From: Greg Kroah-Hartman Date: Mon, 28 Feb 2022 07:05:41 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.304~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b123bdc8a9b90c6f8157c8525ed1a5b3b4b080c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: btrfs-prevent-copying-too-big-compressed-lzo-segment.patch ib-qib-fix-duplicate-sysfs-directory-name.patch rdma-cma-do-not-change-route.addr.src_addr-outside-state-checks.patch riscv-fix-nommu_k210_sdcard_defconfig.patch riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch staging-fbtft-fb_st7789v-reset-display-before-initialization.patch thermal-int340x-fix-memory-leak-in-int3400_notify.patch tps6598x-clear-int-mask-on-probe-failure.patch tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch --- diff --git a/queue-5.15/btrfs-prevent-copying-too-big-compressed-lzo-segment.patch b/queue-5.15/btrfs-prevent-copying-too-big-compressed-lzo-segment.patch new file mode 100644 index 00000000000..e2ddbc4122d --- /dev/null +++ b/queue-5.15/btrfs-prevent-copying-too-big-compressed-lzo-segment.patch @@ -0,0 +1,83 @@ +From 741b23a970a79d5d3a1db2d64fa2c7b375a4febb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= +Date: Wed, 2 Feb 2022 23:44:55 +0200 +Subject: btrfs: prevent copying too big compressed lzo segment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dāvis Mosāns + +commit 741b23a970a79d5d3a1db2d64fa2c7b375a4febb upstream. + +Compressed length can be corrupted to be a lot larger than memory +we have allocated for buffer. +This will cause memcpy in copy_compressed_segment to write outside +of allocated memory. + +This mostly results in stuck read syscall but sometimes when using +btrfs send can get #GP + + kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI + kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12 + kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs] + kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs + Code starting with the faulting instruction + =========================================== + 0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction + 3: 48 8d 79 08 lea 0x8(%rcx),%rdi + 7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi + b: 48 89 01 mov %rax,(%rcx) + e: 44 89 f0 mov %r14d,%eax + 11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx + kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212 + kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8 + kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d + kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000 + kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000 + kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000 + kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000 + kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0 + kernel: Call Trace: + kernel: + kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs + kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs + kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs + kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312) + kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455) + kernel: ? process_one_work (kernel/workqueue.c:2397) + kernel: kthread (kernel/kthread.c:377) + kernel: ? kthread_complete_and_exit (kernel/kthread.c:332) + kernel: ret_from_fork (arch/x86/entry/entry_64.S:301) + kernel: + +CC: stable@vger.kernel.org # 4.9+ +Signed-off-by: Dāvis Mosāns +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/lzo.