From: Greg Kroah-Hartman Date: Fri, 25 Feb 2022 12:00:53 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.304~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3172eca0889ee812e094e367c2add74476c24f65;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: cdc-ncm-avoid-overflow-in-sanity-checking.patch drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch drm-amdgpu-check-vm-ready-by-amdgpu_vm-evicting-flag.patch drm-amdgpu-disable-mmhub-pg-for-picasso.patch drm-amdgpu-do-not-enable-asic-reset-for-raven2.patch drm-i915-correctly-populate-use_sagv_wm-for-all-pipes.patch drm-i915-fix-bw-atomic-check-when-switching-between-sagv-vs.-no-sagv.patch drm-i915-widen-the-qgv-point-mask.patch netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch netfilter-xt_socket-missing-ifdef-config_ip6_nf_iptables-dependency.patch sr9700-sanity-check-for-packet-length.patch usb-zaurus-support-another-broken-zaurus.patch --- diff --git a/queue-5.15/cdc-ncm-avoid-overflow-in-sanity-checking.patch b/queue-5.15/cdc-ncm-avoid-overflow-in-sanity-checking.patch new file mode 100644 index 00000000000..c9a6fb504d5 --- /dev/null +++ b/queue-5.15/cdc-ncm-avoid-overflow-in-sanity-checking.patch @@ -0,0 +1,51 @@ +From 8d2b1a1ec9f559d30b724877da4ce592edc41fdc Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 15 Feb 2022 11:35:47 +0100 +Subject: CDC-NCM: avoid overflow in sanity checking + +From: Oliver Neukum + +commit 8d2b1a1ec9f559d30b724877da4ce592edc41fdc upstream. + +A broken device may give an extreme offset like 0xFFF0 +and a reasonable length for a fragment. In the sanity +check as formulated now, this will create an integer +overflow, defeating the sanity check. Both offset +and offset + len need to be checked in such a manner +that no overflow can occur. +And those quantities should be unsigned. + +Signed-off-by: Oliver Neukum +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1715,10 +1715,10 @@ int cdc_ncm_rx_fixup(struct usbnet *dev, + { + struct sk_buff *skb; + struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0]; +- int len; ++ unsigned int len; + int nframes; + int x; +- int offset; ++ unsigned int offset; + union { + struct usb_cdc_ncm_ndp16 *ndp16; + struct usb_cdc_ncm_ndp32 *ndp32; +@@ -1790,8 +1790,8 @@ next_ndp: + break; + } + +- /* sanity checking */ +- if (((offset + len) > skb_in->len) || ++ /* sanity checking - watch out for integer wrap*/ ++ if ((offset > skb_in->len) || (len > skb_in->len - offset) || + (len > ctx->rx_max) || (len < ETH_HLEN)) { + netif_dbg(dev, rx_err, dev->net, + "invalid frame detected (ignored) offset[%u]=%u, length=%u, skb=%p\n", diff --git a/queue-5.15/drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch b/queue-5.15/drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch new file mode 100644 index 00000000000..262e7e26a6b --- /dev/null +++ b/queue-5.15/drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch @@ -0,0 +1,49 @@ +From 7294863a6f01248d72b61d38478978d638641bee Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Tue, 1 Feb 2022 10:26:33 -0600 +Subject: drm/amd: Check if ASPM is enabled from PCIe subsystem + +From: Mario Limonciello + +commit 7294863a6f01248d72b61d38478978d638641bee upstream. + +commit 0064b0ce85bb ("drm/amd/pm: enable ASPM by default") enabled ASPM +by default but a variety of hardware configurations it turns out that this +caused a regression. + +* PPC64LE hardware does not support ASPM at a hardware level. + CONFIG_PCIEASPM is often disabled on these architectures. +* Some dGPUs on ALD platforms don't work with ASPM enabled and PCIe subsystem + disables it + +Check with the PCIe subsystem to see that ASPM has been enabled +or not. + +Fixes: 0064b0ce85bb ("drm/amd/pm: enable ASPM by default") +Link: https://wiki.raptorcs.com/w/images/a/ad/P9_PHB_version1.0_27July2018_pub.pdf +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1723 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1739 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1885 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1907 +Tested-by: koba.ko@canonical.com +Reviewed-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1278,6 +1278,9 @@ static int amdgpu_pci_probe(struct pci_d + bool is_fw_fb; + resource_size_t base, size; + ++ if (amdgpu_aspm == -1 && !pcie_aspm_enabled(pdev)) ++ amdgpu_aspm = 0; ++ + if (amdgpu_virtual_display || + amdgpu_device_asic_has_dc_support(flags & AMD_ASIC_MASK)) + supports_atomic = true; diff --git a/queue-5.15/drm-amdgpu-check-vm-ready-by-amdgpu_vm-evicting-flag.patch b/queue-5.15/drm-amdgpu-check-vm-ready-by-amdgpu_vm-evicting-flag.patch new file mode 100644 index 00000000000..b295ca8c1d7 --- /dev/null +++ b/queue-5.15/drm-amdgpu-check-vm-ready-by-amdgpu_vm-evicting-flag.patch @@ -0,0 +1,78 @@ +From c1a66c3bc425ff93774fb2f6eefa67b83170dd7e Mon Sep 17 00:00:00 2001 +From: Qiang Yu +Date: Mon, 21 Feb 2022 17:53:56 +0800 +Subject: drm/amdgpu: check vm ready by amdgpu_vm->evicting flag +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Qiang Yu + +commit c1a66c3bc425ff93774fb2f6eefa67b83170dd7e upstream. + +Workstation application ANSA/META v21.1.4 get this error dmesg when +running CI test suite provided by ANSA/META: +[drm:amdgpu_gem_va_ioctl [amdgpu]] *ERROR* Couldn't update BO_VA (-16) + +This is caused by: +1. create a 256MB buffer in invisible VRAM +2. CPU map the buffer and access it causes vm_fault and try to move + it to visible VRAM +3. force visible VRAM space and traverse all VRAM bos to check if + evicting this bo is valuable +4. when checking a VM bo (in invisible VRAM), amdgpu_vm_evictable() + will set amdgpu_vm->evicting, but latter due to not in visible + VRAM, won't really evict it so not add it to amdgpu_vm->evicted +5. before next CS to clear the amdgpu_vm->evicting, user VM ops + ioctl will pass amdgpu_vm_ready() (check amdgpu_vm->evicted) + but fail in amdgpu_vm_bo_update_mapping() (check + amdgpu_vm->evicting) and get this error log + +This error won't affect functionality as next CS will finish the +waiting VM ops. But we'd better clear the error log by checking +the amdgpu_vm->evicting flag in amdgpu_vm_ready() to stop calling +amdgpu_vm_bo_update_mapping() later. + +Another reason is amdgpu_vm->evicted list holds all BOs (both +user buffer and page table), but only page table BOs' eviction +prevent VM ops. amdgpu_vm->evicting flag is set only for page +table BOs, so we should use evicting flag instead of evicted list +in amdgpu_vm_ready(). + +The side effect of this change is: previously blocked VM op (user +buffer in "evicted" list but no page table in it) gets done +immediately. + +v2: update commit comments. + +Acked-by: Paul Menzel +Reviewed-by: Christian König +Signed-off-by: Qiang Yu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -768,11 +768,16 @@ int amdgpu_vm_validate_pt_bos(struct amd + * Check if all VM PDs/PTs are ready for updates + * + * Returns: +- * True if eviction list is empty. ++ * True if VM is not evicting. + */ + bool amdgpu_vm_ready(struct amdgpu_vm *vm) + { +- return list_empty(&vm->evicted); ++ bool ret; ++ ++ amdgpu_vm_eviction_lock(vm); ++ ret = !vm->evicting; ++ amdgpu_vm_eviction_unlock(vm); ++ return ret; + } + + /** diff --git a/queue-5.15/drm-amdgpu-disable-mmhub-pg-for-picasso.patch b/queue-5.15/drm-amdgpu-disable-mmhub-pg-for-picasso.patch new file mode 100644 index 00000000000..b949de35e4f --- /dev/null +++ b/queue-5.15/drm-amdgpu-disable-mmhub-pg-for-picasso.patch @@ -0,0 +1,35 @@ +From f626dd0ff05043e5a7154770cc7cda66acee33a3 Mon Sep 17 00:00:00 2001 +From: Evan Quan +Date: Thu, 20 Jan 2022 16:15:52 +0800 +Subject: drm/amdgpu: disable MMHUB PG for Picasso + +From: Evan Quan + +commit f626dd0ff05043e5a7154770cc7cda66acee33a3 upstream. + +MMHUB PG needs to be disabled for Picasso for stability reasons. + +Signed-off-by: Evan Quan +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/soc15.