From: Sasha Levin Date: Mon, 6 Feb 2023 13:35:48 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v5.15.93~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d1571f494625372ab5d7410fbe2067b52394b28;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch b/queue-5.15/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch new file mode 100644 index 00000000000..a2788c5cba6 --- /dev/null +++ b/queue-5.15/alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch @@ -0,0 +1,41 @@ +From eb9d717f061d8d95ce1d07ffc3b373b7f646269f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 00:22:59 -0800 +Subject: ALSA: hda/via: Avoid potential array out-of-bound in + add_secret_dac_path() + +From: Artemii Karasev + +[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ] + +snd_hda_get_connections() can return a negative error code. +It may lead to accessing 'conn' array at a negative index. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Artemii Karasev +Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs") +Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_via.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c +index a188901a83bb..29abc96dc146 100644 +--- a/sound/pci/hda/patch_via.c ++++ b/sound/pci/hda/patch_via.c +@@ -821,6 +821,9 @@ static int add_secret_dac_path(struct hda_codec *codec) + return 0; + nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn, + ARRAY_SIZE(conn) - 1); ++ if (nums < 0) ++ return nums; ++ + for (i = 0; i < nums; i++) { + if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT) + return 0; +-- +2.39.0 + diff --git a/queue-5.15/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch b/queue-5.15/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch new file mode 100644 index 00000000000..293cf695549 --- /dev/null +++ b/queue-5.15/arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch @@ -0,0 +1,43 @@ +From e8e8fc532c760a83dae3231dea745d4972f98be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 22:35:03 +0100 +Subject: arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierluigi Passaro + +[ Upstream commit 47123900f3e4a7f769631d6ec15abf44086276f6 ] + +According section +    8.2.5.313 Select Input Register (IOMUXC_UART1_RXD_SELECT_INPUT) +of  +    i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020 +the required setting for this specific pin configuration is "1" + +Signed-off-by: Pierluigi Passaro +Reviewed-by: Fabio Estevam +Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h +index a003e6af3353..56271abfb7e0 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h ++++ b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h +@@ -601,7 +601,7 @@ + #define MX8MM_IOMUXC_UART1_RXD_GPIO5_IO22 0x234 0x49C 0x000 0x5 0x0 + #define MX8MM_IOMUXC_UART1_RXD_TPSMP_HDATA24 0x234 0x49C 0x000 0x7 0x0 + #define MX8MM_IOMUXC_UART1_TXD_UART1_DCE_TX 0x238 0x4A0 0x000 0x0 0x0 +-#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x0 ++#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x1 + #define MX8MM_IOMUXC_UART1_TXD_ECSPI3_MOSI 0x238 0x4A0 0x000 0x1 0x0 + #define MX8MM_IOMUXC_UART1_TXD_GPIO5_IO23 0x238 0x4A0 0x000 0x5 0x0 + #define MX8MM_IOMUXC_UART1_TXD_TPSMP_HDATA25 0x238 0x4A0 0x000 0x7 0x0 +-- +2.39.0 + diff --git a/queue-5.15/asoc-intel-boards-fix-spelling-in-comments.patch b/queue-5.15/asoc-intel-boards-fix-spelling-in-comments.patch new file mode 100644 index 00000000000..2f271573a03 --- /dev/null +++ b/queue-5.15/asoc-intel-boards-fix-spelling-in-comments.patch @@ -0,0 +1,270 @@ +From 53b6ca34d253cc567b342ad9b919b15e280a803c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 13:48:57 -0600 +Subject: ASoC: Intel: boards: fix spelling in comments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit f1eebb3bf707b267bd8ed945d00a81c8ca31bd73 ] + +copy/paste spelling issues with platforms and buttons. + +Reviewed-by: Ranjani Sridharan +Reviewed-by: FRED OH +Reviewed-by: Péter Ujfalusi +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20220301194903.60859-3-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 6b1c0bd6fdef ("ASoC: Intel: bytcht_es8316: Drop reference count of ACPI device after use") +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bdw-rt5650.c | 2 +- + sound/soc/intel/boards/bdw-rt5677.c | 2 +- + sound/soc/intel/boards/broadwell.c | 2 +- + sound/soc/intel/boards/bxt_da7219_max98357a.c | 2 +- + sound/soc/intel/boards/bxt_rt298.c | 2 +- + sound/soc/intel/boards/bytcht_cx2072x.c | 2 +- + sound/soc/intel/boards/bytcht_da7213.c | 2 +- + sound/soc/intel/boards/bytcht_es8316.c | 2 +- + sound/soc/intel/boards/bytcr_rt5640.c | 2 +- + sound/soc/intel/boards/bytcr_rt5651.c | 2 +- + sound/soc/intel/boards/cht_bsw_max98090_ti.c | 4 ++-- + sound/soc/intel/boards/cht_bsw_nau8824.c | 4 ++-- + sound/soc/intel/boards/cht_bsw_rt5645.c | 2 +- + sound/soc/intel/boards/cht_bsw_rt5672.c | 2 +- + sound/soc/intel/boards/glk_rt5682_max98357a.c | 2 +- + sound/soc/intel/boards/haswell.c | 2 +- + 16 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/sound/soc/intel/boards/bdw-rt5650.c b/sound/soc/intel/boards/bdw-rt5650.c +index c5122d3b0e6c..7c8c2557d685 100644 +--- a/sound/soc/intel/boards/bdw-rt5650.c ++++ b/sound/soc/intel/boards/bdw-rt5650.c +@@ -299,7 +299,7 @@ static int bdw_rt5650_probe(struct platform_device *pdev) + if (!bdw_rt5650) + return -ENOMEM; + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + ret = snd_soc_fixup_dai_links_platform_name(&bdw_rt5650_card, + mach->mach_params.platform); +diff --git a/sound/soc/intel/boards/bdw-rt5677.c b/sound/soc/intel/boards/bdw-rt5677.c +index e01b7a90ca6c..e99094017909 100644 +--- a/sound/soc/intel/boards/bdw-rt5677.c ++++ b/sound/soc/intel/boards/bdw-rt5677.c +@@ -426,7 +426,7 @@ static int bdw_rt5677_probe(struct platform_device *pdev) + if (!bdw_rt5677) + return -ENOMEM; + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + ret = snd_soc_fixup_dai_links_platform_name(&bdw_rt5677_card, + mach->mach_params.platform); +diff --git a/sound/soc/intel/boards/broadwell.c b/sound/soc/intel/boards/broadwell.c +index 3c3aff9c61cc..f18dcda23e74 100644 +--- a/sound/soc/intel/boards/broadwell.c ++++ b/sound/soc/intel/boards/broadwell.c +@@ -292,7 +292,7 @@ static int broadwell_audio_probe(struct platform_device *pdev) + + broadwell_rt286.dev = &pdev->dev; + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + ret = snd_soc_fixup_dai_links_platform_name(&broadwell_rt286, + mach->mach_params.platform); +diff --git a/sound/soc/intel/boards/bxt_da7219_max98357a.c b/sound/soc/intel/boards/bxt_da7219_max98357a.c +index e67ddfb8e469..e49c64f54a12 100644 +--- a/sound/soc/intel/boards/bxt_da7219_max98357a.c ++++ b/sound/soc/intel/boards/bxt_da7219_max98357a.c +@@ -825,7 +825,7 @@ static int broxton_audio_probe(struct platform_device *pdev) + } + } + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + platform_name = mach->mach_params.platform; + +diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c +index 47f6b1523ae6..0d1df37ecea0 100644 +--- a/sound/soc/intel/boards/bxt_rt298.c ++++ b/sound/soc/intel/boards/bxt_rt298.c +@@ -628,7 +628,7 @@ static int broxton_audio_probe(struct platform_device *pdev) + card->dev = &pdev->dev; + snd_soc_card_set_drvdata(card, ctx); + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + platform_name = mach->mach_params.platform; + +diff --git a/sound/soc/intel/boards/bytcht_cx2072x.c b/sound/soc/intel/boards/bytcht_cx2072x.c +index a9e51bbf018c..0fc57db6e92c 100644 +--- a/sound/soc/intel/boards/bytcht_cx2072x.c ++++ b/sound/soc/intel/boards/bytcht_cx2072x.c +@@ -257,7 +257,7 @@ static int snd_byt_cht_cx2072x_probe(struct platform_device *pdev) + byt_cht_cx2072x_dais[dai_index].codecs->name = codec_name; + } + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + ret = snd_soc_fixup_dai_links_platform_name(&byt_cht_cx2072x_card, + mach->mach_params.platform); + if (ret) +diff --git a/sound/soc/intel/boards/bytcht_da7213.c b/sound/soc/intel/boards/bytcht_da7213.c +index a28773fb7892..21b6bebc9a26 100644 +--- a/sound/soc/intel/boards/bytcht_da7213.c ++++ b/sound/soc/intel/boards/bytcht_da7213.c +@@ -260,7 +260,7 @@ static int bytcht_da7213_probe(struct platform_device *pdev) + dailink[dai_index].codecs->name = codec_name; + } + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + platform_name = mach->mach_params.platform; + + ret_val = snd_soc_fixup_dai_links_platform_name(card, platform_name); +diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c +index 950457bcc28f..78b7e24b0c79 100644 +--- a/sound/soc/intel/boards/bytcht_es8316.c ++++ b/sound/soc/intel/boards/bytcht_es8316.c +@@ -504,7 +504,7 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev) + return -ENXIO; + } + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + byt_cht_es8316_card.dev = dev; + platform_name = mach->mach_params.platform; + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 888e04c57757..7795632cb38f 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -1733,7 +1733,7 @@ static int snd_byt_rt5640_mc_probe(struct platform_device *pdev) + byt_rt5640_card.long_name = byt_rt5640_long_name; + #endif + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + platform_name = mach->mach_params.platform; + + ret_val = snd_soc_fixup_dai_links_platform_name(&byt_rt5640_card, +diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c +index e94c9124d4f4..31219874c2ae 100644 +--- a/sound/soc/intel/boards/bytcr_rt5651.c ++++ b/sound/soc/intel/boards/bytcr_rt5651.c +@@ -1104,7 +1104,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + byt_rt5651_card.long_name = byt_rt5651_long_name; + #endif + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + platform_name = mach->mach_params.platform; + + ret_val = snd_soc_fixup_dai_links_platform_name(&byt_rt5651_card, +diff --git a/sound/soc/intel/boards/cht_bsw_max98090_ti.c b/sound/soc/intel/boards/cht_bsw_max98090_ti.c +index 131882378a59..ba6de1e389cd 100644 +--- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c ++++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c +@@ -296,7 +296,7 @@ static int cht_max98090_headset_init(struct snd_soc_component *component) + int ret; + + /* +- * TI supports 4 butons headset detection ++ * TI supports 4 buttons headset detection + * KEY_MEDIA + * KEY_VOICECOMMAND + * KEY_VOLUMEUP +@@ -558,7 +558,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev) + dev_dbg(dev, "Unable to add GPIO mapping table\n"); + } + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + snd_soc_card_cht.dev = &pdev->dev; + mach = pdev->dev.platform_data; + platform_name = mach->mach_params.platform; +diff --git a/sound/soc/intel/boards/cht_bsw_nau8824.c b/sound/soc/intel/boards/cht_bsw_nau8824.c +index da5a5cbc8759..779b388db85d 100644 +--- a/sound/soc/intel/boards/cht_bsw_nau8824.c ++++ b/sound/soc/intel/boards/cht_bsw_nau8824.c +@@ -100,7 +100,7 @@ static int cht_codec_init(struct snd_soc_pcm_runtime *runtime) + struct snd_soc_component *component = codec_dai->component; + int ret, jack_type; + +- /* NAU88L24 supports 4 butons headset detection ++ /* NAU88L24 supports 4 buttons headset detection + * KEY_PLAYPAUSE + * KEY_VOICECOMMAND + * KEY_VOLUMEUP +@@ -257,7 +257,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev) + return -ENOMEM; + snd_soc_card_set_drvdata(&snd_soc_card_cht, drv); + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + snd_soc_card_cht.dev = &pdev->dev; + mach = pdev->dev.platform_data; + platform_name = mach->mach_params.platform; +diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c +index 804dbc7911d5..381bf6054047 100644 +--- a/sound/soc/intel/boards/cht_bsw_rt5645.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c +@@ -653,7 +653,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev) + (cht_rt5645_quirk & CHT_RT5645_SSP0_AIF2)) + cht_dailink[dai_index].cpus->dai_name = "ssp0-port"; + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + platform_name = mach->mach_params.platform; + + ret_val = snd_soc_fixup_dai_links_platform_name(card, +diff --git a/sound/soc/intel/boards/cht_bsw_rt5672.c b/sound/soc/intel/boards/cht_bsw_rt5672.c +index 9509b6e161b8..ba96741c7771 100644 +--- a/sound/soc/intel/boards/cht_bsw_rt5672.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5672.c +@@ -483,7 +483,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev) + drv->use_ssp0 = true; + } + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + snd_soc_card_cht.dev = &pdev->dev; + platform_name = mach->mach_params.platform; + +diff --git a/sound/soc/intel/boards/glk_rt5682_max98357a.c b/sound/soc/intel/boards/glk_rt5682_max98357a.c +index 71fe26a1b701..99b3d7642cb7 100644 +--- a/sound/soc/intel/boards/glk_rt5682_max98357a.c ++++ b/sound/soc/intel/boards/glk_rt5682_max98357a.c +@@ -604,7 +604,7 @@ static int geminilake_audio_probe(struct platform_device *pdev) + card->dev = &pdev->dev; + snd_soc_card_set_drvdata(card, ctx); + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + platform_name = mach->mach_params.platform; + +diff --git a/sound/soc/intel/boards/haswell.c b/sound/soc/intel/boards/haswell.c +index c763bfeb1f38..b5ca3177be6a 100644 +--- a/sound/soc/intel/boards/haswell.c ++++ b/sound/soc/intel/boards/haswell.c +@@ -175,7 +175,7 @@ static int haswell_audio_probe(struct platform_device *pdev) + + haswell_rt5640.dev = &pdev->dev; + +- /* override plaform name, if required */ ++ /* override platform name, if required */ + mach = pdev->dev.platform_data; + ret = snd_soc_fixup_dai_links_platform_name(&haswell_rt5640, + mach->mach_params.platform); +-- +2.39.0 + diff --git a/queue-5.15/asoc-intel-bytcht_es8316-drop-reference-count-of-acp.patch b/queue-5.15/asoc-intel-bytcht_es8316-drop-reference-count-of-acp.patch new file mode 100644 index 00000000000..ad835814b33 --- /dev/null +++ b/queue-5.15/asoc-intel-bytcht_es8316-drop-reference-count-of-acp.patch @@ -0,0 +1,84 @@ +From 1a53764eef777ce803a24949f2771ce947ef4ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 13:28:48 +0200 +Subject: ASoC: Intel: bytcht_es8316: Drop reference count of ACPI device after + use + +From: Andy Shevchenko + +[ Upstream commit 6b1c0bd6fdefbf3c3d75680c2708f5423ef72e46 ] + +Theoretically the device might gone if its reference count drops to 0. +This might be the case when we try to find the first physical node of +the ACPI device. We need to keep reference to it until we get a result +of the above mentioned call. Refactor the code to drop the reference +count at the correct place. + +While at it, move to acpi_dev_put() as symmetrical call to the +acpi_dev_get_first_match_dev(). + +Fixes: 3c22a73fb873 ("ASoC: Intel: bytcht_es8316: fix HID handling") +Signed-off-by: Andy Shevchenko +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230112112852.67714-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcht_es8316.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c +index 95058398b1be..b5c97d35864a 100644 +--- a/sound/soc/intel/boards/bytcht_es8316.c ++++ b/sound/soc/intel/boards/bytcht_es8316.c +@@ -497,21 +497,28 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev) + if (adev) { + snprintf(codec_name, sizeof(codec_name), + "i2c-%s", acpi_dev_name(adev)); +- put_device(&adev->dev); + byt_cht_es8316_dais[dai_index].codecs->name = codec_name; + } else { + dev_err(dev, "Error cannot find '%s' dev\n", mach->id); + return -ENXIO; + } + ++ codec_dev = acpi_get_first_physical_node(adev); ++ acpi_dev_put(adev); ++ if (!codec_dev) ++ return -EPROBE_DEFER; ++ priv->codec_dev = get_device(codec_dev); ++ + /* override platform name, if required */ + byt_cht_es8316_card.dev = dev; + platform_name = mach->mach_params.platform; + + ret = snd_soc_fixup_dai_links_platform_name(&byt_cht_es8316_card, + platform_name); +- if (ret) ++ if (ret) { ++ put_device(codec_dev); + return ret; ++ } + + /* Check for BYTCR or other platform and setup quirks */ + dmi_id = dmi_first_match(byt_cht_es8316_quirk_table); +@@ -539,13 +546,10 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev) + + /* get the clock */ + priv->mclk = devm_clk_get(dev, "pmc_plt_clk_3"); +- if (IS_ERR(priv->mclk)) ++ if (IS_ERR(priv->mclk)) { ++ put_device(codec_dev); + return dev_err_probe(dev, PTR_ERR(priv->mclk), "clk_get pmc_plt_clk_3 failed\n"); +- +- codec_dev = acpi_get_first_physical_node(adev); +- if (!codec_dev) +- return -EPROBE_DEFER; +- priv->codec_dev = get_device(codec_dev); ++ } + + if (quirk & BYT_CHT_ES8316_JD_INVERTED) + props[cnt++] = PROPERTY_ENTRY_BOOL("everest,jack-detect-inverted"); +-- +2.39.0 + diff --git a/queue-5.15/asoc-intel-bytcht_es8316-move-comment-to-the-right-p.patch b/queue-5.15/asoc-intel-bytcht_es8316-move-comment-to-the-right-p.patch new file mode 100644 index 00000000000..1002aa0f5de --- /dev/null +++ b/queue-5.15/asoc-intel-bytcht_es8316-move-comment-to-the-right-p.patch @@ -0,0 +1,49 @@ +From 0aaa0b6ba99df14fa9744df4ad931d142cddb577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 13:26:10 -0600 +Subject: ASoC: Intel: bytcht_es8316: move comment to the right place +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit fe0596a006081bc963874d4f3d38cd0b1b5e46d4 ] + +Additional code was added and the comment on the speaker GPIO needs to +be moved before we actually try to get the GPIO. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Bard Liao +Reviewed-by: Péter Ujfalusi +Link: https://lore.kernel.org/r/20220308192610.392950-21-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 6b1c0bd6fdef ("ASoC: Intel: bytcht_es8316: Drop reference count of ACPI device after use") +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcht_es8316.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c +index 78b7e24b0c79..95058398b1be 100644 +--- a/sound/soc/intel/boards/bytcht_es8316.c ++++ b/sound/soc/intel/boards/bytcht_es8316.c +@@ -542,7 +542,6 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev) + if (IS_ERR(priv->mclk)) + return dev_err_probe(dev, PTR_ERR(priv->mclk), "clk_get pmc_plt_clk_3 failed\n"); + +- /* get speaker enable GPIO */ + codec_dev = acpi_get_first_physical_node(adev); + if (!codec_dev) + return -EPROBE_DEFER; +@@ -568,6 +567,7 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev) + } + } + ++ /* get speaker enable GPIO */ + devm_acpi_dev_add_driver_gpios(codec_dev, byt_cht_es8316_gpios); + priv->speaker_en_gpio = + gpiod_get_optional(codec_dev, "speaker-enable", +-- +2.39.0 + diff --git a/queue-5.15/asoc-intel-bytcr_rt5640-drop-reference-count-of-acpi.patch b/queue-5.15/asoc-intel-bytcr_rt5640-drop-reference-count-of-acpi.patch new file mode 100644 index 00000000000..ae25c3996bf --- /dev/null +++ b/queue-5.15/asoc-intel-bytcr_rt5640-drop-reference-count-of-acpi.patch @@ -0,0 +1,68 @@ +From 9463426a50e207af3b25279c5a431d0eb3de2f12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 13:28:50 +0200 +Subject: ASoC: Intel: bytcr_rt5640: Drop reference count of ACPI device after + use + +From: Andy Shevchenko + +[ Upstream commit cbf87bcf46e399e9a5288430d940efbad3551c68 ] + +Theoretically the device might gone if its reference count drops to 0. +This might be the case when we try to find the first physical node of +the ACPI device. We need to keep reference to it until we get a result +of the above mentioned call. Refactor the code to drop the reference +count at the correct place. + +While at it, move to acpi_dev_put() as symmetrical call to the +acpi_dev_get_first_match_dev(). + +Fixes: a232b96dcece ("ASoC: Intel: bytcr_rt5640: use HID translation util") +Signed-off-by: Andy Shevchenko +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230112112852.67714-4-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5640.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index 7795632cb38f..5f6e2bb32440 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -1561,13 +1561,18 @@ static int snd_byt_rt5640_mc_probe(struct platform_device *pdev) + if (adev) { + snprintf(byt_rt5640_codec_name, sizeof(byt_rt5640_codec_name), + "i2c-%s", acpi_dev_name(adev)); +- put_device(&adev->dev); + byt_rt5640_dais[dai_index].codecs->name = byt_rt5640_codec_name; + } else { + dev_err(&pdev->dev, "Error cannot find '%s' dev\n", mach->id); + return -ENXIO; + } + ++ codec_dev = acpi_get_first_physical_node(adev); ++ acpi_dev_put(adev); ++ if (!codec_dev) ++ return -EPROBE_DEFER; ++ priv->codec_dev = get_device(codec_dev); ++ + /* + * swap SSP0 if bytcr is detected + * (will be overridden if DMI quirk is detected) +@@ -1642,11 +1647,6 @@ static int snd_byt_rt5640_mc_probe(struct platform_device *pdev) + byt_rt5640_quirk = quirk_override; + } + +- codec_dev = acpi_get_first_physical_node(adev); +- if (!codec_dev) +- return -EPROBE_DEFER; +- priv->codec_dev = get_device(codec_dev); +- + if (byt_rt5640_quirk & BYT_RT5640_JD_HP_ELITEP_1000G2) { + acpi_dev_add_driver_gpios(ACPI_COMPANION(priv->codec_dev), + byt_rt5640_hp_elitepad_1000g2_gpios); +-- +2.39.0 + diff --git a/queue-5.15/asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch b/queue-5.15/asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch new file mode 100644 index 00000000000..47d1e6448d7 --- /dev/null +++ b/queue-5.15/asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch @@ -0,0 +1,52 @@ +From c2780e7f9b3e4b29dba217765bb66499207e69ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 13:28:49 +0200 +Subject: ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after + use + +From: Andy Shevchenko + +[ Upstream commit 721858823d7cdc8f2a897579b040e935989f6f02 ] + +Theoretically the device might gone if its reference count drops to 0. +This might be the case when we try to find the first physical node of +the ACPI device. We need to keep reference to it until we get a result +of the above mentioned call. Refactor the code to drop the reference +count at the correct place. + +While at it, move to acpi_dev_put() as symmetrical call to the +acpi_dev_get_first_match_dev(). + +Fixes: 02c0a3b3047f ("ASoC: Intel: bytcr_rt5651: add MCLK, quirks and cleanups") +Signed-off-by: Andy Shevchenko +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230112112852.67714-3-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_rt5651.