From: Greg Kroah-Hartman Date: Mon, 27 Dec 2021 13:23:32 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.4.297~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ab08aac393793c9bcf15a24825fe9909431fb0e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch ceph-fix-up-non-directory-creation-in-sgid-directories.patch f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch gpio-dln2-fix-interrupts-when-replugging-the-device.patch mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch mmc-core-disable-card-detect-during-shutdown.patch mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch tee-optee-fix-incorrect-page-free-bug.patch usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
---
diff --git a/queue-5.10/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch b/queue-5.10/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
new file mode 100644
index 00000000000..a07a2ba9ded
--- /dev/null
+++ b/queue-5.10/arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
@@ -0,0 +1,51 @@
+From 8536a5ef886005bc443c2da9b842d69fd3d7647f Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 15 Dec 2021 09:31:36 +0100
+Subject: ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling
+
+From: Ard Biesheuvel
+
+commit 8536a5ef886005bc443c2da9b842d69fd3d7647f upstream.
+
+The Thumb2 version of the FP exception handling entry code treats the
+register holding the CP number (R8) differently, resulting in the iWMMXT
+CP number check to be incorrect.
+
+Fix this by unifying the ARM and Thumb2 code paths, and switch the
+order of the additions of the TI_USED_CP offset and the shifted CP
+index.
+
+Cc:
+Fixes: b86040a59feb ("Thumb-2: Implementation of the unified start-up and exceptions code")
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/kernel/entry-armv.S | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -596,11 +596,9 @@ call_fpe:
+ tstne r0, #0x04000000 @ bit 26 set on both ARM and Thumb-2
+ reteq lr
+ and r8, r0, #0x00000f00 @ mask out CP number
+- THUMB( lsr r8, r8, #8 )
+ mov r7, #1
+- add r6, r10, #TI_USED_CP
+- ARM( strb r7, [r6, r8, lsr #8] ) @ set appropriate used_cp[]
+- THUMB( strb r7, [r6, r8] ) @ set appropriate used_cp[]
++ add r6, r10, r8, lsr #8 @ add used_cp[] array offset first
++ strb r7, [r6, #TI_USED_CP] @ set appropriate used_cp[]
+ #ifdef CONFIG_IWMMXT
+ @ Test if we need to give access to iWMMXt coprocessors
+ ldr r5, [r10, #TI_FLAGS]
+@@ -609,7 +607,7 @@ call_fpe:
+ bcs iwmmxt_task_enable
+ #endif
+ ARM( add pc, pc, r8, lsr #6 )
+- THUMB( lsl r8, r8, #2 )
++ THUMB( lsr r8, r8, #6 )
+ THUMB( add pc, r8 )
+ nop
+
diff --git a/queue-5.10/ceph-fix-up-non-directory-creation-in-sgid-directories.patch b/queue-5.10/ceph-fix-up-non-directory-creation-in-sgid-directories.patch
new file mode 100644
index 00000000000..f58ae7b5afc
--- /dev/null
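Review bot: The comment `@ mask out CP number` on the `and r8, r0, #0x00000f00` line in call_fpe understates what the register now holds: after this change r8 keeps the CP number still shifted left by 8 in both ARM and Thumb-2 builds, and both the `add r6, r10, r8, lsr #8` address computation and the `lsr #6` jump-table scaling depend on that. I would extend it to `@ r8 = CP number << 8 (ARM and Thumb-2)` so a later edit does not reintroduce a mode-specific pre-shift. The iWMMXt check between the two inner hunks is only partly visible here, so confirm it expects the shifted value as well.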
+++ b/queue-5.10/ceph-fix-up-non-directory-creation-in-sgid-directories.patch
@@ -0,0 +1,69 @@
+From fd84bfdddd169c219c3a637889a8b87f70a072c2 Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Mon, 29 Nov 2021 12:16:39 +0100
+Subject: ceph: fix up non-directory creation in SGID directories
+
+From: Christian Brauner
+
+commit fd84bfdddd169c219c3a637889a8b87f70a072c2 upstream.
+
+Ceph always inherits the SGID bit if it is set on the parent inode,
+while the generic inode_init_owner does not do this in a few cases where
+it can create a possible security problem (cf. [1]).
+
+Update ceph to strip the SGID bit just as inode_init_owner would.
+
+This bug was detected by the mapped mount testsuite in [3]. The
+testsuite tests all core VFS functionality and semantics with and
+without mapped mounts. That is to say it functions as a generic VFS
+testsuite in addition to a mapped mount testsuite. While working on
+mapped mount support for ceph, SIGD inheritance was the only failing
+test for ceph after the port.
+
+The same bug was detected by the mapped mount testsuite in XFS in
+January 2021 (cf. [2]).
+
+[1]: commit 0fa3ecd87848 ("Fix up non-directory creation in SGID directories")
+[2]: commit 01ea173e103e ("xfs: fix up non-directory creation in SGID directories")
+[3]: https://git.kernel.org/fs/xfs/xfstests-dev.git
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner
+Reviewed-by: Jeff Layton
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/file.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -603,13 +603,25 @@ static int ceph_finish_async_create(stru
+ in.cap.realm = cpu_to_le64(ci->i_snap_realm->ino);
+ in.cap.flags = CEPH_CAP_FLAG_AUTH;
+ in.ctime = in.mtime = in.atime = iinfo.btime;
+- in.mode = cpu_to_le32((u32)mode);
+ in.truncate_seq = cpu_to_le32(1);
+ in.truncate_size = cpu_to_le64(-1ULL);
+ in.xattr_version = cpu_to_le64(1);
+ in.uid = cpu_to_le32(from_kuid(&init_user_ns, current_fsuid()));
+- in.gid = cpu_to_le32(from_kgid(&init_user_ns, dir->i_mode & S_ISGID ?
+- dir->i_gid : current_fsgid()));
++ if (dir->i_mode & S_ISGID) {
++ in.gid = cpu_to_le32(from_kgid(&init_user_ns, dir->i_gid));
++
++ /* Directories always inherit the setgid bit. */
++ if (S_ISDIR(mode))
++ mode |= S_ISGID;
++ else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
++ !in_group_p(dir->i_gid) &&
++ !capable_wrt_inode_uidgid(dir, CAP_FSETID))
++ mode &= ~S_ISGID;
++ } else {
++ in.gid = cpu_to_le32(from_kgid(&init_user_ns, current_fsgid()));
++ }
++ in.mode = cpu_to_le32((u32)mode);
++
+ in.nlink = cpu_to_le32(1);
+ in.max_size = cpu_to_le64(lo->stripe_unit);
+
diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
new file mode 100644
index 00000000000..d9c06150bcd
--- /dev/null
+++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
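Review bot: The setgid-stripping branch added to ceph_finish_async_create() is a hand copy of the inode_init_owner() rule, and nothing in the new code records that dependency; if the generic helper's policy changes, this path would keep handing S_ISGID to a creator who is neither in `dir->i_gid` nor holds CAP_FSETID. A comment above the `else if`, such as `/* Keep in sync with inode_init_owner(): strip setgid from group-executable non-directories created by non-members. */`, would make the coupling visible. Within this hunk the adjusted `mode` is only stored into `in.mode`; whether the mode already placed in the create request to the MDS gets the same treatment is outside the hunk and worth confirming, since a mismatch would leave the server-side inode with the bit the client just stripped.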
@@ -0,0 +1,84 @@
+From 5598b24efaf4892741c798b425d543e4bed357a1 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Sun, 12 Dec 2021 17:16:30 +0800
+Subject: f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr()
+
+From: Chao Yu
+
+commit 5598b24efaf4892741c798b425d543e4bed357a1 upstream.
+
+As Wenqing Liu reported in bugzilla:
+
+https://bugzilla.kernel.org/show_bug.cgi?id=215235
+
+- Overview
+page fault in f2fs_setxattr() when mount and operate on corrupted image
+
+- Reproduce
+tested on kernel 5.16-rc3, 5.15.X under root
+
+1. unzip tmp7.zip
+2. ./single.sh f2fs 7
+
+Sometimes need to run the script several times
+
+- Kernel dump
+loop0: detected capacity change from 0 to 131072
+F2FS-fs (loop0): Found nat_bits in checkpoint
+F2FS-fs (loop0): Mounted with checkpoint version = 7548c2ee
+BUG: unable to handle page fault for address: ffffe47bc7123f48
+RIP: 0010:kfree+0x66/0x320
+Call Trace:
+ __f2fs_setxattr+0x2aa/0xc00 [f2fs]
+ f2fs_setxattr+0xfa/0x480 [f2fs]
+ __f2fs_set_acl+0x19b/0x330 [f2fs]
+ __vfs_removexattr+0x52/0x70
+ __vfs_removexattr_locked+0xb1/0x140
+ vfs_removexattr+0x56/0x100
+ removexattr+0x57/0x80
+ path_removexattr+0xa3/0xc0
+ __x64_sys_removexattr+0x17/0x20
+ do_syscall_64+0x37/0xb0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The root cause is in __f2fs_setxattr(), we missed to do sanity check on
+last xattr entry, result in out-of-bound memory access during updating
+inconsistent xattr data of target inode.
+
+After the fix, it can detect such xattr inconsistency as below:
+
+F2FS-fs (loop11): inode (7) has invalid last xattr entry, entry_size: 60676
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has corrupted xattr
+F2FS-fs (loop11): inode (8) has invalid last xattr entry, entry_size: 47736
+
+Cc: stable@vger.kernel.org
+Reported-by: Wenqing Liu
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/f2fs/xattr.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -680,8 +680,17 @@ static int __f2fs_setxattr(struct inode
+ }
+
+ last = here;
+- while (!IS_XATTR_LAST_ENTRY(last))
++ while (!IS_XATTR_LAST_ENTRY(last)) {
++ if ((void *)(last) + sizeof(__u32) > last_base_addr ||
++ (void *)XATTR_NEXT_ENTRY(last) > last_base_addr) {
++ f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry, entry_size: %zu",
++ inode->i_ino, ENTRY_SIZE(last));
++ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
++ error = -EFSCORRUPTED;
++ goto exit;
++ }
+ last = XATTR_NEXT_ENTRY(last);
++ }
+
+ newsize = XATTR_ALIGN(sizeof(struct f2fs_xattr_entry) + len + size);
+
diff --git a/queue-5.10/gpio-dln2-fix-interrupts-when-replugging-the-device.patch b/queue-5.10/gpio-dln2-fix-interrupts-when-replugging-the-device.patch
new file mode 100644
index 00000000000..a8347629b10
--- /dev/null
+++ b/queue-5.10/gpio-dln2-fix-interrupts-when-replugging-the-device.patch
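Review bot: The error path of the new bounds check in __f2fs_setxattr() can itself read past `last_base_addr`: when the first condition fires (the 4-byte header at `last` overruns the limit), the `f2fs_err()` call still evaluates `ENTRY_SIZE(last)`, which, as that macro is defined in the f2fs xattr header (not shown here), reads the entry's name-length and value-size fields. On a corrupted image that is exactly the entry the check has just declared untrustworthy, so the logged entry_size is at best garbage. Dropping the size from the message avoids the dereference, e.g. `f2fs_err(F2FS_I_SB(inode), "inode (%lu) has invalid last xattr entry", inode->i_ino);`, or print entry_size only when the header itself is in bounds. The loop condition `IS_XATTR_LAST_ENTRY(last)` also reads through `last` before the check runs, which is safe only if the buffer carries padding beyond `last_base_addr`; that allocation is outside this hunk.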
@@ -0,0 +1,76 @@
+From 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?=
+Date: Mon, 18 Oct 2021 13:22:01 +0200
+Subject: gpio: dln2: Fix interrupts when replugging the device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Noralf Trønnes
+
+commit 9a5875f14b0e3a13ae314883f1bb72b7f31fac07 upstream.
+
+When replugging the device the following message shows up:
+
+gpio gpiochip2: (dln2): detected irqchip that is shared with multiple gpiochips: please fix the driver.
+
+This also has the effect that interrupts won't work.
+The same problem would also show up if multiple devices where plugged in.
+
+Fix this by allocating the irq_chip data structure per instance like other
+drivers do.
+
+I don't know when this problem appeared, but it is present in 5.10.
+
+Cc: # 5.10+
+Cc: Daniel Baluta
+Signed-off-by: Noralf Trønnes
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-dln2.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpio/gpio-dln2.c
++++ b/drivers/gpio/gpio-dln2.c
+@@ -46,6 +46,7 @@
+ struct dln2_gpio {
+ struct platform_device *pdev;
+ struct gpio_chip gpio;
++ struct irq_chip irqchip;
+
+ /*
+ * Cache pin direction to save us one transfer, since the hardware has
+@@ -383,15 +384,6 @@ static void dln2_irq_bus_unlock(struct i
+ mutex_unlock(&dln2->irq_lock);
+ }
+
+-static struct irq_chip dln2_gpio_irqchip = {
+- .name = "dln2-irq",
+- .irq_mask = dln2_irq_mask,
+- .irq_unmask = dln2_irq_unmask,
+- .irq_set_type = dln2_irq_set_type,
+- .irq_bus_lock = dln2_irq_bus_lock,
+- .irq_bus_sync_unlock = dln2_irq_bus_unlock,
+-};
+-
+ static void dln2_gpio_event(struct platform_device *pdev, u16 echo,
+ const void *data, int len)
+ {
+@@ -477,8 +469,15 @@ static int dln2_gpio_probe(struct platfo
+ dln2->gpio.direction_output = dln2_gpio_direction_output;
+ dln2->gpio.set_config = dln2_gpio_set_config;
+
++ dln2->irqchip.name = "dln2-irq",
++ dln2->irqchip.irq_mask = dln2_irq_mask,
++ dln2->irqchip.irq_unmask = dln2_irq_unmask,
++ dln2->irqchip.irq_set_type = dln2_irq_set_type,
++ dln2->irqchip.irq_bus_lock = dln2_irq_bus_lock,
++ dln2->irqchip.irq_bus_sync_unlock = dln2_irq_bus_unlock,
++
+ girq = &dln2->gpio.irq;
+- girq->chip = &dln2_gpio_irqchip;
++ girq->chip = &dln2->irqchip;
+ /* The event comes from the outside so no parent handler */
+ girq->parent_handler = NULL;
+ girq->num_parents = 0;
diff --git a/queue-5.10/mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch b/queue-5.10/mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch
new file mode 100644
index 00000000000..fd17fc3850a
--- /dev/null
+++ b/queue-5.10/mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch
@@ -0,0 +1,36 @@
+From 87a270625a89fc841f1a7e21aae6176543d8385c Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 20 Dec 2021 10:22:40 +0100
+Subject: mac80211: fix locking in ieee80211_start_ap error path
+
+From: Johannes Berg
+
+commit 87a270625a89fc841f1a7e21aae6176543d8385c upstream.
+
+We need to hold the local->mtx to release the channel context,
+as even encoded by the lockdep_assert_held() there. Fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 295b02c4be74 ("mac80211: Add FILS discovery support")
+Reported-and-tested-by: syzbot+11c342e5e30e9539cabd@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211220090836.cee3d59a1915.I36bba9b79dc2ff4d57c3c7aa30dff9a003fe8c5c@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/cfg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1217,7 +1217,10 @@ static int ieee80211_start_ap(struct wip
+ return 0;
+
+ error:
++ mutex_lock(&local->mtx);
+ ieee80211_vif_release_channel(sdata);
++ mutex_unlock(&local->mtx);
++
+ return err;
+ }
+
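Review bot: The six new `dln2->irqchip.*` assignments in dln2_gpio_probe() end in commas rather than semicolons, a leftover from the struct initializer they were moved out of. It compiles only because the comma operator chains them, together with the following `girq = &dln2->gpio.irq;`, into a single expression statement, so inserting a declaration or an `if` between them later would fail in a confusing way. Terminate each one with a semicolon, e.g. `dln2->irqchip.name = "dln2-irq";`. dln2_gpio_probe() starts and ends outside the hunk.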
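Review bot: The `error:` label in ieee80211_start_ap() now takes `local->mtx` unconditionally, so every `goto error` has to be reached with that mutex released; the jump sites are outside this hunk and cannot be checked from here. Kernel mutexes are not recursive, so a single path that jumps while still holding the lock would self-deadlock instead of tripping the lockdep assertion the commit message mentions. A one-line comment at the label, `/* reached without local->mtx held */`, would record that contract for future error paths.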
diff --git a/queue-5.10/mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch b/queue-5.10/mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch
new file mode 100644
index 00000000000..d011cf75a7b
--- /dev/null
+++ b/queue-5.10/mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch
@@ -0,0 +1,63 @@
+From 2a57d83c78f889bf3f54eede908d0643c40d5418 Mon Sep 17 00:00:00 2001
+From: Liu Shixin
+Date: Fri, 24 Dec 2021 21:12:58 -0800
+Subject: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
+
+From: Liu Shixin
+
+commit 2a57d83c78f889bf3f54eede908d0643c40d5418 upstream.
+
+Hulk Robot reported a panic in put_page_testzero() when testing
+madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying
+get_any_page(). This is because we keep MF_COUNT_INCREASED flag in
+second try but the refcnt is not increased.
+
+ page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
+ ------------[ cut here ]------------
+ kernel BUG at include/linux/mm.h:737!
+ invalid opcode: 0000 [#1] PREEMPT SMP
+ CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ RIP: release_pages+0x53f/0x840
+ Call Trace:
+ free_pages_and_swap_cache+0x64/0x80
+ tlb_flush_mmu+0x6f/0x220
+ unmap_page_range+0xe6c/0x12c0
+ unmap_single_vma+0x90/0x170
+ unmap_vmas+0xc4/0x180
+ exit_mmap+0xde/0x3a0
+ mmput+0xa3/0x250
+ do_exit+0x564/0x1470
+ do_group_exit+0x3b/0x100
+ __do_sys_exit_group+0x13/0x20
+ __x64_sys_exit_group+0x16/0x20
+ do_syscall_64+0x34/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ Modules linked in:
+ ---[ end trace e99579b570fe0649 ]---
+ RIP: 0010:release_pages+0x53f/0x840
+
+Link: https://lkml.kernel.org/r/20211221074908.3910286-1-liushixin2@huawei.com
+Fixes: b94e02822deb ("mm,hwpoison: try to narrow window race for free pages")
+Signed-off-by: Liu Shixin
+Reported-by: Hulk Robot
+Reviewed-by: Oscar Salvador
+Acked-by: Naoya Horiguchi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory-failure.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1938,6 +1938,7 @@ retry:
+ else if (ret == 0)
+ if (soft_offline_free_page(page) && try_again) {
+ try_again = false;
++ flags &= ~MF_COUNT_INCREASED;
+ goto retry;
+ }
+
diff --git a/queue-5.10/mmc-core-disable-card-detect-during-shutdown.patch b/queue-5.10/mmc-core-disable-card-detect-during-shutdown.patch
new file mode 100644
index 00000000000..6caaf4a1786
--- /dev/null
+++ b/queue-5.10/mmc-core-disable-card-detect-during-shutdown.patch
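Review bot: The added `flags &= ~MF_COUNT_INCREASED;` carries no comment, and its reason cannot be recovered from the line itself: per the commit message, the retry would otherwise treat the page as already referenced although no reference is held any more. I would add `/* no reference is held at this point; the retry must take its own */` above it. The enclosing `else if (ret == 0)` with its nested `if (...) {` is unbraced, which makes it easy to attach a later `else` to the wrong `if`; bracing the outer branch would be a cheap follow-up. The retry block begins outside the hunk.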
@@ -0,0 +1,83 @@
+From 66c915d09b942fb3b2b0cb2f56562180901fba17 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson
+Date: Fri, 3 Dec 2021 15:15:54 +0100
+Subject: mmc: core: Disable card detect during shutdown
+
+From: Ulf Hansson
+
+commit 66c915d09b942fb3b2b0cb2f56562180901fba17 upstream.
+
+It's seems prone to problems by allowing card detect and its corresponding
+mmc_rescan() work to run, during platform shutdown. For example, we may end
+up turning off the power while initializing a card, which potentially could
+damage it.
+
+To avoid this scenario, let's add ->shutdown_pre() callback for the mmc host
+class device and then turn of the card detect from there.
+
+Reported-by: Al Cooper
+Suggested-by: Adrian Hunter
+Signed-off-by: Ulf Hansson
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211203141555.105351-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/core.c | 7 ++++++-
+ drivers/mmc/core/core.h | 1 +
+ drivers/mmc/core/host.c | 9 +++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2327,7 +2327,7 @@ void mmc_start_host(struct mmc_host *hos
+ _mmc_detect_change(host, 0, false);
+ }
+
+-void mmc_stop_host(struct mmc_host *host)
++void __mmc_stop_host(struct mmc_host *host)
+ {
+ if (host->slot.cd_irq >= 0) {
+ mmc_gpio_set_cd_wake(host, false);
+@@ -2336,6 +2336,11 @@ void mmc_stop_host(struct mmc_host *host
+
+ host->rescan_disable = 1;
+ cancel_delayed_work_sync(&host->detect);
++}
++
++void mmc_stop_host(struct mmc_host *host)
++{
++ __mmc_stop_host(host);
+
+ /* clear pm flags now and let card drivers set them as needed */
+ host->pm_flags = 0;
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -69,6 +69,7 @@ static inline void mmc_delay(unsigned in
+
+ void mmc_rescan(struct work_struct *work);
+ void mmc_start_host(struct mmc_host *host);
++void __mmc_stop_host(struct mmc_host *host);
+ void mmc_stop_host(struct mmc_host *host);
+
+ void _mmc_detect_change(struct mmc_host *host, unsigned long delay,
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -79,9 +79,18 @@ static void mmc_host_classdev_release(st
+ kfree(host);
+ }
+
++static int mmc_host_classdev_shutdown(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ __mmc_stop_host(host);
++ return 0;
++}
++
+ static struct class mmc_host_class = {
+ .name = "mmc_host",
+ .dev_release = mmc_host_classdev_release,
+ .shutdown_pre = mmc_host_classdev_shutdown,
+ .pm = MMC_HOST_CLASS_DEV_PM_OPS,
+ };
+
diff --git a/queue-5.10/mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch b/queue-5.10/mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch
new file mode 100644
index 00000000000..c0c20e657df
--- /dev/null
+++ b/queue-5.10/mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch
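Review bot: `__mmc_stop_host()` is declared in core.h with no comment saying how it differs from `mmc_stop_host()`, and the new shutdown callback depends on exactly that difference. From the hunk, the helper turns off the card-detect wake source, sets `rescan_disable` and cancels the detect work, while `mmc_stop_host()` goes on to clear `pm_flags` and whatever follows outside the hunk. A short comment on the declaration, such as `/* Stops card detection only; mmc_stop_host() does the full teardown. */`, would keep callers from picking the wrong one. `mmc_host_classdev_shutdown()` also leaves `rescan_disable` set for good, so it assumes nothing re-enables detection after `shutdown_pre`; that is presumably true during shutdown but worth stating there.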
@@ -0,0 +1,82 @@
+From f89b548ca66be7500dcd92ee8e61590f7d08ac91 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl
+Date: Sun, 19 Dec 2021 16:34:41 +0100
+Subject: mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands
+
+From: Martin Blumenstingl
+
+commit f89b548ca66be7500dcd92ee8e61590f7d08ac91 upstream.
+
+The vendor driver implements special handling for multi-block
+SD_IO_RW_EXTENDED (and SD_IO_RW_DIRECT) commands which have data
+attached to them. It sets the MANUAL_STOP bit in the MESON_SDHC_MISC
+register for these commands. In all other cases this bit is cleared.
+Here we omit SD_IO_RW_DIRECT since that command never has any data
+attached to it.
+
+This fixes SDIO wifi using the brcmfmac driver which reported the
+following error without this change on a Netxeon S82 board using a
+Meson8 (S802) SoC:
+ brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip
+ BCM43362/1
+ brcmf_sdiod_ramrw: membytes transfer failed
+ brcmf_sdio_download_code_file: error -110 on writing 219557 membytes
+ at 0x00000000
+ brcmf_sdio_download_firmware: dongle image file download failed
+
+And with this change:
+ brcmf_fw_alloc_request: using brcm/brcmfmac43362-sdio for chip
+ BCM43362/1
+ brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may
+ have limited channels available
+ brcmf_c_preinit_dcmds: Firmware: BCM43362/1 wl0: Apr 22 2013 14:50:00
+ version 5.90.195.89.6 FWID 01-b30a427d
+
+Fixes: e4bf1b0970ef96 ("mmc: host: meson-mx-sdhc: new driver for the Amlogic Meson SDHC host")
+Signed-off-by: Martin Blumenstingl
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211219153442.463863-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/meson-mx-sdhc-mmc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/meson-mx-sdhc-mmc.c
++++ b/drivers/mmc/host/meson-mx-sdhc-mmc.c
+@@ -135,6 +135,7 @@ static void meson_mx_sdhc_start_cmd(stru
+ struct mmc_command *cmd)
+ {
+ struct meson_mx_sdhc_host *host = mmc_priv(mmc);
++ bool manual_stop = false;
+ u32 ictl, send;
+ int pack_len;
+
+@@ -172,12 +173,27 @@ static void meson_mx_sdhc_start_cmd(stru
+ else
+ /* software flush: */
+ ictl |= MESON_SDHC_ICTL_DATA_XFER_OK;
++
++ /*
++ * Mimic the logic from the vendor driver where (only)
++ * SD_IO_RW_EXTENDED commands with more than one block set the
++ * MESON_SDHC_MISC_MANUAL_STOP bit. This fixes the firmware
++ * download in the brcmfmac driver for a BCM43362/1 card.
++ * Without this sdio_memcpy_toio() (with a size of 219557
++ * bytes) times out if MESON_SDHC_MISC_MANUAL_STOP is not set.
++ */
++ manual_stop = cmd->data->blocks > 1 &&
++ cmd->opcode == SD_IO_RW_EXTENDED;
+ } else {
+ pack_len = 0;
+
+ ictl |= MESON_SDHC_ICTL_RESP_OK;
+ }
+
++ regmap_update_bits(host->regmap, MESON_SDHC_MISC,
++ MESON_SDHC_MISC_MANUAL_STOP,
++ manual_stop ? MESON_SDHC_MISC_MANUAL_STOP : 0);
++
+ if (cmd->opcode == MMC_STOP_TRANSMISSION)
+ send |= MESON_SDHC_SEND_DATA_STOP;
+
diff --git a/queue-5.10/mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch b/queue-5.10/mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch
new file mode 100644
index 00000000000..aab0cd5481d
--- /dev/null
+++ b/queue-5.10/mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch
@@ -0,0 +1,41 @@
+From ff31ee0a0f471776f67be5e5275c18d17736fc6b Mon Sep 17 00:00:00 2001
+From: Yann Gautier
+Date: Wed, 15 Dec 2021 15:17:26 +0100
+Subject: mmc: mmci: stm32: clear DLYB_CR after sending tuning command
+
+From: Yann Gautier
+
+commit ff31ee0a0f471776f67be5e5275c18d17736fc6b upstream.
+
+During test campaign, and especially after several unbind/bind sequences,
+it has been seen that the SD-card on SDMMC1 thread could freeze.
+The freeze always appear on a CMD23 following a CMD19.
+Checking SDMMC internal registers shows that the tuning command (CMD19)
+has failed.
+The freeze is then due to the delay block involved in the tuning sequence.
+To correct this, clear the delay block register DLYB_CR register after
+the tuning commands.
+
+Signed-off-by: Christophe Kerello
+Signed-off-by: Yann Gautier
+Reviewed-by: Linus Walleij
+Fixes: 1103f807a3b9 ("mmc: mmci_sdmmc: Add execute tuning with delay block")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211215141727.4901-4-yann.gautier@foss.st.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -441,6 +441,8 @@ static int sdmmc_dlyb_phase_tuning(struc
+ return -EINVAL;
+ }
+
++ writel_relaxed(0, dlyb->base + DLYB_CR);
++
+ phase = end_of_len - max_len / 2;
+ sdmmc_dlyb_set_cfgr(dlyb, dlyb->unit, phase, false);
+
diff --git a/queue-5.10/mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch b/queue-5.10/mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch
new file mode 100644
index 00000000000..cf42b3f8cf6
--- /dev/null
+++ b/queue-5.10/mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch
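Review bot: The new `writel_relaxed(0, dlyb->base + DLYB_CR);` in sdmmc_dlyb_phase_tuning() sits after the `return -EINVAL;` visible just above it, so the register is cleared only when tuning found a usable window. The commit message attributes the freeze to the delay block being left active after a failed tuning command; if the early-return path can be taken with DLYB_CR still set, the same state survives there. Consider clearing it before that return as well, or add a comment saying why the failure path does not need it. The condition guarding the return is outside the hunk.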
@@ -0,0 +1,85 @@
+From 4fc7261dbab139d3c64c3b618262504e16cfe7ee Mon Sep 17 00:00:00 2001
+From: Prathamesh Shete
+Date: Tue, 14 Dec 2021 17:06:53 +0530
+Subject: mmc: sdhci-tegra: Fix switch to HS400ES mode
+
+From: Prathamesh Shete
+
+commit 4fc7261dbab139d3c64c3b618262504e16cfe7ee upstream.
+
+When CMD13 is sent after switching to HS400ES mode, the bus
+is operating at either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR.
+To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI
+interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host
+controller CAR clock and the interface clock are rate matched.
+
+Signed-off-by: Prathamesh Shete
+Acked-by: Adrian Hunter
+Fixes: dfc9700cef77 ("mmc: tegra: Implement HS400 enhanced strobe")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211214113653.4631-1-pshete@nvidia.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-tegra.c | 43 ++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-tegra.c
++++ b/drivers/mmc/host/sdhci-tegra.c
+@@ -354,23 +354,6 @@ static void tegra_sdhci_set_tap(struct s
+ }
+ }
+
+-static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc,
+- struct mmc_ios *ios)
+-{
+- struct sdhci_host *host = mmc_priv(mmc);
+- u32 val;
+-
+- val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
+-
+- if (ios->enhanced_strobe)
+- val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
+- else
+- val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
+-
+- sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
+-
+-}
+-
+ static void tegra_sdhci_reset(struct sdhci_host *host, u8 mask)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+@@ -791,6 +774,32 @@ static void tegra_sdhci_set_clock(struct
+ }
+ }
+
++static void tegra_sdhci_hs400_enhanced_strobe(struct mmc_host *mmc,
++ struct mmc_ios *ios)
++{
++ struct sdhci_host *host = mmc_priv(mmc);
++ u32 val;
++
++ val = sdhci_readl(host, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
++
++ if (ios->enhanced_strobe) {
++ val |= SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
++ /*
++ * When CMD13 is sent from mmc_select_hs400es() after
++ * switching to HS400ES mode, the bus is operating at
++ * either MMC_HIGH_26_MAX_DTR or MMC_HIGH_52_MAX_DTR.
++ * To meet Tegra SDHCI requirement at HS400ES mode, force SDHCI
++ * interface clock to MMC_HS200_MAX_DTR (200 MHz) so that host
++ * controller CAR clock and the interface clock are rate matched.
++ */
++ tegra_sdhci_set_clock(host, MMC_HS200_MAX_DTR);
++ } else {
++ val &= ~SDHCI_TEGRA_SYS_SW_CTRL_ENHANCED_STROBE;
++ }
++
++ sdhci_writel(host, val, SDHCI_TEGRA_VENDOR_SYS_SW_CTRL);
++}
++
+ static unsigned int tegra_sdhci_get_max_clock(struct sdhci_host *host)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
diff --git a/queue-5.10/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch b/queue-5.10/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
new file mode 100644
index 00000000000..6562dc7532c
--- /dev/null
+++ b/queue-5.10/pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
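Review bot: In the relocated tegra_sdhci_hs400_enhanced_strobe(), `val` is read from SDHCI_TEGRA_VENDOR_SYS_SW_CTRL before `tegra_sdhci_set_clock()` runs and written back after it, so the read-modify-write now straddles a call that reprograms the controller. If that call (only its tail is visible in this hunk) ever touches the same register, the final `sdhci_writel()` would silently undo the change. Moving `tegra_sdhci_set_clock(host, MMC_HS200_MAX_DTR);` ahead of the `sdhci_readl()`, or after the `sdhci_writel()`, keeps the register update self-contained; which order the hardware needs is not stated in the comment and should be.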
@@ -0,0 +1,43 @@
+From b67210cc217f9ca1c576909454d846970c13dfd4 Mon Sep 17 00:00:00 2001
+From: Fabien Dessenne
+Date: Wed, 15 Dec 2021 10:58:08 +0100
+Subject: pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines
+
+From: Fabien Dessenne
+
+commit b67210cc217f9ca1c576909454d846970c13dfd4 upstream.
+
+Consider the GPIO controller offset (from "gpio-ranges") to compute the
+maximum GPIO line number.
+This fixes an issue where gpio-ranges uses a non-null offset.
+ e.g.: gpio-ranges = <&pinctrl 6 86 10>
+ In that case the last valid GPIO line is not 9 but 15 (6 + 10 - 1)
+
+Cc: stable@vger.kernel.org
+Fixes: 67e2996f72c7 ("pinctrl: stm32: fix the reported number of GPIO lines per bank")
+Reported-by: Christoph Fritz
+Signed-off-by: Fabien Dessenne
+Link: https://lore.kernel.org/r/20211215095808.621716-1-fabien.dessenne@foss.st.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/stm32/pinctrl-stm32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -1255,10 +1255,10 @@ static int stm32_gpiolib_register_bank(s
+ bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
+ bank->gpio_chip.base = args.args[1];
+
+- npins = args.args[2];
+- while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
+- ++i, &args))
+- npins += args.args[2];
++ /* get the last defined gpio line (offset + nb of pins) */
++ npins = args.args[0] + args.args[2];
++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, ++i, &args))
++ npins = max(npins, (int)(args.args[0] + args.args[2]));
+ } else {
+ bank_nr = pctl->nbanks;
+ bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
diff --git a/queue-5.10/series b/queue-5.10/series
index 460335f4456..0f36075d9f4 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
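Review bot: `npins` in stm32_gpiolib_register_bank() is now computed as `args.args[0] + args.args[2]` straight from the device-tree "gpio-ranges" cells, with a cast to `int` inside `max()` and no upper bound. A range whose offset plus count exceeds the bank size would report more lines than the bank has, and the sum is narrowed to `int` without a range check. A guard after the loop such as `if (npins > STM32_GPIO_PINS_PER_BANK) return -EINVAL;` (with whatever cleanup the function needs at that point) would reject a malformed description early. How `npins` is consumed, presumably as the chip's line count, is outside the hunk.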
@@ -47,3 +47,16 @@ tee-handle-lookup-of-shm-with-reference-count-0.patch
 x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
 platform-x86-intel_pmc_core-fix-memleak-on-registration-failure.patch
 kvm-vmx-wake-vcpu-when-delivering-posted-irq-even-if-vcpu-this-vcpu.patch
+pinctrl-stm32-consider-the-gpio-offset-to-expose-all-the-gpio-lines.patch
+gpio-dln2-fix-interrupts-when-replugging-the-device.patch
+mmc-sdhci-tegra-fix-switch-to-hs400es-mode.patch
+mmc-meson-mx-sdhc-set-manual_stop-for-multi-block-sdio-commands.patch
+mmc-core-disable-card-detect-during-shutdown.patch
+mmc-mmci-stm32-clear-dlyb_cr-after-sending-tuning-command.patch
+arm-9169-1-entry-fix-thumb2-bug-in-iwmmxt-exception-handling.patch
+mac80211-fix-locking-in-ieee80211_start_ap-error-path.patch
+mm-hwpoison-clear-mf_count_increased-before-retrying-get_any_page.patch
+tee-optee-fix-incorrect-page-free-bug.patch
+f2fs-fix-to-do-sanity-check-on-last-xattr-entry-in-__f2fs_setxattr.patch
+ceph-fix-up-non-directory-creation-in-sgid-directories.patch
+usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
diff --git a/queue-5.10/tee-optee-fix-incorrect-page-free-bug.patch b/queue-5.10/tee-optee-fix-incorrect-page-free-bug.patch
new file mode 100644
index 00000000000..d3d77cbc1ce
--- /dev/null
+++ b/queue-5.10/tee-optee-fix-incorrect-page-free-bug.patch
@@ -0,0 +1,40 @@
+From 18549bf4b21c739a9def39f27dcac53e27286ab5 Mon Sep 17 00:00:00 2001
+From: Sumit Garg
+Date: Thu, 16 Dec 2021 11:17:25 +0530
+Subject: tee: optee: Fix incorrect page free bug
+
+From: Sumit Garg
+
+commit 18549bf4b21c739a9def39f27dcac53e27286ab5 upstream.
+
+Pointer to the allocated pages (struct page *page) has already
+progressed towards the end of allocation. It is incorrect to perform
+__free_pages(page, order) using this pointer as we would free any
+arbitrary pages. Fix this by stop modifying the page pointer.
+
+Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
+Cc: stable@vger.kernel.org
+Reported-by: Patrik Lantz
+Signed-off-by: Sumit Garg
+Reviewed-by: Tyler Hicks
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/optee/shm_pool.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tee/optee/shm_pool.c
++++ b/drivers/tee/optee/shm_pool.c
+@@ -41,10 +41,8 @@ static int pool_op_alloc(struct tee_shm_
+ goto err;
+ }
+
+- for (i = 0; i < nr_pages; i++) {
+- pages[i] = page;
+- page++;
+- }
++ for (i = 0; i < nr_pages; i++)
++ pages[i] = page + i;
+
+ shm->flags |= TEE_SHM_REGISTER;
+ rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,
diff --git a/queue-5.10/usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch b/queue-5.10/usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
new file mode 100644
index 00000000000..3f40a092a7f
--- /dev/null
+++ b/queue-5.10/usb-gadget-u_ether-fix-race-in-setting-mac-address-in-setup-phase.patch
@@ -0,0 +1,88 @@
+From 890d5b40908bfd1a79be018d2d297cf9df60f4ee Mon Sep 17 00:00:00 2001
+From: Marian Postevca
+Date: Sat, 4 Dec 2021 23:49:12 +0200
+Subject: usb: gadget: u_ether: fix race in setting MAC address in setup phase
+
+From: Marian Postevca
+
+commit 890d5b40908bfd1a79be018d2d297cf9df60f4ee upstream.
+
+When listening for notifications through netlink of a new interface being
+registered, sporadically, it is possible for the MAC to be read as zero.
+The zero MAC address lasts a short period of time and then switches to a
+valid random MAC address.
+
+This causes problems for netd in Android, which assumes that the interface
+is malfunctioning and will not use it.
+
+In the good case we get this log:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 92:a8:f0:73:79:5b ipv4Addr 0.0.0.0 flags 0x1002
+
+In the error case we get these logs:
+InterfaceController::getCfg() ifName usb0
+ hwAddr 00:00:00:00:00:00 ipv4Addr 0.0.0.0 flags 0x1002
+
+netd : interfaceGetCfg("usb0")
+netd : interfaceSetCfg() -> ServiceSpecificException
+ (99, "[Cannot assign requested address] : ioctl() failed")
+
+The reason for the issue is the order in which the interface is setup,
+it is first registered through register_netdev() and after the MAC
+address is set.
+
+Fixed by first setting the MAC address of the net_device and after that
+calling register_netdev().
+
+Fixes: bcd4a1c40bee885e ("usb: gadget: u_ether: construct with default values and add setters/getters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marian Postevca
+Link: https://lore.kernel.org/r/20211204214912.17627-1-posteuca@mutex.one
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/u_ether.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -860,19 +860,23 @@ int gether_register_netdev(struct net_de
+ {
+ struct eth_dev *dev;
+ struct usb_gadget *g;
+- struct sockaddr sa;
+ int status;
+
+ if (!net->dev.parent)
+ return -EINVAL;
+ dev = netdev_priv(net);
+ g = dev->gadget;
++
++ memcpy(net->dev_addr, dev->dev_mac, ETH_ALEN);
++ net->addr_assign_type = NET_ADDR_RANDOM;
++
+ status = register_netdev(net);
+ if (status < 0) {
+ dev_dbg(&g->dev, "register_netdev failed, %d\n", status);
+ return status;
+ } else {
+ INFO(dev, "HOST MAC %pM\n", dev->host_mac);
++ INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ /* two kinds of host-initiated state changes:
+ * - iff DATA transfer is active, carrier is "on"
+@@ -880,15 +884,6 @@ int gether_register_netdev(struct net_de
+ */
+ netif_carrier_off(net);
+ }
+- sa.sa_family = net->type;
+- memcpy(sa.sa_data, dev->dev_mac, ETH_ALEN);
+- rtnl_lock();
+- status = dev_set_mac_address(net, &sa, NULL);
+- rtnl_unlock();
+- if (status)
+- pr_warn("cannot set self ethernet address: %d\n", status);
+- else
+- INFO(dev, "MAC %pM\n", dev->dev_mac);
+
+ return status;
+ }
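Review bot: `net->addr_assign_type = NET_ADDR_RANDOM;` is set unconditionally in gether_register_netdev(), but `dev->dev_mac` is filled in outside this hunk and may not always be random; if it can come from user configuration, the interface will now be reported as randomly addressed, whereas the removed `dev_set_mac_address()` call went through the normal set-address path. The direct `memcpy()` into `net->dev_addr` also skips the validity checking that path presumably performs, so a multicast or all-zero `dev_mac` would be installed as is. Consider `if (!is_valid_ether_addr(dev->dev_mac)) return -EADDRNOTAVAIL;` before the copy, and choose the assign type from how the address was obtained.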