From: Greg Kroah-Hartman Date: Mon, 3 Apr 2023 08:47:02 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.14.312~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b4eeae9307cd9174a44e5f3c3fba3023714af8e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-conexant-partial-revert-of-a-quirk-for-lenovo.patch alsa-hda-realtek-add-quirk-for-lenovo-zhaoyang-cf4620z.patch alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch alsa-usb-audio-fix-regression-on-detection-of-roland-vs-100.patch can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch drm-amd-display-add-dsc-support-for-synaptics-cascaded-mst-hub.patch drm-etnaviv-fix-reference-leak-when-mmaping-imported-buffer.patch net-phy-dp83869-fix-default-value-for-tx-rx-internal-delay.patch nfsv4-fix-hangs-when-recovering-open-state-after-a-server-reboot.patch pinctrl-amd-disable-and-mask-interrupts-on-resume.patch pinctrl-at91-pio4-fix-domain-name-assignment.patch powerpc-don-t-try-to-copy-ppr-for-task-with-null-pt_regs.patch rcu-fix-rcu_torture_read-ftrace-event.patch xen-netback-don-t-do-grant-copy-across-page-boundary.patch xtensa-fix-kasan-report-for-show_stack.patch zonefs-always-invalidate-last-cached-page-on-append-write.patch --- diff --git a/queue-5.15/alsa-hda-conexant-partial-revert-of-a-quirk-for-lenovo.patch b/queue-5.15/alsa-hda-conexant-partial-revert-of-a-quirk-for-lenovo.patch new file mode 100644 index 00000000000..dbadc985982 --- /dev/null +++ b/queue-5.15/alsa-hda-conexant-partial-revert-of-a-quirk-for-lenovo.patch @@ -0,0 +1,59 @@ +From b871cb971c683f7f212e7ca3c9a6709a75785116 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 20 Mar 2023 15:09:54 +0100 +Subject: ALSA: hda/conexant: Partial revert of a quirk for Lenovo + +From: Takashi Iwai + +commit b871cb971c683f7f212e7ca3c9a6709a75785116 upstream. + +The recent commit f83bb2592482 ("ALSA: hda/conexant: Add quirk for +LENOVO 20149 Notebook model") introduced a quirk for the device with +17aa:3977, but this caused a regression on another model (Lenovo +Ideadpad U31) with the very same PCI SSID. And, through skimming over +the net, it seems that this PCI SSID is used for multiple different +models, so it's no good idea to apply the quirk with the SSID. + +Although we may take a different ID check (e.g. the codec SSID instead +of the PCI SSID), unfortunately, the original patch author couldn't +identify the hardware details any longer as the machine was returned, +and we can't develop the further proper fix. + +In this patch, instead, we partially revert the change so that the +quirk won't be applied as default for addressing the regression. +Meanwhile, the quirk function itself is kept, and it's now made to be +applicable via the explicit model=lenovo-20149 option. + +Fixes: f83bb2592482 ("ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model") +Reported-by: Jetro Jormalainen +Link: https://lore.kernel.org/r/20230308215009.4d3e58a6@mopti +Cc: +Link: https://lore.kernel.org/r/20230320140954.31154-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_conexant.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -980,7 +980,10 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x17aa, 0x3905, "Lenovo G50-30", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x390b, "Lenovo G50-80", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3975, "Lenovo U300s", CXT_FIXUP_STEREO_DMIC), +- SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_PINCFG_LENOVO_NOTEBOOK), ++ /* NOTE: we'd need to extend the quirk for 17aa:3977 as the same ++ * PCI SSID is used on multiple Lenovo models ++ */ ++ SND_PCI_QUIRK(0x17aa, 0x3977, "Lenovo IdeaPad U310", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo G50-70", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x17aa, 0x397b, "Lenovo S205", CXT_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK_VENDOR(0x17aa, "Thinkpad", CXT_FIXUP_THINKPAD_ACPI), +@@ -1003,6 +1006,7 @@ static const struct hda_model_fixup cxt5 + { .id = CXT_FIXUP_MUTE_LED_GPIO, .name = "mute-led-gpio" }, + { .id = CXT_FIXUP_HP_ZBOOK_MUTE_LED, .name = "hp-zbook-mute-led" }, + { .id = CXT_FIXUP_HP_MIC_NO_PRESENCE, .name = "hp-mic-fix" }, ++ { .id = CXT_PINCFG_LENOVO_NOTEBOOK, .name = "lenovo-20149" }, + {} + }; + diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-lenovo-zhaoyang-cf4620z.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-lenovo-zhaoyang-cf4620z.patch new file mode 100644 index 00000000000..9acc146dc91 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-lenovo-zhaoyang-cf4620z.patch @@ -0,0 +1,32 @@ +From 52aad39385e1bfdb34a1b405f699a8ef302c58b0 Mon Sep 17 00:00:00 2001 +From: huangwenhui +Date: Tue, 28 Mar 2023 15:46:44 +0800 +Subject: ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z + +From: huangwenhui + +commit 52aad39385e1bfdb34a1b405f699a8ef302c58b0 upstream. + +Fix headset microphone detection on Lenovo ZhaoYang CF4620Z. + +[ adjusted to be applicable to the latest tree -- tiwai ] + +Signed-off-by: huangwenhui +Cc: +Link: https://lore.kernel.org/r/20230328074644.30142-1-huangwenhuia@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9332,6 +9332,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), ++ SND_PCI_QUIRK(0x17aa, 