From: Greg Kroah-Hartman Date: Sun, 6 Feb 2022 12:59:15 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v4.9.300~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48f872f175f5e9e47482a0b97daf90a7808f48f2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: alsa-hda-fix-signedness-of-sscanf-arguments.patch alsa-hda-skip-codec-shutdown-in-case-the-codec-is-not-registered.patch alsa-usb-audio-initialize-variables-that-could-ignore-errors.patch asoc-codecs-lpass-rx-macro-fix-sidetone-register-offsets.patch asoc-codecs-wcd938x-fix-incorrect-used-of-portid.patch asoc-codecs-wcd938x-fix-return-value-of-mixer-put-function.patch asoc-cpcap-check-for-null-pointer-after-calling-of_get_child_by_name.patch asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch asoc-max9759-fix-underflow-in-speaker_gain_control_put.patch asoc-qdsp6-q6apm-dai-only-stop-graphs-that-are-started.patch asoc-rt5682-fix-deadlock-on-resume.patch asoc-simple-card-fix-probe-failure-on-platform-component.patch asoc-xilinx-xlnx_formatter_pcm-make-buffer-bytes-multiple-of-period-bytes.patch bpf-use-vm_map-instead-of-vm_alloc-for-ringbuf.patch btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch drm-amd-avoid-suspend-on-dgpus-w-s2idle-support-when-runtime-pm-enabled.patch drm-i915-lock-timeline-mutex-directly-in-error-path-of-eb_pin_timeline.patch drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch drm-kmb-fix-for-build-errors-with-warray-bounds.patch drm-mxsfb-fix-null-pointer-dereference.patch gve-fix-the-wrong-adminq-buffer-queue-index-check.patch ib-cm-release-previously-acquired-reference-counter-in-the-cm_id_priv.patch ib-hfi1-fix-tstats-alloc-and-dealloc.patch ib-rdmavt-validate-remote_addr-during-loopback-atomic-tests.patch iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch net-ieee802154-ca8210-stop-leaking-skb-s.patch net-ieee802154-hwsim-ensure-proper-channel-selection-at-probe-time.patch net-ieee802154-mcr20a-fix-lifs-sifs-periods.patch net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch net-macsec-fix-offload-support-for-netdev_unregister-event.patch net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch net-neigh-do-not-trigger-immediate-probes-on-nud_failed-from-neigh_managed_work.patch net-smc-forward-wakeup-to-smc-socket-waitqueue-after-fallback.patch net-stmmac-dump-gmac4-dma-registers-correctly.patch net-stmmac-dwmac-visconti-no-change-to-ether_clock_sel-for-unexpected-speed-request.patch net-stmmac-ensure-ptp-time-register-reads-are-consistent.patch net-stmmac-properly-handle-with-runtime-pm-in-stmmac_dvr_remove.patch netfilter-nft_reject_bridge-fix-for-missing-reply-from-prerouting.patch nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch pinctrl-bcm2835-fix-a-few-error-paths.patch pinctrl-intel-fix-a-glitch-when-updating-irq-flags-on-a-preconfigured-line.patch pinctrl-intel-fix-unexpected-interrupt.patch pinctrl-sunxi-fix-h616-i2s3-pin-data.patch rdma-cma-use-correct-address-when-leaving-multicast-group.patch rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch rdma-siw-fix-broken-rdma-read-fence-resume-logic.patch rdma-siw-fix-refcounting-leak-in-siw_create_qp.patch rdma-ucma-protect-mc-during-concurrent-multicast-leaves.patch scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch selftests-exec-remove-pipe-from-test_gen_files.patch selftests-futex-use-variable-make-instead-of-make.patch spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch spi-uniphier-fix-reference-count-leak-in-uniphier_spi_probe.patch tools-resolve_btfids-do-not-print-any-commands-when-building-silently.patch --- diff --git a/queue-5.16/alsa-hda-fix-signedness-of-sscanf-arguments.patch b/queue-5.16/alsa-hda-fix-signedness-of-sscanf-arguments.patch new file mode 100644 index 00000000000..59acb418e80 --- /dev/null +++ b/queue-5.16/alsa-hda-fix-signedness-of-sscanf-arguments.patch @@ -0,0 +1,33 @@ +From 0444f82766f0b5b9c8302ad802dafa5dd0e722d0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 27 Jan 2022 14:57:17 +0100 +Subject: ALSA: hda: Fix signedness of sscanf() arguments + +From: Takashi Iwai + +commit 0444f82766f0b5b9c8302ad802dafa5dd0e722d0 upstream. + +The %x format of sscanf() takes an unsigned int pointer, while we pass +a signed int pointer. Practically it's OK, but this may result in a +compile warning. Let's fix it. + +Fixes: a235d5b8e550 ("ALSA: hda: Allow model option to specify PCI SSID alias") +Reported-by: kernel test robot +Link: https://lore.kernel.org/r/20220127135717.31751-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_auto_parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_auto_parser.c ++++ b/sound/pci/hda/hda_auto_parser.c +@@ -985,7 +985,7 @@ void snd_hda_pick_fixup(struct hda_codec + int id = HDA_FIXUP_ID_NOT_SET; + const char *name = NULL; + const char *type = NULL; +- int vendor, device; ++ unsigned int vendor, device; + + if (codec->fixup_id != HDA_FIXUP_ID_NOT_SET) + return; diff --git a/queue-5.16/alsa-hda-skip-codec-shutdown-in-case-the-codec-is-not-registered.patch b/queue-5.16/alsa-hda-skip-codec-shutdown-in-case-the-codec-is-not-registered.patch new file mode 100644 index 00000000000..0115cb36c5c --- /dev/null +++ b/queue-5.16/alsa-hda-skip-codec-shutdown-in-case-the-codec-is-not-registered.patch @@ -0,0 +1,39 @@ +From 1c7f0e349aa5f8f80b1cac3d4917405332e14cdf Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Tue, 1 Feb 2022 13:21:44 +0200 +Subject: ALSA: hda: Skip codec shutdown in case the codec is not registered + +From: Peter Ujfalusi + +commit 1c7f0e349aa5f8f80b1cac3d4917405332e14cdf upstream. + +If the codec->registered is not set then it means that pm_runtime is +not yet enabled and the codec->pcm_list_head has not been initialized. + +The access to the not initialized pcm_list_head will lead a kernel crash +during shutdown. + +Reported-by: Guennadi Liakhovetski +Signed-off-by: Peter Ujfalusi +Tested-by: Guennadi Liakhovetski +Fixes: b98444ed597d ("ALSA: hda: Suspend codec at shutdown") +Link: https://lore.kernel.org/r/20220201112144.29411-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_codec.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -3000,6 +3000,10 @@ void snd_hda_codec_shutdown(struct hda_c + { + struct hda_pcm *cpcm; + ++ /* Skip the shutdown if codec is not registered */ ++ if (!codec->registered) ++ return; ++ + list_for_each_entry(cpcm, &codec->pcm_list_head, list) + snd_pcm_suspend_all(cpcm->pcm); + diff --git a/queue-5.16/alsa-usb-audio-initialize-variables-that-could-ignore-errors.patch b/queue-5.16/alsa-usb-audio-initialize-variables-that-could-ignore-errors.patch new file mode 100644 index 00000000000..2be591c09fa --- /dev/null +++ b/queue-5.16/alsa-usb-audio-initialize-variables-that-could-ignore-errors.patch @@ -0,0 +1,40 @@ +From 3da4b7403db87d39bc2613cfd790de1de99a70ab Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Wed, 26 Jan 2022 10:21:42 -0800 +Subject: ALSA: usb-audio: initialize variables that could ignore errors + +From: Tom Rix + +commit 3da4b7403db87d39bc2613cfd790de1de99a70ab upstream. + +clang static analysis reports this representative issue +mixer.c:1548:35: warning: Assigned value is garbage or undefined + ucontrol->value.integer.value[0] = val; + ^ ~~~ + +The filter_error() macro allows errors to be ignored. +If errors can be ignored, initialize variables +so garbage will not be used. + +Fixes: 48cc42973509 ("ALSA: usb-audio: Filter error from connector kctl ops, too") +Signed-off-by: Tom Rix +Link: https://lore.kernel.org/r/20220126182142.1184819-1-trix@redhat.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1526,6 +1526,10 @@ error: + usb_audio_err(chip, + "cannot get connectors status: req = %#x, wValue = %#x, wIndex = %#x, type = %d\n", + UAC_GET_CUR, validx, idx, cval->val_type); ++ ++ if (val) ++ *val = 0; ++ + return filter_error(cval, ret); + } + diff --git a/queue-5.16/asoc-codecs-lpass-rx-macro-fix-sidetone-register-offsets.patch b/queue-5.16/asoc-codecs-lpass-rx-macro-fix-sidetone-register-offsets.patch new file mode 100644 index 00000000000..927b2bc4129 --- /dev/null +++ b/queue-5.16/asoc-codecs-lpass-rx-macro-fix-sidetone-register-offsets.patch @@ -0,0 +1,54 @@ +From fca041a3ab70a099a6d5519ecb689b6279bd04f3 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 26 Jan 2022 11:35:47 +0000 +Subject: ASoC: codecs: lpass-rx-macro: fix sidetone register offsets + +From: Srinivas Kandagatla + +commit fca041a3ab70a099a6d5519ecb689b6279bd04f3 upstream. + +For some reason we ended up with incorrect register offfset calcuations +for sidetone. regmap clearly throw errors when accessing these incorrect +registers as these do not belong to any read/write ranges. +so fix them to point to correct register offsets. + +Fixes: f3ce6f3c9a99 ("ASoC: codecs: lpass-rx-macro: add iir widgets") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220126113549.8853-3-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/lpass-rx-macro.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/soc/codecs/lpass-rx-macro.c ++++ b/sound/soc/codecs/lpass-rx-macro.c +@@ -2688,8 +2688,8 @@ static uint32_t get_iir_band_coeff(struc + int reg, b2_reg; + + /* Address does not automatically update if reading */ +- reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B1_CTL + 16 * iir_idx; +- b2_reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B2_CTL + 16 * iir_idx; ++ reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B1_CTL + 0x80 * iir_idx; ++ b2_reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B2_CTL + 0x80 * iir_idx; + + snd_soc_component_write(component, reg, + ((band_idx * BAND_MAX + coeff_idx) * +@@ -2718,7 +2718,7 @@ static uint32_t get_iir_band_coeff(struc + static void set_iir_band_coeff(struct snd_soc_component *component, + int iir_idx, int band_idx, uint32_t value) + { +- int reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B2_CTL + 16 * iir_idx; ++ int reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B2_CTL + 0x80 * iir_idx; + + snd_soc_component_write(component, reg, (value & 0xFF)); + snd_soc_component_write(component, reg, (value >> 8) & 0xFF); +@@ -2739,7 +2739,7 @@ static int rx_macro_put_iir_band_audio_m + int iir_idx = ctl->iir_idx; + int band_idx = ctl->band_idx; + u32 coeff[BAND_MAX]; +- int reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B1_CTL + 16 * iir_idx; ++ int reg = CDC_RX_SIDETONE_IIR0_IIR_COEF_B1_CTL + 0x80 * iir_idx; + + memcpy(&coeff[0], ucontrol->value.bytes.data, params->max); + diff --git a/queue-5.16/asoc-codecs-wcd938x-fix-incorrect-used-of-portid.patch b/queue-5.16/asoc-codecs-wcd938x-fix-incorrect-used-of-portid.patch new file mode 100644 index 00000000000..5866681aa1b --- /dev/null +++ b/queue-5.16/asoc-codecs-wcd938x-fix-incorrect-used-of-portid.patch @@ -0,0 +1,104 @@ +From c5c1546a654f613e291a7c5d6f3660fc1eb6d0c7 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 26 Jan 2022 11:35:46 +0000 +Subject: ASoC: codecs: wcd938x: fix incorrect used of portid + +From: Srinivas Kandagatla + +commit c5c1546a654f613e291a7c5d6f3660fc1eb6d0c7 upstream. + +Mixer controls have the channel id in mixer->reg, which is not same +as port id. port id should be derived from chan_info array. +So fix this. Without this, its possible that we could corrupt +struct wcd938x_sdw_priv by accessing port_map array out of range +with channel id instead of port id. + +Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220126113549.8853-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -1432,14 +1432,10 @@ static int wcd938x_sdw_connect_port(stru + return 0; + } + +-static int wcd938x_connect_port(struct wcd938x_sdw_priv *wcd, u8 ch_id, u8 enable) ++static int wcd938x_connect_port(struct wcd938x_sdw_priv *wcd, u8 port_num, u8 ch_id, u8 enable) + { +- u8 port_num; +- +- port_num = wcd->ch_info[ch_id].port_num; +- + return wcd938x_sdw_connect_port(&wcd->ch_info[ch_id], +- &wcd->port_config[port_num], ++ &wcd->port_config[port_num - 1], + enable); + } + +@@ -2593,6 +2589,7 @@ static int wcd938x_set_compander(struct + struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); + struct wcd938x_sdw_priv *wcd; + int value = ucontrol->value.integer.value[0]; ++ int portidx; + struct soc_mixer_control *mc; + bool hphr; + +@@ -2606,10 +2603,12 @@ static int wcd938x_set_compander(struct + else + wcd938x->comp1_enable = value; + ++ portidx = wcd->ch_info[mc->reg].port_num; ++ + if (value) +- wcd938x_connect_port(wcd, mc->reg, true); ++ wcd938x_connect_port(wcd, portidx, mc->reg, true); + else +- wcd938x_connect_port(wcd, mc->reg, false); ++ wcd938x_connect_port(wcd, portidx, mc->reg, false); + + return 0; + } +@@ -2882,9 +2881,11 @@ static int wcd938x_get_swr_port(struct s + struct wcd938x_sdw_priv *wcd; + struct soc_mixer_control *mixer = (struct soc_mixer_control *)kcontrol->private_value; + int dai_id = mixer->shift; +- int portidx = mixer->reg; ++ int portidx, ch_idx = mixer->reg; ++ + + wcd = wcd938x->sdw_priv[dai_id]; ++ portidx = wcd->ch_info[ch_idx].port_num; + + ucontrol->value.integer.value[0] = wcd->port_enable[portidx]; + +@@ -2899,12 +2900,14 @@ static int wcd938x_set_swr_port(struct s + struct wcd938x_sdw_priv *wcd; + struct soc_mixer_control *mixer = + (struct soc_mixer_control *)kcontrol->private_value; +- int portidx = mixer->reg; ++ int ch_idx = mixer->reg; ++ int portidx; + int dai_id = mixer->shift; + bool enable; + + wcd = wcd938x->sdw_priv[dai_id]; + ++ portidx = wcd->ch_info[ch_idx].port_num; + if (ucontrol->value.integer.value[0]) + enable = true; + else +@@ -2912,7 +2915,7 @@ static int wcd938x_set_swr_port(struct s + + wcd->port_enable[portidx] = enable; + +- wcd938x_connect_port(wcd, portidx, enable); ++ wcd938x_connect_port(wcd, portidx, ch_idx, enable); + + return 0; + diff --git a/queue-5.16/asoc-codecs-wcd938x-fix-return-value-of-mixer-put-function.patch b/queue-5.16/asoc-codecs-wcd938x-fix-return-value-of-mixer-put-function.patch new file mode 100644 index 00000000000..3e6d5e7d1da --- /dev/null +++ b/queue-5.16/asoc-codecs-wcd938x-fix-return-value-of-mixer-put-function.patch @@ -0,0 +1,51 @@ +From bd2347fd67d8da0fa76296507cc556da0a233bcb Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 26 Jan 2022 11:35:48 +0000 +Subject: ASoC: codecs: wcd938x: fix return value of mixer put function + +From: Srinivas Kandagatla + +commit bd2347fd67d8da0fa76296507cc556da0a233bcb upstream. + +wcd938x_ear_pa_put_gain, wcd938x_set_swr_port and wcd938x_set_compander +currently returns zero eventhough it changes the value. +Fix this, so that change notifications are sent correctly. + +Fixes: e8ba1e05bdc01 ("ASoC: codecs: wcd938x: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220126113549.8853-4-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2559,7 +2559,7 @@ static int wcd938x_ear_pa_put_gain(struc + WCD938X_EAR_GAIN_MASK, + ucontrol->value.integer.value[0]); + +- return 0; ++ return 1; + } + + static int wcd938x_get_compander(struct snd_kcontrol *kcontrol, +@@ -2610,7 +2610,7 @@ static int wcd938x_set_compander(struct + else + wcd938x_connect_port(wcd, portidx, mc->reg, false); + +- return 0; ++ return 1; + } + + static int wcd938x_ldoh_get(struct snd_kcontrol *kcontrol, +@@ -2917,7 +2917,7 @@ static int wcd938x_set_swr_port(struct s + + wcd938x_connect_port(wcd, portidx, ch_idx, enable); + +- return 0; ++ return 1; + + } + diff --git a/queue-5.16/asoc-cpcap-check-for-null-pointer-after-calling-of_get_child_by_name.patch b/queue-5.16/asoc-cpcap-check-for-null-pointer-after-calling-of_get_child_by_name.patch new file mode 100644 index 00000000000..68a3fc22c5f --- /dev/null +++ b/queue-5.16/asoc-cpcap-check-for-null-pointer-after-calling-of_get_child_by_name.patch @@ -0,0 +1,36 @@ +From f7a6021aaf02088870559f82fc13c58cda7fea1a Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Tue, 11 Jan 2022 10:50:48 +0800 +Subject: ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name + +From: Jiasheng Jiang + +commit f7a6021aaf02088870559f82fc13c58cda7fea1a upstream. + +If the device does not exist, of_get_child_by_name() will return NULL +pointer. +And devm_snd_soc_register_component() does not check it. +Also, I have noticed that cpcap_codec_driver has not been used yet. +Therefore, it should be better to check it in order to avoid the future +dereference of the NULL pointer. + +Fixes: f6cdf2d3445d ("ASoC: cpcap: new codec") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220111025048.524134-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/cpcap.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/cpcap.c ++++ b/sound/soc/codecs/cpcap.c +@@ -1667,6 +1667,8 @@ static int cpcap_codec_probe(struct plat + { + struct device_node *codec_node = + of_get_child_by_name(pdev->dev.parent->of_node, "audio-codec"); ++ if (!codec_node) ++ return -ENODEV; + + pdev->dev.of_node = codec_node; + diff --git a/queue-5.16/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch b/queue-5.16/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch new file mode 100644 index 00000000000..cf5abd02742 --- /dev/null +++ b/queue-5.16/asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch @@ -0,0 +1,48 @@ +From fb25621da5702c104ce0a48de5b174ced09e5b4e Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 27 Jan 2022 13:13:34 +0000 +Subject: ASoC: fsl: Add missing error handling in pcm030_fabric_probe + +From: Miaoqian Lin + +commit fb25621da5702c104ce0a48de5b174ced09e5b4e upstream. + +Add the missing platform_device_put() and platform_device_del() +before return from pcm030_fabric_probe in the error handling case. + +Fixes: c912fa913446 ("ASoC: fsl: register the wm9712-codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220127131336.30214-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/pcm030-audio-fabric.