c5e8d0e2b5d16c337bc83b039bbcb035 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 12:01:42 -0400 +Subject: rtnetlink: call validate_linkmsg in rtnl_create_link + +From: Xin Long + +[ Upstream commit b0ad3c179059089d809b477a1d445c1183a7b8fe ] + +validate_linkmsg() was introduced by commit 1840bb13c22f5b ("[RTNL]: +Validate hardware and broadcast address attribute for RTM_NEWLINK") +to validate tb[IFLA_ADDRESS/BROADCAST] for existing links. The same +check should also be done for newly created links. + +This patch adds validate_linkmsg() call in rtnl_create_link(), to +avoid the invalid address set when creating some devices like: + + # ip link add dummy0 type dummy + # ip link add link dummy0 name mac0 address 01:02 type macsec + +Fixes: 0e06877c6fdb ("[RTNETLINK]: rtnl_link: allow specifying initial device address") +Signed-off-by: Xin Long +Reviewed-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 8c85e93daa739..bc187289bf64b 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3155,6 +3155,7 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname, + struct net_device *dev; + unsigned int num_tx_queues = 1; + unsigned int num_rx_queues = 1; ++ int err; + + if (tb[IFLA_NUM_TX_QUEUES]) + num_tx_queues = nla_get_u32(tb[IFLA_NUM_TX_QUEUES]); +@@ -3190,13 +3191,18 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname, + if (!dev) + return ERR_PTR(-ENOMEM); + ++ err = validate_linkmsg(dev, tb, extack); ++ if (err < 0) { ++ free_netdev(dev); ++ return ERR_PTR(err); ++ } ++ + dev_net_set(dev, net); + dev->rtnl_link_ops = ops; + dev->rtnl_link_state = RTNL_LINK_INITIALIZING; + + if (tb[IFLA_MTU]) { + u32 mtu = nla_get_u32(tb[IFLA_MTU]); +- int err; + + err = dev_validate_mtu(dev, mtu, extack); + if (err) { +-- +2.39.2 + diff --git a/queue-5.15/s390-pkey-zeroize-key-blobs.patch b/queue-5.15/s390-pkey-zeroize-key-blobs.patch new file mode 100644 index 00000000000..b622731a1e5 --- /dev/null +++ b/queue-5.15/s390-pkey-zeroize-key-blobs.patch @@ -0,0 +1,52 @@ +From beff784dcfa8625f64e65100cf16b5f136de20b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 14:34:10 +0200 +Subject: s390/pkey: zeroize key blobs + +From: Holger Dengler + +[ Upstream commit 844cf829e5f33e00b279230470c8c93b58b8c16f ] + +Key blobs for the IOCTLs PKEY_KBLOB2PROTK[23] may contain clear key +material. Zeroize the copies of these keys in kernel memory after +creating the protected key. + +Reviewed-by: Harald Freudenberger +Signed-off-by: Holger Dengler +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/pkey_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c +index cf23ce1b11465..83b335f962c89 100644 +--- a/drivers/s390/crypto/pkey_api.c ++++ b/drivers/s390/crypto/pkey_api.c +@@ -1286,6 +1286,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + return PTR_ERR(kkey); + rc = pkey_keyblob2pkey(kkey, ktp.keylen, &ktp.protkey); + DEBUG_DBG("%s pkey_keyblob2pkey()=%d\n", __func__, rc); ++ memzero_explicit(kkey, ktp.keylen); + kfree(kkey); + if (rc) + break; +@@ -1419,6 +1420,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + kkey, ktp.keylen, &ktp.protkey); + DEBUG_DBG("%s pkey_keyblob2pkey2()=%d\n", __func__, rc); + kfree(apqns); ++ memzero_explicit(kkey, ktp.keylen); + kfree(kkey); + if (rc) + break; +@@ -1545,6 +1547,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, + protkey, &protkeylen); + DEBUG_DBG("%s pkey_keyblob2pkey3()=%d\n", __func__, rc); + kfree(apqns); ++ memzero_explicit(kkey, ktp.keylen); + kfree(kkey); + if (rc) { + kfree(protkey); +-- +2.39.2 + diff --git a/queue-5.15/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch b/queue-5.15/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch new file mode 100644 index 00000000000..e6f8cf97f8f --- /dev/null +++ b/queue-5.15/s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch @@ -0,0 +1,89 @@ +From 0b6cc18b680e105cf8c74cf339fbb049bcf24fb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:21:48 +0200 +Subject: s390/topology: honour nr_cpu_ids when adding CPUs + +From: Alexander Gordeev + +[ Upstream commit a33239be2d38ff5a44427db1707c08787508d34a ] + +When SMT thread CPUs are added to CPU masks the nr_cpu_ids +limit is not checked and could be exceeded. This leads to +a warning for example if CONFIG_DEBUG_PER_CPU_MAPS is set +and the command line parameter nr_cpus is set to 1. + +Reviewed-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/topology.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/arch/s390/kernel/topology.c b/arch/s390/kernel/topology.c +index 58f8291950cbf..1f4f37a26c26d 100644 +--- a/arch/s390/kernel/topology.c ++++ b/arch/s390/kernel/topology.c +@@ -96,7 +96,7 @@ static void cpu_group_map(cpumask_t *dst, struct mask_info *info, unsigned int c + static void cpu_thread_map(cpumask_t *dst, unsigned int cpu) + { + static cpumask_t mask; +- int i; ++ unsigned int max_cpu; + + cpumask_clear(&mask); + if (!cpumask_test_cpu(cpu, &cpu_setup_mask)) +@@ -105,9 +105,10 @@ static void cpu_thread_map(cpumask_t *dst, unsigned int cpu) + if (topology_mode != TOPOLOGY_MODE_HW) + goto out; + cpu -= cpu % (smp_cpu_mtid + 1); +- for (i = 0; i <= smp_cpu_mtid; i++) { +- if (cpumask_test_cpu(cpu + i, &cpu_setup_mask)) +- cpumask_set_cpu(cpu + i, &mask); ++ max_cpu = min(cpu + smp_cpu_mtid, nr_cpu_ids - 1); ++ for (; cpu <= max_cpu; cpu++) { ++ if (cpumask_test_cpu(cpu, &cpu_setup_mask)) ++ cpumask_set_cpu(cpu, &mask); + } + out: + cpumask_copy(dst, &mask); +@@ -124,25 +125,26 @@ static void add_cpus_to_mask(struct topology_core *tl_core, + unsigned int core; + + for_each_set_bit(core, &tl_core->mask, TOPOLOGY_CORE_BITS) { +- unsigned int rcore; +- int lcpu, i; ++ unsigned int max_cpu, rcore; ++ int cpu; + + rcore = TOPOLOGY_CORE_BITS - 1 - core + tl_core->origin; +- lcpu = smp_find_processor_id(rcore << smp_cpu_mt_shift); +- if (lcpu < 0) ++ cpu = smp_find_processor_id(rcore << smp_cpu_mt_shift); ++ if (cpu < 0) + continue; +- for (i = 0; i <= smp_cpu_mtid; i++) { +- topo = &cpu_topology[lcpu + i]; ++ max_cpu = min(cpu + smp_cpu_mtid, nr_cpu_ids - 1); ++ for (; cpu <= max_cpu; cpu++) { ++ topo = &cpu_topology[cpu]; + topo->drawer_id = drawer->id; + topo->book_id = book->id; + topo->socket_id = socket->id; + topo->core_id = rcore; +- topo->thread_id = lcpu + i; ++ topo->thread_id = cpu; + topo->dedicated = tl_core->d; +- cpumask_set_cpu(lcpu + i, &drawer->mask); +- cpumask_set_cpu(lcpu + i, &book->mask); +- cpumask_set_cpu(lcpu + i, &socket->mask); +- smp_cpu_set_polarization(lcpu + i, tl_core->pp); ++ cpumask_set_cpu(cpu, &drawer->mask); ++ cpumask_set_cpu(cpu, &book->mask); ++ cpumask_set_cpu(cpu, &socket->mask); ++ smp_cpu_set_polarization(cpu, tl_core->pp); + } + } + } +-- +2.39.2 + diff --git a/queue-5.15/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch b/queue-5.15/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch new file mode 100644 index 00000000000..600f71418d6 --- /dev/null +++ b/queue-5.15/scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch @@ -0,0 +1,51 @@ +From 07ea8c01c22672692d89fab198d313c3d518b420 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 15:01:56 +0800 +Subject: scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed + +From: Wenchao Hao + +[ Upstream commit 09e797c8641f6ad435c33ae24c223351197ea29a ] + +If scsi_dispatch_cmd() failed, the SCSI command was not sent to the target, +scsi_queue_rq() would return BLK_STS_RESOURCE and the related request would +be requeued. The timeout of this request would not fire, no one would +increase iodone_cnt. + +The above flow would result the iodone_cnt smaller than iorequest_cnt. So +decrease the iorequest_cnt if dispatch failed to workaround the issue. + +Signed-off-by: Wenchao Hao +Reported-by: Ming Lei +Closes: https://lore.kernel.org/r/ZF+zB+bB7iqe0wGd@ovpn-8-17.pek2.redhat.com +Link: https://lore.kernel.org/r/20230515070156.1790181-3-haowenchao2@huawei.com +Reviewed-by: Ming Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index ef4361b2d1423..5525e6ffee537 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1476,6 +1476,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) + */ + SCSI_LOG_MLQUEUE(3, scmd_printk(KERN_INFO, cmd, + "queuecommand : device blocked\n")); ++ atomic_dec(&cmd->device->iorequest_cnt); + return SCSI_MLQUEUE_DEVICE_BUSY; + } + +@@ -1508,6 +1509,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd) + trace_scsi_dispatch_cmd_start(cmd); + rtn = host->hostt->queuecommand(host, cmd); + if (rtn) { ++ atomic_dec(&cmd->device->iorequest_cnt); + trace_scsi_dispatch_cmd_error(cmd, rtn); + if (rtn != SCSI_MLQUEUE_DEVICE_BUSY && + rtn != SCSI_MLQUEUE_TARGET_BUSY) +-- +2.39.2 + diff --git a/queue-5.15/series b/queue-5.15/series index e69de29bb2d..38996f5db1b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -0,0 +1,98 @@ +rdma-bnxt_re-fix-the-page_size-used-during-the-mr-cr.patch +rdma-efa-fix-unsupported-page-sizes-in-device.patch +rdma-hns-fix-base-address-table-allocation.patch +rdma-hns-modify-the-value-of-long-message-loopback-s.patch +dmaengine-at_xdmac-move-the-free-desc-to-the-tail-of.patch +dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch +rdma-bnxt_re-fix-a-possible-memory-leak.patch +rdma-bnxt_re-fix-return-value-of-bnxt_re_process_raw.patch +iommu-rockchip-fix-unwind-goto-issue.patch +iommu-amd-don-t-block-updates-to-gatag-if-guest-mode.patch +dmaengine-pl330-rename-_start-to-prevent-build-error.patch +riscv-fix-unused-variable-warning-when-builtin_dtb-i.patch +net-mlx5-fw_tracer-fix-event-handling.patch +net-mlx5e-don-t-attach-netdev-profile-while-handling.patch +net-mellanox-mlxbf_gige-fix-skb_panic-splat-under-me.patch +netrom-fix-info-leak-in-nr_write_internal.patch +af_packet-fix-data-races-of-pkt_sk-sk-num.patch +amd-xgbe-fix-the-false-linkup-in-xgbe_phy_status.patch +mtd-rawnand-ingenic-fix-empty-stub-helper-definition.patch +rdma-irdma-add-sw-mechanism-to-generate-completions-.patch +rdma-irdma-prevent-qp-use-after-free.patch +rdma-irdma-fix-local-invalidate-fencing.patch +af_packet-do-not-use-read_once-in-packet_bind.patch +tcp-deny-tcp_disconnect-when-threads-are-waiting.patch +tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch +net-sched-sch_ingress-only-create-under-tc_h_ingress.patch +net-sched-sch_clsact-only-create-under-tc_h_clsact.patch +net-sched-reserve-tc_h_ingress-tc_h_clsact-for-ingre.patch +net-sched-prohibit-regrafting-ingress-or-clsact-qdis.patch +net-sched-fix-null-pointer-dereference-in-mq_attach.patch +net-netlink-fix-netlink_list_memberships-length-repo.patch +tcp-remove-sk_-tr-x_skb_cache.patch +bpf-sockmap-use-stricter-sk-state-checks-in-sk_looku.patch +udp6-fix-race-condition-in-udp6_sendmsg-connect.patch +net-mlx5e-fix-error-handling-in-mlx5e_refresh_tirs.patch +net-mlx5-read-embedded-cpu-after-init-bit-cleared.patch +net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch +net-dsa-mv88e6xxx-increase-wait-after-reset-deactiva.patch +mtd-rawnand-marvell-ensure-timing-values-are-written.patch +mtd-rawnand-marvell-don-t-set-the-nand-frequency-sel.patch +rtnetlink-call-validate_linkmsg-in-rtnl_create_link.patch +drm-amdgpu-release-gpu-full-access-after-amdgpu_devi.patch +watchdog-menz069_wdt-fix-watchdog-initialisation.patch +alsa-hda-glenfly-add-hd-audio-pci-ids-and-hdmi-codec.patch +drm-amdgpu-use-the-default-reset-when-loading-or-rel.patch +mailbox-mailbox-test-fix-potential-double-free-in-mb.patch +drm-ast-fix-arm-compatibility.patch +btrfs-abort-transaction-when-sibling-keys-check-fail.patch +arm-9295-1-unwind-fix-unwind-abort-for-uleb128-case.patch +media-rcar-vin-select-correct-interrupt-mode-for-v4l.patch +platform-x86-intel_scu_pcidrv-add-back-pci-id-for-me.patch +gfs2-don-t-deref-jdesc-in-evict.patch +fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_prob.patch +fbdev-modedb-add-1920x1080-at-60-hz-video-mode.patch +fbdev-stifb-fix-info-entry-in-sti_struct-on-error-pa.patch +nbd-fix-debugfs_create_dir-error-checking.patch +block-rnbd-replace-req_op_flush-with-req_op_write.patch +nvme-pci-add-nvme_quirk_bogus_nid-for-hs-ssd-future-.patch +nvme-pci-add-quirk-for-missing-secondary-temperature.patch +asoc-dwc-limit-the-number-of-overrun-messages.patch +um-harddog-fix-modular-build.patch +xfrm-check-if_id-in-inbound-policy-secpath-match.patch +asoc-dt-bindings-adjust-sound-dai-cells-on-ti-s-sing.patch +asoc-ssm2602-add-workaround-for-playback-distortions.patch +media-dvb_demux-fix-a-bug-for-the-continuity-counter.patch +media-dvb-usb-az6027-fix-three-null-ptr-deref-in-az6.patch +media-dvb-usb-v2-ec168-fix-null-ptr-deref-in-ec168_i.patch +media-dvb-usb-v2-ce6230-fix-null-ptr-deref-in-ce6230.patch +media-dvb-usb-v2-rtl28xxu-fix-null-ptr-deref-in-rtl2.patch +media-dvb-usb-digitv-fix-null-ptr-deref-in-digitv_i2.patch +media-dvb-usb-dw2102-fix-uninit-value-in-su3000_read.patch +media-netup_unidvb-fix-irq-init-by-register-it-at-th.patch +media-dvb_ca_en50221-fix-a-size-write-bug.patch +media-ttusb-dec-fix-memory-leak-in-ttusb_dec_exit_dv.patch +media-mn88443x-fix-config_of-error-by-drop-of_match_.patch +media-dvb-core-fix-use-after-free-due-on-race-condit.patch +media-dvb-core-fix-use-after-free-due-to-race-at-dvb.patch +media-dvb-core-fix-kernel-warning-for-blocking-opera.patch +media-dvb-core-fix-use-after-free-due-to-race-condit.patch +s390-pkey-zeroize-key-blobs.patch +s390-topology-honour-nr_cpu_ids-when-adding-cpus.patch +acpi-resource-add-irq-override-quirk-for-lg-ultrapc-.patch +wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch +arm-dts-stm32-add-pin-map-for-can-controller-on-stm3.patch +arm64-mm-mark-private-vm_fault_x-defines-as-vm_fault.patch +arm64-vdso-pass-void-to-virt_to_page.patch +wifi-mac80211-simplify-chanctx-allocation.patch +scsi-core-decrease-scsi_device-s-iorequest_cnt-if-di.patch +wifi-b43-fix-incorrect-__packed-annotation.patch +netfilter-conntrack-define-variables-exp_nat_nla_pol.patch +nvme-multipath-don-t-call-blk_mark_disk_dead-in-nvme.patch +alsa-oss-avoid-missing-prototype-warnings.patch +drm-msm-be-more-shouty-if-per-process-pgtables-aren-.patch +atm-hide-unused-procfs-functions.patch +drm-amdgpu-skip-disabling-fence-driver-src_irqs-when.patch +nvme-pci-add-quirk-for-teamgroup-mp33-ssd.patch +mailbox-mailbox-test-fix-a-locking-issue-in-mbox_tes.patch +media-uvcvideo-don-t-expose-unsupported-formats-to-u.patch diff --git a/queue-5.15/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch b/queue-5.15/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch new file mode 100644 index 00000000000..75ef4cf7232 --- /dev/null +++ b/queue-5.15/tcp-deny-tcp_disconnect-when-threads-are-waiting.patch @@ -0,0 +1,186 @@ +From 76776454def423ec7e008d0e699f2f189667fa2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 16:34:58 +0000 +Subject: tcp: deny tcp_disconnect() when threads are waiting + +From: Eric Dumazet + +[ Upstream commit 4faeee0cf8a5d88d63cdbc3bab124fb0e6aed08c ] + +Historically connect(AF_UNSPEC) has been abused by syzkaller +and other fuzzers to trigger various bugs. + +A recent one triggers a divide-by-zero [1], and Paolo Abeni +was able to diagnose the issue. + +tcp_recvmsg_locked() has tests about sk_state being not TCP_LISTEN +and TCP REPAIR mode being not used. + +Then later if socket lock is released in sk_wait_data(), +another thread can call connect(AF_UNSPEC), then make this +socket a TCP listener. + +When recvmsg() is resumed, it can eventually call tcp_cleanup_rbuf() +and attempt a divide by 0 in tcp_rcv_space_adjust() [1] + +This patch adds a new socket field, counting number of threads +blocked in sk_wait_event() and inet_wait_for_connect(). + +If this counter is not zero, tcp_disconnect() returns an error. + +This patch adds code in blocking socket system calls, thus should +not hurt performance of non blocking ones. + +Note that we probably could revert commit 499350a5a6e7 ("tcp: +initialize rcv_mss to TCP_MIN_MSS instead of 0") to restore +original tcpi_rcv_mss meaning (was 0 if no payload was ever +received on a socket) + +[1] +divide error: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 13832 Comm: syz-executor.5 Not tainted 6.3.0-rc4-syzkaller-00224-g00c7b5f4ddc5 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 +RIP: 0010:tcp_rcv_space_adjust+0x36e/0x9d0 net/ipv4/tcp_input.c:740 +Code: 00 00 00 00 fc ff df 4c 89 64 24 48 8b 44 24 04 44 89 f9 41 81 c7 80 03 00 00 c1 e1 04 44 29 f0 48 63 c9 48 01 e9 48 0f af c1 <49> f7 f6 48 8d 04 41 48 89 44 24 40 48 8b 44 24 30 48 c1 e8 03 48 +RSP: 0018:ffffc900033af660 EFLAGS: 00010206 +RAX: 4a66b76cbade2c48 RBX: ffff888076640cc0 RCX: 00000000c334e4ac +RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000001 +RBP: 00000000c324e86c R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880766417f8 +R13: ffff888028fbb980 R14: 0000000000000000 R15: 0000000000010344 +FS: 00007f5bffbfe700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b32f25000 CR3: 000000007ced0000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +tcp_recvmsg_locked+0x100e/0x22e0 net/ipv4/tcp.c:2616 +tcp_recvmsg+0x117/0x620 net/ipv4/tcp.c:2681 +inet6_recvmsg+0x114/0x640 net/ipv6/af_inet6.c:670 +sock_recvmsg_nosec net/socket.c:1017 [inline] +sock_recvmsg+0xe2/0x160 net/socket.c:1038 +____sys_recvmsg+0x210/0x5a0 net/socket.c:2720 +___sys_recvmsg+0xf2/0x180 net/socket.c:2762 +do_recvmmsg+0x25e/0x6e0 net/socket.c:2856 +__sys_recvmmsg net/socket.c:2935 [inline] +__do_sys_recvmmsg net/socket.c:2958 [inline] +__se_sys_recvmmsg net/socket.c:2951 [inline] +__x64_sys_recvmmsg+0x20f/0x260 net/socket.c:2951 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5c0108c0f9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f5bffbfe168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 00007f5c011ac050 RCX: 00007f5c0108c0f9 +RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000003 +RBP: 00007f5c010e7b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f5c012cfb1f R14: 00007f5bffbfe300 R15: 0000000000022000 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Reported-by: Paolo Abeni +Diagnosed-by: Paolo Abeni +Signed-off-by: Eric Dumazet +Tested-by: Paolo Abeni +Link: https://lore.kernel.org/r/20230526163458.2880232-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 4 ++++ + net/ipv4/af_inet.c | 2 ++ + net/ipv4/inet_connection_sock.c | 1 + + net/ipv4/tcp.c | 6 ++++++ + 4 files changed, 13 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 0309d2311487d..104d80d850e41 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -334,6 +334,7 @@ struct bpf_local_storage; + * @sk_cgrp_data: cgroup data for this cgroup + * @sk_memcg: this socket's memory cgroup association + * @sk_write_pending: a write to stream socket waits to start ++ * @sk_wait_pending: number of threads blocked on this socket + * @sk_state_change: callback to indicate change in the state of the sock + * @sk_data_ready: callback to indicate there is data to be processed + * @sk_write_space: callback to indicate there is bf sending space available +@@ -418,6 +419,7 @@ struct sock { + unsigned int sk_napi_id; + #endif + int sk_rcvbuf; ++ int sk_wait_pending; + + struct sk_filter __rcu *sk_filter; + union { +@@ -1115,6 +1117,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk) + + #define sk_wait_event(__sk, __timeo, __condition, __wait) \ + ({ int __rc; \ ++ __sk->sk_wait_pending++; \ + release_sock(__sk); \ + __rc = __condition; \ + if (!