From: Sasha Levin Date: Sat, 4 Dec 2021 03:39:57 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.4.294~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77323905abd571970d109afbf135008403e7d6d4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-add-stubs-for-wakeup-handler-functions.patch b/queue-5.10/acpi-add-stubs-for-wakeup-handler-functions.patch new file mode 100644 index 00000000000..7fcf1a2bcd6 --- /dev/null +++ b/queue-5.10/acpi-add-stubs-for-wakeup-handler-functions.patch @@ -0,0 +1,48 @@ +From 035bc8d65c99b3e481df05b245df06f8f7a72115 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 20:48:52 -0500 +Subject: ACPI: Add stubs for wakeup handler functions + +From: Mario Limonciello + +[ Upstream commit e9380df851878cee71df5a1c7611584421527f7e ] + +The commit ddfd9dcf270c ("ACPI: PM: Add acpi_[un]register_wakeup_handler()") +added new functions for drivers to use during the s2idle wakeup path, but +didn't add stubs for when CONFIG_ACPI wasn't set. + +Add those stubs in for other drivers to be able to use. + +Fixes: ddfd9dcf270c ("ACPI: PM: Add acpi_[un]register_wakeup_handler()") +Acked-by: Rafael J. Wysocki +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20211101014853.6177-1-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + include/linux/acpi.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/include/linux/acpi.h b/include/linux/acpi.h +index fdb1d5262ce84..96d69404a54ff 100644 +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -953,6 +953,15 @@ static inline struct acpi_device *acpi_resource_consumer(struct resource *res) + return NULL; + } + ++static inline int acpi_register_wakeup_handler(int wake_irq, ++ bool (*wakeup)(void *context), void *context) ++{ ++ return -ENXIO; ++} ++ ++static inline void acpi_unregister_wakeup_handler( ++ bool (*wakeup)(void *context), void *context) { } ++ + #endif /* !CONFIG_ACPI */ + + #ifdef CONFIG_ACPI_HOTPLUG_IOAPIC +-- +2.33.0 + diff --git a/queue-5.10/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch b/queue-5.10/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch new file mode 100644 index 00000000000..f01d3b3606d --- /dev/null +++ b/queue-5.10/ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch @@ -0,0 +1,42 @@ +From 85ee917f2c795d2129dab9731de3c4b7b57347c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:15:38 -0600 +Subject: ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile + +From: Mario Limonciello + +[ Upstream commit 1527f69204fe35f341cb599f1cb01bd02daf4374 ] + +AMD requires that the SATA controller be configured for devsleep in order +for S0i3 entry to work properly. + +commit b1a9585cc396 ("ata: ahci: Enable DEVSLP by default on x86 with +SLP_S0") sets up a kernel policy to enable devsleep on Intel mobile +platforms that are using s0ix. Add the PCI ID for the SATA controller in +Green Sardine platforms to extend this policy by default for AMD based +systems using s0i3 as well. + +Cc: Nehal-bakulchandra Shah +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091 +Signed-off-by: Mario Limonciello +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 33192a8f687d6..ff2add0101fe5 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -442,6 +442,7 @@ static const struct pci_device_id ahci_pci_tbl[] = { + /* AMD */ + { PCI_VDEVICE(AMD, 0x7800), board_ahci }, /* AMD Hudson-2 */ + { PCI_VDEVICE(AMD, 0x7900), board_ahci }, /* AMD CZ */ ++ { PCI_VDEVICE(AMD, 0x7901), board_ahci_mobile }, /* AMD Green Sardine */ + /* AMD is using RAID class only for ahci controllers */ + { PCI_VENDOR_ID_AMD, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_STORAGE_RAID << 8, 0xffffff, board_ahci }, +-- +2.33.0 + diff --git a/queue-5.10/ata-libahci-adjust-behavior-when-storaged3enable-_ds.patch b/queue-5.10/ata-libahci-adjust-behavior-when-storaged3enable-_ds.patch new file mode 100644 index 00000000000..cdfbbc48e27 --- /dev/null +++ b/queue-5.10/ata-libahci-adjust-behavior-when-storaged3enable-_ds.patch @@ -0,0 +1,69 @@ +From 4c8aefc159dde8ee5924bcfa6d3c6a22ece57850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 14:15:39 -0600 +Subject: ata: libahci: Adjust behavior when StorageD3Enable _DSD is set + +From: Mario Limonciello + +[ Upstream commit 7c5f641a5914ce0303b06bcfcd7674ee64aeebe9 ] + +The StorageD3Enable _DSD is used for the vendor to indicate that the disk +should be opted into or out of a different behavior based upon the platform +design. + +For AMD's Renoir and Green Sardine platforms it's important that any +attached SATA storage has transitioned into DevSlp when s2idle is used. + +If the disk is left in active/partial/slumber, then the system is not able +to resume properly. + +When the StorageD3Enable _DSD is detected, check the system is using s2idle +and DevSlp is enabled and if so explicitly wait long enough for the disk to +enter DevSlp. + +Cc: Nehal-bakulchandra Shah +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091 +Link: https://docs.microsoft.com/en-us/windows-hardware/design/component-guidelines/power-management-for-storage-hardware-devices-intro +Signed-off-by: Mario Limonciello +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libahci.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index fec2e9754aed2..d0d6efc9370d0 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -2304,6 +2304,18 @@ int ahci_port_resume(struct ata_port *ap) + EXPORT_SYMBOL_GPL(ahci_port_resume); + + #ifdef CONFIG_PM ++static void ahci_handle_s2idle(struct ata_port *ap) ++{ ++ void __iomem *port_mmio = ahci_port_base(ap); ++ u32 devslp; ++ ++ if (pm_suspend_via_firmware()) ++ return; ++ devslp = readl(port_mmio + PORT_DEVSLP); ++ if ((devslp & PORT_DEVSLP_ADSE)) ++ ata_msleep(ap, devslp_idle_timeout); ++} ++ + static int ahci_port_suspend(struct ata_port *ap, pm_message_t mesg) + { + const char *emsg = NULL; +@@ -2317,6 +2329,9 @@ static int ahci_port_suspend(struct ata_port *ap, pm_message_t mesg) + ata_port_freeze(ap); + } + ++ if (acpi_storage_d3(ap->host->dev)) ++ ahci_handle_s2idle(ap); ++ + ahci_rpm_put_port(ap); + return rc; + } +-- +2.33.0 + diff --git a/queue-5.10/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch b/queue-5.10/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch new file mode 100644 index 00000000000..9cea1ad3a6a --- /dev/null +++ b/queue-5.10/atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch @@ -0,0 +1,92 @@ +From 00131620ded4014e8795145ea422193ad9fc8f8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Nov 2021 22:24:40 -0500 +Subject: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait + +From: Zekun Shen + +[ Upstream commit b922f622592af76b57cbc566eaeccda0b31a3496 ] + +This bug report shows up when running our research tools. The +reports is SOOB read, but it seems SOOB write is also possible +a few lines below. + +In details, fw.len and sw.len are inputs coming from io. A len +over the size of self->rpc triggers SOOB. The patch fixes the +bugs by adding sanity checks. + +The bugs are triggerable with compromised/malfunctioning devices. +They are potentially exploitable given they first leak up to +0xffff bytes and able to overwrite the region later. + +The patch is tested with QEMU emulater. +This is NOT tested with a real device. + +Attached is the log we found by fuzzing. + +BUG: KASAN: slab-out-of-bounds in + hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] +Read of size 4 at addr ffff888016260b08 by task modprobe/213 +CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1 +Call Trace: + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + __kasan_report.cold+0x37/0x7c + ? aq_hw_read_reg_bit+0x60/0x70 [atlantic] + ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + kasan_report+0xe/0x20 + hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic] + hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic] + hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic] + hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic] + ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic] + ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic] + hw_atl_utils_initfw+0x12a/0x1c8 [atlantic] + aq_nic_ndev_register+0x88/0x650 [atlantic] + ? aq_nic_ndev_init+0x235/0x3c0 [atlantic] + aq_pci_probe+0x731/0x9b0 [atlantic] + ? aq_pci_func_init+0xc0/0xc0 [atlantic] + local_pci_probe+0xd3/0x160 + pci_device_probe+0x23f/0x3e0 + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +index 404cbf60d3f2f..da1d185f6d226 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c ++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c +@@ -559,6 +559,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self, + goto err_exit; + + if (fw.len == 0xFFFFU) { ++ if (sw.len > sizeof(self->rpc)) { ++ printk(KERN_INFO "Invalid sw len: %x\n", sw.len); ++ err = -EINVAL; ++ goto err_exit; ++ } + err = hw_atl_utils_fw_rpc_call(self, sw.len); + if (err < 0) + goto err_exit; +@@ -567,6 +572,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self, + + if (rpc) { + if (fw.len) { ++ if (fw.len > sizeof(self->rpc)) { ++ printk(KERN_INFO "Invalid fw len: %x\n", fw.len); ++ err = -EINVAL; ++ goto err_exit; ++ } + err = + hw_atl_utils_fw_downld_dwords(self, + self->rpc_addr, +-- +2.33.0 + diff --git a/queue-5.10/btrfs-check-integrity-fix-a-warning-on-write-caching.patch b/queue-5.10/btrfs-check-integrity-fix-a-warning-on-write-caching.patch new file mode 100644 index 00000000000..97ab2b5028b --- /dev/null +++ b/queue-5.10/btrfs-check-integrity-fix-a-warning-on-write-caching.patch @@ -0,0 +1,113 @@ +From d4b23d1e3c1963bedde14a41a902c9cfa2bac117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 06:32:54 +0800 +Subject: btrfs: check-integrity: fix a warning on write caching disabled disk + +From: Wang Yugui + +[ Upstream commit a91cf0ffbc244792e0b3ecf7d0fddb2f344b461f ] + +When a disk has write caching disabled, we skip submission of a bio with +flush and sync requests before writing the superblock, since it's not +needed. However when the integrity checker is enabled, this results in +reports that there are metadata blocks referred by a superblock that +were not properly flushed. So don't skip the bio submission only when +the integrity checker is enabled for the sake of simplicity, since this +is a debug tool and not meant for use in non-debug builds. + +fstests/btrfs/220 trigger a check-integrity warning like the following +when CONFIG_BTRFS_FS_CHECK_INTEGRITY=y and the disk with WCE=0. + + btrfs: attempt to write superblock which references block M @5242880 (sdb2/5242880/0) which is not flushed out of disk's write cache (block flush_gen=1, dev->flush_gen=0)! + ------------[ cut here ]------------ + WARNING: CPU: 28 PID: 843680 at fs/btrfs/check-integrity.c:2196 btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs] + CPU: 28 PID: 843680 Comm: umount Not tainted 5.15.0-0.rc5.39.el8.x86_64 #1 + Hardware name: Dell Inc. Precision T7610/0NK70N, BIOS A18 09/11/2019 + RIP: 0010:btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs] + RSP: 0018:ffffb642afb47940 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 + RDX: 00000000ffffffff RSI: ffff8b722fc97d00 RDI: ffff8b722fc97d00 + RBP: ffff8b5601c00000 R08: 0000000000000000 R09: c0000000ffff7fff + R10: 0000000000000001 R11: ffffb642afb476f8 R12: ffffffffffffffff + R13: ffffb642afb47974 R14: ffff8b5499254c00 R15: 0000000000000003 + FS: 00007f00a06d4080(0000) GS:ffff8b722fc80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fff5cff5ff0 CR3: 00000001c0c2a006 CR4: 00000000001706e0 + Call Trace: + btrfsic_process_written_block+0x2f7/0x850 [btrfs] + __btrfsic_submit_bio.part.19+0x310/0x330 [btrfs] + ? bio_associate_blkg_from_css+0xa4/0x2c0 + btrfsic_submit_bio+0x18/0x30 [btrfs] + write_dev_supers+0x81/0x2a0 [btrfs] + ? find_get_pages_range_tag+0x219/0x280 + ? pagevec_lookup_range_tag+0x24/0x30 + ? __filemap_fdatawait_range+0x6d/0xf0 + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + ? find_first_extent_bit+0x9b/0x160 [btrfs] + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + write_all_supers+0x1b3/0xa70 [btrfs] + ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e + btrfs_commit_transaction+0x59d/0xac0 [btrfs] + close_ctree+0x11d/0x339 [btrfs] + generic_shutdown_super+0x71/0x110 + kill_anon_super+0x14/0x30 + btrfs_kill_super+0x12/0x20 [btrfs] + deactivate_locked_super+0x31/0x70 + cleanup_mnt+0xb8/0x140 + task_work_run+0x6d/0xb0 + exit_to_user_mode_prepare+0x1f0/0x200 + syscall_exit_to_user_mode+0x12/0x30 + do_syscall_64+0x46/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f009f711dfb + RSP: 002b:00007fff5cff7928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 + RAX: 0000000000000000 RBX: 000055b68c6c9970 RCX: 00007f009f711dfb + RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055b68c6c9b50 + RBP: 0000000000000000 R08: 000055b68c6ca900 R09: 00007f009f795580 + R10: 0000000000000000 R11: 0000000000000246 R12: 000055b68c6c9b50 + R13: 00007f00a04bf184 R14: 0000000000000000 R15: 00000000ffffffff + ---[ end trace 2c4b82abcef9eec4 ]--- + S-65536(sdb2/65536/1) + --> + M-1064960(sdb2/1064960/1) + +Reviewed-by: Filipe Manana +Signed-off-by: Wang Yugui +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 9051bb47cbdd9..bab2091c81683 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3692,11 +3692,23 @@ static void btrfs_end_empty_barrier(struct bio *bio) + */ + static void write_dev_flush(struct btrfs_device *device) + { +- struct request_queue *q = bdev_get_queue(device->bdev); + struct bio *bio = device->flush_bio; + ++#ifndef CONFIG_BTRFS_FS_CHECK_INTEGRITY ++ /* ++ * When a disk has write caching disabled, we skip submission of a bio ++ * with flush and sync requests before writing the superblock, since ++ * it's not needed. However when the integrity checker is enabled, this ++ * results in reports that there are metadata blocks referred by a ++ * superblock that were not properly flushed. So don't skip the bio ++ * submission only when the integrity checker is enabled for the sake ++ * of simplicity, since this is a debug tool and not meant for use in ++ * non-debug builds. ++ */ ++ struct request_queue *q = bdev_get_queue(device->bdev); + if (!test_bit(QUEUE_FLAG_WC, &q->queue_flags)) + return; ++#endif + + bio_reset(bio); + bio->bi_end_io = btrfs_end_empty_barrier; +-- +2.33.0 + diff --git a/queue-5.10/drm-amd-amdgpu-fix-potential-memleak.patch b/queue-5.10/drm-amd-amdgpu-fix-potential-memleak.patch new file mode 100644 index 00000000000..f9fcdd027a3 --- /dev/null +++ b/queue-5.10/drm-amd-amdgpu-fix-potential-memleak.patch @@ -0,0 +1,35 @@ +From 31adbedbd52cece452a633c569af7ce4a52d3108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 18:58:50 -0800 +Subject: drm/amd/amdgpu: fix potential memleak + +From: Bernard Zhao + +[ Upstream commit 27dfaedc0d321b4ea4e10c53e4679d6911ab17aa ] + +In function amdgpu_get_xgmi_hive, when kobject_init_and_add failed +There is a potential memleak if not call kobject_put. + +Reviewed-by: Felix Kuehling +Signed-off-by: Bernard Zhao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c +index 0526dec1d736e..042c85fc528bb 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c +@@ -358,6 +358,7 @@ struct amdgpu_hive_info *amdgpu_get_xgmi_hive(struct amdgpu_device *adev) + "%s", "xgmi_hive_info"); + if (ret) { + dev_err(adev->dev, "XGMI: failed initializing kobject for xgmi hive\n"); ++ kobject_put(&hive->kobj); + kfree(hive); + hive = NULL; + goto pro_end; +-- +2.33.0 + diff --git a/queue-5.10/drm-amd-amdkfd-fix-kernel-panic-when-reset-failed-an.patch b/queue-5.10/drm-amd-amdkfd-fix-kernel-panic-when-reset-failed-an.patch new file mode 100644 index 00000000000..a59bde21273 --- /dev/null +++ b/queue-5.10/drm-amd-amdkfd-fix-kernel-panic-when-reset-failed-an.patch @@ -0,0 +1,41 @@ +From 3102e81009934e70182f1883174dfff534c7cad2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 12:38:18 -0500 +Subject: drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered + again + +From: shaoyunl + +[ Upstream commit 2cf49e00d40d5132e3d067b5aa6d84791929ab15 ] + +In SRIOV configuration, the reset may failed to bring asic back to normal but stop cpsch +already been called, the start_cpsch will not be called since there is no resume in this +case. When reset been triggered again, driver should avoid to do uninitialization again. + +Signed-off-by: shaoyunl +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index 352a32dc609b2..2645ebc63a14d 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1207,6 +1207,11 @@ static int stop_cpsch(struct device_queue_manager *dqm) + bool hanging; + + dqm_lock(dqm); ++ if (!dqm->sched_running) { ++ dqm_unlock(dqm); ++ return 0; ++ } ++ + if (!dqm->is_hws_hang) + unmap_queues_cpsch(dqm, KFD_UNMAP_QUEUES_FILTER_ALL_QUEUES, 0); + hanging = dqm->is_hws_hang || dqm->is_resetting; +-- +2.33.0 + diff --git a/queue-5.10/drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch b/queue-5.10/drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch new file mode 100644 index 00000000000..6f1a15c5bd1 --- /dev/null +++ b/queue-5.10/drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch @@ -0,0 +1,53 @@ +From b229705c6345ad1ff01b11cb09f9b1e01fd88b5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 22:23:51 -0500 +Subject: drm/sun4i: fix unmet dependency on RESET_CONTROLLER for + PHY_SUN6I_MIPI_DPHY + +From: Julian Braha + +[ Upstream commit bb162bb2b4394108c8f055d1b115735331205e28 ] + +When PHY_SUN6I_MIPI_DPHY is selected, and RESET_CONTROLLER +is not selected, Kbuild gives the following warning: + +WARNING: unmet direct dependencies detected for PHY_SUN6I_MIPI_DPHY + Depends on [n]: (ARCH_SUNXI [=n] || COMPILE_TEST [=y]) && HAS_IOMEM [=y] && COMMON_CLK [=y] && RESET_CONTROLLER [=n] + Selected by [y]: + - DRM_SUN6I_DSI [=y] && HAS_IOMEM [=y] && DRM_SUN4I [=y] + +This is because DRM_SUN6I_DSI selects PHY_SUN6I_MIPI_DPHY +without selecting or depending on RESET_CONTROLLER, despite +PHY_SUN6I_MIPI_DPHY depending on RESET_CONTROLLER. + +These unmet dependency bugs were detected by Kismet, +a static analysis tool for Kconfig. Please advise if this +is not the appropriate solution. + +v2: +Fixed indentation to match the rest of the file. + +Signed-off-by: Julian Braha +Acked-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20211109032351.43322-1-julianbraha@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/sun4i/Kconfig b/drivers/gpu/drm/sun4i/Kconfig +index 5755f0432e774..8c796de53222c 100644 +--- a/drivers/gpu/drm/sun4i/Kconfig ++++ b/drivers/gpu/drm/sun4i/Kconfig +@@ -46,6 +46,7 @@ config DRM_SUN6I_DSI + default MACH_SUN8I + select CRC_CCITT + select DRM_MIPI_DSI ++ select RESET_CONTROLLER + select PHY_SUN6I_MIPI_DPHY + help + Choose this option if you want have an Allwinner SoC with +-- +2.33.0 + diff --git a/queue-5.10/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch b/queue-5.10/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch new file mode 100644 index 00000000000..217d31950f3 --- /dev/null +++ b/queue-5.10/ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch @@ -0,0 +1,49 @@ +From 09d5a57aca872e24f4d2710c465a3fa90d66f173 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 11:44:53 +0800 +Subject: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array + overflow in hns_dsaf_ge_srst_by_port() + +From: Teng Qi + +[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ] + +The if statement: + if (port >= DSAF_GE_NUM) + return; + +limits the value of port less than DSAF_GE_NUM (i.e., 8). +However, if the value of port is 6 or 7, an array overflow could occur: + port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; + +because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6). + +To fix this possible array overflow, we first check port and if it is +greater than or equal to DSAF_MAX_PORT_NUM, the function returns. + +Reported-by: TOTE Robot +Signed-off-by: Teng Qi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +index a9aca8c24e90d..aa87e4d121532 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c +@@ -400,6 +400,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port, + return; + + if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) { ++ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8. ++ We need check to prevent array overflow */ ++ if (port >= DSAF_MAX_PORT_NUM) ++ return; + reg_val_1 = 0x1 << port; + port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off; + /* there is difference between V1 and V2 in register.*/ +-- +2.33.0 + diff --git a/queue-5.10/gfs2-fix-length-of-holes-reported-at-end-of-file.patch b/queue-5.10/gfs2-fix-length-of-holes-reported-at-end-of-file.patch new file mode 100644 index 00000000000..a12a615ec1f --- /dev/null +++ b/queue-5.10/gfs2-fix-length-of-holes-reported-at-end-of-file.patch @@ -0,0 +1,40 @@ +From 3bdda649512eecec9f972709a9f6570a07ce8eea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 00:18:56 +0100 +Subject: gfs2: Fix length of holes reported at end-of-file + +From: Andreas Gruenbacher + +[ Upstream commit f3506eee81d1f700d9ee2d2f4a88fddb669ec032 ] + +Fix the length of holes reported at the end of a file: the length is +relative to the beginning of the extent, not the seek position which is +rounded down to the filesystem block size. + +This bug went unnoticed for some time, but is now caught by the +following assertion in iomap_iter_done(): + + WARN_ON_ONCE(iter->iomap.offset + iter->iomap.length <= iter->pos) + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/bmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c +index a1f9dde33058f..b34c02985d9d2 100644 +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -940,7 +940,7 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length, + else if (height == ip->i_height) + ret = gfs2_hole_size(inode, lblock, len, mp, iomap); + else +- iomap->length = size - pos; ++ iomap->length = size - iomap->offset; + } else if (flags & IOMAP_WRITE) { + u64 alloc_size; + +-- +2.33.0 + diff --git a/queue-5.10/gfs2-release-iopen-glock-early-in-evict.patch b/queue-5.10/gfs2-release-iopen-glock-early-in-evict.patch new file mode 100644 index 00000000000..87b5af90c75 --- /dev/null +++ b/queue-5.10/gfs2-release-iopen-glock-early-in-evict.patch @@ -0,0 +1,62 @@ +From 584fba43d25e26ecd5ef96cd25b424dbb20b36d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 11:53:10 -0500 +Subject: gfs2: release iopen glock early in evict + +From: Bob Peterson + +[ Upstream commit 49462e2be119d38c5eb5759d0d1b712df3a41239 ] + +Before this patch, evict would clear the iopen glock's gl_object after +releasing the inode glock. In the meantime, another process could reuse +the same block and thus glocks for a new inode. It would lock the inode +glock (exclusively), and then the iopen glock (shared). The shared +locking mode doesn't provide any ordering against the evict, so by the +time the iopen glock is reused, evict may not have gotten to setting +gl_object to NULL. + +Fix that by releasing the iopen glock before the inode glock in +gfs2_evict_inode. + +Signed-off-by: Bob Peterson gl_object +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/super.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c +index 6a355e1347d7f..d2b7ecbd1b150 100644 +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1438,13 +1438,6 @@ static void gfs2_evict_inode(struct inode *inode) + gfs2_ordered_del_inode(ip); + clear_inode(inode); + gfs2_dir_hash_inval(ip); +- if (ip->i_gl) { +- glock_clear_object(ip->i_gl, ip); +- wait_on_bit_io(&ip->i_flags, GIF_GLOP_PENDING, TASK_UNINTERRUPTIBLE); +- gfs2_glock_add_to_lru(ip->i_gl); +- gfs2_glock_put_eventually(ip->i_gl); +- ip->i_gl = NULL; +- } + if (gfs2_holder_initialized(&ip->i_iopen_gh)) { + struct gfs2_glock *gl = ip->i_iopen_gh.gh_gl; + +@@ -1457,6 +1450,13 @@ static void gfs2_evict_inode(struct inode *inode) + gfs2_holder_uninit(&ip->i_iopen_gh); + gfs2_glock_put_eventually(gl); + } ++ if (ip->i_gl) { ++ glock_clear_object(ip->i_gl, ip); ++ wait_on_bit_io(&ip->i_flags, GIF_GLOP_PENDING, TASK_UNINTERRUPTIBLE); ++ gfs2_glock_add_to_lru(ip->i_gl); ++ gfs2_glock_put_eventually(ip->i_gl); ++ ip->i_gl = NULL; ++ } + } + + static struct inode *gfs2_alloc_inode(struct super_block *sb) +-- +2.33.0 + diff --git a/queue-5.10/ipv6-check-return-value-of-ipv6_skip_exthdr.patch b/queue-5.10/ipv6-check-return-value-of-ipv6_skip_exthdr.patch new file mode 100644 index 00000000000..0c8d7a20f17 --- /dev/null +++ b/queue-5.10/ipv6-check-return-value-of-ipv6_skip_exthdr.patch @@ -0,0 +1,43 @@ +From 28472faa9eb9cc244cef8a461722727873aba744 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 20:06:48 +0100 +Subject: ipv6: check return value of ipv6_skip_exthdr + +From: Jordy Zomer + +[ Upstream commit 5f9c55c8066bcd93ac25234a02585701fe2e31df ] + +The offset value is used in pointer math on skb->data. +Since ipv6_skip_exthdr may return -1 the pointer to uh and th +may not point to the actual udp and tcp headers and potentially +overwrite other stuff. This is why I think this should be checked. + +EDIT: added {}'s, thanks Kees + +Signed-off-by: Jordy Zomer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/esp6.