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/sound/soc/fsl/pcm030-audio-fabric.c ++++ b/sound/soc/fsl/pcm030-audio-fabric.c +@@ -93,16 +93,21 @@ static int pcm030_fabric_probe(struct pl + dev_err(&op->dev, "platform_device_alloc() failed\n"); + + ret = platform_device_add(pdata->codec_device); +- if (ret) ++ if (ret) { + dev_err(&op->dev, "platform_device_add() failed: %d\n", ret); ++ platform_device_put(pdata->codec_device); ++ } + + ret = snd_soc_register_card(card); +- if (ret) ++ if (ret) { + dev_err(&op->dev, "snd_soc_register_card() failed: %d\n", ret); ++ platform_device_del(pdata->codec_device); ++ platform_device_put(pdata->codec_device); ++ } + + platform_set_drvdata(op, pdata); +- + return ret; ++ + } + + static int pcm030_fabric_remove(struct platform_device *op) diff --git a/queue-5.16/asoc-max9759-fix-underflow-in-speaker_gain_control_put.patch b/queue-5.16/asoc-max9759-fix-underflow-in-speaker_gain_control_put.patch new file mode 100644 index 00000000000..24d66558c9a --- /dev/null +++ b/queue-5.16/asoc-max9759-fix-underflow-in-speaker_gain_control_put.patch @@ -0,0 +1,36 @@ +From 4c907bcd9dcd233da6707059d777ab389dcbd964 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 19 Jan 2022 15:31:01 +0300 +Subject: ASoC: max9759: fix underflow in speaker_gain_control_put() + +From: Dan Carpenter + +commit 4c907bcd9dcd233da6707059d777ab389dcbd964 upstream. + +Check for negative values of "priv->gain" to prevent an out of bounds +access. The concern is that these might come from the user via: + -> snd_ctl_elem_write_user() + -> snd_ctl_elem_write() + -> kctl->put() + +Fixes: fa8d915172b8 ("ASoC: max9759: Add Amplifier Driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20220119123101.GA9509@kili +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/max9759.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/codecs/max9759.c ++++ b/sound/soc/codecs/max9759.c +@@ -64,7 +64,8 @@ static int speaker_gain_control_put(stru + struct snd_soc_component *c = snd_soc_kcontrol_component(kcontrol); + struct max9759 *priv = snd_soc_component_get_drvdata(c); + +- if (ucontrol->value.integer.value[0] > 3) ++ if (ucontrol->value.integer.value[0] < 0 || ++ ucontrol->value.integer.value[0] > 3) + return -EINVAL; + + priv->gain = ucontrol->value.integer.value[0]; diff --git a/queue-5.16/asoc-qdsp6-q6apm-dai-only-stop-graphs-that-are-started.patch b/queue-5.16/asoc-qdsp6-q6apm-dai-only-stop-graphs-that-are-started.patch new file mode 100644 index 00000000000..f9d8172be57 --- /dev/null +++ b/queue-5.16/asoc-qdsp6-q6apm-dai-only-stop-graphs-that-are-started.patch @@ -0,0 +1,41 @@ +From 8f2e5c65ec7534cce6d315fccf2c3aef023f68f0 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Wed, 26 Jan 2022 11:35:49 +0000 +Subject: ASoC: qdsp6: q6apm-dai: only stop graphs that are started + +From: Srinivas Kandagatla + +commit 8f2e5c65ec7534cce6d315fccf2c3aef023f68f0 upstream. + +Its possible that the sound card is just opened and closed without actually +playing stream, ex: if the audio file itself is missing. + +Even in such cases we do call stop on graphs that are not yet started. +DSP can throw errors in such cases, so add a check to see if the graph +was started before stopping it. + +Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220126113549.8853-5-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-dai.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6apm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c +@@ -308,8 +308,11 @@ static int q6apm_dai_close(struct snd_so + struct snd_pcm_runtime *runtime = substream->runtime; + struct q6apm_dai_rtd *prtd = runtime->private_data; + +- q6apm_graph_stop(prtd->graph); +- q6apm_unmap_memory_regions(prtd->graph, substream->stream); ++ if (prtd->state) { /* only stop graph that is started */ ++ q6apm_graph_stop(prtd->graph); ++ q6apm_unmap_memory_regions(prtd->graph, substream->stream); ++ } ++ + q6apm_graph_close(prtd->graph); + prtd->graph = NULL; + kfree(prtd); diff --git a/queue-5.16/asoc-rt5682-fix-deadlock-on-resume.patch b/queue-5.16/asoc-rt5682-fix-deadlock-on-resume.patch new file mode 100644 index 00000000000..3dded091096 --- /dev/null +++ b/queue-5.16/asoc-rt5682-fix-deadlock-on-resume.patch @@ -0,0 +1,191 @@ +From 4045daf0fa87846a27f56329fddad2deeb5ca354 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 26 Jan 2022 12:03:25 +0200 +Subject: ASoC: rt5682: Fix deadlock on resume + +From: Peter Ujfalusi + +commit 4045daf0fa87846a27f56329fddad2deeb5ca354 upstream. + +On resume from suspend the following chain of events can happen: +A rt5682_resume() -> mod_delayed_work() for jack_detect_work +B DAPM sequence starts ( DAPM is locked now) + +A1. rt5682_jack_detect_handler() scheduled + - Takes both jdet_mutex and calibrate_mutex + - Calls in to rt5682_headset_detect() which tries to take DAPM lock, it + starts to wait for it as B path took it already. +B1. DAPM sequence reaches the "HP Amp", rt5682_hp_event() tries to take + the jdet_mutex, but it is locked in A1, so it waits. + +Deadlock. + +To solve the deadlock, drop the jdet_mutex, use the jack_detect_work to do +the jack removal handling, move the dapm lock up one level to protect the +most of the rt5682_jack_detect_handler(), but not the jack reporting as it +might trigger a DAPM sequence. +The rt5682_headset_detect() can be changed to static as well. + +Fixes: 8deb34a90f063 ("ASoC: rt5682: fix the wrong jack type detected") +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20220126100325.16513-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5682-i2c.c | 15 ++++----------- + sound/soc/codecs/rt5682.c | 24 ++++++++---------------- + sound/soc/codecs/rt5682.h | 2 -- + 3 files changed, 12 insertions(+), 29 deletions(-) + +--- a/sound/soc/codecs/rt5682-i2c.c ++++ b/sound/soc/codecs/rt5682-i2c.c +@@ -59,18 +59,12 @@ static void rt5682_jd_check_handler(stru + struct rt5682_priv *rt5682 = container_of(work, struct rt5682_priv, + jd_check_work.work); + +- if (snd_soc_component_read(rt5682->component, RT5682_AJD1_CTRL) +- & RT5682_JDH_RS_MASK) { ++ if (snd_soc_component_read(rt5682->component, RT5682_AJD1_CTRL) & RT5682_JDH_RS_MASK) + /* jack out */ +- rt5682->jack_type = rt5682_headset_detect(rt5682->component, 0); +- +- snd_soc_jack_report(rt5682->hs_jack, rt5682->jack_type, +- SND_JACK_HEADSET | +- SND_JACK_BTN_0 | SND_JACK_BTN_1 | +- SND_JACK_BTN_2 | SND_JACK_BTN_3); +- } else { ++ mod_delayed_work(system_power_efficient_wq, ++ &rt5682->jack_detect_work, 0); ++ else + schedule_delayed_work(&rt5682->jd_check_work, 500); +- } + } + + static irqreturn_t rt5682_irq(int irq, void *data) +@@ -198,7 +192,6 @@ static int rt5682_i2c_probe(struct i2c_c + } + + mutex_init(&rt5682->calibrate_mutex); +- mutex_init(&rt5682->jdet_mutex); + rt5682_calibrate(rt5682); + + rt5682_apply_patch_list(rt5682, &i2c->dev); +--- a/sound/soc/codecs/rt5682.c ++++ b/sound/soc/codecs/rt5682.c +@@ -922,15 +922,13 @@ static void rt5682_enable_push_button_ir + * + * Returns detect status. + */ +-int rt5682_headset_detect(struct snd_soc_component *component, int jack_insert) ++static int rt5682_headset_detect(struct snd_soc_component *component, int jack_insert) + { + struct rt5682_priv *rt5682 = snd_soc_component_get_drvdata(component); + struct snd_soc_dapm_context *dapm = &component->dapm; + unsigned int val, count; + + if (jack_insert) { +- snd_soc_dapm_mutex_lock(dapm); +- + snd_soc_component_update_bits(component, RT5682_PWR_ANLG_1, + RT5682_PWR_VREF2 | RT5682_PWR_MB, + RT5682_PWR_VREF2 | RT5682_PWR_MB); +@@ -981,8 +979,6 @@ int rt5682_headset_detect(struct snd_soc + snd_soc_component_update_bits(component, RT5682_MICBIAS_2, + RT5682_PWR_CLK25M_MASK | RT5682_PWR_CLK1M_MASK, + RT5682_PWR_CLK25M_PU | RT5682_PWR_CLK1M_PU); +- +- snd_soc_dapm_mutex_unlock(dapm); + } else { + rt5682_enable_push_button_irq(component, false); + snd_soc_component_update_bits(component, RT5682_CBJ_CTRL_1, +@@ -1011,7 +1007,6 @@ int rt5682_headset_detect(struct snd_soc + dev_dbg(component->dev, "jack_type = %d\n", rt5682->jack_type); + return rt5682->jack_type; + } +-EXPORT_SYMBOL_GPL(rt5682_headset_detect); + + static int rt5682_set_jack_detect(struct snd_soc_component *component, + struct snd_soc_jack *hs_jack, void *data) +@@ -1094,6 +1089,7 @@ void rt5682_jack_detect_handler(struct w + { + struct rt5682_priv *rt5682 = + container_of(work, struct rt5682_priv, jack_detect_work.work); ++ struct snd_soc_dapm_context *dapm; + int val, btn_type; + + while (!rt5682->component) +@@ -1102,7 +1098,9 @@ void rt5682_jack_detect_handler(struct w + while (!rt5682->component->card->instantiated) + usleep_range(10000, 15000); + +- mutex_lock(&rt5682->jdet_mutex); ++ dapm = snd_soc_component_get_dapm(rt5682->component); ++ ++ snd_soc_dapm_mutex_lock(dapm); + mutex_lock(&rt5682->calibrate_mutex); + + val = snd_soc_component_read(rt5682->component, RT5682_AJD1_CTRL) +@@ -1162,6 +1160,9 @@ void rt5682_jack_detect_handler(struct w + rt5682->irq_work_delay_time = 50; + } + ++ mutex_unlock(&rt5682->calibrate_mutex); ++ snd_soc_dapm_mutex_unlock(dapm); ++ + snd_soc_jack_report(rt5682->hs_jack, rt5682->jack_type, + SND_JACK_HEADSET | + SND_JACK_BTN_0 | SND_JACK_BTN_1 | +@@ -1174,9 +1175,6 @@ void rt5682_jack_detect_handler(struct w + else + cancel_delayed_work_sync(&rt5682->jd_check_work); + } +- +- mutex_unlock(&rt5682->calibrate_mutex); +- mutex_unlock(&rt5682->jdet_mutex); + } + EXPORT_SYMBOL_GPL(rt5682_jack_detect_handler); + +@@ -1526,7 +1524,6 @@ static int rt5682_hp_event(struct snd_so + { + struct snd_soc_component *component = + snd_soc_dapm_to_component(w->dapm); +- struct rt5682_priv *rt5682 = snd_soc_component_get_drvdata(component); + + switch (event) { + case SND_SOC_DAPM_PRE_PMU: +@@ -1538,17 +1535,12 @@ static int rt5682_hp_event(struct snd_so + RT5682_DEPOP_1, 0x60, 0x60); + snd_soc_component_update_bits(component, + RT5682_DAC_ADC_DIG_VOL1, 0x00c0, 0x0080); +- +- mutex_lock(&rt5682->jdet_mutex); +- + snd_soc_component_update_bits(component, RT5682_HP_CTRL_2, + RT5682_HP_C2_DAC_L_EN | RT5682_HP_C2_DAC_R_EN, + RT5682_HP_C2_DAC_L_EN | RT5682_HP_C2_DAC_R_EN); + usleep_range(5000, 10000); + snd_soc_component_update_bits(component, RT5682_CHARGE_PUMP_1, + RT5682_CP_SW_SIZE_MASK, RT5682_CP_SW_SIZE_L); +- +- mutex_unlock(&rt5682->jdet_mutex); + break; + + case SND_SOC_DAPM_POST_PMD: +--- a/sound/soc/codecs/rt5682.h ++++ b/sound/soc/codecs/rt5682.h +@@ -1463,7 +1463,6 @@ struct rt5682_priv { + + int jack_type; + int irq_work_delay_time; +- struct mutex jdet_mutex; + }; + + extern const char *rt5682_supply_names[RT5682_NUM_SUPPLIES]; +@@ -1473,7 +1472,6 @@ int rt5682_sel_asrc_clk_src(struct snd_s + + void rt5682_apply_patch_list(struct rt5682_priv *rt5682, struct device *dev); + +-int rt5682_headset_detect(struct snd_soc_component *component, int jack_insert); + void rt5682_jack_detect_handler(struct work_struct *work); + + bool rt5682_volatile_register(struct device *dev, unsigned int reg); diff --git a/queue-5.16/asoc-simple-card-fix-probe-failure-on-platform-component.patch b/queue-5.16/asoc-simple-card-fix-probe-failure-on-platform-component.patch new file mode 100644 index 00000000000..859267185b8 --- /dev/null +++ b/queue-5.16/asoc-simple-card-fix-probe-failure-on-platform-component.patch @@ -0,0 +1,69 @@ +From a64067f4cecaaa4deed8e33d3266bc0bcc189142 Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Fri, 7 Jan 2022 15:47:10 -0600 +Subject: ASoC: simple-card: fix probe failure on platform component + +From: Robert Hancock + +commit a64067f4cecaaa4deed8e33d3266bc0bcc189142 upstream. + +A previous change to simple-card resulted in asoc_simple_parse_dai +attempting to retrieve the dai_name for platform components, which are +unlikely to have a valid DAI name. This caused simple-card to fail to +probe when using the xlnx_formatter_pcm as the platform component, since +it does not register any DAI components. + +Since the dai_name is not used for platform components, just skip trying +to retrieve it for those. + +Fixes: f107294c6422 ("ASoC: simple-card: support snd_soc_dai_link_component style for cpu") +Signed-off-by: Robert Hancock +Link: https://lore.kernel.org/r/20220107214711.1100162-6-robert.hancock@calian.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/generic/simple-card.c | 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +--- a/sound/soc/generic/simple-card.c ++++ b/sound/soc/generic/simple-card.c +@@ -28,6 +28,30 @@ static const struct snd_soc_ops simple_o + .hw_params = asoc_simple_hw_params, + }; + ++static int asoc_simple_parse_platform(struct device_node *node, ++ struct snd_soc_dai_link_component *dlc) ++{ ++ struct of_phandle_args args; ++ int ret; ++ ++ if (!node) ++ return 0; ++ ++ /* ++ * Get node via "sound-dai = <&phandle port>" ++ * it will be used as xxx_of_node on soc_bind_dai_link() ++ */ ++ ret = of_parse_phandle_with_args(node, DAI, CELL, 0, &args); ++ if (ret) ++ return ret; ++ ++ /* dai_name is not required and may not exist for plat component */ ++ ++ dlc->of_node = args.np; ++ ++ return 0; ++} ++ + static int asoc_simple_parse_dai(struct device_node *node, + struct snd_soc_dai_link_component *dlc, + int *is_single_link) +@@ -289,7 +313,7 @@ static int simple_dai_link_of(struct aso + if (ret < 0) + goto dai_link_of_err; + +- ret = asoc_simple_parse_dai(plat, platforms, NULL); ++ ret = asoc_simple_parse_platform(plat, platforms); + if (ret < 0) + goto dai_link_of_err; + diff --git a/queue-5.16/asoc-xilinx-xlnx_formatter_pcm-make-buffer-bytes-multiple-of-period-bytes.patch b/queue-5.16/asoc-xilinx-xlnx_formatter_pcm-make-buffer-bytes-multiple-of-period-bytes.patch new file mode 100644 index 00000000000..4c7cf7daeed --- /dev/null +++ b/queue-5.16/asoc-xilinx-xlnx_formatter_pcm-make-buffer-bytes-multiple-of-period-bytes.patch @@ -0,0 +1,90 @@ +From e958b5884725dac86d36c1e7afe5a55f31feb0b2 Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Fri, 7 Jan 2022 15:47:06 -0600 +Subject: ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes + +From: Robert Hancock + +commit e958b5884725dac86d36c1e7afe5a55f31feb0b2 upstream. + +This patch is based on one in the Xilinx kernel tree, "ASoc: xlnx: Make +buffer bytes multiple of period bytes" by Devarsh Thakkar. The same +issue exists in the mainline version of the driver. The original +patch description is as follows: + +"The Xilinx Audio Formatter IP has a constraint on period +bytes to be multiple of 64. This leads to driver changing +the period size to suitable frames such that period bytes +are multiple of 64. + +Now since period bytes and period size are updated but not +the buffer bytes, this may make the buffer bytes unaligned +and not multiple of period bytes. + +When this happens we hear popping noise as while DMA is being +done the buffer bytes are not enough to complete DMA access +for last period of frame within the application buffer boundary. + +To avoid this, align buffer bytes too as multiple of 64, and +set another constraint to always enforce number of periods as +integer. Now since, there is already a rule in alsa core +to enforce Buffer size = Number of Periods * Period Size +this automatically aligns buffer bytes as multiple of period +bytes." + +Fixes: 6f6c3c36f091 ("ASoC: xlnx: add pcm formatter platform driver") +Cc: Devarsh Thakkar +Signed-off-by: Robert Hancock +Link: https://lore.kernel.org/r/20220107214711.1100162-2-robert.hancock@calian.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/xilinx/xlnx_formatter_pcm.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +--- a/sound/soc/xilinx/xlnx_formatter_pcm.c ++++ b/sound/soc/xilinx/xlnx_formatter_pcm.c +@@ -37,6 +37,7 @@ + #define XLNX_AUD_XFER_COUNT 0x28 + #define XLNX_AUD_CH_STS_START 0x2C + #define XLNX_BYTES_PER_CH 0x44 ++#define XLNX_AUD_ALIGN_BYTES 64 + + #define AUD_STS_IOC_IRQ_MASK BIT(31) + #define AUD_STS_CH_STS_MASK BIT(29) +@@ -368,12 +369,32 @@ static int xlnx_formatter_pcm_open(struc + snd_soc_set_runtime_hwparams(substream, &xlnx_pcm_hardware); + runtime->private_data = stream_data; + +- /* Resize the period size divisible by 64 */ ++ /* Resize the period bytes as divisible by 64 */ + err = snd_pcm_hw_constraint_step(runtime, 0, +- SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 64); ++ SNDRV_PCM_HW_PARAM_PERIOD_BYTES, ++ XLNX_AUD_ALIGN_BYTES); + if (err) { + dev_err(component->dev, +- "unable to set constraint on period bytes\n"); ++ "Unable to set constraint on period bytes\n"); ++ return err; ++ } ++ ++ /* Resize the buffer bytes as divisible by 64 */ ++ err = snd_pcm_hw_constraint_step(runtime, 0, ++ SNDRV_PCM_HW_PARAM_BUFFER_BYTES, ++ XLNX_AUD_ALIGN_BYTES); ++ if (err) { ++ dev_err(component->dev, ++ "Unable to set constraint on buffer bytes\n"); ++ return err; ++ } ++ ++ /* Set periods as integer multiple */ ++ err = snd_pcm_hw_constraint_integer(runtime, ++ SNDRV_PCM_HW_PARAM_PERIODS); ++ if (err < 0) { ++ dev_err(component->dev, ++ "Unable to set constraint on periods to be integer\n"); + return err; + } + diff --git a/queue-5.16/bpf-use-vm_map-instead-of-vm_alloc-for-ringbuf.patch b/queue-5.16/bpf-use-vm_map-instead-of-vm_alloc-for-ringbuf.patch new file mode 100644 index 00000000000..5fc1de5d43c --- /dev/null +++ b/queue-5.16/bpf-use-vm_map-instead-of-vm_alloc-for-ringbuf.patch @@ -0,0 +1,42 @@ +From b293dcc473d22a62dc6d78de2b15e4f49515db56 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Wed, 2 Feb 2022 14:01:58 +0800 +Subject: bpf: Use VM_MAP instead of VM_ALLOC for ringbuf + +From: Hou Tao + +commit b293dcc473d22a62dc6d78de2b15e4f49515db56 upstream. + +After commit 2fd3fb0be1d1 ("kasan, vmalloc: unpoison VM_ALLOC pages +after mapping"), non-VM_ALLOC mappings will be marked as accessible +in __get_vm_area_node() when KASAN is enabled. But now the flag for +ringbuf area is VM_ALLOC, so KASAN will complain out-of-bound access +after vmap() returns. Because the ringbuf area is created by mapping +allocated pages, so use VM_MAP instead. + +After the change, info in /proc/vmallocinfo also changes from + [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmalloc user +to + [start]-[end] 24576 ringbuf_map_alloc+0x171/0x290 vmap user + +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Reported-by: syzbot+5ad567a418794b9b5983@syzkaller.appspotmail.com +Signed-off-by: Hou Tao +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220202060158.6260-1-houtao1@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/ringbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/ringbuf.c ++++ b/kernel/bpf/ringbuf.c +@@ -104,7 +104,7 @@ static struct bpf_ringbuf *bpf_ringbuf_a + } + + rb = vmap(pages, nr_meta_pages + 2 * nr_data_pages, +- VM_ALLOC | VM_USERMAP, PAGE_KERNEL); ++ VM_MAP | VM_USERMAP, PAGE_KERNEL); + if (rb) { + kmemleak_not_leak(pages); + rb->pages = pages; diff --git a/queue-5.16/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch b/queue-5.16/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch new file mode 100644 index 00000000000..958c9b7e779 --- /dev/null +++ b/queue-5.16/btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch @@ -0,0 +1,38 @@ +From 37b4599547e324589e011c20f74b021d6d25cb7f Mon Sep 17 00:00:00 2001 +From: Tom Rix +Date: Fri, 21 Jan 2022 05:45:22 -0800 +Subject: btrfs: fix use of