From: Greg Kroah-Hartman Date: Sun, 28 May 2023 16:46:29 +0000 (+0100) Subject: 6.3-stable patches X-Git-Tag: review~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c68196290aff25f5052ab0dbd2f9046cc606b55;p=thirdparty%2Fkernel%2Fstable-queue.git 6.3-stable patches added patches: arm-dts-imx6qdl-mba6-add-missing-pvcie-supply-regulator.patch bpf-fix-a-memory-leak-in-the-lru-and-lru_percpu-hash-maps.patch bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch cifs-mapchars-mount-option-ignored.patch coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch drm-fix-drmm_mutex_init.patch firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch lan966x-fix-unloading-loading-of-the-driver.patch net-fix-skb-leak-in-__skb_tstamp_tx.patch octeontx2-pf-fix-tsov6-offload.patch optee-fix-uninited-async-notif-value.patch platform-x86-isst-remove-8-socket-limit.patch power-supply-bq24190-call-power_supply_changed-after-updating-input-current.patch power-supply-bq25890-call-power_supply_changed-after-updating-input-current-or-voltage.patch power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch power-supply-bq27xxx-after-charger-plug-in-out-wait-0.5s-for-things-to-stabilize.patch power-supply-bq27xxx-ensure-power_supply_changed-is-called-on-current-sign-changes.patch power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch power-supply-bq27xxx-move-bq27xxx_battery_update-down.patch power-supply-leds-fix-blink-to-led-on-transition.patch power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch 
power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch regulator-pca9450-fix-buck2-enable_mask.patch selftests-fib_tests-mute-cleanup-error-message.patch x86-pci-xen-populate-msi-sysfs-entries.patch xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch --- diff --git a/queue-6.3/arm-dts-imx6qdl-mba6-add-missing-pvcie-supply-regulator.patch b/queue-6.3/arm-dts-imx6qdl-mba6-add-missing-pvcie-supply-regulator.patch new file mode 100644 index 00000000000..1405af54300 --- /dev/null +++ b/queue-6.3/arm-dts-imx6qdl-mba6-add-missing-pvcie-supply-regulator.patch @@ -0,0 +1,36 @@ +From 91aa4b3782448a7a13baa8cbcdfd5fd19defcbd9 Mon Sep 17 00:00:00 2001 +From: Alexander Stein +Date: Wed, 3 May 2023 13:31:10 +0200 +Subject: ARM: dts: imx6qdl-mba6: Add missing pvcie-supply regulator + +From: Alexander Stein + +commit 91aa4b3782448a7a13baa8cbcdfd5fd19defcbd9 upstream. + +This worked before by coincidence, as the regulator was probed and enabled +before PCI RC probe. But probe order changed since commit 259b93b21a9f +("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in +4.14") and PCIe supply is enabled after RC. +Fix this by adding the regulator to RC node. + +The PCIe vaux regulator still needs to be enabled unconditionally for +Mini-PCIe USB-only devices. + +Fixes: ef3846247b41 ("ARM: dts: imx6qdl: add TQ-Systems MBa6x device trees") +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6qdl-mba6.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/imx6qdl-mba6.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-mba6.dtsi +@@ -209,6 +209,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_pcie>; + reset-gpio = <&gpio6 7 GPIO_ACTIVE_LOW>; ++ vpcie-supply = <®_pcie>; + status = "okay"; + }; + 
diff --git a/queue-6.3/bpf-fix-a-memory-leak-in-the-lru-and-lru_percpu-hash-maps.patch b/queue-6.3/bpf-fix-a-memory-leak-in-the-lru-and-lru_percpu-hash-maps.patch
new file mode 100644
index 00000000000..e03f1fb7019
--- /dev/null
+++ b/queue-6.3/bpf-fix-a-memory-leak-in-the-lru-and-lru_percpu-hash-maps.patch
@@ -0,0 +1,63 @@ +From b34ffb0c6d23583830f9327864b9c1f486003305 Mon Sep 17 00:00:00 2001 +From: Anton Protopopov +Date: Mon, 22 May 2023 15:45:58 +0000 +Subject: bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps + +From: Anton Protopopov + +commit b34ffb0c6d23583830f9327864b9c1f486003305 upstream. + +The LRU and LRU_PERCPU maps allocate a new element on update before locking the +target hash table bucket. Right after that the maps try to lock the bucket. +If this fails, then maps return -EBUSY to the caller without releasing the +allocated element. This makes the element untracked: it doesn't belong to +either of free lists, and it doesn't belong to the hash table, so can't be +re-used; this eventually leads to the permanent -ENOMEM on LRU map updates, +which is unexpected. Fix this by returning the element to the local free list +if bucket locking fails. + +Fixes: 20b6cc34ea74 ("bpf: Avoid hashtab deadlock with map_locked") +Signed-off-by: Anton Protopopov +Link: https://lore.kernel.org/r/20230522154558.2166815-1-aspsk@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/hashtab.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -1197,7 +1197,7 @@ static long htab_lru_map_update_elem(str + + ret = htab_lock_bucket(htab, b, hash, &flags); + if (ret) +- return ret; ++ goto err_lock_bucket; + + l_old = lookup_elem_raw(head, hash, key, key_size); + +@@ -1218,6 +1218,7 @@ static long htab_lru_map_update_elem(str + err: + htab_unlock_bucket(htab, b, hash, flags); + ++err_lock_bucket: + if (ret) + htab_lru_push_free(htab, l_new); + else if (l_old) +@@ -1320,7 +1321,7 @@ static long __htab_lru_percpu_map_update + + ret = htab_lock_bucket(htab, b, hash, &flags); + if (ret) +- return ret; ++ goto err_lock_bucket; + + l_old = lookup_elem_raw(head, hash, key, key_size); + +@@ -1343,6 +1344,7 @@ static long __htab_lru_percpu_map_update + ret = 0; + 
err: + htab_unlock_bucket(htab, b, hash, flags); ++err_lock_bucket: + if (l_new) + bpf_lru_push_free(&htab->lru, &l_new->lru_node); + return ret; diff --git a/queue-6.3/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch b/queue-6.3/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch new file mode 100644 index 00000000000..13ba640347e --- /dev/null +++ b/queue-6.3/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch 
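Review bot: In the queued hashtab.c change, the new `err_lock_bucket:` label in htab_lru_map_update_elem() is reached before `l_old` is assigned by `lookup_elem_raw()`, yet the statement after the label goes on to test `else if (l_old)`. That is safe only because `ret` is non-zero on this path, so the `if (ret)` branch is always taken; whether `l_old` has an initializer is not visible in the hunk. A comment at the label would keep a later edit from breaking that, e.g. `/* bucket lock not held here; ret != 0, so only l_new is released */`. The same label is added in __htab_lru_percpu_map_update_elem(), where the code after it checks only `l_new`. Both function bodies start and end outside the hunks.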
@@ -0,0 +1,58 @@
+From 0613d8ca9ab382caabe9ed2dceb429e9781e443f Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 18 May 2023 11:25:28 +0100
+Subject: bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
+
+From: Will Deacon
+
+commit 0613d8ca9ab382caabe9ed2dceb429e9781e443f upstream.
+
+A narrow load from a 64-bit context field results in a 64-bit load
+followed potentially by a 64-bit right-shift and then a bitwise AND
+operation to extract the relevant data.
+
+In the case of a 32-bit access, an immediate mask of 0xffffffff is used
+to construct a 64-bit BPP_AND operation which then sign-extends the mask
+value and effectively acts as a glorified no-op. For example:
+
+0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
+
+results in the following code generation for a 64-bit field:
+
+ ldr x7, [x7] // 64-bit load
+ mov x10, #0xffffffffffffffff
+ and x7, x7, x10
+
+Fix the mask generation so that narrow loads always perform a 32-bit AND
+operation:
+
+ ldr x7, [x7] // 64-bit load
+ mov w10, #0xffffffff
+ and w7, w7, w10
+
+Cc: Alexei Starovoitov
+Cc: Daniel Borkmann
+Cc: John Fastabend
+Cc: Krzesimir Nowak
+Cc: Andrey Ignatov
+Acked-by: Yonghong Song
+Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields")
+Signed-off-by: Will Deacon
+Link: https://lore.kernel.org/r/20230518102528.1341-1-will@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -16017,7 +16017,7 @@ static int convert_ctx_accesses(struct b
+ insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
+ insn->dst_reg,
+ shift);
+- insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
++ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
+ (1ULL << size * 8) - 1);
+ }
+ }
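Review bot: Nothing at the changed `BPF_ALU32_IMM(BPF_AND, ...)` line in convert_ctx_accesses() records why the 32-bit opcode is required, so the reason lives only in the commit message. Per that message a 64-bit AND sign-extends the 0xffffffff immediate and masks nothing, which would let the upper half of the 64-bit field through on a narrow load; a comment such as `/* 32-bit AND: a 64-bit AND would sign-extend the immediate and act as a no-op for 4-byte loads */` keeps that next to the code. The mask `(1ULL << size * 8) - 1` also relies on operator precedence and on `size` being below 8 here, which the hunk does not show; `(1ULL << (size * 8)) - 1` reads more safely. The function body starts and ends outside the hunk.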
diff --git a/queue-6.3/cifs-mapchars-mount-option-ignored.patch b/queue-6.3/cifs-mapchars-mount-option-ignored.patch
new file mode 100644
index 00000000000..92e0785b21c
--- /dev/null
+++ b/queue-6.3/cifs-mapchars-mount-option-ignored.patch
@@ -0,0 +1,46 @@
+From cb8b02fd6343228966324528adf920bfb8b8e681 Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Wed, 24 May 2023 03:26:19 -0500
+Subject: cifs: mapchars mount option ignored
+
+From: Steve French
+
+commit cb8b02fd6343228966324528adf920bfb8b8e681 upstream.
+
+There are two ways that special characters (not allowed in some
+other operating systems like Windows, but allowed in POSIX) have
+been mapped in the past ("SFU" and "SFM" mappings) to allow them
+to be stored in a range reserved for special chars. The default
+for Linux has been to use "mapposix" (ie the SFM mapping) but
+the conversion to the new mount API in the 5.11 kernel broke
+the ability to override the default mapping of the reserved
+characters (like '?' and '*' and '\') via "mapchars" mount option.
+
+This patch fixes that - so can now mount with "mapchars"
+mount option to override the default ("mapposix" ie SFM) mapping.
+
+Reported-by: Tyler Spivey
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/fs_context.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -904,6 +904,14 @@ static int smb3_fs_context_parse_param(s
+ ctx->sfu_remap = false; /* disable SFU mapping */
+ }
+ break;
++ case Opt_mapchars:
++ if (result.negated)
++ ctx->sfu_remap = false;
++ else {
++ ctx->sfu_remap = true;
++ ctx->remap = false; /* disable SFM (mapposix) mapping */
++ }
++ break;
+ case Opt_user_xattr:
+ if (result.negated)
+ ctx->no_xattr = 1;
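Review bot: In the added `case Opt_mapchars:` the negated branch clears only `ctx->sfu_remap` and leaves `ctx->remap` as it was, so the mapping that results from the negated form depends on which options were parsed before it. If that is intended, a one-line comment on that branch would say so, e.g. `/* SFU mapping off; mapposix setting left as previously parsed */`. The `if` branch is also unbraced while the `else` is braced; kernel coding style asks for braces on both when one branch needs them. The enclosing switch in smb3_fs_context_parse_param() starts and ends outside the hunk.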
diff --git a/queue-6.3/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch b/queue-6.3/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch
new file mode 100644
index 00000000000..acabd508aa3
--- /dev/null
+++ b/queue-6.3/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch
@@ -0,0 +1,40 @@
+From f67bc15e526bb9920683ad6c1891ff9e08981335 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 21 Apr 2023 13:42:41 +0300
+Subject: coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
+
+From: Dan Carpenter
+
+commit f67bc15e526bb9920683ad6c1891ff9e08981335 upstream.
+
+This code generates a Smatch warning:
+
+ drivers/hwtracing/coresight/coresight-tmc-etr.c:947 tmc_etr_buf_insert_barrier_packet()
+ error: uninitialized symbol 'bufp'.
+
+The problem is that if tmc_sg_table_get_data() returns -EINVAL, then
+when we test if "len < CORESIGHT_BARRIER_PKT_SIZE", the negative "len"
+value is type promoted to a high unsigned long value which is greater
+than CORESIGHT_BARRIER_PKT_SIZE. Fix this bug by adding an explicit
+check for error codes.
+
+Fixes: 75f4e3619fe2 ("coresight: tmc-etr: Add transparent buffer management")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Suzuki K Poulose
+Link: https://lore.kernel.org/r/7d33e244-d8b9-4c27-9653-883a13534b01@kili.mountain
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -942,7 +942,7 @@ tmc_etr_buf_insert_barrier_packet(struct
+
+ len = tmc_etr_buf_get_data(etr_buf, offset,
+ CORESIGHT_BARRIER_PKT_SIZE, &bufp);
+- if (WARN_ON(len < CORESIGHT_BARRIER_PKT_SIZE))
++ if (WARN_ON(len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE))
+ return -EINVAL;
+ coresight_insert_barrier_packet(bufp);
+ return offset + CORESIGHT_BARRIER_PKT_SIZE;
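Review bot: The added `len < 0 ||` looks redundant beside `len < CORESIGHT_BARRIER_PKT_SIZE` and is at risk of being simplified away, because the line does not say why both tests are needed. Per the commit message the size comparison promotes a negative `len` to a large unsigned value, so the error test has to come first; a comment such as `/* len is signed: test for an error code before the unsigned size comparison */` records that. The function also returns a fixed `-EINVAL` instead of the error held in `len`, which may be worth propagating if callers distinguish codes. The function body starts outside the hunk.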
diff --git a/queue-6.3/drm-fix-drmm_mutex_init.patch b/queue-6.3/drm-fix-drmm_mutex_init.patch
new file mode 100644
index 00000000000..bea3569b509
--- /dev/null
+++ b/queue-6.3/drm-fix-drmm_mutex_init.patch
@@ -0,0 +1,121 @@ +From c21f11d182c2180d8b90eaff84f574cfa845b250 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 19 May 2023 10:07:33 +0100 +Subject: drm: fix drmm_mutex_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit c21f11d182c2180d8b90eaff84f574cfa845b250 upstream. + +In mutex_init() lockdep identifies a lock by defining a special static +key for each lock class. However if we wrap the macro in a function, +like in drmm_mutex_init(), we end up generating: + +int drmm_mutex_init(struct drm_device *dev, struct mutex *lock) +{ + static struct lock_class_key __key; + + __mutex_init((lock), "lock", &__key); + .... +} + +The static __key here is what lockdep uses to identify the lock class, +however since this is just a normal function the key here will be +created once, where all callers then use the same key. In effect the +mutex->depmap.key will be the same pointer for different +drmm_mutex_init() callers. This then results in impossible lockdep +splats since lockdep thinks completely unrelated locks are the same lock +class. + +To fix this turn drmm_mutex_init() into a macro such that it generates a +different "static struct lock_class_key __key" for each invocation, +which looks to be inline with what mutex_init() wants. + +v2: + - Revamp the commit message with clearer explanation of the issue. + - Rather export __drmm_mutex_release() than static inline. 
+ +Reported-by: Thomas Hellström +Reported-by: Sarah Walker +Fixes: e13f13e039dc ("drm: Add DRM-managed mutex_init()") +Cc: Stanislaw Gruszka +Cc: Boris Brezillon +Cc: Thomas Zimmermann +Cc: Jocelyn Falempe +Cc: Daniel Vetter +Cc: dri-devel@lists.freedesktop.org +Signed-off-by: Matthew Auld +Reviewed-by: Boris Brezillon +Reviewed-by: Stanislaw Gruszka +Reviewed-by: Lucas De Marchi +Acked-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230519090733.489019-1-matthew.auld@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_managed.c | 22 ++-------------------- + include/drm/drm_managed.h | 18 +++++++++++++++++- + 2 files changed, 19 insertions(+), 21 deletions(-) + +--- a/drivers/gpu/drm/drm_managed.c ++++ b/drivers/gpu/drm/drm_managed.c +@@ -264,28 +264,10 @@ void drmm_kfree(struct drm_device *dev, + } + EXPORT_SYMBOL(drmm_kfree); + +-static void drmm_mutex_release(struct drm_device *dev, void *res) ++void __drmm_mutex_release(struct drm_device *dev, void *res) + { + struct mutex *lock = res; + + mutex_destroy(lock); + } +- +-/** +- * drmm_mutex_init - &drm_device-managed mutex_init() +- * @dev: DRM device +- * @lock: lock to be initialized +- * +- * Returns: +- * 0 on success, or a negative errno code otherwise. +- * +- * This is a &drm_device-managed version of mutex_init(). The initialized +- * lock is automatically destroyed on the final drm_dev_put(). 
+- */ +-int drmm_mutex_init(struct drm_device *dev, struct mutex *lock) +-{ +- mutex_init(lock); +- +- return drmm_add_action_or_reset(dev, drmm_mutex_release, lock); +-} +-EXPORT_SYMBOL(drmm_mutex_init); ++EXPORT_SYMBOL(__drmm_mutex_release); +--- a/include/drm/drm_managed.h ++++ b/include/drm/drm_managed.h +@@ -105,6 +105,22 @@ char *drmm_kstrdup(struct drm_device *de + + void drmm_kfree(struct drm_device *dev, void *data); + +-int drmm_mutex_init(struct drm_device *dev, struct mutex *lock); ++void __drmm_mutex_release(struct drm_device *dev, void *res); ++ ++/** ++ * drmm_mutex_init - &drm_device-managed mutex_init() ++ * @dev: DRM device ++ * @lock: lock to be initialized ++ * ++ * Returns: ++ * 0 on success, or a negative errno code otherwise. ++ * ++ * This is a &drm_device-managed version of mutex_init(). The initialized ++ * lock is automatically destroyed on the final drm_dev_put(). ++ */ ++#define drmm_mutex_init(dev, lock) ({ \ ++ mutex_init(lock); \ ++ drmm_add_action_or_reset(dev, __drmm_mutex_release, lock); \ ++}) \ + + #endif diff --git a/queue-6.3/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch b/queue-6.3/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch new file mode 100644 index 00000000000..f73bd9892c9 --- /dev/null +++ b/queue-6.3/firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch 
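Review bot: The new `drmm_mutex_init()` macro in include/drm/drm_managed.h ends with a line-continuation backslash after `})`, so the definition extends onto the following line; that line is blank in this hunk, but anything later placed there becomes part of the macro. Drop the trailing `\` so the definition ends at `})`. The macro also names `lock` in both `mutex_init(lock)` and the `drmm_add_action_or_reset()` call, so an argument with side effects would be evaluated twice; the kernel-doc should state that `dev` and `lock` must be side-effect-free expressions. `__drmm_mutex_release()` is now exported without any comment marking it as an implementation detail of the macro that drivers should not call directly.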
@@ -0,0 +1,66 @@ +From b71b55248a580e9c9befc4ae060539f1f8e477da Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Thu, 20 Apr 2023 16:06:01 +0100 +Subject: firmware: arm_ffa: Check if ffa_driver remove is present before executing + +From: Sudeep Holla + +commit b71b55248a580e9c9befc4ae060539f1f8e477da upstream. + +Currently ffa_drv->remove() is called unconditionally from +ffa_device_remove(). Since the driver registration doesn't check for it +and allows it to be registered without .remove callback, we need to check +for the presence of it before executing it from ffa_device_remove() to +above a NULL pointer dereference like the one below: + + | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + | Mem abort info: + | ESR = 0x0000000086000004 + | EC = 0x21: IABT (current EL), IL = 32 bits + | SET = 0, FnV = 0 + | EA = 0, S1PTW = 0 + | FSC = 0x04: level 0 translation fault + | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000 + | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 + | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP + | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6 + | Hardware name: FVP Base RevC (DT) + | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c) + | pc : 0x0 + | lr : ffa_device_remove+0x20/0x2c + | Call trace: + | 0x0 + | device_release_driver_internal+0x16c/0x260 + | driver_detach+0x90/0xd0 + | bus_remove_driver+0xdc/0x11c + | driver_unregister+0x30/0x54 + | ffa_driver_unregister+0x14/0x20 + | cleanup_module+0x18/0xeec + | __arm64_sys_delete_module+0x234/0x378 + | invoke_syscall+0x40/0x108 + | el0_svc_common+0xb4/0xf0 + | do_el0_svc+0x30/0xa4 + | el0_svc+0x2c/0x7c + | el0t_64_sync_handler+0x84/0xf0 + | el0t_64_sync+0x190/0x194 + +Fixes: 244f5d597e1e ("firmware: arm_ffa: Add missing remove callback to ffa_bus_type") +Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-1-d9108e43a176@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Greg 
Kroah-Hartman +--- + drivers/firmware/arm_ffa/bus.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/arm_ffa/bus.c ++++ b/drivers/firmware/arm_ffa/bus.c +@@ -53,7 +53,8 @@ static void ffa_device_remove(struct dev + { + struct ffa_driver *ffa_drv = to_ffa_driver(dev->driver); + +- ffa_drv->remove(to_ffa_dev(dev)); ++ if (ffa_drv->remove) ++ ffa_drv->remove(to_ffa_dev(dev)); + } + + static int ffa_device_uevent(const struct device *dev, struct kobj_uevent_env *env) diff --git a/queue-6.3/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch b/queue-6.3/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch new file mode 100644 index 00000000000..15d9c81fabc --- /dev/null +++ b/queue-6.3/firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch 
@@ -0,0 +1,131 @@ +From 19b8766459c41c6f318f8a548cc1c66dffd18363 Mon Sep 17 00:00:00 2001 +From: Sudeep Holla +Date: Thu, 20 Apr 2023 16:06:03 +0100 +Subject: firmware: arm_ffa: Fix FFA device names for logical partitions + +From: Sudeep Holla + +commit 19b8766459c41c6f318f8a548cc1c66dffd18363 upstream. + +Each physical partition can provide multiple services each with UUID. +Each such service can be presented as logical partition with a unique +combination of VM ID and UUID. The number of distinct UUID in a system +will be less than or equal to the number of logical partitions. + +However, currently it fails to register more than one logical partition +or service within a physical partition as the device name contains only +VM ID while both VM ID and UUID are maintained in the partition information. +The kernel complains with the below message: + + | sysfs: cannot create duplicate filename '/devices/arm-ffa-8001' + | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7 #8 + | Hardware name: FVP Base RevC (DT) + | Call trace: + | dump_backtrace+0xf8/0x118 + | show_stack+0x18/0x24 + | dump_stack_lvl+0x50/0x68 + | dump_stack+0x18/0x24 + | sysfs_create_dir_ns+0xe0/0x13c + | kobject_add_internal+0x220/0x3d4 + | kobject_add+0x94/0x100 + | device_add+0x144/0x5d8 + | device_register+0x20/0x30 + | ffa_device_register+0x88/0xd8 + | ffa_setup_partitions+0x108/0x1b8 + | ffa_init+0x2ec/0x3a4 + | do_one_initcall+0xcc/0x240 + | do_initcall_level+0x8c/0xac + | do_initcalls+0x54/0x94 + | do_basic_setup+0x1c/0x28 + | kernel_init_freeable+0x100/0x16c + | kernel_init+0x20/0x1a0 + | ret_from_fork+0x10/0x20 + | kobject_add_internal failed for arm-ffa-8001 with -EEXIST, don't try to + | register things with the same name in the same directory. 
+ | arm_ffa arm-ffa: unable to register device arm-ffa-8001 err=-17 + | ARM FF-A: ffa_setup_partitions: failed to register partition ID 0x8001 + +By virtue of being random enough to avoid collisions when generated in a +distributed system, there is no way to compress UUID keys to the number +of bits required to identify each. We can eliminate '-' in the name but +it is not worth eliminating 4 bytes and add unnecessary logic for doing +that. Also v1.0 doesn't provide the UUID of the partitions which makes +it hard to use the same for the device name. + +So to keep it simple, let us alloc an ID using ida_alloc() and append the +same to "arm-ffa" to make up a unique device name. Also stash the id value +in ffa_dev to help freeing the ID later when the device is destroyed. + +Fixes: e781858488b9 ("firmware: arm_ffa: Add initial FFA bus support for device enumeration") +Reported-by: Lucian Paul-Trifu +Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-3-d9108e43a176@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_ffa/bus.c | 16 +++++++++++++--- + include/linux/arm_ffa.h | 1 + + 2 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/firmware/arm_ffa/bus.c ++++ b/drivers/firmware/arm_ffa/bus.c +@@ -15,6 +15,8 @@ + + #include "common.h" + ++static DEFINE_IDA(ffa_bus_id); ++ + static int ffa_device_match(struct device *dev, struct device_driver *drv) + { + const struct ffa_device_id *id_table; +@@ -131,6 +133,7 @@ static void ffa_release_device(struct de + { + struct ffa_device *ffa_dev = to_ffa_dev(dev); + ++ ida_free(&ffa_bus_id, ffa_dev->id); + kfree(ffa_dev); + } + +@@ -171,18 +174,24 @@ bool ffa_device_is_valid(struct ffa_devi + struct ffa_device *ffa_device_register(const uuid_t *uuid, int vm_id, + const struct ffa_ops *ops) + { +- int ret; ++ int id, ret; + struct device *dev; + struct ffa_device *ffa_dev; + ++ id = ida_alloc_min(&ffa_bus_id, 1, GFP_KERNEL); ++ if (id < 0) ++ return NULL; ++ + 
ffa_dev = kzalloc(sizeof(*ffa_dev), GFP_KERNEL); +- if (!ffa_dev) ++ if (!ffa_dev) { ++ ida_free(&ffa_bus_id, id); + return NULL; ++ } + + dev = &ffa_dev->dev; + dev->bus = &ffa_bus_type; + dev->release = ffa_release_device; +- dev_set_name(&ffa_dev->dev, "arm-ffa-%04x", vm_id); ++ dev_set_name(&ffa_dev->dev, "arm-ffa-%d", id); + + ffa_dev->vm_id = vm_id; + ffa_dev->ops = ops; +@@ -218,4 +227,5 @@ void arm_ffa_bus_exit(void) + { + ffa_devices_unregister(); + bus_unregister(&ffa_bus_type); ++ ida_destroy(&ffa_bus_id); + } +--- a/include/linux/arm_ffa.h ++++ b/include/linux/arm_ffa.h +@@ -96,6 +96,7 @@ + + /* FFA Bus/Device/Driver related */ + struct ffa_device { ++ u32 id; + int vm_id; + bool mode_32bit; + uuid_t uuid; diff --git a/queue-6.3/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch b/queue-6.3/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch new file mode 100644 index 00000000000..054ce268a8b --- /dev/null +++ b/queue-6.3/fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch 
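Review bot: Nothing in the bus.c hunks stores the allocated value in the new `ffa_dev->id` field: ffa_device_register() uses `id` only for `dev_set_name()`, while ffa_release_device() now calls `ida_free(&ffa_bus_id, ffa_dev->id)`. Because `ffa_dev` comes from `kzalloc()`, the field would still be 0 at release, so the ID handed out by `ida_alloc_min(&ffa_bus_id, 1, GFP_KERNEL)` is never returned to the IDA and an ID that was never allocated is freed instead. Add `ffa_dev->id = id;` next to the existing `ffa_dev->vm_id = vm_id;` assignment, unless it is already set in code outside these hunks. The field is declared `u32` while the local holding the IDA result is `int`; using one type for both avoids a sign conversion. The tail of ffa_device_register() is outside the hunk.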
@@ -0,0 +1,77 @@ +From f15afbd34d8fadbd375f1212e97837e32bc170cc Mon Sep 17 00:00:00 2001 +From: Hao Ge +Date: Mon, 24 Apr 2023 13:18:35 +0800 +Subject: fs: fix undefined behavior in bit shift for SB_NOUSER + +From: Hao Ge + +commit f15afbd34d8fadbd375f1212e97837e32bc170cc upstream. + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. It was spotted by UBSAN. + +So let's just fix this by using the BIT() helper for all SB_* flags. + +Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags") +Signed-off-by: Hao Ge +Message-Id: <20230424051835.374204-1-gehao@kylinos.cn> +[brauner@kernel.org: use BIT() for all SB_* flags] +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/fs.h | 42 +++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1059,29 +1059,29 @@ extern int send_sigurg(struct fown_struc + * sb->s_flags. Note that these mirror the equivalent MS_* flags where + * represented in both. + */ +-#define SB_RDONLY 1 /* Mount read-only */ +-#define SB_NOSUID 2 /* Ignore suid and sgid bits */ +-#define SB_NODEV 4 /* Disallow access to device special files */ +-#define SB_NOEXEC 8 /* Disallow program execution */ +-#define SB_SYNCHRONOUS 16 /* Writes are synced at once */ +-#define SB_MANDLOCK 64 /* Allow mandatory locks on an FS */ +-#define SB_DIRSYNC 128 /* Directory modifications are synchronous */ +-#define SB_NOATIME 1024 /* Do not update access times. 
*/ +-#define SB_NODIRATIME 2048 /* Do not update directory access times */ +-#define SB_SILENT 32768 +-#define SB_POSIXACL (1<<16) /* VFS does not apply the umask */ +-#define SB_INLINECRYPT (1<<17) /* Use blk-crypto for encrypted files */ +-#define SB_KERNMOUNT (1<<22) /* this is a kern_mount call */ +-#define SB_I_VERSION (1<<23) /* Update inode I_version field */ +-#define SB_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */ ++#define SB_RDONLY BIT(0) /* Mount read-only */ ++#define SB_NOSUID BIT(1) /* Ignore suid and sgid bits */ ++#define SB_NODEV BIT(2) /* Disallow access to device special files */ ++#define SB_NOEXEC BIT(3) /* Disallow program execution */ ++#define SB_SYNCHRONOUS BIT(4) /* Writes are synced at once */ ++#define SB_MANDLOCK BIT(6) /* Allow mandatory locks on an FS */ ++#define SB_DIRSYNC BIT(7) /* Directory modifications are synchronous */ ++#define SB_NOATIME BIT(10) /* Do not update access times. */ ++#define SB_NODIRATIME BIT(11) /* Do not update directory access times */ ++#define SB_SILENT BIT(15) ++#define SB_POSIXACL BIT(16) /* VFS does not apply the umask */ ++#define SB_INLINECRYPT BIT(17) /* Use blk-crypto for encrypted files */ ++#define SB_KERNMOUNT BIT(22) /* this is a kern_mount call */ ++#define SB_I_VERSION BIT(23) /* Update inode I_version field */ ++#define SB_LAZYTIME BIT(25) /* Update the on-disk [acm]times lazily */ + + /* These sb flags are internal to the kernel */ +-#define SB_SUBMOUNT (1<<26) +-#define SB_FORCE (1<<27) +-#define SB_NOSEC (1<<28) +-#define SB_BORN (1<<29) +-#define SB_ACTIVE (1<<30) +-#define SB_NOUSER (1<<31) ++#define SB_SUBMOUNT BIT(26) ++#define SB_FORCE BIT(27) ++#define SB_NOSEC BIT(28) ++#define SB_BORN BIT(29) ++#define SB_ACTIVE BIT(30) ++#define SB_NOUSER BIT(31) + + /* These flags relate to encoding and casefolding */ + #define SB_ENC_STRICT_MODE_FL (1 << 0) 
diff --git a/queue-6.3/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch b/queue-6.3/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch
new file mode 100644
index 00000000000..6ef0c1a7d37
--- /dev/null
+++ b/queue-6.3/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch
@@ -0,0 +1,36 @@
+From 878ecb0897f4737a4c9401f3523fd49589025671 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia
+Date: Tue, 23 May 2023 08:29:44 +0000
+Subject: ipv6: Fix out-of-bounds access in ipv6_find_tlv()
+
+From: Gavrilov Ilia
+
+commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream.
+
+optlen is fetched without checking whether there is more than one byte to parse.
+It can lead to out-of-bounds access.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: c61a40432509 ("[IPV6]: Find option offset by type.")
+Signed-off-by: Gavrilov Ilia
+Reviewed-by: Jiri Pirko
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/exthdrs_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/exthdrs_core.c
++++ b/net/ipv6/exthdrs_core.c
+@@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff *
+ optlen = 1;
+ break;
+ default:
++ if (len < 2)
++ goto bad;
+ optlen = nh[offset + 1] + 2;
+ if (optlen > len)
+ goto bad;
diff --git a/queue-6.3/lan966x-fix-unloading-loading-of-the-driver.patch b/queue-6.3/lan966x-fix-unloading-loading-of-the-driver.patch
new file mode 100644
index 00000000000..7cf7c97d17d
--- /dev/null
+++ b/queue-6.3/lan966x-fix-unloading-loading-of-the-driver.patch
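Review bot: The added `if (len < 2) goto bad;` guards the read of the length byte `nh[offset + 1]` on the next line, but the code does not say so, and the out-of-bounds read is explained only in the commit message. A short comment keeps the reason with the check, e.g. `/* need both the type and length bytes before reading the option length */`. Whether `len` is itself bounded by the bytes actually present in the skb is decided outside the hunk and cannot be confirmed from here, so that is worth checking in the 6.3 tree this is queued for. The option loop in ipv6_find_tlv() starts and ends outside the hunk.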
@@ -0,0 +1,52 @@ +From 600761245952d7f70280add6ce02894f1528992b Mon Sep 17 00:00:00 2001 +From: Horatiu Vultur +Date: Mon, 22 May 2023 14:00:38 +0200 +Subject: lan966x: Fix unloading/loading of the driver + +From: Horatiu Vultur + +commit 600761245952d7f70280add6ce02894f1528992b upstream. + +It was noticing that after a while when unloading/loading the driver and +sending traffic through the switch, it would stop working. It would stop +forwarding any traffic and the only way to get out of this was to do a +power cycle of the board. The root cause seems to be that the switch +core is initialized twice. Apparently initializing twice the switch core +disturbs the pointers in the queue systems in the HW, so after a while +it would stop sending the traffic. +Unfortunetly, it is not possible to use a reset of the switch here, +because the reset line is connected to multiple devices like MDIO, +SGPIO, FAN, etc. So then all the devices will get reseted when the +network driver will be loaded. +So the fix is to check if the core is initialized already and if that is +the case don't initialize it again. + +Fixes: db8bcaad5393 ("net: lan966x: add the basic lan966x driver") +Signed-off-by: Horatiu Vultur +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230522120038.3749026-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -1013,6 +1013,16 @@ static int lan966x_reset_switch(struct l + + reset_control_reset(switch_reset); + ++ /* Don't reinitialize the switch core, if it is already initialized. 
In ++ * case it is initialized twice, some pointers inside the queue system ++ * in HW will get corrupted and then after a while the queue system gets ++ * full and no traffic is passing through the switch. The issue is seen ++ * when loading and unloading the driver and sending traffic through the ++ * switch. ++ */ ++ if (lan_rd(lan966x, SYS_RESET_CFG) & SYS_RESET_CFG_CORE_ENA) ++ return 0; ++ + lan_wr(SYS_RESET_CFG_CORE_ENA_SET(0), lan966x, SYS_RESET_CFG); + lan_wr(SYS_RAM_INIT_RAM_INIT_SET(1), lan966x, SYS_RAM_INIT); + ret = readx_poll_timeout(lan966x_ram_init, lan966x, diff --git a/queue-6.3/net-fix-skb-leak-in-__skb_tstamp_tx.patch b/queue-6.3/net-fix-skb-leak-in-__skb_tstamp_tx.patch new file mode 100644 index 00000000000..0a7e257cb8d --- /dev/null +++ b/queue-6.3/net-fix-skb-leak-in-__skb_tstamp_tx.patch 
@@ -0,0 +1,43 @@
+From 8a02fb71d7192ff1a9a47c9d937624966c6e09af Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav
+Date: Mon, 22 May 2023 17:30:20 +0200
+Subject: net: fix skb leak in __skb_tstamp_tx()
+
+From: Pratyush Yadav
+
+commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream.
+
+Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
+TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
+zerocopy skbs. But it ended up adding a leak of its own. When
+skb_orphan_frags_rx() fails, the function just returns, leaking the skb
+it just cloned. Free it before returning.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
+Signed-off-by: Pratyush Yadav
+Reviewed-by: Kuniyuki Iwashima
+Reviewed-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/skbuff.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5171,8 +5171,10 @@ void __skb_tstamp_tx(struct sk_buff *ori
+ } else {
+ skb = skb_clone(orig_skb, GFP_ATOMIC);
+
+- if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
++ kfree_skb(skb);
+ return;
++ }
+ }
+ if (!skb)
+ return;
diff --git a/queue-6.3/octeontx2-pf-fix-tsov6-offload.patch b/queue-6.3/octeontx2-pf-fix-tsov6-offload.patch
new file mode 100644
index 00000000000..8105402057a
--- /dev/null
+++ b/queue-6.3/octeontx2-pf-fix-tsov6-offload.patch
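Review bot: The `if (!skb)` test still sits after the `skb_orphan_frags_rx(skb, GFP_ATOMIC)` call, so a failed `skb_clone()` hands NULL to that helper before it is checked. Whether the helper tolerates a NULL skb is not visible in this hunk. If it does, a comment such as `/* skb may be NULL here; skb_orphan_frags_rx() accepts that */` would stop the ordering from reading like a bug; if it does not, the guard belongs directly after the clone as `if (!skb) return;`. The function starts and ends outside the hunk.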
@@ -0,0 +1,36 @@
+From de678ca38861f2eb58814048076dcf95ed1b5bf9 Mon Sep 17 00:00:00 2001
+From: Sunil Goutham
+Date: Thu, 18 May 2023 12:10:42 +0530
+Subject: octeontx2-pf: Fix TSOv6 offload
+
+From: Sunil Goutham
+
+commit de678ca38861f2eb58814048076dcf95ed1b5bf9 upstream.
+
+HW adds segment size to the payload length
+in the IPv6 header. Fix payload length to
+just TCP header length instead of 'TCP header
+size + IPv6 header size'.
+
+Fixes: 86d7476078b8 ("octeontx2-pf: TCP segmentation offload support")
+Signed-off-by: Sunil Goutham
+Signed-off-by: Ratheesh Kannoth
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+@@ -652,9 +652,7 @@ static void otx2_sqe_add_ext(struct otx2
+ htons(ext->lso_sb - skb_network_offset(skb));
+ } else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) {
+ ext->lso_format = pfvf->hw.lso_tsov6_idx;
+-
+- ipv6_hdr(skb)->payload_len =
+- htons(ext->lso_sb - skb_network_offset(skb));
++ ipv6_hdr(skb)->payload_len = htons(tcp_hdrlen(skb));
+ } else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) {
+ __be16 l3_proto = vlan_get_protocol(skb);
+ struct udphdr *udph = udp_hdr(skb);
diff --git a/queue-6.3/optee-fix-uninited-async-notif-value.patch b/queue-6.3/optee-fix-uninited-async-notif-value.patch
new file mode 100644
index 00000000000..dcc7055141b
--- /dev/null
+++ b/queue-6.3/optee-fix-uninited-async-notif-value.patch
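Review bot: `htons(tcp_hdrlen(skb))` counts only the TCP header, while the IPv6 payload length also covers any extension headers that sit between the fixed IPv6 header and TCP. If this branch can see such packets (not visible here), the seeded value is short by the extension-header length; `htons(skb_transport_offset(skb) - skb_network_offset(skb) - sizeof(struct ipv6hdr) + tcp_hdrlen(skb))` would cover both cases. A short comment that the hardware adds the segment size to this field would also explain why the value written is not the real payload length. The function starts and ends outside the hunk.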
@@ -0,0 +1,42 @@
+From 654d0310007146fae87b0c1a68f81e53ad519b14 Mon Sep 17 00:00:00 2001
+From: Etienne Carriere
+Date: Thu, 20 Apr 2023 09:49:23 +0200
+Subject: optee: fix uninited async notif value
+
+From: Etienne Carriere
+
+commit 654d0310007146fae87b0c1a68f81e53ad519b14 upstream.
+
+Fixes an uninitialized variable in irq_handler() that could lead to
+unpredictable behavior in case OP-TEE fails to handle SMC function ID
+OPTEE_SMC_GET_ASYNC_NOTIF_VALUE. This change ensures that in that case
+get_async_notif_value() properly reports there are no notification
+event.
+
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/r/202304200755.OoiuclDZ-lkp@intel.com/
+Reported-by: Dan Carpenter
+Link: https://lore.kernel.org/all/d9b7f69b-c737-4cb3-8e74-79fe00c934f9@kili.mountain/
+Fixes: 6749e69c4dad ("optee: add asynchronous notifications")
+Signed-off-by: Etienne Carriere
+Reviewed-by: Sumit Garg
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/optee/smc_abi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tee/optee/smc_abi.c
++++ b/drivers/tee/optee/smc_abi.c
+@@ -984,8 +984,10 @@ static u32 get_async_notif_value(optee_i
+
+ invoke_fn(OPTEE_SMC_GET_ASYNC_NOTIF_VALUE, 0, 0, 0, 0, 0, 0, 0, &res);
+
+- if (res.a0)
++ if (res.a0) {
++ *value_valid = false;
+ return 0;
++ }
+ *value_valid = (res.a2 & OPTEE_SMC_ASYNC_NOTIF_VALUE_VALID);
+ *value_pending = (res.a2 & OPTEE_SMC_ASYNC_NOTIF_VALUE_PENDING);
+ return res.a1;
diff --git a/queue-6.3/platform-x86-isst-remove-8-socket-limit.patch b/queue-6.3/platform-x86-isst-remove-8-socket-limit.patch
new file mode 100644
index 00000000000..c73a1846ec3
--- /dev/null
+++ b/queue-6.3/platform-x86-isst-remove-8-socket-limit.patch
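Review bot: The error branch in get_async_notif_value() now writes `*value_valid` but still leaves `*value_pending` unwritten, so the function returns with one of its two output flags undefined. The caller is outside the hunk; if it ever reads the pending flag without first testing the valid flag, it is back to reading an uninitialized stack value. Adding `*value_pending = false;` next to `*value_valid = false;` makes both outputs defined on every path.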
@@ -0,0 +1,65 @@ +From bbb320bfe2c3e9740fe89cfa0a7089b4e8bfc4ff Mon Sep 17 00:00:00 2001 +From: Steve Wahl +Date: Fri, 19 May 2023 11:04:20 -0500 +Subject: platform/x86: ISST: Remove 8 socket limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Steve Wahl + +commit bbb320bfe2c3e9740fe89cfa0a7089b4e8bfc4ff upstream. + +Stop restricting the PCI search to a range of PCI domains fed to +pci_get_domain_bus_and_slot(). Instead, use for_each_pci_dev() and +look at all PCI domains in one pass. + +On systems with more than 8 sockets, this avoids error messages like +"Information: Invalid level, Can't get TDP control information at +specified levels on cpu 480" from the intel speed select utility. + +Fixes: aa2ddd242572 ("platform/x86: ISST: Use numa node id for cpu pci dev mapping") +Signed-off-by: Steve Wahl +Reviewed-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20230519160420.2588475-1-steve.wahl@hpe.com +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c +@@ -295,14 +295,13 @@ struct isst_if_pkg_info { + static struct isst_if_cpu_info *isst_cpu_info; + static struct isst_if_pkg_info *isst_pkg_info; + +-#define ISST_MAX_PCI_DOMAINS 8 +- + static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn) + { + struct pci_dev *matched_pci_dev = NULL; + struct pci_dev *pci_dev = NULL; ++ struct pci_dev *_pci_dev = NULL; + int no_matches = 0, pkg_id; +- int i, bus_number; ++ int bus_number; + + if (bus_no < 0 || bus_no >= ISST_MAX_BUS_NUMBER || cpu < 0 || + cpu >= nr_cpu_ids || cpu >= num_possible_cpus()) +@@ -314,12 +313,11 @@ static struct pci_dev *_isst_if_get_pci_ + if (bus_number < 0) + return NULL; + +- for (i = 0; 
i < ISST_MAX_PCI_DOMAINS; ++i) { +- struct pci_dev *_pci_dev; ++ for_each_pci_dev(_pci_dev) { + int node; + +- _pci_dev = pci_get_domain_bus_and_slot(i, bus_number, PCI_DEVFN(dev, fn)); +- if (!_pci_dev) ++ if (_pci_dev->bus->number != bus_number || ++ _pci_dev->devfn != PCI_DEVFN(dev, fn)) + continue; + + ++no_matches; diff --git a/queue-6.3/power-supply-bq24190-call-power_supply_changed-after-updating-input-current.patch b/queue-6.3/power-supply-bq24190-call-power_supply_changed-after-updating-input-current.patch new file mode 100644 index 00000000000..eba477ecb6c --- /dev/null +++ b/queue-6.3/power-supply-bq24190-call-power_supply_changed-after-updating-input-current.patch 
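Review bot: Switching to `for_each_pci_dev(_pci_dev)` changes the reference rules for the devices this loop looks at: the iterator drops its reference on the previous device each time it advances, and it still holds one on the current device if the loop is left with `break`. The rest of the loop body is outside the hunk, so this cannot be checked here, but any pointer it keeps for later (for example `matched_pci_dev`) should take its own reference with `pci_dev_get()`, and an early exit should be balanced with `pci_dev_put()`. The match no longer looks at the PCI domain either, so `no_matches` now counts devices from every segment; a one-line comment saying so would help the next reader.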
@@ -0,0 +1,41 @@
+From 77c2a3097d7029441e8a91aa0de1b4e5464593da Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sat, 15 Apr 2023 20:23:41 +0200
+Subject: power: supply: bq24190: Call power_supply_changed() after updating input current
+
+From: Hans de Goede
+
+commit 77c2a3097d7029441e8a91aa0de1b4e5464593da upstream.
+
+The bq24192 model relies on external charger-type detection and once
+that is done the bq24190_charger code will update the input current.
+
+In this case, when the initial power_supply_changed() call is made
+from the interrupt handler, the input settings are 5V/0.5A which
+on many devices is not enough power to charge (while the device is on).
+
+On many devices the fuel-gauge relies in its external_power_changed
+callback to timely signal userspace about charging <-> discharging
+status changes. Add a power_supply_changed() call after updating
+the input current. This allows the fuel-gauge driver to timely recheck
+if the battery is charging after the new input current has been applied
+and then it can immediately notify userspace about this.
+
+Fixes: 18f8e6f695ac ("power: supply: bq24190_charger: Get input_current_limit from our supplier")
+Signed-off-by: Hans de Goede
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/bq24190_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1262,6 +1262,7 @@ static void bq24190_input_current_limit_
+ bq24190_charger_set_property(bdi->charger,
+ POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT,
+ &val);
++ power_supply_changed(bdi->charger);
+ }
+
+ /* Sync the input-current-limit with our parent supply (if we have one) */
diff --git a/queue-6.3/power-supply-bq25890-call-power_supply_changed-after-updating-input-current-or-voltage.patch b/queue-6.3/power-supply-bq25890-call-power_supply_changed-after-updating-input-current-or-voltage.patch
new file mode 100644
index 00000000000..05aa88938d7
--- /dev/null
+++ b/queue-6.3/power-supply-bq25890-call-power_supply_changed-after-updating-input-current-or-voltage.patch
@@ -0,0 +1,53 @@ +From ad3d9c779b1f09f3f3a6fefd07af407c7bc7c9a7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:40 +0200 +Subject: power: supply: bq25890: Call power_supply_changed() after updating input current or voltage + +From: Hans de Goede + +commit ad3d9c779b1f09f3f3a6fefd07af407c7bc7c9a7 upstream. + +The bq25892 model relies on external charger-type detection and once +that is done the bq25890_charger code will update the input current +and if pumpexpress is used also the input voltage. + +In this case, when the initial power_supply_changed() call is made +from the interrupt handler, the input settings are 5V/0.5A which +on many devices is not enough power to charge (while the device is on). + +On many devices the fuel-gauge relies in its external_power_changed +callback to timely signal userspace about charging <-> discharging +status changes. Add a power_supply_changed() call after updating +the input current or voltage. This allows the fuel-gauge driver +to timely recheck if the battery is charging after the new input +settings have been applied and then it can immediately notify +userspace about this. 
+ +Fixes: 48f45b094dbb ("power: supply: bq25890: Support higher charging voltages through Pump Express+ protocol") +Fixes: eab25b4f93aa ("power: supply: bq25890: On the bq25892 set the IINLIM based on external charger detection") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq25890_charger.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/power/supply/bq25890_charger.c ++++ b/drivers/power/supply/bq25890_charger.c +@@ -775,6 +775,7 @@ static void bq25890_charger_external_pow + } + + bq25890_field_write(bq, F_IINLIM, input_current_limit); ++ power_supply_changed(psy); + } + + static int bq25890_get_chip_state(struct bq25890_device *bq, +@@ -1106,6 +1107,8 @@ static void bq25890_pump_express_work(st + dev_info(bq->dev, "Hi-voltage charging requested, input voltage is %d mV\n", + voltage); + ++ power_supply_changed(bq->charger); ++ + return; + error_print: + bq25890_field_write(bq, F_PUMPX_EN, 0); diff --git a/queue-6.3/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch b/queue-6.3/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch new file mode 100644 index 00000000000..046c5a53805 --- /dev/null +++ b/queue-6.3/power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch 
@@ -0,0 +1,72 @@ +From 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:35 +0200 +Subject: power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status() + +From: Hans de Goede + +commit 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 upstream. + +Add a cache parameter to bq27xxx_battery_current_and_status() so that +it can optionally use cached flags instead of re-reading them itself. + +This is a preparation patch for making bq27xxx_battery_update() check +the status and have it call power_supply_changed() on status changes. + +Fixes: 297a533b3e62 ("bq27x00: Cache battery registers") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1840,7 +1840,8 @@ static bool bq27xxx_battery_is_full(stru + static int bq27xxx_battery_current_and_status( + struct bq27xxx_device_info *di, + union power_supply_propval *val_curr, +- union power_supply_propval *val_status) ++ union power_supply_propval *val_status, ++ struct bq27xxx_reg_cache *cache) + { + bool single_flags = (di->opts & BQ27XXX_O_ZERO); + int curr; +@@ -1852,10 +1853,14 @@ static int bq27xxx_battery_current_and_s + return curr; + } + +- flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags); +- if (flags < 0) { +- dev_err(di->dev, "error reading flags\n"); +- return flags; ++ if (cache) { ++ flags = cache->flags; ++ } else { ++ flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags); ++ if (flags < 0) { ++ dev_err(di->dev, "error reading flags\n"); ++ return flags; ++ } + } + + if (di->opts & BQ27XXX_O_ZERO) { +@@ -2001,7 +2006,7 @@ static int bq27xxx_battery_get_property( + + switch (psp) { + case POWER_SUPPLY_PROP_STATUS: +- ret = 
bq27xxx_battery_current_and_status(di, NULL, val); ++ ret = bq27xxx_battery_current_and_status(di, NULL, val, NULL); + break; + case POWER_SUPPLY_PROP_VOLTAGE_NOW: + ret = bq27xxx_battery_voltage(di, val); +@@ -2010,7 +2015,7 @@ static int bq27xxx_battery_get_property( + val->intval = di->cache.flags < 0 ? 0 : 1; + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: +- ret = bq27xxx_battery_current_and_status(di, val, NULL); ++ ret = bq27xxx_battery_current_and_status(di, val, NULL, NULL); + break; + case POWER_SUPPLY_PROP_CAPACITY: + ret = bq27xxx_simple_value(di->cache.capacity, val); diff --git a/queue-6.3/power-supply-bq27xxx-after-charger-plug-in-out-wait-0.5s-for-things-to-stabilize.patch b/queue-6.3/power-supply-bq27xxx-after-charger-plug-in-out-wait-0.5s-for-things-to-stabilize.patch new file mode 100644 index 00000000000..2bcf7e8090a --- /dev/null +++ b/queue-6.3/power-supply-bq27xxx-after-charger-plug-in-out-wait-0.5s-for-things-to-stabilize.patch 
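Review bot: The new `cache` branch in bq27xxx_battery_current_and_status() takes `cache->flags` without the `flags < 0` test that the register-read branch keeps, so a cached error value would flow into the status decoding further down. Both callers in this patch pass NULL, so nothing breaks yet. Either hoist the check out of the `else` so it covers both sources, `if (flags < 0) return flags;`, or document on the parameter that a caller may only pass a cache whose flags were read successfully. The function body continues outside the hunk.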
@@ -0,0 +1,35 @@
+From 59a99cd462fbdf71f4e845e09f37783035088b4f Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sat, 15 Apr 2023 20:23:38 +0200
+Subject: power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
+
+From: Hans de Goede
+
+commit 59a99cd462fbdf71f4e845e09f37783035088b4f upstream.
+
+bq27xxx_external_power_changed() gets called when the charger is plugged
+in or out. Rather then immediately scheduling an update wait 0.5 seconds
+for things to stabilize, so that e.g. the (dis)charge current is stable
+when bq27xxx_battery_update() runs.
+
+Fixes: 740b755a3b34 ("bq27x00: Poll battery state")
+Signed-off-by: Hans de Goede
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/bq27xxx_battery.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -2099,8 +2099,8 @@ static void bq27xxx_external_power_chang
+ {
+ struct bq27xxx_device_info *di = power_supply_get_drvdata(psy);
+
+- cancel_delayed_work_sync(&di->work);
+- schedule_delayed_work(&di->work, 0);
++ /* After charger plug in/out wait 0.5s for things to stabilize */
++ mod_delayed_work(system_wq, &di->work, HZ / 2);
+ }
+
+ int bq27xxx_battery_setup(struct bq27xxx_device_info *di)
diff --git a/queue-6.3/power-supply-bq27xxx-ensure-power_supply_changed-is-called-on-current-sign-changes.patch b/queue-6.3/power-supply-bq27xxx-ensure-power_supply_changed-is-called-on-current-sign-changes.patch
new file mode 100644
index 00000000000..5e89f0185f7
--- /dev/null
+++ b/queue-6.3/power-supply-bq27xxx-ensure-power_supply_changed-is-called-on-current-sign-changes.patch
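Review bot: bq27xxx_external_power_changed() now re-arms `di->work` with `mod_delayed_work()` unconditionally, without the `di->removed` test that bq27xxx_battery_update_unlocked() applies before it re-queues the same work item. If this callback can still run between `cancel_delayed_work_sync()` and `power_supply_unregister()` in teardown (not visible in this hunk), the work could be queued again for a device that is going away. Guarding the call while holding `di->lock`, as `if (!di->removed) mod_delayed_work(system_wq, &di->work, HZ / 2);`, would keep the two re-queue sites consistent.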
@@ -0,0 +1,90 @@ +From 939a116142012926e25de0ea6b7e2f8d86a5f1b6 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:37 +0200 +Subject: power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes + +From: Hans de Goede + +commit 939a116142012926e25de0ea6b7e2f8d86a5f1b6 upstream. + +On gauges where the current register is signed, there is no charging +flag in the flags register. So only checking flags will not result +in power_supply_changed() getting called when e.g. a charger is plugged +in and the current sign changes from negative (discharging) to +positive (charging). + +This causes userspace's notion of the status to lag until userspace +does a poll. + +And when a power_supply_leds.c LED trigger is used to indicate charging +status with a LED, this LED will lag until the capacity percentage +changes, which may take many minutes (because the LED trigger only is +updated on power_supply_changed() calls). + +Fix this by calling bq27xxx_battery_current_and_status() on gauges with +a signed current register and checking if the status has changed. 
+ +Fixes: 297a533b3e62 ("bq27x00: Cache battery registers") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 13 ++++++++++++- + include/linux/power/bq27xxx_battery.h | 3 +++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1836,6 +1836,7 @@ static int bq27xxx_battery_current_and_s + + static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) + { ++ union power_supply_propval status = di->last_status; + struct bq27xxx_reg_cache cache = {0, }; + bool has_singe_flag = di->opts & BQ27XXX_O_ZERO; + +@@ -1860,14 +1861,24 @@ static void bq27xxx_battery_update_unloc + if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR) + cache.cycle_count = bq27xxx_battery_read_cyct(di); + ++ /* ++ * On gauges with signed current reporting the current must be ++ * checked to detect charging <-> discharging status changes. 
++ */ ++ if (!(di->opts & BQ27XXX_O_ZERO)) ++ bq27xxx_battery_current_and_status(di, NULL, &status, &cache); ++ + /* We only have to read charge design full once */ + if (di->charge_design_full <= 0) + di->charge_design_full = bq27xxx_battery_read_dcap(di); + } + + if ((di->cache.capacity != cache.capacity) || +- (di->cache.flags != cache.flags)) ++ (di->cache.flags != cache.flags) || ++ (di->last_status.intval != status.intval)) { ++ di->last_status.intval = status.intval; + power_supply_changed(di->bat); ++ } + + if (memcmp(&di->cache, &cache, sizeof(cache)) != 0) + di->cache = cache; +--- a/include/linux/power/bq27xxx_battery.h ++++ b/include/linux/power/bq27xxx_battery.h +@@ -2,6 +2,8 @@ + #ifndef __LINUX_BQ27X00_BATTERY_H__ + #define __LINUX_BQ27X00_BATTERY_H__ + ++#include ++ + enum bq27xxx_chip { + BQ27000 = 1, /* bq27000, bq27200 */ + BQ27010, /* bq27010, bq27210 */ +@@ -70,6 +72,7 @@ struct bq27xxx_device_info { + int charge_design_full; + bool removed; + unsigned long last_update; ++ union power_supply_propval last_status; + struct delayed_work work; + struct power_supply *bat; + struct list_head list; diff --git a/queue-6.3/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch b/queue-6.3/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch new file mode 100644 index 00000000000..d787350c511 --- /dev/null +++ b/queue-6.3/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch 
@@ -0,0 +1,92 @@ +From 5c34c0aef185dcd10881847b9ebf20046aa77cb4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:32 +0200 +Subject: power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition + +From: Hans de Goede + +commit 5c34c0aef185dcd10881847b9ebf20046aa77cb4 upstream. + +bq27xxx_battery_update() assumes / requires that it is only run once, +not multiple times at the same time. But there are 3 possible callers: + +1. bq27xxx_battery_poll() delayed_work item handler +2. bq27xxx_battery_irq_handler_thread() I2C IRQ handler +3. bq27xxx_battery_setup() + +And there is no protection against these racing with each other, +fix this race condition by making all callers take di->lock: + +- Rename bq27xxx_battery_update() to bq27xxx_battery_update_unlocked() + +- Add new bq27xxx_battery_update() which takes di->lock and then calls + bq27xxx_battery_update_unlocked() + +- Make stale cache check code in bq27xxx_battery_get_property(), which + already takes di->lock directly to check the jiffies, call + bq27xxx_battery_update_unlocked() instead of messing with + the delayed_work item + +- Make bq27xxx_battery_update_unlocked() mod the delayed-work item + so that the next poll is delayed to poll_interval milliseconds after + the last update independent of the source of the update + +Fixes: 740b755a3b34 ("bq27x00: Poll battery state") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1761,7 +1761,7 @@ static int bq27xxx_battery_read_health(s + return POWER_SUPPLY_HEALTH_GOOD; + } + +-void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) + { + struct bq27xxx_reg_cache cache = {0, }; + bool 
has_singe_flag = di->opts & BQ27XXX_O_ZERO; +@@ -1800,6 +1800,16 @@ void bq27xxx_battery_update(struct bq27x + di->cache = cache; + + di->last_update = jiffies; ++ ++ if (poll_interval > 0) ++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ); ++} ++ ++void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++{ ++ mutex_lock(&di->lock); ++ bq27xxx_battery_update_unlocked(di); ++ mutex_unlock(&di->lock); + } + EXPORT_SYMBOL_GPL(bq27xxx_battery_update); + +@@ -1810,9 +1820,6 @@ static void bq27xxx_battery_poll(struct + work.work); + + bq27xxx_battery_update(di); +- +- if (poll_interval > 0) +- schedule_delayed_work(&di->work, poll_interval * HZ); + } + + static bool bq27xxx_battery_is_full(struct bq27xxx_device_info *di, int flags) +@@ -1985,10 +1992,8 @@ static int bq27xxx_battery_get_property( + struct bq27xxx_device_info *di = power_supply_get_drvdata(psy); + + mutex_lock(&di->lock); +- if (time_is_before_jiffies(di->last_update + 5 * HZ)) { +- cancel_delayed_work_sync(&di->work); +- bq27xxx_battery_poll(&di->work.work); +- } ++ if (time_is_before_jiffies(di->last_update + 5 * HZ)) ++ bq27xxx_battery_update_unlocked(di); + mutex_unlock(&di->lock); + + if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0) diff --git a/queue-6.3/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch b/queue-6.3/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch new file mode 100644 index 00000000000..8238ba5f0b8 --- /dev/null +++ b/queue-6.3/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch 
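Review bot: bq27xxx_battery_get_property() still reads `di->cache.flags` immediately after `mutex_unlock(&di->lock)`, while the update path this patch serializes replaces `di->cache` under that lock. A reader can therefore still observe the cache while another context is rewriting it, so the race is closed between writers but not between a writer and this reader. The rest of the function is outside the hunk; if the later property reads also go to `di->cache`, holding the lock across them, or copying the needed fields to locals before unlocking, would finish the job.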
@@ -0,0 +1,44 @@
+From 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Sat, 15 Apr 2023 20:23:33 +0200
+Subject: power: supply: bq27xxx: Fix I2C IRQ race on remove
+
+From: Hans de Goede
+
+commit 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 upstream.
+
+devm_request_threaded_irq() requested IRQs are only free-ed after
+the driver's remove function has ran. So the IRQ could trigger and
+call bq27xxx_battery_update() after bq27xxx_battery_teardown() has
+already run.
+
+Switch to explicitly free-ing the IRQ in bq27xxx_battery_i2c_remove()
+to fix this.
+
+Fixes: 8807feb91b76 ("power: bq27xxx_battery: Add interrupt handling support")
+Signed-off-by: Hans de Goede
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/bq27xxx_battery_i2c.c
++++ b/drivers/power/supply/bq27xxx_battery_i2c.c
+@@ -179,7 +179,7 @@ static int bq27xxx_battery_i2c_probe(str
+ i2c_set_clientdata(client, di);
+
+ if (client->irq) {
+- ret = devm_request_threaded_irq(&client->dev, client->irq,
++ ret = request_threaded_irq(client->irq,
+ NULL, bq27xxx_battery_irq_handler_thread,
+ IRQF_ONESHOT,
+ di->name, di);
+@@ -209,6 +209,7 @@ static void bq27xxx_battery_i2c_remove(s
+ {
+ struct bq27xxx_device_info *di = i2c_get_clientdata(client);
+
++ free_irq(client->irq, di);
+ bq27xxx_battery_teardown(di);
+
+ mutex_lock(&battery_mutex);
diff --git a/queue-6.3/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch b/queue-6.3/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch
new file mode 100644
index 00000000000..68443f280a2
--- /dev/null
+++ b/queue-6.3/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch
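Review bot: `free_irq(client->irq, di)` in bq27xxx_battery_i2c_remove() runs unconditionally, but probe only requests the interrupt inside `if (client->irq)`. On a device that has no interrupt this asks the IRQ core to free a line that was never requested; guard it the same way with `if (client->irq) free_irq(client->irq, di);`. Dropping the devm variant also means a probe failure after `request_threaded_irq()` has succeeded no longer releases the IRQ automatically. The rest of probe is outside the hunk, so its error paths should be checked for a matching `free_irq()`.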
@@ -0,0 +1,94 @@ +From c00bc80462afc7963f449d7f21d896d2f629cacc Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:34 +0200 +Subject: power: supply: bq27xxx: Fix poll_interval handling and races on remove + +From: Hans de Goede + +commit c00bc80462afc7963f449d7f21d896d2f629cacc upstream. + +Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 +to avoid bq27xxx_battery_update() requeuing the delayed_work item. + +There are 2 problems with this: + +1. If the driver is unbound through sysfs, rather then the module being + rmmod-ed, this changes poll_interval unexpectedly + +2. This is racy, after it being set poll_interval could be changed + before bq27xxx_battery_update() checks it through + /sys/module/bq27xxx_battery/parameters/poll_interval + +Fix this by added a removed attribute to struct bq27xxx_device_info and +using that instead of setting poll_interval to 0. + +There also is another poll_interval related race on remove(), writing +/sys/module/bq27xxx_battery/parameters/poll_interval will requeue +the delayed_work item for all devices on the bq27xxx_battery_devices +list and the device being removed was only removed from that list +after cancelling the delayed_work item. + +Fix this by moving the removal from the bq27xxx_battery_devices list +to before cancelling the delayed_work item. 
+ +Fixes: 8cfaaa811894 ("bq27x00_battery: Fix OOPS caused by unregistring bq27x00 driver") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 22 +++++++++------------- + include/linux/power/bq27xxx_battery.h | 1 + + 2 files changed, 10 insertions(+), 13 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1801,7 +1801,7 @@ static void bq27xxx_battery_update_unloc + + di->last_update = jiffies; + +- if (poll_interval > 0) ++ if (!di->removed && poll_interval > 0) + mod_delayed_work(system_wq, &di->work, poll_interval * HZ); + } + +@@ -2132,22 +2132,18 @@ EXPORT_SYMBOL_GPL(bq27xxx_battery_setup) + + void bq27xxx_battery_teardown(struct bq27xxx_device_info *di) + { +- /* +- * power_supply_unregister call bq27xxx_battery_get_property which +- * call bq27xxx_battery_poll. +- * Make sure that bq27xxx_battery_poll will not call +- * schedule_delayed_work again after unregister (which cause OOPS). +- */ +- poll_interval = 0; +- +- cancel_delayed_work_sync(&di->work); +- +- power_supply_unregister(di->bat); +- + mutex_lock(&bq27xxx_list_lock); + list_del(&di->list); + mutex_unlock(&bq27xxx_list_lock); + ++ /* Set removed to avoid bq27xxx_battery_update() re-queuing the work */ ++ mutex_lock(&di->lock); ++ di->removed = true; ++ mutex_unlock(&di->lock); ++ ++ cancel_delayed_work_sync(&di->work); ++ ++ power_supply_unregister(di->bat); + mutex_destroy(&di->lock); + } + EXPORT_SYMBOL_GPL(bq27xxx_battery_teardown); +--- a/include/linux/power/bq27xxx_battery.h ++++ b/include/linux/power/bq27xxx_battery.h +@@ -68,6 +68,7 @@ struct bq27xxx_device_info { + struct bq27xxx_access_methods bus; + struct bq27xxx_reg_cache cache; + int charge_design_full; ++ bool removed; + unsigned long last_update; + struct delayed_work work; + struct power_supply *bat; 
diff --git a/queue-6.3/power-supply-bq27xxx-move-bq27xxx_battery_update-down.patch b/queue-6.3/power-supply-bq27xxx-move-bq27xxx_battery_update-down.patch
new file mode 100644
index 00000000000..31e0f30a45b
--- /dev/null
+++ b/queue-6.3/power-supply-bq27xxx-move-bq27xxx_battery_update-down.patch
@@ -0,0 +1,163 @@ +From ff4c4a2a4437a6d03787c7aafb2617f20c3ef45f Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:36 +0200 +Subject: power: supply: bq27xxx: Move bq27xxx_battery_update() down + +From: Hans de Goede + +commit ff4c4a2a4437a6d03787c7aafb2617f20c3ef45f upstream. + +Move the bq27xxx_battery_update() functions to below +the bq27xxx_battery_current_and_status() function. + +This is just moving a block of text, no functional changes. + +This is a preparation patch for making bq27xxx_battery_update() check +the status and have it call power_supply_changed() on status changes. + +Fixes: 297a533b3e62 ("bq27x00: Cache battery registers") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 122 ++++++++++++++++----------------- + 1 file changed, 61 insertions(+), 61 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1761,67 +1761,6 @@ static int bq27xxx_battery_read_health(s + return POWER_SUPPLY_HEALTH_GOOD; + } + +-static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) +-{ +- struct bq27xxx_reg_cache cache = {0, }; +- bool has_singe_flag = di->opts & BQ27XXX_O_ZERO; +- +- cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag); +- if ((cache.flags & 0xff) == 0xff) +- cache.flags = -1; /* read error */ +- if (cache.flags >= 0) { +- cache.temperature = bq27xxx_battery_read_temperature(di); +- if (di->regs[BQ27XXX_REG_TTE] != INVALID_REG_ADDR) +- cache.time_to_empty = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTE); +- if (di->regs[BQ27XXX_REG_TTECP] != INVALID_REG_ADDR) +- cache.time_to_empty_avg = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTECP); +- if (di->regs[BQ27XXX_REG_TTF] != INVALID_REG_ADDR) +- cache.time_to_full = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTF); +- +- cache.charge_full = bq27xxx_battery_read_fcc(di); +- cache.capacity = 
bq27xxx_battery_read_soc(di); +- if (di->regs[BQ27XXX_REG_AE] != INVALID_REG_ADDR) +- cache.energy = bq27xxx_battery_read_energy(di); +- di->cache.flags = cache.flags; +- cache.health = bq27xxx_battery_read_health(di); +- if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR) +- cache.cycle_count = bq27xxx_battery_read_cyct(di); +- +- /* We only have to read charge design full once */ +- if (di->charge_design_full <= 0) +- di->charge_design_full = bq27xxx_battery_read_dcap(di); +- } +- +- if ((di->cache.capacity != cache.capacity) || +- (di->cache.flags != cache.flags)) +- power_supply_changed(di->bat); +- +- if (memcmp(&di->cache, &cache, sizeof(cache)) != 0) +- di->cache = cache; +- +- di->last_update = jiffies; +- +- if (!di->removed && poll_interval > 0) +- mod_delayed_work(system_wq, &di->work, poll_interval * HZ); +-} +- +-void bq27xxx_battery_update(struct bq27xxx_device_info *di) +-{ +- mutex_lock(&di->lock); +- bq27xxx_battery_update_unlocked(di); +- mutex_unlock(&di->lock); +-} +-EXPORT_SYMBOL_GPL(bq27xxx_battery_update); +- +-static void bq27xxx_battery_poll(struct work_struct *work) +-{ +- struct bq27xxx_device_info *di = +- container_of(work, struct bq27xxx_device_info, +- work.work); +- +- bq27xxx_battery_update(di); +-} +- + static bool bq27xxx_battery_is_full(struct bq27xxx_device_info *di, int flags) + { + if (di->opts & BQ27XXX_O_ZERO) +@@ -1895,6 +1834,67 @@ static int bq27xxx_battery_current_and_s + return 0; + } + ++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) ++{ ++ struct bq27xxx_reg_cache cache = {0, }; ++ bool has_singe_flag = di->opts & BQ27XXX_O_ZERO; ++ ++ cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag); ++ if ((cache.flags & 0xff) == 0xff) ++ cache.flags = -1; /* read error */ ++ if (cache.flags >= 0) { ++ cache.temperature = bq27xxx_battery_read_temperature(di); ++ if (di->regs[BQ27XXX_REG_TTE] != INVALID_REG_ADDR) ++ cache.time_to_empty = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTE); ++ 
if (di->regs[BQ27XXX_REG_TTECP] != INVALID_REG_ADDR) ++ cache.time_to_empty_avg = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTECP); ++ if (di->regs[BQ27XXX_REG_TTF] != INVALID_REG_ADDR) ++ cache.time_to_full = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTF); ++ ++ cache.charge_full = bq27xxx_battery_read_fcc(di); ++ cache.capacity = bq27xxx_battery_read_soc(di); ++ if (di->regs[BQ27XXX_REG_AE] != INVALID_REG_ADDR) ++ cache.energy = bq27xxx_battery_read_energy(di); ++ di->cache.flags = cache.flags; ++ cache.health = bq27xxx_battery_read_health(di); ++ if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR) ++ cache.cycle_count = bq27xxx_battery_read_cyct(di); ++ ++ /* We only have to read charge design full once */ ++ if (di->charge_design_full <= 0) ++ di->charge_design_full = bq27xxx_battery_read_dcap(di); ++ } ++ ++ if ((di->cache.capacity != cache.capacity) || ++ (di->cache.flags != cache.flags)) ++ power_supply_changed(di->bat); ++ ++ if (memcmp(&di->cache, &cache, sizeof(cache)) != 0) ++ di->cache = cache; ++ ++ di->last_update = jiffies; ++ ++ if (!di->removed && poll_interval > 0) ++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ); ++} ++ ++void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++{ ++ mutex_lock(&di->lock); ++ bq27xxx_battery_update_unlocked(di); ++ mutex_unlock(&di->lock); ++} ++EXPORT_SYMBOL_GPL(bq27xxx_battery_update); ++ ++static void bq27xxx_battery_poll(struct work_struct *work) ++{ ++ struct bq27xxx_device_info *di = ++ container_of(work, struct bq27xxx_device_info, ++ work.work); ++ ++ bq27xxx_battery_update(di); ++} ++ + /* + * Get the average power in µW + * Return < 0 if something fails. diff --git a/queue-6.3/power-supply-leds-fix-blink-to-led-on-transition.patch b/queue-6.3/power-supply-leds-fix-blink-to-led-on-transition.patch new file mode 100644 index 00000000000..648d3b45de6 --- /dev/null +++ b/queue-6.3/power-supply-leds-fix-blink-to-led-on-transition.patch 
@@ -0,0 +1,51 @@
+From e4484643991e0f6b89060092563f0dbab9450cbb Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Thu, 13 Apr 2023 12:09:41 +0200
+Subject: power: supply: leds: Fix blink to LED on transition
+
+From: Hans de Goede
+
+commit e4484643991e0f6b89060092563f0dbab9450cbb upstream.
+
+When a battery's status changes from charging to full then
+the charging-blink-full-solid trigger tries to change
+the LED from blinking to solid/on.
+
+As is documented in include/linux/leds.h to deactivate blinking /
+to make the LED solid a LED_OFF must be send:
+
+"""
+ * Deactivate blinking again when the brightness is set to LED_OFF
+ * via the brightness_set() callback.
+"""
+
+led_set_brighness() calls with a brightness value other then 0 / LED_OFF
+merely change the brightness of the LED in its on state while it is
+blinking.
+
+So power_supply_update_bat_leds() must first send a LED_OFF event
+before the LED_FULL to disable blinking.
+
+Fixes: 6501f728c56f ("power_supply: Add new LED trigger charging-blink-solid-full")
+Signed-off-by: Hans de Goede
+Reviewed-by: Vasily Khoruzhick
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/power_supply_leds.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/power_supply_leds.c
++++ b/drivers/power/supply/power_supply_leds.c
+@@ -35,8 +35,9 @@ static void power_supply_update_bat_leds
+ led_trigger_event(psy->charging_full_trig, LED_FULL);
+ led_trigger_event(psy->charging_trig, LED_OFF);
+ led_trigger_event(psy->full_trig, LED_FULL);
+- led_trigger_event(psy->charging_blink_full_solid_trig,
+- LED_FULL);
++ /* Going from blink to LED on requires a LED_OFF event to stop blink */
++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_OFF);
++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_FULL);
+ break;
+ case POWER_SUPPLY_STATUS_CHARGING:
+ led_trigger_event(psy->charging_full_trig, LED_FULL);
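Review bot: The `LED_OFF` and `LED_FULL` events for `charging_blink_full_solid_trig` are issued back to back, and nothing in this hunk shows that the LED core has finished stopping the blink before the second call arrives. If the off request is handled asynchronously while the LED is still in its blinking state, the following `LED_FULL` could be taken as a brightness change of the blink rather than a switch to solid on; that depends on led_trigger_event() internals outside the hunk and should be confirmed on a software-blink LED. I would record the ordering requirement in the comment, e.g. `/* LED_OFF stops the blink; LED_FULL must only take effect after that, see include/linux/leds.h */`. power_supply_update_bat_leds() starts and ends outside the hunk.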
diff --git a/queue-6.3/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch b/queue-6.3/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch
new file mode 100644
index 00000000000..b82f59a6c22
--- /dev/null
+++ b/queue-6.3/power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch
@@ -0,0 +1,32 @@
+From 4cbb0d358883a27e432714b5256f0362946f5e25 Mon Sep 17 00:00:00 2001
+From: Kang Chen
+Date: Mon, 27 Feb 2023 11:14:10 +0800
+Subject: power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe
+
+From: Kang Chen
+
+commit 4cbb0d358883a27e432714b5256f0362946f5e25 upstream.
+
+devm_work_autocancel may fail, add a check and return early.
+
+Fixes: 0402e8ebb8b86 ("power: supply: mt6360_charger: add MT6360 charger support")
+Signed-off-by: Kang Chen
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/mt6360_charger.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/mt6360_charger.c
++++ b/drivers/power/supply/mt6360_charger.c
+@@ -796,7 +796,9 @@ static int mt6360_charger_probe(struct p
+ mci->vinovp = 6500000;
+ mutex_init(&mci->chgdet_lock);
+ platform_set_drvdata(pdev, mci);
+- devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work);
++ ret = devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work);
++ if (ret)
++ return dev_err_probe(&pdev->dev, ret, "Failed to set delayed work\n");
+
+ ret = device_property_read_u32(&pdev->dev, "richtek,vinovp-microvolt", &mci->vinovp);
+ if (ret)
diff --git a/queue-6.3/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch b/queue-6.3/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch
new file mode 100644
index 00000000000..78794c29e0b
--- /dev/null
+++ b/queue-6.3/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch
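Review bot: The message added in mt6360_charger_probe(), `"Failed to set delayed work\n"`, does not describe the call it reports on: devm_work_autocancel() is given `&mci->chrdet_work` and `mt6360_chrdet_work`, and nothing in the hunk points to a delayed work item. A message tied to the object is easier to find in a log, e.g. `return dev_err_probe(&pdev->dev, ret, "Failed to register chrdet work\n");`. The probe function starts and continues outside the hunk.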
@@ -0,0 +1,31 @@
+From b2f2a3c9800208b0db2c2e34b05323757117faa2 Mon Sep 17 00:00:00 2001
+From: Daisuke Nojiri
+Date: Mon, 24 Apr 2023 11:25:58 -0700
+Subject: power: supply: sbs-charger: Fix INHIBITED bit for Status reg
+
+From: Daisuke Nojiri
+
+commit b2f2a3c9800208b0db2c2e34b05323757117faa2 upstream.
+
+CHARGE_INHIBITED bit position of the ChargerStatus register is actually
+0 not 1. This patch corrects it.
+
+Fixes: feb583e37f8a8 ("power: supply: add sbs-charger driver")
+Signed-off-by: Daisuke Nojiri
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/sbs-charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/sbs-charger.c
++++ b/drivers/power/supply/sbs-charger.c
+@@ -24,7 +24,7 @@
+ #define SBS_CHARGER_REG_STATUS 0x13
+ #define SBS_CHARGER_REG_ALARM_WARNING 0x16
+
+-#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(1)
++#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(0)
+ #define SBS_CHARGER_STATUS_RES_COLD BIT(9)
+ #define SBS_CHARGER_STATUS_RES_HOT BIT(10)
+ #define SBS_CHARGER_STATUS_BATTERY_PRESENT BIT(14)
diff --git a/queue-6.3/regulator-pca9450-fix-buck2-enable_mask.patch b/queue-6.3/regulator-pca9450-fix-buck2-enable_mask.patch
new file mode 100644
index 00000000000..001230210ac
--- /dev/null
+++ b/queue-6.3/regulator-pca9450-fix-buck2-enable_mask.patch
@@ -0,0 +1,43 @@
+From d67dada3e2524514b09496b9ee1df22d4507a280 Mon Sep 17 00:00:00 2001
+From: Alexander Stein
+Date: Fri, 12 May 2023 10:19:34 +0200
+Subject: regulator: pca9450: Fix BUCK2 enable_mask
+
+From: Alexander Stein
+
+commit d67dada3e2524514b09496b9ee1df22d4507a280 upstream.
+
+This fixes a copy & paste error.
+No functional change intended, BUCK1_ENMODE_MASK equals BUCK2_ENMODE_MASK.
+
+Fixes: 0935ff5f1f0a ("regulator: pca9450: add pca9450 pmic driver")
+Originally-from: Robin Gong
+---
+ drivers/regulator/pca9450-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/pca9450-regulator.c
++++ b/drivers/regulator/pca9450-regulator.c
+@@ -264,7 +264,7 @@ static const struct pca9450_regulator_de
+ .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0,
+ .vsel_mask = BUCK2OUT_DVS0_MASK,
+ .enable_reg = PCA9450_REG_BUCK2CTRL,
+- .enable_mask = BUCK1_ENMODE_MASK,
++ .enable_mask = BUCK2_ENMODE_MASK,
+ .ramp_reg = PCA9450_REG_BUCK2CTRL,
+ .ramp_mask = BUCK2_RAMP_MASK,
+ .ramp_delay_table = pca9450_dvs_buck_ramp_table,
+@@ -502,7 +502,7 @@ static const struct pca9450_regulator_de
+ .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0,
+ .vsel_mask = BUCK2OUT_DVS0_MASK,
+ .enable_reg = PCA9450_REG_BUCK2CTRL,
+- .enable_mask = BUCK1_ENMODE_MASK,
++ .enable_mask = BUCK2_ENMODE_MASK,
+ .ramp_reg = PCA9450_REG_BUCK2CTRL,
+ .ramp_mask = BUCK2_RAMP_MASK,
+ .ramp_delay_table = pca9450_dvs_buck_ramp_table,
diff --git a/queue-6.3/selftests-fib_tests-mute-cleanup-error-message.patch b/queue-6.3/selftests-fib_tests-mute-cleanup-error-message.patch
new file mode 100644
index 00000000000..47cb677c5ca
--- /dev/null
+++ b/queue-6.3/selftests-fib_tests-mute-cleanup-error-message.patch
@@ -0,0 +1,45 @@
+From d226b1df361988f885c298737d6019c863a25f26 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin
+Date: Thu, 18 May 2023 12:37:59 +0800
+Subject: selftests: fib_tests: mute cleanup error message
+
+From: Po-Hsu Lin
+
+commit d226b1df361988f885c298737d6019c863a25f26 upstream.
+
+In the end of the test, there will be an error message induced by the
+`ip netns del ns1` command in cleanup()
+
+ Tests passed: 201
+ Tests failed: 0
+ Cannot remove namespace file "/run/netns/ns1": No such file or directory
+
+This can even be reproduced with just `./fib_tests.sh -h` as we're
+calling cleanup() on exit.
+
+Redirect the error message to /dev/null to mute it.
+
+V2: Update commit message and fixes tag.
+V3: resubmit due to missing netdev ML in V2
+
+Fixes: b60417a9f2b8 ("selftest: fib_tests: Always cleanup before exit")
+Signed-off-by: Po-Hsu Lin
+Reviewed-by: Ido Schimmel
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/fib_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -68,7 +68,7 @@ setup()
+ cleanup()
+ {
+ $IP link del dev dummy0 &> /dev/null
+- ip netns del ns1
++ ip netns del ns1 &> /dev/null
+ ip netns del ns2 &> /dev/null
+ }
+
diff --git a/queue-6.3/series b/queue-6.3/series
index 248857f0130..bd39890db2c 100644
--- a/queue-6.3/series
+++ b/queue-6.3/series
@@ -65,3 +65,34 @@ usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch
 usb-sisusbvga-add-endpoint-checks.patch
 media-radio-shark-add-endpoint-checks.patch
 asoc-lpass-fix-for-kasan-use_after_free-out-of-bounds.patch
+net-fix-skb-leak-in-__skb_tstamp_tx.patch
+drm-fix-drmm_mutex_init.patch
+selftests-fib_tests-mute-cleanup-error-message.patch
+octeontx2-pf-fix-tsov6-offload.patch
+bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch
+bpf-fix-a-memory-leak-in-the-lru-and-lru_percpu-hash-maps.patch
+lan966x-fix-unloading-loading-of-the-driver.patch
+ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch
+cifs-mapchars-mount-option-ignored.patch
+power-supply-leds-fix-blink-to-led-on-transition.patch
+power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch
+power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch
+power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch
+power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch
+power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch
+power-supply-bq27xxx-move-bq27xxx_battery_update-down.patch
+power-supply-bq27xxx-ensure-power_supply_changed-is-called-on-current-sign-changes.patch
+power-supply-bq27xxx-after-charger-plug-in-out-wait-0.5s-for-things-to-stabilize.patch
+power-supply-bq25890-call-power_supply_changed-after-updating-input-current-or-voltage.patch
+power-supply-bq24190-call-power_supply_changed-after-updating-input-current.patch
+power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch
+optee-fix-uninited-async-notif-value.patch
+firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch
+firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch
+fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch
+regulator-pca9450-fix-buck2-enable_mask.patch
+platform-x86-isst-remove-8-socket-limit.patch
+coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch
+arm-dts-imx6qdl-mba6-add-missing-pvcie-supply-regulator.patch
+x86-pci-xen-populate-msi-sysfs-entries.patch
+xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch
diff --git a/queue-6.3/x86-pci-xen-populate-msi-sysfs-entries.patch b/queue-6.3/x86-pci-xen-populate-msi-sysfs-entries.patch
new file mode 100644
index 00000000000..1901f18e7ee
--- /dev/null
+++ b/queue-6.3/x86-pci-xen-populate-msi-sysfs-entries.patch
@@ -0,0 +1,119 @@
+From 335b4223466dd75f9f3ea4918187afbadd22e5c8 Mon Sep 17 00:00:00 2001
+From: Maximilian Heyne
+Date: Wed, 3 May 2023 13:16:53 +0000
+Subject: x86/pci/xen: populate MSI sysfs entries
+
+From: Maximilian Heyne
+
+commit 335b4223466dd75f9f3ea4918187afbadd22e5c8 upstream.
+
+Commit bf5e758f02fc ("genirq/msi: Simplify sysfs handling") reworked the
+creation of sysfs entries for MSI IRQs. The creation used to be in
+msi_domain_alloc_irqs_descs_locked after calling ops->domain_alloc_irqs.
+Then it moved into __msi_domain_alloc_irqs which is an implementation of
+domain_alloc_irqs. However, Xen comes with the only other implementation
+of domain_alloc_irqs and hence doesn't run the sysfs population code
+anymore.
+
+Commit 6c796996ee70 ("x86/pci/xen: Fixup fallout from the PCI/MSI
+overhaul") set the flag MSI_FLAG_DEV_SYSFS for the xen msi_domain_info
+but that doesn't actually have an effect because Xen uses it's own
+domain_alloc_irqs implementation.
+
+Fix this by making use of the fallback functions for sysfs population.
+
+Fixes: bf5e758f02fc ("genirq/msi: Simplify sysfs handling")
+Signed-off-by: Maximilian Heyne
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20230503131656.15928-1-mheyne@amazon.de
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/pci/xen.c | 8 +++++---
+ include/linux/msi.h | 9 ++++++++-
+ kernel/irq/msi.c | 4 ++--
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/pci/xen.c
++++ b/arch/x86/pci/xen.c
+@@ -198,7 +198,7 @@ static int xen_setup_msi_irqs(struct pci
+ i++;
+ }
+ kfree(v);
+- return 0;
++ return msi_device_populate_sysfs(&dev->dev);
+
+ error:
+ if (ret == -ENOSYS)
+@@ -254,7 +254,7 @@ static int xen_hvm_setup_msi_irqs(struct
+ dev_dbg(&dev->dev,
+ "xen: msi --> pirq=%d --> irq=%d\n", pirq, irq);
+ }
+- return 0;
++ return msi_device_populate_sysfs(&dev->dev);
+
+ error:
+ dev_err(&dev->dev, "Failed to create MSI%s! ret=%d!\n",
+@@ -346,7 +346,7 @@ static int xen_initdom_setup_msi_irqs(st
+ if (ret < 0)
+ goto out;
+ }
+- ret = 0;
++ ret = msi_device_populate_sysfs(&dev->dev);
+ out:
+ return ret;
+ }
+@@ -394,6 +394,8 @@ static void xen_teardown_msi_irqs(struct
+ xen_destroy_irq(msidesc->irq + i);
+ msidesc->irq = 0;
+ }
++
++ msi_device_destroy_sysfs(&dev->dev);
+ }
+
+ static void xen_pv_teardown_msi_irqs(struct pci_dev *dev)
+--- a/include/linux/msi.h
++++ b/include/linux/msi.h
+@@ -383,6 +383,13 @@ int arch_setup_msi_irq(struct pci_dev *d
+ void arch_teardown_msi_irq(unsigned int irq);
+ int arch_setup_msi_irqs(struct pci_dev *dev, int nvec, int type);
+ void arch_teardown_msi_irqs(struct pci_dev *dev);
++#endif /* CONFIG_PCI_MSI_ARCH_FALLBACKS */
++
++/*
++ * Xen uses non-default msi_domain_ops and hence needs a way to populate sysfs
++ * entries of MSI IRQs.
++ */
++#if defined(CONFIG_PCI_XEN) || defined(CONFIG_PCI_MSI_ARCH_FALLBACKS)
+ #ifdef CONFIG_SYSFS
+ int msi_device_populate_sysfs(struct device *dev);
+ void msi_device_destroy_sysfs(struct device *dev);
+@@ -390,7 +397,7 @@ void msi_device_destroy_sysfs(struct dev
+ static inline int msi_device_populate_sysfs(struct device *dev) { return 0; }
+ static inline void msi_device_destroy_sysfs(struct device *dev) { }
+ #endif /* !CONFIG_SYSFS */
+-#endif /* CONFIG_PCI_MSI_ARCH_FALLBACKS */
++#endif /* CONFIG_PCI_XEN || CONFIG_PCI_MSI_ARCH_FALLBACKS */
+
+ /*
+ * The restore hook is still available even for fully irq domain based
+--- a/kernel/irq/msi.c
++++ b/kernel/irq/msi.c
+@@ -542,7 +542,7 @@ fail:
+ return ret;
+ }
+
+-#ifdef CONFIG_PCI_MSI_ARCH_FALLBACKS
++#if defined(CONFIG_PCI_MSI_ARCH_FALLBACKS) || defined(CONFIG_PCI_XEN)
+ /**
+ * msi_device_populate_sysfs - Populate msi_irqs sysfs entries for a device
+ * @dev: The device (PCI, platform etc) which will get sysfs entries
+@@ -574,7 +574,7 @@ void msi_device_destroy_sysfs(struct dev
+ msi_for_each_desc(desc, dev, MSI_DESC_ALL)
+ msi_sysfs_remove_desc(dev, desc);
+ }
+-#endif /* CONFIG_PCI_MSI_ARCH_FALLBACK */
++#endif /* CONFIG_PCI_MSI_ARCH_FALLBACK || CONFIG_PCI_XEN */
+ #else /* CONFIG_SYSFS */
+ static inline int msi_sysfs_create_group(struct device *dev) { return 0; }
+ static inline int msi_sysfs_populate_desc(struct device *dev, struct msi_desc *desc) { return 0; }
diff --git a/queue-6.3/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch b/queue-6.3/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch
new file mode 100644
index 00000000000..d6f80f85d71
--- /dev/null
+++ b/queue-6.3/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch
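Review bot: In xen_setup_msi_irqs() and xen_hvm_setup_msi_irqs() the new `return msi_device_populate_sysfs(&dev->dev);` passes a sysfs failure straight to the caller and bypasses the `error:` label that follows, so the failure is not logged (the HVM variant's `"Failed to create MSI%s! ret=%d!\n"` is skipped) and the IRQs bound earlier in the function are still bound when it returns. Whether the MSI core runs the teardown hook after a failed setup is not visible in these hunks and should be confirmed, otherwise the bindings are left behind. In xen_setup_msi_irqs(), where `ret` is visibly in scope, the failure can be logged with `ret = msi_device_populate_sysfs(&dev->dev);`, `if (ret) dev_err(&dev->dev, "xen: MSI sysfs setup failed: %d\n", ret);`, `return ret;`. Separately, the closing comment in kernel/irq/msi.c keeps `CONFIG_PCI_MSI_ARCH_FALLBACK` without the trailing S used by the `#if`. All four functions start and end outside their hunks.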
@@ -0,0 +1,60 @@
+From 8fafac202d18230bb9926bda48e563fd2cce2a4f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 3 May 2023 18:11:35 +0300
+Subject: xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
+
+From: Dan Carpenter
+
+commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream.
+
+In the pvcalls_new_active_socket() function, most error paths call
+pvcalls_back_release_active(fedata->dev, fedata, map) which calls
+sock_release() on "sock". The bug is that the caller also frees sock.
+
+Fix this by making every error path in pvcalls_new_active_socket()
+release the sock, and don't free it in the caller.
+
+Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/pvcalls-back.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/pvcalls-back.c
++++ b/drivers/xen/pvcalls-back.c
+@@ -325,8 +325,10 @@ static struct sock_mapping *pvcalls_new_
+ void *page;
+
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+- if (map == NULL)
++ if (map == NULL) {
++ sock_release(sock);
+ return NULL;
++ }
+
+ map->fedata = fedata;
+ map->sock = sock;
+@@ -418,10 +420,8 @@ static int pvcalls_back_connect(struct x
+ req->u.connect.ref,
+ req->u.connect.evtchn,
+ sock);
+- if (!map) {
++ if (!map)
+ ret = -EFAULT;
+- sock_release(sock);
+- }
+
+ out:
+ rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++);
+@@ -561,7 +561,6 @@ static void __pvcalls_back_accept(struct
+ sock);
+ if (!map) {
+ ret = -EFAULT;
+- sock_release(sock);
+ goto out_error;
+ }
+
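Review bot: pvcalls_new_active_socket() now owns `sock` on every path, but only the kzalloc failure is visible in the first hunk; the error paths after `map->sock = sock;` lie outside it, and the fix is complete only if each of them releases the socket exactly once (the commit message says most go through pvcalls_back_release_active()). The double free came from an unstated ownership rule in code that is presumably driven by frontend requests over the ring, so I would state the contract above the function: `/* Consumes @sock: released here on failure, owned by the returned map on success; callers must not call sock_release() on it. */`. In pvcalls_back_connect() a NULL return is still reported as `-EFAULT` even though the visible failure is an allocation failure; that predates this patch. All three functions start and end outside their hunks.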