From: Sasha Levin Date: Mon, 18 Apr 2022 03:55:05 +0000 (-0400) Subject: Fixes for 5.17 X-Git-Tag: v4.9.311~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=72ef20221a725c90298f103433da79a73b83377f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.17 Signed-off-by: Sasha Levin --- diff --git a/queue-5.17/alsa-ad1889-fix-the-missing-snd_card_free-call-at-pr.patch b/queue-5.17/alsa-ad1889-fix-the-missing-snd_card_free-call-at-pr.patch new file mode 100644 index 00000000000..cc79faa7a03 --- /dev/null +++ b/queue-5.17/alsa-ad1889-fix-the-missing-snd_card_free-call-at-pr.patch @@ -0,0 +1,57 @@ +From 2b2aee60ee985638d5860bcf9cb21d6d26600ae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 12:26:00 +0200 +Subject: ALSA: ad1889: Fix the missing snd_card_free() call at probe error + +From: Takashi Iwai + +[ Upstream commit a8e84a5da18e6d786540aa4ceb6f969d5f1a441d ] + +The previous cleanup with devres may lead to the incorrect release +orders at the probe error handling due to the devres's nature. Until +we register the card, snd_card_free() has to be called at first for +releasing the stuff properly when the driver tries to manage and +release the stuff via card->private_free(). + +This patch fixes it by calling snd_card_free() on the error from the +probe callback using a new helper function. + +Fixes: 567f58754109 ("ALSA: ad1889: Allocate resources with device-managed APIs") +Link: https://lore.kernel.org/r/20220412102636.16000-4-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/ad1889.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/ad1889.c b/sound/pci/ad1889.c +index bba4dae8dcc7..50e30704bf6f 100644 +--- a/sound/pci/ad1889.c ++++ b/sound/pci/ad1889.c +@@ -844,8 +844,8 @@ snd_ad1889_create(struct snd_card *card, struct pci_dev *pci) + } + + static int +-snd_ad1889_probe(struct pci_dev *pci, +- const struct pci_device_id *pci_id) ++__snd_ad1889_probe(struct pci_dev *pci, ++ const struct pci_device_id *pci_id) + { + int err; + static int devno; +@@ -904,6 +904,12 @@ snd_ad1889_probe(struct pci_dev *pci, + return 0; + } + ++static int snd_ad1889_probe(struct pci_dev *pci, ++ const struct pci_device_id *pci_id) ++{ ++ return snd_card_free_on_error(&pci->dev, __snd_ad1889_probe(pci, pci_id)); ++} ++ + static const struct pci_device_id snd_ad1889_ids[] = { + { PCI_DEVICE(PCI_VENDOR_ID_ANALOG_DEVICES, PCI_DEVICE_ID_AD1889JS) }, + { 0, }, +-- +2.35.1 + diff --git a/queue-5.17/alsa-mtpav-don-t-call-card-private_free-at-probe-err.patch b/queue-5.17/alsa-mtpav-don-t-call-card-private_free-at-probe-err.patch new file mode 100644 index 00000000000..6c70800f881 --- /dev/null +++ b/queue-5.17/alsa-mtpav-don-t-call-card-private_free-at-probe-err.patch @@ -0,0 +1,50 @@ +From 8110809b4f18eae9c5981fb0192baf8dbf67cc7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 12:26:35 +0200 +Subject: ALSA: mtpav: Don't call card private_free at probe error path + +From: Takashi Iwai + +[ Upstream commit 4fb27190879b82e48ce89a56e9d6c04437dbc065 ] + +The card destructor of nm256 driver does merely stopping the running +timer, and it's superfluous for the probe error handling. Moreover, +calling this via the previous devres change would lead to another +problem due to the reverse call order. + +This patch moves the setup of the private_free callback after the card +registration, so that it can be used only after fully set up. + +Fixes: aa92050f10f0 ("ALSA: mtpav: Allocate resources with device-managed APIs") +Link: https://lore.kernel.org/r/20220412102636.16000-39-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/drivers/mtpav.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/drivers/mtpav.c b/sound/drivers/mtpav.c +index 11235baaf6fa..f212f233ea61 100644 +--- a/sound/drivers/mtpav.c ++++ b/sound/drivers/mtpav.c +@@ -693,8 +693,6 @@ static int snd_mtpav_probe(struct platform_device *dev) + mtp_card->outmidihwport = 0xffffffff; + timer_setup(&mtp_card->timer, snd_mtpav_output_timer, 0); + +- card->private_free = snd_mtpav_free; +- + err = snd_mtpav_get_RAWMIDI(mtp_card); + if (err < 0) + return err; +@@ -716,6 +714,8 @@ static int snd_mtpav_probe(struct platform_device *dev) + if (err < 0) + return err; + ++ card->private_free = snd_mtpav_free; ++ + platform_set_drvdata(dev, card); + printk(KERN_INFO "Motu MidiTimePiece on parallel port irq: %d ioport: 0x%lx\n", irq, port); + return 0; +-- +2.35.1 + diff --git a/queue-5.17/alsa-usb-audio-increase-max-buffer-size.patch b/queue-5.17/alsa-usb-audio-increase-max-buffer-size.patch new file mode 100644 index 00000000000..5e70aa830bc --- /dev/null +++ b/queue-5.17/alsa-usb-audio-increase-max-buffer-size.patch @@ -0,0 +1,37 @@ +From 800b31794fd0bf1f35fdb8058e602f5b34ff39f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 23:27:40 +0200 +Subject: ALSA: usb-audio: Increase max buffer size + +From: Takashi Iwai + +[ Upstream commit fee2ec8cceb33b8886bc5894fb07e0b2e34148af ] + +The current limit of max buffer size 1MB seems too small for modern +devices with lots of channels and high sample rates. +Let's make bigger, 4MB. + +Reviewed-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220407212740.17920-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 6a460225f2e3..37ee6df8b15a 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -659,7 +659,7 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream) + #define hwc_debug(fmt, args...) do { } while(0) + #endif + +-#define MAX_BUFFER_BYTES (1024 * 1024) ++#define MAX_BUFFER_BYTES (4 * 1024 * 1024) + #define MAX_PERIOD_BYTES (512 * 1024) + + static const struct snd_pcm_hardware snd_usb_hardware = +-- +2.35.1 + diff --git a/queue-5.17/alsa-usb-audio-limit-max-buffer-and-period-sizes-per.patch b/queue-5.17/alsa-usb-audio-limit-max-buffer-and-period-sizes-per.patch new file mode 100644 index 00000000000..cea180319a3 --- /dev/null +++ b/queue-5.17/alsa-usb-audio-limit-max-buffer-and-period-sizes-per.patch @@ -0,0 +1,193 @@ +From c746fe90e3cbcdd46f8f06084d6417f0908e6392 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 15:07:40 +0200 +Subject: ALSA: usb-audio: Limit max buffer and period sizes per time + +From: Takashi Iwai + +[ Upstream commit 24d0c9f0e7de95fe3e3e0067cbea1cd5d413244b ] + +In the previous fix, we increased the max buffer bytes from 1MB to 4MB +so that we can use bigger buffers for the modern HiFi devices with +higher rates, more channels and wider formats. OTOH, extending this +has a concern that too big buffer is allowed for the lower rates, less +channels and narrower formats; when an application tries to allocate +as big buffer as possible, it'll lead to unexpectedly too huge size. + +Also, we had a problem about the inconsistent max buffer and period +bytes for the implicit feedback mode when both streams have different +channels. This was fixed by the (relatively complex) patch to reduce +the max buffer and period bytes accordingly. + +This is an alternative fix for those, a patch to kill two birds with +one stone (*): instead of increasing the max buffer bytes blindly and +applying the reduction per channels, we simply use the hw constraints +for the buffer and period "time". Meanwhile the max buffer and period +bytes are set unlimited instead. + +Since the inconsistency of buffer (and period) bytes comes from the +difference of the channels in the tied streams, as long as we care +only about the buffer (and period) time, it doesn't matter; the buffer +time is same for different channels, although we still allow higher +buffer size. Similarly, this will allow more buffer bytes for HiFi +devices while it also keeps the reasonable size for the legacy +devices, too. + +As of this patch, the max period and buffer time are set to 1 and 2 +seconds, which should be large enough for all possible use cases. + +(*) No animals were harmed in the making of this patch. + +Fixes: 98c27add5d96 ("ALSA: usb-audio: Cap upper limits of buffer/period bytes for implicit fb") +Fixes: fee2ec8cceb3 ("ALSA: usb-audio: Increase max buffer size") +Link: https://lore.kernel.org/r/20220412130740.18933-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/pcm.c | 101 +++++++----------------------------------------- + 1 file changed, 14 insertions(+), 87 deletions(-) + +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index 37ee6df8b15a..6d699065e81a 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -659,9 +659,6 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream) + #define hwc_debug(fmt, args...) do { } while(0) + #endif + +-#define MAX_BUFFER_BYTES (4 * 1024 * 1024) +-#define MAX_PERIOD_BYTES (512 * 1024) +- + static const struct snd_pcm_hardware snd_usb_hardware = + { + .info = SNDRV_PCM_INFO_MMAP | +@@ -672,9 +669,9 @@ static const struct snd_pcm_hardware snd_usb_hardware = + SNDRV_PCM_INFO_PAUSE, + .channels_min = 1, + .channels_max = 256, +- .buffer_bytes_max = MAX_BUFFER_BYTES, ++ .buffer_bytes_max = INT_MAX, /* limited by BUFFER_TIME later */ + .period_bytes_min = 64, +- .period_bytes_max = MAX_PERIOD_BYTES, ++ .period_bytes_max = INT_MAX, /* limited by PERIOD_TIME later */ + .periods_min = 2, + .periods_max = 1024, + }; +@@ -974,78 +971,6 @@ static int hw_rule_periods_implicit_fb(struct snd_pcm_hw_params *params, + ep->cur_buffer_periods); + } + +-/* get the adjusted max buffer (or period) bytes that can fit with the +- * paired format for implicit fb +- */ +-static unsigned int +-get_adjusted_max_bytes(struct snd_usb_substream *subs, +- struct snd_usb_substream *pair, +- struct snd_pcm_hw_params *params, +- unsigned int max_bytes, +- bool reverse_map) +-{ +- const struct audioformat *fp, *pp; +- unsigned int rmax = 0, r; +- +- list_for_each_entry(fp, &subs->fmt_list, list) { +- if (!fp->implicit_fb) +- continue; +- if (!reverse_map && +- !hw_check_valid_format(subs, params, fp)) +- continue; +- list_for_each_entry(pp, &pair->fmt_list, list) { +- if (pp->iface != fp->sync_iface || +- pp->altsetting != fp->sync_altsetting || +- pp->ep_idx != fp->sync_ep_idx) +- continue; +- if (reverse_map && +- !hw_check_valid_format(pair, params, pp)) +- break; +- if (!reverse_map && pp->channels > fp->channels) +- r = max_bytes * fp->channels / pp->channels; +- else if (reverse_map && pp->channels < fp->channels) +- r = max_bytes * pp->channels / fp->channels; +- else +- r = max_bytes; +- rmax = max(rmax, r); +- break; +- } +- } +- return rmax; +-} +- +-/* Reduce the period or buffer bytes depending on the paired substream; +- * when a paired configuration for implicit fb has a higher number of channels, +- * we need to reduce the max size accordingly, otherwise it may become unusable +- */ +-static int hw_rule_bytes_implicit_fb(struct snd_pcm_hw_params *params, +- struct snd_pcm_hw_rule *rule) +-{ +- struct snd_usb_substream *subs = rule->private; +- struct snd_usb_substream *pair; +- struct snd_interval *it; +- unsigned int max_bytes; +- unsigned int rmax; +- +- pair = &subs->stream->substream[!subs->direction]; +- if (!pair->ep_num) +- return 0; +- +- if (rule->var == SNDRV_PCM_HW_PARAM_PERIOD_BYTES) +- max_bytes = MAX_PERIOD_BYTES; +- else +- max_bytes = MAX_BUFFER_BYTES; +- +- rmax = get_adjusted_max_bytes(subs, pair, params, max_bytes, false); +- if (!rmax) +- rmax = get_adjusted_max_bytes(pair, subs, params, max_bytes, true); +- if (!rmax) +- return 0; +- +- it = hw_param_interval(params, rule->var); +- return apply_hw_params_minmax(it, 0, rmax); +-} +- + /* + * set up the runtime hardware information. + */ +@@ -1139,6 +1064,18 @@ static int setup_hw_info(struct snd_pcm_runtime *runtime, struct snd_usb_substre + return err; + } + ++ /* set max period and buffer sizes for 1 and 2 seconds, respectively */ ++ err = snd_pcm_hw_constraint_minmax(runtime, ++ SNDRV_PCM_HW_PARAM_PERIOD_TIME, ++ 0, 1000000); ++ if (err < 0) ++ return err; ++ err = snd_pcm_hw_constraint_minmax(runtime, ++ SNDRV_PCM_HW_PARAM_BUFFER_TIME, ++ 0, 2000000); ++ if (err < 0) ++ return err; ++ + /* additional hw constraints for implicit fb */ + err = snd_pcm_hw_rule_add(runtime, 0, SNDRV_PCM_HW_PARAM_FORMAT, + hw_rule_format_implicit_fb, subs, +@@ -1160,16 +1097,6 @@ static int setup_hw_info(struct snd_pcm_runtime *runtime, struct snd_usb_substre + SNDRV_PCM_HW_PARAM_PERIODS, -1); + if (err < 0) + return err; +- err = snd_pcm_hw_rule_add(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES, +- hw_rule_bytes_implicit_fb, subs, +- SNDRV_PCM_HW_PARAM_BUFFER_BYTES, -1); +- if (err < 0) +- return err; +- err = snd_pcm_hw_rule_add(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES, +- hw_rule_bytes_implicit_fb, subs, +- SNDRV_PCM_HW_PARAM_PERIOD_BYTES, -1); +- if (err < 0) +- return err; + + list_for_each_entry(fp, &subs->fmt_list, list) { + if (fp->implicit_fb) { +-- +2.35.1 + diff --git a/queue-5.17/arm64-alternatives-mark-patch_alternative-as-noinstr.patch b/queue-5.17/arm64-alternatives-mark-patch_alternative-as-noinstr.patch new file mode 100644 index 00000000000..0fcc7f68f5f --- /dev/null +++ b/queue-5.17/arm64-alternatives-mark-patch_alternative-as-noinstr.patch @@ -0,0 +1,86 @@ +From 5d70646152b076c54f6ae2f352f11ac9d2c71e26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 11:47:33 +0100 +Subject: arm64: alternatives: mark patch_alternative() as `noinstr` + +From: Joey Gouly + +[ Upstream commit a2c0b0fbe01419f8f5d1c0b9c581631f34ffce8b ] + +The alternatives code must be `noinstr` such that it does not patch itself, +as the cache invalidation is only performed after all the alternatives have +been applied. + +Mark patch_alternative() as `noinstr`. Mark branch_insn_requires_update() +and get_alt_insn() with `__always_inline` since they are both only called +through patch_alternative(). + +Booting a kernel in QEMU TCG with KCSAN=y and ARM64_USE_LSE_ATOMICS=y caused +a boot hang: +[ 0.241121] CPU: All CPU(s) started at EL2 + +The alternatives code was patching the atomics in __tsan_read4() from LL/SC +atomics to LSE atomics. + +The following fragment is using LL/SC atomics in the .text section: + | <__tsan_unaligned_read4+304>: ldxr x6, [x2] + | <__tsan_unaligned_read4+308>: add x6, x6, x5 + | <__tsan_unaligned_read4+312>: stxr w7, x6, [x2] + | <__tsan_unaligned_read4+316>: cbnz w7, <__tsan_unaligned_read4+304> + +This LL/SC atomic sequence was to be replaced with LSE atomics. However since +the alternatives code was instrumentable, __tsan_read4() was being called after +only the first instruction was replaced, which led to the following code in memory: + | <__tsan_unaligned_read4+304>: ldadd x5, x6, [x2] + | <__tsan_unaligned_read4+308>: add x6, x6, x5 + | <__tsan_unaligned_read4+312>: stxr w7, x6, [x2] + | <__tsan_unaligned_read4+316>: cbnz w7, <__tsan_unaligned_read4+304> + +This caused an infinite loop as the `stxr` instruction never completed successfully, +so `w7` was always 0. + +Signed-off-by: Joey Gouly +Cc: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Link: https://lore.kernel.org/r/20220405104733.11476-1-joey.gouly@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/alternative.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c +index 3fb79b76e9d9..7bbf5104b7b7 100644 +--- a/arch/arm64/kernel/alternative.c ++++ b/arch/arm64/kernel/alternative.c +@@ -42,7 +42,7 @@ bool alternative_is_applied(u16 cpufeature) + /* + * Check if the target PC is within an alternative block. + */ +-static bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc) ++static __always_inline bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc) + { + unsigned long replptr = (unsigned long)ALT_REPL_PTR(alt); + return !(pc >= replptr && pc <= (replptr + alt->alt_len)); +@@ -50,7 +50,7 @@ static bool branch_insn_requires_update(struct alt_instr *alt, unsigned long pc) + + #define align_down(x, a) ((unsigned long)(x) & ~(((unsigned long)(a)) - 1)) + +-static u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnptr) ++static __always_inline u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnptr) + { + u32 insn; + +@@ -95,7 +95,7 @@ static u32 get_alt_insn(struct alt_instr *alt, __le32 *insnptr, __le32 *altinsnp + return insn; + } + +-static void patch_alternative(struct alt_instr *alt, ++static noinstr void patch_alternative(struct alt_instr *alt, + __le32 *origptr, __le32 *updptr, int nr_inst) + { + __le32 *replptr; +-- +2.35.1 + diff --git a/queue-5.17/ata-libata-core-disable-read-log-dma-ext-for-samsung.patch b/queue-5.17/ata-libata-core-disable-read-log-dma-ext-for-samsung.patch new file mode 100644 index 00000000000..31537eb2009 --- /dev/null +++ b/queue-5.17/ata-libata-core-disable-read-log-dma-ext-for-samsung.patch @@ -0,0 +1,45 @@ +From 202e4eed77a668634f488455dd773a17043c1fdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 21:11:03 +0100 +Subject: ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs + +From: Christian Lamparter + +[ Upstream commit 5399752299396a3c9df6617f4b3c907d7aa4ded8 ] + +Samsung' 840 EVO with the latest firmware (EXT0DB6Q) locks up with +the a message: "READ LOG DMA EXT failed, trying PIO" during boot. + +Initially this was discovered because it caused a crash +with the sata_dwc_460ex controller on a WD MyBook Live DUO. + +The reporter "Tice Rex" which has the unique opportunity that he +has two Samsung 840 EVO SSD! One with the older firmware "EXT0BB0Q" +which booted fine and didn't expose "READ LOG DMA EXT". But the +newer/latest firmware "EXT0DB6Q" caused the headaches. + +BugLink: https://github.com/openwrt/openwrt/issues/9505 +Signed-off-by: Christian Lamparter +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 0c854aebfe0b..760c0d81d148 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4014,6 +4014,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, ++ { "Samsung SSD 840 EVO*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_NO_DMA_LOG | ++ ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Samsung SSD 840*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Samsung SSD 850*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | +-- +2.35.1 + diff --git a/queue-5.17/block-fix-offset-size-check-in-bio_trim.patch b/queue-5.17/block-fix-offset-size-check-in-bio_trim.patch new file mode 100644 index 00000000000..a2aab8d1218 --- /dev/null +++ b/queue-5.17/block-fix-offset-size-check-in-bio_trim.patch @@ -0,0 +1,40 @@ +From 6ffe438e188f8e77b4a9316c79307aeada2aaf20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 16:44:43 +0800 +Subject: block: fix offset/size check in bio_trim() + +From: Ming Lei + +[ Upstream commit 8535c0185d14ea41f0efd6a357961b05daf6687e ] + +Unit of bio->bi_iter.bi_size is bytes, but unit of offset/size +is sector. + +Fix the above issue in checking offset/size in bio_trim(). + +Fixes: e83502ca5f1e ("block: fix argument type of bio_trim()") +Cc: Chaitanya Kulkarni +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20220414084443.1736850-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bio.c b/block/bio.c +index 1be1e360967d..342b1cf5d713 100644 +--- a/block/bio.c ++++ b/block/bio.c +@@ -1570,7 +1570,7 @@ EXPORT_SYMBOL(bio_split); + void bio_trim(struct bio *bio, sector_t offset, sector_t size) + { + if (WARN_ON_ONCE(offset > BIO_MAX_SECTORS || size > BIO_MAX_SECTORS || +- offset + size > bio->bi_iter.bi_size)) ++ offset + size > bio_sectors(bio))) + return; + + size <<= 9; +-- +2.35.1 + diff --git a/queue-5.17/block-null_blk-end-timed-out-poll-request.patch b/queue-5.17/block-null_blk-end-timed-out-poll-request.patch new file mode 100644 index 00000000000..b31a686759d --- /dev/null +++ b/queue-5.17/block-null_blk-end-timed-out-poll-request.patch @@ -0,0 +1,40 @@ +From 73380f5b647817dc55ab9f5576bdc6758f2851fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 16:48:36 +0800 +Subject: block: null_blk: end timed out poll request + +From: Ming Lei + +[ Upstream commit 3e3876d322aef82416ecc496a4d4a587e0fdf7a3 ] + +When poll request is timed out, it is removed from the poll list, +but not completed, so the request is leaked, and never get chance +to complete. + +Fix the issue by ending it in timeout handler. + +Fixes: 0a593fbbc245 ("null_blk: poll queue support") +Signed-off-by: Ming Lei +Link: https://lore.kernel.org/r/20220413084836.1571995-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/null_blk/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c +index 13004beb48ca..233577b14141 100644 +--- a/drivers/block/null_blk/main.c ++++ b/drivers/block/null_blk/main.c +@@ -1606,7 +1606,7 @@ static enum blk_eh_timer_return null_timeout_rq(struct request *rq, bool res) + * Only fake timeouts need to execute blk_mq_complete_request() here. + */ + cmd->error = BLK_STS_TIMEOUT; +- if (cmd->fake_timeout) ++ if (cmd->fake_timeout || hctx->type == HCTX_TYPE_POLL) + blk_mq_complete_request(rq); + return BLK_EH_DONE; + } +-- +2.35.1 + diff --git a/queue-5.17/btrfs-do-not-warn-for-free-space-inode-in-cow_file_r.patch b/queue-5.17/btrfs-do-not-warn-for-free-space-inode-in-cow_file_r.patch new file mode 100644 index 00000000000..fbfb7c2e91e --- /dev/null +++ b/queue-5.17/btrfs-do-not-warn-for-free-space-inode-in-cow_file_r.patch @@ -0,0 +1,45 @@ +From cd3acbbcd9f9f38a811b9337e1a853177fc036db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Mar 2022 11:30:36 -0400 +Subject: btrfs: do not warn for free space inode in cow_file_range + +From: Josef Bacik + +[ Upstream commit a7d16d9a07bbcb7dcd5214a1bea75c808830bc0d ] + +This is a long time leftover from when I originally added the free space +inode, the point was to catch cases where we weren't honoring the NOCOW +flag. However there exists a race with relocation, if we allocate our +free space inode in a block group that is about to be relocated, we +could trigger the COW path before the relocation has the opportunity to +find the extents and delete the free space cache. In production where +we have auto-relocation enabled we're seeing this WARN_ON_ONCE() around +5k times in a 2 week period, so not super common but enough that it's at +the top of our metrics. + +We're properly handling the error here, and with us phasing out v1 space +cache anyway just drop the WARN_ON_ONCE. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 85daae70afda..9547088a9306 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -1130,7 +1130,6 @@ static noinline int cow_file_range(struct btrfs_inode *inode, + int ret = 0; + + if (btrfs_is_free_space_inode(inode)) { +- WARN_ON_ONCE(1); + ret = -EINVAL; + goto out_unlock; + } +-- +2.35.1 + diff --git a/queue-5.17/btrfs-fix-fallocate-to-use-file_modified-to-update-p.patch b/queue-5.17/btrfs-fix-fallocate-to-use-file_modified-to-update-p.patch new file mode 100644 index 00000000000..1342996c46f --- /dev/null +++ b/queue-5.17/btrfs-fix-fallocate-to-use-file_modified-to-update-p.patch @@ -0,0 +1,78 @@ +From 10cd52db25b140847516d2246a9ecf640e0fcb87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Mar 2022 10:55:32 -0700 +Subject: btrfs: fix fallocate to use file_modified to update permissions + consistently + +From: Darrick J. Wong + +[ Upstream commit 05fd9564e9faf0f23b4676385e27d9405cef6637 ] + +Since the initial introduction of (posix) fallocate back at the turn of +the century, it has been possible to use this syscall to change the +user-visible contents of files. This can happen by extending the file +size during a preallocation, or through any of the newer modes (punch, +zero range). Because the call can be used to change file contents, we +should treat it like we do any other modification to a file -- update +the mtime, and drop set[ug]id privileges/capabilities. + +The VFS function file_modified() does all this for us if pass it a +locked inode, so let's make fallocate drop permissions correctly. + +Reviewed-by: Filipe Manana +Signed-off-by: Darrick J. Wong +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index a0179cc62913..28ddd9cf2069 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2918,8 +2918,9 @@ int btrfs_replace_file_extents(struct btrfs_inode *inode, + return ret; + } + +-static int btrfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) ++static int btrfs_punch_hole(struct file *file, loff_t offset, loff_t len) + { ++ struct inode *inode = file_inode(file); + struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); + struct btrfs_root *root = BTRFS_I(inode)->root; + struct extent_state *cached_state = NULL; +@@ -2951,6 +2952,10 @@ static int btrfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) + goto out_only_mutex; + } + ++ ret = file_modified(file); ++ if (ret) ++ goto out_only_mutex; ++ + lockstart = round_up(offset, btrfs_inode_sectorsize(BTRFS_I(inode))); + lockend = round_down(offset + len, + btrfs_inode_sectorsize(BTRFS_I(inode))) - 1; +@@ -3391,7 +3396,7 @@ static long btrfs_fallocate(struct file *file, int mode, + return -EOPNOTSUPP; + + if (mode & FALLOC_FL_PUNCH_HOLE) +- return btrfs_punch_hole(inode, offset, len); ++ return btrfs_punch_hole(file, offset, len); + + /* + * Only trigger disk allocation, don't trigger qgroup reserve +@@ -3413,6 +3418,10 @@ static long btrfs_fallocate(struct file *file, int mode, + goto out; + } + ++ ret = file_modified(file); ++ if (ret) ++ goto out; ++ + /* + * TODO: Move these two operations after we have checked + * accurate reserved space, or fallocate can still fail but +-- +2.35.1 + diff --git a/queue-5.17/cachefiles-fix-kasan-slab-out-of-bounds-in-cachefile.patch b/queue-5.17/cachefiles-fix-kasan-slab-out-of-bounds-in-cachefile.patch new file mode 100644 index 00000000000..8f07e38690a --- /dev/null +++ b/queue-5.17/cachefiles-fix-kasan-slab-out-of-bounds-in-cachefile.patch @@ -0,0 +1,100 @@ +From 0dd99b5e5bf894deb461ab21a3f10d095d39233f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 09:46:49 -0400 +Subject: cachefiles: Fix KASAN slab-out-of-bounds in + cachefiles_set_volume_xattr + +From: Dave Wysochanski + +[ Upstream commit 7b2f6c306601240635c72caa61f682e74d4591b2 ] + +Use the actual length of volume coherency data when setting the +xattr to avoid the following KASAN report. + + BUG: KASAN: slab-out-of-bounds in cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles] + Write of size 4 at addr ffff888101e02af4 by task kworker/6:0/1347 + + CPU: 6 PID: 1347 Comm: kworker/6:0 Kdump: loaded Not tainted 5.18.0-rc1-nfs-fscache-netfs+ #13 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014 + Workqueue: events fscache_create_volume_work [fscache] + Call Trace: + + dump_stack_lvl+0x45/0x5a + print_report.cold+0x5e/0x5db + ? __lock_text_start+0x8/0x8 + ? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles] + kasan_report+0xab/0x120 + ? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles] + kasan_check_range+0xf5/0x1d0 + memcpy+0x39/0x60 + cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles] + cachefiles_acquire_volume+0x2be/0x500 [cachefiles] + ? __cachefiles_free_volume+0x90/0x90 [cachefiles] + fscache_create_volume_work+0x68/0x160 [fscache] + process_one_work+0x3b7/0x6a0 + worker_thread+0x2c4/0x650 + ? process_one_work+0x6a0/0x6a0 + kthread+0x16c/0x1a0 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x22/0x30 + + + Allocated by task 1347: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x81/0xa0 + cachefiles_set_volume_xattr+0x76/0x350 [cachefiles] + cachefiles_acquire_volume+0x2be/0x500 [cachefiles] + fscache_create_volume_work+0x68/0x160 [fscache] + process_one_work+0x3b7/0x6a0 + worker_thread+0x2c4/0x650 + kthread+0x16c/0x1a0 + ret_from_fork+0x22/0x30 + + The buggy address belongs to the object at ffff888101e02af0 + which belongs to the cache kmalloc-8 of size 8 + The buggy address is located 4 bytes inside of + 8-byte region [ffff888101e02af0, ffff888101e02af8) + + The buggy address belongs to the physical page: + page:00000000a2292d70 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e02 + flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) + raw: 0017ffffc0000200 0000000000000000 dead000000000001 ffff888100042280 + raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888101e02980: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc + ffff888101e02a00: 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 + >ffff888101e02a80: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 04 fc + ^ + ffff888101e02b00: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc + ffff888101e02b80: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc + ================================================================== + +Fixes: 413a4a6b0b55 "cachefiles: Fix volume coherency attribute" +Signed-off-by: Dave Wysochanski +Signed-off-by: David Howells +cc: linux-cachefs@redhat.com +Link: https://lore.kernel.org/r/20220405134649.6579-1-dwysocha@redhat.com/ # v1 +Link: https://lore.kernel.org/r/20220405142810.8208-1-dwysocha@redhat.com/ # Incorrect v2 +Signed-off-by: Sasha Levin +--- + fs/cachefiles/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c +index 35465109d9c4..00b087c14995 100644 +--- a/fs/cachefiles/xattr.c ++++ b/fs/cachefiles/xattr.c +@@ -203,7 +203,7 @@ bool cachefiles_set_volume_xattr(struct cachefiles_volume *volume) + if (!buf) + return false; + buf->reserved = cpu_to_be32(0); +- memcpy(buf->data, p, len); ++ memcpy(buf->data, p, volume->vcookie->coherency_len); + + ret = cachefiles_inject_write_error(); + if (ret == 0) +-- +2.35.1 + diff --git a/queue-5.17/cachefiles-unmark-inode-in-use-in-error-path.patch b/queue-5.17/cachefiles-unmark-inode-in-use-in-error-path.patch new file mode 100644 index 00000000000..a5f00369a0e --- /dev/null +++ b/queue-5.17/cachefiles-unmark-inode-in-use-in-error-path.patch @@ -0,0 +1,117 @@ +From 54e549f9f40408ffc75852335f607980860dd10e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Mar 2022 17:47:59 +0800 +Subject: cachefiles: unmark inode in use in error path + +From: Jeffle Xu + +[ Upstream commit ea5dc046127e857a7873ae55fd57c866e9e86fb2 ] + +Unmark inode in use if error encountered. If the in-use flag leakage +occurs in cachefiles_open_file(), Cachefiles will complain "Inode +already in use" when later another cookie with the same index key is +looked up. + +If the in-use flag leakage occurs in cachefiles_create_tmpfile(), though +the "Inode already in use" warning won't be triggered, fix the leakage +anyway. + +Reported-by: Gao Xiang +Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling") +Signed-off-by: Jeffle Xu +Signed-off-by: David Howells +cc: linux-cachefs@redhat.com +Link: https://listman.redhat.com/archives/linux-cachefs/2022-March/006615.html # v1 +Link: https://listman.redhat.com/archives/linux-cachefs/2022-March/006618.html # v2 +Signed-off-by: Sasha Levin +--- + fs/cachefiles/namei.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c +index f256c8aff7bb..ca9f3e4ec4b3 100644 +--- a/fs/cachefiles/namei.c ++++ b/fs/cachefiles/namei.c +@@ -57,6 +57,16 @@ static void __cachefiles_unmark_inode_in_use(struct cachefiles_object *object, + trace_cachefiles_mark_inactive(object, inode); + } + ++static void cachefiles_do_unmark_inode_in_use(struct cachefiles_object *object, ++ struct dentry *dentry) ++{ ++ struct inode *inode = d_backing_inode(dentry); ++ ++ inode_lock(inode); ++ __cachefiles_unmark_inode_in_use(object, dentry); ++ inode_unlock(inode); ++} ++ + /* + * Unmark a backing inode and tell cachefilesd that there's something that can + * be culled. +@@ -68,9 +78,7 @@ void cachefiles_unmark_inode_in_use(struct cachefiles_object *object, + struct inode *inode = file_inode(file); + + if (inode) { +- inode_lock(inode); +- __cachefiles_unmark_inode_in_use(object, file->f_path.dentry); +- inode_unlock(inode); ++ cachefiles_do_unmark_inode_in_use(object, file->f_path.dentry); + + if (!test_bit(CACHEFILES_OBJECT_USING_TMPFILE, &object->flags)) { + atomic_long_add(inode->i_blocks, &cache->b_released); +@@ -484,7 +492,7 @@ struct file *cachefiles_create_tmpfile(struct cachefiles_object *object) + object, d_backing_inode(path.dentry), ret, + cachefiles_trace_trunc_error); + file = ERR_PTR(ret); +- goto out_dput; ++ goto out_unuse; + } + } + +@@ -494,15 +502,20 @@ struct file *cachefiles_create_tmpfile(struct cachefiles_object *object) + trace_cachefiles_vfs_error(object, d_backing_inode(path.dentry), + PTR_ERR(file), + cachefiles_trace_open_error); +- goto out_dput; ++ goto out_unuse; + } + if (unlikely(!file->f_op->read_iter) || + unlikely(!file->f_op->write_iter)) { + fput(file); + pr_notice("Cache does not support read_iter and write_iter\n"); + file = ERR_PTR(-EINVAL); ++ goto out_unuse; + } + ++ goto out_dput; ++ ++out_unuse: ++ cachefiles_do_unmark_inode_in_use(object, path.dentry); + out_dput: + dput(path.dentry); + out: +@@ -590,14 +603,16 @@ static bool cachefiles_open_file(struct cachefiles_object *object, + check_failed: + fscache_cookie_lookup_negative(object->cookie); + cachefiles_unmark_inode_in_use(object, file); +- if (ret == -ESTALE) { +- fput(file); +- dput(dentry); ++ fput(file); ++ dput(dentry); ++ if (ret == -ESTALE) + return cachefiles_create_file(object); +- } ++ return false; ++ + error_fput: + fput(file); + error: ++ cachefiles_do_unmark_inode_in_use(object, dentry); + dput(dentry); + return false; + } +-- +2.35.1 + diff --git a/queue-5.17/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch b/queue-5.17/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch new file mode 100644 index 00000000000..9ec2d10d403 --- /dev/null +++ b/queue-5.17/cfg80211-hold-bss_lock-while-updating-nontrans_list.patch @@ -0,0 +1,45 @@ +From 304f4c81cf51c922e1267063095f7bf784f19591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 14:37:51 +0530 +Subject: cfg80211: hold bss_lock while updating nontrans_list + +From: Rameshkumar Sundaram + +[ Upstream commit a5199b5626cd6913cf8776a835bc63d40e0686ad ] + +Synchronize additions to nontrans_list of transmitting BSS with +bss_lock to avoid races. Also when cfg80211_add_nontrans_list() fails +__cfg80211_unlink_bss() needs bss_lock to be held (has lockdep assert +on bss_lock). So protect the whole block with bss_lock to avoid +races and warnings. Found during code review. + +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Rameshkumar Sundaram +Link: https://lore.kernel.org/r/1649668071-9370-1-git-send-email-quic_ramess@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index b2fdac96bab0..4a6d86432910 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -2018,11 +2018,13 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, + /* this is a nontransmitting bss, we need to add it to + * transmitting bss' list if it is not there + */ ++ spin_lock_bh(&rdev->bss_lock); + if (cfg80211_add_nontrans_list(non_tx_data->tx_bss, + &res->pub)) { + if (__cfg80211_unlink_bss(rdev, res)) + rdev->bss_generation++; + } ++ spin_unlock_bh(&rdev->bss_lock); + } + + trace_cfg80211_return_bss(&res->pub); +-- +2.35.1 + diff --git a/queue-5.17/cifs-potential-buffer-overflow-in-handling-symlinks.patch b/queue-5.17/cifs-potential-buffer-overflow-in-handling-symlinks.patch new file mode 100644 index 00000000000..5b76c66121e --- /dev/null +++ b/queue-5.17/cifs-potential-buffer-overflow-in-handling-symlinks.patch @@ -0,0 +1,43 @@ +From a45b0254f2b794370cccfaa60b824c3874ef1142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 04:42:51 -0700 +Subject: cifs: potential buffer overflow in handling symlinks + +From: Harshit Mogalapalli + +[ Upstream commit 64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304 ] + +Smatch printed a warning: + arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error: + __memcpy() 'dctx->buf' too small (16 vs u32max) + +It's caused because Smatch marks 'link_len' as untrusted since it comes +from sscanf(). Add a check to ensure that 'link_len' is not larger than +the size of the 'link_str' buffer. + +Fixes: c69c1b6eaea1 ("cifs: implement CIFSParseMFSymlink()") +Signed-off-by: Harshit Mogalapalli +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/link.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/cifs/link.c b/fs/cifs/link.c +index 852e54ee82c2..bbdf3281559c 100644 +--- a/fs/cifs/link.c ++++ b/fs/cifs/link.c +@@ -85,6 +85,9 @@ parse_mf_symlink(const u8 *buf, unsigned int buf_len, unsigned int *_link_len, + if (rc != 1) + return -EINVAL; + ++ if (link_len > CIFS_MF_SYMLINK_LINK_MAXLEN) ++ return -EINVAL; ++ + rc = symlink_hash(link_len, link_str, md5_hash); + if (rc) { + cifs_dbg(FYI, "%s: MD5 hash failure: %d\n", __func__, rc); +-- +2.35.1 + diff --git a/queue-5.17/cifs-release-cached-dentries-only-if-mount-is-comple.patch b/queue-5.17/cifs-release-cached-dentries-only-if-mount-is-comple.patch new file mode 100644 index 00000000000..b83373c11da --- /dev/null +++ b/queue-5.17/cifs-release-cached-dentries-only-if-mount-is-comple.patch @@ -0,0 +1,68 @@ +From b05b16c6bb5133c5b925b435bfe76267527a43b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Apr 2022 06:25:17 +0000 +Subject: cifs: release cached dentries only if mount is complete + +From: Shyam Prasad N + +[ Upstream commit d788e51636462e61c6883f7d96b07b06bc291650 ] + +During cifs_kill_sb, we first dput all the dentries that we have cached. +However this function can also get called for mount failures. +So dput the cached dentries only if the filesystem mount is complete. +i.e. cifs_sb->root is populated. + +Fixes: 5e9c89d43fa6 ("cifs: Grab a reference for the dentry of the cached directory during the lifetime of the cache") +Signed-off-by: Shyam Prasad N +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsfs.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index 6e5246122ee2..9f0f6bdb3a4d 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -266,22 +266,24 @@ static void cifs_kill_sb(struct super_block *sb) + * before we kill the sb. + */ + if (cifs_sb->root) { ++ node = rb_first(root); ++ while (node != NULL) { ++ tlink = rb_entry(node, struct tcon_link, tl_rbnode); ++ tcon = tlink_tcon(tlink); ++ cfid = &tcon->crfid; ++ mutex_lock(&cfid->fid_mutex); ++ if (cfid->dentry) { ++ dput(cfid->dentry); ++ cfid->dentry = NULL; ++ } ++ mutex_unlock(&cfid->fid_mutex); ++ node = rb_next(node); ++ } ++ ++ /* finally release root dentry */ + dput(cifs_sb->root); + cifs_sb->root = NULL; + } +- node = rb_first(root); +- while (node != NULL) { +- tlink = rb_entry(node, struct tcon_link, tl_rbnode); +- tcon = tlink_tcon(tlink); +- cfid = &tcon->crfid; +- mutex_lock(&cfid->fid_mutex); +- if (cfid->dentry) { +- dput(cfid->dentry); +- cfid->dentry = NULL; +- } +- mutex_unlock(&cfid->fid_mutex); +- node = rb_next(node); +- } + + kill_anon_super(sb); + cifs_umount(cifs_sb); +-- +2.35.1 + diff --git a/queue-5.17/dm-mpath-only-use-ktime_get_ns-in-historical-selecto.patch b/queue-5.17/dm-mpath-only-use-ktime_get_ns-in-historical-selecto.patch new file mode 100644 index 00000000000..244bdd91350 --- /dev/null +++ b/queue-5.17/dm-mpath-only-use-ktime_get_ns-in-historical-selecto.patch @@ -0,0 +1,70 @@ +From b155f7f8b5dfbeab9d530c8557a62835553a4105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 15:03:35 -0700 +Subject: dm mpath: only use ktime_get_ns() in historical selector + +From: Khazhismel Kumykov + +[ Upstream commit ce40426fdc3c92acdba6b5ca74bc7277ffaa6a3d ] + +Mixing sched_clock() and ktime_get_ns() usage will give bad results. + +Switch hst_select_path() from using sched_clock() to ktime_get_ns(). +Also rename path_service_time()'s 'sched_now' variable to 'now'. + +Fixes: 2613eab11996 ("dm mpath: add Historical Service Time Path Selector") +Signed-off-by: Khazhismel Kumykov +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-ps-historical-service-time.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/md/dm-ps-historical-service-time.c b/drivers/md/dm-ps-historical-service-time.c +index 875bca30a0dd..82f2a06153dc 100644 +--- a/drivers/md/dm-ps-historical-service-time.c ++++ b/drivers/md/dm-ps-historical-service-time.c +@@ -27,7 +27,6 @@ + #include + #include + #include +-#include + + + #define DM_MSG_PREFIX "multipath historical-service-time" +@@ -433,7 +432,7 @@ static struct dm_path *hst_select_path(struct path_selector *ps, + { + struct selector *s = ps->context; + struct path_info *pi = NULL, *best = NULL; +- u64 time_now = sched_clock(); ++ u64 time_now = ktime_get_ns(); + struct dm_path *ret = NULL; + unsigned long flags; + +@@ -474,7 +473,7 @@ static int hst_start_io(struct path_selector *ps, struct dm_path *path, + + static u64 path_service_time(struct path_info *pi, u64 start_time) + { +- u64 sched_now = ktime_get_ns(); ++ u64 now = ktime_get_ns(); + + /* if a previous disk request has finished after this IO was + * sent to the hardware, pretend the submission happened +@@ -483,11 +482,11 @@ static u64 path_service_time(struct path_info *pi, u64 start_time) + if (time_after64(pi->last_finish, start_time)) + start_time = pi->last_finish; + +- pi->last_finish = sched_now; +- if (time_before64(sched_now, start_time)) ++ pi->last_finish = now; ++ if (time_before64(now, start_time)) + return 0; + +- return sched_now - start_time; ++ return now - start_time; + } + + static int hst_end_io(struct path_selector *ps, struct dm_path *path, +-- +2.35.1 + diff --git a/queue-5.17/drbd-set-queue_flag_stable_writes.patch b/queue-5.17/drbd-set-queue_flag_stable_writes.patch new file mode 100644 index 00000000000..1170141ddd4 --- /dev/null +++ b/queue-5.17/drbd-set-queue_flag_stable_writes.patch @@ -0,0 +1,36 @@ +From 2443e2725efb97578a841156ffff924904beb2ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 21:04:45 +0200 +Subject: drbd: set QUEUE_FLAG_STABLE_WRITES +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Böhmwalder + +[ Upstream commit 286901941fd18a52b2138fddbbf589ad3639eb00 ] + +We want our pages not to change while they are being written. + +Signed-off-by: Christoph Böhmwalder +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c +index 5d5beeba3ed4..478ba959362c 100644 +--- a/drivers/block/drbd/drbd_main.c ++++ b/drivers/block/drbd/drbd_main.c +@@ -2739,6 +2739,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig + sprintf(disk->disk_name, "drbd%d", minor); + disk->private_data = device; + ++ blk_queue_flag_set(QUEUE_FLAG_STABLE_WRITES, disk->queue); + blk_queue_write_cache(disk->queue, true, true); + /* Setting the max_hw_sectors to an odd value of 8kibyte here + This triggers a max_bio_size message upon first attach or connect */ +-- +2.35.1 + diff --git a/queue-5.17/drivers-hv-balloon-disable-balloon-and-hot-add-accor.patch b/queue-5.17/drivers-hv-balloon-disable-balloon-and-hot-add-accor.patch new file mode 100644 index 00000000000..63f8656eac8 --- /dev/null +++ b/queue-5.17/drivers-hv-balloon-disable-balloon-and-hot-add-accor.patch @@ -0,0 +1,95 @@ +From 39dbc5d040ac7115b8da9ad3b5ad7c36c8707d03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Mar 2022 10:32:12 +0800 +Subject: Drivers: hv: balloon: Disable balloon and hot-add accordingly + +From: Boqun Feng + +[ Upstream commit be5802795cf8d0b881745fa9ba7790293b382280 ] + +Currently there are known potential issues for balloon and hot-add on +ARM64: + +* Unballoon requests from Hyper-V should only unballoon ranges + that are guest page size aligned, otherwise guests cannot handle + because it's impossible to partially free a page. This is a + problem when guest page size > 4096 bytes. + +* Memory hot-add requests from Hyper-V should provide the NUMA + node id of the added ranges or ARM64 should have a functional + memory_add_physaddr_to_nid(), otherwise the node id is missing + for add_memory(). + +These issues require discussions on design and implementation. In the +meanwhile, post_status() is working and essential to guest monitoring. +Therefore instead of disabling the entire hv_balloon driver, the +ballooning (when page size > 4096 bytes) and hot-add are disabled +accordingly for now. Once the issues are fixed, they can be re-enable in +these cases. + +Signed-off-by: Boqun Feng +Reviewed-by: Michael Kelley +Link: https://lore.kernel.org/r/20220325023212.1570049-3-boqun.feng@gmail.