uninitialized variable at rm device ioctl + +From: Tom Rix + +commit 37b4599547e324589e011c20f74b021d6d25cb7f upstream. + +Clang static analysis reports this problem +ioctl.c:3333:8: warning: 3rd function call argument is an + uninitialized value + ret = exclop_start_or_cancel_reloc(fs_info, + +cancel is only set in one branch of an if-check and is always used. So +initialize to false. + +Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls") +Reviewed-by: Filipe Manana +Reviewed-by: Anand Jain +Signed-off-by: Tom Rix +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3310,7 +3310,7 @@ static long btrfs_ioctl_rm_dev(struct fi + struct block_device *bdev = NULL; + fmode_t mode; + int ret; +- bool cancel; ++ bool cancel = false; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; diff --git a/queue-5.16/drm-amd-avoid-suspend-on-dgpus-w-s2idle-support-when-runtime-pm-enabled.patch b/queue-5.16/drm-amd-avoid-suspend-on-dgpus-w-s2idle-support-when-runtime-pm-enabled.patch new file mode 100644 index 00000000000..8f6dff60213 --- /dev/null +++ b/queue-5.16/drm-amd-avoid-suspend-on-dgpus-w-s2idle-support-when-runtime-pm-enabled.patch @@ -0,0 +1,35 @@ +From e55a3aea418269266d84f426b3bd70794d3389c8 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Tue, 25 Jan 2022 21:46:58 -0600 +Subject: drm/amd: avoid suspend on dGPUs w/ s2idle support when runtime PM enabled + +From: Mario Limonciello + +commit e55a3aea418269266d84f426b3bd70794d3389c8 upstream. + +dGPUs connected to Intel systems configured for suspend to idle +will not have the power rails cut at suspend and resetting the GPU +may lead to problematic behaviors. + +Fixes: e25443d2765f4 ("drm/amdgpu: add a dev_pm_ops prepare callback (v2)") +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1879 +Reviewed-by: Alex Deucher +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -2241,8 +2241,7 @@ static int amdgpu_pmops_prepare(struct d + * DPM_FLAG_SMART_SUSPEND works properly + */ + if (amdgpu_device_supports_boco(drm_dev)) +- return pm_runtime_suspended(dev) && +- pm_suspend_via_firmware(); ++ return pm_runtime_suspended(dev); + + return 0; + } diff --git a/queue-5.16/drm-i915-lock-timeline-mutex-directly-in-error-path-of-eb_pin_timeline.patch b/queue-5.16/drm-i915-lock-timeline-mutex-directly-in-error-path-of-eb_pin_timeline.patch new file mode 100644 index 00000000000..0d259b92b6d --- /dev/null +++ b/queue-5.16/drm-i915-lock-timeline-mutex-directly-in-error-path-of-eb_pin_timeline.patch @@ -0,0 +1,50 @@ +From 5ae13c305ef8cb54efc4f0ba4565709b9f320fed Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Tue, 11 Jan 2022 08:39:29 -0800 +Subject: drm/i915: Lock timeline mutex directly in error path of eb_pin_timeline + +From: Matthew Brost + +commit 5ae13c305ef8cb54efc4f0ba4565709b9f320fed upstream. + +Don't use the interruptable version of the timeline mutex lock in the +error path of eb_pin_timeline as the cleanup must always happen. + +v2: + (John Harrison) + - Don't check for interrupt during mutex lock +v3: + (Tvrtko) + - A comment explaining why lock helper isn't used + +Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf") +Signed-off-by: Matthew Brost +Reviewed-by: John Harrison +Signed-off-by: John Harrison +Link: https://patchwork.freedesktop.org/patch/msgid/20220111163929.14017-1-matthew.brost@intel.com +(cherry picked from commit cb935c4618bd2ff9058feee4af7088446da6a763) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c +@@ -2372,9 +2372,14 @@ static int eb_pin_timeline(struct i915_e + timeout) < 0) { + i915_request_put(rq); + +- tl = intel_context_timeline_lock(ce); ++ /* ++ * Error path, cannot use intel_context_timeline_lock as ++ * that is user interruptable and this clean up step ++ * must be done. ++ */ ++ mutex_lock(&ce->timeline->mutex); + intel_context_exit(ce); +- intel_context_timeline_unlock(tl); ++ mutex_unlock(&ce->timeline->mutex); + + if (nonblock) + return -EWOULDBLOCK; diff --git a/queue-5.16/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch b/queue-5.16/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch new file mode 100644 index 00000000000..69404b8ad4f --- /dev/null +++ b/queue-5.16/drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch @@ -0,0 +1,44 @@ +From 90a3d22ff02b196d5884e111f39271a1d4ee8e3e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 24 Jan 2022 15:24:09 +0300 +Subject: drm/i915/overlay: Prevent divide by zero bugs in scaling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +commit 90a3d22ff02b196d5884e111f39271a1d4ee8e3e upstream. + +Smatch detected a divide by zero bug in check_overlay_scaling(). + + drivers/gpu/drm/i915/display/intel_overlay.c:976 check_overlay_scaling() + error: potential divide by zero bug '/ rec->dst_height'. + drivers/gpu/drm/i915/display/intel_overlay.c:980 check_overlay_scaling() + error: potential divide by zero bug '/ rec->dst_width'. + +Prevent this by ensuring that the dst height and width are non-zero. + +Fixes: 02e792fbaadb ("drm/i915: implement drmmode overlay support v4") +Signed-off-by: Dan Carpenter +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220124122409.GA31673@kili +(cherry picked from commit cf5b64f7f10b28bebb9b7c9d25e7aee5cbe43918) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_overlay.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_overlay.c ++++ b/drivers/gpu/drm/i915/display/intel_overlay.c +@@ -959,6 +959,9 @@ static int check_overlay_dst(struct inte + const struct intel_crtc_state *pipe_config = + overlay->crtc->config; + ++ if (rec->dst_height == 0 || rec->dst_width == 0) ++ return -EINVAL; ++ + if (rec->dst_x < pipe_config->pipe_src_w && + rec->dst_x + rec->dst_width <= pipe_config->pipe_src_w && + rec->dst_y < pipe_config->pipe_src_h && diff --git a/queue-5.16/drm-kmb-fix-for-build-errors-with-warray-bounds.patch b/queue-5.16/drm-kmb-fix-for-build-errors-with-warray-bounds.patch new file mode 100644 index 00000000000..62095bd94b5 --- /dev/null +++ b/queue-5.16/drm-kmb-fix-for-build-errors-with-warray-bounds.patch @@ -0,0 +1,54 @@ +From 43f2517955875be5d96b641fba33d73097fe3cd9 Mon Sep 17 00:00:00 2001 +From: Anitha Chrisanthus +Date: Thu, 27 Jan 2022 10:45:46 -0800 +Subject: drm/kmb: Fix for build errors with Warray-bounds + +From: Anitha Chrisanthus + +commit 43f2517955875be5d96b641fba33d73097fe3cd9 upstream. + +This fixes the following build error + +drivers/gpu/drm/kmb/kmb_plane.c: In function 'kmb_plane_atomic_disable': +drivers/gpu/drm/kmb/kmb_plane.c:165:34: error: array subscript 3 is above array bounds of 'struct layer_status[2]' [-Werror=array-bounds] + 165 | kmb->plane_status[plane_id].ctrl = + LCD_CTRL_GL2_ENABLE; + | ~~~~~~~~~~~~~~~~~^~~~~~~~~~ + In file included from drivers/gpu/drm/kmb/kmb_plane.c:17: + drivers/gpu/drm/kmb/kmb_drv.h:61:41: note: while referencing 'plane_status' + 61 | struct layer_status plane_status[KMB_MAX_PLANES]; + | ^~~~~~~~~~~~ + drivers/gpu/drm/kmb/kmb_plane.c:162:34: error: array subscript 2 is above array bounds of 'struct layer_status[2]' [-Werror=array-bounds] + 162 | kmb->plane_status[plane_id].ctrl = LCD_CTRL_GL1_ENABLE; + | ~~~~~~~~~~~~~~~~~^~~~~~~~~~ + In file included from + drivers/gpu/drm/kmb/kmb_plane.c:17: + drivers/gpu/drm/kmb/kmb_drv.h:61:41: note: while referencing 'plane_status' + 61 | struct layer_status plane_status[KMB_MAX_PLANES]; + | + ^~~~~~~~~~~~ + +Fixes: 7f7b96a8a0a1 ("drm/kmb: Add support for KeemBay Display") +Signed-off-by: Anitha Chrisanthus +Reviewed-by: Kees Cook +Link: https://patchwork.freedesktop.org/patch/msgid/20220127194227.2213608-1-anitha.chrisanthus@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/kmb/kmb_plane.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/gpu/drm/kmb/kmb_plane.c ++++ b/drivers/gpu/drm/kmb/kmb_plane.c +@@ -158,12 +158,6 @@ static void kmb_plane_atomic_disable(str + case LAYER_1: + kmb->plane_status[plane_id].ctrl = LCD_CTRL_VL2_ENABLE; + break; +- case LAYER_2: +- kmb->plane_status[plane_id].ctrl = LCD_CTRL_GL1_ENABLE; +- break; +- case LAYER_3: +- kmb->plane_status[plane_id].ctrl = LCD_CTRL_GL2_ENABLE; +- break; + } + + kmb->plane_status[plane_id].disable = true; diff --git a/queue-5.16/drm-mxsfb-fix-null-pointer-dereference.patch b/queue-5.16/drm-mxsfb-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..e3b00d02d47 --- /dev/null +++ b/queue-5.16/drm-mxsfb-fix-null-pointer-dereference.patch @@ -0,0 +1,37 @@ +From 622c9a3a7868e1eeca39c55305ca3ebec4742b64 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Wed, 2 Feb 2022 09:17:55 +0100 +Subject: drm: mxsfb: Fix NULL pointer dereference + +From: Alexander Stein + +commit 622c9a3a7868e1eeca39c55305ca3ebec4742b64 upstream. + +mxsfb should not ever dereference the NULL pointer which +drm_atomic_get_new_bridge_state is allowed to return. +Assume a fixed format instead. + +Fixes: b776b0f00f24 ("drm: mxsfb: Use bus_format from the nearest bridge if present") +Signed-off-by: Alexander Stein +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/20220202081755.145716-3-alexander.stein@ew.tq-group.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mxsfb/mxsfb_kms.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mxsfb/mxsfb_kms.c ++++ b/drivers/gpu/drm/mxsfb/mxsfb_kms.c +@@ -361,7 +361,11 @@ static void mxsfb_crtc_atomic_enable(str + bridge_state = + drm_atomic_get_new_bridge_state(state, + mxsfb->bridge); +- bus_format = bridge_state->input_bus_cfg.format; ++ if (!bridge_state) ++ bus_format = MEDIA_BUS_FMT_FIXED; ++ else ++ bus_format = bridge_state->input_bus_cfg.format; ++ + if (bus_format == MEDIA_BUS_FMT_FIXED) { + dev_warn_once(drm->dev, + "Bridge does not provide bus format, assuming MEDIA_BUS_FMT_RGB888_1X24.\n" diff --git a/queue-5.16/gve-fix-the-wrong-adminq-buffer-queue-index-check.patch b/queue-5.16/gve-fix-the-wrong-adminq-buffer-queue-index-check.patch new file mode 100644 index 00000000000..d95edafffd8 --- /dev/null +++ b/queue-5.16/gve-fix-the-wrong-adminq-buffer-queue-index-check.patch @@ -0,0 +1,62 @@ +From 1f84a9450d75e08af70d9e2f2d5e1c0ac0c881d2 Mon Sep 17 00:00:00 2001 +From: Haiyue Wang +Date: Fri, 28 Jan 2022 18:47:14 +0800 +Subject: gve: fix the wrong AdminQ buffer queue index check + +From: Haiyue Wang + +commit 1f84a9450d75e08af70d9e2f2d5e1c0ac0c881d2 upstream. + +The 'tail' and 'head' are 'unsigned int' type free-running count, when +'head' is overflow, the 'int i (= tail) < u32 head' will be false: + +Only '- loop 0: idx = 63' result is shown, so it needs to use 'int' type +to compare, it can handle the overflow correctly. + +typedef uint32_t u32; + +int main() +{ + u32 tail, head; + int stail, shead; + int i, loop; + + tail = 0xffffffff; + head = 0x00000000; + + for (i = tail, loop = 0; i < head; i++) { + unsigned int idx = i & 63; + + printf("+ loop %d: idx = %u\n", loop++, idx); + } + + stail = tail; + shead = head; + for (i = stail, loop = 0; i < shead; i++) { + unsigned int idx = i & 63; + + printf("- loop %d: idx = %u\n", loop++, idx); + } + + return 0; +} + +Fixes: 5cdad90de62c ("gve: Batch AQ commands for creating and destroying queues.") +Signed-off-by: Haiyue Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_adminq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve_adminq.c ++++ b/drivers/net/ethernet/google/gve/gve_adminq.c +@@ -301,7 +301,7 @@ static int gve_adminq_parse_err(struct g + */ + static int gve_adminq_kick_and_wait(struct gve_priv *priv) + { +- u32 tail, head; ++ int tail, head; + int i; + + tail = ioread32be(&priv->reg_bar0->adminq_event_counter); diff --git a/queue-5.16/ib-cm-release-previously-acquired-reference-counter-in-the-cm_id_priv.patch b/queue-5.16/ib-cm-release-previously-acquired-reference-counter-in-the-cm_id_priv.patch new file mode 100644 index 00000000000..b96df423151 --- /dev/null +++ b/queue-5.16/ib-cm-release-previously-acquired-reference-counter-in-the-cm_id_priv.patch @@ -0,0 +1,37 @@ +From b856101a1774b5f1c8c99e8dfdef802856520732 Mon Sep 17 00:00:00 2001 +From: Mark Zhang +Date: Wed, 19 Jan 2022 10:37:55 +0200 +Subject: IB/cm: Release previously acquired reference counter in the cm_id_priv + +From: Mark Zhang + +commit b856101a1774b5f1c8c99e8dfdef802856520732 upstream. + +In failure flow, the reference counter acquired was not released, +and the following error was reported: + + drivers/infiniband/core/cm.c:3373 cm_lap_handler() warn: inconsistent + refcounting 'cm_id_priv->refcount.refs.counter': + +Fixes: 7345201c3963 ("IB/cm: Improve the calling of cm_init_av_for_lap and cm_init_av_by_path") +Link: https://lore.kernel.org/r/7615f23bbb5c5b66d03f6fa13e1c99d51dae6916.1642581448.git.leonro@nvidia.com +Reported-by: Dan Carpenter +Signed-off-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -3322,7 +3322,7 @@ static int cm_lap_handler(struct cm_work + ret = cm_init_av_by_path(param->alternate_path, NULL, &alt_av); + if (ret) { + rdma_destroy_ah_attr(&ah_attr); +- return -EINVAL; ++ goto deref; + } + + spin_lock_irq(&cm_id_priv->lock); diff --git a/queue-5.16/ib-hfi1-fix-tstats-alloc-and-dealloc.patch b/queue-5.16/ib-hfi1-fix-tstats-alloc-and-dealloc.patch new file mode 100644 index 00000000000..c4a5aef4679 --- /dev/null +++ b/queue-5.16/ib-hfi1-fix-tstats-alloc-and-dealloc.patch @@ -0,0 +1,75 @@ +From e5cce44aff3be9ad2cd52f63f35edbd706181d50 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Sat, 15 Jan 2022 18:02:36 -0500 +Subject: IB/hfi1: Fix tstats alloc and dealloc + +From: Mike Marciniszyn + +commit e5cce44aff3be9ad2cd52f63f35edbd706181d50 upstream. + +The tstats allocation is done in the accelerated ndo_init function but the +allocation is not tested to succeed. + +The deallocation is not done in the accelerated ndo_uninit function. + +Resolve issues by testing for an allocation failure and adding the +free_percpu in the uninit function. + +Fixes: aa0616a9bd52 ("IB/hfi1: switch to core handling of rx/tx byte/packet counters") +Link: https://lore.kernel.org/r/1642287756-182313-5-git-send-email-mike.marciniszyn@cornelisnetworks.com +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/ipoib_main.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/ipoib_main.c ++++ b/drivers/infiniband/hw/hfi1/ipoib_main.c +@@ -22,26 +22,35 @@ static int hfi1_ipoib_dev_init(struct ne + int ret; + + dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); ++ if (!dev->tstats) ++ return -ENOMEM; + + ret = priv->netdev_ops->ndo_init(dev); + if (ret) +- return ret; ++ goto out_ret; + + ret = hfi1_netdev_add_data(priv->dd, + qpn_from_mac(priv->netdev->dev_addr), + dev); + if (ret < 0) { + priv->netdev_ops->ndo_uninit(dev); +- return ret; ++ goto out_ret; + } + + return 0; ++out_ret: ++ free_percpu(dev->tstats); ++ dev->tstats = NULL; ++ return ret; + } + + static void hfi1_ipoib_dev_uninit(struct net_device *dev) + { + struct hfi1_ipoib_dev_priv *priv = hfi1_ipoib_priv(dev); + ++ free_percpu(dev->tstats); ++ dev->tstats = NULL; ++ + hfi1_netdev_remove_data(priv->dd, qpn_from_mac(priv->netdev->dev_addr)); + + priv->netdev_ops->ndo_uninit(dev); +@@ -166,6 +175,7 @@ static void hfi1_ipoib_netdev_dtor(struc + hfi1_ipoib_rxq_deinit(priv->netdev); + + free_percpu(dev->tstats); ++ dev->tstats = NULL; + } + + static void hfi1_ipoib_set_id(struct net_device *dev, int id) diff --git a/queue-5.16/ib-rdmavt-validate-remote_addr-during-loopback-atomic-tests.patch b/queue-5.16/ib-rdmavt-validate-remote_addr-during-loopback-atomic-tests.patch new file mode 100644 index 00000000000..7e2604d5144 --- /dev/null +++ b/queue-5.16/ib-rdmavt-validate-remote_addr-during-loopback-atomic-tests.patch @@ -0,0 +1,42 @@ +From 4028bccb003cf67e46632dee7f97ddc5d7b6e685 Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Wed, 19 Jan 2022 04:28:09 -0500 +Subject: IB/rdmavt: Validate remote_addr during loopback atomic tests + +From: Mike Marciniszyn + +commit 4028bccb003cf67e46632dee7f97ddc5d7b6e685 upstream. + +The rdma-core test suite sends an unaligned remote address and expects a +failure. + +ERROR: test_atomic_non_aligned_addr (tests.test_atomic.AtomicTest) + +The qib/hfi1 rc handling validates properly, but the test has the client +and server on the same system. + +The loopback of these operations is a distinct code path. + +Fix by syntaxing the proposed remote address in the loopback code path. + +Fixes: 15703461533a ("IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt") +Link: https://lore.kernel.org/r/1642584489-141005-1-git-send-email-mike.marciniszyn@cornelisnetworks.com +Reviewed-by: Dennis Dalessandro +Signed-off-by: Mike Marciniszyn +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rdmavt/qp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/sw/rdmavt/qp.c ++++ b/drivers/infiniband/sw/rdmavt/qp.c +@@ -3073,6 +3073,8 @@ do_write: + case IB_WR_ATOMIC_FETCH_AND_ADD: + if (unlikely(!(qp->qp_access_flags & IB_ACCESS_REMOTE_ATOMIC))) + goto inv_err; ++ if (unlikely(wqe->atomic_wr.remote_addr & (sizeof(u64) - 1))) ++ goto inv_err; + if (unlikely(!rvt_rkey_ok(qp, &qp->r_sge.sge, sizeof(u64), + wqe->atomic_wr.remote_addr, + wqe->atomic_wr.rkey, diff --git a/queue-5.16/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch b/queue-5.16/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch new file mode 100644 index 00000000000..e595606a07e --- /dev/null +++ b/queue-5.16/iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch @@ -0,0 +1,45 @@ +From 9b45a7738eec52bf0f5d8d3d54e822962781c5f2 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 4 Feb 2022 12:55:37 +0100 +Subject: iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() + +From: Joerg Roedel + +commit 9b45a7738eec52bf0f5d8d3d54e822962781c5f2 upstream. + +The polling loop for the register change in iommu_ga_log_enable() needs +to have a udelay() in it. Otherwise the CPU might be faster than the +IOMMU hardware and wrongly trigger the WARN_ON() further down the code +stream. Use a 10us for udelay(), has there is some hardware where +activation of the GA log can take more than a 100ms. + +A future optimization should move the activation check of the GA log +to the point where it gets used for the first time. But that is a +bigger change and not suitable for a fix. + +Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log") +Signed-off-by: Joerg Roedel +Link: https://lore.kernel.org/r/20220204115537.3894-1-joro@8bytes.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd/init.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iommu/amd/init.c ++++ b/drivers/iommu/amd/init.