From: Sasha Levin Date: Sat, 24 Feb 2024 13:35:41 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v4.19.308~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2876d31511fe23a92c6a3731771dcdc08c492442;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-hda-realtek-enable-micmute-led-on-and-hp-system.patch b/queue-5.4/alsa-hda-realtek-enable-micmute-led-on-and-hp-system.patch new file mode 100644 index 00000000000..eb6bc4fddfb --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-enable-micmute-led-on-and-hp-system.patch @@ -0,0 +1,43 @@ +From 9940c6ab39d054d15ece5a4d7fc0f605834613e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Apr 2020 16:32:52 +0800 +Subject: ALSA: hda/realtek - Enable micmute LED on and HP system + +From: Kai-Heng Feng + +[ Upstream commit 3e0650ab26e2010ee312311612e40e076ed1feca ] + +Though the system uses DMIC, headset mic still uses the HDA, let's use +GPIO 0x1 to control the micmute LED. + +The micmute LED GPIO has a different polarity to the mute LED GPIO, we +can use the newly added micmute_led_polarity to indicate that. + +Signed-off-by: Kai-Heng Feng +Link: https://lore.kernel.org/r/20200430083255.5093-2-kai.heng.feng@canonical.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index d8ee1b1ee7e3d..893b9fde59ac0 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4326,7 +4326,11 @@ static void alc269_fixup_hp_gpio_led(struct hda_codec *codec, + static void alc285_fixup_hp_gpio_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +- alc_fixup_hp_gpio_led(codec, action, 0x04, 0x00); ++ struct alc_spec *spec = codec->spec; ++ ++ spec->micmute_led_polarity = 1; ++ ++ alc_fixup_hp_gpio_led(codec, action, 0x04, 0x01); + } + + static void alc286_fixup_hp_gpio_led(struct hda_codec *codec, +-- +2.43.0 + diff --git a/queue-5.4/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch b/queue-5.4/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch new file mode 100644 index 00000000000..d5f2e85e316 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch @@ -0,0 +1,42 @@ +From 3ae12c33c35246212e946e6ff32d012ca301203d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 19:47:40 +0530 +Subject: arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node + +From: Sireesh Kodali + +[ Upstream commit 5458d6f2827cd30218570f266b8d238417461f2f ] + +The smem-state properties for the pronto node were incorrectly labelled, +reading `qcom,state*` rather than `qcom,smem-state*`. Fix that, allowing +the stop state to be used. + +Fixes: 88106096cbf8 ("ARM: dts: msm8916: Add and enable wcnss node") +Signed-off-by: Sireesh Kodali +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Stephan Gerhold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220526141740.15834-3-sireeshkodali1@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index bf40500adef73..e1097ba6c9481 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -1097,8 +1097,8 @@ + vddmx-supply = <&pm8916_l3>; + vddpx-supply = <&pm8916_l7>; + +- qcom,state = <&wcnss_smp2p_out 0>; +- qcom,state-names = "stop"; ++ qcom,smem-states = <&wcnss_smp2p_out 0>; ++ qcom,smem-state-names = "stop"; + + pinctrl-names = "default"; + pinctrl-0 = <&wcnss_pin_a>; +-- +2.43.0 + diff --git a/queue-5.4/dm-integrity-don-t-modify-bio-s-immutable-bio_vec-in.patch b/queue-5.4/dm-integrity-don-t-modify-bio-s-immutable-bio_vec-in.patch new file mode 100644 index 00000000000..48bf4fc5a03 --- /dev/null +++ b/queue-5.4/dm-integrity-don-t-modify-bio-s-immutable-bio_vec-in.patch @@ -0,0 +1,73 @@ +From a786824d93478146b4fd965e4c4a3a05732e0cdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Dec 2023 16:39:16 +0100 +Subject: dm-integrity: don't modify bio's immutable bio_vec in + integrity_metadata() + +From: Mikulas Patocka + +commit b86f4b790c998afdbc88fe1aa55cfe89c4068726 upstream. + +__bio_for_each_segment assumes that the first struct bio_vec argument +doesn't change - it calls "bio_advance_iter_single((bio), &(iter), +(bvl).bv_len)" to advance the iterator. Unfortunately, the dm-integrity +code changes the bio_vec with "bv.bv_len -= pos". When this code path +is taken, the iterator would be out of sync and dm-integrity would +report errors. This happens if the machine is out of memory and +"kmalloc" fails. + +Fix this bug by making a copy of "bv" and changing the copy instead. + +Fixes: 7eada909bfd7 ("dm: add integrity target") +Cc: stable@vger.kernel.org # v4.12+ +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/md/dm-integrity.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c +index 81157801a3dc6..f3246f7407d61 100644 +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -1582,11 +1582,12 @@ static void integrity_metadata(struct work_struct *w) + } + + __bio_for_each_segment(bv, bio, iter, dio->bio_details.bi_iter) { ++ struct bio_vec bv_copy = bv; + unsigned pos; + char *mem, *checksums_ptr; + + again: +- mem = (char *)kmap_atomic(bv.bv_page) + bv.bv_offset; ++ mem = (char *)kmap_atomic(bv_copy.bv_page) + bv_copy.bv_offset; + pos = 0; + checksums_ptr = checksums; + do { +@@ -1595,7 +1596,7 @@ static void integrity_metadata(struct work_struct *w) + sectors_to_process -= ic->sectors_per_block; + pos += ic->sectors_per_block << SECTOR_SHIFT; + sector += ic->sectors_per_block; +- } while (pos < bv.bv_len && sectors_to_process && checksums != checksums_onstack); ++ } while (pos < bv_copy.bv_len && sectors_to_process && checksums != checksums_onstack); + kunmap_atomic(mem); + + r = dm_integrity_rw_tag(ic, checksums, &dio->metadata_block, &dio->metadata_offset, +@@ -1615,9 +1616,9 @@ static void integrity_metadata(struct work_struct *w) + if (!sectors_to_process) + break; + +- if (unlikely(pos < bv.bv_len)) { +- bv.bv_offset += pos; +- bv.bv_len -= pos; ++ if (unlikely(pos < bv_copy.bv_len)) { ++ bv_copy.bv_offset += pos; ++ bv_copy.bv_len -= pos; + goto again; + } + } +-- +2.43.0 + diff --git a/queue-5.4/driver-core-set-deferred_probe_timeout-to-a-longer-d.patch b/queue-5.4/driver-core-set-deferred_probe_timeout-to-a-longer-d.patch new file mode 100644 index 00000000000..8c34587af51 --- /dev/null +++ b/queue-5.4/driver-core-set-deferred_probe_timeout-to-a-longer-d.patch @@ -0,0 +1,69 @@ +From 1e05ef4f11c455ba5f4a8e886a33d329861d77f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2020 05:08:24 +0000 +Subject: driver core: Set deferred_probe_timeout to a longer default if + CONFIG_MODULES is set + +From: John Stultz + +[ Upstream commit e2cec7d6853712295cef5377762165a489b2957f ] + +When using modules, its common for the modules not to be loaded +until quite late by userland. With the current code, +driver_deferred_probe_check_state() will stop returning +EPROBE_DEFER after late_initcall, which can cause module +dependency resolution to fail after that. + +So allow a longer window of 30 seconds (picked somewhat +arbitrarily, but influenced by the similar regulator core +timeout value) in the case where modules are enabled. + +Cc: linux-pm@vger.kernel.org +Cc: Greg Kroah-Hartman +Cc: Linus Walleij +Cc: Thierry Reding +Cc: Mark Brown +Cc: Liam Girdwood +Cc: Bjorn Andersson +Cc: Saravana Kannan +Cc: Todd Kjos +Cc: Len Brown +Cc: Pavel Machek +Cc: Ulf Hansson +Cc: Kevin Hilman +Cc: "Rafael J. Wysocki" +Cc: Rob Herring +Reviewed-by: Bjorn Andersson +Reviewed-by: Rafael J. Wysocki +Signed-off-by: John Stultz +Link: https://lore.kernel.org/r/20200225050828.56458-3-john.stultz@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index 7941a8fd22841..0b97a0c96baa3 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -224,7 +224,16 @@ static int deferred_devs_show(struct seq_file *s, void *data) + } + DEFINE_SHOW_ATTRIBUTE(deferred_devs); + ++#ifdef CONFIG_MODULES ++/* ++ * In the case of modules, set the default probe timeout to ++ * 30 seconds to give userland some time to load needed modules ++ */ ++static int deferred_probe_timeout = 30; ++#else ++/* In the case of !modules, no probe timeout needed */ + static int deferred_probe_timeout = -1; ++#endif + static int __init deferred_probe_timeout_setup(char *str) + { + int timeout; +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-check-for-valid-number-of-registers-to-re.patch b/queue-5.4/drm-amdgpu-check-for-valid-number-of-registers-to-re.patch new file mode 100644 index 00000000000..9292d132cee --- /dev/null +++ b/queue-5.4/drm-amdgpu-check-for-valid-number-of-registers-to-re.patch @@ -0,0 +1,39 @@ +From 372f39b1ccd3c61def56a711094e42342251b07e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Aug 2019 21:25:36 +0200 +Subject: drm/amdgpu: Check for valid number of registers to read + +From: Trek + +[ Upstream commit 13238d4fa6764fa74dcf863d5f2227765b3753eb ] + +Do not try to allocate any amount of memory requested by the user. +Instead limit it to 128 registers. Actually the longest series of +consecutive allowed registers are 48, mmGB_TILE_MODE0-31 and +mmGB_MACROTILE_MODE0-15 (0x2644-0x2673). + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=111273 +Signed-off-by: Trek +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +index 26a1173df9586..1f4acb4c3efb8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -650,6 +650,9 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file + if (info->read_mmr_reg.count > 128) + return -EINVAL; + ++ if (info->read_mmr_reg.count > 128) ++ return -EINVAL; ++ + regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs), GFP_KERNEL); + if (!regs) + return -ENOMEM; +-- +2.43.0 + diff --git a/queue-5.4/drm-amdgpu-fix-type-of-second-parameter-in-trans_msg.patch b/queue-5.4/drm-amdgpu-fix-type-of-second-parameter-in-trans_msg.patch new file mode 100644 index 00000000000..9f92f256f37 --- /dev/null +++ b/queue-5.4/drm-amdgpu-fix-type-of-second-parameter-in-trans_msg.patch @@ -0,0 +1,66 @@ +From a3cb15ec4efc273f2644ed27898abe7a76e8f270 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 08:25:39 -0700 +Subject: drm/amdgpu: Fix type of second parameter in trans_msg() callback + +From: Nathan Chancellor + +[ Upstream commit f0d0f1087333714ee683cc134a95afe331d7ddd9 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c:412:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] + .trans_msg = xgpu_ai_mailbox_trans_msg, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + 1 error generated. + + drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c:435:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] + .trans_msg = xgpu_nv_mailbox_trans_msg, + ^~~~~~~~~~~~~~~~~~~~~~~~~ + 1 error generated. + +The type of the second parameter in the prototype should be 'enum +idh_request' instead of 'u32'. Update it to clear up the warnings. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reported-by: Sami Tolvanen +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +index b0b2bdc750df9..3e59b4e150237 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +@@ -48,6 +48,8 @@ struct amdgpu_vf_error_buffer { + uint64_t data[AMDGPU_VF_ERROR_ENTRY_SIZE]; + }; + ++enum idh_request; ++ + /** + * struct amdgpu_virt_ops - amdgpu device virt operations + */ +@@ -56,7 +58,8 @@ struct amdgpu_virt_ops { + int (*rel_full_gpu)(struct amdgpu_device *adev, bool init); + int (*reset_gpu)(struct amdgpu_device *adev); + int (*wait_reset)(struct amdgpu_device *adev); +- void (*trans_msg)(struct amdgpu_device *adev, u32 req, u32 data1, u32 data2, u32 data3); ++ void (*trans_msg)(struct amdgpu_device *adev, enum idh_request req, ++ u32 data1, u32 data2, u32 data3); + int (*get_pp_clk)(struct amdgpu_device *adev, u32 type, char *buf); + int (*force_dpm_level)(struct