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c +index 31219874c2ae..93cec4d91627 100644 +--- a/sound/soc/intel/boards/bytcr_rt5651.c ++++ b/sound/soc/intel/boards/bytcr_rt5651.c +@@ -930,7 +930,6 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + if (adev) { + snprintf(byt_rt5651_codec_name, sizeof(byt_rt5651_codec_name), + "i2c-%s", acpi_dev_name(adev)); +- put_device(&adev->dev); + byt_rt5651_dais[dai_index].codecs->name = byt_rt5651_codec_name; + } else { + dev_err(&pdev->dev, "Error cannot find '%s' dev\n", mach->id); +@@ -938,6 +937,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev) + } + + codec_dev = acpi_get_first_physical_node(adev); ++ acpi_dev_put(adev); + if (!codec_dev) + return -EPROBE_DEFER; + priv->codec_dev = get_device(codec_dev); +-- +2.39.0 + diff --git a/queue-5.15/asoc-intel-bytcr_wm5102-drop-reference-count-of-acpi.patch b/queue-5.15/asoc-intel-bytcr_wm5102-drop-reference-count-of-acpi.patch new file mode 100644 index 00000000000..a0f52182d03 --- /dev/null +++ b/queue-5.15/asoc-intel-bytcr_wm5102-drop-reference-count-of-acpi.patch @@ -0,0 +1,47 @@ +From ea070fbd23728c5cadd5442c5e0888e27627d698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 13:28:51 +0200 +Subject: ASoC: Intel: bytcr_wm5102: Drop reference count of ACPI device after + use + +From: Andy Shevchenko + +[ Upstream commit c8aa49abdeda2ab587aadb083e670f6aa0236f93 ] + +Theoretically the device might gone if its reference count drops to 0. +This might be the case when we try to find the first physical node of +the ACPI device. We need to keep reference to it until we get a result +of the above mentioned call. Refactor the code to drop the reference +count at the correct place. + +While at it, move to acpi_dev_put() as symmetrical call to the +acpi_dev_get_first_match_dev(). + +Fixes: 9a87fc1e0619 ("ASoC: Intel: bytcr_wm5102: Add machine driver for BYT/WM5102") +Signed-off-by: Andy Shevchenko +Acked-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20230112112852.67714-5-andriy.shevchenko@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/bytcr_wm5102.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/intel/boards/bytcr_wm5102.c b/sound/soc/intel/boards/bytcr_wm5102.c +index bb669d58eb8b..9a4126f19d5f 100644 +--- a/sound/soc/intel/boards/bytcr_wm5102.c ++++ b/sound/soc/intel/boards/bytcr_wm5102.c +@@ -411,9 +411,9 @@ static int snd_byt_wm5102_mc_probe(struct platform_device *pdev) + return -ENOENT; + } + snprintf(codec_name, sizeof(codec_name), "spi-%s", acpi_dev_name(adev)); +- put_device(&adev->dev); + + codec_dev = bus_find_device_by_name(&spi_bus_type, NULL, codec_name); ++ acpi_dev_put(adev); + if (!codec_dev) + return -EPROBE_DEFER; + +-- +2.39.0 + diff --git a/queue-5.15/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch b/queue-5.15/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch new file mode 100644 index 00000000000..f12a1409cd6 --- /dev/null +++ b/queue-5.15/ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch @@ -0,0 +1,57 @@ +From 1c0ef79e582dc230622061be0da14ad9fc530ccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 12:27:41 +0900 +Subject: ata: libata: Fix sata_down_spd_limit() when no link speed is reported + +From: Damien Le Moal + +[ Upstream commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 ] + +Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if +driver has not recorded sstatus speed") changed the behavior of +sata_down_spd_limit() to return doing nothing if a drive does not report +a current link speed, to avoid reducing the link speed to the lowest 1.5 +Gbps speed. + +However, the change assumed that a speed was recorded before probing +(e.g. before a suspend/resume) and set in link->sata_spd. This causes +problems with adapters/drives combination failing to establish a link +speed during probe autonegotiation. One example reported of this problem +is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation +fails, leaving no recorded link speed and no reported current link +speed. Probe retries also fail as no action is taken by sata_set_spd() +after each retry. + +Fix this by returning early in sata_down_spd_limit() only if we do have +a recorded link speed, that is, if link->sata_spd is not 0. With this +fix, a failed probe not leading to a recorded link speed is retried at +the lower 1.5 Gbps speed, with the link speed potentially increased +later on the second revalidate of the device if the device reports +that it supports higher link speeds. + +Reported-by: Marius Dinu +Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed") +Reviewed-by: Niklas Cassel +Tested-by: Marius Dinu +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index c430cd3cfa17..025260b80a94 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -3076,7 +3076,7 @@ int sata_down_spd_limit(struct ata_link *link, u32 spd_limit) + */ + if (spd > 1) + mask &= (1 << (spd - 1)) - 1; +- else ++ else if (link->sata_spd) + return -EINVAL; + + /* were we already at the bottom? */ +-- +2.39.0 + diff --git a/queue-5.15/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch b/queue-5.15/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch new file mode 100644 index 00000000000..9c4894b2800 --- /dev/null +++ b/queue-5.15/block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch @@ -0,0 +1,62 @@ +From 8f6579ae02dcda230ba3a5f52becf8a33bd66509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 09:41:36 +0800 +Subject: block, bfq: fix uaf for bfqq in bic_set_bfqq() + +From: Yu Kuai + +[ Upstream commit b600de2d7d3a16f9007fad1bdae82a3951a26af2 ] + +After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), +bic->bfqq will be accessed in bic_set_bfqq(), however, in some context +bic->bfqq will be freed, and bic_set_bfqq() is called with the freed +bic->bfqq. + +Fix the problem by always freeing bfqq after bic_set_bfqq(). + +Fixes: 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") +Reported-and-tested-by: Shinichiro Kawasaki +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230130014136.591038-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 2 +- + block/bfq-iosched.c | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index 4ac6f59a3679..53e275e377a7 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -756,8 +756,8 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd, + * request from the old cgroup. + */ + bfq_put_cooperator(sync_bfqq); +- bfq_release_process_ref(bfqd, sync_bfqq); + bic_set_bfqq(bic, NULL, true); ++ bfq_release_process_ref(bfqd, sync_bfqq); + } + } + } +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 8d967a67318c..f54554906451 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5359,9 +5359,11 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio) + + bfqq = bic_to_bfqq(bic, false); + if (bfqq) { +- bfq_release_process_ref(bfqd, bfqq); ++ struct bfq_queue *old_bfqq = bfqq; ++ + bfqq = bfq_get_queue(bfqd, bio, false, bic, true); + bic_set_bfqq(bic, bfqq, false); ++ bfq_release_process_ref(bfqd, old_bfqq); + } + + bfqq = bic_to_bfqq(bic, true); +-- +2.39.0 + diff --git a/queue-5.15/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch b/queue-5.15/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch new file mode 100644 index 00000000000..40340c4cf37 --- /dev/null +++ b/queue-5.15/block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch @@ -0,0 +1,53 @@ +From 92cb92d4b60f9b9e53518ea8e3eb6f1d8776ac24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 14:39:16 -0700 +Subject: block/bfq-iosched.c: use "false" rather than "BLK_RW_ASYNC" + +From: NeilBrown + +[ Upstream commit f6bad159f5d5e5b33531aba3d9b860ad8618afe0 ] + +bfq_get_queue() expects a "bool" for the third arg, so pass "false" +rather than "BLK_RW_ASYNC" which will soon be removed. + +Link: https://lkml.kernel.org/r/164549983746.9187.7949730109246767909.stgit@noble.brown +Signed-off-by: NeilBrown +Acked-by: Jens Axboe +Cc: Anna Schumaker +Cc: Chao Yu +Cc: Darrick J. Wong +Cc: Ilya Dryomov +Cc: Jaegeuk Kim +Cc: Jan Kara +Cc: Jeff Layton +Cc: Lars Ellenberg +Cc: Miklos Szeredi +Cc: Paolo Valente +Cc: Philipp Reisner +Cc: Ryusuke Konishi +Cc: Trond Myklebust +Cc: Wu Fengguang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()") +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 85120d7b5cf0..87555dc42651 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -5360,7 +5360,7 @@ static void bfq_check_ioprio_change(struct bfq_io_cq *bic, struct bio *bio) + bfqq = bic_to_bfqq(bic, false); + if (bfqq) { + bfq_release_process_ref(bfqd, bfqq); +- bfqq = bfq_get_queue(bfqd, bio, BLK_RW_ASYNC, bic, true); ++ bfqq = bfq_get_queue(bfqd, bio, false, bic, true); + bic_set_bfqq(bic, bfqq, false); + } + +-- +2.39.0 + diff --git a/queue-5.15/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch b/queue-5.15/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch new file mode 100644 index 00000000000..179d5c00f32 --- /dev/null +++ b/queue-5.15/block-bfq-replace-0-1-with-false-true-in-bic-apis.patch @@ -0,0 +1,79 @@ +From ae4c87b823cf115fcf75217ab0096c6aebb9738f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Dec 2022 11:31:55 +0800 +Subject: block, bfq: replace 0/1 with false/true in bic apis + +From: Yu Kuai + +[ Upstream commit 337366e02b370d2800110fbc99940f6ddddcbdfa ] + +Just to make the code a litter cleaner, there are no functional changes. + +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221214033155.3455754-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Stable-dep-of: b600de2d7d3a ("block, bfq: fix uaf for bfqq in bic_set_bfqq()") +Signed-off-by: Sasha Levin +--- + block/bfq-cgroup.c | 8 ++++---- + block/bfq-iosched.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c +index a8d0b4c71b05..4ac6f59a3679 100644 +--- a/block/bfq-cgroup.c ++++ b/block/bfq-cgroup.c +@@ -713,15 +713,15 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd, + struct bfq_io_cq *bic, + struct bfq_group *bfqg) + { +- struct bfq_queue *async_bfqq = bic_to_bfqq(bic, 0); +- struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, 1); ++ struct bfq_queue *async_bfqq = bic_to_bfqq(bic, false); ++ struct bfq_queue *sync_bfqq = bic_to_bfqq(bic, true); + struct bfq_entity *entity; + + if (async_bfqq) { + entity = &async_bfqq->entity; + + if (entity->sched_data != &bfqg->sched_data) { +- bic_set_bfqq(bic, NULL, 0); ++ bic_set_bfqq(bic, NULL, false); + bfq_release_process_ref(bfqd, async_bfqq); + } + } +@@ -757,7 +757,7 @@ static void *__bfq_bic_change_cgroup(struct bfq_data *bfqd, + */ + bfq_put_cooperator(sync_bfqq); + bfq_release_process_ref(bfqd, sync_bfqq); +- bic_set_bfqq(bic, NULL, 1); ++ bic_set_bfqq(bic, NULL, true); + } + } + } +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 87555dc42651..8d967a67318c 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -3046,7 +3046,7 @@ bfq_merge_bfqqs(struct bfq_data *bfqd, struct bfq_io_cq *bic, + /* + * Merge queues (that is, let bic redirect its requests to new_bfqq) + */ +- bic_set_bfqq(bic, new_bfqq, 1); ++ bic_set_bfqq(bic, new_bfqq, true); + bfq_mark_bfqq_coop(new_bfqq); + /* + * new_bfqq now belongs to at least two bics (it is a shared queue): +@@ -6475,7 +6475,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq) + return bfqq; + } + +- bic_set_bfqq(bic, NULL, 1); ++ bic_set_bfqq(bic, NULL, true); + + bfq_put_cooperator(bfqq); + +-- +2.39.0 + diff --git a/queue-5.15/bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch b/queue-5.15/bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch new file mode 100644 index 00000000000..8e6db319983 --- /dev/null +++ b/queue-5.15/bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch @@ -0,0 +1,55 @@ +From 93e11619ad069b9c3bf2f50086e79f84e7a63486 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 12:48:15 -0800 +Subject: bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() + helpers + +From: Yonghong Song + +[ Upstream commit bdb7fdb0aca8b96cef9995d3a57e251c2289322f ] + +In current bpf_send_signal() and bpf_send_signal_thread() helper +implementation, irq_work is used to handle nmi context. Hao Sun +reported in [1] that the current task at the entry of the helper +might be gone during irq_work callback processing. To fix the issue, +a reference is acquired for the current task before enqueuing into +the irq_work so that the queued task is still available during +irq_work callback processing. + + [1] https://lore.kernel.org/bpf/20230109074425.12556-1-sunhao.th@gmail.com/ + +Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper") +Tested-by: Hao Sun +Reported-by: Hao Sun +Signed-off-by: Yonghong Song +Link: https://lore.kernel.org/r/20230118204815.3331855-1-yhs@fb.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 4daf1e044556..b314e71a008c 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -776,6 +776,7 @@ static void do_bpf_send_signal(struct irq_work *entry) + + work = container_of(entry, struct send_signal_irq_work, irq_work); + group_send_sig_info(work->sig, SEND_SIG_PRIV, work->task, work->type); ++ put_task_struct(work->task); + } + + static int bpf_send_signal_common(u32 sig, enum pid_type type) +@@ -812,7 +813,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type) + * to the irq_work. The current task may change when queued + * irq works get executed. + */ +- work->task = current; ++ work->task = get_task_struct(current); + work->sig = sig; + work->type = type; + irq_work_queue(&work->irq_work); +-- +2.39.0 + diff --git a/queue-5.15/bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch b/queue-5.15/bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch new file mode 100644 index 00000000000..a8f71dd85bf --- /dev/null +++ b/queue-5.15/bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch @@ -0,0 +1,193 @@ +From 82416eefadb0653207e4c4f945f64a0337577217 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 16:22:13 +0200 +Subject: bpf: Fix to preserve reg parent/live fields when copying range info + +From: Eduard Zingerman + +[ Upstream commit 71f656a50176915d6813751188b5758daa8d012b ] + +Register range information is copied in several places. The intent is +to transfer range/id information from one register/stack spill to +another. Currently this is done using direct register assignment, e.g.: + +static void find_equal_scalars(..., struct bpf_reg_state *known_reg) +{ + ... + struct bpf_reg_state *reg; + ... + *reg = *known_reg; + ... +} + +However, such assignments also copy the following bpf_reg_state fields: + +struct bpf_reg_state { + ... + struct bpf_reg_state *parent; + ... + enum bpf_reg_liveness live; + ... +}; + +Copying of these fields is accidental and incorrect, as could be +demonstrated by the following example: + + 0: call ktime_get_ns() + 1: r6 = r0 + 2: call ktime_get_ns() + 3: r7 = r0 + 4: if r0 > r6 goto +1 ; r0 & r6 are unbound thus generated + ; branch states are identical + 5: *(u64 *)(r10 - 8) = 0xdeadbeef ; 64-bit write to fp[-8] + --- checkpoint --- + 6: r1 = 42 ; r1 marked as written + 7: *(u8 *)(r10 - 8) = r1 ; 8-bit write, fp[-8] parent & live + ; overwritten + 8: r2 = *(u64 *)(r10 - 8) + 9: r0 = 0 + 10: exit + +This example is unsafe because 64-bit write to fp[-8] at (5) is +conditional, thus not all bytes of fp[-8] are guaranteed to be set +when it is read at (8). However, currently the example passes +verification. + +First, the execution path 1-10 is examined by verifier. +Suppose that a new checkpoint is created by is_state_visited() at (6). +After checkpoint creation: +- r1.parent points to checkpoint.r1, +- fp[-8].parent points to checkpoint.fp[-8]. +At (6) the r1.live is set to REG_LIVE_WRITTEN. +At (7) the fp[-8].parent is set to r1.parent and fp[-8].live is set to +REG_LIVE_WRITTEN, because of the following code called in +check_stack_write_fixed_off(): + +static void save_register_state(struct bpf_func_state *state, + int spi, struct bpf_reg_state *reg, + int size) +{ + ... + state->stack[spi].spilled_ptr = *reg; // <--- parent & live copied + if (size == BPF_REG_SIZE) + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + ... +} + +Note the intent to mark stack spill as written only if 8 bytes are +spilled to a slot, however this intent is spoiled by a 'live' field copy. +At (8) the checkpoint.fp[-8] should be marked as REG_LIVE_READ but +this does not happen: +- fp[-8] in a current state is already marked as REG_LIVE_WRITTEN; +- fp[-8].parent points to checkpoint.r1, parentage chain is used by + mark_reg_read() to mark checkpoint states. +At (10) the verification is finished for path 1-10 and jump 4-6 is +examined. The checkpoint.fp[-8] never gets REG_LIVE_READ mark and this +spill is pruned from the cached states by clean_live_states(). Hence +verifier state obtained via path 1-4,6 is deemed identical to one +obtained via path 1-6 and program marked as safe. + +Note: the example should be executed with BPF_F_TEST_STATE_FREQ flag +set to force creation of intermediate verifier states. + +This commit revisits the locations where bpf_reg_state instances are +copied and replaces the direct copies with a call to a function +copy_register_state(dst, src) that preserves 'parent' and 'live' +fields of the 'dst'. + +Fixes: 679c782de14b ("bpf/verifier: per-register parent pointers") +Signed-off-by: Eduard Zingerman +Link: https://lore.kernel.org/r/20230106142214.1040390-2-eddyz87@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index d2ccf7725e73..1c89c25327c8 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2613,13 +2613,24 @@ static bool __is_pointer_value(bool allow_ptr_leaks, + return reg->type != SCALAR_VALUE; + } + ++/* Copy src state preserving dst->parent and dst->live fields */ ++static void copy_register_state(struct bpf_reg_state *dst, const struct bpf_reg_state *src) ++{ ++ struct bpf_reg_state *parent = dst->parent; ++ enum bpf_reg_liveness live = dst->live; ++ ++ *dst = *src; ++ dst->parent = parent; ++ dst->live = live; ++} ++ + static void save_register_state(struct bpf_func_state *state, + int spi, struct bpf_reg_state *reg, + int size) + { + int i; + +- state->stack[spi].spilled_ptr = *reg; ++ copy_register_state(&state->stack[spi].spilled_ptr, reg); + if (size == BPF_REG_SIZE) + state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + +@@ -2945,7 +2956,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + */ + s32 subreg_def = state->regs[dst_regno].subreg_def; + +- state->regs[dst_regno] = *reg; ++ copy_register_state(&state->regs[dst_regno], reg); + state->regs[dst_regno].subreg_def = subreg_def; + } else { + for (i = 0; i < size; i++) { +@@ -2972,7 +2983,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + + if (dst_regno >= 0) { + /* restore register state from stack */ +- state->regs[dst_regno] = *reg; ++ copy_register_state(&state->regs[dst_regno], reg); + /* mark reg as written since spilled pointer state likely + * has its liveness marks cleared by is_state_visited() + * which resets stack/reg liveness for state transitions +@@ -6904,7 +6915,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, + */ + if (!ptr_is_dst_reg) { + tmp = *dst_reg; +- *dst_reg = *ptr_reg; ++ copy_register_state(dst_reg, ptr_reg); + } + ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1, + env->insn_idx); +@@ -8160,7 +8171,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + * to propagate min/max range. + */ + src_reg->id = ++env->id_gen; +- *dst_reg = *src_reg; ++ copy_register_state(dst_reg, src_reg); + dst_reg->live |= REG_LIVE_WRITTEN; + dst_reg->subreg_def = DEF_NOT_SUBREG; + } else { +@@ -8171,7 +8182,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) + insn->src_reg); + return -EACCES; + } else if (src_reg->type == SCALAR_VALUE) { +- *dst_reg = *src_reg; ++ copy_register_state(dst_reg, src_reg); + /* Make sure ID is cleared otherwise + * dst_reg min/max could be incorrectly + * propagated into src_reg by find_equal_scalars() +@@ -8967,7 +8978,7 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, + + bpf_for_each_reg_in_vstate(vstate, state, reg, ({ + if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) +- *reg = *known_reg; ++ copy_register_state(reg, known_reg); + })); + } + +-- +2.39.0 + diff --git a/queue-5.15/bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch b/queue-5.15/bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch new file mode 100644 index 00000000000..35ffdf76a96 --- /dev/null +++ b/queue-5.15/bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch @@ -0,0 +1,102 @@ +From 19f89205046077c379715cd2ef2a45f856b6ea60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jan 2023 13:41:44 +0100 +Subject: bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener + +From: Jakub Sitnicki + +[ Upstream commit ddce1e091757d0259107c6c0c7262df201de2b66 ] + +A listening socket linked to a sockmap has its sk_prot overridden. It +points to one of the struct proto variants in tcp_bpf_prots. The variant +depends on the socket's family and which sockmap programs are attached. + +A child socket cloned from a TCP listener initially inherits their sk_prot. +But before cloning is finished, we restore the child's proto to the +listener's original non-tcp_bpf_prots one. This happens in +tcp_create_openreq_child -> tcp_bpf_clone. + +Today, in tcp_bpf_clone we detect if the child's proto should be restored +by checking only for the TCP_BPF_BASE proto variant. This is not +correct. The sk_prot of listening socket linked to a sockmap can point to +to any variant in tcp_bpf_prots. + +If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then +the child socket unintentionally is left if the inherited sk_prot by +tcp_bpf_clone. + +This leads to issues like infinite recursion on close [1], because the +child state is otherwise not set up for use with tcp_bpf_prot operations. + +Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants. + +Note that it wouldn't be sufficient to check the socket state when +overriding the sk_prot in tcp_bpf_update_proto in order to always use the +TCP_BPF_BASE variant for listening sockets. Since commit +b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") +it is possible for a socket to transition to TCP_LISTEN state while already +linked to a sockmap, e.g. connect() -> insert into map -> +connect(AF_UNSPEC) -> listen(). + +[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/ + +Fixes: e80251555f0b ("tcp_bpf: Don't let child socket inherit parent protocol ops on copy") +Reported-by: syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com +Signed-off-by: Jakub Sitnicki +Acked-by: John Fastabend +Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-2-1e0ee7ac2f90@cloudflare.