0x9e56, "Lenovo ZhaoYang CF4620Z", ALC286_FIXUP_SONY_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK), + SND_PCI_QUIRK(0x1849, 0xa233, "Positivo Master C6300", ALC269_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS), diff --git a/queue-5.15/alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch b/queue-5.15/alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch new file mode 100644 index 00000000000..54923e47e4c --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch @@ -0,0 +1,60 @@ +From b7a5822810c4398515300d614d988cf638adecad Mon Sep 17 00:00:00 2001 +From: Tim Crawford +Date: Fri, 17 Mar 2023 08:18:25 -0600 +Subject: ALSA: hda/realtek: Add quirks for some Clevo laptops + +From: Tim Crawford + +commit b7a5822810c4398515300d614d988cf638adecad upstream. + +Add the audio quirk for some of Clevo's latest RPL laptops: + +- NP50RNJS (ALC256) +- NP70SNE (ALC256) +- PD50SNE (ALC1220) +- PE60RNE (ALC1220) + +Co-authored-by: Jeremy Soller +Signed-off-by: Tim Crawford +Cc: +Link: https://lore.kernel.org/r/20230317141825.11807-1-tcrawford@system76.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2625,6 +2625,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1558, 0x65e5, "Clevo PC50D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65f1, "Clevo PC50HS", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x65f5, "Clevo PD50PN[NRT]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), ++ SND_PCI_QUIRK(0x1558, 0x66a2, "Clevo PE60RNE", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67d1, "Clevo PB71[ER][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e1, "Clevo PB71[DE][CDF]", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK(0x1558, 0x67e5, "Clevo PC70D[PRS](?:-D|-G)?", ALC1220_FIXUP_CLEVO_PB51ED_PINS), +@@ -2645,6 +2646,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1558, 0x96e1, "Clevo P960[ER][CDFN]-K", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1558, 0x97e1, "Clevo P970[ER][CDFN]", ALC1220_FIXUP_CLEVO_P950), + SND_PCI_QUIRK(0x1558, 0x97e2, "Clevo P970RC-M", ALC1220_FIXUP_CLEVO_P950), ++ SND_PCI_QUIRK(0x1558, 0xd502, "Clevo PD50SNE", ALC1220_FIXUP_CLEVO_PB51ED_PINS), + SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD), + SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD), + SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Y530", ALC882_FIXUP_LENOVO_Y530), +@@ -9201,6 +9203,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x5101, "Clevo S510WU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x5157, "Clevo W517GU1", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x51a1, "Clevo NS50MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70f2, "Clevo NH79EPY", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), +@@ -9235,6 +9238,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x971d, "Clevo N970T[CDF]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa500, "Clevo NL5[03]RU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xa600, "Clevo NL50NU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0xa671, "Clevo NP70SN[CDE]", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb018, "Clevo NP50D[BE]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb019, "Clevo NH77D[BE]Q", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0xb022, "Clevo NH77D[DC][QW]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/queue-5.15/alsa-usb-audio-fix-regression-on-detection-of-roland-vs-100.patch b/queue-5.15/alsa-usb-audio-fix-regression-on-detection-of-roland-vs-100.patch new file mode 100644 index 00000000000..e988ecc15b1 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-regression-on-detection-of-roland-vs-100.patch @@ -0,0 +1,46 @@ +From fa4e7a6fa12b1132340785e14bd439cbe95b7a5a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 24 Mar 2023 08:50:05 +0100 +Subject: ALSA: usb-audio: Fix regression on detection of Roland VS-100 + +From: Takashi Iwai + +commit fa4e7a6fa12b1132340785e14bd439cbe95b7a5a upstream. + +It's been reported that the recent kernel can't probe the PCM devices +on Roland VS-100 properly, and it turned out to be a regression by the +recent addition of the bit shift range check for the format bits. +In the old code, we just did bit-shift and it resulted in zero, which +is then corrected to the standard PCM format, while the new code +explicitly returns an error in such a case. + +For addressing the regression, relax the check and fallback to the +standard PCM type (with the info output). + +Fixes: 43d5ca88dfcd ("ALSA: usb-audio: Fix potential out-of-bounds shift") +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217084 +Link: https://lore.kernel.org/r/20230324075005.19403-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/format.