__rc) { \ +@@ -1124,6 +1127,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk) + } \ + sched_annotate_sleep(); \ + lock_sock(__sk); \ ++ __sk->sk_wait_pending--; \ + __rc = __condition; \ + __rc; \ + }) +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 7fa1b0a45176f..e46b11507edc2 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -587,6 +587,7 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias) + + add_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending += writebias; ++ sk->sk_wait_pending++; + + /* Basic assumption: if someone sets sk->sk_err, he _must_ + * change state of the socket from TCP_SYN_*. +@@ -602,6 +603,7 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias) + } + remove_wait_queue(sk_sleep(sk), &wait); + sk->sk_write_pending -= writebias; ++ sk->sk_wait_pending--; + return timeo; + } + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 29ec42c1f5d09..4fb0506430774 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -963,6 +963,7 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + if (newsk) { + struct inet_connection_sock *newicsk = inet_csk(newsk); + ++ newsk->sk_wait_pending = 0; + inet_sk_set_state(newsk, TCP_SYN_RECV); + newicsk->icsk_bind_hash = NULL; + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index b91ddd2a2f96d..682503227effe 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2972,6 +2972,12 @@ int tcp_disconnect(struct sock *sk, int flags) + int old_state = sk->sk_state; + u32 seq; + ++ /* Deny disconnect if other threads are blocked in sk_wait_event() ++ * or inet_wait_for_connect(). ++ */ ++ if (sk->sk_wait_pending) ++ return -EBUSY; ++ + if (old_state != TCP_CLOSE) + tcp_set_state(sk, TCP_CLOSE); + +-- +2.39.2 + diff --git a/queue-5.15/tcp-remove-sk_-tr-x_skb_cache.patch b/queue-5.15/tcp-remove-sk_-tr-x_skb_cache.patch new file mode 100644 index 00000000000..c25ec997c31 --- /dev/null +++ b/queue-5.15/tcp-remove-sk_-tr-x_skb_cache.patch @@ -0,0 +1,294 @@ +From a838f15e78adc8752ce13a6661ccef7216e20478 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 19:26:43 +0200 +Subject: tcp: remove sk_{tr}x_skb_cache + +From: Eric Dumazet + +[ Upstream commit d8b81175e412c7abebdb5b37d8a84d5fd19b1aad ] + +This reverts the following patches : + +- commit 2e05fcae83c4 ("tcp: fix compile error if !CONFIG_SYSCTL") +- commit 4f661542a402 ("tcp: fix zerocopy and notsent_lowat issues") +- commit 472c2e07eef0 ("tcp: add one skb cache for tx") +- commit 8b27dae5a2e8 ("tcp: add one skb cache for rx") + +Having a cache of one skb (in each direction) per TCP socket is fragile, +since it can cause a significant increase of memory needs, +and not good enough for high speed flows anyway where more than one skb +is needed. + +We want instead to add a generic infrastructure, with more flexible +per-cpu caches, for alien NUMA nodes. + +Acked-by: Paolo Abeni +Acked-by: Mat Martineau +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Stable-dep-of: 448a5ce1120c ("udp6: Fix race condition in udp6_sendmsg & connect") +Signed-off-by: Sasha Levin +--- + Documentation/networking/ip-sysctl.rst | 8 -------- + include/net/sock.h | 19 ------------------- + net/ipv4/af_inet.c | 4 ---- + net/ipv4/sysctl_net_ipv4.c | 12 ------------ + net/ipv4/tcp.c | 26 -------------------------- + net/ipv4/tcp_ipv4.c | 6 ------ + net/ipv6/tcp_ipv6.c | 6 ------ + 7 files changed, 81 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst +index 7890b395e629b..a4d0082bd3b90 100644 +--- a/Documentation/networking/ip-sysctl.rst ++++ b/Documentation/networking/ip-sysctl.rst +@@ -991,14 +991,6 @@ tcp_challenge_ack_limit - INTEGER + in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) + Default: 1000 + +-tcp_rx_skb_cache - BOOLEAN +- Controls a per TCP socket cache of one skb, that might help +- performance of some workloads. This might be dangerous +- on systems with a lot of TCP sockets, since it increases +- memory usage. +- +- Default: 0 (disabled) +- + UDP variables + ============= + +diff --git a/include/net/sock.h b/include/net/sock.h +index 104d80d850e41..d0683b3c57456 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -261,7 +261,6 @@ struct bpf_local_storage; + * @sk_dst_cache: destination cache + * @sk_dst_pending_confirm: need to confirm neighbour + * @sk_policy: flow policy +- * @sk_rx_skb_cache: cache copy of recently accessed RX skb + * @sk_receive_queue: incoming packets + * @sk_wmem_alloc: transmit queue bytes committed + * @sk_tsq_flags: TCP Small Queues flags +@@ -328,7 +327,6 @@ struct bpf_local_storage; + * @sk_peek_off: current peek_offset value + * @sk_send_head: front of stuff to transmit + * @tcp_rtx_queue: TCP re-transmit queue [union with @sk_send_head] +- * @sk_tx_skb_cache: cache copy of recently accessed TX skb + * @sk_security: used by security modules + * @sk_mark: generic packet mark + * @sk_cgrp_data: cgroup data for this cgroup +@@ -394,7 +392,6 @@ struct sock { + atomic_t sk_drops; + int sk_rcvlowat; + struct sk_buff_head sk_error_queue; +- struct sk_buff *sk_rx_skb_cache; + struct sk_buff_head sk_receive_queue; + /* + * The backlog queue is special, it is always used with +@@ -447,7 +444,6 @@ struct sock { + struct sk_buff *sk_send_head; + struct rb_root tcp_rtx_queue; + }; +- struct sk_buff *sk_tx_skb_cache; + struct sk_buff_head sk_write_queue; + __s32 sk_peek_off; + int sk_write_pending; +@@ -1596,18 +1592,10 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) + __sk_mem_reclaim(sk, 1 << 20); + } + +-DECLARE_STATIC_KEY_FALSE(tcp_tx_skb_cache_key); + static inline void sk_wmem_free_skb(struct sock *sk, struct sk_buff *skb) + { + sk_wmem_queued_add(sk, -skb->truesize); + sk_mem_uncharge(sk, skb->truesize); +- if (static_branch_unlikely(&tcp_tx_skb_cache_key) && +- !sk->sk_tx_skb_cache && !skb_cloned(skb)) { +- skb_ext_reset(skb); +- skb_zcopy_clear(skb, true); +- sk->sk_tx_skb_cache = skb; +- return; +- } + __kfree_skb(skb); + } + +@@ -2667,7 +2655,6 @@ static inline void skb_setup_tx_timestamp(struct sk_buff *skb, __u16 