From: Greg Kroah-Hartman Date: Mon, 2 May 2022 17:45:48 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.192~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38332fac5c749da4e36591e795b5a6028729394f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: acpi-processor-idle-avoid-falling-back-to-c3-type-c-states.patch arm-dts-at91-sama7g5ek-enable-pull-up-on-flexcom3-console-lines.patch arm-dts-imx8mm-venice-gw-71xx-72xx-73xx-fix-otg-controller-oc-mode.patch btrfs-fix-leaked-plug-after-failure-syncing-log-on-zoned-filesystems.patch drm-i915-check-edid-for-hdr-static-metadata-when-choosing-blc.patch drm-i915-fix-sel_fetch_plane_-pipe_b-register-addresses.patch kasan-prevent-cpu_quarantine-corruption-when-cpu-offline-and-cache-shrink-occur-at-same-time.patch mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch net-ethernet-stmmac-fix-write-to-sgmii_adapter_base.patch netfilter-update-ip6_route_me_harder-to-consider-l3-domain.patch revert-acpi-processor-idle-fix-lockup-regression-on-32-bit-thinkpad-t40.patch thermal-int340x-fix-attr.show-callback-prototype.patch zonefs-clear-inode-information-flags-on-inode-creation.patch zonefs-fix-management-of-open-zones.patch --- diff --git a/queue-5.15/acpi-processor-idle-avoid-falling-back-to-c3-type-c-states.patch b/queue-5.15/acpi-processor-idle-avoid-falling-back-to-c3-type-c-states.patch new file mode 100644 index 00000000000..1b8e7ab57ae --- /dev/null +++ b/queue-5.15/acpi-processor-idle-avoid-falling-back-to-c3-type-c-states.patch @@ -0,0 +1,51 @@ +From fc45e55ebc58dbf622cb89ddbf797589c7a5510b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 21 Apr 2022 16:36:34 +0300 +Subject: ACPI: processor: idle: Avoid falling back to C3 type C-states +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit fc45e55ebc58dbf622cb89ddbf797589c7a5510b upstream. + +The "safe state" index is used by acpi_idle_enter_bm() to avoid +entering a C-state that may require bus mastering to be disabled +on entry in the cases when this is not going to happen. For this +reason, it should not be set to point to C3 type of C-states, because +they may require bus mastering to be disabled on entry in principle. + +This was broken by commit d6b88ce2eb9d ("ACPI: processor idle: Allow +playing dead in C3 state") which inadvertently allowed the "safe +state" index to point to C3 type of C-states. + +This results in a machine that won't boot past the point when it first +enters C3. Restore the correct behaviour (either demote to C1/C2, or +use C3 but also set ARB_DIS=1). + +I hit this on a Fujitsu Siemens Lifebook S6010 (P3) machine. + +Fixes: d6b88ce2eb9d ("ACPI: processor idle: Allow playing dead in C3 state") +Cc: 5.16+ # 5.16+ +Signed-off-by: Ville Syrjälä +Tested-by: Woody Suwalski +[ rjw: Subject and changelog adjustments ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_idle.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -792,7 +792,8 @@ static int acpi_processor_setup_cstates( + if (cx->type == ACPI_STATE_C1 || cx->type == ACPI_STATE_C2 || + cx->type == ACPI_STATE_C3) { + state->enter_dead = acpi_idle_play_dead; +- drv->safe_state_index = count; ++ if (cx->type != ACPI_STATE_C3) ++ drv->safe_state_index = count; + } + /* + * Halt-induced C1 is not good for ->enter_s2idle, because it diff --git a/queue-5.15/arm-dts-at91-sama7g5ek-enable-pull-up-on-flexcom3-console-lines.patch b/queue-5.15/arm-dts-at91-sama7g5ek-enable-pull-up-on-flexcom3-console-lines.patch new file mode 100644 index 00000000000..de8bf298840 --- /dev/null +++ b/queue-5.15/arm-dts-at91-sama7g5ek-enable-pull-up-on-flexcom3-console-lines.patch @@ -0,0 +1,37 @@ +From 3f7ce6d7091765ed6c67c5d78aa364b9d17e3aab Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Mon, 7 Mar 2022 13:38:27 +0200 +Subject: ARM: dts: at91: sama7g5ek: enable pull-up on flexcom3 console lines + +From: Eugen Hristev + +commit 3f7ce6d7091765ed6c67c5d78aa364b9d17e3aab upstream. + +Flexcom3 is used as board console serial. There are no pull-ups on these +lines on the board. This means that if a cable is not connected (that has +pull-ups included), stray characters could appear on the console as the +floating pins voltage levels are interpreted as incoming characters. +To avoid this problem, enable the internal pull-ups on these lines. + +Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Eugen Hristev +Reviewed-by: Tudor Ambarus +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20220307113827.2419331-1-eugen.hristev@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-sama7g5ek.