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/hv_balloon.c | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c +index 439f99b8b5de..3cf334c46c31 100644 +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -1653,6 +1653,38 @@ static void disable_page_reporting(void) + } + } + ++static int ballooning_enabled(void) ++{ ++ /* ++ * Disable ballooning if the page size is not 4k (HV_HYP_PAGE_SIZE), ++ * since currently it's unclear to us whether an unballoon request can ++ * make sure all page ranges are guest page size aligned. ++ */ ++ if (PAGE_SIZE != HV_HYP_PAGE_SIZE) { ++ pr_info("Ballooning disabled because page size is not 4096 bytes\n"); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static int hot_add_enabled(void) ++{ ++ /* ++ * Disable hot add on ARM64, because we currently rely on ++ * memory_add_physaddr_to_nid() to get a node id of a hot add range, ++ * however ARM64's memory_add_physaddr_to_nid() always return 0 and ++ * DM_MEM_HOT_ADD_REQUEST doesn't have the NUMA node information for ++ * add_memory(). ++ */ ++ if (IS_ENABLED(CONFIG_ARM64)) { ++ pr_info("Memory hot add disabled on ARM64\n"); ++ return 0; ++ } ++ ++ return 1; ++} ++ + static int balloon_connect_vsp(struct hv_device *dev) + { + struct dm_version_request version_req; +@@ -1724,8 +1756,8 @@ static int balloon_connect_vsp(struct hv_device *dev) + * currently still requires the bits to be set, so we have to add code + * to fail the host's hot-add and balloon up/down requests, if any. + */ +- cap_msg.caps.cap_bits.balloon = 1; +- cap_msg.caps.cap_bits.hot_add = 1; ++ cap_msg.caps.cap_bits.balloon = ballooning_enabled(); ++ cap_msg.caps.cap_bits.hot_add = hot_add_enabled(); + + /* + * Specify our alignment requirements as it relates +-- +2.35.1 + diff --git a/queue-5.17/drivers-hv-vmbus-deactivate-sysctl_record_panic_msg-.patch b/queue-5.17/drivers-hv-vmbus-deactivate-sysctl_record_panic_msg-.patch new file mode 100644 index 00000000000..03334c10db5 --- /dev/null +++ b/queue-5.17/drivers-hv-vmbus-deactivate-sysctl_record_panic_msg-.patch @@ -0,0 +1,77 @@ +From bfac634ec7d938c665a285476d58ecb01ceb5859 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 15:11:35 +0100 +Subject: Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in + isolated guests + +From: Andrea Parri (Microsoft) + +[ Upstream commit 9f8b577f7b43b2170628d6c537252785dcc2dcea ] + +hv_panic_page might contain guest-sensitive information, do not dump it +over to Hyper-V by default in isolated guests. + +While at it, update some comments in hyperv_{panic,die}_event(). + +Reported-by: Dexuan Cui +Signed-off-by: Andrea Parri (Microsoft) +Reviewed-by: Dexuan Cui +Link: https://lore.kernel.org/r/20220301141135.2232-1-parri.andrea@gmail.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/vmbus_drv.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 4bea1dfa41cd..6c057c76c2ca 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -77,8 +77,8 @@ static int hyperv_panic_event(struct notifier_block *nb, unsigned long val, + + /* + * Hyper-V should be notified only once about a panic. If we will be +- * doing hyperv_report_panic_msg() later with kmsg data, don't do +- * the notification here. ++ * doing hv_kmsg_dump() with kmsg data later, don't do the notification ++ * here. + */ + if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE + && hyperv_report_reg()) { +@@ -100,8 +100,8 @@ static int hyperv_die_event(struct notifier_block *nb, unsigned long val, + + /* + * Hyper-V should be notified only once about a panic. If we will be +- * doing hyperv_report_panic_msg() later with kmsg data, don't do +- * the notification here. ++ * doing hv_kmsg_dump() with kmsg data later, don't do the notification ++ * here. + */ + if (hyperv_report_reg()) + hyperv_report_panic(regs, val, true); +@@ -1546,14 +1546,20 @@ static int vmbus_bus_init(void) + if (ret) + goto err_connect; + ++ if (hv_is_isolation_supported()) ++ sysctl_record_panic_msg = 0; ++ + /* + * Only register if the crash MSRs are available + */ + if (ms_hyperv.misc_features & HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE) { + u64 hyperv_crash_ctl; + /* +- * Sysctl registration is not fatal, since by default +- * reporting is enabled. ++ * Panic message recording (sysctl_record_panic_msg) ++ * is enabled by default in non-isolated guests and ++ * disabled by default in isolated guests; the panic ++ * message recording won't be available in isolated ++ * guests should the following registration fail. + */ + hv_ctl_table_hdr = register_sysctl_table(hv_root_table); + if (!hv_ctl_table_hdr) +-- +2.35.1 + diff --git a/queue-5.17/drivers-hv-vmbus-prevent-load-re-ordering-when-readi.patch b/queue-5.17/drivers-hv-vmbus-prevent-load-re-ordering-when-readi.patch new file mode 100644 index 00000000000..ef0b6f69262 --- /dev/null +++ b/queue-5.17/drivers-hv-vmbus-prevent-load-re-ordering-when-readi.patch @@ -0,0 +1,57 @@ +From 4d28dd280b99bbbeb92eab03db8f06472cfa6068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Mar 2022 08:25:10 -0700 +Subject: Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer + +From: Michael Kelley + +[ Upstream commit b6cae15b5710c8097aad26a2e5e752c323ee5348 ] + +When reading a packet from a host-to-guest ring buffer, there is no +memory barrier between reading the write index (to see if there is +a packet to read) and reading the contents of the packet. The Hyper-V +host uses store-release when updating the write index to ensure that +writes of the packet data are completed first. On the guest side, +the processor can reorder and read the packet data before the write +index, and sometimes get stale packet data. Getting such stale packet +data has been observed in a reproducible case in a VM on ARM64. + +Fix this by using virt_load_acquire() to read the write index, +ensuring that reads of the packet data cannot be reordered +before it. Preventing such reordering is logically correct, and +with this change, getting stale data can no longer be reproduced. + +Signed-off-by: Michael Kelley +Reviewed-by: Andrea Parri (Microsoft) +Link: https://lore.kernel.org/r/1648394710-33480-1-git-send-email-mikelley@microsoft.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/ring_buffer.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c +index 71efacb90965..3d215d9dec43 100644 +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -439,7 +439,16 @@ int hv_ringbuffer_read(struct vmbus_channel *channel, + static u32 hv_pkt_iter_avail(const struct hv_ring_buffer_info *rbi) + { + u32 priv_read_loc = rbi->priv_read_index; +- u32 write_loc = READ_ONCE(rbi->ring_buffer->write_index); ++ u32 write_loc; ++ ++ /* ++ * The Hyper-V host writes the packet data, then uses ++ * store_release() to update the write_index. Use load_acquire() ++ * here to prevent loads of the packet data from being re-ordered ++ * before the read of the write_index and potentially getting ++ * stale data. ++ */ ++ write_loc = virt_load_acquire(&rbi->ring_buffer->write_index); + + if (write_loc >= priv_read_loc) + return write_loc - priv_read_loc; +-- +2.35.1 + diff --git a/queue-5.17/drivers-hv-vmbus-propagate-vmbus-coherence-to-each-v.patch b/queue-5.17/drivers-hv-vmbus-propagate-vmbus-coherence-to-each-v.patch new file mode 100644 index 00000000000..83ec36963ed --- /dev/null +++ b/queue-5.17/drivers-hv-vmbus-propagate-vmbus-coherence-to-each-v.patch @@ -0,0 +1,132 @@ +From a5a6e30a94596f6b316458954b624373b540688e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 09:14:51 -0700 +Subject: Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus device + +From: Michael Kelley + +[ Upstream commit 37200078ed6aa2ac3c88a01a64996133dccfdd34 ] + +VMbus synthetic devices are not represented in the ACPI DSDT -- only +the top level VMbus device is represented. As a result, on ARM64 +coherence information in the _CCA method is not specified for +synthetic devices, so they default to not hardware coherent. +Drivers for some of these synthetic devices have been recently +updated to use the standard DMA APIs, and they are incurring extra +overhead of unneeded software coherence management. + +Fix this by propagating coherence information from the VMbus node +in ACPI to the individual synthetic devices. There's no effect on +x86/x64 where devices are always hardware coherent. + +Signed-off-by: Michael Kelley +Acked-by: Robin Murphy +Link: https://lore.kernel.org/r/1648138492-2191-2-git-send-email-mikelley@microsoft.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/hv_common.c | 11 +++++++++++ + drivers/hv/vmbus_drv.c | 31 +++++++++++++++++++++++++++++++ + include/asm-generic/mshyperv.h | 1 + + 3 files changed, 43 insertions(+) + +diff --git a/drivers/hv/hv_common.c b/drivers/hv/hv_common.c +index 181d16bbf49d..820e81406251 100644 +--- a/drivers/hv/hv_common.c ++++ b/drivers/hv/hv_common.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -216,6 +217,16 @@ bool hv_query_ext_cap(u64 cap_query) + } + EXPORT_SYMBOL_GPL(hv_query_ext_cap); + ++void hv_setup_dma_ops(struct device *dev, bool coherent) ++{ ++ /* ++ * Hyper-V does not offer a vIOMMU in the guest ++ * VM, so pass 0/NULL for the IOMMU settings ++ */ ++ arch_setup_dma_ops(dev, 0, 0, NULL, coherent); ++} ++EXPORT_SYMBOL_GPL(hv_setup_dma_ops); ++ + bool hv_is_hibernation_supported(void) + { + return !hv_root_partition && acpi_sleep_state_supported(ACPI_STATE_S4); +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 6c057c76c2ca..3cd0d3a44fa2 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -920,6 +920,21 @@ static int vmbus_probe(struct device *child_device) + return ret; + } + ++/* ++ * vmbus_dma_configure -- Configure DMA coherence for VMbus device ++ */ ++static int vmbus_dma_configure(struct device *child_device) ++{ ++ /* ++ * On ARM64, propagate the DMA coherence setting from the top level ++ * VMbus ACPI device to the child VMbus device being added here. ++ * On x86/x64 coherence is assumed and these calls have no effect. ++ */ ++ hv_setup_dma_ops(child_device, ++ device_get_dma_attr(&hv_acpi_dev->dev) == DEV_DMA_COHERENT); ++ return 0; ++} ++ + /* + * vmbus_remove - Remove a vmbus device + */ +@@ -1040,6 +1055,7 @@ static struct bus_type hv_bus = { + .remove = vmbus_remove, + .probe = vmbus_probe, + .uevent = vmbus_uevent, ++ .dma_configure = vmbus_dma_configure, + .dev_groups = vmbus_dev_groups, + .drv_groups = vmbus_drv_groups, + .bus_groups = vmbus_bus_groups, +@@ -2435,6 +2451,21 @@ static int vmbus_acpi_add(struct acpi_device *device) + + hv_acpi_dev = device; + ++ /* ++ * Older versions of Hyper-V for ARM64 fail to include the _CCA ++ * method on the top level VMbus device in the DSDT. But devices ++ * are hardware coherent in all current Hyper-V use cases, so fix ++ * up the ACPI device to behave as if _CCA is present and indicates ++ * hardware coherence. ++ */ ++ ACPI_COMPANION_SET(&device->dev, device); ++ if (IS_ENABLED(CONFIG_ACPI_CCA_REQUIRED) && ++ device_get_dma_attr(&device->dev) == DEV_DMA_NOT_SUPPORTED) { ++ pr_info("No ACPI _CCA found; assuming coherent device I/O\n"); ++ device->flags.cca_seen = true; ++ device->flags.coherent_dma = true; ++ } ++ + result = acpi_walk_resources(device->handle, METHOD_NAME__CRS, + vmbus_walk_resources, NULL); + +diff --git a/include/asm-generic/mshyperv.h b/include/asm-generic/mshyperv.h +index c08758b6b364..c05d2ce9b6cd 100644 +--- a/include/asm-generic/mshyperv.h ++++ b/include/asm-generic/mshyperv.h +@@ -269,6 +269,7 @@ bool hv_isolation_type_snp(void); + u64 hv_ghcb_hypercall(u64 control, void *input, void *output, u32 input_size); + void hyperv_cleanup(void); + bool hv_query_ext_cap(u64 cap_query); ++void hv_setup_dma_ops(struct device *dev, bool coherent); + void *hv_map_memory(void *addr, unsigned long size); + void hv_unmap_memory(void *addr); + #else /* CONFIG_HYPERV */ +-- +2.35.1 + diff --git a/queue-5.17/drivers-net-slip-fix-npd-bug-in-sl_tx_timeout.patch b/queue-5.17/drivers-net-slip-fix-npd-bug-in-sl_tx_timeout.patch new file mode 100644 index 00000000000..f643ed5ff38 --- /dev/null +++ b/queue-5.17/drivers-net-slip-fix-npd-bug-in-sl_tx_timeout.patch @@ -0,0 +1,60 @@ +From 43e89be7aa8274dc2acfb1c22678ea93d63a3f77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 21:22:06 +0800 +Subject: drivers: net: slip: fix NPD bug in sl_tx_timeout() + +From: Duoming Zhou + +[ Upstream commit ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 ] + +When a slip driver is detaching, the slip_close() will act to +cleanup necessary resources and sl->tty is set to NULL in +slip_close(). Meanwhile, the packet we transmit is blocked, +sl_tx_timeout() will be called. Although slip_close() and +sl_tx_timeout() use sl->lock to synchronize, we don`t judge +whether sl->tty equals to NULL in sl_tx_timeout() and the +null pointer dereference bug will happen. + + (Thread 1) | (Thread 2) + | slip_close() + | spin_lock_bh(&sl->lock) + | ... +... | sl->tty = NULL //(1) +sl_tx_timeout() | spin_unlock_bh(&sl->lock) + spin_lock(&sl->lock); | + ... | ... + tty_chars_in_buffer(sl->tty)| + if (tty->ops->..) //(2) | + ... | synchronize_rcu() + +We set NULL to sl->tty in position (1) and dereference sl->tty +in position (2). + +This patch adds check in sl_tx_timeout(). If sl->tty equals to +NULL, sl_tx_timeout() will goto out. + +Signed-off-by: Duoming Zhou +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/slip/slip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index 98f586f910fb..8ed4fcf70b9b 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -469,7 +469,7 @@ static void sl_tx_timeout(struct net_device *dev, unsigned int txqueue) + spin_lock(&sl->lock); + + if (netif_queue_stopped(dev)) { +- if (!netif_running(dev)) ++ if (!netif_running(dev) || !sl->tty) + goto out; + + /* May be we must check transmitter timeout here ? +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-add-usbc-connector-id.patch b/queue-5.17/drm-amd-add-usbc-connector-id.patch new file mode 100644 index 00000000000..760ffddb799 --- /dev/null +++ b/queue-5.17/drm-amd-add-usbc-connector-id.patch @@ -0,0 +1,35 @@ +From fa61bb57b9464bd605c1ea13031f7e02995ccccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 14:53:24 -0400 +Subject: drm/amd: Add USBC connector ID + +From: Aurabindo Pillai + +[ Upstream commit c5c948aa894a831f96fccd025e47186b1ee41615 ] + +[Why&How] Add a dedicated AMDGPU specific ID for use with +newer ASICs that support USB-C output + +Signed-off-by: Aurabindo Pillai +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/ObjectID.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/ObjectID.h b/drivers/gpu/drm/amd/amdgpu/ObjectID.h +index 5b393622f592..a0f0a17e224f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/ObjectID.h ++++ b/drivers/gpu/drm/amd/amdgpu/ObjectID.h +@@ -119,6 +119,7 @@ + #define CONNECTOR_OBJECT_ID_eDP 0x14 + #define CONNECTOR_OBJECT_ID_MXM 0x15 + #define CONNECTOR_OBJECT_ID_LVDS_eDP 0x16 ++#define CONNECTOR_OBJECT_ID_USBC 0x17 + + /* deleted */ + +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-correct-slice-reset-calculation.patch b/queue-5.17/drm-amd-display-correct-slice-reset-calculation.patch new file mode 100644 index 00000000000..cfffc9bb74c --- /dev/null +++ b/queue-5.17/drm-amd-display-correct-slice-reset-calculation.patch @@ -0,0 +1,51 @@ +From 8d37ca402a3a60b8ef3fc62c1ab5bb6004f8871a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 12:21:43 -0400 +Subject: drm/amd/display: Correct Slice reset calculation + +From: Chris Park + +[ Upstream commit 862a876c3a6372f2fa9d0c6510f1976ac94fc857 ] + +[Why] +Once DSC slice cannot fit pixel clock, we incorrectly +reset min slices to 0 and allow max slice to operate, +even when max slice itself cannot fit the pixel clock +properly. + +[How] +Change the sequence such that we correctly determine +DSC is not possible when both min slices and max +slices cannot fit pixel clock per slice. + +Reviewed-by: Wenjing Liu +Acked-by: Alex Hung +Signed-off-by: Chris Park +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c b/drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c +index 9c74564cbd8d..8973d3a38f9c 100644 +--- a/drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c ++++ b/drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c +@@ -864,11 +864,11 @@ static bool setup_dsc_config( + min_slices_h = inc_num_slices(dsc_common_caps.slice_caps, min_slices_h); + } + ++ is_dsc_possible = (min_slices_h <= max_slices_h); ++ + if (pic_width % min_slices_h != 0) + min_slices_h = 0; // DSC TODO: Maybe try increasing the number of slices first? + +- is_dsc_possible = (min_slices_h <= max_slices_h); +- + if (min_slices_h == 0 && max_slices_h == 0) + is_dsc_possible = false; + +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-enable-power-gating-before-init_pipe.patch b/queue-5.17/drm-amd-display-enable-power-gating-before-init_pipe.patch new file mode 100644 index 00000000000..46a5c162885 --- /dev/null +++ b/queue-5.17/drm-amd-display-enable-power-gating-before-init_pipe.patch @@ -0,0 +1,106 @@ +From ec217b7318dbec907ed81fbe5f20e99c000cedbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 16:31:14 -0400 +Subject: drm/amd/display: Enable power gating before init_pipes + +From: Roman Li + +[ Upstream commit 58e16c752e9540b28a873c44c3bee83e022007c1 ] + +[Why] +In init_hw() we call init_pipes() before enabling power gating. +init_pipes() tries to power gate dsc but it may fail because +required force-ons are not released yet. +As a result with dsc config the following errors observed on resume: +"REG_WAIT timeout 1us * 1000 tries - dcn20_dsc_pg_control" +"REG_WAIT timeout 1us * 1000 tries - dcn20_dpp_pg_control" +"REG_WAIT timeout 1us * 1000 tries - dcn20_hubp_pg_control" + +[How] +Move enable_power_gating_plane() before init_pipes() in init_hw() + +Reviewed-by: Anthony Koo +Reviewed-by: Eric Yang +Acked-by: Alex Hung +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 5 +++-- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 5 +++-- + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c | 5 +++-- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index a6703d17fcb6..c6a0daa56fa0 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -1501,6 +1501,9 @@ void dcn10_init_hw(struct dc *dc) + if (dc->config.power_down_display_on_boot) + dc_link_blank_all_dp_displays(dc); + ++ if (hws->funcs.enable_power_gating_plane) ++ hws->funcs.enable_power_gating_plane(dc->hwseq, true); ++ + /* If taking control over from VBIOS, we may want to optimize our first + * mode set, so we need to skip powering down pipes until we know which + * pipes we want to use. +@@ -1553,8 +1556,6 @@ void dcn10_init_hw(struct dc *dc) + + REG_UPDATE(DCFCLK_CNTL, DCFCLK_GATE_DIS, 0); + } +- if (hws->funcs.enable_power_gating_plane) +- hws->funcs.enable_power_gating_plane(dc->hwseq, true); + + if (dc->clk_mgr->funcs->notify_wm_ranges) + dc->clk_mgr->funcs->notify_wm_ranges(dc->clk_mgr); +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +index 1db1ca19411d..05dc0a3ae2a3 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +@@ -548,6 +548,9 @@ void dcn30_init_hw(struct dc *dc) + if (dc->config.power_down_display_on_boot) + dc_link_blank_all_dp_displays(dc); + ++ if (hws->funcs.enable_power_gating_plane) ++ hws->funcs.enable_power_gating_plane(dc->hwseq, true); ++ + /* If taking control over from VBIOS, we may want to optimize our first + * mode set, so we need to skip powering down pipes until we know which + * pipes we want to use. +@@ -625,8 +628,6 @@ void dcn30_init_hw(struct dc *dc) + + REG_UPDATE(DCFCLK_CNTL, DCFCLK_GATE_DIS, 0); + } +- if (hws->funcs.enable_power_gating_plane) +- hws->funcs.enable_power_gating_plane(dc->hwseq, true); + + if (!dcb->funcs->is_accelerated_mode(dcb) && dc->res_pool->hubbub->funcs->init_watermarks) + dc->res_pool->hubbub->funcs->init_watermarks(dc->res_pool->hubbub); +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c +index 1e156f398065..bdc4467b40d7 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c +@@ -200,6 +200,9 @@ void dcn31_init_hw(struct dc *dc) + if (dc->config.power_down_display_on_boot) + dc_link_blank_all_dp_displays(dc); + ++ if (hws->funcs.enable_power_gating_plane) ++ hws->funcs.enable_power_gating_plane(dc->hwseq, true); ++ + /* If taking control over from VBIOS, we may want to optimize our first + * mode set, so we need to skip powering down pipes until we know which + * pipes we want to use. +@@ -249,8 +252,6 @@ void dcn31_init_hw(struct dc *dc) + + REG_UPDATE(DCFCLK_CNTL, DCFCLK_GATE_DIS, 0); + } +- if (hws->funcs.enable_power_gating_plane) +- hws->funcs.enable_power_gating_plane(dc->hwseq, true); + + if (!dcb->funcs->is_accelerated_mode(dcb) && dc->res_pool->hubbub->funcs->init_watermarks) + dc->res_pool->hubbub->funcs->init_watermarks(dc->res_pool->hubbub); +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-fec-check-in-timing-validation.patch b/queue-5.17/drm-amd-display-fec-check-in-timing-validation.patch new file mode 100644 index 00000000000..b57533f125c --- /dev/null +++ b/queue-5.17/drm-amd-display-fec-check-in-timing-validation.patch @@ -0,0 +1,43 @@ +From adf665517978a68afe8ece348c1c3ea590c7c874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 00:07:59 +0800 +Subject: drm/amd/display: FEC check in timing validation + +From: Chiawen Huang + +[ Upstream commit 7d56a154e22ffb3613fdebf83ec34d5225a22993 ] + +[Why] +disable/enable leads FEC mismatch between hw/sw FEC state. + +[How] +check FEC status to fastboot on/off. + +Reviewed-by: Anthony Koo +Acked-by: Alex Hung +Signed-off-by: Chiawen Huang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 62bc6ce88753..78e17a4af4ab 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1495,6 +1495,10 @@ bool dc_validate_seamless_boot_timing(const struct dc *dc, + if (!link->link_enc->funcs->is_dig_enabled(link->link_enc)) + return false; + ++ /* Check for FEC status*/ ++ if (link->link_enc->funcs->fec_is_active(link->link_enc)) ++ return false; ++ + enc_inst = link->link_enc->funcs->get_dig_frontend(link->link_enc); + + if (enc_inst == ENGINE_ID_UNKNOWN) +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-fix-allocate_mst_payload-assert-on-r.patch b/queue-5.17/drm-amd-display-fix-allocate_mst_payload-assert-on-r.patch new file mode 100644 index 00000000000..a2f9432bd41 --- /dev/null +++ b/queue-5.17/drm-amd-display-fix-allocate_mst_payload-assert-on-r.patch @@ -0,0 +1,46 @@ +From 630b98e812903c5fa61cdca5ee890c8b2a3cfb60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 19:55:05 -0400 +Subject: drm/amd/display: Fix allocate_mst_payload assert on resume + +From: Roman Li + +[ Upstream commit f4346fb3edf7720db3f7f5e1cab1f667cd024280 ] + +[Why] +On resume we do link detection for all non-MST connectors. +MST is handled separately. However the condition for telling +if connector is on mst branch is not enough for mst hub case. +Link detection for mst branch link leads to mst topology reset. +That causes assert in dc_link_allocate_mst_payload() + +[How] +Use link type as indicator for mst link. + +Reviewed-by: Wayne Lin +Acked-by: Alex Hung +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 90c017859ad4..24db2297857b 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2693,7 +2693,8 @@ static int dm_resume(void *handle) + * this is the case when traversing through already created + * MST connectors, should be skipped + */ +- if (aconnector->mst_port) ++ if (aconnector->dc_link && ++ aconnector->dc_link->type == dc_connection_mst_branch) + continue; + + mutex_lock(&aconnector->hpd_lock); +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-fix-audio-format-not-updated-after-e.patch b/queue-5.17/drm-amd-display-fix-audio-format-not-updated-after-e.patch new file mode 100644 index 00000000000..da019eb001e --- /dev/null +++ b/queue-5.17/drm-amd-display-fix-audio-format-not-updated-after-e.patch @@ -0,0 +1,42 @@ +From 120c75b3c673d38b02df32d804de3cacd818d50e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 18:31:29 -0500 +Subject: drm/amd/display: fix audio format not updated after edid updated + +From: Charlene Liu + +[ Upstream commit 5e8a71cf13bc9184fee915b2220be71b4c6cac74 ] + +[why] +for the case edid change only changed audio format. +driver still need to update stream. + +Reviewed-by: Alvin Lee +Reviewed-by: Aric Cyr +Acked-by: Alex Hung +Signed-off-by: Charlene Liu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index ac3071e38e4a..f0a97b82c33a 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -1667,8 +1667,8 @@ bool dc_is_stream_unchanged( + if (old_stream->ignore_msa_timing_param != stream->ignore_msa_timing_param) + return false; + +- // Only Have Audio left to check whether it is same or not. This is a corner case for Tiled sinks +- if (old_stream->audio_info.mode_count != stream->audio_info.mode_count) ++ /*compare audio info*/ ++ if (memcmp(&old_stream->audio_info, &stream->audio_info, sizeof(stream->audio_info)) != 0) + return false; + + return true; +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-revert-fec-check-in-validation.patch b/queue-5.17/drm-amd-display-revert-fec-check-in-validation.patch new file mode 100644 index 00000000000..aa8776c2807 --- /dev/null +++ b/queue-5.17/drm-amd-display-revert-fec-check-in-validation.patch @@ -0,0 +1,40 @@ +From a37e498d6e503c5d6f91e01f1a7c04c83fdc19cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Mar 2022 11:12:36 -0400 +Subject: drm/amd/display: Revert FEC check in validation + +From: Martin Leung + +[ Upstream commit b2075fce104b88b789c15ef1ed2b91dc94198e26 ] + +why and how: +causes failure on install on certain machines + +Reviewed-by: George Shen +Acked-by: Alex Hung +Signed-off-by: Martin Leung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 78e17a4af4ab..62bc6ce88753 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1495,10 +1495,6 @@ bool dc_validate_seamless_boot_timing(const struct dc *dc, + if (!link->link_enc->funcs->is_dig_enabled(link->link_enc)) + return false; + +- /* Check for FEC status*/ +- if (link->link_enc->funcs->fec_is_active(link->link_enc)) +- return false; +- + enc_inst = link->link_enc->funcs->get_dig_frontend(link->link_enc); + + if (enc_inst == ENGINE_ID_UNKNOWN) +-- +2.35.1 + diff --git a/queue-5.17/drm-amd-display-update-vtem-infopacket-definition.patch b/queue-5.17/drm-amd-display-update-vtem-infopacket-definition.patch new file mode 100644 index 00000000000..0f184329e1b --- /dev/null +++ b/queue-5.17/drm-amd-display-update-vtem-infopacket-definition.patch @@ -0,0 +1,50 @@ +From 5eb48d7015b73b16a6099e66a5f632b7aa5ae67c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 11:35:29 -0500 +Subject: drm/amd/display: Update VTEM Infopacket definition + +From: Leo (Hanghong) Ma + +[ Upstream commit c9fbf6435162ed5fb7201d1d4adf6585c6a8c327 ] + +[Why & How] +The latest HDMI SPEC has updated the VTEM packet structure, +so change the VTEM Infopacket defined in the driver side to align +with the SPEC. + +Reviewed-by: Chris Park +Acked-by: Alex Hung +Signed-off-by: Leo (Hanghong) Ma +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/modules/info_packet/info_packet.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c b/drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c +index 57f198de5e2c..4e075b01d48b 100644 +--- a/drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c ++++ b/drivers/gpu/drm/amd/display/modules/info_packet/info_packet.c +@@ -100,7 +100,8 @@ enum vsc_packet_revision { + //PB7 = MD0 + #define MASK_VTEM_MD0__VRR_EN 0x01 + #define MASK_VTEM_MD0__M_CONST 0x02 +-#define MASK_VTEM_MD0__RESERVED2 0x0C ++#define MASK_VTEM_MD0__QMS_EN 0x04 ++#define MASK_VTEM_MD0__RESERVED2 0x08 + #define MASK_VTEM_MD0__FVA_FACTOR_M1 0xF0 + + //MD1 +@@ -109,7 +110,7 @@ enum vsc_packet_revision { + //MD2 + #define MASK_VTEM_MD2__BASE_REFRESH_RATE_98 0x03 + #define MASK_VTEM_MD2__RB 0x04 +-#define MASK_VTEM_MD2__RESERVED3 0xF8 ++#define MASK_VTEM_MD2__NEXT_TFR 0xF8 + + //MD3 + #define MASK_VTEM_MD3__BASE_REFRESH_RATE_07 0xFF +-- +2.35.1 + diff --git a/queue-5.17/drm-amdgpu-conduct-a-proper-cleanup-of-pdb-bo.patch b/queue-5.17/drm-amdgpu-conduct-a-proper-cleanup-of-pdb-bo.patch new file mode 100644 index 00000000000..05b466a41d6 --- /dev/null +++ b/queue-5.17/drm-amdgpu-conduct-a-proper-cleanup-of-pdb-bo.patch @@ -0,0 +1,41 @@ +From eb5a0b00da051537a4a390dabc71dd9bf8ddb448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 14:59:28 +0800 +Subject: drm/amdgpu: conduct a proper cleanup of PDB bo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +[ Upstream commit 2d505453f38e18d42ba7d5428aaa17aaa7752c65 ] + +Use amdgpu_bo_free_kernel instead of amdgpu_bo_unref to +perform a proper cleanup of PDB bo. + +v2: update subject to be more accurate + +Signed-off-by: Guchun Chen +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index 88c1eb9ad068..34ee75cf7954 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -1684,7 +1684,7 @@ static int gmc_v9_0_sw_fini(void *handle) + amdgpu_gem_force_release(adev); + amdgpu_vm_manager_fini(adev); + amdgpu_gart_table_vram_free(adev); +- amdgpu_bo_unref(&adev->gmc.pdb0_bo); ++ amdgpu_bo_free_kernel(&adev->gmc.pdb0_bo, NULL, &adev->gmc.ptr_pdb0); + amdgpu_bo_fini(adev); + + return 0; +-- +2.35.1 + diff --git a/queue-5.17/drm-amdgpu-gmc-use-pci-bars-for-apus-in-passthrough.patch b/queue-5.17/drm-amdgpu-gmc-use-pci-bars-for-apus-in-passthrough.patch new file mode 100644 index 00000000000..94acc9b43af --- /dev/null +++ b/queue-5.17/drm-amdgpu-gmc-use-pci-bars-for-apus-in-passthrough.patch @@ -0,0 +1,110 @@ +From c4a4080368863b5a0593f5d44958094fb49d6280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 18:02:11 -0500 +Subject: drm/amdgpu/gmc: use PCI BARs for APUs in passthrough +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit b818a5d374542ccec73dcfe578a081574029820e ] + +If the GPU is passed through to a guest VM, use the PCI +BAR for CPU FB access rather than the physical address of +carve out. The physical address is not valid in a guest. + +v2: Fix HDP handing as suggested by Michel + +Reviewed-by: Christian König +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 2 +- + drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 5 +++-- + drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 2 +- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 2 +- + 5 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index b87dca6d09fa..052816f0efed 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -5678,7 +5678,7 @@ void amdgpu_device_flush_hdp(struct amdgpu_device *adev, + struct amdgpu_ring *ring) + { + #ifdef CONFIG_X86_64 +- if (adev->flags & AMD_IS_APU) ++ if ((adev->flags & AMD_IS_APU) && !amdgpu_passthrough(adev)) + return; + #endif + if (adev->gmc.xgmi.connected_to_cpu) +@@ -5694,7 +5694,7 @@ void amdgpu_device_invalidate_hdp(struct amdgpu_device *adev, + struct amdgpu_ring *ring) + { + #ifdef CONFIG_X86_64 +- if (adev->flags & AMD_IS_APU) ++ if ((adev->flags & AMD_IS_APU) && !amdgpu_passthrough(adev)) + return; + #endif + if (adev->gmc.xgmi.connected_to_cpu) +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +index a2f8ed0e6a64..f1b794d5d87d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c +@@ -788,7 +788,7 @@ static int gmc_v10_0_mc_init(struct amdgpu_device *adev) + adev->gmc.aper_size = pci_resource_len(adev->pdev, 0); + + #ifdef CONFIG_X86_64 +- if (adev->flags & AMD_IS_APU) { ++ if ((adev->flags & AMD_IS_APU) && !amdgpu_passthrough(adev)) { + adev->gmc.aper_base = adev->gfxhub.funcs->get_mc_fb_offset(adev); + adev->gmc.aper_size = adev->gmc.real_vram_size; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c +index ab8adbff9e2d..5206e2da334a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c +@@ -381,8 +381,9 @@ static int gmc_v7_0_mc_init(struct amdgpu_device *adev) + adev->gmc.aper_size = pci_resource_len(adev->pdev, 0); + + #ifdef CONFIG_X86_64 +- if (adev->flags & AMD_IS_APU && +- adev->gmc.real_vram_size > adev->gmc.aper_size) { ++ if ((adev->flags & AMD_IS_APU) && ++ adev->gmc.real_vram_size > adev->gmc.aper_size && ++ !amdgpu_passthrough(adev)) { + adev->gmc.aper_base = ((u64)RREG32(mmMC_VM_FB_OFFSET)) << 22; + adev->gmc.aper_size = adev->gmc.real_vram_size; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +index 054733838292..d07d36786836 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +@@ -581,7 +581,7 @@ static int gmc_v8_0_mc_init(struct amdgpu_device *adev) + adev->gmc.aper_size = pci_resource_len(adev->pdev, 0); + + #ifdef CONFIG_X86_64 +- if (adev->flags & AMD_IS_APU) { ++ if ((adev->flags & AMD_IS_APU) && !amdgpu_passthrough(adev)) { + adev->gmc.aper_base = ((u64)RREG32(mmMC_VM_FB_OFFSET)) << 22; + adev->gmc.aper_size = adev->gmc.real_vram_size; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +index 34ee75cf7954..2fb24178eaef 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -1420,7 +1420,7 @@ static int gmc_v9_0_mc_init(struct amdgpu_device *adev) + */ + + /* check whether both host-gpu and gpu-gpu xgmi links exist */ +- if ((adev->flags & AMD_IS_APU) || ++ if (((adev->flags & AMD_IS_APU) && !amdgpu_passthrough(adev)) || + (adev->gmc.xgmi.supported && + adev->gmc.xgmi.connected_to_cpu)) { + adev->gmc.aper_base = +-- +2.35.1 + diff --git a/queue-5.17/drm-amdgpu-vcn-improve-vcn-dpg-stop-procedure.patch b/queue-5.17/drm-amdgpu-vcn-improve-vcn-dpg-stop-procedure.patch new file mode 100644 index 00000000000..8b3db15c264 --- /dev/null +++ b/queue-5.17/drm-amdgpu-vcn-improve-vcn-dpg-stop-procedure.patch @@ -0,0 +1,39 @@ +From e15576c5ac90dc8d6d3978d3398b4a03ab183d7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Mar 2022 23:54:58 +0800 +Subject: drm/amdgpu/vcn: improve vcn dpg stop procedure + +From: Tianci Yin + +[ Upstream commit 6ea239adc2a712eb318f04f5c29b018ba65ea38a ] + +Prior to disabling dpg, VCN need unpausing dpg mode, or VCN will hang in +S3 resuming. + +Reviewed-by: James Zhu +Signed-off-by: Tianci Yin +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c +index 0ce2a7aa400b..ad9bfc772bdf 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c +@@ -1474,8 +1474,11 @@ static int vcn_v3_0_start_sriov(struct amdgpu_device *adev) + + static int vcn_v3_0_stop_dpg_mode(struct amdgpu_device *adev, int inst_idx) + { ++ struct dpg_pause_state state = {.fw_based = VCN_DPG_STATE__UNPAUSE}; + uint32_t tmp; + ++ vcn_v3_0_pause_dpg_mode(adev, 0, &state); ++ + /* Wait for power status to be 1 */ + SOC15_WAIT_ON_RREG(VCN, inst_idx, mmUVD_POWER_STATUS, 1, + UVD_POWER_STATUS__UVD_POWER_STATUS_MASK); +-- +2.35.1 + diff --git a/queue-5.17/drm-amdkfd-check-for-potential-null-return-of-kmallo.patch b/queue-5.17/drm-amdkfd-check-for-potential-null-return-of-kmallo.patch new file mode 100644 index 00000000000..9ca1a7a2d4a --- /dev/null +++ b/queue-5.17/drm-amdkfd-check-for-potential-null-return-of-kmallo.patch @@ -0,0 +1,35 @@ +From 499bf6ed9698b0d56d0cad1b26a4aca430ed5bc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 16:26:23 +0800 +Subject: drm/amdkfd: Check for potential null return of kmalloc_array() + +From: QintaoShen + +[ Upstream commit ebbb7bb9e80305820dc2328a371c1b35679f2667 ] + +As the kmalloc_array() may return null, the 'event_waiters[i].wait' would lead to null-pointer dereference. +Therefore, it is better to check the return value of kmalloc_array() to avoid this confusion. + +Signed-off-by: QintaoShen +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_events.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +index afe72dd11325..6ca7e12bdab8 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c +@@ -531,6 +531,8 @@ static struct kfd_event_waiter *alloc_event_waiters(uint32_t num_events) + event_waiters = kmalloc_array(num_events, + sizeof(struct kfd_event_waiter), + GFP_KERNEL); ++ if (!event_waiters) ++ return NULL; + + for (i = 0; (event_waiters) && (i < num_events) ; i++) { + init_wait(&event_waiters[i].wait); +-- +2.35.1 + diff --git a/queue-5.17/drm-amdkfd-fix-incorrect-vmids-passed-to-hws.patch b/queue-5.17/drm-amdkfd-fix-incorrect-vmids-passed-to-hws.patch new file mode 100644 index 00000000000..cb262039d13 --- /dev/null +++ b/queue-5.17/drm-amdkfd-fix-incorrect-vmids-passed-to-hws.patch @@ -0,0 +1,62 @@ +From d372e8c605c84e1304338105aa203badd558a57e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 15:31:22 -0400 +Subject: drm/amdkfd: Fix Incorrect VMIDs passed to HWS + +From: Tushar Patel + +[ Upstream commit b7dfbd2e601f3fee545bc158feceba4f340fe7cf ] + +Compute-only GPUs have more than 8 VMIDs allocated to KFD. Fix +this by passing correct number of VMIDs to HWS + +v2: squash in warning fix (Alex) + +Signed-off-by: Tushar Patel +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 11 +++-------- + 2 files changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 284892b2d3b4..c853266957ce 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -686,7 +686,7 @@ MODULE_PARM_DESC(sched_policy, + * Maximum number of processes that HWS can schedule concurrently. The maximum is the + * number of VMIDs assigned to the HWS, which is also the default. + */ +-int hws_max_conc_proc = 8; ++int hws_max_conc_proc = -1; + module_param(hws_max_conc_proc, int, 0444); + MODULE_PARM_DESC(hws_max_conc_proc, + "Max # processes HWS can execute concurrently when sched_policy=0 (0 = no concurrency, #VMIDs for KFD = Maximum(default))"); +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +index 2b65d0acae2c..2fdbe2f475e4 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -480,15 +480,10 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd, + } + + /* Verify module parameters regarding mapped process number*/ +- if ((hws_max_conc_proc < 0) +- || (hws_max_conc_proc > kfd->vm_info.vmid_num_kfd)) { +- dev_err(kfd_device, +- "hws_max_conc_proc %d must be between 0 and %d, use %d instead\n", +- hws_max_conc_proc, kfd->vm_info.vmid_num_kfd, +- kfd->vm_info.vmid_num_kfd); ++ if (hws_max_conc_proc >= 0) ++ kfd->max_proc_per_quantum = min((u32)hws_max_conc_proc, kfd->vm_info.vmid_num_kfd); ++ else + kfd->max_proc_per_quantum = kfd->vm_info.vmid_num_kfd; +- } else +- kfd->max_proc_per_quantum = hws_max_conc_proc; + + /* calculate max size of mqds needed for queues */ + size = max_num_of_queues_per_device * +-- +2.35.1 + diff --git a/queue-5.17/drm-msm-add-missing-put_task_struct-in-debugfs-path.patch b/queue-5.17/drm-msm-add-missing-put_task_struct-in-debugfs-path.patch new file mode 100644 index 00000000000..3e55ecb0d80 --- /dev/null +++ b/queue-5.17/drm-msm-add-missing-put_task_struct-in-debugfs-path.patch @@ -0,0 +1,32 @@ +From f5b3b9106c3e10e7915fb55107c5f7f3c56ebb6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 11:45:49 -0700 +Subject: drm/msm: Add missing put_task_struct() in debugfs path + +From: Rob Clark + +[ Upstream commit ac3e4f42d5ec459f701743debd9c1ad2f2247402 ] + +Fixes: 25faf2f2e065 ("drm/msm: Show process names in gem_describe") +Signed-off-by: Rob Clark +Link: https://lore.kernel.org/r/20220317184550.227991-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 02b9ae65a96a..a4f61972667b 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -926,6 +926,7 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m, + get_pid_task(aspace->pid, PIDTYPE_PID); + if (task) { + comm = kstrdup(task->comm, GFP_KERNEL); ++ put_task_struct(task); + } else { + comm = NULL; + } +-- +2.35.1 + diff --git a/queue-5.17/drm-msm-dp-add-fail-safe-mode-outside-of-event_mutex.patch b/queue-5.17/drm-msm-dp-add-fail-safe-mode-outside-of-event_mutex.patch new file mode 100644 index 00000000000..a8b2a766437 --- /dev/null +++ b/queue-5.17/drm-msm-dp-add-fail-safe-mode-outside-of-event_mutex.patch @@ -0,0 +1,235 @@ +From b68b23f237341fa0ba4ab4047501b7e6e8f86cf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 14:04:54 -0700 +Subject: drm/msm/dp: add fail safe mode outside of event_mutex context + +From: Kuogee Hsieh + +[ Upstream commit 8b2c181e3dcf7562445af6702ee94aaedcbe13c8 ] + +There is possible circular locking dependency detected on event_mutex +(see below logs). This is due to set fail safe mode is done at +dp_panel_read_sink_caps() within event_mutex scope. To break this +possible circular locking, this patch move setting fail safe mode +out of event_mutex scope. + +[ 23.958078] ====================================================== +[ 23.964430] WARNING: possible circular locking dependency detected +[ 23.970777] 5.17.0-rc2-lockdep-00088-g05241de1f69e #148 Not tainted +[ 23.977219] ------------------------------------------------------ +[ 23.983570] DrmThread/1574 is trying to acquire lock: +[ 23.988763] ffffff808423aab0 (&dp->event_mutex){+.+.}-{3:3}, at: msm_dp_displ ay_enable+0x58/0x164 +[ 23.997895] +[ 23.997895] but task is already holding lock: +[ 24.003895] ffffff808420b280 (&kms->commit_lock[i]/1){+.+.}-{3:3}, at: lock_c rtcs+0x80/0x8c +[ 24.012495] +[ 24.012495] which lock already depends on the new lock. +[ 24.012495] +[ 24.020886] +[ 24.020886] the existing dependency chain (in reverse order) is: +[ 24.028570] +[ 24.028570] -> #5 (&kms->commit_lock[i]/1){+.