tsflags) + &skb_shinfo(skb)->tskey); + } + +-DECLARE_STATIC_KEY_FALSE(tcp_rx_skb_cache_key); + /** + * sk_eat_skb - Release a skb if it is no longer needed + * @sk: socket to eat this skb from +@@ -2679,12 +2666,6 @@ DECLARE_STATIC_KEY_FALSE(tcp_rx_skb_cache_key); + static inline void sk_eat_skb(struct sock *sk, struct sk_buff *skb) + { + __skb_unlink(skb, &sk->sk_receive_queue); +- if (static_branch_unlikely(&tcp_rx_skb_cache_key) && +- !sk->sk_rx_skb_cache) { +- sk->sk_rx_skb_cache = skb; +- skb_orphan(skb); +- return; +- } + __kfree_skb(skb); + } + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index e46b11507edc2..4d1c55723ad56 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -133,10 +133,6 @@ void inet_sock_destruct(struct sock *sk) + struct inet_sock *inet = inet_sk(sk); + + __skb_queue_purge(&sk->sk_receive_queue); +- if (sk->sk_rx_skb_cache) { +- __kfree_skb(sk->sk_rx_skb_cache); +- sk->sk_rx_skb_cache = NULL; +- } + __skb_queue_purge(&sk->sk_error_queue); + + sk_mem_reclaim(sk); +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 1f22e72074fdc..1aa3ecaf456c7 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -540,18 +540,6 @@ static struct ctl_table ipv4_table[] = { + .extra1 = &sysctl_fib_sync_mem_min, + .extra2 = &sysctl_fib_sync_mem_max, + }, +- { +- .procname = "tcp_rx_skb_cache", +- .data = &tcp_rx_skb_cache_key.key, +- .mode = 0644, +- .proc_handler = proc_do_static_key, +- }, +- { +- .procname = "tcp_tx_skb_cache", +- .data = &tcp_tx_skb_cache_key.key, +- .mode = 0644, +- .proc_handler = proc_do_static_key, +- }, + { } + }; + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index fc0fa1f2ca9b1..bd7930b2be278 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -325,11 +325,6 @@ struct tcp_splice_state { + unsigned long tcp_memory_pressure __read_mostly; + EXPORT_SYMBOL_GPL(tcp_memory_pressure); + +-DEFINE_STATIC_KEY_FALSE(tcp_rx_skb_cache_key); +-EXPORT_SYMBOL(tcp_rx_skb_cache_key); +- +-DEFINE_STATIC_KEY_FALSE(tcp_tx_skb_cache_key); +- + void tcp_enter_memory_pressure(struct sock *sk) + { + unsigned long val; +@@ -866,18 +861,6 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp, + { + struct sk_buff *skb; + +- if (likely(!size)) { +- skb = sk->sk_tx_skb_cache; +- if (skb) { +- skb->truesize = SKB_TRUESIZE(skb_end_offset(skb)); +- sk->sk_tx_skb_cache = NULL; +- pskb_trim(skb, 0); +- INIT_LIST_HEAD(&skb->tcp_tsorted_anchor); +- skb_shinfo(skb)->tx_flags = 0; +- memset(TCP_SKB_CB(skb), 0, sizeof(struct tcp_skb_cb)); +- return skb; +- } +- } + /* The TCP header must be at least 32-bit aligned. */ + size = ALIGN(size, 4); + +@@ -2952,11 +2935,6 @@ void tcp_write_queue_purge(struct sock *sk) + sk_wmem_free_skb(sk, skb); + } + tcp_rtx_queue_purge(sk); +- skb = sk->sk_tx_skb_cache; +- if (skb) { +- __kfree_skb(skb); +- sk->sk_tx_skb_cache = NULL; +- } + INIT_LIST_HEAD(&tcp_sk(sk)->tsorted_sent_queue); + sk_mem_reclaim(sk); + tcp_clear_all_retrans_hints(tcp_sk(sk)); +@@ -2999,10 +2977,6 @@ int tcp_disconnect(struct sock *sk, int flags) + + tcp_clear_xmit_timers(sk); + __skb_queue_purge(&sk->sk_receive_queue); +- if (sk->sk_rx_skb_cache) { +- __kfree_skb(sk->sk_rx_skb_cache); +- sk->sk_rx_skb_cache = NULL; +- } + WRITE_ONCE(tp->copied_seq, tp->rcv_nxt); + tp->urg_data = 0; + tcp_write_queue_purge(sk); +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index db05ab4287e30..45d12484552fc 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -1975,7 +1975,6 @@ static void tcp_v4_fill_cb(struct sk_buff *skb, const struct iphdr *iph, + int tcp_v4_rcv(struct sk_buff *skb) + { + struct net *net = dev_net(skb->dev); +- struct sk_buff *skb_to_free; + int sdif = inet_sdif(skb); + int dif = inet_iif(skb); + const struct iphdr *iph; +@@ -2124,17 +2123,12 @@ int tcp_v4_rcv(struct sk_buff *skb) + tcp_segs_in(tcp_sk(sk), skb); + ret = 0; + if (!sock_owned_by_user(sk)) { +- skb_to_free = sk->sk_rx_skb_cache; +- sk->sk_rx_skb_cache = NULL; + ret = tcp_v4_do_rcv(sk, skb); + } else { + if (tcp_add_backlog(sk, skb)) + goto discard_and_relse; +- skb_to_free = NULL; + } + bh_unlock_sock(sk); +- if (skb_to_free) +- __kfree_skb(skb_to_free); + + put_and_return: + if (refcounted) +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index b6f5a4474d8bc..7b81ab2b57011 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1626,7 +1626,6 @@ static void tcp_v6_fill_cb(struct sk_buff *skb, const struct ipv6hdr *hdr, + + INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) + { +- struct sk_buff *skb_to_free; + int sdif = inet6_sdif(skb); + int dif = inet6_iif(skb); + const struct tcphdr *th; +@@ -1762,17 +1761,12 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) + tcp_segs_in(tcp_sk(sk), skb); + ret = 0; + if (!sock_owned_by_user(sk)) { +- skb_to_free = sk->sk_rx_skb_cache; +- sk->sk_rx_skb_cache = NULL; + ret = tcp_v6_do_rcv(sk, skb); + } else { + if (tcp_add_backlog(sk, skb)) + goto discard_and_relse; +- skb_to_free = NULL; + } + bh_unlock_sock(sk); +- if (skb_to_free) +- __kfree_skb(skb_to_free); + put_and_return: + if (refcounted) + sock_put(sk); +-- +2.39.2 + diff --git a/queue-5.15/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch b/queue-5.15/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch new file mode 100644 index 00000000000..633ef012f2e --- /dev/null +++ b/queue-5.15/tcp-return-user_mss-for-tcp_maxseg-in-close-listen-s.patch @@ -0,0 +1,50 @@ +From 0a9bb9c75ef3ffba213531bab8b79bca1e28e742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 12:03:17 +0800 +Subject: tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss + set + +From: Cambda Zhu + +[ Upstream commit 34dfde4ad87b84d21278a7e19d92b5b2c68e6c4d ] + +This patch replaces the tp->mss_cache check in getting TCP_MAXSEG +with tp->rx_opt.user_mss check for CLOSE/LISTEN sock. Since +tp->mss_cache is initialized with TCP_MSS_DEFAULT, checking if +it's zero is probably a bug. + +With this change, getting TCP_MAXSEG before connecting will return +default MSS normally, and return user_mss if user_mss is set. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Jack Yang +Suggested-by: Eric Dumazet +Link: https://lore.kernel.org/netdev/CANn89i+3kL9pYtkxkwxwNMzvC_w3LNUum_2=3u+UyLBmGmifHA@mail.gmail.com/#t +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/netdev/14D45862-36EA-4076-974C-EA67513C92F6@linux.alibaba.com/ +Reviewed-by: Jason Xing +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230527040317.68247-1-cambda@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 682503227effe..fc0fa1f2ca9b1 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3967,7 +3967,8 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + switch (optname) { + case TCP_MAXSEG: + val = tp->mss_cache; +- if (!val && ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) ++ if (tp->rx_opt.user_mss && ++ ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) + val = tp->rx_opt.user_mss; + if (tp->repair) + val = tp->rx_opt.mss_clamp; +-- +2.39.2 + diff --git a/queue-5.15/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch b/queue-5.15/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch new file mode 100644 index 00000000000..73d8b056fd8 --- /dev/null +++ b/queue-5.15/udp6-fix-race-condition-in-udp6_sendmsg-connect.patch @@ -0,0 +1,63 @@ +From 0e38e27488dc8be38c0cd6c95933fba0639c4e56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 14:39:41 +0300 +Subject: udp6: Fix race condition in udp6_sendmsg & connect + +From: Vladislav Efanov + +[ Upstream commit 448a5ce1120c5bdbce1f1ccdabcd31c7d029f328 ] + +Syzkaller got the following report: +BUG: KASAN: use-after-free in sk_setup_caps+0x621/0x690 net/core/sock.c:2018 +Read of size 8 at addr ffff888027f82780 by task syz-executor276/3255 + +The function sk_setup_caps (called by ip6_sk_dst_store_flow-> +ip6_dst_store) referenced already freed memory as this memory was +freed by parallel task in udpv6_sendmsg->ip6_sk_dst_lookup_flow-> +sk_dst_check. + + task1 (connect) task2 (udp6_sendmsg) + sk_setup_caps->sk_dst_set | + | sk_dst_check-> + | sk_dst_set + | dst_release + sk_setup_caps references | + to already freed dst_entry| + +The reason for this race condition is: sk_setup_caps() keeps using +the dst after transferring the ownership to the dst cache. + +Found by Linux Verification Center (linuxtesting.org) with syzkaller. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Vladislav Efanov +Signed-off-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index ff7e8fc80731d..93fb3d64f48ee 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2165,7 +2165,6 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + { + u32 max_segs = 1; + +- sk_dst_set(sk, dst); + sk->sk_route_caps = dst->dev->features | sk->sk_route_forced_caps; + if (sk->sk_route_caps & NETIF_F_GSO) + sk->sk_route_caps |= NETIF_F_GSO_SOFTWARE; +@@ -2180,6 +2179,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) + } + } + sk->sk_gso_max_segs = max_segs; ++ sk_dst_set(sk, dst); + } + EXPORT_SYMBOL_GPL(sk_setup_caps); + +-- +2.39.2 + diff --git a/queue-5.15/um-harddog-fix-modular-build.patch b/queue-5.15/um-harddog-fix-modular-build.patch new file mode 100644 index 00000000000..6560cd88fed --- /dev/null +++ b/queue-5.15/um-harddog-fix-modular-build.patch @@ -0,0 +1,134 @@ +From f304885ede50977ccf1f684285cb79d84663790c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 10:38:37 +0200 +Subject: um: harddog: fix modular build + +From: Johannes Berg + +[ Upstream commit 73a23d7710331a530e972903318528b75e5a5f58 ] + +Since we no longer (want to) export any libc symbols the +_user portions of any drivers need to be built into image +rather than the module. I missed this for the watchdog. +Fix the watchdog accordingly. + +Reported-by: kernel test robot +Signed-off-by: Johannes Berg +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/Makefile | 4 +++- + arch/um/drivers/harddog.h | 9 +++++++++ + arch/um/drivers/harddog_kern.c | 7 +------ + arch/um/drivers/harddog_user.c | 1 + + arch/um/drivers/harddog_user_exp.c | 9 +++++++++ + 5 files changed, 23 insertions(+), 7 deletions(-) + create mode 100644 arch/um/drivers/harddog.h + create mode 100644 arch/um/drivers/harddog_user_exp.c + +diff --git a/arch/um/drivers/Makefile b/arch/um/drivers/Makefile +index 803666e85414a..cd1a58bb3e9cd 100644 +--- a/arch/um/drivers/Makefile ++++ b/arch/um/drivers/Makefile +@@ -16,7 +16,8 @@ mconsole-objs := mconsole_kern.o mconsole_user.o + hostaudio-objs := hostaudio_kern.o + ubd-objs := ubd_kern.o ubd_user.o + port-objs := port_kern.o port_user.o +-harddog-objs := harddog_kern.o harddog_user.o ++harddog-objs := harddog_kern.o ++harddog-builtin-$(CONFIG_UML_WATCHDOG) := harddog_user.o harddog_user_exp.o + rtc-objs := rtc_kern.o rtc_user.o + + LDFLAGS_pcap.o = $(shell $(CC) $(KBUILD_CFLAGS) -print-file-name=libpcap.a) +@@ -60,6 +61,7 @@ obj-$(CONFIG_PTY_CHAN) += pty.o + obj-$(CONFIG_TTY_CHAN) += tty.o + obj-$(CONFIG_XTERM_CHAN) += xterm.o xterm_kern.o + obj-$(CONFIG_UML_WATCHDOG) += harddog.o ++obj-y += $(harddog-builtin-y) $(harddog-builtin-m) + obj-$(CONFIG_BLK_DEV_COW_COMMON) += cow_user.o + obj-$(CONFIG_UML_RANDOM) += random.o + obj-$(CONFIG_VIRTIO_UML) += virtio_uml.o +diff --git a/arch/um/drivers/harddog.h b/arch/um/drivers/harddog.h +new file mode 100644 +index 0000000000000..6d9ea60e7133e +--- /dev/null ++++ b/arch/um/drivers/harddog.h +@@ -0,0 +1,9 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef UM_WATCHDOG_H ++#define UM_WATCHDOG_H ++ ++int start_watchdog(int *in_fd_ret, int *out_fd_ret, char *sock); ++void stop_watchdog(int in_fd, int out_fd); ++int ping_watchdog(int fd); ++ ++#endif /* UM_WATCHDOG_H */ +diff --git a/arch/um/drivers/harddog_kern.c b/arch/um/drivers/harddog_kern.c +index e6d4f43deba82..60d1c6cab8a95 100644 +--- a/arch/um/drivers/harddog_kern.c ++++ b/arch/um/drivers/harddog_kern.c +@@ -47,6 +47,7 @@ + #include + #include + #include "mconsole.h" ++#include "harddog.h" + + MODULE_LICENSE("GPL"); + +@@ -60,8 +61,6 @@ static int harddog_out_fd = -1; + * Allow only one person to hold it open + */ + +-extern int start_watchdog(int *in_fd_ret, int *out_fd_ret, char *sock); +- + static int harddog_open(struct inode *inode, struct file *file) + { + int err = -EBUSY; +@@ -92,8 +91,6 @@ static int harddog_open(struct inode *inode, struct file *file) + return err; + } + +-extern void stop_watchdog(int in_fd, int out_fd); +- + static int harddog_release(struct inode *inode, struct file *file) + { + /* +@@ -112,8 +109,6 @@ static int harddog_release(struct inode *inode, struct file *file) + return 0; + } + +-extern int ping_watchdog(int fd); +- + static ssize_t harddog_write(struct file *file, const char __user *data, size_t len, + loff_t *ppos) + { +diff --git a/arch/um/drivers/harddog_user.c b/arch/um/drivers/harddog_user.c +index 070468d22e394..9ed89304975ed 100644 +--- a/arch/um/drivers/harddog_user.c ++++ b/arch/um/drivers/harddog_user.