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/soc15.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c +@@ -1273,8 +1273,11 @@ static int soc15_common_early_init(void + AMD_CG_SUPPORT_SDMA_LS | + AMD_CG_SUPPORT_VCN_MGCG; + ++ /* ++ * MMHUB PG needs to be disabled for Picasso for ++ * stability reasons. ++ */ + adev->pg_flags = AMD_PG_SUPPORT_SDMA | +- AMD_PG_SUPPORT_MMHUB | + AMD_PG_SUPPORT_VCN; + } else { + adev->cg_flags = AMD_CG_SUPPORT_GFX_MGCG | diff --git a/queue-5.15/drm-amdgpu-do-not-enable-asic-reset-for-raven2.patch b/queue-5.15/drm-amdgpu-do-not-enable-asic-reset-for-raven2.patch new file mode 100644 index 00000000000..8533fa08015 --- /dev/null +++ b/queue-5.15/drm-amdgpu-do-not-enable-asic-reset-for-raven2.patch @@ -0,0 +1,40 @@ +From 1e2be869c8a7247a7253ef4f461f85e2f5931b95 Mon Sep 17 00:00:00 2001 +From: Chen Gong +Date: Thu, 17 Feb 2022 15:29:41 +0800 +Subject: drm/amdgpu: do not enable asic reset for raven2 + +From: Chen Gong + +commit 1e2be869c8a7247a7253ef4f461f85e2f5931b95 upstream. + +The GPU reset function of raven2 is not maintained or tested, so it should be +very unstable. + +Now the amdgpu_asic_reset function is added to amdgpu_pmops_suspend, which +causes the S3 test of raven2 to fail, so the asic_reset of raven2 is ignored +here. + +Fixes: daf8de0874ab5b ("drm/amdgpu: always reset the asic in suspend (v2)") +Signed-off-by: Chen Gong +Acked-by: Alex Deucher +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/soc15.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/soc15.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c +@@ -607,8 +607,8 @@ soc15_asic_reset_method(struct amdgpu_de + static int soc15_asic_reset(struct amdgpu_device *adev) + { + /* original raven doesn't have full asic reset */ +- if ((adev->apu_flags & AMD_APU_IS_RAVEN) && +- !(adev->apu_flags & AMD_APU_IS_RAVEN2)) ++ if ((adev->apu_flags & AMD_APU_IS_RAVEN) || ++ (adev->apu_flags & AMD_APU_IS_RAVEN2)) + return 0; + + switch (soc15_asic_reset_method(adev)) { diff --git a/queue-5.15/drm-i915-correctly-populate-use_sagv_wm-for-all-pipes.patch b/queue-5.15/drm-i915-correctly-populate-use_sagv_wm-for-all-pipes.patch new file mode 100644 index 00000000000..b5b47add972 --- /dev/null +++ b/queue-5.15/drm-i915-correctly-populate-use_sagv_wm-for-all-pipes.patch @@ -0,0 +1,69 @@ +From afc189df6bcc6be65961deb54e15ec60e7f85337 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 18 Feb 2022 08:40:34 +0200 +Subject: drm/i915: Correctly populate use_sagv_wm for all pipes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit afc189df6bcc6be65961deb54e15ec60e7f85337 upstream. + +When changing between SAGV vs. no SAGV on tgl+ we have to +update the use_sagv_wm flag for all the crtcs or else +an active pipe not already in the state will end up using +the wrong watermarks. That is especially bad when we end up +with the tighter non-SAGV watermarks with SAGV enabled. +Usually ends up in underruns. + +Cc: stable@vger.kernel.org +Reviewed-by: Stanislav Lisovskiy +Fixes: 7241c57d3140 ("drm/i915: Add TGL+ SAGV support") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220218064039.12834-2-ville.syrjala@linux.intel.com +(cherry picked from commit 8dd8ffb824ca7b897ce9f2082ffa7e64831c22dc) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/intel_pm.