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -834,6 +835,7 @@ static int iommu_ga_log_enable(struct am + status = readl(iommu->mmio_base + MMIO_STATUS_OFFSET); + if (status & (MMIO_STATUS_GALOG_RUN_MASK)) + break; ++ udelay(10); + } + + if (WARN_ON(i >= LOOP_TIMEOUT)) diff --git a/queue-5.16/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch b/queue-5.16/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch new file mode 100644 index 00000000000..6055fa80804 --- /dev/null +++ b/queue-5.16/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch @@ -0,0 +1,69 @@ +From 99e675d473eb8cf2deac1376a0f840222fc1adcf Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Fri, 28 Jan 2022 11:10:02 +0800 +Subject: iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() + +From: Guoqing Jiang + +commit 99e675d473eb8cf2deac1376a0f840222fc1adcf upstream. + +After commit e3beca48a45b ("irqdomain/treewide: Keep firmware node +unconditionally allocated"). For tear down scenario, fn is only freed +after fail to allocate ir_domain, though it also should be freed in case +dmar_enable_qi returns error. + +Besides free fn, irq_domain and ir_msi_domain need to be removed as well +if intel_setup_irq_remapping fails to enable queued invalidation. + +Improve the rewinding path by add out_free_ir_domain and out_free_fwnode +lables per Baolu's suggestion. + +Fixes: e3beca48a45b ("irqdomain/treewide: Keep firmware node unconditionally allocated") +Suggested-by: Lu Baolu +Signed-off-by: Guoqing Jiang +Link: https://lore.kernel.org/r/20220119063640.16864-1-guoqing.jiang@linux.dev +Signed-off-by: Lu Baolu +Link: https://lore.kernel.org/r/20220128031002.2219155-3-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/irq_remapping.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel/irq_remapping.c ++++ b/drivers/iommu/intel/irq_remapping.c +@@ -569,9 +569,8 @@ static int intel_setup_irq_remapping(str + fn, &intel_ir_domain_ops, + iommu); + if (!iommu->ir_domain) { +- irq_domain_free_fwnode(fn); + pr_err("IR%d: failed to allocate irqdomain\n", iommu->seq_id); +- goto out_free_bitmap; ++ goto out_free_fwnode; + } + iommu->ir_msi_domain = + arch_create_remap_msi_irq_domain(iommu->ir_domain, +@@ -595,7 +594,7 @@ static int intel_setup_irq_remapping(str + + if (dmar_enable_qi(iommu)) { + pr_err("Failed to enable queued invalidation\n"); +- goto out_free_bitmap; ++ goto out_free_ir_domain; + } + } + +@@ -619,6 +618,14 @@ static int intel_setup_irq_remapping(str + + return 0; + ++out_free_ir_domain: ++ if (iommu->ir_msi_domain) ++ irq_domain_remove(iommu->ir_msi_domain); ++ iommu->ir_msi_domain = NULL; ++ irq_domain_remove(iommu->ir_domain); ++ iommu->ir_domain = NULL; ++out_free_fwnode: ++ irq_domain_free_fwnode(fn); + out_free_bitmap: + bitmap_free(bitmap); + out_free_pages: diff --git a/queue-5.16/net-ieee802154-ca8210-stop-leaking-skb-s.patch b/queue-5.16/net-ieee802154-ca8210-stop-leaking-skb-s.patch new file mode 100644 index 00000000000..d1a2b58464a --- /dev/null +++ b/queue-5.16/net-ieee802154-ca8210-stop-leaking-skb-s.patch @@ -0,0 +1,35 @@ +From 621b24b09eb61c63f262da0c9c5f0e93348897e5 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 25 Jan 2022 13:14:24 +0100 +Subject: net: ieee802154: ca8210: Stop leaking skb's + +From: Miquel Raynal + +commit 621b24b09eb61c63f262da0c9c5f0e93348897e5 upstream. + +Upon error the ieee802154_xmit_complete() helper is not called. Only +ieee802154_wake_queue() is called manually. We then leak the skb +structure. + +Free the skb structure upon error before returning. + +Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-5-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -1771,6 +1771,7 @@ static int ca8210_async_xmit_complete( + status + ); + if (status != MAC_TRANSACTION_OVERFLOW) { ++ dev_kfree_skb_any(priv->tx_skb); + ieee802154_wake_queue(priv->hw); + return 0; + } diff --git a/queue-5.16/net-ieee802154-hwsim-ensure-proper-channel-selection-at-probe-time.patch b/queue-5.16/net-ieee802154-hwsim-ensure-proper-channel-selection-at-probe-time.patch new file mode 100644 index 00000000000..b79ea6b860c --- /dev/null +++ b/queue-5.16/net-ieee802154-hwsim-ensure-proper-channel-selection-at-probe-time.patch @@ -0,0 +1,37 @@ +From 1293fccc9e892712d910ec96079d3717307f1d2d Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 25 Jan 2022 13:14:21 +0100 +Subject: net: ieee802154: hwsim: Ensure proper channel selection at probe time + +From: Miquel Raynal + +commit 1293fccc9e892712d910ec96079d3717307f1d2d upstream. + +Drivers are expected to set the PHY current_channel and current_page +according to their default state. The hwsim driver is advertising being +configured on channel 13 by default but that is not reflected in its own +internal pib structure. In order to ensure that this driver consider the +current channel as being 13 internally, we at least need to set the +pib->channel field to 13. + +Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb") +Signed-off-by: Miquel Raynal +[stefan@datenfreihafen.org: fixed assigment from page to channel] +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-2-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/mac802154_hwsim.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ieee802154/mac802154_hwsim.c ++++ b/drivers/net/ieee802154/mac802154_hwsim.c +@@ -786,6 +786,7 @@ static int hwsim_add_one(struct genl_inf + goto err_pib; + } + ++ pib->channel = 13; + rcu_assign_pointer(phy->pib, pib); + phy->idx = idx; + INIT_LIST_HEAD(&phy->edges); diff --git a/queue-5.16/net-ieee802154-mcr20a-fix-lifs-sifs-periods.patch b/queue-5.16/net-ieee802154-mcr20a-fix-lifs-sifs-periods.patch new file mode 100644 index 00000000000..4405e89dd25 --- /dev/null +++ b/queue-5.16/net-ieee802154-mcr20a-fix-lifs-sifs-periods.patch @@ -0,0 +1,37 @@ +From d753c4004820a888ec007dd88b271fa9c3172c5c Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 25 Jan 2022 13:14:22 +0100 +Subject: net: ieee802154: mcr20a: Fix lifs/sifs periods + +From: Miquel Raynal + +commit d753c4004820a888ec007dd88b271fa9c3172c5c upstream. + +These periods are expressed in time units (microseconds) while 40 and 12 +are the number of symbol durations these periods will last. We need to +multiply them both with phy->symbol_duration in order to get these +values in microseconds. + +Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-3-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/mcr20a.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ieee802154/mcr20a.c ++++ b/drivers/net/ieee802154/mcr20a.c +@@ -976,8 +976,8 @@ static void mcr20a_hw_setup(struct mcr20 + dev_dbg(printdev(lp), "%s\n", __func__); + + phy->symbol_duration = 16; +- phy->lifs_period = 40; +- phy->sifs_period = 12; ++ phy->lifs_period = 40 * phy->symbol_duration; ++ phy->sifs_period = 12 * phy->symbol_duration; + + hw->flags = IEEE802154_HW_TX_OMIT_CKSUM | + IEEE802154_HW_AFILT | diff --git a/queue-5.16/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch b/queue-5.16/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch new file mode 100644 index 00000000000..d399dd57b7f --- /dev/null +++ b/queue-5.16/net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch @@ -0,0 +1,61 @@ +From 79c37ca73a6e9a33f7b2b7783ba6af07a448c8a9 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Tue, 25 Jan 2022 13:14:25 +0100 +Subject: net: ieee802154: Return meaningful error codes from the netlink helpers + +From: Miquel Raynal + +commit 79c37ca73a6e9a33f7b2b7783ba6af07a448c8a9 upstream. + +Returning -1 does not indicate anything useful. + +Use a standard and meaningful error code instead. + +Fixes: a26c5fd7622d ("nl802154: add support for security layer") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20220125121426.848337-6-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/nl802154.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1441,7 +1441,7 @@ static int nl802154_send_key(struct sk_b + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; +@@ -1634,7 +1634,7 @@ static int nl802154_send_device(struct s + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; +@@ -1812,7 +1812,7 @@ static int nl802154_send_devkey(struct s + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; +@@ -1988,7 +1988,7 @@ static int nl802154_send_seclevel(struct + + hdr = nl802154hdr_put(msg, portid, seq, flags, cmd); + if (!hdr) +- return -1; ++ return -ENOBUFS; + + if (nla_put_u32(msg, NL802154_ATTR_IFINDEX, dev->ifindex)) + goto nla_put_failure; diff --git a/queue-5.16/net-macsec-fix-offload-support-for-netdev_unregister-event.patch b/queue-5.16/net-macsec-fix-offload-support-for-netdev_unregister-event.patch new file mode 100644 index 00000000000..1bafd183b27 --- /dev/null +++ b/queue-5.16/net-macsec-fix-offload-support-for-netdev_unregister-event.patch @@ -0,0 +1,70 @@ +From 9cef24c8b76c1f6effe499d2f131807c90f7ce9a Mon Sep 17 00:00:00 2001 +From: Lior Nahmanson +Date: Sun, 30 Jan 2022 13:29:01 +0200 +Subject: net: macsec: Fix offload support for NETDEV_UNREGISTER event + +From: Lior Nahmanson + +commit 9cef24c8b76c1f6effe499d2f131807c90f7ce9a upstream. + +Current macsec netdev notify handler handles NETDEV_UNREGISTER event by +releasing relevant SW resources only, this causes resources leak in case +of macsec HW offload, as the underlay driver was not notified to clean +it's macsec offload resources. + +Fix by calling the underlay driver to clean it's relevant resources +by moving offload handling from macsec_dellink() to macsec_common_dellink() +when handling NETDEV_UNREGISTER event. + +Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") +Signed-off-by: Lior Nahmanson +Reviewed-by: Raed Salem +Signed-off-by: Raed Salem +Reviewed-by: Antoine Tenart +Link: https://lore.kernel.org/r/1643542141-28956-1-git-send-email-raeds@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3870,6 +3870,18 @@ static void macsec_common_dellink(struct + struct macsec_dev *macsec = macsec_priv(dev); + struct net_device *real_dev = macsec->real_dev; + ++ /* If h/w offloading is available, propagate to the device */ ++ if (macsec_is_offloaded(macsec)) { ++ const struct macsec_ops *ops; ++ struct macsec_context ctx; ++ ++ ops = macsec_get_ops(netdev_priv(dev), &ctx); ++ if (ops) { ++ ctx.secy = &macsec->secy; ++ macsec_offload(ops->mdo_del_secy, &ctx); ++ } ++ } ++ + unregister_netdevice_queue(dev, head); + list_del_rcu(&macsec->secys); + macsec_del_dev(macsec); +@@ -3884,18 +3896,6 @@ static void macsec_dellink(struct net_de + struct net_device *real_dev = macsec->real_dev; + struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); + +- /* If h/w offloading is available, propagate to the device */ +- if (macsec_is_offloaded(macsec)) { +- const struct macsec_ops *ops; +- struct macsec_context ctx; +- +- ops = macsec_get_ops(netdev_priv(dev), &ctx); +- if (ops) { +- ctx.secy = &macsec->secy; +- macsec_offload(ops->mdo_del_secy, &ctx); +- } +- } +- + macsec_common_dellink(dev, head); + + if (list_empty(&rxd->secys)) { diff --git a/queue-5.16/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch b/queue-5.16/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch new file mode 100644 index 00000000000..aaf604bd605 --- /dev/null +++ b/queue-5.16/net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch @@ -0,0 +1,47 @@ +From d0cfa548dbde354de986911d3913897b5448faad Mon Sep 17 00:00:00 2001 +From: Lior Nahmanson +Date: Sun, 30 Jan 2022 13:37:52 +0200 +Subject: net: macsec: Verify that send_sci is on when setting Tx sci explicitly + +From: Lior Nahmanson + +commit d0cfa548dbde354de986911d3913897b5448faad upstream. + +When setting Tx sci explicit, the Rx side is expected to use this +sci and not recalculate it from the packet.However, in case of Tx sci +is explicit and send_sci is off, the receiver is wrongly recalculate +the sci from the source MAC address which most likely be different +than the explicit sci. + +Fix by preventing such configuration when macsec newlink is established +and return EINVAL error code on such cases. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Signed-off-by: Lior Nahmanson +Reviewed-by: Raed Salem +Signed-off-by: Raed Salem +Link: https://lore.kernel.org/r/1643542672-29403-1-git-send-email-raeds@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -4018,6 +4018,15 @@ static int macsec_newlink(struct net *ne + !macsec_check_offload(macsec->offload, macsec)) + return -EOPNOTSUPP; + ++ /* send_sci must be set to true when transmit sci explicitly is set */ ++ if ((data && data[IFLA_MACSEC_SCI]) && ++ (data && data[IFLA_MACSEC_INC_SCI])) { ++ u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); ++ ++ if (!send_sci) ++ return -EINVAL; ++ } ++ + if (data && data[IFLA_MACSEC_ICV_LEN]) + icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); + mtu = real_dev->mtu - icv_len - macsec_extra_len(true); diff --git a/queue-5.16/net-neigh-do-not-trigger-immediate-probes-on-nud_failed-from-neigh_managed_work.patch b/queue-5.16/net-neigh-do-not-trigger-immediate-probes-on-nud_failed-from-neigh_managed_work.patch new file mode 100644 index 00000000000..10ff7df0ecf --- /dev/null +++ b/queue-5.16/net-neigh-do-not-trigger-immediate-probes-on-nud_failed-from-neigh_managed_work.patch @@ -0,0 +1,164 @@ +From 4a81f6da9cb2d1ef911131a6fd8bd15cb61fc772 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Tue, 1 Feb 2022 20:39:42 +0100 +Subject: net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work + +From: Daniel Borkmann + +commit 4a81f6da9cb2d1ef911131a6fd8bd15cb61fc772 upstream. + +syzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]: + + kworker/0:16/14617 is trying to acquire lock: + ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652 + [...] + but task is already holding lock: + ffffffff8d4dd370 (&tbl->lock){++-.}-{2:2}, at: neigh_managed_work+0x35/0x250 net/core/neighbour.c:1572 + +The neighbor entry turned to NUD_FAILED state, where __neigh_event_send() +triggered an immediate probe as per commit cd28ca0a3dd1 ("neigh: reduce +arp latency") via neigh_probe() given table lock was held. + +One option to fix this situation is to defer the neigh_probe() back to +the neigh_timer_handler() similarly as pre cd28ca0a3dd1. For the case +of NTF_MANAGED, this deferral is acceptable given this only happens on +actual failure state and regular / expected state is NUD_VALID with the +entry already present. + +The fix adds a parameter to __neigh_event_send() in order to communicate +whether immediate probe is allowed or disallowed. Existing call-sites +of neigh_event_send() default as-is to immediate probe. However, the +neigh_managed_work() disables it via use of neigh_event_send_probe(). + +[0] + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_deadlock_bug kernel/locking/lockdep.c:2956 [inline] + check_deadlock kernel/locking/lockdep.c:2999 [inline] + validate_chain kernel/locking/lockdep.c:3788 [inline] + __lock_acquire.cold+0x149/0x3ab kernel/locking/lockdep.c:5027 + lock_acquire kernel/locking/lockdep.c:5639 [inline] + lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604 + __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline] + _raw_write_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:334 + ___neigh_create+0x9e1/0x2990 net/core/neighbour.c:652 + ip6_finish_output2+0x1070/0x14f0 net/ipv6/ip6_output.c:123 + __ip6_finish_output net/ipv6/ip6_output.c:191 [inline] + __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170 + ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201 + NF_HOOK_COND include/linux/netfilter.h:296 [inline] + ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224 + dst_output include/net/dst.h:451 [inline] + NF_HOOK include/linux/netfilter.h:307 [inline] + ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508 + ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650 + ndisc_solicit+0x2cd/0x4f0 net/ipv6/ndisc.c:742 + neigh_probe+0xc2/0x110 net/core/neighbour.c:1040 + __neigh_event_send+0x37d/0x1570 net/core/neighbour.c:1201 + neigh_event_send include/net/neighbour.h:470 [inline] + neigh_managed_work+0x162/0x250 net/core/neighbour.c:1574 + process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307 + worker_thread+0x657/0x1110 kernel/workqueue.c:2454 + kthread+0x2e9/0x3a0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + + +Fixes: 7482e3841d52 ("net, neigh: Add NTF_MANAGED flag for managed neighbor entries") +Reported-by: syzbot+5239d0e1778a500d477a@syzkaller.appspotmail.com +Signed-off-by: Daniel Borkmann +Cc: Eric Dumazet +Cc: Roopa Prabhu +Tested-by: syzbot+5239d0e1778a500d477a@syzkaller.appspotmail.com +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220201193942.5055-1-daniel@iogearbox.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + include/net/neighbour.h | 18 +++++++++++++----- + net/core/neighbour.c | 18 ++++++++++++------ + 2 files changed, 25 insertions(+), 11 deletions(-) + +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -336,7 +336,8 @@ static inline struct neighbour *neigh_cr + return __neigh_create(tbl, pkey, dev, true); + } + void neigh_destroy(struct neighbour *neigh); +-int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb); ++int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb, ++ const bool immediate_ok); + int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, u32 flags, + u32 nlmsg_pid); + void __neigh_set_probe_once(struct neighbour *neigh); +@@ -446,17 +447,24 @@ static inline struct neighbour * neigh_c + + #define neigh_hold(n) refcount_inc(&(n)->refcnt) + +-static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) ++static __always_inline int neigh_event_send_probe(struct neighbour *neigh, ++ struct sk_buff *skb, ++ const bool immediate_ok) + { + unsigned long now = jiffies; +- ++ + if (READ_ONCE(neigh->used) != now) + WRITE_ONCE(neigh->used, now); +- if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE))) +- return __neigh_event_send(neigh, skb); ++ if (!(neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))) ++ return __neigh_event_send(neigh, skb, immediate_ok); + return 0; + } + ++static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) ++{ ++ return neigh_event_send_probe(neigh, skb, true); ++} ++ + #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) + static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb) + { +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1133,7 +1133,8 @@ out: + neigh_release(neigh); + } + +-int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) ++int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb, ++ const bool immediate_ok) + { + int rc; + bool immediate_probe = false; +@@ -1154,12 +1155,17 @@ int __neigh_event_send(struct neighbour + atomic_set(&neigh->probes, + NEIGH_VAR(neigh->parms, UCAST_PROBES)); + neigh_del_timer(neigh); +- neigh->nud_state = NUD_INCOMPLETE; ++ neigh->nud_state = NUD_INCOMPLETE; + neigh->updated = now; +- next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME), +- HZ/100); ++ if (!immediate_ok) { ++ next = now + 1; ++ } else { ++ immediate_probe = true; ++ next = now + max(NEIGH_VAR(neigh->parms, ++ RETRANS_TIME), ++ HZ / 100); ++ } + neigh_add_timer(neigh, next); +- immediate_probe = true; + } else { + neigh->nud_state = NUD_FAILED; + neigh->updated = jiffies; +@@ -1571,7 +1577,7 @@ static void neigh_managed_work(struct wo + + write_lock_bh(&tbl->lock); + list_for_each_entry(neigh, &tbl->managed_list, managed_list) +- neigh_event_send(neigh, NULL); ++ neigh_event_send_probe(neigh, NULL, false); + queue_delayed_work(system_power_efficient_wq, &tbl->managed_work, + NEIGH_VAR(&tbl->parms, DELAY_PROBE_TIME)); + write_unlock_bh(&tbl->lock); diff --git a/queue-5.16/net-smc-forward-wakeup-to-smc-socket-waitqueue-after-fallback.patch b/queue-5.16/net-smc-forward-wakeup-to-smc-socket-waitqueue-after-fallback.patch new file mode 100644 index 00000000000..45b78bcaad0 --- /dev/null +++ b/queue-5.16/net-smc-forward-wakeup-to-smc-socket-waitqueue-after-fallback.patch @@ -0,0 +1,291 @@ +From 341adeec9adad0874f29a0a1af35638207352a39 Mon Sep 17 00:00:00 2001 +From: Wen Gu +Date: Wed, 26 Jan 2022 23:33:04 +0800 +Subject: net/smc: Forward wakeup to smc socket waitqueue after fallback + +From: Wen Gu + +commit 341adeec9adad0874f29a0a1af35638207352a39 upstream. + +When we replace TCP with SMC and a fallback occurs, there may be +some socket waitqueue entries remaining in smc socket->wq, such +as eppoll_entries inserted by userspace applications. + +After the fallback, data flows over TCP/IP and only clcsocket->wq +will be woken up. Applications can't be notified by the entries +which were inserted in smc socket->wq before fallback. So we need +a mechanism to wake up smc socket->wq at the same time if some +entries remaining in it. + +The current workaround is to transfer the entries from smc socket->wq +to clcsock->wq during the fallback. But this may cause a crash +like this: + + general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI + CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E 5.16.0+ #107 + RIP: 0010:__wake_up_common+0x65/0x170 + Call Trace: + + __wake_up_common_lock+0x7a/0xc0 + sock_def_readable+0x3c/0x70 + tcp_data_queue+0x4a7/0xc40 + tcp_rcv_established+0x32f/0x660 + ? sk_filter_trim_cap+0xcb/0x2e0 + tcp_v4_do_rcv+0x10b/0x260 + tcp_v4_rcv+0xd2a/0xde0 + ip_protocol_deliver_rcu+0x3b/0x1d0 + ip_local_deliver_finish+0x54/0x60 + ip_local_deliver+0x6a/0x110 + ? tcp_v4_early_demux+0xa2/0x140 + ? tcp_v4_early_demux+0x10d/0x140 + ip_sublist_rcv_finish+0x49/0x60 + ip_sublist_rcv+0x19d/0x230 + ip_list_rcv+0x13e/0x170 + __netif_receive_skb_list_core+0x1c2/0x240 + netif_receive_skb_list_internal+0x1e6/0x320 + napi_complete_done+0x11d/0x190 + mlx5e_napi_poll+0x163/0x6b0 [mlx5_core] + __napi_poll+0x3c/0x1b0 + net_rx_action+0x27c/0x300 + __do_softirq+0x114/0x2d2 + irq_exit_rcu+0xb4/0xe0 + common_interrupt+0xba/0xe0 + + + +The crash is caused by privately transferring waitqueue entries from +smc socket->wq to clcsock->wq. The owners of these entries, such as +epoll, have no idea that the entries have been transferred to a +different socket wait queue and still use original waitqueue spinlock +(smc socket->wq.wait.lock) to make the entries operation exclusive, +but it doesn't work. The operations to the entries, such as removing +from the waitqueue (now is clcsock->wq after fallback), may cause a +crash when clcsock waitqueue is being iterated over at the moment. + +This patch tries to fix this by no longer transferring wait queue +entries privately, but introducing own implementations of clcsock's +callback functions in fallback situation. The callback functions will +forward the wakeup to smc socket->wq if clcsock->wq is actually woken +up and smc socket->wq has remaining entries. + +Fixes: 2153bd1e3d3d ("net/smc: Transfer remaining wait queue entries during fallback") +Suggested-by: Karsten Graul +Signed-off-by: Wen Gu +Acked-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 133 ++++++++++++++++++++++++++++++++++++++++++++++++------- + net/smc/smc.h | 20 +++++++- + 2 files changed, 137 insertions(+), 16 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -566,17 +566,115 @@ static void smc_stat_fallback(struct smc + mutex_unlock(&net->smc.mutex_fback_rsn); + } + ++/* must be called under rcu read lock */ ++static void smc_fback_wakeup_waitqueue(struct smc_sock *smc, void *key) ++{ ++ struct socket_wq *wq; ++ __poll_t flags; ++ ++ wq = rcu_dereference(smc->sk.sk_wq); ++ if (!skwq_has_sleeper(wq)) ++ return; ++ ++ /* wake up smc sk->sk_wq */ ++ if (!key) { ++ /* sk_state_change */ ++ wake_up_interruptible_all(&wq->wait); ++ } else { ++ flags = key_to_poll(key); ++ if (flags & (EPOLLIN | EPOLLOUT)) ++ /* sk_data_ready or sk_write_space */ ++ wake_up_interruptible_sync_poll(&wq->wait, flags); ++ else if (flags & EPOLLERR) ++ /* sk_error_report */ ++ wake_up_interruptible_poll(&wq->wait, flags); ++ } ++} ++ ++static int smc_fback_mark_woken(wait_queue_entry_t *wait, ++ unsigned int mode, int sync, void *key) ++{ ++ struct smc_mark_woken *mark = ++ container_of(wait, struct smc_mark_woken, wait_entry); ++ ++ mark->woken = true; ++ mark->key = key; ++ return 0; ++} ++ ++static void smc_fback_forward_wakeup(struct smc_sock *smc, struct sock *clcsk, ++ void (*clcsock_callback)(struct sock *sk)) ++{ ++ struct smc_mark_woken mark = { .woken = false }; ++ struct socket_wq *wq; ++ ++ init_waitqueue_func_entry(&mark.wait_entry, ++ smc_fback_mark_woken); ++ rcu_read_lock(); ++ wq = rcu_dereference(clcsk->sk_wq); ++ if (!wq) ++ goto out; ++ add_wait_queue(sk_sleep(clcsk), &mark.wait_entry); ++ clcsock_callback(clcsk); ++ remove_wait_queue(sk_sleep(clcsk), &mark.wait_entry); ++ ++ if (mark.woken) ++ smc_fback_wakeup_waitqueue(smc, mark.key); ++out: ++ rcu_read_unlock(); ++} ++ ++static void smc_fback_state_change(struct sock *clcsk) ++{ ++ struct smc_sock *smc = ++ smc_clcsock_user_data(clcsk); ++ ++ if (!smc) ++ return; ++ smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_state_change); ++} ++ ++static void smc_fback_data_ready(struct sock *clcsk) ++{ ++ struct smc_sock *smc = ++ smc_clcsock_user_data(clcsk); ++ ++ if (!smc) ++ return; ++ smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_data_ready); ++} ++ ++static void smc_fback_write_space(struct sock *clcsk) ++{ ++ struct smc_sock *smc = ++ smc_clcsock_user_data(clcsk); ++ ++ if (!smc) ++ return; ++ smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_write_space); ++} ++ ++static void smc_fback_error_report(struct sock *clcsk) ++{ ++ struct smc_sock *smc = ++ smc_clcsock_user_data(clcsk); ++ ++ if (!smc) ++ return; ++ smc_fback_forward_wakeup(smc, clcsk, smc->clcsk_error_report); ++} ++ + static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code) + { +- wait_queue_head_t *smc_wait = sk_sleep(&smc->sk); +- wait_queue_head_t *clc_wait; +- unsigned long flags; ++ struct sock *clcsk; + + mutex_lock(&smc->clcsock_release_lock); + if (!smc->clcsock) { + mutex_unlock(&smc->clcsock_release_lock); + return -EBADF; + } ++ clcsk = smc->clcsock->sk; ++ + smc->use_fallback = true; + smc->fallback_rsn = reason_code; + smc_stat_fallback(smc); +@@ -587,16 +685,22 @@ static int smc_switch_to_fallback(struct + smc->clcsock->wq.fasync_list = + smc->sk.sk_socket->wq.fasync_list; + +- /* There may be some entries remaining in +- * smc socket->wq, which should be removed +- * to clcsocket->wq during the fallback. ++ /* There might be some wait entries remaining ++ * in smc sk->sk_wq and they should be woken up ++ * as clcsock's wait queue is woken up. + */ +- clc_wait = sk_sleep(smc->clcsock->sk); +- spin_lock_irqsave(&smc_wait->lock, flags); +- spin_lock_nested(&clc_wait->lock, SINGLE_DEPTH_NESTING); +- list_splice_init(&smc_wait->head, &clc_wait->head); +- spin_unlock(&clc_wait->lock); +- spin_unlock_irqrestore(&smc_wait->lock, flags); ++ smc->clcsk_state_change = clcsk->sk_state_change; ++ smc->clcsk_data_ready = clcsk->sk_data_ready; ++ smc->clcsk_write_space = clcsk->sk_write_space; ++ smc->clcsk_error_report = clcsk->sk_error_report; ++ ++ clcsk->sk_state_change = smc_fback_state_change; ++ clcsk->sk_data_ready = smc_fback_data_ready; ++ clcsk->sk_write_space = smc_fback_write_space; ++ clcsk->sk_error_report = smc_fback_error_report; ++ ++ smc->clcsock->sk->sk_user_data = ++ (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY); + } + mutex_unlock(&smc->clcsock_release_lock); + return 0; +@@ -2111,10 +2215,9 @@ out: + + static void smc_clcsock_data_ready(struct sock *listen_clcsock) + { +- struct smc_sock *lsmc; ++ struct smc_sock *lsmc = ++ smc_clcsock_user_data(listen_clcsock); + +- lsmc = (struct smc_sock *) +- ((uintptr_t)listen_clcsock->sk_user_data & ~SK_USER_DATA_NOCOPY); + if (!lsmc) + return; + lsmc->clcsk_data_ready(listen_clcsock); +--- a/net/smc/smc.h ++++ b/net/smc/smc.h +@@ -139,6 +139,12 @@ enum smc_urg_state { + SMC_URG_READ = 3, /* data was already read */ + }; + ++struct smc_mark_woken { ++ bool woken; ++ void *key; ++ wait_queue_entry_t wait_entry; ++}; ++ + struct smc_connection { + struct rb_node alert_node; + struct smc_link_group *lgr; /* link group of connection */ +@@ -227,8 +233,14 @@ struct smc_connection { + struct smc_sock { /* smc sock container */ + struct sock sk; + struct socket *clcsock; /* internal tcp socket */ ++ void (*clcsk_state_change)(struct sock *sk); ++ /* original stat_change fct. */ + void (*clcsk_data_ready)(struct sock *sk); +- /* original data_ready fct. **/ ++ /* original data_ready fct. */ ++ void (*clcsk_write_space)(struct sock *sk); ++ /* original write_space fct. */ ++ void (*clcsk_error_report)(struct sock *sk); ++ /* original error_report fct. */ + struct smc_connection conn; /* smc connection */ + struct smc_sock *listen_smc; /* listen parent */ + struct work_struct connect_work; /* handle non-blocking connect*/ +@@ -263,6 +275,12 @@ static inline struct smc_sock *smc_sk(co + return (struct smc_sock *)sk; + } + ++static inline struct smc_sock *smc_clcsock_user_data(struct sock *clcsk) ++{ ++ return (struct smc_sock *) ++ ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY); ++} ++ + extern struct workqueue_struct *smc_hs_wq; /* wq for handshake work */ + extern struct workqueue_struct *smc_close_wq; /* wq for close work */ + diff --git a/queue-5.16/net-stmmac-dump-gmac4-dma-registers-correctly.patch b/queue-5.16/net-stmmac-dump-gmac4-dma-registers-correctly.patch new file mode 100644 index 00000000000..5b05d36b348 --- /dev/null +++ b/queue-5.16/net-stmmac-dump-gmac4-dma-registers-correctly.patch @@ -0,0 +1,95 @@ +From 7af037c39b600bac2c716dd1228e8ddbe149573f Mon Sep 17 00:00:00 2001 +From: Camel Guo +Date: Mon, 31 Jan 2022 09:38:40 +0100 +Subject: net: stmmac: dump gmac4 DMA registers correctly + +From: Camel Guo + +commit 7af037c39b600bac2c716dd1228e8ddbe149573f upstream. + +Unlike gmac100, gmac1000, gmac4 has 27 DMA registers and they are +located at DMA_CHAN_BASE_ADDR (0x1100). In order for ethtool to dump +gmac4 DMA registers correctly, this commit checks if a net_device has +gmac4 and uses different logic to dump its DMA registers. + +This fixes the following KASAN warning, which can normally be triggered +by a command similar like "ethtool -d eth0": + +BUG: KASAN: vmalloc-out-of-bounds in dwmac4_dump_dma_regs+0x6d4/0xb30 +Write of size 4 at addr ffffffc010177100 by task ethtool/1839 + kasan_report+0x200/0x21c + __asan_report_store4_noabort+0x34/0x60 + dwmac4_dump_dma_regs+0x6d4/0xb30 + stmmac_ethtool_gregs+0x110/0x204 + ethtool_get_regs+0x200/0x4b0 + dev_ethtool+0x1dac/0x3800 + dev_ioctl+0x7c0/0xb50 + sock_ioctl+0x298/0x6c4 + ... + +Fixes: fbf68229ffe7 ("net: stmmac: unify registers dumps methods") +Signed-off-by: Camel Guo +Link: https://lore.kernel.org/r/20220131083841.3346801-1-camel.guo@axis.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h | 1 + + drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 19 +++++++++++++++++-- + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h +@@ -150,6 +150,7 @@ + + #define NUM_DWMAC100_DMA_REGS 9 + #define NUM_DWMAC1000_DMA_REGS 23 ++#define NUM_DWMAC4_DMA_REGS 27 + + void dwmac_enable_dma_transmission(void __iomem *ioaddr); + void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -21,10 +21,18 @@ + #include "dwxgmac2.h" + + #define REG_SPACE_SIZE 0x1060 ++#define GMAC4_REG_SPACE_SIZE 0x116C + #define MAC100_ETHTOOL_NAME "st_mac100" + #define GMAC_ETHTOOL_NAME "st_gmac" + #define XGMAC_ETHTOOL_NAME "st_xgmac" + ++/* Same as DMA_CHAN_BASE_ADDR defined in dwmac4_dma.h ++ * ++ * It is here because dwmac_dma.h and dwmac4_dam.h can not be included at the ++ * same time due to the conflicting macro names. ++ */ ++#define GMAC4_DMA_CHAN_BASE_ADDR 0x00001100 ++ + #define ETHTOOL_DMA_OFFSET 55 + + struct stmmac_stats { +@@ -435,6 +443,8 @@ static int stmmac_ethtool_get_regs_len(s + + if (priv->plat->has_xgmac) + return XGMAC_REGSIZE * 4; ++ else if (priv->plat->has_gmac4) ++ return GMAC4_REG_SPACE_SIZE; + return REG_SPACE_SIZE; + } + +@@ -447,8 +457,13 @@ static void stmmac_ethtool_gregs(struct + stmmac_dump_mac_regs(priv, priv->hw, reg_space); + stmmac_dump_dma_regs(priv, priv->ioaddr, reg_space); + +- if (!priv->plat->has_xgmac) { +- /* Copy DMA registers to where ethtool expects them */ ++ /* Copy DMA registers to where ethtool expects them */ ++ if (priv->plat->has_gmac4) { ++ /* GMAC4 dumps its DMA registers at its DMA_CHAN_BASE_ADDR */ ++ memcpy(®_space[ETHTOOL_DMA_OFFSET], ++ ®_space[GMAC4_DMA_CHAN_BASE_ADDR / 4], ++ NUM_DWMAC4_DMA_REGS * 4); ++ } else if (!priv->plat->has_xgmac) { + memcpy(®_space[ETHTOOL_DMA_OFFSET], + ®_space[DMA_BUS_MODE / 4], + NUM_DWMAC1000_DMA_REGS * 4); diff --git a/queue-5.16/net-stmmac-dwmac-visconti-no-change-to-ether_clock_sel-for-unexpected-speed-request.patch b/queue-5.16/net-stmmac-dwmac-visconti-no-change-to-ether_clock_sel-for-unexpected-speed-request.patch new file mode 100644 index 00000000000..34495e37dec --- /dev/null +++ b/queue-5.16/net-stmmac-dwmac-visconti-no-change-to-ether_clock_sel-for-unexpected-speed-request.patch @@ -0,0 +1,61 @@ +From 928d6fe996f69330ded6b887baf4534c5fac7988 Mon Sep 17 00:00:00 2001 +From: Yuji Ishikawa +Date: Thu, 27 Jan 2022 21:17:14 +0900 +Subject: net: stmmac: dwmac-visconti: No change to ETHER_CLOCK_SEL for unexpected speed request. + +From: Yuji Ishikawa + +commit 928d6fe996f69330ded6b887baf4534c5fac7988 upstream. + +Variable clk_sel_val is not initialized in the default case of the first switch statement. +In that case, the function should return immediately without any changes to the hardware. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver") +Signed-off-by: Yuji Ishikawa +Reviewed-by: Nobuhiro Iwamatsu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c +@@ -49,13 +49,15 @@ struct visconti_eth { + void __iomem *reg; + u32 phy_intf_sel; + struct clk *phy_ref_clk; ++ struct device *dev; + spinlock_t lock; /* lock to protect register update */ + }; + + static void visconti_eth_fix_mac_speed(void *priv, unsigned int speed) + { + struct visconti_eth *dwmac = priv; +- unsigned int val, clk_sel_val; ++ struct net_device *netdev = dev_get_drvdata(dwmac->dev); ++ unsigned int val, clk_sel_val = 0; + unsigned long flags; + + spin_lock_irqsave(&dwmac->lock, flags); +@@ -85,7 +87,9 @@ static void visconti_eth_fix_mac_speed(v + break; + default: + /* No bit control */ +- break; ++ netdev_err(netdev, "Unsupported speed request (%d)", speed); ++ spin_unlock_irqrestore(&dwmac->lock, flags); ++ return; + } + + writel(val, dwmac->reg + MAC_CTRL_REG); +@@ -229,6 +233,7 @@ static int visconti_eth_dwmac_probe(stru + + spin_lock_init(&dwmac->lock); + dwmac->reg = stmmac_res.addr; ++ dwmac->dev = &pdev->dev; + plat_dat->bsp_priv = dwmac; + plat_dat->fix_mac_speed = visconti_eth_fix_mac_speed; + diff --git a/queue-5.16/net-stmmac-ensure-ptp-time-register-reads-are-consistent.patch b/queue-5.16/net-stmmac-ensure-ptp-time-register-reads-are-consistent.patch new file mode 100644 index 00000000000..47c5f35beb6 --- /dev/null +++ b/queue-5.16/net-stmmac-ensure-ptp-time-register-reads-are-consistent.patch @@ -0,0 +1,55 @@ +From 80d4609008e6d696a279e39ae7458c916fcd44c1 Mon Sep 17 00:00:00 2001 +From: Yannick Vignon +Date: Thu, 3 Feb 2022 17:00:25 +0100 +Subject: net: stmmac: ensure PTP time register reads are consistent + +From: Yannick Vignon + +commit 80d4609008e6d696a279e39ae7458c916fcd44c1 upstream. + +Even if protected from preemption and interrupts, a small time window +remains when the 2 register reads could return inconsistent values, +each time the "seconds" register changes. This could lead to an about +1-second error in the reported time. + +Add logic to ensure the "seconds" and "nanoseconds" values are consistent. + +Fixes: 92ba6888510c ("stmmac: add the support for PTP hw clock driver") +Signed-off-by: Yannick Vignon +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20220203160025.750632-1-yannick.vignon@oss.nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +@@ -145,15 +145,20 @@ static int adjust_systime(void __iomem * + + static void get_systime(void __iomem *ioaddr, u64 *systime) + { +- u64 ns; ++ u64 ns, sec0, sec1; + +- /* Get the TSSS value */ +- ns = readl(ioaddr + PTP_STNSR); +- /* Get the TSS and convert sec time value to nanosecond */ +- ns += readl(ioaddr + PTP_STSR) * 1000000000ULL; ++ /* Get the TSS value */ ++ sec1 = readl_relaxed(ioaddr + PTP_STSR); ++ do { ++ sec0 = sec1; ++ /* Get the TSSS value */ ++ ns = readl_relaxed(ioaddr + PTP_STNSR); ++ /* Get the TSS value */ ++ sec1 = readl_relaxed(ioaddr + PTP_STSR); ++ } while (sec0 != sec1); + + if (systime) +- *systime = ns; ++ *systime = ns + (sec1 * 1000000000ULL); + } + + static void get_ptptime(void __iomem *ptpaddr, u64 *ptp_time) diff --git a/queue-5.16/net-stmmac-properly-handle-with-runtime-pm-in-stmmac_dvr_remove.patch b/queue-5.16/net-stmmac-properly-handle-with-runtime-pm-in-stmmac_dvr_remove.patch new file mode 100644 index 00000000000..36e253a6640 --- /dev/null +++ b/queue-5.16/net-stmmac-properly-handle-with-runtime-pm-in-stmmac_dvr_remove.patch @@ -0,0 +1,147 @@ +From 