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 8d001f665fb15..7f2ffc7b1f75a 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -808,6 +808,12 @@ int esp6_input_done2(struct sk_buff *skb, int err) + struct tcphdr *th; + + offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); ++ ++ if (offset < 0) { ++ err = -EINVAL; ++ goto out; ++ } ++ + uh = (void *)(skb->data + offset); + th = (void *)(skb->data + offset); + hdr_len += offset; +-- +2.33.0 + diff --git a/queue-5.10/mac80211-do-not-access-the-iv-when-it-was-stripped.patch b/queue-5.10/mac80211-do-not-access-the-iv-when-it-was-stripped.patch new file mode 100644 index 00000000000..1ee2e82bb5a --- /dev/null +++ b/queue-5.10/mac80211-do-not-access-the-iv-when-it-was-stripped.patch @@ -0,0 +1,39 @@ +From 4e783d14602aa1939b84a5089b24611d87e0051f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 10:46:57 +0800 +Subject: mac80211: do not access the IV when it was stripped + +From: Xing Song + +[ Upstream commit 77dfc2bc0bb4b8376ecd7a430f27a4a8fff6a5a0 ] + +ieee80211_get_keyid() will return false value if IV has been stripped, +such as return 0 for IP/ARP frames due to LLC header, and return -EINVAL +for disassociation frames due to its length... etc. Don't try to access +it if it's not present. + +Signed-off-by: Xing Song +Link: https://lore.kernel.org/r/20211101024657.143026-1-xing.song@mediatek.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index b7979c0bffd0f..6a24431b90095 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1945,7 +1945,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) + int keyid = rx->sta->ptk_idx; + sta_ptk = rcu_dereference(rx->sta->ptk[keyid]); + +- if (ieee80211_has_protected(fc)) { ++ if (ieee80211_has_protected(fc) && ++ !(status->flag & RX_FLAG_IV_STRIPPED)) { + cs = rx->sta->cipher_scheme; + keyid = ieee80211_get_keyid(rx->skb, cs); + +-- +2.33.0 + diff --git a/queue-5.10/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch b/queue-5.10/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch new file mode 100644 index 00000000000..ddd15506f10 --- /dev/null +++ b/queue-5.10/net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch @@ -0,0 +1,58 @@ +From 30d4c7b7b639e1b152949682e1afbea041f74b2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 15:01:18 +0800 +Subject: net: ethernet: dec: tulip: de4x5: fix possible array overflows in + type3_infoblock() + +From: Teng Qi + +[ Upstream commit 0fa68da72c3be09e06dd833258ee89c33374195f ] + +The definition of macro MOTO_SROM_BUG is: + #define MOTO_SROM_BUG (lp->active == 8 && (get_unaligned_le32( + dev->dev_addr) & 0x00ffffff) == 0x3e0008) + +and the if statement + if (MOTO_SROM_BUG) lp->active = 0; + +using this macro indicates lp->active could be 8. If lp->active is 8 and +the second comparison of this macro is false. lp->active will remain 8 in: + lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2; + lp->phy[lp->active].mci = *p; + +However, the length of array lp->phy is 8, so array overflows can occur. +To fix these possible array overflows, we first check lp->active and then +return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8). + +Reported-by: TOTE Robot +Signed-off-by: Teng Qi +Reviewed-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index ffc25ecfa8d6a..8edd394bc3358 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4706,6 +4706,10 @@ type3_infoblock(struct net_device *dev, u_char count, u_char *p) + lp->ibn = 3; + lp->active = *p++; + if (MOTO_SROM_BUG) lp->active = 0; ++ /* if (MOTO_SROM_BUG) statement indicates lp->active could ++ * be 8 (i.e. the size of array lp->phy) */ ++ if (WARN_ON(lp->active >= ARRAY_SIZE(lp->phy))) ++ return -EINVAL; + lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1); + lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2; +-- +2.33.0 + diff --git a/queue-5.10/net-return-correct-error-code.patch b/queue-5.10/net-return-correct-error-code.patch new file mode 100644 index 00000000000..24a1d0882d8 --- /dev/null +++ b/queue-5.10/net-return-correct-error-code.patch @@ -0,0 +1,35 @@ +From b9c385272ba5e491cafd74f15ecc560be468944b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 16:14:48 +0800 +Subject: net: return correct error code + +From: liuguoqiang + +[ Upstream commit 6def480181f15f6d9ec812bca8cbc62451ba314c ] + +When kmemdup called failed and register_net_sysctl return NULL, should +return ENOMEM instead of ENOBUFS + +Signed-off-by: liuguoqiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/devinet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 7c18597774297..148ef484a66ce 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -2582,7 +2582,7 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name, + free: + kfree(t); + out: +- return -ENOBUFS; ++ return -ENOMEM; + } + + static void __devinet_sysctl_unregister(struct net *net, +-- +2.33.0 + diff --git a/queue-5.10/net-smc-avoid-warning-of-possible-recursive-locking.patch b/queue-5.10/net-smc-avoid-warning-of-possible-recursive-locking.patch new file mode 100644 index 00000000000..5c35e0979d1 --- /dev/null +++ b/queue-5.10/net-smc-avoid-warning-of-possible-recursive-locking.patch @@ -0,0 +1,96 @@ +From a3b21ce7625474ad67dd41b7ef1fa28bfeaa3317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 20:32:53 +0800 +Subject: net/smc: Avoid warning of possible recursive locking + +From: Wen Gu + +[ Upstream commit 7a61432dc81375be06b02f0061247d3efbdfce3a ] + +Possible recursive locking is detected by lockdep when SMC +falls back to TCP. The corresponding warnings are as follows: + + ============================================ + WARNING: possible recursive locking detected + 5.16.0-rc1+ #18 Tainted: G E + -------------------------------------------- + wrk/1391 is trying to acquire lock: + ffff975246c8e7d8 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0x109/0x250 [smc] + + but task is already holding lock: + ffff975246c8f918 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0xfe/0x250 [smc] + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&ei->socket.wq.wait); + lock(&ei->socket.wq.wait); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 2 locks held by wrk/1391: + #0: ffff975246040130 (sk_lock-AF_SMC){+.+.}-{0:0}, at: smc_connect+0x43/0x150 [smc] + #1: ffff975246c8f918 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0xfe/0x250 [smc] + + stack backtrace: + Call Trace: + + dump_stack_lvl+0x56/0x7b + __lock_acquire+0x951/0x11f0 + lock_acquire+0x27a/0x320 + ? smc_switch_to_fallback+0x109/0x250 [smc] + ? smc_switch_to_fallback+0xfe/0x250 [smc] + _raw_spin_lock_irq+0x3b/0x80 + ? smc_switch_to_fallback+0x109/0x250 [smc] + smc_switch_to_fallback+0x109/0x250 [smc] + smc_connect_fallback+0xe/0x30 [smc] + __smc_connect+0xcf/0x1090 [smc] + ? mark_held_locks+0x61/0x80 + ? __local_bh_enable_ip+0x77/0xe0 + ? lockdep_hardirqs_on+0xbf/0x130 + ? smc_connect+0x12a/0x150 [smc] + smc_connect+0x12a/0x150 [smc] + __sys_connect+0x8a/0xc0 + ? syscall_enter_from_user_mode+0x20/0x70 + __x64_sys_connect+0x16/0x20 + do_syscall_64+0x34/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The nested locking in smc_switch_to_fallback() is considered to +possibly cause a deadlock because smc_wait->lock and clc_wait->lock +are the same type of lock. But actually it is safe so far since +there is no other place trying to obtain smc_wait->lock when +clc_wait->lock is held. So the patch replaces spin_lock() with +spin_lock_nested() to avoid false report by lockdep. + +Link: https://lkml.org/lkml/2021/11/19/962 +Fixes: 2153bd1e3d3d ("Transfer remaining wait queue entries during fallback") +Reported-by: syzbot+e979d3597f48262cb4ee@syzkaller.appspotmail.com +Signed-off-by: Wen Gu +Acked-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 04bf8088872a9..d324a12c26cd9 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -529,7 +529,7 @@ static void smc_switch_to_fallback(struct smc_sock *smc) + * to clcsocket->wq during the fallback. + */ + spin_lock_irqsave(&smc_wait->lock, flags); +- spin_lock(&clc_wait->lock); ++ spin_lock_nested(&clc_wait->lock, SINGLE_DEPTH_NESTING); + list_splice_init(&smc_wait->head, &clc_wait->head); + spin_unlock(&clc_wait->lock); + spin_unlock_irqrestore(&smc_wait->lock, flags); +-- +2.33.0 + diff --git a/queue-5.10/net-smc-transfer-remaining-wait-queue-entries-during.patch b/queue-5.10/net-smc-transfer-remaining-wait-queue-entries-during.patch new file mode 100644 index 00000000000..831cfa40410 --- /dev/null +++ b/queue-5.10/net-smc-transfer-remaining-wait-queue-entries-during.patch @@ -0,0 +1,87 @@ +From d041e0304a2444c963a826aacbf8e198ee2d8d4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Nov 2021 15:33:35 +0800 +Subject: net/smc: Transfer remaining wait queue entries during fallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wen Gu + +[ Upstream commit 2153bd1e3d3dbf6a3403572084ef6ed31c53c5f0 ] + +The SMC fallback is incomplete currently. There may be some +wait queue entries remaining in smc socket->wq, which should +be removed to clcsocket->wq during the fallback. + +For example, in nginx/wrk benchmark, this issue causes an +all-zeros test result: + +server: nginx -g 'daemon off;' +client: smc_run wrk -c 1 -t 1 -d 5 http://11.200.15.93/index.html + + Running 5s test @ http://11.200.15.93/index.html + 1 threads and 1 connections + Thread Stats Avg Stdev Max ± Stdev + Latency 0.00us 0.00us 0.00us -nan% + Req/Sec 0.00 0.00 0.00 -nan% + 0 requests in 5.00s, 0.00B read + Requests/sec: 0.00 + Transfer/sec: 0.00B + +The reason for this all-zeros result is that when wrk used SMC +to replace TCP, it added an eppoll_entry into smc socket->wq +and expected to be notified if epoll events like EPOLL_IN/ +EPOLL_OUT occurred on the smc socket. + +However, once a fallback occurred, wrk switches to use clcsocket. +Now it is clcsocket->wq instead of smc socket->wq which will +be woken up. The eppoll_entry remaining in smc socket->wq does +not work anymore and wrk stops the test. + +This patch fixes this issue by removing remaining wait queue +entries from smc socket->wq to clcsocket->wq during the fallback. + +Link: https://www.spinics.net/lists/netdev/msg779769.html +Signed-off-by: Wen Gu +Reviewed-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index ac8265e35b2d2..04bf8088872a9 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -513,12 +513,26 @@ static void smc_link_save_peer_info(struct smc_link *link, + + static void smc_switch_to_fallback(struct smc_sock *smc) + { ++ wait_queue_head_t *smc_wait = sk_sleep(&smc->sk); ++ wait_queue_head_t *clc_wait = sk_sleep(smc->clcsock->sk); ++ unsigned long flags; ++ + smc->use_fallback = true; + if (smc->sk.sk_socket && smc->sk.sk_socket->file) { + smc->clcsock->file = smc->sk.sk_socket->file; + smc->clcsock->file->private_data = smc->clcsock; + smc->clcsock->wq.fasync_list = + smc->sk.sk_socket->wq.fasync_list; ++ ++ /* There may be some entries remaining in ++ * smc socket->wq, which should be removed ++ * to clcsocket->wq during the fallback. ++ */ ++ spin_lock_irqsave(&smc_wait->lock, flags); ++ spin_lock(&clc_wait->lock); ++ list_splice_init(&smc_wait->head, &clc_wait->head); ++ spin_unlock(&clc_wait->lock); ++ spin_unlock_irqrestore(&smc_wait->lock, flags); + } + } + +-- +2.33.0 + diff --git a/queue-5.10/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch b/queue-5.10/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch new file mode 100644 index 00000000000..4f11031e607 --- /dev/null +++ b/queue-5.10/net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch @@ -0,0 +1,66 @@ +From e3196d409eabf846002bc897d8328219cc944ce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Nov 2021 13:46:32 +0800 +Subject: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be + out of bound + +From: zhangyue + +[ Upstream commit 61217be886b5f7402843677e4be7e7e83de9cb41 ] + +In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the +'for' end, the 'k' is 8. + +At this time, the array 'lp->phy[8]' may be out of bound. + +Signed-off-by: zhangyue +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/de4x5.c | 30 +++++++++++++++----------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c +index 683e328b5461d..ffc25ecfa8d6a 100644 +--- a/drivers/net/ethernet/dec/tulip/de4x5.c ++++ b/drivers/net/ethernet/dec/tulip/de4x5.c +@@ -4997,19 +4997,23 @@ mii_get_phy(struct net_device *dev) + } + if ((j == limit) && (i < DE4X5_MAX_MII)) { + for (k=0; k < DE4X5_MAX_PHY && lp->phy[k].id; k++); +- lp->phy[k].addr = i; +- lp->phy[k].id = id; +- lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */ +- lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */ +- lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */ +- lp->mii_cnt++; +- lp->active++; +- printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name); +- j = de4x5_debug; +- de4x5_debug |= DEBUG_MII; +- de4x5_dbg_mii(dev, k); +- de4x5_debug = j; +- printk("\n"); ++ if (k < DE4X5_MAX_PHY) { ++ lp->phy[k].addr = i; ++ lp->phy[k].id = id; ++ lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */ ++ lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */ ++ lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */ ++ lp->mii_cnt++; ++ lp->active++; ++ printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name); ++ j = de4x5_debug; ++ de4x5_debug |= DEBUG_MII; ++ de4x5_dbg_mii(dev, k); ++ de4x5_debug = j; ++ printk("\n"); ++ } else { ++ goto purgatory; ++ } + } + } + purgatory: +-- +2.33.0 + diff --git a/queue-5.10/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch b/queue-5.10/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch new file mode 100644 index 00000000000..fbd53ee813b --- /dev/null +++ b/queue-5.10/perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch @@ -0,0 +1,101 @@ +From 9c8b176b13620a2ce3b164fe2cefaee2e11bd517 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 23:12:47 -0800 +Subject: perf hist: Fix memory leak of a perf_hpp_fmt + +From: Ian Rogers + +[ Upstream commit 0ca1f534a776cc7d42f2c33da4732b74ec2790cd ] + +perf_hpp__column_unregister() removes an entry from a list but doesn't +free the memory causing a memory leak spotted by leak sanitizer. + +Add the free while at the same time reducing the scope of the function +to static. + +Signed-off-by: Ian Rogers +Reviewed-by: Kajol Jain +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20211118071247.2140392-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/hist.c | 28 ++++++++++++++-------------- + tools/perf/util/hist.h | 1 - + 2 files changed, 14 insertions(+), 15 deletions(-) + +diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c +index c1f24d0048527..5075ecead5f3d 100644 +--- a/tools/perf/ui/hist.c ++++ b/tools/perf/ui/hist.c +@@ -535,6 +535,18 @@ struct perf_hpp_list perf_hpp_list = { + #undef __HPP_SORT_ACC_FN + #undef __HPP_SORT_RAW_FN + ++static void fmt_free(struct perf_hpp_fmt *fmt) ++{ ++ /* ++ * At this point fmt should be completely ++ * unhooked, if not it's a bug. ++ */ ++ BUG_ON(!list_empty(&fmt->list)); ++ BUG_ON(!list_empty(&fmt->sort_list)); ++ ++ if (fmt->free) ++ fmt->free(fmt); ++} + + void perf_hpp__init(void) + { +@@ -598,9 +610,10 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list, + list_add(&format->sort_list, &list->sorts); + } + +-void perf_hpp__column_unregister(struct perf_hpp_fmt *format) ++static void perf_hpp__column_unregister(struct perf_hpp_fmt *format) + { + list_del_init(&format->list); ++ fmt_free(format); + } + + void perf_hpp__cancel_cumulate(void) +@@ -672,19 +685,6 @@ void perf_hpp__append_sort_keys(struct perf_hpp_list *list) + } + + +-static void fmt_free(struct perf_hpp_fmt *fmt) +-{ +- /* +- * At this point fmt should be completely +- * unhooked, if not it's a bug. +- */ +- BUG_ON(!list_empty(&fmt->list)); +- BUG_ON(!list_empty(&fmt->sort_list)); +- +- if (fmt->free) +- fmt->free(fmt); +-} +- + void perf_hpp__reset_output_field(struct perf_hpp_list *list) + { + struct perf_hpp_fmt *fmt, *tmp; +diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h +index 96b1c13bbccc5..919f2c6c48142 100644 +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -362,7 +362,6 @@ enum { + }; + + void perf_hpp__init(void); +-void perf_hpp__column_unregister(struct perf_hpp_fmt *format); + void perf_hpp__cancel_cumulate(void); + void perf_hpp__setup_output_field(struct perf_hpp_list *list); + void perf_hpp__reset_output_field(struct