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_pm.c ++++ b/drivers/gpu/drm/i915/intel_pm.c +@@ -4020,6 +4020,17 @@ static int intel_compute_sagv_mask(struc + return ret; + } + ++ if (intel_can_enable_sagv(dev_priv, new_bw_state) != ++ intel_can_enable_sagv(dev_priv, old_bw_state)) { ++ ret = intel_atomic_serialize_global_state(&new_bw_state->base); ++ if (ret) ++ return ret; ++ } else if (new_bw_state->pipe_sagv_reject != old_bw_state->pipe_sagv_reject) { ++ ret = intel_atomic_lock_global_state(&new_bw_state->base); ++ if (ret) ++ return ret; ++ } ++ + for_each_new_intel_crtc_in_state(state, crtc, + new_crtc_state, i) { + struct skl_pipe_wm *pipe_wm = &new_crtc_state->wm.skl.optimal; +@@ -4035,17 +4046,6 @@ static int intel_compute_sagv_mask(struc + intel_can_enable_sagv(dev_priv, new_bw_state); + } + +- if (intel_can_enable_sagv(dev_priv, new_bw_state) != +- intel_can_enable_sagv(dev_priv, old_bw_state)) { +- ret = intel_atomic_serialize_global_state(&new_bw_state->base); +- if (ret) +- return ret; +- } else if (new_bw_state->pipe_sagv_reject != old_bw_state->pipe_sagv_reject) { +- ret = intel_atomic_lock_global_state(&new_bw_state->base); +- if (ret) +- return ret; +- } +- + return 0; + } + diff --git a/queue-5.15/drm-i915-fix-bw-atomic-check-when-switching-between-sagv-vs.-no-sagv.patch b/queue-5.15/drm-i915-fix-bw-atomic-check-when-switching-between-sagv-vs.-no-sagv.patch new file mode 100644 index 00000000000..8c97536e7e2 --- /dev/null +++ b/queue-5.15/drm-i915-fix-bw-atomic-check-when-switching-between-sagv-vs.-no-sagv.patch @@ -0,0 +1,88 @@ +From ec663bca9128f13eada25cd0446e7fcb5fcdc088 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 18 Feb 2022 08:40:35 +0200 +Subject: drm/i915: Fix bw atomic check when switching between SAGV vs. no SAGV +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit ec663bca9128f13eada25cd0446e7fcb5fcdc088 upstream. + +If the only thing that is changing is SAGV vs. no SAGV but +the number of active planes and the total data rates end up +unchanged we currently bail out of intel_bw_atomic_check() +early and forget to actually compute the new WGV point +mask and thus won't actually enable/disable SAGV as requested. +This ends up poorly if we end up running with SAGV enabled +when we shouldn't. Usually ends up in underruns. + +To fix this let's go through the QGV point mask computation +if either the data rates/number of planes, or the state +of SAGV is changing. + +v2: Check more carefully if things are changing to avoid + the extra calculations/debugs from introducing unwanted + overhead + +Cc: stable@vger.kernel.org +Reviewed-by: Stanislav Lisovskiy #v1 +Fixes: 20f505f22531 ("drm/i915: Restrict qgv points which don't have enough bandwidth.") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220218064039.12834-3-ville.syrjala@linux.intel.com +(cherry picked from commit 6b728595ffa51c087343c716bccbfc260f120e72) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_bw.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_bw.c ++++ b/drivers/gpu/drm/i915/display/intel_bw.c +@@ -681,6 +681,7 @@ int intel_bw_atomic_check(struct intel_a + unsigned int max_bw_point = 0, max_bw = 0; + unsigned int num_qgv_points = dev_priv->max_bw[0].num_qgv_points; + unsigned int num_psf_gv_points = dev_priv->max_bw[0].num_psf_gv_points; ++ bool changed = false; + u32 mask = 0; + + /* FIXME earlier gens need some checks too */ +@@ -724,6 +725,8 @@ int intel_bw_atomic_check(struct intel_a + new_bw_state->data_rate[crtc->pipe] = new_data_rate; + new_bw_state->num_active_planes[crtc->pipe] = new_active_planes; + ++ changed = true; ++ + drm_dbg_kms(&dev_priv->drm, + "pipe %c data rate %u num active planes %u\n", + pipe_name(crtc->pipe), +@@ -731,7 +734,19 @@ int intel_bw_atomic_check(struct intel_a + new_bw_state->num_active_planes[crtc->pipe]); + } + +- if (!new_bw_state) ++ old_bw_state = intel_atomic_get_old_bw_state(state); ++ new_bw_state = intel_atomic_get_new_bw_state(state); ++ ++ if (new_bw_state && ++ intel_can_enable_sagv(dev_priv, old_bw_state) != ++ intel_can_enable_sagv(dev_priv, new_bw_state)) ++ changed = true; ++ ++ /* ++ * If none of our inputs (data rates, number of active ++ * planes, SAGV yes/no) changed then nothing to do here. ++ */ ++ if (!changed) + return 0; + + ret = intel_atomic_lock_global_state(&new_bw_state->base); +@@ -814,7 +829,6 @@ int intel_bw_atomic_check(struct intel_a + */ + new_bw_state->qgv_points_mask = ~allowed_points & mask; + +- old_bw_state = intel_atomic_get_old_bw_state(state); + /* + * If the actual mask had changed we need to make sure that + * the commits are serialized(in case this is a nomodeset, nonblocking) diff --git a/queue-5.15/drm-i915-widen-the-qgv-point-mask.patch b/queue-5.15/drm-i915-widen-the-qgv-point-mask.patch new file mode 100644 index 00000000000..30760514e43 --- /dev/null +++ b/queue-5.15/drm-i915-widen-the-qgv-point-mask.patch @@ -0,0 +1,55 @@ +From 3f33364836aacc28cd430d22cf22379e3b5ecd77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Mon, 14 Feb 2022 11:18:08 +0200 +Subject: drm/i915: Widen the QGV point mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 3f33364836aacc28cd430d22cf22379e3b5ecd77 upstream. + +adlp+ adds some extra bits to the QGV point mask. The code attempts +to handle that but forgot to actually make sure we can store those +bits in the bw state. Fix it. + +Cc: stable@vger.kernel.org +Cc: Stanislav Lisovskiy +Fixes: 192fbfb76744 ("drm/i915: Implement PSF GV point support") +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220214091811.13725-4-ville.syrjala@linux.intel.com +Reviewed-by: Stanislav Lisovskiy +(cherry picked from commit c0299cc9840b3805205173cc77782f317b78ea0e) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_bw.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_bw.h ++++ b/drivers/gpu/drm/i915/display/intel_bw.h +@@ -30,19 +30,19 @@ struct intel_bw_state { + */ + u8 pipe_sagv_reject; + ++ /* bitmask of active pipes */ ++ u8 active_pipes; ++ + /* + * Current QGV points mask, which restricts + * some particular SAGV states, not to confuse + * with pipe_sagv_mask. + */ +- u8 qgv_points_mask; ++ u16 qgv_points_mask; + + unsigned int data_rate[I915_MAX_PIPES]; + u8 num_active_planes[I915_MAX_PIPES]; + +- /* bitmask of active pipes */ +- u8 active_pipes; +- + int min_cdclk; + }; + diff --git a/queue-5.15/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch b/queue-5.15/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch new file mode 100644 index 00000000000..98a5ff53fbf --- /dev/null +++ b/queue-5.15/netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch @@ -0,0 +1,138 @@ +From b1a5983f56e371046dcf164f90bfaf704d2b89f6 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 17 Feb 2022 23:41:20 +0100 +Subject: netfilter: nf_tables_offload: incorrect flow offload action array size + +From: Pablo Neira Ayuso + +commit b1a5983f56e371046dcf164f90bfaf704d2b89f6 upstream. + +immediate verdict expression needs to allocate one slot in the flow offload +action array, however, immediate data expression does not need to do so. + +fwd and dup expression need to allocate one slot, this is missing. + +Add a new offload_action interface to report if this expression needs to +allocate one slot in the flow offload action