6449520391dfc3d2cef134f11a91251a054ff7d0 Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Fri, 28 Jan 2022 22:15:50 +0800 +Subject: net: stmmac: properly handle with runtime pm in stmmac_dvr_remove() + +From: Jisheng Zhang + +commit 6449520391dfc3d2cef134f11a91251a054ff7d0 upstream. + +There are two issues with runtime pm handling in stmmac_dvr_remove(): + +1. the mac is runtime suspended before stopping dma and rx/tx. We +need to ensure the device is properly resumed back. + +2. the stmmaceth clk enable/disable isn't balanced in both exit and +error handling code path. Take the exit code path for example, when we +unbind the driver or rmmod the driver module, the mac is runtime +suspended as said above, so the stmmaceth clk is disabled, but + stmmac_dvr_remove() + stmmac_remove_config_dt() + clk_disable_unprepare() +CCF will complain this time. The error handling code path suffers +from the similar situtaion. + +Here are kernel warnings in error handling code path on Allwinner D1 +platform: + +[ 1.604695] ------------[ cut here ]------------ +[ 1.609328] bus-emac already disabled +[ 1.613015] WARNING: CPU: 0 PID: 38 at drivers/clk/clk.c:952 clk_core_disable+0xcc/0xec +[ 1.621039] CPU: 0 PID: 38 Comm: kworker/u2:1 Not tainted 5.14.0-rc4#1 +[ 1.627653] Hardware name: Allwinner D1 NeZha (DT) +[ 1.632443] Workqueue: events_unbound deferred_probe_work_func +[ 1.638286] epc : clk_core_disable+0xcc/0xec +[ 1.642561] ra : clk_core_disable+0xcc/0xec +[ 1.646835] epc : ffffffff8023c2ec ra : ffffffff8023c2ec sp : ffffffd00411bb10 +[ 1.654054] gp : ffffffff80ec9988 tp : ffffffe00143a800 t0 : ffffffff80ed6a6f +[ 1.661272] t1 : ffffffff80ed6a60 t2 : 0000000000000000 s0 : ffffffe001509e00 +[ 1.668489] s1 : 0000000000000001 a0 : 0000000000000019 a1 : ffffffff80e80bd8 +[ 1.675707] a2 : 00000000ffffefff a3 : 00000000000000f4 a4 : 0000000000000002 +[ 1.682924] a5 : 0000000000000001 a6 : 0000000000000030 a7 : 00000000028f5c29 +[ 1.690141] s2 : 0000000000000800 s3 : ffffffe001375000 s4 : ffffffe01fdf7a80 +[ 1.697358] s5 : ffffffe001375010 s6 : ffffffff8001fc10 s7 : ffffffffffffffff +[ 1.704577] s8 : 0000000000000001 s9 : ffffffff80ecb248 s10: ffffffe001b80000 +[ 1.711794] s11: ffffffe001b80760 t3 : 0000000000000062 t4 : ffffffffffffffff +[ 1.719012] t5 : ffffffff80e0f6d8 t6 : ffffffd00411b8f0 +[ 1.724321] status: 8000000201800100 badaddr: 0000000000000000 cause: 0000000000000003 +[ 1.732233] [] clk_core_disable+0xcc/0xec +[ 1.737810] [] clk_disable+0x38/0x78 +[ 1.742956] [] worker_thread+0x1a8/0x4d8 +[ 1.748451] [] stmmac_remove_config_dt+0x1c/0x4c +[ 1.754646] [] sun8i_dwmac_probe+0x378/0x82c +[ 1.760484] [] worker_thread+0x1a8/0x4d8 +[ 1.765975] [] platform_probe+0x64/0xf0 +[ 1.771382] [] really_probe.part.0+0x8c/0x30c +[ 1.777305] [] __driver_probe_device+0xa0/0x148 +[ 1.783402] [] driver_probe_device+0x38/0x138 +[ 1.789324] [] __device_attach_driver+0xd0/0x170 +[ 1.795508] [] __driver_attach_async_helper+0xbc/0xc0 +[ 1.802125] [] bus_for_each_drv+0x68/0xb4 +[ 1.807701] [] __device_attach+0xd8/0x184 +[ 1.813277] [] bus_probe_device+0x98/0xbc +[ 1.818852] [] deferred_probe_work_func+0x90/0xd4 +[ 1.825122] [] process_one_work+0x1e4/0x390 +[ 1.830872] [] worker_thread+0x31c/0x4d8 +[ 1.836362] [] kthreadd+0x94/0x188 +[ 1.841335] [] kthreadd+0x94/0x188 +[ 1.846304] [] process_one_work+0x38c/0x390 +[ 1.852054] [] kthread+0x124/0x160 +[ 1.857021] [] set_kthread_struct+0x5c/0x60 +[ 1.862770] [] ret_from_syscall_rejected+0x8/0xc +[ 1.868956] ---[ end trace 8d5c6046255f84a0 ]--- +[ 1.873675] ------------[ cut here ]------------ +[ 1.878366] bus-emac already unprepared +[ 1.882378] WARNING: CPU: 0 PID: 38 at drivers/clk/clk.c:810 clk_core_unprepare+0xe4/0x168 +[ 1.890673] CPU: 0 PID: 38 Comm: kworker/u2:1 Tainted: G W 5.14.0-rc4 #1 +[ 1.898674] Hardware name: Allwinner D1 NeZha (DT) +[ 1.903464] Workqueue: events_unbound deferred_probe_work_func +[ 1.909305] epc : clk_core_unprepare+0xe4/0x168 +[ 1.913840] ra : clk_core_unprepare+0xe4/0x168 +[ 1.918375] epc : ffffffff8023d6cc ra : ffffffff8023d6cc sp : ffffffd00411bb10 +[ 1.925593] gp : ffffffff80ec9988 tp : ffffffe00143a800 t0 : 0000000000000002 +[ 1.932811] t1 : ffffffe01f743be0 t2 : 0000000000000040 s0 : ffffffe001509e00 +[ 1.940029] s1 : 0000000000000001 a0 : 000000000000001b a1 : ffffffe00143a800 +[ 1.947246] a2 : 0000000000000000 a3 : 00000000000000f4 a4 : 0000000000000001 +[ 1.954463] a5 : 0000000000000000 a6 : 0000000005fce2a5 a7 : 0000000000000001 +[ 1.961680] s2 : 0000000000000800 s3 : ffffffff80afeb90 s4 : ffffffe01fdf7a80 +[ 1.968898] s5 : ffffffe001375010 s6 : ffffffff8001fc10 s7 : ffffffffffffffff +[ 1.976115] s8 : 0000000000000001 s9 : ffffffff80ecb248 s10: ffffffe001b80000 +[ 1.983333] s11: ffffffe001b80760 t3 : ffffffff80b39120 t4 : 0000000000000001 +[ 1.990550] t5 : 0000000000000000 t6 : ffffffe001600002 +[ 1.995859] status: 8000000201800120 badaddr: 0000000000000000 cause: 0000000000000003 +[ 2.003771] [] clk_core_unprepare+0xe4/0x168 +[ 2.009609] [] clk_unprepare+0x24/0x3c +[ 2.014929] [] stmmac_remove_config_dt+0x24/0x4c +[ 2.021125] [] sun8i_dwmac_probe+0x378/0x82c +[ 2.026965] [] worker_thread+0x1a8/0x4d8 +[ 2.032463] [] platform_probe+0x64/0xf0 +[ 2.037871] [] really_probe.part.0+0x8c/0x30c +[ 2.043795] [] __driver_probe_device+0xa0/0x148 +[ 2.049892] [] driver_probe_device+0x38/0x138 +[ 2.055815] [] __device_attach_driver+0xd0/0x170 +[ 2.061999] [] __driver_attach_async_helper+0xbc/0xc0 +[ 2.068616] [] bus_for_each_drv+0x68/0xb4 +[ 2.074193] [] __device_attach+0xd8/0x184 +[ 2.079769] [] bus_probe_device+0x98/0xbc +[ 2.085345] [] deferred_probe_work_func+0x90/0xd4 +[ 2.091616] [] process_one_work+0x1e4/0x390 +[ 2.097367] [] worker_thread+0x31c/0x4d8 +[ 2.102858] [] kthreadd+0x94/0x188 +[ 2.107830] [] kthreadd+0x94/0x188 +[ 2.112800] [] process_one_work+0x38c/0x390 +[ 2.118551] [] kthread+0x124/0x160 +[ 2.123520] [] set_kthread_struct+0x5c/0x60 +[ 2.129268] [] ret_from_syscall_rejected+0x8/0xc +[ 2.135455] ---[ end trace 8d5c6046255f84a1 ]--- + +Fixes: 5ec55823438e ("net: stmmac: add clocks management for gmac driver") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -7137,6 +7137,10 @@ int stmmac_dvr_remove(struct device *dev + + netdev_info(priv->dev, "%s: removing driver", __func__); + ++ pm_runtime_get_sync(dev); ++ pm_runtime_disable(dev); ++ pm_runtime_put_noidle(dev); ++ + stmmac_stop_all_dma(priv); + stmmac_mac_set(priv, priv->ioaddr, false); + netif_carrier_off(ndev); +@@ -7155,8 +7159,6 @@ int stmmac_dvr_remove(struct device *dev + if (priv->plat->stmmac_rst) + reset_control_assert(priv->plat->stmmac_rst); + reset_control_assert(priv->plat->stmmac_ahb_rst); +- pm_runtime_put(dev); +- pm_runtime_disable(dev); + if (priv->hw->pcs != STMMAC_PCS_TBI && + priv->hw->pcs != STMMAC_PCS_RTBI) + stmmac_mdio_unregister(ndev); diff --git a/queue-5.16/netfilter-nft_reject_bridge-fix-for-missing-reply-from-prerouting.patch b/queue-5.16/netfilter-nft_reject_bridge-fix-for-missing-reply-from-prerouting.patch new file mode 100644 index 00000000000..fdb1095e1c8 --- /dev/null +++ b/queue-5.16/netfilter-nft_reject_bridge-fix-for-missing-reply-from-prerouting.patch @@ -0,0 +1,64 @@ +From aeac4554eb549037ff2f719200c0a9c1c25e7eaa Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 25 Jan 2022 20:06:03 +0100 +Subject: netfilter: nft_reject_bridge: Fix for missing reply from prerouting + +From: Phil Sutter + +commit aeac4554eb549037ff2f719200c0a9c1c25e7eaa upstream. + +Prior to commit fa538f7cf05aa ("netfilter: nf_reject: add reject skbuff +creation helpers"), nft_reject_bridge did not assign to nskb->dev before +passing nskb on to br_forward(). The shared skbuff creation helpers +introduced in above commit do which seems to confuse br_forward() as +reject statements in prerouting hook won't emit a packet anymore. + +Fix this by simply passing NULL instead of 'dev' to the helpers - they +use the pointer for just that assignment, nothing else. + +Fixes: fa538f7cf05aa ("netfilter: nf_reject: add reject skbuff creation helpers") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/nft_reject_bridge.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/bridge/netfilter/nft_reject_bridge.c ++++ b/net/bridge/netfilter/nft_reject_bridge.c +@@ -49,7 +49,7 @@ static void nft_reject_br_send_v4_tcp_re + { + struct sk_buff *nskb; + +- nskb = nf_reject_skb_v4_tcp_reset(net, oldskb, dev, hook); ++ nskb = nf_reject_skb_v4_tcp_reset(net, oldskb, NULL, hook); + if (!nskb) + return; + +@@ -65,7 +65,7 @@ static void nft_reject_br_send_v4_unreac + { + struct sk_buff *nskb; + +- nskb = nf_reject_skb_v4_unreach(net, oldskb, dev, hook, code); ++ nskb = nf_reject_skb_v4_unreach(net, oldskb, NULL, hook, code); + if (!nskb) + return; + +@@ -81,7 +81,7 @@ static void nft_reject_br_send_v6_tcp_re + { + struct sk_buff *nskb; + +- nskb = nf_reject_skb_v6_tcp_reset(net, oldskb, dev, hook); ++ nskb = nf_reject_skb_v6_tcp_reset(net, oldskb, NULL, hook); + if (!nskb) + return; + +@@ -98,7 +98,7 @@ static void nft_reject_br_send_v6_unreac + { + struct sk_buff *nskb; + +- nskb = nf_reject_skb_v6_unreach(net, oldskb, dev, hook, code); ++ nskb = nf_reject_skb_v6_unreach(net, oldskb, NULL, hook, code); + if (!nskb) + return; + diff --git a/queue-5.16/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch b/queue-5.16/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch new file mode 100644 index 00000000000..7a2bbc3afbd --- /dev/null +++ b/queue-5.16/nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch @@ -0,0 +1,45 @@ +From ab451ea952fe9d7afefae55ddb28943a148247fe Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Wed, 26 Jan 2022 13:13:38 -0800 +Subject: nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client. + +From: Dai Ngo + +commit ab451ea952fe9d7afefae55ddb28943a148247fe upstream. + +From RFC 7530 Section 16.34.5: + +o The server has not recorded an unconfirmed { v, x, c, *, * } and + has recorded a confirmed { v, x, c, *, s }. If the principals of + the record and of SETCLIENTID_CONFIRM do not match, the server + returns NFS4ERR_CLID_INUSE without removing any relevant leased + client state, and without changing recorded callback and + callback_ident values for client { x }. + +The current code intends to do what the spec describes above but +it forgot to set 'old' to NULL resulting to the confirmed client +to be expired. + +Fixes: 2b63482185e6 ("nfsd: fix clid_inuse on mount with security change") +Signed-off-by: Dai Ngo +Signed-off-by: Chuck Lever +Reviewed-by: Bruce Fields +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4112,8 +4112,10 @@ nfsd4_setclientid_confirm(struct svc_rqs + status = nfserr_clid_inuse; + if (client_has_state(old) + && !same_creds(&unconf->cl_cred, +- &old->cl_cred)) ++ &old->cl_cred)) { ++ old = NULL; + goto out; ++ } + status = mark_client_expired_locked(old); + if (status) { + old = NULL; diff --git a/queue-5.16/pinctrl-bcm2835-fix-a-few-error-paths.patch b/queue-5.16/pinctrl-bcm2835-fix-a-few-error-paths.patch new file mode 100644 index 00000000000..35616103bf5 --- /dev/null +++ b/queue-5.16/pinctrl-bcm2835-fix-a-few-error-paths.patch @@ -0,0 +1,78 @@ +From 5297c693d8c8e08fa742e3112cf70723f7a04da2 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 27 Jan 2022 13:50:31 -0800 +Subject: pinctrl: bcm2835: Fix a few error paths + +From: Florian Fainelli + +commit 5297c693d8c8e08fa742e3112cf70723f7a04da2 upstream. + +After commit 266423e60ea1 ("pinctrl: bcm2835: Change init order for gpio +hogs") a few error paths would not unwind properly the registration of +gpio ranges. Correct that by assigning a single error label and goto it +whenever we encounter a fatal error. + +Fixes: 266423e60ea1 ("pinctrl: bcm2835: Change init order for gpio hogs") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220127215033.267227-1-f.fainelli@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/bcm/pinctrl-bcm2835.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c ++++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c +@@ -1264,16 +1264,18 @@ static int bcm2835_pinctrl_probe(struct + sizeof(*girq->parents), + GFP_KERNEL); + if (!girq->parents) { +- pinctrl_remove_gpio_range(pc->pctl_dev, &pc->gpio_range); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto out_remove; + } + + if (is_7211) { + pc->wake_irq = devm_kcalloc(dev, BCM2835_NUM_IRQS, + sizeof(*pc->wake_irq), + GFP_KERNEL); +- if (!pc->wake_irq) +- return -ENOMEM; ++ if (!pc->wake_irq) { ++ err = -ENOMEM; ++ goto out_remove; ++ } + } + + /* +@@ -1301,8 +1303,10 @@ static int bcm2835_pinctrl_probe(struct + + len = strlen(dev_name(pc->dev)) + 16; + name = devm_kzalloc(pc->dev, len, GFP_KERNEL); +- if (!name) +- return -ENOMEM; ++ if (!name) { ++ err = -ENOMEM; ++ goto out_remove; ++ } + + snprintf(name, len, "%s:bank%d", dev_name(pc->dev), i); + +@@ -1321,11 +1325,14 @@ static int bcm2835_pinctrl_probe(struct + err = gpiochip_add_data(&pc->gpio_chip, pc); + if (err) { + dev_err(dev, "could not add GPIO chip\n"); +- pinctrl_remove_gpio_range(pc->pctl_dev, &pc->gpio_range); +- return err; ++ goto out_remove; + } + + return 0; ++ ++out_remove: ++ pinctrl_remove_gpio_range(pc->pctl_dev, &pc->gpio_range); ++ return err; + } + + static struct platform_driver bcm2835_pinctrl_driver = { diff --git a/queue-5.16/pinctrl-intel-fix-a-glitch-when-updating-irq-flags-on-a-preconfigured-line.patch b/queue-5.16/pinctrl-intel-fix-a-glitch-when-updating-irq-flags-on-a-preconfigured-line.patch new file mode 100644 index 00000000000..f936432c14f --- /dev/null +++ b/queue-5.16/pinctrl-intel-fix-a-glitch-when-updating-irq-flags-on-a-preconfigured-line.patch @@ -0,0 +1,69 @@ +From e12963c453263d5321a2c610e98cbc731233b685 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 19 Jan 2022 20:19:15 +0200 +Subject: pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line + +From: Andy Shevchenko + +commit e12963c453263d5321a2c610e98cbc731233b685 upstream. + +The commit af7e3eeb84e2 ("pinctrl: intel: Disable input and output buffer +when switching to GPIO") hadn't taken into account an update of the IRQ +flags scenario. + +When updating the IRQ flags on the preconfigured line the ->irq_set_type() +is called again. In such case the sequential Rx buffer configuration +changes may trigger a falling or rising edge interrupt that may lead, +on some platforms, to an undesired event. + +This may happen because each of intel_gpio_set_gpio_mode() and +__intel_gpio_set_direction() updates the pad configuration with a different +value of the GPIORXDIS bit. Notable, that the intel_gpio_set_gpio_mode() is +called only for the pads that are configured as an input. Due to this fact, +integrate the logic of __intel_gpio_set_direction() call into the +intel_gpio_set_gpio_mode() so that the Rx buffer won't be disabled and +immediately re-enabled. + +Fixes: af7e3eeb84e2 ("pinctrl: intel: Disable input and output buffer when switching to GPIO") +Reported-by: Kane Chen +Signed-off-by: Andy Shevchenko +Acked-by: Mika Westerberg +Tested-by: Grace Kao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/intel/pinctrl-intel.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -451,8 +451,8 @@ static void intel_gpio_set_gpio_mode(voi + value &= ~PADCFG0_PMODE_MASK; + value |= PADCFG0_PMODE_GPIO; + +- /* Disable input and output buffers */ +- value |= PADCFG0_GPIORXDIS; ++ /* Disable TX buffer and enable RX (this will be input) */ ++ value &= ~PADCFG0_GPIORXDIS; + value |= PADCFG0_GPIOTXDIS; + + /* Disable SCI/SMI/NMI generation */ +@@ -497,9 +497,6 @@ static int intel_gpio_request_enable(str + + intel_gpio_set_gpio_mode(padcfg0); + +- /* Disable TX buffer and enable RX (this will be input) */ +- __intel_gpio_set_direction(padcfg0, true); +- + raw_spin_unlock_irqrestore(&pctrl->lock, flags); + + return 0; +@@ -1115,9 +1112,6 @@ static int intel_gpio_irq_type(struct ir + + intel_gpio_set_gpio_mode(reg); + +- /* Disable TX buffer and enable RX (this will be input) */ +- __intel_gpio_set_direction(reg, true); +- + value = readl(reg); + + value &= ~(PADCFG0_RXEVCFG_MASK | PADCFG0_RXINV); diff --git a/queue-5.16/pinctrl-intel-fix-unexpected-interrupt.patch b/queue-5.16/pinctrl-intel-fix-unexpected-interrupt.patch new file mode 100644 index 00000000000..9ab9e0ac475 --- /dev/null +++ b/queue-5.16/pinctrl-intel-fix-unexpected-interrupt.patch @@ -0,0 +1,123 @@ +From e986f0e602f19ecb7880b04dd1db415ed9bca3f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Bartosik?