From: Sasha Levin Date: Mon, 17 Oct 2022 02:10:17 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.4.219~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15d7b650ea9b43f5d340a3ed609442d049360c29;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.4/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch b/queue-5.4/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
new file mode 100644
index 00000000000..9cfe05b3c51
--- /dev/null
+++ b/queue-5.4/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
@@ -0,0 +1,59 @@
+From 7567f56c5f508d45b1c83b604fa888e635cf5d96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Aug 2022 20:49:50 +0200
+Subject: ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
+
+From: Arvid Norlander
+
+[ Upstream commit 574160b8548deff8b80b174f03201e94ab8431e2 ]
+
+Toshiba Satellite Z830 needs the quirk video_disable_backlight_sysfs_if
+for proper backlight control after suspend/resume cycles.
+
+Toshiba Portege Z830 is simply the same laptop rebranded for certain
+markets (I looked through the manual to other language sections to confirm
+this) and thus also needs this quirk.
+
+Thanks to Hans de Goede for suggesting this fix.
+
+Link: https://www.spinics.net/lists/platform-driver-x86/msg34394.html
+Suggested-by: Hans de Goede
+Signed-off-by: Arvid Norlander
+Reviewed-by: Hans de Goede
+Tested-by: Arvid Norlander
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpi_video.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index 81cd47d29932..bf18efd49a25 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -498,6 +498,22 @@ static const struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE R830"),
+ },
+ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Satellite Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE Z830"),
++ },
++ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Portege Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE Z830"),
++ },
++ },
+ /*
+ * Some machine's _DOD IDs don't have bit 31(Device ID Scheme) set
+ * but the IDs actually follow the Device ID Scheme.
+--
+2.35.1
+
diff --git a/queue-5.4/alsa-dmaengine-increment-buffer-pointer-atomically.patch b/queue-5.4/alsa-dmaengine-increment-buffer-pointer-atomically.patch
new file mode 100644
index 00000000000..e7f94e70940
--- /dev/null
+++ b/queue-5.4/alsa-dmaengine-increment-buffer-pointer-atomically.patch
@@ -0,0 +1,49 @@
+From 6cb58dee4bb95854680bfab4870ac984c39ca34b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Sep 2022 18:58:13 +0200
+Subject: ALSA: dmaengine: increment buffer pointer atomically
+
+From: Andreas Pape
+
+[ Upstream commit d1c442019594692c64a70a86ad88eb5b6db92216 ]
+
+Setting pointer and afterwards checking for wraparound leads
+to the possibility of returning the inconsistent pointer position.
+
+This patch increments buffer pointer atomically to avoid this issue.
+
+Fixes: e7f73a1613567a ("ASoC: Add dmaengine PCM helper functions")
+Signed-off-by: Andreas Pape
+Signed-off-by: Eugeniu Rosca
+Link: https://lore.kernel.org/r/1664211493-11789-1-git-send-email-erosca@de.adit-jv.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/pcm_dmaengine.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c
+index 89a05926ac73..5d9a24ca6f3e 100644
+--- a/sound/core/pcm_dmaengine.c
++++ b/sound/core/pcm_dmaengine.c
+@@ -130,12 +130,14 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data);
+
+ static void dmaengine_pcm_dma_complete(void *arg)
+ {
++ unsigned int new_pos;
+ struct snd_pcm_substream *substream = arg;
+ struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream);
+
+- prtd->pos += snd_pcm_lib_period_bytes(substream);
+- if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream))
+- prtd->pos = 0;
++ new_pos = prtd->pos + snd_pcm_lib_period_bytes(substream);
++ if (new_pos >= snd_pcm_lib_buffer_bytes(substream))
++ new_pos = 0;
++ prtd->pos = new_pos;
+
+ snd_pcm_period_elapsed(substream);
+ }
+--
+2.35.1
+
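Review bot: The final store `prtd->pos = new_pos;` in dmaengine_pcm_dma_complete() is still a plain assignment, so the "atomically" in the subject holds only if the compiler happens to emit one untorn store; nothing in the hunk stops it from splitting the write or folding the temporary back into a read-modify-write on `prtd->pos`. Marking the access states the intent: `WRITE_ONCE(prtd->pos, new_pos);`, paired with `READ_ONCE(prtd->pos)` in the callback that reports the position. That reader is outside this hunk, so confirm it really runs without a lock shared with the completion callback. A short comment above `new_pos`, for example `/* compute in a local so readers never see pos >= buffer size */`, would record why the temporary exists.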
diff --git a/queue-5.4/alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch b/queue-5.4/alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch
new file mode 100644
index 00000000000..eb137d56f46
--- /dev/null
+++ b/queue-5.4/alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch
@@ -0,0 +1,135 @@ +From e826978a2716001693e6ea6940f38b67dcd4bc09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:23:06 +0200 +Subject: ALSA: hda: beep: Simplify keep-power-at-enable behavior + +From: Takashi Iwai + +[ Upstream commit 4c8d695cb9bc5f6fd298a586602947b2fc099a64 ] + +The recent fix for IDT codecs to keep the power up while the beep is +enabled can be better integrated into the beep helper code. +This patch cleans up the code with refactoring. + +Fixes: 414d38ba8710 ("ALSA: hda/sigmatel: Keep power up while beep is enabled") +Link: https://lore.kernel.org/r/20220906092306.26183-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_beep.c | 15 +++++++++++++-- + sound/pci/hda/hda_beep.h | 1 + + sound/pci/hda/patch_sigmatel.c | 25 ++----------------------- + 3 files changed, 16 insertions(+), 25 deletions(-) + +diff --git a/sound/pci/hda/hda_beep.c b/sound/pci/hda/hda_beep.c +index c6e1e03a5e4d..5a50b6c1d604 100644 +--- a/sound/pci/hda/hda_beep.c ++++ b/sound/pci/hda/hda_beep.c +@@ -118,6 +118,12 @@ static int snd_hda_beep_event(struct input_dev *dev, unsigned int type, + return 0; + } + ++static void turn_on_beep(struct hda_beep *beep) ++{ ++ if (beep->keep_power_at_enable) ++ snd_hda_power_up_pm(beep->codec); ++} ++ + static void turn_off_beep(struct hda_beep *beep) + { + cancel_work_sync(&beep->beep_work); +@@ -125,6 +131,8 @@ static void turn_off_beep(struct hda_beep *beep) + /* turn off beep */ + generate_tone(beep, 0); + } ++ if (beep->keep_power_at_enable) ++ snd_hda_power_down_pm(beep->codec); + } + + /** +@@ -140,7 +148,9 @@ int snd_hda_enable_beep_device(struct hda_codec *codec, int enable) + enable = !!enable; + if (beep->enabled != enable) { + beep->enabled = enable; +- if (!enable) ++ if (enable) ++ turn_on_beep(beep); ++ else + turn_off_beep(beep); + return 1; + } +@@ -167,7 +177,8 @@ static int beep_dev_disconnect(struct snd_device *device) + input_unregister_device(beep->dev); 
+ else + input_free_device(beep->dev); +- turn_off_beep(beep); ++ if (beep->enabled) ++ turn_off_beep(beep); + return 0; + } + +diff --git a/sound/pci/hda/hda_beep.h b/sound/pci/hda/hda_beep.h +index a25358a4807a..db76e3ddba65 100644 +--- a/sound/pci/hda/hda_beep.h ++++ b/sound/pci/hda/hda_beep.h +@@ -25,6 +25,7 @@ struct hda_beep { + unsigned int enabled:1; + unsigned int linear_tone:1; /* linear tone for IDT/STAC codec */ + unsigned int playing:1; ++ unsigned int keep_power_at_enable:1; /* set by driver */ + struct work_struct beep_work; /* scheduled task for beep event */ + struct mutex mutex; + void (*power_hook)(struct hda_beep *beep, bool on); +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 04a89171327d..e42a6c5c1ba3 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -4302,6 +4302,8 @@ static int stac_parse_auto_config(struct hda_codec *codec) + if (codec->beep) { + /* IDT/STAC codecs have linear beep tone parameter */ + codec->beep->linear_tone = spec->linear_tone_beep; ++ /* keep power up while beep is enabled */ ++ codec->beep->keep_power_at_enable = 1; + /* if no beep switch is available, make its own one */ + caps = query_amp_caps(codec, nid, HDA_OUTPUT); + if (!(caps & AC_AMPCAP_MUTE)) { +@@ -4442,28 +4444,6 @@ static int stac_suspend(struct hda_codec *codec) + stac_shutup(codec); + return 0; + } +- +-static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid) +-{ +-#ifdef CONFIG_SND_HDA_INPUT_BEEP +- struct sigmatel_spec *spec = codec->spec; +-#endif +- int ret = snd_hda_gen_check_power_status(codec, nid); +- +-#ifdef CONFIG_SND_HDA_INPUT_BEEP +- if (nid == spec->gen.beep_nid && codec->beep) { +- if (codec->beep->enabled != spec->beep_power_on) { +- spec->beep_power_on = codec->beep->enabled; +- if (spec->beep_power_on) +- snd_hda_power_up_pm(codec); +- else +- snd_hda_power_down_pm(codec); +- } +- ret |= spec->beep_power_on; +- } +-#endif +- return ret; +-} + #else 
+ #define stac_suspend NULL + #endif /* CONFIG_PM */ +@@ -4476,7 +4456,6 @@ static const struct hda_codec_ops stac_patch_ops = { + .unsol_event = snd_hda_jack_unsol_event, + #ifdef CONFIG_PM + .suspend = stac_suspend, +- .check_power_status = stac_check_power_status, + #endif + .reboot_notify = stac_shutup, + }; +-- +2.35.1 + diff --git a/queue-5.4/alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch b/queue-5.4/alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch new file mode 100644 index 00000000000..d1bc73b0875 --- /dev/null +++ b/queue-5.4/alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch 
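Review bot: In beep_dev_disconnect() (sound/pci/hda/hda_beep.c) the teardown call becomes `if (beep->enabled) turn_off_beep(beep);`, which also skips the `cancel_work_sync(&beep->beep_work)` at the top of turn_off_beep() whenever the beep is disabled at disconnect time. If beep_work can still be queued while `enabled` is 0 (the input event handler is only partly visible here, so this needs checking against the full file), a pending work item could run after the device has been torn down. Keeping the cancel unconditional and gating only the power drop avoids that: add `cancel_work_sync(&beep->beep_work);` before the `if (beep->enabled)` test. A comment on turn_on_beep()/turn_off_beep() saying that each enable must be matched by exactly one disable would also help, since the pair now holds a power reference through snd_hda_power_up_pm()/snd_hda_power_down_pm().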
@@ -0,0 +1,63 @@ +From 1a7e960d768861b387cd8a32952f5074974f10e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 09:48:10 +0200 +Subject: ALSA: hda/hdmi: Don't skip notification handling during PM operation + +From: Takashi Iwai + +[ Upstream commit 5226c7b9784eee215e3914f440b3c2e1764f67a8 ] + +The HDMI driver skips the notification handling from the graphics +driver when the codec driver is being in the PM operation. This +behavior was introduced by the commit eb399d3c99d8 ("ALSA: hda - Skip +ELD notification during PM process"). This skip may cause a problem, +as we may miss the ELD update when the connection/disconnection +happens right at the runtime-PM operation of the audio codec. + +Although this workaround was valid at that time, it's no longer true; +the fix was required just because the ELD update procedure needed to +wake up the audio codec, which had lead to a runtime-resume during a +runtime-suspend. Meanwhile, the ELD update procedure doesn't need a +codec wake up any longer since the commit 788d441a164c ("ALSA: hda - +Use component ops for i915 HDMI/DP audio jack handling"); i.e. there +is no much reason for skipping the notification. + +Let's drop those checks for addressing the missing notification. 
+ +Fixes: 788d441a164c ("ALSA: hda - Use component ops for i915 HDMI/DP audio jack handling") +Reported-by: Brent Lu +Link: https://lore.kernel.org/r/20220927135807.4097052-1-brent.lu@intel.com +Link: https://lore.kernel.org/r/20221001074809.7461-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 169e74299987..091a7fe85451 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2570,9 +2570,6 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id) + */ + if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND) + return; +- /* ditto during suspend/resume process itself */ +- if (snd_hdac_is_in_pm(&codec->core)) +- return; + + check_presence_and_report(codec, pin_nid, dev_id); + } +@@ -2775,9 +2772,6 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe) + */ + if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND) + return; +- /* ditto during suspend/resume process itself */ +- if (snd_hdac_is_in_pm(&codec->core)) +- return; + + snd_hdac_i915_set_bclk(&codec->bus->core); + check_presence_and_report(codec, pin_nid, dev_id); +-- +2.35.1 + diff --git a/queue-5.4/alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch b/queue-5.4/alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch new file mode 100644 index 00000000000..72bc62e6524 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch 
@@ -0,0 +1,430 @@ +From a19e69f9947a2a0d5e183dca22b3c842ff6e3fa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 17:14:33 -0300 +Subject: ALSA: usb-audio: Add quirk to enable Avid Mbox 3 support + +From: Conner Knox + +[ Upstream commit b01104fc62b6194c852124f6c6df1c0a5c031fc1 ] + +Add support for Avid Mbox3 USB audio interface at 48kHz + +Signed-off-by: Conner Knox +Link: https://lore.kernel.org/r/20220818201433.16360-1-mbarriolinares@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks-table.h | 76 ++++++++++ + sound/usb/quirks.c | 302 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 378 insertions(+) + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index c29ccdf9e8bc..79c97bde81fd 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -3175,6 +3175,82 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + } + } + }, ++/* DIGIDESIGN MBOX 3 */ ++{ ++ USB_DEVICE(0x0dba, 0x5000), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .vendor_name = "Digidesign", ++ .product_name = "Mbox 3", ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_IGNORE_INTERFACE ++ }, ++ { ++ .ifnum = 1, ++ .type = QUIRK_IGNORE_INTERFACE ++ }, ++ { ++ .ifnum = 2, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 4, ++ .iface = 2, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .attributes = 0x00, ++ .endpoint = 0x01, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | ++ USB_ENDPOINT_SYNC_ASYNC, ++ .rates = SNDRV_PCM_RATE_48000, ++ .rate_min = 48000, ++ .rate_max = 48000, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { ++ 48000 ++ } ++ } ++ }, ++ { ++ .ifnum = 3, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ 
.channels = 4, ++ .iface = 3, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x81, ++ .attributes = 0x00, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | ++ USB_ENDPOINT_SYNC_ASYNC, ++ .maxpacksize = 0x009c, ++ .rates = SNDRV_PCM_RATE_48000, ++ .rate_min = 48000, ++ .rate_max = 48000, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { ++ 48000 ++ } ++ } ++ }, ++ { ++ .ifnum = 4, ++ .type = QUIRK_MIDI_FIXED_ENDPOINT, ++ .data = &(const struct snd_usb_midi_endpoint_info) { ++ .out_cables = 0x0001, ++ .in_cables = 0x0001 ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + { + /* Tascam US122 MKII - playback-only support */ + .match_flags = USB_DEVICE_ID_MATCH_DEVICE, +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 72223545abfd..1d317ae2929d 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1018,6 +1018,304 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev) + return 0; + } + ++static void mbox3_setup_48_24_magic(struct usb_device *dev) ++{ ++ /* The Mbox 3 is "little endian" */ ++ /* max volume is: 0x0000. */ ++ /* min volume is: 0x0080 (shown in little endian form) */ ++ ++ ++ /* Load 48000Hz rate into buffer */ ++ u8 com_buff[4] = {0x80, 0xbb, 0x00, 0x00}; ++ ++ /* Set 48000Hz sample rate */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 0x01, 0x21, 0x0100, 0x0001, &com_buff, 4); //Is this really needed? ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 0x01, 0x21, 0x0100, 0x8101, &com_buff, 4); ++ ++ /* Deactivate Tuner */ ++ /* on = 0x01*/ ++ /* off = 0x00*/ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 0x01, 0x21, 0x0003, 0x2001, &com_buff, 1); ++ ++ /* Set clock source to Internal (as opposed to S/PDIF) */ ++ com_buff[0] = 0x01; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0100, 0x8001, &com_buff, 1); ++ ++ /* Mute the hardware loopbacks to start the device in a known state. 
*/ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue input 1 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0110, 0x4001, &com_buff, 2); ++ /* Analogue input 1 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0111, 0x4001, &com_buff, 2); ++ /* Analogue input 2 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0114, 0x4001, &com_buff, 2); ++ /* Analogue input 2 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0115, 0x4001, &com_buff, 2); ++ /* Analogue input 3 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0118, 0x4001, &com_buff, 2); ++ /* Analogue input 3 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0119, 0x4001, &com_buff, 2); ++ /* Analogue input 4 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011c, 0x4001, &com_buff, 2); ++ /* Analogue input 4 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011d, 0x4001, &com_buff, 2); ++ ++ /* Set software sends to output */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* Analogue software return 1 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0100, 0x4001, &com_buff, 2); ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue software return 1 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0101, 0x4001, &com_buff, 2); ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue software return 2 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0104, 0x4001, &com_buff, 2); ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* Analogue software return 2 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0105, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue software return 3 left channel: 
*/ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0108, 0x4001, &com_buff, 2); ++ /* Analogue software return 3 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0109, 0x4001, &com_buff, 2); ++ /* Analogue software return 4 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010c, 0x4001, &com_buff, 2); ++ /* Analogue software return 4 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010d, 0x4001, &com_buff, 2); ++ ++ /* Return to muting sends */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue fx return left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0120, 0x4001, &com_buff, 2); ++ /* Analogue fx return right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0121, 0x4001, &com_buff, 2); ++ ++ /* Analogue software input 1 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0100, 0x4201, &com_buff, 2); ++ /* Analogue software input 2 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0101, 0x4201, &com_buff, 2); ++ /* Analogue software input 3 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0102, 0x4201, &com_buff, 2); ++ /* Analogue software input 4 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0103, 0x4201, &com_buff, 2); ++ /* Analogue input 1 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0104, 0x4201, &com_buff, 2); ++ /* Analogue input 2 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0105, 0x4201, &com_buff, 2); ++ /* Analogue input 3 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0106, 0x4201, &com_buff, 2); ++ /* Analogue input 4 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0107, 0x4201, &com_buff, 2); ++ ++ /* Toggle allowing host control */ ++ com_buff[0] = 0x02; ++ 
snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0000, 0x2001, &com_buff, 1); ++ ++ /* Do not dim fx returns */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0002, 0x2001, &com_buff, 1); ++ ++ /* Do not set fx returns to mono */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0001, 0x2001, &com_buff, 1); ++ ++ /* Mute the S/PDIF hardware loopback ++ * same odd volume logic here as above ++ */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* S/PDIF hardware input 1 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0112, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 1 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0113, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 2 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0116, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 2 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0117, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 3 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011a, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 3 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011b, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 4 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011e, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 4 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011f, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 1 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0102, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 1 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0103, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 2 left channel */ ++ snd_usb_ctl_msg(dev, 
usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0106, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 2 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0107, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* S/PDIF software return 3 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010a, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* S/PDIF software return 3 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010b, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 4 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010e, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* S/PDIF software return 4 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010f, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* S/PDIF fx returns left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0122, 0x4001, &com_buff, 2); ++ /* S/PDIF fx returns right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0123, 0x4001, &com_buff, 2); ++ ++ /* Set the dropdown "Effect" to the first option */ ++ /* Room1 = 0x00 */ ++ /* Room2 = 0x01 */ ++ /* Room3 = 0x02 */ ++ /* Hall 1 = 0x03 */ ++ /* Hall 2 = 0x04 */ ++ /* Plate = 0x05 */ ++ /* Delay = 0x06 */ ++ /* Echo = 0x07 */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0200, 0x4301, &com_buff, 1); /* max is 0xff */ ++ /* min is 0x00 */ ++ ++ ++ /* Set the effect duration to 0 */ ++ /* max is 0xffff */ ++ /* min is 0x0000 */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0400, 0x4301, &com_buff, 2); ++ ++ /* Set the effect volume and feedback to 0 */ ++ /* max is 0xff */ ++ /* min is 0x00 */ ++ com_buff[0] = 0x00; ++ /* feedback: */ ++ 
snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0500, 0x4301, &com_buff, 1); ++ /* volume: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0300, 0x4301, &com_buff, 1); ++ ++ /* Set soft button hold duration */ ++ /* 0x03 = 250ms */ ++ /* 0x05 = 500ms DEFAULT */ ++ /* 0x08 = 750ms */ ++ /* 0x0a = 1sec */ ++ com_buff[0] = 0x05; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0005, 0x2001, &com_buff, 1); ++ ++ /* Use dim LEDs for button of state */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0004, 0x2001, &com_buff, 1); ++} ++ ++#define MBOX3_DESCRIPTOR_SIZE 464 ++ ++static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) ++{ ++ struct usb_host_config *config = dev->actconfig; ++ int err; ++ int descriptor_size; ++ ++ descriptor_size = le16_to_cpu(get_cfg_desc(config)->wTotalLength); ++ ++ if (descriptor_size != MBOX3_DESCRIPTOR_SIZE) { ++ dev_err(&dev->dev, "Invalid descriptor size=%d.\n", descriptor_size); ++ return -ENODEV; ++ } ++ ++ dev_dbg(&dev->dev, "device initialised!\n"); ++ ++ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, ++ &dev->descriptor, sizeof(dev->descriptor)); ++ config = dev->actconfig; ++ if (err < 0) ++ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ ++ err = usb_reset_configuration(dev); ++ if (err < 0) ++ dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); ++ dev_dbg(&dev->dev, "mbox3_boot: new boot length = %d\n", ++ le16_to_cpu(get_cfg_desc(config)->wTotalLength)); ++ ++ mbox3_setup_48_24_magic(dev); ++ dev_info(&dev->dev, "Digidesign Mbox 3: 24bit 48kHz"); ++ ++ return 0; /* Successful boot */ ++} + + #define MICROBOOK_BUF_SIZE 128 + +@@ -1304,6 +1602,10 @@ int snd_usb_apply_boot_quirk(struct usb_device *dev, + case USB_ID(0x0dba, 0x3000): + /* Digidesign Mbox 2 */ + return snd_usb_mbox2_boot_quirk(dev); ++ case USB_ID(0x0dba, 0x5000): ++ /* Digidesign Mbox 3 */ ++ return snd_usb_mbox3_boot_quirk(dev); ++ + + case 
USB_ID(0x1235, 0x0010): /* Focusrite Novation Saffire 6 USB */ + case USB_ID(0x1235, 0x0018): /* Focusrite Novation Twitch */ +-- +2.35.1 + diff --git a/queue-5.4/arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch b/queue-5.4/arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch new file mode 100644 index 00000000000..6ce936513c6 --- /dev/null +++ b/queue-5.4/arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch @@ -0,0 +1,46 @@ +From d165cff547164fd592482684ac1d7563a74c84b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:10:49 +0100 +Subject: ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE + +From: Wang Kefeng + +[ Upstream commit 14ca1a4690750bb54e1049e49f3140ef48958a6e ] + +MT_MEMORY_RO is introduced by commit 598f0a99fa8a ("ARM: 9210/1: +Mark the FDT_FIXED sections as shareable"), which is a readonly +memory type for FDT area, but there are some different between +ARM_LPAE and non-ARM_LPAE, we need to setup PMD_SECT_AP2 and +L_PMD_SECT_RDONLY for MT_MEMORY_RO when ARM_LAPE enabled. + +non-ARM_LPAE 0xff800000-0xffa00000 2M PGD KERNEL ro NX SHD +ARM_LPAE 0xff800000-0xffc00000 4M PMD RW NX SHD +ARM_LPAE+fix 0xff800000-0xffc00000 4M PMD ro NX SHD + +Fixes: 598f0a99fa8a ("ARM: 9210/1: Mark the FDT_FIXED sections as shareable") +Signed-off-by: Kefeng Wang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/mmu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index 463cbb0631be..5becec790379 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -320,7 +320,11 @@ static struct mem_type mem_types[] __ro_after_init = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | + L_PTE_XN | L_PTE_RDONLY, + .prot_l1 = PMD_TYPE_TABLE, ++#ifdef CONFIG_ARM_LPAE ++ .prot_sect = PMD_TYPE_SECT | L_PMD_SECT_RDONLY | PMD_SECT_AP2, ++#else + .prot_sect = PMD_TYPE_SECT, ++#endif + .domain = DOMAIN_KERNEL, + }, + [MT_ROM] = { +-- +2.35.1 + 
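Review bot: snd_usb_mbox3_boot_quirk() (sound/usb/quirks.c) reads the device descriptor straight into `dev->descriptor` with usb_get_descriptor() and carries on even when the call fails, so bytes supplied by the device replace fields that the USB core checked at enumeration. A device that reports a larger `bNumConfigurations` on this second read would leave the descriptor out of step with the configuration data set up earlier, which risks out-of-bounds reads in later descriptor walks. Reading into a scratch buffer and copying it over only after the length and `bNumConfigurations` checks closes that gap, as sketched below. Separately, every snd_usb_ctl_msg() result in mbox3_setup_48_24_magic() is discarded and the quirk returns 0 regardless, and the final dev_info() string lacks a trailing `\n`.

```c
static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
{
	struct usb_device_descriptor *desc;	/* scratch copy, validated before use */
	/* … unchanged: other locals, wTotalLength check against MBOX3_DESCRIPTOR_SIZE … */

	desc = kzalloc(sizeof(*desc), GFP_KERNEL);
	if (!desc)
		return -ENOMEM;

	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, desc, sizeof(*desc));
	if (err != sizeof(*desc))
		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
	else if (desc->bNumConfigurations > dev->descriptor.bNumConfigurations)
		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
			desc->bNumConfigurations);
	else
		memcpy(&dev->descriptor, desc, sizeof(dev->descriptor));
	kfree(desc);

	/* … unchanged: usb_reset_configuration(), mbox3_setup_48_24_magic(), return 0 … */
```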
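Review bot: The new `#ifdef CONFIG_ARM_LPAE` arm in this mem_types[] entry (arch/arm/mm/mmu.c) carries no comment explaining why `.prot_sect` needs extra bits on one page-table format only, which makes it easy to drop in a later cleanup. Going by the commit message's table, the LPAE section mapping stayed RW until both bits were set while the non-LPAE one was already read-only, so a comment above the `#ifdef` such as `/* LPAE: a section mapping stays writable unless L_PMD_SECT_RDONLY and PMD_SECT_AP2 are set */` would preserve that reasoning next to the code. The entry's opening line is above the hunk, so its name (MT_MEMORY_RO) is taken from the commit message rather than from the visible lines.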
diff --git a/queue-5.4/arm-drop-cmdline_-dependency-on-atags.patch b/queue-5.4/arm-drop-cmdline_-dependency-on-atags.patch
new file mode 100644
index 00000000000..eea899cdc23
--- /dev/null
+++ b/queue-5.4/arm-drop-cmdline_-dependency-on-atags.patch
@@ -0,0 +1,45 @@
+From d9521870b2bdcba563a0ef5a90867a92c66d4c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Sep 2022 15:28:26 +0200
+Subject: ARM: Drop CMDLINE_* dependency on ATAGS
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 136f4b1ec7c962ee37a787e095fd37b058d72bd3 ]
+
+On arm32, the configuration options to specify the kernel command line
+type depend on ATAGS. However, the actual CMDLINE cofiguration option
+does not depend on ATAGS, and the code that handles this is not specific
+to ATAGS (see drivers/of/fdt.c:early_init_dt_scan_chosen()).
+
+Hence users who desire to override the kernel command line on arm32 must
+enable support for ATAGS, even on a pure-DT system. Other architectures
+(arm64, loongarch, microblaze, nios2, powerpc, and riscv) do not impose
+such a restriction.
+
+Hence drop the dependency on ATAGS.
+
+Fixes: bd51e2f595580fb6 ("ARM: 7506/1: allow for ATAGS to be configured out when DT support is selected")
+Signed-off-by: Geert Uytterhoeven
+Acked-by: Ard Biesheuvel
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index a4364cce85f8..a70696a95b79 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1837,7 +1837,6 @@ config CMDLINE
+ choice
+ prompt "Kernel command line type" if CMDLINE != ""
+ default CMDLINE_FROM_BOOTLOADER
+- depends on ATAGS
+
+ config CMDLINE_FROM_BOOTLOADER
+ bool "Use bootloader kernel arguments if available"
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch b/queue-5.4/arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch
new file mode 100644
index 00000000000..0ee62e920bf
--- /dev/null
+++ b/queue-5.4/arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch
@@ -0,0 +1,42 @@
+From a6215efbc54d414b4dfdb35a31157f0c1affc1eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Sep 2022 12:43:53 +0200
+Subject: ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
+
+From: Dmitry Torokhov
+
+[ Upstream commit 3ba2d4bb9592bf7a6a3fe3dbe711ecfc3d004bab ]
+
+According to s5k6a3 driver code, the reset line for the chip appears to
+be active low. This also matches the typical polarity of reset lines in
+general. Let's fix it up as having correct polarity in DTS is important
+when the driver will be switched over to gpiod API.
+
+Fixes: b4fec64758ab ("ARM: dts: Add camera device nodes for Exynos4412 TRATS2 board")
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20220913164104.203957-1-dmitry.torokhov@gmail.com
+Link: https://lore.kernel.org/r/20220926104354.118578-2-krzysztof.kozlowski@linaro.org'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/exynos4412-midas.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-midas.dtsi b/arch/arm/boot/dts/exynos4412-midas.dtsi
+index fedb21377c66..3538739c7901 100644
+--- a/arch/arm/boot/dts/exynos4412-midas.dtsi
++++ b/arch/arm/boot/dts/exynos4412-midas.dtsi
+@@ -534,7 +534,7 @@
+ clocks = <&camera 1>;
+ clock-names = "extclk";
+ samsung,camclk-out = <1>;
+- gpios = <&gpm1 6 GPIO_ACTIVE_HIGH>;
++ gpios = <&gpm1 6 GPIO_ACTIVE_LOW>;
+
+ port {
+ is_s5k6a3_ep: endpoint {
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch b/queue-5.4/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
new file mode 100644
index 00000000000..ea8e87cf29c
--- /dev/null
+++ b/queue-5.4/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
@@ -0,0 +1,39 @@
+From 4ed2c870f26c6ab96aeefc629d4fa950c1647266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Sep 2022 15:05:03 -0700
+Subject: ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
+
+From: Dmitry Torokhov
+
+[ Upstream commit a08137bd1e0a7ce951dce9ce4a83e39d379b6e1b ]
+
+EHCI Oxynos (drivers/usb/host/ehci-exynos.c) drives VBUS GPIO high when
+trying to power up the bus, therefore the GPIO in DTS must be marked as
+"active high". This will be important when EHCI driver is converted to
+gpiod API that respects declared polarities.
+
+Fixes: 4e8991def565 ("ARM: dts: exynos: Enable AX88760 USB hub on Origen board")
+Signed-off-by: Dmitry Torokhov
+Link: https://lore.kernel.org/r/20220927220504.3744878-1-dmitry.torokhov@gmail.com
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-origen.dts b/arch/arm/boot/dts/exynos4412-origen.dts
+index ecd14b283a6b..c6678c120cbd 100644
+--- a/arch/arm/boot/dts/exynos4412-origen.dts
++++ b/arch/arm/boot/dts/exynos4412-origen.dts
+@@ -86,7 +86,7 @@
+ };
+
+ &ehci {
+- samsung,vbus-gpio = <&gpx3 5 1>;
++ samsung,vbus-gpio = <&gpx3 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ phys = <&exynos_usbphy 2>, <&exynos_usbphy 3>;
+ phy-names = "hsic0", "hsic1";
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx6dl-add-missing-properties-for-sram.patch b/queue-5.4/arm-dts-imx6dl-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..cf10112a4da
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6dl-add-missing-properties-for-sram.patch
@@ -0,0 +1,38 @@
+From 3b96a87e047b78dcdcd73ebfc3b1d54a5a7024e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:32 +0200
+Subject: ARM: dts: imx6dl: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit f5848b95633d598bacf0500e0108dc5961af88c0 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6dl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi
+index 2ed10310a7b7..4bde98033ff4 100644
+--- a/arch/arm/boot/dts/imx6dl.dtsi
++++ b/arch/arm/boot/dts/imx6dl.dtsi
+@@ -81,6 +81,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx6q-add-missing-properties-for-sram.patch b/queue-5.4/arm-dts-imx6q-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..02bc72398af
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6q-add-missing-properties-for-sram.patch
@@ -0,0 +1,38 @@
+From 088c3896f3beb1bb403aecaee2253a47fb545927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:31 +0200
+Subject: ARM: dts: imx6q: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit b11d083c5dcec7c42fe982c854706d404ddd3a5f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6q.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi
+index d038f4117024..013080e709f8 100644
+--- a/arch/arm/boot/dts/imx6q.dtsi
++++ b/arch/arm/boot/dts/imx6q.dtsi
+@@ -158,6 +158,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x40000>;
++ ranges = <0 0x00900000 0x40000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx6qp-add-missing-properties-for-sram.patch b/queue-5.4/arm-dts-imx6qp-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..fdde3e63b36
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6qp-add-missing-properties-for-sram.patch
@@ -0,0 +1,47 @@
+From 6b12b44f47efef001219f64688a5eda179c885bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:33 +0200
+Subject: ARM: dts: imx6qp: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit 088fe5237435ee2f7ed4450519b2ef58b94c832f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@940000: '#address-cells' is a required property
+sram@940000: '#size-cells' is a required property
+sram@940000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6qp.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6qp.dtsi b/arch/arm/boot/dts/imx6qp.dtsi
+index d91f92f944c5..3633383db706 100644
+--- a/arch/arm/boot/dts/imx6qp.dtsi
++++ b/arch/arm/boot/dts/imx6qp.dtsi
+@@ -9,12 +9,18 @@
+ ocram2: sram@940000 {
+ compatible = "mmio-sram";
+ reg = <0x00940000 0x20000>;
++ ranges = <0 0x00940000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+ ocram3: sram@960000 {
+ compatible = "mmio-sram";
+ reg = <0x00960000 0x20000>;
++ ranges = <0 0x00960000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx6sl-add-missing-properties-for-sram.patch b/queue-5.4/arm-dts-imx6sl-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..b005138ca7a
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6sl-add-missing-properties-for-sram.patch
@@ -0,0 +1,38 @@
+From dd6b888762edb34bca4a4165b4bde234a81ad26e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:34 +0200
+Subject: ARM: dts: imx6sl: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit 60c9213a1d9941a8b33db570796c3f9be8984974 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6sl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi
+index 540880f0413f..852f66944c7d 100644
+--- a/arch/arm/boot/dts/imx6sl.dtsi
++++ b/arch/arm/boot/dts/imx6sl.dtsi
+@@ -121,6 +121,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx6sll-add-missing-properties-for-sram.patch b/queue-5.4/arm-dts-imx6sll-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..a425378163a
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6sll-add-missing-properties-for-sram.patch
@@ -0,0 +1,38 @@
+From a45e5a70207f3b86819a524477369915f0aafd89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:35 +0200
+Subject: ARM: dts: imx6sll: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit 7492a83ed9b7a151e2dd11d64b06da7a7f0fa7f9 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6sll.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sll.dtsi b/arch/arm/boot/dts/imx6sll.dtsi
+index 13c7ba7fa6bc..39500b84673b 100644
+--- a/arch/arm/boot/dts/imx6sll.dtsi
++++ b/arch/arm/boot/dts/imx6sll.dtsi
+@@ -123,6 +123,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ };
+
+ intc: interrupt-controller@a01000 {
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx6sx-add-missing-properties-for-sram.patch b/queue-5.4/arm-dts-imx6sx-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..eee54efcd46
--- /dev/null
+++ b/queue-5.4/arm-dts-imx6sx-add-missing-properties-for-sram.patch
@@ -0,0 +1,47 @@
+From 94478053e81274ddbe0f542765683637871ff5af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:36 +0200
+Subject: ARM: dts: imx6sx: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit 415432c008b2bce8138841356ba444631cabaa50 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6sx.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
+index 531a52c1e987..b3e24d8bd299 100644
+--- a/arch/arm/boot/dts/imx6sx.dtsi
++++ b/arch/arm/boot/dts/imx6sx.dtsi
+@@ -163,12 +163,18 @@
+ ocram_s: sram@8f8000 {
+ compatible = "mmio-sram";
+ reg = <0x008f8000 0x4000>;
++ ranges = <0 0x008f8000 0x4000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SX_CLK_OCRAM_S>;
+ };
+
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SX_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch b/queue-5.4/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
new file mode 100644
index 00000000000..b9f48fba845
--- /dev/null
+++ b/queue-5.4/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
@@ -0,0 +1,60 @@
+From a8682cef06a7e0b2f8b6314f3a2710a6736f5405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Jul 2022 18:16:22 +0800
+Subject: ARM: dts: imx7d-sdb: config the max pressure for tsc2046
+
+From: Haibo Chen
+
+[ Upstream commit e7c4ebe2f9cd68588eb24ba4ed122e696e2d5272 ]
+
+Use the general touchscreen method to config the max pressure for
+touch tsc2046(data sheet suggest 8 bit pressure), otherwise, for
+ABS_PRESSURE, when config the same max and min value, weston will
+meet the following issue,
+
+[17:19:39.183] event1 - ADS7846 Touchscreen: is tagged by udev as: Touchscreen
+[17:19:39.183] event1 - ADS7846 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE
+[17:19:39.183] event1 - ADS7846 Touchscreen: was rejected
+[17:19:39.183] event1 - not using input device '/dev/input/event1'
+
+This will then cause the APP weston-touch-calibrator can't list touch devices.
+
+root@imx6ul7d:~# weston-touch-calibrator
+could not load cursor 'dnd-move'
+could not load cursor 'dnd-copy'
+could not load cursor 'dnd-none'
+No devices listed.
+
+And accroding to binding Doc, "ti,x-max", "ti,y-max", "ti,pressure-max"
+belong to the deprecated properties, so remove them. Also for "ti,x-min",
+"ti,y-min", "ti,x-plate-ohms", the value set in dts equal to the default
+value in driver, so are redundant, also remove here.
+
+Signed-off-by: Haibo Chen
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx7d-sdb.dts | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts
+index a97cda17e484..363d1f57a608 100644
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -177,12 +177,7 @@
+ interrupt-parent = <&gpio2>;
+ interrupts = <29 0>;
+ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>;
+- ti,x-min = /bits/ 16 <0>;
+- ti,x-max = /bits/ 16 <0>;
+- ti,y-min = /bits/ 16 <0>;
+- ti,y-max = /bits/ 16 <0>;
+- ti,pressure-max = /bits/ 16 <0>;
+- ti,x-plate-ohms = /bits/ 16 <400>;
++ touchscreen-max-pressure = <255>;
+ wakeup-source;
+ };
+ };
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-kirkwood-lsxl-fix-serial-line.patch b/queue-5.4/arm-dts-kirkwood-lsxl-fix-serial-line.patch
new file mode 100644
index 00000000000..7624b3c070f
--- /dev/null
+++ b/queue-5.4/arm-dts-kirkwood-lsxl-fix-serial-line.patch
@@ -0,0 +1,50 @@
+From d4b095e9b9d65884ea94f235050a9616129ce110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 02:10:24 +0200
+Subject: ARM: dts: kirkwood: lsxl: fix serial line
+
+From: Michael Walle
+
+[ Upstream commit 04eabc6ac10fda9424606d9a7ab6ab9a5d95350a ]
+
+Commit 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl
+settings") unknowingly broke the serial output on this board. Before
+this commit, the pinmux was still configured by the bootloader and the
+kernel didn't reconfigured it again. This was an oversight by the
+initial board support where the pinmux for the serial line was never
+configured by the kernel. But with this commit, the serial line will be
+reconfigured to the wrong pins. This is especially confusing, because
+the output still works, but the input doesn't. Presumingly, the input is
+reconfigured to MPP10, but the output is connected to both MPP11 and
+MPP5.
+
+Override the pinmux in the board device tree.
+
+Fixes: 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl settings")
+Signed-off-by: Michael Walle
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 7b151acb9984..321a40a98ed2 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -10,6 +10,11 @@
+
+ ocp@f1000000 {
+ pinctrl: pin-controller@10000 {
++ /* Non-default UART pins */
++ pmx_uart0: pmx-uart0 {
++ marvell,pins = "mpp4", "mpp5";
++ };
++
+ pmx_power_hdd: pmx-power-hdd {
+ marvell,pins = "mpp10";
+ marvell,function = "gpo";
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch b/queue-5.4/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
new file mode 100644
index 00000000000..322c146700c
--- /dev/null
+++ b/queue-5.4/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
@@ -0,0 +1,53 @@
+From ab489d9aba36729a4900c4e734f80230f6ad7c21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 02:10:25 +0200
+Subject: ARM: dts: kirkwood: lsxl: remove first ethernet port
+
+From: Michael Walle
+
+[ Upstream commit 2d528eda7c96ce5c70f895854ecd5684bd5d80b9 ]
+
+Both the Linkstation LS-CHLv2 and the LS-XHL have only one ethernet
+port. This has always been wrong, i.e. the board code used to set up
+both ports, but the driver will play nice and return -ENODEV if the
+assiciated PHY is not found. Nevertheless, it is wrong. Remove it.
+
+Fixes: 876e23333511 ("ARM: kirkwood: add gigabit ethernet and mvmdio device tree nodes")
+Signed-off-by: Michael Walle
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 321a40a98ed2..88b70ba1c8fe 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -218,22 +218,11 @@
+ &mdio {
+ status = "okay";
+
+- ethphy0: ethernet-phy@0 {
+- reg = <0>;
+- };
+-
+ ethphy1: ethernet-phy@8 {
+ reg = <8>;
+ };
+ };
+
+-ð0 {
+- status = "okay";
+- ethernet0-port@0 {
+- phy-handle = <ðphy0>;
+- };
+-};
+-
+ ð1 {
+ status = "okay";
+ ethernet1-port@0 {
+--
+2.35.1
+
diff --git a/queue-5.4/arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch b/queue-5.4/arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch
new file mode 100644
index 00000000000..e1ca66de7ed
--- /dev/null
+++ b/queue-5.4/arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch
@@ -0,0 +1,53 @@
+From ac252733708dd191c8334c4428239b1b59e26dc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Jul 2022 14:56:10 +0200
+Subject: ARM: dts: turris-omnia: Fix mpp26 pin name and comment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+[ Upstream commit 49e93898f0dc177e645c22d0664813567fd9ec00 ]
+
+There is a bug in Turris Omnia's schematics, whereupon the MPP[26] pin,
+which is routed to CN11 pin header, is documented as SPI CS1, but
+MPP[26] pin does not support this function. Instead it controls chip
+select 2 if in "spi0" mode.
+
+Fix the name of the pin node in pinctrl node and fix the comment in SPI
+node.
+
+Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
+Signed-off-by: Marek Behún
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/armada-385-turris-omnia.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+index fde4c302f08e..92e08486ec81 100644
+--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+@@ -307,7 +307,7 @@
+ marvell,function = "spi0";
+ };
+
+- spi0cs1_pins: spi0cs1-pins {
++ spi0cs2_pins: spi0cs2-pins {
+ marvell,pins = "mpp26";
+ marvell,function = "spi0";
+ };
+@@ -342,7 +342,7 @@
+ };
+ };
+
+- /* MISO, MOSI, SCLK and CS1 are routed to pin header CN11 */
++ /* MISO, MOSI, SCLK and CS2 are routed to pin header CN11 */
+ };
+
+ &uart0 {
+--
+2.35.1
+
diff --git a/queue-5.4/arm-orion-fix-include-path.patch b/queue-5.4/arm-orion-fix-include-path.patch
new file mode 100644
index 00000000000..87509e50186
--- /dev/null
+++ b/queue-5.4/arm-orion-fix-include-path.patch
@@ -0,0 +1,39 @@
+From 277deb36b412dbd7a1e734c4524c8b4c60e18a3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Sep 2022 21:55:50 +0200
+Subject: ARM: orion: fix include path
+
+From: Arnd Bergmann
+
+[ Upstream commit 63872304bdb3decd5454f4dd210c25395278ed13 ]
+
+Now that CONFIG_ARCH_MULTIPLATFORM can be disabled anywhere,
+there is a build failure for plat-orion:
+
+arch/arm/plat-orion/irq.c:19:10: fatal error: plat/irq.h: No such file or directory
+
+Make the include path unconditional.
+
+Reported-by: kernel test robot
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/plat-orion/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-orion/Makefile b/arch/arm/plat-orion/Makefile
+index 4e3f25de13c1..830b0be038c6 100644
+--- a/arch/arm/plat-orion/Makefile
++++ b/arch/arm/plat-orion/Makefile
+@@ -2,7 +2,7 @@
+ #
+ # Makefile for the linux kernel.
+ #
+-ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/$(src)/include
++ccflags-y := -I$(srctree)/$(src)/include
+
+ orion-gpio-$(CONFIG_GPIOLIB) += gpio.o
+ obj-$(CONFIG_PLAT_ORION_LEGACY) += irq.o pcie.o time.o common.o mpp.o
+--
+2.35.1
+
diff --git a/queue-5.4/arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch b/queue-5.4/arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch
new file mode 100644
index 00000000000..64aec16dd61
--- /dev/null
+++ b/queue-5.4/arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch
@@ -0,0 +1,44 @@
+From d27b2d0c7a068be1e6a3d804b213a0593df0d7ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jul 2022 13:37:47 +0200
+Subject: arm64: dts: qcom: sdm845: narrow LLCC address space
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 300b5f661eebefb8571841b78091343eb87eca54 ]
+
+The Last Level Cache Controller (LLCC) device does not need to access
+entire LLCC address space. Currently driver uses only hardware info and
+status registers which both reside in LLCC0_COMMON range (offset
+0x30000, size 0x1000). Narrow the address space to allow binding other
+drivers to rest of LLCC address space.
+
+Cc: Rajendra Nayak
+Cc: Sibi Sankar
+Reported-by: Steev Klimaszewski
+Suggested-by: Sibi Sankar
+Signed-off-by: Krzysztof Kozlowski
+Tested-by: Steev Klimaszewski
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220728113748.170548-11-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+index 2287354fef86..76f905c32aee 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -1359,7 +1359,7 @@
+
+ cache-controller@1100000 {
+ compatible = "qcom,sdm845-llcc";
+- reg = <0 0x01100000 0 0x200000>, <0 0x01300000 0 0x50000>;
++ reg = <0 0x01100000 0 0x31000>, <0 0x01300000 0 0x50000>;
+ reg-names = "llcc_base", "llcc_broadcast_base";
+ interrupts = ;
+ };
+--
+2.35.1
+
diff --git a/queue-5.4/arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch b/queue-5.4/arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch
new file mode 100644
index 00000000000..1d1f0a33ca6
--- /dev/null
+++ b/queue-5.4/arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch
@@ -0,0 +1,162 @@
+From cfc2b10074748f7293fe2baa6d23b31ffc9b9fde Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Sep 2022 13:23:18 +0900
+Subject: arm64: dts: uniphier: Add USB-device support for PXs3 reference board
+
+From: Kunihiko Hayashi
+
+[ Upstream commit 19fee1a1096d21ab1f1e712148b5417bda2939a2 ]
+
+PXs3 reference board can change each USB port 0 and 1 to device mode
+with jumpers. Prepare devicetree sources for USB port 0 and 1.
+
+This specifies dr_mode, pinctrl, and some quirks and removes nodes for
+unused phys and vbus-supply properties.
+
+Signed-off-by: Kunihiko Hayashi
+Link: https://lore.kernel.org/r/20220913042321.4817-8-hayashi.kunihiko@socionext.com'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/uniphier-pinctrl.dtsi | 10 +++++
+ arch/arm64/boot/dts/socionext/Makefile | 4 +-
+ .../socionext/uniphier-pxs3-ref-gadget0.dts | 41 +++++++++++++++++++
+ .../socionext/uniphier-pxs3-ref-gadget1.dts | 40 ++++++++++++++++++
+ 4 files changed, 94 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+ create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+
+diff --git a/arch/arm/boot/dts/uniphier-pinctrl.dtsi b/arch/arm/boot/dts/uniphier-pinctrl.dtsi
+index 1fee5ffbfb9c..2c1e0a6b0b6a 100644
+--- a/arch/arm/boot/dts/uniphier-pinctrl.dtsi
++++ b/arch/arm/boot/dts/uniphier-pinctrl.dtsi
+@@ -181,11 +181,21 @@
+ function = "usb0";
+ };
+
++ pinctrl_usb0_device: usb0-device {
++ groups = "usb0_device";
++ function = "usb0";
++ };
++
+ pinctrl_usb1: usb1 {
+ groups = "usb1";
+ function = "usb1";
+ };
+
++ pinctrl_usb1_device: usb1-device {
++ groups = "usb1_device";
++ function = "usb1";
++ };
++
+ pinctrl_usb2: usb2 {
+ groups = "usb2";
+ function = "usb2";
+diff --git a/arch/arm64/boot/dts/socionext/Makefile b/arch/arm64/boot/dts/socionext/Makefile
+index d45441249cb5..c922d9303b69 100644
+--- a/arch/arm64/boot/dts/socionext/Makefile
++++ b/arch/arm64/boot/dts/socionext/Makefile
+@@ -4,4 +4,6 @@ dtb-$(CONFIG_ARCH_UNIPHIER) += \
+ uniphier-ld11-ref.dtb \
+ uniphier-ld20-global.dtb \
+ uniphier-ld20-ref.dtb \
+- uniphier-pxs3-ref.dtb
++ uniphier-pxs3-ref.dtb \
++ uniphier-pxs3-ref-gadget0.dtb \
++ uniphier-pxs3-ref-gadget1.dtb
+diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+new file mode 100644
+index 000000000000..7069f51bc120
+--- /dev/null
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+@@ -0,0 +1,41 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++//
++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #0)
++//
++// Copyright (C) 2021 Socionext Inc.
++// Author: Kunihiko Hayashi
++
++/dts-v1/;
++#include "uniphier-pxs3-ref.dts"
++
++/ {
++ model = "UniPhier PXs3 Reference Board (USB-Device #0)";
++};
++
++/* I2C3 pinctrl is shared with USB*VBUSIN */
++&i2c3 {
++ status = "disabled";
++};
++
++&usb0 {
++ status = "okay";
++ dr_mode = "peripheral";
++ pinctrl-0 = <&pinctrl_usb0_device>;
++ snps,dis_enblslpm_quirk;
++ snps,dis_u2_susphy_quirk;
++ snps,dis_u3_susphy_quirk;
++ snps,usb2_gadget_lpm_disable;
++ phy-names = "usb2-phy", "usb3-phy";
++ phys = <&usb0_hsphy0>, <&usb0_ssphy0>;
++};
++
++&usb0_hsphy0 {
++ /delete-property/ vbus-supply;
++};
++
++&usb0_ssphy0 {
++ /delete-property/ vbus-supply;
++};
++
++/delete-node/ &usb0_hsphy1;
++/delete-node/ &usb0_ssphy1;
+diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+new file mode 100644
+index 000000000000..a3cfa8113ffb
+--- /dev/null
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+@@ -0,0 +1,40 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++//
++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #1)
++//
++// Copyright (C) 2021 Socionext Inc.
++// Author: Kunihiko Hayashi
++
++/dts-v1/;
++#include "uniphier-pxs3-ref.dts"
++
++/ {
++ model = "UniPhier PXs3 Reference Board (USB-Device #1)";
++};
++
++/* I2C3 pinctrl is shared with USB*VBUSIN */
++&i2c3 {
++ status = "disabled";
++};
++
++&usb1 {
++ status = "okay";
++ dr_mode = "peripheral";
++ pinctrl-0 = <&pinctrl_usb1_device>;
++ snps,dis_enblslpm_quirk;
++ snps,dis_u2_susphy_quirk;
++ snps,dis_u3_susphy_quirk;
++ snps,usb2_gadget_lpm_disable;
++ phy-names = "usb2-phy", "usb3-phy";
++ phys = <&usb1_hsphy0>, <&usb1_ssphy0>;
++};
++
++&usb1_hsphy0 {
++ /delete-property/ vbus-supply;
++};
++
++&usb1_ssphy0 {
++ /delete-property/ vbus-supply;
++};
++
++/delete-node/ &usb1_hsphy1;
+--
+2.35.1
+
diff --git a/queue-5.4/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch b/queue-5.4/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
new file mode 100644
index 00000000000..61716cf0d3c
--- /dev/null
+++ b/queue-5.4/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
@@ -0,0 +1,69 @@
+From 7de2caf71c85385844d7577c3749b0b4512772a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Sep 2022 21:43:54 +0800
+Subject: ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
+
+From: Liang He
+
+[ Upstream commit bfb735a3ceff0bab6473bac275da96f9b2a06dec ]
+
+In eukrea_tlv320_probe(), we need to hold the reference returned
+from of_find_compatible_node() which has increased the refcount
+and then call of_node_put() with it when done.
+
+Fixes: 66f232908de2 ("ASoC: eukrea-tlv320: Add DT support.")
+Co-authored-by: Kelin Wang
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220914134354.3995587-1-windhl@126.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/eukrea-tlv320.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 6f3b768489f6..bf3d3f0aa858 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -86,7 +86,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ int ret;
+ int int_port = 0, ext_port;
+ struct device_node *np = pdev->dev.of_node;
+- struct device_node *ssi_np = NULL, *codec_np = NULL;
++ struct device_node *ssi_np = NULL, *codec_np = NULL, *tmp_np = NULL;
+
+ eukrea_tlv320.dev = &pdev->dev;
+ if (np) {
+@@ -143,7 +143,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ }
+
+ if (machine_is_eukrea_cpuimx27() ||
+- of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux")) {
++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux"))) {
+ imx_audmux_v1_configure_port(MX27_AUDMUX_HPCR1_SSI0,
+ IMX_AUDMUX_V1_PCR_SYN |
+ IMX_AUDMUX_V1_PCR_TFSDIR |
+@@ -158,10 +158,11 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ IMX_AUDMUX_V1_PCR_SYN |
+ IMX_AUDMUX_V1_PCR_RXDSEL(MX27_AUDMUX_HPCR1_SSI0)
+ );
++ of_node_put(tmp_np);
+ } else if (machine_is_eukrea_cpuimx25sd() ||
+ machine_is_eukrea_cpuimx35sd() ||
+ machine_is_eukrea_cpuimx51sd() ||
+- of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux")) {
++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux"))) {
+ if (!np)
+ ext_port = machine_is_eukrea_cpuimx25sd() ?
+ 4 : 3;
+@@ -178,6 +179,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ IMX_AUDMUX_V2_PTCR_SYN,
+ IMX_AUDMUX_V2_PDCR_RXDSEL(int_port)
+ );
++ of_node_put(tmp_np);
+ } else {
+ if (np) {
+ /* The eukrea,asoc-tlv320 driver was explicitly
+--
+2.35.1
+
diff --git a/queue-5.4/asoc-rsnd-add-check-for-rsnd_mod_power_on.patch b/queue-5.4/asoc-rsnd-add-check-for-rsnd_mod_power_on.patch
new file mode 100644
index 00000000000..54078137e0c
--- /dev/null
+++ b/queue-5.4/asoc-rsnd-add-check-for-rsnd_mod_power_on.patch
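Review bot: In the `-143` and `-158` hunks of eukrea_tlv320_probe() (sound/soc/fsl/eukrea-tlv320.c) the new `(tmp_np = of_find_compatible_node(...))` is an assignment buried in an `||` chain, so whether `tmp_np` holds a reference depends on short-circuit order, which a later edit to the condition can easily break. The put is balanced as written only because `tmp_np` starts as NULL and of_node_put() accepts NULL, and nothing in the code records that. I would add above each `of_node_put(tmp_np);` a comment such as `/* tmp_np is still NULL if a machine_is_*() test matched first; of_node_put(NULL) is a no-op */`. The body of eukrea_tlv320_probe() starts and ends outside these hunks, so any early return between the lookup and the put cannot be checked from here.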
@@ -0,0 +1,116 @@
+From 55e3d2ee5ca807759b4bc43303db05d4ad4bada6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 09:30:30 +0800
+Subject: ASoC: rsnd: Add check for rsnd_mod_power_on
+
+From: Jiasheng Jiang
+
+[ Upstream commit 376be51caf8871419bbcbb755e1e615d30dc3153 ]
+
+As rsnd_mod_power_on() can return negative numbers,
+it should be better to check the return value and
+deal with the exception.
+
+Fixes: e7d850dd10f4 ("ASoC: rsnd: use mod base common method on SSI-parent")
+Signed-off-by: Jiasheng Jiang
+Acked-by: Kuninori Morimoto
+Link: https://lore.kernel.org/r/20220902013030.3691266-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sh/rcar/ctu.c | 6 +++++-
+ sound/soc/sh/rcar/dvc.c | 6 +++++-
+ sound/soc/sh/rcar/mix.c | 6 +++++-
+ sound/soc/sh/rcar/src.c | 5 ++++-
+ sound/soc/sh/rcar/ssi.c | 4 +++-
+ 5 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/sh/rcar/ctu.c b/sound/soc/sh/rcar/ctu.c
+index 7647b3d4c0ba..25a8cfc27433 100644
+--- a/sound/soc/sh/rcar/ctu.c
++++ b/sound/soc/sh/rcar/ctu.c
+@@ -171,7 +171,11 @@ static int rsnd_ctu_init(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- rsnd_mod_power_on(mod);
++ int ret;
++
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_ctu_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/dvc.c b/sound/soc/sh/rcar/dvc.c
+index 8d91c0eb0880..53b2ad01222b 100644
+--- a/sound/soc/sh/rcar/dvc.c
++++ b/sound/soc/sh/rcar/dvc.c
+@@ -186,7 +186,11 @@ static int rsnd_dvc_init(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- rsnd_mod_power_on(mod);
++ int ret;
++
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_dvc_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/mix.c b/sound/soc/sh/rcar/mix.c
+index a3e0370f5704..c6fe2595c373 100644
+--- a/sound/soc/sh/rcar/mix.c
++++ b/sound/soc/sh/rcar/mix.c
+@@ -146,7 +146,11 @@ static int rsnd_mix_init(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- rsnd_mod_power_on(mod);
++ int ret;
++
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_mix_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/src.c b/sound/soc/sh/rcar/src.c
+index 585ffba0244b..fd52e26a3808 100644
+--- a/sound/soc/sh/rcar/src.c
++++ b/sound/soc/sh/rcar/src.c
+@@ -454,11 +454,14 @@ static int rsnd_src_init(struct rsnd_mod *mod,
+ struct rsnd_priv *priv)
+ {
+ struct rsnd_src *src = rsnd_mod_to_src(mod);
++ int ret;
+
+ /* reset sync convert_rate */
+ src->sync.val = 0;
+
+- rsnd_mod_power_on(mod);
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_src_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 09af402ca31f..f8960bad2bd1 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -518,7 +518,9 @@ static int rsnd_ssi_init(struct rsnd_mod *mod,
+
+ ssi->usrcnt++;
+
+- rsnd_mod_power_on(mod);
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_ssi_config_init(mod, io);
+
+--
+2.35.1
+
diff --git a/queue-5.4/asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch b/queue-5.4/asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch
new file mode 100644
index 00000000000..322d2963409
--- /dev/null
+++ b/queue-5.4/asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch
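Review bot: In the ssi.c hunk of the rsnd patch the new `return ret;` sits after `ssi->usrcnt++;`, so a failed rsnd_mod_power_on() leaves the SSI user count raised. Unless the caller is known to run the matching quit path after a failed init (not visible here), undo the increment before returning: `if (ret < 0) { ssi->usrcnt--; return ret; }`. `ret` is not declared in this hunk and rsnd_ssi_init() starts outside it, so it is presumably an existing local. The ctu, dvc, mix and src hunks return before their *_activation() call and show nothing that needs unwinding.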
@@ -0,0 +1,51 @@
+From 874fa438be9e521ffe9a2427c723369dd93badd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 00:01:15 +0800
+Subject: ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
+
+From: Zhang Qilong
+
+[ Upstream commit fcbb60820cd3008bb44334a0395e5e57ccb77329 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm5102_probe.
+
+Fixes:93e8791dd34ca ("ASoC: wm5102: Initial driver")
+
+Signed-off-by: Zhang Qilong
+Link: https://lore.kernel.org/r/20220928160116.125020-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/wm5102.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm5102.c b/sound/soc/codecs/wm5102.c
+index d6d4b4121369..c5667b149c70 100644
+--- a/sound/soc/codecs/wm5102.c
++++ b/sound/soc/codecs/wm5102.c
+@@ -2084,9 +2084,6 @@ static int wm5102_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm5102_digital_vu[i],
+ WM5102_DIG_VU, WM5102_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1,
+ "ADSP2 Compressed IRQ", wm5102_adsp2_irq,
+ wm5102);
+@@ -2119,6 +2116,9 @@ static int wm5102_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
diff --git a/queue-5.4/asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch b/queue-5.4/asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch
new file mode 100644
index 00000000000..ae893985c7c
--- /dev/null
+++ b/queue-5.4/asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch
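Review bot: Moving `pm_runtime_enable()` to the end of wm5102_probe() means `arizona_request_irq(... wm5102_adsp2_irq ...)` and everything up to the `err_spk_irqs` path now run while runtime PM is still disabled for the device. Any runtime-PM get issued from that handler or from code registered in between (not visible here) would fail during that window, so the reordering may trade the depth imbalance for an early-use failure. Keeping the enable where it was and adding `pm_runtime_disable(&pdev->dev);` on the error labels balances the depth without changing the ordering. The same applies to wm5110_probe() and wm8997_probe() in the next two patches; in all three the error labels lie outside the hunk.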
@@ -0,0 +1,51 @@
+From e40d4a95fca733726533025a3ea908af00990f94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 00:01:14 +0800
+Subject: ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
+
+From: Zhang Qilong
+
+[ Upstream commit 86b46bf1feb83898d89a2b4a8d08d21e9ea277a7 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm5110_probe.
+
+Fixes:5c6af635fd772 ("ASoC: wm5110: Add audio CODEC driver")
+
+Signed-off-by: Zhang Qilong
+Link: https://lore.kernel.org/r/20220928160116.125020-3-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/wm5110.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c
+index 06ec3f48c808..bbe9fdfb423c 100644
+--- a/sound/soc/codecs/wm5110.c
++++ b/sound/soc/codecs/wm5110.c
+@@ -2452,9 +2452,6 @@ static int wm5110_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm5110_digital_vu[i],
+ WM5110_DIG_VU, WM5110_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1,
+ "ADSP2 Compressed IRQ", wm5110_adsp2_irq,
+ wm5110);
+@@ -2487,6 +2484,9 @@ static int wm5110_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
diff --git a/queue-5.4/asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch b/queue-5.4/asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch
new file mode 100644
index 00000000000..8e458043a39
--- /dev/null
+++ b/queue-5.4/asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch
@@ -0,0 +1,51 @@
+From c401b340d8fc3ed3aec42819caf944e7d0edf787 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 00:01:13 +0800
+Subject: ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
+
+From: Zhang Qilong
+
+[ Upstream commit 41a736ac20602f64773e80f0f5b32cde1830a44a ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm8997_probe
+
+Fixes:40843aea5a9bd ("ASoC: wm8997: Initial CODEC driver")
+
+Signed-off-by: Zhang Qilong
+Link: https://lore.kernel.org/r/20220928160116.125020-2-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/wm8997.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm8997.c b/sound/soc/codecs/wm8997.c
+index 229f2986cd96..07378714b013 100644
+--- a/sound/soc/codecs/wm8997.c
++++ b/sound/soc/codecs/wm8997.c
+@@ -1156,9 +1156,6 @@ static int wm8997_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm8997_digital_vu[i],
+ WM8997_DIG_VU, WM8997_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ arizona_init_common(arizona);
+
+ ret = arizona_init_vol_limit(arizona);
+@@ -1177,6 +1174,9 @@ static int wm8997_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
diff --git a/queue-5.4/ata-fix-ata_id_has_devslp.patch b/queue-5.4/ata-fix-ata_id_has_devslp.patch
new file mode 100644
index 00000000000..015146877b0
--- /dev/null
+++ b/queue-5.4/ata-fix-ata_id_has_devslp.patch
@@ -0,0 +1,57 @@ +From 6716584ddc3998a5caee74e70609f4a183d844f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:33 +0200 +Subject: ata: fix ata_id_has_devslp() + +From: Niklas Cassel + +[ Upstream commit 9c6e09a434e1317e09b78b3b69cd384022ec9a03 ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: 65fe1f0f66a5 ("ahci: implement aggressive SATA device sleep support") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 734cc646ce35..8b884cd3a232 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -565,6 +565,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 2))) ++#define ata_id_has_devslp(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -577,7 +581,6 @@ struct ata_bmdma_prd { + + #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20) + #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4)) +-#define ata_id_has_devslp(id) ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)) + 
#define ata_id_has_ncq_autosense(id) \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)) + +-- +2.35.1 + diff --git a/queue-5.4/ata-fix-ata_id_has_dipm.patch b/queue-5.4/ata-fix-ata_id_has_dipm.patch new file mode 100644 index 00000000000..e749352befd --- /dev/null +++ b/queue-5.4/ata-fix-ata_id_has_dipm.patch 
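Review bot: `ata_id_has_devslp(id)` is a function-like macro that expands `id` three times and yields the raw masked value (`1 << 8`) instead of a boolean, which is easy to misuse on device-supplied IDENTIFY data. The same header already has `static inline bool` helpers taking `const u16 *id` (ata_id_has_hipm() is visible in the following patches); these type-check the argument, evaluate it once and normalise the result. The same point applies to `ata_id_has_ncq_autosense()` and, more visibly, to `ata_id_has_dipm()`, which the later patch converts from an inline function into a macro. A shared `static inline bool` helper for the word-76 validity test, called by all three, would keep that check in one place.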
@@ -0,0 +1,76 @@ +From c23720b11903f8ddaa5065f5e2b8beafb6c6b75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:35 +0200 +Subject: ata: fix ata_id_has_dipm() + +From: Niklas Cassel + +[ Upstream commit 630624cb1b5826d753ac8e01a0e42de43d66dedf ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +The problem with ata_id_has_dipm() is that the while it performs a +check against 0 and 0xffff, it performs the check against +ATA_ID_FEATURE_SUPP (word 78), the same word where the feature bit +is stored. + +Fix this by performing the check against ATA_ID_SATA_CAPABILITY +(word 76), like required by the spec. The feature bit check itself +is of course still performed against ATA_ID_FEATURE_SUPP (word 78). + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. 
+ +Fixes: ca77329fb713 ("[libata] Link power management infrastructure") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 94f7872da983..6d2d31b03b4d 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -573,6 +573,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))) ++#define ata_id_has_dipm(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 3))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -596,17 +600,6 @@ static inline bool ata_id_has_hipm(const u16 *id) + return val & (1 << 9); + } + +-static inline bool ata_id_has_dipm(const u16 *id) +-{ +- u16 val = id[ATA_ID_FEATURE_SUPP]; +- +- if (val == 0 || val == 0xffff) +- return false; +- +- return val & (1 << 3); +-} +- +- + static inline bool ata_id_has_fua(const u16 *id) + { + if ((id[ATA_ID_CFSSE] & 0xC000) != 0x4000) +-- +2.35.1 + diff --git a/queue-5.4/ata-fix-ata_id_has_ncq_autosense.patch b/queue-5.4/ata-fix-ata_id_has_ncq_autosense.patch new file mode 100644 index 00000000000..0325eea591b --- /dev/null +++ b/queue-5.4/ata-fix-ata_id_has_ncq_autosense.patch 
@@ -0,0 +1,58 @@ +From 7574351978ab9c788b4c40958fb91278e63fe6d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:34 +0200 +Subject: ata: fix ata_id_has_ncq_autosense() + +From: Niklas Cassel + +[ Upstream commit a5fb6bf853148974dbde092ec1bde553bea5e49f ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: 5b01e4b9efa0 ("libata: Implement NCQ autosense") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 8b884cd3a232..94f7872da983 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -569,6 +569,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))) ++#define ata_id_has_ncq_autosense(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -581,8 +585,6 @@ struct ata_bmdma_prd { + + #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20) + #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4)) +-#define ata_id_has_ncq_autosense(id) \ +- ((id)[ATA_ID_FEATURE_SUPP] & (1 << 
7)) + + static inline bool ata_id_has_hipm(const u16 *id) + { +-- +2.35.1 + diff --git a/queue-5.4/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch b/queue-5.4/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch new file mode 100644 index 00000000000..6b8add7863a --- /dev/null +++ b/queue-5.4/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch 
@@ -0,0 +1,72 @@ +From 4f38f5accd1abf591d5a4500ed80fec61cff848a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:32 +0200 +Subject: ata: fix ata_id_sense_reporting_enabled() and + ata_id_has_sense_reporting() + +From: Niklas Cassel + +[ Upstream commit 690aa8c3ae308bc696ec8b1b357b995193927083 ] + +ACS-5 section +7.13.6.41 Words 85..87, 120: Commands and feature sets supported or enabled +states that: + +If bit 15 of word 86 is set to one, bit 14 of word 119 is set to one, +and bit 15 of word 119 is cleared to zero, then word 119 is valid. + +If bit 15 of word 86 is set to one, bit 14 of word 120 is set to one, +and bit 15 of word 120 is cleared to zero, then word 120 is valid. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Currently, ata_id_sense_reporting_enabled() and +ata_id_has_sense_reporting() both check bit 15 of word 86, +but neither of them check that bit 14 of word 119 is set to one, +or that bit 15 of word 119 is cleared to zero. + +Additionally, make ata_id_sense_reporting_enabled() return false +if !ata_id_has_sense_reporting(), similar to how e.g. +ata_id_flush_ext_enabled() returns false if !ata_id_has_flush_ext(). 
+ +Fixes: e87fd28cf9a2 ("libata: Implement support for sense data reporting") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 6e67aded28f8..734cc646ce35 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -770,16 +770,21 @@ static inline bool ata_id_has_read_log_dma_ext(const u16 *id) + + static inline bool ata_id_has_sense_reporting(const u16 *id) + { +- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15))) ++ if (!(id[ATA_ID_CFS_ENABLE_2] & BIT(15))) ++ return false; ++ if ((id[ATA_ID_COMMAND_SET_3] & (BIT(15) | BIT(14))) != BIT(14)) + return false; +- return id[ATA_ID_COMMAND_SET_3] & (1 << 6); ++ return id[ATA_ID_COMMAND_SET_3] & BIT(6); + } + + static inline bool ata_id_sense_reporting_enabled(const u16 *id) + { +- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15))) ++ if (!ata_id_has_sense_reporting(id)) ++ return false; ++ /* ata_id_has_sense_reporting() == true, word 86 must have bit 15 set */ ++ if ((id[ATA_ID_COMMAND_SET_4] & (BIT(15) | BIT(14))) != BIT(14)) + return false; +- return id[ATA_ID_COMMAND_SET_4] & (1 << 6); ++ return id[ATA_ID_COMMAND_SET_4] & BIT(6); + } + + /** +-- +2.35.1 + diff --git a/queue-5.4/ata-libahci_platform-sanity-check-the-dt-child-nodes.patch b/queue-5.4/ata-libahci_platform-sanity-check-the-dt-child-nodes.patch new file mode 100644 index 00000000000..a11ee16827f --- /dev/null +++ b/queue-5.4/ata-libahci_platform-sanity-check-the-dt-child-nodes.patch 
@@ -0,0 +1,67 @@ +From 9a3fb3cf40516d540ffe381602ecc0da36ebfce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 22:36:06 +0300 +Subject: ata: libahci_platform: Sanity check the DT child nodes number + +From: Serge Semin + +[ Upstream commit 3c132ea6508b34956e5ed88d04936983ec230601 ] + +Having greater than AHCI_MAX_PORTS (32) ports detected isn't that critical +from the further AHCI-platform initialization point of view since +exceeding the ports upper limit will cause allocating more resources than +will be used afterwards. But detecting too many child DT-nodes doesn't +seem right since it's very unlikely to have it on an ordinary platform. In +accordance with the AHCI specification there can't be more than 32 ports +implemented at least due to having the CAP.NP field of 5 bits wide and the +PI register of dword size. Thus if such situation is found the DTB must +have been corrupted and the data read from it shouldn't be reliable. Let's +consider that as an erroneous situation and halt further resources +allocation. + +Note it's logically more correct to have the nports set only after the +initialization value is checked for being sane. So while at it let's make +sure nports is assigned with a correct value. + +Signed-off-by: Serge Semin +Reviewed-by: Hannes Reinecke +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libahci_platform.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index 8a963d2a951d..c0ac25b80a1f 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -451,14 +451,24 @@ struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev, + } + } + +- hpriv->nports = child_nodes = of_get_child_count(dev->of_node); ++ /* ++ * Too many sub-nodes most likely means having something wrong with ++ * the firmware. 
++ */ ++ child_nodes = of_get_child_count(dev->of_node); ++ if (child_nodes > AHCI_MAX_PORTS) { ++ rc = -EINVAL; ++ goto err_out; ++ } + + /* + * If no sub-node was found, we still need to set nports to + * one in order to be able to use the + * ahci_platform_[en|dis]able_[phys|regulators] functions. + */ +- if (!child_nodes) ++ if (child_nodes) ++ hpriv->nports = child_nodes; ++ else + hpriv->nports = 1; + + hpriv->phys = devm_kcalloc(dev, hpriv->nports, sizeof(*hpriv->phys), GFP_KERNEL); +-- +2.35.1 + diff --git a/queue-5.4/bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch b/queue-5.4/bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch new file mode 100644 index 00000000000..e59213c7abc --- /dev/null +++ b/queue-5.4/bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch 
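Review bot: The new `child_nodes > AHCI_MAX_PORTS` branch fails the probe with `-EINVAL` but logs nothing, so a malformed device tree shows up only as an unexplained probe failure. A message before the jump makes the rejection diagnosable, e.g. `dev_warn(dev, "invalid number of sub-nodes (%d)\n", child_nodes);`, with the format specifier adjusted to the type of `child_nodes`, which is declared outside the hunk. The check bounds how many nodes exist, not which port index each node claims; whether each index is validated against `hpriv->nports` is outside this hunk and worth confirming.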
@@ -0,0 +1,135 @@ +From ddc8f2c81b8995cad67ea4a68ef85e69d62bd330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 00:16:47 +0800 +Subject: bcache: fix set_at_max_writeback_rate() for multiple attached devices + +From: Coly Li + +[ Upstream commit d2d05b88035d2d51a5bb6c5afec88a0880c73df4 ] + +Inside set_at_max_writeback_rate() the calculation in following if() +check is wrong, + if (atomic_inc_return(&c->idle_counter) < + atomic_read(&c->attached_dev_nr) * 6) + +Because each attached backing device has its own writeback thread +running and increasing c->idle_counter, the counter increates much +faster than expected. The correct calculation should be, + (counter / dev_nr) < dev_nr * 6 +which equals to, + counter < dev_nr * dev_nr * 6 + +This patch fixes the above mistake with correct calculation, and helper +routine idle_counter_exceeded() is added to make code be more clear. + +Reported-by: Mingzhe Zou +Signed-off-by: Coly Li +Acked-by: Mingzhe Zou +Link: https://lore.kernel.org/r/20220919161647.81238-6-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/writeback.c | 73 +++++++++++++++++++++++++---------- + 1 file changed, 52 insertions(+), 21 deletions(-) + +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index 0b02210ab435..5767ff6c13e3 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -119,27 +119,61 @@ static void __update_writeback_rate(struct cached_dev *dc) + dc->writeback_rate_target = target; + } + ++static bool idle_counter_exceeded(struct cache_set *c) ++{ ++ int counter, dev_nr; ++ ++ /* ++ * If c->idle_counter is overflow (idel for really long time), ++ * reset as 0 and not set maximum rate this time for code ++ * simplicity. 
++ */ ++ counter = atomic_inc_return(&c->idle_counter); ++ if (counter <= 0) { ++ atomic_set(&c->idle_counter, 0); ++ return false; ++ } ++ ++ dev_nr = atomic_read(&c->attached_dev_nr); ++ if (dev_nr == 0) ++ return false; ++ ++ /* ++ * c->idle_counter is increased by writeback thread of all ++ * attached backing devices, in order to represent a rough ++ * time period, counter should be divided by dev_nr. ++ * Otherwise the idle time cannot be larger with more backing ++ * device attached. ++ * The following calculation equals to checking ++ * (counter / dev_nr) < (dev_nr * 6) ++ */ ++ if (counter < (dev_nr * dev_nr * 6)) ++ return false; ++ ++ return true; ++} ++ ++/* ++ * Idle_counter is increased every time when update_writeback_rate() is ++ * called. If all backing devices attached to the same cache set have ++ * identical dc->writeback_rate_update_seconds values, it is about 6 ++ * rounds of update_writeback_rate() on each backing device before ++ * c->at_max_writeback_rate is set to 1, and then max wrteback rate set ++ * to each dc->writeback_rate.rate. ++ * In order to avoid extra locking cost for counting exact dirty cached ++ * devices number, c->attached_dev_nr is used to calculate the idle ++ * throushold. It might be bigger if not all cached device are in write- ++ * back mode, but it still works well with limited extra rounds of ++ * update_writeback_rate(). ++ */ + static bool set_at_max_writeback_rate(struct cache_set *c, + struct cached_dev *dc) + { + /* Don't set max writeback rate if gc is running */ + if (!c->gc_mark_valid) + return false; +- /* +- * Idle_counter is increased everytime when update_writeback_rate() is +- * called. If all backing devices attached to the same cache set have +- * identical dc->writeback_rate_update_seconds values, it is about 6 +- * rounds of update_writeback_rate() on each backing device before +- * c->at_max_writeback_rate is set to 1, and then max wrteback rate set +- * to each dc->writeback_rate.rate. 
+- * In order to avoid extra locking cost for counting exact dirty cached +- * devices number, c->attached_dev_nr is used to calculate the idle +- * throushold. It might be bigger if not all cached device are in write- +- * back mode, but it still works well with limited extra rounds of +- * update_writeback_rate(). +- */ +- if (atomic_inc_return(&c->idle_counter) < +- atomic_read(&c->attached_dev_nr) * 6) ++ ++ if (!idle_counter_exceeded(c)) + return false; + + if (atomic_read(&c->at_max_writeback_rate) != 1) +@@ -153,13 +187,10 @@ static bool set_at_max_writeback_rate(struct cache_set *c, + dc->writeback_rate_change = 0; + + /* +- * Check c->idle_counter and c->at_max_writeback_rate agagain in case +- * new I/O arrives during before set_at_max_writeback_rate() returns. +- * Then the writeback rate is set to 1, and its new value should be +- * decided via __update_writeback_rate(). ++ * In case new I/O arrives during before ++ * set_at_max_writeback_rate() returns. + */ +- if ((atomic_read(&c->idle_counter) < +- atomic_read(&c->attached_dev_nr) * 6) || ++ if (!idle_counter_exceeded(c) || + !atomic_read(&c->at_max_writeback_rate)) + return false; + +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch b/queue-5.4/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch new file mode 100644 index 00000000000..b5d796d5fea --- /dev/null +++ b/queue-5.4/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch 
@@ -0,0 +1,67 @@ +From a31108e0e61b3c23599f812d59f8cdec2873b8cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 10:56:59 -0700 +Subject: Bluetooth: hci_sysfs: Fix attempting to call device_add multiple + times + +From: Luiz Augusto von Dentz + +[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ] + +device_add shall not be called multiple times as stated in its +documentation: + + 'Do not call this routine or device_register() more than once for + any device structure' + +Syzkaller reports a bug as follows [1]: +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:33! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +[...] +Call Trace: + + __list_add include/linux/list.h:69 [inline] + list_add_tail include/linux/list.h:102 [inline] + kobj_kset_join lib/kobject.c:164 [inline] + kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214 + kobject_add_varg lib/kobject.c:358 [inline] + kobject_add+0x150/0x1c0 lib/kobject.c:410 + device_add+0x368/0x1e90 drivers/base/core.c:3452 + hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53 + hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799 + hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110 + hci_event_func net/bluetooth/hci_event.c:7440 [inline] + hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495 + hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007 + process_one_work+0x991/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e4/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Hawkins Jiawei +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c +index b69d88b88d2e..ccd2c377bf83 100644 +--- 
a/net/bluetooth/hci_sysfs.c ++++ b/net/bluetooth/hci_sysfs.c +@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn) + + BT_DBG("conn %p", conn); + ++ if (device_is_registered(&conn->dev)) ++ return; ++ + dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); + + if (device_add(&conn->dev) < 0) { +-- +2.35.1 + diff --git a/queue-5.4/bluetooth-l2cap-fix-user-after-free.patch b/queue-5.4/bluetooth-l2cap-fix-user-after-free.patch new file mode 100644 index 00000000000..45c37c8536b --- /dev/null +++ b/queue-5.4/bluetooth-l2cap-fix-user-after-free.patch 
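Review bot: The `device_is_registered(&conn->dev)` test and the later `device_add()` are two separate steps, so the guard only prevents a double add if all callers of hci_conn_add_sysfs() are serialised for a given connection. The hunk does not show which lock provides that; a comment stating it would make the assumption checkable, e.g. `/* caller holds <lock>; registration state cannot change under us */` with the real lock name filled in. The early return is also silent although the function already logs with `BT_DBG`; a debug line on this path would help when tracing duplicate connection events.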
@@ -0,0 +1,61 @@
+From f697eaf62d7e8834e5117279630f6b8a765774c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 13:27:13 -0700
+Subject: Bluetooth: L2CAP: Fix user-after-free
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ]
+
+This uses l2cap_chan_hold_unless_zero() after calling
+__l2cap_get_chan_blah() to prevent the following trace:
+
+Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
+*kref)
+Bluetooth: chan 0000000023c4974d
+Bluetooth: parent 00000000ae861c08
+==================================================================
+BUG: KASAN: use-after-free in __mutex_waiter_is_first
+kernel/locking/mutex.c:191 [inline]
+BUG: KASAN: use-after-free in __mutex_lock_common
+kernel/locking/mutex.c:671 [inline]
+BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
+kernel/locking/mutex.c:729
+Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
+
+Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sungwoo Kim
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 442432f89be1..2d28b4e49b7a 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4066,6 +4066,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+ }
+
++ chan = l2cap_chan_hold_unless_zero(chan);
++ if (!chan) {
++ err = -EBADSLT;
++ goto unlock;
++ }
++
+ err = 0;
+
+ l2cap_chan_lock(chan);
+@@ -4095,6 +4101,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+
+ l2cap_chan_unlock(chan);
++ l2cap_chan_put(chan);
+
+ unlock:
+ mutex_unlock(&conn->chan_lock);
+--
+2.35.1
+
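Review bot: The reference taken by `l2cap_chan_hold_unless_zero()` is released only on the fall-through path at `l2cap_chan_put(chan)`; the code between `l2cap_chan_lock()` and `l2cap_chan_unlock()` is not shown, so confirm it contains no `goto unlock` or early return that would skip the put and leak the channel. A short comment at the hold would record why it is needed: `/* lookup returned chan without a reference; pin it before locking, it may already be heading for l2cap_chan_destroy() */`. l2cap_connect_create_rsp() starts before the first hunk and the part between the two hunks is outside the view.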
diff --git a/queue-5.4/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch b/queue-5.4/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
new file mode 100644
index 00000000000..407bdaad4c7
--- /dev/null
+++ b/queue-5.4/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
@@ -0,0 +1,82 @@ +From 41bf5c42cce9dd940b118da0d451a932f463852c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 00:32:56 +0900 +Subject: Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() + +From: Tetsuo Handa + +[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ] + +syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at +l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent +l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer +which fires before l2cap_chan_del() is called by closing file descriptor +created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP). + +l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP) +are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which +clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded. + +l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets +CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when +connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds + from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4 +seconds from connect() request, for l2cap_conn_start() from +l2cap_info_timeout() callback scheduled by + + schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); + +in l2cap_connect() is calling l2cap_chan_ready(). + +Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM +mode as soon as l2cap_chan_create() allocates a channel, like I did in +commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at +l2cap_chan_create()"). 
+ +Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 3682d2e1cd7d..442432f89be1 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -60,6 +60,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); + + static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff_head *skbs, u8 event); ++static void l2cap_retrans_timeout(struct work_struct *work); ++static void l2cap_monitor_timeout(struct work_struct *work); ++static void l2cap_ack_timeout(struct work_struct *work); + + static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) + { +@@ -475,6 +478,9 @@ struct l2cap_chan *l2cap_chan_create(void) + write_unlock(&chan_list_lock); + + INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); ++ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); ++ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); ++ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); + + chan->state = BT_OPEN; + +@@ -3163,10 +3169,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan) + chan->rx_state = L2CAP_RX_STATE_RECV; + chan->tx_state = L2CAP_TX_STATE_XMIT; + +- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); +- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); +- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); +- + skb_queue_head_init(&chan->srej_q); + + err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); +-- +2.35.1 + diff --git a/queue-5.4/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch b/queue-5.4/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch new file mode 100644 index 00000000000..6128e45fc48 --- /dev/null 
+++ b/queue-5.4/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch @@ -0,0 +1,40 @@ +From c1baac32d2ccfdab32609a89aa91ff1a0f77651a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 14:28:43 +0800 +Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop() + +From: Jianglei Nie + +[ Upstream commit b43f9acbb8942b05252be83ac25a81cec70cc192 ] + +bnx2x_tpa_stop() allocates a memory chunk from new_data with +bnx2x_frag_alloc(). The new_data should be freed when gets some error. +But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns +without releasing the new_data, which will lead to a memory leak. + +We should free the new_data with bnx2x_frag_free() when "pad + len > +fp->rx_buf_size" is true. + +Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress") +Signed-off-by: Jianglei Nie +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index 9af8afd7ae89..d8e13ee0601f 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -787,6 +787,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp, + BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n", + pad, len, fp->rx_buf_size); + bnx2x_panic(); ++ bnx2x_frag_free(fp, new_data); + return; + } + #endif +-- +2.35.1 + diff --git a/queue-5.4/bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch b/queue-5.4/bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch new file mode 100644 index 00000000000..101dccc260e --- /dev/null +++ b/queue-5.4/bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch 
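Review bot: The added `bnx2x_frag_free(fp, new_data)` sits directly above an `#endif`, so the whole `pad + len > fp->rx_buf_size` check appears to be compiled only under a conditional whose opening line is outside the hunk. If that conditional is a debug option, builds without it have neither this length check nor this free, and `len` reaches the `skb_put` named in the error message without the guard; it is worth confirming that the length is bounded elsewhere for those builds. bnx2x_tpa_stop() starts and ends outside the hunk.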
@@ -0,0 +1,47 @@
+From 6c8f0a37a1b8ce03a202badbea24423f4dd39c08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 10 Sep 2022 11:01:20 +0000
+Subject: bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
+
+From: Lorenz Bauer
+
+[ Upstream commit a37a32583e282d8d815e22add29bc1e91e19951a ]
+
+When trying to finish resolving a struct member, btf_struct_resolve
+saves the member type id in a u16 temporary variable. This truncates
+the 32 bit type id value if it exceeds UINT16_MAX.
+
+As a result, structs that have members with type ids > UINT16_MAX and
+which need resolution will fail with a message like this:
+
+ [67414] STRUCT ff_device size=120 vlen=12
+ effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size
+
+Fix this by changing the type of last_member_type_id to u32.
+
+Fixes: a0791f0df7d2 ("bpf: fix BTF limits")
+Reviewed-by: Stanislav Fomichev
+Signed-off-by: Lorenz Bauer
+Link: https://lore.kernel.org/r/20220910110120.339242-1-oss@lmb.io
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/btf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index b03087f110eb..a28bbec8c59f 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -2148,7 +2148,7 @@ static int btf_struct_resolve(struct btf_verifier_env *env,
+ if (v->next_member) {
+ const struct btf_type *last_member_type;
+ const struct btf_member *last_member;
+- u16 last_member_type_id;
++ u32 last_member_type_id;
+
+ last_member = btf_type_member(v->t) + v->next_member - 1;
+ last_member_type_id = last_member->type;
+--
+2.35.1
+
diff --git a/queue-5.4/bpf-ensure-correct-locking-around-vulnerable-functio.patch b/queue-5.4/bpf-ensure-correct-locking-around-vulnerable-functio.patch
new file mode 100644
index 00000000000..8a9a5d0cd8a
--- /dev/null
+++ b/queue-5.4/bpf-ensure-correct-locking-around-vulnerable-functio.patch
@@ -0,0 +1,43 @@
+From fbf4d0249db71590297a12708ec320321334f4db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Sep 2022 14:38:55 +0100
+Subject: bpf: Ensure correct locking around vulnerable function find_vpid()
+
+From: Lee Jones
+
+[ Upstream commit 83c10cc362d91c0d8d25e60779ee52fdbbf3894d ]
+
+The documentation for find_vpid() clearly states:
+
+ "Must be called with the tasklist_lock or rcu_read_lock() held."
+
+Presently we do neither for find_vpid() instance in bpf_task_fd_query().
+Add proper rcu_read_lock/unlock() to fix the issue.
+
+Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
+Signed-off-by: Lee Jones
+Signed-off-by: Daniel Borkmann
+Acked-by: Yonghong Song
+Link: https://lore.kernel.org/bpf/20220912133855.1218900-1-lee@kernel.org
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 9ebdcdaa5f16..de788761b708 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -2787,7 +2787,9 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
+ if (attr->task_fd_query.flags != 0)
+ return -EINVAL;
+
++ rcu_read_lock();
+ task = get_pid_task(find_vpid(pid), PIDTYPE_PID);
++ rcu_read_unlock();
+ if (!task)
+ return -ENOENT;
+
+--
+2.35.1
+
diff --git a/queue-5.4/bpftool-clear-errno-after-libcap-s-checks.patch b/queue-5.4/bpftool-clear-errno-after-libcap-s-checks.patch
new file mode 100644
index 00000000000..1ea6bbe88a9
--- /dev/null
+++ b/queue-5.4/bpftool-clear-errno-after-libcap-s-checks.patch
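Review bot: Dropping the RCU read lock immediately after `get_pid_task()` in bpf_task_fd_query() is safe only because that helper takes a reference on the task it returns, and the new lines do not say so. A comment above the lock, for example `/* get_pid_task() holds a task reference, so task stays valid after rcu_read_unlock() */`, would stop a later edit from swapping in a bare `pid_task()` lookup that needs the lock held for longer. The matching `put_task_struct()` on the exit paths is outside the hunk and should be checked against every return that follows. The function continues beyond the lines shown.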
@@ -0,0 +1,70 @@ +From 019be6c4a79e91033814e901dd568488e7dbaa03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 17:22:05 +0100 +Subject: bpftool: Clear errno after libcap's checks + +From: Quentin Monnet + +[ Upstream commit cea558855c39b7f1f02ff50dcf701ca6596bc964 ] + +When bpftool is linked against libcap, the library runs a "constructor" +function to compute the number of capabilities of the running kernel +[0], at the beginning of the execution of the program. As part of this, +it performs multiple calls to prctl(). Some of these may fail, and set +errno to a non-zero value: + + # strace -e prctl ./bpftool version + prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1 + prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument) + prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1 + prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument) + prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument) + prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument) + ** fprintf added at the top of main(): we have errno == 1 + ./bpftool v7.0.0 + using libbpf v1.0 + features: libbfd, libbpf_strict, skeletons + +++ exited with 0 +++ + +This has been addressed in libcap 2.63 [1], but until this version is +available everywhere, we can fix it on bpftool side. + +Let's clean errno at the beginning of the main() function, to make sure +that these checks do not interfere with the batch mode, where we error +out if errno is set after a bpftool command. 
+ + [0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/libcap/cap_alloc.c?h=libcap-2.65#n20 + [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=f25a1b7e69f7b33e6afb58b3e38f3450b7d2d9a0 + +Signed-off-by: Quentin Monnet +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220815162205.45043-1-quentin@isovalent.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c +index 4b03983acbef..35984bd354cb 100644 +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -364,6 +364,16 @@ int main(int argc, char **argv) + + setlinebuf(stdout); + ++#ifdef USE_LIBCAP ++ /* Libcap < 2.63 hooks before main() to compute the number of ++ * capabilities of the running kernel, and doing so it calls prctl() ++ * which may fail and set errno to non-zero. ++ * Let's reset errno to make sure this does not interfere with the ++ * batch mode. ++ */ ++ errno = 0; ++#endif ++ + last_do_help = do_help; + pretty_output = false; + json_output = false; +-- +2.35.1 + diff --git a/queue-5.4/bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch b/queue-5.4/bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch new file mode 100644 index 00000000000..620acb4588e --- /dev/null +++ b/queue-5.4/bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch 
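Review bot: The `errno = 0;` reset in bpftool's main() is guarded by `#ifdef USE_LIBCAP`, but the batch-mode dependency on a clean errno that the commit message describes is not specific to libcap. Any other library constructor that runs before main() could leave errno set in the same way. Making the assignment unconditional costs nothing and removes the dependency on the build option; the comment can keep libcap < 2.63 as the known example. main() continues outside the hunk.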
@@ -0,0 +1,40 @@
+From eed870b8afcd49a4789303d3d363f65a2fa5c712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Aug 2022 15:59:00 -0700
+Subject: bpftool: Fix a wrong type cast in btf_dumper_int
+
+From: Lam Thai
+
+[ Upstream commit 7184aef9c0f7a81db8fd18d183ee42481d89bf35 ]
+
+When `data` points to a boolean value, casting it to `int *` is problematic
+and could lead to a wrong value being passed to `jsonw_bool`. Change the
+cast to `bool *` instead.
+
+Fixes: b12d6ec09730 ("bpf: btf: add btf print functionality")
+Signed-off-by: Lam Thai
+Signed-off-by: Andrii Nakryiko
+Reviewed-by: Quentin Monnet
+Acked-by: John Fastabend
+Link: https://lore.kernel.org/bpf/20220824225859.9038-1-lamthai@arista.com
+Signed-off-by: Sasha Levin
+---
+ tools/bpf/bpftool/btf_dumper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/btf_dumper.c b/tools/bpf/bpftool/btf_dumper.c
+index 397e5716ab6d..ebb73e447310 100644
+--- a/tools/bpf/bpftool/btf_dumper.c
++++ b/tools/bpf/bpftool/btf_dumper.c
+@@ -251,7 +251,7 @@ static int btf_dumper_int(const struct btf_type *t, __u8 bit_offset,
+ *(char *)data);
+ break;
+ case BTF_INT_BOOL:
+- jsonw_bool(jw, *(int *)data);
++ jsonw_bool(jw, *(bool *)data);
+ break;
+ default:
+ /* shouldn't happen */
+--
+2.35.1
+
diff --git a/queue-5.4/btrfs-scrub-try-to-fix-super-block-errors.patch b/queue-5.4/btrfs-scrub-try-to-fix-super-block-errors.patch
new file mode 100644
index 00000000000..7a4b4aeb86a
--- /dev/null
+++ b/queue-5.4/btrfs-scrub-try-to-fix-super-block-errors.patch
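Review bot: `*(bool *)data` in the `BTF_INT_BOOL` case reads a byte of dumped data as a C `bool`, and a stored value other than 0 or 1 is not a valid `bool` object, so what reaches `jsonw_bool()` then depends on the compiler. Reading the byte as an integer and normalising it avoids that: `jsonw_bool(jw, *(__u8 *)data != 0);`. This assumes the BOOL case is only reached for one-byte values, which the hunk does not show. btf_dumper_int() starts and ends outside the hunk.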
@@ -0,0 +1,147 @@ +From 223ac66ad52cc2bca13f9e992284acaa4bc2bc86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 14:53:03 +0800 +Subject: btrfs: scrub: try to fix super block errors + +From: Qu Wenruo + +[ Upstream commit f9eab5f0bba76742af654f33d517bf62a0db8f12 ] + +[BUG] +The following script shows that, although scrub can detect super block +errors, it never tries to fix it: + + mkfs.btrfs -f -d raid1 -m raid1 $dev1 $dev2 + xfs_io -c "pwrite 67108864 4k" $dev2 + + mount $dev1 $mnt + btrfs scrub start -B $dev2 + btrfs scrub start -Br $dev2 + umount $mnt + +The first scrub reports the super error correctly: + + scrub done for f3289218-abd3-41ac-a630-202f766c0859 + Scrub started: Tue Aug 2 14:44:11 2022 + Status: finished + Duration: 0:00:00 + Total to scrub: 1.26GiB + Rate: 0.00B/s + Error summary: super=1 + Corrected: 0 + Uncorrectable: 0 + Unverified: 0 + +But the second read-only scrub still reports the same super error: + + Scrub started: Tue Aug 2 14:44:11 2022 + Status: finished + Duration: 0:00:00 + Total to scrub: 1.26GiB + Rate: 0.00B/s + Error summary: super=1 + Corrected: 0 + Uncorrectable: 0 + Unverified: 0 + +[CAUSE] +The comments already shows that super block can be easily fixed by +committing a transaction: + + /* + * If we find an error in a super block, we just report it. + * They will get written with the next transaction commit + * anyway + */ + +But the truth is, such assumption is not always true, and since scrub +should try to repair every error it found (except for read-only scrub), +we should really actively commit a transaction to fix this. + +[FIX] +Just commit a transaction if we found any super block errors, after +everything else is done. + +We cannot do this just after scrub_supers(), as +btrfs_commit_transaction() will try to pause and wait for the running +scrub, thus we can not call it with scrub_lock hold. 
+ +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index e5db948daa12..45809f75692e 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -3849,6 +3849,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + int ret; + struct btrfs_device *dev; + unsigned int nofs_flag; ++ bool need_commit = false; + + if (btrfs_fs_closing(fs_info)) + return -EAGAIN; +@@ -3961,6 +3962,12 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + */ + nofs_flag = memalloc_nofs_save(); + if (!is_dev_replace) { ++ u64 old_super_errors; ++ ++ spin_lock(&sctx->stat_lock); ++ old_super_errors = sctx->stat.super_errors; ++ spin_unlock(&sctx->stat_lock); ++ + btrfs_info(fs_info, "scrub: started on devid %llu", devid); + /* + * by holding device list mutex, we can +@@ -3969,6 +3976,16 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + mutex_lock(&fs_info->fs_devices->device_list_mutex); + ret = scrub_supers(sctx, dev); + mutex_unlock(&fs_info->fs_devices->device_list_mutex); ++ ++ spin_lock(&sctx->stat_lock); ++ /* ++ * Super block errors found, but we can not commit transaction ++ * at current context, since btrfs_commit_transaction() needs ++ * to pause the current running scrub (hold by ourselves). ++ */ ++ if (sctx->stat.super_errors > old_super_errors && !sctx->readonly) ++ need_commit = true; ++ spin_unlock(&sctx->stat_lock); + } + + if (!ret) +@@ -3995,6 +4012,25 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + scrub_workers_put(fs_info); + scrub_put_ctx(sctx); + ++ /* ++ * We found some super block errors before, now try to force a ++ * transaction commit, as scrub has finished. 
++ */ ++ if (need_commit) { ++ struct btrfs_trans_handle *trans; ++ ++ trans = btrfs_start_transaction(fs_info->tree_root, 0); ++ if (IS_ERR(trans)) { ++ ret = PTR_ERR(trans); ++ btrfs_err(fs_info, ++ "scrub: failed to start transaction to fix super block errors: %d", ret); ++ return ret; ++ } ++ ret = btrfs_commit_transaction(trans); ++ if (ret < 0) ++ btrfs_err(fs_info, ++ "scrub: failed to commit transaction to fix super block errors: %d", ret); ++ } + return ret; + out: + scrub_workers_put(fs_info); +-- +2.35.1 + diff --git a/queue-5.4/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch b/queue-5.4/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch new file mode 100644 index 00000000000..0a5adc6691e --- /dev/null +++ b/queue-5.4/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch 
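Review bot: In the `need_commit` block at the end of btrfs_scrub_dev(), `ret = btrfs_commit_transaction(trans);` overwrites whatever the scrub itself returned. A scrub that ended with an error but also saw super block errors could therefore report success once the commit succeeds; the lines between `if (!ret)` and this block are outside the hunk, so this assumes `ret` is not preserved elsewhere. Keeping the commit status in its own local and copying it over only when the scrub succeeded keeps both failures visible: `commit_ret = btrfs_commit_transaction(trans);` followed by `if (!ret) ret = commit_ret;`. The early `return ret;` after a failed `btrfs_start_transaction()` replaces the scrub result in the same way.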
@@ -0,0 +1,53 @@
+From 65698f0eefc6c4cc92035ec012926e8a22821a87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Sep 2022 09:55:56 +0800
+Subject: can: bcm: check the result of can_send() in bcm_can_tx()
+
+From: Ziyang Xuan
+
+[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ]
+
+If can_send() fail, it should not update frames_abs counter
+in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx().
+
+Suggested-by: Marc Kleine-Budde
+Suggested-by: Oliver Hartkopp
+Signed-off-by: Ziyang Xuan
+Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com
+Acked-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ net/can/bcm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 63d81147fb4e..fbf1143a56e1 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -276,6 +276,7 @@ static void bcm_can_tx(struct bcm_op *op)
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe;
++ int err;
+
+ /* no target device? => exit */
+ if (!op->ifindex)
+@@ -300,11 +301,11 @@ static void bcm_can_tx(struct bcm_op *op)
+ /* send with loopback */
+ skb->dev = dev;
+ can_skb_set_owner(skb, op->sk);
+- can_send(skb, 1);
++ err = can_send(skb, 1);
++ if (!err)
++ op->frames_abs++;
+
+- /* update statistics */
+ op->currframe++;
+- op->frames_abs++;
+
+ /* reached last frame? */
+ if (op->currframe >= op->nframes)
+--
+2.35.1
+
diff --git a/queue-5.4/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch b/queue-5.4/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch
new file mode 100644
index 00000000000..8ee23059736
--- /dev/null
+++ b/queue-5.4/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch
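Review bot: In bcm_can_tx(), `err` from `can_send()` is used only to skip `op->frames_abs++`; the failure itself is dropped and `op->currframe++` still advances, so a frame that was never sent is silently skipped in the sequence. If that is intended, the removed `/* update statistics */` comment should be replaced by one that says so, for example `/* count only frames accepted by can_send(); the sequence advances either way */`. The function continues outside both inner hunks.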
@@ -0,0 +1,39 @@
+From 2e644dde21c71e9e8bcaefd2bae203acfa6eb870 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Aug 2022 21:38:00 +0200
+Subject: can: rx-offload: can_rx_offload_init_queue(): fix typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde
+
+[ Upstream commit 766108d91246530d31b42765046f7ec2d1e42581 ]
+
+Fix typo "rounted" -> "rounded".
+
+Link: https://lore.kernel.org/all/20220811093617.1861938-2-mkl@pengutronix.de
+Fixes: d254586c3453 ("can: rx-offload: Add support for HW fifo based irq offloading")
+Reported-by: Uwe Kleine-König
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/dev/rx-offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/dev/rx-offload.c b/drivers/net/can/dev/rx-offload.c
+index 7e75a87a8a6a..a7806c687e5b 100644
+--- a/drivers/net/can/dev/rx-offload.c
++++ b/drivers/net/can/dev/rx-offload.c
+@@ -332,7 +332,7 @@ static int can_rx_offload_init_queue(struct net_device *dev, struct can_rx_offlo
+ {
+ offload->dev = dev;
+
+- /* Limit queue len to 4x the weight (rounted to next power of two) */
++ /* Limit queue len to 4x the weight (rounded to next power of two) */
+ offload->skb_queue_len_max = 2 << fls(weight);
+ offload->skb_queue_len_max *= 4;
+ skb_queue_head_init(&offload->skb_queue);
+--
+2.35.1
+
diff --git a/queue-5.4/cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch b/queue-5.4/cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch
new file mode 100644
index 00000000000..738b97ec91f
--- /dev/null
+++ b/queue-5.4/cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch
@@ -0,0 +1,71 @@ +From 152aba70d94dcb743259dc8dff68379ebedf0be4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 16:57:36 -0400 +Subject: cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset + +From: Waiman Long + +[ Upstream commit ec5fbdfb99d18482619ac42605cb80fbb56068ee ] + +Previously, update_tasks_cpumask() is not supposed to be called with +top cpuset. With cpuset partition that takes CPUs away from the top +cpuset, adjusting the cpus_mask of the tasks in the top cpuset is +necessary. Percpu kthreads, however, are ignored. + +Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 9ba94a9a67aa..c7f4526ca64e 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1057,10 +1058,18 @@ static void update_tasks_cpumask(struct cpuset *cs) + { + struct css_task_iter it; + struct task_struct *task; ++ bool top_cs = cs == &top_cpuset; + + css_task_iter_start(&cs->css, 0, &it); +- while ((task = css_task_iter_next(&it))) ++ while ((task = css_task_iter_next(&it))) { ++ /* ++ * Percpu kthreads in top_cpuset are ignored ++ */ ++ if (top_cs && (task->flags & PF_KTHREAD) && ++ kthread_is_per_cpu(task)) ++ continue; + set_cpus_allowed_ptr(task, cs->effective_cpus); ++ } + css_task_iter_end(&it); + } + +@@ -2014,12 +2023,7 @@ static int update_prstate(struct cpuset *cs, int val) + update_flag(CS_CPU_EXCLUSIVE, cs, 0); + } + +- /* +- * Update cpumask of parent's tasks except when it is the top +- * cpuset as some system daemons cannot be mapped to other CPUs. 
+- */ +- if (parent != &top_cpuset) +- update_tasks_cpumask(parent); ++ update_tasks_cpumask(parent); + + if (parent->child_ecpus_count) + update_sibling_cpumasks(parent, cs, &tmp); +-- +2.35.1 + diff --git a/queue-5.4/clk-ast2600-bclk-comes-from-epll.patch b/queue-5.4/clk-ast2600-bclk-comes-from-epll.patch new file mode 100644 index 00000000000..a97835dbd82 --- /dev/null +++ b/queue-5.4/clk-ast2600-bclk-comes-from-epll.patch @@ -0,0 +1,38 @@ +From 436ce3fe0dc8a6cdd41be3aef966f49d53ee8bd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 13:34:26 +0930 +Subject: clk: ast2600: BCLK comes from EPLL + +From: Joel Stanley + +[ Upstream commit b8c1dc9c00b252b3be853720a71b05ed451ddd9f ] + +This correction was made in the u-boot SDK recently. There are no +in-tree users of this clock so the impact is minimal. + +Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC") +Link: https://github.com/AspeedTech-BMC/u-boot/commit/8ad54a5ae15f27fea5e894cc2539a20d90019717 +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20220421040426.171256-1-joel@jms.id.au +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-ast2600.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-ast2600.c b/drivers/clk/clk-ast2600.c +index 48122f574cb6..8a6c6b9c9a6a 100644 +--- a/drivers/clk/clk-ast2600.c ++++ b/drivers/clk/clk-ast2600.c +@@ -579,7 +579,7 @@ static int aspeed_g6_clk_probe(struct platform_device *pdev) + regmap_write(map, 0x308, 0x12000); /* 3x3 = 9 */ + + /* P-Bus (BCLK) clock divider */ +- hw = clk_hw_register_divider_table(dev, "bclk", "hpll", 0, ++ hw = clk_hw_register_divider_table(dev, "bclk", "epll", 0, + scu_g6_base + ASPEED_G6_CLK_SELECTION1, 20, 3, 0, + ast2600_div_table, + &aspeed_g6_clk_lock); +-- +2.35.1 + 
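Review bot: In the cgroup/cpuset patch, update_tasks_cpumask() now calls `kthread_is_per_cpu()` and adds an `#include`, but nothing on this page shows that helper being present in the 5.4 base this queue targets; that is worth confirming before the patch is queued, since a missing declaration breaks the build. Separately, with the `parent != &top_cpuset` guard removed in update_prstate(), `set_cpus_allowed_ptr()` now runs on every task in the top cpuset that is not a per-CPU kthread, and its return value is still ignored. A task whose affinity cannot be changed therefore keeps its old mask with no trace. A comment above the call, such as `/* best effort: on failure the task stays on its previous CPUs */`, would document that.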
diff --git a/queue-5.4/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch b/queue-5.4/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch new file mode 100644 index 00000000000..eee6adf4963 --- /dev/null +++ b/queue-5.4/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch @@ -0,0 +1,43 @@ +From ead757ddee57e79b4ca63ef334dd55437dc71cce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 16:10:37 +0200 +Subject: clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration + +From: Stefan Wahren + +[ Upstream commit 0b919a3728691c172312dee99ba654055ccd8c84 ] + +The return value of bcm2835_clock_rate_from_divisor is always unsigned +and also all caller expect this. So fix the declaration accordingly. + +Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20220904141037.38816-1-stefan.wahren@i2se.com +Reviewed-by: Ivan T. Ivanov +Reviewed-by: Florian Fainelli +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index e637bd6b295b..e650379b3230 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -967,9 +967,9 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw, + return div; + } + +-static long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock, +- unsigned long parent_rate, +- u32 div) ++static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock, ++ unsigned long parent_rate, ++ u32 div) + { + const struct bcm2835_clock_data *data = clock->data; + u64 temp; +-- +2.35.1 + diff --git a/queue-5.4/clk-bcm2835-make-peripheral-pllc-critical.patch b/queue-5.4/clk-bcm2835-make-peripheral-pllc-critical.patch new file mode 100644 index 00000000000..c5c78384158 --- /dev/null 
+++ b/queue-5.4/clk-bcm2835-make-peripheral-pllc-critical.patch @@ -0,0 +1,50 @@ +From 3e3d36eb94eb73943ee9f8f358d18ce174669a27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 10:45:09 +0200 +Subject: clk: bcm2835: Make peripheral PLLC critical +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +[ Upstream commit 6c5422851d8be8c7451e968fd2e6da41b6109e17 ] + +When testing for a series affecting the VEC, it was discovered that +turning off and on the VEC clock is crashing the system. + +It turns out that, when disabling the VEC clock, it's the only child of +the PLLC-per clock which will also get disabled. The source of the crash +is PLLC-per being disabled. + +It's likely that some other device might not take a clock reference that +it actually needs, but it's unclear which at this point. Let's make +PLLC-per critical so that we don't have that crash. + +Reported-by: Noralf Trønnes +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220926084509.12233-1-maxime@cerno.tech +Reviewed-by: Stefan Wahren +Acked-by: Noralf Trønnes +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index e650379b3230..b4e6a7923233 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1756,7 +1756,7 @@ static const struct bcm2835_clk_desc clk_desc_array[] = { + .load_mask = CM_PLLC_LOADPER, + .hold_mask = CM_PLLC_HOLDPER, + .fixed_divider = 1, +- .flags = CLK_SET_RATE_PARENT), ++ .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT), + + /* + * PLLD is the display PLL, used to drive DSI display panels. +-- +2.35.1 + 
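Review bot: `CLK_IS_CRITICAL` on the PLLC-per entry of `clk_desc_array` is a workaround, yet the entry carries no comment saying so. The commit message states that the consumer which fails to take a clock reference has not been identified. A note next to `.flags`, for example `/* kept critical: disabling PLLC-per crashes the system, missing consumer not yet identified */`, would keep the flag from looking permanent and point the next reader at the open question. The entry starts outside the hunk.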
diff --git a/queue-5.4/clk-berlin-add-of_node_put-for-of_get_parent.patch b/queue-5.4/clk-berlin-add-of_node_put-for-of_get_parent.patch
new file mode 100644
index 00000000000..04578c1fc99
--- /dev/null
+++ b/queue-5.4/clk-berlin-add-of_node_put-for-of_get_parent.patch
@@ -0,0 +1,77 @@ +From b8297ebbe2ae1813ec2e4cd2905e32418402ec3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 16:49:00 +0800 +Subject: clk: berlin: Add of_node_put() for of_get_parent() + +From: Liang He + +[ Upstream commit 37c381b812dcbfde9c3f1f3d3e75fdfc1b40d5bc ] + +In berlin2_clock_setup() and berlin2q_clock_setup(), we need to +call of_node_put() for the reference returned by of_get_parent() +which has increased the refcount. We should call *_put() in fail +path or when it is not used anymore. + +Fixes: 26b3b6b959b2 ("clk: berlin: prepare simple-mfd conversion") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220708084900.311684-1-windhl@126.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/berlin/bg2.c | 5 ++++- + drivers/clk/berlin/bg2q.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/berlin/bg2.c b/drivers/clk/berlin/bg2.c +index bccdfa00fd37..67a9edbba29c 100644 +--- a/drivers/clk/berlin/bg2.c ++++ b/drivers/clk/berlin/bg2.c +@@ -500,12 +500,15 @@ static void __init berlin2_clock_setup(struct device_node *np) + int n, ret; + + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); +- if (!clk_data) ++ if (!clk_data) { ++ of_node_put(parent_np); + return; ++ } + clk_data->num = MAX_CLKS; + hws = clk_data->hws; + + gbase = of_iomap(parent_np, 0); ++ of_node_put(parent_np); + if (!gbase) + return; + +diff --git a/drivers/clk/berlin/bg2q.c b/drivers/clk/berlin/bg2q.c +index e9518d35f262..dd2784bb75b6 100644 +--- a/drivers/clk/berlin/bg2q.c ++++ b/drivers/clk/berlin/bg2q.c +@@ -286,19 +286,23 @@ static void __init berlin2q_clock_setup(struct device_node *np) + int n, ret; + + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); +- if (!clk_data) ++ if (!clk_data) { ++ of_node_put(parent_np); + return; ++ } + clk_data->num = MAX_CLKS; + hws = clk_data->hws; + + gbase = of_iomap(parent_np, 0); + if (!gbase) { ++ 
of_node_put(parent_np); + pr_err("%pOF: Unable to map global base\n", np); + return; + } + + /* BG2Q CPU PLL is not part of global registers */ + cpupll_base = of_iomap(parent_np, 1); ++ of_node_put(parent_np); + if (!cpupll_base) { + pr_err("%pOF: Unable to map cpupll base\n", np); + iounmap(gbase); +-- +2.35.1 + diff --git a/queue-5.4/clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch b/queue-5.4/clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch new file mode 100644 index 00000000000..cd53293eb0a --- /dev/null +++ b/queue-5.4/clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch 
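Review bot: Both setup functions still leak `clk_data` on their early exits: in bg2.c `if (!gbase) return;` returns after the `kzalloc()` succeeded, and in bg2q.c the `!gbase` branch does the same. The `!cpupll_base` branch in bg2q.c unmaps `gbase` but shows no free either, though its return is outside the hunk. The commit balances the `parent_np` refcount on these paths but not the allocation; a `kfree(clk_data);` before each return would close it, e.g. `if (!gbase) { kfree(clk_data); return; }`. With three separate `of_node_put(parent_np)` calls in berlin2q_clock_setup(), a single exit label would also be easier to keep correct.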
@@ -0,0 +1,44 @@ +From 9684154c3af6e0168ad2eef4fbd05d9e4beb1f53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 12:11:20 +0200 +Subject: clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent + +From: Chen-Yu Tsai + +[ Upstream commit 9f94f545f258b15bfa6357eb62e1e307b712851e ] + +The only clock in the MT8183 MFGCFG block feeds the GPU. Propagate its +rate change requests to its parent, so that DVFS for the GPU can work +properly. + +Fixes: acddfc2c261b ("clk: mediatek: Add MT8183 clock support") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220927101128.44758-3-angelogioacchino.delregno@collabora.com +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8183-mfgcfg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/mediatek/clk-mt8183-mfgcfg.c b/drivers/clk/mediatek/clk-mt8183-mfgcfg.c +index 37b4162c5882..3a33014eee7f 100644 +--- a/drivers/clk/mediatek/clk-mt8183-mfgcfg.c ++++ b/drivers/clk/mediatek/clk-mt8183-mfgcfg.c +@@ -18,9 +18,9 @@ static const struct mtk_gate_regs mfg_cg_regs = { + .sta_ofs = 0x0, + }; + +-#define GATE_MFG(_id, _name, _parent, _shift) \ +- GATE_MTK(_id, _name, _parent, &mfg_cg_regs, _shift, \ +- &mtk_clk_gate_ops_setclr) ++#define GATE_MFG(_id, _name, _parent, _shift) \ ++ GATE_MTK_FLAGS(_id, _name, _parent, &mfg_cg_regs, _shift, \ ++ &mtk_clk_gate_ops_setclr, CLK_SET_RATE_PARENT) + + static const struct mtk_gate mfg_clks[] = { + GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "mfg_sel", 0) +-- +2.35.1 + diff --git a/queue-5.4/clk-meson-hold-reference-returned-by-of_get_parent.patch b/queue-5.4/clk-meson-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..73d8f5736fb --- /dev/null +++ b/queue-5.4/clk-meson-hold-reference-returned-by-of_get_parent.patch 
@@ -0,0 +1,99 @@ +From 8abbfff80d121e71cf1ad0228088b67034931fc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 22:10:38 +0800 +Subject: clk: meson: Hold reference returned by of_get_parent() + +From: Liang He + +[ Upstream commit 89ab396d712f7c91fe94f55cff23460426f5fc81 ] + +We should hold the reference returned by of_get_parent() and use it +to call of_node_put() for refcount balance. + +Fixes: 88e2da81241e ("clk: meson: aoclk: refactor common code into dedicated file") +Fixes: 6682bd4d443f ("clk: meson: factorise meson64 peripheral clock controller drivers") +Fixes: bb6eddd1d28c ("clk: meson: meson8b: use the HHI syscon if available") + +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220628141038.168383-1-windhl@126.com +Reviewed-by: Neil Armstrong +Reviewed-by: Martin Blumenstingl +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/meson-aoclk.c | 5 ++++- + drivers/clk/meson/meson-eeclk.c | 5 ++++- + drivers/clk/meson/meson8b.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/meson/meson-aoclk.c b/drivers/clk/meson/meson-aoclk.c +index bf8bea675d24..6c7110a96194 100644 +--- a/drivers/clk/meson/meson-aoclk.c ++++ b/drivers/clk/meson/meson-aoclk.c +@@ -36,6 +36,7 @@ int meson_aoclkc_probe(struct platform_device *pdev) + struct meson_aoclk_reset_controller *rstc; + struct meson_aoclk_data *data; + struct device *dev = &pdev->dev; ++ struct device_node *np; + struct regmap *regmap; + int ret, clkid; + +@@ -47,7 +48,9 @@ int meson_aoclkc_probe(struct platform_device *pdev) + if (!rstc) + return -ENOMEM; + +- regmap = syscon_node_to_regmap(of_get_parent(dev->of_node)); ++ np = of_get_parent(dev->of_node); ++ regmap = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(regmap)) { + dev_err(dev, "failed to get regmap\n"); + return PTR_ERR(regmap); +diff --git a/drivers/clk/meson/meson-eeclk.c b/drivers/clk/meson/meson-eeclk.c +index a7cb1e7aedc4..18ae38787268 
100644 +--- a/drivers/clk/meson/meson-eeclk.c ++++ b/drivers/clk/meson/meson-eeclk.c +@@ -17,6 +17,7 @@ int meson_eeclkc_probe(struct platform_device *pdev) + { + const struct meson_eeclkc_data *data; + struct device *dev = &pdev->dev; ++ struct device_node *np; + struct regmap *map; + int ret, i; + +@@ -25,7 +26,9 @@ int meson_eeclkc_probe(struct platform_device *pdev) + return -EINVAL; + + /* Get the hhi system controller node */ +- map = syscon_node_to_regmap(of_get_parent(dev->of_node)); ++ np = of_get_parent(dev->of_node); ++ map = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(map)) { + dev_err(dev, + "failed to get HHI regmap\n"); +diff --git a/drivers/clk/meson/meson8b.c b/drivers/clk/meson/meson8b.c +index 082178a0f41a..efddf0d152a4 100644 +--- a/drivers/clk/meson/meson8b.c ++++ b/drivers/clk/meson/meson8b.c +@@ -3684,13 +3684,16 @@ static void __init meson8b_clkc_init_common(struct device_node *np, + struct clk_hw_onecell_data *clk_hw_onecell_data) + { + struct meson8b_clk_reset *rstc; ++ struct device_node *parent_np; + const char *notifier_clk_name; + struct clk *notifier_clk; + void __iomem *clk_base; + struct regmap *map; + int i, ret; + +- map = syscon_node_to_regmap(of_get_parent(np)); ++ parent_np = of_get_parent(np); ++ map = syscon_node_to_regmap(parent_np); ++ of_node_put(parent_np); + if (IS_ERR(map)) { + pr_info("failed to get HHI regmap - Trying obsolete regs\n"); + +-- +2.35.1 + diff --git a/queue-5.4/clk-oxnas-hold-reference-returned-by-of_get_parent.patch b/queue-5.4/clk-oxnas-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..0ebafe9a091 --- /dev/null +++ b/queue-5.4/clk-oxnas-hold-reference-returned-by-of_get_parent.patch 
@@ -0,0 +1,49 @@
+From dee3df947eac0d7f1d0246e03d096e17cd11f9bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Jun 2022 22:31:55 +0800
+Subject: clk: oxnas: Hold reference returned by of_get_parent()
+
+From: Liang He
+
+[ Upstream commit 1d6aa08c54cd0e005210ab8e3b1e92ede70f8a4f ]
+
+In oxnas_stdclk_probe(), we need to hold the reference returned by
+of_get_parent() and use it to call of_node_put() for refcount
+balance.
+
+Fixes: 0bbd72b4c64f ("clk: Add Oxford Semiconductor OXNAS Standard Clocks")
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220628143155.170550-1-windhl@126.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk-oxnas.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-oxnas.c b/drivers/clk/clk-oxnas.c
+index 78d5ea669fea..2fe36f579ac5 100644
+--- a/drivers/clk/clk-oxnas.c
++++ b/drivers/clk/clk-oxnas.c
+@@ -207,7 +207,7 @@ static const struct of_device_id oxnas_stdclk_dt_ids[] = {
+
+ static int oxnas_stdclk_probe(struct platform_device *pdev)
+ {
+- struct device_node *np = pdev->dev.of_node;
++ struct device_node *np = pdev->dev.of_node, *parent_np;
+ const struct oxnas_stdclk_data *data;
+ const struct of_device_id *id;
+ struct regmap *regmap;
+@@ -219,7 +219,9 @@ static int oxnas_stdclk_probe(struct platform_device *pdev)
+ return -ENODEV;
+ data = id->data;
+
+- regmap = syscon_node_to_regmap(of_get_parent(np));
++ parent_np = of_get_parent(np);
++ regmap = syscon_node_to_regmap(parent_np);
++ of_node_put(parent_np);
+ if (IS_ERR(regmap)) {
+ dev_err(&pdev->dev, "failed to have parent regmap\n");
+ return PTR_ERR(regmap);
+--
+2.35.1
+
diff --git a/queue-5.4/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch b/queue-5.4/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
new file mode 100644
index 00000000000..6b5cc804723
--- /dev/null
+++ b/queue-5.4/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
@@ -0,0 +1,37 @@
+From eb62f4d8c0326bcb10daa071686fbdd1d99f8d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 18:38:34 +0400
+Subject: clk: tegra: Fix refcount leak in tegra114_clock_init
+
+From: Miaoqian Lin
+
+[ Upstream commit db16a80c76ea395766913082b1e3f939dde29b2c ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 2cb5efefd6f7 ("clk: tegra: Implement clocks for Tegra114")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220523143834.7587-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra114.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra114.c b/drivers/clk/tegra/clk-tegra114.c
+index 4efcaaf51b3a..586b091651dd 100644
+--- a/drivers/clk/tegra/clk-tegra114.c
++++ b/drivers/clk/tegra/clk-tegra114.c
+@@ -1337,6 +1337,7 @@ static void __init tegra114_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
diff --git a/queue-5.4/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch b/queue-5.4/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
new file mode 100644
index 00000000000..dce931f5f7a
--- /dev/null
+++ b/queue-5.4/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
@@ -0,0 +1,37 @@
+From 51125deb11c1bcef33d476110c2ba3182bd902ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 18:26:08 +0400
+Subject: clk: tegra: Fix refcount leak in tegra210_clock_init
+
+From: Miaoqian Lin
+
+[ Upstream commit 56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 6b301a059eb2 ("clk: tegra: Add support for Tegra210 clocks")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220523142608.65074-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index df172d5772d7..34155b5b994d 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -3523,6 +3523,7 @@ static void __init tegra210_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
diff --git a/queue-5.4/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch b/queue-5.4/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
new file mode 100644
index 00000000000..7ba4601e906
--- /dev/null
+++ b/queue-5.4/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
@@ -0,0 +1,37 @@
+From e51e02dd863411de5df02603a12a2be862884ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 19:28:11 +0400
+Subject: clk: tegra20: Fix refcount leak in tegra20_clock_init
+
+From: Miaoqian Lin
+
+[ Upstream commit 4e343bafe03ff68a62f48f8235cf98f2c685468b ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 37c26a906527 ("clk: tegra: add clock support for Tegra20")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220523152811.19692-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra20.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index bcd871134f45..3e0f04f0e16e 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -1151,6 +1151,7 @@ static void __init tegra20_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ BUG();
+--
+2.35.1
+
diff --git a/queue-5.4/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch b/queue-5.4/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
new file mode 100644
index 00000000000..8701f36bcf7
--- /dev/null
+++ b/queue-5.4/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
@@ -0,0 +1,60 @@
+From 2aa6efbd80d6810f644994158d621203f43722ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 07:08:36 +0400
+Subject: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 ]
+
+pm_runtime_get_sync() will increment pm usage counter.
+Forgetting to putting operation will result in reference leak.
+Add missing pm_runtime_put_sync in some error paths.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220602030838.52057-1-linmq006@gmail.com
+Reviewed-by: Tony Lindgren
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/ti/clk-dra7-atl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index f65e16c4f3c4..62ea790d79f9 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -252,14 +252,16 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_err("%s: failed to lookup atl clock %d\n", __func__,
+ i);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto pm_put;
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+- return PTR_ERR(clk);
++ ret = PTR_ERR(clk);
++ goto pm_put;
+ }
+
+ cdesc = to_atl_desc(__clk_get_hw(clk));
+@@ -292,8 +294,9 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (cdesc->enabled)
+ atl_clk_enable(__clk_get_hw(clk));
+ }
+- pm_runtime_put_sync(cinfo->dev);
+
++pm_put:
++ pm_runtime_put_sync(cinfo->dev);
+ return ret;
+ }
+
+--
+2.35.1
+
diff --git a/queue-5.4/clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch b/queue-5.4/clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch
new file mode 100644
index 00000000000..969bb2eb081
--- /dev/null
+++ b/queue-5.4/clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch
@@ -0,0 +1,118 @@
+From f4a73352fe5fa6524e03f81eb2cfa5bc62559177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 May 2022 12:31:54 +0530
+Subject: clk: zynqmp: Fix stack-out-of-bounds in strncpy`
+
+From: Ian Nam
+
+[ Upstream commit dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 ]
+
+"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"
+
+Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is
+longer than 15 bytes, string terminated NULL character will not be received
+by Linux. Add explicit NULL character at last byte to fix issues when clock
+name is longer.
+
+This fixes below bug reported by KASAN:
+
+ ==================================================================
+ BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
+ Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1
+
+ CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
+ Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
+ Call trace:
+ dump_backtrace+0x0/0x1e8
+ show_stack+0x14/0x20
+ dump_stack+0xd4/0x108
+ print_address_description.isra.0+0xbc/0x37c
+ __kasan_report+0x144/0x198
+ kasan_report+0xc/0x18
+ __asan_load1+0x5c/0x68
+ strncpy+0x30/0x68
+ zynqmp_clock_probe+0x238/0x7b8
+ platform_drv_probe+0x6c/0xc8
+ really_probe+0x14c/0x418
+ driver_probe_device+0x74/0x130
+ __device_attach_driver+0xc4/0xe8
+ bus_for_each_drv+0xec/0x150
+ __device_attach+0x160/0x1d8
+ device_initial_probe+0x10/0x18
+ bus_probe_device+0xe0/0xf0
+ device_add+0x528/0x950
+ of_device_add+0x5c/0x80
+ of_platform_device_create_pdata+0x120/0x168
+ of_platform_bus_create+0x244/0x4e0
+ of_platform_populate+0x50/0xe8
+ zynqmp_firmware_probe+0x370/0x3a8
+ platform_drv_probe+0x6c/0xc8
+ really_probe+0x14c/0x418
+ driver_probe_device+0x74/0x130
+ device_driver_attach+0x94/0xa0
+ __driver_attach+0x70/0x108
+ bus_for_each_dev+0xe4/0x158
+ driver_attach+0x30/0x40
+ bus_add_driver+0x21c/0x2b8
+ driver_register+0xbc/0x1d0
+ __platform_driver_register+0x7c/0x88
+ zynqmp_firmware_driver_init+0x1c/0x24
+ do_one_initcall+0xa4/0x234
+ kernel_init_freeable+0x1b0/0x24c
+ kernel_init+0x10/0x110
+ ret_from_fork+0x10/0x18
+
+ The buggy address belongs to the page:
+ page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
+ raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
+ raw: 0000000000000000 0000000000000000 00000000ffffffff
+ page dumped because: kasan: bad access detected
+
+ addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
+ zynqmp_clock_probe+0x0/0x7b8
+
+ this frame has 3 objects:
+ [32, 44) 'response'
+ [64, 80) 'ret_payload'
+ [96, 112) 'name'
+
+ Memory state around the buggy address:
+ ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
+ >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+ ^
+ ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ==================================================================
+
+Signed-off-by: Ian Nam
+Signed-off-by: Shubhrajyoti Datta
+Link: https://lore.kernel.org/r/20220510070154.29528-3-shubhrajyoti.datta@xilinx.com
+Acked-by: Michal Simek
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/zynqmp/clkc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c
+index 6f057ab9df03..4ef201ac8252 100644
+--- a/drivers/clk/zynqmp/clkc.c
++++ b/drivers/clk/zynqmp/clkc.c
+@@ -679,6 +679,13 @@ static void zynqmp_get_clock_info(void)
+ FIELD_PREP(CLK_ATTR_NODE_INDEX, i);
+
+ zynqmp_pm_clock_get_name(clock[i].clk_id, &name);
++
++ /*
++ * Terminate with NULL character in case name provided by firmware
++ * is longer and truncated due to size limit.
++ */
++ name.name[sizeof(name.name) - 1] = '\0';
++
+ if (!strcmp(name.name, RESERVED_CLK_NAME))
+ continue;
+ strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN);
+--
+2.35.1
+
diff --git a/queue-5.4/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch b/queue-5.4/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch
new file mode 100644
index 00000000000..26ef4c7fce9
--- /dev/null
+++ b/queue-5.4/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch
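Review bot: The copy that follows the new terminator, `strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN);`, leaves clk_name terminated only if MAX_NAME_LEN is larger than the 16-byte name buffer shown in the KASAN frame layout, and that relationship is not visible in this hunk. Now that name.name is always terminated, `strscpy(clock[i].clk_name, name.name, MAX_NAME_LEN);` would make the destination self-terminating regardless of the two sizes. The return value of zynqmp_pm_clock_get_name() is also unused on the line above, so after a failed firmware query the comparison presumably runs on whatever the call left in name; that is worth confirming. zynqmp_get_clock_info() starts and ends outside the hunk.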
@@ -0,0 +1,92 @@
+From 4a77b4a4f786c257368e8d273fde1a07ee918f65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 22:20:30 +0800
+Subject: clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate
+
+From: Quanyang Wang
+
+[ Upstream commit 30eaf02149ecc3c5815e45d27187bf09e925071d ]
+
+The function zynqmp_pll_round_rate is used to find a most appropriate
+PLL frequency which the hardware can generate according to the desired
+frequency. For example, if the desired frequency is 297MHz, considering
+the limited range from PS_PLL_VCO_MIN (1.5GHz) to PS_PLL_VCO_MAX (3.0GHz)
+of PLL, zynqmp_pll_round_rate should return 1.872GHz (297MHz * 5).
+
+There are two problems with the current code of zynqmp_pll_round_rate:
+
+1) When the rate is below PS_PLL_VCO_MIN, it can't find a correct rate
+when the parameter "rate" is an integer multiple of *prate, in other words,
+if "f" is zero, zynqmp_pll_round_rate won't return a valid frequency which
+is from PS_PLL_VCO_MIN to PS_PLL_VCO_MAX. For example, *prate is 33MHz
+and the rate is 660MHz, zynqmp_pll_round_rate will not boost up rate and
+just return 660MHz, and this will cause clk_calc_new_rates failure since
+zynqmp_pll_round_rate returns an invalid rate out of its boundaries.
+
+2) Even if the rate is higher than PS_PLL_VCO_MIN, there is still a risk
+that zynqmp_pll_round_rate returns an invalid rate because the function
+DIV_ROUND_CLOSEST makes some loss in the fractional part. If the parent
+clock *prate is 33333333Hz and we want to set the PLL rate to 1.5GHz,
+this function will return 1499999985Hz by using the formula below:
+ value = *prate * DIV_ROUND_CLOSEST(rate, *prate)).
+This value is also invalid since it's slightly smaller than PS_PLL_VCO_MIN.
+because DIV_ROUND_CLOSEST makes some loss in the fractional part.
+
+Signed-off-by: Quanyang Wang
+Link: https://lore.kernel.org/r/20220826142030.213805-1-quanyang.wang@windriver.com
+Reviewed-by: Shubhrajyoti Datta
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/zynqmp/pll.c | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/clk/zynqmp/pll.c b/drivers/clk/zynqmp/pll.c
+index 18fee827602a..3a2a694e5bf3 100644
+--- a/drivers/clk/zynqmp/pll.c
++++ b/drivers/clk/zynqmp/pll.c
+@@ -98,26 +98,25 @@ static long zynqmp_pll_round_rate(struct clk_hw *hw, unsigned long rate,
+ unsigned long *prate)
+ {
+ u32 fbdiv;
+- long rate_div, f;
++ u32 mult, div;
+
+- /* Enable the fractional mode if needed */
+- rate_div = (rate * FRAC_DIV) / *prate;
+- f = rate_div % FRAC_DIV;
+- if (f) {
+- if (rate > PS_PLL_VCO_MAX) {
+- fbdiv = rate / PS_PLL_VCO_MAX;
+- rate = rate / (fbdiv + 1);
+- }
+- if (rate < PS_PLL_VCO_MIN) {
+- fbdiv = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate);
+- rate = rate * fbdiv;
+- }
+- return rate;
++ /* Let rate fall inside the range PS_PLL_VCO_MIN ~ PS_PLL_VCO_MAX */
++ if (rate > PS_PLL_VCO_MAX) {
++ div = DIV_ROUND_UP(rate, PS_PLL_VCO_MAX);
++ rate = rate / div;
++ }
++ if (rate < PS_PLL_VCO_MIN) {
++ mult = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate);
++ rate = rate * mult;
+ }
+
+ fbdiv = DIV_ROUND_CLOSEST(rate, *prate);
+- fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX);
+- return *prate * fbdiv;
++ if (fbdiv < PLL_FBDIV_MIN || fbdiv > PLL_FBDIV_MAX) {
++ fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX);
++ rate = *prate * fbdiv;
++ }
++
++ return rate;
+ }
+
+ /**
+--
+2.35.1
+
diff --git a/queue-5.4/crypto-akcipher-default-implementation-for-setting-a.patch b/queue-5.4/crypto-akcipher-default-implementation-for-setting-a.patch
new file mode 100644
index 00000000000..c72df8ae597
--- /dev/null
+++ b/queue-5.4/crypto-akcipher-default-implementation-for-setting-a.patch
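Review bot: With the `if (f)` guard removed, `DIV_ROUND_UP(PS_PLL_VCO_MIN, rate)` in zynqmp_pll_round_rate() now runs for every rate below PS_PLL_VCO_MIN, including a requested rate of 0, which would divide by zero. The old code reached that division only when the fractional remainder was non-zero, which a zero rate never produced. `DIV_ROUND_CLOSEST(rate, *prate)` likewise assumes a non-zero parent rate. Whether the clk core can pass 0 for either value is not visible from the hunk, so a guard at the top such as `if (!rate || !*prate) return -EINVAL;` would make the precondition explicit.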
@@ -0,0 +1,70 @@
+From c702836c1e64788d6a862483ca3636fa4b95d9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Aug 2022 19:37:06 +0100
+Subject: crypto: akcipher - default implementation for setting a private key
+
+From: Ignat Korchagin
+
+[ Upstream commit bc155c6c188c2f0c5749993b1405673d25a80389 ]
+
+Changes from v1:
+ * removed the default implementation from set_pub_key: it is assumed that
+ an implementation must always have this callback defined as there are
+ no use case for an algorithm, which doesn't need a public key
+
+Many akcipher implementations (like ECDSA) support only signature
+verifications, so they don't have all callbacks defined.
+
+Commit 78a0324f4a53 ("crypto: akcipher - default implementations for
+request callbacks") introduced default callbacks for sign/verify
+operations, which just return an error code.
+
+However, these are not enough, because before calling sign the caller would
+likely call set_priv_key first on the instantiated transform (as the
+in-kernel testmgr does). This function does not have a default stub, so the
+kernel crashes, when trying to set a private key on an akcipher, which
+doesn't support signature generation.
+
+I've noticed this, when trying to add a KAT vector for ECDSA signature to
+the testmgr.
+
+With this patch the testmgr returns an error in dmesg (as it should)
+instead of crashing the kernel NULL ptr dereference.
+
+Fixes: 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks")
+Signed-off-by: Ignat Korchagin
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/akcipher.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/crypto/akcipher.c b/crypto/akcipher.c
+index 7d5cf4939423..ceb0c2fb2b24 100644
+--- a/crypto/akcipher.c
++++ b/crypto/akcipher.c
+@@ -119,6 +119,12 @@ static int akcipher_default_op(struct akcipher_request *req)
+ return -ENOSYS;
+ }
+
++static int akcipher_default_set_key(struct crypto_akcipher *tfm,
++ const void *key, unsigned int keylen)
++{
++ return -ENOSYS;
++}
++
+ int crypto_register_akcipher(struct akcipher_alg *alg)
+ {
+ struct crypto_alg *base = &alg->base;
+@@ -131,6 +137,8 @@ int crypto_register_akcipher(struct akcipher_alg *alg)
+ alg->encrypt = akcipher_default_op;
+ if (!alg->decrypt)
+ alg->decrypt = akcipher_default_op;
++ if (!alg->set_priv_key)
++ alg->set_priv_key = akcipher_default_set_key;
+
+ akcipher_prepare_alg(alg);
+ return crypto_register_alg(base);
+--
+2.35.1
+
diff --git a/queue-5.4/crypto-cavium-prevent-integer-overflow-loading-firmw.patch b/queue-5.4/crypto-cavium-prevent-integer-overflow-loading-firmw.patch
new file mode 100644
index 00000000000..e549f44a4d5
--- /dev/null
+++ b/queue-5.4/crypto-cavium-prevent-integer-overflow-loading-firmw.patch
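Review bot: crypto_register_akcipher() now stubs set_priv_key but still accepts an algorithm whose set_pub_key is NULL, so the assumption stated in the commit message (every implementation defines set_pub_key) is enforced nowhere in the code shown. If an implementation ever omits it, a call through the NULL callback would presumably fail the same way set_priv_key did before this change. Either reject such an algorithm at registration with `if (!alg->set_pub_key) return -EINVAL;`, or record the requirement next to the new default, for example `/* set_pub_key has no default: every akcipher must provide it */`. The first lines of crypto_register_akcipher()'s body fall between the two hunks and are not shown.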
@@ -0,0 +1,56 @@
+From 2ce3d81f37dc81d1d4370301129ab8ea4d099599 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Sep 2022 09:43:27 +0300
+Subject: crypto: cavium - prevent integer overflow loading firmware
+
+From: Dan Carpenter
+
+[ Upstream commit 2526d6bf27d15054bb0778b2f7bc6625fd934905 ]
+
+The "code_length" value comes from the firmware file. If your firmware
+is untrusted realistically there is probably very little you can do to
+protect yourself. Still we try to limit the damage as much as possible.
+Also Smatch marks any data read from the filesystem as untrusted and
+prints warnings if it not capped correctly.
+
+The "ntohl(ucode->code_length) * 2" multiplication can have an
+integer overflow.
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index 781949027451..d9362199423f 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -254,6 +254,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ const struct firmware *fw_entry;
+ struct device *dev = &cpt->pdev->dev;
+ struct ucode_header *ucode;
++ unsigned int code_length;
+ struct microcode *mcode;
+ int j, ret = 0;
+
+@@ -264,11 +265,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ ucode = (struct ucode_header *)fw_entry->data;
+ mcode = &cpt->mcode[cpt->next_mc_idx];
+ memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
+- mcode->code_size = ntohl(ucode->code_length) * 2;
+- if (!mcode->code_size) {
++ code_length = ntohl(ucode->code_length);
++ if (code_length == 0 || code_length >= INT_MAX / 2) {
+ ret = -EINVAL;
+ goto fw_release;
+ }
++ mcode->code_size = code_length * 2;
+
+ mcode->is_ae = is_ae;
+ mcode->core_mask = 0ULL;
+--
+2.35.1
+
diff --git a/queue-5.4/crypto-ccp-release-dma-channels-before-dmaengine-unr.patch b/queue-5.4/crypto-ccp-release-dma-channels-before-dmaengine-unr.patch
new file mode 100644
index 00000000000..31d768eabbc
--- /dev/null
+++ b/queue-5.4/crypto-ccp-release-dma-channels-before-dmaengine-unr.patch
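Review bot: The new bound on code_length stops the multiplication from wrapping, but nothing in cpt_ucode_load_fw() as shown compares it with fw_entry->size, so a header that claims more code than the file holds still passes. The cast `ucode = (struct ucode_header *)fw_entry->data` and the version memcpy likewise assume the file is at least as large as the header. A check before the header is read, `if (fw_entry->size < sizeof(*ucode))`, and one after the conversion, `if (code_length > (fw_entry->size - sizeof(*ucode)) / 2)`, both taking the existing `ret = -EINVAL; goto fw_release;` path, would tie the length to the data actually loaded. How code_size is consumed later in the function is outside the hunk, so the assumed layout (header followed by code) should be confirmed first.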
@@ -0,0 +1,54 @@
+From 892b9981c9f232d6158b281e0786dc0356d9bac6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Sep 2022 22:47:12 +0800
+Subject: crypto: ccp - Release dma channels before dmaengine unrgister
+
+From: Koba Ko
+
+[ Upstream commit 68dbe80f5b510c66c800b9e8055235c5b07e37d1 ]
+
+A warning is shown during shutdown,
+
+__dma_async_device_channel_unregister called while 2 clients hold a reference
+WARNING: CPU: 15 PID: 1 at drivers/dma/dmaengine.c:1110 __dma_async_device_channel_unregister+0xb7/0xc0
+
+Call dma_release_channel for occupied channles before dma_async_device_unregister.
+
+Fixes: 54cce8ecb925 ("crypto: ccp - ccp_dmaengine_unregister release dma channels")
+Reported-by: kernel test robot
+Signed-off-by: Koba Ko
+Acked-by: Tom Lendacky
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/ccp/ccp-dmaengine.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c
+index b3eea329f840..b9299defb431 100644
+--- a/drivers/crypto/ccp/ccp-dmaengine.c
++++ b/drivers/crypto/ccp/ccp-dmaengine.c
+@@ -642,6 +642,10 @@ static void ccp_dma_release(struct ccp_device *ccp)
+ for (i = 0; i < ccp->cmd_q_count; i++) {
+ chan = ccp->ccp_dma_chan + i;
+ dma_chan = &chan->dma_chan;
++
++ if (dma_chan->client_count)
++ dma_release_channel(dma_chan);
++
+ tasklet_kill(&chan->cleanup_tasklet);
+ list_del_rcu(&dma_chan->device_node);
+ }
+@@ -767,8 +771,8 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp)
+ if (!dmaengine)
+ return;
+
+- dma_async_device_unregister(dma_dev);
+ ccp_dma_release(ccp);
++ dma_async_device_unregister(dma_dev);
+
+ kmem_cache_destroy(ccp->dma_desc_cache);
+ kmem_cache_destroy(ccp->dma_cmd_cache);
+--
+2.35.1
+
diff --git a/queue-5.4/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch b/queue-5.4/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
new file mode 100644
index 00000000000..02268cabb18
--- /dev/null
+++ b/queue-5.4/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
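Review bot: In ccp_dma_release() the added `if (dma_chan->client_count) dma_release_channel(dma_chan);` drops one reference per channel, while the warning quoted in the description reports 2 clients holding a reference, so a channel with more than one client would presumably still be referenced when dma_async_device_unregister() runs. The count is also read without any lock visible in the hunk, and a client that requested the channel keeps its pointer after the provider releases it on the client's behalf. A comment stating which clients are expected to still hold a channel at this point, and why a single release is sufficient, would make the new teardown order easier to audit. Both functions start outside the hunks shown.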
@@ -0,0 +1,61 @@
+From 6525e1b1ca020004c6c3375660847234deeeffdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Sep 2022 09:58:42 -0700
+Subject: dmaengine: ioat: stop mod_timer from resurrecting deleted timer in
+ __cleanup()
+
+From: Dave Jiang
+
+[ Upstream commit 898ec89dbb55b8294695ad71694a0684e62b2a73 ]
+
+User reports observing timer event report channel halted but no error
+observed in CHANERR register. The driver finished self-test and released
+channel resources. Debug shows that __cleanup() can call
+mod_timer() after the timer has been deleted and thus resurrect the
+timer. While harmless, it causes suprious error message to be emitted.
+Use mod_timer_pending() call to prevent deleted timer from being
+resurrected.
+
+Fixes: 3372de5813e4 ("dmaengine: ioatdma: removal of dma_v3.c and relevant ioat3 references")
+Signed-off-by: Dave Jiang
+Link: https://lore.kernel.org/r/166360672197.3851724.17040290563764838369.stgit@djiang5-desk3.ch.intel.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/ioat/dma.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c
+index 8e2a4d1f0be5..997839c2130e 100644
+--- a/drivers/dma/ioat/dma.c
++++ b/drivers/dma/ioat/dma.c
+@@ -653,7 +653,7 @@ static void __cleanup(struct ioatdma_chan *ioat_chan, dma_addr_t phys_complete)
+ if (active - i == 0) {
+ dev_dbg(to_dev(ioat_chan), "%s: cancel completion timeout\n",
+ __func__);
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ }
+
+ /* microsecond delay by sysfs variable per pending descriptor */
+@@ -679,7 +679,7 @@ static void ioat_cleanup(struct ioatdma_chan *ioat_chan)
+
+ if (chanerr &
+ (IOAT_CHANERR_HANDLE_MASK | IOAT_CHANERR_RECOVER_MASK)) {
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ ioat_eh(ioat_chan);
+ }
+ }
+@@ -876,7 +876,7 @@ static void check_active(struct ioatdma_chan *ioat_chan)
+ }
+
+ if (test_and_clear_bit(IOAT_CHAN_ACTIVE, &ioat_chan->state))
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ }
+
+ void ioat_timer_event(struct timer_list *t)
+--
+2.35.1
+
diff --git a/queue-5.4/drivers-serial-jsm-fix-some-leaks-in-probe.patch b/queue-5.4/drivers-serial-jsm-fix-some-leaks-in-probe.patch
new file mode 100644
index 00000000000..894cd0f77dc
--- /dev/null
+++ b/queue-5.4/drivers-serial-jsm-fix-some-leaks-in-probe.patch
@@ -0,0 +1,37 @@
+From 82698f328ffe0c9c6de39fc7f15bc726d72b6731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Sep 2022 14:22:47 +0300
+Subject: drivers: serial: jsm: fix some leaks in probe
+
+From: Dan Carpenter
+
+[ Upstream commit 1d5859ef229e381f4db38dce8ed58e4bf862006b ]
+
+This error path needs to unwind instead of just returning directly.
+
+Fixes: 03a8482c17dd ("drivers: serial: jsm: Enable support for Digi Classic adapters")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/YyxFh1+lOeZ9WfKO@kili
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/jsm/jsm_driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/jsm/jsm_driver.c b/drivers/tty/serial/jsm/jsm_driver.c
+index 592e51d8944e..07e9be9865c7 100644
+--- a/drivers/tty/serial/jsm/jsm_driver.c
++++ b/drivers/tty/serial/jsm/jsm_driver.c
+@@ -212,7 +212,8 @@ static int jsm_probe_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ break;
+ default:
+- return -ENXIO;
++ rc = -ENXIO;
++ goto out_kfree_brd;
+ }
+
+ rc = request_irq(brd->irq, brd->bd_ops->intr, IRQF_SHARED, "JSM", brd);
+--
+2.35.1
+
diff --git a/queue-5.4/drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch b/queue-5.4/drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch
new file mode 100644
index 00000000000..354100ee382
--- /dev/null
+++ b/queue-5.4/drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch
@@ -0,0 +1,54 @@
+From 7003c583e1d247137329b96240c27451d5ef3629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Sep 2022 15:01:46 -0400
+Subject: drm/amd/display: fix array-bounds error in
+ dc_stream_remove_writeback()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hamza Mahfooz
+
+[ Upstream commit 5d8c3e836fc224dfe633e41f7f2856753b39a905 ]
+
+Address the following error:
+drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c: In function ‘dc_stream_remove_writeback’:
+drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:527:55: error: array subscript [0, 0] is outside array bounds of ‘struct dc_writeback_info[1]’ [-Werror=array-bounds]
+ 527 | stream->writeback_info[j] = stream->writeback_info[i];
+ | ~~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from ./drivers/gpu/drm/amd/amdgpu/../display/dc/dc.h:1269,
+ from ./drivers/gpu/drm/amd/amdgpu/../display/dc/inc/core_types.h:29,
+ from ./drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dc_common.h:29,
+ from drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:27:
+./drivers/gpu/drm/amd/amdgpu/../display/dc/dc_stream.h:241:34: note: while referencing ‘writeback_info’
+ 241 | struct dc_writeback_info writeback_info[MAX_DWB_PIPES];
+ |
+
+Currently, we aren't checking to see if j remains within
+writeback_info[]'s bounds. So, add a check to make sure that we aren't
+overflowing the buffer.
+
+Reviewed-by: Aurabindo Pillai
+Signed-off-by: Hamza Mahfooz
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+index bb09243758fe..95d36cb79e28 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+@@ -458,7 +458,7 @@ bool dc_stream_remove_writeback(struct dc *dc,
+ }
+
+ /* remove writeback info for disabled writeback pipes from stream */
+- for (i = 0, j = 0; i < stream->num_wb_info; i++) {
++ for (i = 0, j = 0; i < stream->num_wb_info && j < MAX_DWB_PIPES; i++) {
+ if (stream->writeback_info[i].wb_enabled) {
+ if (i != j)
+ /* trim the array */
+--
+2.35.1
+
diff --git a/queue-5.4/drm-amd-display-fix-overflow-on-min_i64-definition.patch b/queue-5.4/drm-amd-display-fix-overflow-on-min_i64-definition.patch
new file mode 100644
index 00000000000..49065cc4e4e
--- /dev/null
+++ b/queue-5.4/drm-amd-display-fix-overflow-on-min_i64-definition.patch
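Review bot: The added `j < MAX_DWB_PIPES` condition in dc_stream_remove_writeback() bounds only the write index; the read index i is still limited by stream->num_wb_info alone, and as far as the visible lines show j never runs ahead of i. If num_wb_info can exceed MAX_DWB_PIPES, `stream->writeback_info[i].wb_enabled` is the access that leaves the array, so the check belongs on num_wb_info before the loop, for example `if (stream->num_wb_info > MAX_DWB_PIPES) return false;`. Where num_wb_info is set is outside the hunk, and the loop body continues past it.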
@@ -0,0 +1,57 @@
+From de5d6a6d407433da969c0d2680dfb7e11512b830 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Aug 2022 17:43:26 -0300
+Subject: drm/amd/display: fix overflow on MIN_I64 definition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Gow
+
+[ Upstream commit 6ae0632d17759852c07e2d1e0a31c728eb6ba246 ]
+
+The definition of MIN_I64 in bw_fixed.c can cause gcc to whinge about
+integer overflow, because it is treated as a positive value, which is
+then negated. The temporary positive value is not necessarily
+representable.
+
+This causes the following warning:
+../drivers/gpu/drm/amd/amdgpu/../display/dc/dml/calcs/bw_fixed.c:30:19:
+warning: integer overflow in expression ‘-9223372036854775808’ of type
+‘long long int’ results in ‘-9223372036854775808’ [-Woverflow]
+ 30 | (int64_t)(-(1LL << 63))
+ | ^
+
+Writing out (-MAX_I64 - 1) works instead.
+
+Signed-off-by: David Gow
+Signed-off-by: Tales Aparecida
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c b/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c
+index 6ca288fb5fb9..2d46bc527b21 100644
+--- a/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c
++++ b/drivers/gpu/drm/amd/display/dc/calcs/bw_fixed.c
+@@ -26,12 +26,12 @@
+ #include "bw_fixed.h"
+
+
+-#define MIN_I64 \
+- (int64_t)(-(1LL << 63))
+-
+ #define MAX_I64 \
+ (int64_t)((1ULL << 63) - 1)
+
++#define MIN_I64 \
++ (-MAX_I64 - 1)
++
+ #define FRACTIONAL_PART_MASK \
+ ((1ULL << BW_FIXED_BITS_PER_FRACTIONAL_PART) - 1)
+
+--
+2.35.1
+
diff --git a/queue-5.4/drm-amdgpu-fix-initial-connector-audio-value.patch b/queue-5.4/drm-amdgpu-fix-initial-connector-audio-value.patch
new file mode 100644
index 00000000000..7912c083e8c
--- /dev/null
+++ b/queue-5.4/drm-amdgpu-fix-initial-connector-audio-value.patch
@@ -0,0 +1,64 @@ +From a49108e20debcfca7cce89961166659ec1658c91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 17:24:53 +0800 +Subject: drm/amdgpu: fix initial connector audio value + +From: hongao + +[ Upstream commit 4bb71fce58f30df3f251118291d6b0187ce531e6 ] + +This got lost somewhere along the way, This fixes +audio not working until set_property was called. + +Signed-off-by: hongao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 0e1cacf73169..cf80da354ba1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -1646,10 +1646,12 @@ amdgpu_connector_add(struct amdgpu_device *adev, + adev->mode_info.dither_property, + AMDGPU_FMT_DITHER_DISABLE); + +- if (amdgpu_audio != 0) ++ if (amdgpu_audio != 0) { + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; ++ } + + subpixel_order = SubPixelHorizontalRGB; + connector->interlace_allowed = true; +@@ -1771,6 +1773,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1824,6 +1827,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1874,6 +1878,7 @@ 
amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +-- +2.35.1 + diff --git a/queue-5.4/drm-bridge-adv7511-fix-cec-power-down-control-regist.patch b/queue-5.4/drm-bridge-adv7511-fix-cec-power-down-control-regist.patch new file mode 100644 index 00000000000..8fc20956163 --- /dev/null +++ b/queue-5.4/drm-bridge-adv7511-fix-cec-power-down-control-regist.patch 
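Review bot: The pair "attach `audio_property`, then set `amdgpu_connector->audio = AMDGPU_AUDIO_AUTO`" is now repeated in four branches of amdgpu_connector_add(), and the commit message says the assignment had already been lost once. A small static helper taking `adev` and `amdgpu_connector` would keep the property default and the cached field together, so a future branch cannot attach the property without initialising the field. amdgpu_connector_add() starts and ends outside these hunks, so any other branch that attaches the audio property is not visible here and should be checked for the same omission.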
@@ -0,0 +1,69 @@ +From d4290e418fca80a364aa8aba9734dd659dbfde59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jun 2022 16:48:53 +0200 +Subject: drm: bridge: adv7511: fix CEC power down control register offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alvin Å ipraga + +[ Upstream commit 1d22b6033ea113a4c3850dfa2c0770885c81aec8 ] + +The ADV7511_REG_CEC_CTRL = 0xE2 register is part of the main register +map - not the CEC register map. As such, we shouldn't apply an offset to +the register address. Doing so will cause us to address a bogus register +for chips with a CEC register map offset (e.g. ADV7533). + +Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support") +Signed-off-by: Alvin Å ipraga +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220612144854.2223873-2-alvin@pqrs.dk +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511.h | 5 +---- + drivers/gpu/drm/bridge/adv7511/adv7511_cec.c | 4 ++-- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h +index 52b2adfdc877..90a721226231 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511.h ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h +@@ -384,10 +384,7 @@ void adv7511_cec_irq_process(struct adv7511 *adv7511, unsigned int irq1); + #else + static inline int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511) + { +- unsigned int offset = adv7511->type == ADV7533 ? 
+- ADV7533_REG_CEC_OFFSET : 0; +- +- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, ++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, + ADV7511_CEC_CTRL_POWER_DOWN); + return 0; + } +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c +index a20a45c0b353..ddd1305b82b2 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c +@@ -316,7 +316,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511) + goto err_cec_alloc; + } + +- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, 0); ++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, 0); + /* cec soft reset */ + regmap_write(adv7511->regmap_cec, + ADV7511_REG_CEC_SOFT_RESET + offset, 0x01); +@@ -343,7 +343,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511) + dev_info(dev, "Initializing CEC failed with error %d, disabling CEC\n", + ret); + err_cec_parse_dt: +- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, ++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, + ADV7511_CEC_CTRL_POWER_DOWN); + return ret == -EPROBE_DEFER ? ret : 0; + } +-- +2.35.1 + diff --git a/queue-5.4/drm-bridge-megachips-fix-a-null-pointer-dereference-.patch b/queue-5.4/drm-bridge-megachips-fix-a-null-pointer-dereference-.patch new file mode 100644 index 00000000000..ce88c0f1e7e --- /dev/null +++ b/queue-5.4/drm-bridge-megachips-fix-a-null-pointer-dereference-.patch 
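Review bot: Nothing in the new code records why `ADV7511_REG_CEC_CTRL` is written without `offset` while the neighbouring `ADV7511_REG_CEC_SOFT_RESET + offset` write keeps it, so the asymmetry in adv7511_cec_init() reads like an oversight. A comment at the first write, such as `/* CEC_CTRL is in the main register map, not the CEC map: no offset */`, would keep the offset from being re-added. The return value of each `regmap_write()` to this register is also ignored, so a failed power-down on the `err_cec_parse_dt` path goes unreported. adv7511_cec_init() extends outside the hunks.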
@@ -0,0 +1,52 @@ +From f33c4a828593a6692ec01f11b33978211ab2679a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:34:50 +0800 +Subject: drm/bridge: megachips: Fix a null pointer dereference bug + +From: Zheyu Ma + +[ Upstream commit 1ff673333d46d2c1b053ebd0c1c7c7c79e36943e ] + +When removing the module we will get the following warning: + +[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered +[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI +[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +[ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130 +[ 31.921825] Call Trace: +[ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw] +[ 31.923139] i2c_device_remove+0x181/0x1f0 + +The two bridges (stdp2690, stdp4028) do not probe at the same time, so +the driver does not call ge_b850v3_resgiter() when probing, causing the +driver to try to remove the object that has not been initialized. + +Fix this by checking whether both the bridges are probed. 
+ +Fixes: 11632d4aa2b3 ("drm/bridge: megachips: Ensure both bridges are probed before registration") +Signed-off-by: Zheyu Ma +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220830073450.1897020-1-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index 5302dd90a7a5..b72f6f541d4e 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -279,7 +279,9 @@ static void ge_b850v3_lvds_remove(void) + * This check is to avoid both the drivers + * removing the bridge in their remove() function + */ +- if (!ge_b850v3_lvds_ptr) ++ if (!ge_b850v3_lvds_ptr || ++ !ge_b850v3_lvds_ptr->stdp2690_i2c || ++ !ge_b850v3_lvds_ptr->stdp4028_i2c) + goto out; + + drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge); +-- +2.35.1 + diff --git a/queue-5.4/drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch b/queue-5.4/drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch new file mode 100644 index 00000000000..8fdf3d4771b --- /dev/null +++ b/queue-5.4/drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch 
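Review bot: With the widened condition, ge_b850v3_lvds_remove() takes `goto out` whenever only one of the two bridges was probed, which skips everything between the check and the `out:` label, not only `drm_bridge_remove()`. The rest of the function is outside the hunk; if it also resets `ge_b850v3_lvds_ptr`, that reset no longer happens in the half-probed case and the pointer may outlive the device whose remove() is running, which is worth confirming. The comment above the check still describes only the double-remove case, so I would add a line to it, `* and to skip removal when the bridge was never registered because one client did not probe`.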
@@ -0,0 +1,66 @@ +From e84838c4715e250d30827da81790093adbb49cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 09:31:00 +0900 +Subject: drm/exynos: Fix return type for mixer_mode_valid and hdmi_mode_valid + +From: Nathan Huckleberry + +[ Upstream commit 1261255531088208daeca818e2b486030b5339e5 ] + +The field mode_valid in exynos_drm_crtc_ops is expected to be of type enum +drm_mode_status (*mode_valid)(struct exynos_drm_crtc *crtc, + const struct drm_display_mode *mode); + +Likewise for mode_valid in drm_connector_helper_funcs. + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of mixer_mode_valid and hdmi_mode_valid should be changed +from int to enum drm_mode_status. + +Reported-by: Dan Carpenter +Link: https://protect2.fireeye.com/v1/url?k=3e644738-5fef521d-3e65cc77- +74fe485cbff6-36ad29bf912d3c9f&q=1&e=5cc06174-77dd-4abd-ab50- +155da5711aa3&u=https%3A%2F%2Fgithub.com%2FClangBuiltLinux%2Flinux%2Fissues%2F +1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_hdmi.c | 4 ++-- + drivers/gpu/drm/exynos/exynos_mixer.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_hdmi.c b/drivers/gpu/drm/exynos/exynos_hdmi.c +index 0073a2b3b80a..838a638fb03a 100644 +--- a/drivers/gpu/drm/exynos/exynos_hdmi.c ++++ b/drivers/gpu/drm/exynos/exynos_hdmi.c +@@ -911,8 +911,8 @@ static int hdmi_find_phy_conf(struct hdmi_context *hdata, u32 pixel_clock) + return -EINVAL; + } + +-static int hdmi_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status hdmi_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + struct hdmi_context *hdata = connector_to_hdmi(connector); + int ret; +diff --git 
a/drivers/gpu/drm/exynos/exynos_mixer.c b/drivers/gpu/drm/exynos/exynos_mixer.c +index 22f494145411..07c59e647fc2 100644 +--- a/drivers/gpu/drm/exynos/exynos_mixer.c ++++ b/drivers/gpu/drm/exynos/exynos_mixer.c +@@ -1039,7 +1039,7 @@ static void mixer_disable(struct exynos_drm_crtc *crtc) + clear_bit(MXR_BIT_POWERED, &ctx->flags); + } + +-static int mixer_mode_valid(struct exynos_drm_crtc *crtc, ++static enum drm_mode_status mixer_mode_valid(struct exynos_drm_crtc *crtc, + const struct drm_display_mode *mode) + { + struct mixer_context *ctx = crtc->ctx; +-- +2.35.1 + diff --git a/queue-5.4/drm-fix-drm_mipi_dbi-build-errors.patch b/queue-5.4/drm-fix-drm_mipi_dbi-build-errors.patch new file mode 100644 index 00000000000..c9579b7d631 --- /dev/null +++ b/queue-5.4/drm-fix-drm_mipi_dbi-build-errors.patch 
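Review bot: The `Link:` trailer in the added patch file points at a `protect2.fireeye.com` rewrite wrapped over four lines rather than at the issue itself; its `u=` parameter decodes to `https://github.com/ClangBuiltLinux/linux/issues/1703`. A gateway-rewritten link routes every reader through a third-party redirector and stops resolving when that service does, so the trailer should carry the direct URL; stable normally keeps the upstream message verbatim, so this may need to be raised upstream. In the code, the continuation line `const struct drm_display_mode *mode)` of `mixer_mode_valid` is an unchanged context line, so it presumably no longer aligns with the lengthened first line the way the `hdmi_mode_valid` one was re-aligned.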
@@ -0,0 +1,65 @@ +From 84a41c5483797924884c00dd55645cc783748a17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 17:42:43 -0700 +Subject: drm: fix drm_mipi_dbi build errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit eb7de496451bd969e203f02f66585131228ba4ae ] + +drm_mipi_dbi needs lots of DRM_KMS_HELPER support, so select +that Kconfig symbol like it is done is most other uses, and +the way that it was before MIPS_DBI was moved from tinydrm +to its core location. + +Fixes these build errors: + +ld: drivers/gpu/drm/drm_mipi_dbi.o: in function `mipi_dbi_buf_copy': +drivers/gpu/drm/drm_mipi_dbi.c:205: undefined reference to `drm_gem_fb_get_obj' +ld: drivers/gpu/drm/drm_mipi_dbi.c:211: undefined reference to `drm_gem_fb_begin_cpu_access' +ld: drivers/gpu/drm/drm_mipi_dbi.c:215: undefined reference to `drm_gem_fb_vmap' +ld: drivers/gpu/drm/drm_mipi_dbi.c:222: undefined reference to `drm_fb_swab' +ld: drivers/gpu/drm/drm_mipi_dbi.c:224: undefined reference to `drm_fb_memcpy' +ld: drivers/gpu/drm/drm_mipi_dbi.c:227: undefined reference to `drm_fb_xrgb8888_to_rgb565' +ld: drivers/gpu/drm/drm_mipi_dbi.c:235: undefined reference to `drm_gem_fb_vunmap' +ld: drivers/gpu/drm/drm_mipi_dbi.c:237: undefined reference to `drm_gem_fb_end_cpu_access' +ld: drivers/gpu/drm/drm_mipi_dbi.o: in function `mipi_dbi_dev_init_with_formats': +ld: drivers/gpu/drm/drm_mipi_dbi.o:/X64/../drivers/gpu/drm/drm_mipi_dbi.c:469: undefined reference to `drm_gem_fb_create_with_dirty' + +Fixes: 174102f4de23 ("drm/tinydrm: Move mipi-dbi") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Dillon Min +Cc: Linus Walleij +Cc: Sam Ravnborg +Cc: Noralf Trønnes +Cc: Thomas Zimmermann +Cc: Thierry Reding +Cc: dri-devel@lists.freedesktop.org +Cc: David Airlie +Cc: Daniel Vetter +Signed-off-by: Linus Walleij +Link: 
https://patchwork.freedesktop.org/patch/msgid/20220823004243.11596-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig +index 649f17dfcf45..fc6c4f81985e 100644 +--- a/drivers/gpu/drm/Kconfig ++++ b/drivers/gpu/drm/Kconfig +@@ -27,6 +27,7 @@ menuconfig DRM + config DRM_MIPI_DBI + tristate + depends on DRM ++ select DRM_KMS_HELPER + + config DRM_MIPI_DSI + bool +-- +2.35.1 + diff --git a/queue-5.4/drm-mipi-dsi-detach-devices-when-removing-the-host.patch b/queue-5.4/drm-mipi-dsi-detach-devices-when-removing-the-host.patch new file mode 100644 index 00000000000..d4ce81015fc --- /dev/null +++ b/queue-5.4/drm-mipi-dsi-detach-devices-when-removing-the-host.patch 
@@ -0,0 +1,41 @@
+From c4f2c3fa9d1494c0290598631c4724edd2f4fa67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Jul 2022 19:38:31 +0200
+Subject: drm/mipi-dsi: Detach devices when removing the host
+
+From: Maxime Ripard
+
+[ Upstream commit 668a8f17b5290d04ef7343636a5588a0692731a1 ]
+
+Whenever the MIPI-DSI host is unregistered, the code of
+mipi_dsi_host_unregister() loops over every device currently found on that
+bus and will unregister it.
+
+However, it doesn't detach it from the bus first, which leads to all kind
+of resource leaks if the host wants to perform some clean up whenever a
+device is detached.
+
+Fixes: 068a00233969 ("drm: Add MIPI DSI bus support")
+Acked-by: Thomas Zimmermann
+Signed-off-by: Maxime Ripard
+Link: https://lore.kernel.org/r/20220711173939.1132294-2-maxime@cerno.tech
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index b99f96dcc6f1..bb7f72ade628 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -300,6 +300,7 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv)
+ {
+ struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev);
+
++ mipi_dsi_detach(dsi);
+ mipi_dsi_device_unregister(dsi);
+
+ return 0;
+--
+2.35.1
+
diff --git a/queue-5.4/drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch b/queue-5.4/drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch
new file mode 100644
index 00000000000..8c89bfb6329
--- /dev/null
+++ b/queue-5.4/drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch
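Review bot: `mipi_dsi_detach(dsi)` in mipi_dsi_remove_device_fn() is now called for every device on the bus, including ones that never attached or that already detached in their own remove path, and its return value is dropped. Whether the host `detach` callbacks in this tree tolerate an unmatched or repeated call cannot be seen from this hunk, so the hosts should be checked or the call guarded by per-device attach state. A comment such as `/* detach first so the host can release per-device resources */` would also record why the order matters.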
@@ -0,0 +1,131 @@ +From 494e73951412fc08d06593842b8ede9a6545a84d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 15:57:01 +0300 +Subject: drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx + +From: Dmitry Baryshkov + +[ Upstream commit 7538f80ae0d98bf51eb89eee5344aec219902d42 ] + +Remove loops over hw_vbif. Instead always VBIF's idx as an index in the +array. This fixes an error in dpu_kms_hw_init(), where we fill +dpu_kms->hw_vbif[i], but check for an error pointer at +dpu_kms->hw_vbif[vbif_idx]. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/489569/ +Link: https://lore.kernel.org/r/20220615125703.24647-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 12 ++++------ + drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c | 29 +++++++++++------------- + 2 files changed, 18 insertions(+), 23 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index c08c67338d73..a74f8ae1a894 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -596,12 +596,10 @@ static void _dpu_kms_hw_destroy(struct dpu_kms *dpu_kms) + _dpu_kms_mmu_destroy(dpu_kms); + + if (dpu_kms->catalog) { +- for (i = 0; i < dpu_kms->catalog->vbif_count; i++) { +- u32 vbif_idx = dpu_kms->catalog->vbif[i].id; +- +- if ((vbif_idx < VBIF_MAX) && dpu_kms->hw_vbif[vbif_idx]) { +- dpu_hw_vbif_destroy(dpu_kms->hw_vbif[vbif_idx]); +- dpu_kms->hw_vbif[vbif_idx] = NULL; ++ for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) { ++ if (dpu_kms->hw_vbif[i]) { ++ dpu_hw_vbif_destroy(dpu_kms->hw_vbif[i]); ++ dpu_kms->hw_vbif[i] = NULL; + } + } + } +@@ -899,7 +897,7 @@ static int dpu_kms_hw_init(struct msm_kms *kms) + for (i = 0; i < dpu_kms->catalog->vbif_count; i++) { + u32 
vbif_idx = dpu_kms->catalog->vbif[i].id; + +- dpu_kms->hw_vbif[i] = dpu_hw_vbif_init(vbif_idx, ++ dpu_kms->hw_vbif[vbif_idx] = dpu_hw_vbif_init(vbif_idx, + dpu_kms->vbif[vbif_idx], dpu_kms->catalog); + if (IS_ERR_OR_NULL(dpu_kms->hw_vbif[vbif_idx])) { + rc = PTR_ERR(dpu_kms->hw_vbif[vbif_idx]); +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c +index 8d24b79fd400..5e6bb2f306be 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c +@@ -11,6 +11,14 @@ + #include "dpu_hw_vbif.h" + #include "dpu_trace.h" + ++static struct dpu_hw_vbif *dpu_get_vbif(struct dpu_kms *dpu_kms, enum dpu_vbif vbif_idx) ++{ ++ if (vbif_idx < ARRAY_SIZE(dpu_kms->hw_vbif)) ++ return dpu_kms->hw_vbif[vbif_idx]; ++ ++ return NULL; ++} ++ + /** + * _dpu_vbif_wait_for_xin_halt - wait for the xin to halt + * @vbif: Pointer to hardware vbif driver +@@ -148,11 +156,11 @@ static u32 _dpu_vbif_get_ot_limit(struct dpu_hw_vbif *vbif, + void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + struct dpu_vbif_set_ot_params *params) + { +- struct dpu_hw_vbif *vbif = NULL; ++ struct dpu_hw_vbif *vbif; + struct dpu_hw_mdp *mdp; + bool forced_on = false; + u32 ot_lim; +- int ret, i; ++ int ret; + + if (!dpu_kms) { + DPU_ERROR("invalid arguments\n"); +@@ -160,12 +168,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + } + mdp = dpu_kms->hw_mdp; + +- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) { +- if (dpu_kms->hw_vbif[i] && +- dpu_kms->hw_vbif[i]->idx == params->vbif_idx) +- vbif = dpu_kms->hw_vbif[i]; +- } +- ++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx); + if (!vbif || !mdp) { + DPU_DEBUG("invalid arguments vbif %d mdp %d\n", + vbif != 0, mdp != 0); +@@ -208,7 +211,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms, + struct dpu_vbif_set_qos_params *params) + { +- struct dpu_hw_vbif *vbif = NULL; ++ struct dpu_hw_vbif *vbif; + struct 
dpu_hw_mdp *mdp; + bool forced_on = false; + const struct dpu_vbif_qos_tbl *qos_tbl; +@@ -220,13 +223,7 @@ void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms, + } + mdp = dpu_kms->hw_mdp; + +- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) { +- if (dpu_kms->hw_vbif[i] && +- dpu_kms->hw_vbif[i]->idx == params->vbif_idx) { +- vbif = dpu_kms->hw_vbif[i]; +- break; +- } +- } ++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx); + + if (!vbif || !vbif->cap) { + DPU_ERROR("invalid vbif %d\n", params->vbif_idx); +-- +2.35.1 + diff --git a/queue-5.4/drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch b/queue-5.4/drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch new file mode 100644 index 00000000000..18d91fe0caf --- /dev/null +++ b/queue-5.4/drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch 
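Review bot: In dpu_kms_hw_init() the new store `dpu_kms->hw_vbif[vbif_idx] = dpu_hw_vbif_init(...)` indexes the array with the catalog's `.id` without a bounds check, although the destroy loop this commit replaces tested `vbif_idx < VBIF_MAX` and the new dpu_get_vbif() tests against `ARRAY_SIZE(dpu_kms->hw_vbif)`. The same index selects `dpu_kms->vbif[vbif_idx]` on the following line. A guard before the store, `if (vbif_idx >= ARRAY_SIZE(dpu_kms->hw_vbif))`, leaving through the function's existing error exit with `-EINVAL`, would keep a bad catalog entry from writing past the array. Separately, the new destroy loop calls dpu_hw_vbif_destroy() on every non-NULL slot, so it depends on the init error path, which is outside the hunk, clearing a slot that holds an error pointer.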
@@ -0,0 +1,163 @@ +From 59048ddbc15966c1d2c4570114099c43137bcbce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 15:46:12 +0200 +Subject: drm/msm: Make .remove and .shutdown HW shutdown consistent + +From: Javier Martinez Canillas + +[ Upstream commit 0a58d2ae572adaec8d046f8d35b40c2c32ac7468 ] + +Drivers' .remove and .shutdown callbacks are executed on different code +paths. The former is called when a device is removed from the bus, while +the latter is called at system shutdown time to quiesce the device. + +This means that some overlap exists between the two, because both have to +take care of properly shutting down the hardware. But currently the logic +used in these two callbacks isn't consistent in msm drivers, which could +lead to kernel panic. + +For example, on .remove the component is deleted and its .unbind callback +leads to the hardware being shutdown but only if the DRM device has been +marked as registered. + +That check doesn't exist in the .shutdown logic and this can lead to the +driver calling drm_atomic_helper_shutdown() for a DRM device that hasn't +been properly initialized. + +A situation like this can happen if drivers for expected sub-devices fail +to probe, since the .bind callback will never be executed. If that is the +case, drm_atomic_helper_shutdown() will attempt to take mutexes that are +only initialized if drm_mode_config_init() is called during a device bind. + +This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix +shutdown hook in case GPU components failed to bind"), but unfortunately +it still happens in some cases as the one mentioned above, i.e: + + systemd-shutdown[1]: Powering off. + kvm: exiting hardware virtualization + platform wifi-firmware.0: Removing from iommu group 12 + platform video-firmware.0: Removing from iommu group 10 + ------------[ cut here ]------------ + WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0 + ... 
+ Hardware name: Google CoachZ (rev3+) (DT) + pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0 + lr : drm_modeset_lock_all_ctx+0x48/0x3d0 + sp : ffff80000805bb80 + x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030 + x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800 + x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034 + x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000 + x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000 + x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0 + Call trace: + drm_modeset_lock_all_ctx+0x3c4/0x3d0 + drm_atomic_helper_shutdown+0x70/0x134 + msm_drv_shutdown+0x30/0x40 + platform_shutdown+0x28/0x40 + device_shutdown+0x148/0x350 + kernel_power_off+0x38/0x80 + __do_sys_reboot+0x288/0x2c0 + __arm64_sys_reboot+0x28/0x34 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x44/0xec + do_el0_svc+0x2c/0xc0 + el0_svc+0x2c/0x84 + el0t_64_sync_handler+0x11c/0x150 + el0t_64_sync+0x18c/0x190 + ---[ end trace 0000000000000000 ]--- + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000 + [0000000000000018] pgd=0000000000000000, p4d=0000000000000000 + Internal error: Oops: 96000004 [#1] PREEMPT SMP + ... 
+ Hardware name: Google CoachZ (rev3+) (DT) + pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : ww_mutex_lock+0x28/0x32c + lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0 + sp : ffff80000805bb50 + x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000018 + x23: ffff80000805bc10 x22: ffff327c039c5ad8 x21: ffff327c039c5800 + x20: ffff80000805bbe8 x19: 0000000000000018 x18: 0000000000000034 + x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000 + x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000 + x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : ffff327c00128000 x1 : 0000000000000000 x0 : 0000000000000018 + Call trace: + ww_mutex_lock+0x28/0x32c + drm_modeset_lock_all_ctx+0x1b0/0x3d0 + drm_atomic_helper_shutdown+0x70/0x134 + msm_drv_shutdown+0x30/0x40 + platform_shutdown+0x28/0x40 + device_shutdown+0x148/0x350 + kernel_power_off+0x38/0x80 + __do_sys_reboot+0x288/0x2c0 + __arm64_sys_reboot+0x28/0x34 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x44/0xec + do_el0_svc+0x2c/0xc0 + el0_svc+0x2c/0x84 + el0t_64_sync_handler+0x11c/0x150 + el0t_64_sync+0x18c/0x190 + Code: aa0103f4 d503201f d2800001 aa0103e3 (c8e37c02) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + Kernel Offset: 0x495d77c00000 from 0xffff800008000000 + PHYS_OFFSET: 0xffffcd8500000000 + CPU features: 0x800,00c2a015,19801c82 + Memory Limit: none + ---[ end Kernel panic - not syncing: Attempted to kill init! 
exitcode=0x0000000b ]--- + +Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver") +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Abhinav Kumar +Link: https://patchwork.freedesktop.org/patch/msgid/20220816134612.916527-1-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 407b51cf6790..dfbd2a9d52db 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1329,10 +1329,15 @@ static void msm_pdev_shutdown(struct platform_device *pdev) + struct drm_device *drm = platform_get_drvdata(pdev); + struct msm_drm_private *priv = drm ? drm->dev_private : NULL; + +- if (!priv || !priv->kms) +- return; +- +- drm_atomic_helper_shutdown(drm); ++ /* ++ * Shutdown the hw if we're far enough along where things might be on. ++ * If we run this too early, we'll end up panicking in any variety of ++ * places. Since we don't register the drm device until late in ++ * msm_drm_init, drm_dev->registered is used as an indicator that the ++ * shutdown will be successful. ++ */ ++ if (drm && drm->registered) ++ drm_atomic_helper_shutdown(drm); + } + + static const struct of_device_id dt_match[] = { +-- +2.35.1 + diff --git a/queue-5.4/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch b/queue-5.4/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch new file mode 100644 index 00000000000..3b32fca133c --- /dev/null +++ b/queue-5.4/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch 
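Review bot: `priv` is left unused in msm_pdev_shutdown() after this change: the context line `struct msm_drm_private *priv = drm ? drm->dev_private : NULL;` stays, but the only reads of it were in the removed `if (!priv || !priv->kms)` test, so the build will likely warn about an unused variable. The declaration should be dropped in this backport. The added comment also names `drm_dev->registered` while the local is `drm`, so `drm->registered` would match the code it documents.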
@@ -0,0 +1,45 @@
+From 36a31384939cf9add8a250fbb94c95e66f93573e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Jul 2022 17:43:06 +0800
+Subject: drm/nouveau/nouveau_bo: fix potential memory leak in
+ nouveau_bo_alloc()
+
+From: Jianglei Nie
+
+[ Upstream commit 6dc548745d5b5102e3c53dc5097296ac270b6c69 ]
+
+nouveau_bo_alloc() allocates a memory chunk for "nvbo" with kzalloc().
+When some error occurs, "nvbo" should be released. But when
+WARN_ON(pi < 0)) equals true, the function return ERR_PTR without
+releasing the "nvbo", which will lead to a memory leak.
+
+We should release the "nvbo" with kfree() if WARN_ON(pi < 0)) equals true.
+
+Signed-off-by: Jianglei Nie
+Signed-off-by: Lyude Paul
+Reviewed-by: Lyude Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705094306.2244103-1-niejianglei2021@163.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/nouveau/nouveau_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
+index f7603be569fc..9f9c70734180 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
+@@ -276,8 +276,10 @@ nouveau_bo_alloc(struct nouveau_cli *cli, u64 *size, int *align, u32 flags,
+ break;
+ }
+
+- if (WARN_ON(pi < 0))
++ if (WARN_ON(pi < 0)) {
++ kfree(nvbo);
+ return ERR_PTR(-EINVAL);
++ }
+
+ /* Disable compression if suitable settings couldn't be found. */
+ if (nvbo->comp && !vmm->page[pi].comp) {
+--
+2.35.1
+
diff --git a/queue-5.4/drm-omap-dss-fix-refcount-leak-bugs.patch b/queue-5.4/drm-omap-dss-fix-refcount-leak-bugs.patch
new file mode 100644
index 00000000000..ca476e7fbea
--- /dev/null
+++ b/queue-5.4/drm-omap-dss-fix-refcount-leak-bugs.patch
@@ -0,0 +1,51 @@
+From 27ab2b163d776f7fef9c9e4dfd931487e3dc6e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Jul 2022 22:43:48 +0800
+Subject: drm/omap: dss: Fix refcount leak bugs
+
+From: Liang He
+
+[ Upstream commit 8b42057e62120813ebe9274f508fa785b7cab33a ]
+
+In dss_init_ports() and __dss_uninit_ports(), we should call
+of_node_put() for the reference returned by of_graph_get_port_by_id()
+in fail path or when it is not used anymore.
+
+Fixes: 09bffa6e5192 ("drm: omap: use common OF graph helpers")
+Signed-off-by: Liang He
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20220722144348.1306569-1-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/omapdrm/dss/dss.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/omapdrm/dss/dss.c b/drivers/gpu/drm/omapdrm/dss/dss.c
+index ac93dae2a9c8..7f1d0a9afafb 100644
+--- a/drivers/gpu/drm/omapdrm/dss/dss.c
++++ b/drivers/gpu/drm/omapdrm/dss/dss.c
+@@ -1173,6 +1173,7 @@ static void __dss_uninit_ports(struct dss_device *dss, unsigned int num_ports)
+ default:
+ break;
+ }
++ of_node_put(port);
+ }
+ }
+
+@@ -1205,11 +1206,13 @@ static int dss_init_ports(struct dss_device *dss)
+ default:
+ break;
+ }
++ of_node_put(port);
+ }
+
+ return 0;
+
+ error:
++ of_node_put(port);
+ __dss_uninit_ports(dss, i);
+ return r;
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch
new file mode 100644
index 00000000000..a228f32273a
--- /dev/null
+++ b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch
@@ -0,0 +1,41 @@
+From ef37527172e3891433400a6e1bc57fa2e6b4faf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Aug 2022 20:24:03 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for Anbernic Win600
+
+From: Maya Matuszczyk
+
+[ Upstream commit 770e19076065e079a32f33eb11be2057c87f1cde ]
+
+This device is another x86 gaming handheld, and as (hopefully) there is
+only one set of DMI IDs it's using DMI_EXACT_MATCH
+
+Signed-off-by: Maya Matuszczyk
+Reviewed-by: Hans de Goede
+Signed-off-by: Hans de Goede
+Link: https://patchwork.freedesktop.org/patch/msgid/20220803182402.1217293-1-maccraft123mc@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index f5ab891731d0..083273736c83 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -128,6 +128,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* Anbernic Win600 */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Anbernic"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Win600"),
++ },
++ .driver_data = (void *)&lcd720x1280_rightside_up,
+ }, { /* Asus T100HA */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+--
+2.35.1
+
diff --git a/queue-5.4/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch b/queue-5.4/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
new file mode 100644
index 00000000000..466efd1d8cb
--- /dev/null
+++ b/queue-5.4/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
@@ -0,0 +1,87 @@ +From 394e64c85d4766790b435e29e48e5fb771a03728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 12:02:14 +0200 +Subject: drm: Prevent drm_copy_field() to attempt copying a NULL pointer + +From: Javier Martinez Canillas + +[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ] + +There are some struct drm_driver fields that are required by drivers since +drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. + +But it can be possible that a driver has a bug and did not set some of the +fields, which leads to drm_copy_field() attempting to copy a NULL pointer: + +[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ +0.010955] Mem abort info: +[ +0.002835] ESR = 0x0000000096000004 +[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits +[ +0.005395] SET = 0, FnV = 0 +[ +0.003113] EA = 0, S1PTW = 0 +[ +0.003182] FSC = 0x04: level 0 translation fault +[ +0.004964] Data abort info: +[ +0.002919] ISV = 0, ISS = 0x00000004 +[ +0.003886] CM = 0, WnR = 0 +[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 +[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 +[ +0.006925] Internal error: Oops: 96000004 [#1] SMP +... 
+[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ +0.007061] pc : __pi_strlen+0x14/0x150 +[ +0.003895] lr : drm_copy_field+0x30/0x1a4 +[ +0.004156] sp : ffff8000094b3a50 +[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 +[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 +[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 +[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 +[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 +[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 +[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 +[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 +[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 +[ +0.007240] Call trace: +[ +0.002475] __pi_strlen+0x14/0x150 +[ +0.003537] drm_version+0x84/0xac +[ +0.003448] drm_ioctl_kernel+0xa8/0x16c +[ +0.003975] drm_ioctl+0x270/0x580 +[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc +[ +0.003978] invoke_syscall+0x78/0x100 +[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 +[ +0.004767] do_el0_svc+0x38/0x4c +[ +0.003357] el0_svc+0x34/0x100 +[ +0.003185] el0t_64_sync_handler+0x11c/0x150 +[ +0.004418] el0t_64_sync+0x190/0x194 +[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) +[ +0.006180] ---[ end trace 0000000000000000 ]--- + +Reported-by: Peter Robinson +Signed-off-by: Javier Martinez Canillas +Acked-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index bde71aa67784..5b93150b1141 
100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -475,6 +475,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+ size_t len;
+
++ /* don't attempt to copy a NULL pointer */
++ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) {
++ *buf_len = 0;
++ return 0;
++ }
++
+ /* don't overflow userbuf */
+ len = strlen(value);
+ if (len > *buf_len)
+--
+2.35.1
+
diff --git a/queue-5.4/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch b/queue-5.4/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch
new file mode 100644
index 00000000000..325fe99c2f9
--- /dev/null
+++ b/queue-5.4/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch
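Review bot: The new guard in drm_copy_field() raises a WARN_ONCE on a path that the commit message says is reached from user space through DRM_IOCTL_VERSION, so on a system configured to panic on warnings a driver with an unset field turns the first version query into a crash. The guard also returns 0 with `*buf_len = 0`, so the caller cannot tell an unset field from an empty string. Checking the required struct drm_driver strings once when the driver registers (outside this hunk) would surface the driver bug earlier and away from the ioctl path. At minimum the comment should say what user space sees, e.g. `/* driver bug: required field unset; report an empty string to userspace */`. The function body continues past the end of the hunk.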
@@ -0,0 +1,48 @@
+From 6d56a06ae0369b3e55aa263fed6bbfa77cef2b9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Jul 2022 12:02:13 +0200
+Subject: drm: Use size_t type for len variable in drm_copy_field()
+
+From: Javier Martinez Canillas
+
+[ Upstream commit 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 ]
+
+The strlen() function returns a size_t which is an unsigned int on 32-bit
+arches and an unsigned long on 64-bit arches. But in the drm_copy_field()
+function, the strlen() return value is assigned to an 'int len' variable.
+
+Later, the len variable is passed as copy_from_user() third argument that
+is an unsigned long parameter as well.
+
+In theory, this can lead to an integer overflow via type conversion. Since
+the assignment happens to a signed int lvalue instead of a size_t lvalue.
+
+In practice though, that's unlikely since the values copied are set by DRM
+drivers and not controlled by userspace. But using a size_t for len is the
+correct thing to do anyways.
+
+Signed-off-by: Javier Martinez Canillas
+Tested-by: Peter Robinson
+Reviewed-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-2-javierm@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index 76b6676b0106..bde71aa67784 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -473,7 +473,7 @@ EXPORT_SYMBOL(drm_invalid_op);
+ */
+ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+- int len;
++ size_t len;
+
+ /* don't overflow userbuf */
+ len = strlen(value);
+--
+2.35.1
+
diff --git a/queue-5.4/drm-vc4-vec-fix-timings-for-vec-modes.patch b/queue-5.4/drm-vc4-vec-fix-timings-for-vec-modes.patch
new file mode 100644
index 00000000000..2be1cdb2a38
--- /dev/null
+++ b/queue-5.4/drm-vc4-vec-fix-timings-for-vec-modes.patch
@@ -0,0 +1,54 @@ +From 5dc5051881276d3959dc4976ba37f616d56dcd0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 15:11:42 +0200 +Subject: drm/vc4: vec: Fix timings for VEC modes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Kwiatkowski + +[ Upstream commit 30d7565be96b3946c18a1ce3fd538f7946839092 ] + +This commit fixes vertical timings of the VEC (composite output) modes +to accurately represent the 525-line ("NTSC") and 625-line ("PAL") ITU-R +standards. + +Previous timings were actually defined as 502 and 601 lines, resulting +in non-standard 62.69 Hz and 52 Hz signals being generated, +respectively. + +Signed-off-by: Mateusz Kwiatkowski +Acked-by: Noralf Trønnes +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20220728-rpi-analog-tv-properties-v2-28-459522d653a7@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_vec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_vec.c b/drivers/gpu/drm/vc4/vc4_vec.c +index 7402bc768664..0c764fd8399a 100644 +--- a/drivers/gpu/drm/vc4/vc4_vec.c ++++ b/drivers/gpu/drm/vc4/vc4_vec.c +@@ -256,7 +256,7 @@ static void vc4_vec_ntsc_j_mode_set(struct vc4_vec *vec) + static const struct drm_display_mode ntsc_mode = { + DRM_MODE("720x480", DRM_MODE_TYPE_DRIVER, 13500, + 720, 720 + 14, 720 + 14 + 64, 720 + 14 + 64 + 60, 0, +- 480, 480 + 3, 480 + 3 + 3, 480 + 3 + 3 + 16, 0, ++ 480, 480 + 7, 480 + 7 + 6, 525, 0, + DRM_MODE_FLAG_INTERLACE) + }; + +@@ -278,7 +278,7 @@ static void vc4_vec_pal_m_mode_set(struct vc4_vec *vec) + static const struct drm_display_mode pal_mode = { + DRM_MODE("720x576", DRM_MODE_TYPE_DRIVER, 13500, + 720, 720 + 20, 720 + 20 + 64, 720 + 20 + 64 + 60, 0, +- 576, 576 + 2, 576 + 2 + 3, 576 + 2 + 3 + 20, 0, ++ 576, 576 + 4, 576 + 4 + 6, 625, 0, + DRM_MODE_FLAG_INTERLACE) + }; + +-- +2.35.1 + 
diff --git a/queue-5.4/dyndbg-fix-module.dyndbg-handling.patch b/queue-5.4/dyndbg-fix-module.dyndbg-handling.patch
new file mode 100644
index 00000000000..aa441288d38
--- /dev/null
+++ b/queue-5.4/dyndbg-fix-module.dyndbg-handling.patch
@@ -0,0 +1,52 @@
+From 47cd090dee64bcb35288459bf1fe3a9840cf334a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Sep 2022 15:40:39 -0600
+Subject: dyndbg: fix module.dyndbg handling
+
+From: Jim Cromie
+
+[ Upstream commit 85d6b66d31c35158364058ee98fb69ab5bb6a6b1 ]
+
+For CONFIG_DYNAMIC_DEBUG=N, the ddebug_dyndbg_module_param_cb()
+stub-fn is too permissive:
+
+bash-5.1# modprobe drm JUNKdyndbg
+bash-5.1# modprobe drm dyndbgJUNK
+[ 42.933220] dyndbg param is supported only in CONFIG_DYNAMIC_DEBUG builds
+[ 42.937484] ACPI: bus type drm_connector registered
+
+This caused no ill effects, because unknown parameters are either
+ignored by default with an "unknown parameter" warning, or ignored
+because dyndbg allows its no-effect use on non-dyndbg builds.
+
+But since the code has an explicit feedback message, it should be
+issued accurately. Fix with strcmp for exact param-name match.
+
+Fixes: b48420c1d301 dynamic_debug: make dynamic-debug work for module initialization
+Reported-by: Rasmus Villemoes
+Acked-by: Jason Baron
+Acked-by: Daniel Vetter
+Signed-off-by: Jim Cromie
+Link: https://lore.kernel.org/r/20220904214134.408619-3-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ include/linux/dynamic_debug.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h
+index 4cf02ecd67de..65575143c89f 100644
+--- a/include/linux/dynamic_debug.h
++++ b/include/linux/dynamic_debug.h
+@@ -191,7 +191,7 @@ static inline int ddebug_remove_module(const char *mod)
+ static inline int ddebug_dyndbg_module_param_cb(char *param, char *val,
+ const char *modname)
+ {
+- if (strstr(param, "dyndbg")) {
++ if (!strcmp(param, "dyndbg")) {
+ /* avoid pr_warn(), which wants pr_fmt() fully defined */
+ printk(KERN_WARNING "dyndbg param is supported only in "
+ "CONFIG_DYNAMIC_DEBUG builds\n");
+--
+2.35.1
+
diff --git a/queue-5.4/dyndbg-let-query-modname-override-actual-module-name.patch b/queue-5.4/dyndbg-let-query-modname-override-actual-module-name.patch
new file mode 100644
index 00000000000..38732e6c166
--- /dev/null
+++ b/queue-5.4/dyndbg-let-query-modname-override-actual-module-name.patch
@@ -0,0 +1,80 @@ +From 77ee5d2169e32de8db8a13358939c7d06c48fcab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 15:40:44 -0600 +Subject: dyndbg: let query-modname override actual module name + +From: Jim Cromie + +[ Upstream commit e75ef56f74965f426dd819a41336b640ffdd8fbc ] + +dyndbg's control-parser: ddebug_parse_query(), requires that search +terms: module, func, file, lineno, are used only once in a query; a +thing cannot be named both foo and bar. + +The cited commit added an overriding module modname, taken from the +module loader, which is authoritative. So it set query.module 1st, +which disallowed its use in the query-string. + +But now, its useful to allow a module-load to enable classes across a +whole (or part of) a subsystem at once. + + # enable (dynamic-debug in) drm only + modprobe drm dyndbg="class DRM_UT_CORE +p" + + # get drm_helper too + modprobe drm dyndbg="class DRM_UT_CORE module drm* +p" + + # get everything that knows DRM_UT_CORE + modprobe drm dyndbg="class DRM_UT_CORE module * +p" + + # also for boot-args: + drm.dyndbg="class DRM_UT_CORE module * +p" + +So convert the override into a default, by filling it only when/after +the query-string omitted the module. + +NB: the query class FOO handling is forthcoming. 
+ +Fixes: 8e59b5cfb9a6 dynamic_debug: add modname arg to exec_query callchain +Acked-by: Jason Baron +Acked-by: Daniel Vetter +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20220904214134.408619-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index ccf05719b1ad..c9e1960fefc8 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -329,10 +329,6 @@ static int ddebug_parse_query(char *words[], int nwords, + } + memset(query, 0, sizeof(*query)); + +- if (modname) +- /* support $modname.dyndbg= */ +- query->module = modname; +- + for (i = 0; i < nwords; i += 2) { + if (!strcmp(words[i], "func")) { + rc = check_set(&query->function, words[i+1], "func"); +@@ -381,6 +377,13 @@ static int ddebug_parse_query(char *words[], int nwords, + if (rc) + return rc; + } ++ if (!query->module && modname) ++ /* ++ * support $modname.dyndbg=, when ++ * not given in the query itself ++ */ ++ query->module = modname; ++ + vpr_info_dq(query, "parsed"); + return 0; + } +-- +2.35.1 + diff --git a/queue-5.4/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch b/queue-5.4/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch new file mode 100644 index 00000000000..0f64b9e7131 --- /dev/null +++ b/queue-5.4/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch 
@@ -0,0 +1,55 @@
+From b77f4bb7395f49521926cd0cff29322360424dc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Sep 2022 12:59:17 +0800
+Subject: f2fs: fix race condition on setting FI_NO_EXTENT flag
+
+From: Zhang Qilong
+
+[ Upstream commit 07725adc55c0a414c10acb5c8c86cea34b95ddef ]
+
+The following scenarios exist.
+process A: process B:
+->f2fs_drop_extent_tree ->f2fs_update_extent_cache_range
+ ->f2fs_update_extent_tree_range
+ ->write_lock
+ ->set_inode_flag
+ ->is_inode_flag_set
+ ->__free_extent_tree // Shouldn't
+ // have been
+ // cleaned up
+ // here
+ ->write_lock
+
+In this case, the "FI_NO_EXTENT" flag is set between
+f2fs_update_extent_tree_range and is_inode_flag_set
+by other process. it leads to clearing the whole exten
+tree which should not have happened. And we fix it by
+move the setting it to the range of write_lock.
+
+Fixes:5f281fab9b9a3 ("f2fs: disable extent_cache for fcollapse/finsert inodes")
+Signed-off-by: Zhang Qilong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/extent_cache.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
+index e60078460ad1..05b17a741ccc 100644
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -729,9 +729,8 @@ void f2fs_drop_extent_tree(struct inode *inode)
+ if (!f2fs_may_extent_tree(inode))
+ return;
+
+- set_inode_flag(inode, FI_NO_EXTENT);
+-
+ write_lock(&et->lock);
++ set_inode_flag(inode, FI_NO_EXTENT);
+ __free_extent_tree(sbi, et);
+ if (et->largest.len) {
+ et->largest.len = 0;
+--
+2.35.1
+
diff --git a/queue-5.4/firmware-google-test-spinlock-on-panic-path-to-avoid.patch b/queue-5.4/firmware-google-test-spinlock-on-panic-path-to-avoid.patch
new file mode 100644
index 00000000000..c236027186a
--- /dev/null
+++ b/queue-5.4/firmware-google-test-spinlock-on-panic-path-to-avoid.patch
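Review bot: The moved `set_inode_flag(inode, FI_NO_EXTENT)` in f2fs_drop_extent_tree() is only correct while it stays inside `et->lock`, but nothing in the code says so, and a later cleanup could hoist it back out and reopen the race described in the commit message. Add a comment above it such as `/* set under et->lock so a concurrent extent update sees the flag and the freed tree together */`. The function starts and ends outside the hunk, so whether every other writer of FI_NO_EXTENT holds the same lock cannot be checked from here.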
@@ -0,0 +1,59 @@
+From 8af14754e6a5c28020436456a65f8ab839316b94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Sep 2022 17:07:55 -0300
+Subject: firmware: google: Test spinlock on panic path to avoid lockups
+
+From: Guilherme G. Piccoli
+
+[ Upstream commit 3e081438b8e639cc76ef1a5ce0c1bd8a154082c7 ]
+
+Currently the gsmi driver registers a panic notifier as well as
+reboot and die notifiers. The callbacks registered are called in
+atomic and very limited context - for instance, panic disables
+preemption and local IRQs, also all secondary CPUs (not executing
+the panic path) are shutdown.
+
+With that said, taking a spinlock in this scenario is a dangerous
+invitation for lockup scenarios. So, fix that by checking if the
+spinlock is free to acquire in the panic notifier callback - if not,
+bail-out and avoid a potential hang.
+
+Fixes: 74c5b31c6618 ("driver: Google EFI SMI")
+Cc: Andrew Morton
+Cc: Ard Biesheuvel
+Cc: David Gow
+Cc: Greg Kroah-Hartman
+Cc: Julius Werner
+Cc: Petr Mladek
+Reviewed-by: Evan Green
+Signed-off-by: Guilherme G. Piccoli
+Link: https://lore.kernel.org/r/20220909200755.189679-1-gpiccoli@igalia.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/google/gsmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index edaa4e5d84ad..517fb57d07d2 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -679,6 +679,15 @@ static struct notifier_block gsmi_die_notifier = {
+ static int gsmi_panic_callback(struct notifier_block *nb,
+ unsigned long reason, void *arg)
+ {
++
++ /*
++ * Panic callbacks are executed with all other CPUs stopped,
++ * so we must not attempt to spin waiting for gsmi_dev.lock
++ * to be released.
++ */
++ if (spin_is_locked(&gsmi_dev.lock))
++ return NOTIFY_DONE;
++
+ gsmi_shutdown_reason(GSMI_SHUTDOWN_PANIC);
+ return NOTIFY_DONE;
+ }
+--
+2.35.1
+
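Review bot: When `spin_is_locked(&gsmi_dev.lock)` is true, gsmi_panic_callback() returns without calling gsmi_shutdown_reason(GSMI_SHUTDOWN_PANIC) and without logging anything, so the shutdown reason for that panic is silently dropped. The comment should state that trade-off, for example by adding the line `* The shutdown reason is not recorded in that case; a hang here would be worse.` The commit message says reboot and die notifiers are registered too, and only the panic callback is guarded in this hunk, so it is worth confirming whether those paths can meet the same held lock. The blank line added directly after the opening brace can be dropped.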
diff --git a/queue-5.4/fsi-core-check-error-number-after-calling-ida_simple.patch b/queue-5.4/fsi-core-check-error-number-after-calling-ida_simple.patch
new file mode 100644
index 00000000000..b0fef510ebb
--- /dev/null
+++ b/queue-5.4/fsi-core-check-error-number-after-calling-ida_simple.patch
@@ -0,0 +1,41 @@
+From ee1a0006e1fbc5c29b07f6b9fdc4572055156345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jan 2022 15:34:11 +0800
+Subject: fsi: core: Check error number after calling ida_simple_get
+
+From: Jiasheng Jiang
+
+[ Upstream commit 35af9fb49bc5c6d61ef70b501c3a56fe161cce3e ]
+
+If allocation fails, the ida_simple_get() will return error number.
+So master->idx could be error number and be used in dev_set_name().
+Therefore, it should be better to check it and return error if fails,
+like the ida_simple_get() in __fsi_get_new_minor().
+
+Fixes: 09aecfab93b8 ("drivers/fsi: Add fsi master definition")
+Signed-off-by: Jiasheng Jiang
+Reviewed-by: Eddie James
+Link: https://lore.kernel.org/r/20220111073411.614138-1-jiasheng@iscas.ac.cn
+Signed-off-by: Joel Stanley
+Signed-off-by: Sasha Levin
+---
+ drivers/fsi/fsi-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
+index cb980a60af0e..09e571578232 100644
+--- a/drivers/fsi/fsi-core.c
++++ b/drivers/fsi/fsi-core.c
+@@ -1271,6 +1271,9 @@ int fsi_master_register(struct fsi_master *master)
+
+ mutex_init(&master->scan_lock);
+ master->idx = ida_simple_get(&master_ida, 0, INT_MAX, GFP_KERNEL);
++ if (master->idx < 0)
++ return master->idx;
++
+ dev_set_name(&master->dev, "fsi%d", master->idx);
+
+ rc = device_register(&master->dev);
+--
+2.35.1
+
diff --git a/queue-5.4/fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch b/queue-5.4/fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch
new file mode 100644
index 00000000000..6c08e56f1fc
--- /dev/null
+++ b/queue-5.4/fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch
@@ -0,0 +1,43 @@
+From 9c0a6b26564fa9d940d986ca54de0afffe380b88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 08:59:11 +0000
+Subject: fsi: master-ast-cf: Fix missing of_node_put in fsi_master_acf_probe
+
+From: Lv Ruyi
+
+[ Upstream commit 182d98e00e4745fe253cb0c24c63bbac253464a2 ]
+
+of_parse_phandle returns node pointer with refcount incremented, use
+of_node_put() on it when done.
+
+Reported-by: Zeal Robot
+Signed-off-by: Lv Ruyi
+Link: https://lore.kernel.org/r/20220407085911.2491719-1-lv.ruyi@zte.com.cn
+Signed-off-by: Joel Stanley
+Signed-off-by: Sasha Levin
+---
+ drivers/fsi/fsi-master-ast-cf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/fsi/fsi-master-ast-cf.c b/drivers/fsi/fsi-master-ast-cf.c
+index 04d10ea8d343..1d39e435bfd1 100644
+--- a/drivers/fsi/fsi-master-ast-cf.c
++++ b/drivers/fsi/fsi-master-ast-cf.c
+@@ -1324,12 +1324,14 @@ static int fsi_master_acf_probe(struct platform_device *pdev)
+ }
+ master->cvic = devm_of_iomap(&pdev->dev, np, 0, NULL);
+ if (IS_ERR(master->cvic)) {
++ of_node_put(np);
+ rc = PTR_ERR(master->cvic);
+ dev_err(&pdev->dev, "Error %d mapping CVIC\n", rc);
+ goto err_free;
+ }
+ rc = of_property_read_u32(np, "copro-sw-interrupts",
+ &master->cvic_sw_irq);
++ of_node_put(np);
+ if (rc) {
+ dev_err(&pdev->dev, "Can't find coprocessor SW interrupt\n");
+ goto err_free;
+--
+2.35.1
+
diff --git a/queue-5.4/hid-roccat-fix-use-after-free-in-roccat_read.patch b/queue-5.4/hid-roccat-fix-use-after-free-in-roccat_read.patch
new file mode 100644
index 00000000000..0e4e0d1b95f
--- /dev/null
+++ b/queue-5.4/hid-roccat-fix-use-after-free-in-roccat_read.patch
@@ -0,0 +1,108 @@ +From b766094528cc379fa94b93cbc7b17f3a9cb954b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 12:31:15 -0700 +Subject: HID: roccat: Fix use-after-free in roccat_read() + +From: Hyunwoo Kim + +[ Upstream commit cacdb14b1c8d3804a3a7d31773bc7569837b71a4 ] + +roccat_report_event() is responsible for registering +roccat-related reports in struct roccat_device. + +int roccat_report_event(int minor, u8 const *data) +{ + struct roccat_device *device; + struct roccat_reader *reader; + struct roccat_report *report; + uint8_t *new_value; + + device = devices[minor]; + + new_value = kmemdup(data, device->report_size, GFP_ATOMIC); + if (!new_value) + return -ENOMEM; + + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ + kfree(report->value); + ... + +The registered report is stored in the struct roccat_device member +"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];". +If more reports are received than the "ROCCAT_CBUF_SIZE" value, +kfree() the saved report from cbuf[0] and allocates a new reprot. +Since there is no lock when this kfree() is performed, +kfree() can be performed even while reading the saved report. + +static ssize_t roccat_read(struct file *file, char __user *buffer, + size_t count, loff_t *ppos) +{ + struct roccat_reader *reader = file->private_data; + struct roccat_device *device = reader->device; + struct roccat_report *report; + ssize_t retval = 0, len; + DECLARE_WAITQUEUE(wait, current); + + mutex_lock(&device->cbuf_lock); + + ... + + report = &device->cbuf[reader->cbuf_start]; + /* + * If report is larger than requested amount of data, rest of report + * is lost! + */ + len = device->report_size > count ? count : device->report_size; + + if (copy_to_user(buffer, report->value, len)) { + retval = -EFAULT; + goto exit_unlock; + } + ... + +The roccat_read() function receives the device->cbuf report and +delivers it to the user through copy_to_user(). 
+If the N+ROCCAT_CBUF_SIZE th report is received while copying of
+the Nth report->value is in progress, the pointer that copy_to_user()
+is working on is kfree()ed and UAF read may occur. (race condition)
+
+Since the device node of this driver does not set separate permissions,
+this is not a security vulnerability, but because it is used for
+requesting screen display of profile or dpi settings,
+a user using the roccat device can apply udev to this device node or
+There is a possibility to use it by giving.
+
+Signed-off-by: Hyunwoo Kim
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-roccat.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 26373b82fe81..6da80e442fdd 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,8 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->cbuf_lock);
++
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+@@ -276,6 +278,8 @@ int roccat_report_event(int minor, u8 const *data)
+ reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE;
+ }
+
++ mutex_unlock(&device->cbuf_lock);
++
+ wake_up_interruptible(&device->wait);
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/hid-topre-add-driver-fixing-report-descriptor.patch b/queue-5.4/hid-topre-add-driver-fixing-report-descriptor.patch
new file mode 100644
index 00000000000..bda33abc39b
--- /dev/null
+++ b/queue-5.4/hid-topre-add-driver-fixing-report-descriptor.patch
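Review bot: `mutex_lock(&device->cbuf_lock)` is added to roccat_report_event() directly after the `kmemdup(..., GFP_ATOMIC)` quoted in the commit message, and an atomic allocation suggests that callers may run where sleeping is not allowed, while a mutex may sleep. If any caller reports events from interrupt or other atomic context, this would trade the use-after-free for a sleep-in-atomic bug. The calling context should be confirmed and stated in a comment, or the ring buffer protected with a lock that is safe in that context. The early `return -ENOMEM` sits before the lock, so lock and unlock are balanced on the visible paths; the lines between the two hunks are not shown.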
@@ -0,0 +1,139 @@ +From 7e62b8dc1be82283773f4b3acefd2c875019a12f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 20:36:13 -0400 +Subject: hid: topre: Add driver fixing report descriptor + +From: Harry Stern + +[ Upstream commit a109d5c45b3d6728b9430716b915afbe16eef27c ] + +The Topre REALFORCE R2 firmware incorrectly reports that interface +descriptor number 1, input report descriptor 2's events are array events +rather than variable events. That particular report descriptor is used +to report keypresses when there are more than 6 keys held at a time. +This bug prevents events from this interface from being registered +properly, so only 6 keypresses (from a different interface) can be +registered at once, rather than full n-key rollover. + +This commit fixes the bug by setting the correct value in a report_fixup +function. + +The original bug report can be found here: +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/804 + +Thanks to Benjamin Tissoires for diagnosing the issue with the report +descriptor. + +Signed-off-by: Harry Stern +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20220911003614.297613-1-harry@harrystern.net +Signed-off-by: Sasha Levin +--- + drivers/hid/Kconfig | 6 +++++ + drivers/hid/Makefile | 1 + + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-topre.c | 49 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 59 insertions(+) + create mode 100644 drivers/hid/hid-topre.c + +diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig +index 5169a38ee47a..56315a0be78a 100644 +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -992,6 +992,12 @@ config HID_TOPSEED + Say Y if you have a TopSeed Cyberlink or BTC Emprex or Conceptronic + CLLRCMCE remote control. + ++config HID_TOPRE ++ tristate "Topre REALFORCE keyboards" ++ depends on HID ++ help ++ Say Y for N-key rollover support on Topre REALFORCE R2 108 key keyboards. 
++ + config HID_THINGM + tristate "ThingM blink(1) USB RGB LED" + depends on HID +diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile +index 0c03308cfb08..bb618c74c442 100644 +--- a/drivers/hid/Makefile ++++ b/drivers/hid/Makefile +@@ -110,6 +110,7 @@ obj-$(CONFIG_HID_GREENASIA) += hid-gaff.o + obj-$(CONFIG_HID_THRUSTMASTER) += hid-tmff.o + obj-$(CONFIG_HID_TIVO) += hid-tivo.o + obj-$(CONFIG_HID_TOPSEED) += hid-topseed.o ++obj-$(CONFIG_HID_TOPRE) += hid-topre.o + obj-$(CONFIG_HID_TWINHAN) += hid-twinhan.o + obj-$(CONFIG_HID_U2FZERO) += hid-u2fzero.o + hid-uclogic-objs := hid-uclogic-core.o \ +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index c587a77d493c..fbceead99b3c 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1156,6 +1156,9 @@ + #define USB_DEVICE_ID_TIVO_SLIDE 0x1201 + #define USB_DEVICE_ID_TIVO_SLIDE_PRO 0x1203 + ++#define USB_VENDOR_ID_TOPRE 0x0853 ++#define USB_DEVICE_ID_TOPRE_REALFORCE_R2_108 0x0148 ++ + #define USB_VENDOR_ID_TOPSEED 0x0766 + #define USB_DEVICE_ID_TOPSEED_CYBERLINK 0x0204 + +diff --git a/drivers/hid/hid-topre.c b/drivers/hid/hid-topre.c +new file mode 100644 +index 000000000000..88a91cdad5f8 +--- /dev/null ++++ b/drivers/hid/hid-topre.c +@@ -0,0 +1,49 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * HID driver for Topre REALFORCE Keyboards ++ * ++ * Copyright (c) 2022 Harry Stern ++ * ++ * Based on the hid-macally driver ++ */ ++ ++#include ++#include ++ ++#include "hid-ids.h" ++ ++MODULE_AUTHOR("Harry Stern "); ++MODULE_DESCRIPTION("REALFORCE R2 Keyboard driver"); ++MODULE_LICENSE("GPL"); ++ ++/* ++ * Fix the REALFORCE R2's non-boot interface's report descriptor to match the ++ * events it's actually sending. It claims to send array events but is instead ++ * sending variable events. 
++ */
++static __u8 *topre_report_fixup(struct hid_device *hdev, __u8 *rdesc,
++ unsigned int *rsize)
++{
++ if (*rsize >= 119 && rdesc[69] == 0x29 && rdesc[70] == 0xe7 &&
++ rdesc[71] == 0x81 && rdesc[72] == 0x00) {
++ hid_info(hdev,
++ "fixing up Topre REALFORCE keyboard report descriptor\n");
++ rdesc[72] = 0x02;
++ }
++ return rdesc;
++}
++
++static const struct hid_device_id topre_id_table[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_TOPRE,
++ USB_DEVICE_ID_TOPRE_REALFORCE_R2_108) },
++ { }
++};
++MODULE_DEVICE_TABLE(hid, topre_id_table);
++
++static struct hid_driver topre_driver = {
++ .name = "topre",
++ .id_table = topre_id_table,
++ .report_fixup = topre_report_fixup,
++};
++
++module_hid_driver(topre_driver);
+--
+2.35.1
+
diff --git a/queue-5.4/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch b/queue-5.4/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch
new file mode 100644
index 00000000000..69c34f68d2c
--- /dev/null
+++ b/queue-5.4/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch
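Review bot: topre_report_fixup() matches and patches the descriptor through bare offsets and byte values (`*rsize >= 119`, `rdesc[69]` to `rdesc[72]`, `0x02`) without saying which HID items they are. Name them in a comment so the fix can be checked against the HID specification, e.g. `/* bytes 69-72: Usage Maximum (0xe7), Input (Data,Array) -> Input (Data,Var) */`. The comment should also say why the size bound is 119 when the highest index touched is 72; presumably it is the full length of the affected descriptor. The bound does cover every index that is read or written.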
@@ -0,0 +1,36 @@
+From 40b1b2bfe232ca3882c5b3d6d0b70d7cc723d0bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Apr 2022 08:52:32 +0000
+Subject: HSI: omap_ssi: Fix refcount leak in ssi_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 9a2ea132df860177b33c9fd421b26c4e9a0a9396 ]
+
+When returning or breaking early from a
+for_each_available_child_of_node() loop, we need to explicitly call
+of_node_put() on the child node to possibly release the node.
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index f36036be7f03..5aa6955b609f 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -524,6 +524,7 @@ static int ssi_probe(struct platform_device *pd)
+ if (!childpdev) {
+ err = -ENODEV;
+ dev_err(&pd->dev, "failed to create ssi controller port\n");
++ of_node_put(child);
+ goto out3;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch b/queue-5.4/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
new file mode 100644
index 00000000000..5a2d7fac2a9
--- /dev/null
+++ b/queue-5.4/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
@@ -0,0 +1,55 @@
+From 08600046e8839f9ee47837bd02f95cea273b38ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 12:12:27 +0200
+Subject: HSI: omap_ssi_port: Fix dma_map_sg error check
+
+From: Jack Wang
+
+[ Upstream commit 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2 ]
+
+dma_map_sg return 0 on error, in case of error return -EIO
+to caller.
+
+Cc: Sebastian Reichel
+Cc: linux-kernel@vger.kernel.org (open list)
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Jack Wang
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/hsi/controllers/omap_ssi_port.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c
+index a0cb5be246e1..b9495b720f1b 100644
+--- a/drivers/hsi/controllers/omap_ssi_port.c
++++ b/drivers/hsi/controllers/omap_ssi_port.c
+@@ -230,10 +230,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ if (msg->ttype == HSI_MSG_READ) {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_FROM_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_DST_BURST_4x32_BIT | SSI_DST_MEMORY_PORT |
+ SSI_SRC_SINGLE_ACCESS0 | SSI_SRC_PERIPHERAL_PORT |
+@@ -247,10 +247,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ } else {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_TO_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_SRC_BURST_4x32_BIT | SSI_SRC_MEMORY_PORT |
+ SSI_DST_SINGLE_ACCESS0 | SSI_DST_PERIPHERAL_PORT |
+--
+2.35.1
+
diff --git a/queue-5.4/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch b/queue-5.4/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch new file mode 100644 index 00000000000..5794a8c3c19 --- /dev/null +++ b/queue-5.4/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch @@ -0,0 +1,37 @@ +From b7d090fa689a4bbcd5359583613729591f7daab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 15:48:01 +0800 +Subject: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() + +From: Jianglei Nie + +[ Upstream commit b28dbcb379e6a7f80262c2732a57681b1ee548ca ] + +ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When +hsi_register_port_event() gets some error and returns a negetive value, +the HSI client's port should be released with hsi_release_port(). + +Fix it by calling hsi_release_port() when hsi_register_port_event() fails. + +Signed-off-by: Jianglei Nie +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/clients/ssi_protocol.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c +index 365b5d5967ac..01a2e861c399 100644 +--- a/drivers/hsi/clients/ssi_protocol.c ++++ b/drivers/hsi/clients/ssi_protocol.c +@@ -931,6 +931,7 @@ static int ssip_pn_open(struct net_device *dev) + if (err < 0) { + dev_err(&cl->device, "Register HSI port event failed (%d)\n", + err); ++ hsi_release_port(cl); + return err; + } + dev_dbg(&cl->device, "Configuring SSI port\n"); +-- +2.35.1 + diff --git a/queue-5.4/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch b/queue-5.4/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch new file mode 100644 index 00000000000..ed98a6f96ad --- /dev/null +++ b/queue-5.4/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch 
@@ -0,0 +1,45 @@
+From 8d003506fdf6984b45fd36d42514af1526ec960d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Sep 2022 17:14:57 +0800
+Subject: IB/rdmavt: Add __init/__exit annotations to module init/exit funcs
+
+From: Xiu Jianfeng
+
+[ Upstream commit 78657a445ca7603024348781c921f8ecaee10a49 ]
+
+Add missing __init/__exit annotations to module init/exit funcs.
+
+Fixes: 0194621b2253 ("IB/rdmavt: Create module framework and handle driver registration")
+Link: https://lore.kernel.org/r/20220924091457.52446-1-xiujianfeng@huawei.com
+Signed-off-by: Xiu Jianfeng
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/rdmavt/vt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c
+index 833f3f1b87f5..f69fffa6e613 100644
+--- a/drivers/infiniband/sw/rdmavt/vt.c
++++ b/drivers/infiniband/sw/rdmavt/vt.c
+@@ -57,7 +57,7 @@
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("RDMA Verbs Transport Library");
+
+-static int rvt_init(void)
++static int __init rvt_init(void)
+ {
+ int ret = rvt_driver_cq_init();
+
+@@ -68,7 +68,7 @@ static int rvt_init(void)
+ }
+ module_init(rvt_init);
+
+-static void rvt_cleanup(void)
++static void __exit rvt_cleanup(void)
+ {
+ rvt_cq_exit();
+ }
+--
+2.35.1
+
diff --git a/queue-5.4/iio-abi-fix-wrong-format-of-differential-capacitance.patch b/queue-5.4/iio-abi-fix-wrong-format-of-differential-capacitance.patch
new file mode 100644
index 00000000000..00e546a44fa
--- /dev/null
+++ b/queue-5.4/iio-abi-fix-wrong-format-of-differential-capacitance.patch
@@ -0,0 +1,36 @@ +From 076e184f4f37c8856a71be1ef2cdbe9a577cb38b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jun 2022 13:29:23 +0100 +Subject: iio: ABI: Fix wrong format of differential capacitance channel ABI. + +From: Jonathan Cameron + +[ Upstream commit 1efc41035f1841acf0af2bab153158e27ce94f10 ] + +in_ only occurs once in these attributes. + +Fixes: 0baf29d658c7 ("staging:iio:documentation Add abi docs for capacitance adcs.") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220626122938.582107-3-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index c3767d4d01a6..4d873e813949 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -138,7 +138,7 @@ Description: + Raw capacitance measurement from channel Y. Units after + application of scale and offset are nanofarads. + +-What: /sys/.../iio:deviceX/in_capacitanceY-in_capacitanceZ_raw ++What: /sys/.../iio:deviceX/in_capacitanceY-capacitanceZ_raw + KernelVersion: 3.2 + Contact: linux-iio@vger.kernel.org + Description: +-- +2.35.1 + diff --git a/queue-5.4/iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch b/queue-5.4/iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch new file mode 100644 index 00000000000..a663c46a71a --- /dev/null +++ b/queue-5.4/iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch 
@@ -0,0 +1,53 @@
+From a4c3d584049d4d334d27eb7c41f05c169a1ecbb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Aug 2022 13:28:38 +0300
+Subject: iio: adc: at91-sama5d2_adc: check return status for pressure and
+ touch
+
+From: Claudiu Beznea
+
+[ Upstream commit d84ace944a3b24529798dbae1340dea098473155 ]
+
+Check return status of at91_adc_read_position() and
+at91_adc_read_pressure() in at91_adc_read_info_raw().
+
+Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20220803102855.2191070-3-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 090cc1e8b4ea..20ef858d65c7 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -1323,8 +1323,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ *val = tmp_val;
+ mutex_unlock(&st->lock);
+ iio_device_release_direct_mode(indio_dev);
++ if (ret > 0)
++ ret = at91_adc_adjust_val_osr(st, val);
+
+- return at91_adc_adjust_val_osr(st, val);
++ return ret;
+ }
+ if (chan->type == IIO_PRESSURE) {
+ ret = iio_device_claim_direct_mode(indio_dev);
+@@ -1337,8 +1339,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ *val = tmp_val;
+ mutex_unlock(&st->lock);
+ iio_device_release_direct_mode(indio_dev);
++ if (ret > 0)
++ ret = at91_adc_adjust_val_osr(st, val);
+
+- return at91_adc_adjust_val_osr(st, val);
++ return ret;
+ }
+
+ /* in this case we have a voltage channel */
+--
+2.35.1
+
diff --git a/queue-5.4/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch b/queue-5.4/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch
new file mode 100644
index 00000000000..0ae7e2ebe24
--- /dev/null
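Review bot: `*val = tmp_val;` still runs before `ret` is tested in both the position and the pressure branch, so when at91_adc_read_position() or at91_adc_read_pressure() fails the caller's `*val` is overwritten with whatever `tmp_val` holds at that point. Whether `tmp_val` is initialised on the failure path cannot be seen here, because at91_adc_read_info_raw() starts and ends outside both hunks. Storing the value only on success, `if (ret > 0) { *val = tmp_val; ret = at91_adc_adjust_val_osr(st, val); }`, keeps a failed read from handing a stale or indeterminate value back to the reader of the channel.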
+++ b/queue-5.4/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch @@ -0,0 +1,38 @@ +From 3b79fbdb1dba89fb2eeaabe7926d3024ae361f8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 13:28:37 +0300 +Subject: iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX + +From: Claudiu Beznea + +[ Upstream commit bb73d5d9164c57c4bb916739a98e5cd8e0a5ed8c ] + +All ADC HW versions handled by this driver (SAMA5D2, SAM9X60, SAMA7G5) +have MR.TRACKTIM on 4 bits. Fix AT91_SAMA5D2_MR_TRACKTIM_MAX to reflect +this. + +Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220803102855.2191070-2-claudiu.beznea@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/at91-sama5d2_adc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 8854da453669..090cc1e8b4ea 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -73,7 +73,7 @@ + #define AT91_SAMA5D2_MR_ANACH BIT(23) + /* Tracking Time */ + #define AT91_SAMA5D2_MR_TRACKTIM(v) ((v) << 24) +-#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xff ++#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xf + /* Transfer Time */ + #define AT91_SAMA5D2_MR_TRANSFER(v) ((v) << 28) + #define AT91_SAMA5D2_MR_TRANSFER_MAX 0x3 +-- +2.35.1 + diff --git a/queue-5.4/iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch b/queue-5.4/iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch new file mode 100644 index 00000000000..df6cceea68d --- /dev/null +++ b/queue-5.4/iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch 
@@ -0,0 +1,79 @@ +From 66a32a6f6dda2ca9778db1258409fa9b55edb297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 13:28:39 +0300 +Subject: iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq + +From: Claudiu Beznea + +[ Upstream commit 9780a23ed5a0a0a63683e078f576719a98d4fb70 ] + +.read_raw()/.write_raw() could be called asynchronously from user space +or other in kernel drivers. Without locking on st->lock these could be +called asynchronously while there is a conversion in progress. Read will +be harmless but changing registers while conversion is in progress may +lead to inconsistent results. Thus, to avoid this lock st->lock. + +Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver") +Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220803102855.2191070-4-claudiu.beznea@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/at91-sama5d2_adc.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 20ef858d65c7..734762084968 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -1321,10 +1321,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev, + ret = at91_adc_read_position(st, chan->channel, + &tmp_val); + *val = tmp_val; +- mutex_unlock(&st->lock); +- iio_device_release_direct_mode(indio_dev); + if (ret > 0) + ret = at91_adc_adjust_val_osr(st, val); ++ mutex_unlock(&st->lock); ++ iio_device_release_direct_mode(indio_dev); + + return ret; + } +@@ -1337,10 +1337,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev, + ret = at91_adc_read_pressure(st, chan->channel, + &tmp_val); + *val = tmp_val; +- mutex_unlock(&st->lock); +- iio_device_release_direct_mode(indio_dev); + if (ret > 0) + ret 
= at91_adc_adjust_val_osr(st, val); ++ mutex_unlock(&st->lock); ++ iio_device_release_direct_mode(indio_dev); + + return ret; + } +@@ -1433,16 +1433,20 @@ static int at91_adc_write_raw(struct iio_dev *indio_dev, + /* if no change, optimize out */ + if (val == st->oversampling_ratio) + return 0; ++ mutex_lock(&st->lock); + st->oversampling_ratio = val; + /* update ratio */ + at91_adc_config_emr(st); ++ mutex_unlock(&st->lock); + return 0; + case IIO_CHAN_INFO_SAMP_FREQ: + if (val < st->soc_info.min_sample_rate || + val > st->soc_info.max_sample_rate) + return -EINVAL; + ++ mutex_lock(&st->lock); + at91_adc_setup_samp_freq(indio_dev, val); ++ mutex_unlock(&st->lock); + return 0; + default: + return -EINVAL; +-- +2.35.1 + diff --git a/queue-5.4/iio-inkern-only-release-the-device-node-when-done-wi.patch b/queue-5.4/iio-inkern-only-release-the-device-node-when-done-wi.patch new file mode 100644 index 00000000000..eb9830d9c0f --- /dev/null +++ b/queue-5.4/iio-inkern-only-release-the-device-node-when-done-wi.patch 
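Review bot: In the at91_adc_write_raw() hunk the `val == st->oversampling_ratio` comparison still reads the field before `mutex_lock(&st->lock)` is taken, so the "no change" shortcut is decided on a value another writer may be updating at that moment. Taking the lock before the comparison and releasing it on the early return puts the check and the update in one critical section. The sample-frequency branch has no such pre-read in the visible lines. at91_adc_write_raw() begins and ends outside the hunk, so the case label and any earlier validation of `val` were not reviewed.

```c
		/* … unchanged: case label and validation of val, outside the hunk … */
		mutex_lock(&st->lock);
		/* if no change, optimize out */
		if (val == st->oversampling_ratio) {
			mutex_unlock(&st->lock);
			return 0;
		}
		st->oversampling_ratio = val;
		/* … unchanged: at91_adc_config_emr(), unlock, return 0 … */
```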
@@ -0,0 +1,60 @@ +From 4c9506feff2c20666dd6032e6f073c5e3c395d9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 14:28:49 +0200 +Subject: iio: inkern: only release the device node when done with it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ] + +'of_node_put()' can potentially release the memory pointed to by +'iiospec.np' which would leave us with an invalid pointer (and we would +still pass it in 'of_xlate()'). Note that it is not guaranteed for the +of_node lifespan to be attached to the device (to which is attached) +lifespan so that there is (even though very unlikely) the possibility +for the node to be freed while the device is still around. Thus, as there +are indeed some of_xlate users which do access the node, a race is indeed +possible. + +As such, we can only release the node after we are done with it. + +Fixes: 17d82b47a215d ("iio: Add OF support") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/inkern.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c +index ca0fe902a7db..d00f3045557c 100644 +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -136,9 +136,10 @@ static int __of_iio_channel_get(struct iio_channel *channel, + + idev = bus_find_device(&iio_bus_type, NULL, iiospec.np, + iio_dev_node_match); +- of_node_put(iiospec.np); +- if (idev == NULL) ++ if (idev == NULL) { ++ of_node_put(iiospec.np); + return -EPROBE_DEFER; ++ } + + indio_dev = dev_to_iio_dev(idev); + channel->indio_dev = indio_dev; +@@ -146,6 +147,7 @@ static int __of_iio_channel_get(struct iio_channel *channel, + index = indio_dev->info->of_xlate(indio_dev, &iiospec); + else + index = __of_iio_simple_xlate(indio_dev, &iiospec); ++ 
of_node_put(iiospec.np); + if (index < 0) + goto err_put; + channel->channel = &indio_dev->channels[index]; +-- +2.35.1 + diff --git a/queue-5.4/iommu-iova-fix-module-config-properly.patch b/queue-5.4/iommu-iova-fix-module-config-properly.patch new file mode 100644 index 00000000000..2d5664b311a --- /dev/null +++ b/queue-5.4/iommu-iova-fix-module-config-properly.patch @@ -0,0 +1,43 @@ +From 52ebbd2f82ca3db4302122dd054a2597c0ef5165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 12:47:20 +0100 +Subject: iommu/iova: Fix module config properly + +From: Robin Murphy + +[ Upstream commit 4f58330fcc8482aa90674e1f40f601e82f18ed4a ] + +IOMMU_IOVA is intended to be an optional library for users to select as +and when they desire. Since it can be a module now, this means that +built-in code which has chosen not to select it should not fail to link +if it happens to have selected as a module by someone else. Replace +IS_ENABLED() with IS_REACHABLE() to do the right thing. + +CC: Thierry Reding +Reported-by: John Garry +Fixes: 15bbdec3931e ("iommu: Make the iova library a module") +Signed-off-by: Robin Murphy +Reviewed-by: Thierry Reding +Link: https://lore.kernel.org/r/548c2f683ca379aface59639a8f0cccc3a1ac050.1663069227.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + include/linux/iova.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/iova.h b/include/linux/iova.h +index a0637abffee8..6c19b09e9663 100644 +--- a/include/linux/iova.h ++++ b/include/linux/iova.h +@@ -132,7 +132,7 @@ static inline unsigned long iova_pfn(struct iova_domain *iovad, dma_addr_t iova) + return iova >> iova_shift(iovad); + } + +-#if IS_ENABLED(CONFIG_IOMMU_IOVA) ++#if IS_REACHABLE(CONFIG_IOMMU_IOVA) + int iova_cache_get(void); + void iova_cache_put(void); + +-- +2.35.1 + 
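Review bot: Nothing at the relocated `of_node_put(iiospec.np);` in the iio/inkern patch says why it has to come after the xlate call, and that ordering is the entire fix. A one-line comment above it, `/* of_xlate() may dereference iiospec.np; drop the reference only after it returns */`, would keep a later cleanup from hoisting the put back next to bus_find_device(). __of_iio_channel_get() begins and ends outside the hunks, so its other exit paths could not be checked for a matching put.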
diff --git a/queue-5.4/iommu-omap-fix-buffer-overflow-in-debugfs.patch b/queue-5.4/iommu-omap-fix-buffer-overflow-in-debugfs.patch new file mode 100644 index 00000000000..6be6647afc7 --- /dev/null +++ b/queue-5.4/iommu-omap-fix-buffer-overflow-in-debugfs.patch 
@@ -0,0 +1,53 @@
+From 8b69f23c486679c4c561418f4f9617b98cd9c9d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Aug 2022 17:32:39 +0300
+Subject: iommu/omap: Fix buffer overflow in debugfs
+
+From: Dan Carpenter
+
+[ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ]
+
+There are two issues here:
+
+1) The "len" variable needs to be checked before the very first write.
+ Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
+ buffer overflow.
+2) The snprintf() function returns the number of bytes that *would* have
+ been copied if there were enough space. But we want to know the
+ number of bytes which were *actually* copied so use scnprintf()
+ instead.
+
+Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Robin Murphy
+Reviewed-by: Laurent Pinchart
+Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
+Signed-off-by: Joerg Roedel
+Signed-off-by: Sasha Levin
+---
+ drivers/iommu/omap-iommu-debug.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
+index a99afb5d9011..259f65291d90 100644
+--- a/drivers/iommu/omap-iommu-debug.c
++++ b/drivers/iommu/omap-iommu-debug.c
+@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
+ ssize_t bytes; \
+ const char *str = "%20s: %08x\n"; \
+ const int maxcol = 32; \
+- bytes = snprintf(p, maxcol, str, __stringify(name), \
++ if (len < maxcol) \
++ goto out; \
++ bytes = scnprintf(p, maxcol, str, __stringify(name), \
+ iommu_read_reg(obj, MMU_##name)); \
+ p += bytes; \
+ len -= bytes; \
+- if (len < maxcol) \
+- goto out; \
+ } while (0)
+
+ static ssize_t
+--
+2.35.1
+
diff --git a/queue-5.4/kbuild-remove-the-target-in-signal-traps-when-interr.patch b/queue-5.4/kbuild-remove-the-target-in-signal-traps-when-interr.patch
new file mode 100644
index 00000000000..009c905478f
--- /dev/null
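Review bot: The reordered guard `if (len < maxcol) goto out;` is what makes the fixed `maxcol` bound passed to scnprintf() safe, yet the macro has no comment tying the two together, so the check reads as movable again. A comment above the macro, `/* each expansion writes at most maxcol bytes at p; len must be checked before the write, not after */`, would record that invariant. The macro also depends on `p`, `len` and an `out` label supplied by the expanding function; its opening line and those declarations are outside the hunk, so that hidden contract is worth stating in the same comment.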
+++ b/queue-5.4/kbuild-remove-the-target-in-signal-traps-when-interr.patch 
@@ -0,0 +1,172 @@ +From 32b494a950ab28165c284b85d2a3ba54f712412b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 09:48:09 +0900 +Subject: kbuild: remove the target in signal traps when interrupted + +From: Masahiro Yamada + +[ Upstream commit a7f3257da8a86b96fb9bf1bba40ae0bbd7f1885a ] + +When receiving some signal, GNU Make automatically deletes the target if +it has already been changed by the interrupted recipe. + +If the target is possibly incomplete due to interruption, it must be +deleted so that it will be remade from scratch on the next run of make. +Otherwise, the target would remain corrupted permanently because its +timestamp had already been updated. + +Thanks to this behavior of Make, you can stop the build any time by +pressing Ctrl-C, and just run 'make' to resume it. + +Kbuild also relies on this feature, but it is equivalently important +for any build systems that make decisions based on timestamps (if you +want to support Ctrl-C reliably). + +However, this does not always work as claimed; Make immediately dies +with Ctrl-C if its stderr goes into a pipe. + + [Test Makefile] + + foo: + echo hello > $@ + sleep 3 + echo world >> $@ + + [Test Result] + + $ make # hit Ctrl-C + echo hello > foo + sleep 3 + ^Cmake: *** Deleting file 'foo' + make: *** [Makefile:3: foo] Interrupt + + $ make 2>&1 | cat # hit Ctrl-C + echo hello > foo + sleep 3 + ^C$ # 'foo' is often left-over + +The reason is because SIGINT is sent to the entire process group. +In this example, SIGINT kills 'cat', and 'make' writes the message to +the closed pipe, then dies with SIGPIPE before cleaning the target. + +A typical bad scenario (as reported by [1], [2]) is to save build log +by using the 'tee' command: + + $ make 2>&1 | tee log + +This can be problematic for any build systems based on Make, so I hope +it will be fixed in GNU Make. The maintainer of GNU Make stated this is +a long-standing issue and difficult to fix [3]. It has not been fixed +yet as of writing. 
+ +So, we cannot rely on Make cleaning the target. We can do it by +ourselves, in signal traps. + +As far as I understand, Make takes care of SIGHUP, SIGINT, SIGQUIT, and +SITERM for the target removal. I added the traps for them, and also for +SIGPIPE just in case cmd_* rule prints something to stdout or stderr +(but I did not observe an actual case where SIGPIPE was triggered). + +[Note 1] + +The trap handler might be worth explaining. + + rm -f $@; trap - $(sig); kill -s $(sig) $$ + +This lets the shell kill itself by the signal it caught, so the parent +process can tell the child has exited on the signal. Generally, this is +a proper manner for handling signals, in case the calling program (like +Bash) may monitor WIFSIGNALED() and WTERMSIG() for WCE although this may +not be a big deal here because GNU Make handles SIGHUP, SIGINT, SIGQUIT +in WUE and SIGTERM in IUE. + + IUE - Immediate Unconditional Exit + WUE - Wait and Unconditional Exit + WCE - Wait and Cooperative Exit + +For details, see "Proper handling of SIGINT/SIGQUIT" [4]. + +[Note 2] + +Reverting 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd +files") would directly address [1], but it only saves if_changed_dep. +As reported in [2], all commands that use redirection can potentially +leave an empty (i.e. broken) target. + +[Note 3] + +Another (even safer) approach might be to always write to a temporary +file, and rename it to $@ at the end of the recipe. + + > $(tmp-target) + mv $(tmp-target) $@ + +It would require a lot of Makefile changes, and result in ugly code, +so I did not take it. + +[Note 4] + +A little more thoughts about a pattern rule with multiple targets (or +a grouped target). + + %.x %.y: %.z + + +When interrupted, GNU Make deletes both %.x and %.y, while this solution +only deletes $@. Probably, this is not a big deal. The next run of make +will execute the rule again to create $@ along with the other files. 
+ +[1]: https://lore.kernel.org/all/YLeot94yAaM4xbMY@gmail.com/ +[2]: https://lore.kernel.org/all/20220510221333.2770571-1-robh@kernel.org/ +[3]: https://lists.gnu.org/archive/html/help-make/2021-06/msg00001.html +[4]: https://www.cons.org/cracauer/sigint.html + +Fixes: 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd files") +Reported-by: Ingo Molnar +Reported-by: Rob Herring +Signed-off-by: Masahiro Yamada +Tested-by: Ingo Molnar +Reviewed-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/Kbuild.include | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index b14a7d4a2f05..5d247d8f1e04 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -187,8 +187,29 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\ + quiet_redirect := + silent_redirect := exec >/dev/null; + ++# Delete the target on interruption ++# ++# GNU Make automatically deletes the target if it has already been changed by ++# the interrupted recipe. So, you can safely stop the build by Ctrl-C (Make ++# will delete incomplete targets), and resume it later. ++# ++# However, this does not work when the stderr is piped to another program, like ++# $ make >&2 | tee log ++# Make dies with SIGPIPE before cleaning the targets. ++# ++# To address it, we clean the target in signal traps. ++# ++# Make deletes the target when it catches SIGHUP, SIGINT, SIGQUIT, SIGTERM. ++# So, we cover them, and also SIGPIPE just in case. ++# ++# Of course, this is unneeded for phony targets. 
++delete-on-interrupt = \ ++ $(if $(filter-out $(PHONY), $@), \ ++ $(foreach sig, HUP INT QUIT TERM PIPE, \ ++ trap 'rm -f $@; trap - $(sig); kill -s $(sig) $$$$' $(sig);)) ++ + # printing commands +-cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(cmd_$(1)) ++cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(delete-on-interrupt) $(cmd_$(1)) + + ### + # if_changed - execute command if any prerequisite is newer than +-- +2.35.1 + diff --git a/queue-5.4/libbpf-fix-overrun-in-netlink-attribute-iteration.patch b/queue-5.4/libbpf-fix-overrun-in-netlink-attribute-iteration.patch new file mode 100644 index 00000000000..1801e676479 --- /dev/null +++ b/queue-5.4/libbpf-fix-overrun-in-netlink-attribute-iteration.patch @@ -0,0 +1,38 @@ +From fe15cee82c08ece892fd13db6fb5ed2823ae56d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 17:07:08 +0800 +Subject: libbpf: Fix overrun in netlink attribute iteration + +From: Xin Liu + +[ Upstream commit 51e05a8cf8eb34da7473823b7f236a77adfef0b4 ] + +I accidentally found that a change in commit 1045b03e07d8 ("netlink: fix +overrun in attribute iteration") was not synchronized to the function +`nla_ok` in tools/lib/bpf/nlattr.c, I think it is necessary to modify, +this patch will do it. + +Signed-off-by: Xin Liu +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220930090708.62394-1-liuxin350@huawei.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index 1e69c0c8d413..faa6256d857a 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -31,7 +31,7 @@ static struct nlattr *nla_next(const struct nlattr *nla, int *remaining) + + static int nla_ok(const struct nlattr *nla, int remaining) + { +- return remaining >= sizeof(*nla) && ++ return remaining >= (int)sizeof(*nla) && + nla->nla_len >= sizeof(*nla) && + nla->nla_len <= remaining; + } +-- +2.35.1 + 
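Review bot: The example in the new comment block of scripts/Kbuild.include, `$ make >&2 | tee log`, does not show the failing case it is meant to illustrate: it redirects stdout to stderr, so stderr never goes into the pipe. The commit message reproduces the problem with `make 2>&1 | tee log`, and the comment line should use that same command. As written, a reader who tries the documented command will not see the left-over target that the trap is there to remove.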
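Review bot: The `(int)` cast in `nla_ok` carries the whole fix, but nothing in the code says why it is needed. Without it `remaining` is converted to the unsigned type of `sizeof`, so a negative `remaining` compares as a very large value and the first length check passes. A comment above the return, `/* compare as signed: a negative remaining must fail here, not wrap to a huge unsigned value */`, would keep the cast from being removed later as redundant.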
diff --git a/queue-5.4/mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch b/queue-5.4/mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch new file mode 100644 index 00000000000..604f460f56c --- /dev/null +++ b/queue-5.4/mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch @@ -0,0 +1,47 @@ +From b08a51444e852276d5d0e1aadacf375bae9e0cec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 12:13:35 +0200 +Subject: mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg + +From: Jack Wang + +[ Upstream commit 6b207ce8a96a71e966831e3a13c38143ba9a73c1 ] + +dma_map_sg return 0 on error, fix the error check, and return -EIO +to caller. + +Fixes: dbc049eee730 ("mailbox: Add driver for Broadcom FlexRM ring manager") +Signed-off-by: Jack Wang +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm-flexrm-mailbox.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c +index 8ee9db274802..f7191dbef6fa 100644 +--- a/drivers/mailbox/bcm-flexrm-mailbox.c ++++ b/drivers/mailbox/bcm-flexrm-mailbox.c +@@ -632,15 +632,15 @@ static int flexrm_spu_dma_map(struct device *dev, struct brcm_message *msg) + + rc = dma_map_sg(dev, msg->spu.src, sg_nents(msg->spu.src), + DMA_TO_DEVICE); +- if (rc < 0) +- return rc; ++ if (!rc) ++ return -EIO; + + rc = dma_map_sg(dev, msg->spu.dst, sg_nents(msg->spu.dst), + DMA_FROM_DEVICE); +- if (rc < 0) { ++ if (!rc) { + dma_unmap_sg(dev, msg->spu.src, sg_nents(msg->spu.src), + DMA_TO_DEVICE); +- return rc; ++ return -EIO; + } + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch b/queue-5.4/md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch new file mode 100644 index 00000000000..e1d7732521c --- /dev/null +++ b/queue-5.4/md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch 
@@ -0,0 +1,48 @@
+From 8b1a1a05aeec8003577acfbad1367d564a196087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Aug 2022 09:46:27 -0600
+Subject: md/raid5: Ensure stripe_fill happens on non-read IO with journal
+
+From: Logan Gunthorpe
+
+[ Upstream commit e2eed85bc75138a9eeb63863d20f8904ac42a577 ]
+
+When doing degrade/recover tests using the journal a kernel BUG
+is hit at drivers/md/raid5.c:4381 in handle_parity_checks5():
+
+ BUG_ON(!test_bit(R5_UPTODATE, &dev->flags));
+
+This was found to occur because handle_stripe_fill() was skipped
+for stripes in the journal due to a condition in that function.
+Thus blocks were not fetched and R5_UPTODATE was not set when
+the code reached handle_parity_checks5().
+
+To fix this, don't skip handle_stripe_fill() unless the stripe is
+for read.
+
+Fixes: 07e83364845e ("md/r5cache: shift complex rmw from read path to write path")
+Link: https://lore.kernel.org/linux-raid/e05c4239-41a9-d2f7-3cfa-4aa9d2cea8c1@deltatee.com/
+Suggested-by: Song Liu
+Signed-off-by: Logan Gunthorpe
+Signed-off-by: Song Liu
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index fe99e8cdc026..a7753e859ea9 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -3728,7 +3728,7 @@ static void handle_stripe_fill(struct stripe_head *sh,
+ * back cache (prexor with orig_page, and then xor with
+ * page) in the read path
+ */
+- if (s->injournal && s->failed) {
++ if (s->to_read && s->injournal && s->failed) {
+ if (test_bit(STRIPE_R5C_CACHING, &sh->state))
+ r5c_make_stripe_write_out(sh);
+ goto out;
+--
+2.35.1
+
diff --git a/queue-5.4/md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch b/queue-5.4/md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
new file mode 100644
index 00000000000..f5be0fb3564
--- /dev/null
+++ b/queue-5.4/md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
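Review bot: The block comment above the changed condition in handle_stripe_fill() is left as it was in the visible lines, although the early `goto out` is now taken only when `s->to_read` is set. The comment starts outside the hunk, so its opening may already cover this; if it does not, one sentence such as `Only skip the fill for reads; other IO still needs the blocks fetched so R5_UPTODATE is set before the parity checks.` would record the reason given in the commit message next to the condition it explains.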
@@ -0,0 +1,145 @@ +From 5fbdb0733629c69ab2cf30098826be470f014a2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 10:28:37 -0600 +Subject: md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d + +From: Logan Gunthorpe + +[ Upstream commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74 ] + +A complicated deadlock exists when using the journal and an elevated +group_thrtead_cnt. It was found with loop devices, but its not clear +whether it can be seen with real disks. The deadlock can occur simply +by writing data with an fio script. + +When the deadlock occurs, multiple threads will hang in different ways: + + 1) The group threads will hang in the blk-wbt code with bios waiting to + be submitted to the block layer: + + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + __submit_bio+0xe6/0x100 + submit_bio_noacct_nocheck+0x42e/0x470 + submit_bio_noacct+0x4c2/0xbb0 + ops_run_io+0x46b/0x1a30 + handle_stripe+0xcd3/0x36b0 + handle_active_stripes.constprop.0+0x6f6/0xa60 + raid5_do_work+0x177/0x330 + + Or: + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + __submit_bio+0xe6/0x100 + submit_bio_noacct_nocheck+0x42e/0x470 + submit_bio_noacct+0x4c2/0xbb0 + flush_deferred_bios+0x136/0x170 + raid5_do_work+0x262/0x330 + + 2) The r5l_reclaim thread will hang in the same way, submitting a + bio to the block layer: + + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + __submit_bio+0xe6/0x100 + submit_bio_noacct_nocheck+0x42e/0x470 + submit_bio_noacct+0x4c2/0xbb0 + submit_bio+0x3f/0xf0 + md_super_write+0x12f/0x1b0 + md_update_sb.part.0+0x7c6/0xff0 + 
md_update_sb+0x30/0x60 + r5l_do_reclaim+0x4f9/0x5e0 + r5l_reclaim_thread+0x69/0x30b + + However, before hanging, the MD_SB_CHANGE_PENDING flag will be + set for sb_flags in r5l_write_super_and_discard_space(). This + flag will never be cleared because the submit_bio() call never + returns. + + 3) Due to the MD_SB_CHANGE_PENDING flag being set, handle_stripe() + will do no processing on any pending stripes and re-set + STRIPE_HANDLE. This will cause the raid5d thread to enter an + infinite loop, constantly trying to handle the same stripes + stuck in the queue. + + The raid5d thread has a blk_plug that holds a number of bios + that are also stuck waiting seeing the thread is in a loop + that never schedules. These bios have been accounted for by + blk-wbt thus preventing the other threads above from + continuing when they try to submit bios. --Deadlock. + +To fix this, add the same wait_event() that is used in raid5_do_work() +to raid5d() such that if MD_SB_CHANGE_PENDING is set, the thread will +schedule and wait until the flag is cleared. The schedule action will +flush the plug which will allow the r5l_reclaim thread to continue, +thus preventing the deadlock. + +However, md_check_recovery() calls can also clear MD_SB_CHANGE_PENDING +from the same thread and can thus deadlock if the thread is put to +sleep. So avoid waiting if md_check_recovery() is being called in the +loop. 
+ +It's not clear when the deadlock was introduced, but the similar +wait_event() call in raid5_do_work() was added in 2017 by this +commit: + + 16d997b78b15 ("md/raid5: simplfy delaying of writes while metadata + is updated.") + +Link: https://lore.kernel.org/r/7f3b87b6-b52a-f737-51d7-a4eec5c44112@deltatee.com +Signed-off-by: Logan Gunthorpe +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index a7753e859ea9..d0c3f49c8c16 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -36,6 +36,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -6334,7 +6335,18 @@ static void raid5d(struct md_thread *thread) + spin_unlock_irq(&conf->device_lock); + md_check_recovery(mddev); + spin_lock_irq(&conf->device_lock); ++ ++ /* ++ * Waiting on MD_SB_CHANGE_PENDING below may deadlock ++ * seeing md_check_recovery() is needed to clear ++ * the flag when using mdmon. ++ */ ++ continue; + } ++ ++ wait_event_lock_irq(mddev->sb_wait, ++ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags), ++ conf->device_lock); + } + pr_debug("%d stripes handled\n", handled); + +-- +2.35.1 + diff --git a/queue-5.4/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch b/queue-5.4/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch new file mode 100644 index 00000000000..210f47bb79e --- /dev/null +++ b/queue-5.4/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch 
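Review bot: The `wait_event_lock_irq()` added at the bottom of the raid5d() loop has no timeout and relies on some other context clearing MD_SB_CHANGE_PENDING, and the new code does not say who that is. The added comment explains why the wait is skipped after md_check_recovery(), but the branch that calls md_check_recovery() looks like it is only entered when other sb_flags bits are set (the guarding `if` is outside the hunk, so this is inferred). If MD_SB_CHANGE_PENDING is the only bit set and the path that clears it needs this thread, raid5d would sleep with nothing left to wake it. I would document the expected waker next to the call, for example `/* cleared and woken by the superblock writer in another context; confirm for suspended arrays and mdmon */`, and check those two cases before relying on the wait. raid5d() begins and ends outside the hunk.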
@@ -0,0 +1,141 @@ +From 48a24637ba39fd0f3e0cd32c9c575a66d1e94ae3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 04:23:38 +0200 +Subject: media: cx88: Fix a null-ptr-deref bug in buffer_prepare() + +From: Zheyu Ma + +[ Upstream commit 2b064d91440b33fba5b452f2d1b31f13ae911d71 ] + +When the driver calls cx88_risc_buffer() to prepare the buffer, the +function call may fail, resulting in a empty buffer and null-ptr-deref +later in buffer_queue(). + +The following log can reveal it: + +[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +[ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 +[ 41.836311] Call Trace: +[ 41.836945] __enqueue_in_driver+0x141/0x360 +[ 41.837262] vb2_start_streaming+0x62/0x4a0 +[ 41.838216] vb2_core_streamon+0x1da/0x2c0 +[ 41.838516] __vb2_init_fileio+0x981/0xbc0 +[ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 +[ 41.840072] vb2_fop_read+0x20e/0x400 +[ 41.840346] v4l2_read+0x215/0x290 +[ 41.840603] vfs_read+0x162/0x4c0 + +Fix this by checking the return value of cx88_risc_buffer() + +[hverkuil: fix coding style issues] + +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx88/cx88-vbi.c | 9 +++--- + drivers/media/pci/cx88/cx88-video.c | 43 +++++++++++++++-------------- + 2 files changed, 26 insertions(+), 26 deletions(-) + +diff --git a/drivers/media/pci/cx88/cx88-vbi.c b/drivers/media/pci/cx88/cx88-vbi.c +index 58489ea0c1da..7cf2271866d0 100644 +--- a/drivers/media/pci/cx88/cx88-vbi.c ++++ b/drivers/media/pci/cx88/cx88-vbi.c +@@ -144,11 +144,10 @@ static int buffer_prepare(struct vb2_buffer *vb) + return -EINVAL; + vb2_set_plane_payload(vb, 0, size); + +- cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, +- 0, VBI_LINE_LENGTH * lines, +- VBI_LINE_LENGTH, 0, +- lines); +- return 0; 
++ return cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, ++ 0, VBI_LINE_LENGTH * lines, ++ VBI_LINE_LENGTH, 0, ++ lines); + } + + static void buffer_finish(struct vb2_buffer *vb) +diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c +index b8abcd550604..547e18da1ad7 100644 +--- a/drivers/media/pci/cx88/cx88-video.c ++++ b/drivers/media/pci/cx88/cx88-video.c +@@ -433,6 +433,7 @@ static int queue_setup(struct vb2_queue *q, + + static int buffer_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct cx8800_dev *dev = vb->vb2_queue->drv_priv; + struct cx88_core *core = dev->core; +@@ -447,35 +448,35 @@ static int buffer_prepare(struct vb2_buffer *vb) + + switch (core->field) { + case V4L2_FIELD_TOP: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, UNSET, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, UNSET, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_BOTTOM: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, UNSET, 0, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, UNSET, 0, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_SEQ_TB: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- 0, buf->bpl * (core->height >> 1), +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ 0, buf->bpl * (core->height >> 1), ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- buf->bpl * (core->height >> 1), 0, +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ buf->bpl * (core->height >> 1), 0, ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_INTERLACED: + default: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, buf->bpl, +- buf->bpl, buf->bpl, +- core->height >> 
1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, buf->bpl, ++ buf->bpl, buf->bpl, ++ core->height >> 1); + break; + } + dprintk(2, +@@ -483,7 +484,7 @@ static int buffer_prepare(struct vb2_buffer *vb) + buf, buf->vb.vb2_buf.index, __func__, + core->width, core->height, dev->fmt->depth, dev->fmt->fourcc, + (unsigned long)buf->risc.dma); +- return 0; ++ return ret; + } + + static void buffer_finish(struct vb2_buffer *vb) +-- +2.35.1 + diff --git a/queue-5.4/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch b/queue-5.4/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch new file mode 100644 index 00000000000..616364fe148 --- /dev/null +++ b/queue-5.4/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch @@ -0,0 +1,38 @@ +From dacb7d21b1e38397e095ec08195a6cf74e35c2c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 16:30:03 +0200 +Subject: media: exynos4-is: fimc-is: Add of_node_put() when breaking out of + loop + +From: Liang He + +[ Upstream commit 211f8304fa21aaedc2c247f0c9d6c7f1aaa61ad7 ] + +In fimc_is_register_subdevs(), we need to call of_node_put() for +the reference 'i2c_bus' when breaking out of the +for_each_compatible_node() which has increased the refcount. + +Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver") +Signed-off-by: Liang He +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-is.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c +index 9bb14bb2e498..c78c2a7f03fa 100644 +--- a/drivers/media/platform/exynos4-is/fimc-is.c ++++ b/drivers/media/platform/exynos4-is/fimc-is.c +@@ -214,6 +214,7 @@ static int fimc_is_register_subdevs(struct fimc_is *is) + + if (ret < 0 || index >= FIMC_IS_SENSORS_NUM) { + of_node_put(child); ++ of_node_put(i2c_bus); + return ret; + } + index++; +-- +2.35.1 + 
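Review bot: In the cx88-video.c buffer_prepare(), a failed cx88_risc_buffer() still falls through to the `dprintk(2, ...)` that prints `(unsigned long)buf->risc.dma`, so the debug line reports a DMA address for a program that was never built. Returning early right after the switch, `if (ret) return ret;`, keeps the log truthful and lets the final statement stay `return 0;`. The cx88-vbi.c hunk has no such trailing code and is fine as written. The start of buffer_prepare() in cx88-video.c lies between the two hunks and is not fully visible.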
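Review bot: The error branch in fimc_is_register_subdevs() returns `ret` for both halves of `ret < 0 || index >= FIMC_IS_SENSORS_NUM`, and on the second half `ret` is not negative, so running past the sensor limit is reported to the caller as success while the remaining nodes are skipped. If that is intended, a one-line comment such as `/* sensor table full: stop parsing, not an error */` would make it clear; if not, the branch should return an explicit error code. The added `of_node_put(i2c_bus)` itself matches the early exit from the iterator. The function continues outside the hunk.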
diff --git a/queue-5.4/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch b/queue-5.4/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch new file mode 100644 index 00000000000..4100d83a74c --- /dev/null +++ b/queue-5.4/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch @@ -0,0 +1,46 @@ +From a46b1abb1a9af88e5ee5642bed1c667f29b2961e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 18:12:36 +0800 +Subject: media: tm6000: Fix unused value in vidioc_try_fmt_vid_cap() + +From: Zeng Jingxiang + +[ Upstream commit d682869daa23938b5e8919db45c4b5b227749712 ] + +Coverity warns of an unused value: + +assigned_value: Assign the value of the variable f->fmt.pix.field +to field here, but that stored value is overwritten. +before it can be used. +919 field = f->fmt.pix.field; +920 + +value_overwrite: Overwriting previous write to field with +the value of V4L2_FIELD_INTERLACED. +921 field = V4L2_FIELD_INTERLACED; + +Fixes: ed57256f6fe8 ("[media] tm6000: fix G/TRY_FMT") +Signed-off-by: Zeng Jingxiang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-video.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c +index 8874b0b922ee..3ea7617f1fe9 100644 +--- a/drivers/media/usb/tm6000/tm6000-video.c ++++ b/drivers/media/usb/tm6000/tm6000-video.c +@@ -918,8 +918,6 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv, + return -EINVAL; + } + +- field = f->fmt.pix.field; +- + field = V4L2_FIELD_INTERLACED; + + tm6000_get_std_res(dev); +-- +2.35.1 + diff --git a/queue-5.4/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch b/queue-5.4/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch new file mode 100644 index 00000000000..91f036b9255 --- /dev/null +++ b/queue-5.4/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch 
@@ -0,0 +1,56 @@ +From 582b0f4375e95bcf63f09c2cab5fc8d8ef21814f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 06:25:14 +0200 +Subject: media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init + +From: Miaoqian Lin + +[ Upstream commit 1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a ] + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: df3305156f98 ("[media] v4l: xilinx: Add Xilinx Video IP core") +Signed-off-by: Miaoqian Lin +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/xilinx/xilinx-vipp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c b/drivers/media/platform/xilinx/xilinx-vipp.c +index cc2856efea59..f2b0c490187c 100644 +--- a/drivers/media/platform/xilinx/xilinx-vipp.c ++++ b/drivers/media/platform/xilinx/xilinx-vipp.c +@@ -472,7 +472,7 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev) + { + struct device_node *ports; + struct device_node *port; +- int ret; ++ int ret = 0; + + ports = of_get_child_by_name(xdev->dev->of_node, "ports"); + if (ports == NULL) { +@@ -482,13 +482,14 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev) + + for_each_child_of_node(ports, port) { + ret = xvip_graph_dma_init_one(xdev, port); +- if (ret < 0) { ++ if (ret) { + of_node_put(port); +- return ret; ++ break; + } + } + +- return 0; ++ of_node_put(ports); ++ return ret; + } + + static void xvip_graph_cleanup(struct xvip_composite_device *xdev) +-- +2.35.1 + diff --git a/queue-5.4/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch b/queue-5.4/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch new file mode 100644 index 00000000000..bb64c6784f0 --- /dev/null 
+++ b/queue-5.4/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch @@ -0,0 +1,37 @@ +From a5951fb6a301463f72da97797834c617981c9734 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 16:56:39 +0800 +Subject: memory: of: Fix refcount leak bug in of_get_ddr_timings() + +From: Liang He + +[ Upstream commit 05215fb32010d4afb68fbdbb4d237df6e2d4567b ] + +We should add the of_node_put() when breaking out of +for_each_child_of_node() as it will automatically increase +and decrease the refcount. + +Fixes: e6b42eb6a66c ("memory: emif: add device tree support to emif driver") +Signed-off-by: Liang He +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220719085640.1210583-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/memory/of_memory.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c +index 46539b27a3fb..835754304a7f 100644 +--- a/drivers/memory/of_memory.c ++++ b/drivers/memory/of_memory.c +@@ -132,6 +132,7 @@ const struct lpddr2_timings *of_get_ddr_timings(struct device_node *np_ddr, + for_each_child_of_node(np_ddr, np_tim) { + if (of_device_is_compatible(np_tim, tim_compat)) { + if (of_do_get_timings(np_tim, &timings[i])) { ++ of_node_put(np_tim); + devm_kfree(dev, timings); + goto default_timings; + } +-- +2.35.1 + diff --git a/queue-5.4/memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch b/queue-5.4/memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch new file mode 100644 index 00000000000..5a3149a3015 --- /dev/null +++ b/queue-5.4/memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch 
@@ -0,0 +1,41 @@ +From 831abb2c9af66a9bcddac9878e7d8050b4481f0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Jul 2022 11:13:24 +0800 +Subject: memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe() + +From: Liang He + +[ Upstream commit 61b3c876c1cbdb1efd1f52a1f348580e6e14efb6 ] + +The break of for_each_available_child_of_node() needs a +corresponding of_node_put() when the reference 'child' is not +used anymore. Here we do not need to call of_node_put() in +fail path as '!match' means no break. + +While the of_platform_device_create() will created a new +reference by 'child' but it has considered the refcounting. + +Fixes: fee10bd22678 ("memory: pl353: Add driver for arm pl353 static memory controller") +Signed-off-by: Liang He +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220716031324.447680-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/memory/pl353-smc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memory/pl353-smc.c b/drivers/memory/pl353-smc.c +index cc01979780d8..322d7ead0031 100644 +--- a/drivers/memory/pl353-smc.c ++++ b/drivers/memory/pl353-smc.c +@@ -416,6 +416,7 @@ static int pl353_smc_probe(struct amba_device *adev, const struct amba_id *id) + if (init) + init(adev, child); + of_platform_device_create(child, NULL, &adev->dev); ++ of_node_put(child); + + return 0; + +-- +2.35.1 + diff --git a/queue-5.4/mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch b/queue-5.4/mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch new file mode 100644 index 00000000000..dbf1af5d02f --- /dev/null +++ b/queue-5.4/mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch 
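Review bot: The result of `of_platform_device_create(child, NULL, &adev->dev)` in pl353_smc_probe() is still discarded, so a child device that could not be created ends in `return 0` and the probe reports success. The added `of_node_put(child)` is placed correctly after the last use of `child`, but the call above it should be checked and a failure routed to the function's existing error labels, which are outside the hunk. If ignoring the failure is deliberate, a short comment saying so would help the next reader.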
@@ -0,0 +1,82 @@ +From 63c0eeeb6b478f282b4d05390b3c80ceb992b43f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 14:06:23 +0200 +Subject: mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() + +From: Christophe JAILLET + +[ Upstream commit 3fa9e4cfb55da512ebfd57336fde468830719298 ] + +If devm_of_platform_populate() fails, some resources need to be +released. + +Introduce a mx25_tsadc_unset_irq() function that undoes +mx25_tsadc_setup_irq() and call it both from the new error handling path +of the probe and in the remove function. + +Fixes: a55196eff6d6 ("mfd: fsl-imx25: Use devm_of_platform_populate()") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/d404e04828fc06bcfddf81f9f3e9b4babbe35415.1659269156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/fsl-imx25-tsadc.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c +index a016b39fe9b0..95103b2cc471 100644 +--- a/drivers/mfd/fsl-imx25-tsadc.c ++++ b/drivers/mfd/fsl-imx25-tsadc.c +@@ -84,6 +84,19 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev, + return 0; + } + ++static int mx25_tsadc_unset_irq(struct platform_device *pdev) ++{ ++ struct mx25_tsadc *tsadc = platform_get_drvdata(pdev); ++ int irq = platform_get_irq(pdev, 0); ++ ++ if (irq) { ++ irq_set_chained_handler_and_data(irq, NULL, NULL); ++ irq_domain_remove(tsadc->domain); ++ } ++ ++ return 0; ++} ++ + static void mx25_tsadc_setup_clk(struct platform_device *pdev, + struct mx25_tsadc *tsadc) + { +@@ -171,18 +184,21 @@ static int mx25_tsadc_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, tsadc); + +- return devm_of_platform_populate(dev); ++ ret = devm_of_platform_populate(dev); ++ if (ret) ++ goto err_irq; ++ ++ return 0; ++ ++err_irq: ++ mx25_tsadc_unset_irq(pdev); ++ ++ return ret; + } + + static 
int mx25_tsadc_remove(struct platform_device *pdev) + { +- struct mx25_tsadc *tsadc = platform_get_drvdata(pdev); +- int irq = platform_get_irq(pdev, 0); +- +- if (irq) { +- irq_set_chained_handler_and_data(irq, NULL, NULL); +- irq_domain_remove(tsadc->domain); +- } ++ mx25_tsadc_unset_irq(pdev); + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.4/mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch b/queue-5.4/mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch new file mode 100644 index 00000000000..6c59771eeb7 --- /dev/null +++ b/queue-5.4/mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch 
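Review bot: The new helper `mx25_tsadc_unset_irq()` is declared `static int` but can only return 0, and both callers (the `err_irq:` path in mx25_tsadc_probe() and mx25_tsadc_remove()) ignore the value, so it should be `static void`. It also calls `platform_get_irq(pdev, 0)` a second time at teardown instead of reusing the number obtained in mx25_tsadc_setup_irq(); storing the irq in `struct mx25_tsadc` would avoid a lookup that can fail on the cleanup path. A one-line comment stating that the helper must only run after mx25_tsadc_setup_irq() succeeded and drvdata is set would document the ordering the probe error path depends on.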
@@ -0,0 +1,49 @@ +From a156878d646b44b378546b0e17fe6fcae3265329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 13:53:05 +0300 +Subject: mfd: fsl-imx25: Fix check for platform_get_irq() errors + +From: Dan Carpenter + +[ Upstream commit 75db7907355ca5e2ff606e9dd3e86b6c3a455fe2 ] + +The mx25_tsadc_remove() function assumes all non-zero returns are success +but the platform_get_irq() function returns negative on error and +positive non-zero values on success. It never returns zero, but if it +did then treat that as a success. + +Fixes: 18f773937968 ("mfd: fsl-imx25: Clean up irq settings during removal") +Signed-off-by: Dan Carpenter +Reviewed-by: Martin Kaiser +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/YvTfkbVQWYKMKS/t@kili +Signed-off-by: Sasha Levin +--- + drivers/mfd/fsl-imx25-tsadc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c +index 95103b2cc471..5f1f6f3a0696 100644 +--- a/drivers/mfd/fsl-imx25-tsadc.c ++++ b/drivers/mfd/fsl-imx25-tsadc.c +@@ -69,7 +69,7 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev, + int irq; + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) + return irq; + + tsadc->domain = irq_domain_add_simple(np, 2, 0, &mx25_tsadc_domain_ops, +@@ -89,7 +89,7 @@ static int mx25_tsadc_unset_irq(struct platform_device *pdev) + struct mx25_tsadc *tsadc = platform_get_drvdata(pdev); + int irq = platform_get_irq(pdev, 0); + +- if (irq) { ++ if (irq >= 0) { + irq_set_chained_handler_and_data(irq, NULL, NULL); + irq_domain_remove(tsadc->domain); + } +-- +2.35.1 + diff --git a/queue-5.4/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch b/queue-5.4/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch new file mode 100644 index 00000000000..fa70be4084c --- /dev/null +++ b/queue-5.4/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch 
@@ -0,0 +1,42 @@ +From e8b7f644a3b06d1810d1b0781e9f52570aea823f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:42:02 +0300 +Subject: mfd: intel_soc_pmic: Fix an error handling path in + intel_soc_pmic_i2c_probe() + +From: Christophe JAILLET + +[ Upstream commit 48749cabba109397b4e7dd556e85718ec0ec114d ] + +The commit in Fixes: has added a pwm_add_table() call in the probe() and +a pwm_remove_table() call in the remove(), but forget to update the error +handling path of the probe. + +Add the missing pwm_remove_table() call. + +Fixes: a3aa9a93df9f ("mfd: intel_soc_pmic_core: ADD PWM lookup table for CRC PMIC based PWM") +Signed-off-by: Christophe JAILLET +Signed-off-by: Andy Shevchenko +Reviewed-by: Hans de Goede +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220801114211.36267-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel_soc_pmic_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c +index c9f35378d391..4d9b2ad9b086 100644 +--- a/drivers/mfd/intel_soc_pmic_core.c ++++ b/drivers/mfd/intel_soc_pmic_core.c +@@ -111,6 +111,7 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c, + return 0; + + err_del_irq_chip: ++ pwm_remove_table(crc_pwm_lookup, ARRAY_SIZE(crc_pwm_lookup)); + regmap_del_irq_chip(pmic->irq, pmic->irq_chip_data); + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch b/queue-5.4/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch new file mode 100644 index 00000000000..d94c67cc0c5 --- /dev/null +++ b/queue-5.4/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch 
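Review bot: The label `err_del_irq_chip` in intel_soc_pmic_i2c_probe() now also calls `pwm_remove_table()`, and the hunk does not show whether every `goto` that reaches it comes after `pwm_add_table()`. If any jump happens earlier, the removal would run on lookup entries that were never added, so that ordering should be confirmed in the part of the probe that is outside the hunk. Since the label undoes more than the irq chip now, renaming it or adding `/* undo pwm_add_table() and regmap_add_irq_chip() */` above it would keep the cleanup readable.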
@@ -0,0 +1,48 @@ +From f9de0a28e72db0b7bc98c3e79945521afb74e071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:55:38 +0200 +Subject: mfd: lp8788: Fix an error handling path in lp8788_irq_init() and + lp8788_irq_init() + +From: Christophe JAILLET + +[ Upstream commit 557244f6284f30613f2d61f14b579303165876c3 ] + +In lp8788_irq_init(), if an error occurs after a successful +irq_domain_add_linear() call, it must be undone by a corresponding +irq_domain_remove() call. + +irq_domain_remove() should also be called in lp8788_irq_exit() for the same +reason. + +Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/bcd5a72c9c1c383dd6324680116426e32737655a.1659261275.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/lp8788-irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mfd/lp8788-irq.c b/drivers/mfd/lp8788-irq.c +index 348439a3fbbd..39006297f3d2 100644 +--- a/drivers/mfd/lp8788-irq.c ++++ b/drivers/mfd/lp8788-irq.c +@@ -175,6 +175,7 @@ int lp8788_irq_init(struct lp8788 *lp, int irq) + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "lp8788-irq", irqd); + if (ret) { ++ irq_domain_remove(lp->irqdm); + dev_err(lp->dev, "failed to create a thread for IRQ_N\n"); + return ret; + } +@@ -188,4 +189,6 @@ void lp8788_irq_exit(struct lp8788 *lp) + { + if (lp->irq) + free_irq(lp->irq, lp->irqdm); ++ if (lp->irqdm) ++ irq_domain_remove(lp->irqdm); + } +-- +2.35.1 + diff --git a/queue-5.4/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch b/queue-5.4/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch new file mode 100644 index 00000000000..cd24bf6188c --- /dev/null +++ b/queue-5.4/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch 
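Review bot: In lp8788_irq_init() the error branch calls `irq_domain_remove(lp->irqdm)` but leaves `lp->irqdm` pointing at the removed domain, while lp8788_irq_exit() now removes the domain whenever that pointer is non-NULL. Adding `lp->irqdm = NULL;` after the remove in the error branch makes a later lp8788_irq_exit() safe regardless of how callers order the two. Separately, the registration call in the context lines passes `irqd` as its last argument while `free_irq(lp->irq, lp->irqdm)` passes a different pointer; if those are the dev_id on both sides, the handler is never actually released, which is worth checking against the part of lp8788_irq_init() outside the hunk.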
@@ -0,0 +1,50 @@ +From d05ad12c3a8fc903721eea44061562e06ab598b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:55:27 +0200 +Subject: mfd: lp8788: Fix an error handling path in lp8788_probe() + +From: Christophe JAILLET + +[ Upstream commit becfdcd75126b20b8ec10066c5e85b34f8994ad5 ] + +Should an error occurs in mfd_add_devices(), some resources need to be +released, as already done in the .remove() function. + +Add an error handling path and a lp8788_irq_exit() call to undo a previous +lp8788_irq_init(). + +Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/18398722da9df9490722d853e4797350189ae79b.1659261275.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/lp8788.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/lp8788.c b/drivers/mfd/lp8788.c +index 768d556b3fe9..5c3d642c8e3a 100644 +--- a/drivers/mfd/lp8788.c ++++ b/drivers/mfd/lp8788.c +@@ -195,8 +195,16 @@ static int lp8788_probe(struct i2c_client *cl, const struct i2c_device_id *id) + if (ret) + return ret; + +- return mfd_add_devices(lp->dev, -1, lp8788_devs, +- ARRAY_SIZE(lp8788_devs), NULL, 0, NULL); ++ ret = mfd_add_devices(lp->dev, -1, lp8788_devs, ++ ARRAY_SIZE(lp8788_devs), NULL, 0, NULL); ++ if (ret) ++ goto err_exit_irq; ++ ++ return 0; ++ ++err_exit_irq: ++ lp8788_irq_exit(lp); ++ return ret; + } + + static int lp8788_remove(struct i2c_client *cl) +-- +2.35.1 + diff --git a/queue-5.4/mfd-sm501-add-check-for-platform_driver_register.patch b/queue-5.4/mfd-sm501-add-check-for-platform_driver_register.patch new file mode 100644 index 00000000000..f71258d5a9e --- /dev/null +++ b/queue-5.4/mfd-sm501-add-check-for-platform_driver_register.patch 
@@ -0,0 +1,43 @@ +From 658ce340a62b805e0a208ff44a2bdc409709ea70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 17:11:12 +0800 +Subject: mfd: sm501: Add check for platform_driver_register() + +From: Jiasheng Jiang + +[ Upstream commit 8325a6c24ad78b8c1acc3c42b098ee24105d68e5 ] + +As platform_driver_register() can return error numbers, +it should be better to check platform_driver_register() +and deal with the exception. + +Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220913091112.1739138-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index bbcde58e2a11..aab8d8910319 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -1733,7 +1733,12 @@ static struct platform_driver sm501_plat_driver = { + + static int __init sm501_base_init(void) + { +- platform_driver_register(&sm501_plat_driver); ++ int ret; ++ ++ ret = platform_driver_register(&sm501_plat_driver); ++ if (ret < 0) ++ return ret; ++ + return pci_register_driver(&sm501_pci_driver); + } + +-- +2.35.1 + diff --git a/queue-5.4/mips-bcm47xx-cast-memcmp-of-function-to-void.patch b/queue-5.4/mips-bcm47xx-cast-memcmp-of-function-to-void.patch new file mode 100644 index 00000000000..bd449a5e7ad --- /dev/null +++ b/queue-5.4/mips-bcm47xx-cast-memcmp-of-function-to-void.patch 
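Review bot: In sm501_base_init() a failure of `pci_register_driver(&sm501_pci_driver)` is returned to the caller while `sm501_plat_driver` stays registered, so a failed init leaves a platform driver behind that refers to code about to be unloaded. The second registration needs the matching unwind: `ret = pci_register_driver(&sm501_pci_driver);` followed by `if (ret) platform_driver_unregister(&sm501_plat_driver);` and `return ret;`. The new check on platform_driver_register() is fine as written.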
@@ -0,0 +1,62 @@ +From f7bbb3b92c302c93fe2d718f92443fbfae74dc92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:05:56 -0700 +Subject: MIPS: BCM47XX: Cast memcmp() of function to (void *) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 0dedcf6e3301836eb70cfa649052e7ce4fcd13ba ] + +Clang is especially sensitive about argument type matching when using +__overloaded functions (like memcmp(), etc). Help it see that function +pointers are just "void *". Avoids this error: + +arch/mips/bcm47xx/prom.c:89:8: error: no matching function for call to 'memcmp' + if (!memcmp(prom_init, prom_init + mem, 32)) + ^~~~~~ +include/linux/string.h:156:12: note: candidate function not viable: no known conversion from 'void (void)' to 'const void *' for 1st argument extern int memcmp(const void *,const void *,__kernel_size_t); + +Cc: Hauke Mehrtens +Cc: "Rafał Miłecki" +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: llvm@lists.linux.dev +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/202209080652.sz2d68e5-lkp@intel.com +Signed-off-by: Kees Cook +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm47xx/prom.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/bcm47xx/prom.c b/arch/mips/bcm47xx/prom.c +index 135a5407f015..d26d9a6f6ee7 100644 +--- a/arch/mips/bcm47xx/prom.c ++++ b/arch/mips/bcm47xx/prom.c +@@ -85,7 +85,7 @@ static __init void prom_init_mem(void) + pr_debug("Assume 128MB RAM\n"); + break; + } +- if (!memcmp(prom_init, prom_init + mem, 32)) ++ if (!memcmp((void *)prom_init, (void *)prom_init + mem, 32)) + break; + } + lowmem = mem; +@@ -162,7 +162,7 @@ void __init bcm47xx_prom_highmem_init(void) + + off = EXTVBASE + __pa(off); + for (extmem = 128 << 20; extmem < 512 << 20; extmem <<= 1) { +- if (!memcmp(prom_init, (void *)(off + 
extmem), 16)) ++ if (!memcmp((void *)prom_init, (void *)(off + extmem), 16)) + break; + } + extmem -= lowmem; +-- +2.35.1 + diff --git a/queue-5.4/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch b/queue-5.4/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch new file mode 100644 index 00000000000..5994f2e074e --- /dev/null +++ b/queue-5.4/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch @@ -0,0 +1,38 @@ +From dd3708206b6b84e519de395054d9d74babb8d8b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 16:26:00 +0800 +Subject: misc: ocxl: fix possible refcount leak in afu_ioctl() + +From: Hangyu Hua + +[ Upstream commit c3b69ba5114c860d730870c03ab4ee45276e5e35 ] + +eventfd_ctx_put need to be called to put the refcount that gotten by +eventfd_ctx_fdget when ocxl_irq_set_handler fails. + +Fixes: 060146614643 ("ocxl: move event_fd handling to frontend") +Acked-by: Frederic Barrat +Signed-off-by: Hangyu Hua +Link: https://lore.kernel.org/r/20220824082600.36159-1-hbh25y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ocxl/file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c +index c742ab02ae18..e094809b54ff 100644 +--- a/drivers/misc/ocxl/file.c ++++ b/drivers/misc/ocxl/file.c +@@ -259,6 +259,8 @@ static long afu_ioctl(struct file *file, unsigned int cmd, + if (IS_ERR(ev_ctx)) + return PTR_ERR(ev_ctx); + rc = ocxl_irq_set_handler(ctx, irq_id, irq_handler, irq_free, ev_ctx); ++ if (rc) ++ eventfd_ctx_put(ev_ctx); + break; + + case OCXL_IOCTL_GET_METADATA: +-- +2.35.1 + diff --git a/queue-5.4/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch b/queue-5.4/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch new file mode 100644 index 00000000000..cabf52040b1 --- /dev/null +++ b/queue-5.4/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch 
@@ -0,0 +1,97 @@ +From 4522617fa13d179425dc20afc0ac2ea87ab75cef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 21:39:38 +0800 +Subject: mISDN: fix use-after-free bugs in l1oip timer handlers + +From: Duoming Zhou + +[ Upstream commit 2568a7e0832ee30b0a351016d03062ab4e0e0a3f ] + +The l1oip_cleanup() traverses the l1oip_ilist and calls +release_card() to cleanup module and stack. However, +release_card() calls del_timer() to delete the timers +such as keep_tl and timeout_tl. If the timer handler is +running, the del_timer() will not stop it and result in +UAF bugs. One of the processes is shown below: + + (cleanup routine) | (timer handler) +release_card() | l1oip_timeout() + ... | + del_timer() | ... + ... | + kfree(hc) //FREE | + | hc->timeout_on = 0 //USE + +Fix by calling del_timer_sync() in release_card(), which +makes sure the timer handlers have finished before the +resources, such as l1oip and so on, have been deallocated. + +What's more, the hc->workq and hc->socket_thread can kick +those timers right back in. We add a bool flag to show +if card is released. Then, check this flag in hc->workq +and hc->socket_thread. + +Fixes: 3712b42d4b1b ("Add layer1 over IP support") +Signed-off-by: Duoming Zhou +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/l1oip.h | 1 + + drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/isdn/mISDN/l1oip.h b/drivers/isdn/mISDN/l1oip.h +index 7ea10db20e3a..48133d022812 100644 +--- a/drivers/isdn/mISDN/l1oip.h ++++ b/drivers/isdn/mISDN/l1oip.h +@@ -59,6 +59,7 @@ struct l1oip { + int bundle; /* bundle channels in one frm */ + int codec; /* codec to use for transmis. 
*/ + int limit; /* limit number of bchannels */ ++ bool shutdown; /* if card is released */ + + /* timer */ + struct timer_list keep_tl; +diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c +index b57dcb834594..aec4f2a69c3b 100644 +--- a/drivers/isdn/mISDN/l1oip_core.c ++++ b/drivers/isdn/mISDN/l1oip_core.c +@@ -275,7 +275,7 @@ l1oip_socket_send(struct l1oip *hc, u8 localcodec, u8 channel, u32 chanmask, + p = frame; + + /* restart timer */ +- if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ)) ++ if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ) && !hc->shutdown) + mod_timer(&hc->keep_tl, jiffies + L1OIP_KEEPALIVE * HZ); + else + hc->keep_tl.expires = jiffies + L1OIP_KEEPALIVE * HZ; +@@ -601,7 +601,9 @@ l1oip_socket_parse(struct l1oip *hc, struct sockaddr_in *sin, u8 *buf, int len) + goto multiframe; + + /* restart timer */ +- if (time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || !hc->timeout_on) { ++ if ((time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || ++ !hc->timeout_on) && ++ !hc->shutdown) { + hc->timeout_on = 1; + mod_timer(&hc->timeout_tl, jiffies + L1OIP_TIMEOUT * HZ); + } else /* only adjust timer */ +@@ -1232,11 +1234,10 @@ release_card(struct l1oip *hc) + { + int ch; + +- if (timer_pending(&hc->keep_tl)) +- del_timer(&hc->keep_tl); ++ hc->shutdown = true; + +- if (timer_pending(&hc->timeout_tl)) +- del_timer(&hc->timeout_tl); ++ del_timer_sync(&hc->keep_tl); ++ del_timer_sync(&hc->timeout_tl); + + cancel_work_sync(&hc->workq); + +-- +2.35.1 + diff --git a/queue-5.4/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch b/queue-5.4/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch new file mode 100644 index 00000000000..12cf1b61c5a --- /dev/null +++ b/queue-5.4/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch 
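Review bot: In the l1oip_core.c hunks, `hc->shutdown` is tested and `mod_timer()` is then called with no lock or ordering between the two, so the flag narrows the re-arm window but does not close it. A caller of `l1oip_socket_send()` or `l1oip_socket_parse()` that read `!hc->shutdown` just before `release_card()` sets it can still re-arm a timer after `del_timer_sync()` has returned, and `release_card()` reaches `cancel_work_sync(&hc->workq)` only after both timers were stopped. The description says the work item and the socket thread are what re-arm the timers, so a second `del_timer_sync()` on `keep_tl` and `timeout_tl` once those producers are stopped would close the gap. The plain bool accesses would also be clearer as `WRITE_ONCE(hc->shutdown, true);` and `READ_ONCE(hc->shutdown)`. The rest of `release_card()` is outside the hunk, so whether a later step already covers this cannot be confirmed here.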
@@ -0,0 +1,41 @@ +From be036fe82a67985466d06523ac4dacb237b1b42a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 09:33:57 +0200 +Subject: mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() + +From: Christophe JAILLET + +[ Upstream commit 5cbedf52608cc3cbc1c2a9a861fb671620427a20 ] + +If clk_prepare_enable() fails, there is no point in calling +clk_disable_unprepare() in the error handling path. + +Move the out_clk label at the right place. + +Fixes: b6507596dfd6 ("MIPS: Alchemy: au1xmmc: use clk framework") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/21d99886d07fa7fcbec74992657dabad98c935c4.1661412818.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/au1xmmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/au1xmmc.c b/drivers/mmc/host/au1xmmc.c +index bc8aeb47a7b4..9c4a67f4195e 100644 +--- a/drivers/mmc/host/au1xmmc.c ++++ b/drivers/mmc/host/au1xmmc.c +@@ -1116,8 +1116,9 @@ static int au1xmmc_probe(struct platform_device *pdev) + if (host->platdata && host->platdata->cd_setup && + !(mmc->caps & MMC_CAP_NEEDS_POLL)) + host->platdata->cd_setup(mmc, 0); +-out_clk: ++ + clk_disable_unprepare(host->clk); ++out_clk: + clk_put(host->clk); + out_irq: + free_irq(host->irq, host); +-- +2.35.1 + diff --git a/queue-5.4/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch b/queue-5.4/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch new file mode 100644 index 00000000000..ca34f1fb969 --- /dev/null +++ b/queue-5.4/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch 
@@ -0,0 +1,38 @@ +From 9922f663dd17e7126191435a6755aa2f06bebdc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:43:22 -0400 +Subject: mmc: sdhci-msm: add compatible string check for sdm670 + +From: Richard Acayan + +[ Upstream commit 4de95950d970c71a9e82a24573bb7a44fd95baa1 ] + +The Snapdragon 670 has the same quirk as Snapdragon 845 (needing to +restore the dll config). Add a compatible string check to detect the need +for this. + +Signed-off-by: Richard Acayan +Reviewed-by: Bhupesh Sharma +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220923014322.33620-3-mailingradian@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index 8ab963055238..5e6f6c951fd4 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -1755,6 +1755,7 @@ static const struct sdhci_msm_variant_info sdm845_sdhci_var = { + static const struct of_device_id sdhci_msm_dt_match[] = { + {.compatible = "qcom,sdhci-msm-v4", .data = &sdhci_msm_mci_var}, + {.compatible = "qcom,sdhci-msm-v5", .data = &sdhci_msm_v5_var}, ++ {.compatible = "qcom,sdm670-sdhci", .data = &sdm845_sdhci_var}, + {.compatible = "qcom,sdm845-sdhci", .data = &sdm845_sdhci_var}, + {}, + }; +-- +2.35.1 + diff --git a/queue-5.4/mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch b/queue-5.4/mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch new file mode 100644 index 00000000000..91f11ecb857 --- /dev/null +++ b/queue-5.4/mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch 
@@ -0,0 +1,48 @@ +From 876b21b854b4690e0b3c86c01da67935fd0ffc5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:06:40 +0200 +Subject: mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() + +From: Christophe JAILLET + +[ Upstream commit cb58188ad90a61784a56a64f5107faaf2ad323e7 ] + +A dma_free_coherent() call is missing in the error handling path of the +probe, as already done in the remove function. + +Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/53fc6ffa5d1c428fefeae7d313cf4a669c3a1e98.1663873255.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/wmt-sdmmc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c +index 2c4ba1fa4bbf..d774068dba30 100644 +--- a/drivers/mmc/host/wmt-sdmmc.c ++++ b/drivers/mmc/host/wmt-sdmmc.c +@@ -849,7 +849,7 @@ static int wmt_mci_probe(struct platform_device *pdev) + if (IS_ERR(priv->clk_sdmmc)) { + dev_err(&pdev->dev, "Error getting clock\n"); + ret = PTR_ERR(priv->clk_sdmmc); +- goto fail5; ++ goto fail5_and_a_half; + } + + ret = clk_prepare_enable(priv->clk_sdmmc); +@@ -866,6 +866,9 @@ static int wmt_mci_probe(struct platform_device *pdev) + return 0; + fail6: + clk_put(priv->clk_sdmmc); ++fail5_and_a_half: ++ dma_free_coherent(&pdev->dev, mmc->max_blk_count * 16, ++ priv->dma_desc_buffer, priv->dma_desc_device_addr); + fail5: + free_irq(dma_irq, priv); + fail4: +-- +2.35.1 + diff --git a/queue-5.4/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch b/queue-5.4/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch new file mode 100644 index 00000000000..e4dcd53e898 --- /dev/null +++ b/queue-5.4/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch 
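Review bot: The new `fail5_and_a_half` path in `wmt_mci_probe()` frees the descriptor buffer with a size, `mmc->max_blk_count * 16`, that is written out a second time instead of being shared with the allocation. The `dma_alloc_coherent()` call is outside the hunk, so the two expressions cannot be compared here. If they ever drift apart, `dma_free_coherent()` is handed the wrong size. I would keep the size in one place, e.g. a local `size_t desc_size = mmc->max_blk_count * 16;` used by both calls. The label would also read better named for what it undoes, `fail_free_dma:` rather than `fail5_and_a_half:`.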
@@ -0,0 +1,46 @@ +From 0ef826399d44b84910e2ba230ecdb4cfe8372cf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 17:16:44 +0800 +Subject: mtd: devices: docg3: check the return value of devm_ioremap() in the + probe + +From: William Dean + +[ Upstream commit 26e784433e6c65735cd6d93a8db52531970d9a60 ] + +The function devm_ioremap() in docg3_probe() can fail, so +its return value should be checked. + +Fixes: 82402aeb8c81e ("mtd: docg3: Use devm_*() functions") +Reported-by: Hacash Robot +Signed-off-by: William Dean +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220722091644.2937953-1-williamsukatube@163.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/docg3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c +index eb0f4600efd1..40f9b6dffe3d 100644 +--- a/drivers/mtd/devices/docg3.c ++++ b/drivers/mtd/devices/docg3.c +@@ -1975,9 +1975,14 @@ static int __init docg3_probe(struct platform_device *pdev) + dev_err(dev, "No I/O memory resource defined\n"); + return ret; + } +- base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE); + + ret = -ENOMEM; ++ base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE); ++ if (!base) { ++ dev_err(dev, "devm_ioremap dev failed\n"); ++ return ret; ++ } ++ + cascade = devm_kcalloc(dev, DOC_MAX_NBFLOORS, sizeof(*cascade), + GFP_KERNEL); + if (!cascade) +-- +2.35.1 + diff --git a/queue-5.4/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch b/queue-5.4/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch new file mode 100644 index 00000000000..eaaf90754ef --- /dev/null +++ b/queue-5.4/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch 
@@ -0,0 +1,49 @@ +From a64d526557fcbe8bdf553cd805c26cdc256a1c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 10:12:12 +0300 +Subject: mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct() + +From: Dan Carpenter + +[ Upstream commit 3e4ad3212cf22687410b1e8f4e68feec50646113 ] + +The meson_nfc_ecc_correct() function accidentally does a right shift +instead of a left shift so it only works for BIT(0). Also use +BIT_ULL() because "correct_bitmap" is a u64 and we want to avoid +shift wrapping bugs. + +Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") +Signed-off-by: Dan Carpenter +Acked-by: Liang Yang +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/YuI2zF1hP65+LE7r@kili +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/meson_nand.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c +index 28dc26e1a20a..a65aadb54af6 100644 +--- a/drivers/mtd/nand/raw/meson_nand.c ++++ b/drivers/mtd/nand/raw/meson_nand.c +@@ -454,7 +454,7 @@ static int meson_nfc_ecc_correct(struct nand_chip *nand, u32 *bitflips, + if (ECC_ERR_CNT(*info) != ECC_UNCORRECTABLE) { + mtd->ecc_stats.corrected += ECC_ERR_CNT(*info); + *bitflips = max_t(u32, *bitflips, ECC_ERR_CNT(*info)); +- *correct_bitmap |= 1 >> i; ++ *correct_bitmap |= BIT_ULL(i); + continue; + } + if ((nand->options & NAND_NEED_SCRAMBLING) && +@@ -800,7 +800,7 @@ static int meson_nfc_read_page_hwecc(struct nand_chip *nand, u8 *buf, + u8 *data = buf + i * ecc->size; + u8 *oob = nand->oob_poi + i * (ecc->bytes + 2); + +- if (correct_bitmap & (1 << i)) ++ if (correct_bitmap & BIT_ULL(i)) + continue; + ret = nand_check_erased_ecc_chunk(data, ecc->size, + oob, ecc->bytes + 2, +-- +2.35.1 + 
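Review bot: `BIT_ULL(i)` in `meson_nfc_ecc_correct()` and `meson_nfc_read_page_hwecc()` is only defined for `i` below 64, and neither hunk shows the bound of the loop that supplies `i`. If the number of ECC steps per page can reach 64 on a supported chip, the shift is undefined and the bitmap no longer says which chunks were corrected. Both loops start outside the hunks, so this needs checking against the loop limit. A guard where the step count is set would make the assumption explicit, such as `if (WARN_ON(nsteps > 64)) return -EINVAL;`, with `nsteps` standing in for whatever the limit is called in the file.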
diff --git a/queue-5.4/nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch b/queue-5.4/nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch
new file mode 100644
index 00000000000..9ba2d96d347
--- /dev/null
+++ b/queue-5.4/nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch
@@ -0,0 +1,69 @@ +From f0e7108a7f280860d75cbe860932c429df5428ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 01:35:02 +0900 +Subject: nbd: Fix hung when signal interrupts nbd_start_device_ioctl() + +From: Shigeru Yoshida + +[ Upstream commit 1de7c3cf48fc41cd95adb12bd1ea9033a917798a ] + +syzbot reported hung task [1]. The following program is a simplified +version of the reproducer: + +int main(void) +{ + int sv[2], fd; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) + return 1; + if ((fd = open("/dev/nbd0", 0)) < 0) + return 1; + if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0) + return 1; + if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0) + return 1; + if (ioctl(fd, NBD_DO_IT) < 0) + return 1; + return 0; +} + +When signal interrupt nbd_start_device_ioctl() waiting the condition +atomic_read(&config->recv_threads) == 0, the task can hung because it +waits the completion of the inflight IOs. + +This patch fixes the issue by clearing queue, not just shutdown, when +signal interrupt nbd_start_device_ioctl(). 
+ +Link: https://syzkaller.appspot.com/bug?id=7d89a3ffacd2b83fdd39549bc4d8e0a89ef21239 [1] +Reported-by: syzbot+38e6c55d4969a14c1534@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20220907163502.577561-1-syoshida@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 09323b0510f0..610dc6a36a9d 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1327,10 +1327,12 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b + mutex_unlock(&nbd->config_lock); + ret = wait_event_interruptible(config->recv_wq, + atomic_read(&config->recv_threads) == 0); +- if (ret) ++ if (ret) { + sock_shutdown(nbd); +- flush_workqueue(nbd->recv_workq); ++ nbd_clear_que(nbd); ++ } + ++ flush_workqueue(nbd->recv_workq); + mutex_lock(&nbd->config_lock); + nbd_bdev_reset(bdev); + /* user requested, ignore socket errors */ +-- +2.35.1 + diff --git a/queue-5.4/net-davicom-fix-return-type-of-dm9000_start_xmit.patch b/queue-5.4/net-davicom-fix-return-type-of-dm9000_start_xmit.patch new file mode 100644 index 00000000000..db242b63d3d --- /dev/null +++ b/queue-5.4/net-davicom-fix-return-type-of-dm9000_start_xmit.patch 
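Review bot: The reason `nbd_clear_que()` must run before `flush_workqueue()` in `nbd_start_device_ioctl()` is recorded only in the commit message, so in the code the order looks incidental. A comment on the new branch would preserve it, for example `/* interrupted by a signal: fail the in-flight requests, otherwise the task can hang waiting for them */`. That matches the description, which attributes the hang to waiting for in-flight I/O after the wait is interrupted. The function starts and ends outside the hunk.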
@@ -0,0 +1,46 @@ +From 34a59242ea2b78adf1519c2b4b23435ba907ba91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:47:19 -0700 +Subject: net: davicom: Fix return type of dm9000_start_xmit + +From: Nathan Huckleberry + +[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of dm9000_start_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/davicom/dm9000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c +index 1d5d8984b49a..2dcf85ae5eb3 100644 +--- a/drivers/net/ethernet/davicom/dm9000.c ++++ b/drivers/net/ethernet/davicom/dm9000.c +@@ -1017,7 +1017,7 @@ static void dm9000_send_packet(struct net_device *dev, + * Hardware start transmission. + * Send a packet to media from the upper layer. + */ +-static int ++static netdev_tx_t + dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + unsigned long flags; +-- +2.35.1 + diff --git a/queue-5.4/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch b/queue-5.4/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch new file mode 100644 index 00000000000..2f17067eeae --- /dev/null +++ b/queue-5.4/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch 
@@ -0,0 +1,46 @@ +From 6f2d47ef70edcfac829a10f666669edc02dc6821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:50:19 -0700 +Subject: net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit + +From: Nathan Huckleberry + +[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of emac_dev_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/davinci_emac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index fac59032bf83..47a7c40f576e 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -941,7 +941,7 @@ static void emac_tx_handler(void *token, int len, int status) + * + * Returns success(NETDEV_TX_OK) or error code (typically out of desc's) + */ +-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev) ++static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev) + { + struct device *emac_dev = &ndev->dev; + int ret_code; +-- +2.35.1 + diff --git a/queue-5.4/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch b/queue-5.4/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch new file mode 100644 index 00000000000..b2245514738 --- /dev/null +++ b/queue-5.4/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch 
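Review bot: The kernel-doc above `emac_dev_xmit()` still reads "Returns success(NETDEV_TX_OK) or error code", and the body keeps `int ret_code`, so the new `netdev_tx_t` signature may not match what the return statements produce. A negative errno returned through `netdev_tx_t` is not a value the transmit path is defined to return. The return statements are outside the hunk and need checking. The comment at least should change, e.g. to `* Returns NETDEV_TX_OK, or NETDEV_TX_BUSY when out of descriptors`, if that is what the out-of-descriptor path returns. The `dm9000_start_xmit()` and `korina_send_packet()` patches change only the signature too, so their return statements deserve the same check.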
@@ -0,0 +1,36 @@ +From 673a1b3b03d4024b2a11af06c0212479f0c7ad46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 13:55:13 +0000 +Subject: net: fs_enet: Fix wrong check in do_pd_setup + +From: Zheng Yongjun + +[ Upstream commit ec3f06b542a960806a81345042e4eee3f8c5dec4 ] + +Should check of_iomap return value 'fep->fec.fecp' instead of 'fep->fcc.fccp' + +Fixes: 976de6a8c304 ("fs_enet: Be an of_platform device when CONFIG_PPC_CPM_NEW_BINDING is set.") +Signed-off-by: Zheng Yongjun +Reviewed-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fs_enet/mac-fec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c +index 99fe2c210d0f..61f4b6e50d29 100644 +--- a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c ++++ b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c +@@ -98,7 +98,7 @@ static int do_pd_setup(struct fs_enet_private *fep) + return -EINVAL; + + fep->fec.fecp = of_iomap(ofdev->dev.of_node, 0); +- if (!fep->fcc.fccp) ++ if (!fep->fec.fecp) + return -EINVAL; + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/net-ftmac100-fix-endianness-related-issues-from-spar.patch b/queue-5.4/net-ftmac100-fix-endianness-related-issues-from-spar.patch new file mode 100644 index 00000000000..d76013a4f5a --- /dev/null +++ b/queue-5.4/net-ftmac100-fix-endianness-related-issues-from-spar.patch 
@@ -0,0 +1,67 @@ +From 557abb8d72f5dc6dd475769b190279224dc7f16f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 14:37:49 +0300 +Subject: net: ftmac100: fix endianness-related issues from 'sparse' + +From: Sergei Antonov + +[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ] + +Sparse found a number of endianness-related issues of these kinds: + +.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer + +.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types) +.../ftmac100.c:208:23: expected unsigned int rxdes0 +.../ftmac100.c:208:23: got restricted __le32 [usertype] + +.../ftmac100.c:249:23: warning: invalid assignment: &= +.../ftmac100.c:249:23: left side has type unsigned int +.../ftmac100.c:249:23: right side has type restricted __le32 + +.../ftmac100.c:527:16: warning: cast to restricted __le32 + +Change type of some fields from 'unsigned int' to '__le32' to fix it. + +Signed-off-by: Sergei Antonov +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h +index fe986f1673fc..8af32f9070f4 100644 +--- a/drivers/net/ethernet/faraday/ftmac100.h ++++ b/drivers/net/ethernet/faraday/ftmac100.h +@@ -122,9 +122,9 @@ + * Transmit descriptor, aligned to 16 bytes + */ + struct ftmac100_txdes { +- unsigned int txdes0; +- unsigned int txdes1; +- unsigned int txdes2; /* TXBUF_BADR */ ++ __le32 txdes0; ++ __le32 txdes1; ++ __le32 txdes2; /* TXBUF_BADR */ + unsigned int txdes3; /* not used by HW */ + } __attribute__ ((aligned(16))); + +@@ -143,9 +143,9 @@ struct ftmac100_txdes { + * Receive descriptor, aligned to 16 bytes + */ + struct ftmac100_rxdes { +- unsigned int rxdes0; +- unsigned int rxdes1; +- 
unsigned int rxdes2; /* RXBUF_BADR */ ++ __le32 rxdes0; ++ __le32 rxdes1; ++ __le32 rxdes2; /* RXBUF_BADR */ + unsigned int rxdes3; /* not used by HW */ + } __attribute__ ((aligned(16))); + +-- +2.35.1 + diff --git a/queue-5.4/net-ieee802154-reject-zero-sized-raw_sendmsg.patch b/queue-5.4/net-ieee802154-reject-zero-sized-raw_sendmsg.patch new file mode 100644 index 00000000000..88970c8d11f --- /dev/null +++ b/queue-5.4/net-ieee802154-reject-zero-sized-raw_sendmsg.patch @@ -0,0 +1,40 @@ +From e1a5a0f1fe9c9fb80008c4e348c3693a8c69b539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 01:43:44 +0900 +Subject: net/ieee802154: reject zero-sized raw_sendmsg() + +From: Tetsuo Handa + +[ Upstream commit 3a4d061c699bd3eedc80dc97a4b2a2e1af83c6f5 ] + +syzbot is hitting skb_assert_len() warning at raw_sendmsg() for ieee802154 +socket. What commit dc633700f00f726e ("net/af_packet: check len when +min_header_len equals to 0") does also applies to ieee802154 socket. + +Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4 +Reported-by: syzbot +Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") +Signed-off-by: Tetsuo Handa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ieee802154/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index a92b11999e5f..72637d5994d8 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -252,6 +252,9 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + return -EOPNOTSUPP; + } + ++ if (!size) ++ return -EINVAL; ++ + lock_sock(sk); + if (!sk->sk_bound_dev_if) + dev = dev_getfirstbyhwtype(sock_net(sk), ARPHRD_IEEE802154); +-- +2.35.1 + diff --git a/queue-5.4/net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch b/queue-5.4/net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch new file mode 100644 index 00000000000..14718c36ad8 --- /dev/null 
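Review bot: The new `if (!size) return -EINVAL;` in `raw_sendmsg()` of net/ieee802154/socket.c carries no comment, and the reason for rejecting an empty write exists only in the commit message. A line above the check would stop it being removed later as redundant, for example `/* an empty payload trips skb_assert_len() further down the send path */`. The function continues outside the hunk.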
+++ b/queue-5.4/net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch 
@@ -0,0 +1,107 @@ +From 8add3a5044cdd2641758058f0edbf109b59b98ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 21:37:54 +0800 +Subject: net: If sock is dead don't access sock's sk_wq in + sk_stream_wait_memory + +From: Liu Jian + +[ Upstream commit 3f8ef65af927db247418d4e1db49164d7a158fc5 ] + +Fixes the below NULL pointer dereference: + + [...] + [ 14.471200] Call Trace: + [ 14.471562] + [ 14.471882] lock_acquire+0x245/0x2e0 + [ 14.472416] ? remove_wait_queue+0x12/0x50 + [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 + [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 + [ 14.474318] ? remove_wait_queue+0x12/0x50 + [ 14.474907] remove_wait_queue+0x12/0x50 + [ 14.475480] sk_stream_wait_memory+0x20d/0x340 + [ 14.476127] ? do_wait_intr_irq+0x80/0x80 + [ 14.476704] do_tcp_sendpages+0x287/0x600 + [ 14.477283] tcp_bpf_push+0xab/0x260 + [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 + [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 + [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 + [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 + [ 14.480311] sock_sendmsg+0x2d/0x40 + [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0 + [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 + [ 14.482048] ___sys_sendmsg+0x78/0xb0 + [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 + [ 14.483215] ? __do_fault+0x2a/0x1a0 + [ 14.483738] ? do_fault+0x15e/0x5d0 + [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 + [ 14.484874] ? lock_is_held_type+0xdf/0x130 + [ 14.485474] ? find_held_lock+0x2d/0x90 + [ 14.486046] ? __sys_sendmsg+0x41/0x70 + [ 14.486587] __sys_sendmsg+0x41/0x70 + [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 + [ 14.487822] do_syscall_64+0x34/0x80 + [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] 
+ +The test scenario has the following flow: + +thread1 thread2 +----------- --------------- + tcp_bpf_sendmsg + tcp_bpf_send_verdict + tcp_bpf_sendmsg_redir sock_close + tcp_bpf_push_locked __sock_release + tcp_bpf_push //inet_release + do_tcp_sendpages sock->ops->release + sk_stream_wait_memory // tcp_close + sk_wait_event sk->sk_prot->close + release_sock(__sk); + *** + lock_sock(sk); + __tcp_close + sock_orphan(sk) + sk->sk_wq = NULL + release_sock + **** + lock_sock(__sk); + remove_wait_queue(sk_sleep(sk), &wait); + sk_sleep(sk) + //NULL pointer dereference + &rcu_dereference_raw(sk->sk_wq)->wait + +While waiting for memory in thread1, the socket is released with its wait +queue because thread2 has closed it. This caused by tcp_bpf_send_verdict +didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1. + +We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory +before accessing the wait queue. + +Suggested-by: Jakub Sitnicki +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Cc: Eric Dumazet +Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index a166a32b411f..a61130504827 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -159,7 +159,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p) + *timeo_p = current_timeo; + } + out: +- remove_wait_queue(sk_sleep(sk), &wait); ++ if (!sock_flag(sk, SOCK_DEAD)) ++ remove_wait_queue(sk_sleep(sk), &wait); + return err; + + do_error: +-- +2.35.1 + diff --git a/queue-5.4/net-korina-fix-return-type-of-korina_send_packet.patch b/queue-5.4/net-korina-fix-return-type-of-korina_send_packet.patch new file mode 100644 index 00000000000..05f9c482d7f --- /dev/null +++ b/queue-5.4/net-korina-fix-return-type-of-korina_send_packet.patch 
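Review bot: Skipping `remove_wait_queue()` when `SOCK_DEAD` is set in `sk_stream_wait_memory()` avoids the NULL `sk_wq` dereference but leaves `wait` linked on the queue it was added to. `wait` is declared outside the hunk. If it is a stack entry, as is usual for this pattern, the wait-queue head keeps a pointer into a frame that is about to be popped, until the socket's queue is itself freed. The description names the cause as `tcp_bpf_send_verdict` not taking a reference on the redirect socket's file, so the durable fix is to hold that reference across the send rather than special-casing teardown here. If the check stays, it needs a comment saying why the entry may be abandoned, e.g. `/* sock_orphan() cleared sk_wq; the queue goes away with the socket */`.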
@@ -0,0 +1,47 @@ +From 563722f87daaa993bec92ded6021f05b50690190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 14:43:40 -0700 +Subject: net: korina: Fix return type of korina_send_packet + +From: Nathan Huckleberry + +[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of korina_send_packet should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index 9f804e2aba35..d1bd56f6eecb 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -196,7 +196,8 @@ static void korina_chain_rx(struct korina_private *lp, + } + + /* transmit packet */ +-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t korina_send_packet(struct sk_buff *skb, ++ struct net_device *dev) + { + struct korina_private *lp = netdev_priv(dev); + unsigned long flags; +-- +2.35.1 + diff --git a/queue-5.4/net-lantiq_etop-fix-return-type-for-implementation-o.patch b/queue-5.4/net-lantiq_etop-fix-return-type-for-implementation-o.patch new file mode 100644 index 00000000000..84d9ea0eb51 --- /dev/null +++ b/queue-5.4/net-lantiq_etop-fix-return-type-for-implementation-o.patch 
@@ -0,0 +1,41 @@ +From e172ed56763f15546ef23cbe758ce9506aa88657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:15:21 +0800 +Subject: net: lantiq_etop: Fix return type for implementation of + ndo_start_xmit + +From: GUO Zihua + +[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ] + +Since Linux now supports CFI, it will be a good idea to fix mismatched +return type for implementation of hooks. Otherwise this might get +cought out by CFI and cause a panic. + +ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so +change the return type to netdev_tx_t directly. + +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_etop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c +index 6e73ffe6f928..46fd128a16a1 100644 +--- a/drivers/net/ethernet/lantiq_etop.c ++++ b/drivers/net/ethernet/lantiq_etop.c +@@ -451,7 +451,7 @@ ltq_etop_stop(struct net_device *dev) + return 0; + } + +-static int ++static netdev_tx_t + ltq_etop_tx(struct sk_buff *skb, struct net_device *dev) + { + int queue = skb_get_queue_mapping(skb); +-- +2.35.1 + diff --git a/queue-5.4/net-mvpp2-fix-mvpp2-debugfs-leak.patch b/queue-5.4/net-mvpp2-fix-mvpp2-debugfs-leak.patch new file mode 100644 index 00000000000..9373649feac --- /dev/null +++ b/queue-5.4/net-mvpp2-fix-mvpp2-debugfs-leak.patch 
@@ -0,0 +1,107 @@ +From 96aaf45cb7fa00d2f1406e7e71fe372c2e2ff3f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Oct 2022 17:19:27 +0100 +Subject: net: mvpp2: fix mvpp2 debugfs leak + +From: Russell King (Oracle) + +[ Upstream commit 0152dfee235e87660f52a117fc9f70dc55956bb4 ] + +When mvpp2 is unloaded, the driver specific debugfs directory is not +removed, which technically leads to a memory leak. However, this +directory is only created when the first device is probed, so the +hardware is present. Removing the module is only something a developer +would to when e.g. testing out changes, so the module would be +reloaded. So this memory leak is minor. + +The original attempt in commit fe2c9c61f668 ("net: mvpp2: debugfs: fix +memory leak when using debugfs_lookup()") that was labelled as a memory +leak fix was not, it fixed a refcount leak, but in doing so created a +problem when the module is reloaded - the directory already exists, but +mvpp2_root is NULL, so we lose all debugfs entries. This fix has been +reverted. + +This is the alternative fix, where we remove the offending directory +whenever the driver is unloaded. 
+ +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Russell King (Oracle) +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Marcin Wojtas +Link: https://lore.kernel.org/r/E1ofOAB-00CzkG-UO@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 1 + + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 10 ++++++++-- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 13 ++++++++++++- + 3 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index 543a310ec102..cf45b9210c15 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -1202,5 +1202,6 @@ u32 mvpp2_read(struct mvpp2 *priv, u32 offset); + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name); + + void mvpp2_dbgfs_cleanup(struct mvpp2 *priv); ++void mvpp2_dbgfs_exit(void); + + #endif +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index 4a3baa7e0142..75e83ea2a926 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -691,6 +691,13 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent, + return 0; + } + ++static struct dentry *mvpp2_root; ++ ++void mvpp2_dbgfs_exit(void) ++{ ++ debugfs_remove(mvpp2_root); ++} ++ + void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + { + debugfs_remove_recursive(priv->dbgfs_dir); +@@ -700,10 +707,9 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +diff --git 
a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index d700f1b5a4bf..31dde6fbdbdc 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -6004,7 +6004,18 @@ static struct platform_driver mvpp2_driver = { + }, + }; + +-module_platform_driver(mvpp2_driver); ++static int __init mvpp2_driver_init(void) ++{ ++ return platform_driver_register(&mvpp2_driver); ++} ++module_init(mvpp2_driver_init); ++ ++static void __exit mvpp2_driver_exit(void) ++{ ++ platform_driver_unregister(&mvpp2_driver); ++ mvpp2_dbgfs_exit(); ++} ++module_exit(mvpp2_driver_exit); + + MODULE_DESCRIPTION("Marvell PPv2 Ethernet Driver - www.marvell.com"); + MODULE_AUTHOR("Marcin Wojtas "); +-- +2.35.1 + diff --git a/queue-5.4/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch b/queue-5.4/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch new file mode 100644 index 00000000000..08de0291e60 --- /dev/null +++ b/queue-5.4/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch 
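Review bot: In `mvpp2_dbgfs_exit()` the root is removed with `debugfs_remove(mvpp2_root)`, which on a 5.4 base only succeeds for an empty directory as far as I recall (the recursive behaviour of `debugfs_remove()` arrived in later kernels). The cleanup therefore depends on every per-device directory already being gone. That holds if `platform_driver_unregister()` has run `mvpp2_dbgfs_cleanup()` for each device first, which the ordering in `mvpp2_driver_exit()` suggests but the hunk does not show. For the backport I would use `debugfs_remove_recursive(mvpp2_root);` and add a comment on the static `mvpp2_root` saying it is shared by all devices and only torn down at module exit. `mvpp2_dbgfs_init()` continues outside the hunk.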
@@ -0,0 +1,54 @@ +From 28c2e1e9d71000ff831a1dc6f1067f514061168a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:25:37 +0900 +Subject: net: rds: don't hold sock lock when cancelling work from + rds_tcp_reset_callbacks() + +From: Tetsuo Handa + +[ Upstream commit a91b750fd6629354460282bbf5146c01b05c4859 ] + +syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for +commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in +rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section +protected by lock_sock() without realizing that rds_send_xmit() might call +lock_sock(). + +We don't need to protect cancel_delayed_work_sync() using lock_sock(), for +even if rds_{send,recv}_worker() re-queued this work while __flush_work() + from cancel_delayed_work_sync() was waiting for this work to complete, +retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP +bit. + +Link: https://syzkaller.appspot.com/bug?extid=78c55c7bc6f66e53dce2 [1] +Reported-by: syzbot +Co-developed-by: Hillf Danton +Signed-off-by: Hillf Danton +Signed-off-by: Tetsuo Handa +Tested-by: syzbot +Fixes: ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/tcp.c b/net/rds/tcp.c +index d55d81b01d37..bfb8d4d6a994 100644 +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -176,10 +176,10 @@ void rds_tcp_reset_callbacks(struct socket *sock, + */ + atomic_set(&cp->cp_state, RDS_CONN_RESETTING); + wait_event(cp->cp_waitq, !test_bit(RDS_IN_XMIT, &cp->cp_flags)); +- lock_sock(osock->sk); + /* reset receive side state for rds_tcp_data_recv() for osock */ + cancel_delayed_work_sync(&cp->cp_send_w); + cancel_delayed_work_sync(&cp->cp_recv_w); ++ lock_sock(osock->sk); + if (tc->t_tinc) { + rds_inc_put(&tc->t_tinc->ti_inc); + tc->t_tinc = NULL; +-- +2.35.1 + 
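Review bot: The comment `/* reset receive side state for rds_tcp_data_recv() for osock */` now sits above the two `cancel_delayed_work_sync()` calls instead of the locked section it describes, and nothing in the code records why the cancels must stay outside `lock_sock()`. I would move that comment below `lock_sock(osock->sk);` and add one above the cancels, e.g. `/* cancel before lock_sock(): rds_send_xmit() may take the sock lock; a re-queued worker is a no-op without RDS_CONN_UP */`. Without it the ordering looks arbitrary and is easy to undo in a later cleanup. The body of `rds_tcp_reset_callbacks()` starts and ends outside the hunk.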
diff --git a/queue-5.4/net-xscale-fix-return-type-for-implementation-of-ndo.patch b/queue-5.4/net-xscale-fix-return-type-for-implementation-of-ndo.patch new file mode 100644 index 00000000000..19a9306ee6a --- /dev/null +++ b/queue-5.4/net-xscale-fix-return-type-for-implementation-of-ndo.patch @@ -0,0 +1,40 @@ +From 25f72124b3f16cd15a43f18b972a8de677458258 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:16:12 +0800 +Subject: net: xscale: Fix return type for implementation of ndo_start_xmit + +From: GUO Zihua + +[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ] + +Since Linux now supports CFI, it will be a good idea to fix mismatched +return type for implementation of hooks. Otherwise this might get +cought out by CFI and cause a panic. + +eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so +change the return type to netdev_tx_t directly. + +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c +index d4e095d0e8f1..26b5811e7263 100644 +--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c ++++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c +@@ -821,7 +821,7 @@ static void eth_txdone_irq(void *unused) + } + } + +-static int eth_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct port *port = netdev_priv(dev); + unsigned int txreadyq = port->plat->txreadyq; +-- +2.35.1 + diff --git a/queue-5.4/netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch b/queue-5.4/netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch new file mode 100644 index 00000000000..3148d0faddf --- /dev/null 
+++ b/queue-5.4/netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch 
@@ -0,0 +1,64 @@ +From 34b0dcf309f37fca1f8176cb86046200afb42b9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 13:07:31 +0200 +Subject: netfilter: nft_fib: Fix for rpath check with VRF devices + +From: Phil Sutter + +[ Upstream commit 2a8a7c0eaa8747c16aa4a48d573aa920d5c00a5c ] + +Analogous to commit b575b24b8eee3 ("netfilter: Fix rpfilter +dropping vrf packets by mistake") but for nftables fib expression: +Add special treatment of VRF devices so that typical reverse path +filtering via 'fib saddr . iif oif' expression works as expected. + +Fixes: f6d0cbcf09c50 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nft_fib_ipv4.c | 3 +++ + net/ipv6/netfilter/nft_fib_ipv6.c | 6 +++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c +index ce294113dbcd..85eac5aa5204 100644 +--- a/net/ipv4/netfilter/nft_fib_ipv4.c ++++ b/net/ipv4/netfilter/nft_fib_ipv4.c +@@ -83,6 +83,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, + else + oif = NULL; + ++ if (priv->flags & NFTA_FIB_F_IIF) ++ fl4.flowi4_oif = l3mdev_master_ifindex_rcu(oif); ++ + if (nft_hook(pkt) == NF_INET_PRE_ROUTING && + nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { + nft_fib_store_result(dest, priv, nft_in(pkt)); +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index 7ece86afd079..03dbd16f9ad5 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -37,6 +37,9 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, + if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) { + lookup_flags |= RT6_LOOKUP_F_IFACE; + fl6->flowi6_oif = get_ifindex(dev ? 
dev : pkt->skb->dev); ++ } else if ((priv->flags & NFTA_FIB_F_IIF) && ++ (netif_is_l3_master(dev) || netif_is_l3_slave(dev))) { ++ fl6->flowi6_oif = dev->ifindex; + } + + if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST) +@@ -179,7 +182,8 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev) ++ if (oif && oif != rt->rt6i_idev->dev && ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex) + goto put_rt_err; + + nft_fib_store_result(dest, priv, rt->rt6i_idev->dev); +-- +2.35.1 + diff --git a/queue-5.4/nfsd-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-5.4/nfsd-fix-a-memory-leak-in-an-error-handling-path.patch new file mode 100644 index 00000000000..5ba31ada5fd --- /dev/null +++ b/queue-5.4/nfsd-fix-a-memory-leak-in-an-error-handling-path.patch 
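Review bot: The new `else if` branch in `nft_fib6_flowi_init()` dereferences `dev` (`netif_is_l3_master(dev)`, `dev->ifindex`), while the branch directly above still guards against a NULL device with `dev ? dev : pkt->skb->dev`. Presumably `NFTA_FIB_F_IIF` can only be set on hooks that always have an input device, but that validation is outside the hunk. A short comment such as `/* IIF implies dev is the input device, never NULL on the hooks fib accepts */` would record the assumption that the reverse-path check now relies on.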
@@ -0,0 +1,40 @@ +From 33916b47b58a7e12ef9ee6fb6537cc595306876f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 07:27:04 +0200 +Subject: nfsd: Fix a memory leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit fd1ef88049de09bc70d60b549992524cfc0e66ff ] + +If this memdup_user() call fails, the memory allocated in a previous call +a few lines above should be freed. Otherwise it leaks. + +Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4recover.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c +index 7d408957ed62..14463e107918 100644 +--- a/fs/nfsd/nfs4recover.c ++++ b/fs/nfsd/nfs4recover.c +@@ -825,8 +825,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg, + princhash.data = memdup_user( + &ci->cc_princhash.cp_data, + princhashlen); +- if (IS_ERR_OR_NULL(princhash.data)) ++ if (IS_ERR_OR_NULL(princhash.data)) { ++ kfree(name.data); + return -EFAULT; ++ } + princhash.len = princhashlen; + } else + princhash.len = 0; +-- +2.35.1 + diff --git a/queue-5.4/nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch b/queue-5.4/nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch new file mode 100644 index 00000000000..8c7a172bdbd --- /dev/null +++ b/queue-5.4/nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch 
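Review bot: The error path in `__cld_pipe_inprogress_downcall()` still returns a hard-coded `-EFAULT` when `memdup_user()` fails, so an allocation failure is reported to the caller as a bad user pointer. `memdup_user()` returns an ERR_PTR rather than NULL, so the branch can be `if (IS_ERR(princhash.data)) { kfree(name.data); return PTR_ERR(princhash.data); }`. The earlier `memdup_user()` call that fills `name.data`, mentioned in the commit message, is outside the hunk and may want the same treatment.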
@@ -0,0 +1,37 @@ +From b0036c92511425afd5e248156d0fbecada5a1463 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 14:01:50 -0400 +Subject: NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data + +From: Anna Schumaker + +[ Upstream commit 06981d560606ac48d61e5f4fff6738b925c93173 ] + +This was discussed with Chuck as part of this patch set. Returning +nfserr_resource was decided to not be the best error message here, and +he suggested changing to nfserr_serverfault instead. + +Signed-off-by: Anna Schumaker +Link: https://lore.kernel.org/linux-nfs/20220907195259.926736-1-anna@kernel.org/T/#t +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index e61d9c435957..95bbe9d4018a 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3600,7 +3600,7 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr, + if (resp->xdr.buf->page_len && + test_bit(RQ_SPLICE_OK, &resp->rqstp->rq_flags)) { + WARN_ON_ONCE(1); +- return nfserr_resource; ++ return nfserr_serverfault; + } + xdr_commit_encode(xdr); + +-- +2.35.1 + diff --git a/queue-5.4/nvme-copy-firmware_rev-on-each-init.patch b/queue-5.4/nvme-copy-firmware_rev-on-each-init.patch new file mode 100644 index 00000000000..299acc06e31 --- /dev/null +++ b/queue-5.4/nvme-copy-firmware_rev-on-each-init.patch 
@@ -0,0 +1,48 @@ +From cb6b823c9a98cd115dbea147d8e1c85e95f2ace6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 12:45:08 -0700 +Subject: nvme: copy firmware_rev on each init + +From: Keith Busch + +[ Upstream commit a8eb6c1ba48bddea82e8d74cbe6e119f006be97d ] + +The firmware revision can change on after a reset so copy the most +recent info each time instead of just the first time, otherwise the +sysfs firmware_rev entry may contain stale data. + +Reported-by: Jeff Lien +Signed-off-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Chao Leng +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index f1717f34b2f3..6627fb531f33 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2671,7 +2671,6 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + nvme_init_subnqn(subsys, ctrl, id); + memcpy(subsys->serial, id->sn, sizeof(subsys->serial)); + memcpy(subsys->model, id->mn, sizeof(subsys->model)); +- memcpy(subsys->firmware_rev, id->fr, sizeof(subsys->firmware_rev)); + subsys->vendor_id = le16_to_cpu(id->vid); + subsys->cmic = id->cmic; + subsys->awupf = le16_to_cpu(id->awupf); +@@ -2824,6 +2823,8 @@ int nvme_init_identify(struct nvme_ctrl *ctrl) + ctrl->quirks |= core_quirks[i].quirks; + } + } ++ memcpy(ctrl->subsys->firmware_rev, id->fr, ++ sizeof(ctrl->subsys->firmware_rev)); + + if (force_apst && (ctrl->quirks & NVME_QUIRK_NO_DEEPEST_PS)) { + dev_warn(ctrl->device, "forcibly allowing all power states due to nvme_core.force_apst -- use at your own risk\n"); +-- +2.35.1 + diff --git a/queue-5.4/nvmet-tcp-add-bounds-check-on-transfer-tag.patch b/queue-5.4/nvmet-tcp-add-bounds-check-on-transfer-tag.patch new file mode 100644 index 00000000000..f5feec0442f --- /dev/null 
+++ b/queue-5.4/nvmet-tcp-add-bounds-check-on-transfer-tag.patch @@ -0,0 +1,47 @@ +From bd247167b4158c2fe3400d9dce6d5ac92bb07cea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 00:06:49 +0530 +Subject: nvmet-tcp: add bounds check on Transfer Tag + +From: Varun Prakash + +[ Upstream commit b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b ] + +ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(), +add a bounds check to avoid out-of-bounds access. + +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index eb5b39c2bba8..df7a911d303f 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -858,10 +858,17 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + struct nvme_tcp_data_pdu *data = &queue->pdu.data; + struct nvmet_tcp_cmd *cmd; + +- if (likely(queue->nr_cmds)) ++ if (likely(queue->nr_cmds)) { ++ if (unlikely(data->ttag >= queue->nr_cmds)) { ++ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n", ++ queue->idx, data->ttag, queue->nr_cmds); ++ nvmet_tcp_fatal_error(queue); ++ return -EPROTO; ++ } + cmd = &queue->cmds[data->ttag]; +- else ++ } else { + cmd = &queue->connect; ++ } + + if (le32_to_cpu(data->data_offset) != cmd->rbytes_done) { + pr_err("ttag %u unexpected data offset %u (expected %u)\n", +-- +2.35.1 + diff --git a/queue-5.4/once-add-do_once_slow-for-sleepable-contexts.patch b/queue-5.4/once-add-do_once_slow-for-sleepable-contexts.patch new file mode 100644 index 00000000000..5b5d0aeb46c --- /dev/null +++ b/queue-5.4/once-add-do_once_slow-for-sleepable-contexts.patch 
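Review bot: The added guard in `nvmet_tcp_handle_h2c_data_pdu()` only proves that `data->ttag` indexes inside `queue->cmds[]`; it does not show that the selected command is actually waiting for host data. The only other validation visible here is the `data_offset` comparison against `cmd->rbytes_done`. It is worth confirming below the hunk that `data_length` is also bounded by what remains of the command's transfer before the receive is set up, since both fields come from the remote host. A one-line comment above the check, `/* ttag is host-controlled: validate before indexing cmds[] */`, would make the trust boundary explicit. The function continues outside the hunk.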
@@ -0,0 +1,149 @@ +From ed173b2cd3bf33139116e5febbf65d755bd31614 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 13:51:02 -0700 +Subject: once: add DO_ONCE_SLOW() for sleepable contexts + +From: Eric Dumazet + +[ Upstream commit 62c07983bef9d3e78e71189441e1a470f0d1e653 ] + +Christophe Leroy reported a ~80ms latency spike +happening at first TCP connect() time. + +This is because __inet_hash_connect() uses get_random_once() +to populate a perturbation table which became quite big +after commit 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16") + +get_random_once() uses DO_ONCE(), which block hard irqs for the duration +of the operation. + +This patch adds DO_ONCE_SLOW() which uses a mutex instead of a spinlock +for operations where we prefer to stay in process context. + +Then __inet_hash_connect() can use get_random_slow_once() +to populate its perturbation table. + +Fixes: 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16") +Fixes: 190cc82489f4 ("tcp: change source port randomizarion at connect() time") +Reported-by: Christophe Leroy +Link: https://lore.kernel.org/netdev/CANn89iLAEYBaoYajy0Y9UmGFff5GPxDUoG-ErVB2jDdRNQ5Tug@mail.gmail.com/T/#t +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Tested-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/once.h | 28 ++++++++++++++++++++++++++++ + lib/once.c | 30 ++++++++++++++++++++++++++++++ + net/ipv4/inet_hashtables.c | 4 ++-- + 3 files changed, 60 insertions(+), 2 deletions(-) + +diff --git a/include/linux/once.h b/include/linux/once.h +index ae6f4eb41cbe..bb58e1c3aa03 100644 +--- a/include/linux/once.h ++++ b/include/linux/once.h +@@ -5,10 +5,18 @@ + #include + #include + ++/* Helpers used from arbitrary contexts. ++ * Hard irqs are blocked, be cautious. 
++ */ + bool __do_once_start(bool *done, unsigned long *flags); + void __do_once_done(bool *done, struct static_key_true *once_key, + unsigned long *flags, struct module *mod); + ++/* Variant for process contexts only. */ ++bool __do_once_slow_start(bool *done); ++void __do_once_slow_done(bool *done, struct static_key_true *once_key, ++ struct module *mod); ++ + /* Call a function exactly once. The idea of DO_ONCE() is to perform + * a function call such as initialization of random seeds, etc, only + * once, where DO_ONCE() can live in the fast-path. After @func has +@@ -52,9 +60,29 @@ void __do_once_done(bool *done, struct static_key_true *once_key, + ___ret; \ + }) + ++/* Variant of DO_ONCE() for process/sleepable contexts. */ ++#define DO_ONCE_SLOW(func, ...) \ ++ ({ \ ++ bool ___ret = false; \ ++ static bool __section(".data.once") ___done = false; \ ++ static DEFINE_STATIC_KEY_TRUE(___once_key); \ ++ if (static_branch_unlikely(&___once_key)) { \ ++ ___ret = __do_once_slow_start(&___done); \ ++ if (unlikely(___ret)) { \ ++ func(__VA_ARGS__); \ ++ __do_once_slow_done(&___done, &___once_key, \ ++ THIS_MODULE); \ ++ } \ ++ } \ ++ ___ret; \ ++ }) ++ + #define get_random_once(buf, nbytes) \ + DO_ONCE(get_random_bytes, (buf), (nbytes)) + #define get_random_once_wait(buf, nbytes) \ + DO_ONCE(get_random_bytes_wait, (buf), (nbytes)) \ + ++#define get_random_slow_once(buf, nbytes) \ ++ DO_ONCE_SLOW(get_random_bytes, (buf), (nbytes)) ++ + #endif /* _LINUX_ONCE_H */ +diff --git a/lib/once.c b/lib/once.c +index 59149bf3bfb4..351f66aad310 100644 +--- a/lib/once.c ++++ b/lib/once.c +@@ -66,3 +66,33 @@ void __do_once_done(bool *done, struct static_key_true *once_key, + once_disable_jump(once_key, mod); + } + EXPORT_SYMBOL(__do_once_done); ++ ++static DEFINE_MUTEX(once_mutex); ++ ++bool __do_once_slow_start(bool *done) ++ __acquires(once_mutex) ++{ ++ mutex_lock(&once_mutex); ++ if (*done) { ++ mutex_unlock(&once_mutex); ++ /* Keep sparse happy by restoring an even lock count 
on ++ * this mutex. In case we return here, we don't call into ++ * __do_once_done but return early in the DO_ONCE_SLOW() macro. ++ */ ++ __acquire(once_mutex); ++ return false; ++ } ++ ++ return true; ++} ++EXPORT_SYMBOL(__do_once_slow_start); ++ ++void __do_once_slow_done(bool *done, struct static_key_true *once_key, ++ struct module *mod) ++ __releases(once_mutex) ++{ ++ *done = true; ++ mutex_unlock(&once_mutex); ++ once_disable_jump(once_key, mod); ++} ++EXPORT_SYMBOL(__do_once_slow_done); +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index d9bee15e36a5..bd3d9ad78e56 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -725,8 +725,8 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + if (likely(remaining > 1)) + remaining &= ~1U; + +- net_get_random_once(table_perturb, +- INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb)); ++ get_random_slow_once(table_perturb, ++ INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb)); + index = port_offset & (INET_TABLE_PERTURB_SIZE - 1); + + offset = READ_ONCE(table_perturb[index]) + (port_offset >> 32); +-- +2.35.1 + diff --git a/queue-5.4/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch b/queue-5.4/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch new file mode 100644 index 00000000000..7cbbe3792cf --- /dev/null +++ b/queue-5.4/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch 
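Review bot: In the new `DO_ONCE_SLOW()` macro the line `static bool __section(".data.once") ___done = false;` passes a quoted string, but on a 5.4 base `__section()` stringifies its argument as far as I recall, which would put literal quote characters into the section name. The backport should use the unquoted form, `static bool __section(.data.once) ___done = false;`, matching whatever `DO_ONCE()` uses in this tree (its definition is outside the hunk). Separately, `__do_once_slow_start()` deserves a comment that `func` runs with the global `once_mutex` held. Every `DO_ONCE_SLOW()` site serialises on that mutex, and `func` must not itself reach another `DO_ONCE_SLOW()`.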
@@ -0,0 +1,52 @@ +From 19fc4b02eb3a41442b52ff8935b29f486bf675b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 11:06:34 -0400 +Subject: openvswitch: Fix double reporting of drops in dropwatch + +From: Mike Pattrick + +[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ] + +Frames sent to userspace can be reported as dropped in +ovs_dp_process_packet, however, if they are dropped in the netlink code +then netlink_attachskb will report the same frame as dropped. + +This patch checks for error codes which indicate that the frame has +already been freed. + +Signed-off-by: Mike Pattrick +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946 +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 4f097bd3339e..63f36d6cd3f6 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -236,10 +236,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key) + upcall.portid = ovs_vport_find_upcall_portid(p, skb); + upcall.mru = OVS_CB(skb)->mru; + error = ovs_dp_upcall(dp, skb, key, &upcall, 0); +- if (unlikely(error)) +- kfree_skb(skb); +- else ++ switch (error) { ++ case 0: ++ case -EAGAIN: ++ case -ERESTARTSYS: ++ case -EINTR: + consume_skb(skb); ++ break; ++ default: ++ kfree_skb(skb); ++ break; ++ } + stats_counter = &stats->n_missed; + goto out; + } +-- +2.35.1 + diff --git a/queue-5.4/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch b/queue-5.4/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch new file mode 100644 index 00000000000..0fc2bce12ba --- /dev/null +++ b/queue-5.4/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch 
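Review bot: The `switch (error)` in `ovs_dp_process_packet()` treats `-EAGAIN`, `-ERESTARTSYS` and `-EINTR` like success, and nothing in the code says why these three values are special. A comment above the case labels, such as `/* the netlink path has already reported the drop for these errors; do not report it twice */`, would tie the list to the commit message. The list also depends on what `ovs_dp_upcall()` can return, which is outside the hunk, so any error code added there later falls into `default` and is counted as a drop.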
@@ -0,0 +1,42 @@ +From c155d69d847c9aa7c15c4398611876eba0368f0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 11:06:35 -0400 +Subject: openvswitch: Fix overreporting of drops in dropwatch + +From: Mike Pattrick + +[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ] + +Currently queue_userspace_packet will call kfree_skb for all frames, +whether or not an error occurred. This can result in a single dropped +frame being reported as multiple drops in dropwatch. This functions +caller may also call kfree_skb in case of an error. This patch will +consume the skbs instead and allow caller's to use kfree_skb. + +Signed-off-by: Mike Pattrick +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957 +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 63f36d6cd3f6..41035ce0d23c 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -532,8 +532,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, + out: + if (err) + skb_tx_error(skb); +- kfree_skb(user_skb); +- kfree_skb(nskb); ++ consume_skb(user_skb); ++ consume_skb(nskb); ++ + return err; + } + +-- +2.35.1 + diff --git a/queue-5.4/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch b/queue-5.4/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch new file mode 100644 index 00000000000..a353ba764d8 --- /dev/null +++ b/queue-5.4/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch 
@@ -0,0 +1,53 @@ +From 6c309abe0b5981ff4fcb1ab6c0c30e4f646f87cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 13:13:33 +0800 +Subject: phy: qualcomm: call clk_disable_unprepare in the error handling + +From: Dongliang Mu + +[ Upstream commit c3966ced8eb8dc53b6c8d7f97d32cc8a2107d83e ] + +Smatch reports the following error: + +drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on() +warn: 'uphy->cal_clk' from clk_prepare_enable() not released on lines: +58. +drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on() +warn: 'uphy->cal_sleep_clk' from clk_prepare_enable() not released on +lines: 58. +drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on() +warn: 'uphy->phy_clk' from clk_prepare_enable() not released on lines: +58. + +Fix this by calling proper clk_disable_unprepare calls. + +Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers") +Signed-off-by: Dongliang Mu +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20220914051334.69282-1-dzm91@hust.edu.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-usb-hsic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c +index 04d18d52f700..d4741c2dbbb5 100644 +--- a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c ++++ b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c +@@ -54,8 +54,10 @@ static int qcom_usb_hsic_phy_power_on(struct phy *phy) + + /* Configure pins for HSIC functionality */ + pins_default = pinctrl_lookup_state(uphy->pctl, PINCTRL_STATE_DEFAULT); +- if (IS_ERR(pins_default)) +- return PTR_ERR(pins_default); ++ if (IS_ERR(pins_default)) { ++ ret = PTR_ERR(pins_default); ++ goto err_ulpi; ++ } + + ret = pinctrl_select_state(uphy->pctl, pins_default); + if (ret) +-- +2.35.1 + 
diff --git a/queue-5.4/platform-chrome-fix-double-free-in-chromeos_laptop_p.patch b/queue-5.4/platform-chrome-fix-double-free-in-chromeos_laptop_p.patch new file mode 100644 index 00000000000..d1faae2e77e --- /dev/null +++ b/queue-5.4/platform-chrome-fix-double-free-in-chromeos_laptop_p.patch 
@@ -0,0 +1,88 @@ +From e0ecf1fb401d73fe58d91e9d8ae3d285642460fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Aug 2022 01:08:43 +0300 +Subject: platform/chrome: fix double-free in chromeos_laptop_prepare() + +From: Rustam Subkhankulov + +[ Upstream commit 6ad4194d6a1e1d11b285989cd648ef695b4a93c0 ] + +If chromeos_laptop_prepare_i2c_peripherals() fails after allocating memory +for 'cros_laptop->i2c_peripherals', this memory is freed at 'err_out' label +and nonzero value is returned. Then chromeos_laptop_destroy() is called, +resulting in double-free error. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rustam Subkhankulov +Fixes: 5020cd29d8bf ("platform/chrome: chromeos_laptop - supply properties for ACPI devices") +Reviewed-by: Dmitry Torokhov +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20220813220843.2373004-1-subkhankulov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/chromeos_laptop.c | 24 ++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c +index 8723bcf10c93..954953133d56 100644 +--- a/drivers/platform/chrome/chromeos_laptop.c ++++ b/drivers/platform/chrome/chromeos_laptop.c +@@ -716,6 +716,7 @@ static int __init + chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop, + const struct chromeos_laptop *src) + { ++ struct i2c_peripheral *i2c_peripherals; + struct i2c_peripheral *i2c_dev; + struct i2c_board_info *info; + int i; +@@ -724,17 +725,15 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop, + if (!src->num_i2c_peripherals) + return 0; + +- cros_laptop->i2c_peripherals = kmemdup(src->i2c_peripherals, +- src->num_i2c_peripherals * +- sizeof(*src->i2c_peripherals), +- GFP_KERNEL); +- if (!cros_laptop->i2c_peripherals) ++ i2c_peripherals = kmemdup(src->i2c_peripherals, ++ src->num_i2c_peripherals 
* ++ sizeof(*src->i2c_peripherals), ++ GFP_KERNEL); ++ if (!i2c_peripherals) + return -ENOMEM; + +- cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals; +- +- for (i = 0; i < cros_laptop->num_i2c_peripherals; i++) { +- i2c_dev = &cros_laptop->i2c_peripherals[i]; ++ for (i = 0; i < src->num_i2c_peripherals; i++) { ++ i2c_dev = &i2c_peripherals[i]; + info = &i2c_dev->board_info; + + error = chromeos_laptop_setup_irq(i2c_dev); +@@ -752,16 +751,19 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop, + } + } + ++ cros_laptop->i2c_peripherals = i2c_peripherals; ++ cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals; ++ + return 0; + + err_out: + while (--i >= 0) { +- i2c_dev = &cros_laptop->i2c_peripherals[i]; ++ i2c_dev = &i2c_peripherals[i]; + info = &i2c_dev->board_info; + if (info->properties) + property_entries_free(info->properties); + } +- kfree(cros_laptop->i2c_peripherals); ++ kfree(i2c_peripherals); + return error; + } + +-- +2.35.1 + diff --git a/queue-5.4/platform-chrome-fix-memory-corruption-in-ioctl.patch b/queue-5.4/platform-chrome-fix-memory-corruption-in-ioctl.patch new file mode 100644 index 00000000000..b2218478494 --- /dev/null +++ b/queue-5.4/platform-chrome-fix-memory-corruption-in-ioctl.patch 
@@ -0,0 +1,39 @@ +From b5d40c0e9ee7f1467bb9a404ef6b1c8296184bd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 08:20:36 +0300 +Subject: platform/chrome: fix memory corruption in ioctl + +From: Dan Carpenter + +[ Upstream commit 8a07b45fd3c2dda24fad43639be5335a4595196a ] + +If "s_mem.bytes" is larger than the buffer size it leads to memory +corruption. + +Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC") +Signed-off-by: Dan Carpenter +Reviewed-by: Guenter Roeck +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/Yv8dpCFZJdbUT5ye@kili +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_chardev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c +index 74ded441bb50..1f5f4a46ab74 100644 +--- a/drivers/platform/chrome/cros_ec_chardev.c ++++ b/drivers/platform/chrome/cros_ec_chardev.c +@@ -328,6 +328,9 @@ static long cros_ec_chardev_ioctl_readmem(struct cros_ec_dev *ec, + if (copy_from_user(&s_mem, arg, sizeof(s_mem))) + return -EFAULT; + ++ if (s_mem.bytes > sizeof(s_mem.buffer)) ++ return -EINVAL; ++ + num = ec_dev->cmd_readmem(ec_dev, s_mem.offset, s_mem.bytes, + s_mem.buffer); + if (num <= 0) +-- +2.35.1 + diff --git a/queue-5.4/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch b/queue-5.4/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch new file mode 100644 index 00000000000..139c367ff60 --- /dev/null +++ b/queue-5.4/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch 
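Review bot: The new check in `cros_ec_chardev_ioctl_readmem()` bounds `s_mem.bytes` against the buffer, but `s_mem.offset` is still passed to `cmd_readmem()` unvalidated in this hunk, so the range check on the EC memory map is left to each callback. If that is intentional, say so next to the guard, e.g. `/* bytes bounds the copy into s_mem.buffer; offset is validated by cmd_readmem() */`. The function body starts and ends outside the hunk.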
@@ -0,0 +1,58 @@ +From 747cbee3c321334cfef425bcfd2791658144a237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 23:04:07 +0200 +Subject: platform/x86: msi-laptop: Change DMI match / alias strings to fix + module autoloading + +From: Hans de Goede + +[ Upstream commit 2a2565272a3628e45d61625e36ef17af7af4e3de ] + +On a MSI S270 with Fedora 37 x86_64 / systemd-251.4 the module does not +properly autoload. + +This is likely caused by issues with how systemd-udevd handles the single +quote char (') which is part of the sys_vendor / chassis_vendor strings +on this laptop. As a workaround remove the single quote char + everything +behind it from the sys_vendor + chassis_vendor matches. This fixes +the module not autoloading. + +Link: https://github.com/systemd/systemd/issues/24715 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220917210407.647432-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 3e935303b143..0e804b6c2d24 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -596,11 +596,10 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = { + { + .ident = "MSI S270", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT'L CO.,LTD"), ++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"), + DMI_MATCH(DMI_PRODUCT_NAME, "MS-1013"), + DMI_MATCH(DMI_PRODUCT_VERSION, "0131"), +- DMI_MATCH(DMI_CHASSIS_VENDOR, +- "MICRO-STAR INT'L CO.,LTD") ++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT") + }, + .driver_data = &quirk_old_ec_model, + .callback = dmi_check_cb +@@ -633,8 +632,7 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = { + DMI_MATCH(DMI_SYS_VENDOR, "NOTEBOOK"), + DMI_MATCH(DMI_PRODUCT_NAME, "SAM2000"), + DMI_MATCH(DMI_PRODUCT_VERSION, "0131"), +- 
DMI_MATCH(DMI_CHASSIS_VENDOR, +- "MICRO-STAR INT'L CO.,LTD") ++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT") + }, + .driver_data = &quirk_old_ec_model, + .callback = dmi_check_cb +-- +2.35.1 + diff --git a/queue-5.4/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch b/queue-5.4/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch new file mode 100644 index 00000000000..2e866968c13 --- /dev/null +++ b/queue-5.4/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch 
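Review bot: Nothing in the table entries says why the vendor strings now stop at `MICRO-STAR INT`, so a later cleanup could restore the full name and break module autoloading again. DMI_MATCH is a substring match, so the shortened string still matches the original vendor field while keeping the single quote out of the match string. I would add `/* vendor string cut before the ' character, see systemd issue 24715 */` above the shortened matches in both the MSI S270 entry and the SAM2000 entry. The msi_dmi_table initialiser continues outside both inner hunks.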
@@ -0,0 +1,58 @@ +From f9557dd5bfad33108defa31068b1bd7cf1a74e4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:13:34 +0200 +Subject: platform/x86: msi-laptop: Fix old-ec check for backlight registering + +From: Hans de Goede + +[ Upstream commit 83ac7a1c2ed5f17caa07cbbc84bad3c05dc3bf22 ] + +Commit 2cc6c717799f ("msi-laptop: Port to new backlight interface +selection API") replaced this check: + + if (!quirks->old_ec_model || acpi_video_backlight_support()) + pr_info("Brightness ignored, ..."); + else + do_register(); + +With: + + if (quirks->old_ec_model || + acpi_video_get_backlight_type() == acpi_backlight_vendor) + do_register(); + +But since the do_register() part was part of the else branch, the entire +condition should be inverted. So not only the 2 statements on either +side of the || should be inverted, but the || itself should be replaced +with a &&. + +In practice this has likely not been an issue because the new-ec models +(old_ec_model==false) likely all support ACPI video backlight control, +making acpi_video_get_backlight_type() return acpi_backlight_video +turning the second part of the || also false when old_ec_model == false. 
+ +Fixes: 2cc6c717799f ("msi-laptop: Port to new backlight interface selection API") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220825141336.208597-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 24ffc8e2d2d1..0960205ee49f 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1048,8 +1048,7 @@ static int __init msi_init(void) + return -EINVAL; + + /* Register backlight stuff */ +- +- if (quirks->old_ec_model || ++ if (quirks->old_ec_model && + acpi_video_get_backlight_type() == acpi_backlight_vendor) { + struct backlight_properties props; + memset(&props, 0, sizeof(struct backlight_properties)); +-- +2.35.1 + diff --git a/queue-5.4/platform-x86-msi-laptop-fix-resource-cleanup.patch b/queue-5.4/platform-x86-msi-laptop-fix-resource-cleanup.patch new file mode 100644 index 00000000000..23e0bb5ae3e --- /dev/null +++ b/queue-5.4/platform-x86-msi-laptop-fix-resource-cleanup.patch 
@@ -0,0 +1,45 @@ +From b89425eeb4a48a38a14916b05855a6fb2295b2a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:13:36 +0200 +Subject: platform/x86: msi-laptop: Fix resource cleanup + +From: Hans de Goede + +[ Upstream commit 5523632aa10f906dfe2eb714ee748590dc7fc6b1 ] + +Fix the input-device not getting free-ed on probe-errors and +fix the msi_touchpad_dwork not getting cancelled on neither +probe-errors nor on remove. + +Fixes: 143a4c0284dc ("msi-laptop: send out touchpad on/off key") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220825141336.208597-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 0960205ee49f..3e935303b143 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1116,6 +1116,8 @@ static int __init msi_init(void) + fail_create_group: + if (quirks->load_scm_model) { + i8042_remove_filter(msi_laptop_i8042_filter); ++ cancel_delayed_work_sync(&msi_touchpad_dwork); ++ input_unregister_device(msi_laptop_input_dev); + cancel_delayed_work_sync(&msi_rfkill_dwork); + cancel_work_sync(&msi_rfkill_work); + rfkill_cleanup(); +@@ -1136,6 +1138,7 @@ static void __exit msi_cleanup(void) + { + if (quirks->load_scm_model) { + i8042_remove_filter(msi_laptop_i8042_filter); ++ cancel_delayed_work_sync(&msi_touchpad_dwork); + input_unregister_device(msi_laptop_input_dev); + cancel_delayed_work_sync(&msi_rfkill_dwork); + cancel_work_sync(&msi_rfkill_work); +-- +2.35.1 + diff --git a/queue-5.4/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch b/queue-5.4/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch new file mode 100644 index 00000000000..e2761e7dcbf --- /dev/null +++ b/queue-5.4/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch 
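Review bot: The order of the teardown calls in the `fail_create_group` path and in msi_cleanup() is load-bearing but undocumented: the i8042 filter is removed first, then `msi_touchpad_dwork` is cancelled, and only then is `msi_laptop_input_dev` unregistered. Presumably the filter schedules the delayed work and the work reports on the input device, so another order would leave a window for a use after free; neither the filter nor the work function is visible here, so that should be confirmed. A comment such as `/* stop the filter, then the work it schedules, then the input device the work uses */` above the block in both places would keep the sequence from being reshuffled. Both msi_init and msi_cleanup extend beyond the hunks.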
@@ -0,0 +1,44 @@ +From ea4ea92fac7db4d717a71921804270bd6cc975a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 07:32:23 +0000 +Subject: power: supply: adp5061: fix out-of-bounds read in + adp5061_get_chg_type() + +From: Wei Yongjun + +[ Upstream commit 9d47e01b9d807808224347935562f7043a358054 ] + +ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length +of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements +beyond the end of the adp5061_chg_type[] array. + +Signed-off-by: Wei Yongjun +Acked-by: Michael Hennerich +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/adp5061.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/supply/adp5061.c b/drivers/power/supply/adp5061.c +index 003557043ab3..daee1161c305 100644 +--- a/drivers/power/supply/adp5061.c ++++ b/drivers/power/supply/adp5061.c +@@ -427,11 +427,11 @@ static int adp5061_get_chg_type(struct adp5061_state *st, + if (ret < 0) + return ret; + +- chg_type = adp5061_chg_type[ADP5061_CHG_STATUS_1_CHG_STATUS(status1)]; +- if (chg_type > ADP5061_CHG_FAST_CV) ++ chg_type = ADP5061_CHG_STATUS_1_CHG_STATUS(status1); ++ if (chg_type >= ARRAY_SIZE(adp5061_chg_type)) + val->intval = POWER_SUPPLY_STATUS_UNKNOWN; + else +- val->intval = chg_type; ++ val->intval = adp5061_chg_type[chg_type]; + + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch b/queue-5.4/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch new file mode 100644 index 00000000000..bd87b03234a --- /dev/null +++ b/queue-5.4/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch 
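Review bot: The out-of-range branch stores `POWER_SUPPLY_STATUS_UNKNOWN` in a function that reports a charge type, so the fallback value comes from a different enum than the entries of `adp5061_chg_type[]` presumably do (the array contents are outside the hunk). The line would read more correctly as `val->intval = POWER_SUPPLY_CHARGE_TYPE_UNKNOWN;`, and since the bounds check is now the only thing standing between a raw register field and the array index, a short comment above it (`/* status field is 3 bits wide, table has fewer entries */`) would explain why it must stay. The declaration of `chg_type` is also outside the hunk; the comparison with `ARRAY_SIZE()` assumes it cannot be negative, which the 0x07 mask described in the commit message implies.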
@@ -0,0 +1,45 @@ +From 3003c077f1f4887a3daf4106054844a534e37cc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 14:08:26 +0800 +Subject: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue + +From: Chao Qin + +[ Upstream commit 2d93540014387d1c73b9ccc4d7895320df66d01b ] + +When value < time_unit, the parameter of ilog2() will be zero and +the return value is -1. u64(-1) is too large for shift exponent +and then will trigger shift-out-of-bounds: + +shift exponent 18446744073709551615 is too large for 32-bit type 'int' +Call Trace: + rapl_compute_time_window_core + rapl_write_data_raw + set_time_window + store_constraint_time_window_us + +Signed-off-by: Chao Qin +Acked-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/intel_rapl_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c +index 925b0004a0ed..d5a505f32260 100644 +--- a/drivers/powercap/intel_rapl_common.c ++++ b/drivers/powercap/intel_rapl_common.c +@@ -885,6 +885,9 @@ static u64 rapl_compute_time_window_core(struct rapl_package *rp, u64 value, + y = value & 0x1f; + value = (1 << y) * (4 + f) * rp->time_unit / 4; + } else { ++ if (value < rp->time_unit) ++ return 0; ++ + do_div(value, rp->time_unit); + y = ilog2(value); + f = div64_u64(4 * (value - (1 << y)), 1 << y); +-- +2.35.1 + diff --git a/queue-5.4/powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch b/queue-5.4/powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch new file mode 100644 index 00000000000..c94487cfe2e --- /dev/null +++ b/queue-5.4/powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch 
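Review bot: The remaining `1 << y` expressions in this function are still evaluated as 32-bit `int`, so the added early return removes only the `ilog2(0)` case. In the else branch `y = ilog2(value)` is derived from a u64 quotient that, per the quoted call trace, originates from a sysfs write, and in the other branch `y = value & 0x1f` can be 31; in both cases a large `y` makes the shift undefined. A 64-bit shift would close that, e.g. `f = div64_u64(4 * (value - (1ULL << y)), 1ULL << y);` and `value = (1ULL << y) * (4 + f) * rp->time_unit / 4;`. The declaration of `y` and the final encoding of the result are outside the hunk, so the reachable range should be confirmed there.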
@@ -0,0 +1,41 @@ +From 72e15b2339c95a9309a1d0c6bdb50752befc7586 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 11:41:02 +1000 +Subject: powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5 + +From: Nicholas Piggin + +[ Upstream commit 58ec7f06b74e0d6e76c4110afce367c8b5f0837d ] + +Big-endian GENERIC_CPU supports 970, but builds with -mcpu=power5. +POWER5 is ISA v2.02 whereas 970 is v2.01 plus Altivec. 2.02 added +the popcntb instruction which a compiler might use. + +Use -mcpu=power4. + +Fixes: 471d7ff8b51b ("powerpc/64s: Remove POWER4 support") +Signed-off-by: Nicholas Piggin +Reviewed-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220921014103.587954-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile +index eedd114a017c..95183a717eb6 100644 +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -155,7 +155,7 @@ CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power8 + CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power9,-mtune=power8) + else + CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power7,$(call cc-option,-mtune=power5)) +-CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mcpu=power5,-mcpu=power4) ++CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power4 + endif + else ifdef CONFIG_PPC_BOOK3E_64 + CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=powerpc64 +-- +2.35.1 + diff --git a/queue-5.4/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch b/queue-5.4/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch new file mode 100644 index 00000000000..0134d26c546 --- /dev/null +++ b/queue-5.4/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch 
@@ -0,0 +1,150 @@ +From e2a626e3b79d19bd2a3deec27bd552288e55839d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 23:21:02 +0200 +Subject: powerpc: Fix SPE Power ISA properties for e500v1 platforms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 37b9345ce7f4ab17538ea62def6f6d430f091355 ] + +Commit 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply +with ePAPR 1.1") introduced new include file e500v2_power_isa.dtsi and +should have used it for all e500v2 platforms. But apparently it was used +also for e500v1 platforms mpc8540, mpc8541, mpc8555 and mpc8560. + +e500v1 cores compared to e500v2 do not support double precision floating +point SPE instructions. Hence power-isa-sp.fd should not be set on e500v1 +platforms, which is in e500v2_power_isa.dtsi include file. + +Fix this issue by introducing a new e500v1_power_isa.dtsi include file and +use it in all e500v1 device tree files. 
+ +Fixes: 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply with ePAPR 1.1") +Signed-off-by: Pali Rohár +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220902212103.22534-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + .../boot/dts/fsl/e500v1_power_isa.dtsi | 51 +++++++++++++++++++ + arch/powerpc/boot/dts/fsl/mpc8540ads.dts | 2 +- + arch/powerpc/boot/dts/fsl/mpc8541cds.dts | 2 +- + arch/powerpc/boot/dts/fsl/mpc8555cds.dts | 2 +- + arch/powerpc/boot/dts/fsl/mpc8560ads.dts | 2 +- + 5 files changed, 55 insertions(+), 4 deletions(-) + create mode 100644 arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi + +diff --git a/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi +new file mode 100644 +index 000000000000..7e2a90cde72e +--- /dev/null ++++ b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi +@@ -0,0 +1,51 @@ ++/* ++ * e500v1 Power ISA Device Tree Source (include) ++ * ++ * Copyright 2012 Freescale Semiconductor Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * * Neither the name of Freescale Semiconductor nor the ++ * names of its contributors may be used to endorse or promote products ++ * derived from this software without specific prior written permission. ++ * ++ * ++ * ALTERNATIVELY, this software may be distributed under the terms of the ++ * GNU General Public License ("GPL") as published by the Free Software ++ * Foundation, either version 2 of that License or (at your option) any ++ * later version. 
++ * ++ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor "AS IS" AND ANY ++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED ++ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY ++ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ++ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS ++ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++/ { ++ cpus { ++ power-isa-version = "2.03"; ++ power-isa-b; // Base ++ power-isa-e; // Embedded ++ power-isa-atb; // Alternate Time Base ++ power-isa-cs; // Cache Specification ++ power-isa-e.le; // Embedded.Little-Endian ++ power-isa-e.pm; // Embedded.Performance Monitor ++ power-isa-ecl; // Embedded Cache Locking ++ power-isa-mmc; // Memory Coherence ++ power-isa-sp; // Signal Processing Engine ++ power-isa-sp.fs; // SPE.Embedded Float Scalar Single ++ power-isa-sp.fv; // SPE.Embedded Float Vector ++ mmu-type = "power-embedded"; ++ }; ++}; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts +index 18a885130538..e03ae130162b 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8540ADS"; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts +index ac381e7b1c60..a2a6c5cf852e 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ 
"e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8541CDS"; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts +index 9f58db2a7e66..901b6ff06dfb 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8555CDS"; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts +index a24722ccaebf..c2f9aea78b29 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8560ADS"; +-- +2.35.1 + diff --git a/queue-5.4/powerpc-math_emu-efp-include-module.h.patch b/queue-5.4/powerpc-math_emu-efp-include-module.h.patch new file mode 100644 index 00000000000..c98201e1d55 --- /dev/null +++ b/queue-5.4/powerpc-math_emu-efp-include-module.h.patch 
@@ -0,0 +1,53 @@ +From 12cded0c549f0208636c8e25d86b71bbad2bc3d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 18:00:08 +0200 +Subject: powerpc/math_emu/efp: Include module.h + +From: Nathan Chancellor + +[ Upstream commit cfe0d370e0788625ce0df3239aad07a2506c1796 ] + +When building with a recent version of clang, there are a couple of +errors around the call to module_init(): + + arch/powerpc/math-emu/math_efp.c:927:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] + module_init(spe_mathemu_init); + ^ + int + arch/powerpc/math-emu/math_efp.c:927:13: error: a parameter list without types is only allowed in a function definition + module_init(spe_mathemu_init); + ^ + 2 errors generated. + +module_init() is a macro, which is not getting expanded because module.h +is not included in this file. Add the include so that the macro can +expand properly, clearing up the build failure. + +Fixes: ac6f120369ff ("powerpc/85xx: Workaroudn e500 CPU erratum A005") +[chleroy: added fixes tag] +Reported-by: kernel test robot +Signed-off-by: Nathan Chancellor +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Reviewed-by: Christophe Leroy +Link: https://lore.kernel.org/r/8403854a4c187459b2f4da3537f51227b70b9223.1662134272.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/math-emu/math_efp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/math-emu/math_efp.c b/arch/powerpc/math-emu/math_efp.c +index 0a05e51964c1..90111c9e7521 100644 +--- a/arch/powerpc/math-emu/math_efp.c ++++ b/arch/powerpc/math-emu/math_efp.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + #include + #include +-- +2.35.1 + diff --git a/queue-5.4/powerpc-pci_dn-add-missing-of_node_put.patch b/queue-5.4/powerpc-pci_dn-add-missing-of_node_put.patch new file mode 100644 index 00000000000..321bb79fb51 --- /dev/null 
+++ b/queue-5.4/powerpc-pci_dn-add-missing-of_node_put.patch @@ -0,0 +1,38 @@ +From 78c2068043515431ed03bc1624d0aae25bf995fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 21:17:50 +0800 +Subject: powerpc/pci_dn: Add missing of_node_put() + +From: Liang He + +[ Upstream commit 110a1fcb6c4d55144d8179983a475f17a1d6f832 ] + +In pci_add_device_node_info(), use of_node_put() to drop the reference +to 'parent' returned by of_get_parent() to keep refcount balance. + +Fixes: cca87d303c85 ("powerpc/pci: Refactor pci_dn") +Co-authored-by: Miaoqian Lin +Signed-off-by: Liang He +Signed-off-by: Michael Ellerman +Reviewed-by: Tyrel Datwyler +Link: https://lore.kernel.org/r/20220701131750.240170-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci_dn.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c +index d876eda92609..d28433f0fc8e 100644 +--- a/arch/powerpc/kernel/pci_dn.c ++++ b/arch/powerpc/kernel/pci_dn.c +@@ -325,6 +325,7 @@ struct pci_dn *pci_add_device_node_info(struct pci_controller *hose, + INIT_LIST_HEAD(&pdn->list); + parent = of_get_parent(dn); + pdn->parent = parent ? PCI_DN(parent) : NULL; ++ of_node_put(parent); + if (pdn->parent) + list_add_tail(&pdn->list, &pdn->parent->child_list); + +-- +2.35.1 + diff --git a/queue-5.4/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch b/queue-5.4/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch new file mode 100644 index 00000000000..278f7ccd877 --- /dev/null +++ b/queue-5.4/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch 
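Review bot: `pdn->parent` keeps a pointer obtained from `parent` after `of_node_put(parent)` has dropped the only reference taken here, so nothing in this function pins the parent node while the child sits on its `child_list`. That may well be safe if the parent's pci_dn outlives its children by construction, but the hunk does not show what guarantees it. I would state the assumption next to the put, e.g. `/* pdn->parent is not refcounted; the parent pci_dn is expected to outlive its children */`, or hold the reference until the pdn is removed. pci_add_device_node_info starts and ends outside the hunk.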
@@ -0,0 +1,36 @@ +From a37777d352275d66d14c20cd6e640eceed8d45b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 14:17:03 +0000 +Subject: powerpc/powernv: add missing of_node_put() in opal_export_attrs() + +From: Zheng Yongjun + +[ Upstream commit 71a92e99c47900cc164620948b3863382cec4f1a ] + +After using 'np' returned by of_find_node_by_path(), of_node_put() +need be called to decrease the refcount. + +Fixes: 11fe909d2362 ("powerpc/powernv: Add OPAL exports attributes to sysfs") +Signed-off-by: Zheng Yongjun +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220906141703.118192-1-zhengyongjun3@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c +index 38e90270280b..c3f968429161 100644 +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -776,6 +776,7 @@ static void opal_export_attrs(void) + kobj = kobject_create_and_add("exports", opal_kobj); + if (!kobj) { + pr_warn("kobject_create_and_add() of exports failed\n"); ++ of_node_put(np); + return; + } + +-- +2.35.1 + diff --git a/queue-5.4/powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch b/queue-5.4/powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch new file mode 100644 index 00000000000..60224f374eb --- /dev/null +++ b/queue-5.4/powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch 
@@ -0,0 +1,40 @@ +From 95c8ee2cd26a5516c61072095a927e14eaa45b0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 22:52:33 +0800 +Subject: powerpc/sysdev/fsl_msi: Add missing of_node_put() + +From: Liang He + +[ Upstream commit def435c04ee984a5f9ed2711b2bfe946936c6a21 ] + +In fsl_setup_msi_irqs(), use of_node_put() to drop the reference +returned by of_parse_phandle(). + +Fixes: 895d603f945ba ("powerpc/fsl_msi: add support for the fsl, msi property in PCI nodes") +Co-authored-by: Miaoqian Lin +Signed-off-by: Liang He +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220704145233.278539-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/fsl_msi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index 808e7118abfc..d276c5e96445 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -211,8 +211,10 @@ static int fsl_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + dev_err(&pdev->dev, + "node %pOF has an invalid fsl,msi phandle %u\n", + hose->dn, np->phandle); ++ of_node_put(np); + return -EINVAL; + } ++ of_node_put(np); + } + + for_each_pci_msi_entry(entry, pdev) { +-- +2.35.1 + diff --git a/queue-5.4/r8152-factor-out-oob-link-list-waits.patch b/queue-5.4/r8152-factor-out-oob-link-list-waits.patch new file mode 100644 index 00000000000..7d6d18b5ac8 --- /dev/null +++ b/queue-5.4/r8152-factor-out-oob-link-list-waits.patch 
@@ -0,0 +1,184 @@ +From f168a7d4fb7a1b3928684caa4ce770c317fb3411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 01:35:57 -0700 +Subject: r8152: Factor out OOB link list waits + +From: Prashant Malani + +[ Upstream commit 5f71c84038d39def573744a145c573758f52a949 ] + +The same for-loop check for the LINK_LIST_READY bit of an OOB_CTRL +register is used in several places. Factor these out into a single +function to reduce the lines of code. + +Change-Id: I20e8f327045a72acc0a83e2d145ae2993ab62915 +Signed-off-by: Prashant Malani +Reviewed-by: Grant Grundler +Acked-by: Hayes Wang +Signed-off-by: David S. Miller +Stable-dep-of: c5783af35468 ("sh: machvec: Use char[] for section boundaries") +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 73 ++++++++++++----------------------------- + 1 file changed, 21 insertions(+), 52 deletions(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 873f288e7cec..9042db982a08 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -3367,11 +3367,23 @@ static void r8152b_hw_phy_cfg(struct r8152 *tp) + set_bit(PHY_RESET, &tp->flags); + } + +-static void r8152b_exit_oob(struct r8152 *tp) ++static void wait_oob_link_list_ready(struct r8152 *tp) + { + u32 ocp_data; + int i; + ++ for (i = 0; i < 1000; i++) { ++ ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); ++ if (ocp_data & LINK_LIST_READY) ++ break; ++ usleep_range(1000, 2000); ++ } ++} ++ ++static void r8152b_exit_oob(struct r8152 *tp) ++{ ++ u32 ocp_data; ++ + ocp_data = ocp_read_dword(tp, MCU_TYPE_PLA, PLA_RCR); + ocp_data &= ~RCR_ACPT_ALL; + ocp_write_dword(tp, MCU_TYPE_PLA, PLA_RCR, ocp_data); +@@ -3389,23 +3401,13 @@ static void r8152b_exit_oob(struct r8152 *tp) + ocp_data &= ~MCU_BORW_EN; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7, ocp_data); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- 
usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + ocp_data = ocp_read_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7); + ocp_data |= RE_INIT_LL; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7, ocp_data); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + rtl8152_nic_reset(tp); + +@@ -3447,7 +3449,6 @@ static void r8152b_exit_oob(struct r8152 *tp) + static void r8152b_enter_oob(struct r8152 *tp) + { + u32 ocp_data; +- int i; + + ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); + ocp_data &= ~NOW_IS_OOB; +@@ -3459,23 +3460,13 @@ static void r8152b_enter_oob(struct r8152 *tp) + + rtl_disable(tp); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + ocp_data = ocp_read_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7); + ocp_data |= RE_INIT_LL; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7, ocp_data); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + ocp_write_word(tp, MCU_TYPE_PLA, PLA_RMS, RTL8152_RMS); + +@@ -3700,7 +3691,6 @@ static void r8153b_hw_phy_cfg(struct r8152 *tp) + static void r8153_first_init(struct r8152 *tp) + { + u32 ocp_data; +- int i; + + rxdy_gated_en(tp, true); + r8153_teredo_off(tp); +@@ -3720,23 +3710,13 @@ static void r8153_first_init(struct r8152 *tp) + ocp_data &= ~MCU_BORW_EN; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7, ocp_data); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + ocp_data = 
ocp_read_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7); + ocp_data |= RE_INIT_LL; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7, ocp_data); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + rtl_rx_vlan_en(tp, tp->netdev->features & NETIF_F_HW_VLAN_CTAG_RX); + +@@ -3761,7 +3741,6 @@ static void r8153_first_init(struct r8152 *tp) + static void r8153_enter_oob(struct r8152 *tp) + { + u32 ocp_data; +- int i; + + ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); + ocp_data &= ~NOW_IS_OOB; +@@ -3770,23 +3749,13 @@ static void r8153_enter_oob(struct r8152 *tp) + rtl_disable(tp); + rtl_reset_bmu(tp); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + ocp_data = ocp_read_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7); + ocp_data |= RE_INIT_LL; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_SFF_STS_7, ocp_data); + +- for (i = 0; i < 1000; i++) { +- ocp_data = ocp_read_byte(tp, MCU_TYPE_PLA, PLA_OOB_CTRL); +- if (ocp_data & LINK_LIST_READY) +- break; +- usleep_range(1000, 2000); +- } ++ wait_oob_link_list_ready(tp); + + ocp_data = tp->netdev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN; + ocp_write_word(tp, MCU_TYPE_PLA, PLA_RMS, ocp_data); +-- +2.35.1 + diff --git a/queue-5.4/r8152-rate-limit-overflow-messages.patch b/queue-5.4/r8152-rate-limit-overflow-messages.patch new file mode 100644 index 00000000000..c4516a6fe21 --- /dev/null +++ b/queue-5.4/r8152-rate-limit-overflow-messages.patch 
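Review bot: wait_oob_link_list_ready() returns void and falls out of the loop silently when LINK_LIST_READY never appears within the 1000 polls, so every caller goes on to set `RE_INIT_LL` or reset the NIC on hardware that has not signalled readiness. The refactor keeps the old behaviour, but now that the wait lives in one place it is cheap to make the timeout visible, e.g. after the loop `if (i == 1000) netif_warn(tp, drv, tp->netdev, "LINK_LIST_READY timeout\n");`, or to return an error the callers can act on. The helper would also benefit from a one-line comment giving the worst-case wait, roughly one to two seconds from `usleep_range(1000, 2000)` repeated 1000 times.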
@@ -0,0 +1,38 @@ +From b02e7d010cd536e672b275d6888fc8ed2fb4d50b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 12:41:28 +0900 +Subject: r8152: Rate limit overflow messages + +From: Andrew Gaul + +[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ] + +My system shows almost 10 million of these messages over a 24-hour +period which pollutes my logs. + +Signed-off-by: Andrew Gaul +Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 9042db982a08..dafdae6536a3 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1479,7 +1479,9 @@ static void intr_callback(struct urb *urb) + "Stop submitting intr, status %d\n", status); + return; + case -EOVERFLOW: +- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n"); ++ if (net_ratelimit()) ++ netif_info(tp, intr, tp->netdev, ++ "intr status -EOVERFLOW\n"); + goto resubmit; + /* -EPIPE: should clear the halt */ + default: +-- +2.35.1 + diff --git a/queue-5.4/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch b/queue-5.4/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch new file mode 100644 index 00000000000..f5c9eeca7a0 --- /dev/null +++ b/queue-5.4/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch 
@@ -0,0 +1,48 @@ +From cb50c587d27733382230456e76ee7cb331281687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 21:16:13 -0400 +Subject: RDMA/rxe: Fix "kernel NULL pointer dereference" error + +From: Zhu Yanjun + +[ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ] + +When rxe_queue_init in the function rxe_qp_init_req fails, +both qp->req.task.func and qp->req.task.arg are not initialized. + +Because of creation of qp fails, the function rxe_create_qp will +call rxe_qp_do_cleanup to handle allocated resource. + +Before calling __rxe_do_task, both qp->req.task.func and +qp->req.task.arg should be checked. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev +Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com +Signed-off-by: Zhu Yanjun +Reviewed-by: Li Zhijian +Reviewed-by: Bob Pearson +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 57f111fe5443..be3eff792864 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -805,7 +805,9 @@ void rxe_qp_destroy(struct rxe_qp *qp) + rxe_cleanup_task(&qp->comp.task); + + /* flush out any receive wr's or pending requests */ +- __rxe_do_task(&qp->req.task); ++ if (qp->req.task.func) ++ __rxe_do_task(&qp->req.task); ++ + if (qp->sq.queue) { + __rxe_do_task(&qp->comp.task); + __rxe_do_task(&qp->req.task); +-- +2.35.1 + diff --git a/queue-5.4/rdma-rxe-fix-the-error-caused-by-qp-sk.patch b/queue-5.4/rdma-rxe-fix-the-error-caused-by-qp-sk.patch new file mode 100644 index 00000000000..f7df5dd2471 --- /dev/null +++ b/queue-5.4/rdma-rxe-fix-the-error-caused-by-qp-sk.patch 
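Review bot: Only the first `__rxe_do_task(&qp->req.task)` call is guarded by `qp->req.task.func`; the two calls inside `if (qp->sq.queue)` just below still run `comp.task` and `req.task` unchecked. They are presumably safe because `sq.queue` stays NULL when rxe_queue_init fails, but that coupling between queue allocation and task initialisation is implicit and easy to break in a later change. Either repeat the check there or add a comment such as `/* sq.queue is only set once both tasks are initialised */`, after confirming it against rxe_qp_init_req. The function body continues outside the hunk.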
@@ -0,0 +1,48 @@
+From 7bbb63bcd006262f392fc4e338d439307ad5888e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Aug 2022 21:16:14 -0400
+Subject: RDMA/rxe: Fix the error caused by qp->sk
+
+From: Zhu Yanjun
+
+[ Upstream commit 548ce2e66725dcba4e27d1e8ac468d5dd17fd509 ]
+
+When sock_create_kern in the function rxe_qp_init_req fails,
+qp->sk is set to NULL.
+
+Then the function rxe_create_qp will call rxe_qp_do_cleanup
+to handle allocated resource.
+
+Before handling qp->sk, this variable should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-3-yanjun.zhu@linux.dev
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Li Zhijian
+Reviewed-by: Bob Pearson
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index be3eff792864..89f6d54a4312 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -847,8 +847,10 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+
+ free_rd_atomic_resources(qp);
+
+- kernel_sock_shutdown(qp->sk, SHUT_RDWR);
+- sock_release(qp->sk);
++ if (qp->sk) {
++ kernel_sock_shutdown(qp->sk, SHUT_RDWR);
++ sock_release(qp->sk);
++ }
+ }
+
+ /* called when the last reference to the qp is dropped */
+--
+2.35.1
+
diff --git a/queue-5.4/rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch b/queue-5.4/rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch
new file mode 100644
index 00000000000..cf25c7cd902
--- /dev/null
+++ b/queue-5.4/rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch
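Review bot: After `sock_release(qp->sk)` in rxe_qp_do_cleanup the pointer keeps its old value, so the new `if (qp->sk)` guard covers only a socket that was never created, not a second pass through the cleanup. If the cleanup can ever be reached twice for one qp (not visible here), adding `qp->sk = NULL;` after the release would make the guard cover that case as well. A short comment such as `/* sk is NULL when sock_create_kern() failed in rxe_qp_init_req() */` would record why the check exists.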
@@ -0,0 +1,99 @@ +From 3167a32ff859f77329861bc01cd0e5128a65acb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 10:12:02 +0200 +Subject: RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall. + +From: Bernard Metzler + +[ Upstream commit 754209850df8367c954ac1de7671c7430b1f342c ] + +For header and trailer/padding processing, siw did not consume new +skb data until minimum amount present to fill current header or trailer +structure, including potential payload padding. Not consuming any +data during upcall may cause a receive stall, since tcp_read_sock() +is not upcalling again if no new data arrive. +A NFSoRDMA client got stuck at RDMA Write reception of unaligned +payload, if the current skb did contain only the expected 3 padding +bytes, but not the 4 bytes CRC trailer. Expecting 4 more bytes already +arrived in another skb, and not consuming those 3 bytes in the current +upcall left the Write incomplete, waiting for the CRC forever. + +Fixes: 8b6a361b8c48 ("rdma/siw: receive path") +Reported-by: Olga Kornievskaia +Tested-by: Olga Kornievskaia +Signed-off-by: Bernard Metzler +Link: https://lore.kernel.org/r/20220920081202.223629-1-bmt@zurich.ibm.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_qp_rx.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c +index 5f94c716301f..e8a1aa07f058 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_rx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c +@@ -961,27 +961,28 @@ int siw_proc_terminate(struct siw_qp *qp) + static int siw_get_trailer(struct siw_qp *qp, struct siw_rx_stream *srx) + { + struct sk_buff *skb = srx->skb; ++ int avail = min(srx->skb_new, srx->fpdu_part_rem); + u8 *tbuf = (u8 *)&srx->trailer.crc - srx->pad; + __wsum crc_in, crc_own = 0; + + siw_dbg_qp(qp, "expected %d, available %d, pad %u\n", + 
srx->fpdu_part_rem, srx->skb_new, srx->pad); + +- if (srx->skb_new < srx->fpdu_part_rem) +- return -EAGAIN; +- +- skb_copy_bits(skb, srx->skb_offset, tbuf, srx->fpdu_part_rem); ++ skb_copy_bits(skb, srx->skb_offset, tbuf, avail); + +- if (srx->mpa_crc_hd && srx->pad) +- crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad); ++ srx->skb_new -= avail; ++ srx->skb_offset += avail; ++ srx->skb_copied += avail; ++ srx->fpdu_part_rem -= avail; + +- srx->skb_new -= srx->fpdu_part_rem; +- srx->skb_offset += srx->fpdu_part_rem; +- srx->skb_copied += srx->fpdu_part_rem; ++ if (srx->fpdu_part_rem) ++ return -EAGAIN; + + if (!srx->mpa_crc_hd) + return 0; + ++ if (srx->pad) ++ crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad); + /* + * CRC32 is computed, transmitted and received directly in NBO, + * so there's never a reason to convert byte order. +@@ -1083,10 +1084,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx) + * completely received. + */ + if (iwarp_pktinfo[opcode].hdr_len > sizeof(struct iwarp_ctrl_tagged)) { +- bytes = iwarp_pktinfo[opcode].hdr_len - MIN_DDP_HDR; ++ int hdrlen = iwarp_pktinfo[opcode].hdr_len; + +- if (srx->skb_new < bytes) +- return -EAGAIN; ++ bytes = min_t(int, hdrlen - MIN_DDP_HDR, srx->skb_new); + + skb_copy_bits(skb, srx->skb_offset, + (char *)c_hdr + srx->fpdu_part_rcvd, bytes); +@@ -1096,6 +1096,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx) + srx->skb_new -= bytes; + srx->skb_offset += bytes; + srx->skb_copied += bytes; ++ ++ if (srx->fpdu_part_rcvd < hdrlen) ++ return -EAGAIN; + } + + /* +-- +2.35.1 + diff --git a/queue-5.4/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch b/queue-5.4/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch new file mode 100644 index 00000000000..b45b1442086 --- /dev/null +++ b/queue-5.4/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch 
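Review bot: In siw_get_trailer the destination `tbuf` is recomputed as `(u8 *)&srx->trailer.crc - srx->pad` on every call, while the new code can now return -EAGAIN after storing only `avail` bytes. Nothing visible in the hunk advances the destination by the bytes stored on an earlier call, so when the function is re-entered the remaining trailer bytes appear to be copied to the start of the buffer again and the CRC would be checked against misplaced data; siw_get_hdr, by contrast, copies to `(char *)c_hdr + srx->fpdu_part_rcvd`. Unless another field tracks that offset outside the hunk, the trailer copy needs the same kind of running offset. The return value of skb_copy_bits() is also ignored in both functions. Both function bodies extend beyond the hunks.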
@@ -0,0 +1,59 @@ +From ac71cae73f51f3334b72eb880c7195485eb8d16d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 20:49:13 +0900 +Subject: Revert "usb: storage: Add quirk for Samsung Fit flash" + +From: sunghwan jung + +[ Upstream commit ad5dbfc123e6ffbbde194e2a4603323e09f741ee ] + +This reverts commit 86d92f5465958752481269348d474414dccb1552, +which fix the timeout issue for "Samsung Fit Flash". + +But the commit affects not only "Samsung Fit Flash" but also other usb +storages that use the same controller and causes severe performance +regression. + + # hdparm -t /dev/sda (without the quirk) + Timing buffered disk reads: 622 MB in 3.01 seconds = 206.66 MB/sec + + # hdparm -t /dev/sda (with the quirk) + Timing buffered disk reads: 220 MB in 3.00 seconds = 73.32 MB/sec + +The commit author mentioned that "Issue was reproduced after device has +bad block", so this quirk should be applied when we have the timeout +issue with a device that has bad blocks. + +We revert the commit so that we apply this quirk by adding kernel +paramters using a bootloader or other ways when we really need it, +without the performance regression with devices that don't have the +issue. 
+ +Signed-off-by: sunghwan jung +Link: https://lore.kernel.org/r/20220913114913.3073-1-onenowy@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/unusual_devs.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 6a59950a63a0..b270be141b8e 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1275,12 +1275,6 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9999, + USB_SC_RBC, USB_PR_BULK, NULL, + 0 ), + +-UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100, +- "Samsung", +- "Flash Drive FIT", +- USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_MAX_SECTORS_64), +- + /* aeb */ + UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff, + "Feiya", +-- +2.35.1 + diff --git a/queue-5.4/sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch b/queue-5.4/sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch new file mode 100644 index 00000000000..2d4069736f8 --- /dev/null +++ b/queue-5.4/sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch 
@@ -0,0 +1,77 @@ +From 6edafbfeb613a3a163eaaff3d1f18bfcc189a627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 15:09:37 +0200 +Subject: sbitmap: Avoid leaving waitqueue in invalid state in __sbq_wake_up() + +From: Jan Kara + +[ Upstream commit 48c033314f372478548203c583529f53080fd078 ] + +When __sbq_wake_up() decrements wait_cnt to 0 but races with someone +else waking the waiter on the waitqueue (so the waitqueue becomes +empty), it exits without reseting wait_cnt to wake_batch number. Once +wait_cnt is 0, nobody will ever reset the wait_cnt or wake the new +waiters resulting in possible deadlocks or busyloops. Fix the problem by +making sure we reset wait_cnt even if we didn't wake up anybody in the +end. + +Fixes: 040b83fcecfb ("sbitmap: fix possible io hung due to lost wakeup") +Reported-by: Keith Busch +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220908130937.2795-1-jack@suse.cz +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + lib/sbitmap.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index 7df295a15c3d..fe67d6da7156 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -530,6 +530,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + struct sbq_wait_state *ws; + unsigned int wake_batch; + int wait_cnt; ++ bool ret; + + ws = sbq_wake_ptr(sbq); + if (!ws) +@@ -540,12 +541,23 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + * For concurrent callers of this, callers should call this function + * again to wakeup a new batch on a different 'ws'. + */ +- if (wait_cnt < 0 || !waitqueue_active(&ws->wait)) ++ if (wait_cnt < 0) + return true; + ++ /* ++ * If we decremented queue without waiters, retry to avoid lost ++ * wakeups. 
++ */ + if (wait_cnt > 0) +- return false; ++ return !waitqueue_active(&ws->wait); + ++ /* ++ * When wait_cnt == 0, we have to be particularly careful as we are ++ * responsible to reset wait_cnt regardless whether we've actually ++ * woken up anybody. But in case we didn't wakeup anybody, we still ++ * need to retry. ++ */ ++ ret = !waitqueue_active(&ws->wait); + wake_batch = READ_ONCE(sbq->wake_batch); + + /* +@@ -574,7 +586,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + sbq_index_atomic_inc(&sbq->wake_index); + atomic_set(&ws->wait_cnt, wake_batch); + +- return false; ++ return ret; + } + + void sbitmap_queue_wake_up(struct sbitmap_queue *sbq) +-- +2.35.1 + diff --git a/queue-5.4/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch b/queue-5.4/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch new file mode 100644 index 00000000000..3e01ae87697 --- /dev/null +++ b/queue-5.4/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch 
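Review bot: With this change __sbq_wake_up returns true whenever `waitqueue_active(&ws->wait)` is false, in both the `wait_cnt > 0` path and the `wait_cnt == 0` path, so it asks the caller to retry in cases that previously returned false. The caller is outside the hunk; if it loops while the return value is true, termination depends on sbq_wake_ptr() returning NULL once no wait queue has waiters, and that dependency should be stated where the result is declared, e.g. `bool ret; /* true: no waiter seen on ws, caller must retry */`. The body of __sbq_wake_up is only partly visible in these hunks.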
@@ -0,0 +1,141 @@ +From dcef8b05380b764e2ab4cd87bc9b5472dc3ee5f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 20:15:04 +0800 +Subject: sbitmap: fix possible io hung due to lost wakeup + +From: Yu Kuai + +[ Upstream commit 040b83fcecfb86f3225d3a5de7fd9b3fbccf83b4 ] + +There are two problems can lead to lost wakeup: + +1) invalid wakeup on the wrong waitqueue: + +For example, 2 * wake_batch tags are put, while only wake_batch threads +are woken: + +__sbq_wake_up + atomic_cmpxchg -> reset wait_cnt + __sbq_wake_up -> decrease wait_cnt + ... + __sbq_wake_up -> wait_cnt is decreased to 0 again + atomic_cmpxchg + sbq_index_atomic_inc -> increase wake_index + wake_up_nr -> wake up and waitqueue might be empty + sbq_index_atomic_inc -> increase again, one waitqueue is skipped + wake_up_nr -> invalid wake up because old wakequeue might be empty + +To fix the problem, increasing 'wake_index' before resetting 'wait_cnt'. + +2) 'wait_cnt' can be decreased while waitqueue is empty + +As pointed out by Jan Kara, following race is possible: + +CPU1 CPU2 +__sbq_wake_up __sbq_wake_up + sbq_wake_ptr() sbq_wake_ptr() -> the same + wait_cnt = atomic_dec_return() + /* decreased to 0 */ + sbq_index_atomic_inc() + /* move to next waitqueue */ + atomic_set() + /* reset wait_cnt */ + wake_up_nr() + /* wake up on the old waitqueue */ + wait_cnt = atomic_dec_return() + /* + * decrease wait_cnt in the old + * waitqueue, while it can be + * empty. + */ + +Fix the problem by waking up before updating 'wake_index' and +'wait_cnt'. + +With this patch, noted that 'wait_cnt' is still decreased in the old +empty waitqueue, however, the wakeup is redirected to a active waitqueue, +and the extra decrement on the old empty waitqueue is not handled. 
+ +Fixes: 88459642cba4 ("blk-mq: abstract tag allocation out into sbitmap library") +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220803121504.212071-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + lib/sbitmap.c | 55 ++++++++++++++++++++++++++++++--------------------- + 1 file changed, 33 insertions(+), 22 deletions(-) + +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index ee3ce1494568..7df295a15c3d 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -536,32 +536,43 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + return false; + + wait_cnt = atomic_dec_return(&ws->wait_cnt); +- if (wait_cnt <= 0) { +- int ret; ++ /* ++ * For concurrent callers of this, callers should call this function ++ * again to wakeup a new batch on a different 'ws'. ++ */ ++ if (wait_cnt < 0 || !waitqueue_active(&ws->wait)) ++ return true; + +- wake_batch = READ_ONCE(sbq->wake_batch); ++ if (wait_cnt > 0) ++ return false; + +- /* +- * Pairs with the memory barrier in sbitmap_queue_resize() to +- * ensure that we see the batch size update before the wait +- * count is reset. +- */ +- smp_mb__before_atomic(); ++ wake_batch = READ_ONCE(sbq->wake_batch); + +- /* +- * For concurrent callers of this, the one that failed the +- * atomic_cmpxhcg() race should call this function again +- * to wakeup a new batch on a different 'ws'. +- */ +- ret = atomic_cmpxchg(&ws->wait_cnt, wait_cnt, wake_batch); +- if (ret == wait_cnt) { +- sbq_index_atomic_inc(&sbq->wake_index); +- wake_up_nr(&ws->wait, wake_batch); +- return false; +- } ++ /* ++ * Wake up first in case that concurrent callers decrease wait_cnt ++ * while waitqueue is empty. ++ */ ++ wake_up_nr(&ws->wait, wake_batch); + +- return true; +- } ++ /* ++ * Pairs with the memory barrier in sbitmap_queue_resize() to ++ * ensure that we see the batch size update before the wait ++ * count is reset. 
++ * ++ * Also pairs with the implicit barrier between decrementing wait_cnt ++ * and checking for waitqueue_active() to make sure waitqueue_active() ++ * sees result of the wakeup if atomic_dec_return() has seen the result ++ * of atomic_set(). ++ */ ++ smp_mb__before_atomic(); ++ ++ /* ++ * Increase wake_index before updating wait_cnt, otherwise concurrent ++ * callers can see valid wait_cnt in old waitqueue, which can cause ++ * invalid wakeup on the old waitqueue. ++ */ ++ sbq_index_atomic_inc(&sbq->wake_index); ++ atomic_set(&ws->wait_cnt, wake_batch); + + return false; + } +-- +2.35.1 + diff --git a/queue-5.4/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch b/queue-5.4/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch new file mode 100644 index 00000000000..5d15ff64227 --- /dev/null +++ b/queue-5.4/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch 
@@ -0,0 +1,42 @@
+From 2e5e8de1aa840e6d213a269a87db46f3735e96e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Aug 2022 19:01:15 +0800
+Subject: scsi: 3w-9xxx: Avoid disabling device if failing to enable it
+
+From: Letu Ren
+
+[ Upstream commit 7eff437b5ee1309b34667844361c6bbb5c97df05 ]
+
+The original code will "goto out_disable_device" and call
+pci_disable_device() if pci_enable_device() fails. The kernel will generate
+a warning message like "3w-9xxx 0000:00:05.0: disabling already-disabled
+device".
+
+We shouldn't disable a device that failed to be enabled. A simple return is
+fine.
+
+Link: https://lore.kernel.org/r/20220829110115.38789-1-fantasquex@gmail.com
+Reported-by: Zheyu Ma
+Signed-off-by: Letu Ren
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/3w-9xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
+index 3337b1e80412..f6f92033132a 100644
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -2014,7 +2014,7 @@ static int twa_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ retval = pci_enable_device(pdev);
+ if (retval) {
+ TW_PRINTK(host, TW_DRIVER, 0x34, "Failed to enable pci device");
+- goto out_disable_device;
++ return -ENODEV;
+ }
+
+ pci_set_master(pdev);
+--
+2.35.1
+
diff --git a/queue-5.4/scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch b/queue-5.4/scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch
new file mode 100644
index 00000000000..ca401369880
--- /dev/null
+++ b/queue-5.4/scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch
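Review bot: The new `return -ENODEV;` in twa_probe discards the error code that pci_enable_device() stored in `retval` on the line above. Returning it unchanged, `return retval;`, keeps the real cause visible to the caller and uses the variable the function already assigns for this purpose. twa_probe continues outside the hunk, so whether the later error paths also return `retval` cannot be confirmed from here.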
@@ -0,0 +1,54 @@
+From 6629714d2656539155e0809f2b922895357efa19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Sep 2022 22:42:13 +0800
+Subject: scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
+
+From: Duoming Zhou
+
+[ Upstream commit 46ba53c30666717cb06c2b3c5d896301cd00d0c0 ]
+
+When executing SMP task failed, the smp_execute_task_sg() calls del_timer()
+to delete "slow_task->timer". However, if the timer handler
+sas_task_internal_timedout() is running, the del_timer() in
+smp_execute_task_sg() will not stop it and a UAF will happen. The process
+is shown below:
+
+ (thread 1) | (thread 2)
+smp_execute_task_sg() | sas_task_internal_timedout()
+ ... |
+ del_timer() |
+ ... | ...
+ sas_free_task(task) |
+ kfree(task->slow_task) //FREE|
+ | task->slow_task->... //USE
+
+Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure
+the timer handler have finished before the "task->slow_task" is
+deallocated.
+
+Link: https://lore.kernel.org/r/20220920144213.10536-1-duoming@zju.edu.cn
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Reviewed-by: Jason Yan
+Signed-off-by: Duoming Zhou
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libsas/sas_expander.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 9fdb9c9fbda4..173f91ae38f0 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -85,7 +85,7 @@ static int smp_execute_task_sg(struct domain_device *dev,
+ res = i->dft->lldd_execute_task(task, GFP_KERNEL);
+
+ if (res) {
+- del_timer(&task->slow_task->timer);
++ del_timer_sync(&task->slow_task->timer);
+ pr_notice("executing SMP task failed:%d\n", res);
+ break;
+ }
+--
+2.35.1
+
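Review bot: The switch to `del_timer_sync()` in the `if (res)` branch of smp_execute_task_sg carries no comment saying why the synchronous variant is required, so a later cleanup could turn it back into del_timer() and reopen the use-after-free. I would add `/* wait for sas_task_internal_timedout() to finish before the task is freed */` above the call. del_timer_sync() must also not be called while holding a lock that the timer handler takes; the `GFP_KERNEL` call on the preceding line suggests process context, but the locking around this loop is outside the hunk and should be confirmed.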
diff --git a/queue-5.4/sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch b/queue-5.4/sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch
new file mode 100644
index 00000000000..698bad3b666
--- /dev/null
+++ b/queue-5.4/sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch
@@ -0,0 +1,79 @@ +From c20b88235ca4196a1a490763fa738e31bb985524 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 14:10:13 -0400 +Subject: sctp: handle the error returned from sctp_auth_asoc_init_active_key + +From: Xin Long + +[ Upstream commit 022152aaebe116a25c39818a07e175a8cd3c1e11 ] + +When it returns an error from sctp_auth_asoc_init_active_key(), the +active_key is actually not updated. The old sh_key will be freeed +while it's still used as active key in asoc. Then an use-after-free +will be triggered when sending patckets, as found by syzbot: + + sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + sctp_set_owner_w net/sctp/socket.c:132 [inline] + sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 + sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 + inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:734 + +This patch is to fix it by not replacing the sh_key when it returns +errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). +For sctp_auth_set_active_key(), old active_key_id will be set back +to asoc->active_key_id when the same thing happens. + +Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced") +Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/sctp/auth.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index 3b2d0bd616dd..6b97b734a16f 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -869,12 +869,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, + } + + list_del_init(&shkey->key_list); +- sctp_auth_shkey_release(shkey); + list_add(&cur_key->key_list, sh_keys); + +- if (asoc && asoc->active_key_id == auth_key->sca_keynumber) +- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); ++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber && ++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) { ++ list_del_init(&cur_key->key_list); ++ sctp_auth_shkey_release(cur_key); ++ list_add(&shkey->key_list, sh_keys); ++ return -ENOMEM; ++ } + ++ sctp_auth_shkey_release(shkey); + return 0; + } + +@@ -908,8 +913,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep, + return -EINVAL; + + if (asoc) { ++ __u16 active_key_id = asoc->active_key_id; ++ + asoc->active_key_id = key_id; +- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); ++ if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) { ++ asoc->active_key_id = active_key_id; ++ return -ENOMEM; ++ } + } else + ep->active_key_id = key_id; + +-- +2.35.1 + diff --git a/queue-5.4/selftests-cpu-hotplug-use-return-instead-of-exit.patch b/queue-5.4/selftests-cpu-hotplug-use-return-instead-of-exit.patch new file mode 100644 index 00000000000..cad45898a1e --- /dev/null +++ b/queue-5.4/selftests-cpu-hotplug-use-return-instead-of-exit.patch 
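Review bot: Both new failure paths, in sctp_auth_set_key and in sctp_auth_set_active_key, return a hard-coded `-ENOMEM` instead of the value sctp_auth_asoc_init_active_key() reported. Keeping the result in a local and ending the rollback with `return err;` stays correct if that helper ever fails for another reason. In sctp_auth_set_key the ordering is what prevents the use-after-free: `shkey` has to stay referenced until the helper has succeeded, so a comment above the moved `sctp_auth_shkey_release(shkey);` such as `/* drop the old key only after the new active key is in place */` would keep it from being hoisted back. Both functions begin outside the hunks.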
@@ -0,0 +1,76 @@ +From c942b5210160d225adced18de55426587f2f55c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 21:36:12 +0800 +Subject: selftests/cpu-hotplug: Use return instead of exit + +From: Zhao Gongyi + +[ Upstream commit 972cf4ce51ef5532d56822af17defb148aac0ccb ] + +Some cpus will be left in offline state when online +function exits in some error conditions. Use return +instead of exit to fix it. + +Signed-off-by: Zhao Gongyi +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/cpu-hotplug/cpu-on-off-test.sh | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +index 0d26b5e3f966..940b68c940bb 100755 +--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh ++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +@@ -4,6 +4,7 @@ + SYSFS= + # Kselftest framework requirement - SKIP code is 4. + ksft_skip=4 ++retval=0 + + prerequisite() + { +@@ -102,10 +103,10 @@ online_cpu_expect_success() + + if ! online_cpu $cpu; then + echo $FUNCNAME $cpu: unexpected fail >&2 +- exit 1 ++ retval=1 + elif ! cpu_is_online $cpu; then + echo $FUNCNAME $cpu: unexpected offline >&2 +- exit 1 ++ retval=1 + fi + } + +@@ -128,10 +129,10 @@ offline_cpu_expect_success() + + if ! offline_cpu $cpu; then + echo $FUNCNAME $cpu: unexpected fail >&2 +- exit 1 ++ retval=1 + elif ! cpu_is_offline $cpu; then + echo $FUNCNAME $cpu: unexpected offline >&2 +- exit 1 ++ retval=1 + fi + } + +@@ -201,7 +202,7 @@ if [ $allcpus -eq 0 ]; then + offline_cpu_expect_success $present_max + online_cpu $present_max + fi +- exit 0 ++ exit $retval + else + echo "Full scope test: all hotplug cpus" + echo -e "\t online all offline cpus" +@@ -291,3 +292,5 @@ done + + echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error + /sbin/modprobe -q -r cpu-notifier-error-inject ++ ++exit $retval +-- +2.35.1 + 
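Review bot: Just before the new `exit $retval` in the limited-scope branch, the CPU is brought back with plain `online_cpu $present_max`, whose result is not checked, so a CPU left offline there is neither reported nor reflected in the exit status. Calling `online_cpu_expect_success $present_max` instead would record the failure in `retval` like the other steps. The enclosing if-block starts outside the hunk.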
diff --git a/queue-5.4/serial-8250-fix-restoring-termios-speed-after-suspen.patch b/queue-5.4/serial-8250-fix-restoring-termios-speed-after-suspen.patch
new file mode 100644
index 00000000000..9bb12b32f3b
--- /dev/null
+++ b/queue-5.4/serial-8250-fix-restoring-termios-speed-after-suspen.patch
@@ -0,0 +1,54 @@ +From 07e5b59486a64313fbea9fe87df05c0cf6e8e04b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 12:43:24 +0200 +Subject: serial: 8250: Fix restoring termios speed after suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 379a33786d489ab81885ff0b3935cfeb36137fea ] + +Since commit edc6afc54968 ("tty: switch to ktermios and new framework") +termios speed is no longer stored only in c_cflag member but also in new +additional c_ispeed and c_ospeed members. If BOTHER flag is set in c_cflag +then termios speed is stored only in these new members. + +Since commit 027b57170bf8 ("serial: core: Fix initializing and restoring +termios speed") termios speed is available also in struct console. + +So properly restore also c_ispeed and c_ospeed members after suspend to fix +restoring termios speed which is not represented by Bnnn constant. + +Fixes: 4516d50aabed ("serial: 8250: Use canary to restart console after suspend") +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20220924104324.4035-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index f8819f72304a..c1551319684f 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -3180,8 +3180,13 @@ static void serial8250_console_restore(struct uart_8250_port *up) + unsigned int baud, quot, frac = 0; + + termios.c_cflag = port->cons->cflag; +- if (port->state->port.tty && termios.c_cflag == 0) ++ termios.c_ispeed = port->cons->ispeed; ++ termios.c_ospeed = port->cons->ospeed; ++ if (port->state->port.tty && termios.c_cflag == 0) { + termios.c_cflag = port->state->port.tty->termios.c_cflag; ++ termios.c_ispeed = 
port->state->port.tty->termios.c_ispeed; ++ termios.c_ospeed = port->state->port.tty->termios.c_ospeed; ++ } + + baud = serial8250_get_baud_rate(port, &termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index e9050946956..0781999c3a6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
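Review bot: In serial8250_console_restore the fallback to the tty's termios is still keyed on `termios.c_cflag == 0` alone, so when the console's cflag is non-zero but `port->cons->ispeed`/`ospeed` were never filled in, the new assignments pass zero speeds on to serial8250_get_baud_rate(). Whether that can happen depends on every path that sets cons->cflag also setting the speeds, which is outside this hunk; a comment stating that invariant, or a guard on the speeds, would help. For the 5.4 queue the patch also relies on the console ispeed/ospeed fields that the message attributes to commit 027b57170bf8, so that change has to be present in the tree.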
@@ -55,3 +55,217 @@ kvm-vmx-drop-bits-31-16-when-shoving-exception-error-code-into-vmcs.patch drm-nouveau-fix-a-use-after-free-in-nouveau_gem_prime_import_sg_table.patch selinux-use-grep-e-instead-of-egrep.patch tracing-disable-interrupt-or-preemption-before-acquiring-arch_spinlock_t.patch +userfaultfd-open-userfaultfds-with-o_rdonly.patch +r8152-factor-out-oob-link-list-waits.patch +sh-machvec-use-char-for-section-boundaries.patch +arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch +nfsd-fix-a-memory-leak-in-an-error-handling-path.patch +wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch +wifi-mac80211-allow-bw-change-during-channel-switch-.patch +bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch +x86-resctrl-fix-to-restore-to-original-value-when-re.patch +wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch +spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch +spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-12391 +can-rx-offload-can_rx_offload_init_queue-fix-typo.patch +wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch +bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch +wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch +net-fs_enet-fix-wrong-check-in-do_pd_setup.patch +bpf-ensure-correct-locking-around-vulnerable-functio.patch +x86-microcode-amd-track-patch-allocation-size-explic.patch +spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch +netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch +spi-s3c64xx-fix-large-transfers-with-dma.patch +vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch +misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch +sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch +tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch +net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch +bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch +net-ieee802154-reject-zero-sized-raw_sendmsg.patch 
+once-add-do_once_slow-for-sleepable-contexts.patch +net-mvpp2-fix-mvpp2-debugfs-leak.patch +drm-bridge-adv7511-fix-cec-power-down-control-regist.patch +drm-mipi-dsi-detach-devices-when-removing-the-host.patch +drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch +platform-chrome-fix-double-free-in-chromeos_laptop_p.patch +platform-chrome-fix-memory-corruption-in-ioctl.patch +platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch +platform-x86-msi-laptop-fix-resource-cleanup.patch +drm-fix-drm_mipi_dbi-build-errors.patch +drm-bridge-megachips-fix-a-null-pointer-dereference-.patch +asoc-rsnd-add-check-for-rsnd_mod_power_on.patch +alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch +drm-omap-dss-fix-refcount-leak-bugs.patch +mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch +asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch +drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch +alsa-dmaengine-increment-buffer-pointer-atomically.patch +mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch +asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch +asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch +asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch +alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch +memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch +memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch +soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch +soc-qcom-smem_state-add-refcounting-for-the-state-of.patch +arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch +arm-dts-kirkwood-lsxl-fix-serial-line.patch +arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch +arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch +arm-drop-cmdline_-dependency-on-atags.patch +arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch +iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch +iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch 
+iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch +iio-inkern-only-release-the-device-node-when-done-wi.patch +iio-abi-fix-wrong-format-of-differential-capacitance.patch +clk-meson-hold-reference-returned-by-of_get_parent.patch +clk-oxnas-hold-reference-returned-by-of_get_parent.patch +clk-berlin-add-of_node_put-for-of_get_parent.patch +clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch +clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch +clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch +sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch +hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch +hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch +media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch +media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch +tty-xilinx_uartps-fix-the-ignore_status.patch +media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch +rdma-rxe-fix-kernel-null-pointer-dereference-error.patch +rdma-rxe-fix-the-error-caused-by-qp-sk.patch +misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch +dyndbg-fix-module.dyndbg-handling.patch +dyndbg-let-query-modname-override-actual-module-name.patch +sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch +usb-serial-console-move-mutex_unlock-before-usb_seri.patch +mtd-devices-docg3-check-the-return-value-of-devm_ior.patch +rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch +ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch +ata-fix-ata_id_has_devslp.patch +ata-fix-ata_id_has_ncq_autosense.patch +ata-fix-ata_id_has_dipm.patch +mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch +md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch +xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch +usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch +drivers-serial-jsm-fix-some-leaks-in-probe.patch +tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch +phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch 
+staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch +firmware-google-test-spinlock-on-panic-path-to-avoid.patch +serial-8250-fix-restoring-termios-speed-after-suspen.patch +scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch +ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch +fsi-core-check-error-number-after-calling-ida_simple.patch +mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch +mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch +mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch +mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch +mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch +mfd-sm501-add-check-for-platform_driver_register.patch +clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch +dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch +spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch +clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch +clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch +clk-ast2600-bclk-comes-from-epll.patch +mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch +powerpc-math_emu-efp-include-module.h.patch +powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch +powerpc-pci_dn-add-missing-of_node_put.patch +powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch +x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch +powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch +powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch +cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch +iommu-omap-fix-buffer-overflow-in-debugfs.patch +crypto-akcipher-default-implementation-for-setting-a.patch +crypto-ccp-release-dma-channels-before-dmaengine-unr.patch +iommu-iova-fix-module-config-properly.patch +kbuild-remove-the-target-in-signal-traps-when-interr.patch +crypto-cavium-prevent-integer-overflow-loading-firmw.patch +f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch 
+acpi-video-add-toshiba-satellite-portege-z830-quirk.patch +mips-bcm47xx-cast-memcmp-of-function-to-void.patch +powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch +thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch +x86-entry-work-around-clang-__bdos-bug.patch +nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch +wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch +wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch +bpftool-clear-errno-after-libcap-s-checks.patch +openvswitch-fix-double-reporting-of-drops-in-dropwat.patch +openvswitch-fix-overreporting-of-drops-in-dropwatch.patch +tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch +wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch +xfrm-update-ipcomp_scratches-with-null-when-freed.patch +net-xscale-fix-return-type-for-implementation-of-ndo.patch +net-lantiq_etop-fix-return-type-for-implementation-o.patch +net-ftmac100-fix-endianness-related-issues-from-spar.patch +wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch +bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch +net-davicom-fix-return-type-of-dm9000_start_xmit.patch +net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch +net-korina-fix-return-type-of-korina_send_packet.patch +bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch +wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch +can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch +wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch +wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch +wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch +wifi-rt2x00-set-soc-wmac-clock-register.patch +wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch +net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch +bluetooth-l2cap-fix-user-after-free.patch +libbpf-fix-overrun-in-netlink-attribute-iteration.patch +r8152-rate-limit-overflow-messages.patch +drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch 
+drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch +drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch +drm-amd-display-fix-overflow-on-min_i64-definition.patch +alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch +drm-vc4-vec-fix-timings-for-vec-modes.patch +drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch +platform-x86-msi-laptop-change-dmi-match-alias-strin.patch +drm-amdgpu-fix-initial-connector-audio-value.patch +drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch +mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch +drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch +arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch +arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch +arm-dts-imx6q-add-missing-properties-for-sram.patch +arm-dts-imx6dl-add-missing-properties-for-sram.patch +arm-dts-imx6qp-add-missing-properties-for-sram.patch +arm-dts-imx6sl-add-missing-properties-for-sram.patch +arm-dts-imx6sll-add-missing-properties-for-sram.patch +arm-dts-imx6sx-add-missing-properties-for-sram.patch +arm-orion-fix-include-path.patch +btrfs-scrub-try-to-fix-super-block-errors.patch +arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch +selftests-cpu-hotplug-use-return-instead-of-exit.patch +clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch +media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch +clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch +scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch +nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch +power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch +staging-vt6655-fix-potential-memory-leak.patch +ata-libahci_platform-sanity-check-the-dt-child-nodes.patch +bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch +hid-topre-add-driver-fixing-report-descriptor.patch +hid-roccat-fix-use-after-free-in-roccat_read.patch +hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch 
+md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch +usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch +usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch +revert-usb-storage-add-quirk-for-samsung-fit-flash.patch +staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch +nvme-copy-firmware_rev-on-each-init.patch +nvmet-tcp-add-bounds-check-on-transfer-tag.patch +usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch +fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch +clk-bcm2835-make-peripheral-pllc-critical.patch diff --git a/queue-5.4/sh-machvec-use-char-for-section-boundaries.patch b/queue-5.4/sh-machvec-use-char-for-section-boundaries.patch new file mode 100644 index 00000000000..9e33d82aeea --- /dev/null +++ b/queue-5.4/sh-machvec-use-char-for-section-boundaries.patch 
@@ -0,0 +1,82 @@ +From 3c02f0ae91a5cef7fe7b93176e384bf3ae8c0634 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:40:44 -0700 +Subject: sh: machvec: Use char[] for section boundaries + +From: Kees Cook + +[ Upstream commit c5783af354688b24abd359f7086c282ec74de993 ] + +As done for other sections, define the extern as a character array, +which relaxes many of the compiler-time object size checks, which would +otherwise assume it's a single long. Solves the following build error: + +arch/sh/kernel/machvec.c: error: array subscript 'struct sh_machine_vector[0]' is partly outside array bounds of 'long int[1]' [-Werror=array-bounds]: => 105:33 + +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/lkml/alpine.DEB.2.22.394.2209050944290.964530@ramsan.of.borg/ +Fixes: 9655ad03af2d ("sh: Fixup machvec support.") +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Gustavo A. R. Silva +Acked-by: Rich Felker +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/sections.h | 2 +- + arch/sh/kernel/machvec.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/sh/include/asm/sections.h b/arch/sh/include/asm/sections.h +index 8edb824049b9..0cb0ca149ac3 100644 +--- a/arch/sh/include/asm/sections.h ++++ b/arch/sh/include/asm/sections.h +@@ -4,7 +4,7 @@ + + #include + +-extern long __machvec_start, __machvec_end; ++extern char __machvec_start[], __machvec_end[]; + extern char __uncached_start, __uncached_end; + extern char __start_eh_frame[], __stop_eh_frame[]; + +diff --git a/arch/sh/kernel/machvec.c b/arch/sh/kernel/machvec.c +index beadbbdb4486..3e0a4306f1d5 100644 +--- a/arch/sh/kernel/machvec.c ++++ b/arch/sh/kernel/machvec.c +@@ -19,8 +19,8 @@ + #define MV_NAME_SIZE 32 + + #define for_each_mv(mv) \ +- for ((mv) = (struct sh_machine_vector *)&__machvec_start; \ +- (mv) && (unsigned long)(mv) < (unsigned long)&__machvec_end; \ 
++ for ((mv) = (struct sh_machine_vector *)__machvec_start; \ ++ (mv) && (unsigned long)(mv) < (unsigned long)__machvec_end; \ + (mv)++) + + static struct sh_machine_vector * __init get_mv_byname(const char *name) +@@ -86,8 +86,8 @@ void __init sh_mv_setup(void) + if (!machvec_selected) { + unsigned long machvec_size; + +- machvec_size = ((unsigned long)&__machvec_end - +- (unsigned long)&__machvec_start); ++ machvec_size = ((unsigned long)__machvec_end - ++ (unsigned long)__machvec_start); + + /* + * Sanity check for machvec section alignment. Ensure +@@ -101,7 +101,7 @@ void __init sh_mv_setup(void) + * vector (usually the only one) from .machvec.init. + */ + if (machvec_size >= sizeof(struct sh_machine_vector)) +- sh_mv = *(struct sh_machine_vector *)&__machvec_start; ++ sh_mv = *(struct sh_machine_vector *)__machvec_start; + } + + printk(KERN_NOTICE "Booting machvec: %s\n", get_system_type()); +-- +2.35.1 + diff --git a/queue-5.4/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch b/queue-5.4/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch new file mode 100644 index 00000000000..471be247cdf --- /dev/null +++ b/queue-5.4/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch 
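Review bot: The context line directly below the changed declaration in sections.h, `extern char __uncached_start, __uncached_end;`, still declares a pair of section boundaries as single objects, which is the pattern this change removes for __machvec_start/__machvec_end. Any code that takes the address of those symbols and reads or compares past one byte is open to the same compile-time object-size diagnostics. For consistency the pair could become `extern char __uncached_start[], __uncached_end[];`, with the `&` dropped at each use as was done for for_each_mv and sh_mv_setup here. The users of the __uncached symbols are not visible on this page, so that part needs checking before the declaration changes.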
@@ -0,0 +1,46 @@
+From b537ff6dc3eea988a2eaa489c7692a633045df2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Jul 2022 21:52:17 +0800
+Subject: soc: qcom: smem_state: Add refcounting for the 'state->of_node'
+
+From: Liang He
+
+[ Upstream commit 90681f53b9381c23ff7762a3b13826d620c272de ]
+
+In qcom_smem_state_register() and qcom_smem_state_release(), we
+should better use of_node_get() and of_node_put() for the reference
+creation and destruction of 'device_node'.
+
+Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code")
+Signed-off-by: Liang He
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220721135217.1301039-2-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/smem_state.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c
+index d2b558438deb..41e929407196 100644
+--- a/drivers/soc/qcom/smem_state.c
++++ b/drivers/soc/qcom/smem_state.c
+@@ -136,6 +136,7 @@ static void qcom_smem_state_release(struct kref *ref)
+ struct qcom_smem_state *state = container_of(ref, struct qcom_smem_state, refcount);
+
+ list_del(&state->list);
++ of_node_put(state->of_node);
+ kfree(state);
+ }
+
+@@ -169,7 +170,7 @@ struct qcom_smem_state *qcom_smem_state_register(struct device_node *of_node,
+
+ kref_init(&state->refcount);
+
+- state->of_node = of_node;
++ state->of_node = of_node_get(of_node);
+ state->ops = *ops;
+ state->priv = priv;
+
+--
+2.35.1
+
diff --git a/queue-5.4/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch b/queue-5.4/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
new file mode 100644
index 00000000000..e86613f57e7
--- /dev/null
+++ b/queue-5.4/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
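Review bot: qcom_smem_state_register() now takes its own reference on of_node, but nothing in the hunk documents that ownership rule for callers. Because qcom_smem_state_release() drops only the reference taken at registration, a caller that obtained the node with a reference of its own still has to put it. The function's header comment, which is outside the hunk, is the place to state this, for example `* The state takes its own reference on @of_node; the caller keeps, and must release, its own.`. Both function bodies extend beyond the lines shown.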
@@ -0,0 +1,107 @@ +From 9d7bea53476fcda2a5142ed5242f8dd2c9a62e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 21:52:16 +0800 +Subject: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() + +From: Liang He + +[ Upstream commit af8f6f39b8afd772fda4f8e61823ef8c021bf382 ] + +There are two refcount leak bugs in qcom_smsm_probe(): + +(1) The 'local_node' is escaped out from for_each_child_of_node() as +the break of iteration, we should call of_node_put() for it in error +path or when it is not used anymore. +(2) The 'node' is escaped out from for_each_available_child_of_node() +as the 'goto', we should call of_node_put() for it in goto target. + +Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM") +Signed-off-by: Liang He +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220721135217.1301039-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/smsm.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c +index 6564f15c5319..acba67dfbc85 100644 +--- a/drivers/soc/qcom/smsm.c ++++ b/drivers/soc/qcom/smsm.c +@@ -511,7 +511,7 @@ static int qcom_smsm_probe(struct platform_device *pdev) + for (id = 0; id < smsm->num_hosts; id++) { + ret = smsm_parse_ipc(smsm, id); + if (ret < 0) +- return ret; ++ goto out_put; + } + + /* Acquire the main SMSM state vector */ +@@ -519,13 +519,14 @@ static int qcom_smsm_probe(struct platform_device *pdev) + smsm->num_entries * sizeof(u32)); + if (ret < 0 && ret != -EEXIST) { + dev_err(&pdev->dev, "unable to allocate shared state entry\n"); +- return ret; ++ goto out_put; + } + + states = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_SHARED_STATE, NULL); + if (IS_ERR(states)) { + dev_err(&pdev->dev, "Unable to acquire shared state entry\n"); +- return PTR_ERR(states); ++ ret = PTR_ERR(states); ++ goto out_put; + } + + /* Acquire the list of interrupt mask vectors */ +@@ -533,13 
+534,14 @@ static int qcom_smsm_probe(struct platform_device *pdev) + ret = qcom_smem_alloc(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, size); + if (ret < 0 && ret != -EEXIST) { + dev_err(&pdev->dev, "unable to allocate smsm interrupt mask\n"); +- return ret; ++ goto out_put; + } + + intr_mask = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, NULL); + if (IS_ERR(intr_mask)) { + dev_err(&pdev->dev, "unable to acquire shared memory interrupt mask\n"); +- return PTR_ERR(intr_mask); ++ ret = PTR_ERR(intr_mask); ++ goto out_put; + } + + /* Setup the reference to the local state bits */ +@@ -550,7 +552,8 @@ static int qcom_smsm_probe(struct platform_device *pdev) + smsm->state = qcom_smem_state_register(local_node, &smsm_state_ops, smsm); + if (IS_ERR(smsm->state)) { + dev_err(smsm->dev, "failed to register qcom_smem_state\n"); +- return PTR_ERR(smsm->state); ++ ret = PTR_ERR(smsm->state); ++ goto out_put; + } + + /* Register handlers for remote processor entries of interest. */ +@@ -580,16 +583,19 @@ static int qcom_smsm_probe(struct platform_device *pdev) + } + + platform_set_drvdata(pdev, smsm); ++ of_node_put(local_node); + + return 0; + + unwind_interfaces: ++ of_node_put(node); + for (id = 0; id < smsm->num_entries; id++) + if (smsm->entries[id].domain) + irq_domain_remove(smsm->entries[id].domain); + + qcom_smem_state_unregister(smsm->state); +- ++out_put: ++ of_node_put(local_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch b/queue-5.4/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch new file mode 100644 index 00000000000..bd5270d1a6b --- /dev/null +++ b/queue-5.4/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch 
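Review bot: The success path now calls `of_node_put(local_node)` after the node has been handed to qcom_smem_state_register(), so the registered state is only safe if that function holds a reference of its own. That reference comes from the separate smem_state patch in this queue, where the replaced line was a plain `state->of_node = of_node;`. Applied without it, this change would leave the state pointing at a node it does not own. A comment at the put would record the dependency: `/* qcom_smem_state_register() took its own reference on local_node */`. qcom_smsm_probe() begins outside the hunks shown, so the point where local_node is acquired cannot be checked here.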
@@ -0,0 +1,38 @@
+From 2a8d0eedd6f17e493bc9f99827ff7761106dd609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Sep 2022 20:13:09 +0800
+Subject: spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
+
+From: Zhang Qilong
+
+[ Upstream commit 29f65f2171c85a9633daa380df14009a365f42f2 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes:db91841b58f9a ("spi/omap100k: Convert to runtime PM")
+
+Signed-off-by: Zhang Qilong
+Link: https://lore.kernel.org/r/20220924121310.78331-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-omap-100k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index f64d030c760a..89d89ad1064d 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -416,6 +416,7 @@ static int omap1_spi100k_probe(struct platform_device *pdev)
+ return status;
+
+ err_fck:
++ pm_runtime_disable(&pdev->dev);
+ clk_disable_unprepare(spi100k->fck);
+ err_ick:
+ clk_disable_unprepare(spi100k->ick);
+--
+2.35.1
+
diff --git a/queue-5.4/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch b/queue-5.4/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
new file mode 100644
index 00000000000..4b052ad6c09
--- /dev/null
+++ b/queue-5.4/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
@@ -0,0 +1,61 @@
+From 12dc3e585b36c4b74a71c11e7a20a065bb5ba78d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Aug 2022 06:53:23 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_resume()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang
+
+[ Upstream commit 70034320fdc597b8f58b4a43bb547f17c4c5557a ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_resume() in the error handling case.
+
+Fixes: 64ff247a978f (“spi: Add Qualcomm QUP SPI controller support”)
+Signed-off-by: Xu Qiang
+Link: https://lore.kernel.org/r/20220825065324.68446-1-xuqiang36@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-qup.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index d1dfb52008b4..6da49705a10a 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1246,14 +1246,25 @@ static int spi_qup_resume(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ ret = spi_qup_set_state(controller, QUP_STATE_RESET);
+ if (ret)
+- return ret;
++ goto disable_clk;
++
++ ret = spi_master_resume(master);
++ if (ret)
++ goto disable_clk;
+
+- return spi_master_resume(master);
++ return 0;
++
++disable_clk:
++ clk_disable_unprepare(controller->cclk);
++ clk_disable_unprepare(controller->iclk);
++ return ret;
+ }
+ #endif /* CONFIG_PM_SLEEP */
+
+--
+2.35.1
+
diff --git a/queue-5.4/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-12391 b/queue-5.4/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-12391
new file mode 100644
index 00000000000..af53861c36a
--- /dev/null
+++ b/queue-5.4/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-12391
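Review bot: spi_qup_resume() now unwinds its clocks in two different styles: the cclk failure path disables iclk inline and returns, while the later failures jump to `disable_clk`. A second label keeps every release of iclk in one place and makes the unwind order readable top to bottom. The inline block would become `goto disable_iclk;`, with `disable_iclk:` placed just before the existing `clk_disable_unprepare(controller->iclk);` under `disable_clk`. The start of the function, including the iclk enable, is outside the hunk.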
@@ -0,0 +1,44 @@
+From a0e7cdde707b5db75ae876fcb5f145f613516860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Aug 2022 06:53:24 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_pm_resume_runtime()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang
+
+[ Upstream commit 494a22765ce479c9f8ad181c5d24cffda9f534bb ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_pm_resume_runtime() in the error handling case.
+
+Fixes: dae1a7700b34 (“spi: qup: Handle clocks in pm_runtime suspend and resume”)
+Signed-off-by: Xu Qiang
+Link: https://lore.kernel.org/r/20220825065324.68446-2-xuqiang36@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-qup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index 6da49705a10a..ead6c211047d 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1199,8 +1199,10 @@ static int spi_qup_pm_resume_runtime(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ /* Disable clocks auto gaiting */
+ config = readl_relaxed(controller->base + QUP_CONFIG);
+--
+2.35.1
+
diff --git a/queue-5.4/spi-s3c64xx-fix-large-transfers-with-dma.patch b/queue-5.4/spi-s3c64xx-fix-large-transfers-with-dma.patch
new file mode 100644
index 00000000000..714469feda3
--- /dev/null
+++ b/queue-5.4/spi-s3c64xx-fix-large-transfers-with-dma.patch
@@ -0,0 +1,60 @@ +From 72516c8951d22f3b797f67beefd21784702d3f09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 13:21:17 +0200 +Subject: spi: s3c64xx: Fix large transfers with DMA + +From: Vincent Whitchurch + +[ Upstream commit 1224e29572f655facfcd850cf0f0a4784f36a903 ] + +The COUNT_VALUE in the PACKET_CNT register is 16-bit so the maximum +value is 65535. Asking the driver to transfer a larger size currently +leads to the DMA transfer timing out. Implement ->max_transfer_size() +and have the core split the transfer as needed. + +Fixes: 230d42d422e7 ("spi: Add s3c64xx SPI Controller driver") +Signed-off-by: Vincent Whitchurch +Link: https://lore.kernel.org/r/20220927112117.77599-5-vincent.whitchurch@axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 1d948fee1a03..d9420561236c 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -84,6 +84,7 @@ + #define S3C64XX_SPI_ST_TX_FIFORDY (1<<0) + + #define S3C64XX_SPI_PACKET_CNT_EN (1<<16) ++#define S3C64XX_SPI_PACKET_CNT_MASK GENMASK(15, 0) + + #define S3C64XX_SPI_PND_TX_UNDERRUN_CLR (1<<4) + #define S3C64XX_SPI_PND_TX_OVERRUN_CLR (1<<3) +@@ -654,6 +655,13 @@ static int s3c64xx_spi_prepare_message(struct spi_master *master, + return 0; + } + ++static size_t s3c64xx_spi_max_transfer_size(struct spi_device *spi) ++{ ++ struct spi_controller *ctlr = spi->controller; ++ ++ return ctlr->can_dma ? 
S3C64XX_SPI_PACKET_CNT_MASK : SIZE_MAX; ++} ++ + static int s3c64xx_spi_transfer_one(struct spi_master *master, + struct spi_device *spi, + struct spi_transfer *xfer) +@@ -1118,6 +1126,7 @@ static int s3c64xx_spi_probe(struct platform_device *pdev) + master->prepare_transfer_hardware = s3c64xx_spi_prepare_transfer; + master->prepare_message = s3c64xx_spi_prepare_message; + master->transfer_one = s3c64xx_spi_transfer_one; ++ master->max_transfer_size = s3c64xx_spi_max_transfer_size; + master->num_chipselect = sci->num_cs; + master->dma_alignment = 8; + master->bits_per_word_mask = SPI_BPW_MASK(32) | SPI_BPW_MASK(16) | +-- +2.35.1 + diff --git a/queue-5.4/spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch b/queue-5.4/spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch new file mode 100644 index 00000000000..e41c416dd4a --- /dev/null +++ b/queue-5.4/spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch 
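Review bot: s3c64xx_spi_max_transfer_size() has no comment tying its return value to the hardware limit, and `ctlr->can_dma` only tests that the callback is set. The 65535 cap therefore applies to every transfer on a DMA-capable controller, not just to transfers that end up using DMA. That reads as intentional and conservative, but a maintainer has to reconstruct it from the commit message. A comment above the function would state it: `/* PACKET_CNT.COUNT_VALUE is 16 bits wide; cap the size so the core splits larger transfers. */`.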
@@ -0,0 +1,65 @@
+From e78b45c9f9b63d5501454a2ed931cdd025b99031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 17:50:16 -0700
+Subject: spmi: pmic-arb: correct duplicate APID to PPID mapping logic
+
+From: David Collins
+
+[ Upstream commit 1f1693118c2476cb1666ad357edcf3cf48bf9b16 ]
+
+Correct the way that duplicate PPID mappings are handled for PMIC
+arbiter v5. The final APID mapped to a given PPID should be the
+one which has write owner = APPS EE, if it exists, or if not
+that, then the first APID mapped to the PPID, if it exists.
+
+Fixes: 40f318f0ed67 ("spmi: pmic-arb: add support for HW version 5")
+Signed-off-by: David Collins
+Signed-off-by: Fenglin Wu
+Link: https://lore.kernel.org/r/1655004286-11493-7-git-send-email-quic_fenglinw@quicinc.com
+Signed-off-by: Stephen Boyd
+Link: https://lore.kernel.org/r/20220930005019.2663064-8-sboyd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/spmi/spmi-pmic-arb.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c
+index bbbd311eda03..e6de2aeece8d 100644
+--- a/drivers/spmi/spmi-pmic-arb.c
++++ b/drivers/spmi/spmi-pmic-arb.c
+@@ -887,7 +888,8 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb)
+ * version 5, there is more than one APID mapped to each PPID.
+ * The owner field for each of these mappings specifies the EE which is
+ * allowed to write to the APID. The owner of the last (highest) APID
+- * for a given PPID will receive interrupts from the PPID.
++ * which has the IRQ owner bit set for a given PPID will receive
++ * interrupts from the PPID.
+ */
+ for (i = 0; ; i++, apidd++) {
+ offset = pmic_arb->ver_ops->apid_map_offset(i);
+@@ -910,16 +911,16 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb)
+ apid = pmic_arb->ppid_to_apid[ppid] & ~PMIC_ARB_APID_VALID;
+ prev_apidd = &pmic_arb->apid_data[apid];
+
+- if (valid && is_irq_ee &&
+- prev_apidd->write_ee == pmic_arb->ee) {
++ if (!valid || apidd->write_ee == pmic_arb->ee) {
++ /* First PPID mapping or one for this EE */
++ pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID;
++ } else if (valid && is_irq_ee &&
++ prev_apidd->write_ee == pmic_arb->ee) {
+ /*
+ * Duplicate PPID mapping after the one for this EE;
+ * override the irq owner
+ */
+ prev_apidd->irq_ee = apidd->irq_ee;
+- } else if (!valid || is_irq_ee) {
+- /* First PPID mapping or duplicate for another EE */
+- pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID;
+ }
+
+ apidd->ppid = ppid;
+--
+2.35.1
+
diff --git a/queue-5.4/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch b/queue-5.4/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
new file mode 100644
index 00000000000..5adcf0a89e3
--- /dev/null
+++ b/queue-5.4/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
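Review bot: In the new `else if (valid && is_irq_ee && ...)` of pmic_arb_read_apid_map_v5(), the `valid` test is redundant. The preceding branch is taken whenever `!valid`, so this branch is only reached with `valid` true. Dropping it makes clear that prev_apidd, which is computed from ppid_to_apid[ppid] even for an unmapped PPID, is only dereferenced once a mapping exists: `} else if (is_irq_ee && prev_apidd->write_ee == pmic_arb->ee) {`. The loop body continues outside the hunk, so where apidd->write_ee is assigned cannot be confirmed from here.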
@@ -0,0 +1,79 @@ +From a47de3313c23aae0cb41744c6475574ba2e1e5b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 19:27:21 +0800 +Subject: staging: rtl8723bs: fix a potential memory leak in + rtw_init_cmd_priv() + +From: Xiaoke Wang + +[ Upstream commit 708056fba733a73d926772ea4ce9a42d240345da ] + +In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated +in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly +released. Besides, considering there are only two error paths and the +first one can directly return, so we do not need implicitly jump to the +`exit` tag to execute the error handler. + +So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error +path to release the resource and simplified the return logic of +rtw_init_cmd_priv(). As there is no proper device to test with, no runtime +testing was performed. + +Signed-off-by: Xiaoke Wang +Link: https://lore.kernel.org/r/tencent_2B7931B79BA38E22205C5A09EFDF11E48805@qq.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/core/rtw_cmd.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c +index 8d93c2f26890..a82114de21a7 100644 +--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c ++++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c +@@ -165,8 +165,6 @@ No irqsave is necessary. 
+ + int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv) + { +- int res = 0; +- + init_completion(&pcmdpriv->cmd_queue_comp); + init_completion(&pcmdpriv->terminate_cmdthread_comp); + +@@ -178,18 +176,16 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv) + + pcmdpriv->cmd_allocated_buf = rtw_zmalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ); + +- if (!pcmdpriv->cmd_allocated_buf) { +- res = -ENOMEM; +- goto exit; +- } ++ if (!pcmdpriv->cmd_allocated_buf) ++ return -ENOMEM; + + pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf + CMDBUFF_ALIGN_SZ - ((SIZE_PTR)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ-1)); + + pcmdpriv->rsp_allocated_buf = rtw_zmalloc(MAX_RSPSZ + 4); + + if (!pcmdpriv->rsp_allocated_buf) { +- res = -ENOMEM; +- goto exit; ++ kfree(pcmdpriv->cmd_allocated_buf); ++ return -ENOMEM; + } + + pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3); +@@ -197,8 +193,8 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv) + pcmdpriv->cmd_issued_cnt = pcmdpriv->cmd_done_cnt = pcmdpriv->rsp_cnt = 0; + + mutex_init(&pcmdpriv->sctx_mutex); +-exit: +- return res; ++ ++ return 0; + } + + static void c2h_wk_callback(_workitem *work); +-- +2.35.1 + diff --git a/queue-5.4/staging-vt6655-fix-potential-memory-leak.patch b/queue-5.4/staging-vt6655-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..828e98b89d2 --- /dev/null +++ b/queue-5.4/staging-vt6655-fix-potential-memory-leak.patch 
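Review bot: After the added `kfree(pcmdpriv->cmd_allocated_buf);` on the `rsp_allocated_buf` failure path, both `cmd_allocated_buf` and the derived `cmd_buf` still hold the freed address when rtw_init_cmd_priv() returns. The callers are not visible here, but if any error handling or later teardown frees the cmd_priv buffers again, this becomes a double free. Clearing them before the return removes that risk: `pcmdpriv->cmd_allocated_buf = NULL;` and `pcmdpriv->cmd_buf = NULL;` ahead of `return -ENOMEM;`.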
@@ -0,0 +1,42 @@ +From 078c97809de5ffd1526570e244e2e32d167e74df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 16:13:39 +0200 +Subject: staging: vt6655: fix potential memory leak + +From: Nam Cao + +[ Upstream commit c8ff91535880d41b49699b3829fb6151942de29e ] + +In function device_init_td0_ring, memory is allocated for member +td_info of priv->apTD0Rings[i], with i increasing from 0. In case of +allocation failure, the memory is freed in reversed order, with i +decreasing to 0. However, the case i=0 is left out and thus memory is +leaked. + +Modify the memory freeing loop to include the case i=0. + +Tested-by: Philipp Hortmann +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/20220909141338.19343-1-namcaov@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vt6655/device_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index c1f9b263129e..18284c427b7e 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -670,7 +670,7 @@ static int device_init_td0_ring(struct vnt_private *priv) + return 0; + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->apTD0Rings[i]; + kfree(desc->td_info); + } +-- +2.35.1 + diff --git a/queue-5.4/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch b/queue-5.4/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch new file mode 100644 index 00000000000..bf3629c688f --- /dev/null +++ b/queue-5.4/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch 
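Review bot: The `while (i--)` unwind under `err_free_desc` in device_init_td0_ring() would benefit from a one-line comment, since the difference from the old `while (--i)` is exactly what was wrong. Something like `/* unwind entries i-1 .. 0; entry i is not handled here */` states the range the loop is meant to cover. The same comment fits the three loops in device_init_rd0_ring(), device_init_rd1_ring() and device_init_td1_ring() changed by the next patch in this queue. The function bodies start outside the hunks, so the declaration of `i` and the allocation loop are not visible here.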
@@ -0,0 +1,68 @@ +From 1783c37541ee81b27a95b0b43b62bf22ef3af69b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 19:04:31 +0200 +Subject: staging: vt6655: fix some erroneous memory clean-up loops + +From: Nam Cao + +[ Upstream commit 2a2db520e3ca5aafba7c211abfd397666c9b5f9d ] + +In some initialization functions of this driver, memory is allocated with +'i' acting as an index variable and increasing from 0. The commit in +"Fixes" introduces some clean-up codes in case of allocation failure, +which free memory in reverse order with 'i' decreasing to 0. However, +there are some problems: + - The case i=0 is left out. Thus memory is leaked. + - In case memory allocation fails right from the start, the memory + freeing loops will start with i=-1 and invalid memory locations will + be accessed. + +One of these loops has been fixed in commit c8ff91535880 ("staging: +vt6655: fix potential memory leak"). Fix the remaining erroneous loops. + +Link: https://lore.kernel.org/linux-staging/Yx9H1zSpxmNqx6Xc@kadam/ +Fixes: 5341ee0adb17 ("staging: vt6655: check for memory allocation failures") +Reported-by: Dan Carpenter +Tested-by: Philipp Hortmann +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/20220912170429.29852-1-namcaov@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vt6655/device_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index 082302944c37..c1f9b263129e 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -560,7 +560,7 @@ static int device_init_rd0_ring(struct vnt_private *priv) + kfree(desc->rd_info); + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->aRD0Ring[i]; + device_free_rx_buf(priv, desc); + kfree(desc->rd_info); +@@ -606,7 +606,7 @@ static int device_init_rd1_ring(struct vnt_private *priv) + 
kfree(desc->rd_info); + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->aRD1Ring[i]; + device_free_rx_buf(priv, desc); + kfree(desc->rd_info); +@@ -710,7 +710,7 @@ static int device_init_td1_ring(struct vnt_private *priv) + return 0; + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->apTD1Rings[i]; + kfree(desc->td_info); + } +-- +2.35.1 + diff --git a/queue-5.4/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch b/queue-5.4/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch new file mode 100644 index 00000000000..76e049b70f0 --- /dev/null +++ b/queue-5.4/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch 
@@ -0,0 +1,72 @@ +From c12508e6da769ed94bf2ed25d9983ad79034acca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 21:15:28 +0000 +Subject: tcp: annotate data-race around tcp_md5sig_pool_populated + +From: Eric Dumazet + +[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ] + +tcp_md5sig_pool_populated can be read while another thread +changes its value. + +The race has no consequence because allocations +are protected with tcp_md5sig_mutex. + +This patch adds READ_ONCE() and WRITE_ONCE() to document +the race and silence KCSAN. + +Reported-by: Abhishek Shah +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 2da4f852fc58..aeeeaf2d6482 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3770,12 +3770,16 @@ static void __tcp_alloc_md5sig_pool(void) + * to memory. See smp_rmb() in tcp_get_md5sig_pool() + */ + smp_wmb(); +- tcp_md5sig_pool_populated = true; ++ /* Paired with READ_ONCE() from tcp_alloc_md5sig_pool() ++ * and tcp_get_md5sig_pool(). 
++ */ ++ WRITE_ONCE(tcp_md5sig_pool_populated, true); + } + + bool tcp_alloc_md5sig_pool(void) + { +- if (unlikely(!tcp_md5sig_pool_populated)) { ++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */ ++ if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) { + mutex_lock(&tcp_md5sig_mutex); + + if (!tcp_md5sig_pool_populated) { +@@ -3786,7 +3790,8 @@ bool tcp_alloc_md5sig_pool(void) + + mutex_unlock(&tcp_md5sig_mutex); + } +- return tcp_md5sig_pool_populated; ++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */ ++ return READ_ONCE(tcp_md5sig_pool_populated); + } + EXPORT_SYMBOL(tcp_alloc_md5sig_pool); + +@@ -3802,7 +3807,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void) + { + local_bh_disable(); + +- if (tcp_md5sig_pool_populated) { ++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */ ++ if (READ_ONCE(tcp_md5sig_pool_populated)) { + /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */ + smp_rmb(); + return this_cpu_ptr(&tcp_md5sig_pool); +-- +2.35.1 + diff --git a/queue-5.4/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch b/queue-5.4/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch new file mode 100644 index 00000000000..4bbcdf0c9af --- /dev/null +++ b/queue-5.4/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch 
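Review bot: The re-check inside the mutex in tcp_alloc_md5sig_pool(), `if (!tcp_md5sig_pool_populated) {`, stays a plain read while every other access to the flag is now annotated. That looks intentional, since the commit message says the populate path is protected by tcp_md5sig_mutex, but it reads like an omission next to the new READ_ONCE() calls. A short comment above it, e.g. `/* plain read: the writer runs under tcp_md5sig_mutex */`, would document the choice. The call that reaches the WRITE_ONCE() is outside the hunk, so confirm it is only made with the mutex held.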
@@ -0,0 +1,150 @@ +From 05af639b04b9092542b4b9f0335df4424c625ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 16:03:31 -0400 +Subject: tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited + +From: Neal Cardwell + +[ Upstream commit f4ce91ce12a7c6ead19b128ffa8cff6e3ded2a14 ] + +This commit fixes a bug in the tracking of max_packets_out and +is_cwnd_limited. This bug can cause the connection to fail to remember +that is_cwnd_limited is true, causing the connection to fail to grow +cwnd when it should, causing throughput to be lower than it should be. + +The following event sequence is an example that triggers the bug: + + (a) The connection is cwnd_limited, but packets_out is not at its + peak due to TSO deferral deciding not to send another skb yet. + In such cases the connection can advance max_packets_seq and set + tp->is_cwnd_limited to true and max_packets_out to a small + number. + +(b) Then later in the round trip the connection is pacing-limited (not + cwnd-limited), and packets_out is larger. In such cases the + connection would raise max_packets_out to a bigger number but + (unexpectedly) flip tp->is_cwnd_limited from true to false. + +This commit fixes that bug. + +One straightforward fix would be to separately track (a) the next +window after max_packets_out reaches a maximum, and (b) the next +window after tp->is_cwnd_limited is set to true. But this would +require consuming an extra u32 sequence number. + +Instead, to save space we track only the most important +information. Specifically, we track the strongest available signal of +the degree to which the cwnd is fully utilized: + +(1) If the connection is cwnd-limited then we remember that fact for +the current window. + +(2) If the connection not cwnd-limited then we track the maximum +number of outstanding packets in the current window. 
+ +In particular, note that the new logic cannot trigger the buggy +(a)/(b) sequence above because with the new logic a condition where +tp->packets_out > tp->max_packets_out can only trigger an update of +tp->is_cwnd_limited if tp->is_cwnd_limited is false. + +This first showed up in a testing of a BBRv2 dev branch, but this +buggy behavior highlighted a general issue with the +tcp_cwnd_validate() logic that can cause cwnd to fail to increase at +the proper rate for any TCP congestion control, including Reno or +CUBIC. + +Fixes: ca8a22634381 ("tcp: make cwnd-limited checks measurement-based, and gentler") +Signed-off-by: Neal Cardwell +Signed-off-by: Kevin(Yudong) Yang +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + include/net/tcp.h | 5 ++++- + net/ipv4/tcp.c | 2 ++ + net/ipv4/tcp_output.c | 19 ++++++++++++------- + 4 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 358deb4ff830..89751c89f11f 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -258,7 +258,7 @@ struct tcp_sock { + u32 packets_out; /* Packets which are "in flight" */ + u32 retrans_out; /* Retransmitted packets out */ + u32 max_packets_out; /* max packets_out in last window */ +- u32 max_packets_seq; /* right edge of max_packets_out flight */ ++ u32 cwnd_usage_seq; /* right edge of cwnd usage tracking flight */ + + u16 urg_data; /* Saved octet of OOB data and control flags */ + u8 ecn_flags; /* ECN status bits. */ +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 8459145497b7..5b2473a08241 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1258,11 +1258,14 @@ static inline bool tcp_is_cwnd_limited(const struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + ++ if (tp->is_cwnd_limited) ++ return true; ++ + /* If in slow start, ensure cwnd grows to twice what was ACKed. 
*/ + if (tcp_in_slow_start(tp)) + return tp->snd_cwnd < 2 * tp->max_packets_out; + +- return tp->is_cwnd_limited; ++ return false; + } + + /* BBR congestion control needs pacing. +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 0a570d5d0b38..2da4f852fc58 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2635,6 +2635,8 @@ int tcp_disconnect(struct sock *sk, int flags) + tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + tp->snd_cwnd = TCP_INIT_CWND; + tp->snd_cwnd_cnt = 0; ++ tp->is_cwnd_limited = 0; ++ tp->max_packets_out = 0; + tp->window_clamp = 0; + tp->delivered = 0; + tp->delivered_ce = 0; +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index c37028af0db0..b4a9f6948cb5 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1653,15 +1653,20 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited) + const struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops; + struct tcp_sock *tp = tcp_sk(sk); + +- /* Track the maximum number of outstanding packets in each +- * window, and remember whether we were cwnd-limited then. ++ /* Track the strongest available signal of the degree to which the cwnd ++ * is fully utilized. If cwnd-limited then remember that fact for the ++ * current window. If not cwnd-limited then track the maximum number of ++ * outstanding packets in the current window. (If cwnd-limited then we ++ * chose to not update tp->max_packets_out to avoid an extra else ++ * clause with no functional impact.) 
+ */ +- if (!before(tp->snd_una, tp->max_packets_seq) || +- tp->packets_out > tp->max_packets_out || +- is_cwnd_limited) { +- tp->max_packets_out = tp->packets_out; +- tp->max_packets_seq = tp->snd_nxt; ++ if (!before(tp->snd_una, tp->cwnd_usage_seq) || ++ is_cwnd_limited || ++ (!tp->is_cwnd_limited && ++ tp->packets_out > tp->max_packets_out)) { + tp->is_cwnd_limited = is_cwnd_limited; ++ tp->max_packets_out = tp->packets_out; ++ tp->cwnd_usage_seq = tp->snd_nxt; + } + + if (tcp_is_cwnd_limited(sk)) { +-- +2.35.1 + diff --git a/queue-5.4/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch b/queue-5.4/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch new file mode 100644 index 00000000000..ed0fef3d880 --- /dev/null +++ b/queue-5.4/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch 
@@ -0,0 +1,61 @@ +From 19701113da57067714258a1c82d6460745db631c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 04:06:57 -0700 +Subject: thermal: intel_powerclamp: Use get_cpu() instead of + smp_processor_id() to avoid crash + +From: Srinivas Pandruvada + +[ Upstream commit 68b99e94a4a2db6ba9b31fe0485e057b9354a640 ] + +When CPU 0 is offline and intel_powerclamp is used to inject +idle, it generates kernel BUG: + +BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687 +caller is debug_smp_processor_id+0x17/0x20 +CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57 +Call Trace: + +dump_stack_lvl+0x49/0x63 +dump_stack+0x10/0x16 +check_preemption_disabled+0xdd/0xe0 +debug_smp_processor_id+0x17/0x20 +powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp] +... +... + +Here CPU 0 is the control CPU by default and changed to the current CPU, +if CPU 0 offlined. This check has to be performed under cpus_read_lock(), +hence the above warning. + +Use get_cpu() instead of smp_processor_id() to avoid this BUG. + +Suggested-by: Chen Yu +Signed-off-by: Srinivas Pandruvada +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/intel_powerclamp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c +index 53216dcbe173..5e4f32733caf 100644 +--- a/drivers/thermal/intel/intel_powerclamp.c ++++ b/drivers/thermal/intel/intel_powerclamp.c +@@ -535,8 +535,10 @@ static int start_power_clamp(void) + + /* prefer BSP */ + control_cpu = 0; +- if (!cpu_online(control_cpu)) +- control_cpu = smp_processor_id(); ++ if (!cpu_online(control_cpu)) { ++ control_cpu = get_cpu(); ++ put_cpu(); ++ } + + clamping = true; + schedule_delayed_work(&poll_pkg_cstate_work, 0); +-- +2.35.1 + 
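Review bot: `control_cpu = get_cpu(); put_cpu();` in start_power_clamp() only samples the current CPU id; once put_cpu() re-enables preemption the task can migrate, so the value is a hint and nothing here guarantees that CPU stays online afterwards. That may be all the code needs, but the pairing looks like a mistake without explanation. A comment such as `/* any currently online CPU will do; the id may be stale after put_cpu() */` would record the intent. Whether the caller excludes CPU hotplug (the commit message mentions cpus_read_lock()) is not visible in this hunk.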
diff --git a/queue-5.4/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch b/queue-5.4/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch new file mode 100644 index 00000000000..f2930e22c02 --- /dev/null +++ b/queue-5.4/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch 
@@ -0,0 +1,103 @@ +From 1115fdc321509383cd2793153791fdc9438d7945 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 19:17:03 +0800 +Subject: tty: serial: fsl_lpuart: disable dma rx/tx use flags in + lpuart_dma_shutdown +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sherry Sun + +[ Upstream commit 316ae95c175a7d770d1bfe4c011192712f57aa4a ] + +lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can +still occur which in turn tries to access dma apis if lpuart_dma_tx_use +flag is true. At this point since dma is torn down, these dma apis can +abort. Set lpuart_dma_tx_use and the corresponding rx flag +lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not +accessed after they are relinquished. + +Otherwise, when try to kill btattach, kernel may panic. This patch may +fix this issue. +root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200 +^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP +[ 90.189806] Modules linked in: moal(O) mlan(O) +[ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37 +[ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT) +[ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60 +[ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c +[ 90.225237] sp : ffff800013f0bac0 +[ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800 +[ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00 +[ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000 +[ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000 +[ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040 +[ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : 
ffff000057bcb090 +[ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804 +[ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480 +[ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800 +[ 90.299876] Call trace: +[ 90.302321] fsl_edma3_disable_request+0x8/0x60 +[ 90.306851] lpuart_flush_buffer+0x40/0x160 +[ 90.311037] uart_flush_buffer+0x88/0x120 +[ 90.315050] tty_driver_flush_buffer+0x20/0x30 +[ 90.319496] hci_uart_flush+0x44/0x90 +[ 90.323162] +0x34/0x12c +[ 90.327253] tty_ldisc_close+0x38/0x70 +[ 90.331005] tty_ldisc_release+0xa8/0x190 +[ 90.335018] tty_release_struct+0x24/0x8c +[ 90.339022] tty_release+0x3ec/0x4c0 +[ 90.342593] __fput+0x70/0x234 +[ 90.345652] ____fput+0x14/0x20 +[ 90.348790] task_work_run+0x84/0x17c +[ 90.352455] do_exit+0x310/0x96c +[ 90.355688] do_group_exit+0x3c/0xa0 +[ 90.359259] __arm64_sys_exit_group+0x1c/0x20 +[ 90.363609] invoke_syscall+0x48/0x114 +[ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc +[ 90.372068] do_el0_svc+0x2c/0x94 +[ 90.375379] el0_svc+0x28/0x80 +[ 90.378438] el0t_64_sync_handler+0xa8/0x130 +[ 90.382711] el0t_64_sync+0x1a0/0x1a4 +[ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041) +[ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]--- +[ 90.397073] note: btattach[503] exited with preempt_count 1 +[ 90.402636] Fixing recursive fault but reboot is needed! 
+ +Fixes: 6250cc30c4c4 ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx") +Reviewed-by: Ilpo Järvinen +Signed-off-by: Thara Gopinath +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20220920111703.1532-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index f3f582c3dc87..e84cef42f4b7 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1593,6 +1593,7 @@ static void lpuart_dma_shutdown(struct lpuart_port *sport) + if (sport->lpuart_dma_rx_use) { + del_timer_sync(&sport->lpuart_timer); + lpuart_dma_rx_free(&sport->port); ++ sport->lpuart_dma_rx_use = false; + } + + if (sport->lpuart_dma_tx_use) { +@@ -1601,6 +1602,7 @@ static void lpuart_dma_shutdown(struct lpuart_port *sport) + sport->dma_tx_in_progress = false; + dmaengine_terminate_all(sport->dma_tx_chan); + } ++ sport->lpuart_dma_tx_use = false; + } + } + +-- +2.35.1 + diff --git a/queue-5.4/tty-xilinx_uartps-fix-the-ignore_status.patch b/queue-5.4/tty-xilinx_uartps-fix-the-ignore_status.patch new file mode 100644 index 00000000000..c7faca2e27e --- /dev/null +++ b/queue-5.4/tty-xilinx_uartps-fix-the-ignore_status.patch 
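Review bot: In lpuart_dma_shutdown() both flags are cleared only after the teardown calls (`lpuart_dma_rx_free()` and `dmaengine_terminate_all()`), so a path that tests `lpuart_dma_tx_use`, such as the lpuart_flush_buffer() call in the quoted trace, could still see it true while the channel is going away unless the two are serialized. The hunks do not show which lock, if any, covers both sides. If one does, a comment next to `sport->lpuart_dma_tx_use = false;` naming it would help; if not, clearing the flag before the teardown call narrows the window. The function body starts outside the hunk.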
@@ -0,0 +1,37 @@ +From fdb6cb93263cc49958dc7e0da5d1756e0462a135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 17:17:45 +0530 +Subject: tty: xilinx_uartps: Fix the ignore_status + +From: Shubhrajyoti Datta + +[ Upstream commit b8a6c3b3d4654fba19881cc77da61eac29f57cae ] + +Currently the ignore_status is not considered in the isr. +Add a check to add the ignore_status. + +Fixes: 61ec9016988f ("tty/serial: add support for Xilinx PS UART") +Signed-off-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/20220729114748.18332-5-shubhrajyoti.datta@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index a1409251fbcc..6842999072c5 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -369,6 +369,8 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id) + isrstatus &= ~CDNS_UART_IXR_TXEMPTY; + } + ++ isrstatus &= port->read_status_mask; ++ isrstatus &= ~port->ignore_status_mask; + /* + * Skip RX processing if RX is disabled as RXEMPTY will never be set + * as read bytes will not be removed from the FIFO. +-- +2.35.1 + diff --git a/queue-5.4/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch b/queue-5.4/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch new file mode 100644 index 00000000000..97b40b54c0e --- /dev/null +++ b/queue-5.4/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch 
@@ -0,0 +1,76 @@ +From 0c10a271955ddb9863c545fc924c05d359355d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Sep 2022 15:37:55 -0700 +Subject: usb: gadget: function: fix dangling pnp_string in f_printer.c + +From: Albert Briscoe + +[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ] + +When opts->pnp_string is changed with configfs, new memory is allocated for +the string. It does not, however, update dev->pnp_string, even though the +memory is freed. When rquesting the string, the host then gets old or +corrupted data rather than the new string. The ieee 1284 id string should +be allowed to change while the device is connected. + +The bug was introduced in commit fdc01cc286be ("usb: gadget: printer: +Remove pnp_string static buffer"), which changed opts->pnp_string from a +char[] to a char*. +This patch changes dev->pnp_string from a char* to a char** pointing to +opts->pnp_string. + +Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer") +Signed-off-by: Albert Briscoe +Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_printer.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c +index 2a1868b2d24c..dd5eb6202fe1 100644 +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -87,7 +87,7 @@ struct printer_dev { + u8 printer_cdev_open; + wait_queue_head_t wait; + unsigned q_len; +- char *pnp_string; /* We don't own memory! */ ++ char **pnp_string; /* We don't own memory! 
*/ + struct usb_function function; + }; + +@@ -963,16 +963,16 @@ static int printer_func_setup(struct usb_function *f, + if ((wIndex>>8) != dev->interface) + break; + +- if (!dev->pnp_string) { ++ if (!*dev->pnp_string) { + value = 0; + break; + } +- value = strlen(dev->pnp_string); ++ value = strlen(*dev->pnp_string); + buf[0] = (value >> 8) & 0xFF; + buf[1] = value & 0xFF; +- memcpy(buf + 2, dev->pnp_string, value); ++ memcpy(buf + 2, *dev->pnp_string, value); + DBG(dev, "1284 PNP String: %x %s\n", value, +- dev->pnp_string); ++ *dev->pnp_string); + break; + + case GET_PORT_STATUS: /* Get Port Status */ +@@ -1435,7 +1435,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) + kref_init(&dev->kref); + ++opts->refcnt; + dev->minor = opts->minor; +- dev->pnp_string = opts->pnp_string; ++ dev->pnp_string = &opts->pnp_string; + dev->q_len = opts->q_len; + mutex_unlock(&opts->lock); + +-- +2.35.1 + diff --git a/queue-5.4/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch b/queue-5.4/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch new file mode 100644 index 00000000000..815f200f47e --- /dev/null +++ b/queue-5.4/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch 
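Review bot: With `dev->pnp_string` now pointing at `opts->pnp_string`, the 1284 PNP string branch of printer_func_setup() dereferences it four separate times (NULL test, `strlen()`, `memcpy()`, `DBG()`), and nothing in that hunk takes `opts->lock` the way gprinter_alloc() does. If the configfs store can replace and free the string while a setup request is being handled, those reads may see different pointers or freed memory, and `value` may not match what is copied. At minimum load it once, `const char *pnp = READ_ONCE(*dev->pnp_string);`, and use `pnp` for all four; the lifetime itself still needs a lock or a private copy that the setup path can safely use. The size of `buf` relative to `value + 2` is also not visible here and is worth confirming.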
@@ -0,0 +1,56 @@ +From eaa38403ef3985d175f26b53fe8193ca8e484569 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 15:34:45 +0300 +Subject: usb: host: xhci: Fix potential memory leak in + xhci_alloc_stream_info() + +From: Jianglei Nie + +[ Upstream commit 7e271f42a5cc3768cd2622b929ba66859ae21f97 ] + +xhci_alloc_stream_info() allocates stream context array for stream_info +->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs, +stream_info->stream_ctx_array is not released, which will lead to a +memory leak. + +We can fix it by releasing the stream_info->stream_ctx_array with +xhci_free_stream_ctx() on the error path to avoid the potential memory +leak. + +Signed-off-by: Jianglei Nie +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220921123450.671459-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index ef23a69c6553..6125a98ffbf5 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -650,7 +650,7 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci, + num_stream_ctxs, &stream_info->ctx_array_dma, + mem_flags); + if (!stream_info->stream_ctx_array) +- goto cleanup_ctx; ++ goto cleanup_ring_array; + memset(stream_info->stream_ctx_array, 0, + sizeof(struct xhci_stream_ctx)*num_stream_ctxs); + +@@ -711,6 +711,11 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci, + } + xhci_free_command(xhci, stream_info->free_streams_command); + cleanup_ctx: ++ xhci_free_stream_ctx(xhci, ++ stream_info->num_stream_ctxs, ++ stream_info->stream_ctx_array, ++ stream_info->ctx_array_dma); ++cleanup_ring_array: + kfree(stream_info->stream_rings); + cleanup_info: + kfree(stream_info); +-- +2.35.1 + 
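Review bot: The new `cleanup_ctx` block frees with `stream_info->num_stream_ctxs`, while the allocation in the first hunk is sized by the local `num_stream_ctxs`. The assignment of the struct field lies outside both hunks, so confirm it happens before any `goto cleanup_ctx` can be taken; otherwise the free is sized differently from the allocation. If the local is still in scope at the label, passing it directly, `xhci_free_stream_ctx(xhci, num_stream_ctxs, ...)`, removes the question.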
diff --git a/queue-5.4/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch b/queue-5.4/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch new file mode 100644 index 00000000000..3476801dd5d --- /dev/null +++ b/queue-5.4/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch 
@@ -0,0 +1,59 @@ +From be1a30dcb493d20d15b07397d4364c5e8ef4e15a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:48:44 +0800 +Subject: usb: idmouse: fix an uninit-value in idmouse_open + +From: Dongliang Mu + +[ Upstream commit bce2b0539933e485d22d6f6f076c0fcd6f185c4c ] + +In idmouse_create_image, if any ftip_command fails, it will +go to the reset label. However, this leads to the data in +bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check +for valid image incurs an uninitialized dereference. + +Fix this by moving the check before reset label since this +check only be valid if the data after bulk_in_buffer[HEADER] +has concrete data. + +Note that this is found by KMSAN, so only kernel compilation +is tested. + +Reported-by: syzbot+79832d33eb89fb3cd092@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@hust.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/idmouse.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c +index bb24527f3c70..ba2b6fbab9b8 100644 +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -178,10 +178,6 @@ static int idmouse_create_image(struct usb_idmouse *dev) + bytes_read += bulk_read; + } + +- /* reset the device */ +-reset: +- ftip_command(dev, FTIP_RELEASE, 0, 0); +- + /* check for valid image */ + /* right border should be black (0x00) */ + for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH) +@@ -193,6 +189,10 @@ static int idmouse_create_image(struct usb_idmouse *dev) + if (dev->bulk_in_buffer[bytes_read] != 0xFF) + return -EAGAIN; + ++ /* reset the device */ ++reset: ++ ftip_command(dev, FTIP_RELEASE, 0, 0); ++ + /* should be IMGSIZE == 65040 */ + dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n", + bytes_read); +-- +2.35.1 + 
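Review bot: Moving the image check above `reset:` means its `return -EAGAIN;` exits now leave idmouse_create_image() without sending `ftip_command(dev, FTIP_RELEASE, 0, 0)`, whereas before the patch the device was always released before the check ran. If the release is needed after a bad image as well, the check should record the error and fall through to the label instead of returning, for example by setting the function's status variable to `-EAGAIN` and using `goto reset;`. That assumes the function returns that variable after the label, which is outside the hunk. A comment at `reset:` saying which paths are expected to reach it would also help.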
diff --git a/queue-5.4/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch b/queue-5.4/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch new file mode 100644 index 00000000000..44fbf0ecff4 --- /dev/null +++ b/queue-5.4/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch @@ -0,0 +1,42 @@ +From c339e4ac712e0eff4e25d1b07a7d9d2c16c58322 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 10:21:19 +0800 +Subject: usb: musb: Fix musb_gadget.c rxstate overflow bug + +From: Robin Guo + +[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ] + +The usb function device call musb_gadget_queue() adds the passed +request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) +and (is_buffer_mapped(req) return false),the rxstate() will copy all data +in fifo to request->buf which may cause request->buf out of bounds. + +Fix it by add the length check : +fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); + +Signed-off-by: Robin Guo +Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/musb_gadget.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c +index 4622400ba4dd..8e83995fc3bd 100644 +--- a/drivers/usb/musb/musb_gadget.c ++++ b/drivers/usb/musb/musb_gadget.c +@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req) + musb_writew(epio, MUSB_RXCSR, csr); + + buffer_aint_mapped: ++ fifo_count = min_t(unsigned int, ++ request->length - request->actual, ++ (unsigned int)fifo_count); + musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *) + (request->buf + request->actual)); + request->actual += fifo_count; +-- +2.35.1 + 
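Review bot: The clamp added at `buffer_aint_mapped` computes `request->length - request->actual` in unsigned arithmetic, so it bounds the copy only while `actual <= length` holds; if that invariant were ever broken the subtraction wraps and `min_t()` leaves `fifo_count` unchanged. An explicit guard before the clamp makes the bound unconditional, and the `(unsigned int)` cast on the third argument is redundant because `min_t()` already converts both operands. The clamp also drops any excess FIFO bytes silently; whether the request should complete with an overflow status in that case is decided outside this hunk and is worth checking. rxstate() starts and ends outside the hunk.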
diff --git a/queue-5.4/usb-serial-console-move-mutex_unlock-before-usb_seri.patch b/queue-5.4/usb-serial-console-move-mutex_unlock-before-usb_seri.patch new file mode 100644 index 00000000000..2f8042cf4c4 --- /dev/null +++ b/queue-5.4/usb-serial-console-move-mutex_unlock-before-usb_seri.patch @@ -0,0 +1,39 @@ +From ab97ffaf71223afed27527dec0496563b1304832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 18:48:24 +0800 +Subject: USB: serial: console: move mutex_unlock() before usb_serial_put() + +From: Liang He + +[ Upstream commit 61dfa797c731754642d1ac500a6ac42f9b47f920 ] + +While in current version there is no use-after-free as USB serial +core holds another reference when the console is registered, we +should better unlock before dropping the reference in +usb_console_setup(). + +Fixes: 7bd032dc2793 ("USB serial: update the console driver") +Signed-off-by: Liang He +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/console.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c +index 7d289302ff6c..299bdb3a58fe 100644 +--- a/drivers/usb/serial/console.c ++++ b/drivers/usb/serial/console.c +@@ -186,8 +186,8 @@ static int usb_console_setup(struct console *co, char *options) + info->port = NULL; + usb_autopm_put_interface(serial->interface); + error_get_interface: +- usb_serial_put(serial); + mutex_unlock(&serial->disc_mutex); ++ usb_serial_put(serial); + return retval; + } + +-- +2.35.1 + diff --git a/queue-5.4/userfaultfd-open-userfaultfds-with-o_rdonly.patch b/queue-5.4/userfaultfd-open-userfaultfds-with-o_rdonly.patch new file mode 100644 index 00000000000..de9a4e87339 --- /dev/null +++ b/queue-5.4/userfaultfd-open-userfaultfds-with-o_rdonly.patch 
@@ -0,0 +1,57 @@
+From 2b780a2360c96937901bd14184924fda95a25b31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Jul 2022 11:34:51 +0200
+Subject: userfaultfd: open userfaultfds with O_RDONLY
+
+From: Ondrej Mosnacek
+
+[ Upstream commit abec3d015fdfb7c63105c7e1c956188bf381aa55 ]
+
+Since userfaultfd doesn't implement a write operation, it is more
+appropriate to open it read-only.
+
+When userfaultfds are opened read-write like it is now, and such fd is
+passed from one process to another, SELinux will check both read and
+write permissions for the target process, even though it can't actually
+do any write operation on the fd later.
+
+Inspired by the following bug report, which has hit the SELinux scenario
+described above:
+https://bugzilla.redhat.com/show_bug.cgi?id=1974559
+
+Reported-by: Robert O'Callahan
+Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
+Signed-off-by: Ondrej Mosnacek
+Acked-by: Peter Xu
+Acked-by: Christian Brauner (Microsoft)
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+---
+ fs/userfaultfd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index ec57bbb6bb05..740853465356 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -1018,7 +1018,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *ctx,
+ int fd;
+
+ fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, new,
+- O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS));
++ O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS));
+ if (fd < 0)
+ return fd;
+
+@@ -1969,7 +1969,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
+ mmgrab(ctx->mm);
+
+ fd = anon_inode_getfd("[userfaultfd]", &userfaultfd_fops, ctx,
+- O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS));
++ O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS));
+ if (fd < 0) {
+ mmdrop(ctx->mm);
+ kmem_cache_free(userfaultfd_ctx_cachep, ctx);
+--
+2.35.1
+
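Review bot: Neither `anon_inode_getfd()` call site in fs/userfaultfd.c (resolve_userfault_fork() and the userfaultfd syscall) records why the descriptor is now read-only, although the change alters the access mode userspace can observe on it, for instance through fcntl(F_GETFL). A short comment at the first call would keep the reasoning with the code: `/* no write op is implemented; O_RDONLY limits LSM checks on a passed fd to read permission */`. Any policy or tooling that matched on a read-write userfaultfd would presumably need a check after this backport; the hunks show no other dependency on the mode. Both functions continue outside the hunks.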
diff --git a/queue-5.4/vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch b/queue-5.4/vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch
new file mode 100644
index 00000000000..4295134dd47
--- /dev/null
+++ b/queue-5.4/vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch
@@ -0,0 +1,73 @@ +From fb736b3c2919d5792c090309eb69785aa54258a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 15:45:38 +0900 +Subject: vhost/vsock: Use kvmalloc/kvfree for larger packets. + +From: Junichi Uekawa + +[ Upstream commit 0e3f72931fc47bb81686020cc643cde5d9cd0bb8 ] + +When copying a large file over sftp over vsock, data size is usually 32kB, +and kmalloc seems to fail to try to allocate 32 32kB regions. + + vhost-5837: page allocation failure: order:4, mode:0x24040c0 + Call Trace: + [] dump_stack+0x97/0xdb + [] warn_alloc_failed+0x10f/0x138 + [] ? __alloc_pages_direct_compact+0x38/0xc8 + [] __alloc_pages_nodemask+0x84c/0x90d + [] alloc_kmem_pages+0x17/0x19 + [] kmalloc_order_trace+0x2b/0xdb + [] __kmalloc+0x177/0x1f7 + [] ? copy_from_iter+0x8d/0x31d + [] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock] + [] vhost_worker+0xf7/0x157 [vhost] + [] kthread+0xfd/0x105 + [] ? vhost_dev_set_owner+0x22e/0x22e [vhost] + [] ? flush_kthread_worker+0xf3/0xf3 + [] ret_from_fork+0x4e/0x80 + [] ? flush_kthread_worker+0xf3/0xf3 + +Work around by doing kvmalloc instead. + +Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") +Signed-off-by: Junichi Uekawa +Reviewed-by: Stefano Garzarella +Acked-by: Michael S. 
Tsirkin +Link: https://lore.kernel.org/r/20220928064538.667678-1-uekawa@chromium.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/vhost/vsock.c | 2 +- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c +index 308df62655dd..64806e562bf6 100644 +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -353,7 +353,7 @@ vhost_vsock_alloc_pkt(struct vhost_virtqueue *vq, + return NULL; + } + +- pkt->buf = kmalloc(pkt->len, GFP_KERNEL); ++ pkt->buf = kvmalloc(pkt->len, GFP_KERNEL); + if (!pkt->buf) { + kfree(pkt); + return NULL; +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index dde16a033a09..93c11ffae92b 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1146,7 +1146,7 @@ EXPORT_SYMBOL_GPL(virtio_transport_recv_pkt); + + void virtio_transport_free_pkt(struct virtio_vsock_pkt *pkt) + { +- kfree(pkt->buf); ++ kvfree(pkt->buf); + kfree(pkt); + } + EXPORT_SYMBOL_GPL(virtio_transport_free_pkt); +-- +2.35.1 + diff --git a/queue-5.4/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch b/queue-5.4/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch new file mode 100644 index 00000000000..2cd15562585 --- /dev/null +++ b/queue-5.4/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch 
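Review bot: With kvmalloc() the allocation of `pkt->buf` in vhost_vsock_alloc_pkt() no longer fails for sizes the page allocator could not satisfy, so the upper bound on `pkt->len` becomes the only limit on how much kernel memory a single packet can pin. The hunk starts just after an earlier `return NULL`, which may be that bound check but is not visible here; if `pkt->len` comes from a header supplied by the guest, confirm the cap is present in this 5.4 tree. In virtio_transport_free_pkt(), `kvfree()` can end up in vfree(), so callers that free packets from atomic context are worth auditing as part of the backport. A comment at the free site, such as `/* buf may come from kvmalloc() in vhost_vsock_alloc_pkt(); keep kvfree() */`, would guard against a later change back to kfree().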
@@ -0,0 +1,206 @@ +From 4be9b1fdff4dfc97a20cfe5c4599308992aeadb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 10:19:30 -0400 +Subject: wifi: ath10k: add peer map clean up for peer delete in + ath10k_sta_state() + +From: Wen Gong + +[ Upstream commit f020d9570a04df0762a2ac5c50cf1d8c511c9164 ] + +When peer delete failed in a disconnect operation, use-after-free +detected by KFENCE in below log. It is because for each vdev_id and +address, it has only one struct ath10k_peer, it is allocated in +ath10k_peer_map_event(). When connected to an AP, it has more than +one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the +array peer_map of struct ath10k will be set muti-elements to the +same ath10k_peer in ath10k_peer_map_event(). When peer delete failed +in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer +id in array peer_map of struct ath10k, and then use-after-free happened +for the 2nd peer id because they map to the same ath10k_peer. + +And clean up all peers in array peer_map for the ath10k_peer, then +user-after-free disappeared + +peer map event log: +[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e +[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 +[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 +[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 +[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 + +peer unmap event log: +[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) +[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) +[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 +[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 +[ 435.717193] 
ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 + +use-after-free log: +[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) +[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 +[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed +[21713.799968] ================================================================== +[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] +[21713.799991] +[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): +[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] +[21713.800041] drv_sta_state+0x115/0x677 [mac80211] +[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] +[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] +[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] +[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] +[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] +[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] +[21713.800161] genl_rcv_msg+0x38e/0x3be +[21713.800166] netlink_rcv_skb+0x89/0xf7 +[21713.800171] genl_rcv+0x28/0x36 +[21713.800176] netlink_unicast+0x179/0x24b +[21713.800181] netlink_sendmsg+0x3a0/0x40e +[21713.800187] sock_sendmsg+0x72/0x76 +[21713.800192] ____sys_sendmsg+0x16d/0x1e3 +[21713.800196] ___sys_sendmsg+0x95/0xd1 +[21713.800200] __sys_sendmsg+0x85/0xbf +[21713.800205] do_syscall_64+0x43/0x55 +[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[21713.800213] +[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k +[21713.800219] +[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: +[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] +[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] 
+[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] +[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] +[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1df [ath10k_pci] +[21713.800294] ath10k_ce_per_engine_service+0x55/0x74 [ath10k_core] +[21713.800305] ath10k_ce_per_engine_service_any+0x76/0x84 [ath10k_core] +[21713.800310] ath10k_pci_napi_poll+0x49/0x144 [ath10k_pci] +[21713.800316] net_rx_action+0xdc/0x361 +[21713.800320] __do_softirq+0x163/0x29a +[21713.800325] asm_call_irq_on_stack+0x12/0x20 +[21713.800331] do_softirq_own_stack+0x3c/0x48 +[21713.800337] __irq_exit_rcu+0x9b/0x9d +[21713.800342] common_interrupt+0xc9/0x14d +[21713.800346] asm_common_interrupt+0x1e/0x40 +[21713.800351] ksoftirqd_should_run+0x5/0x16 +[21713.800357] smpboot_thread_fn+0x148/0x211 +[21713.800362] kthread+0x150/0x15f +[21713.800367] ret_from_fork+0x22/0x30 +[21713.800370] +[21713.800374] freed by task 708 on cpu 1 at 21713.799953s: +[21713.800498] ath10k_sta_state+0x2c6/0xb8a [ath10k_core] +[21713.800515] drv_sta_state+0x115/0x677 [mac80211] +[21713.800532] __sta_info_destroy_part2+0xb1/0x133 [mac80211] +[21713.800548] __sta_info_flush+0x11d/0x162 [mac80211] +[21713.800565] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] +[21713.800581] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] +[21713.800598] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] +[21713.800614] nl80211_deauthenticate+0xf8/0x121 [cfg80211] +[21713.800619] genl_rcv_msg+0x38e/0x3be +[21713.800623] netlink_rcv_skb+0x89/0xf7 +[21713.800628] genl_rcv+0x28/0x36 +[21713.800632] netlink_unicast+0x179/0x24b +[21713.800637] netlink_sendmsg+0x3a0/0x40e +[21713.800642] sock_sendmsg+0x72/0x76 +[21713.800646] ____sys_sendmsg+0x16d/0x1e3 +[21713.800651] ___sys_sendmsg+0x95/0xd1 +[21713.800655] __sys_sendmsg+0x85/0xbf +[21713.800659] do_syscall_64+0x43/0x55 +[21713.800663] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1 + +Fixes: d0eeafad1189 
("ath10k: Clean up peer when sta goes away.") +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220801141930.16794-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 54 ++++++++++++++------------- + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 3026eb54a7f2..afa3cc92fc2a 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -856,11 +856,36 @@ static int ath10k_peer_delete(struct ath10k *ar, u32 vdev_id, const u8 *addr) + return 0; + } + ++static void ath10k_peer_map_cleanup(struct ath10k *ar, struct ath10k_peer *peer) ++{ ++ int peer_id, i; ++ ++ lockdep_assert_held(&ar->conf_mutex); ++ ++ for_each_set_bit(peer_id, peer->peer_ids, ++ ATH10K_MAX_NUM_PEER_IDS) { ++ ar->peer_map[peer_id] = NULL; ++ } ++ ++ /* Double check that peer is properly un-referenced from ++ * the peer_map ++ */ ++ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { ++ if (ar->peer_map[i] == peer) { ++ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n", ++ peer->addr, peer, i); ++ ar->peer_map[i] = NULL; ++ } ++ } ++ ++ list_del(&peer->list); ++ kfree(peer); ++ ar->num_peers--; ++} ++ + static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) + { + struct ath10k_peer *peer, *tmp; +- int peer_id; +- int i; + + lockdep_assert_held(&ar->conf_mutex); + +@@ -872,25 +897,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) + ath10k_warn(ar, "removing stale peer %pM from vdev_id %d\n", + peer->addr, vdev_id); + +- for_each_set_bit(peer_id, peer->peer_ids, +- ATH10K_MAX_NUM_PEER_IDS) { +- ar->peer_map[peer_id] = NULL; +- } +- +- /* Double check that peer is properly un-referenced from +- * the peer_map +- */ +- for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { +- if (ar->peer_map[i] == peer) { +- ath10k_warn(ar, "removing 
stale peer_map entry for %pM (ptr %pK idx %d)\n", +- peer->addr, peer, i); +- ar->peer_map[i] = NULL; +- } +- } +- +- list_del(&peer->list); +- kfree(peer); +- ar->num_peers--; ++ ath10k_peer_map_cleanup(ar, peer); + } + spin_unlock_bh(&ar->data_lock); + } +@@ -6641,10 +6648,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, + /* Clean up the peer object as well since we + * must have failed to do this above. + */ +- list_del(&peer->list); +- ar->peer_map[i] = NULL; +- kfree(peer); +- ar->num_peers--; ++ ath10k_peer_map_cleanup(ar, peer); + } + } + spin_unlock_bh(&ar->data_lock); +-- +2.35.1 + diff --git a/queue-5.4/wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch b/queue-5.4/wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch new file mode 100644 index 00000000000..40f42ae03f1 --- /dev/null +++ b/queue-5.4/wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch 
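Review bot: The new ath10k_peer_map_cleanup() in drivers/net/wireless/ath/ath10k/mac.c asserts only `conf_mutex`, yet it clears `ar->peer_map[]`, unlinks the peer and frees it, and both callers in these hunks appear to run it under `ar->data_lock` (each call is followed by `spin_unlock_bh(&ar->data_lock)`). Adding `lockdep_assert_held(&ar->data_lock);` next to the existing assertion would document and enforce that requirement, so a future caller cannot free a peer while another context still reads the map under that lock. In ath10k_sta_state() the enclosing loop lies outside the hunk; because the helper frees `peer`, that loop must not dereference `peer` after the call, which is worth confirming against the full function.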
@@ -0,0 +1,64 @@ +From 5d931348c7ad0a0465b1a1714152f675301bffe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 18:23:54 +0300 +Subject: wifi: ath10k: reset pointer after memory free to avoid potential + use-after-free + +From: Wen Gong + +[ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ] + +When running suspend test, kernel crash happened in ath10k, and it is +fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend +for driver state RESTARTING"). + +Currently the crash is fixed, but as a common code style, it is better +to set the pointer to NULL after memory is free. + +This is to address the code style and it will avoid potential bug of +use-after-free. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 760d24a28f39..f6fdb18f0950 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -297,12 +297,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) + ath10k_htt_get_vaddr_ring(htt), + htt->rx_ring.base_paddr); + ++ ath10k_htt_config_paddrs_ring(htt, NULL); ++ + dma_free_coherent(htt->ar->dev, + sizeof(*htt->rx_ring.alloc_idx.vaddr), + htt->rx_ring.alloc_idx.vaddr, + htt->rx_ring.alloc_idx.paddr); ++ htt->rx_ring.alloc_idx.vaddr = NULL; + + kfree(htt->rx_ring.netbufs_ring); ++ htt->rx_ring.netbufs_ring = NULL; + } + + static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt) +@@ -823,8 +827,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt) + ath10k_htt_get_rx_ring_size(htt), + vaddr_ring, + htt->rx_ring.base_paddr); ++ ath10k_htt_config_paddrs_ring(htt, NULL); + err_dma_ring: + 
kfree(htt->rx_ring.netbufs_ring); ++ htt->rx_ring.netbufs_ring = NULL; + err_netbuf: + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.4/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch b/queue-5.4/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch new file mode 100644 index 00000000000..25b2ba26d8c --- /dev/null +++ b/queue-5.4/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch 
@@ -0,0 +1,152 @@ +From 71bbd0ec45d28ec7af4bb73b185da8a43c4bb7ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 23:46:13 +0900 +Subject: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tetsuo Handa + +[ Upstream commit b383e8abed41cc6ff1a3b34de75df9397fa4878c ] + +syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for +ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with +pkt_len = 0 but ath9k_hif_usb_rx_stream() uses +__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that +pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb +with uninitialized memory and ath9k_htc_rx_msg() is reading from +uninitialized memory. + +Since bytes accessed by ath9k_htc_rx_msg() is not known until +ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid +pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in +ath9k_hif_usb_rx_stream(). + +We have two choices. One is to workaround by adding __GFP_ZERO so that +ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let +ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose +the latter. + +Note that I'm not sure threshold condition is correct, for I can't find +details on possible packet length used by this protocol. 
+ +Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++--------- + 1 file changed, 28 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 994ec48b2f66..ca05b07a45e6 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -364,33 +364,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + } + + static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, +- struct sk_buff *skb) ++ struct sk_buff *skb, u32 len) + { + uint32_t *pattern = (uint32_t *)skb->data; + +- switch (*pattern) { +- case 0x33221199: +- { ++ if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) { + struct htc_panic_bad_vaddr *htc_panic; + htc_panic = (struct htc_panic_bad_vaddr *) skb->data; + dev_err(htc_handle->dev, "ath: firmware panic! " + "exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n", + htc_panic->exccause, htc_panic->pc, + htc_panic->badvaddr); +- break; +- } +- case 0x33221299: +- { ++ return; ++ } ++ if (*pattern == 0x33221299) { + struct htc_panic_bad_epid *htc_panic; + htc_panic = (struct htc_panic_bad_epid *) skb->data; + dev_err(htc_handle->dev, "ath: firmware panic! " + "bad epid: 0x%08x\n", htc_panic->epid); +- break; +- } +- default: +- dev_err(htc_handle->dev, "ath: unknown panic pattern!\n"); +- break; ++ return; + } ++ dev_err(htc_handle->dev, "ath: unknown panic pattern!\n"); + } + + /* +@@ -411,16 +405,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + if (!htc_handle || !skb) + return; + ++ /* A valid message requires len >= 8. 
++ * ++ * sizeof(struct htc_frame_hdr) == 8 ++ * sizeof(struct htc_ready_msg) == 8 ++ * sizeof(struct htc_panic_bad_vaddr) == 16 ++ * sizeof(struct htc_panic_bad_epid) == 8 ++ */ ++ if (unlikely(len < sizeof(struct htc_frame_hdr))) ++ goto invalid; + htc_hdr = (struct htc_frame_hdr *) skb->data; + epid = htc_hdr->endpoint_id; + + if (epid == 0x99) { +- ath9k_htc_fw_panic_report(htc_handle, skb); ++ ath9k_htc_fw_panic_report(htc_handle, skb, len); + kfree_skb(skb); + return; + } + + if (epid < 0 || epid >= ENDPOINT_MAX) { ++invalid: + if (pipe_id != USB_REG_IN_PIPE) + dev_kfree_skb_any(skb); + else +@@ -432,21 +436,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + + /* Handle trailer */ + if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) { +- if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) ++ if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) { + /* Move past the Watchdog pattern */ + htc_hdr = (struct htc_frame_hdr *)(skb->data + 4); ++ len -= 4; ++ } + } + + /* Get the message ID */ ++ if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16))) ++ goto invalid; + msg_id = (__be16 *) ((void *) htc_hdr + + sizeof(struct htc_frame_hdr)); + + /* Now process HTC messages */ + switch (be16_to_cpu(*msg_id)) { + case HTC_MSG_READY_ID: ++ if (unlikely(len < sizeof(struct htc_ready_msg))) ++ goto invalid; + htc_process_target_rdy(htc_handle, htc_hdr); + break; + case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID: ++ if (unlikely(len < sizeof(struct htc_frame_hdr) + ++ sizeof(struct htc_conn_svc_rspmsg))) ++ goto invalid; + htc_process_conn_rsp(htc_handle, htc_hdr); + break; + default: +-- +2.35.1 + diff --git a/queue-5.4/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch b/queue-5.4/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch new file mode 100644 index 00000000000..008aea43fbf --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch 
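Review bot: In ath9k_htc_rx_msg() (drivers/net/wireless/ath/ath9k/htc_hst.c) the HTC_MSG_READY_ID case checks `len < sizeof(struct htc_ready_msg)`, although the message is located at `htc_hdr + sizeof(struct htc_frame_hdr)` and the HTC_MSG_CONNECT_SERVICE_RESPONSE_ID case directly below does add the header size. If htc_process_target_rdy() reads the ready message behind the frame header (its body is not in the hunk), the check leaves the last bytes unvalidated and should read `if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(struct htc_ready_msg)))`. The commit message itself says the thresholds are unconfirmed, so the length contract deserves a comment at each check. Separately, `goto invalid` jumps into the body of the `epid` range check; a comment at the label, e.g. `/* also reached for frames too short to parse */`, would make that control flow easier to audit.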
@@ -0,0 +1,110 @@ +From d121b7f5c39f766145ca97679c6f3d8e5a6c5a0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 13:56:28 +0200 +Subject: wifi: brcmfmac: fix invalid address access when enabling SCAN log + level +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wright Feng + +[ Upstream commit aa666b68e73fc06d83c070d96180b9010cf5a960 ] + +The variable i is changed when setting random MAC address and causes +invalid address access when printing the value of pi->reqs[i]->reqid. + +We replace reqs index with ri to fix the issue. + +[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ 136.737365] Mem abort info: +[ 136.740172] ESR = 0x96000004 +[ 136.743359] Exception class = DABT (current EL), IL = 32 bits +[ 136.749294] SET = 0, FnV = 0 +[ 136.752481] EA = 0, S1PTW = 0 +[ 136.755635] Data abort info: +[ 136.758514] ISV = 0, ISS = 0x00000004 +[ 136.762487] CM = 0, WnR = 0 +[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 +[ 136.772265] [0000000000000000] pgd=0000000000000000 +[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) +[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) +[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 +[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) +[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) +[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] +[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] +[ 136.828162] sp : ffff00000e9a3880 +[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 +[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 +[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 +[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8 +[ 
136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 +[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 +[ 136.863343] x17: 0000000000000000 x16: 0000000000000000 +[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 +[ 136.873966] x13: 0000000000003135 x12: 0000000000000000 +[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 +[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 +[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d +[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 +[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 +[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 +[ 136.911146] Call trace: +[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] +[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] +[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] +[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] +[ 136.937298] genl_rcv_msg+0x358/0x3f4 +[ 136.940960] netlink_rcv_skb+0xb4/0x118 +[ 136.944795] genl_rcv+0x34/0x48 +[ 136.947935] netlink_unicast+0x264/0x300 +[ 136.951856] netlink_sendmsg+0x2e4/0x33c +[ 136.955781] __sys_sendto+0x120/0x19c + +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Ahmad Fatoum +Signed-off-by: Alvin Å ipraga +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +index 14e530601ef3..7ec1630d9095 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +@@ -154,12 +154,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi) + struct brcmf_pno_macaddr_le pfn_mac; + u8 *mac_addr 
= NULL; + u8 *mac_mask = NULL; +- int err, i; ++ int err, i, ri; + +- for (i = 0; i < pi->n_reqs; i++) +- if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) { +- mac_addr = pi->reqs[i]->mac_addr; +- mac_mask = pi->reqs[i]->mac_addr_mask; ++ for (ri = 0; ri < pi->n_reqs; ri++) ++ if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) { ++ mac_addr = pi->reqs[ri]->mac_addr; ++ mac_mask = pi->reqs[ri]->mac_addr_mask; + break; + } + +@@ -181,7 +181,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi) + pfn_mac.mac[0] |= 0x02; + + brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n", +- pi->reqs[i]->reqid, pfn_mac.mac); ++ pi->reqs[ri]->reqid, pfn_mac.mac); + err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac, + sizeof(pfn_mac)); + if (err) +-- +2.35.1 + diff --git a/queue-5.4/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch b/queue-5.4/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch new file mode 100644 index 00000000000..bab66deddc5 --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch 
@@ -0,0 +1,140 @@ +From f17d59571bcc437876bd5344a896d2e9bef23534 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 10:49:26 -0700 +Subject: wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() + +From: Alexander Coffin + +[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ] + +> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); + +may be schedule, and then complete before the line + +> ndev->stats.tx_bytes += skb->len; + +[ 46.912801] ================================================================== +[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] +[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 +[ 46.935991] +[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 +[ 46.947255] Hardware name: [REDACTED] +[ 46.954568] Call trace: +[ 46.957037] dump_backtrace+0x0/0x2b8 +[ 46.960719] show_stack+0x24/0x30 +[ 46.964052] dump_stack+0x128/0x194 +[ 46.967557] print_address_description.isra.0+0x64/0x380 +[ 46.972877] __kasan_report+0x1d4/0x240 +[ 46.976723] kasan_report+0xc/0x18 +[ 46.980138] __asan_report_load4_noabort+0x18/0x20 +[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] +[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 +[ 46.994894] sch_direct_xmit+0x198/0xd08 +[ 46.998827] __qdisc_run+0x37c/0x1dc0 +[ 47.002500] __dev_queue_xmit+0x1528/0x21f8 +[ 47.006692] dev_queue_xmit+0x24/0x30 +[ 47.010366] neigh_resolve_output+0x37c/0x678 +[ 47.014734] ip_finish_output2+0x598/0x2458 +[ 47.018927] __ip_finish_output+0x300/0x730 +[ 47.023118] ip_output+0x2e0/0x430 +[ 47.026530] ip_local_out+0x90/0x140 +[ 47.030117] igmpv3_sendpack+0x14c/0x228 +[ 47.034049] igmpv3_send_cr+0x384/0x6b8 +[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 +[ 47.042262] call_timer_fn+0x1cc/0xbe8 +[ 47.046021] __run_timers+0x4d8/0xb28 +[ 47.049693] run_timer_softirq+0x24/0x40 +[ 47.053626] __do_softirq+0x2c0/0x117c +[ 47.057387] irq_exit+0x2dc/0x388 
+[ 47.060715] __handle_domain_irq+0xb4/0x158 +[ 47.064908] gic_handle_irq+0x58/0xb0 +[ 47.068581] el0_irq_naked+0x50/0x5c +[ 47.072162] +[ 47.073665] Allocated by task 328: +[ 47.077083] save_stack+0x24/0xb0 +[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 +[ 47.084776] kasan_slab_alloc+0x14/0x20 +[ 47.088622] kmem_cache_alloc+0x15c/0x468 +[ 47.092643] __alloc_skb+0xa4/0x498 +[ 47.096142] igmpv3_newpack+0x158/0xd78 +[ 47.099987] add_grhead+0x210/0x288 +[ 47.103485] add_grec+0x6b0/0xb70 +[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 +[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 +[ 47.115027] call_timer_fn+0x1cc/0xbe8 +[ 47.118785] __run_timers+0x4d8/0xb28 +[ 47.122457] run_timer_softirq+0x24/0x40 +[ 47.126389] __do_softirq+0x2c0/0x117c +[ 47.130142] +[ 47.131643] Freed by task 180: +[ 47.134712] save_stack+0x24/0xb0 +[ 47.138041] __kasan_slab_free+0x108/0x180 +[ 47.142146] kasan_slab_free+0x10/0x18 +[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 +[ 47.150444] kmem_cache_free+0x8c/0x528 +[ 47.154292] kfree_skbmem+0x94/0x108 +[ 47.157880] consume_skb+0x10c/0x5a8 +[ 47.161466] __dev_kfree_skb_any+0x88/0xa0 +[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] +[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] +[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] +[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] +[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] +[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] +[ 47.197859] process_one_work+0x7fc/0x1a80 +[ 47.201965] worker_thread+0x31c/0xc40 +[ 47.205726] kthread+0x2d8/0x370 +[ 47.208967] ret_from_fork+0x10/0x18 +[ 47.212546] +[ 47.214051] The buggy address belongs to the object at ffffff803f588280 +[ 47.214051] which belongs to the cache skbuff_head_cache of size 208 +[ 47.227086] The buggy address is located 104 bytes inside of +[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) +[ 47.238814] The buggy address belongs to the page: +[ 47.243618] page:ffffffff00dd6200 
refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 +[ 47.255007] flags: 0x10200(slab|head) +[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 +[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 +[ 47.274180] page dumped because: kasan: bad access detected +[ 47.279752] +[ 47.281251] Memory state around the buggy address: +[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 47.307723] ^ +[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc +[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 47.328789] ================================================================== + +Signed-off-by: Alexander Coffin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index edb79e9665dc..5b7c1b99273d 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -290,6 +290,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + struct brcmf_pub *drvr = ifp->drvr; + struct ethhdr *eh; + int head_delta; ++ unsigned int tx_bytes = skb->len; + + brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); + +@@ -361,7 +362,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + ndev->stats.tx_dropped++; + } else { + ndev->stats.tx_packets++; +- ndev->stats.tx_bytes += skb->len; ++ ndev->stats.tx_bytes 
+= tx_bytes; + } + + /* Return ok: we always eat the packet */ +-- +2.35.1 + diff --git a/queue-5.4/wifi-mac80211-allow-bw-change-during-channel-switch-.patch b/queue-5.4/wifi-mac80211-allow-bw-change-during-channel-switch-.patch new file mode 100644 index 00000000000..f9c95bfa49b --- /dev/null +++ b/queue-5.4/wifi-mac80211-allow-bw-change-during-channel-switch-.patch 
@@ -0,0 +1,47 @@ +From 25f1f9bfa7f5f401b412970500a6a66fc6db33d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 12:02:29 +0530 +Subject: wifi: mac80211: allow bw change during channel switch in mesh + +From: Hari Chandrakanthan + +[ Upstream commit 6b75f133fe05c36c52d691ff21545d5757fff721 ] + +From 'IEEE Std 802.11-2020 section 11.8.8.4.1': + The mesh channel switch may be triggered by the need to avoid + interference to a detected radar signal, or to reassign mesh STA + channels to ensure the MBSS connectivity. + + A 20/40 MHz MBSS may be changed to a 20 MHz MBSS and a 20 MHz + MBSS may be changed to a 20/40 MHz MBSS. + +Since the standard allows the change of bandwidth during +the channel switch in mesh, remove the bandwidth check present in +ieee80211_set_csa_beacon. + +Fixes: c6da674aff94 ("{nl,cfg,mac}80211: enable the triggering of CSA frame in mesh") +Signed-off-by: Hari Chandrakanthan +Link: https://lore.kernel.org/r/1658903549-21218-1-git-send-email-quic_haric@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 16f37fd0ac0e..9e3bff5aaf8b 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -3280,9 +3280,6 @@ static int ieee80211_set_csa_beacon(struct ieee80211_sub_if_data *sdata, + case NL80211_IFTYPE_MESH_POINT: { + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; + +- if (params->chandef.width != sdata->vif.bss_conf.chandef.width) +- return -EINVAL; +- + /* changes into another band are not supported */ + if (sdata->vif.bss_conf.chandef.chan->band != + params->chandef.chan->band) +-- +2.35.1 + diff --git a/queue-5.4/wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch b/queue-5.4/wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch new file mode 100644 index 00000000000..0ddf6cda283 --- /dev/null 
+++ b/queue-5.4/wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch @@ -0,0 +1,40 @@ +From 47f6fc638c81dd9c84520e70794863570a4e14d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:30:09 +0100 +Subject: wifi: rt2x00: correctly set BBP register 86 for MT7620 + +From: Daniel Golle + +[ Upstream commit c9aada64fe6493461127f1522d7e2f01792d2424 ] + +Instead of 0 set the correct value for BBP register 86 for MT7620. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index c303d52b6820..32d2528cdd5f 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -4154,7 +4154,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain); + rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain); + rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain); +- rt2800_bbp_write(rt2x00dev, 86, 0); ++ if (rt2x00_rt(rt2x00dev, RT6352)) ++ rt2800_bbp_write(rt2x00dev, 86, 0x38); ++ else ++ rt2800_bbp_write(rt2x00dev, 86, 0); + } + + if (rf->channel <= 14) { +-- +2.35.1 + diff --git a/queue-5.4/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch b/queue-5.4/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch new file mode 100644 index 00000000000..a8a4b1365ad --- /dev/null +++ b/queue-5.4/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch 
@@ -0,0 +1,38 @@ +From 8e1d4a53480a9ac2dd4ba7b9935163ffc54e7b2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:28:29 +0100 +Subject: wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 + +From: Daniel Golle + +[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ] + +The function rt2800_iq_calibrate is intended for Rt5592 only. +Don't call it for MT7620 which has it's own calibration functions. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index c99f1912e266..9b56a4df2e94 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -4355,7 +4355,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + reg = (rf->channel <= 14 ? 0x1c : 0x24) + 2*rt2x00dev->lna_gain; + rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg); + +- rt2800_iq_calibrate(rt2x00dev, rf->channel); ++ if (rt2x00_rt(rt2x00dev, RT5592)) ++ rt2800_iq_calibrate(rt2x00dev, rf->channel); + } + + bbp = rt2800_bbp_read(rt2x00dev, 4); +-- +2.35.1 + diff --git a/queue-5.4/wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch b/queue-5.4/wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch new file mode 100644 index 00000000000..5c84ce11d10 --- /dev/null +++ b/queue-5.4/wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch 
@@ -0,0 +1,39 @@ +From d949ea1f15ead23102f5e348e0d426860d4e9fc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:29:26 +0100 +Subject: wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 + +From: Daniel Golle + +[ Upstream commit eeb50acf15762b61921f9df18663f839f387c054 ] + +Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the +vendor driver[1]. + +[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531 +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index 9b56a4df2e94..20491ff6bb76 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -5852,7 +5852,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev) + rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404); + } else if (rt2x00_rt(rt2x00dev, RT6352)) { + rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401); +- rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000); ++ rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001); + rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000); + rt2800_register_write(rt2x00dev, TX_ALC_VGA3, 0x00000000); + rt2800_register_write(rt2x00dev, TX0_BB_GAIN_ATTEN, 0x0); +-- +2.35.1 + diff --git a/queue-5.4/wifi-rt2x00-set-soc-wmac-clock-register.patch b/queue-5.4/wifi-rt2x00-set-soc-wmac-clock-register.patch new file mode 100644 index 00000000000..ace61f35606 --- /dev/null +++ b/queue-5.4/wifi-rt2x00-set-soc-wmac-clock-register.patch 
@@ -0,0 +1,58 @@ +From e98e552eb041c80358574aa5ae5bd3bfa01752cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:29:55 +0100 +Subject: wifi: rt2x00: set SoC wmac clock register + +From: Daniel Golle + +[ Upstream commit cbde6ed406a51092d9e8a2df058f5f8490f27443 ] + +Instead of using the default value 33 (pci), set US_CYC_CNT init based +on Programming guide: +If available, set chipset bus clock with fallback to cpu clock/3. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + .../net/wireless/ralink/rt2x00/rt2800lib.c | 21 +++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index ab0d673253f0..c303d52b6820 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -6115,6 +6115,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev) + reg = rt2800_register_read(rt2x00dev, US_CYC_CNT); + rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, 125); + rt2800_register_write(rt2x00dev, US_CYC_CNT, reg); ++ } else if (rt2x00_is_soc(rt2x00dev)) { ++ struct clk *clk = clk_get_sys("bus", NULL); ++ int rate; ++ ++ if (IS_ERR(clk)) { ++ clk = clk_get_sys("cpu", NULL); ++ ++ if (IS_ERR(clk)) { ++ rate = 125; ++ } else { ++ rate = clk_get_rate(clk) / 3000000; ++ clk_put(clk); ++ } ++ } else { ++ rate = clk_get_rate(clk) / 1000000; ++ clk_put(clk); ++ } ++ ++ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT); ++ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, rate); ++ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg); + } + + reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0); +-- +2.35.1 + 
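Review bot: In the new `rt2x00_is_soc()` branch of rt2800_init_registers(), `rate` is written to US_CYC_CNT_CLOCK_CYCLE without a range check. A clock that reports 0 Hz, or anything below the divisor, programs a cycle count of 0, and a value wider than the field would presumably be truncated by `rt2x00_set_field32()`. The 125 fallback is only taken when both `clk_get_sys()` lookups fail, not when the rate itself is unusable. A guard such as `if (rate <= 0 || rate > 255) rate = 125;` before the register write would keep the fallback consistent; the 255 limit assumes an 8-bit field, which is not visible here and should be confirmed against the field definition. The function body starts and ends outside the hunk.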
diff --git a/queue-5.4/wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch b/queue-5.4/wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch new file mode 100644 index 00000000000..8d45bbc4923 --- /dev/null +++ b/queue-5.4/wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch @@ -0,0 +1,38 @@ +From fc40105ad646eacdeb8e546bd2f4036fcf0a43b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:29:40 +0100 +Subject: wifi: rt2x00: set VGC gain for both chains of MT7620 + +From: Daniel Golle + +[ Upstream commit 0e09768c085709e10ece3b68f6ac921d3f6a9caa ] + +Set bbp66 for all chains of the MT7620. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/29e161397e5c9d9399da0fe87d44458aa2b90a78.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index 20491ff6bb76..ab0d673253f0 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -5629,7 +5629,8 @@ static inline void rt2800_set_vgc(struct rt2x00_dev *rt2x00dev, + if (qual->vgc_level != vgc_level) { + if (rt2x00_rt(rt2x00dev, RT3572) || + rt2x00_rt(rt2x00dev, RT3593) || +- rt2x00_rt(rt2x00dev, RT3883)) { ++ rt2x00_rt(rt2x00dev, RT3883) || ++ rt2x00_rt(rt2x00dev, RT6352)) { + rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, + vgc_level); + } else if (rt2x00_rt(rt2x00dev, RT5592)) { +-- +2.35.1 + diff --git a/queue-5.4/wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch b/queue-5.4/wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch new file mode 100644 index 00000000000..2a7fa635d15 --- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch 
@@ -0,0 +1,47 @@ +From 1d69f5f88106a9dc1bfdd6aa954a09a1c5119818 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 19:12:36 +0300 +Subject: wifi: rtl8xxxu: Fix skb misuse in TX queue selection + +From: Bitterblue Smith + +[ Upstream commit edd5747aa12ed61a5ecbfa58d3908623fddbf1e8 ] + +rtl8xxxu_queue_select() selects the wrong TX queues because it's +reading memory from the wrong address. It expects to find ieee80211_hdr +at skb->data, but that's not the case after skb_push(). Move the call +to rtl8xxxu_queue_select() before the call to skb_push(). + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Bitterblue Smith +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7fa4819a-4f20-b2af-b7a6-8ee01ac49295@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 3062103e216a..977ebb647c0e 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -4950,6 +4950,8 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw, + if (control && control->sta) + sta = control->sta; + ++ queue = rtl8xxxu_queue_select(hw, skb); ++ + tx_desc = skb_push(skb, tx_desc_size); + + memset(tx_desc, 0, tx_desc_size); +@@ -4962,7 +4964,6 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw, + is_broadcast_ether_addr(ieee80211_get_DA(hdr))) + tx_desc->txdw0 |= TXDESC_BROADMULTICAST; + +- queue = rtl8xxxu_queue_select(hw, skb); + tx_desc->txdw1 = cpu_to_le32(queue << TXDESC_QUEUE_SHIFT); + + if (tx_info->control.hw_key) { +-- +2.35.1 + diff --git a/queue-5.4/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch b/queue-5.4/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch new file mode 100644 index 00000000000..6156b17ddb2 --- /dev/null 
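Review bot: The ordering this fix depends on is not documented at the moved call in rtl8xxxu_tx(): nothing on the new `queue = rtl8xxxu_queue_select(hw, skb);` line says it has to stay ahead of `skb_push()`. Per the commit message the helper expects the ieee80211_hdr at `skb->data`, which stops being true once the TX descriptor is pushed, so a later reshuffle could silently reintroduce the wrong-address read. I would add `/* must precede skb_push(): rtl8xxxu_queue_select() reads the 802.11 header at skb->data */` above the call. The function body continues outside both hunks.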
+++ b/queue-5.4/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch @@ -0,0 +1,46 @@ +From 8c81fa66a13d843e7fb308f45affed694d5ed8c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 14:48:32 +0300 +Subject: wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration + +From: Bitterblue Smith + +[ Upstream commit e963a19c64ac0d2f8785d36a27391abd91ac77aa ] + +Found by comparing with the vendor driver. Currently this affects +only the RTL8192EU, which is the only gen2 chip with 2 TX paths +supported by this driver. It's unclear what kind of effect the +mistake had in practice, since I don't have any RTL8192EU devices +to test it. + +Fixes: e1547c535ede ("rtl8xxxu: First stab at adding IQK calibration for 8723bu parts") +Signed-off-by: Bitterblue Smith +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/30a59f3a-cfa9-8379-7af0-78a8f4c77cfd@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 977ebb647c0e..b472dc4c551e 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -2926,12 +2926,12 @@ bool rtl8xxxu_gen2_simularity_compare(struct rtl8xxxu_priv *priv, + } + + if (!(simubitmap & 0x30) && priv->tx_paths > 1) { +- /* path B RX OK */ ++ /* path B TX OK */ + for (i = 4; i < 6; i++) + result[3][i] = result[c1][i]; + } + +- if (!(simubitmap & 0x30) && priv->tx_paths > 1) { ++ if (!(simubitmap & 0xc0) && priv->tx_paths > 1) { + /* path B RX OK */ + for (i = 6; i < 8; i++) + result[3][i] = result[c1][i]; +-- +2.35.1 + diff --git a/queue-5.4/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch b/queue-5.4/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch new file mode 100644 index 00000000000..253fea753fa 
--- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch 
@@ -0,0 +1,59 @@ +From d64199e3344a1d3558ac2bae7c7e5c51742eb884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 08:22:32 +0300 +Subject: wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() + +From: Dan Carpenter + +[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ] + +There some bounds checking to ensure that "map_addr" is not out of +bounds before the start of the loop. But the checking needs to be +done as we iterate through the loop because "map_addr" gets larger as +we iterate. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Dan Carpenter +Acked-by: Jes Sorensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 048984ca81fd..3062103e216a 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -1875,13 +1875,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) + + /* We have 8 bits to indicate validity */ + map_addr = offset * 8; +- if (map_addr >= EFUSE_MAP_LEN) { +- dev_warn(dev, "%s: Illegal map_addr (%04x), " +- "efuse corrupt!\n", +- __func__, map_addr); +- ret = -EINVAL; +- goto exit; +- } + for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) { + /* Check word enable condition in the section */ + if (word_mask & BIT(i)) { +@@ -1892,6 +1885,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) + ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8); + if (ret) + goto exit; ++ if (map_addr >= EFUSE_MAP_LEN - 1) { ++ dev_warn(dev, "%s: Illegal map_addr (%04x), " ++ "efuse corrupt!\n", ++ __func__, map_addr); ++ ret = -EINVAL; ++ goto exit; ++ } + priv->efuse_wifi.raw[map_addr++] = val8; + 
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8); +-- +2.35.1 + diff --git a/queue-5.4/wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch b/queue-5.4/wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch new file mode 100644 index 00000000000..336b2f5ea4b --- /dev/null +++ b/queue-5.4/wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch 
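Review bot: The `- 1` in the new `map_addr >= EFUSE_MAP_LEN - 1` check in rtl8xxxu_read_efuse() is unexplained, and it is what makes the check sufficient. The check sits ahead of the first `priv->efuse_wifi.raw[map_addr++] = val8;`, and the iteration appears to store a second byte after the next `rtl8xxxu_read_efuse8()` call (that store is outside the hunk), so the bound has to leave room for two bytes. Because the efuse contents come from the device and drive `map_addr`, a comment such as `/* each enabled word stores two bytes: raw[map_addr] and raw[map_addr + 1] */` would keep a later cleanup from relaxing it back to `>= EFUSE_MAP_LEN`.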
@@ -0,0 +1,68 @@ +From 8a7e863df42e7bd282bc9299f641c95110b2ff8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 14:50:03 +0800 +Subject: wifi: rtw88: phy: fix warning of possible buffer overflow + +From: Zong-Zhe Yang + +[ Upstream commit 86331c7e0cd819bf0c1d0dcf895e0c90b0aa9a6f ] + +reported by smatch + +phy.c:854 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]' +8 <= 8 (assuming for loop doesn't break) + +However, it seems to be a false alarm because we prevent it originally via + if (linear >= db_invert_table[11][7]) + return 96; /* maximum 96 dB */ + +Still, we adjust the code to be more readable and avoid smatch warning. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220727065003.28340-5-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/phy.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c +index 02da69e9dfe7..2227bbd14644 100644 +--- a/drivers/net/wireless/realtek/rtw88/phy.c ++++ b/drivers/net/wireless/realtek/rtw88/phy.c +@@ -586,23 +586,18 @@ static u8 rtw_phy_linear_2_db(u64 linear) + u8 j; + u32 dB; + +- if (linear >= db_invert_table[11][7]) +- return 96; /* maximum 96 dB */ +- + for (i = 0; i < 12; i++) { +- if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7]) +- break; +- else if (i > 2 && linear <= db_invert_table[i][7]) +- break; ++ for (j = 0; j < 8; j++) { ++ if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j]) ++ goto cnt; ++ else if (i > 2 && linear <= db_invert_table[i][j]) ++ goto cnt; ++ } + } + +- for (j = 0; j < 8; j++) { +- if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j]) +- break; +- else if (i > 2 && linear <= db_invert_table[i][j]) +- break; +- } ++ return 96; /* maximum 96 dB */ + ++cnt: + if (j == 0 && i == 0) + goto end; + +-- 
+2.35.1 + diff --git a/queue-5.4/x86-entry-work-around-clang-__bdos-bug.patch b/queue-5.4/x86-entry-work-around-clang-__bdos-bug.patch new file mode 100644 index 00000000000..d5391cd2e8d --- /dev/null +++ b/queue-5.4/x86-entry-work-around-clang-__bdos-bug.patch 
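Review bot: Dropping the early `if (linear >= db_invert_table[11][7]) return 96;` in rtw_phy_linear_2_db() also removes the only bound on `linear` before `linear << FRAC_BITS` is evaluated for rows 0 to 2. With the guard gone, a very large u64 input can wrap in that shift and match an entry in the first rows, yielding a small dB value instead of the 96 dB ceiling; whether any caller can pass such a value is not visible here. Keeping the early return ahead of the nested loops would preserve the saturation, and the rewritten loops alone should be enough to address the smatch report. The label `cnt` would also read better under a descriptive name such as `found`.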
@@ -0,0 +1,66 @@ +From 09aef0473b1b1f38de9591dc12b498ca4163b981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 19:45:14 -0700 +Subject: x86/entry: Work around Clang __bdos() bug + +From: Kees Cook + +[ Upstream commit 3e1730842f142add55dc658929221521a9ea62b6 ] + +Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y +and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic +offset. Work around this by using a direct assignment of an empty +instance. Avoids this warning: + +../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn +ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat +tribute-warning] + __write_overflow_field(p_size_field, size); + ^ + +which was isolated to the memset() call in xen_load_idt(). + +Note that this looks very much like another bug that was worked around: +https://github.com/ClangBuiltLinux/linux/issues/1592 + +Cc: Juergen Gross +Cc: Boris Ostrovsky +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: x86@kernel.org +Cc: "H. 
Peter Anvin" +Cc: xen-devel@lists.xenproject.org +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/x86/xen/enlighten_pv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c +index 65cf405cd975..26b35e75b701 100644 +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -759,6 +759,7 @@ static void xen_load_idt(const struct desc_ptr *desc) + { + static DEFINE_SPINLOCK(lock); + static struct trap_info traps[257]; ++ static const struct trap_info zero = { }; + unsigned out; + + trace_xen_cpu_load_idt(desc); +@@ -768,7 +769,7 @@ static void xen_load_idt(const struct desc_ptr *desc) + memcpy(this_cpu_ptr(&idt_desc), desc, sizeof(idt_desc)); + + out = xen_convert_trap_info(desc, traps, false); +- memset(&traps[out], 0, sizeof(traps[0])); ++ traps[out] = zero; + + xen_mc_flush(); + if (HYPERVISOR_set_trap_table(traps)) +-- +2.35.1 + diff --git a/queue-5.4/x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch b/queue-5.4/x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch new file mode 100644 index 00000000000..4e22f863acc --- /dev/null +++ b/queue-5.4/x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch 
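Review bot: The new `traps[out] = zero;` in xen_load_idt() carries no comment explaining why a struct assignment replaces the usual memset(), so it is likely to be "cleaned up" back and reintroduce the Clang warning. I would add `/* struct assignment instead of memset(): works around a Clang __bdos() false positive with FORTIFY_SOURCE + UBSAN_BOUNDS */` above it. Separately, the index still depends on `xen_convert_trap_info()` returning at most 256 for the 257-entry `traps` array; that contract is outside the hunk and worth stating next to the array declaration.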
@@ -0,0 +1,68 @@ +From 56025062b39e09904d9aab25ce6be6f91aeedceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:37:05 +0200 +Subject: x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition + +From: Vitaly Kuznetsov + +[ Upstream commit ea9da788a61e47e7ab9cbad397453e51cd82ac0d ] + +Section 1.9 of TLFS v6.0b says: + +"All structures are padded in such a way that fields are aligned +naturally (that is, an 8-byte field is aligned to an offset of 8 bytes +and so on)". + +'struct enlightened_vmcs' has a glitch: + +... + struct { + u32 nested_flush_hypercall:1; /* 836: 0 4 */ + u32 msr_bitmap:1; /* 836: 1 4 */ + u32 reserved:30; /* 836: 2 4 */ + } hv_enlightenments_control; /* 836 4 */ + u32 hv_vp_id; /* 840 4 */ + u64 hv_vm_id; /* 844 8 */ + u64 partition_assist_page; /* 852 8 */ +... + +And the observed values in 'partition_assist_page' make no sense at +all. Fix the layout by padding the structure properly. + +Fixes: 68d1eb72ee99 ("x86/hyper-v: define struct hv_enlightened_vmcs and clean field bits") +Reviewed-by: Maxim Levitsky +Reviewed-by: Michael Kelley +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Link: https://lore.kernel.org/r/20220830133737.1539624-2-vkuznets@redhat.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/hyperv-tlfs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/hyperv-tlfs.h b/arch/x86/include/asm/hyperv-tlfs.h +index 7741e211f7f5..333e61e6dbe7 100644 +--- a/arch/x86/include/asm/hyperv-tlfs.h ++++ b/arch/x86/include/asm/hyperv-tlfs.h +@@ -721,7 +721,7 @@ struct hv_enlightened_vmcs { + u64 guest_rip; + + u32 hv_clean_fields; +- u32 hv_padding_32; ++ u32 padding32_1; + u32 hv_synthetic_controls; + struct { + u32 nested_flush_hypercall:1; +@@ -729,7 +729,7 @@ struct hv_enlightened_vmcs { + u32 reserved:30; + } __packed hv_enlightenments_control; + u32 hv_vp_id; +- ++ u32 padding32_2; + u64 hv_vm_id; + u64 
partition_assist_page; + u64 padding64_4[4]; +-- +2.35.1 + diff --git a/queue-5.4/x86-microcode-amd-track-patch-allocation-size-explic.patch b/queue-5.4/x86-microcode-amd-track-patch-allocation-size-explic.patch new file mode 100644 index 00000000000..16307fc2553 --- /dev/null +++ b/queue-5.4/x86-microcode-amd-track-patch-allocation-size-explic.patch 
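Review bot: The corrected layout of `struct hv_enlightened_vmcs` is not enforced by anything in these hunks, so the next field added near `hv_vp_id` can misalign `hv_vm_id` and `partition_assist_page` again without a build failure. The structure is an interface to the hypervisor, and the commit message reports nonsensical values in `partition_assist_page` from exactly this kind of drift. A compile-time check next to the definition, for example `static_assert(offsetof(struct hv_enlightened_vmcs, hv_vm_id) % 8 == 0);`, would catch it; a short comment on `padding32_2` saying it provides the natural alignment quoted from the TLFS would help as well. The structure definition starts and ends outside the hunks.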
@@ -0,0 +1,64 @@ +From 98e1520119bb6ec623ad29b29e497cc4b1652ce7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 20:10:10 -0700 +Subject: x86/microcode/AMD: Track patch allocation size explicitly + +From: Kees Cook + +[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ] + +In preparation for reducing the use of ksize(), record the actual +allocation size for later memcpy(). This avoids copying extra +(uninitialized!) bytes into the patch buffer when the requested +allocation size isn't exactly the size of a kmalloc bucket. +Additionally, fix potential future issues where runtime bounds checking +will notice that the buffer was allocated to a smaller value than +returned by ksize(). + +Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD") +Suggested-by: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/microcode.h | 1 + + arch/x86/kernel/cpu/microcode/amd.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h +index 91a06cef50c1..f73327397b89 100644 +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -9,6 +9,7 @@ + struct ucode_patch { + struct list_head plist; + void *data; /* Intel uses only this one */ ++ unsigned int size; + u32 patch_id; + u16 equiv_cpu; + }; +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index a0e52bd00ecc..3b82d022dcd4 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -783,6 +783,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, + kfree(patch); + return -EINVAL; + } ++ patch->size = *patch_size; + + mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE); + 
proc_id = mc_hdr->processor_rev_id; +@@ -864,7 +865,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) + return ret; + + memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); +- memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); ++ memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); + + return ret; + } +-- +2.35.1 + diff --git a/queue-5.4/x86-resctrl-fix-to-restore-to-original-value-when-re.patch b/queue-5.4/x86-resctrl-fix-to-restore-to-original-value-when-re.patch new file mode 100644 index 00000000000..4e63a3f9147 --- /dev/null +++ b/queue-5.4/x86-resctrl-fix-to-restore-to-original-value-when-re.patch 
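Review bot: The new `unsigned int size;` member of `struct ucode_patch` has no comment, while `data` beside it does, and its meaning matters for the `memcpy()` in load_microcode_amd(). From the hunks it is assigned only in verify_and_add_patch() from `*patch_size`; whether the Intel loader, which the existing comment says uses only `data`, ever sets it is not visible. I would document it as `unsigned int size; /* bytes allocated for data; set by the AMD loader */` so a later user neither falls back to `ksize()` nor trusts `size` on a patch where it was never filled in. Both function bodies extend outside the hunks.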
@@ -0,0 +1,108 @@ +From 0c8799a9f1b38445f422bd42eb8fcc2af9c03b54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 09:44:10 -0700 +Subject: x86/resctrl: Fix to restore to original value when re-enabling + hardware prefetch register + +From: Kohei Tarumizu + +[ Upstream commit 499c8bb4693d1c8d8f3d6dd38e5bdde3ff5bd906 ] + +The current pseudo_lock.c code overwrites the value of the +MSR_MISC_FEATURE_CONTROL to 0 even if the original value is not 0. +Therefore, modify it to save and restore the original values. + +Fixes: 018961ae5579 ("x86/intel_rdt: Pseudo-lock region creation/removal core") +Fixes: 443810fe6160 ("x86/intel_rdt: Create debugfs files for pseudo-locking testing") +Fixes: 8a2fc0e1bc0c ("x86/intel_rdt: More precise L2 hit/miss measurements") +Signed-off-by: Kohei Tarumizu +Signed-off-by: Dave Hansen +Acked-by: Reinette Chatre +Link: https://lkml.kernel.org/r/eb660f3c2010b79a792c573c02d01e8e841206ad.1661358182.git.reinette.chatre@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/pseudo_lock.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/pseudo_lock.c b/arch/x86/kernel/cpu/resctrl/pseudo_lock.c +index d7623e1b927d..f186470c2e66 100644 +--- a/arch/x86/kernel/cpu/resctrl/pseudo_lock.c ++++ b/arch/x86/kernel/cpu/resctrl/pseudo_lock.c +@@ -416,6 +416,7 @@ static int pseudo_lock_fn(void *_rdtgrp) + struct pseudo_lock_region *plr = rdtgrp->plr; + u32 rmid_p, closid_p; + unsigned long i; ++ u64 saved_msr; + #ifdef CONFIG_KASAN + /* + * The registers used for local register variables are also used +@@ -459,6 +460,7 @@ static int pseudo_lock_fn(void *_rdtgrp) + * the buffer and evict pseudo-locked memory read earlier from the + * cache. 
+ */ ++ saved_msr = __rdmsr(MSR_MISC_FEATURE_CONTROL); + __wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0); + closid_p = this_cpu_read(pqr_state.cur_closid); + rmid_p = this_cpu_read(pqr_state.cur_rmid); +@@ -510,7 +512,7 @@ static int pseudo_lock_fn(void *_rdtgrp) + __wrmsr(IA32_PQR_ASSOC, rmid_p, closid_p); + + /* Re-enable the hardware prefetcher(s) */ +- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0); ++ wrmsrl(MSR_MISC_FEATURE_CONTROL, saved_msr); + local_irq_enable(); + + plr->thread_done = 1; +@@ -867,6 +869,7 @@ bool rdtgroup_pseudo_locked_in_hierarchy(struct rdt_domain *d) + static int measure_cycles_lat_fn(void *_plr) + { + struct pseudo_lock_region *plr = _plr; ++ u32 saved_low, saved_high; + unsigned long i; + u64 start, end; + void *mem_r; +@@ -875,6 +878,7 @@ static int measure_cycles_lat_fn(void *_plr) + /* + * Disable hardware prefetchers. + */ ++ rdmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0); + mem_r = READ_ONCE(plr->kmem); + /* +@@ -891,7 +895,7 @@ static int measure_cycles_lat_fn(void *_plr) + end = rdtsc_ordered(); + trace_pseudo_lock_mem_latency((u32)(end - start)); + } +- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0); ++ wrmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + local_irq_enable(); + plr->thread_done = 1; + wake_up_interruptible(&plr->lock_thread_wq); +@@ -936,6 +940,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr, + u64 hits_before = 0, hits_after = 0, miss_before = 0, miss_after = 0; + struct perf_event *miss_event, *hit_event; + int hit_pmcnum, miss_pmcnum; ++ u32 saved_low, saved_high; + unsigned int line_size; + unsigned int size; + unsigned long i; +@@ -969,6 +974,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr, + /* + * Disable hardware prefetchers. 
+ */ ++ rdmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0); + + /* Initialize rest of local variables */ +@@ -1027,7 +1033,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr, + */ + rmb(); + /* Re-enable hardware prefetchers */ +- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0); ++ wrmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + local_irq_enable(); + out_hit: + perf_event_release_kernel(hit_event); +-- +2.35.1 + diff --git a/queue-5.4/xfrm-update-ipcomp_scratches-with-null-when-freed.patch b/queue-5.4/xfrm-update-ipcomp_scratches-with-null-when-freed.patch new file mode 100644 index 00000000000..4a303ec4e3c --- /dev/null +++ b/queue-5.4/xfrm-update-ipcomp_scratches-with-null-when-freed.patch 
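Review bot: The three save/restore sites use different MSR accessors without saying why: pseudo_lock_fn() saves with `__rdmsr()` and restores with `wrmsrl()`, while measure_cycles_lat_fn() and measure_residency_fn() use `rdmsr()`/`wrmsr()` with split halves. If the untraced `__rdmsr()` is deliberate in pseudo_lock_fn() (the surrounding comment, only partly visible, is about not evicting pseudo-locked memory), a one-line comment such as `/* untraced read: avoid extra memory accesses while locking */` would record that. Otherwise a single form in all three functions would be easier to audit. All three function bodies extend outside the hunks.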
@@ -0,0 +1,72 @@
+From 9edaff54ffb6f7b0dcf96d724e65726ef9f0acdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Sep 2022 13:12:10 +0600
+Subject: xfrm: Update ipcomp_scratches with NULL when freed
+
+From: Khalid Masum
+
+[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]
+
+Currently if ipcomp_alloc_scratches() fails to allocate memory
+ipcomp_scratches holds obsolete address. So when we try to free the
+percpu scratches using ipcomp_free_scratches() it tries to vfree non
+existent vm area. Described below:
+
+static void * __percpu *ipcomp_alloc_scratches(void)
+{
+ ...
+ scratches = alloc_percpu(void *);
+ if (!scratches)
+ return NULL;
+ipcomp_scratches does not know about this allocation failure.
+Therefore holding the old obsolete address.
+ ...
+}
+
+So when we free,
+
+static void ipcomp_free_scratches(void)
+{
+ ...
+ scratches = ipcomp_scratches;
+Assigning obsolete address from ipcomp_scratches
+
+ if (!scratches)
+ return;
+
+ for_each_possible_cpu(i)
+ vfree(*per_cpu_ptr(scratches, i));
+Trying to free non existent page, causing warning: trying to vfree
+existent vm area.
+ ...
+}
+
+Fix this breakage by updating ipcomp_scrtches with NULL when scratches
+is freed
+
+Suggested-by: Herbert Xu
+Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Signed-off-by: Khalid Masum
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_ipcomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
+index 4d422447aadc..4fca4b6cec8b 100644
+--- a/net/xfrm/xfrm_ipcomp.c
++++ b/net/xfrm/xfrm_ipcomp.c
+@@ -212,6 +212,7 @@ static void ipcomp_free_scratches(void)
+ vfree(*per_cpu_ptr(scratches, i));
+
+ free_percpu(scratches);
++ ipcomp_scratches = NULL;
+ }
+
+ static void * __percpu *ipcomp_alloc_scratches(void)
+--
+2.35.1
+
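Review bot: The added `ipcomp_scratches = NULL;` carries no comment saying why the global has to be cleared, and the reason cannot be read off the hunk. Per the commit message, ipcomp_alloc_scratches() can return on allocation failure without updating ipcomp_scratches, so a stale value would be handed to vfree()/free_percpu() a second time on the next free. I would add `/* Reset so a later failed allocation cannot leave a stale pointer for the next free. */` above the assignment. The clear presumably relies on the caller's locking to be ordered against other users of ipcomp_scratches, which is not visible here; ipcomp_free_scratches() starts outside the hunk.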
diff --git a/queue-5.4/xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch b/queue-5.4/xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch
new file mode 100644
index 00000000000..c6fe493ee3c
--- /dev/null
+++ b/queue-5.4/xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch
@@ -0,0 +1,48 @@
+From c07190a6e91f7476748f742e315664972ce4cba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Sep 2022 15:34:47 +0300
+Subject: xhci: Don't show warning for reinit on known broken suspend
+
+From: Mario Limonciello
+
+[ Upstream commit 484d6f7aa3283d082c87654b7fe7a7f725423dfb ]
+
+commit 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was
+set") introduced a new warning message when the host controller error
+was set and re-initializing.
+
+This is expected behavior on some designs which already set
+`xhci->broken_suspend` so the new warning is alarming to some users.
+
+Modify the code to only show the warning if this was a surprising behavior
+to the XHCI driver.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216470
+Fixes: 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was set")
+Reported-by: Artem S. Tashkinov
+Signed-off-by: Mario Limonciello
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20220921123450.671459-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/host/xhci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 5ce16a259e61..3537113f006f 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1163,7 +1163,8 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ /* re-initialize the HC on Restore Error, or Host Controller Error */
+ if (temp & (STS_SRE | STS_HCE)) {
+ reinit_xhc = true;
+- xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);
++ if (!xhci->broken_suspend)
++ xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);
+ }
+
+ if (reinit_xhc) {
+--
+2.35.1
+
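Review bot: With `xhci->broken_suspend` set, the reinit on STS_SRE/STS_HCE now leaves no log record at all, so a controller that faults at resume for an unrelated reason cannot be told apart from the expected case during triage. I would keep the message at debug level rather than drop it, e.g. `else xhci_dbg(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);` after the new `if`. The rest of xhci_resume() lies outside the hunk, so this assumes no other message already records the reinit on that path.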