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -39,8 +39,12 @@ static u64 parse_audio_format_i_type(str + case UAC_VERSION_1: + default: { + struct uac_format_type_i_discrete_descriptor *fmt = _fmt; +- if (format >= 64) +- return 0; /* invalid format */ ++ if (format >= 64) { ++ usb_audio_info(chip, ++ "%u:%d: invalid format type 0x%llx is detected, processed as PCM\n", ++ fp->iface, fp->altsetting, format); ++ format = UAC_FORMAT_TYPE_I_PCM; ++ } + sample_width = fmt->bBitResolution; + sample_bytes = fmt->bSubframeSize; + format = 1ULL << format; diff --git a/queue-5.15/can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch b/queue-5.15/can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch new file mode 100644 index 00000000000..d09ec9be1e6 --- /dev/null +++ b/queue-5.15/can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch @@ -0,0 +1,88 @@ +From d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 24 Mar 2023 14:01:41 +0100 +Subject: can: j1939: prevent deadlock by moving j1939_sk_errqueue() + +From: Oleksij Rempel + +commit d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 upstream. + +This commit addresses a deadlock situation that can occur in certain +scenarios, such as when running data TP/ETP transfer and subscribing to +the error queue while receiving a net down event. The deadlock involves +locks in the following order: + +3 + j1939_session_list_lock -> active_session_list_lock + j1939_session_activate + ... + j1939_sk_queue_activate_next -> sk_session_queue_lock + ... + j1939_xtp_rx_eoma_one + +2 + j1939_sk_queue_drop_all -> sk_session_queue_lock + ... + j1939_sk_netdev_event_netdown -> j1939_socks_lock + j1939_netdev_notify + +1 + j1939_sk_errqueue -> j1939_socks_lock + __j1939_session_cancel -> active_session_list_lock + j1939_tp_rxtimer + + CPU0 CPU1 + ---- ---- + lock(&priv->active_session_list_lock); + lock(&jsk->sk_session_queue_lock); + lock(&priv->active_session_list_lock); + lock(&priv->j1939_socks_lock); + +The solution implemented in this commit is to move the +j1939_sk_errqueue() call out of the active_session_list_lock context, +thus preventing the deadlock situation. + +Reported-by: syzbot+ee1cd780f69483a8616b@syzkaller.appspotmail.com +Fixes: 5b9272e93f2e ("can: j1939: extend UAPI to notify about RX status") +Co-developed-by: Hillf Danton +Signed-off-by: Hillf Danton +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20230324130141.2132787-1-o.rempel@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1124,8 +1124,6 @@ static void __j1939_session_cancel(struc + + if (session->sk) + j1939_sk_send_loop_abort(session->sk, session->err); +- else +- j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT); + } + + static void j1939_session_cancel(struct j1939_session *session, +@@ -1140,6 +1138,9 @@ static void j1939_session_cancel(struct + } + + j1939_session_list_unlock(session->priv); ++ ++ if (!session->sk) ++ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT); + } + + static enum hrtimer_restart j1939_tp_txtimer(struct hrtimer *hrtimer) +@@ -1253,6 +1254,9 @@ static enum hrtimer_restart j1939_tp_rxt + __j1939_session_cancel(session, J1939_XTP_ABORT_TIMEOUT); + } + j1939_session_list_unlock(session->priv); ++ ++ if (!session->sk) ++ j1939_sk_errqueue(session, J1939_ERRQUEUE_RX_ABORT); + } + + j1939_session_put(session); diff --git a/queue-5.15/drm-amd-display-add-dsc-support-for-synaptics-cascaded-mst-hub.patch b/queue-5.15/drm-amd-display-add-dsc-support-for-synaptics-cascaded-mst-hub.patch new file mode 100644 index 00000000000..681503be081 --- /dev/null +++ b/queue-5.15/drm-amd-display-add-dsc-support-for-synaptics-cascaded-mst-hub.patch @@ -0,0 +1,82 @@ +From f4f3b7dedbe849e780c779ba67365bb1db0d8637 Mon Sep 17 00:00:00 2001 +From: Fangzhi Zuo +Date: Fri, 24 Feb 2023 13:45:21 -0500 +Subject: drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub + +From: Fangzhi Zuo + +commit f4f3b7dedbe849e780c779ba67365bb1db0d8637 upstream. + +Traditional synaptics hub has one MST branch device without virtual dpcd. +Synaptics cascaded hub has two chained MST branch devices. DSC decoding +is performed via root MST branch device, instead of the second MST branch +device. + +Reviewed-by: Hersen Wu +Acked-by: Qingqing Zhuo +Signed-off-by: Fangzhi Zuo +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 19 ++++++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h | 12 +++++++ + 2 files changed, 31 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +@@ -184,6 +184,21 @@ static bool needs_dsc_aux_workaround(str + return false; + } + ++bool is_synaptics_cascaded_panamera(struct dc_link *link, struct drm_dp_mst_port *port) ++{ ++ u8 branch_vendor_data[4] = { 0 }; // Vendor data 0x50C ~ 0x50F ++ ++ if (drm_dp_dpcd_read(port->mgr->aux, DP_BRANCH_VENDOR_SPECIFIC_START, &branch_vendor_data, 4) == 4) { ++ if (link->dpcd_caps.branch_dev_id == DP_BRANCH_DEVICE_ID_90CC24 && ++ IS_SYNAPTICS_CASCADED_PANAMERA(link->dpcd_caps.branch_dev_name, branch_vendor_data)) { ++ DRM_INFO("Synaptics Cascaded MST hub\n"); ++ return true; ++ } ++ } ++ ++ return false; ++} ++ + static bool validate_dsc_caps_on_connector(struct amdgpu_dm_connector *aconnector) + { + struct dc_sink *dc_sink = aconnector->dc_sink; +@@ -207,6 +222,10 @@ static bool validate_dsc_caps_on_connect + needs_dsc_aux_workaround(aconnector->dc_link)) + aconnector->dsc_aux = &aconnector->mst_port->dm_dp_aux.aux; + ++ /* synaptics cascaded MST hub case */ ++ if (!aconnector->dsc_aux && is_synaptics_cascaded_panamera(aconnector->dc_link, port)) ++ aconnector->dsc_aux = port->mgr->aux; ++ + if (!aconnector->dsc_aux) + return false; + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.h +@@ -26,6 +26,18 @@ + #ifndef __DAL_AMDGPU_DM_MST_TYPES_H__ + #define __DAL_AMDGPU_DM_MST_TYPES_H__ + ++#define DP_BRANCH_VENDOR_SPECIFIC_START 0x50C ++ ++/** ++ * Panamera MST Hub detection ++ * Offset DPCD 050Eh == 0x5A indicates cascaded MST hub case ++ * Check from beginning of branch device vendor specific field (050Ch) ++ */ ++#define IS_SYNAPTICS_PANAMERA(branchDevName) (((int)branchDevName[4] & 0xF0) == 0x50 ? 