From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 11 Apr 2022 13:24:25 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.9.310~39
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=22bcdf3fee08d6daaec32233ff8359d6b69d8998;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	dmaengine-revert-dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
	kvm-avoid-null-pointer-dereference-in-kvm_dirty_ring_push.patch
	revert-net-mlx5-accept-devlink-user-input-after-driver-initialization-complete.patch
---

diff --git a/queue-5.15/dmaengine-revert-dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch b/queue-5.15/dmaengine-revert-dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
new file mode 100644
index 00000000000..55997c153d4
--- /dev/null
+++ b/queue-5.15/dmaengine-revert-dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
@@ -0,0 +1,33 @@
+From d143f939a95696d38ff800ada14402fa50ebbd6c Mon Sep 17 00:00:00 2001
+From: Vinod Koul <vkoul@kernel.org>
+Date: Thu, 10 Mar 2022 10:13:20 +0530
+Subject: dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
+
+From: Vinod Koul <vkoul@kernel.org>
+
+commit d143f939a95696d38ff800ada14402fa50ebbd6c upstream.
+
+This reverts commit 455896c53d5b ("dmaengine: shdma: Fix runtime PM
+imbalance on error") as the patch wrongly reduced the count on error and
+did not bail out. So drop the count by reverting the patch .
+
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/shdma-base.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/dma/sh/shdma-base.c
++++ b/drivers/dma/sh/shdma-base.c
+@@ -115,10 +115,8 @@ static dma_cookie_t shdma_tx_submit(stru
+ 		ret = pm_runtime_get(schan->dev);
+ 
+ 		spin_unlock_irq(&schan->chan_lock);
+-		if (ret < 0) {
++		if (ret < 0)
+ 			dev_err(schan->dev, "%s(): GET = %d\n", __func__, ret);
+-			pm_runtime_put(schan->dev);
+-		}
+ 
+ 		pm_runtime_barrier(schan->dev);
+ 
diff --git a/queue-5.15/kvm-avoid-null-pointer-dereference-in-kvm_dirty_ring_push.patch b/queue-5.15/kvm-avoid-null-pointer-dereference-in-kvm_dirty_ring_push.patch
new file mode 100644
index 00000000000..eeaf25a2173
--- /dev/null
+++ b/queue-5.15/kvm-avoid-null-pointer-dereference-in-kvm_dirty_ring_push.patch
@@ -0,0 +1,50 @@
+From 5593473a1e6c743764b08e3b6071cb43b5cfa6c4 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 6 Apr 2022 13:13:42 -0400
+Subject: KVM: avoid NULL pointer dereference in kvm_dirty_ring_push
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 5593473a1e6c743764b08e3b6071cb43b5cfa6c4 upstream.
+
+kvm_vcpu_release() will call kvm_dirty_ring_free(), freeing
+ring->dirty_gfns and setting it to NULL.  Afterwards, it calls
+kvm_arch_vcpu_destroy().
+
+However, if closing the file descriptor races with KVM_RUN in such away
+that vcpu->arch.st.preempted == 0, the following call stack leads to a
+NULL pointer dereference in kvm_dirty_run_push():
+
+ mark_page_dirty_in_slot+0x192/0x270 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3171
+ kvm_steal_time_set_preempted arch/x86/kvm/x86.c:4600 [inline]
+ kvm_arch_vcpu_put+0x34e/0x5b0 arch/x86/kvm/x86.c:4618
+ vcpu_put+0x1b/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:211
+ vmx_free_vcpu+0xcb/0x130 arch/x86/kvm/vmx/vmx.c:6985
+ kvm_arch_vcpu_destroy+0x76/0x290 arch/x86/kvm/x86.c:11219
+ kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
+
+The fix is to release the dirty page ring after kvm_arch_vcpu_destroy
+has run.
+
+Reported-by: Qiuhao Li <qiuhao@sysec.org>
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Reported-by: Yongkang Jia <kangel@zju.edu.cn>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -431,8 +431,8 @@ static void kvm_vcpu_init(struct kvm_vcp
+ 
+ void kvm_vcpu_destroy(struct kvm_vcpu *vcpu)
+ {
+-	kvm_dirty_ring_free(&vcpu->dirty_ring);
+ 	kvm_arch_vcpu_destroy(vcpu);
++	kvm_dirty_ring_free(&vcpu->dirty_ring);
+ 
+ 	/*
+ 	 * No need for rcu_read_lock as VCPU_RUN is the only place that changes
diff --git a/queue-5.15/revert-net-mlx5-accept-devlink-user-input-after-driver-initialization-complete.patch b/queue-5.15/revert-net-mlx5-accept-devlink-user-input-after-driver-initialization-complete.patch
new file mode 100644
index 00000000000..afc6a7e46d6
--- /dev/null
+++ b/queue-5.15/revert-net-mlx5-accept-devlink-user-input-after-driver-initialization-complete.patch
@@ -0,0 +1,126 @@
+From dann.frazier@canonical.com  Mon Apr 11 15:15:19 2022
+From: dann frazier <dann.frazier@canonical.com>
+Date: Thu,  7 Apr 2022 14:16:42 -0600
+Subject: Revert "net/mlx5: Accept devlink user input after driver initialization complete"
+To: stable@vger.kernel.org, Leon Romanovsky <leonro@nvidia.com>, "David S . Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Cc: amirtz@nvidia.com
+Message-ID: <20220407201642.1770157-1-dann.frazier@canonical.com>
+
+From: dann frazier <dann.frazier@canonical.com>
+
+This reverts commit 9cc25e8529d567e08da98d11f092b21449763144 which is
+commit 64ea2d0e7263b67d8efc93fa1baace041ed36d1e upstream.