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/util_macros.h | 12 ++++++++++++ + net/ipv4/tcp_bpf.c | 4 ++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/include/linux/util_macros.h b/include/linux/util_macros.h +index 72299f261b25..43db6e47503c 100644 +--- a/include/linux/util_macros.h ++++ b/include/linux/util_macros.h +@@ -38,4 +38,16 @@ + */ + #define find_closest_descending(x, a, as) __find_closest(x, a, as, >=) + ++/** ++ * is_insidevar - check if the @ptr points inside the @var memory range. ++ * @ptr: the pointer to a memory address. ++ * @var: the variable which address and size identify the memory range. ++ * ++ * Evaluates to true if the address in @ptr lies within the memory ++ * range allocated to @var. ++ */ ++#define is_insidevar(ptr, var) \ ++ ((uintptr_t)(ptr) >= (uintptr_t)(var) && \ ++ (uintptr_t)(ptr) < (uintptr_t)(var) + sizeof(var)) ++ + #endif +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index b4b642e3de78..7f34c455651d 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -640,10 +641,9 @@ EXPORT_SYMBOL_GPL(tcp_bpf_update_proto); + */ + void tcp_bpf_clone(const struct sock *sk, struct sock *newsk) + { +- int family = sk->sk_family == AF_INET6 ? TCP_BPF_IPV6 : TCP_BPF_IPV4; + struct proto *prot = newsk->sk_prot; + +- if (prot == &tcp_bpf_prots[family][TCP_BPF_BASE]) ++ if (is_insidevar(prot, tcp_bpf_prots)) + newsk->sk_prot = sk->sk_prot_creator; + } + #endif /* CONFIG_BPF_SYSCALL */ +-- +2.39.0 + diff --git a/queue-5.15/bpf-support-8-byte-scalar-spill-and-refill.patch b/queue-5.15/bpf-support-8-byte-scalar-spill-and-refill.patch new file mode 100644 index 00000000000..e8d533ace5c --- /dev/null +++ b/queue-5.15/bpf-support-8-byte-scalar-spill-and-refill.patch @@ -0,0 +1,219 @@ +From 4ee99b4a7778c070fae3fcba2dd382ef817e811c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 17:49:41 -0700 +Subject: bpf: Support <8-byte scalar spill and refill + +From: Martin KaFai Lau + +[ Upstream commit 354e8f1970f821d4952458f77b1ab6c3eb24d530 ] + +The verifier currently does not save the reg state when +spilling <8byte bounded scalar to the stack. The bpf program +will be incorrectly rejected when this scalar is refilled to +the reg and then used to offset into a packet header. +The later patch has a simplified bpf prog from a real use case +to demonstrate this case. The current work around is +to reparse the packet again such that this offset scalar +is close to where the packet data will be accessed to +avoid the spill. Thus, the header is parsed twice. + +The llvm patch [1] will align the <8bytes spill to +the 8-byte stack address. This can simplify the verifier +support by avoiding to store multiple reg states for +each 8 byte stack slot. + +This patch changes the verifier to save the reg state when +spilling <8bytes scalar to the stack. This reg state saving +is limited to spill aligned to the 8-byte stack address. +The current refill logic has already called coerce_reg_to_size(), +so coerce_reg_to_size() is not called on state->stack[spi].spilled_ptr +during spill. + +When refilling in check_stack_read_fixed_off(), it checks +the refill size is the same as the number of bytes marked with +STACK_SPILL before restoring the reg state. When restoring +the reg state to state->regs[dst_regno], it needs +to avoid the state->regs[dst_regno].subreg_def being +over written because it has been marked by the check_reg_arg() +earlier [check_mem_access() is called after check_reg_arg() in +do_check()]. Reordering check_mem_access() and check_reg_arg() +will need a lot of changes in test_verifier's tests because +of the difference in verifier's error message. Thus, the +patch here is to save the state->regs[dst_regno].subreg_def +first in check_stack_read_fixed_off(). + +There are cases that the verifier needs to scrub the spilled slot +from STACK_SPILL to STACK_MISC. After this patch the spill is not always +in 8 bytes now, so it can no longer assume the other 7 bytes are always +marked as STACK_SPILL. In particular, the scrub needs to avoid marking +an uninitialized byte from STACK_INVALID to STACK_MISC. Otherwise, the +verifier will incorrectly accept bpf program reading uninitialized bytes +from the stack. A new helper scrub_spilled_slot() is created for this +purpose. + +[1]: https://reviews.llvm.org/D109073 + +Signed-off-by: Martin KaFai Lau +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20210922004941.625398-1-kafai@fb.com +Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info") +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 67 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 52 insertions(+), 15 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 49e51fc0c2f4..d2ccf7725e73 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -614,6 +614,12 @@ static bool is_spilled_reg(const struct bpf_stack_state *stack) + return stack->slot_type[BPF_REG_SIZE - 1] == STACK_SPILL; + } + ++static void scrub_spilled_slot(u8 *stype) ++{ ++ if (*stype != STACK_INVALID) ++ *stype = STACK_MISC; ++} ++ + static void print_verifier_state(struct bpf_verifier_env *env, + const struct bpf_func_state *state) + { +@@ -2608,15 +2614,21 @@ static bool __is_pointer_value(bool allow_ptr_leaks, + } + + static void save_register_state(struct bpf_func_state *state, +- int spi, struct bpf_reg_state *reg) ++ int spi, struct bpf_reg_state *reg, ++ int size) + { + int i; + + state->stack[spi].spilled_ptr = *reg; +- state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; ++ if (size == BPF_REG_SIZE) ++ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; + +- for (i = 0; i < BPF_REG_SIZE; i++) +- state->stack[spi].slot_type[i] = STACK_SPILL; ++ for (i = BPF_REG_SIZE; i > BPF_REG_SIZE - size; i--) ++ state->stack[spi].slot_type[i - 1] = STACK_SPILL; ++ ++ /* size < 8 bytes spill */ ++ for (; i; i--) ++ scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]); + } + + /* check_stack_{read,write}_fixed_off functions track spill/fill of registers, +@@ -2665,7 +2677,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + env->insn_aux_data[insn_idx].sanitize_stack_spill = true; + } + +- if (reg && size == BPF_REG_SIZE && register_is_bounded(reg) && ++ if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) && + !register_is_null(reg) && env->bpf_capable) { + if (dst_reg != BPF_REG_FP) { + /* The backtracking logic can only recognize explicit +@@ -2678,7 +2690,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + if (err) + return err; + } +- save_register_state(state, spi, reg); ++ save_register_state(state, spi, reg, size); + } else if (reg && is_spillable_regtype(reg->type)) { + /* register containing pointer is being spilled into stack */ + if (size != BPF_REG_SIZE) { +@@ -2690,7 +2702,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + verbose(env, "cannot spill pointers to stack into stack frame of the caller\n"); + return -EINVAL; + } +- save_register_state(state, spi, reg); ++ save_register_state(state, spi, reg, size); + } else { + u8 type = STACK_MISC; + +@@ -2699,7 +2711,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + /* Mark slots as STACK_MISC if they belonged to spilled ptr. */ + if (is_spilled_reg(&state->stack[spi])) + for (i = 0; i < BPF_REG_SIZE; i++) +- state->stack[spi].slot_type[i] = STACK_MISC; ++ scrub_spilled_slot(&state->stack[spi].slot_type[i]); + + /* only mark the slot as written if all 8 bytes were written + * otherwise read propagation may incorrectly stop too soon +@@ -2905,23 +2917,50 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + struct bpf_func_state *state = vstate->frame[vstate->curframe]; + int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; + struct bpf_reg_state *reg; +- u8 *stype; ++ u8 *stype, type; + + stype = reg_state->stack[spi].slot_type; + reg = ®_state->stack[spi].spilled_ptr; + + if (is_spilled_reg(®_state->stack[spi])) { + if (size != BPF_REG_SIZE) { ++ u8 scalar_size = 0; ++ + if (reg->type != SCALAR_VALUE) { + verbose_linfo(env, env->insn_idx, "; "); + verbose(env, "invalid size of register fill\n"); + return -EACCES; + } +- if (dst_regno >= 0) { ++ ++ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); ++ if (dst_regno < 0) ++ return 0; ++ ++ for (i = BPF_REG_SIZE; i > 0 && stype[i - 1] == STACK_SPILL; i--) ++ scalar_size++; ++ ++ if (!(off % BPF_REG_SIZE) && size == scalar_size) { ++ /* The earlier check_reg_arg() has decided the ++ * subreg_def for this insn. Save it first. ++ */ ++ s32 subreg_def = state->regs[dst_regno].subreg_def; ++ ++ state->regs[dst_regno] = *reg; ++ state->regs[dst_regno].subreg_def = subreg_def; ++ } else { ++ for (i = 0; i < size; i++) { ++ type = stype[(slot - i) % BPF_REG_SIZE]; ++ if (type == STACK_SPILL) ++ continue; ++ if (type == STACK_MISC) ++ continue; ++ verbose(env, "invalid read from stack off %d+%d size %d\n", ++ off, i, size); ++ return -EACCES; ++ } + mark_reg_unknown(env, state->regs, dst_regno); +- state->regs[dst_regno].live |= REG_LIVE_WRITTEN; + } +- mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); ++ state->regs[dst_regno].live |= REG_LIVE_WRITTEN; + return 0; + } + for (i = 1; i < BPF_REG_SIZE; i++) { +@@ -2952,8 +2991,6 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, + } + mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64); + } else { +- u8 type; +- + for (i = 0; i < size; i++) { + type = stype[(slot - i) % BPF_REG_SIZE]; + if (type == STACK_MISC) +@@ -4559,7 +4596,7 @@ static int check_stack_range_initialized( + if (clobber) { + __mark_reg_unknown(env, &state->stack[spi].spilled_ptr); + for (j = 0; j < BPF_REG_SIZE; j++) +- state->stack[spi].slot_type[j] = STACK_MISC; ++ scrub_spilled_slot(&state->stack[spi].slot_type[j]); + } + goto mark; + } +-- +2.39.0 + diff --git a/queue-5.15/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch b/queue-5.15/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch new file mode 100644 index 00000000000..f6fee3e739a --- /dev/null +++ b/queue-5.15/bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch @@ -0,0 +1,46 @@ +From 04ca4177b762194b118b41145336b8f0ec8a7c19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:42:00 +0000 +Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() + +From: Yuan Can + +[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ] + +The sunxi_rsb_init() returns the platform_driver_register() directly +without checking its return value, if platform_driver_register() failed, +the sunxi_rsb_bus is not unregistered. +Fix by unregister sunxi_rsb_bus when platform_driver_register() failed. + +Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus") +Signed-off-by: Yuan Can +Reviewed-by: Jernej Skrabec +Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com +Signed-off-by: Jernej Skrabec +Signed-off-by: Sasha Levin +--- + drivers/bus/sunxi-rsb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c +index 20ed77f2b949..fac8627b04e3 100644 +--- a/drivers/bus/sunxi-rsb.c ++++ b/drivers/bus/sunxi-rsb.c +@@ -861,7 +861,13 @@ static int __init sunxi_rsb_init(void) + return ret; + } + +- return platform_driver_register(&sunxi_rsb_driver); ++ ret = platform_driver_register(&sunxi_rsb_driver); ++ if (ret) { ++ bus_unregister(&sunxi_rsb_bus); ++ return ret; ++ } ++ ++ return 0; + } + module_init(sunxi_rsb_init); + +-- +2.39.0 + diff --git a/queue-5.15/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch b/queue-5.15/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch new file mode 100644 index 00000000000..58ff2185d5a --- /dev/null +++ b/queue-5.15/can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch @@ -0,0 +1,77 @@ +From c9058ce614a6b6de47bacdf88657f34a867750b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 17:42:00 +0800 +Subject: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate + +From: Ziyang Xuan + +[ Upstream commit d0553680f94c49bbe0e39eb50d033ba563b4212d ] + +The conclusion "j1939_session_deactivate() should be called with a +session ref-count of at least 2" is incorrect. In some concurrent +scenarios, j1939_session_deactivate can be called with the session +ref-count less than 2. But there is not any problem because it +will check the session active state before session putting in +j1939_session_deactivate_locked(). + +Here is the concurrent scenario of the problem reported by syzbot +and my reproduction log. + + cpu0 cpu1 + j1939_xtp_rx_eoma +j1939_xtp_rx_abort_one + j1939_session_get_by_addr [kref == 2] +j1939_session_get_by_addr [kref == 3] +j1939_session_deactivate [kref == 2] +j1939_session_put [kref == 1] + j1939_session_completed + j1939_session_deactivate + WARN_ON_ONCE(kref < 2) + +===================================================== +WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70 +CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +RIP: 0010:j1939_session_deactivate+0x5f/0x70 +Call Trace: + j1939_session_deactivate_activate_next+0x11/0x28 + j1939_xtp_rx_eoma+0x12a/0x180 + j1939_tp_recv+0x4a2/0x510 + j1939_can_recv+0x226/0x380 + can_rcv_filter+0xf8/0x220 + can_receive+0x102/0x220 + ? process_backlog+0xf0/0x2c0 + can_rcv+0x53/0xf0 + __netif_receive_skb_one_core+0x67/0x90 + ? process_backlog+0x97/0x2c0 + __netif_receive_skb+0x22/0x80 + +Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object") +Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Acked-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/j1939/transport.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c +index 55f29c9f9e08..4177e9617070 100644 +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1092,10 +1092,6 @@ static bool j1939_session_deactivate(struct j1939_session *session) + bool active; + + j1939_session_list_lock(priv); +- /* This function should be called with a session ref-count of at +- * least 2. +- */ +- WARN_ON_ONCE(kref_read(&session->kref) < 2); + active = j1939_session_deactivate_locked(session); + j1939_session_list_unlock(priv); + +-- +2.39.0 + diff --git a/queue-5.15/dpaa2-eth-execute-xdp_do_flush-before-napi_complete_.patch b/queue-5.15/dpaa2-eth-execute-xdp_do_flush-before-napi_complete_.patch new file mode 100644 index 00000000000..1e044128a46 --- /dev/null +++ b/queue-5.15/dpaa2-eth-execute-xdp_do_flush-before-napi_complete_.patch @@ -0,0 +1,72 @@ +From a179c24374a651a706cd51f38dff0bcb894b001b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:49:01 +0100 +Subject: dpaa2-eth: execute xdp_do_flush() before napi_complete_done() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +[ Upstream commit a3191c4d86c5d3bd35b00dfde6910b88391436a0 ] + +Make sure that xdp_do_flush() is always executed before +napi_complete_done(). This is important for two reasons. First, a +redirect to an XSKMAP assumes that a call to xdp_do_redirect() from +napi context X on CPU Y will be followed by a xdp_do_flush() from the +same napi context and CPU. This is not guaranteed if the +napi_complete_done() is executed before xdp_do_flush(), as it tells +the napi logic that it is fine to schedule napi context X on another +CPU. Details from a production system triggering this bug using the +veth driver can be found following the first link below. + +The second reason is that the XDP_REDIRECT logic in itself relies on +being inside a single NAPI instance through to the xdp_do_flush() call +for RCU protection of all in-kernel data structures. Details can be +found in the second link below. + +Fixes: d678be1dc1ec ("dpaa2-eth: add XDP_REDIRECT support") +Signed-off-by: Magnus Karlsson +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com +Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +index 5899139aec97..c48d41093651 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -1597,10 +1597,15 @@ static int dpaa2_eth_poll(struct napi_struct *napi, int budget) + if (rx_cleaned >= budget || + txconf_cleaned >= DPAA2_ETH_TXCONF_PER_NAPI) { + work_done = budget; ++ if (ch->xdp.res & XDP_REDIRECT) ++ xdp_do_flush(); + goto out; + } + } while (store_cleaned); + ++ if (ch->xdp.res & XDP_REDIRECT) ++ xdp_do_flush(); ++ + /* We didn't consume the entire budget, so finish napi and + * re-enable data availability notifications + */ +@@ -1625,9 +1630,7 @@ static int dpaa2_eth_poll(struct napi_struct *napi, int budget) + txc_fq->dq_bytes = 0; + } + +- if (ch->xdp.res & XDP_REDIRECT) +- xdp_do_flush_map(); +- else if (rx_cleaned && ch->xdp.res & XDP_TX) ++ if (rx_cleaned && ch->xdp.res & XDP_TX) + dpaa2_eth_xdp_tx_flush(priv, ch, &priv->fq[flowid]); + + return work_done; +-- +2.39.0 + diff --git a/queue-5.15/dpaa_eth-execute-xdp_do_flush-before-napi_complete_d.patch b/queue-5.15/dpaa_eth-execute-xdp_do_flush-before-napi_complete_d.patch new file mode 100644 index 00000000000..b2ff478abda --- /dev/null +++ b/queue-5.15/dpaa_eth-execute-xdp_do_flush-before-napi_complete_d.patch @@ -0,0 +1,66 @@ +From 21bf972b587e05b3d0b294c7fd301ab688052a52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:49:00 +0100 +Subject: dpaa_eth: execute xdp_do_flush() before napi_complete_done() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +[ Upstream commit b534013798b77f81a36f36dafd59bab9de837619 ] + +Make sure that xdp_do_flush() is always executed before +napi_complete_done(). This is important for two reasons. First, a +redirect to an XSKMAP assumes that a call to xdp_do_redirect() from +napi context X on CPU Y will be followed by a xdp_do_flush() from the +same napi context and CPU. This is not guaranteed if the +napi_complete_done() is executed before xdp_do_flush(), as it tells +the napi logic that it is fine to schedule napi context X on another +CPU. Details from a production system triggering this bug using the +veth driver can be found following the first link below. + +The second reason is that the XDP_REDIRECT logic in itself relies on +being inside a single NAPI instance through to the xdp_do_flush() call +for RCU protection of all in-kernel data structures. Details can be +found in the second link below. + +Fixes: a1e031ffb422 ("dpaa_eth: add XDP_REDIRECT support") +Signed-off-by: Magnus Karlsson +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com +Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ +Acked-by: Camelia Groza +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +index 685d2d8a3b36..fe5fc2b3406f 100644 +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -2395,6 +2395,9 @@ static int dpaa_eth_poll(struct napi_struct *napi, int budget) + + cleaned = qman_p_poll_dqrr(np->p, budget); + ++ if (np->xdp_act & XDP_REDIRECT) ++ xdp_do_flush(); ++ + if (cleaned < budget) { + napi_complete_done(napi, cleaned); + qman_p_irqsource_add(np->p, QM_PIRQ_DQRI); +@@ -2402,9 +2405,6 @@ static int dpaa_eth_poll(struct napi_struct *napi, int budget) + qman_p_irqsource_add(np->p, QM_PIRQ_DQRI); + } + +- if (np->xdp_act & XDP_REDIRECT) +- xdp_do_flush(); +- + return cleaned; + } + +-- +2.39.0 + diff --git a/queue-5.15/drm-amd-display-fix-timing-not-changning-when-freesy.patch b/queue-5.15/drm-amd-display-fix-timing-not-changning-when-freesy.patch new file mode 100644 index 00000000000..9406b3f0642 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-timing-not-changning-when-freesy.patch @@ -0,0 +1,49 @@ +From fce804ccdafd626e10179e89e81cf4927bd5eaec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 14:56:22 -0500 +Subject: drm/amd/display: Fix timing not changning when freesync video is + enabled + +From: Aurabindo Pillai + +[ Upstream commit 4b069553246f993c4221e382d0d0ae34f5ba730e ] + +[Why&How] +Switching between certain modes that are freesync video modes and those +are not freesync video modes result in timing not changing as seen by +the monitor due to incorrect timing being driven. + +The issue is fixed by ensuring that when a non freesync video mode is +set, we reset the freesync status on the crtc. + +Reviewed-by: Nicholas Kazlauskas +Acked-by: Alan Liu +Signed-off-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index a2d9e0af0654..e9797439bb0e 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -10136,6 +10136,13 @@ static int dm_update_crtc_state(struct amdgpu_display_manager *dm, + if (!dm_old_crtc_state->stream) + goto skip_modeset; + ++ /* Unset freesync video if it was active before */ ++ if (dm_old_crtc_state->freesync_config.state == VRR_STATE_ACTIVE_FIXED) { ++ dm_new_crtc_state->freesync_config.state = VRR_STATE_INACTIVE; ++ dm_new_crtc_state->freesync_config.fixed_refresh_in_uhz = 0; ++ } ++ ++ /* Now check if we should set freesync video mode */ + if (amdgpu_freesync_vid_mode && dm_new_crtc_state->stream && + is_timing_unchanged_for_freesync(new_crtc_state, + old_crtc_state)) { +-- +2.39.0 + diff --git a/queue-5.15/drm-i915-adlp-fix-typo-for-reference-clock.patch b/queue-5.15/drm-i915-adlp-fix-typo-for-reference-clock.patch new file mode 100644 index 00000000000..680cbc6e017 --- /dev/null +++ b/queue-5.15/drm-i915-adlp-fix-typo-for-reference-clock.patch @@ -0,0 +1,40 @@ +From c21d773a96755c6850878c967ba496b50845280a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 15:11:31 +0530 +Subject: drm/i915/adlp: Fix typo for reference clock + +From: Chaitanya Kumar Borah + +[ Upstream commit 47a2bd9d985bfdb55900f313603619fc9234f317 ] + +Fix typo for reference clock from 24400 to 24000. + +Bspec: 55409 +Fixes: 626426ff9ce4 ("drm/i915/adl_p: Add cdclk support for ADL-P") +Reviewed-by: Matt Roper +Signed-off-by: Chaitanya Kumar Borah +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20230112094131.550252-1-chaitanya.kumar.borah@intel.com +(cherry picked from commit 2b6f7e39ccae065abfbe3b6e562ec95ccad09f1e) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_cdclk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_cdclk.c b/drivers/gpu/drm/i915/display/intel_cdclk.c +index 34fa4130d5c4..745ffa7572e8 100644 +--- a/drivers/gpu/drm/i915/display/intel_cdclk.c ++++ b/drivers/gpu/drm/i915/display/intel_cdclk.c +@@ -1269,7 +1269,7 @@ static const struct intel_cdclk_vals adlp_cdclk_table[] = { + { .refclk = 24000, .cdclk = 192000, .divider = 2, .ratio = 16 }, + { .refclk = 24000, .cdclk = 312000, .divider = 2, .ratio = 26 }, + { .refclk = 24000, .cdclk = 552000, .divider = 2, .ratio = 46 }, +- { .refclk = 24400, .cdclk = 648000, .divider = 2, .ratio = 54 }, ++ { .refclk = 24000, .cdclk = 648000, .divider = 2, .ratio = 54 }, + + { .refclk = 38400, .cdclk = 179200, .divider = 3, .ratio = 14 }, + { .refclk = 38400, .cdclk = 192000, .divider = 2, .ratio = 10 }, +-- +2.39.0 + diff --git a/queue-5.15/drm-i915-guc-fix-locking-when-searching-for-a-hung-r.patch b/queue-5.15/drm-i915-guc-fix-locking-when-searching-for-a-hung-r.patch new file mode 100644 index 00000000000..5ebbb487387 --- /dev/null +++ b/queue-5.15/drm-i915-guc-fix-locking-when-searching-for-a-hung-r.patch @@ -0,0 +1,73 @@ +From 7d32f0d007979852e55aa300bee80a36f47122c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 16:28:35 -0800 +Subject: drm/i915/guc: Fix locking when searching for a hung request + +From: John Harrison + +[ Upstream commit 87b04e53daf806945c415e94de9f90943d434aed ] + +intel_guc_find_hung_context() was not acquiring the correct spinlock +before searching the request list. So fix that up. While at it, add +some extra whitespace padding for readability. + +Fixes: dc0dad365c5e ("drm/i915/guc: Fix for error capture after full GPU reset with GuC") +Signed-off-by: John Harrison +Reviewed-by: Daniele Ceraolo Spurio +Acked-by: Tvrtko Ursulin +Cc: Matthew Brost +Cc: Jani Nikula +Cc: Joonas Lahtinen +Cc: Rodrigo Vivi +Cc: Matt Roper +Cc: Umesh Nerlige Ramappa +Cc: Michael Cheng +Cc: Lucas De Marchi +Cc: Tejas Upadhyay +Cc: Chris Wilson +Cc: Bruce Chang +Cc: Alan Previn +Cc: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20230127002842.3169194-2-John.C.Harrison@Intel.com +(cherry picked from commit d1c3717501bcf56536e8b8c1bdaf5cd5357f6bb2) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +index 6e09a1cca37b..97b5ba2fc834 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -2845,6 +2845,8 @@ void intel_guc_find_hung_context(struct intel_engine_cs *engine) + return; + + xa_for_each(&guc->context_lookup, index, ce) { ++ bool found; ++ + if (!intel_context_is_pinned(ce)) + continue; + +@@ -2856,10 +2858,18 @@ void intel_guc_find_hung_context(struct intel_engine_cs *engine) + continue; + } + ++ found = false; ++ spin_lock(&ce->guc_state.lock); + list_for_each_entry(rq, &ce->guc_active.requests, sched.link) { + if (i915_test_request_state(rq) != I915_REQUEST_ACTIVE) + continue; + ++ found = true; ++ break; ++ } ++ spin_unlock(&ce->guc_state.lock); ++ ++ if (found) { + intel_engine_set_hung_context(engine, ce); + + /* Can only cope with one hang at a time... */ +-- +2.39.0 + diff --git a/queue-5.15/drm-vc4-hdmi-make-cec-adapter-name-unique.patch b/queue-5.15/drm-vc4-hdmi-make-cec-adapter-name-unique.patch new file mode 100644 index 00000000000..33859811086 --- /dev/null +++ b/queue-5.15/drm-vc4-hdmi-make-cec-adapter-name-unique.patch @@ -0,0 +1,40 @@ +From 183c01abc5df9dcf58691b974df3f657589db11c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 10:02:19 +0100 +Subject: drm/vc4: hdmi: make CEC adapter name unique + +From: Hans Verkuil + +[ Upstream commit 51128c3f2a7c98055ea1d27e34910dc10977f618 ] + +The bcm2711 has two HDMI outputs, each with their own CEC adapter. +The CEC adapter name has to be unique, but it is currently +hardcoded to "vc4" for both outputs. Change this to use the card_name +from the variant information in order to make the adapter name unique. + +Signed-off-by: Hans Verkuil +Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support") +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/dcf1db75-d9cc-62cc-fa12-baf1b2b3bf31@xs4all.nl +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 9b3e642a08e1..665f772f9ffc 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1854,7 +1854,8 @@ static int vc4_hdmi_cec_init(struct vc4_hdmi *vc4_hdmi) + } + + vc4_hdmi->cec_adap = cec_allocate_adapter(&vc4_hdmi_cec_adap_ops, +- vc4_hdmi, "vc4", ++ vc4_hdmi, ++ vc4_hdmi->variant->card_name, + CEC_CAP_DEFAULTS | + CEC_CAP_CONNECTOR_INFO, 1); + ret = PTR_ERR_OR_ZERO(vc4_hdmi->cec_adap); +-- +2.39.0 + diff --git a/queue-5.15/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch b/queue-5.15/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch new file mode 100644 index 00000000000..59dd3a7ffd1 --- /dev/null +++ b/queue-5.15/efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch @@ -0,0 +1,42 @@ +From 1a95d5d2f6396a2423cba7b27999abf581be88c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 16:22:13 +0300 +Subject: efi: fix potential NULL deref in efi_mem_reserve_persistent + +From: Anton Gusev + +[ Upstream commit 966d47e1f27c45507c5df82b2a2157e5a4fd3909 ] + +When iterating on a linked list, a result of memremap is dereferenced +without checking it for NULL. + +This patch adds a check that falls back on allocating a new page in +case memremap doesn't succeed. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 18df7577adae ("efi/memreserve: deal with memreserve entries in unmapped memory") +Signed-off-by: Anton Gusev +[ardb: return -ENOMEM instead of breaking out of the loop] +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/efi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index a2765d668856..332739f3eded 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -950,6 +950,8 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size) + /* first try to find a slot in an existing linked list entry */ + for (prsv = efi_memreserve_root->next; prsv; ) { + rsv = memremap(prsv, sizeof(*rsv), MEMREMAP_WB); ++ if (!rsv) ++ return -ENOMEM; + index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size); + if (index < rsv->size) { + rsv->entry[index].base = addr; +-- +2.39.0 + diff --git a/queue-5.15/fix-direction-argument-of-iov_iter_kvec.patch b/queue-5.15/fix-direction-argument-of-iov_iter_kvec.patch new file mode 100644 index 00000000000..0b2c504e6d7 --- /dev/null +++ b/queue-5.15/fix-direction-argument-of-iov_iter_kvec.patch @@ -0,0 +1,54 @@ +From 7696e7e1f03eb87a7024cee89ca56545040acf11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:16:56 -0400 +Subject: fix "direction" argument of iov_iter_kvec() + +From: Al Viro + +[ Upstream commit fc02f33787d8dd227b54f263eba983d5b249c032 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/xen/pvcalls-back.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/xen/pvcalls-back.c b/drivers/xen/pvcalls-back.c +index b47fd8435061..e18df9aea531 100644 +--- a/drivers/xen/pvcalls-back.c ++++ b/drivers/xen/pvcalls-back.c +@@ -129,13 +129,13 @@ static bool pvcalls_conn_back_read(void *opaque) + if (masked_prod < masked_cons) { + vec[0].iov_base = data->in + masked_prod; + vec[0].iov_len = wanted; +- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, wanted); ++ iov_iter_kvec(&msg.msg_iter, READ, vec, 1, wanted); + } else { + vec[0].iov_base = data->in + masked_prod; + vec[0].iov_len = array_size - masked_prod; + vec[1].iov_base = data->in; + vec[1].iov_len = wanted - vec[0].iov_len; +- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, wanted); ++ iov_iter_kvec(&msg.msg_iter, READ, vec, 2, wanted); + } + + atomic_set(&map->read, 0); +@@ -188,13 +188,13 @@ static bool pvcalls_conn_back_write(struct sock_mapping *map) + if (pvcalls_mask(prod, array_size) > pvcalls_mask(cons, array_size)) { + vec[0].iov_base = data->out + pvcalls_mask(cons, array_size); + vec[0].iov_len = size; +- iov_iter_kvec(&msg.msg_iter, READ, vec, 1, size); ++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, size); + } else { + vec[0].iov_base = data->out + pvcalls_mask(cons, array_size); + vec[0].iov_len = array_size - pvcalls_mask(cons, array_size); + vec[1].iov_base = data->out; + vec[1].iov_len = size - vec[0].iov_len; +- iov_iter_kvec(&msg.msg_iter, READ, vec, 2, size); ++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, size); + } + + atomic_set(&map->write, 0); +-- +2.39.0 + diff --git a/queue-5.15/fix-iov_iter_bvec-direction-argument.patch b/queue-5.15/fix-iov_iter_bvec-direction-argument.patch new file mode 100644 index 00000000000..d2a1f47547e --- /dev/null +++ b/queue-5.15/fix-iov_iter_bvec-direction-argument.patch @@ -0,0 +1,40 @@ +From 9f67df9640eb4858ed332da21486558124b57e00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:04:18 -0400 +Subject: fix iov_iter_bvec() "direction" argument + +From: Al Viro + +[ Upstream commit b676668d99155e6859d99bbf2df18b3f03851902 ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c +index ef4a8e189fba..014860716605 100644 +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -332,7 +332,7 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd, + len += sg->length; + } + +- iov_iter_bvec(&iter, READ, bvec, sgl_nents, len); ++ iov_iter_bvec(&iter, is_write, bvec, sgl_nents, len); + if (is_write) + ret = vfs_iter_write(fd, &iter, &pos, 0); + else +@@ -469,7 +469,7 @@ fd_execute_write_same(struct se_cmd *cmd) + len += se_dev->dev_attrib.block_size; + } + +- iov_iter_bvec(&iter, READ, bvec, nolb, len); ++ iov_iter_bvec(&iter, WRITE, bvec, nolb, len); + ret = vfs_iter_write(fd_dev->fd_file, &iter, &pos, 0); + + kfree(bvec); +-- +2.39.0 + diff --git a/queue-5.15/i2c-designware-pci-add-new-pci-ids-for-amd-navi-gpu.patch b/queue-5.15/i2c-designware-pci-add-new-pci-ids-for-amd-navi-gpu.patch new file mode 100644 index 00000000000..fb7f331394b --- /dev/null +++ b/queue-5.15/i2c-designware-pci-add-new-pci-ids-for-amd-navi-gpu.patch @@ -0,0 +1,39 @@ +From cd69e0c918f5dd64b10fe40dabbe5accb2fb2fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 22:39:55 +0530 +Subject: i2c: designware-pci: Add new PCI IDs for AMD NAVI GPU + +From: Basavaraj Natikar + +[ Upstream commit 2ece0930ac5662bccce0ba4c59b84c98d2437200 ] + +Add additional supported PCI IDs for latest AMD NAVI GPU card which +has an integrated Type-C controller and designware I2C with PCI +interface. + +Signed-off-by: Basavaraj Natikar +Tested-by: Sanath S +Reviewed-by: Andy Shevchenko +Acked-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-pcidrv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c +index 5b45941bcbdd..de8dd3e3333e 100644 +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c +@@ -398,6 +398,8 @@ static const struct pci_device_id i2_designware_pci_ids[] = { + { PCI_VDEVICE(ATI, 0x73a4), navi_amd }, + { PCI_VDEVICE(ATI, 0x73e4), navi_amd }, + { PCI_VDEVICE(ATI, 0x73c4), navi_amd }, ++ { PCI_VDEVICE(ATI, 0x7444), navi_amd }, ++ { PCI_VDEVICE(ATI, 0x7464), navi_amd }, + { 0,} + }; + MODULE_DEVICE_TABLE(pci, i2_designware_pci_ids); +-- +2.39.0 + diff --git a/queue-5.15/i2c-mxs-suppress-probe-deferral-error-message.patch b/queue-5.15/i2c-mxs-suppress-probe-deferral-error-message.patch new file mode 100644 index 00000000000..4637463ccc6 --- /dev/null +++ b/queue-5.15/i2c-mxs-suppress-probe-deferral-error-message.patch @@ -0,0 +1,44 @@ +From f5c793e823e54e1fc6a477fbe00341f54862bddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 13:32:29 +0100 +Subject: i2c: mxs: suppress probe-deferral error message + +From: Stefan Wahren + +[ Upstream commit 78a4471fa1a76a8bef4919105de67660a89a1e9b ] + +During boot of I2SE Duckbill the kernel log contains a +confusing error: + + Failed to request dma + +This is caused by i2c-mxs tries to request a not yet available DMA +channel (-EPROBE_DEFER). So suppress this message by using +dev_err_probe(). + +Signed-off-by: Stefan Wahren +Reviewed-by: Fabio Estevam +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mxs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mxs.c b/drivers/i2c/busses/i2c-mxs.c +index 68f67d084c63..b353732f593b 100644 +--- a/drivers/i2c/busses/i2c-mxs.c ++++ b/drivers/i2c/busses/i2c-mxs.c +@@ -826,8 +826,8 @@ static int mxs_i2c_probe(struct platform_device *pdev) + /* Setup the DMA */ + i2c->dmach = dma_request_chan(dev, "rx-tx"); + if (IS_ERR(i2c->dmach)) { +- dev_err(dev, "Failed to request dma\n"); +- return PTR_ERR(i2c->dmach); ++ return dev_err_probe(dev, PTR_ERR(i2c->dmach), ++ "Failed to request dma\n"); + } + + platform_set_drvdata(pdev, i2c); +-- +2.39.0 + diff --git a/queue-5.15/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch b/queue-5.15/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch new file mode 100644 index 00000000000..32deff9a19e --- /dev/null +++ b/queue-5.15/i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch @@ -0,0 +1,180 @@ +From 8fdcc4fd9f0bba310b5ee5a738b88712b2cc7773 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 22:38:05 -0800 +Subject: i2c: rk3x: fix a bunch of kernel-doc warnings + +From: Randy Dunlap + +[ Upstream commit 0582d984793d30442da88fe458674502bad1ad29 ] + +Fix multiple W=1 kernel-doc warnings in i2c-rk3x.c: + +drivers/i2c/busses/i2c-rk3x.c:83: warning: missing initial short description on line: + * struct i2c_spec_values: +drivers/i2c/busses/i2c-rk3x.c:139: warning: missing initial short description on line: + * struct rk3x_i2c_calced_timings: +drivers/i2c/busses/i2c-rk3x.c:162: warning: missing initial short description on line: + * struct rk3x_i2c_soc_data: +drivers/i2c/busses/i2c-rk3x.c:242: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a START condition, which triggers a REG_INT_START interrupt. +drivers/i2c/busses/i2c-rk3x.c:261: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +drivers/i2c/busses/i2c-rk3x.c:304: warning: expecting prototype for Setup a read according to i2c(). Prototype was for rk3x_i2c_prepare_read() instead +drivers/i2c/busses/i2c-rk3x.c:335: warning: expecting prototype for Fill the transmit buffer with data from i2c(). Prototype was for rk3x_i2c_fill_transmit_buf() instead +drivers/i2c/busses/i2c-rk3x.c:535: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Get timing values of I2C specification +drivers/i2c/busses/i2c-rk3x.c:552: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Calculate divider values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:713: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Calculate timing values for desired SCL frequency +drivers/i2c/busses/i2c-rk3x.c:963: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst + * Setup I2C registers for an I2C operation specified by msgs, num. + +Signed-off-by: Randy Dunlap +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rk3x.c | 44 +++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 22 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c +index 02ddb237f69a..13c14eb175e9 100644 +--- a/drivers/i2c/busses/i2c-rk3x.c ++++ b/drivers/i2c/busses/i2c-rk3x.c +@@ -80,7 +80,7 @@ enum { + #define DEFAULT_SCL_RATE (100 * 1000) /* Hz */ + + /** +- * struct i2c_spec_values: ++ * struct i2c_spec_values - I2C specification values for various modes + * @min_hold_start_ns: min hold time (repeated) START condition + * @min_low_ns: min LOW period of the SCL clock + * @min_high_ns: min HIGH period of the SCL cloc +@@ -136,7 +136,7 @@ static const struct i2c_spec_values fast_mode_plus_spec = { + }; + + /** +- * struct rk3x_i2c_calced_timings: ++ * struct rk3x_i2c_calced_timings - calculated V1 timings + * @div_low: Divider output for low + * @div_high: Divider output for high + * @tuning: Used to adjust setup/hold data time, +@@ -159,7 +159,7 @@ enum rk3x_i2c_state { + }; + + /** +- * struct rk3x_i2c_soc_data: ++ * struct rk3x_i2c_soc_data - SOC-specific data + * @grf_offset: offset inside the grf regmap for setting the i2c type + * @calc_timings: Callback function for i2c timing information calculated + */ +@@ -239,7 +239,8 @@ static inline void rk3x_i2c_clean_ipd(struct rk3x_i2c *i2c) + } + + /** +- * Generate a START condition, which triggers a REG_INT_START interrupt. ++ * rk3x_i2c_start - Generate a START condition, which triggers a REG_INT_START interrupt. ++ * @i2c: target controller data + */ + static void rk3x_i2c_start(struct rk3x_i2c *i2c) + { +@@ -258,8 +259,8 @@ static void rk3x_i2c_start(struct rk3x_i2c *i2c) + } + + /** +- * Generate a STOP condition, which triggers a REG_INT_STOP interrupt. +- * ++ * rk3x_i2c_stop - Generate a STOP condition, which triggers a REG_INT_STOP interrupt. ++ * @i2c: target controller data + * @error: Error code to return in rk3x_i2c_xfer + */ + static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) +@@ -298,7 +299,8 @@ static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error) + } + + /** +- * Setup a read according to i2c->msg ++ * rk3x_i2c_prepare_read - Setup a read according to i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + { +@@ -329,7 +331,8 @@ static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c) + } + + /** +- * Fill the transmit buffer with data from i2c->msg ++ * rk3x_i2c_fill_transmit_buf - Fill the transmit buffer with data from i2c->msg ++ * @i2c: target controller data + */ + static void rk3x_i2c_fill_transmit_buf(struct rk3x_i2c *i2c) + { +@@ -532,11 +535,10 @@ static irqreturn_t rk3x_i2c_irq(int irqno, void *dev_id) + } + + /** +- * Get timing values of I2C specification +- * ++ * rk3x_i2c_get_spec - Get timing values of I2C specification + * @speed: Desired SCL frequency + * +- * Returns: Matched i2c spec values. ++ * Return: Matched i2c_spec_values. + */ + static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + { +@@ -549,13 +551,12 @@ static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed) + } + + /** +- * Calculate divider values for desired SCL frequency +- * ++ * rk3x_i2c_v0_calc_timings - Calculate divider values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + */ +@@ -710,13 +711,12 @@ static int rk3x_i2c_v0_calc_timings(unsigned long clk_rate, + } + + /** +- * Calculate timing values for desired SCL frequency +- * ++ * rk3x_i2c_v1_calc_timings - Calculate timing values for desired SCL frequency + * @clk_rate: I2C input clock rate + * @t: Known I2C timing information + * @t_calc: Caculated rk3x private timings that would be written into regs + * +- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case ++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case + * a best-effort divider value is returned in divs. If the target rate is + * too high, we silently use the highest possible rate. + * The following formulas are v1's method to calculate timings. +@@ -960,14 +960,14 @@ static int rk3x_i2c_clk_notifier_cb(struct notifier_block *nb, unsigned long + } + + /** +- * Setup I2C registers for an I2C operation specified by msgs, num. +- * +- * Must be called with i2c->lock held. +- * ++ * rk3x_i2c_setup - Setup I2C registers for an I2C operation specified by msgs, num. ++ * @i2c: target controller data + * @msgs: I2C msgs to process + * @num: Number of msgs + * +- * returns: Number of I2C msgs processed or negative in case of error ++ * Must be called with i2c->lock held. ++ * ++ * Return: Number of I2C msgs processed or negative in case of error + */ + static int rk3x_i2c_setup(struct rk3x_i2c *i2c, struct i2c_msg *msgs, int num) + { +-- +2.39.0 + diff --git a/queue-5.15/ice-prevent-set_channel-from-changing-queues-while-r.patch b/queue-5.15/ice-prevent-set_channel-from-changing-queues-while-r.patch new file mode 100644 index 00000000000..13ba0de00d0 --- /dev/null +++ b/queue-5.15/ice-prevent-set_channel-from-changing-queues-while-r.patch @@ -0,0 +1,211 @@ +From 186033adc193b3699905e28f3f0e36db0504bd2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 09:19:43 -0800 +Subject: ice: Prevent set_channel from changing queues while RDMA active + +From: Dave Ertman + +[ Upstream commit a6a0974aae4209d039ba81226ded5246eea14961 ] + +The PF controls the set of queues that the RDMA auxiliary_driver requests +resources from. The set_channel command will alter that pool and trigger a +reconfiguration of the VSI, which breaks RDMA functionality. + +Prevent set_channel from executing when RDMA driver bound to auxiliary +device. + +Adding a locked variable to pass down the call chain to avoid double +locking the device_lock. + +Fixes: 348048e724a0 ("ice: Implement iidc operations") +Signed-off-by: Dave Ertman +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 2 +- + drivers/net/ethernet/intel/ice/ice_dcb_lib.c | 23 +++++++++------- + drivers/net/ethernet/intel/ice/ice_dcb_lib.h | 4 +-- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 28 +++++++++++++++++--- + drivers/net/ethernet/intel/ice/ice_main.c | 5 ++-- + 5 files changed, 43 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 89bca2ed895a..a5bc804dc67a 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -641,7 +641,7 @@ void ice_set_ethtool_ops(struct net_device *netdev); + void ice_set_ethtool_safe_mode_ops(struct net_device *netdev); + u16 ice_get_avail_txq_count(struct ice_pf *pf); + u16 ice_get_avail_rxq_count(struct ice_pf *pf); +-int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx); ++int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx, bool locked); + void ice_update_vsi_stats(struct ice_vsi *vsi); + void ice_update_pf_stats(struct ice_pf *pf); + int ice_up(struct ice_vsi *vsi); +diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c +index 926cf748c5ec..dd4195e964fa 100644 +--- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.c +@@ -355,7 +355,7 @@ int ice_pf_dcb_cfg(struct ice_pf *pf, struct ice_dcbx_cfg *new_cfg, bool locked) + goto out; + } + +- ice_pf_dcb_recfg(pf); ++ ice_pf_dcb_recfg(pf, false); + + out: + ice_ena_vsi(pf_vsi, true); +@@ -644,12 +644,13 @@ static int ice_dcb_noncontig_cfg(struct ice_pf *pf) + /** + * ice_pf_dcb_recfg - Reconfigure all VEBs and VSIs + * @pf: pointer to the PF struct ++ * @locked: is adev device lock held + * + * Assumed caller has already disabled all VSIs before + * calling this function. Reconfiguring DCB based on + * local_dcbx_cfg. + */ +-void ice_pf_dcb_recfg(struct ice_pf *pf) ++void ice_pf_dcb_recfg(struct ice_pf *pf, bool locked) + { + struct ice_dcbx_cfg *dcbcfg = &pf->hw.port_info->qos_cfg.local_dcbx_cfg; + struct iidc_event *event; +@@ -688,14 +689,16 @@ void ice_pf_dcb_recfg(struct ice_pf *pf) + if (vsi->type == ICE_VSI_PF) + ice_dcbnl_set_all(vsi); + } +- /* Notify the AUX drivers that TC change is finished */ +- event = kzalloc(sizeof(*event), GFP_KERNEL); +- if (!event) +- return; ++ if (!locked) { ++ /* Notify the AUX drivers that TC change is finished */ ++ event = kzalloc(sizeof(*event), GFP_KERNEL); ++ if (!event) ++ return; + +- set_bit(IIDC_EVENT_AFTER_TC_CHANGE, event->type); +- ice_send_event_to_aux(pf, event); +- kfree(event); ++ set_bit(IIDC_EVENT_AFTER_TC_CHANGE, event->type); ++ ice_send_event_to_aux(pf, event); ++ kfree(event); ++ } + } + + /** +@@ -943,7 +946,7 @@ ice_dcb_process_lldp_set_mib_change(struct ice_pf *pf, + } + + /* changes in configuration update VSI */ +- ice_pf_dcb_recfg(pf); ++ ice_pf_dcb_recfg(pf, false); + + ice_ena_vsi(pf_vsi, true); + unlock_rtnl: +diff --git a/drivers/net/ethernet/intel/ice/ice_dcb_lib.h b/drivers/net/ethernet/intel/ice/ice_dcb_lib.h +index 261b6e2ed7bc..33a609e92d25 100644 +--- a/drivers/net/ethernet/intel/ice/ice_dcb_lib.h ++++ b/drivers/net/ethernet/intel/ice/ice_dcb_lib.h +@@ -23,7 +23,7 @@ u8 ice_dcb_get_tc(struct ice_vsi *vsi, int queue_index); + int + ice_pf_dcb_cfg(struct ice_pf *pf, struct ice_dcbx_cfg *new_cfg, bool locked); + int ice_dcb_bwchk(struct ice_pf *pf, struct ice_dcbx_cfg *dcbcfg); +-void ice_pf_dcb_recfg(struct ice_pf *pf); ++void ice_pf_dcb_recfg(struct ice_pf *pf, bool locked); + void ice_vsi_cfg_dcb_rings(struct ice_vsi *vsi); + int ice_init_pf_dcb(struct ice_pf *pf, bool locked); + void ice_update_dcb_stats(struct ice_pf *pf); +@@ -113,7 +113,7 @@ ice_is_pfc_causing_hung_q(struct ice_pf __always_unused *pf, + return false; + } + +-static inline void ice_pf_dcb_recfg(struct ice_pf *pf) { } ++static inline void ice_pf_dcb_recfg(struct ice_pf *pf, bool locked) { } + static inline void ice_vsi_cfg_dcb_rings(struct ice_vsi *vsi) { } + static inline void ice_update_dcb_stats(struct ice_pf *pf) { } + static inline void +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index f10d9c377c74..24001035910e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -3393,7 +3393,9 @@ static int ice_set_channels(struct net_device *dev, struct ethtool_channels *ch) + struct ice_vsi *vsi = np->vsi; + struct ice_pf *pf = vsi->back; + int new_rx = 0, new_tx = 0; ++ bool locked = false; + u32 curr_combined; ++ int ret = 0; + + /* do not support changing channels in Safe Mode */ + if (ice_is_safe_mode(pf)) { +@@ -3442,15 +3444,33 @@ static int ice_set_channels(struct net_device *dev, struct ethtool_channels *ch) + return -EINVAL; + } + +- ice_vsi_recfg_qs(vsi, new_rx, new_tx); ++ if (pf->adev) { ++ mutex_lock(&pf->adev_mutex); ++ device_lock(&pf->adev->dev); ++ locked = true; ++ if (pf->adev->dev.driver) { ++ netdev_err(dev, "Cannot change channels when RDMA is active\n"); ++ ret = -EBUSY; ++ goto adev_unlock; ++ } ++ } ++ ++ ice_vsi_recfg_qs(vsi, new_rx, new_tx, locked); + +- if (!netif_is_rxfh_configured(dev)) +- return ice_vsi_set_dflt_rss_lut(vsi, new_rx); ++ if (!netif_is_rxfh_configured(dev)) { ++ ret = ice_vsi_set_dflt_rss_lut(vsi, new_rx); ++ goto adev_unlock; ++ } + + /* Update rss_size due to change in Rx queues */ + vsi->rss_size = ice_get_valid_rss_size(&pf->hw, new_rx); + +- return 0; ++adev_unlock: ++ if (locked) { ++ device_unlock(&pf->adev->dev); ++ mutex_unlock(&pf->adev_mutex); ++ } ++ return ret; + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index ffbba5f6b7a5..348105aa5cf5 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3776,12 +3776,13 @@ bool ice_is_wol_supported(struct ice_hw *hw) + * @vsi: VSI being changed + * @new_rx: new number of Rx queues + * @new_tx: new number of Tx queues ++ * @locked: is adev device_lock held + * + * Only change the number of queues if new_tx, or new_rx is non-0. + * + * Returns 0 on success. + */ +-int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx) ++int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx, bool locked) + { + struct ice_pf *pf = vsi->back; + int err = 0, timeout = 50; +@@ -3810,7 +3811,7 @@ int ice_vsi_recfg_qs(struct ice_vsi *vsi, int new_rx, int new_tx) + + ice_vsi_close(vsi); + ice_vsi_rebuild(vsi, false); +- ice_pf_dcb_recfg(pf); ++ ice_pf_dcb_recfg(pf, locked); + ice_vsi_open(vsi); + done: + clear_bit(ICE_CFG_BUSY, pf->state); +-- +2.39.0 + diff --git a/queue-5.15/igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch b/queue-5.15/igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch new file mode 100644 index 00000000000..a3f51ff70b3 --- /dev/null +++ b/queue-5.15/igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch @@ -0,0 +1,76 @@ +From 93ce8b81ba2e60a612223d2de5b141461fd12186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 13:54:37 -0800 +Subject: igc: return an error if the mac type is unknown in + igc_ptp_systim_to_hwtstamp() + +From: Tom Rix + +[ Upstream commit a2df8463e15c10a8a882090f3d7a760fdb7b189d ] + +clang static analysis reports +drivers/net/ethernet/intel/igc/igc_ptp.c:673:3: warning: The left operand of + '+' is a garbage value [core.UndefinedBinaryOperatorResult] + ktime_add_ns(shhwtstamps.hwtstamp, adjust); + ^ ~~~~~~~~~~~~~~~~~~~~ + +igc_ptp_systim_to_hwtstamp() silently returns without setting the hwtstamp +if the mac type is unknown. This should be treated as an error. + +Fixes: 81b055205e8b ("igc: Add support for RX timestamping") +Signed-off-by: Tom Rix +Reviewed-by: Simon Horman +Acked-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230131215437.1528994-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index fbde7826927b..743c31659709 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -418,10 +418,12 @@ static int igc_ptp_verify_pin(struct ptp_clock_info *ptp, unsigned int pin, + * + * We need to convert the system time value stored in the RX/TXSTMP registers + * into a hwtstamp which can be used by the upper level timestamping functions. ++ * ++ * Returns 0 on success. + **/ +-static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, +- struct skb_shared_hwtstamps *hwtstamps, +- u64 systim) ++static int igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, ++ struct skb_shared_hwtstamps *hwtstamps, ++ u64 systim) + { + switch (adapter->hw.mac.type) { + case igc_i225: +@@ -431,8 +433,9 @@ static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter, + systim & 0xFFFFFFFF); + break; + default: +- break; ++ return -EINVAL; + } ++ return 0; + } + + /** +@@ -657,7 +660,8 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + + regval = rd32(IGC_TXSTMPL); + regval |= (u64)rd32(IGC_TXSTMPH) << 32; +- igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval); ++ if (igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval)) ++ return; + + switch (adapter->link_speed) { + case SPEED_10: +-- +2.39.0 + diff --git a/queue-5.15/ip-ip6_gre-fix-changing-addr-gen-mode-not-generating.patch b/queue-5.15/ip-ip6_gre-fix-changing-addr-gen-mode-not-generating.patch new file mode 100644 index 00000000000..6a6abdb551d --- /dev/null +++ b/queue-5.15/ip-ip6_gre-fix-changing-addr-gen-mode-not-generating.patch @@ -0,0 +1,129 @@ +From f02577799d4de25d8de4ef527b68f61c3da410cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 16:46:45 +1300 +Subject: ip/ip6_gre: Fix changing addr gen mode not generating IPv6 link local + address + +From: Thomas Winter + +[ Upstream commit 23ca0c2c93406bdb1150659e720bda1cec1fad04 ] + +For our point-to-point GRE tunnels, they have IN6_ADDR_GEN_MODE_NONE +when they are created then we set IN6_ADDR_GEN_MODE_EUI64 when they +come up to generate the IPv6 link local address for the interface. +Recently we found that they were no longer generating IPv6 addresses. +This issue would also have affected SIT tunnels. + +Commit e5dd729460ca changed the code path so that GRE tunnels +generate an IPv6 address based on the tunnel source address. +It also changed the code path so GRE tunnels don't call addrconf_addr_gen +in addrconf_dev_config which is called by addrconf_sysctl_addr_gen_mode +when the IN6_ADDR_GEN_MODE is changed. + +This patch aims to fix this issue by moving the code in addrconf_notify +which calls the addr gen for GRE and SIT into a separate function +and calling it in the places that expect the IPv6 address to be +generated. + +The previous addrconf_dev_config is renamed to addrconf_eth_config +since it only expected eth type interfaces and follows the +addrconf_gre/sit_config format. + +A part of this changes means that the loopback address will be +attempted to be configured when changing addr_gen_mode for lo. +This should not be a problem because the address should exist anyway +and if does already exist then no error is produced. + +Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address") +Signed-off-by: Thomas Winter +Reviewed-by: David Ahern +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 49 +++++++++++++++++++++++++-------------------- + 1 file changed, 27 insertions(+), 22 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 8800987fdb40..cc1c94bc5b0e 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3447,6 +3447,30 @@ static void addrconf_gre_config(struct net_device *dev) + } + #endif + ++static void addrconf_init_auto_addrs(struct net_device *dev) ++{ ++ switch (dev->type) { ++#if IS_ENABLED(CONFIG_IPV6_SIT) ++ case ARPHRD_SIT: ++ addrconf_sit_config(dev); ++ break; ++#endif ++#if IS_ENABLED(CONFIG_NET_IPGRE) || IS_ENABLED(CONFIG_IPV6_GRE) ++ case ARPHRD_IP6GRE: ++ case ARPHRD_IPGRE: ++ addrconf_gre_config(dev); ++ break; ++#endif ++ case ARPHRD_LOOPBACK: ++ init_loopback(dev); ++ break; ++ ++ default: ++ addrconf_dev_config(dev); ++ break; ++ } ++} ++ + static int fixup_permanent_addr(struct net *net, + struct inet6_dev *idev, + struct inet6_ifaddr *ifp) +@@ -3611,26 +3635,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event, + run_pending = 1; + } + +- switch (dev->type) { +-#if IS_ENABLED(CONFIG_IPV6_SIT) +- case ARPHRD_SIT: +- addrconf_sit_config(dev); +- break; +-#endif +-#if IS_ENABLED(CONFIG_NET_IPGRE) || IS_ENABLED(CONFIG_IPV6_GRE) +- case ARPHRD_IP6GRE: +- case ARPHRD_IPGRE: +- addrconf_gre_config(dev); +- break; +-#endif +- case ARPHRD_LOOPBACK: +- init_loopback(dev); +- break; +- +- default: +- addrconf_dev_config(dev); +- break; +- } ++ addrconf_init_auto_addrs(dev); + + if (!IS_ERR_OR_NULL(idev)) { + if (run_pending) +@@ -6385,7 +6390,7 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write, + + if (idev->cnf.addr_gen_mode != new_val) { + idev->cnf.addr_gen_mode = new_val; +- addrconf_dev_config(idev->dev); ++ addrconf_init_auto_addrs(idev->dev); + } + } else if (&net->ipv6.devconf_all->addr_gen_mode == ctl->data) { + struct net_device *dev; +@@ -6396,7 +6401,7 @@ static int addrconf_sysctl_addr_gen_mode(struct ctl_table *ctl, int write, + if (idev && + idev->cnf.addr_gen_mode != new_val) { + idev->cnf.addr_gen_mode = new_val; +- addrconf_dev_config(idev->dev); ++ addrconf_init_auto_addrs(idev->dev); + } + } + } +-- +2.39.0 + diff --git a/queue-5.15/ip-ip6_gre-fix-non-point-to-point-tunnel-not-generat.patch b/queue-5.15/ip-ip6_gre-fix-non-point-to-point-tunnel-not-generat.patch new file mode 100644 index 00000000000..babe3016bcf --- /dev/null +++ b/queue-5.15/ip-ip6_gre-fix-non-point-to-point-tunnel-not-generat.patch @@ -0,0 +1,62 @@ +From faf6fe8222327cff8c98f5fc0945645d0859ed2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 16:46:46 +1300 +Subject: ip/ip6_gre: Fix non-point-to-point tunnel not generating IPv6 link + local address + +From: Thomas Winter + +[ Upstream commit 30e2291f61f93f7132c060190f8360df52644ec1 ] + +We recently found that our non-point-to-point tunnels were not +generating any IPv6 link local address and instead generating an +IPv6 compat address, breaking IPv6 communication on the tunnel. + +Previously, addrconf_gre_config always would call addrconf_addr_gen +and generate a EUI64 link local address for the tunnel. +Then commit e5dd729460ca changed the code path so that add_v4_addrs +is called but this only generates a compat IPv6 address for +non-point-to-point tunnels. + +I assume the compat address is specifically for SIT tunnels so +have kept that only for SIT - GRE tunnels now always generate link +local addresses. + +Fixes: e5dd729460ca ("ip/ip6_gre: use the same logic as SIT interfaces when computing v6LL address") +Signed-off-by: Thomas Winter +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index cc1c94bc5b0e..6ba34f51c411 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3129,17 +3129,17 @@ static void add_v4_addrs(struct inet6_dev *idev) + offset = sizeof(struct in6_addr) - 4; + memcpy(&addr.s6_addr32[3], idev->dev->dev_addr + offset, 4); + +- if (idev->dev->flags&IFF_POINTOPOINT) { ++ if (!(idev->dev->flags & IFF_POINTOPOINT) && idev->dev->type == ARPHRD_SIT) { ++ scope = IPV6_ADDR_COMPATv4; ++ plen = 96; ++ pflags |= RTF_NONEXTHOP; ++ } else { + if (idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_NONE) + return; + + addr.s6_addr32[0] = htonl(0xfe800000); + scope = IFA_LINK; + plen = 64; +- } else { +- scope = IPV6_ADDR_COMPATv4; +- plen = 96; +- pflags |= RTF_NONEXTHOP; + } + + if (addr.s6_addr32[3]) { +-- +2.39.0 + diff --git a/queue-5.15/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch b/queue-5.15/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch new file mode 100644 index 00000000000..243251fe46d --- /dev/null +++ b/queue-5.15/net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch @@ -0,0 +1,110 @@ +From 220b3eabf94a1c2663c8a9ab6ceda4cb008dca7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 00:02:18 +0300 +Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new + +From: Fedor Pchelkin + +[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ] + +Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is +not freed when an allocation of a key fails. + +BUG: memory leak +unreferenced object 0xffff888116668000 (size 632): + comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline] + [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77 + [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957 + [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739 + [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] + [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800 + [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515 + [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 + [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] + [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339 + [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934 + [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline] + [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671 + [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356 + [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410 + [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 + [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +To fix this the patch rearranges the goto labels to reflect the order of +object allocations and adds appropriate goto statements on the error +paths. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Eelco Chaudron +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 795a25ecb893..0fc98e89a114 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -977,14 +977,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + key = kzalloc(sizeof(*key), GFP_KERNEL); + if (!key) { + error = -ENOMEM; +- goto err_kfree_key; ++ goto err_kfree_flow; + } + + ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + ovs_flow_mask_key(&new_flow->key, key, true, &mask); + +@@ -992,14 +992,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], + key, log); + if (error) +- goto err_kfree_flow; ++ goto err_kfree_key; + + /* Validate actions. */ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); + if (error) { + OVS_NLERR(log, "Flow actions may not be safe on all matching packets."); +- goto err_kfree_flow; ++ goto err_kfree_key; + } + + reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false, +@@ -1099,10 +1099,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + kfree_skb(reply); + err_kfree_acts: + ovs_nla_free_flow_actions(acts); +-err_kfree_flow: +- ovs_flow_free(new_flow, false); + err_kfree_key: + kfree(key); ++err_kfree_flow: ++ ovs_flow_free(new_flow, false); + error: + return error; + } +-- +2.39.0 + diff --git a/queue-5.15/net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch b/queue-5.15/net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch new file mode 100644 index 00000000000..4b044d473ca --- /dev/null +++ b/queue-5.15/net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch @@ -0,0 +1,53 @@ +From e0556055f1997f97286b2e713a78027e9b69a0c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 19:23:26 +0100 +Subject: net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices + +From: Andre Kalb + +[ Upstream commit 422ae7d9c7221e8d4c8526d0f54106307d69d2dc ] + +The probe() function is only used for the DP83822 PHY, leaving the +private data pointer uninitialized for the smaller DP83825/26 models. +While all uses of the private data structure are hidden in 82822 specific +callbacks, configuring the interrupt is shared across all models. +This causes a NULL pointer dereference on the smaller PHYs as it accesses +the private data unchecked. Verifying the pointer avoids that. + +Fixes: 5dc39fd5ef35 ("net: phy: DP83822: Add ability to advertise Fiber connection") +Signed-off-by: Andre Kalb +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/Y9FzniUhUtbaGKU7@pc6682 +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83822.