= +Date: Mon, 24 Jan 2022 13:55:29 +0100 +Subject: pinctrl: intel: fix unexpected interrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Łukasz Bartosik + +commit e986f0e602f19ecb7880b04dd1db415ed9bca3f6 upstream. + +ASUS Chromebook C223 with Celeron N3350 crashes sometimes during +cold booot. Inspection of the kernel log showed that it gets into +an inifite loop logging the following message: + +->handle_irq(): 000000009cdb51e8, handle_bad_irq+0x0/0x251 +->irq_data.chip(): 000000005ec212a7, 0xffffa043009d8e7 +->action(): 00000 + IRQ_NOPROBE set +unexpected IRQ trap at vector 7c + +The issue happens during cold boot but only if cold boot happens +at most several dozen seconds after Chromebook is powered off. For +longer intervals between power off and power on (cold boot) the issue +does not reproduce. The unexpected interrupt is sourced from INT3452 +GPIO pin which is used for SD card detect. Investigation relevealed +that when the interval between power off and power on (cold boot) +is less than several dozen seconds then values of INT3452 GPIO interrupt +enable and interrupt pending registers survive power off and power +on sequence and interrupt for SD card detect pin is enabled and pending +during probe of SD controller which causes the unexpected IRQ message. +"Intel Pentium and Celeron Processor N- and J- Series" volume 3 doc +mentions that GPIO interrupt enable and status registers default +value is 0x0. +The fix clears INT3452 GPIO interrupt enabled and interrupt pending +registers in its probe function. + +Fixes: 7981c0015af2 ("pinctrl: intel: Add Intel Sunrisepoint pin controller and GPIO support") +Signed-off-by: Łukasz Bartosik +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/intel/pinctrl-intel.c | 54 +++++++++++++++++++++------------- + 1 file changed, 34 insertions(+), 20 deletions(-) + +--- a/drivers/pinctrl/intel/pinctrl-intel.c ++++ b/drivers/pinctrl/intel/pinctrl-intel.c +@@ -1210,6 +1210,39 @@ static irqreturn_t intel_gpio_irq(int ir + return IRQ_RETVAL(ret); + } + ++static void intel_gpio_irq_init(struct intel_pinctrl *pctrl) ++{ ++ int i; ++ ++ for (i = 0; i < pctrl->ncommunities; i++) { ++ const struct intel_community *community; ++ void __iomem *base; ++ unsigned int gpp; ++ ++ community = &pctrl->communities[i]; ++ base = community->regs; ++ ++ for (gpp = 0; gpp < community->ngpps; gpp++) { ++ /* Mask and clear all interrupts */ ++ writel(0, base + community->ie_offset + gpp * 4); ++ writel(0xffff, base + community->is_offset + gpp * 4); ++ } ++ } ++} ++ ++static int intel_gpio_irq_init_hw(struct gpio_chip *gc) ++{ ++ struct intel_pinctrl *pctrl = gpiochip_get_data(gc); ++ ++ /* ++ * Make sure the interrupt lines are in a proper state before ++ * further configuration. ++ */ ++ intel_gpio_irq_init(pctrl); ++ ++ return 0; ++} ++ + static int intel_gpio_add_community_ranges(struct intel_pinctrl *pctrl, + const struct intel_community *community) + { +@@ -1314,6 +1347,7 @@ static int intel_gpio_probe(struct intel + girq->num_parents = 0; + girq->default_type = IRQ_TYPE_NONE; + girq->handler = handle_bad_irq; ++ girq->init_hw = intel_gpio_irq_init_hw; + + ret = devm_gpiochip_add_data(pctrl->dev, &pctrl->chip, pctrl); + if (ret) { +@@ -1689,26 +1723,6 @@ int intel_pinctrl_suspend_noirq(struct d + } + EXPORT_SYMBOL_GPL(intel_pinctrl_suspend_noirq); + +-static void intel_gpio_irq_init(struct intel_pinctrl *pctrl) +-{ +- size_t i; +- +- for (i = 0; i < pctrl->ncommunities; i++) { +- const struct intel_community *community; +- void __iomem *base; +- unsigned int gpp; +- +- community = &pctrl->communities[i]; +- base = community->regs; +- +- for (gpp = 0; gpp < community->ngpps; gpp++) { +- /* Mask and clear all interrupts */ +- writel(0, base + community->ie_offset + gpp * 4); +- writel(0xffff, base + community->is_offset + gpp * 4); +- } +- } +-} +- + static bool intel_gpio_update_reg(void __iomem *reg, u32 mask, u32 value) + { + u32 curr, updated; diff --git a/queue-5.16/pinctrl-sunxi-fix-h616-i2s3-pin-data.patch b/queue-5.16/pinctrl-sunxi-fix-h616-i2s3-pin-data.patch new file mode 100644 index 00000000000..f46164371b1 --- /dev/null +++ b/queue-5.16/pinctrl-sunxi-fix-h616-i2s3-pin-data.patch @@ -0,0 +1,51 @@ +From 1fd6bb5b47a65eacb063b37e6fa6df2b8fa92959 Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Wed, 5 Jan 2022 17:29:52 +0000 +Subject: pinctrl: sunxi: Fix H616 I2S3 pin data + +From: Andre Przywara + +commit 1fd6bb5b47a65eacb063b37e6fa6df2b8fa92959 upstream. + +Two bugs have sneaked in the H616 pinctrl data: +- PH9 uses the mux value of 0x3 twice (one should be 0x5 instead) +- PH8 and PH9 use the "i2s3" function name twice in each pin + +For the double pin name we use the same trick we pulled for i2s0: append +the pin function to the group name to designate the special function. + +Fixes: 25adc29407fb ("pinctrl: sunxi: Add support for the Allwinner H616 pin controller") +Reported-by: SASANO Takayoshi +Signed-off-by: Andre Przywara +Reviewed-by: Jernej Skrabec +Reviewed-by: Samuel Holland +Link: https://lore.kernel.org/r/20220105172952.23347-1-andre.przywara@arm.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/sunxi/pinctrl-sun50i-h616.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h616.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h616.c +@@ -363,16 +363,16 @@ static const struct sunxi_desc_pin h616_ + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), + SUNXI_FUNCTION(0x2, "uart2"), /* CTS */ +- SUNXI_FUNCTION(0x3, "i2s3"), /* DO0 */ ++ SUNXI_FUNCTION(0x3, "i2s3_dout0"), /* DO0 */ + SUNXI_FUNCTION(0x4, "spi1"), /* MISO */ +- SUNXI_FUNCTION(0x5, "i2s3"), /* DI1 */ ++ SUNXI_FUNCTION(0x5, "i2s3_din1"), /* DI1 */ + SUNXI_FUNCTION_IRQ_BANK(0x6, 6, 8)), /* PH_EINT8 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 9), + SUNXI_FUNCTION(0x0, "gpio_in"), + SUNXI_FUNCTION(0x1, "gpio_out"), +- SUNXI_FUNCTION(0x3, "i2s3"), /* DI0 */ ++ SUNXI_FUNCTION(0x3, "i2s3_din0"), /* DI0 */ + SUNXI_FUNCTION(0x4, "spi1"), /* CS1 */ +- SUNXI_FUNCTION(0x3, "i2s3"), /* DO1 */ ++ SUNXI_FUNCTION(0x5, "i2s3_dout1"), /* DO1 */ + SUNXI_FUNCTION_IRQ_BANK(0x6, 6, 9)), /* PH_EINT9 */ + SUNXI_PIN(SUNXI_PINCTRL_PIN(H, 10), + SUNXI_FUNCTION(0x0, "gpio_in"), diff --git a/queue-5.16/rdma-cma-use-correct-address-when-leaving-multicast-group.patch b/queue-5.16/rdma-cma-use-correct-address-when-leaving-multicast-group.patch new file mode 100644 index 00000000000..6029c2b803e --- /dev/null +++ b/queue-5.16/rdma-cma-use-correct-address-when-leaving-multicast-group.patch @@ -0,0 +1,63 @@ +From d9e410ebbed9d091b97bdf45b8a3792e2878dc48 Mon Sep 17 00:00:00 2001 +From: Maor Gottlieb +Date: Tue, 18 Jan 2022 09:35:00 +0200 +Subject: RDMA/cma: Use correct address when leaving multicast group + +From: Maor Gottlieb + +commit d9e410ebbed9d091b97bdf45b8a3792e2878dc48 upstream. + +In RoCE we should use cma_iboe_set_mgid() and not cma_set_mgid to generate +the mgid, otherwise we will generate an IGMP for an incorrect address. + +Fixes: b5de0c60cc30 ("RDMA/cma: Fix use after free race in roce multicast join") +Link: https://lore.kernel.org/r/913bc6783fd7a95fe71ad9454e01653ee6fb4a9a.1642491047.git.leonro@nvidia.com +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -67,8 +67,8 @@ static const char * const cma_events[] = + [RDMA_CM_EVENT_TIMEWAIT_EXIT] = "timewait exit", + }; + +-static void cma_set_mgid(struct rdma_id_private *id_priv, struct sockaddr *addr, +- union ib_gid *mgid); ++static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid, ++ enum ib_gid_type gid_type); + + const char *__attribute_const__ rdma_event_msg(enum rdma_cm_event_type event) + { +@@ -1846,17 +1846,19 @@ static void destroy_mc(struct rdma_id_pr + if (dev_addr->bound_dev_if) + ndev = dev_get_by_index(dev_addr->net, + dev_addr->bound_dev_if); +- if (ndev) { ++ if (ndev && !send_only) { ++ enum ib_gid_type gid_type; + union ib_gid mgid; + +- cma_set_mgid(id_priv, (struct sockaddr *)&mc->addr, +- &mgid); +- +- if (!send_only) +- cma_igmp_send(ndev, &mgid, false); +- +- dev_put(ndev); ++ gid_type = id_priv->cma_dev->default_gid_type ++ [id_priv->id.port_num - ++ rdma_start_port( ++ id_priv->cma_dev->device)]; ++ cma_iboe_set_mgid((struct sockaddr *)&mc->addr, &mgid, ++ gid_type); ++ cma_igmp_send(ndev, &mgid, false); + } ++ dev_put(ndev); + + cancel_work_sync(&mc->iboe_join.work); + } diff --git a/queue-5.16/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch b/queue-5.16/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch new file mode 100644 index 00000000000..65e6537a799 --- /dev/null +++ b/queue-5.16/rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch @@ -0,0 +1,40 @@ +From f3136c4ce7acf64bee43135971ca52a880572e32 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Mon, 31 Jan 2022 11:45:26 +0200 +Subject: RDMA/mlx4: Don't continue event handler after memory allocation failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +commit f3136c4ce7acf64bee43135971ca52a880572e32 upstream. + +The failure to allocate memory during MLX4_DEV_EVENT_PORT_MGMT_CHANGE +event handler will cause skip the assignment logic, but +ib_dispatch_event() will be called anyway. + +Fix it by calling to return instead of break after memory allocation +failure. + +Fixes: 00f5ce99dc6e ("mlx4: Use port management change event instead of smp_snoop") +Link: https://lore.kernel.org/r/12a0e83f18cfad4b5f62654f141e240d04915e10.1643622264.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Reviewed-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -3247,7 +3247,7 @@ static void mlx4_ib_event(struct mlx4_de + case MLX4_DEV_EVENT_PORT_MGMT_CHANGE: + ew = kmalloc(sizeof *ew, GFP_ATOMIC); + if (!ew) +- break; ++ return; + + INIT_WORK(&ew->work, handle_port_mgmt_change_event); + memcpy(&ew->ib_eqe, eqe, sizeof *eqe); diff --git a/queue-5.16/rdma-siw-fix-broken-rdma-read-fence-resume-logic.patch b/queue-5.16/rdma-siw-fix-broken-rdma-read-fence-resume-logic.patch new file mode 100644 index 00000000000..fa567c808bd --- /dev/null +++ b/queue-5.16/rdma-siw-fix-broken-rdma-read-fence-resume-logic.patch @@ -0,0 +1,97 @@ +From b43a76f423aa304037603fd6165c4a534d2c09a7 Mon Sep 17 00:00:00 2001 +From: Bernard Metzler +Date: Sun, 30 Jan 2022 18:08:15 +0100 +Subject: RDMA/siw: Fix broken RDMA Read Fence/Resume logic. + +From: Bernard Metzler + +commit b43a76f423aa304037603fd6165c4a534d2c09a7 upstream. + +Code unconditionally resumed fenced SQ processing after next RDMA Read +completion, even if other RDMA Read responses are still outstanding, or +ORQ is full. Also adds comments for better readability of fence +processing, and removes orq_get_tail() helper, which is not needed +anymore. + +Fixes: 8b6a361b8c48 ("rdma/siw: receive path") +Fixes: a531975279f3 ("rdma/siw: main include file") +Link: https://lore.kernel.org/r/20220130170815.1940-1-bmt@zurich.ibm.com +Reported-by: Jared Holzman +Signed-off-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/siw/siw.h | 7 +------ + drivers/infiniband/sw/siw/siw_qp_rx.c | 20 +++++++++++--------- + 2 files changed, 12 insertions(+), 15 deletions(-) + +--- a/drivers/infiniband/sw/siw/siw.h ++++ b/drivers/infiniband/sw/siw/siw.h +@@ -644,14 +644,9 @@ static inline struct siw_sqe *orq_get_cu + return &qp->orq[qp->orq_get % qp->attrs.orq_size]; + } + +-static inline struct siw_sqe *orq_get_tail(struct siw_qp *qp) +-{ +- return &qp->orq[qp->orq_put % qp->attrs.orq_size]; +-} +- + static inline struct siw_sqe *orq_get_free(struct siw_qp *qp) + { +- struct siw_sqe *orq_e = orq_get_tail(qp); ++ struct siw_sqe *orq_e = &qp->orq[qp->orq_put % qp->attrs.orq_size]; + + if (READ_ONCE(orq_e->flags) == 0) + return orq_e; +--- a/drivers/infiniband/sw/siw/siw_qp_rx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c +@@ -1153,11 +1153,12 @@ static int siw_check_tx_fence(struct siw + + spin_lock_irqsave(&qp->orq_lock, flags); + +- rreq = orq_get_current(qp); +- + /* free current orq entry */ ++ rreq = orq_get_current(qp); + WRITE_ONCE(rreq->flags, 0); + ++ qp->orq_get++; ++ + if (qp->tx_ctx.orq_fence) { + if (unlikely(tx_waiting->wr_status != SIW_WR_QUEUED)) { + pr_warn("siw: [QP %u]: fence resume: bad status %d\n", +@@ -1165,10 +1166,12 @@ static int siw_check_tx_fence(struct siw + rv = -EPROTO; + goto out; + } +- /* resume SQ processing */ ++ /* resume SQ processing, if possible */ + if (tx_waiting->sqe.opcode == SIW_OP_READ || + tx_waiting->sqe.opcode == SIW_OP_READ_LOCAL_INV) { +- rreq = orq_get_tail(qp); ++ ++ /* SQ processing was stopped because of a full ORQ */ ++ rreq = orq_get_free(qp); + if (unlikely(!rreq)) { + pr_warn("siw: [QP %u]: no ORQE\n", qp_id(qp)); + rv = -EPROTO; +@@ -1181,15 +1184,14 @@ static int siw_check_tx_fence(struct siw + resume_tx = 1; + + } else if (siw_orq_empty(qp)) { ++ /* ++ * SQ processing was stopped by fenced work request. ++ * Resume since all previous Read's are now completed. ++ */ + qp->tx_ctx.orq_fence = 0; + resume_tx = 1; +- } else { +- pr_warn("siw: [QP %u]: fence resume: orq idx: %d:%d\n", +- qp_id(qp), qp->orq_get, qp->orq_put); +- rv = -EPROTO; + } + } +- qp->orq_get++; + out: + spin_unlock_irqrestore(&qp->orq_lock, flags); + diff --git a/queue-5.16/rdma-siw-fix-refcounting-leak-in-siw_create_qp.patch b/queue-5.16/rdma-siw-fix-refcounting-leak-in-siw_create_qp.patch new file mode 100644 index 00000000000..e892cdcd61a --- /dev/null +++ b/queue-5.16/rdma-siw-fix-refcounting-leak-in-siw_create_qp.patch @@ -0,0 +1,35 @@ +From a75badebfdc0b3823054bedf112edb54d6357c75 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 18 Jan 2022 12:11:04 +0300 +Subject: RDMA/siw: Fix refcounting leak in siw_create_qp() + +From: Dan Carpenter + +commit a75badebfdc0b3823054bedf112edb54d6357c75 upstream. + +The atomic_inc() needs to be paired with an atomic_dec() on the error +path. + +Fixes: 514aee660df4 ("RDMA: Globally allocate and release QP memory") +Link: https://lore.kernel.org/r/20220118091104.GA11671@kili +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Reviewed-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/siw/siw_verbs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -311,7 +311,8 @@ int siw_create_qp(struct ib_qp *ibqp, st + + if (atomic_inc_return(&sdev->num_qp) > SIW_MAX_QP) { + siw_dbg(base_dev, "too many QP's\n"); +- return -ENOMEM; ++ rv = -ENOMEM; ++ goto err_atomic; + } + if (attrs->qp_type != IB_QPT_RC) { + siw_dbg(base_dev, "only RC QP's supported\n"); diff --git a/queue-5.16/rdma-ucma-protect-mc-during-concurrent-multicast-leaves.patch b/queue-5.16/rdma-ucma-protect-mc-during-concurrent-multicast-leaves.patch new file mode 100644 index 00000000000..5ff95b6189e --- /dev/null +++ b/queue-5.16/rdma-ucma-protect-mc-during-concurrent-multicast-leaves.patch @@ -0,0 +1,154 @@ +From 36e8169ec973359f671f9ec7213547059cae972e Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 18 Jan 2022 09:35:01 +0200 +Subject: RDMA/ucma: Protect mc during concurrent multicast leaves + +From: Leon Romanovsky + +commit 36e8169ec973359f671f9ec7213547059cae972e upstream. + +Partially revert the commit mentioned in the Fixes line to make sure that +allocation and erasing multicast struct are locked. + + BUG: KASAN: use-after-free in ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] + BUG: KASAN: use-after-free in ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 + Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 + CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 + __kasan_report mm/kasan/report.c:433 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 + ucma_cleanup_multicast drivers/infiniband/core/ucma.c:491 [inline] + ucma_destroy_private_ctx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 + ucma_destroy_id+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 + ucma_write+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 + vfs_write+0x28e/0xae0 fs/read_write.c:588 + ksys_write+0x1ee/0x250 fs/read_write.c:643 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Currently the xarray search can touch a concurrently freeing mc as the +xa_for_each() is not surrounded by any lock. Rather than hold the lock for +a full scan hold it only for the effected items, which is usually an empty +list. + +Fixes: 95fe51096b7a ("RDMA/ucma: Remove mc_list and rely on xarray") +Link: https://lore.kernel.org/r/1cda5fabb1081e8d16e39a48d3a4f8160cea88b8.1642491047.git.leonro@nvidia.com +Reported-by: syzbot+e3f96c43d19782dd14a7@syzkaller.appspotmail.com +Suggested-by: Jason Gunthorpe +Reviewed-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -95,6 +95,7 @@ struct ucma_context { + u64 uid; + + struct list_head list; ++ struct list_head mc_list; + struct work_struct close_work; + }; + +@@ -105,6 +106,7 @@ struct ucma_multicast { + + u64 uid; + u8 join_state; ++ struct list_head list; + struct sockaddr_storage addr; + }; + +@@ -198,6 +200,7 @@ static struct ucma_context *ucma_alloc_c + + INIT_WORK(&ctx->close_work, ucma_close_id); + init_completion(&ctx->comp); ++ INIT_LIST_HEAD(&ctx->mc_list); + /* So list_del() will work if we don't do ucma_finish_ctx() */ + INIT_LIST_HEAD(&ctx->list); + ctx->file = file; +@@ -484,19 +487,19 @@ err1: + + static void ucma_cleanup_multicast(struct ucma_context *ctx) + { +- struct ucma_multicast *mc; +- unsigned long index; ++ struct ucma_multicast *mc, *tmp; + +- xa_for_each(&multicast_table, index, mc) { +- if (mc->ctx != ctx) +- continue; ++ xa_lock(&multicast_table); ++ list_for_each_entry_safe(mc, tmp, &ctx->mc_list, list) { ++ list_del(&mc->list); + /* + * At this point mc->ctx->ref is 0 so the mc cannot leave the + * lock on the reader and this is enough serialization + */ +- xa_erase(&multicast_table, index); ++ __xa_erase(&multicast_table, mc->id); + kfree(mc); + } ++ xa_unlock(&multicast_table); + } + + static void ucma_cleanup_mc_events(struct ucma_multicast *mc) +@@ -1469,12 +1472,16 @@ static ssize_t ucma_process_join(struct + mc->uid = cmd->uid; + memcpy(&mc->addr, addr, cmd->addr_size); + +- if (xa_alloc(&multicast_table, &mc->id, NULL, xa_limit_32b, ++ xa_lock(&multicast_table); ++ if (__xa_alloc(&multicast_table, &mc->id, NULL, xa_limit_32b, + GFP_KERNEL)) { + ret = -ENOMEM; + goto err_free_mc; + } + ++ list_add_tail(&mc->list, &ctx->mc_list); ++ xa_unlock(&multicast_table); ++ + mutex_lock(&ctx->mutex); + ret = rdma_join_multicast(ctx->cm_id, (struct sockaddr *)&mc->addr, + join_state, mc); +@@ -1500,8 +1507,11 @@ err_leave_multicast: + mutex_unlock(&ctx->mutex); + ucma_cleanup_mc_events(mc); + err_xa_erase: +- xa_erase(&multicast_table, mc->id); ++ xa_lock(&multicast_table); ++ list_del(&mc->list); ++ __xa_erase(&multicast_table, mc->id); + err_free_mc: ++ xa_unlock(&multicast_table); + kfree(mc); + err_put_ctx: + ucma_put_ctx(ctx); +@@ -1569,15 +1579,17 @@ static ssize_t ucma_leave_multicast(stru + mc = ERR_PTR(-EINVAL); + else if (!refcount_inc_not_zero(&mc->ctx->ref)) + mc = ERR_PTR(-ENXIO); +- else +- __xa_erase(&multicast_table, mc->id); +- xa_unlock(&multicast_table); + + if (IS_ERR(mc)) { ++ xa_unlock(&multicast_table); + ret = PTR_ERR(mc); + goto out; + } + ++ list_del(&mc->list); ++ __xa_erase(&multicast_table, mc->id); ++ xa_unlock(&multicast_table); ++ + mutex_lock(&mc->ctx->mutex); + rdma_leave_multicast(mc->ctx->cm_id, (struct sockaddr *) &mc->addr); + mutex_unlock(&mc->ctx->mutex); diff --git a/queue-5.16/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch b/queue-5.16/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch new file mode 100644 index 00000000000..523eec9579f --- /dev/null +++ b/queue-5.16/scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch @@ -0,0 +1,92 @@ +From 936bd03405fc83ba039d42bc93ffd4b88418f1d3 Mon Sep 17 00:00:00 2001 +From: John Meneghini +Date: Mon, 24 Jan 2022 09:51:10 -0500 +Subject: scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe + +From: John Meneghini + +commit 936bd03405fc83ba039d42bc93ffd4b88418f1d3 upstream. + +Running tests with a debug kernel shows that bnx2fc_recv_frame() is +modifying the per_cpu lport stats counters in a non-mpsafe way. Just boot +a debug kernel and run the bnx2fc driver with the hardware enabled. + +[ 1391.699147] BUG: using smp_processor_id() in preemptible [00000000] code: bnx2fc_ +[ 1391.699160] caller is bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] +[ 1391.699174] CPU: 2 PID: 4355 Comm: bnx2fc_l2_threa Kdump: loaded Tainted: G B +[ 1391.699180] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013 +[ 1391.699183] Call Trace: +[ 1391.699188] dump_stack_lvl+0x57/0x7d +[ 1391.699198] check_preemption_disabled+0xc8/0xd0 +[ 