perf_hpp_list *list); +-- +2.33.0 + diff --git a/queue-5.10/perf-inject-fix-arm-spe-handling.patch b/queue-5.10/perf-inject-fix-arm-spe-handling.patch new file mode 100644 index 00000000000..332a6b00926 --- /dev/null +++ b/queue-5.10/perf-inject-fix-arm-spe-handling.patch @@ -0,0 +1,96 @@ +From 9d3a22a291ab2c11843b6bed0b477d60454df91e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 10:41:30 +0000 +Subject: perf inject: Fix ARM SPE handling + +From: German Gomez + +[ Upstream commit 9e1a8d9f683260d50e0a14176d3f7c46a93b2700 ] + +'perf inject' is currently not working for Arm SPE. When you try to run +'perf inject' and 'perf report' with a perf.data file that contains SPE +traces, the tool reports a "Bad address" error: + + # ./perf record -e arm_spe_0/ts_enable=1,store_filter=1,branch_filter=1,load_filter=1/ -a -- sleep 1 + # ./perf inject -i perf.data -o perf.inject.data --itrace + # ./perf report -i perf.inject.data --stdio + + 0x42c00 [0x8]: failed to process type: 9 [Bad address] + Error: + failed to process sample + +As far as I know, the issue was first spotted in [1], but 'perf inject' +was not yet injecting the samples. This patch does something similar to +what cs_etm does for injecting the samples [2], but for SPE. + +[1] https://patchwork.kernel.org/project/linux-arm-kernel/cover/20210412091006.468557-1-leo.yan@linaro.org/#24117339 +[2] https://git.kernel.org/pub/scm/linux/kernel/git/acme/linux.git/tree/tools/perf/util/cs-etm.c?h=perf/core&id=133fe2e617e48ca0948983329f43877064ffda3e#n1196 + +Reviewed-by: James Clark +Signed-off-by: German Gomez +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: John Garry +Cc: Leo Yan +Cc: Mark Rutland +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Will Deacon +Cc: linux-arm-kernel@lists.infradead.org +Link: https://lore.kernel.org/r/20211105104130.28186-2-german.gomez@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/arm-spe.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c +index 3882a5360ada4..0350020acb96f 100644 +--- a/tools/perf/util/arm-spe.c ++++ b/tools/perf/util/arm-spe.c +@@ -48,6 +48,7 @@ struct arm_spe { + u8 timeless_decoding; + u8 data_queued; + ++ u64 sample_type; + u8 sample_flc; + u8 sample_llc; + u8 sample_tlb; +@@ -244,6 +245,12 @@ static void arm_spe_prep_sample(struct arm_spe *spe, + event->sample.header.size = sizeof(struct perf_event_header); + } + ++static int arm_spe__inject_event(union perf_event *event, struct perf_sample *sample, u64 type) ++{ ++ event->header.size = perf_event__sample_event_size(sample, type, 0); ++ return perf_event__synthesize_sample(event, type, 0, sample); ++} ++ + static inline int + arm_spe_deliver_synth_event(struct arm_spe *spe, + struct arm_spe_queue *speq __maybe_unused, +@@ -252,6 +259,12 @@ arm_spe_deliver_synth_event(struct arm_spe *spe, + { + int ret; + ++ if (spe->synth_opts.inject) { ++ ret = arm_spe__inject_event(event, sample, spe->sample_type); ++ if (ret) ++ return ret; ++ } ++ + ret = perf_session__deliver_synth_event(spe->session, event, sample); + if (ret) + pr_err("ARM SPE: failed to deliver event, error %d\n", ret); +@@ -809,6 +822,8 @@ arm_spe_synth_events(struct arm_spe *spe, struct perf_session *session) + else + attr.sample_type |= PERF_SAMPLE_TIME; + ++ spe->sample_type = attr.sample_type; ++ + attr.exclude_user = evsel->core.attr.exclude_user; + attr.exclude_kernel = evsel->core.attr.exclude_kernel; + attr.exclude_hv = evsel->core.attr.exclude_hv; +-- +2.33.0 + diff --git a/queue-5.10/perf-report-fix-memory-leaks-around-perf_tip.patch b/queue-5.10/perf-report-fix-memory-leaks-around-perf_tip.patch new file mode 100644 index 00000000000..0ccfb632e7b --- /dev/null +++ b/queue-5.10/perf-report-fix-memory-leaks-around-perf_tip.patch @@ -0,0 +1,127 @@ +From 4b9d3e2ae51ef153cdc722f35c2fd0d7af86b800 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Nov 2021 23:38:04 -0800 +Subject: perf report: Fix memory leaks around perf_tip() + +From: Ian Rogers + +[ Upstream commit d9fc706108c15f8bc2d4ccccf8e50f74830fabd9 ] + +perf_tip() may allocate memory or use a literal, this means memory +wasn't freed if allocated. Change the API so that literals aren't used. + +At the same time add missing frees for system_path. These issues were +spotted using leak sanitizer. + +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Link: http://lore.kernel.org/lkml/20211118073804.2149974-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 15 +++++++++------ + tools/perf/util/util.c | 14 +++++++------- + tools/perf/util/util.h | 2 +- + 3 files changed, 17 insertions(+), 14 deletions(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index 5824aa24acfcc..91cab5cdfbc16 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -610,14 +610,17 @@ static int report__browse_hists(struct report *rep) + int ret; + struct perf_session *session = rep->session; + struct evlist *evlist = session->evlist; +- const char *help = perf_tip(system_path(TIPDIR)); ++ char *help = NULL, *path = NULL; + +- if (help == NULL) { ++ path = system_path(TIPDIR); ++ if (perf_tip(&help, path) || help == NULL) { + /* fallback for people who don't install perf ;-) */ +- help = perf_tip(DOCDIR); +- if (help == NULL) +- help = "Cannot load tips.txt file, please install perf!"; ++ free(path); ++ path = system_path(DOCDIR); ++ if (perf_tip(&help, path) || help == NULL) ++ help = strdup("Cannot load tips.txt file, please install perf!"); + } ++ free(path); + + switch (use_browser) { + case 1: +@@ -644,7 +647,7 @@ static int report__browse_hists(struct report *rep) + ret = perf_evlist__tty_browse_hists(evlist, rep, help); + break; + } +- ++ free(help); + return ret; + } + +diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c +index 37a9492edb3eb..df3c4671be72a 100644 +--- a/tools/perf/util/util.c ++++ b/tools/perf/util/util.c +@@ -379,32 +379,32 @@ fetch_kernel_version(unsigned int *puint, char *str, + return 0; + } + +-const char *perf_tip(const char *dirpath) ++int perf_tip(char **strp, const char *dirpath) + { + struct strlist *tips; + struct str_node *node; +- char *tip = NULL; + struct strlist_config conf = { + .dirname = dirpath, + .file_only = true, + }; ++ int ret = 0; + ++ *strp = NULL; + tips = strlist__new("tips.txt", &conf); + if (tips == NULL) +- return errno == ENOENT ? NULL : +- "Tip: check path of tips.txt or get more memory! ;-p"; ++ return -errno; + + if (strlist__nr_entries(tips) == 0) + goto out; + + node = strlist__entry(tips, random() % strlist__nr_entries(tips)); +- if (asprintf(&tip, "Tip: %s", node->s) < 0) +- tip = (char *)"Tip: get more memory! ;-)"; ++ if (asprintf(strp, "Tip: %s", node->s) < 0) ++ ret = -ENOMEM; + + out: + strlist__delete(tips); + +- return tip; ++ return ret; + } + + char *perf_exe(char *buf, int len) +diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h +index ad737052e5977..9f0d36ba77f2d 100644 +--- a/tools/perf/util/util.h ++++ b/tools/perf/util/util.h +@@ -39,7 +39,7 @@ int fetch_kernel_version(unsigned int *puint, + #define KVER_FMT "%d.%d.%d" + #define KVER_PARAM(x) KVER_VERSION(x), KVER_PATCHLEVEL(x), KVER_SUBLEVEL(x) + +-const char *perf_tip(const char *dirpath); ++int perf_tip(char **strp, const char *dirpath); + + #ifndef HAVE_SCHED_GETCPU_SUPPORT + int sched_getcpu(void); +-- +2.33.0 + diff --git a/queue-5.10/pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch b/queue-5.10/pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch new file mode 100644 index 00000000000..0e58786e369 --- /dev/null +++ b/queue-5.10/pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch @@ -0,0 +1,114 @@ +From e90381ff9d708e67c3c5196e962566edd60e5e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 20:48:53 -0500 +Subject: pinctrl: amd: Fix wakeups when IRQ is shared with SCI + +From: Mario Limonciello + +[ Upstream commit 2d54067fcd23aae61e23508425ae5b29e973573d ] + +On some Lenovo AMD Gen2 platforms the IRQ for the SCI and pinctrl drivers +are shared. Due to how the s2idle loop handling works, this case needs +an extra explicit check whether the interrupt was caused by SCI or by +the GPIO controller. + +To fix this rework the existing IRQ handler function to function as a +checker and an IRQ handler depending on the calling arguments. + +BugLink: https://gitlab.freedesktop.org/drm/amd/-/issues/1738 +Reported-by: Joerie de Gram +Signed-off-by: Mario Limonciello +Acked-by: Basavaraj Natikar +Link: https://lore.kernel.org/r/20211101014853.6177-2-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index e20bcc835d6a8..54dfa0244422c 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -520,14 +520,14 @@ static struct irq_chip amd_gpio_irqchip = { + + #define PIN_IRQ_PENDING (BIT(INTERRUPT_STS_OFF) | BIT(WAKE_STS_OFF)) + +-static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) ++static bool do_amd_gpio_irq_handler(int irq, void *dev_id) + { + struct amd_gpio *gpio_dev = dev_id; + struct gpio_chip *gc = &gpio_dev->gc; +- irqreturn_t ret = IRQ_NONE; + unsigned int i, irqnr; + unsigned long flags; + u32 __iomem *regs; ++ bool ret = false; + u32 regval; + u64 status, mask; + +@@ -549,6 +549,14 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) + /* Each status bit covers four pins */ + for (i = 0; i < 4; i++) { + regval = readl(regs + i); ++ /* caused wake on resume context for shared IRQ */ ++ if (irq < 0 && (regval & BIT(WAKE_STS_OFF))) { ++ dev_dbg(&gpio_dev->pdev->dev, ++ "Waking due to GPIO %d: 0x%x", ++ irqnr + i, regval); ++ return true; ++ } ++ + if (!