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/btrfs/lzo.c ++++ b/fs/btrfs/lzo.c +@@ -363,6 +363,17 @@ int lzo_decompress_bio(struct list_head + kunmap(cur_page); + cur_in += LZO_LEN; + ++ if (seg_len > lzo1x_worst_compress(PAGE_SIZE)) { ++ /* ++ * seg_len shouldn't be larger than we have allocated ++ * for workspace->cbuf ++ */ ++ btrfs_err(fs_info, "unexpectedly large lzo segment len %u", ++ seg_len); ++ ret = -EIO; ++ goto out; ++ } ++ + /* Copy the compressed segment payload into workspace */ + copy_compressed_segment(cb, workspace->cbuf, seg_len, &cur_in); + diff --git a/queue-5.15/ib-qib-fix-duplicate-sysfs-directory-name.patch b/queue-5.15/ib-qib-fix-duplicate-sysfs-directory-name.patch new file mode 100644 index 00000000000..8f0651935d7 --- /dev/null +++ b/queue-5.15/ib-qib-fix-duplicate-sysfs-directory-name.patch @@ -0,0 +1,39 @@ +From 32f57cb1b2c8d6f20aefec7052b1bfeb7e3b69d4 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Thu, 17 Feb 2022 08:59:32 -0500 +Subject: IB/qib: Fix duplicate sysfs directory name + +From: Mike Marciniszyn + +commit 32f57cb1b2c8d6f20aefec7052b1bfeb7e3b69d4 upstream. + +The qib driver load has been failing with the following message: + + sysfs: cannot create duplicate filename '/devices/pci0000:80/0000:80:02.0/0000:81:00.0/infiniband/qib0/ports/1/linkcontrol' + +The patch below has two "linkcontrol" names causing the duplication. + +Fix by using the correct "diag_counters" name on the second instance. + +Fixes: 4a7aaf88c89f ("RDMA/qib: Use attributes for the port sysfs") +Link: https://lore.kernel.org/r/1645106372-23004-1-git-send-email-mike.marciniszyn@cornelisnetworks.com +Cc: +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qib/qib_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qib/qib_sysfs.c ++++ b/drivers/infiniband/hw/qib/qib_sysfs.c +@@ -541,7 +541,7 @@ static struct attribute *port_diagc_attr + }; + + static const struct attribute_group port_diagc_group = { +- .name = "linkcontrol", ++ .name = "diag_counters", + .attrs = port_diagc_attributes, + }; + diff --git a/queue-5.15/rdma-cma-do-not-change-route.addr.src_addr-outside-state-checks.patch b/queue-5.15/rdma-cma-do-not-change-route.addr.src_addr-outside-state-checks.patch new file mode 100644 index 00000000000..ad95aa57771 --- /dev/null +++ b/queue-5.15/rdma-cma-do-not-change-route.addr.src_addr-outside-state-checks.patch @@ -0,0 +1,114 @@ +From 22e9f71072fa605cbf033158db58e0790101928d Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 23 Feb 2022 11:23:57 -0400 +Subject: RDMA/cma: Do not change route.addr.src_addr outside state checks + +From: Jason Gunthorpe + +commit 22e9f71072fa605cbf033158db58e0790101928d upstream. + +If the state is not idle then resolve_prepare_src() should immediately +fail and no change to global state should happen. However, it +unconditionally overwrites the src_addr trying to build a temporary any +address. + +For instance if the state is already RDMA_CM_LISTEN then this will corrupt +the src_addr and would cause the test in cma_cancel_operation(): + + if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev) + +Which would manifest as this trace from syzkaller: + + BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 + Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 + + CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 + __kasan_report mm/kasan/report.c:399 [inline] + kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 + __list_add_valid+0x93/0xa0 lib/list_debug.c:26 + __list_add include/linux/list.h:67 [inline] + list_add_tail include/linux/list.h:100 [inline] + cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] + rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 + ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 + ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 + vfs_write+0x28e/0xa30 fs/read_write.c:603 + ksys_write+0x1ee/0x250 fs/read_write.c:658 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +This is indicating that an rdma_id_private was destroyed without doing +cma_cancel_listens(). + +Instead of trying to re-use the src_addr memory to indirectly create an +any address derived from the dst build one explicitly on the stack and +bind to that as any other normal flow would do. rdma_bind_addr() will copy +it over the src_addr once it knows the state is valid. + +This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change +route.addr.src_addr.ss_family") + +Link: https://lore.kernel.org/r/0-v2-e975c8fd9ef2+11e-syz_cma_srcaddr_jgg@nvidia.com +Cc: stable@vger.kernel.org +Fixes: 732d41c545bb ("RDMA/cma: Make the locking for automatic state transition more clear") +Reported-by: syzbot+c94a3675a626f6333d74@syzkaller.appspotmail.com +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -3368,22 +3368,30 @@ err: + static int cma_bind_addr(struct rdma_cm_id *id, struct sockaddr *src_addr, + const struct sockaddr *dst_addr) + { +- if (!src_addr || !src_addr->sa_family) { +- src_addr = (struct sockaddr *) &id->route.addr.src_addr; +- src_addr->sa_family = dst_addr->sa_family; +- if (IS_ENABLED(CONFIG_IPV6) && +- dst_addr->sa_family == AF_INET6) { +- struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *) src_addr; +- struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *) dst_addr; +- src_addr6->sin6_scope_id = dst_addr6->sin6_scope_id; +- if (ipv6_addr_type(&dst_addr6->sin6_addr) & IPV6_ADDR_LINKLOCAL) +- id->route.addr.dev_addr.bound_dev_if = dst_addr6->sin6_scope_id; +- } else if (dst_addr->sa_family == AF_IB) { +- ((struct sockaddr_ib *) src_addr)->sib_pkey = +- ((struct sockaddr_ib *) dst_addr)->sib_pkey; +- } ++ struct sockaddr_storage zero_sock = {}; ++ ++ if (src_addr && src_addr->sa_family) ++ return rdma_bind_addr(id, src_addr); ++ ++ /* ++ * When the src_addr is not specified, automatically supply an any addr ++ */ ++ zero_sock.ss_family = dst_addr->sa_family; ++ if (IS_ENABLED(CONFIG_IPV6) && dst_addr->sa_family == AF_INET6) { ++ struct sockaddr_in6 *src_addr6 = ++ (struct sockaddr_in6 *)&zero_sock; ++ struct sockaddr_in6 *dst_addr6 = ++ (struct sockaddr_in6 *)dst_addr; ++ ++ src_addr6->sin6_scope_id = dst_addr6->sin6_scope_id; ++ if (ipv6_addr_type(&dst_addr6->sin6_addr) & IPV6_ADDR_LINKLOCAL) ++ id->route.addr.dev_addr.bound_dev_if = ++ dst_addr6->sin6_scope_id; ++ } else if (dst_addr->sa_family == AF_IB) { ++ ((struct sockaddr_ib *)&zero_sock)->sib_pkey = ++ ((struct sockaddr_ib *)dst_addr)->sib_pkey; + } +- return rdma_bind_addr(id, src_addr); ++ return rdma_bind_addr(id, (struct sockaddr *)&zero_sock); + } + + /* diff --git a/queue-5.15/riscv-fix-nommu_k210_sdcard_defconfig.patch b/queue-5.15/riscv-fix-nommu_k210_sdcard_defconfig.patch new file mode 100644 index 00000000000..0d96c452852 --- /dev/null +++ b/queue-5.15/riscv-fix-nommu_k210_sdcard_defconfig.patch @@ -0,0 +1,33 @@ +From 762e52f79c95ea20a7229674ffd13b94d7d8959c Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Wed, 9 Feb 2022 12:56:23 +0900 +Subject: riscv: fix nommu_k210_sdcard_defconfig + +From: Damien Le Moal + +commit 762e52f79c95ea20a7229674ffd13b94d7d8959c upstream. + +Instead of an arbitrary delay, use the "rootwait" kernel option to wait +for the mmc root device to be ready. + +Signed-off-by: Damien Le Moal +Reviewed-by: Anup Patel +Fixes: 7e09fd3994c5 ("riscv: Add Canaan