array. + +Fixes: be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: add offload support") +Reported-and-tested-by: Nick Gregory +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 2 +- + include/net/netfilter/nf_tables_offload.h | 2 -- + net/netfilter/nf_tables_offload.c | 3 ++- + net/netfilter/nft_dup_netdev.c | 6 ++++++ + net/netfilter/nft_fwd_netdev.c | 6 ++++++ + net/netfilter/nft_immediate.c | 12 +++++++++++- + 6 files changed, 26 insertions(+), 5 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -883,9 +883,9 @@ struct nft_expr_ops { + int (*offload)(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr); ++ bool (*offload_action)(const struct nft_expr *expr); + void (*offload_stats)(struct nft_expr *expr, + const struct flow_stats *stats); +- u32 offload_flags; + const struct nft_expr_type *type; + void *data; + }; +--- a/include/net/netfilter/nf_tables_offload.h ++++ b/include/net/netfilter/nf_tables_offload.h +@@ -67,8 +67,6 @@ struct nft_flow_rule { + struct flow_rule *rule; + }; + +-#define NFT_OFFLOAD_F_ACTION (1 << 0) +- + void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow, + enum flow_dissector_key_id addr_type); + +--- a/net/netfilter/nf_tables_offload.c ++++ b/net/netfilter/nf_tables_offload.c +@@ -94,7 +94,8 @@ struct nft_flow_rule *nft_flow_rule_crea + + expr = nft_expr_first(rule); + while (nft_expr_more(rule, expr)) { +- if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION) ++ if (expr->ops->offload_action && ++ expr->ops->offload_action(expr)) + num_actions++; + + expr = nft_expr_next(expr); +--- a/net/netfilter/nft_dup_netdev.c ++++ b/net/netfilter/nft_dup_netdev.c +@@ -67,6 +67,11 @@ static int nft_dup_netdev_offload(struct + return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_MIRRED, oif); + } + ++static bool nft_dup_netdev_offload_action(const struct nft_expr *expr) ++{ ++ return true; ++} ++ + static struct nft_expr_type nft_dup_netdev_type; + static const struct nft_expr_ops nft_dup_netdev_ops = { + .type = &nft_dup_netdev_type, +@@ -75,6 +80,7 @@ static const struct nft_expr_ops nft_dup + .init = nft_dup_netdev_init, + .dump = nft_dup_netdev_dump, + .offload = nft_dup_netdev_offload, ++ .offload_action = nft_dup_netdev_offload_action, + }; + + static struct nft_expr_type nft_dup_netdev_type __read_mostly = { +--- a/net/netfilter/nft_fwd_netdev.c ++++ b/net/netfilter/nft_fwd_netdev.c +@@ -77,6 +77,11 @@ static int nft_fwd_netdev_offload(struct + return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_REDIRECT, oif); + } + ++static bool nft_fwd_netdev_offload_action(const struct nft_expr *expr) ++{ ++ return true; ++} ++ + struct nft_fwd_neigh { + u8 sreg_dev; + u8 sreg_addr; +@@ -219,6 +224,7 @@ static const struct nft_expr_ops nft_fwd + .dump = nft_fwd_netdev_dump, + .validate = nft_fwd_validate, + .offload = nft_fwd_netdev_offload, ++ .offload_action = nft_fwd_netdev_offload_action, + }; + + static const struct nft_expr_ops * +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -213,6 +213,16 @@ static int nft_immediate_offload(struct + return 0; + } + ++static bool nft_immediate_offload_action(const struct nft_expr *expr) ++{ ++ const struct nft_immediate_expr *priv = nft_expr_priv(expr); ++ ++ if (priv->dreg == NFT_REG_VERDICT) ++ return true; ++ ++ return false; ++} ++ + static const struct nft_expr_ops nft_imm_ops = { + .type = &nft_imm_type, + .size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)), +@@ -224,7 +234,7 @@ static const struct nft_expr_ops nft_imm + .dump = nft_immediate_dump, + .validate = nft_immediate_validate, + .offload = nft_immediate_offload, +- .offload_flags = NFT_OFFLOAD_F_ACTION, ++ .offload_action = nft_immediate_offload_action, + }; + + struct