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include "harddog.h" + + struct dog_data { + int stdin_fd; +diff --git a/arch/um/drivers/harddog_user_exp.c b/arch/um/drivers/harddog_user_exp.c +new file mode 100644 +index 0000000000000..c74d4b815d143 +--- /dev/null ++++ b/arch/um/drivers/harddog_user_exp.c +@@ -0,0 +1,9 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++#include "harddog.h" ++ ++#if IS_MODULE(CONFIG_UML_WATCHDOG) ++EXPORT_SYMBOL(start_watchdog); ++EXPORT_SYMBOL(stop_watchdog); ++EXPORT_SYMBOL(ping_watchdog); ++#endif +-- +2.39.2 + diff --git a/queue-5.15/watchdog-menz069_wdt-fix-watchdog-initialisation.patch b/queue-5.15/watchdog-menz069_wdt-fix-watchdog-initialisation.patch new file mode 100644 index 00000000000..792996054e3 --- /dev/null +++ b/queue-5.15/watchdog-menz069_wdt-fix-watchdog-initialisation.patch @@ -0,0 +1,71 @@ +From 5a5575a3db9c170d17e37a002ec977b328fe32ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 19:25:30 +0200 +Subject: watchdog: menz069_wdt: fix watchdog initialisation + +From: Johannes Thumshirn + +[ Upstream commit 87b22656ca6a896d0378e9e60ffccb0c82f48b08 ] + +Doing a 'cat /dev/watchdog0' with menz069_wdt as watchdog0 will result in +a NULL pointer dereference. + +This happens because we're passing the wrong pointer to +watchdog_register_device(). Fix this by getting rid of the static +watchdog_device structure and use the one embedded into the driver's +per-instance private data. + +Signed-off-by: Johannes Thumshirn +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230418172531.177349-2-jth@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/menz69_wdt.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/watchdog/menz69_wdt.c b/drivers/watchdog/menz69_wdt.c +index 8973f98bc6a56..bca0938f3429f 100644 +--- a/drivers/watchdog/menz69_wdt.c ++++ b/drivers/watchdog/menz69_wdt.c +@@ -98,14 +98,6 @@ static const struct watchdog_ops men_z069_ops = { + .set_timeout = men_z069_wdt_set_timeout, + }; + +-static struct watchdog_device men_z069_wdt = { +- .info = &men_z069_info, +- .ops = &men_z069_ops, +- .timeout = MEN_Z069_DEFAULT_TIMEOUT, +- .min_timeout = 1, +- .max_timeout = MEN_Z069_WDT_COUNTER_MAX / MEN_Z069_TIMER_FREQ, +-}; +- + static int men_z069_probe(struct mcb_device *dev, + const struct mcb_device_id *id) + { +@@ -125,15 +117,19 @@ static int men_z069_probe(struct mcb_device *dev, + goto release_mem; + + drv->mem = mem; ++ drv->wdt.info = &men_z069_info; ++ drv->wdt.ops = &men_z069_ops; ++ drv->wdt.timeout = MEN_Z069_DEFAULT_TIMEOUT; ++ drv->wdt.min_timeout = 1; ++ drv->wdt.max_timeout = MEN_Z069_WDT_COUNTER_MAX / MEN_Z069_TIMER_FREQ; + +- drv->wdt = men_z069_wdt; + watchdog_init_timeout(&drv->wdt, 0, &dev->dev); + watchdog_set_nowayout(&drv->wdt, nowayout); + watchdog_set_drvdata(&drv->wdt, drv); + drv->wdt.parent = &dev->dev; + mcb_set_drvdata(dev, drv); + +- return watchdog_register_device(&men_z069_wdt); ++ return watchdog_register_device(&drv->wdt); + + release_mem: + mcb_release_mem(mem); +-- +2.39.2 + diff --git a/queue-5.15/wifi-b43-fix-incorrect-__packed-annotation.patch b/queue-5.15/wifi-b43-fix-incorrect-__packed-annotation.patch new file mode 100644 index 00000000000..04bf995d198 --- /dev/null +++ b/queue-5.15/wifi-b43-fix-incorrect-__packed-annotation.patch @@ -0,0 +1,69 @@ +From dd9053ce91f41327fa9532db815c8dd00649dc5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 20:34:22 +0200 +Subject: wifi: b43: fix incorrect __packed annotation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 212457ccbd60dba34f965e4ffbe62f0e4f970538 ] + +clang warns about an unpacked structure inside of a packed one: + +drivers/net/wireless/broadcom/b43/b43.h:654:4: error: field data within 'struct b43_iv' is less aligned than 'union (unnamed union at /home/arnd/arm-soc/drivers/net/wireless/broadcom/b43/b43.h:651:2)' and is usually due to 'struct b43_iv' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access] + +The problem here is that the anonymous union has the default alignment +from its members, apparently because the original author mixed up the +placement of the __packed attribute by placing it next to the struct +member rather than the union definition. As the struct itself is +also marked as __packed, there is no need to mark its members, so just +move the annotation to the inner type instead. + +As Michael noted, the same problem is present in b43legacy, so +change both at the same time. + +Acked-by: Michael Büsch +Reported-by: kernel test robot +Reviewed-by: Simon Horman +Tested-by: Larry Finger +Link: https://lore.kernel.org/oe-kbuild-all/202305160749.ay1HAoyP-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230516183442.536589-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/b43.h | 2 +- + drivers/net/wireless/broadcom/b43legacy/b43legacy.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/b43/b43.h b/drivers/net/wireless/broadcom/b43/b43.h +index 9fc7c088a539e..67b4bac048e58 100644 +--- a/drivers/net/wireless/broadcom/b43/b43.h ++++ b/drivers/net/wireless/broadcom/b43/b43.h +@@ -651,7 +651,7 @@ struct b43_iv { + union { + __be16 d16; + __be32 d32; +- } data __packed; ++ } __packed data; + } __packed; + + +diff --git a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h +index 6b0cec467938f..f49365d14619f 100644 +--- a/drivers/net/wireless/broadcom/b43legacy/b43legacy.h ++++ b/drivers/net/wireless/broadcom/b43legacy/b43legacy.h +@@ -379,7 +379,7 @@ struct b43legacy_iv { + union { + __be16 d16; + __be32 d32; +- } data __packed; ++ } __packed data; + } __packed; + + #define B43legacy_PHYMODE(phytype) (1 << (phytype)) +-- +2.39.2 + diff --git a/queue-5.15/wifi-mac80211-simplify-chanctx-allocation.patch b/queue-5.15/wifi-mac80211-simplify-chanctx-allocation.patch new file mode 100644 index 00000000000..79bc7a18e8c --- /dev/null +++ b/queue-5.15/wifi-mac80211-simplify-chanctx-allocation.patch @@ -0,0 +1,38 @@ +From 155659cd268179ff9bc42ec9dc664b93c4b672a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:45:02 +0300 +Subject: wifi: mac80211: simplify chanctx allocation + +From: Johannes Berg + +[ Upstream commit 860e1b43da94551cd1e73adc36b3c64cc3e5dc01 ] + +There's no need to call ieee80211_recalc_chanctx_min_def() +since it cannot and won't call the driver anyway; just use +_ieee80211_recalc_chanctx_min_def() instead. + +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230504134511.828474-3-gregory.greenman@intel.