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-sama7g5ek.dts ++++ b/arch/arm/boot/dts/at91-sama7g5ek.dts +@@ -403,7 +403,7 @@ + pinctrl_flx3_default: flx3_default { + pinmux = , + ; +- bias-disable; ++ bias-pull-up; + }; + + pinctrl_flx4_default: flx4_default { diff --git a/queue-5.15/arm-dts-imx8mm-venice-gw-71xx-72xx-73xx-fix-otg-controller-oc-mode.patch b/queue-5.15/arm-dts-imx8mm-venice-gw-71xx-72xx-73xx-fix-otg-controller-oc-mode.patch new file mode 100644 index 00000000000..218031e1bb3 --- /dev/null +++ b/queue-5.15/arm-dts-imx8mm-venice-gw-71xx-72xx-73xx-fix-otg-controller-oc-mode.patch @@ -0,0 +1,81 @@ +From 4c79865f3e8a2db93ec1e844509edfebe5a6ae56 Mon Sep 17 00:00:00 2001 +From: Tim Harvey +Date: Tue, 5 Apr 2022 12:35:09 -0700 +Subject: ARM: dts: imx8mm-venice-gw{71xx,72xx,73xx}: fix OTG controller OC mode + +From: Tim Harvey + +commit 4c79865f3e8a2db93ec1e844509edfebe5a6ae56 upstream. + +The GW71xx, GW72xx and GW73xx boards have USB1 routed to a USB OTG +connectors and USB2 routed to a USB hub. + +The OTG connector has a over-currently protection with an active-low +pin and the USB1 to HUB connection has no over-current protection (as +the HUB itself implements this for its downstream ports). + +Add proper dt nodes to specify the over-current pin polarity for USB1 +and disable over-current protection for USB2. + +Fixes: 6f30b27c5ef5 ("arm64: dts: imx8mm: Add Gateworks i.MX 8M Mini Development Kits") +Cc: stable@vger.kernel.org +Signed-off-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mm-venice-gw71xx.dtsi | 2 ++ + arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi | 2 ++ + arch/arm64/boot/dts/freescale/imx8mm-venice-gw73xx.dtsi | 2 ++ + 3 files changed, 6 insertions(+) + +--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw71xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw71xx.dtsi +@@ -103,12 +103,14 @@ + + &usbotg1 { + dr_mode = "otg"; ++ over-current-active-low; + vbus-supply = <®_usb_otg1_vbus>; + status = "okay"; + }; + + &usbotg2 { + dr_mode = "host"; ++ disable-over-current; + status = "okay"; + }; + +--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi +@@ -139,12 +139,14 @@ + + &usbotg1 { + dr_mode = "otg"; ++ over-current-active-low; + vbus-supply = <®_usb_otg1_vbus>; + status = "okay"; + }; + + &usbotg2 { + dr_mode = "host"; ++ disable-over-current; + vbus-supply = <®_usb_otg2_vbus>; + status = "okay"; + }; +--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw73xx.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw73xx.dtsi +@@ -166,12 +166,14 @@ + + &usbotg1 { + dr_mode = "otg"; ++ over-current-active-low; + vbus-supply = <®_usb_otg1_vbus>; + status = "okay"; + }; + + &usbotg2 { + dr_mode = "host"; ++ disable-over-current; + vbus-supply = <®_usb_otg2_vbus>; + status = "okay"; + }; diff --git a/queue-5.15/btrfs-fix-leaked-plug-after-failure-syncing-log-on-zoned-filesystems.patch b/queue-5.15/btrfs-fix-leaked-plug-after-failure-syncing-log-on-zoned-filesystems.patch new file mode 100644 index 00000000000..b3dedf058c3 --- /dev/null +++ b/queue-5.15/btrfs-fix-leaked-plug-after-failure-syncing-log-on-zoned-filesystems.patch @@ -0,0 +1,40 @@ +From 50ff57888d0b13440e7f4cde05dc339ee8d0f1f8 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 6 Apr 2022 17:07:54 +0100 +Subject: btrfs: fix leaked plug after failure syncing log on zoned filesystems + +From: Filipe Manana + +commit 50ff57888d0b13440e7f4cde05dc339ee8d0f1f8 upstream. + +On a zoned filesystem, if we fail to allocate the root node for the log +root tree while syncing the log, we end up returning without finishing +the IO plug we started before, resulting in leaking resources as we +have started writeback for extent buffers of a log tree before. That +allocation failure, which typically is either -ENOMEM or -ENOSPC, is not +fatal and the fsync can safely fallback to a full transaction commit. + +So release the IO plug if we fail to allocate the extent buffer for the +root of the log root tree when syncing the log on a zoned filesystem. + +Fixes: 3ddebf27fcd3a9 ("btrfs: zoned: reorder log node allocation on zoned filesystem") +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3216,6 +3216,7 @@ int btrfs_sync_log(struct btrfs_trans_ha + ret = btrfs_alloc_log_tree_node(trans, log_root_tree); + if (ret) { + mutex_unlock(&fs_info->tree_root->log_mutex); ++ blk_finish_plug(&plug); + goto out; + } + } diff --git a/queue-5.15/drm-i915-check-edid-for-hdr-static-metadata-when-choosing-blc.patch