nft_expr_type nft_imm_type __read_mostly = { diff --git a/queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch b/queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch new file mode 100644 index 00000000000..7f478952f23 --- /dev/null +++ b/queue-5.15/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch @@ -0,0 +1,34 @@ +From 75063c9294fb239bbe64eb72141b6871fe526d29 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 8 Feb 2022 18:30:43 -0800 +Subject: netfilter: xt_socket: fix a typo in socket_mt_destroy() + +From: Eric Dumazet + +commit 75063c9294fb239bbe64eb72141b6871fe526d29 upstream. + +Calling nf_defrag_ipv4_disable() instead of nf_defrag_ipv6_disable() +was probably not the intent. + +I found this by code inspection, while chasing a possible issue in TPROXY. + +Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed") +Signed-off-by: Eric Dumazet +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -221,7 +221,7 @@ static void socket_mt_destroy(const stru + if (par->family == NFPROTO_IPV4) + nf_defrag_ipv4_disable(par->net); + else if (par->family == NFPROTO_IPV6) +- nf_defrag_ipv4_disable(par->net); ++ nf_defrag_ipv6_disable(par->net); + } + + static struct xt_match socket_mt_reg[] __read_mostly = { diff --git a/queue-5.15/netfilter-xt_socket-missing-ifdef-config_ip6_nf_iptables-dependency.patch b/queue-5.15/netfilter-xt_socket-missing-ifdef-config_ip6_nf_iptables-dependency.patch new file mode 100644 index 00000000000..eb32cb9b06a --- /dev/null +++ b/queue-5.15/netfilter-xt_socket-missing-ifdef-config_ip6_nf_iptables-dependency.patch @@ -0,0 +1,33 @@ +From 2874b7911132f6975e668f6849c8ac93bc4e1f35 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sat, 12 Feb 2022 00:44:11 +0100 +Subject: netfilter: xt_socket: missing ifdef CONFIG_IP6_NF_IPTABLES dependency + +From: Pablo Neira Ayuso + +commit 2874b7911132f6975e668f6849c8ac93bc4e1f35 upstream. + +nf_defrag_ipv6_disable() requires CONFIG_IP6_NF_IPTABLES. + +Fixes: 75063c9294fb ("netfilter: xt_socket: fix a typo in socket_mt_destroy()") +Reported-by: kernel test robot +Reviewed-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -220,8 +220,10 @@ static void socket_mt_destroy(const stru + { + if (par->family == NFPROTO_IPV4) + nf_defrag_ipv4_disable(par->net); ++#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + else if (par->family == NFPROTO_IPV6) + nf_defrag_ipv6_disable(par->net); ++#endif + } + + static struct xt_match socket_mt_reg[] __read_mostly = { diff --git a/queue-5.15/series b/queue-5.15/series index b892ae89519..fa89538113b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -14,3 +14,16 @@ parisc-unaligned-fix-ldw-and-stw-unalignment-handlers.patch kvm-x86-mmu-make-apf-token-non-zero-to-fix-bug.patch drm-amd-display-protect-update_bw_bounding_box-fpu-code.patch drm-amd-pm-fix-some-oem-sku-specific-stability-issues.patch +drm-amd-check-if-aspm-is-enabled-from-pcie-subsystem.patch +drm-amdgpu-disable-mmhub-pg-for-picasso.patch +drm-amdgpu-do-not-enable-asic-reset-for-raven2.patch +drm-amdgpu-check-vm-ready-by-amdgpu_vm-evicting-flag.patch +drm-i915-widen-the-qgv-point-mask.patch +drm-i915-correctly-populate-use_sagv_wm-for-all-pipes.patch +drm-i915-fix-bw-atomic-check-when-switching-between-sagv-vs.