amdgpu_device *adev, u32 level); + }; +-- +2.43.0 + diff --git a/queue-5.4/iomap-set-all-uptodate-bits-for-an-uptodate-page.patch b/queue-5.4/iomap-set-all-uptodate-bits-for-an-uptodate-page.patch new file mode 100644 index 00000000000..04f627198a8 --- /dev/null +++ b/queue-5.4/iomap-set-all-uptodate-bits-for-an-uptodate-page.patch @@ -0,0 +1,55 @@ +From fbe35689c5acb3f4be7bcfe68e179efd4334a4aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 11:16:53 -0700 +Subject: iomap: Set all uptodate bits for an Uptodate page + +From: Matthew Wilcox (Oracle) + +[ Upstream commit 4595a298d5563cf76c1d852970f162051fd1a7a6 ] + +For filesystems with block size < page size, we need to set all the +per-block uptodate bits if the page was already uptodate at the time +we create the per-block metadata. This can happen if the page is +invalidated (eg by a write to drop_caches) but ultimately not removed +from the page cache. + +This is a data corruption issue as page writeback skips blocks which +are marked !uptodate. + +Fixes: 9dc55f1389f9 ("iomap: add support for sub-pagesize buffered I/O without buffer heads") +Signed-off-by: Matthew Wilcox (Oracle) +Reported-by: Qian Cai +Cc: Brian Foster +Reviewed-by: Gao Xiang +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index 53cd7b2bb580b..c28ba474a25e7 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -23,6 +23,7 @@ static struct iomap_page * + iomap_page_create(struct inode *inode, struct page *page) + { + struct iomap_page *iop = to_iomap_page(page); ++ unsigned int nr_blocks = PAGE_SIZE / i_blocksize(inode); + + if (iop || i_blocksize(inode) == PAGE_SIZE) + return iop; +@@ -32,6 +33,8 @@ iomap_page_create(struct inode *inode, struct page *page) + atomic_set(&iop->write_count, 0); + spin_lock_init(&iop->uptodate_lock); + bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE); ++ if (PageUptodate(page)) ++ bitmap_fill(iop->uptodate, nr_blocks); + + /* + * migrate_page_move_mapping() assumes that pages with private data have +-- +2.43.0 + diff --git a/queue-5.4/net-bridge-clear-bridge-s-private-skb-space-on-xmit.patch b/queue-5.4/net-bridge-clear-bridge-s-private-skb-space-on-xmit.patch new file mode 100644 index 00000000000..8711c01c1fa --- /dev/null +++ b/queue-5.4/net-bridge-clear-bridge-s-private-skb-space-on-xmit.patch @@ -0,0 +1,41 @@ +From 1b7d453d70d48cbe94d4852b59f35f360480fe85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 19:26:16 +0300 +Subject: net: bridge: clear bridge's private skb space on xmit + +From: Nikolay Aleksandrov + +[ Upstream commit fd65e5a95d08389444e8591a20538b3edece0e15 ] + +We need to clear all of the bridge private skb variables as they can be +stale due to the packet being recirculated through the stack and then +transmitted through the bridge device. Similar memset is already done on +bridge's input. We've seen cases where proxyarp_replied was 1 on routed +multicast packets transmitted through the bridge to ports with neigh +suppress which were getting dropped. Same thing can in theory happen with +the port isolation bit as well. + +Fixes: 821f1b21cabb ("bridge: add new BR_NEIGH_SUPPRESS port flag to suppress arp and nd flood") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c +index f085b1648e66c..501f77f0f480a 100644 +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -35,6 +35,8 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) + const unsigned char *dest; + u16 vid = 0; + ++ memset(skb->cb, 0, sizeof(struct br_input_skb_cb)); ++ + rcu_read_lock(); + nf_ops = rcu_dereference(nf_br_ops); + if (nf_ops && nf_ops->br_dev_xmit_hook(skb)) { +-- +2.43.0 + diff --git a/queue-5.4/pci-tegra-fix-of-node-reference-leak.patch b/queue-5.4/pci-tegra-fix-of-node-reference-leak.patch new file mode 100644 index 00000000000..c2d084ebf91 --- /dev/null +++ b/queue-5.4/pci-tegra-fix-of-node-reference-leak.patch @@ -0,0 +1,63 @@ +From abef663720e1250cc9a04bea4250ebe50009bd6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 19:17:42 +0200 +Subject: PCI: tegra: Fix OF node reference leak + +From: Christophe JAILLET + +[ Upstream commit eff21f5da308265678e7e59821795e606f3e560f ] + +Commit 9e38e690ace3 ("PCI: tegra: Fix OF node reference leak") has fixed +some node reference leaks in this function but missed some of them. + +In fact, having 'port' referenced in the 'rp' structure is not enough to +prevent the leak, until 'rp' is actually added in the 'pcie->ports' list. + +Add the missing 'goto err_node_put' accordingly. + +Link: https://lore.kernel.org/r/55b11e9a7fa2987fbc0869d68ae59888954d65e2.1620148539.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Christophe JAILLET +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Vidya Sagar +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-tegra.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c +index 64921c63874fa..74c0ddd433815 100644 +--- a/drivers/pci/controller/pci-tegra.c ++++ b/drivers/pci/controller/pci-tegra.c +@@ -2267,13 +2267,15 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + rp->np = port; + + rp->base = devm_pci_remap_cfg_resource(dev, &rp->regs); +- if (IS_ERR(rp->base)) +- return PTR_ERR(rp->base); ++ if (IS_ERR(rp->base)) { ++ err = PTR_ERR(rp->base); ++ goto err_node_put; ++ } + + label = devm_kasprintf(dev, GFP_KERNEL, "pex-reset-%u", index); + if (!label) { +- dev_err(dev, "failed to create reset GPIO label\n"); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto err_node_put; + } + + /* +@@ -2291,7 +2293,8 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + } else { + dev_err(dev, "failed to get reset GPIO: %ld\n", + PTR_ERR(rp->reset_gpio)); +- return PTR_ERR(rp->reset_gpio); ++ err = PTR_ERR(rp->reset_gpio); ++ goto err_node_put; + } + } + +-- +2.43.0 + diff --git