1 : 0) ++#define BRANCH_HW_REVISION_PANAMERA_A2 0x10 ++#define SYNAPTICS_CASCADED_HUB_ID 0x5A ++#define IS_SYNAPTICS_CASCADED_PANAMERA(devName, data) ((IS_SYNAPTICS_PANAMERA(devName) && ((int)data[2] == SYNAPTICS_CASCADED_HUB_ID)) ? 1 : 0) ++ + struct amdgpu_display_manager; + struct amdgpu_dm_connector; + diff --git a/queue-5.15/drm-etnaviv-fix-reference-leak-when-mmaping-imported-buffer.patch b/queue-5.15/drm-etnaviv-fix-reference-leak-when-mmaping-imported-buffer.patch new file mode 100644 index 00000000000..5593d72eb4c --- /dev/null +++ b/queue-5.15/drm-etnaviv-fix-reference-leak-when-mmaping-imported-buffer.patch @@ -0,0 +1,41 @@ +From 963b2e8c428f79489ceeb058e8314554ec9cbe6f Mon Sep 17 00:00:00 2001 +From: Lucas Stach +Date: Fri, 24 Feb 2023 18:21:54 +0100 +Subject: drm/etnaviv: fix reference leak when mmaping imported buffer + +From: Lucas Stach + +commit 963b2e8c428f79489ceeb058e8314554ec9cbe6f upstream. + +drm_gem_prime_mmap() takes a reference on the GEM object, but before that +drm_gem_mmap_obj() already takes a reference, which will be leaked as only +one reference is dropped when the mapping is closed. Drop the extra +reference when dma_buf_mmap() succeeds. + +Cc: stable@vger.kernel.org +Signed-off-by: Lucas Stach +Reviewed-by: Christian Gmeiner +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_prime.c +@@ -88,7 +88,15 @@ static void *etnaviv_gem_prime_vmap_impl + static int etnaviv_gem_prime_mmap_obj(struct etnaviv_gem_object *etnaviv_obj, + struct vm_area_struct *vma) + { +- return dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0); ++ int ret; ++ ++ ret = dma_buf_mmap(etnaviv_obj->base.dma_buf, vma, 0); ++ if (!ret) { ++ /* Drop the reference acquired by drm_gem_mmap_obj(). */ ++ drm_gem_object_put(&etnaviv_obj->base); ++ } ++ ++ return ret; + } + + static const struct etnaviv_gem_ops etnaviv_gem_prime_ops = { diff --git a/queue-5.15/net-phy-dp83869-fix-default-value-for-tx-rx-internal-delay.patch b/queue-5.15/net-phy-dp83869-fix-default-value-for-tx-rx-internal-delay.patch new file mode 100644 index 00000000000..a3428b4cad8 --- /dev/null +++ b/queue-5.15/net-phy-dp83869-fix-default-value-for-tx-rx-internal-delay.patch @@ -0,0 +1,55 @@ +From 82e2c39f9ef78896e9b634dfd82dc042e6956bb7 Mon Sep 17 00:00:00 2001 +From: Josua Mayer +Date: Thu, 23 Mar 2023 12:25:36 +0200 +Subject: net: phy: dp83869: fix default value for tx-/rx-internal-delay + +From: Josua Mayer + +commit 82e2c39f9ef78896e9b634dfd82dc042e6956bb7 upstream. + +dp83869 internally uses a look-up table for mapping supported delays in +nanoseconds to register values. +When specific delays are defined in device-tree, phy_get_internal_delay +does the lookup automatically returning an index. + +The default case wrongly assigns the nanoseconds value from the lookup +table, resulting in numeric value 2000 applied to delay configuration +register, rather than the expected index values 0-7 (7 for 2000). +Ultimately this issue broke RX for 1Gbps links. + +Fix default delay configuration by assigning the intended index value +directly. + +Cc: stable@vger.kernel.org +Fixes: 736b25afe284 ("net: dp83869: Add RGMII internal delay configuration") +Co-developed-by: Yazan Shhady +Signed-off-by: Yazan Shhady +Signed-off-by: Josua Mayer +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230323102536.31988-1-josua@solid-run.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83869.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/phy/dp83869.c ++++ b/drivers/net/phy/dp83869.c +@@ -587,15 +587,13 @@ static int dp83869_of_init(struct phy_de + &dp83869_internal_delay[0], + delay_size, true); + if (dp83869->rx_int_delay < 0) +- dp83869->rx_int_delay = +- dp83869_internal_delay[DP83869_CLK_DELAY_DEF]; ++ dp83869->rx_int_delay = DP83869_CLK_DELAY_DEF; + + dp83869->tx_int_delay = phy_get_internal_delay(phydev, dev, + &dp83869_internal_delay[0], + delay_size, false); + if (dp83869->tx_int_delay < 0) +- dp83869->tx_int_delay = +- dp83869_internal_delay[DP83869_CLK_DELAY_DEF]; ++ dp83869->tx_int_delay = DP83869_CLK_DELAY_DEF; + + return ret; + } diff --git a/queue-5.15/nfsv4-fix-hangs-when-recovering-open-state-after-a-server-reboot.patch b/queue-5.15/nfsv4-fix-hangs-when-recovering-open-state-after-a-server-reboot.patch new file mode 100644 index 00000000000..41700956175 --- /dev/null +++ b/queue-5.15/nfsv4-fix-hangs-when-recovering-open-state-after-a-server-reboot.patch @@ -0,0 +1,45 @@ +From 6165a16a5ad9b237bb3131cff4d3c601ccb8f9a3 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 21 Mar 2023 00:17:36 -0400 +Subject: NFSv4: Fix hangs when recovering open state after a server reboot + +From: Trond Myklebust + +commit 6165a16a5ad9b237bb3131cff4d3c601ccb8f9a3 upstream. + +When we're using a cached open