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index 0b511abb5422..f070aa97c77b 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -232,7 +232,8 @@ static int dp83822_config_intr(struct phy_device *phydev) + DP83822_ENERGY_DET_INT_EN | + DP83822_LINK_QUAL_INT_EN); + +- if (!dp83822->fx_enabled) ++ /* Private data pointer is NULL on DP83825/26 */ ++ if (!dp83822 || !dp83822->fx_enabled) + misr_status |= DP83822_ANEG_COMPLETE_INT_EN | + DP83822_DUP_MODE_CHANGE_INT_EN | + DP83822_SPEED_CHANGED_INT_EN; +@@ -252,7 +253,8 @@ static int dp83822_config_intr(struct phy_device *phydev) + DP83822_PAGE_RX_INT_EN | + DP83822_EEE_ERROR_CHANGE_INT_EN); + +- if (!dp83822->fx_enabled) ++ /* Private data pointer is NULL on DP83825/26 */ ++ if (!dp83822 || !dp83822->fx_enabled) + misr_status |= DP83822_ANEG_ERR_INT_EN | + DP83822_WOL_PKT_INT_EN; + +-- +2.39.0 + diff --git a/queue-5.15/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch b/queue-5.15/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch new file mode 100644 index 00000000000..269f3c080c7 --- /dev/null +++ b/queue-5.15/net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch @@ -0,0 +1,42 @@ +From ca542c44460589aad35eeddd13e08bd4a2c4686f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 15:14:02 -0800 +Subject: net: phy: meson-gxl: Add generic dummy stubs for MMD register access + +From: Chris Healy + +[ Upstream commit afc2336f89dc0fc0ef25b92366814524b0fd90fb ] + +The Meson G12A Internal PHY does not support standard IEEE MMD extended +register access, therefore add generic dummy stubs to fail the read and +write MMD calls. This is necessary to prevent the core PHY code from +erroneously believing that EEE is supported by this PHY even though this +PHY does not support EEE, as MMD register access returns all FFFFs. + +Fixes: 5c3407abb338 ("net: phy: meson-gxl: add g12a support") +Reviewed-by: Heiner Kallweit +Signed-off-by: Chris Healy +Reviewed-by: Jerome Brunet +Link: https://lore.kernel.org/r/20230130231402.471493-1-cphealy@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/meson-gxl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/phy/meson-gxl.c b/drivers/net/phy/meson-gxl.c +index c49062ad72c6..5e41658b1e2f 100644 +--- a/drivers/net/phy/meson-gxl.c ++++ b/drivers/net/phy/meson-gxl.c +@@ -271,6 +271,8 @@ static struct phy_driver meson_gxl_phy[] = { + .handle_interrupt = meson_gxl_handle_interrupt, + .suspend = genphy_suspend, + .resume = genphy_resume, ++ .read_mmd = genphy_read_mmd_unsupported, ++ .write_mmd = genphy_write_mmd_unsupported, + }, + }; + +-- +2.39.0 + diff --git a/queue-5.15/net-x25-fix-to-not-accept-on-connected-socket.patch b/queue-5.15/net-x25-fix-to-not-accept-on-connected-socket.patch new file mode 100644 index 00000000000..678ed932691 --- /dev/null +++ b/queue-5.15/net-x25-fix-to-not-accept-on-connected-socket.patch @@ -0,0 +1,47 @@ +From 4c9474051a8f987472e9423aa157c384f30219f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 11:43:23 -0800 +Subject: net/x25: Fix to not accept on connected socket + +From: Hyunwoo Kim + +[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ] + +When listen() and accept() are called on an x25 socket +that connect() succeeds, accept() succeeds immediately. +This is because x25_connect() queues the skb to +sk->sk_receive_queue, and x25_accept() dequeues it. + +This creates a child socket with the sk of the parent +x25 socket, which can cause confusion. + +Fix x25_listen() to return -EINVAL if the socket has +already been successfully connect()ed to avoid this issue. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 3a171828638b..07f6206e7cb4 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -482,6 +482,12 @@ static int x25_listen(struct socket *sock, int backlog) + int rc = -EOPNOTSUPP; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ rc = -EINVAL; ++ release_sock(sk); ++ return rc; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-5.15/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch b/queue-5.15/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch new file mode 100644 index 00000000000..df14f4a7983 --- /dev/null +++ b/queue-5.15/netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch @@ -0,0 +1,66 @@ +From b8c9bbc0d27f6af3fe366036c2321d94f5c5125c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 11:39:29 +0100 +Subject: netfilter: br_netfilter: disable sabotage_in hook after first + suppression + +From: Florian Westphal + +[ Upstream commit 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba ] + +When using a xfrm interface in a bridged setup (the outgoing device is +bridged), the incoming packets in the xfrm interface are only tracked +in the outgoing direction. + +$ brctl show +bridge name interfaces +br_eth1 eth1 + +$ conntrack -L +tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ... + +If br_netfilter is enabled, the first (encrypted) packet is received onR +eth1, conntrack hooks are called from br_netfilter emulation which +allocates nf_bridge info for this skb. + +If the packet is for local machine, skb gets passed up the ip stack. +The skb passes through ip prerouting a second time. br_netfilter +ip_sabotage_in supresses the re-invocation of the hooks. + +After this, skb gets decrypted in xfrm layer and appears in +network stack a second time (after decryption). + +Then, ip_sabotage_in is called again and suppresses netfilter +hook invocation, even though the bridge layer never called them +for the plaintext incarnation of the packet. + +Free the bridge info after the first suppression to avoid this. + +I was unable to figure out where the regression comes from, as far as i +can see br_netfilter always had this problem; i did not expect that skb +is looped again with different headers. + +Fixes: c4b0e771f906 ("netfilter: avoid using skb->nf_bridge directly") +Reported-and-tested-by: Wolfgang Nothdurft +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index a718204c4bfd..f3c7cfba31e1 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -871,6 +871,7 @@ static unsigned int ip_sabotage_in(void *priv, + if (nf_bridge && !nf_bridge->in_prerouting && + !netif_is_l3_master(skb->dev) && + !netif_is_l3_slave(skb->dev)) { ++ nf_bridge_info_free(skb); + state->okfn(state->net, state->sk, skb); + return NF_STOLEN; + } +-- +2.39.0 + diff --git a/queue-5.15/netrom-fix-use-after-free-caused-by-accept-on-alread.patch b/queue-5.15/netrom-fix-use-after-free-caused-by-accept-on-alread.patch new file mode 100644 index 00000000000..965ea6c8afd --- /dev/null +++ b/queue-5.15/netrom-fix-use-after-free-caused-by-accept-on-alread.patch @@ -0,0 +1,211 @@ +From 5baf4640fda47f874ac9dd1622eeeea1e24c8a7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 18:32:50 -0800 +Subject: netrom: Fix use-after-free caused by accept on already connected + socket + +From: Hyunwoo Kim + +[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ] + +If you call listen() and accept() on an already connect()ed +AF_NETROM socket, accept() can successfully connect. +This is because when the peer socket sends data to sendmsg, +the skb with its own sk stored in the connected socket's +sk->sk_receive_queue is connected, and nr_accept() dequeues +the skb waiting in the sk->sk_receive_queue. + +As a result, nr_accept() allocates and returns a sock with +the sk of the parent AF_NETROM socket. + +And here use-after-free can happen through complex race conditions: +``` + cpu0 cpu1 + 1. socket_2 = socket(AF_NETROM) + . + . + listen(socket_2) + accepted_socket = accept(socket_2) + 2. socket_1 = socket(AF_NETROM) + nr_create() // sk refcount : 1 + connect(socket_1) + 3. write(accepted_socket) + nr_sendmsg() + nr_output() + nr_kick() + nr_send_iframe() + nr_transmit_buffer() + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() + nr_process_rx_frame(sk, skb); // sk : socket_1's sk + nr_state3_machine() + nr_queue_rx_frame() + sock_queue_rcv_skb() + sock_queue_rcv_skb_reason() + __sock_queue_rcv_skb() + __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue + 4. listen(socket_1) + nr_listen() + uaf_socket = accept(socket_1) + nr_accept() + skb_dequeue(&sk->sk_receive_queue); + 5. close(accepted_socket) + nr_release() + nr_write_internal(sk, NR_DISCREQ) + nr_transmit_buffer() // NR_DISCREQ + nr_route_frame() + nr_loopback_queue() + nr_loopback_timer() + nr_rx_frame() // sk : socket_1's sk + nr_process_rx_frame() // NR_STATE_3 + nr_state3_machine() // NR_DISCREQ + nr_disconnect() + nr_sk(sk)->state = NR_STATE_0; + 6. close(socket_1) // sk refcount : 3 + nr_release() // NR_STATE_0 + sock_put(sk); // sk refcount : 0 + sk_free(sk); + close(uaf_socket) + nr_release() + sock_hold(sk); // UAF +``` + +KASAN report by syzbot: +``` +BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520 +Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:306 [inline] + print_report+0x15e/0x461 mm/kasan/report.c:417 + kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 + instrument_atomic_read_write include/linux/instrumented.h:102 [inline] + atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline] + __refcount_add include/linux/refcount.h:193 [inline] + __refcount_inc include/linux/refcount.h:250 [inline] + refcount_inc include/linux/refcount.h:267 [inline] + sock_hold include/net/sock.h:775 [inline] + nr_release+0x66/0x460 net/netrom/af_netrom.c:520 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f6c19e3c9b9 +Code: Unable to access opcode bytes at 0x7f6c19e3c98f. +RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 +RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9 +RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006 +RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0 +R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + ____kasan_kmalloc mm/kasan/common.c:330 [inline] + __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 + kasan_kmalloc include/linux/kasan.h:211 [inline] + __do_kmalloc_node mm/slab_common.c:968 [inline] + __kmalloc+0x5a/0xd0 mm/slab_common.c:981 + kmalloc include/linux/slab.h:584 [inline] + sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 + sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 + nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 + __sock_create+0x359/0x790 net/socket.c:1515 + sock_create net/socket.c:1566 [inline] + __sys_socket_create net/socket.c:1603 [inline] + __sys_socket_create net/socket.c:1588 [inline] + __sys_socket+0x133/0x250 net/socket.c:1636 + __do_sys_socket net/socket.c:1649 [inline] + __se_sys_socket net/socket.c:1647 [inline] + __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 5128: + kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 + kasan_slab_free include/linux/kasan.h:177 [inline] + __cache_free mm/slab.c:3394 [inline] + __do_kmem_cache_free mm/slab.c:3580 [inline] + __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 + sk_prot_free net/core/sock.c:2074 [inline] + __sk_destruct+0x5df/0x750 net/core/sock.c:2166 + sk_destruct net/core/sock.c:2181 [inline] + __sk_free+0x175/0x460 net/core/sock.c:2192 + sk_free+0x7c/0xa0 net/core/sock.c:2203 + sock_put include/net/sock.h:1991 [inline] + nr_release+0x39e/0x460 net/netrom/af_netrom.c:554 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x1c/0x20 net/socket.c:1365 + __fput+0x27c/0xa90 fs/file_table.c:320 + task_work_run+0x16f/0x270 kernel/task_work.c:179 + exit_task_work include/linux/task_work.h:38 [inline] + do_exit+0xaa8/0x2950 kernel/exit.c:867 + do_group_exit+0xd4/0x2a0 kernel/exit.c:1012 + get_signal+0x21c3/0x2450 kernel/signal.c:2859 + arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306 + exit_to_user_mode_loop kernel/entry/common.c:168 [inline] + exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 + __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] + syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 + do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +``` + +To fix this issue, nr_listen() returns -EINVAL for sockets that +successfully nr_connect(). + +Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Hyunwoo Kim +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netrom/af_netrom.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index e5c8a295e640..5c04da4cfbad 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -400,6 +400,11 @@ static int nr_listen(struct socket *sock, int backlog) + struct sock *sk = sock->sk; + + lock_sock(sk); ++ if (sock->state != SS_UNCONNECTED) { ++ release_sock(sk); ++ return -EINVAL; ++ } ++ + if (sk->sk_state != TCP_LISTEN) { + memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN); + sk->sk_max_ack_backlog = backlog; +-- +2.39.0 + diff --git a/queue-5.15/perf-x86-intel-add-emerald-rapids.patch b/queue-5.15/perf-x86-intel-add-emerald-rapids.patch new file mode 100644 index 00000000000..0ff068d702c --- /dev/null +++ b/queue-5.15/perf-x86-intel-add-emerald-rapids.patch @@ -0,0 +1,36 @@ +From 24a3b1154004e52134e987d9e962098f7d11fb1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 08:04:46 -0800 +Subject: perf/x86/intel: Add Emerald Rapids + +From: Kan Liang + +[ Upstream commit 6795e558e9cc6123c24e2100a2ebe88e58a792bc ] + +From core PMU's perspective, Emerald Rapids is the same as the Sapphire +Rapids. The only difference is the event list, which will be +supported in the perf tool later. + +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20230106160449.3566477-1-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index f36fda2672e0..b70e1522a27a 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -6109,6 +6109,7 @@ __init int intel_pmu_init(void) + break; + + case INTEL_FAM6_SAPPHIRERAPIDS_X: ++ case INTEL_FAM6_EMERALDRAPIDS_X: + pmem = true; + x86_pmu.late_ack = true; + memcpy(hw_cache_event_ids, spr_hw_cache_event_ids, sizeof(hw_cache_event_ids)); +-- +2.39.0 + diff --git a/queue-5.15/platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch b/queue-5.15/platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch new file mode 100644 index 00000000000..4e04d480baf --- /dev/null +++ b/queue-5.15/platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch @@ -0,0 +1,41 @@ +From 5b627d7fb7738e3668566b3602467a1c5aa3dd86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 20:34:36 +0800 +Subject: platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 + table + +From: Koba Ko + +[ Upstream commit 83bcf3e52e9cfc727df33f1055ef0618c91719d0 ] + +Some platforms send the speaker-mute key from EC. dell-wmi can't +recognize it. + +Add a new keymap for KEY_MUTE in type 0x0010 table. + +Signed-off-by: Koba Ko +Link: https://lore.kernel.org/r/20230117123436.200440-1-koba.ko@canonical.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell/dell-wmi-base.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/dell/dell-wmi-base.c b/drivers/platform/x86/dell/dell-wmi-base.c +index 089c125e18f7..b83d6fa6e39b 100644 +--- a/drivers/platform/x86/dell/dell-wmi-base.c ++++ b/drivers/platform/x86/dell/dell-wmi-base.c +@@ -260,6 +260,9 @@ static const struct key_entry dell_wmi_keymap_type_0010[] = { + { KE_KEY, 0x57, { KEY_BRIGHTNESSDOWN } }, + { KE_KEY, 0x58, { KEY_BRIGHTNESSUP } }, + ++ /*Speaker Mute*/ ++ { KE_KEY, 0x109, { KEY_MUTE} }, ++ + /* Mic mute */ + { KE_KEY, 0x150, { KEY_MICMUTE } }, + +-- +2.39.0 + diff --git a/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-b450m-ds3h.patch b/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-b450m-ds3h.patch new file mode 100644 index 00000000000..ada6b4bc55f --- /dev/null +++ b/queue-5.15/platform-x86-gigabyte-wmi-add-support-for-b450m-ds3h.patch @@ -0,0 +1,41 @@ +From 8e496fe500b8e5f4f95aec435918c28aaa2d01eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 20:39:25 +0530 +Subject: platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kevin Kuriakose + +[ Upstream commit a410429a3b7e748a9db9f357e71e2e085a21c902 ] + +To the best of my knowledge this is the same board as the B450M DS3H-CF, +but with an added WiFi card. Name obtained using dmidecode, tested +with force_load on v6.1.6 + +Signed-off-by: Kevin Kuriakose +Acked-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20230119150925.31962-1-kevinmkuriakose@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/gigabyte-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c +index ebd15c1d13ec..0163e912fafe 100644 +--- a/drivers/platform/x86/gigabyte-wmi.c ++++ b/drivers/platform/x86/gigabyte-wmi.c +@@ -141,6 +141,7 @@ static u8 gigabyte_wmi_detect_sensor_usability(struct wmi_device *wdev) + + static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = { + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M DS3H-CF"), ++ DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M DS3H WIFI-CF"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B450M S2H V2"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 AORUS ELITE AX V2"), + DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 AORUS ELITE"), +-- +2.39.0 + diff --git a/queue-5.15/qede-execute-xdp_do_flush-before-napi_complete_done.patch b/queue-5.15/qede-execute-xdp_do_flush-before-napi_complete_done.patch new file mode 100644 index 00000000000..396e2dc6645 --- /dev/null +++ b/queue-5.15/qede-execute-xdp_do_flush-before-napi_complete_done.patch @@ -0,0 +1,66 @@ +From c17b511864ff2e0f322ad13d6ebef96ceca35b07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:48:57 +0100 +Subject: qede: execute xdp_do_flush() before napi_complete_done() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +[ Upstream commit 2ccce20d51faa0178086163ccb6c84a099a87ab4 ] + +Make sure that xdp_do_flush() is always executed before +napi_complete_done(). This is important for two reasons. First, a +redirect to an XSKMAP assumes that a call to xdp_do_redirect() from +napi context X on CPU Y will be followed by a xdp_do_flush() from the +same napi context and CPU. This is not guaranteed if the +napi_complete_done() is executed before xdp_do_flush(), as it tells +the napi logic that it is fine to schedule napi context X on another +CPU. Details from a production system triggering this bug using the +veth driver can be found following the first link below. + +The second reason is that the XDP_REDIRECT logic in itself relies on +being inside a single NAPI instance through to the xdp_do_flush() call +for RCU protection of all in-kernel data structures. Details can be +found in the second link below. + +Fixes: d1b25b79e162b ("qede: add .ndo_xdp_xmit() and XDP_REDIRECT support") +Signed-off-by: Magnus Karlsson +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com +Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index 17f895250e04..d67d4e74b326 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -1439,6 +1439,10 @@ int qede_poll(struct napi_struct *napi, int budget) + rx_work_done = (likely(fp->type & QEDE_FASTPATH_RX) && + qede_has_rx_work(fp->rxq)) ? + qede_rx_int(fp, budget) : 0; ++ ++ if (fp->xdp_xmit & QEDE_XDP_REDIRECT) ++ xdp_do_flush(); ++ + /* Handle case where we are called by netpoll with a budget of 0 */ + if (rx_work_done < budget || !budget) { + if (!qede_poll_is_more_work(fp)) { +@@ -1458,9 +1462,6 @@ int qede_poll(struct napi_struct *napi, int budget) + qede_update_tx_producer(fp->xdp_tx); + } + +- if (fp->xdp_xmit & QEDE_XDP_REDIRECT) +- xdp_do_flush_map(); +- + return rx_work_done; + } + +-- +2.39.0 + diff --git a/queue-5.15/read-is-data-destination-not-source.patch b/queue-5.15/read-is-data-destination-not-source.patch new file mode 100644 index 00000000000..d3a3134211c --- /dev/null +++ b/queue-5.15/read-is-data-destination-not-source.patch @@ -0,0 +1,31 @@ +From a369734312c3cf572a6d3ccec2f149e01e608955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 19:01:10 -0400 +Subject: READ is "data destination", not source... + +From: Al Viro + +[ Upstream commit 355d2c2798e9dc39f6714fa7ef8902c0d4c5350b ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index c644617725a8..54eb6556c63d 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -967,7 +967,7 @@ static void rtrs_clt_init_req(struct rtrs_clt_io_req *req, + refcount_set(&req->ref, 1); + req->mp_policy = clt_path->clt->mp_policy; + +- iov_iter_kvec(&iter, READ, vec, 1, usr_len); ++ iov_iter_kvec(&iter, WRITE, vec, 1, usr_len); + len = _copy_from_iter(req->iu->buf, usr_len, &iter); + WARN_ON(len != usr_len); + +-- +2.39.0 + diff --git a/queue-5.15/riscv-kprobe-fixup-kernel-panic-when-probing-an-ille.patch b/queue-5.15/riscv-kprobe-fixup-kernel-panic-when-probing-an-ille.patch new file mode 100644 index 00000000000..d6c0e8262ae --- /dev/null +++ b/queue-5.15/riscv-kprobe-fixup-kernel-panic-when-probing-an-ille.patch @@ -0,0 +1,95 @@ +From 532e3184e5769cf28860d72a29059af86883051a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 23:06:04 -0500 +Subject: riscv: kprobe: Fixup kernel panic when probing an illegal position +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guo Ren + +[ Upstream commit 87f48c7ccc73afc78630530d9af51f458f58cab8 ] + +The kernel would panic when probed for an illegal position. eg: + +(CONFIG_RISCV_ISA_C=n) + +echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events +echo 1 > events/kprobes/hello/enable +cat trace + +Kernel panic - not syncing: stack-protector: Kernel stack +is corrupted in: __do_sys_newfstatat+0xb8/0xb8 +CPU: 0 PID: 111 Comm: sh Not tainted +6.2.0-rc1-00027-g2d398fe49a4d #490 +Hardware name: riscv-virtio,qemu (DT) +Call Trace: +[] dump_backtrace+0x38/0x48 +[] show_stack+0x50/0x68 +[] dump_stack_lvl+0x60/0x84 +[] dump_stack+0x20/0x30 +[] panic+0x160/0x374 +[] generic_handle_arch_irq+0x0/0xa8 +[] sys_newstat+0x0/0x30 +[] sys_clone+0x20/0x30 +[] ret_from_syscall+0x0/0x4 +---[ end Kernel panic - not syncing: stack-protector: +Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]--- + +That is because the kprobe's ebreak instruction broke the kernel's +original code. The user should guarantee the correction of the probe +position, but it couldn't make the kernel panic. + +This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an +illegal position (Such as the middle of an instruction). + +Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") +Signed-off-by: Guo Ren +Signed-off-by: Guo Ren +Reviewed-by: Björn Töpel +Link: https://lore.kernel.org/r/20230201040604.3390509-1-guoren@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/probes/kprobes.