-no-sagv.patch +sr9700-sanity-check-for-packet-length.patch +usb-zaurus-support-another-broken-zaurus.patch +cdc-ncm-avoid-overflow-in-sanity-checking.patch +netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch +netfilter-xt_socket-missing-ifdef-config_ip6_nf_iptables-dependency.patch +netfilter-nf_tables_offload-incorrect-flow-offload-action-array-size.patch diff --git a/queue-5.15/sr9700-sanity-check-for-packet-length.patch b/queue-5.15/sr9700-sanity-check-for-packet-length.patch new file mode 100644 index 00000000000..a81b362b525 --- /dev/null +++ b/queue-5.15/sr9700-sanity-check-for-packet-length.patch @@ -0,0 +1,31 @@ +From e9da0b56fe27206b49f39805f7dcda8a89379062 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 17 Feb 2022 14:10:44 +0100 +Subject: sr9700: sanity check for packet length + +From: Oliver Neukum + +commit e9da0b56fe27206b49f39805f7dcda8a89379062 upstream. + +A malicious device can leak heap data to user space +providing bogus frame lengths. Introduce a sanity check. + +Signed-off-by: Oliver Neukum +Reviewed-by: Grant Grundler +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/sr9700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet + /* ignore the CRC length */ + len = (skb->data[1] | (skb->data[2] << 8)) - 4; + +- if (len > ETH_FRAME_LEN) ++ if (len > ETH_FRAME_LEN || len > skb->len) + return 0; + + /* the last packet of current skb */ diff --git a/queue-5.15/usb-zaurus-support-another-broken-zaurus.patch b/queue-5.15/usb-zaurus-support-another-broken-zaurus.patch new file mode 100644 index 00000000000..43ebdeaf4da --- /dev/null +++ b/queue-5.15/usb-zaurus-support-another-broken-zaurus.patch @@ -0,0 +1,79 @@ +From 6605cc67ca18b9d583eb96e18a20f5f4e726103c Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 14 Feb 2022 15:08:18 +0100 +Subject: USB: zaurus: support another broken Zaurus + +From: Oliver Neukum + +commit 6605cc67ca18b9d583eb96e18a20f5f4e726103c upstream. + +This SL-6000 says Direct Line, not Ethernet + +v2: added Reporter and Link + +Signed-off-by: Oliver Neukum +Reported-by: Ross Maynard +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215361 +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ether.c | 12 ++++++++++++ + drivers/net/usb/zaurus.c | 12 ++++++++++++ + 2 files changed, 24 insertions(+) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -583,6 +583,11 @@ static const struct usb_device_id produc + .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, \ + .bInterfaceProtocol = USB_CDC_PROTO_NONE + ++#define ZAURUS_FAKE_INTERFACE \ ++ .bInterfaceClass = USB_CLASS_COMM, \ ++ .bInterfaceSubClass = USB_CDC_SUBCLASS_MDLM, \ ++ .bInterfaceProtocol = USB_CDC_PROTO_NONE ++ + /* SA-1100 based Sharp Zaurus ("collie"), or compatible; + * wire-incompatible with true CDC Ethernet implementations. + * (And, it seems, needlessly so...) +@@ -638,6 +643,13 @@ static const struct usb_device_id produc + .driver_info = 0, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x9032, /* SL-6000 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = 0, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + /* reported with some C860 units */ +--- a/drivers/net/usb/zaurus.c ++++ b/drivers/net/usb/zaurus.c +@@ -256,6 +256,11 @@ static const struct usb_device_id produc + .bInterfaceSubClass = USB_CDC_SUBCLASS_ETHERNET, \ + .bInterfaceProtocol = USB_CDC_PROTO_NONE + ++#define ZAURUS_FAKE_INTERFACE \ ++ .bInterfaceClass = USB_CLASS_COMM, \ ++ .bInterfaceSubClass = USB_CDC_SUBCLASS_MDLM, \ ++ .bInterfaceProtocol = USB_CDC_PROTO_NONE ++ + /* SA-1100 based Sharp Zaurus ("collie"), or compatible. */ + { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO +@@ -315,6 +320,13 @@ static const struct usb_device_id produc + .driver_info = ZAURUS_PXA_INFO, + }, { + .match_flags = USB_DEVICE_ID_MATCH_INT_INFO ++ | USB_DEVICE_ID_MATCH_DEVICE, ++ .idVendor = 0x04DD, ++ .idProduct = 0x9032, /* SL-6000 */ ++ ZAURUS_FAKE_INTERFACE, ++ .driver_info = (unsigned long)&bogus_mdlm_info, ++}, { ++ .match_flags = USB_DEVICE_ID_MATCH_INT_INFO + | USB_DEVICE_ID_MATCH_DEVICE, + .idVendor = 0x04DD, + /* reported with some C860 units */