stateid or a delegation in order to avoid +sending a CLAIM_PREVIOUS open RPC call to the server, we don't have a +new open stateid to present to update_open_stateid(). +Instead rely on nfs4_try_open_cached(), just as if we were doing a +normal open. + +Fixes: d2bfda2e7aa0 ("NFSv4: don't reprocess cached open CLAIM_PREVIOUS") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1993,8 +1993,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + if (!data->rpc_done) { + if (data->rpc_status) + return ERR_PTR(data->rpc_status); +- /* cached opens have already been processed */ +- goto update; ++ return nfs4_try_open_cached(data); + } + + ret = nfs_refresh_inode(inode, &data->f_attr); +@@ -2003,7 +2002,7 @@ _nfs4_opendata_reclaim_to_nfs4_state(str + + if (data->o_res.delegation_type != 0) + nfs4_opendata_check_deleg(data, state); +-update: ++ + if (!update_open_stateid(state, &data->o_res.stateid, + NULL, data->o_arg.fmode)) + return ERR_PTR(-EAGAIN); diff --git a/queue-5.15/pinctrl-amd-disable-and-mask-interrupts-on-resume.patch b/queue-5.15/pinctrl-amd-disable-and-mask-interrupts-on-resume.patch new file mode 100644 index 00000000000..7432cdcb134 --- /dev/null +++ b/queue-5.15/pinctrl-amd-disable-and-mask-interrupts-on-resume.patch @@ -0,0 +1,97 @@ +From b26cd9325be4c1fcd331b77f10acb627c560d4d7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Kornel=20Dul=C4=99ba?= +Date: Mon, 20 Mar 2023 09:32:59 +0000 +Subject: pinctrl: amd: Disable and mask interrupts on resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kornel Dulęba + +commit b26cd9325be4c1fcd331b77f10acb627c560d4d7 upstream. + +This fixes a similar problem to the one observed in: +commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe"). + +On some systems, during suspend/resume cycle firmware leaves +an interrupt enabled on a pin that is not used by the kernel. +This confuses the AMD pinctrl driver and causes spurious interrupts. + +The driver already has logic to detect if a pin is used by the kernel. +Leverage it to re-initialize interrupt fields of a pin only if it's not +used by us. + +Cc: stable@vger.kernel.org +Fixes: dbad75dd1f25 ("pinctrl: add AMD GPIO driver support.") +Signed-off-by: Kornel Dulęba +Link: https://lore.kernel.org/r/20230320093259.845178-1-korneld@chromium.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 36 ++++++++++++++++++++---------------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -863,32 +863,34 @@ static const struct pinconf_ops amd_pinc + .pin_config_group_set = amd_pinconf_group_set, + }; + +-static void amd_gpio_irq_init(struct amd_gpio *gpio_dev) ++static void amd_gpio_irq_init_pin(struct amd_gpio *gpio_dev, int pin) + { +- struct pinctrl_desc *desc = gpio_dev->pctrl->desc; ++ const struct pin_desc *pd; + unsigned long flags; + u32 pin_reg, mask; +- int i; + + mask = BIT(WAKE_CNTRL_OFF_S0I3) | BIT(WAKE_CNTRL_OFF_S3) | + BIT(INTERRUPT_MASK_OFF) | BIT(INTERRUPT_ENABLE_OFF) | + BIT(WAKE_CNTRL_OFF_S4); + +- for (i = 0; i < desc->npins; i++) { +- int pin = desc->pins[i].number; +- const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin); +- +- if (!pd) +- continue; ++ pd = pin_desc_get(gpio_dev->pctrl, pin); ++ if (!pd) ++ return; + +- raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ pin_reg = readl(gpio_dev->base + pin * 4); ++ pin_reg &= ~mask; ++ writel(pin_reg, gpio_dev->base + pin * 4); ++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); ++} + +- pin_reg = readl(gpio_dev->base + i * 4); +- pin_reg &= ~mask; +- writel(pin_reg, gpio_dev->base + i * 4); ++static void amd_gpio_irq_init(struct amd_gpio *gpio_dev) ++{ ++ struct pinctrl_desc *desc = gpio_dev->pctrl->desc; ++ int i; + +- raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); +- } ++ for (i = 0; i < desc->npins; i++) ++ amd_gpio_irq_init_pin(gpio_dev, i); + } + + #ifdef CONFIG_PM_SLEEP +@@ -941,8 +943,10 @@ static int amd_gpio_resume(struct device + for (i = 0; i < desc->npins; i++) { + int pin = desc->pins[i].number; + +- if (!amd_gpio_should_save(gpio_dev, pin)) ++ if (!amd_gpio_should_save(gpio_dev, pin)) { ++ amd_gpio_irq_init_pin(gpio_dev, pin); + continue; ++ } + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); + gpio_dev->saved_regs[i] |= readl(gpio_dev->base + pin * 4) & PIN_IRQ_PENDING; diff --git a/queue-5.15/pinctrl-at91-pio4-fix-domain-name-assignment.patch b/queue-5.15/pinctrl-at91-pio4-fix-domain-name-assignment.patch new file mode 100644 index 00000000000..4d7c30de99a --- /dev/null +++ b/queue-5.15/pinctrl-at91-pio4-fix-domain-name-assignment.patch @@ -0,0 +1,39 @@ +From 7bb97e360acdd38b68ad0a1defb89c6e89c85596 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 24 Feb 2023 14:08:28 +0100 +Subject: pinctrl: at91-pio4: fix domain name assignment + +From: Johan Hovold + +commit 7bb97e360acdd38b68ad0a1defb89c6e89c85596 upstream. + +Since commit d59f6617eef0 ("genirq: Allow fwnode to carry name +information only") an IRQ domain is always given a name during +allocation (e.g. used for the debugfs entry). + +Drop the no longer valid name assignment, which would lead to an attempt +to free a string constant when removing the domain on late probe +failures (e.g. probe deferral). + +Fixes: d59f6617eef0 ("genirq: Allow fwnode to carry name information only") +Cc: stable@vger.kernel.org # 4.13 +Signed-off-by: Johan Hovold +Reviewed-by: Claudiu Beznea +Tested-by: Claudiu Beznea # on SAMA7G5 +Link: https://lore.kernel.org/r/20230224130828.27985-1-johan+linaro@kernel.org +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1184,7 +1184,6 @@ static int atmel_pinctrl_probe(struct pl + dev_err(dev, "can't add the irq domain\n"); + return -ENODEV; + } +- atmel_pioctrl->irq_domain->name = "atmel gpio"; + + for (i = 0; i < atmel_pioctrl->npins; i++) { + int irq = irq_create_mapping(atmel_pioctrl->irq_domain, i); diff --git a/queue-5.15/powerpc-don-t-try-to-copy-ppr-for-task-with-null-pt_regs.patch b/queue-5.15/powerpc-don-t-try-to-copy-ppr-for-task-with-null-pt_regs.patch new file mode 100644 index 00000000000..729bb50eda5 --- /dev/null +++ b/queue-5.15/powerpc-don-t-try-to-copy-ppr-for-task-with-null-pt_regs.patch @@ -0,0 +1,81 @@ +From fd7276189450110ed835eb0a334e62d2f1c4e3be Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 26 Mar 2023 16:15:57 -0600 +Subject: powerpc: Don't try to copy PPR for task with NULL pt_regs + +From: Jens Axboe + +commit fd7276189450110ed835eb0a334e62d2f1c4e3be upstream. + +powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which +from my (arguably very short) checking is not commonly done for other +archs. This is fine, except when PF_IO_WORKER's have been created and +the task does something that causes a coredump to be generated. Then we +get this crash: + + Kernel attempted to read user page (160) - exploit attempt? (uid: 1000) + BUG: Kernel NULL pointer dereference on read at 0x00000160 + Faulting instruction address: 0xc0000000000c3a60 + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries + Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod + CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88 + Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries + NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0 + REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+) + MSR: 800000000280b033 CR: 88082828 XER: 200400f8 + ... + NIP memcpy_power7+0x200/0x7d0 + LR ppr_get+0x64/0xb0 + Call Trace: + ppr_get+0x40/0xb0 (unreliable) + __regset_get+0x180/0x1f0 + regset_get_alloc+0x64/0x90 + elf_core_dump+0xb98/0x1b60 + do_coredump+0x1c34/0x24a0 + get_signal+0x71c/0x1410 + do_notify_resume+0x140/0x6f0 + interrupt_exit_user_prepare_main+0x29c/0x320 + interrupt_exit_user_prepare+0x6c/0xa0 + interrupt_return_srr_user+0x8/0x138 + +Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL +pt_regs. + +Check for a valid pt_regs in both ppc_get/ppr_set, and return an error +if not set. The actual error value doesn't seem to be important here, so +just pick -EINVAL. + +Fixes: fa439810cc1b ("powerpc/ptrace: Enable support for NT_PPPC_TAR, NT_PPC_PPR, NT_PPC_DSCR") +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Jens Axboe +[mpe: Trim oops in change log, add Fixes & Cc stable] +Signed-off-by: Michael Ellerman +Link: https://msgid.link/d9f63344-fe7c-56ae-b420-4a1a04a2ae4c@kernel.dk +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/ptrace/ptrace-view.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/powerpc/kernel/ptrace/ptrace-view.c ++++ b/arch/powerpc/kernel/ptrace/ptrace-view.c +@@ -290,6 +290,9 @@ static int gpr_set(struct task_struct *t + static int ppr_get(struct task_struct *target, const struct user_regset *regset, + struct membuf to) + { ++ if (!target->thread.regs) ++ return -EINVAL; ++ + return membuf_write(&to, &target->thread.regs->ppr, sizeof(u64)); + } + +@@ -297,6 +300,9 @@ static int ppr_set(struct task_struct *t + unsigned int pos, unsigned int count, const void *kbuf, + const void __user *ubuf) + { ++ if (!target->thread.regs) ++ return -EINVAL; ++ + return user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &target->thread.regs->ppr, 0, sizeof(u64)); + } diff --git a/queue-5.15/rcu-fix-rcu_torture_read-ftrace-event.patch b/queue-5.15/rcu-fix-rcu_torture_read-ftrace-event.patch new file mode 100644 index 00000000000..737d7044199 --- /dev/null +++ b/queue-5.15/rcu-fix-rcu_torture_read-ftrace-event.patch @@ -0,0 +1,39 @@ +From d18a04157fc171fd48075e3dc96471bd3b87f0dd Mon Sep 17 00:00:00 2001 +From: Douglas Raillard +Date: Mon, 6 Mar 2023 12:27:43 +0000 +Subject: rcu: Fix rcu_torture_read ftrace event + +From: Douglas Raillard + +commit d18a04157fc171fd48075e3dc96471bd3b87f0dd upstream. + +Fix the rcutorturename field so that its size is correctly reported in +the text format embedded in trace.dat files. As it stands, it is +reported as being of size 1: + + field:char rcutorturename[8]; offset:8; size:1; signed:0; + +Signed-off-by: Douglas Raillard +Reviewed-by: Mukesh Ojha +Cc: stable@vger.kernel.org +Fixes: 04ae87a52074e ("ftrace: Rework event_create_dir()") +Reviewed-by: Steven Rostedt (Google) +[ boqun: Add "Cc" and "Fixes" tags per Steven ] +Signed-off-by: Boqun Feng +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rcu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/trace/events/rcu.h ++++ b/include/trace/events/rcu.h +@@ -768,7 +768,7 @@ TRACE_EVENT_RCU(rcu_torture_read, + TP_ARGS(rcutorturename, rhp, secs, c_old, c), + + TP_STRUCT__entry( +- __field(char, rcutorturename[RCUTORTURENAME_LEN]) ++ __array(char, rcutorturename, RCUTORTURENAME_LEN) + __field(struct rcu_head *, rhp) + __field(unsigned long, secs) + __field(unsigned long, c_old) diff --git a/queue-5.15/series b/queue-5.15/series index fb47d777d84..d13e9829c3b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -69,3 +69,19 @@ cifs-fix-dfs-traversal-oops-without-config_cifs_dfs_upcall.patch input-goodix-add-lenovo-yoga-book-x90f-to-nine_bytes_report-dmi-table.patch btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch btrfs-scan-device-in-non-exclusive-mode.patch +zonefs-always-invalidate-last-cached-page-on-append-write.patch +can-j1939-prevent-deadlock-by-moving-j1939_sk_errqueue.patch +xen-netback-don-t-do-grant-copy-across-page-boundary.patch +net-phy-dp83869-fix-default-value-for-tx-rx-internal-delay.patch +pinctrl-amd-disable-and-mask-interrupts-on-resume.patch +pinctrl-at91-pio4-fix-domain-name-assignment.patch +powerpc-don-t-try-to-copy-ppr-for-task-with-null-pt_regs.patch +nfsv4-fix-hangs-when-recovering-open-state-after-a-server-reboot.patch +alsa-hda-conexant-partial-revert-of-a-quirk-for-lenovo.patch +alsa-usb-audio-fix-regression-on-detection-of-roland-vs-100.patch +alsa-hda-realtek-add-quirks-for-some-clevo-laptops.patch +alsa-hda-realtek-add-quirk-for-lenovo-zhaoyang-cf4620z.patch +xtensa-fix-kasan-report-for-show_stack.patch +rcu-fix-rcu_torture_read-ftrace-event.patch +drm-etnaviv-fix-reference-leak-when-mmaping-imported-buffer.patch +drm-amd-display-add-dsc-support-for-synaptics-cascaded-mst-hub.patch diff --git a/queue-5.15/xen-netback-don-t-do-grant-copy-across-page-boundary.patch b/queue-5.15/xen-netback-don-t-do-grant-copy-across-page-boundary.patch new file mode 100644 index 00000000000..9dc60d64804 --- /dev/null +++ b/queue-5.15/xen-netback-don-t-do-grant-copy-across-page-boundary.patch @@ -0,0 +1,118 @@ +From 05310f31ca74673a96567fb14637b7d5d6c82ea5 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Mon, 27 Mar 2023 10:36:45 +0200 +Subject: xen/netback: don't do grant copy across page boundary + +From: Juergen Gross + +commit 05310f31ca74673a96567fb14637b7d5d6c82ea5 upstream. + +Fix xenvif_get_requests() not to do grant copy operations across local +page boundaries. This requires to double the maximum number of copy +operations per queue, as each copy could now be split into 2. + +Make sure that struct xenvif_tx_cb doesn't grow too large. + +Cc: stable@vger.kernel.org +Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area") +Signed-off-by: Juergen Gross +Reviewed-by: Paul Durrant +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/common.h | 2 +- + drivers/net/xen-netback/netback.c | 25 +++++++++++++++++++++++-- + 2 files changed, 24 insertions(+), 3 deletions(-) + +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -166,7 +166,7 @@ struct xenvif_queue { /* Per-queue data + struct pending_tx_info pending_tx_info[MAX_PENDING_REQS]; + grant_handle_t grant_tx_handle[MAX_PENDING_REQS]; + +- struct gnttab_copy tx_copy_ops[MAX_PENDING_REQS]; ++ struct gnttab_copy tx_copy_ops[2 * MAX_PENDING_REQS]; + struct gnttab_map_grant_ref tx_map_ops[MAX_PENDING_REQS]; + struct gnttab_unmap_grant_ref tx_unmap_ops[MAX_PENDING_REQS]; + /* passed to gnttab_[un]map_refs with pages under (un)mapping */ +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -334,6 +334,7 @@ static int xenvif_count_requests(struct + struct xenvif_tx_cb { + u16 copy_pending_idx[XEN_NETBK_LEGACY_SLOTS_MAX + 1]; + u8 copy_count; ++ u32 split_mask; + }; + + #define XENVIF_TX_CB(skb) ((struct xenvif_tx_cb *)(skb)->cb) +@@ -361,6 +362,8 @@ static inline struct sk_buff *xenvif_all + struct sk_buff *skb = + alloc_skb(size + NET_SKB_PAD + NET_IP_ALIGN, + GFP_ATOMIC | __GFP_NOWARN); ++ ++ BUILD_BUG_ON(sizeof(*XENVIF_TX_CB(skb)) > sizeof(skb->cb)); + if (unlikely(skb == NULL)) + return NULL; + +@@ -396,11 +399,13 @@ static void xenvif_get_requests(struct x + nr_slots = shinfo->nr_frags + 1; + + copy_count(skb) = 0; ++ XENVIF_TX_CB(skb)->split_mask = 0; + + /* Create copy ops for exactly data_len bytes into the skb head. */ + __skb_put(skb, data_len); + while (data_len > 0) { + int amount = data_len > txp->size ? txp->size : data_len; ++ bool split = false; + + cop->source.u.ref = txp->gref; + cop->source.domid = queue->vif->domid; +@@ -413,6 +418,13 @@ static void xenvif_get_requests(struct x + cop->dest.u.gmfn = virt_to_gfn(skb->data + skb_headlen(skb) + - data_len); + ++ /* Don't cross local page boundary! */ ++ if (cop->dest.offset + amount > XEN_PAGE_SIZE) { ++ amount = XEN_PAGE_SIZE - cop->dest.offset; ++ XENVIF_TX_CB(skb)->split_mask |= 1U << copy_count(skb); ++ split = true; ++ } ++ + cop->len = amount; + cop->flags = GNTCOPY_source_gref; + +@@ -420,7 +432,8 @@ static void xenvif_get_requests(struct x + pending_idx = queue->pending_ring[index]; + callback_param(queue, pending_idx).ctx = NULL; + copy_pending_idx(skb, copy_count(skb)) = pending_idx; +- copy_count(skb)++; ++ if (!split) ++ copy_count(skb)++; + + cop++; + data_len -= amount; +@@ -441,7 +454,8 @@ static void xenvif_get_requests(struct x + nr_slots--; + } else { + /* The copy op partially covered the