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/arch/riscv/kernel/probes/kprobes.c b/arch/riscv/kernel/probes/kprobes.c +index 00088dc6da4b..125241ce82d6 100644 +--- a/arch/riscv/kernel/probes/kprobes.c ++++ b/arch/riscv/kernel/probes/kprobes.c +@@ -46,6 +46,21 @@ static void __kprobes arch_simulate_insn(struct kprobe *p, struct pt_regs *regs) + post_kprobe_handler(p, kcb, regs); + } + ++static bool __kprobes arch_check_kprobe(struct kprobe *p) ++{ ++ unsigned long tmp = (unsigned long)p->addr - p->offset; ++ unsigned long addr = (unsigned long)p->addr; ++ ++ while (tmp <= addr) { ++ if (tmp == addr) ++ return true; ++ ++ tmp += GET_INSN_LENGTH(*(u16 *)tmp); ++ } ++ ++ return false; ++} ++ + int __kprobes arch_prepare_kprobe(struct kprobe *p) + { + unsigned long probe_addr = (unsigned long)p->addr; +@@ -56,6 +71,9 @@ int __kprobes arch_prepare_kprobe(struct kprobe *p) + return -EINVAL; + } + ++ if (!arch_check_kprobe(p)) ++ return -EILSEQ; ++ + /* copy instruction */ + p->opcode = *p->addr; + +-- +2.39.0 + diff --git a/queue-5.15/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch b/queue-5.15/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch new file mode 100644 index 00000000000..7098a5e93c1 --- /dev/null +++ b/queue-5.15/scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch @@ -0,0 +1,68 @@ +From fad06f10c525a76938e6eb872a7c323a040c9ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:39:37 -0600 +Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost + ipaddress + +From: Mike Christie + +[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] + +If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, +userspace could be accessing the host's ipaddress attr. If we then free the +session via iscsi_session_teardown() while userspace is still accessing the +session we will hit a use after free bug. + +Set the tcp_sw_host->session after we have completed session creation and +can no longer fail. + +Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 5c19e75c0e2f..594336004190 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -848,7 +848,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + enum iscsi_host_param param, char *buf) + { + struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost); +- struct iscsi_session *session = tcp_sw_host->session; ++ struct iscsi_session *session; + struct iscsi_conn *conn; + struct iscsi_tcp_conn *tcp_conn; + struct iscsi_sw_tcp_conn *tcp_sw_conn; +@@ -858,6 +858,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + + switch (param) { + case ISCSI_HOST_PARAM_IPADDRESS: ++ session = tcp_sw_host->session; + if (!session) + return -ENOTCONN; + +@@ -958,11 +959,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max, + if (!cls_session) + goto remove_host; + session = cls_session->dd_data; +- tcp_sw_host = iscsi_host_priv(shost); +- tcp_sw_host->session = session; + + if (iscsi_tcp_r2tpool_alloc(session)) + goto remove_session; ++ ++ /* We are now fully setup so expose the session to sysfs. */ ++ tcp_sw_host = iscsi_host_priv(shost); ++ tcp_sw_host->session = session; + return cls_session; + + remove_session: +-- +2.39.0 + diff --git a/queue-5.15/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-.patch b/queue-5.15/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-.patch new file mode 100644 index 00000000000..809066d82d4 --- /dev/null +++ b/queue-5.15/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-.patch @@ -0,0 +1,230 @@ +From 9c71f864e5c7cf58babf85265d93743e2b34159a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:39:36 -0600 +Subject: scsi: iscsi_tcp: Fix UAF during logout when accessing the shost + ipaddress + +From: Mike Christie + +[ Upstream commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 ] + +Bug report and analysis from Ding Hui. + +During iSCSI session logout, if another task accesses the shost ipaddress +attr, we can get a KASAN UAF report like this: + +[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0 +[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088 +[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3 +[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +[ 276.944470] Call Trace: +[ 276.944943] +[ 276.945397] dump_stack_lvl+0x34/0x48 +[ 276.945887] print_address_description.constprop.0+0x86/0x1e7 +[ 276.946421] print_report+0x36/0x4f +[ 276.947358] kasan_report+0xad/0x130 +[ 276.948234] kasan_check_range+0x35/0x1c0 +[ 276.948674] _raw_spin_lock_bh+0x78/0xe0 +[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp] +[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi] +[ 276.952185] dev_attr_show+0x3f/0x80 +[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0 +[ 276.953401] seq_read_iter+0x402/0x1020 +[ 276.954260] vfs_read+0x532/0x7b0 +[ 276.955113] ksys_read+0xed/0x1c0 +[ 276.955952] do_syscall_64+0x38/0x90 +[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 276.956769] RIP: 0033:0x7f5d3a679222 +[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 +[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 +[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222 +[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003 +[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000 +[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000 +[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58 +[ 276.960536] +[ 276.961357] Allocated by task 2209: +[ 276.961756] kasan_save_stack+0x1e/0x40 +[ 276.962170] kasan_set_track+0x21/0x30 +[ 276.962557] __kasan_kmalloc+0x7e/0x90 +[ 276.962923] __kmalloc+0x5b/0x140 +[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi] +[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi] +[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp] +[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi] +[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi] +[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] +[ 276.965546] netlink_unicast+0x4d5/0x7b0 +[ 276.965905] netlink_sendmsg+0x78d/0xc30 +[ 276.966236] sock_sendmsg+0xe5/0x120 +[ 276.966576] ____sys_sendmsg+0x5fe/0x860 +[ 276.966923] ___sys_sendmsg+0xe0/0x170 +[ 276.967300] __sys_sendmsg+0xc8/0x170 +[ 276.967666] do_syscall_64+0x38/0x90 +[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 276.968773] Freed by task 2209: +[ 276.969111] kasan_save_stack+0x1e/0x40 +[ 276.969449] kasan_set_track+0x21/0x30 +[ 276.969789] kasan_save_free_info+0x2a/0x50 +[ 276.970146] __kasan_slab_free+0x106/0x190 +[ 276.970470] __kmem_cache_free+0x133/0x270 +[ 276.970816] device_release+0x98/0x210 +[ 276.971145] kobject_cleanup+0x101/0x360 +[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi] +[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp] +[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi] +[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] +[ 276.972808] netlink_unicast+0x4d5/0x7b0 +[ 276.973201] netlink_sendmsg+0x78d/0xc30 +[ 276.973544] sock_sendmsg+0xe5/0x120 +[ 276.973864] ____sys_sendmsg+0x5fe/0x860 +[ 276.974248] ___sys_sendmsg+0xe0/0x170 +[ 276.974583] __sys_sendmsg+0xc8/0x170 +[ 276.974891] do_syscall_64+0x38/0x90 +[ 276.975216] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +We can easily reproduce by two tasks: +1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done +2. while :; do cat \ +/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done + + iscsid | cat +--------------------------------+--------------------------------------- +|- iscsi_sw_tcp_session_destroy | + |- iscsi_session_teardown | + |- device_release | + |- iscsi_session_release ||- dev_attr_show + |- kfree | |- show_host_param_ + | ISCSI_HOST_PARAM_IPADDRESS + | |- iscsi_sw_tcp_host_get_param + | |- r/w tcp_sw_host->session (UAF) + |- iscsi_host_remove | + |- iscsi_host_free | + +Fix the above bug by splitting the session removal into 2 parts: + + 1. removal from iSCSI class which includes sysfs and removal from host + tracking. + + 2. freeing of session. + +During iscsi_tcp host and session removal we can remove the session from +sysfs then remove the host from sysfs. At this point we know userspace is +not accessing the kernel via sysfs so we can free the session and host. + +Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com +Signed-off-by: Mike Christie +Reviewed-by: Lee Duncan +Acked-by: Ding Hui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 11 +++++++++-- + drivers/scsi/libiscsi.c | 38 +++++++++++++++++++++++++++++++------- + include/scsi/libiscsi.h | 2 ++ + 3 files changed, 42 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 4d2f33087806..5c19e75c0e2f 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -982,10 +982,17 @@ static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session) + if (WARN_ON_ONCE(session->leadconn)) + return; + ++ iscsi_session_remove(cls_session); ++ /* ++ * Our get_host_param needs to access the session, so remove the ++ * host from sysfs before freeing the session to make sure userspace ++ * is no longer accessing the callout. ++ */ ++ iscsi_host_remove(shost, false); ++ + iscsi_tcp_r2tpool_free(cls_session->dd_data); +- iscsi_session_teardown(cls_session); + +- iscsi_host_remove(shost, false); ++ iscsi_session_free(cls_session); + iscsi_host_free(shost); + } + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 73d235540b98..d422e8fd7137 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -3024,17 +3024,32 @@ iscsi_session_setup(struct iscsi_transport *iscsit, struct Scsi_Host *shost, + } + EXPORT_SYMBOL_GPL(iscsi_session_setup); + +-/** +- * iscsi_session_teardown - destroy session, host, and cls_session +- * @cls_session: iscsi session ++/* ++ * issi_session_remove - Remove session from iSCSI class. + */ +-void iscsi_session_teardown(struct iscsi_cls_session *cls_session) ++void iscsi_session_remove(struct iscsi_cls_session *cls_session) + { + struct iscsi_session *session = cls_session->dd_data; +- struct module *owner = cls_session->transport->owner; + struct Scsi_Host *shost = session->host; + + iscsi_remove_session(cls_session); ++ /* ++ * host removal only has to wait for its children to be removed from ++ * sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing ++ * the session, so drop the session count here. ++ */ ++ iscsi_host_dec_session_cnt(shost); ++} ++EXPORT_SYMBOL_GPL(iscsi_session_remove); ++ ++/** ++ * iscsi_session_free - Free iscsi session and it's resources ++ * @cls_session: iscsi session ++ */ ++void iscsi_session_free(struct iscsi_cls_session *cls_session) ++{ ++ struct iscsi_session *session = cls_session->dd_data; ++ struct module *owner = cls_session->transport->owner; + + iscsi_pool_free(&session->cmdpool); + kfree(session->password); +@@ -3052,10 +3067,19 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session) + kfree(session->discovery_parent_type); + + iscsi_free_session(cls_session); +- +- iscsi_host_dec_session_cnt(shost); + module_put(owner); + } ++EXPORT_SYMBOL_GPL(iscsi_session_free); ++ ++/** ++ * iscsi_session_teardown - destroy session and cls_session ++ * @cls_session: iscsi session ++ */ ++void iscsi_session_teardown(struct iscsi_cls_session *cls_session) ++{ ++ iscsi_session_remove(cls_session); ++ iscsi_session_free(cls_session); ++} + EXPORT_SYMBOL_GPL(iscsi_session_teardown); + + /** +diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h +index 5cf84228b51d..c7ee5279e7fc 100644 +--- a/include/scsi/libiscsi.h ++++ b/include/scsi/libiscsi.h +@@ -414,6 +414,8 @@ extern int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost, + extern struct iscsi_cls_session * + iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost, + uint16_t, int, int, uint32_t, unsigned int); ++void iscsi_session_remove(struct iscsi_cls_session *cls_session); ++void iscsi_session_free(struct iscsi_cls_session *cls_session); + extern void iscsi_session_teardown(struct iscsi_cls_session *); + extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *); + extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn, +-- +2.39.0 + diff --git a/queue-5.15/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch b/queue-5.15/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch new file mode 100644 index 00000000000..9e3151d49b3 --- /dev/null +++ b/queue-5.15/scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch @@ -0,0 +1,56 @@ +From 60f0d8cf33f8cfc5f306c88341039986088b019a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 22:06:08 -0500 +Subject: scsi: Revert "scsi: core: map PQ=1, PDT=other values to + SCSI_SCAN_TARGET_PRESENT" + +From: Martin K. Petersen + +[ Upstream commit 15600159bcc6abbeae6b33a849bef90dca28b78f ] + +This reverts commit 948e922fc44611ee2de0c89583ca958cb5307d36. + +Not all targets that return PQ=1 and PDT=0 should be ignored. While +the SCSI spec is vague in this department, there appears to be a +critical mass of devices which rely on devices being accessible with +this combination of reported values. + +Fixes: 948e922fc446 ("scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT") +Link: https://lore.kernel.org/r/yq1lelrleqr.fsf@ca-mkp.ca.oracle.com +Acked-by: Bart Van Assche +Acked-by: Martin Wilck +Acked-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index 9466474ff01b..86c10edbb5f1 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -1206,8 +1206,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + * that no LUN is present, so don't add sdev in these cases. + * Two specific examples are: + * 1) NetApp targets: return PQ=1, PDT=0x1f +- * 2) IBM/2145 targets: return PQ=1, PDT=0 +- * 3) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved" ++ * 2) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved" + * in the UFI 1.0 spec (we cannot rely on reserved bits). + * + * References: +@@ -1221,8 +1220,8 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget, + * PDT=00h Direct-access device (floppy) + * PDT=1Fh none (no FDD connected to the requested logical unit) + */ +- if (((result[0] >> 5) == 1 || +- (starget->pdt_1f_for_no_lun && (result[0] & 0x1f) == 0x1f)) && ++ if (((result[0] >> 5) == 1 || starget->pdt_1f_for_no_lun) && ++ (result[0] & 0x1f) == 0x1f && + !scsi_is_wlun(lun)) { + SCSI_LOG_SCAN_BUS(3, sdev_printk(KERN_INFO, sdev, + "scsi scan: peripheral device type" +-- +2.39.0 + diff --git a/queue-5.15/scsi-target-core-fix-warning-on-rt-kernels.patch b/queue-5.15/scsi-target-core-fix-warning-on-rt-kernels.patch new file mode 100644 index 00000000000..eaff4498f69 --- /dev/null +++ b/queue-5.15/scsi-target-core-fix-warning-on-rt-kernels.patch @@ -0,0 +1,40 @@ +From 68f31a80ab2cf67be6a38b131e7f306efd479d76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:53:10 +0100 +Subject: scsi: target: core: Fix warning on RT kernels + +From: Maurizio Lombardi + +[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ] + +Calling spin_lock_irqsave() does not disable the interrupts on realtime +kernels, remove the warning and replace assert_spin_locked() with +lockdep_assert_held(). + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_tmr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index bac111456fa1..2b95b4550a63 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -73,8 +73,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd, + { + struct se_session *sess = se_cmd->se_sess; + +- assert_spin_locked(&sess->sess_cmd_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&sess->sess_cmd_lock); ++ + /* + * If command already reached CMD_T_COMPLETE state within + * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown, +-- +2.39.0 + diff --git a/queue-5.15/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch b/queue-5.15/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch new file mode 100644 index 00000000000..f45c99d0d8c --- /dev/null +++ b/queue-5.15/selftests-net-udpgso_bench-fix-racing-bug-between-th.patch @@ -0,0 +1,80 @@ +From 7b701bef18774ba7cbd662a119d6f5c6b27f4a43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:14 +0000 +Subject: selftests: net: udpgso_bench: Fix racing bug between the rx/tx + programs + +From: Andrei Gherzan + +[ Upstream commit dafe93b9ee21028d625dce347118b82659652eff ] + +"udpgro_bench.sh" invokes udpgso_bench_rx/udpgso_bench_tx programs +subsequently and while doing so, there is a chance that the rx one is not +ready to accept socket connections. This racing bug could fail the test +with at least one of the following: + +./udpgso_bench_tx: connect: Connection refused +./udpgso_bench_tx: sendmsg: Connection refused +./udpgso_bench_tx: write: Connection refused + +This change addresses this by making udpgro_bench.sh wait for the rx +program to be ready before firing off the tx one - up to a 10s timeout. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Signed-off-by: Andrei Gherzan +Cc: Paolo Abeni +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-3-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench.sh | 24 +++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench.sh b/tools/testing/selftests/net/udpgso_bench.sh +index dc932fd65363..640bc43452fa 100755 +--- a/tools/testing/selftests/net/udpgso_bench.sh ++++ b/tools/testing/selftests/net/udpgso_bench.sh +@@ -7,6 +7,7 @@ readonly GREEN='\033[0;92m' + readonly YELLOW='\033[0;33m' + readonly RED='\033[0;31m' + readonly NC='\033[0m' # No Color ++readonly TESTPORT=8000 + + readonly KSFT_PASS=0 + readonly KSFT_FAIL=1 +@@ -56,11 +57,26 @@ trap wake_children EXIT + + run_one() { + local -r args=$@ ++ local nr_socks=0 ++ local i=0 ++ local -r timeout=10 ++ ++ ./udpgso_bench_rx -p "$TESTPORT" & ++ ./udpgso_bench_rx -p "$TESTPORT" -t & ++ ++ # Wait for the above test program to get ready to receive connections. ++ while [ "$i" -lt "$timeout" ]; do ++ nr_socks="$(ss -lnHi | grep -c "\*:${TESTPORT}")" ++ [ "$nr_socks" -eq 2 ] && break ++ i=$((i + 1)) ++ sleep 1 ++ done ++ if [ "$nr_socks" -ne 2 ]; then ++ echo "timed out while waiting for udpgso_bench_rx" ++ exit 1 ++ fi + +- ./udpgso_bench_rx & +- ./udpgso_bench_rx -t & +- +- ./udpgso_bench_tx ${args} ++ ./udpgso_bench_tx -p "$TESTPORT" ${args} + } + + run_in_netns() { +-- +2.39.0 + diff --git a/queue-5.15/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch b/queue-5.15/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch new file mode 100644 index 00000000000..54427ec2336 --- /dev/null +++ b/queue-5.15/selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch @@ -0,0 +1,51 @@ +From 720663009b91bb6b69687e65861ec8527490d6cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:10 +0000 +Subject: selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler + warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrei Gherzan + +[ Upstream commit c03c80e3a03ffb4f790901d60797e9810539d946 ] + +This change fixes the following compiler warning: + +/usr/include/x86_64-linux-gnu/bits/error.h:40:5: warning: ‘gso_size’ may +be used uninitialized [-Wmaybe-uninitialized] + 40 | __error_noreturn (__status, __errnum, __format, + __va_arg_pack ()); + | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + udpgso_bench_rx.c: In function ‘main’: + udpgso_bench_rx.c:253:23: note: ‘gso_size’ was declared here + 253 | int ret, len, gso_size, budget = 256; + +Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") +Signed-off-by: Andrei Gherzan +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-1-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index 6a193425c367..d0895bd1933f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -250,7 +250,7 @@ static int recv_msg(int fd, char *buf, int len, int *gso_size) + static void do_flush_udp(int fd) + { + static char rbuf[ETH_MAX_MTU]; +- int ret, len, gso_size, budget = 256; ++ int ret, len, gso_size = 0, budget = 256; + + len = cfg_read_all ? sizeof(rbuf) : 0; + while (budget--) { +-- +2.39.0 + diff --git a/queue-5.15/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch b/queue-5.15/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch new file mode 100644 index 00000000000..d7258dc6caf --- /dev/null +++ b/queue-5.15/selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch @@ -0,0 +1,55 @@ +From 55423444f45391df5d96df5a6402ad412e1159ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:12 +0000 +Subject: selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are + provided + +From: Andrei Gherzan + +[ Upstream commit db9b47ee9f5f375ab0c5daeb20321c75b4fa657d ] + +Leaving unrecognized arguments buried in the output, can easily hide a +CLI/script typo. Avoid this by exiting when wrong arguments are provided to +the udpgso_bench test programs. + +Fixes: 3a687bef148d ("selftests: udp gso benchmark") +Signed-off-by: Andrei Gherzan +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-2-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 2 ++ + tools/testing/selftests/net/udpgso_bench_tx.