(regval & PIN_IRQ_PENDING) || + !(regval & BIT(INTERRUPT_MASK_OFF))) + continue; +@@ -574,9 +582,12 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) + } + writel(regval, regs + i); + raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); +- ret = IRQ_HANDLED; ++ ret = true; + } + } ++ /* did not cause wake on resume context for shared IRQ */ ++ if (irq < 0) ++ return false; + + /* Signal EOI to the GPIO unit */ + raw_spin_lock_irqsave(&gpio_dev->lock, flags); +@@ -588,6 +599,16 @@ static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) + return ret; + } + ++static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id) ++{ ++ return IRQ_RETVAL(do_amd_gpio_irq_handler(irq, dev_id)); ++} ++ ++static bool __maybe_unused amd_gpio_check_wake(void *dev_id) ++{ ++ return do_amd_gpio_irq_handler(-1, dev_id); ++} ++ + static int amd_get_groups_count(struct pinctrl_dev *pctldev) + { + struct amd_gpio *gpio_dev = pinctrl_dev_get_drvdata(pctldev); +@@ -958,6 +979,7 @@ static int amd_gpio_probe(struct platform_device *pdev) + goto out2; + + platform_set_drvdata(pdev, gpio_dev); ++ acpi_register_wakeup_handler(gpio_dev->irq, amd_gpio_check_wake, gpio_dev); + + dev_dbg(&pdev->dev, "amd gpio driver loaded\n"); + return ret; +@@ -975,6 +997,7 @@ static int amd_gpio_remove(struct platform_device *pdev) + gpio_dev = platform_get_drvdata(pdev); + + gpiochip_remove(&gpio_dev->gc); ++ acpi_unregister_wakeup_handler(amd_gpio_check_wake, gpio_dev); + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.10/platform-x86-thinkpad_acpi-add-support-for-dual-fan-.patch b/queue-5.10/platform-x86-thinkpad_acpi-add-support-for-dual-fan-.patch new file mode 100644 index 00000000000..5c98c1eb841 --- /dev/null +++ b/queue-5.10/platform-x86-thinkpad_acpi-add-support-for-dual-fan-.patch @@ -0,0 +1,34 @@ +From b46793796f61c0e0ac87062abfa4b3cb027df357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 17:05:28 +0800 +Subject: platform/x86: thinkpad_acpi: Add support for dual fan control + +From: Jimmy Wang + +[ Upstream commit 1f338954a5fbe21eb22b4223141e31f2a26366d5 ] + + This adds dual fan control for P1 / X1 Extreme Gen4 + +Signed-off-by: Jimmy Wang +Link: https://lore.kernel.org/r/20211105090528.39677-1-jimmy221b@163.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 2a313643e0388..840bbc312aedd 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -8805,6 +8805,7 @@ static const struct tpacpi_quirk fan_quirk_table[] __initconst = { + TPACPI_Q_LNV3('N', '2', 'E', TPACPI_FAN_2CTL), /* P1 / X1 Extreme (1st gen) */ + TPACPI_Q_LNV3('N', '2', 'O', TPACPI_FAN_2CTL), /* P1 / X1 Extreme (2nd gen) */ + TPACPI_Q_LNV3('N', '2', 'V', TPACPI_FAN_2CTL), /* P1 / X1 Extreme (3nd gen) */ ++ TPACPI_Q_LNV3('N', '4', '0', TPACPI_FAN_2CTL), /* P1 / X1 Extreme (4nd gen) */ + TPACPI_Q_LNV3('N', '3', '0', TPACPI_FAN_2CTL), /* P15 (1st gen) / P15v (1st gen) */ + TPACPI_Q_LNV3('N', '3', '2', TPACPI_FAN_2CTL), /* X1 Carbon (9th gen) */ + }; +-- +2.33.0 + diff --git a/queue-5.10/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch b/queue-5.10/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch new file mode 100644 index 00000000000..c4038f60fca --- /dev/null +++ b/queue-5.10/platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch @@ -0,0 +1,70 @@ +From e0225deb88fbae27c70b0498667a4818463bae68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 14:06:48 +0800 +Subject: platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 + deep + +From: Slark Xiao + +[ Upstream commit 39f53292181081d35174a581a98441de5da22bc9 ] + +When WWAN device wake from S3 deep, under thinkpad platform, +WWAN would be disabled. This disable status could be checked +by command 'nmcli r wwan' or 'rfkill list'. + +Issue analysis as below: + When host resume from S3 deep, thinkpad_acpi driver would +call hotkey_resume() function. Finnaly, it will use +wan_get_status to check the current status of WWAN device. +During this resume progress, wan_get_status would always +return off even WWAN boot up completely. + In patch V2, Hans said 'sw_state should be unchanged +after a suspend/resume. It's better to drop the +tpacpi_rfk_update_swstate call all together from the +resume path'. + And it's confimed by Lenovo that GWAN is no longer + available from WHL generation because the design does not + match with current pin control. + +Signed-off-by: Slark Xiao +Link: https://lore.kernel.org/r/20211108060648.8212-1-slark_xiao@163.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 840bbc312aedd..d8d241344d22d 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -1170,15 +1170,6 @@ static int tpacpi_rfk_update_swstate(const struct tpacpi_rfk *tp_rfk) + return status; + } + +-/* Query FW and update rfkill sw state for all rfkill switches */ +-static void tpacpi_rfk_update_swstate_all(void) +-{ +- unsigned int i; +- +- for (i = 0; i < TPACPI_RFK_SW_MAX; i++) +- tpacpi_rfk_update_swstate(tpacpi_rfkill_switches[i]); +-} +- + /* + * Sync the HW-blocking state of all rfkill switches, + * do notice it causes the rfkill core to schedule uevents +@@ -3121,9 +3112,6 @@ static void tpacpi_send_radiosw_update(void) + if (wlsw == TPACPI_RFK_RADIO_OFF) + tpacpi_rfk_update_hwblock_state(true); + +- /* Sync sw blocking state */ +- tpacpi_rfk_update_swstate_all(); +- + /* Sync hw blocking state last if it is hw-unblocked */ + if (wlsw == TPACPI_RFK_RADIO_ON) + tpacpi_rfk_update_hwblock_state(false); +-- +2.33.0 + diff --git a/queue-5.10/powerpc-pseries-ddw-revert-extend-upper-limit-for-hu.patch b/queue-5.10/powerpc-pseries-ddw-revert-extend-upper-limit-for-hu.patch new file mode 100644 index 00000000000..ebd27441e3b --- /dev/null +++ b/queue-5.10/powerpc-pseries-ddw-revert-extend-upper-limit-for-hu.patch @@ -0,0 +1,45 @@ +From d217414c12e92fb0efdcd83e05a078772059d8bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 15:03:17 +1100 +Subject: powerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window + for persistent memory" + +From: Alexey Kardashevskiy + +[ Upstream commit 2d33f5504490a9d90924476dbccd4a5349ee1ad0 ] + +This reverts commit 54fc3c681ded9437e4548e2501dc1136b23cfa9a +which does not allow 1:1 mapping even for the system RAM which +is usually possible. + +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211108040320.3857636-2-aik@ozlabs.ru +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/iommu.