b/queue-5.15/drm-i915-check-edid-for-hdr-static-metadata-when-choosing-blc.patch new file mode 100644 index 00000000000..c0c4bdbcc58 --- /dev/null +++ b/queue-5.15/drm-i915-check-edid-for-hdr-static-metadata-when-choosing-blc.patch @@ -0,0 +1,103 @@ +From c05d8332f5d23fa3b521911cbe55a2b67fb21248 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Wed, 13 Apr 2022 11:28:26 +0300 +Subject: drm/i915: Check EDID for HDR static metadata when choosing blc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit c05d8332f5d23fa3b521911cbe55a2b67fb21248 upstream. + +We have now seen panel (XMG Core 15 e21 laptop) advertizing support +for Intel proprietary eDP backlight control via DPCD registers, but +actually working only with legacy pwm control. + +This patch adds panel EDID check for possible HDR static metadata and +Intel proprietary eDP backlight control is used only if that exists. +Missing HDR static metadata is ignored if user specifically asks for +Intel proprietary eDP backlight control via enable_dpcd_backlight +parameter. + +v2 : +- Ignore missing HDR static metadata if Intel proprietary eDP + backlight control is forced via i915.enable_dpcd_backlight +- Printout info message if panel is missing HDR static metadata and + support for Intel proprietary eDP backlight control is detected + +Fixes: 4a8d79901d5b ("drm/i915/dp: Enable Intel's HDR backlight interface (only SDR for now)") +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5284 +Cc: Lyude Paul +Cc: Mika Kahola +Cc: Jani Nikula +Cc: Filippo Falezza +Cc: stable@vger.kernel.org +Signed-off-by: Jouni Högander +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220413082826.120634-1-jouni.hogander@intel.com +Reviewed-by: Lyude Paul +(cherry picked from commit b4b157577cb1de13bee8bebc3576f1de6799a921) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dp_aux_backlight.c | 34 +++++++++++++----- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_dp_aux_backlight.c ++++ b/drivers/gpu/drm/i915/display/intel_dp_aux_backlight.c +@@ -96,6 +96,14 @@ + + #define INTEL_EDP_BRIGHTNESS_OPTIMIZATION_1 0x359 + ++enum intel_dp_aux_backlight_modparam { ++ INTEL_DP_AUX_BACKLIGHT_AUTO = -1, ++ INTEL_DP_AUX_BACKLIGHT_OFF = 0, ++ INTEL_DP_AUX_BACKLIGHT_ON = 1, ++ INTEL_DP_AUX_BACKLIGHT_FORCE_VESA = 2, ++ INTEL_DP_AUX_BACKLIGHT_FORCE_INTEL = 3, ++}; ++ + /* Intel EDP backlight callbacks */ + static bool + intel_dp_aux_supports_hdr_backlight(struct intel_connector *connector) +@@ -125,6 +133,24 @@ intel_dp_aux_supports_hdr_backlight(stru + return false; + } + ++ /* ++ * If we don't have HDR static metadata there is no way to ++ * runtime detect used range for nits based control. For now ++ * do not use Intel proprietary eDP backlight control if we ++ * don't have this data in panel EDID. In case we find panel ++ * which supports only nits based control, but doesn't provide ++ * HDR static metadata we need to start maintaining table of ++ * ranges for such panels. ++ */ ++ if (i915->params.enable_dpcd_backlight != INTEL_DP_AUX_BACKLIGHT_FORCE_INTEL && ++ !(connector->base.hdr_sink_metadata.hdmi_type1.metadata_type & ++ BIT(HDMI_STATIC_METADATA_TYPE1))) { ++ drm_info(&i915->drm, ++ "Panel is missing HDR static metadata. Possible support for Intel HDR backlight interface is not used. If your backlight controls don't work try booting with i915.enable_dpcd_backlight=%d. needs this, please file a _new_ bug report on drm/i915, see " FDO_BUG_URL " for details.\n", ++ INTEL_DP_AUX_BACKLIGHT_FORCE_INTEL); ++ return false; ++ } ++ + panel->backlight.edp.intel.sdr_uses_aux = + tcon_cap[2] & INTEL_EDP_SDR_TCON_BRIGHTNESS_AUX_CAP; + +@@ -373,14 +399,6 @@ static const struct intel_panel_bl_funcs + .get = intel_dp_aux_vesa_get_backlight, + }; + +-enum intel_dp_aux_backlight_modparam { +- INTEL_DP_AUX_BACKLIGHT_AUTO = -1, +- INTEL_DP_AUX_BACKLIGHT_OFF = 0, +- INTEL_DP_AUX_BACKLIGHT_ON = 1, +- INTEL_DP_AUX_BACKLIGHT_FORCE_VESA = 2, +- INTEL_DP_AUX_BACKLIGHT_FORCE_INTEL = 3, +-}; +- + int intel_dp_aux_init_backlight_funcs(struct intel_connector *connector) + { + struct drm_device *dev = connector->base.dev; diff --git a/queue-5.15/drm-i915-fix-sel_fetch_plane_-pipe_b-register-addresses.patch b/queue-5.15/drm-i915-fix-sel_fetch_plane_-pipe_b-register-addresses.patch new file mode 100644 index 00000000000..e7f3c292676 --- /dev/null +++ b/queue-5.15/drm-i915-fix-sel_fetch_plane_-pipe_b-register-addresses.patch @@ -0,0 +1,39 @@ +From 4ae4dd2e26fdfebf0b8c6af6c325383eadfefdb4 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Thu, 21 