a/queue-5.4/pci-tegra-fix-reporting-gpio-error-value.patch b/queue-5.4/pci-tegra-fix-reporting-gpio-error-value.patch new file mode 100644 index 00000000000..49dba130fc5 --- /dev/null +++ b/queue-5.4/pci-tegra-fix-reporting-gpio-error-value.patch @@ -0,0 +1,43 @@ +From b2de3cb2dcf33b2059328f6f38afb5329b93a9ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Apr 2020 12:25:12 +0200 +Subject: PCI: tegra: Fix reporting GPIO error value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 63605f1cfcc56bcb25c48bbee75a679d85ba7675 ] + +Error code is stored in rp->reset_gpio and not in err variable. + +Link: https://lore.kernel.org/r/20200414102512.27506-1-pali@kernel.org +Signed-off-by: Pali Rohár +Signed-off-by: Lorenzo Pieralisi +Acked-by: Thierry Reding +Acked-by: Rob Herring +Stable-dep-of: eff21f5da308 ("PCI: tegra: Fix OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-tegra.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c +index 99d505a85067b..64921c63874fa 100644 +--- a/drivers/pci/controller/pci-tegra.c ++++ b/drivers/pci/controller/pci-tegra.c +@@ -2289,8 +2289,8 @@ static int tegra_pcie_parse_dt(struct tegra_pcie *pcie) + if (PTR_ERR(rp->reset_gpio) == -ENOENT) { + rp->reset_gpio = NULL; + } else { +- dev_err(dev, "failed to get reset GPIO: %d\n", +- err); ++ dev_err(dev, "failed to get reset GPIO: %ld\n", ++ PTR_ERR(rp->reset_gpio)); + return PTR_ERR(rp->reset_gpio); + } + } +-- +2.43.0 + diff --git a/queue-5.4/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch b/queue-5.4/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch new file mode 100644 index 00000000000..fe0c5921fb7 --- /dev/null +++ b/queue-5.4/pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch @@ -0,0 +1,154 @@ +From 4c7fed61191e70f79614a1402722fdc0b861bccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 15:49:24 +0100 +Subject: pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours + +From: Lee Jones + +[ Upstream commit e1524ea84af7172acc20827f8dca3fc8f72b8f37 ] + +Demote headers which are clearly not kerneldoc, provide titles for +struct definition blocks, fix API slip (bitrot) misspellings and +provide some missing entries. + +Fixes the following W=1 kernel build warning(s): + + drivers/pinctrl/pinctrl-rockchip.c:82: warning: cannot understand function prototype: 'struct rockchip_iomux ' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_DEFAULT' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_1V8_OR_3V0' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_1V8_ONLY' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_1V8_3V0_AUTO' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_IO_3V3_ONLY' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:97: warning: Enum value 'DRV_TYPE_MAX' not described in enum 'rockchip_pin_drv_type' + drivers/pinctrl/pinctrl-rockchip.c:106: warning: Enum value 'PULL_TYPE_IO_DEFAULT' not described in enum 'rockchip_pin_pull_type' + drivers/pinctrl/pinctrl-rockchip.c:106: warning: Enum value 'PULL_TYPE_IO_1V8_ONLY' not described in enum 'rockchip_pin_pull_type' + drivers/pinctrl/pinctrl-rockchip.c:106: warning: Enum value 'PULL_TYPE_MAX' not described in enum 'rockchip_pin_pull_type' + drivers/pinctrl/pinctrl-rockchip.c:109: warning: Cannot understand * @drv_type: drive strength variant using rockchip_perpin_drv_type + on line 109 - I thought it was a doc line + drivers/pinctrl/pinctrl-rockchip.c:122: warning: Cannot understand * @reg_base: register base of the gpio bank + on line 109 - I thought it was a doc line + drivers/pinctrl/pinctrl-rockchip.c:325: warning: Function parameter or member 'route_location' not described in 'rockchip_mux_route_data' + drivers/pinctrl/pinctrl-rockchip.c:328: warning: Cannot understand */ + on line 109 - I thought it was a doc line + drivers/pinctrl/pinctrl-rockchip.c:375: warning: Function parameter or member 'data' not described in 'rockchip_pin_group' + drivers/pinctrl/pinctrl-rockchip.c:387: warning: Function parameter or member 'ngroups' not described in 'rockchip_pmx_func' + +Signed-off-by: Lee Jones +Reviewed-by: Heiko Stuebner +Cc: Heiko Stuebner +Cc: Jean-Christophe PLAGNIOL-VILLARD +Cc: linux-rockchip@lists.infradead.org +Link: https://lore.kernel.org/r/20200713144930.1034632-20-lee.jones@linaro.org +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index 4b972be3487f9..a44c2680c4230 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -62,7 +62,7 @@ enum rockchip_pinctrl_type { + RK3399, + }; + +-/** ++/* + * Encode variants of iomux registers into a type variable + */ + #define IOMUX_GPIO_ONLY BIT(0) +@@ -72,6 +72,7 @@ enum rockchip_pinctrl_type { + #define IOMUX_WIDTH_3BIT BIT(4) + + /** ++ * struct rockchip_iomux + * @type: iomux variant using IOMUX_* constants + * @offset: if initialized to -1 it will be autocalculated, by specifying + * an initial offset value the relevant source offset can be reset +@@ -82,7 +83,7 @@ struct rockchip_iomux { + int offset; + }; + +-/** ++/* + * enum type index corresponding to rockchip_perpin_drv_list arrays index. + */ + enum rockchip_pin_drv_type { +@@ -94,7 +95,7 @@ enum rockchip_pin_drv_type { + DRV_TYPE_MAX + }; + +-/** ++/* + * enum type index corresponding to rockchip_pull_list arrays index. + */ + enum rockchip_pin_pull_type { +@@ -104,6 +105,7 @@ enum rockchip_pin_pull_type { + }; + + /** ++ * struct rockchip_drv + * @drv_type: drive strength variant using rockchip_perpin_drv_type + * @offset: if initialized to -1 it will be autocalculated, by specifying + * an initial offset value the relevant source offset can be reset +@@ -117,8 +119,9 @@ struct rockchip_drv { + }; + + /** ++ * struct rockchip_pin_bank + * @reg_base: register base of the gpio bank +- * @reg_pull: optional separate register for additional pull settings ++ * @regmap_pull: optional separate register for additional pull settings + * @clk: clock of the gpio bank + * @irq: interrupt of the gpio bank + * @saved_masks: Saved content of GPIO_INTEN at suspend time. +@@ -136,6 +139,8 @@ struct rockchip_drv { + * @gpio_chip: gpiolib chip + * @grange: gpio range + * @slock: spinlock for the gpio bank ++ * @toggle_edge_mode: bit mask to toggle (falling/rising) edge mode ++ * @recalced_mask: bit mask to indicate a need to recalulate the mask + * @route_mask: bits describing the routing pins of per bank + */ + struct rockchip_pin_bank { +@@ -310,6 +315,7 @@ enum rockchip_mux_route_location { + * @bank_num: bank number. + * @pin: index at register or used to calc index. + * @func: the min pin. ++ * @route_location: the mux route location (same, pmu, grf). + * @route_offset: the max pin. + * @route_val: the register offset. + */ +@@ -322,8 +328,6 @@ struct rockchip_mux_route_data { + u32 route_val; + }; + +-/** +- */ + struct rockchip_pin_ctrl { + struct rockchip_pin_bank *pin_banks; + u32 nr_banks; +@@ -361,9 +365,7 @@ struct rockchip_pin_config { + * @name: name of the pin group, used to lookup the group. + * @pins: the pins included in this group. + * @npins: number of pins included in this group. +- * @func: the mux function number to be programmed when selected. +- * @configs: the config values to be set for each pin +- * @nconfigs: number of configs for each pin ++ * @data: local pin configuration + */ + struct rockchip_pin_group { + const char *name; +@@ -376,7 +378,7 @@ struct rockchip_pin_group { + * struct rockchip_pmx_func: represent a pin function. + * @name: name of the pin function, used to lookup the function. + * @groups: one or more names of pin groups that provide this function. +- * @num_groups: number of groups included in @groups. ++ * @ngroups: number of groups included in @groups. + */ + struct rockchip_pmx_func { + const char *name; +-- +2.43.0 + diff --git a/queue-5.4/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch b/queue-5.4/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch new file mode 100644 index 00000000000..79262cca3b1 --- /dev/null +++ b/queue-5.4/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch @@ -0,0 +1,37 @@ +From 6231eab8ea4a8f48c9a6efc7eea398748bef90d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 15:28:45 +0400 +Subject: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups + +From: Miaoqian Lin + +[ Upstream commit c818ae563bf99457f02e8170aabd6b174f629f65 ] + +of_find_node_by_phandle() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: d3e5116119bd ("pinctrl: add pinctrl driver for Rockchip SoCs") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20230102112845.3982407-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index a44c2680c4230..9388d6fac7d40 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -2536,6 +2536,7 @@ static int rockchip_pinctrl_parse_groups(struct device_node *np, + np_config = of_find_node_by_phandle(be32_to_cpup(phandle)); + ret = pinconf_generic_parse_dt_config(np_config, NULL, + &grp->data[j].configs, &grp->data[j].nconfigs); ++ of_node_put(np_config); + if (ret) + return ret; + } +-- +2.43.0 + diff --git a/queue-5.4/revert-drm-sun4i-dsi-change-the-start-delay-calculat.patch b/queue-5.4/revert-drm-sun4i-dsi-change-the-start-delay-calculat.patch new file mode 100644 index 00000000000..d8542b2c1ef --- /dev/null +++ b/queue-5.4/revert-drm-sun4i-dsi-change-the-start-delay-calculat.patch @@ -0,0 +1,48 @@ +From eb14ebef6b9913bfaa5c173dc24b4283526f1adf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 16:02:51 +0800 +Subject: Revert "drm/sun4i: dsi: Change the start delay calculation" + +From: Icenowy Zheng + +[ Upstream commit a00d17e0a71ae2e4fdaac46e1c12785d3346c3f2 ] + +This reverts commit da676c6aa6413d59ab0a80c97bbc273025e640b2. + +The original commit adds a start parameter to the calculation of the +start delay according to some old BSP versions from Allwinner. However, +there're two ways to add this delay -- add it in DSI controller or add +it in the TCON. Add it in both controllers won't work. + +The code before this commit is picked from new versions of BSP kernel, +which has a comment for the 1 that says "put start_delay to tcon". By +checking the sun4i_tcon0_mode_set_cpu() in sun4i_tcon driver, it has +already added this delay, so we shouldn't repeat to add the delay in DSI +controller, otherwise the timing won't match. + +Signed-off-by: Icenowy Zheng +Reviewed-by: Jagan Teki +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20191001080253.6135-2-icenowy@aosc.io +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c +index f2b288037b909..a18efd3055199 100644 +--- a/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c ++++ b/drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c +@@ -365,8 +365,7 @@ static void sun6i_dsi_inst_init(struct sun6i_dsi *dsi, + static u16 sun6i_dsi_get_video_start_delay(struct sun6i_dsi *dsi, + struct drm_display_mode *mode) + { +- u16 start = clamp(mode->vtotal - mode->vdisplay - 10, 8, 100); +- u16 delay = mode->vtotal - (mode->vsync_end - mode->vdisplay) + start; ++ u16 delay = mode->vtotal - (mode->vsync_end - mode->vdisplay) + 1; + + if (delay > mode->vtotal) + delay = delay % mode->vtotal; +-- +2.43.0 + diff --git a/queue-5.4/selftests-bpf-avoid-running-unprivileged-tests-with-.patch b/queue-5.4/selftests-bpf-avoid-running-unprivileged-tests-with-.patch new file mode 100644 index 00000000000..35e330c1f05 --- /dev/null +++ b/queue-5.4/selftests-bpf-avoid-running-unprivileged-tests-with-.patch @@ -0,0 +1,60 @@ +From 7f4979bc30e7e18e52f05d39eb1b6b37518fcf25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Nov 2020 08:16:39 +0100 +Subject: selftests/bpf: Avoid