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c +index e4198700ed1a3..245f1f8df6563 100644 +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -1034,15 +1034,6 @@ static phys_addr_t ddw_memory_hotplug_max(void) + phys_addr_t max_addr = memory_hotplug_max(); + struct device_node *memory; + +- /* +- * The "ibm,pmemory" can appear anywhere in the address space. +- * Assuming it is still backed by page structs, set the upper limit +- * for the huge DMA window as MAX_PHYSMEM_BITS. +- */ +- if (of_find_node_by_type(NULL, "ibm,pmemory")) +- return (sizeof(phys_addr_t) * 8 <= MAX_PHYSMEM_BITS) ? +- (phys_addr_t) -1 : (1ULL << MAX_PHYSMEM_BITS); +- + for_each_node_by_type(memory, "memory") { + unsigned long start, size; + int n_mem_addr_cells, n_mem_size_cells, len; +-- +2.33.0 + diff --git a/queue-5.10/s390-setup-avoid-using-memblock_enforce_memory_limit.patch b/queue-5.10/s390-setup-avoid-using-memblock_enforce_memory_limit.patch new file mode 100644 index 00000000000..67bf67fb8f3 --- /dev/null +++ b/queue-5.10/s390-setup-avoid-using-memblock_enforce_memory_limit.patch @@ -0,0 +1,56 @@ +From f000a4b0184994b594845158f281a3844b7c1d9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 13:38:17 +0200 +Subject: s390/setup: avoid using memblock_enforce_memory_limit + +From: Vasily Gorbik + +[ Upstream commit 5dbc4cb4667457b0c53bcd7bff11500b3c362975 ] + +There is a difference in how architectures treat "mem=" option. For some +that is an amount of online memory, for s390 and x86 this is the limiting +max address. Some memblock api like memblock_enforce_memory_limit() +take limit argument and explicitly treat it as the size of online memory, +and use __find_max_addr to convert it to an actual max address. Current +s390 usage: + +memblock_enforce_memory_limit(memblock_end_of_DRAM()); + +yields different results depending on presence of memory holes (offline +memory blocks in between online memory). If there are no memory holes +limit == max_addr in memblock_enforce_memory_limit() and it does trim +online memory and reserved memory regions. With memory holes present it +actually does nothing. + +Since we already use memblock_remove() explicitly to trim online memory +regions to potential limit (think mem=, kdump, addressing limits, etc.) +drop the usage of memblock_enforce_memory_limit() altogether. Trimming +reserved regions should not be required, since we now use +memblock_set_current_limit() to limit allocations and any explicit memory +reservations above the limit is an actual problem we should not hide. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/setup.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index 5cd9d20af31e9..f9f8721dc5321 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -845,9 +845,6 @@ static void __init setup_memory(void) + storage_key_init_range(start, end); + + psw_set_key(PAGE_DEFAULT_KEY); +- +- /* Only cosmetics */ +- memblock_enforce_memory_limit(memblock_end_of_DRAM()); + } + + /* +-- +2.33.0 + diff --git a/queue-5.10/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch b/queue-5.10/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch new file mode 100644 index 00000000000..d390a90b461 --- /dev/null +++ b/queue-5.10/scsi-iscsi-unblock-session-then-wake-up-error-handle.patch @@ -0,0 +1,53 @@ +From 756993d53dc5a9ee250ccedd4c220f258e10a3f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 17:10:47 -0500 +Subject: scsi: iscsi: Unblock session then wake up error handler + +From: Mike Christie + +[ Upstream commit a0c2f8b6709a9a4af175497ca65f93804f57b248 ] + +We can race where iscsi_session_recovery_timedout() has woken up the error +handler thread and it's now setting the devices to offline, and +session_recovery_timedout()'s call to scsi_target_unblock() is also trying +to set the device's state to transport-offline. We can then get a mix of +states. + +For the case where we can't relogin we want the devices to be in +transport-offline so when we have repaired the connection +__iscsi_unblock_session() can set the state back to running. + +Set the device state then call into libiscsi to wake up the error handler. + +Link: https://lore.kernel.org/r/20211105221048.6541-2-michael.christie@oracle.com +Reviewed-by: Lee Duncan +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index 3f7fa8de36427..a5759d0e388a8 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -1909,12 +1909,12 @@ static void session_recovery_timedout(struct work_struct *work) + } + spin_unlock_irqrestore(&session->lock, flags); + +- if (session->transport->session_recovery_timedout) +- session->transport->session_recovery_timedout(session); +- + ISCSI_DBG_TRANS_SESSION(session, "Unblocking SCSI target\n"); + scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE); + ISCSI_DBG_TRANS_SESSION(session, "Completed unblocking SCSI target\n"); ++ ++ if (session->transport->session_recovery_timedout) ++ session->transport->session_recovery_timedout(session); + } + + static void __iscsi_unblock_session(struct work_struct *work) +-- +2.33.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 7c42bc2cad2..4567bed9ec4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -2,3 +2,31 @@ nfsv42-fix-pagecache-invalidation-after-copy-clone.patch can-j1939-j1939_tp_cmd_recv-check-the-dst-address-of-tp.cm_bam.patch ovl-simplify-file-splice.patch ovl-fix-deadlock-in-splice-write.patch +gfs2-release-iopen-glock-early-in-evict.patch +gfs2-fix-length-of-holes-reported-at-end-of-file.patch +powerpc-pseries-ddw-revert-extend-upper-limit-for-hu.patch +drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch +mac80211-do-not-access-the-iv-when-it-was-stripped.patch +net-smc-transfer-remaining-wait-queue-entries-during.patch +atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch +net-return-correct-error-code.patch +pinctrl-amd-fix-wakeups-when-irq-is-shared-with-sci.patch +platform-x86-thinkpad_acpi-add-support-for-dual-fan-.patch +platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch +s390-setup-avoid-using-memblock_enforce_memory_limit.patch +btrfs-check-integrity-fix-a-warning-on-write-caching.patch +thermal-core-reset-previous-low-and-high-trip-during.patch +scsi-iscsi-unblock-session-then-wake-up-error-handle.patch +drm-amd-amdkfd-fix-kernel-panic-when-reset-failed-an.patch +drm-amd-amdgpu-fix-potential-memleak.patch +ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch +ata-libahci-adjust-behavior-when-storaged3enable-_ds.patch +ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch +ipv6-check-return-value-of-ipv6_skip_exthdr.patch +net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch +net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch +perf-inject-fix-arm-spe-handling.patch +perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch +perf-report-fix-memory-leaks-around-perf_tip.patch +net-smc-avoid-warning-of-possible-recursive-locking.patch +acpi-add-stubs-for-wakeup-handler-functions.patch diff --git a/queue-5.10/thermal-core-reset-previous-low-and-high-trip-during.patch b/queue-5.10/thermal-core-reset-previous-low-and-high-trip-during.patch new file mode 100644 index 00000000000..0996d2b6e3c --- /dev/null +++ b/queue-5.10/thermal-core-reset-previous-low-and-high-trip-during.patch @@ -0,0 +1,50 @@ +From d0eb6bf38f787e9a57f87bdd8b7378692ef0843f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 01:30:40 +0530 +Subject: thermal: core: Reset previous low and high trip during thermal zone + init + +From: Manaf Meethalavalappu Pallikunhi + +[ Upstream commit 99b63316c39988039965693f5f43d8b4ccb1c86c ] + +During the suspend is in process, thermal_zone_device_update bails out +thermal zone re-evaluation for any sensor trip violation without +setting next valid trip to that sensor. It assumes during resume +it will re-evaluate same thermal zone and update trip. But when it is +in suspend temperature goes down and on resume path while updating +thermal zone if temperature is less than previously violated trip, +thermal zone set trip function evaluates the same previous high and +previous low trip as new high and low trip. Since there is no change +in high/low trip, it bails out from thermal zone set trip API without +setting any trip. It leads to a case where sensor high trip or low +trip is disabled forever even though thermal zone has a valid high +or low trip. + +During thermal zone device init, reset thermal zone previous high +and low trip. It resolves above mentioned scenario. + +Signed-off-by: Manaf Meethalavalappu Pallikunhi +Reviewed-by: Thara Gopinath +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 17de8a9b991e9..d9e34ac376626 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -474,6 +474,8 @@ static void thermal_zone_device_init(struct thermal_zone_device *tz) + { + struct thermal_instance *pos; + tz->temperature = THERMAL_TEMP_INVALID; ++ tz->prev_low_trip = -INT_MAX; ++ tz->prev_high_trip = INT_MAX; + list_for_each_entry(pos, &tz->thermal_instances, tz_node) + pos->initialized = false; + } +-- +2.33.0 +