Apr 2022 19:22:21 +0300 +Subject: drm/i915: Fix SEL_FETCH_PLANE_*(PIPE_B+) register addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit 4ae4dd2e26fdfebf0b8c6af6c325383eadfefdb4 upstream. + +Fix typo in the _SEL_FETCH_PLANE_BASE_1_B register base address. + +Fixes: a5523e2ff074a5 ("drm/i915: Add PSR2 selective fetch registers") +References: https://gitlab.freedesktop.org/drm/intel/-/issues/5400 +Cc: José Roberto de Souza +Cc: # v5.9+ +Signed-off-by: Imre Deak +Reviewed-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20220421162221.2261895-1-imre.deak@intel.com +(cherry picked from commit af2cbc6ef967f61711a3c40fca5366ea0bc7fecc) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/i915_reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -7458,7 +7458,7 @@ enum { + #define _SEL_FETCH_PLANE_BASE_6_A 0x70940 + #define _SEL_FETCH_PLANE_BASE_7_A 0x70960 + #define _SEL_FETCH_PLANE_BASE_CUR_A 0x70880 +-#define _SEL_FETCH_PLANE_BASE_1_B 0x70990 ++#define _SEL_FETCH_PLANE_BASE_1_B 0x71890 + + #define _SEL_FETCH_PLANE_BASE_A(plane) _PICK(plane, \ + _SEL_FETCH_PLANE_BASE_1_A, \ diff --git a/queue-5.15/kasan-prevent-cpu_quarantine-corruption-when-cpu-offline-and-cache-shrink-occur-at-same-time.patch b/queue-5.15/kasan-prevent-cpu_quarantine-corruption-when-cpu-offline-and-cache-shrink-occur-at-same-time.patch new file mode 100644 index 00000000000..e3bc7a4212a --- /dev/null +++ b/queue-5.15/kasan-prevent-cpu_quarantine-corruption-when-cpu-offline-and-cache-shrink-occur-at-same-time.patch @@ -0,0 +1,53 @@ +From 31fa985b4196f8a66f027672e9bf2b81fea0417c Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Wed, 27 Apr 2022 12:41:56 -0700 +Subject: kasan: prevent cpu_quarantine corruption when CPU offline and cache shrink occur at same time + +From: Zqiang + +commit 31fa985b4196f8a66f027672e9bf2b81fea0417c upstream. + +kasan_quarantine_remove_cache() is called in kmem_cache_shrink()/ +destroy(). The kasan_quarantine_remove_cache() call is protected by +cpuslock in kmem_cache_destroy() to ensure serialization with +kasan_cpu_offline(). + +However the kasan_quarantine_remove_cache() call is not protected by +cpuslock in kmem_cache_shrink(). When a CPU is going offline and cache +shrink occurs at same time, the cpu_quarantine may be corrupted by +interrupt (per_cpu_remove_cache operation). + +So add a cpu_quarantine offline flags check in per_cpu_remove_cache(). + +[akpm@linux-foundation.org: add comment, per Zqiang] + +Link: https://lkml.kernel.org/r/20220414025925.2423818-1-qiang1.zhang@intel.com +Signed-off-by: Zqiang +Reviewed-by: Dmitry Vyukov +Cc: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/kasan/quarantine.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/kasan/quarantine.c ++++ b/mm/kasan/quarantine.c +@@ -315,6 +315,13 @@ static void per_cpu_remove_cache(void *a + struct qlist_head *q; + + q = this_cpu_ptr(&cpu_quarantine); ++ /* ++ * Ensure the ordering between the writing to q->offline and ++ * per_cpu_remove_cache. Prevent cpu_quarantine from being corrupted ++ * by interrupt. ++ */ ++ if (READ_ONCE(q->offline)) ++ return; + qlist_move_cache(q, &to_free, cache); + qlist_free_all(&to_free, cache); + } diff --git a/queue-5.15/mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch b/queue-5.15/mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch new file mode 100644 index 00000000000..6a3a640d8b2 --- /dev/null +++ b/queue-5.15/mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch @@ -0,0 +1,111 @@ +From ba7542eb2dd5dfc75c457198b88986642e602065 Mon Sep 17 00:00:00 2001 +From: Md Sadre Alam +Date: Mon, 18 Apr 2022 13:18:27 +0530 +Subject: mtd: rawnand: qcom: fix memory corruption that causes panic + +From: Md Sadre Alam + +commit ba7542eb2dd5dfc75c457198b88986642e602065 upstream. + +This patch fixes a memory corruption that occurred in the +nand_scan() path for Hynix nand device. + +On boot, for Hynix nand device will panic at a weird place: +| Unable to handle kernel NULL pointer dereference at virtual + address 00000070 +| [00000070] *pgd=00000000 +| Internal error: Oops: 5 [#1] PREEMPT SMP ARM +| Modules linked in: +| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-01473-g13ae1769cfb0 + #38 +| Hardware name: Generic DT based system +| PC is at nandc_set_reg+0x8/0x1c +| LR is at qcom_nandc_command+0x20c/0x5d0 +| pc : [] lr : [] psr: 00000113 +| sp : c14adc50 ip : c14ee208 fp : c0cc970c +| r10: 000000a3 r9 : 00000000 r8 : 00000040 +| r7 : c16f6a00 r6 : 00000090 r5 : 00000004 r4 :c14ee040 +| r3 : 00000000 r2 : 0000000b r1 : 00000000 r0 :c14ee040 +| Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +| Control: 10c5387d Table: 8020406a DAC: 00000051 +| Register r0 information: slab kmalloc-2k start c14ee000 pointer offset + 64 size 2048 +| Process swapper/0 (pid: 1, stack limit = 0x(ptrval)) +| nandc_set_reg from qcom_nandc_command+0x20c/0x5d0 +| qcom_nandc_command from nand_readid_op+0x198/0x1e8 +| nand_readid_op from hynix_nand_has_valid_jedecid+0x30/0x78 +| hynix_nand_has_valid_jedecid from hynix_nand_init+0xb8/0x454 +| hynix_nand_init from nand_scan_with_ids+0xa30/0x14a8 +| nand_scan_with_ids from qcom_nandc_probe+0x648/0x7b0 +| qcom_nandc_probe from platform_probe+0x58/0xac + +The problem is that the nand_scan()'s qcom_nand_attach_chip callback +is updating the nandc->max_cwperpage from 1 to 4 or 8 based on page size. +This causes the sg_init_table of clear_bam_transaction() in the driver's +qcom_nandc_command() to memset much more than what was initially +allocated by alloc_bam_transaction(). + +This patch will update nandc->max_cwperpage 1 to 4 or 8 based on page +size in qcom_nand_attach_chip call back after freeing the previously +allocated memory for bam txn as per nandc->max_cwperpage = 1 and then +again allocating bam txn as per nandc->max_cwperpage = 4 or 8 based on +page size in qcom_nand_attach_chip call back itself. + +Cc: stable@vger.kernel.org +Fixes: 6a3cec64f18c ("mtd: rawnand: qcom: convert driver to nand_scan()") +Reported-by: Konrad Dybcio +Reviewed-by: Manivannan Sadhasivam +Co-developed-by: Sricharan R +Signed-off-by: Sricharan R +Signed-off-by: Md Sadre Alam +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/1650268107-5363-1-git-send-email-quic_mdalam@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/qcom_nandc.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/mtd/nand/raw/qcom_nandc.c ++++ b/drivers/mtd/nand/raw/qcom_nandc.c +@@ -2641,10 +2641,23 @@ static int qcom_nand_attach_chip(struct + ecc->engine_type = NAND_ECC_ENGINE_TYPE_ON_HOST; + + mtd_set_ooblayout(mtd, &qcom_nand_ooblayout_ops); ++ /* Free the initially allocated BAM transaction for reading the ONFI params */ ++ if (nandc->props->is_bam) ++ free_bam_transaction(nandc); + + nandc->max_cwperpage = max_t(unsigned int, nandc->max_cwperpage, + cwperpage); + ++ /* Now allocate the BAM transaction based on updated max_cwperpage */ ++ if (nandc->props->is_bam) { ++ nandc->bam_txn = alloc_bam_transaction(nandc); ++ if (!nandc->bam_txn) { ++ dev_err(nandc->dev, ++ "failed to allocate bam transaction\n"); ++ return -ENOMEM; ++ } ++ } ++ + /* + * DATA_UD_BYTES varies based on whether the read/write command protects + * spare data with ECC too. We protect spare data by default, so we set +@@ -2945,17 +2958,6 @@ static int qcom_nand_host_init_and_regis + if (ret) + return ret; + +- if (nandc->props->is_bam) { +- free_bam_transaction(nandc); +- nandc->bam_txn = alloc_bam_transaction(nandc); +- if (!nandc->bam_txn) { +- dev_err(nandc->dev, +- "failed to allocate bam transaction\n"); +- nand_cleanup(chip); +- return -ENOMEM; +- } +- } +- + ret = mtd_device_parse_register(mtd, probes, NULL, NULL, 0); + if (ret) + nand_cleanup(chip); diff --git a/queue-5.15/net-ethernet-stmmac-fix-write-to-sgmii_adapter_base.patch b/queue-5.15/net-ethernet-stmmac-fix-write-to-sgmii_adapter_base.patch new file mode 100644 index 00000000000..2fa58b27820 --- /dev/null +++ b/queue-5.15/net-ethernet-stmmac-fix-write-to-sgmii_adapter_base.patch @@ -0,0 +1,56 @@ +From 5fd1fe4807f91ea0cca043114d929faa11bd4190 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Wed, 20 Apr 2022 10:23:45 -0500 +Subject: net: ethernet: stmmac: fix write to sgmii_adapter_base + +From: Dinh Nguyen + +commit 5fd1fe4807f91ea0cca043114d929faa11bd4190 upstream. + +I made a mistake with the commit a6aaa0032424 ("net: ethernet: stmmac: +fix altr_tse_pcs function when using a fixed-link"). I should have +tested against both scenario of having a SGMII interface and one +without. + +Without the SGMII PCS TSE adpater, the sgmii_adapter_base address is +NULL, thus a write to this address will fail. + +Cc: stable@vger.kernel.org +Fixes: a6aaa0032424 ("net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link") +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20220420152345.27415-1-dinguyen@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c +@@ -65,8 +65,9 @@ static void socfpga_dwmac_fix_mac_speed( + struct phy_device *phy_dev = ndev->phydev; + u32 val; + +- writew(SGMII_ADAPTER_DISABLE, +- sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); ++ if (sgmii_adapter_base) ++ writew(SGMII_ADAPTER_DISABLE, ++ sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); + + if (splitter_base) { + val = readl(splitter_base + EMAC_SPLITTER_CTRL_REG); +@@ -88,10 +89,11 @@ static void socfpga_dwmac_fix_mac_speed( + writel(val, splitter_base + EMAC_SPLITTER_CTRL_REG); + } + +- writew(SGMII_ADAPTER_ENABLE, +- sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); +- if (phy_dev) ++ if (phy_dev && sgmii_adapter_base) { ++ writew(SGMII_ADAPTER_ENABLE, ++ sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); + tse_pcs_fix_mac_speed(&dwmac->pcs, phy_dev, speed); ++ } + } + + static int socfpga_dwmac_parse_data(struct socfpga_dwmac *dwmac, struct device *dev) diff --git a/queue-5.15/netfilter-update-ip6_route_me_harder-to-consider-l3-domain.patch b/queue-5.15/netfilter-update-ip6_route_me_harder-to-consider-l3-domain.patch new file mode 100644 index 00000000000..34ce5852bbc --- /dev/null +++ b/queue-5.15/netfilter-update-ip6_route_me_harder-to-consider-l3-domain.patch @@ -0,0 +1,58 @@ +From 8ddffdb9442a9d60b4a6e679ac48d7d21403a674 Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Tue, 19 Apr 2022 15:47:00 +0200 +Subject: netfilter: Update ip6_route_me_harder to consider L3 domain + +From: Martin Willi + +commit 8ddffdb9442a9d60b4a6e679ac48d7d21403a674 upstream. + +The commit referenced below fixed packet re-routing if Netfilter mangles +a routing key property of a packet and the packet is routed in a VRF L3 +domain. The fix, however, addressed IPv4 re-routing, only. + +This commit applies the same behavior for IPv6. While at it, untangle +the nested ternary operator to make the code more readable. + +Fixes: 6d8b49c3a3a3 ("netfilter: Update ip_route_me_harder to consider L3 domain") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Willi +Reviewed-by: David Ahern +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/netfilter.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -24,14 +24,13 @@ int ip6_route_me_harder(struct net *net, + { + const struct ipv6hdr *iph = ipv6_hdr(skb); + struct sock *sk = sk_to_full_sk(sk_partial); ++ struct net_device *dev = skb_dst(skb)->dev; + struct flow_keys flkeys; + unsigned int hh_len; + struct dst_entry *dst; + int strict = (ipv6_addr_type(&iph->daddr) & + (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)); + struct flowi6 fl6 = { +- .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if : +- strict ? skb_dst(skb)->dev->ifindex : 0, + .flowi6_mark = skb->mark, + .flowi6_uid = sock_net_uid(net, sk), + .daddr = iph->daddr, +@@ -39,6 +38,13 @@ int ip6_route_me_harder(struct net *net, + }; + int err; + ++ if (sk && sk->sk_bound_dev_if) ++ fl6.flowi6_oif = sk->sk_bound_dev_if; ++ else if (strict) ++ fl6.flowi6_oif = dev->ifindex; ++ else ++ fl6.flowi6_oif = l3mdev_master_ifindex(dev); ++ + fib6_rules_early_flow_dissect(net, skb, &fl6, &flkeys); + dst = ip6_route_output(net, sk, &fl6); + err = dst->error; diff --git a/queue-5.15/revert-acpi-processor-idle-fix-lockup-regression-on-32-bit-thinkpad-t40.patch b/queue-5.15/revert-acpi-processor-idle-fix-lockup-regression-on-32-bit-thinkpad-t40.patch new file mode 100644 index 00000000000..36e3127651c --- /dev/null +++ b/queue-5.15/revert-acpi-processor-idle-fix-lockup-regression-on-32-bit-thinkpad-t40.patch @@ -0,0 +1,41 @@ +From 20e582e16af24b074e583f9551fad557882a3c9d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 20 Apr 2022 16:44:17 +0300 +Subject: Revert "ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 20e582e16af24b074e583f9551fad557882a3c9d upstream. + +This reverts commit bfe55a1f7fd6bfede16078bf04c6250fbca11588. + +This was presumably misdiagnosed as an inability to use C3 at +all when I suspect the real problem is just misconfiguration of +C3 vs. ARB_DIS. + +Signed-off-by: Ville Syrjälä +Cc: 5.16+ # 5.16+ +Tested-by: Woody Suwalski +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_idle.