1391.699205] bnx2fc_recv_frame+0xbf9/0x1760 [bnx2fc] +[ 1391.699215] ? do_raw_spin_trylock+0xb5/0x180 +[ 1391.699221] ? bnx2fc_npiv_create_vports.isra.0+0x4e0/0x4e0 [bnx2fc] +[ 1391.699229] ? bnx2fc_l2_rcv_thread+0xb7/0x3a0 [bnx2fc] +[ 1391.699240] bnx2fc_l2_rcv_thread+0x1af/0x3a0 [bnx2fc] +[ 1391.699250] ? bnx2fc_ulp_init+0xc0/0xc0 [bnx2fc] +[ 1391.699258] kthread+0x364/0x420 +[ 1391.699263] ? _raw_spin_unlock_irq+0x24/0x50 +[ 1391.699268] ? set_kthread_struct+0x100/0x100 +[ 1391.699273] ret_from_fork+0x22/0x30 + +Restore the old get_cpu/put_cpu code with some modifications to reduce the +size of the critical section. + +Link: https://lore.kernel.org/r/20220124145110.442335-1-jmeneghi@redhat.com +Fixes: d576a5e80cd0 ("bnx2fc: Improve stats update mechanism") +Tested-by: Guangwu Zhang +Acked-by: Saurav Kashyap +Signed-off-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -508,7 +508,8 @@ static int bnx2fc_l2_rcv_thread(void *ar + + static void bnx2fc_recv_frame(struct sk_buff *skb) + { +- u32 fr_len; ++ u64 crc_err; ++ u32 fr_len, fr_crc; + struct fc_lport *lport; + struct fcoe_rcv_info *fr; + struct fc_stats *stats; +@@ -542,6 +543,11 @@ static void bnx2fc_recv_frame(struct sk_ + skb_pull(skb, sizeof(struct fcoe_hdr)); + fr_len = skb->len - sizeof(struct fcoe_crc_eof); + ++ stats = per_cpu_ptr(lport->stats, get_cpu()); ++ stats->RxFrames++; ++ stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; ++ put_cpu(); ++ + fp = (struct fc_frame *)skb; + fc_frame_init(fp); + fr_dev(fp) = lport; +@@ -624,16 +630,15 @@ static void bnx2fc_recv_frame(struct sk_ + return; + } + +- stats = per_cpu_ptr(lport->stats, smp_processor_id()); +- stats->RxFrames++; +- stats->RxWords += fr_len / FCOE_WORD_TO_BYTE; ++ fr_crc = le32_to_cpu(fr_crc(fp)); + +- if (le32_to_cpu(fr_crc(fp)) != +- ~crc32(~0, skb->data, fr_len)) { +- if (stats->InvalidCRCCount < 5) ++ if (unlikely(fr_crc != ~crc32(~0, skb->data, fr_len))) { ++ stats = per_cpu_ptr(lport->stats, get_cpu()); ++ crc_err = (stats->InvalidCRCCount++); ++ put_cpu(); ++ if (crc_err < 5) + printk(KERN_WARNING PFX "dropping frame with " + "CRC error\n"); +- stats->InvalidCRCCount++; + kfree_skb(skb); + return; + } diff --git a/queue-5.16/selftests-exec-remove-pipe-from-test_gen_files.patch b/queue-5.16/selftests-exec-remove-pipe-from-test_gen_files.patch new file mode 100644 index 00000000000..78657e45b99 --- /dev/null +++ b/queue-5.16/selftests-exec-remove-pipe-from-test_gen_files.patch @@ -0,0 +1,41 @@ +From 908a26e139e8cf21093acc56d8e90ddad2ad1eff Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Thu, 27 Jan 2022 21:33:45 +0500 +Subject: selftests/exec: Remove pipe from TEST_GEN_FILES + +From: Muhammad Usama Anjum + +commit 908a26e139e8cf21093acc56d8e90ddad2ad1eff upstream. + +pipe named FIFO special file is being created in execveat.c to perform +some tests. Makefile doesn't need to do anything with the pipe. When it +isn't found, Makefile generates the following build error: + +make: *** No rule to make target +'../tools/testing/selftests/exec/pipe', needed by 'all'. Stop. + +pipe is created and removed during test run-time. + +Amended change log to add pipe remove info: +Shuah Khan + +Fixes: 61016db15b8e ("selftests/exec: Verify execve of non-regular files fail") +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: Shuah Khan +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/exec/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/exec/Makefile ++++ b/tools/testing/selftests/exec/Makefile +@@ -5,7 +5,7 @@ CFLAGS += -D_GNU_SOURCE + + TEST_PROGS := binfmt_script non-regular + TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 +-TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir pipe ++TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir + # Makefile is a run-time dependency, since it's accessed by the execveat test + TEST_FILES := Makefile + diff --git a/queue-5.16/selftests-futex-use-variable-make-instead-of-make.patch b/queue-5.16/selftests-futex-use-variable-make-instead-of-make.patch new file mode 100644 index 00000000000..8cfcdc3db63 --- /dev/null +++ b/queue-5.16/selftests-futex-use-variable-make-instead-of-make.patch @@ -0,0 +1,46 @@ +From b9199181a9ef8252e47e207be8c23e1f50662620 Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Thu, 27 Jan 2022 22:44:46 +0500 +Subject: selftests: futex: Use variable MAKE instead of make +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Muhammad Usama Anjum + +commit b9199181a9ef8252e47e207be8c23e1f50662620 upstream. + +Recursive make commands should always use the variable MAKE, not the +explicit command name ‘make’. This has benefits and removes the +following warning when multiple jobs are used for the build: + +make[2]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule. + +Fixes: a8ba798bc8ec ("selftests: enable O and KBUILD_OUTPUT") +Signed-off-by: Muhammad Usama Anjum +Reviewed-by: André Almeida +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/futex/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/futex/Makefile ++++ b/tools/testing/selftests/futex/Makefile +@@ -11,7 +11,7 @@ all: + @for DIR in $(SUBDIRS); do \ + BUILD_TARGET=$(OUTPUT)/$$DIR; \ + mkdir $$BUILD_TARGET -p; \ +- make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ ++ $(MAKE) OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ + if [ -e $$DIR/$(TEST_PROGS) ]; then \ + rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/; \ + fi \ +@@ -32,6 +32,6 @@ override define CLEAN + @for DIR in $(SUBDIRS); do \ + BUILD_TARGET=$(OUTPUT)/$$DIR; \ + mkdir $$BUILD_TARGET -p; \ +- make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ ++ $(MAKE) OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ + done + endef diff --git a/queue-5.16/series b/queue-5.16/series index 6be082997ce..98f029fe741 100644 --- a/queue-5.16/series +++ b/queue-5.16/series @@ -45,3 +45,60 @@ risc-v-kvm-make-cy-tm-and-ir-counters-accessible-in-vu-mode.patch kvm-arm64-avoid-consuming-a-stale-esr-value-when-serror-occur.patch kvm-arm64-stop-handle_exit-from-handling-hvc-twice-when-an-serror-occurs.patch arm64-add-cortex-a510-cpu-part-definition.patch +rdma-cma-use-correct-address-when-leaving-multicast-group.patch +rdma-ucma-protect-mc-during-concurrent-multicast-leaves.patch +rdma-siw-fix-refcounting-leak-in-siw_create_qp.patch +ib-rdmavt-validate-remote_addr-during-loopback-atomic-tests.patch +rdma-siw-fix-broken-rdma-read-fence-resume-logic.patch +rdma-mlx4-don-t-continue-event-handler-after-memory-allocation-failure.patch +alsa-usb-audio-initialize-variables-that-could-ignore-errors.patch +alsa-hda-fix-signedness-of-sscanf-arguments.patch +alsa-hda-skip-codec-shutdown-in-case-the-codec-is-not-registered.patch +iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping.patch +iommu-amd-fix-loop-timeout-issue-in-iommu_ga_log_enable.patch +spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch +spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch +spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch +spi-uniphier-fix-reference-count-leak-in-uniphier_spi_probe.patch +ib-hfi1-fix-tstats-alloc-and-dealloc.patch +ib-cm-release-previously-acquired-reference-counter-in-the-cm_id_priv.patch +net-ieee802154-hwsim-ensure-proper-channel-selection-at-probe-time.patch +net-ieee802154-mcr20a-fix-lifs-sifs-periods.patch +net-ieee802154-ca8210-stop-leaking-skb-s.patch +netfilter-nft_reject_bridge-fix-for-missing-reply-from-prerouting.patch +net-ieee802154-return-meaningful-error-codes-from-the-netlink-helpers.patch +net-smc-forward-wakeup-to-smc-socket-waitqueue-after-fallback.patch +net-stmmac-dwmac-visconti-no-change-to-ether_clock_sel-for-unexpected-speed-request.patch +net-stmmac-properly-handle-with-runtime-pm-in-stmmac_dvr_remove.patch +net-macsec-fix-offload-support-for-netdev_unregister-event.patch +net-macsec-verify-that-send_sci-is-on-when-setting-tx-sci-explicitly.patch +net-stmmac-dump-gmac4-dma-registers-correctly.patch +net-neigh-do-not-trigger-immediate-probes-on-nud_failed-from-neigh_managed_work.patch +net-stmmac-ensure-ptp-time-register-reads-are-consistent.patch +drm-mxsfb-fix-null-pointer-dereference.patch +drm-kmb-fix-for-build-errors-with-warray-bounds.patch +drm-i915-overlay-prevent-divide-by-zero-bugs-in-scaling.patch +drm-i915-lock-timeline-mutex-directly-in-error-path-of-eb_pin_timeline.patch +drm-amd-avoid-suspend-on-dgpus-w-s2idle-support-when-runtime-pm-enabled.patch +asoc-rt5682-fix-deadlock-on-resume.patch +asoc-fsl-add-missing-error-handling-in-pcm030_fabric_probe.patch +asoc-xilinx-xlnx_formatter_pcm-make-buffer-bytes-multiple-of-period-bytes.patch +asoc-simple-card-fix-probe-failure-on-platform-component.patch +asoc-cpcap-check-for-null-pointer-after-calling-of_get_child_by_name.patch +asoc-max9759-fix-underflow-in-speaker_gain_control_put.patch +asoc-codecs-wcd938x-fix-incorrect-used-of-portid.patch +asoc-codecs-lpass-rx-macro-fix-sidetone-register-offsets.patch +asoc-codecs-wcd938x-fix-return-value-of-mixer-put-function.patch +asoc-qdsp6-q6apm-dai-only-stop-graphs-that-are-started.patch +pinctrl-sunxi-fix-h616-i2s3-pin-data.patch +pinctrl-intel-fix-a-glitch-when-updating-irq-flags-on-a-preconfigured-line.patch +pinctrl-intel-fix-unexpected-interrupt.patch +pinctrl-bcm2835-fix-a-few-error-paths.patch +btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch +scsi-bnx2fc-make-bnx2fc_recv_frame-mp-safe.patch +nfsd-nfsd4_setclientid_confirm-mistakenly-expires-confirmed-client.patch +gve-fix-the-wrong-adminq-buffer-queue-index-check.patch +bpf-use-vm_map-instead-of-vm_alloc-for-ringbuf.patch +selftests-exec-remove-pipe-from-test_gen_files.patch +selftests-futex-use-variable-make-instead-of-make.patch +tools-resolve_btfids-do-not-print-any-commands-when-building-silently.patch diff --git a/queue-5.16/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch b/queue-5.16/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch new file mode 100644 index 00000000000..480b00b0e9a --- /dev/null +++ b/queue-5.16/spi-bcm-qspi-check-for-valid-cs-before-applying-chip-select.patch @@ -0,0 +1,36 @@ +From 2cbd27267ffe020af1442b95ec57f59a157ba85c Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 27 Jan 2022 13:53:59 -0500 +Subject: spi: bcm-qspi: check for valid cs before applying chip select + +From: Kamal Dasu + +commit 2cbd27267ffe020af1442b95ec57f59a157ba85c upstream. + +Apply only valid chip select value. This change fixes case where chip +select is set to initial value of '-1' during probe and PM supend and +subsequent resume can try to use the value with undefined behaviour. +Also in case where gpio based chip select, the check in +bcm_qspi_chip_select() shall prevent undefined behaviour on resume. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Kamal Dasu +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220127185359.27322-1-kdasu.kdev@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -573,7 +573,7 @@ static void bcm_qspi_chip_select(struct + u32 rd = 0; + u32 wr = 0; + +- if (qspi->base[CHIP_SELECT]) { ++ if (cs >= 0 && qspi->base[CHIP_SELECT]) { + rd = bcm_qspi_read(qspi, CHIP_SELECT, 0); + wr = (rd & ~0xff) | (1 << cs); + if (rd == wr) diff --git a/queue-5.16/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch b/queue-5.16/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch new file mode 100644 index 00000000000..adeb9d16a4e --- /dev/null +++ b/queue-5.16/spi-mediatek-avoid-null-pointer-crash-in-interrupt.patch @@ -0,0 +1,34 @@ +From f83a96e5f033fbbd21764705cb9c04234b96218e Mon Sep 17 00:00:00 2001 +From: Benjamin Gaignard +Date: Mon, 31 Jan 2022 15:17:08 +0100 +Subject: spi: mediatek: Avoid NULL pointer crash in interrupt + +From: Benjamin Gaignard + +commit f83a96e5f033fbbd21764705cb9c04234b96218e upstream. + +In some case, like after a transfer timeout, master->cur_msg pointer +is NULL which led to a kernel crash when trying to use master->cur_msg->spi. +mtk_spi_can_dma(), pointed by master->can_dma, doesn't use this parameter +avoid the problem by setting NULL as second parameter. + +Fixes: a568231f46322 ("spi: mediatek: Add spi bus for Mediatek MT8173") +Signed-off-by: Benjamin Gaignard +Link: https://lore.kernel.org/r/20220131141708.888710-1-benjamin.gaignard@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -624,7 +624,7 @@ static irqreturn_t mtk_spi_interrupt(int + else + mdata->state = MTK_SPI_IDLE; + +- if (!master->can_dma(master, master->cur_msg->spi, trans)) { ++ if (!master->can_dma(master, NULL, trans)) { + if (trans->rx_buf) { + cnt = mdata->xfer_len / 4; + ioread32_rep(mdata->base + SPI_RX_DATA_REG, diff --git a/queue-5.16/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch b/queue-5.16/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch new file mode 100644 index 00000000000..c1d5c9d6186 --- /dev/null +++ b/queue-5.16/spi-meson-spicc-add-irq-check-in-meson_spicc_probe.patch @@ -0,0 +1,37 @@ +From e937440f7fc444a3e3f1fb75ea65292d6f433a44 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 26 Jan 2022 11:04:47 +0000 +Subject: spi: meson-spicc: add IRQ check in meson_spicc_probe + +From: Miaoqian Lin + +commit e937440f7fc444a3e3f1fb75ea65292d6f433a44 upstream. + +This check misses checking for platform_get_irq()'s call and may passes +the negative error codes to devm_request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. +Stop calling devm_request_irq() with invalid IRQ #s. + +Fixes: 454fa271bc4e ("spi: Add Meson SPICC driver") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220126110447.24549-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-meson-spicc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/spi/spi-meson-spicc.c ++++ b/drivers/spi/spi-meson-spicc.c +@@ -693,6 +693,11 @@ static int meson_spicc_probe(struct plat + writel_relaxed(0, spicc->base + SPICC_INTREG); + + irq = platform_get_irq(pdev, 0); ++ if (irq < 0) { ++ ret = irq; ++ goto out_master; ++ } ++ + ret = devm_request_irq(&pdev->dev, irq, meson_spicc_irq, + 0, NULL, spicc); + if (ret) { diff --git a/queue-5.16/spi-uniphier-fix-reference-count-leak-in-uniphier_spi_probe.patch b/queue-5.16/spi-uniphier-fix-reference-count-leak-in-uniphier_spi_probe.patch new file mode 100644 index 00000000000..121663b326c --- /dev/null +++ b/queue-5.16/spi-uniphier-fix-reference-count-leak-in-uniphier_spi_probe.patch @@ -0,0 +1,80 @@ +From 37c2c83ca4f1ef4b6908181ac98e18360af89b42 Mon Sep 17 00:00:00 2001 +From: Xin Xiong +Date: Tue, 25 Jan 2022 18:12:15 +0800 +Subject: spi: uniphier: fix reference count leak in uniphier_spi_probe() + +From: Xin Xiong + +commit 37c2c83ca4f1ef4b6908181ac98e18360af89b42 upstream. + +The issue happens in several error paths in uniphier_spi_probe(). +When either dma_get_slave_caps() or devm_spi_register_master() returns +an error code, the function forgets to decrease the refcount of both +`dma_rx` and `dma_tx` objects, which may lead to refcount leaks. + +Fix it by decrementing the reference count of specific objects in +those error paths. + +Signed-off-by: Xin Xiong +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Reviewed-by: Kunihiko Hayashi +Fixes: 28d1dddc59f6 ("spi: uniphier: Add DMA transfer mode support") +Link: https://lore.kernel.org/r/20220125101214.35677-1-xiongx18@fudan.edu.cn +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-uniphier.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-uniphier.c ++++ b/drivers/spi/spi-uniphier.c +@@ -726,7 +726,7 @@ static int uniphier_spi_probe(struct pla + if (ret) { + dev_err(&pdev->dev, "failed to get TX DMA capacities: %d\n", + ret); +- goto out_disable_clk; ++ goto out_release_dma; + } + dma_tx_burst = caps.max_burst; + } +@@ -735,7 +735,7 @@ static int uniphier_spi_probe(struct pla + if (IS_ERR_OR_NULL(master->dma_rx)) { + if (PTR_ERR(master->dma_rx) == -EPROBE_DEFER) { + ret = -EPROBE_DEFER; +- goto out_disable_clk; ++ goto out_release_dma; + } + master->dma_rx = NULL; + dma_rx_burst = INT_MAX; +@@ -744,7 +744,7 @@ static int uniphier_spi_probe(struct pla + if (ret) { + dev_err(&pdev->dev, "failed to get RX DMA capacities: %d\n", + ret); +- goto out_disable_clk; ++ goto out_release_dma; + } + dma_rx_burst = caps.max_burst; + } +@@ -753,10 +753,20 @@ static int uniphier_spi_probe(struct pla + + ret = devm_spi_register_master(&pdev->dev, master); + if (ret) +- goto out_disable_clk; ++ goto out_release_dma; + + return 0; + ++out_release_dma: ++ if (!IS_ERR_OR_NULL(master->dma_rx)) { ++ dma_release_channel(master->dma_rx); ++ master->dma_rx = NULL; ++ } ++ if (!IS_ERR_OR_NULL(master->dma_tx)) { ++ dma_release_channel(master->dma_tx); ++ master->dma_tx = NULL; ++ } ++ + out_disable_clk: + clk_disable_unprepare(priv->clk); + diff --git a/queue-5.16/tools-resolve_btfids-do-not-print-any-commands-when-building-silently.patch b/queue-5.16/tools-resolve_btfids-do-not-print-any-commands-when-building-silently.patch new file mode 100644 index 00000000000..371f68bbc1f --- /dev/null +++ b/queue-5.16/tools-resolve_btfids-do-not-print-any-commands-when-building-silently.patch @@ -0,0 +1,44 @@ +From 7f3bdbc3f13146eb9d07de81ea71f551587a384b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 1 Feb 2022 14:25:04 -0700 +Subject: tools/resolve_btfids: Do not print any commands when building silently + +From: Nathan Chancellor + +commit 7f3bdbc3f13146eb9d07de81ea71f551587a384b upstream. + +When building with 'make -s', there is some output from resolve_btfids: + +$ make -sj"$(nproc)" oldconfig prepare + MKDIR .../tools/bpf/resolve_btfids/libbpf/ + MKDIR .../tools/bpf/resolve_btfids//libsubcmd + LINK resolve_btfids + +Silent mode means that no information should be emitted about what is +currently being done. Use the $(silent) variable from Makefile.include +to avoid defining the msg macro so that there is no information printed. + +Fixes: fbbb68de80a4 ("bpf: Add resolve_btfids tool to resolve BTF IDs in ELF object") +Signed-off-by: Nathan Chancellor +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220201212503.731732-1-nathan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + tools/bpf/resolve_btfids/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/tools/bpf/resolve_btfids/Makefile ++++ b/tools/bpf/resolve_btfids/Makefile +@@ -9,7 +9,11 @@ ifeq ($(V),1) + msg = + else + Q = @ +- msg = @printf ' %-8s %s%s\n' "$(1)" "$(notdir $(2))" "$(if $(3), $(3))"; ++ ifeq ($(silent),1) ++ msg = ++ else ++ msg = @printf ' %-8s %s%s\n' "$(1)" "$(notdir $(2))" "$(if $(3), $(3))"; ++ endif + MAKEFLAGS=--no-print-directory + endif +