Kendryte K210 SD card defconfig") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/configs/nommu_k210_sdcard_defconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/configs/nommu_k210_sdcard_defconfig ++++ b/arch/riscv/configs/nommu_k210_sdcard_defconfig +@@ -23,7 +23,7 @@ CONFIG_SLOB=y + CONFIG_SOC_CANAAN=y + CONFIG_SMP=y + CONFIG_NR_CPUS=2 +-CONFIG_CMDLINE="earlycon console=ttySIF0 rootdelay=2 root=/dev/mmcblk0p1 ro" ++CONFIG_CMDLINE="earlycon console=ttySIF0 root=/dev/mmcblk0p1 rootwait ro" + CONFIG_CMDLINE_FORCE=y + # CONFIG_SECCOMP is not set + # CONFIG_STACKPROTECTOR is not set diff --git a/queue-5.15/riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch b/queue-5.15/riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch new file mode 100644 index 00000000000..5d0bfe7c9b3 --- /dev/null +++ b/queue-5.15/riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch @@ -0,0 +1,167 @@ +From 22e2100b1b07d6f5acc71cc1acb53f680c677d77 Mon Sep 17 00:00:00 2001 +From: Changbin Du +Date: Sun, 13 Feb 2022 16:18:45 +0800 +Subject: riscv: fix oops caused by irqsoff latency tracer + +From: Changbin Du + +commit 22e2100b1b07d6f5acc71cc1acb53f680c677d77 upstream. + +The trace_hardirqs_{on,off}() require the caller to setup frame pointer +properly. This because these two functions use macro 'CALLER_ADDR1' (aka. +__builtin_return_address(1)) to acquire caller info. If the $fp is used +for other purpose, the code generated this macro (as below) could trigger +memory access fault. + + 0xffffffff8011510e <+80>: ld a1,-16(s0) + 0xffffffff80115112 <+84>: ld s2,-8(a1) # <-- paging fault here + +The oops message during booting if compiled with 'irqoff' tracer enabled: +[ 0.039615][ T0] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 +[ 0.041925][ T0] Oops [#1] +[ 0.042063][ T0] Modules linked in: +[ 0.042864][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-rc1-00233-g9a20c48d1ed2 #29 +[ 0.043568][ T0] Hardware name: riscv-virtio,qemu (DT) +[ 0.044343][ T0] epc : trace_hardirqs_on+0x56/0xe2 +[ 0.044601][ T0] ra : restore_all+0x12/0x6e +[ 0.044721][ T0] epc : ffffffff80126a5c ra : ffffffff80003b94 sp : ffffffff81403db0 +[ 0.044801][ T0] gp : ffffffff8163acd8 tp : ffffffff81414880 t0 : 0000000000000020 +[ 0.044882][ T0] t1 : 0098968000000000 t2 : 0000000000000000 s0 : ffffffff81403de0 +[ 0.044967][ T0] s1 : 0000000000000000 a0 : 0000000000000001 a1 : 0000000000000100 +[ 0.045046][ T0] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 +[ 0.045124][ T0] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000054494d45 +[ 0.045210][ T0] s2 : ffffffff80003b94 s3 : ffffffff81a8f1b0 s4 : ffffffff80e27b50 +[ 0.045289][ T0] s5 : ffffffff81414880 s6 : ffffffff8160fa00 s7 : 00000000800120e8 +[ 0.045389][ T0] s8 : 0000000080013100 s9 : 000000000000007f s10: 0000000000000000 +[ 0.045474][ T0] s11: 0000000000000000 t3 : 7fffffffffffffff t4 : 0000000000000000 +[ 0.045548][ T0] t5 : 0000000000000000 t6 : ffffffff814aa368 +[ 0.045620][ T0] status: 0000000200000100 badaddr: 00000000000000f8 cause: 000000000000000d +[ 0.046402][ T0] [] restore_all+0x12/0x6e + +This because the $fp(aka. $s0) register is not used as frame pointer in the +assembly entry code. + + resume_kernel: + REG_L s0, TASK_TI_PREEMPT_COUNT(tp) + bnez s0, restore_all + REG_L s0, TASK_TI_FLAGS(tp) + andi s0, s0, _TIF_NEED_RESCHED + beqz s0, restore_all + call preempt_schedule_irq + j restore_all + +To fix above issue, here we add one extra level wrapper for function +trace_hardirqs_{on,off}() so they can be safely called by low level entry +code. + +Signed-off-by: Changbin Du +Fixes: 3c4697982982 ("riscv: Enable LOCKDEP_SUPPORT & fixup TRACE_IRQFLAGS_SUPPORT") +Cc: stable@vger.kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/Makefile | 2 ++ + arch/riscv/kernel/entry.S | 10 +++++----- + arch/riscv/kernel/trace_irq.c | 27 +++++++++++++++++++++++++++ + arch/riscv/kernel/trace_irq.h | 11 +++++++++++ + 4 files changed, 45 insertions(+), 5 deletions(-) + create mode 100644 arch/riscv/kernel/trace_irq.c + create mode 100644 arch/riscv/kernel/trace_irq.h + +--- a/arch/riscv/kernel/Makefile ++++ b/arch/riscv/kernel/Makefile +@@ -50,6 +50,8 @@ obj-$(CONFIG_MODULE_SECTIONS) += module- + obj-$(CONFIG_FUNCTION_TRACER) += mcount.o ftrace.o + obj-$(CONFIG_DYNAMIC_FTRACE) += mcount-dyn.o + ++obj-$(CONFIG_TRACE_IRQFLAGS) += trace_irq.o ++ + obj-$(CONFIG_RISCV_BASE_PMU) += perf_event.o + obj-$(CONFIG_PERF_EVENTS) += perf_callchain.o + obj-$(CONFIG_HAVE_PERF_REGS) += perf_regs.o +--- a/arch/riscv/kernel/entry.S ++++ b/arch/riscv/kernel/entry.S +@@ -108,7 +108,7 @@ _save_context: + .option pop + + #ifdef CONFIG_TRACE_IRQFLAGS +- call trace_hardirqs_off ++ call __trace_hardirqs_off + #endif + + #ifdef CONFIG_CONTEXT_TRACKING +@@ -144,7 +144,7 @@ skip_context_tracking: + li t0, EXC_BREAKPOINT + beq s4, t0, 1f + #ifdef CONFIG_TRACE_IRQFLAGS +- call trace_hardirqs_on ++ call __trace_hardirqs_on + #endif + csrs CSR_STATUS, SR_IE + +@@ -235,7 +235,7 @@ ret_from_exception: + REG_L s0, PT_STATUS(sp) + csrc CSR_STATUS, SR_IE + #ifdef CONFIG_TRACE_IRQFLAGS +- call trace_hardirqs_off ++ call __trace_hardirqs_off + #endif + #ifdef CONFIG_RISCV_M_MODE + /* the MPP value is too large to be used as an immediate arg for addi */ +@@ -271,10 +271,10 @@ restore_all: + REG_L s1, PT_STATUS(sp) + andi t0, s1, SR_PIE + beqz t0, 1f +- call trace_hardirqs_on ++ call __trace_hardirqs_on + j 2f + 1: +- call trace_hardirqs_off ++ call __trace_hardirqs_off + 2: + #endif + REG_L a0, PT_STATUS(sp) +--- /dev/null ++++ b/arch/riscv/kernel/trace_irq.c +@@ -0,0 +1,27 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * Copyright (C) 2022 Changbin Du ++ */ ++ ++#include ++#include ++#include "trace_irq.h" ++ ++/* ++ * trace_hardirqs_on/off require the caller to setup frame pointer properly. ++ * Otherwise, CALLER_ADDR1 might trigger an pagging exception in kernel. ++ * Here we add one extra level so they can be safely called by low ++ * level entry code which $fp is used for other purpose. ++ */ ++ ++void __trace_hardirqs_on(void) ++{ ++ trace_hardirqs_on(); ++} ++NOKPROBE_SYMBOL(__trace_hardirqs_on); ++ ++void __trace_hardirqs_off(void) ++{ ++ trace_hardirqs_off(); ++} ++NOKPROBE_SYMBOL(__trace_hardirqs_off); +--- /dev/null ++++ b/arch/riscv/kernel/trace_irq.h +@@ -0,0 +1,11 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++/* ++ * Copyright (C) 2022 Changbin Du ++ */ ++#ifndef __TRACE_IRQ_H ++#define __TRACE_IRQ_H ++ ++void __trace_hardirqs_on(void); ++void __trace_hardirqs_off(void); ++ ++#endif /* __TRACE_IRQ_H */ diff --git a/queue-5.15/series b/queue-5.15/series index 12ac1262ba3..ef5ee0372d2 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -117,3 +117,12 @@ xhci-prevent-futile-urb-re-submissions-due-to-incorrect-return-value.patch nvmem-core-fix-a-conflict-between-mtd-and-nvmem-on-wp-gpios-property.patch mtd-core-fix-a-conflict-between-mtd-and-nvmem-on-wp-gpios-property.patch driver-core-free-dma-range-map-when-device-is-released.patch +btrfs-prevent-copying-too-big-compressed-lzo-segment.patch +rdma-cma-do-not-change-route.addr.src_addr-outside-state-checks.patch +thermal-int340x-fix-memory-leak-in-int3400_notify.patch +staging-fbtft-fb_st7789v-reset-display-before-initialization.patch +tps6598x-clear-int-mask-on-probe-failure.patch +ib-qib-fix-duplicate-sysfs-directory-name.patch +riscv-fix-nommu_k210_sdcard_defconfig.patch +riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch +tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch diff --git a/queue-5.15/staging-fbtft-fb_st7789v-reset-display-before-initialization.patch b/queue-5.15/staging-fbtft-fb_st7789v-reset-display-before-initialization.patch new file mode 100644 index 00000000000..4bc0c7c2ddd --- /dev/null +++ b/queue-5.15/staging-fbtft-fb_st7789v-reset-display-before-initialization.patch @@ -0,0 +1,33 @@ +From b6821b0d9b56386d2bf14806f90ec401468c799f Mon Sep 17 00:00:00 2001 +From: Oliver Graute +Date: Thu, 10 Feb 2022 09:53:22 +0100 +Subject: staging: fbtft: fb_st7789v: reset display before initialization + +From: Oliver Graute + +commit b6821b0d9b56386d2bf14806f90ec401468c799f upstream. + +In rare cases the display is flipped or mirrored. This was observed more +often in a low temperature environment. A clean reset on init_display() +should help to get registers in a sane state. + +Fixes: ef8f317795da (staging: fbtft: use init function instead of init sequence) +Cc: stable@vger.kernel.org +Signed-off-by: Oliver Graute +Link: https://lore.kernel.org/r/20220210085322.15676-1-oliver.graute@kococonnector.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fbtft/fb_st7789v.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/fbtft/fb_st7789v.c ++++ b/drivers/staging/fbtft/fb_st7789v.c +@@ -144,6 +144,8 @@ static int init_display(struct fbtft_par + { + int rc; + ++ par->fbtftops.reset(par); ++ + rc = init_tearing_effect_line(par); + if (rc) + return rc; diff --git a/queue-5.15/thermal-int340x-fix-memory-leak-in-int3400_notify.patch b/queue-5.15/thermal-int340x-fix-memory-leak-in-int3400_notify.patch new file mode 100644 index 00000000000..2f129cacd16 --- /dev/null +++ b/queue-5.15/thermal-int340x-fix-memory-leak-in-int3400_notify.patch @@ -0,0 +1,52 @@ +From 3abea10e6a8f0e7804ed4c124bea2d15aca977c8 Mon Sep 17 00:00:00 2001 +From: Chuansheng Liu +Date: Wed, 23 Feb 2022 08:20:24 +0800 +Subject: thermal: int340x: fix memory leak in int3400_notify() + +From: Chuansheng Liu + +commit 3abea10e6a8f0e7804ed4c124bea2d15aca977c8 upstream. + +It is easy to hit the below memory leaks in my TigerLake platform: + +unreferenced object 0xffff927c8b91dbc0 (size 32): + comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s) + hex dump (first 32 bytes): + 4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The + 72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk. + backtrace: + [] __kmalloc_track_caller+0x2fe/0x4a0 + [] kvasprintf+0x65/0xd0 + [] kasprintf+0x4e/0x70 + [] int3400_notify+0x82/0x120 [int3400_thermal] + [] acpi_ev_notify_dispatch+0x54/0x71 + [] acpi_os_execute_deferred+0x17/0x30 + [] process_one_work+0x21a/0x3f0 + [] worker_thread+0x4a/0x3b0 + [] kthread+0xfd/0x130 + [] ret_from_fork+0x1f/0x30 + +Fix it by calling kfree() accordingly. + +Fixes: 38e44da59130 ("thermal: int3400_thermal: process "thermal table changed" event") +Signed-off-by: Chuansheng Liu +Cc: 4.14+ # 4.14+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +@@ -405,6 +405,10 @@ static void int3400_notify(acpi_handle h + thermal_prop[3] = kasprintf(GFP_KERNEL, "EVENT=%d", therm_event); + thermal_prop[4] = NULL; + kobject_uevent_env(&priv->thermal->device.kobj, KOBJ_CHANGE, thermal_prop); ++ kfree(thermal_prop[0]); ++ kfree(thermal_prop[1]); ++ kfree(thermal_prop[2]); ++ kfree(thermal_prop[3]); + } + + static int int3400_thermal_get_temp(struct thermal_zone_device *thermal, diff --git a/queue-5.15/tps6598x-clear-int-mask-on-probe-failure.patch b/queue-5.15/tps6598x-clear-int-mask-on-probe-failure.patch new file mode 100644 index 00000000000..68ea0afa011 --- /dev/null +++ b/queue-5.15/tps6598x-clear-int-mask-on-probe-failure.patch @@ -0,0 +1,54 @@ +From aba2081e0a9c977396124aa6df93b55ed5912b19 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 15 Feb 2022 11:22:04 -0700 +Subject: tps6598x: clear int mask on probe failure + +From: Jens Axboe + +commit aba2081e0a9c977396124aa6df93b55ed5912b19 upstream. + +The interrupt mask is enabled before any potential failure points in +the driver, which can leave a failure path where we exit with +interrupts enabled but the device not live. This causes an infinite +stream of interrupts on an Apple M1 Pro laptop on USB-C. + +Add a failure label that's used post enabling interrupts, where we +mask them again before returning an error. + +Suggested-by: Sven Peter +Cc: stable +Reviewed-by: Heikki Krogerus +Signed-off-by: Jens Axboe +Link: https://lore.kernel.org/r/e6b80669-20f3-06e7-9ed5-8951a9c6db6f@kernel.dk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tipd/core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/tipd/core.c ++++ b/drivers/usb/typec/tipd/core.c +@@ -618,12 +618,12 @@ static int tps6598x_probe(struct i2c_cli + + ret = tps6598x_read32(tps, TPS_REG_STATUS, &status); + if (ret < 0) +- return ret; ++ goto err_clear_mask; + trace_tps6598x_status(status); + + ret = tps6598x_read32(tps, TPS_REG_SYSTEM_CONF, &conf); + if (ret < 0) +- return ret; ++ goto err_clear_mask; + + /* + * This fwnode has a "compatible" property, but is never populated as a +@@ -712,7 +712,8 @@ err_role_put: + usb_role_switch_put(tps->role_sw); + err_fwnode_put: + fwnode_handle_put(fwnode); +- ++err_clear_mask: ++ tps6598x_write64(tps, TPS_REG_INT_MASK1, 0); + return ret; + } + diff --git a/queue-5.15/tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch b/queue-5.15/tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch new file mode 100644 index 00000000000..ac9c22abce2 --- /dev/null +++ b/queue-5.15/tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch @@ -0,0 +1,44 @@ +From 737b0ef3be6b319d6c1fd64193d1603311969326 Mon Sep 17 00:00:00 2001 +From: "daniel.starke@siemens.com" +Date: Thu, 17 Feb 2022 23:31:17 -0800 +Subject: tty: n_gsm: fix encoding of control signal octet bit DV + +From: daniel.starke@siemens.com + +commit 737b0ef3be6b319d6c1fd64193d1603311969326 upstream. + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.4.6.3.7 describes the encoding of the +control signal octet used by the MSC (modem status command). The same +encoding is also used in convergence layer type 2 as described in chapter +5.5.2. Table 7 and 24 both require the DV (data valid) bit to be set 1 for +outgoing control signal octets sent by the DTE (data terminal equipment), +i.e. for the initiator side. +Currently, the DV bit is only set if CD (carrier detect) is on, regardless +of the side. + +This patch fixes this behavior by setting the DV bit on the initiator side +unconditionally. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220218073123.2121-1-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -435,7 +435,7 @@ static u8 gsm_encode_modem(const struct + modembits |= MDM_RTR; + if (dlci->modem_tx & TIOCM_RI) + modembits |= MDM_IC; +- if (dlci->modem_tx & TIOCM_CD) ++ if (dlci->modem_tx & TIOCM_CD || dlci->gsm->initiator) + modembits |= MDM_DV; + return modembits; + }