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -95,11 +95,6 @@ static const struct dmi_system_id proces + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."), + DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")}, + (void *)1}, +- /* T40 can not handle C3 idle state */ +- { set_max_cstate, "IBM ThinkPad T40", { +- DMI_MATCH(DMI_SYS_VENDOR, "IBM"), +- DMI_MATCH(DMI_PRODUCT_NAME, "23737CU")}, +- (void *)2}, + {}, + }; + diff --git a/queue-5.15/series b/queue-5.15/series index 4ecf91caf29..1033f92ee1b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -137,3 +137,17 @@ drivers-net-hippi-fix-deadlock-in-rr_close.patch powerpc-perf-fix-32bit-compile.patch selftest-vm-verify-mmap-addr-in-mremap_test.patch selftest-vm-verify-remap-destination-address-in-mrem.patch +revert-acpi-processor-idle-fix-lockup-regression-on-32-bit-thinkpad-t40.patch +zonefs-fix-management-of-open-zones.patch +zonefs-clear-inode-information-flags-on-inode-creation.patch +kasan-prevent-cpu_quarantine-corruption-when-cpu-offline-and-cache-shrink-occur-at-same-time.patch +mtd-rawnand-qcom-fix-memory-corruption-that-causes-panic.patch +netfilter-update-ip6_route_me_harder-to-consider-l3-domain.patch +drm-i915-check-edid-for-hdr-static-metadata-when-choosing-blc.patch +drm-i915-fix-sel_fetch_plane_-pipe_b-register-addresses.patch +net-ethernet-stmmac-fix-write-to-sgmii_adapter_base.patch +acpi-processor-idle-avoid-falling-back-to-c3-type-c-states.patch +thermal-int340x-fix-attr.show-callback-prototype.patch +btrfs-fix-leaked-plug-after-failure-syncing-log-on-zoned-filesystems.patch +arm-dts-at91-sama7g5ek-enable-pull-up-on-flexcom3-console-lines.patch +arm-dts-imx8mm-venice-gw-71xx-72xx-73xx-fix-otg-controller-oc-mode.patch diff --git a/queue-5.15/thermal-int340x-fix-attr.show-callback-prototype.patch b/queue-5.15/thermal-int340x-fix-attr.show-callback-prototype.patch new file mode 100644 index 00000000000..b22fbdd7f00 --- /dev/null +++ b/queue-5.15/thermal-int340x-fix-attr.show-callback-prototype.patch @@ -0,0 +1,46 @@ +From d0f6cfb2bd165b0aa307750e07e03420859bd554 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 21 Apr 2022 09:55:04 -0700 +Subject: thermal: int340x: Fix attr.show callback prototype + +From: Kees Cook + +commit d0f6cfb2bd165b0aa307750e07e03420859bd554 upstream. + +Control Flow Integrity (CFI) instrumentation of the kernel noticed that +the caller, dev_attr_show(), and the callback, odvp_show(), did not have +matching function prototypes, which would cause a CFI exception to be +raised. Correct the prototype by using struct device_attribute instead +of struct kobj_attribute. + +Reported-and-tested-by: Joao Moreira +Link: https://lore.kernel.org/lkml/067ce8bd4c3968054509831fa2347f4f@overdrivepizza.com/ +Fixes: 006f006f1e5c ("thermal/int340x_thermal: Export OEM vendor variables") +Cc: 5.8+ # 5.8+ +Signed-off-by: Kees Cook +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +@@ -67,7 +67,7 @@ static int evaluate_odvp(struct int3400_ + struct odvp_attr { + int odvp; + struct int3400_thermal_priv *priv; +- struct kobj_attribute attr; ++ struct device_attribute attr; + }; + + static ssize_t data_vault_read(struct file *file, struct kobject *kobj, +@@ -272,7 +272,7 @@ static int int3400_thermal_run_osc(acpi_ + return result; + } + +-static ssize_t odvp_show(struct kobject *kobj, struct kobj_attribute *attr, ++static ssize_t odvp_show(struct device *dev, struct device_attribute *attr, + char *buf) + { + struct odvp_attr *odvp_attr; diff --git a/queue-5.15/zonefs-clear-inode-information-flags-on-inode-creation.patch b/queue-5.15/zonefs-clear-inode-information-flags-on-inode-creation.patch new file mode 100644 index 00000000000..9e52ab67da7 --- /dev/null +++ b/queue-5.15/zonefs-clear-inode-information-flags-on-inode-creation.patch @@ -0,0 +1,34 @@ +From 694852ead287a3433126e7ebda397b242dc99624 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 12 Apr 2022 20:52:35 +0900 +Subject: zonefs: Clear inode information flags on inode creation + +From: Damien Le Moal + +commit 694852ead287a3433126e7ebda397b242dc99624 upstream. + +Ensure that the i_flags field of struct zonefs_inode_info is cleared to +0 when initializing a zone file inode, avoiding seeing the flag +ZONEFS_ZONE_OPEN being incorrectly set. + +Fixes: b5c00e975779 ("zonefs: open/close zone on file open/close") +Cc: +Signed-off-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Hans Holmberg +Signed-off-by: Greg Kroah-Hartman +--- + fs/zonefs/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/zonefs/super.c ++++ b/fs/zonefs/super.c +@@ -1155,6 +1155,7 @@ static struct inode *zonefs_alloc_inode( + inode_init_once(&zi->i_vnode); + mutex_init(&zi->i_truncate_mutex); + zi->i_wr_refcnt = 0; ++ zi->i_flags = 0; + + return &zi->i_vnode; + } diff --git a/queue-5.15/zonefs-fix-management-of-open-zones.patch b/queue-5.15/zonefs-fix-management-of-open-zones.patch new file mode 100644 index 00000000000..f9d55194d52 --- /dev/null +++ b/queue-5.15/zonefs-fix-management-of-open-zones.patch @@ -0,0 +1,126 @@ +From 