+.}-{3:3}: +[ 24.035472] __mutex_lock+0xc8/0x384 +[ 24.039695] mutex_lock_nested+0x54/0x74 +[ 24.044272] lock_crtcs+0x80/0x8c +[ 24.048222] msm_atomic_commit_tail+0x1e8/0x3d0 +[ 24.053413] commit_tail+0x7c/0xfc +[ 24.057452] drm_atomic_helper_commit+0x158/0x15c +[ 24.062826] drm_atomic_commit+0x60/0x74 +[ 24.067403] drm_mode_atomic_ioctl+0x6b0/0x908 +[ 24.072508] drm_ioctl_kernel+0xe8/0x168 +[ 24.077086] drm_ioctl+0x320/0x370 +[ 24.081123] drm_compat_ioctl+0x40/0xdc +[ 24.085602] __arm64_compat_sys_ioctl+0xe0/0x150 +[ 24.090895] invoke_syscall+0x80/0x114 +[ 24.095294] el0_svc_common.constprop.3+0xc4/0xf8 +[ 24.100668] do_el0_svc_compat+0x2c/0x54 +[ 24.105242] el0_svc_compat+0x4c/0xe4 +[ 24.109548] el0t_32_sync_handler+0xc4/0xf4 +[ 24.114381] el0t_32_sync+0x178 +[ 24.118688] +[ 24.118688] -> #4 (&kms->commit_lock[i]){+.+.}-{3:3}: +[ 24.125408] __mutex_lock+0xc8/0x384 +[ 24.129628] mutex_lock_nested+0x54/0x74 +[ 24.134204] lock_crtcs+0x80/0x8c +[ 24.138155] msm_atomic_commit_tail+0x1e8/0x3d0 +[ 24.143345] commit_tail+0x7c/0xfc +[ 24.147382] drm_atomic_helper_commit+0x158/0x15c +[ 24.152755] drm_atomic_commit+0x60/0x74 +[ 24.157323] drm_atomic_helper_set_config+0x68/0x90 +[ 24.162869] drm_mode_setcrtc+0x394/0x648 +[ 24.167535] drm_ioctl_kernel+0xe8/0x168 +[ 24.172102] drm_ioctl+0x320/0x370 +[ 24.176135] drm_compat_ioctl+0x40/0xdc +[ 24.180621] __arm64_compat_sys_ioctl+0xe0/0x150 +[ 24.185904] invoke_syscall+0x80/0x114 +[ 24.190302] el0_svc_common.constprop.3+0xc4/0xf8 +[ 24.195673] do_el0_svc_compat+0x2c/0x54 +[ 24.200241] el0_svc_compat+0x4c/0xe4 +[ 24.204544] el0t_32_sync_handler+0xc4/0xf4 +[ 24.209378] el0t_32_sync+0x174/0x178 +[ 24.213680] -> #3 (crtc_ww_class_mutex){+.+.}-{3:3}: +[ 24.220308] __ww_mutex_lock.constprop.20+0xe8/0x878 +[ 24.225951] ww_mutex_lock+0x60/0xd0 +[ 24.230166] modeset_lock+0x190/0x19c +[ 24.234467] drm_modeset_lock+0x34/0x54 +[ 24.238953] drmm_mode_config_init+0x550/0x764 +[ 24.244065] msm_drm_bind+0x170/0x59c +[ 24.248374] try_to_bring_up_master+0x244/0x294 +[ 24.253572] __component_add+0xf4/0x14c +[ 24.258057] component_add+0x2c/0x38 +[ 24.262273] dsi_dev_attach+0x2c/0x38 +[ 24.266575] dsi_host_attach+0xc4/0x120 +[ 24.271060] mipi_dsi_attach+0x34/0x48 +[ 24.275456] devm_mipi_dsi_attach+0x28/0x68 +[ 24.280298] ti_sn_bridge_probe+0x2b4/0x2dc +[ 24.285137] auxiliary_bus_probe+0x78/0x90 +[ 24.289893] really_probe+0x1e4/0x3d8 +[ 24.294194] __driver_probe_device+0x14c/0x164 +[ 24.299298] driver_probe_device+0x54/0xf8 +[ 24.304043] __device_attach_driver+0xb4/0x118 +[ 24.309145] bus_for_each_drv+0xb0/0xd4 +[ 24.313628] __device_attach+0xcc/0x158 +[ 24.318112] device_initial_probe+0x24/0x30 +[ 24.322954] bus_probe_device+0x38/0x9c +[ 24.327439] deferred_probe_work_func+0xd4/0xf0 +[ 24.332628] process_one_work+0x2f0/0x498 +[ 24.337289] process_scheduled_works+0x44/0x48 +[ 24.342391] worker_thread+0x1e4/0x26c +[ 24.346788] kthread+0xe4/0xf4 +[ 24.350470] ret_from_fork+0x10/0x20 +[ 24.354683] +[ 24.354683] +[ 24.354683] -> #2 (crtc_ww_class_acquire){+.+.}-{0:0}: +[ 24.361489] drm_modeset_acquire_init+0xe4/0x138 +[ 24.366777] drm_helper_probe_detect_ctx+0x44/0x114 +[ 24.372327] check_connector_changed+0xbc/0x198 +[ 24.377517] drm_helper_hpd_irq_event+0xcc/0x11c +[ 24.382804] dsi_hpd_worker+0x24/0x30 +[ 24.387104] process_one_work+0x2f0/0x498 +[ 24.391762] worker_thread+0x1d0/0x26c +[ 24.396158] kthread+0xe4/0xf4 +[ 24.399840] ret_from_fork+0x10/0x20 +[ 24.404053] +[ 24.404053] -> #1 (&dev->mode_config.mutex){+.+.}-{3:3}: +[ 24.411032] __mutex_lock+0xc8/0x384 +[ 24.415247] mutex_lock_nested+0x54/0x74 +[ 24.419819] dp_panel_read_sink_caps+0x23c/0x26c +[ 24.425108] dp_display_process_hpd_high+0x34/0xd4 +[ 24.430570] dp_display_usbpd_configure_cb+0x30/0x3c +[ 24.436205] hpd_event_thread+0x2ac/0x550 +[ 24.440864] kthread+0xe4/0xf4 +[ 24.444544] ret_from_fork+0x10/0x20 +[ 24.448757] +[ 24.448757] -> #0 (&dp->event_mutex){+.+.}-{3:3}: +[ 24.455116] __lock_acquire+0xe2c/0x10d8 +[ 24.459690] lock_acquire+0x1ac/0x2d0 +[ 24.463988] __mutex_lock+0xc8/0x384 +[ 24.468201] mutex_lock_nested+0x54/0x74 +[ 24.472773] msm_dp_display_enable+0x58/0x164 +[ 24.477789] dp_bridge_enable+0x24/0x30 +[ 24.482273] drm_atomic_bridge_chain_enable+0x78/0x9c +[ 24.488006] drm_atomic_helper_commit_modeset_enables+0x1bc/0x244 +[ 24.494801] msm_atomic_commit_tail+0x248/0x3d0 +[ 24.499992] commit_tail+0x7c/0xfc +[ 24.504031] drm_atomic_helper_commit+0x158/0x15c +[ 24.509404] drm_atomic_commit+0x60/0x74 +[ 24.513976] drm_mode_atomic_ioctl+0x6b0/0x908 +[ 24.519079] drm_ioctl_kernel+0xe8/0x168 +[ 24.523650] drm_ioctl+0x320/0x370 +[ 24.527689] drm_compat_ioctl+0x40/0xdc +[ 24.532175] __arm64_compat_sys_ioctl+0xe0/0x150 +[ 24.537463] invoke_syscall+0x80/0x114 +[ 24.541861] el0_svc_common.constprop.3+0xc4/0xf8 +[ 24.547235] do_el0_svc_compat+0x2c/0x54 +[ 24.551806] el0_svc_compat+0x4c/0xe4 +[ 24.556106] el0t_32_sync_handler+0xc4/0xf4 +[ 24.560948] el0t_32_sync+0x174/0x178 + +Changes in v2: +-- add circular lockiing trace + +Fixes: d4aca422539c ("drm/msm/dp: always add fail-safe mode into connector mode list") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/481396/ +Link: https://lore.kernel.org/r/1649451894-554-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_display.c | 6 ++++++ + drivers/gpu/drm/msm/dp/dp_panel.c | 20 ++++++++++---------- + drivers/gpu/drm/msm/dp/dp_panel.h | 1 + + 3 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 1d7f82e6eafe..af9c09c30860 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -551,6 +551,12 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data) + + mutex_unlock(&dp->event_mutex); + ++ /* ++ * add fail safe mode outside event_mutex scope ++ * to avoid potiential circular lock with drm thread ++ */ ++ dp_panel_add_fail_safe_mode(dp->dp_display.connector); ++ + /* uevent will complete connection part */ + return 0; + }; +diff --git a/drivers/gpu/drm/msm/dp/dp_panel.c b/drivers/gpu/drm/msm/dp/dp_panel.c +index f1418722c549..26c3653c99ec 100644 +--- a/drivers/gpu/drm/msm/dp/dp_panel.c ++++ b/drivers/gpu/drm/msm/dp/dp_panel.c +@@ -151,6 +151,15 @@ static int dp_panel_update_modes(struct drm_connector *connector, + return rc; + } + ++void dp_panel_add_fail_safe_mode(struct drm_connector *connector) ++{ ++ /* fail safe edid */ ++ mutex_lock(&connector->dev->mode_config.mutex); ++ if (drm_add_modes_noedid(connector, 640, 480)) ++ drm_set_preferred_mode(connector, 640, 480); ++ mutex_unlock(&connector->dev->mode_config.mutex); ++} ++ + int dp_panel_read_sink_caps(struct dp_panel *dp_panel, + struct drm_connector *connector) + { +@@ -207,16 +216,7 @@ int dp_panel_read_sink_caps(struct dp_panel *dp_panel, + goto end; + } + +- /* fail safe edid */ +- mutex_lock(&connector->dev->mode_config.mutex); +- if (drm_add_modes_noedid(connector, 640, 480)) +- drm_set_preferred_mode(connector, 640, 480); +- mutex_unlock(&connector->dev->mode_config.mutex); +- } else { +- /* always add fail-safe mode as backup mode */ +- mutex_lock(&connector->dev->mode_config.mutex); +- drm_add_modes_noedid(connector, 640, 480); +- mutex_unlock(&connector->dev->mode_config.mutex); ++ dp_panel_add_fail_safe_mode(connector); + } + + if (panel->aux_cfg_update_done) { +diff --git a/drivers/gpu/drm/msm/dp/dp_panel.h b/drivers/gpu/drm/msm/dp/dp_panel.h +index 9023e5bb4b8b..99739ea679a7 100644 +--- a/drivers/gpu/drm/msm/dp/dp_panel.h ++++ b/drivers/gpu/drm/msm/dp/dp_panel.h +@@ -59,6 +59,7 @@ int dp_panel_init_panel_info(struct dp_panel *dp_panel); + int dp_panel_deinit(struct dp_panel *dp_panel); + int dp_panel_timing_cfg(struct dp_panel *dp_panel); + void dp_panel_dump_regs(struct dp_panel *dp_panel); ++void dp_panel_add_fail_safe_mode(struct drm_connector *connector); + int dp_panel_read_sink_caps(struct dp_panel *dp_panel, + struct drm_connector *connector); + u32 dp_panel_get_mode_bpp(struct dp_panel *dp_panel, u32 mode_max_bpp, +-- +2.35.1 + diff --git a/queue-5.17/drm-msm-dsi-use-connector-directly-in-msm_dsi_manage.patch b/queue-5.17/drm-msm-dsi-use-connector-directly-in-msm_dsi_manage.patch new file mode 100644 index 00000000000..305c950c557 --- /dev/null +++ b/queue-5.17/drm-msm-dsi-use-connector-directly-in-msm_dsi_manage.patch @@ -0,0 +1,45 @@ +From ba01b8366a2855596225b57c908b3e9b966e3394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 17:07:31 -0700 +Subject: drm/msm/dsi: Use connector directly in + msm_dsi_manager_connector_init() + +From: Stephen Boyd + +[ Upstream commit 47b7de6b88b962ef339a2427a023d2a23d161654 ] + +The member 'msm_dsi->connector' isn't assigned until +msm_dsi_manager_connector_init() returns (see msm_dsi_modeset_init() and +how it assigns the return value). Therefore this pointer is going to be +NULL here. Let's use 'connector' which is what was intended. + +Cc: Dmitry Baryshkov +Cc: Sean Paul +Fixes: 6d5e78406991 ("drm/msm/dsi: Move dsi panel init into modeset init path") +Signed-off-by: Stephen Boyd +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/478693/ +Link: https://lore.kernel.org/r/20220318000731.2823718-1-swboyd@chromium.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c +index f19bae475c96..cd7b41b7d518 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c +@@ -641,7 +641,7 @@ struct drm_connector *msm_dsi_manager_connector_init(u8 id) + return connector; + + fail: +- connector->funcs->destroy(msm_dsi->connector); ++ connector->funcs->destroy(connector); + return ERR_PTR(ret); + } + +-- +2.35.1 + diff --git a/queue-5.17/drm-msm-fix-range-size-vs-end-confusion.patch b/queue-5.17/drm-msm-fix-range-size-vs-end-confusion.patch new file mode 100644 index 00000000000..84790a7baf2 --- /dev/null +++ b/queue-5.17/drm-msm-fix-range-size-vs-end-confusion.patch @@ -0,0 +1,40 @@ +From 718849ee0f290b78231d4110d0158d35ce287aa0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 13:28:33 -0700 +Subject: drm/msm: Fix range size vs end confusion + +From: Rob Clark + +[ Upstream commit 537fef808be5ea56f6fc06932162550819a3b3c3 ] + +The fourth param is size, rather than range_end. + +Note that we could increase the address space size if we had a way to +prevent buffers from spanning a 4G split, mostly just to avoid fw bugs +with 64b math. + +Fixes: 84c31ee16f90 ("drm/msm/a6xx: Add support for per-instance pagetables") +Signed-off-by: Rob Clark +Link: https://lore.kernel.org/r/20220407202836.1211268-1-robdclark@gmail.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +index 616be7265da4..19622fb1fa35 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c +@@ -1714,7 +1714,7 @@ a6xx_create_private_address_space(struct msm_gpu *gpu) + return ERR_CAST(mmu); + + return msm_gem_address_space_create(mmu, +- "gpu", 0x100000000ULL, 0x1ffffffffULL); ++ "gpu", 0x100000000ULL, SZ_4G); + } + + static uint32_t a6xx_get_rptr(struct msm_gpu *gpu, struct msm_ringbuffer *ring) +-- +2.35.1 + diff --git a/queue-5.17/firmware-arm_scmi-fix-sorting-of-retrieved-clock-rat.patch b/queue-5.17/firmware-arm_scmi-fix-sorting-of-retrieved-clock-rat.patch new file mode 100644 index 00000000000..fa3000d11ed --- /dev/null +++ b/queue-5.17/firmware-arm_scmi-fix-sorting-of-retrieved-clock-rat.patch @@ -0,0 +1,43 @@ +From b9d46ca0bdff6f374f856a14d31fe231a5fe968e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Mar 2022 09:28:13 +0000 +Subject: firmware: arm_scmi: Fix sorting of retrieved clock rates + +From: Cristian Marussi + +[ Upstream commit 23274739a5b6166f74d8d9cb5243d7bf6b46aab9 ] + +During SCMI Clock protocol initialization, after having retrieved from the +SCMI platform all the available discrete rates for a specific clock, the +clock rates array is sorted, unfortunately using a pointer to its end as +a base instead of its start, so that sorting does not work. + +Fix invocation of sort() passing as base a pointer to the start of the +retrieved clock rates array. + +Link: https://lore.kernel.org/r/20220318092813.49283-1-cristian.marussi@arm.com +Fixes: dccec73de91d ("firmware: arm_scmi: Keep the discrete clock rates sorted") +Signed-off-by: Cristian Marussi +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/clock.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c +index 35b56c8ba0c0..492f3a9197ec 100644 +--- a/drivers/firmware/arm_scmi/clock.c ++++ b/drivers/firmware/arm_scmi/clock.c +@@ -204,7 +204,8 @@ scmi_clock_describe_rates_get(const struct scmi_protocol_handle *ph, u32 clk_id, + + if (rate_discrete && rate) { + clk->list.num_rates = tot_rate_cnt; +- sort(rate, tot_rate_cnt, sizeof(*rate), rate_cmp_func, NULL); ++ sort(clk->list.rates, tot_rate_cnt, sizeof(*rate), ++ rate_cmp_func, NULL); + } + + clk->rate_discrete = rate_discrete; +-- +2.35.1 + diff --git a/queue-5.17/firmware-arm_scmi-remove-clear-channel-call-on-the-t.patch b/queue-5.17/firmware-arm_scmi-remove-clear-channel-call-on-the-t.patch new file mode 100644 index 00000000000..a5d2b14557a --- /dev/null +++ b/queue-5.17/firmware-arm_scmi-remove-clear-channel-call-on-the-t.patch @@ -0,0 +1,48 @@ +From cc97174874009b0dec1f068a6df162ac4d34ee52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 15:24:04 +0000 +Subject: firmware: arm_scmi: Remove clear channel call on the TX channel + +From: Cristian Marussi + +[ Upstream commit 98f0d68f94ea21541e0050cc64fa108ade779839 ] + +On SCMI transports whose channels are based on a shared resource the TX +channel area has to be acquired by the agent before placing the desired +command into the channel and it will be then relinquished by the platform +once the related reply has been made available into the channel. +On an RX channel the logic is reversed with the platform acquiring the +channel area and the agent reliquishing it once done by calling the +scmi_clear_channel() helper. + +As a consequence, even in case of error, the agent must never try to clear +a TX channel from its side: restrict the existing clear channel call on the +the reply path only to delayed responses since they are indeed coming from +the RX channel. + +Link: https://lore.kernel.org/r/20220224152404.12877-1-cristian.marussi@arm.com +Fixes: e9b21c96181c ("firmware: arm_scmi: Make .clear_channel optional") +Signed-off-by: Cristian Marussi +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c +index d76bab3aaac4..e815b8f98739 100644 +--- a/drivers/firmware/arm_scmi/driver.c ++++ b/drivers/firmware/arm_scmi/driver.c +@@ -652,7 +652,8 @@ static void scmi_handle_response(struct scmi_chan_info *cinfo, + + xfer = scmi_xfer_command_acquire(cinfo, msg_hdr); + if (IS_ERR(xfer)) { +- scmi_clear_channel(info, cinfo); ++ if (MSG_XTRACT_TYPE(msg_hdr) == MSG_TYPE_DELAYED_RESP) ++ scmi_clear_channel(info, cinfo); + return; + } + +-- +2.35.1 + diff --git a/queue-5.17/gpiolib-acpi-use-correct-format-characters.patch b/queue-5.17/gpiolib-acpi-use-correct-format-characters.patch new file mode 100644 index 00000000000..7ad4e8cafa6 --- /dev/null +++ b/queue-5.17/gpiolib-acpi-use-correct-format-characters.patch @@ -0,0 +1,97 @@ +From 6f29f72bcca2d2fd4274ca2c469b390dbe2f1f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 16:21:09 -0700 +Subject: gpiolib: acpi: use correct format characters + +From: Linus Torvalds + +[ Upstream commit 213d266ebfb1621aab79cfe63388facc520a1381 ] + +When compiling with -Wformat, clang emits the following warning: + + gpiolib-acpi.c:393:4: warning: format specifies type 'unsigned char' but the argument has type 'int' [-Wformat] + pin); + ^~~ + +So warning that '%hhX' is paired with an 'int' is all just completely +mindless and wrong. Sadly, I can see a different bogus warning reason +why people would want to use '%02hhX'. + +Again, the *sane* thing from a human perspective is to use '%02X. But +if the compiler doesn't do any range analysis at all, it could decide +that "Oh, that print format could need up to 8 bytes of space in the +result". Using '%02hhX' would cut that down to two. + +And since we use + + char ev_name[5]; + +and currently use "_%c%02hhX" as the format string, even a compiler +that doesn't notice that "pin <= 255" test that guards this all will +go "OK, that's at most 4 bytes and the final NUL termination, so it's +fine". + +While a compiler - like gcc - that only sees that the original source +of the 'pin' value is a 'unsigned short' array, and then doesn't take +the "pin <= 255" into account, will warn like this: + + gpiolib-acpi.c: In function 'acpi_gpiochip_request_interrupt': + gpiolib-acpi.c:206:24: warning: '%02X' directive writing between 2 and 4 bytes into a region of size 3 [-Wformat-overflow=] + sprintf(ev_name, "_%c%02X", + ^~~~ + gpiolib-acpi.c:206:20: note: directive argument in the range [0, 65535] + +because gcc isn't being very good at that argument range analysis either. + +In other words, the original use of 'hhx' was bogus to begin with, and +due to *another* compiler warning being bad, and we had that bad code +being written back in 2016 to work around _that_ compiler warning +(commit e40a3ae1f794: "gpio: acpi: work around false-positive +-Wstring-overflow warning"). + +Sadly, two different bad compiler warnings together does not make for +one good one. + +It just makes for even more pain. + +End result: I think the simplest and cleanest option is simply the +proposed change which undoes that '%hhX' change for gcc, and replaces +it with just using a slightly bigger stack allocation. It's not like +a 5-byte allocation is in any way likely to have saved any actual stack, +since all the other variables in that function are 'int' or bigger. + +False-positive compiler warnings really do make people write worse +code, and that's a problem. But on a scale of bad code, I feel that +extending the buffer trivially is better than adding a pointless cast +that literally makes no sense. + +At least in this case the end result isn't unreadable or buggy. We've +had several cases of bad compiler warnings that caused changes that +were actually horrendously wrong. + +Fixes: e40a3ae1f794 ("gpio: acpi: work around false-positive -Wstring-overflow warning") +Signed-off-by: Linus Torvalds +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index a5495ad31c9c..b7c2f2af1dee 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -387,8 +387,8 @@ static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares, + pin = agpio->pin_table[0]; + + if (pin <= 255) { +- char ev_name[5]; +- sprintf(ev_name, "_%c%02hhX", ++ char ev_name[8]; ++ sprintf(ev_name, "_%c%02X", + agpio->triggering == ACPI_EDGE_SENSITIVE ? 'E' : 'L', + pin); + if (ACPI_SUCCESS(acpi_get_handle(handle, ev_name, &evt_handle))) +-- +2.35.1 + diff --git a/queue-5.17/gpu-ipu-v3-fix-dev_dbg-frequency-output.patch b/queue-5.17/gpu-ipu-v3-fix-dev_dbg-frequency-output.patch new file mode 100644 index 00000000000..d780a878691 --- /dev/null +++ b/queue-5.17/gpu-ipu-v3-fix-dev_dbg-frequency-output.patch @@ -0,0 +1,53 @@ +From 93d5a58a1e450c51bd33876f371bffc3533999b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Feb 2022 16:14:11 +0100 +Subject: gpu: ipu-v3: Fix dev_dbg frequency output + +From: Leo Ruan + +[ Upstream commit 070a88fd4a03f921b73a2059e97d55faaa447dab ] + +This commit corrects the printing of the IPU clock error percentage if +it is between -0.1% to -0.9%. For example, if the pixel clock requested +is 27.2 MHz but only 27.0 MHz can be achieved the deviation is -0.8%. +But the fixed point math had a flaw and calculated error of 0.2%. + +Before: + Clocks: IPU 270000000Hz DI 24716667Hz Needed 27200000Hz + IPU clock can give 27000000 with divider 10, error 0.2% + Want 27200000Hz IPU 270000000Hz DI 24716667Hz using IPU, 27000000Hz + +After: + Clocks: IPU 270000000Hz DI 24716667Hz Needed 27200000Hz + IPU clock can give 27000000 with divider 10, error -0.8% + Want 27200000Hz IPU 270000000Hz DI 24716667Hz using IPU, 27000000Hz + +Signed-off-by: Leo Ruan +Signed-off-by: Mark Jonas +Reviewed-by: Philipp Zabel +Signed-off-by: Philipp Zabel +Link: https://lore.kernel.org/r/20220207151411.5009-1-mark.jonas@de.bosch.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-di.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-di.c b/drivers/gpu/ipu-v3/ipu-di.c +index 666223c6bec4..0a34e0ab4fe6 100644 +--- a/drivers/gpu/ipu-v3/ipu-di.c ++++ b/drivers/gpu/ipu-v3/ipu-di.c +@@ -447,8 +447,9 @@ static void ipu_di_config_clock(struct ipu_di *di, + + error = rate / (sig->mode.pixelclock / 1000); + +- dev_dbg(di->ipu->dev, " IPU clock can give %lu with divider %u, error %d.%u%%\n", +- rate, div, (signed)(error - 1000) / 10, error % 10); ++ dev_dbg(di->ipu->dev, " IPU clock can give %lu with divider %u, error %c%d.%d%%\n", ++ rate, div, error < 1000 ? '-' : '+', ++ abs(error - 1000) / 10, abs(error - 1000) % 10); + + /* Allow a 1% error */ + if (error < 1010 && error >= 990) { +-- +2.35.1 + diff --git a/queue-5.17/ice-arfs-fix-use-after-free-when-freeing-rx_cpu_rmap.patch b/queue-5.17/ice-arfs-fix-use-after-free-when-freeing-rx_cpu_rmap.patch new file mode 100644 index 00000000000..d0bb3e987e7 --- /dev/null +++ b/queue-5.17/ice-arfs-fix-use-after-free-when-freeing-rx_cpu_rmap.patch @@ -0,0 +1,192 @@ +From d8958cbe58f080bdb3a52a6f6bfd256440f87a41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 18:15:09 +0200 +Subject: ice: arfs: fix use-after-free when freeing @rx_cpu_rmap + +From: Alexander Lobakin + +[ Upstream commit d7442f512b71fc63a99c8a801422dde4fbbf9f93 ] + +The CI testing bots triggered the following splat: + +[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80 +[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834 +[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1 +[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020 +[ 718.223418] Call Trace: +[ 718.227139] +[ 718.230783] dump_stack_lvl+0x33/0x42 +[ 718.234431] print_address_description.constprop.9+0x21/0x170 +[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80 +[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80 +[ 718.245539] kasan_report.cold.18+0x7f/0x11b +[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80 +[ 718.252852] free_irq_cpu_rmap+0x53/0x80 +[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice] +[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice] +[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice] +[ 718.267419] ice_rebuild+0x39c/0xb60 [ice] +[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 +[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice] +[ 718.278033] ? delay_tsc+0x4a/0xb0 +[ 718.281513] ? preempt_count_sub+0x14/0xc0 +[ 718.284984] ? delay_tsc+0x8f/0xb0 +[ 718.288463] ice_do_reset+0x92/0xf0 [ice] +[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice] +[ 718.295561] pci_reset_function+0x53/0x80 +<...> +[ 718.393035] Allocated by task 690: +[ 718.433497] Freed by task 20834: +[ 718.495688] Last potentially related work creation: +[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 + which belongs to the cache kmalloc-96 of size 96 +[ 718.574085] The buggy address is located 0 bytes inside of + 96-byte region [ffff8881bd127e00, ffff8881bd127e60) +[ 718.579265] The buggy address belongs to the page: +[ 718.598905] Memory state around the buggy address: +[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc +[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc +[ 718.610811] ^ +[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc +[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + +This is due to that free_irq_cpu_rmap() is always being called +*after* (devm_)free_irq() and thus it tries to work with IRQ descs +already freed. For example, on device reset the driver frees the +rmap right before allocating a new one (the splat above). +Make rmap creation and freeing function symmetrical with +{request,free}_irq() calls i.e. do that on ifup/ifdown instead +of device probe/remove/resume. These operations can be performed +independently from the actual device aRFS configuration. +Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers +only when aRFS is disabled -- otherwise, CPU rmap sets and clears +its own and they must not be touched manually. + +Fixes: 28bf26724fdb0 ("ice: Implement aRFS") +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Alexander Lobakin +Tested-by: Ivan Vecera +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_arfs.c | 9 ++------- + drivers/net/ethernet/intel/ice/ice_lib.c | 5 ++++- + drivers/net/ethernet/intel/ice/ice_main.c | 18 ++++++++---------- + 3 files changed, 14 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_arfs.c b/drivers/net/ethernet/intel/ice/ice_arfs.c +index 5daade32ea62..fba178e07600 100644 +--- a/drivers/net/ethernet/intel/ice/ice_arfs.c ++++ b/drivers/net/ethernet/intel/ice/ice_arfs.c +@@ -577,7 +577,7 @@ void ice_free_cpu_rx_rmap(struct ice_vsi *vsi) + { + struct net_device *netdev; + +- if (!vsi || vsi->type != ICE_VSI_PF || !vsi->arfs_fltr_list) ++ if (!vsi || vsi->type != ICE_VSI_PF) + return; + + netdev = vsi->netdev; +@@ -599,7 +599,7 @@ int ice_set_cpu_rx_rmap(struct ice_vsi *vsi) + int base_idx, i; + + if (!vsi || vsi->type != ICE_VSI_PF) +- return -EINVAL; ++ return 0; + + pf = vsi->back; + netdev = vsi->netdev; +@@ -636,7 +636,6 @@ void ice_remove_arfs(struct ice_pf *pf) + if (!pf_vsi) + return; + +- ice_free_cpu_rx_rmap(pf_vsi); + ice_clear_arfs(pf_vsi); + } + +@@ -653,9 +652,5 @@ void ice_rebuild_arfs(struct ice_pf *pf) + return; + + ice_remove_arfs(pf); +- if (ice_set_cpu_rx_rmap(pf_vsi)) { +- dev_err(ice_pf_to_dev(pf), "Failed to rebuild aRFS\n"); +- return; +- } + ice_init_arfs(pf_vsi); + } +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 5fd2bbeab2d1..15bb6f001a04 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2869,6 +2869,8 @@ void ice_vsi_free_irq(struct ice_vsi *vsi) + return; + + vsi->irqs_ready = false; ++ ice_free_cpu_rx_rmap(vsi); ++ + ice_for_each_q_vector(vsi, i) { + u16 vector = i + base; + int irq_num; +@@ -2882,7 +2884,8 @@ void ice_vsi_free_irq(struct ice_vsi *vsi) + continue; + + /* clear the affinity notifier in the IRQ descriptor */ +- irq_set_affinity_notifier(irq_num, NULL); ++ if (!IS_ENABLED(CONFIG_RFS_ACCEL)) ++ irq_set_affinity_notifier(irq_num, NULL); + + /* clear the affinity_mask in the IRQ descriptor */ + irq_set_affinity_hint(irq_num, NULL); +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index db2e02e673a7..2de2bbbca1e9 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2494,6 +2494,13 @@ static int ice_vsi_req_irq_msix(struct ice_vsi *vsi, char *basename) + irq_set_affinity_hint(irq_num, &q_vector->affinity_mask); + } + ++ err = ice_set_cpu_rx_rmap(vsi); ++ if (err) { ++ netdev_err(vsi->netdev, "Failed to setup CPU RMAP on VSI %u: %pe\n", ++ vsi->vsi_num, ERR_PTR(err)); ++ goto free_q_irqs; ++ } ++ + vsi->irqs_ready = true; + return 0; + +@@ -3605,20 +3612,12 @@ static int ice_setup_pf_sw(struct ice_pf *pf) + */ + ice_napi_add(vsi); + +- status = ice_set_cpu_rx_rmap(vsi); +- if (status) { +- dev_err(dev, "Failed to set CPU Rx map VSI %d error %d\n", +- vsi->vsi_num, status); +- goto unroll_napi_add; +- } + status = ice_init_mac_fltr(pf); + if (status) +- goto free_cpu_rx_map; ++ goto unroll_napi_add; + + return 0; + +-free_cpu_rx_map: +- ice_free_cpu_rx_rmap(vsi); + unroll_napi_add: + ice_tc_indir_block_unregister(vsi); + unroll_cfg_netdev: +@@ -5076,7 +5075,6 @@ static int __maybe_unused ice_suspend(struct device *dev) + continue; + ice_vsi_free_q_vectors(pf->vsi[v]); + } +- ice_free_cpu_rx_rmap(ice_get_main_vsi(pf)); + ice_clear_interrupt_scheme(pf); + + pci_save_state(pdev); +-- +2.35.1 + diff --git a/queue-5.17/io_uring-abort-file-assignment-prior-to-assigning-cr.patch b/queue-5.17/io_uring-abort-file-assignment-prior-to-assigning-cr.patch new file mode 100644 index 00000000000..92a27ffa454 --- /dev/null +++ b/queue-5.17/io_uring-abort-file-assignment-prior-to-assigning-cr.patch @@ -0,0 +1,47 @@ +From 6274b18ce0394907a940bed653b04ab3d04605b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 20:23:40 -0600 +Subject: io_uring: abort file assignment prior to assigning creds + +From: Jens Axboe + +[ Upstream commit 701521403cfb228536b3947035c8a6eca40d8e58 ] + +We need to either restore creds properly if we fail on the file +assignment, or just do the file assignment first instead. Let's do +the latter as it's simpler, should make no difference here for +file assignment. + +Link: https://lore.kernel.org/lkml/000000000000a7edb305dca75a50@google.com/ +Reported-by: syzbot+60c52ca98513a8760a91@syzkaller.appspotmail.com +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 7a652c8eeed2..6f93bff7633c 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -6729,13 +6729,14 @@ static int io_issue_sqe(struct io_kiocb *req, unsigned int issue_flags) + const struct cred *creds = NULL; + int ret; + ++ if (unlikely(!io_assign_file(req, issue_flags))) ++ return -EBADF; ++ + if (unlikely((req->flags & REQ_F_CREDS) && req->creds != current_cred())) + creds = override_creds(req->creds); + + if (!io_op_defs[req->opcode].audit_skip) + audit_uring_entry(req->opcode); +- if (unlikely(!io_assign_file(req, issue_flags))) +- return -EBADF; + + switch (req->opcode) { + case IORING_OP_NOP: +-- +2.35.1 + diff --git a/queue-5.17/io_uring-fix-assign-file-locking-issue.patch b/queue-5.17/io_uring-fix-assign-file-locking-issue.patch new file mode 100644 index 00000000000..7e2ec0f3f0e --- /dev/null +++ b/queue-5.17/io_uring-fix-assign-file-locking-issue.patch @@ -0,0 +1,52 @@ +From bef149a5e3110ce1d3d79eb6df2280a79e0924da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 15:24:43 +0100 +Subject: io_uring: fix assign file locking issue + +From: Pavel Begunkov + +[ Upstream commit 0f8da75b51ac863b9435368bd50691718cc454b0 ] + +io-wq work cancellation path can't take uring_lock as how it's done on +file assignment, we have to handle IO_WQ_WORK_CANCEL first, this fixes +encountered hangs. + +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/0d9b9f37841645518503f6a207e509d14a286aba.1649773463.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index d05394b0c1e6..e3d1fc954933 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -6892,16 +6892,18 @@ static void io_wq_submit_work(struct io_wq_work *work) + if (timeout) + io_queue_linked_timeout(timeout); + +- if (!io_assign_file(req, issue_flags)) { +- err = -EBADF; +- work->flags |= IO_WQ_WORK_CANCEL; +- } + + /* either cancelled or io-wq is dying, so don't touch tctx->iowq */ + if (work->flags & IO_WQ_WORK_CANCEL) { ++fail: + io_req_task_queue_fail(req, err); + return; + } ++ if (!io_assign_file(req, issue_flags)) { ++ err = -EBADF; ++ work->flags |= IO_WQ_WORK_CANCEL; ++ goto fail; ++ } + + if (req->flags & REQ_F_FORCE_ASYNC) { + bool opcode_poll = def->pollin || def->pollout; +-- +2.35.1 + diff --git a/queue-5.17/io_uring-flag-the-fact-that-linked-file-assignment-i.patch b/queue-5.17/io_uring-flag-the-fact-that-linked-file-assignment-i.patch new file mode 100644 index 00000000000..93ea6d27865 --- /dev/null +++ b/queue-5.17/io_uring-flag-the-fact-that-linked-file-assignment-i.patch @@ -0,0 +1,54 @@ +From 87064a78d25ca2e2308140938273ff7e31cd08b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 15:13:24 -0600 +Subject: io_uring: flag the fact that linked file assignment is sane + +From: Jens Axboe + +[ Upstream commit c4212f3eb89fd5654f0a6ed2ee1d13fcb86cb664 ] + +Give applications a way to tell if the kernel supports sane linked files, +as in files being assigned at the right time to be able to reliably +do while using +IOSQE_IO_LINK to order them. + +Not really a bug fix, but flag it as such so that it gets pulled in with +backports of the deferred file assignment. + +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 3 ++- + include/uapi/linux/io_uring.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 1a9630dc5361..d13f142793f2 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -10566,7 +10566,8 @@ static __cold int io_uring_create(unsigned entries, struct io_uring_params *p, + IORING_FEAT_CUR_PERSONALITY | IORING_FEAT_FAST_POLL | + IORING_FEAT_POLL_32BITS | IORING_FEAT_SQPOLL_NONFIXED | + IORING_FEAT_EXT_ARG | IORING_FEAT_NATIVE_WORKERS | +- IORING_FEAT_RSRC_TAGS | IORING_FEAT_CQE_SKIP; ++ IORING_FEAT_RSRC_TAGS | IORING_FEAT_CQE_SKIP | ++ IORING_FEAT_LINKED_FILE; + + if (copy_to_user(params, p, sizeof(*p))) { + ret = -EFAULT; +diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h +index 787f491f0d2a..1e45368ad33f 100644 +--- a/include/uapi/linux/io_uring.h ++++ b/include/uapi/linux/io_uring.h +@@ -293,6 +293,7 @@ struct io_uring_params { + #define IORING_FEAT_NATIVE_WORKERS (1U << 9) + #define IORING_FEAT_RSRC_TAGS (1U << 10) + #define IORING_FEAT_CQE_SKIP (1U << 11) ++#define IORING_FEAT_LINKED_FILE (1U << 12) + + /* + * io_uring_register(2) opcodes and arguments +-- +2.35.1 + diff --git a/queue-5.17/io_uring-move-io_uring_rsrc_update2-validation.patch b/queue-5.17/io_uring-move-io_uring_rsrc_update2-validation.patch new file mode 100644 index 00000000000..ac2d8b98a61 --- /dev/null +++ b/queue-5.17/io_uring-move-io_uring_rsrc_update2-validation.patch @@ -0,0 +1,46 @@ +From e76c634b5e87cd1aebaf283326dc336eeab9dea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 09:30:39 -0700 +Subject: io_uring: move io_uring_rsrc_update2 validation + +From: Dylan Yudaken + +[ Upstream commit 565c5e616e8061b40a2e1d786c418a7ac3503a8d ] + +Move validation to be more consistently straight after +copy_from_user. This is already done in io_register_rsrc_update and so +this removes that redundant check. + +Signed-off-by: Dylan Yudaken +Link: https://lore.kernel.org/r/20220412163042.2788062-2-dylany@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index e3d1fc954933..7da6fddaef4d 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -10784,8 +10784,6 @@ static int __io_register_rsrc_update(struct io_ring_ctx *ctx, unsigned type, + __u32 tmp; + int err; + +- if (up->resv) +- return -EINVAL; + if (check_add_overflow(up->offset, nr_args, &tmp)) + return -EOVERFLOW; + err = io_rsrc_node_switch_start(ctx); +@@ -10811,6 +10809,8 @@ static int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg, + memset(&up, 0, sizeof(up)); + if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update))) + return -EFAULT; ++ if (up.resv) ++ return -EINVAL; + return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args); + } + +-- +2.35.1 + diff --git a/queue-5.17/io_uring-stop-using-io_wq_work-as-an-fd-placeholder.patch b/queue-5.17/io_uring-stop-using-io_wq_work-as-an-fd-placeholder.patch new file mode 100644 index 00000000000..c13c193db26 --- /dev/null +++ b/queue-5.17/io_uring-stop-using-io_wq_work-as-an-fd-placeholder.patch @@ -0,0 +1,81 @@ +From 2cce61fb05b92db2d4520de259695a147f59b827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 19:05:09 -0600 +Subject: io_uring: stop using io_wq_work as an fd placeholder + +From: Jens Axboe + +[ Upstream commit 82733d168cbd3fe9dab603f05894316b99008924 ] + +There are two reasons why this isn't the best idea: + +- It's an odd area to grab a bit of storage space, hence it's an odd area + to grab storage from. +- It puts the 3rd io_kiocb cacheline into the hot path, where normal hot + path just needs the first two. + +Use 'cflags' for joint fd/cflags storage. We only need fd until we +successfully issue, and we only need cflags once a request is done and is +completed. + +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io-wq.h | 1 - + fs/io_uring.c | 12 ++++++++---- + 2 files changed, 8 insertions(+), 5 deletions(-) + +diff --git a/fs/io-wq.h b/fs/io-wq.h +index 04d374e65e54..dbecd27656c7 100644 +--- a/fs/io-wq.h ++++ b/fs/io-wq.h +@@ -155,7 +155,6 @@ struct io_wq_work_node *wq_stack_extract(struct io_wq_work_node *stack) + struct io_wq_work { + struct io_wq_work_node list; + unsigned flags; +- int fd; + }; + + static inline struct io_wq_work *wq_next_work(struct io_wq_work *work) +diff --git a/fs/io_uring.c b/fs/io_uring.c +index d13f142793f2..d05394b0c1e6 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -864,7 +864,11 @@ struct io_kiocb { + + u64 user_data; + u32 result; +- u32 cflags; ++ /* fd initially, then cflags for completion */ ++ union { ++ u32 cflags; ++ int fd; ++ }; + + struct io_ring_ctx *ctx; + struct task_struct *task; +@@ -6708,9 +6712,9 @@ static bool io_assign_file(struct io_kiocb *req, unsigned int issue_flags) + return true; + + if (req->flags & REQ_F_FIXED_FILE) +- req->file = io_file_get_fixed(req, req->work.fd, issue_flags); ++ req->file = io_file_get_fixed(req, req->fd, issue_flags); + else +- req->file = io_file_get_normal(req, req->work.fd); ++ req->file = io_file_get_normal(req, req->fd); + if (req->file) + return true; + +@@ -7243,7 +7247,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, + if (io_op_defs[opcode].needs_file) { + struct io_submit_state *state = &ctx->submit_state; + +- req->work.fd = READ_ONCE(sqe->fd); ++ req->fd = READ_ONCE(sqe->fd); + + /* + * Plug now if we have more than 2 IO left after this, and the +-- +2.35.1 + diff --git a/queue-5.17/io_uring-use-nospec-annotation-for-more-indexes.patch b/queue-5.17/io_uring-use-nospec-annotation-for-more-indexes.patch new file mode 100644 index 00000000000..d2064a0298b --- /dev/null +++ b/queue-5.17/io_uring-use-nospec-annotation-for-more-indexes.patch @@ -0,0 +1,66 @@ +From 1d8398365053b3b6cec39523df24b36ef41bc466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 14:05:05 +0100 +Subject: io_uring: use nospec annotation for more indexes + +From: Pavel Begunkov + +[ Upstream commit 4cdd158be9d09223737df83136a1fb65269d809a ] + +There are still several places that using pre array_index_nospec() +indexes, fix them up. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/b01ef5ee83f72ed35ad525912370b729f5d145f4.1649336342.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 53b20d8b1129..f0febb2cb016 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -8613,7 +8613,7 @@ static int io_close_fixed(struct io_kiocb *req, unsigned int issue_flags) + bool needs_lock = issue_flags & IO_URING_F_UNLOCKED; + struct io_fixed_file *file_slot; + struct file *file; +- int ret, i; ++ int ret; + + io_ring_submit_lock(ctx, needs_lock); + ret = -ENXIO; +@@ -8626,8 +8626,8 @@ static int io_close_fixed(struct io_kiocb *req, unsigned int issue_flags) + if (ret) + goto out; + +- i = array_index_nospec(offset, ctx->nr_user_files); +- file_slot = io_fixed_file_slot(&ctx->file_table, i); ++ offset = array_index_nospec(offset, ctx->nr_user_files); ++ file_slot = io_fixed_file_slot(&ctx->file_table, offset); + ret = -EBADF; + if (!file_slot->file_ptr) + goto out; +@@ -8683,8 +8683,7 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx, + + if (file_slot->file_ptr) { + file = (struct file *)(file_slot->file_ptr & FFS_MASK); +- err = io_queue_rsrc_removal(data, up->offset + done, +- ctx->rsrc_node, file); ++ err = io_queue_rsrc_removal(data, i, ctx->rsrc_node, file); + if (err) + break; + file_slot->file_ptr = 0; +@@ -9357,7 +9356,7 @@ static int __io_sqe_buffers_update(struct io_ring_ctx *ctx, + + i = array_index_nospec(offset, ctx->nr_user_bufs); + if (ctx->user_bufs[i] != ctx->dummy_ubuf) { +- err = io_queue_rsrc_removal(ctx->buf_data, offset, ++ err = io_queue_rsrc_removal(ctx->buf_data, i, + ctx->rsrc_node, ctx->user_bufs[i]); + if (unlikely(err)) { + io_buffer_unmap(ctx, &imu); +-- +2.35.1 + diff --git a/queue-5.17/io_uring-verify-pad-field-is-0-in-io_get_ext_arg.patch b/queue-5.17/io_uring-verify-pad-field-is-0-in-io_get_ext_arg.patch new file mode 100644 index 00000000000..cd519a5ca0f --- /dev/null +++ b/queue-5.17/io_uring-verify-pad-field-is-0-in-io_get_ext_arg.patch @@ -0,0 +1,36 @@ +From d25481356561a73a1c207dd5f1e6a63590f24892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 09:30:42 -0700 +Subject: io_uring: verify pad field is 0 in io_get_ext_arg + +From: Dylan Yudaken + +[ Upstream commit d2347b9695dafe5c388a5f9aeb70e27a7a4d29cf ] + +Ensure that only 0 is passed for pad here. + +Fixes: c73ebb685fb6 ("io_uring: add timeout support for io_uring_enter()") +Signed-off-by: Dylan Yudaken +Link: https://lore.kernel.org/r/20220412163042.2788062-5-dylany@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 2838bc6cdbc8..7a652c8eeed2 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -10109,6 +10109,8 @@ static int io_get_ext_arg(unsigned flags, const void __user *argp, size_t *argsz + return -EINVAL; + if (copy_from_user(&arg, argp, sizeof(arg))) + return -EFAULT; ++ if (arg.pad) ++ return -EINVAL; + *sig = u64_to_user_ptr(arg.sigmask); + *argsz = arg.sigmask_sz; + *ts = u64_to_user_ptr(arg.ts); +-- +2.35.1 + diff --git a/queue-5.17/io_uring-verify-that-resv2-is-0-in-io_uring_rsrc_upd.patch b/queue-5.17/io_uring-verify-that-resv2-is-0-in-io_uring_rsrc_upd.patch new file mode 100644 index 00000000000..0e75e4f065e --- /dev/null +++ b/queue-5.17/io_uring-verify-that-resv2-is-0-in-io_uring_rsrc_upd.patch @@ -0,0 +1,53 @@ +From db3a2e3456d0193deb1e8e25d6a2b7425c551a22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 09:30:40 -0700 +Subject: io_uring: verify that resv2 is 0 in io_uring_rsrc_update2 + +From: Dylan Yudaken + +[ Upstream commit d8a3ba9c143bf89c032deced8a686ffa53b46098 ] + +Verify that the user does not pass in anything but 0 for this field. + +Fixes: 992da01aa932 ("io_uring: change registration/upd/rsrc tagging ABI") +Signed-off-by: Dylan Yudaken +Link: https://lore.kernel.org/r/20220412163042.2788062-3-dylany@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 7da6fddaef4d..2838bc6cdbc8 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -6466,6 +6466,7 @@ static int io_files_update(struct io_kiocb *req, unsigned int issue_flags) + up.nr = 0; + up.tags = 0; + up.resv = 0; ++ up.resv2 = 0; + + io_ring_submit_lock(ctx, needs_lock); + ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE, +@@ -10809,7 +10810,7 @@ static int io_register_files_update(struct io_ring_ctx *ctx, void __user *arg, + memset(&up, 0, sizeof(up)); + if (copy_from_user(&up, arg, sizeof(struct io_uring_rsrc_update))) + return -EFAULT; +- if (up.resv) ++ if (up.resv || up.resv2) + return -EINVAL; + return __io_register_rsrc_update(ctx, IORING_RSRC_FILE, &up, nr_args); + } +@@ -10823,7 +10824,7 @@ static int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg, + return -EINVAL; + if (copy_from_user(&up, arg, sizeof(up))) + return -EFAULT; +- if (!up.nr || up.resv) ++ if (!up.nr || up.resv || up.resv2) + return -EINVAL; + return __io_register_rsrc_update(ctx, type, &up, up.nr); + } +-- +2.35.1 + diff --git a/queue-5.17/io_uring-zero-tag-on-rsrc-removal.patch b/queue-5.17/io_uring-zero-tag-on-rsrc-removal.patch new file mode 100644 index 00000000000..dc46f0dd5a8 --- /dev/null +++ b/queue-5.17/io_uring-zero-tag-on-rsrc-removal.patch @@ -0,0 +1,45 @@ +From 385330ec54c8fdb70b45570ccbd504d630c48bfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 14:05:04 +0100 +Subject: io_uring: zero tag on rsrc removal + +From: Pavel Begunkov + +[ Upstream commit 8f0a24801bb44aa58496945aabb904c729176772 ] + +Automatically default rsrc tag in io_queue_rsrc_removal(), it's safer +than leaving it there and relying on the rest of the code to behave and +not use it. + +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/1cf262a50df17478ea25b22494dcc19f3a80301f.1649336342.