tx_request. +- * The remainder will be mapped. ++ * The remainder will be mapped or copied in the next ++ * iteration. + */ + txp->offset += amount; + txp->size -= amount; +@@ -539,6 +553,13 @@ static int xenvif_tx_check_gop(struct xe + pending_idx = copy_pending_idx(skb, i); + + newerr = (*gopp_copy)->status; ++ ++ /* Split copies need to be handled together. */ ++ if (XENVIF_TX_CB(skb)->split_mask & (1U << i)) { ++ (*gopp_copy)++; ++ if (!newerr) ++ newerr = (*gopp_copy)->status; ++ } + if (likely(!newerr)) { + /* The first frag might still have this slot mapped */ + if (i < copy_count(skb) - 1 || !sharedslot) diff --git a/queue-5.15/xtensa-fix-kasan-report-for-show_stack.patch b/queue-5.15/xtensa-fix-kasan-report-for-show_stack.patch new file mode 100644 index 00000000000..08dc3d0e2b5 --- /dev/null +++ b/queue-5.15/xtensa-fix-kasan-report-for-show_stack.patch @@ -0,0 +1,53 @@ +From 1d3b7a788ca7435156809a6bd5b20c95b2370d45 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Thu, 16 Mar 2023 23:00:21 -0700 +Subject: xtensa: fix KASAN report for show_stack + +From: Max Filippov + +commit 1d3b7a788ca7435156809a6bd5b20c95b2370d45 upstream. + +show_stack dumps raw stack contents which may trigger an unnecessary +KASAN report. Fix it by copying stack contents to a temporary buffer +with __memcpy and then printing that buffer instead of passing stack +pointer directly to the print_hex_dump. + +Cc: stable@vger.kernel.org +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/kernel/traps.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/xtensa/kernel/traps.c ++++ b/arch/xtensa/kernel/traps.c +@@ -510,7 +510,7 @@ static size_t kstack_depth_to_print = CO + + void show_stack(struct task_struct *task, unsigned long *sp, const char *loglvl) + { +- size_t len; ++ size_t len, off = 0; + + if (!sp) + sp = stack_pointer(task); +@@ -519,9 +519,17 @@ void show_stack(struct task_struct *task + kstack_depth_to_print * STACK_DUMP_ENTRY_SIZE); + + printk("%sStack:\n", loglvl); +- print_hex_dump(loglvl, " ", DUMP_PREFIX_NONE, +- STACK_DUMP_LINE_SIZE, STACK_DUMP_ENTRY_SIZE, +- sp, len, false); ++ while (off < len) { ++ u8 line[STACK_DUMP_LINE_SIZE]; ++ size_t line_len = len - off > STACK_DUMP_LINE_SIZE ? ++ STACK_DUMP_LINE_SIZE : len - off; ++ ++ __memcpy(line, (u8 *)sp + off, line_len); ++ print_hex_dump(loglvl, " ", DUMP_PREFIX_NONE, ++ STACK_DUMP_LINE_SIZE, STACK_DUMP_ENTRY_SIZE, ++ line, line_len, false); ++ off += STACK_DUMP_LINE_SIZE; ++ } + show_trace(task, sp, loglvl); + } + diff --git a/queue-5.15/zonefs-always-invalidate-last-cached-page-on-append-write.patch b/queue-5.15/zonefs-always-invalidate-last-cached-page-on-append-write.patch new file mode 100644 index 00000000000..7d89a9595ed --- /dev/null +++ b/queue-5.15/zonefs-always-invalidate-last-cached-page-on-append-write.patch @@ -0,0 +1,62 @@ +From c1976bd8f23016d8706973908f2bb0ac0d852a8f Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Wed, 29 Mar 2023 13:16:01 +0900 +Subject: zonefs: Always invalidate last cached page on append write + +From: Damien Le Moal + +commit c1976bd8f23016d8706973908f2bb0ac0d852a8f upstream. + +When a direct append write is executed, the append offset may correspond +to the last page of a sequential file inode which might have been cached +already by buffered reads, page faults with mmap-read or non-direct +readahead. To ensure that the on-disk and cached data is consistant for +such last cached page, make sure to always invalidate it in +zonefs_file_dio_append(). If the invalidation fails, return -EBUSY to +userspace to differentiate from IO errors. + +This invalidation will always be a no-op when the FS block size (device +zone write granularity) is equal to the page size (e.g. 4K). + +Reported-by: Hans Holmberg +Fixes: 02ef12a663c7 ("zonefs: use REQ_OP_ZONE_APPEND for sync DIO") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Tested-by: Hans Holmberg +Signed-off-by: Greg Kroah-Hartman +--- + fs/zonefs/super.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/zonefs/super.c ++++ b/fs/zonefs/super.c +@@ -736,6 +736,7 @@ static ssize_t zonefs_file_dio_append(st + struct zonefs_inode_info *zi = ZONEFS_I(inode); + struct block_device *bdev = inode->i_sb->s_bdev; + unsigned int max = bdev_max_zone_append_sectors(bdev); ++ pgoff_t start, end; + struct bio *bio; + ssize_t size; + int nr_pages; +@@ -744,6 +745,19 @@ static ssize_t zonefs_file_dio_append(st + max = ALIGN_DOWN(max << SECTOR_SHIFT, inode->i_sb->s_blocksize); + iov_iter_truncate(from, max); + ++ /* ++ * If the inode block size (zone write granularity) is smaller than the ++ * page size, we may be appending data belonging to the last page of the ++ * inode straddling inode->i_size, with that page already cached due to ++ * a buffered read or readahead. So make sure to invalidate that page. ++ * This will always be a no-op for the case where the block size is ++ * equal to the page size. ++ */ ++ start = iocb->ki_pos >> PAGE_SHIFT; ++ end = (iocb->ki_pos + iov_iter_count(from) - 1) >> PAGE_SHIFT; ++ if (invalidate_inode_pages2_range(inode->i_mapping, start, end)) ++ return -EBUSY; ++ + nr_pages = iov_iter_npages(from, BIO_MAX_VECS); + if (!nr_pages) + return 0;