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index d0895bd1933f..4058c7451e70 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -336,6 +336,8 @@ static void parse_opts(int argc, char **argv) + cfg_verify = true; + cfg_read_all = true; + break; ++ default: ++ exit(1); + } + } + +diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c +index f1fdaa270291..b47b5c32039f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_tx.c ++++ b/tools/testing/selftests/net/udpgso_bench_tx.c +@@ -490,6 +490,8 @@ static void parse_opts(int argc, char **argv) + case 'z': + cfg_zerocopy = true; + break; ++ default: ++ exit(1); + } + } + +-- +2.39.0 + diff --git a/queue-5.15/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch b/queue-5.15/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch new file mode 100644 index 00000000000..2324f198d8f --- /dev/null +++ b/queue-5.15/selftests-net-udpgso_bench_tx-cater-for-pending-data.patch @@ -0,0 +1,135 @@ +From 5e11d5e3c345cc01fe25f7d78cfda23be3361c00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 00:16:16 +0000 +Subject: selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy + benchmarking + +From: Andrei Gherzan + +[ Upstream commit 329c9cd769c2e306957df031efff656c40922c76 ] + +The test tool can check that the zerocopy number of completions value is +valid taking into consideration the number of datagram send calls. This can +catch the system into a state where the datagrams are still in the system +(for example in a qdisk, waiting for the network interface to return a +completion notification, etc). + +This change adds a retry logic of computing the number of completions up to +a configurable (via CLI) timeout (default: 2 seconds). + +Fixes: 79ebc3c26010 ("net/udpgso_bench_tx: options to exercise TX CMSG") +Signed-off-by: Andrei Gherzan +Cc: Willem de Bruijn +Cc: Paolo Abeni +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230201001612.515730-4-andrei.gherzan@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_tx.c | 34 +++++++++++++++---- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c +index b47b5c32039f..477392715a9a 100644 +--- a/tools/testing/selftests/net/udpgso_bench_tx.c ++++ b/tools/testing/selftests/net/udpgso_bench_tx.c +@@ -62,6 +62,7 @@ static int cfg_payload_len = (1472 * 42); + static int cfg_port = 8000; + static int cfg_runtime_ms = -1; + static bool cfg_poll; ++static int cfg_poll_loop_timeout_ms = 2000; + static bool cfg_segment; + static bool cfg_sendmmsg; + static bool cfg_tcp; +@@ -235,16 +236,17 @@ static void flush_errqueue_recv(int fd) + } + } + +-static void flush_errqueue(int fd, const bool do_poll) ++static void flush_errqueue(int fd, const bool do_poll, ++ unsigned long poll_timeout, const bool poll_err) + { + if (do_poll) { + struct pollfd fds = {0}; + int ret; + + fds.fd = fd; +- ret = poll(&fds, 1, 500); ++ ret = poll(&fds, 1, poll_timeout); + if (ret == 0) { +- if (cfg_verbose) ++ if ((cfg_verbose) && (poll_err)) + fprintf(stderr, "poll timeout\n"); + } else if (ret < 0) { + error(1, errno, "poll"); +@@ -254,6 +256,20 @@ static void flush_errqueue(int fd, const bool do_poll) + flush_errqueue_recv(fd); + } + ++static void flush_errqueue_retry(int fd, unsigned long num_sends) ++{ ++ unsigned long tnow, tstop; ++ bool first_try = true; ++ ++ tnow = gettimeofday_ms(); ++ tstop = tnow + cfg_poll_loop_timeout_ms; ++ do { ++ flush_errqueue(fd, true, tstop - tnow, first_try); ++ first_try = false; ++ tnow = gettimeofday_ms(); ++ } while ((stat_zcopies != num_sends) && (tnow < tstop)); ++} ++ + static int send_tcp(int fd, char *data) + { + int ret, done = 0, count = 0; +@@ -413,7 +429,8 @@ static int send_udp_segment(int fd, char *data) + + static void usage(const char *filepath) + { +- error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]", ++ error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] " ++ "[-L secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]", + filepath); + } + +@@ -423,7 +440,7 @@ static void parse_opts(int argc, char **argv) + int max_len, hdrlen; + int c; + +- while ((c = getopt(argc, argv, "46acC:D:Hl:mM:p:s:PS:tTuvz")) != -1) { ++ while ((c = getopt(argc, argv, "46acC:D:Hl:L:mM:p:s:PS:tTuvz")) != -1) { + switch (c) { + case '4': + if (cfg_family != PF_UNSPEC) +@@ -452,6 +469,9 @@ static void parse_opts(int argc, char **argv) + case 'l': + cfg_runtime_ms = strtoul(optarg, NULL, 10) * 1000; + break; ++ case 'L': ++ cfg_poll_loop_timeout_ms = strtoul(optarg, NULL, 10) * 1000; ++ break; + case 'm': + cfg_sendmmsg = true; + break; +@@ -679,7 +699,7 @@ int main(int argc, char **argv) + num_sends += send_udp(fd, buf[i]); + num_msgs++; + if ((cfg_zerocopy && ((num_msgs & 0xF) == 0)) || cfg_tx_tstamp) +- flush_errqueue(fd, cfg_poll); ++ flush_errqueue(fd, cfg_poll, 500, true); + + if (cfg_msg_nr && num_msgs >= cfg_msg_nr) + break; +@@ -698,7 +718,7 @@ int main(int argc, char **argv) + } while (!interrupted && (cfg_runtime_ms == -1 || tnow < tstop)); + + if (cfg_zerocopy || cfg_tx_tstamp) +- flush_errqueue(fd, true); ++ flush_errqueue_retry(fd, num_sends); + + if (close(fd)) + error(1, errno, "close"); +-- +2.39.0 + diff --git a/queue-5.15/series b/queue-5.15/series index e8e31cc7adc..27ba88233c2 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1 +1,61 @@ firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch +bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch +asoc-intel-boards-fix-spelling-in-comments.patch +asoc-intel-bytcht_es8316-move-comment-to-the-right-p.patch +asoc-intel-bytcht_es8316-drop-reference-count-of-acp.patch +asoc-intel-bytcr_rt5651-drop-reference-count-of-acpi.patch +asoc-intel-bytcr_rt5640-drop-reference-count-of-acpi.patch +asoc-intel-bytcr_wm5102-drop-reference-count-of-acpi.patch +bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch +alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch +bpf-support-8-byte-scalar-spill-and-refill.patch +bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch +bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch +arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch +drm-vc4-hdmi-make-cec-adapter-name-unique.patch +scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch +vhost-net-clear-the-pending-messages-when-the-backen.patch +write-is-data-source-not-destination.patch +read-is-data-destination-not-source.patch +fix-iov_iter_bvec-direction-argument.patch +fix-direction-argument-of-iov_iter_kvec.patch +ice-prevent-set_channel-from-changing-queues-while-r.patch +qede-execute-xdp_do_flush-before-napi_complete_done.patch +virtio-net-execute-xdp_do_flush-before-napi_complete.patch +dpaa_eth-execute-xdp_do_flush-before-napi_complete_d.patch +dpaa2-eth-execute-xdp_do_flush-before-napi_complete_.patch +sfc-correctly-advertise-tunneled-ipv6-segmentation.patch +net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch +block-bfq-iosched.c-use-false-rather-than-blk_rw_asy.patch +block-bfq-replace-0-1-with-false-true-in-bic-apis.patch +block-bfq-fix-uaf-for-bfqq-in-bic_set_bfqq.patch +netrom-fix-use-after-free-caused-by-accept-on-alread.patch +drm-i915-guc-fix-locking-when-searching-for-a-hung-r.patch +drm-i915-adlp-fix-typo-for-reference-clock.patch +netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch +squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch +net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch +ip-ip6_gre-fix-changing-addr-gen-mode-not-generating.patch +ip-ip6_gre-fix-non-point-to-point-tunnel-not-generat.patch +riscv-kprobe-fixup-kernel-panic-when-probing-an-ille.patch +igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch +can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch +ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch +selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch +selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch +selftests-net-udpgso_bench-fix-racing-bug-between-th.patch +selftests-net-udpgso_bench_tx-cater-for-pending-data.patch +virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch +net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch +efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch +i2c-designware-pci-add-new-pci-ids-for-amd-navi-gpu.patch +i2c-mxs-suppress-probe-deferral-error-message.patch +scsi-target-core-fix-warning-on-rt-kernels.patch +perf-x86-intel-add-emerald-rapids.patch +scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-.patch +scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch +i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch +platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch +platform-x86-gigabyte-wmi-add-support-for-b450m-ds3h.patch +net-x25-fix-to-not-accept-on-connected-socket.patch +drm-amd-display-fix-timing-not-changning-when-freesy.patch diff --git a/queue-5.15/sfc-correctly-advertise-tunneled-ipv6-segmentation.patch b/queue-5.15/sfc-correctly-advertise-tunneled-ipv6-segmentation.patch new file mode 100644 index 00000000000..607f9f38e70 --- /dev/null +++ b/queue-5.15/sfc-correctly-advertise-tunneled-ipv6-segmentation.patch @@ -0,0 +1,53 @@ +From 457d75f21e52b523020121f09818518e61d3fa65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 15:35:13 +0100 +Subject: sfc: correctly advertise tunneled IPv6 segmentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Íñigo Huguet + +[ Upstream commit ffffd2454a7a1bc9f7242b12c4cc0b05c12692b4 ] + +Recent sfc NICs are TSO capable for some tunnel protocols. However, it +was not working properly because the feature was not advertised in +hw_enc_features, but in hw_features only. + +Setting up a GENEVE tunnel and using iperf3 to send IPv4 and IPv6 traffic +to the tunnel show, with tcpdump, that the IPv4 packets still had ~64k +size but the IPv6 ones had only ~1500 bytes (they had been segmented by +software, not offloaded). With this patch segmentation is offloaded as +expected and the traffic is correctly received at the other end. + +Fixes: 24b2c3751aa3 ("sfc: advertise encapsulated offloads on EF10") +Reported-by: Tianhao Zhao +Signed-off-by: Íñigo Huguet +Acked-by: Martin Habets +Link: https://lore.kernel.org/r/20230125143513.25841-1-ihuguet@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/efx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c +index 43ef4f529028..b6243f03e953 100644 +--- a/drivers/net/ethernet/sfc/efx.c ++++ b/drivers/net/ethernet/sfc/efx.c +@@ -1005,8 +1005,11 @@ static int efx_pci_probe_post_io(struct efx_nic *efx) + /* Determine netdevice features */ + net_dev->features |= (efx->type->offload_features | NETIF_F_SG | + NETIF_F_TSO | NETIF_F_RXCSUM | NETIF_F_RXALL); +- if (efx->type->offload_features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM)) ++ if (efx->type->offload_features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM)) { + net_dev->features |= NETIF_F_TSO6; ++ if (efx_has_cap(efx, TX_TSO_V2_ENCAP)) ++ net_dev->hw_enc_features |= NETIF_F_TSO6; ++ } + /* Check whether device supports TSO */ + if (!efx->type->tso_versions || !efx->type->tso_versions(efx)) + net_dev->features &= ~NETIF_F_ALL_TSO; +-- +2.39.0 + diff --git a/queue-5.15/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch b/queue-5.15/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch new file mode 100644 index 00000000000..5356c09c891 --- /dev/null +++ b/queue-5.15/squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch @@ -0,0 +1,45 @@ +From e8eae9b33527046b0c42da3b8118de8cc03b89ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 13:52:26 +0300 +Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table + +From: Fedor Pchelkin + +[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ] + +While mounting a corrupted filesystem, a signed integer '*xattr_ids' can +become less than zero. This leads to the incorrect computation of 'len' +and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor() +or out-of-bounds accesses in the next sanity checks inside +squashfs_read_xattr_id_table(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru +Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") +Reported-by: +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Cc: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/xattr_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c +index 087cab8c78f4..f6d78cbc3e74 100644 +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -76,7 +76,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, + /* Sanity check values */ + + /* there is always at least one xattr id */ +- if (*xattr_ids == 0) ++ if (*xattr_ids <= 0) + return ERR_PTR(-EINVAL); + + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); +-- +2.39.0 + diff --git a/queue-5.15/vhost-net-clear-the-pending-messages-when-the-backen.patch b/queue-5.15/vhost-net-clear-the-pending-messages-when-the-backen.patch new file mode 100644 index 00000000000..8bb9bb878f0 --- /dev/null +++ b/queue-5.15/vhost-net-clear-the-pending-messages-when-the-backen.patch @@ -0,0 +1,83 @@ +From 20ca28cc6a76362ff2b8f4906c7cbcaa4677b788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 10:15:18 -0500 +Subject: vhost/net: Clear the pending messages when the backend is removed + +From: Eric Auger + +[ Upstream commit 9526f9a2b762af16be94a72aca5d65c677d28f50 ] + +When the vhost iotlb is used along with a guest virtual iommu +and the guest gets rebooted, some MISS messages may have been +recorded just before the reboot and spuriously executed by +the virtual iommu after the reboot. + +As vhost does not have any explicit reset user API, +VHOST_NET_SET_BACKEND looks a reasonable point where to clear +the pending messages, in case the backend is removed. + +Export vhost_clear_msg() and call it in vhost_net_set_backend() +when fd == -1. + +Signed-off-by: Eric Auger +Suggested-by: Jason Wang +Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") +Message-Id: <20230117151518.44725-3-eric.auger@redhat.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/net.c | 3 +++ + drivers/vhost/vhost.c | 3 ++- + drivers/vhost/vhost.h | 1 + + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 297b5db47454..32148f011200 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -1517,6 +1517,9 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) + nvq = &n->vqs[index]; + mutex_lock(&vq->mutex); + ++ if (fd == -1) ++ vhost_clear_msg(&n->dev); ++ + /* Verify that ring has been setup correctly. */ + if (!vhost_vq_access_ok(vq)) { + r = -EFAULT; +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 0a9746bc9228..c0f926a9c298 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -669,7 +669,7 @@ void vhost_dev_stop(struct vhost_dev *dev) + } + EXPORT_SYMBOL_GPL(vhost_dev_stop); + +-static void vhost_clear_msg(struct vhost_dev *dev) ++void vhost_clear_msg(struct vhost_dev *dev) + { + struct vhost_msg_node *node, *n; + +@@ -687,6 +687,7 @@ static void vhost_clear_msg(struct vhost_dev *dev) + + spin_unlock(&dev->iotlb_lock); + } ++EXPORT_SYMBOL_GPL(vhost_clear_msg); + + void vhost_dev_cleanup(struct vhost_dev *dev) + { +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index 638bb640d6b4..f2675c0aa08e 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -182,6 +182,7 @@ long vhost_dev_ioctl(struct vhost_dev *, unsigned int ioctl, void __user *argp); + long vhost_vring_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp); + bool vhost_vq_access_ok(struct vhost_virtqueue *vq); + bool vhost_log_access_ok(struct vhost_dev *); ++void vhost_clear_msg(struct vhost_dev *dev); + + int vhost_get_vq_desc(struct vhost_virtqueue *, + struct iovec iov[], unsigned int iov_count, +-- +2.39.0 + diff --git a/queue-5.15/virtio-net-execute-xdp_do_flush-before-napi_complete.patch b/queue-5.15/virtio-net-execute-xdp_do_flush-before-napi_complete.patch new file mode 100644 index 00000000000..85b458ef14b --- /dev/null +++ b/queue-5.15/virtio-net-execute-xdp_do_flush-before-napi_complete.patch @@ -0,0 +1,63 @@ +From 562a4bfa473563a152068624093c5f3746c0c7bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jan 2023 08:48:59 +0100 +Subject: virtio-net: execute xdp_do_flush() before napi_complete_done() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Magnus Karlsson + +[ Upstream commit ad7e615f646c9b5b2cf655cdfb9d91a28db4f25a ] + +Make sure that xdp_do_flush() is always executed before +napi_complete_done(). This is important for two reasons. First, a +redirect to an XSKMAP assumes that a call to xdp_do_redirect() from +napi context X on CPU Y will be followed by a xdp_do_flush() from the +same napi context and CPU. This is not guaranteed if the +napi_complete_done() is executed before xdp_do_flush(), as it tells +the napi logic that it is fine to schedule napi context X on another +CPU. Details from a production system triggering this bug using the +veth driver can be found following the first link below. + +The second reason is that the XDP_REDIRECT logic in itself relies on +being inside a single NAPI instance through to the xdp_do_flush() call +for RCU protection of all in-kernel data structures. Details can be +found in the second link below. + +Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT") +Signed-off-by: Magnus Karlsson +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com +Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/ +Acked-by: Michael S. Tsirkin +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 9222be208aba..a5ec81c76155 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1580,13 +1580,13 @@ static int virtnet_poll(struct napi_struct *napi, int budget) + + received = virtnet_receive(rq, budget, &xdp_xmit); + ++ if (xdp_xmit & VIRTIO_XDP_REDIR) ++ xdp_do_flush(); ++ + /* Out of packets? */ + if (received < budget) + virtqueue_napi_complete(napi, rq->vq, received); + +- if (xdp_xmit & VIRTIO_XDP_REDIR) +- xdp_do_flush(); +- + if (xdp_xmit & VIRTIO_XDP_TX) { + sq = virtnet_xdp_get_sq(vi); + if (virtqueue_kick_prepare(sq->vq) && virtqueue_notify(sq->vq)) { +-- +2.39.0 + diff --git a/queue-5.15/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch b/queue-5.15/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch new file mode 100644 index 00000000000..03728ce2b17 --- /dev/null +++ b/queue-5.15/virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch @@ -0,0 +1,44 @@ +From 955e90a2b6e97f6fce4d21391e1cd9cc173d7f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 18:35:16 +0200 +Subject: virtio-net: Keep stop() to follow mirror sequence of open() + +From: Parav Pandit + +[ Upstream commit 63b114042d8a9c02d9939889177c36dbdb17a588 ] + +Cited commit in fixes tag frees rxq xdp info while RQ NAPI is +still enabled and packet processing may be ongoing. + +Follow the mirror sequence of open() in the stop() callback. +This ensures that when rxq info is unregistered, no rx +packet processing is ongoing. + +Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") +Acked-by: Michael S. Tsirkin +Reviewed-by: Jiri Pirko +Signed-off-by: Parav Pandit +Link: https://lore.kernel.org/r/20230202163516.12559-1-parav@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index a5ec81c76155..66ca2ea19ba6 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1995,8 +1995,8 @@ static int virtnet_close(struct net_device *dev) + cancel_delayed_work_sync(&vi->refill); + + for (i = 0; i < vi->max_queue_pairs; i++) { +- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); + napi_disable(&vi->rq[i].napi); ++ xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq); + virtnet_napi_tx_disable(&vi->sq[i].napi); + } + +-- +2.39.0 + diff --git a/queue-5.15/write-is-data-source-not-destination.patch b/queue-5.15/write-is-data-source-not-destination.patch new file mode 100644 index 00000000000..f7aad5e71f5 --- /dev/null +++ b/queue-5.15/write-is-data-source-not-destination.patch @@ -0,0 +1,49 @@ +From 08a3bb732aa6cb84e9d44acffd30acdf6fe09491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 18:59:12 -0400 +Subject: WRITE is "data source", not destination... + +From: Al Viro + +[ Upstream commit 974c36fb828aeae7b4f9063f94860ae6c5633efd ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-sbefifo.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c +index 84cb965bfed5..97045a8d9422 100644 +--- a/drivers/fsi/fsi-sbefifo.c ++++ b/drivers/fsi/fsi-sbefifo.c +@@ -640,7 +640,7 @@ static void sbefifo_collect_async_ffdc(struct sbefifo *sbefifo) + } + ffdc_iov.iov_base = ffdc; + ffdc_iov.iov_len = SBEFIFO_MAX_FFDC_SIZE; +- iov_iter_kvec(&ffdc_iter, WRITE, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE); ++ iov_iter_kvec(&ffdc_iter, READ, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE); + cmd[0] = cpu_to_be32(2); + cmd[1] = cpu_to_be32(SBEFIFO_CMD_GET_SBE_FFDC); + rc = sbefifo_do_command(sbefifo, cmd, 2, &ffdc_iter); +@@ -737,7 +737,7 @@ int sbefifo_submit(struct device *dev, const __be32 *command, size_t cmd_len, + rbytes = (*resp_len) * sizeof(__be32); + resp_iov.iov_base = response; + resp_iov.iov_len = rbytes; +- iov_iter_kvec(&resp_iter, WRITE, &resp_iov, 1, rbytes); ++ iov_iter_kvec(&resp_iter, READ, &resp_iov, 1, rbytes); + + /* Perform the command */ + mutex_lock(&sbefifo->lock); +@@ -817,7 +817,7 @@ static ssize_t sbefifo_user_read(struct file *file, char __user *buf, + /* Prepare iov iterator */ + resp_iov.iov_base = buf; + resp_iov.iov_len = len; +- iov_iter_init(&resp_iter, WRITE, &resp_iov, 1, len); ++ iov_iter_init(&resp_iter, READ, &resp_iov, 1, len); + + /* Perform the command */ + mutex_lock(&sbefifo->lock); +-- +2.39.0 +