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 6f93bff7633c..53b20d8b1129 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -8536,13 +8536,15 @@ static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file, + static int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx, + struct io_rsrc_node *node, void *rsrc) + { ++ u64 *tag_slot = io_get_tag_slot(data, idx); + struct io_rsrc_put *prsrc; + + prsrc = kzalloc(sizeof(*prsrc), GFP_KERNEL); + if (!prsrc) + return -ENOMEM; + +- prsrc->tag = *io_get_tag_slot(data, idx); ++ prsrc->tag = *tag_slot; ++ *tag_slot = 0; + prsrc->rsrc = rsrc; + list_add(&prsrc->list, &node->rsrc_list); + return 0; +-- +2.35.1 + diff --git a/queue-5.17/kvm-arm64-generalise-vm-features-into-a-set-of-flags.patch b/queue-5.17/kvm-arm64-generalise-vm-features-into-a-set-of-flags.patch new file mode 100644 index 00000000000..60e56caae87 --- /dev/null +++ b/queue-5.17/kvm-arm64-generalise-vm-features-into-a-set-of-flags.patch @@ -0,0 +1,129 @@ +From cafe7dd9ee1ba899ba15e47dc19677dcd4c300e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 17:39:47 +0000 +Subject: KVM: arm64: Generalise VM features into a set of flags + +From: Marc Zyngier + +[ Upstream commit 06394531b425794dc56f3d525b7994d25b8072f7 ] + +We currently deal with a set of booleans for VM features, +while they could be better represented as set of flags +contained in an unsigned long, similarily to what we are +doing on the CPU side. + +Signed-off-by: Marc Zyngier +[Oliver: Flag-ify the 'ran_once' boolean] +Signed-off-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220311174001.605719-2-oupton@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/kvm_host.h | 15 +++++++++------ + arch/arm64/kvm/arm.c | 7 ++++--- + arch/arm64/kvm/mmio.c | 3 ++- + arch/arm64/kvm/pmu-emul.c | 2 +- + 4 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h +index 8234626a945a..2619fda42ca2 100644 +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -122,7 +122,12 @@ struct kvm_arch { + * should) opt in to this feature if KVM_CAP_ARM_NISV_TO_USER is + * supported. + */ +- bool return_nisv_io_abort_to_user; ++#define KVM_ARCH_FLAG_RETURN_NISV_IO_ABORT_TO_USER 0 ++ /* Memory Tagging Extension enabled for the guest */ ++#define KVM_ARCH_FLAG_MTE_ENABLED 1 ++ /* At least one vCPU has ran in the VM */ ++#define KVM_ARCH_FLAG_HAS_RAN_ONCE 2 ++ unsigned long flags; + + /* + * VM-wide PMU filter, implemented as a bitmap and big enough for +@@ -133,10 +138,6 @@ struct kvm_arch { + + u8 pfr0_csv2; + u8 pfr0_csv3; +- +- /* Memory Tagging Extension enabled for the guest */ +- bool mte_enabled; +- bool ran_once; + }; + + struct kvm_vcpu_fault_info { +@@ -792,7 +793,9 @@ bool kvm_arm_vcpu_is_finalized(struct kvm_vcpu *vcpu); + #define kvm_arm_vcpu_sve_finalized(vcpu) \ + ((vcpu)->arch.flags & KVM_ARM64_VCPU_SVE_FINALIZED) + +-#define kvm_has_mte(kvm) (system_supports_mte() && (kvm)->arch.mte_enabled) ++#define kvm_has_mte(kvm) \ ++ (system_supports_mte() && \ ++ test_bit(KVM_ARCH_FLAG_MTE_ENABLED, &(kvm)->arch.flags)) + #define kvm_vcpu_has_pmu(vcpu) \ + (test_bit(KVM_ARM_VCPU_PMU_V3, (vcpu)->arch.features)) + +diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c +index 85a2a75f4498..25d8aff273a1 100644 +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -89,7 +89,8 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, + switch (cap->cap) { + case KVM_CAP_ARM_NISV_TO_USER: + r = 0; +- kvm->arch.return_nisv_io_abort_to_user = true; ++ set_bit(KVM_ARCH_FLAG_RETURN_NISV_IO_ABORT_TO_USER, ++ &kvm->arch.flags); + break; + case KVM_CAP_ARM_MTE: + mutex_lock(&kvm->lock); +@@ -97,7 +98,7 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm, + r = -EINVAL; + } else { + r = 0; +- kvm->arch.mte_enabled = true; ++ set_bit(KVM_ARCH_FLAG_MTE_ENABLED, &kvm->arch.flags); + } + mutex_unlock(&kvm->lock); + break; +@@ -635,7 +636,7 @@ int kvm_arch_vcpu_run_pid_change(struct kvm_vcpu *vcpu) + kvm_call_hyp_nvhe(__pkvm_vcpu_init_traps, vcpu); + + mutex_lock(&kvm->lock); +- kvm->arch.ran_once = true; ++ set_bit(KVM_ARCH_FLAG_HAS_RAN_ONCE, &kvm->arch.flags); + mutex_unlock(&kvm->lock); + + return ret; +diff --git a/arch/arm64/kvm/mmio.c b/arch/arm64/kvm/mmio.c +index 3e2d8ba11a02..3dd38a151d2a 100644 +--- a/arch/arm64/kvm/mmio.c ++++ b/arch/arm64/kvm/mmio.c +@@ -135,7 +135,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa) + * volunteered to do so, and bail out otherwise. + */ + if (!kvm_vcpu_dabt_isvalid(vcpu)) { +- if (vcpu->kvm->arch.return_nisv_io_abort_to_user) { ++ if (test_bit(KVM_ARCH_FLAG_RETURN_NISV_IO_ABORT_TO_USER, ++ &vcpu->kvm->arch.flags)) { + run->exit_reason = KVM_EXIT_ARM_NISV; + run->arm_nisv.esr_iss = kvm_vcpu_dabt_iss_nisv_sanitized(vcpu); + run->arm_nisv.fault_ipa = fault_ipa; +diff --git a/arch/arm64/kvm/pmu-emul.c b/arch/arm64/kvm/pmu-emul.c +index bc771bc1a041..fc6ee6f02fec 100644 +--- a/arch/arm64/kvm/pmu-emul.c ++++ b/arch/arm64/kvm/pmu-emul.c +@@ -982,7 +982,7 @@ int kvm_arm_pmu_v3_set_attr(struct kvm_vcpu *vcpu, struct kvm_device_attr *attr) + + mutex_lock(&kvm->lock); + +- if (kvm->arch.ran_once) { ++ if (test_bit(KVM_ARCH_FLAG_HAS_RAN_ONCE, &kvm->arch.flags)) { + mutex_unlock(&kvm->lock); + return -EBUSY; + } +-- +2.35.1 + diff --git a/queue-5.17/kvm-arm64-mixed-width-check-should-be-skipped-for-un.patch b/queue-5.17/kvm-arm64-mixed-width-check-should-be-skipped-for-un.patch new file mode 100644 index 00000000000..3034a0a22f0 --- /dev/null +++ b/queue-5.17/kvm-arm64-mixed-width-check-should-be-skipped-for-un.patch @@ -0,0 +1,218 @@ +From c32d9e530d7e0ebd3de97d137540408280943dfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Mar 2022 20:19:23 -0700 +Subject: KVM: arm64: mixed-width check should be skipped for uninitialized + vCPUs + +From: Reiji Watanabe + +[ Upstream commit 26bf74bd9f6ff0f1545b4f0c92a37c232d076014 ] + +KVM allows userspace to configure either all EL1 32bit or 64bit vCPUs +for a guest. At vCPU reset, vcpu_allowed_register_width() checks +if the vcpu's register width is consistent with all other vCPUs'. +Since the checking is done even against vCPUs that are not initialized +(KVM_ARM_VCPU_INIT has not been done) yet, the uninitialized vCPUs +are erroneously treated as 64bit vCPU, which causes the function to +incorrectly detect a mixed-width VM. + +Introduce KVM_ARCH_FLAG_EL1_32BIT and KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED +bits for kvm->arch.flags. A value of the EL1_32BIT bit indicates that +the guest needs to be configured with all 32bit or 64bit vCPUs, and +a value of the REG_WIDTH_CONFIGURED bit indicates if a value of the +EL1_32BIT bit is valid (already set up). Values in those bits are set at +the first KVM_ARM_VCPU_INIT for the guest based on KVM_ARM_VCPU_EL1_32BIT +configuration for the vCPU. + +Check vcpu's register width against those new bits at the vcpu's +KVM_ARM_VCPU_INIT (instead of against other vCPUs' register width). + +Fixes: 66e94d5cafd4 ("KVM: arm64: Prevent mixed-width VM creation") +Signed-off-by: Reiji Watanabe +Reviewed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220329031924.619453-2-reijiw@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/kvm_emulate.h | 27 ++++++++---- + arch/arm64/include/asm/kvm_host.h | 10 +++++ + arch/arm64/kvm/reset.c | 65 +++++++++++++++++++--------- + 3 files changed, 74 insertions(+), 28 deletions(-) + +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h +index d62405ce3e6d..7496deab025a 100644 +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -43,10 +43,22 @@ void kvm_inject_pabt(struct kvm_vcpu *vcpu, unsigned long addr); + + void kvm_vcpu_wfi(struct kvm_vcpu *vcpu); + ++#if defined(__KVM_VHE_HYPERVISOR__) || defined(__KVM_NVHE_HYPERVISOR__) + static __always_inline bool vcpu_el1_is_32bit(struct kvm_vcpu *vcpu) + { + return !(vcpu->arch.hcr_el2 & HCR_RW); + } ++#else ++static __always_inline bool vcpu_el1_is_32bit(struct kvm_vcpu *vcpu) ++{ ++ struct kvm *kvm = vcpu->kvm; ++ ++ WARN_ON_ONCE(!test_bit(KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED, ++ &kvm->arch.flags)); ++ ++ return test_bit(KVM_ARCH_FLAG_EL1_32BIT, &kvm->arch.flags); ++} ++#endif + + static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu) + { +@@ -72,15 +84,14 @@ static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu) + vcpu->arch.hcr_el2 |= HCR_TVM; + } + +- if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features)) ++ if (vcpu_el1_is_32bit(vcpu)) + vcpu->arch.hcr_el2 &= ~HCR_RW; +- +- /* +- * TID3: trap feature register accesses that we virtualise. +- * For now this is conditional, since no AArch32 feature regs +- * are currently virtualised. +- */ +- if (!vcpu_el1_is_32bit(vcpu)) ++ else ++ /* ++ * TID3: trap feature register accesses that we virtualise. ++ * For now this is conditional, since no AArch32 feature regs ++ * are currently virtualised. ++ */ + vcpu->arch.hcr_el2 |= HCR_TID3; + + if (cpus_have_const_cap(ARM64_MISMATCHED_CACHE_TYPE) || +diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h +index 2619fda42ca2..b5ae92f77c61 100644 +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -127,6 +127,16 @@ struct kvm_arch { + #define KVM_ARCH_FLAG_MTE_ENABLED 1 + /* At least one vCPU has ran in the VM */ + #define KVM_ARCH_FLAG_HAS_RAN_ONCE 2 ++ /* ++ * The following two bits are used to indicate the guest's EL1 ++ * register width configuration. A value of KVM_ARCH_FLAG_EL1_32BIT ++ * bit is valid only when KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED is set. ++ * Otherwise, the guest's EL1 register width has not yet been ++ * determined yet. ++ */ ++#define KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED 3 ++#define KVM_ARCH_FLAG_EL1_32BIT 4 ++ + unsigned long flags; + + /* +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c +index ecc40c8cd6f6..6c70c6f61c70 100644 +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -181,27 +181,51 @@ static int kvm_vcpu_enable_ptrauth(struct kvm_vcpu *vcpu) + return 0; + } + +-static bool vcpu_allowed_register_width(struct kvm_vcpu *vcpu) ++/** ++ * kvm_set_vm_width() - set the register width for the guest ++ * @vcpu: Pointer to the vcpu being configured ++ * ++ * Set both KVM_ARCH_FLAG_EL1_32BIT and KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED ++ * in the VM flags based on the vcpu's requested register width, the HW ++ * capabilities and other options (such as MTE). ++ * When REG_WIDTH_CONFIGURED is already set, the vcpu settings must be ++ * consistent with the value of the FLAG_EL1_32BIT bit in the flags. ++ * ++ * Return: 0 on success, negative error code on failure. ++ */ ++static int kvm_set_vm_width(struct kvm_vcpu *vcpu) + { +- struct kvm_vcpu *tmp; ++ struct kvm *kvm = vcpu->kvm; + bool is32bit; +- unsigned long i; + + is32bit = vcpu_has_feature(vcpu, KVM_ARM_VCPU_EL1_32BIT); ++ ++ lockdep_assert_held(&kvm->lock); ++ ++ if (test_bit(KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED, &kvm->arch.flags)) { ++ /* ++ * The guest's register width is already configured. ++ * Make sure that the vcpu is consistent with it. ++ */ ++ if (is32bit == test_bit(KVM_ARCH_FLAG_EL1_32BIT, &kvm->arch.flags)) ++ return 0; ++ ++ return -EINVAL; ++ } ++ + if (!cpus_have_const_cap(ARM64_HAS_32BIT_EL1) && is32bit) +- return false; ++ return -EINVAL; + + /* MTE is incompatible with AArch32 */ +- if (kvm_has_mte(vcpu->kvm) && is32bit) +- return false; ++ if (kvm_has_mte(kvm) && is32bit) ++ return -EINVAL; + +- /* Check that the vcpus are either all 32bit or all 64bit */ +- kvm_for_each_vcpu(i, tmp, vcpu->kvm) { +- if (vcpu_has_feature(tmp, KVM_ARM_VCPU_EL1_32BIT) != is32bit) +- return false; +- } ++ if (is32bit) ++ set_bit(KVM_ARCH_FLAG_EL1_32BIT, &kvm->arch.flags); + +- return true; ++ set_bit(KVM_ARCH_FLAG_REG_WIDTH_CONFIGURED, &kvm->arch.flags); ++ ++ return 0; + } + + /** +@@ -230,10 +254,16 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + u32 pstate; + + mutex_lock(&vcpu->kvm->lock); +- reset_state = vcpu->arch.reset_state; +- WRITE_ONCE(vcpu->arch.reset_state.reset, false); ++ ret = kvm_set_vm_width(vcpu); ++ if (!ret) { ++ reset_state = vcpu->arch.reset_state; ++ WRITE_ONCE(vcpu->arch.reset_state.reset, false); ++ } + mutex_unlock(&vcpu->kvm->lock); + ++ if (ret) ++ return ret; ++ + /* Reset PMU outside of the non-preemptible section */ + kvm_pmu_vcpu_reset(vcpu); + +@@ -260,14 +290,9 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu) + } + } + +- if (!vcpu_allowed_register_width(vcpu)) { +- ret = -EINVAL; +- goto out; +- } +- + switch (vcpu->arch.target) { + default: +- if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features)) { ++ if (vcpu_el1_is_32bit(vcpu)) { + pstate = VCPU_RESET_PSTATE_SVC; + } else { + pstate = VCPU_RESET_PSTATE_EL1; +-- +2.35.1 + diff --git a/queue-5.17/kvm-ppc-book3s-hv-p9-fix-lost-kick-race.patch b/queue-5.17/kvm-ppc-book3s-hv-p9-fix-lost-kick-race.patch new file mode 100644 index 00000000000..dab8a7a2e95 --- /dev/null +++ b/queue-5.17/kvm-ppc-book3s-hv-p9-fix-lost-kick-race.patch @@ -0,0 +1,138 @@ +From e213f462fb185a14779d2d787152903677b9a530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 15:33:10 +1000 +Subject: KVM: PPC: Book3S HV P9: Fix "lost kick" race + +From: Nicholas Piggin + +[ Upstream commit c7fa848ff01dad9ed3146a6b1a7d3622131bcedd ] + +When new work is created that requires attention from the hypervisor +(e.g., to inject an interrupt into the guest), fast_vcpu_kick is used to +pull the target vcpu out of the guest if it may have been running. + +Therefore the work creation side looks like this: + + vcpu->arch.doorbell_request = 1; + kvmppc_fast_vcpu_kick_hv(vcpu) { + smp_mb(); + cpu = vcpu->cpu; + if (cpu != -1) + send_ipi(cpu); + } + +And the guest entry side *should* look like this: + + vcpu->cpu = smp_processor_id(); + smp_mb(); + if (vcpu->arch.doorbell_request) { + // do something (abort entry or inject doorbell etc) + } + +But currently the store and load are flipped, so it is possible for the +entry to see no doorbell pending, and the doorbell creation misses the +store to set cpu, resulting lost work (or at least delayed until the +next guest exit). + +Fix this by reordering the entry operations and adding a smp_mb +between them. The P8 path appears to have a similar race which is +commented but not addressed yet. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220303053315.1056880-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 41 +++++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 8 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 791db769080d..316f61a4cb59 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -225,6 +225,13 @@ static void kvmppc_fast_vcpu_kick_hv(struct kvm_vcpu *vcpu) + int cpu; + struct rcuwait *waitp; + ++ /* ++ * rcuwait_wake_up contains smp_mb() which orders prior stores that ++ * create pending work vs below loads of cpu fields. The other side ++ * is the barrier in vcpu run that orders setting the cpu fields vs ++ * testing for pending work. ++ */ ++ + waitp = kvm_arch_vcpu_get_wait(vcpu); + if (rcuwait_wake_up(waitp)) + ++vcpu->stat.generic.halt_wakeup; +@@ -1089,7 +1096,7 @@ int kvmppc_pseries_do_hcall(struct kvm_vcpu *vcpu) + break; + } + tvcpu->arch.prodded = 1; +- smp_mb(); ++ smp_mb(); /* This orders prodded store vs ceded load */ + if (tvcpu->arch.ceded) + kvmppc_fast_vcpu_kick_hv(tvcpu); + break; +@@ -3771,6 +3778,14 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc) + pvc = core_info.vc[sub]; + pvc->pcpu = pcpu + thr; + for_each_runnable_thread(i, vcpu, pvc) { ++ /* ++ * XXX: is kvmppc_start_thread called too late here? ++ * It updates vcpu->cpu and vcpu->arch.thread_cpu ++ * which are used by kvmppc_fast_vcpu_kick_hv(), but ++ * kick is called after new exceptions become available ++ * and exceptions are checked earlier than here, by ++ * kvmppc_core_prepare_to_enter. ++ */ + kvmppc_start_thread(vcpu, pvc); + kvmppc_create_dtl_entry(vcpu, pvc); + trace_kvm_guest_enter(vcpu); +@@ -4492,6 +4507,21 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + if (need_resched() || !kvm->arch.mmu_ready) + goto out; + ++ vcpu->cpu = pcpu; ++ vcpu->arch.thread_cpu = pcpu; ++ vc->pcpu = pcpu; ++ local_paca->kvm_hstate.kvm_vcpu = vcpu; ++ local_paca->kvm_hstate.ptid = 0; ++ local_paca->kvm_hstate.fake_suspend = 0; ++ ++ /* ++ * Orders set cpu/thread_cpu vs testing for pending interrupts and ++ * doorbells below. The other side is when these fields are set vs ++ * kvmppc_fast_vcpu_kick_hv reading the cpu/thread_cpu fields to ++ * kick a vCPU to notice the pending interrupt. ++ */ ++ smp_mb(); ++ + if (!nested) { + kvmppc_core_prepare_to_enter(vcpu); + if (test_bit(BOOK3S_IRQPRIO_EXTERNAL, +@@ -4511,13 +4541,6 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + tb = mftb(); + +- vcpu->cpu = pcpu; +- vcpu->arch.thread_cpu = pcpu; +- vc->pcpu = pcpu; +- local_paca->kvm_hstate.kvm_vcpu = vcpu; +- local_paca->kvm_hstate.ptid = 0; +- local_paca->kvm_hstate.fake_suspend = 0; +- + __kvmppc_create_dtl_entry(vcpu, pcpu, tb + vc->tb_offset, 0); + + trace_kvm_guest_enter(vcpu); +@@ -4619,6 +4642,8 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + run->exit_reason = KVM_EXIT_INTR; + vcpu->arch.ret = -EINTR; + out: ++ vcpu->cpu = -1; ++ vcpu->arch.thread_cpu = -1; + powerpc_local_irq_pmu_restore(flags); + preempt_enable(); + goto done; +-- +2.35.1 + diff --git a/queue-5.17/kvm-selftests-riscv-fix-alignment-of-the-guest_hang-.patch b/queue-5.17/kvm-selftests-riscv-fix-alignment-of-the-guest_hang-.patch new file mode 100644 index 00000000000..eeba830484d --- /dev/null +++ b/queue-5.17/kvm-selftests-riscv-fix-alignment-of-the-guest_hang-.patch @@ -0,0 +1,41 @@ +From 30e3f471a7bcfa2981d56eff6b28f8f9a1223407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 09:15:51 +0530 +Subject: KVM: selftests: riscv: Fix alignment of the guest_hang() function + +From: Anup Patel + +[ Upstream commit ebdef0de2dbc40e697adaa6b3408130f7a7b8351 ] + +The guest_hang() function is used as the default exception handler +for various KVM selftests applications by setting it's address in +the vstvec CSR. The vstvec CSR requires exception handler base address +to be at least 4-byte aligned so this patch fixes alignment of the +guest_hang() function. + +Fixes: 3e06cdf10520 ("KVM: selftests: Add initial support for RISC-V +64-bit") +Signed-off-by: Anup Patel +Tested-by: Mayuresh Chitale +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/lib/riscv/processor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/lib/riscv/processor.c b/tools/testing/selftests/kvm/lib/riscv/processor.c +index d377f2603d98..3961487a4870 100644 +--- a/tools/testing/selftests/kvm/lib/riscv/processor.c ++++ b/tools/testing/selftests/kvm/lib/riscv/processor.c +@@ -268,7 +268,7 @@ void vcpu_dump(FILE *stream, struct kvm_vm *vm, uint32_t vcpuid, uint8_t indent) + core.regs.t3, core.regs.t4, core.regs.t5, core.regs.t6); + } + +-static void guest_hang(void) ++static void __aligned(16) guest_hang(void) + { + while (1) + ; +-- +2.35.1 + diff --git a/queue-5.17/kvm-selftests-riscv-set-pte-a-and-d-bits-in-vs-stage.patch b/queue-5.17/kvm-selftests-riscv-set-pte-a-and-d-bits-in-vs-stage.patch new file mode 100644 index 00000000000..e638f9fa84b --- /dev/null +++ b/queue-5.17/kvm-selftests-riscv-set-pte-a-and-d-bits-in-vs-stage.patch @@ -0,0 +1,50 @@ +From 5ae1660210b203e3a60128d14e1f0bfcf07d992f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 09:15:44 +0530 +Subject: KVM: selftests: riscv: Set PTE A and D bits in VS-stage page table + +From: Anup Patel + +[ Upstream commit fac3725364397f9a40a101f089b86ea655a58d06 ] + +Supporting hardware updates of PTE A and D bits is optional for any +RISC-V implementation so current software strategy is to always set +these bits in both G-stage (hypervisor) and VS-stage (guest kernel). + +If PTE A and D bits are not set by software (hypervisor or guest) +then RISC-V implementations not supporting hardware updates of these +bits will cause traps even for perfectly valid PTEs. + +Based on above explanation, the VS-stage page table created by various +KVM selftest applications is not correct because PTE A and D bits are +not set. This patch fixes VS-stage page table programming of PTE A and +D bits for KVM selftests. + +Fixes: 3e06cdf10520 ("KVM: selftests: Add initial support for RISC-V +64-bit") +Signed-off-by: Anup Patel +Tested-by: Mayuresh Chitale +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/include/riscv/processor.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/include/riscv/processor.h b/tools/testing/selftests/kvm/include/riscv/processor.h +index dc284c6bdbc3..eca5c622efd2 100644 +--- a/tools/testing/selftests/kvm/include/riscv/processor.h ++++ b/tools/testing/selftests/kvm/include/riscv/processor.h +@@ -101,7 +101,9 @@ static inline void set_reg(struct kvm_vm *vm, uint32_t vcpuid, uint64_t id, + #define PGTBL_PTE_WRITE_SHIFT 2 + #define PGTBL_PTE_READ_MASK 0x0000000000000002ULL + #define PGTBL_PTE_READ_SHIFT 1 +-#define PGTBL_PTE_PERM_MASK (PGTBL_PTE_EXECUTE_MASK | \ ++#define PGTBL_PTE_PERM_MASK (PGTBL_PTE_ACCESSED_MASK | \ ++ PGTBL_PTE_DIRTY_MASK | \ ++ PGTBL_PTE_EXECUTE_MASK | \ + PGTBL_PTE_WRITE_MASK | \ + PGTBL_PTE_READ_MASK) + #define PGTBL_PTE_VALID_MASK 0x0000000000000001ULL +-- +2.35.1 + diff --git a/queue-5.17/mac80211-fix-ht_capa-printout-in-debugfs.patch b/queue-5.17/mac80211-fix-ht_capa-printout-in-debugfs.patch new file mode 100644 index 00000000000..68107f7ddf6 --- /dev/null +++ b/queue-5.17/mac80211-fix-ht_capa-printout-in-debugfs.patch @@ -0,0 +1,37 @@ +From c9d9e99efa386fd0b1571a65a1fb92397b4064dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 10:56:59 -0700 +Subject: mac80211: fix ht_capa printout in debugfs + +From: Ben Greear + +[ Upstream commit fb4bccd863ccccd36ad000601856609e259a1859 ] + +Don't use sizeof(pointer) when calculating scnprintf offset. + +Fixes: 01f84f0ed3b4 ("mac80211: reduce stack usage in debugfs") +Signed-off-by: Ben Greear +Link: https://lore.kernel.org/r/20220406175659.20611-1-greearb@candelatech.com +[correct the Fixes tag] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/debugfs_sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c +index 9479f2787ea7..88d9cc945a21 100644 +--- a/net/mac80211/debugfs_sta.c ++++ b/net/mac80211/debugfs_sta.c +@@ -441,7 +441,7 @@ static ssize_t sta_ht_capa_read(struct file *file, char __user *userbuf, + #define PRINT_HT_CAP(_cond, _str) \ + do { \ + if (_cond) \ +- p += scnprintf(p, sizeof(buf)+buf-p, "\t" _str "\n"); \ ++ p += scnprintf(p, bufsz + buf - p, "\t" _str "\n"); \ + } while (0) + char *buf, *p; + int i; +-- +2.35.1 + diff --git a/queue-5.17/macvlan-fix-leaking-skb-in-source-mode-with-nodst-op.patch b/queue-5.17/macvlan-fix-leaking-skb-in-source-mode-with-nodst-op.patch new file mode 100644 index 00000000000..6b8ee7884d7 --- /dev/null +++ b/queue-5.17/macvlan-fix-leaking-skb-in-source-mode-with-nodst-op.patch @@ -0,0 +1,59 @@ +From f9fe95fc506c4288c1b573d06443b110b100385c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 11:34:57 +0200 +Subject: macvlan: Fix leaking skb in source mode with nodst option + +From: Martin Willi + +[ Upstream commit e16b859872b87650bb55b12cca5a5fcdc49c1442 ] + +The MACVLAN receive handler clones skbs to all matching source MACVLAN +interfaces, before it passes the packet along to match on destination +based MACVLANs. + +When using the MACVLAN nodst mode, passing the packet to destination based +MACVLANs is omitted and the handler returns with RX_HANDLER_CONSUMED. +However, the passed skb is not freed, leaking for any packet processed +with the nodst option. + +Properly free the skb when consuming packets to fix that leak. + +Fixes: 427f0c8c194b ("macvlan: Add nodst option to macvlan type source") +Signed-off-by: Martin Willi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 6ef5f77be4d0..c83664b28d89 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -460,8 +460,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb) + return RX_HANDLER_CONSUMED; + *pskb = skb; + eth = eth_hdr(skb); +- if (macvlan_forward_source(skb, port, eth->h_source)) ++ if (macvlan_forward_source(skb, port, eth->h_source)) { ++ kfree_skb(skb); + return RX_HANDLER_CONSUMED; ++ } + src = macvlan_hash_lookup(port, eth->h_source); + if (src && src->mode != MACVLAN_MODE_VEPA && + src->mode != MACVLAN_MODE_BRIDGE) { +@@ -480,8 +482,10 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb) + return RX_HANDLER_PASS; + } + +- if (macvlan_forward_source(skb, port, eth->h_source)) ++ if (macvlan_forward_source(skb, port, eth->h_source)) { ++ kfree_skb(skb); + return RX_HANDLER_CONSUMED; ++ } + if (macvlan_passthru(port)) + vlan = list_first_or_null_rcu(&port->vlans, + struct macvlan_dev, list); +-- +2.35.1 + diff --git a/queue-5.17/media-rockchip-rga-do-proper-error-checking-in-probe.patch b/queue-5.17/media-rockchip-rga-do-proper-error-checking-in-probe.patch new file mode 100644 index 00000000000..008b9855e6e --- /dev/null +++ b/queue-5.17/media-rockchip-rga-do-proper-error-checking-in-probe.patch @@ -0,0 +1,44 @@ +From 1d0cae6649a49086c753f91dfacf494a962c8ebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Nov 2021 13:23:02 +0100 +Subject: media: rockchip/rga: do proper error checking in probe + +From: Kyle Copperfield + +[ Upstream commit 6150f276073a1480030242a7e006a89e161d6cd6 ] + +The latest fix for probe error handling contained a typo that causes +probing to fail with the following message: + + rockchip-rga: probe of ff680000.rga failed with error -12 + +This patch fixes the typo. + +Fixes: e58430e1d4fd (media: rockchip/rga: fix error handling in probe) +Reviewed-by: Dragan Simic +Signed-off-by: Kyle Copperfield +Reviewed-by: Kieran Bingham +Reviewed-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rockchip/rga/rga.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c +index 4de5e8d2b261..3d3d1062e212 100644 +--- a/drivers/media/platform/rockchip/rga/rga.c ++++ b/drivers/media/platform/rockchip/rga/rga.c +@@ -892,7 +892,7 @@ static int rga_probe(struct platform_device *pdev) + } + rga->dst_mmu_pages = + (unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3); +- if (rga->dst_mmu_pages) { ++ if (!rga->dst_mmu_pages) { + ret = -ENOMEM; + goto free_src_pages; + } +-- +2.35.1 + diff --git a/queue-5.17/memory-atmel-ebi-fix-missing-of_node_put-in-atmel_eb.patch b/queue-5.17/memory-atmel-ebi-fix-missing-of_node_put-in-atmel_eb.patch new file mode 100644 index 00000000000..fafbe217cf3 --- /dev/null +++ b/queue-5.17/memory-atmel-ebi-fix-missing-of_node_put-in-atmel_eb.patch @@ -0,0 +1,74 @@ +From 129b589e36d17261e85112802c156255e96fd9bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 11:01:43 +0000 +Subject: memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe + +From: Miaoqian Lin + +[ Upstream commit 6f296a9665ba5ac68937bf11f96214eb9de81baa ] + +The device_node pointer is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: 87108dc78eb8 ("memory: atmel-ebi: Enable the SMC clock if specified") +Signed-off-by: Miaoqian Lin +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220309110144.22412-1-linmq006@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/atmel-ebi.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/drivers/memory/atmel-ebi.c b/drivers/memory/atmel-ebi.c +index c267283b01fd..e749dcb3ddea 100644 +--- a/drivers/memory/atmel-ebi.c ++++ b/drivers/memory/atmel-ebi.c +@@ -544,20 +544,27 @@ static int atmel_ebi_probe(struct platform_device *pdev) + smc_np = of_parse_phandle(dev->of_node, "atmel,smc", 0); + + ebi->smc.regmap = syscon_node_to_regmap(smc_np); +- if (IS_ERR(ebi->smc.regmap)) +- return PTR_ERR(ebi->smc.regmap); ++ if (IS_ERR(ebi->smc.regmap)) { ++ ret = PTR_ERR(ebi->smc.regmap); ++ goto put_node; ++ } + + ebi->smc.layout = atmel_hsmc_get_reg_layout(smc_np); +- if (IS_ERR(ebi->smc.layout)) +- return PTR_ERR(ebi->smc.layout); ++ if (IS_ERR(ebi->smc.layout)) { ++ ret = PTR_ERR(ebi->smc.layout); ++ goto put_node; ++ } + + ebi->smc.clk = of_clk_get(smc_np, 0); + if (IS_ERR(ebi->smc.clk)) { +- if (PTR_ERR(ebi->smc.clk) != -ENOENT) +- return PTR_ERR(ebi->smc.clk); ++ if (PTR_ERR(ebi->smc.clk) != -ENOENT) { ++ ret = PTR_ERR(ebi->smc.clk); ++ goto put_node; ++ } + + ebi->smc.clk = NULL; + } ++ of_node_put(smc_np); + ret = clk_prepare_enable(ebi->smc.clk); + if (ret) + return ret; +@@ -608,6 +615,10 @@ static int atmel_ebi_probe(struct platform_device *pdev) + } + + return of_platform_populate(np, NULL, NULL, dev); ++ ++put_node: ++ of_node_put(smc_np); ++ return ret; + } + + static __maybe_unused int atmel_ebi_resume(struct device *dev) +-- +2.35.1 + diff --git a/queue-5.17/mlxsw-i2c-fix-initialization-error-flow.patch b/queue-5.17/mlxsw-i2c-fix-initialization-error-flow.patch new file mode 100644 index 00000000000..51a9dc499a3 --- /dev/null +++ b/queue-5.17/mlxsw-i2c-fix-initialization-error-flow.patch @@ -0,0 +1,36 @@ +From 6825f4e10f8042dda15126a6c1a087aa00c8748a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 10:07:03 +0300 +Subject: mlxsw: i2c: Fix initialization error flow + +From: Vadim Pasternak + +[ Upstream commit d452088cdfd5a4ad9d96d847d2273fe958d6339b ] + +Add mutex_destroy() call in driver initialization error flow. + +Fixes: 6882b0aee180f ("mlxsw: Introduce support for I2C bus") +Signed-off-by: Vadim Pasternak +Signed-off-by: Ido Schimmel +Link: https://lore.kernel.org/r/20220407070703.2421076-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/i2c.c b/drivers/net/ethernet/mellanox/mlxsw/i2c.c +index 939b692ffc33..ce843ea91464 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/i2c.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/i2c.c +@@ -650,6 +650,7 @@ static int mlxsw_i2c_probe(struct i2c_client *client, + return 0; + + errout: ++ mutex_destroy(&mlxsw_i2c->cmd.lock); + i2c_set_clientdata(client, NULL); + + return err; +-- +2.35.1 + diff --git a/queue-5.17/myri10ge-fix-an-incorrect-free-for-skb-in-myri10ge_s.patch b/queue-5.17/myri10ge-fix-an-incorrect-free-for-skb-in-myri10ge_s.patch new file mode 100644 index 00000000000..f174e4f414e --- /dev/null +++ b/queue-5.17/myri10ge-fix-an-incorrect-free-for-skb-in-myri10ge_s.patch @@ -0,0 +1,40 @@ +From 67705073a81a4e2402e7ab8149805484ecfe5046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 11:55:56 +0800 +Subject: myri10ge: fix an incorrect free for skb in myri10ge_sw_tso + +From: Xiaomeng Tong + +[ Upstream commit b423e54ba965b4469b48e46fd16941f1e1701697 ] + +All remaining skbs should be released when myri10ge_xmit fails to +transmit a packet. Fix it within another skb_list_walk_safe. + +Signed-off-by: Xiaomeng Tong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index 50ac3ee2577a..21d2645885ce 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -2903,11 +2903,9 @@ static netdev_tx_t myri10ge_sw_tso(struct sk_buff *skb, + status = myri10ge_xmit(curr, dev); + if (status != 0) { + dev_kfree_skb_any(curr); +- if (segs != NULL) { +- curr = segs; +- segs = next; ++ skb_list_walk_safe(next, curr, next) { + curr->next = NULL; +- dev_kfree_skb_any(segs); ++ dev_kfree_skb_any(curr); + } + goto drop; + } +-- +2.35.1 + diff --git a/queue-5.17/net-axienet-setup-mdio-unconditionally.patch b/queue-5.17/net-axienet-setup-mdio-unconditionally.patch new file mode 100644 index 00000000000..68a12227a5a --- /dev/null +++ b/queue-5.17/net-axienet-setup-mdio-unconditionally.patch @@ -0,0 +1,55 @@ +From 3fce4f381cc00cddafc1bc8521d98911c4810874 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 17:19:26 +0800 +Subject: net: axienet: setup mdio unconditionally + +From: Andy Chiu + +[ Upstream commit d1c4f93e3f0a023024a6f022a61528c06cf1daa9 ] + +The call to axienet_mdio_setup should not depend on whether "phy-node" +pressents on the DT. Besides, since `lp->phy_node` is used if PHY is in +SGMII or 100Base-X modes, move it into the if statement. And the next patch +will remove `lp->phy_node` from driver's private structure and do an +of_node_put on it right away after use since it is not used elsewhere. + +Signed-off-by: Andy Chiu +Reviewed-by: Greentime Hu +Reviewed-by: Robert Hancock +Reviewed-by: Radhey Shyam Pandey +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 90d96eb79984..a960227f61da 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -2072,15 +2072,14 @@ static int axienet_probe(struct platform_device *pdev) + if (ret) + goto cleanup_clk; + +- lp->phy_node = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0); +- if (lp->phy_node) { +- ret = axienet_mdio_setup(lp); +- if (ret) +- dev_warn(&pdev->dev, +- "error registering MDIO bus: %d\n", ret); +- } ++ ret = axienet_mdio_setup(lp); ++ if (ret) ++ dev_warn(&pdev->dev, ++ "error registering MDIO bus: %d\n", ret); ++ + if (lp->phy_mode == PHY_INTERFACE_MODE_SGMII || + lp->phy_mode == PHY_INTERFACE_MODE_1000BASEX) { ++ lp->phy_node = of_parse_phandle(pdev->dev.of_node, "phy-handle", 0); + if (!lp->phy_node) { + dev_err(&pdev->dev, "phy-handle required for 1000BaseX/SGMII\n"); + ret = -EINVAL; +-- +2.35.1 + diff --git a/queue-5.17/net-bcmgenet-revert-use-stronger-register-read-write.patch b/queue-5.17/net-bcmgenet-revert-use-stronger-register-read-write.patch new file mode 100644 index 00000000000..89c165895b7 --- /dev/null +++ b/queue-5.17/net-bcmgenet-revert-use-stronger-register-read-write.patch @@ -0,0 +1,55 @@ +From b3b415f5b6eb6a42497940c5f42139a1850322ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 16:04:20 -0500 +Subject: net: bcmgenet: Revert "Use stronger register read/writes to assure + ordering" + +From: Jeremy Linton + +[ Upstream commit 2df3fc4a84e917a422935cc5bae18f43f9955d31 ] + +It turns out after digging deeper into this bug, that it was being +triggered by GCC12 failing to call the bcmgenet_enable_dma() +routine. Given that a gcc12 fix has been merged [1] and the genet +driver now works properly when built with gcc12, this commit should +be reverted. + +[1] +https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105160 +https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=aabb9a261ef060cf24fd626713f1d7d9df81aa57 + +Fixes: 8d3ea3d402db ("net: bcmgenet: Use stronger register read/writes to assure ordering") +Signed-off-by: Jeremy Linton +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220412210420.1129430-1-jeremy.linton@arm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index bd5998012a87..2da804f84b48 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -76,7 +76,7 @@ static inline void bcmgenet_writel(u32 value, void __iomem *offset) + if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) + __raw_writel(value, offset); + else +- writel(value, offset); ++ writel_relaxed(value, offset); + } + + static inline u32 bcmgenet_readl(void __iomem *offset) +@@ -84,7 +84,7 @@ static inline u32 bcmgenet_readl(void __iomem *offset) + if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) + return __raw_readl(offset); + else +- return readl(offset); ++ return readl_relaxed(offset); + } + + static inline void dmadesc_set_length_status(struct bcmgenet_priv *priv, +-- +2.35.1 + diff --git a/queue-5.17/net-dsa-felix-fix-tagging-protocol-changes-with-mult.patch b/queue-5.17/net-dsa-felix-fix-tagging-protocol-changes-with-mult.patch new file mode 100644 index 00000000000..5c2b34334e2 --- /dev/null +++ b/queue-5.17/net-dsa-felix-fix-tagging-protocol-changes-with-mult.patch @@ -0,0 +1,87 @@ +From a64c494266364e77fc61814744e1e9fe6e06e5e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 20:22:09 +0300 +Subject: net: dsa: felix: fix tagging protocol changes with multiple CPU ports + +From: Vladimir Oltean + +[ Upstream commit 00fa91bc9cc2a9d340f963af5e457610ad4b2f9c ] + +When the device tree has 2 CPU ports defined, a single one is active +(has any dp->cpu_dp pointers point to it). Yet the second one is still a +CPU port, and DSA still calls ->change_tag_protocol on it. + +On the NXP LS1028A, the CPU ports are ports 4 and 5. Port 4 is the +active CPU port and port 5 is inactive. + +After the following commands: + + # Initial setting + cat /sys/class/net/eno2/dsa/tagging + ocelot + echo ocelot-8021q > /sys/class/net/eno2/dsa/tagging + echo ocelot > /sys/class/net/eno2/dsa/tagging + +traffic is now broken, because the driver has moved the NPI port from +port 4 to port 5, unbeknown to DSA. + +The problem can be avoided by detecting that the second CPU port is +unused, and not doing anything for it. Further rework will be needed +when proper support for multiple CPU ports is added. + +Treat this as a bug and prepare current kernels to work in single-CPU +mode with multiple-CPU DT blobs. + +Fixes: adb3dccf090b ("net: dsa: felix: convert to the new .change_tag_protocol DSA API") +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220412172209.2531865-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/ocelot/felix.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/drivers/net/dsa/ocelot/felix.c b/drivers/net/dsa/ocelot/felix.c +index 9957772201d5..c414d9e9d7c0 100644 +--- a/drivers/net/dsa/ocelot/felix.c ++++ b/drivers/net/dsa/ocelot/felix.c +@@ -599,6 +599,8 @@ static int felix_change_tag_protocol(struct dsa_switch *ds, int cpu, + struct ocelot *ocelot = ds->priv; + struct felix *felix = ocelot_to_felix(ocelot); + enum dsa_tag_protocol old_proto = felix->tag_proto; ++ bool cpu_port_active = false; ++ struct dsa_port *dp; + int err; + + if (proto != DSA_TAG_PROTO_SEVILLE && +@@ -606,6 +608,27 @@ static int felix_change_tag_protocol(struct dsa_switch *ds, int cpu, + proto != DSA_TAG_PROTO_OCELOT_8021Q) + return -EPROTONOSUPPORT; + ++ /* We don't support multiple CPU ports, yet the DT blob may have ++ * multiple CPU ports defined. The first CPU port is the active one, ++ * the others are inactive. In this case, DSA will call ++ * ->change_tag_protocol() multiple times, once per CPU port. ++ * Since we implement the tagging protocol change towards "ocelot" or ++ * "seville" as effectively initializing the NPI port, what we are ++ * doing is effectively changing who the NPI port is to the last @cpu ++ * argument passed, which is an unused DSA CPU port and not the one ++ * that should actively pass traffic. ++ * Suppress DSA's calls on CPU ports that are inactive. ++ */ ++ dsa_switch_for_each_user_port(dp, ds) { ++ if (dp->cpu_dp->index == cpu) { ++ cpu_port_active = true; ++ break; ++ } ++ } ++ ++ if (!cpu_port_active) ++ return 0; ++ + felix_del_tag_protocol(ds, cpu, old_proto); + + err = felix_set_tag_protocol(ds, cpu, proto); +-- +2.35.1 + diff --git a/queue-5.17/net-dsa-felix-suppress-eprobe_defer-errors.patch b/queue-5.17/net-dsa-felix-suppress-eprobe_defer-errors.patch new file mode 100644 index 00000000000..3105e6342c6 --- /dev/null +++ b/queue-5.17/net-dsa-felix-suppress-eprobe_defer-errors.patch @@ -0,0 +1,42 @@ +From 0bee3d375c82ff7cd009af6e8b3968f15af5ee16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 12:15:21 +0200 +Subject: net: dsa: felix: suppress -EPROBE_DEFER errors + +From: Michael Walle + +[ Upstream commit e6934e4048c91502efcb21da92b7ae37cd8fa741 ] + +The DSA master might not have been probed yet in which case the probe of +the felix switch fails with -EPROBE_DEFER: +[ 4.435305] mscc_felix 0000:00:00.5: Failed to register DSA switch: -517 + +It is not an error. Use dev_err_probe() to demote this particular error +to a debug message. + +Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family") +Signed-off-by: Michael Walle +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220408101521.281886-1-michael@walle.cc +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/ocelot/felix_vsc9959.