+
+This patch was shown to introduce a regression:
+
+  # devlink dev param show pci/0000:24:00.0 name flow_steering_mode
+  pci/0000:24:00.0:
+    name flow_steering_mode type driver-specific
+      values:
+
+  (flow steering mode description is missing beneath "values:")
+
+  # devlink dev param set pci/0000:24:00.0 name flow_steering_mode value smfs cmode runtime
+  Segmentation fault (core dumped)
+
+  and also with upstream iproute
+  # ./iproute2/devlink/devlink dev param set pci/0000:24:00.0 name flow_steering_mode value smfs cmode runtime
+  Configuration mode not supported
+
+Note: Instead of reverting, we could instead also backport commit cf530217408e
+("devlink: Notify users when objects are accessible"). However, that makes
+changes to core devlink code that I'm not sure are suitable for a stable
+backport.
+
+Cc: Leon Romanovsky <leonro@nvidia.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Sasha Levin <sashal@kernel.org>
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/devlink.c       |   12 ++++++++++--
+ drivers/net/ethernet/mellanox/mlx5/core/main.c          |    2 --
+ drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c |    2 --
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+@@ -793,11 +793,14 @@ int mlx5_devlink_register(struct devlink
+ {
+ 	int err;
+ 
+-	err = devlink_params_register(devlink, mlx5_devlink_params,
+-				      ARRAY_SIZE(mlx5_devlink_params));
++	err = devlink_register(devlink);
+ 	if (err)
+ 		return err;
+ 
++	err = devlink_params_register(devlink, mlx5_devlink_params,
++				      ARRAY_SIZE(mlx5_devlink_params));
++	if (err)
++		goto params_reg_err;
+ 	mlx5_devlink_set_params_init_values(devlink);
+ 
+ 	err = mlx5_devlink_auxdev_params_register(devlink);
+@@ -808,6 +811,7 @@ int mlx5_devlink_register(struct devlink
+ 	if (err)
+ 		goto traps_reg_err;
+ 
++	devlink_params_publish(devlink);
+ 	return 0;
+ 
+ traps_reg_err:
+@@ -815,13 +819,17 @@ traps_reg_err:
+ auxdev_reg_err:
+ 	devlink_params_unregister(devlink, mlx5_devlink_params,
+ 				  ARRAY_SIZE(mlx5_devlink_params));
++params_reg_err:
++	devlink_unregister(devlink);
+ 	return err;
+ }
+ 
+ void mlx5_devlink_unregister(struct devlink *devlink)
+ {
++	devlink_params_unpublish(devlink);
+ 	mlx5_devlink_traps_unregister(devlink);
+ 	mlx5_devlink_auxdev_params_unregister(devlink);
+ 	devlink_params_unregister(devlink, mlx5_devlink_params,
+ 				  ARRAY_SIZE(mlx5_devlink_params));
++	devlink_unregister(devlink);
+ }
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1541,7 +1541,6 @@ static int probe_one(struct pci_dev *pde
+ 		dev_err(&pdev->dev, "mlx5_crdump_enable failed with error code %d\n", err);
+ 
+ 	pci_save_state(pdev);
+-	devlink_register(devlink);
+ 	if (!mlx5_core_is_mp_slave(dev))
+ 		devlink_reload_enable(devlink);
+ 	return 0;
+@@ -1564,7 +1563,6 @@ static void remove_one(struct pci_dev *p
+ 	struct devlink *devlink = priv_to_devlink(dev);
+ 
+ 	devlink_reload_disable(devlink);
+-	devlink_unregister(devlink);
+ 	mlx5_crdump_disable(dev);
+ 	mlx5_drain_health_wq(dev);
+ 	mlx5_uninit_one(dev);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+@@ -46,7 +46,6 @@ static int mlx5_sf_dev_probe(struct auxi
+ 		mlx5_core_warn(mdev, "mlx5_init_one err=%d\n", err);
+ 		goto init_one_err;
+ 	}
+-	devlink_register(devlink);
+ 	devlink_reload_enable(devlink);
+ 	return 0;
+ 
+@@ -66,7 +65,6 @@ static void mlx5_sf_dev_remove(struct au
+ 
+ 	devlink = priv_to_devlink(sf_dev->mdev);
+ 	devlink_reload_disable(devlink);
+-	devlink_unregister(devlink);
+ 	mlx5_uninit_one(sf_dev->mdev);
+ 	iounmap(sf_dev->mdev->iseg);
+ 	mlx5_mdev_uninit(sf_dev->mdev);
diff --git a/queue-5.15/series b/queue-5.15/series
index fa281359ffa..adb719b0e82 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -257,3 +257,6 @@ perf-build-don-t-use-ffat-lto-objects-in-the-python-feature-test-when-building-w
 perf-python-fix-probing-for-some-clang-command-line-options.patch
 tools-build-filter-out-options-and-warnings-not-supported-by-clang.patch
 tools-build-use-shell-instead-of-to-get-embedded-libperl-s-ccopts.patch
+dmaengine-revert-dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
+kvm-avoid-null-pointer-dereference-in-kvm_dirty_ring_push.patch
+revert-net-mlx5-accept-devlink-user-input-after-driver-initialization-complete.patch