1da18a296f5ba4f99429e62a7cf4fdbefa598902 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 12 Apr 2022 17:41:37 +0900 +Subject: zonefs: Fix management of open zones + +From: Damien Le Moal + +commit 1da18a296f5ba4f99429e62a7cf4fdbefa598902 upstream. + +The mount option "explicit_open" manages the device open zone +resources to ensure that if an application opens a sequential file for +writing, the file zone can always be written by explicitly opening +the zone and accounting for that state with the s_open_zones counter. + +However, if some zones are already open when mounting, the device open +zone resource usage status will be larger than the initial s_open_zones +value of 0. Ensure that this inconsistency does not happen by closing +any sequential zone that is open when mounting. + +Furthermore, with ZNS drives, closing an explicitly open zone that has +not been written will change the zone state to "closed", that is, the +zone will remain in an active state. Since this can then cause failures +of explicit open operations on other zones if the drive active zone +resources are exceeded, we need to make sure that the zone is not +active anymore by resetting it instead of closing it. To address this, +zonefs_zone_mgmt() is modified to change a REQ_OP_ZONE_CLOSE request +into a REQ_OP_ZONE_RESET for sequential zones that have not been +written. + +Fixes: b5c00e975779 ("zonefs: open/close zone on file open/close") +Cc: +Signed-off-by: Damien Le Moal +Reviewed-by: Johannes Thumshirn +Reviewed-by: Hans Holmberg +Signed-off-by: Greg Kroah-Hartman +--- + fs/zonefs/super.c | 45 ++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 40 insertions(+), 5 deletions(-) + +--- a/fs/zonefs/super.c ++++ b/fs/zonefs/super.c +@@ -35,6 +35,17 @@ static inline int zonefs_zone_mgmt(struc + + lockdep_assert_held(&zi->i_truncate_mutex); + ++ /* ++ * With ZNS drives, closing an explicitly open zone that has not been ++ * written will change the zone state to "closed", that is, the zone ++ * will remain active. Since this can then cause failure of explicit ++ * open operation on other zones if the drive active zone resources ++ * are exceeded, make sure that the zone does not remain active by ++ * resetting it. ++ */ ++ if (op == REQ_OP_ZONE_CLOSE && !zi->i_wpoffset) ++ op = REQ_OP_ZONE_RESET; ++ + trace_zonefs_zone_mgmt(inode, op); + ret = blkdev_zone_mgmt(inode->i_sb->s_bdev, op, zi->i_zsector, + zi->i_zone_size >> SECTOR_SHIFT, GFP_NOFS); +@@ -1295,12 +1306,13 @@ static void zonefs_init_dir_inode(struct + inc_nlink(parent); + } + +-static void zonefs_init_file_inode(struct inode *inode, struct blk_zone *zone, +- enum zonefs_ztype type) ++static int zonefs_init_file_inode(struct inode *inode, struct blk_zone *zone, ++ enum zonefs_ztype type) + { + struct super_block *sb = inode->i_sb; + struct zonefs_sb_info *sbi = ZONEFS_SB(sb); + struct zonefs_inode_info *zi = ZONEFS_I(inode); ++ int ret = 0; + + inode->i_ino = zone->start >> sbi->s_zone_sectors_shift; + inode->i_mode = S_IFREG | sbi->s_perm; +@@ -1325,6 +1337,22 @@ static void zonefs_init_file_inode(struc + sb->s_maxbytes = max(zi->i_max_size, sb->s_maxbytes); + sbi->s_blocks += zi->i_max_size >> sb->s_blocksize_bits; + sbi->s_used_blocks += zi->i_wpoffset >> sb->s_blocksize_bits; ++ ++ /* ++ * For sequential zones, make sure that any open zone is closed first ++ * to ensure that the initial number of open zones is 0, in sync with ++ * the open zone accounting done when the mount option ++ * ZONEFS_MNTOPT_EXPLICIT_OPEN is used. ++ */ ++ if (type == ZONEFS_ZTYPE_SEQ && ++ (zone->cond == BLK_ZONE_COND_IMP_OPEN || ++ zone->cond == BLK_ZONE_COND_EXP_OPEN)) { ++ mutex_lock(&zi->i_truncate_mutex); ++ ret = zonefs_zone_mgmt(inode, REQ_OP_ZONE_CLOSE); ++ mutex_unlock(&zi->i_truncate_mutex); ++ } ++ ++ return ret; + } + + static struct dentry *zonefs_create_inode(struct dentry *parent, +@@ -1334,6 +1362,7 @@ static struct dentry *zonefs_create_inod + struct inode *dir = d_inode(parent); + struct dentry *dentry; + struct inode *inode; ++ int ret; + + dentry = d_alloc_name(parent, name); + if (!dentry) +@@ -1344,10 +1373,16 @@ static struct dentry *zonefs_create_inod + goto dput; + + inode->i_ctime = inode->i_mtime = inode->i_atime = dir->i_ctime; +- if (zone) +- zonefs_init_file_inode(inode, zone, type); +- else ++ if (zone) { ++ ret = zonefs_init_file_inode(inode, zone, type); ++ if (ret) { ++ iput(inode); ++ goto dput; ++ } ++ } else { + zonefs_init_dir_inode(dir, inode, type); ++ } ++ + d_add(dentry, inode); + dir->i_size++; +