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/ocelot/felix_vsc9959.c b/drivers/net/dsa/ocelot/felix_vsc9959.c +index 2875b5250856..443d34ce2853 100644 +--- a/drivers/net/dsa/ocelot/felix_vsc9959.c ++++ b/drivers/net/dsa/ocelot/felix_vsc9959.c +@@ -2328,7 +2328,7 @@ static int felix_pci_probe(struct pci_dev *pdev, + + err = dsa_register_switch(ds); + if (err) { +- dev_err(&pdev->dev, "Failed to register DSA switch: %d\n", err); ++ dev_err_probe(&pdev->dev, err, "Failed to register DSA switch\n"); + goto err_register_ds; + } + +-- +2.35.1 + diff --git a/queue-5.17/net-ethernet-stmmac-fix-altr_tse_pcs-function-when-u.patch b/queue-5.17/net-ethernet-stmmac-fix-altr_tse_pcs-function-when-u.patch new file mode 100644 index 00000000000..ba059a8607c --- /dev/null +++ b/queue-5.17/net-ethernet-stmmac-fix-altr_tse_pcs-function-when-u.patch @@ -0,0 +1,120 @@ +From 6635beb2e53e6ff263f075478b7efaec8099ed08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 08:25:21 -0500 +Subject: net: ethernet: stmmac: fix altr_tse_pcs function when using a + fixed-link + +From: Dinh Nguyen + +[ Upstream commit a6aaa00324240967272b451bfa772547bd576ee6 ] + +When using a fixed-link, the altr_tse_pcs driver crashes +due to null-pointer dereference as no phy_device is provided to +tse_pcs_fix_mac_speed function. Fix this by adding a check for +phy_dev before calling the tse_pcs_fix_mac_speed() function. + +Also clean up the tse_pcs_fix_mac_speed function a bit. There is +no need to check for splitter_base and sgmii_adapter_base +because the driver will fail if these 2 variables are not +derived from the device tree. + +Fixes: fb3bbdb85989 ("net: ethernet: Add TSE PCS support to dwmac-socfpga") +Signed-off-by: Dinh Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c | 8 -------- + drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h | 4 ++++ + drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 13 +++++-------- + 3 files changed, 9 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c +index cd478d2cd871..00f6d347eaf7 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.c +@@ -57,10 +57,6 @@ + #define TSE_PCS_USE_SGMII_ENA BIT(0) + #define TSE_PCS_IF_USE_SGMII 0x03 + +-#define SGMII_ADAPTER_CTRL_REG 0x00 +-#define SGMII_ADAPTER_DISABLE 0x0001 +-#define SGMII_ADAPTER_ENABLE 0x0000 +- + #define AUTONEGO_LINK_TIMER 20 + + static int tse_pcs_reset(void __iomem *base, struct tse_pcs *pcs) +@@ -202,12 +198,8 @@ void tse_pcs_fix_mac_speed(struct tse_pcs *pcs, struct phy_device *phy_dev, + unsigned int speed) + { + void __iomem *tse_pcs_base = pcs->tse_pcs_base; +- void __iomem *sgmii_adapter_base = pcs->sgmii_adapter_base; + u32 val; + +- writew(SGMII_ADAPTER_ENABLE, +- sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); +- + pcs->autoneg = phy_dev->autoneg; + + if (phy_dev->autoneg == AUTONEG_ENABLE) { +diff --git a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h +index 442812c0a4bd..694ac25ef426 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h ++++ b/drivers/net/ethernet/stmicro/stmmac/altr_tse_pcs.h +@@ -10,6 +10,10 @@ + #include + #include + ++#define SGMII_ADAPTER_CTRL_REG 0x00 ++#define SGMII_ADAPTER_ENABLE 0x0000 ++#define SGMII_ADAPTER_DISABLE 0x0001 ++ + struct tse_pcs { + struct device *dev; + void __iomem *tse_pcs_base; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c +index b7c2579c963b..ac9e6c7a33b5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c +@@ -18,9 +18,6 @@ + + #include "altr_tse_pcs.h" + +-#define SGMII_ADAPTER_CTRL_REG 0x00 +-#define SGMII_ADAPTER_DISABLE 0x0001 +- + #define SYSMGR_EMACGRP_CTRL_PHYSEL_ENUM_GMII_MII 0x0 + #define SYSMGR_EMACGRP_CTRL_PHYSEL_ENUM_RGMII 0x1 + #define SYSMGR_EMACGRP_CTRL_PHYSEL_ENUM_RMII 0x2 +@@ -62,16 +59,14 @@ static void socfpga_dwmac_fix_mac_speed(void *priv, unsigned int speed) + { + struct socfpga_dwmac *dwmac = (struct socfpga_dwmac *)priv; + void __iomem *splitter_base = dwmac->splitter_base; +- void __iomem *tse_pcs_base = dwmac->pcs.tse_pcs_base; + void __iomem *sgmii_adapter_base = dwmac->pcs.sgmii_adapter_base; + struct device *dev = dwmac->dev; + struct net_device *ndev = dev_get_drvdata(dev); + struct phy_device *phy_dev = ndev->phydev; + u32 val; + +- if ((tse_pcs_base) && (sgmii_adapter_base)) +- writew(SGMII_ADAPTER_DISABLE, +- sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); ++ writew(SGMII_ADAPTER_DISABLE, ++ sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); + + if (splitter_base) { + val = readl(splitter_base + EMAC_SPLITTER_CTRL_REG); +@@ -93,7 +88,9 @@ static void socfpga_dwmac_fix_mac_speed(void *priv, unsigned int speed) + writel(val, splitter_base + EMAC_SPLITTER_CTRL_REG); + } + +- if (tse_pcs_base && sgmii_adapter_base) ++ writew(SGMII_ADAPTER_ENABLE, ++ sgmii_adapter_base + SGMII_ADAPTER_CTRL_REG); ++ if (phy_dev) + tse_pcs_fix_mac_speed(&dwmac->pcs, phy_dev, speed); + } + +-- +2.35.1 + diff --git a/queue-5.17/net-ftgmac100-access-hardware-register-after-clock-r.patch b/queue-5.17/net-ftgmac100-access-hardware-register-after-clock-r.patch new file mode 100644 index 00000000000..c619238d866 --- /dev/null +++ b/queue-5.17/net-ftgmac100-access-hardware-register-after-clock-r.patch @@ -0,0 +1,54 @@ +From 8b0d39de6117e9e18975cda5b3b6019f39e32dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 19:48:59 +0800 +Subject: net: ftgmac100: access hardware register after clock ready + +From: Dylan Hung + +[ Upstream commit 3d2504524531990b32a0629cc984db44f399d161 ] + +AST2600 MAC register 0x58 is writable only when the MAC clock is +enabled. Usually, the MAC clock is enabled by the bootloader so +register 0x58 is set normally when the bootloader is involved. To make +ast2600 ftgmac100 work without the bootloader, postpone the register +write until the clock is ready. + +Fixes: 137d23cea1c0 ("net: ftgmac100: Fix Aspeed ast2600 TX hang issue") +Signed-off-by: Dylan Hung +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/faraday/ftgmac100.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c +index d5356db7539a..caf48023f8ea 100644 +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -1835,11 +1835,6 @@ static int ftgmac100_probe(struct platform_device *pdev) + priv->rxdes0_edorr_mask = BIT(30); + priv->txdes0_edotr_mask = BIT(30); + priv->is_aspeed = true; +- /* Disable ast2600 problematic HW arbitration */ +- if (of_device_is_compatible(np, "aspeed,ast2600-mac")) { +- iowrite32(FTGMAC100_TM_DEFAULT, +- priv->base + FTGMAC100_OFFSET_TM); +- } + } else { + priv->rxdes0_edorr_mask = BIT(15); + priv->txdes0_edotr_mask = BIT(15); +@@ -1911,6 +1906,11 @@ static int ftgmac100_probe(struct platform_device *pdev) + err = ftgmac100_setup_clk(priv); + if (err) + goto err_phy_connect; ++ ++ /* Disable ast2600 problematic HW arbitration */ ++ if (of_device_is_compatible(np, "aspeed,ast2600-mac")) ++ iowrite32(FTGMAC100_TM_DEFAULT, ++ priv->base + FTGMAC100_OFFSET_TM); + } + + /* Default ring sizes */ +-- +2.35.1 + diff --git a/queue-5.17/net-lan966x-fix-when-a-port-s-upper-is-changed.patch b/queue-5.17/net-lan966x-fix-when-a-port-s-upper-is-changed.patch new file mode 100644 index 00000000000..71d3b2621e0 --- /dev/null +++ b/queue-5.17/net-lan966x-fix-when-a-port-s-upper-is-changed.patch @@ -0,0 +1,44 @@ +From 4a5530dcf8466b4475f202d8c05a6e4332c9210c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 20:41:42 +0200 +Subject: net: lan966x: Fix when a port's upper is changed. + +From: Horatiu Vultur + +[ Upstream commit d7a947d289dc205fc717c004dcebe33b15305afd ] + +On lan966x it is not allowed to have foreign interfaces under a bridge +which already contains lan966x ports. So when a port leaves the bridge +it would call switchdev_bridge_port_unoffload which eventually will +notify the other ports that bridge left the vlan group but that is not +true because the bridge is still part of the vlan group. + +Therefore when a port leaves the bridge, stop generating replays because +already the HW cleared after itself and the other ports don't need to do +anything else. + +Fixes: cf2f60897e921e ("net: lan966x: Add support to offload the forwarding.") +Signed-off-by: Horatiu Vultur +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c +index 7de55f6a4da8..3c987fd6b9e2 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c +@@ -261,8 +261,7 @@ static int lan966x_port_prechangeupper(struct net_device *dev, + + if (netif_is_bridge_master(info->upper_dev) && !info->linking) + switchdev_bridge_port_unoffload(port->dev, port, +- &lan966x_switchdev_nb, +- &lan966x_switchdev_blocking_nb); ++ NULL, NULL); + + return NOTIFY_DONE; + } +-- +2.35.1 + diff --git a/queue-5.17/net-lan966x-stop-processing-the-mac-entry-is-port-is.patch b/queue-5.17/net-lan966x-stop-processing-the-mac-entry-is-port-is.patch new file mode 100644 index 00000000000..16cebb1f649 --- /dev/null +++ b/queue-5.17/net-lan966x-stop-processing-the-mac-entry-is-port-is.patch @@ -0,0 +1,50 @@ +From 8b357fa7197440f3b247fbf66328f1278405c1ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 20:41:43 +0200 +Subject: net: lan966x: Stop processing the MAC entry is port is wrong. + +From: Horatiu Vultur + +[ Upstream commit 269219321eb7d7645a3122cf40a420c5dc655eb9 ] + +Currently when getting a new MAC is learn, the HW generates an +interrupt. So then the SW will check the new entry and checks if it +arrived on a correct port. If it didn't just generate a warning. +But this could still crash the system. Therefore stop processing that +entry when an issue is seen. + +Fixes: 5ccd66e01cbef8 ("net: lan966x: add support for interrupts from analyzer") +Signed-off-by: Horatiu Vultur +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan966x/lan966x_mac.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_mac.c b/drivers/net/ethernet/microchip/lan966x/lan966x_mac.c +index ce5970bdcc6a..2679111ef669 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_mac.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_mac.c +@@ -346,7 +346,8 @@ static void lan966x_mac_irq_process(struct lan966x *lan966x, u32 row, + + lan966x_mac_process_raw_entry(&raw_entries[column], + mac, &vid, &dest_idx); +- WARN_ON(dest_idx > lan966x->num_phys_ports); ++ if (WARN_ON(dest_idx > lan966x->num_phys_ports)) ++ continue; + + /* If the entry in SW is found, then there is nothing + * to do +@@ -392,7 +393,8 @@ static void lan966x_mac_irq_process(struct lan966x *lan966x, u32 row, + + lan966x_mac_process_raw_entry(&raw_entries[column], + mac, &vid, &dest_idx); +- WARN_ON(dest_idx > lan966x->num_phys_ports); ++ if (WARN_ON(dest_idx > lan966x->num_phys_ports)) ++ continue; + + mac_entry = lan966x_mac_alloc_entry(mac, vid, dest_idx); + if (!mac_entry) +-- +2.35.1 + diff --git a/queue-5.17/net-mdio-don-t-defer-probe-forever-if-phy-irq-provid.patch b/queue-5.17/net-mdio-don-t-defer-probe-forever-if-phy-irq-provid.patch new file mode 100644 index 00000000000..f746db4ed00 --- /dev/null +++ b/queue-5.17/net-mdio-don-t-defer-probe-forever-if-phy-irq-provid.patch @@ -0,0 +1,89 @@ +From 5f641b3a04d17485f8bd930a8c1333ecdcf46024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:55:38 +0300 +Subject: net: mdio: don't defer probe forever if PHY IRQ provider is missing + +From: Vladimir Oltean + +[ Upstream commit 74befa447e6839cdd90ed541159ec783726946f9 ] + +When a driver for an interrupt controller is missing, of_irq_get() +returns -EPROBE_DEFER ad infinitum, causing +fwnode_mdiobus_phy_device_register(), and ultimately, the entire +of_mdiobus_register() call, to fail. In turn, any phy_connect() call +towards a PHY on this MDIO bus will also fail. + +This is not what is expected to happen, because the PHY library falls +back to poll mode when of_irq_get() returns a hard error code, and the +MDIO bus, PHY and attached Ethernet controller work fine, albeit +suboptimally, when the PHY library polls for link status. However, +-EPROBE_DEFER has special handling given the assumption that at some +point probe deferral will stop, and the driver for the supplier will +kick in and create the IRQ domain. + +Reasons for which the interrupt controller may be missing: + +- It is not yet written. This may happen if a more recent DT blob (with + an interrupt-parent for the PHY) is used to boot an old kernel where + the driver didn't exist, and that kernel worked with the + vintage-correct DT blob using poll mode. + +- It is compiled out. Behavior is the same as above. + +- It is compiled as a module. The kernel will wait for a number of + seconds specified in the "deferred_probe_timeout" boot parameter for + user space to load the required module. The current default is 0, + which times out at the end of initcalls. It is possible that this + might cause regressions unless users adjust this boot parameter. + +The proposed solution is to use the driver_deferred_probe_check_state() +helper function provided by the driver core, which gives up after some +-EPROBE_DEFER attempts, taking "deferred_probe_timeout" into consideration. +The return code is changed from -EPROBE_DEFER into -ENODEV or +-ETIMEDOUT, depending on whether the kernel is compiled with support for +modules or not. + +Fixes: 66bdede495c7 ("of_mdio: Fix broken PHY IRQ in case of probe deferral") +Suggested-by: Robin Murphy +Signed-off-by: Vladimir Oltean +Acked-by: Greg Kroah-Hartman +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220407165538.4084809-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/base/dd.c | 1 + + drivers/net/mdio/fwnode_mdio.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/base/dd.c b/drivers/base/dd.c +index 752a11d16e26..7e079fa3795b 100644 +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -296,6 +296,7 @@ int driver_deferred_probe_check_state(struct device *dev) + + return -EPROBE_DEFER; + } ++EXPORT_SYMBOL_GPL(driver_deferred_probe_check_state); + + static void deferred_probe_timeout_work_func(struct work_struct *work) + { +diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c +index 1becb1a731f6..1c1584fca632 100644 +--- a/drivers/net/mdio/fwnode_mdio.c ++++ b/drivers/net/mdio/fwnode_mdio.c +@@ -43,6 +43,11 @@ int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio, + int rc; + + rc = fwnode_irq_get(child, 0); ++ /* Don't wait forever if the IRQ provider doesn't become available, ++ * just fall back to poll mode ++ */ ++ if (rc == -EPROBE_DEFER) ++ rc = driver_deferred_probe_check_state(&phy->mdio.dev); + if (rc == -EPROBE_DEFER) + return rc; + +-- +2.35.1 + diff --git a/queue-5.17/net-micrel-fix-ks8851_mll-kconfig.patch b/queue-5.17/net-micrel-fix-ks8851_mll-kconfig.patch new file mode 100644 index 00000000000..e86d53c8a19 --- /dev/null +++ b/queue-5.17/net-micrel-fix-ks8851_mll-kconfig.patch @@ -0,0 +1,50 @@ +From 44a49cff5a53b8e213f742fd5a2e352fb34ce7ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 22:42:44 -0700 +Subject: net: micrel: fix KS8851_MLL Kconfig + +From: Randy Dunlap + +[ Upstream commit c3efcedd272aa6dd5929e20cf902a52ddaa1197a ] + +KS8851_MLL selects MICREL_PHY, which depends on PTP_1588_CLOCK_OPTIONAL, +so make KS8851_MLL also depend on PTP_1588_CLOCK_OPTIONAL since +'select' does not follow any dependency chains. + +Fixes kconfig warning and build errors: + +WARNING: unmet direct dependencies detected for MICREL_PHY + Depends on [m]: NETDEVICES [=y] && PHYLIB [=y] && PTP_1588_CLOCK_OPTIONAL [=m] + Selected by [y]: + - KS8851_MLL [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_MICREL [=y] && HAS_IOMEM [=y] + +ld: drivers/net/phy/micrel.o: in function `lan8814_ts_info': +micrel.c:(.text+0xb35): undefined reference to `ptp_clock_index' +ld: drivers/net/phy/micrel.o: in function `lan8814_probe': +micrel.c:(.text+0x2586): undefined reference to `ptp_clock_register' + +Signed-off-by: Randy Dunlap +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/micrel/Kconfig b/drivers/net/ethernet/micrel/Kconfig +index 93df3049cdc0..1b632cdd7630 100644 +--- a/drivers/net/ethernet/micrel/Kconfig ++++ b/drivers/net/ethernet/micrel/Kconfig +@@ -39,6 +39,7 @@ config KS8851 + config KS8851_MLL + tristate "Micrel KS8851 MLL" + depends on HAS_IOMEM ++ depends on PTP_1588_CLOCK_OPTIONAL + select MII + select CRC32 + select EEPROM_93CX6 +-- +2.35.1 + diff --git a/queue-5.17/net-sched-fix-initialization-order-when-updating-cha.patch b/queue-5.17/net-sched-fix-initialization-order-when-updating-cha.patch new file mode 100644 index 00000000000..3c8acf7f127 --- /dev/null +++ b/queue-5.17/net-sched-fix-initialization-order-when-updating-cha.patch @@ -0,0 +1,66 @@ +From deded192c0e5037f8c978387e6e28ca95e1ddc80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 11:29:23 -0300 +Subject: net/sched: fix initialization order when updating chain 0 head + +From: Marcelo Ricardo Leitner + +[ Upstream commit e65812fd22eba32f11abe28cb377cbd64cfb1ba0 ] + +Currently, when inserting a new filter that needs to sit at the head +of chain 0, it will first update the heads pointer on all devices using +the (shared) block, and only then complete the initialization of the new +element so that it has a "next" element. + +This can lead to a situation that the chain 0 head is propagated to +another CPU before the "next" initialization is done. When this race +condition is triggered, packets being matched on that CPU will simply +miss all other filters, and will flow through the stack as if there were +no other filters installed. If the system is using OVS + TC, such +packets will get handled by vswitchd via upcall, which results in much +higher latency and reordering. For other applications it may result in +packet drops. + +This is reproducible with a tc only setup, but it varies from system to +system. It could be reproduced with a shared block amongst 10 veth +tunnels, and an ingress filter mirroring packets to another veth. +That's because using the last added veth tunnel to the shared block to +do the actual traffic, it makes the race window bigger and easier to +trigger. + +The fix is rather simple, to just initialize the next pointer of the new +filter instance (tp) before propagating the head change. + +The fixes tag is pointing to the original code though this issue should +only be observed when using it unlocked. + +Fixes: 2190d1d0944f ("net: sched: introduce helpers to work with filter chains") +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: Vlad Buslov +Reviewed-by: Davide Caratti +Link: https://lore.kernel.org/r/b97d5f4eaffeeb9d058155bcab63347527261abf.1649341369.git.marcelo.leitner@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 5ce1208a6ea3..130b5fda9c51 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1653,10 +1653,10 @@ static int tcf_chain_tp_insert(struct tcf_chain *chain, + if (chain->flushing) + return -EAGAIN; + ++ RCU_INIT_POINTER(tp->next, tcf_chain_tp_prev(chain, chain_info)); + if (*chain_info->pprev == chain->filter_chain) + tcf_chain0_head_change(chain, tp); + tcf_proto_get(tp); +- RCU_INIT_POINTER(tp->next, tcf_chain_tp_prev(chain, chain_info)); + rcu_assign_pointer(*chain_info->pprev, tp); + + return 0; +-- +2.35.1 + diff --git a/queue-5.17/net-sched-flower-fix-parsing-of-ethertype-following-.patch b/queue-5.17/net-sched-flower-fix-parsing-of-ethertype-following-.patch new file mode 100644 index 00000000000..c9bd55d90e0 --- /dev/null +++ b/queue-5.17/net-sched-flower-fix-parsing-of-ethertype-following-.patch @@ -0,0 +1,132 @@ +From 52d39ce8c272f5e5837c7fec608c8fb0610eedf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 14:22:41 +0300 +Subject: net/sched: flower: fix parsing of ethertype following VLAN header + +From: Vlad Buslov + +[ Upstream commit 2105f700b53c24aa48b65c15652acc386044d26a ] + +A tc flower filter matching TCA_FLOWER_KEY_VLAN_ETH_TYPE is expected to +match the L2 ethertype following the first VLAN header, as confirmed by +linked discussion with the maintainer. However, such rule also matches +packets that have additional second VLAN header, even though filter has +both eth_type and vlan_ethtype set to "ipv4". Looking at the code this +seems to be mostly an artifact of the way flower uses flow dissector. +First, even though looking at the uAPI eth_type and vlan_ethtype appear +like a distinct fields, in flower they are all mapped to the same +key->basic.n_proto. Second, flow dissector skips following VLAN header as +no keys for FLOW_DISSECTOR_KEY_CVLAN are set and eventually assigns the +value of n_proto to last parsed header. With these, such filters ignore any +headers present between first VLAN header and first "non magic" +header (ipv4 in this case) that doesn't result +FLOW_DISSECT_RET_PROTO_AGAIN. + +Fix the issue by extending flow dissector VLAN key structure with new +'vlan_eth_type' field that matches first ethertype following previously +parsed VLAN header. Modify flower classifier to set the new +flow_dissector_key_vlan->vlan_eth_type with value obtained from +TCA_FLOWER_KEY_VLAN_ETH_TYPE/TCA_FLOWER_KEY_CVLAN_ETH_TYPE uAPIs. + +Link: https://lore.kernel.org/all/Yjhgi48BpTGh6dig@nanopsycho/ +Fixes: 9399ae9a6cb2 ("net_sched: flower: Add vlan support") +Fixes: d64efd0926ba ("net/sched: flower: Add supprt for matching on QinQ vlan headers") +Signed-off-by: Vlad Buslov +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/flow_dissector.h | 2 ++ + net/core/flow_dissector.c | 1 + + net/sched/cls_flower.c | 18 +++++++++++++----- + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h +index aa33e1092e2c..9f65f1bfbd24 100644 +--- a/include/net/flow_dissector.h ++++ b/include/net/flow_dissector.h +@@ -59,6 +59,8 @@ struct flow_dissector_key_vlan { + __be16 vlan_tci; + }; + __be16 vlan_tpid; ++ __be16 vlan_eth_type; ++ u16 padding; + }; + + struct flow_dissector_mpls_lse { +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 15833e1d6ea1..544d2028ccf5 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -1182,6 +1182,7 @@ bool __skb_flow_dissect(const struct net *net, + VLAN_PRIO_MASK) >> VLAN_PRIO_SHIFT; + } + key_vlan->vlan_tpid = saved_vlan_tpid; ++ key_vlan->vlan_eth_type = proto; + } + + fdret = FLOW_DISSECT_RET_PROTO_AGAIN; +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 1a9b1f140f9e..ef5b3452254a 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1005,6 +1005,7 @@ static int fl_set_key_mpls(struct nlattr **tb, + static void fl_set_key_vlan(struct nlattr **tb, + __be16 ethertype, + int vlan_id_key, int vlan_prio_key, ++ int vlan_next_eth_type_key, + struct flow_dissector_key_vlan *key_val, + struct flow_dissector_key_vlan *key_mask) + { +@@ -1023,6 +1024,11 @@ static void fl_set_key_vlan(struct nlattr **tb, + } + key_val->vlan_tpid = ethertype; + key_mask->vlan_tpid = cpu_to_be16(~0); ++ if (tb[vlan_next_eth_type_key]) { ++ key_val->vlan_eth_type = ++ nla_get_be16(tb[vlan_next_eth_type_key]); ++ key_mask->vlan_eth_type = cpu_to_be16(~0); ++ } + } + + static void fl_set_key_flag(u32 flower_key, u32 flower_mask, +@@ -1519,8 +1525,9 @@ static int fl_set_key(struct net *net, struct nlattr **tb, + + if (eth_type_vlan(ethertype)) { + fl_set_key_vlan(tb, ethertype, TCA_FLOWER_KEY_VLAN_ID, +- TCA_FLOWER_KEY_VLAN_PRIO, &key->vlan, +- &mask->vlan); ++ TCA_FLOWER_KEY_VLAN_PRIO, ++ TCA_FLOWER_KEY_VLAN_ETH_TYPE, ++ &key->vlan, &mask->vlan); + + if (tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]) { + ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]); +@@ -1528,6 +1535,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, + fl_set_key_vlan(tb, ethertype, + TCA_FLOWER_KEY_CVLAN_ID, + TCA_FLOWER_KEY_CVLAN_PRIO, ++ TCA_FLOWER_KEY_CVLAN_ETH_TYPE, + &key->cvlan, &mask->cvlan); + fl_set_key_val(tb, &key->basic.n_proto, + TCA_FLOWER_KEY_CVLAN_ETH_TYPE, +@@ -2886,13 +2894,13 @@ static int fl_dump_key(struct sk_buff *skb, struct net *net, + goto nla_put_failure; + + if (mask->basic.n_proto) { +- if (mask->cvlan.vlan_tpid) { ++ if (mask->cvlan.vlan_eth_type) { + if (nla_put_be16(skb, TCA_FLOWER_KEY_CVLAN_ETH_TYPE, + key->basic.n_proto)) + goto nla_put_failure; +- } else if (mask->vlan.vlan_tpid) { ++ } else if (mask->vlan.vlan_eth_type) { + if (nla_put_be16(skb, TCA_FLOWER_KEY_VLAN_ETH_TYPE, +- key->basic.n_proto)) ++ key->vlan.vlan_eth_type)) + goto nla_put_failure; + } + } +-- +2.35.1 + diff --git a/queue-5.17/net-sched-taprio-check-if-socket-flags-are-valid.patch b/queue-5.17/net-sched-taprio-check-if-socket-flags-are-valid.patch new file mode 100644 index 00000000000..7bec005ea85 --- /dev/null +++ b/queue-5.17/net-sched-taprio-check-if-socket-flags-are-valid.patch @@ -0,0 +1,48 @@ +From 593e2d7a3e46fc96b4ee62dfa3f9915aee7f99ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 11:47:45 +0200 +Subject: net/sched: taprio: Check if socket flags are valid + +From: Benedikt Spranger + +[ Upstream commit e8a64bbaaad1f6548cec5508297bc6d45e8ab69e ] + +A user may set the SO_TXTIME socket option to ensure a packet is send +at a given time. The taprio scheduler has to confirm, that it is allowed +to send a packet at that given time, by a check against the packet time +schedule. The scheduler drop the packet, if the gates are closed at the +given send time. + +The check, if SO_TXTIME is set, may fail since sk_flags are part of an +union and the union is used otherwise. This happen, if a socket is not +a full socket, like a request socket for example. + +Add a check to verify, if the union is used for sk_flags. + +Fixes: 4cfd5779bd6e ("taprio: Add support for txtime-assist mode") +Signed-off-by: Benedikt Spranger +Reviewed-by: Kurt Kanzenbach +Acked-by: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 377f896bdedc..b9c71a304d39 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -417,7 +417,8 @@ static int taprio_enqueue_one(struct sk_buff *skb, struct Qdisc *sch, + { + struct taprio_sched *q = qdisc_priv(sch); + +- if (skb->sk && sock_flag(skb->sk, SOCK_TXTIME)) { ++ /* sk_flags are only safe to use on full sockets. */ ++ if (skb->sk && sk_fullsock(skb->sk) && sock_flag(skb->sk, SOCK_TXTIME)) { + if (!is_valid_interval(skb, sch)) + return qdisc_drop(skb, sch, to_free); + } else if (TXTIME_ASSIST_IS_ENABLED(q->flags)) { +-- +2.35.1 + diff --git a/queue-5.17/net-smc-fix-null-pointer-dereference-in-smc_pnet_fin.patch b/queue-5.17/net-smc-fix-null-pointer-dereference-in-smc_pnet_fin.patch new file mode 100644 index 00000000000..b4419adf92e --- /dev/null +++ b/queue-5.17/net-smc-fix-null-pointer-dereference-in-smc_pnet_fin.patch @@ -0,0 +1,41 @@ +From 207b53ea97363f031e442646ad43c065ff0a24a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 17:10:34 +0200 +Subject: net/smc: Fix NULL pointer dereference in smc_pnet_find_ib() + +From: Karsten Graul + +[ Upstream commit d22f4f977236f97e01255a80bca2ea93a8094fc8 ] + +dev_name() was called with dev.parent as argument but without to +NULL-check it before. +Solve this by checking the pointer before the call to dev_name(). + +Fixes: af5f60c7e3d5 ("net/smc: allow PCI IDs as ib device names in the pnet table") +Reported-by: syzbot+03e3e228510223dabd34@syzkaller.appspotmail.com +Signed-off-by: Karsten Graul +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_pnet.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c +index 29f0a559d884..4769f76505af 100644 +--- a/net/smc/smc_pnet.c ++++ b/net/smc/smc_pnet.c +@@ -311,8 +311,9 @@ static struct smc_ib_device *smc_pnet_find_ib(char *ib_name) + list_for_each_entry(ibdev, &smc_ib_devices.list, list) { + if (!strncmp(ibdev->ibdev->name, ib_name, + sizeof(ibdev->ibdev->name)) || +- !strncmp(dev_name(ibdev->ibdev->dev.parent), ib_name, +- IB_DEVICE_NAME_MAX - 1)) { ++ (ibdev->ibdev->dev.parent && ++ !strncmp(dev_name(ibdev->ibdev->dev.parent), ib_name, ++ IB_DEVICE_NAME_MAX - 1))) { + goto out; + } + } +-- +2.35.1 + diff --git a/queue-5.17/net-smc-use-memcpy-instead-of-snprintf-to-avoid-out-.patch b/queue-5.17/net-smc-use-memcpy-instead-of-snprintf-to-avoid-out-.patch new file mode 100644 index 00000000000..2dd0e80c182 --- /dev/null +++ b/queue-5.17/net-smc-use-memcpy-instead-of-snprintf-to-avoid-out-.patch @@ -0,0 +1,50 @@ +From 6aae28b071fbd698a5bf45928856871b076d619f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 17:10:33 +0200 +Subject: net/smc: use memcpy instead of snprintf to avoid out of bounds read + +From: Karsten Graul + +[ Upstream commit b1871fd48efc567650dbdc974e5a2342a03fe0d2 ] + +Using snprintf() to convert not null-terminated strings to null +terminated strings may cause out of bounds read in the source string. +Therefore use memcpy() and terminate the target string with a null +afterwards. + +Fixes: fa0866625543 ("net/smc: add support for user defined EIDs") +Fixes: 3c572145c24e ("net/smc: add generic netlink support for system EID") +Signed-off-by: Karsten Graul +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index ce27399b38b1..f9f3f59c79de 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -191,7 +191,8 @@ static int smc_nl_ueid_dumpinfo(struct sk_buff *skb, u32 portid, u32 seq, + flags, SMC_NETLINK_DUMP_UEID); + if (!hdr) + return -ENOMEM; +- snprintf(ueid_str, sizeof(ueid_str), "%s", ueid); ++ memcpy(ueid_str, ueid, SMC_MAX_EID_LEN); ++ ueid_str[SMC_MAX_EID_LEN] = 0; + if (nla_put_string(skb, SMC_NLA_EID_TABLE_ENTRY, ueid_str)) { + genlmsg_cancel(skb, hdr); + return -EMSGSIZE; +@@ -252,7 +253,8 @@ int smc_nl_dump_seid(struct sk_buff *skb, struct netlink_callback *cb) + goto end; + + smc_ism_get_system_eid(&seid); +- snprintf(seid_str, sizeof(seid_str), "%s", seid); ++ memcpy(seid_str, seid, SMC_MAX_EID_LEN); ++ seid_str[SMC_MAX_EID_LEN] = 0; + if (nla_put_string(skb, SMC_NLA_SEID_ENTRY, seid_str)) + goto err; + read_lock(&smc_clc_eid_table.lock); +-- +2.35.1 + diff --git a/queue-5.17/net-usb-aqc111-fix-out-of-bounds-accesses-in-rx-fixu.patch b/queue-5.17/net-usb-aqc111-fix-out-of-bounds-accesses-in-rx-fixu.patch new file mode 100644 index 00000000000..ea6805e1e78 --- /dev/null +++ b/queue-5.17/net-usb-aqc111-fix-out-of-bounds-accesses-in-rx-fixu.patch @@ -0,0 +1,56 @@ +From 48ef125665b02740552de0d2fce6a96ef3f8334e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 10:05:37 +0200 +Subject: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup + +From: Marcin Kozlowski + +[ Upstream commit afb8e246527536848b9b4025b40e613edf776a9d ] + +aqc111_rx_fixup() contains several out-of-bounds accesses that can be +triggered by a malicious (or defective) USB device, in particular: + + - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds, + causing OOB reads and (on big-endian systems) OOB endianness flips. + - A packet can overlap the metadata array, causing a later OOB + endianness flip to corrupt data used by a cloned SKB that has already + been handed off into the network stack. + - A packet SKB can be constructed whose tail is far beyond its end, + causing out-of-bounds heap data to be considered part of the SKB's + data. + +Found doing variant analysis. Tested it with another driver (ax88179_178a), since +I don't have a aqc111 device to test it, but the code looks very similar. + +Signed-off-by: Marcin Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index ea06d10e1c21..ca409d450a29 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -1102,10 +1102,15 @@ static int aqc111_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + if (start_of_descs != desc_offset) + goto err; + +- /* self check desc_offset from header*/ +- if (desc_offset >= skb_len) ++ /* self check desc_offset from header and make sure that the ++ * bounds of the metadata array are inside the SKB ++ */ ++ if (pkt_count * 2 + desc_offset >= skb_len) + goto err; + ++ /* Packets must not overlap the metadata array */ ++ skb_trim(skb, desc_offset); ++ + if (pkt_count == 0) + goto err; + +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nf_tables-nft_parse_register-can-return-a-.patch b/queue-5.17/netfilter-nf_tables-nft_parse_register-can-return-a-.patch new file mode 100644 index 00000000000..a3733fcd4a2 --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-nft_parse_register-can-return-a-.patch @@ -0,0 +1,37 @@ +From 96fa4a5df9f8d85172eb5d0d44a79d749d3fbfcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 10:14:59 +0200 +Subject: netfilter: nf_tables: nft_parse_register can return a negative value + +From: Antoine Tenart + +[ Upstream commit 6c6f9f31ecd47dce1d0dafca4bec8805f9bc97cd ] + +Since commit 6e1acfa387b9 ("netfilter: nf_tables: validate registers +coming from userspace.") nft_parse_register can return a negative value, +but the function prototype is still returning an unsigned int. + +Fixes: 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.") +Signed-off-by: Antoine Tenart +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1f5a0eece0d1..30d29d038d09 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9275,7 +9275,7 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) + } + EXPORT_SYMBOL_GPL(nft_parse_u32_check); + +-static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) ++static int nft_parse_register(const struct nlattr *attr, u32 *preg) + { + unsigned int reg; + +-- +2.35.1 + diff --git a/queue-5.17/netfilter-nft_socket-make-cgroup-match-work-in-input.patch b/queue-5.17/netfilter-nft_socket-make-cgroup-match-work-in-input.patch new file mode 100644 index 00000000000..8dc8b8da2d4 --- /dev/null +++ b/queue-5.17/netfilter-nft_socket-make-cgroup-match-work-in-input.patch @@ -0,0 +1,56 @@ +From efc8cba749f7267bcbed35e28304554a36bdd707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 13:20:19 +0200 +Subject: netfilter: nft_socket: make cgroup match work in input too + +From: Florian Westphal + +[ Upstream commit 05ae2fba821c4d122ab4ba3e52144e21586c4010 ] + +cgroupv2 helper function ignores the already-looked up sk +and uses skb->sk instead. + +Just pass sk from the calling function instead; this will +make cgroup matching work for udp and tcp in input even when +edemux did not set skb->sk already. + +Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2") +Signed-off-by: Florian Westphal +Tested-by: Topi Miettinen +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_socket.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c +index d601974c9d2e..b8f011145765 100644 +--- a/net/netfilter/nft_socket.c ++++ b/net/netfilter/nft_socket.c +@@ -36,12 +36,11 @@ static void nft_socket_wildcard(const struct nft_pktinfo *pkt, + + #ifdef CONFIG_SOCK_CGROUP_DATA + static noinline bool +-nft_sock_get_eval_cgroupv2(u32 *dest, const struct nft_pktinfo *pkt, u32 level) ++nft_sock_get_eval_cgroupv2(u32 *dest, struct sock *sk, const struct nft_pktinfo *pkt, u32 level) + { +- struct sock *sk = skb_to_full_sk(pkt->skb); + struct cgroup *cgrp; + +- if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk))) ++ if (!sk_fullsock(sk)) + return false; + + cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); +@@ -108,7 +107,7 @@ static void nft_socket_eval(const struct nft_expr *expr, + break; + #ifdef CONFIG_SOCK_CGROUP_DATA + case NFT_SOCKET_CGROUPV2: +- if (!nft_sock_get_eval_cgroupv2(dest, pkt, priv->level)) { ++ if (!nft_sock_get_eval_cgroupv2(dest, sk, pkt, priv->level)) { + regs->verdict.code = NFT_BREAK; + return; + } +-- +2.35.1 + diff --git a/queue-5.17/nfc-nci-add-flush_workqueue-to-prevent-uaf.patch b/queue-5.17/nfc-nci-add-flush_workqueue-to-prevent-uaf.patch new file mode 100644 index 00000000000..ffb40018c24 --- /dev/null +++ b/queue-5.17/nfc-nci-add-flush_workqueue-to-prevent-uaf.patch @@ -0,0 +1,128 @@ +From a54c36a42c12b9136c55cbd8d88482dfb3846d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 00:04:30 +0800 +Subject: nfc: nci: add flush_workqueue to prevent uaf + +From: Lin Ma + +[ Upstream commit ef27324e2cb7bb24542d6cb2571740eefe6b00dc ] + +Our detector found a concurrent use-after-free bug when detaching an +NCI device. The main reason for this bug is the unexpected scheduling +between the used delayed mechanism (timer and workqueue). + +The race can be demonstrated below: + +Thread-1 Thread-2 + | nci_dev_up() + | nci_open_device() + | __nci_request(nci_reset_req) + | nci_send_cmd + | queue_work(cmd_work) +nci_unregister_device() | + nci_close_device() | ... + del_timer_sync(cmd_timer)[1] | +... | Worker +nci_free_device() | nci_cmd_work() + kfree(ndev)[3] | mod_timer(cmd_timer)[2] + +In short, the cleanup routine thought that the cmd_timer has already +been detached by [1] but the mod_timer can re-attach the timer [2], even +it is already released [3], resulting in UAF. + +This UAF is easy to trigger, crash trace by POC is like below + +[ 66.703713] ================================================================== +[ 66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490 +[ 66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33 +[ 66.703974] +[ 66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5 +[ 66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work +[ 66.703974] Call Trace: +[ 66.703974] +[ 66.703974] dump_stack_lvl+0x57/0x7d +[ 66.703974] print_report.cold+0x5e/0x5db +[ 66.703974] ? enqueue_timer+0x448/0x490 +[ 66.703974] kasan_report+0xbe/0x1c0 +[ 66.703974] ? enqueue_timer+0x448/0x490 +[ 66.703974] enqueue_timer+0x448/0x490 +[ 66.703974] __mod_timer+0x5e6/0xb80 +[ 66.703974] ? mark_held_locks+0x9e/0xe0 +[ 66.703974] ? try_to_del_timer_sync+0xf0/0xf0 +[ 66.703974] ? lockdep_hardirqs_on_prepare+0x17b/0x410 +[ 66.703974] ? queue_work_on+0x61/0x80 +[ 66.703974] ? lockdep_hardirqs_on+0xbf/0x130 +[ 66.703974] process_one_work+0x8bb/0x1510 +[ 66.703974] ? lockdep_hardirqs_on_prepare+0x410/0x410 +[ 66.703974] ? pwq_dec_nr_in_flight+0x230/0x230 +[ 66.703974] ? rwlock_bug.part.0+0x90/0x90 +[ 66.703974] ? _raw_spin_lock_irq+0x41/0x50 +[ 66.703974] worker_thread+0x575/0x1190 +[ 66.703974] ? process_one_work+0x1510/0x1510 +[ 66.703974] kthread+0x2a0/0x340 +[ 66.703974] ? kthread_complete_and_exit+0x20/0x20 +[ 66.703974] ret_from_fork+0x22/0x30 +[ 66.703974] +[ 66.703974] +[ 66.703974] Allocated by task 267: +[ 66.703974] kasan_save_stack+0x1e/0x40 +[ 66.703974] __kasan_kmalloc+0x81/0xa0 +[ 66.703974] nci_allocate_device+0xd3/0x390 +[ 66.703974] nfcmrvl_nci_register_dev+0x183/0x2c0 +[ 66.703974] nfcmrvl_nci_uart_open+0xf2/0x1dd +[ 66.703974] nci_uart_tty_ioctl+0x2c3/0x4a0 +[ 66.703974] tty_ioctl+0x764/0x1310 +[ 66.703974] __x64_sys_ioctl+0x122/0x190 +[ 66.703974] do_syscall_64+0x3b/0x90 +[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 66.703974] +[ 66.703974] Freed by task 406: +[ 66.703974] kasan_save_stack+0x1e/0x40 +[ 66.703974] kasan_set_track+0x21/0x30 +[ 66.703974] kasan_set_free_info+0x20/0x30 +[ 66.703974] __kasan_slab_free+0x108/0x170 +[ 66.703974] kfree+0xb0/0x330 +[ 66.703974] nfcmrvl_nci_unregister_dev+0x90/0xd0 +[ 66.703974] nci_uart_tty_close+0xdf/0x180 +[ 66.703974] tty_ldisc_kill+0x73/0x110 +[ 66.703974] tty_ldisc_hangup+0x281/0x5b0 +[ 66.703974] __tty_hangup.part.0+0x431/0x890 +[ 66.703974] tty_release+0x3a8/0xc80 +[ 66.703974] __fput+0x1f0/0x8c0 +[ 66.703974] task_work_run+0xc9/0x170 +[ 66.703974] exit_to_user_mode_prepare+0x194/0x1a0 +[ 66.703974] syscall_exit_to_user_mode+0x19/0x50 +[ 66.703974] do_syscall_64+0x48/0x90 +[ 66.703974] entry_SYSCALL_64_after_hwframe+0x44/0xae + +To fix the UAF, this patch adds flush_workqueue() to ensure the +nci_cmd_work is finished before the following del_timer_sync. +This combination will promise the timer is actually detached. + +Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") +Signed-off-by: Lin Ma +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/nci/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c +index d2537383a3e8..6a193cce2a75 100644 +--- a/net/nfc/nci/core.c ++++ b/net/nfc/nci/core.c +@@ -560,6 +560,10 @@ static int nci_close_device(struct nci_dev *ndev) + mutex_lock(&ndev->req_lock); + + if (!test_and_clear_bit(NCI_UP, &ndev->flags)) { ++ /* Need to flush the cmd wq in case ++ * there is a queued/running cmd_work ++ */ ++ flush_workqueue(ndev->cmd_wq); + del_timer_sync(&ndev->cmd_timer); + del_timer_sync(&ndev->data_timer); + mutex_unlock(&ndev->req_lock); +-- +2.35.1 + diff --git a/queue-5.17/nfsd-fix-a-write-performance-regression.patch b/queue-5.17/nfsd-fix-a-write-performance-regression.patch new file mode 100644 index 00000000000..36cf3c0649e --- /dev/null +++ b/queue-5.17/nfsd-fix-a-write-performance-regression.patch @@ -0,0 +1,86 @@ +From 8e75ece84844b5994d79e1abfa71f97dfe213174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 09:54:01 -0400 +Subject: nfsd: Fix a write performance regression + +From: Trond Myklebust + +[ Upstream commit 6b8a94332ee4f7d9a8ae0cbac7609f79c212f06c ] + +The call to filemap_flush() in nfsd_file_put() is there to ensure that +we clear out any writes belonging to a NFSv3 client relatively quickly +and avoid situations where the file can't be evicted by the garbage +collector. It also ensures that we detect write errors quickly. + +The problem is this causes a regression in performance for some +workloads. + +So try to improve matters by deferring writeback until we're ready to +close the file, and need to detect errors so that we can force the +client to resend. + +Tested-by: Jan Kara +Fixes: b6669305d35a ("nfsd: Reduce the number of calls to nfsd_file_gc()") +Signed-off-by: Trond Myklebust +Link: https://lore.kernel.org/all/20220330103457.r4xrhy2d6nhtouzk@quack3.lan +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/filecache.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c +index cc2831cec669..496f7b3f7523 100644 +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -235,6 +235,13 @@ nfsd_file_check_write_error(struct nfsd_file *nf) + return filemap_check_wb_err(file->f_mapping, READ_ONCE(file->f_wb_err)); + } + ++static void ++nfsd_file_flush(struct nfsd_file *nf) ++{ ++ if (nf->nf_file && vfs_fsync(nf->nf_file, 1) != 0) ++ nfsd_reset_write_verifier(net_generic(nf->nf_net, nfsd_net_id)); ++} ++ + static void + nfsd_file_do_unhash(struct nfsd_file *nf) + { +@@ -302,11 +309,14 @@ nfsd_file_put(struct nfsd_file *nf) + return; + } + +- filemap_flush(nf->nf_file->f_mapping); + is_hashed = test_bit(NFSD_FILE_HASHED, &nf->nf_flags) != 0; +- nfsd_file_put_noref(nf); +- if (is_hashed) ++ if (!is_hashed) { ++ nfsd_file_flush(nf); ++ nfsd_file_put_noref(nf); ++ } else { ++ nfsd_file_put_noref(nf); + nfsd_file_schedule_laundrette(); ++ } + if (atomic_long_read(&nfsd_filecache_count) >= NFSD_FILE_LRU_LIMIT) + nfsd_file_gc(); + } +@@ -327,6 +337,7 @@ nfsd_file_dispose_list(struct list_head *dispose) + while(!list_empty(dispose)) { + nf = list_first_entry(dispose, struct nfsd_file, nf_lru); + list_del(&nf->nf_lru); ++ nfsd_file_flush(nf); + nfsd_file_put_noref(nf); + } + } +@@ -340,6 +351,7 @@ nfsd_file_dispose_list_sync(struct list_head *dispose) + while(!list_empty(dispose)) { + nf = list_first_entry(dispose, struct nfsd_file, nf_lru); + list_del(&nf->nf_lru); ++ nfsd_file_flush(nf); + if (!refcount_dec_and_test(&nf->nf_ref)) + continue; + if (nfsd_file_free(nf)) +-- +2.35.1 + diff --git a/queue-5.17/pci-hv-propagate-coherence-from-vmbus-device-to-pci-.patch b/queue-5.17/pci-hv-propagate-coherence-from-vmbus-device-to-pci-.patch new file mode 100644 index 00000000000..4e47cdb7c73 --- /dev/null +++ b/queue-5.17/pci-hv-propagate-coherence-from-vmbus-device-to-pci-.patch @@ -0,0 +1,54 @@ +From cac87d8f019848cc8af0283c18f782b73ed19af2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 09:14:52 -0700 +Subject: PCI: hv: Propagate coherence from VMbus device to PCI device + +From: Michael Kelley + +[ Upstream commit 8d21732475c637c7efcdb91dc927a4c594e97898 ] + +PCI pass-thru devices in a Hyper-V VM are represented as a VMBus +device and as a PCI device. The coherence of the VMbus device is +set based on the VMbus node in ACPI, but the PCI device has no +ACPI node and defaults to not hardware coherent. This results +in extra software coherence management overhead on ARM64 when +devices are hardware coherent. + +Fix this by setting up the PCI host bus so that normal +PCI mechanisms will propagate the coherence of the VMbus +device to the PCI device. There's no effect on x86/x64 where +devices are always hardware coherent. + +Signed-off-by: Michael Kelley +Acked-by: Boqun Feng +Acked-by: Robin Murphy +Link: https://lore.kernel.org/r/1648138492-2191-3-git-send-email-mikelley@microsoft.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-hyperv.