running unprivileged tests with alignment + requirements +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit c77b0589ca29ad1859fe7d7c1ecd63c0632379fa ] + +Some architectures have strict alignment requirements. In that case, +the BPF verifier detects if a program has unaligned accesses and +rejects them. A user can pass BPF_F_ANY_ALIGNMENT to a program to +override this check. That, however, will only work when a privileged +user loads a program. An unprivileged user loading a program with this +flag will be rejected prior entering the verifier. + +Hence, it does not make sense to load unprivileged programs without +strict alignment when testing the verifier. This patch avoids exactly +that. + +Signed-off-by: Björn Töpel +Signed-off-by: Andrii Nakryiko +Acked-by: Luke Nelson +Link: https://lore.kernel.org/bpf/20201118071640.83773-3-bjorn.topel@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_verifier.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c +index 43224c5ec1e9b..1bd285dc55e94 100644 +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -1091,6 +1091,19 @@ static void get_unpriv_disabled() + + static bool test_as_unpriv(struct bpf_test *test) + { ++#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS ++ /* Some architectures have strict alignment requirements. In ++ * that case, the BPF verifier detects if a program has ++ * unaligned accesses and rejects them. A user can pass ++ * BPF_F_ANY_ALIGNMENT to a program to override this ++ * check. That, however, will only work when a privileged user ++ * loads a program. An unprivileged user loading a program ++ * with this flag will be rejected prior entering the ++ * verifier. ++ */ ++ if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) ++ return false; ++#endif + return !test->prog_type || + test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER || + test->prog_type == BPF_PROG_TYPE_CGROUP_SKB; +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 3c411413d81..d9d29ebbab7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -29,3 +29,22 @@ firewire-core-send-bus-reset-promptly-on-gap-count-e.patch virtio-blk-ensure-no-requests-in-virtqueues-before-d.patch s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-net.patch pmdomain-renesas-r8a77980-sysc-cr7-must-be-always-on.patch +tcp-factor-out-__tcp_close-helper.patch +tcp-return-epollout-from-tcp_poll-only-when-notsent_.patch +tcp-add-annotations-around-sk-sk_shutdown-accesses.patch +pinctrl-pinctrl-rockchip-fix-a-bunch-of-kerneldoc-mi.patch +pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch +driver-core-set-deferred_probe_timeout-to-a-longer-d.patch +spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch +net-bridge-clear-bridge-s-private-skb-space-on-xmit.patch +selftests-bpf-avoid-running-unprivileged-tests-with-.patch +alsa-hda-realtek-enable-micmute-led-on-and-hp-system.patch +revert-drm-sun4i-dsi-change-the-start-delay-calculat.patch +drm-amdgpu-check-for-valid-number-of-registers-to-re.patch +x86-alternatives-disable-kasan-in-apply_alternatives.patch +dm-integrity-don-t-modify-bio-s-immutable-bio_vec-in.patch +iomap-set-all-uptodate-bits-for-an-uptodate-page.patch +drm-amdgpu-fix-type-of-second-parameter-in-trans_msg.patch +arm64-dts-qcom-msm8916-fix-typo-in-pronto-remoteproc.patch +pci-tegra-fix-reporting-gpio-error-value.patch +pci-tegra-fix-of-node-reference-leak.patch diff --git a/queue-5.4/spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch b/queue-5.4/spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch new file mode 100644 index 00000000000..386645c1d7f --- /dev/null +++ b/queue-5.4/spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch @@ -0,0 +1,48 @@ +From c4e772c34e6075f6cf6803136a2e73382564c757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 13:42:07 +0200 +Subject: spi: mt7621: Fix an error message in mt7621_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 2b2bf6b7faa9010fae10dc7de76627a3fdb525b3 ] + +'status' is known to be 0 at this point. The expected error code is +PTR_ERR(clk). + +Switch to dev_err_probe() in order to display the expected error code (in a +human readable way). +This also filters -EPROBE_DEFER cases, should it happen. + +Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Matthias Brugger +Link: https://lore.kernel.org/r/928f3fb507d53ba0774df27cea0bbba4b055993b.1661599671.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt7621.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-mt7621.c b/drivers/spi/spi-mt7621.c +index b4b9b7309b5e9..351b0ef52bbc8 100644 +--- a/drivers/spi/spi-mt7621.c ++++ b/drivers/spi/spi-mt7621.c +@@ -340,11 +340,9 @@ static int mt7621_spi_probe(struct platform_device *pdev) + return PTR_ERR(base); + + clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(clk)) { +- dev_err(&pdev->dev, "unable to get SYS clock, err=%d\n", +- status); +- return PTR_ERR(clk); +- } ++ if (IS_ERR(clk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(clk), ++ "unable to get SYS clock\n"); + + status = clk_prepare_enable(clk); + if (status) +-- +2.43.0 + diff --git a/queue-5.4/tcp-add-annotations-around-sk-sk_shutdown-accesses.patch b/queue-5.4/tcp-add-annotations-around-sk-sk_shutdown-accesses.patch new file mode 100644 index 00000000000..a42641bd019 --- /dev/null +++ b/queue-5.4/tcp-add-annotations-around-sk-sk_shutdown-accesses.patch @@ -0,0 +1,158 @@ +From de4de149e7d947c9c9b11b80e6dbbfaae573971b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 20:36:56 +0000 +Subject: tcp: add annotations around sk->sk_shutdown accesses + +From: Eric Dumazet + +[ Upstream commit e14cadfd80d76f01bfaa1a8d745b1db19b57d6be ] + +Now sk->sk_shutdown is no longer a bitfield, we can add +standard READ_ONCE()/WRITE_ONCE() annotations to silence +KCSAN reports like the following: + +BUG: KCSAN: data-race in tcp_disconnect / tcp_poll + +write to 0xffff88814588582c of 1 bytes by task 3404 on cpu 1: +tcp_disconnect+0x4d6/0xdb0 net/ipv4/tcp.c:3121 +__inet_stream_connect+0x5dd/0x6e0 net/ipv4/af_inet.c:715 +inet_stream_connect+0x48/0x70 net/ipv4/af_inet.c:727 +__sys_connect_file net/socket.c:2001 [inline] +__sys_connect+0x19b/0x1b0 net/socket.c:2018 +__do_sys_connect net/socket.c:2028 [inline] +__se_sys_connect net/socket.c:2025 [inline] +__x64_sys_connect+0x41/0x50 net/socket.c:2025 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff88814588582c of 1 bytes by task 3374 on cpu 0: +tcp_poll+0x2e6/0x7d0 net/ipv4/tcp.c:562 +sock_poll+0x253/0x270 net/socket.c:1383 +vfs_poll include/linux/poll.h:88 [inline] +io_poll_check_events io_uring/poll.c:281 [inline] +io_poll_task_func+0x15a/0x820 io_uring/poll.c:333 +handle_tw_list io_uring/io_uring.c:1184 [inline] +tctx_task_work+0x1fe/0x4d0 io_uring/io_uring.c:1246 +task_work_run+0x123/0x160 kernel/task_work.c:179 +get_signal+0xe64/0xff0 kernel/signal.c:2635 +arch_do_signal_or_restart+0x89/0x2a0 arch/x86/kernel/signal.c:306 +exit_to_user_mode_loop+0x6f/0xe0 kernel/entry/common.c:168 +exit_to_user_mode_prepare+0x6c/0xb0 kernel/entry/common.c:204 +__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] +syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297 +do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x03 -> 0x00 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/af_inet.c | 2 +- + net/ipv4/tcp.c | 14 ++++++++------ + net/ipv4/tcp_input.c | 4 ++-- + 3 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index e05cdc6088507..d7ebee3c048d5 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -876,7 +876,7 @@ int inet_shutdown(struct socket *sock, int how) + EPOLLHUP, even on eg. unconnected UDP sockets -- RR */ + /* fall through */ + default: +- sk->sk_shutdown |= how; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | how); + if (sk->sk_prot->shutdown) + sk->sk_prot->shutdown(sk, how); + break; +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index e45c09977c600..8d7933989de0e 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -505,6 +505,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + __poll_t mask; + struct sock *sk = sock->sk; + const struct tcp_sock *tp = tcp_sk(sk); ++ u8 shutdown; + int state; + + sock_poll_wait(file, sock, wait); +@@ -547,9 +548,10 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + * NOTE. Check for TCP_CLOSE is added. The goal is to prevent + * blocking on fresh not-connected or disconnected socket. --ANK + */ +- if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE) ++ shutdown = READ_ONCE(sk->sk_shutdown); ++ if (shutdown == SHUTDOWN_MASK || state == TCP_CLOSE) + mask |= EPOLLHUP; +- if (sk->sk_shutdown & RCV_SHUTDOWN) ++ if (shutdown & RCV_SHUTDOWN) + mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP; + + /* Connected or passive Fast Open socket? */ +@@ -565,7 +567,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + if (tcp_stream_is_readable(tp, target, sk)) + mask |= EPOLLIN | EPOLLRDNORM; + +- if (!(sk->sk_shutdown & SEND_SHUTDOWN)) { ++ if (!(shutdown & SEND_SHUTDOWN)) { + if (__sk_stream_is_writeable(sk, 1)) { + mask |= EPOLLOUT | EPOLLWRNORM; + } else { /* send SIGIO later */ +@@ -2357,7 +2359,7 @@ void __tcp_close(struct sock *sk, long timeout) + int data_was_unread = 0; + int state; + +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + + if (sk->sk_state == TCP_LISTEN) { + tcp_set_state(sk, TCP_CLOSE); +@@ -2629,7 +2631,7 @@ int tcp_disconnect(struct sock *sk, int flags) + if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) + inet_reset_saddr(sk); + +- sk->sk_shutdown = 0; ++ WRITE_ONCE(sk->sk_shutdown, 0); + sock_reset_flag(sk, SOCK_DONE); + tp->srtt_us = 0; + tp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT); +@@ -3905,7 +3907,7 @@ void tcp_done(struct sock *sk) + if (req) + reqsk_fastopen_remove(sk, req, false); + +- sk->sk_shutdown = SHUTDOWN_MASK; ++ WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); + + if (!sock_flag(sk, SOCK_DEAD)) + sk->sk_state_change(sk); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 982fe464156a4..61243531a7f4c 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -4216,7 +4216,7 @@ void tcp_fin(struct sock *sk) + + inet_csk_schedule_ack(sk); + +- sk->sk_shutdown |= RCV_SHUTDOWN; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN); + sock_set_flag(sk, SOCK_DONE); + + switch (sk->sk_state) { +@@ -6354,7 +6354,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + break; + + tcp_set_state(sk, TCP_FIN_WAIT2); +- sk->sk_shutdown |= SEND_SHUTDOWN; ++ WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | SEND_SHUTDOWN); + + sk_dst_confirm(sk); + +-- +2.43.0 + diff --git a/queue-5.4/tcp-factor-out-__tcp_close-helper.patch b/queue-5.4/tcp-factor-out-__tcp_close-helper.patch new file mode 100644 index 00000000000..161d3d40f72 --- /dev/null +++ b/queue-5.4/tcp-factor-out-__tcp_close-helper.patch @@ -0,0 +1,67 @@ +From 97ae9e0cd6f7e20c6f2eb580f14005e91777a3ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Nov 2020 10:48:04 +0100 +Subject: tcp: factor out __tcp_close() helper + +From: Paolo Abeni + +[ Upstream commit 77c3c95637526f1e4330cc9a4b2065f668c2c4fe ] + +unlocked version of protocol level close, will be used by +MPTCP to allow decouple orphaning and subflow level close. + +Signed-off-by: Paolo Abeni +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 1 + + net/ipv4/tcp.c | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index af67e19eba392..164ba7b77bd9f 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -391,6 +391,7 @@ void tcp_update_metrics(struct sock *sk); + void tcp_init_metrics(struct