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/chan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index 63e15f583e0a6..f32d8d07d6a30 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -563,7 +563,7 @@ ieee80211_alloc_chanctx(struct ieee80211_local *local, + ctx->conf.rx_chains_dynamic = 1; + ctx->mode = mode; + ctx->conf.radar_enabled = false; +- ieee80211_recalc_chanctx_min_def(local, ctx); ++ _ieee80211_recalc_chanctx_min_def(local, ctx); + + return ctx; + } +-- +2.39.2 + diff --git a/queue-5.15/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch b/queue-5.15/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch new file mode 100644 index 00000000000..1fe51073339 --- /dev/null +++ b/queue-5.15/wifi-rtl8xxxu-fix-authentication-timeout-due-to-inco.patch @@ -0,0 +1,73 @@ +From 8677cdd797460c8e3adb83351b2842d13acce73f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:20:55 +0800 +Subject: wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value + +From: Yun Lu + +[ Upstream commit 20429444e653ee8242dfbf815c0c37866beb371b ] + +When using rtl8192cu with rtl8xxxu driver to connect wifi, there is a +probability of failure, which shows "authentication with ... timed out". +Through debugging, it was found that the RCR register has been inexplicably +modified to an incorrect value, resulting in the nic not being able to +receive authenticated frames. + +To fix this problem, add regrcr in rtl8xxxu_priv struct, and store +the RCR value every time the register is written, and use it the next +time the register need to be modified. + +Signed-off-by: Yun Lu +Link: https://lore.kernel.org/all/20230427020512.1221062-1-luyun_611@163.com +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230512012055.2990472-1-luyun_611@163.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 1 + + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index cd3ff9847ced3..079fdbf838efc 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -1346,6 +1346,7 @@ struct rtl8xxxu_priv { + u32 rege9c; + u32 regeb4; + u32 regebc; ++ u32 regrcr; + int next_mbox; + int nr_out_eps; + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 8873070135a01..be93ffa5086a2 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -4045,6 +4045,7 @@ static int rtl8xxxu_init_device(struct ieee80211_hw *hw) + RCR_ACCEPT_MGMT_FRAME | RCR_HTC_LOC_CTRL | + RCR_APPEND_PHYSTAT | RCR_APPEND_ICV | RCR_APPEND_MIC; + rtl8xxxu_write32(priv, REG_RCR, val32); ++ priv->regrcr = val32; + + /* + * Accept all multicast +@@ -6000,7 +6001,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw, + unsigned int *total_flags, u64 multicast) + { + struct rtl8xxxu_priv *priv = hw->priv; +- u32 rcr = rtl8xxxu_read32(priv, REG_RCR); ++ u32 rcr = priv->regrcr; + + dev_dbg(&priv->udev->dev, "%s: changed_flags %08x, total_flags %08x\n", + __func__, changed_flags, *total_flags); +@@ -6046,6 +6047,7 @@ static void rtl8xxxu_configure_filter(struct ieee80211_hw *hw, + */ + + rtl8xxxu_write32(priv, REG_RCR, rcr); ++ priv->regrcr = rcr; + + *total_flags &= (FIF_ALLMULTI | FIF_FCSFAIL | FIF_BCN_PRBRESP_PROMISC | + FIF_CONTROL | FIF_OTHER_BSS | FIF_PSPOLL | +-- +2.39.2 + diff --git a/queue-5.15/xfrm-check-if_id-in-inbound-policy-secpath-match.patch b/queue-5.15/xfrm-check-if_id-in-inbound-policy-secpath-match.patch new file mode 100644 index 00000000000..d1213a1eb0b --- /dev/null +++ b/queue-5.15/xfrm-check-if_id-in-inbound-policy-secpath-match.patch @@ -0,0 +1,79 @@ +From f40dcfa1243beabf1063ade4cc5332dd74772bcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 01:14:14 +0000 +Subject: xfrm: Check if_id in inbound policy/secpath match + +From: Benedict Wong + +[ Upstream commit 8680407b6f8f5fba59e8f1d63c869abc280f04df ] + +This change ensures that if configured in the policy, the if_id set in +the policy and secpath states match during the inbound policy check. +Without this, there is potential for ambiguity where entries in the +secpath differing by only the if_id could be mismatched. + +Notably, this is checked in the outbound direction when resolving +templates to SAs, but not on the inbound path when matching SAs and +policies. + +Test: Tested against Android kernel unit tests & CTS +Signed-off-by: Benedict Wong +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_policy.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index c15ef8003caa9..3e28a84ab9227 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3238,7 +3238,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl) + + static inline int + xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, +- unsigned short family) ++ unsigned short family, u32 if_id) + { + if (xfrm_state_kern(x)) + return tmpl->optional && !xfrm_state_addr_cmp(tmpl, x, tmpl->encap_family); +@@ -3249,7 +3249,8 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, + (tmpl->allalgs || (tmpl->aalgos & (1<props.aalgo)) || + !(xfrm_id_proto_match(tmpl->id.proto, IPSEC_PROTO_ANY))) && + !(x->props.mode != XFRM_MODE_TRANSPORT && +- xfrm_state_addr_cmp(tmpl, x, family)); ++ xfrm_state_addr_cmp(tmpl, x, family)) && ++ (if_id == 0 || if_id == x->if_id); + } + + /* +@@ -3261,7 +3262,7 @@ xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, + */ + static inline int + xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start, +- unsigned short family) ++ unsigned short family, u32 if_id) + { + int idx = start; + +@@ -3271,7 +3272,7 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star + } else + start = -1; + for (; idx < sp->len; idx++) { +- if (xfrm_state_ok(tmpl, sp->xvec[idx], family)) ++ if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id)) + return ++idx; + if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) { + if (start == -1) +@@ -3648,7 +3649,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, + * are implied between each two transformations. + */ + for (i = xfrm_nr-1, k = 0; i >= 0; i--) { +- k = xfrm_policy_ok(tpp[i], sp, k, family); ++ k = xfrm_policy_ok(tpp[i], sp, k, family, if_id); + if (k < 0) { + if (k < -1) + /* "-2 - errored_index" returned */ +-- +2.39.2 +