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c +index ae0bc2fee4ca..88b3b56d0522 100644 +--- a/drivers/pci/controller/pci-hyperv.c ++++ b/drivers/pci/controller/pci-hyperv.c +@@ -3404,6 +3404,15 @@ static int hv_pci_probe(struct hv_device *hdev, + hbus->bridge->domain_nr = dom; + #ifdef CONFIG_X86 + hbus->sysdata.domain = dom; ++#elif defined(CONFIG_ARM64) ++ /* ++ * Set the PCI bus parent to be the corresponding VMbus ++ * device. Then the VMbus device will be assigned as the ++ * ACPI companion in pcibios_root_bridge_prepare() and ++ * pci_dma_configure() will propagate device coherence ++ * information to devices created on the bus. ++ */ ++ hbus->sysdata.parent = hdev->device.parent; + #endif + + hbus->hdev = hdev; +-- +2.35.1 + diff --git a/queue-5.17/perf-imx_ddr-fix-undefined-behavior-due-to-shift-ove.patch b/queue-5.17/perf-imx_ddr-fix-undefined-behavior-due-to-shift-ove.patch new file mode 100644 index 00000000000..8560d4ac2e4 --- /dev/null +++ b/queue-5.17/perf-imx_ddr-fix-undefined-behavior-due-to-shift-ove.patch @@ -0,0 +1,60 @@ +From ef83a19546a2af62f198cb8aa48fca8df0fed9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 17:15:15 +0200 +Subject: perf/imx_ddr: Fix undefined behavior due to shift overflowing the + constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +[ Upstream commit d02b4dd84e1a90f7f1444d027c0289bf355b0d5a ] + +Fix: + + In file included from :0:0: + In function ‘ddr_perf_counter_enable’, + inlined from ‘ddr_perf_irq_handler’ at drivers/perf/fsl_imx8_ddr_perf.c:651:2: + ././include/linux/compiler_types.h:352:38: error: call to ‘__compiletime_assert_729’ \ + declared with attribute error: FIELD_PREP: mask is not constant + _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) +... + +See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory +details as to why it triggers with older gccs only. + +Signed-off-by: Borislav Petkov +Cc: Frank Li +Cc: Will Deacon +Cc: Mark Rutland +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: Fabio Estevam +Cc: NXP Linux Team +Cc: linux-arm-kernel@lists.infradead.org +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20220405151517.29753-10-bp@alien8.de +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/fsl_imx8_ddr_perf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/perf/fsl_imx8_ddr_perf.c b/drivers/perf/fsl_imx8_ddr_perf.c +index 94ebc1ecace7..b1b2a55de77f 100644 +--- a/drivers/perf/fsl_imx8_ddr_perf.c ++++ b/drivers/perf/fsl_imx8_ddr_perf.c +@@ -29,7 +29,7 @@ + #define CNTL_OVER_MASK 0xFFFFFFFE + + #define CNTL_CSV_SHIFT 24 +-#define CNTL_CSV_MASK (0xFF << CNTL_CSV_SHIFT) ++#define CNTL_CSV_MASK (0xFFU << CNTL_CSV_SHIFT) + + #define EVENT_CYCLES_ID 0 + #define EVENT_CYCLES_COUNTER 0 +-- +2.35.1 + diff --git a/queue-5.17/perf-tools-fix-misleading-add-event-pmu-debug-messag.patch b/queue-5.17/perf-tools-fix-misleading-add-event-pmu-debug-messag.patch new file mode 100644 index 00000000000..c56831080c7 --- /dev/null +++ b/queue-5.17/perf-tools-fix-misleading-add-event-pmu-debug-messag.patch @@ -0,0 +1,60 @@ +From 054690ef5608098db014d3455564f06eb98b9930 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 09:17:58 +0300 +Subject: perf tools: Fix misleading add event PMU debug message + +From: Adrian Hunter + +[ Upstream commit f034fc50d3c7d9385c20d505ab4cf56b8fd18ac7 ] + +Fix incorrect debug message: + + Attempting to add event pmu 'intel_pt' with '' that may result in + non-fatal errors + +which always appears with perf record -vv and intel_pt e.g. + + perf record -vv -e intel_pt//u uname + +The message is incorrect because there will never be non-fatal errors. + +Suppress the message if the PMU is 'selectable' i.e. meant to be +selected directly as an event. + +Fixes: 4ac22b484d4c79e8 ("perf parse-events: Make add PMU verbose output clearer") +Signed-off-by: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Link: http://lore.kernel.org/lkml/20220411061758.2458417-1-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/parse-events.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 24997925ae00..dd84fed698a3 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -1523,7 +1523,9 @@ int parse_events_add_pmu(struct parse_events_state *parse_state, + bool use_uncore_alias; + LIST_HEAD(config_terms); + +- if (verbose > 1) { ++ pmu = parse_state->fake_pmu ?: perf_pmu__find(name); ++ ++ if (verbose > 1 && !(pmu && pmu->selectable)) { + fprintf(stderr, "Attempting to add event pmu '%s' with '", + name); + if (head_config) { +@@ -1536,7 +1538,6 @@ int parse_events_add_pmu(struct parse_events_state *parse_state, + fprintf(stderr, "' that may result in non-fatal errors\n"); + } + +- pmu = parse_state->fake_pmu ?: perf_pmu__find(name); + if (!pmu) { + char *err_str; + +-- +2.35.1 + diff --git a/queue-5.17/regulator-wm8994-add-an-off-on-delay-for-wm8994-vari.patch b/queue-5.17/regulator-wm8994-add-an-off-on-delay-for-wm8994-vari.patch new file mode 100644 index 00000000000..afb09fdcf5f --- /dev/null +++ b/queue-5.17/regulator-wm8994-add-an-off-on-delay-for-wm8994-vari.patch @@ -0,0 +1,94 @@ +From 2d8822e52efeb4c58b4e91762d6de9fb43aff4a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Mar 2022 18:01:54 -0700 +Subject: regulator: wm8994: Add an off-on delay for WM8994 variant + +From: Jonathan Bakker + +[ Upstream commit 92d96b603738ec4f35cde7198c303ae264dd47cb ] + +As per Table 130 of the wm8994 datasheet at [1], there is an off-on +delay for LDO1 and LDO2. In the wm8958 datasheet [2], I could not +find any reference to it. I could not find a wm1811 datasheet to +double-check there, but as no one has complained presumably it works +without it. + +This solves the issue on Samsung Aries boards with a wm8994 where +register writes fail when the device is powered off and back-on +quickly. + +[1] https://statics.cirrus.com/pubs/proDatasheet/WM8994_Rev4.6.pdf +[2] https://statics.cirrus.com/pubs/proDatasheet/WM8958_v3.5.pdf + +Signed-off-by: Jonathan Bakker +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/CY4PR04MB056771CFB80DC447C30D5A31CB1D9@CY4PR04MB0567.namprd04.prod.outlook.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/wm8994-regulator.c | 42 ++++++++++++++++++++++++++-- + 1 file changed, 39 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/wm8994-regulator.c b/drivers/regulator/wm8994-regulator.c +index cadea0344486..40befdd9dfa9 100644 +--- a/drivers/regulator/wm8994-regulator.c ++++ b/drivers/regulator/wm8994-regulator.c +@@ -71,6 +71,35 @@ static const struct regulator_ops wm8994_ldo2_ops = { + }; + + static const struct regulator_desc wm8994_ldo_desc[] = { ++ { ++ .name = "LDO1", ++ .id = 1, ++ .type = REGULATOR_VOLTAGE, ++ .n_voltages = WM8994_LDO1_MAX_SELECTOR + 1, ++ .vsel_reg = WM8994_LDO_1, ++ .vsel_mask = WM8994_LDO1_VSEL_MASK, ++ .ops = &wm8994_ldo1_ops, ++ .min_uV = 2400000, ++ .uV_step = 100000, ++ .enable_time = 3000, ++ .off_on_delay = 36000, ++ .owner = THIS_MODULE, ++ }, ++ { ++ .name = "LDO2", ++ .id = 2, ++ .type = REGULATOR_VOLTAGE, ++ .n_voltages = WM8994_LDO2_MAX_SELECTOR + 1, ++ .vsel_reg = WM8994_LDO_2, ++ .vsel_mask = WM8994_LDO2_VSEL_MASK, ++ .ops = &wm8994_ldo2_ops, ++ .enable_time = 3000, ++ .off_on_delay = 36000, ++ .owner = THIS_MODULE, ++ }, ++}; ++ ++static const struct regulator_desc wm8958_ldo_desc[] = { + { + .name = "LDO1", + .id = 1, +@@ -172,9 +201,16 @@ static int wm8994_ldo_probe(struct platform_device *pdev) + * regulator core and we need not worry about it on the + * error path. + */ +- ldo->regulator = devm_regulator_register(&pdev->dev, +- &wm8994_ldo_desc[id], +- &config); ++ if (ldo->wm8994->type == WM8994) { ++ ldo->regulator = devm_regulator_register(&pdev->dev, ++ &wm8994_ldo_desc[id], ++ &config); ++ } else { ++ ldo->regulator = devm_regulator_register(&pdev->dev, ++ &wm8958_ldo_desc[id], ++ &config); ++ } ++ + if (IS_ERR(ldo->regulator)) { + ret = PTR_ERR(ldo->regulator); + dev_err(wm8994->dev, "Failed to register LDO%d: %d\n", +-- +2.35.1 + diff --git a/queue-5.17/revert-ath11k-mesh-add-support-for-256-bitmap-in-blo.patch b/queue-5.17/revert-ath11k-mesh-add-support-for-256-bitmap-in-blo.patch new file mode 100644 index 00000000000..da925fb2ec2 --- /dev/null +++ b/queue-5.17/revert-ath11k-mesh-add-support-for-256-bitmap-in-blo.patch @@ -0,0 +1,70 @@ +From 291a12638509cc5b38b4b1f0230176bac52a491d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 10:07:57 +0530 +Subject: Revert "ath11k: mesh: add support for 256 bitmap in blockack frames + in 11ax" + +From: Anilkumar Kolli + +[ Upstream commit 10cb21f4ff3f9cb36d1e1c39bf80426f02f4986a ] + +This reverts commit 743b9065fe6348a5f8f5ce04869ce2d701e5e1bc. + +The original commit breaks the 256 bitmap in blockack frames in AP +mode. After reverting the commit the feature works again in both AP and +mesh modes + +Tested-on: IPQ8074 hw2.0 PCI WLAN.HK.2.6.0.1-00786-QCAHKSWPL_SILICONZ-1 + +Fixes: 743b9065fe63 ("ath11k: mesh: add support for 256 bitmap in blockack frames in 11ax") +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1648701477-16367-1-git-send-email-quic_akolli@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 28de877ad6c4..f54d5819477a 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -3131,6 +3131,20 @@ static void ath11k_mac_op_bss_info_changed(struct ieee80211_hw *hw, + arvif->do_not_send_tmpl = true; + else + arvif->do_not_send_tmpl = false; ++ ++ if (vif->bss_conf.he_support) { ++ ret = ath11k_wmi_vdev_set_param_cmd(ar, arvif->vdev_id, ++ WMI_VDEV_PARAM_BA_MODE, ++ WMI_BA_MODE_BUFFER_SIZE_256); ++ if (ret) ++ ath11k_warn(ar->ab, ++ "failed to set BA BUFFER SIZE 256 for vdev: %d\n", ++ arvif->vdev_id); ++ else ++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, ++ "Set BA BUFFER SIZE 256 for VDEV: %d\n", ++ arvif->vdev_id); ++ } + } + + if (changed & (BSS_CHANGED_BEACON_INFO | BSS_CHANGED_BEACON)) { +@@ -3166,14 +3180,6 @@ static void ath11k_mac_op_bss_info_changed(struct ieee80211_hw *hw, + + if (arvif->is_up && vif->bss_conf.he_support && + vif->bss_conf.he_oper.params) { +- ret = ath11k_wmi_vdev_set_param_cmd(ar, arvif->vdev_id, +- WMI_VDEV_PARAM_BA_MODE, +- WMI_BA_MODE_BUFFER_SIZE_256); +- if (ret) +- ath11k_warn(ar->ab, +- "failed to set BA BUFFER SIZE 256 for vdev: %d\n", +- arvif->vdev_id); +- + param_id = WMI_VDEV_PARAM_HEOPS_0_31; + param_value = vif->bss_conf.he_oper.params; + ret = ath11k_wmi_vdev_set_param_cmd(ar, arvif->vdev_id, +-- +2.35.1 + diff --git a/queue-5.17/revert-iavf-fix-deadlock-occurrence-during-resetting.patch b/queue-5.17/revert-iavf-fix-deadlock-occurrence-during-resetting.patch new file mode 100644 index 00000000000..8a418a61161 --- /dev/null +++ b/queue-5.17/revert-iavf-fix-deadlock-occurrence-during-resetting.patch @@ -0,0 +1,60 @@ +From 0533036ecba303d1601ecbfecc872c1c37729ffc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 14:19:15 +0100 +Subject: Revert "iavf: Fix deadlock occurrence during resetting VF interface" + +From: Mateusz Palczewski + +[ Upstream commit 7d59706dbef8de83b3662026766507bc494223d7 ] + +This change caused a regression with resetting while changing network +namespaces. By clearing the IFF_UP flag, the kernel now thinks it has +fully closed the device. + +This reverts commit 0cc318d2e8408bc0ffb4662a0c3e5e57005ac6ff. + +Fixes: 0cc318d2e840 ("iavf: Fix deadlock occurrence during resetting VF interface") +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index d10e9a8e8011..f55ecb672768 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -2817,7 +2817,6 @@ static void iavf_reset_task(struct work_struct *work) + running = adapter->state == __IAVF_RUNNING; + + if (running) { +- netdev->flags &= ~IFF_UP; + netif_carrier_off(netdev); + netif_tx_stop_all_queues(netdev); + adapter->link_up = false; +@@ -2934,7 +2933,7 @@ static void iavf_reset_task(struct work_struct *work) + * to __IAVF_RUNNING + */ + iavf_up_complete(adapter); +- netdev->flags |= IFF_UP; ++ + iavf_irq_enable(adapter, true); + } else { + iavf_change_state(adapter, __IAVF_DOWN); +@@ -2950,10 +2949,8 @@ static void iavf_reset_task(struct work_struct *work) + reset_err: + mutex_unlock(&adapter->client_lock); + mutex_unlock(&adapter->crit_lock); +- if (running) { ++ if (running) + iavf_change_state(adapter, __IAVF_RUNNING); +- netdev->flags |= IFF_UP; +- } + dev_err(&adapter->pdev->dev, "failed to allocate resources during reinit\n"); + iavf_close(netdev); + } +-- +2.35.1 + diff --git a/queue-5.17/risc-v-kvm-include-missing-hwcap.h-into-vcpu_fp.patch b/queue-5.17/risc-v-kvm-include-missing-hwcap.h-into-vcpu_fp.patch new file mode 100644 index 00000000000..86d2dee92da --- /dev/null +++ b/queue-5.17/risc-v-kvm-include-missing-hwcap.h-into-vcpu_fp.patch @@ -0,0 +1,51 @@ +From 29b09c5bcc34e1b135576bc5b700125c8f1955a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 09:16:00 +0530 +Subject: RISC-V: KVM: include missing hwcap.h into vcpu_fp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Heiko Stuebner + +[ Upstream commit 4054eee9290248bf66c5eacb58879c9aaad37f71 ] + +vcpu_fp uses the riscv_isa_extension mechanism which gets +defined in hwcap.h but doesn't include that head file. + +While it seems to work in most cases, in certain conditions +this can lead to build failures like + +../arch/riscv/kvm/vcpu_fp.c: In function ‘kvm_riscv_vcpu_fp_reset’: +../arch/riscv/kvm/vcpu_fp.c:22:13: error: implicit declaration of function ‘riscv_isa_extension_available’ [-Werror=implicit-function-declaration] + 22 | if (riscv_isa_extension_available(&isa, f) || + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../arch/riscv/kvm/vcpu_fp.c:22:49: error: ‘f’ undeclared (first use in this function) + 22 | if (riscv_isa_extension_available(&isa, f) || + +Fix this by simply including the necessary header. + +Fixes: 0a86512dc113 ("RISC-V: KVM: Factor-out FP virtualization into separate +sources") +Signed-off-by: Heiko Stuebner +Signed-off-by: Anup Patel +Signed-off-by: Sasha Levin +--- + arch/riscv/kvm/vcpu_fp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/riscv/kvm/vcpu_fp.c b/arch/riscv/kvm/vcpu_fp.c +index 4449a976e5a6..d4308c512007 100644 +--- a/arch/riscv/kvm/vcpu_fp.c ++++ b/arch/riscv/kvm/vcpu_fp.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_FPU + void kvm_riscv_vcpu_fp_reset(struct kvm_vcpu *vcpu) +-- +2.35.1 + diff --git a/queue-5.17/scsi-ibmvscsis-increase-initial_srp_limit-to-1024.patch b/queue-5.17/scsi-ibmvscsis-increase-initial_srp_limit-to-1024.patch new file mode 100644 index 00000000000..94f391e3bc6 --- /dev/null +++ b/queue-5.17/scsi-ibmvscsis-increase-initial_srp_limit-to-1024.patch @@ -0,0 +1,44 @@ +From e4573ae4d1978365c366ea4993350c2c6362d743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 12:44:43 -0700 +Subject: scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024 + +From: Tyrel Datwyler + +[ Upstream commit 0bade8e53279157c7cc9dd95d573b7e82223d78a ] + +The adapter request_limit is hardcoded to be INITIAL_SRP_LIMIT which is +currently an arbitrary value of 800. Increase this value to 1024 which +better matches the characteristics of the typical IBMi Initiator that +supports 32 LUNs and a queue depth of 32. + +This change also has the secondary benefit of being a power of two as +required by the kfifo API. Since, Commit ab9bb6318b09 ("Partially revert +"kfifo: fix kfifo_alloc() and kfifo_init()"") the size of IU pool for each +target has been rounded down to 512 when attempting to kfifo_init() those +pools with the current request_limit size of 800. + +Link: https://lore.kernel.org/r/20220322194443.678433-1-tyreld@linux.ibm.com +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c +index 61f06f6885a5..89b9fbce7488 100644 +--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c ++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c +@@ -36,7 +36,7 @@ + + #define IBMVSCSIS_VERSION "v0.2" + +-#define INITIAL_SRP_LIMIT 800 ++#define INITIAL_SRP_LIMIT 1024 + #define DEFAULT_MAX_SECTORS 256 + #define MAX_TXU 1024 * 1024 + +-- +2.35.1 + diff --git a/queue-5.17/scsi-iscsi-fix-conn-cleanup-and-stop-race-during-isc.patch b/queue-5.17/scsi-iscsi-fix-conn-cleanup-and-stop-race-during-isc.patch new file mode 100644 index 00000000000..f08e149a2c6 --- /dev/null +++ b/queue-5.17/scsi-iscsi-fix-conn-cleanup-and-stop-race-during-isc.patch @@ -0,0 +1,152 @@ +From d1a94c6e72daae571981b2e9a49be7bfcb2db50a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:09 -0500 +Subject: scsi: iscsi: Fix conn cleanup and stop race during iscsid restart + +From: Mike Christie + +[ Upstream commit 7c6e99c18167ed89729bf167ccb4a7e3ab3115ba ] + +If iscsid is doing a stop_conn at the same time the kernel is starting +error recovery we can hit a race that allows the cleanup work to run on a +valid connection. In the race, iscsi_if_stop_conn sees the cleanup bit set, +but it calls flush_work on the clean_work before iscsi_conn_error_event has +queued it. The flush then returns before the queueing and so the +cleanup_work can run later and disconnect/stop a conn while it's in a +connected state. + +The patch: + +Commit 0ab710458da1 ("scsi: iscsi: Perform connection failure entirely in +kernel space") + +added the late stop_conn call bug originally, and the patch: + +Commit 23d6fefbb3f6 ("scsi: iscsi: Fix in-kernel conn failure handling") + +attempted to fix it but only fixed the normal EH case and left the above +race for the iscsid restart case. For the normal EH case we don't hit the +race because we only signal userspace to start recovery after we have done +the queueing, so the flush will always catch the queued work or see it +completed. + +For iscsid restart cases like boot, we can hit the race because iscsid will +call down to the kernel before the kernel has signaled any error, so both +code paths can be running at the same time. This adds a lock around the +setting of the cleanup bit and queueing so they happen together. + +Link: https://lore.kernel.org/r/20220408001314.5014-6-michael.christie@oracle.com +Fixes: 0ab710458da1 ("scsi: iscsi: Perform connection failure entirely in kernel space") +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 17 +++++++++++++++++ + include/scsi/scsi_transport_iscsi.h | 2 ++ + 2 files changed, 19 insertions(+) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 4fa2fd7f4c72..ed289e1242c9 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2260,9 +2260,12 @@ static void iscsi_if_disconnect_bound_ep(struct iscsi_cls_conn *conn, + bool is_active) + { + /* Check if this was a conn error and the kernel took ownership */ ++ spin_lock_irq(&conn->lock); + if (!test_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) { ++ spin_unlock_irq(&conn->lock); + iscsi_ep_disconnect(conn, is_active); + } else { ++ spin_unlock_irq(&conn->lock); + ISCSI_DBG_TRANS_CONN(conn, "flush kernel conn cleanup.\n"); + mutex_unlock(&conn->ep_mutex); + +@@ -2309,9 +2312,12 @@ static int iscsi_if_stop_conn(struct iscsi_transport *transport, + /* + * Figure out if it was the kernel or userspace initiating this. + */ ++ spin_lock_irq(&conn->lock); + if (!test_and_set_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) { ++ spin_unlock_irq(&conn->lock); + iscsi_stop_conn(conn, flag); + } else { ++ spin_unlock_irq(&conn->lock); + ISCSI_DBG_TRANS_CONN(conn, + "flush kernel conn cleanup.\n"); + flush_work(&conn->cleanup_work); +@@ -2320,7 +2326,9 @@ static int iscsi_if_stop_conn(struct iscsi_transport *transport, + * Only clear for recovery to avoid extra cleanup runs during + * termination. + */ ++ spin_lock_irq(&conn->lock); + clear_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags); ++ spin_unlock_irq(&conn->lock); + } + ISCSI_DBG_TRANS_CONN(conn, "iscsi if conn stop done.\n"); + return 0; +@@ -2341,7 +2349,9 @@ static void iscsi_cleanup_conn_work_fn(struct work_struct *work) + */ + if (conn->state != ISCSI_CONN_BOUND && conn->state != ISCSI_CONN_UP) { + ISCSI_DBG_TRANS_CONN(conn, "Got error while conn is already failed. Ignoring.\n"); ++ spin_lock_irq(&conn->lock); + clear_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags); ++ spin_unlock_irq(&conn->lock); + mutex_unlock(&conn->ep_mutex); + return; + } +@@ -2407,6 +2417,7 @@ iscsi_create_conn(struct iscsi_cls_session *session, int dd_size, uint32_t cid) + conn->dd_data = &conn[1]; + + mutex_init(&conn->ep_mutex); ++ spin_lock_init(&conn->lock); + INIT_LIST_HEAD(&conn->conn_list); + INIT_WORK(&conn->cleanup_work, iscsi_cleanup_conn_work_fn); + conn->transport = transport; +@@ -2598,9 +2609,12 @@ void iscsi_conn_error_event(struct iscsi_cls_conn *conn, enum iscsi_err error) + struct iscsi_uevent *ev; + struct iscsi_internal *priv; + int len = nlmsg_total_size(sizeof(*ev)); ++ unsigned long flags; + ++ spin_lock_irqsave(&conn->lock, flags); + if (!test_and_set_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) + queue_work(iscsi_conn_cleanup_workq, &conn->cleanup_work); ++ spin_unlock_irqrestore(&conn->lock, flags); + + priv = iscsi_if_transport_lookup(conn->transport); + if (!priv) +@@ -3743,11 +3757,14 @@ static int iscsi_if_transport_conn(struct iscsi_transport *transport, + return -EINVAL; + + mutex_lock(&conn->ep_mutex); ++ spin_lock_irq(&conn->lock); + if (test_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) { ++ spin_unlock_irq(&conn->lock); + mutex_unlock(&conn->ep_mutex); + ev->r.retcode = -ENOTCONN; + return 0; + } ++ spin_unlock_irq(&conn->lock); + + switch (nlh->nlmsg_type) { + case ISCSI_UEVENT_BIND_CONN: +diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h +index c5d7810fd792..037c77fb5dc5 100644 +--- a/include/scsi/scsi_transport_iscsi.h ++++ b/include/scsi/scsi_transport_iscsi.h +@@ -211,6 +211,8 @@ struct iscsi_cls_conn { + struct mutex ep_mutex; + struct iscsi_endpoint *ep; + ++ /* Used when accessing flags and queueing work. */ ++ spinlock_t lock; + unsigned long flags; + struct work_struct cleanup_work; + +-- +2.35.1 + diff --git a/queue-5.17/scsi-iscsi-fix-endpoint-reuse-regression.patch b/queue-5.17/scsi-iscsi-fix-endpoint-reuse-regression.patch new file mode 100644 index 00000000000..e23b263bf6b --- /dev/null +++ b/queue-5.17/scsi-iscsi-fix-endpoint-reuse-regression.patch @@ -0,0 +1,80 @@ +From f6a4c172d3e004a8e6dbceb93b9fd70a4933611a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:08 -0500 +Subject: scsi: iscsi: Fix endpoint reuse regression + +From: Mike Christie + +[ Upstream commit 0aadafb5c34403a7cced1a8d61877048dc059f70 ] + +This patch fixes a bug where when using iSCSI offload we can free an +endpoint while userspace still thinks it's active. That then causes the +endpoint ID to be reused for a new connection's endpoint while userspace +still thinks the ID is for the original connection. Userspace will then end +up disconnecting a running connection's endpoint or trying to bind to +another connection's endpoint. + +This bug is a regression added in: + +Commit 23d6fefbb3f6 ("scsi: iscsi: Fix in-kernel conn failure handling") + +where we added a in kernel ep_disconnect call to fix a bug in: + +Commit 0ab710458da1 ("scsi: iscsi: Perform connection failure entirely in +kernel space") + +where we would call stop_conn without having done ep_disconnect. This early +ep_disconnect call will then free the endpoint and it's ID while userspace +still thinks the ID is valid. + +Fix the early release of the ID by having the in kernel recovery code keep +a reference to the endpoint until userspace has called into the kernel to +finish cleaning up the endpoint/connection. It requires the previous commit +"scsi: iscsi: Release endpoint ID when its freed" which moved the freeing +of the ID until when the endpoint is released. + +Link: https://lore.kernel.org/r/20220408001314.5014-5-michael.christie@oracle.com +Fixes: 23d6fefbb3f6 ("scsi: iscsi: Fix in-kernel conn failure handling") +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 03cda2da80ef..4fa2fd7f4c72 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2267,7 +2267,11 @@ static void iscsi_if_disconnect_bound_ep(struct iscsi_cls_conn *conn, + mutex_unlock(&conn->ep_mutex); + + flush_work(&conn->cleanup_work); +- ++ /* ++ * Userspace is now done with the EP so we can release the ref ++ * iscsi_cleanup_conn_work_fn took. ++ */ ++ iscsi_put_endpoint(ep); + mutex_lock(&conn->ep_mutex); + } + } +@@ -2342,6 +2346,12 @@ static void iscsi_cleanup_conn_work_fn(struct work_struct *work) + return; + } + ++ /* ++ * Get a ref to the ep, so we don't release its ID until after ++ * userspace is done referencing it in iscsi_if_disconnect_bound_ep. ++ */ ++ if (conn->ep) ++ get_device(&conn->ep->dev); + iscsi_ep_disconnect(conn, false); + + if (system_state != SYSTEM_RUNNING) { +-- +2.35.1 + diff --git a/queue-5.17/scsi-iscsi-fix-offload-conn-cleanup-when-iscsid-rest.patch b/queue-5.17/scsi-iscsi-fix-offload-conn-cleanup-when-iscsid-rest.patch new file mode 100644 index 00000000000..1a3892bc5af --- /dev/null +++ b/queue-5.17/scsi-iscsi-fix-offload-conn-cleanup-when-iscsid-rest.patch @@ -0,0 +1,115 @@ +From b14a5c1b5d8445cbe5d739bf4ead6338866a0b15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:06 -0500 +Subject: scsi: iscsi: Fix offload conn cleanup when iscsid restarts + +From: Mike Christie + +[ Upstream commit cbd2283aaf47fef4ded4b29124b1ef3beb515f3a ] + +When userspace restarts during boot or upgrades it won't know about the +offload driver's endpoint and connection mappings. iscsid will start by +cleaning up the old session by doing a stop_conn call. Later, if we are +able to create a new connection, we clean up the old endpoint during the +binding stage. The problem is that if we do stop_conn before doing the +ep_disconnect call offload, drivers can still be executing I/O. We then +might free tasks from the under the card/driver. + +This moves the ep_disconnect call to before we do the stop_conn call for +this case. It will then work and look like a normal recovery/cleanup +procedure from the driver's point of view. + +Link: https://lore.kernel.org/r/20220408001314.5014-3-michael.christie@oracle.com +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 48 +++++++++++++++++------------ + 1 file changed, 28 insertions(+), 20 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 126f6f23bffa..03cda2da80ef 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2255,6 +2255,23 @@ static void iscsi_ep_disconnect(struct iscsi_cls_conn *conn, bool is_active) + ISCSI_DBG_TRANS_CONN(conn, "disconnect ep done.\n"); + } + ++static void iscsi_if_disconnect_bound_ep(struct iscsi_cls_conn *conn, ++ struct iscsi_endpoint *ep, ++ bool is_active) ++{ ++ /* Check if this was a conn error and the kernel took ownership */ ++ if (!test_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) { ++ iscsi_ep_disconnect(conn, is_active); ++ } else { ++ ISCSI_DBG_TRANS_CONN(conn, "flush kernel conn cleanup.\n"); ++ mutex_unlock(&conn->ep_mutex); ++ ++ flush_work(&conn->cleanup_work); ++ ++ mutex_lock(&conn->ep_mutex); ++ } ++} ++ + static int iscsi_if_stop_conn(struct iscsi_transport *transport, + struct iscsi_uevent *ev) + { +@@ -2275,6 +2292,16 @@ static int iscsi_if_stop_conn(struct iscsi_transport *transport, + cancel_work_sync(&conn->cleanup_work); + iscsi_stop_conn(conn, flag); + } else { ++ /* ++ * For offload, when iscsid is restarted it won't know about ++ * existing endpoints so it can't do a ep_disconnect. We clean ++ * it up here for userspace. ++ */ ++ mutex_lock(&conn->ep_mutex); ++ if (conn->ep) ++ iscsi_if_disconnect_bound_ep(conn, conn->ep, true); ++ mutex_unlock(&conn->ep_mutex); ++ + /* + * Figure out if it was the kernel or userspace initiating this. + */ +@@ -3003,16 +3030,7 @@ static int iscsi_if_ep_disconnect(struct iscsi_transport *transport, + } + + mutex_lock(&conn->ep_mutex); +- /* Check if this was a conn error and the kernel took ownership */ +- if (test_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) { +- ISCSI_DBG_TRANS_CONN(conn, "flush kernel conn cleanup.\n"); +- mutex_unlock(&conn->ep_mutex); +- +- flush_work(&conn->cleanup_work); +- goto put_ep; +- } +- +- iscsi_ep_disconnect(conn, false); ++ iscsi_if_disconnect_bound_ep(conn, ep, false); + mutex_unlock(&conn->ep_mutex); + put_ep: + iscsi_put_endpoint(ep); +@@ -3723,16 +3741,6 @@ static int iscsi_if_transport_conn(struct iscsi_transport *transport, + + switch (nlh->nlmsg_type) { + case ISCSI_UEVENT_BIND_CONN: +- if (conn->ep) { +- /* +- * For offload boot support where iscsid is restarted +- * during the pivot root stage, the ep will be intact +- * here when the new iscsid instance starts up and +- * reconnects. +- */ +- iscsi_ep_disconnect(conn, true); +- } +- + session = iscsi_session_lookup(ev->u.b_conn.sid); + if (!session) { + err = -EINVAL; +-- +2.35.1 + diff --git a/queue-5.17/scsi-iscsi-fix-unbound-endpoint-error-handling.patch b/queue-5.17/scsi-iscsi-fix-unbound-endpoint-error-handling.patch new file mode 100644 index 00000000000..cc404709dff --- /dev/null +++ b/queue-5.17/scsi-iscsi-fix-unbound-endpoint-error-handling.patch @@ -0,0 +1,192 @@ +From 8a2915e41c219b51512534dabc4df5ba658b87a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:10 -0500 +Subject: scsi: iscsi: Fix unbound endpoint error handling + +From: Mike Christie + +[ Upstream commit 03690d81974535f228e892a14f0d2d44404fe555 ] + +If a driver raises a connection error before the connection is bound, we +can leave a cleanup_work queued that can later run and disconnect/stop a +connection that is logged in. The problem is that drivers can call +iscsi_conn_error_event for endpoints that are connected but not yet bound +when something like the network port they are using is brought down. +iscsi_cleanup_conn_work_fn will check for this and exit early, but if the +cleanup_work is stuck behind other works, it might not get run until after +userspace has done ep_disconnect. Because the endpoint is not yet bound +there was no way for ep_disconnect to flush the work. + +The bug of leaving stop_conns queued was added in: + +Commit 23d6fefbb3f6 ("scsi: iscsi: Fix in-kernel conn failure handling") + +and: + +Commit 0ab710458da1 ("scsi: iscsi: Perform connection failure entirely in +kernel space") + +was supposed to fix it, but left this case. + +This patch moves the conn state check to before we even queue the work so +we can avoid queueing. + +Link: https://lore.kernel.org/r/20220408001314.5014-7-michael.christie@oracle.com +Fixes: 0ab710458da1 ("scsi: iscsi: Perform connection failure entirely in kernel space") +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 65 ++++++++++++++++------------- + 1 file changed, 36 insertions(+), 29 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index ed289e1242c9..c7b1b2e8bb02 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2221,10 +2221,10 @@ static void iscsi_stop_conn(struct iscsi_cls_conn *conn, int flag) + + switch (flag) { + case STOP_CONN_RECOVER: +- conn->state = ISCSI_CONN_FAILED; ++ WRITE_ONCE(conn->state, ISCSI_CONN_FAILED); + break; + case STOP_CONN_TERM: +- conn->state = ISCSI_CONN_DOWN; ++ WRITE_ONCE(conn->state, ISCSI_CONN_DOWN); + break; + default: + iscsi_cls_conn_printk(KERN_ERR, conn, "invalid stop flag %d\n", +@@ -2242,7 +2242,7 @@ static void iscsi_ep_disconnect(struct iscsi_cls_conn *conn, bool is_active) + struct iscsi_endpoint *ep; + + ISCSI_DBG_TRANS_CONN(conn, "disconnect ep.\n"); +- conn->state = ISCSI_CONN_FAILED; ++ WRITE_ONCE(conn->state, ISCSI_CONN_FAILED); + + if (!conn->ep || !session->transport->ep_disconnect) + return; +@@ -2341,21 +2341,6 @@ static void iscsi_cleanup_conn_work_fn(struct work_struct *work) + struct iscsi_cls_session *session = iscsi_conn_to_session(conn); + + mutex_lock(&conn->ep_mutex); +- /* +- * If we are not at least bound there is nothing for us to do. Userspace +- * will do a ep_disconnect call if offload is used, but will not be +- * doing a stop since there is nothing to clean up, so we have to clear +- * the cleanup bit here. +- */ +- if (conn->state != ISCSI_CONN_BOUND && conn->state != ISCSI_CONN_UP) { +- ISCSI_DBG_TRANS_CONN(conn, "Got error while conn is already failed. Ignoring.\n"); +- spin_lock_irq(&conn->lock); +- clear_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags); +- spin_unlock_irq(&conn->lock); +- mutex_unlock(&conn->ep_mutex); +- return; +- } +- + /* + * Get a ref to the ep, so we don't release its ID until after + * userspace is done referencing it in iscsi_if_disconnect_bound_ep. +@@ -2422,7 +2407,7 @@ iscsi_create_conn(struct iscsi_cls_session *session, int dd_size, uint32_t cid) + INIT_WORK(&conn->cleanup_work, iscsi_cleanup_conn_work_fn); + conn->transport = transport; + conn->cid = cid; +- conn->state = ISCSI_CONN_DOWN; ++ WRITE_ONCE(conn->state, ISCSI_CONN_DOWN); + + /* this is released in the dev's release function */ + if (!get_device(&session->dev)) +@@ -2610,10 +2595,30 @@ void iscsi_conn_error_event(struct iscsi_cls_conn *conn, enum iscsi_err error) + struct iscsi_internal *priv; + int len = nlmsg_total_size(sizeof(*ev)); + unsigned long flags; ++ int state; + + spin_lock_irqsave(&conn->lock, flags); +- if (!test_and_set_bit(ISCSI_CLS_CONN_BIT_CLEANUP, &conn->flags)) +- queue_work(iscsi_conn_cleanup_workq, &conn->cleanup_work); ++ /* ++ * Userspace will only do a stop call if we are at least bound. And, we ++ * only need to do the in kernel cleanup if in the UP state so cmds can ++ * be released to upper layers. If in other states just wait for ++ * userspace to avoid races that can leave the cleanup_work queued. ++ */ ++ state = READ_ONCE(conn->state); ++ switch (state) { ++ case ISCSI_CONN_BOUND: ++ case ISCSI_CONN_UP: ++ if (!test_and_set_bit(ISCSI_CLS_CONN_BIT_CLEANUP, ++ &conn->flags)) { ++ queue_work(iscsi_conn_cleanup_workq, ++ &conn->cleanup_work); ++ } ++ break; ++ default: ++ ISCSI_DBG_TRANS_CONN(conn, "Got conn error in state %d\n", ++ state); ++ break; ++ } + spin_unlock_irqrestore(&conn->lock, flags); + + priv = iscsi_if_transport_lookup(conn->transport); +@@ -2964,7 +2969,7 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + char *data = (char*)ev + sizeof(*ev); + struct iscsi_cls_conn *conn; + struct iscsi_cls_session *session; +- int err = 0, value = 0; ++ int err = 0, value = 0, state; + + if (ev->u.set_param.len > PAGE_SIZE) + return -EINVAL; +@@ -2981,8 +2986,8 @@ iscsi_set_param(struct iscsi_transport *transport, struct iscsi_uevent *ev) + session->recovery_tmo = value; + break; + default: +- if ((conn->state == ISCSI_CONN_BOUND) || +- (conn->state == ISCSI_CONN_UP)) { ++ state = READ_ONCE(conn->state); ++ if (state == ISCSI_CONN_BOUND || state == ISCSI_CONN_UP) { + err = transport->set_param(conn, ev->u.set_param.param, + data, ev->u.set_param.len); + } else { +@@ -3778,7 +3783,7 @@ static int iscsi_if_transport_conn(struct iscsi_transport *transport, + ev->u.b_conn.transport_eph, + ev->u.b_conn.is_leading); + if (!ev->r.retcode) +- conn->state = ISCSI_CONN_BOUND; ++ WRITE_ONCE(conn->state, ISCSI_CONN_BOUND); + + if (ev->r.retcode || !transport->ep_connect) + break; +@@ -3797,7 +3802,8 @@ static int iscsi_if_transport_conn(struct iscsi_transport *transport, + case ISCSI_UEVENT_START_CONN: + ev->r.retcode = transport->start_conn(conn); + if (!ev->r.retcode) +- conn->state = ISCSI_CONN_UP; ++ WRITE_ONCE(conn->state, ISCSI_CONN_UP); ++ + break; + case ISCSI_UEVENT_SEND_PDU: + pdu_len = nlh->nlmsg_len - sizeof(*nlh) - sizeof(*ev); +@@ -4105,10 +4111,11 @@ static ssize_t show_conn_state(struct device *dev, + { + struct iscsi_cls_conn *conn = iscsi_dev_to_conn(dev->parent); + const char *state = "unknown"; ++ int conn_state = READ_ONCE(conn->state); + +- if (conn->state >= 0 && +- conn->state < ARRAY_SIZE(connection_state_names)) +- state = connection_state_names[conn->state]; ++ if (conn_state >= 0 && ++ conn_state < ARRAY_SIZE(connection_state_names)) ++ state = connection_state_names[conn_state]; + + return sysfs_emit(buf, "%s\n", state); + } +-- +2.35.1 + diff --git a/queue-5.17/scsi-iscsi-move-iscsi_ep_disconnect.patch b/queue-5.17/scsi-iscsi-move-iscsi_ep_disconnect.patch new file mode 100644 index 00000000000..b40ea5d0234 --- /dev/null +++ b/queue-5.17/scsi-iscsi-move-iscsi_ep_disconnect.patch @@ -0,0 +1,82 @@ +From 28a53ba8cb241e14673d8f936943fffc4955bda7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:05 -0500 +Subject: scsi: iscsi: Move iscsi_ep_disconnect() + +From: Mike Christie + +[ Upstream commit c34f95e98d8fb750eefd4f3fe58b4f8b5e89253b ] + +This patch moves iscsi_ep_disconnect() so it can be called earlier in the +next patch. + +Link: https://lore.kernel.org/r/20220408001314.5014-2-michael.christie@oracle.com +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 38 ++++++++++++++--------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 554b6f784223..126f6f23bffa 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -2236,6 +2236,25 @@ static void iscsi_stop_conn(struct iscsi_cls_conn *conn, int flag) + ISCSI_DBG_TRANS_CONN(conn, "Stopping conn done.\n"); + } + ++static void iscsi_ep_disconnect(struct iscsi_cls_conn *conn, bool is_active) ++{ ++ struct iscsi_cls_session *session = iscsi_conn_to_session(conn); ++ struct iscsi_endpoint *ep; ++ ++ ISCSI_DBG_TRANS_CONN(conn, "disconnect ep.\n"); ++ conn->state = ISCSI_CONN_FAILED; ++ ++ if (!conn->ep || !session->transport->ep_disconnect) ++ return; ++ ++ ep = conn->ep; ++ conn->ep = NULL; ++ ++ session->transport->unbind_conn(conn, is_active); ++ session->transport->ep_disconnect(ep); ++ ISCSI_DBG_TRANS_CONN(conn, "disconnect ep done.\n"); ++} ++ + static int iscsi_if_stop_conn(struct iscsi_transport *transport, + struct iscsi_uevent *ev) + { +@@ -2276,25 +2295,6 @@ static int iscsi_if_stop_conn(struct iscsi_transport *transport, + return 0; + } + +-static void iscsi_ep_disconnect(struct iscsi_cls_conn *conn, bool is_active) +-{ +- struct iscsi_cls_session *session = iscsi_conn_to_session(conn); +- struct iscsi_endpoint *ep; +- +- ISCSI_DBG_TRANS_CONN(conn, "disconnect ep.\n"); +- conn->state = ISCSI_CONN_FAILED; +- +- if (!conn->ep || !session->transport->ep_disconnect) +- return; +- +- ep = conn->ep; +- conn->ep = NULL; +- +- session->transport->unbind_conn(conn, is_active); +- session->transport->ep_disconnect(ep); +- ISCSI_DBG_TRANS_CONN(conn, "disconnect ep done.