sock *sk); + void tcp_metrics_init(void); + bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst); ++void __tcp_close(struct sock *sk, long timeout); + void tcp_close(struct sock *sk, long timeout); + void tcp_init_sock(struct sock *sk); + void tcp_init_transfer(struct sock *sk, int bpf_op); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 53a8522adf681..6a52fdcf9e4ef 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2351,13 +2351,12 @@ bool tcp_check_oom(struct sock *sk, int shift) + return too_many_orphans || out_of_socket_memory; + } + +-void tcp_close(struct sock *sk, long timeout) ++void __tcp_close(struct sock *sk, long timeout) + { + struct sk_buff *skb; + int data_was_unread = 0; + int state; + +- lock_sock(sk); + sk->sk_shutdown = SHUTDOWN_MASK; + + if (sk->sk_state == TCP_LISTEN) { +@@ -2521,6 +2520,12 @@ void tcp_close(struct sock *sk, long timeout) + out: + bh_unlock_sock(sk); + local_bh_enable(); ++} ++ ++void tcp_close(struct sock *sk, long timeout) ++{ ++ lock_sock(sk); ++ __tcp_close(sk, timeout); + release_sock(sk); + sock_put(sk); + } +-- +2.43.0 + diff --git a/queue-5.4/tcp-return-epollout-from-tcp_poll-only-when-notsent_.patch b/queue-5.4/tcp-return-epollout-from-tcp_poll-only-when-notsent_.patch new file mode 100644 index 00000000000..77f6c1f962b --- /dev/null +++ b/queue-5.4/tcp-return-epollout-from-tcp_poll-only-when-notsent_.patch @@ -0,0 +1,53 @@ +From d144016c436e114ea27bb2ec6d899243a3e8e5f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 17:52:09 -0400 +Subject: tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half + the limit + +From: Soheil Hassas Yeganeh + +[ Upstream commit 8ba3c9d1c6d75d1e6af2087278b30e17f68e1fff ] + +If there was any event available on the TCP socket, tcp_poll() +will be called to retrieve all the events. In tcp_poll(), we call +sk_stream_is_writeable() which returns true as long as we are at least +one byte below notsent_lowat. This will result in quite a few +spurious EPLLOUT and frequent tiny sendmsg() calls as a result. + +Similar to sk_stream_write_space(), use __sk_stream_is_writeable +with a wake value of 1, so that we set EPOLLOUT only if half the +space is available for write. + +Signed-off-by: Soheil Hassas Yeganeh +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 6a52fdcf9e4ef..e45c09977c600 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -566,7 +566,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + mask |= EPOLLIN | EPOLLRDNORM; + + if (!(sk->sk_shutdown & SEND_SHUTDOWN)) { +- if (sk_stream_is_writeable(sk)) { ++ if (__sk_stream_is_writeable(sk, 1)) { + mask |= EPOLLOUT | EPOLLWRNORM; + } else { /* send SIGIO later */ + sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk); +@@ -578,7 +578,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait) + * pairs with the input side. + */ + smp_mb__after_atomic(); +- if (sk_stream_is_writeable(sk)) ++ if (__sk_stream_is_writeable(sk, 1)) + mask |= EPOLLOUT | EPOLLWRNORM; + } + } else +-- +2.43.0 + diff --git a/queue-5.4/x86-alternatives-disable-kasan-in-apply_alternatives.patch b/queue-5.4/x86-alternatives-disable-kasan-in-apply_alternatives.patch new file mode 100644 index 00000000000..7ca66a5516b --- /dev/null +++ b/queue-5.4/x86-alternatives-disable-kasan-in-apply_alternatives.patch @@ -0,0 +1,81 @@ +From 07f101c011767f7e86e370622ff6457246b4c6e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2023 13:04:24 +0300 +Subject: x86/alternatives: Disable KASAN in apply_alternatives() + +From: Kirill A. Shutemov + +[ Upstream commit d35652a5fc9944784f6f50a5c979518ff8dacf61 ] + +Fei has reported that KASAN triggers during apply_alternatives() on +a 5-level paging machine: + + BUG: KASAN: out-of-bounds in rcu_is_watching() + Read of size 4 at addr ff110003ee6419a0 by task swapper/0/0 + ... + __asan_load4() + rcu_is_watching() + trace_hardirqs_on() + text_poke_early() + apply_alternatives() + ... + +On machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57) +gets patched. It includes KASAN code, where KASAN_SHADOW_START depends on +__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled(). + +KASAN gets confused when apply_alternatives() patches the +KASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START +static, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue. + +Fix it for real by disabling KASAN while the kernel is patching alternatives. + +[ mingo: updated the changelog ] + +Fixes: 6657fca06e3f ("x86/mm: Allow to boot without LA57 if CONFIG_X86_5LEVEL=y") +Reported-by: Fei Yang +Signed-off-by: Kirill A. Shutemov +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20231012100424.1456-1-kirill.shutemov@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/alternative.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c +index 15bad8d598949..faae8a1856709 100644 +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -374,6 +374,17 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start, + u8 insn_buff[MAX_PATCH_LEN]; + + DPRINTK("alt table %px, -> %px", start, end); ++ ++ /* ++ * In the case CONFIG_X86_5LEVEL=y, KASAN_SHADOW_START is defined using ++ * cpu_feature_enabled(X86_FEATURE_LA57) and is therefore patched here. ++ * During the process, KASAN becomes confused seeing partial LA57 ++ * conversion and triggers a false-positive out-of-bound report. ++ * ++ * Disable KASAN until the patching is complete. ++ */ ++ kasan_disable_current(); ++ + /* + * The scan order should be from start to end. A later scanned + * alternative code can overwrite previously scanned alternative code. +@@ -434,6 +445,8 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start, + + text_poke_early(instr, insn_buff, insn_buff_sz); + } ++ ++ kasan_enable_current(); + } + + #ifdef CONFIG_SMP +-- +2.43.0 +