\n"); +-} +- + static void iscsi_cleanup_conn_work_fn(struct work_struct *work) + { + struct iscsi_cls_conn *conn = container_of(work, struct iscsi_cls_conn, +-- +2.35.1 + diff --git a/queue-5.17/scsi-lpfc-fix-queue-failures-when-recovering-from-pc.patch b/queue-5.17/scsi-lpfc-fix-queue-failures-when-recovering-from-pc.patch new file mode 100644 index 00000000000..fff23954ac7 --- /dev/null +++ b/queue-5.17/scsi-lpfc-fix-queue-failures-when-recovering-from-pc.patch @@ -0,0 +1,46 @@ +From c2f2e8a8fc63afb8949508b6194b50134654651b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 20:27:36 -0700 +Subject: scsi: lpfc: Fix queue failures when recovering from PCI parity error + +From: James Smart + +[ Upstream commit df0101197c4d9596682901631f3ee193ed354873 ] + +When recovering from a pci-parity error the driver is failing to re-create +queues, causing recovery to fail. Looking deeper, it was found that the +interrupt vector count allocated on the recovery was fewer than the vectors +originally allocated. This disparity resulted in CPU map entries with stale +information. When the driver tries to re-create the queues, it attempts to +use the stale information which indicates an eq/interrupt vector that was +no longer created. + +Fix by clearng the cpup map array before enabling and requesting the IRQs +in the lpfc_sli_reset_slot_s4 routine(). + +Link: https://lore.kernel.org/r/20220317032737.45308-4-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index c8c049cf8d96..9569a7390f9d 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -15248,6 +15248,8 @@ lpfc_io_slot_reset_s4(struct pci_dev *pdev) + psli->sli_flag &= ~LPFC_SLI_ACTIVE; + spin_unlock_irq(&phba->hbalock); + ++ /* Init cpu_map array */ ++ lpfc_cpu_map_array_init(phba); + /* Configure and enable interrupt */ + intr_mode = lpfc_sli4_enable_intr(phba, phba->intr_mode); + if (intr_mode == LPFC_INTR_ERROR) { +-- +2.35.1 + diff --git a/queue-5.17/scsi-lpfc-fix-unload-hang-after-back-to-back-pci-eeh.patch b/queue-5.17/scsi-lpfc-fix-unload-hang-after-back-to-back-pci-eeh.patch new file mode 100644 index 00000000000..22094bfac45 --- /dev/null +++ b/queue-5.17/scsi-lpfc-fix-unload-hang-after-back-to-back-pci-eeh.patch @@ -0,0 +1,267 @@ +From 3517485ef14cf20e7591c0228f463ed5e3471591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 20:27:35 -0700 +Subject: scsi: lpfc: Fix unload hang after back to back PCI EEH faults + +From: James Smart + +[ Upstream commit a4691038b4071ff0d9ae486d8822a2c0d41d5796 ] + +When injecting EEH errors the port is getting hung up waiting on the node +list to empty, message number 0233. The driver is stuck at this point and +also can't unload. The driver makes transport remoteport delete calls which +try to abort I/O's, but the EEH daemon has already called the driver to +detach and the detachment has set the global FC_UNLOADING flag. There are +several code paths that will avoid I/O cleanup if the FC_UNLOADING flag is +set, resulting in transports waiting for I/O while the driver is waiting on +transports to clean up. + +Additionally, during study of the list, a locking issue was found in +lpfc_sli_abort_iocb_ring that could corrupt the list. + +A special case was added to the lpfc_cleanup() routine to call +lpfc_sli_flush_rings() if the driver is FC_UNLOADING and if the pci-slot +is offline (e.g. EEH). + +The SLI4 part of lpfc_sli_abort_iocb_ring() is changed to use the +ring_lock. Also added code to cancel the I/Os if the pci-slot is offline +and added checks and returns for the FC_UNLOADING and HBA_IOQ_FLUSH flags +to prevent trying to send an I/O that we cannot handle. + +Link: https://lore.kernel.org/r/20220317032737.45308-3-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 1 + + drivers/scsi/lpfc/lpfc_init.c | 26 +++++++++++++++-- + drivers/scsi/lpfc/lpfc_nvme.c | 16 ++++++++-- + drivers/scsi/lpfc/lpfc_sli.c | 50 ++++++++++++++++++++++---------- + 4 files changed, 72 insertions(+), 21 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index e10371611ef8..0cba306de0db 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -5416,6 +5416,7 @@ lpfc_unreg_rpi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + ndlp->nlp_flag &= ~NLP_UNREG_INP; + mempool_free(mbox, phba->mbox_mem_pool); + acc_plogi = 1; ++ lpfc_nlp_put(ndlp); + } + } else { + lpfc_printf_vlog(vport, KERN_INFO, +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index fe9a04b2df3e..c8c049cf8d96 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -95,6 +95,7 @@ static void lpfc_sli4_oas_verify(struct lpfc_hba *phba); + static uint16_t lpfc_find_cpu_handle(struct lpfc_hba *, uint16_t, int); + static void lpfc_setup_bg(struct lpfc_hba *, struct Scsi_Host *); + static int lpfc_sli4_cgn_parm_chg_evt(struct lpfc_hba *); ++static void lpfc_sli4_prep_dev_for_reset(struct lpfc_hba *phba); + + static struct scsi_transport_template *lpfc_transport_template = NULL; + static struct scsi_transport_template *lpfc_vport_transport_template = NULL; +@@ -1995,6 +1996,7 @@ lpfc_handle_eratt_s4(struct lpfc_hba *phba) + if (pci_channel_offline(phba->pcidev)) { + lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT, + "3166 pci channel is offline\n"); ++ lpfc_sli_flush_io_rings(phba); + return; + } + +@@ -2983,6 +2985,22 @@ lpfc_cleanup(struct lpfc_vport *vport) + NLP_EVT_DEVICE_RM); + } + ++ /* This is a special case flush to return all ++ * IOs before entering this loop. There are ++ * two points in the code where a flush is ++ * avoided if the FC_UNLOADING flag is set. ++ * one is in the multipool destroy, ++ * (this prevents a crash) and the other is ++ * in the nvme abort handler, ( also prevents ++ * a crash). Both of these exceptions are ++ * cases where the slot is still accessible. ++ * The flush here is only when the pci slot ++ * is offline. ++ */ ++ if (vport->load_flag & FC_UNLOADING && ++ pci_channel_offline(phba->pcidev)) ++ lpfc_sli_flush_io_rings(vport->phba); ++ + /* At this point, ALL ndlp's should be gone + * because of the previous NLP_EVT_DEVICE_RM. + * Lets wait for this to happen, if needed. +@@ -2995,7 +3013,7 @@ lpfc_cleanup(struct lpfc_vport *vport) + list_for_each_entry_safe(ndlp, next_ndlp, + &vport->fc_nodes, nlp_listp) { + lpfc_printf_vlog(ndlp->vport, KERN_ERR, +- LOG_TRACE_EVENT, ++ LOG_DISCOVERY, + "0282 did:x%x ndlp:x%px " + "refcnt:%d xflags x%x nflag x%x\n", + ndlp->nlp_DID, (void *)ndlp, +@@ -13371,8 +13389,9 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba) + /* Abort all iocbs associated with the hba */ + lpfc_sli_hba_iocb_abort(phba); + +- /* Wait for completion of device XRI exchange busy */ +- lpfc_sli4_xri_exchange_busy_wait(phba); ++ if (!pci_channel_offline(phba->pcidev)) ++ /* Wait for completion of device XRI exchange busy */ ++ lpfc_sli4_xri_exchange_busy_wait(phba); + + /* per-phba callback de-registration for hotplug event */ + if (phba->pport) +@@ -14276,6 +14295,7 @@ lpfc_sli_prep_dev_for_perm_failure(struct lpfc_hba *phba) + "2711 PCI channel permanent disable for failure\n"); + /* Block all SCSI devices' I/Os on the host */ + lpfc_scsi_dev_block(phba); ++ lpfc_sli4_prep_dev_for_reset(phba); + + /* stop all timers */ + lpfc_stop_hba_timers(phba); +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index 8983f6440858..df73abb59407 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -93,6 +93,11 @@ lpfc_nvme_create_queue(struct nvme_fc_local_port *pnvme_lport, + + lport = (struct lpfc_nvme_lport *)pnvme_lport->private; + vport = lport->vport; ++ ++ if (!vport || vport->load_flag & FC_UNLOADING || ++ vport->phba->hba_flag & HBA_IOQ_FLUSH) ++ return -ENODEV; ++ + qhandle = kzalloc(sizeof(struct lpfc_nvme_qhandle), GFP_KERNEL); + if (qhandle == NULL) + return -ENOMEM; +@@ -267,7 +272,8 @@ lpfc_nvme_handle_lsreq(struct lpfc_hba *phba, + return -EINVAL; + + remoteport = lpfc_rport->remoteport; +- if (!vport->localport) ++ if (!vport->localport || ++ vport->phba->hba_flag & HBA_IOQ_FLUSH) + return -EINVAL; + + lport = vport->localport->private; +@@ -559,6 +565,8 @@ __lpfc_nvme_ls_req(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + ndlp->nlp_DID, ntype, nstate); + return -ENODEV; + } ++ if (vport->phba->hba_flag & HBA_IOQ_FLUSH) ++ return -ENODEV; + + if (!vport->phba->sli4_hba.nvmels_wq) + return -ENOMEM; +@@ -662,7 +670,8 @@ lpfc_nvme_ls_req(struct nvme_fc_local_port *pnvme_lport, + return -EINVAL; + + vport = lport->vport; +- if (vport->load_flag & FC_UNLOADING) ++ if (vport->load_flag & FC_UNLOADING || ++ vport->phba->hba_flag & HBA_IOQ_FLUSH) + return -ENODEV; + + atomic_inc(&lport->fc4NvmeLsRequests); +@@ -1515,7 +1524,8 @@ lpfc_nvme_fcp_io_submit(struct nvme_fc_local_port *pnvme_lport, + + phba = vport->phba; + +- if (unlikely(vport->load_flag & FC_UNLOADING)) { ++ if ((unlikely(vport->load_flag & FC_UNLOADING)) || ++ phba->hba_flag & HBA_IOQ_FLUSH) { + lpfc_printf_vlog(vport, KERN_INFO, LOG_NVME_IOERR, + "6124 Fail IO, Driver unload\n"); + atomic_inc(&lport->xmt_fcp_err); +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 661ed0999f1c..b64c5f157ce9 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -4472,42 +4472,62 @@ lpfc_sli_handle_slow_ring_event_s4(struct lpfc_hba *phba, + void + lpfc_sli_abort_iocb_ring(struct lpfc_hba *phba, struct lpfc_sli_ring *pring) + { +- LIST_HEAD(completions); ++ LIST_HEAD(tx_completions); ++ LIST_HEAD(txcmplq_completions); + struct lpfc_iocbq *iocb, *next_iocb; ++ int offline; + + if (pring->ringno == LPFC_ELS_RING) { + lpfc_fabric_abort_hba(phba); + } ++ offline = pci_channel_offline(phba->pcidev); + + /* Error everything on txq and txcmplq + * First do the txq. + */ + if (phba->sli_rev >= LPFC_SLI_REV4) { + spin_lock_irq(&pring->ring_lock); +- list_splice_init(&pring->txq, &completions); ++ list_splice_init(&pring->txq, &tx_completions); + pring->txq_cnt = 0; +- spin_unlock_irq(&pring->ring_lock); + +- spin_lock_irq(&phba->hbalock); +- /* Next issue ABTS for everything on the txcmplq */ +- list_for_each_entry_safe(iocb, next_iocb, &pring->txcmplq, list) +- lpfc_sli_issue_abort_iotag(phba, pring, iocb, NULL); +- spin_unlock_irq(&phba->hbalock); ++ if (offline) { ++ list_splice_init(&pring->txcmplq, ++ &txcmplq_completions); ++ } else { ++ /* Next issue ABTS for everything on the txcmplq */ ++ list_for_each_entry_safe(iocb, next_iocb, ++ &pring->txcmplq, list) ++ lpfc_sli_issue_abort_iotag(phba, pring, ++ iocb, NULL); ++ } ++ spin_unlock_irq(&pring->ring_lock); + } else { + spin_lock_irq(&phba->hbalock); +- list_splice_init(&pring->txq, &completions); ++ list_splice_init(&pring->txq, &tx_completions); + pring->txq_cnt = 0; + +- /* Next issue ABTS for everything on the txcmplq */ +- list_for_each_entry_safe(iocb, next_iocb, &pring->txcmplq, list) +- lpfc_sli_issue_abort_iotag(phba, pring, iocb, NULL); ++ if (offline) { ++ list_splice_init(&pring->txcmplq, &txcmplq_completions); ++ } else { ++ /* Next issue ABTS for everything on the txcmplq */ ++ list_for_each_entry_safe(iocb, next_iocb, ++ &pring->txcmplq, list) ++ lpfc_sli_issue_abort_iotag(phba, pring, ++ iocb, NULL); ++ } + spin_unlock_irq(&phba->hbalock); + } +- /* Make sure HBA is alive */ +- lpfc_issue_hb_tmo(phba); + ++ if (offline) { ++ /* Cancel all the IOCBs from the completions list */ ++ lpfc_sli_cancel_iocbs(phba, &txcmplq_completions, ++ IOSTAT_LOCAL_REJECT, IOERR_SLI_ABORTED); ++ } else { ++ /* Make sure HBA is alive */ ++ lpfc_issue_hb_tmo(phba); ++ } + /* Cancel all the IOCBs from the completions list */ +- lpfc_sli_cancel_iocbs(phba, &completions, IOSTAT_LOCAL_REJECT, ++ lpfc_sli_cancel_iocbs(phba, &tx_completions, IOSTAT_LOCAL_REJECT, + IOERR_SLI_ABORTED); + } + +-- +2.35.1 + diff --git a/queue-5.17/scsi-lpfc-improve-pci-eeh-error-and-recovery-handlin.patch b/queue-5.17/scsi-lpfc-improve-pci-eeh-error-and-recovery-handlin.patch new file mode 100644 index 00000000000..f32f6d3bae2 --- /dev/null +++ b/queue-5.17/scsi-lpfc-improve-pci-eeh-error-and-recovery-handlin.patch @@ -0,0 +1,603 @@ +From 3abbd4a50c42079c5b948d4d0a61f627a6539e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 20:27:34 -0700 +Subject: scsi: lpfc: Improve PCI EEH Error and Recovery Handling + +From: James Smart + +[ Upstream commit 35ed9613d83f3c1f011877d591fd7d36f2666106 ] + +Following EEH errors, the driver can crash or hang when deleting the +localport or when attempting to unload. + +The EEH handlers in the driver did not notify the NVMe-FC transport before +tearing the driver down. This was delayed until the resume steps. This +worked for SCSI because lpfc_block_scsi() would notify the +scsi_fc_transport that the target was not available but it would not clean +up all the references to the ndlp. + +The SLI3 prep for dev reset handler did the lpfc_offline_prep() and +lpfc_offline() calls to get the port stopped before restarting. The SLI4 +version of the prep for dev reset just destroyed the queues and did not +stop NVMe from continuing. Also because the port was not really stopped +the localport destroy would hang because the transport was still waiting +for I/O. Additionally, a devloss tmo can fire and post events to a stopped +worker thread creating another hang condition. + +lpfc_sli4_prep_dev_for_reset() is modified to call lpfc_offline_prep() and +lpfc_offline() rather than just lpfc_scsi_dev_block() to ensure both SCSI +and NVMe transports are notified to block I/O to the driver. + +Logic is added to devloss handler and worker thread to clean up ndlp +references and quiesce appropriately. + +Link: https://lore.kernel.org/r/20220317032737.45308-2-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc.h | 7 +- + drivers/scsi/lpfc/lpfc_crtn.h | 3 + + drivers/scsi/lpfc/lpfc_hbadisc.c | 119 +++++++++++++++++++++++++------ + drivers/scsi/lpfc/lpfc_init.c | 60 ++++++++++------ + drivers/scsi/lpfc/lpfc_nvme.c | 11 ++- + drivers/scsi/lpfc/lpfc_sli.c | 15 ++-- + 6 files changed, 157 insertions(+), 58 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h +index 98cabe09c040..8748c5996478 100644 +--- a/drivers/scsi/lpfc/lpfc.h ++++ b/drivers/scsi/lpfc/lpfc.h +@@ -897,6 +897,11 @@ enum lpfc_irq_chann_mode { + NHT_MODE, + }; + ++enum lpfc_hba_bit_flags { ++ FABRIC_COMANDS_BLOCKED, ++ HBA_PCI_ERR, ++}; ++ + struct lpfc_hba { + /* SCSI interface function jump table entries */ + struct lpfc_io_buf * (*lpfc_get_scsi_buf) +@@ -1025,7 +1030,6 @@ struct lpfc_hba { + * Firmware supports Forced Link Speed + * capability + */ +-#define HBA_PCI_ERR 0x80000 /* The PCI slot is offline */ + #define HBA_FLOGI_ISSUED 0x100000 /* FLOGI was issued */ + #define HBA_SHORT_CMF 0x200000 /* shorter CMF timer routine */ + #define HBA_CGN_DAY_WRAP 0x400000 /* HBA Congestion info day wraps */ +@@ -1335,7 +1339,6 @@ struct lpfc_hba { + atomic_t fabric_iocb_count; + struct timer_list fabric_block_timer; + unsigned long bit_flags; +-#define FABRIC_COMANDS_BLOCKED 0 + atomic_t num_rsrc_err; + atomic_t num_cmd_success; + unsigned long last_rsrc_error_time; +diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h +index 89e36bf14d8f..d4340e5a3aac 100644 +--- a/drivers/scsi/lpfc/lpfc_crtn.h ++++ b/drivers/scsi/lpfc/lpfc_crtn.h +@@ -652,3 +652,6 @@ struct lpfc_vmid *lpfc_get_vmid_from_hashtable(struct lpfc_vport *vport, + uint32_t hash, uint8_t *buf); + void lpfc_vmid_vport_cleanup(struct lpfc_vport *vport); + int lpfc_issue_els_qfpa(struct lpfc_vport *vport); ++ ++void lpfc_sli_rpi_release(struct lpfc_vport *vport, ++ struct lpfc_nodelist *ndlp); +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 816fc406135b..e10371611ef8 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -109,8 +109,8 @@ lpfc_rport_invalid(struct fc_rport *rport) + + ndlp = rdata->pnode; + if (!rdata->pnode) { +- pr_err("**** %s: NULL ndlp on rport x%px SID x%x\n", +- __func__, rport, rport->scsi_target_id); ++ pr_info("**** %s: NULL ndlp on rport x%px SID x%x\n", ++ __func__, rport, rport->scsi_target_id); + return -EINVAL; + } + +@@ -169,9 +169,10 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + + lpfc_printf_vlog(ndlp->vport, KERN_INFO, LOG_NODE, + "3181 dev_loss_callbk x%06x, rport x%px flg x%x " +- "load_flag x%x refcnt %d\n", ++ "load_flag x%x refcnt %d state %d xpt x%x\n", + ndlp->nlp_DID, ndlp->rport, ndlp->nlp_flag, +- vport->load_flag, kref_read(&ndlp->kref)); ++ vport->load_flag, kref_read(&ndlp->kref), ++ ndlp->nlp_state, ndlp->fc4_xpt_flags); + + /* Don't schedule a worker thread event if the vport is going down. + * The teardown process cleans up the node via lpfc_drop_node. +@@ -181,6 +182,11 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + ndlp->rport = NULL; + + ndlp->fc4_xpt_flags &= ~SCSI_XPT_REGD; ++ /* clear the NLP_XPT_REGD if the node is not registered ++ * with nvme-fc ++ */ ++ if (ndlp->fc4_xpt_flags == NLP_XPT_REGD) ++ ndlp->fc4_xpt_flags &= ~NLP_XPT_REGD; + + /* Remove the node reference from remote_port_add now. + * The driver will not call remote_port_delete. +@@ -225,18 +231,36 @@ lpfc_dev_loss_tmo_callbk(struct fc_rport *rport) + ndlp->rport = NULL; + spin_unlock_irqrestore(&ndlp->lock, iflags); + +- /* We need to hold the node by incrementing the reference +- * count until this queued work is done +- */ +- evtp->evt_arg1 = lpfc_nlp_get(ndlp); ++ if (phba->worker_thread) { ++ /* We need to hold the node by incrementing the reference ++ * count until this queued work is done ++ */ ++ evtp->evt_arg1 = lpfc_nlp_get(ndlp); ++ ++ spin_lock_irqsave(&phba->hbalock, iflags); ++ if (evtp->evt_arg1) { ++ evtp->evt = LPFC_EVT_DEV_LOSS; ++ list_add_tail(&evtp->evt_listp, &phba->work_list); ++ lpfc_worker_wake_up(phba); ++ } ++ spin_unlock_irqrestore(&phba->hbalock, iflags); ++ } else { ++ lpfc_printf_vlog(ndlp->vport, KERN_INFO, LOG_NODE, ++ "3188 worker thread is stopped %s x%06x, " ++ " rport x%px flg x%x load_flag x%x refcnt " ++ "%d\n", __func__, ndlp->nlp_DID, ++ ndlp->rport, ndlp->nlp_flag, ++ vport->load_flag, kref_read(&ndlp->kref)); ++ if (!(ndlp->fc4_xpt_flags & NVME_XPT_REGD)) { ++ spin_lock_irqsave(&ndlp->lock, iflags); ++ /* Node is in dev loss. No further transaction. */ ++ ndlp->nlp_flag &= ~NLP_IN_DEV_LOSS; ++ spin_unlock_irqrestore(&ndlp->lock, iflags); ++ lpfc_disc_state_machine(vport, ndlp, NULL, ++ NLP_EVT_DEVICE_RM); ++ } + +- spin_lock_irqsave(&phba->hbalock, iflags); +- if (evtp->evt_arg1) { +- evtp->evt = LPFC_EVT_DEV_LOSS; +- list_add_tail(&evtp->evt_listp, &phba->work_list); +- lpfc_worker_wake_up(phba); + } +- spin_unlock_irqrestore(&phba->hbalock, iflags); + + return; + } +@@ -503,11 +527,12 @@ lpfc_dev_loss_tmo_handler(struct lpfc_nodelist *ndlp) + lpfc_printf_vlog(vport, KERN_ERR, LOG_TRACE_EVENT, + "0203 Devloss timeout on " + "WWPN %02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x " +- "NPort x%06x Data: x%x x%x x%x\n", ++ "NPort x%06x Data: x%x x%x x%x refcnt %d\n", + *name, *(name+1), *(name+2), *(name+3), + *(name+4), *(name+5), *(name+6), *(name+7), + ndlp->nlp_DID, ndlp->nlp_flag, +- ndlp->nlp_state, ndlp->nlp_rpi); ++ ndlp->nlp_state, ndlp->nlp_rpi, ++ kref_read(&ndlp->kref)); + } else { + lpfc_printf_vlog(vport, KERN_INFO, LOG_TRACE_EVENT, + "0204 Devloss timeout on " +@@ -755,18 +780,22 @@ lpfc_work_list_done(struct lpfc_hba *phba) + int free_evt; + int fcf_inuse; + uint32_t nlp_did; ++ bool hba_pci_err; + + spin_lock_irq(&phba->hbalock); + while (!list_empty(&phba->work_list)) { + list_remove_head((&phba->work_list), evtp, typeof(*evtp), + evt_listp); + spin_unlock_irq(&phba->hbalock); ++ hba_pci_err = test_bit(HBA_PCI_ERR, &phba->bit_flags); + free_evt = 1; + switch (evtp->evt) { + case LPFC_EVT_ELS_RETRY: + ndlp = (struct lpfc_nodelist *) (evtp->evt_arg1); +- lpfc_els_retry_delay_handler(ndlp); +- free_evt = 0; /* evt is part of ndlp */ ++ if (!hba_pci_err) { ++ lpfc_els_retry_delay_handler(ndlp); ++ free_evt = 0; /* evt is part of ndlp */ ++ } + /* decrement the node reference count held + * for this queued work + */ +@@ -788,8 +817,10 @@ lpfc_work_list_done(struct lpfc_hba *phba) + break; + case LPFC_EVT_RECOVER_PORT: + ndlp = (struct lpfc_nodelist *)(evtp->evt_arg1); +- lpfc_sli_abts_recover_port(ndlp->vport, ndlp); +- free_evt = 0; ++ if (!hba_pci_err) { ++ lpfc_sli_abts_recover_port(ndlp->vport, ndlp); ++ free_evt = 0; ++ } + /* decrement the node reference count held for + * this queued work + */ +@@ -859,14 +890,18 @@ lpfc_work_done(struct lpfc_hba *phba) + struct lpfc_vport **vports; + struct lpfc_vport *vport; + int i; ++ bool hba_pci_err; + ++ hba_pci_err = test_bit(HBA_PCI_ERR, &phba->bit_flags); + spin_lock_irq(&phba->hbalock); + ha_copy = phba->work_ha; + phba->work_ha = 0; + spin_unlock_irq(&phba->hbalock); ++ if (hba_pci_err) ++ ha_copy = 0; + + /* First, try to post the next mailbox command to SLI4 device */ +- if (phba->pci_dev_grp == LPFC_PCI_DEV_OC) ++ if (phba->pci_dev_grp == LPFC_PCI_DEV_OC && !hba_pci_err) + lpfc_sli4_post_async_mbox(phba); + + if (ha_copy & HA_ERATT) { +@@ -886,7 +921,7 @@ lpfc_work_done(struct lpfc_hba *phba) + lpfc_handle_latt(phba); + + /* Handle VMID Events */ +- if (lpfc_is_vmid_enabled(phba)) { ++ if (lpfc_is_vmid_enabled(phba) && !hba_pci_err) { + if (phba->pport->work_port_events & + WORKER_CHECK_VMID_ISSUE_QFPA) { + lpfc_check_vmid_qfpa_issue(phba); +@@ -936,6 +971,8 @@ lpfc_work_done(struct lpfc_hba *phba) + work_port_events = vport->work_port_events; + vport->work_port_events &= ~work_port_events; + spin_unlock_irq(&vport->work_port_lock); ++ if (hba_pci_err) ++ continue; + if (work_port_events & WORKER_DISC_TMO) + lpfc_disc_timeout_handler(vport); + if (work_port_events & WORKER_ELS_TMO) +@@ -1173,12 +1210,14 @@ lpfc_linkdown(struct lpfc_hba *phba) + struct lpfc_vport **vports; + LPFC_MBOXQ_t *mb; + int i; ++ int offline; + + if (phba->link_state == LPFC_LINK_DOWN) + return 0; + + /* Block all SCSI stack I/Os */ + lpfc_scsi_dev_block(phba); ++ offline = pci_channel_offline(phba->pcidev); + + phba->defer_flogi_acc_flag = false; + +@@ -1219,7 +1258,7 @@ lpfc_linkdown(struct lpfc_hba *phba) + lpfc_destroy_vport_work_array(phba, vports); + + /* Clean up any SLI3 firmware default rpi's */ +- if (phba->sli_rev > LPFC_SLI_REV3) ++ if (phba->sli_rev > LPFC_SLI_REV3 || offline) + goto skip_unreg_did; + + mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); +@@ -4712,6 +4751,11 @@ lpfc_nlp_unreg_node(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + spin_lock_irqsave(&ndlp->lock, iflags); + if (!(ndlp->fc4_xpt_flags & NLP_XPT_REGD)) { + spin_unlock_irqrestore(&ndlp->lock, iflags); ++ lpfc_printf_vlog(vport, KERN_INFO, LOG_SLI, ++ "0999 %s Not regd: ndlp x%px rport x%px DID " ++ "x%x FLG x%x XPT x%x\n", ++ __func__, ndlp, ndlp->rport, ndlp->nlp_DID, ++ ndlp->nlp_flag, ndlp->fc4_xpt_flags); + return; + } + +@@ -4722,6 +4766,13 @@ lpfc_nlp_unreg_node(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + ndlp->fc4_xpt_flags & SCSI_XPT_REGD) { + vport->phba->nport_event_cnt++; + lpfc_unregister_remote_port(ndlp); ++ } else if (!ndlp->rport) { ++ lpfc_printf_vlog(vport, KERN_INFO, LOG_SLI, ++ "1999 %s NDLP in devloss x%px DID x%x FLG x%x" ++ " XPT x%x refcnt %d\n", ++ __func__, ndlp, ndlp->nlp_DID, ndlp->nlp_flag, ++ ndlp->fc4_xpt_flags, ++ kref_read(&ndlp->kref)); + } + + if (ndlp->fc4_xpt_flags & NVME_XPT_REGD) { +@@ -6089,12 +6140,34 @@ lpfc_disc_flush_list(struct lpfc_vport *vport) + } + } + ++/* ++ * lpfc_notify_xport_npr - notifies xport of node disappearance ++ * @vport: Pointer to Virtual Port object. ++ * ++ * Transitions all ndlps to NPR state. When lpfc_nlp_set_state ++ * calls lpfc_nlp_state_cleanup, the ndlp->rport is unregistered ++ * and transport notified that the node is gone. ++ * Return Code: ++ * none ++ */ ++static void ++lpfc_notify_xport_npr(struct lpfc_vport *vport) ++{ ++ struct lpfc_nodelist *ndlp, *next_ndlp; ++ ++ list_for_each_entry_safe(ndlp, next_ndlp, &vport->fc_nodes, ++ nlp_listp) { ++ lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE); ++ } ++} + void + lpfc_cleanup_discovery_resources(struct lpfc_vport *vport) + { + lpfc_els_flush_rscn(vport); + lpfc_els_flush_cmd(vport); + lpfc_disc_flush_list(vport); ++ if (pci_channel_offline(vport->phba->pcidev)) ++ lpfc_notify_xport_npr(vport); + } + + /*****************************************************************************/ +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 558f7d2559c4..fe9a04b2df3e 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -1652,7 +1652,7 @@ lpfc_sli4_offline_eratt(struct lpfc_hba *phba) + { + spin_lock_irq(&phba->hbalock); + if (phba->link_state == LPFC_HBA_ERROR && +- phba->hba_flag & HBA_PCI_ERR) { ++ test_bit(HBA_PCI_ERR, &phba->bit_flags)) { + spin_unlock_irq(&phba->hbalock); + return; + } +@@ -3692,7 +3692,8 @@ lpfc_offline_prep(struct lpfc_hba *phba, int mbx_action) + struct lpfc_vport **vports; + struct Scsi_Host *shost; + int i; +- int offline = 0; ++ int offline; ++ bool hba_pci_err; + + if (vport->fc_flag & FC_OFFLINE_MODE) + return; +@@ -3702,6 +3703,7 @@ lpfc_offline_prep(struct lpfc_hba *phba, int mbx_action) + lpfc_linkdown(phba); + + offline = pci_channel_offline(phba->pcidev); ++ hba_pci_err = test_bit(HBA_PCI_ERR, &phba->bit_flags); + + /* Issue an unreg_login to all nodes on all vports */ + vports = lpfc_create_vport_work_array(phba); +@@ -3725,11 +3727,14 @@ lpfc_offline_prep(struct lpfc_hba *phba, int mbx_action) + ndlp->nlp_flag &= ~NLP_NPR_ADISC; + spin_unlock_irq(&ndlp->lock); + +- if (offline) { ++ if (offline || hba_pci_err) { + spin_lock_irq(&ndlp->lock); + ndlp->nlp_flag &= ~(NLP_UNREG_INP | + NLP_RPI_REGISTERED); + spin_unlock_irq(&ndlp->lock); ++ if (phba->sli_rev == LPFC_SLI_REV4) ++ lpfc_sli_rpi_release(vports[i], ++ ndlp); + } else { + lpfc_unreg_rpi(vports[i], ndlp); + } +@@ -13386,15 +13391,12 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba) + /* Disable FW logging to host memory */ + lpfc_ras_stop_fwlog(phba); + +- /* Unset the queues shared with the hardware then release all +- * allocated resources. +- */ +- lpfc_sli4_queue_unset(phba); +- lpfc_sli4_queue_destroy(phba); +- + /* Reset SLI4 HBA FCoE function */ + lpfc_pci_function_reset(phba); + ++ /* release all queue allocated resources. */ ++ lpfc_sli4_queue_destroy(phba); ++ + /* Free RAS DMA memory */ + if (phba->ras_fwlog.ras_enabled) + lpfc_sli4_ras_dma_free(phba); +@@ -15069,24 +15071,28 @@ lpfc_sli4_prep_dev_for_recover(struct lpfc_hba *phba) + static void + lpfc_sli4_prep_dev_for_reset(struct lpfc_hba *phba) + { +- lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT, +- "2826 PCI channel disable preparing for reset\n"); ++ int offline = pci_channel_offline(phba->pcidev); ++ ++ lpfc_printf_log(phba, KERN_ERR, LOG_INIT, ++ "2826 PCI channel disable preparing for reset offline" ++ " %d\n", offline); + + /* Block any management I/Os to the device */ + lpfc_block_mgmt_io(phba, LPFC_MBX_NO_WAIT); + +- /* Block all SCSI devices' I/Os on the host */ +- lpfc_scsi_dev_block(phba); + ++ /* HBA_PCI_ERR was set in io_error_detect */ ++ lpfc_offline_prep(phba, LPFC_MBX_NO_WAIT); + /* Flush all driver's outstanding I/Os as we are to reset */ + lpfc_sli_flush_io_rings(phba); ++ lpfc_offline(phba); + + /* stop all timers */ + lpfc_stop_hba_timers(phba); + ++ lpfc_sli4_queue_destroy(phba); + /* Disable interrupt and pci device */ + lpfc_sli4_disable_intr(phba); +- lpfc_sli4_queue_destroy(phba); + pci_disable_device(phba->pcidev); + } + +@@ -15135,6 +15141,7 @@ lpfc_io_error_detected_s4(struct pci_dev *pdev, pci_channel_state_t state) + { + struct Scsi_Host *shost = pci_get_drvdata(pdev); + struct lpfc_hba *phba = ((struct lpfc_vport *)shost->hostdata)->phba; ++ bool hba_pci_err; + + switch (state) { + case pci_channel_io_normal: +@@ -15142,17 +15149,24 @@ lpfc_io_error_detected_s4(struct pci_dev *pdev, pci_channel_state_t state) + lpfc_sli4_prep_dev_for_recover(phba); + return PCI_ERS_RESULT_CAN_RECOVER; + case pci_channel_io_frozen: +- phba->hba_flag |= HBA_PCI_ERR; ++ hba_pci_err = test_and_set_bit(HBA_PCI_ERR, &phba->bit_flags); + /* Fatal error, prepare for slot reset */ +- lpfc_sli4_prep_dev_for_reset(phba); ++ if (!hba_pci_err) ++ lpfc_sli4_prep_dev_for_reset(phba); ++ else ++ lpfc_printf_log(phba, KERN_ERR, LOG_INIT, ++ "2832 Already handling PCI error " ++ "state: x%x\n", state); + return PCI_ERS_RESULT_NEED_RESET; + case pci_channel_io_perm_failure: +- phba->hba_flag |= HBA_PCI_ERR; ++ set_bit(HBA_PCI_ERR, &phba->bit_flags); + /* Permanent failure, prepare for device down */ + lpfc_sli4_prep_dev_for_perm_failure(phba); + return PCI_ERS_RESULT_DISCONNECT; + default: +- phba->hba_flag |= HBA_PCI_ERR; ++ hba_pci_err = test_and_set_bit(HBA_PCI_ERR, &phba->bit_flags); ++ if (!hba_pci_err) ++ lpfc_sli4_prep_dev_for_reset(phba); + /* Unknown state, prepare and request slot reset */ + lpfc_printf_log(phba, KERN_ERR, LOG_TRACE_EVENT, + "2825 Unknown PCI error state: x%x\n", state); +@@ -15186,17 +15200,21 @@ lpfc_io_slot_reset_s4(struct pci_dev *pdev) + struct lpfc_hba *phba = ((struct lpfc_vport *)shost->hostdata)->phba; + struct lpfc_sli *psli = &phba->sli; + uint32_t intr_mode; ++ bool hba_pci_err; + + dev_printk(KERN_INFO, &pdev->dev, "recovering from a slot reset.\n"); + if (pci_enable_device_mem(pdev)) { + printk(KERN_ERR "lpfc: Cannot re-enable " +- "PCI device after reset.\n"); ++ "PCI device after reset.\n"); + return PCI_ERS_RESULT_DISCONNECT; + } + + pci_restore_state(pdev); + +- phba->hba_flag &= ~HBA_PCI_ERR; ++ hba_pci_err = test_and_clear_bit(HBA_PCI_ERR, &phba->bit_flags); ++ if (!hba_pci_err) ++ dev_info(&pdev->dev, ++ "hba_pci_err was not set, recovering slot reset.\n"); + /* + * As the new kernel behavior of pci_restore_state() API call clears + * device saved_state flag, need to save the restored state again. +@@ -15251,8 +15269,6 @@ lpfc_io_resume_s4(struct pci_dev *pdev) + */ + if (!(phba->sli.sli_flag & LPFC_SLI_ACTIVE)) { + /* Perform device reset */ +- lpfc_offline_prep(phba, LPFC_MBX_WAIT); +- lpfc_offline(phba); + lpfc_sli_brdrestart(phba); + /* Bring the device back online */ + lpfc_online(phba); +diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c +index 9601edd838e1..8983f6440858 100644 +--- a/drivers/scsi/lpfc/lpfc_nvme.c ++++ b/drivers/scsi/lpfc/lpfc_nvme.c +@@ -2169,8 +2169,7 @@ lpfc_nvme_lport_unreg_wait(struct lpfc_vport *vport, + abts_nvme = 0; + for (i = 0; i < phba->cfg_hdw_queue; i++) { + qp = &phba->sli4_hba.hdwq[i]; +- if (!vport || !vport->localport || +- !qp || !qp->io_wq) ++ if (!vport->localport || !qp || !qp->io_wq) + return; + + pring = qp->io_wq->pring; +@@ -2180,8 +2179,9 @@ lpfc_nvme_lport_unreg_wait(struct lpfc_vport *vport, + abts_scsi += qp->abts_scsi_io_bufs; + abts_nvme += qp->abts_nvme_io_bufs; + } +- if (!vport || !vport->localport || +- vport->phba->hba_flag & HBA_PCI_ERR) ++ if (!vport->localport || ++ test_bit(HBA_PCI_ERR, &vport->phba->bit_flags) || ++ vport->load_flag & FC_UNLOADING) + return; + + lpfc_printf_vlog(vport, KERN_ERR, LOG_TRACE_EVENT, +@@ -2541,8 +2541,7 @@ lpfc_nvme_unregister_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + * return values is ignored. The upcall is a courtesy to the + * transport. + */ +- if (vport->load_flag & FC_UNLOADING || +- unlikely(vport->phba->hba_flag & HBA_PCI_ERR)) ++ if (vport->load_flag & FC_UNLOADING) + (void)nvme_fc_set_remoteport_devloss(remoteport, 0); + + ret = nvme_fc_unregister_remoteport(remoteport); +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 430abebf99f1..661ed0999f1c 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -2833,6 +2833,12 @@ __lpfc_sli_rpi_release(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) + ndlp->nlp_flag &= ~NLP_UNREG_INP; + } + ++void ++lpfc_sli_rpi_release(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp) ++{ ++ __lpfc_sli_rpi_release(vport, ndlp); ++} ++ + /** + * lpfc_sli_def_mbox_cmpl - Default mailbox completion handler + * @phba: Pointer to HBA context object. +@@ -4554,11 +4560,6 @@ lpfc_sli_flush_io_rings(struct lpfc_hba *phba) + struct lpfc_iocbq *piocb, *next_iocb; + + spin_lock_irq(&phba->hbalock); +- if (phba->hba_flag & HBA_IOQ_FLUSH || +- !phba->sli4_hba.hdwq) { +- spin_unlock_irq(&phba->hbalock); +- return; +- } + /* Indicate the I/O queues are flushed */ + phba->hba_flag |= HBA_IOQ_FLUSH; + spin_unlock_irq(&phba->hbalock); +@@ -11235,6 +11236,10 @@ lpfc_sli_issue_iocb(struct lpfc_hba *phba, uint32_t ring_number, + unsigned long iflags; + int rc; + ++ /* If the PCI channel is in offline state, do not post iocbs. */ ++ if (unlikely(pci_channel_offline(phba->pcidev))) ++ return IOCB_ERROR; ++ + if (phba->sli_rev == LPFC_SLI_REV4) { + eq = phba->sli4_hba.hdwq[piocb->hba_wqidx].hba_eq; + +-- +2.35.1 + diff --git a/queue-5.17/scsi-megaraid_sas-target-with-invalid-lun-id-is-dele.patch b/queue-5.17/scsi-megaraid_sas-target-with-invalid-lun-id-is-dele.patch new file mode 100644 index 00000000000..406a5d62adf --- /dev/null +++ b/queue-5.17/scsi-megaraid_sas-target-with-invalid-lun-id-is-dele.patch @@ -0,0 +1,68 @@ +From 85239c22d0be1dc29ece94e74057d8058cdf800c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 02:47:11 -0700 +Subject: scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan + +From: Chandrakanth patil + +[ Upstream commit 56495f295d8e021f77d065b890fc0100e3f9f6d8 ] + +The megaraid_sas driver supports single LUN for RAID devices. That is LUN +0. All other LUNs are unsupported. When a device scan on a logical target +with invalid LUN number is invoked through sysfs, that target ends up +getting removed. + +Add LUN ID validation in the slave destroy function to avoid the target +deletion. + +Link: https://lore.kernel.org/r/20220324094711.48833-1-chandrakanth.patil@broadcom.com +Signed-off-by: Chandrakanth patil +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas.h | 3 +++ + drivers/scsi/megaraid/megaraid_sas_base.c | 7 +++++++ + 2 files changed, 10 insertions(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h +index 2c9d1b796475..ae2aef9ba8cf 100644 +--- a/drivers/scsi/megaraid/megaraid_sas.h ++++ b/drivers/scsi/megaraid/megaraid_sas.h +@@ -2558,6 +2558,9 @@ struct megasas_instance_template { + #define MEGASAS_IS_LOGICAL(sdev) \ + ((sdev->channel < MEGASAS_MAX_PD_CHANNELS) ? 0 : 1) + ++#define MEGASAS_IS_LUN_VALID(sdev) \ ++ (((sdev)->lun == 0) ? 1 : 0) ++ + #define MEGASAS_DEV_INDEX(scp) \ + (((scp->device->channel % 2) * MEGASAS_MAX_DEV_PER_CHANNEL) + \ + scp->device->id) +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 82e1e24257bc..ca563498dcdb 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -2126,6 +2126,9 @@ static int megasas_slave_alloc(struct scsi_device *sdev) + goto scan_target; + } + return -ENXIO; ++ } else if (!MEGASAS_IS_LUN_VALID(sdev)) { ++ sdev_printk(KERN_INFO, sdev, "%s: invalid LUN\n", __func__); ++ return -ENXIO; + } + + scan_target: +@@ -2156,6 +2159,10 @@ static void megasas_slave_destroy(struct scsi_device *sdev) + instance = megasas_lookup_instance(sdev->host->host_no); + + if (MEGASAS_IS_LOGICAL(sdev)) { ++ if (!MEGASAS_IS_LUN_VALID(sdev)) { ++ sdev_printk(KERN_INFO, sdev, "%s: invalid LUN\n", __func__); ++ return; ++ } + ld_tgt_id = MEGASAS_TARGET_ID(sdev); + instance->ld_tgtid_status[ld_tgt_id] = LD_TARGET_ID_DELETED; + if (megasas_dbg_lvl & LD_PD_DEBUG) +-- +2.35.1 + diff --git a/queue-5.17/scsi-mpt3sas-fail-reset-operation-if-config-request-.patch b/queue-5.17/scsi-mpt3sas-fail-reset-operation-if-config-request-.patch new file mode 100644 index 00000000000..fc6531693ed --- /dev/null +++ b/queue-5.17/scsi-mpt3sas-fail-reset-operation-if-config-request-.patch @@ -0,0 +1,45 @@ +From 1cd7c939e6d331cf3dc43e684875650c0532bee3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 17:36:37 +0530 +Subject: scsi: mpt3sas: Fail reset operation if config request timed out + +From: Sreekanth Reddy + +[ Upstream commit f61eb1216c959f93ffabd3b8781fa5b2b22f8907 ] + +As part of controller reset operation the driver issues a config request +command. If this command gets times out, then fail the controller reset +operation instead of retrying it. + +Link: https://lore.kernel.org/r/20220405120637.20528-1-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_config.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_config.c b/drivers/scsi/mpt3sas/mpt3sas_config.c +index 0563078227de..a8dd14c91efd 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_config.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_config.c +@@ -394,10 +394,13 @@ _config_request(struct MPT3SAS_ADAPTER *ioc, Mpi2ConfigRequest_t + retry_count++; + if (ioc->config_cmds.smid == smid) + mpt3sas_base_free_smid(ioc, smid); +- if ((ioc->shost_recovery) || (ioc->config_cmds.status & +- MPT3_CMD_RESET) || ioc->pci_error_recovery) ++ if (ioc->config_cmds.status & MPT3_CMD_RESET) + goto retry_config; +- issue_host_reset = 1; ++ if (ioc->shost_recovery || ioc->pci_error_recovery) { ++ issue_host_reset = 0; ++ r = -EFAULT; ++ } else ++ issue_host_reset = 1; + goto free_mem; + } + +-- +2.35.1 + diff --git a/queue-5.17/scsi-mvsas-add-pci-id-of-rocketraid-2640.patch b/queue-5.17/scsi-mvsas-add-pci-id-of-rocketraid-2640.patch new file mode 100644 index 00000000000..3a4d76194e3 --- /dev/null +++ b/queue-5.17/scsi-mvsas-add-pci-id-of-rocketraid-2640.patch @@ -0,0 +1,36 @@ +From 18c5e0e23cfa74695448c624f900298bea6f5e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 22:25:35 +0100 +Subject: scsi: mvsas: Add PCI ID of RocketRaid 2640 + +From: Alexey Galakhov + +[ Upstream commit 5f2bce1e222028dc1c15f130109a17aa654ae6e8 ] + +The HighPoint RocketRaid 2640 is a low-cost SAS controller based on Marvell +chip. The chip in question was already supported by the kernel, just the +PCI ID of this particular board was missing. + +Link: https://lore.kernel.org/r/20220309212535.402987-1-agalakhov@gmail.com +Signed-off-by: Alexey Galakhov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvsas/mv_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/mvsas/mv_init.c b/drivers/scsi/mvsas/mv_init.c +index 44df7c03aab8..605a8eb7344a 100644 +--- a/drivers/scsi/mvsas/mv_init.c ++++ b/drivers/scsi/mvsas/mv_init.c +@@ -646,6 +646,7 @@ static struct pci_device_id mvs_pci_table[] = { + { PCI_VDEVICE(ARECA, PCI_DEVICE_ID_ARECA_1300), chip_1300 }, + { PCI_VDEVICE(ARECA, PCI_DEVICE_ID_ARECA_1320), chip_1320 }, + { PCI_VDEVICE(ADAPTEC2, 0x0450), chip_6440 }, ++ { PCI_VDEVICE(TTI, 0x2640), chip_6440 }, + { PCI_VDEVICE(TTI, 0x2710), chip_9480 }, + { PCI_VDEVICE(TTI, 0x2720), chip_9480 }, + { PCI_VDEVICE(TTI, 0x2721), chip_9480 }, +-- +2.35.1 + diff --git a/queue-5.17/scsi-pm80xx-enable-upper-inbound-outbound-queues.patch b/queue-5.17/scsi-pm80xx-enable-upper-inbound-outbound-queues.patch new file mode 100644 index 00000000000..6fe38ca9bff --- /dev/null +++ b/queue-5.17/scsi-pm80xx-enable-upper-inbound-outbound-queues.patch @@ -0,0 +1,63 @@ +From 4080bb219c2c073a7be715c009e0cffd6cf588b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 12:16:03 +0530 +Subject: scsi: pm80xx: Enable upper inbound, outbound queues + +From: Ajish Koshy + +[ Upstream commit bcd8a45223470e00b5f254018174d64a75db4bbe ] + +Executing driver on servers with more than 32 CPUs were faced with command +timeouts. This is because we were not geting completions for commands +submitted on IQ32 - IQ63. + +Set E64Q bit to enable upper inbound and outbound queues 32 to 63 in the +MPI main configuration table. + +Added 500ms delay after successful MPI initialization as mentioned in +controller datasheet. + +Link: https://lore.kernel.org/r/20220411064603.668448-3-Ajish.Koshy@microchip.com +Fixes: 05c6c029a44d ("scsi: pm80xx: Increase number of supported queues") +Reviewed-by: Damien Le Moal +Acked-by: Jack Wang +Signed-off-by: Ajish Koshy +Signed-off-by: Viswas G +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm80xx_hwi.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c +index 2dea48933ef9..5853b3c0d76d 100644 +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -766,6 +766,10 @@ static void init_default_table_values(struct pm8001_hba_info *pm8001_ha) + pm8001_ha->main_cfg_tbl.pm80xx_tbl.pcs_event_log_severity = 0x01; + pm8001_ha->main_cfg_tbl.pm80xx_tbl.fatal_err_interrupt = 0x01; + ++ /* Enable higher IQs and OQs, 32 to 63, bit 16 */ ++ if (pm8001_ha->max_q_num > 32) ++ pm8001_ha->main_cfg_tbl.pm80xx_tbl.fatal_err_interrupt |= ++ 1 << 16; + /* Disable end to end CRC checking */ + pm8001_ha->main_cfg_tbl.pm80xx_tbl.crc_core_dump = (0x1 << 16); + +@@ -1027,6 +1031,13 @@ static int mpi_init_check(struct pm8001_hba_info *pm8001_ha) + if (0x0000 != gst_len_mpistate) + return -EBUSY; + ++ /* ++ * As per controller datasheet, after successful MPI ++ * initialization minimum 500ms delay is required before ++ * issuing commands. ++ */ ++ msleep(500); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-5.17/scsi-pm80xx-mask-and-unmask-upper-interrupt-vectors-.patch b/queue-5.17/scsi-pm80xx-mask-and-unmask-upper-interrupt-vectors-.patch new file mode 100644 index 00000000000..644609a58c9 --- /dev/null +++ b/queue-5.17/scsi-pm80xx-mask-and-unmask-upper-interrupt-vectors-.patch @@ -0,0 +1,73 @@ +From b7a1b801ab1c9b1fac3b62d22366e6f418235a14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 12:16:02 +0530 +Subject: scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63 + +From: Ajish Koshy + +[ Upstream commit 294080eacf92a0781e6d43663448a55001ec8c64 ] + +When upper inbound and outbound queues 32-63 are enabled, we see upper +vectors 32-63 in interrupt service routine. We need corresponding registers +to handle masking and unmasking of these upper interrupts. + +To achieve this, we use registers MSGU_ODMR_U(0x34) to mask and +MSGU_ODMR_CLR_U(0x3C) to unmask the interrupts. In these registers bit 0-31 +represents interrupt vectors 32-63. + +Link: https://lore.kernel.org/r/20220411064603.668448-2-Ajish.Koshy@microchip.com +Fixes: 05c6c029a44d ("scsi: pm80xx: Increase number of supported queues") +Reviewed-by: John Garry +Acked-by: Jack Wang +Signed-off-by: Ajish Koshy +Signed-off-by: Viswas G +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm80xx_hwi.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c +index 55163469030d..2dea48933ef9 100644 +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -1734,10 +1734,11 @@ static void + pm80xx_chip_interrupt_enable(struct pm8001_hba_info *pm8001_ha, u8 vec) + { + #ifdef PM8001_USE_MSIX +- u32 mask; +- mask = (u32)(1 << vec); +- +- pm8001_cw32(pm8001_ha, 0, MSGU_ODMR_CLR, (u32)(mask & 0xFFFFFFFF)); ++ if (vec < 32) ++ pm8001_cw32(pm8001_ha, 0, MSGU_ODMR_CLR, 1U << vec); ++ else ++ pm8001_cw32(pm8001_ha, 0, MSGU_ODMR_CLR_U, ++ 1U << (vec - 32)); + return; + #endif + pm80xx_chip_intx_interrupt_enable(pm8001_ha); +@@ -1753,12 +1754,15 @@ static void + pm80xx_chip_interrupt_disable(struct pm8001_hba_info *pm8001_ha, u8 vec) + { + #ifdef PM8001_USE_MSIX +- u32 mask; +- if (vec == 0xFF) +- mask = 0xFFFFFFFF; ++ if (vec == 0xFF) { ++ /* disable all vectors 0-31, 32-63 */ ++ pm8001_cw32(pm8001_ha, 0, MSGU_ODMR, 0xFFFFFFFF); ++ pm8001_cw32(pm8001_ha, 0, MSGU_ODMR_U, 0xFFFFFFFF); ++ } else if (vec < 32) ++ pm8001_cw32(pm8001_ha, 0, MSGU_ODMR, 1U << vec); + else +- mask = (u32)(1 << vec); +- pm8001_cw32(pm8001_ha, 0, MSGU_ODMR, (u32)(mask & 0xFFFFFFFF)); ++ pm8001_cw32(pm8001_ha, 0, MSGU_ODMR_U, ++ 1U << (vec - 32)); + return; + #endif + pm80xx_chip_intx_interrupt_disable(pm8001_ha); +-- +2.35.1 + diff --git a/queue-5.17/scsi-target-tcmu-fix-possible-page-uaf.patch b/queue-5.17/scsi-target-tcmu-fix-possible-page-uaf.patch new file mode 100644 index 00000000000..df872d7651f --- /dev/null +++ b/queue-5.17/scsi-target-tcmu-fix-possible-page-uaf.patch @@ -0,0 +1,57 @@ +From 3f503b19071aada9a4db1404cb320a8f22172f8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 21:22:05 +0800 +Subject: scsi: target: tcmu: Fix possible page UAF + +From: Xiaoguang Wang + +[ Upstream commit a6968f7a367f128d120447360734344d5a3d5336 ] + +tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not +take refcount properly and just returns page pointer. When +tcmu_try_get_data_page() returns, the returned page may have been freed by +tcmu_blocks_release(). + +We need to get_page() under cmdr_lock to avoid concurrent +tcmu_blocks_release(). + +Link: https://lore.kernel.org/r/20220311132206.24515-1-xiaoguang.wang@linux.alibaba.com +Reviewed-by: Bodo Stroesser +Signed-off-by: Xiaoguang Wang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_user.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c +index 7b2a89a67cdb..06a5c4086551 100644 +--- a/drivers/target/target_core_user.c ++++ b/drivers/target/target_core_user.c +@@ -1820,6 +1820,7 @@ static struct page *tcmu_try_get_data_page(struct tcmu_dev *udev, uint32_t dpi) + mutex_lock(&udev->cmdr_lock); + page = xa_load(&udev->data_pages, dpi); + if (likely(page)) { ++ get_page(page); + mutex_unlock(&udev->cmdr_lock); + return page; + } +@@ -1876,6 +1877,7 @@ static vm_fault_t tcmu_vma_fault(struct vm_fault *vmf) + /* For the vmalloc()ed cmd area pages */ + addr = (void *)(unsigned long)info->mem[mi].addr + offset; + page = vmalloc_to_page(addr); ++ get_page(page); + } else { + uint32_t dpi; + +@@ -1886,7 +1888,6 @@ static vm_fault_t tcmu_vma_fault(struct vm_fault *vmf) + return VM_FAULT_SIGBUS; + } + +- get_page(page); + vmf->page = page; + return 0; + } +-- +2.35.1 + diff --git a/queue-5.17/sctp-initialize-daddr-on-peeled-off-socket.patch b/queue-5.17/sctp-initialize-daddr-on-peeled-off-socket.patch new file mode 100644 index 00000000000..00aac374fdc --- /dev/null +++ b/queue-5.17/sctp-initialize-daddr-on-peeled-off-socket.patch @@ -0,0 +1,40 @@ +From ac5bc88498f59ff84fc39d99e4ff86d4e258d5e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Apr 2022 08:36:11 +0200 +Subject: sctp: Initialize daddr on peeled off socket + +From: Petr Malat + +[ Upstream commit 8467dda0c26583547731e7f3ea73fc3856bae3bf ] + +Function sctp_do_peeloff() wrongly initializes daddr of the original +socket instead of the peeled off socket, which makes getpeername() +return zeroes instead of the primary address. Initialize the new socket +instead. + +Fixes: d570ee490fb1 ("[SCTP]: Correctly set daddr for IPv6 sockets during peeloff") +Signed-off-by: Petr Malat +Acked-by: Marcelo Ricardo Leitner +Link: https://lore.kernel.org/r/20220409063611.673193-1-oss@malat.biz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 3e1a9600be5e..7b0427658056 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -5636,7 +5636,7 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp) + * Set the daddr and initialize id to something more random and also + * copy over any ip options. + */ +- sp->pf->to_sk_daddr(&asoc->peer.primary_addr, sk); ++ sp->pf->to_sk_daddr(&asoc->peer.primary_addr, sock->sk); + sp->pf->copy_ip_options(sk, sock->sk); + + /* Populate the fields of the newsk from the oldsk and migrate the +-- +2.35.1 + diff --git a/queue-5.17/sctp-use-the-correct-skb-for-security_sctp_assoc_req.patch b/queue-5.17/sctp-use-the-correct-skb-for-security_sctp_assoc_req.patch new file mode 100644 index 00000000000..974726b1ce3 --- /dev/null +++ b/queue-5.17/sctp-use-the-correct-skb-for-security_sctp_assoc_req.patch @@ -0,0 +1,69 @@ +From 2d128bd144a7b26fb8cca7c6f894bc7e140c39fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 09:24:22 -0400 +Subject: sctp: use the correct skb for security_sctp_assoc_request + +From: Xin Long + +[ Upstream commit e2d88f9ce678cd33763826ae2f0412f181251314 ] + +Yi Chen reported an unexpected sctp connection abort, and it occurred when +COOKIE_ECHO is bundled with DATA Fragment by SCTP HW GSO. As the IP header +is included in chunk->head_skb instead of chunk->skb, it failed to check +IP header version in security_sctp_assoc_request(). + +According to Ondrej, SELinux only looks at IP header (address and IPsec +options) and XFRM state data, and these are all included in head_skb for +SCTP HW GSO packets. So fix it by using head_skb when calling +security_sctp_assoc_request() in processing COOKIE_ECHO. + +v1->v2: + - As Ondrej noticed, chunk->head_skb should also be used for + security_sctp_assoc_established() in sctp_sf_do_5_1E_ca(). + +Fixes: e215dab1c490 ("security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce") +Reported-by: Yi Chen +Signed-off-by: Xin Long +Reviewed-by: Ondrej Mosnacek +Acked-by: Marcelo Ricardo Leitner +Link: https://lore.kernel.org/r/71becb489e51284edf0c11fc15246f4ed4cef5b6.1649337862.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/sm_statefuns.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index 7f342bc12735..52edee1322fc 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -781,7 +781,7 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net, + } + } + +- if (security_sctp_assoc_request(new_asoc, chunk->skb)) { ++ if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { + sctp_association_free(new_asoc); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } +@@ -932,7 +932,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net, + + /* Set peer label for connection. */ + if (security_sctp_assoc_established((struct sctp_association *)asoc, +- chunk->skb)) ++ chunk->head_skb ?: chunk->skb)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + + /* Verify that the chunk length for the COOKIE-ACK is OK. +@@ -2262,7 +2262,7 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook( + } + + /* Update socket peer label if first association. */ +- if (security_sctp_assoc_request(new_asoc, chunk->skb)) { ++ if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) { + sctp_association_free(new_asoc); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } +-- +2.35.1 + diff --git a/queue-5.17/series b/queue-5.17/series index 8eb21f1b368..9f81d2c8094 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -55,3 +55,120 @@ alsa-via82xx-fix-the-missing-snd_card_free-call-at-probe-error.patch alsa-usb-audio-cap-upper-limits-of-buffer-period-bytes-for-implicit-fb.patch alsa-memalloc-add-fallback-sg-buffer-allocations-for-x86.patch alsa-nm256-don-t-call-card-private_free-at-probe-error-path.patch +drm-msm-add-missing-put_task_struct-in-debugfs-path.patch +nfsd-fix-a-write-performance-regression.patch +firmware-arm_scmi-remove-clear-channel-call-on-the-t.patch +memory-atmel-ebi-fix-missing-of_node_put-in-atmel_eb.patch +revert-ath11k-mesh-add-support-for-256-bitmap-in-blo.patch +firmware-arm_scmi-fix-sorting-of-retrieved-clock-rat.patch +media-rockchip-rga-do-proper-error-checking-in-probe.patch +kvm-arm64-generalise-vm-features-into-a-set-of-flags.patch +kvm-arm64-mixed-width-check-should-be-skipped-for-un.patch +sunrpc-fix-the-svc_deferred_event-trace-class.patch +net-sched-flower-fix-parsing-of-ethertype-following-.patch +veth-ensure-eth-header-is-in-skb-s-linear-part.patch +gpiolib-acpi-use-correct-format-characters.patch +cifs-release-cached-dentries-only-if-mount-is-comple.patch +ice-arfs-fix-use-after-free-when-freeing-rx_cpu_rmap.patch +revert-iavf-fix-deadlock-occurrence-during-resetting.patch +net-mdio-don-t-defer-probe-forever-if-phy-irq-provid.patch +mlxsw-i2c-fix-initialization-error-flow.patch +sctp-use-the-correct-skb-for-security_sctp_assoc_req.patch +net-sched-fix-initialization-order-when-updating-cha.patch +cachefiles-unmark-inode-in-use-in-error-path.patch +cachefiles-fix-kasan-slab-out-of-bounds-in-cachefile.patch +net-dsa-felix-suppress-eprobe_defer-errors.patch +kvm-selftests-riscv-set-pte-a-and-d-bits-in-vs-stage.patch +kvm-selftests-riscv-fix-alignment-of-the-guest_hang-.patch +risc-v-kvm-include-missing-hwcap.h-into-vcpu_fp.patch +io_uring-flag-the-fact-that-linked-file-assignment-i.patch +net-ethernet-stmmac-fix-altr_tse_pcs-function-when-u.patch +net-sched-taprio-check-if-socket-flags-are-valid.patch +cfg80211-hold-bss_lock-while-updating-nontrans_list.patch +mac80211-fix-ht_capa-printout-in-debugfs.patch +netfilter-nft_socket-make-cgroup-match-work-in-input.patch +drm-msm-fix-range-size-vs-end-confusion.patch +drm-msm-dsi-use-connector-directly-in-msm_dsi_manage.patch +drm-msm-dp-add-fail-safe-mode-outside-of-event_mutex.patch +io_uring-stop-using-io_wq_work-as-an-fd-placeholder.patch +net-smc-use-memcpy-instead-of-snprintf-to-avoid-out-.patch +net-smc-fix-null-pointer-dereference-in-smc_pnet_fin.patch +scsi-pm80xx-mask-and-unmask-upper-interrupt-vectors-.patch +scsi-pm80xx-enable-upper-inbound-outbound-queues.patch +scsi-iscsi-move-iscsi_ep_disconnect.patch +scsi-iscsi-fix-offload-conn-cleanup-when-iscsid-rest.patch +scsi-iscsi-fix-endpoint-reuse-regression.patch +scsi-iscsi-fix-conn-cleanup-and-stop-race-during-isc.patch +scsi-iscsi-fix-unbound-endpoint-error-handling.patch +sctp-initialize-daddr-on-peeled-off-socket.patch +net-lan966x-fix-when-a-port-s-upper-is-changed.patch +net-lan966x-stop-processing-the-mac-entry-is-port-is.patch +netfilter-nf_tables-nft_parse_register-can-return-a-.patch +io_uring-fix-assign-file-locking-issue.patch +alsa-ad1889-fix-the-missing-snd_card_free-call-at-pr.patch +alsa-mtpav-don-t-call-card-private_free-at-probe-err.patch +io_uring-move-io_uring_rsrc_update2-validation.patch +io_uring-verify-that-resv2-is-0-in-io_uring_rsrc_upd.patch +io_uring-verify-pad-field-is-0-in-io_get_ext_arg.patch +testing-selftests-mqueue-fix-mq_perf_tests-to-free-t.patch +alsa-usb-audio-increase-max-buffer-size.patch +alsa-usb-audio-limit-max-buffer-and-period-sizes-per.patch +perf-tools-fix-misleading-add-event-pmu-debug-messag.patch +macvlan-fix-leaking-skb-in-source-mode-with-nodst-op.patch +net-ftgmac100-access-hardware-register-after-clock-r.patch +nfc-nci-add-flush_workqueue-to-prevent-uaf.patch +cifs-potential-buffer-overflow-in-handling-symlinks.patch +dm-mpath-only-use-ktime_get_ns-in-historical-selecto.patch +vfio-pci-fix-vf_token-mechanism-when-device-specific.patch +tun-annotate-access-to-queue-trans_start.patch +net-dsa-felix-fix-tagging-protocol-changes-with-mult.patch +net-bcmgenet-revert-use-stronger-register-read-write.patch +block-fix-offset-size-check-in-bio_trim.patch +block-null_blk-end-timed-out-poll-request.patch +io_uring-abort-file-assignment-prior-to-assigning-cr.patch +kvm-ppc-book3s-hv-p9-fix-lost-kick-race.patch +drm-amd-add-usbc-connector-id.patch +btrfs-fix-fallocate-to-use-file_modified-to-update-p.patch +btrfs-do-not-warn-for-free-space-inode-in-cow_file_r.patch +drm-amdgpu-conduct-a-proper-cleanup-of-pdb-bo.patch +drm-amdgpu-gmc-use-pci-bars-for-apus-in-passthrough.patch +drm-amd-display-fix-audio-format-not-updated-after-e.patch +drm-amd-display-fec-check-in-timing-validation.patch +drm-amd-display-update-vtem-infopacket-definition.patch +drm-amdkfd-fix-incorrect-vmids-passed-to-hws.patch +drm-amdgpu-vcn-improve-vcn-dpg-stop-procedure.patch +drm-amdkfd-check-for-potential-null-return-of-kmallo.patch +drivers-hv-vmbus-deactivate-sysctl_record_panic_msg-.patch +drivers-hv-vmbus-propagate-vmbus-coherence-to-each-v.patch +pci-hv-propagate-coherence-from-vmbus-device-to-pci-.patch +drivers-hv-vmbus-prevent-load-re-ordering-when-readi.patch +scsi-target-tcmu-fix-possible-page-uaf.patch +scsi-lpfc-improve-pci-eeh-error-and-recovery-handlin.patch +scsi-lpfc-fix-unload-hang-after-back-to-back-pci-eeh.patch +scsi-lpfc-fix-queue-failures-when-recovering-from-pc.patch +scsi-ibmvscsis-increase-initial_srp_limit-to-1024.patch +net-micrel-fix-ks8851_mll-kconfig.patch +ata-libata-core-disable-read-log-dma-ext-for-samsung.patch +gpu-ipu-v3-fix-dev_dbg-frequency-output.patch +regulator-wm8994-add-an-off-on-delay-for-wm8994-vari.patch +static_call-properly-initialise-define_static_call_r.patch +arm64-alternatives-mark-patch_alternative-as-noinstr.patch +tlb-hugetlb-add-more-sizes-to-tlb_remove_huge_tlb_en.patch +net-axienet-setup-mdio-unconditionally.patch +drivers-hv-balloon-disable-balloon-and-hot-add-accor.patch +net-usb-aqc111-fix-out-of-bounds-accesses-in-rx-fixu.patch +myri10ge-fix-an-incorrect-free-for-skb-in-myri10ge_s.patch +spi-cadence-quadspi-fix-protocol-setup-for-non-1-1-x.patch +drm-amd-display-correct-slice-reset-calculation.patch +drm-amd-display-enable-power-gating-before-init_pipe.patch +drm-amd-display-revert-fec-check-in-validation.patch +drm-amd-display-fix-allocate_mst_payload-assert-on-r.patch +drbd-set-queue_flag_stable_writes.patch +scsi-mpt3sas-fail-reset-operation-if-config-request-.patch +scsi-mvsas-add-pci-id-of-rocketraid-2640.patch +scsi-megaraid_sas-target-with-invalid-lun-id-is-dele.patch +drivers-net-slip-fix-npd-bug-in-sl_tx_timeout.patch +x86-bpf-avoid-ibt-objtool-warning.patch +io_uring-zero-tag-on-rsrc-removal.patch +io_uring-use-nospec-annotation-for-more-indexes.patch +perf-imx_ddr-fix-undefined-behavior-due-to-shift-ove.patch diff --git a/queue-5.17/spi-cadence-quadspi-fix-protocol-setup-for-non-1-1-x.patch b/queue-5.17/spi-cadence-quadspi-fix-protocol-setup-for-non-1-1-x.patch new file mode 100644 index 00000000000..94d65b244f2 --- /dev/null +++ b/queue-5.17/spi-cadence-quadspi-fix-protocol-setup-for-non-1-1-x.patch @@ -0,0 +1,131 @@ +From 1692a3025bdd929307a6fd02a5859b1d7ae56b5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 13:08:19 +0200 +Subject: spi: cadence-quadspi: fix protocol setup for non-1-1-X operations + +From: Matthias Schiffer + +[ Upstream commit 97e4827d775faa9a32b5e1a97959c69dd77d17a3 ] + +cqspi_set_protocol() only set the data width, but ignored the command +and address width (except for 8-8-8 DTR ops), leading to corruption of +all transfers using 1-X-X or X-X-X ops. Fix by setting the other two +widths as well. + +While we're at it, simplify the code a bit by replacing the +CQSPI_INST_TYPE_* constants with ilog2(). + +Tested on a TI AM64x with a Macronix MX25U51245G QSPI flash with 1-4-4 +read and write operations. + +Signed-off-by: Matthias Schiffer +Link: https://lore.kernel.org/r/20220331110819.133392-1-matthias.schiffer@ew.tq-group.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence-quadspi.c | 46 ++++++++----------------------- + 1 file changed, 12 insertions(+), 34 deletions(-) + +diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c +index b808c94641fa..75f356041138 100644 +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -102,12 +103,6 @@ struct cqspi_driver_platdata { + #define CQSPI_TIMEOUT_MS 500 + #define CQSPI_READ_TIMEOUT_MS 10 + +-/* Instruction type */ +-#define CQSPI_INST_TYPE_SINGLE 0 +-#define CQSPI_INST_TYPE_DUAL 1 +-#define CQSPI_INST_TYPE_QUAD 2 +-#define CQSPI_INST_TYPE_OCTAL 3 +- + #define CQSPI_DUMMY_CLKS_PER_BYTE 8 + #define CQSPI_DUMMY_BYTES_MAX 4 + #define CQSPI_DUMMY_CLKS_MAX 31 +@@ -376,10 +371,6 @@ static unsigned int cqspi_calc_dummy(const struct spi_mem_op *op, bool dtr) + static int cqspi_set_protocol(struct cqspi_flash_pdata *f_pdata, + const struct spi_mem_op *op) + { +- f_pdata->inst_width = CQSPI_INST_TYPE_SINGLE; +- f_pdata->addr_width = CQSPI_INST_TYPE_SINGLE; +- f_pdata->data_width = CQSPI_INST_TYPE_SINGLE; +- + /* + * For an op to be DTR, cmd phase along with every other non-empty + * phase should have dtr field set to 1. If an op phase has zero +@@ -389,32 +380,23 @@ static int cqspi_set_protocol(struct cqspi_flash_pdata *f_pdata, + (!op->addr.nbytes || op->addr.dtr) && + (!op->data.nbytes || op->data.dtr); + +- switch (op->data.buswidth) { +- case 0: +- break; +- case 1: +- f_pdata->data_width = CQSPI_INST_TYPE_SINGLE; +- break; +- case 2: +- f_pdata->data_width = CQSPI_INST_TYPE_DUAL; +- break; +- case 4: +- f_pdata->data_width = CQSPI_INST_TYPE_QUAD; +- break; +- case 8: +- f_pdata->data_width = CQSPI_INST_TYPE_OCTAL; +- break; +- default: +- return -EINVAL; +- } ++ f_pdata->inst_width = 0; ++ if (op->cmd.buswidth) ++ f_pdata->inst_width = ilog2(op->cmd.buswidth); ++ ++ f_pdata->addr_width = 0; ++ if (op->addr.buswidth) ++ f_pdata->addr_width = ilog2(op->addr.buswidth); ++ ++ f_pdata->data_width = 0; ++ if (op->data.buswidth) ++ f_pdata->data_width = ilog2(op->data.buswidth); + + /* Right now we only support 8-8-8 DTR mode. */ + if (f_pdata->dtr) { + switch (op->cmd.buswidth) { + case 0: +- break; + case 8: +- f_pdata->inst_width = CQSPI_INST_TYPE_OCTAL; + break; + default: + return -EINVAL; +@@ -422,9 +404,7 @@ static int cqspi_set_protocol(struct cqspi_flash_pdata *f_pdata, + + switch (op->addr.buswidth) { + case 0: +- break; + case 8: +- f_pdata->addr_width = CQSPI_INST_TYPE_OCTAL; + break; + default: + return -EINVAL; +@@ -432,9 +412,7 @@ static int cqspi_set_protocol(struct cqspi_flash_pdata *f_pdata, + + switch (op->data.buswidth) { + case 0: +- break; + case 8: +- f_pdata->data_width = CQSPI_INST_TYPE_OCTAL; + break; + default: + return -EINVAL; +-- +2.35.1 + diff --git a/queue-5.17/static_call-properly-initialise-define_static_call_r.patch b/queue-5.17/static_call-properly-initialise-define_static_call_r.patch new file mode 100644 index 00000000000..67b5f917eec --- /dev/null +++ b/queue-5.17/static_call-properly-initialise-define_static_call_r.patch @@ -0,0 +1,129 @@ +From b4f189026e86bc2142f11ef584326b0a8bce0fc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Mar 2022 11:27:35 +0100 +Subject: static_call: Properly initialise DEFINE_STATIC_CALL_RET0() + +From: Christophe Leroy + +[ Upstream commit 5517d500829c683a358a8de04ecb2e28af629ae5 ] + +When a static call is updated with __static_call_return0() as target, +arch_static_call_transform() set it to use an optimised set of +instructions which are meant to lay in the same cacheline. + +But when initialising a static call with DEFINE_STATIC_CALL_RET0(), +we get a branch to the real __static_call_return0() function instead +of getting the optimised setup: + + c00d8120 <__SCT__perf_snapshot_branch_stack>: + c00d8120: 4b ff ff f4 b c00d8114 <__static_call_return0> + c00d8124: 3d 80 c0 0e lis r12,-16370 + c00d8128: 81 8c 81 3c lwz r12,-32452(r12) + c00d812c: 7d 89 03 a6 mtctr r12 + c00d8130: 4e 80 04 20 bctr + c00d8134: 38 60 00 00 li r3,0 + c00d8138: 4e 80 00 20 blr + c00d813c: 00 00 00 00 .long 0x0 + +Add ARCH_DEFINE_STATIC_CALL_RET0_TRAMP() defined by each architecture +to setup the optimised configuration, and rework +DEFINE_STATIC_CALL_RET0() to call it: + + c00d8120 <__SCT__perf_snapshot_branch_stack>: + c00d8120: 48 00 00 14 b c00d8134 <__SCT__perf_snapshot_branch_stack+0x14> + c00d8124: 3d 80 c0 0e lis r12,-16370 + c00d8128: 81 8c 81 3c lwz r12,-32452(r12) + c00d812c: 7d 89 03 a6 mtctr r12 + c00d8130: 4e 80 04 20 bctr + c00d8134: 38 60 00 00 li r3,0 + c00d8138: 4e 80 00 20 blr + c00d813c: 00 00 00 00 .long 0x0 + +Signed-off-by: Christophe Leroy +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Josh Poimboeuf +Link: https://lore.kernel.org/r/1e0a61a88f52a460f62a58ffc2a5f847d1f7d9d8.1647253456.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/static_call.h | 1 + + arch/x86/include/asm/static_call.h | 2 ++ + include/linux/static_call.h | 20 +++++++++++++++++--- + 3 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/include/asm/static_call.h b/arch/powerpc/include/asm/static_call.h +index 0a0bc79bd1fa..de1018cc522b 100644 +--- a/arch/powerpc/include/asm/static_call.h ++++ b/arch/powerpc/include/asm/static_call.h +@@ -24,5 +24,6 @@ + + #define ARCH_DEFINE_STATIC_CALL_TRAMP(name, func) __PPC_SCT(name, "b " #func) + #define ARCH_DEFINE_STATIC_CALL_NULL_TRAMP(name) __PPC_SCT(name, "blr") ++#define ARCH_DEFINE_STATIC_CALL_RET0_TRAMP(name) __PPC_SCT(name, "b .+20") + + #endif /* _ASM_POWERPC_STATIC_CALL_H */ +diff --git a/arch/x86/include/asm/static_call.h b/arch/x86/include/asm/static_call.h +index ed4f8bb6c2d9..2455d721503e 100644 +--- a/arch/x86/include/asm/static_call.h ++++ b/arch/x86/include/asm/static_call.h +@@ -38,6 +38,8 @@ + #define ARCH_DEFINE_STATIC_CALL_NULL_TRAMP(name) \ + __ARCH_DEFINE_STATIC_CALL_TRAMP(name, "ret; int3; nop; nop; nop") + ++#define ARCH_DEFINE_STATIC_CALL_RET0_TRAMP(name) \ ++ ARCH_DEFINE_STATIC_CALL_TRAMP(name, __static_call_return0) + + #define ARCH_ADD_TRAMP_KEY(name) \ + asm(".pushsection .static_call_tramp_key, \"a\" \n" \ +diff --git a/include/linux/static_call.h b/include/linux/static_call.h +index fcc5b48989b3..3c50b0fdda16 100644 +--- a/include/linux/static_call.h ++++ b/include/linux/static_call.h +@@ -196,6 +196,14 @@ extern long __static_call_return0(void); + }; \ + ARCH_DEFINE_STATIC_CALL_NULL_TRAMP(name) + ++#define DEFINE_STATIC_CALL_RET0(name, _func) \ ++ DECLARE_STATIC_CALL(name, _func); \ ++ struct static_call_key STATIC_CALL_KEY(name) = { \ ++ .func = __static_call_return0, \ ++ .type = 1, \ ++ }; \ ++ ARCH_DEFINE_STATIC_CALL_RET0_TRAMP(name) ++ + #define static_call_cond(name) (void)__static_call(name) + + #define EXPORT_STATIC_CALL(name) \ +@@ -231,6 +239,12 @@ static inline int static_call_init(void) { return 0; } + }; \ + ARCH_DEFINE_STATIC_CALL_NULL_TRAMP(name) + ++#define DEFINE_STATIC_CALL_RET0(name, _func) \ ++ DECLARE_STATIC_CALL(name, _func); \ ++ struct static_call_key STATIC_CALL_KEY(name) = { \ ++ .func = __static_call_return0, \ ++ }; \ ++ ARCH_DEFINE_STATIC_CALL_RET0_TRAMP(name) + + #define static_call_cond(name) (void)__static_call(name) + +@@ -284,6 +298,9 @@ static inline long __static_call_return0(void) + .func = NULL, \ + } + ++#define DEFINE_STATIC_CALL_RET0(name, _func) \ ++ __DEFINE_STATIC_CALL(name, _func, __static_call_return0) ++ + static inline void __static_call_nop(void) { } + + /* +@@ -327,7 +344,4 @@ static inline int static_call_text_reserved(void *start, void *end) + #define DEFINE_STATIC_CALL(name, _func) \ + __DEFINE_STATIC_CALL(name, _func, _func) + +-#define DEFINE_STATIC_CALL_RET0(name, _func) \ +- __DEFINE_STATIC_CALL(name, _func, __static_call_return0) +- + #endif /* _LINUX_STATIC_CALL_H */ +-- +2.35.1 + diff --git a/queue-5.17/sunrpc-fix-the-svc_deferred_event-trace-class.patch b/queue-5.17/sunrpc-fix-the-svc_deferred_event-trace-class.patch new file mode 100644 index 00000000000..ae022fbe9f6 --- /dev/null +++ b/queue-5.17/sunrpc-fix-the-svc_deferred_event-trace-class.patch @@ -0,0 +1,71 @@ +From 2e4bc3920c242098f592b49fd56b5e3ec2c90941 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 13:51:32 -0400 +Subject: SUNRPC: Fix the svc_deferred_event trace class + +From: Chuck Lever + +[ Upstream commit 4d5004451ab2218eab94a30e1841462c9316ba19 ] + +Fix a NULL deref crash that occurs when an svc_rqst is deferred +while the sunrpc tracing subsystem is enabled. svc_revisit() sets +dr->xprt to NULL, so it can't be relied upon in the tracepoint to +provide the remote's address. + +Unfortunately we can't revert the "svc_deferred_class" hunk in +commit ece200ddd54b ("sunrpc: Save remote presentation address in +svc_xprt for trace events") because there is now a specific check +of event format specifiers for unsafe dereferences. The warning +that check emits is: + + event svc_defer_recv has unsafe dereference of argument 1 + +A "%pISpc" format specifier with a "struct sockaddr *" is indeed +flagged by this check. + +Instead, take the brute-force approach used by the svcrdma_qp_error +tracepoint. Convert the dr::addr field into a presentation address +in the TP_fast_assign() arm of the trace event, and store that as +a string. This fix can be backported to -stable kernels. + +In the meantime, commit c6ced22997ad ("tracing: Update print fmt +check to handle new __get_sockaddr() macro") is now in v5.18, so +this wonky fix can be replaced with __sockaddr() and friends +properly during the v5.19 merge window. + +Fixes: ece200ddd54b ("sunrpc: Save remote presentation address in svc_xprt for trace events") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + include/trace/events/sunrpc.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h +index 5be3faf88c1a..06fe47fb3686 100644 +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -1956,17 +1956,18 @@ DECLARE_EVENT_CLASS(svc_deferred_event, + TP_STRUCT__entry( + __field(const void *, dr) + __field(u32, xid) +- __string(addr, dr->xprt->xpt_remotebuf) ++ __array(__u8, addr, INET6_ADDRSTRLEN + 10) + ), + + TP_fast_assign( + __entry->dr = dr; + __entry->xid = be32_to_cpu(*(__be32 *)(dr->args + + (dr->xprt_hlen>>2))); +- __assign_str(addr, dr->xprt->xpt_remotebuf); ++ snprintf(__entry->addr, sizeof(__entry->addr) - 1, ++ "%pISpc", (struct sockaddr *)&dr->addr); + ), + +- TP_printk("addr=%s dr=%p xid=0x%08x", __get_str(addr), __entry->dr, ++ TP_printk("addr=%s dr=%p xid=0x%08x", __entry->addr, __entry->dr, + __entry->xid) + ); + +-- +2.35.1 + diff --git a/queue-5.17/testing-selftests-mqueue-fix-mq_perf_tests-to-free-t.patch b/queue-5.17/testing-selftests-mqueue-fix-mq_perf_tests-to-free-t.patch new file mode 100644 index 00000000000..44a0cb28a48 --- /dev/null +++ b/queue-5.17/testing-selftests-mqueue-fix-mq_perf_tests-to-free-t.patch @@ -0,0 +1,105 @@ +From a6776f40e9d1910e4365e481522abf2ed76ae464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 12:54:31 +0530 +Subject: testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu + set + +From: Athira Rajeev + +[ Upstream commit ce64763c63854b4079f2e036638aa881a1fb3fbc ] + +The selftest "mqueue/mq_perf_tests.c" use CPU_ALLOC to allocate +CPU set. This cpu set is used further in pthread_attr_setaffinity_np +and by pthread_create in the code. But in current code, allocated +cpu set is not freed. + +Fix this issue by adding CPU_FREE in the "shutdown" function which +is called in most of the error/exit path for the cleanup. There are +few error paths which exit without using shutdown. Add a common goto +error path with CPU_FREE for these cases. + +Fixes: 7820b0715b6f ("tools/selftests: add mq_perf_tests") +Signed-off-by: Athira Rajeev +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../testing/selftests/mqueue/mq_perf_tests.c | 25 +++++++++++++------ + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/tools/testing/selftests/mqueue/mq_perf_tests.c b/tools/testing/selftests/mqueue/mq_perf_tests.c +index b019e0b8221c..84fda3b49073 100644 +--- a/tools/testing/selftests/mqueue/mq_perf_tests.c ++++ b/tools/testing/selftests/mqueue/mq_perf_tests.c +@@ -180,6 +180,9 @@ void shutdown(int exit_val, char *err_cause, int line_no) + if (in_shutdown++) + return; + ++ /* Free the cpu_set allocated using CPU_ALLOC in main function */ ++ CPU_FREE(cpu_set); ++ + for (i = 0; i < num_cpus_to_pin; i++) + if (cpu_threads[i]) { + pthread_kill(cpu_threads[i], SIGUSR1); +@@ -551,6 +554,12 @@ int main(int argc, char *argv[]) + perror("sysconf(_SC_NPROCESSORS_ONLN)"); + exit(1); + } ++ ++ if (getuid() != 0) ++ ksft_exit_skip("Not running as root, but almost all tests " ++ "require root in order to modify\nsystem settings. " ++ "Exiting.\n"); ++ + cpus_online = min(MAX_CPUS, sysconf(_SC_NPROCESSORS_ONLN)); + cpu_set = CPU_ALLOC(cpus_online); + if (cpu_set == NULL) { +@@ -589,7 +598,7 @@ int main(int argc, char *argv[]) + cpu_set)) { + fprintf(stderr, "Any given CPU may " + "only be given once.\n"); +- exit(1); ++ goto err_code; + } else + CPU_SET_S(cpus_to_pin[cpu], + cpu_set_size, cpu_set); +@@ -607,7 +616,7 @@ int main(int argc, char *argv[]) + queue_path = malloc(strlen(option) + 2); + if (!queue_path) { + perror("malloc()"); +- exit(1); ++ goto err_code; + } + queue_path[0] = '/'; + queue_path[1] = 0; +@@ -622,17 +631,12 @@ int main(int argc, char *argv[]) + fprintf(stderr, "Must pass at least one CPU to continuous " + "mode.\n"); + poptPrintUsage(popt_context, stderr, 0); +- exit(1); ++ goto err_code; + } else if (!continuous_mode) { + num_cpus_to_pin = 1; + cpus_to_pin[0] = cpus_online - 1; + } + +- if (getuid() != 0) +- ksft_exit_skip("Not running as root, but almost all tests " +- "require root in order to modify\nsystem settings. " +- "Exiting.\n"); +- + max_msgs = fopen(MAX_MSGS, "r+"); + max_msgsize = fopen(MAX_MSGSIZE, "r+"); + if (!max_msgs) +@@ -740,4 +744,9 @@ int main(int argc, char *argv[]) + sleep(1); + } + shutdown(0, "", 0); ++ ++err_code: ++ CPU_FREE(cpu_set); ++ exit(1); ++ + } +-- +2.35.1 + diff --git a/queue-5.17/tlb-hugetlb-add-more-sizes-to-tlb_remove_huge_tlb_en.patch b/queue-5.17/tlb-hugetlb-add-more-sizes-to-tlb_remove_huge_tlb_en.patch new file mode 100644 index 00000000000..881be38fc1c --- /dev/null +++ b/queue-5.17/tlb-hugetlb-add-more-sizes-to-tlb_remove_huge_tlb_en.patch @@ -0,0 +1,66 @@ +From 05a9f6f2b0aaa7cc212e7a270861ba9e84227601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Mar 2022 12:25:43 +0100 +Subject: tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry + +From: Steve Capper + +[ Upstream commit 697a1d44af8ba0477ee729e632f4ade37999249a ] + +tlb_remove_huge_tlb_entry only considers PMD_SIZE and PUD_SIZE when +updating the mmu_gather structure. + +Unfortunately on arm64 there are two additional huge page sizes that +need to be covered: CONT_PTE_SIZE and CONT_PMD_SIZE. Where an end-user +attempts to employ contiguous huge pages, a VM_BUG_ON can be experienced +due to the fact that the tlb structure hasn't been correctly updated by +the relevant tlb_flush_p.._range() call from tlb_remove_huge_tlb_entry. + +This patch adds inequality logic to the generic implementation of +tlb_remove_huge_tlb_entry s.t. CONT_PTE_SIZE and CONT_PMD_SIZE are +effectively covered on arm64. Also, as well as ptes, pmds and puds; +p4ds are now considered too. + +Reported-by: David Hildenbrand +Suggested-by: Peter Zijlstra (Intel) +Cc: Anshuman Khandual +Cc: Catalin Marinas +Cc: Will Deacon +Link: https://lore.kernel.org/linux-mm/811c5c8e-b3a2-85d2-049c-717f17c3a03a@redhat.com/ +Signed-off-by: Steve Capper +Acked-by: David Hildenbrand +Reviewed-by: Anshuman Khandual +Reviewed-by: Catalin Marinas +Acked-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220330112543.863-1-steve.capper@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + include/asm-generic/tlb.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h +index 2c68a545ffa7..71942a1c642d 100644 +--- a/include/asm-generic/tlb.h ++++ b/include/asm-generic/tlb.h +@@ -565,10 +565,14 @@ static inline void tlb_flush_p4d_range(struct mmu_gather *tlb, + #define tlb_remove_huge_tlb_entry(h, tlb, ptep, address) \ + do { \ + unsigned long _sz = huge_page_size(h); \ +- if (_sz == PMD_SIZE) \ +- tlb_flush_pmd_range(tlb, address, _sz); \ +- else if (_sz == PUD_SIZE) \ ++ if (_sz >= P4D_SIZE) \ ++ tlb_flush_p4d_range(tlb, address, _sz); \ ++ else if (_sz >= PUD_SIZE) \ + tlb_flush_pud_range(tlb, address, _sz); \ ++ else if (_sz >= PMD_SIZE) \ ++ tlb_flush_pmd_range(tlb, address, _sz); \ ++ else \ ++ tlb_flush_pte_range(tlb, address, _sz); \ + __tlb_remove_tlb_entry(tlb, ptep, address); \ + } while (0) + +-- +2.35.1 + diff --git a/queue-5.17/tun-annotate-access-to-queue-trans_start.patch b/queue-5.17/tun-annotate-access-to-queue-trans_start.patch new file mode 100644 index 00000000000..1b07e24d07d --- /dev/null +++ b/queue-5.17/tun-annotate-access-to-queue-trans_start.patch @@ -0,0 +1,41 @@ +From 9a6b9e9a91060c5847c786b6184621736c7c371b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 15:58:52 +0200 +Subject: tun: annotate access to queue->trans_start + +From: Antoine Tenart + +[ Upstream commit 968a1a5d6541cd24e37dadc1926eab9c10aeb09b ] + +Commit 5337824f4dc4 ("net: annotate accesses to queue->trans_start") +introduced a new helper, txq_trans_cond_update, to update +queue->trans_start using WRITE_ONCE. One snippet in drivers/net/tun.c +was missed, as it was introduced roughly at the same time. + +Fixes: 5337824f4dc4 ("net: annotate accesses to queue->trans_start") +Cc: Eric Dumazet +Signed-off-by: Antoine Tenart +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20220412135852.466386-1-atenart@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index de999e0fedbc..aa78d7e00289 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1106,7 +1106,7 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) + + /* NETIF_F_LLTX requires to do our own update of trans_start */ + queue = netdev_get_tx_queue(dev, txq); +- queue->trans_start = jiffies; ++ txq_trans_cond_update(queue); + + /* Notify and wake up reader process */ + if (tfile->flags & TUN_FASYNC) +-- +2.35.1 + diff --git a/queue-5.17/veth-ensure-eth-header-is-in-skb-s-linear-part.patch b/queue-5.17/veth-ensure-eth-header-is-in-skb-s-linear-part.patch new file mode 100644 index 00000000000..071e2a4175e --- /dev/null +++ b/queue-5.17/veth-ensure-eth-header-is-in-skb-s-linear-part.patch @@ -0,0 +1,72 @@ +From 82690036eadaf5650c6a1ca5bc39fd003e4a7fac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 16:18:54 +0200 +Subject: veth: Ensure eth header is in skb's linear part + +From: Guillaume Nault + +[ Upstream commit 726e2c5929de841fdcef4e2bf995680688ae1b87 ] + +After feeding a decapsulated packet to a veth device with act_mirred, +skb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(), +which expects at least ETH_HLEN byte of linear data (as +__dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes +unconditionally). + +Use pskb_may_pull() to ensure veth_xmit() respects this constraint. + +kernel BUG at include/linux/skbuff.h:2328! +RIP: 0010:eth_type_trans+0xcf/0x140 +Call Trace: + + __dev_forward_skb2+0xe3/0x160 + veth_xmit+0x6e/0x250 [veth] + dev_hard_start_xmit+0xc7/0x200 + __dev_queue_xmit+0x47f/0x520 + ? skb_ensure_writable+0x85/0xa0 + ? skb_mpls_pop+0x98/0x1c0 + tcf_mirred_act+0x442/0x47e [act_mirred] + tcf_action_exec+0x86/0x140 + fl_classify+0x1d8/0x1e0 [cls_flower] + ? dma_pte_clear_level+0x129/0x1a0 + ? dma_pte_clear_level+0x129/0x1a0 + ? prb_fill_curr_block+0x2f/0xc0 + ? skb_copy_bits+0x11a/0x220 + __tcf_classify+0x58/0x110 + tcf_classify_ingress+0x6b/0x140 + __netif_receive_skb_core.constprop.0+0x47d/0xfd0 + ? __iommu_dma_unmap_swiotlb+0x44/0x90 + __netif_receive_skb_one_core+0x3d/0xa0 + netif_receive_skb+0x116/0x170 + be_process_rx+0x22f/0x330 [be2net] + be_poll+0x13c/0x370 [be2net] + __napi_poll+0x2a/0x170 + net_rx_action+0x22f/0x2f0 + __do_softirq+0xca/0x2a8 + __irq_exit_rcu+0xc1/0xe0 + common_interrupt+0x83/0xa0 + +Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index d29fb9759cc9..6c8f4f4dfc8a 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -320,7 +320,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + + rcu_read_lock(); + rcv = rcu_dereference(priv->peer); +- if (unlikely(!rcv)) { ++ if (unlikely(!rcv) || !pskb_may_pull(skb, ETH_HLEN)) { + kfree_skb(skb); + goto drop; + } +-- +2.35.1 + diff --git a/queue-5.17/vfio-pci-fix-vf_token-mechanism-when-device-specific.patch b/queue-5.17/vfio-pci-fix-vf_token-mechanism-when-device-specific.patch new file mode 100644 index 00000000000..afb32d8ee0a --- /dev/null +++ b/queue-5.17/vfio-pci-fix-vf_token-mechanism-when-device-specific.patch @@ -0,0 +1,279 @@ +From 580a34d73f9dc699b343764b07397b296ca2c292 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:10:36 -0300 +Subject: vfio/pci: Fix vf_token mechanism when device-specific VF drivers are + used + +From: Jason Gunthorpe + +[ Upstream commit 1ef3342a934e235aca72b4bcc0d6854d80a65077 ] + +get_pf_vdev() tries to check if a PF is a VFIO PF by looking at the driver: + + if (pci_dev_driver(physfn) != pci_dev_driver(vdev->pdev)) { + +However now that we have multiple VF and PF drivers this is no longer +reliable. + +This means that security tests realted to vf_token can be skipped by +mixing and matching different VFIO PCI drivers. + +Instead of trying to use the driver core to find the PF devices maintain a +linked list of all PF vfio_pci_core_device's that we have called +pci_enable_sriov() on. + +When registering a VF just search the list to see if the PF is present and +record the match permanently in the struct. PCI core locking prevents a PF +from passing pci_disable_sriov() while VF drivers are attached so the VFIO +owned PF becomes a static property of the VF. + +In common cases where vfio does not own the PF the global list remains +empty and the VF's pointer is statically NULL. + +This also fixes a lockdep splat from recursive locking of the +vfio_group::device_lock between vfio_device_get_from_name() and +vfio_device_get_from_dev(). If the VF and PF share the same group this +would deadlock. + +Fixes: ff53edf6d6ab ("vfio/pci: Split the pci_driver code out of vfio_pci_core.c") +Signed-off-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/0-v3-876570980634+f2e8-vfio_vf_token_jgg@nvidia.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_core.c | 124 ++++++++++++++++++------------- + include/linux/vfio_pci_core.h | 2 + + 2 files changed, 76 insertions(+), 50 deletions(-) + +diff --git a/drivers/vfio/pci/vfio_pci_core.c b/drivers/vfio/pci/vfio_pci_core.c +index 2e6409cc11ad..ef54ef11af55 100644 +--- a/drivers/vfio/pci/vfio_pci_core.c ++++ b/drivers/vfio/pci/vfio_pci_core.c +@@ -36,6 +36,10 @@ static bool nointxmask; + static bool disable_vga; + static bool disable_idle_d3; + ++/* List of PF's that vfio_pci_core_sriov_configure() has been called on */ ++static DEFINE_MUTEX(vfio_pci_sriov_pfs_mutex); ++static LIST_HEAD(vfio_pci_sriov_pfs); ++ + static inline bool vfio_vga_disabled(void) + { + #ifdef CONFIG_VFIO_PCI_VGA +@@ -434,47 +438,17 @@ void vfio_pci_core_disable(struct vfio_pci_core_device *vdev) + } + EXPORT_SYMBOL_GPL(vfio_pci_core_disable); + +-static struct vfio_pci_core_device *get_pf_vdev(struct vfio_pci_core_device *vdev) +-{ +- struct pci_dev *physfn = pci_physfn(vdev->pdev); +- struct vfio_device *pf_dev; +- +- if (!vdev->pdev->is_virtfn) +- return NULL; +- +- pf_dev = vfio_device_get_from_dev(&physfn->dev); +- if (!pf_dev) +- return NULL; +- +- if (pci_dev_driver(physfn) != pci_dev_driver(vdev->pdev)) { +- vfio_device_put(pf_dev); +- return NULL; +- } +- +- return container_of(pf_dev, struct vfio_pci_core_device, vdev); +-} +- +-static void vfio_pci_vf_token_user_add(struct vfio_pci_core_device *vdev, int val) +-{ +- struct vfio_pci_core_device *pf_vdev = get_pf_vdev(vdev); +- +- if (!pf_vdev) +- return; +- +- mutex_lock(&pf_vdev->vf_token->lock); +- pf_vdev->vf_token->users += val; +- WARN_ON(pf_vdev->vf_token->users < 0); +- mutex_unlock(&pf_vdev->vf_token->lock); +- +- vfio_device_put(&pf_vdev->vdev); +-} +- + void vfio_pci_core_close_device(struct vfio_device *core_vdev) + { + struct vfio_pci_core_device *vdev = + container_of(core_vdev, struct vfio_pci_core_device, vdev); + +- vfio_pci_vf_token_user_add(vdev, -1); ++ if (vdev->sriov_pf_core_dev) { ++ mutex_lock(&vdev->sriov_pf_core_dev->vf_token->lock); ++ WARN_ON(!vdev->sriov_pf_core_dev->vf_token->users); ++ vdev->sriov_pf_core_dev->vf_token->users--; ++ mutex_unlock(&vdev->sriov_pf_core_dev->vf_token->lock); ++ } + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_core_disable(vdev); + +@@ -495,7 +469,12 @@ void vfio_pci_core_finish_enable(struct vfio_pci_core_device *vdev) + { + vfio_pci_probe_mmaps(vdev); + vfio_spapr_pci_eeh_open(vdev->pdev); +- vfio_pci_vf_token_user_add(vdev, 1); ++ ++ if (vdev->sriov_pf_core_dev) { ++ mutex_lock(&vdev->sriov_pf_core_dev->vf_token->lock); ++ vdev->sriov_pf_core_dev->vf_token->users++; ++ mutex_unlock(&vdev->sriov_pf_core_dev->vf_token->lock); ++ } + } + EXPORT_SYMBOL_GPL(vfio_pci_core_finish_enable); + +@@ -1603,11 +1582,8 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + * + * If the VF token is provided but unused, an error is generated. + */ +- if (!vdev->pdev->is_virtfn && !vdev->vf_token && !vf_token) +- return 0; /* No VF token provided or required */ +- + if (vdev->pdev->is_virtfn) { +- struct vfio_pci_core_device *pf_vdev = get_pf_vdev(vdev); ++ struct vfio_pci_core_device *pf_vdev = vdev->sriov_pf_core_dev; + bool match; + + if (!pf_vdev) { +@@ -1620,7 +1596,6 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + } + + if (!vf_token) { +- vfio_device_put(&pf_vdev->vdev); + pci_info_ratelimited(vdev->pdev, + "VF token required to access device\n"); + return -EACCES; +@@ -1630,8 +1605,6 @@ static int vfio_pci_validate_vf_token(struct vfio_pci_core_device *vdev, + match = uuid_equal(uuid, &pf_vdev->vf_token->uuid); + mutex_unlock(&pf_vdev->vf_token->lock); + +- vfio_device_put(&pf_vdev->vdev); +- + if (!match) { + pci_info_ratelimited(vdev->pdev, + "Incorrect VF token provided for device\n"); +@@ -1752,8 +1725,30 @@ static int vfio_pci_bus_notifier(struct notifier_block *nb, + static int vfio_pci_vf_init(struct vfio_pci_core_device *vdev) + { + struct pci_dev *pdev = vdev->pdev; ++ struct vfio_pci_core_device *cur; ++ struct pci_dev *physfn; + int ret; + ++ if (pdev->is_virtfn) { ++ /* ++ * If this VF was created by our vfio_pci_core_sriov_configure() ++ * then we can find the PF vfio_pci_core_device now, and due to ++ * the locking in pci_disable_sriov() it cannot change until ++ * this VF device driver is removed. ++ */ ++ physfn = pci_physfn(vdev->pdev); ++ mutex_lock(&vfio_pci_sriov_pfs_mutex); ++ list_for_each_entry(cur, &vfio_pci_sriov_pfs, sriov_pfs_item) { ++ if (cur->pdev == physfn) { ++ vdev->sriov_pf_core_dev = cur; ++ break; ++ } ++ } ++ mutex_unlock(&vfio_pci_sriov_pfs_mutex); ++ return 0; ++ } ++ ++ /* Not a SRIOV PF */ + if (!pdev->is_physfn) + return 0; + +@@ -1825,6 +1820,7 @@ void vfio_pci_core_init_device(struct vfio_pci_core_device *vdev, + INIT_LIST_HEAD(&vdev->ioeventfds_list); + mutex_init(&vdev->vma_lock); + INIT_LIST_HEAD(&vdev->vma_list); ++ INIT_LIST_HEAD(&vdev->sriov_pfs_item); + init_rwsem(&vdev->memory_lock); + } + EXPORT_SYMBOL_GPL(vfio_pci_core_init_device); +@@ -1916,7 +1912,7 @@ void vfio_pci_core_unregister_device(struct vfio_pci_core_device *vdev) + { + struct pci_dev *pdev = vdev->pdev; + +- pci_disable_sriov(pdev); ++ vfio_pci_core_sriov_configure(pdev, 0); + + vfio_unregister_group_dev(&vdev->vdev); + +@@ -1954,21 +1950,49 @@ static pci_ers_result_t vfio_pci_aer_err_detected(struct pci_dev *pdev, + + int vfio_pci_core_sriov_configure(struct pci_dev *pdev, int nr_virtfn) + { ++ struct vfio_pci_core_device *vdev; + struct vfio_device *device; + int ret = 0; + ++ device_lock_assert(&pdev->dev); ++ + device = vfio_device_get_from_dev(&pdev->dev); + if (!device) + return -ENODEV; + +- if (nr_virtfn == 0) +- pci_disable_sriov(pdev); +- else ++ vdev = container_of(device, struct vfio_pci_core_device, vdev); ++ ++ if (nr_virtfn) { ++ mutex_lock(&vfio_pci_sriov_pfs_mutex); ++ /* ++ * The thread that adds the vdev to the list is the only thread ++ * that gets to call pci_enable_sriov() and we will only allow ++ * it to be called once without going through ++ * pci_disable_sriov() ++ */ ++ if (!list_empty(&vdev->sriov_pfs_item)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ list_add_tail(&vdev->sriov_pfs_item, &vfio_pci_sriov_pfs); ++ mutex_unlock(&vfio_pci_sriov_pfs_mutex); + ret = pci_enable_sriov(pdev, nr_virtfn); ++ if (ret) ++ goto out_del; ++ ret = nr_virtfn; ++ goto out_put; ++ } + +- vfio_device_put(device); ++ pci_disable_sriov(pdev); + +- return ret < 0 ? ret : nr_virtfn; ++out_del: ++ mutex_lock(&vfio_pci_sriov_pfs_mutex); ++ list_del_init(&vdev->sriov_pfs_item); ++out_unlock: ++ mutex_unlock(&vfio_pci_sriov_pfs_mutex); ++out_put: ++ vfio_device_put(device); ++ return ret; + } + EXPORT_SYMBOL_GPL(vfio_pci_core_sriov_configure); + +diff --git a/include/linux/vfio_pci_core.h b/include/linux/vfio_pci_core.h +index ae6f4838ab75..6e5db4edc335 100644 +--- a/include/linux/vfio_pci_core.h ++++ b/include/linux/vfio_pci_core.h +@@ -133,6 +133,8 @@ struct vfio_pci_core_device { + struct mutex ioeventfds_lock; + struct list_head ioeventfds_list; + struct vfio_pci_vf_token *vf_token; ++ struct list_head sriov_pfs_item; ++ struct vfio_pci_core_device *sriov_pf_core_dev; + struct notifier_block nb; + struct mutex vma_lock; + struct list_head vma_list; +-- +2.35.1 + diff --git a/queue-5.17/x86-bpf-avoid-ibt-objtool-warning.patch b/queue-5.17/x86-bpf-avoid-ibt-objtool-warning.patch new file mode 100644 index 00000000000..687d39c2e7d --- /dev/null +++ b/queue-5.17/x86-bpf-avoid-ibt-objtool-warning.patch @@ -0,0 +1,43 @@ +From c7ce5104b3175928b8e60d01e257db05664f8ca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Mar 2022 13:13:41 +0200 +Subject: x86,bpf: Avoid IBT objtool warning + +From: Peter Zijlstra + +[ Upstream commit be8a096521ca1a252bf078b347f96ce94582612e ] + +Clang can inline emit_indirect_jump() and then folds constants, which +results in: + + | vmlinux.o: warning: objtool: emit_bpf_dispatcher()+0x6a4: relocation to !ENDBR: .text.__x86.indirect_thunk+0x40 + | vmlinux.o: warning: objtool: emit_bpf_dispatcher()+0x67d: relocation to !ENDBR: .text.__x86.indirect_thunk+0x40 + | vmlinux.o: warning: objtool: emit_bpf_tail_call_indirect()+0x386: relocation to !ENDBR: .text.__x86.indirect_thunk+0x20 + | vmlinux.o: warning: objtool: emit_bpf_tail_call_indirect()+0x35d: relocation to !ENDBR: .text.__x86.indirect_thunk+0x20 + +Suppress the optimization such that it must emit a code reference to +the __x86_indirect_thunk_array[] base. + +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Alexei Starovoitov +Link: https://lkml.kernel.org/r/20220405075531.GB30877@worktop.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index 0ecb140864b2..b272e963388c 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -398,6 +398,7 @@ static void emit_indirect_jump(u8 **pprog, int reg, u8 *ip) + EMIT_LFENCE(); + EMIT2(0xFF, 0xE0 + reg); + } else if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) { ++ OPTIMIZER_HIDE_VAR(reg); + emit_jump(&prog, &__x86_indirect_thunk_array[reg], ip); + } else + #endif +-- +2.35.1 +